Run OP-TEE client (using tee-supplicant program)
If you have successfully deployed OP-TEE OS on your board, you also need the OP-TEE client installed and running.
It builds and installs libteec (TEE Client API) and the tee-supplicant binary/service so that normal-world apps can invoke Trusted Applications in OP-TEE via the kernel driver. But as explained here, to be able to communicate with the TEE, we need a kernel embedding the correct configurations and drivers.
Package installation or build steps
On redpesk OS, we directly provide the optee-client package, which contains these components.
[root@localhost ~]# dnf install optee-client
If you want to do a standalone build, it’s recommended to have the full OP-TEE build environment because of toolchains, paths… But you can try following NXP Yocto recipes as an example.
Run tee-supplicant program
If you have installed the optee-client package, you can directly use the /usr/bin/tee-supplicant daemon:
[root@localhost ~]# tee-supplicant -d & # Run in background
By default it uses the device /dev/tee0 and looks for TAs stored in /lib/optee_armtz, but this can be changed by setting options.
Run tee-supplicant service
If you have installed the optee-client package, you have installed the tee-supplicant.service too:
[root@d0-63-b4-04-d5-b0 ~]# systemctl status tee-supplicant
● tee-supplicant.service - TEE Supplicant
Loaded: loaded (/usr/lib/systemd/system/tee-supplicant.service; enabled; preset: enabled)
Active: active (running) since Tue 2025-10-14 12:18:36 CEST; 820ms ago
Main PID: 1259 (tee-supplicant)
Tasks: 1 (limit: 19796)
Memory: 160.0K
CPU: 2ms
CGroup: /system.slice/tee-supplicant.service
└─1259 /usr/sbin/tee-supplicant -t /lib/optee_armtz
Oct 14 12:18:36 d0-63-b4-04-d5-b0 systemd[1]: Started TEE Supplicant.
When installed, this systemd service is enabled by default.
Please note that you can’t have both at the same time (you’ll get a "failed to find an OP-TEE supplicant device" message).
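The checks above, gathered into a pre-flight script to run before starting tee-supplicant by hand. This is an added example, not part of redpesk or OP-TEE; the function names, the return codes and the optional proc-root argument are assumptions of this example, and the default paths are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: pre-flight check before starting tee-supplicant by hand.
# Defaults are the paths quoted on this page; every argument is optional.

# Count running processes whose command name is tee-supplicant.
# $1: proc root (assumption: parameterised so the check can run on a fake tree)
count_supplicants() {
    proc_root=${1:-/proc}
    n=0
    for f in "$proc_root"/[0-9]*/comm; do
        [ -r "$f" ] || continue
        # A process may exit between the glob and the read: skip it.
        name=$(cat "$f" 2>/dev/null) || continue
        if [ "$name" = "tee-supplicant" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Return codes (this script's own convention):
#   0 ready, 1 TEE device missing, 2 TA directory missing,
#   3 a supplicant is already running (manual start would conflict)
preflight() {
    dev=${1:-/dev/tee0}
    ta_dir=${2:-/lib/optee_armtz}
    proc_root=${3:-/proc}
    if [ ! -e "$dev" ]; then
        echo "no $dev: check the kernel TEE driver and that OP-TEE OS booted" >&2
        return 1
    fi
    if [ ! -d "$ta_dir" ]; then
        echo "no TA directory $ta_dir" >&2
        return 2
    fi
    if [ "$(count_supplicants "$proc_root")" -gt 0 ]; then
        echo "tee-supplicant already running (see: systemctl status tee-supplicant)" >&2
        return 3
    fi
    return 0
}

# Usage on the target: preflight && tee-supplicant -d
```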
If both OP-TEE OS and OP-TEE client are successfully running, you can go to the OP-TEE test side to validate the communication between the Trusted Execution Environment (OP-TEE OS) and the Rich Execution Environment (redpesk OS).