
OPTEE on i.MX6UL Platform

OPTEE, Open Portable Trusted Execution Environment for Secure Connectivity Solutions and Embedded Applications

Client:

A US-based company that works on secure connectivity solutions for embedded applications, end-to-end security and privacy, and the smart connected solutions market.

Overview:

The increased demand for privacy and security among users of banking, medical and safety-critical devices has created the need for a secure execution environment. Keeping all secret credentials and data manipulation in the larger rich operating system, also called the Rich Execution Environment (REE), leaves them vulnerable and makes such systems a target for malware and hackers in general. Addressing this requires offloading the sensitive information and processing to a more trusted and secure environment, called the Trusted Execution Environment (TEE). Isolation of the REE and TEE is implemented through both hardware and software.

OPTEE Secure Connectivity Solutions for Embedded Applications

OP-TEE stands for Open Portable Trusted Execution Environment. OP-TEE runs securely on the TrustZone hardware embedded in the SoC. The processor core of the SoC has two virtual cores, Secure and Non-Secure:

  • The Secure world runs a Trusted OS like OP-TEE – ARM TrustZone
  • The Non-Secure world runs a Rich OS like Linux (REE) – ARM Cortex A

Switching between the secure and non-secure worlds is achieved through a “Secure Monitor Call (SMC)”. The TrustZone hardware, Trusted boot, Trusted OS and Trusted Application together form the Trusted Execution Environment (TEE). The REE uses the services/apps provided by OP-TEE to execute securely and to avoid any data manipulation (data protection).

Key Features of OP-TEE:

  • Isolation – The Rich OS (typically Linux/Android) and OP-TEE are isolated from each other. This provides a secure way of executing Trusted Applications (TAs) and privileged access to the underlying hardware
  • Small footprint – Small enough to reside in a reasonable amount of on-chip memory
  • Portability – Can execute on different architectures, with multiple TEEs or multiple client OSes

The OP-TEE technical specifications and standards are defined by GlobalPlatform (a non-profit industry association):

  • TEE Client API
  • TEE Core API (Trusted Core Framework API, Trusted Storage API for Data and Keys, Cryptographic Operation API, Time API, Arithmetical API)
  • Others (Access Control, UI API)

Application Areas:

  • Digital Rights Management (DRM)
    • Smartphones, tablets, digital TV systems...
  • Mobile Commerce Application – Secure Transactions
    • Mobile Wallets, Contactless payments (NFC)
    • Secure Point Of Sale (Secure POS)
  • Authentication: Biometric ID methods
    • Facial recognition, fingerprint sensor and voice authorization

Solution offered by iWave:

  • Bring up of OP-TEE OS for i.MX6UL platform.
    • OP-TEE Framework – Version 2.x
  • Porting of different peripherals from the REE (Linux) to the TEE (OP-TEE).
  • Critical Security Features
    • Tamper Detection
    • Software Cryptography: CAAM (LibTomCrypt)
    • Central Security Unit (CSU)
    • SNVS
    • Secure 1-2 Boot (HAB)
  • Development of a Trusted Application and a Host Application, with APIs for a card payment application:
    • NFC Card Reader APIs
    • EMV APIs
    • MSR APIs
    • PINPAD APIs
