3.10. OP-TEEΒΆ
Overview
OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology.
Furthur information about it can be found at: https://optee.readthedocs.io/en/latest/general/about.html
Official OP-TEE documentation: https://optee.readthedocs.io/en/latest
OP-TEE advisory listing: https://github.com/OP-TEE/optee_os/security/advisories
The OP-TEE binary (bl32.bin/tee-pager_v2.bin) is bundled into tispl.bin and the following are the instructions to build:
Getting the OP-TEE Source Code
The pre-built OPTEE binary should be packaged in TI Processor SDK: <path-to-processor-sdk>/board-support/prebuilt-images/<optional-build-machine-name>/bl32.bin. Use this binary since it has been tested with TI Processor SDK.
If it is not possible to use pre-build binary, use the following:
$ git clone https://github.com/OP-TEE/optee_os.git
$ git checkout <hash>
Where <hash> is the OPTEE commit shown here: OP-TEE.
Setting up the toolchain paths
Refer to Yocto-built SDK Toolchains section to use the toolchain packaged in the Processor SDK (recommended).
Refer to ARM toolchains to download and setup ARM toolchains, if the Processor SDK is not used.
In either of the above setups, the OP-TEE build commands in the next section will assume the below variables are set appropriately.
CROSS_COMPILE_64CROSS_COMPILE_32
Building OP-TEE OS
Building the OPTEE image
$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-j721e CFG_ARM64_core=y
Building the OPTEE image with debug parameters
$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-j721e CFG_ARM64_core=y CFG_TEE_CORE_LOG_LEVEL=2 CFG_TEE_CORE_DEBUG=y
Secure Storage with RPMB (For HS)
OP-TEE provides secure storage functionality. TI SoCs with HS configuration have a KEK embedded in them that is programmed across OP-TEE instances that are distributed in a derived manner. Each HS device has its own HUK signing key (DKEK) which is different from other HS devices.
For enabling RPMB support along with secure storage, additional flags need to be passed to the build instructions. The information for the flags can be found here. https://optee.readthedocs.io/en/latest/architecture/secure_storage.html
There is a hybrid mode in which both the flags i.e CFG_REE_FS=y and CFG_RPMB_FS=y are enabled. This mode stores the state of the Secure Storage directory in RPMB partition to check for the integrity of the data present in it. It is the recommended way.
E.g. For enabling hybrid mode of RPMB along with REE_FS
$ make CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-j721e CFG_ARM64_core=y CFG_REE_FS=y CFG_RPMB_FS=y
OPTEE-client also needs to be updated to enable the use of real emmc instead of the virtual emmc that is enabled by default
Getting OP-TEE Client source code
$ git clone https://github.com/OP-TEE/optee_client
Building OP-TEE Client with RPMB support
$ make CROSS_COMPILE="$CROSS_COMPILE_64" PLATFORM=k3 CFG_TEE_SUPP_LOG_LEVEL=2 RPMB_EMU=0 CFG_ARM64_core=y
Now update optee-client binary and libraries on your SD card with the generated ones in out/export/usr folder
Building u-boot with OP-TEE OS
As of Processor SDK 9.0, the signing functionality earlier provided by the TI Security Development Package, has been integrated within U-Boot itself. This means tee-pager_v2.bin does not need to be signed before being packaged in tispl.bin in U-Boot for HS devices.
Expected binary output
Generated binary: tee-pager_v2.bin
Binary saved saved in: <path-to-optee>/out/arm-plat-k3/core
Integrate binary output into U-boot
Go to u-boot folder <path-to-u-boot>
Re-build U-boot with A72/A53 instructions found under: Build U-Boot, but with the TEE parameter pointing to the newly built tee-pager_v2.bin. i.e. TEE=<path-to-optee>/out/arm-plat-k3/core/tee-pager_v2.bin
Note
tee-pager_v2.bin may be called bl32.bin in other documentation.