Session ID: HKG18-119
Session Name: HKG18-119 - Overview of integrating OP-TEE into HiKey620 AOSP
Speaker: Victor Chong
Track: Security
★ Session Summary ★
A brief overview of the process of integrating OP-TEE into HiKey620 AOSP builds
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-119/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-119.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-119.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Security
---------------------------------------------------
13. hikey-optee-4.9
● Any additionally required OP-TEE kernel patches that are not mainlined
● Currently limited to patches required to enable SDP
14. swg-mods-o
#######################################################
## Patches for SWG use cases different than r-lcr #####
#######################################################
## Add optee_examples CA and TA
## http://android-review.linaro.org/17989
apply --linaro device/linaro/hikey 17989/2
## Allow extra flags for optee_os builds
## http://android-review.linaro.org/17632
apply --linaro device/linaro/hikey 17632/1
16. Patch: Integrate OP-TEE components
device/linaro/hikey/init.common.rc
on post-fs-data
    # create for OP-TEE test
    mkdir /data/tee 0775 shell shell
    mkdir /data/tee/optee_armtz 0775 shell shell
    restorecon_recursive /data/tee

service tee-supplicant /system/bin/tee-supplicant
    class main
    user root
    oneshot
25. Patch: Allow extra flags for optee_os builds
device/linaro/hikey/optee-packages.mk
OPTEE_EXTRA_FLAGS ?= CFG_TEE_CORE_LOG_LEVEL=3 CFG_TEE_TA_LOG_LEVEL=3 DEBUG=1
26. Agenda
● First things first
● Local manifests
● Patches
● Custom CA/TA
● Calling CA/TA from AOSP
● Improvements
27. Add custom CA/TA
● Use external/optee_examples as reference
● Assign new TA uuid
● Add required SE policies
● Build within source tree, NOT outside
● Don’t have to rebuild everything
○ make <options> my_ca
○ make <options> <my_ta_uuid>.ta
29. Calling CA/TA from AOSP app/apk
● No beginner* code samples atm
● Use JNI
● https://developer.android.com/ndk/samples/sample_hellojni.html
○ C-side vs Java-side
○ Integrate code from external/optee_examples into the C-side implementation
* One open source example (albeit a bit indirect, and involving many layers) could be LHG's ClearKey TA. The Java AV frameworks call into a mediadrm plugin (C++) at https://github.com/linaro-home/clearkeydrmplugin, which then calls into a TA at https://github.com/linaro-home/optee-clearkey-cdmi
30. optee_examples/master/hello_world/host/main.c
int main(int argc, char *argv[])
{
    …
    res = TEEC_InitializeContext(NULL, &ctx);
    res = TEEC_OpenSession(&ctx, &sess, &uuid,
                           TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
    …
    res = TEEC_InvokeCommand(&sess,
                             TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
    …
    TEEC_CloseSession(&sess);
    TEEC_FinalizeContext(&ctx);
}
31. ndk/samples/hello-jni/hello-jni.c
#include <string.h>
#include <jni.h>

/* This is a trivial JNI example where we use a native method
 * to return a new VM String. See the corresponding Java source
 * file located at:
 *
 * apps/samples/hello-jni/project/src/com/example/HelloJni/HelloJni.java
 */
jstring
Java_com_example_hellojni_HelloJni_stringFromJNI(JNIEnv* env, jobject this)
{
    return (*env)->NewStringUTF(env, "Hello from JNI !");
}
33. Calling TA from AOSP app/apk (cont.)
● Make sure extern "C" is in tee_client_api.h
○ if using optee_client before commit 48107e5f3743be34536e476aea4824a0f68f9a30*
● Build CAs as shared libraries (.so) rather than executables
○ to be used by apk
● (adb) push *.apk and *.ta files to target and run
● *.apk apps by default have no access to kernel drivers
○ define SELinux rules or disable SELinux (testing)
○ check /dev/tee* file permissions
○ try running as root
* https://github.com/OP-TEE/optee_client/commit/48107e5f3743be34536e476aea4824a0f68f9a30
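Added example (not part of the original slides): when an apk is denied access to /dev/tee*, the denials in the kernel log show which domain needs which permission, so narrow SELinux rules can be written instead of disabling SELinux. The sample log lines are constructed, and the tee_device label, the domain names and the comm values in them are assumptions; on a device, feed the function the output of dmesg or logcat.

```shell
#!/bin/sh
# Added example: summarise SELinux denials on TEE device nodes so narrow
# rules can be written instead of switching SELinux off.

# Constructed sample log (not captured from a real device). The tee_device
# label, the domains and the comm names are assumptions for illustration.
sample_log() {
cat <<'EOF'
audit(1521500000.100:11): avc: denied { read write } for pid=2301 comm="my_ca_app" name="tee0" dev="tmpfs" ino=5120 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
audit(1521500000.101:12): avc: denied { open } for pid=2301 comm="my_ca_app" path="/dev/tee0" dev="tmpfs" ino=5120 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
audit(1521500000.102:13): avc: denied { ioctl } for pid=2301 comm="my_ca_app" path="/dev/tee0" dev="tmpfs" ino=5120 ioctlcmd=a400 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
audit(1521500003.000:20): avc: denied { read } for pid=900 comm="logd" name="kmsg" dev="tmpfs" ino=77 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=1
audit(1521500005.500:31): avc: denied { read write } for pid=3110 comm="my_ca" name="teepriv0" dev="tmpfs" ino=5121 scontext=u:r:shell:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1
EOF
}

# stdin: dmesg/logcat text. stdout: "<domain> <type> <class> { perms }",
# one line per source domain, with the union of the permissions denied.
tee_denials() {
    awk '
    function val(line, key) {        # text after key= up to the next space
        if (!match(line, key "=[^ ]+")) return ""
        return substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
    }
    function ctx_type(ctx,    f) {   # u:r:shell:s0 -> shell
        split(ctx, f, ":"); return f[3]
    }
    # Only denials whose target is a tee0 / teepriv0 style device node.
    BEGIN { node = "(name=|path=)\"(/dev/)?tee(priv)?[0-9]+\"" }
    /avc: +denied/ && $0 ~ node {
        perms = $0
        sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        key = ctx_type(val($0, "scontext")) " " ctx_type(val($0, "tcontext")) " " val($0, "tclass")
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!seen[key, p[i]]++)
                acc[key] = acc[key] (acc[key] == "" ? "" : " ") p[i]
    }
    END { for (k in acc) print k " { " acc[k] " }" }
    ' | sort
}

sample_log | tee_denials
```

Each output line names a source domain, target type, object class and the permissions that were denied, which is the information an allow rule for the CA's domain needs.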
35. Improvements
● CI loop for (HiKey) OP-TEE AOSP builds - in progress
● Create a build script*
○ + containerization?
● Improve SELinux rules
● Simple sample/example apks**
● Support PRODUCT_FULL_TREBLE=true
○ /system vs /vendor partition
* Might be more difficult to debug if error occurs
** LHG also provides ExoPlayer apk which integrates with clearkeydrmplugin and clearkey TA
http://people.linaro.org/~peter.griffin/clearkey/exoplayer-2.6.0-clearkey-demo-withExtensions-debug.apk
41. Patch: grub.cfg: set serialno for boot_fat.uefi.img
device/linaro/hikey/bootloader/EFI/BOOT/grub.cfg
# kernel cmdline
linux /kernel console=ttyFIQ0 androidboot.console=ttyFIQ0 androidboot.hardware=hikey firmware_class.path=/system/etc/firmware efi=noruntime printk.devkmsg=on androidboot.serialno=0123456789
NOTE: This is for boot-fat.uefi.img only! If using boot.img, change BOARD_KERNEL_CMDLINE in BoardConfig.mk instead!