Open kunisuzaki opened 4 months ago
Hi @kunisuzaki,
Thanks for sharing, this is interesting. I took a quick look at the repository. You have a user TA that makes up the main interface towards the normal world. However the User TA in principle only forwards the requests to a Pseudo TA. Why is the user TA needed at all, couldn't the PTA provide the interface for the normal world instead? Or do you anticipate further changes in the user TA?
Cheers, Jens
Hello @jenswi-linaro,
Thank you for your interest.
The current User TA is just an example and only passes the RA evidence. As shown in the figure, User TA and RP establish trust and secure communication once Remote Attestation is confirmed. You can customize the TA to suit your needs.
The PTA provides a general mechanism to make RA evidence. It measures the hash of the TA and signs the hash. The RA evidence is verified by the Veraison verifier.
This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
I'm removing the Stale label and adding the Enhancement label instead, since I believe this is something that we're interested in.
@kunisuzaki, we discussed this in an OP-TEE maintainer email thread last week. If you're interested and have time, we'd like to suggest that you send patches for this in the form of pull requests. We believe that optee_os/core/pta/veraison_ra or something like that. For user space TA and client app. optee_examples would be suitable. optee_os/ta or alternatively also land under optee_examples. Please let us know what you think about this proposal.
@jbech-linaro Thank you for your proposal. We want to accept it and make a pull request. Anyway, we are now revising the optee-ra to use the latest Veraison. Please wait for it.
We have customized OP-TEE (a Secure OS for Arm Cortex-A TrustZone) to enable Remote Attestation with VERAISON Verification. This setup runs seamlessly with Docker and QEMU. Detailed information can be found in the HP https://github.com/iisec-suzaki/optee-ra