OP-TEE GP存储构建系统分析
构建系统架构概览
OP-TEE存储系统的构建采用模块化设计,支持条件编译、平台特定配置和可选特性的灵活组合。Copy
┌─────────────────────────────────────────────────────────────┐
│ Top-Level Makefile │ ← 顶层构建控制
├─────────────────────────────────────────────────────────────┤
│ Platform Configuration │ ← 平台特定配置
├─────────────────────────────────────────────────────────────┤
│ Storage Module Makefiles │ ← 存储模块构建
├─────────────────────────────────────────────────────────────┤
│ Conditional Compilation │ ← 条件编译控制
├─────────────────────────────────────────────────────────────┤
│ Feature Selection │ ← 特性选择
├─────────────────────────────────────────────────────────────┤
│ Dependency Management │ ← 依赖关系管理
└─────────────────────────────────────────────────────────────┘
核心构建配置
1. 主要配置选项
存储后端配置
位置:optee_os/mk/config.mk
Copy
################################################################################
# Storage Backend Configuration
################################################################################
# REE Filesystem Backend
CFG_REE_FS ?= y # 启用REE文件系统后端
CFG_REE_FS_BLOCK_SIZE ?= 4096 # REE FS块大小
CFG_REE_FS_MAX_FILE_SIZE ?= 0x200000 # REE FS最大文件大小 (2MB)
# RPMB Filesystem Backend
CFG_RPMB_FS ?= y # 启用RPMB文件系统后端
CFG_RPMB_FS_CACHE_ENTRIES ?= 8 # RPMB缓存条目数
CFG_RPMB_FS_HMAC_KEY ?= $(CFG_RPMB_TESTKEY) # RPMB HMAC密钥配置
CFG_RPMB_TESTKEY ?= y # 使用测试密钥(仅开发环境)
# Storage Path Configuration
CFG_TEE_FS_PARENT_PATH ?= /data/tee # REE存储根路径
CFG_TEE_FS_BACKUP_PATH ?= /data/tee_backup # 备份路径
# Storage Security Configuration
CFG_STORAGE_ENCRYPTION ?= y # 启用存储加密
CFG_STORAGE_HUK_REQUIRED ?= y # 要求硬件唯一密钥
CFG_STORAGE_ANTI_ROLLBACK ?= $(CFG_RPMB_FS) # 防回滚保护
# Storage Performance Configuration
CFG_TEE_POBJ_CACHE_SIZE ?= 16 # 持久化对象缓存大小
CFG_STORAGE_BLOCK_CACHE_SIZE ?= 32 # 块缓存大小
CFG_STORAGE_MAX_CONCURRENT_OPS ?= 8 # 最大并发操作数
# Storage Debugging Configuration
CFG_STORAGE_DEBUG ?= n # 存储调试开关
CFG_STORAGE_TRACE ?= n # 存储跟踪开关
CFG_STORAGE_BENCHMARK ?= n # 存储性能基准测试
依赖关系配置
Copy
################################################################################
# Storage Dependencies
################################################################################
# Core dependencies
$(call force, CFG_CRYPTO, y) # 存储需要加密支持
$(call force, CFG_TEE_CORE_LOG_LEVEL, 1) # 至少需要错误日志
# REE FS dependencies
ifeq ($(CFG_REE_FS),y)
$(call force, CFG_FS_HTREE, y) # REE FS需要哈希树
$(call force, CFG_RPC_FS, y) # REE FS需要RPC支持
endif
# RPMB FS dependencies
ifeq ($(CFG_RPMB_FS),y)
$(call force, CFG_RPMB_EMMC, y) # RPMB FS需要eMMC支持
$(call force, CFG_CRYPTO_GCM, y) # RPMB FS需要GCM加密
endif
# Conditional feature enabling
ifeq ($(CFG_STORAGE_ENCRYPTION),y)
$(call force, CFG_AES, y) # 加密需要AES支持
$(call force, CFG_SHA256, y) # 加密需要SHA256支持
endif
