| Julian Hall | e76ade8 | 2020-11-25 03:07:21 +0100 | [diff] [blame] | 1 | Deploying trusted services in S-EL0 Secure Partitions under OP-TEE |
| 2 | ================================================================== |
| 3 | |
| 4 | Trusted services built for the *opteesp* environment may be deployed to run within S-EL0 secure |
| 5 | partitions, managed by OP-TEE. Secure partitions are loaded and run by OP-TEE using the early-TA |
| 6 | feature where a set of TAs or SPs are loaded during OP-TEE initialization. This feature relies on |
| 7 | SP images being incorporated into the *OP-TEE OS* image at build time. It is therefore necessary to |
| 8 | have access to the OP-TEE build environment and tools in order to deploy SP images. |
| 9 | |
| 10 | Tool prerequisites and general build instruction for OP-TEE are described here: |
| 11 | `<https://optee.readthedocs.io/en/latest/building/gits/build.html>`_ |
| 12 | |
| 13 | Download page for Arm Fixed Virtual Platforms (FVP): |
| 14 | `<https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms>`_ |
| 15 | |
| 16 | Incorporating SP images into the *OP-TEE OS* image |
| 17 | -------------------------------------------------- |
| 18 | |
| 19 | The set of SP images to include in the built *OP-TEE OS* image are specified to the *OP-TEE OS* |
| 20 | build by the EARLY_TA_PATHS make variable. The EARLY_TA_PATHS variable should be assigned a string |
| 21 | containing a space separated list of file paths for each SP image file to include. SP images |
| 22 | that need to be deployed from the Trusted Services project will be located in the install directory, |
| 23 | specified when the SP images where built i.e.:: |
| 24 | |
| 25 | <CMAKE_INSTALL_PREFIX>/bin |
| 26 | |
| 27 | The following example illustrates a setting of the EARLY_TA_PATHS variable to deploy the Secure Storage |
| 28 | SP and Crypto SP:: |
| 29 | |
| 30 | EARLY_TA_PATHS="ts-install-dir/bin/dc1eef48-b17a-4ccf-ac8b-dfcff7711b14.stripped.elf \ |
| 31 | ts-install-dir/bin/d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0.stripped.elf" |
| 32 | |
| 33 | To help with integration with the OP-TEE build system, the installation step for a deployment to the |
| 34 | *opteesp* environment includes the generation of a simple makefile that extends the EARLY_TA_PATHS |
| 35 | variable for the particular deployment. For example, the generated makefile for the crypto SP |
| 36 | contains:: |
| 37 | |
| 38 | OPTEE_OS_COMMON_EXTRA_FLAGS+=EARLY_TA_PATHS+=${TS_INSTALL_PREFIX}/bin/d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0.stripped.elf |
| 39 | |
| 40 | The generated makefile is installed to:: |
| 41 | |
| 42 | <CMAKE_INSTALL_PREFIX>/lib/make |
| 43 | |
| 44 | Reference OP-TEE build with PSA RoT Services |
| 45 | -------------------------------------------- |
| 46 | To provide an example integration of OP-TEE with a set of trusted services, a makefile called *fvp_ffa.mk* |
| 47 | is included in the OP-TEE build repository that builds OP-TEE OS with a set of SP images that provide PSA |
| 48 | RoT services. SP images are built using the standard trusted services build flow and are automatically |
| 49 | injected into the *optee_os* build using the early TA feature described above. |
| 50 | |
| 51 | A bootable Linux image is created that is intended to run on the Arm FVP virtual platform. The built image |
| 52 | includes user space programs that may be used to test and demonstrate the deployed trusted services. |
| 53 | |
| 54 | Setting up the OP-TEE build environment |
| 55 | ''''''''''''''''''''''''''''''''''''''' |
| 56 | To help setup the OP-TEE build environment, a manifest file called *psa-sp-fvp.xml* is included in OP-TEE |
| 57 | manifests repository. This may be used with the *repo* tool to manage the set of git repositories. Note |
| 58 | that this manifest relies on SSH access to *github.com* so ensure that you have installed a suitable public |
| 59 | key into your *github* account. |
| 60 | |
| 61 | Having created a new directory for the OP-TEE build environment, the required set of git repositories can |
| 62 | be cloned and fetched using:: |
| 63 | |
| 64 | repo init -u https://git.trustedfirmware.org/OP-TEE/manifest.git -b psa-development -m psa-sp-fvp.xml |
| 65 | repo sync |
| 66 | |
| 67 | Building the reference OP-TEE image |
| 68 | ''''''''''''''''''''''''''''''''''' |
| 69 | To build the bootable image that includes OP-TEE and the set of secure partition images that hold the |
| 70 | PSA RoT services, use the following (from your OP-TEE root directory):: |
| 71 | |
| 72 | cd build |
| 73 | make -f fvp_ffa.mk all |
| 74 | |
| 75 | This will take many tens of minutes to complete. |
| 76 | |
| 77 | Running the reference OP-TEE image on FVP |
| 78 | ''''''''''''''''''''''''''''''''''''''''' |
| 79 | The fvp makefile includes a *run* and *run-only* target which can be used to start the FVP model and |
| 80 | boot the built image. The example assumes that the FVP model has been installed in the following |
| 81 | directory relative to the OP-TEE build directory:: |
| 82 | |
| 83 | ../Foundation_Platformpkg/models/Linux64_GCC-6.4/ |
| 84 | |
| 85 | To boot the built image on FVP without building, use:: |
| 86 | |
| 87 | make run-only FVP_PATH=../Foundation_Platformpkg/models/Linux64_GCC-6.4/ |
| 88 | |
| 89 | For information on running user space programs on FVP, see: |
| 90 | |
| 91 | :ref:`Deploying Programs on FVP` |
| 92 | |
| 93 | -------------- |
| 94 | |
| 95 | *Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.* |
| 96 | |
| 97 | SPDX-License-Identifier: BSD-3-Clause |