
仅仅完成自动编译,而不了解其中做了什么,是无法让我们满意的。本章节我们分析一下OP-TEE的自动编译过程,理解它具体做了什么。
构建日志分析
执行构建命令:
$ make -n FORCE_UNSAFE_CONFIGURE=1 GDBSERVER=y
接下来是从构建日志中提取的构建命令。
OP-TEE OS:
$ make -C /opt/sysdev/tee/optee/optee_os \
    O=out/arm \
    CFG_ARM64_core=y \
    PLATFORM=vexpress-qemu_armv8a \
    CROSS_COMPILE="/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" \
    CROSS_COMPILE_core="/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" \
    CROSS_COMPILE_ta_arm64="/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" \
    CROSS_COMPILE_ta_arm32="/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch32/bin/arm-linux-gnueabihf-" \
    CFG_TEE_CORE_LOG_LEVEL=3 \
    DEBUG=0 \
    CFG_TEE_BENCHMARK=n \
    DEBUG=0
EDK2:
$ export WORKSPACE=/opt/sysdev/tee/optee/edk2 PYTHON3_ENABLE=TRUE && \
    export PACKAGES_PATH=/opt/sysdev/tee/optee/edk2: && \
    source /opt/sysdev/tee/optee/edk2/edksetup.sh && \
    make -j1 -C /opt/sysdev/tee/optee/edk2/BaseTools && \
    GCC49_AARCH64_PREFIX=/opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu- \
    build -n `getconf _NPROCESSORS_ONLN` -a AARCH64 -t GCC49 -p ArmVirtPkg/ArmVirtQemuKernel.dsc -b RELEASE all
ATF:
$ CROSS_COMPILE="/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" \
    make -C /opt/sysdev/tee/optee/trusted-firmware-a \
    BL32=/opt/sysdev/tee/optee/optee_os/out/arm/core/tee-header_v2.bin \
    BL32_EXTRA1=/opt/sysdev/tee/optee/optee_os/out/arm/core/tee-pager_v2.bin \
    BL32_EXTRA2=/opt/sysdev/tee/optee/optee_os/out/arm/core/tee-pageable_v2.bin \
    BL33=/opt/sysdev/tee/optee/edk2/Build/ArmVirtQemuKernel-AARCH64/RELEASE_GCC49/FV/QEMU_EFI.fd \
    PLAT=qemu \
    ARM_TSP_RAM_LOCATION=tdram \
    BL32_RAM_LOCATION=tdram \
    SPD=opteed DEBUG=0 LOG_LEVEL=30 all fip
BuildRoot:
echo 'BR2_PACKAGE_OPTEE_TEST_EXT_CROSS_COMPILE="'"/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu-"'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_LIBOPENSSL='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_STRACE='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_TEST_EXT_WITH_CXX_TESTS='y'' >>../out-br/extra.conf; \
echo 'BR2_ROOTFS_POST_BUILD_SCRIPT="'/opt/sysdev/tee/optee/build/br-ext/board/qemu/post-build.sh'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_OS_EXT_SITE="'/opt/develop/sysdev/tee/optee/build/br-ext/package/optee_os_ext'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_OS_EXT='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_OS_EXT_SDK="'/opt/sysdev/tee/optee/optee_os/out/arm/export-ta_arm64'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_EXAMPLES_EXT_SDK="'/opt/sysdev/tee/optee/optee_os/out/arm/export-ta_arm64'"' >>../out-br/extra.conf; \
echo 'BR2_ROOTFS_POST_SCRIPT_ARGS="'"n /mnt/host n"'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_MMC_UTILS='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_EXAMPLES_EXT_CROSS_COMPILE="'"/usr/bin/ccache /opt/sysdev/tee/optee/toolchains/aarch64/bin/aarch64-linux-gnu-"'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_TEST_EXT_SITE="'/opt/sysdev/tee/optee/optee_test'"' >>../out-br/extra.conf; echo 'BR2_PACKAGE_OPTEE_TEST_EXT='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_TEST_EXT_SDK="'/opt/sysdev/tee/optee/optee_os/out/arm/export-ta_arm64'"' >>../out-br/extra.conf; \
