The Sequitur Labs port of Linaro’s OP-TEE environment to the Raspberry Pi 3 aims to encourage prototyping of ARM TrustZone hardware security on IoT devices.
Linaro’s three-year-old OP-TEE, an open source implementation of the TEE (Trusted Execution Environment) for ARM TrustZone, is now available on its lowest-cost platform yet: the Raspberry Pi 3. Sequitur Labs worked with the ARM-backed not-for-profit development firm Linaro and its Linaro Security Working Group (SWG) to bring the technology to Pi 3 developers, so they can learn about ARM TrustZone and begin developing trusted applications for it.
Linaro OP-TEE architecture
ARM TrustZone, which Sequitur Labs describes as an on-chip “security enclave” that provides hardware isolation and protection for cryptographic keys, algorithms, and sensitive data, partitions the processor into a secure world and a normal world and is widely used in mobile devices and set-top boxes. Now ARM and Linaro want to expand TrustZone’s use in embedded IoT devices. The Sequitur Labs port appears to be a version of its own Core-TEE platform, which is itself based on OP-TEE, judging from the almost identical architecture diagrams (see above and below).
Sequitur Labs Core-TEE architecture
As part of the port, Sequitur Labs added a modified U-Boot boot process, “making bare-metal debugging easy for developers via JTAG,” says the company. “This level of access makes it possible to investigate the Pi 3 in a very controlled state while having access to all the various parameters.”
Raspberry Pi 3
The 64-bit images run on a Raspberry Pi 3 with a spare microSD card; bare-metal debugging over JTAG additionally requires a Bus Blaster debug adapter and a custom cable. Linaro is providing tutorials and other components, and will offer support via the Linaro forums.
Linaro’s OP-TEE is based on TEE technology from STMicroelectronics (ST), which in turn was based on the original TEE defined by GlobalPlatform and the OMTP standardization forum. A TEE such as OP-TEE is a small OS-like environment that runs in TrustZone’s secure world, alongside a rich OS such as Android or Linux in the normal world.
The TEE keeps secret credentials, and the operations performed on them, inside the secure world rather than exposing them to malware in the rich OS. TrustZone supplies the hardware isolation; the TEE uses it to move narrowly defined sensitive functions out of the rich OS and into trusted applications, which the rich OS can reach only through a command interface that the trusted application validates. (For more on TEE, see our previous Linaro SWG coverage.)
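The following is an added illustration of what “offloading a sensitive function into a trusted application” means in practice; it is not code from OP-TEE, Linaro or Sequitur Labs. It models a trusted application that verifies a PIN and enforces a retry limit, so that neither the PIN nor the attempt counter is ever readable from the rich OS, which only learns the yes/no result. The entry point has the shape of a GlobalPlatform TA_InvokeCommandEntryPoint(), but the TEE_* types, macros and constants are reduced local stand-ins so the file compiles without the OP-TEE SDK (in a real TA they come from tee_internal_api.h, and the PIN would live in secure storage rather than a static array). The command id, the sample PIN and the normal-world caller are constructed for this example.

```c
/* Added example: a trusted application (TA) command handler in the shape of
 * OP-TEE's GlobalPlatform TEE Internal API, plus a stand-in normal-world
 * caller. The TEE_* definitions below are local stand-ins (assumed) so this
 * compiles without the OP-TEE SDK. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* --- stand-ins for GlobalPlatform TEE Internal API definitions --- */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000
#define TEE_ERROR_ACCESS_DENIED  0xFFFF0001
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006
#define TEE_ERROR_NOT_SUPPORTED  0xFFFF000A

#define TEE_PARAM_TYPE_NONE          0
#define TEE_PARAM_TYPE_VALUE_OUTPUT  2
#define TEE_PARAM_TYPE_MEMREF_INPUT  5
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))

typedef union {
    struct { void *buffer; size_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

/* --- the trusted application (secure world) --- */
#define TA_CMD_VERIFY_PIN 0   /* hypothetical command id for this example */
#define PIN_LEN 6
#define MAX_ATTEMPTS 5

/* Secret state that exists only in secure-world memory (constructed values). */
static const uint8_t stored_pin[PIN_LEN] = { '4', '8', '2', '9', '1', '7' };
static uint32_t attempts_left = MAX_ATTEMPTS;

/* Compare with no early exit so timing does not reveal how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Same shape as TA_InvokeCommandEntryPoint(): param[0] = PIN (memref in),
 * param[1] = result (value out: a = matched, b = attempts left). */
TEE_Result ta_invoke_command(uint32_t cmd_id, uint32_t param_types, TEE_Param params[4])
{
    if (cmd_id != TA_CMD_VERIFY_PIN)
        return TEE_ERROR_NOT_SUPPORTED;

    /* Validate the parameter layout before touching any parameter. */
    const uint32_t expected = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
                                              TEE_PARAM_TYPE_VALUE_OUTPUT,
                                              TEE_PARAM_TYPE_NONE,
                                              TEE_PARAM_TYPE_NONE);
    if (param_types != expected)
        return TEE_ERROR_BAD_PARAMETERS;
    if (params[0].memref.buffer == NULL || params[0].memref.size != PIN_LEN)
        return TEE_ERROR_BAD_PARAMETERS;

    if (attempts_left == 0) {
        params[1].value.a = 0;
        params[1].value.b = 0;
        return TEE_ERROR_ACCESS_DENIED;   /* locked out; only the TA can reset this */
    }

    /* Copy the input out of shared memory once: the rich OS can modify a shared
     * buffer while the TA is reading it, so never check and then re-read it. */
    uint8_t pin[PIN_LEN];
    memcpy(pin, params[0].memref.buffer, PIN_LEN);

    if (ct_equal(pin, stored_pin, PIN_LEN)) {
        attempts_left = MAX_ATTEMPTS;
        params[1].value.a = 1;
    } else {
        attempts_left--;
        params[1].value.a = 0;
    }
    params[1].value.b = attempts_left;
    memset(pin, 0, sizeof pin);
    return TEE_SUCCESS;
}

/* --- normal-world client (rich OS side) --- */
/* What a client does after TEEC_OpenSession(), reduced to a direct call because
 * there is no secure monitor here; a real client would use TEEC_InvokeCommand().
 * Returns 1 on a matching PIN, 0 otherwise; *left receives attempts remaining. */
int client_verify_pin(const char *pin, uint32_t *left)
{
    TEE_Param params[4];
    memset(params, 0, sizeof params);
    params[0].memref.buffer = (void *)pin;
    params[0].memref.size = strlen(pin);
    uint32_t types = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
                                     TEE_PARAM_TYPE_VALUE_OUTPUT,
                                     TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);
    TEE_Result r = ta_invoke_command(TA_CMD_VERIFY_PIN, types, params);
    if (left)
        *left = params[1].value.b;
    return r == TEE_SUCCESS && params[1].value.a == 1;
}
```

The security-relevant details are on the TA side: the parameter-type check before any parameter is dereferenced, the length check on the shared buffer, the single copy out of shared memory before use, the constant-time compare, and the lockout counter that the rich OS can observe but not reset. A trusted application that skips any of these is exactly as exposed as the rich-OS code it was meant to replace.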
“It is critical for IoT devices that security be built-in, not bolted on,” stated Philip Attfield, CEO of Sequitur Labs. “This begins with educating developers and makers and enabling them with the right tools. A practical bonus is that trusted applications they build for OP-TEE on the Raspberry Pi could be deployed on other TrustZone enabled chips.”
“Enabling the open source Trusted Execution Environment, OP-TEE, on the new Raspberry Pi 3 will allow IoT developers and students to learn the concepts of a GlobalPlatform TEE and how to develop trusted code on ARM Cortex-A processors,” stated Rob Coombs, director of security marketing, ARM. “It will enable the development of IoT devices with a deeper level of protection.”
The version of OP-TEE for the Raspberry Pi 3 will be available July 11 as a free download. More information may be found on this GitHub page, and source code will become available on this separate GitHub page on July 11. More information about the Sequitur Labs Core-TEE platform may be found here.