€•švŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ/translations/zh_CN/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ/translations/zh_TW/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ/translations/it_IT/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ/translations/ja_JP/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ/translations/ko_KR/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ/translations/pt_BR/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ/translations/sp_SP/tee/op-tee”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³Œ8/var/lib/git/docbuild/linux/Documentation/tee/op-tee.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ4OP-TEE (Open Portable Trusted Execution Environment)”h]”hŒ4OP-TEE (Open Portable Trusted Execution Environment)”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhŒ paragraph”“”)”}”(hŒ€The OP-TEE driver handles OP-TEE [1] based TEEs. Currently it is only the ARM TrustZone based OP-TEE solution that is supported.”h]”hŒ€The OP-TEE driver handles OP-TEE [1] based TEEs. Currently it is only the ARM TrustZone based OP-TEE solution that is supported.”…””}”(hhßh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÞ)”}”(hŒèLowest level of communication with OP-TEE builds on ARM SMC Calling Convention (SMCCC) [2], which is the foundation for OP-TEE's SMC interface [3] used internally by the driver. Stacked on top of that is OP-TEE Message Protocol [4].”h]”hŒêLowest level of communication with OP-TEE builds on ARM SMC Calling Convention (SMCCC) [2], which is the foundation for OP-TEE’s SMC interface [3] used internally by the driver. Stacked on top of that is OP-TEE Message Protocol [4].”…””}”(hhíh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K hhÊh²hubhÞ)”}”(hŒšOP-TEE SMC interface provides the basic functions required by SMCCC and some additional functions specific for OP-TEE. The most interesting functions are:”h]”hŒšOP-TEE SMC interface provides the basic functions required by SMCCC and some additional functions specific for OP-TEE. The most interesting functions are:”…””}”(hhûh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒuOPTEE_SMC_FUNCID_CALLS_UID (part of SMCCC) returns the version information which is then returned by TEE_IOC_VERSION ”h]”hÞ)”}”(hŒtOPTEE_SMC_FUNCID_CALLS_UID (part of SMCCC) returns the version information which is then returned by TEE_IOC_VERSION”h]”hŒtOPTEE_SMC_FUNCID_CALLS_UID (part of SMCCC) returns the version information which is then returned by TEE_IOC_VERSION”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj h²hh³hÇh´Nubj)”}”(hŒ¸OPTEE_SMC_CALL_GET_OS_UUID returns the particular OP-TEE implementation, used to tell, for instance, a TrustZone OP-TEE apart from an OP-TEE running on a separate secure co-processor. ”h]”hÞ)”}”(hŒ·OPTEE_SMC_CALL_GET_OS_UUID returns the particular OP-TEE implementation, used to tell, for instance, a TrustZone OP-TEE apart from an OP-TEE running on a separate secure co-processor.”h]”hŒ·OPTEE_SMC_CALL_GET_OS_UUID returns the particular OP-TEE implementation, used to tell, for instance, a TrustZone OP-TEE apart from an OP-TEE running on a separate secure co-processor.”…””}”(hj,h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khj(ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj h²hh³hÇh´Nubj)”}”(hŒ;OPTEE_SMC_CALL_WITH_ARG drives the OP-TEE message protocol ”h]”hÞ)”}”(hŒ:OPTEE_SMC_CALL_WITH_ARG drives the OP-TEE message protocol”h]”hŒ:OPTEE_SMC_CALL_WITH_ARG drives the OP-TEE message protocol”…””}”(hjDh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khj@ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj h²hh³hÇh´Nubj)”}”(hŒ„OPTEE_SMC_GET_SHM_CONFIG lets the driver and OP-TEE agree on which memory range to used for shared memory between Linux and OP-TEE. ”h]”hÞ)”}”(hŒƒOPTEE_SMC_GET_SHM_CONFIG lets the driver and OP-TEE agree on which memory range to used for shared memory between Linux and OP-TEE.”h]”hŒƒOPTEE_SMC_GET_SHM_CONFIG lets the driver and OP-TEE agree on which memory range to used for shared memory between Linux and OP-TEE.”