echo 'BR2_ROOTFS_OVERLAY="'/opt/sysdev/tee/optee/build/br-ext/board/qemu/overlay'"' >>../out-br/extra.conf; \
echo 'BR2_TARGET_GENERIC_GETTY_PORT="'ttyAMA0'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_TEST_EXT_GP_PACKAGE="''"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPENSC='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPENSSL='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_TEST_EXT_WITH_TLS_TESTS='y'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_BENCHMARK_EXT_SITE="''"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_BENCHMARK_EXT='n'' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_CLIENT_EXT_SITE="'/opt/sysdev/tee/optee/optee_client'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_EXAMPLES_EXT_SITE="'/opt/sysdev/tee/optee/optee_examples'"' >>../out-br/extra.conf; \
echo 'BR2_PACKAGE_OPTEE_EXAMPLES_EXT='y'' >>../out-br/extra.conf;
(cd .. && python build/br-ext/scripts/make_def_config.py \
    --br buildroot --out out-br --br-ext build/br-ext \
    --top-dir "/opt/sysdev/tee/optee" \
    --br-defconfig build/br-ext/configs/optee_aarch64 \
    --br-defconfig build/br-ext/configs/optee_generic \
    --br-defconfig build/br-ext/configs/toolchain-br \
    --br-defconfig build/br-ext/configs/gdbserver.conf \
    --br-defconfig out-br/extra.conf \
    --make-cmd make)
make[1]: Entering directory `/opt/develop/sysdev/tee/optee/buildroot'
umask 0022 && \
    make -C /opt/develop/sysdev/tee/optee/buildroot --no-print-directory \
    defconfig O=/opt/develop/sysdev/tee/optee/out-br
/opt/develop/sysdev/tee/optee/buildroot/support/scripts/mkmakefile /opt/develop/sysdev/tee/optee/buildroot /opt/develop/sysdev/tee/optee/out-br
BR2_DEFCONFIG='../out-br/defconfig' KCONFIG_AUTOCONFIG=/opt/develop/sysdev/tee/optee/out-br/build/buildroot-config/auto.conf KCONFIG_AUTOHEADER=/opt/develop/sysdev/tee/optee/out-br/build/buildroot-config/autoconf.h KCONFIG_TRISTATE=/opt/develop/sysdev/tee/optee/out-br/build/buildroot-config/tristate.config BR2_CONFIG=/opt/develop/sysdev/tee/optee/out-br/.config HOST_GCC_VERSION="4 8" BASE_DIR=/opt/develop/sysdev/tee/optee/out-br SKIP_LEGACY= /opt/develop/sysdev/tee/optee/out-br/build/buildroot-config/conf --defconfig=../out-br/defconfig Config.in:
make[1]: Leaving directory `/opt/develop/sysdev/tee/optee/buildroot'
make -C ../out-br all
make[1]: Entering directory `/opt/develop/sysdev/tee/optee/out-br'
umask 0022 && make -C /opt/develop/sysdev/tee/optee/buildroot O=/opt/develop/sysdev/tee/optee/out-br/. all
MAKE="/usr/bin/make -j3" DL_TOOLS="bzcat git gzip xzcat" \
...
使用fip镜像
# https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
# https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/tools-build.html
$ make run QEMU_USERNET_ENABLE=y FORCE_UNSAFE_CONFIGURE=1
...
tools/fiptool/fiptool create --tos-fw-extra1 /opt/sysdev/tee/optee/optee_os/out/arm/core/tee-pager_v2.bin --tos-fw-extra2 /opt/sysdev/tee/optee/optee_os/out/arm/core/tee-pageable_v2.bin --tb-fw ./build/qemu/release/bl2.bin --soc-fw ./build/qemu/release/bl31.bin --tos-fw /opt/sysdev/tee/optee/optee_os/out/arm/core/tee-header_v2.bin --nt-fw /opt/sysdev/tee/optee/edk2/Build/ArmVirtQemuKernel-AARCH64/RELEASE_GCC49/FV/QEMU_EFI.fd build/qemu/release/fip.bin