# Platform-specific dependencies
ifeq ($(PLATFORM_FLAVOR),qemu_virt)
$(call force, CFG_RPMB_TESTKEY, y) # QEMU使用测试密钥
endif
ifeq ($(PLATFORM_FLAVOR),hikey)
$(call force, CFG_RPMB_TESTKEY, n) # HiKey使用真实密钥
$(call force, CFG_UFS, y) # HiKey需要UFS支持
endif
2. 模块化构建文件
存储核心模块构建
位置:optee_os/core/tee/sub.mk
Copy
################################################################################
# TEE Storage Core Module
################################################################################
# Storage core source files
srcs-y += tee_svc_storage.c # 存储系统调用
srcs-y += tee_pobj.c # 持久化对象管理
srcs-y += tee_obj.c # 对象管理
srcs-y += tee_fs_key_manager.c # 密钥管理
# Storage backend source files
srcs-$(CFG_REE_FS) += tee_ree_fs.c # REE文件系统后端
srcs-$(CFG_RPMB_FS) += tee_rpmb_fs.c # RPMB文件系统后端
srcs-$(CFG_RPC_FS) += tee_fs_rpc.c # RPC文件系统
# Hash tree implementation
srcs-$(CFG_FS_HTREE) += fs_htree.c # 哈希树实现
srcs-$(CFG_FS_HTREE) += fs_dirfile.c # 目录文件管理
# Storage utilities
srcs-y += storage_utils.c # 存储工具函数
srcs-$(CFG_STORAGE_DEBUG) += storage_debug.c # 调试支持
# Conditional compilation flags
cflags-y += -DCFG_STORAGE_BLOCK_SIZE=$(CFG_STORAGE_BLOCK_SIZE)
cflags-y += -DCFG_STORAGE_MAX_FILE_SIZE=$(CFG_STORAGE_MAX_FILE_SIZE)
cflags-$(CFG_STORAGE_DEBUG) += -DSTORAGE_DEBUG
cflags-$(CFG_STORAGE_TRACE) += -DSTORAGE_TRACE
cflags-$(CFG_STORAGE_BENCHMARK) += -DSTORAGE_BENCHMARK
# Include directories
incdirs-y += $(optee_os-path)/core/include/tee
incdirs-y += $(optee_os-path)/core/arch/arm/include
加密模块构建
位置:optee_os/core/crypto/sub.mk
Copy
################################################################################
# Crypto Module for Storage
################################################################################
# Storage-related crypto sources
srcs-$(CFG_STORAGE_ENCRYPTION) += aes_gcm.c # AES-GCM认证加密
srcs-$(CFG_STORAGE_ENCRYPTION) += sha256.c # SHA256哈希
srcs-$(CFG_STORAGE_ENCRYPTION) += hmac.c # HMAC认证
srcs-$(CFG_FS_HTREE) += merkle_tree.c # Merkle树实现
# RPMB-specific crypto
srcs-$(CFG_RPMB_FS) += rpmb_hmac.c # RPMB HMAC
srcs-$(CFG_RPMB_FS) += rpmb_counter.c # RPMB计数器管理
# Key derivation
srcs-$(CFG_STORAGE_HUK_REQUIRED) += huk_derive.c # HUK密钥派生
srcs-y += storage_key_manager.c # 存储密钥管理
# Platform-specific crypto
srcs-$(CFG_ARM_CRYPTO_EXTENSION) += arm_crypto_accel.c # ARM加密加速
客户端库构建
位置:optee_client/libteec/src/Makefile
Copy
################################################################################
# TEE Client Library - Storage Support
################################################################################
# Client library sources
SRCS += tee_client_api.c # TEE客户端API
SRCS += teec_trace.c # 跟踪支持
# Storage-specific client sources
SRCS-$(CFG_FS_CLIENT_SUPPORT) += fs_client.c # 文件系统客户端支持
