meta-arm layer includes recipes for Trusted Services Secure Partitions and Normal World applications in meta-arm/recipes-security/trusted-services
We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions. These recipes produce ELF and DTB files for SPs. These files are automatically included into optee-os image accordingly to defined MACHINE_FEATURES.
To include TS SPs into optee-os image you need to add into MACHINE_FEATURES features for each Secure Partition you would like to include:
| Secure Partition | MACHINE_FEATURE |
|---|---|
| Attestation | ts-attesation |
| Crypto | ts-crypto |
| Internal Storage | ts-its |
| Protected Storage | ts-storage |
| se-proxy | ts-se-proxy |
| smm-gateway | ts-smm-gateway |
| spm-test[1-3] | optee-spmc-test |
Other steps depend on your machine/platform definition:
For communications between Secure and Normal Words Linux kernel option CONFIG_ARM_FFA_TRANSPORT=y is required. If your platform doesn't include it already you can add arm-ffa into MACHINE_FEATURES. (Please see meta-arm/recipes-kernel/arm-ffa-tee.)
For running the uefi-test or the xtest -t ffa_spmc tests under Linux the arm-ffa-user drivel is required. This is enabled if the ts-smm-gateway and/or the optee-spmc-test machine features are enabled. (Please see meta-arm/recipes-kernel/arm-ffa-user.)
optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at). You can find examples in meta-arm/recipes-security/optee/optee-os_%.bbappend for qemuarm64-secureboot machine and in meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc and meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc for N1SDP and Corstone1000 platforms accordingly.
trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform). See meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend for qemuarm64-secureboot machine and in meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc and meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc for N1SDP and Corstone1000 platforms.
Optionally for testing purposes you can add packagegroup-ts-tests into your image. It includes Trusted Services test and demo tools and xtest configured to include the ffa_spmc tests.
meta-arm also includes Trusted Service OEQA tests which can be used for automated testing. See ci/trusted-services.yml for an example how to include them into an image.