Hikey Lemaker OPTEE kernel working source code

Products Support HiKey
#1

hi,
I have got one lemaker board last month,
I need to run sample TA in OPTEE, and then build a TA for my SPI device.

I tried to get OPTEE kernel and built from here https://github.com/OP-TEE, build succsfult, flashed boot image to lemaker, it did not boot.

Then I got the code from here. https://github.com/linaro-swg/hikey_optee. Tool chains were not updated, I updated and flashed fip. ptable. boot, nvme. device stopped booting to bootloader, fastboot does not get recognize device(with J15 1-2 closed, 3-4 open and 5-6 closed).

Could somebody point me to latest working OPTEE boot image, my REE is AOSP. I need details steps.

Thanks,
Krishna.

#2

Hi Krishna,

For non AOSP builds, you should follow this guide, which is the official OP-TEE documentation: https://github.com/OP-TEE/build and pay special attention to section 5, 6, 7 and the link to the hikey.md in the docs folder (https://github.com/OP-TEE/build/blob/master/docs/). This is used regularly by developers in the OP-TEE team and we also did a release roughly two weeks ago and HiKey both built fine and was tested OK (https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#tested-on).

For AOSP builds the situation is a bit worse. We used to keep a setup working and the instructions for that can be found here: https://github.com/linaro-swg/optee_android_manifest . Having that said, the engineer used to be working with that has been busy in other areas, it’s been untouched for 2-3 months now. I have one colleague that started to look into it last week and he sent a couple of patches for that git.

// Joakim
Tech Lead - Security Working Group - Linaro

TrustZone hardware features (TZASC, TZMA, TZPC) on HiKey
#3

Thanks Joakim for the reply.

I need to bring up AOSP with OPTEE on hikey board for our device. https://github.com/linaro-swg/optee_android_manifest

has in appropriate tool chain in linaro releases website, I have corrected it. Build still failed to locate gcc, I may need to correct it in optee_os repo. Can you please send the patch for buildable verion, before I get in GIT.

Thanks in advance,
Krishna.

#4

I am trying to get the functionalities of libc library into the optee os so that they can be used in the TEE domain. I guess getting all the libc functionalitites may not be possible in the TEE domain. Could someone please guide me as to how this could be done.

Thanks,
Rabi

#5

@sv_krishna,
Please find links to the toolchains that we’re using here:

Actually, earlier today we’ve updated from GCC5.3 to GCC6.2.

Trying to run Android with OP-TEE is a good task, but if you just want to play around to get used with OP-TEE and the tools, then I’d recommend to instead just follow the instructions for HiKey running plain Linux with BusyBox. I.e, the link I gave in the previous reply. An update regarding AOSP @vchong have continued making some updates to the optee_android_manifest git, so I’d believe he will have it up and running again any day.

@Rabi,

OP-TEE contains a very stripped down “libc”. You find that here:

If that wouldn’t be sufficient we can always add more as long as we’re using something compatible with the license for OP-TEE (alternatively write something on our own from scratch). Please have a check there so see if there is what you need. If not, how about try to create and submit a patch for the things you’re missing?

// Regards Joakim

#6

@sv_krishna

Sorry for the delay. For 6, you can try https://wiki.linaro.org/LMG/Engineering/IntegrateOptee. For 7/current master, https://github.com/vchong/optee_android_manifest is my still-work-in-progress branch. Atm, it can build and boot to linux 4.4.43 and run xtest (as root or disable selinux), but some tests are still failing, and please also be forewarned that I overwrite stuffs constantly, so use at your own risk.

#7

@Rabi

See https://github.com/OP-TEE/optee_os/issues/901 and https://github.com/OP-TEE/optee_os/issues/1003 as references or more info.

HTH

#8

Thanks to all of your suggestions. I am trying to extend the libutils.

Rabi

#9

Is there any support for socket library in optee ? I could not figure out any such thing.

In the rich OS side there are support for the socket lib.

I am trying to port libcurl in the tee. Could some one help me in identifying the procedure how I can do so.

If libcurl porting is not possible in tee side then is it possible to port that in rich os side and how that can be done?

