# Develop trusted and client applications

You can develop and run trusted and client applications using default files in the global platform interfaces. The trusted applications run in a secure Trusted Execution Environment (TEE) to keep the code and data integrity. Where as the client applications operate in the normal OS, using TEE client APIs to perform secure services.

This feature is available to licensed users with authorized access to develop and execute trusted applications and client applications. If you have access, see [Qualcomm Linux Security Guide - Addendum](https://docs.qualcomm.com/bundle/resource/topics/80-70020-11A/develop.html).

For developing applications that offer hardware-based attestation, zero-touch device provisioning, and chipset feature management, see [Qualcomm Linux Wireless Edge Services Guide](https://docs.qualcomm.com/bundle/resource/topics/80-70020-11B/overview.html). This feature is available to licensed users with authorized access.

## Security APIs

The security APIs offer the ability to interface with the Linux kernel and the device hardware. They also facilitate various software services that can be run in a trusted execution environment.

**User space APIs**

The user space APIs are the functions that the Linux OS accesses to interact with the kernel.

This feature is available to licensed developers with authorized access.
If you have access, see [Qualcomm Linux Security Guide - Addendum](https://docs.qualcomm.com/bundle/resource/topics/80-70020-11A/user-space-apis.html).

**Interfaces exposed for PKCS#11**

See [Cryptographic Token Interface Usage Guide](http://docs.oasis-open.org/pkcs11/pkcs11-ug/v2.40/pkcs11-ug-v2.40.html)
and [Cryptographic Token Interface Base Specification](http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html).

**Kernel APIs**

The kernel APIs are the functions that allow the Qualcomm Linux software
to interact with the device hardware.

**Cryptographic APIs**

The `qcrypto.ko` driver is on the device at `/lib/modules/<version>/kernel/drivers/crypto/qce`. Both kernel-level and user-level APIs can access the crypto engine. For the APIs, see the
kernel crypto documentation at [Index of crypto documentation](https://www.kernel.org/doc/Documentation/crypto/).

The following cryptographic algorithms are supported:

- RFC 4309 (CCCM (AES))
- CCM (AES)
- Authenc (HMAC (SHA-256), CBC (AES))
- Authenc (HMAC (SHA-256), CBC (DES3\_EDE))
- Authenc (HMAC (SHA-256), CBC (DES))
- Authenc (HMAC (SHA-1), CBC (DES3\_EDE))
- Authenc (HMAC (SHA-1), CBC (DES))
- HMAC (SHA-256)
- HMAC (SHA-1)
- SHA-256
- SHA-1
- CBC (DES3\_EDE)
- ECB (DES3\_EDE)
- CBC (DES)
- ECB (DES)
- XTS (AES)
- CTR (AES)
- CBC (AES)
- ECB (AES)

For more information about the Qualcomm crypto core, see [Cryptography](https://docs.qualcomm.com/doc/80-70020-11/topic/features.html#section-cryptography-features).

For more information, see [Kernel.org ➝ Crypto API](https://www.kernel.org/doc/html/v6.6/crypto/index.html).

**Hardware random generator APIs**

Qualcomm Linux supports a true random number generator using the `qcom-rng` Linux driver. The random number generated from `qcom-rng` uses kernel crypto for the random number generator API.

In the user space, a random number can be accessed at `/dev/hwrng`. For more information about the hardware random number generator, see the kernel documentation at [Linux support for random number generator in i8xx chipsets](https://www.kernel.org/doc/Documentation/hw_random.txt).

For PRNG APIs, see [Qualcomm Linux Security Guide - Addendum](https://docs.qualcomm.com/bundle/resource/topics/80-70020-11A/prng-apis.html). This feature is available to licensed developers with authorized access.

**Qualcomm TEE APIs**

Qualcomm TEE provides a collection of APIs that offer services to secure applications. These services include heap management, logging, secure file system access, listener interactions, and cryptography and hashing functions.

This feature is available to licensed developers with authorized access. If you have access, see [Qualcomm Linux Security Guide - Addendum](https://docs.qualcomm.com/bundle/resource/topics/80-70020-11A/trusted-execution-environment-apis.html).

## Use security services examples

To run security services, sample code and examples to load client and trusted applications using different interfaces are available to licensed users with authorized access. If you have access, see [Qualcomm Linux Security Guide - Addendum](https://docs.qualcomm.com/bundle/resource/topics/80-70020-11A/examples.html).

## See also

- To initialize and configure the hardware for running securely on Linux, see [Verify security configurations](https://docs.qualcomm.com/doc/80-70020-11/topic/bring-up.html#bring-up).
- To configure Qualcomm TEE for securing devices that handle sensitive data and run trusted applications, see [Configure security services](https://docs.qualcomm.com/doc/80-70020-11/topic/configure.html#configure).
- To customize memory and SEPolicy, see [Customize secuity services](https://docs.qualcomm.com/doc/80-70020-11/topic/customize.html#customize).

Last Published: Apr 14, 2026

[Previous Topic
Debug Qualcomm TEE and secure devices](https://docs.qualcomm.com/bundle/publicresource/80-70020-11/topics/debug.md) [Next Topic
References](https://docs.qualcomm.com/bundle/publicresource/80-70020-11/topics/references.md)