TEE Communication
PUBLISHED
You can create secure communications by executing your application in a trusted execution environment (TEE), and communicating with other applications within that environment. To implement TEE communication, you can use the libteec API, which is based on the GlobalPlatform® TEE Client API [1].
You can run applications in 2 environments: a rich world (like Linux) with client applications (CA) and a secure world with trusted applications (TA).
Figure: TEE communication architecture
The main features of the Tizen.Security.TEEC namespace include:
- Connecting to a trusted application
You can securely connect to a trusted application by creating a new session.
- Sending commands to a trusted application
You can pass commands from a client application to a trusted application, including using shared memory blocks.
Prerequisites
To enable your application to use the TEE communication functionality:
- To make your application visible in the Tizen Store only for devices that support TEE communication, the application must specify the following feature in the
tizen-manifest.xml
file:<feature name="http://tizen.org/feature/security.tee"/>
You can also check whether a device supports the Tizen.Security.TEEC [2] namespace by using the
TryGetValue()
method of the Tizen.System.Information [3] class and, accordingly, enabling or disabling the code requiring the namespace:const string TEEC_FEATURE_KEY = "http://tizen.org/feature/security.tee"; bool ret; if (Information.TryGetValue<bool>(TEEC_FEATURE_KEY, out ret) == false) { /// Error handling }
Note In TV applications, you can test the TEE communication functionality on an emulator only. Most target devices do not currently support this feature. - To use the methods and properties of the Tizen.Security.TEEC [2] namespace, include it in your application:
using Tizen.Security.TEEC;
- Initialize a new TEEC context by creating an instance of the Tizen.Security.TEEC.Context [4] class:
Context ctx = new Context(null);
When it is no longer needed, destroy the TEEC context:
ctx.Dispose();
Connecting Applications
To communicate between applications, you must connect a client application to a trusted application by creating a session:
- Open a session with the
OpenSession()
method of the Tizen.Security.TEEC.Context [4] class, which returns the session as a new instance of the Tizen.Security.TEEC.Session [5] class.Guid ta_uuid = new Guid(" "); /// Trusted application GUID try { Session ses = ctx.OpenSession(ta_uuid);
- When it is no longer needed, close the session with the
Close()
method of theTizen.Security.TEEC.Session
class:
ses.Close(); } catch (Exception e) { /// Error handling }
Sending Secure Commands
After opening a session with a trusted application, a client application can execute functions in the trusted application by sending secure commands to the trusted application.
To send function call commands:
- To send a command for invoking a function without parameters, use the
InvokeCommand()
method of the Tizen.Security.TEEC.Session [5] class, with the first parameter identifying the function to be executed by the trusted application:try { ses.InvokeCommand(1, null); } catch (Exception e) { /// Error handling }
- To send a command for invoking a function with simple integer parameters:
- Create the parameters as new instances of the Tizen.Security.TEEC.Value [6] class:
try { Value p1 = new Value(1, 2, TEFValueType.InOut); Value p2 = new Value(10, 200, TEFValueType.InOut);
- Send the command to the trusted application with the
InvokeCommand()
method of theTizen.Security.TEEC.Session
class. The second parameter is a new instance of the Tizen.Security.TEEC.Parameter [7] class containing the 2 integer parameter values.
ses.InvokeCommand(1, new Parameter[] {p1, p2}); } catch (Exception e) { /// Error handling }
- Create the parameters as new instances of the Tizen.Security.TEEC.Value [6] class:
- To send a command for invoking a function with a local memory reference as a parameter:
- Create a temporary memory reference as a new instance of the Tizen.Security.TEEC.TempMemoryReference [8] class:
try { long val = 10; TempMemoryReference p1 = new TempMemoryReference((IntPtr)(&val), 1024, TEFTempMemoryType.InOut);
- Send the command to the trusted application with the
InvokeCommand()
method of theTizen.Security.TEEC.Session
class. The second parameter is a new instance of theTizen.Security.TEEC.Parameter
class containing the memory reference.
ses.InvokeCommand(1, new Parameter[] {p1}); } catch (Exception e) { /// Error handling }
- Create a temporary memory reference as a new instance of the Tizen.Security.TEEC.TempMemoryReference [8] class:
Using Shared Memory
To share a memory block between a client application and a trusted application:
- To send a function call command to the trusted application, including an allocated shared memory reference:
- Allocate a new memory block as shared memory with the
AllocateSharedMemory()
method of the Tizen.Security.TEEC.Context [4] class, which returns the block as a new instance of the Tizen.Security.TEEC.SharedMemory [9] class:try { SharedMemory shm = ctx.AllocateSharedMemory(1024, SharedMemoryFlags.InOut);
- Register a memory reference based on the shared memory block by creating a new instance of the Tizen.Security.TEEC.RegisteredMemoryReference [10] class, and send the function call command to the trusted application with the
InvokeCommand()
method of the Tizen.Security.TEEC.Session [5] class. The registered memory reference is passed in a new instance of the Tizen.Security.TEEC.Parameter [7] class.
RegisteredMemoryReference p1 = new RegisteredMemoryReference(shm, 1024, 0, RegisteredMemoryReference.InOut); ses.InvokeCommand(1, new Parameter[] {p1});
- Release the shared memory:
ctx.ReleaseSharedMemory(shm); } catch (Exception e) { /// Error handling }
- Allocate a new memory block as shared memory with the
- To send a function call command to the trusted application, including an external shared memory reference:
- Register a block of existing client application memory as shared memory with the
RegisterSharedMemory()
method of theTizen.Security.TEEC.Context
class, which returns the block as a new instance of theTizen.Security.TEEC.SharedMemory
class:try { IntPtr memaddr = <Some memory address>; SharedMemory shm = ctx.RegisterSharedMemory(memaddr, 1024, SharedMemoryFlags.InOut);
- Register a memory reference based on the shared memory block by creating a new instance of the
Tizen.Security.TEEC.RegisteredMemoryReference
class, and send the function call command to the trusted application with theInvokeCommand()
method of theTizen.Security.TEEC.Session
class. The registered memory reference is passed in a new instance of theTizen.Security.TEEC.Parameter
class.
RegisteredMemoryReference p1 = new RegisteredMemoryReference(shm, 1024, 0, RegisteredMemoryReference.InOut); ses.InvokeCommand(1, new Parameter[] {p1});
- Release the shared memory:
ctx.ReleaseSharedMemory(shm); } catch (Exception e) { /// Error handling }
- Register a block of existing client application memory as shared memory with the