commit | 58587f2178b0ccdad8efd45e75af2d6744dcedd4 | [log] [tgz] |
---|---|---|
author | Sami Tolvanen <samitolvanen@google.com> | Wed Feb 14 01:45:32 2024 +0000 |
committer | Yuan Zhuang <yuanz@apache.org> | Mon Apr 22 14:31:22 2024 +0800 |
tree | 3bbe13382e89fedc2717843a3669f56eb14b94fb | |
parent | e47bf6ad0c5d5b5ab86df127b24a1dedb5269d57 [diff] |
Add missing identifiers for RSA and elliptic curves optee-utee is missing a few algorithm and attribute identifiers required for implementing AOSP KeyMint TA [1]. Add the missing RSA and ECC constants. [1] https://android.googlesource.com/platform/system/keymint/
Teaclave TrustZone SDK (Rust OP-TEE TrustZone SDK) provides abilities to build safe TrustZone applications in Rust. The SDK is based on the OP-TEE project which follows GlobalPlatform TEE specifications and provides ergonomic APIs. In addition, it enables the capability to write TrustZone applications with Rust's standard library (std) and many third-party libraries (i.e., crates). Teaclave TrustZone SDK is a sub-project of Apache Teaclave (incubating).
Teaclave TrustZone SDK has been integrated into the OP-TEE Repo since OP-TEE Release 3.15.0 (18/Oct/21). The aarch64 Rust examples are built and installed into OP-TEE's default filesystem for QEMUv8. Follow this documentation to set up the OP-TEE repo and try the Rust examples!
To get started with Teaclave TrustZone SDK, you could choose either QEMU for Armv8-A (QEMUv8) or other platforms (platforms OP-TEE supported) as your development environment.
The OP-TEE libraries are needed when building Rust applications, so you should finish the Quick start with the OP-TEE Repo for QEMUv8 part first. Then initialize the building environment in Teaclave TrustZone SDK, build Rust applications and copy them into the target's filesystem.
Teaclave TrustZone SDK is located in [YOUR_OPTEE_DIR]/optee_rust/
. Teaclave TrustZone SDK in OP-TEE repo is pinned to the release version. Alternatively, you can try the develop version using git pull
:
cd [YOUR_OPTEE_DIR]/optee_rust/ git pull github master
If you are building trusted applications for other platforms (platforms OP-TEE supported). QEMU and the filesystem in the OP-TEE repo are not needed. You can follow these steps to clone the project and build applications independently from the complete OP-TEE repo. In this case, the necessary OP-TEE libraries are initialized in the setup process.
# install dependencies sudo apt-get install android-tools-adb android-tools-fastboot autoconf \ automake bc bison build-essential ccache cscope curl device-tree-compiler \ expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \ libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \ libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \ mtools netcat python-crypto python3-crypto python-pyelftools \ python3-pycryptodome python3-pyelftools python-serial python3-serial \ rsync unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev
Alternatively, you can use a docker container built with our Dockerfile.
# clone the project git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git cd incubator-teaclave-trustzone-sdk
To build the project, the Rust environment and several related submodules are required.
OPTEE_DIR
is incubator-teaclave-trustzone-sdk/optee/
. OP-TEE submodules (optee_os
, optee_client
and build
) will be initialized automatically in setup.sh
.If you are building within QEMUv8 or already have the OP-TEE repository cloned somewhere, you can set the OP-TEE root directory with:
export OPTEE_DIR=[YOUR_OPTEE_DIR]
Note: your OPTEE root directory should have build/
, optee_os/
and optee_client/
as sub-directory.
./setup.sh
source environment
Note: by default, the target platform is aarch64
. If you want to build for the arm
target, you can setup ARCH
before the source environment
command:
export ARCH=arm source environment
make optee
make examples
Or build your own CA and TA:
make -C examples/[YOUR_APPLICATION]
Besides, you can collect all example CAs and TAs to /incubator-teaclave-trustzone-sdk/out
:
make examples-install
Considering the platform has been chosen (QEMUv8 or other), the ways to run the Rust applications are different.
(cd $OPTEE_DIR/build && make QEMU_VIRTFS_ENABLE=y qemu)
mkdir shared_folder cd [YOUR_OPTEE_DIR]/optee_rust/ && make examples-install) cp -r [YOUR_OPTEE_DIR]/optee_rust/out/* shared_folder/
(cd $OPTEE_DIR/build && make run-only QEMU_VIRTFS_ENABLE=y QEMU_VIRTFS_HOST_DIR=$(pwd)/shared_folder)
mkdir shared && mount -t 9p -o trans=virtio host shared
Copy the applications to your platform and run.
More details about the design and implementation can be found in our paper published in ACSAC 2020: RusTEE: Developing Memory-Safe ARM TrustZone Applications. Here is the BiBTeX record for your reference.
@inproceedings{wan20rustee, author = "Shengye Wan and Mingshen Sun and Kun Sun and Ning Zhang and Xu He", title = "{RusTEE: Developing Memory-Safe ARM TrustZone Applications}", booktitle = "Proceedings of the 36th Annual Computer Security Applications Conference", series = "ACSAC '20", year = "2020", month = "12", }
Teaclave is open source in The Apache Way, we aim to create a project that is maintained and owned by the community. All kinds of contributions are welcome. Thanks to our contributors.