# Build flags
CFLAGS += -DCFG_TEE_CLIENT_LOAD_PATH=\"$(CFG_TEE_CLIENT_LOAD_PATH)\"
CFLAGS += -DCFG_TEE_FS_PARENT_PATH=\"$(CFG_TEE_FS_PARENT_PATH)\"
# Platform-specific flags
ifeq ($(PLATFORM),linux)
CFLAGS += -DLINUX_PLATFORM
LDFLAGS += -lpthread
endif
# Debugging support
CFLAGS-$(CFG_STORAGE_CLIENT_DEBUG) += -DSTORAGE_CLIENT_DEBUG
3. 平台特定构建配置
ARM平台构建配置
位置:optee_os/core/arch/arm/plat-*/conf.mk
Copy
################################################################################
# ARM Platform Storage Configuration
################################################################################
# Platform CPU configuration
include core/arch/arm/cpu/cortex-a53.mk
# Storage backend selection
CFG_REE_FS ?= y # 默认启用REE FS
CFG_RPMB_FS ?= $(call cfg-one-enabled, CFG_RPMB_EMMC) # 根据RPMB支持启用
# Platform memory configuration
CFG_CORE_HEAP_SIZE ?= 131072 # 128KB核心堆
CFG_TEE_RAM_VA_SIZE ?= 0x200000 # 2MB TEE RAM
# Storage paths
CFG_TEE_FS_PARENT_PATH ?= /data/tee
# Platform-specific optimizations
CFG_ARM_NEON ?= y # 启用NEON优化
CFG_ARM_CRYPTO_EXTENSION ?= y # 启用ARM加密扩展
# Security features
CFG_STORAGE_HUK_REQUIRED ?= y # 要求HUK
CFG_WITH_SECURE_TIME_SOURCE_CNTPCT ?= y # 安全时间源
# Debug configuration
CFG_TEE_CORE_LOG_LEVEL ?= 1 # 错误级别日志
CFG_STORAGE_DEBUG ?= n # 生产环境关闭调试
QEMU平台构建配置
位置:optee_os/core/arch/arm/plat-virt/conf.mk
Copy
################################################################################
# QEMU Virtual Platform Configuration
################################################################################
# QEMU platform base
include core/arch/arm/cpu/cortex-a15.mk
# QEMU-specific storage configuration
CFG_REE_FS ?= y # REE FS用于开发
CFG_RPMB_FS ?= y # QEMU模拟RPMB
CFG_RPMB_TESTKEY ?= y # 使用测试密钥
# Development features
CFG_STORAGE_DEBUG ?= y # 开发环境启用调试
CFG_STORAGE_TRACE ?= y # 启用跟踪
CFG_STORAGE_BENCHMARK ?= y # 启用性能测试
# Memory configuration (generous for development)
CFG_CORE_HEAP_SIZE ?= 262144 # 256KB核心堆
CFG_TEE_RAM_VA_SIZE ?= 0x400000 # 4MB TEE RAM
# QEMU-specific paths
CFG_TEE_FS_PARENT_PATH ?= /tmp/optee_fs
# Relaxed security for development
CFG_STORAGE_HUK_REQUIRED ?= n # 开发环境不强制HUK
CFG_RPMB_STRICT_COUNTER ?= n # 放宽RPMB计数器检查
4. 特性选择和条件编译
特性组合验证
位置:optee_os/mk/checkconf.mk
Copy
################################################################################
# Storage Configuration Validation
################################################################################
# Validate storage backend selection
ifeq ($(CFG_REE_FS)$(CFG_RPMB_FS),nn)
$(error At least one storage backend must be enabled)
endif
# Validate RPMB configuration
ifeq ($(CFG_RPMB_FS),y)
ifeq ($(CFG_RPMB_EMMC),n)
$(error RPMB FS requires eMMC RPMB support)
endif
endif
