Commit a6f24aa

author
liushiwei
committed
Added TEE SBI Extension description
To support secure service running, cpu running environments are divided into Trusted execution environment (TEE) and Rich Execution Environment (REE). This section describes how to switch between REE and TEE and how to start TEE.

Signed-off-by: liushiwei <[email protected]>
1 parent 804ec74 commit a6f24aa

3 files changed

+38
-0
lines changed

riscv-sbi-tee1.png

73.6 KB

riscv-sbi-tee2.png

29.5 KB

riscv-sbi.adoc

Lines changed: 38 additions & 0 deletions
@@ -1682,3 +1682,41 @@ Low bits from `mvendorid`.
16821682
Low bits is SBI implementation ID. The firmware specific SBI extensions are
16831683
for SBI implementations. It provides firmware specific SBI functions which
16841684
are defined in the external firmware specification.
1685+
1686+
== Trusted Execution Environment SBI Extension Space (EID #0x544545 "TEE")
1687+
The Trusted Execution Environment Unit Extension divides cpu Execution
1688+
Environment into two parts: REE (Rich Execution Environment) and TEE
1689+
(Trusted execution environment), As shown in the picture below <<fig_tee1>>.
1690+
To enable some applications to perform security-related services,
1691+
which are placed in TEE.
1692+
1693+
[#fig_tee1]
1694+
.SBI TEE extensions runtimes
1695+
image::riscv-sbi-tee1.png[width=1007,height=464]
1696+
1697+
Well, one option is REE runs linux, TEE runs optee-os.
1698+
When starting a security service, REE needs to convey 8 parameters
1699+
to TEE according to optee-os standard,
1700+
and TEE needs to return 4 parameters to REE when TEE is finished.
1701+
So linux needs to pass 10 parameters to opensbi. I use the a0-a7,
1702+
t0, t1 register. the newly added correlation parameters,
1703+
one conveying 0x544545 indicating that this is a TEE extension,
1704+
and the other conveying the caller status indicating
1705+
it is from REE or from TEE. Unlike other SBI extensions contexts saved,
1706+
In the tee process, not only sbi_trap_regs but also CSRs of S mode
1707+
should be saved including all calls from REE and some calls from TEE.
1708+
1709+
REE S mode CSRs is derived from linux, and TEE S mode CSRs is derived
1710+
from optee os initialization. Upon startup, opensbi will add
1711+
a tee_os_init function before sbi_hart_switch_mode.
1712+
tee_os_init will jump to optee os for initialization.
1713+
The startup address of optee os is configured using configuration items.
1714+
After the initialization is complete, it returns to opensbi.
1715+
The return parameter holds the optee os entry address of the runtime,
1716+
and it gets EE S mode CSRs. Then go back to the previous execution process
1717+
to start linux. The same function is used to boot the secondary hart.
1718+
The following figure(<<fig_tee2>>) shows the startup process.
1719+
1720+
[#fig_tee2]
1721+
.SBI TEE extensions boot flow
1722+
image::riscv-sbi-tee2.png[width=975,height=527]
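
Review bot: The "caller status" register described at added lines 1703-1705 ("the other conveying the caller status indicating it is from REE or from TEE") is a value chosen by the S-mode caller, and the text never says how the SBI implementation validates it, so as written it cannot by itself establish which world a call came from. Please specify that the implementation tracks the currently running world per hart in its own state and either drops this parameter or defines it as checked against that state, with a defined error return on mismatch. Related points in the same paragraph: carrying the extension ID in t0/t1 departs from the SBI calling convention used by every other extension in this document (EID in a7, FID in a6), and the text does not say which of t0 and t1 holds which value; if all of a0-a7 are needed for the 8 optee-os parameters, that conflict with a7 should be stated and justified. The section also defines no function IDs, return values or error codes, and does not list which S-mode CSRs are saved or what "some calls from TEE" means at line 1707, which an implementer needs in order to get the world-switch context save right. Smaller items: "it gets EE S mode CSRs" at line 1716 looks like a typo for "TEE", line 1713 should name the "configuration items" that set the optee os start address, and the first-person phrasing ("I use the a0-a7", "Well, one option is") should be rewritten in the normative style of the rest of the specification.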
