ass:laboratoare:03:tasks:02 [2023/07/20 16:09] florin.stancu (current)
==== 02. Writing Trusted Applications ====

In the second part of our lab, it's time to run some Trusted Applications (TAs)!

We will use the official [[https://github.com/linaro-swg/optee_examples|optee_examples]] as starting point.

Two questions arise: how can one compile a TA, and how can it be tested on our board?

== Step 1. Building a TA ==

We can use our workstation / laptop to cross-compile a trusted application!

Read the [[https://optee.readthedocs.io/en/latest/building/gits/optee_examples/optee_examples.html|official instructions here]].

<note>
Note that you must build [[https://optee.readthedocs.io/en/latest/building/gits/optee_client.html#build-instructions|the optee_client first]]. Note that CMake needs to receive the path to the cross compiler's gcc (the ''CROSS_COMPILE'' prefix followed by ''gcc'') via a specific define (command-line argument).

Also set the ''-DCMAKE_INSTALL_PREFIX=...'' cmake flag to some directory in your project's working root and run ''make install'' at the end to copy the final product there. You will need to specify its path later (see below).
</note>

<note>
Both the host app and the TA need to be compiled TOGETHER with the TEE Client Library and the OP-TEE OS exported SDK, respectively.

Make sure to read the examples' documentation to see the make variables to set!
</note>
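The two-stage build above (optee_client into an install prefix, then optee_examples against that prefix and the OP-TEE OS TA dev kit) as a small POSIX shell driver. This is an added example, not part of the lab page or of the OP-TEE projects: the project layout under the working root, the ''aarch64-linux-gnu-'' toolchain prefix, the ''export-ta_arm64'' dev kit path and the choice of ''CROSS_COMPILE'', ''TEEC_EXPORT'' and ''TA_DEV_KIT_DIR'' as the make variables to pass are assumptions for this example; check them against the examples' documentation for your board. The preflight functions fail early with a readable message instead of a cryptic linker or make error when one of the two prerequisites is missing.

```shell
#!/bin/sh
# Added example (not from the lab page or the OP-TEE projects): build driver for
# optee_client + optee_examples. All paths and the toolchain prefix are assumptions.
set -eu

# Does an optee_client install prefix contain what optee_examples links against,
# i.e. the TEE Client API header and libteec?
teec_export_ok() {
    [ -f "$1/include/tee_client_api.h" ] && [ -n "$(ls "$1"/lib/libteec.so* 2>/dev/null)" ]
}

# Does the TA dev kit exported by the OP-TEE OS build look usable? The TA
# Makefile includes mk/ta_dev_kit.mk from it, and the development signing key
# (the insecure default from Step 2) is shipped as keys/default_ta.pem.
ta_dev_kit_ok() {
    [ -f "$1/mk/ta_dev_kit.mk" ] && [ -f "$1/keys/default_ta.pem" ]
}

# Stage 1: configure, build and install optee_client into a prefix.
#   $1 = optee_client source dir, $2 = install prefix, $3 = CROSS_COMPILE prefix
build_optee_client() {
    mkdir -p "$1/build"
    ( cd "$1/build" &&
      cmake -DCMAKE_C_COMPILER="${3}gcc" -DCMAKE_INSTALL_PREFIX="$2" .. &&
      make install )
    teec_export_ok "$2"      # fail loudly if the install did not produce the SDK
}

# Stage 2: build host apps and TAs. The host side picks up libteec from
# TEEC_EXPORT, the TA side picks up the dev kit from TA_DEV_KIT_DIR; the per-TA
# Makefile signs each <uuid>.ta with the dev-kit default key as part of this step.
#   $1 = optee_examples dir, $2 = TEEC_EXPORT, $3 = TA_DEV_KIT_DIR, $4 = CROSS_COMPILE
build_examples() {
    teec_export_ok "$2" || { echo "no optee_client install at $2 (run stage 1 first)" >&2; return 1; }
    ta_dev_kit_ok "$3"  || { echo "no TA dev kit at $3" >&2; return 1; }
    make -C "$1" CROSS_COMPILE="$4" TEEC_EXPORT="$2" TA_DEV_KIT_DIR="$3"
    # List the signed TAs the build produced, one <uuid>.ta per example.
    find "$1" -name '*.ta' -type f
}

# Driver. Run as:  sh build_ta.sh <project-root> [CROSS_COMPILE-prefix]
if [ $# -ge 1 ]; then
    WORK=$1
    CROSS=${2:-aarch64-linux-gnu-}       # assumption: 64-bit Arm Linux toolchain on PATH
    command -v "${CROSS}gcc" >/dev/null || { echo "missing ${CROSS}gcc" >&2; exit 1; }
    build_optee_client "$WORK/optee_client" "$WORK/optee_client_export" "$CROSS"
    build_examples "$WORK/optee_examples" "$WORK/optee_client_export" \
                   "$WORK/optee_os/out/arm/export-ta_arm64" "$CROSS"
fi
```

The dev-kit check deliberately looks for ''keys/default_ta.pem'': its presence is what lets the TA Makefile sign without any extra step (Step 2 below), and it is also the reason the resulting signature proves nothing about who built the TA, since the same key is in every OP-TEE OS checkout.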

== Step 2. Signing the TA ==

Remember the secure boot process?
The Secure OS (OP-TEE) will also verify each TA before being able to load it!

Fortunately, OP-TEE comes with a predefined key pair, used to facilitate development / testing (**warning**: highly insecure, since anybody can retrieve that key from the source repository!).

[[https://optee.readthedocs.io/en/latest/building/trusted_applications.html#signing-of-tas|Read on for the TA signing procedure]]!

Even better: **the TA Makefile automatically signs the .ta** using the development key.
So we won't need to do anything more! Yay...

== Step 3. Testing the TA ==

Our rootfs image already contains the OP-TEE client library.

You just need to copy the cross-compiled binaries to your boot partition.

For this, put U-Boot in USB Mass Storage mode:
<code>
u-boot=> ums mmc 0
</code>

Do not Ctrl+C yet: leave it running and mount the newly appeared USB device in your PC/VM!

After copying the files, boot Linux (you can use the Lab02 boot commands, see Readme.md).

Mount the boot partition and run the TA (you might need to copy it somewhere else and ''chmod +x'' it)!

<note info>
Observe the error: OP-TEE cannot find the ''.ta'' file inside trusted memory or in the REE.

For this, you will need to copy the signed ''<UUID>.ta'' file to ''/lib/optee_armtz/'', as (very badly) documented.
</note>
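The deployment step on the board, as an added POSIX shell example that is not part of the lab page or of OP-TEE: it copies the signed TAs from a staging directory (the mounted boot partition) into ''/lib/optee_armtz/'' and the host apps into a bin directory, fixing the ''chmod +x'' on the way. Before installing a ''.ta'' it checks two things that both produce the "cannot find the TA" symptom described above: the file name must be ''<uuid>.ta'', because the supplicant resolves a TA by its UUID-derived file name, and the file must start with the signed-header magic (bytes ''HSTO'') rather than the raw ELF, i.e. it must be the output of the signing step. The ''/usr/local/bin'' destination for host apps and the ''optee_example_*'' naming of the host binaries are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lab page or OP-TEE): install cross-compiled host
# apps and signed TAs from a staging dir into the places the running system
# looks for them. /lib/optee_armtz/ is where tee-supplicant loads <UUID>.ta from;
# /usr/local/bin for the host apps is an assumption of this example.
set -eu

# "HSTO": the little-endian on-disk form of the signed-TA header magic
# 0x4f545348 that OP-TEE's signing script places in front of every signed TA.
TA_MAGIC=4853544f

# First 4 bytes of a file as lowercase hex without spaces.
file_magic() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Accept a TA file only if (a) it is named <uuid>.ta and (b) it carries the
# signed-header magic, i.e. it is the signed artifact and not the raw ELF.
ta_file_ok() {
    name=$(basename "$1")
    printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.ta$' || return 1
    [ "$(file_magic "$1")" = "$TA_MAGIC" ]
}

# Copy every acceptable *.ta from $1 into $2 (default /lib/optee_armtz).
# Prints the number installed; rejected files are reported on stderr.
install_tas() {
    src=$1; dst=${2:-/lib/optee_armtz}
    mkdir -p "$dst"
    n=0
    for f in "$src"/*.ta; do
        [ -e "$f" ] || continue            # no *.ta at all: the glob stays literal
        if ta_file_ok "$f"; then
            cp "$f" "$dst/" && chmod 0644 "$dst/$(basename "$f")"
            n=$((n + 1))
        else
            echo "skipping $f: not a signed <uuid>.ta" >&2
        fi
    done
    echo "$n"
}

# Copy the host (client) apps from $1 into $2 (default /usr/local/bin) and make
# them executable, since files copied via the boot partition lose the x bit.
install_hosts() {
    src=$1; dst=${2:-/usr/local/bin}
    mkdir -p "$dst"
    n=0
    for f in "$src"/optee_example_*; do
        [ -f "$f" ] || continue
        cp "$f" "$dst/" && chmod 0755 "$dst/$(basename "$f")"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage on the board after mounting the boot partition, e.g.:  sh deploy_ta.sh /mnt/boot
if [ $# -ge 1 ]; then
    echo "installed $(install_tas "$1") TA(s) and $(install_hosts "$1") host app(s)"
fi
```

The magic check is cheap but catches the most common mistake at this step: copying the unsigned ''.elf'' (or a renamed copy of it) into ''/lib/optee_armtz/'', which OP-TEE rejects at load time exactly as if the file were absent.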