* [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs
@ 2021-11-11 13:16 Maxim Uvarov
From: Maxim Uvarov @ 2021-11-11 13:16 UTC (permalink / raw)
To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov
Separate recipe for TA devkit is needed to solve
circular dependency to build TAs with the devkit
and integrate it inside optee-os.
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
.../recipes-security/optee/optee-examples.inc | 2 +-
.../optee/optee-os-tadevkit_3.14.0.bb | 20 +++++++++++++++++++
meta-arm/recipes-security/optee/optee-os.inc | 7 -------
3 files changed, 21 insertions(+), 8 deletions(-)
create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
index 921fa18..656722e 100644
--- a/meta-arm/recipes-security/optee/optee-examples.inc
+++ b/meta-arm/recipes-security/optee/optee-examples.inc
@@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
-DEPENDS = "optee-client optee-os python3-pycryptodome-native"
+DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native"
inherit python3native
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
new file mode 100644
index 0000000..0d37a52
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
@@ -0,0 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+require optee-os_3.14.0.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
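Review bot: `do_install` copies the export tree with `cp -aR $f`, which leaves `$f` unquoted and, through `-a`, keeps whatever ownership the build tree had; `cp -R --no-preserve=ownership "$f" ${D}${includedir}/optee/export-user_ta/` avoids carrying build-host ownership into the package. Stubbing `do_deploy()` with an `echo` still schedules and runs the task, whereas `do_deploy[noexec] = "1"` states the intent directly. Because the recipe does `require optee-os_3.14.0.bb`, OP-TEE is compiled a second time here, so the devkit that TAs are built and signed against comes from a different build than the firmware optee-os deploys; a comment should say that both must keep the same configuration. The export tree is copied wholesale, and as far as I know upstream's export directory includes a development TA signing key, so the recipe should also note that the staged devkit is not meant for production signing.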
diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
index 277646e..1506a58 100644
--- a/meta-arm/recipes-security/optee/optee-os.inc
+++ b/meta-arm/recipes-security/optee/optee-os.inc
@@ -46,12 +46,6 @@ do_install() {
#install core in firmware
install -d ${D}${nonarch_base_libdir}/firmware/
install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
-
- #install TA devkit
- install -d ${D}${includedir}/optee/export-user_ta/
- for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
- cp -aR $f ${D}${includedir}/optee/export-user_ta/
- done
}
PACKAGE_ARCH = "${MACHINE_ARCH}"
@@ -66,7 +60,6 @@ addtask deploy before do_build after do_install
SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
FILES:${PN} = "${nonarch_base_libdir}/firmware/"
-FILES:${PN}-dev = "${includedir}/optee/"
# note: "textrel" is not triggered on all archs
INSANE_SKIP:${PN} = "textrel"
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCHv2 2/3] add optee-ftpm
2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov
@ 2021-11-11 13:16 ` Maxim Uvarov
2021-11-11 19:13 ` [meta-arm] " Denys Dmytriyenko
2021-11-11 13:16 ` [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a Maxim Uvarov
2021-11-15 3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason
2 siblings, 1 reply; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-11 13:16 UTC (permalink / raw)
To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov
Add software TPM emulated in the OPTEE-OS.
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
.../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++
.../0002-add-enum-to-ta-flags.patch | 30 ++++++++
.../optee-ftpm/optee-ftpm_git.bb | 71 +++++++++++++++++++
.../optee-ftpm/optee-os_%.bbappend | 5 ++
4 files changed, 126 insertions(+)
create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
new file mode 100644
index 0000000..08acde2
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
@@ -0,0 +1,20 @@
+fix gcc compilation
+
+just fix compilation under gcc.
+Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+
+diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
+index 7b3a953aebda..e156ae5c7909 100755
+--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
+@@ -181,7 +181,7 @@
+ /* GCC 7 has new switch() fall-through detection */
+ #if defined(__GNUC__)
+ #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
+- #define FALL_THROUGH __attribute__ ((fallthrough));
++ #define FALL_THROUGH __attribute__ ((__fallthrough__));
+ #endif
+ #endif
+ #ifndef FALL_THROUGH
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
new file mode 100644
index 0000000..bbc1107
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
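Review bot: In 0000-fix-ssl-fallthrough.patch the embedded header names `a/wolfssl/wolfcrypt/types.h` on its `diff --git` line but `a/external/wolfssl/wolfssl/wolfcrypt/types.h` on the `---`/`+++` lines, which suggests the header was edited by hand; regenerating the patch from the tree it applies to keeps the two in agreement. The description "just fix compilation under gcc" does not name the failing diagnostic or the compiler version that triggers it. Since this is a local change carried against a bundled crypto library, the header should state both, plus the condition for dropping the patch once the wolfssl submodule contains the upstream fix.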
@@ -0,0 +1,30 @@
+From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH 2/2] add enum to ta flags
+
+If we compile this TA into OPTEE-OS we need to define a flag
+that this TA can be discovered on the optee bus.
+Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
+index 6ff62d1..685b54a 100644
+--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+
+ #define TA_UUID TA_FTPM_UUID
+
+-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE (64 * 1024)
+ #define TA_DATA_SIZE (64 * 1024)
+
+--
+2.17.1
+
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
new file mode 100644
index 0000000..a6244b2
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
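Review bot: The header of 0002-add-enum-to-ta-flags.patch says only that the TA "can be discovered on the optee bus", but the flag added to `TA_FLAGS` is the `_SUPP` variant, and the reason for that choice is not documented. As I understand OP-TEE, that variant defers enumeration until tee-supplicant is running, which would match the recipe comment that fTPM secure storage goes through the supplicant. A sentence in the header such as `TA_FLAG_DEVICE_ENUM_SUPP: enumerate only after tee-supplicant is up, because fTPM storage depends on it` would make the choice reviewable. The `Subject: [PATCH 2/2]` line together with the 0000/0002 file numbering also suggests a patch was dropped from the series; worth confirming none is missing.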
@@ -0,0 +1,71 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "OPTEE fTPM"
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+inherit autotools-brokensep deploy pkgconfig gettext python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
+
+DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
+DEPENDS += " optee-os-tadevkit"
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
+# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
+# The TEE supplicant is also needed to provide access to secure storage.
+# Secure storage access required by OP-TEE fTPM TA
+# is provided via OP-TEE supplicant that's not available during boot.
+# Fix this once we replace this with the MS implementation
+SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master"
+SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
+SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
+SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+ CFG_FTPM_USE_WOLF=y \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ TA_CROSS_COMPILE=${TARGET_PREFIX} \
+ CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+ CFG_ARM64_ta_arm64=y \
+"
+
+B = "${S}"
+
+# fails with j > 1
+PARALLEL_MAKE = ""
+
+do_compile() {
+ sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
+ # there's also a secure variable storage TA called authvars
+ cd ${S}/TAs/optee_ta
+ oe_runmake ftpm
+}
+
+do_install () {
+ mkdir -p ${D}/lib/optee_armtz
+ install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
+}
+
+do_deploy () {
+ install -d ${DEPLOYDIR}/optee
+ install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta"
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
new file mode 100644
index 0000000..910603e
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
@@ -0,0 +1,5 @@
+DEPENDS:append = "optee-ftpm"
+inherit deploy
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
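Review bot: In optee-ftpm_git.bb, `EXTRA_OEMAKE` passes no signing key, so the `${FTPM_UUID}.ta` that `do_install` packages is presumably signed with whatever default key the devkit under `TA_DEV_KIT_DIR` provides. The recipe should let an integrator supply their own key (the TA devkit's `TA_SIGN_KEY` make variable, appended to `EXTRA_OEMAKE` only when a recipe variable is set) and say in a comment that the default is for development only. The comment block above `SRC_URI` is stale: it says the TA cannot be built in and is to be fixed "once we replace this with the MS implementation", while the fetch already is microsoft/MSRSec and the accompanying bbappend embeds the TA as an early TA. `HOMEPAGE` still points at ms-tpm-20-ref although the source is MSRSec, and a comment that wolfSSL arrives as a `gitsm://` submodule would help whoever tracks its advisories.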
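Review bot: In optee-os_%.bbappend, `EARLY_TA_PATHS` reads `${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf`, but `DEPENDS` only orders optee-os after optee-ftpm has populated its sysroot, not after its `do_deploy`, so the ELF can be missing or left over from an earlier build when optee-os compiles. As I understand `CFG_EARLY_TA`, the file is linked into the OP-TEE image itself, so a stale ELF would end up inside the secure-world binary with no build-time signal. An explicit task dependency, `do_compile[depends] += "optee-ftpm:do_deploy"`, closes the gap.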
* Re: [meta-arm] [PATCHv2 2/3] add optee-ftpm 2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov @ 2021-11-11 19:13 ` Denys Dmytriyenko 2021-11-12 9:42 ` Maxim Uvarov [not found] ` <16B6C33755E65ACE.32262@lists.yoctoproject.org> 0 siblings, 2 replies; 10+ messages in thread From: Denys Dmytriyenko @ 2021-11-11 19:13 UTC (permalink / raw) To: Maxim Uvarov; +Cc: meta-arm, jon.mason, ross.burton On Thu, Nov 11, 2021 at 04:16:14PM +0300, Maxim Uvarov wrote: > Add software TPM emulated in the OPTEE-OS. > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > --- > .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++ > .../0002-add-enum-to-ta-flags.patch | 30 ++++++++ > .../optee-ftpm/optee-ftpm_git.bb | 71 +++++++++++++++++++ > .../optee-ftpm/optee-os_%.bbappend | 5 ++ > 4 files changed, 126 insertions(+) > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch > new file mode 100644 > index 0000000..08acde2 > --- /dev/null > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch 
> @@ -0,0 +1,20 @@ > +fix gcc compilation > + > +just fix compilation under gcc. > +Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563] > + > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > + > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h > +index 7b3a953aebda..e156ae5c7909 100755 > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h > +@@ -181,7 +181,7 @@ > + /* GCC 7 has new switch() fall-through detection */ > + #if defined(__GNUC__) > + #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1))) > +- #define FALL_THROUGH __attribute__ ((fallthrough)); > ++ #define FALL_THROUGH __attribute__ ((__fallthrough__)); > + #endif > + #endif > + #ifndef FALL_THROUGH > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch > new file mode 100644 > index 0000000..bbc1107 > --- /dev/null > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch 
> @@ -0,0 +1,30 @@ > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001 > +From: Maxim Uvarov <maxim.uvarov@linaro.org> > +Date: Fri, 17 Apr 2020 12:05:53 +0100 > +Subject: [PATCH 2/2] add enum to ta flags > + > +If we compile this TA into OPTEE-OS we need to define a flag > +that this TA can be discovered on the optee bus. > +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34] > + > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > +--- > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h > +index 6ff62d1..685b54a 100644 > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h > +@@ -44,7 +44,7 @@ > + > + #define TA_UUID TA_FTPM_UUID > + > +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE ) > ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) > + #define TA_STACK_SIZE (64 * 1024) > + #define TA_DATA_SIZE (64 * 1024) > + > +-- > +2.17.1 > + > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > new file mode 100644 > index 0000000..a6244b2 > --- /dev/null > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb 
> @@ -0,0 +1,71 @@ > +SUMMARY = "OPTEE fTPM Microsoft TA" > +DESCRIPTION = "OPTEE fTPM" There's no need in DESCRIPTION here, as it's meant to expand on the short SUMMARY and provide a more detailed description of the package, which it clearly doesn't here. > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/" > + > +inherit autotools-brokensep deploy pkgconfig gettext python3native > + > +LICENSE = "MIT" > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5" > + > +DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native" > +DEPENDS += " optee-os-tadevkit" > + > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > + > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master" > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in. > +# The TEE supplicant is also needed to provide access to secure storage. > +# Secure storage access required by OP-TEE fTPM TA > +# is provided via OP-TEE supplicant that's not available during boot. > +# Fix this once we replace this with the MS implementation > +SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master" > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch" > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch" > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534" > + > +S = "${WORKDIR}/git" > + > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}" > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}" > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta" > + > +EXTRA_OEMAKE += '\ > + CFG_FTPM_USE_WOLF=y \ > + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ > + TA_CROSS_COMPILE=${TARGET_PREFIX} \ > + CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \ > +' > + > +EXTRA_OEMAKE:append:aarch64:qemuall = "\ Is it aarch64 or qemuall? 
> + CFG_ARM64_ta_arm64=y \ > +" > + > +B = "${S}" > + > +# fails with j > 1 > +PARALLEL_MAKE = "" > + > +do_compile() { > + sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk If not done statically as a patch, then should at least be done in do_configure() instead of do_compile() > + # there's also a secure variable storage TA called authvars > + cd ${S}/TAs/optee_ta > + oe_runmake ftpm > +} > + > +do_install () { > + mkdir -p ${D}/lib/optee_armtz > + install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/ /lib -> ${nonarch_base_libdir} > +} > + > +do_deploy () { > + install -d ${DEPLOYDIR}/optee > + install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/ > +} > + > +addtask deploy before do_build after do_install > + > +FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta" > + > +# Imports machine specific configs from staging to build > +PACKAGE_ARCH = "${MACHINE_ARCH}" > +INSANE_SKIP:${PN} += "ldflags" > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend > new file mode 100644 > index 0000000..910603e > --- /dev/null > +++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend 
> @@ -0,0 +1,5 @@ > +DEPENDS:append = "optee-ftpm" > +inherit deploy Again, this is redundant, as optee-os already inherits deploy. > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > +EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"' Needs a leading whitespace, as :append won't insert it, hence it will concatenate it to the existing value of EXTRA_OEMAKE. And I do believe there's a confusion about how bbappends work in OE - it is not optional, even when it's in a different directory. This bbappend will unconditionally modify the main optee-os recipe, which is also in the same layer. So, if it is meant to unconditionally modify optee-os, then these changes should go directly into optee-os recipe, instead of a bbappend. And if this is meant to be an optional extension to optee-os, then it cannot be done as bbappend either. -- Regards, Denys Dmytriyenko <denis@denix.org> PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964 Fingerprint: 25FC E4A5 8A72 2F69 1186 6D76 4209 0272 9A92 C964 ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [meta-arm] [PATCHv2 2/3] add optee-ftpm 2021-11-11 19:13 ` [meta-arm] " Denys Dmytriyenko @ 2021-11-12 9:42 ` Maxim Uvarov [not found] ` <16B6C33755E65ACE.32262@lists.yoctoproject.org> 1 sibling, 0 replies; 10+ messages in thread From: Maxim Uvarov @ 2021-11-12 9:42 UTC (permalink / raw) To: Denys Dmytriyenko; +Cc: meta-arm, Jon.Mason, Ross.Burton On Thu, 11 Nov 2021 at 22:13, Denys Dmytriyenko <denis@denix.org> wrote: > > On Thu, Nov 11, 2021 at 04:16:14PM +0300, Maxim Uvarov wrote: > > Add software TPM emulated in the OPTEE-OS. > > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > --- > > .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++ > > .../0002-add-enum-to-ta-flags.patch | 30 ++++++++ > > .../optee-ftpm/optee-ftpm_git.bb | 71 +++++++++++++++++++ > > .../optee-ftpm/optee-os_%.bbappend | 5 ++ > > 4 files changed, 126 insertions(+) > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend > > > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch > > new file mode 100644 > > index 0000000..08acde2 > > --- /dev/null > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch 
> > @@ -0,0 +1,20 @@ > > +fix gcc compilation > > + > > +just fix compilation under gcc. > > +Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563] > > + > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > + > > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h > > +index 7b3a953aebda..e156ae5c7909 100755 > > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h > > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h > > +@@ -181,7 +181,7 @@ > > + /* GCC 7 has new switch() fall-through detection */ > > + #if defined(__GNUC__) > > + #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1))) > > +- #define FALL_THROUGH __attribute__ ((fallthrough)); > > ++ #define FALL_THROUGH __attribute__ ((__fallthrough__)); > > + #endif > > + #endif > > + #ifndef FALL_THROUGH > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch > > new file mode 100644 > > index 0000000..bbc1107 > > --- /dev/null > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch 
> > @@ -0,0 +1,30 @@ > > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001 > > +From: Maxim Uvarov <maxim.uvarov@linaro.org> > > +Date: Fri, 17 Apr 2020 12:05:53 +0100 > > +Subject: [PATCH 2/2] add enum to ta flags > > + > > +If we compile this TA into OPTEE-OS we need to define a flag > > +that this TA can be discovered on the optee bus. > > +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34] > > + > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > +--- > > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h > > +index 6ff62d1..685b54a 100644 > > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h > > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h > > +@@ -44,7 +44,7 @@ > > + > > + #define TA_UUID TA_FTPM_UUID > > + > > +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE ) > > ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) > > + #define TA_STACK_SIZE (64 * 1024) > > + #define TA_DATA_SIZE (64 * 1024) > > + > > +-- > > +2.17.1 > > + > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > > new file mode 100644 > > index 0000000..a6244b2 > > --- /dev/null > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb 
> > @@ -0,0 +1,71 @@ > > +SUMMARY = "OPTEE fTPM Microsoft TA" > > +DESCRIPTION = "OPTEE fTPM" > > There's no need in DESCRIPTION here, as it's meant to expand on the short > SUMMARY and provide a more detailed description of the package, which it > clearly doesn't here. > > > > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/" > > + > > +inherit autotools-brokensep deploy pkgconfig gettext python3native > > + > > +LICENSE = "MIT" > > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5" > > + > > +DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native" > > +DEPENDS += " optee-os-tadevkit" > > + > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > > + > > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master" > > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in. > > +# The TEE supplicant is also needed to provide access to secure storage. > > +# Secure storage access required by OP-TEE fTPM TA > > +# is provided via OP-TEE supplicant that's not available during boot. > > +# Fix this once we replace this with the MS implementation > > +SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master" > > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch" > > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch" > > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534" > > + > > +S = "${WORKDIR}/git" > > + > > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}" > > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}" > > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta" > > + > > +EXTRA_OEMAKE += '\ > > + CFG_FTPM_USE_WOLF=y \ > > + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ > > + TA_CROSS_COMPILE=${TARGET_PREFIX} \ > > + CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \ > > +' > > + > > +EXTRA_OEMAKE:append:aarch64:qemuall = "\ > > Is it aarch64 or qemuall? 
> > > > + CFG_ARM64_ta_arm64=y \ > > +" > > + > > +B = "${S}" > > + > > +# fails with j > 1 > > +PARALLEL_MAKE = "" > > + > > +do_compile() { > > + sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk > > If not done statically as a patch, then should at least be done in > do_configure() instead of do_compile() > > > > + # there's also a secure variable storage TA called authvars > > + cd ${S}/TAs/optee_ta > > + oe_runmake ftpm > > +} > > + > > +do_install () { > > + mkdir -p ${D}/lib/optee_armtz > > + install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/ > > /lib -> ${nonarch_base_libdir} > > > > +} > > + > > +do_deploy () { > > + install -d ${DEPLOYDIR}/optee > > + install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/ > > +} > > + > > +addtask deploy before do_build after do_install > > + > > +FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta" > > + > > +# Imports machine specific configs from staging to build > > +PACKAGE_ARCH = "${MACHINE_ARCH}" > > +INSANE_SKIP:${PN} += "ldflags" > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend > > new file mode 100644 > > index 0000000..910603e > > --- /dev/null > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend 
> > @@ -0,0 +1,5 @@ > > +DEPENDS:append = "optee-ftpm" > > +inherit deploy > > Again, this is redundant, as optee-os already inherits deploy. > > > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > > +EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"' > > Needs a leading whitespace, as :append won't insert it, hence it will > concatenate it to the existing value of EXTRA_OEMAKE. > > And I do believe there's a confusion about how bbappends work in OE - it is > not optional, even when it's in a different directory. This bbappend will > unconditionally modify the main optee-os recipe, which is also in the same > layer. So, if it is meant to unconditionally modify optee-os, then these > changes should go directly into optee-os recipe, instead of a bbappend. And > if this is meant to be an optional extension to optee-os, then it cannot be > done as bbappend either. > I think that it's better to enable a condition for it and make fTPM optional. Some systems might have hardware TPM device and don't need software emulated in secure os.It looks like MACHINE_FEATURES is a good place for it. Something like: optee-os.bb: FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" DEPENDS:append = "\ ${@bb.utils.contains('MACHINE_FEATURES', \ 'optee-ftpm', \ 'optee-ftpm', \ '' , \ d)}" EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', \ 'optee-ftpm', \ 'CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"', \ '', \ d)} " ./meta-arm/conf/machine/qemuarm64-secureboot.conf MACHINE_FEATURES += "optee-ftpm" Does that look good? 
I also did grep for other MACHINE_FEATURES in meta-arm and looks like they are not used anymore and config files can be cleaned up: fgrep -r FEATURE ./meta-* |grep optee ./meta-arm-bsp/conf/machine/fvp-common.inc:MACHINE_FEATURES = "optee" ./meta-arm-bsp/conf/machine/juno.conf:MACHINE_FEATURES = "usbhost usbgadget alsa screen wifi bluetooth optee pci" ./meta-gem5/conf/machine/gem5-arm64.conf:MACHINE_FEATURES = "optee pci" BR, Maxim. > -- > Regards, > Denys Dmytriyenko <denis@denix.org> > PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964 > Fingerprint: 25FC E4A5 8A72 2F69 1186 6D76 4209 0272 9A92 C964 > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#2377): https://lists.yoctoproject.org/g/meta-arm/message/2377 > Mute This Topic: https://lists.yoctoproject.org/mt/86981078/4454737 > Group Owner: meta-arm+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [maxim.uvarov@linaro.org] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [meta-arm] [PATCHv2 2/3] add optee-ftpm [not found] ` <16B6C33755E65ACE.32262@lists.yoctoproject.org> @ 2021-11-12 11:15 ` Maxim Uvarov 0 siblings, 0 replies; 10+ messages in thread From: Maxim Uvarov @ 2021-11-12 11:15 UTC (permalink / raw) To: maxim.uvarov; +Cc: Denys Dmytriyenko, meta-arm, Jon.Mason, Ross.Burton On Fri, 12 Nov 2021 at 12:42, Maxim Uvarov via lists.yoctoproject.org <maxim.uvarov=linaro.org@lists.yoctoproject.org> wrote: > > On Thu, 11 Nov 2021 at 22:13, Denys Dmytriyenko <denis@denix.org> wrote: > > > > On Thu, Nov 11, 2021 at 04:16:14PM +0300, Maxim Uvarov wrote: > > > Add software TPM emulated in the OPTEE-OS. > > > > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > > --- > > > .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++ > > > .../0002-add-enum-to-ta-flags.patch | 30 ++++++++ > > > .../optee-ftpm/optee-ftpm_git.bb | 71 +++++++++++++++++++ > > > .../optee-ftpm/optee-os_%.bbappend | 5 ++ > > > 4 files changed, 126 insertions(+) > > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch > > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch > > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > > > create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend > > > > > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch > > > new file mode 100644 > > > index 0000000..08acde2 > > > --- /dev/null > > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch 
> > > @@ -0,0 +1,20 @@ > > > +fix gcc compilation > > > + > > > +just fix compilation under gcc. > > > +Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563] > > > + > > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > > + > > > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h > > > +index 7b3a953aebda..e156ae5c7909 100755 > > > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h > > > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h > > > +@@ -181,7 +181,7 @@ > > > + /* GCC 7 has new switch() fall-through detection */ > > > + #if defined(__GNUC__) > > > + #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1))) > > > +- #define FALL_THROUGH __attribute__ ((fallthrough)); > > > ++ #define FALL_THROUGH __attribute__ ((__fallthrough__)); > > > + #endif > > > + #endif > > > + #ifndef FALL_THROUGH > > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch > > > new file mode 100644 > > > index 0000000..bbc1107 > > > --- /dev/null > > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch 
> > > @@ -0,0 +1,30 @@ > > > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001 > > > +From: Maxim Uvarov <maxim.uvarov@linaro.org> > > > +Date: Fri, 17 Apr 2020 12:05:53 +0100 > > > +Subject: [PATCH 2/2] add enum to ta flags > > > + > > > +If we compile this TA into OPTEE-OS we need to define a flag > > > +that this TA can be discovered on the optee bus. > > > +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34] > > > + > > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > > +--- > > > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +- > > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > > + > > > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h > > > +index 6ff62d1..685b54a 100644 > > > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h > > > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h > > > +@@ -44,7 +44,7 @@ > > > + > > > + #define TA_UUID TA_FTPM_UUID > > > + > > > +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE ) > > > ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) > > > + #define TA_STACK_SIZE (64 * 1024) > > > + #define TA_DATA_SIZE (64 * 1024) > > > + > > > +-- > > > +2.17.1 > > > + > > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > > > new file mode 100644 > > > index 0000000..a6244b2 > > > --- /dev/null > > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb 
> > > @@ -0,0 +1,71 @@ > > > +SUMMARY = "OPTEE fTPM Microsoft TA" > > > +DESCRIPTION = "OPTEE fTPM" > > > > There's no need in DESCRIPTION here, as it's meant to expand on the short > > SUMMARY and provide a more detailed description of the package, which it > > clearly doesn't here. > > > > > > > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/" > > > + > > > +inherit autotools-brokensep deploy pkgconfig gettext python3native > > > + > > > +LICENSE = "MIT" > > > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5" > > > + > > > +DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native" > > > +DEPENDS += " optee-os-tadevkit" > > > + > > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > > > + > > > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master" > > > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in. > > > +# The TEE supplicant is also needed to provide access to secure storage. > > > +# Secure storage access required by OP-TEE fTPM TA > > > +# is provided via OP-TEE supplicant that's not available during boot. 
> > > +# Fix this once we replace this with the MS implementation > > > +SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master" > > > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch" > > > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch" > > > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534" > > > + > > > +S = "${WORKDIR}/git" > > > + > > > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}" > > > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}" > > > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta" > > > + > > > +EXTRA_OEMAKE += '\ > > > + CFG_FTPM_USE_WOLF=y \ > > > + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ > > > + TA_CROSS_COMPILE=${TARGET_PREFIX} \ > > > + CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \ > > > +' > > > + > > > +EXTRA_OEMAKE:append:aarch64:qemuall = "\ > > > > Is it aarch64 or qemuall? > > > > > > > + CFG_ARM64_ta_arm64=y \ > > > +" > > > + > > > +B = "${S}" > > > + > > > +# fails with j > 1 > > > +PARALLEL_MAKE = "" > > > + > > > +do_compile() { > > > + sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk > > > > If not done statically as a patch, then should at least be done in > > do_configure() instead of do_compile() > > > > > > > + # there's also a secure variable storage TA called authvars > > > + cd ${S}/TAs/optee_ta > > > + oe_runmake ftpm > > > +} > > > + > > > +do_install () { > > > + mkdir -p ${D}/lib/optee_armtz > > > + install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/ > > > > /lib -> ${nonarch_base_libdir} > > > > > > > +} > > > + > > > +do_deploy () { > > > + install -d ${DEPLOYDIR}/optee > > > + install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/ > > > +} > > > + > > > +addtask deploy before do_build after do_install > > > + > > > +FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta" > > > + > > > +# Imports machine specific configs from staging to build > > > +PACKAGE_ARCH = 
"${MACHINE_ARCH}" > > > +INSANE_SKIP:${PN} += "ldflags" > > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend > > > new file mode 100644 > > > index 0000000..910603e > > > --- /dev/null > > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend 
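Review bot: `EXTRA_OEMAKE` in optee-ftpm_git.bb passes only `CFG_FTPM_USE_WOLF`, `TA_DEV_KIT_DIR`, `TA_CROSS_COMPILE` and `CFLAGS`, so the `${FTPM_UUID}.ta` that `do_install` ships is signed with whatever key the TA devkit defaults to. In upstream OP-TEE that default is, as far as I know, a development key published with the source tree, so a product image that loads this `.ta` from the normal-world filesystem would trust a key that is public. The recipe should say so above `EXTRA_OEMAKE`, e.g. `# NOTE: the TA is signed with the devkit default key; pass TA_SIGN_KEY (and build optee-os with the matching public key) for production`. Separately, `LICENSE = "MIT"` describes MSRSec itself, while `CFG_FTPM_USE_WOLF=y` builds the wolfSSL submodule pulled in by `gitsm://`; its licence should be checked and listed.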
> > > @@ -0,0 +1,5 @@ > > > +DEPENDS:append = "optee-ftpm" > > > +inherit deploy > > > > Again, this is redundant, as optee-os already inherits deploy. > > > > > > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > > > +EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"' > > > > Needs a leading whitespace, as :append won't insert it, hence it will > > concatenate it to the existing value of EXTRA_OEMAKE. > > > > And I do believe there's a confusion about how bbappends work in OE - it is > > not optional, even when it's in a different directory. This bbappend will > > unconditionally modify the main optee-os recipe, which is also in the same > > layer. So, if it is meant to unconditionally modify optee-os, then these > > changes should go directly into optee-os recipe, instead of a bbappend. And > > if this is meant to be an optional extension to optee-os, then it cannot be > > done as bbappend either. > > > > I think that it's better to enable a condition for it and make fTPM > optional. Some systems might have hardware TPM device > and don't need software emulated in secure os.It looks like > MACHINE_FEATURES is a good place for it. Something like: > > optee-os.bb: > FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" > > DEPENDS:append = "\ > ${@bb.utils.contains('MACHINE_FEATURES', \ > 'optee-ftpm', \ > 'optee-ftpm', \ > '' , \ > d)}" > > EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', \ > 'optee-ftpm', \ > 'CFG_EARLY_TA=y > EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"', > \ > '', \ > d)} " > > ./meta-arm/conf/machine/qemuarm64-secureboot.conf > MACHINE_FEATURES += "optee-ftpm" > > Does that look good? 
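Review bot: `EARLY_TA_PATHS` in optee-os_%.bbappend reads the fTPM ELF from `${DEPLOY_DIR_IMAGE}`, but `DEPENDS` only orders optee-os after optee-ftpm's sysroot population, not after its `do_deploy`. The optee-os compile can therefore run before the ELF is deployed, or silently embed a stale `${FTPM_UUID}.stripped.elf` left in the deploy directory by an earlier build, which matters because this binary becomes part of the trusted OS image. I would add an explicit task dependency, `do_compile[depends] += "optee-ftpm:do_deploy"`, or install the stripped ELF into the sysroot and point `EARLY_TA_PATHS` there. `FTPM_UUID` is also defined both here and in optee-ftpm_git.bb, so the two copies can drift apart.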
> > > I also did grep for other MACHINE_FEATURES in meta-arm and looks like > they are not used anymore and config files can be > cleaned up: > fgrep -r FEATURE ./meta-* |grep optee > ./meta-arm-bsp/conf/machine/fvp-common.inc:MACHINE_FEATURES = "optee" > ./meta-arm-bsp/conf/machine/juno.conf:MACHINE_FEATURES = "usbhost > usbgadget alsa screen wifi bluetooth optee pci" > ./meta-gem5/conf/machine/gem5-arm64.conf:MACHINE_FEATURES = "optee pci" > > BR, > Maxim. > Also due to optee-os-tadevkit_3.14.0.bb calls: require optee-os_3.14.0.bb I can not move DEPENDS += optee-ftpm inside optee-os_3.14.0.bb. It will cause circular dependency. But separate .bbappend with enabling this TA, with condition based on MACHINE_FEATURES works well. Maxim. > > -- > > Regards, > > Denys Dmytriyenko <denis@denix.org> > > PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964 > > Fingerprint: 25FC E4A5 8A72 2F69 1186 6D76 4209 0272 9A92 C964 > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#2379): https://lists.yoctoproject.org/g/meta-arm/message/2379 > Mute This Topic: https://lists.yoctoproject.org/mt/86981078/4454737 > Group Owner: meta-arm+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [maxim.uvarov@linaro.org] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a
2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov
2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov
@ 2021-11-11 13:16 ` Maxim Uvarov
2021-11-15 3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason
2 siblings, 0 replies; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-11 13:16 UTC (permalink / raw)
To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
ci/qemuarm64-secureboot.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b7f3cb4..a7e89d4 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -14,3 +14,5 @@ target:
 - core-image-base
 - perf
 - optee-examples
+ - optee-os
+ - trusted-firmware-a
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs 2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov 2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov 2021-11-11 13:16 ` [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a Maxim Uvarov @ 2021-11-15 3:52 ` Jon Mason 2021-11-15 6:28 ` Maxim Uvarov 2 siblings, 1 reply; 10+ messages in thread From: Jon Mason @ 2021-11-15 3:52 UTC (permalink / raw) To: Maxim Uvarov; +Cc: meta-arm, jon.mason, ross.burton On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote: > > Separate recipe for TA devkit is needed to solve > circular dependency to build TAs withthe devkit > and integrate it inside optee-os. > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> On this series, I'm seeing: ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb DEPENDS on or otherwise requires it) optee-os-tadevkit was skipped: incompatible with machine tc0 (not in COMPATIBLE_MACHINE) https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692 Issue on tc0, tc1, and corstone1000 (and check-patch) I'm also seeing: ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb DEPENDS on or otherwise requires it) https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682 Issue on qemuarm64-secureboot Thanks, Jon > --- > .../recipes-security/optee/optee-examples.inc | 2 +- > .../optee/optee-os-tadevkit_3.14.0.bb | 20 +++++++++++++++++++ > meta-arm/recipes-security/optee/optee-os.inc | 7 ------- > 3 files changed, 21 insertions(+), 8 deletions(-) > create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc > index 921fa18..656722e 100644 
> --- a/meta-arm/recipes-security/optee/optee-examples.inc > +++ b/meta-arm/recipes-security/optee/optee-examples.inc > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples" > LICENSE = "BSD-2-Clause" > LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30" > > -DEPENDS = "optee-client optee-os python3-pycryptodome-native" > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native" > > inherit python3native > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > new file mode 100644 > index 0000000..0d37a52 > --- /dev/null > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > @@ -0,0 +1,20 @@ > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" > +require optee-os_3.14.0.bb > + > +SUMMARY = "OP-TEE Trusted OS TA devkit" > +DESCRIPTION = "OP-TEE TA devkit for build TAs" > +HOMEPAGE = "https://www.op-tee.org/" > + > +do_install() { > + #install TA devkit > + install -d ${D}${includedir}/optee/export-user_ta/ > + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > + cp -aR $f ${D}${includedir}/optee/export-user_ta/ > + done > +} > + > +do_deploy() { > + echo "Do not inherit do_deploy from optee-os." > +} > + > +FILES:${PN} = "${includedir}/optee/" > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc > index 277646e..1506a58 100644 > --- a/meta-arm/recipes-security/optee/optee-os.inc > +++ b/meta-arm/recipes-security/optee/optee-os.inc > @@ -46,12 +46,6 @@ do_install() { > #install core in firmware > install -d ${D}${nonarch_base_libdir}/firmware/ > install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/ > - > - #install TA devkit > - install -d ${D}${includedir}/optee/export-user_ta/ > - for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > - cp -aR $f ${D}${includedir}/optee/export-user_ta/ > - done > } > > PACKAGE_ARCH = "${MACHINE_ARCH}" 
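Review bot: In optee-os-tadevkit_3.14.0.bb, `do_install` copies the devkit with `cp -aR $f`, where `-a` preserves the ownership of the files in `${B}` and `$f` is unquoted. Preserved ownership can carry the build user's uid into the package (the host-user-contaminated QA check exists for this), and the wildcard copies everything in the export directory, not only headers, under `${includedir}` and into `${PN}`. I would write the copy as `cp -R --no-dereference --preserve=mode,links "$f" ${D}${includedir}/optee/export-user_ta/` and add a comment stating what the devkit is expected to contain. The same lines are quoted again in the later replies of this thread.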
> @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install > SYSROOT_DIRS += "${nonarch_base_libdir}/firmware" > > FILES:${PN} = "${nonarch_base_libdir}/firmware/" > -FILES:${PN}-dev = "${includedir}/optee/" > > # note: "textrel" is not triggered on all archs > INSANE_SKIP:${PN} = "textrel" > -- > 2.17.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#2362): https://lists.yoctoproject.org/g/meta-arm/message/2362 > Mute This Topic: https://lists.yoctoproject.org/mt/86981076/3616920 > Group Owner: meta-arm+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [jdmason@kudzu.us] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs 2021-11-15 3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason @ 2021-11-15 6:28 ` Maxim Uvarov 2021-11-15 16:32 ` Denys Dmytriyenko 0 siblings, 1 reply; 10+ messages in thread From: Maxim Uvarov @ 2021-11-15 6:28 UTC (permalink / raw) To: Jon Mason; +Cc: meta-arm, Jon.Mason, Ross.Burton On Mon, 15 Nov 2021 at 06:52, Jon Mason <jdmason@kudzu.us> wrote: > > On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote: > > > > Separate recipe for TA devkit is needed to solve > > circular dependency to build TAs withthe devkit > > and integrate it inside optee-os. > > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > On this series, I'm seeing: > ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > DEPENDS on or otherwise requires it) > optee-os-tadevkit was skipped: incompatible with machine tc0 (not in > COMPATIBLE_MACHINE) > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692 > > Issue on tc0, tc1, and corstone1000 (and check-patch) > This should be fixed in v3 with adding conditions. > I'm also seeing: > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb > DEPENDS on or otherwise requires it) > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682 > > Issue on qemuarm64-secureboot > That is interesting. I also built a qemuarm64-secureboot. Might be some changes in the current master for that. > Thanks, > Jon > > > > > > > > --- > > .../recipes-security/optee/optee-examples.inc | 2 +- > > .../optee/optee-os-tadevkit_3.14.0.bb | 20 +++++++++++++++++++ > > meta-arm/recipes-security/optee/optee-os.inc | 7 ------- > > 3 files changed, 21 insertions(+), 8 deletions(-) > > create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb 
> > > > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc > > index 921fa18..656722e 100644 > > --- a/meta-arm/recipes-security/optee/optee-examples.inc > > +++ b/meta-arm/recipes-security/optee/optee-examples.inc > > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples" > > LICENSE = "BSD-2-Clause" > > LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30" > > > > -DEPENDS = "optee-client optee-os python3-pycryptodome-native" > > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native" > > > > inherit python3native > > > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > new file mode 100644 > > index 0000000..0d37a52 > > --- /dev/null > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > @@ -0,0 +1,20 @@ > > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" > > +require optee-os_3.14.0.bb > > + > > +SUMMARY = "OP-TEE Trusted OS TA devkit" > > +DESCRIPTION = "OP-TEE TA devkit for build TAs" > > +HOMEPAGE = "https://www.op-tee.org/" > > + > > +do_install() { > > + #install TA devkit > > + install -d ${D}${includedir}/optee/export-user_ta/ > > + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > > + cp -aR $f ${D}${includedir}/optee/export-user_ta/ > > + done > > +} > > + > > +do_deploy() { > > + echo "Do not inherit do_deploy from optee-os." > > +} > > + > > +FILES:${PN} = "${includedir}/optee/" > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc > > index 277646e..1506a58 100644 > > --- a/meta-arm/recipes-security/optee/optee-os.inc > > +++ b/meta-arm/recipes-security/optee/optee-os.inc 
> > @@ -46,12 +46,6 @@ do_install() { > > #install core in firmware > > install -d ${D}${nonarch_base_libdir}/firmware/ > > install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/ > > - > > - #install TA devkit > > - install -d ${D}${includedir}/optee/export-user_ta/ > > - for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > > - cp -aR $f ${D}${includedir}/optee/export-user_ta/ > > - done > > } > > > > PACKAGE_ARCH = "${MACHINE_ARCH}" > > @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install > > SYSROOT_DIRS += "${nonarch_base_libdir}/firmware" > > > > FILES:${PN} = "${nonarch_base_libdir}/firmware/" > > -FILES:${PN}-dev = "${includedir}/optee/" > > > > # note: "textrel" is not triggered on all archs > > INSANE_SKIP:${PN} = "textrel" > > -- > > 2.17.1 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#2362): https://lists.yoctoproject.org/g/meta-arm/message/2362 > > Mute This Topic: https://lists.yoctoproject.org/mt/86981076/3616920 > > Group Owner: meta-arm+owner@lists.yoctoproject.org > > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [jdmason@kudzu.us] > > -=-=-=-=-=-=-=-=-=-=-=- > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs 2021-11-15 6:28 ` Maxim Uvarov @ 2021-11-15 16:32 ` Denys Dmytriyenko 2021-11-16 9:39 ` Maxim Uvarov 0 siblings, 1 reply; 10+ messages in thread From: Denys Dmytriyenko @ 2021-11-15 16:32 UTC (permalink / raw) To: Maxim Uvarov; +Cc: Jon Mason, meta-arm, Jon.Mason, Ross.Burton On Mon, Nov 15, 2021 at 09:28:08AM +0300, Maxim Uvarov wrote: > On Mon, 15 Nov 2021 at 06:52, Jon Mason <jdmason@kudzu.us> wrote: > > > > On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote: > > > > > > Separate recipe for TA devkit is needed to solve > > > circular dependency to build TAs withthe devkit > > > and integrate it inside optee-os. 
> > > > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > > > On this series, I'm seeing: > > ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but > > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > > DEPENDS on or otherwise requires it) > > optee-os-tadevkit was skipped: incompatible with machine tc0 (not in > > COMPATIBLE_MACHINE) > > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692 > > > > Issue on tc0, tc1, and corstone1000 (and check-patch) > > > > This should be fixed in v3 with adding conditions. > > > I'm also seeing: > > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but > > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb > > DEPENDS on or otherwise requires it) > > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682 > > > > Issue on qemuarm64-secureboot > > > > That is interesting. I also built a qemuarm64-secureboot. Might be > some changes in the current master for that. That is due to a missing space in bbappend: +DEPENDS:append = "optee-ftpm" Resulting in optee-ftpm being concatenated to compiler-rt in DEPENDS: > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but Similar to the one I reported about EXTRA_OEMAKE in the same bbappend... -- Denys > > Thanks, > > Jon > > > > > > > > > > > > > > > --- > > > .../recipes-security/optee/optee-examples.inc | 2 +- > > > .../optee/optee-os-tadevkit_3.14.0.bb | 20 +++++++++++++++++++ > > > meta-arm/recipes-security/optee/optee-os.inc | 7 ------- > > > 3 files changed, 21 insertions(+), 8 deletions(-) > > > create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > > > > > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc > > > index 921fa18..656722e 100644 > > > --- a/meta-arm/recipes-security/optee/optee-examples.inc > > > +++ b/meta-arm/recipes-security/optee/optee-examples.inc 
> > > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples" > > > LICENSE = "BSD-2-Clause" > > > LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30" > > > > > > -DEPENDS = "optee-client optee-os python3-pycryptodome-native" > > > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native" > > > > > > inherit python3native > > > > > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > > new file mode 100644 > > > index 0000000..0d37a52 > > > --- /dev/null > > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > > @@ -0,0 +1,20 @@ > > > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" > > > +require optee-os_3.14.0.bb > > > + > > > +SUMMARY = "OP-TEE Trusted OS TA devkit" > > > +DESCRIPTION = "OP-TEE TA devkit for build TAs" > > > +HOMEPAGE = "https://www.op-tee.org/" > > > + > > > +do_install() { > > > + #install TA devkit > > > + install -d ${D}${includedir}/optee/export-user_ta/ > > > + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > > > + cp -aR $f ${D}${includedir}/optee/export-user_ta/ > > > + done > > > +} > > > + > > > +do_deploy() { > > > + echo "Do not inherit do_deploy from optee-os." > > > +} > > > + > > > +FILES:${PN} = "${includedir}/optee/" > > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc > > > index 277646e..1506a58 100644 > > > --- a/meta-arm/recipes-security/optee/optee-os.inc > > > +++ b/meta-arm/recipes-security/optee/optee-os.inc 
> > > @@ -46,12 +46,6 @@ do_install() { > > > #install core in firmware > > > install -d ${D}${nonarch_base_libdir}/firmware/ > > > install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/ > > > - > > > - #install TA devkit > > > - install -d ${D}${includedir}/optee/export-user_ta/ > > > - for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > > > - cp -aR $f ${D}${includedir}/optee/export-user_ta/ > > > - done > > > } > > > > > > PACKAGE_ARCH = "${MACHINE_ARCH}" > > > @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install > > > SYSROOT_DIRS += "${nonarch_base_libdir}/firmware" > > > > > > FILES:${PN} = "${nonarch_base_libdir}/firmware/" > > > -FILES:${PN}-dev = "${includedir}/optee/" > > > > > > # note: "textrel" is not triggered on all archs > > > INSANE_SKIP:${PN} = "textrel" > > > -- > > > 2.17.1 > > > > > > > > > > > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs 2021-11-15 16:32 ` Denys Dmytriyenko @ 2021-11-16 9:39 ` Maxim Uvarov 0 siblings, 0 replies; 10+ messages in thread From: Maxim Uvarov @ 2021-11-16 9:39 UTC (permalink / raw) To: Denys Dmytriyenko; +Cc: Jon Mason, meta-arm, Jon.Mason, Ross.Burton On Mon, 15 Nov 2021 at 19:32, Denys Dmytriyenko <denis@denix.org> wrote: > > On Mon, Nov 15, 2021 at 09:28:08AM +0300, Maxim Uvarov wrote: > > On Mon, 15 Nov 2021 at 06:52, Jon Mason <jdmason@kudzu.us> wrote: > > > > > > On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote: > > > > > > > > Separate recipe for TA devkit is needed to solve > > > > circular dependency to build TAs withthe devkit > > > > and integrate it inside optee-os. 
> > > > > > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> > > > > > > On this series, I'm seeing: > > > ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but > > > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb > > > DEPENDS on or otherwise requires it) > > > optee-os-tadevkit was skipped: incompatible with machine tc0 (not in > > > COMPATIBLE_MACHINE) > > > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692 > > > > > > Issue on tc0, tc1, and corstone1000 (and check-patch) > > > > > > > This should be fixed in v3 with adding conditions. > > > > > I'm also seeing: > > > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but > > > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb > > > DEPENDS on or otherwise requires it) > > > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682 > > > > > > Issue on qemuarm64-secureboot > > > > > > > That is interesting. I also built a qemuarm64-secureboot. Might be > > some changes in the current master for that. > > That is due to a missing space in bbappend: > +DEPENDS:append = "optee-ftpm" > > Resulting in optee-ftpm being concatenated to compiler-rt in DEPENDS: > > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but > > Similar to the one I reported about EXTRA_OEMAKE in the same bbappend... > I think that should be solved now in v3. qemuarm64_secure and t1000 build fine for me. Maxim. > -- > Denys > > > > > Thanks, > > > Jon > > > > > > > > > > > > > > > > > > > > > > --- > > > > .../recipes-security/optee/optee-examples.inc | 2 +- > > > > .../optee/optee-os-tadevkit_3.14.0.bb | 20 +++++++++++++++++++ > > > > meta-arm/recipes-security/optee/optee-os.inc | 7 ------- > > > > 3 files changed, 21 insertions(+), 8 deletions(-) > > > > create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb 
> > > > > > > > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc > > > > index 921fa18..656722e 100644 > > > > --- a/meta-arm/recipes-security/optee/optee-examples.inc > > > > +++ b/meta-arm/recipes-security/optee/optee-examples.inc > > > > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples" > > > > LICENSE = "BSD-2-Clause" > > > > LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30" > > > > > > > > -DEPENDS = "optee-client optee-os python3-pycryptodome-native" > > > > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native" > > > > > > > > inherit python3native > > > > > > > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > > > new file mode 100644 > > > > index 0000000..0d37a52 > > > > --- /dev/null > > > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb > > > > @@ -0,0 +1,20 @@ > > > > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" > > > > +require optee-os_3.14.0.bb > > > > + > > > > +SUMMARY = "OP-TEE Trusted OS TA devkit" > > > > +DESCRIPTION = "OP-TEE TA devkit for build TAs" > > > > +HOMEPAGE = "https://www.op-tee.org/" > > > > + > > > > +do_install() { > > > > + #install TA devkit > > > > + install -d ${D}${includedir}/optee/export-user_ta/ > > > > + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > > > > + cp -aR $f ${D}${includedir}/optee/export-user_ta/ > > > > + done > > > > +} > > > > + > > > > +do_deploy() { > > > > + echo "Do not inherit do_deploy from optee-os." > > > > +} > > > > + > > > > +FILES:${PN} = "${includedir}/optee/" > > > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc > > > > index 277646e..1506a58 100644 > > > > --- a/meta-arm/recipes-security/optee/optee-os.inc > > > > +++ b/meta-arm/recipes-security/optee/optee-os.inc 
> > > > @@ -46,12 +46,6 @@ do_install() { > > > > #install core in firmware > > > > install -d ${D}${nonarch_base_libdir}/firmware/ > > > > install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/ > > > > - > > > > - #install TA devkit > > > > - install -d ${D}${includedir}/optee/export-user_ta/ > > > > - for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do > > > > - cp -aR $f ${D}${includedir}/optee/export-user_ta/ > > > > - done > > > > } > > > > > > > > PACKAGE_ARCH = "${MACHINE_ARCH}" > > > > @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install > > > > SYSROOT_DIRS += "${nonarch_base_libdir}/firmware" > > > > > > > > FILES:${PN} = "${nonarch_base_libdir}/firmware/" > > > > -FILES:${PN}-dev = "${includedir}/optee/" > > > > > > > > # note: "textrel" is not triggered on all archs > > > > INSANE_SKIP:${PN} = "textrel" > > > > -- > > > > 2.17.1 > > > > > > > > > > > > > > > > ^ permalink raw reply [flat|nested] 10+ messages in thread
2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov
2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov
2021-11-11 19:13 ` [meta-arm] " Denys Dmytriyenko
2021-11-12 9:42 ` Maxim Uvarov
[not found] ` <16B6C33755E65ACE.32262@lists.yoctoproject.org>
2021-11-12 11:15 ` Maxim Uvarov
2021-11-11 13:16 ` [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a Maxim Uvarov
2021-11-15 3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason
2021-11-15 6:28 ` Maxim Uvarov
2021-11-15 16:32 ` Denys Dmytriyenko
2021-11-16 9:39 ` Maxim Uvarov