In this tutorial, we will cover the installation of TPM emulator, TrouSerS (the open source Trusted Computing Software Stack) and IMA (Integrity Measurement Architecture) on the Android platform. This tutorial is based on Ubuntu 10.10 (x86), Android source code (froyo version) & Android golfish kernel 2.6.29. This tutorial is aimed at relative newbies so each step will be explained in detail. Here are the steps that are needed to successfully download, build and run a specific kernel (with the above mentioned features) on the emulator.
1. Installing the prerequisites
1.1 Installing the JDK
The Sun JDK is no longer in Ubuntu’s main package repository. In order to download it through apt-get, you need to add the appropriate repository and indicate to the system which JDK should be used.
Java 5: for Froyo and older versions of Android
$ sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu dapper main multiverse"
$ sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu dapper-updates main multiverse"
$ sudo add-apt-repository "deb http://us.archive.ubuntu.com/ubuntu/ hardy multiverse"
$ sudo add-apt-repository "deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse"
$ sudo apt-get update
$ sudo apt-get install sun-java5-jdk
1.2 Installing required packages for Android source
You will need to install a number of required packages in order to set up your development environment. Run the following command to install these packages:
$ sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl zlib1g-dev libc6-dev libncurses5-dev x11proto-core-dev libx11-dev libreadline5-dev libz-dev libgl1-mesa-dev
2. Building & Running Android Kernel:
2.1 Download Android Source
(a) Installing Repo
repo is a repository management tool that work on top of Git in the context of Android. You will need it to download Android source on your local machine.
Create a bin/ directory in your home directory to install Repo client, and included it in your path:
$ mkdir ~/bin
Download the Repo script and ensure it is executable:
$ curl http://android.git.kernel.org/repo > ~/bin/repo
$ curl https://dl-ssl.google.com/dl/googlesource/git-repo/repo > ~/bin/repo
$ chmod a+x ~/bin/repo
(b) Initializing Repo Client
Once Repo is installed you will need to initialize it to access Android source repository. In your home directory create an empty directory to hold the Android source code at your machine:
$ mkdir mydroid # Android Source Directory
$ cd mydroid
Since we want to download the Froyo version, we will specify it in the command as:
$ repo init -u git://android.git.kernel.org/platform/manifest.git -b froyo
$ repo init -u https://android.googlesource.com/platform/manifest -b froyo
Repo will prompt you for your name & email address which is used in case you are submitting your own changes/contribution to the Android source code. If the Repo is initialized successfully it will end with a message stating that Repo is initialized in your working directory i.e., mydroid in this case.
Run the following command to start the download process to your working directory from the Android repositories:
$ repo sync
Sit back and relax as it will take some time to complete the download.
(c) Build the Android source code
Initialize the build environment with the envsetup.sh script:
$ . build/envsetup.sh
$ lunch full-eng
Build the Android source with the following command:
$ make -j4
(The number of threads with the ‘j’ option depends on your hardware, you can specify a higher or lower value accordingly)
2.2 Building custom kernel
In the standard Android open source distribution the kernel is distributed as a pre-built binary in the mydroid/prebuilt/android-arm/kernel folder and the source code is not included. The kernel source was removed from the default manifest for two reasons. One is that it takes a lot of bandwidth and disk-space for a platform component that most people will not work with much. The other reason is that since the kernel is built with the kernel build system and not as part of the Android Open Source Project (AOSP) build system it makes sense to keep it separated. The common branch for the kernel is the one used by the emulator.
The Android emulator runs a virtual CPU that Google calls Goldfish. This is a specific kernel which we will download, build and run on the emulator. You can download the android goldfish kernel from here:
It might take a while for the download to complete. Once downloaded, the name should look something like this: common-archive.android-gldfish-2.6.29-xxxx.tar.gz
(a) Extract the kernel:
$ tar -xvzf common-archive.android-gldfish-2.6.29-xxxx.tar.gz
For simplicity rename the kernel to a suitable name (goldfish-kernel)
$ mv common-archive.android-gldfish-2.6.29-xxxx.tar.gz goldfish-kernel
Copy the goldfish-kernel folder to your home directory. Move to the extracted kernel directory and remove world writable permissions from the source code:
$ cd goldfish-kernel
$ find -print0 | xargs -0 chmod go-w --
You will need a configuration file to compile the kernel. Generate the emulator configuration (qemu emulator runs arm code, i.e. an arm config) as:
$ make ARCH=arm goldfish_defconfig
(b) Download & Apply patches
Download the patches from here and save in a folder in your home directory (/home/yourHomeDir/patches). Apply the patches to the goldfish-kernel (make sure you are in the goldfish-kernel directory).
