# TEE Client

## Introduction

TEE Client provides the API through which an OpenHarmony-side CA (Client Application) accesses the TEE. It also includes the TEE's proxy services, which cooperate with the TEE to implement secure storage, log printing and other functions.

TEE Client includes the following modules:

- libteec.so: Provides the TEE Client API for native applications of HAP applications or system components.
- libteec_vendor.so: Provides the TEE Client API for native applications of chip components.
- cadaemon: Forwards CA requests and authenticates the CA.
- teecd: Acts as a proxy service for the TEE, supporting the TEE's implementation of secure storage and other functions. teecd also supports identity recognition for the CA.
- tlogcat: Supports printing TEE logs.

Figure 1: Architecture diagram of TEE Client

![](figures/tee_client.drawio_en.png)

## Directory

```
base/tee/tee_client
├── frameworks
│   └── libteec_vendor    # libteec_vendor.so library, providing the TEE Client API.
├── interfaces
│   ├── inner_api         # Internal interfaces of this component
│   └── kits              # The libteec.so library and corresponding TEE Client API published to the SDK
└── services
    ├── authentication    # CA identity recognition (reserved function, not yet enabled)
    ├── cadaemon          # Forwards CA requests
    ├── teecd             # TEE proxy services
    └── tlogcat           # TEE log service
```

## Interface Description

The APIs provided by TEE Client to the CA are listed below:

| Name | Description |
| ------------------------------------------------------------ | -------------------- |
| TEEC_InitializeContext (const char *name, TEEC_Context *context) | Initialize the TEE context. |
| TEEC_FinalizeContext (TEEC_Context *context) | Finalize the TEE context. |
| TEEC_OpenSession (TEEC_Context *context, TEEC_Session *session, const TEEC_UUID *destination, uint32_t connectionMethod, const void *connectionData, TEEC_Operation *operation, uint32_t *returnOrigin) | Establish a session with the TEE. |
| TEEC_CloseSession (TEEC_Session *session) | Close the session with the TEE. |
| TEEC_InvokeCommand (TEEC_Session *session, uint32_t commandID, TEEC_Operation *operation, uint32_t *returnOrigin) | Send a command to the TEE. |
| TEEC_RegisterSharedMemory (TEEC_Context *context, TEEC_SharedMemory *sharedMem) | Register shared memory. |
| TEEC_AllocateSharedMemory (TEEC_Context *context, TEEC_SharedMemory *sharedMem) | Allocate shared memory. |
| TEEC_ReleaseSharedMemory (TEEC_SharedMemory *sharedMem) | Release shared memory. |
| TEEC_RequestCancellation (TEEC_Operation *operation) | Cancel the running operation. |

All of the above APIs are specified by the GlobalPlatform TEE standard; see the "[TEE Client API Specification v1.0 (GPD_SPE_007)](https://globalplatform.org/specs-library/?filter-committee=tee)". A small number of implementation details differ from the GlobalPlatform TEE specification, as follows:

1. The ta_path member of the TEEC_Context structure passed to TEEC_OpenSession supports specifying the file path of the TA (limited to the /data directory).

   For example:

   ```
   TEEC_Context context;
   context.ta_path = (uint8_t *)"/data/58dbb3b9-4a0c-42d2-a84d-7c7ab17539fc.sec";
   ```

   If the CA does not use ta_path to specify the TA file path, TEE Client reads the TA file named uuid.sec (where uuid is the TA's real UUID) from the default paths. There are two default paths: "/system/bin" and "/vendor/bin".

2. The connectionMethod input parameter of TEEC_OpenSession only supports TEEC_LOGIN_IDENTIFY.

   For the fourth input parameter of TEEC_OpenSession, connectionMethod, the GP specification defines six login methods. TEE Client adds the type TEEC_LOGIN_IDENTIFY and supports only this type of connectionMethod.

3. The parameters accepted by TEEC_OpenSession are restricted.

   When calling TEEC_OpenSession, params[2] and params[3] of TEEC_Operation are reserved for the system and must not be used by the CA. The CA may only use params[0] and params[1].

## Guidelines for Compilation

The TEE Client component supports separate compilation and debugging. Taking the RK3568 chip as an example, run the following command to compile the TEE Client component:

```
./build.sh --product-name rk3568 --ccache --build-target tee_client
```

Path of the compiled products: out/rk3568/tee/tee_client

The compiled products can be pushed to the device for debugging:

```
hdc file send cadaemon.json /system/profile/
hdc file send cadaemon.cfg /system/etc/init/
hdc file send libteec.so /system/lib/
hdc file send libcadaemon.so /system/lib/
hdc file send tlogcat /system/bin/
hdc file send libteec_vendor.so /vendor/lib/
hdc file send teecd /vendor/bin/
```

## Related code repository

[tee_tzdriver](https://gitee.com/openharmony-sig/tee_tee_tzdriver)
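The following is an added example, not code from the TEE Client project, showing how a CA can check its own TEEC_OpenSession inputs against the deviations listed under Interface Description: it derives the default "uuid.sec" file name that TEE Client looks for under /system/bin and /vendor/bin, confirms that an explicit ta_path stays inside /data, and confirms that params[2] and params[3] are left unused. The TEEC_UUID layout and the TEEC_PARAM_TYPES / TEEC_PARAM_TYPE_GET macros are reproduced locally from the GlobalPlatform TEE Client API so the file compiles offline; a real CA includes the component's tee_client_api.h instead and does not redefine them. The function names prefixed teec_ and the sample UUID values are constructed for this example.

```c
/*
 * Added example (not part of the TEE Client project): CA-side sanity checks
 * for the TEEC_OpenSession deviations documented in this README.
 *
 * The types and macros below are local stand-ins mirroring the GlobalPlatform
 * TEE Client API layout; a real CA includes tee_client_api.h instead.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GP TEE Client API UUID layout (RFC 4122 field order). */
typedef struct {
    uint32_t timeLow;
    uint16_t timeMid;
    uint16_t timeHiAndVersion;
    uint8_t  clockSeqAndNode[8];
} TEEC_UUID;

/* GP parameter type codes used in this example. */
#define TEEC_NONE              0x00000000
#define TEEC_VALUE_INPUT       0x00000001
#define TEEC_MEMREF_TEMP_INPUT 0x00000005
#define TEEC_PARAM_TYPES(p0, p1, p2, p3) \
    (((p0) & 0xF) | (((p1) & 0xF) << 4) | (((p2) & 0xF) << 8) | (((p3) & 0xF) << 12))
#define TEEC_PARAM_TYPE_GET(types, idx) (((types) >> ((idx) * 4)) & 0xF)

/* Format a TEEC_UUID as the dashed lowercase string used in "uuid.sec". */
int teec_uuid_to_string(const TEEC_UUID *u, char *out, size_t len)
{
    return snprintf(out, len,
        "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
        (unsigned)u->timeLow, (unsigned)u->timeMid, (unsigned)u->timeHiAndVersion,
        u->clockSeqAndNode[0], u->clockSeqAndNode[1],
        u->clockSeqAndNode[2], u->clockSeqAndNode[3],
        u->clockSeqAndNode[4], u->clockSeqAndNode[5],
        u->clockSeqAndNode[6], u->clockSeqAndNode[7]);
}

/*
 * Deviation 1: without ta_path, TEE Client looks for "<uuid>.sec" in one of
 * the default directories ("/system/bin" or "/vendor/bin"). Build the
 * candidate path for the given directory. Returns 0 on success, -1 on error.
 */
int teec_default_ta_path(const TEEC_UUID *u, const char *dir, char *out, size_t len)
{
    char uuid[37];
    if (teec_uuid_to_string(u, uuid, sizeof uuid) != 36)
        return -1;
    int n = snprintf(out, len, "%s/%s.sec", dir, uuid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Deviation 1: an explicit ta_path is limited to the /data directory.
 * Reject anything outside it, and any ".." component that could leave it.
 */
bool teec_ta_path_allowed(const char *ta_path)
{
    return ta_path != NULL
        && strncmp(ta_path, "/data/", 6) == 0
        && strstr(ta_path, "..") == NULL;
}

/*
 * Deviation 3: at TEEC_OpenSession, params[2] and params[3] are reserved for
 * the system, so the CA's paramTypes must leave both as TEEC_NONE.
 */
bool teec_open_session_params_allowed(uint32_t paramTypes)
{
    return TEEC_PARAM_TYPE_GET(paramTypes, 2) == TEEC_NONE
        && TEEC_PARAM_TYPE_GET(paramTypes, 3) == TEEC_NONE;
}

int main(void)
{
    /* Constructed from the sample UUID used in this README. */
    TEEC_UUID ta = { 0x58dbb3b9, 0x4a0c, 0x42d2,
                     { 0xa8, 0x4d, 0x7c, 0x7a, 0xb1, 0x75, 0x39, 0xfc } };
    char path[128];

    if (teec_default_ta_path(&ta, "/system/bin", path, sizeof path) == 0)
        printf("default TA path: %s\n", path);

    printf("/data path allowed: %d\n",
           teec_ta_path_allowed("/data/58dbb3b9-4a0c-42d2-a84d-7c7ab17539fc.sec"));
    printf("params[0..1] only allowed: %d\n",
           teec_open_session_params_allowed(
               TEEC_PARAM_TYPES(TEEC_VALUE_INPUT, TEEC_MEMREF_TEMP_INPUT, TEEC_NONE, TEEC_NONE)));
    return 0;
}
```

Run these checks before calling TEEC_OpenSession (after TEEC_InitializeContext, with connectionMethod set to TEEC_LOGIN_IDENTIFY); a failed check means the request would be rejected or would use a reserved slot, so the CA can report the misconfiguration instead of attempting the call.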