In the second part of our lab, it's time to run some Trusted Applications (TAs)!
We will use the official optee_examples as starting point.
Two questions arise: how do we compile a TA, and how do we test it on our board?
If we wish to communicate with OP-TEE from Linux, we need to configure its driver (don't worry, we don't need to recompile the kernel: the driver is already enabled in the defconfig).
Of course, the intended way to do that is by modifying the Linux Device Tree (the sources live under arch/arm64/). Do it as documented here ;)
We promised that you wouldn't need to recompile the kernel: you just need to rebuild its DTB ;) Use:
make ARCH=... dtbs
Afterwards, copy the new .dtb into your staging/ directory and re-build the Linux FIT (e.g., linux.itb). Then upload it to your eMMC (check out the ums trick described below!).
We can use our workstation / laptop to cross-compile a trusted application!
Read the official instructions here.
Also set the -DCMAKE_INSTALL_PREFIX=… cmake flag to some directory under your project's working root and run make install at the end to copy the final product there. You will need to specify its path later (see below).
Make sure to read the examples documentation to see the make variables to set!
Remember the secure boot process? The Secure OS (OP-TEE) also verifies each TA's signature before it will load it!
Fortunately, OP-TEE comes with a predefined key pair used to facilitate development / testing (warning: highly insecure, since anybody can retrieve that key from the source repository!).
Read on for the TA signing procedure!
Even better: the TA Makefile automatically signs the .ta using the development key. So we won't need to do anything more! Yay…
Our rootfs image already contains the OP-TEE client library.
You just need to copy the cross-compiled binaries to your boot partition.
For this, put u-boot in USB Mass Storage mode:
u-boot=> ums mmc 0
Do not Ctrl+C yet, leave it running and mount the newly appeared USB device in your PC/VM!
After copying the files, boot the Linux package (you can use the Lab02 boot commands, see Readme.md).
Mount the boot partition and run the TA's host program (you might need to copy it somewhere else and chmod +x it) ;)
OP-TEE also needs to find the .ta file, inside a trusted memory or the REE. For this, you will need to copy the signed <UUID>.ta file to /lib/optee_armtz/, as (very badly) documented.