Please see the build-firmware document in the iMX IoT Core repo for additional information on including this TA in an IoT Core image for iMX boards.
The fTPM Trusted Application (TA) provides a secure firmware implementation of a TPM using the MS reference implementation. Platform specific code is copied and modified locally in optee_ta/fTPM/platform, while /fTPM/reference contains files to support WolfSSL, control the fTPM's functionality, and define basic types, which may not be found in OpTEE.
See the reference implementation for more details.
The secure firmware utilizes the OP-TEE implementation of the Global Platform specifications. The OP-TEE project is not duplicated in this repository but is obtained directly from the public release. The build of OP-TEE is based on a native Linux build, however the following installation steps allow OP-TEE to be built under Windows using WSL. Only the optee_os repository is relevant for trusted firmware use - the optee_client & optee_linuxdriver repositories are integration components for Linux and can serve as a reference for the Windows equivalent components. Note that optee_linuxdriver is GPL.
OpTEE generates a build environment for trusted applications which is based on Make (See TA_DEV_KIT_DIR in the build directions). This build environment places several constraints on how the code is organized, which are explained in the relevant makefiles. See the optee_os documentation for details about how OpTEE build works.
See instructions here:
Search for “bash” in the start menu, OR press Windows key + ‘R’, then type bash.
Update if needed.
In WSL:
sudo apt-get update
Install the ARM toolchain to a directory of your choice.
cd ~ wget https://releases.linaro.org/components/toolchain/binaries/6.4-2017.11/arm-linux-gnueabihf/gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz tar xf gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz rm gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
If you do not already have a version of the OP-TEE OS repo cloned on your machine you may run:
cd ~ git clone https://github.com/ms-iot/ms-iot-optee_os.git
TA_CROSS_COMPILE should point to the ARM toolchain installed in step 3.
cd ~/optee_os CROSS_COMPILE=~/gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf- make PLATFORM=imx-mx6qhmbedge CFG_TEE_CORE_LOG_LEVEL=4 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_TESTKEY=y CFG_RPMB_WRITE_KEY=y -j20
Additional information on Microsoft IoT fork of OP-TEE OS can be found here.
cd ~ git clone https://github.com/Microsoft/ms-tpm-20-ref.git
cd ~/ms-tpm-20-ref git submodule init git submodule update
TA_CROSS_COMPILE should point to the ARM toolchain installed in step 3.
TA_DEV_KIT_DIR should point to the directory the optee_os TA devkit was compiled to in step 5.
-j increases the parallelism of the build process.
cd ~/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta TA_CPU=cortex-a9 TA_CROSS_COMPILE=~/gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf- TA_DEV_KIT_DIR=~/optee_os/out/arm-plat-imx/export-ta_arm32 CFG_TEE_TA_LOG_LEVEL=2 make -j20
Debugging options you may want to add:
CFG_TEE_TA_LOG_LEVEL=3 1 is fatal errors only, other values increase debug tracing output.
CFG_TA_DEBUG=y Turns on debug output from the TAs, and enables extra correctness checks in the fTPM TA.