Version 20 vs 65
Version 20 vs 65
Edits
Edits
- Edit by gyuri-szing, Version 65
- Oct 18 2023 12:55 PM
- Edit by jellesels-arm, Version 20
- Feb 25 2022 5:47 PM
Edit Older Version 20... | Edit Current Version 65... |
Content Changes
Content Changes
OP-TEE SPMC implementation
==========================
Introduction
------------
### OP-TEE SPMC implementation
This document describes the OP-TEE SPMC implementation. This
implementation is used to support the Trusted Services PSA SPs. The PSA
SPs are based on the Arm FF-A specifications. The OP-TEE SPMC can be
used as a reference S-EL1 implementation and the Trusted Service can be
used a reference S-EL0 SP implementations.
### FF-A
Arm Firmware Framework for Arm A-profile (FF-A) is a framework designed
to standardize the communication between the various software images.
Including the communication between the various software images in the
Secure world and Normal world. The current release of the OP-TEE SPMC is
based around the [FF-A v1.0
spec](https://developer.arm.com/documentation/den0077/latest.)
### OP-TEE
OP-TEE is an open source Trusted Execution Environment (TEE)
implementing the Arm TrustZone technology. More information can be found
at [readthedocs](https://optee.readthedocs.io/en/latest/) OP-TEE can run both as a S-EL1 SP or as the S-EL1 SPMC.
This document describes OP-TEE as a S-El1 SPMC. The current mainline
OP-TEE version can be found [here](https://github.com/OP-TEE/optee_os)
### Trusted Services
The Trusted Services project provides a framework for developing and
deploying device Root Of Trust (RoT) services across a range of secure
processing environments such as those provided by OP-TEE and Hafnium.
More information about Trusted Service can be found at
[Trusted-Services](https://trusted-services.readthedocs.io/en/latest/)
Current Status
--------------
Currently the mainline OP-TEE SPMC is not yet fully compliant with the
FF-A V1.0 spec. It also doesn't support all of the Trusted Services
SPs.
### SPMC status
OP-TEE mainline SPMC FF-A status:
| Description | Status|
| --- | ----------- |
|SP loading | Supported |
|SP messaging | Supported |
|Manifest file | Not Supported |
|Memory management | Supported |
|Interrupts | Not supported |
OP-TEE mainline SPMC FF-A messages status:
------------------------------ -------------------------
|------------------------------|-----------|
| FFA_ERROR | Supported|
| FFA_SUCCESS | Supported|
| FFA_INTERRUPT | Not supported|
| FFA_VERSION | Supported|
| FFA_FEATURES | Supported|
| FFA_RX_RELEASE | Supported|
| FFA_RXTX_MAP | Supported|
| FFA_RXTX_UNMAP | Supported|
| FFA_PARTITION_INFO_GET | Supported|
| FFA_ID_GET | Supported|
| FFA_MSG_WAIT | Supported|
| FFA_YIELD | Not supported|
| FFA_RUN | Not supported|
| FFA_NORMAL_WORLD_RESUME | Not supported|
| FFA_MSG_SEND | Not supported|
| FFA_MSG_SEND_DIRECT_REQ | Supported|
| FFA_MSG_SEND_DIRECT_RESP | Supported|
| FFA_MSG_POLL | Not supported|
| FFA_MEM_DONATE | Not supported|
| FFA_MEM_LEND | Not supported|
| FFA_MEM_SHARE | Partially supported[^1]|
| FFA_MEM_RETRIEVE_REQ | Supported|
| FFA_MEM_RETRIEVE_RESP | Supported|
| FFA_MEM_RELINQUISH | Supported|
| FFA_MEM_RECLAIM | Supported|
[^1]: Device memory is not yet supported.
### Trusted Service status
Currently not all Trusted Service functionality is supported when using
the OP-TEE SPMC. We are planning to support all functionality over time.
Currently the OP-TEE SPMC supports the following PSA Trusted Services
SPs:
--------------------------- --------------------------------------------------------------------
|----------------------------|--------|
|internal-trusted-storage: |Supported|
|protected-storage: |Supported|
|crypto: |Supported with mock backend. A hardware trngs is not yet supported|
|attestation: |Not yet supported|
|smm-gateway: |Not yet supported|
Build
-----
The build process is based around the [OP-TEE build
process](https://optee.readthedocs.io/en/latest/building/gits/build.html)
with some extra steps.
### Requirements:
- The Trusted Services project has some extra
[requirements](https://trusted-services.readthedocs.io/en/latest/developer/software-requirements.html)
from OP-TEE. It mainly depends on cmake.
