πŸ”Webkey OS

Software Design

The following categories of operations are provided:

Generate keys

Import and export asymmetric keys (without key wrapping)

Import raw symmetric keys (without key wrapping)

Asymmetric encryption and decryption using appropriate padding modes

Asymmetric signing and verification using digests and appropriate padding modes

Symmetric encryption and decryption in appropriate modes (including AEAD modes)

Generate and verify symmetric message authentication codes
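The operation categories above map one-to-one onto standard-library primitives. As an added example that is not part of the Webkey OS code, the following Go program implements each category in software: key generation, unwrapped export/import of an RSA key as PKCS#8 DER, RSAES-OAEP encryption, RSASSA-PSS signing over a SHA-256 digest, AES-256-GCM as the AEAD mode (the raw 32-byte key passed in is the "import raw symmetric key" case), and HMAC-SHA256 generation and constant-time verification. All function names and the nonce-prefixed blob layout are this example's own conventions, not Webkey OS's API.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// pssOpts fixes the PSS salt length so signer and verifier agree.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// GenerateRSA: "generate keys". 2048 bits is the floor for new RSA keys.
func GenerateRSA() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ExportPrivate/ImportPrivate: "import and export asymmetric keys (without key wrapping)".
// The PKCS#8 DER is plaintext, so the caller must protect it in transit and at rest.
func ExportPrivate(k *rsa.PrivateKey) ([]byte, error) { return x509.MarshalPKCS8PrivateKey(k) }

func ImportPrivate(der []byte) (*rsa.PrivateKey, error) {
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	rk, ok := k.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("imported key is not RSA")
	}
	return rk, nil
}

// OAEPEncrypt/OAEPDecrypt: asymmetric encryption with RSAES-OAEP (SHA-256). Padding is
// not optional: textbook RSA and PKCS#1 v1.5 encryption are both unsafe choices here.
func OAEPEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func OAEPDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// PSSSign/PSSVerify: digest the message, then sign the digest with RSASSA-PSS.
func PSSSign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
}

func PSSVerify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts) == nil
}

// GCMSeal/GCMOpen: symmetric AEAD (AES-256-GCM). Output layout is nonce||ciphertext||tag.
// The random nonce must never repeat under the same key; aad is authenticated, not encrypted.
func GCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func GCMOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	// Open fails on any bit flip in nonce, ciphertext, tag or aad.
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// MACGenerate/MACVerify: HMAC-SHA256, compared in constant time.
func MACGenerate(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

func MACVerify(key, msg, tag []byte) bool { return hmac.Equal(MACGenerate(key, msg), tag) }
```

Two details are worth noticing when comparing this with a hardware-backed store: the exported PKCS#8 blob is the reason "without key wrapping" is called out (a keystore that exports plaintext key material relies entirely on the caller to protect it), and GCMOpen rejecting a one-bit change to the tag or to the associated data is the property that distinguishes an AEAD mode from plain CBC or CTR.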

Four elements of a TEE

A TEE implements the following four common functions:

  1. Verifiable launch and remote attestation: the software is launched in a trusted way and that fact can be proven to a remote party.

  2. Runtime isolation / memory curtaining: the software's memory is isolated from everything outside the TEE while it runs.

  3. Trusted I/O: end-to-end encryption, privileged devices, etc.

  4. Secure storage / sealing: encryption and decryption of persistent data.

TEE hardware should be able to provide the following functions:

  1. When loading software, measure it and provide a hardware-signed proof report (QUOTE/REPORT) to the remote verifier, proving that the TEE hardware is genuine and the software is unmodified.

  2. Protect data runtime security through isolation and encryption (in-use)

  3. Enable trusted communication between software in TEE and external devices (in-transit)

  4. Provide hardware-derived keys based on the software measurement values, so that software can encrypt data and persist it (at-rest)
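Functions 1 and 4 above (and elements 1 and 4 of the previous list) can be shown end to end with a small simulation. This is an added example and not Webkey OS or any vendor's attestation code: the hardware root is modelled as an ECDSA P-256 attestation key plus a random sealing root held in a struct, the QUOTE/REPORT is a signature over SHA-256(measurement || verifier nonce), and HMAC-SHA256 stands in for whatever derivation function the real hardware uses. The type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Measurement is the SHA-256 digest of the software image loaded into the TEE.
type Measurement [32]byte

// Report is a simplified stand-in for the hardware-signed QUOTE/REPORT.
type Report struct {
	Measurement Measurement
	Nonce       []byte // verifier-chosen freshness value, echoed back
	Sig         []byte // ECDSA P-256 signature over SHA-256(measurement || nonce)
}

// HardwareRoot models device-unique secrets that never leave the TEE hardware:
// an attestation key (the verifier is provisioned with its public half) and a sealing root.
type HardwareRoot struct {
	attestKey *ecdsa.PrivateKey
	sealRoot  []byte
}

func NewHardwareRoot() (*HardwareRoot, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root := make([]byte, 32)
	if _, err := rand.Read(root); err != nil {
		return nil, err
	}
	return &HardwareRoot{attestKey: k, sealRoot: root}, nil
}

func (h *HardwareRoot) AttestPublicKey() *ecdsa.PublicKey { return &h.attestKey.PublicKey }

// Measure is the first half of function 1: hash the software image as it is loaded.
func Measure(image []byte) Measurement { return sha256.Sum256(image) }

// reportDigest binds the measurement to the verifier's nonce so a report cannot be replayed.
func reportDigest(m Measurement, nonce []byte) []byte {
	d := sha256.New()
	d.Write(m[:])
	d.Write(nonce)
	return d.Sum(nil)
}

// Launch measures the image and signs the report with the hardware attestation key.
func (h *HardwareRoot) Launch(image, nonce []byte) (Report, error) {
	m := Measure(image)
	sig, err := ecdsa.SignASN1(rand.Reader, h.attestKey, reportDigest(m, nonce))
	if err != nil {
		return Report{}, err
	}
	return Report{Measurement: m, Nonce: append([]byte(nil), nonce...), Sig: sig}, nil
}

// VerifyReport is the remote verifier's side. Freshness and the hardware signature
// are checked before the measurement is compared against the allow-list.
func VerifyReport(trusted *ecdsa.PublicKey, r Report, nonce []byte, allowed []Measurement) error {
	if !bytes.Equal(r.Nonce, nonce) {
		return errors.New("stale or replayed report: nonce mismatch")
	}
	if !ecdsa.VerifyASN1(trusted, reportDigest(r.Measurement, r.Nonce), r.Sig) {
		return errors.New("report signature invalid: not from trusted hardware")
	}
	for _, m := range allowed {
		if m == r.Measurement {
			return nil
		}
	}
	return errors.New("software measurement not on the verifier's allow-list")
}

// SealingKey is function 4: a key derived from the device's sealing root and the
// measurement, so only the same software on the same device can re-derive it.
// HMAC-SHA256 stands in for the hardware's real derivation function (an assumption).
func (h *HardwareRoot) SealingKey(m Measurement) []byte {
	kdf := hmac.New(sha256.New, h.sealRoot)
	kdf.Write([]byte("sealing-key:"))
	kdf.Write(m[:])
	return kdf.Sum(nil)
}
```

The verifier's three checks correspond to three distinct failures: a mismatched nonce catches a replayed report, a bad signature catches a report not produced by trusted hardware, and a measurement that is not on the allow-list catches modified software even when the hardware is genuine. Because the sealing key is a function of both the device secret and the measurement, data sealed by one image cannot be unsealed by a modified image on the same device, nor by the same image on another device; the encryption itself is an ordinary AEAD under that key.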

TEE Architecture and Components

TEE NSdrv: kernel driver responsible for communication between the normal-world application and the secure world. Integrated into Linux as a kernel module, in source form.

TEE Daemon: system-resident service that handles file-system access, TA file loading and other requests. Integrated into the system image as a binary executable, located in the /vendor partition.

TEE Client lib: dynamic library for TEE client applications; any application that calls TEE functions links against it. Located in the /vendor partition.

TKCored SPD: secure payload dispatcher, integrated into ATF (ARM Trusted Firmware) in source form.

TEE kernel T6: the TEE kernel, provided in binary form. Packaged with the bootloader as an image, or placed in a separate partition.

TA: trusted application, integrated into the system image as a binary file.
