Practical Security for Embedded Systems: Implementing TEE and Secure Storage - Yocto Project DevDay 2024 #36
Conversation
DaniilKl
force-pushed
the
yoctodday_practical_sec_tee
branch
from
d4f06a8
to
cd3f219
Compare
|
I think it's not that important to keep a pretty commit history here. We can easily merge it as one commit or squash them before rebasing. The content should be what matters here |
DaniilKl
force-pushed
the
yoctodday_practical_sec_tee
branch
from
2399e9c
to
b2b2392
Compare
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Maciej Pijanowski <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
This is a preliminary plan for my slides. Signed-off-by: Daniil Klimuk <[email protected]>
timings Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
tym2k1
force-pushed
the
yoctodday_practical_sec_tee
branch
from
1ec2069
to
b14896f
Compare
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
There was a problem hiding this comment.
What is the Secure Partition Manager and what functionality/task does it have? Could you explain this, or redirect me to appropriate resources?
There was a problem hiding this comment.
Here's a good definition of both Secure Partition Manager and Secure Partition. Till recently Trusted Firmware-A only supported single secure partition. I don't think it's a stable and well documented feature. Might not be implemented that often
There was a problem hiding this comment.
You should describe this drawing really good, for now it is difficult to understand. Please leave a comment how are you going to do this.
There was a problem hiding this comment.
I want to describe how Arm Trustzone doesn't handle storing secrets in a non-volatile memory. So for some scenario "private keys for authentication" like a mobile banking application plain TrustZone is not enough and needs a secure storage (not just any storage). I guess I could go into more detail what safety measures should be present (RPMB, maybe secure counter(?))
| + Trusted Applications are also protected from each other | ||
| - The Secure Partition Manager is optional, just as you can run a Rich OS without a | ||
| hypervisor you can run a Trusted OS without the Secure Partition Manager | ||
| - Worth noting that the Secure Partition Manager can be also implemented in EL3 |
There was a problem hiding this comment.
From my understanding it's most often implemented in EL3 but I've added resources at the Resources slide with implementation that lives in EL2 called Hafnium
Trusted firmware docs mention implementation that resides in EL3
There was a problem hiding this comment.
It's just easier to understand when SPM is in EL2 because you can think of it as this "Trusted OS Hypervisor" that ensures TA's are isolated from each other
|
|
||
| --- | ||
|
|
||
| # Normal vs Secure Worlds - Arm Cortex-M |
There was a problem hiding this comment.
You can add a bit more info on this slide, so it will not look so empty.
| - coreboot licensed service providers since 2016 and leadership participants | ||
| - UEFI Adopters since 2018 | ||
| - Yocto Participants and Embedded Linux experts since 2019 | ||
| - Official consultants for Linux Foundation fwupd/LVFS project since 2020 | ||
| - IBM OpenPOWER Foundation members since 2020 |
There was a problem hiding this comment.
@tym2k1, could you address this?
| 1. Turn on `CONFIG_TEE` and `CONFIG_OPTEE` (and related configs, if needed) | ||
| configs. |
There was a problem hiding this comment.
| 1. Turn on `CONFIG_TEE` and `CONFIG_OPTEE` (and related configs, if needed) | |
| configs. | |
| 1. Turn on `CONFIG_TEE` and `CONFIG_OPTEE` (and related, if needed) configs. |
|
|
||
| # Linux integration | ||
|
|
||
| Turn on `CONFIG_TEE` and `CONFIG_OPTEE` (and related, if needed) configs, and |
There was a problem hiding this comment.
@DaniilKl, the previous and next slides have numbered lists - shouldn't we split this sentence into two points?
There was a problem hiding this comment.
I have thought about it, but if I split this sentence into a list - I will not be able to place code on the same slide, and splitting this sentence and code on two slides will, IMHO, be more inconvenient than using the sentence. I am going to compensate it with speech.
|
|
||
| - <a href="https://3mdeb.com">https://3mdeb.com</a> | ||
|
|
||
| - <a href="https://calendly.com/3mdeb/consulting-remote-meeting">Book a call</a> |
There was a problem hiding this comment.
@DaniilKl please use this link for a "Book a Call" action: https://cloud.3mdeb.com/index.php/apps/calendar/appointment/n7T65toSaD9t
| </a> | ||
|
|
||
| - <a href="https://twitter.com/3mdeb_com"> | ||
| <img src="/remark-templates/3mdeb-presentation-template/images/twitter.png" |
There was a problem hiding this comment.
@DaniilKl outdated icon - if you've some time, maybe prepare the X icon - nice to have feature :)
|
|
||
| --- | ||
|
|
||
| # Resources |
There was a problem hiding this comment.
This slide is not designed for live presentation, but rather as a reference, for those who will check the slides on their own, so I do not see any reason to simplify it.
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Tymoteusz Burak <[email protected]>
| ??? | ||
|
|
||
| - Time for this slide: TODO | ||
| - Idea/goal of this slide: To say that though vendor supplied binaries were |
There was a problem hiding this comment.
Could you highlight why such binaries are needed? What do they contain and why do the vendors supply them?
There was a problem hiding this comment.
Could you highlight why such binaries are needed?
To launch OP-TEE and ATF they provide.
What do they contain
ATF and OP-TEE.
why do the vendors supply them?
I wish I knew...
I will say thin during presentation.
|
|
||
| .center[ <img src="./img/vendor-binaries-meme.png" height="350px"> ] | ||
|
|
||
| .center[ <span style="font-size:30px;">There's some kind of mess here!</span>] |
There was a problem hiding this comment.
