Compiling and Deploying the QCA Lib and QTA
- Compile and deploy libteec.so.
Obtain and compile itrustee_client by following the instructions in Obtaining the iTrustee Patch Package. Deploy libteec.so in the /usr/lib64 directory. Ensure that /usr/lib64 is in the system's default dynamic library search path.
- Download the iTrustee SDK, which contains the QCA lib and QTA source code.
git clone -b master https://gitee.com/openeuler/itrustee_sdk.git
- Download and integrate the bounds check function library.
git clone https://gitee.com/openeuler/libboundscheck.git
mv libboundscheck/ itrustee_sdk/thirdparty/open_source/
- Compile and deploy the QCA lib.
- Compile the QCA lib.
cd itrustee_sdk/test/CA/libqca
make
After the compilation is complete, a dynamic library named libqca.so is generated in the output directory.

- Deploy the QCA lib, that is, deploy libqca.so to the default search path of the dynamic library, for example, /usr/lib64.
cp output/libqca.so /usr/lib64
- Compile and deploy the QTA.
- Open the QTA source code.
vim itrustee_sdk/test/TA/qta/src/tee_qta.c
- Press i to enter the insert mode. Add the following content below /* TA auth CA */ in the TA_CreateEntryPoint function, indicating that only the CA started using /vendor/bin/qcaserver can invoke the TA.
ret = addcaller_ca_exec("/vendor/bin/qcaserver", "root");
if (ret != TEE_SUCCESS)
    return ret;
- Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- The QTA depends on cJSON. Download the cJSON source code and save it to the itrustee_sdk/test/TA/qta/src directory.
wget https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
tar xvf v1.7.15.tar.gz
mv cJSON-1.7.15/ itrustee_sdk/test/TA/qta/src/cJSON
- Similar to common TAs, the QTA requires a TA developer certificate issued by Huawei. For details, see Applying for a TA Developer Certificate in a Debugging Environment.
After obtaining the certificate, deploy the TA private key and config binary file of the QTA to the following paths, and modify manifest/manifest.txt based on the configs.xml resource file configured to apply for the QTA certificate:
itrustee_sdk/build/signtools/signed_config/config
itrustee_sdk/build/signtools/TA_cert/private_key.pem
- Install the dependencies of the iTrustee SDK TA signing tool and compile the QTA.
pip3 install pycryptodomex
cd itrustee_sdk/test/TA/qta
make

- Deploy the QTA. If the QTA path is not specified in the QCA lib, the QTA is stored in /var/itrustee/ta/ by default. Otherwise, the QTA must be stored in the specified path.
cp e08f7eca-e875-440e-9ab0-5f381136c600.sec /var/itrustee/ta/
- The QTA is a privileged TA for remote attestation. The QTA UUID must be e08f7eca-e875-440e-9ab0-5f381136c600 and the QTA service name can be modified.
- After the QTA compilation is complete, you can view the QTA base value in the hash_e08f7eca-e875-440e-9ab0-5f381136c600.txt file. This value will be used in the configuration file of the Attestation Service.
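Added example (not part of the iTrustee SDK or of this guide's own steps): a POSIX shell check to run after the procedure above. It confirms that the deployed libraries and the QTA image are not group- or world-writable, that the TA private key is accessible only to its owner, and that tee_qta.c still contains the qcaserver caller restriction. The function names, the ROOT and SDK arguments, the use of the default QTA path and the permission rules are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-deployment checks for the paths used in this guide.
# The permission rules are hardening assumptions, not iTrustee requirements.
QTA_UUID=e08f7eca-e875-440e-9ab0-5f381136c600

# Print the 10-character mode string (e.g. -rw-r--r--), following symlinks.
mode_of() { ls -ldL "$1" 2>/dev/null | cut -c1-10; }

# Regular file that neither group nor others can write.
no_loose_write() {
    [ -f "$1" ] || return 1
    case "$(mode_of "$1")" in ?????-??-?) return 0 ;; esac
    return 1
}

# Regular file that only its owner can access (used for the TA signing key).
owner_only() {
    [ -f "$1" ] || return 1
    case "$(mode_of "$1")" in ????------) return 0 ;; esac
    return 1
}

# The caller restriction added to TA_CreateEntryPoint must be in the source.
has_ca_restriction() {
    grep -q 'addcaller_ca_exec("/vendor/bin/qcaserver", *"root")' "$1" 2>/dev/null
}

# check_deploy ROOT SDK: prints each finding, returns the number of failures.
check_deploy() {
    root=${1%/}; sdk=$2; fails=0
    for f in "$root/usr/lib64/libteec.so" "$root/usr/lib64/libqca.so" \
             "$root/var/itrustee/ta/$QTA_UUID.sec"; do
        no_loose_write "$f" ||
            { echo "FAIL $f: missing or group/world-writable"; fails=$((fails + 1)); }
    done
    owner_only "$sdk/build/signtools/TA_cert/private_key.pem" ||
        { echo "FAIL private_key.pem: missing or accessible beyond owner"; fails=$((fails + 1)); }
    has_ca_restriction "$sdk/test/TA/qta/src/tee_qta.c" ||
        { echo "FAIL tee_qta.c: qcaserver caller restriction not found"; fails=$((fails + 1)); }
    return "$fails"
}

# Example: sh check.sh / ./itrustee_sdk   (script name is hypothetical)
if [ "$#" -ge 2 ]; then check_deploy "$1" "$2"; fi
```

An exit status of 0 means every check passed; otherwise the status is the number of failed checks.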