Skip to main content
Zondax Github LinkZondax Github Link
Theme SwitchTheme Switch

Overview

The following project has been funded by the Web3 Foundation.
drawing

This project provides a hardware + software stack targeting blockchain applications such as PoS validation, remote signers, etc.

From an architectural overview, we cover the following aspects:

  • Hardware alternatives
  • BSP and Operating System
  • Trusted apps (TAs) and Host Apps
  • Signer Endpoint
  • Node Endpoint

Supported Hardware

At the moment of this writing, we recommend testing using the following boards:

ModelMPUManufacturer
STM32MP157C-DK2STM32MP157CST MicroelectronicsMouser Digikey ST
NXP MCiMX8-evkbi.MX8NXPMouser Digikey NXP
If you have one of these boards
info

Note: We plan to expand this list in the near future

Click here if you are interested in the selection process and a list of future supported devices.

Building an SD card image

These tests will concentrate on SD Card images, however, some of the boards support eMMC and/or SATA drives. We will add support for this in the next milestone.

Preconditions

We assume you are using Ubuntu. Other OSs (MacOS/Windows) are not formally supported.

Creating the image

tip

To create the image, please refer to the introduction and follow the steps.

Signing the image

warning

Enabling secure boot in a device is an irreversible process. We recommend skipping this step for now.

At the moment, we can demonstrate the functionality but simplified tools are part of the next milestone.

Please refer to [Secure Boot](50.Secure Boot/50.SecureBoot.md) for a description of these manual steps in you still decide to go ahead.

Hello RusTee

Overview

Now is time to test a very simple Trusted Application (TA)!

Hello RusTee demonstrates how we can run both a host and trusted apps using OPTEE and Rust in these devices.

A Trusted application runs in a TEE (trusted execution environment) that is isolated from the normal REE (Rich execution environment) where the normal OS is running. To talk to a TA, you need a host application (HA) that executes in the non-secure world (REE = Rich execution environment).

In this section, we demonstrate a "hello world" (hello_rustee) implementation of a TA and HA using Rust. In practice, the HA will expose the TA signing service to the network.

When an image is built, we already include hello_rustee so you just need to login into your device to test OPTEE.

How does the actual development process looks like?

If you are interested, more information about the process, tooling and testing can be found here

Running

  • First, let's connect to the board using a serial connection
minicom -D /dev/ttyACM0
Attention
  • In some systems, you may not have permission to access the serial port. Try using sudo if the previous command fails.

  • The serial port may vary depending on your OS, machine, etc. Possible alternatives are:

    • /dev/ttyACM0
    • /dev/ttyUSB0
    • /dev/ttyUSB1
    • /dev/ttyUSB2
    • /dev/ttyUSB3
  • Reset the device (some devices have a reset button, otherwise unplug and plug again). You should be able to see in the console how you device is booting.

  • The host application hello_rustee is preinstalled in the image you build earlier.

Run the host application:

./hello_rustee
  • The host application will connect to the TA (trusted application) and exchange data. You should be able to see something similar to:
[RUSTEE] <= 12345
[RUSTEE] => 12387

Summary

Along these steps, we have shown how:

  • To build fully working images for a range of devices (based both on STM32MP175C and i.MX8).
  • The secure boot process is documented and clear for the different supported devices.
  • We can effectively combine Rust and OPTEE to build trusted applications in different device types.
  • We can deploy both HA and TA app to the images and communicate between them.