- The current system uses the Arm FVP to run the test environment. The
latest version can be found at
[developer.arm.com](https://developer.arm.com/-/media/Files/downloads/ecosystem-models/FVP_Base_RevC-2xAEMvA_11.16_16.tgz)
The default path for FVP in the build scripts is set to
/opt/fvp/latest
### Build steps
Get the manifest file:
rm -rf optee
mkdir optee
cd optee
repo init -u https://review.trustedfirmware.org/OP-TEE/manifest -m psa-sp-fvp.xml -b topics/spmc_mainline
repo sync -j4 --no-clone-bundle
Build the OP-TEE image:
The OP-TEE build will default be configure to use mainline OP-TEE SPMC.
To be able to build OP-TEE mainline version, it might be needed to
change the SPMC_VERSION to SPMC_VERSION=github in build/fvp_ffa.mk.
Build OP-TEE:
cd build
make toolchains
make
cd ..
Build TS apps:
make -C trusted-services/tools/b-test r-component-test-arm-linux \
r-psa-api-test-crypto-arm-linux \
r-psa-api-test-internal_trusted_storage-arm-linux \
r-psa-api-test-protected_storage-arm-linux \
r-ts-demo-arm-linux \
r-ts-service-test-arm-linux
Copy the TS apps to the shared directory:
cp -r trusted-services/tools/b-test/install/arm-linux shared
More info about building TS-apps can be found at the [Trusted Services
build
instructions](https://trusted-services.readthedocs.io/en/latest/developer/build-instructions.html)
Run fvp:
make -C build run-only
2 console windows should appear, 1 for the Secure World and 1 for the Normal World.
Login as root.
Set up the [fvp
environment](https://trusted-services.readthedocs.io/en/latest/environments/deployment-guides/fvp-deployment-guide.html?highlight=ts-service-test#deploying-service-level-tests):
cd /mnt/
sh load_module.sh
cp arm-linux/lib/libts.so.1 /usr/lib/
Run the PSA ServiceTests:
cd /mnt/arm-linux/bin
# Prepare tests
cd /mnt
./load_module.sh
cp arm-linux/lib/libts.so* /lib
# Run the TS demo
./arm-linux/bin/ts-demo
lines=8
```
Demonstrates use of trusted services from an application
---------------------------------------------------------
A client requests a set of crypto operations performed by
the Crypto service. Key storage for persistent keys is
provided by the Secure Storage service via the ITS client.
Generating random bytes length: 1
Operation successful
Random bytes:
2B
Generating random bytes length: 7
Operation successful
Random bytes:
68 CF 0C 5D 87 C7 11
Generating random bytes length: 128
Operation successful
Random bytes:
BF C6 85 27 81 02 5F 83
60 97 E9 2C A6 30 8E F7
C6 81 44 CB 26 32 8D F5
62 BA 0F DE B8 2C 69 E2
DD C0 FF A0 04 E2 D0 C0
DC EA 11 CE DD 7E 33 87
62 07 89 02 00 68 FC 24
AD D2 E4 86 40 3F 6E 65
83 46 33 9A F8 84 14 3B
72 11 8D 63 59 6F 69 96
70 D2 83 8D 60 6D 9F A2
B3 54 F6 3E 5E B3 FE 07
C9 51 F1 6A F5 B0 0E AA
08 B3 AE F5 06 73 6C 8B
95 73 B2 FF 72 C6 CF 84
12 7A 7A 1F 07 F2 58 71
Generating ECC signing key
Operation successful
Signing message: "The quick brown fox" using key: 256
Operation successful
Signature bytes:
F9 F7 0E D0 4A B2 77 DF
67 40 F5 36 4D 92 38 A3
13 5B 04 A0 6C BD 84 40
03 E2 43 EE BF 6F C6 C4
5B 5D A4 21 D9 EB 17 86
B9 71 0D C9 84 0C FE 55
71 8E 5C F7 D4 7D EB 04
9B 5A 11 D7 46 96 BD A6
Verify signature using original message: "The quick brown fox"
Operation successful
Verify signature using modified message: "!he quick brown fox"
Successfully detected modified message
Signing message: "jumps over the lazy dog" using key: 256
Operation successful
Signature bytes:
45 40 14 E3 39 0C 3B 8A
5F 05 C8 0C E0 B6 A6 D2
8B 5E E3 76 49 DD F1 9E
50 A0 77 6F 1B FA FF C8
38 66 6A 2D 40 B1 79 9C
43 BE 59 F4 48 45 A2 0E
D0 17 3F 1F D3 D7 C0 84
65 AC 9B 8A FB 6E B6 B6
Verify signature using original message: "jumps over the lazy dog"
Operation successful
Verify signature using modified message: "!umps over the lazy dog"
Successfully detected modified message
Generating RSA encryption key
