tkaratapanis opened a new pull request, #3141: URL: https://github.com/apache/nuttx-apps/pull/3141
## Summary

This PR introduces the OP-TEE supplicant to `nuttx-apps`. Since `LIBTEEC` already downloads a zip file containing the supplicant and the supplicant **requires** `LIBTEEC`, I decided to re-use the downloaded artifact from LIBTEEC and apply the supplicant patch on top of it, in the `apps/tee/optee_supplicant/optee_client` directory. The build system will expect `CONFIG_OPTEE_SUPPLICANT_VERSION` to match `CONFIG_LIBTEEC_VERSION`; otherwise the build will abort with an error message.

The main reason this application is added is to provide secure storage to OP-TEE. So an expected (and the currently tested) scenario is to run `optee_supplicant` as a background app in order to allow Trusted Applications (TAs) running in OP-TEE to have access to secure files. These files are created on the nuttx side, but all their metadata and contents are only known to OP-TEE since they are encrypted before being "transferred" to nuttx.

To enable the supplicant we need the following:

```
CONFIG_OPTEE_SUPPLICANT=y
CONFIG_LIBTEEC=y
CONFIG_ALLOW_BSD_COMPONENTS=y
CONFIG_FS_ANONMAP=y
CONFIG_DEV_OPTEE_SMC=y
CONFIG_DEV_OPTEE_SUPPLICANT=y
```

More info:

- https://github.com/OP-TEE/optee_client
- https://optee.readthedocs.io/en/latest/architecture/secure_storage.html

## Impact

No impact to existing users.

## Testing

To test the file creation I created one nuttx Client Application (CA) and one TA (they are out of scope of this PR and are not included in any way). The CA invokes the TA by its UUID (`145f361e-40f3-11ee-be56-0242ac120002` in this example) and a specific custom function. In the following scenario, cmd `2` creates a file with some content and then closes the file. Cmd `3` opens the file by filename and prints the contents (which are as expected). For this to be possible, `optee_supplicant` must be running in the background.

The logs follow:

```
# Run the supplicant in the background, with /data/tee as the filesystem path for OP-TEE
nsh> optee_supplicant -f /data/tee &
optee_supplicant [0:100]

# Ask OP-TEE to create a secure file, write data to it and then close the file descriptor (cmd 2)
nsh> optee_client 145f361e-40f3-11ee-be56-0242ac120002 2
I/TA: File created! closing handle!

# Ask OP-TEE to open the file and print its contents (cmd 3)
saluki> optee_client 145f361e-40f3-11ee-be56-0242ac120002 3
I/TA: file found!!
I/TA: Object content (19 bytes): "Secure OP-TEE data"
```
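
A pre-flight check for the configuration requirements listed in the PR description, as an added example that is not part of the pull request or of nuttx-apps. The function names (`config_value`, `write_sample_config`, `check_optee_config`) are hypothetical, the version strings are constructed sample values, and it assumes the options appear in `.config` as `SYMBOL=y` and the versions as string values.

```shell
#!/bin/sh
# Added example: verify a NuttX .config against the options named in the PR.
# Helper names are hypothetical; sample version strings are constructed.

REQUIRED_OPTS="CONFIG_OPTEE_SUPPLICANT CONFIG_LIBTEEC CONFIG_ALLOW_BSD_COMPONENTS
CONFIG_FS_ANONMAP CONFIG_DEV_OPTEE_SMC CONFIG_DEV_OPTEE_SUPPLICANT"

# Print the value of symbol $2 from config file $1, with quotes stripped.
# "# CONFIG_X is not set" lines never match because they start with '#'.
config_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Write a constructed sample config to $1 (libteec version $2, supplicant $3).
write_sample_config() {
  {
    for opt in $REQUIRED_OPTS; do echo "$opt=y"; done
    echo "CONFIG_LIBTEEC_VERSION=\"$2\""
    echo "CONFIG_OPTEE_SUPPLICANT_VERSION=\"$3\""
  } > "$1"
}

# Return 0 if all required options are =y and both versions match,
# 1 on any missing option or version mismatch, 2 if the file is unreadable.
check_optee_config() {
  cfg=$1
  rc=0
  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
  for opt in $REQUIRED_OPTS; do
    if [ "$(config_value "$cfg" "$opt")" != "y" ]; then
      echo "missing: $opt=y" >&2
      rc=1
    fi
  done
  sup=$(config_value "$cfg" CONFIG_OPTEE_SUPPLICANT_VERSION)
  tee=$(config_value "$cfg" CONFIG_LIBTEEC_VERSION)
  if [ -z "$sup" ] || [ "$sup" != "$tee" ]; then
    echo "version mismatch: supplicant='$sup' libteec='$tee'" >&2
    rc=1
  fi
  return $rc
}

# With an argument, check that file; otherwise run on constructed input.
if [ $# -gt 0 ]; then check_optee_config "$1"; else
  tmp=$(mktemp); write_sample_config "$tmp" 1.0.0 1.0.0
  check_optee_config "$tmp" && echo "sample config OK"; rm -f "$tmp"
fi
```
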