[meta-arm][PATCH] Add support for booting qemu with TFA and optee

[meta-arm][PATCH] Add support for booting qemu with TFA and optee

[Joshua Watt]

Adds support for booting AArch64 Qemu machines using TF-A + optee +
u-boot. Most of the changes are applicable to any AArch64 qemu target,
and a reference machine called qemuarm64-secureboot has been added that
show how to enable support for it.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++++
 .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
 .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
 .../recipes-security/optee/optee-os_git.bb    |  6 +++
 meta-arm/recipes-security/optee/optee.inc     |  2 +-
 meta-arm/wic/qemuarm64.wks                    |  4 ++
 7 files changed, 70 insertions(+), 14 deletions(-)
 create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
 create mode 100644 meta-arm/wic/qemuarm64.wks

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
new file mode 100644
index 0000000..cfb358b
--- /dev/null
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -0,0 +1,26 @@
+MACHINEOVERRIDES =. "qemuarm64:"
+
+require ${COREBASE}/meta/conf/machine/qemuarm64.conf
+
+KMACHINE = "qemuarm64"
+
+UBOOT_MACHINE = "qemu_arm64_defconfig"
+
+# The 5.4 kernel panics when booting, so use the development kernel until the
+# default kernel is upgraded (5.5. supposedly works)
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
+
+QB_MACHINE = "-machine virt,secure=on"
+QB_OPT_APPEND += "-no-acpi"
+QB_MEM = "-m 1G"
+QB_DEFAULT_FSTYPE = "wic.qcow2"
+QB_DEFAULT_BIOS = "flash.bin-qemu"
+QB_FSINFO = "wic:no-kernel-in-fs"
+QB_ROOTFS_OPT = ""
+
+IMAGE_FSTYPES += "wic wic.qcow2"
+
+WKS_FILE ?= "qemuarm64.wks"
+WKS_FILE_DEPENDS = "trusted-firmware-a"
+IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
+
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index 4b5da7a..64497d6 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit deploy nopackages
 
-COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE = "qemuarm64"
 
 # Platform must be set for each machine
 TFA_PLATFORM ?= "invalid"
+TFA_PLATFORM_aarch64_qemuall = "qemu"
 
 # Build for debug (set TFA_DEBUG to 1 to activate)
 TFA_DEBUG ?= "0"
@@ -35,16 +36,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
 # U-boot support (set TFA_UBOOT to 1 to activate)
 # When U-Boot support is activated BL33 is activated with u-boot.bin file
 TFA_UBOOT ?= "0"
+TFA_UBOOT_aarch64_qemuall = "1"
 
 # What to build
 # By default we only build bl1, do_deploy will copy
 # everything listed in this variable (by default bl1.bin)
 TFA_BUILD_TARGET ?= "bl1"
+TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
 
 # What to install
 # do_install and do_deploy will install everything listed in this
 # variable. It is set by default to TFA_BUILD_TARGET
 TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
+TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
 
 # Requires CROSS_COMPILE set by hand as there is no configure script
 export CROSS_COMPILE="${TARGET_PREFIX}"
@@ -61,6 +65,7 @@ do_configure[noexec] = "1"
 # We need dtc for dtbs compilation
 # We need openssl for fiptool
 DEPENDS_append = " dtc-native openssl-native"
+DEPENDS_append_aarch64_qemuall = " optee-os"
 
 # Add platform parameter
 EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
@@ -76,6 +81,15 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
 do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', ' BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
 
+EXTRA_OEMAKE_append_aarch64_qemuall = " \
+    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
+    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
+    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
+    BL32_RAM_LOCATION=tdram \
+    SPD=opteed \
+    "
+BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG") == "1" else "release"}/"
+
 # The following hack is needed to fit properly in yocto build environment
 # TFA is forcing the host compiler and its flags in the Makefile using :=
 # assignment for GCC and CFLAGS.
@@ -91,13 +105,12 @@ do_compile() {
 }
 do_compile[cleandirs] = "${B}"
 
-do_install() {
-    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
-        BUILD_PLAT=${B}/${TFA_PLATFORM}/debug/
-    else
-        BUILD_PLAT=${B}/${TFA_PLATFORM}/release/
-    fi
+do_compile_append_aarch64_qemuall() {
+    dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096 conv=notrunc
+    dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64 bs=4096 conv=notrunc
+}
 
+do_install() {
     install -d -m 755 ${D}/firmware
     for atfbin in ${TFA_INSTALL_TARGET}; do
         if [ "$atfbin" = "all" ]; then
@@ -106,17 +119,17 @@ do_install() {
             bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
             bberror "rewrite or turn off do_install"
             exit 1
-        elif [ -f $BUILD_PLAT/$atfbin.bin ]; then
+        elif [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
             echo "Install $atfbin.bin"
-            install -m 0644 $BUILD_PLAT/$atfbin.bin \
+            install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
-        elif [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
+        elif [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
             echo "Install $atfbin.elf"
-            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
+            install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
-        elif [ -f $BUILD_PLAT/$atfbin ]; then
+        elif [ -f ${BUILD_PLAT}/$atfbin ]; then
             echo "Install $atfbin"
-            install -m 0644 $BUILD_PLAT/$atfbin \
+            install -m 0644 ${BUILD_PLAT}/$atfbin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}
         elif [ "$atfbin" = "dtbs" ]; then
             echo "dtbs install, skipped"
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
new file mode 100644
index 0000000..de0c6ec
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
@@ -0,0 +1,4 @@
+CONFIG_TFABOOT=y
+# This must match the address that TF-A jumps to for BL33
+CONFIG_SYS_TEXT_BASE=0x60000000
+
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
new file mode 100644
index 0000000..afcd70a
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
index dfff6d1..aa51376 100644
--- a/meta-arm/recipes-security/optee/optee-os_git.bb
+++ b/meta-arm/recipes-security/optee/optee-os_git.bb
@@ -21,7 +21,11 @@ SRC_URI = " \
 S = "${WORKDIR}/git"
 
 OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
+OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"
+
 OPTEEOUTPUTMACHINE ?= "${MACHINE}"
+OPTEEOUTPUTMACHINE_qemuall = "vexpress"
 
 OPTEE_ARCH = "null"
 OPTEE_ARCH_armv7a = "arm32"
@@ -72,6 +76,8 @@ do_deploy() {
 
 addtask deploy before do_build after do_install
 
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
+
 FILES_${PN} = "${nonarch_base_libdir}/firmware/"
 FILES_${PN}-dev = "${includedir}/optee/"
 
diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
index b3e5271..3138148 100644
--- a/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/recipes-security/optee/optee.inc
@@ -1,2 +1,2 @@
-COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE = "qemuarm64"
 # Please add supported machines below or set it in .bbappend or .conf
diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
new file mode 100644
index 0000000..7285279
--- /dev/null
+++ b/meta-arm/wic/qemuarm64.wks
@@ -0,0 +1,4 @@
+bootloader --ptable gpt
+
+part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
+part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
-- 
2.17.1

Re: [meta-arm][PATCH] Add support for booting qemu with TFA and optee

[Denys Dmytriyenko]

On Wed, May 13, 2020 at 05:11:34PM -0500, Joshua Watt wrote:
> Adds support for booting AArch64 Qemu machines using TF-A + optee +
> u-boot. Most of the changes are applicable to any AArch64 qemu target,
> and a reference machine called qemuarm64-secureboot has been added that
> show how to enable support for it.

Can we hold on this patch, please? I want to review it thoroughly :)

Also, it touches a lot of suff and throws a wrench into my TF-A work - 
I waited patiently to get all your changes in and kept rebasing my work. 
No more rebases, please, let me submit my changes first... :)

Denys


> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++++
>  .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
>  .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
>  meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
>  .../recipes-security/optee/optee-os_git.bb    |  6 +++
>  meta-arm/recipes-security/optee/optee.inc     |  2 +-
>  meta-arm/wic/qemuarm64.wks                    |  4 ++
>  7 files changed, 70 insertions(+), 14 deletions(-)
>  create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>  create mode 100644 meta-arm/wic/qemuarm64.wks
> 
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> new file mode 100644
> index 0000000..cfb358b
> --- /dev/null
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -0,0 +1,26 @@
> +MACHINEOVERRIDES =. "qemuarm64:"
> +
> +require ${COREBASE}/meta/conf/machine/qemuarm64.conf
> +
> +KMACHINE = "qemuarm64"
> +
> +UBOOT_MACHINE = "qemu_arm64_defconfig"
> +
> +# The 5.4 kernel panics when booting, so use the development kernel until the
> +# default kernel is upgraded (5.5. supposedly works)
> +PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
> +
> +QB_MACHINE = "-machine virt,secure=on"
> +QB_OPT_APPEND += "-no-acpi"
> +QB_MEM = "-m 1G"
> +QB_DEFAULT_FSTYPE = "wic.qcow2"
> +QB_DEFAULT_BIOS = "flash.bin-qemu"
> +QB_FSINFO = "wic:no-kernel-in-fs"
> +QB_ROOTFS_OPT = ""
> +
> +IMAGE_FSTYPES += "wic wic.qcow2"
> +
> +WKS_FILE ?= "qemuarm64.wks"
> +WKS_FILE_DEPENDS = "trusted-firmware-a"
> +IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> +
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> index 4b5da7a..64497d6 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> @@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
>  
>  inherit deploy nopackages
>  
> -COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE = "qemuarm64"
>  
>  # Platform must be set for each machine
>  TFA_PLATFORM ?= "invalid"
> +TFA_PLATFORM_aarch64_qemuall = "qemu"
>  
>  # Build for debug (set TFA_DEBUG to 1 to activate)
>  TFA_DEBUG ?= "0"
> @@ -35,16 +36,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
>  # U-boot support (set TFA_UBOOT to 1 to activate)
>  # When U-Boot support is activated BL33 is activated with u-boot.bin file
>  TFA_UBOOT ?= "0"
> +TFA_UBOOT_aarch64_qemuall = "1"
>  
>  # What to build
>  # By default we only build bl1, do_deploy will copy
>  # everything listed in this variable (by default bl1.bin)
>  TFA_BUILD_TARGET ?= "bl1"
> +TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
>  
>  # What to install
>  # do_install and do_deploy will install everything listed in this
>  # variable. It is set by default to TFA_BUILD_TARGET
>  TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
> +TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
>  
>  # Requires CROSS_COMPILE set by hand as there is no configure script
>  export CROSS_COMPILE="${TARGET_PREFIX}"
> @@ -61,6 +65,7 @@ do_configure[noexec] = "1"
>  # We need dtc for dtbs compilation
>  # We need openssl for fiptool
>  DEPENDS_append = " dtc-native openssl-native"
> +DEPENDS_append_aarch64_qemuall = " optee-os"
>  
>  # Add platform parameter
>  EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
> @@ -76,6 +81,15 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
>  do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
>  EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', ' BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
>  
> +EXTRA_OEMAKE_append_aarch64_qemuall = " \
> +    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
> +    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
> +    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
> +    BL32_RAM_LOCATION=tdram \
> +    SPD=opteed \
> +    "
> +BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG") == "1" else "release"}/"
> +
>  # The following hack is needed to fit properly in yocto build environment
>  # TFA is forcing the host compiler and its flags in the Makefile using :=
>  # assignment for GCC and CFLAGS.
> @@ -91,13 +105,12 @@ do_compile() {
>  }
>  do_compile[cleandirs] = "${B}"
>  
> -do_install() {
> -    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
> -        BUILD_PLAT=${B}/${TFA_PLATFORM}/debug/
> -    else
> -        BUILD_PLAT=${B}/${TFA_PLATFORM}/release/
> -    fi
> +do_compile_append_aarch64_qemuall() {
> +    dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096 conv=notrunc
> +    dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64 bs=4096 conv=notrunc
> +}
>  
> +do_install() {
>      install -d -m 755 ${D}/firmware
>      for atfbin in ${TFA_INSTALL_TARGET}; do
>          if [ "$atfbin" = "all" ]; then
> @@ -106,17 +119,17 @@ do_install() {
>              bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
>              bberror "rewrite or turn off do_install"
>              exit 1
> -        elif [ -f $BUILD_PLAT/$atfbin.bin ]; then
> +        elif [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
>              echo "Install $atfbin.bin"
> -            install -m 0644 $BUILD_PLAT/$atfbin.bin \
> +            install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
> -        elif [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
> +        elif [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
>              echo "Install $atfbin.elf"
> -            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
> +            install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
> -        elif [ -f $BUILD_PLAT/$atfbin ]; then
> +        elif [ -f ${BUILD_PLAT}/$atfbin ]; then
>              echo "Install $atfbin"
> -            install -m 0644 $BUILD_PLAT/$atfbin \
> +            install -m 0644 ${BUILD_PLAT}/$atfbin \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}
>          elif [ "$atfbin" = "dtbs" ]; then
>              echo "dtbs install, skipped"
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> new file mode 100644
> index 0000000..de0c6ec
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> @@ -0,0 +1,4 @@
> +CONFIG_TFABOOT=y
> +# This must match the address that TF-A jumps to for BL33
> +CONFIG_SYS_TEXT_BASE=0x60000000
> +
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> new file mode 100644
> index 0000000..afcd70a
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -0,0 +1,3 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
> index dfff6d1..aa51376 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -21,7 +21,11 @@ SRC_URI = " \
>  S = "${WORKDIR}/git"
>  
>  OPTEEMACHINE ?= "${MACHINE}"
> +OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
> +OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"
> +
>  OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> +OPTEEOUTPUTMACHINE_qemuall = "vexpress"
>  
>  OPTEE_ARCH = "null"
>  OPTEE_ARCH_armv7a = "arm32"
> @@ -72,6 +76,8 @@ do_deploy() {
>  
>  addtask deploy before do_build after do_install
>  
> +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> +
>  FILES_${PN} = "${nonarch_base_libdir}/firmware/"
>  FILES_${PN}-dev = "${includedir}/optee/"
>  
> diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
> index b3e5271..3138148 100644
> --- a/meta-arm/recipes-security/optee/optee.inc
> +++ b/meta-arm/recipes-security/optee/optee.inc
> @@ -1,2 +1,2 @@
> -COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE = "qemuarm64"
>  # Please add supported machines below or set it in .bbappend or .conf
> diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
> new file mode 100644
> index 0000000..7285279
> --- /dev/null
> +++ b/meta-arm/wic/qemuarm64.wks
> @@ -0,0 +1,4 @@
> +bootloader --ptable gpt
> +
> +part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
> +part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
> -- 
> 2.17.1
> 

> 

Re: [meta-arm][PATCH] Add support for booting qemu with TFA and optee

[Joshua Watt]

[-- Attachment #1: Type: text/plain, Size: 10574 bytes --]

On Wed, May 13, 2020, 5:27 PM Denys Dmytriyenko <denis@denix.org> wrote:

> On Wed, May 13, 2020 at 05:11:34PM -0500, Joshua Watt wrote:
> > Adds support for booting AArch64 Qemu machines using TF-A + optee +
> > u-boot. Most of the changes are applicable to any AArch64 qemu target,
> > and a reference machine called qemuarm64-secureboot has been added that
> > show how to enable support for it.
>
> Can we hold on this patch, please? I want to review it thoroughly :)
>
> Also, it touches a lot of suff and throws a wrench into my TF-A work -
> I waited patiently to get all your changes in and kept rebasing my work.
> No more rebases, please, let me submit my changes first... :)
>

That's fine. I'm not in any hurry for this, just got it working and figured
I'd share it.


