In my recent research, I have to install an instrument logic into the TrustZone, where the system level codes cannot access to, of the ARM SoC to monitor the behaviours of apps without any awareness.
However, as a former mobile software engineer, it is struggling to understand the principle of TrustZone and find a way to manipulate it since most of my work was to interact with the system and SDK. What’s even worse, most of the tutorials require Juno Development kit or HiKey, which are either extremely expensive or tricky to get. At present, I got a dozen of Raspberry Pi 3Bs in the lab.
Raspberry Pi does not support the TrustZone, specifically secure boot. However, there is a project, OP-TEE, that suits well with this purpose. OP-TEE supports HiKey960 and HiKey620 boards by default, and its building tutorial is based on these boards. I referenced this Korean tutorial to build it.
The following steps are my walkthrough.
Note: Please build the project under non-Windows system, in either metal bare or virtual machine, since there’re critical bugs during building in Windows/WSL. If you don’t want to waste centuries of time, do it in Ubuntu
OP-TEE is an open-sourced implementation of the Trusted Execution Environment(TEE) with TrustZone technology. It provides a secure zone for trusted application and confidential data. OP-TEE includes:
- Secure OS
- Rich OS level client application
- Secure OS level trusted application
- kernel driver
- ARM Trusted Firmware(ATF), which provides ways to the kernel driver.
OP-TEE supports QEMU and ARM boards including ARM Juno, Raspberry Pi 3, HiKey, STMicroelectronics, etc.
However, the Raspberry Pi 3’s ATF and OP-TEE are not virtually secure. Though the processor(BCM2837) of it supports Exception Status, other secure functions including secure boot, secure memory and peripherals are not supported. Moreover, OP-TEE only provides a simple prototype.
- We will use the repo of Google AOSP for code management.
- If you are using Ubuntu, the following packages should be installed
$ sudo apt-get install python3 python3-pip android-tools-adb android-tools-fastboot autoconf \
- Download the source code of OP-TEE for Raspberry Pi 3/3B.
$ mkdir ~/optee
- make toolchains
$ cd build
Commands above download and unarchive linux kernal packages and toolchains.
$ make all
The following targes will be built.
During the building process, you will find the following error:
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Note: according to my experience, you have to re-download u-boot since there is a bug triggering the above bug in the embedded version. So, move to the project directory and run:
$ rm -rf u-boot
- Flash into the sd card
$ make flash
You can also reference the official tutorial to build and test this project.