ass:laboratoare:03:tasks:02

02. Writing Trusted Applications

In the second part of our lab, it's time to run some Trusted Applications (TAs)!

We will use the official optee_examples as starting point.

Two questions arise: how can one compile a TA? + how to test it on our board?

Step 5. Not so fast... we forgot about the kernel?

If we wish to communicate with OP-TEE from Linux, we need to configure its driver (don't worry, we don't need to recompile the kernel, it's included in defconfig').

Of course, the intended way to do that is by modifying the Linux Device Tree. Do it as documented here ;)

In case you need a little reminder, the device tree source code is inside linux's arch/arm64/.

We promised that you won't need to recompile the kernel, you just need to recompile its DTB ;) use:

make ARCH=... dtbs

Afterwards, you need to copy the new .dtb into your staging/ directory and re-build the Linux FIT (e.g., linux.itb). And upload it to your emmc (check out the ums trick described below!).

Step 6. Building a TA

We can use our workstation / laptop to cross-compile a trusted application!

Read the official instructions here.

Note that you must build the optee_client first. Note that CMake needs to receive the path to CROSS_COMPILEr's gcc via specific define (argument).

Also set the -DCMAKE_INSTALL_PREFIX=… cmake flag to some dir in your project's working root directory and run make install at the end to copy the final product there. It will be required to specify its path (see below).

Build both the host app and the TA need to be compiled TOGETHER with the TEE Client Library, and the OPTEE OS exported SDK, respectively.

Make sure to read the examples documentation to see the make variables to set!

Step 7. Signing the TA

Remember the secure boot process? The Secure OS (OP-TEE) will also verify each TA before being able to load it!

Fortunately, OP-TEE comes with a predefined key pair, used to facilitate development / testing (warning: highly insecure since anybody can retrieve that key from the source repository!).

Read on for the TA signing procedure!

Even better: the TA Makefile automatically signs the .ta using the development key. So we won't need to do anything more! Yay…

Step 8. Testing the TA

Our rootfs image already contains the OP-TEE client library.

You just need to copy to the cross-compiled binaries to your boot partition.

For this, put u-boot in USB Mass Storage mode:

u-boot=> ums mmc 0

Do not Ctrl+C yet, leave it running and mount the newly appeared USB device in your PC/VM!

After copying the files, boot the Linux package (you can use the Lab02 boot commands, see Readme.md).

Mount the boot partition and run the TA (you might need to copy it somewhere else and chmod +x)! Then execute the program ;)

Observe the error: OP-TEE cannot find the .ta file inside a trusted memory or REE.

For this, you will need to copy the signed <UUID>.ta file to /lib/optee_armtz/, as (very badly) documented.