IMHO it's funnier without the subtitle as youre explaining the joke
There was a problem hiding this comment.
IMHO it is easier to understand with subtitle.
| - TODO | ||
| - Notes: | ||
| - Weak points: | ||
| - You have to trust vendor binaries; |
There was a problem hiding this comment.
Is there a way to not use them? What could be done about it?
There was a problem hiding this comment.
Compilation from source, I will say it during presentation without stating it on slides explicitly.
|
|
||
| 1. Turn on `CONFIG_TEE` and `CONFIG_OPTEE` (and related configs, if needed) | ||
| configs. | ||
| 2. Link ATF (`BL31`): |
There was a problem hiding this comment.
What does BL31 stand for?
There was a problem hiding this comment.
BL1: Boot ROM;
BL2: SPL and TPL;
BL3: Bootloader (U-Boot) with integrated ATF and OP-TEE;
BL31: ATF (so, it is explicitly sown that it is a part of U-Boot image);
BL32: OP-TEE (so, it is explicitly sown that it is a part of U-Boot image);
BL33: REE bootloader (U-Boot).
More about this here.
| EXTRA_OEMAKE:append = " TEE=${DEPLOY_DIR_IMAGE}/optee/tee.elf" | ||
| ``` | ||
|
|
||
| 4. Check `binman` configuration, in case you are using other file formats (e.g. |
There was a problem hiding this comment.
Why binman and where are the mentioned files used?
There was a problem hiding this comment.
This is a complicated topic, I am going to mention and describe it during presentation, but I will not have enough time to go into details here.
| # Testing using vendor binaries | ||
|
|
||
| ```bash | ||
| (...) | ||
| U-Boot SPL 2024.01 (Jan 08 2024 - 15:37:48 +0000) | ||
| (...) | ||
| NOTICE: BL31: v2.3():v2.3-607-gbf602aff1:cl | ||
| NOTICE: BL31: Built : 10:16:03, Jun 5 2023 | ||
| (...) | ||
| I/TC: OP-TEE version: 3.13.0-723-gdcfdd61d0 #hisping.lin (gcc version 10.2.1... | ||
| (...) | ||
| root@quartz64-a:~# dmesg | ||
| (...) | ||
| root@quartz64-a:~# alias p11="pkcs11-tool --module /usr/lib/libckteec.so.0" | ||
| root@quartz64-a:~# p11 --show-info | ||
| E/LD: ta_elf_load_main:1128 sys_map_zi stack | ||
| E/TC:? 0 ldelf_init_with_ldelf:126 ldelf failed with res: 0xffff000c | ||
| ERR [291] LT:ckteec_invoke_init:304: TEEC open session failed ffff000c from 3 | ||
| (...) | ||
| root@quartz64-a:~# xtest | ||
| (...) | ||
| 653 subtests of which 188 failed | ||
| 106 test cases of which 76 failed | ||
| 0 test cases were skipped | ||
| TEE test application done! | ||
| ``` |
There was a problem hiding this comment.
That's a lot of information for one slide and it's a little unreadable. Maybe split it into shorter slides and just say what, where and why you're running?
| # Testing self-ported image | ||
|
|
||
| ```bash | ||
| U-Boot SPL 2024.01 (Jan 08 2024 - 15:37:48 +0000) | ||
| (...) | ||
| NOTICE: BL31: v2.3():v2.3-607-gbf602aff1:cl | ||
| NOTICE: BL31: Built : 10:16:03, Jun 5 2023 | ||
| (...) | ||
| I/TC: OP-TEE version: 4.1.0-dev (gcc version 13.2.0 (GCC)) #1 Fri Jan 19 17:14:14 UTC 2024 aarch64 | ||
| (...) | ||
| root@quartz64-a:~# alias p11="pkcs11-tool --module /usr/lib/libckteec.so.0" | ||
| root@quartz64-a:~# p11 --list-slots | ||
| Available slots: | ||
| Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830 | ||
| token state: uninitialized | ||
| (...) | ||
| root@quartz64-a:~# p11 --init-token --label mytoken --so-pin 1234567890 | ||
| (...) | ||
| root@quartz64-a:~# p11 --list-slots | ||
| Available slots: | ||
| Slot 0 (0x0): OP-TEE PKCS11 TA - TEE UUID 94e9ab89-4c43-56ea-8b35-45dc07226830 | ||
| token label : mytoken | ||
| token manufacturer : Linaro | ||
| (...) | ||
| root@quartz64-a:~# xtest | ||
| (...) | ||
| +----------------------------------------------------- | ||
| 28130 subtests of which 0 failed | ||
| 106 test cases of which 0 failed | ||
| 0 test cases were skipped | ||
| TEE test application done! |
There was a problem hiding this comment.
The same problem of unreadability
|
|
||
| # OP-TEE Secure Storage | ||
|
|
||
| .center[ <img src="./img/op-tee-secure-storage.svg" height="350px"> ] |
There was a problem hiding this comment.
You haven't mentioned how Secure Storage is implemented on the device. Did you provision the RPMB somehow? Were there any constraints? What are requirements for such implementation? Could you do it differently?
There was a problem hiding this comment.
Could you do it differently?
How exactly?
There was a problem hiding this comment.
On what device? This slide shows Secure Storage implementation in OP-TEE not on any device.
Signed-off-by: Tymoteusz Burak <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
Signed-off-by: Daniil Klimuk <[email protected]>
No description provided.