In the second part of our lab, it's time to run some Trusted Applications (TAs)!
We will use the official optee_examples as starting point.
Two questions arise: how can one compile a TA? + how to test it on our board?
If we wish to communicate with OP-TEE from Linux, we need to configure its driver (don't worry, we don't need to recompile the kernel, it's included in defconfig').
Of course, the intended way to do that is by modifying the Linux Device Tree. Do it as documented here ;)
arch/arm64/.
We promised that you won't need to recompile the kernel, you just need to recompile its DTB ;) use:
make ARCH=... dtbs
Oh, and re-enable Buildroot if disabled for the previous lab (you backed up your ITS file, hopefully).
Then enter its menuconfig and search for PACKAGE_OPTEE_CLIENT. Enable it and rebuild your rootfs!
Afterwards, you need to copy the new .dtb into your staging/ directory and re-build the Linux FIT (e.g., linux.itb). And upload it to your emmc (use u-boot's ums and simply copy the file on the FAT32 boot partition).
We can use our workstation / laptop to cross-compile a trusted application!
Read the official instructions here.
Build both the host app and the Trusted Application need to be compiled TOGETHER with the TEE Client Library, and the OPTEE OS exported SDK, respectively.
Make sure to read the examples documentation to see the make variables to set!
But, since we're using Buildroot and have enabled it, you can find it already compiled for the target system at <buildroot-dir>/output/build/optee-client-<version>.
Touugh we need to give a TEEC_EXPORT install path when invoking the TA makefile… Use find for tee_client_api.h and see where it's found (hint: sysroot)!
TA_DEV_KIT_DIR of a Trusted Application, it must point to an SDK generated inside BL32 (optee_os) source directory (something like export-ta…'.
Also note that for building Buildroot-targeted applications, your classic aarch64-none-gnu- toolchain won't work since Buildroot uses custom ucLibC by default. But, fortunately, you may find the cross compilation prefix at <buildroot-dir>/output/host/bin/aarch64-buildroot-linux-gnu- (see the difference?)!
Remember the secure boot process? The Secure OS (OP-TEE) will also verify each TA before being able to load it!
Fortunately, OP-TEE comes with a predefined key pair, used to facilitate development / testing (warning: highly insecure since anybody can retrieve that key from the source repository!).
Read on for the TA signing procedure!
Even better: the TA Makefile automatically signs the .ta using the development key. So we won't need to do anything more! Yay…
Our rootfs image already contains the OP-TEE client library.
You just need to copy to the cross-compiled binaries to your boot partition.
For this, put u-boot in USB Mass Storage mode:
u-boot=> ums mmc 0
Do not Ctrl+C yet, leave it running and mount the newly appeared USB device in your PC/VM!
After copying the files, boot Linux.
Now check if tee-supplicant is running… let's mount devtmpfs then start it:
mount -t devtmpfs devtmpfs /dev tee-supplicant -d
Mount the boot partition and run the TA (you might need to copy it somewhere else and chmod +x)!
Then execute the program ;)
.ta file inside a trusted memory or REE.
For this, you will need to copy the signed <UUID>.ta file to /lib/optee_armtz/ (create it if it doesn't exist), as (very badly) documented.