Operation successful
Encrypting message: "Top secret" using RSA key: 257
Operation successful
Encrypted message:
42 B6 53 D8 A3 03 BB 64
66 C0 31 A5 42 2C F8 F3
B8 E3 9C 58 42 7C 2C E0
19 43 F6 02 EB 60 6A DC
Decrypting message using RSA key: 257
Operation successful
Decrypted message: "Top secret"
Exporting public key: 256
Operation successful
Public key bytes:
04 D0 9A AF 76 18 9B 3B
08 38 65 BA 5F 81 B0 85
6A 39 42 19 5F 0D 17 86
CD 7E 2A E6 A4 CC A2 E4
B3 78 89 76 F6 CA 02 12
CB 07 2B AB CF 03 59 B3
34 8D 5D 0F 31 53 E0 68
9D 25 E2 AF 2E 0C 2C BE
51
Destroying signing key: 256
Operation successful
Destroying encryption key: 257
Operation successful
```
# Run the tests
./arm-linux/bin/component-test -v
./arm-linux/bin/psa-its-api-test
./arm-linux/bin/psa-ps-api-test
./arm-linux/bin/psa-crypto-api-test
./arm-linux/bin/ts-service-test -v -xg Attestation
```
./ts-service-test -v -sg ItsServiceTests
./ts-service-test -v -sg PsServiceTests
./ts-service-test -v -sg CryptoKeyDerivationServicePackedcTests
./ts-service-test -v -sg CryptoMacServicePackedcTests
./ts-service-test -v -sg CryptoCipherServicePackedcTests
./ts-service-test -v -sg CryptoHashServicePackedcTests
./ts-service-test -v -sg CryptoServiceProtobufTests
./ts-service-test -v -sg CryptoServiceLimitTests
./ts-service-test -v -sg DiscoveryServiceTests
./ts-service-test -v -sg CryptoServicePackedcTests
```
lines=8
TEST(PsServiceTests, createAndSetExtended) - 18029 ms
TEST(PsServiceTests, createAndSet) - 20259 ms
TEST(PsServiceTests, storeNewItem) - 18276 ms
TEST(ItsServiceTests, storeNewItem) - 11099 ms
TEST(CryptoKeyDerivationServicePackedcTests, deriveAbort) - 21819 ms
TEST(CryptoKeyDerivationServicePackedcTests, hkdfDeriveBytes) - 23492 ms
TEST(CryptoKeyDerivationServicePackedcTests, hkdfDeriveKey) - 25032 ms
TEST(CryptoMacServicePackedcTests, macAbort) - 19256 ms
TEST(CryptoMacServicePackedcTests, signAndVerify) - 101831 ms
TEST(CryptoCipherServicePackedcTests, cipherAbort) - 19739 ms
TEST(CryptoCipherServicePackedcTests, encryptDecryptRoundtrip) - 66694 ms
TEST(CryptoHashServicePackedcTests, hashAbort) - 23204 ms
TEST(CryptoHashServicePackedcTests, hashAndVerify) - 34243 ms
TEST(CryptoHashServicePackedcTests, calculateHash) - 17353 ms
TEST(CryptoServicePackedcTests, generateRandomNumbers) - 29636 ms
TEST(CryptoServicePackedcTests, asymEncryptDecryptWithSalt) - 2859988 ms
TEST(CryptoServicePackedcTests, asymEncryptDecrypt) - 234077 ms
TEST(CryptoServicePackedcTests, signAndVerifyEat) - 1060967 ms
TEST(CryptoServicePackedcTests, signAndVerifyHash) - 1072643 ms
TEST(CryptoServicePackedcTests, exportAndImportKeyPair) - 127551 ms
TEST(CryptoServicePackedcTests, exportPublicKey) - 199842 ms
TEST(CryptoServicePackedcTests, purgeKey) - 118558 ms
TEST(CryptoServicePackedcTests, copyKey) - 199131 ms
TEST(CryptoServicePackedcTests, generatePersistentKeys) - 213434 ms
TEST(CryptoServicePackedcTests, generateVolatileKeys) - 188038 ms
TEST(CryptoServiceProtobufTests, generateRandomNumbers) - 31397 ms
TEST(CryptoServiceProtobufTests, asymEncryptDecryptWithSalt) - 4241805 ms
TEST(CryptoServiceProtobufTests, asymEncryptDecrypt) - 267644 ms
TEST(CryptoServiceProtobufTests, signAndVerifyHash) - 1073035 ms
TEST(CryptoServiceProtobufTests, exportAndImportKeyPair) - 127099 ms
TEST(CryptoServiceProtobufTests, exportPublicKey) - 200390 ms
TEST(CryptoServiceProtobufTests, generatePersistentKeys) - 213373 ms
TEST(CryptoServiceProtobufTests, generateVolatileKeys) - 189439 ms
TEST(CryptoServiceLimitTests, volatileRsaKeyPairLimit) - 19765597 ms
TEST(CryptoServiceLimitTests, volatileEccKeyPairLimit) - 5244688 ms
TEST(DiscoveryServiceTests, checkServiceInfo) - 12706 ms
OK (41 tests, 36 ran, 318 checks, 0 ignored, 5 filtered out, 38104375 ms)
Currently the attestation test fails due the lack of the attestation SP
support.
