Trusty is a mandatory component since Android Oreo dessert onwards. It provides the hardware-backed security services such as the keymaster, gatekeeper, crypto, and so forth. These services are required for applications such as data storage encryption.
How to enable Trusty
Project Celadon supports Trusty. To enable Trusty explicitly, update the config file
device/intel/project-celadon/$<lunch-target>/mixins.spec in the device config project ‘device-androidia’ as follows:
.. [groups] device-specific: celadon treble: true .. trusty: true(ref_target=$<target name>)
The following parameters are valid options within the brackets in the previous configuration setting:
This option defines the reference target device.
For project Celadon, it can be any of the following values:
project-celadon_apl : For IVI usage running on Intel Apollo Lake family
project-celadon_kbl : For IVI usage running on Intel Kaby Lake Core processor
project-celadon_64 : For tablet usage running on for Commercial Kaby Lake and Apollo Lake NUCs
This flag indicates the Trusty feature is backed by hardware or software. By setting this option to true, the security services are provided by the Trusty, or the software-backed security services are used.
This flag defines whether the storge proxy daemon service is started or not. At present, this flag must be set to true when Trusty is enabled.
This option specifies the keymaster HAL version is used, it can be 1 or 2. Note, keymaster 3.0 uses the HAL version 2.
Those optional parameters are primarily used for debugging purposes during the development. Users should not set any of the parameters explicitly unless the impact is clearly understood.
After the mixin configuration is changed, the user must run the mixin-update script before re-building the image in order to apply the changes to the project device configuration. Follow the instructions in Build Celadon From Source Guide to rebuild the Celadon images.
How to disable Trusty
It is common practice to disable the Trusty temporarily for ease of debugging
while you bring up a new platform, or migrate to the new Android dessert.
To disable, set the ‘trusty’ option to false in the mixins config file
mixins.spec of the device config project, and update the mixins configurations
with the device/intel/mixins/mixin-update script. Then, the Trusty is disabled after rebuilding the Celadon image.
.. [groups] device-specific: celadon treble: true .. trusty: false