[ English | 简体中文 ]
Security Framework API
The openvela security framework is based on MiTEE (Trusted Execution Environment) and provides secure storage, key management, and secure payment capabilities, following the GlobalPlatform (GP) TEE standard.
This document covers:
- MiTEE CA application-level API (SST secure storage, triad, WeChat/Alipay payment, PIN)
- MiTEE Rootkey API
- GP TEE Client API (REE side, called by CA)
- GP TEE Internal API (TEE side, used by TA implementations)
Header files: Various CA headers under frameworks/security/include/ (comsst_ca_api.h / triad_ca_api.h, etc.), as well as <sys/boardctl.h> (Rootkey), OP-TEE <tee_client_api.h> (TEE Client), and <tee_internal_api.h> (TEE Internal).
openvela Implementation Notes
- Dual security schemes: openvela provides two optional security capabilities:
- MiTEE-based TEE scheme (main content of this document): For scenarios requiring hardware-level trusted execution environments
- Android Keystore scheme (see "Android Keystore Client API" section): Ported from AOSP, for lightweight scenarios requiring only key management and secure storage
- Based on MiTEE: openvela's TEE implementation, compatible with OP-TEE, following GlobalPlatform (GP) specifications
- Two-side runtime:
- REE side (Rich Execution Environment): Runs CA (Client Application), initiates TEE requests through
libteec - TEE side (Trusted Execution Environment): Runs TA (Trusted Application), scheduled by the
miteedserver
- REE side (Rich Execution Environment): Runs CA (Client Application), initiates TEE requests through
- Communication channel: Data exchange between CA and TA is performed via rpmsg socket
- API layers:
- Application-level CA API (located in
frameworks/security/ca/) encapsulates common security operations (SST, triad, payment, PIN) - GP TEE Client API (REE side) provides GP-standard Context/Session management and command invocation
- GP TEE Internal API (TEE side) provides memory/object/cryptographic capabilities callable by TA implementors
- Application-level CA API (located in
- Key root: Rootkey is written once during factory provisioning, immutable at runtime; all derived keys are derived from Rootkey
Common Secure Storage SST CA API
Performs read/write operations on the Secure Storage (SST) partition. Implementation located in frameworks/security/ca/comsst.
comsst_data_read
uint32_t comsst_data_read(uint8_t *scope, uint8_t *name, bool is_deletable,
uint8_t *buff, uint32_t *out_len);
Reads a data record from the SST partition.
Parameters:
scopeNamespace (scope identifier) used to distinguish different services.nameRecord name.is_deletableWhether this record is allowed to be deleted by the user side.buffOutput buffer to receive the read data.out_lenInput/output parameter; input is the buffer size, output is the actual bytes read.
Returns:
Returns TEE_SUCCESS (0) on success, or a TEE error code on failure.
comsst_data_write
uint32_t comsst_data_write(uint8_t *scope, uint8_t *name, bool is_deletable,
uint8_t *buff, uint32_t len);
Writes a data record to the SST partition.
Parameters:
scopeNamespace.nameRecord name.is_deletableWhether this record is allowed to be deleted by the user side.buffData buffer to write.lenData length.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
comsst_data_delete
uint32_t comsst_data_delete(uint8_t *scope, uint8_t *name, bool is_deletable);
Deletes a record from the SST partition.
Parameters:
scopeNamespace.nameRecord name.is_deletableThe deletable attribute of the record, must match the value used during write.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
is_comsst_data_exited
uint32_t is_comsst_data_exited(uint8_t *scope, uint8_t *name, bool is_deletable);
Queries whether a specified record exists in the SST partition.
Parameters:
scopeNamespace.nameRecord name.is_deletableDeletable attribute.
Returns:
Returns TEE_SUCCESS if the record exists, or a corresponding error code if it does not.
comsst_data_verify
uint32_t comsst_data_verify(uint8_t *scope, uint8_t *name, bool is_deletable,
uint8_t *buff, uint32_t len);
Compares the provided data against the data already stored in SST. Commonly used to verify whether the application-side copy is up to date.
