Upgrading the Confidential OS
Server Compatibility List
- To enable high-level languages, confidential containers, or confidential VMs, you need to upgrade the TEE OS to the confidential OS.
- The server models that support the TrustZone function differ in the methods of upgrading and using the confidential OS. For details about the differences, see Table 1.
- Upgrading the confidential OS will interrupt the TA running in iTrustee. To prevent service interruption, upgrade the confidential OS when no TA is running.
- The confidential OS requires at least 4 GB secure memory. To prevent an upgrade failure, ensure that the secure memory in the BIOS is greater than or equal to 4 GB.
- The TEE OS loaded during system startup is the confidential OS.
| How to Boot the Confidential OS | Server Model |
|---|---|
| Delayed boot. The BIOS boots iTrustee first. After entering the REE OS, dynamically load the confidential OS if needed. | TaiShan 200 server (model 2280, VD); TaiShan 200 servers (model 2280); TaiShan 200 server (model 2480 Pro); servers equipped with the Kunpeng S920S03 motherboard |
Delayed Boot
Table 2 describes the firmware requirements.
Before using the software package, read and agree to the user agreement.
Perform the following steps to deploy, start, and run the confidential OS:
- Download the TEE OS firmware package that matches your server model, as described in Table 2. Upgrade the iTrustee firmware by following instructions in Upgrading Firmware.
- Download the BIOS firmware package that matches your server model, as described in Table 2. Upgrade the BIOS firmware by following instructions in Upgrading Firmware.
- Compile and deploy REE patch components such as tzdriver, teecd, and the SEC driver by following instructions in Procedure, set up the TrustZone environment, and confirm the TEE OS version.
tlogcat -v
In this case, the TEE OS is iTrustee. The detailed version information is as follows:

- Deploy the upgrade TA and the confidential OS image, which can be obtained from Table 2.
cp 9ab6f960-54f3-4317-a8f7-e92ed12b6ae2.sec /var/itrustee/image/
cp trustedcore.img /var/itrustee/image/
- Obtain the source code of the upgrade CA and compile tee_upgrade.ko.
git clone https://gitee.com/openeuler/itrustee_sdk.git -b master
git clone https://gitee.com/openeuler/libboundscheck.git
mv libboundscheck/ itrustee_sdk/thirdparty/open_source/
Modify Makefile to specify the tzdriver header path and kernel symbol path. You can use the tzdriver downloaded in Procedure.
cd itrustee_sdk/test/CA/tee_upgrade
vim Makefile

make
- Generally, the kernel header file is stored in /usr/src/kernels/<kernel_version>. If the compilation script does not match the correct path, replace it with the actual one. Note that the kernel header file version must be the same as the kernel version of the final operating environment of tee_upgrade.ko. Otherwise, tee_upgrade.ko may fail to be loaded due to the kernel version difference. You can run the uname -r command to view the kernel version of the current operating environment.
- Compiling the tee_upgrade.ko kernel module depends on the header file and kernel symbols in tzdriver. You can specify the header file search path using EXTRA_CFLAGS and specify the kernel symbol file (Module.symvers) path using KBUILD_EXTRA_SYMBOLS.
- In some compilation environments, leaving the kernel symbol file path unspecified only generates warning logs. Other compilation environments treat warnings as errors, which causes the compilation to fail. In that case, you must specify the kernel symbol file path.
- If tzdriver has been loaded but it does not contain the kernel symbol file, you can download tzdriver again for compilation. If a message is displayed indicating that symbols such as strcpy_s are not found, modify the Makefile of tzdriver to add security functions into tzdriver.ko as follows:

- Load the tee_upgrade.ko module to complete the OS upgrade.
insmod tee_upgrade.ko
- After the upgrade is complete, the teecd process is terminated. You need to restart the teecd process.
/usr/bin/teecd &
- Query the current TEE OS version. In the following command output, CCOS (confidential OS) is displayed.
tlogcat -v

Check that teecd is running before starting the CA and TA used to upgrade the OS. After the OS is upgraded, load and run the teecd daemon.
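The script below is an added example, not part of the original guide or of the iTrustee SDK. It gates `insmod tee_upgrade.ko` on the conditions the steps above call out (module built for the running kernel, upgrade TA and OS image in place, teecd running) and afterwards confirms that `tlogcat -v` reports CCOS. Function names are hypothetical, and it assumes `modinfo` and `pgrep` are available in the REE OS.

```shell
#!/bin/sh
# Added example: checks around `insmod tee_upgrade.ko`. Function names are
# hypothetical; paths and file names are the ones used in the steps above.
# Usage: sh <this script> pre [path/to/tee_upgrade.ko] | post
IMAGE_DIR=/var/itrustee/image
UPGRADE_TA=9ab6f960-54f3-4317-a8f7-e92ed12b6ae2.sec
OS_IMAGE=trustedcore.img

# vermagic_matches "<vermagic>" "<kernel release>"
# The first field of a module's vermagic is the kernel release it was built for.
vermagic_matches() {
    built_for=${1%% *}
    [ -n "$built_for" ] && [ "$built_for" = "$2" ]
}

# images_present <dir>: upgrade TA and OS image both exist and are non-empty.
images_present() {
    [ -s "$1/$UPGRADE_TA" ] && [ -s "$1/$OS_IMAGE" ]
}

# tee_os_kind "<tlogcat -v output>": "confidential" when CCOS is reported.
tee_os_kind() {
    case $1 in
        *CCOS*) echo confidential ;;
        *)      echo other ;;
    esac
}

# preflight <path to tee_upgrade.ko>: run before insmod.
preflight() {
    vermagic_matches "$(modinfo -F vermagic "$1")" "$(uname -r)" ||
        { echo "$1 was not built for kernel $(uname -r)" >&2; return 1; }
    images_present "$IMAGE_DIR" ||
        { echo "upgrade TA or OS image missing in $IMAGE_DIR" >&2; return 1; }
    pgrep -x teecd >/dev/null ||
        { echo "teecd is not running" >&2; return 1; }
}

# postcheck: run after insmod and after teecd has been restarted.
postcheck() {
    [ "$(tee_os_kind "$(tlogcat -v 2>&1)")" = confidential ]
}

case ${1:-} in
    pre)  preflight "${2:-tee_upgrade.ko}" ;;
    post) postcheck ;;
esac
```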