1 Introduction
1.1 Purpose
In embedded processor design, the need for hardware support for cryptographic
operations is increasing. In particular, there are customer requirements for
easily performing cryptographic operations inside TrustZone®. In i.MX 8M and
i.MX 8MM, OP-TEE OS can control the hardware cryptographic module by
using libimxcrypt. This is a mechanism to perform hardware-accelerated
cryptographic operations inside a secure zone.
The purpose of this document is to describe how to add support for
OP-TEE OS accelerated with the Cryptographic Accelerator and Assurance
Module (CAAM) on top of OpenSSL. The final result is an enhanced
OpenSSL capable of accelerating crypto algorithms in a secure way via
OP-TEE.
1.2 Audience
This document is intended for those who:
• Need to understand the secure storage inside OP-TEE
• Need to hardware-accelerate cryptographic algorithms using the complete flow OpenSSL <-> OP-TEE <-> CAAM
It is assumed that the reader is familiar with the basics of the RSA/ECC cryptographic functions.
1.3 Definitions, Acronyms and Abbreviations
CA      Client Application
CAAM    Cryptographic Accelerator and Assurance Module
ECC     Elliptic-curve cryptography
MD5     Message-Digest Algorithm 5
OP-TEE  Open Portable Trusted Execution Environment
PKCS    Public Key Cryptography Standards
RSA     Public-key cryptosystem which is widely used for secure data transmission
SHA     Secure Hash Algorithm
TA      Trusted Application
PTA     Pseudo Trusted Application
Contents
1 Introduction
1.1 Purpose
1.2 Audience
1.3 Definitions, Acronyms and Abbreviations
2 Overview
3 Components
3.1 Pseudo Trusted Application
3.2 Trusted Application
3.3 Secure Key Library
3.4 SecureObject OpenSSL Engine
4 Setup and usage
5 Revision history
AN12632
Enhanced OpenSSL on i.MX 8M and i.MX 8MM
Rev. 0 — 25 January 2020
Application Note
2 Overview
OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the Secure Sockets Layer
(SSL) and Transport Layer Security (TLS) protocols. The core library implements basic cryptographic algorithms and provides
various utility functions. These algorithms require extremely high computing power. However, by default OpenSSL runs on
the CPU (purely in software), and the only way to get better throughput is to use hardware acceleration (the CAAM
in our case).
A trusted execution environment (TEE) is a secure area of a processor. It guarantees that code and data loaded inside are protected
with respect to confidentiality and integrity. OP-TEE is a Trusted Execution Environment designed as a companion to a non-secure
Linux kernel running on Arm. OP-TEE is designed primarily to rely on the Arm TrustZone technology as the underlying hardware
isolation. TrustZone is used to protect high-value code and data for use cases like key storage or authentication.
3 Components
The OpenSSL Engine is the top layer of the project, where the new cryptographic functions are implemented and bound to OpenSSL.
The Client Application is represented by the Secure Key Library, which runs in the Normal World and offers an API to the OpenSSL
Engine to easily access the features inside OP-TEE. Each cryptographic function from the Secure Key Library has an equivalent
inside the Secure World.
The Trusted Application calls the Pseudo Trusted Application (PTA), which has access to the CAAM drivers. All the data is stored
inside the Trusted Application, which resides inside the Secure World. The project layers and their interaction can be seen
in Figure 1.
NXP Semiconductors