Setting Up the Environment
This section describes how to set up and configure the development and operating environment for the intrinsic cryptographic module.
You are advised to use the one-click CCOS environment deployment script.
The following describes the manual deployment procedure.
Before setting up the environment, obtain BoostKit-boostcc-ccos-1.4.RC1.zip as instructed in Table 2. Decompress the ZIP package to obtain the HPM firmware, kunpeng_sec_drv.sec, and sdf-utils*.rpm.
Deploying the SEC Driver
- The preceding package contains the SEC driver that matches the current version. If the SEC driver does not match the current version, the TEE OS may malfunction.
- Deploy the SEC driver file.
1 2
mkdir -p /var/itrustee/tee_dynamic_drv/crypto/ cp kunpeng_sec_drv.sec /var/itrustee/tee_dynamic_drv/crypto/
- The SEC driver deployment path is specified by the DYNAMIC_CRYPTO_DRV_DIR macro in the Makefile file of itrustee_client. If you want to change the deployment path, recompile and deploy teecd.
- When teecd is being started, all files in the directory specified by DYNAMIC_CRYPTO_DRV_DIR are loaded by default. Therefore, do not place any other files in this directory.
- The SEC driver is automatically loaded when starting the teecd process. If it fails to be loaded, the TEE OS may malfunction. Therefore, you need to deploy the SEC driver before starting the teecd process. If the teecd process is started earlier, you can stop it, deploy the SEC driver, and then start the teecd process.
- When updating the TEE OS image, you are advised to update the SEC driver too.
Deploying the Environment
- Download the itrustee_client source code.
git clone https://gitcode.com/openeuler/itrustee_client.git -b iTrustee_7.10.1_release
- Download the itrustee_tzdriver source code.
git clone https://gitcode.com/openeuler/itrustee_tzdriver.git -b iTrustee_7.10.1_release
- Download the libboundscheck source code.
git clone https://gitcode.com/openeuler/libboundscheck.git cd libboundscheck git checkout 43f39407
- Copy the libboundscheck source code to the itrustee_client/ and itrustee_tzdriver/ directories.
cd .. cp -rf libboundscheck itrustee_client cp -rf libboundscheck itrustee_tzdriver
- Install the compilation dependencies.
yum install openssl-devel zlib-devel kernel-devel-$(uname -r)
- Compile itrustee_tzdriver.
cd itrustee_tzdriver && make CPU_BINDING=y
For compilation on Kylin V10/V11 or UOS v20 Server, delete the -fstack-protector-strong option in Makefile. Otherwise, the following stack protection error is reported:

- After compiling tzdriver, copy tzdriver.ko to the specified directory.
mkdir -p "/lib/modules/$(uname -r)/kernel/drivers/trustzone/" cp tzdriver.ko /lib/modules/$(uname -r)/kernel/drivers/trustzone
- Compile itrustee_client.
cd ../itrustee_client make make install
- Install sdf-utils.
rpm -ivh sdf-utils*.rpm
- Load tzdriver.ko.
insmod /lib/modules/$(uname -r)/kernel/drivers/trustzone/tzdriver.ko
- Run the teecd process.
nohup /usr/bin/teecd &
- If a common user is used to execute CA and TA cases, grant the read and write permissions on the /var/itrustee/teecd directory to the user.
sudo setfacl -m u:your_user:rwx /var/itrustee/teecd # Replace your_user with the target user. sudo setfacl -d -m u:your_user:rw /var/itrustee/teecd # Replace your_user with the target user.
Parent topic: Environment Preparation