Overview
This project provides a hardware + software stack targeting blockchain applications such as PoS validation, remote signers, etc.
From an architectural overview, we cover the following aspects:
- Hardware alternatives
- BSP and Operating System
- Trusted apps (TAs) and Host Apps
- Signer Endpoint
- Node Endpoint
Supported Hardware
At the moment of this writing, we recommend testing using the following boards:
| Model | MPU | Manufacturer | |
|---|---|---|---|
| STM32MP157C-DK2 | STM32MP157C | ST Microelectronics | Mouser Digikey ST |
| NXP MCiMX8-evkb | i.MX8 | NXP | Mouser Digikey NXP |
Note: We plan to expand this list in the near future
Click here if you are interested in the selection process and a list of future supported devices.
Building an SD card image
These tests will concentrate on SD Card images, however, some of the boards support eMMC and/or SATA drives. We will add support for this in the next milestone.
Preconditions
We assume you are using Ubuntu. Other OSs (MacOS/Windows) are not formally supported.
- Install Docker CE
Creating the image
To create the image, please refer to the introduction and follow the steps.
Signing the image
Enabling secure boot in a device is an irreversible process. We recommend skipping this step for now.
At the moment, we can demonstrate the functionality but simplified tools are part of the next milestone.
Please refer to Secure Boot for a description of these manual steps in you still decide to go ahead.
Hello RusTee
Overview
Now is time to test a very simple Trusted Application (TA)!
Hello RusTee demonstrates how we can run both a host and trusted apps using OPTEE and Rust in these devices.
A Trusted application runs in a TEE (trusted execution environment) that is isolated from the normal REE (Rich execution environment) where the normal OS is running. To talk to a TA, you need a host application (HA) that executes in the non-secure world (REE = Rich execution environment).
In this section, we demonstrate a "hello world" (hello_rustee) implementation of a TA and HA using Rust. In practice, the HA will expose the TA signing service to the network.
When an image is built, we already include hello_rustee so you just need to login into your device to test OPTEE.
If you are interested, more information about the process, tooling and testing can be found here
Running
- First, let's connect to the board using a serial connection
minicom -D /dev/ttyACM0
In some systems, you may not have permission to access the serial port. Try using
sudoif the previous command fails.The serial port may vary depending on your OS, machine, etc. Possible alternatives are:
- /dev/ttyACM0
- /dev/ttyUSB0
- /dev/ttyUSB1
- /dev/ttyUSB2
- /dev/ttyUSB3
Reset the device (some devices have a reset button, otherwise unplug and plug again). You should be able to see in the console how you device is booting.
The host application
hello_rusteeis preinstalled in the image you build earlier.
Run the host application:
./hello_rustee
- The host application will connect to the TA (trusted application) and exchange data. You should be able to see something similar to:
[RUSTEE] <= 12345
[RUSTEE] => 12387
Summary
Along these steps, we have shown how:
- To build fully working images for a range of devices (based both on STM32MP175C and i.MX8).
- The secure boot process is documented and clear for the different supported devices.
- We can effectively combine Rust and OPTEE to build trusted applications in different device types.
- We can deploy both HA and TA app to the images and communicate between them.
