HKG18-119 - Overview of integrating OP-TEE into HiKey620 AOSP

HKG18-119 Overview of Integrating
OP-TEE into HiKey620 AOSP Builds
Victor Chong

Agenda
● First things first
● Local manifests
● Patches
● Custom CA/TA
● Calling CA/TA from AOSP
● Improvements

First things first - build Google HiKey620 AOSP
repo init -u https://android.googlesource.com/platform/manifest -b master
repo sync -j24
wget https://dl.google.com/dl/android/aosp/linaro-hikey-20170523-4b9ebaff.tgz
tar xzf linaro-hikey-20170523-4b9ebaff.tgz
./extract-linaro-hikey.sh
apt-get install mtools
. build/envsetup.sh
lunch hikey-userdebug
make -j32
https://source.android.com/setup/devices (HiKey boards)

Build Linaro HiKey620 AOSP O (with OP-TEE)
# install dependencies
repo init -u https://android-git.linaro.org/git/platform/manifest.git -b
android-8.1.0_r7 -g "default,-non-default,-device,hikey"
cd .repo
git clone https://android-git.linaro.org/git/platform/manifest.git -b linaro-oreo
local_manifests
cd ../
repo sync
repo manifest -r -o pinned-manifest.xml
# apply Linaro patches
source ./build/envsetup.sh
lunch hikey-userdebug
make TARGET_BUILD_KERNEL=true TARGET_BOOTIMAGE_USE_FAT=true
CFG_SECURE_DATA_PATH=y CFG_SECSTOR_TA_MGMT_PTA=y
TARGET_TEE_IS_OPTEE=true TARGET_BUILD_UEFI=true
https://github.com/linaro-swg/optee_android_manifest/tree/lcr-ref-hikey-o

Local manifests
git clone https://android-git.linaro.org/git/platform/manifest.git
-b linaro-oreo local_manifests
Local manifest contains
● optee_* repos
● kernel source tree

.repo/local_manifests/
arm.xml
hikey.xml
linaro-pm-extras.xml
linaro-toolchains.xml
linaro.xml
optee.xml
update-externals.xml
x15.xml
x20.xml

.repo/local_manifests/optee.xml
<project path="external/optee_test" name="OP-TEE/optee_test"
revision="refs/tags/2.6.0" remote="github-optee" />
<project path="external/optee_client" name="OP-TEE/optee_client"
<project path="optee/optee_os" name="OP-TEE/optee_os"
<project path="external/optee_examples"
name="linaro-swg/optee_examples" revision="master"
remote="github-optee" />
NOTE: Adjust revision as necessary

.repo/local_manifests/hikey.xml
<project path="kernel/linaro/hisilicon"
name="kernel/hikey-linaro" revision="android-hikey-linaro-4.9"
remote="aosp" groups="device,hikey" />

Linaro patches
android-patchsets/
hikey-o-workarounds
get-hikey-blobs
O-RLCR-PATCHSET
hikey-optee-o*
hikey-optee-4.9*
OREO-BOOTTIME-OPTIMIZATIONS-HIKEY
optee-master-workarounds*
swg-mods-o*
hikey-tv (optional)
NOTE: These are custom scripts, not regular patch files. To apply them, execute each file (in
order) from root of source tree!
* OP-TEE related patches, mostly contained within device/linaro/hikey

hikey-optee-o
##################################################
###### OP-TEE support on device config ####
##################################################
## Integrate OP-TEE components
## optee: integrate for optee components
## http://android-review.linaro.org/17833
apply --linaro device/linaro/hikey 17833/3
## OP-TEE selinux
## https://android-review.linaro.org/#/c/17177/
## Enable OP-TEE in the bootloader
## build fip.bin automatically

hikey-optee-4.9
● Any additionally required OP-TEE kernel patches that are not mainlined
● Currently limited to patches required to enable SDP

swg-mods-o
#######################################################
## Patches for SWG use cases different than r-lcr #####
#######################################################
## Add optee_examples CA and TA
## Allow extra flags for optee_os builds

