Diffstat (limited to 'meta-arm/recipes-security')
-rw-r--r--meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch27
-rw-r--r--meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb79
-rw-r--r--meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend11
-rw-r--r--meta-arm/recipes-security/optee/optee-client.inc18
-rw-r--r--meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service (renamed from meta-arm/recipes-security/optee/optee-client/tee-supplicant.service)2
-rw-r--r--meta-arm/recipes-security/optee/optee-client_3.11.0.bb3
-rw-r--r--meta-arm/recipes-security/optee/optee-client_4.2.0.bb7
-rw-r--r--meta-arm/recipes-security/optee/optee-examples.inc14
-rw-r--r--meta-arm/recipes-security/optee/optee-examples/0001-make-Pass-ldflags-during-link.patch103
-rw-r--r--meta-arm/recipes-security/optee/optee-examples_3.11.0.bb4
-rw-r--r--meta-arm/recipes-security/optee/optee-examples_4.2.0.bb3
-rw-r--r--meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb29
-rw-r--r--meta-arm/recipes-security/optee/optee-os-ts.inc85
-rw-r--r--meta-arm/recipes-security/optee/optee-os.inc41
-rw-r--r--meta-arm/recipes-security/optee/optee-os/0001-libutils-provide-empty-__getauxval-implementation.patch62
-rw-r--r--meta-arm/recipes-security/optee/optee-os/0002-link.mk-implement-support-for-libnames-after-libgcc-.patch55
-rw-r--r--meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch (renamed from meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch)7
-rw-r--r--meta-arm/recipes-security/optee/optee-os/0003-ta_dev_kit.mk-make-sure-that-libutils-is-linked-seco.patch44
-rw-r--r--meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch34
-rw-r--r--meta-arm/recipes-security/optee/optee-os_3.11.0.bb11
-rw-r--r--meta-arm/recipes-security/optee/optee-os_4.%.bbappend5
-rw-r--r--meta-arm/recipes-security/optee/optee-os_4.2.0.bb10
-rw-r--r--meta-arm/recipes-security/optee/optee-test.inc34
-rw-r--r--meta-arm/recipes-security/optee/optee-test/0001-host-xtest-Adjust-order-of-including-compiler.h.patch64
-rw-r--r--meta-arm/recipes-security/optee/optee-test/0001-xtest-stats-remove-unneeded-stat.h-include.patch34
-rw-r--r--meta-arm/recipes-security/optee/optee-test/0002-make-remove-Wno-unsafe-loop-for-clang.patch31
-rw-r--r--meta-arm/recipes-security/optee/optee-test/0003-make-remove-Wmissing-noreturn-for-clang.patch31
-rw-r--r--meta-arm/recipes-security/optee/optee-test_3.11.0.bb3
-rw-r--r--meta-arm/recipes-security/optee/optee-test_4.2.0.bb12
-rw-r--r--meta-arm/recipes-security/optee/optee.inc23
-rw-r--r--meta-arm/recipes-security/packagegroups/packagegroup-ts-tests.bb28
-rw-r--r--meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch100
-rw-r--r--meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch32
-rw-r--r--meta-arm/recipes-security/trusted-services/libts/tee-udev.rules7
-rw-r--r--meta-arm/recipes-security/trusted-services/libts_%.bbappend4
-rw-r--r--meta-arm/recipes-security/trusted-services/libts_git.bb42
-rw-r--r--meta-arm/recipes-security/trusted-services/trusted-services-src.inc77
-rw-r--r--meta-arm/recipes-security/trusted-services/trusted-services.inc58
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-demo_git.bb30
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb30
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc32
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb9
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb25
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb9
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb9
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb19
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-service-test_git.bb21
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb8
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb13
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-common.inc43
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb10
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb32
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb8
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb10
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend5
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb8
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc10
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb5
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb6
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb6
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb6
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb8
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb21
-rw-r--r--meta-arm/recipes-security/trusted-services/ts-uuid.inc15
64 files changed, 1134 insertions, 498 deletions
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch
new file mode 100644
index 00000000..7c61105b
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch
@@ -0,0 +1,27 @@
+From cd7b41b30cf157338cfd5cda3c0f6f33164ad16d Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH] add enum to ta flags
+
+If we compile this TA into OPTEE-OS we need to define a flag
+that this TA can be discovered on the optee bus.
+Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+index 92c33c1..e83619d 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+
+ #define TA_UUID TA_FTPM_UUID
+
+-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE (64 * 1024)
+ #define TA_DATA_SIZE (32 * 1024)
+
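Review bot: The patch header does not say why `TA_FLAG_DEVICE_ENUM_SUPP` was chosen over plain `TA_FLAG_DEVICE_ENUM`, and that choice decides when the kernel is allowed to probe the fTPM. The `_SUPP` variant defers enumeration until tee-supplicant is running, which presumably matters because the fTPM keeps its state in storage reached through the supplicant. I would add a sentence to the description such as `Use the _SUPP variant so the device is only enumerated once tee-supplicant can serve storage requests.` The Upstream-Status link points at microsoft/MSRSec while the recipe fetches ms-tpm-20-ref, so confirm the reference still tracks the right submission.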
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
new file mode 100644
index 00000000..d5f6e01d
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
@@ -0,0 +1,79 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
+
+#FIXME - doesn't currently work with clang
+TOOLCHAIN = "gcc"
+
+inherit deploy python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+
+DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native "
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+SRC_URI = "gitsm://github.com/Microsoft/ms-tpm-20-ref;branch=main;protocol=https \
+ file://0001-add-enum-to-ta-flags.patch"
+SRCREV = "e9fc7b89d865536c46deb63f9c7d0121a3ded49c"
+
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+ CFG_FTPM_USE_WOLF=y \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ TA_CROSS_COMPILE=${TARGET_PREFIX} \
+ CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+ CFG_ARM64_ta_arm64=y \
+"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+PARALLEL_MAKE = ""
+
+do_compile() {
+ # The internal ${CC} includes the correct -mcpu option
+ sed -i 's/-mcpu=$(TA_CPU)//' Samples/ARM32-FirmwareTPM/optee_ta/fTPM/sub.mk
+ # there's also a secure variable storage TA called authvars
+ cd ${S}/Samples/ARM32-FirmwareTPM/optee_ta
+ oe_runmake
+}
+
+do_install () {
+ mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
+ install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
+ install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy () {
+ install -d ${DEPLOYDIR}/optee
+ install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += " \
+ ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
+ ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
+ "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
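Review bot: `EXTRA_OEMAKE` passes `TA_DEV_KIT_DIR` and `TA_CROSS_COMPILE` but no `TA_SIGN_KEY`, so unless it is set somewhere outside this file the `${FTPM_UUID}.ta` installed by `do_install` is signed with whatever default key the TA dev kit ships. For a firmware TPM that is worth stating explicitly. I would add a comment above `EXTRA_OEMAKE` such as `# NOTE: signed with the dev-kit default key unless TA_SIGN_KEY is overridden; set TA_SIGN_KEY=<path-to-project-key> for anything beyond QEMU testing`. Separately, the `sed -i` in `do_compile` uses a path relative to the task's working directory while the next command does `cd ${S}/...`; prefixing the sed target with `${S}/` would remove that dependency. `PARALLEL_MAKE = ""` would also benefit from a one-line reason.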
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
new file mode 100644
index 00000000..31be0e8f
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
@@ -0,0 +1,11 @@
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+DEPENDS:append = "\
+ ${@bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', 'optee-ftpm', '' , d)} \
+"
+
+EXTRA_OEMAKE:append = "\
+ ${@bb.utils.contains('MACHINE_FEATURES', 'optee-ftpm', \
+ 'CFG_CORE_HEAP_SIZE=131072 CFG_EARLY_TA=y EARLY_TA_PATHS="${STAGING_DIR_TARGET}/${base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf"', \
+ '', d)} \
+"
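Review bot: `EARLY_TA_PATHS` looks the ELF up under `${base_libdir}/optee_armtz`, but optee-ftpm_git.bb installs it under `${nonarch_base_libdir}/optee_armtz`. The two only coincide when `base_libdir` is `/lib`, so a lib64 or multilib configuration would point OP-TEE at a file that is not staged. I would use `EARLY_TA_PATHS="${STAGING_DIR_TARGET}${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf"`. `FTPM_UUID` is also defined a second time here with the same literal as in the recipe; a shared `.inc` would keep the two from drifting apart.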
diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc
index 65c9a447..77f6a642 100644
--- a/meta-arm/recipes-security/optee/optee-client.inc
+++ b/meta-arm/recipes-security/optee/optee-client.inc
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
inherit systemd update-rc.d cmake
SRC_URI = " \
- git://github.com/OP-TEE/optee_client.git \
- file://tee-supplicant.service \
+ git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
+ file://tee-supplicant@.service \
file://tee-supplicant.sh \
"
@@ -21,20 +21,20 @@ EXTRA_OECMAKE = " \
-DBUILD_SHARED_LIBS=ON \
-DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
"
-EXTRA_OECMAKE_append_toolchain-clang = " -DCFG_WERROR=0"
+EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
-do_install_append() {
- install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+do_install:append() {
+ install -D -p -m0644 ${WORKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service
install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
sed -i -e s:@sysconfdir@:${sysconfdir}:g \
-e s:@sbindir@:${sbindir}:g \
- ${D}${systemd_system_unitdir}/tee-supplicant.service \
+ ${D}${systemd_system_unitdir}/tee-supplicant@.service \
${D}${sysconfdir}/init.d/tee-supplicant
}
-SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
+SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME_${PN} = "tee-supplicant"
-INITSCRIPT_PARAMS_${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
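Review bot: `SYSTEMD_SERVICE:${PN}` now names a bare template, `tee-supplicant@.service`, and nothing in the visible lines supplies an instance name or installs a rule that starts `tee-supplicant@<device>`. If the instantiation lives elsewhere (a udev rule or a `DefaultInstance=` in the unit), a comment here should point to it, e.g. `# template unit: instantiated per TEE device by <rule file>`. Otherwise the supplicant may never be started on systemd images, and TAs that depend on it for storage would fail at runtime. The sysvinit script is still installed unconditionally, so the two start paths should be checked for agreement.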
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
index c273832d..72c0b9aa 100644
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
@@ -1,5 +1,5 @@
[Unit]
-Description=TEE Supplicant
+Description=TEE Supplicant on %i
[Service]
User=root
diff --git a/meta-arm/recipes-security/optee/optee-client_3.11.0.bb b/meta-arm/recipes-security/optee/optee-client_3.11.0.bb
deleted file mode 100644
index f765d12c..00000000
--- a/meta-arm/recipes-security/optee/optee-client_3.11.0.bb
+++ /dev/null
@@ -1,3 +0,0 @@
-require optee-client.inc
-
-SRCREV = "c0c925384c1d7e3558d27d2708857482952d7907"
diff --git a/meta-arm/recipes-security/optee/optee-client_4.2.0.bb b/meta-arm/recipes-security/optee/optee-client_4.2.0.bb
new file mode 100644
index 00000000..56494e4c
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-client_4.2.0.bb
@@ -0,0 +1,7 @@
+require recipes-security/optee/optee-client.inc
+
+SRCREV = "3eac340a781c00ccd61b151b0e9c22a8c6e9f9f0"
+
+inherit pkgconfig
+DEPENDS += "util-linux"
+EXTRA_OEMAKE += "PKG_CONFIG=pkg-config"
diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
index 81c31bc0..5011f480 100644
--- a/meta-arm/recipes-security/optee/optee-examples.inc
+++ b/meta-arm/recipes-security/optee/optee-examples.inc
@@ -5,15 +5,14 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
-DEPENDS = "optee-client optee-os python3-pycryptodome-native"
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native"
inherit python3native
require optee.inc
-SRC_URI = "git://github.com/linaro-swg/optee_examples.git \
- file://0001-make-Pass-ldflags-during-link.patch \
- "
+SRC_URI = "git://github.com/linaro-swg/optee_examples.git;branch=master;protocol=https \
+ "
EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
HOST_CROSS_COMPILE=${HOST_PREFIX} \
@@ -24,6 +23,7 @@ EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
+
do_compile() {
oe_runmake -C ${S}
}
@@ -32,11 +32,15 @@ do_compile[cleandirs] = "${B}"
do_install () {
mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
mkdir -p ${D}${bindir}
+ mkdir -p ${D}${libdir}/tee-supplicant/plugins
install -D -p -m0755 ${B}/ca/* ${D}${bindir}
install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+ install -D -p -m0444 ${B}/plugins/* ${D}${libdir}/tee-supplicant/plugins
}
-FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+ ${libdir}/tee-supplicant/plugins/ \
+ "
# Imports machine specific configs from staging to build
PACKAGE_ARCH = "${MACHINE_ARCH}"
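Review bot: The plugins are installed to `${libdir}/tee-supplicant/plugins`, but the `EXTRA_OECMAKE` lines visible in optee-client.inc set only `CFG_TEE_FS_PARENT_PATH` and do not pin the directory tee-supplicant loads plugins from. If that stays at the client's built-in default, the two paths diverge whenever `libdir` is not `/usr/lib`, and the supplicant would search a different directory from the one packaged here. I would set the load path explicitly in optee-client.inc from the same `${libdir}` expression and add a comment here naming that setting. The `${B}/plugins/*` glob also makes `do_install` fail if a build produces no plugins, which is probably acceptable but deserves a comment.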
diff --git a/meta-arm/recipes-security/optee/optee-examples/0001-make-Pass-ldflags-during-link.patch b/meta-arm/recipes-security/optee/optee-examples/0001-make-Pass-ldflags-during-link.patch
deleted file mode 100644
index 84202ef0..00000000
--- a/meta-arm/recipes-security/optee/optee-examples/0001-make-Pass-ldflags-during-link.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 29ae21de41f2fbab6dbecbbf408826b28de82df1 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 1 Sep 2020 21:09:56 -0700
-Subject: [PATCH] make: Pass ldflags during link
-
-OpenEmbeeded needs to pass essential linker flags to set correct flags
-for gnu_hash among others which sets the linking straight
-using LDFLAGS varible here means, we can affect the linker flags
-from build environment
-
-Upstream-Status: Submitted [https://github.com/linaro-swg/optee_examples/pull/85]
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- acipher/host/Makefile | 2 +-
- aes/host/Makefile | 2 +-
- hello_world/host/Makefile | 2 +-
- hotp/host/Makefile | 2 +-
- random/host/Makefile | 2 +-
- secure_storage/host/Makefile | 2 +-
- 6 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/acipher/host/Makefile b/acipher/host/Makefile
-index 8f4bc8a..c2cabef 100644
---- a/acipher/host/Makefile
-+++ b/acipher/host/Makefile
-@@ -18,7 +18,7 @@ BINARY = optee_example_acipher
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) -o $@ $< $(LDFLAGS) $(LDADD)
-
- .PHONY: clean
- clean:
-diff --git a/aes/host/Makefile b/aes/host/Makefile
-index dfeb4e8..f61c71b 100644
---- a/aes/host/Makefile
-+++ b/aes/host/Makefile
-@@ -18,7 +18,7 @@ BINARY = optee_example_aes
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) -o $@ $< $(LDFLAGS) $(LDADD)
-
- .PHONY: clean
- clean:
-diff --git a/hello_world/host/Makefile b/hello_world/host/Makefile
-index c4c8239..69cf42c 100644
---- a/hello_world/host/Makefile
-+++ b/hello_world/host/Makefile
-@@ -18,7 +18,7 @@ BINARY = optee_example_hello_world
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) -o $@ $< $(LDFLAGS) $(LDADD)
-
- .PHONY: clean
- clean:
-diff --git a/hotp/host/Makefile b/hotp/host/Makefile
-index cb7fd19..e7f013f 100644
---- a/hotp/host/Makefile
-+++ b/hotp/host/Makefile
-@@ -18,7 +18,7 @@ BINARY = optee_example_hotp
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) -o $@ $< $(LDFLAGS) $(LDADD)
-
- .PHONY: clean
- clean:
-diff --git a/random/host/Makefile b/random/host/Makefile
-index fd407d9..9377f7a 100644
---- a/random/host/Makefile
-+++ b/random/host/Makefile
-@@ -18,7 +18,7 @@ BINARY = optee_example_random
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) -o $@ $< $(LDFLAGS) $(LDADD)
-
- .PHONY: clean
- clean:
-diff --git a/secure_storage/host/Makefile b/secure_storage/host/Makefile
-index 29bfb87..b3265ae 100644
---- a/secure_storage/host/Makefile
-+++ b/secure_storage/host/Makefile
-@@ -18,7 +18,7 @@ BINARY = optee_example_secure_storage
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) -o $@ $< $(LDFLAGS) $(LDADD)
-
- .PHONY: clean
- clean:
---
-2.28.0
-
diff --git a/meta-arm/recipes-security/optee/optee-examples_3.11.0.bb b/meta-arm/recipes-security/optee/optee-examples_3.11.0.bb
deleted file mode 100644
index 72473eda..00000000
--- a/meta-arm/recipes-security/optee/optee-examples_3.11.0.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-require optee-examples.inc
-
-SRCREV = "9a7dc598591990349d88b4dba3a37aadd6851295"
-
diff --git a/meta-arm/recipes-security/optee/optee-examples_4.2.0.bb b/meta-arm/recipes-security/optee/optee-examples_4.2.0.bb
new file mode 100644
index 00000000..f082a25d
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-examples_4.2.0.bb
@@ -0,0 +1,3 @@
+require recipes-security/optee/optee-examples.inc
+
+SRCREV = "378dc0db2d5dd279f58a3b6cb3f78ffd6b165035"
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb
new file mode 100644
index 00000000..961d5251
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb
@@ -0,0 +1,29 @@
+require recipes-security/optee/optee-os_${PV}.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
+
+# Include extra headers needed by SPMC tests to TA DEVKIT.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' CFG_SPMC_TESTS=y', '' , d)}"
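Review bot: `DEPENDS += "python3-pycryptodome-native"` re-adds the crypto module that this same change replaces with `python3-cryptography-native` in optee-os.inc and optee-examples.inc. Since this recipe `require`s optee-os_${PV}.bb, it presumably already inherits the new dependency. If the 4.2.0 signing scripts no longer import pycryptodome, the line is a leftover that widens the native build's dependency set for no benefit; drop it, or add a comment such as `# still needed by <script>` naming the consumer. The `cp -aR $f` in `do_install` would also be safer with the expansion quoted: `cp -aR "$f"`.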
diff --git a/meta-arm/recipes-security/optee/optee-os-ts.inc b/meta-arm/recipes-security/optee/optee-os-ts.inc
new file mode 100644
index 00000000..d30e8ea7
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-ts.inc
@@ -0,0 +1,85 @@
+# Include Trusted Services SPs accordingly to defined machine features
+
+# Please notice that OPTEE will load SPs in the order listed in this file.
+# If an SP requires another SP to be already loaded it must be listed lower.
+
+# TS SPs UUIDs definitions
+require recipes-security/trusted-services/ts-uuid.inc
+
+TS_ENV ?= "opteesp"
+TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin"
+TS_BIN_SPM_TEST= "${RECIPE_SYSROOT}/usr/opteesp/bin"
+
+SP_EXT = "${@oe.utils.conditional('TS_ENV','opteesp','.stripped.elf','.bin',d)}"
+
+# ITS SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \
+ ' ts-sp-its', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \
+ ' ${TS_BIN}/${ITS_UUID}${SP_EXT}', '', d)}"
+
+# Storage SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \
+ ' ts-sp-storage', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \
+ ' ${TS_BIN}/${STORAGE_UUID}${SP_EXT}', '', d)}"
+
+# Crypto SP.
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \
+ ' ts-sp-crypto', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \
+ ' ${TS_BIN}/${CRYPTO_UUID}${SP_EXT}', '', d)}"
+
+# Attestation SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \
+ ' ts-sp-attestation', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \
+ ' ${TS_BIN}/${ATTESTATION_UUID}${SP_EXT}', '', d)}"
+
+# Env-test SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \
+ ' ts-sp-env-test', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \
+ ' ${TS_BIN}/${ENV_TEST_UUID}${SP_EXT}', '', d)}"
+
+# SE-Proxy SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
+ ' ts-sp-se-proxy', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
+ ' ${TS_BIN}/${SE_PROXY_UUID}${SP_EXT}', '', d)}"
+
+# SMM Gateway
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
+ ' ts-sp-smm-gateway', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
+ ' ${TS_BIN}/${SMM_GATEWAY_UUID}${SP_EXT}', '', d)}"
+
+# SPM test SPs
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' ts-sp-spm-test1 ts-sp-spm-test2 \
+ ts-sp-spm-test3 ts-sp-spm-test4', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' ${TS_BIN_SPM_TEST}/${SPM_TEST1_UUID}.stripped.elf \
+ ${TS_BIN_SPM_TEST}/${SPM_TEST2_UUID}.stripped.elf \
+ ${TS_BIN_SPM_TEST}/${SPM_TEST3_UUID}.stripped.elf \
+ ${TS_BIN_SPM_TEST}/${SPM_TEST4_UUID}.stripped.elf', \
+ '', d)}"
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' CFG_SPMC_TESTS=y', '' , d)}"
+
+# Firmware Update SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+ ' ts-sp-fwu', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+ ' ${TS_BIN}/${FWU_UUID}${SP_EXT}', '', d)}"
+
+# Block Storage SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \
+ ' ts-sp-block-storage', '' , d)}"
+
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \
+ ' ${TS_BIN}/${BLOCK_STORAGE_UUID}${SP_EXT}', '', d)}"
+
+EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', \
+ ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y \
+ SP_PATHS="${SP_PATHS}" ', d)}"
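Review bot: The `ts-env-test` and `optee-spmc-test` stanzas carry no comment marking them as test-only, although they link test partitions into the secure-world image and the latter also sets `CFG_SPMC_TESTS=y`. I would add a comment above each, e.g. `# Test-only: do not enable this MACHINE_FEATURE on production images`. `TS_BIN` and `TS_BIN_SPM_TEST` hard-code `/usr`; `${prefix}` would keep them in line with the rest of the layer. The header comment on load order would be easier to follow if it gave one concrete dependency from the list below as an example.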
diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
index 483b797d..80ac0097 100644
--- a/meta-arm/recipes-security/optee/optee-os.inc
+++ b/meta-arm/recipes-security/optee/optee-os.inc
@@ -10,11 +10,11 @@ require optee.inc
CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
-DEPENDS = "python3-pycryptodome-native python3-pyelftools-native"
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
-DEPENDS_append_toolchain-clang = " compiler-rt"
+DEPENDS:append:toolchain-clang = " compiler-rt"
-SRC_URI = "git://github.com/OP-TEE/optee_os.git"
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
@@ -28,14 +28,17 @@ EXTRA_OEMAKE += " \
ta-targets=ta_${OPTEE_ARCH} \
O=${B} \
"
+EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
+EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
-CFLAGS[unexport] = "1"
LDFLAGS[unexport] = "1"
CPPFLAGS[unexport] = "1"
AS[unexport] = "1"
LD[unexport] = "1"
-do_configure[noexec] = "1"
+do_compile:prepend() {
+ PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
+}
do_compile() {
oe_runmake -C ${S} all
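Review bot: `PLAT_LIBGCC_PATH` in the new `do_compile:prepend` is assigned as a plain shell variable, so the `make` started by `oe_runmake` will not see it in its environment unless it is exported somewhere outside this hunk. If the OP-TEE makefiles are meant to pick it up, write `export PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)` or pass it on the make command line. As written, the build would presumably fall back to its own libgcc lookup without any error. The body of `do_compile` continues outside the hunk.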
@@ -47,30 +50,34 @@ do_install() {
install -d ${D}${nonarch_base_libdir}/firmware/
install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
- #install TA devkit
- install -d ${D}${includedir}/optee/export-user_ta/
- for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
- cp -aR $f ${D}${includedir}/optee/export-user_ta/
- done
+ #install tas in optee_armtz
+ install -d ${D}${nonarch_base_libdir}/optee_armtz/
+ install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz
}
PACKAGE_ARCH = "${MACHINE_ARCH}"
do_deploy() {
- install -d ${DEPLOYDIR}/optee
- install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
+ install -d ${DEPLOYDIR}/${MLPREFIX}optee
+ install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
+
+ install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+ install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
}
addtask deploy before do_build after do_install
SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
-FILES_${PN} = "${nonarch_base_libdir}/firmware/"
-FILES_${PN}-dev = "${includedir}/optee/"
+PACKAGES += "${PN}-ta"
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+FILES:${PN}-ta = "${nonarch_base_libdir}/optee_armtz/*"
-# note: "textrel" is not triggered on all archs
-INSANE_SKIP_${PN} = "textrel"
-INSANE_SKIP_${PN}-dev = "staticdev"
+# note: "textrel" is not triggered on all archs
+INSANE_SKIP:${PN} = "textrel"
+# Build paths are currently embedded
+INSANE_SKIP:${PN} += "buildpaths"
+INSANE_SKIP:${PN}-dev = "staticdev"
INHIBIT_PACKAGE_STRIP = "1"
diff --git a/meta-arm/recipes-security/optee/optee-os/0001-libutils-provide-empty-__getauxval-implementation.patch b/meta-arm/recipes-security/optee/optee-os/0001-libutils-provide-empty-__getauxval-implementation.patch
deleted file mode 100644
index 0120f5c2..00000000
--- a/meta-arm/recipes-security/optee/optee-os/0001-libutils-provide-empty-__getauxval-implementation.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 36e784f621bf5d5be9183beba35f39426277c110 Mon Sep 17 00:00:00 2001
-From: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
-Date: Tue, 13 Oct 2020 22:45:39 +0300
-Subject: [PATCH 1/3] libutils: provide empty __getauxval() implementation
-
-Never version of libgcc are built with LSE implementation in mind. To
-determine if LSE is available on platform it calls __getauxval(), so in
-some cases we can get undefined reference to __getauxval() error.
-
-Prominent case is libgcc_eh.a library, which is used by C++ TAs. Exception
-handler depends on atomic operations, so it tries to call
-init_have_lse_atomics() first. This function in turn calls __getauxval(),
-which causes linking error.
-
-In the future we can make __getauxval() to return actual platform
-capabilities.
-
-Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
-Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
-Reviewed-by: Jerome Forissier <jerome@forissier.org>
----
- lib/libutils/ext/arch/arm/auxval.c | 12 ++++++++++++
- lib/libutils/ext/arch/arm/sub.mk | 1 +
- 2 files changed, 13 insertions(+)
- create mode 100644 lib/libutils/ext/arch/arm/auxval.c
-
-diff --git a/lib/libutils/ext/arch/arm/auxval.c b/lib/libutils/ext/arch/arm/auxval.c
-new file mode 100644
-index 00000000..98bca850
---- /dev/null
-+++ b/lib/libutils/ext/arch/arm/auxval.c
-@@ -0,0 +1,12 @@
-+// SPDX-License-Identifier: BSD-2-Clause
-+/*
-+ * Copyright (c) 2020, EPAM Systems
-+ */
-+
-+#include <compiler.h>
-+
-+unsigned long int __getauxval (unsigned long int type);
-+unsigned long int __getauxval (unsigned long int type __unused)
-+{
-+ return 0;
-+}
-diff --git a/lib/libutils/ext/arch/arm/sub.mk b/lib/libutils/ext/arch/arm/sub.mk
-index dc5eed67..2e779066 100644
---- a/lib/libutils/ext/arch/arm/sub.mk
-+++ b/lib/libutils/ext/arch/arm/sub.mk
-@@ -3,6 +3,7 @@ srcs-$(CFG_ARM32_$(sm)) += aeabi_unwind.c
- endif
- srcs-$(CFG_ARM32_$(sm)) += atomic_a32.S
- srcs-$(CFG_ARM64_$(sm)) += atomic_a64.S
-+srcs-y += auxval.c
- ifneq ($(sm),ldelf) # TA, core
- srcs-$(CFG_ARM32_$(sm)) += mcount_a32.S
- srcs-$(CFG_ARM64_$(sm)) += mcount_a64.S
---
-2.25.1
-
diff --git a/meta-arm/recipes-security/optee/optee-os/0002-link.mk-implement-support-for-libnames-after-libgcc-.patch b/meta-arm/recipes-security/optee/optee-os/0002-link.mk-implement-support-for-libnames-after-libgcc-.patch
deleted file mode 100644
index 11296c8c..00000000
--- a/meta-arm/recipes-security/optee/optee-os/0002-link.mk-implement-support-for-libnames-after-libgcc-.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 73196b58ea6978ffa5e581738030f51c5789ef73 Mon Sep 17 00:00:00 2001
-From: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
-Date: Tue, 13 Oct 2020 22:54:13 +0300
-Subject: [PATCH 2/3] link.mk: implement support for libnames-after-libgcc
- variable
-
-Newer versions of libgcc depend on external __getauxval() symbol, which is
-now provided by libutils. But libgcc is linked after libutils, so linker
-can't resolve that symbol. We can't include libgcc into linking group with
-libtutils, because libgcc provides symbols that conflict with libutil's
-ones, like __aeabi_idiv with friends for instance.
-
-So, to resolve libgcc dependency on libutils we need to link with libutils
-second time. To make things more generic, we will introduce
-$(libnames-after-libgcc) variable for libraries that should be linked after
-libgcc.
-
-Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
-Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
-Reviewed-by: Jerome Forissier <jerome@forissier.org>
----
- ta/arch/arm/link.mk | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ta/arch/arm/link.mk b/ta/arch/arm/link.mk
-index 445c285d..3025acb1 100644
---- a/ta/arch/arm/link.mk
-+++ b/ta/arch/arm/link.mk
-@@ -55,8 +55,11 @@ link-ldflags += --eh-frame-hdr
- link-ldadd += $(libstdc++$(sm)) $(libgcc_eh$(sm))
- endif
- link-ldadd += --end-group
--ldargs-$(user-ta-uuid).elf := $(link-ldflags) $(objs) $(link-ldadd) $(libgcc$(sm))
-
-+link-ldadd-after-libgcc += $(addprefix -l,$(libnames-after-libgcc))
-+
-+ldargs-$(user-ta-uuid).elf := $(link-ldflags) $(objs) $(link-ldadd) \
-+ $(libgcc$(sm)) $(link-ldadd-after-libgcc)
-
- link-script-cppflags-$(sm) := \
- $(filter-out $(CPPFLAGS_REMOVE) $(cppflags-remove), \
-@@ -76,6 +79,7 @@ $(link-script-pp$(sm)): $(link-script$(sm)) $(conf-file) $(link-script-pp-makefi
- $(link-script-cppflags-$(sm)) $$< -o $$@
-
- $(link-out-dir$(sm))/$(user-ta-uuid).elf: $(objs) $(libdeps) \
-+ $(libdeps-after-libgcc) \
- $(link-script-pp$(sm)) \
- $(dynlistdep) \
- $(additional-link-deps)
---
-2.25.1
-
diff --git a/meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch b/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch
index 5c0d0a56..3c13ce3f 100644
--- a/meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch
+++ b/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch
@@ -1,4 +1,4 @@
-From 3167f2c0dba4db59d61b60a8fe66f969d20aafa9 Mon Sep 17 00:00:00 2001
+From 59d4c190eae11c93b26cca5a7b005a17dadc8248 Mon Sep 17 00:00:00 2001
From: Brett Warren <brett.warren@arm.com>
Date: Wed, 23 Sep 2020 09:27:34 +0100
Subject: [PATCH] optee: enable clang support
@@ -10,15 +10,16 @@ compiler-rt. This is mitigated by including the variable as ammended.
Upstream-Status: Pending
ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
Signed-off-by: Brett Warren <brett.warren@arm.com>
+
---
mk/clang.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mk/clang.mk b/mk/clang.mk
-index 0f48c836..47465523 100644
+index a045beee8..1ebe2f702 100644
--- a/mk/clang.mk
+++ b/mk/clang.mk
-@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
# Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
# libgcc for clang
diff --git a/meta-arm/recipes-security/optee/optee-os/0003-ta_dev_kit.mk-make-sure-that-libutils-is-linked-seco.patch b/meta-arm/recipes-security/optee/optee-os/0003-ta_dev_kit.mk-make-sure-that-libutils-is-linked-seco.patch
deleted file mode 100644
index 88ba5f85..00000000
--- a/meta-arm/recipes-security/optee/optee-os/0003-ta_dev_kit.mk-make-sure-that-libutils-is-linked-seco.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From f50962e3f56f0932662b2ffa10afe53339a335dd Mon Sep 17 00:00:00 2001
-From: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
-Date: Fri, 16 Oct 2020 16:36:08 +0300
-Subject: [PATCH 3/3] ta_dev_kit.mk: make sure that libutils is linked second
- time
-
-libgcc depends on __getauxval symbol from libuils. As, generally libutils
-is linked before libgcc, we will get "unresolved symbol" error. To resolve
-this dependency we need to link libutils second time - after libgcc.
-
-Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
-Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
-Reviewed-by: Jerome Forissier <jerome@forissier.org>
----
- ta/mk/ta_dev_kit.mk | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/ta/mk/ta_dev_kit.mk b/ta/mk/ta_dev_kit.mk
-index e28be677..d0e66317 100644
---- a/ta/mk/ta_dev_kit.mk
-+++ b/ta/mk/ta_dev_kit.mk
-@@ -78,6 +78,16 @@ endif
- libnames += dl
- libdeps += $(ta-dev-kit-dir$(sm))/lib/libdl.a
-
-+# libutils provides __getauxval symbol which is needed by libgcc 10.x. We can't
-+# link libutils after libgcc, because libgcc will replace some symbols provided
-+# by libutils, which will cause further linking issues.
-+#
-+# But if we place libutils before libgcc, linker will not be able to resolve
-+# __getauxval. So we need to link with libutils twice: before and after libgcc.
-+# Hence it included both in $(libnames) and in $(libnames-after-libgcc)
-+libnames-after-libgcc += utils
-+libdeps-after-libgcc += $(ta-dev-kit-dir$(sm))/lib/libutils.a
-+
- # Pass config variable (CFG_) from conf.mk on the command line
- cppflags$(sm) += $(strip \
- $(foreach var, $(filter CFG_%,$(.VARIABLES)), \
---
-2.25.1
-
diff --git a/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch
deleted file mode 100644
index 17005396..00000000
--- a/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 0bab935695ebcf0c533b49896ab18ff33d4a47d1 Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@arm.com>
-Date: Tue, 26 May 2020 14:38:02 -0500
-Subject: [PATCH] allow setting sysroot for libgcc lookup
-
-Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching
-for the compiler libraries as there's no easy way to reliably pass --sysroot
-otherwise.
-
-Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188]
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- mk/gcc.mk | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/mk/gcc.mk b/mk/gcc.mk
-index adc77a24..81bfa78a 100644
---- a/mk/gcc.mk
-+++ b/mk/gcc.mk
-@@ -13,11 +13,11 @@ nostdinc$(sm) := -nostdinc -isystem $(shell $(CC$(sm)) \
- -print-file-name=include 2> /dev/null)
-
- # Get location of libgcc from gcc
--libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
-+libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
- -print-libgcc-file-name 2> /dev/null)
--libstdc++$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
-+libstdc++$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
- -print-file-name=libstdc++.a 2> /dev/null)
--libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
-+libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
- -print-file-name=libgcc_eh.a 2> /dev/null)
-
- # Define these to something to discover accidental use
diff --git a/meta-arm/recipes-security/optee/optee-os_3.11.0.bb b/meta-arm/recipes-security/optee/optee-os_3.11.0.bb
deleted file mode 100644
index 13b3dc65..00000000
--- a/meta-arm/recipes-security/optee/optee-os_3.11.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require optee-os.inc
-
-SRCREV = "c4def2a8262a03244d9a88461699b9b8e43c6b55"
-
-SRC_URI_append = " \
- file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
- file://0007-allow-setting-sysroot-for-clang.patch \
- file://0001-libutils-provide-empty-__getauxval-implementation.patch \
- file://0002-link.mk-implement-support-for-libnames-after-libgcc-.patch \
- file://0003-ta_dev_kit.mk-make-sure-that-libutils-is-linked-seco.patch \
-"
diff --git a/meta-arm/recipes-security/optee/optee-os_4.%.bbappend b/meta-arm/recipes-security/optee/optee-os_4.%.bbappend
new file mode 100644
index 00000000..4f4a0006
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os_4.%.bbappend
@@ -0,0 +1,5 @@
+# Include Trusted Services Secure Partitions
+require recipes-security/optee/optee-os-ts.inc
+
+# Conditionally include platform specific Trusted Services related OPTEE build parameters
+EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_CORE_HEAP_SIZE=131072 CFG_TEE_BENCHMARK=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_CORE_SEL1_SPMC=y ', d)}"
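Review bot: The comment above the `EXTRA_OEMAKE:append:qemuarm64-secureboot` line does not say that `CFG_TEE_CORE_LOG_LEVEL=4` is OP-TEE's most verbose trace level. Secure-world flow traces are therefore emitted whenever `SP_PATHS` is non-empty on this machine. That is reasonable for a QEMU test target, but the line is easy to copy into a board layer as-is. I would extend the comment, for example `# Debug-oriented values for the QEMU test machine (LOG_LEVEL=4 = full flow tracing); re-evaluate before reusing on a product image.`, and add a short reason for the chosen `CFG_CORE_HEAP_SIZE`.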
diff --git a/meta-arm/recipes-security/optee/optee-os_4.2.0.bb b/meta-arm/recipes-security/optee/optee-os_4.2.0.bb
new file mode 100644
index 00000000..8ae219f4
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os_4.2.0.bb
@@ -0,0 +1,10 @@
+require recipes-security/optee/optee-os.inc
+
+DEPENDS += "dtc-native"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRCREV = "12d7c4ee4642d2d761e39fbcf21a06fb77141dea"
+SRC_URI += " \
+ file://0003-optee-enable-clang-support.patch \
+ "
diff --git a/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/recipes-security/optee/optee-test.inc
index f09b9d24..58f10139 100644
--- a/meta-arm/recipes-security/optee/optee-test.inc
+++ b/meta-arm/recipes-security/optee/optee-test.inc
@@ -2,23 +2,16 @@ SUMMARY = "OP-TEE sanity testsuite"
DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
HOMEPAGE = "https://www.op-tee.org/"
-LICENSE = "BSD & GPLv2"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+LICENSE = "BSD-2-Clause & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
inherit python3native ptest
+inherit deploy
require optee.inc
-# Linking fails on musl due to C++/threads
-# https://github.com/OP-TEE/optee_test/issues/458#issuecomment-720540834
-# When upgraded we should be able to remove this limitation
-COMPATIBLE_HOST_libc-musl = 'null'
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
-DEPENDS = "optee-client optee-os python3-pycryptodome-native"
-
-SRC_URI = "git://github.com/OP-TEE/optee_test.git \
- file://0001-host-xtest-Adjust-order-of-including-compiler.h.patch \
- file://0002-make-remove-Wno-unsafe-loop-for-clang.patch \
- file://0003-make-remove-Wmissing-noreturn-for-clang.patch \
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
file://run-ptest \
"
@@ -26,16 +19,20 @@ S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR} \
CROSS_COMPILE_HOST=${HOST_PREFIX} \
CROSS_COMPILE_TA=${HOST_PREFIX} \
O=${B} \
"
+CFLAGS += "-Wno-error=deprecated-declarations"
+
do_compile() {
cd ${S}
# Top level makefile doesn't seem to handle parallel make gracefully
oe_runmake xtest
oe_runmake ta
+ oe_runmake test_plugin
}
do_compile[cleandirs] = "${B}"
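Review bot: `CFLAGS += "-Wno-error=deprecated-declarations"` is added without a comment saying which deprecated API it covers or when it can be dropped. It applies to everything the recipe compiles, so it will also hide later deprecation errors unrelated to the original cause. I would add a line above it such as `# xtest uses APIs flagged as deprecated (presumably OpenSSL 3.x - TODO confirm); remove once upstream no longer needs it.`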
@@ -46,9 +43,20 @@ do_install () {
# default TEEC_LOAD_PATH is /lib
mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+ mkdir -p ${D}${libdir}/tee-supplicant/plugins
+ install -D -p -m0444 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
+
+do_deploy () {
+ install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+ install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
}
-FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
+addtask deploy before do_build after do_install
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+ ${libdir}/tee-supplicant/plugins/ \
+ "
# Imports machine specific configs from staging to build
PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta-arm/recipes-security/optee/optee-test/0001-host-xtest-Adjust-order-of-including-compiler.h.patch b/meta-arm/recipes-security/optee/optee-test/0001-host-xtest-Adjust-order-of-including-compiler.h.patch
deleted file mode 100644
index 3c500d7a..00000000
--- a/meta-arm/recipes-security/optee/optee-test/0001-host-xtest-Adjust-order-of-including-compiler.h.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From fc95b3ccbbfd336797ae2cfd6dd4dc58644e146f Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 30 May 2020 17:52:18 -0700
-Subject: [PATCH] host/xtest: Adjust order of including compiler.h
-
-compiler.h defines some defines which violate libc namespace e.g.
-__unused, this works ok with glibc but fails in awkward ways with musl
-the reason is musl uses __unused in its internal structures and this
-define in compiler.h conflicts with system headers causing errors like
-
-recipe-sysroot/usr/include/bits/stat.h:17:19: error: expected identifier or '(' before '[' token unsigned __unused[2];
- ^
-including compiler.h afer sys/stat.h fixes the problem.
-
-Upstream-Status: Pending [https://github.com/OP-TEE/optee_test/issues/453]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- host/xtest/install_ta.c | 2 +-
- host/xtest/stats.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/host/xtest/install_ta.c b/host/xtest/install_ta.c
-index 09a4c6d..6f7bb5c 100644
---- a/host/xtest/install_ta.c
-+++ b/host/xtest/install_ta.c
-@@ -4,7 +4,6 @@
- * SPDX-License-Identifier: BSD-2-Clause
- */
-
--#include <compiler.h>
- #include <dirent.h>
- #include <err.h>
- #include <errno.h>
-@@ -20,6 +19,7 @@
- #include <sys/types.h>
- #include <tee_client_api.h>
- #include <unistd.h>
-+#include <compiler.h>
-
- #include "install_ta.h"
- #include "xtest_helpers.h"
-diff --git a/host/xtest/stats.c b/host/xtest/stats.c
-index 96b0b5f..db9bf25 100644
---- a/host/xtest/stats.c
-+++ b/host/xtest/stats.c
-@@ -3,7 +3,6 @@
- * Copyright (c) 2019, Linaro Limited
- */
-
--#include <compiler.h>
- #include <dirent.h>
- #include <err.h>
- #include <errno.h>
-@@ -18,6 +17,7 @@
- #include <sys/types.h>
- #include <tee_client_api.h>
- #include <unistd.h>
-+#include <compiler.h>
- #include "xtest_test.h"
- #include "stats.h"
-
---
-2.26.2
-
diff --git a/meta-arm/recipes-security/optee/optee-test/0001-xtest-stats-remove-unneeded-stat.h-include.patch b/meta-arm/recipes-security/optee/optee-test/0001-xtest-stats-remove-unneeded-stat.h-include.patch
new file mode 100644
index 00000000..581c6db3
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-test/0001-xtest-stats-remove-unneeded-stat.h-include.patch
@@ -0,0 +1,34 @@
+From 236ebb968a298fa5d461e734559ad8a13b667eb6 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@arm.com>
+Date: Wed, 24 Jan 2024 11:35:50 -0500
+Subject: [PATCH] xtest: stats: remove unneeded stat.h include
+
+Hack to work around musl compile error:
+
+| In file included from optee-test/4.1.0/recipe-sysroot/usr/include/sys/stat.h:23,
+| from optee-test/4.1.0/git/host/xtest/stats.c:17:
+| optee-test/4.1.0/recipe-sysroot/usr/include/bits/stat.h:17:26: error: expected identifier or '(' before '[' token
+| 17 | unsigned __unused[2];
+| | ^
+
+stat.h is not needed, since it is not being used in this file. So
+removing it.
+
+Upstream-Status: Inappropriate [https://github.com/OP-TEE/optee_test/issues/722]
+Signed-off-by: Jon Mason <jon.mason@arm.com>
+---
+ host/xtest/stats.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/host/xtest/stats.c b/host/xtest/stats.c
+index fb16d55586da..05aa3adac611 100644
+--- a/host/xtest/stats.c
++++ b/host/xtest/stats.c
+@@ -14,7 +14,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <sys/stat.h>
+ #include <sys/types.h>
+ #include <tee_client_api.h>
+ #include <unistd.h>
diff --git a/meta-arm/recipes-security/optee/optee-test/0002-make-remove-Wno-unsafe-loop-for-clang.patch b/meta-arm/recipes-security/optee/optee-test/0002-make-remove-Wno-unsafe-loop-for-clang.patch
deleted file mode 100644
index 17dd7d87..00000000
--- a/meta-arm/recipes-security/optee/optee-test/0002-make-remove-Wno-unsafe-loop-for-clang.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 438533ce9da1df0b7c7914e64b39ffdc1da1ab79 Mon Sep 17 00:00:00 2001
-From: Brett Warren <brett.warran@arm.com>
-Date: Thu, 8 Oct 2020 10:03:25 +0100
-Subject: [PATCH] make: remove -Wmissing-noreturn for clang
-
-When compiling when clang, -Wmissing-noreturn causes an error because
-of non-compliant code. This option is removed to workaround this.
-
-Upstream-Status: Pending [https://github.com/OP-TEE/optee_test/issues/452]
-Changed-Id: 71cb511904547d790d1ea98f93bf8e5a6afcb36d
-Signed-off-by: Brett Warren <brett.warren@arm.com>
----
- host/xtest/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/host/xtest/Makefile b/host/xtest/Makefile
-index 3c206b0..96746de 100644
---- a/host/xtest/Makefile
-+++ b/host/xtest/Makefile
-@@ -169,7 +169,7 @@ CFLAGS += -Wall -Wcast-align -Werror \
- -Werror-implicit-function-declaration -Wextra -Wfloat-equal \
- -Wformat-nonliteral -Wformat-security -Wformat=2 -Winit-self \
- -Wmissing-declarations -Wmissing-format-attribute \
-- -Wmissing-include-dirs -Wmissing-noreturn \
-+ -Wmissing-include-dirs \
- -Wmissing-prototypes -Wnested-externs -Wpointer-arith \
- -Wshadow -Wstrict-prototypes -Wswitch-default \
- -Wwrite-strings \
---
-2.17.1
-
diff --git a/meta-arm/recipes-security/optee/optee-test/0003-make-remove-Wmissing-noreturn-for-clang.patch b/meta-arm/recipes-security/optee/optee-test/0003-make-remove-Wmissing-noreturn-for-clang.patch
deleted file mode 100644
index bbc303f3..00000000
--- a/meta-arm/recipes-security/optee/optee-test/0003-make-remove-Wmissing-noreturn-for-clang.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ed5a9d9f7a3e9e14ca0e8aea59008124ee0e5f96 Mon Sep 17 00:00:00 2001
-From: Brett Warren <brett.warren@arm.com>
-Date: Thu, 8 Oct 2020 10:20:52 +0100
-Subject: [PATCH] make: remove -Wno-unsafe-loop for clang
-
-When compiling with clang, the -Wno-unsafe-loop-optimizations option
-throws an error because clang doesn't recognise it. This option is
-removed to workaround this.
-
-Upstream-Status: Pending [https://github.com/OP-TEE/optee_test/issues/452]
-Change-Id: 5fe0892c73208aaffac8c9995cb3275936fb1ba6
-Signed-off-by: Brett Warren <brett.warren@arm.com>
----
- host/xtest/Makefile | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/host/xtest/Makefile b/host/xtest/Makefile
-index 96746de..73731d0 100644
---- a/host/xtest/Makefile
-+++ b/host/xtest/Makefile
-@@ -174,7 +174,6 @@ CFLAGS += -Wall -Wcast-align -Werror \
- -Wshadow -Wstrict-prototypes -Wswitch-default \
- -Wwrite-strings \
- -Wno-declaration-after-statement \
-- -Wno-unsafe-loop-optimizations \
- -Wno-missing-field-initializers -Wno-format-zero-length
- endif
-
---
-2.17.1
-
diff --git a/meta-arm/recipes-security/optee/optee-test_3.11.0.bb b/meta-arm/recipes-security/optee/optee-test_3.11.0.bb
deleted file mode 100644
index 0f8b5b04..00000000
--- a/meta-arm/recipes-security/optee/optee-test_3.11.0.bb
+++ /dev/null
@@ -1,3 +0,0 @@
-require optee-test.inc
-
-SRCREV = "159e295d5cc3ad2275ab15fe544620f6604d4ba4"
diff --git a/meta-arm/recipes-security/optee/optee-test_4.2.0.bb b/meta-arm/recipes-security/optee/optee-test_4.2.0.bb
new file mode 100644
index 00000000..6317a72f
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-test_4.2.0.bb
@@ -0,0 +1,12 @@
+require recipes-security/optee/optee-test.inc
+
+SRCREV = "526d5bac1b65f907f67c05cd07beca72fbab88dd"
+SRC_URI += "file://0001-xtest-stats-remove-unneeded-stat.h-include.patch"
+
+# Include ffa_spmc test group if the SPMC test is enabled.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}"
+
+RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' arm-ffa-user', '' , d)}"
diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
index d093b48c..37676f14 100644
--- a/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/recipes-security/optee/optee.inc
@@ -1,17 +1,22 @@
UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
COMPATIBLE_MACHINE ?= "invalid"
-COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
# Please add supported machines below or set it in .bbappend or .conf
OPTEEMACHINE ?= "${MACHINE}"
-OPTEEMACHINE_aarch64_qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
OPTEE_ARCH = "null"
-OPTEE_ARCH_armv7a = "arm32"
-OPTEE_ARCH_aarch64 = "arm64"
+OPTEE_ARCH:arm = "arm32"
+OPTEE_ARCH:aarch64 = "arm64"
OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
+# FIXME - breaks with Clang 18. See https://github.com/OP-TEE/optee_os/issues/6754
+TOOLCHAIN = "gcc"
+
OPTEE_TOOLCHAIN = "${@d.getVar('TOOLCHAIN') or 'gcc'}"
OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${OPTEE_TOOLCHAIN}", "gcc", d)}"
@@ -20,8 +25,16 @@ OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${O
TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
EXTRA_OEMAKE += "V=1 \
- LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
+ LIBGCC_LOCATE_CFLAGS='${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}' \
COMPILER=${OPTEE_COMPILER} \
OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
TEEC_EXPORT=${STAGING_DIR_HOST}${prefix} \
"
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+CFLAGS += "--sysroot=${STAGING_DIR_HOST}"
+
+# See the rationale in https://github.com/f-secure-foundry/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2021-0001-OP-TEE_TrustZone_bypass.txt.
+CVE_STATUS[CVE-2021-36133] = "disputed: devices shipped open for development purposes"
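Review bot: `CVE_STATUS[CVE-2021-36133]` is set in the shared optee.inc, so the "disputed" status applies to every recipe and machine that includes this file. The stated reason covers only devices shipped open for development purposes. A layer that builds OP-TEE for a locked-down product inherits the suppression in its CVE report with no hint that the rationale may not hold there. I would state the scope in the comment, for example `# Status assumes a board left in its open/development configuration; product layers should re-assess this CVE for their platform.`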
diff --git a/meta-arm/recipes-security/packagegroups/packagegroup-ts-tests.bb b/meta-arm/recipes-security/packagegroups/packagegroup-ts-tests.bb
new file mode 100644
index 00000000..25ee2f5a
--- /dev/null
+++ b/meta-arm/recipes-security/packagegroups/packagegroup-ts-tests.bb
@@ -0,0 +1,28 @@
+SUMMARY = "Trusted Services test/demo linux tools"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit packagegroup
+
+COMPATIBLE_HOST = "aarch64.*-linux"
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
+
+PACKAGES = "${PN} ${PN}-psa"
+
+RDEPENDS:${PN} = "\
+ ts-demo \
+ ts-service-test \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', 'ts-remote-test', '' , d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', 'ts-uefi-test', '' , d)} \
+"
+
+SUMMARY:${PN}-psa = "PSA certification tests (psa-arch-test) for TS SPs"
+RDEPENDS:${PN}-psa = "\
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', 'ts-psa-crypto-api-test', '' , d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', 'ts-psa-its-api-test', '' , d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', 'ts-psa-ps-api-test', '' , d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', 'ts-psa-iat-api-test', '' , d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
+ 'ts-psa-crypto-api-test ts-psa-its-api-test ts-psa-ps-api-test ts-psa-iat-api-test', '' , d)} \
+"
diff --git a/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch b/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
new file mode 100644
index 00000000..bcffa4b8
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
@@ -0,0 +1,100 @@
+From 9fbeb9dd8c4f2c842248541b73e4cff9c6f8d26e Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <gyorgy.szing@arm.com>
+Date: Wed, 27 Mar 2024 21:53:51 +0000
+Subject: [PATCH 1/1] Allow configuring flash image files compile time
+
+Allow configuring image file PATH name for file and semihosted
+block_store using CMake build options.
+
+Upstream-Status: Pending
+
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+---
+ .../block_storage/factory/file/block_store_factory.c | 6 +++++-
+ .../service/block_storage/factory/file/component.cmake | 6 +++++-
+ .../block_storage/factory/semihosting/block_store_factory.c | 6 +++++-
+ .../block_storage/factory/semihosting/component.cmake | 6 +++++-
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/block_storage/factory/file/block_store_factory.c b/components/service/block_storage/factory/file/block_store_factory.c
+index c6915107b..ef05ee791 100644
+--- a/components/service/block_storage/factory/file/block_store_factory.c
++++ b/components/service/block_storage/factory/file/block_store_factory.c
+@@ -25,6 +25,10 @@
+ #define FILE_BLOCK_SIZE (512)
+ #endif
+
++#ifndef FILE_BLK_FILE_NAME
++#define FILE_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ static char disk_img_filename[256];
+
+ struct block_store_assembly {
+@@ -60,7 +64,7 @@ struct block_store *file_block_store_factory_create(void)
+
+ /* Ensure disk image filename is set */
+ if (disk_img_filename[0] == '\0')
+- file_block_store_factory_set_filename("secure-flash.img");
++ file_block_store_factory_set_filename(FILE_BLK_FILE_NAME);
+
+ /* Initialise a file_block_store to provide underlying storage */
+ struct block_store *secure_flash = file_block_store_init(
+diff --git a/components/service/block_storage/factory/file/component.cmake b/components/service/block_storage/factory/file/component.cmake
+index 644f03972..fa15d1399 100644
+--- a/components/service/block_storage/factory/file/component.cmake
++++ b/components/service/block_storage/factory/file/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "file_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(FILE_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS FILE_BLK_FILE_NAME="${FILE_BLK_FILE_NAME}")
++message(status "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")
+diff --git a/components/service/block_storage/factory/semihosting/block_store_factory.c b/components/service/block_storage/factory/semihosting/block_store_factory.c
+index 8e58e3638..09bdb74eb 100644
+--- a/components/service/block_storage/factory/semihosting/block_store_factory.c
++++ b/components/service/block_storage/factory/semihosting/block_store_factory.c
+@@ -21,6 +21,10 @@
+ /* Most common block size for UEFI volumes */
+ #define SEMIHOSTING_BLOCK_SIZE (512)
+
++#ifndef SEMIHOSTING_BLK_FILE_NAME
++#define SEMIHOSTING_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ struct block_store_assembly
+ {
+ struct semihosting_block_store semihosting_block_store;
+@@ -55,7 +59,7 @@ struct block_store *semihosting_block_store_factory_create(void)
+ /* Initialise a semihosting_block_store to provide underlying storage */
+ struct block_store *secure_flash = semihosting_block_store_init(
+ &assembly->semihosting_block_store,
+- "secure-flash.img",
++ SEMIHOSTING_BLK_FILE_NAME,
+ SEMIHOSTING_BLOCK_SIZE);
+
+ if (secure_flash) {
+diff --git a/components/service/block_storage/factory/semihosting/component.cmake b/components/service/block_storage/factory/semihosting/component.cmake
+index 97affaf49..98d6dcdcb 100644
+--- a/components/service/block_storage/factory/semihosting/component.cmake
++++ b/components/service/block_storage/factory/semihosting/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "semihosting_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(SEMIHOSTING_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS SEMIHOSTING_BLK_FILE_NAME="${SEMIHOSTING_BLK_FILE_NAME}")
++message(status "Block storage semihosting image file PATH is ${SEMIHOSTING_BLK_FILE_NAME}")
+\ No newline at end of file
+--
+2.34.1
+
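Review bot: Both added `message(status "...")` calls in the component.cmake files use a lowercase mode keyword. CMake mode keywords are case-sensitive, so `status` becomes part of the message text and the line is printed as a plain notice, not a STATUS line. They should read `message(STATUS "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")` and likewise for `SEMIHOSTING_BLK_FILE_NAME`. The cache entries are declared `CACHE PATH` although they name a file, so `FILEPATH` is the matching type. In the file factory the configured name ends up in `disk_img_filename[256]` through `file_block_store_factory_set_filename()`, whose body is outside the hunk; it is worth confirming that over-long configured paths are rejected there and not silently truncated.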
diff --git a/meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch b/meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch
new file mode 100644
index 00000000..516aa55f
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/files/0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch
@@ -0,0 +1,32 @@
+From 3f9b148fe3cad9f1bc6eb08ff8807c54dec5b8d9 Mon Sep 17 00:00:00 2001
+From: Anton Antonov <Anton.Antonov@arm.com>
+Date: Tue, 11 Oct 2022 16:17:15 +0100
+Subject: [PATCH] Pass Yocto build settings to psa-arch-tests native build
+
+PSA-arch-tests need to build a native executable as a part of target build.
+The patch defines correct toolchain settings for native builds.
+
+Upstream-Status: Inappropriate [Yocto build specific change]
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+---
+ api-tests/tools/scripts/target_cfg/CMakeLists.txt | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/api-tests/tools/scripts/target_cfg/CMakeLists.txt b/api-tests/tools/scripts/target_cfg/CMakeLists.txt
+index 259eb9c..fec1fb8 100644
+--- a/api-tests/tools/scripts/target_cfg/CMakeLists.txt
++++ b/api-tests/tools/scripts/target_cfg/CMakeLists.txt
+@@ -26,7 +26,9 @@ include("common/CMakeSettings")
+ include("common/Utils")
+
+ # Causes toolchain to be re-evaluated
+-unset(ENV{CC})
++set(ENV{CC} $ENV{BUILD_CC})
++set(ENV{CFLAGS} $ENV{BUILD_CFLAGS})
++set(ENV{LDFLAGS} $ENV{BUILD_LDFLAGS})
+
+ # Let the CMake look for C compiler
+ project(TargetConfigGen LANGUAGES C)
+--
+2.25.1
+
diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
new file mode 100644
index 00000000..43fafd8c
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -0,0 +1,7 @@
+# tee devices can only be accessed by the teeclnt group members
+KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
+ TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
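Review bot: The `teepriv[0-9]*` rule assigns `GROUP="tee"`, but the libts recipe that installs this file only creates the `teeclnt` group through `GROUPADD_PARAM`. Unless another package on the image creates `tee` (presumably optee-client, which is not visible here), udev cannot resolve the group and the privileged node would presumably not get the intended ownership. I would document the dependency in the comment, for example `# The "tee" group is expected to be created by the tee-supplicant package`. It is also worth checking that this file does not duplicate rules already shipped for the same devices.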
diff --git a/meta-arm/recipes-security/trusted-services/libts_%.bbappend b/meta-arm/recipes-security/trusted-services/libts_%.bbappend
new file mode 100644
index 00000000..9156e022
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts_%.bbappend
@@ -0,0 +1,4 @@
+# Update MM communication buffer address for qemuarm64 machine
+EXTRA_OECMAKE:append:qemuarm64-secureboot = "-DMM_COMM_BUFFER_ADDRESS=0x42000000 \
+ -DMM_COMM_BUFFER_SIZE=0x1000 \
+"
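Review bot: The appended value on the `EXTRA_OECMAKE:append:qemuarm64-secureboot` line starts directly with `-DMM_COMM_BUFFER_ADDRESS`, and `:append` does not insert a separator. Unless the existing `EXTRA_OECMAKE` value happens to end in whitespace, the option is glued onto the previous argument and the buffer address is never passed as its own definition. The other appends in this commit (optee-os_4.%.bbappend, optee-test_4.2.0.bb) begin their value with a space. The line should start `EXTRA_OECMAKE:append:qemuarm64-secureboot = " -DMM_COMM_BUFFER_ADDRESS=0x42000000 \`.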
diff --git a/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/recipes-security/trusted-services/libts_git.bb
new file mode 100644
index 00000000..789bde7c
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts_git.bb
@@ -0,0 +1,42 @@
+DESCRIPTION = "Trusted Services libts library for the arm-linux enviroment. \
+ Used for locating and accessing services from a Linux userspace client"
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+SRC_URI += "file://tee-udev.rules \
+ "
+
+OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"
+
+DEPENDS += "arm-tstee arm-ffa-user"
+RRECOMMENDS:${PN} += "arm-tstee"
+
+# Unix group name for dev/tee* ownership.
+TEE_GROUP_NAME ?= "teeclnt"
+
+do_install:append () {
+ if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
+ install -d ${D}${nonarch_base_libdir}/udev/rules.d/
+ install -m 755 ${WORKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
+ sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
+ fi
+
+ # Move the dynamic libraries into the standard place.
+ install -d ${D}${libdir}
+ mv ${D}${TS_INSTALL}/lib/libts* ${D}${libdir}
+
+ # Update generated cmake file to use correct paths.
+ target_cmake=$(find ${D}${TS_INSTALL}/lib/cmake/libts -type f -iname "libtsTargets-*.cmake")
+ if [ ! -z "$target_cmake" ]; then
+ sed -i -e "s#/${TS_ENV}##g" $target_cmake
+ fi
+}
+
+inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
+
+FILES:${PN} = "${libdir}/libts.so.* ${nonarch_base_libdir}/udev/rules.d/"
+FILES:${PN}-dev = "${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts.so"
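Review bot: In `do_install:append` the udev rules file is installed with `install -m 755`, but it is a data file that controls access to the TEE device nodes and needs no execute bits. The line should be `install -m 0644 ${WORKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/`. The following `sed` rewrites the literal `teeclnt` wherever it first appears on a line, so it also edits the comment text and breaks silently if the rules file is reworded; a dedicated placeholder token in the rules file would be more robust. When `VIRTUAL-RUNTIME_dev_manager` is `busybox-mdev`, neither the rules nor the group are installed, which deserves a comment on how `/dev/tee*` permissions are set in that configuration.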
diff --git a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
new file mode 100644
index 00000000..e05aadd7
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
@@ -0,0 +1,77 @@
+# Define sources of Trusted Service and all external dependencies
+
+LICENSE = "Apache-2.0 & BSD-3-Clause & BSD-2-Clause & Zlib"
+
+SRC_URI = "git://git.trustedfirmware.org/TS/trusted-services.git;protocol=https;branch=main;name=trusted-services;destsuffix=git/trusted-services \
+"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI:append = "\
+ file://0001-Allow-configuring-flash-image-files-compile-time.patch \
+"
+
+# Trusted Services; aka. 2024 April 19
+SRCREV_trusted-services = "602be607198ea784bc5ab1c0c9d3ac4e2c67f1d9"
+LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4"
+
+S = "${WORKDIR}/git/trusted-services"
+PV ?= "0.0+git"
+
+# DTC, tag "v1.6.1"
+SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;destsuffix=git/dtc"
+SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81"
+LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e"
+
+# MbedTLS, tag "v3.5.1"
+SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls"
+SRCREV_mbedtls = "15254759342494c7e969766d5424d78d7deb9bfa"
+LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
+
+# Nanopb, tag "nanopb-0.4.7" plus some further fixes
+SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb"
+SRCREV_nanopb = "dbbf5d8992295aae669b8071eadad02f87d5faf0"
+LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f"
+
+# qcbor, tag "v1.0.0"
+SRC_URI += "git://github.com/laurencelundblade/QCBOR.git;name=qcbor;protocol=https;branch=master;destsuffix=git/qcbor"
+SRCREV_qcbor = "56b17bf9f74096774944bcac0829adcd887d391e"
+LIC_FILES_CHKSUM += "file://../qcbor/README.md;md5=e8ff2e88a722cdc55eddd0bb9aeca002"
+
+# T_Cose
+SRC_URI += "git://github.com/laurencelundblade/t_cose.git;name=tcose;protocol=https;branch=master;destsuffix=git/tcose"
+SRCREV_tcose = "fc3a4b2c7196ff582e8242de8bd4a1bc4eec577f"
+LIC_FILES_CHKSUM += "file://../tcose/LICENSE;md5=b2ebdbfb82602b97aa628f64cf4b65ad"
+
+# CppUTest, tag "v3.8"
+SRC_URI += "git://github.com/cpputest/cpputest.git;name=cpputest;protocol=https;branch=master;destsuffix=git/cpputest"
+SRCREV_cpputest = "e25097614e1c4856036366877a02346c4b36bb5b"
+LIC_FILES_CHKSUM += "file://../cpputest/COPYING;md5=ce5d5f1fe02bcd1343ced64a06fd4177"
+
+SRCREV_FORMAT = "trusted-services_dtc_mbedtls_nanopb_qcbor_tcose_cpputest"
+
+inherit apply_local_src_patches
+LOCAL_SRC_PATCHES_INPUT_DIR = "N/A"
+
+do_apply_local_src_patches() {
+ apply_local_src_patches ${S}/external/qcbor ${WORKDIR}/git/qcbor
+ apply_local_src_patches ${S}/external/t_cose ${WORKDIR}/git/tcose
+ apply_local_src_patches ${S}/external/MbedTLS ${WORKDIR}/git/mbedtls
+ apply_local_src_patches ${S}/external/CppUTest ${WORKDIR}/git/cpputest
+ apply_local_src_patches ${S}/external/libfdt ${WORKDIR}/git/dtc
+ apply_local_src_patches ${S}/external/nanopb ${WORKDIR}/git/nanopb
+}
+
+do_config:append:() {
+ # Fine tune MbedTLS configuration for crypto only operation.
+ sh -c "cd ${WORKDIR}/git/mbedtls; python3 scripts/config.py crypto"
+}
+
+# Paths to dependencies required by some TS SPs/tools
+EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \
+ -DCPPUTEST_SOURCE_DIR=${WORKDIR}/git/cpputest \
+ -DNANOPB_SOURCE_DIR=${WORKDIR}/git/nanopb \
+ -DT_COSE_SOURCE_DIR=${WORKDIR}/git/tcose \
+ -DQCBOR_SOURCE_DIR=${WORKDIR}/git/qcbor \
+ -DMBEDTLS_SOURCE_DIR=${WORKDIR}/git/mbedtls \
+ "
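Review bot: `do_config:append:()` does not name a task that is visible in this diff (the inherited cmake class provides `do_configure`), and the override ends in a stray colon. The `config.py crypto` step may therefore never run, in which case MbedTLS would presumably be built with its default configuration rather than the crypto-only one the comment describes. If the step is meant to run before CMake configures the sources, the header would be `do_configure:prepend() {`. Inside the body, `sh -c "cd ${WORKDIR}/git/mbedtls && python3 scripts/config.py crypto"` keeps the script from running in the wrong directory when the `cd` fails.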
diff --git a/meta-arm/recipes-security/trusted-services/trusted-services.inc b/meta-arm/recipes-security/trusted-services/trusted-services.inc
new file mode 100644
index 00000000..272e9106
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/trusted-services.inc
@@ -0,0 +1,58 @@
+SUMMARY ?= "The Trusted Services: framework for developing root-of-trust services"
+HOMEPAGE = "https://trusted-services.readthedocs.io/en/latest/index.html"
+
+LICENSE = "Apache-2.0 & BSD-3-Clause & Zlib"
+
+inherit python3native cmake pkgconfig
+
+COMPATIBLE_HOST = "aarch64.*-linux"
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
+
+require trusted-services-src.inc
+
+# By default bitbake includes only ${S} (i.e git/trusted-services) in the maps.
+# We also need to include the TS dependencies source trees.
+DEBUG_PREFIX_MAP:append = "-fmacro-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+ -fdebug-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+"
+
+TS_PLATFORM ?= "ts/mock"
+
+# SP images are embedded into optee-os image
+# FIP packaging is not supported yet
+SP_PACKAGING_METHOD ?= "embedded"
+
+SYSROOT_DIRS += "/usr/${TS_ENV} /usr/opteesp /usr/arm-linux"
+
+# TS cmake files use find_file() to search through source code and build dirs.
+# Yocto cmake class limits CMAKE_FIND_ROOT_PATH and find_file() fails.
+# Include the source tree and build dirs into searchable path.
+OECMAKE_EXTRA_ROOT_PATH = "${WORKDIR}/git/ ${WORKDIR}/build/"
+
+EXTRA_OECMAKE += '-DLIBGCC_LOCATE_CFLAGS="--sysroot=${STAGING_DIR_HOST}" \
+ -DCROSS_COMPILE="${TARGET_PREFIX}" \
+ -DTS_PLATFORM="${TS_PLATFORM}" \
+ '
+export CROSS_COMPILE="${TARGET_PREFIX}"
+
+# Default TS installation path
+TS_INSTALL = "/usr/${TS_ENV}"
+
+# Use the Yocto cmake toolchain for external components of the arm-linux TS deployments,
+# and the TS toolchain for opteesp and sp deployments
+def get_ts_toolchain_option(d):
+ ts_env=d.getVar('TS_ENV')
+ if ts_env == 'opteesp' or ts_env == 'sp':
+ return '-DCMAKE_TOOLCHAIN_FILE=${S}/environments/'+ts_env+'/default_toolchain_file.cmake'
+ if ts_env == 'arm-linux':
+ return '-DTS_EXTERNAL_LIB_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake'
+ bb.error("Unkown value \"%s\" for TS_ENV." % (ts_env))
+ return ''
+
+EXTRA_OECMAKE += "${@get_ts_toolchain_option(d)}"
+
+# Paths to pre-built dependencies required by some TS SPs/tools
+EXTRA_OECMAKE += "-Dlibts_ROOT=${STAGING_DIR_HOST}${TS_INSTALL}/lib/cmake/libts/ \
+ -DNEWLIB_INSTALL_DIR=${STAGING_DIR_HOST}/usr/opteesp/newlib \
+ "
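Review bot: `DEBUG_PREFIX_MAP:append = "-fmacro-prefix-map=…` has no leading space, and `:append` concatenates without adding one, so the first flag is glued to the end of the existing value unless that value ends in whitespace. That would give one malformed option and no macro prefix map for `${WORKDIR}/git`, leaving build-host paths in `__FILE__` strings from the dependency trees. The value should start with a space: `DEBUG_PREFIX_MAP:append = " -fmacro-prefix-map=${WORKDIR}/git=… \`. The same missing space occurs in `EXTRA_OECMAKE:append` in ts-sp-fwu_git.bb and in `EXTRA_OECMAKE:append:qemuarm64-secureboot` in ts-sp-smm-gateway_%.bbappend. Separately, `get_ts_toolchain_option` calls `bb.error` and returns `''` for an unknown `TS_ENV`, where `bb.fatal` would stop at that point.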
diff --git a/meta-arm/recipes-security/trusted-services/ts-demo_git.bb b/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
new file mode 100644
index 00000000..a17c1720
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-demo_git.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "Trusted Services ts-demo deployment for arm-linux. \
+ Used for running simple TS demo from Linux user-space \
+ on an Arm platform with real deployments of trusted services."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "python3-jsonschema-native python3-jinja2-native"
+DEPENDS += "libts"
+RDEPENDS:${PN} += "libts"
+
+OECMAKE_SOURCEPATH="${S}/deployments/ts-demo/${TS_ENV}"
+
+# Mbedtls 3.1.0 does not compile with clang.
+# This can be removed after TS updated required mbedtls version
+TOOLCHAIN = "gcc"
+
+FILES:${PN} = "${bindir}/ts-demo"
+
+# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this
+# compilation flag is used.
+lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/ts-demo ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
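Review bot: The `lcl_maybe_fortify` override appears to drop `_FORTIFY_SOURCE` for everything this recipe compiles, including ts-demo's own Linux user-space code and not only the bundled MbedTLS. The TODO above it also reads as if the flag were still to be removed, rather than the workaround. A clearer comment would be `# Workaround: build without _FORTIFY_SOURCE because the bundled MbedTLS fails to build with it; delete this override once that is fixed.` The clang comment names Mbedtls 3.1.0 while trusted-services-src.inc pins tag v3.5.1, so it is worth rechecking whether `TOOLCHAIN = "gcc"` is still needed. Both settings are repeated in ts-psa-iat-api-test_git.bb.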
diff --git a/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
new file mode 100644
index 00000000..669e87ae
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "Newlib static libraries built with Trusted Services opteesp deployment options"
+
+TS_ENV = "opteesp"
+
+require trusted-services.inc
+
+SRC_URI += "git://sourceware.org/git/newlib-cygwin.git;name=newlib;protocol=https;branch=master;destsuffix=git/newlib \
+"
+
+# tag "newlib-4.1.0"
+SRCREV_newlib = "415fdd4279b85eeec9d54775ce13c5c412451e08"
+LIC_FILES_CHKSUM += "file://../newlib/COPYING.NEWLIB;md5=b8dda70da54e0efb49b1074f349d7749"
+
+# Newlib does not compile with clang
+TOOLCHAIN = "gcc"
+
+EXTRA_OECMAKE += '-DNEWLIB_SOURCE_DIR=${WORKDIR}/git/newlib \
+ -DNEWLIB_CFLAGS="--sysroot=${STAGING_DIR_HOST}" \
+ '
+
+OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/"
+
+# TS ships a patch that needs to be applied to newlib
+apply_ts_patch() {
+ ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am )
+}
+do_patch[postfuncs] += "apply_ts_patch"
+
+FILES:${PN}-dev = "${TS_INSTALL}/newlib"
+FILES:${PN}-staticdev = "${TS_INSTALL}/newlib/*/lib/*.a"
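Review bot: `apply_ts_patch` runs five git commands on one line separated by `;`, with no explanation of why it stashes, creates `bf_am` and resets back to it. Chaining with `&&` stops the sequence at a failed `cd` or `git am` regardless of shell flags: `( cd ${WORKDIR}/git/newlib && git stash && git branch -f bf_am && git am ${S}/external/newlib/*.patch && git reset bf_am )`. If the aim is to keep the patched files in the work tree without moving HEAD off the pinned revision, a comment saying so would help the next maintainer, e.g. `# git am the TS patches, then reset to the saved branch so HEAD stays at SRCREV_newlib`.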
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc b/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
new file mode 100644
index 00000000..93051bf3
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-api-test-common_git.inc
@@ -0,0 +1,32 @@
+SUMMARY = "Parts of PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "python3-jsonschema-native python3-jinja2-native"
+
+DEPENDS += "libts"
+RDEPENDS:${PN} += "libts"
+
+SRC_URI += "git://github.com/ARM-software/psa-arch-tests.git;name=psatest;protocol=https;branch=main;destsuffix=git/psatest \
+ file://0001-Pass-Yocto-build-settings-to-psa-arch-tests-native.patch;patchdir=../psatest \
+ "
+
+SRCREV_psatest = "74dc6646ff594e131a726a5305aba77bac30eceb"
+LIC_FILES_CHKSUM += "file://../psatest/LICENSE.md;md5=2a944942e1496af1886903d274dedb13"
+
+EXTRA_OECMAKE += "-DPSA_ARCH_TESTS_SOURCE_DIR=${WORKDIR}/git/psatest"
+
+do_apply_local_src_patches:append() {
+ apply_local_src_patches ${S}/external/psa_arch_tests ${WORKDIR}/git/psatest
+}
+
+FILES:${PN} = "${bindir}/${PSA_TEST}"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/${PSA_TEST} ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
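Review bot: This include uses `${PSA_TEST}` in `FILES:${PN}` and in the `mv` of `do_install:append` but never sets or documents it, so it works only when the including recipe defines the variable. A header comment would make the contract explicit: `# PSA_TEST: name of the test binary; must be set by the recipe that requires this file.` `SRCREV_psatest` also lacks the upstream tag or version comment that most pins in trusted-services-src.inc carry, which makes the revision harder to audit.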
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb
new file mode 100644
index 00000000..710d3778
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Crypto PSA certification tests (psa-arch-test)"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/crypto/${TS_ENV}"
+
+PSA_TEST = "psa-crypto-api-test"
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
new file mode 100644
index 00000000..c39554a6
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb
@@ -0,0 +1,25 @@
+DESCRIPTION = "Initial Attestation PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/initial_attestation/${TS_ENV}"
+
+PSA_TEST = "psa-iat-api-test"
+
+# psa-arch-tests for INITIAL_ATTESTATION suite can't be built with pre-built qcbor
+# Fetch qcbor sources as a temp work-around and pass PSA_TARGET_QCBOR to psa-arch-tests
+SRC_URI += "git://github.com/laurencelundblade/QCBOR.git;name=psaqcbor;protocol=https;branch=master;destsuffix=git/psaqcbor \
+ "
+SRCREV_psaqcbor = "42272e466a8472948bf8fca076d113b81b99f0e0"
+
+EXTRA_OECMAKE += "-DPSA_TARGET_QCBOR=${WORKDIR}/git/psaqcbor \
+ "
+# TODO: remove FORTIFY_SOURCE as MbedTLS fails to build in yocto if this
+# compilation flag is used.
+lcl_maybe_fortify = "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL}',d)}"
+
+# Mbedtls 3.1.0 does not compile with clang.
+# This can be removed after TS updated required mbedtls version
+TOOLCHAIN = "gcc"
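Review bot: `SRCREV_psaqcbor` adds a second QCBOR checkout at a different revision from `SRCREV_qcbor` in trusted-services-src.inc, and unlike the other sources fetched in this diff it has no `LIC_FILES_CHKSUM` entry. The license check should cover it too, e.g. `LIC_FILES_CHKSUM += "file://../psaqcbor/README.md;md5=<md5 of README.md at SRCREV_psaqcbor>"`. A comment stating which upstream QCBOR version this hash corresponds to would also help, since the work-around comment only says the pre-built qcbor cannot be used.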
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb
new file mode 100644
index 00000000..32f2890b
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Internal Trusted Storage PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/internal_trusted_storage/${TS_ENV}"
+
+PSA_TEST = "psa-its-api-test"
diff --git a/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb
new file mode 100644
index 00000000..bcf16712
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Protected Storage PSA certification tests (psa-arch-test) for Trusted Services"
+
+TS_ENV = "arm-linux"
+
+require ts-psa-api-test-common_${PV}.inc
+
+OECMAKE_SOURCEPATH = "${S}/deployments/psa-api-test/protected_storage/${TS_ENV}"
+
+PSA_TEST = "psa-ps-api-test"
diff --git a/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb
new file mode 100644
index 00000000..1633ecfe
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-remote-test_git.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "Trusted Services ts-remote-test deployment for arm-linux."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "libts"
+RDEPENDS:${PN} += "libts"
+
+OECMAKE_SOURCEPATH = "${S}/deployments/ts-remote-test/${TS_ENV}"
+
+FILES:${PN} = "${bindir}/ts-remote-test"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/ts-remote-test ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb
new file mode 100644
index 00000000..3278c6c6
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-service-test_git.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "Trusted Services ts-service-test deployment for arm-linux. \
+ Used for running service level tests from Linux user-space \
+ on an Arm platform with real deployments of trusted services."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "libts python3-protobuf-native"
+RDEPENDS:${PN} += "libts"
+
+OECMAKE_SOURCEPATH = "${S}/deployments/ts-service-test/${TS_ENV}"
+
+FILES:${PN} = "${bindir}/ts-service-test"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/ts-service-test ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
new file mode 100644
index 00000000..6cddfb03
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services attestation service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ATTESTATION_UUID}"
+TS_SP_IAT_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/attestation/config/${TS_SP_IAT_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb
new file mode 100644
index 00000000..efbaad14
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-block-storage_git.bb
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: <text>Copyright 2023 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services block storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${BLOCK_STORAGE_UUID}"
+TS_SP_BLOCK_STORAGE_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/block-storage/config/${TS_SP_BLOCK_STORAGE_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
new file mode 100644
index 00000000..c8b1409c
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
@@ -0,0 +1,43 @@
+# Common part of all Trusted Services SPs recipes
+
+TS_ENV ?= "opteesp"
+
+require trusted-services.inc
+require ts-uuid.inc
+
+DEPENDS += "dtc-native ts-newlib"
+DEPENDS += "${@oe.utils.conditional('TS_ENV','sp','python3-pyelftools-native','', d)}"
+
+FILES:${PN}-dev = "${TS_INSTALL}"
+
+# Secure Partition DTS file might be updated in bbapend files
+SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts"
+
+do_install:append() {
+ # Generate SP DTB which will be included automatically by optee-os build process
+ dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE}
+
+ # We do not need libs and headers
+ rm -rf --one-file-system ${D}${TS_INSTALL}/lib
+ rm -rf --one-file-system ${D}${TS_INSTALL}/include
+}
+
+# Use Yocto debug prefix maps for compiling assembler.
+EXTRA_OECMAKE += '-DCMAKE_ASM_FLAGS="${DEBUG_PREFIX_MAP}"'
+
+# Ignore that SP stripped.elf does not have GNU_HASH
+# Older versions of optee support SYSV hash only.
+INSANE_SKIP:${PN}-dev += "ldflags"
+
+# Trusted Services SPs do not compile with clang
+TOOLCHAIN = "gcc"
+
+# FORTIFY_SOURCE is a glibc feature. Disable it for all SPs as these do not use glibc.
+TARGET_CFLAGS:remove = "-D_FORTIFY_SOURCE=2"
+OECMAKE_C_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
+OECMAKE_CXX_FLAGS:remove = "-D_FORTIFY_SOURCE=2"
+
+# Override yoctos default linux specific toolchain file. trusted-services.inc
+# will add a proper tooclhain option.
+OECMAKE_ARGS:remove="-DCMAKE_TOOLCHAIN_FILE:FILEPATH=${WORKDIR}/toolchain.cmake"
+
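Review bot: The three `:remove` lines strip only the exact string `-D_FORTIFY_SOURCE=2`, so a distro configuration that sets a different level would leave the flag in the SP build with no warning. The comment could record that, e.g. `# Matches level 2 only; update if the distro's fortify level changes.` ts-demo_git.bb and ts-psa-iat-api-test_git.bb disable the same flag by overriding `lcl_maybe_fortify` instead, and using one mechanism throughout would make the hardening exceptions easier to audit. `INSANE_SKIP:${PN}-dev += "ldflags"` is a further QA exception, and its comment could say which optee-os versions still need it, if known.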
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
new file mode 100644
index 00000000..867e4a81
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
@@ -0,0 +1,10 @@
+DESCRIPTION = "Trusted Services crypto service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${CRYPTO_UUID}"
+TS_SP_CRYPTO_CONFIG ?= "default"
+
+DEPENDS += "python3-protobuf-native python3-jsonschema-native python3-jinja2-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/crypto/config/${TS_SP_CRYPTO_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
new file mode 100644
index 00000000..02f58fb4
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: <text>Copyright 2024 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services Firmware Update Service provider"
+
+require ts-sp-common.inc
+inherit deploy
+
+SP_UUID = "${FWU_UUID}"
+TS_SP_FWU_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"
+
+# The GPT parser component is needed from TF-A
+SRC_URI += "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;name=tfa;protocol=https;branch=master;destsuffix=git/tf-a"
+SRCREV_tfa = "v2.7.0"
+LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+do_apply_local_src_patches:append() {
+ apply_local_src_patches ${S}/external/tf_a ${WORKDIR}/git/tf-a
+}
+
+EXTRA_OECMAKE:append = "-DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"
+
+# Deploy the secure flash image.
+do_deploy() {
+ cp -v ${S}/components/media/disk/disk_images/multi_location_fw.img ${DEPLOYDIR}/secure-flash.img
+}
+addtask deploy after do_compile
+
+EXTRA_OECMAKE:append:qemuall = " -DSEMIHOSTING_BLK_FILE_NAME:STRING=${@oe.path.relative('${TMPDIR}', '${DEPLOY_DIR_IMAGE}')}/secure-flash.img"
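Review bot: `SRCREV_tfa = "v2.7.0"` pins TF-A by tag name, while the other `SRCREV_*` values in this diff are full commit hashes. A tag can be moved upstream and has to be resolved over the network, so the recipe does not fix which GPT parser code gets fetched. Pin the commit the tag points to and keep the tag in a comment: `SRCREV_tfa = "<commit hash of v2.7.0>"`. On the next line, `LIC_FILES_CHKSUM = …` assigns rather than appends, which discards the checksums collected in trusted-services-src.inc; `LIC_FILES_CHKSUM += …` would keep them.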
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
new file mode 100644
index 00000000..5472dbda
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services internal secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ITS_UUID}"
+TS_SP_ITS_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/config/${TS_SP_ITS_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
new file mode 100644
index 00000000..26781434
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
@@ -0,0 +1,10 @@
+DESCRIPTION = "Trusted Services proxy service providers"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SE_PROXY_UUID}"
+TS_SP_SE_PROXY_CONFIG ?= "default"
+
+DEPENDS += "python3-protobuf-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/config/${TS_SP_SE_PROXY_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
new file mode 100644
index 00000000..c485a562
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
@@ -0,0 +1,5 @@
+
+# Update MM communication buffer address for qemuarm64 machine
+EXTRA_OECMAKE:append:qemuarm64-secureboot = "-DMM_COMM_BUFFER_ADDRESS="0x00000000 0x42000000" \
+ -DMM_COMM_BUFFER_PAGE_COUNT="1" \
+"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
new file mode 100644
index 00000000..752f7fe7
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services service provider for UEFI SMM services"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SMM_GATEWAY_UUID}"
+TS_SP_SMM_GATEWAY_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
new file mode 100644
index 00000000..5c0d6865
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test-common.inc
@@ -0,0 +1,10 @@
+DESCRIPTION = "Trusted Services SPMC test SPs"
+
+# spm test SP only supports opteesp.
+TS_ENV = 'opteesp'
+
+require ts-sp-common.inc
+
+SP_UUID = "${SPM_TEST${SP_INDEX}_UUID}"
+SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts"
+OECMAKE_SOURCEPATH="${S}/deployments/spm-test${SP_INDEX}/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb
new file mode 100644
index 00000000..4cbb970b
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test1_git.bb
@@ -0,0 +1,5 @@
+DESCRIPTION = "Trusted Services SPMC test SP1"
+
+SP_INDEX="1"
+
+require ts-sp-spm-test-common.inc
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb
new file mode 100644
index 00000000..e6fb822b
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test2_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP2"
+
+SP_INDEX="2"
+
+require ts-sp-spm-test-common.inc
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb
new file mode 100644
index 00000000..ad3ee76e
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test3_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP3"
+
+SP_INDEX="3"
+
+require ts-sp-spm-test-common.inc
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb
new file mode 100644
index 00000000..2ee69c1f
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-spm-test4_git.bb
@@ -0,0 +1,6 @@
+DESCRIPTION = "Trusted Services SPMC test SP4"
+
+SP_INDEX="4"
+
+require ts-sp-spm-test-common.inc
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
new file mode 100644
index 00000000..5b2f47b3
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
@@ -0,0 +1,8 @@
+DESCRIPTION = "Trusted Services secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${STORAGE_UUID}"
+TS_SP_PS_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/config/${TS_SP_PS_CONFIG}-${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb
new file mode 100644
index 00000000..5be436b6
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-uefi-test_git.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "Trusted Services uefi-test deployment for arm-linux. \
+ Used for running service level tests from Linux user-space \
+ on an Arm platform with real deployments of UEFI SMM services."
+
+TS_ENV = "arm-linux"
+
+require trusted-services.inc
+
+DEPENDS += "libts python3-protobuf-native"
+RDEPENDS:${PN} += "libts arm-ffa-user"
+
+OECMAKE_SOURCEPATH = "${S}/deployments/uefi-test/${TS_ENV}"
+
+FILES:${PN} = "${bindir}/uefi-test"
+
+do_install:append () {
+ install -d ${D}${bindir}
+ mv ${D}${TS_INSTALL}/bin/uefi-test ${D}${bindir}
+
+ rm -r --one-file-system ${D}${TS_INSTALL}
+}
diff --git a/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
new file mode 100644
index 00000000..810ffa5e
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
@@ -0,0 +1,15 @@
+# Trusted Services SPs canonical UUIDs
+
+ATTESTATION_UUID = "a1baf155-8876-4695-8f7c-54955e8db974"
+CRYPTO_UUID = "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"
+ENV_TEST_UUID = "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"
+ITS_UUID = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"
+SE_PROXY_UUID = "46bb39d1-b4d9-45b5-88ff-040027dab249"
+SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7"
+STORAGE_UUID = "751bf801-3dde-4768-a514-0f10aeed1790"
+SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37"
+SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a"
+SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
+SPM_TEST4_UUID = "423762ed-7772-406f-99d8-0c27da0abbf8"
+FWU_UUID = "6823a838-1b06-470e-9774-0cce8bfb53fd"
+BLOCK_STORAGE_UUID = "63646e80-eb52-462f-ac4f-8cdf3987519c"