lcu14 302- how to port op-tee to another platform

LCU14 BURLINGAME

Sun Yan bang and Joakim Bech, LCU14

LCU14-302: How to port OP-TEE to another platform

A80 Overview

Optimus board Overview

Getting started with OP-TEE● Get OP-TEE source code

http://github.com/OP-TEE

● Get the toolchain http://releases.linaro.org/14.05/components/toolchain/binaries/gcc-linaro-arm-linux-gnueabihf-4.9-2014.05_linux.tar.xz

How to build OP-TEE

● Add toolchain path export PATH=path-to-toolchain-bin:$PATH

● Define CROSS_PREFIX macro export CROSS_PREFIX=arm-linux-gnueabihf

● Choose target platform export PLATFORM=sunxi #default is orly2

● Build OP-TEE make

A80 eMMC Partition Map

OP-TEE Trusted OS

Linux

Android

OP-TEE Main Blocks

TEE Driver

TEE Client

Client Application

Client Application

TEE Core TEE functions(crypto/mm)

TEE Internal API

Trusted Application

Trusted Application

TrustZone based chipset crypto timer efuse

HAL

TEE Client API

SMC

porting

OP-TEE Porting - Affected Gits

● OP-TEE Trusted OS (optee_os) Add new platform support (plat-sunxi)

● OP-TEE Linux kernel driver (optee_linuxdriver) No changes needed for the ARMv7-A platform

● OP-TEE Normal World user space (optee_client) No changes needed for the ARMv7-A platform

OP-TEE Porting - Cloning a New Platform

● Cloned plat-sunxi from plat-orly2plat-sunxi/

├── conf.mk├── core_bootcfg.c├── core_chip.c├── link.mk├── main.c├── sub.mk├── system_config.in├── tz_sinit.S└── tz-template.lds

OP-TEE Porting - Compiler & Linker options

● Compiler options: conf.mk

● Linker options: link.mk

● Linker script file: tz-template.lds

CROSS_PREFIX ?= armv7-linuxCROSS_COMPILE ?= $(CROSS_PREFIX)-platform-cpuarch = cortex-a7 #orly2 is cortex-a9

link-out-dir = $(out-dir)/core/link-script = $(platform-dir)/tz-template.ldslink-ldflags = $(LDFLAGS)

MEMORY{

/* 1 MByte is allocated for teecore execution */EXEC_MEM (rw) : ORIGIN = (%in_TEE_SCATTER_START% + 0x00000000), LENGTH = 0x000D0000STACKS_MEM (rw) : ORIGIN = (%in_TEE_SCATTER_START% + 0x000D0000), LENGTH = 0x00010000CTX_MEM (rw) : ORIGIN = (%in_TEE_SCATTER_START% + 0x000E0000), LENGTH = 0x00010000MMU_MEM (rw) : ORIGIN = (%in_TEE_SCATTER_START% + 0x000F0000), LENGTH = 0x00010000

}

OP-TEE Porting - Platform Configuration

● Platform specific configuration: system_config.in

# DDR addressDDR_PHYS_START := 0x20000000DDR_SIZE := 0x20000000

# Static configuration of DDR reserved to TEE/TZCFG_DDR_TEETZ_RESERVED_START ?= 0x9e000000CFG_DDR_TEETZ_RESERVED_SIZE ?= 0x02000000TEE_SCATTER_START := $(CFG_DDR_TEETZ_RESERVED_START)

# Hard coded NB coresCFG_TEE_CORE_NB_CORE := 4

# Stack size configurationSTACK_TMP_SIZE := 1024STACK_ABT_SIZE := 1024STACK_THREAD_SIZE := 8192

OP-TEE Porting - Platform Configuration

● platform_config.h● PLATFORM_FLAVOR - Similar SoC but different versions?

● GIC base

● UART

● Stack sizes (tmp, abt, thread etc)

● Will replace “system_config.in” in the near future

OP-TEE Porting - Memory Map

PUB_RAMNon-Secure

OP-TEE Porting - Memory Configuration● plat-sunxi/\

core_bootconfig.c

OP-TEE Porting - Platform Initialization

1. tz_sinit (tz_sinit.S )a. CPU basic initializationb. Cache/MMU Initializationc. init BSSd. Jump to main_init

2. main_init (main.c)a. Initialization thread stacksb. Register handlers

(stdcall/fiq/svc/abort)c. Return to non-secure entry

OP-TEE Running and debug

4. sm_smc_entry (sm_asm.S)a. Save caller world contextb. Restore world contextc. Update SCR bits(NS/FIQ)

5. Thread handle (thread_asm.S,thread.c)a. Check if fiq handle requestb. Thread allocatec. Thread context restore

6. main_tee_entry (main.c)

7. tee_entry (entry.c)

OP-TEE documentation● OP-TEE Introduction

LCA14-502: The Way To a Generic TrustZone Solution http://www.slideshare.net/linaroorg/lca14-502-thewaytoagenerictrustzonesolution

● OP-TEE OS Documents https://github.com/OP-TEE/optee_os/tree/master/documentation https://github.com/jbech-linaro/optee_os/tree/trusted_os_docs/documentation (*)

● Linaro Blog - “OP-TEE, open-source security for the mass-market” https://www.linaro.org/blog/core-dump/op-tee-open-source-security-mass-market

(*) Not completed and should be put in the official OP-TEE Git.

More about Linaro Connect: connect.linaro.org Linaro members: www.linaro.org/membersMore about Linaro: www.linaro.org/about/