全球平台TEE内部核心API规范v1.3公共发布

globalplatform

trustonic

需积分: 48 138 浏览量更新于2024-07-09 1 收藏 3.33MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"GPD_TEE_Internal_Core_API_Specification_v1.3_PublicRelease.pdf" 本文档是2021年发布的GlobalPlatform TEE Internal Core API的最新版本，旨在定义可信执行环境（Trusted Execution Environment，简称TEE）内部核心API的规范。GlobalPlatform是一个国际组织，致力于制定标准，以确保安全组件在各种设备上的互操作性，包括移动设备、智能卡和其他嵌入式系统。该文档可能涉及到的关键词有：GlobalPlatform、GP TEE、Trustonic以及 Trusted Application (TA)。 TEE是一种安全环境，它与主操作系统（通常称为Rich Execution Environment,REE）并存，为敏感应用和服务提供额外的安全保障。它允许在不安全的主系统中运行的同时，保护关键数据和处理任务。此内部核心API规范是开发者和硬件/软件供应商的重要指南，他们需要实现或与TEE进行交互。它详细描述了如何在TEE内部创建、管理和执行受信任的应用程序，以及这些应用程序如何与其他安全服务通信。API提供了安全功能的接口，如加密、密钥管理、身份验证和权限控制。文档中的“IPR”部分提醒接收者，如果他们在实施此规范时发现可能侵犯的任何相关专利或其他知识产权，应提交通知并提供支持文档。这表明GlobalPlatform尊重知识产权，并期望其技术的使用遵循特定的许可协议。版本1.3的公共发布意味着这个规范已经过多次迭代和改进，以适应不断变化的技术需求和安全挑战。文档的使用者需要了解，使用这些信息需遵守GlobalPlatform的许可协议，违反协议的使用是被严格禁止的。 "GPD_TEE_Internal_Core_API_Specification_v1.3_PublicRelease.pdf" 是一个关于TEE内部核心API的详细规范，它涵盖了安全软件开发的关键元素，包括API接口、安全服务和知识产权管理。这份文档对于理解如何在TEE环境中开发和集成安全应用至关重要，同时也为设备制造商、操作系统提供商和安全解决方案开发者提供了指导。

资源详情

资源推荐

16 / 369 TEE Internal Core API Specification – Public Release v1.3



The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this

information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly

prohibited.

Standard / Specification

Description

Ref

NIST SP800-56B Recommendation for Pair-Wise Key Establishment

Schemes Using Integer Factorization Cryptography

[NIST SP800-56B]

NIST SP800-185

SHA-3 Derived Functions: cSHAKE, KMAC,

TupleHash, and ParallelHash

[NIST SP800-185]

RFC 2045 Multipurpose Internet Mail Extensions (MIME)

Part One: Format of Internet Message Bodies

[RFC 2045]

RFC 2119 Key words for use in RFCs to Indicate Requirement

Levels

[RFC 2119]

RFC 4122

A Universally Unique IDentifier (UUID) URN

Namespace

[RFC 4122]

RFC 7748 Elliptic Curves for Security [X25519]

RFC 8032 Edwards-Curve Digital Signature Algorithm [Ed25519]

SM2 Organization of State Commercial Administration of

China, “Public Key Cryptographic Algorithm SM2 Based

on Elliptic Curves", December 2010

[SM2]

SM2-2

Organization of State Commercial Administration of

China, “Public Key Cryptographic Algorithm SM2 Based

on Elliptic Curves – Part 2: Digital Signature Algorithm”,

December 2010

[SM2-2]

SM2-4

Organization of State Commercial Administration of

China, “Public Key Cryptographic Algorithm SM2 Based

on Elliptic Curves – Part 4: Public Key Encryption

Algorithm”, December 2010

[SM2-4]

SM2-5

Organization of State Commercial Administration of

China, “Public Key Cryptographic Algorithm SM2 Based

on Elliptic Curves – Part 5: Parameter definitions”,

December 2010

[SM2-5]

SM3

Organization of State Commercial Administration of

China, “SM3 Cryptographic Hash Algorithm”,

December 2010

[SM3]

SM4 Organization of State Commercial Administration of

China, “SM4 block cipher algorithm”, December 2010

[SM4]

Table 1-2: Informative References

Standard / Specification

Description

Ref

GP_GUI_001 GlobalPlatform Document Management Guide [Doc Mgmt]

ISO/IEC 10118-3

Information technology – Security techniques –

Hash-functions – Part 3: Dedicated hash-functions

(English language reference for SM3)

[ISO 10118-3]

TEE Internal Core API Specification – Public Release v1.3 17 / 369



The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this

information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly

prohibited.

