Security Features-Qualcomm TEE
Introduction
The Qualcomm Trusted Execution Environment (TEE) is a software implementation that runs within the Arm TrustZone environment on the Dragonwing IQ-9075. The TrustZone is a hardware-based security architecture enabled through a Secure mode of the Arm processor. It establishes two execution environments with hardware-enforced isolation across the entire system. Qualcomm offers a 64-bit Armv8.x processor system with hardware virtualization to run TrustZone. There are two different security states implemented in this architecture:
- Secure: Qualcomm TEE and trusted applications operate in this state.
- Non-secure: Linux operates in this mode of the Arm core.
The Secure mode is the core concept behind TrustZone and its architecture. Its exception levels and their key components are:
| Exception Level | Secure Mode | Non-Secure Mode |
|---|---|---|
| EL0 | Qualcomm TEE and Trusted Applications |
Linux user space:
|
| EL1 | Qualcomm TEE Mink | Linux kernel space:
|
| EL2 | - | Qualcomm Hypervisor |
| EL3 | Secure Monitor | - |
The system can operate either in a secure or non-secure state at exception levels EL0, EL1, and EL2, while EL3 will always run in the secure state.
Exception Level 0
Non-Secure mode
This user space includes the primary security modules in the Linux user space, such as:
- Mink-Linux
- Provides services and serves as the transport mechanism to use the Qualcomm TEE capabilities through trusted applications.
- Provides system listener services, intended as an extension to Qualcomm TEE functionality.
- Implements the global platform TEE client APIs for running global platform-based trusted applications through
libGPTEECandlibMTEEClibraries. - Implements client applications in the Linux user space and interacts with TAs that operate in the Qualcomm TEE. This may include:
- Client application developed using mink APIs
- Global platform-based client application
- Client application developed using the global platform-based TEE client API specification.
- Key management:
libckteeccryptographic library, which interfaces with the PKCS#11 interface of TEE. User space applications running on Linux can use this library for direct access to the PKCS#11 interface.- The
libckteeclibrary also defines the interface between an application and a cryptographic device. This means cryptographic devices can be treated as tokens by the application and can perform cryptographic functions as implemented by these tokens. - There are multiple cryptographic services for encryption, decryption, signature generation, signature verification, and permanent key storage provided by the PKCS#11 interface.
Secure mode
The Qualcomm TEE SDK runs at this level. Qualcomm offers this software development kit to build and develop trusted applications. The SDK already includes the necessary build system, header files, and library dependencies to compile trusted applications.
Trusted Applications
Trusted applications (TA) offer services within a secure environment for Linux clients operating in the non-secure world. Qualcomm TEE adds services to TAs such as:
- Support for TAs to operate in EL0 secure mode: Trusted Applications run in Secure EL0 (user mode), providing isolation from the secure kernel while still accessing secure services through controlled interfaces.
- Sand-boxing environment for TAs: Trusted Applications execute in isolated environments that prevent direct access to other TAs' memory or resources. Communication with other authorized TAs is still possible through secure inter-TA mechanisms such as QTEE IPC.
- Position-independent loading of TAs: Trusted Applications are loaded independently of a fixed memory address, allowing the secure loader to place them anywhere within the allocated secure memory region.
- Message passing between different TAs: Trusted Applications can securely invoke services exposed by other TAs entirely within the secure world, without passing through the non-secure operating system.
TAs operate from hardware-protected memory. However, the applications that require more memory can use double data rate (DDR) memory for loading and running. TAs are set to run from hardware-protected memory by default.
Exception Level 1
Non-Secure mode
The EL1 non-secure mode provides security-specific kernel drivers for the Linux kernel space, such as:
- QCOMTEE driver:
- The driver extends the subsystem's functionality to support the Qualcomm-specific requirements, although, is also integrated into the standard Linux TEE subsystem.
- The driver source is located at
drivers/tee/qcomtee/. - The driver identifier value for QCOMTEE within the TEE subsystem is typically 3, a unique value to differentiate it from the OP-TEE(1) and the AMD-TEE(2).
- The QCOMTEE driver has a mink IPC layer on top of it, as the standard TEE subsystem does not support object-based IPC natively. This introduces generic object abstractions that can be referenced using specific IOCTLs.
- Communication architecture:
- User space: Applications use the MTEEC (mink TEE client) library or minkipc to interact with objects.
- TEE Subsystem: The use of standard IOCTLs is implemented as long as possible, as new IOCTLs are implemented in order to handle object-specific logic.
- QCOMTEE Driver: It translates and packages Linux-side arguments into a format compatible with the Qualcomm Trusted Execution Environment (QTEE).
- Qualcomm TEE: Receives requests and executes TA logic as requested.
Secure mode
The Qualcomm TEE mink is responsible for the message passing across different domains such as the kernel domain or the user domain. Software may run in one or more communicating domains, requiring code execution to invoke objects located in a different domain. These domains vary in their ability to access memory and other system resources:
- The kernel domain executes at secure EL1 and has complete control over the system resources.
- The user domains run at secure EL0 and have restricted access to system resources.