> Denys
>
>
> > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > ---
> >  .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++++
> >  .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
> >  .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
> >  meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
> >  .../recipes-security/optee/optee-os_git.bb    |  6 +++
> >  meta-arm/recipes-security/optee/optee.inc     |  2 +-
> >  meta-arm/wic/qemuarm64.wks                    |  4 ++
> >  7 files changed, 70 insertions(+), 14 deletions(-)
> >  create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
> >  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> >  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> >  create mode 100644 meta-arm/wic/qemuarm64.wks
> >
> > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > new file mode 100644
> > index 0000000..cfb358b
> > --- /dev/null
> > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > @@ -0,0 +1,26 @@
> > +MACHINEOVERRIDES =. "qemuarm64:"
> > +
> > +require ${COREBASE}/meta/conf/machine/qemuarm64.conf
> > +
> > +KMACHINE = "qemuarm64"
> > +
> > +UBOOT_MACHINE = "qemu_arm64_defconfig"
> > +
> > +# The 5.4 kernel panics when booting, so use the development kernel
> until the
> > +# default kernel is upgraded (5.5. supposedly works)
> > +PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
> > +
> > +QB_MACHINE = "-machine virt,secure=on"
> > +QB_OPT_APPEND += "-no-acpi"
> > +QB_MEM = "-m 1G"
> > +QB_DEFAULT_FSTYPE = "wic.qcow2"
> > +QB_DEFAULT_BIOS = "flash.bin-qemu"
> > +QB_FSINFO = "wic:no-kernel-in-fs"
> > +QB_ROOTFS_OPT = ""
> > +
> > +IMAGE_FSTYPES += "wic wic.qcow2"
> > +
> > +WKS_FILE ?= "qemuarm64.wks"
> > +WKS_FILE_DEPENDS = "trusted-firmware-a"
> > +IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> > +
> > diff --git
> a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > index 4b5da7a..64497d6 100644
> > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> > @@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
> >
> >  inherit deploy nopackages
> >
> > -COMPATIBLE_MACHINE ?= "invalid"
> > +COMPATIBLE_MACHINE = "qemuarm64"
> >
> >  # Platform must be set for each machine
> >  TFA_PLATFORM ?= "invalid"
> > +TFA_PLATFORM_aarch64_qemuall = "qemu"
> >
> >  # Build for debug (set TFA_DEBUG to 1 to activate)
> >  TFA_DEBUG ?= "0"
> > @@ -35,16 +36,19 @@ SRCREV_FORMAT_append =
> "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
> >  # U-boot support (set TFA_UBOOT to 1 to activate)
> >  # When U-Boot support is activated BL33 is activated with u-boot.bin
> file
> >  TFA_UBOOT ?= "0"
> > +TFA_UBOOT_aarch64_qemuall = "1"
> >
> >  # What to build
> >  # By default we only build bl1, do_deploy will copy
> >  # everything listed in this variable (by default bl1.bin)
> >  TFA_BUILD_TARGET ?= "bl1"
> > +TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
> >
> >  # What to install
> >  # do_install and do_deploy will install everything listed in this
> >  # variable. It is set by default to TFA_BUILD_TARGET
> >  TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
> > +TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
> >
> >  # Requires CROSS_COMPILE set by hand as there is no configure script
> >  export CROSS_COMPILE="${TARGET_PREFIX}"
> > @@ -61,6 +65,7 @@ do_configure[noexec] = "1"
> >  # We need dtc for dtbs compilation
> >  # We need openssl for fiptool
> >  DEPENDS_append = " dtc-native openssl-native"
> > +DEPENDS_append_aarch64_qemuall = " optee-os"
> >
> >  # Add platform parameter
> >  EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
> > @@ -76,6 +81,15 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1',
> 'u-boot', '', d)}"
> >  do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1',
> 'u-boot:do_deploy', '', d)}"
> >  EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', '
> BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
> >
> > +EXTRA_OEMAKE_append_aarch64_qemuall = " \
> > +
> BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin
> \
> > +
> BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin
> \
> > +
> BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin
> \
> > +    BL32_RAM_LOCATION=tdram \
> > +    SPD=opteed \
> > +    "
> > +BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG")
> == "1" else "release"}/"
> > +
> >  # The following hack is needed to fit properly in yocto build
> environment
> >  # TFA is forcing the host compiler and its flags in the Makefile using
> :=
> >  # assignment for GCC and CFLAGS.
> > @@ -91,13 +105,12 @@ do_compile() {
> >  }
> >  do_compile[cleandirs] = "${B}"
> >
> > -do_install() {
> > -    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
> > -        BUILD_PLAT=${B}/${TFA_PLATFORM}/debug/
> > -    else
> > -        BUILD_PLAT=${B}/${TFA_PLATFORM}/release/
> > -    fi
> > +do_compile_append_aarch64_qemuall() {
> > +    dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096
> conv=notrunc
> > +    dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64
> bs=4096 conv=notrunc
> > +}
> >
> > +do_install() {
> >      install -d -m 755 ${D}/firmware
> >      for atfbin in ${TFA_INSTALL_TARGET}; do
> >          if [ "$atfbin" = "all" ]; then
> > @@ -106,17 +119,17 @@ do_install() {
> >              bberror "Please specify valid targets in TFA_INSTALL_TARGET
> or"
> >              bberror "rewrite or turn off do_install"
> >              exit 1
> > -        elif [ -f $BUILD_PLAT/$atfbin.bin ]; then
> > +        elif [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
> >              echo "Install $atfbin.bin"
> > -            install -m 0644 $BUILD_PLAT/$atfbin.bin \
> > +            install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
> >                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
> > -        elif [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
> > +        elif [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
> >              echo "Install $atfbin.elf"
> > -            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
> > +            install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
> >                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
> > -        elif [ -f $BUILD_PLAT/$atfbin ]; then
> > +        elif [ -f ${BUILD_PLAT}/$atfbin ]; then
> >              echo "Install $atfbin"
> > -            install -m 0644 $BUILD_PLAT/$atfbin \
> > +            install -m 0644 ${BUILD_PLAT}/$atfbin \
> >                  ${D}/firmware/$atfbin-${TFA_PLATFORM}
> >          elif [ "$atfbin" = "dtbs" ]; then
> >              echo "dtbs install, skipped"
> > diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> > new file mode 100644
> > index 0000000..de0c6ec
> > --- /dev/null
> > +++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> > @@ -0,0 +1,4 @@
> > +CONFIG_TFABOOT=y
> > +# This must match the address that TF-A jumps to for BL33
> > +CONFIG_SYS_TEXT_BASE=0x60000000
> > +
> > diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> > new file mode 100644
> > index 0000000..afcd70a
> > --- /dev/null
> > +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> > @@ -0,0 +1,3 @@
> > +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> > +
> > +SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
> > diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb
> b/meta-arm/recipes-security/optee/optee-os_git.bb
> > index dfff6d1..aa51376 100644
> > --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> > +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> > @@ -21,7 +21,11 @@ SRC_URI = " \
> >  S = "${WORKDIR}/git"
> >
> >  OPTEEMACHINE ?= "${MACHINE}"
> > +OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
> > +OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"
> > +
> >  OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> > +OPTEEOUTPUTMACHINE_qemuall = "vexpress"
> >
> >  OPTEE_ARCH = "null"
> >  OPTEE_ARCH_armv7a = "arm32"
> > @@ -72,6 +76,8 @@ do_deploy() {
> >
> >  addtask deploy before do_build after do_install
> >
> > +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> > +
> >  FILES_${PN} = "${nonarch_base_libdir}/firmware/"
> >  FILES_${PN}-dev = "${includedir}/optee/"
> >
> > diff --git a/meta-arm/recipes-security/optee/optee.inc
> b/meta-arm/recipes-security/optee/optee.inc
> > index b3e5271..3138148 100644
> > --- a/meta-arm/recipes-security/optee/optee.inc
> > +++ b/meta-arm/recipes-security/optee/optee.inc
> > @@ -1,2 +1,2 @@
> > -COMPATIBLE_MACHINE ?= "invalid"
> > +COMPATIBLE_MACHINE = "qemuarm64"
> >  # Please add supported machines below or set it in .bbappend or .conf
> > diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
> > new file mode 100644
> > index 0000000..7285279
> > --- /dev/null
> > +++ b/meta-arm/wic/qemuarm64.wks
> > @@ -0,0 +1,4 @@
> > +bootloader --ptable gpt
> > +
> > +part /boot --ondisk=vda --align 64 --size=100M --active --source
> bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
> > +part /     --ondisk=vda                                 --source
> rootfs            --fstype=ext4 --label root
> > --
> > 2.17.1
> >
>
> > 
>
>

[-- Attachment #2: Type: text/html, Size: 13830 bytes --]

[meta-arm][PATCH v2 0/3] Add support for booting qemu with TFA and optee

[Joshua Watt]

Adds support for booting AArch64 Qemu machines using TF-A + optee +
u-boot. Most of the changes are applicable to any AArch64 qemu target,
and a reference machine called qemuarm64-secureboot has been added that
show how to enable support for it.

Testing of op-tee can be done using the qemuarm64-secureboot machine
with the following commands:

$ cat >> conf/local.conf <<HEREDOC
MACHINE = "qemuarm64-secureboot"
CORE_IMAGE_EXTRA_INSTALL += "optee-test kernel-modules"
HEREDOC
$ bitbake core-image-minimal
$ runqemu nographic serialstdio slirp
...
root@qemuarm64-secureboot:~# xtest

Joshua Watt (3):
  optee-{os,examples,client,test}: Build out of tree
  optee-client: Add sysVinit service
  Add support for booting qemu with TFA and optee

 .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++
 .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++------
 .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
 .../linux/linux-yocto-dev.bbappend            |  4 ++
 .../linux/linux-yocto-dev/tee.cfg             |  4 ++
 .../optee/optee-client/tee-supplicant.service |  4 +-
 .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
 .../optee/optee-client_git.bb                 | 39 ++++++++++++----
 .../optee/optee-examples_git.bb               |  8 +++-
 .../recipes-security/optee/optee-os_git.bb    | 14 ++++--
 .../recipes-security/optee/optee-test_git.bb  |  8 +++-
 meta-arm/recipes-security/optee/optee.inc     |  2 +-
 meta-arm/wic/qemuarm64.wks                    |  4 ++
 14 files changed, 171 insertions(+), 34 deletions(-)
 create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
 create mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
 create mode 100644 meta-arm/wic/qemuarm64.wks

-- 
2.17.1

[meta-arm][PATCH v2 1/3] optee-{os,examples,client,test}: Build out of tree

[Joshua Watt]

Modifies the optee recipes to all build out of tree. This is cleaner and
helps prevent build error from stale builds when dependencies change.
Also allows the elimination of the OPTEEOUTPUTMACHINE variable in
optee-os.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../recipes-security/optee/optee-client_git.bb  | 17 +++++++++++++----
 .../optee/optee-examples_git.bb                 |  8 ++++++--
 meta-arm/recipes-security/optee/optee-os_git.bb | 10 ++++++----
 .../recipes-security/optee/optee-test_git.bb    |  8 ++++++--
 4 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb b/meta-arm/recipes-security/optee/optee-client_git.bb
index bae7b20..ec0826c 100644
--- a/meta-arm/recipes-security/optee/optee-client_git.bb
+++ b/meta-arm/recipes-security/optee/optee-client_git.bb
@@ -18,20 +18,29 @@ SRC_URI = " \
 "
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
 
+EXTRA_OEMAKE = "O=${B}"
+
+do_compile() {
+    cd ${S}
+    oe_runmake
+}
+do_compile[cleandirs] = "${B}"
+
 do_install() {
-    oe_runmake install
+    (cd ${S} && oe_runmake install)
 
-    install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
+    install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
 
-    install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
+    install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
     ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
     ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
 
     install -d ${D}${includedir}
-    install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
+    install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
 
     sed -i -e s:/etc:${sysconfdir}:g \
            -e s:/usr/bin:${bindir}:g \
diff --git a/meta-arm/recipes-security/optee/optee-examples_git.bb b/meta-arm/recipes-security/optee/optee-examples_git.bb
index 996e2cd..04cc5fd 100644
--- a/meta-arm/recipes-security/optee/optee-examples_git.bb
+++ b/meta-arm/recipes-security/optee/optee-examples_git.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
 SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
 TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
@@ -28,17 +29,20 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                  HOST_CROSS_COMPILE=${TARGET_PREFIX} \
                  TA_CROSS_COMPILE=${TARGET_PREFIX} \
                  V=1 \
+                 OUTPUT_DIR=${B} \
                "
 
 do_compile() {
+    cd ${S}
     oe_runmake
 }
+do_compile[cleandirs] = "${B}"
 
 do_install () {
     mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
     mkdir -p ${D}${bindir}
-    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
-    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
+    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
 }
 
 FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
index dfff6d1..d58b89f 100644
--- a/meta-arm/recipes-security/optee/optee-os_git.bb
+++ b/meta-arm/recipes-security/optee/optee-os_git.bb
@@ -19,10 +19,9 @@ SRC_URI = " \
 "
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 OPTEEMACHINE ?= "${MACHINE}"
-OPTEEOUTPUTMACHINE ?= "${MACHINE}"
-
 OPTEE_ARCH = "null"
 OPTEE_ARCH_armv7a = "arm32"
 OPTEE_ARCH_aarch64 = "arm64"
@@ -37,6 +36,7 @@ EXTRA_OEMAKE = " \
     V=1 \
     ta-targets=ta_${OPTEE_ARCH} \
     LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
+    O=${B} \
 "
 
 CFLAGS[unexport] = "1"
@@ -48,17 +48,19 @@ LD[unexport] = "1"
 do_configure[noexec] = "1"
 
 do_compile() {
+    cd ${S}
     oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
 }
+do_compile[cleandirs] = "${B}"
 
 do_install() {
     #install core in firmware
     install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
 
     #install TA devkit
     install -d ${D}${includedir}/optee/export-user_ta/
-    for f in ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
         cp -aR $f ${D}${includedir}/optee/export-user_ta/
     done
 }
diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_git.bb
index ee73a2c..f699972 100644
--- a/meta-arm/recipes-security/optee/optee-test_git.bb
+++ b/meta-arm/recipes-security/optee/optee-test_git.bb
@@ -16,6 +16,7 @@ SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
 SRC_URI = "git://github.com/OP-TEE/optee_test.git"
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
 TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
@@ -27,21 +28,24 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                  CROSS_COMPILE_HOST=${TARGET_PREFIX} \
                  CROSS_COMPILE_TA=${TARGET_PREFIX} \
                  V=1 \
+                 O=${B} \
                "
 
 do_compile() {
+    cd ${S}
     # Top level makefile doesn't seem to handle parallel make gracefully
     oe_runmake xtest
     oe_runmake ta
 }
+do_compile[cleandirs] = "${B}"
 
 do_install () {
-    install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
+    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
 
     # install path should match the value set in optee-client/tee-supplicant
     # default TEEC_LOAD_PATH is /lib
     mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
-    install -D -p -m0444 ${S}/out/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
 }
 
 FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
-- 
2.17.1

Re: [meta-arm][PATCH v2 1/3] optee-{os,examples,client,test}: Build out of tree

[Denys Dmytriyenko]

On Fri, May 15, 2020 at 11:02:38AM -0500, Joshua Watt wrote:
> Modifies the optee recipes to all build out of tree. This is cleaner and
> helps prevent build error from stale builds when dependencies change.
> Also allows the elimination of the OPTEEOUTPUTMACHINE variable in
> optee-os.

Thanks, this looks fine. Can you please ping me when this gets into master or 
dunfell, as it will break our bbappend in the middle of the release...

Reviewed-by: Denys Dmytriyenko <denys@ti.com>

> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  .../recipes-security/optee/optee-client_git.bb  | 17 +++++++++++++----
>  .../optee/optee-examples_git.bb                 |  8 ++++++--
>  meta-arm/recipes-security/optee/optee-os_git.bb | 10 ++++++----
>  .../recipes-security/optee/optee-test_git.bb    |  8 ++++++--
>  4 files changed, 31 insertions(+), 12 deletions(-)
> 
> diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb b/meta-arm/recipes-security/optee/optee-client_git.bb
> index bae7b20..ec0826c 100644
> --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> @@ -18,20 +18,29 @@ SRC_URI = " \
>  "
>  
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>  
>  SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
>  
> +EXTRA_OEMAKE = "O=${B}"
> +
> +do_compile() {
> +    cd ${S}
> +    oe_runmake
> +}
> +do_compile[cleandirs] = "${B}"
> +
>  do_install() {
> -    oe_runmake install
> +    (cd ${S} && oe_runmake install)
>  
> -    install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
> +    install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
>  
> -    install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
> +    install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
>      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
>      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
>  
>      install -d ${D}${includedir}
> -    install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
> +    install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
>  
>      sed -i -e s:/etc:${sysconfdir}:g \
>             -e s:/usr/bin:${bindir}:g \
> diff --git a/meta-arm/recipes-security/optee/optee-examples_git.bb b/meta-arm/recipes-security/optee/optee-examples_git.bb
> index 996e2cd..04cc5fd 100644
> --- a/meta-arm/recipes-security/optee/optee-examples_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-examples_git.bb
> @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
>  SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
>  
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>  
>  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
>  TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> @@ -28,17 +29,20 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>                   HOST_CROSS_COMPILE=${TARGET_PREFIX} \
>                   TA_CROSS_COMPILE=${TARGET_PREFIX} \
>                   V=1 \
> +                 OUTPUT_DIR=${B} \
>                 "
>  
>  do_compile() {
> +    cd ${S}
>      oe_runmake
>  }
> +do_compile[cleandirs] = "${B}"
>  
>  do_install () {
>      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
>      mkdir -p ${D}${bindir}
> -    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
> -    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
> +    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
> +    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
>  }
>  
>  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
> index dfff6d1..d58b89f 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -19,10 +19,9 @@ SRC_URI = " \
>  "
>  
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>  
>  OPTEEMACHINE ?= "${MACHINE}"
> -OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> -
>  OPTEE_ARCH = "null"
>  OPTEE_ARCH_armv7a = "arm32"
>  OPTEE_ARCH_aarch64 = "arm64"
> @@ -37,6 +36,7 @@ EXTRA_OEMAKE = " \
>      V=1 \
>      ta-targets=ta_${OPTEE_ARCH} \
>      LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
> +    O=${B} \
>  "
>  
>  CFLAGS[unexport] = "1"
> @@ -48,17 +48,19 @@ LD[unexport] = "1"
>  do_configure[noexec] = "1"
>  
>  do_compile() {
> +    cd ${S}
>      oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
>  }
> +do_compile[cleandirs] = "${B}"
>  
>  do_install() {
>      #install core in firmware
>      install -d ${D}${nonarch_base_libdir}/firmware/
> -    install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
> +    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
>  
>      #install TA devkit
>      install -d ${D}${includedir}/optee/export-user_ta/
> -    for f in ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
> +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
>          cp -aR $f ${D}${includedir}/optee/export-user_ta/
>      done
>  }
> diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_git.bb
> index ee73a2c..f699972 100644
> --- a/meta-arm/recipes-security/optee/optee-test_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-test_git.bb
> @@ -16,6 +16,7 @@ SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
>  SRC_URI = "git://github.com/OP-TEE/optee_test.git"
>  
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>  
>  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
>  TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
> @@ -27,21 +28,24 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>                   CROSS_COMPILE_HOST=${TARGET_PREFIX} \
>                   CROSS_COMPILE_TA=${TARGET_PREFIX} \
>                   V=1 \
> +                 O=${B} \
>                 "
>  
>  do_compile() {
> +    cd ${S}
>      # Top level makefile doesn't seem to handle parallel make gracefully
>      oe_runmake xtest
>      oe_runmake ta
>  }
> +do_compile[cleandirs] = "${B}"
>  
>  do_install () {
> -    install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
> +    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
>  
>      # install path should match the value set in optee-client/tee-supplicant
>      # default TEEC_LOAD_PATH is /lib
>      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
> -    install -D -p -m0444 ${S}/out/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
> +    install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
>  }
>  
>  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> -- 
> 2.17.1
> 

> 

Re: [PATCH v2 1/3] optee-{os,examples,client,test}: Build out of tree

[Diego Sueiro]

On Fri, May 15, 2020 at 05:02 PM, Joshua Watt wrote:

>
> Modifies the optee recipes to all build out of tree. This is cleaner and
> helps prevent build error from stale builds when dependencies change.
> Also allows the elimination of the OPTEEOUTPUTMACHINE variable in
> optee-os.
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  .../recipes-security/optee/optee-client_git.bb  | 17 +++++++++++++----
>  .../optee/optee-examples_git.bb                 |  8 ++++++--
>  meta-arm/recipes-security/optee/optee-os_git.bb | 10 ++++++----
>  .../recipes-security/optee/optee-test_git.bb    |  8 ++++++--
>  4 files changed, 31 insertions(+), 12 deletions(-)
> 
> diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb
> b/meta-arm/recipes-security/optee/optee-client_git.bb
> index bae7b20..ec0826c 100644
> --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> @@ -18,20 +18,29 @@ SRC_URI = " \
>  "
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
>
> +EXTRA_OEMAKE = "O=${B}"
> +
> +do_compile() {
> +    cd ${S}
> +    oe_runmake
> +}
> +do_compile[cleandirs] = "${B}"
> +
>  do_install() {
> -    oe_runmake install
> +    (cd ${S} && oe_runmake install)

Why are you using a subshell?

