Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Setting Up the Environment

This section describes how to set up and configure the development and operating environment for the intrinsic cryptographic module.

For details about the CCOS environment deployment script, see https://gitcode.com/openeuler/tee-gp-proxy/tree/master/trustzone-awared-vm/utils/ccos-env-deploy. The following describes the manual deployment procedure.

Before setting up the environment, obtain BoostKit-boostcc-ccos-1.3.zip as instructed in Table 2. Decompress the ZIP package to obtain the HPM firmware, kunpeng_sec_drv.sec, and sdf-utils*.rpm.

Deploying the HPM Package

  1. Log in to the iBMC WebUI, choose iBMC Settings > Firmware Upgrade, select the HPM file in the preceding package, and click Upgrade.

  2. After the upgrade is successful, click the power icon and choose Power Off. Wait for several seconds until the icon turns gray, and then click Power On.

Deploying the SEC Driver

Perform this operation for TEE OS 1.3.0 and later, and skip it for earlier versions.

  1. The preceding package contains the SEC driver that matches the current version. If the SEC driver does not match the current version, the TEE OS may malfunction.
  2. Deploy the SEC driver file.
    1
2
    mkdir -p /var/itrustee/tee_dynamic_drv/crypto/
cp kunpeng_sec_drv.sec /var/itrustee/tee_dynamic_drv/crypto/
    • The SEC driver deployment path is specified by the DYNAMIC_CRYPTO_DRV_DIR macro in the Makefile file of itrustee_client. If you want to change the deployment path, recompile and deploy teecd.
    • When teecd is being started, all files in the directory specified by DYNAMIC_CRYPTO_DRV_DIR are loaded by default. Therefore, do not place any other files in this directory.
    • The SEC driver is automatically loaded when starting the teecd process. If it fails to be loaded, the TEE OS may malfunction. Therefore, you need to deploy the SEC driver before starting the teecd process. If the teecd process is started earlier, you can stop it, deploy the SEC driver, and then start the teecd process.
    • When updating the TEE OS image, you are advised to update the SEC driver too.

Deploying the Environment

  1. Download the itrustee_client source code.
    git clone https://gitcode.com/openeuler/itrustee_client.git -b iTrustee_7.10.0_release
  2. Download the itrustee_tzdriver source code.
    git clone https://gitcode.com/openeuler/itrustee_tzdriver.git -b iTrustee_7.10.0_release
  3. Download the libboundscheck source code.
    git clone https://gitcode.com/openeuler/libboundscheck.git
cd libboundscheck
git checkout 43f39407
  4. Copy the libboundscheck source code to the itrustee_client/ and itrustee_tzdriver/ directories.
    cd ..
cp -rf libboundscheck itrustee_client
cp -rf libboundscheck itrustee_tzdriver
  5. Install the compilation dependencies.
    yum install openssl-devel zlib-devel kernel-devel-$(uname -r)
  6. Compile itrustee_tzdriver.
    cd itrustee_tzdriver && make CPU_GROUP_BINDING=y
  7. After compiling tzdriver, copy tzdriver.ko to the specified directory.
    mkdir -p "/lib/modules/$(uname -r)/kernel/drivers/trustzone/"
cp tzdriver.ko /lib/modules/$(uname -r)/kernel/drivers/trustzone
  8. Compile itrustee_client.
    cd ../itrustee_client
make
make install
  9. Install sdf-utils.
    rpm -ivh sdf-utils*.rpm
  10. Load tzdriver.ko.
    insmod /lib/modules/$(uname -r)/kernel/drivers/trustzone/tzdriver.ko
  11. Run the teecd process.
    nohup /usr/bin/teecd &

1. For details about security management during environment setup, see the Security Management section in the TrustZone Kit Feature Guide.

2. Each time the server is restarted, perform steps 10 and 11 to run the corresponding components.

Parent topic: Environment Preparation