Patch: Integrate OP-TEE components
device/linaro/hikey/device-common.mk
# Include OP-TEE packages
$(call inherit-product-if-exists, device/linaro/hikey/optee-packages.mk)
device/linaro/hikey / ueventd.common.rc
/dev/tee0 0660* shell shell
/dev/teepriv0 0660* shell shell
* Try 0666 when troubleshooting permission issues

device/linaro/hikey/init.common.rc
on post-fs-data
# create for OP-TEE test
mkdir /data/tee 0775 shell shell
mkdir /data/tee/optee_armtz 0775 shell shell
restorecon_recursive /data/tee
service tee-supplicant /system/bin/tee-supplicant
class main
user root
oneshot

device/linaro/hikey/optee-packages.mk
OPTEE_PLATFORM ?= hikey
OPTEE_PLATFORM_FLAVOR ?= hikey
OPTEE_CFG_ARM64_CORE ?= y
OPTEE_TA_TARGETS ?= ta_arm64
OPTEE_OS_DIR ?= optee/optee_os
BUILD_OPTEE_MK := $(OPTEE_OS_DIR)/mk/aosp_optee.mk
PRODUCT_PACKAGES += libteec tee-supplicant xtest
PRODUCT_PACKAGES += 5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.ta
PRODUCT_PACKAGES += 5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta
…
PRODUCT_PACKAGES += 12345678-5b69-11e4-9dbb-101f74f00099.ta

Patch: OP-TEE selinux
device/linaro/hikey/sepolicy/file_contexts
# optee files
/system/bin/tee-supplicant u:object_r:tee_exec:s0
/system/bin/xtest u:object_r:tee_exec:s0
/dev/teepriv[0-9]* u:object_r:tee_device:s0
/dev/tee[0-9]* u:object_r:tee_device:s0
/data/tee(/.*)? u:object_r:tee_data_file:s0

device/linaro/hikey/sepolicy/tee.te
# allow run xtest as shell
domain_auto_trans(shell, tee_exec, tee);
allow shell tee_exec:file { getattr execute read open execute_no_trans };
allow shell tee_data_file:file { create write open getattr unlink read };
allow shell tee_data_file:dir { write add_name remove_name rename search };
allow shell tee_data_file:chr_file { read write open ioctl };
allow tee console_device:chr_file { getattr read write ioctl };
allow tee shell:fd { use };
allow tee tee_data_file:dir { create rmdir rename };
allow tee system_data_file:dir { write remove_name };

device/linaro/hikey/sepolicy/tee.te (cont.)
# For xtest 200x tests
allow tee tee:tcp_socket { create connect read write getopt setopt };
allow tee tee:udp_socket { create connect read write getopt getattr };
allow tee tee:capability { net_raw };
allow tee fwmarkd_socket:sock_file { write };
allow tee port:tcp_socket { name_connect };
allow netd tee:tcp_socket { read write getopt setopt };
allow netd tee:udp_socket { read write getopt setopt };
allow netd tee:fd { use };
typeattribute tee socket_between_core_and_vendor_violators;
typeattribute tee_data_file core_data_file_type;
typeattribute tee coredomain;

Patch: Enable OP-TEE in the bootloader
● Include optee_os binary in fip.bin
● Shortened/simplified version
device/linaro/hikey/bootloader/Makefile
OPTEE_OS_DIR=$(ANDROID_BUILD_TOP)/optee/optee_os
UEFI_BUILD_EXTRA_ARGS =
ifeq ($(TARGET_TEE_IS_OPTEE), true)
UEFI_BUILD_EXTRA_ARGS+=-s $(OPTEE_OS_DIR)
endif
$(UEFI_TOOLS_DIR)/uefi-build.sh -b $(TARGET) -D
EDK2_OUT_DIR=$(ANDROID_BUILD_TOP)/$(PRODUCT_OUT)/obj/uefi -a $(ATF_DIR)
$(UEFI_BUILD_EXTRA_ARGS) hikey

