Security and Privacy Research at Microsoft
dmattoon 2319a84b1e Manufacturer and vendor strings need to be defined by the implementor. 2024-09-09 10:30:58 -07:00
TAs/optee_ta Manufacturer and vendor strings need to be defined by the implementor. 2024-09-09 10:30:58 -07:00
external Pull latest TPM rev (again) this time for self-test fixes 2019-12-06 11:15:17 -08:00
.gitignore Initial commit 2019-03-21 15:24:51 -07:00
.gitmodules Build system updates to support submodules and OSSL (#1) 2019-03-29 10:23:53 -07:00
LICENSE Initial commit 2019-03-21 15:24:55 -07:00
NOTICE Add auto-generated notice file (#18) 2019-07-29 12:53:58 -07:00
README.md Update README.md 2023-11-08 21:05:50 -08:00
SECURITY.md Microsoft mandatory file 2022-08-30 09:34:33 +00:00
azure-pipelines.yml Pass CFG_ARM64_ta_arm64 flag in the pipeline (#30) 2019-12-05 14:36:55 -08:00

README.md

Microsoft Research Security TAs

Trusted firmware for 32-bit and 64-bit ARM SoCs

This repository contains OP-TEE Trusted Applications (TAs) which implement a firmware Trusted Platform Module (TPM), and a UEFI authenticated variable store. These are provided as starting points for development of fTPM and AuthVars implementations.

Further Reading

See Authvars README.md and fTPM README.md for details about each TA.

See External Libraries README.md for details about how the external code is linked into the TAs.

See IoT Core build-firmware.md for details on using these TAs in a full firmware stack.

Crypto Options

Each TA can link against either OpenSSL or WolfSSL crypto libraries.

Stand Alone OpenSSL

OpenSSL is provided as the default crypto option. OpenSSL's libcrypto.a is compiled and statically linked with each TA. Work was required to stub out many standard library functions which the OP-TEE environment does not provide. See the SASSL README.md for details.

WolfSSL

Please be aware of licensing considerations when using WolfSSL. To enable WolfSSL, set the CFG_AUTHVARS_USE_WOLF=y and CFG_FTPM_USE_WOLF=y flags when building the TAs.

Building

Extra Installation Steps

The secure firmware uses the OP-TEE implementation of the Global Platform specifications. The OP-TEE project is not duplicated in this repository but is obtained directly from the public release. However, some features of the fTPM will only work with the Microsoft fork of OP-TEE.

OP-TEE builds natively on Linux; the following installation steps also allow OP-TEE to be built under Windows using the Windows Subsystem for Linux (WSL). Only the optee_os repository is relevant for building the trusted firmware. The optee_client and optee_linuxdriver repositories are integration components for Linux and can serve as a reference for the equivalent Windows components. Note that optee_linuxdriver is GPL.

OP-TEE generates a Make-based build environment for trusted applications (see TA_DEV_KIT_DIR in the build directions). This build environment places several constraints on how the code is organized, which are explained in the relevant makefiles and in the external library README.md. See the optee_os documentation for details about how the OP-TEE build works.

1. Enable Windows Subsystem for Linux if needed

See instructions here.

The build has also been validated on Ubuntu 16.04.

2. Launch Bash

Search for "bash" in the start menu, OR press Windows key + 'R', then type bash.
Update if needed.

In WSL:

sudo apt-get update

3. Install the ARM tool chain

Install the ARM toolchain to a directory of your choice.

cd ~
wget https://releases.linaro.org/components/toolchain/binaries/6.4-2017.11/arm-linux-gnueabihf/gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
tar xf gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
rm gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz

4. Clone the OP-TEE source code

If you do not already have a version of the OP-TEE OS repo cloned on your machine you may run:

cd ~
git clone https://github.com/ms-iot/optee_os.git

Additional information on the Microsoft IoT fork of OP-TEE OS can be found here.

5. Build OP-TEE OS for the target platform

CROSS_COMPILE should point to the ARM toolchain installed in step 3.

cd ~/optee_os
CROSS_COMPILE=~/gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf- make PLATFORM=imx-mx6qhmbedge CFG_TEE_CORE_LOG_LEVEL=4 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_TESTKEY=y CFG_RPMB_WRITE_KEY=y -j20

6. Clone the MSRSec source code

cd ~
git clone https://github.com/Microsoft/MSRSec.git

7. (Optional) Initialize the git submodules

The build system will determine which submodules are required at build time, but you can manually download them now. This will download the MSR TPM reference implementation, OpenSSL, and WolfSSL.

cd ~/MSRSec
git submodule update --init

Building the TAs

TA_CROSS_COMPILE should point to the ARM toolchain installed in step 3.

TA_DEV_KIT_DIR should point to the directory the optee_os TA devkit was compiled to in step 5.

-j increases the parallelism of the build process.

cd ~/MSRSec/TAs/optee_ta
TA_CPU=cortex-a9 TA_CROSS_COMPILE=~/gcc-linaro-6.4.1-2017.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf- TA_DEV_KIT_DIR=~/optee_os/out/arm-plat-imx/export-ta_arm32 CFG_TEE_TA_LOG_LEVEL=2 make -j20

Debugging options you may want to add:

CFG_TEE_TA_LOG_LEVEL=3: 1 is fatal errors only; other values increase debug tracing output.

CFG_TA_DEBUG=y: Turns on debug output from the TAs, and enables extra correctness checks in the fTPM TA.
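The step 5 command and the debugging options above set several development-oriented flags. The script below is an added example, not part of the MSRSec repository: it audits a make command line for those flags before a release build. The function names, the MAX_LOG_LEVEL ceiling and the finding messages are assumptions of this example; the notes on CFG_RPMB_TESTKEY and CFG_RPMB_WRITE_KEY describe OP-TEE's behaviour and are not stated on this page.

```shell
#!/bin/sh
# Added example (not from the MSRSec repository): flag development-only
# settings in an OP-TEE or TA make command line before a release build.
# The policy below, including MAX_LOG_LEVEL, is an assumption of this example.

MAX_LOG_LEVEL=${MAX_LOG_LEVEL:-2}

# audit_build_flags "<make command line>"
# Prints one finding per line. Returns 0 when clean, 1 when anything is flagged.
audit_build_flags() (
    set -f                      # word-split the argument without globbing
    findings=0
    for word in $1; do
        name=${word%%=*}
        value=${word#*=}
        msg=
        case "$name=$value" in
            CFG_RPMB_TESTKEY=y)
                msg="RPMB is keyed with OP-TEE's built-in test key" ;;
            CFG_RPMB_WRITE_KEY=y)
                msg="OP-TEE may program the one-time-writable RPMB key" ;;
            CFG_TA_DEBUG=y)
                msg="TA debug output and extra checks are enabled" ;;
            CFG_TEE_CORE_LOG_LEVEL=[0-9]|CFG_TEE_TA_LOG_LEVEL=[0-9])
                if [ "$value" -gt "$MAX_LOG_LEVEL" ]; then
                    msg="trace level above $MAX_LOG_LEVEL"
                fi ;;
        esac
        if [ -n "$msg" ]; then
            printf '%s=%s: %s\n' "$name" "$value" "$msg"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Number of findings for a command line (usable as a CI gate).
count_findings() {
    audit_build_flags "$1" | grep -c . || true
}

# Flags as given in step 5 and "Building the TAs" (toolchain paths omitted).
CORE_CMD='make PLATFORM=imx-mx6qhmbedge CFG_TEE_CORE_LOG_LEVEL=4 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_TESTKEY=y CFG_RPMB_WRITE_KEY=y -j20'
TA_CMD='TA_CPU=cortex-a9 CFG_TEE_TA_LOG_LEVEL=2 make -j20'
audit_build_flags "$CORE_CMD" || echo "core build: not release-ready"
audit_build_flags "$TA_CMD" && echo "TA build: no findings"
```

Because the RPMB key can be written only once, a board provisioned with both CFG_RPMB_TESTKEY=y and CFG_RPMB_WRITE_KEY=y stays keyed with the test key, so keep such boards out of production inventory.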

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.