Standard / Specification

Description

Ref

ISO/IEC 14888-3 Information technology – Security techniques – Digital

signatures with appendix – Part 3: Discrete logarithm

based mechanisms

(English Language reference for SM2)

[ISO 14888-3]

ISO/IEC 15408 Information technology – Security techniques –

Evaluation criteria for IT security

[ISO 15408]

ISO/IEC 18033-3

Information technology – Security techniques –

Encryption algorithms – Part 3: Block ciphers

(English Language reference for SM4)

[ISO 18033-3]

1.4 Terminology and Definitions

The following meanings apply to SHALL, SHALL NOT, MUST, MUST NOT, SHOULD, SHOULD NOT, and

MAY in this document (refer to [RFC 2119]):

• SHALL indicates an absolute requirement, as does MUST.

• SHALL NOT indicates an absolute prohibition, as does MUST NOT.

• SHOULD and SHOULD NOT indicate recommendations.

• MAY indicates an option.

Selected terms used in this document are included in the following table.

Table 1-3: Terminology and Definitions

Term

Definition

Cancellation Flag An indicator that a Client has requested cancellation of an operation.

Client Either of the following:

• a Client Application using the TEE Client API

• a Trusted Application acting as a client of another Trusted

Application, using the Internal Client API

Client Application (CA)

An application running outside of the Trusted Execution Environment

(TEE) making use of the TEE Client API ([Client API]) to access

facilities provided by Trusted Applications inside the TEE.

Contrast Trusted Application (TA).

Client Properties A set of properties associated with the Client of a Trusted Application.

Command

A message (including a Command Identifier and four Operation

Parameters) send by a Client to a Trusted Application to initiate an

operation.

Command Identifier A 32-bit integer identifying a Command.

Cryptographic Key Object An object containing key material.

Cryptographic Key-Pair Object An object containing material associated with both keys of a key-pair.

Cryptographic Operation

Handle

An opaque reference that identifies a particular cryptographic operation.

18 / 369 TEE Internal Core API Specification – Public Release v1.3



The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this

information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly

prohibited.

Term

Definition

Cryptographic Operation Key The key to be used for a particular operation.

Data Object An object containing a data stream but no key material.

Data Stream Data associated with a Persistent Object (excluding Object Attributes

and metadata).

Event API An API that supports the event loop. See section 9.

Event loop

A mechanism by which a TA can enquire for and then process

messages from types of peripherals including pseudo-peripherals.

Function Number Identifies a function within a specification. With the Specification

Number, forms a unique identifier for a function. May be displayed when

a Panic occurs or in debug messages where supported.

Implementation Properties

A set of properties describing the TEE implementation, including the

associated hardware and Trusted OS.

Initialized Describes a transient object whose attributes have been populated.

Instance A particular execution of a Trusted Application, having physical memory

space that is separated from the physical memory space of all other TA

instances.

Key Size

The key size associated with a Cryptographic Object; values are limited

by the key algorithm used.

Key Usage Flags Indicators of the operations permitted with a Cryptographic Object.

Memory Reference Parameter An Operation Parameter that carries a pointer to a client-owned

memory buffer.

Contrast Value Parameter.

Metadata

Additional data associated with a Cryptographic Object: Key Size and

Key Usage Flags.

Multi Instance Trusted

Application

Denotes a Trusted Application for which each session opened by a

client is directed to a separate TA instance.

Object Attribute Small amounts of data used to store key material in a structured way.

Object Handle An opaque reference that identifies a particular object.

Object Identifier A variable-length binary buffer identifying a persistent object.

Operation Parameter One of four data items passed in a Command, which can contain

integer values or references to client-owned shared memory blocks.

Panic

An exception that kills a whole TA instance. See section 2.3.3 for full

definition.

Panic Reason A programmer error that makes it impossible to produce the result of a

function and requires that the API panic the calling TA instance. See

section 2.3.3 for further information.

Parameter Annotation

Denotes the pattern of usage of a function parameter or pair of function

parameters.

Peripheral API A low-level API that enables a Trusted Application to interact with

peripherals via the Trusted OS. See section 9.

TEE Internal Core API Specification – Public Release v1.3 19 / 369



The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this

information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly

prohibited.

Term

Definition

Persistent Object An object identified by an Object Identifier and including a Data Stream.

Contrast Transient Object.

Property An immutable value identified by a name.

Property Set Any of the following:

• The configuration properties of a Trusted Application

• Properties associated with a Client Application by the Regular

Execution Environment

• Properties describing characteristics of a TEE implementation

Protection Profile (PP) A document according to the Common Criteria, as described in

[ISO 15408], used as part of the security certification process; defines

the specific set of security features required of a technology to claim

compliance.

REE Time A time value that is as trusted as the REE.

