This blog post, written by Márton Juhász, is the first in a series of blog posts on transforming the Raspberry Pi into a security enhanced IoT platform.
This blog post explains how to build and install the default OP-TEE implementation for the Raspberry Pi 3. The easiest way is to follow the steps described in the corresponding git repo of OP-TEE. However, for the sake of completeness (and because some steps may actually be a bit confusing in the original description), we provide a comprehensive description here.
Theoretically, you can use any Linux distribution to build OP-TEE. However, to be able to build and run OP-TEE, there are a few packages that need to be installed to start with. Therefore, first install the following packages:
$ sudo apt-get install android-tools-adb android-tools-fastboot autoconf \ automake bc bison build-essential cscope curl device-tree-compiler \ expect flex ftp-upload gdisk iasl libattr1-dev libc6:i386 libcap-dev \ libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev \ libpixman-1-dev libssl-dev libstdc++6:i386 libtool libz1:i386 make \ mtools netcat python-crypto python-serial python-wand unzip uuid-dev \ xdg-utils xterm xz-utils zlib1g-dev git
Install Android Repo
Note that here you do not install a huge SDK, it is simply a Python script that you download and put in your
$PATH. That’s all. To install the Repo, make sure you have a bin/ directory in your home directory and that it is included in your path:
$ mkdir ~/bin $ PATH=~/bin:$PATH
Download the Repo tool and ensure that it is executable:
$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo $ chmod a+x ~/bin/repo
Once you istalled the Repo, you have to configure git with:
$ git config --global user.name "Your Name" $ git config --global user.email "email@example.com"
Get the source code of OP-TEE
Download the OP-TEE source files:
$ mkdir -p $HOME/devel/optee $ cd $HOME/devel/optee $ repo init -u https://github.com/OP-TEE/manifest.git -m rpi3.xml $ repo sync
Note that the
repo sync step will take some time if you aren’t referencing an existing tree.
Get the toolchains
Create the toolchains by:
$ cd build $ make toolchains
The repo manifests have been configured, so that repo will always automatically symlink the
Makefile to the correct device specific makefile, that means that you simply start the build by running:
Note: Remember to add -jX to make to run parallel build. This step will also take some time.
Flash the device
The last step is to partition and format the memory card and to put the files onto it. That is something not automated, since if anything goes wrong, in worst case, it might wipe one of your regular hard disks. Instead, there is another makefile target that will tell you exactly what to do. Run that command and follow the instructions there:
$ make img-help
Note: If you don’t want to get any warnings, errors or don’t want to reboot, then start with an empty, unpartitioned memory card.
Boot up the device
With all files on the memory card, put the memory card into the Raspberry Pi 3 and boot up the system. On the UART interface, you will see the system booting up.
tee-supplicant is already loaded (check with
$ ps aux | grep tee-supplicant). If it’s not running, then start it by typing:
$ tee-supplicant &
The entire xtest test suite has been deployed when you we’re running
$ make in the previous steps, i.e, in general there is no need to copy any binaries manually. Everything has been put into the root FS automatically. So, to run
xtest, you simply type:
If everything went well, then xtest should end with something like this:
+----------------------------------------------------- 23476 subtests of which 0 failed 67 test cases of which 0 failed 0 test case was skipped TEE test application done!
The next post will explain how to use the Buildroot environment to build your own custom Linux system (with OP-TEE) that you can put on the Raspberry Pi.