OP-TEE: Open Portable Trusted Execution Environment
Applies to the Jetson AGX Thor series, the Jetson AGX Orin series, the Jetson Orin NX series, and the Jetson Orin Nano series.
Open Portable Trusted Execution Environment (OP-TEE) is an open-source trusted execution environment (TEE) based on Arm® TrustZone® technology, created by trustedfirmware.org, and maintained by Linaro.
The OP-TEE framework combines two major components: optee_os, which is the trusted side of the TEE (the secure world), and optee_client, which is the untrusted, or “normal,” side of the TEE (the normal world).
optee_os is a TEE operating system running at ARMv8 secure EL-1 level. It provides generic OS-level functions like interrupt handling, thread handling, crypto services, and shared memory. It implements the GlobalPlatform TEE Internal Core API. You can use this API to build Trusted Applications (TAs) that run in the secure world at ARMv8 secure EL-0 level.
optee_client has three components: a normal-world user-space library, a normal-world PKCS #11 crypto interface library, and a normal-world user-space daemon.
The library libteec.so implements the GlobalPlatform TEE Client API, which defines the interface that normal-world Client Applications (CAs) use to communicate with the TA in the secure world.
The library libckteec.so implements the PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 based on the TEE Client API and a PKCS #11 TA.
The daemon tee-supplicant implements some miscellaneous features for OP-TEE, such as file system access to load the TAs from the normal-world file system into the secure world.
OP-TEE Documentation is available on the Web. The documentation source files are in ReStructuredText (RST) format, and are available from the OPTEE/optee_docs project on GitHub.
The OP-TEE project also provides a sanity test suite, optee_test, which offers thousands of tests, collectively known as xtest. See the optee_test project itself and the optee_test documentation for more information.
OP-TEE in Jetson Linux
OP-TEE in NVIDIA® Jetson™ Linux enables you to boot OP-TEE on supported Jetson devices. The version of OP-TEE in NVIDIA® Jetson™ Linux 39.2 is v4.6.0. The following sections explain how to set up and use OP-TEE.
This topic uses some terms that are specific to trusted applications and OP-TEE in particular:
ATF: Arm Trusted Firmware.
CA: Client Application.
TA: Trusted Application; any application that runs within OP-TEE.
TEE: Trusted Execution Environment, the secure environment provided by OP-TEE for running trusted applications.
TOS: An acronym for “Trusted OS.” OP-TEE is a TOS supported by Jetson Linux.
The following sections cover OP-TEE on Jetson in depth:
Architecture — how OP-TEE partitions normal-world and secure-world components and how requests flow between them.
Trusted Application and Client Application Development — TA/CA working model, cross-compiling, implementing or porting TAs, signing, and subkeys.
EKB: Encrypted Key Blob — EKB terminology, key hierarchy, format, generation, extraction, and SE keyslot clearing.
Sample Applications — the jetson-user-key PTA, hwkey-agent, luks, and cpubl-payload-dec sample CAs and TAs.
PKCS #11 Support in OP-TEE — Cryptoki introduction, the OP-TEE implementation, the PKCS #11 TA, and the sample CA.