Procedure
A CA in the REE communicates with a TA in the TEE through the REE-side patch (tzdriver, teecd and libteec). The patch has a version mapping relationship with the TEE OS firmware package, as described in Table 1, so the source code tags must be chosen to match the firmware on the server. This document uses openEuler 20.03 LTS SP1 and TEE OS 1.7.0 as an example to describe how to compile and deploy the patch in the REE.
Table 1 Version mapping between the TEE OS firmware and the REE patch source code

| TEE OS HPM Firmware Version | itrustee_tzdriver Code Tag | itrustee_client Code Tag | libboundscheck Code Branch |
|---|---|---|---|
| 1.1.0 ≤ version < 1.2.0 | v1.0.0 | v1.0.0 | master |
| 1.2.0 | v1.2.0 | v1.2.0 | master |
| 1.3.0 ≤ version < 1.4.0 | v1.3.0 | v1.3.0 | master |
| 1.4.0 | v1.5.0 | v1.5.0 | master |
| 1.5.0 | v1.5.0-r1 | v1.5.0-r1 | master |
| ≥ 1.6.0 | master | master | master |
The master branches of the itrustee_tzdriver and itrustee_client code repositories always match the latest TEE OS version, and this table may lag behind new releases. If the repository contains a tag matching your TEE OS version, use the source code at that tag rather than master.
(Optional) Installing the TrustZone License
If the Kunpeng Accelerator SEC Function option is active on the License Management tab page of the server iBMC, skip this section. Otherwise, perform the following steps to import the TrustZone license and enable the SEC feature.
Contact your local Huawei service owner to apply for the TrustZone license. After obtaining the license, install the license on the server.
- Log in to the iBMC and choose .

- Click Install to upload the TrustZone license that you have obtained.
After the installation is complete, Kunpeng Accelerator SEC Function is enabled on the iBMC.

Configuring the BIOS
Restart the server. In the BIOS, enable the TrustZone feature and configure the TEE secure memory size.
- Restart the server and go to the BIOS.

- Choose .

- Enable Support TEE and set TEE Memory Size.

- If TEE Memory Size is set to an inappropriate value, the BIOS may fail to start the TEE OS and the TrustZone function cannot be enabled on the server.
- For details about how to set TEE Memory Size, see Secure Memory Specifications.
- Save the BIOS settings and restart the server to go to the OS in the REE.
Obtaining the iTrustee Patch Package
- Download the itrustee_client source code.
git clone https://gitee.com/openeuler/itrustee_client.git
- Download the itrustee_tzdriver source code.
git clone https://gitee.com/openeuler/itrustee_tzdriver.git
- Download the libboundscheck source code.
git clone https://gitee.com/openeuler/libboundscheck.git
- Copy the libboundscheck source tree into both the itrustee_client/ and itrustee_tzdriver/ directories, so that each contains a libboundscheck subdirectory (the cloned directory is already named libboundscheck, so no renaming is needed after the copy). The following figure shows the directory structure:
```shell
cp -rf libboundscheck itrustee_client
cp -rf libboundscheck itrustee_tzdriver
```


- Install the dependencies.
```shell
yum install openssl-devel zlib-devel kernel-devel
```
- Compile itrustee_tzdriver.
```shell
cd itrustee_tzdriver && make
```
- Compiling the tzdriver.ko kernel module depends on the kernel header files. itrustee_tzdriver/Makefile specifies the path to the kernel header files.

Generally, the kernel header files are stored in /usr/src/kernels/<kernel_version>. If the path in the Makefile does not match, replace it with the actual one. The kernel header version must be the same as the kernel version of the environment in which tzdriver.ko will finally run; otherwise tzdriver.ko may fail to load because of the kernel version mismatch. Run uname -r to view the kernel version of the current environment.
- itrustee_tzdriver/Makefile specifies the mailbox pool size through MAILBOX_POOL_COUNT. A single mailbox pool is 4 MB, so the total size is MAILBOX_POOL_COUNT × 4 MB. For example, to set the total size of the mailbox pools to 128 MB, change the value of MAILBOX_POOL_COUNT in the Makefile to 32.

- tzdriver.ko depends on security function symbols exported by the kernel. itrustee_tzdriver/Makefile checks the current kernel to decide whether tzdriver.ko is compiled with those security function symbols, so the tzdriver compilation process may differ between REE OSs.

After the compilation is complete, a tzdriver.ko kernel module is generated.

For compilation on Kylin V10 SP3 or UOS v20 Server, delete the -fstack-protector-strong option in Makefile. Otherwise, the following stack protection error is reported:

- Compile itrustee_client.
```shell
cd itrustee_client && make
```
After the compilation is complete, a dist directory is generated that stores the generated executable binaries and dynamic libraries.


- Deploy itrustee_client (run in the itrustee_client directory).
```shell
make install
```
- The patch driver dependencies, libboundscheck.so and libteec.so, must be placed in /usr/lib64. On OSs that do not provide /usr/lib64 by default, create the directory and add it to the system's default dynamic library search path (for example, by listing it in a file under /etc/ld.so.conf.d/ and running ldconfig).
- The tlogcat process provides the capability of viewing TEE logs from the REE. The teecd process is the user-mode daemon in the REE. Both executables must be placed in /usr/bin.
- agentd provides secure storage and log storage for trusted applications in a container. It must be deployed in the /usr/bin directory of the container. It is not needed in non-container scenarios.
- The mailboxes are used to transfer CA and TA communication parameters, and their total size bounds the global number of concurrent CA and TA requests. You can configure the mailbox pool size based on your requirements. The upper limit of the mailbox pool size is 128 MB, that is, the maximum value of MAILBOX_POOL_COUNT is 32.
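The build steps above leave three things for the operator to get right by hand: the kernel headers must match the running kernel, MAILBOX_POOL_COUNT must be a whole number of 4 MB pools no larger than 128 MB, and the resulting tzdriver.ko must have been built for the kernel it will be loaded into (it cannot be unloaded afterwards). The following script is an added example, not code from the itrustee_tzdriver or itrustee_client projects. It assumes the header path and size limits stated in the text; the exact form of the MAILBOX_POOL_COUNT line in the Makefile, the helper names and the ITRUSTEE_BUILD switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the itrustee_* projects): preflight checks for building
# tzdriver.ko and sizing the mailbox pool. Values come from the procedure above;
# the Makefile line format matched by sed below is an assumption.
set -u

KSRC_BASE=${KSRC_BASE:-/usr/src/kernels}   # where kernel-devel installs headers
MAILBOX_POOL_MB=4                          # one mailbox pool is 4 MB
MAX_MAILBOX_MB=128                         # upper limit stated in the text

# Echo the MAILBOX_POOL_COUNT value for a total pool size in MB.
# Fails (no output, status 1) unless the size is a positive multiple of 4 MB <= 128 MB.
mailbox_pool_count() {
    mb=$1
    case $mb in ''|*[!0-9]*) return 1 ;; esac
    [ "$mb" -gt 0 ] || return 1
    [ "$mb" -le "$MAX_MAILBOX_MB" ] || return 1
    [ $((mb % MAILBOX_POOL_MB)) -eq 0 ] || return 1
    echo $((mb / MAILBOX_POOL_MB))
}

# 0 when a module's vermagic string (first word = kernel release) matches the
# release the module will be loaded into, i.e. `uname -r` on the target system.
vermagic_matches() {
    vermagic=$1; release=$2
    first=${vermagic%% *}
    [ "$first" = "$release" ]
}

# 0 when a kernel header tree for the given release exists under KSRC_BASE.
kernel_headers_present() {
    [ -f "$KSRC_BASE/$1/include/linux/module.h" ]
}

# Rewrite the MAILBOX_POOL_COUNT setting in a Makefile to the value for the given MB.
# Matches both "MAILBOX_POOL_COUNT := N" and "-DMAILBOX_POOL_COUNT=N" (assumed formats).
set_mailbox_pool_count() {
    makefile=$1; mb=$2
    count=$(mailbox_pool_count "$mb") || return 1
    sed "s/MAILBOX_POOL_COUNT[[:space:]]*[?:]*=[[:space:]]*[0-9][0-9]*/MAILBOX_POOL_COUNT=$count/" \
        "$makefile" > "$makefile.tmp" && mv "$makefile.tmp" "$makefile" || return 1
    grep -q "MAILBOX_POOL_COUNT=$count" "$makefile"
}

# Full build under the assumptions above; run only when ITRUSTEE_BUILD=1.
build_tzdriver() {
    release=$(uname -r)
    kernel_headers_present "$release" \
        || { echo "no kernel headers for $release under $KSRC_BASE" >&2; return 1; }
    set_mailbox_pool_count itrustee_tzdriver/Makefile "${MAILBOX_MB:-128}" || return 1
    (cd itrustee_tzdriver && make) || return 1
    vm=$(modinfo -F vermagic itrustee_tzdriver/tzdriver.ko) || return 1
    vermagic_matches "$vm" "$release" \
        || { echo "tzdriver.ko was built for '$vm' but this kernel is $release" >&2; return 1; }
}

if [ "${ITRUSTEE_BUILD:-0}" = 1 ]; then
    build_tzdriver
fi
```

Run it as `ITRUSTEE_BUILD=1 MAILBOX_MB=128 sh build_tzdriver.sh` from the directory that contains itrustee_tzdriver/. The vermagic check is deliberately done before insmod: a module built against the wrong headers is rejected by the kernel anyway, but checking here gives a readable reason instead of a bare "Invalid module format".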
(Optional) Deploying the SEC Driver
Perform this operation for TEE OS 1.3.0 and later, and skip it for an earlier version.
- Obtain the SEC driver. The TEE OS firmware package contains the SEC driver that matches that TEE OS version. If the SEC driver does not match the running TEE OS version, the TEE OS may malfunction.
Download the firmware package and extract the SEC driver file kunpeng_sec_drv.sec.
- Deploy the SEC driver file.
```shell
mkdir -p /var/itrustee/tee_dynamic_drv/crypto/
cp kunpeng_sec_drv.sec /var/itrustee/tee_dynamic_drv/crypto/
```
- The SEC driver deployment path is specified by the DYNAMIC_CRYPTO_DRV_DIR macro in the Makefile of itrustee_client. If you change the deployment path, recompile and redeploy teecd.
- When teecd starts, it loads every file in the directory specified by DYNAMIC_CRYPTO_DRV_DIR. Therefore, do not place any other files in this directory.
- The SEC driver is loaded automatically when the teecd process starts, and the TEE OS may malfunction if loading fails. Deploy the SEC driver before starting teecd. If teecd is already running, stop it, deploy the SEC driver, and then start teecd again.
- When updating the TEE OS image, update the SEC driver as well.
Loading Modules in the REE
- Load the tzdriver.ko kernel module.
```shell
cd itrustee_tzdriver/
insmod tzdriver.ko && lsmod | grep tzdriver
```

The tzdriver.ko kernel module cannot be unloaded after being loaded. The only way to return to the unloaded state is to power off and restart the server.
- Start the teecd daemon process.
```shell
nohup /usr/bin/teecd &
ps aux | grep teecd
```

- teecd must be started using its absolute path, that is, /usr/bin/teecd. The ampersand (&) runs teecd in the background.
- It is good practice to prefix the command with nohup so that teecd does not exit when the login session is closed, which would break CAs and TAs running in other sessions.
- View TEE logs and verify that the REE can communicate with the TEE.
- View the log information.
```shell
tlogcat
```

- View the TEE OS version. If the Tianchi model is used, CCOS is displayed.
```shell
tlogcat -v
```

- Write TEE logs to the log storage path, /var/log/tee (tlogcat -f keeps running, so start it in the background).
```shell
tlogcat -f &
```

- The tlogcat process can only run after the tzdriver.ko kernel module is loaded.
- The TEE OS version reported by tlogcat -v depends on the firmware installed on the server, so the actual output may differ from the example. If necessary, obtain the latest TEE OS firmware package from Table 2 and upgrade the firmware as described in Upgrading Firmware.
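The SEC driver notes and the loading steps above impose an order that is easy to get wrong when the commands are typed one at a time: the crypto driver directory must contain only kunpeng_sec_drv.sec, the driver must be in place before teecd starts (teecd only loads it at startup), tzdriver must be loaded before teecd, and a tzdriver that is already loaded cannot be replaced without a reboot. The following script is an added example, not code from the itrustee projects, that performs the sequence for both the "(Optional) Deploying the SEC Driver" and "Loading Modules in the REE" sections and refuses to continue when a precondition fails. The paths are taken from the text; the helper names, the one-second startup wait and the ITRUSTEE_START switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the itrustee_* projects): bring up the REE side of
# iTrustee in the order the procedure requires. Paths follow the text; the
# helper names, MODULES_FILE override and sleep interval are assumptions.
set -u

SEC_DRV_DIR=${SEC_DRV_DIR:-/var/itrustee/tee_dynamic_drv/crypto}  # default DYNAMIC_CRYPTO_DRV_DIR
SEC_DRV_FILE=kunpeng_sec_drv.sec
TEECD=/usr/bin/teecd                         # teecd must be started by absolute path
MODULES_FILE=${MODULES_FILE:-/proc/modules}  # overridable so the check can be tested offline

# 0 if the named module appears in the first field of /proc/modules.
# tzdriver cannot be unloaded, so a second insmod is never the fix.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE"
}

# 0 if the crypto driver directory holds exactly one entry, the SEC driver.
# teecd loads every file in this directory at startup, so anything else is an error.
sec_drv_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -f "$dir/$SEC_DRV_FILE" ] || return 1
    n=$(ls -A "$dir" | wc -l); n=$((n + 0))
    [ "$n" -eq 1 ]
}

teecd_running() {
    pgrep -x teecd >/dev/null 2>&1
}

# Copy the SEC driver extracted from the matching firmware package into place.
# Refuses while teecd runs, because the driver is only picked up when teecd starts.
deploy_sec_driver() {
    src=$1
    [ -f "$src" ] || { echo "SEC driver $src not found" >&2; return 1; }
    if teecd_running; then
        echo "teecd is running; stop it, deploy the SEC driver, then start teecd again" >&2
        return 1
    fi
    mkdir -p "$SEC_DRV_DIR" && cp -f "$src" "$SEC_DRV_DIR/$SEC_DRV_FILE" || return 1
    sec_drv_dir_ok "$SEC_DRV_DIR" \
        || { echo "$SEC_DRV_DIR must contain only $SEC_DRV_FILE" >&2; return 1; }
}

# tzdriver first, then teecd, then prove the REE reaches the TEE with tlogcat -v.
start_ree_stack() {
    ko=$1
    if module_loaded tzdriver; then
        echo "tzdriver already loaded (unloading requires a reboot); not loading again" >&2
    else
        insmod "$ko" && module_loaded tzdriver || return 1
    fi
    if [ -d "$SEC_DRV_DIR" ] && ! sec_drv_dir_ok "$SEC_DRV_DIR"; then
        echo "warning: $SEC_DRV_DIR holds files other than $SEC_DRV_FILE; teecd will load them all" >&2
    fi
    if ! teecd_running; then
        nohup "$TEECD" >/dev/null 2>&1 &   # nohup: survive session close, as the text advises
        sleep 1                            # assumed startup wait
        teecd_running || { echo "teecd did not start" >&2; return 1; }
    fi
    tlogcat -v
}

# Usage: ITRUSTEE_START=1 sh start_ree.sh [kunpeng_sec_drv.sec] [path/to/tzdriver.ko]
# The SEC driver argument is only needed for TEE OS 1.3.0 and later.
if [ "${ITRUSTEE_START:-0}" = 1 ]; then
    if [ -n "${1:-}" ]; then deploy_sec_driver "$1" || exit 1; fi
    start_ree_stack "${2:-./itrustee_tzdriver/tzdriver.ko}"
fi
```

The script treats an already-loaded tzdriver as a warning rather than an error because, per the note above, nothing short of a reboot changes that state; the useful action is to verify teecd and tlogcat rather than retry insmod.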
Checking the TrustZone Environment
Huawei provides the TEE status detection tool to help you check the TrustZone environment.
- Obtain the TEE status detection tool.
The firmware package obtained from Table 2 contains the TEE status detection tool. Its tee_check directory contains the tee-check executable, the TA file 35397f0d-26ef-476c-b955-4806f2c6454a.sec, and the version file teeos.txt.

- Copy the files to the following directories to deploy the tee-check tool.
```shell
mkdir -p /vendor/bin/ /data/tee-check
cp -rf tee-check /vendor/bin/
cp -rf 35397f0d-26ef-476c-b955-4806f2c6454a.sec /data/tee-check
cp -rf teeos.txt /var/itrustee/version/
```
- Run the tee-check tool.
```shell
/vendor/bin/tee-check
```
- If the TrustZone environment is normal, the log information is as follows:
- If the TrustZone environment is abnormal, an error message is displayed. For example, if teecd is not running, the following error information is displayed:
In that case, start teecd with /usr/bin/teecd & and run the tool again.

