OP-TEE / optee_os

Trusted side of the TEE

Which supported ARM platform is most turn key for demoing OPTEE. #1504

Closed dnovick closed 7 years ago

dnovick commented 7 years ago

Good Day,

So, I've posted to this list for help with my issue getting OP-TEE and Linux booting properly on a Zedboard. As my other post details, OP-TEE boots fine but Linux pukes during PLL init. I've been supposed to be doing a TZ demo of a custom crypto algorithm over ARM TZ on this and an Altera platform, but have been blocked by this issue...and the fact that I have to implement the Altera port of OP-TEE. I've worked with Xilinx support, and beaten my head on the wall for 2 months with no progress. So, I'm considering a short term option that may also help me troubleshoot the Zedboard issue...i.e. use another ARM TZ device that is known to do a proper dual OS boot with OP-TEE and Linux without a lot of pain. That way, I could take my project specific code and actually demo it in short order. BTW, I've had the code working under Qemu for 8 months.

Here's my question then: Of all the currently supported platforms, which of the ARM SoC ones has the best track record for booting OP-TEE in secure world followed by Linux in non-secure? Which one would be easiest to get up and running to get my demos done and have a stable platform with which to compare my problematic and to-be-developed platforms? Price is almost a non-issue here....within reason. I'm just looking for the most functional option that would allow me to drop my TA and Linux client app in with minimal pain.

Any suggestions would be really appreciated.

Thanks, Dave

dnovick commented 7 years ago

One thing I may not have been explicit about...but I'd like it if said board had a decent toolchain / dev env with it.

I noticed that Raspberry PI 3 is supported....and I actually have one laying around. Would this qualify for what I'm looking for? I saw that there's a product out there that supposedly will turn Visual Studio into a decent embedded platform for devices like the PI. If the PI support for OP-TEE and Linux is solid, I may just go down that path.

Of course, if other suggestions are better...I'm all ears. I'm just desperate for a short term solution.

Dave

dnovick commented 7 years ago

So, I went ahead and built the RPI3 version today and loaded it on my device. However, I'm not seeing any UI when I connect the PI to an HDMI monitor. Nor does the device ever get onto my network through DHCP. Am I correct then to assume that the only way to interact with the device is to use the JTAG mechanism described on the PI3 build instructions? I was hoping to not have to make a special cable just to do simple mods and debugging.

jforissier commented 7 years ago

Hi @dnovick ,

I'm sorry you're having issues with OP-TEE on the Zedboard, and unfortunately I can't offer any help because I don't have this board (nor does anyone else in the Linaro team AFAIK).

RPI3 is certainly a good choice for development/demo purposes, but please note that the platform is otherwise quite limited security-wise. For instance, and to the best of my knowledge, there is no memory firewall allowing you to set aside some physical address range for exclusive use by TrustZone. I don't think you can restrict access to the programming registers of the various devices to secure world, either. But as I said you probably don't care for development/demo.

Another good choice would be the HiKey board. It is my primary development platform when I'm not using QEMU. You can be pretty sure that the latest OP-TEE always works on HiKey. We have repo manifests that you can use to build and run a small initramfs-based Linux with Busybox or a full Debian distro; you may even run Android. I'm personally using the small Busybox because it's small and convenient. See the build instructions at https://github.com/OP-TEE/build and you should be good to go in minutes (you would use one of: hikey.xml, hikey_stable.xml, hikey_debian.xml, or hikey_debian_stable.xml when cloning the repository). In any case you need a UART-USB adapter to connect to UART3 on the low-speed expansion connector, or to UART0 (the debug UART) using the dedicated header. Setting up a serial console connection is a pain in itself hardware-wise, because it's 1.8V logic level and on some boards you even need to do some soldering to access UART0 :( But if you're playing with low-level stuff there's almost no chance you can do without a UART console in my opinion.

A final word about HiKey: although it does support lots of security features (memory firewall, secure-only peripherals, crypto engine...) the programming documentation for the security features is almost non-existent, effectively making the platform not much better than RPI3 for real use. But yet again, quite usable for development and demo.

HTH.

dnovick commented 7 years ago

Thanks for the suggestions. So, I managed to get my PI3 up and running with OP-TEE yesterday and am now off to getting my crypto demo in place. Yeah, I was aware of the security limitations...but like you said, I'm not worried about it for demo purposes. I still plan to figure out my Zedboard issues as well as finish the Altera port of OP-TEE, but really needed to get a working demo in place first. The other benefit I hope to get out of the working version is now I have something I know works that I can compare my Zedboard and Altera implementations with. While there are certainly differences between the platforms, there should be enough similarity to at least help me rule out anything I might have done wrong...or something that may be wrong with Petalinux on my platforms. Before now, I was left to doing line by line ASM comparisons...which while useful educationally are pretty grueling as a debugging approach :-).

I'll need to keep the HiKey in mind. I'm assuming they are readily available. I was really interested in the Juno board, but have yet to find anywhere to buy it.

Thanks, Dave