(16 intermediate revisions by 4 users not shown) |
Line 1: |
Line 1: |
| {{ApplicableFor | | {{ApplicableFor |
| |MPUs list=STM32MP13x, STM32MP15x, STM32MP25x | | |MPUs list=STM32MP13x, STM32MP15x, STM32MP21x, STM32MP23x, STM32MP25x |
| |MPUs checklist=STM32MP13x, STM32MP15x, STM32MP25x | | |MPUs checklist=STM32MP13x, STM32MP15x, STM32MP21x, STM32MP23x, STM32MP25x |
| }} | | }} |
| <noinclude></noinclude> | | <noinclude></noinclude> |
|
| |
|
| == Purpose ==
| | This article is a placeholder for the previous article "How to configure OP-TEE", which has been split into several pieces: |
| This article describes the configuration and process used for building several OP-TEE components from sources and deploying them on the target.<br> | | * [[STM32_MPU_OP-TEE_overview|STM32MPU OP-TEE Overview]] presents how OP-TEE is used in STM32MPU releases. |
| | * [[STM32MPU_OP-TEE_profiles|STM32MPU OP-TEE Profiles]] presents the services that are embedded in OP-TEE (Cortex-A secure world) upon its configuration and exposed to the operating system (Cortex-A normal/non-secure world). |
| | * [[OP-TEE_configuration_switches|OP-TEE Configuration Switches]] gives more details on many of the OP-TEE configuration switches. |
| | * [[How_to_build_OP-TEE_components|How to build OP-TEE components]] details how to rebuild OP-TEE OS and the other OP-TEE components and deploy them on target. This article covers most of the information previously found in "How to configure OP-TEE". |
|
| |
|
| The build example is based on the OpenSTLinux [[STM32MPU_Developer_Package|Developer Package]] or [[STM32MPU_Distribution_Package|Distribution Package]], and also presents build instructions for a bare environment. | | The availability of the services embedded in OP-TEE configuration depends on the OS configuration (the several '''CFG_xxx{{=}}...''' switches) and on the device tree (DT) provided to OP-TEE image, currently built within the OP-TEE image. |
| | |
| == Overview ==
| |
| OP-TEE is a trusted execution environment for Arm<sup>®</sup>v7-A and Arm<sup>®</sup>v8-A platforms.
| |
| OP-TEE is made of several components described in [[OP-TEE_overview#Architecture|OP-TEE architecture overview]].<br>
| |
| | |
| OP-TEE components generate boot images and files stored in the filesystem embedded in the target.
| |
| | |
| * OP-TEE OS generates 3 boot image files to be loaded in the platform boot media, in the predefined partitions. The generated boot images include a [[STM32_header_for_binary_files|STM32 binary header]] enabling the use of the authenticated boot and flash programming facilities.
| |
| | |
| * OP-TEE client (package optee_client) can be built to generate non-secure services for the OP-TEE OS. The files generated from optee_client build are stored in the embedded filesystem.
| |
| | |
| * OP-TEE project releases other packages intended for test and demonstration. These can be built and embedded in the target filesystem. Building optee_examples and optee_test generates client and trusted applications together with libraries which are all stored in the target filesystem. Note the OP-TEE Linux driver is built into the Linux kernel image and is part of the OP-TEE ecosystem.
| |
| | |
| OP-TEE can be embedded as BL32 in the STM32 MPU platforms for the ST trusted configuration.<br>
| |
| | |
| {{Warning | OP-TEE boot images must be embedded in the [[How to configure TF-A FIP|FIP binary]] that is loaded by BL2 and can be automatically authenticated}}
| |
| | |
| == OP-TEE core configuration ==
| |
| {|
| |
| |-
| |
| ! OP-TEE services !! {{MicroprocessorDevice | device=13}} !! {{MicroprocessorDevice | device=15}} <br/> (OP-TEE in [[SYSRAM_internal_memory|SYSRAM]]) !! {{MicroprocessorDevice | device=15}}<br/> (OP-TEE in DDR) !! {{MicroprocessorDevice | device=25}}
| |
| |-
| |
| | [[#SCMI services table | SCMI services]] || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | [[#PSCI services table | PSCI services]]|| ✓ || ✓ || ✓ || N.A
| |
| |-
| |
| | [[OP-TEE_Calibration_PTA_overview|Oscillator calibration service]] || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | [[RNG internal peripheral | Random generation service]] || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | [[PWR_internal_peripheral | Wakeup source management]] || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | [[Power_overview|Power Domain service]] || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | [[OP-TEE_OTP_overview|OTP access services]] || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | [[OP-TEE_OTP_overview|NVMEM provisioning services]] || ✓ || ✓ || || ✓
| |
| |-
| |
| | [[How to develop an OP-TEE Trusted Application|User Trusted application support]] || ✓ || ✓ || || ✓
| |
| |-
| |
| | Trustworthiness of secure services || ✓ || ✓ || || ✓
| |
| |-
| |
| | OPP request management || ✓ || || || ✓
| |
| |-
| |
| | [[How to protect the coprocessor firmware | Remote proc services]] || || ✓ || || ✓
| |
| |}
| |
| | |
| === SCMI services ===
| |
| {|
| |
| |-
| |
| ! <span id="SCMI services table">SCMI services</span> !! {{MicroprocessorDevice | device=13}} !! {{MicroprocessorDevice | device=15}} <br/> (OP-TEE in [[SYSRAM_internal_memory|SYSRAM]]) !! {{MicroprocessorDevice | device=15}} <br/> (OP-TEE in DDR) !! {{MicroprocessorDevice | device=25}}
| |
| |-
| |
| | Clock management || ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | Reset management|| ✓ || ✓ || ✓ || ✓
| |
| |-
| |
| | Performance management|| ✓ || || || ✓
| |
| |-
| |
| | Regulator management|| ✓ || ✓ || ✓ || ✓
| |
| |}
| |
| | |
| === PSCI services ===
| |
| | |
| {|
| |
| |-
| |
| ! <span id="PSCI services table">PSCI services</span> !! {{MicroprocessorDevice | device=13}} !!{{MicroprocessorDevice | device=15}} <br/> (OP-TEE in [[SYSRAM_internal_memory|SYSRAM]]) !! {{MicroprocessorDevice | device=15}} <br/> (OP-TEE in DDR) !! {{MicroprocessorDevice | device=25}}
| |
| |-
| |
| | System reset || ✓ || ✓ || ✓ || N.A
| |
| |-
| |
| | CPU hotplug || ✓ || ✓ || ✓ || N.A
| |
| |-
| |
| | Low power || ✓ || ✓ || ✓ || N.A
| |
| |}
| |
| | |
| {{Info| On {{MicroprocessorDevice | device=25}}, the PSCI services are handled by secure monitor level firmware that is TF-A/BL31}}
| |
| | |
| ==={{MicroprocessorDevice | device=13}} ===
| |
| OP-TEE OS is loaded in DDR. Thanks to [[DDRMCE_internal_peripheral|DDRMCE]], the DDR area is encrypted.
| |
| | |
| === {{MicroprocessorDevice | device=15}} ===
| |
| {{Warning | '''Enabling OP-TEE secure services in {{MicroprocessorDevice | device=15}} for {{EcosystemRelease | revision=5.0.0 | range=and after}}'''<BR>
| |
| Before {{EcosystemRelease | revision=5.0.0}}, the default configuration of OP-TEE for {{MicroprocessorDevice | device=15}} builds OP-TEE so that the firmware and the Trusted Applications execute in secure [[SYSRAM_internal_memory|SYSRAM internal secure memory]].<br/>
| |
| With {{EcosystemRelease | revision=5.0.0 | range=and after}}, the default configuration of OP-TEE OS for {{MicroprocessorDevice | device=15}} loads it in DDR, relieving it from the hardware constraints of running in the secure [[SYSRAM_internal_memory|SYSRAM]]. Because the DDR is not encrypted, OP-TEE cannot enforce trustworthiness of its secure services. Therefore this default configuration disables OP-TEE support for Trusted Applications and secure services. This default configuration only embeds support for power management and system services.<br/>
| |
| <br/>
| |
| | |
| From {{EcosystemRelease | revision=5.0.0}}, for OP-TEE on {{MicroprocessorDevice | device=15}}, one can re-enable OP-TEE secure services
| |
| by changing the components build configuration switches so that OP-TEE executes in the secure [[SYSRAM_internal_memory|SYSRAM]], refer to [[#Details on build directives | Details on build directives]].
| |
| }}
| |
| | |
| '''When OP-TEE is running in [[SYSRAM_internal_memory|SYSRAM]]:'''
| |
| | |
| OP-TEE OS requires more than 256Ko RAM to execute. {{MicroprocessorDevice | device=15}} [[SYSRAM_internal_memory| SYSRAM]] is only 256Ko large; therefore OP-TEE core, when executing from [[SYSRAM_internal_memory|SYSRAM]], must enable its pager mode (configuration switch '''CFG_WITH_PAGER{{=}}y''') to extend secure memory through virtual memory and on-demand paging, saving secure data into DDR protected by hash tables and software encryption keys.
| |
| | |
| When so, OP-TEE boot image is made of 2 binary images: one (the unpaged part) is loaded at the beginning of the [[SYSRAM_internal_memory|SYSRAM]] by the FSBL, the second (the pageable part) is loaded in DDR by the FSBL, in a DDR area that can be accessed by the CPU secure world.
| |
| | |
| OP-TEE OS manages low power mode by saving an encrypted image of the [[SYSRAM_internal_memory|SYSRAM]] content in DDR before it is suspended. OP-TEE restores this content back into the [[SYSRAM_internal_memory|SYSRAM]] when it resumes from the suspended state. This sequence is achieved using CPU instructions and encryption keys saved in the secure and retained [[BKPSRAM_internal_memory|backup SRAM]].
| |
| | |
| For more information on OP-TEE's pager implementation and integration, one can refer to the OP-TEE documentation related to the pager
| |
| <ref name=optee.readthedocs.pager>https://optee.readthedocs.io/en/latest/architecture/core.html#pager</ref>
| |
| | |
| ==={{MicroprocessorDevice | device=25}} ===
| |
| OP-TEE OS is loaded in DDR, in memory areas protected thanks to [[RISAF internal peripheral|RISAF]] memory region encryption and secure level management.
| |
| | |
| == Build with the Distribution Package ==
| |
| | |
| The [[STM32MPU_Distribution_Package|Distribution Package]] provides means to build the following OP-TEE components from their related bitbake target:
| |
| | |
| {{PC$}} bitbake optee-os-stm32mp # OP-TEE core firmware
| |
| {{PC$}} bitbake optee-os-sdk-stm32mp # OP-TEE development kit for Trusted Applications
| |
| {{PC$}} bitbake optee-client # OP-TEE client
| |
| {{PC$}} bitbake optee-test # OP-TEE test suite (optional)
| |
| {{PC$}} bitbake optee-examples # TA and CA examples
| |
| | |
| [[STM32MPU_Distribution_Package|Distribution Package]] build process includes fetching the source files, compiling them and installing them to the target images.
| |
| | |
| The Yocto recipes for the OP-TEE packages can be found in:<br>
| |
| meta-st/meta-st-stm32mp/recipes-security/optee/optee-os-stm32mp*
| |
| meta-st/meta-st-openstlinux/recipes-security/optee/optee-client*
| |
| meta-st/meta-st-openstlinux/recipes-security/optee/optee-examples*
| |
| meta-st/meta-st-openstlinux/recipes-security/optee/optee-test*
| |
| | |
| == Build with the Developer Package or a Bare Environment ==
| |
| | |
| Both [[STM32MPU_Developer_Package|Developer Package]] and bare build environments expect you to fetch/download the OP-TEE package source file trees in order to build the embedded binary images.
| |
| | |
| The instruction set below assumes all OP-TEE package source trees are available in the base directory referred as <sources>/. The source files are available from the github repositories:
| |
| {{PC$}} cd <sources>/
| |
| {{PC$}} git clone {{CodeSource | OP-TEE_OS}}
| |
| {{PC$}} git clone https://github.com/OP-TEE/optee_client.git
| |
| {{PC$}} git clone https://github.com/OP-TEE/optee_test.git
| |
| {{PC$}} git clone https://github.com/linaro-swg/optee_examples.git
| |
| {{PC$}} ls -1 <sources>/
| |
| optee_client
| |
| optee_examples
| |
| optee_os
| |
| optee_test
| |
| {{PC$}}
| |
| | |
| {{Warning|Make sure to use a consistent tag version for all OP-TEE components, e.g. 3.12.0 for DV3.1 }}
| |
| | |
| {{Warning|The STM32 MPU platform may not be fully merged in the official OP-TEE repository <ref name=OP-TEE/optee_os>https://github.com/OP-TEE/optee_os</ref> hence the URL provided above refers to the ST distribution <ref name=STMicroelectronics/optee_os>https://github.com/STMicroelectronics/optee_os</ref>}}
| |
| | |
| {{InternalInfo |
| |
| Download optee_os source code from the internal Git:
| |
| {{PC$}} git clone ssh://gerrit.st.com:29418/mpu/oe/optee/optee_os.git
| |
| }}
| |
| | |
| {{MicroprocessorDevice | device=25}} requires an extra source tree for the implementation of the SCMI server embedded in OP-TEE core:
| |
| {{PC$}} git clone {{CodeSource | SCP_firmware}}
| |
| | |
| {{MicroprocessorDevice | device=25}} may also need an extra source tree for some device tree files (DTS file) that define specific board configuration settings:
| |
| {{PC$}} git clone {{CodeSource | External_DT}}
| |
| | |
| === Initialize the cross compile environment ===
| |
| | |
| The compilation toolchain provided by the [[STM32MPU_Developer_Package|Developer Package]] can be used, refer to [[Cross-compile with OpenSTLinux SDK|Setup Cross Compile Environment]].
| |
| | |
| Alternatively other bare toolchains can be used to build the OP-TEE '''secure''' parts. In such case, the instructions below expect the toolchain to be part of the '''PATH''' and its prefix is defined by '''CROSS_COMPILE'''. One can use something like:
| |
| {{PC$}} export PATH=<path-to-toolchain>:$PATH
| |
| {{PC$}} export CROSS_COMPILE=<toolchain-prefix>-
| |
| | |
| === Build OP-TEE OS ===
| |
| | |
| ==== Developer Package SDK ====
| |
| The OP-TEE OS can be built from the [[STM32MPU_Developer_Package|Developer Package]] '''Makefile.sdk''' script that is present in the tarball. It automatically sets the proper configuration for the OP-TEE OS build. To build from shell command:<br>
| |
| {{PC$}} make -f $PWD/../Makefile.sdk CFG_EMBED_DTB_SOURCE_FILE=<board_dts_file_name>.dts
| |
| | |
| ==== Bare Environment ====
| |
| Alternatively, one can also build OP-TEE OS with a bare cross compilation toolchain. OP-TEE OS builds with a Makefile and needs some configuration directives, first of all '''PLATFORM''' and '''CFG_EMBED_DTB_SOURCE_FILE'''.
| |
| | |
| '''PLATFORM''' defines the OP-TEE platform, '''stm32mp1''' or '''stm32mp2'''.
| |
| | |
| '''CFG_EMBED_DTB_SOURCE_FILE''' defines the target platform device tree file name, from '''<optee-os>/core/arch/arm/dts/'''.
| |
| | |
| For example, building for stm32mp157c-ev1 target:
| |
| {{PC$}} cd <optee-os>
| |
| {{PC$}} make PLATFORM=stm32mp1 \
| |
| CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
| |
| CFG_TEE_CORE_LOG_LEVEL=2 O=build all
| |
| | |
| {{MicroprocessorDevice | device=25}} requires an extra configuration switch '''CFG_SCP_FIRMWARE''', with the absolute path of the SCP-firmware component source file tree. SCP-firmware is the SCMI server reference implementation embedded for SCMI services.
| |
| | |
| For example, building for stm32mp257f-dk target:
| |
| {{PC$}} cd <optee-os>
| |
| {{PC$}} make PLATFORM=stm32mp2 ARCH=arm \
| |
| CFG_EMBED_DTB_SOURCE_FILE=stm32mp257f-dk.dts \
| |
| CFG_SCP_FIRMWARE=<SCP-Firmware absolute path> \
| |
| CFG_TEE_CORE_LOG_LEVEL=2 O=build all
| |
| | |
| '''Using the [[External device tree | External device tree]]:'''<br>
| |
| | |
| For some boards, ST provides extra device tree configurations in a dedicated [[git]] repository: {{CodeSource | External_DT | optee/stm32mp257f-ev1-ca35tdcid-ostl.dts}}. You can use the <code>git submodule</code> command or simply clone the repository below:
| |
| | |
| {{PC$}} git clone {{CodeSource | External_DT}}
| |
| | |
| or
| |
| | |
| {{PC$}} git submodule add {{CodeSource | External_DT}} {{Highlight|core/arch/arm/dts/external-dt}}
| |
| | |
| If the external device tree source tree is located at {{Highlight|core/arch/arm/dts/external-dt}}, please ignore the rest of this subchapter: this is the default path for the external device tree.
| |
| | |
| You'll then need to compile OP-TEE and specify the external device tree path in the '''CFG_EXT_DTS''' config switch. Example for the {{Board | type=257F-EV1}} with OSTL config:
| |
| | |
| {{PC$}} make PLATFORM=stm32mp2 ARCH=arm \
| |
| CFG_EXT_DTS=<PATH_TO_EXTERNAL_DT>/optee \
| |
| CFG_EMBED_DTB_SOURCE_FILE=stm32mp257f-ev1-ca35tdcid-ostl.dts \
| |
| CFG_SCP_FIRMWARE=<SCP-Firmware absolute path> \
| |
| CFG_TEE_CORE_LOG_LEVEL=2 \
| |
| O=build all
| |
| | |
| ==== Generated Files ====
| |
| The 3 OP-TEE boot images are generated at following paths:
| |
| <optee-os>/build/core/tee-header_v2.bin
| |
| <optee-os>/build/core/tee-pageable_v2.bin
| |
| <optee-os>/build/core/tee-pager_v2.bin
| |
| | |
| The configuration directives used for the build are available in this file:
| |
| <optee-os>/build/conf.mk
| |
| | |
| The build also generates a development kit used to build Trusted Application binaries, in 32bit and/or 64bit:
| |
| <optee-os>/build/export-ta_arm32/
| |
| <optee-os>/build/export-ta_arm64/
| |
| | |
| ==== Details on build directives ====
| |
| | |
| Mandatory directives to build OP-TEE OS:
| |
| * '''PLATFORM=<platform>'''
| |
| ** Ex: '''PLATFORM=stm32mp1''' for {{MicroprocessorDevice|device=1}}
| |
| ** Ex: '''PLATFORM=stm32mp2''' for {{MicroprocessorDevice|device=2}}
| |
| * '''CFG_EMBED_DTB_SOURCE_FILE=<device-tree-source-file>''': in-tree ({{CodeSource | OP-TEE_OS | core/arch/arm/dts/}}) device tree filename with its '''.dts''' extension.
| |
| ** Ex: '''CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-dk2.dts'''
| |
| | |
| Mandatory directives to build OP-TEE OS for {{MicroprocessorDevice|device=2}}:
| |
| * '''CFG_SCP_FIRMWARE'''=<SCP-Firmware absolute path>
| |
| <br/>
| |
| | |
| OP-TEE generic optional directives commonly used, described in OP-TEE OS ''mk/config.mk'' file:
| |
| * '''CFG_CORE_HEAP_SIZE{{=}}<VALUE>''': define the byte size of OP-TEE core memory allocation pool
| |
| * '''CFG_NUM_THREADS{{=}}<VALUE>''': define the number of TEE threads provisioned in OP-TEE
| |
| * '''CFG_REE_FS{{=}}{n|y}''': disable/enable OP-TEE REE filesystem based secure storage area
| |
| * '''CFG_RPMB_FS{{=}}{n|y}''': disable/enable OP-TEE eMMC/RPMB based secure storage area
| |
| * '''CFG_RPMB_FS_DEV_ID{{=}}<VALUE>''': define the ''mmcblk'' block device used by REE for eMMC/RPMB accesses <BR> (e.g. "1" on stm32mp157x-ev1 boards)
| |
| * '''CFG_WITH_USER_TA{{=}}{n|y}''': disable/enable support for Trusted Applications in OP-TEE secure memory (default is '''y''')
| |
| <br/>
| |
| | |
| OP-TEE generic optional debugging and test directives commonly used, described in OP-TEE OS ''mk/config.mk'' file:
| |
| * '''CFG_TEE_CORE_DEBUG{{=}}{n|y}''': disable/enable debug support
| |
| * '''CFG_TEE_CORE_LOG_LEVEL{{=}}{0|1|2|3|4}''': define OP-TEE core trace level ('''0''': no trace, '''4''': overflow of traces) (default is '''2''': info)
| |
| * '''CFG_TEE_CORE_TA_LEVEL{{=}}{0|1|2|3|4}''': define OP-TEE Trusted Applications (TAs) trace level (default is '''1''': error)
| |
| * '''CFG_TEE_CORE_TA_TRACE{{=}}{n|y}''': disable/enable TAs trace message at define OP-TEE core level (default is '''y''')
| |
| * '''CFG_UNWIND{{=}}{n|y}''': disable/enable stack unwind debug trace messages
| |
| * '''CFG_ENABLE_EMBEDDED_TESTS{{=}}{n|y}''': disable/enable embedded test, used by ''xtest'' tool (default is '''y''')
| |
| * '''CFG_WITH_STATS{{=}}{n|y}''': disable/enable OP-TEE statistics retrieve from the Stats PTA service.
| |
| * '''CFG_WERROR{{=}}{n|y}''': disable/enable build error trigger on OP-TEE build warning occurrences.
| |
| * '''CFG_TA_GPROF_SUPPORT{{=}}{n|y}''': disable/enable profiling of Trusted Application implementation based on ''gprof'' standard tool
| |
| * '''CFG_FTRACE_SUPPORT{{=}}{n|y}''': disable/enable function trace support in Trusted Applications based on ''ftrace'' standard tool
| |
| * '''CFG_SYSCALL_FTRACE{{=}}{n|y}''': disable/enable support for ''ftrace'' syscall graph generation
| |
| <br/>
| |
| | |
| OP-TEE optional directives commonly used on {{MicroprocessorDevice|device=1}} and {{MicroprocessorDevice|device=2}}:
| |
| * '''CFG_EXT_DTS'''=<PATH_TO_EXTERNAL_DT>
| |
| ** Needed if using the [[External device tree | External device tree]] and its source tree is not located at {{Highlight|core/arch/arm/dts/external-dt}}
| |
| * '''CFG_STM32_EARLY_CONSOLE_UART{{=}}{0|1|2|...}''': define the USART instance used for early console trace messages (default is '''4''')
| |
| * '''CFG_STM32_BSEC_WRITE{{=}}{n|y}''': disable/enable the program/write fuses capabilities (default '''n''' to avoid bricking the chip)
| |
| <br/>
| |
| | |
| OP-TEE optional directives specific to {{MicroprocessorDevice|device=15}} {{EcosystemRelease | revision=5.0.0 | range=and after}}:
| |
| * '''CFG_STM32MP1_OPTEE_IN_SYSRAM{{=}}{n|y}''': See warning section below and [[#STM32MP15x lines|STM32MP15x lines]] for details (default is '''n''').<BR>Note that when '''CFG_STM32MP1_OPTEE_IN_SYSRAM{{=}}n''', '''CFG_WITH_USER_TA''' default value is '''n''',<BR>and when '''CFG_STM32MP1_OPTEE_IN_SYSRAM{{=}}y''', '''CFG_WITH_USER_TA''' default value is '''y'''.
| |
| * '''CFG_STM32MP15_HUK{{=}}{n|y}''': disable/enable reading of OP-TEE's HUK (Hardware Unique Key) from BSEC fuses.
| |
| * '''CFG_STM32_HUK_FROM_DT{{=}}{n|y}''': disable/enable reading of HUK location in BSEC fuses from OP-TEE's embedded Device Tree.
| |
| * '''CFG_STM32_HUK_TESTKEY{{=}}{n|y}''': disable/enable use of a test key (default is '''y''') <BR> Supersedes '''CFG_OTP_HW_TESTKEY''' used ''before'' {{EcosystemRelease | revision=5.0.0}}.
| |
| <br/>
| |
| | |
| {{Info|
| |
| For {{EcosystemRelease | revision=3.0.0 | range=and before}} compatibility: <BR>
| |
| It is still possible to generate the STM32 binary files with an option flag: <BR>
| |
| CFG_STM32MP15x_STM32IMAGE{{=}}1: Generate the STM32 files for {{EcosystemRelease | revision=3.0.0 | range=and before}} compatibility.}}
| |
| <br/>
| |
| | |
| {{Warning |
| |
| To enable OP-TEE secure services for {{MicroprocessorDevice | device=15}} on {{EcosystemRelease | revision=5.0.0 | range=and after}}, one must configure OP-TEE to execute in secure SYSRAM. TF-A boot loader must also be configured to load OP-TEE in internal SYSRAM, not in DDR.<br>
| |
| To make OP-TEE for {{MicroprocessorDevice | device=15}} execute in SYSRAM, one shall:
| |
| * enable OP-TEE configuration switch '''CFG_STM32MP1_OPTEE_IN_SYSRAM{{=}}y'''
| |
| * enable TF-A configuration switch '''STM32MP1_OPTEE_IN_SYSRAM{{=}}1''' for both [[How_to_configure_TF-A_BL2|TF-A BL2]] and [[How_to_configure_TF-A_FIP|TF-A FIP]] images.
| |
| }}
| |
| | |
| Note: internal memory size constrains the debug support level that can be provided.
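A check over the directives listed above, as an added example (not part of the original article, nor ST or OP-TEE tooling): it reads the generated '''<optee-os>/build/conf.mk''' and reports the switches this page documents as test-key, fuse-write, debug or test settings, plus the STM32MP15x SYSRAM/DDR combinations from the warning above. It assumes conf.mk records switches as NAME=value and disabled ones as NAME=n or "# NAME is not set"; the function names, the '''mp15''' argument and the reporting policy are this example's own.

```shell
#!/bin/sh
# Added example: audit the switches recorded in <optee-os>/build/conf.mk.
# The policy is this example's assumption, derived from the defaults and
# warnings documented on this page.

# cfg_get FILE NAME: print the value of switch NAME. Prints "n" for a
# "# NAME is not set" line and nothing when NAME does not appear at all.
cfg_get() {
    awk -v name="$2" '
        $0 ~ ("^[ \t]*" name "[ \t]*[?:]?=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        $0 ~ ("^#[ \t]*" name " is not set") { val = "n" }
        END { if (val != "") print val }
    ' "$1"
}

# is_y FILE NAME: true when the switch is recorded as "y".
is_y() { [ "$(cfg_get "$1" "$2")" = y ]; }

FINDINGS=0
report() {
    echo "FINDING: $1"
    FINDINGS=$((FINDINGS + 1))
}

# audit_conf FILE [SOC]: pass SOC=mp15 (label chosen by this example) to add
# the STM32MP15x-only checks. Returns 0 when clean, 1 when at least one
# finding was printed, 2 when FILE cannot be read.
audit_conf() {
    conf=$1 soc=${2:-}
    FINDINGS=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    if is_y "$conf" CFG_STM32_HUK_TESTKEY; then
        report "CFG_STM32_HUK_TESTKEY=y: test key used for the HUK"
    fi
    if is_y "$conf" CFG_STM32_BSEC_WRITE; then
        report "CFG_STM32_BSEC_WRITE=y: fuse programming is enabled"
    fi
    if is_y "$conf" CFG_TEE_CORE_DEBUG; then
        report "CFG_TEE_CORE_DEBUG=y: debug support is built in"
    fi
    if is_y "$conf" CFG_ENABLE_EMBEDDED_TESTS; then
        report "CFG_ENABLE_EMBEDDED_TESTS=y: embedded tests (xtest) are built in"
    fi
    level=$(cfg_get "$conf" CFG_TEE_CORE_LOG_LEVEL)
    case $level in
        3|4) report "CFG_TEE_CORE_LOG_LEVEL=$level: above the default level 2" ;;
    esac

    if [ "$soc" = mp15 ]; then
        in_sysram=$(cfg_get "$conf" CFG_STM32MP1_OPTEE_IN_SYSRAM)
        # DDR is not encrypted on STM32MP15x: TAs there cannot be trusted.
        if [ "$in_sysram" != y ] && is_y "$conf" CFG_WITH_USER_TA; then
            report "CFG_WITH_USER_TA=y while OP-TEE runs from DDR"
        fi
        # 256Ko of SYSRAM is not enough without the pager.
        if [ "$in_sysram" = y ] && ! is_y "$conf" CFG_WITH_PAGER; then
            report "CFG_STM32MP1_OPTEE_IN_SYSRAM=y without CFG_WITH_PAGER=y"
        fi
    fi
    [ "$FINDINGS" -eq 0 ]
}

# write_sample_conf PATH: constructed conf.mk excerpt (not from a real build).
write_sample_conf() {
    cat > "$1" <<'EOF'
CFG_STM32MP1_OPTEE_IN_SYSRAM=y
# CFG_WITH_PAGER is not set
CFG_WITH_USER_TA=y
CFG_STM32_HUK_TESTKEY=y
# CFG_STM32_BSEC_WRITE is not set
CFG_TEE_CORE_LOG_LEVEL=2
# CFG_TEE_CORE_DEBUG is not set
# CFG_ENABLE_EMBEDDED_TESTS is not set
EOF
}

# Usage: sh audit_conf.sh <optee-os>/build/conf.mk [mp15]
# Without arguments, the constructed sample is audited instead.
if [ $# -ge 1 ]; then
    audit_conf "$@"
else
    demo=$(mktemp) && write_sample_conf "$demo"
    audit_conf "$demo" mp15 || echo "$FINDINGS finding(s) in constructed sample"
    rm -f "$demo"
fi
```

Run against a real build, the exit status is non-zero when any finding is printed, so the check can gate an image before it is packaged into the FIP.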
| |
| | |
| ==== Troubleshoot ====
| |
| The [[STM32MPU_Developer_Package|Developer Package]] toolchain may report dependency error in the traces such as:
| |
| {{PC$}} make PLATFORM=stm32mp1 ...
| |
| arm-ostl-linux-gnueabi-ld.bfd: unrecognized option '-Wl,-O1'
| |
| arm-ostl-linux-gnueabi-ld.bfd: use the --help option for usage information
| |
| core/arch/arm/kernel/link.mk:165: recipe for target 'build/arm-plat-stm32mp1/core/tee.elf' failed
| |
| make: *** [build/arm-plat-stm32mp1/core/tee.elf] Error 1
| |
| | |
| This is linked to the default CFLAGS and LDFLAGS exported by the SDK. Just remove them from the environment and rebuild:
| |
| {{PC$}} unset -v CFLAGS LDFLAGS
| |
| | |
| Other reported issues:
| |
| | |
| {{PC$}} make PLATFORM=stm32mp1 ...
| |
| arm-openstlinux_weston-linux-gnueabi-ld.bfd: cannot find libgcc.a: No such file or directory
| |
| | |
| To overcome the issue, add the directive '''CFLAGS32=--sysroot=$SDKTARGETSYSROOT''' or '''CFLAGS64=--sysroot=$SDKTARGETSYSROOT''', depending on target architecture. For example:
| |
| {{PC$}} cd <optee-os>
| |
| {{PC$}} make PLATFORM=stm32mp1 \
| |
| CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
| |
| CFG_TEE_CORE_LOG_LEVEL=2 \
| |
| CFLAGS32=--sysroot=${SDKTARGETSYSROOT} \
| |
| O=build all
| |
| | |
| === Build commands for other OP-TEE components ===
| |
| | |
| This section describes how the several OP-TEE components (excluding OP-TEE OS described in above section) can be built. All those components generate files targeting the embedded Linux OS based filesystem (i.e the rootfs). These files are the secure Trusted Applications (TAs) binaries as well as non-secure Client Applications (CAs), libraries and test files.
| |
| | |
| There are several ways to build the OP-TEE components. The examples given below refer to OP-TEE client, test and examples source file tree paths as
| |
| <optee-client>, <optee-test> and <optee-examples>.
| |
| | |
| Building these components expects, at least for the trusted applications, that the OP-TEE OS was built and the generated TA development kit is available at <optee-os>/build/export-ta_arm32/.
| |
| | |
| It is recommended to use CMake for building the Linux userland part whereas secure world binaries (TAs) must be built from their GNU makefiles as the OP-TEE project has not yet ported the secure world binaries build process over CMake.
| |
| | |
| ==== Build the secure components ====
| |
| | |
| Build the TAs: This step expects OP-TEE OS is built to generate the 32bit TA development kit. Assuming OP-TEE OS was built at path <optee-os>/build, the TA development kit is available from path <optee-os>/build/export-ta_arm32/.
| |
| | |
| Instructions below build and copy the Trusted Application binaries to a local '''./target/''' directory that can be used to populate the target
| |
| filesystem.
| |
| | |
| {{PC$}} export TA_DEV_KIT_DIR=$PWD/optee_os/build/export-ta_arm32
| |
| {{PC$}} mkdir -p ./target/lib/optee_armtz
| |
| {{PC$}} for f in optee_test/ta/*/Makefile; do \
| |
| make -C `dirname $f` O=build; \
| |
| cp -f `dirname $f`/build/*.ta ./target/lib/optee_armtz; \
| |
| done
| |
| | |
| The content of the local directory '''./target/''' is the TA binary files:
| |
| | |
| {{PC$}} tree target/
| |
| target
| |
| └── lib
| |
| └── optee_armtz
| |
| ├── 614789f2-39c0-4ebf-b235-92b32ac107ed.ta
| |
| ├── 731e279e-aafb-4575-a771-38caa6f0cca6.ta
| |
| └── (...)
| |
| | |
| These files need to be copied to the target filesystem.
| |
| | |
| ==== Build the non-secure components====
| |
| | |
| Download the OP-TEE source files in a base directory and create a '''CMakeLists.txt''' file in the base directory that lists all packages to be built through CMake. For example:
| |
| | |
| {{PC$}} ls
| |
| optee_client
| |
| optee_examples
| |
| optee_os
| |
| optee_test
| |
| CMakeLists.txt
| |
| {{PC$}} cat CMakeLists.txt
| |
| add_subdirectory (optee_client)
| |
| add_subdirectory (optee_test)
| |
| add_subdirectory (optee_examples)
| |
| {{PC$}}
| |
| | |
| From base directory, run '''cmake''' then '''make'''. The example below also creates the tree file system '''./target/''' that is populated with files generated that need to be installed in the target file system.<br>
| |
| Note this example also sets the toolchain environment:
| |
| | |
| {{PC$}} cmake -DOPTEE_TEST_SDK=$PWD/optee_os/build/export-ta_arm32 \
| |
| -DCMAKE_INSTALL_PREFIX= -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=y
| |
| {{PC$}} make
| |
| {{PC$}} make DESTDIR=target install
| |
| | |
| Note the empty '''CMAKE_INSTALL_PREFIX''' value to get things installed from root '''/''', not from '''/usr/'''.
| |
| '''DESTDIR=target''' makes the embedded files be populated in the local '''./target/''' directory.
| |
| | |
| Note also that stm32mp1 expects tool '''tee-supplicant''' to be located in directory '''/usr/bin''' whereas CMake installs it in directory '''/usr/sbin'''. To overcome this issue, one can build a link to the effective location, i.e:
| |
| | |
| {{PC$}} ln -s ../bin/tee-supplicant target/sbin/tee-supplicant
| |
| | |
| Once done, local directory '''./target/''' contains the files to be copied in the target filesystem.
| |
| | |
| {{PC$}} tree target/
| |
| target/
| |
| ├── bin
| |
| │ ├── benchmark
| |
| │ ├── optee_example_acipher
| |
| │ ├── optee_example_aes
| |
| │ ├── optee_example_hello_world
| |
| │ ├── optee_example_hotp
| |
| │ ├── optee_example_random
| |
| │ ├── optee_example_secure_storage
| |
| │ ├── tee-supplicant
| |
| │ └── xtest
| |
| ├── include
| |
| │ ├── tee_bench.h
| |
| │ ├── tee_client_api_extensions.h
| |
| │ ├── tee_client_api.h
| |
| │ └── teec_trace.h
| |
| ├── lib
| |
| │ ├── libteec.so -> libteec.so.1
| |
| │ ├── libteec.so.1 -> libteec.so.1.0.0
| |
| │ └── libteec.so.1.0.0
| |
| │ └── optee_armtz
| |
| │ └── (...) # This directory was previously filled with TAs
| |
| └── sbin
| |
| └── tee-supplicant -> ../bin/tee-supplicant
| |
| | |
| == Update OP-TEE boot images ==
| |
| OP-TEE boot images are part of the [[How to configure TF-A FIP|FIP binary]].<br>
| |
| The next step to deploy the OP-TEE OS is to update the FIP binary following the [[How to configure TF-A FIP#Updating the FIP binary|FIP update process]].
| |
| | |
| == Update OP-TEE Linux files ==
| |
| === Update on board ===
| |
| The other OP-TEE images are stored in the target filesystem.<br>
| |
| | |
| For example, if using an SD card as target boot media, the card can be plugged in its PC card reader and the images copied.
| |
| The files can be simply copied into the mounted rootfs.
| |
| | |
| === Update in a SD card ===
| |
| The OP-TEE files that need to be copied to the target filesystem were installed in a local directory '''./target/'''.
| |
| | |
| They can now be copied to the target SD card rootfs partition once the SD card is plugged to the host computer and its filesystems are mounted in the host, i.e
| |
| {{PC$}} cp -ar target/* /media/$USERNAME/rootfs/
| |
| | |
| == Update your boot device (including SD card on the target) ==
| |
| Refer to the [[STM32CubeProgrammer]] documentation to update your target.
| |
| | |
| == References ==
| |
| <references />
| |
|
| |
|
| <noinclude> | | <noinclude> |
| {{PublicationRequestId | 10619 | 2019-02-01 | Gregorys}} | | {{PublicationRequestId | 10619 | 2019-02-01 | Gregorys}} |
| [[Category:OP-TEE secure OS]] | | [[Category:OP-TEE]] |
| </noinclude> | | </noinclude> |