How to develop an OP-TEE Trusted Application


This article describes how to develop a Trusted Application for OP-TEE using an OpenSTLinux environment.

1. Starting from an example

The simplest way to begin the development of a new OP-TEE Trusted Application is to start from a minimal example. Let's take the hello_world example from the official optee_examples.git repository:

 git clone https://github.com/linaro-swg/optee_examples

2. Build

At this point, it is assumed that the OpenSTLinux SDK is installed and set up correctly.

The Trusted Application can be built by running make. For instance, with the "hello_world" example:

 make -C optee_examples/hello_world
 make[1]: Entering directory '…/optee_examples/hello_world/host'
 [...]
 make[1]: Leaving directory '…/optee_examples/hello_world/host'
 make[1]: Entering directory '…/optee_examples/hello_world/ta'
 [...]
 make[1]: Leaving directory '…/optee_examples/hello_world/ta'

3. Run

Once built, the Trusted Application (here built from hello_world/ta/) and its client application (here built from hello_world/host) can be copied onto the running system at the expected location. For instance with the "hello_world" example, using scp:

 scp optee_examples/hello_world/host/optee_example_hello_world root@<board ip address>:/usr/bin
 scp optee_examples/hello_world/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta root@<board ip address>:/lib/optee_armtz/

Now it can be executed easily from the running system:

 optee_example_hello_world
 D/TA:  TA_CreateEntryPoint:39 has been called
 D/TA:  TA_OpenSessionEntryPoint:68 has been called
 I/TA: Hello World!
 Invoking TA to increment 42
 D/TA:  inc_value:105 has been called
 I/TA: Got value: 42 from NW
 I/TA: Increase value to: 43
 TA incremented value to 43
 I/TA: Goodbye!
 D/TA:  TA_DestroyEntryPoint:50 has been called
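
The `.ta` file copied in this section is named after the Trusted Application's UUID. The following POSIX shell functions are an added example, not part of the original article or of optee_examples: they derive that file name from a UUID initializer as written in a TA header and compare it with a built file before it is copied. The function names and the sample initializer (reconstructed from the file name shown above) are assumptions.

```shell
#!/bin/sh
# Constructed sample: UUID initializer (1x32-bit, 2x16-bit, 8x8-bit fields)
# matching the .ta file name used in this article.
SAMPLE_UUID_INIT='{ 0x8aaaf200, 0x2450, 0x11e4, { 0xab, 0xe2, 0x00, 0x02, 0xa5, 0xd5, 0xc5, 0x1b} }'

# ta_file_name "<initializer>": print "<uuid>.ta" in 8-4-4-4-12 form.
# Returns 1 if the initializer does not hold exactly 11 well-formed fields.
ta_file_name() {
    out='' i=0
    # Lower-case the hex digits, then turn every other character into a separator.
    for tok in $(printf '%s' "$1" | tr 'A-FX' 'a-fx' | tr -cs '0-9a-fx' ' '); do
        i=$((i + 1))
        case $i in
            1) width=8 ;;       # first field: 32 bits
            2|3) width=4 ;;     # next two fields: 16 bits each
            *) width=2 ;;       # remaining fields: one byte each
        esac
        case $tok in 0x?*) ;; *) return 1 ;; esac
        # Zero-pad so that short forms such as 0x0 still fill their slot.
        hex=$(printf "%0${width}x" "$tok" 2>/dev/null) || return 1
        [ "${#hex}" -eq "$width" ] || return 1   # value too large for the field
        # Dashes go before fields 2 and 3 and before bytes 0 and 2 of the array.
        case $i in
            2|3|4|6) out="$out-$hex" ;;
            *) out="$out$hex" ;;
        esac
    done
    [ "$i" -eq 11 ] || return 1
    printf '%s.ta\n' "$out"
}

# check_ta_file "<initializer>" "<path to built .ta>"
# Returns 0 when the file name matches the UUID, 1 on mismatch,
# 2 when the initializer cannot be parsed.
check_ta_file() {
    expected=$(ta_file_name "$1") || return 2
    [ "$(basename "$2")" = "$expected" ]
}

# Usage: print the expected file name for the sample initializer.
ta_file_name "$SAMPLE_UUID_INIT"
```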

4. Going further

For more information on how to develop an OP-TEE Trusted Application, please refer to the OP-TEE documentation on building Trusted Applications [1].

The section above shows how to install a Trusted Application on a Linux OS filesystem (here, the /lib/optee_armtz/ directory). Note, however, that there are alternate locations where an OP-TEE Trusted Application can be installed: the OP-TEE firmware image and the OP-TEE secure storage. Please refer to the OP-TEE documentation on Trusted Application architecture [2] for more information.