# The Trusted Services: framework for developing root-of-trust services

The meta-arm layer includes recipes for [Trusted Services][^1] Secure Partitions and Normal World applications
in `meta-arm/recipes-security/trusted-services`.

## Secure Partitions recipes

We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions (SPs).
These recipes produce ELF and DTB files for the SPs.
These files are automatically included in the optee-os image according to the defined MACHINE_FEATURES.

### How to include TS SPs

To include TS SPs in the optee-os image, add a feature to MACHINE_FEATURES
for each [Secure Partition][^2] you would like to include:

| Secure Partition  | MACHINE_FEATURE |
| ----------------- | --------------- |
| Attestation       | ts-attestation  |
| Crypto            | ts-crypto       |
| Internal Storage  | ts-its          |
| Protected Storage | ts-storage      |
| se-proxy          | ts-se-proxy     |
| smm-gateway       | ts-smm-gateway  |
| spm-test[1-3]     | optee-spmc-test |

Other steps depend on your machine/platform definition:

1. For communication between the Secure and Normal Worlds, the Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
   is required. If your platform doesn't include it already, you can add `arm-ffa` to MACHINE_FEATURES.
   (Please see `meta-arm/recipes-kernel/arm-ffa-tee`.)

   For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux, the `arm-ffa-user` driver is required. It is
   enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled.
   (Please see `meta-arm/recipes-kernel/arm-ffa-user`.)

2. optee-os might require platform-specific OP-TEE build parameters (for example, which SEL the SPM Core is implemented at).
   You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for the qemuarm64-secureboot machine
   and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
   for the N1SDP and Corstone1000 platforms respectively.

3. trusted-firmware-a might require platform-specific TF-A build parameters (SPD and SPMC details on the platform).
   See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for the qemuarm64-secureboot machine,
   and `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
   `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for the N1SDP and Corstone1000 platforms.
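
A pre-build sanity check for the feature selection and step 1 above, as an added example that is not part of meta-arm: it flags `ts-*` names that are not in the table and a kernel config without `CONFIG_ARM_FFA_TRANSPORT=y`. The function name `check_ts_config` and the sample inputs are assumptions made for illustration.

```python
import re

# MACHINE_FEATURES names from the table above, with Attestation as "ts-attestation".
SP_FEATURES = {"ts-attestation", "ts-crypto", "ts-its", "ts-storage",
               "ts-se-proxy", "ts-smm-gateway", "optee-spmc-test"}
# Features that, per step 1, enable the arm-ffa-user driver.
FFA_USER_FEATURES = {"ts-smm-gateway", "optee-spmc-test"}


def check_ts_config(machine_features, kernel_config):
    """Return (selected_sps, needs_ffa_user, problems) for one configuration."""
    features = set(machine_features.split())
    selected = sorted(features & SP_FEATURES)
    problems = []
    # A misspelt feature name is not an error to the build, so catch it here.
    for name in sorted(features - SP_FEATURES):
        if name.startswith("ts-"):
            problems.append(f"'{name}' is not in the page's feature table (typo?)")
    # Kernel .config lines read CONFIG_FOO=y or "# CONFIG_FOO is not set".
    ffa_on = re.search(r"^CONFIG_ARM_FFA_TRANSPORT=y$", kernel_config, re.M)
    if selected and not ffa_on:
        hint = "" if "arm-ffa" in features else "; add 'arm-ffa' to MACHINE_FEATURES"
        problems.append("CONFIG_ARM_FFA_TRANSPORT=y missing from kernel config" + hint)
    needs_ffa_user = bool(features & FFA_USER_FEATURES)
    return selected, needs_ffa_user, problems


# Constructed sample inputs (not taken from a real build).
SAMPLE_FEATURES = "efi ts-crypto ts-storge ts-smm-gateway"
SAMPLE_KCONFIG = "CONFIG_ARM64=y\n# CONFIG_ARM_FFA_TRANSPORT is not set\n"

if __name__ == "__main__":
    sps, ffa_user, issues = check_ts_config(SAMPLE_FEATURES, SAMPLE_KCONFIG)
    print("SPs selected:", sps)
    print("arm-ffa-user driver expected:", ffa_user)
    for issue in issues:
        print("PROBLEM:", issue)
```

Feed it the `MACHINE_FEATURES` value printed by `bitbake -e` and the contents of the kernel's `.config`.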

## Normal World applications

Optionally, for testing purposes, you can add `packagegroup-ts-tests` to your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.

## OEQA Trusted Services tests

meta-arm also includes Trusted Services OEQA tests which can be used for automated testing.
See `ci/trusted-services.yml` for an example of how to include them in an image.


------
[^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html

[^2]: https://trusted-services.readthedocs.io/en/integration/deployments/secure-partitions.html

[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html

[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html