= OP-TEE SPMC implementation
== Introduction
==== OP-TEE SPMC implementation
This document describes the OP-TEE SPMC (Secure Partition Manager Core) implementation. This implementation is used to support the Trusted Services PSA Secure Partitions (SPs). The PSA SPs are implemented based on the Arm FF-A specification. The OP-TEE SPMC can be used as a reference S-EL1 implementation and the Trusted Services can be used a reference S-EL0 SP implementations.
==== FF-A
Arm Firmware Framework for Arm A-profile (FF-A) is a framework designed to standardize the communication between the various software images.
Including the communication between the various software images in the Secure world and Normal world. The current release of the OP-TEE SPMC is based around the [FF-A v1.0 spec](https://developer.arm.com/documentation/den0077/latest).
==== OP-TEE
OP-TEE is an open source Trusted Execution Environment (TEE) relying on the Arm TrustZone technology. More information can be found at [readthedocs](https://optee.readthedocs.io/en/latest/). OP-TEE can run both as a S-EL1 SP or as the S-EL1 SPMC.
This document describes OP-TEE as a S-EL1 SPMC. The current mainline OP-TEE version can be found [here](https://github.com/OP-TEE/optee_os).
==== Trusted Services
The Trusted Services project provides a framework for developing and deploying device Root of Trust (RoT) services across a range of secure processing environments such as those provided by OP-TEE and Hafnium.
More information about Trusted Services can be found at [Trusted-Services](https://trusted-services.readthedocs.io/en/latest/).
== Current Status
Limited support for OP-TEE SPMC aligning with FF-A 1.0 is available since OP-TEE v3.19. Complete support for FF-A 1.0 and TS is planned for upcoming releases. See below for status.
For the OP-TEE release specific testing and results please see the following page:
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-19/ | OP-TEE 3.19 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-20/ | OP-TEE 3.20 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-21/ | OP-TEE 3.21 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-22/ | OP-TEE 3.22 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-22/ | OP-TEE 3.22 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-4-0/ | OP-TEE 4.0.0 release ]]
== Important Changes of v4.0.0 release ==
- Added support for the `boot-order` property of the SP manifest. Earlier the boot order was determined by the linking order when using embedded packaging or by the order of SP entries in the FIP package when using FIP packaging. In case the `boot-order` property is not set for an SP, loading will fall back to the old method.
- The SPMC has been updated to allow the XEN Hypervisor being executed in the NWd. All Trusted Services tests from DOM0 and DOMU virtual machines are passing.
- Bug fixes:
- The SPMC was accepting direct messages targeting yet to be initialized SPs, and could jumping to an invalid address as a result.
- The SPMC was clearing MBZ registers when making FFA_ERROR calls. This could result in incorrect operation.
- In some scenarios the destination of FFA_ERROR calls were set incorrectly.
- Code handling the FFA_MEM_RECLAIM calls incorrectly assumed the NWd endpoint being 0. This resulted in a crash when a hypervisor is present in the NWd.
==== SPMC status
For a list of supported FF-A features please see: https://optee.readthedocs.io/en/latest/architecture/spmc.html
==== Trusted Services status
All Trusted Services Secure Partitions are supported with OP-TEE SPMC v4.0.0
Trusted Services SP support status:
| Name | Status |
|--------------------------|-----------|
| internal-trusted-storage | Supported |
| protected-storage | Supported |
| crypto | Supported |
| attestation | Supported |
| firmware-update | Supported |
| block-storage | Supported |
| smm-gateway | Supported |
== Build
The build process follows the [OP-TEE build process](https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution). Additional information is needed for some steps:
- [Step 1](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-1-prerequisites): The Trusted Services project has some extra requirements described on [this page](https://trusted-services.readthedocs.io/en/latest/developer/software-requirements.html), please install these.
- [Step 2](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-2-install-android-repo): -
- [Step 3](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-3-get-the-source-code): Use the manifest file for Trusted Services integration and use the 4.0.0 tagged version.
`repo init -u https://github.com/OP-TEE/manifest.git -m fvp-ts.xml -b 4.0.0`
- [Step 4](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-4-get-the-toolchains): -
- [Step 5](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-5-build-the-solution): -
- [Step 6 and onwards](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-6-flash-the-device): Since we're running on models instead of real hardware, these steps are not necessary.
