
Failed to Run the CA and TA

Symptom

Symptom:

The CA and TA fail to run. Errors are reported in the system logs and TEE logs, which you can view by running dmesg and tlogcat.

Impact on the system:

  • Non-TrustZone system functions are not affected.
  • The CA and TA cannot be loaded and service functions are affected.

Key Process and Cause Analysis

Possible causes:

  • The REE patch is not properly deployed or loaded.
  • The CA and TA are not properly deployed, or the CA is not run from an absolute path.
  • The TA is using a libc or OpenSSL API that iTrustee does not support.
  • The TA is not compiled correctly. It may use a mismatched config binary file or manifest.txt file.

Troubleshooting method:

The following figure shows the fault locating process.

Figure 1 Failed to load the CA and TA

Conclusion and Solution

  1. Check whether the REE patch is properly deployed and loaded.
    1. Check whether the dynamic library is properly deployed.
      ldconfig -p | grep -E "teec|boundscheck"

      Expected result:

    2. Check whether the teecd daemon and the tzdriver module are properly loaded.
      ps aux | grep teecd
      lsmod | grep tzdriver

    3. If the REE patch is not properly deployed or loaded, redeploy it by following the instructions in Loading Drivers in the REE. Otherwise, go to step 2.
      1. The .so file of the dynamic library must be stored in the /usr/lib64 directory so that the system can find it through its default dynamic library search path.
      2. The teecd daemon must be started using an absolute path. That is, it must be launched by running the /usr/bin/teecd command.
  2. Check security logs in the TEE.
    tlogcat
  3. Check the REE system logs.
    journalctl --since "1 min ago"
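
The step 1 checks can be scripted so that a wrong library location or a teecd started through a relative path is flagged explicitly. The script below is an added example, not part of the original document or of the iTrustee tooling; the function names, the library file names in the constructed sample output, and the use of ps -C in place of ps aux | grep are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): the step 1 REE checks as functions that
# read command output on stdin, so they can be tried offline.

# Reads `ldconfig -p`; passes only if a "teec" and a "boundscheck" library
# both resolve to files under /usr/lib64.
libs_in_lib64() {
    awk '/ => / && $NF ~ /^\/usr\/lib64\// {
             if ($1 ~ /teec/) t = 1
             if ($1 ~ /boundscheck/) b = 1
         }
         END { exit !(t && b) }'
}

# Reads process command lines (`ps -C teecd -o args=`); passes only if teecd
# was started as /usr/bin/teecd. Unlike `ps aux | grep teecd`, this cannot
# match the grep process itself or a teecd started through a relative path.
teecd_absolute() {
    awk '$1 == "/usr/bin/teecd" { ok = 1 } END { exit !ok }'
}

# Reads `lsmod`; passes if the tzdriver module is listed.
tzdriver_loaded() {
    awk '$1 == "tzdriver" { ok = 1 } END { exit !ok }'
}

# Constructed sample outputs (assumed file names, not captured from a host).
sample_ldconfig() {
    printf '\tlibteec.so (libc6,AArch64) => /usr/lib64/libteec.so\n'
    printf '\tlibboundscheck.so (libc6,AArch64) => /usr/lib64/libboundscheck.so\n'
}
sample_lsmod() {
    printf 'Module                  Size  Used by\ntzdriver              262144  1\n'
}

if [ "${1:-}" = "--live" ]; then          # run against the real system
    rc=0
    ldconfig -p | libs_in_lib64           || { echo "FAIL: libraries"; rc=1; }
    ps -C teecd -o args= | teecd_absolute || { echo "FAIL: teecd path"; rc=1; }
    lsmod | tzdriver_loaded               || { echo "FAIL: tzdriver"; rc=1; }
    exit "$rc"
else                                      # offline demo on the samples
    sample_ldconfig | libs_in_lib64 && echo "libs: ok"
    echo "./teecd" | teecd_absolute || echo "teecd: relative path rejected"
    sample_lsmod | tzdriver_loaded && echo "tzdriver: ok"
fi
```

Run it with --live on the target host; if all three checks pass, continue with tlogcat and journalctl as in steps 2 and 3.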