3

I am interested in developing trusted applications using TEE. I have a Nexus 5 that has Android 5.1.1 (LMY48M) on it. I want to create a very basic hello world app to understand TEE logic running on a real device. Nexus 5 supports QSEE (Qualcomm Secure Execution Environment) but I couldn't found any documentation about how to include QSEE communication libraries on a regular Android application.

In an adb root shell,

cat /d/tzdbg/log
cat /d/tzdbg/qsee_log

commands displays empty result.

Is there any one who had try to develop an application like this before? Any help will be appreciated.

rene
  • 41,474
  • 78
  • 114
  • 152
acalb
  • 74
  • 2
  • 7

4 Answers4

0

If you found this: http://source.android.com/security/trusty/index.html

I believe this is the relevant section:

Currently all Trusty applications are developed by a single party and packaged with the Trusty kernel image. The entire image is signed and verified by the bootloader during boot. Third-party application development is not supported in this version of Trusty.

So unless you are creating your own Custom ROM, I don't think you can do anything with Trusty.

frogatto
  • 28,539
  • 11
  • 83
  • 129
Morrison Chang
  • 11,691
  • 3
  • 41
  • 77
  • 1
    Thanks for your response, I have read that documentation before. I think that Trusty TEE and QSEE are different TEE OSs, if this is wrong please correct me. In Android source code there are some files related to QSEE (QSEEComAPI.h, libQSEEComAPI.so, qseecom.h etc.), however there is nothing related to Trusty TEE. It is a different repo that is available for a specific ACL only. So I want to use QSEEComAPI to make SMC calls on TrustZone. – acalb Sep 07 '16 at 05:42
  • I'm interpreting that the TEE is implemented by QSEE. Have you seen: https://www.blackhat.com/docs/us-14/materials/us-14-Rosenberg-Reflections-on-Trusting-TrustZone.pdf The third page diagram shows a 'normal world' and 'secure world'. My expectation is that to do anything in the 'secure world' would require a license from Qualcomm. Unless you build Trusty as the TEE via Custom ROM. – Morrison Chang Sep 07 '16 at 06:04
0

First, for TEE one APP contains two parts, TA(Trust APP, runs in TEE) and CA(Client APP, runs in REE).

QSEE has implement GlobalPlatform(GP) API(not all the GP API), so you should read the GP API white paper and use them to develop CA and TA.

But, you cannot install CA and TA by yourself, because CA and TA should dispatch by TSM.

Cobain
  • 186
  • 1
  • 8
  • I have developed a CA and TA using [Open-TEE](http://open-tee.github.io). This project is also GP compliant but it provides virtual TEE environment. I am looking for a way to use QSEE API to communicate with TEE in a real hardware environment. By the way what do you mean by TSM? Could you please explain that a bit more? – acalb Sep 21 '16 at 05:11
  • @acalb Hi i glad to hear from you that you have developed TA and CA. i have an issue with Open-TEE project. core/build-binary.mk 1.Error:(688) Android NDK: Module nativelibtee-jni depends on undefined modules: c Error:(701) *** Android NDK: Aborting (set APP_ALLOW_MISSING_DEPS=true to allow missing dependencies) . Stop.:otservice:buildNative FAILED 2. /Users/Anand/Documents/OpenTEE/tee/opentee-android/otservice/src/main/jni/LibteeWrapper.cpp Error:(17, 35) tee_shared_data_types.h: No such file or directory compilation terminated. – Ritesh Bhavsar Jul 27 '17 at 13:38
0

I am afraid there is currently no straightforward way to do this.

If you want to learn to use a TEE right now, I would suggest that you use a VM running OP-TEE or Open-TEE (as I read you have in your response to @Cobain above), as the GlobalPlatform APIs are widely supported on different devices.

Unfortunately you essentially need to be a device OEM or an established software supplier to do what you want right now, but that is something which may get easier in the future - this is the downside of working with a relatively new technology.

A TSM is a Trusted Services Manager, which is a technology used by some GlobalPlatform TEE implementations to load a TA on a TEE. It is not applicable to QSEE.

Trusty is a Google proprietary TEE, and I'm not aware of any available device which exposes this to users. QSEE is the Qualcomm TEE. Unfortunately I am not able to comment on exactly what it may or may not do.

Jeremy ODonoghue
  • 365
  • 2
  • 5
0

I wanted to do the same but ended up using sequiturlabs framework for developing Trusted applications on OP-TEE on Raspberry Pi 3. It enabled a hello world TA on a hardware but I am still looking for something that would allow TA development for a secure OS with Android as REE.

https://www.sequiturlabs.com/media_portfolio/sequitur-labs-collaborates-with-linaro-to-lower-barriers-to-iot-security-education-for-raspberry-pi-maker-community/

hj'
  • 61
  • 1
  • 3