This is an automated email from the ASF dual-hosted git repository.
yuanz pushed a commit to branch main
in repository
https://gitbox.apache.org/repos/asf/incubator-teaclave-trustzone-sdk.git
The following commit(s) were added to refs/heads/main by this push:
new 6529eb1 dev-env: prebuilt docker image for development and emulation
6529eb1 is described below
commit 6529eb11846e8502765055822c3270800301b43b
Author: Yuan Zhuang <[email protected]>
AuthorDate: Wed Jun 11 14:35:30 2025 +0800
dev-env: prebuilt docker image for development and emulation
---
Dockerfile.dev | 47 ++++++
README.md | 17 +-
docs/README.md | 1 +
docs/emulate-and-dev-in-docker.md | 180 +++++++++++++++++++++
examples/hello_world-rs/Makefile | 6 +-
examples/hello_world-rs/host/Makefile | 6 +-
examples/hello_world-rs/ta/Makefile | 3 +
.../runtime/bin/listen_on_guest_vm_shell | 44 ++---
.../runtime/bin/listen_on_secure_world_log | 24 +--
scripts/runtime/bin/start_qemuv8 | 69 ++++++++
scripts/runtime/bin/sync_to_emulator | 78 +++++++++
scripts/runtime/environment | 118 ++++++++++++++
scripts/setup/build_optee_libraries.sh | 39 +++++
.../Makefile => scripts/setup/environment | 30 ++--
scripts/setup/install_dependencies.sh | 81 ++++++++++
.../setup/prepare_emulator_images.sh | 35 ++--
.../Makefile => scripts/setup/rust-toolchain.toml | 28 +---
scripts/setup/setup_toolchain.sh | 49 ++++++
18 files changed, 758 insertions(+), 97 deletions(-)
diff --git a/Dockerfile.dev b/Dockerfile.dev
new file mode 100644
index 0000000..d7e45ff
--- /dev/null
+++ b/Dockerfile.dev
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+FROM ubuntu:24.04
+
+# Base environment
+ENV TEACLAVE_TOOLCHAIN_BASE=/opt/teaclave
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Copy scripts into image
+COPY scripts/setup ${TEACLAVE_TOOLCHAIN_BASE}/setup
+
+WORKDIR ${TEACLAVE_TOOLCHAIN_BASE}/setup
+
+RUN ./install_dependencies.sh
+RUN . ./environment && ./prepare_emulator_images.sh
+RUN . ./environment && ./setup_toolchain.sh
+RUN . ./environment && ./build_optee_libraries.sh
+
+# Set up shell environment and link useful scripts
+COPY scripts/runtime/bin ${TEACLAVE_TOOLCHAIN_BASE}/bin
+COPY scripts/runtime/environment ${TEACLAVE_TOOLCHAIN_BASE}/environment
+
+RUN chmod +x ${TEACLAVE_TOOLCHAIN_BASE}/bin/*
+RUN echo "source ${HOME}/.cargo/env" >> "${HOME}/.profile" && \
+ echo "source ${TEACLAVE_TOOLCHAIN_BASE}/setup/environment" >>
"${HOME}/.profile" && \
+ echo "source ${TEACLAVE_TOOLCHAIN_BASE}/environment" >> "${HOME}/.profile"
&& \
+ echo "export PATH=${TEACLAVE_TOOLCHAIN_BASE}/bin:\$PATH" >>
"${HOME}/.profile"
+
+WORKDIR "/root"
+
+# Default interactive shell, use bash -l to load the environment variables
+CMD ["/bin/bash", "-l"]
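Review bot: `FROM ubuntu:24.04` is a floating tag and nothing in this hunk pins what the four `RUN ./...` steps fetch, so the published image cannot be rebuilt reproducibly from the Dockerfile; pin the base by digest (`FROM ubuntu:24.04@sha256:<digest>`, placeholder) and pass the OP-TEE version in as a build argument so the published tag suffix `optee-4.5.0` is tied to what was actually built. Minor: the `echo ... >> "${HOME}/.profile"` lines rely on `HOME` being `/root` at build time while `WORKDIR "/root"` hardcodes the same path; use one form consistently. Since the container runs as root with the caller's source tree bind-mounted, a one-line comment stating that the image is meant for local emulation only would set expectations for anyone reusing it.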
diff --git a/README.md b/README.md
index 80833ad..18b8f67 100644
--- a/README.md
+++ b/README.md
@@ -31,8 +31,9 @@ branch (`main`), please refer to the
- [TA Development Modes](#ta-development-modes)
- [Comparison](#comparison)
- [Supported Examples](#supported-examples)
-- [Quick Start with the OP-TEE Repo for
QEMUv8](#quick-start-with-the-op-tee-repo-for-qemuv8)
-- [Getting Started](#getting-started)
+- [🚀 Quick & Easy Start: Hello World in
Minutes](#-quick--easy-start-hello-world-in-minutes)
+- [Use the SDK as submodule in OP-TEE
Repo](#use-the-sdk-as-submodule-in-op-tee-repo)
+- [Advanced Setup: Customize Your Build
Environment](#advanced-setup-customize-your-build-environment)
- [Platforms](#platforms)
- [Develop with QEMUv8](#develop-with-qemuv8)
- [Develop on Other Platforms](#develop-on-other-platforms)
@@ -86,8 +87,16 @@ branch (`main`), please refer to the
- **`std`**: Excludes `test_mnist_rs`, `test_build_with_optee_utee_sys`.
+## 🚀 Quick & Easy Start: Hello World in Minutes
+We've streamlined the entire development workflow into a Docker-based solution
+that handles all the complex setup automatically. This approach gives you a
+complete TrustZone development environment with QEMU emulation, pre-built
toolchains,
+and monitoring tools - no manual configuration required.
-## Quick Start with the OP-TEE Repo for QEMUv8
+We highly recommend starting here for the fastest and most reliable setup
experience.
+- 🚀 [Quick Emulation And Development in Docker](emulate-and-dev-in-docker.md)
+
+## Use the SDK as submodule in OP-TEE Repo
Teaclave TrustZone SDK has been integrated into the OP-TEE Repo since OP-TEE
Release 3.15.0 (18/Oct/21). The aarch64 Rust examples are built and installed
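Review bot: the link `[Quick Emulation And Development in Docker](emulate-and-dev-in-docker.md)` in this hunk is relative to the repository root where `README.md` lives, but the page is added under `docs/`, so it will be a broken link on GitHub; it should read `docs/emulate-and-dev-in-docker.md` (the `docs/README.md` hunk in this commit is fine because it sits next to the file).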
@@ -98,7 +107,7 @@ to set up the OP-TEE repo and try the Rust examples!
UPDATES: The `no-std` TA has replaced the original `std` TAs since OP-TEE
Release 4.1.0 (19/Jan/24).
-## Getting Started
+## Advanced Setup: Customize Your Build Environment
### Platforms
diff --git a/docs/README.md b/docs/README.md
index db83a9f..6cc58d9 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -4,6 +4,7 @@ permalink: /trustzone-sdk-docs
# Teaclave TrustZone SDK Documentation
+* [Quick Emulation And Development in Docker](emulate-and-dev-in-docker.md)
* [Overview of OP-TEE Rust Examples](overview-of-optee-rust-examples.md)
* [Debugging OP-TEE TA](debugging-optee-ta.md)
* [Expanding TA Secure Memory on
QEMUv8](expanding-ta-secure-memory-on-qemuv8.md)
diff --git a/docs/emulate-and-dev-in-docker.md
b/docs/emulate-and-dev-in-docker.md
new file mode 100644
index 0000000..0004cd8
--- /dev/null
+++ b/docs/emulate-and-dev-in-docker.md
@@ -0,0 +1,180 @@
+---
+permalink: /trustzone-sdk-docs/dev-and-emulate-in-docker.md
+---
+
+# 🚀 Quick Start For QEMU Emulation
+
+This guide walks you through building and running QEMU emulation using the
+Teaclave TrustZone SDK.
+
+We provide a Docker image with prebuilt QEMU and OP-TEE images to streamline
+the entire Trusted Application (TA) development workflow. The image allows
+developers to build TAs and emulate a guest virtual machine (VM) that includes
+both the Normal World and Secure World environments.
+
+## 1. Pull Development Docker Image
+
+**Terminal A** (Main development terminal):
+```bash
+# Pull the pre-built development environment
+$ docker pull
teaclave/teaclave-trustzone-emulator-nostd-optee-4.5.0-expand-memory:latest
+
+# Clone the repository
+$ git clone https://github.com/apache/incubator-teaclave-trustzone-sdk.git && \
+ cd incubator-teaclave-trustzone-sdk
+
+# Launch the development container
+$ docker run -it --rm \
+ --name teaclave_dev_env \
+ -v $(pwd):/root/teaclave_sdk_src \
+ -w /root/teaclave_sdk_src \
+ teaclave/teaclave-trustzone-emulator-nostd-optee-4.5.0-expand-memory:latest
+```
+
+## 2. Build the Hello World Example
+
+**Still in Terminal A** (inside the Docker container):
+```bash
+# Build the Hello World example (both CA and TA)
+make -C examples/hello_world-rs/
+```
+Under the hood, the Makefile builds both the Trusted Application (TA) and the
+Host Application separately. After a successful build, you'll find the
+resulting binaries in the `hello_world-rs` directory:
+```bash
+TA=ta/target/aarch64-unknown-linux-gnu/release/133af0ca-bdab-11eb-9130-43bf7873bf67.ta
+HOST_APP=host/target/aarch64-unknown-linux-gnu/release/hello_world-rs
+```
+
+## 3. Make the Artifacts Accessible to the Emulator
+After building the Hello World example, the next step is to make the compiled
+artifacts accessible to the emulator.
+
+There are **two approaches** to do this. You can choose either based on your
+preference:
+- 📦 **Manual sync**: Explicitly sync host and TA binaries to the emulator
+- ⚙️ **Makefile integration**: Use `make emulate` to build and sync in one step
+
+#### Option 1: Manual Sync via `sync_to_emulator`
+We provide a helper command called `sync_to_emulator`, which simplifies the
+process of syncing the build outputs to the emulation environment.
+Run the following commands inside the container:
+```bash
+sync_to_emulator --ta $TA
+sync_to_emulator --host $HOST_APP
+```
+Run `sync_to_emulator -h` for more usage options.
+
+#### Option 2: Integrate sync with TA's Makefile
+For convenience during daily development, the sync invocation can be
integrated into
+the Makefile. In the `hello_world-rs` example, an `emulate` target is
provided.
+This helps automatically build the artifacts and sync them to the emulator in
one step:
+```bash
+make -C examples/hello_world-rs/ emulate
+```
+
+## 4. Multi-Terminal Execution
+
+The emulation workflow requires three additional terminals to monitor
+various aspects of the system:
+
+- **Terminal B**: 🖥️ **Normal World Listener** - Provides access to the guest
VM shell
+- **Terminal C**: 🔒 **Secure World Listener** - Monitors Trusted Application
output logs
+- **Terminal D**: 🚀 **QEMU Control** - Controls the QEMU emulator
+
+Built-in commands are provided in the Docker image. These commands are located
+in `/opt/teaclave/bin/` and are included in the default user's $PATH.
+
+You may use `bash -l` or the full path when executing with docker exec.
+
+**Terminal B** (Guest VM Shell):
+```bash
+# Connect to the guest VM shell for running commands inside the emulated
environment
+$ docker exec -it teaclave_dev_env bash -l -c listen_on_guest_vm_shell
+
+# Alternative: Use full path
+$ docker exec -it teaclave_dev_env /opt/teaclave/bin/listen_on_guest_vm_shell
+```
+
+**Terminal C** (Secure World Output Monitor):
+```bash
+# Monitor Trusted Application output logs in real-time
+$ docker exec -it teaclave_dev_env bash -l -c listen_on_secure_world_log
+
+# Alternative: Use full path
+$ docker exec -it teaclave_dev_env /opt/teaclave/bin/listen_on_secure_world_log
+```
+
+## 5. Start the Emulation
+
+After the listeners are set up, we can start the QEMU emulator.
+
+**Terminal D** (QEMU Control):
+```bash
+# Launch QEMU emulator with debug output and connect to monitoring ports
+$ docker exec -it teaclave_dev_env bash -l -c "LISTEN_MODE=ON start_qemuv8"
+```
+
+> ⏳ **Wait for the QEMU environment to fully boot...**
+You should see boot messages in Terminal D and the guest VM shell prompt
+in Terminal B.
+
+After QEMU in Terminal D successfully launches, switch to Terminal B, which
+provides shell access to the guest VM's normal world.
+
+**Terminal B** (Inside Guest VM):
+From this shell, you'll find that the artifacts synced in **Step 3** are
already
+available in the current working directory. Additionally, the `ta/` and
+`plugin/` subdirectories are automatically mounted to be used by TEE OS during
+TA execution and plugin loading.
+
+For more details on the mount configuration, refer to the
+`listen_on_guest_vm_shell` command in the development environment.
+
+```bash
+# tree
+.
+|-- host
+| `-- hello_world-rs
+|-- plugin
+`-- ta
+ `-- 133af0ca-bdab-11eb-9130-43bf7873bf67.ta
+
+3 directories, 2 files
+```
+This makes it especially convenient for iterative development and frequent code
+updates.
+
+Now we are ready to interact with the TA from normal world shell.
+```bash
+# Execute the Hello World Client Application
+$ ./host/hello_world-rs
+```
+The secure world logs, including TA debug messages, are displayed in
**Terminal C**.
+
+## 6. Iterative Development with Frequent Code Updates and Execution
+During active development and debugging, you can leave Terminals B, C, and D
open to
+avoid restarting them each time. Simply return to Terminal A, and repeat Step
2 (build)
+and Step 3 (sync) to rebuild and update the artifacts. Once synced, switch to
+Terminal B to re-run the client application. This setup streamlines iterative
+development and testing.
+
+## Summary
+By following this guide, you can emulate and debug Trusted Applications using
our
+pre-configured Docker-based development environment.
+
+- **Terminal A** serves as the main interface for building and syncing
artifacts.
+- **Terminal B** gives access to the normal world inside the guest VM, where
you
+can run client applications like the Hello World example.
+- **Terminal C** captures logs and debug output from the secure world, making
it
+easy to trace TA behavior.
+- **Terminal D** controls the QEMU emulator and shows system-level logs during
+boot and runtime.
+
+Together, these terminals provide a complete and efficient workflow for
TrustZone
+development and emulation.
+
+### Development Environment Details
+The setup scripts and built-in commands can be found in `/opt/teaclave/`.
Please
+refer to the Dockerfile in the SDK source repository for more information about
+how we set up the development environment.
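Review bot: in Step 3 the `sync_to_emulator --ta $TA` / `sync_to_emulator --host $HOST_APP` commands will not work as written: the block before them shows `TA=...` and `HOST_APP=...` as paths relative to `hello_world-rs`, but the reader's working directory is `/root/teaclave_sdk_src` from the `docker run -w` line, and nothing tells the reader to export those two variables. Either prefix the paths with `examples/hello_world-rs/` and present the assignments as commands to run, or point readers at the `make -C examples/hello_world-rs/ emulate` route only. Also the front matter `permalink: /trustzone-sdk-docs/dev-and-emulate-in-docker.md` does not match the file name `emulate-and-dev-in-docker.md`, and `docker pull ...:latest` should name a pinned tag, since the text says the image targets OP-TEE 4.5.0 and a reader following the guide later should get the environment it describes.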
diff --git a/examples/hello_world-rs/Makefile b/examples/hello_world-rs/Makefile
index a7a3dec..6f10fa5 100644
--- a/examples/hello_world-rs/Makefile
+++ b/examples/hello_world-rs/Makefile
@@ -22,7 +22,7 @@ CROSS_COMPILE_TA ?= aarch64-linux-gnu-
TARGET_HOST ?= aarch64-unknown-linux-gnu
TARGET_TA ?= aarch64-unknown-linux-gnu
-.PHONY: host ta all clean
+.PHONY: all host ta clean emulate
all: host ta
@@ -34,6 +34,10 @@ ta:
$(q)make -C ta TARGET=$(TARGET_TA) \
CROSS_COMPILE=$(CROSS_COMPILE_TA)
+emulate: all
+ $(q)make -C host emulate
+ $(q)make -C ta emulate
+
clean:
$(q)make -C host clean
$(q)make -C ta clean
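Review bot: the new `emulate: all` rule calls `make -C host emulate` and `make -C ta emulate` without the `TARGET=$(TARGET_HOST)` / `CROSS_COMPILE=$(CROSS_COMPILE_HOST)` (and `_TA`) arguments that the `host:` and `ta:` rules pass, so the sub-makes' own `emulate: all` rebuild and sync with the sub-Makefile defaults; anyone overriding `TARGET_HOST`/`TARGET_TA` (the `arm` case in `scripts/runtime/environment`) gets the wrong binary synced. Pass the same variables through, e.g. `$(q)make -C ta emulate TARGET=$(TARGET_TA) CROSS_COMPILE=$(CROSS_COMPILE_TA)`.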
diff --git a/examples/hello_world-rs/host/Makefile
b/examples/hello_world-rs/host/Makefile
index 039051f..da7c588 100644
--- a/examples/hello_world-rs/host/Makefile
+++ b/examples/hello_world-rs/host/Makefile
@@ -24,14 +24,18 @@ LINKER_CFG :=
target.$(TARGET).linker=\"$(CROSS_COMPILE)gcc\"
OUT_DIR := $(CURDIR)/target/$(TARGET)/release
+.PHONY: all host strip clean emulate
all: host strip
host:
- @cargo build --target $(TARGET_HOST) --release --config $(LINKER_CFG)
+ @cargo build --target $(TARGET) --release --config $(LINKER_CFG)
strip: host
@$(OBJCOPY) --strip-unneeded $(OUT_DIR)/$(NAME) $(OUT_DIR)/$(NAME)
+emulate: all
+ @sync_to_emulator --host $(OUT_DIR)/$(NAME)
+
clean:
@cargo clean
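Review bot: the `$(TARGET_HOST)` to `$(TARGET)` change on the `cargo build` line is a standalone bug fix (the parent Makefile passes `TARGET=`, not `TARGET_HOST`, into this sub-make) and deserves a mention in the commit message rather than being folded into the dev-env change. The new `emulate:` rule assumes `sync_to_emulator` is on `PATH` and `QEMU_HOST_SHARE_DIR` is set; outside the container it fails with a bare "command not found", so a guard such as `@command -v sync_to_emulator >/dev/null || { echo "run inside the dev container (bash -l)"; exit 1; }` would make the failure self-explanatory.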
diff --git a/examples/hello_world-rs/ta/Makefile
b/examples/hello_world-rs/ta/Makefile
index 029e66d..fd37946 100644
--- a/examples/hello_world-rs/ta/Makefile
+++ b/examples/hello_world-rs/ta/Makefile
@@ -41,5 +41,8 @@ sign: strip
@$(SIGN) --uuid $(UUID) --key $(TA_SIGN_KEY) --in
$(OUT_DIR)/stripped_ta --out $(OUT_DIR)/$(UUID).ta
@echo "SIGN => ${UUID}"
+emulate: all
+ @sync_to_emulator --ta $(OUT_DIR)/$(UUID).ta
+
clean:
@cargo clean
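Review bot: `emulate` is added here without being listed in `.PHONY` (the host/Makefile hunk does add it to its `.PHONY` line), so a stray file named `emulate` in `ta/` would silently satisfy the target; add `emulate` to this Makefile's `.PHONY` as well.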
diff --git a/examples/hello_world-rs/Makefile
b/scripts/runtime/bin/listen_on_guest_vm_shell
old mode 100644
new mode 100755
similarity index 51%
copy from examples/hello_world-rs/Makefile
copy to scripts/runtime/bin/listen_on_guest_vm_shell
index a7a3dec..4f65a08
--- a/examples/hello_world-rs/Makefile
+++ b/scripts/runtime/bin/listen_on_guest_vm_shell
@@ -1,3 +1,5 @@
+#!/usr/bin/expect -f
+
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
@@ -15,25 +17,29 @@
# specific language governing permissions and limitations
# under the License.
-# If _HOST or _TA specific compiler/target are not specified, then use common
-# compiler/target for both
-CROSS_COMPILE_HOST ?= aarch64-linux-gnu-
-CROSS_COMPILE_TA ?= aarch64-linux-gnu-
-TARGET_HOST ?= aarch64-unknown-linux-gnu
-TARGET_TA ?= aarch64-unknown-linux-gnu
-
-.PHONY: host ta all clean
-
-all: host ta
+# This script helps to listen on the guest vm terminal and automatically mount
the shared folder.
-host:
- $(q)make -C host TARGET=$(TARGET_HOST) \
- CROSS_COMPILE=$(CROSS_COMPILE_HOST)
+set timeout -1
-ta:
- $(q)make -C ta TARGET=$(TARGET_TA) \
- CROSS_COMPILE=$(CROSS_COMPILE_TA)
+spawn socat TCP-LISTEN:54320,reuseaddr,fork -,raw,echo=0
+send_user "Listening on TCP port 54320 for guest vm output...\n"
-clean:
- $(q)make -C host clean
- $(q)make -C ta clean
+expect {
+ -re "buildroot login:" {
+ send "root\r"
+ exp_continue
+ }
+ -re "# $" {
+ send -- "mkdir -p shared && mount -t 9p -o trans=virtio host shared &&
cd shared\r"
+ expect "# $"
+ send -- "mount --bind ta/ /lib/optee_armtz\r"
+ expect "# $"
+ send -- "mount --bind plugin/ /usr/lib/tee-supplicant/plugins/\r"
+ expect "# $"
+ interact
+ }
+ timeout {
+ puts "Timeout waiting for login prompt"
+ exit 1
+ }
+}
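Review bot: with `set timeout -1` the `timeout { ... }` branch of the `expect` block can never fire, so the "Timeout waiting for login prompt" path is dead code; either use a finite timeout or drop the branch. On the `spawn socat TCP-LISTEN:54320,reuseaddr,fork -,raw,echo=0` line, the listener binds all interfaces and whatever connects to it is handed the auto-logged-in `root` shell of the guest; since it is only ever reached from QEMU inside the same container, add `bind=127.0.0.1`, and drop `fork`, because the script drives exactly one session through `interact` and any additional connection would be multiplexed onto the same terminal. Also, if the `mkdir -p shared && mount -t 9p ... && cd shared` command fails, the script still goes on to the `mount --bind` lines and `interact` as if the share were mounted; expect an error string or check for `shared/ta` before binding.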
diff --git a/examples/hello_world-rs/host/Makefile
b/scripts/runtime/bin/listen_on_secure_world_log
old mode 100644
new mode 100755
similarity index 64%
copy from examples/hello_world-rs/host/Makefile
copy to scripts/runtime/bin/listen_on_secure_world_log
index 039051f..6093b0f
--- a/examples/hello_world-rs/host/Makefile
+++ b/scripts/runtime/bin/listen_on_secure_world_log
@@ -1,3 +1,5 @@
+#!/bin/bash
+
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
@@ -15,23 +17,11 @@
# specific language governing permissions and limitations
# under the License.
-NAME := hello_world-rs
-
-TARGET ?= aarch64-unknown-linux-gnu
-CROSS_COMPILE ?= aarch64-linux-gnu-
-OBJCOPY := $(CROSS_COMPILE)objcopy
-LINKER_CFG := target.$(TARGET).linker=\"$(CROSS_COMPILE)gcc\"
-
-OUT_DIR := $(CURDIR)/target/$(TARGET)/release
-
-
-all: host strip
+# This script listens on TCP port 54321 for output from the Trusted
Application (TA) running in the OP-TEE emulator.
-host:
- @cargo build --target $(TARGET_HOST) --release --config $(LINKER_CFG)
+set -e
-strip: host
- @$(OBJCOPY) --strip-unneeded $(OUT_DIR)/$(NAME) $(OUT_DIR)/$(NAME)
+echo "Listening on TCP port 54321 for TA output..."
-clean:
- @cargo clean
+# Listen on TCP 54321, output data to stdout
+socat TCP-LISTEN:54321,reuseaddr,fork -,raw,echo=0
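Review bot: the `socat TCP-LISTEN:54321,reuseaddr,fork -,raw,echo=0` line also listens on all interfaces; for a log sink that is only fed by QEMU's `-serial tcp:localhost:54321` in the same container, `bind=127.0.0.1` costs nothing, and `fork` is not needed for a single serial stream. `set -e` has no effect on a script whose only command is the final `socat`; it can go, or be replaced by a check that `socat` is installed with a clear message.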
diff --git a/scripts/runtime/bin/start_qemuv8 b/scripts/runtime/bin/start_qemuv8
new file mode 100755
index 0000000..d0c509a
--- /dev/null
+++ b/scripts/runtime/bin/start_qemuv8
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+# Check if IMG_DIRECTORY and IMG_NAME are provided
+if [ -z "$IMG_DIRECTORY" ] || [ -z "$IMG_NAME" ]; then
+ echo "IMG_DIRECTORY or IMG_NAME is not set. Please set them before running
this script."
+ exit 1
+fi
+
+IMG="${IMG_DIRECTORY}/${IMG_NAME}"
+# Check if the image file exists locally
+if [ ! -d "${IMG}" ]; then
+ echo "Image file '${IMG}' not found locally. Please run
'prepare_emulator_images.sh' first."
+ exit 1
+else
+ echo "Image file '${IMG}' found locally."
+fi
+# check if QEMU_HOST_SHARE_DIR is set, if not, exit
+if [ -z "${QEMU_HOST_SHARE_DIR}" ]; then
+ echo "QEMU_HOST_SHARE_DIR is not set. Please set it to the directory you
want to share with the QEMU guest."
+ exit 1
+fi
+
+# if DEBUG is set, use this serial commands: -serial tcp:localhost:54320
-serial tcp:localhost:54321
+SERIAL_CMDS=""
+if [ "$LISTEN_MODE" = "1" ] || [ "$LISTEN_MODE" = "ON" ]; then
+ # before running this script, run the following commands in two separate
terminals for listening to the serial output:
+ SERIAL_CMDS="-serial tcp:localhost:54320 -serial tcp:localhost:54321"
+else
+ # Default serial commands for non-interaction mode
+ # Guest vm output is in standard output, and TA serial log is saved to
/tmp/serial.log
+ SERIAL_CMDS="-serial stdio -serial file:/tmp/serial.log"
+fi
+
+cd ${IMG} && ./qemu-system-aarch64 \
+ -nodefaults \
+ -nographic \
+ $SERIAL_CMDS \
+ -smp 2 \
+ -s -machine virt,secure=on,acpi=off,gic-version=3 \
+ -cpu cortex-a57 \
+ -d unimp -semihosting-config enable=on,target=native \
+ -m 1057 \
+ -bios bl1.bin \
+ -initrd rootfs.cpio.gz \
+ -append 'console=ttyAMA0,115200 keep_bootcon root=/dev/vda2' \
+ -kernel Image \
+ -fsdev local,id=fsdev0,path=${QEMU_HOST_SHARE_DIR},security_model=none \
+ -device virtio-9p-device,fsdev=fsdev0,mount_tag=host \
+ -netdev user,id=vmnic,hostfwd=:127.0.0.1:54433-:4433 \
+ -device virtio-net-device,netdev=vmnic
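Review bot: the comment `# if DEBUG is set, use this serial commands ...` refers to a `DEBUG` variable, but the condition below tests `LISTEN_MODE` (which is also what the new doc page uses); fix the comment to match. The `-s` flag on the `qemu-system-aarch64` command line opens QEMU's GDB stub on TCP port 1234 on all addresses unconditionally, and neither the script nor the new doc mentions it; either document it or add it only when a debug variable is set, so a user who runs the container with `--network host` or publishes ports does not expose full control of the emulated machine by accident. Minor: the `[ ! -d "${IMG}" ]` check tests a directory but the message says "Image file", and `cd ${IMG}` should be quoted like the check above it.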
diff --git a/scripts/runtime/bin/sync_to_emulator
b/scripts/runtime/bin/sync_to_emulator
new file mode 100644
index 0000000..04bf19f
--- /dev/null
+++ b/scripts/runtime/bin/sync_to_emulator
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -e
+
+help() {
+ cat << EOF
+Usage: $0 [--ta|--host|--plugin|--dir] <files...>
+
+Options:
+ --ta Sync files to the TA (Trusted Application) directory inside the
+ emulator. Use this for Trusted Application binaries (*.ta).
+
+ --host Sync files to the Host Application directory inside the emulator.
+ Use this for client or host-side binaries.
+
+ --plugin Sync files to the Plugin directory inside the emulator. Use this
+ for any plugin binaries or related files.
+
+ --dir Sync files directly to the root shared directory inside the
emulator.
+ Use this for syncing arbitrary files or directories not covered
above.
+
+Arguments:
+ <files...> One or more files or directories to sync to the target directory.
+
+Example:
+ $0 --ta ta/target/release/myapp.ta
+ $0 --host host/target/release/myhostapp
+
+Environment:
+ QEMU_HOST_SHARE_DIR must be set and point to the shared directory used by the
+ emulator to access synced files.
+
+EOF
+}
+
+
+# Validate required environment variables
+: "${QEMU_HOST_SHARE_DIR:?QEMU_HOST_SHARE_DIR must be set}"
+
+# Check arguments
+[ $# -ge 2 ] || { help; exit 1; }
+
+# Determine target directory
+case "$1" in
+ --ta) TARGET="$QEMU_HOST_SHARE_DIR/ta" ;;
+ --host) TARGET="$QEMU_HOST_SHARE_DIR/host" ;;
+ --plugin) TARGET="$QEMU_HOST_SHARE_DIR/plugin" ;;
+ --dir) TARGET="$QEMU_HOST_SHARE_DIR" ;;
+ --help|-h) help; exit 0 ;;
+ *) echo "Error: Invalid option '$1'. Use --help for usage."; exit 1 ;;
+esac
+
+shift
+mkdir -p "$TARGET"
+
+# Copy files
+for item in "$@"; do
+ cp -r "$item" "$TARGET/"
+done
+
+echo "✓ Synced to $TARGET for emulation use."
\ No newline at end of file
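Review bot: the `--help|-h` case is unreachable: the `[ $# -ge 2 ] || { help; exit 1; }` check above it rejects a lone `--help` before the `case` runs, so `sync_to_emulator -h` (which the new doc page tells readers to run) prints the help but exits 1. Handle `--help` before the argument-count check, or move that check after the `case`. The file is also added with mode 100644 while the other `scripts/runtime/bin` scripts are 100755; the Dockerfile's `chmod +x` masks this inside the image, but `make emulate` from a plain checkout that sourced the environment fails with permission denied, so commit it as 100755 and add the missing trailing newline.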
diff --git a/scripts/runtime/environment b/scripts/runtime/environment
new file mode 100644
index 0000000..9a6e68e
--- /dev/null
+++ b/scripts/runtime/environment
@@ -0,0 +1,118 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# This script is written into .bashrc to set up toolchains when enter the
docker, like:
+# docker run -it \
+# -e TA_ARCH=aarch64 \
+# -e CA_ARCH=arm \
+# -e STD=y \
+# teaclave-dev bash
+
+#export RUST_STD_DIR=${TEACLAVE_TOOLCHAIN_BASE}/rust
+#export RUST_TARGET_PATH=${TEACLAVE_TOOLCHAIN_BASE}/scripts/std
+
+# validate environment variables
+: "${TEACLAVE_TOOLCHAIN_BASE:?TEACLAVE_TOOLCHAIN_BASE must be set - directory
where Teaclave toolchain is installed}"
+: "${OPTEE_DIR:?OPTEE_DIR must be set - directory where OPTEE will be built}"
+: "${OPTEE_OS_DIR:?OPTEE_OS_DIR must be set - directory where OPTEE OS will be
built}"
+: "${OPTEE_CLIENT_DIR:?OPTEE_CLIENT_DIR must be set - directory where OPTEE
Client will be built}"
+: "${IMG_DIRECTORY:?IMG_DIRECTORY must be set - directory where images will be
stored}"
+: "${IMG_NAME:?IMG_NAME must be set - name of the image to download}"
+
+# Default ARCH_TA, ARCH_HOST, STD combination
+export ARCH_TA="${ARCH_TA:-aarch64}"
+export ARCH_HOST="${ARCH_HOST:-aarch64}"
+
+export CROSS_COMPILE32="${CROSS_COMPILE32:-arm-linux-gnueabihf-}"
+export CROSS_COMPILE64="${CROSS_COMPILE64:-aarch64-linux-gnu-}"
+
+if [ "$ARCH_TA" = "arm" ]
+then
+ # build TA as 32-bit
+ export TA_DEV_KIT_DIR="$OPTEE_OS_DIR/out/arm-plat-vexpress/export-ta_arm32"
+ if [ "$STD" ]
+ then
+ export TARGET_TA="arm-unknown-optee"
+ echo "set TARGET_TA=$TARGET_TA (std)"
+ else
+ export TARGET_TA="arm-unknown-linux-gnueabihf"
+ echo "set TARGET_TA=$TARGET_TA (no-std)"
+ fi
+ export CROSS_COMPILE_TA="$CROSS_COMPILE32"
+ echo "set CROSS_COMPILE_TA=$CROSS_COMPILE_TA"
+else
+ # build TA as 64-bit by default
+ export TA_DEV_KIT_DIR="$OPTEE_OS_DIR/out/arm-plat-vexpress/export-ta_arm64"
+ if [ "$STD" ]
+ then
+ export TARGET_TA="aarch64-unknown-optee"
+ echo "set TARGET_TA=$TARGET_TA (std)"
+ else
+ export TARGET_TA="aarch64-unknown-linux-gnu"
+ echo "set TARGET_TA=$TARGET_TA (no-std)"
+ fi
+ export CROSS_COMPILE_TA="$CROSS_COMPILE64"
+ echo "set CROSS_COMPILE_TA=$CROSS_COMPILE_TA"
+fi
+
+# check if libraries exist
+if [ -d "$TA_DEV_KIT_DIR" ]
+then
+ echo "set TA_DEV_KIT_DIR=$TA_DEV_KIT_DIR"
+else
+ echo -e "Error: TA_DEV_KIT_DIR=$TA_DEV_KIT_DIR does not exist, please set
the correct TA_DEV_KIT_DIR or run \"$ ./build_optee_libraries.sh optee/\" then
try again\n"
+ unset OPTEE_DIR
+fi
+
+if [ "$ARCH_HOST" = "arm" ]
+then
+ # build host as 32-bit
+ export OPTEE_CLIENT_EXPORT="$OPTEE_CLIENT_DIR/export_arm32"
+ export TARGET_HOST="arm-unknown-linux-gnueabihf"
+ echo "set TARGET_HOST=$TARGET_HOST"
+ export CROSS_COMPILE_HOST="$CROSS_COMPILE32"
+ echo "set CROSS_COMPILE_HOST=$CROSS_COMPILE_HOST"
+else
+ # build host as 64-bit by default
+ export OPTEE_CLIENT_EXPORT="$OPTEE_CLIENT_DIR/export_arm64"
+ export TARGET_HOST="aarch64-unknown-linux-gnu"
+ echo "set TARGET_HOST=$TARGET_HOST"
+ export CROSS_COMPILE_HOST="$CROSS_COMPILE64"
+ echo "set CROSS_COMPILE_HOST=$CROSS_COMPILE_HOST"
+fi
+
+if [ -d "$OPTEE_CLIENT_EXPORT" ]
+then
+ echo "set OPTEE_CLIENT_EXPORT=$OPTEE_CLIENT_EXPORT"
+else
+ echo -e "Error: OPTEE_CLIENT_EXPORT=$OPTEE_CLIENT_EXPORT does not exist,
please set the correct OPTEE_CLIENT_EXPORT or run \"$
./build_optee_libraries.sh optee/\" then try again\n"
+ unset OPTEE_DIR
+fi
+
+echo "[env] Configured Successfully for building OP-TEE applications."
+
+
+export QEMU_HOST_SHARE_DIR=${TEACLAVE_TOOLCHAIN_BASE}/shared
+# Create QEMU shared dir if it does not exist, it used for sharing CA and TA
between host and QEMU emulator.
+if [ -d "$QEMU_HOST_SHARE_DIR" ]; then
+ echo "QEMU shared directory already exists: $QEMU_HOST_SHARE_DIR"
+else
+ echo "Creating QEMU shared directory: $QEMU_HOST_SHARE_DIR"
+ mkdir -p "$QEMU_HOST_SHARE_DIR/host"
+ mkdir -p "$QEMU_HOST_SHARE_DIR/ta"
+ mkdir -p "$QEMU_HOST_SHARE_DIR/plugin"
+fi
\ No newline at end of file
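Review bot: `echo "[env] Configured Successfully for building OP-TEE applications."` is printed unconditionally, including after either `Error: ... does not exist` branch has fired and `unset OPTEE_DIR`; record the failures in a variable, print the success line only when nothing failed, and return non-zero so `bash -l -c ...` callers notice. The header comment is stale: it says the script is written into `.bashrc` and names `TA_ARCH` / `CA_ARCH`, but the Dockerfile appends it to `.profile` and the variables actually read are `ARCH_TA` / `ARCH_HOST` / `STD`. The file also lacks a trailing newline.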
diff --git a/scripts/setup/build_optee_libraries.sh
b/scripts/setup/build_optee_libraries.sh
new file mode 100755
index 0000000..d7f96a9
--- /dev/null
+++ b/scripts/setup/build_optee_libraries.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -e
+
+# Validate required environment variables
+: "${OPTEE_DIR:?OPTEE_DIR must be set - directory where OPTEE will be built}"
+: "${OPTEE_VERSION:?OPTEE_VERSION must be set - git branch/tag to checkout}"
+
+# Create OPTEE directory if it doesn't exist
+mkdir -p "$OPTEE_DIR"
+
+# set toolchain
+export CROSS_COMPILE32="${CROSS_COMPILE32:-arm-linux-gnueabihf-}"
+export CROSS_COMPILE64="${CROSS_COMPILE64:-aarch64-linux-gnu-}"
+
+# build optee_os and optee_client for qemu_v8
+git clone https://github.com/OP-TEE/optee_os.git -b $OPTEE_VERSION
$OPTEE_DIR/optee_os
+(cd $OPTEE_DIR/optee_os && make PLATFORM=vexpress-qemu_armv8a -j$(nproc))
+
+git clone https://github.com/OP-TEE/optee_client.git -b $OPTEE_VERSION
$OPTEE_DIR/optee_client
+(cd $OPTEE_DIR/optee_client && make -j$(nproc) WITH_TEEACL=0
DESTDIR=$PWD/export_arm32 CROSS_COMPILE=$CROSS_COMPILE32)
+(cd $OPTEE_DIR/optee_client && make clean && make -j$(nproc) WITH_TEEACL=0
DESTDIR=$PWD/export_arm64 CROSS_COMPILE=$CROSS_COMPILE64)
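Review bot: both `git clone ... -b $OPTEE_VERSION` lines check out a branch or tag by name, so the build is not pinned to specific commits; for a prebuilt image that others will run, record the exact commits (for example `git -C "$OPTEE_DIR/optee_os" rev-parse HEAD` into a manifest kept in the image) or clone a known commit id, so the OP-TEE OS and client inside the published image can be checked against upstream. Quote `$OPTEE_DIR` and `$OPTEE_VERSION` throughout; `set -e` does not protect against word splitting.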
diff --git a/examples/hello_world-rs/Makefile b/scripts/setup/environment
similarity index 58%
copy from examples/hello_world-rs/Makefile
copy to scripts/setup/environment
index a7a3dec..c7e99f3 100644
--- a/examples/hello_world-rs/Makefile
+++ b/scripts/setup/environment
@@ -15,25 +15,21 @@
# specific language governing permissions and limitations
# under the License.
-# If _HOST or _TA specific compiler/target are not specified, then use common
-# compiler/target for both
-CROSS_COMPILE_HOST ?= aarch64-linux-gnu-
-CROSS_COMPILE_TA ?= aarch64-linux-gnu-
-TARGET_HOST ?= aarch64-unknown-linux-gnu
-TARGET_TA ?= aarch64-unknown-linux-gnu
+export TEACLAVE_TOOLCHAIN_BASE=${TEACLAVE_TOOLCHAIN_BASE:-/opt/teaclave}
-.PHONY: host ta all clean
+export OPTEE_DIR=${TEACLAVE_TOOLCHAIN_BASE}/optee
+export OPTEE_VERSION="${OPTEE_VERSION:-4.5.0}"
-all: host ta
+export OPTEE_OS_DIR=${OPTEE_DIR}/optee_os
+export OPTEE_CLIENT_DIR=${OPTEE_DIR}/optee_client
-host:
- $(q)make -C host TARGET=$(TARGET_HOST) \
- CROSS_COMPILE=$(CROSS_COMPILE_HOST)
+export IMG_DIRECTORY=${TEACLAVE_TOOLCHAIN_BASE}/images
-ta:
- $(q)make -C ta TARGET=$(TARGET_TA) \
- CROSS_COMPILE=$(CROSS_COMPILE_TA)
+export IMG_VERSION="$(uname -m)-optee-qemuv8-ubuntu-24.04"
+export NEED_EXPANDED_MEM="${NEED_EXPANDED_MEM:-true}"
-clean:
- $(q)make -C host clean
- $(q)make -C ta clean
+if [ "$NEED_EXPANDED_MEM" = true ]; then
+ export IMG_NAME="${IMG_VERSION}-expand-ta-memory"
+else
+ export IMG_NAME="$IMG_VERSION"
+fi
\ No newline at end of file
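Review bot: `IMG_VERSION="$(uname -m)-optee-qemuv8-ubuntu-24.04"` makes the emulator image name depend on the build host's architecture, so a `docker build` on an arm64 host looks for a differently named image than on x86_64; if only one variant is published, say so here or fail early with a clear message. Unlike `OPTEE_VERSION` and `NEED_EXPANDED_MEM`, `OPTEE_DIR` and `IMG_DIRECTORY` cannot be overridden from the environment; use the same `${VAR:-default}` form for consistency. Missing trailing newline at end of file.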
diff --git a/scripts/setup/install_dependencies.sh
b/scripts/setup/install_dependencies.sh
new file mode 100755
index 0000000..16574ef
--- /dev/null
+++ b/scripts/setup/install_dependencies.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+# Install dependencies for building OP-TEE
+apt-get update && \
+ apt-get install -y \
+ git \
+ android-tools-adb \
+ android-tools-fastboot \
+ autoconf \
+ automake \
+ bc \
+ bison \
+ build-essential \
+ ccache \
+ cscope \
+ curl \
+ device-tree-compiler \
+ expect \
+ flex \
+ ftp-upload \
+ gdisk \
+ iasl \
+ libattr1-dev \
+ libcap-dev \
+ libfdt-dev \
+ libftdi-dev \
+ libglib2.0-dev \
+ libgmp-dev \
+ libhidapi-dev \
+ libmpc-dev \
+ libncurses5-dev \
+ libpixman-1-dev \
+ libssl-dev \
+ libtool \
+ make \
+ mtools \
+ ninja-build \
+ python3 \
+ python3-pycryptodome \
+ python3-pyelftools \
+ python3-serial \
+ python3-cryptography \
+ python3-tomli \
+ rsync \
+ repo \
+ unzip \
+ uuid-dev \
+ xdg-utils \
+ xterm \
+ xz-utils \
+ zlib1g-dev \
+ wget \
+ cpio \
+ libcap-ng-dev \
+ libslirp-dev \
+ screen \
+ libvdeplug-dev \
+ libsdl2-dev \
+ pip \
+ ca-certificates \
+ libgnutls28-dev \
+ socat
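Review bot: the `apt-get install -y` at the top of the hunk pulls in recommended packages and leaves the apt lists in the image layer; for the Dockerfile build, add `--no-install-recommends`, export `DEBIAN_FRONTEND=noninteractive` so packages such as `xterm` or `libsdl2-dev` cannot block on a configuration prompt, and finish with `rm -rf /var/lib/apt/lists/*` (here or in Dockerfile.dev) to keep the image small. The list is also unordered (`wget`, `cpio`, `screen`, `socat` trail the alphabetical block); a short comment grouping packages by purpose (OP-TEE build vs QEMU emulation) would make later pruning safer.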
diff --git a/examples/hello_world-rs/Makefile
b/scripts/setup/prepare_emulator_images.sh
old mode 100644
new mode 100755
similarity index 53%
copy from examples/hello_world-rs/Makefile
copy to scripts/setup/prepare_emulator_images.sh
index a7a3dec..965d062
--- a/examples/hello_world-rs/Makefile
+++ b/scripts/setup/prepare_emulator_images.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
@@ -15,25 +17,22 @@
# specific language governing permissions and limitations
# under the License.
-# If _HOST or _TA specific compiler/target are not specified, then use common
-# compiler/target for both
-CROSS_COMPILE_HOST ?= aarch64-linux-gnu-
-CROSS_COMPILE_TA ?= aarch64-linux-gnu-
-TARGET_HOST ?= aarch64-unknown-linux-gnu
-TARGET_TA ?= aarch64-unknown-linux-gnu
-
-.PHONY: host ta all clean
+set -xe
-all: host ta
+# Validate required environment variables
+: "${IMG_DIRECTORY:?IMG_DIRECTORY must be set - directory where images will be
stored}"
+: "${IMG_NAME:?IMG_NAME must be set - name of the image to download}"
-host:
- $(q)make -C host TARGET=$(TARGET_HOST) \
- CROSS_COMPILE=$(CROSS_COMPILE_HOST)
+# Create image directory if it doesn't exist
+mkdir -p "$IMG_DIRECTORY"
-ta:
- $(q)make -C ta TARGET=$(TARGET_TA) \
- CROSS_COMPILE=$(CROSS_COMPILE_TA)
+# Construct full image path
+IMG="${IMG_DIRECTORY}/${IMG_NAME}"
-clean:
- $(q)make -C host clean
- $(q)make -C ta clean
+# Check if the image directory exists locally
+if [ ! -d "$IMG" ]; then
+ echo "Image directory '$IMG' not found locally. Downloading from network."
+ curl
"https://nightlies.apache.org/teaclave/teaclave-trustzone-sdk/${IMG_NAME}.tar.gz"
| tar zxv -C "$IMG_DIRECTORY"
+else
+ echo "Image directory '$IMG' found locally."
+fi
\ No newline at end of file
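Review bot: the download in the `if [ ! -d "$IMG" ]` branch extracts whatever the server returns with no integrity check: `curl` runs without `-f`, so an error page is piped straight into `tar`, and without `set -o pipefail` the script's `set -e` only ever sees tar's exit status. Since this image is subsequently booted in the emulator, fetch a published checksum (or signature) alongside the tarball and verify it before extracting, use `curl -fsSL`, and unpack into a temporary directory that is renamed to `$IMG` only on success; otherwise a partial extraction leaves `$IMG` in place and the next run takes the `found locally` branch and never re-downloads. The file also lacks a trailing newline.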
diff --git a/examples/hello_world-rs/host/Makefile
b/scripts/setup/rust-toolchain.toml
similarity index 64%
copy from examples/hello_world-rs/host/Makefile
copy to scripts/setup/rust-toolchain.toml
index 039051f..f5affd4 100644
--- a/examples/hello_world-rs/host/Makefile
+++ b/scripts/setup/rust-toolchain.toml
@@ -15,23 +15,11 @@
# specific language governing permissions and limitations
# under the License.
-NAME := hello_world-rs
-
-TARGET ?= aarch64-unknown-linux-gnu
-CROSS_COMPILE ?= aarch64-linux-gnu-
-OBJCOPY := $(CROSS_COMPILE)objcopy
-LINKER_CFG := target.$(TARGET).linker=\"$(CROSS_COMPILE)gcc\"
-
-OUT_DIR := $(CURDIR)/target/$(TARGET)/release
-
-
-all: host strip
-
-host:
- @cargo build --target $(TARGET_HOST) --release --config $(LINKER_CFG)
-
-strip: host
- @$(OBJCOPY) --strip-unneeded $(OUT_DIR)/$(NAME) $(OUT_DIR)/$(NAME)
-
-clean:
- @cargo clean
+# Toolchain override for rustup
+
+[toolchain]
+channel = "nightly-2024-05-15"
+components = [ "rust-src" ]
+targets = ["aarch64-unknown-linux-gnu", "arm-unknown-linux-gnueabihf"]
+# minimal profile: install rustc, cargo, and rust-std
+profile = "minimal"
\ No newline at end of file
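Review bot: the file lacks a trailing newline (`\ No newline at end of file`), and the `# minimal profile` comment sits between `targets` and `profile` rather than above the `[toolchain]` table where a reader looks for it. Pinning `channel` to a dated nightly is the right call for a reproducible TA build; please record in the comment why `nightly-2024-05-15` was chosen so the pin is not bumped casually. Note also that this `rust-toolchain.toml` only takes effect for commands run from `scripts/setup/`, which is why `setup_toolchain.sh` has to `cd` there before `rustup toolchain install`; a one-line comment saying so would help.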
diff --git a/scripts/setup/setup_toolchain.sh b/scripts/setup/setup_toolchain.sh
new file mode 100755
index 0000000..daf7447
--- /dev/null
+++ b/scripts/setup/setup_toolchain.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+##########################################
+# move to project root
+cd "$(dirname "$0")"
+
+##########################################
+export CARGO_NET_GIT_FETCH_WITH_CLI=true
+
+# install rustup and stable Rust if needed
+if command -v rustup &>/dev/null ; then
+ # 1. rustup early than 1.28 fails with `rustup toolchain install`
+ # due to parameter mismatch. So self update first.
+ # 2. uninstall to avoid file corruption
+ rustup self update && rustup uninstall stable && rustup install stable
+else
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ source "$HOME/.cargo/env"
+fi
+
+# install the Rust toolchain set in rust-toolchain.toml
+rustup toolchain install
+
+##########################################
+# install toolchain
+if [[ "$(uname -m)" == "aarch64" ]]; then
+ apt update && apt -y install gcc gcc-arm-linux-gnueabihf
+else
+ apt update && apt -y install gcc-aarch64-linux-gnu gcc-arm-linux-gnueabihf
+fi
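Review bot: the `rustup self update && rustup uninstall stable && rustup install stable` chain defeats `set -e`: `-e` does not apply to non-final commands of an `&&` list, so a failed `rustup self update` is ignored and the script carries on with the old rustup that the comment says breaks `rustup toolchain install`; split it into three statements. The comment `# move to project root` is wrong, since `cd "$(dirname "$0")"` lands in `scripts/setup/` (which is what is needed for the `rust-toolchain.toml` there to be picked up); fix the comment. `rustup uninstall` and `rustup install` are deprecated aliases of `rustup toolchain uninstall` / `rustup toolchain install`. The `curl ... | sh -s -- -y` bootstrap executes an unverified remote script as the build user; prefer downloading the `rustup-init` binary for the host architecture and checking its published checksum before running it. Finally, use `apt-get` rather than `apt` in a non-interactive script, and `--no-install-recommends` as in install_dependencies.sh.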
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]