Deploying trusted services in S-EL0 Secure Partitions under OP-TEE
==================================================================

Trusted services built for the *opteesp* environment may be deployed to run within S-EL0 secure
partitions, managed by OP-TEE. The current implementation of the OP-TEE SPMC supports booting SPs
embedded into the OP-TEE OS binary (similar to early-TAs) or from the FIP.

Tool prerequisites and general build instructions for OP-TEE are described here:
`<https://optee.readthedocs.io/en/latest/building/gits/build.html>`_

Download page for Arm Fixed Virtual Platforms (FVP):
`<https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms>`_


Embedding SP images into the *OP-TEE OS* image
----------------------------------------------

The set of SP images to include in the built *OP-TEE OS* image is specified to the *OP-TEE OS*
build by the ``SP_PATHS`` make variable. The ``SP_PATHS`` variable should be assigned a string
containing a space-separated list of file paths, one for each SP image file to include. SP images
that need to be deployed from the Trusted Services project will be located in the install directory
specified when the SP images were built, i.e.::

    <CMAKE_INSTALL_PREFIX>/opteesp/bin

The following example illustrates a setting of the ``SP_PATHS`` variable to deploy the Secure Storage
SP and Crypto SP::

    SP_PATHS="ts-install-dir/opteesp/bin/dc1eef48-b17a-4ccf-ac8b-dfcff7711b14.stripped.elf \
        ts-install-dir/opteesp/bin/d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0.stripped.elf"


Reference OP-TEE build with PSA RoT Services
--------------------------------------------

To provide an example integration of OP-TEE with a set of trusted services, a makefile called
*fvp-ps-sp.mk* is included in the OP-TEE build repository that builds OP-TEE OS with a set of SP
images. SP images are built using the standard trusted services build flow and are automatically
injected into the *optee_os* build using the TA feature described above.

A bootable Linux image is created that is intended to run on the Arm AEM FVP virtual platform. The
built image includes user space programs that may be used to test and demonstrate the deployed
trusted services.


Getting build dependencies
''''''''''''''''''''''''''

To help set up the workspace, a manifest file called *fvp-ts.xml* is included in the OP-TEE manifest
repository. This may be used with the *repo* tool to manage the set of git repositories.

Having created a new directory for the workspace, the required set of git repositories can be cloned
and fetched using::

    repo init -u https://github.com/OP-TEE/manifest.git -b master -m fvp-ts.xml
    repo sync


Building the reference OP-TEE image
'''''''''''''''''''''''''''''''''''

To build the bootable image that includes OP-TEE and the set of secure partition images that hold the
PSA RoT services, use the following (from the root directory of the workspace)::

    make -C build

This will take many tens of minutes to complete.


Running the reference OP-TEE image on FVP
'''''''''''''''''''''''''''''''''''''''''

The fvp makefile includes *run* and *run-only* targets, which can be used to start the FVP model and
boot the built image. The example assumes that the FVP model has been installed in the following
directory relative to the OP-TEE build directory::

    ../Base_RevC_AEMvA_pkg/models/Linux64_GCC-9.3

To boot the built image on FVP without building, use::

    FVP_PATH=../Base_RevC_AEMvA_pkg/models/Linux64_GCC-9.3 make run-only

For information on running user space programs on FVP, see:

:ref:`Running User-space Programs on FVP`

--------------

*Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.*

SPDX-License-Identifier: BSD-3-Clause
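
One way to assemble the ``SP_PATHS`` value described under "Embedding SP images into the *OP-TEE OS* image", so that only an explicit allowlist of SP UUIDs, each present as a real ELF file, is handed to the *OP-TEE OS* build. This is an added example, not code from the Trusted Services or OP-TEE projects; the helper name ``build_sp_paths`` is hypothetical, and it assumes every SP image follows the ``<uuid>.stripped.elf`` naming shown in the ``SP_PATHS`` example.

```sh
#!/bin/sh
# Added example: build an SP_PATHS value from an explicit allowlist of SP UUIDs.
# build_sp_paths is a hypothetical helper, not part of OP-TEE or Trusted Services.
# Assumes images are named <uuid>.stripped.elf, as in the page's example paths.

build_sp_paths() {
    sp_dir=$1
    shift
    sp_out=

    # SP_PATHS is a space-separated make variable: refuse a directory whose
    # name contains whitespace or characters make/the shell would reinterpret.
    case $sp_dir in
        ''|*[!A-Za-z0-9._/-]*)
            echo "unsafe install directory: $sp_dir" >&2
            return 1 ;;
    esac

    for sp_uuid in "$@"; do
        # Canonical lowercase UUID only. The length test stops a multi-line
        # argument from slipping past the line-based grep; '../' is rejected too.
        if [ "${#sp_uuid}" -ne 36 ] || ! printf '%s\n' "$sp_uuid" |
            grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
            echo "not a canonical UUID: $sp_uuid" >&2
            return 1
        fi

        sp_img=$sp_dir/$sp_uuid.stripped.elf
        if [ ! -f "$sp_img" ]; then
            echo "SP image missing: $sp_img" >&2
            return 1
        fi

        # The first four bytes of an ELF file are 7f 45 4c 46 ("\177ELF").
        sp_magic=$(od -An -tx1 -N4 "$sp_img" | tr -d ' \n')
        if [ "$sp_magic" != 7f454c46 ]; then
            echo "not an ELF file: $sp_img" >&2
            return 1
        fi

        sp_out="${sp_out:+$sp_out }$sp_img"
    done

    # An empty allowlist is treated as an error rather than an empty SP_PATHS.
    [ -n "$sp_out" ] || { echo "no SP images requested" >&2; return 1; }
    printf '%s\n' "$sp_out"
}
```

Capture the output with ``SP_PATHS=$(build_sp_paths ts-install-dir/opteesp/bin <uuid> ...)`` and stop the build if the function returns non-zero, since nothing is printed on failure.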