…””}”(hj\h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhjXubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj h²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j h³hÇh´KhhÊh²hubhÞ)”}”(hŒSThe GlobalPlatform TEE Client API [5] is implemented on top of the generic TEE API.”h]”hŒSThe GlobalPlatform TEE Client API [5] is implemented on top of the generic TEE API.”…””}”(hjxh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÞ)”}”(hŒYPicture of the relationship between the different components in the OP-TEE architecture::”h]”hŒXPicture of the relationship between the different components in the OP-TEE architecture:”…””}”(hj†h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K!hhÊh²hubhŒ literal_block”“”)”}”(hX+ User space Kernel Secure world ~~~~~~~~~~ ~~~~~~ ~~~~~~~~~~~~ +--------+ +-------------+ | Client | | Trusted | +--------+ | Application | /\ +-------------+ || +----------+ /\ || |tee- | || || |supplicant| \/ || +----------+ +-------------+ \/ /\ | TEE Internal| +-------+ || | API | + TEE | || +--------+--------+ +-------------+ | Client| || | TEE | OP-TEE | | OP-TEE | | API | \/ | subsys | driver | | Trusted OS | +-------+----------------+----+-------+----+-----------+-------------+ | Generic TEE API | | OP-TEE MSG | | IOCTL (TEE_IOC_*) | | SMCCC (OPTEE_SMC_CALL_*) | +-----------------------------+ +------------------------------+”h]”hX+ User space Kernel Secure world ~~~~~~~~~~ ~~~~~~ ~~~~~~~~~~~~ +--------+ +-------------+ | Client | | Trusted | +--------+ | Application | /\ +-------------+ || +----------+ /\ || |tee- | || || |supplicant| \/ || +----------+ +-------------+ \/ /\ | TEE Internal| +-------+ || | API | + TEE | || +--------+--------+ +-------------+ | Client| || | TEE | OP-TEE | | OP-TEE | | API | \/ | subsys | driver | | Trusted OS | +-------+----------------+----+-------+----+-----------+-------------+ | Generic TEE API | | OP-TEE MSG | | IOCTL (TEE_IOC_*) | | SMCCC (OPTEE_SMC_CALL_*) | +-----------------------------+ +------------------------------+”…””}”hj–sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j”h³hÇh´K$hhÊh²hubhÞ)”}”(hX¤RPC (Remote Procedure Call) are requests from secure world to kernel driver or tee-supplicant. An RPC is identified by a special range of SMCCC return values from OPTEE_SMC_CALL_WITH_ARG. RPC messages which are intended for the kernel are handled by the kernel driver. Other RPC messages will be forwarded to tee-supplicant without further involvement of the driver, except switching shared memory buffer representation.”h]”hX¤RPC (Remote Procedure Call) are requests from secure world to kernel driver or tee-supplicant. An RPC is identified by a special range of SMCCC return values from OPTEE_SMC_CALL_WITH_ARG. RPC messages which are intended for the kernel are handled by the kernel driver. Other RPC messages will be forwarded to tee-supplicant without further involvement of the driver, except switching shared memory buffer representation.”…””}”(hj¤h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K8hhÊh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒOP-TEE device enumeration”h]”hŒOP-TEE device enumeration”…””}”(hjµh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj²h²hh³hÇh´K@ubhÞ)”}”(hXOP-TEE provides a pseudo Trusted Application: drivers/tee/optee/device.c in order to support device enumeration. In other words, OP-TEE driver invokes this application to retrieve a list of Trusted Applications which can be registered as devices on the TEE bus.”h]”hXOP-TEE provides a pseudo Trusted Application: drivers/tee/optee/device.c in order to support device enumeration. In other words, OP-TEE driver invokes this application to retrieve a list of Trusted Applications which can be registered as devices on the TEE bus.”…””}”(hjÃh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KBhj²h²hubeh}”(h]”Œop-tee-device-enumeration”ah ]”h"]”Œop-tee device enumeration”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K@ubhÉ)”}”(hhh]”(hÎ)”}”(hŒOP-TEE notifications”h]”hŒOP-TEE notifications”…””}”(hjÜh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjÙh²hh³hÇh´KHubhÞ)”}”(hŒhThere are two kinds of notifications that secure world can use to make normal world aware of some event.”h]”hŒhThere are two kinds of notifications that secure world can use to make normal world aware of some event.”