How to build TEE for Android

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1. Article purpose[edit source]

This article is intended for Distribution creator profile users (see Which Package better suits your needs for more information).

The OP-TEE Security feature is composed of several parts:

OP-TEE drivers (hardware/bsp/stm/kernel/optee-driver): TEE and OP-TEE Linux Kernel drivers

OP-TEE OS (hardware/bsp/stm/tee/optee_os): OP-TEE firmware
- OP-TEE OS Firmware is part of bootloader image.
- In the ST Android distribution, a prebuilt binary exists for the OP-TEE OS Firmware and is used to generate the bootloader image.
- A OP-TEE OS Firmware is available in vendor/stm/<BoardId>/optee/os/optee.bin.

OP-TEE Client (hardware/bsp/stm/peripheral/optee/optee_client): the OP-TEE userland client
- This component provides the TEE Client API as defined by the GlobalPlatform TEE standard

OP-TEE Tests (hardware/bsp/stm/peripheral/optee/optee_test): OP-TEE Tests suite with dedicated trusted applications
- This module proposes a tests suite for OP-TEE
- Only available when NOT in user building profile

For detail, you can refer to OP-TEE overview page.

The following page explains how to rebuild all the components, except the OP-TEE drivers. The latter are part of the Linux build process and are compiled as loadable modules, please refer to How to build kernel for Android.

2. Prerequisites[edit source]

The environment must be installed using the Distribution Package adapted to your selected microprocessor device, STM32MP1 Distribution Package for Android.

To be able to execute the following instructions you need to work from your distribution root directory STM32MP1 Distribution Package for Android, initialize your environment and then run lunch:

 source build/envsetup.sh
 lunch aosp-eval-userdebug

3. Load OP-TEE source[edit source]

By default, the OP-TEE sources are not part of the STM32MPU distribution for Android. To load the sources, execute the following command:

load_tee

The newly loaded sources can then be accessed at the device/stm/<SocId>-tee/optee_os-<SocId> directory.

Information

The load_tee script uses the configuration file located in the device/stm/<SocId>-tee/source/patch/<kernel version>/directory.

4. Building OP-TEE[edit source]

After retrieving the OP-TEE sources you can build them using:

 build_tee

Usage: build_tee [Options] [Board options]

  This script allows building the OP-TEE OS source

Options:
  -h/--help: print this message
  -v/--version: get script version
  -i/--install: update prebuilt images
  --verbose: enable verbosity
  --clean: clean OP-TEE OS out directory to force full rebuild

Board options:
  -c/--current: build only for current configuration (board and memory)
  or
  -b/--board <name>: set board name = eval or disco (default: all)

5. Generating distribution without a prebuilt OP-TEE[edit source]

In order to compile and generate distribution with your custom OP-TEE build you need to change the device/stm/<SocId>/BoardConfigCommon.mk file and comment those lines:

TARGET_PREBUILT_OPTEE

Then you need to rebuild the distribution:

 make -j

6. Creating a prebuilt OP-TEE[edit source]

When you have compiled your new OP-TEE and your change are validated, you can generate prebuilt images and easily integrate them by running:

 build_tee -i