
Compiling and Deploying the QCA Lib and QTA

  1. Compile and deploy libteec.so.

    Obtain and compile itrustee_client by following the instructions in Obtaining the iTrustee Patch Package. Deploy libteec.so in the /usr/lib64 directory, and ensure that /usr/lib64 is in the system's default dynamic library search path.

  2. Download the iTrustee SDK, which contains the QCA lib and QTA source code.
    git clone -b master https://gitee.com/openeuler/itrustee_sdk.git
    
  3. Download and integrate the bounds check function library.
    git clone https://gitee.com/openeuler/libboundscheck.git
    mv libboundscheck/ itrustee_sdk/thirdparty/open_source/
    
  4. Compile and deploy the QCA lib.
    1. Compile the QCA lib.
      cd itrustee_sdk/test/CA/libqca
      make
      

      After the compilation is complete, a dynamic library named libqca.so is generated in the output directory.

    2. Deploy the QCA lib by copying libqca.so to a directory in the default dynamic library search path, for example, /usr/lib64.
      cp output/libqca.so /usr/lib64
      
  5. Compile and deploy the QTA.
    1. Open the QTA source code.
      vim itrustee_sdk/test/TA/qta/src/tee_qta.c
      
    2. Press i to enter insert mode. Add the following content below /* TA auth CA */ in the TA_CreateEntryPoint function so that only the CA started using /vendor/bin/qcaserver can invoke the TA.
      ret = addcaller_ca_exec("/vendor/bin/qcaserver", "root");
      if (ret != TEE_SUCCESS)
          return ret;
      

    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
    4. The QTA depends on cJSON. Download the cJSON source code and save it to the itrustee_sdk/test/TA/qta/src directory.
      wget https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
      tar xvf v1.7.15.tar.gz
      mv cJSON-1.7.15/ itrustee_sdk/test/TA/qta/src/cJSON
      
    5. Similar to common TAs, the QTA requires a TA developer certificate issued by Huawei. For details, see Applying for a TA Developer Certificate in a Debugging Environment.

      After obtaining the certificate, deploy the TA private key and config binary file of the QTA to the following paths, and modify manifest/manifest.txt based on the configs.xml resource file configured to apply for the QTA certificate:

      itrustee_sdk/build/signtools/signed_config/config

      itrustee_sdk/build/signtools/TA_cert/private_key.pem

    6. Install the dependencies of the iTrustee SDK TA signing tool and compile the QTA.
      pip3 install pycryptodomex
      cd itrustee_sdk/test/TA/qta
      make
      

    7. Deploy the QTA. If no QTA path is specified in the QCA lib, the QTA is loaded from the default directory /var/itrustee/ta/. Otherwise, the QTA must be stored in the specified path.
      cp e08f7eca-e875-440e-9ab0-5f381136c600.sec /var/itrustee/ta/
      
    • The QTA is a privileged TA for remote attestation. The QTA UUID must be e08f7eca-e875-440e-9ab0-5f381136c600 and the QTA service name can be modified.
    • After the QTA compilation is complete, you can view the QTA base value in the hash_e08f7eca-e875-440e-9ab0-5f381136c600.txt directory. This value will be used in the configuration file of the Attestation Service.
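
A post-deployment check for the steps above, added here as an example (it is not part of the original guide or of the iTrustee project): it confirms that libteec.so, libqca.so and the QTA image sit in the default locations this guide uses and are not group- or world-writable. The function names check_artifact and check_qta_deploy and the optional root-prefix argument are assumptions made for the example; change the TA path if the QCA lib specifies a different one.

```shell
#!/bin/sh
# Added example: verifies the default deployment layout described in this guide.
# check_artifact, check_qta_deploy and the ROOT prefix are names made up here.

QTA_UUID="e08f7eca-e875-440e-9ab0-5f381136c600"   # fixed QTA UUID from the guide

# check_artifact PATH: the file must exist, be a non-empty regular file, and
# must not be writable by group or others (symlinks are followed).
check_artifact() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "FAIL missing or not a regular file: $path"
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "FAIL empty file: $path"
        return 1
    fi
    # find -perm -020 / -perm -002 match when the group/other write bit is set.
    if [ -n "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL group- or world-writable: $path"
        return 1
    fi
    echo "OK   $path"
}

# check_qta_deploy [ROOT]: ROOT is prepended to every path (empty = live system).
# Returns 0 only if all three artifacts pass.
check_qta_deploy() {
    root=${1:-}
    failures=0
    for rel in \
        /usr/lib64/libteec.so \
        /usr/lib64/libqca.so \
        "/var/itrustee/ta/${QTA_UUID}.sec"
    do
        check_artifact "${root}${rel}" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}
```

Source the file on the target host and run check_qta_deploy with no argument; a non-zero exit status means at least one artifact is missing, empty, or writable by non-owners.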