# Validate encryption configuration
ifeq ($(CFG_STORAGE_ENCRYPTION),y)
ifeq ($(CFG_AES)$(CFG_SHA256),ny)
$(error Storage encryption requires AES support)
endif
ifeq ($(CFG_AES)$(CFG_SHA256),yn)
$(error Storage encryption requires SHA256 support)
endif
endif
# Validate platform compatibility
ifneq ($(filter $(PLATFORM_FLAVOR),qemu_virt),)
ifeq ($(CFG_RPMB_TESTKEY),n)
$(warning QEMU platform should use RPMB test key)
endif
endif
# Validate memory configuration
ifeq ($(shell test $(CFG_CORE_HEAP_SIZE) -lt 65536; echo $$?),0)
$(error Core heap size too small for storage operations)
endif
# Check for conflicting options
ifeq ($(CFG_STORAGE_DEBUG)$(CFG_RELEASE_BUILD),yy)
$(warning Debug options enabled in release build)
endif
条件编译宏定义
位置:optee_os/core/include/tee/storage_config.h
Copy
#ifndef STORAGE_CONFIG_H
#define STORAGE_CONFIG_H
/* 基础存储配置 */
#ifdef CFG_REE_FS
#define TEE_STORAGE_REE_FS_ENABLED 1
#else
#define TEE_STORAGE_REE_FS_ENABLED 0
#endif
#ifdef CFG_RPMB_FS
#define TEE_STORAGE_RPMB_FS_ENABLED 1
#else
#define TEE_STORAGE_RPMB_FS_ENABLED 0
#endif
/* 安全配置 */
#ifdef CFG_STORAGE_ENCRYPTION
#define TEE_STORAGE_ENCRYPTION_ENABLED 1
#define TEE_STORAGE_AES_KEY_SIZE 32 /* AES-256 */
#else
#define TEE_STORAGE_ENCRYPTION_ENABLED 0
#endif
#ifdef CFG_STORAGE_HUK_REQUIRED
#define TEE_STORAGE_HUK_REQUIRED 1
#else
#define TEE_STORAGE_HUK_REQUIRED 0
#endif
/* 性能配置 */
#ifndef CFG_TEE_POBJ_CACHE_SIZE
#define CFG_TEE_POBJ_CACHE_SIZE 16
#endif
#ifndef CFG_STORAGE_BLOCK_SIZE
#define CFG_STORAGE_BLOCK_SIZE 4096
#endif
#ifndef CFG_STORAGE_MAX_FILE_SIZE
#define CFG_STORAGE_MAX_FILE_SIZE 0x200000 /* 2MB */
#endif
/* RPMB配置 */
#ifdef CFG_RPMB_FS
#ifndef CFG_RPMB_FS_CACHE_ENTRIES
#define CFG_RPMB_FS_CACHE_ENTRIES 8
#endif
#ifdef CFG_RPMB_TESTKEY
#define TEE_RPMB_USE_TEST_KEY 1
#else
#define TEE_RPMB_USE_TEST_KEY 0
#endif
#endif
/* 调试配置 */
#ifdef CFG_STORAGE_DEBUG
#define TEE_STORAGE_DEBUG_ENABLED 1
#define STORAGE_DEBUG(fmt, ...) DMSG(fmt, ##__VA_ARGS__)
#else
#define TEE_STORAGE_DEBUG_ENABLED 0
#define STORAGE_DEBUG(fmt, ...) do {} while(0)
#endif
#ifdef CFG_STORAGE_TRACE
#define TEE_STORAGE_TRACE_ENABLED 1
#define STORAGE_TRACE(fmt, ...) TMSG(fmt, ##__VA_ARGS__)
#else
#define TEE_STORAGE_TRACE_ENABLED 0
#define STORAGE_TRACE(fmt, ...) do {} while(0)
#endif
/* 特性检查宏 */
#define TEE_STORAGE_HAS_REE_FS() (TEE_STORAGE_REE_FS_ENABLED)
#define TEE_STORAGE_HAS_RPMB_FS() (TEE_STORAGE_RPMB_FS_ENABLED)
#define TEE_STORAGE_HAS_ENCRYPTION() (TEE_STORAGE_ENCRYPTION_ENABLED)
/* 编译时断言 */
#if !TEE_STORAGE_REE_FS_ENABLED && !TEE_STORAGE_RPMB_FS_ENABLED
#error "At least one storage backend must be enabled"
#endif
#if TEE_STORAGE_ENCRYPTION_ENABLED && !defined(CFG_AES)
