(Optional) Upgrading the TEE OS

For servers equipped with the Kunpeng S920X10 or S920S10 motherboard, the TEE OS is the confidential OS once Procedure is completed. For other models, hardware restrictions mean that the TEE OS burned into the flash memory is the compact iTrustee OS, which does not offer some advanced features. You can use the following method to dynamically upgrade the OS (supported since TEE OS 1.4.0):

  1. Deploy the upgrade TA and the confidential OS image, which can be obtained from Table 2.
    cp 9ab6f960-54f3-4317-a8f7-e92ed12b6ae2.sec  /var/itrustee/image/
    cp trustedcore.img  /var/itrustee/image/
  2. Obtain the upgrade CA source code and compile tee_upgrade.ko.
    git clone https://gitee.com/openeuler/itrustee_sdk.git -b master
    git clone https://gitee.com/openeuler/libboundscheck.git
    mv libboundscheck/ itrustee_sdk/thirdparty/open_source/
    Modify the Makefile to specify the tzdriver header path and kernel symbol path. You can use the tzdriver downloaded in Procedure.
    cd itrustee_sdk/test/CA/tee_upgrade
    vim Makefile

    make
    • Generally, the kernel header files are stored in /usr/src/kernels/<kernel_version>. If the path in the compilation script does not match, replace it with the actual one. The kernel header version must be the same as the kernel version of the environment where tee_upgrade.ko will finally run. Otherwise, tee_upgrade.ko may fail to load because of the kernel version difference. You can run the uname -r command to view the kernel version of the current operating environment.
    • Compiling the tee_upgrade.ko kernel module depends on the header files and kernel symbols in tzdriver. You can specify the header file search path using EXTRA_CFLAGS and specify the kernel symbol file (Module.symvers) path using KBUILD_EXTRA_SYMBOLS.
      • In some compilation environments, a missing kernel symbol file path only generates warning logs. Other compilation environments treat warnings as errors, which causes the compilation to fail. In this case, you must specify the kernel symbol file path.
      • If tzdriver has been loaded but it does not contain the kernel symbol file, you can download tzdriver again for compilation. If a message is displayed indicating that symbols such as strcpy_s are not found, modify the tzdriver Makefile to add security functions into tzdriver.ko as follows:

  3. Load the tee_upgrade.ko module to complete the TEE OS upgrade.
    insmod tee_upgrade.ko
  4. The teecd process is terminated when the upgrade completes. Restart the teecd process.
    nohup /usr/bin/teecd &
  5. Query the current TEE OS version. After the upgrade, CCOS is displayed in the command output, distinguishing it from the compact iTrustee OS.
    tlogcat -v

  • A dynamic upgrade interrupts the TAs that are running in the TEE OS. To prevent service interruption, perform a dynamic upgrade when no TA is running.
  • The latest TEE OS version requires at least 4 GB of secure memory. To prevent an upgrade failure, ensure that the secure memory configured in the BIOS is greater than or equal to 4 GB.
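
The checks below are an added example, not part of the original procedure or the iTrustee SDK: a POSIX shell pre-flight to run before step 3 that confirms the step 1 files are in place, that the tzdriver build tree contains Module.symvers, and that tee_upgrade.ko was built for the running kernel. The function names and the tzdriver build directory argument are assumptions; the module's target kernel is read from its vermagic field with modinfo.

```shell
#!/bin/sh
# Added example: pre-flight checks before `insmod tee_upgrade.ko`.
# Usage (tzdriver build path is a placeholder):
#   preflight /var/itrustee/image <tzdriver_build_dir> ./tee_upgrade.ko

TA_UUID=9ab6f960-54f3-4317-a8f7-e92ed12b6ae2   # upgrade TA file name from step 1

# check_images DIR: both files copied in step 1 must exist and be non-empty.
check_images() {
    img_rc=0
    for f in "$TA_UUID.sec" trustedcore.img; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; img_rc=1; }
    done
    return $img_rc
}

# check_symvers DIR: the tzdriver build tree must provide Module.symvers,
# the file KBUILD_EXTRA_SYMBOLS points at when building tee_upgrade.ko.
check_symvers() {
    [ -s "$1/Module.symvers" ] || { echo "no Module.symvers in $1" >&2; return 1; }
}

# vermagic_matches "VERMAGIC" KERNEL_RELEASE: the first vermagic field is the
# kernel release the module was compiled against; it must equal `uname -r`.
vermagic_matches() {
    built_for=${1%% *}
    [ "$built_for" = "$2" ] || {
        echo "module built for '$built_for', running kernel is '$2'" >&2
        return 1
    }
}

# preflight IMAGE_DIR TZDRIVER_DIR KO_PATH: run every check, report all failures.
preflight() {
    pf_rc=0
    check_images "$1" || pf_rc=1
    check_symvers "$2" || pf_rc=1
    vm=$(modinfo -F vermagic "$3" 2>/dev/null) || {
        echo "cannot read vermagic from $3" >&2
        return 1
    }
    vermagic_matches "$vm" "$(uname -r)" || pf_rc=1
    return $pf_rc
}
```

A non-zero return from preflight means at least one prerequisite is missing; the messages on stderr name each one.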