Open Source Summit + Embedded Linux Conference + OSPOCon 2021

In modern embedded applications, security is paramount. The use of OP-TEE to provide a trusted execution environment (TEE) has emerged as a popular and effective solution for a tiered approach to security, securing sensitive operations against vulnerabilities in userspace and the Linux kernel itself. Out of the box, OP-TEE provides a cryptographic API based on the GlobalPlatform TEE Specification including a software-only implementation based on mbedTLS. This system is flexible and designed to be integrated into any system as a general cryptographic provider. This talk focuses on the use of OP-TEE as a cryptography engine in two parts. In the first part, we will discuss some OP-TEE internals and provide an overview of how to integrate platform-specific hardware, such as cryptographic accelerators and hardware random number generators. In the second part, we will discuss building a platform-agnostic key storage system with OP-TEE as a Trusted Application (TA). This will cover the TEE-side TA implementation as well as the methods in which it can be accessed from Linux, including both integration with Linux kernel crypto API and direct userspace access by implementing a standalone library, an OpenSSL engine, or a PKCS#11 provider.