Parameters:
scopeNamespace.nameRecord name.is_deletableDeletable attribute.buffData to compare.lenData length.
Returns:
Returns TEE_SUCCESS if the data matches, or an error code if it does not match or the operation fails.
Triad CA API
Performs read/write operations on the device triad's Device ID (DID) and Key. Implementation located in frameworks/security/ca/triad.
triad_store_did
int triad_store_did(uint8_t *did, uint16_t len);
Writes the device DID to secure storage.
Parameters:
didDID buffer.lenDID length in bytes.
Returns:
Returns 0 on success, or a negative error code on failure.
triad_load_did
int triad_load_did(uint8_t *did, uint16_t len);
Reads the DID from secure storage.
Parameters:
didOutput buffer to receive the DID.lenBuffer length.
Returns:
Returns 0 on success, or a negative error code on failure.
triad_store_key
int triad_store_key(uint8_t *key, uint16_t len);
Writes the device key to secure storage.
Parameters:
keyKey buffer.lenKey length.
Returns:
Returns 0 on success, or a negative error code on failure.
triad_load_key
int triad_load_key(uint8_t *key, uint16_t len);
Reads the device key from secure storage.
Parameters:
keyOutput buffer.lenBuffer length.
Returns:
Returns 0 on success, or a negative error code on failure.
triad_get_hmac
int triad_get_hmac(uint8_t *input, uint16_t inlen,
uint8_t *output, uint16_t outlen);
Computes an HMAC over the input data using the device key, writing the result to the output buffer.
Parameters:
inputInput data.inlenInput data length.outputOutput buffer to receive the HMAC result.outlenOutput buffer length.
Returns:
Returns 0 on success, or a negative error code on failure.
WeChat Pay CA API
Performs read/write operations on WeChat secure payment data. Implementation located in frameworks/security/ca/wxcodepay.
wxcodepay_tee_data_read
uint32_t wxcodepay_tee_data_read(int item, uint8_t *buff, uint32_t *out_len);
Reads a WeChat Pay data item.
Parameters:
itemData item ID.buffOutput buffer.out_lenInput/output parameter, returns the actual bytes read.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
wxcodepay_tee_data_write
uint32_t wxcodepay_tee_data_write(int item, const uint8_t *buf, uint32_t len);
Writes a WeChat Pay data item.
Parameters:
itemData item ID.bufData buffer.lenData length.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
wxcodepay_tee_data_delete
uint32_t wxcodepay_tee_data_delete(int item);
Deletes the specified WeChat Pay data item.
Parameters:
itemData item ID.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
is_wxcodepay_tee_data_exited
bool is_wxcodepay_tee_data_exited(int item);
Queries whether the specified WeChat Pay data item is stored.
Parameters:
itemData item ID.
Returns:
Returns true if the item exists, false otherwise.
Alipay CA API
Performs read/write operations on Alipay secure payment data. Implementation located in frameworks/security/ca/alipay.
alipay_tee_data_read
uint32_t alipay_tee_data_read(const char *item_name, uint8_t *buff,
uint32_t *out_len);
Reads an Alipay data item.
Parameters:
item_nameData item name string.buffOutput buffer.out_lenInput/output parameter, returns the actual bytes read.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
alipay_tee_data_write
uint32_t alipay_tee_data_write(const char *item_name, const uint8_t *buf,
uint32_t len);
Writes an Alipay data item.
Parameters:
item_nameData item name string.bufData buffer.lenData length.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
alipay_tee_data_delete
uint32_t alipay_tee_data_delete(const char *item_name);
Deletes the specified Alipay data item.
Parameters:
item_nameData item name.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
is_alipay_tee_data_exited
bool is_alipay_tee_data_exited(const char *item_name);
Queries whether the specified Alipay data item is stored.
Parameters:
item_nameData item name.
