Diffstat (limited to 'meta-arm/recipes-security/trusted-services')
33 files changed, 718 insertions, 0 deletions
diff --git a/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch b/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
new file mode 100644
index 00000000..bcffa4b8
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
@@ -0,0 +1,100 @@
+From 9fbeb9dd8c4f2c842248541b73e4cff9c6f8d26e Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <gyorgy.szing@arm.com>
+Date: Wed, 27 Mar 2024 21:53:51 +0000
+Subject: [PATCH 1/1] Allow configuring flash image files compile time
+
+Allow configuring image file PATH name for file and semihosted
+block_store using CMake build options.
+
+Upstream-Status: Pending
+
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+---
+ .../block_storage/factory/file/block_store_factory.c | 6 +++++-
+ .../service/block_storage/factory/file/component.cmake | 6 +++++-
+ .../block_storage/factory/semihosting/block_store_factory.c | 6 +++++-
+ .../block_storage/factory/semihosting/component.cmake | 6 +++++-
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/block_storage/factory/file/block_store_factory.c b/components/service/block_storage/factory/file/block_store_factory.c
+index c6915107b..ef05ee791 100644
+--- a/components/service/block_storage/factory/file/block_store_factory.c
++++ b/components/service/block_storage/factory/file/block_store_factory.c
+@@ -25,6 +25,10 @@
+ #define FILE_BLOCK_SIZE (512)
+ #endif
+
++#ifndef FILE_BLK_FILE_NAME
++#define FILE_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ static char disk_img_filename[256];
+
+ struct block_store_assembly {
+@@ -60,7 +64,7 @@ struct block_store *file_block_store_factory_create(void)
+
+ /* Ensure disk image filename is set */
+ if (disk_img_filename[0] == '\0')
+- file_block_store_factory_set_filename("secure-flash.img");
++ file_block_store_factory_set_filename(FILE_BLK_FILE_NAME);
+
+ /* Initialise a file_block_store to provide underlying storage */
+ struct block_store *secure_flash = file_block_store_init(
+diff --git a/components/service/block_storage/factory/file/component.cmake b/components/service/block_storage/factory/file/component.cmake
+index 644f03972..fa15d1399 100644
+--- a/components/service/block_storage/factory/file/component.cmake
++++ b/components/service/block_storage/factory/file/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "file_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(FILE_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS FILE_BLK_FILE_NAME="${FILE_BLK_FILE_NAME}")
++message(status "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")
+diff --git a/components/service/block_storage/factory/semihosting/block_store_factory.c b/components/service/block_storage/factory/semihosting/block_store_factory.c
+index 8e58e3638..09bdb74eb 100644
+--- a/components/service/block_storage/factory/semihosting/block_store_factory.c
++++ b/components/service/block_storage/factory/semihosting/block_store_factory.c
+@@ -21,6 +21,10 @@
+ /* Most common block size for UEFI volumes */
+ #define SEMIHOSTING_BLOCK_SIZE (512)
+
++#ifndef SEMIHOSTING_BLK_FILE_NAME
++#define SEMIHOSTING_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ struct block_store_assembly
+ {
+ struct semihosting_block_store semihosting_block_store;
+@@ -55,7 +59,7 @@ struct block_store *semihosting_block_store_factory_create(void)
+ /* Initialise a semihosting_block_store to provide underlying storage */
+ struct block_store *secure_flash = semihosting_block_store_init(
+ &assembly->semihosting_block_store,
+- "secure-flash.img",
++ SEMIHOSTING_BLK_FILE_NAME,
+ SEMIHOSTING_BLOCK_SIZE);
+
+ if (secure_flash) {
+diff --git a/components/service/block_storage/factory/semihosting/component.cmake b/components/service/block_storage/factory/semihosting/component.cmake
+index 97affaf49..98d6dcdcb 100644
+--- a/components/service/block_storage/factory/semihosting/component.cmake
++++ b/components/service/block_storage/factory/semihosting/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "semihosting_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(SEMIHOSTING_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS SEMIHOSTING_BLK_FILE_NAME="${SEMIHOSTING_BLK_FILE_NAME}")
++message(status "Block storage semihosting image file PATH is ${SEMIHOSTING_BLK_FILE_NAME}")
+\ No newline at end of file
+--
+2.34.1
+
diff --git a/meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch b/meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch
new file mode 100644
index 00000000..516aa55f
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch
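Review bot: `message(status "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")` in the file component.cmake hunk passes a lowercase mode word, which CMake does not recognise as a mode, so `status` is printed as the first word of a NOTICE-level message; it should read `message(STATUS "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")`, and the semihosting component.cmake hunk has the same defect. Declaring the entry as `CACHE PATH` also has a side effect worth documenting: a relative value supplied with a plain `-DFILE_BLK_FILE_NAME=...` is turned into an absolute path against the build directory when the cache entry is initialised, which is presumably why ts-sp-fwu_git.bb later in this series has to pass `-DSEMIHOSTING_BLK_FILE_NAME:STRING=...`; `CACHE STRING` would make the intended relative-path semantics explicit. The value is also spliced into a C string literal via `COMPILE_DEFINITIONS FILE_BLK_FILE_NAME="${FILE_BLK_FILE_NAME}"`, so a path containing `"` or `\` yields an invalid definition; the cache docstring should say the value must be a plain path. How the compiled-in name is bounded by `disk_img_filename[256]` depends on `file_block_store_factory_set_filename`, which is outside this hunk.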
@@ -0,0 +1,32 @@
+From 3f9b148fe3cad9f1bc6eb08ff8807c54dec5b8d9 Mon Sep 17 00:00:00 2001
+From: Anton Antonov <Anton.Antonov@arm.com>
+Date: Tue, 11 Oct 2022 16:17:15 +0100
+Subject: [PATCH] Pass Yocto build settings to psa-arch-tests native build
+
+PSA-arch-tests need to build a native executable as a part of target build.
+The patch defines correct toolchain settings for native builds.
+
+Upstream-Status: Inappropriate [Yocto build specific change]
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+---
+ api-tests/tools/scripts/target_cfg/CMakeLists.txt | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/api-tests/tools/scripts/target_cfg/CMakeLists.txt b/api-tests/tools/scripts/target_cfg/CMakeLists.txt
+index 259eb9c..fec1fb8 100644
+--- a/api-tests/tools/scripts/target_cfg/CMakeLists.txt
++++ b/api-tests/tools/scripts/target_cfg/CMakeLists.txt
+@@ -26,7 +26,9 @@ include("common/CMakeSettings")
+ include("common/Utils")
+
+ # Causes toolchain to be re-evaluated
+-unset(ENV{CC})
++set(ENV{CC} $ENV{BUILD_CC})
++set(ENV{CFLAGS} $ENV{BUILD_CFLAGS})
++set(ENV{LDFLAGS} $ENV{BUILD_LDFLAGS})
+
+ # Let the CMake look for C compiler
+ project(TargetConfigGen LANGUAGES C)
+--
+2.25.1
+
diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
new file mode 100644
index 00000000..43fafd8c
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -0,0 +1,7 @@
+# tee devices can only be accessed by the teeclnt group members
+KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
+ TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
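Review bot: `set(ENV{CC} $ENV{BUILD_CC})` unsets CC when BUILD_CC is not in the environment, because `set(ENV{CC})` with no value removes the variable, and the following `project()` then silently picks whatever C compiler is first on PATH, without the hardening flags Yocto would have supplied; the CFLAGS and LDFLAGS lines behave the same way. As the patch is Yocto-specific, failing early is the safer contract: `if(NOT DEFINED ENV{BUILD_CC})` / `message(FATAL_ERROR "BUILD_CC must be set for the native target_cfg build")` / `endif()` before the first `set(ENV{...})`. Quoting the expansions (`"$ENV{BUILD_CFLAGS}"`) also keeps a value containing a semicolon from being split into extra arguments that `set()` ignores. The enclosing CMakeLists.txt continues outside the hunk.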
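Review bot: The `teepriv[0-9]*` rule sets `GROUP="tee"` while the `tee[0-9]*` rule uses `GROUP="teeclnt"`, and libts_git.bb in this series creates only `${TEE_GROUP_NAME}` and rewrites only `teeclnt`, so the privileged node relies on a `tee` group defined by some other package that is not visible here. If that group does not exist on the target, udev cannot resolve it and the node keeps default root ownership, so the 0660 mode then admits nobody but root — acceptable, but different from what the comment implies. A comment recording the provider, `# group "tee" is created by <recipe providing tee-supplicant>`, would make the dependency visible to whoever changes TEE_GROUP_NAME.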
diff --git a/meta-arm/recipes-security/trusted-services/libts_%.bbappend b/meta-arm/recipes-security/trusted-services/libts_%.bbappend
new file mode 100644
index 00000000..9156e022
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts_%.bbappend
@@ -0,0 +1,4 @@
+# Update MM communication buffer address for qemuarm64 machine
+EXTRA_OECMAKE:append:qemuarm64-secureboot = "-DMM_COMM_BUFFER_ADDRESS=0x42000000 \
+ -DMM_COMM_BUFFER_SIZE=0x1000 \
+"
diff --git a/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/recipes-security/trusted-services/libts_git.bb
new file mode 100644
index 00000000..789bde7c
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts_git.bb
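Review bot: The `EXTRA_OECMAKE:append:qemuarm64-secureboot` value starts with `-DMM_COMM_BUFFER_ADDRESS` and no leading space, so it is glued to the last character of the existing `EXTRA_OECMAKE`; here that value from trusted-services.inc happens to end in whitespace, but the identical pattern in ts-sp-smm-gateway_%.bbappend follows `'-DCMAKE_ASM_FLAGS="${DEBUG_PREFIX_MAP}"'` from ts-sp-common.inc and, unless something later re-terminates that string, the shell sees a single word and the SP is configured with its default buffer address. Both should start the string with a space: `EXTRA_OECMAKE:append:qemuarm64-secureboot = " -DMM_COMM_BUFFER_ADDRESS=0x42000000 \`. The address/size pair here must also match the `"0x00000000 0x42000000"` / page count 1 pair in the smm-gateway bbappend, so a cross-reference comment on each (`# must match ts-sp-smm-gateway_%.bbappend`) would help keep the two sides of the buffer in sync.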
@@ -0,0 +1,42 @@
+DESCRIPTION = "Trusted Services libts library for the arm-linux enviroment. \
+ Used for locating and accessing services from a Linux userspace client"
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+SRC_URI += "file://tee-udev.rules \
+ "
+
+OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"
+
+DEPENDS += "arm-tstee arm-ffa-user"
+RRECOMMENDS:${PN} += "arm-tstee"
+
+# Unix group name for dev/tee* ownership.
+TEE_GROUP_NAME ?= "teeclnt"
+
+do_install:append () {
+ if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
+ install -d ${D}${nonarch_base_libdir}/udev/rules.d/
+ install -m 755 ${WORKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
+ sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
+ fi
+
+ # Move the dynamic libraries into the standard place.
+ install -d ${D}${libdir}
+ mv ${D}${TS_INSTALL}/lib/libts* ${D}${libdir}
+
+ # Update generated cmake file to use correct paths.
+ target_cmake=$(find ${D}${TS_INSTALL}/lib/cmake/libts -type f -iname "libtsTargets-*.cmake")
+ if [ ! -z "$target_cmake" ]; then
+ sed -i -e "s#/${TS_ENV}##g" $target_cmake
+ fi
+}
+
+inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system 
${TEE_GROUP_NAME}"
+
+FILES:${PN} = "${libdir}/libts.so.* ${nonarch_base_libdir}/udev/rules.d/"
+FILES:${PN}-dev = "${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts.so"
diff --git a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
new file mode 100644
index 00000000..e05aadd7
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
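Review bot: `install -m 755 ${WORKDIR}/tee-udev.rules` installs a udev rules file with the execute bit set; it is data read by udevd and should be `install -m 644 ${WORKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/`. The `sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/"` only renames the client group, so the `GROUP="tee"` on the teepriv rule stays fixed whatever `TEE_GROUP_NAME` is set to; if that is deliberate, the comment above `TEE_GROUP_NAME` should say it applies to `/dev/tee*` only, not to `/dev/teepriv*`. `enviroment` in DESCRIPTION should read `environment`.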
@@ -0,0 +1,77 @@
+# Define sources of Trusted Service and all external dependencies
+
+LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib"
+
+SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=main;name=trusted-services;destsuffix=git/trusted-services \
+"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI:append = "\
+ file://0001-Allow-configuring-flash-image-files-compile-time.patch \
+"
+
+# Trusted Services; aka. 2024 April 19
+SRCREV_trusted-services = "602be607198ea784bc5ab1c0c9d3ac4e2c67f1d9"
+LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4"
+
+S = "${WORKDIR}/git/trusted-services"
+PV ?= "0.0+git"
+
+# DTC, tag "v1.6.1"
+SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;destsuffix=git/dtc"
+SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81"
+LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e"
+
+# MbedTLS, tag "v3.5.1"
+SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls"
+SRCREV_mbedtls = "15254759342494c7e969766d5424d78d7deb9bfa"
+LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
+
+# Nanopb, tag "nanopb-0.4.7" plus some further fixes
+SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb"
+SRCREV_nanopb = "dbbf5d8992295aae669b8071eadad02f87d5faf0"
+LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f"
+
+# qcbor, tag "v1.0.0"
+SRC_URI += "git://github.com/laurencelundblade/QCBOR.git;name=qcbor;protocol=https;branch=master;destsuffix=git/qcbor"
+SRCREV_qcbor = "56b17bf9f74096774944bcac0829adcd887d391e"
+LIC_FILES_CHKSUM += "file://../qcbor/README.md;md5=e8ff2e88a722cdc55eddd0bb9aeca002"
+
+# T_Cose
+SRC_URI += "git://github.com/laurencelundblade/t_cose.git;name=tcose;protocol=https;branch=master;destsuffix=git/tcose"
+SRCREV_tcose = "fc3a4b2c7196ff582e8242de8bd4a1bc4eec577f"
+LIC_FILES_CHKSUM += "file://../tcose/LICENSE;md5=b2ebdbfb82602b97aa628f64cf4b65ad"
+
+# CppUTest, tag "v3.8"
+SRC_URI += "git://github.com/cpputest/cpputest.git;name=cpputest;protocol=https;branch=master;destsuffix=git/cpputest"
+SRCREV_cpputest = "e25097614e1c4856036366877a02346c4b36bb5b"
+LIC_FILES_CHKSUM += "file://../cpputest/COPYING;md5=ce5d5f1fe02bcd1343ced64a06fd4177"
+
+SRCREV_FORMAT = "trusted-services_dtc_mbedtls_nanopb_qcbor_tcose_cpputest"
+
+inherit apply_local_src_patches
+LOCAL_SRC_PATCHES_INPUT_DIR = "N/A"
+
+do_apply_local_src_patches() {
+ apply_local_src_patches ${S}/external/qcbor ${WORKDIR}/git/qcbor
+ apply_local_src_patches ${S}/external/t_cose ${WORKDIR}/git/tcose
+ apply_local_src_patches ${S}/external/MbedTLS ${WORKDIR}/git/mbedtls
+ apply_local_src_patches ${S}/external/CppUTest ${WORKDIR}/git/cpputest
+ apply_local_src_patches ${S}/external/libfdt ${WORKDIR}/git/dtc
+ apply_local_src_patches ${S}/external/nanopb ${WORKDIR}/git/nanopb
+}
+
+do_config:append:() {
+ # Fine tune MbedTLS configuration for crypto only operation.
+ sh -c "cd ${WORKDIR}/git/mbedtls; python3 scripts/config.py crypto"
+}
+
+# Paths to dependencies required by some TS SPs/tools
+EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \
+ -DCPPUTEST_SOURCE_DIR=${WORKDIR}/git/cpputest \
+ -DNANOPB_SOURCE_DIR=${WORKDIR}/git/nanopb \
+ -DT_COSE_SOURCE_DIR=${WORKDIR}/git/tcose \
+ -DQCBOR_SOURCE_DIR=${WORKDIR}/git/qcbor \
+ -DMBEDTLS_SOURCE_DIR=${WORKDIR}/git/mbedtls \
+ "
diff --git a/meta-arm/recipes-security/trusted-services/trusted-services.inc b/meta-arm/recipes-security/trusted-services/trusted-services.inc
new file mode 100644
index 00000000..272e9106
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/trusted-services.inc
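Review bot: `do_config:append:()` does not attach to any task I can see — the cmake class provides `do_configure`, and the trailing `:` is an empty override — so the `python3 scripts/config.py crypto` step that trims MbedTLS to its crypto-only configuration most likely never runs, and MbedTLS is built with its full default configuration, i.e. more code in the trusted image than intended. If the intent is to run it before cmake configures the external projects, `do_configure:prepend() {` is the form to use; `bitbake -e <recipe> | grep -A3 do_config` will confirm what is actually attached. The step also edits `${WORKDIR}/git/mbedtls` in place (presumably its configuration header), so a comment on whether re-running the task is idempotent would be useful.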
@@ -0,0 +1,58 @@
+SUMMARY ?= "The Trusted Services: framework for developing root-of-trust services"
+HOMEPAGE = "https://trusted-services.readthedocs.io/en/latest/index.html"
+
+LICENSE = "Apache-2.0 & BSD-3-Clause & Zlib"
+
+inherit python3native cmake pkgconfig
+
+COMPATIBLE_HOST = "aarch64.*-linux"
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
+
+require trusted-services-src.inc
+
+# By default bitbake includes only ${S} (i.e git/trusted-services) in the maps.
+# We also need to include the TS dependencies source trees.
+DEBUG_PREFIX_MAP:append = "-fmacro-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+ -fdebug-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+"
+
+TS_PLATFORM ?= "ts/mock"
+
+# SP images are embedded into optee-os image
+# FIP packaging is not supported yet
+SP_PACKAGING_METHOD ?= "embedded"
+
+SYSROOT_DIRS += "/usr/${TS_ENV} /usr/opteesp /usr/arm-linux"
+
+# TS cmake files use find_file() to search through source code and build dirs.
+# Yocto cmake class limits CMAKE_FIND_ROOT_PATH and find_file() fails.
+# Include the source tree and build dirs into searchable path.
+OECMAKE_EXTRA_ROOT_PATH = "${WORKDIR}/git/ ${WORKDIR}/build/"
+
+EXTRA_OECMAKE += '-DLIBGCC_LOCATE_CFLAGS="--sysroot=${STAGING_DIR_HOST}" \
+ -DCROSS_COMPILE="${TARGET_PREFIX}" \
+ -DTS_PLATFORM="${TS_PLATFORM}" \
+ '
+export CROSS_COMPILE="${TARGET_PREFIX}"
+
+# Default TS installation path
+TS_INSTALL = "/usr/${TS_ENV}"
+
+# Use the Yocto cmake toolchain for external components of the arm-linux TS deployments,
+# and the TS toolchain for opteesp and sp deployments
+def get_ts_toolchain_option(d):
+ ts_env=d.getVar('TS_ENV')
+ if ts_env == 'opteesp' or ts_env == 'sp':
+ return '-DCMAKE_TOOLCHAIN_FILE=${S}/environments/'+ts_env+'/default_toolchain_file.cmake'
+ if ts_env == 'arm-linux':
+ return '-DTS_EXTERNAL_LIB_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake'
+ bb.error("Unkown value \"%s\" for TS_ENV." % (ts_env))
+ return ''
+
+EXTRA_OECMAKE += "${@get_ts_toolchain_option(d)}"
+
+# Paths to pre-built dependencies required by some TS SPs/tools
+EXTRA_OECMAKE += "-Dlibts_ROOT=${STAGING_DIR_HOST}${TS_INSTALL}/lib/cmake/libts/ \
+ -DNEWLIB_INSTALL_DIR=${STAGING_DIR_HOST}/usr/opteesp/newlib \
+ "
diff --git a/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
new file mode 100644
index 00000000..a17c1720
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
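Review bot: `get_ts_toolchain_option` reports an unsupported `TS_ENV` with `bb.error(...)` and then `return ''`, so parsing continues and the recipe is configured with no toolchain option at all, which surfaces later as a confusing cmake failure rather than at the mistake; `bb.fatal("Unknown value \"%s\" for TS_ENV." % ts_env)` stops immediately and also fixes the `Unkown` typo. `OECMAKE_EXTRA_ROOT_PATH` widens the cmake find root to the whole `${WORKDIR}/git/` tree, i.e. every fetched dependency checkout, not only trusted-services; a comment saying so (`# note: this makes every dependency tree under ${WORKDIR}/git searchable by find_file()`) would help whoever debugs a wrong-header pick-up.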
@@ -0,0 +1,30 @@
+DESCRIPTION = "Trusted Services ts-demo deployment for arm-linux. \
+ Used for running simple TS demo from Linux user-space \
+ on an Arm platform with real deployments of trusted services."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "python3-jsonschema-native python3-jinja2-native"
+DEPENDS += "libts"
+RDEPENDS:${PN} += "libts"
+
+OECMAKE_SOURCEPATH="${S}/deployments/ts-demo/${TS_ENV}"
+
+# Mbedtls 3.1.0 does not compile with clang.
+# This can be removed after TS updated required mbedtls version
+TOOLCHAIN = "gcc"
+
+FILES:${PN} = "${bindir}/ts-demo"
+
+# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this
+# compilation flag is used.
+lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/ts-demo ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
new file mode 100644
index 00000000..669e87ae
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
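Review bot: `lcl_maybe_fortify = ...` overrides an internal variable of security_flags.inc and drops `-D_FORTIFY_SOURCE=2` for the whole recipe, i.e. also for ts-demo's own code and not only for the MbedTLS build the TODO names; the same override is copied into ts-psa-iat-api-test_git.bb, while ts-sp-common.inc removes the flag with `TARGET_CFLAGS:remove` instead. Three copies of the same hardening opt-out in two different styles drift easily; one definition in trusted-services.inc, with the TODO recording the MbedTLS build error it works around, would keep the opt-out reviewable in one place. Until then the comment here should state the scope: `# NOTE: this disables FORTIFY_SOURCE for everything this recipe compiles, not just MbedTLS.`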
@@ -0,0 +1,30 @@
+SUMMARY = "Newlib static libraries built with Trusted Services opteesp deployment options"
+
+TS_ENV = "opteesp"
+
+require trusted-services.inc
+
+SRC_URI += "git://sourceware.org/git/newlib-cygwin.git;name=newlib;protocol=https;branch=master;destsuffix=git/newlib \
+"
+
+# tag "newlib-4.1.0"
+SRCREV_newlib = "415fdd4279b85eeec9d54775ce13c5c412451e08"
+LIC_FILES_CHKSUM += "file://../newlib/COPYING.NEWLIB;md5=b8dda70da54e0efb49b1074f349d7749"
+
+# Newlib does not compile with clang
+TOOLCHAIN = "gcc"
+
+EXTRA_OECMAKE += '-DNEWLIB_SOURCE_DIR=${WORKDIR}/git/newlib \
+ -DNEWLIB_CFLAGS="--sysroot=${STAGING_DIR_HOST}" \
+ '
+
+OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/"
+
+# TS ships a patch that needs to be applied to newlib
+apply_ts_patch() {
+ ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am )
+}
+do_patch[postfuncs] += "apply_ts_patch"
+
+FILES:${PN}-dev = "${TS_INSTALL}/newlib"
+FILES:${PN}-staticdev = "${TS_INSTALL}/newlib/*/lib/*.a"
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
new file mode 100644
index 00000000..93051bf3
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
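Review bot: `apply_ts_patch` chains `git stash; git branch -f bf_am; git am ...; git reset bf_am` with `;`, so a failed `git am` (conflict, missing patch file) is masked because the function's exit status is that of the final `git reset`, and the build carries on with an unpatched newlib. Use `&&` between the commands: `( cd ${WORKDIR}/git/newlib && git stash && git branch -f bf_am && git am ${S}/external/newlib/*.patch && git reset bf_am )`. The sequence appears to leave the patched working tree in place while discarding the commits `git am` created; a comment stating that intent, and why the `git stash` is needed first, would save the next reader from reverse-engineering it.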
@@ -0,0 +1,32 @@
+SUMMARY = "Parts of PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "python3-jsonschema-native python3-jinja2-native"
+
+DEPENDS += "libts"
+RDEPENDS:${PN} += "libts"
+
+SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protocol=https;branch=main;destsuffix=git/psatest \
+ file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \
+ "
+
+SRCREV_psatest = "74dc6646ff594e131a726a5305aba77bac30eceb"
+LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13"
+
+EXTRA_OECMAKE += "-DPSA_ARCH_TESTS_SOURCE_DIR=${WORKDIR}/git/psatest"
+
+do_apply_local_src_patches:append() {
+ apply_local_src_patches ${S}/external/psa_arch_tests ${WORKDIR}/git/psatest
+}
+
+FILES:${PN} = "${bindir}/${PSA_TEST}"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/${PSA_TEST} ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb
new file mode 100644
index 00000000..710d3778
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Crypto PSA certification tests (psa-arch-test)"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/crypto/${TS_ENV}"
+
+PSA_TEST = "psa-crypto-api-test"
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
new file mode 100644
index 00000000..c39554a6
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
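Review bot: `FILES:${PN}` and `do_install:append` use `PSA_TEST`, which this .inc never sets and which only the requiring recipes provide (e.g. `PSA_TEST = "psa-crypto-api-test"` in ts-psa-crypto-api-test_git.bb); with it unset, `mv ${D}${TS_INSTALL}/bin/ ${D}${bindir}` would move the whole bin directory instead of one binary. A header comment makes the contract explicit: `# Recipes requiring this file must set PSA_TEST to the name of the test binary installed under ${TS_INSTALL}/bin.` The `file://...patch;patchdir=../psatest` entry targets the psa-arch-tests checkout rather than ${S}, unlike the patch in trusted-services-src.inc; a one-line comment next to it saying so would help.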
@@ -0,0 +1,25 @@
+DESCRIPTION = "Initial Attestation PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/initial_attestation/${TS_ENV}"
+
+PSA_TEST = "psa-iat-api-test"
+
+# psa-arch-tests for INITIAL_ATTESTATION suite can't be built with pre-built qcbor
+# Fetch qcbor sources as a temp work-around and pass PSA_TARGET_QCBOR to psa-arch-tests
+SRC_URI += "git://github.com/laurencelundblade/QCBOR.git;name=psaqcbor;protocol=https;branch=master;destsuffix=git/psaqcbor \
+ "
+SRCREV_psaqcbor = "42272e466a8472948bf8fca076d113b81b99f0e0"
+
+EXTRA_OECMAKE += "-DPSA_TARGET_QCBOR=${WORKDIR}/git/psaqcbor \
+ "
+# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this
+# compilation flag is used.
+lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"
+
+# Mbedtls 3.1.0 does not compile with clang.
+# This can be removed after TS updated required mbedtls version
+TOOLCHAIN = "gcc"
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb
new file mode 100644
index 00000000..32f2890b
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Internal Trusted Storage PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/internal_trusted_storage/${TS_ENV}"
+
+PSA_TEST = "psa-its-api-test"
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb
new file mode 100644
index 00000000..bcf16712
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb
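Review bot: This recipe fetches a second QCBOR tree (`psaqcbor` at 42272e46…) while trusted-services-src.inc already pins QCBOR at 56b17bf9…, so the resulting test binary is built against two revisions of the same parser; the comment explains the workaround but not why this particular revision, so the next person bumping one pin will not know whether the other must follow. A comment such as `# revision expected by the psa-arch-tests SRCREV in the common .inc; re-check when bumping SRCREV_qcbor in trusted-services-src.inc` would record the coupling — I am inferring that the revision is tied to psa-arch-tests, please confirm. The `EXTRA_OECMAKE += "-DPSA_TARGET_QCBOR=... \` two-line form differs from the one-line `-DPSA_ARCH_TESTS_SOURCE_DIR` setting in the common .inc for no visible reason; either style is fine, but one per series is easier to read.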
@@ -0,0 +1,9 @@
+DESCRIPTION = "Protected Storage PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/protected_storage/${TS_ENV}"
+
+PSA_TEST = "psa-ps-api-test"
diff --git a/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb
new file mode 100644
index 00000000..1633ecfe
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "Trusted Services ts-remote-test deployment for arm-linux."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "libts"
+RDEPENDS:${PN} += "libts"
+
+OECMAKE_SOURCEPATH = "${S}/deployments/ts-remote-test/${TS_ENV}"
+
+FILES:${PN} = "${bindir}/ts-remote-test"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/ts-remote-test ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb
new file mode 100644
index 00000000..3278c6c6
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "Trusted Services ts-service-test deployment for arm-linux. \
+ Used for running service level tests from Linux user-space \
+ on an Arm platform with real deployments of trusted services."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "libts python3-protobuf-native"
+RDEPENDS:${PN} += "libts"
+
+OECMAKE_SOURCEPATH = "${S}/deployments/ts-service-test/${TS_ENV}"
+
+FILES:${PN} = "${bindir}/ts-service-test"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/ts-service-test ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
new file mode 100644
index 00000000..6cddfb03
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services attestation service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ATTESTATION_UUID}"
+TS_SP_IAT_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb
new file mode 100644
index 00000000..efbaad14
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: <text>Copyright 2023 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services block storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${BLOCK_STORAGE_UUID}"
+TS_SP_BLOCK_STORAGE_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/block-storage/config/${TS_SP_BLOCK_STORAGE_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
new file mode 100644
index 00000000..c8b1409c
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
@@ -0,0 +1,43 @@
+# Common part of all Trusted Services SPs recipes
+
+TS_ENV ?= "opteesp"
+
+require trusted-services.inc
+require ts-uuid.inc
+
+DEPENDS += "dtc-native ts-newlib"
+DEPENDS += "${@oe.utils.conditional('TS_ENV','sp','python3-pyelftools-native','', d)}"
+
+FILES:${PN}-dev = "${TS_INSTALL}"
+
+# Secure Partition DTS file might be updated in bbapend files
+SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts"
+
+do_install:append() {
+ # Generate SP DTB which will be included automatically by optee-os build process
+ dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE}
+
+ # We do not need libs and headers
+ rm -rf --one-file-system ${D}${TS_INSTALL}/lib
+ rm -rf --one-file-system ${D}${TS_INSTALL}/include
+}
+
+# Use Yocto debug prefix maps for compiling assembler.
+EXTRA_OECMAKE += '-DCMAKE_ASM_FLAGS="${DEBUG_PREFIX_MAP}"'
+
+# Ignore that SP stripped.elf does not have GNU_HASH
+# Older versions of optee support SYSV hash only.
+INSANE_SKIP:${PN}-dev += "ldflags"
+
+# Trusted Services SPs do not compile with clang
+TOOLCHAIN = "gcc"
+
+# FORTIFY_SOURCE is a glibc feature. Disable it for all SPs as these do not use glibc.
+TARGET_CFLAGS:remove = "-D_FORTIFY_SOURCE=2"
+OECMAKE_C_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
+OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
+
+# Override yoctos default linux specific toolchain file. trusted-services.inc
+# will add a proper tooclhain option.
+OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
new file mode 100644
index 00000000..867e4a81
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
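Review bot: Two comments in this file carry typos that hurt their meaning: `bbapend` above `SP_DTS_FILE`, and `yoctos` / `tooclhain` above `OECMAKE_ARGS:remove`; suggested text `# Secure Partition DTS file may be overridden in bbappend files` and `# Override Yocto's default Linux-specific toolchain file; trusted-services.inc adds the proper toolchain option.` The three `:remove = "-D_FORTIFY_SOURCE=2"` lines match only that exact token, so if the distro's security flags ever emit a different fortify level the opt-out silently stops applying and the newlib-based SPs would receive a define they cannot honour; a comment tying the token to its origin, `# token must match the fortify level set by security_flags.inc`, flags the maintenance dependency. Note that ts-demo_git.bb in this series disables the same flag via `lcl_maybe_fortify` instead, so there are now two mechanisms for one opt-out.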
@@ -0,0 +1,10 @@
+DESCRIPTION = "Trusted Services crypto service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${CRYPTO_UUID}"
+TS_SP_CRYPTO_CONFIG ?= "default"
+
+DEPENDS += "python3-protobuf-native python3-jsonschema-native python3-jinja2-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
new file mode 100644
index 00000000..02f58fb4
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: <text>Copyright 2024 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services Firmware Update Service provider"
+
+require ts-sp-common.inc
+inherit deploy
+
+SP_UUID = "${FWU_UUID}"
+TS_SP_FWU_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"
+
+# The GPT parser component is needed from TF-A
+SRC_URI += "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;name=tfa;protocol=https;branch=master;destsuffix=git/tf-a"
+SRCREV_tfa = "v2.7.0"
+LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+do_apply_local_src_patches:append() {
+ apply_local_src_patches ${S}/external/tf_a ${WORKDIR}/git/tf-a
+}
+
+EXTRA_OECMAKE:append = "-DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"
+
+# Deploy the secure flash image.
+do_deploy() {
+ cp -v ${S}/components/media/disk/disk_images/multi_location_fw.img ${DEPLOYDIR}/secure-flash.img
+}
+addtask deploy after do_compile
+
+EXTRA_OECMAKE:append:qemuall = " -DSEMIHOSTING_BLK_FILE_NAME:STRING=${@oe.path.relative('${TMPDIR}', '${DEPLOY_DIR_IMAGE}')}/secure-flash.img"
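Review bot: `LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;..."` uses `=`, which replaces the list built up in trusted-services-src.inc (trusted-services, dtc, MbedTLS, nanopb, qcbor, t_cose, CppUTest), so for this SP only the TF-A licence file is checksum-verified; every other recipe in the series appends, and this one should too: `LIC_FILES_CHKSUM += "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"`. `SRCREV_tfa = "v2.7.0"` is a tag rather than a commit hash, unlike every other SRCREV in this series, and a tag can be moved on the remote; pin the commit the tag resolves to (`SRCREV_tfa = "<commit hash of v2.7.0>"`) with `# TF-A, tag "v2.7.0"` above it, matching the style of trusted-services-src.inc. `EXTRA_OECMAKE:append = "-DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"` has no leading space and only works because the preceding value happens to end in whitespace, whereas the qemuall append below correctly starts with `" -D`. `do_deploy()` publishes a prebuilt image from the source tree as `secure-flash.img`; a comment on what `multi_location_fw.img` contains and how it is generated would let readers judge what is being shipped to the deploy directory.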
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
new file mode 100644
index 00000000..5472dbda
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services internal secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ITS_UUID}"
+TS_SP_ITS_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
new file mode 100644
index 00000000..26781434
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
@@ -0,0 +1,10 @@
+DESCRIPTION = "Trusted Services proxy service providers"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SE_PROXY_UUID}"
+TS_SP_SE_PROXY_CONFIG ?= "default"
+
+DEPENDS += "python3-protobuf-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
new file mode 100644
index 00000000..c485a562
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
@@ -0,0 +1,5 @@
+
+# Update MM communication buffer address for qemuarm64 machine
+EXTRA_OECMAKE:append:qemuarm64-secureboot = "-DMM_COMM_BUFFER_ADDRESS="0x00000000 0x42000000" \
+ -DMM_COMM_BUFFER_PAGE_COUNT="1" \
+"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
new file mode 100644
index 00000000..752f7fe7
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services service provider for UEFI SMM services"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SMM_GATEWAY_UUID}"
+TS_SP_SMM_GATEWAY_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
new file mode 100644
index 00000000..5c0d6865
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
@@ -0,0 +1,10 @@
+DESCRIPTION = "Trusted Services SPMC test SPs"
+
+# spm test SP only supports opteesp.
+TS_ENV = 'opteesp'
+
+require ts-sp-common.inc
+
+SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}"
+SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts"
+OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb
new file mode 100644
index 00000000..4cbb970b
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb
@@ -0,0 +1,5 @@
+DESCRIPTION = "Trusted Services SPMC test SP1"
+
+SP_INDEX="1"
+
+require ts-sp-spm-test-common.inc
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb
new file mode 100644
index 00000000..e6fb822b
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP2"
+
+SP_INDEX="2"
+
+require ts-sp-spm-test-common.inc
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb
new file mode 100644
index 00000000..ad3ee76e
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP3"
+
+SP_INDEX="3"
+
+require ts-sp-spm-test-common.inc
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb
new file mode 100644
index 00000000..2ee69c1f
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP4"
+
+SP_INDEX="4"
+
+require ts-sp-spm-test-common.inc
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
new file mode 100644
index 00000000..5b2f47b3
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${STORAGE_UUID}"
+TS_SP_PS_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb
new file mode 100644
index 00000000..5be436b6
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "Trusted Services uefi-test deployment for arm-linux. \
+ Used for running service level tests from Linux user-space \
+ on an Arm platform with real deployments of UEFI SMM services."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "libts python3-protobuf-native"
+RDEPENDS:${PN} += "libts arm-ffa-user"
+
+OECMAKE_SOURCEPATH = "${S}/deployments/uefi-test/${TS_ENV}"
+
+FILES:${PN} = "${bindir}/uefi-test"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/uefi-test ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
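Review bot: The `do_install:append` in ts-uefi-test_git.bb moves one binary out of `${D}${TS_INSTALL}` and then removes the whole remaining install tree with `rm -r --one-file-system`, but nothing says why that tree is disposable, so a later maintainer adding files to the upstream install (manifests, headers, libraries) will lose them silently. I would add a comment above the function, `# Only the uefi-test binary is packaged; relocate it to ${bindir} and drop the rest of the TS install tree, which this deployment does not ship`, adjusting the reason if the tree is presumably consumed elsewhere (trusted-services.inc is not in this chunk). `FILES:${PN}` already restricts packaging to `${bindir}/uefi-test`, which supports that reading.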
diff --git a/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
new file mode 100644
index 00000000..810ffa5e
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
@@ -0,0 +1,15 @@
+# Trusted Services SPs canonical UUIDs
+
+ATTESTATION_UUID = "a1baf155-8876-4695-8f7c-54955e8db974"
+CRYPTO_UUID = "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"
+ENV_TEST_UUID = "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"
+ITS_UUID = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"
+SE_PROXY_UUID = "46bb39d1-b4d9-45b5-88ff-040027dab249"
+SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7"
+STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790"
+SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37"
+SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a"
+SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
+SPM_TEST4_UUID = "423762ed-7772-406f-99d8-0c27da0abbf8"
+FWU_UUID = "6823a838-1b06-470e-9774-0cce8bfb53fd"
+BLOCK_STORAGE_UUID = "63646e80-eb52-462f-ac4f-8cdf3987519c"
|
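Review bot: The header comment in ts-uuid.inc says only "canonical UUIDs" and does not record that these values are load-bearing: the recipes in this commit use them as `SP_UUID`, and ts-sp-spm-test-common.inc derives the manifest path `${D}${TS_INSTALL}/manifest/${SP_UUID}.dts` from them, so a UUID that drifts from the one baked into the upstream deployment presumably yields an SP the SPMC cannot match to its manifest. I would expand the header to `# Trusted Services SP UUIDs. These must match the UUIDs declared in the corresponding upstream deployment (SP manifest); SP_UUID and the installed manifest name are derived from them.` The `SPM_TEST<N>_UUID` naming is also relied on by the `${SPM_TEST${SP_INDEX}_UUID}` lookup in the spm-test include, which is worth a one-line comment next to those four entries so they are not renamed independently.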
