Testing the security of an OP-TEE installation
optee-security-test tests the behavior of an OP-TEE client when trying to run a trusted application (TA) signed with an incorrect key. The TA must not be executed in this case and the client API is expected to return a specific error.
test-app is an OP-TEE client application that is called in the REE. It in turn invokes a TA (mock-ta) in the TEE. mock-ta receives a value from the test-app, just multiplies it by a constant, and returns it. The mock-ta should work correctly because it was signed with the correct key that matches the OP-TEE OS.
fake-ta contains the same program code as mock-ta and has the same UUID. The only difference is that it was signed with a key that doesn't match the OP-TEE OS. The test-app only calls the TA using the UUID and doesn't care about signatures. The OP-TEE OS must recognize the invalid signature of the fake-ta, refuse execution of the fake-ta and return the error TEE_ERROR_SECURITY, which is then forwarded to the test-app.
The run-test script runs the test on the target or in QEMU. It calls the test-app three times and always copies mock-ta or fake-ta to the TA folder of the file system beforehand. The second time (with fake-ta) it expects the error code TEE_ERROR_SECURITY (0xffff000f).
[peter@PC1 ~]$ ssh [email protected]
# ./run-test
call whith: mock-ta
value after invocation: 1230
test result: passed
call whith: fake-ta
TEEC_OpenSession failed with code 0xffff000f origin 0x3
test result: passed
call whith: mock-ta
value after invocation: 1230
test result: passed
overall test result: passed
#
So far the Raspberry Pi 4 and QEMU are supported. It shouldn't be difficult to adapt the setup to more platforms supported by OP-TEE. Each platform requires a suitably built OP-TEE OS and a special bootloader. Furthermore, the OP-TEE client library and a Linux kernel with OP-TEE driver are required.
The Raspberry Pi 4 is not yet officially supported by OP-TEE, but the RPi3 is. So I provisionally adapted the RPi3 porting to the RPi4. A few extensions were also required in the ARM Trusted Firmware. To run optee-security-test on the RPi4, first build the forks according to these building instructions.
Once you get OP-TEE working on the RPi4, build the apps with mk-rpi4. Call inst-rpi to load the apps onto the RPi. On the RPi, call run-test as shown above.
A good guide to get OP-TEE working in QEMU can be found here. Once you've done that, build the apps with mk-qemu. Call start-qemu. In QEMU, call run-test like this:
Welcome to Buildroot, type root or test to login
buildroot login: root
# cd /mnt/host/build/qemu
# ../../run-test