Returns:
Returns true if the item exists, false otherwise.
PIN CA API
Performs storage, verification, and modification operations on Personal Identification Numbers (PINs). Implementation located in frameworks/security/ca/pin.
pin_store
uint32_t pin_store(bool is_deletable, uint8_t *buff, uint32_t len);
Stores a PIN in secure storage.
Parameters:
is_deletableWhether the PIN is allowed to be deleted by the user side.buffPIN data buffer.lenPIN data length.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
pin_is_exist
bool pin_is_exist(bool is_deletable);
Queries whether a PIN of the specified type is stored.
Parameters:
is_deletableDeletable attribute, used to distinguish different types of PINs.
Returns:
Returns true if the PIN exists, false otherwise.
pin_delete
uint32_t pin_delete(bool is_deletable);
Deletes a PIN from secure storage.
Parameters:
is_deletableDeletable attribute.
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
pin_verify
uint32_t pin_verify(bool is_deletable, uint8_t *buff, uint32_t len);
Verifies whether the PIN matches the record in secure storage.
Parameters:
is_deletableDeletable attribute.buffPIN data to verify.lenPIN data length.
Returns:
Returns TEE_SUCCESS if verification passes, or an error code if it fails.
pin_change
uint32_t pin_change(bool is_deletable, uint8_t *old, uint32_t oldlen,
uint8_t *new, uint32_t newlen);
Changes a stored PIN. Both the old PIN and new PIN must be provided.
Parameters:
is_deletableDeletable attribute.oldOld PIN buffer.oldlenOld PIN length.newNew PIN buffer.newlenNew PIN length.
Returns:
Returns TEE_SUCCESS on success (old PIN verified and new PIN written), or an error code on failure.
pin_getsha256
uint32_t pin_getsha256(bool is_deletable, uint8_t *buff, uint32_t len);
Retrieves the SHA-256 digest of the PIN.
Parameters:
is_deletableDeletable attribute.buffOutput buffer to receive the 32-byte digest.lenBuffer length (must be at least 32).
Returns:
Returns TEE_SUCCESS on success, or a TEE error code on failure.
MiTEE Rootkey Management
Rootkey is the root of trust key in the TEE security system, used to derive other keys. This key is written once during factory provisioning and read by the TEE OS at runtime.
boardctl_BOARDIOC_UNIQUEKEY
#include <sys/boardctl.h>
boardctl(BOARDIOC_UNIQUEKEY, tmp_key);
The TEE Server (miteed) in the TEE OS reads the Rootkey through the boardctl system call.
Parameters:
BOARDIOC_UNIQUEKEYFixed command identifier.tmp_keyOutput buffer pointer to receive the Rootkey content.
Returns:
Returns 0 on success, or a negative value on failure and sets errno.
Notes:
- Only the TEE OS side is allowed to call this interface; REE-side applications cannot access the Rootkey.
rootkey_provision
norflash_api_security_register_erase(HAL_FLASH_ID_0, 2048, 32);
norflash_api_security_register_write(HAL_FLASH_ID_0, 2048, rn, 32);
norflash_api_security_register_lock(HAL_FLASH_ID_0, 2048, 32);
Rootkey is written only in the factory build during the TEE OS first boot. The typical flow is "erase, write, lock":
Parameters (using norflash_api_security_register_* as example):
HAL_FLASH_ID_0Flash device identifier.2048Security register start offset.32Byte length (256 bits).rnRootkey data buffer provided during write.
Notes:
- Once
_lockis executed, the region is permanently locked and cannot be written again. The correctness of the written data must be ensured. - Production devices should never contain code that calls the above interfaces.
Android Keystore Client API
This section describes a Keystore that is independent of MiTEE. The source code is ported from the Android Keystore service framework and follows the Keystore/Keymaster standard interfaces. The Keymaster layer supports multiple implementation backends, including MiTEE integration, pure software implementation, and implementations customized for Secure Elements (SE).
