This shows you the differences between two versions of the page.
ass:laboratoare:03:tasks:02 [2023/07/20 14:24] florin.stancu created |
ass:laboratoare:03:tasks:02 [2023/07/20 23:28] (current) florin.stancu |
Line 7: | Line 7: | ||
Two questions arise: how can one compile a TA? + how to test it on our board? | Two questions arise: how can one compile a TA? + how to test it on our board? | ||
- | == Step 1. Building a TA == | + | == Step 5. Not so fast... we forgot about the kernel? == |
+ | |||
+ | If we wish to communicate with OP-TEE from Linux, we need to configure its driver (don't worry, we don't need to recompile the kernel, it's included in ''defconfig'''). | ||
+ | |||
+ | Of course, the intended way to do that is by modifying the Linux Device Tree. | ||
+ | Do it as [[https://elixir.bootlin.com/u-boot/v2023.04/source/doc/device-tree-bindings/firmware/linaro,optee-tz.txt|documented here]] ;) | ||
+ | |||
+ | <note> | ||
+ | In case you need a little reminder, the device tree source code is inside linux's ''arch/arm64/''. | ||
+ | |||
+ | We promised that you won't need to recompile the kernel, you just need to recompile its DTB ;) use: | ||
+ | <code> | ||
+ | make ARCH=... dtbs | ||
+ | </code> | ||
+ | |||
+ | Afterwards, you need to copy the new ''.dtb'' into your ''staging/'' directory and [[:ass:laboratoare:02:tasks:01#task_d_-_fit_image|re-build the Linux FIT]] (e.g., ''linux.itb''). And upload it to your emmc (check out the ''ums'' trick described below!). | ||
+ | </note> | ||
+ | |||
+ | == Step 6. Building a TA == | ||
We can use our workstation / laptop to cross-compile a trusted application! | We can use our workstation / laptop to cross-compile a trusted application! | ||
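Review bot: the DokuWiki markup on the new "Step 5" line reads ''defconfig''' with three closing quotes, which leaves a stray apostrophe in the rendered text; it should be ''defconfig''. The reminder "the device tree source code is inside linux's ''arch/arm64/''" is too coarse to be actionable for students: board DTS files live under arch/arm64/boot/dts/<vendor>/, so name the board's .dts (or at least the vendor subdirectory) that has to be edited before running make ARCH=... dtbs. Finally, "check out the ''ums'' trick described below!" is a forward reference to a later hunk of this same edit (the ums mmc 0 block), so consider linking the anchor of that step rather than relying on reading order.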
Line 14: | Line 32: | ||
<note> | <note> | ||
- | Note that you must build [[https://optee.readthedocs.io/en/latest/building/gits/optee_client.html#build-instructions|the optee_client first]]. | + | Note that you must build [[https://optee.readthedocs.io/en/latest/building/gits/optee_client.html#build-instructions|the optee_client first]]. Note that CMake needs to receive the path to CROSS_COMPILEr's gcc via specific define (argument). |
+ | |||
+ | Also set the ''-DCMAKE_INSTALL_PREFIX=...'' cmake flag to some dir in your project's working root directory and run ''make install'' at the end to copy the final product there. It will be required to specify its path (see below). | ||
</note> | </note> | ||
- | Build both the host app and the . | + | <note> |
+ | Build both the host app and the TA need to be compiled TOGETHER with the TEE Client Library, and the OPTEE OS exported SDK, respectively. | ||
- | == Step 2. Testing the TA == | + | Make sure to read the examples documentation to see the make variables to set! |
+ | </note> | ||
+ | |||
+ | == Step 7. Signing the TA == | ||
+ | |||
+ | Remember the secure boot process? | ||
+ | The Secure OS (OP-TEE) will also verify each TA before being able to load it! | ||
+ | |||
+ | Fortunately, OP-TEE comes with a predefined key pair, used to facilitate development / testing (**warning**: highly insecure since anybody can retrieve that key from the source repository!). | ||
+ | |||
+ | [[https://optee.readthedocs.io/en/latest/building/trusted_applications.html#signing-of-tas|Read on for the TA signing procedure]]! | ||
+ | |||
+ | Even better: **the TA Makefile automatically signs the .ta** using the development key. | ||
+ | So we won't need to do anything more! Yay... | ||
+ | |||
+ | == Step 8. Testing the TA == | ||
Our rootfs image already contains the OP-TEE client library. | Our rootfs image already contains the OP-TEE client library. | ||
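Review bot: the new sentence "Note that CMake needs to receive the path to CROSS_COMPILEr's gcc via specific define (argument)." has a typo (CROSS_COMPILEr) and leaves the actual argument unnamed; since the preceding note already spells out -DCMAKE_INSTALL_PREFIX=..., give the compiler flag in the same form (the standard CMake variable is CMAKE_C_COMPILER, passed as -DCMAKE_C_COMPILER=...) so students do not have to guess. The second note is grammatically broken: "Build both the host app and the TA need to be compiled TOGETHER with the TEE Client Library, and the OPTEE OS exported SDK, respectively." merges the old sentence with the new one; suggested wording: "Both the host app and the TA need to be compiled against the TEE Client Library and the OP-TEE OS exported SDK, respectively." In Step 7, the bold warning that the development key is "highly insecure since anybody can retrieve that key from the source repository" is the right thing to say, but the step then closes with "we won't need to do anything more! Yay...", which reads as if this is the finished state; one sentence stating that a real deployment must sign TAs with its own key (the linked signing documentation covers this) would keep the security point from being undercut.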
Line 26: | Line 62: | ||
For this, put u-boot in USB Mass Storage mode: | For this, put u-boot in USB Mass Storage mode: | ||
- | ``` | + | <code> |
u-boot=> ums mmc 0 | u-boot=> ums mmc 0 | ||
- | ``` | + | </code> |
Do not Ctrl+C yet, leave it running and mount the newly appeared USB device in your PC/VM! | Do not Ctrl+C yet, leave it running and mount the newly appeared USB device in your PC/VM! | ||
- | After copyint the files, boot the Linux (you can use the Lab02 boot commands, see Readme.md). | + | After copying the files, boot the Linux package (you can use the Lab02 boot commands, see Readme.md). |
- | Mount the boot partition and run the TA (you might need to copy it somewhere else and `chmod +x`)! | + | Mount the boot partition and run the TA (you might need to copy it somewhere else and ''chmod +x'')! |
+ | Then execute the program ;) | ||
+ | |||
+ | <note info> | ||
+ | Observe the error: OP-TEE cannot find the ''.ta'' file inside a trusted memory or REE. | ||
+ | |||
+ | For this, you will need to copy the signed ''<UUID>.ta'' file to ''/lib/optee_armtz/'', as (very badly) documented. | ||
+ | </note> | ||
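Review bot: the sequence "run the TA (you might need to copy it somewhere else and ''chmod +x'')!" followed by "Then execute the program ;)" and then "OP-TEE cannot find the ''.ta'' file" conflates two artifacts: what the student executes (and what needs chmod +x) is the host application, while the signed <UUID>.ta is loaded on demand by the TEE supplicant from /lib/optee_armtz/ and never needs the execute bit. Rename the first mention to "run the host application" and say explicitly that the .ta goes into the rootfs, not the boot partition that was just mounted, otherwise students will place the .ta next to the host binary and still hit the error. Also "boot the Linux package" is odd wording in the reworded sentence; "boot Linux" is enough. In the info note, "cannot find the ''.ta'' file inside a trusted memory or REE" is vague; quoting the actual message the host application prints would let students recognise the failure.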