文档
我要评分
获取效率
正确性
完整性
易理解
提交关闭

System Architecture

The Kunpeng BoostKit for Confidential Computing TrustZone Kit is a technical solution that consists of hardware (including BIOS and BMC), confidential computing operating environment, patches, application development guides, and application packaging tools. It is not dedicated to specific service functions.

This document does not describe a specific component. Instead, it introduces the TrustZone Kit as a solution. By describing involved components, this document aims to help industry developers learn about the software and hardware entities so that they can quickly deploy and use their own development environment.

Figure 1 Components of the TrustZone Kit

With this kit, Huawei aims to provide a secure platform for developers to deploy their own applications, including client applications (CAs) and trusted applications (TAs). The involved parties include Huawei and the customers. Table 1 describes the components and functions involved in the kit from the perspectives of Huawei and customers respectively.

Table 1 Components of the Kunpeng BoostKit for Confidential Computing TrustZone Kit

Category

Subcategory

Description

Industrial customers

Service applications

According to the TrustZone software development model, a specific service application is divided into a TA and a CA.

  • The TA runs in the TEE.
  • The CA runs in the REE of the host OS.

Linux OS

Linux OS selected and deployed by you. The TEE is not coupled with the guest OS. However, the communication between the CA and TA depends on the communication framework in the REE. Huawei provides the communication framework as an REE patch. To ensure compatibility with the OS, Huawei has open-sourced the REE patch in the openEuler community. You can compile the REE patch on the selected OS on demand.

Huawei deliverables

Secure OS

Huawei-developed TEE OS, which provides an application execution environment in the TEE. It adapts to the multi-CPU and multi-core Kunpeng platform and Kunpeng hardware. Generally, a Kunpeng server that supports the TrustZone function is equipped with the TEE OS in the hardware platform, which can be upgraded.

Hardware firmware

To support the TrustZone feature, the hardware firmware is adapted as follows:

  • BIOS: supports TEE OS decryption, secure boot, and TEE OS configuration.
  • BMC: manages and upgrades the TEE OS.
  • The hardware firmware that supports TrustZone is pre-installed with the hardware in the production line. You need to obtain the latest firmware version.

REE patch

To enable your service CA to communicate with the TA deployed in the TEE, a patch needs to be deployed in the guest OS. The patch includes the user-mode API library, daemon process, and kernel driver.

To meet the requirements for different OSs, Huawei has open-sourced the patch.

SDK

API description, application packaging tools, header files, and demo code are included. Currently, the SDK has been open-sourced.