TEE Security

TEE Security Integration

TEE Security

TEE Security Integration

Trusted Execution Environment (TEE) is a rapidly evolving set of security technologies that is becoming a standard in almost all devices. Offcode has a broad support for various TEE environments and components, such as Trusty TEE and OP-TEE. Arm Trusted Firmware (ATF) integration and other important security aspects are professionally prepared. Any worries regarding TEE? Have a chat with us! Talk is cheap!

If your TEE integration starts taking more time than a few months, you should think about alternative approaches. Don't let your product launches be delayed due to a TEE problem. Guaranteed, it's easy to spend time with TEE and not making any progress. It's even possible that the path you have chosen is impossible to implement.

Below is an example problem. We'll have an answer after the traces below.

E/LD:  copy_section_headers:896 sys_copy_from_ta_bin
E/TC:? 0 init_with_ldelf:232 ldelf failed with res: 0xf0100003
D/TC:? 0 tee_ta_close_session:499 csess 0x<address> id 1
D/TC:? 0 tee_ta_close_session:518 Destroy session
D/TC:? 0 destroy_context:298 Destroy TA ctx (0x<address>)
D/TC:? 0 tee_ta_close_session:499 csess 0x<address> id 1
D/TC:? 0 tee_ta_close_session:518 Destroy session
E/TC:? 0 tee_ta_open_session:728 Failed. Return error 0xf0100003
/usr/src/debug/optee-test/git/host/xtest/regression_4000.c:3984: xtest_teec_open_session(&session, &crypt_user_ta_uuid, ((void *)0), &ret_orig) has an unexpected value: 0xf0100003 = TEE_ERROR_STORAGE_NOT_AVAILABLE, expected 0x0 = TEEC_SUCCESS
 regression_4006 FAILED

The problem here is that the default OP-TEE path, which points to /data/tee, is at a read-only partition. Thus, the TEE_ERROR_STORAGE_NOT_AVAILABLE message will be there every time. Mount it on a writable partition or make the CFG_TEE_FS_PARENT_PATH in optee_client package point to another location. The good news is that if you got this far, you're almost finished.

Let's check another kind of problem. Kernel oopses and the complete system halts every time you try to access some of the functions. What could be the medicine?

Unable to handle kernel paging request at virtual address <address>

PC is at tee_shm_get_va+0x1c/0x58
LR is at optee_handle_rpc+0x68/0x650


Well, your ATF might be too old and might not contain the relevant errata fixes. Another, more likely issue is that the shared memory between the OP-TEE and userspace is misconfigured. For example, if the shared memory is not reserved in the device tree, it could be used by any piece of software. This will conflict and cause kernel paging requests to fail as memory corruption is guaranteed. Please check the kernel reserved memory doc. Make sure you reserve the TEE shared memory so that no other modules can access it. Some of the OP-TEE modules might amend the kernel command line automatically so that the region is automaticaly reserved. By default, this feature is disabled (March, 2020).

Contact information