Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Procedure

This document uses the itrustee_sdk-1.0 version and rsa-demo code as an example to describe how to deploy the TA and CA compilation environment. The OS version is openEuler 20.03 LTS SP1.

Obtaining the iTrustee SDK

  1. Download the iTrustee SDK.

    https://gitee.com/openeuler/itrustee_sdk/tree/itrustee_sdk-1.0/

    Code branch: itrustee_sdk-1.0

    The following figure shows the directory structure of the SDK.

    The SDK includes the four directories: build, include, test, and thirdparty.

    • build/: stores the signature tool of TAs.
    • include/: stores the description of function interfaces supported by the iTrustee OS, including standard Global Platform (GP) interfaces and some Huawei extended interfaces.
    • test/: stores the source code of TAs and CAs.
    • thirdparty/: stores third-party libraries used by TAs and CAs.
  2. Obtain the libboundscheck bounds check function library.

    https://gitee.com/openeuler/libboundscheck

    Code branch: master

    Move the downloaded libboundscheck folder to the itrustee_sdk/thirdparty/open_source/ directory, as shown in the following figure:

Compiling the rsa-demo Applications

  1. Compile the rsa_demo CA.
    1
2
    		 
    cd itrustee_sdk/test/CA/rsa_demo/cloud
make

    After the compilation is complete, a CA binary file is generated in the directory of the Makefile file, as shown in the following figure:

  2. Compile the rsa_demo TA.
    1. Apply to the Huawei service owner for the compilation materials of the rsa_demo TA, including the private key and the config binary issued by Huawei. The following figure shows the file information:

    2. Copy the compilation materials to the specified directory of the rsa_demo TA in the iTrustee SDK. 
      1
2
      		 
      cp rsa_demo/signed_config/config itrustee_sdk/test/TA/rsa_demo/cloud/signed_config/
cp rsa_demo/TA_cert/private_key.pem itrustee_sdk/test/TA/rsa_demo/cloud/TA_cert/
    3. Modify the manifest.txt file based on the configs.xml file used to apply for the TA certificate. The values of the same fields in the two configuration files must be the same. Otherwise, the TA cannot be loaded. For details, see Configuring the manifest.txt File.
    4. Compile the rsa_demo TA. 
      1
2
      		 
      cd itrustee_sdk/test/TA/rsa_demo/cloud
make

      After the compilation is complete, a TA .sec file is generated in the directory of the Makefile file. The file name is the unique UUID of each TA.

Configuring the manifest.txt File

A standard TA contains the source code, TA private key, signed config file, config_cloud.ini file, and manifest.txt file, as shown in the following figure.

  1. TA developer certificate: includes the config binary file and the private_key.pem file. The private key file is used for signature during TA compilation and the config binary file is used for signature verification during TA loading. For details about how to apply for a TA developer certificate, see Applying for a TA Developer Certificate in a Debugging Environment.
  2. TA signature configuration file: config_cloud.ini, which is used to configure the signature algorithm and file path required for signing the TA. The template file is stored in itrustee_sdk/build/signtools/config_cloud.ini. The configuration affects the TA signature and signature verification and cannot be modified unless required. The following fields can be configured as needed:
    • secSignKey: path of the private_key.pem file, which is used to sign the TA.
    • configPath: path of the config binary file, which is used for signature verification during TA loading.

    If you use relative paths, the preceding two relative paths must be based on itrustee_sdk/build/signtools/signtool_v3.py.

  3. TA resource configuration file: manifest.txt, which is used to restrict the resources that can be used by the TA in the TEE. Its configuration must be the same as the configs.xml file used for apply for the TA certificate. The following is an example of the manifest.txt file: 
    1
2
3
4
5
6
7
8
    		 
    gpd.ta.appID:                   f68fd704-6eb1-4d14-b218-722850eb3ef0
gpd.ta.service_name:            rsa-demo
gpd.ta.singleInstance:          true
gpd.ta.multiSession:            false
gpd.ta.instanceKeepAlive:       false
gpd.ta.dataSize:                67928064
gpd.ta.stackSize:               40960
gpd.ta.mem_page_align:          false

    Among the preceding fields:

    • gpd.ta.appID is the TA UUID, which is generated by the user and is the same as the CA UUID. Each TA has a unique UUID.

      You can run the cat /proc/sys/kernel/random/uuid command to obtain the UUID.

    • gpd.ta.service_name is the TA name, which is a string consisting of 1 to 27 characters.
    • gpd.ta.dataSize is the TA heap space size, which is an integer equal to 1 byte when mem_page_align is set to false and 4096 bytes when mem_page_align is set to true.
    • gpd.ta.stackSize is the TA stack space size, which is an integer equal to 1 byte when mem_page_align is set to false and 4096 bytes when mem_page_align is set to true.

For configuration details, see the iTrustee SDK Developer Guide.

Please contact the Huawei service owner for this guide.