Solved
I've come across the chip ID caveat mentioned in the op-tee documentation for secure storage. Are unique chip IDs implemented in ST's branch of the op-tee OS? Also, is TrustZone code itself stored securely at rest, or only the data in secure storage? Th
Full text from op-tee:
Important caveats
Currently no OP-TEE platform is able to support retrieval of the Hardware Unique Key or Chip ID required for secure operation.
For all platforms, a constant key is used, resulting in no protection against decryption, or Secure Storage duplication to other devices.
This is because information about how to retrieve key data from the SoC is considered sensitive by the vendors and it is not freely available.
In OP-TEE, there are APIs for reading the keys generically from "One-Time Programmable" memory, or OTP. But there are no existing platform implementations.
To allow Secure Storage to operate securely on your platform, you must define implementations in your platform code for:
void tee_otp_get_hw_unique_key(struct tee_hw_unique_key *hwkey);
int tee_otp_get_die_id(uint8_t *buffer, size_t len);
These implementations should fetch the key data from your SoC-specific e-fuses, or crypto unit according to the method defined by your SoC vendor.
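As an added illustration of what the two hooks quoted above look like when a platform fills them in (this is example code, not OP-TEE's or ST's own implementation): the OTP word layout, the `platform_otp_read()` helper, the fuse offsets and the die ID length are all constructed for this sketch, and the `void` return on `tee_otp_get_hw_unique_key` follows the prototype quoted in the post. The point a port should not skip is the provisioning check: a blank e-fuse array reads back as all zeros, which silently reproduces the constant-key situation the documentation warns about, so `huk_provisioned()` refuses to treat an all-zero HUK as usable.

```c
/* Added example, not OP-TEE or ST code. The OTP layout, offsets and the
 * platform_otp_read() helper are constructed; a real port reads fuses
 * through the SoC vendor's documented interface instead. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HW_UNIQUE_KEY_LENGTH 16   /* OP-TEE HUK size in bytes */
#define DIE_ID_LENGTH        8    /* constructed: this SoC's die ID width */

struct tee_hw_unique_key {
    uint8_t data[HW_UNIQUE_KEY_LENGTH];
};

/* Constructed stand-in for the e-fuse array (word offsets hypothetical).
 * An unprogrammed fuse word reads as 0. */
#define OTP_HUK_WORD    0
#define OTP_DIE_ID_WORD 4
#define OTP_WORDS       16
static uint32_t g_sim_otp[OTP_WORDS] = {
    0x11223344, 0x55667788, 0x99aabbcc, 0xddeeff00, /* HUK, 4 words */
    0xcafef00d, 0xdeadbeef,                         /* die ID, 2 words */
};

/* Hypothetical vendor read primitive: 0 on success, -1 on bad offset. */
static int platform_otp_read(size_t word, uint32_t *out) {
    if (word >= OTP_WORDS) return -1;
    *out = g_sim_otp[word];
    return 0;
}

/* Simulate a device whose fuses were never programmed (used in main). */
void sim_otp_clear(void) { memset(g_sim_otp, 0, sizeof(g_sim_otp)); }

static int all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Copy n little-endian bytes of OTP starting at word 'first' into out.
 * Byte order is fixed explicitly so it does not depend on the host CPU. */
static int otp_read_bytes(size_t first, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t w;
        if (platform_otp_read(first + i / 4, &w)) return -1;
        out[i] = (uint8_t)(w >> (8 * (i % 4)));
    }
    return 0;
}

/* Hook 1 from the quoted docs. The prototype returns void, so a read
 * failure is signalled by leaving the key all-zero; callers must then
 * reject it via huk_is_valid(). */
void tee_otp_get_hw_unique_key(struct tee_hw_unique_key *hwkey) {
    memset(hwkey->data, 0, sizeof(hwkey->data));
    if (otp_read_bytes(OTP_HUK_WORD, hwkey->data, HW_UNIQUE_KEY_LENGTH))
        memset(hwkey->data, 0, sizeof(hwkey->data));
}

/* An all-zero HUK means blank fuses: every device would share it, which
 * is exactly the constant-key weakness the documentation describes. */
int huk_is_valid(const struct tee_hw_unique_key *hwkey) {
    return !all_zero(hwkey->data, sizeof(hwkey->data));
}

/* Hook 2 from the quoted docs: fill up to DIE_ID_LENGTH bytes, zero-pad
 * any remainder, return 0 on success or -1 if the ID is blank/unreadable. */
int tee_otp_get_die_id(uint8_t *buffer, size_t len) {
    uint8_t id[DIE_ID_LENGTH];
    if (otp_read_bytes(OTP_DIE_ID_WORD, id, DIE_ID_LENGTH)) return -1;
    if (all_zero(id, DIE_ID_LENGTH)) return -1;
    size_t n = len < DIE_ID_LENGTH ? len : DIE_ID_LENGTH;
    memset(buffer, 0, len);
    memcpy(buffer, id, n);
    return 0;
}

/* Provisioning self-check a platform can run before enabling secure
 * storage: returns 1 only when the HUK is non-constant and a die ID exists. */
int huk_provisioned(void) {
    struct tee_hw_unique_key k;
    uint8_t id[DIE_ID_LENGTH];
    tee_otp_get_hw_unique_key(&k);
    return huk_is_valid(&k) && tee_otp_get_die_id(id, sizeof(id)) == 0;
}

/* Byte accessors used by the stand-alone demo (and by tests). */
int huk_byte(size_t i) {
    struct tee_hw_unique_key k;
    tee_otp_get_hw_unique_key(&k);
    return i < HW_UNIQUE_KEY_LENGTH ? k.data[i] : -1;
}
int die_id_byte(size_t len, size_t i) {
    uint8_t buf[32];
    if (len > sizeof(buf) || i >= len) return -1;
    if (tee_otp_get_die_id(buf, len)) return -1;
    return buf[i];
}

int main(void) {
    printf("provisioned: %d, huk[0]=0x%02x, die[0]=0x%02x\n",
           huk_provisioned(), huk_byte(0), die_id_byte(8, 0));
    sim_otp_clear();
    printf("after clearing fuses, provisioned: %d\n", huk_provisioned());
    return 0;
}
```

Run as written, the first line reports the constructed HUK and die ID as provisioned; after `sim_otp_clear()` the same hooks return a zero key and a failed die ID read, and `huk_provisioned()` reports 0, which is the state a port should detect rather than silently fall back to a shared key.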