>
> -    install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant
> ${D}${sbindir}/tee-supplicant
> +    install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant
> ${D}${sbindir}/tee-supplicant
>
> -    install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0
> ${D}${libdir}/libteec.so.1.0
> +    install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0
> ${D}${libdir}/libteec.so.1.0
>      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
>      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
>
>      install -d ${D}${includedir}
> -    install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
> +    install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
>
>      sed -i -e s:/etc:${sysconfdir}:g \
>             -e s:/usr/bin:${bindir}:g \
> diff --git a/meta-arm/recipes-security/optee/optee-examples_git.bb
> b/meta-arm/recipes-security/optee/optee-examples_git.bb
> index 996e2cd..04cc5fd 100644
> --- a/meta-arm/recipes-security/optee/optee-examples_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-examples_git.bb
> @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
>  SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
>  TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> @@ -28,17 +29,20 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>                   HOST_CROSS_COMPILE=${TARGET_PREFIX} \
>                   TA_CROSS_COMPILE=${TARGET_PREFIX} \
>                   V=1 \
> +                 OUTPUT_DIR=${B} \
>                 "
>
>  do_compile() {
> +    cd ${S}
>      oe_runmake
>  }
> +do_compile[cleandirs] = "${B}"
>
>  do_install () {
>      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
>      mkdir -p ${D}${bindir}
> -    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
> -    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
> +    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
> +    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
>  }
>
>  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb
> b/meta-arm/recipes-security/optee/optee-os_git.bb
> index dfff6d1..d58b89f 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -19,10 +19,9 @@ SRC_URI = " \
>  "
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  OPTEEMACHINE ?= "${MACHINE}"
> -OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> -
>  OPTEE_ARCH = "null"
>  OPTEE_ARCH_armv7a = "arm32"
>  OPTEE_ARCH_aarch64 = "arm64"
> @@ -37,6 +36,7 @@ EXTRA_OEMAKE = " \
>      V=1 \
>      ta-targets=ta_${OPTEE_ARCH} \
>      LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
> +    O=${B} \
>  "
>
>  CFLAGS[unexport] = "1"
> @@ -48,17 +48,19 @@ LD[unexport] = "1"
>  do_configure[noexec] = "1"
>
>  do_compile() {
> +    cd ${S}
>      oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
>  }
> +do_compile[cleandirs] = "${B}"
>
>  do_install() {
>      #install core in firmware
>      install -d ${D}${nonarch_base_libdir}/firmware/
> -    install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin
> ${D}${nonarch_base_libdir}/firmware/
> +    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
>
>      #install TA devkit
>      install -d ${D}${includedir}/optee/export-user_ta/
> -    for f in
> ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
> +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
>          cp -aR $f ${D}${includedir}/optee/export-user_ta/
>      done
>  }
> diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb
> b/meta-arm/recipes-security/optee/optee-test_git.bb
> index ee73a2c..f699972 100644
> --- a/meta-arm/recipes-security/optee/optee-test_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-test_git.bb
> @@ -16,6 +16,7 @@ SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
>  SRC_URI = "git://github.com/OP-TEE/optee_test.git"
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
>  TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
> @@ -27,21 +28,24 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>                   CROSS_COMPILE_HOST=${TARGET_PREFIX} \
>                   CROSS_COMPILE_TA=${TARGET_PREFIX} \
>                   V=1 \
> +                 O=${B} \
>                 "
>
>  do_compile() {
> +    cd ${S}
>      # Top level makefile doesn't seem to handle parallel make gracefully
>      oe_runmake xtest
>      oe_runmake ta
>  }
> +do_compile[cleandirs] = "${B}"
>
>  do_install () {
> -    install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
> +    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
>
>      # install path should match the value set in optee-client/tee-supplicant
>      # default TEEC_LOAD_PATH is /lib
>      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
> -    install -D -p -m0444 ${S}/out/ta/*/*.ta
> ${D}${nonarch_base_libdir}/optee_armtz/
> +    install -D -p -m0444 ${B}/ta/*/*.ta
> ${D}${nonarch_base_libdir}/optee_armtz/
>  }
>
>  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> -- 
> 2.17.1
> 
>

[meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Joshua Watt]

Adds a sysVinit service to start tee-supplicant so that the optee-client
package can be used on distros where systemd is not used. Also does some
cleanup of the recipe including:
 1) Using @path@ tokens for replacemane in the .service file instead of
    paths
 2) Replacing tokens in the .service file after it is installed instead
    of editing the source file in ${WORKDIR}

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../optee/optee-client/tee-supplicant.service |  4 +-
 .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
 .../optee/optee-client_git.bb                 | 24 +++++++---
 3 files changed, 65 insertions(+), 9 deletions(-)
 create mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh

diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
index ffb54d3..c273832 100644
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
@@ -3,8 +3,8 @@ Description=TEE Supplicant
 
 [Service]
 User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/sbin/tee-supplicant $OPTARGS
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
 
 [Install]
 WantedBy=basic.target
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
new file mode 100644
index 0000000..b4d2195
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Source function library
+. /etc/init.d/functions
+
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+    start)
+	    echo -n "Starting $DESC: "
+	    start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+	    echo -n "Stopping $DESC: "
+	    start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+	    $0 stop
+	    sleep 1
+	    $0 start
+        ;;
+    status)
+        status ${DAEMON} || exit $?
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0
diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb b/meta-arm/recipes-security/optee/optee-client_git.bb
index ec0826c..a26a799 100644
--- a/meta-arm/recipes-security/optee/optee-client_git.bb
+++ b/meta-arm/recipes-security/optee/optee-client_git.bb
@@ -9,19 +9,18 @@ PV = "3.8.0+git${SRCPV}"
 
 require optee.inc
 
-inherit python3native systemd
+inherit python3native systemd update-rc.d
 
 SRCREV = "be4fa2e36f717f03ca46e574aa66f697a897d090"
 SRC_URI = " \
     git://github.com/OP-TEE/optee_client.git \
     file://tee-supplicant.service \
+    file://tee-supplicant.sh \
 "
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
-SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
-
 EXTRA_OEMAKE = "O=${B}"
 
 do_compile() {
@@ -42,9 +41,20 @@ do_install() {
     install -d ${D}${includedir}
     install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
 
-    sed -i -e s:/etc:${sysconfdir}:g \
-           -e s:/usr/bin:${bindir}:g \
-              ${WORKDIR}/tee-supplicant.service
-
     install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+
+    install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+
+    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+           -e s:@sbindir@:${sbindir}:g \
+              ${D}${systemd_system_unitdir}/tee-supplicant.service \
+              ${D}${sysconfdir}/init.d/tee-supplicant
 }
+
+SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
+
+INITSCRIPT_PACKAGES = "${PN}"
+
+INITSCRIPT_NAME_${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS_${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
+
-- 
2.17.1

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Denys Dmytriyenko]

On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
> Adds a sysVinit service to start tee-supplicant so that the optee-client
> package can be used on distros where systemd is not used. Also does some
> cleanup of the recipe including:
>  1) Using @path@ tokens for replacemane in the .service file instead of
>     paths
>  2) Replacing tokens in the .service file after it is installed instead
>     of editing the source file in ${WORKDIR}

Overall looks fine. Quick question - if both sysvinit and systemd are in 
DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear 
to me - I see some recipes go the extra mile to check the DISTRO_FEATURES 
and only install/enable the service accordingly, while some completely rely 
on the corresponding bbclass.


> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  .../optee/optee-client/tee-supplicant.service |  4 +-
>  .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
>  .../optee/optee-client_git.bb                 | 24 +++++++---
>  3 files changed, 65 insertions(+), 9 deletions(-)
>  create mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> 
> diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> index ffb54d3..c273832 100644
> --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> @@ -3,8 +3,8 @@ Description=TEE Supplicant
>  
>  [Service]
>  User=root
> -EnvironmentFile=-/etc/default/tee-supplicant
> -ExecStart=/usr/sbin/tee-supplicant $OPTARGS
> +EnvironmentFile=-@sysconfdir@/default/tee-supplicant
> +ExecStart=@sbindir@/tee-supplicant $OPTARGS
>  
>  [Install]
>  WantedBy=basic.target
> diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> new file mode 100644
> index 0000000..b4d2195
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> @@ -0,0 +1,46 @@
> +#!/bin/sh
> +
> +# Source function library
> +. /etc/init.d/functions
> +
> +NAME=tee-supplicant
> +PATH=/sbin:/bin:/usr/sbin:/usr/bin
> +DESC="OP-TEE Supplicant"
> +
> +DAEMON=@sbindir@/$NAME
> +
> +test -f $DAEMON || exit 0
> +
> +test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
> +test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
> +
> +SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
> +
> +set -e
> +
> +case $1 in
> +    start)
> +	    echo -n "Starting $DESC: "
> +	    start-stop-daemon --start $SSD_OPTIONS
> +        echo "${DAEMON##*/}."
> +        ;;
> +    stop)
> +	    echo -n "Stopping $DESC: "
> +	    start-stop-daemon --stop $SSD_OPTIONS
> +        echo "${DAEMON##*/}."
> +        ;;
> +    restart|force-reload)
> +	    $0 stop
> +	    sleep 1
> +	    $0 start
> +        ;;
> +    status)
> +        status ${DAEMON} || exit $?
> +        ;;
> +    *)
> +        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
> +        exit 1
> +        ;;
> +esac
> +
> +exit 0
> diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb b/meta-arm/recipes-security/optee/optee-client_git.bb
> index ec0826c..a26a799 100644
> --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> @@ -9,19 +9,18 @@ PV = "3.8.0+git${SRCPV}"
>  
>  require optee.inc
>  
> -inherit python3native systemd
> +inherit python3native systemd update-rc.d
>  
>  SRCREV = "be4fa2e36f717f03ca46e574aa66f697a897d090"
>  SRC_URI = " \
>      git://github.com/OP-TEE/optee_client.git \
>      file://tee-supplicant.service \
> +    file://tee-supplicant.sh \
>  "
>  
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build"
>  
> -SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> -
>  EXTRA_OEMAKE = "O=${B}"
>  
>  do_compile() {
> @@ -42,9 +41,20 @@ do_install() {
>      install -d ${D}${includedir}
>      install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
>  
> -    sed -i -e s:/etc:${sysconfdir}:g \
> -           -e s:/usr/bin:${bindir}:g \
> -              ${WORKDIR}/tee-supplicant.service
> -
>      install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
> +
> +    install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
> +
> +    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
> +           -e s:@sbindir@:${sbindir}:g \
> +              ${D}${systemd_system_unitdir}/tee-supplicant.service \
> +              ${D}${sysconfdir}/init.d/tee-supplicant
>  }
> +
> +SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> +
> +INITSCRIPT_PACKAGES = "${PN}"
> +
> +INITSCRIPT_NAME_${PN} = "tee-supplicant"
> +INITSCRIPT_PARAMS_${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
> +
> -- 
> 2.17.1
> 

> 

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[William Mills]

On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
> On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
>> Adds a sysVinit service to start tee-supplicant so that the optee-client
>> package can be used on distros where systemd is not used. Also does some
>> cleanup of the recipe including:
>>  1) Using @path@ tokens for replacemane in the .service file instead of
>>     paths
>>  2) Replacing tokens in the .service file after it is installed instead
>>     of editing the source file in ${WORKDIR}
> 
> Overall looks fine. Quick question - if both sysvinit and systemd are in 
> DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear 
> to me - I see some recipes go the extra mile to check the DISTRO_FEATURES 
> and only install/enable the service accordingly, while some completely rely 
> on the corresponding bbclass.
> 

I had to look into this on ubuntu/debian recently.
systemd's sysvinit emulation will skip any sysvinit script that has the
same name as a *.service file.

From [1]:
"""
systemd-sysv-generator generates the service units that run the van
Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
systemd service unit by that name already existing in the other six
locations.
"""

I don't know if that is systemd default or Debian enhancement but OE
should follow that rule if it does not already IMHO.

This is not clear in the man pages [2][3].

[1]
https://unix.stackexchange.com/questions/233468/how-does-systemd-use-etc-init-d-scripts

[2]
http://manpages.ubuntu.com/manpages/bionic/man8/systemd-sysv-generator.8.html

[3]
https://www.freedesktop.org/software/systemd/man/systemd-sysv-generator.html

Bill

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Joshua Watt]

On 5/18/20 12:04 PM, William Mills wrote:
>
> On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
>> On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
>>> Adds a sysVinit service to start tee-supplicant so that the optee-client
>>> package can be used on distros where systemd is not used. Also does some
>>> cleanup of the recipe including:
>>>   1) Using @path@ tokens for replacemane in the .service file instead of
>>>      paths
>>>   2) Replacing tokens in the .service file after it is installed instead
>>>      of editing the source file in ${WORKDIR}
>> Overall looks fine. Quick question - if both sysvinit and systemd are in
>> DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
>> to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
>> and only install/enable the service accordingly, while some completely rely
>> on the corresponding bbclass.
>>
> I had to look into this on ubuntu/debian recently.
> systemd's sysvinit emulation will skip any sysvinit script that has the
> same name as a *.service file.
>
>  From [1]:
> """
> systemd-sysv-generator generates the service units that run the van
> Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
> systemd service unit by that name already existing in the other six
> locations.
> """
>
> I don't know if that is systemd default or Debian enhancement but OE
> should follow that rule if it does not already IMHO.

systemd.bbclass and update-rc.d.bbclass work together to do the correct 
things based on the existence of the "sysvinit" and "systemd" 
DISTRO_FEATURES, so its fine to include both in a recipe.


>
> This is not clear in the man pages [2][3].
>
> [1]
> https://unix.stackexchange.com/questions/233468/how-does-systemd-use-etc-init-d-scripts
>
> [2]
> http://manpages.ubuntu.com/manpages/bionic/man8/systemd-sysv-generator.8.html
>
> [3]
> https://www.freedesktop.org/software/systemd/man/systemd-sysv-generator.html
>
> Bill

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Denys Dmytriyenko]

On Mon, May 18, 2020 at 01:03:01PM -0500, Joshua Watt wrote:
> 
> On 5/18/20 12:04 PM, William Mills wrote:
> >
> >On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
> >>On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
> >>>Adds a sysVinit service to start tee-supplicant so that the optee-client
> >>>package can be used on distros where systemd is not used. Also does some
> >>>cleanup of the recipe including:
> >>>  1) Using @path@ tokens for replacemane in the .service file instead of
> >>>     paths
> >>>  2) Replacing tokens in the .service file after it is installed instead
> >>>     of editing the source file in ${WORKDIR}
> >>Overall looks fine. Quick question - if both sysvinit and systemd are in
> >>DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
> >>to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
> >>and only install/enable the service accordingly, while some completely rely
> >>on the corresponding bbclass.
> >>
> >I had to look into this on ubuntu/debian recently.
> >systemd's sysvinit emulation will skip any sysvinit script that has the
> >same name as a *.service file.
> >
> > From [1]:
> >"""
> >systemd-sysv-generator generates the service units that run the van
> >Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
> >systemd service unit by that name already existing in the other six
> >locations.
> >"""
> >
> >I don't know if that is systemd default or Debian enhancement but OE
> >should follow that rule if it does not already IMHO.
> 
> systemd.bbclass and update-rc.d.bbclass work together to do the
> correct things based on the existence of the "sysvinit" and
> "systemd" DISTRO_FEATURES, so its fine to include both in a recipe.

So, if both are included and have the same name, systemd will skip the 
sysvinit emulation and load the correct service only once, correct?


