Last edited 4 months ago

How to develop an OP-TEE Trusted Application

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP25x lines

This article describes how to develop a Trusted Application for OP-TEE using an OpenSTLinux environment.

Warning white.png Warning
OP-TEE support for Trusted Applications requires that STM32MPU OP-TEE is configured with secure services enabled.
Please refer to STM32MPU OP-TEE configuration profile article to ensure that the OP-TEE firmware you embed on your target does support Trusted Applications (CFG_WITH_USER_TA=y).

1. Starting from an example[edit | edit source]

The simplest way to begin the development of a new OP-TEE Trusted Application is to start from a minimal example. Let's take the hello_world example from the official optee_examples.git repository:

 git clone https://github.com/linaro-swg/optee_examples

2. Build[edit | edit source]

At this point it is assumed OpenSTLinux SDK is installed and set up correctly.

The Trusted Application can be built by running make. For instance with the "hello_world" example:

 make -C optee_examples/hello_world
 make[1]: Entering directory '…/optee_examples/hello_world/host'
 [...]
 make[1]: Leaving directory '…/optee_examples/hello_world/host'
 make[1]: Entering directory '…/optee_examples/hello_world/ta'
 [...]
 make[1]: Leaving directory '…/optee_examples/hello_world/ta'

3. Run[edit | edit source]

Once built, the Trusted Application (here built from hello_world/ta/) and its client application (here built from hello_world/host) can be copied onto the running system at the expected location. For instance with the "hello_world" example, using scp:

 scp optee_examples/hello_world/host/optee_example_hello_world root@<board ip address>:/usr/bin
 scp optee_examples/hello_world/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta root@<board ip address>:/lib/optee_armtz/

Now it can be executed easily from the running system:

 optee_example_hello_world
 D/TA:  TA_CreateEntryPoint:39 has been called
 D/TA:  TA_OpenSessionEntryPoint:68 has been called
 I/TA: Hello World!
 Invoking TA to increment 42
 D/TA:  inc_value:105 has been called
 I/TA: Got value: 42 from NW
 I/TA: Increase value to: 43
 TA incremented value to 43
 I/TA: Goodbye!
 D/TA:  TA_DestroyEntryPoint:50 has been called

4. Going further[edit | edit source]

To get more information on how to develop on OP-TEE Trusted Application, please refer to https://optee.readthedocs.io/en/latest/building/trusted_applications.html.

Section above shows how to install a Trusted Application on a Linux OS filesystem (here /lib/optee_armtz/ directory). Note however that there are alternate locations where an OP-TEE Trusted Application can be installed: the OP-TEE firmware image and the OP-TEE secure storage. Please refer to https://optee.readthedocs.io/en/latest/architecture/trusted_applications.html for more information.