Creating an Empty GlobalPlatform-Compliant TEE Application Project

You can create either an empty or a template GlobalPlatform-compliant TEE application project. An empty project contains a client application (CA) project and a trusted application (TA) project used for invocation.

Procedure

  1. Click in the shortcut menu bar on the left pane or click next to Development Assistant. The Kunpeng Application Projects page is displayed. See Figure 1.
    Figure 1 Kunpeng Application Projects
  2. Click Secure Computing Application. The Secure Computing Application page is displayed. See Figure 2.
    Figure 2 Secure Computing Application
  3. Click GlobalPlatform-Compliant TEE Application. On the left pane of the displayed page, select Empty project for Project Type and set other parameters as required. See Figure 3.
    Figure 3 Creating an empty GlobalPlatform-compliant TEE application project
  4. Click Next to configure the target node. You can use an existing server or add a new server. To add a server, enter the IP address, SSH port, user name, password, and storage directory. If you select Configure later, no SDKs will be deployed by default. See Figure 4.
    Figure 4 Configuring the target node

    When configuring the new target node, ensure that the node is a physical machine running openEuler 20.03 LTS SP1, UOS 20 SP1, CentOS 7.6, or Kylin V10 on the Arm architecture, and that you have administrator permissions for the node.

  5. Determine whether to deploy the SDK when creating the project. If you select Yes, specify a deployment method. See Figure 5. Click Create.
    Figure 5 Deploying the SDK

    If the secure computing SDK fails to be deployed, rectify the fault by following instructions in Failed to Deploy the Secure Computing Application SDK.

    Table 1 Parameters for configuring a GlobalPlatform-compliant TEE application project

    Parameter

    Description

    Project Type

    The options are:

    • Template project
      • CA Project
      • TA Project
      • RSA Project
      • Data Sealing
      • Secret Vote
      • Cert Assign
    • Empty project
      NOTE:
      • A CA project runs in the REE, and a TA project runs in the TEE. An RSA project implements secure communication based on the CA and TA projects.
      • A data sealing project includes CA and TA projects. The TEE secure storage interface is used to store confidential data.
      • A secret voting project includes CA and TA projects and is based on Advanced Encryption Standard (AES) and RSA encryption.
      • A certificate assignment project includes CA and TA projects. Certificates are issued based on the RSA and SM2 algorithms.

      Dependencies:

      1. Ensure that kunpeng-sc has been installed. (For data sealing and secret voting projects, ensure that kunpeng-sc-devel has been installed. For certificate assignment projects, ensure that the confidential computing SDK and kunpeng-sc-devel have been installed.)
      2. Run the lsmod | grep tzdriver command to check that the tzdriver is properly loaded.
      3. Run the ps -ef | grep teecd command to check that the daemon is properly started.

    Project Name

    The default project name is xxx_ProjectN, which can be modified as required.

    Name of the project to be created.

    NOTE:
    • N is an integer starting from 1 in ascending order.
    • The project name can contain 1 to 64 characters, including only letters, digits, periods (.), hyphens (-), plus signs (+), parentheses (), and underscores (_). It cannot start with a period (.).

    Project Location

    The default project location is C:\Users\username\KunpengProject, which can be modified as required.

    Storage path of the project to be created.

    (Optional) Signature Private Key

    Import the signature private key file.

    (Optional) Config Binary

    Import the binary configuration file.

    Deploy Server

    • Existing
    • New
    • Configure later
    NOTE:

    The new server will be added to the target server management.

    IP Address

    IP address of the target node for subsequent operations.

    SSH Port

    SSH port number of the target node.

    User Name

    Account of the target node for subsequent operations.

    Password

    Password of the target node user.

    Remember password

    If you select this option, the password of the current server user will be remembered.

    Storage Directory

    Storage directory on the target node.

    NOTE:

    The tool reads and writes the content in the storage directory. To avoid data loss, you are advised to use an empty directory.

    Deploy SDK When Creating Project

    Yes: deploys the SDK.

    No: does not deploy the SDK.

    Deploy SDK

    Select an SDK deployment method.

    • Online deployment
      • kunpeng-sc
      • kunpeng-sc-devel
    • Offline deployment
      • kunpeng-sc
      • kunpeng-sc-devel
        NOTE:
        • If you select Online deployment, the server must be connected to the Internet. In an isolated network environment, you need to use a proxy to access the Internet. For details, see Configuring a Proxy.
        • If you select Offline deployment, the SDK is imported from the local host. Download the SDK to the local host and upload it.
  6. Click Create. A dialog box is displayed, asking you to confirm whether TrustZone has been enabled. If it is enabled, select Enabled and click OK. See Figure 6.
    Figure 6 TrustZone dialog box

    TrustZone is a hardware solution to software and hardware security problems in the Arm architecture. Based on TrustZone, iTrustee offers a complete security solution, including a CA in normal mode, a TA in secure mode, and a trusted OS in secure mode. For details about how to enable TrustZone, see Kunpeng BoostKit Confidential Computing TrustZone Kit Feature Guide.

  7. During project creation, the corresponding module content in the secure computing application framework will be verified. You can click Terminate Configuration on the verification page to stop the current verification. If the verification is successful, the module content on the left is displayed in green. If the verification fails, the content is displayed in red.
    Figure 7 Terminating configuration
    Figure 8 Verification success
    Figure 9 Verification failure
    • If the parameters fail to be set, check the network connection and reconfigure the parameters.
    • If the verification fails in online SDK deployment mode, click Retry. If the verification fails in offline SDK deployment mode, click Retry, or click reselect and upload to upload the SDK and perform another verification.
    • During project creation, even if some parameters fail to be configured, you can open the project once it is successfully downloaded.
  8. After the empty GlobalPlatform-compliant TEE application project is created, click Open Project to open it in the current window.
    Figure 10 Viewing the empty GlobalPlatform-compliant TEE application project
  9. Use the Compiler and Debugger to compile and debug the new project. For details, see the README file in the src folder of the project.
    Figure 11 README

    If a project folder or file is added, deleted, modified, or renamed, you can synchronize the change to the remote server. For details, see Synchronizing Code to a Remote Server.

    After the compilation is complete, copy the generated files to the specified directory by following instructions in Instructions on Running Secure Computing Applications.

  10. If the Kunpeng secure computing application project fails to be created, click Reconfigure.
    Figure 12 Reconfigure
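
The dependency checks listed under Project Type in Table 1 (kunpeng-sc installed, tzdriver loaded, teecd started), together with the Arm requirement for the target node, can be scripted so that a plain ps -ef | grep teecd does not pass by matching its own grep process. This is an added example, not part of the DevKit or the original document; the function names, the RPM packaging, the aarch64 value, and the sample output are assumptions.

```shell
#!/bin/sh
# Preflight checks for a TEE target node (added example, not DevKit code).
# Parsers read command output on stdin so they also work on saved output.

# lsmod: match the module name exactly in column 1; a substring match
# would also accept any other module whose name contains "tzdriver".
tzdriver_loaded() {
    awk '$1 == "tzdriver" { found = 1 } END { exit !found }'
}

# ps -ef: column 8 is the executable. Comparing its basename to "teecd"
# skips the "grep teecd" process that a plain grep pipeline always matches.
teecd_running() {
    awk '{ n = split($8, p, "/"); if (p[n] == "teecd") found = 1 }
         END { exit !found }'
}

# Assumption: an Arm target node reports aarch64 from `uname -m`.
arch_is_arm() { [ "$1" = "aarch64" ]; }

# Assumption: the target node uses RPM packaging.
pkg_installed() { rpm -q "$1" >/dev/null 2>&1; }

# Constructed sample output (not captured from a real node).
SAMPLE_LSMOD='Module                  Size  Used by
tzdriver              262144  1
nf_tables             180224  0'
SAMPLE_PS_DOWN='UID   PID  PPID  C STIME TTY      TIME CMD
root  4312 4100  0 10:22 pts/0 00:00:00 grep teecd'
SAMPLE_PS_UP='UID   PID  PPID  C STIME TTY      TIME CMD
root  1187    1  0 09:58 ?     00:00:00 /usr/bin/teecd
root  4312 4100  0 10:22 pts/0 00:00:00 grep teecd'

# Run every check on the live node; the return value is the failure count.
preflight() {
    fails=0
    arch_is_arm "$(uname -m)" || { echo "FAIL: not an Arm node"; fails=$((fails + 1)); }
    pkg_installed kunpeng-sc || { echo "FAIL: kunpeng-sc not installed"; fails=$((fails + 1)); }
    lsmod 2>/dev/null | tzdriver_loaded || { echo "FAIL: tzdriver not loaded"; fails=$((fails + 1)); }
    ps -ef | teecd_running || { echo "FAIL: teecd not running"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: node is ready"
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Save the script on the target node under any name and run it with the --run argument; the exit status is the number of failed checks.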

Navigation Back

  • When configuring parameters, you can click Kunpeng Application Project or Secure Computing Application in the upper left corner of the page. The Leave dialog box is displayed. Clicking OK will clear related configurations.
    Figure 13 Leave dialog box when setting parameters
  • When creating a project, you can click Kunpeng Application Project or Secure Computing Application in the upper left corner of the page. The Leave dialog box is displayed. Clicking OK will terminate the configuration.
    Figure 14 Leave dialog box when creating a project