> >This is not clear in the man pages [2][3].
> >
> >[1]
> >https://unix.stackexchange.com/questions/233468/how-does-systemd-use-etc-init-d-scripts
> >
> >[2]
> >http://manpages.ubuntu.com/manpages/bionic/man8/systemd-sysv-generator.8.html
> >
> >[3]
> >https://www.freedesktop.org/software/systemd/man/systemd-sysv-generator.html
> >
> >Bill

> 

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Joshua Watt]

On 5/18/20 1:58 PM, Denys Dmytriyenko wrote:
> On Mon, May 18, 2020 at 01:03:01PM -0500, Joshua Watt wrote:
>> On 5/18/20 12:04 PM, William Mills wrote:
>>> On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
>>>> On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
>>>>> Adds a sysVinit service to start tee-supplicant so that the optee-client
>>>>> package can be used on distros where systemd is not used. Also does some
>>>>> cleanup of the recipe including:
>>>>>   1) Using @path@ tokens for replacemane in the .service file instead of
>>>>>      paths
>>>>>   2) Replacing tokens in the .service file after it is installed instead
>>>>>      of editing the source file in ${WORKDIR}
>>>> Overall looks fine. Quick question - if both sysvinit and systemd are in
>>>> DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
>>>> to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
>>>> and only install/enable the service accordingly, while some completely rely
>>>> on the corresponding bbclass.
>>>>
>>> I had to look into this on ubuntu/debian recently.
>>> systemd's sysvinit emulation will skip any sysvinit script that has the
>>> same name as a *.service file.
>>>
>>>  From [1]:
>>> """
>>> systemd-sysv-generator generates the service units that run the van
>>> Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
>>> systemd service unit by that name already existing in the other six
>>> locations.
>>> """
>>>
>>> I don't know if that is systemd default or Debian enhancement but OE
>>> should follow that rule if it does not already IMHO.
>> systemd.bbclass and update-rc.d.bbclass work together to do the
>> correct things based on the existence of the "sysvinit" and
>> "systemd" DISTRO_FEATURES, so its fine to include both in a recipe.
> So, if both are included and have the same name, systemd will skip the
> sysvinit emulation and load the correct service only once, correct?

Correct. It takes a bit of chicanery to convince a build to include both 
the init script and the systemd service file, but even if you do it 
still only starts the systemd service.


>
>
>>> This is not clear in the man pages [2][3].
>>>
>>> [1]
>>> https://unix.stackexchange.com/questions/233468/how-does-systemd-use-etc-init-d-scripts
>>>
>>> [2]
>>> http://manpages.ubuntu.com/manpages/bionic/man8/systemd-sysv-generator.8.html
>>>
>>> [3]
>>> https://www.freedesktop.org/software/systemd/man/systemd-sysv-generator.html
>>>
>>> Bill
>> 

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[William Mills]

On 5/18/20 2:58 PM, Denys Dmytriyenko wrote:
> On Mon, May 18, 2020 at 01:03:01PM -0500, Joshua Watt wrote:
>>
>> On 5/18/20 12:04 PM, William Mills wrote:
>>>
>>> On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
>>>> On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
>>>>> Adds a sysVinit service to start tee-supplicant so that the optee-client
>>>>> package can be used on distros where systemd is not used. Also does some
>>>>> cleanup of the recipe including:
>>>>>  1) Using @path@ tokens for replacemane in the .service file instead of
>>>>>     paths
>>>>>  2) Replacing tokens in the .service file after it is installed instead
>>>>>     of editing the source file in ${WORKDIR}
>>>> Overall looks fine. Quick question - if both sysvinit and systemd are in
>>>> DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
>>>> to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
>>>> and only install/enable the service accordingly, while some completely rely
>>>> on the corresponding bbclass.
>>>>
>>> I had to look into this on ubuntu/debian recently.
>>> systemd's sysvinit emulation will skip any sysvinit script that has the
>>> same name as a *.service file.
>>>
>>> From [1]:
>>> """
>>> systemd-sysv-generator generates the service units that run the van
>>> Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
>>> systemd service unit by that name already existing in the other six
>>> locations.
>>> """
>>>
>>> I don't know if that is systemd default or Debian enhancement but OE
>>> should follow that rule if it does not already IMHO.
>>
>> systemd.bbclass and update-rc.d.bbclass work together to do the
>> correct things based on the existence of the "sysvinit" and
>> "systemd" DISTRO_FEATURES, so its fine to include both in a recipe.
> 
> So, if both are included and have the same name, systemd will skip the 
> sysvinit emulation and load the correct service only once, correct?
> 
> 

Yes that is my understanding of how it works at run time, at least on
debian.  Even if the user was to hand create both an sysinit script and
a service file with the same basename, systemd will ignore the script in
favor of the service file.  (sysvinit has know how to ignore service
files since the 1970's :)

Joshua: is what you are talking about in the classes a runtime selection
or a rootfs build time selection?  Perhaps we are double covered?

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Joshua Watt]

On 5/18/20 4:57 PM, William Mills wrote:
>
> On 5/18/20 2:58 PM, Denys Dmytriyenko wrote:
>> On Mon, May 18, 2020 at 01:03:01PM -0500, Joshua Watt wrote:
>>> On 5/18/20 12:04 PM, William Mills wrote:
>>>> On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
>>>>> On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
>>>>>> Adds a sysVinit service to start tee-supplicant so that the optee-client
>>>>>> package can be used on distros where systemd is not used. Also does some
>>>>>> cleanup of the recipe including:
>>>>>>   1) Using @path@ tokens for replacemane in the .service file instead of
>>>>>>      paths
>>>>>>   2) Replacing tokens in the .service file after it is installed instead
>>>>>>      of editing the source file in ${WORKDIR}
>>>>> Overall looks fine. Quick question - if both sysvinit and systemd are in
>>>>> DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
>>>>> to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
>>>>> and only install/enable the service accordingly, while some completely rely
>>>>> on the corresponding bbclass.
>>>>>
>>>> I had to look into this on ubuntu/debian recently.
>>>> systemd's sysvinit emulation will skip any sysvinit script that has the
>>>> same name as a *.service file.
>>>>
>>>>  From [1]:
>>>> """
>>>> systemd-sysv-generator generates the service units that run the van
>>>> Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
>>>> systemd service unit by that name already existing in the other six
>>>> locations.
>>>> """
>>>>
>>>> I don't know if that is systemd default or Debian enhancement but OE
>>>> should follow that rule if it does not already IMHO.
>>> systemd.bbclass and update-rc.d.bbclass work together to do the
>>> correct things based on the existence of the "sysvinit" and
>>> "systemd" DISTRO_FEATURES, so its fine to include both in a recipe.
>> So, if both are included and have the same name, systemd will skip the
>> sysvinit emulation and load the correct service only once, correct?
>>
>>
> Yes that is my understanding of how it works at run time, at least on
> debian.  Even if the user was to hand create both an sysinit script and
> a service file with the same basename, systemd will ignore the script in
> favor of the service file.  (sysvinit has know how to ignore service
> files since the 1970's :)
>
> Joshua: is what you are talking about in the classes a runtime selection
> or a rootfs build time selection?  Perhaps we are double covered?

Build time. systemd.bbclass sets INHIBIT_UPDATERCD_BBCLASS = "1" if 
"systemd" is in DISTRO_FEATURES and "sysvinit" is not, 
update-rc.d.bbclass does nothing if that is set, and setting 
INIT_MANAGER = "systemd" removes(*) "sysvinit" from DISTRO_FEATURES and 
adds "systemd", so it pretty much automatically prefers the systemd 
service files if possible.


* Well, sets DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"

>

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[Denys Dmytriyenko]

On Mon, May 18, 2020 at 05:06:48PM -0500, Joshua Watt wrote:
> 
> On 5/18/20 4:57 PM, William Mills wrote:
> >
> >On 5/18/20 2:58 PM, Denys Dmytriyenko wrote:
> >>On Mon, May 18, 2020 at 01:03:01PM -0500, Joshua Watt wrote:
> >>>On 5/18/20 12:04 PM, William Mills wrote:
> >>>>On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
> >>>>>On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
> >>>>>>Adds a sysVinit service to start tee-supplicant so that the optee-client
> >>>>>>package can be used on distros where systemd is not used. Also does some
> >>>>>>cleanup of the recipe including:
> >>>>>>  1) Using @path@ tokens for replacemane in the .service file instead of
> >>>>>>     paths
> >>>>>>  2) Replacing tokens in the .service file after it is installed instead
> >>>>>>     of editing the source file in ${WORKDIR}
> >>>>>Overall looks fine. Quick question - if both sysvinit and systemd are in
> >>>>>DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
> >>>>>to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
> >>>>>and only install/enable the service accordingly, while some completely rely
> >>>>>on the corresponding bbclass.
> >>>>>
> >>>>I had to look into this on ubuntu/debian recently.
> >>>>systemd's sysvinit emulation will skip any sysvinit script that has the
> >>>>same name as a *.service file.
> >>>>
> >>>> From [1]:
> >>>>"""
> >>>>systemd-sysv-generator generates the service units that run the van
> >>>>Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
> >>>>systemd service unit by that name already existing in the other six
> >>>>locations.
> >>>>"""
> >>>>
> >>>>I don't know if that is systemd default or Debian enhancement but OE
> >>>>should follow that rule if it does not already IMHO.
> >>>systemd.bbclass and update-rc.d.bbclass work together to do the
> >>>correct things based on the existence of the "sysvinit" and
> >>>"systemd" DISTRO_FEATURES, so its fine to include both in a recipe.
> >>So, if both are included and have the same name, systemd will skip the
> >>sysvinit emulation and load the correct service only once, correct?
> >>
> >>
> >Yes that is my understanding of how it works at run time, at least on
> >debian.  Even if the user was to hand create both an sysinit script and
> >a service file with the same basename, systemd will ignore the script in
> >favor of the service file.  (sysvinit has know how to ignore service
> >files since the 1970's :)
> >
> >Joshua: is what you are talking about in the classes a runtime selection
> >or a rootfs build time selection?  Perhaps we are double covered?
> 
> Build time. systemd.bbclass sets INHIBIT_UPDATERCD_BBCLASS = "1" if
> "systemd" is in DISTRO_FEATURES and "sysvinit" is not,
> update-rc.d.bbclass does nothing if that is set, and setting
> INIT_MANAGER = "systemd" removes(*) "sysvinit" from DISTRO_FEATURES
> and adds "systemd", so it pretty much automatically prefers the
> systemd service files if possible.
> 
> * Well, sets DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"

Yeah, well, INIT_MANAGER is a simplification short-cut that is meant to setup 
bunch of VIRTUAL-RUNTIME variables and ensure some sane defaults. It only 
handles cases of systemd OR sysvinit OR mdev.

One can still go a more advanced route and set VIRTUAL-RUNTIME variables 
directly and have both systemd AND sysvinit enabled in DISTRO_FEATURES. There 
are (or maybe were) some specific use-cases that required systemd init-manager 
enabled alongside fallback sysvinit scripts, because "systemd-compat-units" 
was not enough. Maybe because of the recipes I mentioned that check for 
"sysvinit" in DISTRO_FEATURES to even install correcponding initscripts.

Hence my question (and I believe, Bill's comments also) were regarding 
run-time support of such cases...

-- 
Denys

Re: [meta-arm][PATCH v2 2/3] optee-client: Add sysVinit service

[William Mills]

On 5/18/20 6:41 PM, Denys Dmytriyenko wrote:
> On Mon, May 18, 2020 at 05:06:48PM -0500, Joshua Watt wrote:
>>
>> On 5/18/20 4:57 PM, William Mills wrote:
>>>
>>> On 5/18/20 2:58 PM, Denys Dmytriyenko wrote:
>>>> On Mon, May 18, 2020 at 01:03:01PM -0500, Joshua Watt wrote:
>>>>> On 5/18/20 12:04 PM, William Mills wrote:
>>>>>> On 5/17/20 12:44 PM, Denys Dmytriyenko wrote:
>>>>>>> On Fri, May 15, 2020 at 11:02:39AM -0500, Joshua Watt wrote:
>>>>>>>> Adds a sysVinit service to start tee-supplicant so that the optee-client
>>>>>>>> package can be used on distros where systemd is not used. Also does some
>>>>>>>> cleanup of the recipe including:
>>>>>>>>  1) Using @path@ tokens for replacemane in the .service file instead of
>>>>>>>>     paths
>>>>>>>>  2) Replacing tokens in the .service file after it is installed instead
>>>>>>>>     of editing the source file in ${WORKDIR}
>>>>>>> Overall looks fine. Quick question - if both sysvinit and systemd are in
>>>>>>> DISTRO_FEATURES - will it start tee-supplicant twice? This was never clear
>>>>>>> to me - I see some recipes go the extra mile to check the DISTRO_FEATURES
>>>>>>> and only install/enable the service accordingly, while some completely rely
>>>>>>> on the corresponding bbclass.
>>>>>>>
>>>>>> I had to look into this on ubuntu/debian recently.
>>>>>> systemd's sysvinit emulation will skip any sysvinit script that has the
>>>>>> same name as a *.service file.
>>>>>>
>>>>>> From [1]:
>>>>>> """
>>>>>> systemd-sysv-generator generates the service units that run the van
>>>>>> Smoorenburg rc scripts from /etc/init.d, if it doesn't find a native
>>>>>> systemd service unit by that name already existing in the other six
>>>>>> locations.
>>>>>> """
>>>>>>
>>>>>> I don't know if that is systemd default or Debian enhancement but OE
>>>>>> should follow that rule if it does not already IMHO.
>>>>> systemd.bbclass and update-rc.d.bbclass work together to do the
>>>>> correct things based on the existence of the "sysvinit" and
>>>>> "systemd" DISTRO_FEATURES, so its fine to include both in a recipe.
>>>> So, if both are included and have the same name, systemd will skip the
>>>> sysvinit emulation and load the correct service only once, correct?
>>>>
>>>>
>>> Yes that is my understanding of how it works at run time, at least on
>>> debian.  Even if the user was to hand create both an sysinit script and
>>> a service file with the same basename, systemd will ignore the script in
>>> favor of the service file.  (sysvinit has know how to ignore service
>>> files since the 1970's :)
>>>
>>> Joshua: is what you are talking about in the classes a runtime selection
>>> or a rootfs build time selection?  Perhaps we are double covered?
>>
>> Build time. systemd.bbclass sets INHIBIT_UPDATERCD_BBCLASS = "1" if
>> "systemd" is in DISTRO_FEATURES and "sysvinit" is not,
>> update-rc.d.bbclass does nothing if that is set, and setting
>> INIT_MANAGER = "systemd" removes(*) "sysvinit" from DISTRO_FEATURES
>> and adds "systemd", so it pretty much automatically prefers the
>> systemd service files if possible.
>>
>> * Well, sets DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
> 
> Yeah, well, INIT_MANAGER is a simplification short-cut that is meant to setup 
> bunch of VIRTUAL-RUNTIME variables and ensure some sane defaults. It only 
> handles cases of systemd OR sysvinit OR mdev.
> 
> One can still go a more advanced route and set VIRTUAL-RUNTIME variables 
> directly and have both systemd AND sysvinit enabled in DISTRO_FEATURES. There 
> are (or maybe were) some specific use-cases that required systemd init-manager 
> enabled alongside fallback sysvinit scripts, because "systemd-compat-units" 
> was not enough. Maybe because of the recipes I mentioned that check for 
> "sysvinit" in DISTRO_FEATURES to even install correcponding initscripts.
> 
> Hence my question (and I believe, Bill's comments also) were regarding 
> run-time support of such cases...
> 

Here is the code:
https://github.com/systemd/systemd/blob/master/src/sysv-generator/sysv-generator.c#L778

...
    r = unit_file_exists(UNIT_FILE_SYSTEM, lp, name);
    if (r < 0 && !IN_SET(r, -ELOOP, -ERFKILL, -EADDRNOTAVAIL)) {
        log_debug_errno(r, "Failed to detect whether %s exists,
skipping: %m", name);
        continue;
    } else if (r != 0) {
        log_debug("Native unit for %s already exists, skipping.", name);
        continue;
    }
...

So upstream systemd does ignore sysvinit scripts with the same name as a
service file.

That file also verifies other things in that stack exchange answer like
systemd looks at rc{1,2,3,4,5}.d and runs scripts if enabled in any.
It looks at all scripts in /etc/init.d but only uses them if referenced
in one of the rcN.d's above.  The name compared for console-setup.sh
will be "console-setup".

It also ignores rc{S,0,6}.d and the K* files in rc{1,2,3,4,5}.