Rabi

#10

GP socket support was merged yesterday in https://github.com/OP-TEE/optee_os/commit/a32a96ed0f53597ad86f74e3ff2dcb122a932a55 and https://github.com/OP-TEE/optee_os/commit/cb0b5954d71aafdc2b6de4538bfc7fb171093cbf.

This is based on the TEE Sockets API Specification v1.0 from Global Platform as can be obtained here.

#11

Thanks vchong. We have downloaded the latest code base with iSocket support and ran sample tcp/udp client application on optee.

Now we are trying to communicate with the external server through wifi but not getting the wifi access on the HiKey board after installing the optee image. So is there any wifi driver available on optee or we need to integrate a wifi driver on optee. Someone please help me.

Thanks,
Rabi

#12

Which build are you using? The debian and aosp build should support wifi. The other builds don’t so you’ll have to integrate your own. I haven’t done the integration before. https://github.com/96boards/documentation/wiki/HiKeyGettingStarted/37c7eb93a5edefd70c42faf6c3becf84facd60d8#wifi-driver-from-source might offer some info but I heard it was somewhat difficult to get right.

#13

@vchong Thanks for the information.

I was not using the Debian or AOSP build and was using the other build. But finally not able to make wifi work on that version.

Thanks,
Rabi

#14

@rabindranath-derebac You’re welcome.

What is ‘the other build’? FYI it’s still a bit of WIP but the latest build instructions we have is https://github.com/linaro-swg/optee_android_manifest/tree/hikey-n-4.9.

Also, I was informed of a wifi issue recently in hikey aosp. Please try reverting commit 17ea3f3016b967ddcca535acb90dc1c3f8d98ec2 in device/linaro/hikey to see if that helps.

#15

@vchong

I was using https://github.com/OP-TEE/build which is the optee version without Debian and AOSP.

Now I am going to build the AOSP version.

Thanks in advance for providing the android manifest link.

#16

fyi https://github.com/OP-TEE/build is just an initramfs build and doesn’t include the required wif components mentioned above so yes if you still want wifi on it you’ll have to try to build int.

I thought you were using the aosp build already. f you’re just starting to use it today then don’t worry about reverting the commit above manually. It’ll be automatically patched as part of the build instructions.

#17

@vchong

Hi
I am able to build and flash OP-TEE with AOSP on the HiKey board following the instructions mentioned in https://github.com/linaro-swg/optee_android_manifest/tree/hikey-n-4.9.

Now I am trying to get the iSocket interface in the OP-TEE which was committed https://github.com/OP-TEE/optee_os/commit/a32a96ed0f53597ad86f74e3ff2dcb122a932a55. But the OP-TEE 2.3 repo which is by default downloaded with the AOSP does not contain that.

So could you please help me on how I can merge those changes to my working copy.

Thanks,
Rabi

#18

@rabindranath-derebac I think you’ll have to do below but please note that it’s not tested. Also not sure if selinux will deny access/operation of iSocket or not.

In .repo/local_manifests/optee.xml, remove the three references to 2.3, i.e. delete revision="refs/tags/2.3.0".

Run repo sync.

Reapply the patches per step 3.4.

In device/linaro/hikey/optee-packages.mk, add PRODUCT_PACKAGES += 873bcd08-c2c3-11e6-a937-d0bf9c45c61c.ta and rebuild.

#19

Last day I was trying to get a fresh code base and followed the instruction https://github.com/linaro-swg/optee_android_manifest/tree/hikey-n-4.9. But while applying the patches I got error and patches did not apply properly. Build was also failed due to the failure in applying the patches.

./android-patchsets/hikey-n-workarounds
=== Applying 17601/1 ===
remote: Counting objects: 11, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 11 (delta 5), reused 10 (delta 4)
Unpacking objects: 100% (11/11), done.
From git://android-review.linaro.org/device/linaro/hikey