== Boot
The current system uses the Arm AEMv-A Base Platform FVP to run the test environment. The latest version can be found at [Arm Architecture Models](https://developer.arm.com/downloads/-/arm-ecosystem-models). The downloaded FVP should be extracted at the project root (`<project root>/Base_RevC_AEMvA_pkg`).
Boot the system on the FVP:
make -C build run-only
Two console windows should appear, one for the Secure World and one for the Normal World. When the boot is complete, login as root. Then run these commands to load the necessary kernel modules and install the TS test applications and libraries:
/mnt/host/out/linux-arm-ffa-tee/load_module.sh
/mnt/host/out/linux-arm-ffa-user/load_module.sh
cp -at /usr /mnt/host/out/ts-install/arm-linux/bin /mnt/host/out/ts-install/arm-linux/lib
To run the SPMC tests built into xtest (OP-TEE test suite):
xtest -t ffa_spmc
= OP-TEE SPMC implementation
==========================
== Introduction
------------
###==== OP-TEE SPMC implementation
This document describes the OP-TEE SPMC (Secure Partition Manager Core) implementation. This
implementation is used to support the Trusted Services PSA SPsSecure Partitions (SPs). The PSA
SPs aree implemented based on the Arm FF-A specifications. The OP-TEE SPMC can be
be used as a reference S-EL1 implementation and the Trusted Services can be
used a reference S-EL0 SP implementations.
###==== FF-A
Arm Firmware Framework for Arm A-profile (FF-A) is a framework designed
to standardize the communication between the various software images.
Includinge the communication between the various software images in the
Secure world and Normal world. The current release of the OP-TEE SPMC is.
Including the communication between the various software images in the Secure world and Normal world. The current release of the OP-TEE SPMC is based around the [FF-A v1.0
spec](https://developer.arm.com/documentation/den0077/latest.)).
###==== OP-TEE
OP-TEE is an open source Trusted Execution Environment (TEE)
implementing relying on the Arm TrustZone technology. More information can be found
at [readthedocs](https://optee.readthedocs.io/en/latest/). OP-TEE can run both as a S-EL1 SP or as the S-EL1 SPMC.
This document describes OP-TEE as a S-ElS-EL1 SPMC. The current mainline
The current mainline OP-TEE version can be found [here](https://github.com/OP-TEE/optee_os).
###==== Trusted Services
The Trusted Services project provides a framework for developing and
and deploying device Root Ofof Trust (RoT) services across a range of secure processing environments such as those provided by OP-TEE and Hafnium.
processing environments such as those provided by OP-TEE and Hafnium.
More information about Trusted Services can be found at
[Trusted-Services](https://trusted-services.readthedocs.io/en/latest/).
== Current Status
--------------
Currently the mainline OP-TEE SPMC is not yet fully compliant with the
FF-A V1.0 specLimited support for OP-TEE SPMC aligning with FF-A 1.0 is available since OP-TEE v3.19. Complete support for FF-A 1.0 and TS is planned for upcoming releases. It also doesn't support all of the Trusted ServicesSee below for status.
SPs.For the OP-TEE release specific testing and results please see the following page:
### SPMC status
OP-TEE mainline SPMC FF-A status:
| Description | Status|
| --- | ----------- |- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-19/ | OP-TEE 3.19 release ]]
|SP loading | Supported |- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-20/ | OP-TEE 3.20 release ]]
|SP messaging | Supported |- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-21/ | OP-TEE 3.21 release ]]
|Manifest file | Not Supported |- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-22/ | OP-TEE 3.22 release ]]
|Memory management | Supported |- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-22/ | OP-TEE 3.22 release ]]
|Interrupts | Not supported |
OP-TEE mainline SPMC FF-A messages status:- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-4-0/ | OP-TEE 4.0.0 release ]]
------------------------------ -------------------------
|------------------------------|-----------|
| FFA_ERROR | Supported|
| FFA_SUCCESS | Supported|
| FFA_INTERRUPT | Not supported|
| FFA_VERSION | Supported|
| FFA_FEATURES | Supported|
| FFA_RX_RELEASE | Supported|
| FFA_RXTX_MAP | Supported|
| FFA_RXTX_UNMAP | Supported|
| FFA_PARTITION_INFO_GET | Supported|
| FFA_ID_GET | Supported|
| FFA_MSG_WAIT | Supported|
| FFA_YIELD | Not supported|
| FFA_RUN | Not supported|
| FFA_NORMAL_WORLD_RESUME | Not supported|
| FFA_MSG_SEND | Not supported|
| FFA_MSG_SEND_DIRECT_REQ | Supported|
| FFA_MSG_SEND_DIRECT_RESP | Supported|
| FFA_MSG_POLL | Not supported|
| FFA_MEM_DONATE | Not supported|
| FFA_MEM_LEND | Not supported|
| FFA_MEM_SHARE | Partially supported[^1]|
| FFA_MEM_RETRIEVE_REQ | Supported|
| FFA_MEM_RETRIEVE_RESP | Supported|
| FFA_MEM_RELINQUISH | Supported|
| FFA_MEM_RECLAIM | Supported|
[^1]: Device memory is not yet supported.