…””}”(hjêh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KJhjÙh²hubhŒenumerated_list”“”)”}”(hhh]”(j)”}”(hŒ|Synchronous notifications delivered with ``OPTEE_RPC_CMD_NOTIFICATION`` using the ``OPTEE_RPC_NOTIFICATION_SEND`` parameter.”h]”hÞ)”}”(hŒ|Synchronous notifications delivered with ``OPTEE_RPC_CMD_NOTIFICATION`` using the ``OPTEE_RPC_NOTIFICATION_SEND`` parameter.”h]”(hŒ)Synchronous notifications delivered with ”…””}”(hjh²hh³Nh´NubhŒliteral”“”)”}”(hŒ``OPTEE_RPC_CMD_NOTIFICATION``”h]”hŒOPTEE_RPC_CMD_NOTIFICATION”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j hjubhŒ using the ”…””}”(hjh²hh³Nh´Nubj )”}”(hŒ``OPTEE_RPC_NOTIFICATION_SEND``”h]”hŒOPTEE_RPC_NOTIFICATION_SEND”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j hjubhŒ parameter.”…””}”(hjh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KMhjýubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjúh²hh³hÇh´Nubj)”}”(hŒ˜Asynchronous notifications delivered with a combination of a non-secure edge-triggered interrupt and a fast call from the non-secure interrupt handler. ”h]”hÞ)”}”(hŒ—Asynchronous notifications delivered with a combination of a non-secure edge-triggered interrupt and a fast call from the non-secure interrupt handler.”h]”hŒ—Asynchronous notifications delivered with a combination of a non-secure edge-triggered interrupt and a fast call from the non-secure interrupt handler.”…””}”(hj?h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KOhj;ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjúh²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1jøhjÙh²hh³hÇh´KMubhÞ)”}”(hŒõSynchronous notifications are limited by depending on RPC for delivery, this is only usable when secure world is entered with a yielding call via ``OPTEE_SMC_CALL_WITH_ARG``. This excludes such notifications from secure world interrupt handlers.”h]”(hŒ’Synchronous notifications are limited by depending on RPC for delivery, this is only usable when secure world is entered with a yielding call via ”…””}”(hj^h²hh³Nh´Nubj )”}”(hŒ``OPTEE_SMC_CALL_WITH_ARG``”h]”hŒOPTEE_SMC_CALL_WITH_ARG”…””}”(hjfh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j hj^ubhŒH. This excludes such notifications from secure world interrupt handlers.”…””}”(hj^h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KShjÙh²hubhÞ)”}”(hX.An asynchronous notification is delivered via a non-secure edge-triggered interrupt to an interrupt handler registered in the OP-TEE driver. The actual notification value are retrieved with the fast call ``OPTEE_SMC_GET_ASYNC_NOTIF_VALUE``. Note that one interrupt can represent multiple notifications.”h]”(hŒÌAn asynchronous notification is delivered via a non-secure edge-triggered interrupt to an interrupt handler registered in the OP-TEE driver. The actual notification value are retrieved with the fast call ”…””}”(hj~h²hh³Nh´Nubj )”}”(hŒ#``OPTEE_SMC_GET_ASYNC_NOTIF_VALUE``”h]”hŒOPTEE_SMC_GET_ASYNC_NOTIF_VALUE”…””}”(hj†h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j hj~ubhŒ?. Note that one interrupt can represent multiple notifications.”…””}”(hj~h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KXhjÙh²hubhÞ)”}”(hX–One notification value ``OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF`` has a special meaning. When this value is received it means that normal world is supposed to make a yielding call ``OPTEE_MSG_CMD_DO_BOTTOM_HALF``. This call is done from the thread assisting the interrupt handler. This is a building block for OP-TEE OS in secure world to implement the top half and bottom half style of device drivers.”h]”(hŒOne notification value ”…””}”(hjžh²hh³Nh´Nubj )”}”(hŒ.``OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF``”h]”hŒ*OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF”…””}”(hj¦h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j hjžubhŒs has a special meaning. When this value is received it means that normal world is supposed to make a yielding call ”…””}”(hjžh²hh³Nh´Nubj )”}”(hŒ ``OPTEE_MSG_CMD_DO_BOTTOM_HALF``”h]”hŒOPTEE_MSG_CMD_DO_BOTTOM_HALF”…””}”(hj¸h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j hjžubhŒ¾. This call is done from the thread assisting the interrupt handler. This is a building block for OP-TEE OS in secure world to implement the top half and bottom half style of device drivers.”