The openvela Keystore exposes a C API to upper layers, providing key management and secure storage capabilities for scenarios such as account SDKs. Users do not need to be aware of underlying hardware differences or storage details.
Header file: #include <keystore/client.h>
Source path: external/android/system/security/keystore/
Keystore Usage Conventions
- Storage unit: Each data item is uniquely identified by a
namestring - Naming rules:
namelength is limited toCONFIG_NAME_MAX - 12; if it contains special characters (ASCII0to~range), each character counts as 2 bytes - Return value convention: All interfaces return
KEYSTORE_NO_ERROR(value1) on success, and an error code greater than1on failure - Memory management: Data returned by
keyStoreGetis allocated internally; the caller must release it withfree()
keyStoreInsert
int keyStoreInsert(const char *name, size_t nameLength,
const uint8_t *item, size_t itemLength);
Writes a data item to the Keystore. The data is encrypted internally within the Keystore.
Parameters:
nameData item name. Must be unique, subject to theCONFIG_NAME_MAX - 12length limit.nameLengthName length in bytes.itemData buffer to write.itemLengthData length in bytes.
Returns:
Returns KEYSTORE_NO_ERROR on success, or another KEYSTORE_* error code on failure.
keyStoreGet
int keyStoreGet(const char *name, size_t nameLength,
uint8_t **item, size_t *itemLength);
Reads a data item from the Keystore by name. The data is allocated internally; the caller must release it with free().
Parameters:
nameData item name.nameLengthName length.itemOutput parameter, returns a pointer to the internally allocated data buffer.itemLengthOutput parameter, returns the data length.
Returns:
Returns KEYSTORE_NO_ERROR on success, or another KEYSTORE_* error code on failure.
keyStoreDel
int keyStoreDel(const char *name, size_t nameLength);
Deletes a data item from the Keystore by name.
Parameters:
nameData item name.nameLengthName length.
Returns:
Returns KEYSTORE_NO_ERROR on success, or another KEYSTORE_* error code on failure.
keyStoreExist
int keyStoreExist(const char *name, size_t nameLength);
Checks whether a data item with the specified name exists in the Keystore.
Parameters:
nameData item name.nameLengthName length.
Returns:
Returns KEYSTORE_NO_ERROR if the item exists, or another KEYSTORE_* error code if it does not exist or the operation fails.
keyStoreReset
int keyStoreReset(void);
Deletes all data items belonging to the current application in the Keystore.
Returns:
Returns KEYSTORE_NO_ERROR on success, or another KEYSTORE_* error code on failure.
Notes:
- This operation is irreversible and only affects the current application's namespace.
Keystore Error Codes
Error codes returned by all Keystore interfaces (defined in header keystore/client.h):
| Error Code | Value | Description |
|---|---|---|
KEYSTORE_NO_ERROR |
1 | Operation successful |
KEYSTORE_LOCKED |
2 | Keystore is locked |
KEYSTORE_UNINITIALIZED |
3 | Not initialized |
KEYSTORE_SYSTEM_ERROR |
4 | System error |
KEYSTORE_PROTOCOL_ERROR |
5 | Protocol error |
KEYSTORE_PERMISSION_DENIED |
6 | Permission denied |
KEYSTORE_KEY_NOT_FOUND |
7 | Specified data item does not exist |
KEYSTORE_VALUE_CORRUPTED |
8 | Data corrupted |
KEYSTORE_UNDEFINED_ACTION |
9 | Undefined action |
KEYSTORE_WRONG_PASSWORD_0 ~ KEYSTORE_WRONG_PASSWORD_3 |
10-13 | Wrong password (up to 4 retries) |
KEYSTORE_SIGNATURE_INVALID |
14 | Invalid signature |
KEYSTORE_OP_AUTH_NEEDED |
15 | Authentication required before this operation |
KEYSTORE_KEY_ALREADY_EXISTS |
16 | Data item already exists |
KEYSTORE_KEY_PERMANENTLY_INVALIDATED |
17 | Data item permanently invalidated |
KEYSTORE_ABORT_CALLED |
18 | Operation aborted |
KEYSTORE_PRUNED |
19 | Data pruned |
KEYSTORE_BINDER_DIED |
20 | Binder connection lost |
GP TEE Client API (REE Side)
The following interfaces comply with the GlobalPlatform TEE Client API specification. They are called by CAs on the REE side to establish contexts with the TEE, open sessions, and execute commands.
