Diffstat (limited to 'meta-ti-bsp/recipes-security')
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-%.bbappend1
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc2
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend4
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-examples-ti-version.inc2
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-examples_%.bbappend4
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-os-4.0.0/0002ti-core-Define-section-attributes-for-clang.patch249
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-os-tadevkit-ti-overrides.inc1
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-os-tadevkit_%.bbappend9
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc78
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-os-ti-version.inc7
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-os_%.bbappend9
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-test-ti-version.inc6
-rw-r--r--meta-ti-bsp/recipes-security/optee/optee-test_%.bbappend4
13 files changed, 376 insertions, 0 deletions
diff --git a/meta-ti-bsp/recipes-security/optee/optee-%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-%.bbappend
new file mode 100644
index 00000000..bc590bfd
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-%.bbappend
@@ -0,0 +1 @@
+COMPATIBLE_MACHINE:ti-soc = "ti-soc"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc
new file mode 100644
index 00000000..16fbd6c5
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc
@@ -0,0 +1,2 @@
+PV = "4.1.0+git"
+SRCREV = "f7e4ced15d1fefd073bbfc484fe0e1f74afe96c2"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
new file mode 100644
index 00000000..f193e78b
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
@@ -0,0 +1,4 @@
+OPTEE_TI_VERSION = ""
+OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
+
+require ${OPTEE_TI_VERSION}
diff --git a/meta-ti-bsp/recipes-security/optee/optee-examples-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-examples-ti-version.inc
new file mode 100644
index 00000000..23cd7580
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-examples-ti-version.inc
@@ -0,0 +1,2 @@
+PV = "4.0.0+git"
+SRCREV = "378dc0db2d5dd279f58a3b6cb3f78ffd6b165035"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-examples_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-examples_%.bbappend
new file mode 100644
index 00000000..f193e78b
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-examples_%.bbappend
@@ -0,0 +1,4 @@
+OPTEE_TI_VERSION = ""
+OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
+
+require ${OPTEE_TI_VERSION}
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-4.0.0/0002ti-core-Define-section-attributes-for-clang.patch b/meta-ti-bsp/recipes-security/optee/optee-os-4.0.0/0002ti-core-Define-section-attributes-for-clang.patch
new file mode 100644
index 00000000..06a8ff60
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-4.0.0/0002ti-core-Define-section-attributes-for-clang.patch
@@ -0,0 +1,249 @@
+
+This is a fixup of the patch in meta-arm. The file:
+ core/arch/arm/mm/pgt_cache.c
+was moved to:
+ core/mm/pgt_cache.c
+
+Ryan Eatmon <reatmon@ti.com>
+
+
+From 6f588813a170a671ebf1d6b51cebc7bc761295dc Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 21 Dec 2022 10:55:58 +0000
+Subject: [PATCH] core: Define section attributes for clang
+
+Clang's attribute section is not same as gcc, here we need to add flags
+to sections so they can be eventually collected by linker into final
+output segments. Only way to do so with clang is to use
+
+pragma clang section ...
+
+The behavious is described here [1], this allows us to define names bss
+sections. This was not an issue until clang-15 where LLD linker starts
+to detect the section flags before merging them and throws the following
+errors
+
+| ld.lld: error: section type mismatch for .nozi.kdata_page
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+|
+| ld.lld: error: section type mismatch for .nozi.mmu.l2
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+
+These sections should be carrying SHT_NOBITS but so far it was not
+possible to do so, this patch tries to use clangs pragma to get this
+going and match the functionality with gcc.
+
+[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ core/arch/arm/kernel/thread.c | 19 +++++++++++++++--
+ core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_v7.c | 36 +++++++++++++++++++++++++++++---
+ core/arch/arm/mm/pgt_cache.c | 12 ++++++++++-
+ core/kernel/thread.c | 13 +++++++++++-
+ 5 files changed, 104 insertions(+), 11 deletions(-)
+
+diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
+index 4487ef026df9..f3624389611b 100644
+--- a/core/arch/arm/kernel/thread.c
++++ b/core/arch/arm/kernel/thread.c
+@@ -44,15 +44,30 @@ static size_t thread_user_kcode_size __nex_bss;
+ #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
+ defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
+ long thread_user_kdata_sp_offset __nex_bss;
++#ifdef __clang__
++#ifndef CFG_VIRTUALIZATION
++#pragma clang section bss=".nozi.kdata_page"
++#else
++#pragma clang section bss=".nex_nozi.kdata_page"
++#endif
++#endif
+ static uint8_t thread_user_kdata_page[
+ ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
+ SMALL_PAGE_SIZE)]
+ __aligned(SMALL_PAGE_SIZE)
++#ifndef __clang__
+ #ifndef CFG_NS_VIRTUALIZATION
+- __section(".nozi.kdata_page");
++ __section(".nozi.kdata_page")
+ #else
+- __section(".nex_nozi.kdata_page");
++ __section(".nex_nozi.kdata_page")
+ #endif
++#endif
++ ;
++#endif
++
++/* reset BSS section to default ( .bss ) */
++#ifdef __clang__
++#pragma clang section bss=""
+ #endif
+
+ #ifdef ARM32
+diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
+index 7e79f780ad28..ec4db9dc98c5 100644
+--- a/core/arch/arm/mm/core_mmu_lpae.c
++++ b/core/arch/arm/mm/core_mmu_lpae.c
+@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
+ typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
+ typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.base_table"
++#endif
+ static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
+ __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
+- __section(".nozi.mmu.base_table");
++#ifndef __clang__
++ __section(".nozi.mmu.base_table")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
+- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
++ __aligned(XLAT_TABLE_SIZE)
++#ifndef __clang__
++ __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ #define XLAT_TABLES_SIZE (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ /* MMU L2 table for TAs, one for each thread */
+ static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
+- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
+-
++#ifndef __clang__
++ __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ /*
+ * TAs page table entry inside a level 1 page table.
+ *
+diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
+index 61e703da89c8..1960c08ca688 100644
+--- a/core/arch/arm/mm/core_mmu_v7.c
++++ b/core/arch/arm/mm/core_mmu_v7.c
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
+ typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
+ typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l1"
++#endif
+ static l1_xlat_tbl_t main_mmu_l1_ttb
+- __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
++ __aligned(L1_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.l1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ /* L2 MMU tables */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
+- __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
++ __aligned(L2_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ /* MMU L1 table for TAs, one for each thread */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.ul1"
++#endif
+ static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
+- __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
++ __aligned(UL1_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.ul1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ struct mmu_partition {
+ l1_xlat_tbl_t *l1_table;
+diff --git a/core/mm/pgt_cache.c b/core/mm/pgt_cache.c
+index 79553c6d2183..b9efdf42780b 100644
+--- a/core/mm/pgt_cache.c
++++ b/core/mm/pgt_cache.c
+@@ -410,8 +410,18 @@ void pgt_init(void)
+ * has a large alignment, while .bss has a small alignment. The current
+ * link script is optimized for small alignment in .bss
+ */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+- __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++ __aligned(PGT_SIZE)
++#ifndef __clang__
++ __section(".nozi.pgt_cache")
++#endif
++ ;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ size_t n;
+
+ for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+diff --git a/core/kernel/thread.c b/core/kernel/thread.c
+index 2a1f22dce635..5516b677141a 100644
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -39,13 +39,24 @@ static uint32_t end_canary_value = 0xababab00;
+ name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++ STACK_ALIGNMENT) / sizeof(uint32_t)] \
++ __attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+ STACK_ALIGNMENT) / sizeof(uint32_t)] \
+ __attribute__((section(".nozi_stack." # name), \
+ aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
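Review bot: In the core_mmu_lpae.c part of the embedded patch, the `xlat_tables_ul1` declaration places `__aligned(XLAT_TABLE_SIZE)` inside the `#ifndef __clang__` guard together with `__section(".nozi.mmu.l2")`, so a clang build loses the alignment attribute on the per-thread translation tables; the `base_xlation_table` and `xlat_tables` declarations above it keep `__aligned(...)` outside the guard, and this one should too. In core/arch/arm/kernel/thread.c the clang pragma branch tests `#ifndef CFG_VIRTUALIZATION` while the gcc branch tests `#ifndef CFG_NS_VIRTUALIZATION`, so under clang with NS virtualization enabled the kdata page would likely land in `.nozi.kdata_page` instead of `.nex_nozi.kdata_page`; both branches should test `CFG_NS_VIRTUALIZATION`. In core/mm/pgt_cache.c the clang pragma names `.nozi.mmu.l2` where the gcc attribute uses `.nozi.pgt_cache`, which looks like a copy-paste slip; `#pragma clang section bss=".nozi.pgt_cache"` would keep the two compilers' layouts identical. Since this fixup carries `Upstream-Status: Pending` and touches secure-world page-table and stack placement, it would help to compare the section headers of a clang-built and a gcc-built `tee.elf` before relying on it.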
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-tadevkit-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-tadevkit-ti-overrides.inc
new file mode 100644
index 00000000..df46e243
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-tadevkit-ti-overrides.inc
@@ -0,0 +1 @@
+EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-tadevkit_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os-tadevkit_%.bbappend
new file mode 100644
index 00000000..980f7a4b
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-tadevkit_%.bbappend
@@ -0,0 +1,9 @@
+OPTEE_TI_VERSION = ""
+OPTEE_TI_VERSION:ti-soc = "optee-os-ti-version.inc"
+
+require ${OPTEE_TI_VERSION}
+
+OPTEE_TI_OVERRIDES = ""
+OPTEE_TI_OVERRIDES:ti-soc = "${BPN}-ti-overrides.inc"
+
+require ${OPTEE_TI_OVERRIDES}
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
new file mode 100644
index 00000000..0ea30907
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
@@ -0,0 +1,78 @@
+# Use TI SECDEV for signing
+inherit ti-secdev
+
+EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
+
+EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
+
+EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1"
+EXTRA_OEMAKE:append:am62pxx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
+EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1"
+EXTRA_OEMAKE:append:j722s = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
+
+do_compile:append:k3() {
+ cp ${B}/core/tee-pager_v2.bin ${B}/bl32.bin
+ cp ${B}/core/tee.elf ${B}/bl32.elf
+}
+
+# Signing procedure for legacy HS devices
+optee_sign_legacyhs() {
+ ( cd ${B}/core/; \
+ ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee.bin tee.bin.signed; \
+ normfl=`echo ${OPTEEFLAVOR} | tr "_" "-"`
+ mv tee.bin.signed ${B}/$normfl.optee; \
+ )
+
+ if [ "${OPTEEPAGER}" = "y" ]; then
+ oe_runmake -C ${S} clean
+ oe_runmake -C ${S} all CFG_TEE_TA_LOG_LEVEL=0 CFG_WITH_PAGER=y
+ ( cd ${B}/core/; \
+ ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee.bin tee.bin.signed; \
+ normfl=`echo ${OPTEEFLAVOR} | tr "_" "-"`
+ mv tee.bin.signed ${B}/$normfl-pager.optee; \
+ )
+ fi
+}
+
+do_compile:append:ti43x() {
+ optee_sign_legacyhs
+}
+
+do_compile:append:dra7xx() {
+ optee_sign_legacyhs
+}
+
+do_install:append() {
+ install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true
+ install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true
+ install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true
+
+ # Install embedded TAs
+ mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
+ install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+}
+
+optee_deploy_legacyhs() {
+ cd ${DEPLOYDIR}/
+ for f in optee/*.optee; do
+ ln -sf $f ${DEPLOYDIR}/
+ done
+}
+
+do_deploy:append:ti43x() {
+ optee_deploy_legacyhs
+}
+
+do_deploy:append:dra7xx() {
+ optee_deploy_legacyhs
+}
+
+do_deploy:append:k3() {
+ ln -sf optee/bl32.bin ${DEPLOYDIR}/
+ ln -sf optee/bl32.elf ${DEPLOYDIR}/
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/"
+
+# This is needed for bl32.elf
+INSANE_SKIP:${PN}:append:k3 = " textrel"
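Review bot: The `EXTRA_OEMAKE:append:am62pxx` and `EXTRA_OEMAKE:append:j722s` lines set `CFG_WITH_SOFTWARE_PRNG=y` without any comment, so on those two SoCs OP-TEE's random numbers come from its software PRNG rather than a hardware RNG driver, and nothing in the file records why. A comment above them along the lines of `# am62pxx/j722s: software PRNG because <reason>; revisit once the HW RNG is usable from OP-TEE` would make that trade-off auditable. Separately, the three `install ... || true` lines in `do_install:append` let the task succeed when `bl32.bin`, `bl32.elf` or the signed `*.optee` files are absent, so a skipped or broken signing/copy step would presumably only show up at boot. Moving the `bl32.*` installs into a `do_install:append:k3()` and the `*.optee` install into the ti43x/dra7xx appends, each without `|| true`, would keep that failure at build time.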
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-version.inc
new file mode 100644
index 00000000..9db67567
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-version.inc
@@ -0,0 +1,7 @@
+PV = "4.1.0+git"
+SRCREV = "012cdca49db398693903e05c42a254a3a0c0d8f2"
+
+# Fixes for pointing to 4.0.0 before upstream meta-arm
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-4.0.0:"
+SRC_URI:remove = "file://0002-core-Define-section-attributes-for-clang.patch"
+SRC_URI:append = " file://0002ti-core-Define-section-attributes-for-clang.patch"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_%.bbappend
new file mode 100644
index 00000000..0cee127f
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os_%.bbappend
@@ -0,0 +1,9 @@
+OPTEE_TI_VERSION = ""
+OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
+
+require ${OPTEE_TI_VERSION}
+
+OPTEE_TI_OVERRIDES = ""
+OPTEE_TI_OVERRIDES:ti-soc = "${BPN}-ti-overrides.inc"
+
+require ${OPTEE_TI_OVERRIDES}
diff --git a/meta-ti-bsp/recipes-security/optee/optee-test-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-test-ti-version.inc
new file mode 100644
index 00000000..16b2dfc3
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-test-ti-version.inc
@@ -0,0 +1,6 @@
+PV = "4.1.0+git"
+SRCREV = "2e1e7a9c9d659585566a75fc8802f4758c42bcb2"
+
+# Fixes for pointing to 4.0.0 before upstream meta-arm
+SRC_URI:remove = "file://0001-xtest-regression_1000-remove-unneeded-stat.h-include.patch"
+
diff --git a/meta-ti-bsp/recipes-security/optee/optee-test_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-test_%.bbappend
new file mode 100644
index 00000000..f193e78b
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-test_%.bbappend
@@ -0,0 +1,4 @@
+OPTEE_TI_VERSION = ""
+OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
+
+require ${OPTEE_TI_VERSION}