#error "Storage encryption requires AES support"
#endif
#endif /* STORAGE_CONFIG_H */
5. 构建优化和变体
优化级别配置
Copy
################################################################################
# Storage Build Optimization
################################################################################
# Release build optimization
ifeq ($(CFG_RELEASE_BUILD),y)
cflags-y += -O2 -DNDEBUG # 优化级别2,禁用断言
cflags-y += -fomit-frame-pointer # 省略帧指针
cflags-y += -ffunction-sections # 函数节优化
cflags-y += -fdata-sections # 数据节优化
ldflags-y += --gc-sections # 垃圾回收未使用节
else
# Debug build configuration
cflags-y += -O0 -g -DDEBUG # 无优化,调试信息
cflags-y += -fno-omit-frame-pointer # 保留帧指针用于调试
endif
# Storage-specific optimizations
ifeq ($(CFG_STORAGE_OPTIMIZED),y)
cflags-y += -finline-functions # 内联函数优化
cflags-y += -funroll-loops # 循环展开
cflags-$(CFG_ARM_NEON) += -mfpu=neon # NEON SIMD优化
endif
# Size optimization for embedded systems
ifeq ($(CFG_STORAGE_SIZE_OPTIMIZED),y)
cflags-y += -Os # 大小优化
cflags-y += -fno-unwind-tables # 移除unwind表
cflags-y += -fno-asynchronous-unwind-tables
endif
构建变体支持
Copy
################################################################################
# Storage Build Variants
################################################################################
# Development variant
ifeq ($(STORAGE_VARIANT),dev)
CFG_STORAGE_DEBUG := y
CFG_STORAGE_TRACE := y
CFG_STORAGE_BENCHMARK := y
CFG_RPMB_TESTKEY := y
override CFG_RELEASE_BUILD := n
endif
# Production variant
ifeq ($(STORAGE_VARIANT),prod)
CFG_STORAGE_DEBUG := n
CFG_STORAGE_TRACE := n
CFG_STORAGE_BENCHMARK := n
CFG_RPMB_TESTKEY := n
override CFG_RELEASE_BUILD := y
endif
# Security-focused variant
ifeq ($(STORAGE_VARIANT),secure)
CFG_STORAGE_HUK_REQUIRED := y
CFG_STORAGE_ANTI_ROLLBACK := y
CFG_RPMB_STRICT_COUNTER := y
CFG_STORAGE_ENCRYPTION := y
override CFG_RPMB_TESTKEY := n
endif
# Performance variant
ifeq ($(STORAGE_VARIANT),perf)
CFG_STORAGE_OPTIMIZED := y
CFG_TEE_POBJ_CACHE_SIZE := 32
CFG_STORAGE_BLOCK_CACHE_SIZE := 64
CFG_STORAGE_MAX_CONCURRENT_OPS := 16
endif
6. 构建脚本和工具
自动化构建脚本
Copy
#!/bin/bash
# build_storage.sh - 存储系统构建脚本
set -e
# 默认配置
PLATFORM=${PLATFORM:-qemu_virt}
VARIANT=${VARIANT:-dev}
TOOLCHAIN=${TOOLCHAIN:-aarch64-linux-gnu-}
OUTPUT_DIR=${OUTPUT_DIR:-out}
# 设置环境变量
export CROSS_COMPILE=$TOOLCHAIN
export PLATFORM_FLAVOR=$PLATFORM
export STORAGE_VARIANT=$VARIANT
echo "Building OP-TEE Storage System..."
echo "Platform: $PLATFORM"
echo "Variant: $VARIANT"
echo "Toolchain: $TOOLCHAIN"
# 清理构建目录
make -C optee_os clean
make -C optee_client clean
# 构建TEE OS
echo "Building TEE OS..."
make -C optee_os \
PLATFORM=$PLATFORM \
CFG_STORAGE_VARIANT=$VARIANT \
O=$OUTPUT_DIR/optee_os
# 构建客户端库
echo "Building client library..."