### Trusted Service status
Currently not all Trusted Service functionality is supported when using
the OP-TEE SPMC. We are planning to support all functionality over time.== Important Changes of v4.0.0 release ==
Currently the OP-TEE SPMC supports the following PSA Trusted Services- Added support for the `boot-order` property of the SP manifest. Earlier the boot order was determined by the linking order when using embedded packaging or by the order of SP entries in the FIP package when using FIP packaging. In case the `boot-order` property is not set for an SP, loading will fall back to the old method.
- The SPMC has been updated to allow the XEN Hypervisor being executed in the NWd. All Trusted Services tests from DOM0 and DOMU virtual machines are passing.
- Bug fixes:
SPs:
--------------------------- --------------------------------------------------------------------
|----------------------------|--------|
|internal-trusted-storage: |Supported| The SPMC was accepting direct messages targeting yet to be initialized SPs, and could jumping to an invalid address as a result.
|protected-storage: |Supported|
|crypto: |Supported with mock backend - The SPMC was clearing MBZ registers when making FFA_ERROR calls. A hardware trngs is not yet supported|This could result in incorrect operation.
|attest - In some scenarios the destination: |Not yet supported| of FFA_ERROR calls were set incorrectly.
|smm-gateway: |Not yet supported| - Code handling the FFA_MEM_RECLAIM calls incorrectly assumed the NWd endpoint being 0. This resulted in a crash when a hypervisor is present in the NWd.
==== SPMC status
Build
-----For a list of supported FF-A features please see: https://optee.readthedocs.io/en/latest/architecture/spmc.html
==== Trusted Services status
The build process is based around the [OP-TEE build
process](https://optee.readthedocs.io/en/latest/building/gits/build.html)
with some extra steps.All Trusted Services Secure Partitions are supported with OP-TEE SPMC v4.0.0
### Requirements:Trusted Services SP support status:
- The Trusted Services project has some extra
[requirements](https://trusted-services.readthedocs.io/en/latest/developer/software-requirements.html)
from OP-TEE. It mainly depends on cmake.
- The current system uses the Arm FVP to run the test environment. The| Name | Status |
latest version can be found at|--------------------------|-----------|
[developer.arm.com](https://developer.arm.com/-/media/Files/downloads/ecosystem-models/FVP_Base_RevC-2xAEMvA_11.16_16.tgz)| internal-trusted-storage | Supported |
The default path for FVP in the build scripts is set to| protected-storage | Supported |
/opt/fvp/latest
### Build steps
Get the manifest file:
| crypto rm -rf optee | Supported |
| attestation mkdir optee | Supported |
cd optee| firmware-update | Supported |
repo init -u https://review.trustedfirmware.org/OP-TEE/manifest -m psa-sp-fvp.xml -b topics/spmc_mainline| block-storage | Supported |
repo sync -j4 --no-clone-bundle| smm-gateway | Supported |
Build the OP-TEE image:== Build
The OP-TEE build will default be configure to use mainline OP-TEE SPMC.
To be able to build OP-TEE mainline version, it might be needed to
change the SPMC_VERSION to SPMC_VERSION=github in build/fvp_ffa.mk.build process follows the [OP-TEE build process](https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution). Additional information is needed for some steps:
Build OP-TEE:- [Step 1](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-1-prerequisites): The Trusted Services project has some extra requirements described on [this page](https://trusted-services.readthedocs.io/en/latest/developer/software-requirements.html), please install these.
cd build
make toolchains
make
cd ..- [Step 2](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-2-install-android-repo): -
Build TS apps:- [Step 3](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-3-get-the-source-code): Use the manifest file for Trusted Services integration and use the 4.0.0 tagged version.
make -C trusted-services/tools/b-test r-component-test-arm-linux \
r-psa-api-test-crypto-arm-linux \
r-psa-api-test-internal_trusted_storage-arm-linux \
r-psa-api-test-protected_storage-arm-linux \
r-ts-demo-arm-linux \
r-ts-service-test-arm-linux`repo init -u https://github.com/OP-TEE/manifest.git -m fvp-ts.xml -b 4.0.0`
Copy the TS apps to the shared directory:- [Step 4](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-4-get-the-toolchains): -
cp -r trusted-services/tools/b-- [Step 5](https://optee.readthedocs.io/en/latest/install/arm-linux sharedbuilding/gits/build.html#step-5-build-the-solution): -
More info about building TS-apps can be found at the [Trusted Services
build
instructions](https://trusted-services.readthedocs.io/en/latest/developer/build-instructions.html)- [Step 6 and onwards](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-6-flash-the-device): Since we're running on models instead of real hardware, these steps are not necessary.
Run fvp:== Boot
make -C build run-onlyThe current system uses the Arm AEMv-A Base Platform FVP to run the test environment. The latest version can be found at [Arm Architecture Models](https://developer.arm.com/downloads/-/arm-ecosystem-models). The downloaded FVP should be extracted at the project root (`<project root>/Base_RevC_AEMvA_pkg`).
2 console windows should appear, 1 for the Secure World and 1 for the Normal World.
Login as root.
Set up the [fvp
environment](https://trusted-services.readthedocs.io/en/latest/environments/deployment-guides/fvp-deployment-guide.html?highlight=ts-service-test#deploying-service-level-tests)Boot the system on the FVP:
cd /mnt/
sh load_module.sh
cp arm-linux/lib/libts.so.1 /usr/lib/
Run the PSA ServiceTests:make -C build run-only
cd /mnt/arm-linux/binTwo console windows should appear, one for the Secure World and one for the Normal World. When the boot is complete, login as root. Then run these commands to load the necessary kernel modules and install the TS test applications and libraries:
# Prepare tests
cd /mnt/mnt/host/out/linux-arm-ffa-tee/load_module.sh
./mnt/host/out/linux-arm-ffa-user/load_module.sh
cp arm-linux/lib/libts.so* /lib
# Run the TS demo
./arm-linux/bin/ts-demo
lines=8
```
Demonstrates use of trusted services from an application
---------------------------------------------------------
A client requests a set of crypto operations performed by
the Crypto service. Key storage for persistent keys is
provided by the Secure Storage service via the ITS client.
Generating random bytes length: 1
Operation successful
Random bytes:
2B
Generating random bytes length: 7
Operation successful
Random bytes:
68 CF 0C 5D 87 C7 11
Generating random bytes length: 128
Operation successful
Random bytes:
BF C6 85 27 81 02 5F 83
60 97 E9 2C A6 30 8E F7
C6 81 44 CB 26 32 8D F5
62 BA 0F DE B8 2C 69 E2
DD C0 FF A0 04 E2 D0 C0
DC EA 11 CE DD 7E 33 87
62 07 89 02 00 68 FC 24
AD D2 E4 86 40 3F 6E 65
83 46 33 9A F8 84 14 3B
72 11 8D 63 59 6F 69 96
70 D2 83 8D 60 6D 9F A2
B3 54 F6 3E 5E B3 FE 07
C9 51 F1 6A F5 B0 0E AA
08 B3 AE F5 06 73 6C 8B
95 73 B2 FF 72 C6 CF 84
12 7A 7A 1F 07 F2 58 71
Generating ECC signing key
Operation successful
Signing message: "The quick brown fox" using key: 256
Operation successful
Signature bytes:
F9 F7 0E D0 4A B2 77 DF
67 40 F5 36 4D 92 38 A3
13 5B 04 A0 6C BD 84 40
03 E2 43 EE BF 6F C6 C4
5B 5D A4 21 D9 EB 17 86
B9 71 0D C9 84 0C FE 55
71 8E 5C F7 D4 7D EB 04
9B 5A 11 D7 46 96 BD A6
Verify signature using original message: "The quick brown fox"
Operation successful
Verify signature using modified message: "!he quick brown fox"
Successfully detected modified message
Signing message: "jumps over the lazy dog" using key: 256
Operation successful
Signature bytes:
45 40 14 E3 39 0C 3B 8A
5F 05 C8 0C E0 B6 A6 D2
8B 5E E3 76 49 DD F1 9E
50 A0 77 6F 1B FA FF C8
38 66 6A 2D 40 B1 79 9C
43 BE 59 F4 48 45 A2 0E
D0 17 3F 1F D3 D7 C0 84
65 AC 9B 8A FB 6E B6 B6
Verify signature using original message: "jumps over the lazy dog"
Operation successful
Verify signature using modified message: "!umps over the lazy dog"
Successfully detected modified message
Generating RSA encryption key
Operation successful
Encrypting message: "Top secret" using RSA key: 257
Operation successful
Encrypted message:
42 B6 53 D8 A3 03 BB 64
66 C0 31 A5 42 2C F8 F3
B8 E3 9C 58 42 7C 2C E0
19 43 F6 02 EB 60 6A DC
Decrypting message using RSA key: 257
Operation successful
Decrypted message: "Top secret"
Exporting public key: 256