tools/fiptool/fiptool info build/qemu/release/fip.bin
$ make run-only QEMU_USERNET_ENABLE=y QEMU_VIRTFS_ENABLE=y QEMU_VIRTFS_HOST_DIR=/opt
$ cd /opt/sysdev/tee/optee/out/bin && /opt/sysdev/tee/optee/qemu/aarch64-softmmu/qemu-system-aarch64 \
    -nographic \
    -serial mon:stdio \
    -serial tcp::45457,server,nowait \
    -smp 2 \
    -machine virt,secure=on -cpu cortex-a57 \
    -d unimp -semihosting-config enable,target=native \
    -m 1057 \
    -bios bl1.bin \
    -initrd rootfs.cpio.gz \
    -kernel Image -no-acpi \
    -append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2' \
    -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic
# UART1
Host $ telnet localhost 45457
查看生成的安全程序:
$ gunzip -c rootfs.cpio.gz > rootfs.cpio
$ mkdir rootfs && cd rootfs
$ cpio -i -F rootfs.cpio --no-absolute-filename
$ cd -
$ find rootfs -name "*.ta"
rootfs/lib/optee_armtz/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.ta
rootfs/lib/optee_armtz/5dbac793-f574-4871-8ad3-04331ec17f24.ta
rootfs/lib/optee_armtz/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta
rootfs/lib/optee_armtz/e13010e0-2ae1-11e5-896a-0002a5d5c51b.ta
rootfs/lib/optee_armtz/528938ce-fc59-11e8-8eb2-f2801f1b9fd1.ta
...
$ find rootfs -name "optee_*"
rootfs/lib/optee_armtz
rootfs/usr/bin/optee_example_random
rootfs/usr/bin/optee_example_hotp
rootfs/usr/bin/optee_example_acipher
rootfs/usr/bin/optee_example_aes
rootfs/usr/bin/optee_example_hello_world
rootfs/usr/bin/optee_example_plugins
rootfs/usr/bin/optee_example_secure_storage
创建并启动fip镜像:
$ /opt/sysdev/tee/optee/trusted-firmware-a/tools/fiptool/fiptool create \
    --tb-fw /opt/sysdev/tee/optee/trusted-firmware-a/build/qemu/release/bl2.bin \
    --soc-fw /opt/sysdev/tee/optee/trusted-firmware-a/build/qemu/release/bl31.bin \
    --tos-fw /opt/sysdev/tee/optee/optee_os/out/arm/core/tee-header_v2.bin \
    --tos-fw-extra1 /opt/sysdev/tee/optee/optee_os/out/arm/core/tee-pager_v2.bin \
    --tos-fw-extra2 /opt/sysdev/tee/optee/optee_os/out/arm/core/tee-pageable_v2.bin \
    --nt-fw piccolo.bin \
    fip_piccolo.bin
$ dd if=fip_piccolo.bin of=flash.bin seek=64 bs=4096 conv=notrunc
$ qemu-system-aarch64 -serial mon:stdio -serial tcp::45457,server,nowait -nographic \
    -machine virt,virtualization=true,secure=on -cpu cortex-a57 -smp 2 -m 1057 -no-acpi \
    -bios flash.bin \
    -d unimp -semihosting-config enable,target=native \
    -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic
查看镜像内容
$ /opt/sysdev/tee/optee/trusted-firmware-a/tools/fiptool/fiptool info fip_piccolo.bin
Trusted Boot Firmware BL2: offset=0x128, size=0x6409, cmdline="--tb-fw"
EL3 Runtime Firmware BL31: offset=0x6531, size=0x806C, cmdline="--soc-fw"
Secure Payload BL32 (Trusted OS): offset=0xE59D, size=0x1C, cmdline="--tos-fw"
Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0xE5B9, size=0x62990, cmdline="--tos-fw-extra1"
Secure Payload BL32 Extra2 (Trusted OS Extra2): offset=0x70F49, size=0x0, cmdline="--tos-fw-extra2"
Non-Trusted Firmware BL33: offset=0x70F49, size=0xE5A, cmdline="--nt-fw"
查看Repo仓库
$ cat .repo/manifest.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
DO NOT EDIT THIS FILE! It is generated by repo and changes will be discarded.
If you want to use a different manifest, use `repo init -m <file>` instead.

