How to develop an OP-TEE Trusted Application with STM32CubeIDE

Applicable for STM32MP13x lines, STM32MP15x lines

This article is a guideline for OP-TEE trusted application support, which is fully integrated into STM32CubeIDE from release 1.10.0.22 onwards.

It walks through the creation of an OP-TEE trusted application project made of:

  • a user space hello world executable, which makes a call to the OP-TEE trusted application
  • the OP-TEE trusted application itself, identified by a universally unique identifier (UUID)

1 Prerequisites

Minimum hardware

  • STM32MP1x board booted with OP-TEE
  • Linux console
  • Ethernet (or Ethernet over USB) for connection to Linux® Cortex®-A

Minimum software

The Yocto SDK is required to build the trusted application example. The Linux project is used here only to deploy the trusted application on the STM32MP1x target.

2 Create a Trusted Application project

In the root project context, named "myMp135fDk" here, right-click and select Create an OP-TEE Trusted Application Project.

Trusted application project creation shortcut


Give the project a name. Note that the trusted application project uses by default the SDK version associated with the STM32MP1 project (OpenSTLinux 4.0.0 with STM32CubeIDE 1.10).

STM32MP1 project enriched with OP-TEE Trusted Application projects

A Trusted Application project is created under the root project. It contains two source directories:

  • "host/", for the user space executable sources
  • "ta/", for the trusted application sources
STM32MP1x project enriched with OP-TEE Trusted Application project

3 Build

Select your trusted application project, right-click and then Build Project.

Trusted application project build

This build generates two artifacts:

  • the executable, "myTrustedApp" here, under the "Binaries/" Eclipse artifact
  • the trusted application, "37cc9755-b605-4b7a-8c9d-257ee26aaa21.ta" here, under the "ta/" directory. The file name is the UUID of the trusted application, and the file must keep that name on the target for OP-TEE to find it.

4 Preparing debug

In order to debug the user space application, your target must be booted under Linux® and connected to the network.

You can check the boot messages via the Linux® console opened with the butterfly icon, but remember that this serial console cannot be shared with a terminal program outside STM32CubeIDE (minicom, ...).

STM32CubeIDE Linux console

In order to check the network connection, start the Target Status widget in the bottom right corner of the window.

Target Status - green


See also How to set up proxy and P2P Ethernet connection with STM32CubeIDE if that applies to your setup.

5 Linux® deployment configuration

To run or debug the executable "myTrustedApp", the trusted application (.ta) must first be downloaded to the STM32MP1 device. Select the Linux project, right-click Run as... > Run Configurations, then select STM32 Cortex-A Linux Deployment.

Linux deployment


The settings for the trusted application are:

  • Project: the trusted application project, "myTrustedApp" here
  • Local path: the .ta file inside ta/ of the trusted application project
  • Remote path: "/lib/optee_armtz/", the directory from which tee-supplicant loads trusted applications on the target


Trusted application deployment configuration


Then untick Reboot and click OK; the corresponding deployment message appears in a dedicated console.

Trusted application deployment message
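The build output name in section 3 and the remote path in this section are tied together by the TA UUID: the .ta file is named after it, and the same UUID appears as a C initializer in the host/ and ta/ headers. The following is an added example, not code from the page or from OP-TEE, that converts the textual UUID into that initializer layout and derives the path where the file must land. The struct mirrors the GlobalPlatform TEEC_UUID / TEE_UUID field order (in a real project it comes from tee_client_api.h or tee_internal_api.h); the function names, the TA_INSTALL_DIR constant and the strict parsing rule are this example's own choices.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Remote path used in the deployment configuration above. */
#define TA_INSTALL_DIR "/lib/optee_armtz/"
#define UUID_STR_LEN   36

/* Field order and widths mirror the GlobalPlatform TEEC_UUID / TEE_UUID
 * structs used by the real host and TA headers (local copy for this example). */
struct ta_uuid {
	uint32_t timeLow;
	uint16_t timeMid;
	uint16_t timeHiAndVersion;
	uint8_t  clockSeqAndNode[8];
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Parse the 8-4-4-4-12 textual form into the struct. The text form is
 * big-endian, so "37cc9755" becomes timeLow 0x37cc9755. Returns 0 on
 * success, -1 for anything that is not exactly 32 hex digits and 4 dashes:
 * the name is reused as a path component, so nothing else may pass. */
int ta_uuid_parse(const char *s, struct ta_uuid *u)
{
	uint8_t b[16];
	size_t i, n = 0;

	if (s == NULL || u == NULL || strlen(s) != UUID_STR_LEN)
		return -1;
	for (i = 0; i < UUID_STR_LEN; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return -1;
			continue;
		}
		int hi = hexval(s[i]);
		int lo = hexval(s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		b[n++] = (uint8_t)((hi << 4) | lo);
		i++;                      /* two digits consumed */
	}
	u->timeLow = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	             ((uint32_t)b[2] << 8) | b[3];
	u->timeMid = (uint16_t)((b[4] << 8) | b[5]);
	u->timeHiAndVersion = (uint16_t)((b[6] << 8) | b[7]);
	memcpy(u->clockSeqAndNode, &b[8], 8);
	return 0;
}

/* Canonical lower-case text form; 0 on success, -1 if buf is too small. */
int ta_uuid_format(const struct ta_uuid *u, char *buf, size_t len)
{
	int n = snprintf(buf, len,
		"%08" PRIx32 "-%04" PRIx16 "-%04" PRIx16 "-%02x%02x-%02x%02x%02x%02x%02x%02x",
		u->timeLow, u->timeMid, u->timeHiAndVersion,
		(unsigned)u->clockSeqAndNode[0], (unsigned)u->clockSeqAndNode[1],
		(unsigned)u->clockSeqAndNode[2], (unsigned)u->clockSeqAndNode[3],
		(unsigned)u->clockSeqAndNode[4], (unsigned)u->clockSeqAndNode[5],
		(unsigned)u->clockSeqAndNode[6], (unsigned)u->clockSeqAndNode[7]);
	return (n == UUID_STR_LEN && (size_t)n < len) ? 0 : -1;
}

/* Full path of the .ta once deployed, i.e. where tee-supplicant looks for it. */
int ta_install_path(const struct ta_uuid *u, char *buf, size_t len)
{
	char uuid[UUID_STR_LEN + 1];
	if (ta_uuid_format(u, uuid, sizeof uuid) != 0)
		return -1;
	int n = snprintf(buf, len, "%s%s.ta", TA_INSTALL_DIR, uuid);
	return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
	/* UUID of the trusted application built in section 3. */
	const char *name = "37cc9755-b605-4b7a-8c9d-257ee26aaa21";
	struct ta_uuid u;
	char path[80];
	size_t i;

	if (ta_uuid_parse(name, &u) != 0 || ta_install_path(&u, path, sizeof path) != 0)
		return 1;
	printf("#define TA_UUID { 0x%08" PRIx32 ", 0x%04" PRIx16 ", 0x%04" PRIx16 ", {",
	       u.timeLow, u.timeMid, u.timeHiAndVersion);
	for (i = 0; i < 8; i++)
		printf(" 0x%02x%s", (unsigned)u.clockSeqAndNode[i], i < 7 ? "," : " } }\n");
	printf("deploy to %s\n", path);
	return 0;
}
```

The initializer printed by main is the form expected in the shared header of the host/ and ta/ sources; if the two disagree, TEEC_OpenSession fails on the host side because no .ta with that name exists under /lib/optee_armtz/.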

6 Debug Configuration

Select your trusted application project, right-click Debug as... > Debug Configurations, then select STM32 Cortex-A Remote Application > New Configuration....
Set up C/C++ Application with Search Project... and select the executable. The default connection proposed is "MPU SSH", corresponding to the target IP address discovered by the Target Status widget. The default destination directory is /home/root.

Trusted application debug configuration

7 Debug: stepping into myTrustedApp

Click Debug:

  1. the executable is downloaded to the target,
  2. GDBServer is launched on the target,
  3. GDBClient is launched on the workstation and exchanges with GDBServer over the network.


Trusted application debug


Stepping through the host application source code, we reach the call to the trusted application on line 86. The increment is done by the OP-TEE trusted application, as shown in the console.
Note that debugging the trusted application itself (.ta), which runs in the secure world, is not supported: only the user space executable can be stepped.
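What happens on the secure side of that call, as an added example rather than the page's or OP-TEE's own code: the TEE core hands the command identifier and the parameter descriptor from the host's TEEC_InvokeCommand to the TA's invoke entry point, and the TA validates the parameter types before touching the value. The TEE definitions are mirrored locally with their GlobalPlatform values so the file compiles on the workstation; the command identifiers TA_CMD_INC_VALUE/TA_CMD_DEC_VALUE and the function name ta_invoke_command are assumptions (a real TA implements TA_InvokeCommandEntryPoint and takes these definitions from tee_internal_api.h).

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirrors of the GlobalPlatform TEE Internal API definitions used
 * below; a real TA gets them from tee_internal_api.h. */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS              0x00000000u
#define TEE_ERROR_BAD_PARAMETERS 0xFFFF0006u
#define TEE_ERROR_NOT_SUPPORTED  0xFFFF000Au

#define TEE_PARAM_TYPE_NONE         0
#define TEE_PARAM_TYPE_VALUE_INPUT  1
#define TEE_PARAM_TYPE_VALUE_OUTPUT 2
#define TEE_PARAM_TYPE_VALUE_INOUT  3
/* Four 4-bit type fields packed into one word, parameter 0 in the low nibble. */
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
	((uint32_t)(t0) | ((uint32_t)(t1) << 4) | ((uint32_t)(t2) << 8) | ((uint32_t)(t3) << 12))

typedef union {
	struct { uint32_t a; uint32_t b; } value;
	struct { void *buffer; uint32_t size; } memref;
} TEE_Param;

/* Command identifiers shared with host/ (names assumed for this example). */
#define TA_CMD_INC_VALUE 0
#define TA_CMD_DEC_VALUE 1

/* param_types is chosen by the normal-world caller and is untrusted: each
 * command states exactly the layout it accepts and rejects anything else,
 * so a memref cannot be read as a value or vice versa. */
static TEE_Result check_single_inout_value(uint32_t param_types)
{
	const uint32_t expected = TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT,
						  TEE_PARAM_TYPE_NONE,
						  TEE_PARAM_TYPE_NONE,
						  TEE_PARAM_TYPE_NONE);
	return param_types == expected ? TEE_SUCCESS : TEE_ERROR_BAD_PARAMETERS;
}

static TEE_Result cmd_inc_value(uint32_t param_types, TEE_Param params[4])
{
	TEE_Result res = check_single_inout_value(param_types);
	if (res != TEE_SUCCESS)
		return res;
	params[0].value.a++;          /* the increment seen in the debug console */
	return TEE_SUCCESS;
}

static TEE_Result cmd_dec_value(uint32_t param_types, TEE_Param params[4])
{
	TEE_Result res = check_single_inout_value(param_types);
	if (res != TEE_SUCCESS)
		return res;
	params[0].value.a--;
	return TEE_SUCCESS;
}

/* Equivalent of TA_InvokeCommandEntryPoint: called by the TEE core for every
 * TEEC_InvokeCommand the host executable issues on an open session. */
TEE_Result ta_invoke_command(void *session, uint32_t cmd_id,
			     uint32_t param_types, TEE_Param params[4])
{
	(void)session;                /* no per-session state in this example */
	switch (cmd_id) {
	case TA_CMD_INC_VALUE:
		return cmd_inc_value(param_types, params);
	case TA_CMD_DEC_VALUE:
		return cmd_dec_value(param_types, params);
	default:
		return TEE_ERROR_NOT_SUPPORTED;
	}
}

int main(void)
{
	/* Constructed call: what the host's TEEC_Operation would carry. */
	TEE_Param params[4] = { 0 };
	uint32_t types = TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT, TEE_PARAM_TYPE_NONE,
					 TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);
	params[0].value.a = 41;
	TEE_Result res = ta_invoke_command(NULL, TA_CMD_INC_VALUE, types, params);
	printf("result=0x%08" PRIx32 " value=%" PRIu32 "\n", res, params[0].value.a);
	return res == TEE_SUCCESS ? 0 : 1;
}
```

The host side passes the matching descriptor (TEEC_VALUE_INOUT in slot 0) through TEEC_InvokeCommand; a mismatch between the two is reported to the host as TEEC_ERROR_BAD_PARAMETERS rather than silently misreading the parameter.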


Information
In case of error, stop any GDBServer running on the target before launching a new debug session.