From: Trevor Woerner <twoerner@gmail.com>
To: yocto-patches@lists.yoctoproject.org
Cc: Quentin Schulz <quentin.schulz@cherry.de>
Subject: Re: [yocto-patches] [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary
Date: Wed, 27 May 2026 11:30:12 -0400
Message-ID: <ahcOBJWhevGNqPyF@localhost.localdomain>
In-Reply-To: <20260126-optee-os-v1-2-874261a77dad@cherry.de>

Hi Quentin,

Thanks for this patch series!

I believe there was a little fuzz required to apply patch 1 (around the
-D), perhaps a v2 against the current to clean that up?

On Mon 2026-01-26 @ 03:48:30 PM, Quentin Schulz via lists.yoctoproject.org wrote:
> From: Quentin Schulz <quentin.schulz@cherry.de>
> 
> TF-A has support for loading OP-TEE OS as BL32 which allows us to have
> the following boot flow on supported Rockchip SoCs:
> 
> BootROM -> U-Boot TPL/SPL -> TF-A (BL31) -> OP-TEE OS (BL32) -> U-Boot
> proper -> Linux kernel
> 
> TF-A must be built with support for the opteed payload via the SPD
> variable. It can always be set, the downside is that if it's set and no
> OP-TEE OS is available to load, it'll complain with
> 
>   ERROR:   Error initializing runtime service opteed_fast
> 
> but will still continue the boot flow.
> 
> U-Boot proper must be built with OPTEE_LIB enabled (forced enabled on
> U-Boot v2026.01 when a TEE environment variable is set) otherwise random
> crashes may happen while in Linux as the memory marked as secure for
> OP-TEE OS isn't reserved and the kernel may use it and trigger a
> security exception.
> 
> This has only been tested with `xtest` on PX30, RK3399 and RK3588
> platforms, all tests pass. Note that this is unsecure by default as it's
> using the default development key in OP-TEE OS tree which isn't secret
> at all. I have not looked into how to provide your own key pair.
> 
> Note that xtest has two fails on RK3588 with OP-TEE OS v4.7.0. They are
> fixed since v4.8.0 (v4.9.0 series for meta-arm has been posted
> already[1]).
> 
> We also pass a few variables to make such that we avoid panics when an
> FDT is passed by TF-A (happens when SPL_ATF_NO_PLATFORM_PARAM is not
> set) due to the memory area to store the FDT being too small, also avoid
> panics when the device is using a different console than the default in
> OP-TEE OS by simply disabling the early console (thus relying on FDT to
> find which one to write to) and enable Arm Cryptographic Extensions on
> PX30 for faster crypto (xtest in 3m11s vs 3min32s).
> 
> [1] https://lore.kernel.org/yocto-meta-arm/20260121140356.16818-1-hugues.kambampiana@arm.com/
> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
> ---
>  README                                             | 42 ++++++++++++++++++++++
>  conf/machine/include/px30.inc                      |  7 ++++
>  conf/machine/include/rk3399.inc                    |  7 ++++
>  conf/machine/include/rk3588s.inc                   |  7 ++++
>  recipes-bsp/u-boot/u-boot-rockchip.inc             |  6 ++++
>  .../optee/optee-os-tadevkit_%.bbappend             |  3 ++
>  recipes-security/optee/optee-os_%.bbappend         | 19 ++++++++++
>  recipes-security/optee/optee-test_%.bbappend       |  3 ++
>  8 files changed, 94 insertions(+)
> 
> diff --git a/README b/README
> index c2697d1..f49fdb5 100644
> --- a/README
> +++ b/README
> @@ -222,6 +222,48 @@ Notes:
>  	NOTE: this variable must be set before any include/require in the
>  	      machine configuration file
>  
> +  OP-TEE
> +
> +	PX30, RK3399 and RK3588 are all supported by upstream OP-TEE OS. By
> +	default, OP-TEE OS is not baked into U-Boot.
> +
> +	You can bake OP-TEE OS in U-Boot by setting:
> +
> +		RK_UBOOT_TEE = "1"

Is it worth pointing out this is a boolean so any of
"1"/"y"/"yes"/"true" or "0"/"n"/"no"/"false" will work?

> +
> +	in a configuration file.
> +
> +	Your U-Boot defconfig must enable CONFIG_OPTEE_LIB otherwise random
> +	crashes in Linux will occur. It is force-enabled since v2026.01 so you
> +	may omit this if running that or a more recent version.
> +
> +	Note that this has only been tested with upstream OP-TEE OS and upstream
> +	TF-A. Please consider disabling CONFIG_SPL_ATF_NO_PLATFORM_PARAM in your
> +	U-Boot's defconfig such that both upstream TF-A and OP-TEE OS are passed
> +	the FDT (useful for debugging since it specifies the serial console).
> +
> +	Note that this is only adding OP-TEE OS to the U-Boot proper
> +	(u-boot.itb) binary. It is *NOT* secure by default as it'll use
> +	development keys contained in-tree, see
> +	https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#trusted-application-private-public-keypair.
> +	How to properly specify the private/public key pair is left to the user
> +	for now.
> +
> +	By default, early console is disabled because a misconfiguration of the
> +	serial console will silently crash your device. You may enable it again
> +	by setting:
> +
> +		OPTEE_OS_EARLY_CONSOLE = "y"
> +
> +	This only controls early console, before OP-TEE OS finds the FDT and
> +	parse it to know which UART controller to use.
> +	If you are not using the default serial controller (UART2), you must
> +	change CFG_EARLY_CONSOLE_BASE to the appropriate UART controller base
> +	address. You may have to set CFG_EARLY_CONSOLE_SIZE if it isn't set by
> +	default.
> +	CFG_EARLY_CONSOLE_* variables must be passed directly via EXTRA_OEMAKE
> +	BitBake variable.
> +
>  U-Boot Environment:
>  ------------------
>  	In order to configure U-Boot to be able to store its environment into the
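Review bot: In the README hunk, the paragraph saying the result is *NOT* secure by default sits two paragraphs below `RK_UBOOT_TEE = "1"`, so a reader who stops at the setting never sees that the image uses the in-tree development keys. Move that paragraph directly under the enable instruction. Two smaller points in the early-console text: "finds the FDT and parse it" should read "parses it", and "the default serial controller (UART2)" does not say which SoCs that default applies to, while the comment in optee-os_%.bbappend lists rk322x, rk3399 and rk3588(s) and leaves out PX30; state the PX30 default here or say that it differs.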
> diff --git a/conf/machine/include/px30.inc b/conf/machine/include/px30.inc
> index 1997f6f..689a745 100644
> --- a/conf/machine/include/px30.inc
> +++ b/conf/machine/include/px30.inc
> @@ -14,6 +14,13 @@ KBUILD_DEFCONFIG ?= "defconfig"
>  
>  TFA_PLATFORM = "px30"
>  TFA_BUILD_TARGET = "bl31"
> +# Allow TF-A to load OP-TEE OS
> +# If no OP-TEE OS, it'll simply print
> +#  ERROR:   Error initializing runtime service opteed_fast
> +# and the boot process will continue.
> +TFA_SPD ?= "opteed"
> +
> +OPTEEMACHINE = "rockchip-px30"
>  
>  UBOOT_SUFFIX ?= "itb"
>  UBOOT_ENTRYPOINT ?= "0x06000000"
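Review bot: `TFA_SPD ?= "opteed"` in px30.inc is set whether or not RK_UBOOT_TEE is enabled, so every default build (the README says OP-TEE OS is not baked in by default) will print the `ERROR:   Error initializing runtime service opteed_fast` line quoted in the comment. An ERROR on each boot of a default image is likely to be reported as a fault, or to hide a real one; consider deriving the default from RK_UBOOT_TEE, or state in the README that the message is expected when RK_UBOOT_TEE is unset.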
> diff --git a/conf/machine/include/rk3399.inc b/conf/machine/include/rk3399.inc
> index 166db7b..93594bc 100644
> --- a/conf/machine/include/rk3399.inc
> +++ b/conf/machine/include/rk3399.inc
> @@ -14,6 +14,13 @@ KBUILD_DEFCONFIG ?= "defconfig"
>  
>  TFA_PLATFORM = "rk3399"
>  TFA_BUILD_TARGET = "bl31"
> +# Allow TF-A to load OP-TEE OS
> +# If no OP-TEE OS, it'll simply print
> +#  ERROR:   Error initializing runtime service opteed_fast
> +# and the boot process will continue.
> +TFA_SPD ?= "opteed"
> +
> +OPTEEMACHINE = "rockchip-rk3399"
>  
>  UBOOT_SUFFIX ?= "itb"
>  UBOOT_ENTRYPOINT ?= "0x06000000"
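Review bot: The seven lines added to rk3399.inc are the same as those added to px30.inc and rk3588s.inc apart from the OPTEEMACHINE value, comment included. Keeping the TFA_SPD default and its comment in one shared include and leaving only OPTEEMACHINE per SoC would stop the three copies from drifting apart.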
> diff --git a/conf/machine/include/rk3588s.inc b/conf/machine/include/rk3588s.inc
> index 18c2fb2..ab16e1a 100644
> --- a/conf/machine/include/rk3588s.inc
> +++ b/conf/machine/include/rk3588s.inc
> @@ -18,5 +18,12 @@ UBOOT_ENTRYPOINT ?= "0x06000000"
>  
>  TFA_PLATFORM = "rk3588"
>  TFA_BUILD_TARGET = "bl31"
> +# Allow TF-A to load OP-TEE OS
> +# If no OP-TEE OS, it'll simply print
> +#  ERROR:   Error initializing runtime service opteed_fast
> +# and the boot process will continue.
> +TFA_SPD ?= "opteed"
> +
> +OPTEEMACHINE = "rockchip-rk3588"
>  
>  ENABLE_STATELESS_VPU_GST ?= "1"
> diff --git a/recipes-bsp/u-boot/u-boot-rockchip.inc b/recipes-bsp/u-boot/u-boot-rockchip.inc
> index 2b5bbd7..19f7c8a 100644
> --- a/recipes-bsp/u-boot/u-boot-rockchip.inc
> +++ b/recipes-bsp/u-boot/u-boot-rockchip.inc
> @@ -7,6 +7,12 @@ TFA_DEPENDS ??= ""
>  TFA_DEPENDS:rockchip:aarch64 = " trusted-firmware-a:do_deploy"
>  do_compile[depends] .= "${TFA_DEPENDS}"
>  
> +EXTRA_OEMAKE:append:rockchip = "${@' TEE=${DEPLOY_DIR_IMAGE}/optee/tee.bin' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
> +
> +TEE_DEPENDS ??= ""
> +TEE_DEPENDS:rockchip = "${@' optee-os:do_deploy' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
> +do_compile[depends] .= "${TEE_DEPENDS}"
> +
>  # No open-source TPL (yet)
>  ROCKCHIP_TPL:closed-tpl = "${DEPLOY_DIR_IMAGE}/ddr-${SOC_FAMILY}.bin"
>  # SOC_FAMILY for RK3588S is rk3588s but it should use the binaries from rk3588
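Review bot: Both `EXTRA_OEMAKE:append:rockchip` and `TEE_DEPENDS:rockchip` in u-boot-rockchip.inc apply to every rockchip machine, but this series only sets OPTEEMACHINE and COMPATIBLE_MACHINE for px30, rk3399 and rk3588s. With RK_UBOOT_TEE set on any other SoC, do_compile would depend on optee-os:do_deploy for a machine the bbappends do not mark as compatible. Restrict these lines to the three supported overrides, or fail early with a clear message. The neighbouring TFA_DEPENDS is scoped `:rockchip:aarch64` where the new lines use `:rockchip` only; if the difference is intended, a comment would help. The `bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False)` expression also appears twice and could be evaluated once.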
> diff --git a/recipes-security/optee/optee-os-tadevkit_%.bbappend b/recipes-security/optee/optee-os-tadevkit_%.bbappend
> new file mode 100644
> index 0000000..e4fc87b
> --- /dev/null
> +++ b/recipes-security/optee/optee-os-tadevkit_%.bbappend
> @@ -0,0 +1,3 @@
> +COMPATIBLE_MACHINE:px30 = "px30"
> +COMPATIBLE_MACHINE:rk3399 = "rk3399"
> +COMPATIBLE_MACHINE:rk3588s = "rk3588s"
> diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
> new file mode 100644
> index 0000000..2a5ec8b
> --- /dev/null
> +++ b/recipes-security/optee/optee-os_%.bbappend
> @@ -0,0 +1,19 @@
> +# Increase size for FDT in OP-TEE OS to the one in TF-A since v2.13 to avoid
> +# panics on 64+KiB FDT passed by U-Boot to TF-A to OP-TEE OS.
> +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged.
> +EXTRA_OEMAKE:append:rockchip:aarch64 = " CFG_DTB_MAX_SIZE=0x60000"
> +
> +# Disable early console by default to avoid OP-TEE OS panicking on boards with
> +# their UART console different from OP-TEE OS default (UART2 for rk322x, rk3399
> +# and rk3588(s)).
> +# In-tree default changes if https://github.com/OP-TEE/optee_os/pull/7688 merged
> +OPTEE_OS_EARLY_CONSOLE ?= "n"
> +EXTRA_OEMAKE:append:rockchip = " CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}"
> +
> +# Enable hardware acceleration using Arm Cryptography Extensions on PX30.
> +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7689 is merged.

Have these 3 merges occurred yet?

> +EXTRA_OEMAKE:append:px30 = " CFG_CRYPTO_WITH_CE=y"
> +
> +COMPATIBLE_MACHINE:px30 = "px30"
> +COMPATIBLE_MACHINE:rk3399 = "rk3399"
> +COMPATIBLE_MACHINE:rk3588s = "rk3588s"
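Review bot: `CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}` in optee-os_%.bbappend passes the variable through unchanged, whereas RK_UBOOT_TEE goes through bb.utils.to_boolean, so the two user-facing switches accept different spellings: "1" or "yes" works for one and is handed to make verbatim for the other. Either normalise OPTEE_OS_EARLY_CONSOLE to y/n in the same way, or state in the README that only "y" and "n" are accepted. Also, the CFG_DTB_MAX_SIZE append is scoped `:rockchip:aarch64` while the CFG_EARLY_CONSOLE append is `:rockchip`, and the "64+KiB" in the first comment would be clearer with the new limit beside it, since 0x60000 is 384 KiB.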
> diff --git a/recipes-security/optee/optee-test_%.bbappend b/recipes-security/optee/optee-test_%.bbappend
> new file mode 100644
> index 0000000..e4fc87b
> --- /dev/null
> +++ b/recipes-security/optee/optee-test_%.bbappend
> @@ -0,0 +1,3 @@
> +COMPATIBLE_MACHINE:px30 = "px30"
> +COMPATIBLE_MACHINE:rk3399 = "rk3399"
> +COMPATIBLE_MACHINE:rk3588s = "rk3588s"
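Review bot: The new optee-test_%.bbappend has the same content as optee-os-tadevkit_%.bbappend (both show blob e4fc87b), and the same three COMPATIBLE_MACHINE lines close optee-os_%.bbappend. None of the files says why the override is needed; a one-line comment, and ideally a single shared .inc required from all three, would keep the list of supported SoCs in one place.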
> 
> -- 
> 2.52.0