This article explains how to build TEE components, except the OP-TEE drivers. The latter are part of the Linux build process and are compiled as loadable modules. Refer to How to build kernel for Android. It is intended for Distribution Package users.
The OP-TEE security feature is composed of several parts:
- OP-TEE drivers: included in the Linux Kernel
- OP-TEE OS: part of bootloader image.
- OP-TEE Client: the OP-TEE userland client and is part of the OpenSTDroid distribution.
- OP-TEE Tests: OP-TEE Tests suite with dedicated trusted applications part of the OpenSTDroid distribution.
- This module proposes a test suite for OP-TEE.
- It is only available when not in user building profile.
For detail, you can refer to STM32 MPU OP-TEE overview page.
1. Prerequisites
The environment must be installed using the distribution package adapted to the selected microprocessor device.
To be able to execute the following instructions, work from the distribution root directory, initialize the environment, and then run lunch:
source build/envsetup.sh lunch aosp_<BoardId>-userdebug bspsetup
 Information
|
The bspsetup instruction needs to be run only once for the distribution
|
2. Partition layout
The OP-TEE OS is integrated in the fip partition.
The OP-TEE TA (Trusted Applications) are integrated in the vendor partition.
The binaries are available in device/stm/<STM32Series>-tee/prebuilt.
| Information
|
|
For more information on the complete partition layout depending on your development platform, refer to the corresponding Flash mapping article named Your_development_platform Flash mapping for Android. Example: STM32 MPU Flash mapping for Android for the STM32MP25x boards. All Flash mapping for Android articles belong to the Category:Flash mapping for Android. |
3. Load the TEE sources
By default, the OP-TEE sources are not part of the OpenSTDroid distribution. To load the sources, execute the following instruction:
load_tee
| Information
|
|
The load_tee script uses the configuration file |
The loaded sources can then be accessed at the device/stm/<STM32Series>-tee/optee_os-<STM32Series> directory.
| Information
|
|
As soon as possible, only the archive is loaded from the remote repository (reducing size). This means that you need to configure your environment to ensure that you can download via http from GitHub. If required, you can clone the remote repository if all the git history is needed. For this purpose, replace the |
4. Build the TEE
After retrieving the OP-TEE sources, build them using:
build_tee
This instruction generates an OP-TEE for every available board.
To get back more details on available options, run:
build_tee -h
Here after, see the result for the version 1.6:
Usage: build_tee [Options] [Command]
This script allows building the OP-TEE OS source
Options:
-h / --help: print this message
-i / --install: update prebuilt images
-r <level> / --rpmb=<level>:
0: disable RPMB
1: enable RPMB with TESTKEY for anti-rollback only (TAKE CARE: CFG_RPMB_WRITE_KEY is enabled, fusing the TESTKEY on your device)
2: enable RPMB with TESTKEY for secure storage (TAKE CARE: CFG_RPMB_WRITE_KEY is enabled, fusing the TESTKEY on your device) (default)
-v / --version: get script version
--verbose=<level>: enable build verbosity
0: no verbosity (default)
1: remove script filtering
2: remove script filtering and quiet option for the build
-d <level> / --debug=<level>: TEE debug level
0: NO DEBUG (default)
1: TEE core and TA log level 1 = Only non-tagged and error trace (MSG/EMSG)
2: TEE core and TA log level 2 = + Info trace messages (IMSG)
3: TEE core and TA log level 3 = + Debug trace messages (DMSG)
4: TEE core and TA log level 4 = + Flow trace messages (FMSG)
-b <name> / --board=<name>: set board name from following list = eval (default: all)
Command: Optional, only one command at a time supported
clean: execute make clean on targeted module
5. Integrate the TEE
To integrate the new OP-TEE solution within your distribution, first, the prebuilt images must be updated:
build_tee -i
Then, build the full distribution.
make -j
Finally, update the associated partitions for the device. Refer to Flashing the built image.
6. Build Trusted Applications
Customized trusted applications can be built as needed. For this purpose, the configuration file android_tabuild.config located in device/stm/<STM32Series>-tee/source has to be changed.
To build trusted applications, execute:
build_ta
This script generates every application for all available boards.
To get more details on available options, run:
build_ta -h
Here after, see the result for the version 1.1:
Usage: build_ta [Options] [Board options]
This script allows building the trust applications (TA) source listed in android_tabuild.config file
Options:
-h / --help: print this message
-i / --install: update prebuilt images
-v / --version: get script version
--verbose=<level>: enable verbosity (1 or 2 depending on level of verbosity required)
-b <name> / --board=<name>: set board name from following list = eval (default: all)
7. Integrate Trusted Applications
To integrate the new trusted applications into a distribution, first update the prebuilt images.
build_ta -i
Then, update the file device.mk by copying the trusted application in the /vendor/lib/optee_armtz directory.
PRODUCT_COPY_FILES += \
device/stm/<STM32Series>-tee/prebuilt/<BoardId>/ta/<UUID>.ta:$(TARGET_COPY_OUT_VENDOR)/lib/optee_armtz/<UUID>.ta
Next, build the full distribution.
make -j
Finally, update the associated partitions on the device. Refer to How to populate boards for Android.