Procedure

The CA must use the patch in the REE when communicating with the TA in the TEE. The patch in the REE has a version mapping relationship with the TEE OS firmware package, as described in Table 1. This document uses openEuler 20.03 LTS SP1 and TEE OS 1.4.0 as an example to describe how to compile and deploy the patch in the REE.

**Table 1** Version mapping between the TEE OS and the REE patch
TEE OS HPM Firmware Version	itrustee_tzdriver Code Tag	itrustee_client Code Tag	libboundscheck Code Branch
1.1.0 ≤ version < 1.2.0	v1.0.0	v1.0.0	master
1.2.0	v1.2.0	v1.2.0	master
1.3.0 ≤ version < 1.4.0	v1.3.0	v1.3.0	master
1.4.0	master	master	master

(Optional) Installing the TrustZone License

If the Kunpeng Accelerator SEC Function option is enabled on the License Management tab page of the server iBMC, skip this section. Otherwise, perform the following steps to import the TrustZone license and enable the SEC feature.

Contact your local Huawei service owner to apply for the TrustZone license. After obtaining the license, install the license on the server.

Log in to the iBMC and choose iBMC Settings > License Management.
Click Install to upload the TrustZone license that you have obtained.
After the installation is complete, Kunpeng Accelerator SEC Function is enabled on the iBMC.

Configuring the BIOS

Restart the server. In the BIOS, enable the TrustZone feature and configure the TEE secure memory size.

Restart the server and go to the BIOS.
Choose Advanced > TEE Config.
Enable Support TEE and set TEE Memory Size.
- If TEE Memory Size is set to an inappropriate value, the BIOS may fail to start the TEE OS and the TrustZone function cannot be enabled on the server.
- For details about how to set TEE Memory Size, see Secure Memory Specifications.
Save the BIOS settings and restart the server to go to the OS in the REE.

Obtaining the iTrustee Patch Package

Download the itrustee_client source code.
https://gitee.com/openeuler/itrustee_client

Code branch: master
Download the itrustee_tzdriver source code.
https://gitee.com/openeuler/itrustee_tzdriver

Code branch: master
Download the libboundscheck source code.
https://gitee.com/openeuler/libboundscheck

Code branch: master
Save the downloaded and decompressed libboundscheck source code to the itrustee_client/ and itrustee_tzdriver/ directories and rename the folders to libboundscheck. The following figure shows the directory structure:
Install the dependencies.
1

yum install openssl-devel zlib-devel
Compile itrustee_tzdriver.
1

cd itrustee_tzdriver && make
1. Compiling the tzdriver.ko kernel module depends on the kernel header file. itrustee_tzdriver/Makefile specifies the path to the kernel header file.
  
  Generally, the kernel header file is stored in /usr/src/kernels/<kernel_version>. If the compilation script does not match the correct path, replace it with the actual one. Note that the kernel header file version must be the same as the kernel version of the final operating environment of tzdriver.ko. Otherwise, tzdriver.ko may fail to be loaded due to the kernel version difference. You can run the uname -r command to view the kernel version of the current operating environment.
2. itrustee_tzdriver/Makefile specifies the mailbox pool size. A single mailbox pool is 4 MB. To set the total size of mailbox pools to 32 MB, change the value of MAILBOX_POOL_COUNT in Makefile to 8.
1. tzdriver.ko depends on security function symbols. Based on the current kernel status, itrustee_tzdriver/Makefile determines whether tzdriver.ko compilation contains security function symbols. The tzdriver compilation process may vary according to the REE OS.
  
  After the compilation is complete, a tzdriver.ko kernel module is generated.
Compile itrustee_client.
1

cd itrustee_client && make
After the compilation is complete, a dist directory is generated for storing the generated executable binary and dynamic libraries.

Deploy itrustee_client.

        
             cp -rf dist/*.so /usr/lib64 && ldconfig
cp -rf dist/teecd /usr/bin
cp -rf dist/tlogcat /usr/bin

# Optional
cp -rf dist/tee_teleport /usr/bin
cp -rf dist/agentd /usr/bin

Save the patch driver dependencies, libboundscheck.so and libteec.so, to /usr/lib64. For some OSs that do not contain the /usr/lib64 directory by default, you need to create a /usr/lib64 directory and add it to the default search path of the system dynamic library.
The tlogcat process provides the capability of viewing TEE logs in the REE. The teecd process is the user-mode daemon in the REE. The two processes must be stored in the /usr/bin directory.
tee_teleport can push Python and Java programs in the REE to the TEE and obtain the execution result. It is not necessary in non-high-level language scenarios.
agentd provides secure storage and log storage for trusted applications in a container. It must be deployed in the /usr/bin directory of the container. It is not necessary in non-container scenarios.
The mailboxes are used to transfer CA and TA communication parameters and they affect the global maximum number of concurrent CA and TA requests. You can configure the mailbox pool size based on your requirements. The upper limit of the mailbox pool size is 128 MB. That is, the maximum value of MAILBOX_POOL_COUNT is 32.

(Optional) Deploying the SEC Driver

Perform this operation for TEE OS 1.3.0 and later, and skip it for an earlier version.

Obtain the SEC driver.
Download the firmware package and extract the SEC driver file kunpeng_sec_drv.sec.
Deploy the SEC driver file.
```
mkdir -p /var/itrustee/tee_dynamic_drv/crypto/
cp kunpeng_sec_drv.sec /var/itrustee/tee_dynamic_drv/crypto/
```
The SEC driver deployment path is specified by the DYNAMIC_CRYPTO_DRV_DIR macro in the Makefile file of itrustee_client. If you want to change the deployment path, recompile itrustee_client.

Loading Modules in the REE

Load the tzdriver.ko kernel module.

        
             cd itrustee_tzdriver/
insmod tzdriver.ko && lsmod | grep tzdriver

The tzdriver.ko kernel module cannot be uninstalled after being loaded. You can restore it to the unloaded state only by powering off and then restarting the server.

Load the teecd daemon process.

        
             nohup /usr/bin/teecd &
ps aux | grep teecd

teecd must be run in an absolute path, that is, /usr/bin/teecd. The ampersand (&) indicates that teecd is run in the background.

View TEE logs and verify that the REE can communicate with the TEE.
1. View the log information.
  1
  
  tlogcat
2. View the TEE OS version.
```
tlogcat -v
```
3. View the TEE log storage path, which is /var/log/tee.
```
tlogcat -f
```
- The tlogcat process can be properly executed only after the tzdriver.ko kernel module is loaded.
- The tlogcat -v command output is the latest TEE OS version information. The actual result may be different. If necessary, obtain the latest TEE OS firmware package from Table 2 and upgrade the firmware based on Upgrading Firmware.

Checking the TrustZone Environment

If you are not sure whether the TrustZone environment is available, use the TEE status check tool to check the environment.

Obtain the TEE status detection tool.
The firmware package obtained from Table 2 contains the TEE status detection tool. Its tee_check directory contains the following files:

Copy the file to the following directories to deploy the tee-check tool.

mkdir -p /vendor/bin/ /data/tee-check
cp -rf tee-check /vendor/bin/
cp -rf 35397f0d-26ef-476c-b955-4806f2c6454a.sec /data/tee-check
cp -rf teeos.txt /var/itrustee/version/

Run the plugin tool.
```
/vendor/bin/tee-check
```
- If the TrustZone environment is normal, the log information is as follows:
- If the TrustZone environment is abnormal, a message is displayed. For example, if teecd is not started, the following error information is displayed:
  
  According to the error information, teecd is not started. You can start it using /usr/bin/teecd &.

Parent topic: Setting Up the TA and CA Operating Environment