Saturday 18 June 2016

Trusted Execution Environment on seL4 [UPDATE 2]

In this post I will explain my progress since the previous update and also give some high-level insight into what the architecture will look like.

After speaking with my mentors Stefan and Hesham, we decided it would be best to first have a fully working proof of concept of the TEE and then add depth in the form of libraries.

A high-level flowchart of the execution would look something like this:

[Flowchart]
Some properties would be:
  • The tee-container is the main process: it boots first and spawns the Rich OS and the TAs.
  • All components have separate CSpaces and VSpaces, so they are isolated from each other.
  • For the sake of demonstration, the Rich OS and client apps are very simple programs used just to test the communication.
I have built all three components, along with simple APIs for the client and the TA similar to what OP-TEE provides.

The sample TA provides two functions: one for encrypting a string and the other for incrementing a number.

The client will look like this:

The output is:

For the sake of demonstration, the encrypt function on the TA is a simple Caesar cipher; later on I will port the libtomcrypt library.
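To make the call path concrete, here is an added sketch (not code from the sel4-tee-os repository) of the two sample TA commands as a GlobalPlatform-style command dispatcher, with the client-side marshalling beside it. The command ids, the parameter struct and the function names are assumptions; the point worth noting is that the TA checks the buffer sizes handed to it by the Rich OS before it writes anything.

```c
#include <stdint.h>
#include <string.h>
/* Assumed command ids, param layout and names (not the sel4-tee-os API); TEE_* codes are GP's. */
#define TA_CMD_ENCRYPT           1u
#define TA_CMD_INCREMENT         2u
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_NOT_SUPPORTED  0xFFFF000Au
#define TEE_ERROR_SHORT_BUFFER   0xFFFF0010u
typedef struct {                  /* one slot shaped like GP TEE_Param: a shared buffer or two values */
    struct { char *buffer; size_t size; } memref;
    struct { uint32_t a, b; } value;
} ta_param_t;
/* Caesar-shift ASCII letters only; every other byte is copied through unchanged. */
static void caesar(const char *in, char *out, size_t len, uint32_t shift) {
    for (size_t i = 0; i < len; i++) {
        char c = in[i], base = (c >= 'a' && c <= 'z') ? 'a' : (c >= 'A' && c <= 'Z') ? 'A' : 0;
        out[i] = base ? (char)(base + (c - base + shift) % 26) : c;
    }
}
/* TA-side dispatcher. params[] arrive from the Rich-OS client in another CSpace/VSpace,
 * so every pointer and size is untrusted and is validated before the TA touches memory. */
uint32_t ta_invoke_command(uint32_t cmd, ta_param_t params[4]) {
    switch (cmd) {
    case TA_CMD_ENCRYPT: {        /* [0] = plaintext memref, [1] = output memref, [2].a = shift */
        const char *in = params[0].memref.buffer; size_t len = params[0].memref.size;
        char *out = params[1].memref.buffer;
        if (in == NULL || out == NULL)       return TEE_ERROR_BAD_PARAMETERS;
        if (params[1].memref.size < len + 1) return TEE_ERROR_SHORT_BUFFER; /* room for NUL */
        caesar(in, out, len, params[2].value.a % 26);
        out[len] = '\0'; return TEE_SUCCESS;
    }
    case TA_CMD_INCREMENT:        /* [0].a is the number, updated in place */
        params[0].value.a += 1; return TEE_SUCCESS;
    default: return TEE_ERROR_NOT_SUPPORTED;
    }
}
/* Client-side view of the two calls, i.e. what the client library marshals before the IPC. */
static char demo_out[32];         /* constructed scratch buffer for the sample encrypt call */
uint32_t client_encrypt(const char *msg, uint32_t shift, char *out, size_t cap) {
    ta_param_t p[4]; memset(p, 0, sizeof p);
    p[0].memref.buffer = (char *)msg; p[0].memref.size = strlen(msg);
    p[1].memref.buffer = out;         p[1].memref.size = cap;
    p[2].value.a = shift;
    return ta_invoke_command(TA_CMD_ENCRYPT, p);
}
uint32_t client_increment(uint32_t v) {           /* returns the TA-updated number */
    ta_param_t p[4]; memset(p, 0, sizeof p); p[0].value.a = v;
    return ta_invoke_command(TA_CMD_INCREMENT, p) == TEE_SUCCESS ? p[0].value.a : v;
}
```

Encrypting "hello, world" with shift 3 through `client_encrypt` yields "khoor, zruog"; an output buffer that is too small is rejected with TEE_ERROR_SHORT_BUFFER instead of being overrun.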

The features which work now are:
  • Communication from the client OS, with isolation of all components
  • Passing and receiving complex parameters of any type
  • Multiple TAs (not tested extensively)
  • Multiple function calls to a TA
  • Client and TA libraries
I can conclude that the skeleton and structure of the seL4 TEE-OS are ready.
The tasks for the future are:
  • Study the GlobalPlatform specifications and bring sel4-tee-os into compliance with them.
  • Provide APIs for secure storage and crypto.
  • Try sel4-tee-os on the seL4 port to RISC-V.

References:
GitHub: https://github.com/hybridNeo/sel4-tee-os