  • branch refs/changes/01/17601/1 → FETCH_HEAD
    [detached HEAD 9b55f40] boot parameters: set printk.devkmsg to on
    Author: Yongqin Liu yongqin.liu@linaro.org
    3 files changed, 11 insertions(+), 11 deletions(-)
    === Applying 17597/6 ===
    remote: Counting objects: 4, done.
    remote: Compressing objects: 100% (4/4), done.
    remote: Total 4 (delta 3), reused 1 (delta 0)
    Unpacking objects: 100% (4/4), done.
    From git://android-review.linaro.org/device/linaro/hikey
  • branch refs/changes/97/17597/6 → FETCH_HEAD
    error: could not apply 656c7e5… init rc files: enabled adb over tcpip by default
    hint: after resolving the conflicts, mark the corrected paths
    hint: with 'git add ’ or 'git rm ’
    hint: and commit the result with ‘git commit’
    Recorded preimage for ‘init.common.rc’
    Recorded preimage for ‘init.common.usb.rc’
    17597/6 failed to apply, please fix
    HEAD is now at 9b55f40 boot parameters: set printk.devkmsg to on

./android-patchsets/hikey-optee-n
=== Applying 16991/11 ===
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 6 (delta 4), reused 6 (delta 4)
Unpacking objects: 100% (6/6), done.
From git://android-review.linaro.org/device/linaro/hikey

  • branch refs/changes/91/16991/11 → FETCH_HEAD
    error: could not apply d012ee7… optee: integrate for optee components
    hint: after resolving the conflicts, mark the corrected paths
    hint: with 'git add ’ or 'git rm ’
    hint: and commit the result with ‘git commit’
    Recorded preimage for ‘init.common.rc’
    Recorded preimage for ‘ueventd.common.rc’
    16991/11 failed to apply, please fix
    HEAD is now at 9b55f40 boot parameters: set printk.devkmsg to on

./android-patchsets/swg-mods
=== Applying 17625/3 ===
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 5 (delta 3), reused 4 (delta 2)
Unpacking objects: 100% (5/5), done.
From git://android-review.linaro.org/device/linaro/hikey

  • branch refs/changes/25/17625/3 → FETCH_HEAD
    error: could not apply 1ccb424… Revert “init rc files: enabled adb over tcpip by default”
    hint: after resolving the conflicts, mark the corrected paths
    hint: with 'git add ’ or 'git rm ’
    hint: and commit the result with ‘git commit’
    Recorded preimage for ‘init.common.rc’
    Recorded preimage for ‘init.common.usb.rc’
    17625/3 failed to apply, please fix
    HEAD is now at 9b55f40 boot parameters: set printk.devkmsg to on

Two patches were applied successfully

./android-patchsets/hikey-optee-4.9
./android-patchsets/optee-230-workarounds

Build failed message
1 warning generated.
[ 29% 14076/47714] build out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy
FAILED: /bin/bash -c “(out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/hikey/obj/ETC/sepolicy_intermediates/policy.conf ) && (out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/hikey/obj/ETC/sepolicy_intermediates//sepolicy.dontaudit out/target/product/hikey/obj/ETC/sepolicy_intermediates/policy.conf.dontaudit ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ “userdebug” = “user” -a -s out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo “==========” 1>&2; echo “ERROR: permissive domains not allowed in user builds” 1>&2; echo “List of invalid domains:” 1>&2; cat out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )”
device/linaro/hikey/sepolicy/hal_bluetooth_hikey.te:5:ERROR ‘syntax error’ at token ‘hal_server_domain’ on line 20715:

hal_server_domain(hal_bluetooth_hikey, hal_bluetooth)
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/hikey/obj/ETC/sepolicy_intermediates/policy.conf
[ 29% 14076/47714] Docs droiddoc: out/target/common/docs/system-api-stubs
DroidDoc took 42 sec. to write docs to out/target/common/docs/system-api-stubs
[ 29% 14076/47714] Docs droiddoc: out/target/common/docs/api-stubs
DroidDoc took 42 sec. to write docs to out/target/common/docs/api-stubs
[ 29% 14076/47714] Docs droiddoc: out/target/common/docs/test-api-stubs
DroidDoc took 42 sec. to write docs to out/target/common/docs/test-api-stubs
ninja: build stopped: subcommand failed.
make: *** [ninja_wrapper] Error 1

make failed to build some targets (21:18 (mm:ss))

#20

Fixed. Please repo sync, reapply patches and try building again. Note if you’re making above change to remove the references to 2.3, do not apply the optee-230-workarounds patch.