…””}”(hjžh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K^hjÙh²hubeh}”(h]”Œop-tee-notifications”ah ]”h"]”Œop-tee notifications”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KHubhÉ)”}”(hhh]”(hÎ)”}”(hŒ(OPTEE_INSECURE_LOAD_IMAGE Kconfig option”h]”hŒ(OPTEE_INSECURE_LOAD_IMAGE Kconfig option”…””}”(hjÛh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjØh²hh³hÇh´KfubhÞ)”}”(hX¿The OPTEE_INSECURE_LOAD_IMAGE Kconfig option enables the ability to load the BL32 OP-TEE image from the kernel after the kernel boots, rather than loading it from the firmware before the kernel boots. This also requires enabling the corresponding option in Trusted Firmware for Arm. The Trusted Firmware for Arm documentation [6] explains the security threat associated with enabling this as well as mitigations at the firmware and platform level.”h]”hX¿The OPTEE_INSECURE_LOAD_IMAGE Kconfig option enables the ability to load the BL32 OP-TEE image from the kernel after the kernel boots, rather than loading it from the firmware before the kernel boots. This also requires enabling the corresponding option in Trusted Firmware for Arm. The Trusted Firmware for Arm documentation [6] explains the security threat associated with enabling this as well as mitigations at the firmware and platform level.”…””}”(hjéh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhjØh²hubhÞ)”}”(hŒoThere are additional attack vectors/mitigations for the kernel that should be addressed when using this option.”h]”hŒoThere are additional attack vectors/mitigations for the kernel that should be addressed when using this option.”…””}”(hj÷h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KohjØh²hubjù)”}”(hhh]”(j)”}”(hX%Boot chain security. * Attack vector: Replace the OP-TEE OS image in the rootfs to gain control of the system. * Mitigation: There must be boot chain security that verifies the kernel and rootfs, otherwise an attacker can modify the loaded OP-TEE binary by modifying it in the rootfs. ”h]”(hÞ)”}”(hŒBoot chain security.”h]”hŒBoot chain security.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Krhjubj )”}”(hhh]”(j)”}”(hŒXAttack vector: Replace the OP-TEE OS image in the rootfs to gain control of the system. ”h]”hÞ)”}”(hŒWAttack vector: Replace the OP-TEE OS image in the rootfs to gain control of the system.”h]”hŒWAttack vector: Replace the OP-TEE OS image in the rootfs to gain control of the system.”…””}”(hj!h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kthjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjubj)”}”(hŒ¬Mitigation: There must be boot chain security that verifies the kernel and rootfs, otherwise an attacker can modify the loaded OP-TEE binary by modifying it in the rootfs. ”h]”hÞ)”}”(hŒ«Mitigation: There must be boot chain security that verifies the kernel and rootfs, otherwise an attacker can modify the loaded OP-TEE binary by modifying it in the rootfs.”h]”hŒ«Mitigation: There must be boot chain security that verifies the kernel and rootfs, otherwise an attacker can modify the loaded OP-TEE binary by modifying it in the rootfs.”…””}”(hj9h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kwhj5ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjubeh}”(h]”h ]”h"]”h$]”h&]”jvŒ*”uh1j h³hÇh´Kthjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³Nh´Nubj)”}”(hXCAlternate boot modes. * Attack vector: Using an alternate boot mode (i.e. recovery mode), the OP-TEE driver isn't loaded, leaving the SMC hole open. * Mitigation: If there are alternate methods of booting the device, such as a recovery mode, it should be ensured that the same mitigations are applied in that mode. ”h]”(hÞ)”}”(hŒAlternate boot modes.”h]”hŒAlternate boot modes.”