Thanks for the answers.
What about memory management? I have been reading through the ARM documentation about TrustZone (it's a pretty slow read for me, so this may take some time), but some of what I've seen with op-tee indicates that it runs out of off-chip DRAM, which seems pretty insecure to me, especially if a (root) user space application can gain access to /dev/mem or /dev/kmem, or if a (malicious) kernel module started poking around where it shouldn't.
How is access to secure RAM managed with op-tee? I am starting to understand a little bit about the NS bit in the ARM Secure Configuration Register, and the (effective) 33 bit address space that provides, but I don't understand how a TrustZone based TEE would protect access to its memory resources. Where could/should I look to learn more?
--wpd