Open Source Summit + Embedded Linux Conference Europe 2020

OP-TEE for i.MX6 SoCs is production ready, so we finally have a fully mainline way to use TrustZone on a widely available platform. So what are the scenarios where we it can increase security or allow new features? This talk will present the current state of OP-TEE from an upstream perspective on i.MX6 SoCs and show two different Trusted Applications (TAs) which provide secure data storage or TPM functionality. One of the presented applications will be the PKCS#11 TA which is currently being upstreamed into the mainline OP-TEE project. In conjunction with the OpenSSL PKCS#11 engine, it can be used to store client certificate data which can not be extracted from the device. The other application will be the Microsoft firmware TPM, which is provided as an out-of-tree TA with an upstream Linux kernel driver. It is meant as a replacement for conventional hardware TPMs and provides a tighter coupling to the chosen SoC. Furthermore this talk will highlight the necessary steps to actually secure OP-TEE on your chosen SoC, using the i.MX6 platform as an example.