Regular Execution

Environment (REE)

An Execution Environment comprising at least one Regular OS and all

other components of the device (SoCs, other discrete components,

firmware, and software) which execute, host, and support the Regular

OS (excluding any Secure Components included in the device).

From the viewpoint of a Secure Component, everything in the REE is

considered untrusted, though from the Regular OS point of view there

may be internal trust structures.

(Formerly referred to as a Rich Execution Environment (REE).)

Contrast Trusted Execution Environment (TEE).

Regular OS

An OS executing in a Regular Execution Environment. May be anything

from a large OS such as Linux down to a minimal set of statically linked

libraries providing services such as a TCP/IP stack.

(Formerly referred to as a Rich OS or Device OS.)

Contrast Trusted OS.

Secure Component GlobalPlatform terminology to represent either a Secure Element or a

Trusted Execution Environment.

Secure Element A tamper-resistant secure hardware component which is used in a

device to provide the security, confidentiality, and multiple application

environment required to support various business models. May exist in

any form factor, such as embedded or integrated SE, SIM/UICC,

smart card, smart microSD, etc.

Security Domain

An on-device representative of an Authority in the TEE Management

Framework security model. Security Domains are responsible for the

control of administration operations. SDs are used to perform the

provisioning of TEE properties and to manage the life cycle of Trusted

Applications and SDs associated with them.

Session Logically connects multiple commands invoked on a Trusted Application

or a Security Domain.

Simple Symmetric Key Type In the context of this specification, any of a set of object types defined in

Table 5-10.

20 / 369 TEE Internal Core API Specification – Public Release v1.3



The technology provided or described herein is subject to updates, revisions, and extensions by GlobalPlatform. Use of this

information is governed by the GlobalPlatform license agreement and any use inconsistent with that agreement is strictly

prohibited.

Term

Definition

Single Instance Trusted

Application

Denotes a Trusted Application for which all sessions opened by clients

are directed to a single TA instance.

Specification Number

Identifies the specification within which a function is defined. May be

displayed when a Panic occurs or in debug messages where supported.

Storage Identifier A 32-bit identifier for a Trusted Storage Space that can be accessed by

a Trusted Application.

System Time A time value that can be used to compute time differences and

operation deadlines.

TA Persistent Time

A time value set by the Trusted Application that persists across platform

reboots and whose level of trust can be queried.

Tamper-resistant secure

hardware

Hardware designed to isolate and protect embedded software and data

by implementing appropriate security measures. The hardware and

embedded software meet the requirements of the latest Security IC

Platform Protection Profile ([PP-0084]) including resistance to physical

tampering scenarios described in that Protection Profile.

Task The entity that executes any code executed in a Trusted Application.

TEE Client API The software interface used by clients running in the REE to

communicate with the TEE and with the Trusted Applications executed

by the TEE. For details, see [Client API].

TEE Management Framework A security model for administration of Trusted Execution Environments

(TEEs) and for administration and life cycle management of Trusted

Applications (TAs) and corresponding Security Domains (SDs).

Transient Object

An object containing attributes but no data stream, which is reclaimed

when closed or when the TA instance is destroyed.

Contrast Persistent Object.

Trusted Application (TA) An application running inside the Trusted Execution Environment that

provides security related functionality to Client Applications outside of

the TEE or to other Trusted Applications inside the TEE.

Contrast Client Application (CA).

Trusted Application

Configuration Properties

A set of properties associated with the installation of a Trusted

Application.

Trusted Core Framework or

“Framework”

The part of the Trusted OS responsible for implementing the Trusted

Core Framework API

that provides OS-like facilities to Trusted

Applications and a way for the Trusted OS to interact with the Trusted

Applications.

The Trusted Core Framework API is described in Chapter 4.

剩余368页未读，继续阅读

代码改变世界ctw

粉丝: 5w+
资源: 44

全球平台TEE内部核心API规范v1.3公共发布

GPD_TEE_Internal_Core_API_Specification_v1.1.1_20160614.pdf

GPD_TEE_Internal_API_Specification_v1.0.pdf

GPD_TEE_TA_Debug_Spec_v1.0

gpd_tee_protectionprofile_v1.3

gpd.fiscale(y) Error in gpd.fiscale(y) : Use only with 'pot' objects

plt.bar(height=GPD_data[8:16,1],x=range(len(GPD_data[8:16,1])), label='第一产业GDP',tick_label=quarter)

plt.bar(height=GPD_data[0:8, 3], x=range(len(GPD_data[0:8, 3])), label='第三产业GDP', tick_label=quarter)

File "D:\Users\streamlit可视化\app.py", line 2 data = gpd.read_file('C:\Users\Administrator\可视化动图.qgs') ^ SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape

gpd.read_file()函数具体用法

gpd.read_file()函数用法

gpd.GeoDataFrame

最新资源