The alarm rings and you wake up. You ask Alexa to prepare hot water for your bath, brush your teeth using the bluetooth-enabled electric toothbrush just after brewing your cappuccino using the mobile app. As you sip your coffee, you watch news on the YouTube app in your smart TV. As soon as you step out of the home, the smart lock does its thing with a reassuring click. We are living in times when most modern technical gadgets tend to have at least one connectivity mechanism. It is well known that more the connectivity, greater the attack surface and hence greater the cybersecurity risks associated with the product.
Keeping in mind the enhanced cybersecurity risks, cloud vendors like Amazon and Microsoft develop and maintain operating systems for IoT end devices like Amazon FreeRTOS and Microsoft Azure RTOS. These OSes supposedly implement the best cybersecurity practices that help improve the product’s cybersecurity posture.
However, in spite of the benefits that developers accrue from using well-maintained software from big corporations, use of the open-source linux kernel in IoT end devices and gateways is extremely popular and promises to remain so for a long time to come! The rise of edge computing, rich graphics and increased processing requirements at the edge makes the choice of linux kernel an (almost) automatic one.
In order to strengthen the cybersecurity posture of a linux-based system, use of Trusted Execution Environment or TEE with a linux-based OS is becoming increasingly popular. Let us now see what a TEE is.
What is a TEE?
According to Trustonic, a Trusted Execution Environment (TEE) is an environment for executing code, in which those executing the code can have high levels of trust in the asset management of that surrounding environment because it can ignore threats from the “unknown” rest of the device.
The TEE is used in conjunction with a Rich Execution Environment (REE) which is provided by a rich operating system like a linux-based OS. The REE is where the application resides, the services run and most of the user experience is derived from!
In a nutshell, the REE is where untrusted code runs from and the TEE is where the trusted code runs from. Typical use-cases that get implemented within the TEE are secure credential storage, secure credential usage, execution of critical cryptography primitives – especially where authentication or proof-of-identity operations happen.
A good example is the process of unlocking your smartphone using biometric data. The application that unlocks the phone is generally a TA or a Trusted Application running within the TEE and once authentication is successful, the REE OS i.e. the Android/iOS takes over!
How is a TEE implemented?
In order to facilitate the establishment and maintenance of a TEE, it is imperative to have support inside the processor for achieving isolation between TEE and REE. The most popular implementation today is a TEE achieved by making use of the TrustZone system inside Arm Cortex-A and Cortex-M processors. In the Arm TrustZone architecture, the security of the system is achieved by partitioning all of the processor’s hardware and software resources so that they exist in one of two worlds – the Secure world (TEE) for the security subsystem, and the Normal world (REE) for everything else.
Does it mean that there are two physical CPUs inside the processor? No! The isolation is logical – not physical. The same CPU is used for executing both TEE OS and the REE OS.
How do the TEE OS and REE OS get scheduled? Time-slicing! The OSes within the TEE and REE access the CPU in a time-sliced manner.
Can the TEE and REE talk to each other? Yes, indeed! Without this, the whole implementation may not have a lot of meaning, isn’t it? More on this in later posts… do subscribe to the blog!
Let us now clearly understand what having a TEE does for your system’s cybersecurity posture. This is an often misunderstood topic but is actually very simple to understand.
What can a TEE do and not do?
The ability to have a TEE while still retaining the ability to use your favourite rich OS kernel like linux greatly enhances the cybersecurity of your system! Over so many years of their usage, a lot of engineering has gone into attacking rich OS kernels and successfully compromising their operation. Sometimes, these attacks have resulted in huge losses to business prospects as well as brand reputations. By having a TEE in place, you essentially sandbox the security-critical operations such that successful attacks in the rich world don’t end up compromising the system’s cybersecurity assets (if TEE is implemented correctly) and hence mitigating the risks associated with REE-only systems.
Can a TEE mitigate invasive cybersecurity attacks? No! A TEE makes use of isolation within the processor. Invasive attacks that can change the firmware components, modify CPU execution paths, control CPU operations, etc. CANNOT be mitigated by using a TEE. If protection against such attacks is of utmost importance, one should consider using a hardware secure element like Microchip’s ATECC608 or similar products wherever possible.
With this background, let us now talk about OP-TEE.
What is OP-TEE?
OP-TEE (Open Portable TEE) is a TEE designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API exposed to Trusted Applications and the TEE Client API v1.0, which is the API describing how to communicate with a TEE. Those APIs are defined in the GlobalPlatform API specifications.
Does OP-TEE only work with Arm TrustZone? Not really! OP-TEE is designed primarily to rely on the Arm TrustZone technology as the underlying hardware isolation mechanism. However, it has been structured to be compatible with any isolation technology suitable for the TEE concept and goals, such as running as a virtual machine or on a dedicated CPU.
Why use OP-TEE?
OP-TEE is the only well-known, actively maintained and completely open-source TEE OS available to use as a developer. The fact that it supports Arm TrustZone makes it a great choice as Arm processors are by far the most popular linux processors used today.
OP-TEE started off as a project by ST-Ericsson and later passed on to Linaro for maintenance and development as an open-source project. To know more about the project, check out the official documentation’s about page. We will learn more about OP-TEE in future posts!
As cybersecurity requirements increase in a typical IoT deployment, there is a rapidly growing interest in implementing TEE on linux-based systems. Arm TrustZone hardware architecture makes the implementation of TEE convenient. In fact, Arm TrustZone-based TEE is by far the most common TEE implementation today in all product segments like industrial, automotive, consumer electronics as well as computing products!
OP-TEE is one of the most popular TEE OS offerings that one can use as it is a high-quality, free and open-source software which is developed and maintained by Linaro.
In the coming posts, we will talk more about using OP-TEE with various platforms and implement typical use-cases that one may need to implement.