Trusted Application for secure off-chain data storage
Note
This is based on the OP-TEE Sample Application secure storage example.
| Application name | UUID |
|---|---|
| off_chain_secure_storage | e3ae8c32-5fc1-42e4-b476-b35fe3f8f07d |
This project implements a secure off-chain data storage solution using OP-TEE (Open Portable Trusted Execution Environment) for IoT sensor data management. The system's main purpose is to store sensitive data off-chain while maintaining blockchain-level integrity and auditability through cryptographic hashing.
```
off_chain_secure_storage/
├── docs/                           # Documentation files
│
├── host/                           # Client Application (Normal World)
│   ├── main.c                      # Main CLI application
│   └── Makefile
│
├── iot-json/                       # Sample IoT data files
│
├── ta/                             # Trusted Application (Secure World)
│   ├── include/
│   │   ├── crypto_operations.h     # Functions and macros for cryptography
│   │   └── secure_storage_ta.h     # TA header file
│   │
│   ├── crypto_operations.c         # Main TA implementation
│   ├── secure_storage_ta.c         # Main TA implementation
│   ├── Makefile
│   ├── user_ta_header_defines.h    # TA configuration
│   └── sub.mk
│
├── Android.mk
├── CMakeLists.txt
├── LICENSE
├── Makefile
└── README.md
```

```
┌─────────────────────────────────────────────────────────┐
│                      Normal World                       │
│  ┌───────────────────────────────────────────────────┐  │
│  │              Client Application (CA)              │  │
│  │  • Command parsing                                │  │
│  │  • TEE Client API calls                           │  │
│  │  • User interface                                 │  │
│  └───────────────────────────────────────────────────┘  │
│                            │                            │
│                     TEE Client API                      │
│                            │                            │
└────────────────────────────┼────────────────────────────┘
                             │ TrustZone Boundary
┌────────────────────────────┼────────────────────────────┐
│                      Secure World                       │
│  ┌───────────────────────────────────────────────────┐  │
│  │             Trusted Application (TA)              │  │
│  │  • JSON data encryption/decryption                │  │
│  │  • SHA-256 hash computation                       │  │
│  │  • RSA key management                             │  │
│  │  • Persistent storage access                      │  │
│  │  • Digital attestation                            │  │
│  └───────────────────────────────────────────────────┘  │
│  ┌───────────────────────────────────────────────────┐  │
│  │                OP-TEE OS Services                 │  │
│  │  • Secure storage                                 │  │
│  │  • Cryptographic operations                       │  │
│  │  • Memory management                              │  │
│  └───────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘
```
Trusted Application (TA) - Runs in OP-TEE Secure World:
- Secure data storage and retrieval
- Cryptographic operations (SHA-256 hashing)
- Key management and encryption
- Attestation services
Client Application (CA) - Runs in Normal World:
- Command-line interface for user interactions
- Communication bridge to TA
QEMU Emulation Environment - ARM TrustZone simulation for development:
- Secure and Normal World isolation
The application provides the following commands:
- Store JSON File

  ```bash
  ./off_chain_secure_storage store <iot_device_id> <json_data>
  ```

  Purpose: Securely store IoT sensor data with device identification

  Response: Returns the file ID (SHA-256 hash of contents)

  Example:

  ```bash
  ./off_chain_secure_storage store FARM001 '{"temperature": 24.5, "humidity": 65.2}'
  ```

- Retrieve JSON File

  ```bash
  ./off_chain_secure_storage retrieve <json_hash>
  ```

  Purpose: Retrieve stored data using its SHA-256 hash

  Response: Returns the decrypted JSON file contents

  Example:

  ```bash
  ./off_chain_secure_storage retrieve 'a1b2c3d4e5f6789...'
  ```

- Get File Hash

  ```bash
  ./off_chain_secure_storage hash <json_data>
  ```

  Purpose: Generate SHA-256 hash without storing the file

  Response: Returns cryptographic hash for blockchain anchoring

  Example:

  ```bash
  ./off_chain_secure_storage hash '{"sensor_id": "ENV001", "reading": 42}'
  ```

- Get Digital Attestation

  ```bash
  ./off_chain_secure_storage attest
  ```

  Purpose: Obtain cryptographic proof of TA authenticity

  Response: Returns RSA-PSS signature of TA UUID

- Get Public Key

  ```bash
  ./off_chain_secure_storage public-key
  ```

  Purpose: Extract TA's public key for signature verification

  Response: Returns RSA-2048 public key components
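
Because the file ID is a SHA-256 hash of the contents, anyone holding the anchored hash can check a retrieved record independently of the TA. The following is an added example of that check, not code from this project; it assumes the file ID is the hex SHA-256 of the JSON bytes exactly as passed to `store` (the README does not say whether the device ID is included), and `json_id`, `is_sha256_hex` and `verify_record` are hypothetical helper names.

```bash
#!/bin/sh
# Added example: auditor-side integrity check for content-addressed records.
# ASSUMPTION: file ID = hex SHA-256 of the JSON bytes exactly as given to `store`.

# Hex SHA-256 of the exact bytes of $1 (printf avoids echo's trailing newline).
json_id() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Succeeds only if $1 is a well-formed SHA-256 hex digest (64 hex characters).
is_sha256_hex() {
    case "$1" in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# verify_record <anchored_hash> <retrieved_json>
# Returns 0 when the retrieved bytes hash to the anchored value, 1 on mismatch,
# 2 when the anchored value is not a well-formed digest.
verify_record() {
    is_sha256_hex "$1" || return 2
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # compare case-insensitively
    actual=$(json_id "$2")
    [ "$expected" = "$actual" ]
}

# Constructed sample data: the same reading, serialized two different ways.
sample='{"temperature": 24.5, "humidity": 65.2}'
reformatted='{"temperature":24.5,"humidity":65.2}'

demo() {
    anchored=$(json_id "$sample")
    verify_record "$anchored" "$sample"      && echo "original bytes: match"
    # The digest covers bytes, not parsed JSON, so re-serializing breaks the match.
    verify_record "$anchored" "$reformatted" || echo "re-serialized JSON: mismatch"
}
demo
```

Under that assumption, the value anchored on-chain and the value passed to `store` must be the same serialization, byte for byte.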
```bash
export OPTEE_DIR=~/optee

# Create OP-TEE directory and initialize repository
mkdir $OPTEE_DIR && cd $OPTEE_DIR
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml
repo sync

# Build OP-TEE system
cd $OPTEE_DIR/build
make toolchains
make --jobs=$(nproc)

# Clone this project
cd $OPTEE_DIR/optee_examples
git clone https://github.com/joelvaz0x01/off-chain-secure-storage.git off_chain_secure_storage

# Rebuild OP-TEE with the new project
cd $OPTEE_DIR/build
make --jobs=$(nproc)
```

Execute the following commands to run OP-TEE in QEMU:

```bash
cd $OPTEE_DIR/build
make run-only
```

Then follow these steps:
- Press `c` or `cont` to start the QEMU emulation
- Log in as `root` in the `Normal World` console
Now you can run the off_chain_secure_storage command in the QEMU terminal:
```
/usr/bin/off_chain_secure_storage <command>

Commands:
  store <iot_device_id> <json_data> - Store JSON data for a given IoT device ID
  retrieve <json_hash> - Retrieve JSON data for a given hash
  hash <json_data> - Get SHA256 hash of a given JSON data
  attest - Get attestation data of the TA
  public-key - Get public key of the TA
```
To build the documentation, you will need to install Python and run the following commands:

```bash
# Create and activate a Python virtual environment
cd $OPTEE_DIR/optee_examples/off_chain_secure_storage
python -m venv .venv
source .venv/bin/activate

# Build documentation
pip install -r docs/requirements.txt
sphinx-build -b html docs/ docs/_build/html
```

The documentation will be generated in the `docs/_build/html` directory. You can open the `index.html` file in a web browser to view it or consult the online documentation.
- OP-TEE Documentation - Official OP-TEE development guide
- TEE Internal Core API Specifications - Trusted application specifications
- TEE Client API Specification - Client application specifications