Documentation
我要评分
获取效率
正确性
完整性
易理解
提交关闭

Environment Requirements

Hardware Requirements

Table 1 lists the hardware requirements.

Table 1 Hardware environment

Item

Version

Server

Kunpeng server

Motherboard

Kunpeng mainboard (S920S00, S920X00, S920X02, S920S03, S920X10, or S920S10)

iBMC

1711 board (model: BC82SMMAB); firmware version: 3.01.12.49 or later

BIOS

6.69 or later

TEE OS

Firmware version: 1.1.0 or later

CPU

Kunpeng 920 processor (model 7260, 5250, or 5220)

Drive

No special requirements; an 8- or 12-drive chassis recommended
  • The TrustZone feature must have been pre-installed on the server, that is, the TEE OS, TEE OS boot key, iBMC, BIOS, and license must have been pre-installed on the server. For details about how to check whether they have been pre-installed, see Checking the TrustZone Kit.
  • For common servers, the TrustZone feature cannot be enabled only by upgrading the iBMC, BIOS, and TEE OS firmware.
  • By default, the TrustZone feature is disabled on the server. See Configuring the BIOS for how to enable it.

Software Packages

Table 2 describes how to obtain the software packages.

Table 2 Software packages

Software Package

Version (Branch) Requirement

Description

How to Obtain

itrustee_tzdriver

master

Source code of the patch package in the iTrustee REE.

https://gitee.com/openeuler/itrustee_tzdriver

itrustee_client

master

Source code of the patch package in the iTrustee REE.

https://gitee.com/openeuler/itrustee_client

libboundscheck

master

Bounds check function library.

https://gitee.com/openeuler/libboundscheck

BoostKit-2280_2280Pro_S920S03_teeos_1.7.0.zip

1.7.0

TEE OS HPM firmware package, which is used to upgrade those servers equipped with the Kunpeng S920S00, S920X00, or S920S03 motherboard.

Huawei enterprise website:

BoostKit-2280_2280Pro_S920S03_teeos_1.7.0.zip

BoostKit-2480Pro_teeos_1.7.0.zip

1.7.0

TEE OS HPM firmware package, which is used to upgrade those servers equipped with the Kunpeng S920X02 motherboard.

Huawei enterprise website:

BoostKit-2480Pro_teeos_1.7.0.zip

BoostKit-2280VF_teeos_2.3.0.zip

2.3.0

TEE OS HPM firmware package, which is used to upgrade those servers equipped with the Kunpeng S920X10 or S920S10 motherboard.

Huawei enterprise website:

BoostKit-2280VF_teeos_2.3.0.zip
  • Before using the software package provided in the , read and agree to the user agreement.
  • The TEE OS firmware has been pre-deployed on the Kunpeng server that integrates the TrustZone feature. If a new version of TEE OS firmware is released, you can upgrade the firmware by yourself. For details, see Upgrading Firmware.

Verifying the Software Package Integrity

After downloading a software package from the Kunpeng community, verify the software package to ensure that it is consistent with the original one on the website.

Verify a software package as follows:

  1. Obtain the digital certificate and software.
  2. Obtain the verification tool and method from the following link:

    https://support.huawei.com/enterprise/en/tool/pgp-verify-TL1000000054

  3. Verify the package integrity by following the procedure described in the OpenPGP Signature Verification Guide obtained from the URL.

Checking the TrustZone Kit

Perform the following steps to check whether the TrustZone kit has been pre-installed on the Kunpeng server.

  1. Check the iBMC and BIOS versions.

    Log in to the iBMC and view the iBMC and BIOS firmware versions on the home page.

    The iBMC firmware version must be 3.01.12.49 or later, and the BIOS firmware version must be 7.12 or later. Some bugs are fixed in these versions. You are advised to download the firmware and upgrade it to the specified version. If the TEE OS version information is not displayed on the home page, there is a high probability that the server does not support the TrustZone feature.

  2. Check the TrustZone license.

    Log in to the iBMC WebUI. On the home page, choose iBMC Management > License Management to check the license status.

    The license must have been imported and is still valid, and the Kunpeng accelerator SEC Function feature is Enabled. If this condition is not met, the Kunpeng TrustZone function cannot be enabled even if the firmware related to the TrustZone kit has been burnt to the server.

  3. Check the secure OS boot key.
    1. Log in to the server BIOS.

    2. Choose Advanced > TEE Config to view the TEE configuration options.

    3. Check the OEMKEY installation status.

      If TEE OEMKEY is in the Install state, the Kunpeng TrustZone kit has been pre-installed on the server. You can set Support TEE to enable the TrustZone function on the Kunpeng server.