Last edited 5 days ago

OP-TEE PKCS11 Trusted Application

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP21x lines, STM32MP23x lines, STM32MP25x lines


This page provides a high-level overview of the PKCS#11 integration with OpenSSL in an OpenSTLinux / OP-TEE environment.

1. Purpose[edit | edit source]

This page presents the support for PKCS#11[1] Trusted Application (TA) at OpenSTLinux level, enabling applications running in the non-secure Linux world to access cryptographic objects and operations exposed by a PKCS#11 Trusted Application running in the secure world through the OP-TEE stack.

This page focuses on the architecture, the software bricks involved, and links to the official documentation for deeper technical details.

2. Overview[edit | edit source]

In a typical deployment, the platform is split into two execution domains:

  • Secure world: OP-TEE runtime and the PKCS#11 Trusted Application
  • Non-secure world: Linux user space applications using OpenSSL through a PKCS#11 provider / engine path, which interacts with the Cryptoki library and the TEE Client API

The PKCS#11 interface allows applications to use cryptographic keys and operations without directly exposing private key material to the normal world. The sensitive operations are delegated to the secure world via OP-TEE.

3. High-level architecture[edit | edit source]

The following diagram illustrates the main software layers and the separation between secure and non-secure execution domains.

Insert the attached image here as the main schematic

3.1. Conceptual view[edit | edit source]

The secure side hosts the PKCS#11 Trusted Application, while the non-secure side exposes the standard software interfaces used by applications.

4. Software stack description[edit | edit source]

4.1. Secure world[edit | edit source]

4.1.1. OP-TEE core[edit | edit source]

The secure execution environment that provides trusted services and manages secure resources.

4.1.2. TEE Internal Core API Library[edit | edit source]

Library used by trusted applications to access OP-TEE internal services.

4.1.3. TA PKCS#11[edit | edit source]

The Trusted Application implementing the PKCS#11 service in the secure world.

4.2. Non-secure world[edit | edit source]

4.2.1. Linux kernel[edit | edit source]

Includes the OP-TEE driver used for communication with the secure world.

4.2.2. TEE Client API Library[edit | edit source]

Userspace API used by client applications and middleware to communicate with trusted applications.

4.2.3. Cryptoki Library (libckteec)[edit | edit source]

A PKCS#11-oriented library used on the non-secure side to forward PKCS#11 requests to the the OP-TEE PKCS#11 TA through the TEE client stack.

4.2.4. User application[edit | edit source]

Any application, including OpenSSL-based applications, that uses PKCS#11 for cryptographic operations.

5. How OpenSSL uses PKCS#11[edit | edit source]

OpenSSL can be configured to rely on PKCS#11-backed cryptographic material instead of local software keys.

In this model:

  1. The application runs in the non-secure world
  2. OpenSSL accesses a PKCS#11 interface
  3. The PKCS#11 layer uses the Cryptoki library
  4. Requests are forwarded through the TEE Client API
  5. The OP-TEE PKCS#11 TA performs the operation in the secure world

This enables:

  • protection of sensitive keys in secure storage
  • cryptographic operations in the secure world that can be enhanced by platform resources like CRYP internal peripheral
  • a standard interface compatible with PKCS#11-aware software

6. Main usage flow[edit | edit source]

  1. Application invokes OpenSSL cryptographic functions
  2. OpenSSL interacts with a PKCS#11 provider / engine
  3. The provider uses PKCS#11 / Cryptoki conventions
  4. The TEE Client API sends commands to OP-TEE
  5. The TA PKCS#11 executes the secure operation
  6. The result is returned to the application

7. Security rationale[edit | edit source]

Using PKCS#11 with OP-TEE provides several advantages:

  • Private key material remains in secure storage
  • Sensitive operations are performed in the secure world
  • Standard interface for cryptographic applications
  • Improved portability for applications using OpenSSL and PKCS#11

8. Official documentation[edit | edit source]

For deeper information on the interfaces and implementation details, refer to the official OP-TEE documentation and related references:

9. References[edit | edit source]

Please refer to the following links for additional information: