リネオブログ

How to use OP-TEE with Freescale i.MX6Q SDB?

2017 年 09 月 07 日   ソリューション統括部

Here we will be describing the general way of getting the source of OP-TEE, building the solution and how to run xtest on the device. The basic details of OP-TEE are already covered in the previous blog that we have gone through. There are some pre requisite to make the environment.

Pre-requisites:

We are selecting Ubuntu-based distributions for building OP-TEE and for this, there are a few packages that needs to be installed. Install the following packages regardless of what target board you will use in the end. But keep in mind that our primary target Board is i.MX6Quad SDB.

$ sudo apt-get install android-tools-adb android-tools-fastboot autoconf automake bc bison build-essential cscope curl flex ftp-upload gdisk libattr1-dev libc6:i386 libcap-dev libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make mtools netcat python-crypto python-serial python-wand unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev ccache

After making the setup ready for OP-TEE, the next step should be to install repo. We don't install a huge SDK instead we go with REPO.

What is REPO?

It's simply a Python script that you download and put in your?$PATH, that's it. We are using the repo python scripts from google repo pages.

Repo?is a repository management tool that is built on top of git. Repo is not meant to replace git, only to make it easier to work with git. The repo command is an executable Python script that you can put anywhere in your path.

How to Download OP-TEE OS?

Now as the first step after setting up the environment. Make a directory called bin in the home folder of the host PC. Download the repo from storage.googleapis.com. Installation procedure follows.

$ mkdir ~/bin
$ PATH=~/bin:$PATH
$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

For version 1.21, the SHA-1 checksum for repo is b8bd1804f432ecf1bab730949c82b93b0fc5fede

For version 1.23, the SHA-1 checksum for repo is ac9d646f6d699f6822a6bc787d3e7338ae7ab6ed

Now as a next step we have to create a folder where OP-TEE files to be downloaded and compiled. Make a folder called optee in the home folder of the host OS. Then change your directory to that.

Use repo init and repo sync commands to download the op-tee source from their repositories. Use the following commands for this.

$ repo init -u https://github.com/OP-TEE/manifest.git -m juno.xml
$ repo sync

How to get a proper compiler for OP-TEE OS?

The compiler that we have used and tested with op-tee is from linaro, with the name gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf. Even though the source package was available for this, the one we have used is a pre-built cross compiler binary. This is tested with OP-TEE on I.MX6QSABRESD.

As a first step make a directory called toolchains in the op-tee directory and change the directory to toolchains.

Download the pre-built binary from Linaro. Untar and export it to make the cross compiler ready.

$ wget https://releases.linaro.org/components/toolchain/binaries/4.9-2016.02/arm-linux-gnueabihf/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf.tar.xz
$ tar xvf gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf.tar.xz
$ export PATH=<optee dir>/toolchains/gcc-linaro-<version>_arm-linux-gnueabihf/bin:$PATH

Compiling U-boot for OP-TEE

There needs a different version of u-boot which supports op-tee in our case. OP-TEE team has already integrated the changes required to the u-boot.

Downloading u-boot:

We have to download the source from the above branch. U-boot folder will get created with this.

$ git clone https://github.com/MrVan/u-boot.git --branch imx_v2016.03_4.1.15_2.0.0_ga

Compiling u-boot:

For compiling the u-boot follow the below commands after changing the directory to u-boot. As usual this includes the export commands and make commands.

$ export PATH=$HOME/op-tee/toolchains/aarch32/bin:$PATH
$ make ARCH=arm mx6qsabresd_defconfig
$ CROSS_COMPILE=arm-linux-gnueabihf- make

With the above commands we will be able to compile the u-boot source code downloaded. This will generate a binary called uboot.imx. Copy this binary to the boot media.

$ sudo dd if=u-boot.imx of=/dev/sd[x] bs=512 seek=2 conv=sync conv=notrunc

Compiling Linux for OP-TEE

A specific version of Linux kernel is required for OP-TEE. This is because the supporting patches needed for op-tee is not yet included in the upstream kernel.

Downloading Kernel:

The source package that supports OP-TEE will be downloaded to the specific location with the following command. A linux folder will get created.<

$ git clone https://github.com/MrVan/linux.git --branch imx_4.1.15_2.0.0_ga

Compiling the kernel:

Follow the commands below for make and config after changing the directory to linux.

$ make ARCH=arm imx_v7_defconfig or make ARCH=arm imx_v6_v7_defconfig
$ CROSS_COMPILE=arm-linux-gnueabihf- make ARCH=arm

Copy zImage and imx6q-sabresd.dtb to SD card.

How to Compile OP-TEE OS?

Now we have to compile OP-TEE OS. This has been already downloaded. Below commands are used for compiling OP-TEE OS. Change the directory to optee_os (source code) which will be available in optee directory.

$ CROSS_COMPILE=arm-linux-gnueabihf- make PLATFORM=imx-mx6qsabresd
ARCH=arm CFG_BUILT_IN_ARGS=y CFG_PAGEABLE_ADDR=0 \
CFG_NS_ENTRY_ADDR=0x12000000 CFG_DT_ADDR=0x18000000 \
CFG_TEE_GDB_BOOT=y CFG_DT=y DEBUG=y CFG_PSCI_ARM32=y \
CFG_BOOT_SECONDARY_REQUEST=y CFG_TEE_CORE_LOG_LEVEL=1

The above is the make command for compiling OP-TEE OS. As you could see, there are a lot of arguments passed. Each of them are having significant importance in this. Let us ignore the common arguments like PLATFORM, ARCH, CFG_BUILT_IN_ARGS etc. 0x12000000 is the place you put the Linux zImage. This has been informed to the system by passing CFG_NS_ENTRY_ADDR=0x12000000. . 0x18000000 is the place where device tree resides. This has been informed to the system by passing CFG_DT_ADDR=0x18000000. CFG_TEE_GDB_BOOT argument has been given here to ensure that OP-TEE relays r0-r2 to Linux. CFG_TEE_CORE_LOG_LEVEL argument is used to control Log levels.

$ mkimage -A arm -O linux -C none -a 0x4dffffe4 -e 0x4e000000 -d tee.bin uTee

mkimage command is used here to make uTee image to look like uImage so the bootm command can boot it. We recommend the use of mkimage from uboot/tools/mkimage to make uTee image. 0x4dffffe4 has been given as load address here because tee.bin has a small header in front of the real code.

Booting OP-TEE on SABRESDB

Now it's time to understand how OP-TEE boots on SABRESDB. The illustration of booting is given below as block diagram.

Booting OP-TEE on SABRESDB

As in the above block diagram the booting starts as usual with POR and the U-boot. The U-boot here loads uTee and not Kernel. uTee will enable all the required elements for Secure world. uTee has the information regarding the kernel location. After loading the secure world uTee will load the kernel and will in turn load the normal world. Following Commands are used in u-boot

tftp 0x12000000 zImage : - zImage will be loaded to 0x12000000

tftp 0x18000000 imx6q-sabresd.dtb :- dtb will loaded to 0x18000000

tftp 0x20000000 uTee:- uTee will be loaded to 0x20000000

setenv bootargs console=ttymxc0,115200 root=/dev/mmcblk2p2 rootwait rw

bootm 0x20000000 - 0x18000000

bootm command will consider uTee as an alternative for uImage and the same device tree.

How to build OP-TEE Libraries and Test Applications?

The OP-TEE supporting Libraries are available in the directory called optee_client. This source needs to be compiled to generate library files. For this just do a make as below.

$ make ARCH=arm

The compiled library files will be available in the directory out/export. Copy all the files from this folder to the rootfs of the target board.

The test application is known by the name xtest which needs to be compiled. The location where the source code for xtest available is optee_test. Follow the steps mentioned below for compiling xtest.

$ export TA_DEV_KIT_DIR=<Optee dir>/optee_os/out/arm-plat-imx/export-ta_arm32
$ export OPTEE_CLIENT_EXPORT=<Optee dir>/optee_client/out/export

Here there are some mandatory export paths for DEV_KIT_DIR and CLIENT. The first one is purely platform specific and next one is to get the static op-tee libraries for compiling.

$ export CROSS_COMPILE_HOST=arm-linux-gnueabihf-
$ export CROSS_COMPILE_TA=arm-linux-gnueabihf-

Now we have to specify the cross compiler used for host, TA etc.

$ CROSS_COMPILE=arm-linux-gnueabihf- make ARCH=arm

After compiling the xtest, Copy all "xx.ta" "xx.elf" in out/* to sd card rootfs "/lib/optee_armtz/" and copy xtest to SD card rootfs /bin directory.

How to test OP-TEE?

Before running the xtest, the test application for optee, we have to make sure that teex, teeprivx driver files are available in /dev/. These device files are the key components required. Make sure that you have super user permission to run tee. Keep in mind that this test may slowdown the system. Follow the steps below:

$ tee-supplicant &

Run tee_supplicant in the background. tee_supplicant is the helper process for tee.

$ xtest

Simply run xtest after that. This will start the xtest and will print debug messages based on the debug level set.

After completing the test, Application will display messages similar to this

messages

The above messages are copy pasted from a SABRESD system with debug level 0.

                                     

Posted byvi

組込みLinuxセキュリティ基礎講座
Vigiles サポート
Yocto Project よもやま話
Yocto よもやま話 第 14 回 「Yocto 4.3 Nanbield リリース」
Yocto よもやま話 第 14 回 「Yocto 4.3 Nanbield リリース」

2024 年 03 月 26 日 Yocto Project よもやま話

Yocto よもやま話 第 13 回 「Yocto Project の最新動向 2023 夏」
Yocto よもやま話 第 13 回 「Yocto Project の最新動向 2023 夏」

2023 年 07 月 25 日 Yocto Project よもやま話

Yocto よもやま話 第 12 回 「Yocto Project 始めます その 2」
Yocto よもやま話 第 12 回 「Yocto Project 始めます その 2」

2023 年 06 月 20 日 Yocto Project よもやま話

Linux 技術ネタ
RISC-Vについて学ぶ-後編
RISC-Vについて学ぶ-後編

2024 年 01 月 10 日 Linux 技術ネタ

RISC-Vについて学ぶ-前編
RISC-Vについて学ぶ-前編

2023 年 12 月 12 日 Linux 技術ネタ

イベントレポート
EdgeTech+ West 2024 出展レポート
EdgeTech+ West 2024 出展レポート

2024 年 07 月 26 日 イベントレポート

Advanced Technology Forum 2024 Summer 参加レポート
Advanced Technology Forum 2024 Summer 参加レポート

2024 年 07 月 09 日 イベントレポート

リクルート
新卒採用、絶賛募集中!
新卒採用、絶賛募集中!

2023 年 05 月 30 日 リクルート

国立大学オンライン研修レポート 2022
国立大学オンライン研修レポート 2022

2022 年 09 月 27 日 リクルート

信州リネオ便り
社内BBQを開催しました!
社内BBQを開催しました!

2024 年 09 月 25 日 信州リネオ便り

夏季休業明け、スイカを頂きました!
夏季休業明け、スイカを頂きました!

2024 年 08 月 20 日 信州リネオ便り

逃げ上手の聖地、諏訪大社上社前宮
逃げ上手の聖地、諏訪大社上社前宮

2024 年 08 月 07 日 信州リネオ便り

ソリューション統括部
シリコンバレー探検記 2019 ~番外編~
シリコンバレー探検記 2019 ~番外編~

2019 年 12 月 10 日 ソリューション統括部

シリコンバレー探検記 2019 ~後編~
シリコンバレー探検記 2019 ~後編~

2019 年 12 月 10 日 ソリューション統括部

シリコンバレー探検記 2019 ~前編~
シリコンバレー探検記 2019 ~前編~

2019 年 12 月 10 日 ソリューション統括部

マーケティング統括部
大成功決起大会!!(ET2019)
大成功決起大会!!(ET2019)

2019 年 12 月 13 日 マーケティング統括部

ESEC 2019 決起大会
ESEC 2019 決起大会

2019 年 04 月 25 日 マーケティング統括部

シリコンバレー探検記 その 2
シリコンバレー探検記 その 2

2018 年 12 月 18 日 マーケティング統括部