
Procedure

A client application (CA) in the REE needs the TEE patch in order to communicate with a trusted application (TA). This document uses openEuler 20.03 LTS-SP1 as an example to describe how to compile and deploy the patch.

Installing the SEC Driver License

Please contact the Huawei service owner to apply for the TaiShan server license (model: iBMCV2-02-KAE-01). After obtaining the server license, install it by performing the following steps:

  1. Log in to the iBMC and choose iBMC Settings > License Management.

  2. Click Install to upload the KAE license that you have obtained.

    After the installation is complete, the SEC feature is enabled on the iBMC.

Setting the BIOS

Restart the server. In the BIOS, enable the TrustZone feature and configure the TEE secure memory size.

  1. Restart the server and go to the BIOS.

  2. Choose Advanced > TEE Config.

  3. Enable Support TEE and set TEE Memory Size.

    For details about how to set an appropriate secure memory size, see Secure Memory Specifications.

  4. Save the BIOS settings and restart the server to go to the OS in the REE.

Obtaining the iTrustee Patch Package

  1. Download the itrustee_client source code.
    git clone -b v1.0.0 https://gitee.com/openeuler/itrustee_client.git
  2. Download the itrustee_tzdriver source code.
    git clone -b v1.0.0 https://gitee.com/openeuler/itrustee_tzdriver.git
  3. Download the libboundscheck source code.
    git clone https://gitee.com/openeuler/libboundscheck.git
  4. Save the libboundscheck source code to the itrustee_client/ and itrustee_tzdriver/ directories and rename the folders to libboundscheck. The following figure shows the directory structure:

  5. Install the dependencies.
    yum install openssl-devel zlib-devel

  6. Compile itrustee_tzdriver.
    cd itrustee_tzdriver && make


    After the compilation is complete, a tzdriver.ko kernel module is generated.

  7. Modify the Makefile file of itrustee_client.
    1. Open itrustee_client/Makefile.
      vim itrustee_client/Makefile
    2. Change this field

      With:

      LIB_LDFLAGS += -lboundscheck -Llibboundscheck/lib -shared
    3. Change this field

      With:

      @$(CC) $(LIB_CFLAGS) -o $@ $(LIB_SOURCES) $(LIB_LDFLAGS)
    4. Press Esc, type :wq!, and press Enter to save the file and exit.
  8. Compile itrustee_client.
    cd itrustee_client && make

    After the compilation is complete, a dist directory is generated that stores the generated executable binaries and dynamic libraries.

  9. Deploy itrustee_client.
    cp -rf dist/*.so /usr/lib64 && ldconfig
    cp -rf dist/teecd /usr/bin
    cp -rf dist/tlogcat /usr/bin

    Save the patch driver dependencies, libboundscheck.so and libteec.so, to /usr/lib64. tlogcat provides the capability of viewing TEE logs on the REE side, and teecd is the user-mode daemon in the REE; both binaries must be stored in the specified directory, /usr/bin.

Loading the REE Driver

  1. Load the tzdriver.ko kernel module.
    cd itrustee_tzdriver/
    insmod tzdriver.ko && lsmod | grep tzdriver

  2. Start the teecd daemon process.
    /usr/bin/teecd &
    ps aux | grep teecd

    The teecd process must be started using its absolute path, /usr/bin/teecd. The ampersand (&) runs the process in the background.

  3. View the TEE logs and verify that the REE can communicate with the TEE.
    tlogcat
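As an added example (not part of the openEuler documentation or of the itrustee_client/itrustee_tzdriver projects), the following POSIX shell script strings together the steps from "Obtaining the iTrustee Patch Package" through "Loading the REE Driver" and fails fast when a step does not produce what the next one needs: tzdriver.ko after the driver build, the dist/ directory after the client build, the libraries and daemons in /usr/lib64 and /usr/bin, tzdriver in lsmod, and a teecd that was started from the absolute path. Repository URLs, branches and install paths are the ones the procedure names. The WORK directory, the `run` argument, and the two regular expressions used to locate the Makefile lines to replace are assumptions of this example: the page shows only the replacement lines, not the originals, so adjust the patterns to the Makefile you actually have.

```shell
#!/bin/sh
# Added example, not from the openEuler/iTrustee docs. Scripts the build,
# deploy and load steps and checks each one. WORK and the two Makefile
# match patterns are assumptions; everything else follows the procedure.
set -eu

WORK="${WORK:-$PWD}"
LDFLAGS_LINE='LIB_LDFLAGS += -lboundscheck -Llibboundscheck/lib -shared'
# A make recipe line must begin with a tab.
LINK_LINE="$(printf '\t%s' '@$(CC) $(LIB_CFLAGS) -o $@ $(LIB_SOURCES) $(LIB_LDFLAGS)')"

# Replace every line of FILE matching the awk regex PATTERN with NEW.
# Returns non-zero if nothing matched, so an unpatched Makefile cannot
# slip through to the build unnoticed.
replace_line() {
    file="$1"; pattern="$2"; new="$3"; tmp="$file.tmp"
    awk -v pat="$pattern" -v new="$new" '
        $0 ~ pat { print new; n++; next }
        { print }
        END { if (n == 0) { print "no line matches: " pat > "/dev/stderr"; exit 1 } }
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Read lsmod output on stdin; succeed only if tzdriver is listed.
module_listed() {
    awk '$1 == "tzdriver" { found = 1 } END { exit !found }'
}

# Read "pid args" lines (ps -eo pid=,args=) on stdin; succeed only if a
# teecd started from the absolute path /usr/bin/teecd is running.
teecd_running() {
    awk '$2 == "/usr/bin/teecd" { found = 1 } END { exit !found }'
}

fetch_sources() {
    cd "$WORK"
    git clone -b v1.0.0 https://gitee.com/openeuler/itrustee_client.git
    git clone -b v1.0.0 https://gitee.com/openeuler/itrustee_tzdriver.git
    git clone https://gitee.com/openeuler/libboundscheck.git
    # Both trees expect the bounds-check sources in a subdirectory named libboundscheck.
    cp -r libboundscheck itrustee_client/libboundscheck
    cp -r libboundscheck itrustee_tzdriver/libboundscheck
}

build() {
    cd "$WORK"
    yum install -y openssl-devel zlib-devel
    (cd itrustee_tzdriver && make)
    [ -f itrustee_tzdriver/tzdriver.ko ] || { echo "tzdriver.ko missing" >&2; return 1; }
    # Assumed patterns: the page shows the replacement lines but not the originals.
    replace_line itrustee_client/Makefile '^LIB_LDFLAGS' "$LDFLAGS_LINE"
    replace_line itrustee_client/Makefile '^[ \t]*@.*LIB_SOURCES' "$LINK_LINE"
    (cd itrustee_client && make)
    [ -d itrustee_client/dist ] || { echo "dist/ missing" >&2; return 1; }
}

deploy() {
    cd "$WORK/itrustee_client"
    cp -f dist/*.so /usr/lib64 && ldconfig
    cp -f dist/teecd dist/tlogcat /usr/bin
    for f in /usr/lib64/libboundscheck.so /usr/lib64/libteec.so /usr/bin/teecd /usr/bin/tlogcat; do
        [ -e "$f" ] || { echo "$f not installed" >&2; return 1; }
    done
}

load_driver() {
    insmod "$WORK/itrustee_tzdriver/tzdriver.ko"
    lsmod | module_listed || { echo "tzdriver not loaded" >&2; return 1; }
    /usr/bin/teecd &        # absolute path is required; & keeps it in the background
    sleep 1
    ps -eo pid=,args= | teecd_running || { echo "teecd not running" >&2; return 1; }
    tlogcat                 # TEE log output confirms the REE can reach the TEE
}

# The full procedure runs only when invoked as: sh deploy_itrustee.sh run
case "${1:-}" in
    run) fetch_sources && build && deploy && load_driver ;;
esac
```

Running the script without the `run` argument only defines the functions, which is how the helper checks (`replace_line`, `module_listed`, `teecd_running`) can be exercised on sample input before anything touches the server.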