构建基于 libckteec 的 TLS 安全通信应用程序。应用目录结构：
$ tree -L 2
.
├── libp11
│ ├── libp11-libp11-0.4.12
│ ├── mk_optee_three_part.sh
│ └── out
├── openssl
│ ├── mk_optee_three_part.sh
│ ├── openssl-1.1.1w
│ └── out
└── tls_demo
    ├── mk_optee_three_part.sh
    ├── out
    └── p11_engine_app
SDK目录结构
$ tree -L 1
.
├── build
├── buildroot
├── hafnium
├── linux
├── mbedtls
├── optee_benchmark
├── optee_client
├── optee_examples
├── optee_os
│ ├── CHANGELOG.md
│ ├── core
│ ├── keys
│ ├── ldelf
│ ├── lib
│ ├── LICENSE
│ ├── MAINTAINERS
│ ├── Makefile
│ ├── mk
│ ├── out
│ ├── README.md
│ ├── scripts
│ ├── ta
│ └── typedefs.checkpatch
├── optee_rust
├── optee_test
├── out
├── out-br
├── qemu
├── toolchains
│ ├── aarch32
│ ├── aarch64
│ ├── arm-gnu-toolchain-11.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz
│ └── arm-gnu-toolchain-11.3.rel1-x86_64-arm-none-linux-gnueabihf.tar.xz
├── trusted-firmware-a
└── u-boot
先构建 OpenSSL，它被其他应用所依赖：
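# openssl/mk_optee_three_part.sh
#
# Cross-build OpenSSL 1.1.1w for aarch64 and stage its shared libraries and
# command-line tools into the OP-TEE buildroot rootfs (out-br/target).
# All paths are resolved relative to this script, so it may be run from any
# working directory.
#
# Environment (optional):
#   OPTEE_DIR  SDK root; defaults to the path used by the original script.
#   JOBS       make parallelism; defaults to 16 as in the original script.
set -euo pipefail

FILEPATH=$(readlink -f "$0")
DIRPATH=$(dirname "$FILEPATH")
optee_dir="${OPTEE_DIR:-/home/test0923/workspace/optee400}"
jobs="${JOBS:-16}"
printf '%s\n' "$FILEPATH" "$DIRPATH"

export PATH="$optee_dir/toolchains/aarch64/bin:$PATH"
# Kept from the original script. OpenSSL's build is steered by
# --cross-compile-prefix below; this variable is presumably a leftover from
# the optee_client build environment.
export CROSS_COMPILE_HOST=aarch64-linux-gnu-
export ARCH=arm
# Kept from the original script (build-time value; the runtime engine
# directory on the target is configured separately).
export OPENSSL_ENGINES=/lib

# Build in a subshell so the working directory is restored on every exit path.
(
  cd "$DIRPATH/openssl-1.1.1w"
  # NOTE(review): no-asm drops the assembly back-ends, including the ARMv8
  # Crypto Extensions AES/SHA paths, so this is a slower pure-C build; the
  # C AES fallback is table-based. Consider removing no-asm for a
  # production image.
  ./config no-asm --prefix="$DIRPATH/out" \
    --cross-compile-prefix=aarch64-linux-gnu-
  # ./config guesses the x86_64 host and leaves -m64 in the Makefile, which
  # the aarch64 compiler rejects — presumed reason for this sed.
  sed -i 's/-m64/ /g' Makefile
  # --openssldir=/usr
  # old="ENGINESDIR=\$(libdir)\/engines-1.1"
  # new="ENGINESDIR=\/usr\/lib\/engine-1.1"
  # sed -i "s/$old/$new/g" Makefile
  make -j"$jobs"
  make install
)

# Stage into the rootfs. cp -u only overwrites files that are older in the
# rootfs; -x stays on one filesystem (flags retained from the original).
rootfs="$optee_dir/out-br/target"
printf 'Copy %s three part bin to %s/out-br/-------------------\n' "$FILEPATH" "$optee_dir"
mkdir -p "$rootfs/usr/lib" "$rootfs/usr/bin"
cp -aux "$DIRPATH"/out/lib/*.so* "$rootfs/usr/lib/"
cp -aux "$DIRPATH"/out/bin/* "$rootfs/usr/bin"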
构建libpkcs11
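# libp11/mk_optee_three_part.sh
#
# Cross-build libp11 0.4.12 (the OpenSSL "pkcs11" engine) for aarch64
# against the libcrypto produced by ../openssl, then stage the libraries
# and the engine into the OP-TEE buildroot rootfs (out-br/target).
# Depends on the aarch64 libcrypto: build openssl first.
#
# Environment (optional):
#   OPTEE_DIR  SDK root; defaults to the path used by the original script.
#   JOBS       make parallelism; defaults to 16 as in the original script.
set -euo pipefail

FILEPATH=$(readlink -f "$0")
DIRPATH=$(dirname "$FILEPATH")
optee_dir="${OPTEE_DIR:-/home/test0923/workspace/optee400}"
jobs="${JOBS:-16}"
printf '%s\n' "$FILEPATH" "$DIRPATH"

# Fail early with a clear message instead of a confusing configure error
# when the OpenSSL build has not been done yet.
openssl_out="$DIRPATH/../openssl/out"
if [[ ! -d "$openssl_out/include" ]]; then
  printf 'error: %s/include not found; build openssl first\n' "$openssl_out" >&2
  exit 1
fi

export PATH="$optee_dir/toolchains/aarch64/bin:$PATH"
# Kept from the original script (note: no trailing '-', unlike the openssl
# script). The cross toolchain is selected by --host below.
export CROSS_COMPILE_HOST=aarch64-linux-gnu
export ARCH=arm
export OPENSSL_CFLAGS="-I$openssl_out/include"
export OPENSSL_LIBS="-L$openssl_out/lib -lcrypto"

# Build in a subshell so the working directory is restored on every exit path.
(
  cd "$DIRPATH/libp11-libp11-0.4.12"
  ./bootstrap
  ./configure --prefix="$DIRPATH/out" \
    --with-enginesdir="$DIRPATH/out/engine" \
    --host=aarch64-linux-gnu \
    CFLAGS="$OPENSSL_CFLAGS" \
    LDFLAGS="$OPENSSL_LIBS"
  make -j"$jobs"
  make install
)

# Stage into the rootfs. cp -u only overwrites files that are older in the
# rootfs; -x stays on one filesystem (flags retained from the original).
# The out/*/*.so* glob also matches out/engine/, which is presumably why
# pkcs11.so shows up under usr/lib as well as usr/lib/engines-1.1.
rootfs="$optee_dir/out-br/target"
printf 'Copy %s three part bin to %s/out-br/-------------------\n' "$FILEPATH" "$optee_dir"
mkdir -p "$rootfs/usr/lib/engines-1.1/"
cp -aux "$DIRPATH"/out/*/*.so* "$rootfs/usr/lib/"
cp -aux "$DIRPATH"/out/engine/* "$rootfs/usr/lib/engines-1.1/"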
构建tls
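# tls_demo/mk_optee_three_part.sh
#
# Cross-build the TLS demo (p11_engine_app) for aarch64 against the
# libssl/libcrypto produced by ../openssl, then stage the binaries into the
# OP-TEE buildroot rootfs (out-br/target).
# Depends on the aarch64 libcrypto: build openssl first.
#
# Environment (optional):
#   OPTEE_DIR  SDK root; defaults to the path used by the original script.
set -euo pipefail

FILEPATH=$(readlink -f "$0")
DIRPATH=$(dirname "$FILEPATH")
optee_dir="${OPTEE_DIR:-/home/test0923/workspace/optee400}"
printf '%s\n' "$FILEPATH" "$DIRPATH"

# Fail early with a clear message instead of a link error when the OpenSSL
# build has not been done yet.
openssl_out="$DIRPATH/../openssl/out"
if [[ ! -d "$openssl_out/include" ]]; then
  printf 'error: %s/include not found; build openssl first\n' "$openssl_out" >&2
  exit 1
fi

export PATH="$optee_dir/toolchains/aarch64/bin:$PATH"
# Presumably consumed by p11_engine_app's Makefile to pick the cross compiler.
export CROSS_COMPILE=aarch64-linux-gnu-
export ARCH=arm
export OPENSSL_CFLAGS="-I$openssl_out/include"
export OPENSSL_LIBS="-L$openssl_out/lib -lssl -lcrypto"

# Build in a subshell so the working directory is restored on every exit path.
(
  cd "$DIRPATH/p11_engine_app"
  make
)

# Stage into the rootfs. cp -u only overwrites files that are older in the
# rootfs; -x stays on one filesystem (flags retained from the original).
rootfs="$optee_dir/out-br/target"
printf 'Copy %s three part bin to %s/out-br/-------------------\n' "$FILEPATH" "$optee_dir"
mkdir -p "$rootfs/usr/bin"
cp -aux "$DIRPATH"/out/* "$rootfs/usr/bin"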
集成自定义应用
$ ls -l out-br/target/usr/lib/libssl.so*
lrwxrwxrwx 1 test0923 test0923 13 6月 26 22:27 out-br/target/usr/lib/libssl.so -> libssl.so.1.1
-rwxr-xr-x 5 test0923 test0923 584816 6月 26 23:51 out-br/target/usr/lib/libssl.so.1.1
$ ls -l out-br/target/usr/lib/libcrypto.so*
lrwxrwxrwx 1 test0923 test0923 16 6月 26 22:27 out-br/target/usr/lib/libcrypto.so -> libcrypto.so.1.1
-rwxr-xr-x 5 test0923 test0923 2560744 6月 26 23:51 out-br/target/usr/lib/libcrypto.so.1.1
$ ls -l out-br/target/usr/lib/libp*
libp11.so libp11.so.3.5.0 libpcsclite.so.1 libpcscspy.so libpcscspy.so.0.0.0
libp11.so.3 libpcsclite.so libpcsclite.so.1.0.0 libpcscspy.so.0 libpkcs11.so
$ ls -l out-br/target/usr/lib/libpkcs11.so*
lrwxrwxrwx 1 test0923 test0923 9 6月 26 23:49 out-br/target/usr/lib/libpkcs11.so -> pkcs11.so
$ ls -l out-br/target/usr/bin/tls_demo
-rwxr-xr-x 1 test0923 test0923 10232 6月 26 23:51 out-br/target/usr/bin/tls_demo
更新qemu rootfs
# Rebuild the QEMU rootfs image so it picks up everything staged into
# out-br/target by the three build scripts. Run from the SDK's build/
# directory, where qemu_v8.mk lives.
make -j32 -f qemu_v8.mk uRootfs
配置环境变量[可选]
# Optional: override the engine directory that was compiled into OpenSSL at
# build time. Without it, loading the pkcs11 engine on the target fails with:
# error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/local/openssl/lib/engines-1.1/pkcs11.so): /usr/local/openssl/lib/engines-1.1/pkcs11.so: cannot open shared object file: No such file or directory
# The value below is the directory the libp11 build script populates.
export OPENSSL_ENGINES="/usr/lib/engines-1.1"
准备密钥
# Provision the OP-TEE PKCS#11 token (libckteec): initialise the token, set
# the user PIN, then generate an RSA-2048 key pair with id 01 inside it.
# The SO PIN / user PIN here are the demo's placeholder values; PINs given
# on the command line are visible in process listings and shell history, so
# for a real device omit --so-pin/--pin and let pkcs11-tool prompt instead.
module=/usr/lib/libckteec.so
pkcs11-tool --module "$module" --init-token --label "mytoken" --so-pin 12345
pkcs11-tool --module "$module" --init-pin --slot 0 --so-pin 12345 --pin 1234
pkcs11-tool --module "$module" --login --pin 1234 --keypairgen --key-type rsa:2048 --id 01 --label "mytoken"