Patch: build fip.bin automatically
device/linaro/hikey/build/tasks/build_uefi.mk
ifeq ($(TARGET_BUILD_UEFI), true)
BOOTLOADER_DIR ?= $(ANDROID_BUILD_TOP)/device/linaro/hikey/bootloader
DIST_DIR_PRODUCT ?= $(ANDROID_BUILD_TOP)/out/dist
TARGET_TEE_IS_OPTEE ?= false
$(DIST_DIR_PRODUCT)/fip.bin: $(BOOTLOADER_DIR)/Makefile
$(MAKE) -C $(BOOTLOADER_DIR) DIST_DIR=$(DIST_DIR_PRODUCT)
TARGET_TEE_IS_OPTEE=$(TARGET_TEE_IS_OPTEE) all
cp $@ $(ANDROID_BUILD_TOP)/device/linaro/hikey/installer/hikey

Patch: build fip.bin automatically
device/linaro/hikey/build/tasks/build_uefi.mk (cont.)
$(DIST_DIR_PRODUCT)/l-loader.bin: $(DIST_DIR_PRODUCT)/fip.bin
cp $@ $(ANDROID_BUILD_TOP)/device/linaro/hikey/installer/hikey
droidcore: $(DIST_DIR_PRODUCT)/fip.bin $(DIST_DIR_PRODUCT)/l-loader.bin
endif

Patch: Add optee_examples CA and TA
PRODUCT_PACKAGES += optee_example_helloworld
PRODUCT_PACKAGES += 8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta
PRODUCT_PACKAGES += optee_example_random
PRODUCT_PACKAGES += b6c53aba-9669-4668-a7f2-205629d00f86.ta
PRODUCT_PACKAGES += optee_example_aes
PRODUCT_PACKAGES += 5dbac793-f574-4871-8ad3-04331ec17f24.ta
PRODUCT_PACKAGES += optee_example_hotp
PRODUCT_PACKAGES += 484d4143-2d53-4841-3120-4a6f636b6542.ta

Patch: Allow extra flags for optee_os builds
OPTEE_EXTRA_FLAGS ?= CFG_TEE_CORE_LOG_LEVEL=3
CFG_TEE_TA_LOG_LEVEL=3 DEBUG=1

Add custom CA/TA
● Use external/optee_examples as reference
● Assign new TA uuid
● Add required SE policies
● Build within source tree, NOT outside
● Don’t have to rebuild everything
○ make <options> my_ca
○ make <options> <my_ta_uuid>.ta

Calling CA/TA from AOSP app/apk
● No beginner* code samples atm
● Use JNI
● https://developer.android.com/ndk/samples/sample_hellojni.html
○ C-side vs Java-side
○ Integrate into C-side Implementation code from external/optee_examples
* One open source example (albeit a bit indirect, and involves many layers) could be LHG’s ClearKey TA.
The JAVA AV frameworks call into a mediadrm plugin (c++) @
https://github.com/linaro-home/clearkeydrmplugin which then calls into a TA @
https://github.com/linaro-home/optee-clearkey-cdmi

optee_examples/master/hello_world/host/main.c
int main(int argc, char *argv[])
{
…
res = TEEC_InitializeContext(NULL, &ctx);
res = TEEC_OpenSession(&ctx, &sess, &uuid,
TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
…
res = TEEC_InvokeCommand(&sess,
TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
…
TEEC_CloseSession(&sess);
TEEC_FinalizeContext(&ctx);
}

ndk/samples/hello-jni/hello-jni.c
#include <string.h>
#include <jni.h>
/* This is a trivial JNI example where we use a native method
* to return a new VM String. See the corresponding Java source
* file located at:
*
* apps/samples/hello-jni/project/src/com/example/HelloJni/HelloJni.java
*/
jstring
Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jobject this)
{
return (*env)->NewStringUTF(env, "Hello from JNI !");
}

ndk/samples/hello-jni/hello-jni.c < main.c
#include <string.h>
#include <jni.h>
#include “tee_client_api.h”
jstring
Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jobject this)
{
return (*env)->NewStringUTF(env, "Hello from JNI !");
}
TEEC_InitializeContext();
TEEC_OpenSession(); …
TEEC_InvokeCommand(); …
TEEC_CloseSession();
TEEC_FinalizeContext();
code from external/optee_examples/hello_world/host/main.c

