OP-TEE OS Version
warraagal opened this issue · 12 comments
What is the oldest version of OP-TEE OS that this implementation of Keymaster and Gatekeeper is known to work well with ?
What is the oldest version of OP-TEE OS that this implementation of Keymaster and Gatekeeper is known to work well with ?
master branch *should* work for anything beyond Pie, but there are dependencies on the android_keymaster_message* Classes in AOSP which have seen more frequent changes recently, and not all regression tests pass atm.
For Pie, you can try https://github.com/vchong/kmgk/commits/opt313_pie_20210428. It's basically the master branch with some patches reverted, and all regression tests should pass.
Don't remember trying on anything older than that.
@vchong
I was asking for the version of OPTEE OS and not the version of Android OS. But this information is useful too. Thanks.
I see that the link you shared above has 'opt313' in it. I am guessing that means OP-TEE 3.13.
I am currently using OP-TEE 3.8 in a project. I would like to use the latest implementation of Keymaster 3.0 and Gatekeeper 1.0.
Will the TAs in this implementation work with OP-TEE 3.8 ? Or have you made use of something introduced in newer versions of OP-TEE OS?
I will upgrade to a newer version of OP-TEE OS if and only if necessary to make the latest KMGK implementation work.
So, let me ask again. What version(s) of OP-TEE OS was this repository and the one you linked to, tested on ?
@vchong
I was asking for the version of OPTEE OS and not the version of Android OS. But this information is useful too. Thanks.
Sorry. Probably read the question wrong because the OP-TEE OS version shouldn't matter in this case we're just using standard GP APIs in the CA and TA.
I see that the link you shared above has 'opt313' in it. I am guessing that means OP-TEE 3.13.
Yes. This release was done for testing on top of the recent OP-TEE 3.13 release to make sure there are no regressions.
I am currently using OP-TEE 3.8 in a project. I would like to use the latest implementation of Keymaster 3.0 and Gatekeeper 1.0.
KM3 and GK1 are what we currently have in this repo. As mentioned above, the OP-TEE version shouldn't matter. Please give it a try and let us know how it goes. Do note that however there are some extra patches you'll need to apply (cherrypick) on top of optee_os (any version) to support kmgk due to different expectations on some of the default behavior of the secure OS. See below patches from https://github.com/vchong/optee_os/commits/kmgk_rebase_mbedtls_pie_20210421 for details:
Revert "core: syscall_obj_generate_key() check public rsa exponent"
core: crypto: change supported HMAC key size ranges
libutee: remove restrictions for TEE_ALG_RSA_NOPAD
core: crypto: detect elliptic curve size
core: crypto: add support MD5 hashes in RSA sign/verify
libtomcrypt: rsa: oaep: Use SHA-1 by default for MGF1
Thank you for your response @vchong
You mentioned above that all regression tests pass for https://github.com/vchong/kmgk/commits/opt313_pie_20210428
Can you share which commit (or fork) of https://github.com/linaro-swg/optee_android_manifest you used for testing ? Thanks
You're welcome.
https://github.com/linaro-swg/optee_android_manifest/tree/3.13.0.
VtsHalKeymasterV3_0TargetTest should all pass.
xtest has failure in pkcs11_1014 per linaro-swg/optee_android_manifest@628162f.
Note that each revision/commit ID in https://github.com/linaro-swg/optee_android_manifest/blob/3.13.0/archive/pinned-manifest_hikey960_v9r30_v3.13.0_20210421.xml is NOT final if the corresponding repo is later modified by a patch file.
@vchong
Last question before I close this.
Did you check whether the build created with the commit you have linked above boots to the Home screen ?
In your post on the 96boards forum (https://discuss.96boards.org/t/aosp-op-tee-build-and-sync-issue-in-hikey960/9959/32),
you had said that the 3.4.2 build boots to Home screen but the 3.8.3 doesn't. Does the 3.13 build boot to Home screen ?
Yes I checked.
3.4.2 was based on AOSP v9r30. 3.8.3 on r34. For 3.12 and 3.13, we wanted a 'stable' build/base so reverted back to r30.
Are you not able to boot to the Home screen?
