How to build TEE for Android

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1. Article purpose[edit source]

This article intends to a distribution creator profil end user (see Which Package better suits your needs for more information).

OP-TEE Security feature is composed of several parts:

OP-TEE drivers (hardware/bsp/stm/kernel/optee-driver): TEE and OP-TEE Linux Kernel drivers

OP-TEE OS (hardware/bsp/stm/tee/optee_os): OP-TEE firmware
- OP-TEE OS Firmware is part of bootloader image.
- In ST Android distribution, prebuilt binary exist for OP-TEE OS Firmware, and it is used to generate bootloader image.
- A OP-TEE OS FW is available in vendor/stm/<BoardId>/optee/os/optee.bin.

OP-TEE Client (hardware/bsp/stm/peripheral/optee/optee_client): OP-TEE Userland client
- This component provides the TEE Client API as defined by the GlobalPlatform TEE standard

OP-TEE Tests (hardware/bsp/stm/peripheral/optee/optee_test): OP-TEE Tests suite with dedicated trusted applications
- This module proposes a tests suite for OP-TEE
- Only available when NOT in user building profile

For detail, you can refer to OP-TEE overview page.

Following page explain how to rebuild all except OP-TEE drivers.

For OP-TEE drivers, as part of Linux Kernel drivers compiled as modules, please refer to How to build kernel for Android page.

2. Prerequisites[edit source]

The environment must be installed using the Distribution Package adapted to your selected microprocessor device, STM32MP1 Distribution Package for Android.

To be able to execute following instruction you need to work from your ST AOSP root directory STM32MP1 Distribution Package for Android, initialise your environment and then launch:

source build/envsetup.sh

lunch aosp-eval-userdebug

3. Load OP-TEE source[edit source]

By default, the OP-TEE sources are not part of the STM32MPU distribution for Android. To load the sources, execute the following command:

load_tee

It will load the sources. They can be access from device/stm/stm32mp1-tee/optee_os-stm32mp1

Information

The load_tee script is using configuration file available in the device/stm/stm32mp1-tee/source/patch/<kernel version>/ directory.

4. Build OP-TEE[edit source]

Before trying to build make sure you have the python module pycrypto in your environment else install it:

pip install pycrypto --user

After retriving the OP-TEE sources you can build it using:

build_tee

Usage: build_tee [Options] [Board options]

  This script allows building the OP-TEE OS source

Options:
  -h/--help: print this message
  -v/--version: get script version
  -i/--install: update prebuilt images
  --verbose: enable verbosity
  --clean: clean OP-TEE OS out directory to force full rebuild

Board options:
  -c/--current: build only for current configuration (board and memory)
  or
  -b/--board <name>: set board name = eval or disco (default: all)

5. Generate AOSP without OP-TEE prebuilt[edit source]

In order to compile and generate the AOSP with your custom OP-TEE build you need to change the device/stm/stm32mp1/BoardConfigCommon.mk file and comment those lines:

TARGET_PREBUILT_OPTEE

Then you need to rebuild the AOSP:

make -j

6. Creates OP-TEE prebuilt[edit source]

When you have compile your new OP-TEE and your change are valid, you can generate prebuilt images to simplify it's integration by doing:

build_tee -i