new file mode 100644
@@ -0,0 +1,53 @@
+# The Trusted Services: framework for developing root-of-trust services
+
+ meta-arm layer includes recipes for [Trusted Services][1] Secure Partitions and Normal World applications
+in `meta-arm/recipes-security/trusted-services`
+
+## Secure Partitions recipes
+
+We define dedicated recipes for all supported Trusted Services (TS) Secure Partitions.
+These recipes produce ELF and DTB files for SPs.
+These files are automatically included into optee-os image accordingly to defined MACHINE_FEATURES.
+
+### How to include TS SPs
+
+To include TS SPs into optee-os image you need to add into MACHINE_FEATURES
+features for each [Secure Partition][2] you would like to include:
+
+| Secure Partition | MACHINE_FEATURE |
+| ----------------- | --------------- |
+| Attestation | ts-attesation |
+| Crypto | ts-crypto |
+| Internal Storage | ts-its |
+| Protected Storage | ts-storage |
+| se-proxy | ts-se-proxy |
+| smm-gateway | ts-smm-gateway |
+
+Other steps depend on your machine/platform definition:
+
+1. For communications between Secure and Normal Words Linux kernel option `CONFIG_ARM_FFA_TRANSPORT=y`
+is required. If your platform doesn't include it already you can add `arm-ffa` into MACHINE_FEATURES.
+
+2. optee-os might require platform specific OP-TEE build parameters (for example what SEL the SPM Core is implemented at).
+You can find examples in `meta-arm/recipes-security/optee/optee-os_%.bbappend` for qemuarm64-secureboot machine
+and in `meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc` and `meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc`
+for N1SDP and Corstone1000 platforms accordingly.
+
+3. trusted-firmware-a might require platform specific TF-A build parameters (SPD and SPMC details on the platform).
+See `meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` for qemuarm64-secureboot machine
+and in `meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-n1sdp.inc` and
+`meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc` for N1SDP and Corstone1000 platforms.
+
+## Normal World applications
+
+ Optionally for testing purposes you can add `packagegroup-ts-tests` and `packagegroup-ts-tests-psa` package groups into your image.
+They include [Trusted Services test and demo tools][3]
+
+## OEQA Trusted Services tests
+
+ meta-arm also includes Trusted Service OEQA tests which can be used for automated testing.
+See `ci/trusted-services.yml` for an example how to include them into an image.
+
+[1] https://trusted-services.readthedocs.io/en/integration/overview/introduction.html
+[2] https://trusted-services.readthedocs.io/en/integration/developer/deployments/secure-partitions.html
+[3] https://trusted-services.readthedocs.io/en/integration/developer/deployments/test-executables.html
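Review bot: the Attestation row of the MACHINE_FEATURES table gives the feature as `ts-attesation`, which is spelled differently from the partition name beside it. Readers will copy this string verbatim, and since the text says SPs are included in the optee-os image according to the defined MACHINE_FEATURES, a value that does not match what the recipes check would simply leave the Attestation SP out of the image; please confirm the string against the recipes and correct whichever side is wrong. Two smaller points in the same file: the reference definitions at the end are written as `[1] https://...` without a colon, so `[Trusted Services][1]`, `[Secure Partition][2]` and the `[3]` link will not resolve in Markdown (use `[1]: https://...`), and step 1 says "Secure and Normal Words" where "Worlds" is meant. Several lines also start with a stray leading space after the `+` (the first paragraph and the opening lines of the last two sections), which is worth dropping for consistency.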
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
---
 documentation/trusted-services.md | 53 +++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 documentation/trusted-services.md