@vchong
The build failed for me. The sync was successful and all patchsets were applied successfully. Relevant part of the log from a single thread build :
CHK out/arm-plat-hikey/export-ta_arm64/mk/conf.mk
INSTALL out/arm-plat-hikey/export-ta_arm64/scripts/symbolize.py
GEN out/arm-plat-hikey/ta/pkcs11/dyn_list
GEN out/arm-plat-hikey/ta/trusted_keys/dyn_list
CHK out/arm-plat-hikey/include/generated/conf.h
INSTALL out/arm-plat-hikey/export-ta_arm32/host_include/conf.cmake
UPD out/arm-plat-hikey/include/generated/conf.h
UPD out/arm-plat-hikey/export-ta_arm64/mk/conf.mk
CC out/arm-plat-hikey/core/include/generated/.asm-defines.s
bash: aarch64-linux-gnu-gcc: command not found
AS out/arm-plat-hikey/ldelf/start_a64.o
mk/compile.mk:246: recipe for target 'out/arm-plat-hikey/core/include/generated/.asm-defines.s' failed
make[1]: *** [out/arm-plat-hikey/core/include/generated/.asm-defines.s] Error 127
make[1]: *** Waiting for unfinished jobs....
bash: aarch64-linux-gnu-gcc: command not found
mk/compile.mk:159: recipe for target 'out/arm-plat-hikey/ldelf/start_a64.o' failed
make[1]: *** [out/arm-plat-hikey/ldelf/start_a64.o] Error 127
AS out/arm-plat-hikey/ldelf/syscalls_a64.o
bash: aarch64-linux-gnu-gcc: command not found
mk/compile.mk:159: recipe for target 'out/arm-plat-hikey/ldelf/syscalls_a64.o' failed
make[1]: *** [out/arm-plat-hikey/ldelf/syscalls_a64.o] Error 127
AS out/arm-plat-hikey/ldelf/tlsdesc_rel_a64.o
bash: aarch64-linux-gnu-gcc: command not found
mk/compile.mk:159: recipe for target 'out/arm-plat-hikey/ldelf/tlsdesc_rel_a64.o' failed
make[1]: *** [out/arm-plat-hikey/ldelf/tlsdesc_rel_a64.o] Error 127
For some reason the build cannot find the compiler aarch64-linux-gnu-gcc
I have checked that it is present at optee/aarch64/bin/aarch64-linux-gnu-gcc
I don't understand why I am getting this error.
Have you downloaded the toolchain separately? In our build.git we create a symlink from
aarch64-none-linux-gnu-gcc to aarch64-linux-gnu-gcc. This is done automatically when running the make toolchains command.
https://github.com/OP-TEE/build/blob/master/toolchain.mk#L28
This is my best guess, that this is the issue.
@warraagal That is strange if the toolchain has already been downloaded. Can you list out the steps you took and/or commands you run? Any changes made? Might be helpful if you include the full logs as well. You can find them under <your build root dir>/logs.
Also, are you using an external drive/storage for the build? And what's your distro?
@vchong
In my first attempt, I had tried to run the sync on top of an existing one for 3.8.3 after checking out the tag 3.13.0. I had made some minor changes to the sync and build scripts to add timestamps to the log file name. When the build failed with the above error, I deleted all the AOSP directories but kept the .repo directory created by repo and ran the sync again. Build failed again with the same error. In my third attempt I cloned https://github.com/linaro-swg/optee_android_manifest/ in a new directory, checked out the tag 3.13.0, made absolutely no changes at all and ran the sync. The only patchset that failed was android-patchsets/get-hikey960-gcc patch that downloads the toolchains. I downloaded and extracted the toolchains manually. But the build still failed with the same error.
I use an external SSD. The sync and build are done in an Ubuntu 18.04 Docker container running on a Linux Mint 20.1 host. The /media of host is bind mounted as /media in the container, so any external storage device is always available to both the host and the container.
For now, I have fixed the issue by making a small modification to optee/uefi-tools/tos-build.sh. Just before opteed-build.sh is called from tos-build.sh, I have added the path of toolchain to $PATH after saving its existing value. The existing value is restored after opteed-build.sh completes. This small modification was enough to run the build to completion without any more errors.
I am closing this issue because the original question (and several more :P ) have been answered. Thank you @vchong
@warraagal You're welcome. Glad you got it to work, and thanks for the details. The toolchain download url appears to be fine. I'll double check again for the next release.