TEEC_InitializeContext
TEEC_Result TEEC_InitializeContext(const char *name, TEEC_Context *context);
Initializes a TEE context, establishing a connection between the CA and the specified TEE.
Parameters:
nameNull-terminated string identifying the TEE to connect to. The current implementation only supportsNULL, indicating the default TEE.contextPointer to the context structure to initialize.
Returns:
Returns TEEC_SUCCESS on success, or another TEEC_Result error code on failure.
TEEC_FinalizeContext
void TEEC_FinalizeContext(TEEC_Context *context);
Destroys an initialized TEE context, closing the connection between the CA and the TEE.
Parameters:
contextThe context to destroy.
Notes:
- All associated sessions must be closed and all shared memory must be released before calling this function.
TEEC_OpenSession
TEEC_Result TEEC_OpenSession(TEEC_Context *context,
TEEC_Session *session,
const TEEC_UUID *destination,
uint32_t connectionMethod,
const void *connectionData,
TEEC_Operation *operation,
uint32_t *returnOrigin);
Opens a new session between the CA and the specified TA.
Parameters:
contextAn initialized TEE context.sessionPointer to the session structure to initialize.destinationUUID of the target TA.connectionMethodConnection method.connectionDataConnection-related data (currently unused, should passNULL).operationOperation parameter structure; passNULLif no parameters are needed.returnOriginOutput parameter, returns the origin of the error when a failure occurs.
Returns:
Returns TEEC_SUCCESS on success, or another TEEC_Result error code on failure.
TEEC_CloseSession
void TEEC_CloseSession(TEEC_Session *session);
Closes an opened TA session.
Parameters:
sessionThe session to close.
TEEC_InvokeCommand
TEEC_Result TEEC_InvokeCommand(TEEC_Session *session,
uint32_t commandID,
TEEC_Operation *operation,
uint32_t *returnOrigin);
Invokes a TA command within the specified session.
Parameters:
sessionAn opened session handle.commandIDThe command ID internal to the TA.operationOperation parameter structure; passNULLif no parameters are needed.returnOriginOutput parameter, returns the origin of the error when a failure occurs.
Returns:
Returns TEEC_SUCCESS on success, or another TEEC_Result error code on failure.
TEEC_AllocateSharedMemory
TEEC_Result TEEC_AllocateSharedMemory(TEEC_Context *context,
TEEC_SharedMemory *sharedMem);
Allocates a block of shared memory within the specified TEE context.
Parameters:
contextAn initialized TEE context.sharedMemPointer to the shared memory structure to allocate.
Returns:
Returns TEEC_SUCCESS on success; returns TEEC_ERROR_OUT_OF_MEMORY if memory is insufficient; returns other TEEC_Result error codes for other failures.
TEEC_RegisterSharedMemory
TEEC_Result TEEC_RegisterSharedMemory(TEEC_Context *context,
TEEC_SharedMemory *sharedMem);
Registers a caller-allocated memory block as shared memory. Unlike TEEC_AllocateSharedMemory (which allocates via the framework), this interface allows the CA to reuse an existing memory buffer as the TEE communication data area.
Parameters:
contextAn initialized TEE context.sharedMemPointer to the shared memory structure. The caller should pre-fill thebuffer,size, andflagsfields.
Returns:
Returns TEEC_SUCCESS on success, or a corresponding TEEC_Result error code on failure.