Patch 1: IBM IMA patch (ibm_ima_184.108.40.206.patch, license: GPL V2)
$ patch -p1 < /home/yourHomeDir/patches/ibm_ima_220.127.116.11.patch
Patch 2: IMA Modification for Android (ima_patch_android.patch, license: GPL V2)
$ patch -p1 < /home/yourHomeDir/patches/ima_patch_android.patch
Patch 3: TPM device driver (tpmd.patch, license: GPL)
$ patch -p1 < /home/yourHomeDir/patches/tpmd.patch
Patch 4: Kernel configuration patch (config.patch, license: GPL)
$ patch -p1 < /home/yourHomeDir/patches/config.patch
(c) Build the kernel:
Executing GNU make command will build the kernel:
$ ARCH=arm CROSS_COMPILE=/home/yourHomeDir/mydroid/prebuilt/linux-x86/toolchain/arm-eabi-4.2.1/bin/arm-eabi- make -j4
Make sure that you set the ANDROID_SOURCE path correctly. After the compilation finishes, the last couple of lines should show:
Kernel: arch/arm/boot/Image is ready
Kernel: arch/arm/boot/zImage is ready
The kernel built this way should end up in the arch/arm/boot folder of goldfish-kernel (where you download the kernel code).
2.3 Compiling the GMP library for Android:
GMP is a free library for arbitrary precision arithmetic, operating on signed integers, rational numbers, and floating point numbers. The main target applications for GMP are cryptography applications and research, Internet security applications, algebra systems, computational algebra research, etc. You can find more about GMP here.
In order to cross compile GMP library for Android we will use Droid-Wrapper. The Droid-Wrapper is used to compile native programs for Android. It is very hard to port software which uses the autotools (autoconf, automake, libtool etc) because different options are needed for linking shared library and program binary. Thanks to Takuya Murakami for providing the Droid-Wrapper script.
(a) Install ruby:
Install ruby if it is not already installed. It is required by the Droid-Wrapper, On Ubuntu/Debian-based Systems:
$ sudo apt-get install ruby
(b) Download and install droid-wrapper:
(i) Download the droid-wrapper script in the home directory:
$ cd ~
$ wget https://download.github.com/tmurakam-droid-wrapper-v1.0.4-5-g04eb4dc.tar.gz
(ii) Extract the droid-wrapper
$ tar -xvzf tmurakam-droid-wrapper-v1.0.4-5-g04eb4dc.tar.gz (version may change)
(iii) Move to the extracted droid-wrapper source directory
$ cd tmurakam-droid-wrapper-04eb4dc
$ sudo make install
(droid-gcc, droid-g++, and droid-ld commands will be installed under /usr/local/bin)
(c) Specify following environment variables for droid-wrapper:
DROID_ROOT: Android source tree directory
$ export DROID_ROOT=/home/yourHomeDir/mydroid
(Make sure that you set the ANDROID_SOURCE path correctly)
DROID_TARGET: Compile target (generic, dream-open etc)
$ export DROID_TARGET="generic"
(d) Download and cross-compile the GMP library:
The GNU Multiple Precision Arithmetic Library source code is free available. Download the version 4.3.2 (gmp-4.3.2.tar.bz2).
$ cd ~
$ wget http://ftp.gnu.org/gnu/gmp/gmp-4.3.2.tar.bz2
Extract the gmp-4.3.2.tar.bz2 library
$ tar -xvjf gmp-4.3.2.tar.bz2
Move to the extracted directory
$ cd gmp-4.3.2
$ mkdir install
$ CC=droid-gcc LD=droid-ld ./configure -prefix=path/to/install -build=i686-pc-linux-gnu -host=arm-linux-gnueabi
Make sure that you set the -prefix option (path to the install directory) correctly.
Install the GMP library by the executing the following commands:
$ make install
This will install the GMP library under /path/to/gmp-4.3.2/install/lib. The header file (gmp.h) can be found under install/include.
2.4 Patching TPM emulator, TPM tools and TrouSerS to Android Source:
The TPM emulator, TPM tools & TrouSerS need to be added to the Android source before building it.