…””}”(hj^h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K{hjZubj )”}”(hhh]”(j)”}”(hŒ}Attack vector: Using an alternate boot mode (i.e. recovery mode), the OP-TEE driver isn't loaded, leaving the SMC hole open. ”h]”hÞ)”}”(hŒ|Attack vector: Using an alternate boot mode (i.e. recovery mode), the OP-TEE driver isn't loaded, leaving the SMC hole open.”h]”hŒ~Attack vector: Using an alternate boot mode (i.e. recovery mode), the OP-TEE driver isn’t loaded, leaving the SMC hole open.”…””}”(hjsh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K}hjoubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjlubj)”}”(hŒ¤Mitigation: If there are alternate methods of booting the device, such as a recovery mode, it should be ensured that the same mitigations are applied in that mode. ”h]”hÞ)”}”(hŒ£Mitigation: If there are alternate methods of booting the device, such as a recovery mode, it should be ensured that the same mitigations are applied in that mode.”h]”hŒ£Mitigation: If there are alternate methods of booting the device, such as a recovery mode, it should be ensured that the same mitigations are applied in that mode.”…””}”(hj‹h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K€hj‡ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjlubeh}”(h]”h ]”h"]”h$]”h&]”jvjSuh1j h³hÇh´K}hjZubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³Nh´Nubj)”}”(hXžAttacks prior to SMC invocation. * Attack vector: Code that is executed prior to issuing the SMC call to load OP-TEE can be exploited to then load an alternate OS image. * Mitigation: The OP-TEE driver must be loaded before any potential attack vectors are opened up. This should include mounting of any modifiable filesystems, opening of network ports or communicating with external devices (e.g. USB). ”h]”(hÞ)”}”(hŒ Attacks prior to SMC invocation.”h]”hŒ Attacks prior to SMC invocation.”…””}”(hj¯h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K„hj«ubj )”}”(hhh]”(j)”}”(hŒ‡Attack vector: Code that is executed prior to issuing the SMC call to load OP-TEE can be exploited to then load an alternate OS image. ”h]”hÞ)”}”(hŒ†Attack vector: Code that is executed prior to issuing the SMC call to load OP-TEE can be exploited to then load an alternate OS image.”h]”hŒ†Attack vector: Code that is executed prior to issuing the SMC call to load OP-TEE can be exploited to then load an alternate OS image.”…””}”(hjÄh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K†hjÀubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj½ubj)”}”(hŒèMitigation: The OP-TEE driver must be loaded before any potential attack vectors are opened up. This should include mounting of any modifiable filesystems, opening of network ports or communicating with external devices (e.g. USB). ”h]”hÞ)”}”(hŒçMitigation: The OP-TEE driver must be loaded before any potential attack vectors are opened up. This should include mounting of any modifiable filesystems, opening of network ports or communicating with external devices (e.g. USB).”h]”hŒçMitigation: The OP-TEE driver must be loaded before any potential attack vectors are opened up. This should include mounting of any modifiable filesystems, opening of network ports or communicating with external devices (e.g. USB).”…””}”(hjÜh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K‰hjØubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj½ubeh}”(h]”h ]”h"]”h$]”h&]”jvjSuh1j h³hÇh´K†hj«ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³Nh´Nubj)”}”(hX‡Blocking SMC call to load OP-TEE. * Attack vector: Prevent the driver from being probed, so the SMC call to load OP-TEE isn't executed when desired, leaving it open to being executed later and loading a modified OS. * Mitigation: It is recommended to build the OP-TEE driver as builtin driver rather than as a module to prevent exploits that may cause the module to not be loaded. ”h]”(hÞ)”}”(hŒ!Blocking SMC call to load OP-TEE.”h]”hŒ!Blocking SMC call to load OP-TEE.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KŽhjüubj )”}”(hhh]”(j)”}”(hŒ´Attack vector: Prevent the driver from being probed, so the SMC call to load OP-TEE isn't executed when desired, leaving it open to being executed later and loading a modified OS. ”h]”hÞ)”}”(hŒ³Attack vector: Prevent the driver from being probed, so the SMC call to load OP-TEE isn't executed when desired, leaving it open to being executed later and loading a modified OS.”h]”hŒµAttack vector: Prevent the driver from being probed, so the SMC call to load OP-TEE isn’t executed when desired, leaving it open to being executed later and loading a modified OS.