This page provides a high-level overview of the PKCS#11 integration with OpenSSL in an OpenSTLinux / OP-TEE environment.
1. Purpose
This page presents the support for the PKCS#11[1] Trusted Application (TA) at OpenSTLinux level, enabling applications running in the non-secure Linux world to access cryptographic objects and operations exposed by a PKCS#11 Trusted Application running in the secure world through the OP-TEE stack.
This page focuses on the architecture, the software bricks involved, and links to the official documentation for deeper technical details.
2. Overview
In a typical deployment, the platform is split into two execution domains:
- Secure world: OP-TEE runtime and the PKCS#11 Trusted Application
- Non-secure world: Linux user space applications using OpenSSL through a PKCS#11 provider / engine path, which interacts with the Cryptoki library and the TEE Client API
The PKCS#11 interface allows applications to use cryptographic keys and operations without directly exposing private key material to the normal world. The sensitive operations are delegated to the secure world via OP-TEE.
3. High-level architecture
The following diagram illustrates the main software layers and the separation between secure and non-secure execution domains.
[Figure: main schematic of the software layers and the separation between the secure and non-secure execution domains]
3.1. Conceptual view
The secure side hosts the PKCS#11 Trusted Application, while the non-secure side exposes the standard software interfaces used by applications.
4. Software stack description
4.1. Secure world
4.1.1. OP-TEE core
The secure execution environment that provides trusted services and manages secure resources.
4.1.2. TEE Internal Core API Library
Library used by trusted applications to access OP-TEE internal services.
4.1.3. TA PKCS#11
The Trusted Application implementing the PKCS#11 service in the secure world.
4.2. Non-secure world
4.2.1. Linux kernel
Includes the OP-TEE driver used for communication with the secure world.
4.2.2. TEE Client API Library
Userspace API used by client applications and middleware to communicate with trusted applications.
4.2.3. Cryptoki Library (libckteec)
A PKCS#11-oriented library used on the non-secure side to forward PKCS#11 requests to the OP-TEE PKCS#11 TA through the TEE client stack.
4.2.4. User application
Any application, including OpenSSL-based applications, that uses PKCS#11 for cryptographic operations.
5. How OpenSSL uses PKCS#11
OpenSSL can be configured to rely on PKCS#11-backed cryptographic material instead of local software keys.
In this model:
- The application runs in the non-secure world
- OpenSSL accesses a PKCS#11 interface
- The PKCS#11 layer uses the Cryptoki library
- Requests are forwarded through the TEE Client API
- The OP-TEE PKCS#11 TA performs the operation in the secure world
This enables:
- protection of sensitive keys in secure storage
- cryptographic operations in the secure world that can be accelerated by platform resources such as the CRYP internal peripheral
- a standard interface compatible with PKCS#11-aware software
6. Main usage flow
- Application invokes OpenSSL cryptographic functions
- OpenSSL interacts with a PKCS#11 provider / engine
- The provider uses PKCS#11 / Cryptoki conventions
- The TEE Client API sends commands to OP-TEE
- The TA PKCS#11 executes the secure operation
- The result is returned to the application
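The model of section 5 and the flow of section 6 are wired together by OpenSSL's configuration. The fragment below is an added example, not taken from this page or from the OP-TEE project: it assumes OpenSSL 3.x with the pkcs11-provider module installed, and the module and libckteec paths shown are assumptions to adjust to the actual image.

```ini
# openssl.cnf: load the pkcs11-provider and point it at libckteec, so that
# PKCS#11 requests from OpenSSL reach the OP-TEE PKCS#11 TA.
# Added example; paths below are assumptions, not values from the wiki page.

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Keep the default provider active: it still supplies digests, symmetric
# ciphers and any public-key operation that does not involve the token.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# OpenSSL provider module (assumed install path)
module = /usr/lib/ossl-modules/pkcs11.so
# Cryptoki library that forwards to the TA through the TEE Client API
pkcs11-module-path = /usr/lib/libckteec.so.0
# User PIN of the token, read from a file with restricted permissions
# rather than written inline in a world-readable configuration
pkcs11-module-token-pin = file:/etc/pki/ckteec-user-pin.txt
activate = 1
```

Check that both providers are loaded with `openssl list -providers -verbose`; keys on the token are then referenced by PKCS#11 URI, for example `openssl pkey -in "pkcs11:token=<label>;object=<key-label>;type=private" -pubout`, so the private key never leaves the secure world.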
7. Security rationale
Using PKCS#11 with OP-TEE provides several advantages:
- Private key material remains in secure storage
- Sensitive operations are performed in the secure world
- Standard interface for cryptographic applications
- Improved portability for applications using OpenSSL and PKCS#11
8. Official documentation
For deeper information on the interfaces and implementation details, refer to the official OP-TEE documentation and related references:
- Trusted Applications build and integration
- Userland integration and PKCS#11 driver (note that this documentation covers only the OpenSC[2] engine)
- For OpenSSL integration, please check
- Linaro presentation on OP-TEE PKCS#11
9. References
Please refer to the following links for additional information: