optee_examples's Issues

Remote Attestation process/protocol for OP-TEE

I do not know if this is the right place to ask, but I would like to know if OP-TEE provides some mechanism through which we can attest that some code is the real trusted code we are expecting.

Also, are there some capabilities related to device identification, such that I can query or authenticate a specific device running OP-TEE?

A quick search on the Internet did not return good information...

Strange things, when including Python libs

Hi,

From time to time, the following error occurs:

>>> optee_examples_ext 1.0 Building
PATH="/home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/out-br/host/bin:/home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/out-br/host/sbin:/home/alzeha/bin:/home/alzeha/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"  /usr/bin/make   -C /home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/out-br/build/optee_examples_ext-1.0/
Scanning dependencies of target optee_example_hello_world
Scanning dependencies of target optee_example_acipher
Scanning dependencies of target optee_example_aes
Scanning dependencies of target optee_example_hotp
Scanning dependencies of target optee_example_random
Scanning dependencies of target optee_example_secure_storage
[  8%] Building C object hello_world/CMakeFiles/optee_example_hello_world.dir/host/main.c.o
[ 16%] Building C object aes/CMakeFiles/optee_example_aes.dir/host/main.c.o
[ 25%] Building C object acipher/CMakeFiles/optee_example_acipher.dir/host/main.c.o
[ 33%] Building C object random/CMakeFiles/optee_example_random.dir/host/main.c.o
[ 41%] Building C object hotp/CMakeFiles/optee_example_hotp.dir/host/main.c.o
[ 50%] Building C object secure_storage/CMakeFiles/optee_example_secure_storage.dir/host/main.c.o
[ 58%] Linking C executable optee_example_hello_world
[ 66%] Linking C executable optee_example_random
[ 75%] Linking C executable optee_example_hotp
[ 83%] Linking C executable optee_example_aes
[ 91%] Linking C executable optee_example_acipher
[ 91%] Built target optee_example_hello_world
[ 91%] Built target optee_example_random
[ 91%] Built target optee_example_hotp
[100%] Linking C executable optee_example_secure_storage
[100%] Built target optee_example_aes
[100%] Built target optee_example_acipher
[100%] Built target optee_example_secure_storage
Building /home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/out-br/build/optee_examples_ext-1.0/acipher/ta/Makefile
make[3]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
  CC      out/acipher_ta.o
  CC      out/user_ta_header.o
  CPP     out/ta.lds
  GEN     out/dyn_list
  LD      out/a734eed9-d6a1-4244-aa50-7c99719e7b7b.elf
  OBJDUMP out/a734eed9-d6a1-4244-aa50-7c99719e7b7b.dmp
  OBJCOPY out/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf
  SIGN    out/a734eed9-d6a1-4244-aa50-7c99719e7b7b.ta
Traceback (most recent call last):
  File "/home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/optee_os/out/arm/export-ta_arm64/scripts/sign_encrypt.py", line 258, in <module>
    main()
  File "/home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/optee_os/out/arm/export-ta_arm64/scripts/sign_encrypt.py", line 131, in main
    from Cryptodome.Signature import pss
ModuleNotFoundError: No module named 'Cryptodome'
make[3]: *** [/home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/optee_os/out/arm/export-ta_arm64/mk/link.mk:104: out/a734eed9-d6a1-4244-aa50-7c99719e7b7b.ta] Error 1
make[2]: *** [package/pkg-generic.mk:242: /home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/out-br/build/optee_examples_ext-1.0/.stamp_built] Error 2
make[1]: *** [Makefile:23: _all] Error 2
make[1]: Leaving directory '/home/alzeha/Desktop/bc-praktikum-group2/optee-project-for-rpi3/out-br'
make: *** [common.mk:227: buildroot] Error 2

I am not really sure about the reasons or when it happens. It seems like this error corresponds to the circumstances of adding new Python packages from GitHub, using the $(eval $(python-package)) command. But again: not sure about this. Including the missing library does not help and, as I said, it often works.

Has someone seen something similar? This is a very strange behavior, isn't it?

EDIT:
On my new Linux Mint machine, Python2 is not really broadly accepted anymore. So it might be a problem with Cryptodome, but due to these outdated prerequisites?

Linking external SO files in host side in optee-example

Hi,

Can anyone help me link external .so files to the main.c (host part) file in the OP-TEE examples (i.e. CA or user space)? I tried but could not succeed.

Suppose, for example, in the hello_world example, inside main I want to use some external APIs of my own. I have a libX.so file; I created an include file inside /hello_world/host/include and added the header files of libX.so there.
Now I modified hello_world/CMakeLists.txt as below:

target_link_libraries (${PROJECT_NAME} PRIVATE teec PUBLIC X)
I'm stuck here; I tried a few things but nothing helps.
I get the error below:

lib/gcc/arm-linux-gnueabihf/8.2.1/../../../../arm-linux-gnueabihf/bin/ld: cannot find -lX

Kindly help!

Example for TA - TA communication

Hi,

I have tried out the example of Secure_Storage. With this example, I can store my data to the secure storage, which I verified in the /data/tee folder.

Is there any possibility to achieve TA - TA communication? Here, my use case is to transfer data from one TA to another TA.

If yes, can you share the example for the same? Thanks.

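SM4 implemented by closely imitating the AES example: the last few digits of the encryption result are incorrect

1. The following code, modeled on the AES example, sets the SM4 key and IV and then encrypts in CTR mode.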

#include <tee_internal_api.h>
#include <tee_internal_api_extensions.h>
#include <ys_ta.h>
#include <ys_ta_sm4.h>

#define AES128_KEY_BIT_SIZE 128
#define AES128_KEY_BYTE_SIZE (AES128_KEY_BIT_SIZE / 8) // 128 bits only

/*
 * Ciphering context: each opened session relates to a ciphering operation.
 * - configure the AES flavour from a command.
 * - load key from a command (here the key is provided by the REE)
 * - reset init vector (here IV is provided by the REE)
 * - cipher a buffer frame (here input and output buffers are non-secure)
 */

/*
 * Few routines to convert IDs from TA API into IDs from OP-TEE.
 */
TEE_Result sm4_ta2tee_algo_id(uint32_t param, uint32_t *algo)
{
    DMSG("----------sm4_ta2tee_algo_id param=%d\n", param);
    switch (param)
    {
    case TA_SM4_ALGO_ECB:
        *algo = TEE_ALG_SM4_ECB_NOPAD;
        return TEE_SUCCESS;
    case TA_SM4_ALGO_CBC:
        *algo = TEE_ALG_SM4_CBC_NOPAD;
        return TEE_SUCCESS;
    case TA_SM4_ALGO_CTR:
        *algo = TEE_ALG_SM4_CTR;
        return TEE_SUCCESS;
    default:
        EMSG("Invalid algo %u", param);
        return TEE_ERROR_BAD_PARAMETERS;
    }
}

TEE_Result sm4_ta2tee_key_size(uint32_t param, uint32_t *key_size)
{
    switch (param)
    {
    case AES128_KEY_BYTE_SIZE:
        DMSG("sm4_ta2tee_key_size-----------------param=%d\n", param);
        *key_size = param;
        return TEE_SUCCESS;
    default:
        EMSG("Invalid key size %u", param);
        return TEE_ERROR_BAD_PARAMETERS;
    }
}

TEE_Result sm4_ta2tee_mode_id(uint32_t param, uint32_t *mode)
{
    switch (param)
    {
    case TA_SM4_MODE_ENCODE:
        *mode = TEE_MODE_ENCRYPT;
        return TEE_SUCCESS;
    case TA_SM4_MODE_DECODE:
        *mode = TEE_MODE_DECRYPT;
        return TEE_SUCCESS;
    default:
        EMSG("Invalid mode %u", param);
        return TEE_ERROR_BAD_PARAMETERS;
    }
}

/*
 * Process command TA_AES_CMD_PREPARE. API in aes_ta.h
 *
 * Allocate resources required for the ciphering operation.
 * During ciphering operation, when expect client can:
 * - update the key materials (provided by client)
 * - reset the initial vector (provided by client)
 * - cipher an input buffer into an output buffer (provided by client)
 */
TEE_Result sm4_alloc_resources(void *session, uint32_t param_types,
                               TEE_Param params[4])
{
    const uint32_t exp_param_types =
        TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INPUT,
                        TEE_PARAM_TYPE_VALUE_INPUT,
                        TEE_PARAM_TYPE_VALUE_INPUT,
                        TEE_PARAM_TYPE_NONE);
    struct sm4_cipher *sess;
    TEE_Attribute attr;
    TEE_Result res;
    char *key;

    /* Get ciphering context from session ID */
    DMSG("Session %p: get ciphering resources", session);
    sess = (struct sm4_cipher *)session;

    /* Safely get the invocation parameters */
    if (param_types != exp_param_types)
        return TEE_ERROR_BAD_PARAMETERS;

    res = sm4_ta2tee_algo_id(params[0].value.a, &sess->algo);
    if (res != TEE_SUCCESS)
        return res;

    res = sm4_ta2tee_key_size(params[1].value.a, &sess->key_size);
    if (res != TEE_SUCCESS)
        return res;

    res = sm4_ta2tee_mode_id(params[2].value.a, &sess->mode);
    if (res != TEE_SUCCESS)
        return res;

    /*
     * Ready to allocate the resources which are:
     * - an operation handle, for an AES ciphering of given configuration
     * - a transient object that will be used to load the key materials
     *   into the AES ciphering operation.
     */

    /* Free potential previous operation */
    if (sess->op_handle != TEE_HANDLE_NULL)
        TEE_FreeOperation(sess->op_handle);

    /* Allocate operation: AES/CTR, mode and size from params */
    res = TEE_AllocateOperation(&sess->op_handle,
                                sess->algo,
                                sess->mode,
                                sess->key_size * 8);
    if (res != TEE_SUCCESS)
    {
        EMSG("Failed to allocate operation");
        sess->op_handle = TEE_HANDLE_NULL;
        goto err;
    }

    /* Free potential previous transient object */
    if (sess->key_handle != TEE_HANDLE_NULL)
        TEE_FreeTransientObject(sess->key_handle);

    /* Allocate transient object according to target key size */
    res = TEE_AllocateTransientObject(TEE_TYPE_SM4,
                                      sess->key_size * 8,
                                      &sess->key_handle);
    if (res != TEE_SUCCESS)
    {
        EMSG("Failed to allocate transient object");
        sess->key_handle = TEE_HANDLE_NULL;
        goto err;
    }

    /*
     * When loading a key in the cipher session, set_aes_key()
     * will reset the operation and load a key. But we cannot
     * reset an operation that has no key yet (GPD TEE Internal
     * Core API Specification – Public Release v1.1.1, section
     * 6.2.5 TEE_ResetOperation). In consequence, we will load a
     * dummy key in the operation so that operation can be reset
     * when updating the key.
     */
    key = TEE_Malloc(sess->key_size, 0);
    if (!key)
    {
        res = TEE_ERROR_OUT_OF_MEMORY;
        goto err;
    }

    TEE_InitRefAttribute(&attr, TEE_ATTR_SECRET_VALUE, key, sess->key_size);

    res = TEE_PopulateTransientObject(sess->key_handle, &attr, 1);
    if (res != TEE_SUCCESS)
    {
        EMSG("TEE_PopulateTransientObject failed, %x", res);
        goto err;
    }

    res = TEE_SetOperationKey(sess->op_handle, sess->key_handle);
    if (res != TEE_SUCCESS)
    {
        EMSG("TEE_SetOperationKey failed %x", res);
        goto err;
    }

    return res;

err:
    if (sess->op_handle != TEE_HANDLE_NULL)
        TEE_FreeOperation(sess->op_handle);
    sess->op_handle = TEE_HANDLE_NULL;

    if (sess->key_handle != TEE_HANDLE_NULL)
        TEE_FreeTransientObject(sess->key_handle);
    sess->key_handle = TEE_HANDLE_NULL;

    return res;
}

/*
 * Process command TA_AES_CMD_SET_KEY. API in aes_ta.h
 */
TEE_Result sm4_set_aes_key(void *session, uint32_t param_types,
                           TEE_Param params[4])
{
    const uint32_t exp_param_types =
        TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
                        TEE_PARAM_TYPE_NONE,
                        TEE_PARAM_TYPE_NONE,
                        TEE_PARAM_TYPE_NONE);
    struct sm4_cipher *sess;
    TEE_Attribute attr;
    TEE_Result res;
    uint32_t key_sz;
    char *key;

    /* Get ciphering context from session ID */
    DMSG("Session %p: load key material", session);
    sess = (struct sm4_cipher *)session;

    /* Safely get the invocation parameters */
    if (param_types != exp_param_types)
    {
        // DMSG("TEE_ERROR_BAD_PARAMETERS-------------------------------------\n");
        return TEE_ERROR_BAD_PARAMETERS;
    }

    key = params[0].memref.buffer;
    key_sz = params[0].memref.size;

    DMSG("-----进入setkey以后KEY %s::::::key_sz %d", key, key_sz);

    if (key_sz != sess->key_size)
    {
        EMSG("Wrong key size %" PRIu32 ", expect %" PRIu32 " bytes",
             key_sz, sess->key_size);
        return TEE_ERROR_BAD_PARAMETERS;
    }

    /*
     * Load the key material into the configured operation
     * - create a secret key attribute with the key material
     *   TEE_InitRefAttribute()
     * - reset transient object and load attribute data
     *   TEE_ResetTransientObject()
     *   TEE_PopulateTransientObject()
     * - load the key (transient object) into the ciphering operation
     *   TEE_SetOperationKey()
     *
     * TEE_SetOperationKey() requires operation to be in "initial state".
     * We can use TEE_ResetOperation() to reset the operation but this
     * API cannot be used on operation with key(s) not yet set. Hence,
     * when allocating the operation handle, we load a dummy key.
     * Thus, set_key sequence always reset then set key on operation.
     */

    TEE_InitRefAttribute(&attr, TEE_ATTR_SECRET_VALUE, key, key_sz);

    TEE_ResetTransientObject(sess->key_handle);
    res = TEE_PopulateTransientObject(sess->key_handle, &attr, 1);
    if (res != TEE_SUCCESS)
    {
        EMSG("TEE_PopulateTransientObject failed, %x", res);
        return res;
    }

    TEE_ResetOperation(sess->op_handle);
    res = TEE_SetOperationKey(sess->op_handle, sess->key_handle);
    if (res != TEE_SUCCESS)
    {
        EMSG("TEE_SetOperationKey failed %x", res);
        return res;
    }

    return res;
}

/*
 * Process command TA_AES_CMD_SET_IV. API in aes_ta.h
 */
TEE_Result sm4_reset_aes_iv(void *session, uint32_t param_types,
                            TEE_Param params[4])
{
    const uint32_t exp_param_types =
        TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
                        TEE_PARAM_TYPE_NONE,
                        TEE_PARAM_TYPE_NONE,
                        TEE_PARAM_TYPE_NONE);
    struct sm4_cipher *sess;
    size_t iv_sz;
    char *iv;

    /* Get ciphering context from session ID */
    DMSG("Session %p: reset initial vector", session);
    sess = (struct sm4_cipher *)session;

    /* Safely get the invocation parameters */
    if (param_types != exp_param_types)
        return TEE_ERROR_BAD_PARAMETERS;

    iv = params[0].memref.buffer;
    iv_sz = params[0].memref.size;

    DMSG("-----进入iv以后iv %s::::::iv_sz %d", iv, iv_sz);

    /*
     * Init cipher operation with the initialization vector.
     */
    TEE_CipherInit(sess->op_handle, iv, iv_sz);

    return TEE_SUCCESS;
}

/*
 * Process command TA_AES_CMD_CIPHER. API in aes_ta.h
 */
TEE_Result sm4_cipher_buffer(void *session, uint32_t param_types,
                             TEE_Param params[4])
{
    const uint32_t exp_param_types =
        TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
                        TEE_PARAM_TYPE_MEMREF_OUTPUT,
                        TEE_PARAM_TYPE_NONE,
                        TEE_PARAM_TYPE_NONE);
    struct sm4_cipher *sess;

    /* Get ciphering context from session ID */
    DMSG("Session %p: cipher buffer", session);
    sess = (struct sm4_cipher *)session;

    /* Safely get the invocation parameters */
    if (param_types != exp_param_types)
        return TEE_ERROR_BAD_PARAMETERS;

    if (params[1].memref.size < params[0].memref.size)
    {
        EMSG("Bad sizes: in %d, out %d", params[0].memref.size,
             params[1].memref.size);
        return TEE_ERROR_BAD_PARAMETERS;
    }

    if (sess->op_handle == TEE_HANDLE_NULL)
        return TEE_ERROR_BAD_STATE;

    /*
     * Process ciphering operation on provided buffers
     */
    return TEE_CipherUpdate(sess->op_handle,
                            params[0].memref.buffer, params[0].memref.size,
                            params[1].memref.buffer, &params[1].memref.size);
}

TEE_Result sm4_read_raw_objectSetKey(void *session, uint32_t param_types, TEE_Param params[4])
{
const uint32_t exp_param_types =
TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE);
TEE_ObjectHandle object;
TEE_ObjectInfo object_info;
TEE_Result res;
uint32_t read_bytes;
char *obj_id;
size_t obj_id_sz;
char *data;
size_t data_sz;

/*
 * Safely get the invocation parameters
 */
if (param_types != exp_param_types)
    return TEE_ERROR_BAD_PARAMETERS;

obj_id_sz = params[0].memref.size;
obj_id = TEE_Malloc(obj_id_sz, 0);
if (!obj_id)
    return TEE_ERROR_OUT_OF_MEMORY;

TEE_MemMove(obj_id, params[0].memref.buffer, obj_id_sz);

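data_sz = 32; // modified here
data = TEE_Malloc(data_sz, 0);
if (!data)
{
    /* Do not leak the object ID copy when the second allocation fails */
    TEE_Free(obj_id);
    return TEE_ERROR_OUT_OF_MEMORY;
}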

/*
 * Check the object exist and can be dumped into output buffer
 * then dump it.
 */
res = TEE_OpenPersistentObject(TEE_STORAGE_PRIVATE,
                               obj_id, obj_id_sz,
                               TEE_DATA_FLAG_ACCESS_READ |
                                   TEE_DATA_FLAG_SHARE_READ,
                               &object);
if (res != TEE_SUCCESS)
{
    EMSG("Failed to open persistent object, res=0x%08x", res);
    TEE_Free(obj_id);
    TEE_Free(data);
    return res;
}

res = TEE_GetObjectInfo1(object, &object_info);
if (res != TEE_SUCCESS)
{
    EMSG("Failed to create persistent object, res=0x%08x", res);
    goto exit;
}

if (object_info.dataSize > data_sz)
{
    /*
     * Provided buffer is too short.
     * Return the expected size together with status "short buffer"
     */
    // params[1].memref.size = object_info.dataSize;
    res = TEE_ERROR_SHORT_BUFFER;
    goto exit;
}

res = TEE_ReadObjectData(object, data, object_info.dataSize,
                         &read_bytes);
// if (res == TEE_SUCCESS)  (modified here)
// 	TEE_MemMove(params[1].memref.buffer, data, read_bytes);
if (res != TEE_SUCCESS || read_bytes != object_info.dataSize)
{
    EMSG("TEE_ReadObjectData failed 0x%08x, read %" PRIu32 " over %u",
         res, read_bytes, object_info.dataSize);
    goto exit;
}

// /* Return the number of byte effectively filled */
// params[1].memref.size = read_bytes;

//////////////////////setkey////////////////////////////////////////
// const uint32_t exp_param_types =
// 	TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
// 					TEE_PARAM_TYPE_NONE,
// 					TEE_PARAM_TYPE_NONE,
// 					TEE_PARAM_TYPE_NONE);
struct sm4_cipher *sess;
TEE_Attribute attr;
// TEE_Result res;
uint32_t key_sz = 16;
// char *key;

/* Get ciphering context from session ID */
DMSG("Session %p: load key material", session);
sess = (struct sm4_cipher *)session;

/* Safely get the invocation parameters */
if (param_types != exp_param_types)
{
    // DMSG("TEE_ERROR_BAD_PARAMETERS-------------------------------------\n");
    return TEE_ERROR_BAD_PARAMETERS;
}

// DMSG("---------------------%s,sz=%d", data, data_sz);
//  TEE_MemMove(key, data, data_sz);

// DMSG("---------------------%s,sz=%d", key);
// // key = data;		  // modified here
// key_sz = data_sz; // modified here

DMSG("-----进入setkey以后KEY %s::::::key_sz %d", data, data_sz);

if (key_sz != sess->key_size)
{
    EMSG("Wrong key size %" PRIu32 ", expect %" PRIu32 " bytes",
         key_sz, sess->key_size);
    /* Leave through exit so the object and both buffers are released */
    res = TEE_ERROR_BAD_PARAMETERS;
    goto exit;
}

/*
 * Load the key material into the configured operation
 * - create a secret key attribute with the key material
 *   TEE_InitRefAttribute()
 * - reset transient object and load attribute data
 *   TEE_ResetTransientObject()
 *   TEE_PopulateTransientObject()
 * - load the key (transient object) into the ciphering operation
 *   TEE_SetOperationKey()
 *
 * TEE_SetOperationKey() requires operation to be in "initial state".
 * We can use TEE_ResetOperation() to reset the operation but this
 * API cannot be used on operation with key(s) not yet set. Hence,
 * when allocating the operation handle, we load a dummy key.
 * Thus, set_key sequence always reset then set key on operation.
 */

TEE_InitRefAttribute(&attr, TEE_ATTR_SECRET_VALUE, data, key_sz);

TEE_ResetTransientObject(sess->key_handle);
res = TEE_PopulateTransientObject(sess->key_handle, &attr, 1);
if (res != TEE_SUCCESS)
{
    EMSG("TEE_PopulateTransientObject failed, %x", res);
    /* Leave through exit so the object and both buffers are released */
    goto exit;
}

TEE_ResetOperation(sess->op_handle);
res = TEE_SetOperationKey(sess->op_handle, sess->key_handle);
if (res != TEE_SUCCESS)
{
    EMSG("TEE_SetOperationKey failed %x", res);
    goto exit;
}

exit:
TEE_CloseObject(object);
TEE_Free(obj_id);
TEE_Free(data);
return res;
}

TEE_Result sm4_read_raw_objectSetIv(void *session, uint32_t param_types, TEE_Param params[4])
{
const uint32_t exp_param_types =
TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE,
TEE_PARAM_TYPE_NONE);
TEE_ObjectHandle object;
TEE_ObjectInfo object_info;
TEE_Result res;
uint32_t read_bytes;
char *obj_id;
size_t obj_id_sz;
char *data;
size_t data_sz;

/*
 * Safely get the invocation parameters
 */
if (param_types != exp_param_types)
    return TEE_ERROR_BAD_PARAMETERS;

obj_id_sz = params[0].memref.size;
obj_id = TEE_Malloc(obj_id_sz, 0);
if (!obj_id)
    return TEE_ERROR_OUT_OF_MEMORY;

TEE_MemMove(obj_id, params[0].memref.buffer, obj_id_sz);

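data_sz = 32; // modified here
data = TEE_Malloc(data_sz, 0);
if (!data)
{
    /* Do not leak the object ID copy when the second allocation fails */
    TEE_Free(obj_id);
    return TEE_ERROR_OUT_OF_MEMORY;
}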

/*
 * Check the object exist and can be dumped into output buffer
 * then dump it.
 */
res = TEE_OpenPersistentObject(TEE_STORAGE_PRIVATE,
                               obj_id, obj_id_sz,
                               TEE_DATA_FLAG_ACCESS_READ |
                                   TEE_DATA_FLAG_SHARE_READ,
                               &object);
if (res != TEE_SUCCESS)
{
    EMSG("Failed to open persistent object, res=0x%08x", res);
    TEE_Free(obj_id);
    TEE_Free(data);
    return res;
}

res = TEE_GetObjectInfo1(object, &object_info);
if (res != TEE_SUCCESS)
{
    EMSG("Failed to create persistent object, res=0x%08x", res);
    goto exit;
}

if (object_info.dataSize > data_sz)
{
    /*
     * Provided buffer is too short.
     * Return the expected size together with status "short buffer"
     */
    // params[1].memref.size = object_info.dataSize;
    res = TEE_ERROR_SHORT_BUFFER;
    goto exit;
}

res = TEE_ReadObjectData(object, data, object_info.dataSize,
                         &read_bytes);
// if (res == TEE_SUCCESS)  (modified here)
// 	TEE_MemMove(params[1].memref.buffer, data, read_bytes);
if (res != TEE_SUCCESS || read_bytes != object_info.dataSize)
{
    EMSG("TEE_ReadObjectData failed 0x%08x, read %" PRIu32 " over %u",
         res, read_bytes, object_info.dataSize);
    goto exit;
}

// /* Return the number of byte effectively filled */
// params[1].memref.size = read_bytes;

//////////////////////setiv////////////////////////////////////////
// const uint32_t exp_param_types =
// 	TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
// 					TEE_PARAM_TYPE_NONE,
// 					TEE_PARAM_TYPE_NONE,
// 					TEE_PARAM_TYPE_NONE);
struct sm4_cipher *sess;
size_t iv_sz = 16;
// char *iv;

/* Get ciphering context from session ID */
DMSG("Session %p: reset initial vector", session);
sess = (struct sm4_cipher *)session;

/* Safely get the invocation parameters */
if (param_types != exp_param_types)
    return TEE_ERROR_BAD_PARAMETERS;

// strcpy(iv, data);
// // iv = data;		 // modified here
// iv_sz = data_sz; // modified here

DMSG("-----进入iv以后iv %s::::::iv_sz %d", data, data_sz);

/*
 * Init cipher operation with the initialization vector.
 */
TEE_CipherInit(sess->op_handle, data, iv_sz);

exit:
TEE_CloseObject(object);
TEE_Free(obj_id);
TEE_Free(data);
return res; /* report the status recorded above instead of always returning success */
}

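2. Actual result
The string being encrypted is helloworld helloworld; the key and IV used for encryption
are C5438CB49497AF0704D66D88871FAD0E.
The result obtained by encrypting with the method above is 942078CAE85B0B51374F13534F6CA80200000000, which differs in the last few digits from the actual encryption result 942078CAE85B0B51374F13534F6CA802B0CE4A80. I tried other strings, and the last few digits are likewise inconsistent!!!

Where is the problem here?
The result obtained by encrypting with the method above is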

Implicit declaration of system function

I figured that the hello world example increments a number. Instead of incrementing a number, I wanted my TA to do a wget to some website. So I added a system("wget website") to my code along with the necessary header file, stdlib.h.
But when I run make, it always shows implicit declaration of system function. Could you please help?

Implement a new Application to HiKey960

Hi, I tried to implement my own application folder on my HiKey 960 board.
In a previous version I just edited the Makefile for the optee_examples and added my folder there. This worked fine for me. With the newer version I am unable to locate the file where the optee_examples are compiled. I checked the make all command and found out that it should be somewhere in the buildroot rule. But I am unable to add my application to the build routine so that I can execute it on my board.
Could it be that all old Makefiles in optee_examples are obsolete because in /out-br/optee_examples1.0/APPLICATION all Makefiles are created via cmake?

optee_example_acipher doesn't work for 4096 keys

# optee_example_acipher 1024 "some chars"
E/TA:  cmd_enc:100 TEE_AsymmetricEncrypt(10, 0): 0xffff0010
Encrypted buffer: 54 8d 58 66 ef 6f fb 3d 4f 4f 85 a9 5b e5 fc c0 8d b7 de bb f9 e4 f6 bb 5a 60 51 14 67 19 f9 b7 a3 6c 74 63 1d 84 bd 3a ea 17 31 43 0b 64 be 9c 78 89 f0 a1 8a 64 6a f7 a4 bd 75 14 00 e9 f9 43 54 cb 17 59 2d 23 eb bf 70 34 3d ca 88 03 a1 5e 0c fc d3 f0 bd d4 c0 a6 
# optee_example_acipher 2048 "some chars"                                                                                                                                                                                                                                
E/TA:  cmd_enc:100 TEE_AsymmetricEncrypt(10, 0): 0xffff0010
Encrypted buffer: 97 66 33 d2 c6 f6 56 9d ef 56 ed d4 30 3d 5d 16 6a d0 e0 82 01 87 dc 96 0b 7c 97 4a 38 93 f1 84 02 03 61 f3 33 2c 3f a9 06 ee c1 0a fd 81 ab e3 3e 28 d3 c3 02 23 84 8f 54 6a f0 d4 15 d8 80 96 7b 09 df 4b 03 a3 b0 e8 be 9c da 27 bb f2 69 8c 56 6c c4 d9 5a 34 0c 55 
# optee_example_acipher 4096 "some chars"  just hangs!

"TA will panic" problem after TA_OpenSessionEntryPoint be called

I am implementing an RSA example to encrypt and decrypt some data. I tried to run my first version now and received the following output:

D/TC:? 0 tee_ta_init_pseudo_ta_session:274 Lookup pseudo TA 21d38c70-f25a-4b95-ac25-07d1bfdbc112
D/TC:? 0 load_elf:842 Lookup user TA ELF 21d38c70-f25a-4b95-ac25-07d1bfdbc112 (Secure Storage TA)
D/TC:? 0 load_elf:842 Lookup user TA ELF 21d38c70-f25a-4b95-ac25-07d1bfdbc112 (REE)
D/TC:? 0 load_elf_from_store:810 ELF load address 0x40005000
D/TC:? 0 tee_ta_init_user_ta_session:1021 Processing relocations in 21d38c70-f25a-4b95-ac25-07d1bfdbc112
D/TA: TA_OpenSessionEntryPoint:173 Session 0x4001a090: newly allocated
D/TC:0 0 abort_handler:671 [abort] abort in User mode (TA will panic)
E/TC:0 0
E/TC:0 0 User TA data-abort at address 0x70158 (translation fault)
E/TC:0 0 esr 0x92000005 ttbr0 0x200000e180000 ttbr1 0x00000000 cidr 0x0
...
E/TC:0 0 Status of TA 21d38c70-f25a-4b95-ac25-07d1bfdbc112 (0xe171550) (active)
E/TC:0 0 arch: aarch64 load address: 0x40005000 ctx-idr: 2
E/TC:0 0 stack: 0x40004000 4096
E/TC:0 0 region 0: va 0x40000000 pa 0xe100000 size 0x2000 flags ---R-X
E/TC:0 0 region 1: va 0x40002000 pa 0xe174000 size 0x1000 flags ---RW-
E/TC:0 0 region 2: va 0x40004000 pa 0xe318000 size 0x1000 flags rw-RW-
E/TC:0 0 region 3: va 0x40005000 pa 0xe300000 size 0xd000 flags r-x--- [0]
E/TC:0 0 region 4: va 0x40012000 pa 0xe30d000 size 0xb000 flags rw---- [0]
E/TC:0 0 region 5: va 0x4001e000 pa 0x80f7d090 size 0x1000 flags rw-RW-
E/TC:0 0 region 6: va 0x4001f000 pa 0x80f7d030 size 0x1000 flags rw-RW-
E/TC:0 0 [0] 21d38c70-f25a-4b95-ac25-07d1bfdbc112 @ 0x40005000
E/TC:0 0 Call stack:
E/TC:0 0 0x00000000400051c0
E/TC:0 0 0x0000000040009cc4
E/TC:0 0 0x000000000e102d1c
D/TC:0 0 unwind_stack_arm64:56 FP out of bounds 0
D/TC:? 0 user_ta_enter:312 tee_user_ta_enter: TA panicked with code 0xdeadbeef
D/TC:? 0 tee_ta_invoke_command:625 Error: ffff3024 of 3
D/TC:? 0 tee_ta_close_session:380 tee_ta_close_session(0xe1715b0)
D/TC:? 0 tee_ta_close_session:399 Destroy session
D/TC:? 0 tee_ta_close_session:425 Destroy TA ctx

Here is my client: https://github.com/cezane/optee_rsa_example/blob/master/host/main.c
And here is my TA: https://github.com/cezane/optee_rsa_example/blob/master/ta/rsa_crypto.c

Any help will be very appreciated.

TA data-abort fault in TA

Hi Team,

I'm trying to run a program involving lots of calculations in the TA. It always fails in one line. I used symbolize.py to debug, the information is:

D/TC:1 0 abort_handler:618 [abort] abort in User mode (TA will panic)
E/TC:1 0 
E/TC:1 0 User TA data-abort at address 0xd03000 (translation fault)
E/TC:1 0  fsr 0x00000007  ttbr0 0x0e1ca06a  ttbr1 0x0e18006a  cidr 0x2
E/TC:1 0  cpu #1          cpsr 0x80000130
E/TC:1 0  r0 0x00000064      r4 0x00217bc4    r8 0x00000000   r12 0x00000000
E/TC:1 0  r1 0x0000000a      r5 0x0020c28f    r9 0x00000000    sp 0x002022f8
E/TC:1 0  r2 0x00d02ba8      r6 0x60000130   r10 0x00000000    lr 0x0020fb57
E/TC:1 0  r3 0x00d03000      r7 0x002022f8   r11 0x00000000    pc 0x0020f7bc
E/TC:1 0 Status of TA 7fc5c039-0542-4ee1-80af-b4eab2f1998d (0xe17df18) (active)
E/TC:1 0  arch: arm  load address: 0x203000 ctx-idr: 2
E/TC:1 0  stack: 0x102000 1050624
E/TC:1 0  region 0: va 0x100000 pa 0xe100000 size 0x1000 flags ---R-X 
E/TC:1 0  region 1: va 0x102000 pa 0xed18000 size 0x101000 flags rw-RW- 
E/TC:1 0  region 2: va 0x203000 pa 0xe300000 size 0x15000 flags r-x--- [0] .ta_head .text .rodata .ARM.extab .gnu.hash .ARM.extab.text.__aeabi_ldivmod .ARM.extab.text.__aeabi_uldivmod .ARM.extab.text.utee_panic .ARM.exidx .got .dynsym .rel.got .dynamic .dynstr .hash .rel.dyn
E/TC:1 0  region 3: va 0x218000 pa 0xe315000 size 0xa03000 flags rw---- [0] .data .bss
E/TC:1 0  region 4: va 0xd00000 pa 0x409d4710 size 0x1000 flags rw-RW- 
E/TC:1 0  region 5: va 0xd01000 pa 0x409d4ff0 size 0x1000 flags rw-RW- 
E/TC:1 0  region 6: va 0xd02000 pa 0x409d4ba8 size 0x1000 flags rw-RW- 
E/TC:1 0  [0] 7fc5c039-0542-4ee1-80af-b4eab2f1998d @ 0x203000 (out-br/build/optee_examples-1.0/darknetp/ta/out/7fc5c039-0542-4ee1-80af-b4eab2f1998d.elf)
E/TC:1 0 Call stack:
E/TC:1 0  0x0020f7bc gemm_nt_TA at out-br/build/optee_examples-1.0/darknetp/ta/gemm_TA.c:59 (discriminator 3)
E/TC:1 0  0x0020fb57 gemm_cpu_TA at out-br/build/optee_examples-1.0/darknetp/ta/gemm_TA.c:123
E/TC:1 0  0x0020f685 gemm_TA at out-br/build/optee_examples-1.0/darknetp/ta/gemm_TA.c:16
E/TC:1 0  0x002051c5 forward_connected_layer_TA at out-br/build/optee_examples-1.0/darknetp/ta/network_TA.c:78
E/TC:1 0  0x00204c1d forward_connected_layer at out-br/build/optee_examples-1.0/darknetp/ta/darknetp_ta.c:113
E/TC:1 0  0x00204e97 TA_InvokeCommandEntryPoint at out-br/build/optee_examples-1.0/darknetp/ta/darknetp_ta.c:198
E/TC:1 0  0x0020c273 entry_invoke_command at optee_os/lib/libutee/arch/arm/user_ta_entry.c:191
E/TC:1 0  0x0020c2d3 __utee_entry at optee_os/lib/libutee/arch/arm/user_ta_entry.c:219
D/TC:? 0 user_ta_enter:312 tee_user_ta_enter: TA panicked with code 0xdeadbeef
D/TC:? 0 tee_ta_invoke_command:625 Error: ffff3024 of 3

The function gemm_TA() is as follows. The error happens at line sum += ALPHA*A[i*lda+k]*B[j*ldb + k];.

float* gemm_nt_TA(int M, int N, int K, float ALPHA,
             float *A, int lda,
             float *B, int ldb,
             float *C, int ldc)
{
    int i,j,k;
    for(i = 0; i < M; ++i){
        for(j = 0; j < N; ++j){
            //register float sum = 0;
            float sum = 0;
            for(k = 0; k < K; ++k){
                //IMSG("A %d in %d; B %d in %d\n", i*lda+k, (M-1)*lda + K, j*ldb+k,(N-1)*ldb + K);
                sum += ALPHA*A[i*lda+k]*B[j*ldb + k];
            }
            C[i*ldc+j] += sum;
        }
    }
    return C;
}

I have tested this line many times. It seems that each time the error comes out at different iterations. That makes me really confused.
Is this because the TA memory is not enough? I can't understand other error information above.

Any help is very appreciated!
Vincent

KeyDerive demo

Hi, sir.
Recently I made a DH demo for OP-TEE.
When I run that demo, the values of the private key and public key are both correct, but it gives me a wrong result when calculating the shared secret.
I have uploaded the source code as an attachment.
In the demo I set a small prime and base, and output some values for debugging.

Thanks!
dh.zip

Storing generated values within TA.

Hi,

I'm trying to incorporate TEE_GenerateRandom in my sample TA, on RPI3. I understand that TEE_GenerateRandom returns void, and generates a random UUID by changing the values passed by reference, allowing the CA to print out the generated value.
However, I wish to store the generated value within my TA, and not at CA, is that possible? As I wish to encrypt the value within TA later. I hope I'm speaking with a bit of sense here.
Would appreciate any help! Thanks!

P.S. I couldn't find any TEE_GenerateRandom function within tee_api.c, only found it in tee_api.h file, so I'm not certain how the function actually works.

Getting input from user

I am changing the AES example in order to encrypt/decrypt some data received from the user. In the host main.c file, I am using:

printf("Please type your secret: \n");
fflush(stdin);
fgets(clear, sizeof(clear), stdin);

printf("Load key in TA\n");
memset(key, 0xa5, sizeof(key)); /* Load some dummy value */
set_key(&ctx, key, AES_TEST_KEY_SIZE);

printf("Reset ciphering operation in TA (provides the initial vector)\n");
memset(iv, 0, sizeof(iv)); /* Load some dummy value */
set_iv(&ctx, iv, AES_TEST_KEY_SIZE);

cipher_buffer(&ctx, ciph, temp, AES_TEST_BUFFER_SIZE);

In the TA side, I put the following in the cipher_buffer function:

DMSG("Secret received: %s", (char *) params[0].memref.buffer);

And I am getting the following output:

D/TA: cipher_buffer:356 Secret received: �3���(��߽vr�]tS����NM=���(����Ο�
�2 �\��$��\�gól�6��-�_(���ݠ���fn��e��>��l���]�@�q;]�(K�bU��A�����Ը
�@\���p����~Odž���DJ�^�m�XyR�����H��)V*�Ћ�G�:n�Xu�j��Ts�����m$�g�q��@�n�U��iRդd�ht�����>aN4%m�g��>ˣ�v

I would like to know if I am missing something because (char *) params[0].memref.buffer is not printing the string I am passing. I know TEE_PARAM_TYPE_MEMREF_INPUT has two attributes: a buffer (void *) and a size (size_t). So, why is this cast not working properly?

Thank you.
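Added example (not part of the original post and not code from optee_examples): a memref parameter is only a pointer plus a size, so a TA cannot assume the bytes are NUL-terminated or printable before handing them to a `%s` trace. The sketch below copies such a buffer into a bounded, sanitized string first; `struct memref`, `memref_to_cstr` and the sample buffers are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the buffer/size pair in params[n].memref */
struct memref {
	void *buffer;
	size_t size;
};

/*
 * Copy a memref into dst as a NUL-terminated, printable string.
 * Reads at most ref->size bytes, stops at the first NUL or newline,
 * replaces non-printable bytes with '.', and never writes more than
 * dst_len bytes. Returns the string length, or -1 on bad arguments.
 */
static int memref_to_cstr(const struct memref *ref, char *dst, size_t dst_len)
{
	const uint8_t *src = NULL;
	size_t n = 0;

	if (!ref || !dst || dst_len == 0)
		return -1;
	if (!ref->buffer && ref->size != 0)
		return -1;

	src = ref->buffer;
	while (n < ref->size && n < dst_len - 1) {
		uint8_t c = src[n];

		if (c == '\0' || c == '\n')
			break;
		dst[n] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
		n++;
	}
	dst[n] = '\0';
	return (int)n;
}

/* Constructed sample: a 16-byte host buffer after fgets() read "secret\n" */
static int demo_fgets_buffer(char *out, size_t out_len)
{
	uint8_t host_buf[16];
	struct memref ref = { host_buf, sizeof(host_buf) };

	memset(host_buf, 0xa5, sizeof(host_buf));	/* stale bytes after the text */
	memcpy(host_buf, "secret\n", 8);		/* 7 characters plus the NUL */
	return memref_to_cstr(&ref, out, out_len);
}

/* Constructed sample: binary data with no terminator anywhere in the buffer */
static int demo_unterminated(char *out, size_t out_len)
{
	uint8_t host_buf[8] = { 'A', 'B', 'C', 'D', 0x01, 0xff, 'E', 'F' };
	struct memref ref = { host_buf, sizeof(host_buf) };

	return memref_to_cstr(&ref, out, out_len);
}

int main(void)
{
	char out[32];

	demo_fgets_buffer(out, sizeof(out));
	printf("text buffer:   \"%s\"\n", out);
	demo_unterminated(out, sizeof(out));
	printf("binary buffer: \"%s\"\n", out);
	return 0;
}
```

In a TA the sanitized copy, not the raw memref pointer, would be the argument passed to the trace macro.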

implicit declaration of function 'tee_invoke_supp_plugin'

Try latest revision 0607ed4

commit 0607ed4 (HEAD -> master, origin/master, origin/HEAD)
Author: Aleksandr Anisimov [email protected]
Date: Tue Dec 8 23:13:14 2020 +0300

Has compilation error

| plugin_ta.c: In function 'syslog_plugin_ping':
| plugin_ta.c:58:8: error: implicit declaration of function 'tee_invoke_supp_plugin' [-Werror=implicit-function-declaration]
|    58 |  res = tee_invoke_supp_plugin(&syslog_uuid, TO_SYSLOG_CMD, LOG_INFO,
|       |        ^~~~~~~~~~~~~~~~~~~~~~
| plugin_ta.c:58:8: warning: nested extern declaration of 'tee_invoke_supp_plugin' [-Wnested-externs]

Create a new TA/CA to print RPMB key

Hello,

I would like to create a new Trusted Application ‘optee_example_print_rpmb_key’ and the associated Client Application, to show the RPMB key (for development purposes).
I know that RPMB key is not directly accessible (stored somewhere in secure storage), so I would like to ask if someone knows how or what function to use in order to get/read RPMB Key.

Thank you for your help.

Julie

TA in secure world access the resource in normal world

Hello everyone,
According to the TEE document, it seems that the secure world has the highest authority and it can access all the resources in the normal world. Is that correct for OP-TEE?

I'm curious: if I run a program in the normal world and send a variable's address (pointer) to the TA in the secure world via TEE APIs, can the TA directly access this variable, which is in the normal world?

Thanks in advance!

-Wl,--wrap with TA

Hi,

I am trying to add some test cases to my TA by using -Wl,--wrap for a few of the functions like malloc(). However, I end up with the following compilation error. Can you please help:

In TA, I will move to TEE_Malloc(), but just trying to get the basic compilation working using malloc().

..../hello_world/ta/hello_world_ta.c:38: undefined reference to `__real_malloc'

Reference code: hello_world_ta.c

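/* With --wrap,malloc the linker resolves malloc to __wrap_malloc
 * and __real_malloc to the original malloc. */
void *__real_malloc(size_t size);
void *__wrap_malloc(size_t size);

void *__wrap_malloc(size_t size)
{
	void *ptr = __real_malloc(size);

	/* size_t is printed with %zu, not %ld */
	IMSG("malloc(%zu) = %p\n", size, ptr);
	return ptr;
}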
#endif

ta/sub.mk

cflags-hello_world_ta.c-y += -Wl,--wrap,malloc

Regards,
Divneil

Hashing in TA [Beginner].

Hello again,

I'm trying to hash a key and store that hashed key within my TA.
I understand that hmac_sha1() is a function that I could use, but I'm not certain if I'm using it correctly, as I don't quite understand the usage of the parameters. Given that key is the desired data to be hashed, I'm assuming that out would contain the hashed result, and I'm frankly quite clueless what in is used for, despite the comments. Much appreciated if anyone could provide any form of clarity!

static TEE_Result hmac_sha1(const uint8_t *key, const size_t keylen,
const uint8_t *in, const size_t inlen,
uint8_t *out, uint32_t *outlen)

  • @param key The secret key
  • @param keylen The length of the secret key (bytes)
  • @param in The data to HMAC
  • @param inlen The length of the data to HMAC (bytes)
  • @param out [out] Destination of the authentication tag
  • @param outlen [in/out] Max size and resulting size of authentication tag

Snippet of my code for illustration purposes, in calling hmac_sha1(), with reference from HOTP example.

char hashKey[50];
uint8_t mac[SHA1_HASH_SIZE];
uint32_t mac_len = sizeof(mac);
uint8_t counter[] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };
res = hmac_sha1(hashKey, sizeof(hashKey), counter, sizeof(counter), mac, &mac_len);
printf("\nHASHED VALUE OF HASHKEY = %u\n", mac);

I get "HASHED VALUE OF HASHKEY = 10737761984".
The question is, am I doing it right?
Cheers! (:

Edited
I hope I've got it right this time, just need to do a loop for mac and print out the values as hexadecimal.


res = hmac_sha1(hashKey, sizeof(hashKey), counter, sizeof(counter), mac, &mac_len);

for (i = 0; i < mac_len; i++)
{
	temp[0] = '\0';
	/* %02x keeps the leading zero of bytes below 0x10; temp must hold at least 3 bytes */
	snprintf(temp, sizeof(temp), "%02x", mac[i]);
	my_strcat(hashedKeyValue, temp);
}
printf("\nHASHED VALUE OF HASHKEY = %s\n", hashedKeyValue);

Can't find optee_example_ files when run the examples

Hello there!
I built OPTEE+AOSP on my hikey960, referring to https://optee.readthedocs.io/building/aosp/aosp.html
and xtest and optee_examples_* work well.
Then I built the standalone examples according to https://github.com/linaro-swg/hello_world. After that I used adb to push the host application and the .ta to /vendor/bin and /vendor/lib/optee_armtz/ respectively, where xtest and the other .ta files are located.
When I run optee_example_helloworld, it can't find optee_example_helloworld, but it does exist.
/system/bin/sh: /vendor/bin/optee_example_hello_world: No such file or directory
Then I compared the two files (the one built manually and the one pulled from the board) and found they are quite different:
$ file optee_example_random
optee_example_random: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 3.7.0, with debug_info, not stripped
$ file optee_example_random_arm
optee_example_random_arm: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /system/, BuildID[md5/uuid]=3efe792d5b4270c901489624d9dff1ea, stripped
The arm one is pulled from the board.
Is the build instruction not suitable for AOSP, or is there some other reason?
And how do I build the examples so they are suitable for AOSP?
Thanks for any suggestions.

cannot find -lteec

I'm building op-tee on qemu with Armv8 and I've built optee_os and optee_client. I'm unable to make the example files as it returns the error cannot find -lteec.

This is what I do before make
export HOST_CROSS_COMPILE=/User_data/home/nramu/optee-qemuv8-3.14.0/toolchains/aarch64/bin/aarch64-linux-gnu-
export TA_CROSS_COMPILE=/User_data/home/nramu/optee-qemuv8-3.14.0/toolchains/aarch32/bin/arm-linux-gnueabihf-
export TEEC_EXPORT=/User_data/home/nramu/optee-qemuv8-3.14.0/optee_client/out/export
export TA_DEV_KIT_DIR=/User_data/home/nramu/optee-qemuv8-3.14.0/optee_os/out/arm/export-ta_arm32/

And this is my error
image

If I do the make individually, the TA compiles, but not the host.

ModuleNotFoundError for 'new_module' in TA Build Process in qemu environment.

I made modifications to the sign_encrypt.py code and imported a new module (let's call it new_module). Subsequently, I used pip install new_module and built optee_examples and optee_os within the optee_qemu environment.

While building a PTA (e.g., ta/pkcs#11), everything works fine, and I can observe that the Python version is 3.8.10, which accurately reflects the Python version on my computer. However, when building a TA within optee_examples, it fails with the error ModuleNotFoundError: No module named 'new_module'. Surprisingly, the Python version is reported as 3.9.7, which is not present on my computer. Could this be the Python version in the optee_qemu environment?

The questions are:

  1. Is the Python version in optee_qemu environment different from my computer?
  2. How can I resolve the ModuleNotFoundError for 'new_module' when building TAs in optee_examples?
  3. I need to test the code in QEMU, but I'm unsure about the resolution. Any guidance is appreciated.

Thanks!

How can I see log messages generated by Trusted Application

Through the examples (e.g., helloWorld), I could see some log messages generated by the host application. But I have no idea at the moment how I could see logs which are generated by the TA, something like below.

void TA_DestroyEntryPoint(void)
{
	DMSG("has been called");
}

Because TA is running in trustzone, there must be some special method to be able to see logs which TA generates, I think.

Currently I'm using rpi3 and in the document for it, seems that some jtag cable and uart connections are required as a HW must and for software, OpenOCD etc.

I'm not fluent in embedded environments, so I'm curious whether the method described in the document is the best or recommended way to see the logs which the TA creates.

Hoping for some guidance on this.

Failure in running optee_example_acipher - TEE_TYPE_RSA_KEYPAIR Not supported

I am trying to run the optee_example_acipher example in my QEMU environment, but getting the below error

Client application logs:

optee_example_acipher
optee_example_acipher: Unexpected number of arguments 0 (expected 2)
usage: optee_example_acipher <key_size>

optee_example_acipher 16 text-to-encrypt
optee_example_acipher: TEEC_InvokeCommand(TA_ACIPHER_CMD_GEN_KEY): 0xffff000a (error origin 0x4)


Trusted application logs:

D/TC:? 0 tee_ta_init_pseudo_ta_session:299 Lookup pseudo TA a734eed9-d6a1-4244-aa50-7c99719e7b7b
D/TC:? 0 ldelf_load_ldelf:91 ldelf load address 0x40006000
D/LD: ldelf:134 Loading TS a734eed9-d6a1-4244-aa50-7c99719e7b7b
D/TC:? 0 ldelf_syscall_open_bin:142 Lookup user TA ELF a734eed9-d6a1-4244-aa50-7c99719e7b7b (Secure Storage TA)
D/TC:? 0 ldelf_syscall_open_bin:146 res=0xffff0008
D/TC:? 0 ldelf_syscall_open_bin:142 Lookup user TA ELF a734eed9-d6a1-4244-aa50-7c99719e7b7b (REE)
D/TC:? 0 ldelf_syscall_open_bin:146 res=0
D/LD: ldelf:168 ELF (a734eed9-d6a1-4244-aa50-7c99719e7b7b) at 0x40024000
E/TA: cmd_gen_key:35 TEE_AllocateTransientObject(0xa1000030, 16): 0xffff000a
D/TC:? 0 tee_ta_invoke_command:823 Error: ffff000a of 4
D/TC:? 0 tee_ta_close_session:512 csess 0x14059c90 id 1
D/TC:? 0 tee_ta_close_session:531 Destroy session
D/TC:? 0 destroy_context:308 Destroy TA ctx (0x14059c30)


On analysing the source code, it fails to generate the RSA key pair ->

const uint32_t key_type = TEE_TYPE_RSA_KEYPAIR;

Here -> E/TA: cmd_gen_key:35 TEE_AllocateTransientObject(0xa1000030, 16): 0xffff000a
Error code 0xffff000a indicates - TEE_ERROR_NOT_SUPPORTED and 0xa1000030 - TEE_TYPE_RSA_KEYPAIR from optee_os/lib/libutee/include.

Is RSA_KEYPAIR generation not supported in the QEMU environment? Can anyone help me resolve this issue? Thanks

Running optee_example_plugins fails with TEEC_ERROR_ITEM_NOT_FOUND

Below are the logs on TA side:

I/TA: Push syslog plugin string "Hello, plugin! value = 0x0"
D/TC:? 0 tee_ta_init_pseudo_ta_session:316 Lookup pseudo TA 3a2f8978-5dc0-11e8-9c2d-fa7ae01bbebc
D/TC:? 0 tee_ta_init_pseudo_ta_session:341 Open system.pta
D/TC:? 0 tee_ta_init_pseudo_ta_session:358 system.pta : 3a2f8978-5dc0-11e8-9c2d-fa7ae01bbebc
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
E/TA:  tee_invoke_supp_plugin:105 Invoke tee-supplicant's plugin failed: 0xffff0008
E/TA:  syslog_plugin_ping:61 invoke plugin failed with code 0xffff0008
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
I/TA: Push syslog plugin string "Hello, plugin! value = 0x1"
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
E/TA:  tee_invoke_supp_plugin:105 Invoke tee-supplicant's plugin failed: 0xffff0008
E/TA:  syslog_plugin_ping:61 invoke plugin failed with code 0xffff0008
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
I/TA: Push syslog plugin string "Hello, plugin! value = 0x2"
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
E/TA:  tee_invoke_supp_plugin:105 Invoke tee-supplicant's plugin failed: 0xffff0008
E/TA:  syslog_plugin_ping:61 invoke plugin failed with code 0xffff0008
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
I/TA: Push syslog plugin string "Hello, plugin! value = 0x3"
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
E/TA:  tee_invoke_supp_plugin:105 Invoke tee-supplicant's plugin failed: 0xffff0008
E/TA:  syslog_plugin_ping:61 invoke plugin failed with code 0xffff0008
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
I/TA: Push syslog plugin string "Hello, plugin! value = 0x4"
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
E/TA:  tee_invoke_supp_plugin:105 Invoke tee-supplicant's plugin failed: 0xffff0008
E/TA:  syslog_plugin_ping:61 invoke plugin failed with code 0xffff0008
D/TC:? 0 tee_ta_invoke_command:814 Error: ffff0008 of 4
D/TC:? 0 tee_ta_close_session:508 csess 0x211196e0 id 1
D/TC:? 0 tee_ta_close_session:527 Destroy session

Environment: OPTEE 3.13 (not on ARM)

Am I missing something? Probably the .plugin file defined as per https://github.com/linaro-swg/optee_examples/blob/master/plugins/syslog/Makefile#L31?

Compiling error in some build system

The example secure storage will fail to compile in NXP flexbuild system.

secure_storage_ta.c:203:6: error: passing argument 4 of ‘TEE_ReadObjectData’ from incompatible pointer type [-Werror=incompatible-pointer-types]
      &read_bytes);
...
secure_storage_ta.c:205:8: error: format ‘%u’ expects argument of type ‘unsigned int’, but argument 7 has type ‘size_t {aka long unsigned int}’ [-Werror=format=]
   EMSG("TEE_ReadObjectData failed 0x%08x, read %u over %u",

I think the easy fix is to replace type "size_t" with "uint32_t" in line 149.

TA_ACIPHER_CMD_ENCRYPT output different within the same session(key)

I changed the achipher na code as below, and I find that the two printed "Encrypted buffer:" outputs are different.

And in the original code, why do you call TEEC_InvokeCommand twice? Is the first one for getting the output buffer size?

int main(int argc, char *argv[])
{
	TEEC_Result res;
	uint32_t eo;
	TEEC_Context ctx;
	TEEC_Session sess;
	TEEC_Operation op;
	size_t key_size;
	void *inbuf;
	size_t inbuf_len;
	size_t n;
	const TEEC_UUID uuid = TA_ACIPHER_UUID;

	get_args(argc, argv, &key_size, &inbuf, &inbuf_len);

	res = TEEC_InitializeContext(NULL, &ctx);
	if (res)
		errx(1, "TEEC_InitializeContext(NULL, x): %#" PRIx32, res);

	res = TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL,
			       NULL, &eo);
	if (res)
		teec_err(res, eo, "TEEC_OpenSession(TEEC_LOGIN_PUBLIC)");

	memset(&op, 0, sizeof(op));
	op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INPUT, TEEC_NONE,
					 TEEC_NONE, TEEC_NONE);
	op.params[0].value.a = key_size;

	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_GEN_KEY, &op, &eo);
	if (res)
		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_GEN_KEY)");

	memset(&op, 0, sizeof(op));
	op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
					 TEEC_MEMREF_TEMP_OUTPUT,
					 TEEC_NONE, TEEC_NONE);
	op.params[0].tmpref.buffer = inbuf;
	op.params[0].tmpref.size = inbuf_len;

	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
	if (eo != TEEC_ORIGIN_TRUSTED_APP || res != TEEC_ERROR_SHORT_BUFFER)
		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");

	op.params[1].tmpref.buffer = malloc(op.params[1].tmpref.size);
	if (!op.params[1].tmpref.buffer)
		err(1, "Cannot allocate out buffer of size %zu",
		    op.params[1].tmpref.size);

	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
	if (res)
		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");

	printf("Encrypted buffer: ");
	for (n = 0; n < op.params[1].tmpref.size; n++)
		printf("%02x ", ((uint8_t *)op.params[1].tmpref.buffer)[n]);
	printf("\n");
	
	////////////////////////////////////
	printf("================\n");
	memset(&op, 0, sizeof(op));
	op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
					 TEEC_MEMREF_TEMP_OUTPUT,
					 TEEC_NONE, TEEC_NONE);
	op.params[0].tmpref.buffer = inbuf;
	op.params[0].tmpref.size = inbuf_len;

	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
	if (eo != TEEC_ORIGIN_TRUSTED_APP || res != TEEC_ERROR_SHORT_BUFFER)
		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");

	op.params[1].tmpref.buffer = malloc(op.params[1].tmpref.size);
	if (!op.params[1].tmpref.buffer)
		err(1, "Cannot allocate out buffer of size %zu",
		    op.params[1].tmpref.size);

	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
	if (res)
		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");

	printf("Encrypted buffer: ");
	for (n = 0; n < op.params[1].tmpref.size; n++)
		printf("%02x ", ((uint8_t *)op.params[1].tmpref.buffer)[n]);
	printf("\n");

print info:

# ./achipher_na 512 helloworld
Encrypted buffer: 9b 51 f9 cd 6a 54 8a 1c bb bb 82 61 b0 7b d8 a4 59 30 bc 10 72 f0 72 1f 8d 02 69 6a 5e d8 bc 7e de a4 4f 02 86 48 f3 44 d7 81 ba 3b 83 f5 31 59 59 ce 04 1d be 9e 2d ae 74 83 3f 97 6e 18 0a d7 
================
Encrypted buffer: 92 99 17 59 ee 1d 76 a9 d8 06 da 20 d1 e5 aa 88 27 90 9e a1 f0 27 c2 35 bc c0 83 09 96 05 7e 97 dd c4 84 8b 84 9d 62 ef 5b 49 a3 1d f1 53 6b 08 82 d7 65 75 39 73 fc c0 89 9c 6f 79 4d d6 bb dc
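Added example, not code from optee_examples: assuming the TA encrypts with a randomized padding such as RSAES-PKCS1-v1_5 (RFC 8017), the block fed to the RSA operation contains fresh random non-zero bytes on every call, so the same plaintext under the same key produces a different ciphertext each time while still decrypting to the same message. Only the padding step is shown, together with the size-query convention (a too-small output buffer returns a "short buffer" code and the required size); `rand()` is a placeholder for a real RNG such as `TEE_GenerateRandom()`, and all names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pad_result { PAD_OK = 0, PAD_SHORT_BUFFER, PAD_MSG_TOO_LONG, PAD_INVALID };

static uint8_t random_nonzero_byte(void)
{
	/* Placeholder RNG for the demo only; never use rand() for real padding */
	return (uint8_t)(rand() % 255 + 1);
}

/* EM = 0x00 || 0x02 || PS (>= 8 random non-zero bytes) || 0x00 || M, k bytes */
static enum pad_result eme_pkcs1_v15_pad(const uint8_t *msg, size_t msg_len,
					 uint8_t *em, size_t *em_len, size_t k)
{
	size_t ps_len = 0;
	size_t i = 0;

	if (k < 11 || msg_len > k - 11)
		return PAD_MSG_TOO_LONG;
	if (!em || *em_len < k) {
		*em_len = k;	/* size query: tell the caller what to allocate */
		return PAD_SHORT_BUFFER;
	}
	ps_len = k - msg_len - 3;
	em[0] = 0x00;
	em[1] = 0x02;
	for (i = 0; i < ps_len; i++)
		em[2 + i] = random_nonzero_byte();
	em[2 + ps_len] = 0x00;
	if (msg_len)
		memcpy(em + 3 + ps_len, msg, msg_len);
	*em_len = k;
	return PAD_OK;
}

/*
 * Simple parser for the demo. A production decoder must run in constant
 * time so that padding errors do not become a decryption oracle.
 */
static enum pad_result eme_pkcs1_v15_unpad(const uint8_t *em, size_t k,
					   const uint8_t **msg, size_t *msg_len)
{
	size_t i = 2;

	if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
		return PAD_INVALID;
	while (i < k && em[i] != 0x00)
		i++;
	if (i == k || i < 10)	/* no separator, or PS shorter than 8 bytes */
		return PAD_INVALID;
	*msg = em + i + 1;
	*msg_len = k - i - 1;
	return PAD_OK;
}

/* Pads the constructed message "helloworld" twice for a 512-bit (64-byte)
 * modulus. Returns 1 if the two blocks differ yet both unpad to the message. */
static int demo_same_input_twice(uint8_t a[64], uint8_t b[64])
{
	static const uint8_t msg[] = "helloworld";
	const size_t k = 64;
	const size_t msg_len = sizeof(msg) - 1;
	const uint8_t *m = NULL;
	size_t la = k, lb = k, ml = 0;

	if (eme_pkcs1_v15_pad(msg, msg_len, a, &la, k) != PAD_OK ||
	    eme_pkcs1_v15_pad(msg, msg_len, b, &lb, k) != PAD_OK)
		return -1;
	if (eme_pkcs1_v15_unpad(a, k, &m, &ml) != PAD_OK ||
	    ml != msg_len || memcmp(m, msg, ml) != 0)
		return -1;
	if (eme_pkcs1_v15_unpad(b, k, &m, &ml) != PAD_OK ||
	    ml != msg_len || memcmp(m, msg, ml) != 0)
		return -1;
	return memcmp(a, b, k) != 0;
}

int main(void)
{
	uint8_t a[64], b[64];
	size_t n = 0;

	printf("blocks differ: %d\n", demo_same_input_twice(a, b));
	for (n = 0; n < sizeof(a); n++)
		printf("%02x ", a[n]);
	printf("\n");
	for (n = 0; n < sizeof(b); n++)
		printf("%02x ", b[n]);
	printf("\n");
	return 0;
}
```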

Doubts regarding GP specification

Sorry if I am wrong in relation to some of the following points and any of these does not make sense:

  1. Since size_t is unsigned, what if I want to pass negative values as parameters (TEEC_Value)? Although it can be passed, it is strange, for me.
  2. Why do we need to pass &uuid to TEEC_OpenSession if uuid will remain the same, i.e., it will not be changed in the TEEC_OpenSession function?
  3. Why do we not pass &handle instead of just handle in this function: TEE_SetOperationKey(handle, key). In this case, the handle will be changed inside the function.

published security advisories

Hi,

I have recently discovered a vulnerability in this project (https://github.com/linaro-swg/optee_examples) and I would like to bring it to your attention. I believe that this vulnerability could potentially cause harm to your users and compromise the security of your project. In light of this, I would like to request that you enable the "published security advisories" feature for your project on GitHub. This feature allows you to create a dedicated space on your project page for publishing security advisories and keeping your users informed about any vulnerabilities that are discovered.

Thank you for your attention to this matter. I would be happy to provide more details about the vulnerability I discovered and assist you in any way I can to resolve it.

optee_example_secure_storage buggy

Every second pass of optee_example_secure_storage gives the following error:

Test on object "object#2"E/TA: read_raw_object:189 Failed to open persistent object, res=0xffff0008

# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"
- Object found in TA secure storage, delete it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"E/TA:  read_raw_object:189 Failed to open persistent object, res=0xffff0008

- Object not found in TA secure storage, create it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"
- Object found in TA secure storage, delete it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"E/TA:  read_raw_object:189 Failed to open persistent object, res=0xffff0008

- Object not found in TA secure storage, create it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"
- Object found in TA secure storage, delete it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"E/TA:  read_raw_object:189 Failed to open persistent object, res=0xffff0008

- Object not found in TA secure storage, create it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"
- Object found in TA secure storage, delete it.

We're done, close and release TEE resources
# optee_example_secure_storage 
Prepare session with the TA

Test on object "object#1"
- Create and load object in the TA secure storage
- Read back the object
- Delete the object

Test on object "object#2"
E/TA:  read_raw_object:189 Failed to open persistent object, res=0xffff0008
- Object not found in TA secure storage, create it.

We're done, close and release TEE resources

Path of the Persistent object created in the Trusted Application of Secure Storage example

Hi, I have been trying out the example, secure_storage -> I need to know the path of the Object being created.
I am using virtual machine Linux setup for QemuV8 environment.

https://github.com/linaro-swg/optee_examples/blob/378dc0db2d5dd279f58a3b6cb3f78ffd6b165035/secure_storage/ta/secure_storage_ta.c#L156C11-L156C11

It gets the object id from the Client application as Object#1 & Object#2 ->

char obj1_id[] = "object#1"; /* string identification for the object */
char obj2_id[] = "object#2"; /* string identification for the object */

Here, I need to know the exact path in the REE file system. Is it available in the /data/tee path?

Also, is it possible to provide an absolute path of my own to store the object? Thanks.

If both my ta and ca codes need to be written in Cpp language, where should I modify the makefile?

  1. Regarding the host file, I modified gcc to g++ and added a link library, but I haven’t had time to verify whether it is feasible.
image
  2. Regarding the compilation rules of TA files, it seems to be in ta_dev_kit.mk. I tried to go to the ta_dev_kit.mk folder to modify the content to complete the compilation of CPP, but I have not yet found the corresponding rules in ta_dev_kit.
image

  3. The letter C in CMakeLists.txt seems to mean that the file is in C language? I can't confirm

image

In general, I want to know what modifications need to be made to the makefile to make it run properly when I have to use CPP

Adding New client application to the optee_examples

Hi Team,
I would like to add a new custom client application to the optee_example/ directory (optee_android_manifest/external/optee_examples) and build it along with the AOSP source code. The client application is to access a custom Pseudo Trusted Application developed by me. Now I am concentrating on bringing up the client application and then the pseudo application. Can anyone please help with the steps to be followed to do the same?

I have added a folder under optee_android_manifest/external/optee_examples/custom_client/ and the following are the contents.

CMakeLists.txt  
custom_client_pta.h 
main.c

how to test optee_example_hello_world

Hi
I am trying to test 'optee_example_hello_world' on a 64-bit NXP board,
but I can't handle it. How do I test the optee_example_hello_world binary file?

I check dmesg
image

and check tee-supplicant & xtest
image


I tried this process

  1. build 64bit,(host, ta both)
    image

  2. location .ta file
    image

  3. test,

  • running tee-supplicant
    I got this error message
 TEEC_Opensession failed with code 0xffff0008 origin 0x3

image

  • except running tee-supplicant
    image
    terminal stopped.. after this message

Got TA panicked when executing "optee_example_secure_storage" binary.

Hello,
I have compiled and run the secure_storage example. While executing the "optee_example_secure_storage" binary, the TA panics. Below are the logs. Can anyone give me a hint about what is happening here?

root@colibri-imx6ull:~# optee_example_secure_storage
Prepare session with the TAD/TC:0 tee_ta_init_pseudo_ta_session:274 Lookup pseudo TA f4e750bb-1437-4fbf-8785-8d3580c34994

D/TC:0 load_elf:842 Lookup user TA ELF f4e750bb-1437-4fbf-8785-8d3580c34994 (Secure Storage TA)
D/TC:0 load_elf:842 Lookup user TA ELF f4e750bb-1437-4fbf-8785-8d3580c34994 (REE)
D/TC:0 load_elf_from_store:810 ELF load address 0x103000
D/TC:0 tee_ta_init_user_ta_session:1021 Processing relocations in f4e750bb-1437-4fbf-8785-8d3580c34994

Test on object "object#1"

  • CreF/TC:0 trace_syscall:128 syscall #42 (syscall_storage_obj_create)
    F/TC:0 trace_syscall:128 syscall #2 (syscall_panic)
    ate and load object in the TA secE/TC:0
    E/TC:0 TA panicked with code 0xffff0001
    E/TC:0 Status of TA f4e750bb-1437-4fbf-8785-8d3580c34994 (0x9e061b98) (active)
    E/TC:0 arch: arm load address: 0x103000 ctx-idr: 2
    E/TC:0 stack: 0x102000 4096
    E/TC:0 region 0: va 0x100000 pa 0x9e000000 size 0x1000 flags ---R-X
    E/TC:0 region 1: va 0x102000 pa 0x9e113000 size 0x1000 flags rw-RW-
    E/TC:0 region 2: va 0x103000 pa 0x9e100000 size 0x8000 flags r-x--- [0]
    E/TC:0 region 3: va 0x10b000 pa 0x9e108000 size 0xb000 flags rw---- [0]
    E/TC:0 region 4: va 0x200000 pa 0x9fe01000 size 0x3000 flags rw-RW-
    E/TC:0 [0] f4e750bb-1437-4fbf-8785-8d3580c34994 @ 0x103000
    E/TC:0 Call stack:
    E/TC:0 0x00103b9c
    E/TC:0 0x001036c3
    E/TC:0 0x00103085
    E/TC:0 0x00103b57
    D/TC:0 user_ta_enter:312 tee_user_ta_enter: TA panicked with code 0xffff0001
    D/TC:0 tee_ta_invoke_command:625 Error: ffff3024 of 3
    ure storage
    D/TC:0 tee_ta_close_session:380 tee_ta_close_session(0x9e061bd8)
    D/TC:0 tee_ta_close_session:399 Destroy session
    Command WRITE_RAW failed: 0xffff3D/TC:0 tee_ta_close_session:425 Destroy TA ctx
    024 / 3
    Command WRITE_RAW failed: 0xffff3024 / 3
    optee_example_secure_storage: Failed to create an object in the secure storage

Is it possible to call TEEC_InvokeCommand more than once in a same open session?

I am refactoring my code and adding more functions. Now, I have three trusted functions: one to generate an RSA key pair, one to encrypt some data and another to decrypt some data. I would like to create the key pair and maintain it in the session, until I encrypt and decrypt some data.

When I create the key pair, I return to the CA without freeing my key variable, which is in a session struct. This first function is called by rsa_gen_keys(&ta); in the main function of the CA (below). After it returns ok, I am getting a segmentation fault. Is this because I keep the session open and go on to call another TEEC_InvokeCommand in sequence? This second call is the rsa_encrypt function in the main, as can be seen below:

int main(int argc, char *argv[])
{
	struct ta_attrs ta;
	char clear[RSA_MAX_PLAIN_LEN_1024];
	char ciph[RSA_CIPHER_LEN_1024];
	
	prepare_ta_session(&ta);
	
	printf("\nType something to be encrypted and decrypted in the TA:\n");
	fflush(stdin);
	fgets(clear, sizeof(clear), stdin);

	rsa_gen_keys(&ta);
	rsa_encrypt(&ta, clear, RSA_MAX_PLAIN_LEN_1024, ciph, RSA_CIPHER_LEN_1024);
	rsa_decrypt(&ta, ciph, RSA_CIPHER_LEN_1024, clear, RSA_MAX_PLAIN_LEN_1024);

	terminate_tee_session(&ta);
	return 0;
}

If this is not the cause of the segmentation fault, can you point me in the right direction so that I can give more details about my problem?

Thank you.

Can't build a hello_world example by build_ta.sh

I use the build_ta.sh script, and here is the error:
cc -o optee_example_hello_world main.o -lteec -L/home/kael/Desktop/devel/optee/optee_examples/optee_client/out/export/lib
/usr/bin/x86_64-linux-gnu-ld: cannot find -lteec
collect2: error: ld returned 1 exit status
Makefile:21: recipe for target 'optee_example_hello_world' failed
make: *** [optee_example_hello_world] Error 1
Note: $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA
Note: TA_DEV_KIT_DIR=/home/kael/Desktop/devel/optee/optee_examples/optee_os/out/arm/export-ta_arm32

Enabling and disabling interrupts in example application

Hi,

I want to enable a secure interrupt and set the handler. As I understand, I have to do this inside the trusted application and I need to use these functions. My question is: how am I supposed to include these functions so that my TA compiles and runs? These functions are not present in any of the .h files in the /out/ folder.

itr_add(&ppi_handler);
itr_enable(TEST_PPI_ID);

I would appreciate any help.

How to write a real CA&TA application to implement paillier homomorphic encryption algorithm based on TEE

So far, I have learned how to design a custom_ Hello for my rare blog materials (an OP-TEE example); it can run perfectly on REE while interacting with TEE:

image

However, my current task is to implement the semi homomorphic encryption algorithm Paillier based on TEE, and I have the following doubts:
1. Should the formal application still be placed in the optee_examples folder or some other place?
2. How can the CA provide interfaces to other applications running in REE, in the form of command line parameters & JNI (Java Native Interface)?
3. Can I find the API for encryption algorithms (which can help me implement Paillier) in the 2.2 Cryptographic Implementation section of the Architecture section of the OP-TEE Documentation? If not, where should I find these APIs that can help me?

Thank you for your help and I would like to express my sincere respect to a student who is currently studying OP-TEE

REE FS - TA Database

All,

I have some questions with regards to the Trusted Application database. I understand the basics from what is published around the web but I have a few specific details.

  1. According to https://github.com/OP-TEE/optee_os/blob/master/documentation/secure_storage.md each persistent object is assigned an internal identifier, which is an integer. Is this derived from the UUID since UUIDs are 128 bits? If not how is this number created?

  2. With regards to the database file dirf.db, how is this created?

  3. What protections are in place to avoid the database from getting corrupted/hacked?

  4. With regards to the database, as shown in slide 11 of http://connect.linaro.org.s3.amazonaws.com/sfo17/Presentations/SFO17-309%20Secure%20storage%20updates.pdf, how is the file_number created and assigned?

  5. If a TA is updated, is a new UUID assigned? If so, what prevents the old TA with the old UUID from being used?

how to add new examples in existing optee_examples using yocto

I want to test the fTPM TA, so I thought of making use of optee-examples. I am using the OPENSTLinux distro. In that there is a recipe which builds the existing optee-examples and it can be included in my final image. So I want to use that recipe and add my example code, which can be built using the same recipe. I am not getting how I should proceed, since my files will be local files, and how they can be made part of the optee_examples build. Following is the recipe used by me.

SUMMARY = "OP-TEE examples"
HOMEPAGE = "https://github.com/linaro-swg/optee_examples"

LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"

DEPENDS = "optee-client virtual/optee-os python3-pycryptodomex-native python3-pycrypto-native"

inherit python3native

SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
SRCREV = "9a755dcf4d8ef6117af59dfd1b1a82315cee58ca"

S = "${WORKDIR}/git"

OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"

EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                 OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
                 TEEC_EXPORT=${TEEC_EXPORT} \
                 HOST_CROSS_COMPILE=${TARGET_PREFIX} \
                 TA_CROSS_COMPILE=${TARGET_PREFIX} \
                 V=1 \
                 LIBGCC_LOCATE_CFLAGS='--sysroot=${STAGING_DIR_HOST}' \
               "

do_compile() {
    oe_runmake
}

do_install () {
    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
    mkdir -p ${D}${bindir}
    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
}

# Avoid QA Issue: No GNU_HASH in the elf binary
INSANE_SKIP_${PN} += "ldflags"

FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"

# Imports machine specific configs from staging to build
PACKAGE_ARCH = "${MACHINE_ARCH}"

add Trusted application

Hi, I've created a trusted application and I want to add it to optee as in the optee_example doc.

Running sample examples on Raspberry Pi 3.

Hi, how should I go about getting the sample applications into my Raspberry Pi and executing the application?
I've gotten the OPTEE running on my Raspberry Pi 3 via cross compilation and a custom buildroot, as the xtest works fine. However, I'm quite clueless on how to go about trying the samples, before I try to write my own simple TA.

I've seen the slides from https://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee, but it just doesn't speak to me. Would be grateful if anyone knows how.

Thanks in advance!

Error: unsafe header/library path used in cross-compilation: '-I/usr/include/openssl'

I am trying to use the OpenSSL functions in my client application, but I am receiving the following error:

aarch64-buildroot-linux-gnu-gcc: ERROR: unsafe header/library path used in cross-compilation: '-I/usr/include/openssl'

My CMakefiles.txt is like:

project (keyvault C)

set (SRC host/main.c)
set (CRYPTO_DIR /usr/include/openssl)

add_executable (${PROJECT_NAME} ${SRC})

include_directories (${CRYPTO_DIR})

target_include_directories(${PROJECT_NAME}
			   PRIVATE ta/include
			   PRIVATE include)

target_link_libraries (${PROJECT_NAME} PRIVATE teec)

install (TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_BINDIR})

And my CA (host) Makefile is like:

CC      ?= $(CROSS_COMPILE)gcc
LD      ?= $(CROSS_COMPILE)ld
AR      ?= $(CROSS_COMPILE)ar
NM      ?= $(CROSS_COMPILE)nm
OBJCOPY ?= $(CROSS_COMPILE)objcopy
OBJDUMP ?= $(CROSS_COMPILE)objdump
READELF ?= $(CROSS_COMPILE)readelf

OBJS = main.o

CRYPTO_DIR = /usr/include/openssl

CFLAGS += -Wall -I../ta/include -I./include -I$(CRYPTO_DIR)
CFLAGS += -I$(TEEC_EXPORT)/include
LDADD += -lteec -L$(TEEC_EXPORT)/lib

BINARY = keyvault

.PHONY: all
all: $(BINARY)

$(BINARY): $(OBJS)
	$(CC) -o $@ $< $(LDADD)

.PHONY: clean
clean:
	rm -f $(OBJS) $(BINARY)

%.o: %.c
	$(CC) $(CFLAGS) -c $< -o $@

If I change the openssl folder to optee/out-br/host/aarch64-buildroot-linux-gnu/sysroot/usr/include/openssl, I get undefined reference to the openssl functions. E.g.:

undefined reference to 'BN_new'
undefined reference to 'RSA_new'

Can anyone suggest something to solve this problem?
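
A host Makefile for this case with the two build errors above addressed, as an added example (not part of the original post or of the optee_examples project). It assumes the OpenSSL package is enabled in the Buildroot configuration so that its headers and libcrypto are present in the target sysroot, and that the sources include the headers as `<openssl/...>`.

```make
# Added example: host (CA) Makefile for the keyvault client, cross-compiled
# against the Buildroot sysroot. Assumes OpenSSL is built into that sysroot.
CC      ?= $(CROSS_COMPILE)gcc

OBJS = main.o

# No -I/usr/include/openssl: that is the build host's copy, and the Buildroot
# toolchain wrapper rejects it as an unsafe path. The cross compiler already
# searches <sysroot>/usr/include, so sources use #include <openssl/bn.h>.
CFLAGS += -Wall -I../ta/include -I./include
CFLAGS += -I$(TEEC_EXPORT)/include

# BN_new and RSA_new live in libcrypto; headers alone do not pull it in.
# Libraries are listed after the objects so the linker can resolve them.
LDADD += -L$(TEEC_EXPORT)/lib -lteec -lcrypto

BINARY = keyvault

.PHONY: all
all: $(BINARY)

$(BINARY): $(OBJS)
	$(CC) -o $@ $^ $(LDADD)

.PHONY: clean
clean:
	rm -f $(OBJS) $(BINARY)

%.o: %.c
	$(CC) $(CFLAGS) -c $< -o $@
```

In the CMake file the matching change is to drop the `include_directories` line for `/usr/include/openssl` and add `crypto` to `target_link_libraries`.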

tee_user_ta_enter: TA panicked with code 0x0 when calling TEEC_CloseSession

In CA, I have the following function to end session and context:

void terminate_tee_session(struct ta_attrs *ta)
{
	TEEC_CloseSession(&ta->sess);
	TEEC_FinalizeContext(&ta->ctx);
}

In TA, this is the code responsible to close session:

void TA_CloseSessionEntryPoint(void *session)
{
	struct rsa_session *sess;

	DMSG("Session %p: release session", session);
	sess = (struct rsa_session *)session;

	/* Release the session resources */
	TEE_FreeTransientObject(sess->key_handle);
	TEE_FreeOperation(sess->op_handle);
	TEE_Free(sess);
}

I am getting the following error:

D/TC:? 0 tee_ta_close_session:380 tee_ta_close_session(0xe171630)
D/TC:? 0 tee_ta_close_session:399 Destroy session
D/TA: TA_CloseSessionEntryPoint:180 Session 0x4001a090: release session
E/TC:? 0
E/TC:? 0 TA panicked with code 0x0
E/TC:? 0 Status of TA 2bb620d9-3e83-463b-b261-987fa92c95ef (0xe1715d0) (active)
E/TC:? 0 arch: aarch64 load address: 0x40005000 ctx-idr: 2
E/TC:? 0 stack: 0x40004000 4096
E/TC:? 0 region 0: va 0x40000000 pa 0xe100000 size 0x2000 flags ---R-X
E/TC:? 0 region 1: va 0x40002000 pa 0xe174000 size 0x1000 flags ---RW-
E/TC:? 0 region 2: va 0x40004000 pa 0xe318000 size 0x1000 flags rw-RW-
E/TC:? 0 region 3: va 0x40005000 pa 0xe300000 size 0xd000 flags r-x--- [0]
E/TC:? 0 region 4: va 0x40012000 pa 0xe30d000 size 0xb000 flags rw---- [0]
E/TC:? 0 [0] 2bb620d9-3e83-463b-b261-987fa92c95ef @ 0x40005000
E/TC:? 0 Call stack:
E/TC:? 0 0x0000000040007adc
E/TC:? 0 0x00000000400055c4
E/TC:? 0 0x0000000040009f2c
E/TC:? 0 0x000000000e102d1c
D/TC:? 0 unwind_stack_arm64:56 FP out of bounds 0
D/TC:? 0 user_ta_enter:312 tee_user_ta_enter: TA panicked with code 0x0
D/TC:? 0 tee_ta_close_session:425 Destroy TA ctx

Using gdb, I got this:

TEEC_CloseSession (session=session@entry=0xfffffffffc40) at src/tee_client_api.c:547
547 if (!session)
(gdb) n
544 {
(gdb) n
551 if (ioctl(session->ctx->fd, TEE_IOC_CLOSE_SESSION, &arg))
(gdb) n
544 {
(gdb) n
550 arg.session = session->session_id;
(gdb) s
551 if (ioctl(session->ctx->fd, TEE_IOC_CLOSE_SESSION, &arg))
(gdb) s
ioctl () at ../sysdeps/unix/sysv/linux/aarch64/ioctl.S:23
23 mov x8, #__NR_ioctl
(gdb) n
24 sxtw x0, w0
(gdb) n
25 svc #0x0
(gdb) n
26 cmn x0, #4095
(gdb) s
27 b.cs .Lsyscall_error
(gdb) n
28 ret

I tried to use the symbolize.py to get more help, but I am getting this error:

python optee_os/scripts/symbolize.py -d out-br/build/optee_examples-1.0/keyvault/ta/out/*
E/TC:? 0 arch: aarch64 load address: 0x40005000 ctx-idr: 2
E/TC:? 0 stack: 0x40004000 4096
E/TC:? 0 region 0: va 0x40000000 pa 0xe100000 size 0x2000 flags ---R-X
E/TC:? 0 region 1: va 0x40002000 pa 0xe174000 size 0x1000 flags ---RW-
E/TC:? 0 region 2: va 0x40004000 pa 0xe318000 size 0x1000 flags rw-RW-
E/TC:? 0 region 3: va 0x40005000 pa 0xe300000 size 0xd000 flags r-x--- [0]
E/TC:? 0 region 4: va 0x40012000 pa 0xe30d000 size 0xb000 flags rw---- [0]
E/TC:? 0 [0] 2bb620d9-3e83-463b-b261-987fa92c95ef @ 0x40005000
E/TC:? 0 Call stack:
E/TC:? 0 0x0000000040007adc
E/TC:? 0 0x00000000400055c4
E/TC:? 0 0x0000000040009f2c
E/TC:? 0 0x000000000e102d1c
D/TC:? 0 unwind_stack_arm64:56 FP out of bounds 0
D/TC:? 0 user_ta_enter:312 tee_user_ta_enter: TA panicked with code 0x0
D/TC:? 0 tee_ta_close_session:425 Destroy TA ctx
E/TC:? 0 arch: aarch64 load address: 0x40005000 ctx-idr: 2
E/TC:? 0 stack: 0x40004000 4096
E/TC:? 0 region 0: va 0x40000000 pa 0xe100000 size 0x2000 flags ---R-X
E/TC:? 0 region 1: va 0x40002000 pa 0xe174000 size 0x1000 flags ---RW-
E/TC:? 0 region 2: va 0x40004000 pa 0xe318000 size 0x1000 flags rw-RW-
Traceback (most recent call last):
  File "optee_os/scripts/symbolize.py", line 436, in <module>
    main()
  File "optee_os/scripts/symbolize.py", line 432, in main
    symbolizer.write(line)
  File "optee_os/scripts/symbolize.py", line 391, in write
    elf_idx) +
  File "optee_os/scripts/symbolize.py", line 316, in sections_in_region
    self.read_sections(elf)
  File "optee_os/scripts/symbolize.py", line 289, in read_sections
    stdout=subprocess.PIPE)
  File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

For me, such an error (TA panic) when calling TEEC_CloseSession does not make sense. Any suggestion? Thanks in advance.

Crypto TA example for Linux

What do you think about moving kmgk under optee_examples? Then you can make a host directory containing Linux code which would not impact the Android code.

There is no rule that Linux crypto has to use PKCS#11. For the most common use case an OpenSSL plug-in could load the existing keymaster TA and use it to do the initial ECC exchange for the IOT services -- AWS, Google, Azure, Baidu.

The needed code is already in AOSP, it just needs to be de-Androidized.
https://android.googlesource.com/platform/system/security/+/refs/heads/master

keystore-engine is the SSL plug in
keystore is the Android daemon

Code from those two projects could be merged into a single OpenSSL plug-in under Linux - no need for a daemon. This doesn't work multi-user, but embedded systems aren't multiuser.
