How to build TEE for Android

Revision as of 10:23, 17 September 2019 by Registered User

This article explains how to build the TEE components, except the OP-TEE drivers. The latter are part of the Linux build process and are compiled as loadable modules; refer to How to build kernel for Android. This article is intended for Distribution Package users.

The OP-TEE Security feature is composed of several parts:

  • OP-TEE drivers: included in the Linux kernel.
  • OP-TEE OS: part of the bootloader image.
  • OP-TEE Client: the OP-TEE userland client, part of the STM32MPU distribution for Android™.
  • OP-TEE Tests: the OP-TEE test suite with its dedicated trusted applications, part of the STM32MPU distribution for Android™.
    • This module provides a test suite for OP-TEE.
    • Only available when NOT building the user profile.

For details, refer to the OP-TEE overview page.

1. Prerequisites

The environment must be installed using the Distribution Package adapted to your selected microprocessor device. See the list of Android Distribution Package.

To execute the following instructions, work from your distribution root directory, initialize your environment and then run lunch:

 source build/envsetup.sh
 bspsetup
 lunch aosp-<BoardId>-userdebug

Information: The bspsetup command needs to be run only once for the distribution.

2. Partition layout

The OP-TEE OS is split across three partitions, teeh, teed and teex, to support paging.

The OP-TEE TAs (Trusted Applications) are integrated into the vendor partition.

The binaries are available in device/stm/<STM32Series>-tee/prebuilt.

Information: For more information on the complete partition layout for your development platform, refer to the corresponding Flash mapping article named Your_development_platform Flash mapping for Android (for example, STM32MP15 Flash mapping for Android for the STM32MP15 boards).

All Flash mapping for Android articles belong to the Category:Flash mapping for Android.

3. Load the tee sources

By default, the OP-TEE sources are not part of the STM32MPU distribution for Android™. To load the sources, execute the following command:

 load_tee

Information: The load_tee script uses the configuration file android_opteeos.config located in the device/stm/<STM32Series>-tee/source/patch/optee-<version>/ directory.

The loaded sources can then be accessed in the device/stm/<STM32Series>-tee/optee_os-<STM32Series> directory.

Information: By default, only an archive is fetched from the remote repository (to reduce size). If required, you can instead clone the remote repository to get the full git history.

For that purpose, replace TEE_ARCHIVE_PATH with TEE_GIT_PATH in the android_opteeos.config file, then execute load_tee again (with the -f option to replace the previously loaded sources).

4. Build the tee

After retrieving the OP-TEE sources you can build them using:

 build_tee

This command generates OP-TEE for every available board. To generate it for one board only:

 build_tee --board <BoardId>

or

 build_tee --current

For more information, check the command usage:

 build_tee -h
Usage: build_tee [Options] [Board] [Command]

  This script allows building the OP-TEE OS source

Options:
  -h/--help: print this message
  -i/--install: update prebuilt images
  -v/--version: get script version
  --verbose <level>: enable verbosity (1 or 2 depending on level of verbosity required)

Board: Optional (default = all)
  -c/--current: build only for current configuration (board and memory)
  or
  -b/--board <name>: set board name = eval or disco

Command: Optional, only one command at a time supported
  clean: execute make clean on targeted module

5. Integrate the tee

To integrate the new OP-TEE solution into your distribution, you first have to update the prebuilt images:

 build_tee -i

Then build the full distribution:

 make -j

Then you can update the associated partitions on your device. Refer to Flashing the built image.

6. Build Trusted Applications

You can customize which trusted applications are built. For that purpose, change the configuration file android_tabuild.config located in device/stm/<STM32Series>-tee/source.

To build trusted applications, execute:

 build_ta

This script generates every application for all available boards. To generate them for one board only:

 build_ta --board <BoardId>

or

 build_ta --current

For more information, check the command usage:

 build_ta -h
Usage: build_ta [Options] [Board options]

  This script allows building the trust applications (TA) source listed in android_tabuild.config file

Options:
  -h/--help: print this message
  -i/--install: update prebuilt images
  -v/--version: get script version
  --verbose <level>: enable verbosity (1 or 2 depending on level of verbosity required)

Board options:
  -c/--current: build only for current configuration (board and memory)
  or
  -b/--board <name>: set board name = eval or disco (default: all)

7. Integrate Trusted Applications

To integrate the new trusted applications into your distribution, you first have to update the prebuilt images:

 build_ta -i

Then update the device.mk file so that the trusted application is copied into the /vendor/lib/optee_armtz directory:

 PRODUCT_COPY_FILES += \
 	device/stm/<STM32Series>-tee/prebuilt/<BoardId>/ta/<UUID>.ta:$(TARGET_COPY_OUT_VENDOR)/lib/optee_armtz/<UUID>.ta

Then build the full distribution:

 make -j

Then you can update the associated partitions on your device. Refer to How to populate boards for Android.
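The device.mk step above has to be repeated for every TA placed in the vendor partition. The helper below is an added example, not part of the STM32MPU distribution: it walks a board's prebuilt TA directory and emits the matching PRODUCT_COPY_FILES entries, accepting only files named as a lower-case <UUID>.ta so that nothing other than a properly named trusted application is copied into /vendor/lib/optee_armtz. The series name, board name and prebuilt root used in the usage comment are illustrative values.

```shell
#!/bin/sh
# Added example (not from the STM32MPU distribution): generate the
# PRODUCT_COPY_FILES lines for every trusted application found under
# <root>/<STM32Series>-tee/prebuilt/<BoardId>/ta.
#
# Usage: gen_ta_copy_lines <STM32Series> <BoardId> [prebuilt root]
#   e.g. gen_ta_copy_lines stm32mp1 eval device/stm   (illustrative values)

# Returns 0 when the argument is a lower-case 8-4-4-4-12 hex UUID,
# the file-name form OP-TEE uses for TA binaries.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Prints a PRODUCT_COPY_FILES block on stdout; files whose name is not a
# UUID are reported on stderr and skipped. Returns 1 if the TA directory
# is missing or no valid TA was found.
gen_ta_copy_lines() {
    series=$1 board=$2 root=${3:-device/stm}
    tadir="$root/${series}-tee/prebuilt/${board}/ta"
    [ -d "$tadir" ] || { echo "no TA directory: $tadir" >&2; return 1; }
    count=0
    printf 'PRODUCT_COPY_FILES +='
    for f in "$tadir"/*.ta; do
        [ -e "$f" ] || break          # glob did not match anything
        uuid=${f##*/}; uuid=${uuid%.ta}
        if ! is_uuid "$uuid"; then
            echo "skipping $f: file name is not a UUID" >&2
            continue
        fi
        # Continuation backslash goes at the end of the previous line,
        # so the last entry is emitted without one.
        printf ' \\\n\t%s:$(TARGET_COPY_OUT_VENDOR)/lib/optee_armtz/%s.ta' \
            "$f" "$uuid"
        count=$((count + 1))
    done
    printf '\n'
    [ "$count" -gt 0 ]
}
```

Redirect the output into device.mk (or paste it in) after running build_ta -i, then rebuild with make -j as described above.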