Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Procedure

This document uses the helloworld demo case included in the iTrustee SDK as an example to describe how to deploy the TA and CA compilation environment. The OS version is openEuler 20.03 LTS SP1.

Obtaining the iTrustee SDK

  1. Download the iTrustee SDK.
    git clone -b master https://gitee.com/openeuler/itrustee_sdk.git

    The following figure shows the directory structure of the SDK.

    The SDK includes the four directories: build, include, test, and thirdparty.

    • build/: stores the signature tool of TAs.
    • include/: stores the description of function interfaces supported by the iTrustee OS, including standard Global Platform (GP) interfaces and some Huawei extended interfaces.
    • test/: stores the TA and CA source code of some TEE tools and demos.
    • thirdparty/: stores third-party libraries used by TAs and CAs.
  2. Obtain the libboundscheck bounds check function library. Move the downloaded libboundscheck folder to the itrustee_sdk/thirdparty/open_source/ directory, as shown in the following figure:
    git clone https://gitee.com/openeuler/libboundscheck.git
mv libboundscheck itrustee_sdk/thirdparty/open_source/

Compiling CAs and TAs

The test directory of the iTrustee SDK provides the CA and TA demo case helloworld, which enables communication between the CA and TA. You can refer to this test case to develop your own CAs and TAs. The following procedure uses helloworld as an example to demonstrate how to compile CAs and TAs.

  1. Obtain the files required for compiling TAs, as describes in Applying for a TA Developer Certificate in a Debugging Environment. The files include the TA resource configuration file configs.xml, private key file private_key.pem, and Huawei-issued config binary file.
  2. Compile the CA.
    1. Modify the g_demoTemplateUuid variable in the CA source code based on the UUID of the TA in the configs.xml file.
      cd itrustee_sdk/test/CA/helloworld
vim ca_demo.c

      If the ca_demo.c file does not specify the TA loading path, deploy the TA file in the default search path /var/itrustee/ta/. To specify the TA loading path, you can set the ta_path field of TEEC_Context before invoking TEEC_OpenSession. The following figure shows that the TA search directory is /data.

    2. Generate the CA binary file. 
      1
      		 
      make

      After the compilation is complete, a CA binary file is generated in the directory of the Makefile file. See the following figure:

  3. Compile the TA and go to the TA directory of helloworld.
    cd itrustee_sdk/test/TA/helloworld
    1. View the TA source code, which specifies the CAs that can invoke the TA.
      vim ta_demo.c

      In the preceding figure, the CA must be deployed in the /vendor/bin directory and executed by the root user using the /vendor/bin/demo_hello command to pass the authentication executed by the CA.

    2. Change the values of the fields in the manifest.txt file based on the configs.xml file.
      vim manifest.txt

    3. View Makefile to determine the configuration file for signing and packaging the TA.
      vim Makefile

      During TA compilation, the source file is compiled into an SO file, and the signtool_v3.py script is invoked to sign and package the SO file based on the configuration in config_cloud.ini.

    4. View the config_cloud.ini file to obtain the path for storing the resources used to sign and package the TA.
      vim ../../../build/signtools/config_cloud.ini

      • secSignKey: path of the private_key.pem file, which is used to sign the TA.
      • configPath: path of the config binary file, which is used for signature verification during TA loading.

      If you use relative paths, the preceding two relative paths must be based on itrustee_sdk/build/signtools/signtool_v3.py. You can customize the paths as needed.

    5. Place the private_key.pem and config files in the directories specified in the configuration file. When you use the default configuration, create two directories in the itrustee_sdk/build/signtools directory and upload the two files to the two directories:
      mkdir ../../../build/signtools/TA_cert
mkdir ../../../build/signtools/signed_config

    6. Install the Python library, which will be used to sign and package the TA.
      pip3 install pycryptodomex defusedxml gmssl
    7. Compile the TA. 
      1
      		 
      make

      After the compilation is complete, a TA .sec file is generated in the directory of the Makefile file. The file name is the unique UUID of each TA.

  • TEE OS 1.6.2 and later versions use the SM4-CBC cryptographic algorithm to encrypt TAs. You can set the secEncryptContentAlg field in config_cloud.ini to 1 so that this algorithm is automatically used for TA compilation. The default value is 0 (indicating the AES-CBC algorithm).

  • For more CA and TA development information, see the iTrustee SDK Developer Guide, which you can apply for from your Huawei service representative.