github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/docs/trusty/README.md

# Trusty support

[Trusty](https://source.android.com/security/trusty) is a set of software
components supporting a Trusted Execution Environment (TEE) on mobile devices.

This is work in progress, see #933. For now we only support testing `Trusty` via the actual application ports.

# Building kernel with Trusty IPC support

```
git remote add android https://android.googlesource.com/kernel/common
git fetch android
git checkout android/android-trusty-4.9
make distclean
# TODO: consider using trusty_qemu_defconfig instead.
make ARCH=arm64 ranchu64_defconfig
# Required to enable qemu networking:
make ARCH=arm64 defconfig
make ARCH=arm64 kvmconfig
# Merge some custom configs:
ARCH=arm64 ./scripts/kconfig/merge_config.sh .config trusty.config
# We don't install modules, so turn every =m option off:
sed -i 's#^\(.*\)=m$#\# \1 is not set#g' .config
make ARCH=arm64 olddefconfig
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- -j64
```

```
# trusty.config
CONFIG_TRUSTY=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_INFO=y
CONFIG_KCOV=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_DEBUG_VM=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=140
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_WQ_WATCHDOG=y
```

# Building Trusty

```
mkdir trusty; cd trusty
repo init -u https://android.googlesource.com/trusty/manifest -b master
repo sync -j32
source trusty/vendor/google/aosp/scripts/envsetup.sh
make -j32 generic-arm64
# Build Trusty and qemu images:
trusty/vendor/google/aosp/scripts/build.py qemu-generic-arm64-test-debug
# Create qemu-comb.dtb:
KERNEL_DIR=$KERNEL build-root/build-qemu-generic-arm64-test-debug/run-qemu
```
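As an added example (not part of the syzkaller documentation or tooling), a small POSIX shell check for the kernel configuration step above. `merge_config.sh` followed by `olddefconfig` silently drops or overrides fragment options whose Kconfig dependencies are not met, and a missing `CONFIG_KCOV` or `CONFIG_KASAN` is only noticed after the cross-compile. `check_config` confirms that every `CONFIG_*=` line of `trusty.config` is present verbatim in the final `.config` and reports which of three things happened to each option that is not. The fragment and `.config` it writes are constructed samples; point it at your real `trusty.config` and kernel `.config`.

```shell
#!/bin/sh
# Added example, not syzkaller's own code: verify that every option from a
# Kconfig fragment survived merge_config.sh + olddefconfig.

# check_config FRAGMENT CONFIG
# Prints one line per fragment option that is not in CONFIG exactly as
# requested; returns 0 only when all options are present.
check_config() {
    fragment="$1"
    config="$2"
    missing=0
    # Requirement lines look like CONFIG_NAME=value with no whitespace, so
    # word splitting on the grep output is safe here.
    for want in $(grep -E '^CONFIG_[A-Z0-9_]+=' "$fragment"); do
        if ! grep -Fxq -- "$want" "$config"; then
            name=${want%%=*}
            if grep -Fq -- "# $name is not set" "$config"; then
                echo "MISSING: $want (disabled: dependency not met or overridden)"
            elif grep -Eq -- "^$name=" "$config"; then
                echo "MISMATCH: $want (config has $(grep -E -- "^$name=" "$config"))"
            else
                echo "MISSING: $want (symbol unknown for this kernel/arch)"
            fi
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample (not a real kernel .config): the fragment asks for
# five options; the merged config kept two, disabled one, changed one
# value and does not know the last symbol at all.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/trusty.config" <<'EOF'
# trusty.config (constructed subset)
CONFIG_TRUSTY=y
CONFIG_KCOV=y
CONFIG_KASAN=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=140
CONFIG_WQ_WATCHDOG=y
EOF
cat > "$sample_dir/.config" <<'EOF'
CONFIG_TRUSTY=y
CONFIG_KCOV=y
# CONFIG_KASAN is not set
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
EOF

if check_config "$sample_dir/trusty.config" "$sample_dir/.config"; then
    echo "all fragment options present; safe to build"
else
    echo "fix the fragment or its dependencies before building"
fi
```

Run it as `check_config trusty.config .config` right after `make ARCH=arm64 olddefconfig`; a `MISSING ... (disabled ...)` line for `CONFIG_KASAN` on this tree usually means the defconfig step disabled a dependency such as the KASAN-capable allocator, and a `MISMATCH` means a later config step overrode the fragment's value.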
# Building arm64 image

```
git clone git://git.buildroot.net/buildroot
cd buildroot
make qemu_aarch64_virt_defconfig
support/kconfig/merge_config.sh .config syzkaller.config
make -j64
```

```
# syzkaller.config
BR2_cortex_a57=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_ARM_AARCH64=y
BR2_TARGET_GENERIC_HOSTNAME="syzkaller"
BR2_TARGET_GENERIC_ISSUE="syzkaller"
BR2_PACKAGE_DHCPCD=y
BR2_PACKAGE_OPENSSH=y
BR2_TARGET_ROOTFS_EXT2_SIZE="1G"
BR2_ROOTFS_POST_FAKEROOT_SCRIPT="./syzkaller.sh"
# BR2_LINUX_KERNEL is not set
```

```
# syzkaller.sh
# Buildroot runs this with the target root filesystem directory as $1.
set -eux
# Mount debugfs for KCOV.
echo "debugfs /sys/kernel/debug debugfs defaults 0 0" >> "$1/etc/fstab"
# Generate and install ssh key.
rm -f key key.pub
ssh-keygen -f key -t rsa -N ""
mkdir -p "$1/root/.ssh"
cp key.pub "$1/root/.ssh/authorized_keys"
```

# Testing build

TODO: where does the firmware come from?

Boot in qemu:
```
cd $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug
$TRUSTY/build-root/build-qemu-generic-arm64-test-debug/qemu-build/aarch64-softmmu/qemu-system-aarch64 -m 1024 -smp 1 -net nic -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -display none -serial stdio -no-reboot -machine virt,secure=on,virtualization=on -cpu cortex-a57 -bios $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug/bl1.bin -d unimp -semihosting-config enable,target=native -no-acpi -dtb $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug/qemu-comb.dtb -hda $BUILDROOT/output/images/rootfs.ext4 -snapshot -kernel $KERNEL/arch/arm64/boot/Image -append "androidboot.hardware=qemu_trusty earlyprintk=serial console=ttyAMA0,38400 root=/dev/vda"
```

SSH into the VM:
```
ssh -i $BUILDROOT/key -p 10022 -o IdentitiesOnly=yes root@localhost
```

# Running syzkaller

Build and run `syzkaller` as:
```
cd $SYZKALLER
make TARGETARCH=arm64
cd $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug
$SYZKALLER/bin/syz-manager -config trusty.cfg
```

using a config along the lines of the following (substitute actual values for `$KERNEL`, `$SYZKALLER`, `$BUILDROOT` and `$TRUSTY`):
```
{
	"name": "trusty",
	"target": "linux/arm64",
	"http": ":10000",
	"workdir": "/workdir",
	"kernel_obj": "$KERNEL",
	"syzkaller": "$SYZKALLER",
	"image": "$BUILDROOT/output/images/rootfs.ext4",
	"sshkey": "$BUILDROOT/key",
	"cover": false,
	"procs": 4,
	"type": "qemu",
	"vm": {
		"count": 4,
		"cpu": 1,
		"mem": 1024,
		"qemu": "$TRUSTY/build-root/build-qemu-generic-arm64-test-debug/qemu-build/aarch64-softmmu/qemu-system-aarch64",
		"qemu_args": "-machine virt,secure=on,virtualization=on -cpu cortex-a57 -bios $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug/bl1.bin -d unimp -semihosting-config enable,target=native -no-acpi -dtb $TRUSTY/build-root/build-qemu-generic-arm64-test-debug/atf/qemu/debug/qemu-comb.dtb",
		"cmdline": "androidboot.hardware=qemu_trusty console=ttyAMA0,38400 root=/dev/vda",
		"kernel": "$KERNEL/arch/arm64/boot/Image"
	},
	"enable_syscalls": [
		"openat$trusty*",
		"write$trusty*",
		"read",
		"ioctl$TIPC_IOC_CONNECT*",
		"ppoll",
		"dup3",
		"tkill",
		"gettid",
		"close"
	]
}
```
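As an added example (not the syzkaller project's own tooling), a shell helper for the substitution step above: `render_cfg` writes `trusty.cfg` from a template using the `$KERNEL`, `$SYZKALLER`, `$BUILDROOT` and `$TRUSTY` variables already set in the build shell, and `check_manager_cfg` refuses a config in which any `$NAME` placeholder survived and points out referenced paths that do not exist yet. The template written below is a constructed subset of the manager config; the default variable values are placeholders.

```shell
#!/bin/sh
# Added example, not syzkaller's own code: render the manager config from
# shell variables and sanity-check the result before starting syz-manager.

# render_cfg TEMPLATE OUT: replace the four $NAME placeholders with the
# values of the same-named shell variables (paths must not contain '|').
render_cfg() {
    sed -e "s|\$KERNEL|$KERNEL|g" \
        -e "s|\$SYZKALLER|$SYZKALLER|g" \
        -e "s|\$BUILDROOT|$BUILDROOT|g" \
        -e "s|\$TRUSTY|$TRUSTY|g" "$1" > "$2"
}

# check_manager_cfg FILE: return 1 if any $NAME placeholder is left in the
# JSON; otherwise print a note for each referenced path that is absent.
check_manager_cfg() {
    cfg="$1"
    left=$(grep -oE '\$[A-Z_]+' "$cfg" | sort -u)
    if [ -n "$left" ]; then
        echo "unsubstituted placeholders in $cfg:"
        printf '  %s\n' $left
        return 1
    fi
    for key in kernel_obj syzkaller image sshkey kernel; do
        path=$(sed -n "s/^[[:space:]]*\"$key\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$cfg")
        [ -e "$path" ] || echo "note: \"$key\" path does not exist yet: $path"
    done
}

# Constructed placeholder values; export the real ones in your build shell.
: "${KERNEL:=/path/to/kernel}"
: "${SYZKALLER:=/path/to/syzkaller}"
: "${BUILDROOT:=/path/to/buildroot}"
: "${TRUSTY:=/path/to/trusty}"

cfg_dir=$(mktemp -d)
trap 'rm -rf "$cfg_dir"' EXIT
# Constructed template: a subset of the manager config from this document.
cat > "$cfg_dir/trusty.cfg.in" <<'EOF'
{
  "name": "trusty",
  "target": "linux/arm64",
  "kernel_obj": "$KERNEL",
  "syzkaller": "$SYZKALLER",
  "image": "$BUILDROOT/output/images/rootfs.ext4",
  "sshkey": "$BUILDROOT/key",
  "type": "qemu",
  "vm": {
    "qemu": "$TRUSTY/build-root/build-qemu-generic-arm64-test-debug/qemu-build/aarch64-softmmu/qemu-system-aarch64",
    "kernel": "$KERNEL/arch/arm64/boot/Image"
  }
}
EOF

render_cfg "$cfg_dir/trusty.cfg.in" "$cfg_dir/trusty.cfg"
check_manager_cfg "$cfg_dir/trusty.cfg" && echo "rendered: $cfg_dir/trusty.cfg"
```

Keep the template under version control and render it in the same shell in which the kernel, Trusty and buildroot trees were built; the "path does not exist yet" notes are the quickest way to spot a typo in one of the four variables before syz-manager fails to boot the VM.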