Diffstat (limited to 'recipes-security')
36 files changed, 1067 insertions, 924 deletions
diff --git a/recipes-security/optee-imx/optee-client-fslc-imx.inc b/recipes-security/optee-imx/optee-client-fslc-imx.inc
new file mode 100644
index 00000000..4cfe18bf
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client-fslc-imx.inc
@@ -0,0 +1,7 @@
+# Copyright (C) 2017-2021 NXP
+
+require optee-client-fslc.inc
+
+SRC_URI += "git://github.com/nxp-imx/imx-optee-client.git;protocol=https;branch=${SRCBRANCH}"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-client-fslc.inc b/recipes-security/optee-imx/optee-client-fslc.inc
new file mode 100644
index 00000000..b9e91f97
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client-fslc.inc
@@ -0,0 +1,42 @@
+# Copyright (C) 2017-2021 NXP
+
+SUMMARY = "OPTEE Client libs"
+HOMEPAGE = "http://www.optee.org/"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+SRC_URI = "file://tee-supplicant.service"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+inherit python3native systemd features_check pkgconfig
+
+DEPENDS = "util-linux-libuuid"
+
+REQUIRED_MACHINE_FEATURES = "optee"
+
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+
+EXTRA_OEMAKE = " \
+ -C ${S} O=${B} \
+"
+
+do_install () {
+ oe_runmake -C ${S} install
+
+ install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0.0 ${D}${libdir}/libteec.so.1.0.0
+ ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1
+ ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so
+
+ install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
+ ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
+ ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
+
+ install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
+
+ cp -a ${B}/export/usr/include ${D}${includedir}
+
+ sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${UNPACKDIR}/tee-supplicant.service
+ install -D -p -m0644 ${UNPACKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+}
diff --git a/recipes-security/optee-imx/optee-client/0001-libteec-refactor-_dprintf.patch b/recipes-security/optee-imx/optee-client/0001-libteec-refactor-_dprintf.patch
deleted file mode 100644
index 1c053f38..00000000
--- a/recipes-security/optee-imx/optee-client/0001-libteec-refactor-_dprintf.patch
+++ /dev/null
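Review bot: In `do_install`, `sed -i` rewrites `${UNPACKDIR}/tee-supplicant.service` in place before it is installed, so the task edits its own unpacked input and a re-run of `do_install` without a fresh unpack starts from an already-modified file. Installing first and editing the installed copy keeps the task repeatable: `install -D -p -m0644 ${UNPACKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service`, then `sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${D}${systemd_system_unitdir}/tee-supplicant.service`. Separately, `cp -a ${B}/export/usr/include ${D}${includedir}` preserves ownership of files created at build time, which can carry the build user's uid/gid into the package; `cp -R --no-dereference --preserve=mode,links` copies the tree without that.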
@@ -1,171 +0,0 @@ -Upstream-Status: Backport 3.3.0 - -Signed-off-by: Peter Griffin <peter.griffin@linaro.org> ---- -From 0361f9b21bb1acfaf23323a121f542fe03dcd2c8 Mon Sep 17 00:00:00 2001 -From: Jerome Forissier <jerome.forissier@linaro.org> -Date: Thu, 5 Jul 2018 15:15:31 +0200 -Subject: [PATCH] libteec: refactor _dprintf() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -GCC8.1 gives an error when compiling _dprintf(): - -src/teec_trace.c: In function ‘_dprintf’: -src/teec_trace.c:110:5: error: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 246 [-Werror=format-truncation=] - "%s [%d] %s:%s:%d: %s", - ^~~~~~~~~~~~~~~~~~~~~~ -src/teec_trace.c:112:11: - line, raw); - ~~~ -src/teec_trace.c:109:3: note: ‘snprintf’ output 11 or more bytes (assuming 266) into a destination of size 256 - snprintf(prefixed, MAX_PRINT_SIZE, - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - "%s [%d] %s:%s:%d: %s", - ~~~~~~~~~~~~~~~~~~~~~~~ - trace_level_strings[level], thread_id, prefix, func, - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - line, raw); - ~~~~~~~~~~ - -Fix this error by using a single output buffer, printing the prefix first -then the other arguments with the supplied format. - -In addition, further simplify the function by getting rid of things that -do not make much sense: -- Remove the 'flen' parameter, which is only ever set to zero or - strlen(__func__). -- Remove the TRACE_FUNC_LENGTH_CST macro which is not set by default and - does not seem very useful. -- Change the return type to void because callers do not care about success - or failure. 
- -Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> -Reviewed-by: Joakim Bech <joakim.bech@linaro.org> ---- - libteec/src/teec_trace.c | 63 +++++++++++++++--------------------------------- - public/teec_trace.h | 8 +++--- - 2 files changed, 23 insertions(+), 48 deletions(-) - -diff --git a/libteec/src/teec_trace.c b/libteec/src/teec_trace.c -index 78b79d6..3a2a0da 100644 ---- a/libteec/src/teec_trace.c -+++ b/libteec/src/teec_trace.c -@@ -47,7 +47,6 @@ - * PPPP: MMMMM [FFFFFFFFFFFFFFF : LLLLL] - */ - #define MAX_PRINT_SIZE 256 --#define MAX_FUNC_PRINT_SIZE 32 - - #ifdef TEEC_LOG_FILE - static void log_to_file(const char *buffer) -@@ -69,57 +68,33 @@ static const char * const trace_level_strings[] = { - "", "ERR", "INF", "DBG", "FLW" - }; - --int _dprintf(const char *function, int flen, int line, int level, -- const char *prefix, const char *fmt, ...) -+void _dprintf(const char *function, int line, int level, const char *prefix, -+ const char *fmt, ...) - { -- char raw[MAX_PRINT_SIZE]; -- char prefixed[MAX_PRINT_SIZE]; -- char *to_print = NULL; -- const char *func; -- int err; -+ char msg[MAX_PRINT_SIZE]; -+ int n = 0; - va_list ap; - -- va_start(ap, fmt); -- err = vsnprintf(raw, sizeof(raw), fmt, ap); -- va_end(ap); -- - if (function) { --#ifdef TRACE_FUNC_LENGTH_CST -- char func_buf[MAX_FUNC_PRINT_SIZE]; -- /* Limit the function name to MAX_FUNC_PRINT_SIZE characters. */ -- strncpy(func_buf, function, flen > MAX_FUNC_PRINT_SIZE ? -- (MAX_FUNC_PRINT_SIZE - 1) : flen); -- if (flen < (MAX_FUNC_PRINT_SIZE - 1)) { -- memset(func_buf + flen, 0x20, -- (MAX_FUNC_PRINT_SIZE - flen)); -- } -- func_buf[MAX_FUNC_PRINT_SIZE - 1] = '\0'; -- func = func_buf; --#else -- (void)flen; -- func = function; --#endif -+ int thread_id = syscall(SYS_gettid); - -- /* -- * pthread_self returns the POSIX tid which is different from -- * the kernel id -- */ -- int thread_id = syscall(SYS_gettid); /* perf issue ? 
*/ -- -- snprintf(prefixed, MAX_PRINT_SIZE, -- "%s [%d] %s:%s:%d: %s", -- trace_level_strings[level], thread_id, prefix, func, -- line, raw); -- to_print = prefixed; -- } else { -- to_print = raw; -+ n = snprintf(msg, sizeof(msg), "%s [%d] %s:%s:%d: ", -+ trace_level_strings[level], thread_id, prefix, -+ function, line); -+ if (n < 0) -+ return; - } - -- fprintf(stdout, "%s", to_print); -- -- log_to_file(to_print); -+ if ((size_t)n < sizeof(msg)) { -+ va_start(ap, fmt); -+ n = vsnprintf(msg + n, sizeof(msg) - n, fmt, ap); -+ va_end(ap); -+ if (n < 0) -+ return; -+ } - -- return err; -+ fprintf(stdout, "%s", msg); -+ log_to_file(msg); - } - - #if (defined(DEBUGLEVEL_3) || defined(DEBUGLEVEL_true) || defined(DEBUGLEVEL_4)) -diff --git a/public/teec_trace.h b/public/teec_trace.h -index 28e290c..f75358f 100644 ---- a/public/teec_trace.h -+++ b/public/teec_trace.h -@@ -91,12 +91,12 @@ extern "C" { - #define __PRINTFLIKE(__fmt, __varargs) __attribute__\ - ((__format__(__printf__, __fmt, __varargs))) - --int _dprintf(const char *function, int flen, int line, int level, -- const char *prefix, const char *fmt, ...) __PRINTFLIKE(6, 7); -+void _dprintf(const char *function, int line, int level, const char *prefix, -+ const char *fmt, ...) __PRINTFLIKE(5, 6); - - #define dprintf(level, x...) do { \ - if ((level) <= DEBUGLEVEL) { \ -- _dprintf(__func__, strlen(__func__), __LINE__, level, \ -+ _dprintf(__func__, __LINE__, level, \ - BINARY_PREFIX, x); \ - } \ - } while (0) -@@ -118,7 +118,7 @@ int _dprintf(const char *function, int flen, int line, int level, - - #define dprintf_raw(level, x...) do { \ - if ((level) <= DEBUGLEVEL) \ -- _dprintf(0, 0, 0, (level), BINARY_PREFIX, x); \ -+ _dprintf(0, 0, (level), BINARY_PREFIX, x); \ - } while (0) - - #define EMSG_RAW(fmt, ...) dprintf_raw(TRACE_ERROR, fmt, ##__VA_ARGS__) --- -2.7.4 - 
diff --git a/recipes-security/optee-imx/optee-client_3.2.0.imx.bb b/recipes-security/optee-imx/optee-client_3.2.0.imx.bb
deleted file mode 100644
index 2b0bcf48..00000000
--- a/recipes-security/optee-imx/optee-client_3.2.0.imx.bb
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright (C) 2017-2018 NXP
-
-SUMMARY = "OPTEE Client libs"
-HOMEPAGE = "http://www.optee.org/"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
-
-inherit pythonnative systemd
-
-SRCBRANCH = "imx_4.14.78_1.0.0_ga"
-OPTEE_CLIENT_SRC ?= "git://source.codeaurora.org/external/imx/imx-optee-client.git;protocol=https"
-SRC_URI = "${OPTEE_CLIENT_SRC};branch=${SRCBRANCH}"
-
-SRCREV = "d06647d201520ac57f1331e97db6138d63bc2666"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI_append = " file://0001-libteec-refactor-_dprintf.patch \
- file://tee-supplicant.service"
-
-S = "${WORKDIR}/git"
-SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
-
-EXTRA_OEMAKE = "CFG_SECURE_DATA_PATH=y"
-
-do_compile () {
- if [ ${DEFAULTTUNE} = "aarch64" ]; then
- oe_runmake -C ${S} ARCH=arm64
- else
- oe_runmake -C ${S} ARCH=arm
- fi
-}
-
-do_install () {
- oe_runmake install
-
- install -D -p -m0644 ${S}/out/export/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
- ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
- ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
-
- install -D -p -m0755 ${S}/out/export/bin/tee-supplicant ${D}${bindir}/tee-supplicant
-
- cp -a ${S}/out/export/include ${D}/usr/
-
- sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${WORKDIR}/tee-supplicant.service
- install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
-}
-
-PACKAGES += "tee-supplicant"
-FILES_${PN} += "${libdir}/* ${includedir}/*"
-FILES_tee-supplicant += "${bindir}/tee-supplicant"
-
-INSANE_SKIP_${PN} = "ldflags dev-elf"
-INSANE_SKIP_${PN}-dev = "ldflags dev-elf"
-INSANE_SKIP_tee-supplicant = "ldflags"
-
-COMPATIBLE_MACHINE = "(mx6|mx7|mx8)"
diff --git a/recipes-security/optee-imx/optee-client_4.0.0.imx.bb b/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
new file mode 100644
index 00000000..b404dd5b
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
@@ -0,0 +1,7 @@
+require optee-client-fslc-imx.inc
+
+SRCBRANCH = "lf-6.6.3_1.0.0"
+SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
+
+DEPENDS += "util-linux"
+EXTRA_OEMAKE += "PKG_CONFIG=pkg-config"
diff --git a/recipes-security/optee-imx/optee-fslc.inc b/recipes-security/optee-imx/optee-fslc.inc
new file mode 100644
index 00000000..6c96dc2b
--- /dev/null
+++ b/recipes-security/optee-imx/optee-fslc.inc
@@ -0,0 +1,26 @@
+HOMEPAGE = "http://www.optee.org/"
+
+inherit python3native features_check
+
+REQUIRED_MACHINE_FEATURES = "optee"
+
+DEPENDS = "python3-cryptography-native"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+OPTEE_ARCH:arm = "arm32"
+OPTEE_ARCH:aarch64 = "arm64"
+
+COMPILER ?= "gcc"
+COMPILER:toolchain-clang = "clang"
+
+CFLAGS += "--sysroot=${STAGING_DIR_HOST}"
+CXXFLAGS += "--sysroot=${STAGING_DIR_HOST}"
+
+EXTRA_OEMAKE = " \
+ COMPILER=${COMPILER} \
+ OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules \
+ OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${exec_prefix} \
+ -C ${S} O=${B} \
+"
diff --git a/recipes-security/optee-imx/optee-os-fslc-imx.inc b/recipes-security/optee-imx/optee-os-fslc-imx.inc
new file mode 100644
index 00000000..6b72e827
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-fslc-imx.inc
@@ -0,0 +1,26 @@
+require optee-os-fslc.inc
+
+SRC_URI = "git://github.com/nxp-imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH}"
+
+# The platform flavor corresponds to the Yocto machine without the leading 'i'.
+PLATFORM_FLAVOR = "${@d.getVar('MACHINE')[1:]}"
+PLATFORM_FLAVOR:imx6qdlsabresd = "mx6qsabresd"
+PLATFORM_FLAVOR:imx6qdlsabreauto = "mx6qsabreauto"
+PLATFORM_FLAVOR:imx6qpdlsolox = "mx6qsabresd"
+PLATFORM_FLAVOR:mx6ul-nxp-bsp = "mx6ulevk"
+PLATFORM_FLAVOR:mx6ull-nxp-bsp = "mx6ullevk"
+PLATFORM_FLAVOR:mx6ulz-nxp-bsp = "mx6ulzevk"
+PLATFORM_FLAVOR:mx8mq-nxp-bsp = "mx8mqevk"
+PLATFORM_FLAVOR:mx8mm-nxp-bsp = "mx8mmevk"
+PLATFORM_FLAVOR:mx8mn-nxp-bsp = "mx8mnevk"
+PLATFORM_FLAVOR:mx8mnul-nxp-bsp = "mx8mnevk"
+PLATFORM_FLAVOR:mx8mp-nxp-bsp = "mx8mpevk"
+PLATFORM_FLAVOR:mx8mpul-nxp-bsp = "mx8mpevk"
+PLATFORM_FLAVOR:mx8qm-nxp-bsp = "mx8qmmek"
+PLATFORM_FLAVOR:mx8qxp-nxp-bsp = "mx8qxpmek"
+PLATFORM_FLAVOR:mx8dx-nxp-bsp = "mx8dxmek"
+PLATFORM_FLAVOR:mx8dxl-nxp-bsp = "mx8dxlevk"
+PLATFORM_FLAVOR:mx8ulp-nxp-bsp = "mx8ulpevk"
+PLATFORM_FLAVOR:mx93-nxp-bsp = "mx93evk"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-os-fslc.inc b/recipes-security/optee-imx/optee-os-fslc.inc
new file mode 100644
index 00000000..b91a5531
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-fslc.inc
@@ -0,0 +1,87 @@ +# Copyright (C) 2017-2021 NXP + +SUMMARY = "OPTEE OS" +DESCRIPTION = "OPTEE OS" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173" + +require optee-fslc.inc + +DEPENDS += "python3-pyelftools-native u-boot-mkimage-native" +DEPENDS:append:toolchain-clang = " compiler-rt" + +inherit deploy autotools + +# Optee-os can be built for 32 bits and 64 bits at the same time +# as long as the compilers are correctly defined. +# For 64bits, CROSS_COMPILE64 must be set +# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that +# any 32 or 64 bits builds will pass +EXTRA_OEMAKE += " \ + PLATFORM=imx-${PLATFORM_FLAVOR} \ + CROSS_COMPILE=${HOST_PREFIX} \ + CROSS_COMPILE64=${HOST_PREFIX} \ + CFLAGS32=--sysroot=${STAGING_DIR_HOST} \ + CFLAGS64=--sysroot=${STAGING_DIR_HOST} \ + CFG_TEE_TA_LOG_LEVEL=0 \ + CFG_TEE_CORE_LOG_LEVEL=0 \ +" + +EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \ + CFG_CORE_LARGE_PHYS_ADDR=y \ + CFG_CORE_ARM64_PA_BITS=36 \ + CFG_DDR_SIZE=0x100000000 \ + CFG_TZDRAM_START=0xfe000000 \ +" + +LDFLAGS[unexport] = "1" +CPPFLAGS[unexport] = "1" +AS[unexport] = "1" +LD[unexport] = "1" + +do_configure[noexec] = "1" + +do_compile:prepend() { + PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name) +} + +do_compile:arm () { + oe_runmake all uTee +} + +do_compile:aarch64 () { + oe_runmake all +} +do_compile[cleandirs] = "${B}" + +do_deploy () { + install -d ${DEPLOYDIR} + cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin + ln -sf tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin +} + +do_deploy:append:arm () { + cp ${B}/core/uTee ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT} +} + +do_install () { + install -d ${D}${nonarch_base_libdir}/firmware/ + install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/ + + # Install embedded TAs + install -d ${D}${nonarch_base_libdir}/optee_armtz/ + install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/ + + # Install the TA devkit + install -d 
${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/ + cp -aR ${B}/export-ta_${OPTEE_ARCH}/* \ + ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/ +} + +addtask deploy after do_compile before do_install + +FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/" +FILES:${PN}-staticdev = "${includedir}/optee/" +RDEPENDS:${PN}-dev += "${PN}-staticdev" + +PACKAGE_ARCH = "${MACHINE_ARCH}" diff --git a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch new file mode 100644 index 00000000..54fbe541 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch 
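Review bot: `do_install` ships `${B}/ta/*/*.ta` and the TA devkit, but the `EXTRA_OEMAKE` in this hunk passes no TA signing key, so unless one is supplied elsewhere the TAs are signed with the OP-TEE build's default, which upstream is the publicly known development key `keys/default_ta.pem`. For a product image the key should come from the build configuration, for example `TA_SIGN_KEY=/path/to/product-key.pem` (placeholder path) appended to `EXTRA_OEMAKE`, and a comment above `EXTRA_OEMAKE` should state that the default key is for development only. Also, `do_deploy:append:arm` writes `uTee-${OPTEE_BIN_EXT}`, and `OPTEE_BIN_EXT` is not assigned in any fragment visible on this page, so confirm the machine configuration sets it.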
@@ -0,0 +1,245 @@ +From ef83625c9a5f50610e25aa860c4b9c5e64723a66 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Wed, 21 Dec 2022 10:55:58 +0000 +Subject: [PATCH 1/4] core: Define section attributes for clang + +Clang's attribute section is not same as gcc, here we need to add flags +to sections so they can be eventually collected by linker into final +output segments. Only way to do so with clang is to use + +pragma clang section ... + +The behavious is described here [1], this allows us to define names bss +sections. This was not an issue until clang-15 where LLD linker starts +to detect the section flags before merging them and throws the following +errors + +| ld.lld: error: section type mismatch for .nozi.kdata_page +| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS +| >>> output section .nozi: SHT_NOBITS +| +| ld.lld: error: section type mismatch for .nozi.mmu.l2 +| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS +| >>> output section .nozi: SHT_NOBITS + +These sections should be carrying SHT_NOBITS but so far it was not +possible to do so, this patch tries to use clangs pragma to get this +going and match the functionality with gcc. 
+ +[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io> +--- + + core/arch/arm/kernel/thread.c | 19 +++++++++++++++-- + core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++---- + core/arch/arm/mm/core_mmu_v7.c | 36 +++++++++++++++++++++++++++++--- + core/kernel/thread.c | 13 +++++++++++- + core/mm/pgt_cache.c | 12 ++++++++++- + 5 files changed, 104 insertions(+), 11 deletions(-) + +diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c +index 66833b3a0..b3eb9cf9a 100644 +--- a/core/arch/arm/kernel/thread.c ++++ b/core/arch/arm/kernel/thread.c +@@ -45,15 +45,30 @@ static size_t thread_user_kcode_size __nex_bss; + #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \ + defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64) + long thread_user_kdata_sp_offset __nex_bss; ++#ifdef __clang__ ++#ifndef CFG_VIRTUALIZATION ++#pragma clang section bss=".nozi.kdata_page" ++#else ++#pragma clang section bss=".nex_nozi.kdata_page" ++#endif ++#endif + static uint8_t thread_user_kdata_page[ + ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE, + SMALL_PAGE_SIZE)] + __aligned(SMALL_PAGE_SIZE) ++#ifndef __clang__ + #ifndef CFG_NS_VIRTUALIZATION +- __section(".nozi.kdata_page"); ++ __section(".nozi.kdata_page") + #else +- __section(".nex_nozi.kdata_page"); ++ __section(".nex_nozi.kdata_page") + #endif ++#endif ++ ; ++#endif ++ ++/* reset BSS section to default ( .bss ) */ ++#ifdef __clang__ ++#pragma clang section bss="" + #endif + + #ifdef ARM32 +diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c +index 4c8b85e39..1885e1d3f 100644 +--- a/core/arch/arm/mm/core_mmu_lpae.c ++++ b/core/arch/arm/mm/core_mmu_lpae.c +@@ -234,19 +234,46 @@ typedef uint16_t l1_idx_t; + typedef uint64_t 
base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES]; + typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES]; + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.base_table" ++#endif + static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES] + __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE) +- __section(".nozi.mmu.base_table"); ++#ifndef __clang__ ++ __section(".nozi.mmu.base_table") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES] +- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2"); ++ __aligned(XLAT_TABLE_SIZE) ++#ifndef __clang__ ++ __section(".nozi.mmu.l2") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + #define XLAT_TABLES_SIZE (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES) + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + /* MMU L2 table for TAs, one for each thread */ + static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS] +- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2"); +- ++#ifndef __clang__ ++ __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + /* + * TAs page table entry inside a level 1 page table. 
+ * +diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c +index 61e703da8..1960c08ca 100644 +--- a/core/arch/arm/mm/core_mmu_v7.c ++++ b/core/arch/arm/mm/core_mmu_v7.c +@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES]; + typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES]; + typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES]; + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l1" ++#endif + static l1_xlat_tbl_t main_mmu_l1_ttb +- __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1"); ++ __aligned(L1_ALIGNMENT) ++#ifndef __clang__ ++ __section(".nozi.mmu.l1") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + /* L2 MMU tables */ ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES] +- __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2"); ++ __aligned(L2_ALIGNMENT) ++#ifndef __clang__ ++ __section(".nozi.mmu.l2") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + /* MMU L1 table for TAs, one for each thread */ ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.ul1" ++#endif + static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS] +- __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1"); ++ __aligned(UL1_ALIGNMENT) ++#ifndef __clang__ ++ __section(".nozi.mmu.ul1") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + struct mmu_partition { + l1_xlat_tbl_t *l1_table; +diff --git a/core/kernel/thread.c b/core/kernel/thread.c +index 2a1f22dce..5516b6771 100644 +--- a/core/kernel/thread.c ++++ b/core/kernel/thread.c +@@ -39,13 +39,24 @@ static uint32_t end_canary_value = 0xababab00; + name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1] + #endif + ++#define DO_PRAGMA(x) _Pragma (#x) ++ ++#ifdef __clang__ ++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \ ++DO_PRAGMA (clang section bss=".nozi_stack." 
#name) \ ++linkage uint32_t name[num_stacks] \ ++ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \ ++ STACK_ALIGNMENT) / sizeof(uint32_t)] \ ++ __attribute__((aligned(STACK_ALIGNMENT))); \ ++DO_PRAGMA(clang section bss="") ++#else + #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \ + linkage uint32_t name[num_stacks] \ + [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \ + STACK_ALIGNMENT) / sizeof(uint32_t)] \ + __attribute__((section(".nozi_stack." # name), \ + aligned(STACK_ALIGNMENT))) +- ++#endif + #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack)) + + DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE, +diff --git a/core/mm/pgt_cache.c b/core/mm/pgt_cache.c +index 79553c6d2..b9efdf427 100644 +--- a/core/mm/pgt_cache.c ++++ b/core/mm/pgt_cache.c +@@ -410,8 +410,18 @@ void pgt_init(void) + * has a large alignment, while .bss has a small alignment. The current + * link script is optimized for small alignment in .bss + */ ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE] +- __aligned(PGT_SIZE) __section(".nozi.pgt_cache"); ++ __aligned(PGT_SIZE) ++#ifndef __clang__ ++ __section(".nozi.pgt_cache") ++#endif ++ ; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + size_t n; + + for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) { +-- +2.43.2 + diff --git a/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch b/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch new file mode 100644 index 00000000..dbc53542 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch 
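Review bot: In the core_mmu_lpae.c part, the rewritten `xlat_tables_ul1` declaration moves `__aligned(XLAT_TABLE_SIZE)` inside `#ifndef __clang__` together with `__section(".nozi.mmu.l2")`, so a clang build drops the alignment of the per-thread TA translation tables; the two declarations before it keep `__aligned` outside the guard. The guard should cover only the section attribute, i.e. `__aligned(XLAT_TABLE_SIZE)` on its own line followed by `#ifndef __clang__`, `__section(".nozi.mmu.l2")`, `#endif`. Two further mismatches between the compiler branches are worth checking: thread.c tests `CFG_VIRTUALIZATION` on the clang side but `CFG_NS_VIRTUALIZATION` on the gcc side, and pgt_cache.c places `pgt_tables` in `.nozi.mmu.l2` for clang but `.nozi.pgt_cache` for gcc.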
@@ -0,0 +1,34 @@ +From 2ba573c9763329fbfdfacc8393d565ab747cac4d Mon Sep 17 00:00:00 2001 +From: Brett Warren <brett.warren@arm.com> +Date: Wed, 23 Sep 2020 09:27:34 +0100 +Subject: [PATCH 2/4] optee: enable clang support + +When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used +to provide a sysroot wasn't included, which results in not locating +compiler-rt. This is mitigated by including the variable as ammended. + +Upstream-Status: Pending +ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701 +Signed-off-by: Brett Warren <brett.warren@arm.com> +Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io> +--- + + mk/clang.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mk/clang.mk b/mk/clang.mk +index a045beee8..1ebe2f702 100644 +--- a/mk/clang.mk ++++ b/mk/clang.mk +@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \ + + # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of + # libgcc for clang +-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \ ++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \ + -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null) + + # Core ASLR relies on the executable being ready to run from its preferred load +-- +2.43.2 + diff --git a/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch b/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch new file mode 100644 index 00000000..1c5753c7 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch 
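Review bot: `$(LIBGCC_LOCATE_CFLAGS)` is added to the `libgcc$(sm)` probe, but none of the recipe fragments visible on this page assign that variable, so as far as this page shows it expands to nothing and the probe is unchanged. If the sysroot is meant to reach the probe this way, pass it from the recipe, e.g. `LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST}` in `EXTRA_OEMAKE`. The probe sends stderr to `/dev/null`, so a failed lookup leaves `libgcc$(sm)` empty and only surfaces later as a link error; the rest of clang.mk is outside the hunk.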
@@ -0,0 +1,133 @@ +From 6f738803a59613ec4a683ddbc1747ebffd75a4e6 Mon Sep 17 00:00:00 2001 +From: Jerome Forissier <jerome.forissier@linaro.org> +Date: Tue, 23 Aug 2022 12:31:46 +0000 +Subject: [PATCH 3/4] arm32: libutils, libutee, ta: add .note.GNU-stack section + to + + .S files + +When building for arm32 with GNU binutils 2.39, the linker outputs +warnings when linking Trusted Applications: + + arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack + arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + +We could silence the warning by adding the '-z execstack' option to the +TA link flags, like we did in the parent commit for the TEE core and +ldelf. Indeed, ldelf always allocates a non-executable piece of memory +for the TA to use as a stack. + +However it seems preferable to comply with the common ELF practices in +this case. A better fix is therefore to add the missing .note.GNU-stack +sections in the assembler files. 
+ +Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> + +Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499] +Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io> +--- + + lib/libutee/arch/arm/utee_syscalls_a32.S | 2 ++ + lib/libutils/ext/arch/arm/atomic_a32.S | 2 ++ + lib/libutils/ext/arch/arm/mcount_a32.S | 2 ++ + lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S | 2 ++ + lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++ + lib/libutils/isoc/arch/arm/setjmp_a32.S | 2 ++ + ta/arch/arm/ta_entry_a32.S | 2 ++ + 7 files changed, 14 insertions(+) + +diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S +index 2dea83ab8..668b65a86 100644 +--- a/lib/libutee/arch/arm/utee_syscalls_a32.S ++++ b/lib/libutee/arch/arm/utee_syscalls_a32.S +@@ -9,6 +9,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + .section .text + .balign 4 + .code 32 +diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S +index 2be73ffad..87ddf1065 100644 +--- a/lib/libutils/ext/arch/arm/atomic_a32.S ++++ b/lib/libutils/ext/arch/arm/atomic_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* uint32_t atomic_inc32(uint32_t *v); */ + FUNC atomic_inc32 , : + ldrex r1, [r0] +diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S +index 54dc3c02d..2f24632b8 100644 +--- a/lib/libutils/ext/arch/arm/mcount_a32.S ++++ b/lib/libutils/ext/arch/arm/mcount_a32.S +@@ -9,6 +9,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * Convert return address to call site address by subtracting the size of the + * mcount call instruction (blx __gnu_mcount_nc). 
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S +index 37ae9ec6f..bc6c48b1a 100644 +--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S ++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * signed ret_idivmod_values(signed quot, signed rem); + * return quotient and remaining the EABI way (regs r0,r1) +diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S +index 5c3353e2c..9fb5e0283 100644 +--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S ++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d) + */ +diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S +index f8a0b70df..37d7cb88e 100644 +--- a/lib/libutils/isoc/arch/arm/setjmp_a32.S ++++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S +@@ -53,6 +53,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* Arm/Thumb interworking support: + + The interworking scheme expects functions to use a BX instruction +diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S +index cd9a12f9d..ccdc19928 100644 +--- a/ta/arch/arm/ta_entry_a32.S ++++ b/ta/arch/arm/ta_entry_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * This function is the bottom of the user call stack. Mark it as such so that + * the unwinding code won't try to go further down. +-- +2.43.2 + 
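Review bot: Every inner hunk adds `.section .note.GNU-stack,"",%progbits` directly below a context line that already holds the same directive, so the pinned source tree appears to contain this fix already and the backport only repeats it in all seven .S files. The duplicate directive is harmless to the assembler, but the patch should be dropped from the recipe rather than carried forward. 0004-core-link-add-no-warn-rwx-segments.patch is also marked as a backport and is worth checking against the pinned tree in the same way.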
diff --git a/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch b/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch new file mode 100644 index 00000000..f32b2284 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch 
@@ -0,0 +1,67 @@
+From a63f82f74e015eb662242cdb51ef814e3f576829 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH 4/4] core: link: add --no-warn-rwx-segments
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
+---
+
+ core/arch/arm/kernel/link.mk | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 49e9f4fa1..9e1cc172f 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -37,6 +37,7 @@ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+ link-ldflags += $(link-ldflags-common)
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+
+ link-ldadd = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -61,6 +62,7 @@ link-script-cppflags := \
+ $(cppflagscore))
+
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++ $(call ld-option,--no-warn-rwx-segments) \
+ $(link-ldflags-common) \
+ $(link-objs)
$(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+@@ -75,7 +77,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+- $(link-ldflags-common)
++ $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -104,7 +106,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+- $(link-ldflags-common)
++ $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o $(link-ldadd) \
+ $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
+--
+2.43.2
+
diff --git a/recipes-security/optee-imx/optee-os_3.2.0.imx.bb b/recipes-security/optee-imx/optee-os_3.2.0.imx.bb
deleted file mode 100644
index 9fbe09a4..00000000
--- a/recipes-security/optee-imx/optee-os_3.2.0.imx.bb
+++ /dev/null
@@ -1,93 +0,0 @@ -# Copyright (C) 2017-2018 NXP - -SUMMARY = "OPTEE OS" -DESCRIPTION = "OPTEE OS" -HOMEPAGE = "http://www.optee.org/" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b" - -inherit deploy pythonnative autotools -DEPENDS = "python-pycrypto-native u-boot-mkimage-native" - -SRCBRANCH = "imx_4.14.78_1.0.0_ga" -OPTEE_OS_SRC ?= "git://source.codeaurora.org/external/imx/imx-optee-os.git;protocol=https" -SRC_URI = "${OPTEE_OS_SRC};branch=${SRCBRANCH}" -SRCREV = "6a52487eb0ff664e4ebbd48497f0d3322844d51d" - -S = "${WORKDIR}/git" -B = "${WORKDIR}/build.${PLATFORM_FLAVOR}" - -# The platform flavor corresponds to the Yocto machine without the leading 'i'. -PLATFORM_FLAVOR = "${@d.getVar('MACHINE')[1:]}" -PLATFORM_FLAVOR_imx6qpdlsolox = "mx6qsabresd" -PLATFORM_FLAVOR_imx6ul7d = "mx6ulevk" -PLATFORM_FLAVOR_imx6ull14x14evk = "mx6ullevk" -PLATFORM_FLAVOR_imx6ull9x9evk = "mx6ullevk" -PLATFORM_FLAVOR_imx6ulz14x14evk = "mx6ullevk" -PLATFORM_FLAVOR_mx8mm = "mx8mmevk" - -OPTEE_ARCH ?= "arm32" -OPTEE_ARCH_armv7a = "arm32" -OPTEE_ARCH_aarch64 = "arm64" - -# Optee-os can be built for 32 bits and 64 bits at the same time -# as long as the compilers are correctly defined. 
-# For 64bits, CROSS_COMPILE64 must be set -# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that -# any 32 or 64 bits builds will pass -EXTRA_OEMAKE = "PLATFORM=imx PLATFORM_FLAVOR=${PLATFORM_FLAVOR} \ - CROSS_COMPILE=${HOST_PREFIX} \ - CROSS_COMPILE64=${HOST_PREFIX} \ - NOWERROR=1 \ - LDFLAGS= \ - O=${B} \ - CFG_SECURE_DATA_PATH=y \ - CFG_TEE_SDP_MEM_BASE=0xCC000000 \ - CFG_TEE_SDP_MEM_SIZE=0x02000000 \ - CFG_TEE_SDP_NONCACHE=y \ - " - - -do_compile () { - unset LDFLAGS - export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" - oe_runmake -C ${S} all CFG_TEE_TA_LOG_LEVEL=0 -} - - -do_deploy () { - install -d ${DEPLOYDIR} - ${TARGET_PREFIX}objcopy -O binary ${B}/core/tee.elf ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin - - if [ "${OPTEE_ARCH}" != "arm64" ]; then - IMX_LOAD_ADDR=`cat ${B}/core/tee-init_load_addr.txt` && \ - uboot-mkimage -A arm -O linux -C none -a ${IMX_LOAD_ADDR} -e ${IMX_LOAD_ADDR} \ - -d ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT} - fi - - cd ${DEPLOYDIR} - ln -sf tee.${PLATFORM_FLAVOR}.bin tee.bin - cd - -} - -do_install () { - install -d ${D}/lib/firmware/ - install -m 644 ${B}/core/*.bin ${D}/lib/firmware/ - - # Install the TA devkit - install -d ${D}/usr/include/optee/export-user_ta_${OPTEE_ARCH}/ - - for f in ${B}/export-ta_${OPTEE_ARCH}/*; do - cp -aR $f ${D}/usr/include/optee/export-user_ta_${OPTEE_ARCH}/ - done -} - -addtask deploy after do_compile before do_install - - -FILES_${PN} = "${nonarch_base_libdir}/firmware/" -FILES_${PN}-staticdev = "/usr/include/optee/" -RDEPENDS_${PN}-dev += "${PN}-staticdev" - -PACKAGE_ARCH = "${MACHINE_ARCH}" -COMPATIBLE_MACHINE = "(imx)" diff --git a/recipes-security/optee-imx/optee-os_4.0.0.imx.bb b/recipes-security/optee-imx/optee-os_4.0.0.imx.bb new file mode 100644 index 00000000..ad6c6b40 --- /dev/null +++ b/recipes-security/optee-imx/optee-os_4.0.0.imx.bb 
@@ -0,0 +1,12 @@
+# Copyright (C) 2017-2021 NXP
+
+require optee-os-fslc-imx.inc
+
+SRC_URI += " \
+ file://0001-core-Define-section-attributes-for-clang.patch \
+ file://0002-optee-enable-clang-support.patch \
+ file://0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch \
+ file://0004-core-link-add-no-warn-rwx-segments.patch \
+"
+SRCBRANCH = "lf-6.6.3_1.0.0"
+SRCREV = "e0a3e77735941e6057a1994a576b83a93ea0bdb9"
diff --git a/recipes-security/optee-imx/optee-test-fslc.inc b/recipes-security/optee-imx/optee-test-fslc.inc
new file mode 100644
index 00000000..e0c133a7
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test-fslc.inc
@@ -0,0 +1,38 @@
+# Copyright (C) 2017-2021 NXP
+
+SUMMARY = "OPTEE test"
+LICENSE = "BSD-2-Clause & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+require optee-fslc.inc
+
+DEPENDS += "optee-os optee-client openssl"
+
+EXTRA_OEMAKE += " \
+ TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_${OPTEE_ARCH}/ \
+ CROSS_COMPILE_HOST=${HOST_PREFIX} \
+ CROSS_COMPILE_TA=${HOST_PREFIX} \
+ CROSS_COMPILE=${HOST_PREFIX} \
+"
+
+do_compile() {
+ oe_runmake all
+}
+do_compile[cleandirs] = "${B}"
+
+do_install () {
+ install -d ${D}${bindir}
+ install ${B}/xtest/xtest ${D}${bindir}
+
+ install -d ${D}${nonarch_base_libdir}/optee_armtz
+ find ${B}/ta -name '*.ta' | while read name; do
+ install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
+ done
+
+ install -d ${D}${libdir}/tee-supplicant/plugins/
+ install ${B}/supp_plugin/*plugin ${D}${libdir}/tee-supplicant/plugins/
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ ${libdir}/tee-supplicant/plugins/"
+
+RDEPENDS:${PN} = "optee-os"
diff --git a/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch b/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch
deleted file mode 100644
index 0d853ed0..00000000
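Review bot: The `SRC_URI` list in optee-os_4.0.0.imx.bb applies `0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch`, and the hunks of that patch visible in this commit insert `.section .note.GNU-stack,"",%progbits` directly below an identical context line in each .S file. That suggests the pinned `lf-6.6.3_1.0.0` tree may already contain the change, so the backport would only add a duplicate directive. It is worth checking 0003 and 0004 against `SRCREV` and dropping any that the tree already carries, so that the recipe lists only patches that change the build.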
--- a/recipes-security/optee-imx/optee-test/0001-regression-4011-correct-potential-overflow.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -Upstream-Status: Backport 3.4.0 - -Signed-off-by: Peter Griffin <peter.griffin@linaro.org> ---- -From 0953bf0abb08fb98d24b7966001171a707fbb9b9 Mon Sep 17 00:00:00 2001 -From: Etienne Carriere <etienne.carriere@linaro.org> -Date: Fri, 21 Dec 2018 15:36:25 +0100 -Subject: [PATCH] regression 4011: correct potential overflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fix issues reported by GCC 8.2.0. - -build/optee_test/host/xtest/regression_4000.c: In function ‘xtest_tee_test_4011’: -build/optee_test/host/xtest/regression_4000.c:5029:3: error: ‘memmove’ pointer overflow between offset [0, 8] and size [4294967295, 2147483647] accessing array ‘tmp’ with type ‘uint8_t[1024]’ {aka ‘unsigned char[1024]’} [-Werror=array-bounds] - memmove(tmp + n + i, tmp + m, tmp_size - m); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -build/optee_test/host/xtest/regression_4000.c:4927:10: note: array ‘tmp’ declared here - uint8_t tmp[1024]; - ^~~ -build/optee_test/host/xtest/regression_4000.c:5029:3: error: ‘memmove’ specified size 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=] - memmove(tmp + n + i, tmp + m, tmp_size - m); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -cc1: all warnings being treated as errors - -Reported-by: Simon Hughes <simon.hughes@arm.com> -Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> -Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> ---- - host/xtest/regression_4000.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c -index 766aad2..205a226 100644 ---- a/host/xtest/regression_4000.c -+++ b/host/xtest/regression_4000.c -@@ -5018,18 +5018,28 @@ static void xtest_tee_test_4011(ADBG_Case_t *c) - out, out_size, tmp, &tmp_size))) - goto out; - -+ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, tmp_size, <=, sizeof(tmp))) -+ goto out; -+ - /* 4.1 */ -- for (n = 
0; n < tmp_size; n++) -+ for (n = 0; n < tmp_size - i; n++) - if (tmp[n] == 0xff) - break; -+ -+ /* Shall find at least a padding start before buffer end */ -+ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, n, <, tmp_size - i - 1)) -+ goto out; -+ - for (m = n + 1; m < tmp_size; m++) - if (tmp[m] != 0xff) - break; -+ - /* 4.2 */ - memmove(tmp + n + i, tmp + m, tmp_size - m); -+ - /* 4.3 */ -- for (n = n + tmp_size - m + i; n < tmp_size; n++) -- tmp[n] = 0; -+ n = n + i + tmp_size - m; -+ memset(tmp + n, 0, tmp_size - n); - - /* 5 */ - out_size = sizeof(out); --- -2.7.4 - diff --git a/recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch b/recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch deleted file mode 100644 index 0c13dcfc..00000000 --- a/recipes-security/optee-imx/optee-test/0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -Upstream-Status: Backport 3.4.0 - -Signed-off-by: Peter Griffin <peter.griffin@linaro.org> ---- -From 493574ad1f4f56dd63097a652b87c25c507ce99c Mon Sep 17 00:00:00 2001 -From: Etienne Carriere <etienne.carriere@linaro.org> -Date: Fri, 21 Dec 2018 15:36:00 +0100 -Subject: [PATCH] xtest: prevent unexpected build warning with strncpy -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This change modifies adbg_run.c to prevent a false positive -warning reported by GCC 8.2 on usage of strncpy(): - - build/optee_test/host/xtest/adbg/src/adbg_run.c: In function ‘Do_ADBG_AppendToSuite’: - build/optee_test/host/xtest/adbg/src/adbg_run.c:103:3: error: ‘strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=] - strncpy(p, Source_p->SuiteID_p, size); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - build/optee_test/host/xtest/adbg/src/adbg_run.c:88:9: note: length computed here - size = strlen(Source_p->SuiteID_p); - ^~~~~~~~~~~~~~~~~~~~~~~~~~~ - cc1: all warnings being treated as errors - -From [1]: - Using strncpy Safely - In general, it is not possible to avoid string truncation by strncpy - except by sizing the destination to be at least a byte larger than - the length of the source string. With that approach, however, using - strncpy becomes unnecessary and the function can be avoided in favor - of other APIs such as strcpy or (less preferably) memcpy. Much has - been written about the problems with strncpy and we recommend to - avoid it whenever possible. It is, however, worth keeping in mind - that unlike other standard string-handling functions, strncpy always - writes exactly as many characters as specified by the third argument; - if the source string is shorter, the function fills the remaining - bytes with NULs. - -This change prefers using a snprintf() as used in the alternate -instruction block of the strncpy() call. 
- -[1] https://developers.redhat.com/blog/2018/05/24/detecting-string-truncation-with-gcc-8/ - -Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> -Signed-off-by: Simon Hughes <simon.hughes@arm.com> -Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> ---- - host/xtest/adbg/src/adbg_run.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/host/xtest/adbg/src/adbg_run.c b/host/xtest/adbg/src/adbg_run.c -index 406e429..2739db5 100644 ---- a/host/xtest/adbg/src/adbg_run.c -+++ b/host/xtest/adbg/src/adbg_run.c -@@ -100,7 +100,7 @@ int Do_ADBG_AppendToSuite( - snprintf(p, size, "%s+%s", Dest_p->SuiteID_p, - Source_p->SuiteID_p); - else -- strncpy(p, Source_p->SuiteID_p, size); -+ snprintf(p, size, "%s", Source_p->SuiteID_p); - free((void *)Dest_p->SuiteID_p); - Dest_p->SuiteID_p = p; - --- -2.7.4 - diff --git a/recipes-security/optee-imx/optee-test_3.2.0.imx.bb b/recipes-security/optee-imx/optee-test_3.2.0.imx.bb deleted file mode 100644 index 187c24a9..00000000 --- a/recipes-security/optee-imx/optee-test_3.2.0.imx.bb +++ /dev/null 
@@ -1,57 +0,0 @@ -# Copyright (C) 2017-2018 NXP - -SUMMARY = "OPTEE test" -HOMEPAGE = "http://www.optee.org/" - -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa" - -DEPENDS = "optee-os optee-client python-pycrypto-native openssl" -inherit pythonnative - -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRCBRANCH = "imx_4.14.78_1.0.0_ga" -OPTEE_TEST_SRC ?= "git://source.codeaurora.org/external/imx/imx-optee-test.git;protocol=https" - -SRC_URI = "${OPTEE_TEST_SRC};branch=${SRCBRANCH} \ - file://0001-regression-4011-correct-potential-overflow.patch \ - file://0001-xtest-prevent-unexpected-build-warning-with-strncpy.patch \ -" - -S = "${WORKDIR}/git" - -SRCREV = "eb7f698da9a7fa1587f96aa92ad8668abb0f0f48" - - - -do_compile () { - if [ ${DEFAULTTUNE} = "aarch64" ];then - export TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_arm64/ - export ARCH=arm64 - else - export TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_arm32/ - export ARCH=arm - fi - export OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}/usr - export CROSS_COMPILE_HOST=${HOST_PREFIX} - export CROSS_COMPILE_TA=${HOST_PREFIX} - export CROSS_COMPILE=${HOST_PREFIX} - export OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}/ - oe_runmake V=1 -} - -do_install () { - install -d ${D}/usr/bin - install ${S}/out/xtest/xtest ${D}/usr/bin/ - - install -d ${D}/lib/optee_armtz - find ${S}/out/ta -name '*.ta' | while read name; do - install -m 444 $name ${D}/lib/optee_armtz/ - done - -} - -FILES_${PN} = "/usr/bin/ /lib*/optee_armtz/" - -COMPATIBLE_MACHINE = "(mx6|mx7|mx8)" diff --git a/recipes-security/optee-imx/optee-test_4.0.0.imx.bb b/recipes-security/optee-imx/optee-test_4.0.0.imx.bb new file mode 100644 index 00000000..1717a713 --- /dev/null +++ b/recipes-security/optee-imx/optee-test_4.0.0.imx.bb 
@@ -0,0 +1,10 @@
+# Copyright (C) 2017-2021 NXP
+
+require optee-test-fslc.inc
+
+SRC_URI = "git://github.com/nxp-imx/imx-optee-test.git;protocol=https;branch=${SRCBRANCH}"
+
+SRCBRANCH = "lf-6.6.3_1.0.0"
+SRCREV = "95c49d950f50fa774e4530d19a967079b3b61279"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb
new file mode 100644
index 00000000..94123e43
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb
@@ -0,0 +1,5 @@
+require optee-client.nxp.inc
+
+PV:append = "+git${SRCPV}"
+
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-client.nxp.inc b/recipes-security/optee-qoriq/optee-client.nxp.inc
new file mode 100644
index 00000000..c3933a24
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-client.nxp.inc
@@ -0,0 +1,53 @@
+# Copyright 2020-2021 NXP
+
+SUMMARY = "OPTEE Client libs"
+HOMEPAGE = "http://www.optee.org/"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+inherit python3native systemd
+
+SRC_URI = "git://github.com/nxp-qoriq/optee_client.git;protocol=https;nobranch=1"
+SRCREV = "7c9c423d00e96bf51debd5fe10fd70dce83be5cc"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
+SRC_URI += "file://tee-supplicant.service"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+OPTEE_ARCH ?= "arm32"
+OPTEE_ARCH:armv7a = "arm32"
+OPTEE_ARCH:aarch64 = "arm64"
+
+EXTRA_OEMAKE = "ARCH=${OPTEE_ARCH} O=${B}"
+
+do_install () {
+ oe_runmake -C ${S} install
+
+ install -d ${D}${libdir}/
+ install -p -m0644 ${B}/export${libdir}/libteec.so.1.0.0 ${D}${libdir}/
+ ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1.0
+ ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1
+ ln -sf libteec.so.1 ${D}${libdir}/libteec.so
+
+ install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
+ ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1
+ ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
+ ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
+
+ install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
+
+ cp -a ${B}/export/usr/include ${D}${includedir}
+
+ install -d ${D}${systemd_system_unitdir}/
+ install -m0644 ${UNPACKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/
+ sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${D}${systemd_system_unitdir}/tee-supplicant.service
+}
+
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+
+FILES:${PN} += "${libdir}/* ${includedir}/*"
+
+INSANE_SKIP:${PN} = "ldflags dev-elf"
+INSANE_SKIP:${PN}-dev = "ldflags dev-elf"
diff --git a/recipes-security/optee-qoriq/optee-client/tee-supplicant.service b/recipes-security/optee-qoriq/optee-client/tee-supplicant.service
new file mode 100644
index 00000000..0e2b4f6b
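Review bot: `INSANE_SKIP:${PN} = "ldflags dev-elf"` at the end of the recipe turns off the QA check that reports binaries linked without the build system's `LDFLAGS`, and `EXTRA_OEMAKE` passes only `ARCH` and `O`, so libteec, libckteec and tee-supplicant may be linked without whatever hardening options the distro places in `LDFLAGS`. tee-supplicant is started as root by the unit file added in this commit, so this is worth fixing rather than skipping, presumably by passing the flags through to the Makefile and removing `ldflags` from both `INSANE_SKIP` lines. Separately, in `do_install` libteec is taken from `${B}/export${libdir}` while libckteec and the headers come from `${B}/export/usr/lib` and `${B}/export/usr/include`; the two forms agree only when `libdir` is `/usr/lib`.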
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-client/tee-supplicant.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+User=root
+EnvironmentFile=-/etc/default/tee-supplicant
+ExecStart=/usr/bin/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
+
diff --git a/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb
new file mode 100644
index 00000000..3c3652d3
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb
@@ -0,0 +1,28 @@
+require optee-os.nxp.inc
+
+PV:append = "+git${SRCPV}"
+
+PLATFORM_FLAVOR:ls1088ardb-pb = "ls1088ardb"
+PLATFORM_FLAVOR:ls1046afrwy = "ls1046ardb"
+PLATFORM_FLAVOR:lx2162aqds = "lx2160aqds"
+
+EXTRA_OEMAKE += " \
+ PLATFORM=ls \
+ CFG_ARM64_core=y \
+"
+
+do_compile:append:ls1012afrwy() {
+ mv ${B}/core/tee-raw.bin ${B}/core/tee_512mb.bin
+ oe_runmake CFG_DRAM0_SIZE=0x40000000 all
+}
+
+do_install:append:qoriq() {
+ install -m 644 ${B}/core/tee-raw.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}.bin
+}
+
+do_install:append:ls1012afrwy() {
+ install -m 644 ${B}/core/tee_512mb.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}_512mb.bin
+}
+
+INHIBIT_PACKAGE_STRIP = "1"
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-os.nxp.inc b/recipes-security/optee-qoriq/optee-os.nxp.inc
new file mode 100644
index 00000000..5b90b937
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-os.nxp.inc
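Review bot: The `[Service]` section of tee-supplicant.service runs the daemon as `User=root` with no sandboxing directives, and `ExecStart` expands `$OPTARGS` from the optional `/etc/default/tee-supplicant`, so the ownership and mode of that file decide who can set the arguments of a root process. Consider adding `NoNewPrivileges=yes` and `ProtectSystem=full`, after confirming that the supplicant's storage directory and the TEE device node stay usable under those settings. A comment in the unit naming the variable the environment file is expected to set would also help, since `OPTARGS` is not defined anywhere in the unit itself.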
@@ -0,0 +1,75 @@
+# Copyright 2020-2021 NXP
+
+SUMMARY = "OPTEE OS"
+DESCRIPTION = "OPTEE OS"
+HOMEPAGE = "http://www.optee.org/"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+
+inherit deploy python3native autotools
+DEPENDS = "python3-pycryptodome-native python3-pyelftools-native python3-pycryptodomex-native dtc-native"
+
+SRC_URI = "git://github.com/nxp-qoriq/optee_os.git;protocol=https;nobranch=1"
+SRCREV = "735d98806dc26fbeeecad7f5e60ffeab8170c67e"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build.${PLATFORM_FLAVOR}"
+
+PLATFORM_FLAVOR ?= "${MACHINE}"
+
+OPTEE_ARCH ?= "arm64"
+OPTEE_ARCH:armv7a = "arm32"
+OPTEE_ARCH:aarch64 = "arm64"
+
+OPTEE_CORE_LOG_LEVEL ?= "1"
+OPTEE_TA_LOG_LEVEL ?= "0"
+
+# Optee-os can be built for 32 bits and 64 bits at the same time
+# as long as the compilers are correctly defined.
+# For 64bits, CROSS_COMPILE64 must be set
+# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that
+# any 32 or 64 bits builds will pass
+EXTRA_OEMAKE = " \
+ -C ${S} O=${B} \
+ PLATFORM_FLAVOR=${PLATFORM_FLAVOR} \
+ CROSS_COMPILE=${HOST_PREFIX} \
+ CROSS_COMPILE64=${HOST_PREFIX} \
+ CFG_WERROR=y \
+ CFG_TEE_CORE_LOG_LEVEL=${OPTEE_CORE_LOG_LEVEL} \
+ CFG_TEE_TA_LOG_LEVEL=${OPTEE_TA_LOG_LEVEL} \
+"
+
+do_compile() {
+ unset LDFLAGS
+ export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
+ oe_runmake all
+}
+
+do_install() {
+ install -d ${D}${nonarch_base_libdir}/firmware/
+ install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+
+ # Install the TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+
+ for f in ${B}/export-ta_${OPTEE_ARCH}/*; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+
+ install -d ${D}${nonarch_base_libdir}/optee_armtz
+ find ${B}/export-ta_${OPTEE_ARCH}/ta -name '*.ta' | while read name; do
+ install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
+ done
+}
+
+do_deploy() {
+ install -d ${DEPLOYDIR}/optee
+ install -m 644
${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
+}
+addtask deploy before do_build after do_install
+
+FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/"
+FILES:${PN}-staticdev = "/usr/include/optee/"
+RDEPENDS:${PN}-dev += "${PN}-staticdev"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb
new file mode 100644
index 00000000..69ef73d3
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb
@@ -0,0 +1,13 @@
+require optee-test.nxp.inc
+
+PV:append = "+git${SRCPV}"
+
+DEPENDS += "optee-client-qoriq optee-os-qoriq"
+
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+
+EXTRA_OEMAKE += " \
+ TEEC_EXPORT=${TEEC_EXPORT} \
+"
+
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-test.nxp.inc b/recipes-security/optee-qoriq/optee-test.nxp.inc
new file mode 100644
index 00000000..14a42ac5
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-test.nxp.inc
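Review bot: `EXTRA_OEMAKE` in optee-os.nxp.inc sets the platform flavor, compilers and log levels but no TA signing key, so unless one is supplied elsewhere (a bbappend or local configuration) the `.ta` files that `do_install` copies into `${nonarch_base_libdir}/optee_armtz` are presumably signed with the development key shipped in the optee_os tree. A production image should build with its own key, for example `TA_SIGN_KEY=${OPTEE_TA_SIGN_KEY} \` in `EXTRA_OEMAKE`, where `OPTEE_TA_SIGN_KEY` is a placeholder variable name, plus a comment stating that the default key is for development only. `FILES:${PN}-staticdev` also hard-codes `/usr/include/optee/` while `do_install` uses `${includedir}`; `FILES:${PN}-staticdev = "${includedir}/optee/"` keeps the two in step.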
@@ -0,0 +1,61 @@
+# Copyright 2020-2021 NXP
+
+SUMMARY = "OPTEE test"
+HOMEPAGE = "http://www.optee.org/"
+
+LICENSE = "BSD & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native openssl"
+inherit python3native cmake
+
+SRC_URI = "git://github.com/nxp-qoriq/optee_test.git;protocol=https;nobranch=1"
+SRCREV = "69722dab8c1f2683e30e0ee3b536053367e37aad"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+TA_DEV_KIT_DIR ?= "${STAGING_INCDIR}/optee/export-user_ta"
+OPTEE_CLIENT_EXPORT ?= "${STAGING_DIR_HOST}${prefix}"
+
+EXTRA_OEMAKE = " \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
+ CROSS_COMPILE_HOST=${HOST_PREFIX} \
+ CROSS_COMPILE_TA=${HOST_PREFIX} \
+ OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}/ \
+ -C ${S} O=${B} \
+"
+
+EXTRA_OECMAKE = " \
+ -DOPTEE_TEST_SDK=${TA_DEV_KIT_DIR} \
+"
+
+do_compile() {
+ export CXXFLAGS="${CXXFLAGS} --sysroot=${STAGING_DIR_HOST}"
+ oe_runmake xtest
+ oe_runmake ta
+ oe_runmake test_plugin
+}
+
+do_install() {
+ install -d ${D}${bindir}/
+ install ${B}/xtest/xtest ${D}${bindir}/
+
+ install -d ${D}${nonarch_base_libdir}/optee_armtz
+ find ${B}/ta -name '*.ta' | while read name; do
+ install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
+ done
+
+ install -d ${D}${libdir}/tee-supplicant/plugins/
+ find ${B}/supp_plugin -name '*.plugin' | while read name; do
+ install -m 755 $name ${D}${libdir}/tee-supplicant/plugins/
+ done
+}
+
+FILES:${PN} += "${nonarch_base_libdir} ${libdir}/tee-supplicant/plugins/"
+
+DEBUG_OPTIMIZATION:append = " -Wno-error=maybe-uninitialized -Wno-deprecated-declarations"
+FULL_OPTIMIZATION:append = " -Wno-error=maybe-uninitialized -Wno-deprecated-declarations"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee/optee-client-qoriq.bb b/recipes-security/optee/optee-client-qoriq.bb
deleted file mode 100644
index 4d1caa16..00000000
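Review bot: optee-test.nxp.inc inherits `cmake` and sets `EXTRA_OECMAKE`, yet `do_compile` calls `oe_runmake` with `-C ${S} O=${B}` and `do_install` reads the make output under `${B}`, so the cmake configure step appears to write into the same `${B}` without its result being used. Picking one build system, for instance dropping `cmake` from `inherit` if the Makefile build is the intended one, would avoid two generators sharing one build directory. `FILES:${PN} += "${nonarch_base_libdir}"` also claims the whole directory, whereas `do_install` only populates `${nonarch_base_libdir}/optee_armtz/`.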
--- a/recipes-security/optee/optee-client-qoriq.bb +++ /dev/null @@ -1,29 +0,0 @@ -SUMMARY = "OPTEE Client" -HOMEPAGE = "https://github.com/qoriq-open-source/optee_client" - -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=69663ab153298557a59c67a60a743e5b" - -inherit pythonnative systemd - -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/optee_client;nobranch=1 \ -" -S = "${WORKDIR}/git" - -SRCREV = "08428734c67fb559e420d87fa52fd74a955ea1bd" - -EXTRA_OEMAKE = "ARCH=arm64" - -do_install() { - oe_runmake install - - install -D -p -m0755 ${S}/out/export/bin/tee-supplicant ${D}${bindir}/tee-supplicant - - install -D -p -m0644 ${S}/out/export/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0 - ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so - ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1 - - cp -a ${S}/out/export/include ${D}/usr/ -} - -COMPATIBLE_MACHINE = "(qoriq)" diff --git a/recipes-security/optee/optee-client-qoriq/0001-GCC-8-format-truncation-error.patch b/recipes-security/optee/optee-client-qoriq/0001-GCC-8-format-truncation-error.patch deleted file mode 100644 index f58590c3..00000000 --- a/recipes-security/optee/optee-client-qoriq/0001-GCC-8-format-truncation-error.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 05f741c1e6263bec2977901abe61463b7f8175ad Mon Sep 17 00:00:00 2001 -From: Chunrong Guo <chunrong.guo@nxp.com> -Date: Fri, 22 Jun 2018 11:58:09 +0800 -Subject: [PATCH] GCC 8 format-truncation error - -Signed-off-by: BJ DevOps Team <bjdevops@NXP1.onmicrosoft.com> ---- - libteec/src/teec_trace.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libteec/src/teec_trace.c b/libteec/src/teec_trace.c -index 78b79d6..7901deb 100644 ---- a/libteec/src/teec_trace.c -+++ b/libteec/src/teec_trace.c -@@ -73,7 +73,7 @@ int _dprintf(const char *function, int flen, int line, int level, - const char *prefix, const char *fmt, ...) - { - char raw[MAX_PRINT_SIZE]; -- char prefixed[MAX_PRINT_SIZE]; -+ char prefixed[MAX_PRINT_SIZE + 10]; - char *to_print = NULL; - const char *func; - int err; -@@ -106,7 +106,7 @@ int _dprintf(const char *function, int flen, int line, int level, - */ - int thread_id = syscall(SYS_gettid); /* perf issue ? */ - -- snprintf(prefixed, MAX_PRINT_SIZE, -+ snprintf(prefixed, MAX_PRINT_SIZE + 10, - "%s [%d] %s:%s:%d: %s", - trace_level_strings[level], thread_id, prefix, func, - line, raw); --- -1.8.3.1 - diff --git a/recipes-security/optee/optee-client-qoriq/0001-flags-CFLAGS-add-Wno-cpp.patch b/recipes-security/optee/optee-client-qoriq/0001-flags-CFLAGS-add-Wno-cpp.patch deleted file mode 100644 index 09e4490d..00000000 --- a/recipes-security/optee/optee-client-qoriq/0001-flags-CFLAGS-add-Wno-cpp.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From f2ebda1d85b10fd008c21974a0f7aa4e805d0e5c Mon Sep 17 00:00:00 2001 -From: Chunrong Guo <chunrong.guo@nxp.com> -Date: Tue, 11 Sep 2018 11:40:55 +0800 -Subject: [PATCH] flags: CFLAGS add -Wno-cpp - -*fix build with FORTIFY_SOURCES - -Signed-off-by: BJ DevOps Team <bjdevops@NXP1.onmicrosoft.com> ---- - flags.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/flags.mk b/flags.mk -index 71f3d18..43c18f0 100644 ---- a/flags.mk -+++ b/flags.mk -@@ -14,7 +14,7 @@ CFLAGS := -Wall -Wbad-function-cast -Wcast-align \ - -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs \ - -Wpointer-arith -Wshadow -Wstrict-prototypes \ - -Wswitch-default -Wunsafe-loop-optimizations \ -- -Wwrite-strings -Werror -+ -Wwrite-strings -Werror -Wno-cpp - CFLAGS += -c -fPIC - - DEBUG ?= 0 --- -2.7.4 - diff --git a/recipes-security/optee/optee-os-qoriq/0001-Fix-alignment-of-data-for-mempool_alloc_pool.patch b/recipes-security/optee/optee-os-qoriq/0001-Fix-alignment-of-data-for-mempool_alloc_pool.patch deleted file mode 100644 index e22bd6c0..00000000 --- a/recipes-security/optee/optee-os-qoriq/0001-Fix-alignment-of-data-for-mempool_alloc_pool.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From b2dd8747125be413f9b8b7fd7e52f457cabd709c Mon Sep 17 00:00:00 2001 -From: Jens Wiklander <jens.wiklander@linaro.org> -Date: Tue, 5 Feb 2019 13:05:29 +0100 -Subject: [PATCH] Fix alignment of data for mempool_alloc_pool() - -Upstream-Status: Submitted - -Prior to this patch was _TEE_MathAPI_Init() in -lib/libutee/tee_api_arith_mpi.c supplying a data buffer which was only 4 -byte aligned while mempool_alloc_pool() requires the alignment of long. -This will work in 32-bit mode, but could lead to alignment problem in -64-bit mode. The same problem can happen with -lib/libutee/tee_api_arith_mpa.c, but so far it has remained hidden. - -Incorrect alignment can result in errors like: -E/TA: assertion '!((vaddr_t)data & (POOL_ALIGN - 1))' failed at lib/libutils/ext/mempool.c:134 in mempool_alloc_pool() - -This fix introduces MEMPOOL_ALIGN which specifies required alignment of -data supplied to mempool_alloc_pool(). - -Fixes: 062e3d01c039 ("ta: switch to to mbedtls for bignum") -Reviewed-by: Joakim Bech <joakim.bech@linaro.org> -Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v8) -Acked-by: Jerome Forissier <jerome.forissier@linaro.org> -Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> ---- - core/lib/libtomcrypt/src/mpa_desc.c | 2 +- - core/lib/libtomcrypt/src/mpi_desc.c | 2 +- - lib/libutee/tee_api_arith_mpa.c | 3 ++- - lib/libutee/tee_api_arith_mpi.c | 3 +-- - lib/libutils/ext/include/mempool.h | 5 ++++- - lib/libutils/ext/mempool.c | 9 ++++----- - 6 files changed, 13 insertions(+), 11 deletions(-) - -diff --git a/core/lib/libtomcrypt/src/mpa_desc.c b/core/lib/libtomcrypt/src/mpa_desc.c -index b407f54..58aa242 100644 ---- a/core/lib/libtomcrypt/src/mpa_desc.c -+++ b/core/lib/libtomcrypt/src/mpa_desc.c -@@ -40,7 +40,7 @@ static struct mempool *get_mpa_scratch_memory_pool(void) - #else /* CFG_WITH_PAGER */ - static struct mempool *get_mpa_scratch_memory_pool(void) - { -- static uint32_t data[LTC_MEMPOOL_U32_SIZE] 
__aligned(__alignof__(long)); -+ static uint32_t data[LTC_MEMPOOL_U32_SIZE] __aligned(MEMPOOL_ALIGN); - - return mempool_alloc_pool(data, sizeof(data), NULL); - } -diff --git a/core/lib/libtomcrypt/src/mpi_desc.c b/core/lib/libtomcrypt/src/mpi_desc.c -index a43fbb4..67bc3a7 100644 ---- a/core/lib/libtomcrypt/src/mpi_desc.c -+++ b/core/lib/libtomcrypt/src/mpi_desc.c -@@ -38,7 +38,7 @@ static struct mempool *get_mp_scratch_memory_pool(void) - #else /* CFG_WITH_PAGER */ - static struct mempool *get_mp_scratch_memory_pool(void) - { -- static uint8_t data[MPI_MEMPOOL_SIZE] __aligned(__alignof__(long)); -+ static uint8_t data[MPI_MEMPOOL_SIZE] __aligned(MEMPOOL_ALIGN); - - return mempool_alloc_pool(data, sizeof(data), NULL); - } -diff --git a/lib/libutee/tee_api_arith_mpa.c b/lib/libutee/tee_api_arith_mpa.c -index 0f6c7f1..a8ca6aa 100644 ---- a/lib/libutee/tee_api_arith_mpa.c -+++ b/lib/libutee/tee_api_arith_mpa.c -@@ -19,7 +19,8 @@ - - static uint32_t mempool_u32[mpa_scratch_mem_size_in_U32( - MPA_INTERNAL_MEM_POOL_SIZE, -- CFG_TA_BIGNUM_MAX_BITS)]; -+ CFG_TA_BIGNUM_MAX_BITS)] -+ __aligned(MEMPOOL_ALIGN); - static mpa_scratch_mem mempool; - - /************************************************************* -diff --git a/lib/libutee/tee_api_arith_mpi.c b/lib/libutee/tee_api_arith_mpi.c -index 8e2751b..6b074e1 100644 ---- a/lib/libutee/tee_api_arith_mpi.c -+++ b/lib/libutee/tee_api_arith_mpi.c -@@ -42,8 +42,7 @@ static void __noreturn mpi_panic(const char *func, int line, int rc) - - void _TEE_MathAPI_Init(void) - { -- static uint8_t data[MPI_MEMPOOL_SIZE] -- __aligned(__alignof__(mbedtls_mpi_uint)); -+ static uint8_t data[MPI_MEMPOOL_SIZE] __aligned(MEMPOOL_ALIGN); - - mbedtls_mpi_mempool = mempool_alloc_pool(data, sizeof(data), NULL); - if (!mbedtls_mpi_mempool) -diff --git a/lib/libutils/ext/include/mempool.h b/lib/libutils/ext/include/mempool.h -index 62377df..2a60800 100644 ---- a/lib/libutils/ext/include/mempool.h -+++ b/lib/libutils/ext/include/mempool.h -@@ -19,9 
+19,12 @@ struct mempool_item { - - struct mempool; - -+#define MEMPOOL_ALIGN __alignof__(long) -+ - /* - * mempool_alloc_pool() - Allocate a new memory pool -- * @data: a block of memory to carve out items from -+ * @data: a block of memory to carve out items from, must -+ * have an alignment of MEMPOOL_ALIGN. - * @size: size fo the block of memory - * @release_mem: function to call when the pool has been emptied, - * ignored if NULL. -diff --git a/lib/libutils/ext/mempool.c b/lib/libutils/ext/mempool.c -index f977699..6d38590 100644 ---- a/lib/libutils/ext/mempool.c -+++ b/lib/libutils/ext/mempool.c -@@ -53,7 +53,6 @@ - * So the potential fragmentation is mitigated. - */ - --#define POOL_ALIGN __alignof__(long) - - struct mempool { - size_t size; /* size of the memory pool, in bytes */ -@@ -130,8 +129,8 @@ mempool_alloc_pool(void *data, size_t size, - { - struct mempool *pool = calloc(1, sizeof(*pool)); - -- COMPILE_TIME_ASSERT(POOL_ALIGN >= __alignof__(struct mempool_item)); -- assert(!((vaddr_t)data & (POOL_ALIGN - 1))); -+ COMPILE_TIME_ASSERT(MEMPOOL_ALIGN >= __alignof__(struct mempool_item)); -+ assert(!((vaddr_t)data & (MEMPOOL_ALIGN - 1))); - - if (pool) { - pool->size = size; -@@ -163,13 +162,13 @@ void *mempool_alloc(struct mempool *pool, size_t size) - pool->last_offset); - offset = pool->last_offset + last_item->size; - -- offset = ROUNDUP(offset, POOL_ALIGN); -+ offset = ROUNDUP(offset, MEMPOOL_ALIGN); - if (offset > pool->size) - goto error; - } - - size = sizeof(struct mempool_item) + size; -- size = ROUNDUP(size, POOL_ALIGN); -+ size = ROUNDUP(size, MEMPOOL_ALIGN); - if (offset + size > pool->size) - goto error; - --- -2.7.4 - diff --git a/recipes-security/optee/optee-os-qoriq/0001-allow-setting-sysroot-for-libgcc-lookup.patch b/recipes-security/optee/optee-os-qoriq/0001-allow-setting-sysroot-for-libgcc-lookup.patch deleted file mode 100644 index 17127d0b..00000000 
--- a/recipes-security/optee/optee-os-qoriq/0001-allow-setting-sysroot-for-libgcc-lookup.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/mk/gcc.mk b/mk/gcc.mk
-index fc38c4d..77b8d74 100644
---- a/mk/gcc.mk
-+++ b/mk/gcc.mk
-@@ -12,7 +12,7 @@ nostdinc$(sm) := -nostdinc -isystem $(shell $(CC$(sm)) \
- -print-file-name=include 2> /dev/null)
-
- # Get location of libgcc from gcc
--libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) $(comp-cflags$(sm)) \
-+libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) $(comp-cflags$(sm)) \
- -print-libgcc-file-name 2> /dev/null)
-
- # Define these to something to discover accidental use
diff --git a/recipes-security/optee/optee-os-qoriq_git.bb b/recipes-security/optee/optee-os-qoriq_git.bb
deleted file mode 100644
index fbde2616..00000000
--- a/recipes-security/optee/optee-os-qoriq_git.bb
+++ /dev/null
@@ -1,78 +0,0 @@ -SUMMARY = "OP-TEE Trusted OS" -DESCRIPTION = "OPTEE OS" - -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=69663ab153298557a59c67a60a743e5b" - -DEPENDS = "python-pycrypto-native" - -inherit deploy pythonnative - -SRCREV = "4e8d2e5307b99a91a0cac3ea3560ecb7d62898d6" -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/optee_os;nobranch=1 \ - file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \ - file://0001-Fix-alignment-of-data-for-mempool_alloc_pool.patch \ - " -S = "${WORKDIR}/git" - -OPTEEMACHINE ?= "${MACHINE}" -OPTEEMACHINE_ls1088ardb-pb = "ls1088ardb" -OPTEEMACHINE_ls1046afrwy = "ls1046ardb" - -EXTRA_OEMAKE = "PLATFORM=ls-${OPTEEMACHINE} CFG_ARM64_core=y \ - ARCH=arm \ - CROSS_COMPILE_core=${HOST_PREFIX} \ - CROSS_COMPILE_ta_arm64=${HOST_PREFIX} \ - NOWERROR=1 \ - LDFLAGS= \ - LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \ - " - -OPTEE_ARCH_armv7a = "arm32" -OPTEE_ARCH_aarch64 = "arm64" - -do_compile() { - unset LDFLAGS - oe_runmake all CFG_TEE_TA_LOG_LEVEL=0 - ${OBJCOPY} -v -O binary ${B}/out/arm-plat-ls/core/tee.elf ${B}/out/arm-plat-ls/core/tee.bin - - if [ ${MACHINE} = ls1012afrwy ]; then - mv ${B}/out/arm-plat-ls/core/tee.bin ${B}/out/arm-plat-ls/core/tee_512mb.bin - oe_runmake CFG_DRAM0_SIZE=0x40000000 all CFG_TEE_TA_LOG_LEVEL=0 - ${OBJCOPY} -v -O binary ${B}/out/arm-plat-ls/core/tee.elf ${B}/out/arm-plat-ls/core/tee.bin - fi -} - -do_install() { - #install core on boot directory - install -d ${D}/lib/firmware/ - if [ ${MACHINE} = ls1012afrwy ]; then - install -m 644 ${B}/out/arm-plat-ls/core/tee_512mb.bin ${D}/lib/firmware/tee_${MACHINE}_512mb.bin - fi - install -m 644 ${B}/out/arm-plat-ls/core/tee.bin ${D}/lib/firmware/tee_${MACHINE}.bin - #install TA devkit - install -d ${D}/usr/include/optee/export-user_ta/ - - for f in ${B}/out/arm-plat-ls/export-ta_${OPTEE_ARCH}/* ; do - cp -aR $f ${D}/usr/include/optee/export-user_ta/ - done -} - -PACKAGE_ARCH = "${MACHINE_ARCH}" - -do_deploy() { - 
install -d ${DEPLOYDIR}/optee - for f in ${D}/lib/firmware/*; do - cp $f ${DEPLOYDIR}/optee/ - done -} - -addtask deploy before do_build after do_install - -FILES_${PN} = "/lib/firmware/" -FILES_${PN}-dev = "/usr/include/optee" - -INSANE_SKIP_${PN}-dev = "staticdev" - -INHIBIT_PACKAGE_STRIP = "1" -COMPATIBLE_MACHINE = "(qoriq-arm64)" diff --git a/recipes-security/optee/optee-test-qoriq/0001-fix-build-failure-with-GCC-9.patch b/recipes-security/optee/optee-test-qoriq/0001-fix-build-failure-with-GCC-9.patch deleted file mode 100644 index 9b912777..00000000 --- a/recipes-security/optee/optee-test-qoriq/0001-fix-build-failure-with-GCC-9.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 79330c8383e02e91a355964a3cc7b932d03c2517 Mon Sep 17 00:00:00 2001 -From: Chunrong Guo <chunrong.guo@nxp.com> -Date: Wed, 10 Jul 2019 11:09:01 +0200 -Subject: [PATCH] fix build failure with GCC 9 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: C.r. Guo <nxa13725@lsv07004.swis.us-cdc01.nxp.com> ---- - host/xtest/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/host/xtest/Makefile b/host/xtest/Makefile -index e4e2881..e86e056 100644 ---- a/host/xtest/Makefile -+++ b/host/xtest/Makefile -@@ -152,7 +152,7 @@ CFLAGS += -Wall -Wcast-align -Werror \ - -Wmissing-include-dirs -Wmissing-noreturn \ - -Wmissing-prototypes -Wnested-externs -Wpointer-arith \ - -Wshadow -Wstrict-prototypes -Wswitch-default \ -- -Wwrite-strings \ -+ -Wwrite-strings -Wno-format-overflow \ - -Wno-missing-field-initializers -Wno-format-zero-length - endif - --- -2.7.4 - diff --git a/recipes-security/optee/optee-test-qoriq_git.bb b/recipes-security/optee/optee-test-qoriq_git.bb deleted file mode 100644 index 1c6ca22e..00000000 --- a/recipes-security/optee/optee-test-qoriq_git.bb +++ /dev/null 
@@ -1,49 +0,0 @@
-SUMMARY = "OP-TEE sanity testsuite"
-HOMEPAGE = "https://github.com/qoriq-open-source/optee_test"
-
-LICENSE = "BSD & GPLv2"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
-
-DEPENDS = "optee-client-qoriq optee-os-qoriq python-pycrypto-native"
-
-inherit pythonnative
-
-SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/optee_test;nobranch=1 \
- file://0001-fix-build-failure-with-GCC-9.patch \
-"
-S = "${WORKDIR}/git"
-
-SRCREV = "669058459e4a544be12f37dab103ee4c2b32e31d"
-
-OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
-TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
-TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
-
-EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
- OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
- CFG_ARM64=y \
- CROSS_COMPILE_HOST=${TARGET_PREFIX} \
- CROSS_COMPILE_TA=${TARGET_PREFIX} \
- V=1 \
- "
-
-do_compile() {
- # Top level makefile doesn't seem to handle parallel make gracefully
- oe_runmake xtest
- oe_runmake ta
-}
-
-do_install () {
- install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
-
- # install path should match the value set in optee-client/tee-supplicant
- # default TEEC_LOAD_PATH is /lib
- mkdir -p ${D}/lib/optee_armtz/
- install -D -p -m0444 ${S}/out/ta/*/*.ta ${D}/lib/optee_armtz/
-}
-
-FILES_${PN} += "/lib/optee_armtz/"
-
-# Imports machine specific configs from staging to build
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/smw/keyctl-caam_git.bb b/recipes-security/smw/keyctl-caam_git.bb
new file mode 100644
index 00000000..25a5f656
--- /dev/null
+++ b/recipes-security/smw/keyctl-caam_git.bb
@@ -0,0 +1,23 @@
+# Copyright 2020-2022 NXP
+
+SUMMARY = "NXP i.MX CAAM Keyctl"
+DESCRIPTION = "NXP i.MX keyctl tool to manage CAAM Keys"
+SECTION = "base"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8636bd68fc00cc6a3809b7b58b45f982"
+
+SRCBRANCH = "master"
+SRC_URI = "git://github.com/nxp-imx/keyctl_caam.git;protocol=https;branch=${SRCBRANCH}"
+
+SRCREV = "81dc06cdb9c4d0d4ba10459d85af9a8603774948"
+
+S = "${WORKDIR}/git"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_install () {
+ oe_runmake DESTDIR=${D} install
+}
+
+COMPATIBLE_MACHINE = "(imx-generic-bsp)"
+
diff --git a/recipes-security/smw/smw_git.bb b/recipes-security/smw/smw_git.bb
new file mode 100644
index 00000000..3f77ad06
--- /dev/null
+++ b/recipes-security/smw/smw_git.bb
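Review bot: `TARGET_CC_ARCH += "${LDFLAGS}"` has no comment, and it is the one line in this new recipe whose purpose is not evident from the recipe itself. It presumably exists because the upstream Makefile links through the compiler without honouring `LDFLAGS`, so the distribution's link flags, including any hardening flags set there, would otherwise be dropped; that is an inference, since the Makefile is not part of this change. Once confirmed, I would add `# Makefile ignores LDFLAGS; pass them via CC so the distro link flags are applied` above the assignment. The fetch is pinned by `SRCREV`, which is the part that matters for reproducibility given `SRCBRANCH = "master"`.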
@@ -0,0 +1,64 @@
+# Copyright 2020-23 NXP
+
+SUMMARY = "NXP i.MX Security Middleware Library"
+DESCRIPTION = "NXP i.MX Security Middleware Library"
+SECTION = "base"
+LICENSE = "BSD-3-Clause"
+LICENSE = "Apache-2.0 & BSD-3-Clause & Zlib"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8636bd68fc00cc6a3809b7b58b45f982 \
+ file://../psa-arch-tests/LICENSE.md;md5=2a944942e1496af1886903d274dedb13"
+
+DEPENDS = "json-c optee-os optee-client python3-cryptography-native"
+DEPENDS:append:mx8qxp-nxp-bsp = " imx-seco-libs"
+DEPENDS:append:mx8dx-nxp-bsp = " imx-seco-libs"
+DEPENDS:append:mx8ulp-nxp-bsp = " imx-secure-enclave"
+
+SRC_URI = "git://github.com/nxp-imx/imx-smw.git;protocol=https;branch=release/version_2.x;name=smw;destsuffix=git/smw \
+ git://github.com/ARM-software/psa-arch-tests.git;protocol=https;branch=main;name=psa;destsuffix=git/psa-arch-tests \
+ "
+SRCREV_smw = "f0570b3e8cb5f68d54edc4f9dd7cb984f6f604ed"
+SRCREV_psa = "463cb95ada820bc6f758d50066cf8c0ed5cc3a02"
+SRCREV_FORMAT = "smw_psa"
+S = "${WORKDIR}/git/smw"
+
+inherit cmake python3native
+
+CFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+# setting the linker options
+TARGET_LDFLAGS:remove = "${DEBUG_PREFIX_MAP}"
+
+OPTEE_OS_TA_EXPORT_DIR:aarch64 = "${STAGING_INCDIR}/optee/export-user_ta_arm64"
+OPTEE_OS_TA_EXPORT_DIR:arm = "${STAGING_INCDIR}/optee/export-user_ta_arm32"
+
+# Needs to sign OPTEE TAs
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+EXTRA_OECMAKE = " \
+ -DTA_DEV_KIT_ROOT=${OPTEE_OS_TA_EXPORT_DIR} \
+ -DTEEC_ROOT=${STAGING_DIR_HOST} \
+ -DJSONC_ROOT="${COMPONENTS_DIR}/${TARGET_ARCH}/json-c/usr" \
+ -DPSA_ARCH_TESTS_SRC_PATH=../${PSA_ARCH_TESTS_SRC_PATH} \
+"
+EXTRA_OECMAKE:append:mx8qxp-nxp-bsp = "-DSECO_ROOT=${STAGING_DIR_HOST}"
+EXTRA_OECMAKE:append:mx8dx-nxp-bsp = "-DSECO_ROOT=${STAGING_DIR_HOST}"
+EXTRA_OECMAKE:append:mx8ulp-nxp-bsp = "-DELE_ROOT=${STAGING_DIR_HOST}"
+EXTRA_OECMAKE_IMX:mx93-nxp-bsp = "-DELE_ROOT=${STAGING_DIR_HOST}"
+
+OECMAKE_TARGET_COMPILE += "build_tests"
+OECMAKE_TARGET_INSTALL += "install_tests"
+
+INSANE_SKIP_${PN}-tests = "textrel"
+
+PACKAGES =+ "${PN}-tests"
+
+FILES:${PN} += "${base_libdir}/optee_armtz/*"
+
+FILES:${PN}-tests = "${bindir}/* ${datadir}/${BPN}/*"
+
+RDEPENDS:${PN}-tests += "bash cmake"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)" |
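Review bot: `INSANE_SKIP_${PN}-tests = "textrel"` uses the old underscore override form while every other package-scoped variable in this recipe uses the colon form (`FILES:${PN}-tests`, `RDEPENDS:${PN}-tests`), so on a BitBake that expects colon overrides the skip is likely never applied to the `-tests` package; it should read `INSANE_SKIP:${PN}-tests = "textrel"`. Because `textrel` is the QA check for text relocations, a one-line comment naming which test binaries need the exemption would let a later reader decide whether it can be dropped. Two more assignments look ineffective from what is visible here: `LICENSE = "BSD-3-Clause"` is overwritten by the `LICENSE` line directly below it and can be deleted, and `EXTRA_OECMAKE_IMX:mx93-nxp-bsp` is set but `EXTRA_OECMAKE_IMX` is not referenced anywhere in the recipe, so `-DELE_ROOT` does not appear to reach CMake on mx93 (`EXTRA_OECMAKE:append:mx93-nxp-bsp = " -DELE_ROOT=${STAGING_DIR_HOST}"` would mirror the mx8ulp line). `${PSA_ARCH_TESTS_SRC_PATH}` is also used inside `EXTRA_OECMAKE` without being defined in this file, so unless an include or configuration file sets it the reference is passed to CMake unexpanded.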