(a) Move to the android-source directory & perform clean up of the build directory:
$ cd /home/yourHomeDir/mydroid
$ make clean
(b) Apply the mydroid patch (previously downloaded):
TrouSerS, TPM Emulator, TPM Tools for Android (mydroid.patch, license: CPL)
$ patch -p1 </home/yourHomeDir/patches/mydroid.patch
(c) Copy the previously built GMP library to android-source:
The GMP library (libgmp.a) is residing in /path/to/gmp-4.3.2/install/lib copy it to /home/yourHomeDir/mydroid/frameworks/base/libs/libgmp
$ cp /path/to/gmp-4.3.2/install/lib/libgmp.a /home/yourHomeDir/mydroid/frameworks/base/libs/libgmp
(d) Build the Android source again:
$ make -j4
2.5 Run the Emulator:
The emulator command is used to run the emulator. If you don’t specify the custom compiled kernel with -kernel option, the emulator will load the prebuilt kernel which comes with Android source. Obviously, the prebuilt kernel has no TPM or IMA feautures. So, run the emulator with the goldfish kernel image that is compiled during this tutorial:
$ emulator -kernel /home/yourHomeDir/goldfish-kernel/arch/arm/boot/zImage
To check whether the patched stuff is working or not, open a new terminal and perform the following steps:
(a) Open ADB shell:
Android Debug Bridge (adb) is a tool that comes with Android source. It allows you to manage and interface with the state of an emulator instance or Android-powered device. In order to open adb shell initialize the build environment with the envsetup.sh script:
$ cd mydroid/
$ . build/envsetup.sh
$ lunch full-eng
Open the shell by the command:
$ adb shell
(b) Start the TPM daemon (tpmd):
The TPM daemon should start during the emulator initialization. It may fails to start if the socket /data/tpmd_socket:0 file already exists. Normally this happens when the emulator is killed. If this is the case remove the socket file and start tpmd manually.
# rm /data/tpmd_socket:0
Optionaly: You can specify the parameters -d -f to retrieve additional debug information and to force tpmd to run in foreground respectively.
(c) Start tcsd:
The tcsd daemon manages Trusted Computing resources. It is a user space daemon & according to the TSS specification, it should be the only interface to the TPM device driver. This daemon should be started at boot time because it is supposed to open the TPM device driver and from that point on, all requests to the TPM should go through the TSS stack.
Optionaly: You can specify the parameter -f to force tcsd to run in foreground.
(d) Mount securityfs & verify that IMA is working correctly:
Securityfs is a pseudo-filesystem where you can only have files and directories in-memory to configure the specified security modules. This filesystem is meant to be used by security modules only. You need to mount the securityfs with read/write permissions:
# mount -o remount,rw -t securityfs securityfs /sys/kernel/security
The hash values of apk files and executables are stored in the /sys/kernel/security/ima you can view the hashes by the following command:
# cat /sys/kernel/security/ima/ascii_runtime_measurements
This will show you the measurement list of all the apk files and executables loaded on the Android.
If you ends up with this error during the GMP compilation:
checking compiler droid-gcc -O2 -pedantic -fomit-frame-pointer … no
configure: error: could not find a working compiler, see config.log for details
It means that either you haven’t set the environment variables DROID_ROOT & DROID_TARGET correctly
or the lib directory is missing in /home/yourHomeDir/mydroid/out/target/product/generic/obj/
The config.log shows that:
configure:4417: droid-gcc -O2 -pedantic -fomit-frame-pointer conftest.c >&5
arm-eabi-gcc: /home/yourHomeDir/mydroid/out/target/product/generic/obj/lib/crtbegin_dynamic.o: No such file or directory
arm-eabi-gcc: /home/yourHomeDir/mydroid/out/target/product/generic/obj/lib/crtend_android.o: No such file or directory
You can search for the particular file in your Android source directory as:
$ find /home/yourHomeDir/mydroid/ -name crtbegin_dynamic.o
(copy the specific library folder that contain the file to /home/yourHomeDir/mydroid/out/target/product/generic/obj/ and re-run the command)
Sohail Khan is a PhD candidate at Malaysian Institute of Information Technology, University Kuala Lumpur, Malaysia. His research interests include information security and open source mobile platform. His recent research focuses on secure & trusted applications for mobile platforms to leverage Trusted Computing technologies for enhancing the trustworthiness of these platforms. He has a Masters in Information Technology and can be reached at sohail (dot) khan67 (at) gmail (dot) com.