How to Enable or Disable Trusty for Debugging

Trusty is a mandatory component since Android Oreo dessert onwards. It provides the hardware-backed security services such as the keymaster, gatekeeper, crypto, and so forth. These services are required for applications such as data storage encryption.

How to enable Trusty

Project Celadon supports Trusty. To enable Trusty explicitly, update the config file device/intel/project-celadon/$<lunch-target>/mixins.spec in the device config project ‘device-androidia’ as follows:

..
[groups]
device-specific: celadon
treble: true
..
trusty: true(ref_target=$<target name>)

The following parameters are valid options within the brackets in the previous configuration setting:

  • ref_target : mandatory

    This option defines the reference target device.

    For project Celadon, it can be any of the following values:

    project-celadon_apl : For IVI usage running on Intel Apollo Lake family

    project-celadon_kbl : For IVI usage running on Intel Kaby Lake Core processor

    project-celadon_64 : For tablet usage running on for Commercial Kaby Lake and Apollo Lake NUCs

  • enable_hw_sec : optional

    This flag indicates the Trusty feature is backed by hardware or software. By setting this option to true, the security services are provided by the Trusty, or the software-backed security services are used.

    Default: true

  • enable_storage_proxyd : optional

    This flag defines whether the storge proxy daemon service is started or not. At present, this flag must be set to true when Trusty is enabled.

    Default: true

  • keymaster_version : optional

    This option specifies the keymaster HAL version is used, it can be 1 or 2. Note, keymaster 3.0 uses the HAL version 2.

    Default: 2

Important

Those optional parameters are primarily used for debugging purposes during the development. Users should not set any of the parameters explicitly unless the impact is clearly understood.

After the mixin configuration is changed, the user must run the mixin-update script before re-building the image in order to apply the changes to the project device configuration. Follow the instructions in Build Celadon From Source Guide to rebuild the Celadon images.

$ device/intel/mixins/mixin-update

How to disable Trusty

It is common practice to disable the Trusty temporarily for ease of debugging while you bring up a new platform, or migrate to the new Android dessert. To disable, set the ‘trusty’ option to false in the mixins config file mixins.spec of the device config project, and update the mixins configurations with the device/intel/mixins/mixin-update script. Then, the Trusty is disabled after rebuilding the Celadon image.

..
[groups]
device-specific: celadon
treble: true
..
trusty: false