
Confidential Computing

How to Configure the TrustZone Function?

The TrustZone kit in Kunpeng BoostKit for Confidential Computing is provided for scenarios that have confidential data protection requirements. If TrustZone is enabled by default, some resources are reserved and wasted. Therefore, the BIOS provides the TrustZone switch so that the administrator can determine whether to enable this function based on site requirements.

Note that disabling this function does not bypass any security mechanism; the setting is only the TrustZone switch. After it is disabled, TrustZone does not take effect and the related components deployed on the platform are unavailable, but the system remains available and the existing security mechanisms are not weakened.

For details, see TrustZone Feature Guide.

How to Obtain iTrustee?

Kunpeng BoostKit for Confidential Computing is a trusted execution environment (TEE) solution based on TrustZone, a security extension of the standard Arm architecture. TrustZone adds a TEE alongside the original execution environment, which is called the rich execution environment (REE). The two environments are isolated from each other at the chip architecture level so that applications running in the TEE are secure and trusted. TrustZone addresses the security of data in use.

iTrustee, a Huawei-developed trusted OS, serves as the core component of the TrustZone kit.

To install and use the TrustZone kit, see TrustZone Kit Feature Guide.

tlogcat Cannot Collect Log Information Described in the Official Document After teecd Is Run

After teecd is started and then stopped, the tlogcat log output is empty. The possible cause is that the tzdriver module is not loaded. You can load tzdriver, start teecd, and then use tlogcat to view TEE logs by following instructions in Setting Up the TA and CA Operating Environment in the TrustZone Kit Feature Guide.

How to Uninstall tzdriver After Running insmod tzdriver to Load It?

To enable the TrustZone kit, tzdriver must be loaded. However, tzdriver cannot be uninstalled after being loaded. To uninstall tzdriver, you need to restart the server.

Does the SEC Driver Need to Be Downloaded or Is It Integrated in the TEE OS?

The SEC driver is contained in BoostKit-teeos_1.3.1.SPC1.zip. You need to apply for the package from the Huawei technical support website and then download it. If the application fails, contact the Huawei project owner or the customer contact personnel. After downloading the SEC driver, load it by following the instructions in Deploying the SEC Driver in the TrustZone Kit Feature Guide.

How to Enable Trusted Boot for KylinSec OS (openEuler-based Release)?

Currently, only EulerOS supports trusted boot. You can contact the technical personnel of the openEuler community to ask whether secure boot can be enabled for the openEuler-based release and how to enable it.

How to Apply for a TrustZone Kit TA Developer Certificate?

It may be insufficient for a system distribution vendor to apply for a single developer certificate. It is necessary to apply for a level-2 certificate for signing self-compiled trusted applications (TAs). How to apply for the level-2 certificate?

You can apply for the level-2 certificate by email to the Huawei project owner or customer contact personnel. Using PGP-encrypted email is optional. For details, see Applying for a TA Developer Certificate in a Debugging Environment in the TrustZone Kit Feature Guide.

How to Obtain the Test Source Code and Binaries of TrustZone Kit Applications?

Currently, the TrustZone kit does not provide compiled binaries. However, it provides guidance for compiling and deploying Python and Java applications. If required, contact the Huawei project owner or customer contact personnel.

How to Use the TrustZone Kit with Kunpeng Servers?

Typically, a Kunpeng server does not provide the complete TrustZone kit. You need to specify the TEE function when purchasing a Kunpeng server. After the purchase, the server comes with the TEE OS and a permanently valid license. Servers with TEE support will have the TrustZone kit pre-installed before delivery.

To check whether the TrustZone kit has been pre-installed on a server, see Checking the TrustZone Kit in the TrustZone Kit Feature Guide.

How to Download the TEE OS 1.5.0 Firmware Package That Contains the SEC Driver?

The TEE OS HPM firmware package contains kunpeng_sec_drv.sec. You can download the firmware package of the required version from the resource download center.

How to Check the TEE OS Version and Status?

  • Method 1: Run the tlogcat -v command. For details, see Upgrading the TEE OS in the Kunpeng BoostKit for Confidential Computing TrustZone Kit Feature Guide.
    • After setting up the TrustZone environment, you can run the tlogcat -v command to query the iTrustee OS or confidential computing OS (CCOS) version, with no need to install tlogcat.
    • If tlogcat cannot query the OS version, check whether the iTrustee OS or CCOS is properly installed.
  • Method 2: Use the tee-check tool. For details, see Procedure in the Kunpeng BoostKit for Confidential Computing TrustZone Kit Feature Guide. The procedure is as follows:
    1. Install the CCOS.
    2. Install the tee-check tool.
    3. Run the /vendor/bin/tee-check command.
  • Method 3: Check the version on the iBMC home page. The procedure is as follows:
    1. Log in to the iBMC home page of the server.
    2. View the TEE OS firmware version.
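The checks described in the tlogcat FAQ above (tzdriver loaded, teecd running, then tlogcat -v / tee-check) as an added shell diagnostic. This is example code, not part of the Kunpeng BoostKit documentation or tools: it assumes the module is listed as tzdriver in /proc/modules and the daemon as teecd in ps output, and it passes tlogcat -v and tee-check output through unparsed because their formats are not documented here.

```shell
#!/bin/sh
# Added example (not from the Kunpeng BoostKit docs). Module name, daemon name
# and tool paths are taken from the FAQ; everything else is an assumption.

# Return 0 if tzdriver appears in a /proc/modules-style listing.
# $1 = path of the module list (default /proc/modules); a constructed file
# can be passed for offline testing.
tzdriver_loaded() {
    modlist="${1:-/proc/modules}"
    [ -r "$modlist" ] || return 2
    awk '$1 == "tzdriver" { found = 1 } END { exit (found ? 0 : 1) }' "$modlist"
}

# Return 0 if a process named teecd is present.
# $1 = optional file holding "ps -eo comm" output (default: live ps).
teecd_running() {
    if [ -n "$1" ]; then
        grep -qx 'teecd' "$1"
    else
        ps -eo comm | grep -qx 'teecd'
    fi
}

# Print the next step an operator should take; return 0 only when the
# environment is ready for tlogcat. Note that tzdriver cannot be removed once
# loaded (a reboot is required), so the script never tries rmmod.
tee_status() {
    if ! tzdriver_loaded "$1"; then
        echo "tzdriver not loaded: insmod tzdriver before starting teecd (tlogcat output stays empty otherwise)"
        return 1
    fi
    if ! teecd_running "$2"; then
        echo "tzdriver loaded but teecd not running: start teecd, then use tlogcat"
        return 1
    fi
    echo "tzdriver loaded and teecd running: tlogcat -v reports the iTrustee/CCOS version"
    return 0
}

# Query the TEE OS version with whichever tool is present on this host.
tee_version() {
    if command -v tlogcat >/dev/null 2>&1; then tlogcat -v; fi
    if [ -x /vendor/bin/tee-check ]; then /vendor/bin/tee-check; fi
}

# Run the checks only when executed as a script named tee_status.sh.
case "$0" in *tee_status.sh) tee_status && tee_version ;; esac
```

Save as tee_status.sh and run it on the server, or source it and call tee_status with constructed module and process listings to check the logic offline.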

How to Check Whether the TrustZone License Has Expired?

Log in to the iBMC of the server and perform the following steps to view the TrustZone license information. For details, see Environment Requirements in the Kunpeng BoostKit for Confidential Computing TrustZone Kit Feature Guide.

  1. Log in to the iBMC home page and choose iBMC Settings > License Management.
  2. Check the license loading status and expiration date.

How to Verify Whether a Server Supports TEE?

Log in to the BIOS of the server and check whether the server supports TEE. For details, see Environment Requirements in the Kunpeng BoostKit for Confidential Computing TrustZone Kit Feature Guide. The procedure is as follows:

  1. Log in to the server BIOS.
  2. Choose Advanced > TEE Config to view the TEE configuration options and OEMKEY installation state.

    If the TEE OEMKEY state is Install, the Kunpeng TrustZone kit has been pre-installed on the server. You can enable the TrustZone function by setting Support TEE.

How to Check Whether a Kunpeng ECS Supports the TrustZone Feature?

For details, see Checking the TrustZone Kit in the Kunpeng BoostKit for Confidential Computing TrustZone Kit Feature Guide.

What Are the Differences Between Single-Instance and Multi-Instance TAs?

The single_instance parameter can be used to control whether a task operates in single-instance or multi-instance mode. The single-instance mode is suitable for scenarios requiring high data security and simplified management, whereas the multi-instance mode is appropriate for scenarios necessitating high fault tolerance and performance.

How Is TA Development Implemented on a Purchased Kunpeng ECS?

The ECS does not support TA development. You need to purchase a bare metal server (BMS) because the TEE feature can be used only in an environment where the host supports TEE.

How to Distinguish the TEE OS, Confidential Computing OS, and iTrustee?

  • TEE OS

    TEE OS is an OS running in the trusted execution environment (TEE). It is a field displayed on the BMC home page.

  • Confidential computing OS (CCOS)

    The TEE OS has two versions. One is iTrustee, a small system with limited functions, such as remote attestation and level-2 certificates. The other is the extended OS, CCOS, which supports functions such as confidential containers and hardware-based SM4 acceleration. iTrustee no longer integrates new functions and is used only for transition on 16 MB devices; new requirements are integrated into CCOS.

  • iTrustee

    iTrustee is a TEE developed by Huawei based on TrustZone. In terms of confidential computing features and architecture principles, iTrustee is equivalent to TrustZone. As an OS type, iTrustee refers to the TEE OS variant with fewer functions.

  • Version relationship between the TEE OS, CCOS, and iTrustee

    The TEE OS version is the version number displayed on the BMC home page or the external version number of the released software package. This version matches the tag of the REE patch.

    The iTrustee and CCOS versions are the internal evolution versions. After setting up the TEE OS environment, you can run the tlogcat -v command to query the version.

    CCOS version:

    iTrustee version: