Artik 5 hands on - a first look at TEE development on Artik

Hands on the Artik

I recently got an Artik 5 development board (https://www.artik.io/hardware/artik-5). It's Samsung's IoT device, aimed at various applications:

  • IoT Hub
  • Home IP camera
  • Wearables
  • IoT end node

It has a full set of security features, and crucially the Artik 5 and 10 support the Trustonic TEE.

In this blog I take a look at development using the Artik board, and run a Trustonic SDK sample on the board.

Getting connected

The board connects to your development machine via USB, much like an Android mobile device. It supports the Android debug bridge, adb (for more info - http://developer.android.com/tools/help/adb.html), so getting up and running, and poking around on the board is simple. You should make sure you start adb on the board by running start_adbd.sh.

With adb devices, I can see the Artik 5 listed:

You can use adb shell to get a shell on the device, adb push/pull to copy files to/from the board. All familiar things if you've programmed on Android before.

Trustonic SDK install

In the r10 release of the SDK we've added support for Artik. Our sample client applications can now also be built for the Fedora 24 OS that the Artik runs. If you're new to the Trustonic SDK, I recommend reading /develop/get-started, and some of the earlier blogs on trusted application development.

The SDK installation is the same as before, except you'll need to reference the Linaro GCC 4.9.3 compiler that we'll use for cross compiling the client application for Fedora. You can download this tool from https://releases.linaro.org/15.02/components/toolchain/binaries/arm-linux-gnueabihf/gcc-linaro-4.9-2015.02-3-x86_64_arm-linux-gnueabihf.tar.xz.

We then edit the setup.sh script in the root of the r10 SDK to reference GCC 4.9.3 for GNUEABI builds:

Building trusted applications

Trusted applications are built the same way for Artik as for any other device that supports the Trustonic TEE. The samples in the Trustonic SDK come with build scripts and makefiles. To build a sample as a system trusted application, edit its makefile. For the Rot13 sample this is Samples/Rot13/TlSampleRot13/Locals/Code/makefile.mk:

  TA_SERVICE_TYPE := SYS
  TA_KEYFILE := Locals/Build/pairVendorTltSig.pem
  TA_DEBUGGABLE := Y

Once built, our trusted application can be copied to the Artik with adb push.

Building client applications

Artik runs Fedora 24, which means we must build the client application targeting this platform. So before we build a sample client application, we set TOOLCHAIN=GNUEABI and execute the build script as before. You'll need to modify the call to tlcOpen to specify a system trusted application:

  tlcOpen(MC_SPID_SYSTEM, pTAData, nTASize)

Once built, our client application is ready to be copied to the Artik with adb push.
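The trusted application's makefile and the client's tlcOpen call both have to say "system" for the sample to load as a system trusted application, so a small pre-build check can catch a half-applied edit. This is an added example, not part of the Trustonic SDK or the original post; the function names mk_var and check_sys_ta and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks the two "system TA" edits described on this page.
# Function names and the sample files are made up here; none of this is SDK code.

# mk_var FILE NAME: print the last value assigned to NAME (":=" or "=").
mk_var() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:\{0,1\}=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# check_sys_ta MAKEFILE CLIENT_SOURCE: return 0 only if both sides say "system".
check_sys_ta() {
    mk=$1; src=$2; rc=0
    svc=$(mk_var "$mk" TA_SERVICE_TYPE)
    key=$(mk_var "$mk" TA_KEYFILE)
    dbg=$(mk_var "$mk" TA_DEBUGGABLE)
    if [ "$svc" != "SYS" ]; then
        echo "FAIL: TA_SERVICE_TYPE is '${svc:-unset}', expected SYS" >&2; rc=1
    fi
    if [ -z "$key" ]; then
        echo "FAIL: TA_KEYFILE is not set" >&2; rc=1
    fi
    # Ignore whole-line // comments, then require tlcOpen(MC_SPID_SYSTEM, ...
    if ! grep -v '^[[:space:]]*//' "$src" |
        grep -Eq 'tlcOpen[[:space:]]*\([[:space:]]*MC_SPID_SYSTEM[[:space:]]*,'; then
        echo "FAIL: no tlcOpen(MC_SPID_SYSTEM, ...) call in $src" >&2; rc=1
    fi
    # Print the effective settings, including the debug flag, for the build log.
    echo "TA_SERVICE_TYPE=$svc TA_KEYFILE=$key TA_DEBUGGABLE=${dbg:-unset}"
    return "$rc"
}

# Constructed sample input mirroring the settings shown above (not SDK files).
demo_dir=$(mktemp -d)
printf '%s\n' 'TA_SERVICE_TYPE := SYS' \
    'TA_KEYFILE := Locals/Build/pairVendorTltSig.pem' \
    'TA_DEBUGGABLE := Y' > "$demo_dir/makefile.mk"
printf '%s\n' 'ret = tlcOpen(MC_SPID_SYSTEM, pTAData, nTASize);' \
    > "$demo_dir/client.c"
check_sys_ta "$demo_dir/makefile.mk" "$demo_dir/client.c"
```

The check only skips whole-line // comments in the client source, and it prints TA_DEBUGGABLE so the debug setting is visible in the build log.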

Running and debugging

Having copied both the client application and trusted application to the Artik board with adb push, we can run the sample from the shell:

There we go! We have successfully built and run one of the Trustonic SDK samples on the Artik 5 board. You can debug with traces and use the dmesg command to see output from the trusted application.