* [isar-cip-core][PATCH 00/19] Enable RPMB-based firmware stack with OP-TEE/fTPM/StMM for QEMU ARM64
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
While waiting for [1] to be merged into QEMU upstream, already enable
the qemu-arm64 target to make use of the RPMB emulation. We keep this
optional, though, not only because of its dependency on special QEMU at
this stage. We still need to support discrete TPM emulation for older
kernels.
Debugging the stack has revealed several issues. Most of them are fixed
now, but one is still under discussion [2]. This series addresses it by
disabling the hardware random number generator of the TPM for all CIP
kernels.
Jan
[1] https://patchwork.kernel.org/project/qemu-devel/list/?series=1012864
[2] https://lore.kernel.org/lkml/bbc41534-a2d9-42dc-ac8a-ff8a0b4fd41f@siemens.com/
Jan Kiszka (19):
linux-cip: Update cip-kernel-config revision
Update isar revision
qemu-arm64: Add recipe for optee-ftpm
qemu-arm64: Add optee-os 4.8.0
qemu-arm64: Add recipe for TF-A
u-boot: Add patch to fix sporadic build failures
u-boot: Relocate or drop secure boot unrelated config switches
u-boot-qemu: Add patches and config switch needed for eMMC boot
u-boot: Prepare for different build dependency without built-in UEFI
keys
u-boot: Add optional support for fTPM/StMM
cip-core-initramfs: Add initramfs-tee-ftpm-hook when needed
Add class to generate eMMC image for QEMU
qemu-arm64: Switch firmware provider to TF-A in fTPM/StMM mode
customizations: Install efitools in secure boot mode
kas: Add option for fTPM/StMM firmware mode
start-qemu: Indention fixes
start-qemu: Factor out -drive parameter in UEFI boot mode
start-qemu: Add support for qemu-arm64 fTPM/StMM mode
linux-cip: Disable CONFIG_HW_RANDOM_TPM in QEMU
Kconfig | 19 +++
classes/qemu-emmc.bbclass | 43 ++++++
conf/distro/cip-core-common.inc | 2 +
conf/layer.conf | 5 +-
conf/machine/qemu-arm64.conf | 4 +-
kas-cip.yml | 2 +-
kas/opt/ebg-swu.yml | 6 +-
kas/opt/ftpm-stmm.yml | 16 +++
...ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb | 30 ++++
.../optee-os/optee-os-qemu-arm64_4.8.0.bb | 13 ++
.../optee-os/optee-os-qemu-arm64_4.8.0.inc | 18 +++
recipes-bsp/optee-os/optee-os-qemu.inc | 44 ++++++
.../optee-os-tadevkit-qemu-arm64_4.8.0.bb | 15 ++
.../trusted-firmware-a-qemu-arm64_2.13.0.bb | 40 ++++++
...onvert-SYS_EARLY_PCI_INIT-to-Kconfig.patch | 37 +++++
...ot-generate-logo-when-cross-building.patch | 33 +++++
...arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch | 28 ++++
.../files/0003-test-Fix-optee-unit-test.patch | 134 ++++++++++++++++++
recipes-bsp/u-boot/files/ftpm-stmm.cfg | 5 +
recipes-bsp/u-boot/files/qemu-extra.cfg | 9 ++
recipes-bsp/u-boot/files/secure-boot.cfg | 6 +-
recipes-bsp/u-boot/u-boot-common-2025.07.inc | 30 +++-
recipes-bsp/u-boot/u-boot-qemu-common.inc | 14 +-
recipes-core/customizations/customizations.bb | 4 +-
.../cip-core-initramfs/cip-core-initramfs.bb | 1 +
recipes-kernel/linux/cip-kernel-config.inc | 5 +-
recipes-kernel/linux/files/no-tpm-hwrng.cfg | 2 +
start-qemu.sh | 70 +++++----
28 files changed, 587 insertions(+), 48 deletions(-)
create mode 100644 classes/qemu-emmc.bbclass
create mode 100644 kas/opt/ftpm-stmm.yml
create mode 100644 recipes-bsp/optee-ftpm/optee-ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb
create mode 100644 recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.bb
create mode 100644 recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.inc
create mode 100644 recipes-bsp/optee-os/optee-os-qemu.inc
create mode 100644 recipes-bsp/optee-os/optee-os-tadevkit-qemu-arm64_4.8.0.bb
create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.13.0.bb
create mode 100644 recipes-bsp/u-boot/files/0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch
create mode 100644 recipes-bsp/u-boot/files/0001-tools-Do-not-generate-logo-when-cross-building.patch
create mode 100644 recipes-bsp/u-boot/files/0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch
create mode 100644 recipes-bsp/u-boot/files/0003-test-Fix-optee-unit-test.patch
create mode 100644 recipes-bsp/u-boot/files/ftpm-stmm.cfg
create mode 100644 recipes-bsp/u-boot/files/qemu-extra.cfg
create mode 100644 recipes-kernel/linux/files/no-tpm-hwrng.cfg
--
2.51.0
* [isar-cip-core][PATCH 01/19] linux-cip: Update cip-kernel-config revision
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Brings the required config options for fTPM and StMM for QEMU ARM64.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-kernel/linux/cip-kernel-config.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-kernel/linux/cip-kernel-config.inc b/recipes-kernel/linux/cip-kernel-config.inc
index 7ffeb195..8baf79b8 100644
--- a/recipes-kernel/linux/cip-kernel-config.inc
+++ b/recipes-kernel/linux/cip-kernel-config.inc
@@ -14,7 +14,7 @@ SRC_URI:append = " ${@ \
if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \
}"
-SRCREV_cip-kernel-config ?= "60f3454fe50a2faead9fe5f156ed1f89bd0cd99d"
+SRCREV_cip-kernel-config ?= "64bb9beeef908c4f699e84d53bb72b6124cff492"
do_fetch[vardeps] += "SRCREV_cip-kernel-config"
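Review bot: the commit message says the new revision "brings the required config options for fTPM and StMM", but the hunk only moves SRCREV_cip-kernel-config from 60f3454f to 64bb9bee, so nothing in the diff lets a reviewer check which fragments changed; please name the options (or the cip-kernel-config commits) in the message so the kernel-side prerequisites of the fTPM/StMM mode are recorded where this layer is bumped.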
--
2.51.0
* [isar-cip-core][PATCH 02/19] Update isar revision
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Needed for the upcoming OP-TEE-based firmware integration.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas-cip.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kas-cip.yml b/kas-cip.yml
index d76d6d94..19e634d7 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -22,7 +22,7 @@ repos:
isar:
url: https://github.com/ilbers/isar.git
- commit: d63a1cbae6f737aa843d00d8812547fe7b87104a
+ commit: fd711088bc7eb84fb040c0fad5059e79a765bc89
layers:
meta:
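Review bot: "Needed for the upcoming OP-TEE-based firmware integration" does not say what isar commit fd711088 provides; the later patches of this series require recipes-bsp/optee-ftpm/optee-ftpm.inc, recipes-bsp/optee-os/optee-os-custom.inc, recipes-bsp/optee-os/optee-os-tadevkit-custom.inc and recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc from the layer, so listing those (or the isar commit range) in the message would let reviewers confirm this is the minimum revision and would make a later bisect of the dependency easier.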
--
2.51.0
* [isar-cip-core][PATCH 03/19] qemu-arm64: Add recipe for optee-ftpm
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Given a QEMU with RPMB emulation (upcoming upstream feature), this will
be able to replace the virtual discrete TPM we currently use for
qemu-arm64.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 recipes-bsp/optee-ftpm/optee-ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb
diff --git a/recipes-bsp/optee-ftpm/optee-ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb b/recipes-bsp/optee-ftpm/optee-ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb
new file mode 100644
index 00000000..5c462c8e
--- /dev/null
+++ b/recipes-bsp/optee-ftpm/optee-ftpm-qemu-arm64_4.8+v1.62r1-48-ge9fc7b8.bb
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
+
+SRC_URI += " \
+ https://github.com/OP-TEE/optee_ftpm/archive/${SRCREV}.tar.gz;downloadfilename=optee_ftpm-${SRCREV}.tar.gz \
+ https://github.com/microsoft/ms-tpm-20-ref/archive/${SRCREV_ms-tpm}.tar.gz;name=ms-tpm;downloadfilename=ms-tpm-20-ref-${SRCREV_ms-tpm}.tar.gz \
+ "
+SRCREV = "04cbc8a136e8fe6731a536f5fe145e2862feafd7"
+SRCREV_ms-tpm = "e9fc7b89d865536c46deb63f9c7d0121a3ded49c"
+
+SRC_URI[sha256sum] = "7adfa71c4b49affef7d4db2436d8d6b93cdc3aaa9bdc9cf795c0bf7488a4cac6"
+SRC_URI[ms-tpm.sha256sum] = "b77d092c0dde362adf6bc88a580ca7c8abe124d69bb734bf28f8904ae30494a4"
+
+S = "${WORKDIR}/optee_ftpm-${SRCREV}"
+MS_TPM_20_REF_DIR = "ms-tpm-20-ref-${SRCREV_ms-tpm}"
+
+OPTEE_NAME = "qemu-arm64"
+
+TA_CPU = "cortex-a53"
+TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm64"
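Review bot: PV ends in v1.62r1-48-ge9fc7b8, which matches SRCREV_ms-tpm e9fc7b89..., but nothing in the recipe ties the leading "4.8" to optee_ftpm commit 04cbc8a1...; a comment stating which optee_ftpm tag or release that SRCREV corresponds to would keep PV verifiable when either pin is bumped. Pinning both tarballs by sha256sum is good; the same comment could also note that TA_DEV_KIT_DIR must point at the export dir of the exact optee-os-tadevkit version the TA is later embedded into (CFG_EARLY_TA in the optee-os recipe), since a mismatch only shows up at TEE boot time.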
--
2.51.0
* [isar-cip-core][PATCH 04/19] qemu-arm64: Add optee-os 4.8.0
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Build OP-TEE for qemu-arm64 with fTPM and StMM. If QEMU comes with an
RPMB emulation, this allows running a firmware stack that is very close
to real devices. It specifically enables modifiable secure UEFI
variables and allows dropping the virtual discrete TPM.
For building the fTPM TA, the corresponding tadevkit package is also
generated.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../optee-os/optee-os-qemu-arm64_4.8.0.bb | 13 ++++++
.../optee-os/optee-os-qemu-arm64_4.8.0.inc | 18 ++++++++
recipes-bsp/optee-os/optee-os-qemu.inc | 44 +++++++++++++++++++
.../optee-os-tadevkit-qemu-arm64_4.8.0.bb | 15 +++++++
4 files changed, 90 insertions(+)
create mode 100644 recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.bb
create mode 100644 recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.inc
create mode 100644 recipes-bsp/optee-os/optee-os-qemu.inc
create mode 100644 recipes-bsp/optee-os/optee-os-tadevkit-qemu-arm64_4.8.0.bb
diff --git a/recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.bb b/recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.bb
new file mode 100644
index 00000000..18eec20b
--- /dev/null
+++ b/recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.bb
@@ -0,0 +1,13 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require recipes-bsp/optee-os/optee-os-custom.inc
+require optee-os-qemu-arm64_${PV}.inc
diff --git a/recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.inc b/recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.inc
new file mode 100644
index 00000000..bc684534
--- /dev/null
+++ b/recipes-bsp/optee-os/optee-os-qemu-arm64_4.8.0.inc
@@ -0,0 +1,18 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require optee-os-qemu.inc
+
+SRC_URI[sha256sum] = "5222cd553f5edb69ae4ec7cb99b2bfec2c47a47c0be1865b49744701918e8b4d"
+
+OPTEE_NAME = "qemu-arm64"
+OPTEE_PLATFORM = "vexpress-qemu_armv8a"
+OPTEE_EXTRA_BUILDARGS += "CFG_ARM64_core=y CFG_USER_TA_TARGETS=ta_arm64"
diff --git a/recipes-bsp/optee-os/optee-os-qemu.inc b/recipes-bsp/optee-os/optee-os-qemu.inc
new file mode 100644
index 00000000..dec393e5
--- /dev/null
+++ b/recipes-bsp/optee-os/optee-os-qemu.inc
@@ -0,0 +1,44 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+SRC_URI += " \
+ https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz;downloadfilename=optee-os-${PV}.tar.gz \
+ "
+
+S = "${WORKDIR}/optee_os-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
+
+OPTEE_EXTRA_BUILDARGS = " \
+ TEE_IMPL_VERSION=${PV} \
+ CFG_TEE_CORE_LOG_LEVEL=2 CFG_TEE_TA_LOG_LEVEL=2 \
+ CFG_REE_FS=n CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_FS=y \
+ CFG_RPMB_WRITE_KEY=y CFG_RPMB_TESTKEY=y \
+ "
+
+OPTEE_ENABLE_APPS ?= "1"
+OVERRIDES .= "${@':optee-with-apps' if bb.utils.to_boolean(d.getVar("OPTEE_ENABLE_APPS")) else ''}"
+
+# StMM integration, required by UEFI auth variable management
+DEPENDS:append:optee-with-apps = " edk2-standalonemm-rpmb"
+DEBIAN_BUILD_DEPENDS:append:optee-with-apps = ", edk2-standalonemm-rpmb"
+OPTEE_EXTRA_BUILDARGS:append:optee-with-apps = " \
+ CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd \
+ "
+
+# OP-TEE fTPM integration
+DEPENDS:append:optee-with-apps = " optee-ftpm-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS:append:optee-with-apps = ", optee-ftpm-${OPTEE_NAME}"
+FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
+OPTEE_EXTRA_BUILDARGS:append:optee-with-apps = " \
+ CFG_EARLY_TA=y \
+ EARLY_TA_PATHS=/usr/lib/optee-os/${OPTEE_NAME}/ta/${FTPM_UUID}.stripped.elf \
+ "
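Review bot: CFG_RPMB_WRITE_KEY=y CFG_RPMB_TESTKEY=y make OP-TEE program the RPMB authentication key with the well-known test key, which is only acceptable for the QEMU eMMC emulation; since the commit message pitches this stack as "very close to real devices", please add a comment right above these two switches saying they must not be inherited by a real-board optee-os recipe, where the RPMB key derives from the device's hardware unique key and is written once in production. A comment on CFG_REE_FS=n noting that it forces all secure storage, including the fTPM state and the StMM variable store, into RPMB would also help readers understand why CFG_RPMB_FS=y is mandatory here.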
diff --git a/recipes-bsp/optee-os/optee-os-tadevkit-qemu-arm64_4.8.0.bb b/recipes-bsp/optee-os/optee-os-tadevkit-qemu-arm64_4.8.0.bb
new file mode 100644
index 00000000..252e7bc4
--- /dev/null
+++ b/recipes-bsp/optee-os/optee-os-tadevkit-qemu-arm64_4.8.0.bb
@@ -0,0 +1,15 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+OPTEE_ENABLE_APPS = "0"
+
+require recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
+require optee-os-qemu-arm64_${PV}.inc
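Review bot: OPTEE_ENABLE_APPS = "0" before the require is what breaks the dependency cycle (optee-os with apps depends on optee-ftpm-qemu-arm64, and optee-ftpm builds against TA_DEV_KIT_DIR exported by this package), and it only takes effect because optee-os-qemu.inc assigns OPTEE_ENABLE_APPS with ?=; please add a comment saying so, otherwise a later change from ?= to = in the .inc would silently re-enable the apps in the tadevkit build and reintroduce the cycle.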
--
2.51.0
* [isar-cip-core][PATCH 05/19] qemu-arm64: Add recipe for TF-A
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Build TF-A with OP-TEE support, starting U-Boot as BL33. This package
will provide the firmware.bin alternative to u-boot.bin when emulating
a full ARM firmware stack.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../trusted-firmware-a-qemu-arm64_2.13.0.bb | 40 +++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.13.0.bb
diff --git a/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.13.0.bb b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.13.0.bb
new file mode 100644
index 00000000..f2ee44ba
--- /dev/null
+++ b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.13.0.bb
@@ -0,0 +1,40 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit deploy-firmware
+
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+
+SRC_URI += "https://github.com/TrustedFirmware-A/trusted-firmware-a/archive/refs/tags/v${PV}.tar.gz;downloadfilename=trusted-firmware-a-v${PV}.tar.gz"
+SRC_URI[sha256sum] = "28bc15daeeed000ecd30819ecc4851bf9ffc2d33e1d4553a71985c17f47a999e"
+
+S = "${WORKDIR}/trusted-firmware-a-${PV}"
+
+DEPENDS += "u-boot-qemu-arm64 optee-os-qemu-arm64"
+DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, u-boot-qemu-arm64, optee-os-qemu-arm64"
+
+TF_A_NAME = "qemu-arm64"
+TF_A_PLATFORM = "qemu"
+TF_A_EXTRA_BUILDARGS = " \
+ SPD=opteed BL32_RAM_LOCATION=tdram \
+ BL32=/usr/lib/optee-os/qemu-arm64/tee-raw.bin \
+ BL33=/usr/lib/u-boot/qemu-arm64/u-boot.bin \
+ all fip"
+TF_A_BINARIES = "release/bl1.bin release/fip.bin"
+
+do_deploy_firmware() {
+ dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${TF_A_NAME}_${PV}_${DISTRO_ARCH}.deb" | \
+ tar xOf - "./usr/lib/trusted-firmware-a/${TF_A_NAME}/bl1.bin" \
+ > "${DEPLOYDIR_FIRMWARE}/firmware.bin"
+ dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${TF_A_NAME}_${PV}_${DISTRO_ARCH}.deb" | \
+ tar xOf - "./usr/lib/trusted-firmware-a/${TF_A_NAME}/fip.bin" | \
+ dd of="${DEPLOYDIR_FIRMWARE}/firmware.bin" seek=64 bs=4096 conv=notrunc
+}
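Review bot: seek=64 bs=4096 in do_deploy_firmware places fip.bin at offset 0x40000 of firmware.bin, which is the FIP base the TF-A qemu platform expects in its flash image, but as bare numbers it reads like an arbitrary choice; please comment the layout (bl1.bin at 0, fip.bin at 0x40000) and where the constant comes from, and consider extracting the .deb once into a temporary directory instead of running dpkg --fsys-tarfile twice. Also worth stating in the recipe: TF_A_EXTRA_BUILDARGS enables no FIP image authentication (TRUSTED_BOARD_BOOT is not set), so BL32 (OP-TEE) and BL33 (U-Boot) are loaded unverified; fine for emulation, but it is a visible gap between this stack and the "full ARM firmware stack" the commit message describes.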
--
2.51.0
* [isar-cip-core][PATCH 06/19] u-boot: Add patch to fix sporadic build failures
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Merged upstream, will appear in v2026.01.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...ot-generate-logo-when-cross-building.patch | 33 +++++++++++++++++++
recipes-bsp/u-boot/u-boot-common-2025.07.inc | 1 +
2 files changed, 34 insertions(+)
create mode 100644 recipes-bsp/u-boot/files/0001-tools-Do-not-generate-logo-when-cross-building.patch
diff --git a/recipes-bsp/u-boot/files/0001-tools-Do-not-generate-logo-when-cross-building.patch b/recipes-bsp/u-boot/files/0001-tools-Do-not-generate-logo-when-cross-building.patch
new file mode 100644
index 00000000..16b219f5
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0001-tools-Do-not-generate-logo-when-cross-building.patch
@@ -0,0 +1,33 @@
+From 371a76e845504c9ba7ca216b6edfb4ae4ec14e56 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Sat, 23 Aug 2025 17:21:09 +0200
+Subject: [PATCH] tools: Do not generate logo when cross-building
+
+This cannot work (unless qemu-user is registered in binfmt_misc) as the
+tools will be for a different architecture.
+
+Fixes "make cross_tools" in case CONFIG_VIDEO_LOGO is enabled.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Tom Rini <trini@konsulko.com>
+---
+ tools/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/Makefile b/tools/Makefile
+index 7eb17f92116..ae6a3052646 100644
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -333,7 +333,9 @@ HOST_EXTRACFLAGS += -include $(srctree)/include/compiler.h \
+ -D__KERNEL_STRICT_NAMES \
+ -D_GNU_SOURCE
+
++ifeq ($(CROSS_BUILD_TOOLS),)
+ __build: $(LOGO-y)
++endif
+
+ $(LOGO_H): $(obj)/bmp_logo $(LOGO_BMP)
+ $(obj)/bmp_logo --gen-info $(LOGO_BMP) > $@
+--
+2.51.0
+
diff --git a/recipes-bsp/u-boot/u-boot-common-2025.07.inc b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
index 93678cbf..b5ecb31a 100644
--- a/recipes-bsp/u-boot/u-boot-common-2025.07.inc
+++ b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
@@ -15,6 +15,7 @@ FILESPATH:append := ":${FILE_DIRNAME}/files"
SRC_URI += " \
https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
+ file://0001-tools-Do-not-generate-logo-when-cross-building.patch \
file://rules.tmpl;subdir=debian"
SRC_URI[sha256sum] = "0f933f6c5a426895bf306e93e6ac53c60870e4b54cda56d95211bec99e63bec7"
--
2.51.0
* [isar-cip-core][PATCH 07/19] u-boot: Relocate or drop secure boot unrelated config switches
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
CONFIG_USB_STORAGE and CONFIG_FIT_SIGNATURE are not generically required
to switch U-Boot into UEFI secure boot; drop them.
CONFIG_EFI_SCROLL_ON_CLEAR_SCREEN helps to keep the debug output intact
when booting via UEFI, but also without secure boot. Move this into a
newly introduced config extension for the QEMU boards. That snippet will
gain more options soon.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-bsp/u-boot/files/qemu-extra.cfg | 2 ++
recipes-bsp/u-boot/files/secure-boot.cfg | 3 ---
recipes-bsp/u-boot/u-boot-qemu-common.inc | 9 ++++++++-
3 files changed, 10 insertions(+), 4 deletions(-)
create mode 100644 recipes-bsp/u-boot/files/qemu-extra.cfg
diff --git a/recipes-bsp/u-boot/files/qemu-extra.cfg b/recipes-bsp/u-boot/files/qemu-extra.cfg
new file mode 100644
index 00000000..775e999c
--- /dev/null
+++ b/recipes-bsp/u-boot/files/qemu-extra.cfg
@@ -0,0 +1,2 @@
+### QEMU extra config
+CONFIG_EFI_SCROLL_ON_CLEAR_SCREEN=y
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg b/recipes-bsp/u-boot/files/secure-boot.cfg
index 58786a45..9d8b047e 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg
@@ -9,12 +9,9 @@ CONFIG_BOOTDELAY=-2
CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="bootflow scan -lb; echo 'EFI Boot failed!'; sleep 1000; reset"
CONFIG_HUSH_PARSER=y
-CONFIG_USB_STORAGE=y
CONFIG_EFI_PARTITION=y
CONFIG_FS_FAT=y
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
-CONFIG_FIT_SIGNATURE=y
-CONFIG_EFI_SCROLL_ON_CLEAR_SCREEN=y
# workaround for v2025.07
CONFIG_CMD_DHCP=y
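Review bot: dropping CONFIG_FIT_SIGNATURE=y from secure-boot.cfg silently removes FIT signature verification from every secureboot build that pulled it in through this fragment; the commit message says it is not generically required, but please state explicitly that no in-tree board config relies on signed FIT images, or move the switch into the affected board's cfg rather than deleting it, so that a board which does boot FIT images does not lose verification without notice.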
diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 0bf7b621..f1a415b1 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2022-2024
+# Copyright (c) Siemens AG, 2022-2025
#
# Authors:
# Jan Kiszka <jan.kiszka@siemens.com>
@@ -11,8 +11,15 @@
inherit deploy-firmware
+SRC_URI += "file://qemu-extra.cfg"
+
U_BOOT_BIN = "u-boot.bin"
+do_prepare_build:append() {
+ sed -ni '/### QEMU extra config/q;p' ${S}/configs/${U_BOOT_CONFIG}
+ cat ${WORKDIR}/qemu-extra.cfg >> ${S}/configs/${U_BOOT_CONFIG}
+}
+
do_deploy_firmware() {
dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
tar xOf - "./usr/lib/u-boot/${MACHINE}/${U_BOOT_BIN}" \
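Review bot: the sed in do_prepare_build:append truncates the defconfig at the literal line "### QEMU extra config", which has to match the first line of qemu-extra.cfg byte for byte; if the two drift apart, nothing is truncated and the section is appended a second time on every re-run. A comment next to the marker and a matching one in the .cfg pointing at each other would prevent that, and the same applies to the "### Secure boot config" marker used by do_prepare_build:append:secureboot in u-boot-common, whose section must stay distinct from this one since each sed cuts from its own marker to end of file.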
--
2.51.0
* [isar-cip-core][PATCH 08/19] u-boot-qemu: Add patches and config switch needed for eMMC boot
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Add two patches that are needed to boot from a PCI-attached eMMC. Both
will be available with v2026.01. Furthermore, enable the required config
switches for all QEMU builds of U-Boot. Only ARM64 will use them soon,
but there is no reason not to have the others prepared already.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
...onvert-SYS_EARLY_PCI_INIT-to-Kconfig.patch | 37 +++++++++++++++++++
...arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch | 28 ++++++++++++++
recipes-bsp/u-boot/files/qemu-extra.cfg | 7 ++++
recipes-bsp/u-boot/u-boot-common-2025.07.inc | 2 +
4 files changed, 74 insertions(+)
create mode 100644 recipes-bsp/u-boot/files/0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch
create mode 100644 recipes-bsp/u-boot/files/0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch
diff --git a/recipes-bsp/u-boot/files/0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch b/recipes-bsp/u-boot/files/0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch
new file mode 100644
index 00000000..36c0ea8b
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch
@@ -0,0 +1,37 @@
+From d3403a731b5b194a9e4e2ba67911e760dcd89207 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 14 Aug 2025 20:14:35 +0200
+Subject: [PATCH 1/3] Kconfig: Convert SYS_EARLY_PCI_INIT to Kconfig
+
+The CONFIG_SYS_EARLY_PCI_INIT symbol is currently not supported
+by Kconfig.
+
+Make it a Kconfig symbol so that users could select it via defconfig.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Tom Rini <trini@konsulko.com>
+---
+ common/Kconfig | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/common/Kconfig b/common/Kconfig
+index a2f653f7e72..cb17f056153 100644
+--- a/common/Kconfig
++++ b/common/Kconfig
+@@ -833,6 +833,13 @@ config PCI_INIT_R
+ case of DM PCI-based Ethernet devices, which will not be detected
+ without having the enumeration performed earlier.
+
++config SYS_EARLY_PCI_INIT
++ bool "Enumerate PCI buses early during init"
++ depends on PCI
++ help
++ Do early PCI configuration before the eMMC gets initialised,
++ because PCI resources are crucial for eMMC access on some boards.
++
+ config RESET_PHY_R
+ bool "Reset ethernet PHY during init"
+ help
+--
+2.51.0
+
diff --git a/recipes-bsp/u-boot/files/0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch b/recipes-bsp/u-boot/files/0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch
new file mode 100644
index 00000000..ec82a32b
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch
@@ -0,0 +1,28 @@
+From b93d9e7cc2b39a6d16356d391d2d7832ed4b9202 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 14 Aug 2025 20:14:36 +0200
+Subject: [PATCH 2/3] qemu_arm: Select CONFIG_SYS_EARLY_PCI_INIT
+
+Select CONFIG_SYS_EARLY_PCI_INIT so that eMMC emulation can
+work.
+
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+---
+ board/emulation/qemu-arm/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/board/emulation/qemu-arm/Kconfig b/board/emulation/qemu-arm/Kconfig
+index 80ab9d8e1c3..447061b25cd 100644
+--- a/board/emulation/qemu-arm/Kconfig
++++ b/board/emulation/qemu-arm/Kconfig
+@@ -8,6 +8,7 @@ config BOARD_SPECIFIC_OPTIONS # dummy
+ select HAS_CUSTOM_SYS_INIT_SP_ADDR
+ select QFW if ACPI
+ select QFW_MMIO if CMD_QFW
++ imply SYS_EARLY_PCI_INIT
+ imply VIRTIO_MMIO
+ imply VIRTIO_PCI
+ imply VIRTIO_NET
+--
+2.51.0
+
diff --git a/recipes-bsp/u-boot/files/qemu-extra.cfg b/recipes-bsp/u-boot/files/qemu-extra.cfg
index 775e999c..e643db7d 100644
--- a/recipes-bsp/u-boot/files/qemu-extra.cfg
+++ b/recipes-bsp/u-boot/files/qemu-extra.cfg
@@ -1,2 +1,9 @@
### QEMU extra config
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_SUPPORT_EMMC_BOOT=y
+CONFIG_MMC_PCI=y
+CONFIG_MMC_SDHCI=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_MMC_REG=y
CONFIG_EFI_SCROLL_ON_CLEAR_SCREEN=y
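Review bot: the new switches land without a comment on what each one serves; CONFIG_MMC_PCI and CONFIG_MMC_SDHCI are for the PCI-attached eMMC the commit message names, but CONFIG_SUPPORT_EMMC_RPMB is what lets U-Boot service OP-TEE's RPMB requests from the normal world (the StMM variable store and fTPM state end up in RPMB only through that path), and CONFIG_CMD_MMC_REG is a register-dump debug aid. A one-line comment per group would stop someone later trimming the RPMB switch as unused and breaking the fTPM/StMM mode in a way that only shows at TEE boot.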
diff --git a/recipes-bsp/u-boot/u-boot-common-2025.07.inc b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
index b5ecb31a..5f8f9de9 100644
--- a/recipes-bsp/u-boot/u-boot-common-2025.07.inc
+++ b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
@@ -16,6 +16,8 @@ FILESPATH:append := ":${FILE_DIRNAME}/files"
SRC_URI += " \
https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
file://0001-tools-Do-not-generate-logo-when-cross-building.patch \
+ file://0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch \
+ file://0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch \
file://rules.tmpl;subdir=debian"
SRC_URI[sha256sum] = "0f933f6c5a426895bf306e93e6ac53c60870e4b54cda56d95211bec99e63bec7"
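Review bot: the two new patch files are numbered 0001 and 0002 while 0001-tools-Do-not-generate-logo-when-cross-building.patch already lives in the same files/ directory, and patch 10 of this series adds 0003-test-Fix-optee-unit-test.patch; since the three later ones carry their own [PATCH n/3] subjects, either renumber the logo patch or drop the numeric prefixes so the directory listing does not mislead about apply order (SRC_URI order is what counts, and it applies the tools patch first here).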
--
2.51.0
* [isar-cip-core][PATCH 09/19] u-boot: Prepare for different build dependency without built-in UEFI keys
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
We will soon add StMM/RPMB-based UEFI key storage as an alternative to
static, built-in keys in U-Boot. Prepare for having different build
dependencies then.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-bsp/u-boot/u-boot-common-2025.07.inc | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/recipes-bsp/u-boot/u-boot-common-2025.07.inc b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
index 5f8f9de9..f9dde598 100644
--- a/recipes-bsp/u-boot/u-boot-common-2025.07.inc
+++ b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
@@ -29,12 +29,18 @@ S = "${WORKDIR}/u-boot-${PV}"
DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}, \
libgnutls28-dev:native, libgnutls28-dev:${DISTRO_ARCH}"
-DEBIAN_BUILD_DEPENDS:append:secureboot = ", \
+STATIC_KEYS_BUILD_DEPENDS = ", \
openssl, efivar, secure-boot-secrets, python3-openssl:native"
-DEBIAN_BUILD_DEPENDS:append:secureboot:buster = ", pesign"
-DEBIAN_BUILD_DEPENDS:append:secureboot:bullseye = ", pesign"
-DEBIAN_BUILD_DEPENDS:append:secureboot:bookworm = ", pesign"
-DEPENDS:append:secureboot = " secure-boot-secrets"
+STATIC_KEYS_BUILD_DEPENDS:append:buster = ", pesign"
+STATIC_KEYS_BUILD_DEPENDS:append:bullseye = ", pesign"
+STATIC_KEYS_BUILD_DEPENDS:append:bookworm = ", pesign"
+STATIC_KEYS_DEPENDS = "secure-boot-secrets"
+
+SECURE_BOOT_BUILD_DEPENDS = "${STATIC_KEYS_BUILD_DEPENDS}"
+SECURE_BOOT_DEPENDS = "${STATIC_KEYS_DEPENDS}"
+
+DEBIAN_BUILD_DEPENDS:append:secureboot = "${SECURE_BOOT_BUILD_DEPENDS}"
+DEPENDS:append:secureboot = "${SECURE_BOOT_DEPENDS}"
do_prepare_build:append:secureboot() {
sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
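Review bot: the leading space is lost on the DEPENDS side: the removed line was `DEPENDS:append:secureboot = " secure-boot-secrets"`, but the new `STATIC_KEYS_DEPENDS = "secure-boot-secrets"` has none and is appended verbatim through `DEPENDS:append:secureboot = "${SECURE_BOOT_DEPENDS}"`, so BitBake will glue it onto the last existing DEPENDS entry whenever DEPENDS is non-empty. Either define STATIC_KEYS_DEPENDS = " secure-boot-secrets" (mirroring the ", " prefix that STATIC_KEYS_BUILD_DEPENDS keeps for the Debian side) or append with a space in front of the expansion, and document that the future StMM/RPMB variant must follow the same whitespace convention.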
--
2.51.0
* [isar-cip-core][PATCH 10/19] u-boot: Add optional support for fTPM/StMM
From: Jan Kiszka @ 2025-10-27 7:21 UTC
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
Switch on support for fTPM and StMM in U-Boot when the corresponding
override is set.
This requires a patch to fix a build breakage of QEMU targets when
OP-TEE support is enabled. It will be available with v2026.01.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
.../files/0003-test-Fix-optee-unit-test.patch | 134 ++++++++++++++++++
recipes-bsp/u-boot/files/ftpm-stmm.cfg | 5 +
recipes-bsp/u-boot/files/secure-boot.cfg | 3 +-
recipes-bsp/u-boot/u-boot-common-2025.07.inc | 11 ++
4 files changed, 152 insertions(+), 1 deletion(-)
create mode 100644 recipes-bsp/u-boot/files/0003-test-Fix-optee-unit-test.patch
create mode 100644 recipes-bsp/u-boot/files/ftpm-stmm.cfg
diff --git a/recipes-bsp/u-boot/files/0003-test-Fix-optee-unit-test.patch b/recipes-bsp/u-boot/files/0003-test-Fix-optee-unit-test.patch
new file mode 100644
index 00000000..ed928f64
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0003-test-Fix-optee-unit-test.patch
@@ -0,0 +1,134 @@
+From a7ff306c8ea79743552992638b8d228818cd9975 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Mon, 15 Sep 2025 07:50:26 +0200
+Subject: [PATCH 3/3] test: Fix optee unit test
+
+This was apparently not built for several years: Since a2535243e011,
+optee_copy_fdt_nodes implicitly works against the U-Boot dt. We
+therefore have to tweak its reference before using the function and
+restore things afterwards.
+
+If it had been built, actually trying it out would have failed next: We
+need CONFIG_OPTEE_LIB to actually build the function that is primarily
+being tested here. And we need to re-initialize target fdt, now that the
+tests may run in random order.
+
+Fixes: a2535243e011 ("lib: optee: migration optee_copy_fdt_nodes for OF_LIVE support")
+Fixes: ba2feaf41435 ("test: Split optee tests into three functions")
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ test/optee/Kconfig | 1 +
+ test/optee/optee.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 32 insertions(+), 11 deletions(-)
+
+diff --git a/test/optee/Kconfig b/test/optee/Kconfig
+index 63e2cbf79c7..ebf8d07c41c 100644
+--- a/test/optee/Kconfig
++++ b/test/optee/Kconfig
+@@ -1,6 +1,7 @@
+ config UT_OPTEE
+ bool "Enable OP-TEE Unit Tests"
+ depends on OF_CONTROL && OPTEE
++ select OPTEE_LIB
+ default y
+ help
+ This enables the 'ut optee' command which runs a series of unit
+diff --git a/test/optee/optee.c b/test/optee/optee.c
+index 658621fa2fa..7e1c8d04a11 100644
+--- a/test/optee/optee.c
++++ b/test/optee/optee.c
+@@ -5,16 +5,20 @@
+
+ #include <command.h>
+ #include <errno.h>
++#include <fdtdec.h>
+ #include <fdt_support.h>
+ #include <log.h>
+ #include <malloc.h>
+ #include <tee/optee.h>
++#include <asm/global_data.h>
+
+ #include <linux/sizes.h>
+
+ #include <test/ut.h>
+ #include <test/optee.h>
+
++DECLARE_GLOBAL_DATA_PTR;
++
+ /* 4k ought to be enough for anybody */
+ #define FDT_COPY_SIZE (4 * SZ_1K)
+
+@@ -40,14 +44,6 @@ static int optee_test_init(struct unit_test_state *uts)
+ if (!fdt)
+ return ret;
+
+- /*
+- * Resize the FDT to 4k so that we have room to operate on
+- *
+- * (and relocate it since the memory might be mapped
+- * read-only)
+- */
+- ut_assertok(fdt_open_into(fdt_base, fdt, FDT_COPY_SIZE));
+-
+ return 0;
+ }
+ OPTEE_TEST_INIT(optee_test_init, 0);
+@@ -127,9 +123,21 @@ static int optee_fdt_protected_memory(struct unit_test_state *uts)
+ static int optee_fdt_copy_empty(struct unit_test_state *uts)
+ {
+ void *fdt_no_optee = &__dtb_test_optee_no_optee_begin;
++ const void *fdt_blob = gd->fdt_blob;
++
++ /*
++ * Resize the FDT to 4k so that we have room to operate on
++ *
++ * (and relocate it since the memory might be mapped
++ * read-only)
++ */
++ ut_assertok(fdt_open_into(&__dtb_test_optee_base_begin, fdt,
++ FDT_COPY_SIZE));
+
+ /* This should still run successfully */
+- ut_assertok(optee_copy_fdt_nodes(fdt_no_optee, fdt));
++ gd->fdt_blob = fdt_no_optee;
++ ut_assertok(optee_copy_fdt_nodes(fdt));
++ gd->fdt_blob = fdt_blob;
+
+ expect_success = false;
+ ut_assertok(optee_fdt_firmware(uts));
+@@ -143,8 +151,14 @@ OPTEE_TEST(optee_fdt_copy_empty, 0);
+ static int optee_fdt_copy_prefilled(struct unit_test_state *uts)
+ {
+ void *fdt_optee = &__dtb_test_optee_optee_begin;
++ const void *fdt_blob = gd->fdt_blob;
+
+- ut_assertok(optee_copy_fdt_nodes(fdt_optee, fdt));
++ ut_assertok(fdt_open_into(&__dtb_test_optee_base_begin, fdt,
++ FDT_COPY_SIZE));
++
++ gd->fdt_blob = fdt_optee;
++ ut_assertok(optee_copy_fdt_nodes(fdt));
++ gd->fdt_blob = fdt_blob;
+
+ expect_success = true;
+ ut_assertok(optee_fdt_firmware(uts));
+@@ -158,9 +172,15 @@ OPTEE_TEST(optee_fdt_copy_prefilled, 0);
+ static int optee_fdt_copy_already_filled(struct unit_test_state *uts)
+ {
+ void *fdt_optee = &__dtb_test_optee_optee_begin;
++ const void *fdt_blob = gd->fdt_blob;
++
++ ut_assertok(fdt_open_into(&__dtb_test_optee_base_begin, fdt,
++ FDT_COPY_SIZE));
+
+ ut_assertok(fdt_open_into(fdt_optee, fdt, FDT_COPY_SIZE));
+- ut_assertok(optee_copy_fdt_nodes(fdt_optee, fdt));
++ gd->fdt_blob = fdt_optee;
++ ut_assertok(optee_copy_fdt_nodes(fdt));
++ gd->fdt_blob = fdt_blob;
+
+ expect_success = true;
+ ut_assertok(optee_fdt_firmware(uts));
+--
+2.51.0
+
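Review bot: in the embedded U-Boot patch, each of the three test functions swaps `gd->fdt_blob` to a test DTB and restores it only after `ut_assertok(optee_copy_fdt_nodes(fdt))`; because `ut_assertok` returns from the test on failure, a failing copy leaves `gd->fdt_blob` pointing at the test blob for every test that runs afterwards. Capturing the result first (`ret = optee_copy_fdt_nodes(fdt); gd->fdt_blob = fdt_blob; ut_assertok(ret);`) keeps the failure contained. Also, in `optee_fdt_copy_already_filled` the newly added `fdt_open_into(&__dtb_test_optee_base_begin, fdt, FDT_COPY_SIZE)` is immediately overwritten by the existing `fdt_open_into(fdt_optee, fdt, FDT_COPY_SIZE)`, so the first call is redundant there.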
diff --git a/recipes-bsp/u-boot/files/ftpm-stmm.cfg b/recipes-bsp/u-boot/files/ftpm-stmm.cfg
new file mode 100644
index 00000000..af5da938
--- /dev/null
+++ b/recipes-bsp/u-boot/files/ftpm-stmm.cfg
@@ -0,0 +1,5 @@
+### Enable OPTEE, fTPM and StMM
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_EFI_MM_COMM_TEE=y
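Review bot: `CONFIG_CMD_OPTEE_RPMB=y` adds the interactive `optee_rpmb` console command, which `CONFIG_EFI_MM_COMM_TEE` does not need to reach StMM and its RPMB-backed variable store. If this fragment is meant for production secure-boot images, the commit message should say whether a raw RPMB read/write command in the U-Boot shell is intended or whether it should stay limited to debug builds.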
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg b/recipes-bsp/u-boot/files/secure-boot.cfg
index 9d8b047e..694356f7 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg
@@ -11,7 +11,8 @@ CONFIG_BOOTCOMMAND="bootflow scan -lb; echo 'EFI Boot failed!'; sleep 1000; rese
CONFIG_HUSH_PARSER=y
CONFIG_EFI_PARTITION=y
CONFIG_FS_FAT=y
-CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
+# overruled by CONFIG_EFI_MM_COMM_TEE where available
+CONFIG_EFI_VARIABLES_PRESEED=y
# workaround for v2025.07
CONFIG_CMD_DHCP=y
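Review bot: moving `CONFIG_EFI_VARIABLES_PRESEED=y` below `CONFIG_EFI_SECURE_BOOT=y` has no effect on its own; the fragments are appended with `cat`, so what actually drops the preseed when `CONFIG_EFI_MM_COMM_TEE` is enabled is U-Boot's Kconfig resolution of the symbol, not its position in the snippet. The comment "overruled by CONFIG_EFI_MM_COMM_TEE where available" should say that, otherwise a reader will assume the ordering matters.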
diff --git a/recipes-bsp/u-boot/u-boot-common-2025.07.inc b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
index f9dde598..96c7ee96 100644
--- a/recipes-bsp/u-boot/u-boot-common-2025.07.inc
+++ b/recipes-bsp/u-boot/u-boot-common-2025.07.inc
@@ -18,9 +18,13 @@ SRC_URI += " \
file://0001-tools-Do-not-generate-logo-when-cross-building.patch \
file://0001-Kconfig-Convert-SYS_EARLY_PCI_INIT-to-Kconfig.patch \
file://0002-qemu_arm-Select-CONFIG_SYS_EARLY_PCI_INIT.patch \
+ file://0003-test-Fix-optee-unit-test.patch \
file://rules.tmpl;subdir=debian"
SRC_URI[sha256sum] = "0f933f6c5a426895bf306e93e6ac53c60870e4b54cda56d95211bec99e63bec7"
+SRC_URI:append:ftpm-stmm = " \
+ file://ftpm-stmm.cfg"
+
SRC_URI:append:secureboot = " \
file://secure-boot.cfg"
@@ -37,11 +41,18 @@ STATIC_KEYS_BUILD_DEPENDS:append:bookworm = ", pesign"
STATIC_KEYS_DEPENDS = "secure-boot-secrets"
SECURE_BOOT_BUILD_DEPENDS = "${STATIC_KEYS_BUILD_DEPENDS}"
+SECURE_BOOT_BUILD_DEPENDS:ftpm-stmm = ""
SECURE_BOOT_DEPENDS = "${STATIC_KEYS_DEPENDS}"
+SECURE_BOOT_DEPENDS:ftpm-stmm = ""
DEBIAN_BUILD_DEPENDS:append:secureboot = "${SECURE_BOOT_BUILD_DEPENDS}"
DEPENDS:append:secureboot = "${SECURE_BOOT_DEPENDS}"
+do_prepare_build:append:ftpm-stmm() {
+ sed -ni '/### Enable OPTEE, fTPM and StMM/q;p' ${S}/configs/${U_BOOT_CONFIG}
+ cat ${WORKDIR}/ftpm-stmm.cfg >> ${S}/configs/${U_BOOT_CONFIG}
+}
+
do_prepare_build:append:secureboot() {
sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
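Review bot: `SECURE_BOOT_BUILD_DEPENDS:ftpm-stmm = ""` and `SECURE_BOOT_DEPENDS:ftpm-stmm = ""` silently drop `secure-boot-secrets` and the pesign/efivar tooling from the fTPM/StMM build, which is a larger change than "switch on support for fTPM and StMM" in the commit message suggests. Please state that built-in UEFI keys are no longer compiled into U-Boot in this mode and that the key store is expected to live in StMM's RPMB-backed variables instead.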
--
2.51.0
* [isar-cip-core][PATCH 11/19] cip-core-initramfs: Add initramfs-tee-ftpm-hook when needed
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This ensures that all modules required for the fTPM are part of the
initramfs.
We only support fTPM with kernel 6.12 or newer, so
TEE_SUPPLICANT_IN_USERSPACE can be disabled by default.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
conf/distro/cip-core-common.inc | 2 ++
recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb | 1 +
2 files changed, 3 insertions(+)
diff --git a/conf/distro/cip-core-common.inc b/conf/distro/cip-core-common.inc
index 86f79f0f..b5c0d5ac 100644
--- a/conf/distro/cip-core-common.inc
+++ b/conf/distro/cip-core-common.inc
@@ -23,3 +23,5 @@ PREFERRED_VERSION_linux-cip-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip}"
PREFERRED_VERSION_linux-cip-rt-native ?= "${PREFERRED_VERSION_linux-cip-rt}"
PREFERRED_VERSION_linux-cip-rt-kbuildtarget ?= "${PREFERRED_VERSION_linux-cip-rt}"
+
+TEE_SUPPLICANT_IN_USERLAND ?= "0"
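Review bot: the added variable is `TEE_SUPPLICANT_IN_USERLAND`, while the commit message says `TEE_SUPPLICANT_IN_USERSPACE` can be disabled by default. One of the two is a typo, and if the initramfs-tee-ftpm-hook recipe evaluates the other spelling, this default never takes effect; please align the name with what the hook actually reads.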
diff --git a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
index 4fe7ee15..c54a4897 100644
--- a/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
+++ b/recipes-initramfs/cip-core-initramfs/cip-core-initramfs.bb
@@ -17,3 +17,4 @@ INITRAMFS_INSTALL += " \
INITRAMFS_INSTALL:append:encrypt-partitions = " initramfs-crypt-hook"
INITRAMFS_INSTALL:append:factory-reset = " initramfs-factory-reset-hook"
+INITRAMFS_INSTALL:append:ftpm-stmm = " initramfs-tee-ftpm-hook"
--
2.51.0
* [isar-cip-core][PATCH 12/19] Add class to generate eMMC image for QEMU
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
To add an RPMB partition to the eMMC image for QEMU, we need a simple image
class. It will prepend a zeroed partition of 2 MB by default to the user data
area.
First user of this image type is the qemu-arm64 target in fTPM/StMM
mode.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
classes/qemu-emmc.bbclass | 43 ++++++++++++++++++++++++++++++++++++
conf/layer.conf | 5 ++---
conf/machine/qemu-arm64.conf | 4 +++-
3 files changed, 48 insertions(+), 4 deletions(-)
create mode 100644 classes/qemu-emmc.bbclass
diff --git a/classes/qemu-emmc.bbclass b/classes/qemu-emmc.bbclass
new file mode 100644
index 00000000..bded834d
--- /dev/null
+++ b/classes/qemu-emmc.bbclass
@@ -0,0 +1,43 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+IMAGE_TYPEDEP:qemu_emmc = "wic"
+
+SOURCE_IMAGE_FILE ?= "${IMAGE_FULLNAME}.wic"
+SOURCE_IMAGE_PATH = "${DEPLOY_DIR_IMAGE}/${SOURCE_IMAGE_FILE}"
+
+QEMU_EMMC_RPMB_PART_SIZE ?= "2097152"
+
+python set_data_part_size() {
+ import os
+
+ size = os.stat(d.getVar('SOURCE_IMAGE_PATH')).st_size
+ if size > 2 * 1024 * 1024 * 1024:
+ size = (size + 511) & ~511
+ elif size & (size - 1) > 0:
+ n = 0
+ while size > 0:
+ size >>= 1
+ n = n + 1
+ size = 1 << n
+ size += int(d.getVar('QEMU_EMMC_RPMB_PART_SIZE'))
+ d.setVar('QEMU_EMMC_IMAGE_SIZE', str(size))
+}
+
+do_image_qemu_emmc[prefuncs] = "set_data_part_size"
+IMAGE_CMD:qemu_emmc() {
+ dd if=/dev/zero of="${IMAGE_FILE_HOST}" status=none bs=128K \
+ count=${@int(d.getVar('QEMU_EMMC_RPMB_PART_SIZE')) // (128*1024)}
+ cat "${SOURCE_IMAGE_PATH}" >> "${IMAGE_FILE_HOST}"
+
+ image_size=$(stat -L -c %s "${SOURCE_IMAGE_PATH}")
+ truncate "${IMAGE_FILE_HOST}" -s ${QEMU_EMMC_IMAGE_SIZE}
+}
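Review bot: `image_size=$(stat -L -c %s "${SOURCE_IMAGE_PATH}")` in `IMAGE_CMD:qemu_emmc` is assigned but never used and can be dropped; the final size already comes from `QEMU_EMMC_IMAGE_SIZE` computed in `set_data_part_size`. Two smaller points in the same hunk: `dd ... bs=128K count=${@... // (128*1024)}` silently shortens a `QEMU_EMMC_RPMB_PART_SIZE` that is not a multiple of 128 KiB (a `bb.fatal` in the prefunc for that case would make the assumption explicit), and the branch that rounds images above 2 GiB to 512 bytes while smaller ones go to the next power of two deserves a comment explaining which eMMC emulation constraint it serves.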
diff --git a/conf/layer.conf b/conf/layer.conf
index 316f4a81..c51c3af1 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2025
#
# Authors:
# Jan Kiszka <jan.kiszka@siemens.com>
@@ -23,5 +23,4 @@ LAYERSERIES_COMPAT_cip-core = "next"
LAYERDIR_cip-core = "${LAYERDIR}"
LAYERDIR_cip-core[vardepvalue] = "isar-cip-core"
-IMAGE_CLASSES += "squashfs erofs verity swupdate delta-update"
-
+IMAGE_CLASSES += "squashfs erofs verity swupdate delta-update qemu-emmc"
diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf
index cdb94d51..0745938b 100644
--- a/conf/machine/qemu-arm64.conf
+++ b/conf/machine/qemu-arm64.conf
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2025
#
# SPDX-License-Identifier: MIT
#
@@ -9,6 +9,8 @@
DISTRO_ARCH = "arm64"
IMAGE_FSTYPES ?= "ext4"
+IMAGE_FSTYPES:append:ftpm-stmm = " qemu-emmc"
+
USE_CIP_KERNEL_CONFIG = "1"
KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig"
--
2.51.0
* [isar-cip-core][PATCH 13/19] qemu-arm64: Switch firmware provider to TF-A in fTPM/StMM mode
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
QEMU needs to boot via TF-A in order to install OP-TEE which is holding
the fTPM and StMM TAs.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
kas/opt/ebg-swu.yml | 6 ++++--
recipes-bsp/u-boot/u-boot-qemu-common.inc | 5 +++++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index 5066040c..ce64670c 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -29,8 +29,10 @@ local_conf_header:
# not needed for Debian 11 and later
DISTRO_APT_SOURCES:append:qemu-amd64:buster = " conf/distro/debian-buster-backports.list"
DISTRO_APT_PREFERENCES:append:qemu-amd64:buster = " conf/distro/preferences.ovmf-snakeoil.conf"
- # Add U-Boot for qemu
- IMAGER_BUILD_DEPS:append:qemu-arm64 = " u-boot-qemu-arm64"
+ # Add firmware for qemu
+ QEMU_ARM64_FIRMWARE = "u-boot-qemu-arm64"
+ QEMU_ARM64_FIRMWARE:ftpm-stmm = "trusted-firmware-a-qemu-arm64"
+ IMAGER_BUILD_DEPS:append:qemu-arm64 = " ${QEMU_ARM64_FIRMWARE}"
IMAGER_BUILD_DEPS:append:qemu-arm = " u-boot-qemu-arm"
IMAGER_BUILD_DEPS:append:qemu-riscv64 = " opensbi-qemu-riscv64"
drop-ext4-images: |
diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index f1a415b1..b63e878c 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -20,6 +20,11 @@ do_prepare_build:append() {
cat ${WORKDIR}/qemu-extra.cfg >> ${S}/configs/${U_BOOT_CONFIG}
}
+python() {
+ if 'ftpm-stmm' in d.getVar('OVERRIDES').split(':'):
+ d.setVarFlag('do_deploy_firmware', 'noexec', '1')
+}
+
do_deploy_firmware() {
dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
tar xOf - "./usr/lib/u-boot/${MACHINE}/${U_BOOT_BIN}" \
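Review bot: the anonymous python that marks `do_deploy_firmware` as `noexec` in ftpm-stmm mode has no comment saying why; a one-liner noting that the deployed firmware image then comes from the TF-A recipe (`trusted-firmware-a-qemu-arm64` in the kas hunk above) instead of U-Boot would save the next reader a detour. `bb.utils.contains('OVERRIDES', 'ftpm-stmm', True, False, d)` also expresses the check without the manual `split(':')`.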
--
2.51.0
* [isar-cip-core][PATCH 14/19] customizations: Install efitools in secure boot mode
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This is useful for initially deploying or updating the UEFI keys to the
running system.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-core/customizations/customizations.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 3f6b5de3..bf6e7175 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -1,7 +1,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019-2022
+# Copyright (c) Siemens AG, 2019-2025
#
# Authors:
# Jan Kiszka <jan.kiszka@siemens.com>
@@ -14,6 +14,8 @@ require common.inc
SRC_URI += "file://ssh-permit-root.conf"
SRC_URI:remove:security = "file://ssh-permit-root.conf"
+DEBIAN_DEPENDS:append:secureboot = ", efitools"
+
DESCRIPTION = "CIP Core image demo & customizations"
do_prepare_build:prepend:qemu-riscv64() {
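Review bot: `DEBIAN_DEPENDS:append:secureboot = ", efitools"` pulls the key-management tools into every secure-boot image, including the existing configurations whose UEFI variables are preseeded at build time and cannot be changed from the running system. If the intent is key deployment into the StMM-backed store, scoping the dependency to `ftpm-stmm`, or stating in the commit message why all secure-boot images should carry it, would be clearer.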
--
2.51.0
* [isar-cip-core][PATCH 15/19] kas: Add option for fTPM/StMM firmware mode
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This switches the qemu-arm64 target to TF-A, OP-TEE, fTPM and StMM
based firmware. We only support this with kernel 6.12 due to features
only available from that version onward. Furthermore, the toolchain of
buster is not supported by optee-ftpm, so exclude this variant.
As this feature currently requires a custom QEMU build, do not turn it
on by default.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
Kconfig | 19 +++++++++++++++++++
kas/opt/ftpm-stmm.yml | 16 ++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 kas/opt/ftpm-stmm.yml
diff --git a/Kconfig b/Kconfig
index e7d8bd5e..71649f6c 100644
--- a/Kconfig
+++ b/Kconfig
@@ -37,6 +37,9 @@ config HAS_SWUPDATE
config HAS_EFIVARS
bool
+config HAS_OPTEE
+ bool
+
choice
prompt "Target board"
default TARGET_QEMU_AMD64
@@ -57,6 +60,7 @@ config TARGET_QEMU_ARM64
bool "QEMU ARM64 (aarch64)"
select ARCH_ARM64
select HAS_SWUPDATE
+ select HAS_OPTEE if KERNEL_6_12
config TARGET_HIHOPE_RZG2M
bool "HopeRun HiHope-RZ/G2M"
@@ -157,6 +161,21 @@ config KAS_INCLUDE_KERNEL_RT
default "kas/opt/rt.yml"
depends on KERNEL_RT
+if HAS_OPTEE
+
+comment "Firmware options"
+
+config FTPM_STMM
+ bool "Use Firmware TPM and rewritable UEFI key storage"
+ depends on !DEBIAN_BUSTER
+
+config KAS_INCLUDE_FTPM_STMM
+ string
+ default "kas/opt/ftpm-stmm.yml"
+ depends on FTPM_STMM
+
+endif
+
comment "Debian distribution options"
choice
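Review bot: `config FTPM_STMM` carries no help text, yet the constraints listed in the commit message (kernel 6.12 only, not buildable with buster's toolchain, needs a custom QEMU build and is therefore off by default) are exactly what a user toggling the option needs to see. Please add a `help` block; the `depends on !DEBIAN_BUSTER` line explains itself only to someone who has read this cover text.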
diff --git a/kas/opt/ftpm-stmm.yml b/kas/opt/ftpm-stmm.yml
new file mode 100644
index 00000000..06f645d7
--- /dev/null
+++ b/kas/opt/ftpm-stmm.yml
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+header:
+ version: 14
+
+local_conf_header:
+ ftpm-stmm: |
+ OVERRIDES .= ":ftpm-stmm"
--
2.51.0
* [isar-cip-core][PATCH 16/19] start-qemu: Indention fixes
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
No functional changes.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
start-qemu.sh | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index e8f1cfc3..745c7f56 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -2,7 +2,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019-2024
+# Copyright (c) Siemens AG, 2019-2025
#
# Authors:
# Jan Kiszka <jan.kiszka@siemens.com>
@@ -89,11 +89,11 @@ case "${arch}" in
-device virtio-net-pci,netdev=net"
if [ -n "${SECURE_BOOT}" ]; then
# set bootindex=0 to boot disk instead of EFI-shell
- QEMU_EXTRA_ARGS=" \
- ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk,bootindex=0"
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -device ide-hd,drive=disk,bootindex=0"
else
- QEMU_EXTRA_ARGS=" \
- ${QEMU_EXTRA_ARGS} -device ide-hd,drive=disk"
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -device ide-hd,drive=disk"
fi
KERNEL_CMDLINE=" \
root=/dev/sda rw"
@@ -174,9 +174,9 @@ if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
;;
esac
QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
- -chardev socket,id=chrtpm,path=/tmp/qemu-swtpm.sock \
- -tpmdev emulator,id=tpm0,chardev=chrtpm \
- -device ${TPM_DEVICE},tpmdev=tpm0"
+ -chardev socket,id=chrtpm,path=/tmp/qemu-swtpm.sock \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm \
+ -device ${TPM2_DEVICE},tpmdev=tpm0"
fi
fi
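Review bot: the last hunk renames `${TPM_DEVICE}` to `${TPM2_DEVICE}` in the `-device ...,tpmdev=tpm0` line, which is not an indentation fix and contradicts "No functional changes". The variable assigned in this file is still `TPM_DEVICE` (see the `TPM_DEVICE=tpm-tis-device` lines removed in patch 18), so between patches 16 and 18 the swtpm path produces `-device ,tpmdev=tpm0`. Move the rename into patch 18, where `TPM2_DEVICE` is introduced.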
--
2.51.0
* [isar-cip-core][PATCH 17/19] start-qemu: Factor out -drive parameter in UEFI boot mode
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
No need to define this identically multiple times.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
start-qemu.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index 745c7f56..d1154f54 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -188,6 +188,10 @@ QEMU_COMMON_OPTIONS=" \
"
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
+ QEMU_COMMON_OPTIONS=" \
+ -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
+ ${QEMU_COMMON_OPTIONS} \
+ "
case "${arch}" in
x86|x86_64|amd64)
if [ -n "${SECURE_BOOT}" ]; then
@@ -199,13 +203,11 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
-global isa-fdc.driveA= \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
-drive if=pflash,format=raw,file=${ovmf_vars} \
- -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
${QEMU_COMMON_OPTIONS} "$@"
else
ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.fd}
${QEMU_PATH}${QEMU} \
- -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
${QEMU_COMMON_OPTIONS} "$@"
fi
@@ -214,7 +216,6 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/firmware.bin}
${QEMU_PATH}${QEMU} \
- -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
${QEMU_COMMON_OPTIONS} "$@"
;;
@@ -222,7 +223,6 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
opensbi_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/fw_payload.bin}
${QEMU_PATH}${QEMU} \
- -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${opensbi_bin} \
${QEMU_COMMON_OPTIONS} "$@"
;;
--
2.51.0
* [isar-cip-core][PATCH 18/19] start-qemu: Add support for qemu-arm64 fTPM/StMM mode
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
This means we no longer provide a virtual discrete TPM. Instead, we need
to switch to a PCI-attached eMMC with a 2 MB RPMB partition.
OP-TEE is using a secondary UART for output, so create one.
Currently requires a downstream QEMU version until [1] is merged.
[1] https://patchwork.kernel.org/project/qemu-devel/list/?series=1012864
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
start-qemu.sh | 48 +++++++++++++++++++++++++++++++-----------------
1 file changed, 31 insertions(+), 17 deletions(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index d1154f54..2426c986 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -31,9 +31,6 @@ if grep -s -q "IMAGE_SECURE_BOOT: true" .config.yaml; then
elif grep -s -q "IMAGE_SWUPDATE: true" .config.yaml; then
SWUPDATE_BOOT="true"
fi
-if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml; then
- TPM2_ENCRYPTION="true"
-fi
if [ -n "${QEMU_PATH}" ]; then
QEMU_PATH="${QEMU_PATH}/"
@@ -77,6 +74,20 @@ else
fi
fi
+if grep -s -q "IMAGE_DATA_ENCRYPTION: true" .config.yaml && \
+ ! grep -s -q "FTPM_STMM: true" .config.yaml; then
+ case "${arch}" in
+ x86|x86_64|amd64)
+ TPM2_DEVICE="tpm-tis"
+ ;;
+ arm|armhf|arm64|aarch64)
+ TPM2_DEVICE="tpm-tis-device"
+ ;;
+ esac
+fi
+
+IMAGE_EXT="wic"
+
case "${arch}" in
x86|x86_64|amd64)
QEMU_ARCH=amd64
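Review bot: the new `case "${arch}"` that sets `TPM2_DEVICE` has no default branch, so a riscv64 build with IMAGE_DATA_ENCRYPTION ends up with an empty `TPM2_DEVICE` and silently skips swtpm, whereas the code removed further down defaulted `TPM_DEVICE=tpm-tis-device` for every non-x86 arch. If riscv64 is intentionally excluded, a comment or a `*)` branch with an error message would make that explicit.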
@@ -104,11 +115,20 @@ case "${arch}" in
QEMU_EXTRA_ARGS=" \
-cpu cortex-a57 \
-smp 4 \
- -machine virt \
-device virtio-serial-device \
-device virtconsole,chardev=con -chardev vc,id=con \
- -device virtio-blk-device,drive=disk \
-device virtio-net-device,netdev=net"
+ if [ -z "${TPM2_DEVICE}" ]; then
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -machine virt,secure=on \
+ -device sdhci-pci -device emmc,drive=disk,rpmb-partition-size=2097152 \
+ -serial vc"
+ IMAGE_EXT="qemu-emmc"
+ else
+ QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
+ -machine virt \
+ -device virtio-blk-device,drive=disk"
+ fi
KERNEL_CMDLINE=" \
root=/dev/vda rw"
;;
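Review bot: `if [ -z "${TPM2_DEVICE}" ]` selects the eMMC/`secure=on` configuration whenever no discrete TPM is configured, which is also true for a plain qemu-arm64 build without IMAGE_DATA_ENCRYPTION. Such an image has no `.qemu-emmc` file (IMAGE_FSTYPES only gains `qemu-emmc` under the ftpm-stmm override) and booted fine with `-device virtio-blk-device,drive=disk` before this change. Keying the branch on `FTPM_STMM: true` in .config.yaml, as the TPM2_DEVICE detection above already does, keeps the default configuration unchanged.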
@@ -161,18 +181,12 @@ if [ -z "${DISPLAY}" ]; then
esac
fi
-if [ "$TPM2_ENCRYPTION" = "true" ] && [ -x /usr/bin/swtpm ]; then
+if [ -n "$TPM2_DEVICE" ] && [ -x /usr/bin/swtpm ]; then
SWTPM_DIR="${IMAGE_PREFIX}.swtpm"
mkdir -p "${SWTPM_DIR}"
if swtpm socket -d --tpmstate dir="${SWTPM_DIR}" \
- --ctrl type=unixio,path=/tmp/qemu-swtpm.sock \
- --tpm2; then
- TPM_DEVICE=tpm-tis-device
- case "${arch}" in
- x86|x86_64|amd64)
- TPM_DEVICE=tpm-tis
- ;;
- esac
+ --ctrl type=unixio,path=/tmp/qemu-swtpm.sock \
+ --tpm2; then
QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} \
-chardev socket,id=chrtpm,path=/tmp/qemu-swtpm.sock \
-tpmdev emulator,id=tpm0,chardev=chrtpm \
@@ -189,7 +203,7 @@ QEMU_COMMON_OPTIONS=" \
if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
QEMU_COMMON_OPTIONS=" \
- -drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
+ -drive file=${IMAGE_PREFIX}.${IMAGE_EXT},discard=unmap,if=none,id=disk,format=raw \
${QEMU_COMMON_OPTIONS} \
"
case "${arch}" in
@@ -213,10 +227,10 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
fi
;;
arm64|aarch64|arm|armhf)
- u_boot_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/firmware.bin}
+ firmware_bin=${FIRMWARE_BIN:-./build/tmp/deploy/images/qemu-${QEMU_ARCH}/firmware.bin}
${QEMU_PATH}${QEMU} \
- -bios ${u_boot_bin} \
+ -bios ${firmware_bin} \
${QEMU_COMMON_OPTIONS} "$@"
;;
rv64|riscv64)
--
2.51.0
* [isar-cip-core][PATCH 19/19] linux-cip: Disable CONFIG_HW_RANDOM_TPM in QEMU
From: Jan Kiszka @ 2025-10-27 7:21 UTC (permalink / raw)
To: cip-dev
From: Jan Kiszka <jan.kiszka@siemens.com>
It turned out that the fTPM at least writes every 4 seconds its time to
flash when executing commands while hwrng asks it for a random number
every minute if this config is enabled, triggering the write.
Disabling is recommended for now, also for discrete TPMs. We do that via a
config snippet so that the official CIP kernel config keeps the feature
in scope.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
recipes-kernel/linux/cip-kernel-config.inc | 3 ++-
recipes-kernel/linux/files/no-tpm-hwrng.cfg | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 recipes-kernel/linux/files/no-tpm-hwrng.cfg
diff --git a/recipes-kernel/linux/cip-kernel-config.inc b/recipes-kernel/linux/cip-kernel-config.inc
index 8baf79b8..6c9ac568 100644
--- a/recipes-kernel/linux/cip-kernel-config.inc
+++ b/recipes-kernel/linux/cip-kernel-config.inc
@@ -10,7 +10,8 @@
#
SRC_URI:append = " ${@ \
- 'git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;branch=master;destsuffix=cip-kernel-config;name=cip-kernel-config' \
+ 'git://gitlab.com/cip-project/cip-kernel/cip-kernel-config.git;protocol=https;branch=master;destsuffix=cip-kernel-config;name=cip-kernel-config \
+ file://no-tpm-hwrng.cfg' \
if d.getVar('USE_CIP_KERNEL_CONFIG') == '1' else '' \
}"
diff --git a/recipes-kernel/linux/files/no-tpm-hwrng.cfg b/recipes-kernel/linux/files/no-tpm-hwrng.cfg
new file mode 100644
index 00000000..ab46cd81
--- /dev/null
+++ b/recipes-kernel/linux/files/no-tpm-hwrng.cfg
@@ -0,0 +1,2 @@
+# see https://lore.kernel.org/lkml/bbc41534-a2d9-42dc-ac8a-ff8a0b4fd41f@siemens.com/
+# CONFIG_HW_RANDOM_TPM is not set
--
2.51.0