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjubj)”}”(hŒ£Mitigation: It is recommended to build the OP-TEE driver as builtin driver rather than as a module to prevent exploits that may cause the module to not be loaded. ”h]”hÞ)”}”(hŒ¢Mitigation: It is recommended to build the OP-TEE driver as builtin driver rather than as a module to prevent exploits that may cause the module to not be loaded.”h]”hŒ¢Mitigation: It is recommended to build the OP-TEE driver as builtin driver rather than as a module to prevent exploits that may cause the module to not be loaded.”…””}”(hj-h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K”hj)ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjubeh}”(h]”h ]”h"]”h$]”h&]”jvjSuh1j h³hÇh´Khjüubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”jYjZj[hj\j]uh1jøhjØh²hh³hÇh´KrubhÉ)”}”(hhh]”(hÎ)”}”(hŒ References”h]”hŒ References”…””}”(hjVh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjSh²hh³hÇh´K™ubhÞ)”}”(hŒ&[1] https://github.com/OP-TEE/optee_os”h]”(hŒ[1] ”…””}”(hjdh²hh³Nh´NubhŒ reference”“”)”}”(hŒ"https://github.com/OP-TEE/optee_os”h]”hŒ"https://github.com/OP-TEE/optee_os”…””}”(hjnh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jpuh1jlhjdubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K›hjSh²hubhÞ)”}”(hŒH[2] http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html”h]”(hŒ[2] ”…””}”(hjƒh²hh³Nh´Nubjm)”}”(hŒDhttp://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html”h]”hŒDhttp://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html”…””}”(hj‹h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”juh1jlhjƒubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhjSh²hubhÞ)”}”(hŒ![3] drivers/tee/optee/optee_smc.h”h]”hŒ![3] drivers/tee/optee/optee_smc.h”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KŸhjSh²hubhÞ)”}”(hŒ![4] drivers/tee/optee/optee_msg.h”h]”hŒ![4] drivers/tee/optee/optee_msg.h”…””}”(hj®h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¡hjSh²hubhŒdefinition_list”“”)”}”(hhh]”hŒdefinition_list_item”“”)”}”(hŒ|[5] http://www.globalplatform.org/specificationsdevice.asp look for "TEE Client API Specification v1.0" and click download. ”h]”(hŒterm”“”)”}”(hŒC[5] http://www.globalplatform.org/specificationsdevice.asp look for”h]”(hŒ[5] ”…””}”(hjÉh²hh³Nh´Nubjm)”}”(hŒ6http://www.globalplatform.org/specificationsdevice.asp”h]”hŒ6http://www.globalplatform.org/specificationsdevice.asp”…””}”(hjÑh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jÓuh1jlhjÉubhŒ look for”…””}”(hjÉh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÇh³hÇh´K¤hjÃubhŒ definition”“”)”}”(hhh]”hÞ)”}”(hŒ7"TEE Client API Specification v1.0" and click download.”h]”hŒ;“TEE Client API Specification v1.0†and click download.”…””}”(hjïh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¤hjìubah}”(h]”h ]”h"]”h$]”h&]”uh1jêhjÃubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÁh³hÇh´K¤hj¾ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼hjSh²hh³hÇh´NubhÞ)”}”(hŒU[6] https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html”h]”(hŒ[6] ”…””}”(hjh²hh³Nh´Nubjm)”}”(hŒQhttps://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html”h]”hŒQhttps://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”juh1jlhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K¦hjSh²hubeh}”(h]”Œ references”ah ]”h"]”Œ references”ah$]”h&]”uh1hÈhjØh²hh³hÇh´K™ubeh}”(h]”Œ(optee-insecure-load-image-kconfig-option”ah ]”h"]”Œ(optee_insecure_load_image kconfig option”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´Kfubeh}”(h]”Œ2op-tee-open-portable-trusted-execution-environment”ah ]”h"]”Œ4op-tee (open portable trusted execution environment)”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jgŒerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jAj>jÖjÓjÕjÒj9j6j1j.uŒ nametypes”}”(jA‰jÖ‰jÕ‰j9‰j1‰uh}”(j>hÊjÓj²jÒjÙj6jØj.jSuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.