Bill

[meta-arm][PATCH v2 3/3] Add support for booting qemu with TFA and optee

[Joshua Watt]

Adds support for booting AArch64 Qemu machines using TF-A + optee +
u-boot. Most of the changes are applicable to any AArch64 qemu target,
and a reference machine called qemuarm64-secureboot has been added that
show how to enable support for it.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++++
 .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
 .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
 .../linux/linux-yocto-dev.bbappend            |  4 ++
 .../linux/linux-yocto-dev/tee.cfg             |  4 ++
 .../recipes-security/optee/optee-os_git.bb    |  4 ++
 meta-arm/recipes-security/optee/optee.inc     |  2 +-
 meta-arm/wic/qemuarm64.wks                    |  4 ++
 9 files changed, 76 insertions(+), 14 deletions(-)
 create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
 create mode 100644 meta-arm/wic/qemuarm64.wks

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
new file mode 100644
index 0000000..a5b7401
--- /dev/null
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -0,0 +1,26 @@
+MACHINEOVERRIDES =. "qemuarm64:"
+
+require ${COREBASE}/meta/conf/machine/qemuarm64.conf
+
+KMACHINE = "qemuarm64"
+
+UBOOT_MACHINE = "qemu_arm64_defconfig"
+
+# The 5.4 kernel panics when booting, so use the development kernel until the
+# default kernel is upgraded (5.5. supposedly works)
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
+
+QB_MACHINE = "-machine virt,secure=on"
+QB_OPT_APPEND += "-no-acpi"
+QB_MEM = "-m 1G"
+QB_DEFAULT_FSTYPE = "wic.qcow2"
+QB_DEFAULT_BIOS = "flash.bin"
+QB_FSINFO = "wic:no-kernel-in-fs"
+QB_ROOTFS_OPT = ""
+
+IMAGE_FSTYPES += "wic wic.qcow2"
+
+WKS_FILE ?= "qemuarm64.wks"
+WKS_FILE_DEPENDS = "trusted-firmware-a"
+IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
+
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index c9c5710..1369372 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit deploy nopackages
 
-COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE = "qemuarm64"
 
 # Platform must be set for each machine
 TFA_PLATFORM ?= "invalid"
+TFA_PLATFORM_aarch64_qemuall = "qemu"
 
 # Some platforms can have multiple board configurations
 # Leave empty for default behavior
@@ -20,6 +21,7 @@ TFA_BOARD ?= ""
 # Few options are "opteed", "tlkd", "trusty", "tspd"...
 # Leave empty to not use SPD
 TFA_SPD ?= ""
+TFA_SPD_aarch64_qemuall = "opteed"
 
 # Build for debug (set TFA_DEBUG to 1 to activate)
 TFA_DEBUG ?= "0"
@@ -44,16 +46,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
 # U-boot support (set TFA_UBOOT to 1 to activate)
 # When U-Boot support is activated BL33 is activated with u-boot.bin file
 TFA_UBOOT ?= "0"
+TFA_UBOOT_aarch64_qemuall = "1"
 
 # What to build
 # By default we only build bl1, do_deploy will copy
 # everything listed in this variable (by default bl1.bin)
 TFA_BUILD_TARGET ?= "bl1"
+TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
 
 # What to install
 # do_install and do_deploy will install everything listed in this
 # variable. It is set by default to TFA_BUILD_TARGET
 TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
+TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
 
 # Requires CROSS_COMPILE set by hand as there is no configure script
 export CROSS_COMPILE="${TARGET_PREFIX}"
@@ -70,6 +75,7 @@ do_configure[noexec] = "1"
 # We need dtc for dtbs compilation
 # We need openssl for fiptool
 DEPENDS_append = " dtc-native openssl-native"
+DEPENDS_append_aarch64_qemuall = " optee-os"
 
 # Add platform parameter
 EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
@@ -91,6 +97,14 @@ EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBE
 DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
 do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
+EXTRA_OEMAKE_append_aarch64_qemuall = " \
+    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
+    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
+    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
+    BL32_RAM_LOCATION=tdram \
+    "
+
+BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG") == "1" else "release"}/"
 
 # The following hack is needed to fit properly in yocto build environment
 # TFA is forcing the host compiler and its flags in the Makefile using :=
@@ -107,13 +121,12 @@ do_compile() {
 }
 do_compile[cleandirs] = "${B}"
 
-do_install() {
-    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
-        BUILD_PLAT=${B}/${BUILD_DIR}/debug/
-    else
-        BUILD_PLAT=${B}/${BUILD_DIR}/release/
-    fi
+do_compile_append_aarch64_qemuall() {
+    dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096 conv=notrunc
+    dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64 bs=4096 conv=notrunc
+}
 
+do_install() {
     install -d -m 755 ${D}/firmware
     for atfbin in ${TFA_INSTALL_TARGET}; do
         processes="0"
@@ -125,23 +138,23 @@ do_install() {
             exit 1
         fi
 
-        if [ -f $BUILD_PLAT/$atfbin.bin ]; then
+        if [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
             echo "Install $atfbin.bin"
-            install -m 0644 $BUILD_PLAT/$atfbin.bin \
+            install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
             ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
             processes="1"
         fi
-        if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
+        if [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
             echo "Install $atfbin.elf"
-            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
+            install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
             ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
             processes="1"
         fi
-        if [ -f $BUILD_PLAT/$atfbin ]; then
+        if [ -f ${BUILD_PLAT}/$atfbin ]; then
             echo "Install $atfbin"
-            install -m 0644 $BUILD_PLAT/$atfbin \
+            install -m 0644 ${BUILD_PLAT}/$atfbin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}
             ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
             processes="1"
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
new file mode 100644
index 0000000..de0c6ec
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
@@ -0,0 +1,4 @@
+CONFIG_TFABOOT=y
+# This must match the address that TF-A jumps to for BL33
+CONFIG_SYS_TEXT_BASE=0x60000000
+
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
new file mode 100644
index 0000000..afcd70a
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
new file mode 100644
index 0000000..c7742f8
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://tee.cfg"
+
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
new file mode 100644
index 0000000..7415e18
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
@@ -0,0 +1,4 @@
+CONFIG_HW_RANDOM_OPTEE=m
+CONFIG_TEE=m
+CONFIG_OPTEE=m
+CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=10
diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
index d58b89f..5e3c59a 100644
--- a/meta-arm/recipes-security/optee/optee-os_git.bb
+++ b/meta-arm/recipes-security/optee/optee-os_git.bb
@@ -22,6 +22,8 @@ S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
 OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
+OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"
 OPTEE_ARCH = "null"
 OPTEE_ARCH_armv7a = "arm32"
 OPTEE_ARCH_aarch64 = "arm64"
@@ -74,6 +76,8 @@ do_deploy() {
 
 addtask deploy before do_build after do_install
 
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
+
 FILES_${PN} = "${nonarch_base_libdir}/firmware/"
 FILES_${PN}-dev = "${includedir}/optee/"
 
diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
index b3e5271..3138148 100644
--- a/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/recipes-security/optee/optee.inc
@@ -1,2 +1,2 @@
-COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE = "qemuarm64"
 # Please add supported machines below or set it in .bbappend or .conf
diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
new file mode 100644
index 0000000..7285279
--- /dev/null
+++ b/meta-arm/wic/qemuarm64.wks
@@ -0,0 +1,4 @@
+bootloader --ptable gpt
+
+part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
+part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
-- 
2.17.1

Re: [meta-arm][PATCH v2 3/3] Add support for booting qemu with TFA and optee

[Denys Dmytriyenko]

On Fri, May 15, 2020 at 11:02:40AM -0500, Joshua Watt wrote:
> Adds support for booting AArch64 Qemu machines using TF-A + optee +
> u-boot. Most of the changes are applicable to any AArch64 qemu target,
> and a reference machine called qemuarm64-secureboot has been added that
> show how to enable support for it.
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++++
>  .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
>  .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
>  meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
>  .../linux/linux-yocto-dev.bbappend            |  4 ++
>  .../linux/linux-yocto-dev/tee.cfg             |  4 ++
>  .../recipes-security/optee/optee-os_git.bb    |  4 ++
>  meta-arm/recipes-security/optee/optee.inc     |  2 +-
>  meta-arm/wic/qemuarm64.wks                    |  4 ++
>  9 files changed, 76 insertions(+), 14 deletions(-)
>  create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
>  create mode 100644 meta-arm/wic/qemuarm64.wks
> 
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> new file mode 100644
> index 0000000..a5b7401
> --- /dev/null
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -0,0 +1,26 @@
> +MACHINEOVERRIDES =. "qemuarm64:"
> +
> +require ${COREBASE}/meta/conf/machine/qemuarm64.conf
> +
> +KMACHINE = "qemuarm64"
> +
> +UBOOT_MACHINE = "qemu_arm64_defconfig"
> +
> +# The 5.4 kernel panics when booting, so use the development kernel until the
> +# default kernel is upgraded (5.5. supposedly works)
> +PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
> +
> +QB_MACHINE = "-machine virt,secure=on"
> +QB_OPT_APPEND += "-no-acpi"
> +QB_MEM = "-m 1G"
> +QB_DEFAULT_FSTYPE = "wic.qcow2"
> +QB_DEFAULT_BIOS = "flash.bin"
> +QB_FSINFO = "wic:no-kernel-in-fs"
> +QB_ROOTFS_OPT = ""
> +
> +IMAGE_FSTYPES += "wic wic.qcow2"
> +
> +WKS_FILE ?= "qemuarm64.wks"
> +WKS_FILE_DEPENDS = "trusted-firmware-a"
> +IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> +
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> index c9c5710..1369372 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> @@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
>  
>  inherit deploy nopackages
>  
> -COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE = "qemuarm64"

Should this be a weak assignment? Maybe like this:

COMPATIBLE_MACHINE ?= "invalid"
COMPATIBLE_MACHINE_qemuarm64 = "qemuarm64"


BTW, I noticed you are defining qemuarm64-secureboot machine, but not using it 
and all overrides are _aarch64_qemuall - will that break if one tries to build 
for regular qemuarm64 machine with meta-arm?


>  # Platform must be set for each machine
>  TFA_PLATFORM ?= "invalid"
> +TFA_PLATFORM_aarch64_qemuall = "qemu"
>  
>  # Some platforms can have multiple board configurations
>  # Leave empty for default behavior
> @@ -20,6 +21,7 @@ TFA_BOARD ?= ""
>  # Few options are "opteed", "tlkd", "trusty", "tspd"...
>  # Leave empty to not use SPD
>  TFA_SPD ?= ""
> +TFA_SPD_aarch64_qemuall = "opteed"
>  
>  # Build for debug (set TFA_DEBUG to 1 to activate)
>  TFA_DEBUG ?= "0"
> @@ -44,16 +46,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
>  # U-boot support (set TFA_UBOOT to 1 to activate)
>  # When U-Boot support is activated BL33 is activated with u-boot.bin file
>  TFA_UBOOT ?= "0"
> +TFA_UBOOT_aarch64_qemuall = "1"
>  
>  # What to build
>  # By default we only build bl1, do_deploy will copy
>  # everything listed in this variable (by default bl1.bin)
>  TFA_BUILD_TARGET ?= "bl1"
> +TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
>  
>  # What to install
>  # do_install and do_deploy will install everything listed in this
>  # variable. It is set by default to TFA_BUILD_TARGET
>  TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
> +TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
>  
>  # Requires CROSS_COMPILE set by hand as there is no configure script
>  export CROSS_COMPILE="${TARGET_PREFIX}"
> @@ -70,6 +75,7 @@ do_configure[noexec] = "1"
>  # We need dtc for dtbs compilation
>  # We need openssl for fiptool
>  DEPENDS_append = " dtc-native openssl-native"
> +DEPENDS_append_aarch64_qemuall = " optee-os"
>  
>  # Add platform parameter
>  EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
> @@ -91,6 +97,14 @@ EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBE
>  DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
>  do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
>  EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
> +EXTRA_OEMAKE_append_aarch64_qemuall = " \
> +    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
> +    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
> +    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
> +    BL32_RAM_LOCATION=tdram \
> +    "
> +
> +BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG") == "1" else "release"}/"
>  
> -do_install() {
> -    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
> -        BUILD_PLAT=${B}/${BUILD_DIR}/debug/
> -    else
> -        BUILD_PLAT=${B}/${BUILD_DIR}/release/
> -    fi

You are breaking TFA_BOARD use case here - your BUILD_PLAT is not the same as 
original BUILD_PLAT.


> +do_compile_append_aarch64_qemuall() {
> +    dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096 conv=notrunc
> +    dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64 bs=4096 conv=notrunc

Is there some sort of a manual/howto with these tricks?


> +}
>  
> +do_install() {
>      install -d -m 755 ${D}/firmware
>      for atfbin in ${TFA_INSTALL_TARGET}; do
>          processes="0"
> @@ -125,23 +138,23 @@ do_install() {
>              exit 1
>          fi
>  
> -        if [ -f $BUILD_PLAT/$atfbin.bin ]; then
> +        if [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
>              echo "Install $atfbin.bin"
> -            install -m 0644 $BUILD_PLAT/$atfbin.bin \
> +            install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
>              ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
>              processes="1"
>          fi
> -        if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
> +        if [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
>              echo "Install $atfbin.elf"
> -            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
> +            install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
>              ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
>              processes="1"
>          fi
> -        if [ -f $BUILD_PLAT/$atfbin ]; then
> +        if [ -f ${BUILD_PLAT}/$atfbin ]; then
>              echo "Install $atfbin"
> -            install -m 0644 $BUILD_PLAT/$atfbin \
> +            install -m 0644 ${BUILD_PLAT}/$atfbin \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}
>              ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
>              processes="1"
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> new file mode 100644
> index 0000000..de0c6ec
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> @@ -0,0 +1,4 @@
> +CONFIG_TFABOOT=y
> +# This must match the address that TF-A jumps to for BL33
> +CONFIG_SYS_TEXT_BASE=0x60000000
> +
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> new file mode 100644
> index 0000000..afcd70a
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -0,0 +1,3 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
> new file mode 100644
> index 0000000..c7742f8
> --- /dev/null
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
> @@ -0,0 +1,4 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI_append_qemuarm64-secureboot = " file://tee.cfg"
> +
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
> new file mode 100644
> index 0000000..7415e18
> --- /dev/null
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
> @@ -0,0 +1,4 @@
> +CONFIG_HW_RANDOM_OPTEE=m
> +CONFIG_TEE=m
> +CONFIG_OPTEE=m
> +CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=10
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
> index d58b89f..5e3c59a 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -22,6 +22,8 @@ S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build"
>  
>  OPTEEMACHINE ?= "${MACHINE}"
> +OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
> +OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"

Do you plan to also do armv7a "qemuarm-secureboot"?


>  OPTEE_ARCH = "null"
>  OPTEE_ARCH_armv7a = "arm32"
>  OPTEE_ARCH_aarch64 = "arm64"
> @@ -74,6 +76,8 @@ do_deploy() {
>  
>  addtask deploy before do_build after do_install
>  
> +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> +
>  FILES_${PN} = "${nonarch_base_libdir}/firmware/"
>  FILES_${PN}-dev = "${includedir}/optee/"
>  
> diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
> index b3e5271..3138148 100644
> --- a/meta-arm/recipes-security/optee/optee.inc
> +++ b/meta-arm/recipes-security/optee/optee.inc
> @@ -1,2 +1,2 @@
> -COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE = "qemuarm64"

Dropping weak assignment?


>  # Please add supported machines below or set it in .bbappend or .conf
> diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
> new file mode 100644
> index 0000000..7285279
> --- /dev/null
> +++ b/meta-arm/wic/qemuarm64.wks
> @@ -0,0 +1,4 @@
> +bootloader --ptable gpt
> +
> +part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
> +part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
> -- 
> 2.17.1
> 

> 

Re: [meta-arm][PATCH v2 3/3] Add support for booting qemu with TFA and optee

[Joshua Watt]

On 5/17/20 11:58 AM, Denys Dmytriyenko wrote:
> On Fri, May 15, 2020 at 11:02:40AM -0500, Joshua Watt wrote:
>> Adds support for booting AArch64 Qemu machines using TF-A + optee +
>> u-boot. Most of the changes are applicable to any AArch64 qemu target,
>> and a reference machine called qemuarm64-secureboot has been added that
>> show how to enable support for it.
>>
>> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
>> ---
>>   .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++++
>>   .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
>>   .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
>>   meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
>>   .../linux/linux-yocto-dev.bbappend            |  4 ++
>>   .../linux/linux-yocto-dev/tee.cfg             |  4 ++
>>   .../recipes-security/optee/optee-os_git.bb    |  4 ++
>>   meta-arm/recipes-security/optee/optee.inc     |  2 +-
>>   meta-arm/wic/qemuarm64.wks                    |  4 ++
>>   9 files changed, 76 insertions(+), 14 deletions(-)
>>   create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
>>   create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>>   create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>>   create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
>>   create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
>>   create mode 100644 meta-arm/wic/qemuarm64.wks
>>
>> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
>> new file mode 100644
>> index 0000000..a5b7401
>> --- /dev/null
>> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
>> @@ -0,0 +1,26 @@
>> +MACHINEOVERRIDES =. "qemuarm64:"
>> +
>> +require ${COREBASE}/meta/conf/machine/qemuarm64.conf
>> +
>> +KMACHINE = "qemuarm64"
>> +
>> +UBOOT_MACHINE = "qemu_arm64_defconfig"
>> +
>> +# The 5.4 kernel panics when booting, so use the development kernel until the
>> +# default kernel is upgraded (5.5. supposedly works)
>> +PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
>> +
>> +QB_MACHINE = "-machine virt,secure=on"
>> +QB_OPT_APPEND += "-no-acpi"
>> +QB_MEM = "-m 1G"
>> +QB_DEFAULT_FSTYPE = "wic.qcow2"
>> +QB_DEFAULT_BIOS = "flash.bin"
>> +QB_FSINFO = "wic:no-kernel-in-fs"
>> +QB_ROOTFS_OPT = ""
>> +
>> +IMAGE_FSTYPES += "wic wic.qcow2"
>> +
>> +WKS_FILE ?= "qemuarm64.wks"
>> +WKS_FILE_DEPENDS = "trusted-firmware-a"
>> +IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>> +
>> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
>> index c9c5710..1369372 100644
>> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
>> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
>> @@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
>>   
>>   inherit deploy nopackages
>>   
>> -COMPATIBLE_MACHINE ?= "invalid"
>> +COMPATIBLE_MACHINE = "qemuarm64"
> Should this be a weak assignment? Maybe like this:
>
> COMPATIBLE_MACHINE ?= "invalid"
> COMPATIBLE_MACHINE_qemuarm64 = "qemuarm64"

Yes, I'll clean those up

>
>
> BTW, I noticed you are defining qemuarm64-secureboot machine, but not using it
> and all overrides are _aarch64_qemuall - will that break if one tries to build
> for regular qemuarm64 machine with meta-arm?

