* [meta-ti][scarthgap][PATCH] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
@ 2025-11-03 5:39 Suhaas Joshi
2025-11-03 5:45 ` PRC Automation
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Suhaas Joshi @ 2025-11-03 5:39 UTC (permalink / raw)
To: meta-ti; +Cc: kamlesh
RPMB is a secure storage mechanism used to store data in a separate
partition of compliant storage devices such as eMMC, NVMe etc. It is
provided by TEEs, including OP-TEE.
Add the following build options to optee_os:
* CFG_REE_FS=n -> disables the default REE_FS, this is so that
RPMB can be demonstrated
* CFG_RPMB_FS=y -> enables the RPMB feature
* CFG_RPMB_WRITE_KEY=y -> generates Auth Key during first access to
storage device. Note: This needs to be turned off for production
builds.
* CFG_PKCS11_TA=y -> enables PKCS#11 API support in form of a
Trusted Application. This commit also copies this TA to the
relevant location.
In optee_client, do the following:
* Add RPMB_EMU=1 option. This is enabled by default, but even so,
enable it explicitly. This option makes tee-supplicant emulate
RPMB instead of using the actual hardware. The actual hardware
should be used consciously since the key, once written, cannot be
re-programmed. But in the emulated flow, each reboot wipes the key
off, since the "emulated RPMB" is just a portion of primary
memory.
* Copy libckteec library files to relevant locations.
Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
.../recipes-security/optee/optee-client_%.bbappend | 12 ++++++++++++
.../recipes-security/optee/optee-os-ti-overrides.inc | 10 ++++++----
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
index f193e78b..07db2955 100644
--- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
+++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
@@ -2,3 +2,15 @@ OPTEE_TI_VERSION = ""
OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
require ${OPTEE_TI_VERSION}
+
+do_install:append() {
+ install -d ${D}${libdir}
+
+ install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
+ ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1
+ ln -v -sf libckteec.so.0.1 ${D}${libdir}/libckteec.so.0
+ ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
+}
+
+FILES:${PN} += "${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1 ${libdir}/libckteec.so.0.1.0"
+FILES:${PN}-dev += "${libdir}/libckteec.so"
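Review bot: the `RPMB_EMU=1` option that the commit message says is added to optee_client does not appear in this hunk; the bbappend only installs libckteec, so either add the option here or drop that bullet from the message. Separately, `libckteec.so.0.1.0` and the three hand-written `ln -sf` steps pin a library version inside a `%` (any-version) bbappend, so the next optee-client bump turns into a `do_install` failure rather than the package set adapting; taking the version from what the build produced and packaging with a glob such as `FILES:${PN} += "${libdir}/libckteec.so.*"` would be more robust.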
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
index 61a74a06..0b940e5c 100644
--- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
@@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}"
-EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1"
+EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1"
-EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1"
-EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1"
-EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1"
+EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
+EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
+EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1"
do_compile:append:k3() {
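Review bot: `CFG_RPMB_WRITE_KEY=y` is hard-wired into the default am62xx/am62pxx/am62axx/am62dxx build, yet the commit message itself says it must be off for production: with this option the first storage access programs the RPMB authentication key, which on real hardware is a one-time, irreversible operation, so any image built from this layer and run with `RPMB_EMU=0` would burn the key on first boot. Suggest gating the provisioning flag behind a variable that defaults to `n` (for example `OPTEE_RPMB_WRITE_KEY ?= "n"` consumed in these lines; name mine) so a factory image has to opt in, and factoring the identical `CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=... CFG_PKCS11_TA=y` string into one variable instead of repeating it four times. Also worth a sentence in the message on why am62lxx and j722s keep the old line, and that `CFG_REE_FS=n` is a behaviour change for anything on those four machines that already stores persistent objects through the REE filesystem.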
@@ -49,6 +49,8 @@ do_install:append() {
install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true
install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true
install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true
+ install -d ${D}${nonarch_base_libdir}/optee_armtz
+ install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz
}
optee_deploy_legacyhs() {
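Review bot: the new `install` of the PKCS#11 TA has no `|| true` guard, unlike the three lines above it, and it sits in the un-overridden `do_install:append()` that runs for every machine using this .inc; on am62lxx and j722s, where the first hunk does not set `CFG_PKCS11_TA=y`, `${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta` will not exist and `do_install` fails. Either restrict the install to the machines that build the TA, or wrap it in a `[ -f ... ] &&` test. Also check that `${nonarch_base_libdir}/optee_armtz` is covered by a `FILES` entry, since nothing in this hunk adds one.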
--
2.34.1
* Re: [meta-ti][scarthgap][PATCH] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
From: PRC Automation @ 2025-11-03 5:45 UTC (permalink / raw)
To: Suhaas Joshi; +Cc: meta-ti, kamlesh
meta-ti / na / 20251103053940.555954-1-s-joshi
PRC Results: PASS
=========================================================
check-yocto-patches: PASS
=========================================================
Patches
----------------------------------------
WARN - [meta-ti][scarthgap][PATCH] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
WARN: Commit message does not include file/recipe name: meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11. (COMMIT-MESSAGE-2)
patch
WARN: Commit message should not include directory path to recipe: meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11.
meta-ti-bsp: (COMMIT-MESSAGE-3)
patch
=========================================================
apply-yocto-patch: PASS
=========================================================
scarthgap
=====================
Summary:
- Patch Series: [meta-ti][scarthgap][PATCH] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
- Submitter: From: Suhaas Joshi <s-joshi@ti.com>
- Date: Date: Mon, 3 Nov 2025 11:09:41 +0530
- Num Patches: 1
- Mailing List (public inbox) Commit SHA: 245c62f5b6c684a4a5c7b41394631b4b3d200ee1
Applied to:
- Repository: lcpd-prc-meta-ti
- Base Branch: scarthgap-wip
- Commit Author: Vishnu Singh <v-singh1@ti.com>
- Commit Subject: ti-librpmsg-dma: update ti-librpmsg-dma SRCREV & LICENSE
- Commit SHA: 879abf6914437e3a4da45fd515f33ac583bbddc5
Patches
----------------------------------------
All patches applied
=========================================================
check-yocto-repo: PASS
=========================================================
scarthgap
=====================
PASS
* Re: [meta-ti][scarthgap][PATCH] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
From: Kamlesh Gurudasani @ 2025-11-03 9:31 UTC (permalink / raw)
To: Suhaas Joshi, meta-ti
Suhaas Joshi <s-joshi@ti.com> writes:
> RPMB is a secure storage mechanism used to store data in a separate
> partition of compliant storage devices such as eMMC, NVMe etc. It is
> provided by TEEs, including OP-TEE.
>
> Add the following build options to optee_os:
> * CFG_REE_FS=n -> disables the default REE_FS, this is so that
> RPMB can be demonstrated
> * CFG_RPMB_FS=y -> enables the RPMB feature
> * CFG_RPMB_WRITE_KEY=y -> generates Auth Key during first access to
> storage device. Note: This needs to be turned off for production
> builds.
Add a note at the end, explaining that this will require two binaries for optee, the first
boot (or factory binary) which writes the binary and then the production
binary with this option =n, and RPMB_EMU=0 option combination for production.
> * CFG_PKCS11_TA=y -> enables PKCS#11 API support in form of a
> Trusted Application. This commit also copies this TA to the
> relevant location.
>
> In optee_client, do the following:
> * Add RPMB_EMU=1 option. This is enabled by default, but even so,
> enable it explicitly. This option makes tee-supplicant emulate
> RPMB instead of using the actual hardware. The actual hardware
I guess you missed adding changes for this. Please add RPMB_EMU flag
explicitly.
> should be used consciously since the key, once written, cannot be
> re-programmed. But in the emulated flow, each reboot wipes the key
> off, since the "emulated RPMB" is just a portion of primary
> memory.
> * Copy libckteec library files to relevant locations.
>
> Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
> ---
> .../recipes-security/optee/optee-client_%.bbappend | 12 ++++++++++++
> .../recipes-security/optee/optee-os-ti-overrides.inc | 10 ++++++----
> 2 files changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> index f193e78b..07db2955 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> @@ -2,3 +2,15 @@ OPTEE_TI_VERSION = ""
> OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
>
> require ${OPTEE_TI_VERSION}
> +
> +do_install:append() {
> + install -d ${D}${libdir}
> +
> + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
> + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1
> + ln -v -sf libckteec.so.0.1 ${D}${libdir}/libckteec.so.0
> + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
> +}
> +
> +FILES:${PN} += "${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1 ${libdir}/libckteec.so.0.1.0"
> +FILES:${PN}-dev += "${libdir}/libckteec.so"
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> index 61a74a06..0b940e5c 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
> EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
> EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}"
>
> -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1"
>
> do_compile:append:k3() {
> @@ -49,6 +49,8 @@ do_install:append() {
> install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true
> install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true
> install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true
> + install -d ${D}${nonarch_base_libdir}/optee_armtz
> + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz
> }
>
> optee_deploy_legacyhs() {
> --
> 2.34.1
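The factory/production split discussed above, as an added example that is not part of the patch or of the meta-ti layer: a POSIX sh check that classifies an optee_os build from the conf.mk it generates and refuses to treat a `CFG_RPMB_WRITE_KEY=y` build as production. The conf.mk location and its `CFG_X := y` line format are assumptions about the optee_os build output, and the three sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the patch): classify an optee_os build from the
# conf.mk it generates (assumed at out/arm-plat-*/conf.mk with lines like
# "CFG_RPMB_FS := y") so a release step can refuse to ship a
# CFG_RPMB_WRITE_KEY=y first-boot image as a production image.

# Print the value of one CFG_ option from a conf.mk (empty if unset).
optee_cfg() {
    # $1 = path to conf.mk, $2 = option name (e.g. CFG_RPMB_WRITE_KEY)
    sed -n "s/^$2[[:space:]]*[?:]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print "no-rpmb", "production" or "factory". Returns 1 for "factory",
# so `optee_rpmb_profile conf.mk || exit 1` aborts a production release.
optee_rpmb_profile() {
    conf="$1"
    rpmb_fs=$(optee_cfg "$conf" CFG_RPMB_FS)
    write_key=$(optee_cfg "$conf" CFG_RPMB_WRITE_KEY)
    if [ "$rpmb_fs" != "y" ]; then
        echo no-rpmb
        return 0
    fi
    if [ "$write_key" = "y" ]; then
        # The authentication key is programmed on first access and cannot
        # be re-programmed: acceptable only on a first-boot/factory image.
        echo factory
        return 1
    fi
    echo production
    return 0
}

# Constructed samples standing in for three different builds.
SAMPLE_DIR=$(mktemp -d)
printf 'CFG_REE_FS := n\nCFG_RPMB_FS := y\nCFG_RPMB_WRITE_KEY := y\n' \
    > "$SAMPLE_DIR/factory.mk"
printf 'CFG_REE_FS := n\nCFG_RPMB_FS := y\nCFG_RPMB_WRITE_KEY := n\n' \
    > "$SAMPLE_DIR/production.mk"
# CFG_RPMB_FS_DEV_ID must not be mistaken for CFG_RPMB_FS.
printf 'CFG_REE_FS := y\nCFG_RPMB_FS_DEV_ID := 0\n' > "$SAMPLE_DIR/ree.mk"

for f in factory production ree; do
    printf '%s: %s\n' "$f.mk" "$(optee_rpmb_profile "$SAMPLE_DIR/$f.mk")"
done
```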
* Re: [meta-ti][scarthgap][PATCH] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
From: Denys Dmytriyenko @ 2025-11-03 23:30 UTC (permalink / raw)
To: s-joshi; +Cc: meta-ti, kamlesh
On Mon, Nov 03, 2025 at 11:09:41AM +0530, Suhaas Joshi via lists.yoctoproject.org wrote:
> RPMB is a secure storage mechanism used to store data in a separate
> partition of compliant storage devices such as eMMC, NVMe etc. It is
> provided by TEEs, including OP-TEE.
>
> Add the following build options to optee_os:
> * CFG_REE_FS=n -> disables the default REE_FS, this is so that
> RPMB can be demonstrated
> * CFG_RPMB_FS=y -> enables the RPMB feature
> * CFG_RPMB_WRITE_KEY=y -> generates Auth Key during first access to
> storage device. Note: This needs to be turned off for production
> builds.
> * CFG_PKCS11_TA=y -> enables PKCS#11 API support in form of a
> Trusted Application. This commit also copies this TA to the
> relevant location.
>
> In optee_client, do the following:
> * Add RPMB_EMU=1 option. This is enabled by default, but even so,
> enable it explicitly. This option makes tee-supplicant emulate
> RPMB instead of using the actual hardware. The actual hardware
> should be used consciously since the key, once written, cannot be
> re-programmed. But in the emulated flow, each reboot wipes the key
> off, since the "emulated RPMB" is just a portion of primary
> memory.
> * Copy libckteec library files to relevant locations.
>
> Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
> ---
> .../recipes-security/optee/optee-client_%.bbappend | 12 ++++++++++++
> .../recipes-security/optee/optee-os-ti-overrides.inc | 10 ++++++----
> 2 files changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> index f193e78b..07db2955 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> @@ -2,3 +2,15 @@ OPTEE_TI_VERSION = ""
> OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
>
> require ${OPTEE_TI_VERSION}
> +
> +do_install:append() {
> + install -d ${D}${libdir}
> +
> + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
> + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1
> + ln -v -sf libckteec.so.0.1 ${D}${libdir}/libckteec.so.0
> + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
> +}
> +
> +FILES:${PN} += "${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1 ${libdir}/libckteec.so.0.1.0"
> +FILES:${PN}-dev += "${libdir}/libckteec.so"
This modifies the upstream recipe directly, which violates YP Compatible
compliance.
Simply put - you cannot modify the .bbappend of upstream recipes directly,
that's why those ${BPN}-ti-*.inc files exist.
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> index 61a74a06..0b940e5c 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
> EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
> EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}"
>
> -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
> EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1"
>
> do_compile:append:k3() {
> @@ -49,6 +49,8 @@ do_install:append() {
> install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true
> install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true
> install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true
> + install -d ${D}${nonarch_base_libdir}/optee_armtz
> + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz
> }
>
> optee_deploy_legacyhs() {
> --
> 2.34.1