TEEC_ReleaseSharedMemory
void TEEC_ReleaseSharedMemory(TEEC_SharedMemory *sharedMemory);
Releases or deregisters a previously allocated shared memory block. For memory allocated by TEEC_AllocateSharedMemory, the memory is freed. For memory registered by TEEC_RegisterSharedMemory, only deregistration is performed (the caller's buffer is not freed).
Parameters:
sharedMemoryPointer to the shared memory structure to release.
TEEC_RequestCancellation
void TEEC_RequestCancellation(TEEC_Operation *operation);
Requests cancellation of an in-progress TEEC_OpenSession or TEEC_InvokeCommand operation. After calling this interface, the corresponding operation may be asynchronously aborted by the TEE.
Parameters:
operationPointer to the targetTEEC_Operationstructure. This must be the same object used by an in-progressOpenSession/InvokeCommand.
Notes:
- This interface is a "request" rather than a "force"; whether the operation is actually aborted depends on the TEE and the target TA.
- The TA needs to call
TEE_GetCancellationFlagin the GP Internal API to respond to cancellation requests.
GP TEE Internal API (TEE Side)
The GP TEE Internal Core API is a standard TA development interface defined by GlobalPlatform. Function signatures, parameter semantics, and return value semantics are authoritative per the official GP specification. openvela's MiTEE is compatible with these interfaces; however, due to current implementation progress, some interfaces are in an "Incomplete" state.
Authoritative References:
- GlobalPlatform TEE Internal Core API Specification v1.3.1
<tee_internal_api.h>in theoptee_ossource tree
This section provides a status lookup table listing openvela's support status for each GP Internal API, helping TA developers determine which APIs can be used directly. For complete signatures, parameters, and return values, refer to the official GP specification above.
Implementation Status column legend:
- Supported — openvela has fully implemented the function; behavior is consistent with the GP specification
- Incomplete — The function symbol exists, but some behavior is not yet implemented or has not been fully validated; not recommended for production use
TA Lifecycle Entry Points
| Function | Implementation Status | Description |
|---|---|---|
TA_CreateEntryPoint |
Supported | TA creation entry point |
TA_DestroyEntryPoint |
Supported | TA destruction entry point |
TA_OpenSessionEntryPoint |
Supported | Session open entry point |
TA_CloseSessionEntryPoint |
Supported | Session close entry point |
TA_InvokeCommandEntryPoint |
Supported | Command invocation entry point |
Inter-TA Communication
| Function | Implementation Status | Description |
|---|---|---|
TEE_OpenTASession |
Incomplete | Open an inter-TA session |
TEE_CloseTASession |
Incomplete | Close an inter-TA session |
TEE_InvokeTACommand |
Incomplete | Invoke a command on another TA |
Memory Access Check
| Function | Implementation Status | Description |
|---|---|---|
TEE_CheckMemoryAccessRights |
Incomplete | Check memory access rights |
Memory Management
| Function | Implementation Status | Description |
|---|---|---|
TEE_Malloc |
Supported | Allocate memory |
TEE_Realloc |
Supported | Reallocate memory |
TEE_Free |
Supported | Free memory |
TEE_MemMove |
Supported | Move memory |
TEE_MemCompare |
Supported | Compare memory |
TEE_MemFill |
Supported | Fill memory |
Generic Object Operations
| Function | Implementation Status | Description |
|---|---|---|
TEE_GetObjectInfo1 |
Supported | Get object information |
TEE_CloseObject |
Supported | Close an object |
Transient Object Operations
| Function | Implementation Status | Description |
|---|---|---|
TEE_AllocateTransientObject |
Supported | Allocate a transient object |
TEE_FreeTransientObject |
Supported | Free a transient object |