The idea was that the recipes would do the correct thing by default for 
any ARM based qemu machine, not just qemuarm64 (or a machine that adds 
"qemuarm64" to its MACHINEOVERRIDES to get all the oe-core qemuarm64 
behavior). Perhaps this is being too "cute" and we should just use 
qemuarm64 as the override? Either way, this won't affect the qemuarm64 
machine currently because these recipes didn't compile for it before (it 
wasn't in COMPATIBLE_MACHINE), and none of my change will make it start 
compiling it. I was careful to use the qemuarm64-secureboot override in 
the places were it would have actually affected the oe-core qemuarm64 
machine (e.g. u-boot and kernel bbappends)

>
>
>>   # Platform must be set for each machine
>>   TFA_PLATFORM ?= "invalid"
>> +TFA_PLATFORM_aarch64_qemuall = "qemu"
>>   
>>   # Some platforms can have multiple board configurations
>>   # Leave empty for default behavior
>> @@ -20,6 +21,7 @@ TFA_BOARD ?= ""
>>   # Few options are "opteed", "tlkd", "trusty", "tspd"...
>>   # Leave empty to not use SPD
>>   TFA_SPD ?= ""
>> +TFA_SPD_aarch64_qemuall = "opteed"
>>   
>>   # Build for debug (set TFA_DEBUG to 1 to activate)
>>   TFA_DEBUG ?= "0"
>> @@ -44,16 +46,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
>>   # U-boot support (set TFA_UBOOT to 1 to activate)
>>   # When U-Boot support is activated BL33 is activated with u-boot.bin file
>>   TFA_UBOOT ?= "0"
>> +TFA_UBOOT_aarch64_qemuall = "1"
>>   
>>   # What to build
>>   # By default we only build bl1, do_deploy will copy
>>   # everything listed in this variable (by default bl1.bin)
>>   TFA_BUILD_TARGET ?= "bl1"
>> +TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
>>   
>>   # What to install
>>   # do_install and do_deploy will install everything listed in this
>>   # variable. It is set by default to TFA_BUILD_TARGET
>>   TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
>> +TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
>>   
>>   # Requires CROSS_COMPILE set by hand as there is no configure script
>>   export CROSS_COMPILE="${TARGET_PREFIX}"
>> @@ -70,6 +75,7 @@ do_configure[noexec] = "1"
>>   # We need dtc for dtbs compilation
>>   # We need openssl for fiptool
>>   DEPENDS_append = " dtc-native openssl-native"
>> +DEPENDS_append_aarch64_qemuall = " optee-os"
>>   
>>   # Add platform parameter
>>   EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
>> @@ -91,6 +97,14 @@ EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBE
>>   DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
>>   do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
>>   EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
>> +EXTRA_OEMAKE_append_aarch64_qemuall = " \
>> +    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
>> +    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
>> +    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
>> +    BL32_RAM_LOCATION=tdram \
>> +    "
>> +
>> +BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG") == "1" else "release"}/"
>>   
>> -do_install() {
>> -    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
>> -        BUILD_PLAT=${B}/${BUILD_DIR}/debug/
>> -    else
>> -        BUILD_PLAT=${B}/${BUILD_DIR}/release/
>> -    fi
> You are breaking TFA_BOARD use case here - your BUILD_PLAT is not the same as
> original BUILD_PLAT.

Oops, sorry about that, I will fix it.

>
>
>> +do_compile_append_aarch64_qemuall() {
>> +    dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096 conv=notrunc
>> +    dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64 bs=4096 conv=notrunc
> Is there some sort of a manual/howto with these tricks?


Yes, I will reference it in the commit message: 
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/plat/qemu.rst#booting-via-flash-based-firmwares

They are using EFI firmware, but I didn't want to figure out how to 
build that, so I'm booting with u-boot instead.

>
>
>> +}
>>   
>> +do_install() {
>>       install -d -m 755 ${D}/firmware
>>       for atfbin in ${TFA_INSTALL_TARGET}; do
>>           processes="0"
>> @@ -125,23 +138,23 @@ do_install() {
>>               exit 1
>>           fi
>>   
>> -        if [ -f $BUILD_PLAT/$atfbin.bin ]; then
>> +        if [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
>>               echo "Install $atfbin.bin"
>> -            install -m 0644 $BUILD_PLAT/$atfbin.bin \
>> +            install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
>>                   ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
>>               ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
>>               processes="1"
>>           fi
>> -        if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
>> +        if [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
>>               echo "Install $atfbin.elf"
>> -            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
>> +            install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
>>                   ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
>>               ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
>>               processes="1"
>>           fi
>> -        if [ -f $BUILD_PLAT/$atfbin ]; then
>> +        if [ -f ${BUILD_PLAT}/$atfbin ]; then
>>               echo "Install $atfbin"
>> -            install -m 0644 $BUILD_PLAT/$atfbin \
>> +            install -m 0644 ${BUILD_PLAT}/$atfbin \
>>                   ${D}/firmware/$atfbin-${TFA_PLATFORM}
>>               ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
>>               processes="1"
>> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>> new file mode 100644
>> index 0000000..de0c6ec
>> --- /dev/null
>> +++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>> @@ -0,0 +1,4 @@
>> +CONFIG_TFABOOT=y
>> +# This must match the address that TF-A jumps to for BL33
>> +CONFIG_SYS_TEXT_BASE=0x60000000
>> +
>> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>> new file mode 100644
>> index 0000000..afcd70a
>> --- /dev/null
>> +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>> @@ -0,0 +1,3 @@
>> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
>> +
>> +SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
>> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
>> new file mode 100644
>> index 0000000..c7742f8
>> --- /dev/null
>> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
>> @@ -0,0 +1,4 @@
>> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
>> +
>> +SRC_URI_append_qemuarm64-secureboot = " file://tee.cfg"
>> +
>> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
>> new file mode 100644
>> index 0000000..7415e18
>> --- /dev/null
>> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
>> @@ -0,0 +1,4 @@
>> +CONFIG_HW_RANDOM_OPTEE=m
>> +CONFIG_TEE=m
>> +CONFIG_OPTEE=m
>> +CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=10
>> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
>> index d58b89f..5e3c59a 100644
>> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
>> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
>> @@ -22,6 +22,8 @@ S = "${WORKDIR}/git"
>>   B = "${WORKDIR}/build"
>>   
>>   OPTEEMACHINE ?= "${MACHINE}"
>> +OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
>> +OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"
> Do you plan to also do armv7a "qemuarm-secureboot"?

No, I will remove this.

>
>
>>   OPTEE_ARCH = "null"
>>   OPTEE_ARCH_armv7a = "arm32"
>>   OPTEE_ARCH_aarch64 = "arm64"
>> @@ -74,6 +76,8 @@ do_deploy() {
>>   
>>   addtask deploy before do_build after do_install
>>   
>> +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
>> +
>>   FILES_${PN} = "${nonarch_base_libdir}/firmware/"
>>   FILES_${PN}-dev = "${includedir}/optee/"
>>   
>> diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
>> index b3e5271..3138148 100644
>> --- a/meta-arm/recipes-security/optee/optee.inc
>> +++ b/meta-arm/recipes-security/optee/optee.inc
>> @@ -1,2 +1,2 @@
>> -COMPATIBLE_MACHINE ?= "invalid"
>> +COMPATIBLE_MACHINE = "qemuarm64"
> Dropping weak assignment?
>
>
>>   # Please add supported machines below or set it in .bbappend or .conf
>> diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
>> new file mode 100644
>> index 0000000..7285279
>> --- /dev/null
>> +++ b/meta-arm/wic/qemuarm64.wks
>> @@ -0,0 +1,4 @@
>> +bootloader --ptable gpt
>> +
>> +part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
>> +part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
>> -- 
>> 2.17.1
>>
>> 

[meta-arm][PATCH v3 0/3] Add support for booting qemu with TFA and optee

[Joshua Watt]

Adds support for booting AArch64 Qemu machines using TF-A + optee +
u-boot. Most of the changes are applicable to any AArch64 qemu target,
and a reference machine called qemuarm64-secureboot has been added that
show how to enable support for it.

Testing of op-tee can be done using the qemuarm64-secureboot machine
with the following commands:

$ cat >> conf/local.conf <<HEREDOC
MACHINE = "qemuarm64-secureboot"
CORE_IMAGE_EXTRA_INSTALL += "optee-test kernel-modules"
HEREDOC
$ bitbake core-image-minimal
$ runqemu nographic serialstdio slirp
...
root@qemuarm64-secureboot:~# xtest

V3: 
* Remove subshell in optee-client: do_install
* Changes assignements for compiling optee/TF-A for qemu to be weak
* Fixed optee-os install path to respect ${BUILD_PLAT}

Joshua Watt (3):
  optee-{os,examples,client,test}: Build out of tree
  optee-client: Add sysVinit service
  Add support for booting qemu with TFA and optee

 .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++
 .../trusted-firmware-a/trusted-firmware-a.inc | 44 ++++++++++++------
 .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
 .../linux/linux-yocto-dev.bbappend            |  4 ++
 .../linux/linux-yocto-dev/tee.cfg             |  4 ++
 .../optee/optee-client/tee-supplicant.service |  4 +-
 .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
 .../optee/optee-client_git.bb                 | 38 +++++++++++----
 .../optee/optee-examples_git.bb               |  8 +++-
 .../recipes-security/optee/optee-os_git.bb    | 13 ++++--
 .../recipes-security/optee/optee-test_git.bb  |  8 +++-
 meta-arm/recipes-security/optee/optee.inc     |  1 +
 meta-arm/wic/qemuarm64.wks                    |  4 ++
 14 files changed, 175 insertions(+), 32 deletions(-)
 create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
 create mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
 create mode 100644 meta-arm/wic/qemuarm64.wks

-- 
2.17.1

[meta-arm][PATCH v3 1/3] optee-{os,examples,client,test}: Build out of tree

[Joshua Watt]

Modifies the optee recipes to all build out of tree. This is cleaner and
helps prevent build error from stale builds when dependencies change.
Also allows the elimination of the OPTEEOUTPUTMACHINE variable in
optee-os.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../recipes-security/optee/optee-client_git.bb   | 16 +++++++++++++---
 .../recipes-security/optee/optee-examples_git.bb |  8 ++++++--
 meta-arm/recipes-security/optee/optee-os_git.bb  | 10 ++++++----
 .../recipes-security/optee/optee-test_git.bb     |  8 ++++++--
 4 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb b/meta-arm/recipes-security/optee/optee-client_git.bb
index bae7b20..64d7d57 100644
--- a/meta-arm/recipes-security/optee/optee-client_git.bb
+++ b/meta-arm/recipes-security/optee/optee-client_git.bb
@@ -18,20 +18,30 @@ SRC_URI = " \
 "
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
 
+EXTRA_OEMAKE = "O=${B}"
+
+do_compile() {
+    cd ${S}
+    oe_runmake
+}
+do_compile[cleandirs] = "${B}"
+
 do_install() {
+    cd ${S}
     oe_runmake install
 
-    install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
+    install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
 
-    install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
+    install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
     ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
     ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
 
     install -d ${D}${includedir}
-    install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
+    install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
 
     sed -i -e s:/etc:${sysconfdir}:g \
            -e s:/usr/bin:${bindir}:g \
diff --git a/meta-arm/recipes-security/optee/optee-examples_git.bb b/meta-arm/recipes-security/optee/optee-examples_git.bb
index 996e2cd..04cc5fd 100644
--- a/meta-arm/recipes-security/optee/optee-examples_git.bb
+++ b/meta-arm/recipes-security/optee/optee-examples_git.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
 SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
 TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
@@ -28,17 +29,20 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                  HOST_CROSS_COMPILE=${TARGET_PREFIX} \
                  TA_CROSS_COMPILE=${TARGET_PREFIX} \
                  V=1 \
+                 OUTPUT_DIR=${B} \
                "
 
 do_compile() {
+    cd ${S}
     oe_runmake
 }
+do_compile[cleandirs] = "${B}"
 
 do_install () {
     mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
     mkdir -p ${D}${bindir}
-    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
-    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
+    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
 }
 
 FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
index eced362..dcbe990 100644
--- a/meta-arm/recipes-security/optee/optee-os_git.bb
+++ b/meta-arm/recipes-security/optee/optee-os_git.bb
@@ -20,10 +20,9 @@ SRC_URI = " \
 "
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 OPTEEMACHINE ?= "${MACHINE}"
-OPTEEOUTPUTMACHINE ?= "${MACHINE}"
-
 OPTEE_ARCH = "null"
 OPTEE_ARCH_armv7a = "arm32"
 OPTEE_ARCH_aarch64 = "arm64"
@@ -38,6 +37,7 @@ EXTRA_OEMAKE = " \
     V=1 \
     ta-targets=ta_${OPTEE_ARCH} \
     LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
+    O=${B} \
 "
 
 CFLAGS[unexport] = "1"
@@ -49,17 +49,19 @@ LD[unexport] = "1"
 do_configure[noexec] = "1"
 
 do_compile() {
+    cd ${S}
     oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
 }
+do_compile[cleandirs] = "${B}"
 
 do_install() {
     #install core in firmware
     install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
 
     #install TA devkit
     install -d ${D}${includedir}/optee/export-user_ta/
-    for f in ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
         cp -aR $f ${D}${includedir}/optee/export-user_ta/
     done
 }
diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_git.bb
index ee73a2c..f699972 100644
--- a/meta-arm/recipes-security/optee/optee-test_git.bb
+++ b/meta-arm/recipes-security/optee/optee-test_git.bb
@@ -16,6 +16,7 @@ SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
 SRC_URI = "git://github.com/OP-TEE/optee_test.git"
 
 S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
 OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
 TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
@@ -27,21 +28,24 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                  CROSS_COMPILE_HOST=${TARGET_PREFIX} \
                  CROSS_COMPILE_TA=${TARGET_PREFIX} \
                  V=1 \
+                 O=${B} \
                "
 
 do_compile() {
+    cd ${S}
     # Top level makefile doesn't seem to handle parallel make gracefully
     oe_runmake xtest
     oe_runmake ta
 }
+do_compile[cleandirs] = "${B}"
 
 do_install () {
-    install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
+    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
 
     # install path should match the value set in optee-client/tee-supplicant
     # default TEEC_LOAD_PATH is /lib
     mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
-    install -D -p -m0444 ${S}/out/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
 }
 
 FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
-- 
2.17.1

Re: [PATCH v3 1/3] optee-{os,examples,client,test}: Build out of tree

[Diego Sueiro]

On Thu, May 21, 2020 at 03:23 PM, Joshua Watt wrote:

>
> Modifies the optee recipes to all build out of tree. This is cleaner and
> helps prevent build error from stale builds when dependencies change.
> Also allows the elimination of the OPTEEOUTPUTMACHINE variable in
> optee-os.
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>

Reviewed-by: Diego Sueiro <diego.sueiro@arm.com>

> ---
>  .../recipes-security/optee/optee-client_git.bb   | 16 +++++++++++++---
>  .../recipes-security/optee/optee-examples_git.bb |  8 ++++++--
>  meta-arm/recipes-security/optee/optee-os_git.bb  | 10 ++++++----
>  .../recipes-security/optee/optee-test_git.bb     |  8 ++++++--
>  4 files changed, 31 insertions(+), 11 deletions(-)
> 
> diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb
> b/meta-arm/recipes-security/optee/optee-client_git.bb
> index bae7b20..64d7d57 100644
> --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> @@ -18,20 +18,30 @@ SRC_URI = " \
>  "
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
>
> +EXTRA_OEMAKE = "O=${B}"
> +
> +do_compile() {
> +    cd ${S}
> +    oe_runmake
> +}
> +do_compile[cleandirs] = "${B}"
> +
>  do_install() {
> +    cd ${S}
>      oe_runmake install
>
> -    install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant
> ${D}${sbindir}/tee-supplicant
> +    install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant
> ${D}${sbindir}/tee-supplicant
>
> -    install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0
> ${D}${libdir}/libteec.so.1.0
> +    install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0
> ${D}${libdir}/libteec.so.1.0
>      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
>      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
>
>      install -d ${D}${includedir}
> -    install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
> +    install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
>
>      sed -i -e s:/etc:${sysconfdir}:g \
>             -e s:/usr/bin:${bindir}:g \
> diff --git a/meta-arm/recipes-security/optee/optee-examples_git.bb
> b/meta-arm/recipes-security/optee/optee-examples_git.bb
> index 996e2cd..04cc5fd 100644
> --- a/meta-arm/recipes-security/optee/optee-examples_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-examples_git.bb
> @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
>  SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
>  TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> @@ -28,17 +29,20 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>                   HOST_CROSS_COMPILE=${TARGET_PREFIX} \
>                   TA_CROSS_COMPILE=${TARGET_PREFIX} \
>                   V=1 \
> +                 OUTPUT_DIR=${B} \
>                 "
>
>  do_compile() {
> +    cd ${S}
>      oe_runmake
>  }
> +do_compile[cleandirs] = "${B}"
>
>  do_install () {
>      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
>      mkdir -p ${D}${bindir}
> -    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
> -    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
> +    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
> +    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
>  }
>
>  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb
> b/meta-arm/recipes-security/optee/optee-os_git.bb
> index eced362..dcbe990 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -20,10 +20,9 @@ SRC_URI = " \
>  "
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  OPTEEMACHINE ?= "${MACHINE}"
> -OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> -
>  OPTEE_ARCH = "null"
>  OPTEE_ARCH_armv7a = "arm32"
>  OPTEE_ARCH_aarch64 = "arm64"
> @@ -38,6 +37,7 @@ EXTRA_OEMAKE = " \
>      V=1 \
>      ta-targets=ta_${OPTEE_ARCH} \
>      LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
> +    O=${B} \
>  "
>
>  CFLAGS[unexport] = "1"
> @@ -49,17 +49,19 @@ LD[unexport] = "1"
>  do_configure[noexec] = "1"
>
>  do_compile() {
> +    cd ${S}
>      oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
>  }
> +do_compile[cleandirs] = "${B}"
>
>  do_install() {
>      #install core in firmware
>      install -d ${D}${nonarch_base_libdir}/firmware/
> -    install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin
> ${D}${nonarch_base_libdir}/firmware/
> +    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
>
>      #install TA devkit
>      install -d ${D}${includedir}/optee/export-user_ta/
> -    for f in
> ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
> +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
>          cp -aR $f ${D}${includedir}/optee/export-user_ta/
>      done
>  }
> diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb
> b/meta-arm/recipes-security/optee/optee-test_git.bb
> index ee73a2c..f699972 100644
> --- a/meta-arm/recipes-security/optee/optee-test_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-test_git.bb
> @@ -16,6 +16,7 @@ SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
>  SRC_URI = "git://github.com/OP-TEE/optee_test.git"
>
>  S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
>
>  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
>  TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
> @@ -27,21 +28,24 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>                   CROSS_COMPILE_HOST=${TARGET_PREFIX} \
>                   CROSS_COMPILE_TA=${TARGET_PREFIX} \
>                   V=1 \
> +                 O=${B} \
>                 "
>
>  do_compile() {
> +    cd ${S}
>      # Top level makefile doesn't seem to handle parallel make gracefully
>      oe_runmake xtest
>      oe_runmake ta
>  }
> +do_compile[cleandirs] = "${B}"
>
>  do_install () {
> -    install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
> +    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
>
>      # install path should match the value set in optee-client/tee-supplicant
>      # default TEEC_LOAD_PATH is /lib
>      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
> -    install -D -p -m0444 ${S}/out/ta/*/*.ta
> ${D}${nonarch_base_libdir}/optee_armtz/
> +    install -D -p -m0444 ${B}/ta/*/*.ta
> ${D}${nonarch_base_libdir}/optee_armtz/
>  }
>
>  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> -- 
> 2.17.1
> 
>

