3.14. OP-TEE
OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology.
Furthur information about it can be found at: https://optee.readthedocs.io/en/latest/general/about.html
Official OP-TEE documentation: https://optee.readthedocs.io/en/latest
OP-TEE advisory listing: https://github.com/OP-TEE/optee_os/security/advisories
The OP-TEE binary (bl32.bin/tee-pager_v2.bin) is bundled into tispl.bin and the following are the instructions to build:
3.14.1. Getting the OP-TEE Source Code
The pre-built OPTEE binary should be packaged in TI Processor SDK: <path-to-processor-sdk>/board-support/prebuilt-images/<optional-build-machine-name>/bl32.bin. Use this binary since it has been tested with TI Processor SDK.
If it is not possible to use pre-build binary, use the following:
$ git clone https://github.com/OP-TEE/optee_os.git
$ git checkout <hash>
Where <hash> is the OPTEE commit shown in Build Information.
3.14.2. Setting up the toolchain paths
Before compiling any of the sources referenced in this document, set the cross compiler paths to the toolchains packaged in the Processor SDK [Recommended] as shown below. Refer to Yocto-built SDK Toolchains section for more details on usage.
host# export CROSS_COMPILE_64="${SDK_INSTALL_DIR}/linux-devkit/sysroots/x86_64-arago-linux/usr/bin/aarch64-oe-linux/aarch64-oe-linux-"
host# export SYSROOT_64="${SDK_INSTALL_DIR}/linux-devkit/sysroots/aarch64-oe-linux"
host# export CC_64="${CROSS_COMPILE_64}gcc --sysroot=${SYSROOT_64}"
host# export CROSS_COMPILE_32="${SDK_INSTALL_DIR}/k3r5-devkit/sysroots/x86_64-arago-linux/usr/bin/arm-oe-eabi/arm-oe-eabi-"
If the Processor SDK is not installed, the Arm GNU toolchains can be downloaded and setup. Refer to ARM toolchains section for more details on usage.
3.14.3. Building OP-TEE OS
3.14.3.1. Building the OP-TEE image
$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=|__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y
3.14.3.2. Building the OP-TEE image with debug parameters
$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=|__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_TEE_CORE_LOG_LEVEL=2 CFG_TEE_CORE_DEBUG=y
3.14.3.3. Building OP-TEE with Pseudo RNG drivers
In certain highly specific use-cases the true RNG drivers could have a
detrimental effect to the overall system latency. Using the
CFG_WITH_SOFTWARE_PRNG flag to use OP-TEE’s Pseudo RNG drivers as a source
of entropy can work around these issues.
$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-k3-am62x CFG_ARM64_core=y CFG_WITH_SOFTWARE_PRNG=y
3.14.3.4. OP-TEE Secure Storage
OP-TEE provides secure storage functionality through two mechanisms: REE FS (Rich Execution Environment Filesystem) and RPMB (Replay Protected Memory Block).
TI SDK enables REE FS by-default, and configures OP-TEE to store
encrypted binary blobs created by REE FS in
/var/lib/tee/.
RPMB works in TI SoCs with HS configuration. These embed a KEK
that programs across OP-TEE instances in a derived manner. Each HS
device has its own HUK signing key (DKEK), which is different from
other HS devices. TI SDK disables RPMB by-default. To enable it,
re-compiling OP-TEE with CFG_RPMB_FS=y flag.
For learning more about secure storage in OP-TEE, and instructions to enable RPMB, refer: https://optee.readthedocs.io/en/latest/architecture/secure_storage.html
There is a hybrid mode in which both the flags i.e CFG_REE_FS=y and CFG_RPMB_FS=y are enabled. This mode stores the state of the Secure Storage directory in RPMB partition to check for the integrity of the data present in it. It is the recommended way.
E.g. For enabling hybrid mode of RPMB along with REE_FS
$ make CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=|__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_REE_FS=y CFG_RPMB_FS=y
OPTEE-client also needs to be updated to enable the use of real emmc instead of the virtual emmc that is enabled by default
As an example to show the usage of secure storage, the filesystem
provides a binary /usr/bin/optee_examples_secure_storage.
optee_examples_secure_storage
For more details, see optee_examples: https://github.com/linaro-swg/optee_examples
3.14.4. Getting OP-TEE Client source code
To get optee_client source code, do:
Getting OP-TEE Client source code
$ git clone https://github.com/OP-TEE/optee_client
Building OP-TEE Client with RPMB support
To use emulated RPMB, set RPMB_EMU=1. Otherwise, set RPMB_EMU=0.
For example, the following command builds optee_client to use the real RPMB, instead of the emulated one.
$ make CROSS_COMPILE="$CROSS_COMPILE_64" PLATFORM=k3 CFG_TEE_SUPP_LOG_LEVEL=2 RPMB_EMU=0 CFG_ARM64_core=y
Now update optee-client binary and libraries on your SD card with the generated ones in out/export/usr folder
3.14.5. Building u-boot with OP-TEE OS
As of Processor SDK 9.0, the signing functionality earlier provided by the TI Security Development Package, has been integrated within U-Boot itself. This means tee-pager_v2.bin does not need to be signed before being packaged in tispl.bin in U-Boot for HS devices.
Expected binary output
Generated binary: tee-pager_v2.bin
Binary saved saved in: <path-to-optee>/out/arm-plat-k3/core
Integrate binary output into U-boot
Go to u-boot folder <path-to-u-boot>
Re-build U-boot with A72/A53 instructions found under: Build U-Boot, but with the TEE parameter pointing to the newly built tee-pager_v2.bin. i.e. TEE=<path-to-optee>/out/arm-plat-k3/core/tee-pager_v2.bin
Note
tee-pager_v2.bin may be called bl32.bin in other documentation.
PKCS#11
PKCS#11 is a cryptographic token interface standard that allows applications to access cryptographic services through a platform-independent API.
For userland integration details, refer: https://optee.readthedocs.io/en/latest/building/userland_integration.html