diff options
Diffstat (limited to 'documentation/globalplatform_api.md')
-rw-r--r-- | documentation/globalplatform_api.md | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/documentation/globalplatform_api.md b/documentation/globalplatform_api.md new file mode 100644 index 0000000..f8ed8d7 --- /dev/null +++ b/documentation/globalplatform_api.md @@ -0,0 +1,106 @@ +GlobalPlatform API and OP-TEE +============================= + +Contents : + +1. Introduction +2. TEE Client API +3. TEE Internal API + +# 1. Introduction +[GlobalPlatform](http://www.globalplatform.org) works across industries to +identify, develop and publish specifications which facilitate the secure and +interoperable deployment and management of multiple embedded applications on +secure chip technology. OP-TEE has support for GlobalPlatform [TEE Client API +Specification v1.0](http://www.globalplatform.org/specificationsdevice.asp) and +[TEE Internal API Specification +v1.0](http://www.globalplatform.org/specificationsdevice.asp). + +# 2. TEE Client API +The TEE Client API describes and defines how a client running in a rich +operating environment (REE) should communicate with the TEE. To identify a +Trusted Application (TA) to be used, the client provides an +[UUID](http://en.wikipedia.org/wiki/Universally_unique_identifier). All TA's +exposes one or several functions. Those functions corresponds to a so called +`commandID` which also is sent by the client. + +### TEE Contexts +The TEE Context is used for creating a logical connection between the client and +the TEE. The context must be initialized before the TEE Session can be +created. When the client has completed a jobs running in secure world, it should +finalize the context and thereby also releasing resources. + +### TEE Sessions +Sessions are used to create logical connections between a client and a specific +Trusted Application. When the session has been established the client have a +opened up the communication channel towards the specified Trusted Application +identified by the `UUID`. At this stage the client and the Trusted Application +can start to exchange data. + + +### TEE Client API example / usage +Below you will find the main functions as defined by GlobalPlatform and which +are used in the communication between the client and the TEE. + +#### TEE Functions +``` c +TEEC_Result TEEC_InitializeContext( + const char* + name, + TEEC_Context* context) + +void TEEC_FinalizeContext( + TEEC_Context* context) + +TEEC_Result TEEC_OpenSession ( + TEEC_Context* context, + TEEC_Session* session, + const TEEC_UUID* destination, + uint32_t connectionMethod, + const void* connectionData, + TEEC_Operation* operation, + uint32_t* returnOrigin) + +void TEEC_CloseSession ( + TEEC_Session* session) + +TEEC_Result TEEC_InvokeCommand( + TEEC_Session* session, + uint32_t commandID, + TEEC_Operation* operation, + uint32_t* returnOrigin) +``` + +In principle the commands are called in this order: + + TEEC_InitializeContext(...) + TEEC_OpenSession(...) + TEEC_InvokeCommand(...) + TEEC_CloseSession(...) + TEEC_FinalizeContext(...) + +It is not uncommon that `TEEC_InvokeCommand` is called several times in row +when the session has been established. + +For a complete example, please see chapter **5.2 Example 1: Using the TEE +Client API** in the GlobalPlatform [TEE Client API +Specification v1.0](http://www.globalplatform.org/specificationsdevice.asp). + + +# 3. TEE Internal API +The Internal API is the API that is exposed to the Trusted Applications running +in the secure world. The TEE Internal API consists of four major parts: + +1. **Trusted Storage API for Data and Keys** +2. **Cryptographic Operations API** +3. **Time API** +4. **Arithmetical API** + +### Examples / usage +Calling the Internal API is done in the same way as described above using Client API. +The best place to find information how this should be done is in the +[TEE Internal API Specification +v1.0](http://www.globalplatform.org/specificationsdevice.asp) which contains a +lot of examples of how to call the various APIs. + + |