Test TEE/REE communication (using xtest or TA samples)

If you have successfully deployed OP-TEE OS on your board, you may want to verify that communication between the Trusted Execution Environment (OP-TEE OS) and the Rich Execution Environment (redpesk OS) is working well.

To do this, you can use OP-TEE test, a test framework built for exactly this purpose.

Package installation or build steps

On redpesk OS, we provide the optee-test package, which contains the xtest program and sample TAs installed in /lib/optee_armtz.

[root@localhost ~]# dnf install optee-test

If you want to do a standalone build, it’s recommended to have the full OP-TEE build environment, because of toolchains, paths, and so on. You can also try following the NXP Yocto recipes as an example.

[root@localhost ~]# which xtest
/usr/bin/xtest
[root@localhost ~]# dnf provides xtest
optee-test-3.19.0-1.rpbatz.aarch64 : OP-TEE test samples for i.MX8MP
Repo        : @System
Matched from:
Filename    : /usr/bin/xtest
[root@localhost ~]# rpm -ql optee-test
/lib/optee_armtz/25497083-a58a-4fc5-8a72-1ad7b69b8562.ta
/lib/optee_armtz/380231ac-fb99-47ad-a689-9e017eb6e78a.ta
/lib/optee_armtz/528938ce-fc59-11e8-8eb2-f2801f1b9fd1.ta
/lib/optee_armtz/5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.ta
/lib/optee_armtz/5ce0c432-0ab0-40e5-a056-782ca0e6aba2.ta
/lib/optee_armtz/614789f2-39c0-4ebf-b235-92b32ac107ed.ta
/lib/optee_armtz/690d2100-dbe5-11e6-bf26-cec0c932ce01.ta
/lib/optee_armtz/731e279e-aafb-4575-a771-38caa6f0cca6.ta
/lib/optee_armtz/873bcd08-c2c3-11e6-a937-d0bf9c45c61c.ta
/lib/optee_armtz/8aaaf200-2450-11e4-abe20002a5d5c51c.ta
/lib/optee_armtz/a4c04d50-f180-11e8-8eb2-f2801f1b9fd1.ta
/lib/optee_armtz/b3091a65-9751-4784-abf7-0298a7cc35ba.ta
/lib/optee_armtz/b689f2a7-8adf-477a-9f99-32e90c0ad0a2.ta
/lib/optee_armtz/c3f6e2c0-3548-11e1-b86c-0800200c9a66.ta
/lib/optee_armtz/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta
/lib/optee_armtz/d17f73a0-36ef-11e1-984a-0002a5d5c51b.ta
/lib/optee_armtz/e13010e0-2ae1-11e5-896a-0002a5d5c51b.ta
/lib/optee_armtz/e626662e-c0e2-485c-b8c8-09fbce6edf3d.ta
/lib/optee_armtz/e6a33ed4-562b-463a-bb7e-ff5e15a493c8.ta
/lib/optee_armtz/f157cda0-550c-11e5-a6fa-0002a5d5c51b.ta
/lib/optee_armtz/ffd2bded-ab7d-4988-95ee-e4962fff7154.ta
/usr/bin/xtest

Use xtest to guarantee the proper functioning of OP-TEE

If tee-supplicant.service is running, you can call xtest to run a collection of specific tests.

Here is the output of some xtest tests provided by NXP in our use case:

[root@localhost ~]# xtest 1001
+-----------------------------------------------------
Result of testsuite regression+pkcs11+regression_nxp filtered by "1001":
regression_1001 OK
pkcs11_1001 OK
regression_nxp_1001 OK
+-----------------------------------------------------
2404 subtests of which 0 failed
3 test cases of which 0 failed
132 test cases were skipped
TEE test application done!

You can find more xtest commands in the official OP-TEE test documentation.

Or run the program without arguments to execute the full sequence of tests:

[root@localhost ~]# xtest
+-----------------------------------------------------
38100 subtests of which 2 failed
135 test cases of which 2 failed
0 test cases were skipped
TEE test application done!

If some tests fail, as above, check the details of each section to see what went wrong.

In our example, the failure is pkcs11_1014.1 FAILED first error at /root/imx-optee-test/host/xtest/pkcs11_1000.c:3496, which is of no interest to us. You need to know what you require from OP-TEE, so that you validate only the specific features you depend on.
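One way to apply this, as an added example that is not part of redpesk or OP-TEE test: a POSIX shell function that reads captured xtest output and fails only when a failed case belongs to a suite you require. The names xtest_gate and sample_log, the prefix arguments and the sample log are assumptions made for illustration; the failure-line format is the one quoted above.

```shell
#!/bin/sh
# Added example: gate a test run on the xtest suites you actually require.
# Assumes failed cases are logged as "<name> FAILED ..." as in the output above.

# Constructed sample log in the format xtest prints (not a real capture).
sample_log() {
cat <<'EOF'
regression_1001 OK
pkcs11_1014.1 FAILED first error at /root/imx-optee-test/host/xtest/pkcs11_1000.c:3496
regression_nxp_1001 OK
+-----------------------------------------------------
2404 subtests of which 1 failed
3 test cases of which 1 failed
132 test cases were skipped
TEE test application done!
EOF
}

# xtest_gate LOGFILE PREFIX...
# Returns 0 if no failed case starts with a required PREFIX, 1 if one does,
# 2 if the log has no summary line (run was cut short or never started).
xtest_gate() {
    log=$1; shift
    grep -q 'test cases of which [0-9]* failed' "$log" || {
        echo "no xtest summary in $log: incomplete run" >&2
        return 2
    }
    rc=0
    for name in $(awk '$2 == "FAILED" { print $1 }' "$log" | sort -u); do
        required=no
        for prefix in "$@"; do
            case $name in "$prefix"*) required=yes ;; esac
        done
        if [ "$required" = yes ]; then
            echo "REQUIRED FAIL: $name"; rc=1
        else
            echo "ignored fail:  $name"
        fi
    done
    return $rc
}

# Demo on the constructed log: only the regression suites are required here.
tmp=$(mktemp)
sample_log > "$tmp"
xtest_gate "$tmp" regression_ regression_nxp_ && echo "gate: pass"
rm -f "$tmp"
```

On a target, capture a run with `xtest > /tmp/xtest.log 2>&1` and pass that file together with the prefixes of the suites your product relies on.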

Alternative tests with OP-TEE examples

Some sample applications are included in OP-TEE examples maintained by the Linaro organization. They aim to showcase specific functionality and use cases.

These sample applications aren’t packaged on redpesk OS (because they are absent from the NXP Yocto recipes), so you must compile them directly on the target:

# install development packages
[root@localhost ~]# dnf install optee-client-ta-export \
                                optee-os-ta-devkit \
                                git make gcc \
                                python3-cryptography

# clone the OP-TEE examples repository
[root@localhost ~]# git clone https://github.com/linaro-swg/optee_examples.git
[root@localhost ~]# cd optee_examples

Once the requirements are installed, each TA sample can be compiled, although the method is a little tricky. We’ll take hello_world as an example:

[root@localhost  optee_examples]# cd hello_world
[root@localhost  hello_world]# export TEEC_EXPORT=/usr/lib/firmware/optee-client-export/
[root@localhost  hello_world]# TA_DEV_KIT_DIR=/usr/lib/firmware/ta-devkit/export-ta_arm64/ make CROSS_COMPILE= CC=gcc  CFLAGS="-I$TEEC_EXPORT/usr/include -I/root/optee_examples/acipher/ta/include -I/root/optee_examples/hello_world/ta/include/" -j

Once compilation succeeds, you must copy the Trusted Application to /lib/optee_armtz:

[root@localhost hello_world]# cp ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta /lib/optee_armtz/

If tee-supplicant.service isn’t running but the tee-supplicant program is installed, start it manually before running the host application:

[root@localhost hello_world]# tee-supplicant &
[1] 2168
[root@localhost hello_world]# ./host/optee_example_hello_world 
D/TA:  TA_CreateEntryPoint:39 has been called
D/TA:  TA_OpenSessionEntryPoint:68 has been called
I/TA: Hello World!
Invoking TA to increment 42
D/TA:  inc_value:105 has been called
I/TA: Got value: 42 from NW
I/TA: Increase value to: 43
TA incremented value to 43
I/TA: Goodbye!
D/TA:  TA_DestroyEntryPoint:50 has been called

Or, if the service is already running, just call the program. You can follow the same steps to build and run the other samples.