How to build Trusted Applications for the OP-TEE

jaspergerth · ‎05-15-2018

Hi,

I have build the PPA with OP-TEE with the flexbuilder for the LS1012. When the board is booted, running xtest (and before that starting tee-supplicant) results in 0 failed tests so this should work.

But with the TEE running, I would like to start building my own Trusted Applications, but there seems to be no guide on how to do that. I followed the OP-TEE Build Instructions which also results in some examples being build. Copying the generated TA to /lib/optee-armtz/ and running the ``hello_world'' application i get a TEEC_ERROR_SECURITY response.

After some research i think that either the TEE does not know about the default key (building the ppa-optee with the default key removed from the flex builder did not give errors) and/or another key is used by the TEE.

Also i would like to en-/decrypt BLOB's, I know that it is possible under U-Boot but i would like to do this under linux (via a TA?)

TL;DR: How do i build a TA for the TEE build by the flex-builder. And is it possible to generate blobs via a TA?

Thanks in advance!

yipingwang · ‎05-17-2018

Hello Jasper Gerth,

You could refer to source code of optee_test package in ~/flexbuild/packages/apps/optee_test.

Please build optee_os, optee_client first, then build optee_test with the following commands with flex-builder.

$ flex-builder -c optee_os -a arm64

$ flex-builder -c optee_client -a arm64

$ flex-builder -c optee_test -a arm64

Please refer to TA_DEV_KIT_DIR definition in packages/apps/Makefile, which should be specified as the PATH of optee_os(<optee_os path>/out/arm-plat-ls/export-ta_arm64).

TA_DEV_KIT_DIR=$(FBDIR)/packages/apps/optee_os/out/arm-plat-ls/export-ta_arm64/.

You could refer to ~/flexbuild/packages/apps/optee_test/Makefile for TA_DEV_KIT_DIR usage.

   Final CA image and TA image,
   CA: out/xtest/xtest
   TA: out/ta/*/*.ta

Please refer to storage use case source code as an example, please refer to TA source code in optee_test/ta/storage, please refer to please to the following definition in ta/storage/include/ta_storage.h

#define TA_STORAGE_UUID { 0xb689f2a7, 0x8adf, 0x477a, \
{ 0x9f, 0x99, 0x32, 0xe9, 0x0c, 0x0a, 0xd0, 0xa2 } }

Please refer to CA source code host/xtest/regression_6000.c, the value TA_STORAGE_UUID is used to open the session.

* Run Trusted Application

Copy TA image to /lib/optee_armtz/ and CA to root file system.

$ tee-supplicant &
$ xtest -t regression 6000

For en-/decrypt BLOB via TA, please refer to the case optee_test/ta/crypt.

Have a great day,
TIC

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

yipingwang · ‎05-17-2018