# The Trusted Services: framework for developing root-of-trust services

  meta-arm layer includes recipes for [Trusted Services][1] Secure Partitions and Normal World applications
in `meta-arm/recipes-security/trusted-services`

## Secure Partitions recipes

We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions.
These recipes produce ELF and DTB files for SPs.
These files are automatically included into optee-os image accordingly to defined MACHINE_FEATURES.

### How to include TS SPs

To include TS SPs into optee-os image you need to add into MACHINE_FEATURES
features for each [Secure Partition][2] you would like to include:

| Secure Partition  | MACHINE_FEATURE |
| ----------------- | --------------- |
| Attestation       | ts-attesation   |
| Crypto            | ts-crypto       |
| Internal Storage  | ts-its          |
| Protected Storage | ts-storage      |
| se-proxy          | ts-se-proxy     |
| smm-gateway       | ts-smm-gateway  |

Other steps depend on your machine/platform definition:

1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES.

2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at).
You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine
and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
for N1SDP and Corstone1000 platforms accordingly.

3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform).
See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine
and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.

## Normal World applications

  Optionally for testing purposes you can add `packagegroup-ts-tests` and `packagegroup-ts-tests-psa` package groups into your image.
They include [Trusted Services test and demo tools][3]

## OEQA Trusted Services tests

  meta-arm also includes Trusted Service OEQA tests which can be used for automated testing.
See `ci/trusted-services.yml` for an example how to include them into an image.

[1] https://trusted-services.readthedocs.io/en/integration/overview/introduction.html
[2] https://trusted-services.readthedocs.io/en/integration/developer/deployments/secure-partitions.html
[3] https://trusted-services.readthedocs.io/en/integration/developer/deployments/test-executables.html