Introduction
With Kinibi-610a, we at Trustonic have introduced many under-the-hood improvements that enable deeper integrations and improve support for the solution’s evolving use cases. In this first part of a series of blog posts, we will highlight the key changes of Kinibi-610a for the benefit of Trusted Application (TA) developers. Part Two will further explain the deeper system changes relevant to System on Chip integrators.
In the mobile market, we continue to follow Android requirements to support FF-A v1.1, more cryptographic options like paddings, removed HIDL interfaces, and Linux 16KB page granules. Trustonic is currently aligned with the latest version of Android (15), Linux (6.6), QNX (8.0), TF-A (2.10), Clang (16.0.0), GCC (10.3), and QEMU (8.1). We have improved the performance of SHA1, SHA256, as well as AES-GCM and the Secure Filesystem (SFS).
Cryptography
We have added a new sample HelloWorld, or Hello Secure World! Another new sample called BenchGP helps us to benchmark our Trusted Execution Environment’s cryptographic performance on various platforms.
Kinibi-610a evolves together with the GlobalPlatform Standard and extends the list of supported crypto algorithms to be aligned with what will be GP Internal API 1.4:
– New symmetric encryption: Chacha
– New message authentication codes: Poly1305
– New authenticated encryption: Chacha with Poly1305.
In addition, Kinibi-610a supports:
– New hash function: Whirlpool
Multi-threading for Trusted Applications
Kinibi has always supported multi-threading. Since Kinibi-500, SMP has been supported, and the TEE can use multiple cores at the same time. Secure Drivers can use the DrApi thread APIs.
With Kinibi-610a, we have enabled Trusted Applications to use multi-threading and SMP. TAs and Drivers can use the standard thread APIs. For example, in your TA_InvokeCommandEntryPoint, you can pthread_create() a child thread, have it work for you, and wait to finish using pthread_join().
To synchronize between threads, TA developers can use pthread_mutex_lock, timedlock, trylock, as well as pthread_cond_wait, timedwait, signal and broadcast.
Fingerprint algorithms must run inside the TEE to avoid fingerprints leaking.
Modern fingerprint algorithms require the power of multi-core, and hence multi-core in the TEE, and are now available with pthreads.
C library
Kinibi-610a brings the support of 32 commonly used libc functions, like malloc, memcpy, fopen, strnlen, rand and qsort. These can be used by TA developers who want to include other standard libraries in their TAs, which often depend on the availability of these functions. As a result, this reduces the integration time of, for example, OpenSSL or OpenCV into a TA.
By default, only the GlobalPlatform API is enabled.
To enable libc and open-source enrichment, TA developers need to activate it in the makefile.
Simplified support and integration
In this blog post, we’ve outlined a number of new TA developer-focused features supported in Kinibi-610a, the 2024 version of Trustonic’s TEE. With Kinibi-610a, OEMs can be assured that they have the support for the latest Android requirements, and access to the latest cryptography. The integration of software libraries, be they based on parallel computing or open source, is simplified with the support of pthreads and libc. In the second part of the blog series, we will go deeper into the “under-the-hood” changes that come with Kinibi-610a.