TEE_ResetTransientObject |
Supported | Reset a transient object |
TEE_PopulateTransientObject |
Supported | Populate transient object attributes |
TEE_InitRefAttribute |
Supported | Initialize a reference attribute |
TEE_InitValueAttribute |
Supported | Initialize a value attribute |
TEE_CopyObjectAttributes1 |
Supported | Copy object attributes |
TEE_GenerateKey |
Incomplete | Generate a key |
Persistent Object Operations
| Function | Implementation Status | Description |
|---|---|---|
TEE_OpenPersistentObject |
Incomplete | Open a persistent object |
TEE_CreatePersistentObject |
Incomplete | Create a persistent object |
TEE_CloseAndDeletePersistentObject |
Incomplete | Close and delete a persistent object |
TEE_RenamePersistentObject |
Incomplete | Rename a persistent object |
Persistent Object Data Stream Operations
| Function | Implementation Status | Description |
|---|---|---|
TEE_ReadObjectData |
Incomplete | Read object data |
TEE_WriteObjectData |
Incomplete | Write object data |
TEE_TruncateObjectData |
Incomplete | Truncate object data |
TEE_SeekObjectData |
Incomplete | Seek object data offset |
Cryptographic Operation Management
| Function | Implementation Status | Description |
|---|---|---|
TEE_AllocateOperation |
Supported | Allocate a cryptographic operation |
TEE_FreeOperation |
Supported | Free a cryptographic operation |
TEE_GetOperationInfo |
Supported | Get operation information |
TEE_GetOperationInfoMultiple |
Supported | Get multi-key operation information |
TEE_ResetOperation |
Supported | Reset an operation |
TEE_SetOperationKey |
Supported | Set operation key |
TEE_SetOperationKey2 |
Supported | Set dual-key operation |
TEE_CopyOperation |
Supported | Copy an operation |
Message Digest
| Function | Implementation Status | Description |
|---|---|---|
TEE_DigestUpdate |
Supported | Update digest data |
TEE_DigestDoFinal |
Supported | Finalize digest computation |
Symmetric Cipher
| Function | Implementation Status | Description |
|---|---|---|
TEE_CipherInit |
Supported | Initialize symmetric cipher operation |
TEE_CipherUpdate |
Supported | Update cipher data |
TEE_CipherDoFinal |
Supported | Finalize cipher operation |
MAC (Message Authentication Code)
| Function | Implementation Status | Description |
|---|---|---|
TEE_MACInit |
Supported | Initialize MAC operation |
TEE_MACUpdate |
Supported | Update MAC data |
TEE_MACComputeFinal |
Supported | Compute final MAC value |
TEE_MACCompareFinal |
Supported | Compare final MAC value |
Authenticated Encryption (AE)
| Function | Implementation Status | Description |
|---|---|---|
TEE_AEInit |
Incomplete | Initialize AE operation |
TEE_AEUpdateAAD |
Incomplete | Update additional authenticated data |
TEE_AEUpdate |
Incomplete | Update AE data |
TEE_AEEncryptFinal |
Incomplete | Finalize AE encryption |
TEE_AEDecryptFinal |
Incomplete | Finalize AE decryption |
Asymmetric Cryptography
| Function | Implementation Status | Description |
|---|---|---|
TEE_AsymmetricEncrypt |
Incomplete | Asymmetric encryption |
TEE_AsymmetricDecrypt |
Incomplete | Asymmetric decryption |
TEE_AsymmetricSignDigest |
Incomplete | Asymmetric signature |
TEE_AsymmetricVerifyDigest |
Incomplete | Asymmetric verification |
Key Derivation
| Function | Implementation Status | Description |
|---|---|---|
TEE_DeriveKey |
Incomplete | Derive a key |
Random Number Generation
| Function | Implementation Status | Description |
|---|---|---|
TEE_GenerateRandom |
Incomplete | Generate random data |
Time API
| Function | Implementation Status | Description |
|---|---|---|
TEE_GetSystemTime |
Incomplete | Get system time |
TEE_GetTAPersistentTime |
Incomplete | Get TA persistent time |
TEE_SetTAPersistentTime |
Incomplete | Set TA persistent time |
TEE_GetREETime |
Incomplete | Get REE time |