The Qualcomm TEE mink allows for precise control over the access granted to a process.
Exception Level 2
Non-Secure mode
The Qualcomm Hypervisor runs at this level, a modern virtualization framework that allows multiple operating systems to run independently and concurrently, with high performance. It also enables the hosting of multiple TEEs for secure use cases. The Qualcomm Type-1 Hypervisor provides the following features:
- Enhanced security compared to Type-2 (hosted) hypervisors.
- Multi-core, real-time operations independent of Linux.
- Operates independently and with higher privileges than Linux
- Minimal impact on performance.
Secure mode
There is not a secure mode app specifically for this level, yoy can see more information on Qualcomm's Official documentation.
Exception Level 3
Secure mode
The Secure Monitor runs at this level, a component of TrustZone that is responsible for the transitions between secure and non-secure modes. It operates in Monitor mode, which can be activated from a privileged Arm mode. It also ensures correct context saving and restoration when switching between the non-secure and secure modes. Additionally, it handles the initial processing of secure interrupts.
Security APIs
Trusted and client applications can be developed and executed using the default files provided by the GlobalPlatform interface. Trusted applications run within the Trusted Execution Environment (TEE), where they benefit code and data integrity and protection. In contrast, client applications execute in the normal operating system and interact with trusted applications through TEE client APIs to access secure services. This feature is available to licensed developers with authorized access to develop and execute trusted applications and client applications. If you have access, see Qualcomm's Official Documentation for more information.
For development involving hardware-backed attestation, zero-touch device provisioning, or management of chipset-specific features, Qualcomm provides additional support through the Qualcomm Linux Wireless Edge Services. This feature is available to licensed developers with authorized access. If you have access, see Qualcomm's Official Documentation for more information.
The security APIs provide the possibility of interacting with both the Linux kernel and underlying hardware components. They also enable access to a range of software services that can operate within a Trusted Execution Environment (TEE). The available APIs are:
- User-Space API: provide the interface through which the Linux operating system communicates with kernel-level functionality. This feature is available to licensed developers with authorized access. If you have access, see Qualcomm's Official Documentation for more information.
- Kernel APIs: provide interaction between Qualcomm Linux software and device hardware.
- Cryptographic APIs: The
qcrypto.kodriver is located at/lib/modules/<version>/kernel/drivers/crypto/qceenabling kernel-level and user-level APIs to access the crypto engine. For APIs, see the kernel crypto documentation. The supported cryptographic algorithms are supported- RFC 4309 (CCCM (AES))
- CCM (AES)
- Authenc (HMAC (SHA-256), CBC (AES))
- Authenc (HMAC (SHA-256), CBC (DES3_EDE))
- Authenc (HMAC (SHA-256), CBC (DES))
- Authenc (HMAC (SHA-1), CBC (DES3_EDE))
- Authenc (HMAC (SHA-1), CBC (DES))
- HMAC (SHA-256)
- HMAC (SHA-1)
- SHA-256
- SHA-1
- CBC (DES3_EDE)
- ECB (DES3_EDE)
- CBC (DES)
- ECB (DES)
- XTS (AES)
- CTR (AES)
- CBC (AES)
- ECB (AES)
- Hardware random generator APIs: provide support for a true random number generator (TRNG) through the
qcom-rngLinux driver. This driver integrates with the kernel cryptographic framework to supply random data via the kernel's random number generation APIs. In user space, applications can access hardware-generated random numbers through the/dev/hwrngdevice interface. This feature is available to licensed developers with authorized access. If you have access, see Qualcomm's Official Documentation for more information.
- Qualcomm TEE APIs: Qualcomm TEE includes a set of APIs that provide essential services for secure applications operating within the Trusted Execution Environment. These APIs support capabilities such as memory allocation and management, logging, secure storage access, communication with listeners, and a variety of cryptographic and hashing operations. This feature is available to licensed developers with authorized access. If you have access, see Qualcomm's Official Documentation for more information.
Configuring Qualcomm TEE
Maintaining the security, compliance, performance, and flexibility of devices that manage sensitive data and run trusted applications requires proper Qualcomm TEE configuration. These configurations are adjusted through the device configuration (devcfg) framework, which provides a centralized mechanism for managing device-specific settings.
Compile devcfg image from TrustZone
The TrustZone sources are included in within the firmware source components for the Qualcomm Linux 1.8 installation guide. The TrustZone sources will be found in the following path (Refer to the Qualcomm Linux 1.8 Build Guide to see which firmware distributions are available):
export FIRMWARE_ROOT=$HOME/firmware-dir/ export FIRMWARE_DISTRO=<your-distro-of-choice> $FIRMWARE_ROOT/$FIRMWARE_DISTRO
1. Select your desired TrustZone version. For this guide, the TZ.XF.5.29.1 version will be used, but you can modify the command with the correspondent version:
export TRUSTZONE_PATH=$FIRMWARE_ROOT/$FIRMWARE_DISTRO/TZ.XF.5.29.1
2. Select the desired configuration options that TrustZone offers through the built-in devcfg.mbn XML files. For example, $TRUSTZONE_PATH/trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/lemans/oem_config.xml. The full list of configuration parameters is mentioned later in this wiki.