Re: [meta-arm] [PATCH v3 1/3] optee-{os,examples,client,test}: Build out of tree

[Denys Dmytriyenko]

On Fri, May 22, 2020 at 12:19:53AM -0700, Diego Sueiro wrote:
> On Thu, May 21, 2020 at 03:23 PM, Joshua Watt wrote:
> 
> >
> > Modifies the optee recipes to all build out of tree. This is cleaner and
> > helps prevent build error from stale builds when dependencies change.
> > Also allows the elimination of the OPTEEOUTPUTMACHINE variable in
> > optee-os.
> > 
> > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> 
> Reviewed-by: Diego Sueiro <diego.sueiro@arm.com>

Reviewed-by: Denys Dmytriyenko <denys@ti.com>


> > ---
> >  .../recipes-security/optee/optee-client_git.bb   | 16 +++++++++++++---
> >  .../recipes-security/optee/optee-examples_git.bb |  8 ++++++--
> >  meta-arm/recipes-security/optee/optee-os_git.bb  | 10 ++++++----
> >  .../recipes-security/optee/optee-test_git.bb     |  8 ++++++--
> >  4 files changed, 31 insertions(+), 11 deletions(-)
> > 
> > diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb
> > b/meta-arm/recipes-security/optee/optee-client_git.bb
> > index bae7b20..64d7d57 100644
> > --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> > +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> > @@ -18,20 +18,30 @@ SRC_URI = " \
> >  "
> >
> >  S = "${WORKDIR}/git"
> > +B = "${WORKDIR}/build"
> >
> >  SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> >
> > +EXTRA_OEMAKE = "O=${B}"
> > +
> > +do_compile() {
> > +    cd ${S}
> > +    oe_runmake
> > +}
> > +do_compile[cleandirs] = "${B}"
> > +
> >  do_install() {
> > +    cd ${S}
> >      oe_runmake install
> >
> > -    install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant
> > ${D}${sbindir}/tee-supplicant
> > +    install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant
> > ${D}${sbindir}/tee-supplicant
> >
> > -    install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0
> > ${D}${libdir}/libteec.so.1.0
> > +    install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0
> > ${D}${libdir}/libteec.so.1.0
> >      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
> >      ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
> >
> >      install -d ${D}${includedir}
> > -    install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
> > +    install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
> >
> >      sed -i -e s:/etc:${sysconfdir}:g \
> >             -e s:/usr/bin:${bindir}:g \
> > diff --git a/meta-arm/recipes-security/optee/optee-examples_git.bb
> > b/meta-arm/recipes-security/optee/optee-examples_git.bb
> > index 996e2cd..04cc5fd 100644
> > --- a/meta-arm/recipes-security/optee/optee-examples_git.bb
> > +++ b/meta-arm/recipes-security/optee/optee-examples_git.bb
> > @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
> >  SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
> >
> >  S = "${WORKDIR}/git"
> > +B = "${WORKDIR}/build"
> >
> >  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> >  TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > @@ -28,17 +29,20 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> >                   HOST_CROSS_COMPILE=${TARGET_PREFIX} \
> >                   TA_CROSS_COMPILE=${TARGET_PREFIX} \
> >                   V=1 \
> > +                 OUTPUT_DIR=${B} \
> >                 "
> >
> >  do_compile() {
> > +    cd ${S}
> >      oe_runmake
> >  }
> > +do_compile[cleandirs] = "${B}"
> >
> >  do_install () {
> >      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
> >      mkdir -p ${D}${bindir}
> > -    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
> > -    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
> > +    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
> > +    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
> >  }
> >
> >  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> > diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb
> > b/meta-arm/recipes-security/optee/optee-os_git.bb
> > index eced362..dcbe990 100644
> > --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> > +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> > @@ -20,10 +20,9 @@ SRC_URI = " \
> >  "
> >
> >  S = "${WORKDIR}/git"
> > +B = "${WORKDIR}/build"
> >
> >  OPTEEMACHINE ?= "${MACHINE}"
> > -OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> > -
> >  OPTEE_ARCH = "null"
> >  OPTEE_ARCH_armv7a = "arm32"
> >  OPTEE_ARCH_aarch64 = "arm64"
> > @@ -38,6 +37,7 @@ EXTRA_OEMAKE = " \
> >      V=1 \
> >      ta-targets=ta_${OPTEE_ARCH} \
> >      LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
> > +    O=${B} \
> >  "
> >
> >  CFLAGS[unexport] = "1"
> > @@ -49,17 +49,19 @@ LD[unexport] = "1"
> >  do_configure[noexec] = "1"
> >
> >  do_compile() {
> > +    cd ${S}
> >      oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
> >  }
> > +do_compile[cleandirs] = "${B}"
> >
> >  do_install() {
> >      #install core in firmware
> >      install -d ${D}${nonarch_base_libdir}/firmware/
> > -    install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin
> > ${D}${nonarch_base_libdir}/firmware/
> > +    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
> >
> >      #install TA devkit
> >      install -d ${D}${includedir}/optee/export-user_ta/
> > -    for f in
> > ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
> > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> >          cp -aR $f ${D}${includedir}/optee/export-user_ta/
> >      done
> >  }
> > diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb
> > b/meta-arm/recipes-security/optee/optee-test_git.bb
> > index ee73a2c..f699972 100644
> > --- a/meta-arm/recipes-security/optee/optee-test_git.bb
> > +++ b/meta-arm/recipes-security/optee/optee-test_git.bb
> > @@ -16,6 +16,7 @@ SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
> >  SRC_URI = "git://github.com/OP-TEE/optee_test.git"
> >
> >  S = "${WORKDIR}/git"
> > +B = "${WORKDIR}/build"
> >
> >  OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> >  TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
> > @@ -27,21 +28,24 @@ EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> >                   CROSS_COMPILE_HOST=${TARGET_PREFIX} \
> >                   CROSS_COMPILE_TA=${TARGET_PREFIX} \
> >                   V=1 \
> > +                 O=${B} \
> >                 "
> >
> >  do_compile() {
> > +    cd ${S}
> >      # Top level makefile doesn't seem to handle parallel make gracefully
> >      oe_runmake xtest
> >      oe_runmake ta
> >  }
> > +do_compile[cleandirs] = "${B}"
> >
> >  do_install () {
> > -    install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
> > +    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
> >
> >      # install path should match the value set in optee-client/tee-supplicant
> >      # default TEEC_LOAD_PATH is /lib
> >      mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
> > -    install -D -p -m0444 ${S}/out/ta/*/*.ta
> > ${D}${nonarch_base_libdir}/optee_armtz/
> > +    install -D -p -m0444 ${B}/ta/*/*.ta
> > ${D}${nonarch_base_libdir}/optee_armtz/
> >  }
> >
> >  FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
> > -- 
> > 2.17.1
> > 
> >

> 

[meta-arm][PATCH v3 2/3] optee-client: Add sysVinit service

[Joshua Watt]

Adds a sysVinit service to start tee-supplicant so that the optee-client
package can be used on distros where systemd is not used. Also does some
cleanup of the recipe including:
 1) Using @path@ tokens for replacemane in the .service file instead of
    paths
 2) Replacing tokens in the .service file after it is installed instead
    of editing the source file in ${WORKDIR}

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../optee/optee-client/tee-supplicant.service |  4 +-
 .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
 .../optee/optee-client_git.bb                 | 24 +++++++---
 3 files changed, 65 insertions(+), 9 deletions(-)
 create mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh

diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
index ffb54d3..c273832 100644
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
@@ -3,8 +3,8 @@ Description=TEE Supplicant
 
 [Service]
 User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/sbin/tee-supplicant $OPTARGS
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
 
 [Install]
 WantedBy=basic.target
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
new file mode 100644
index 0000000..b4d2195
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Source function library
+. /etc/init.d/functions
+
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+    start)
+	    echo -n "Starting $DESC: "
+	    start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+	    echo -n "Stopping $DESC: "
+	    start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+	    $0 stop
+	    sleep 1
+	    $0 start
+        ;;
+    status)
+        status ${DAEMON} || exit $?
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0
diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb b/meta-arm/recipes-security/optee/optee-client_git.bb
index 64d7d57..5dbbfe9 100644
--- a/meta-arm/recipes-security/optee/optee-client_git.bb
+++ b/meta-arm/recipes-security/optee/optee-client_git.bb
@@ -9,19 +9,18 @@ PV = "3.8.0+git${SRCPV}"
 
 require optee.inc
 
-inherit python3native systemd
+inherit python3native systemd update-rc.d
 
 SRCREV = "be4fa2e36f717f03ca46e574aa66f697a897d090"
 SRC_URI = " \
     git://github.com/OP-TEE/optee_client.git \
     file://tee-supplicant.service \
+    file://tee-supplicant.sh \
 "
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
-SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
-
 EXTRA_OEMAKE = "O=${B}"
 
 do_compile() {
@@ -43,9 +42,20 @@ do_install() {
     install -d ${D}${includedir}
     install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
 
-    sed -i -e s:/etc:${sysconfdir}:g \
-           -e s:/usr/bin:${bindir}:g \
-              ${WORKDIR}/tee-supplicant.service
-
     install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+
+    install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+
+    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+           -e s:@sbindir@:${sbindir}:g \
+              ${D}${systemd_system_unitdir}/tee-supplicant.service \
+              ${D}${sysconfdir}/init.d/tee-supplicant
 }
+
+SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
+
+INITSCRIPT_PACKAGES = "${PN}"
+
+INITSCRIPT_NAME_${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS_${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
+
-- 
2.17.1

Re: [PATCH v3 2/3] optee-client: Add sysVinit service

[Diego Sueiro]

On Thu, May 21, 2020 at 03:23 PM, Joshua Watt wrote:

>
> Adds a sysVinit service to start tee-supplicant so that the optee-client
> package can be used on distros where systemd is not used. Also does some
> cleanup of the recipe including:
>  1) Using @path@ tokens for replacemane in the .service file instead of
>     paths
>  2) Replacing tokens in the .service file after it is installed instead
>     of editing the source file in ${WORKDIR}
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>

Reviewed-by: Diego Sueiro <diego.sueiro@arm.com>

> ---
>  .../optee/optee-client/tee-supplicant.service |  4 +-
>  .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
>  .../optee/optee-client_git.bb                 | 24 +++++++---
>  3 files changed, 65 insertions(+), 9 deletions(-)
>  create mode 100644
> meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> 
> diff --git
> a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> index ffb54d3..c273832 100644
> --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> @@ -3,8 +3,8 @@ Description=TEE Supplicant
>
>  [Service]
>  User=root
> -EnvironmentFile=-/etc/default/tee-supplicant
> -ExecStart=/usr/sbin/tee-supplicant $OPTARGS
> +EnvironmentFile=-@sysconfdir@/default/tee-supplicant
> +ExecStart=@sbindir@/tee-supplicant $OPTARGS
>
>  [Install]
>  WantedBy=basic.target
> diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> new file mode 100644
> index 0000000..b4d2195
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> @@ -0,0 +1,46 @@
> +#!/bin/sh
> +
> +# Source function library
> +. /etc/init.d/functions
> +
> +NAME=tee-supplicant
> +PATH=/sbin:/bin:/usr/sbin:/usr/bin
> +DESC="OP-TEE Supplicant"
> +
> +DAEMON=@sbindir@/$NAME
> +
> +test -f $DAEMON || exit 0
> +
> +test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
> +test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
> +
> +SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
> +
> +set -e
> +
> +case $1 in
> +    start)
> +	    echo -n "Starting $DESC: "
> +	    start-stop-daemon --start $SSD_OPTIONS
> +        echo "${DAEMON##*/}."
> +        ;;
> +    stop)
> +	    echo -n "Stopping $DESC: "
> +	    start-stop-daemon --stop $SSD_OPTIONS
> +        echo "${DAEMON##*/}."
> +        ;;
> +    restart|force-reload)
> +	    $0 stop
> +	    sleep 1
> +	    $0 start
> +        ;;
> +    status)
> +        status ${DAEMON} || exit $?
> +        ;;
> +    *)
> +        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
> +        exit 1
> +        ;;
> +esac
> +
> +exit 0
> diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb
> b/meta-arm/recipes-security/optee/optee-client_git.bb
> index 64d7d57..5dbbfe9 100644
> --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> @@ -9,19 +9,18 @@ PV = "3.8.0+git${SRCPV}"
>
>  require optee.inc
>
> -inherit python3native systemd
> +inherit python3native systemd update-rc.d
>
>  SRCREV = "be4fa2e36f717f03ca46e574aa66f697a897d090"
>  SRC_URI = " \
>      git://github.com/OP-TEE/optee_client.git \
>      file://tee-supplicant.service \
> +    file://tee-supplicant.sh \
>  "
>
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build"
>
> -SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> -
>  EXTRA_OEMAKE = "O=${B}"
>
>  do_compile() {
> @@ -43,9 +42,20 @@ do_install() {
>      install -d ${D}${includedir}
>      install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
>
> -    sed -i -e s:/etc:${sysconfdir}:g \
> -           -e s:/usr/bin:${bindir}:g \
> -              ${WORKDIR}/tee-supplicant.service
> -
>      install -D -p -m0644 ${WORKDIR}/tee-supplicant.service
> ${D}${systemd_system_unitdir}/tee-supplicant.service
> +
> +    install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh
> ${D}${sysconfdir}/init.d/tee-supplicant
> +
> +    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
> +           -e s:@sbindir@:${sbindir}:g \
> +              ${D}${systemd_system_unitdir}/tee-supplicant.service \
> +              ${D}${sysconfdir}/init.d/tee-supplicant
>  }
> +
> +SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> +
> +INITSCRIPT_PACKAGES = "${PN}"
> +
> +INITSCRIPT_NAME_${PN} = "tee-supplicant"
> +INITSCRIPT_PARAMS_${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
> +
> -- 
> 2.17.1
> 
>

Re: [meta-arm] [PATCH v3 2/3] optee-client: Add sysVinit service

[Denys Dmytriyenko]

On Fri, May 22, 2020 at 12:20:52AM -0700, Diego Sueiro wrote:
> On Thu, May 21, 2020 at 03:23 PM, Joshua Watt wrote:
> 
> >
> > Adds a sysVinit service to start tee-supplicant so that the optee-client
> > package can be used on distros where systemd is not used. Also does some
> > cleanup of the recipe including:
> >  1) Using @path@ tokens for replacemane in the .service file instead of
> >     paths
> >  2) Replacing tokens in the .service file after it is installed instead
> >     of editing the source file in ${WORKDIR}
> > 
> > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> 
> Reviewed-by: Diego Sueiro <diego.sueiro@arm.com>

