
Feature Usage

Firmware Requirements

Table 1 Firmware version

| Firmware | Version |
| --- | --- |
| TEE OS | 1.2.0 or later |

Software Packages

Table 2 Software packages

| Software Name | Description | How to Obtain |
| --- | --- | --- |
| verify lib | Kunpeng security library, which provides APIs for verifying remote attestation reports. | https://gitee.com/openeuler/kunpengsecl/tree/master/ |
| QCA lib | Provides APIs for attestation key registration and remote attestation. | https://gitee.com/openeuler/itrustee_sdk.git |
| QTA | Privileged TA running in the TEE. It initiates an attestation challenge to the target TA and works with the QCA to obtain and transfer attestation reports. | https://gitee.com/openeuler/itrustee_sdk.git |
| iTrustee SDK | Developer tool for the iTrustee. It must be 6.1.1 or later. The tool can automatically generate TA baseline measurement values for remote and local TA attestation. | https://gitee.com/openeuler/itrustee_sdk.git |
| libboundscheck | Safety function library | https://gitee.com/openeuler/libboundscheck.git |

Procedure

In the current version, the verify lib, QCA lib, and QTA are open-sourced in the openEuler community. Refer to the demos to learn how to use the remote attestation APIs and develop remote attestation applications. To obtain, compile, and use the demos, perform the following steps.

  1. Compile and deploy libteec.so.

    Obtain and compile the itrustee_client following the instructions in Obtaining the iTrustee Patch Package. Deploy libteec.so in the /usr/lib64 directory. Ensure that the /usr/lib64 directory has been added to the default search path of the system dynamic library.

  2. Download the iTrustee SDK, which contains the QCA lib and QTA source code.

    https://gitee.com/openeuler/itrustee_sdk.git

    Code branch: master

    The iTrustee SDK contains the QCA lib and QTA source code. The code paths are as follows:

    QCA lib: itrustee_sdk/test/CA/libqca

    QTA: itrustee_sdk/test/TA/qta

  3. Download and integrate the safety function library.

    https://gitee.com/openeuler/libboundscheck.git

    Code branch: master

    Integrate the safety function library into the iTrustee SDK.

    cp -rf libboundscheck/ itrustee_sdk/thirdparty/open_source/  # Replace the path with the actual one.
  4. Compile and deploy the QCA lib and QTA.
    1. Specify the QTA path in the QCA lib source code.
      vim itrustee_sdk/test/CA/libqca/src/ra_operate_api.c

      Search for TEEC_OpenSession and add the following content above TEEC_OpenSession.

      context.ta_path = (uint8_t *)"/data/e08f7eca-e875-440e-9ab0-5f381136c600.sec";
    2. Compile and deploy the QCA lib.
      cd itrustee_sdk/test/CA/libqca   # Replace the path with the actual one.
      make
      cp output/libqca.so /usr/lib64 && ldconfig

      If the compilation is successful, the output/libqca.so dynamic library is generated. You need to deploy libqca.so into the default search path of the system dynamic library, for example, /usr/lib64.

    3. The TEE OS enhances the permission check for a CA to invoke a TA. Therefore, the CAs that can invoke the QTA must be specified in the QTA source code.
      vim itrustee_sdk/test/TA/qta/src/tee_qta.c

      In the TA_CreateEntryPoint function, add the following content below the comment /* TA auth CA */:

      ret = addcaller_ca_exec("/vendor/bin/qcaserver", "root");
      if (ret != TEE_SUCCESS)
          return ret;
    4. Compile and deploy the QTA.
      • The QTA depends on cJSON. You need to download the cJSON source code and save it to the itrustee_sdk/test/TA/qta/src directory.
        wget https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
        tar xvf v1.7.15.tar.gz 
        mv cJSON-1.7.15/ itrustee_sdk/test/TA/qta/src/cJSON
      • Similar to common TAs, the QTA requires a TA developer certificate issued by Huawei. For details, see Applying for a TA Developer Certificate in a Debugging Environment.

        After obtaining the TA developer certificate and the config binary file, deploy the TA private key and config binary file of the QTA to the following paths, for example:

        itrustee_sdk/build/signtools/signed_config/config

        itrustee_sdk/build/signtools/TA_cert/private_key.pem
        pip3 install pycryptodomex           # Install the dependency of the iTrustee SDK TA signature tool.
        cd itrustee_sdk/test/TA/qta    # Replace the path with the actual one.
        make
        cp e08f7eca-e875-440e-9ab0-5f381136c600.sec /data

        If the QTA compilation is successful, the e08f7eca-e875-440e-9ab0-5f381136c600.sec file is generated and needs to be deployed into the /data directory. This directory is specified by the QCA lib code and can be replaced with the actual one.

    The QTA is a privileged TA for remote attestation. The QTA UUID must be e08f7eca-e875-440e-9ab0-5f381136c600 and the QTA service name can be modified.

  5. Download the Kunpeng security library to obtain the remote attestation demo.

    https://gitee.com/openeuler/kunpengsecl/tree/master/

    Code branch: master

  6. Configure the compilation environment.
    1. Some header files are required. You can specify the path to the actual header file in the following file:
      vim kunpengsecl/attestation/rac/Makefile    # Replace the path with the actual one.
      vim kunpengsecl/attestation/rac/ka/katools/katools_arm64.go

      Change the following header file path to the actual path, that is, change /opt to the actual path of itrustee_sdk from step 2.

    2. The libteec_adaptor.so library is required. Run the following commands in the itrustee_sdk source code directory from step 2 to compile the dynamic library and copy it to the system path:
      cd itrustee_sdk/src/CA   # Replace the path with the actual one.
      gcc -fPIC -shared -o libteec_adaptor.so libteec_adaptor.c -I ../../include/CA/
      cp libteec_adaptor.so /usr/lib64/
    3. The cJSON dynamic library is required. Install it from the cJSON source code downloaded in step 4.
      cd itrustee_sdk/test/TA/qta/src/cJSON
      make && make PREFIX=/usr install
    4. Golang 1.17 is required. Configure it as follows:
      wget https://go.dev/dl/go1.17.13.linux-arm64.tar.gz
      tar xvf go1.17.13.linux-arm64.tar.gz
      export PATH=$PWD/go/bin/:$PATH
      go version

  7. Compile the remote attestation demo.
    cd kunpengsecl
    make clean && make build

    After the compilation is complete, programs related to the demo are generated in each folder, such as qcaserver and libteeverifier.so. In addition, some .so files of the simulator are generated and need to be deleted. Otherwise, libqca preferentially uses the .so files of the simulator.

    rm -rf attestation/tee/tverlib/simulator/*.so
  8. Deploy the program. The QCA server execution path is specified in the QTA source code in step 4, so the QCA server must be deployed to that directory.
    cp kunpengsecl/attestation/tee/demo/pkg/qcaserver /vendor/bin/
  9. If the Attestation Service (AS) mode is used, prepare the database in advance.
    dnf install openldap-devel postgresql-server
    cd kunpengsecl/attestation/quick-scripts/
    bash prepare-database-env.sh

  10. If the AS mode is used, start the AS in advance. Open a separate terminal window and run the following commands:
    1. Configure the certificate.
      cd kunpengsecl/attestation/tas/cmd/
      # Before starting the AS, configure the private key and certificate.
      openssl genrsa -out aspriv.key 4096
      openssl req -new -x509 -days 365 -key aspriv.key -out ascert.crt

      You need to enter some configuration information for the certificate. The configuration information is not contained in the demo.

    2. Edit the config.yaml file. This directory provides the default config.yaml file of the AS. Edit the file based on your requirements. In this demo, only basevalue is modified.
      tasconfig:
        # Service ports opened by default
        port: 127.0.0.1:40008
        rest: 127.0.0.1:40009
        # Private key and certificate configured for the AS
        akskeycertfile: ./ascert.crt
        aksprivkeyfile: ./aspriv.key
        huaweiitcafile: ./Huawei IT Product CA.pem
        # The following configuration is used only for testing. Update the content to ensure security.
        DAA_GRP_KEY_SK_X: 65a9bf91ac8832379ff04dd2c6def16d48a56be244f6e19274e97881a776543c65a9bf91ac8832379ff04dd2c6def16d48a56be244f6e19274e97881a776543c
        DAA_GRP_KEY_SK_Y: 126f74258bb0ceca2ae7522c51825f980549ec1ef24f81d189d17e38f1773b56126f74258bb0ceca2ae7522c51825f980549ec1ef24f81d189d17e38f1773b56
        # QTA measurement benchmark, which can be obtained from the itrustee_sdk/build/signtools/hash_e08f7eca-e875-440e-9ab0-5f381136c600.txt file used during QTA compilation in step 4. The format of basevalue is img_hash mem_hash.
        basevalue: "8c6faf44d8d1fa9f83977e405caadd7d9b1194839d6034d5412fe00f5f294976 0f474ebc56dc5502f7fba2a26d983b3a6cf2da84ce44730f60d4c660d42634a6"
        authkeyfile: ./ecdsakey.pub
    3. Start the AS.
      go run main.go -T; go run main.go

  11. Start RA Service to receive attestation requests. You can open another window and run the following command to start the service:
    cd kunpengsecl/attestation/tee/demo/qca_demo/cmd/

    This directory provides the default config.yaml file of the QCA server. Modify the file based on your requirements. For demonstration, you can use the default value.

    qcaconfig:
      server: 127.0.0.1:40007      # Service port opened by default.
      akserver: 127.0.0.1:40008    # Port for the AS.
      scenario: 0
      nodaaacfile: ./nodaa-ac.crt  # Path to the certificate in as no daa mode.
      daaacfile: ./daa-ac.crt      # Path to the certificate in as with daa mode.

    Start RA Service. Select an appropriate scenario based on your requirements.

    # -C indicates the remote attestation scenario, namely, 0: no as; 1: as no daa; 2: as with daa.
    /vendor/bin/qcaserver -C 1

    In AS mode, the QCA server proactively connects to the AS to obtain the certificate. In no AS mode, no connection is established.

  12. Start the test CA and TA. You can open another window and run the demo CA and TA or your application based on Loading the TA and CA.
  13. Start the RA client. You can open another window to initiate a remote attestation request.
    1. Go to the RA client directory.
      cd kunpengsecl/attestation/tee/demo/attester_demo/cmd
    2. Edit the config.yaml file based on your requirements. This directory provides the default config.yaml file of the RA client. In this demonstration, the TA UUID is modified.

      attesterconfig:
        server: 127.0.0.1:40007           # Port for RA Service.
        basevalue: "./basevalue.txt"      # Base value of the TA to be tested.
        mspolicy: 2                       # Verification policy. The value 1 indicates comparing the img-hash value only, 2 indicates comparing the mem-hash value only, and 3 indicates comparing both values.
        uuid: 435dcafa-0029-4d53-97e8-a7a13a80c82e   # UUID of the test TA.
    3. Configure the base value of the test TA. The config.yaml file specifies the base value configuration file of the test TA.
      vim basevalue.txt

      The base value can be obtained from the hash_{test TA uuid}.txt file generated during TA compilation and test, which is stored in the itrustee_sdk/build/signtools directory. The format of basevalue.txt is uuid img_hash mem_hash. The following is an example:

      435dcafa-0029-4d53-97e8-a7a13a80c82e a1ef720498a93a36df8c3b1ea58058485de5b8146d399e837b0b709b53224542 ad36fdf631f1fdd6dc47c8d80bdf08fb752d1e93bd97ed534abbde797bf68b8b
    4. If the AS mode is used, copy the AS certificate to the current directory.
      cp ../../../../tas/cmd/ascert.crt TAS\ Root\ Cert.pem
    5. Initiate a remote attestation request.
      go run main.go

    If the following error information is displayed in the tlogcat, the possible cause is that the test TA has exited when the RA client initiates the request.

    Solution: Restart the test CA and TA and send the request again. To avoid the problem, prolong the CA and TA execution duration so that there is sufficient time for the operation.
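
The basevalue.txt format (uuid img_hash mem_hash) and the mspolicy values from step 13, as an added Go example that is not code from kunpengsecl or from the original page: it parses one baseline line and applies the policy to a reported measurement. The function names, the 32-byte hash length (inferred from the page's sample values) and the altered memory hash in main are assumptions made for the illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// BaseValue is one basevalue.txt entry: "uuid img_hash mem_hash".
type BaseValue struct {
	UUID     string
	Img, Mem []byte
}

// ParseBaseValue rejects malformed lines; the 32-byte hash size is assumed from the page's samples.
func ParseBaseValue(line string) (BaseValue, error) {
	f := strings.Fields(line)
	if len(f) != 3 || len(f[0]) != 36 {
		return BaseValue{}, fmt.Errorf("want: <36-char uuid> <img_hash> <mem_hash>")
	}
	img, e1 := hex.DecodeString(f[1])
	mem, e2 := hex.DecodeString(f[2])
	if e1 != nil || e2 != nil || len(img) != 32 || len(mem) != 32 {
		return BaseValue{}, fmt.Errorf("each hash must be 64 hex characters")
	}
	return BaseValue{UUID: f[0], Img: img, Mem: mem}, nil
}

// Verify applies mspolicy (1: img-hash, 2: mem-hash, 3: both); anything else fails closed.
func Verify(b BaseValue, policy int, uuid string, img, mem []byte) bool {
	imgOK := subtle.ConstantTimeCompare(b.Img, img) == 1
	memOK := subtle.ConstantTimeCompare(b.Mem, mem) == 1
	ok := map[int]bool{1: imgOK, 2: memOK, 3: imgOK && memOK}
	return strings.EqualFold(b.UUID, uuid) && ok[policy]
}

func main() {
	// Line copied from the basevalue.txt example in step 13 of the page.
	b, err := ParseBaseValue("435dcafa-0029-4d53-97e8-a7a13a80c82e a1ef720498a93a36df8c3b1ea58058485de5b8146d399e837b0b709b53224542 ad36fdf631f1fdd6dc47c8d80bdf08fb752d1e93bd97ed534abbde797bf68b8b")
	if err != nil {
		panic(err)
	}
	mem := append([]byte{0xff}, b.Mem[1:]...) // constructed report: image matches, mem hash differs
	for p := 1; p <= 3; p++ {
		fmt.Println("mspolicy", p, "->", Verify(b, p, b.UUID, b.Img, mem))
	}
}
```

With mspolicy 1 the constructed report is accepted even though its mem-hash differs from the baseline; policies 2 and 3 reject it.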