Calling TA from AOSP app/apk (cont.)
● Make sure extern “C” is in tee_client_api.h
○ if using optee_client before commit
48107e5f3743be34536e476aea4824a0f68f9a30*
● Build CAs as shared libraries (.so) rather than executables
○ to be used by apk
● (adb) push *.apk and *.ta files to target and run
● *.apk apps by default have no access to kernel drivers
○ define SELinux rules or disable SELinux (testing)
○ check /dev/tee* file permissions
○ try running as root
* https://github.com/OP-TEE/optee_client/commit/48107e5f3743be34536e476aea4824a0f68f9a30

Agenda
● First things first
● Local manifests
● Patches
● Custom CA/TA
● Calling TA from AOSP
● Improvements

Improvements
● CI loop for (HiKey) OP-TEE AOSP builds - in progress
● Create a build script*
○ + containerization?
● Improve SELinux rules
● Simple sample/example apks**
● Support PRODUCT_FULL_TREBLE=true
○ /system vs /vendor partition
* Might be more difficult to debug if error occurs
** LHG also provides ExoPlayer apk which integrates with clearkeydrmplugin and clearkey TA
http://people.linaro.org/~peter.griffin/clearkey/exoplayer-2.6.0-clearkey-demo-withExtensions-debug.apk

Thank You
#HKG18
HKG18 keynotes and videos on: connect.linaro.org
For further information: www.linaro.org

hikey-o-workarounds
#######################################################
## workaround for linaro work ######
#######################################################
## enabling kernel compilation, etc
## hikey_defconfig: Update defconfig
## grub.cfg: set serialno for boot_fat.uefi.img
cherrypick device/linaro/hikey 1b85c5d479562abd2e55c5b2e73f75aecdda25d2

Patch: enabling kernel compilation
device/linaro/hikey/BoardConfigCommon.mk
ifeq ($(TARGET_BUILD_KERNEL), true)
KERNEL_CONFIG := hikey_defconfig
ANDROID_64 := true
TARGET_KERNEL_SOURCE ?= kernel/linaro/hisilicon
DEVICE_TREES := hi6220-hikey:hi6220-hikey.dtb
BUILD_KERNEL_MODULES := false
KERNEL_TARGET := Image-dtb
endif

Patch: enabling kernel compilation
● Build kernel automatically
● Shortened/simplified version
device/linaro/hikey/build/tasks/build_kernel.mk
ifeq ($(TARGET_BUILD_KERNEL), true)
$(PRODUCT_OUT)/hi6220-hikey.dtb: all_dtbs
cp $(PRODUCT_OUT)/obj/kernel/arch/arm64/boot/hi6220-hikey.dtb
$(PRODUCT_OUT)/hi6220-hikey.dtb
endif

Patch: grub.cfg: set serialno for boot_fat.uefi.img
device/linaro/hikey/bootloader/EFI/BOOT/grub.cfg
# kernel cmdline
linux /kernel console=ttyFIQ0 androidboot.console=ttyFIQ0
androidboot.hardware=hikey firmware_class.path=/system/etc/firmware
efi=noruntime printk.devkmsg=on androidboot.serialno=0123456789
NOTE: This is for boot-fat.uefi.img only! If using boot.img, change change
BOARD_KERNEL_CMDLINE in BoardConfig.mk instead!

HKG18-119 - Overview of integrating OP-TEE into HiKey620 AOSP

Recommended

Recommended

More Related Content

More from Linaro

More from Linaro (20)

Recently uploaded

Recently uploaded (20)

HKG18-119 - Overview of integrating OP-TEE into HiKey620 AOSP