If you want to customize your checkout by overriding manifest settings, use
the local_manifests/ directory instead.

For more information on repo manifests, check out:
https://gerrit.googlesource.com/git-repo/+/HEAD/docs/manifest-format.md
-->
<manifest>
  <include name="qemu_v8.xml" />
</manifest>
$ cat .repo/manifests/qemu_v8.xml
<?xml version="1.0" encoding="UTF-8"?>
<manifest>
  <remote name="github" fetch="https://github.com" />
  <remote name="tfo" fetch="https://git.trustedfirmware.org" />
  <default remote="github" revision="master" />

  <!-- OP-TEE gits -->
  <project path="optee_client" name="OP-TEE/optee_client.git" />
  <project path="optee_os" name="OP-TEE/optee_os.git" />
  <project path="optee_test" name="OP-TEE/optee_test.git" />
  <project path="build" name="OP-TEE/build.git">
    <linkfile src="qemu_v8.mk" dest="build/Makefile" />
  </project>

  <!-- linaro-swg gits -->
  <project path="linux" name="linaro-swg/linux.git" revision="optee" clone-depth="1" />
  <project path="optee_benchmark" name="linaro-swg/optee_benchmark.git" />
  <project path="optee_examples" name="linaro-swg/optee_examples.git" />
  <project path="soc_term" name="linaro-swg/soc_term.git" />

  <!-- Misc gits -->
  <project path="buildroot" name="buildroot/buildroot.git" revision="refs/tags/2020.08" clone-depth="1" />
  <project path="edk2" name="tianocore/edk2.git" revision="refs/tags/edk2-stable201905" sync-s="true" />
  <project path="mbedtls" name="ARMmbed/mbedtls.git" revision="refs/tags/mbedtls-2.16.0" clone-depth="1" />
  <project path="qemu" name="qemu/qemu.git" revision="refs/tags/v5.1.0" clone-depth="1" />
  <project path="trusted-firmware-a" name="TF-A/trusted-firmware-a.git" revision="refs/tags/v2.3" clone-depth="1" remote="tfo" />
</manifest>
$ ls -lh build | grep qemu
lrwxrwxrwx 1 root root   10 Feb 24 18:09 Makefile -> qemu_v8.mk
-rw-r--r-- 1 root root 3.3K Feb 24 18:09 qemu-check.exp
-rw-r--r-- 1 root root 6.6K Feb 24 18:09 qemu.mk
-rw-r--r-- 1 root root 7.6K Feb 24 18:09 qemu_v8.mk
测试镜像加载
$ mkdir -pv ${SYSDEV_ROOT}/tee/target && cd ${SYSDEV_ROOT}/tee/target
$ cp ../optee/out/bin/bl1.bin .
$ cp ../optee/out/bin/bl{1,2}.bin .
$ cp ../optee/out/bin/bl3{1,2}.bin .
$ cp ../optee/out/bin/bl3{2_*,3}.bin .
$ cp ../optee/out/bin/Image .
$ cp ../optee/out/bin/rootfs.cpio.gz .
$ qemu-system-aarch64 -nographic -machine virt,secure=on -cpu cortex-a57 -smp 2 -m 1057 \
    -bios bl1.bin \
    -kernel Image \
    -initrd rootfs.cpio.gz \
    -serial mon:stdio \
    -d unimp -semihosting-config enable,target=native \
    -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic
...
Saving random seed: [  112.863869] random: dd: uninitialized urandom read (512 bytes read)
OK
Set permissions on /dev/tee*: chown: /dev/teepriv0: No such file or directory
FAIL
Starting network: OK
Starting network (udhcpc): OK

Welcome to Buildroot, type root or test to login
buildroot login: root
如果喜欢,请麻烦点个关注,会更快地更新!

夜雨聆风