Operation successful
Public key bytes:
04 D0 9A AF 76 18 9B 3B
08 38 65 BA 5F 81 B0 85
6A 39 42 19 5F 0D 17 86
CD 7E 2A E6 A4 CC A2 E4
B3 78 89 76 F6 CA 02 12
CB 07 2B AB CF 03 59 B3
34 8D 5D 0F 31 53 E0 68
9D 25 E2 AF 2E 0C 2C BE
51
Destroying signing key: 256
Operation successful
Destroying encryption key: 257
Operation successful
```cp -at /usr /mnt/host/out/ts-install/arm-linux/bin /mnt/host/out/ts-install/arm-linux/lib
/arm-linux/bin/ts-service-To run the SPMC tests built into xtest -v -xg Attestation(OP-TEE test suite):
```
./ts-service-test -v -sg ItsServiceTests
./ts-service-test -v -sg PsServiceTests
./ts-service-test -v -sg CryptoKeyDerivationServicePackedcTests
./ts-service-test -v -sg CryptoMacServicePackedcTests
./ts-service-test -v -sg CryptoCipherServicePackedcTests
./ts-service-test -v -sg CryptoHashServicePackedcTests
./ts-service-test -v -sg CryptoServiceProtobufTests
./ts-service-test -v -sg CryptoServiceLimitTests
./ts-service-test -v -sg DiscoveryServiceTests
./ts-service-test -v -sg CryptoServicePackedcTests
```
lines=8
TEST(PsServiceTests, createAndSetExtended) - 18029 ms
TEST(PsServiceTests, createAndSet) - 20259 ms
TEST(PsServiceTests, storeNewItem) - 18276 ms
TEST(ItsServiceTests, storeNewItem) - 11099 ms
TEST(CryptoKeyDerivationServicePackedcTests, deriveAbort) - 21819 msxtest -t ffa_spmc
TEST(CryptoKeyDerivationServicePackedcTests, hkdfDeriveBytes) - 23492 ms
TEST(CryptoKeyDerivationServicePackedcTests, hkdfDeriveKey) - 25032 ms
TEST(CryptoMacServicePackedcTests, macAbort) - 19256 ms
TEST(CryptoMacServicePackedcTests, signAndVerify) - 101831 ms
TEST(CryptoCipherServicePackedcTests, cipherAbort) - 19739 ms
TEST(CryptoCipherServicePackedcTests, encryptDecryptRoundtrip) - 66694 ms
TEST(CryptoHashServicePackedcTests, hashAbort) - 23204 ms
TEST(CryptoHashServicePackedcTests, hashAndVerify) - 34243 ms
TEST(CryptoHashServicePackedcTests, calculateHash) - 17353 ms
TEST(CryptoServicePackedcTests, generateRandomNumbers) - 29636 ms
TEST(CryptoServicePackedcTests, asymEncryptDecryptWithSalt) - 2859988 ms
TEST(CryptoServicePackedcTests, asymEncryptDecrypt) - 234077 ms
TEST(CryptoServicePackedcTests, signAndVerifyEat) - 1060967 ms
TEST(CryptoServicePackedcTests, signAndVerifyHash) - 1072643 ms
TEST(CryptoServicePackedcTests, exportAndImportKeyPair) - 127551 ms
TEST(CryptoServicePackedcTests, exportPublicKey) - 199842 ms
TEST(CryptoServicePackedcTests, purgeKey) - 118558 ms
TEST(CryptoServicePackedcTests, copyKey) - 199131 ms
TEST(CryptoServicePackedcTests, generatePersistentKeys) - 213434 ms
TEST(CryptoServicePackedcTests, generateVolatileKeys) - 188038 ms
TEST(CryptoServiceProtobufTests, generateRandomNumbers) - 31397 ms
TEST(CryptoServiceProtobufTests, asymEncryptDecryptWithSalt) - 4241805 ms
TEST(CryptoServiceProtobufTests, asymEncryptDecrypt) - 267644 ms
TEST(CryptoServiceProtobufTests, signAndVerifyHash) - 1073035 ms
TEST(CryptoServiceProtobufTests, exportAndImportKeyPair) - 127099 ms
TEST(CryptoServiceProtobufTests, exportPublicKey) - 200390 ms
TEST(CryptoServiceProtobufTests, generatePersistentKeys) - 213373 ms
TEST(CryptoServiceProtobufTests, generateVolatileKeys) - 189439 ms
TEST(CryptoServiceLimitTests, volatileRsaKeyPairLimit) - 19765597 ms
TEST(CryptoServiceLimitTests, volatileEccKeyPairLimit) - 5244688 ms
TEST(DiscoveryServiceTests, checkServiceInfo) - 12706 ms
OK (41 tests, 36 ran, 318 checks, 0 ignored, 5 filtered out, 38104375 ms)
Currently the attestation test fails due the lack of the attestation SP
support.