This blog post, written by Márton Juhász, is the first in a series of blog posts on transforming the Raspberry Pi into a security enhanced IoT platform.

This blog post explains how to build and install the default OP-TEE implementation for the Raspberry Pi 3. The easiest way is to follow the steps described in the corresponding git repo of OP-TEE. However, for the sake of completeness (and because some steps may actually be a bit confusing in the original description), we provide a comprehensive description here.


Theoretically, you can use any Linux distribution to build OP-TEE. However, to be able to build and run OP-TEE, there are a few packages that need to be installed to start with. Therefore, first install the following packages:

$ sudo apt-get install android-tools-adb android-tools-fastboot autoconf \
    automake bc bison build-essential cscope curl device-tree-compiler \
    expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \
    libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \
    libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \
    mtools netcat python-crypto python-serial python-wand unzip uuid-dev \
    xdg-utils xterm xz-utils zlib1g-dev git

Install Android Repo

Note that here you do not install a huge SDK, it is simply a Python script that you download and put in your $PATH. That’s all. To install the Repo, make sure you have a bin/ directory in your home directory and that it is included in your path:

$ mkdir ~/bin 
$ PATH=~/bin:$PATH

Download the Repo tool and ensure that it is executable:

$ curl > ~/bin/repo
$ chmod a+x ~/bin/repo

Once you istalled the Repo, you have to configure git with:

$ git config --global "Your Name"
$ git config --global ""

Get the source code of OP-TEE

Download the OP-TEE source files:

$ mkdir -p $HOME/devel/optee
$ cd $HOME/devel/optee
$ repo init -u -m rpi3.xml
$ repo sync

Note that the repo sync step will take some time if you aren’t referencing an existing tree.

Get the toolchains

Create the toolchains by:

$ cd build
$ make toolchains

Build OP-TEE

The repo manifests have been configured, so that repo will always automatically symlink the Makefile to the correct device specific makefile, that means that you simply start the build by running:

$ make

Note: Remember to add -jX to make to run parallel build. This step will also take some time.

Flash the device

The last step is to partition and format the memory card and to put the files onto it. That is something not automated, since if anything goes wrong, in worst case, it might wipe one of your regular hard disks. Instead, there is another makefile target that will tell you exactly what to do. Run that command and follow the instructions there:

$ make img-help

Note: If you don’t want to get any warnings, errors or don’t want to reboot, then start with an empty, unpartitioned memory card.

Boot up the device

With all files on the memory card, put the memory card into the Raspberry Pi 3 and boot up the system. On the UART interface, you will see the system booting up.

Load tee-supplicant

Theoretically tee-supplicant is already loaded (check with $ ps aux | grep tee-supplicant). If it’s not running, then start it by typing:

$ tee-supplicant &

Run xtest

The entire xtest test suite has been deployed when you we’re running $ make in the previous steps, i.e, in general there is no need to copy any binaries manually. Everything has been put into the root FS automatically. So, to run xtest, you simply type:

$ xtest

If everything went well, then xtest should end with something like this:

23476 subtests of which 0 failed
67 test cases of which 0 failed
0 test case was skipped
TEE test application done!

The next post will explain how to use the Buildroot environment to build your own custom Linux system (with OP-TEE) that you can put on the Raspberry Pi.



Leave a Reply