How to build TEE for Android

Revision as of 16:51, 20 August 2019 by Registered User

This article explains how to build the TEE components, except the OP-TEE drivers. The drivers are part of the Linux build process and are compiled as loadable modules; refer to How to build kernel for Android. This article is intended for Distribution Package users.

The OP-TEE security feature is composed of several parts:

  • OP-TEE drivers: included in the Linux kernel.
  • OP-TEE OS: part of the bootloader image.
  • OP-TEE Client: the OP-TEE userland client, part of the STM32MPU distribution for Android™.
  • OP-TEE Tests: the OP-TEE test suite with dedicated trusted applications, part of the STM32MPU distribution for Android™.
    • This module provides a test suite for OP-TEE.
    • Only available when NOT in the user build profile.

For details, refer to the OP-TEE overview page.

1. Prerequisites

The environment must be installed using the Distribution Package adapted to your selected microprocessor device. See the list of Android Distribution Package.

To execute the following instructions, work from the root directory of your STM32MP1 Distribution Package for Android, initialize your environment, and then run lunch:

 source build/envsetup.sh
 bspsetup
 lunch aosp-<BoardId>-userdebug

Information: The bspsetup command only needs to be run once for the distribution.

2. Load OP-TEE source

By default, the OP-TEE sources are not part of the STM32MPU distribution for Android. To load the sources, execute the following command:

 load_tee

The newly loaded sources can then be accessed at the device/stm/<SocId>-tee/optee_os-<SocId> directory.

Information: The load_tee script uses the configuration file located in the device/stm/<SocId>-tee/source/patch/optee-<version>/ directory.

3. Building OP-TEE

After retrieving the OP-TEE sources you can build them using:

 build_tee

This command generates OP-TEE for every available board. To generate it for only one board:

 build_tee --board <BoardId>

For more information check the command usage:

 build_tee -h
 Usage: build_tee [Options] [Board options]

   This script allows building the OP-TEE OS source

 Options:
   -h/--help: print this message
   -v/--version: get script version
   -i/--install: update prebuilt images
   --verbose: enable verbosity
   --clean: clean OP-TEE OS out directory to force full rebuild

 Board options:
   -c/--current: build only for current configuration (board and memory)
   or
   -b/--board <name>: set board name = <BoardId> (default: all)

4. How to build trusted applications

You can customize which trusted applications are built by changing the configuration file android_tabuild.config located in device/stm/stm32mp1-tee/source.

To build the trusted applications, execute:

 build_ta

To install them:

 build_ta -i

This script works like build_tee: it generates every application for all available boards. To generate them for only one board:

 build_ta --board <BoardId>

For more information check the command usage:

 build_ta -h
 Usage: build_ta [Options] [Board options]

   This script allows building the trust applications (TA) source listed in android_tabuild.config file

 Options:
   -h/--help: print this message
   -v/--version: get script version
   -i/--install: update prebuilt images
   --verbose: enable verbosity
   --clean: clean TA out directory to force full rebuild

 Board options:
   -c/--current: build only for current configuration (board and memory)
   or
   -b/--board <name>: set board name = <BoardId> (default: all)

5. Creating a prebuilt OP-TEE

When you have compiled your new OP-TEE and your changes are validated, you can generate the prebuilt images:

 build_tee -i
 build_ta -i
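
Because the install step overwrites the secure-world binaries that later builds reuse, it is worth recording exactly which prebuilt files changed. The following is an added example, not part of the STM32MPU distribution scripts: it hashes a directory before and after a command and reports the differences. The directory argument is an assumption, since this page does not state where the prebuilt images are stored; `PREBUILT_DIR` in the usage comment is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which prebuilt files an install command changes.

# snapshot_prebuilt DIR: print a "sha256  ./path" manifest of every file in DIR.
snapshot_prebuilt() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# changed_prebuilt BEFORE AFTER: compare two manifests and print one line per
# added, modified or removed path (the path starts at column 67, so file
# names containing spaces are handled).
changed_prebuilt() {
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { before[p] = h; next }
        {
            seen[p] = 1
            if (!(p in before))       print "added    " p
            else if (before[p] != h)  print "modified " p
        }
        END { for (p in before) if (!(p in seen)) print "removed  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# audit_install DIR CMD [ARGS...]: run CMD and report what it changed in DIR.
# Returns the exit status of CMD so a failed install is still visible.
audit_install() {
    audit_dir=$1; shift
    audit_before=$(mktemp) && audit_after=$(mktemp) || return 1
    snapshot_prebuilt "$audit_dir" > "$audit_before" || return 1
    audit_rc=0
    "$@" || audit_rc=$?
    snapshot_prebuilt "$audit_dir" > "$audit_after"
    changed_prebuilt "$audit_before" "$audit_after"
    rm -f "$audit_before" "$audit_after"
    return "$audit_rc"
}

# Usage, after envsetup/lunch (PREBUILT_DIR is a placeholder you must set):
#   audit_install "$PREBUILT_DIR" build_tee -i
#   audit_install "$PREBUILT_DIR" build_ta -i
```

Review the reported paths against the change you intended to make before committing the updated prebuilt images.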