
Procedure

This document uses the iTrustee SDK and rsa-demo code as an example to describe how to deploy the TA and CA compilation environment. The OS version is openEuler 20.03 LTS SP1.

Obtaining the iTrustee Patch Package

  1. Download the itrustee_client source code.

    https://gitee.com/openeuler/itrustee_client

  2. Download the libboundscheck source code.

    https://gitee.com/openeuler/libboundscheck

  3. Install the dependencies.
    yum install openssl-devel zlib-devel
    
  4. Compile itrustee_client.
    1. Save the libboundscheck source code to the itrustee_client/ path and rename the folder to libboundscheck. The following figure shows the directory structure:

    2. Perform the compilation.
      cd itrustee_client && make
      

      After the compilation succeeds, a dist directory is created under itrustee_client/ that holds the generated executable file and dynamic library.

  5. Deploy the dynamic library.
    cp -rf dist/*.so /usr/lib64
    ldconfig
    

Obtaining the iTrustee SDK

  1. Download the iTrustee SDK.

    https://gitee.com/openeuler/itrustee_sdk

  2. Decompress the iTrustee SDK package. The following figure shows the directory structure:

The SDK contains four directories: build, include, test, and thirdparty.

  • build/: stores the signature tool of TAs.
  • include/: stores the header files that describe the API functions supported by the iTrustee OS. These API functions comply with the GlobalPlatform (GP) TEE API specification.
  • test/: stores the source code of TAs and CAs.
  • thirdparty/: stores third-party libraries used by TA and CA applications.

Compiling the rsa-demo Applications

  1. Obtain the rsa-demo code.

    After the rsa-demo code package is decompressed, the directory structure is as follows:

    The package contains the TA and CA code. Copy the CA code to the itrustee_sdk/test/CA directory.

    cp -rf rsa-demo/rsa-demo/CA/rsa-demo/ itrustee_sdk/test/CA/

    Copy the TA code to the itrustee_sdk/test/TA directory.

    cp -rf rsa-demo/rsa-demo/TA/rsa_demo/ itrustee_sdk/test/TA/
  2. Compile the rsa-demo CA.
    cd itrustee_sdk/test/CA/rsa-demo/cloud
    make
    

    After the compilation is complete, a CA binary file is generated in the directory containing the Makefile, as shown in the following figure:

  3. Compile the rsa-demo TA.

    Add the following content to the itrustee_sdk/test/TA/rsa_demo/rsa_ta_interface.h header file:

    /* Storage type and access-flag constants used by the TA's persistent-object calls */
    #define TEE_OBJECT_STORAGE_PRIVATE 0x00000001
    #define TEE_DATA_FLAG_ACCESS_READ  0x00000001
    #define TEE_DATA_FLAG_ACCESS_WRITE 0x00000002
    
    /* Trusted storage entry points provided by the TEE and called from rsa_ta_interface.c.
     * They are declared without a prototype, so the compiler does not check the argument types. */
    extern TEE_Result TEE_CreatePersistentObject();
    extern TEE_Result TEE_OpenPersistentObject();

    Modify the itrustee_sdk/test/TA/rsa_demo/rsa_ta_interface.c file and delete the reference to tee_trusted_storage_api.h.

    Compile the TA.
    cd itrustee_sdk/test/TA/rsa_demo/cloud
    make
    

    After the compilation is complete, a TA .sec file is generated in the directory containing the Makefile. The file is named after the TA's UUID, which is unique to each TA application.

A standard TA contains the source code, TA certificate, signed config file, config_cloud.ini file, and manifest.txt file, as shown in the following figure. The config_cloud.ini, config, and private_key.pem files are related to TA signing. For details about how to generate these files, see Applying for a TA Developer Certificate in a Debugging Environment. The manifest.txt file describes the resources that the TEE provides for TAs. These resources are prepared by developers.

An example of the manifest.txt file:

gpd.ta.appID:                   f68fd704-6eb1-4d14-b218-722850eb3ef0
gpd.ta.service_name:            rsa-demo
gpd.ta.singleInstance:          true
gpd.ta.multiSession:            false
gpd.ta.instanceKeepAlive:       False
gpd.ta.dataSize:                819200
gpd.ta.stackSize:               40960

Among the preceding fields:

  • gpd.ta.appID is the TA UUID. It is generated by the user, must be the same as the UUID used by the CA, and is unique to each TA.
  • gpd.ta.service_name is the TA name, a string of 1 to 64 characters.
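As an added example (not part of the iTrustee SDK or of the original page), the following Python check parses a manifest.txt laid out as above and verifies what the text states about it: gpd.ta.appID is a well-formed UUID that matches the UUID the CA uses, gpd.ta.service_name is 1 to 64 characters long, and the signed TA file is named after that UUID with the .sec suffix. The sample manifest is constructed, and the true/false and integer format checks on the remaining fields are assumptions made for the example.

```python
import uuid

# Constructed sample manifest with the same layout as the rsa-demo example above.
SAMPLE_MANIFEST = """\
gpd.ta.appID:                   f68fd704-6eb1-4d14-b218-722850eb3ef0
gpd.ta.service_name:            rsa-demo
gpd.ta.singleInstance:          true
gpd.ta.multiSession:            false
gpd.ta.instanceKeepAlive:       False
gpd.ta.dataSize:                819200
gpd.ta.stackSize:               40960
"""

# Assumed value formats for the fields shown in the sample (not stated by the page).
BOOL_FIELDS = ("gpd.ta.singleInstance", "gpd.ta.multiSession", "gpd.ta.instanceKeepAlive")
INT_FIELDS = ("gpd.ta.dataSize", "gpd.ta.stackSize")


def parse_manifest(text):
    """Parse 'key: value' lines into a dict; blank lines and '#' comments are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        fields[key.strip()] = value.strip()
    return fields


def check_manifest(fields, ca_uuid=None):
    """Return a list of problems; an empty list means the manifest passes every check."""
    problems = []
    app_id = fields.get("gpd.ta.appID")
    if app_id is None:
        problems.append("gpd.ta.appID is missing")
    else:
        try:
            # Strict comparison rejects brace/URN/unhyphenated spellings the UUID parser tolerates.
            if str(uuid.UUID(app_id)) != app_id.lower():
                raise ValueError
        except ValueError:
            problems.append(f"gpd.ta.appID is not a well-formed UUID: {app_id}")
        # The TA UUID must be the one the CA opens a session with.
        if ca_uuid is not None and app_id.lower() != ca_uuid.lower():
            problems.append("gpd.ta.appID does not match the UUID used by the CA")
    if not 1 <= len(fields.get("gpd.ta.service_name", "")) <= 64:
        problems.append("gpd.ta.service_name must be 1 to 64 characters")
    for key in BOOL_FIELDS:
        if fields.get(key, "").lower() not in ("true", "false"):
            problems.append(f"{key} must be true or false")
    for key in INT_FIELDS:
        if not fields.get(key, "").isdigit():
            problems.append(f"{key} must be a non-negative integer")
    return problems


def sec_file_name(fields):
    """The signed TA is written as <UUID>.sec, so the expected file name follows from the manifest."""
    return fields["gpd.ta.appID"] + ".sec"
```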

For other possible fields in the manifest.txt file, see the iTrustee SDK Developer Guide.

Please contact the Huawei service owner for this guide.