Procedure
The CA must use the patch in the REE when communicating with the TA in the TEE. The patch in the REE has a version mapping relationship with the TEE OS firmware package, as described in Table 1. This document uses openEuler 20.03 LTS SP1 and TEE OS 1.3.0 as an example to describe how to compile and deploy the patch in the REE.
| TEE OS HPM Firmware Version | itrustee_tzdriver Code Branch (Tag) | itrustee_client Code Branch (Tag) | libboundscheck Code Branch |
|---|---|---|---|
| 1.1.0 | v1.0.0 (tag point) | v1.0.0 (tag point) | master |
| 1.2.0 | v1.2.0 (tag point) | v1.2.0 (tag point) | master |
| 1.3.0 | master | master | master |
The master branches of itrustee_tzdriver and itrustee_client code repositories always indicate the latest version. Historical versions are identified by tag.
Installing the TrustZone License
If the SEC feature is enabled on the License Management page of the server iBMC, skip this section. Otherwise, perform the following steps to import the TrustZone license and enable the SEC feature.
Contact your local Huawei service owner to apply for the TrustZone license. After obtaining the license, install the license on the server.
- Log in to the iBMC and choose .

- Click Install to upload the TrustZone license that you have obtained.
After the installation is complete, the SEC feature is enabled on the iBMC.

Setting the BIOS
Restart the server. In the BIOS, enable the TrustZone feature and configure the TEE secure memory size.
- Restart the server and go to the BIOS.

- Choose .

- Enable Support TEE and set TEE Memory Size.

- If TEE Memory Size is set to an inappropriate value, the BIOS may fail to start the TEE OS and the TrustZone function cannot be enabled on the server.
- For details about how to set TEE Memory Size, see Secure Memory Specifications.
- Save the BIOS settings and restart the server to go to the OS in the REE.
Obtaining the iTrustee Patch Package
- Download the itrustee_client source code.
https://gitee.com/openeuler/itrustee_client
Code branch: master
- Download the itrustee_tzdriver source code.
https://gitee.com/openeuler/itrustee_tzdriver
Code branch: master
- Download the libboundscheck source code.
https://gitee.com/openeuler/libboundscheck
Code branch: master
- Save the downloaded and decompressed libboundscheck source code to the itrustee_client/ and itrustee_tzdriver/ directories and rename the folders to libboundscheck. The following figure shows the directory structure:


- Install the dependencies.
yum install openssl-devel zlib-devel
For other OSs, replace Yum with the corresponding package management tool. In addition, due to the differences in software names of different package management tools, change the dependency names accordingly. For example, run the apt-get command on Ubuntu to install the dependencies:
apt-get -y install zlib1g-dev libssl-dev
- Compile itrustee_tzdriver.
cd itrustee_tzdriver && make
- Compiling the tzdriver.ko kernel module depends on the kernel header file. itrustee_tzdriver/Makefile specifies the path to the kernel header file.

Set KDIR to the actual path of the kernel header file. Note that the kernel header file version must be the same as the kernel version of the final operating environment of tzdriver.ko. Otherwise, tzdriver.ko may fail to be loaded due to the kernel version difference. You can run the uname -r command to view the kernel version of the current operating environment.
- tzdriver.ko depends on safety function symbols. Based on the current kernel status, itrustee_tzdriver/Makefile determines whether tzdriver.ko compilation contains safety function symbols. The tzdriver compilation process may vary according to the REE OS.

After the compilation is complete, a tzdriver.ko kernel module is generated.

- Compile itrustee_client.
cd itrustee_client && make
After the compilation is complete, a dist directory is generated for storing the generated executable binary and dynamic libraries.


- Deploy itrustee_client.
cp -rf dist/*.so /usr/lib64 && ldconfig
cp -rf dist/teecd /usr/bin
cp -rf dist/tlogcat /usr/bin
- Save the patch driver dependencies, libboundscheck.so and libteec.so, to /usr/lib64. For some OSs that do not contain the /usr/lib64 directory by default, you need to create a /usr/lib64 directory and add it to the default search path of the system dynamic library.
- The tlogcat process provides the capability of viewing TEE logs in the REE. The teecd process is the user-mode daemon in the REE. The two processes must be stored in the /usr/bin directory.
Deploying the SEC Driver
- Obtain the TEE OS firmware package and upload it to the server.
- Decompress the firmware package and ensure that the decompressed file contains the SEC driver file kunpeng_sec_drv.sec.
unzip BoostKit-teeos_1.3.1.SPC1.zip
- Deploy the SEC driver file.
mkdir -p /var/itrustee/tee_dynamic_drv/crypto/
cp kunpeng_sec_drv.sec /var/itrustee/tee_dynamic_drv/crypto/
- In TEE OS 1.3.0 and later versions, load the SEC driver independently. For earlier TEE OS versions, skip the Deploying the SEC Driver section.
- The SEC driver deployment path is specified by the DYNAMIC_CRYPTO_DRV_DIR macro in the Makefile file of itrustee_client. If you want to change the deployment path, recompile itrustee_client.
Loading the REE Driver
- Load the tzdriver.ko kernel module.
cd itrustee_tzdriver/
insmod tzdriver.ko && lsmod | grep tzdriver

- Load the teecd daemon process.
/usr/bin/teecd &
ps aux | grep teecd

The teecd process must be started using its absolute path, that is, /usr/bin/teecd. The ampersand sign (&) indicates that the process is executed in the background.
- View TEE logs and verify that the REE can communicate with the TEE.
tlogcat

View the TEE OS version.
tlogcat -v

View the TEE log storage path, which is /var/log/tee.
tlogcat -f

- The tlogcat process can be properly executed only after the tzdriver.ko kernel module is loaded.
- The tlogcat -v command output is the latest TEE OS version information. The actual result may be different. If necessary, obtain the latest TEE OS firmware package from Table 2 and upgrade the firmware based on Upgrading Firmware.
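
The following script is an added example, not part of the original procedure or of the iTrustee project's code. It checks what the steps above depend on: that tzdriver.ko was built against the running kernel (the KDIR note), that the deployed files are at the paths given in the deployment steps, and that the module and teecd are loaded. The script name, the ROOT prefix argument and the group/other-writable check are assumptions added for illustration.

```shell
#!/bin/sh
# Added example: audit the REE-side deployment described on this page.
# Usage (assumed script name): sh ree_audit.sh audit [path/to/tzdriver.ko]

# Deployment paths taken from the steps on this page.
ITRUSTEE_FILES="/usr/lib64/libteec.so
/usr/lib64/libboundscheck.so
/usr/bin/teecd
/usr/bin/tlogcat
/var/itrustee/tee_dynamic_drv/crypto/kunpeng_sec_drv.sec"

# vermagic_matches VERMAGIC KERNEL_RELEASE
# The first field of a module's vermagic string is the kernel release it was
# built against (the KDIR headers); it should equal `uname -r` on the target.
vermagic_matches() {
    [ "${1%% *}" = "$2" ]
}

# audit_files ROOT: report missing artifacts and, as an added hardening check
# not stated on the page, artifacts writable by group or others.
# ROOT is a prefix for checking a staging tree; pass "" for the live system.
audit_files() {
    root=$1; problems=0
    for f in $ITRUSTEE_FILES; do
        p="$root$f"
        if [ ! -f "$p" ]; then
            echo "MISSING  $f"; problems=$((problems + 1))
        else
            # ls mode string, e.g. -rwxr-xr-x: char 6 = group w, char 9 = other w
            case $(ls -ldL "$p") in
                ?????w*|????????w*)
                    echo "WRITABLE $f"; problems=$((problems + 1)) ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ]
}

# module_loaded NAME [MODULES_FILE]: true if NAME is listed in /proc/modules.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}"
}

if [ "${1:-}" = "audit" ]; then
    ko=${2:-itrustee_tzdriver/tzdriver.ko}
    vermagic_matches "$(modinfo -F vermagic "$ko")" "$(uname -r)" ||
        echo "VERMAGIC $ko was not built for kernel $(uname -r)"
    audit_files "" || true
    module_loaded tzdriver || echo "NOTLOADED tzdriver"
    pgrep -f '^/usr/bin/teecd' >/dev/null || echo "NOTRUNNING /usr/bin/teecd"
fi
```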