Building & running OP-TEE

Download of repositories

The i.MX6 build system is based on a customized Buildroot. The TACOS related changes are maintained in our fork of Buildroot. To initialize the build environment, create a project directory and clone the buildroot into this directory.

mkdir -p <project-dir>
cd <project-dir>
git clone https://github.com/Distrinet-TACOS/buildroot.git

i.MX6 specific layer on buildroot called buildroot-external-boundary is provided by boundary devices. TACOS related modifications on this repo are maintained in a forked repository at buildroot-external-boundary repository. Check out this repository in the same project folder as mentioned above.

cd <project-dir>
git clone https://github.com/Distrinet-TACOS/buildroot-external-boundary.git

Some other necessary parts are contained in another project:

cd <project-dir>
git clone https://github.com/Distrinet-TACOS/shared-secure-peripherals.git

Output folder for buildroot

Use the following command to overlay the i.MX6 related configurations, the Board Support Package (BSP), OPTEE configurations and TACOS related configurations on the Buildroot setup. The following command will create a directory named output and place the configurations in this folder.

cd <project-dir>
make BR2_EXTERNAL=$PWD/buildroot-external-boundary/:$PWD/shared-secure-peripherals/ -C buildroot/ O=$PWD/output imx6q_sabrelite_defconfig

Build OP-TEE, Linux and the i.MX6 BSP

The simplest way to bootstrap is to issue a make command. This will fetch all the components and build Linux, OPTEE and OPTEE applications. The Linux image is bounded to the OPTEE image and an SD card image is created.

cd <project-dir>/output
make BR2_JLEVEL="$(nproc)" all

This process will take some time.

Creating a bootable SD Card

The previous process will create an SD card image in the directory <project-dir>/output/images/sdcard.img. You can use an SD card flash tool such as balenaEtcher to flash the image on an SD Card.

Connecting the BD-SL-i.MX6 Serial

The BD-SL-i.MX6 board has two UART connections. The UART connection labled ‘Console’ will be connected to OPTEE while the other UART will be connected to the Linux running in the Normal world. Once the UART cables are connected and their interfaces are attached to separate console windows. Power up the BD-SL-i.MX6 board and you will see boot logs for OPTEE on the UART labeled console and the Linux logs on the other UART. You can now log in to linux and look around or start an example client application available onboard.

It might be that only one serial connection is used to output both the normal and the secure world consoles. To change this, during the first moments of the boot process, press any key to stop the autoboot. Enter the following in the terminal that appears.

setenv console ttymxc0
saveenv
reboot

The device should now use both serial connections.

SSP Notifier

To get everything up and running, execute the following commands in the Linux command prompt of the i.MX6 to enable the necessary kernel modules.

modprobe normal-controller