Add information related to SPMC tests and fix stale links. Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
The Trusted Services: framework for developing root-of-trust services
The meta-arm layer includes recipes for [Trusted Services][^1] Secure Partitions and Normal World applications
in `meta-arm/recipes-security/trusted-services`.
Secure Partitions recipes
We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions (SPs). These recipes produce ELF and DTB files for the SPs. These files are automatically included in the optee-os image according to the defined MACHINE_FEATURES.
How to include TS SPs
To include TS SPs in the optee-os image, add to MACHINE_FEATURES the feature for each [Secure Partition][^2] you would like to include:
| Secure Partition | MACHINE_FEATURE |
|---|---|
| Attestation | ts-attesation |
| Crypto | ts-crypto |
| Internal Storage | ts-its |
| Protected Storage | ts-storage |
| se-proxy | ts-se-proxy |
| smm-gateway | ts-smm-gateway |
| spm-test[1-3] | optee-spmc-test |
Other steps depend on your machine/platform definition:
- For communications between Secure and Normal Worlds the Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y` is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES. (Please see `meta-arm/recipes-kernel/arm-ffa-tee`.)

  For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux the `arm-ffa-user` driver is required. This is enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled. (Please see `meta-arm/recipes-kernel/arm-ffa-user`.)

- optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at). You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for the qemuarm64-secureboot machine and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc` for the N1SDP and Corstone1000 platforms respectively.

- trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform). See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for the qemuarm64-secureboot machine and `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for the N1SDP and Corstone1000 platforms.
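The kernel-side requirements in the first item above can be checked before booting an image. The script below is an added example, not part of meta-arm: the function names are hypothetical, and it assumes every Secure Partition feature is either `optee-spmc-test` or starts with `ts-`, as in the table above.

```shell
#!/bin/sh
# Added example, not part of meta-arm: checks a MACHINE_FEATURES value and a
# kernel .config against the requirements described in this README.

# has_feature "<feature list>" <name>: true if <name> is a whole word in the list
has_feature() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# ffa_user_enabled "<feature list>": arm-ffa-user is enabled by either
# ts-smm-gateway or optee-spmc-test; uefi-test and xtest -t ffa_spmc need it
ffa_user_enabled() {
    has_feature "$1" ts-smm-gateway || has_feature "$1" optee-spmc-test
}

# check_ffa_transport "<feature list>" <kernel .config>
# Returns 0 when no SP feature is requested or the kernel has FF-A transport,
# 1 (with a hint on stdout) when SPs are requested but the option is missing.
check_ffa_transport() {
    wants_sp=0
    for f in $1; do
        # Assumption: SP features are optee-spmc-test or carry the ts- prefix
        case $f in ts-*|optee-spmc-test) wants_sp=1 ;; esac
    done
    [ "$wants_sp" -eq 1 ] || return 0
    grep -q '^CONFIG_ARM_FFA_TRANSPORT=y$' "$2" && return 0
    if has_feature "$1" arm-ffa; then
        echo "arm-ffa is set but CONFIG_ARM_FFA_TRANSPORT=y is not in $2"
    else
        echo "CONFIG_ARM_FFA_TRANSPORT=y missing: add arm-ffa to MACHINE_FEATURES"
    fi
    return 1
}

# Constructed sample input: a kernel .config without the FF-A transport option
sample_cfg=$(mktemp)
printf '%s\n' 'CONFIG_ARM64=y' '# CONFIG_ARM_FFA_TRANSPORT is not set' > "$sample_cfg"
check_ffa_transport "ts-crypto ts-its ts-storage" "$sample_cfg" || true
ffa_user_enabled "ts-crypto ts-its ts-storage" ||
    echo "arm-ffa-user not enabled: uefi-test and xtest -t ffa_spmc need it"
rm -f "$sample_cfg"
```

Pass the MACHINE_FEATURES value of your machine and the path of the built kernel `.config` as the two arguments of `check_ffa_transport`.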
Normal World applications
Optionally, for testing purposes, you can add `packagegroup-ts-tests` into your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.
OEQA Trusted Services tests
meta-arm also includes Trusted Service OEQA tests which can be used for automated testing.
See `ci/trusted-services.yml` for an example of how to include them into an image.
[^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html
[^2]: https://trusted-services.readthedocs.io/en/integration/deployments/secure-partitions.html
[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html
[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html