QTEE (Qualcomm Trusted Execution Environment)
The QTEE driver handles communication with Qualcomm TEE [1].
The lowest level of communication with QTEE builds on the ARM SMC Calling Convention (SMCCC) [2], which is the foundation for QTEE’s Secure Channel Manager (SCM) [3] used internally by the driver.
In a QTEE-based system, services are represented as objects with a series of operations that can be called to produce results, including other objects.
When an object is hosted within QTEE, executing its operations is referred to as “direct invocation”. QTEE can also invoke objects hosted in the non-secure world using a method known as “callback request”.
The SCM provides two functions to support direct invocation and callback requests:
QCOM_SCM_SMCINVOKE_INVOKE: Used for direct invocation. It can return either a result or initiate a callback request.
QCOM_SCM_SMCINVOKE_CB_RSP: Used to submit a response to a callback request triggered by a previous direct invocation.
The QTEE Transport Message [4] is stacked on top of the SCM driver functions.
A message consists of two buffers shared with QTEE: inbound and outbound buffers. The inbound buffer is used for direct invocation, and the outbound buffer is used to make callback requests. This picture shows the contents of a QTEE transport message:

                                      +---------------------+
                                      |                     v
    +-----------------+-------+-------+------+--------------------------+
    | qcomtee_msg_    |object | buffer       |                          |
    |  object_invoke  |  id   | offset, size |                          | (inbound buffer)
    +-----------------+-------+--------------+--------------------------+
    <---- header -----><---- arguments ------><- in/out buffer payload ->

                                      +-----------+
                                      |           v
    +-----------------+-------+-------+------+----------------------+
    | qcomtee_msg_    |object | buffer       |                      |
    |  callback       |  id   | offset, size |                      | (outbound buffer)
    +-----------------+-------+--------------+----------------------+

Each buffer starts with a header and an array of arguments.
QTEE Transport Message supports four types of arguments:
Input Object (IO) is an object parameter to the current invocation or callback request.
Output Object (OO) is an object parameter from the current invocation or callback request.
Input Buffer (IB) is an (offset, size) pair into the inbound or outbound region that stores a parameter to the current invocation or callback request.
Output Buffer (OB) is an (offset, size) pair into the inbound or outbound region that stores a parameter from the current invocation or callback request.
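Because IB and OB arguments are (offset, size) pairs into a buffer shared with the other world, a receiver should copy the pairs to private memory and bounds-check the copy before touching the payload. The following is an added example, not code from the QTEE driver: struct ex_buf_arg, ex_arg_in_bounds() and ex_fetch_args() are hypothetical names, and the layout (argument array after the header, payload after the last argument) is a simplifying assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified (offset, size) argument; the real layout lives in
 * drivers/tee/qcomtee/qcomtee_msg.h and is not reproduced here. */
struct ex_buf_arg {
	uint32_t offset;	/* from the start of the shared buffer */
	uint32_t size;		/* payload length in bytes */
};

/* 1 if [offset, offset + size) lies inside [payload_start, buf_size).
 * The subtraction form cannot wrap, unlike offset + size <= buf_size. */
static int ex_arg_in_bounds(struct ex_buf_arg a, uint32_t payload_start,
			    uint32_t buf_size)
{
	if (payload_start > buf_size)
		return 0;
	if (a.offset < payload_start || a.offset > buf_size)
		return 0;	/* inside header/arguments, or past the end */
	return a.size <= buf_size - a.offset;
}

/*
 * Copy n arguments out of the shared buffer into private memory, then
 * validate the private copy, so the other side cannot change a pair
 * between the check and its later use. Returns 0 on success, -1 otherwise.
 * args_off is where the argument array starts (assumed: right after the
 * header); the payload area is assumed to start after the last argument.
 */
int ex_fetch_args(const uint8_t *shared, uint32_t buf_size, uint32_t args_off,
		  struct ex_buf_arg *out, uint32_t n)
{
	uint64_t args_end = (uint64_t)args_off + (uint64_t)n * sizeof(*out);

	if (args_end > buf_size)
		return -1;	/* argument array itself does not fit */
	memcpy(out, shared + args_off, n * sizeof(*out));
	for (uint32_t i = 0; i < n; i++)
		if (!ex_arg_in_bounds(out[i], (uint32_t)args_end, buf_size))
			return -1;
	return 0;
}
```

After a successful call, only the private copy in out should be used to locate payload bytes; re-reading the pairs from the shared buffer would reopen the check-then-use gap.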
Picture of the relationship between the different components in the QTEE architecture:

          User space               Kernel                     Secure world
          ~~~~~~~~~~               ~~~~~~                     ~~~~~~~~~~~~
    +--------+   +----------+                                +--------------+
    | Client |   |callback  |                                | Trusted      |
    +--------+   |server    |                                | Application  |
       /\        +----------+                                +--------------+
       ||  +----------+ /\                                          /\
       ||  |callback  | ||                                          ||
       ||  |server    | ||                                          \/
       ||  +----------+ ||                                   +--------------+
       ||       /\      ||                                   | TEE Internal |
       ||       ||      ||                                   | API          |
       \/       \/      \/   +--------+--------+             +--------------+
    +---------------------+  | TEE    | QTEE   |             | QTEE         |
    | libqcomtee [5]      |  | subsys | driver |             | Trusted OS   |
    +-------+-------------+--+----+-------+----+-------------+--------------+
    |      Generic TEE API        |       |   QTEE MSG                      |
    |      IOCTL (TEE_IOC_*)      |       |   SMCCC (QCOM_SCM_SMCINVOKE_*)  |
    +-----------------------------+       +---------------------------------+

References
[2] http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html
[3] drivers/firmware/qcom/qcom_scm.c
[4] drivers/tee/qcomtee/qcomtee_msg.h