make -C optee_client \
CROSS_COMPILE=$TOOLCHAIN \
O=$OUTPUT_DIR/optee_client
# 构建测试和示例
echo "Building tests and examples..."
make -C optee_test \
CROSS_COMPILE=$TOOLCHAIN \
O=$OUTPUT_DIR/optee_test
make -C optee_examples \
CROSS_COMPILE=$TOOLCHAIN \
O=$OUTPUT_DIR/optee_examples
echo "Build completed successfully!"
echo "Output directory: $OUTPUT_DIR"
配置验证工具
Copy
#!/usr/bin/env python3
# validate_storage_config.py - 存储配置验证工具
import sys
import re
import os
def parse_config_file(config_path):
"""解析配置文件并提取配置选项"""
config = {}
with open(config_path, 'r') as f:
for line in f:
# 匹配 CFG_XXX ?= value 或 CFG_XXX := value
match = re.match(r'CFG_(\w+)\s*[?:]?=\s*(\w+)', line.strip())
if match:
key, value = match.groups()
config[key] = value
return config
def validate_storage_config(config):
"""验证存储配置的一致性"""
errors = []
warnings = []
# 检查存储后端
ree_fs = config.get('REE_FS', 'n') == 'y'
rpmb_fs = config.get('RPMB_FS', 'n') == 'y'
if not ree_fs and not rpmb_fs:
errors.append("At least one storage backend must be enabled")
# 检查RPMB依赖
if rpmb_fs:
if config.get('RPMB_EMMC', 'n') != 'y':
errors.append("RPMB_FS requires RPMB_EMMC support")
# 检查加密依赖
if config.get('STORAGE_ENCRYPTION', 'n') == 'y':
if config.get('AES', 'n') != 'y':
errors.append("Storage encryption requires AES support")
if config.get('SHA256', 'n') != 'y':
errors.append("Storage encryption requires SHA256 support")
# 检查内存配置
heap_size = int(config.get('CORE_HEAP_SIZE', '65536'))
if heap_size < 65536:
warnings.append(f"Core heap size ({heap_size}) may be too small")
# 检查调试配置
if (config.get('STORAGE_DEBUG', 'n') == 'y' and
config.get('RELEASE_BUILD', 'n') == 'y'):
warnings.append("Debug options enabled in release build")
return errors, warnings
def main():
if len(sys.argv) != 2:
print("Usage: validate_storage_config.py <config_file>")
sys.exit(1)
config_file = sys.argv[1]
if not os.path.exists(config_file):
print(f"Error: Config file {config_file} not found")
sys.exit(1)
print(f"Validating storage configuration: {config_file}")
config = parse_config_file(config_file)
errors, warnings = validate_storage_config(config)
if errors:
print("\nErrors:")
for error in errors:
print(f" ❌ {error}")
if warnings:
print("\nWarnings:")
for warning in warnings:
print(f" ⚠️ {warning}")
if not errors and not warnings:
print("✅ Configuration is valid")
sys.exit(1 if errors else 0)
if __name__ == "__main__":
main()
构建最佳实践
1. 构建环境配置
- 工具链版本: 使用稳定的工具链版本
- 依赖管理: 明确列出所有构建依赖
- 环境隔离: 使用容器或虚拟环境隔离构建
- 版本控制: 对构建配置进行版本控制
2. 配置管理
- 分层配置: 使用分层的配置文件管理
- 配置验证: 自动验证配置一致性
- 文档同步: 保持配置文档与代码同步
- 默认安全: 使用安全的默认配置
3. 构建优化
- 并行构建: 利用多核进行并行构建
- 增量构建: 支持增量构建减少时间
- 缓存利用: 使用构建缓存提高效率
- 分析工具: 使用构建分析工具优化
总结
OP-TEE的GP存储构建系统具有以下特点:- 模块化设计: 清晰的模块划分和依赖管理
- 灵活配置: 支持平台特定和特性特定的配置
- 条件编译: 通过宏定义实现精细的特性控制
- 构建变体: 支持开发、生产、安全等不同构建变体
- 自动化工具: 提供构建脚本和配置验证工具