OP-TEE

Last modified by Microchip on 2025/03/03 06:21

Get Sources

To get the source code for OP-TEE OS, clone the repository.

$ git clone https://github.com/OP-TEE/optee_os.git
Cloning into 'optee_os'...
remote: Enumerating objects: 72568, done.
remote: Counting objects: 100% (14031/14031), done.
remote: Compressing objects: 100% (1909/1909), done.
remote: Total 72568 (delta 12442), reused 12192 (delta 12121), pack-reused 58537
Receiving objects: 100% (72568/72568), 26.90 MiB | 2.82 MiB/s, done.
Resolving deltas: 100% (53100/53100), done.
$ cd optee_os/

After cloning, the default branch is master, which points to the latest version of optee_os. Check out the latest tag, 4.0.0.

$ git checkout 4.0.0

Build

OP-TEE does not have a Kconfig system but can be configured through the command line. By default, however, there is no need to add more options. The default platform flavor is sama5d27_som1_ek. Note: Currently only the sama5d27_som1_ek is supported.

Prerequisites

$ sudo apt install python3-pyelftools

To build the OP-TEE binary:

$ make CROSS_COMPILE=arm-linux-gnueabi- PLATFORM=sam PLATFORM_FLAVOR=sama5d27_som1_ek -j12

A tee.bin file will be created in out/arm-plat-sam/core and should be copied to an SD card so that at91bootstrap can boot it.

Note: By default, OP-TEE displays nothing except some messages in case of errors. To enable more verbose debug output, compile it with the following options:

$ make CROSS_COMPILE=arm-linux-gnueabi- PLATFORM=sam PLATFORM_FLAVOR=sama5d27_som1_ek DEBUG=1 CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_CORE_DEBUG=y -j12

Debugging

As mentioned above, debug messages are not enabled by default and have to be enabled through build variables.

Different print log levels can be configured for both the TEE core and TEE trusted applications. The default value is 1.

  • 0: none
  • 1: error only
  • 2: error and info
  • 3: error, info, and debug
  • 4: error, info, debug, and flow

In addition to the core log, OP-TEE provides a helper script for debugging called symbolize.py, located in the optee_os/scripts folder. This script expands the abort or panic message from OP-TEE. An example call:

scripts/symbolize.py -d out/arm-plat-hikey/core -d ../optee_test/out/ta/* <paste whole dump here>

Secure Storage

Secure storage is implemented in two different ways, as described in the documentation together with the API and the data-path flow. The options mentioned there, for example CFG_REE_FS, are passed as additional build variables.

Both secure storage implementations can be enabled at the same time by passing these options as build variables: CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_RPMB_TESTKEY=y CFG_REE_FS=y

The xtest program verifies the secure storage when it runs its regression tests. To run specific secure storage tests, run xtest _6 and xtest -t benchmark -l 15.
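An added example, not part of the original page or of OP-TEE: a shell function that checks a make command line for the debug and secure-storage variables used above before a build is released. The policy is an assumption of this example: CFG_RPMB_TESTKEY=y selects OP-TEE's built-in RPMB test key and CFG_RPMB_WRITE_KEY=y lets OP-TEE program the RPMB key, which the eMMC accepts only once, so both are treated as development-only along with the debug settings.

```shell
#!/bin/sh
# Added example: audit OP-TEE make variables before a release build.
# The release policy encoded here is an assumption of this example,
# not a Microchip or OP-TEE rule.

# audit_optee_flags VAR=VALUE...
# Prints one finding per line; returns 1 if any finding was printed.
audit_optee_flags() {
    findings=0
    for arg in "$@"; do
        case "$arg" in
            *=*) name=${arg%%=*}; value=${arg#*=} ;;
            *)   continue ;;   # skip -j12 and other non-variable arguments
        esac
        msg=
        case "$name=$value" in
            CFG_RPMB_TESTKEY=y)
                msg="RPMB is authenticated with the built-in test key" ;;
            CFG_RPMB_WRITE_KEY=y)
                msg="OP-TEE is allowed to program the one-time RPMB key" ;;
            CFG_TEE_CORE_DEBUG=y|DEBUG=1)
                msg="debug build" ;;
            CFG_TEE_CORE_LOG_LEVEL=[2-9]|CFG_TEE_TA_LOG_LEVEL=[2-9])
                msg="log level above 1 (error only)" ;;
        esac
        if [ -n "$msg" ]; then
            printf '%s: %s\n' "$arg" "$msg"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the verbose build line from this page combined with
# the secure-storage variables listed above.
audit_optee_flags CROSS_COMPILE=arm-linux-gnueabi- PLATFORM=sam \
    PLATFORM_FLAVOR=sama5d27_som1_ek DEBUG=1 CFG_TEE_CORE_LOG_LEVEL=4 \
    CFG_TEE_CORE_DEBUG=y CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y \
    CFG_RPMB_TESTKEY=y CFG_REE_FS=y -j12 \
    || echo "not suitable for release under this example's policy"
```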