How to build Trusted Applications for the OP-TEE

jaspergerth
Contributor I

Hi,

I have built the PPA with OP-TEE with the flexbuilder for the LS1012. When the board is booted, running xtest (and before that starting tee-supplicant) results in 0 failed tests, so this should work.

But with the TEE running, I would like to start building my own Trusted Applications, but there seems to be no guide on how to do that. I followed the OP-TEE Build Instructions, which also results in some examples being built. Copying the generated TA to /lib/optee-armtz/ and running the "hello_world" application, I get a TEEC_ERROR_SECURITY response.

After some research I think that either the TEE does not know about the default key (building the ppa-optee with the default key removed from the flex builder did not give errors) and/or another key is used by the TEE.

Also I would like to en-/decrypt BLOBs. I know that it is possible under U-Boot, but I would like to do this under Linux (via a TA?).

TL;DR: How do I build a TA for the TEE built by the flex-builder? And is it possible to generate blobs via a TA?

Thanks in advance!

1 Solution
yipingwang
NXP TechSupport

Hello Jasper Gerth,

You could refer to the source code of the optee_test package in ~/flexbuild/packages/apps/optee_test.

Please build optee_os and optee_client first, then build optee_test with the following flex-builder commands.

$ flex-builder -c optee_os  -a arm64

$ flex-builder -c optee_client  -a arm64

$ flex-builder -c optee_test  -a arm64

Please refer to the TA_DEV_KIT_DIR definition in packages/apps/Makefile, which should be specified as the path of optee_os (<optee_os path>/out/arm-plat-ls/export-ta_arm64).

TA_DEV_KIT_DIR=$(FBDIR)/packages/apps/optee_os/out/arm-plat-ls/export-ta_arm64/.

You could refer to ~/flexbuild/packages/apps/optee_test/Makefile for TA_DEV_KIT_DIR usage.

   Final CA image and TA image,
   CA: out/xtest/xtest
   TA: out/ta/*/*.ta

Please refer to the storage use case source code as an example: see the TA source code in optee_test/ta/storage and the following definition in ta/storage/include/ta_storage.h

#define TA_STORAGE_UUID { 0xb689f2a7, 0x8adf, 0x477a, \
        { 0x9f, 0x99, 0x32, 0xe9, 0x0c, 0x0a, 0xd0, 0xa2 } }

Please refer to the CA source code host/xtest/regression_6000.c, where the value TA_STORAGE_UUID is used to open the session.

* Run Trusted Application

 Copy the TA image to /lib/optee_armtz/ and the CA to the root file system.

 $ tee-supplicant  &
 $ xtest -t regression 6000

To en-/decrypt a BLOB via a TA, please refer to the case optee_test/ta/crypt.


Have a great day,
TIC
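
The TA image that tee-supplicant loads from the TA directory is named `<uuid>.ta`, using the same UUID the CA passes when it opens the session, so it is worth confirming that the macro and the deployed file agree. The following is an added example, not code from this thread or from the NXP or OP-TEE sources: it turns a UUID macro such as TA_STORAGE_UUID into the expected file name and checks that the file is present. The function names and the TA_DIR variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): derive the TA file name from a UUID macro.
TA_DIR=${TA_DIR:-/lib/optee_armtz}   # directory named in the answer above

# Constructed sample input: the macro quoted from ta_storage.h in the answer.
sample_header() {
    cat <<'EOF'
#define TA_STORAGE_UUID { 0xb689f2a7, 0x8adf, 0x477a, \
        { 0x9f, 0x99, 0x32, 0xe9, 0x0c, 0x0a, 0xd0, 0xa2 } }
EOF
}

# ta_file_from_define MACRO < header.h
# Prints "<uuid>.ta" (lowercase, zero-padded); fails if MACRO is absent or
# does not have the 3 + 8 hex fields of a UUID initialiser.
ta_file_from_define() {
    # sed joins backslash-continued lines so awk sees the macro on one line.
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' |
    awk -v m="$1" '
        function pad(s, w) { while (length(s) < w) s = "0" s; return s }
        $1 == "#define" && $2 == m {
            rest = substr($0, index($0, m) + length(m)); n = 0
            while (match(rest, /0x[0-9a-fA-F]+/)) {
                f[++n] = tolower(substr(rest, RSTART + 2, RLENGTH - 2))
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (n != 11) exit
            printf "%s-%s-%s-%s%s-", pad(f[1], 8), pad(f[2], 4), pad(f[3], 4),
                   pad(f[4], 2), pad(f[5], 2)
            for (i = 6; i <= 11; i++) printf "%s", pad(f[i], 2)
            print ".ta"; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# ta_present DIR NAME: true only if DIR/NAME is a regular, non-empty file.
ta_present() { [ -f "$1/$2" ] && [ -s "$1/$2" ]; }

if name=$(sample_header | ta_file_from_define TA_STORAGE_UUID); then
    if ta_present "$TA_DIR" "$name"; then
        echo "found $TA_DIR/$name"
    else
        echo "missing $TA_DIR/$name"
    fi
fi
```

For a real TA, feed the TA's own header to the function, for example `ta_file_from_define TA_STORAGE_UUID < ta/storage/include/ta_storage.h`.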
