
Building and Installing OP-TEE with AOSP on a Raspberry Pi 3B

In my recent research, I have to install instrumentation logic into the TrustZone of an ARM SoC, where system-level code cannot reach it, to monitor the behaviour of apps without their being aware of it.

However, as a former mobile software engineer, I have struggled to understand how TrustZone works and how to manipulate it, since most of my work was interacting with the system and the SDK. What's even worse, most tutorials require a Juno development kit or a HiKey board, which are either extremely expensive or tricky to get. At present, I have a dozen Raspberry Pi 3Bs in the lab.

The Raspberry Pi does not fully support TrustZone; in particular, it has no secure boot. However, there is a project, OP-TEE, that suits this purpose well. OP-TEE supports the HiKey960 and HiKey620 boards by default, and its build tutorial is based on those boards. I referenced this Korean tutorial to build it.

The following steps are my walkthrough.

Note: build the project on a non-Windows system, either bare metal or a virtual machine, since there are critical bugs when building under Windows/WSL. If you don't want to waste an eternity, do it in Ubuntu.

Tutorial

OP-TEE is an open-source implementation of a Trusted Execution Environment (TEE) built on ARM TrustZone technology. It provides a secure world for trusted applications and confidential data. OP-TEE includes:

  • a secure OS (OP-TEE OS, running in the secure world)
  • a rich-OS-level client library and applications (optee-client, tee-supplicant)
  • secure-OS-level trusted applications (TAs)
  • a Linux kernel driver (the TEE driver, which forwards requests to the secure world via SMC calls)
  • ARM Trusted Firmware (ATF), which implements the EL3 secure monitor that switches between the normal and secure worlds on behalf of the kernel driver

OP-TEE supports QEMU and ARM boards including the ARM Juno, Raspberry Pi 3, HiKey, STMicroelectronics boards, etc.

However, the Raspberry Pi 3 port of ATF and OP-TEE is not actually secure. Although the processor (BCM2837) provides the ARMv8 exception levels, the hardware mechanisms needed for secure boot, secure memory and secure peripherals are not available, so nothing stops the normal world from reading or tampering with the "secure" world. The port is only a prototype for development and experimentation, not a trust anchor.

Building OP-TEE for Raspberry Pi 3/3B

  1. We will use Google's AOSP repo tool for code management.
  2. If you are using Ubuntu, install the following packages:

$ sudo apt-get install python3 python3-pip android-tools-adb android-tools-fastboot autoconf \
automake bc bison build-essential cscope curl device-tree-compiler flex \
ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev libfdt-dev \
libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \
libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \
mtools netcat unzip uuid-dev libmagickwand-dev \
xdg-utils xterm xz-utils zlib1g-dev

$ python3 -m pip install pycryptodome pyserial Wand pyelftools
  3. Download the source code of OP-TEE for the Raspberry Pi 3/3B.

$ mkdir ~/optee
$ cd ~/optee
$ repo init -u https://github.com/OP-TEE/manifest.git -m rpi3.xml
$ repo sync
  4. Make toolchains

$ cd build
$ make toolchains

The commands above download and unpack the cross-compiler toolchains (32-bit and 64-bit ARM GCC) that the rest of the build uses.

  5. Build

$ make all

The following targets will be built:

rpi3-firmware
optee-os
arm-tf
optee-client
xtest
u-boot
u-boot-jtag-bin
linux
update_rootfs

During the build you will hit the following error when u-boot's device-tree compiler is linked:

/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
make[3]: *** [scripts/Makefile.host:106: scripts/dtc/dtc] Error 1
make[2]: *** [scripts/Makefile.build:432: scripts/dtc] Error 2
make[1]: *** [Makefile:508: scripts] Error 2
make[1]: Leaving directory '~/optee/u-boot'
make: *** [Makefile:91: u-boot] Error 2

According to this page, the fix is the one applied upstream: remove the redundant global declaration YYLTYPE yylloc; from scripts/dtc/dtc-lexer.l. The Bison-generated parser already defines yylloc, and GCC 10 defaults to -fno-common, so the duplicate definition that older compilers silently merged is now a link error.

Note: in my experience, you have to re-download u-boot, since there is a bug in the bundled version that triggers the error above. So, move to the project directory and run:

$ rm -rf u-boot
$ git clone https://github.com/u-boot/u-boot.git -b v2020.10 --depth 1
  6. Flash to the SD card

$ make flash

  7. Test
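The dtc link error in step 5 can also be fixed in place, without replacing the manifest-pinned u-boot tree. The script below is an added example (not from the original post, nor from the OP-TEE or u-boot projects); its function names and the constructed stand-in lexer file are assumptions made here. It removes the redundant YYLTYPE yylloc; line that the upstream fix removes, keeps a backup for review, and reports a tree that is already clean (for example a newer u-boot release) as a no-op instead of touching it.

```shell
#!/bin/sh
# Added example, not part of the original post or of the OP-TEE/u-boot projects.
# Applies the upstream dtc fix for the "multiple definition of `yylloc'" link
# error to a u-boot checkout, so the tree pinned by the OP-TEE manifest can be
# kept instead of being replaced. Function and file names here are our own.
set -eu

LEXER_REL=scripts/dtc/dtc-lexer.l

# Return 0 when the tree still carries the redundant global declaration.
needs_dtc_fix() {
    grep -q '^YYLTYPE yylloc;$' "$1/$LEXER_REL"
}

# Drop the line 'YYLTYPE yylloc;' from dtc-lexer.l. The Bison-generated
# dtc-parser.tab.c already defines yylloc; with GCC 10's default -fno-common
# the second definition becomes the link error seen during 'make all'.
# A copy of the original is kept as dtc-lexer.l.orig for review with diff(1).
fix_dtc_yylloc() {
    lexer="$1/$LEXER_REL"
    if [ ! -f "$lexer" ]; then
        echo "no dtc lexer at $lexer" >&2
        return 1
    fi
    if ! needs_dtc_fix "$1"; then
        echo "$lexer already clean"
        return 0
    fi
    cp "$lexer" "$lexer.orig"
    # awk rather than sed -i: portable across GNU/BSD, and it always exits 0
    awk '!/^YYLTYPE yylloc;$/' "$lexer.orig" > "$lexer"
    echo "patched $lexer"
}

# Constructed stand-in for the u-boot tree (assumption: only the offending
# line matters; the real lexer is far longer). Prints the temp directory.
make_constructed_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/scripts/dtc"
    cat > "$dir/$LEXER_REL" <<'EOF'
%{
#include "dtc.h"
#include "srcpos.h"
#include "dtc-parser.tab.h"

YYLTYPE yylloc;
extern bool treesource_error;
%}
EOF
    echo "$dir"
}

# Demonstration on the constructed tree. On a real checkout run instead:
#   fix_dtc_yylloc ~/optee/u-boot && (cd ~/optee/build && make all)
tree=$(make_constructed_tree)
needs_dtc_fix "$tree" && fix_dtc_yylloc "$tree"
! needs_dtc_fix "$tree" && echo "duplicate yylloc removed"
rm -rf "$tree"
```

The patch is deliberately a single-line deletion matched exactly, so it cannot touch anything else in the lexer; compare dtc-lexer.l against dtc-lexer.l.orig before rebuilding if you want to see precisely what changed.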

You can also reference the official tutorial to build and test this project.
