# The Trusted Services: framework for developing root-of-trust services

The meta-arm layer includes recipes for [Trusted Services][^1] Secure Partitions and Normal World applications
in `meta-arm/recipes-security/trusted-services`.

## Secure Partitions recipes

We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions.
These recipes produce ELF and DTB files for SPs.
These files are automatically included in the optee-os image according to the defined MACHINE_FEATURES.

### How to include TS SPs

To include TS SPs in the optee-os image, add to MACHINE_FEATURES
the feature for each [Secure Partition][^2] you would like to include:

| Secure Partition  | MACHINE_FEATURE |
| ----------------- | --------------- |
| Attestation       | ts-attesation   |
| Crypto            | ts-crypto       |
| Internal Storage  | ts-its          |
| Protected Storage | ts-storage      |
| se-proxy          | ts-se-proxy     |
| smm-gateway       | ts-smm-gateway  |
| spm-test[1-3]     | optee-spmc-test |

Other steps depend on your machine/platform definition:

1. For communication between the Secure and Normal Worlds, the Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
   is required. If your platform doesn't include it already, you can add `arm-ffa` to MACHINE_FEATURES.
   (Please see `meta-arm/recipes-kernel/arm-ffa-tee`.)

   For running the `uefi-test` or the `xtest -t ffa_spmc` tests under Linux, the `arm-ffa-user` driver is required. This is
   enabled if the `ts-smm-gateway` and/or the `optee-spmc-test` machine features are enabled.
   (Please see `meta-arm/recipes-kernel/arm-ffa-user`.)

2. optee-os might require platform-specific OP-TEE build parameters (for example, which SEL the SPM Core is implemented at).
   You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for the qemuarm64-secureboot machine
   and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
   for the N1SDP and Corstone1000 platforms respectively.

3. trusted-firmware-a might require platform-specific TF-A build parameters (SPD and SPMC details on the platform).
   See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for the qemuarm64-secureboot machine
   and `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
   `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for the N1SDP and Corstone1000 platforms.

## Normal World applications

Optionally, for testing purposes, you can add `packagegroup-ts-tests` to your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.

## OEQA Trusted Services tests

meta-arm also includes Trusted Services OEQA tests which can be used for automated testing.
See `ci/trusted-services.yml` for an example of how to include them in an image.


------
[^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html

[^2]: https://trusted-services.readthedocs.io/en/integration/deployments/secure-partitions.html

[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html

[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
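
The steps above combined into one `conf/local.conf` fragment, as an added example that is not part of the meta-arm layer. The choice of SPs and the use of `local.conf` rather than a machine configuration file are assumptions; the feature and package names are the ones listed in this document.

```bitbake
# conf/local.conf fragment (added example; the selection of SPs is an assumption)

# Secure World: build the Crypto, Internal Storage and Protected Storage SPs
# into the optee-os image, using the feature names from the table above.
# The leading space inside the quotes is required: ":append" adds no
# separator, so without it the first name fuses with the preceding feature
# and no longer matches the name the recipes look for.
MACHINE_FEATURES:append = " ts-crypto ts-its ts-storage"

# Normal World: request CONFIG_ARM_FFA_TRANSPORT=y for platforms whose
# kernel configuration does not already set it.
MACHINE_FEATURES:append = " arm-ffa"

# Optional, test images only: Trusted Services test and demo tools plus
# xtest with the ffa_spmc tests. Leave this out of production images.
IMAGE_INSTALL:append = " packagegroup-ts-tests"

# To confirm the expanded value before building, inspect the recipe
# environment:
#   bitbake -e optee-os | grep '^MACHINE_FEATURES='
```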