From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Subject: [isar-cip-core][PATCH 00/19] Enable RPMB-base firmware stack with OP-TEE/fTPM/StMM for QEMU ARM64
Date: Mon, 27 Oct 2025 08:21:29 +0100
Message-ID: <cover.1761549708.git.jan.kiszka@siemens.com>

While waiting for [1] to be merged into QEMU upstream, already enable
the qemu-arm64 target to make use of the RPMB emulation. We keep this
optional, though, not only because of its dependency on special QEMU at
this stage. We still need to support discrete TPM emulation for older
kernels.

Debugging the stack has revealed several issues. Most of them are fixed
now, but one is still under discussion [2]. This series addresses it by
disabling the hardware random number generator of the TPM for all CIP
kernels.

Jan

[1] https://patchwork.kernel.org/project/qemu-devel/list/?series=1012864
[2] https://lore.kernel.org/lkml/bbc41534-a2d9-42dc-ac8a-ff8a0b4fd41f@siemens.com/

Jan Kiszka (19):
  linux-cip: Update cip-kernel-config revision
  Update isar revision
  qemu-arm64: Add recipe for optee-ftpm
  qemu-arm64: Add optee-os 4.8.0
  qemu-arm64: Add recipe for TF-A
  u-boot: Add patch to fix sporadic build failures
  u-boot: Relocate or drop secure boot unrelated config switches
  u-boot-qemu: Add patches and config switch needed for eMMC boot
  u-boot: Prepare for different build dependency without built-in UEFI
    keys
  u-boot: Add optional support for fTPM/StMM
  cip-core-initramfs: Add initramfs-tee-ftpm-hook when needed
  Add class to generate eMMC image for QEMU
  qemu-arm64: Switch firmware provider to TF-A in fTPM/StMM mode
  customizations: Install efitools in secure boot mode
  kas: Add option for fTPM/StMM firmware mode
  start-qemu: Indention fixes
  start-qemu: Factor out -drive parameter in UEFI boot mode
  start-qemu: Add support for qemu-arm64 fTPM/StMM mode
  linux-cip: Disable CONFIG_HW_RANDOM_TPM in QEMU

Kconfig | 19 +++
classes/qemu-emmc.bbclass | 43 ++++++
conf/distro/cip-core-common.inc | 2 +
conf/layer.conf | 5 +-
conf/machine/qemu-arm64.conf | 4 +-
kas-cip.yml | 2 +-
kas/opt/ebg-swu.yml | 6 +-
kas/opt/ftpm-stmm.yml | 16 +++
...ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb | 30 ++++
.../optee-os/optee-os-qemu-arm64_4.8.0.bb | 13 ++
.../optee-os/optee-os-qemu-arm64_4.8.0.inc | 18 +++
recipes-bsp/optee-os/optee-os-qemu.inc | 44 ++++++
.../optee-os-tadevkit-qemu-arm64_4.8.0.bb | 15 ++
.../trusted-firmware-a-qemu-arm64_2.13.0.bb | 40 ++++++
...onvert-SYS_EARLY_PCI_INIT-to-Kconfig.patch | 37 +++++
...ot-generate-logo-when-cross-building.patch | 33 +++++
...arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch | 28 ++++
.../files/0003-test-Fix-optee-unit-test.patch | 134 ++++++++++++++++++
recipes-bsp/u-boot/files/ftpm-stmm.cfg | 5 +
recipes-bsp/u-boot/files/qemu-extra.cfg | 9 ++
recipes-bsp/u-boot/files/secure-boot.cfg | 6 +-
recipes-bsp/u-boot/u-boot-common-2025.07.inc | 30 +++-
recipes-bsp/u-boot/u-boot-qemu-common.inc | 14 +-
recipes-core/customizations/customizations.bb | 4 +-
.../cip-core-initramfs/cip-core-initramfs.bb | 1 +
recipes-kernel/linux/cip-kernel-config.inc | 5 +-
recipes-kernel/linux/files/no-tpm-hwrng.cfg | 2 +
start-qemu.sh | 70 +++++----
28 files changed, 587 insertions(+), 48 deletions(-)
create mode 100644 classes/qemu-emmc.bbclass
create mode 100644 kas/opt/ftpm-stmm.yml
create mode 100644 recipes-bsp/optee-ftpm/optee-ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb
create mode 100644 recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.bb
create mode 100644 recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.inc
create mode 100644 recipes-bsp/optee-os/optee-os-qemu.inc
create mode 100644 recipes-bsp/optee-os/optee-os-tadevkit-qemu-arm64_4.8.0.bb
create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.13.0.bb
create mode 100644 recipes-bsp/u-boot/files/0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch
create mode 100644 recipes-bsp/u-boot/files/0001-tools-Do-not-generate-logo-when-cross-building.patch
create mode 100644 recipes-bsp/u-boot/files/0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch
create mode 100644 recipes-bsp/u-boot/files/0003-test-Fix-optee-unit-test.patch
create mode 100644 recipes-bsp/u-boot/files/ftpm-stmm.cfg
create mode 100644 recipes-bsp/u-boot/files/qemu-extra.cfg
create mode 100644 recipes-kernel/linux/files/no-tpm-hwrng.cfg
--
2.51.0