Trusted Application

Last modified by Microchip on 2025/03/03 06:21

In OP-TEE there are two types of applications: traditional user-space applications and trusted applications. Trusted applications are applications that access the secure portion of the OS.

More Trusted Application examples can be found here: OP-TEE Examples.

Building Trusted Application

In OP-TEE, building a trusted application requires mandatory files that follow a certain layout, shown below:

[Image: mandatory files and their layout]

The parent directory of the tree is called my_program; this format makes it easy to organize multiple trusted applications.

Host

The host folder contains the main user-space program.

This program will need to:

  • Initialize a context connecting to TEE
  • Open a TEE session
  • Use a TEEC_Operation variable to pass in arguments from the non-secure world to the secure world
  • Prepare the arguments that are about to be passed using the TEEC_PARAM_TYPES() macro
  • Call the trusted application using TEEC_InvokeCommand()
  • At the end, close the session and context

The Makefile is similar to other Makefiles, with added flags to include the trusted application and the host application. It belongs in the host folder, as shown below:

[Image: example host Makefile]

Trusted Application (TA)

The trusted application folder is more complicated and has many moving parts.

Include Folder

This contains the program's header file, which has the TA commands API and the TA_UUID. The UUID can be generated here. Shown below is an example header file called ta_my_program.h:

[Image: example header file ta_my_program.h]

Note: For clarity, the UUID that was generated for this instance is cd9a3290-457b-4e49-99ff-32145fbde7cb, and TA_MY_PROGRAM_CMD_INC_VALUE is a parameter passed into the main program from the host program.
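An added example, not Microchip's header (which the page showed only as an image): the UUID from the note above written in the struct form a TA header uses, plus a strict parser that confirms the text form used for the <uuid>.ta file name agrees with it. The macro name TA_MY_PROGRAM_UUID, the command ID value 0, the TEE_UUID stand-in and both helper functions are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in with the field layout of TEE_UUID (real type: TA dev kit headers). */
typedef struct {
    uint32_t timeLow;
    uint16_t timeMid;
    uint16_t timeHiAndVersion;
    uint8_t  clockSeqAndNode[8];
} TEE_UUID;

/* What ta_my_program.h needs for the UUID quoted on this page. */
#define TA_MY_PROGRAM_UUID { 0xcd9a3290, 0x457b, 0x4e49, \
    { 0x99, 0xff, 0x32, 0x14, 0x5f, 0xbd, 0xe7, 0xcb } }
#define TA_MY_PROGRAM_CMD_INC_VALUE 0 /* assumed ID, not taken from the page */

/* Strictly parse the 36-character text form; returns 0 on success, -1 on error. */
int uuid_parse(const char *s, TEE_UUID *u)
{
    unsigned int f[11];
    if (strlen(s) != 36)
        return -1;
    for (size_t i = 0; i < 36; i++) {
        int dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return -1;
    }
    if (sscanf(s, "%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x", &f[0], &f[1], &f[2],
               &f[3], &f[4], &f[5], &f[6], &f[7], &f[8], &f[9], &f[10]) != 11)
        return -1;
    u->timeLow = f[0];
    u->timeMid = (uint16_t)f[1];
    u->timeHiAndVersion = (uint16_t)f[2];
    for (int i = 0; i < 8; i++)
        u->clockSeqAndNode[i] = (uint8_t)f[3 + i];
    return 0;
}

/* Returns 1 if the text UUID matches the struct defined in the header. */
int uuid_matches_header(const char *s)
{
    const TEE_UUID hdr = TA_MY_PROGRAM_UUID;
    TEE_UUID u;
    return uuid_parse(s, &u) == 0 && u.timeLow == hdr.timeLow &&
           u.timeMid == hdr.timeMid && u.timeHiAndVersion == hdr.timeHiAndVersion &&
           memcmp(u.clockSeqAndNode, hdr.clockSeqAndNode, 8) == 0;
}
```

A mismatch between the header's struct and the text UUID is easy to introduce when retyping the bytes by hand, so running this check on the string used elsewhere in the build catches it before deployment.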

Main Program

The main program that interacts with the TA entry points is located in this folder as a .c file. The OP-TEE documentation states that there are mandatory TA entry points. These entry points are implemented in this main file, in this example my_program_ta.c. An example of implementing a counter within the TA is shown below. Notice that InvokeCommandEntryPoint can be used to call different functions depending on the parameters passed into it, similar to an ISR.
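An added example, not the page's own my_program_ta.c: a command dispatcher of the kind described above, with the parameter-type check a TA should make before touching params[]. The stand-in definitions replace <tee_internal_api.h> so the file builds off-target, the command ID value 0 is assumed, and the other mandatory entry points are omitted.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins so the file builds off-target. A real TA deletes this part and
 * includes <tee_internal_api.h>; the values follow the GlobalPlatform TEE
 * Internal Core API. */
typedef uint32_t TEE_Result;
typedef union {
    struct { void *buffer; size_t size; } memref;
    struct { uint32_t a, b; } value;
} TEE_Param;
#define TEE_SUCCESS                 0x00000000
#define TEE_ERROR_BAD_PARAMETERS    0xFFFF0006
#define TEE_PARAM_TYPE_NONE         0
#define TEE_PARAM_TYPE_VALUE_INOUT  3
#define TEE_PARAM_TYPE_MEMREF_INPUT 5
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))

#define TA_MY_PROGRAM_CMD_INC_VALUE 0 /* assumed ID, not taken from the page */

static TEE_Result inc_value(uint32_t param_types, TEE_Param params[4])
{
    const uint32_t expected = TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT,
        TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);

    /* The normal world picks param_types, so reject every layout except
     * the one this command defines before reading params[]. */
    if (param_types != expected)
        return TEE_ERROR_BAD_PARAMETERS;
    params[0].value.a++;
    return TEE_SUCCESS;
}

TEE_Result TA_InvokeCommandEntryPoint(void *sess_ctx, uint32_t cmd_id,
                                      uint32_t param_types, TEE_Param params[4])
{
    (void)sess_ctx;
    switch (cmd_id) { /* dispatch on the command ID sent by the host */
    case TA_MY_PROGRAM_CMD_INC_VALUE:
        return inc_value(param_types, params);
    default:
        return TEE_ERROR_BAD_PARAMETERS; /* unknown command */
    }
}
```

Without the param_types comparison, a host that declares slot 0 as a memref would have its buffer pointer bytes read as value.a, which is the type confusion the check prevents.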

Trusted Application Properties Header File

This is a header file that stores the UUID, flags, stack size, and data size. This file is normally called user_ta_header_defines.h and is located in the ta folder. An example:

[Image: example TA properties file]

Makefiles

There are two Makefiles that need to be in the TA folder: a Makefile and a sub.mk file. The Makefile needs to have the UUID labeled BINARY and the include path for the TA devkit; this is taken from the OP-TEE build and passed in as compile arguments.

Example:

[Image: example TA Makefile]

The sub.mk file is the entry point for the source files to build; an example is shown below:

global-incdirs-y +=include
srcs-y += my_program_ta.c

This adds the include folder globally and adds the trusted application's main .c file to the list of source files.

Compiling Trusted Applications

Inside the host folder, the cross compiler and the TEE client export both need to be set.

If using the Buildroot OP-TEE build:

$ make CROSS_COMPILE=<buildroot-at91>/output/host/bin/arm-buildroot-gnueabihf- TEEC_EXPORT=<buildroot-at91>/output/build/optee-client-3.15.0/out/export/usr --no-builtin-variables

This will output the program as a binary in the host folder, where the build was done.

To compile the trusted application, first navigate to the ta folder. The cross compiler needs to be set just as in the step above, along with the location of the ta_dev_kit, which is created when optee_os is built.

An example using Buildroot:

$ make CROSS_COMPILE=<buildroot-at91>/output/host/bin/arm-buildroot-gnueabihf- PLATFORM=sam TA_DEV_KIT_DIR=<buildroot-at91>/output/build/<optee-os>/out/export-ta_arm32/

Copy the Trusted Application

Once the TA and the host application are compiled, they can be copied into the root file system.

If using Buildroot, follow these steps after the build has finished:

  • Copy the trusted application from the ta folder (the file is named <uuid>.ta) into the <buildroot-at91>/output/target/lib/optee_armtz/ folder. If this folder is not there, double-check that the environment was configured correctly for OP-TEE and finished building.
  • Copy the host application from the host folder into the root file system at <buildroot-at91>/output/target/usr/bin/. This location is different due to how OP-TEE separates the secure world and the non-secure world.
  • Go into the buildroot-at91 main build directory and run make; this will build the file system with the new application added.

The image is ready for use.