3. The devcfg_iot.mbn file is not generated by default. Apply the following patch to the $TRUSTZONE_PATH/trustzone_images/build/ms/build_config_deploy_lemans.xml file to generate it:
trustzone_images/build/ms/build_config_deploy_lemans.xml @@ -60,9 +60,12 @@ <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_auto_sgvm"> <artifact name="devcfg_auto_sgvm"/> </alias> + <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_iot"> + <artifact name="devcfg_iot"/> + </alias>
4. Compile the devcfg image from TZ.XF.5.29.1:
cd $TRUSTZONE_PATH/trustzone_images/build/ms export SECTOOLS=$FIRMWARE_ROOT/$FIRMWARE_DISTRO/QCS9100.LE.1.0/common/sectoolsv2/ext/Linux/sectools python3 build_all.py -b TZ.XF.5.0 CHIPSET=lemans devcfg_iot --cfg=build_config_deploy_lemans.xml
This step generates the devcfg.mbn images at $TRUSTZONE_PATH/trustzone_images/build/ms/bin/MAKAANAA, build flavor corresponding to the Dragonwing IQ-9075.
5. Replace the devcfg_iot.mbn file located at $WORK_DIR/build-qcom-wayland/tmp-glibc/deploy/images/qcs9075-iq-9075-evk/ with the generated devcfg_iot.mbn binary with the selected TrustZone options.
6. Flash the device configuration binary alongside all other binaries to the device following the Flashing an Image Guide.
Configuration parameters
Use the configuration parameters listed in the following table to customize the device as needed.
| Configuration parameter | Description |
|---|---|
OEM_pil_secure_app_load_region_size
|
Customizes the TA load region size. Must remain synchronized with the memory map used by TrustZone; otherwise TA loading may fail. |
OEM_pil_subsys_load_region_start
|
Customizes the PIL image load start address when the default memory map is modified. |
OEM_pil_subsys_load_region_size
|
Customizes the PIL image load region size when the default memory map changes. |
OEM_enable_app_fatal_err
|
Forces a TrustZone system fatal error when a specified trusted application crashes. |
OEM_crash_ta_name
|
Specifies the TA name whose crash should trigger a secure kernel crash. Can be configured as * to trigger on any TA crash.
|
OEM_sec_wdog_bark_time
|
Configures the secure watchdog bark timeout. |
OEM_sec_wdog_bite_time
|
Configures the secure watchdog bite timeout. |
OEM_tz_log_level
|
Sets the TrustZone logging level: Fatal (0), Error (1), Debug (2). |
OEM_allow_rpmb_key_provision
|
Allows RPMB key reprovisioning when storage devices are replaced. Should remain disabled on production devices. |
OEM_disable_rpmb_autoprovisioning
|
Enables or disables automatic RPMB production key provisioning. |
OEM_reset_reason_list
|
Allows OEMs to extend the list of reset reasons reported by the system. |
OEM_app_sandbox_default
|
Enables TA sandboxing and requires third-party TAs to be authenticated using an OEM-provided root certificate. |
OEM_enablecrashdumps_before_arb
|
Enables crash dump generation when anti-rollback fuses have not yet been blown. |
OEM_pub_mod
|
RSA public key modulus used for TrustZone log encryption. |
OEM_pub_exp
|
RSA public key exponent used for TrustZone log encryption. |
OEM_log_encr_enable
|
Enables or disables encrypted TrustZone diagnostic and QSEE log collection. |
OEM_MRC_activation_list
|
Defines fuse values used to select the active root certificate index for MRC-signed images. |
OEM_MRC_revocation_list
|
Defines fuse values used to revoke root certificate indices for MRC-signed images. |
OEM_counter_measure_enable
|
Enables timing countermeasures intended to mitigate side-channel attacks. |
OEM_Blacklisting_TA_auth_type
|
Blocks TAs from loading based on their authentication type (OEM, ALT, or both). |
OEM_Blacklisting_TA_cert_id
|
Blocks TAs from loading based on certificate identifiers. |
OEM_enable_bootup_from_a_b_partition
|
Enables support for Android A/B system updates and anti-rollback handling across A/B partitions. |
OEM_disable_scattered_memory
|
Disables scattered memory support for large TAs, favoring performance over fragmentation resilience. |
OEM_wdog_flags
|
Enables user-level watchdog functionality for trusted applications. |
OEM_wdog_ms_initial
|
Specifies the watchdog timeout for a TA thread to become ready to accept requests. |
OEM_wdog_ms_accept_hlos
|
Specifies the watchdog timeout for processing requests in a normal HLOS environment. |
OEM_wdog_ms_accept_uefitzt
|
Specifies the watchdog timeout for processing requests in a UEFI-TZT environment. |
It is important to note that the OEM_log_encr_enable option is important to debug TEE with secure boot. The next steps are to enable secure boot ensuring only trusted applications run on the device and flashing the device with the secure images. You can follow the guide on the Secure Boot wiki for more information.