arm/trusted-services: include documentation

Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-01-12 03:10:15 +00:00 · 2022-10-13 16:47:40 +01:00
parent f8aba2d5f3
commit 90f9e1241b
1 changed files with 53 additions and 0 deletions
--- a/documentation/trusted-services.md
+++ b/documentation/trusted-services.md
@@ -0,0 +1,53 @@
+# The Trusted Services: framework for developing root-of-trust services
+
+  meta-arm layer includes recipes for [Trusted Services][1] Secure Partitions and Normal World applications
+in `meta-arm/recipes-security/trusted-services`
+
+## Secure Partitions recipes
+
+We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions.
+These recipes produce ELF and DTB files for SPs.
+These files are automatically included into optee-os image accordingly to defined MACHINE_FEATURES.
+
+### How to include TS SPs
+
+To include TS SPs into optee-os image you need to add into MACHINE_FEATURES
+features for each [Secure Partition][2] you would like to include:
+
+| Secure Partition  | MACHINE_FEATURE |
+| ----------------- | --------------- |
+| Attestation       | ts-attesation   |
+| Crypto            | ts-crypto       |
+| Internal Storage  | ts-its          |
+| Protected Storage | ts-storage      |
+| se-proxy          | ts-se-proxy     |
+| smm-gateway       | ts-smm-gateway  |
+
+Other steps depend on your machine/platform definition:
+
+1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
+is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES.
+
+2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at).
+You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine
+and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
+for N1SDP and Corstone1000 platforms accordingly.
+
+3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform).
+See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine
+and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
+`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.
+
+## Normal World applications
+
+  Optionally for testing purposes you can add `packagegroup-ts-tests` and `packagegroup-ts-tests-psa` package groups into your image.
+They include [Trusted Services test and demo tools][3]
+
+## OEQA Trusted Services tests
+
+  meta-arm also includes Trusted Service OEQA tests which can be used for automated testing.
+See `ci/trusted-services.yml` for an example how to include them into an image.
+
+[1] https://trusted-services.readthedocs.io/en/integration/overview/introduction.html
+[2] https://trusted-services.readthedocs.io/en/integration/developer/deployments/secure-partitions.html
+[3] https://trusted-services.readthedocs.io/en/integration/developer/deployments/test-executables.html