Diffstat (limited to 'recipes-security')
16 files changed, 566 insertions, 56 deletions
diff --git a/recipes-security/optee-imx/optee-client_3.15.0.imx.bb b/recipes-security/optee-imx/optee-client_3.19.0.imx.bb index 53ee5bc4..b0fb9178 100644 --- a/recipes-security/optee-imx/optee-client_3.15.0.imx.bb +++ b/recipes-security/optee-imx/optee-client_3.19.0.imx.bb @@ -5,28 +5,26 @@ HOMEPAGE = "http://www.optee.org/" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b" -SRCBRANCH = "lf-5.15.5_1.0.0" SRC_URI = " \ - git://source.codeaurora.org/external/imx/imx-optee-client.git;protocol=https;branch=${SRCBRANCH} \ - file://tee-supplicant.service \ -" - -SRCREV = "182874320395787a389e5b0f7df02b32f3c0a1b0" + git://github.com/nxp-imx/imx-optee-client.git;protocol=https;branch=${SRCBRANCH} \ + file://tee-supplicant.service" +SRCBRANCH = "lf-5.15.71_2.2.0" +SRCREV = "644022f8970c832a40be00747fcec70c7b5d488c" S = "${WORKDIR}/git" B = "${WORKDIR}/build" -inherit python3native systemd features_check +inherit python3native systemd features_check pkgconfig + +DEPENDS = "util-linux-libuuid" REQUIRED_MACHINE_FEATURES = "optee" SYSTEMD_SERVICE:${PN} = "tee-supplicant.service" -OPTEE_ARCH ?= "arm32" -OPTEE_ARCH:armv7a = "arm32" -OPTEE_ARCH:aarch64 = "arm64" - -EXTRA_OEMAKE = "ARCH=${OPTEE_ARCH} O=${B}" +EXTRA_OEMAKE = " \ + -C ${S} O=${B} \ +" do_install () { oe_runmake -C ${S} install diff --git a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch new file mode 100644 index 00000000..2abd78a8 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch 
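Review bot: `EXTRA_OEMAKE` now carries `-C ${S}`, while the unchanged `do_install` still calls `oe_runmake -C ${S} install`, so make receives the directory switch twice. This is harmless with an absolute path but redundant; `oe_runmake install` would be enough. The body of `do_install` continues outside the hunk, so check whether anything further down relies on the explicit `-C`.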
@@ -0,0 +1,230 @@ +From f189457b79989543f65b8a4e8729eff2cdf9a758 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 13 Aug 2022 19:24:55 -0700 +Subject: [PATCH] core: Define section attributes for clang + +Clang's attribute section is not same as gcc, here we need to add flags +to sections so they can be eventually collected by linker into final +output segments. Only way to do so with clang is to use + +pragma clang section ... + +The behavious is described here [1], this allows us to define names bss +sections. This was not an issue until clang-15 where LLD linker starts +to detect the section flags before merging them and throws the following +errors + +| ld.lld: error: section type mismatch for .nozi.kdata_page +| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS +| >>> output section .nozi: SHT_NOBITS +| +| ld.lld: error: section type mismatch for .nozi.mmu.l2 +| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS +| >>> output section .nozi: SHT_NOBITS + +These sections should be carrying SHT_NOBITS but so far it was not +possible to do so, this patch tries to use clangs pragma to get this +going and match the functionality with gcc. 
+ +[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + core/arch/arm/kernel/thread.c | 19 +++++++++++++++-- + core/arch/arm/mm/core_mmu_lpae.c | 35 ++++++++++++++++++++++++++++---- + core/arch/arm/mm/pgt_cache.c | 12 ++++++++++- + core/kernel/thread.c | 13 +++++++++++- + 4 files changed, 71 insertions(+), 8 deletions(-) + +--- a/core/arch/arm/kernel/thread.c ++++ b/core/arch/arm/kernel/thread.c +@@ -44,16 +44,31 @@ static size_t thread_user_kcode_size __n + #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \ + defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64) + long thread_user_kdata_sp_offset __nex_bss; ++#ifdef __clang__ ++#ifndef CFG_VIRTUALIZATION ++#pragma clang section bss=".nozi.kdata_page" ++#else ++#pragma clang section bss=".nex_nozi.kdata_page" ++#endif ++#endif + static uint8_t thread_user_kdata_page[ + ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE, + SMALL_PAGE_SIZE)] + __aligned(SMALL_PAGE_SIZE) ++#ifndef __clang__ + #ifndef CFG_VIRTUALIZATION +- __section(".nozi.kdata_page"); ++ __section(".nozi.kdata_page") + #else +- __section(".nex_nozi.kdata_page"); ++ __section(".nex_nozi.kdata_page") + #endif + #endif ++ ; ++#endif ++ ++/* reset BSS section to default ( .bss ) */ ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + #ifdef ARM32 + uint32_t __nostackcheck thread_get_exceptions(void) +--- a/core/arch/arm/mm/core_mmu_lpae.c ++++ b/core/arch/arm/mm/core_mmu_lpae.c +@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t; + typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES]; + typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES]; + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.base_table" ++#endif + static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES] + __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE) +- 
__section(".nozi.mmu.base_table"); ++#ifndef __clang__ ++ __section(".nozi.mmu.base_table") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES] +- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2"); ++ __aligned(XLAT_TABLE_SIZE) ++#ifndef __clang__ ++ __section(".nozi.mmu.l2") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + #define XLAT_TABLES_SIZE (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES) + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + /* MMU L2 table for TAs, one for each thread */ + static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS] +- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2"); +- ++#ifndef __clang__ ++ __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + /* + * TAs page table entry inside a level 1 page table. + * +--- a/core/arch/arm/mm/pgt_cache.c ++++ b/core/arch/arm/mm/pgt_cache.c +@@ -410,8 +410,18 @@ void pgt_init(void) + * has a large alignment, while .bss has a small alignment. 
The current + * link script is optimized for small alignment in .bss + */ ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE] +- __aligned(PGT_SIZE) __section(".nozi.pgt_cache"); ++ __aligned(PGT_SIZE) ++#ifndef __clang__ ++ __section(".nozi.pgt_cache") ++#endif ++ ; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + size_t n; + + for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) { +--- a/core/kernel/thread.c ++++ b/core/kernel/thread.c +@@ -38,13 +38,24 @@ struct thread_core_local thread_core_loc + name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1] + #endif + ++#define DO_PRAGMA(x) _Pragma (#x) ++ ++#ifdef __clang__ ++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \ ++DO_PRAGMA (clang section bss=".nozi_stack." #name) \ ++linkage uint32_t name[num_stacks] \ ++ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \ ++ STACK_ALIGNMENT) / sizeof(uint32_t)] \ ++ __attribute__((aligned(STACK_ALIGNMENT))); \ ++DO_PRAGMA(clang section bss="") ++#else + #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \ + linkage uint32_t name[num_stacks] \ + [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \ + STACK_ALIGNMENT) / sizeof(uint32_t)] \ + __attribute__((section(".nozi_stack." 
# name), \ + aligned(STACK_ALIGNMENT))) +- ++#endif + #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack)) + + DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE, +--- a/core/arch/arm/mm/core_mmu_v7.c ++++ b/core/arch/arm/mm/core_mmu_v7.c +@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_EN + typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES]; + typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES]; + ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l1" ++#endif + static l1_xlat_tbl_t main_mmu_l1_ttb +- __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1"); ++ __aligned(L1_ALIGNMENT) ++#ifndef __clang__ ++ __section(".nozi.mmu.l1") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + /* L2 MMU tables */ ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.l2" ++#endif + static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES] +- __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2"); ++ __aligned(L2_ALIGNMENT) ++#ifndef __clang__ ++ __section(".nozi.mmu.l2") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + /* MMU L1 table for TAs, one for each thread */ ++#ifdef __clang__ ++#pragma clang section bss=".nozi.mmu.ul1" ++#endif + static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS] +- __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1"); ++ __aligned(UL1_ALIGNMENT) ++#ifndef __clang__ ++ __section(".nozi.mmu.ul1") ++#endif ++; ++#ifdef __clang__ ++#pragma clang section bss="" ++#endif + + struct mmu_partition { + l1_xlat_tbl_t *l1_table; diff --git a/recipes-security/optee-imx/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch b/recipes-security/optee-imx/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch new file mode 100644 index 00000000..c07d0482 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch 
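Review bot: In the core_mmu_lpae.c hunk, `__aligned(XLAT_TABLE_SIZE)` on `xlat_tables_ul1` was moved inside `#ifndef __clang__`, so a clang build declares this translation table without the alignment that the gcc build keeps; every other table in the patch leaves `__aligned(...)` outside the guard. The declaration should keep `__aligned(XLAT_TABLE_SIZE)` before the `#ifndef __clang__` and put only `__section(".nozi.mmu.l2")` inside it. In the pgt_cache.c hunk the clang pragma names `.nozi.mmu.l2` while the gcc branch keeps `.nozi.pgt_cache`; `#pragma clang section bss=".nozi.pgt_cache"` would keep both compilers on the same input section. The patch's own diffstat lists four files, but it also changes core_mmu_v7.c, which suggests it was extended after the header was written.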
@@ -0,0 +1,33 @@ +From 528aeb42652a3159c1bfd51d6c1442c3ff27b84c Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@arm.com> +Date: Tue, 26 May 2020 14:38:02 -0500 +Subject: [PATCH] allow setting sysroot for libgcc lookup + +Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching +for the compiler libraries as there's no easy way to reliably pass --sysroot +otherwise. + +Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188] +Signed-off-by: Ross Burton <ross.burton@arm.com> + +--- + mk/gcc.mk | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/mk/gcc.mk ++++ b/mk/gcc.mk +@@ -13,11 +13,11 @@ nostdinc$(sm) := -nostdinc -isystem $(sh + -print-file-name=include 2> /dev/null) + + # Get location of libgcc from gcc +-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \ ++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \ + -print-libgcc-file-name 2> /dev/null) +-libstdc++$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \ ++libstdc++$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \ + -print-file-name=libstdc++.a 2> /dev/null) +-libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \ ++libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \ + -print-file-name=libgcc_eh.a 2> /dev/null) + + # Define these to something to discover accidental use diff --git a/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch new file mode 100644 index 00000000..dc6d5517 --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch 
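Review bot: Nothing on this page sets `LIBGCC_LOCATE_CFLAGS`, so the `$(shell ...)` lookups patched here in mk/gcc.mk, and the one in mk/clang.mk patched by 0007, still run without a `--sysroot`, and `2> /dev/null` turns a failed lookup into an empty `libgcc$(sm)` with no diagnostic. For the two patches to have any effect, the optee-os recipe's `EXTRA_OEMAKE` would need something like `LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST}`. The `PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)` line in `do_compile:prepend` does not cover this: as written it is a plain shell assignment that is neither exported nor passed to `oe_runmake`, so make will not see it.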
@@ -0,0 +1,28 @@ +From db9e44af75c7cfd3316cab15aaa387383df3e57e Mon Sep 17 00:00:00 2001 +From: Brett Warren <brett.warren@arm.com> +Date: Wed, 23 Sep 2020 09:27:34 +0100 +Subject: [PATCH] optee: enable clang support + +When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used +to provide a sysroot wasn't included, which results in not locating +compiler-rt. This is mitigated by including the variable as ammended. + +Upstream-Status: Pending +ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701 +Signed-off-by: Brett Warren <brett.warren@arm.com> + +--- + mk/clang.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mk/clang.mk ++++ b/mk/clang.mk +@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language + + # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of + # libgcc for clang +-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \ ++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \ + -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null) + + # Core ASLR relies on the executable being ready to run from its preferred load diff --git a/recipes-security/optee-imx/optee-os/0010-add-note-GNU-stack-section.patch b/recipes-security/optee-imx/optee-os/0010-add-note-GNU-stack-section.patch new file mode 100644 index 00000000..b82aabdc --- /dev/null +++ b/recipes-security/optee-imx/optee-os/0010-add-note-GNU-stack-section.patch 
@@ -0,0 +1,114 @@ +From ec30e84671aac9a2e9549754eb7bc6201728db4c Mon Sep 17 00:00:00 2001 +From: Jerome Forissier <jerome.forissier@linaro.org> +Date: Tue, 23 Aug 2022 12:31:46 +0000 +Subject: [PATCH] arm32: libutils, libutee, ta: add .note.GNU-stack section to + + .S files + +When building for arm32 with GNU binutils 2.39, the linker outputs +warnings when linking Trusted Applications: + + arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack + arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + +We could silence the warning by adding the '-z execstack' option to the +TA link flags, like we did in the parent commit for the TEE core and +ldelf. Indeed, ldelf always allocates a non-executable piece of memory +for the TA to use as a stack. + +However it seems preferable to comply with the common ELF practices in +this case. A better fix is therefore to add the missing .note.GNU-stack +sections in the assembler files. 
+ +Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> + +Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499] + +--- + lib/libutee/arch/arm/utee_syscalls_a32.S | 2 ++ + lib/libutils/ext/arch/arm/atomic_a32.S | 2 ++ + lib/libutils/ext/arch/arm/mcount_a32.S | 2 ++ + lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S | 2 ++ + lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++ + lib/libutils/isoc/arch/arm/setjmp_a32.S | 2 ++ + ta/arch/arm/ta_entry_a32.S | 2 ++ + 7 files changed, 14 insertions(+) + +--- a/lib/libutee/arch/arm/utee_syscalls_a32.S ++++ b/lib/libutee/arch/arm/utee_syscalls_a32.S +@@ -9,6 +9,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + .section .text + .balign 4 + .code 32 +--- a/lib/libutils/ext/arch/arm/atomic_a32.S ++++ b/lib/libutils/ext/arch/arm/atomic_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* uint32_t atomic_inc32(uint32_t *v); */ + FUNC atomic_inc32 , : + ldrex r1, [r0] +--- a/lib/libutils/ext/arch/arm/mcount_a32.S ++++ b/lib/libutils/ext/arch/arm/mcount_a32.S +@@ -9,6 +9,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * Convert return address to call site address by subtracting the size of the + * mcount call instruction (blx __gnu_mcount_nc). 
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S ++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * signed ret_idivmod_values(signed quot, signed rem); + * return quotient and remaining the EABI way (regs r0,r1) +--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S ++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d) + */ +--- a/lib/libutils/isoc/arch/arm/setjmp_a32.S ++++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S +@@ -53,6 +53,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* Arm/Thumb interworking support: + + The interworking scheme expects functions to use a BX instruction +--- a/ta/arch/arm/ta_entry_a32.S ++++ b/ta/arch/arm/ta_entry_a32.S +@@ -7,6 +7,8 @@ + + .section .note.GNU-stack,"",%progbits + ++ .section .note.GNU-stack,"",%progbits ++ + /* + * This function is the bottom of the user call stack. Mark it as such so that + * the unwinding code won't try to go further down. diff --git a/recipes-security/optee-imx/optee-os_3.15.0.imx.bb b/recipes-security/optee-imx/optee-os_3.19.0.imx.bb index 6d10b93d..82751a80 100644 --- a/recipes-security/optee-imx/optee-os_3.15.0.imx.bb +++ b/recipes-security/optee-imx/optee-os_3.19.0.imx.bb 
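Review bot: Every hunk in this patch shows `.section .note.GNU-stack,"",%progbits` as a context line directly above the identical added line, so the patch has been refreshed against a tree that already carries the upstream fix and now only adds a duplicate directive to each of the seven `.S` files. The duplicate is harmless to the assembler, but the patch no longer changes the non-executable-stack marking and can be dropped from `SRC_URI`. If it is kept, its `Upstream-Status: Backport` header should say that the target branch already contains the change.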
@@ -6,14 +6,20 @@ HOMEPAGE = "http://www.optee.org/" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173" -DEPENDS = "python3-pycryptodomex-native python3-pyelftools-native u-boot-mkimage-native" - -SRCBRANCH = "lf-5.15.5_1.0.0" -SRC_URI = "git://source.codeaurora.org/external/imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH}" - -SRCREV = "807629a0889ad5e888f1fd187932ab7f701ddf8c" +DEPENDS = "python3-pyelftools-native u-boot-mkimage-native \ + python3-cryptography-native" +DEPENDS:append:toolchain-clang = " compiler-rt" + +SRC_URI = "git://github.com/nxp-imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH} \ + file://0001-core-Define-section-attributes-for-clang.patch \ + file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \ + file://0007-allow-setting-sysroot-for-clang.patch \ + file://0010-add-note-GNU-stack-section.patch" +SRCBRANCH = "lf-5.15.71_2.2.0" +SRCREV = "00919403f040fad4f8603e605932281ff8451b1d" S = "${WORKDIR}/git" +B = "${WORKDIR}/build" inherit deploy python3native autotools features_check @@ -24,10 +30,9 @@ PLATFORM_FLAVOR = "${@d.getVar('MACHINE')[1:]}" PLATFORM_FLAVOR:imx6qdlsabresd = "mx6qsabresd" PLATFORM_FLAVOR:imx6qdlsabreauto = "mx6qsabreauto" PLATFORM_FLAVOR:imx6qpdlsolox = "mx6qsabresd" -PLATFORM_FLAVOR:imx6ul = "mx6ulevk" -PLATFORM_FLAVOR:imx6ull = "mx6ullevk" -PLATFORM_FLAVOR:imx6ull = "mx6ullevk" -PLATFORM_FLAVOR:imx6ulz = "mx6ulzevk" +PLATFORM_FLAVOR:mx6ul-nxp-bsp = "mx6ulevk" +PLATFORM_FLAVOR:mx6ull-nxp-bsp = "mx6ullevk" +PLATFORM_FLAVOR:mx6ulz-nxp-bsp = "mx6ulzevk" PLATFORM_FLAVOR:mx8mq-nxp-bsp = "mx8mqevk" PLATFORM_FLAVOR:mx8mm-nxp-bsp = "mx8mmevk" PLATFORM_FLAVOR:mx8mn-nxp-bsp = "mx8mnevk" 
@@ -39,62 +44,79 @@ PLATFORM_FLAVOR:mx8qxp-nxp-bsp = "mx8qxpmek" PLATFORM_FLAVOR:mx8dx-nxp-bsp = "mx8dxmek" PLATFORM_FLAVOR:mx8dxl-nxp-bsp = "mx8dxlevk" PLATFORM_FLAVOR:mx8ulp-nxp-bsp = "mx8ulpevk" +PLATFORM_FLAVOR:mx93-nxp-bsp = "mx93evk" OPTEE_ARCH:arm = "arm32" OPTEE_ARCH:aarch64 = "arm64" +COMPILER ?= "gcc" +COMPILER:toolchain-clang = "clang" + # Optee-os can be built for 32 bits and 64 bits at the same time # as long as the compilers are correctly defined. # For 64bits, CROSS_COMPILE64 must be set # When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that # any 32 or 64 bits builds will pass EXTRA_OEMAKE = " \ - PLATFORM=imx \ - PLATFORM_FLAVOR=${PLATFORM_FLAVOR} \ - CROSS_COMPILE=${HOST_PREFIX} \ - CROSS_COMPILE64=${HOST_PREFIX} \ - CFG_TEE_TA_LOG_LEVEL=0 \ - CFG_TEE_CORE_LOG_LEVEL=0 \ - -C ${S} O=${B}\ + PLATFORM=imx-${PLATFORM_FLAVOR} \ + CROSS_COMPILE=${HOST_PREFIX} \ + CROSS_COMPILE64=${HOST_PREFIX} \ + CFG_TEE_TA_LOG_LEVEL=0 \ + CFG_TEE_CORE_LOG_LEVEL=0 \ + OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules \ + COMPILER=${COMPILER} \ + -C ${S} O=${B} \ " -LDFLAGS = "" +LDFLAGS[unexport] = "1" +CPPFLAGS[unexport] = "1" +AS[unexport] = "1" +LD[unexport] = "1" + CFLAGS += "--sysroot=${STAGING_DIR_HOST}" CXXFLAGS += "--sysroot=${STAGING_DIR_HOST}" +do_configure[noexec] = "1" + +do_compile:prepend() { + PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name) +} + +do_compile:arm () { + oe_runmake all uTee +} + +do_compile:aarch64 () { + oe_runmake all +} +do_compile[cleandirs] = "${B}" + do_deploy () { install -d ${DEPLOYDIR} cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin ln -sf tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin +} - if [ "${OPTEE_ARCH}" != "arm64" ]; then - IMX_LOAD_ADDR=`${TARGET_PREFIX}readelf -h ${B}/core/tee.elf | grep "Entry point address" | awk '{print $4}'` - uboot-mkimage -A arm -O linux -C none -a ${IMX_LOAD_ADDR} -e ${IMX_LOAD_ADDR} \ - -d ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT} 
- fi +do_deploy:append:arm () { + cp ${B}/core/uTee ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT} } do_install () { install -d ${D}${nonarch_base_libdir}/firmware/ install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/ + # Install embedded TAs + install -d ${D}${nonarch_base_libdir}/optee_armtz/ + install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/ + # Install the TA devkit install -d ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/ - - for f in ${B}/export-ta_${OPTEE_ARCH}/*; do - cp -aR $f ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/ - done - - # Install embedded TAs - install -d ${D}${nonarch_base_libdir}/optee_armtz - find ${B}/ta -name '*.ta' | while read name; do - install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/ - done + cp -aR ${B}/export-ta_${OPTEE_ARCH}/* \ + ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/ } addtask deploy after do_compile before do_install - FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/" FILES:${PN}-staticdev = "${includedir}/optee/" RDEPENDS:${PN}-dev += "${PN}-staticdev" diff --git a/recipes-security/optee-imx/optee-test_3.15.0.imx.bb b/recipes-security/optee-imx/optee-test_3.19.0.imx.bb index a3649d74..fa418b87 100644 --- a/recipes-security/optee-imx/optee-test_3.15.0.imx.bb +++ b/recipes-security/optee-imx/optee-test_3.19.0.imx.bb 
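Review bot: The new `EXTRA_OEMAKE` adds `OPENSSL_MODULES` for TA signing but passes no `TA_SIGN_KEY`, and `do_install` now ships every `${B}/ta/*/*.ta` into `${nonarch_base_libdir}/optee_armtz/`. Unless a key is supplied elsewhere (a bbappend or distro configuration not visible here), the build falls back to OP-TEE's in-tree default signing key, which is published with the source and intended for development only. A comment above `EXTRA_OEMAKE` such as `# TAs are signed with the OP-TEE default key unless TA_SIGN_KEY is passed; set it for production images` would make the expectation explicit. Separately, the glob `${B}/ta/*/*.ta` makes `install` fail when no embedded TA is built, which the removed `find` loop tolerated.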
@@ -6,17 +6,15 @@ HOMEPAGE = "http://www.optee.org/" LICENSE = "BSD-2-Clause & GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa" -DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native optee-os optee-client openssl" +DEPENDS = "python3-cryptography-native optee-os optee-client openssl" -SRCBRANCH = "lf-5.15.5_1.0.0" - -SRC_URI = "git://source.codeaurora.org/external/imx/imx-optee-test.git;protocol=https;branch=${SRCBRANCH}" +SRC_URI = "git://github.com/nxp-imx/imx-optee-test.git;protocol=https;branch=${SRCBRANCH}" +SRCBRANCH = "lf-5.15.71_2.2.0" +SRCREV = "5c1dbb531b304f7ae100958f6261b6cefea49b62" S = "${WORKDIR}/git" B = "${WORKDIR}/build" -SRCREV = "e9d8bf6ee121d6686e6e409c727caee76496bb86" - inherit python3native features_check REQUIRED_MACHINE_FEATURES = "optee" @@ -29,11 +27,11 @@ CXXFLAGS += "--sysroot=${STAGING_DIR_HOST}" EXTRA_OEMAKE = " \ TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_${OPTEE_ARCH}/ \ - ARCH=${OPTEE_ARCH} \ OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${exec_prefix} \ CROSS_COMPILE_HOST=${HOST_PREFIX} \ CROSS_COMPILE_TA=${HOST_PREFIX} \ CROSS_COMPILE=${HOST_PREFIX} \ + OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules \ -C ${S} O=${B} \ " diff --git a/recipes-security/optee/optee-client-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb index 94123e43..94123e43 100644 --- a/recipes-security/optee/optee-client-qoriq_3.13.0.bb +++ b/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb diff --git a/recipes-security/optee/optee-client.nxp.inc b/recipes-security/optee-qoriq/optee-client.nxp.inc index fa187e84..a7d34497 100644 --- a/recipes-security/optee/optee-client.nxp.inc +++ b/recipes-security/optee-qoriq/optee-client.nxp.inc 
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b" inherit python3native systemd -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/optee_client.git;nobranch=1" +SRC_URI = "git://github.com/nxp-qoriq/optee_client.git;protocol=https;nobranch=1" SRCREV = "7c9c423d00e96bf51debd5fe10fd70dce83be5cc" FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:" diff --git a/recipes-security/optee/optee-client/tee-supplicant.service b/recipes-security/optee-qoriq/optee-client/tee-supplicant.service index 0e2b4f6b..0e2b4f6b 100644 --- a/recipes-security/optee/optee-client/tee-supplicant.service +++ b/recipes-security/optee-qoriq/optee-client/tee-supplicant.service diff --git a/recipes-security/optee/optee-os-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb index 3c3652d3..3c3652d3 100644 --- a/recipes-security/optee/optee-os-qoriq_3.13.0.bb +++ b/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb diff --git a/recipes-security/optee/optee-os.nxp.inc b/recipes-security/optee-qoriq/optee-os.nxp.inc index 72af6ca4..5b90b937 100644 --- a/recipes-security/optee/optee-os.nxp.inc +++ b/recipes-security/optee-qoriq/optee-os.nxp.inc @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173" inherit deploy python3native autotools DEPENDS = "python3-pycryptodome-native python3-pyelftools-native python3-pycryptodomex-native dtc-native" -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/optee_os.git;nobranch=1" +SRC_URI = "git://github.com/nxp-qoriq/optee_os.git;protocol=https;nobranch=1" SRCREV = "735d98806dc26fbeeecad7f5e60ffeab8170c67e" S = "${WORKDIR}/git" diff --git a/recipes-security/optee/optee-test-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb index 69ef73d3..69ef73d3 100644 --- a/recipes-security/optee/optee-test-qoriq_3.13.0.bb +++ b/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb 
diff --git a/recipes-security/optee/optee-test.nxp.inc b/recipes-security/optee-qoriq/optee-test.nxp.inc index e3ba0c8e..14a42ac5 100644 --- a/recipes-security/optee/optee-test.nxp.inc +++ b/recipes-security/optee-qoriq/optee-test.nxp.inc @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa" DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native openssl" inherit python3native cmake -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/optee_test.git;nobranch=1" +SRC_URI = "git://github.com/nxp-qoriq/optee_test.git;protocol=https;nobranch=1" SRCREV = "69722dab8c1f2683e30e0ee3b536053367e37aad" S = "${WORKDIR}/git" diff --git a/recipes-security/smw/keyctl-caam_git.bb b/recipes-security/smw/keyctl-caam_git.bb new file mode 100644 index 00000000..25a5f656 --- /dev/null +++ b/recipes-security/smw/keyctl-caam_git.bb @@ -0,0 +1,23 @@ +# Copyright 2020-2022 NXP + +SUMMARY = "NXP i.MX CAAM Keyctl" +DESCRIPTION = "NXP i.MX keyctl tool to manage CAAM Keys" +SECTION = "base" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=8636bd68fc00cc6a3809b7b58b45f982" + +SRCBRANCH = "master" +SRC_URI = "git://github.com/nxp-imx/keyctl_caam.git;protocol=https;branch=${SRCBRANCH}" + +SRCREV = "81dc06cdb9c4d0d4ba10459d85af9a8603774948" + +S = "${WORKDIR}/git" + +TARGET_CC_ARCH += "${LDFLAGS}" + +do_install () { + oe_runmake DESTDIR=${D} install +} + +COMPATIBLE_MACHINE = "(imx-generic-bsp)" + diff --git a/recipes-security/smw/smw_git.bb b/recipes-security/smw/smw_git.bb new file mode 100644 index 00000000..3f77ad06 --- /dev/null +++ b/recipes-security/smw/smw_git.bb 
@@ -0,0 +1,64 @@ +# Copyright 2020-23 NXP + +SUMMARY = "NXP i.MX Security Middleware Library" +DESCRIPTION = "NXP i.MX Security Middleware Library" +SECTION = "base" +LICENSE = "BSD-3-Clause" +LICENSE = "Apache-2.0 & BSD-3-Clause & Zlib" +LIC_FILES_CHKSUM = "file://LICENSE;md5=8636bd68fc00cc6a3809b7b58b45f982 \ + file://../psa-arch-tests/LICENSE.md;md5=2a944942e1496af1886903d274dedb13" + +DEPENDS = "json-c optee-os optee-client python3-cryptography-native" +DEPENDS:append:mx8qxp-nxp-bsp = " imx-seco-libs" +DEPENDS:append:mx8dx-nxp-bsp = " imx-seco-libs" +DEPENDS:append:mx8ulp-nxp-bsp = " imx-secure-enclave" + +SRC_URI = "git://github.com/nxp-imx/imx-smw.git;protocol=https;branch=release/version_2.x;name=smw;destsuffix=git/smw \ + git://github.com/ARM-software/psa-arch-tests.git;protocol=https;branch=main;name=psa;destsuffix=git/psa-arch-tests \ + " +SRCREV_smw = "f0570b3e8cb5f68d54edc4f9dd7cb984f6f604ed" +SRCREV_psa = "463cb95ada820bc6f758d50066cf8c0ed5cc3a02" +SRCREV_FORMAT = "smw_psa" +S = "${WORKDIR}/git/smw" + +inherit cmake python3native + +CFLAGS[unexport] = "1" +CPPFLAGS[unexport] = "1" +AS[unexport] = "1" +LD[unexport] = "1" + +# setting the linker options +TARGET_LDFLAGS:remove = "${DEBUG_PREFIX_MAP}" + +OPTEE_OS_TA_EXPORT_DIR:aarch64 = "${STAGING_INCDIR}/optee/export-user_ta_arm64" +OPTEE_OS_TA_EXPORT_DIR:arm = "${STAGING_INCDIR}/optee/export-user_ta_arm32" + +# Needs to sign OPTEE TAs +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" + +EXTRA_OECMAKE = " \ + -DTA_DEV_KIT_ROOT=${OPTEE_OS_TA_EXPORT_DIR} \ + -DTEEC_ROOT=${STAGING_DIR_HOST} \ + -DJSONC_ROOT="${COMPONENTS_DIR}/${TARGET_ARCH}/json-c/usr" \ + -DPSA_ARCH_TESTS_SRC_PATH=../${PSA_ARCH_TESTS_SRC_PATH} \ +" +EXTRA_OECMAKE:append:mx8qxp-nxp-bsp = "-DSECO_ROOT=${STAGING_DIR_HOST}" +EXTRA_OECMAKE:append:mx8dx-nxp-bsp = "-DSECO_ROOT=${STAGING_DIR_HOST}" +EXTRA_OECMAKE:append:mx8ulp-nxp-bsp = "-DELE_ROOT=${STAGING_DIR_HOST}" +EXTRA_OECMAKE_IMX:mx93-nxp-bsp = "-DELE_ROOT=${STAGING_DIR_HOST}" 
+ +OECMAKE_TARGET_COMPILE += "build_tests" +OECMAKE_TARGET_INSTALL += "install_tests" + +INSANE_SKIP_${PN}-tests = "textrel" + +PACKAGES =+ "${PN}-tests" + +FILES:${PN} += "${base_libdir}/optee_armtz/*" + +FILES:${PN}-tests = "${bindir}/* ${datadir}/${BPN}/*" + +RDEPENDS:${PN}-tests += "bash cmake" + +COMPATIBLE_MACHINE = "(imx-nxp-bsp)" |
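Review bot: Three assignments in this recipe look to have no effect as written. `INSANE_SKIP_${PN}-tests = "textrel"` uses the old underscore override form while the rest of the file uses `:`; it should be `INSANE_SKIP:${PN}-tests = "textrel"`, ideally with a comment saying why the test binaries need text relocations, since this turns off a hardening QA check. `EXTRA_OECMAKE_IMX:mx93-nxp-bsp` sets a variable that nothing in the recipe reads, so mx93 never receives `-DELE_ROOT`; `EXTRA_OECMAKE:append:mx93-nxp-bsp = " -DELE_ROOT=${STAGING_DIR_HOST}"` would match the mx8ulp line. The first `LICENSE = "BSD-3-Clause"` is overwritten by the line after it, and `${PSA_ARCH_TESTS_SRC_PATH}` in `EXTRA_OECMAKE` is not defined anywhere in the recipe.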