Reviewed-by: Denys Dmytriyenko <denys@ti.com>


> > ---
> >  .../optee/optee-client/tee-supplicant.service |  4 +-
> >  .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
> >  .../optee/optee-client_git.bb                 | 24 +++++++---
> >  3 files changed, 65 insertions(+), 9 deletions(-)
> >  create mode 100644
> > meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> > 
> > diff --git
> > a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> > b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> > index ffb54d3..c273832 100644
> > --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> > +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
> > @@ -3,8 +3,8 @@ Description=TEE Supplicant
> >
> >  [Service]
> >  User=root
> > -EnvironmentFile=-/etc/default/tee-supplicant
> > -ExecStart=/usr/sbin/tee-supplicant $OPTARGS
> > +EnvironmentFile=-@sysconfdir@/default/tee-supplicant
> > +ExecStart=@sbindir@/tee-supplicant $OPTARGS
> >
> >  [Install]
> >  WantedBy=basic.target
> > diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> > b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> > new file mode 100644
> > index 0000000..b4d2195
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
> > @@ -0,0 +1,46 @@
> > +#!/bin/sh
> > +
> > +# Source function library
> > +. /etc/init.d/functions
> > +
> > +NAME=tee-supplicant
> > +PATH=/sbin:/bin:/usr/sbin:/usr/bin
> > +DESC="OP-TEE Supplicant"
> > +
> > +DAEMON=@sbindir@/$NAME
> > +
> > +test -f $DAEMON || exit 0
> > +
> > +test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
> > +test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
> > +
> > +SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
> > +
> > +set -e
> > +
> > +case $1 in
> > +    start)
> > +	    echo -n "Starting $DESC: "
> > +	    start-stop-daemon --start $SSD_OPTIONS
> > +        echo "${DAEMON##*/}."
> > +        ;;
> > +    stop)
> > +	    echo -n "Stopping $DESC: "
> > +	    start-stop-daemon --stop $SSD_OPTIONS
> > +        echo "${DAEMON##*/}."
> > +        ;;
> > +    restart|force-reload)
> > +	    $0 stop
> > +	    sleep 1
> > +	    $0 start
> > +        ;;
> > +    status)
> > +        status ${DAEMON} || exit $?
> > +        ;;
> > +    *)
> > +        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
> > +        exit 1
> > +        ;;
> > +esac
> > +
> > +exit 0
> > diff --git a/meta-arm/recipes-security/optee/optee-client_git.bb
> > b/meta-arm/recipes-security/optee/optee-client_git.bb
> > index 64d7d57..5dbbfe9 100644
> > --- a/meta-arm/recipes-security/optee/optee-client_git.bb
> > +++ b/meta-arm/recipes-security/optee/optee-client_git.bb
> > @@ -9,19 +9,18 @@ PV = "3.8.0+git${SRCPV}"
> >
> >  require optee.inc
> >
> > -inherit python3native systemd
> > +inherit python3native systemd update-rc.d
> >
> >  SRCREV = "be4fa2e36f717f03ca46e574aa66f697a897d090"
> >  SRC_URI = " \
> >      git://github.com/OP-TEE/optee_client.git \
> >      file://tee-supplicant.service \
> > +    file://tee-supplicant.sh \
> >  "
> >
> >  S = "${WORKDIR}/git"
> >  B = "${WORKDIR}/build"
> >
> > -SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> > -
> >  EXTRA_OEMAKE = "O=${B}"
> >
> >  do_compile() {
> > @@ -43,9 +42,20 @@ do_install() {
> >      install -d ${D}${includedir}
> >      install -p -m0644 ${B}/export/usr/include/*.h ${D}${includedir}
> >
> > -    sed -i -e s:/etc:${sysconfdir}:g \
> > -           -e s:/usr/bin:${bindir}:g \
> > -              ${WORKDIR}/tee-supplicant.service
> > -
> >      install -D -p -m0644 ${WORKDIR}/tee-supplicant.service
> > ${D}${systemd_system_unitdir}/tee-supplicant.service
> > +
> > +    install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh
> > ${D}${sysconfdir}/init.d/tee-supplicant
> > +
> > +    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
> > +           -e s:@sbindir@:${sbindir}:g \
> > +              ${D}${systemd_system_unitdir}/tee-supplicant.service \
> > +              ${D}${sysconfdir}/init.d/tee-supplicant
> >  }
> > +
> > +SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
> > +
> > +INITSCRIPT_PACKAGES = "${PN}"
> > +
> > +INITSCRIPT_NAME_${PN} = "tee-supplicant"
> > +INITSCRIPT_PARAMS_${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
> > +
> > -- 
> > 2.17.1
> > 
> >

> 

[meta-arm][PATCH v3 3/3] Add support for booting qemu with TFA and optee

[Joshua Watt]

Adds support for booting AArch64 Qemu machines using TF-A + optee +
u-boot. Most of the changes are applicable to any AArch64 qemu target,
and a reference machine called qemuarm64-secureboot has been added that
show how to enable support for it.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++
 .../trusted-firmware-a/trusted-firmware-a.inc | 44 +++++++++++++------
 .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
 .../linux/linux-yocto-dev.bbappend            |  4 ++
 .../linux/linux-yocto-dev/tee.cfg             |  4 ++
 .../recipes-security/optee/optee-os_git.bb    |  3 ++
 meta-arm/recipes-security/optee/optee.inc     |  1 +
 meta-arm/wic/qemuarm64.wks                    |  4 ++
 9 files changed, 80 insertions(+), 13 deletions(-)
 create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
 create mode 100644 meta-arm/wic/qemuarm64.wks

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
new file mode 100644
index 0000000..a5b7401
--- /dev/null
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -0,0 +1,26 @@
+MACHINEOVERRIDES =. "qemuarm64:"
+
+require ${COREBASE}/meta/conf/machine/qemuarm64.conf
+
+KMACHINE = "qemuarm64"
+
+UBOOT_MACHINE = "qemu_arm64_defconfig"
+
+# The 5.4 kernel panics when booting, so use the development kernel until the
+# default kernel is upgraded (5.5. supposedly works)
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
+
+QB_MACHINE = "-machine virt,secure=on"
+QB_OPT_APPEND += "-no-acpi"
+QB_MEM = "-m 1G"
+QB_DEFAULT_FSTYPE = "wic.qcow2"
+QB_DEFAULT_BIOS = "flash.bin"
+QB_FSINFO = "wic:no-kernel-in-fs"
+QB_ROOTFS_OPT = ""
+
+IMAGE_FSTYPES += "wic wic.qcow2"
+
+WKS_FILE ?= "qemuarm64.wks"
+WKS_FILE_DEPENDS = "trusted-firmware-a"
+IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
+
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index fe9a4e0..6f64773 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -8,9 +8,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 inherit deploy
 
 COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
 
 # Platform must be set for each machine
 TFA_PLATFORM ?= "invalid"
+TFA_PLATFORM_aarch64_qemuall ?= "qemu"
 
 # Some platforms can have multiple board configurations
 # Leave empty for default behavior
@@ -20,6 +22,7 @@ TFA_BOARD ?= ""
 # Few options are "opteed", "tlkd", "trusty", "tspd"...
 # Leave empty to not use SPD
 TFA_SPD ?= ""
+TFA_SPD_aarch64_qemuall ?= "opteed"
 
 # Build for debug (set TFA_DEBUG to 1 to activate)
 TFA_DEBUG ?= "0"
@@ -44,16 +47,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
 # U-boot support (set TFA_UBOOT to 1 to activate)
 # When U-Boot support is activated BL33 is activated with u-boot.bin file
 TFA_UBOOT ?= "0"
+TFA_UBOOT_aarch64_qemuall ?= "1"
 
 # What to build
 # By default we only build bl1, do_deploy will copy
 # everything listed in this variable (by default bl1.bin)
 TFA_BUILD_TARGET ?= "bl1"
+TFA_BUILD_TARGET_aarch64_qemuall ?= "all fip"
 
 # What to install
 # do_install and do_deploy will install everything listed in this
 # variable. It is set by default to TFA_BUILD_TARGET
 TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
+TFA_INSTALL_TARGET_aarch64_qemuall ?= "flash.bin"
 
 # Requires CROSS_COMPILE set by hand as there is no configure script
 export CROSS_COMPILE="${TARGET_PREFIX}"
@@ -70,13 +76,13 @@ do_configure[noexec] = "1"
 # We need dtc for dtbs compilation
 # We need openssl for fiptool
 DEPENDS_append = " dtc-native openssl-native"
+DEPENDS_append_aarch64_qemuall ?= " optee-os"
 
 # Add platform parameter
 EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
 
 # Handle TFA_BOARD parameter
 EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
-BUILD_DIR = "${TFA_PLATFORM}${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
 
 # Handle TFA_SPD parameter
 EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
@@ -92,6 +98,17 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
 do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
 
+EXTRA_OEMAKE_append_aarch64_qemuall = " \
+    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
+    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
+    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
+    BL32_RAM_LOCATION=tdram \
+    "
+
+BUILD_DIR = "${B}/${TFA_PLATFORM}"
+BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
+BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
+
 # The following hack is needed to fit properly in yocto build environment
 # TFA is forcing the host compiler and its flags in the Makefile using :=
 # assignment for GCC and CFLAGS.
@@ -107,13 +124,14 @@ do_compile() {
 }
 do_compile[cleandirs] = "${B}"
 
-do_install() {
-    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
-        BUILD_PLAT=${B}/${BUILD_DIR}/debug/
-    else
-        BUILD_PLAT=${B}/${BUILD_DIR}/release/
-    fi
+do_compile_append_aarch64_qemuall() {
+    # Create a secure flash image for booting AArch64 Qemu. See:
+    # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst
+    dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
+    dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+}
 
+do_install() {
     install -d -m 755 ${D}/firmware
     for atfbin in ${TFA_INSTALL_TARGET}; do
         processes="0"
@@ -125,23 +143,23 @@ do_install() {
             exit 1
         fi
 
-        if [ -f $BUILD_PLAT/$atfbin.bin ]; then
+        if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
             echo "Install $atfbin.bin"
-            install -m 0644 $BUILD_PLAT/$atfbin.bin \
+            install -m 0644 ${BUILD_DIR}/$atfbin.bin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
             ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
             processes="1"
         fi
-        if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
+        if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
             echo "Install $atfbin.elf"
-            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
+            install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
             ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
             processes="1"
         fi
-        if [ -f $BUILD_PLAT/$atfbin ]; then
+        if [ -f ${BUILD_DIR}/$atfbin ]; then
             echo "Install $atfbin"
-            install -m 0644 $BUILD_PLAT/$atfbin \
+            install -m 0644 ${BUILD_DIR}/$atfbin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}
             ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
             processes="1"
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
new file mode 100644
index 0000000..de0c6ec
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
@@ -0,0 +1,4 @@
+CONFIG_TFABOOT=y
+# This must match the address that TF-A jumps to for BL33
+CONFIG_SYS_TEXT_BASE=0x60000000
+
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
new file mode 100644
index 0000000..afcd70a
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
new file mode 100644
index 0000000..c7742f8
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://tee.cfg"
+
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
new file mode 100644
index 0000000..7415e18
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
@@ -0,0 +1,4 @@
+CONFIG_HW_RANDOM_OPTEE=m
+CONFIG_TEE=m
+CONFIG_OPTEE=m
+CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=10
diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
index dcbe990..6036bac 100644
--- a/meta-arm/recipes-security/optee/optee-os_git.bb
+++ b/meta-arm/recipes-security/optee/optee-os_git.bb
@@ -23,6 +23,7 @@ S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
 OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE_aarch64_qemuall ?= "vexpress-qemu_armv8a"
 OPTEE_ARCH = "null"
 OPTEE_ARCH_armv7a = "arm32"
 OPTEE_ARCH_aarch64 = "arm64"
@@ -75,6 +76,8 @@ do_deploy() {
 
 addtask deploy before do_build after do_install
 
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
+
 FILES_${PN} = "${nonarch_base_libdir}/firmware/"
 FILES_${PN}-dev = "${includedir}/optee/"
 
diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
index b3e5271..4bf87fe 100644
--- a/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/recipes-security/optee/optee.inc
@@ -1,2 +1,3 @@
 COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
 # Please add supported machines below or set it in .bbappend or .conf
diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
new file mode 100644
index 0000000..7285279
--- /dev/null
+++ b/meta-arm/wic/qemuarm64.wks
@@ -0,0 +1,4 @@
+bootloader --ptable gpt
+
+part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
+part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
-- 
2.17.1

Re: [meta-arm][PATCH v3 3/3] Add support for booting qemu with TFA and optee

[Denys Dmytriyenko]

On Thu, May 21, 2020 at 09:22:59AM -0500, Joshua Watt wrote:
> Adds support for booting AArch64 Qemu machines using TF-A + optee +
> u-boot. Most of the changes are applicable to any AArch64 qemu target,
> and a reference machine called qemuarm64-secureboot has been added that
> show how to enable support for it.
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>

Looks good to me now, thanks!

Reviewed-by: Denys Dmytriyenko <denys@ti.com>


> ---
>  .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++
>  .../trusted-firmware-a/trusted-firmware-a.inc | 44 +++++++++++++------
>  .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
>  meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
>  .../linux/linux-yocto-dev.bbappend            |  4 ++
>  .../linux/linux-yocto-dev/tee.cfg             |  4 ++
>  .../recipes-security/optee/optee-os_git.bb    |  3 ++
>  meta-arm/recipes-security/optee/optee.inc     |  1 +
>  meta-arm/wic/qemuarm64.wks                    |  4 ++
>  9 files changed, 80 insertions(+), 13 deletions(-)
>  create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
>  create mode 100644 meta-arm/wic/qemuarm64.wks
> 
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> new file mode 100644
> index 0000000..a5b7401
> --- /dev/null
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -0,0 +1,26 @@
> +MACHINEOVERRIDES =. "qemuarm64:"
> +
> +require ${COREBASE}/meta/conf/machine/qemuarm64.conf
> +
> +KMACHINE = "qemuarm64"
> +
> +UBOOT_MACHINE = "qemu_arm64_defconfig"
> +
> +# The 5.4 kernel panics when booting, so use the development kernel until the
> +# default kernel is upgraded (5.5. supposedly works)
> +PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
> +
> +QB_MACHINE = "-machine virt,secure=on"
> +QB_OPT_APPEND += "-no-acpi"
> +QB_MEM = "-m 1G"
> +QB_DEFAULT_FSTYPE = "wic.qcow2"
> +QB_DEFAULT_BIOS = "flash.bin"
> +QB_FSINFO = "wic:no-kernel-in-fs"
> +QB_ROOTFS_OPT = ""
> +
> +IMAGE_FSTYPES += "wic wic.qcow2"
> +
> +WKS_FILE ?= "qemuarm64.wks"
> +WKS_FILE_DEPENDS = "trusted-firmware-a"
> +IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> +
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> index fe9a4e0..6f64773 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> @@ -8,9 +8,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
>  inherit deploy
>  
>  COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
>  
>  # Platform must be set for each machine
>  TFA_PLATFORM ?= "invalid"
> +TFA_PLATFORM_aarch64_qemuall ?= "qemu"
>  
>  # Some platforms can have multiple board configurations
>  # Leave empty for default behavior
> @@ -20,6 +22,7 @@ TFA_BOARD ?= ""
>  # Few options are "opteed", "tlkd", "trusty", "tspd"...
>  # Leave empty to not use SPD
>  TFA_SPD ?= ""
> +TFA_SPD_aarch64_qemuall ?= "opteed"
>  
>  # Build for debug (set TFA_DEBUG to 1 to activate)
>  TFA_DEBUG ?= "0"
> @@ -44,16 +47,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
>  # U-boot support (set TFA_UBOOT to 1 to activate)
>  # When U-Boot support is activated BL33 is activated with u-boot.bin file
>  TFA_UBOOT ?= "0"
> +TFA_UBOOT_aarch64_qemuall ?= "1"
>  
>  # What to build
>  # By default we only build bl1, do_deploy will copy
>  # everything listed in this variable (by default bl1.bin)
>  TFA_BUILD_TARGET ?= "bl1"
> +TFA_BUILD_TARGET_aarch64_qemuall ?= "all fip"
>  
>  # What to install
>  # do_install and do_deploy will install everything listed in this
>  # variable. It is set by default to TFA_BUILD_TARGET
>  TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
> +TFA_INSTALL_TARGET_aarch64_qemuall ?= "flash.bin"
>  
>  # Requires CROSS_COMPILE set by hand as there is no configure script
>  export CROSS_COMPILE="${TARGET_PREFIX}"
> @@ -70,13 +76,13 @@ do_configure[noexec] = "1"
>  # We need dtc for dtbs compilation
>  # We need openssl for fiptool
>  DEPENDS_append = " dtc-native openssl-native"
> +DEPENDS_append_aarch64_qemuall ?= " optee-os"
>  
>  # Add platform parameter
>  EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
>  
>  # Handle TFA_BOARD parameter
>  EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
> -BUILD_DIR = "${TFA_PLATFORM}${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
>  
>  # Handle TFA_SPD parameter
>  EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
> @@ -92,6 +98,17 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
>  do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
>  EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
>  
> +EXTRA_OEMAKE_append_aarch64_qemuall = " \
> +    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
> +    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
> +    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
> +    BL32_RAM_LOCATION=tdram \
> +    "
> +
> +BUILD_DIR = "${B}/${TFA_PLATFORM}"
> +BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
> +BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
> +
>  # The following hack is needed to fit properly in yocto build environment
>  # TFA is forcing the host compiler and its flags in the Makefile using :=
>  # assignment for GCC and CFLAGS.
> @@ -107,13 +124,14 @@ do_compile() {
>  }
>  do_compile[cleandirs] = "${B}"
>  
> -do_install() {
> -    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
> -        BUILD_PLAT=${B}/${BUILD_DIR}/debug/
> -    else
> -        BUILD_PLAT=${B}/${BUILD_DIR}/release/
> -    fi
> +do_compile_append_aarch64_qemuall() {
> +    # Create a secure flash image for booting AArch64 Qemu. See:
> +    # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst
> +    dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
> +    dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
> +}
>  
> +do_install() {
>      install -d -m 755 ${D}/firmware
>      for atfbin in ${TFA_INSTALL_TARGET}; do
>          processes="0"
> @@ -125,23 +143,23 @@ do_install() {
>              exit 1
>          fi
>  
> -        if [ -f $BUILD_PLAT/$atfbin.bin ]; then
> +        if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
>              echo "Install $atfbin.bin"
> -            install -m 0644 $BUILD_PLAT/$atfbin.bin \
> +            install -m 0644 ${BUILD_DIR}/$atfbin.bin \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
>              ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
>              processes="1"
>          fi
> -        if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
> +        if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
>              echo "Install $atfbin.elf"
> -            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
> +            install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
>              ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
>              processes="1"
>          fi
> -        if [ -f $BUILD_PLAT/$atfbin ]; then
> +        if [ -f ${BUILD_DIR}/$atfbin ]; then
>              echo "Install $atfbin"
> -            install -m 0644 $BUILD_PLAT/$atfbin \
> +            install -m 0644 ${BUILD_DIR}/$atfbin \
>                  ${D}/firmware/$atfbin-${TFA_PLATFORM}
>              ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
>              processes="1"
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> new file mode 100644
> index 0000000..de0c6ec
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> @@ -0,0 +1,4 @@
> +CONFIG_TFABOOT=y
> +# This must match the address that TF-A jumps to for BL33
> +CONFIG_SYS_TEXT_BASE=0x60000000
> +
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> new file mode 100644
> index 0000000..afcd70a
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -0,0 +1,3 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
> new file mode 100644
> index 0000000..c7742f8
> --- /dev/null
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
> @@ -0,0 +1,4 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI_append_qemuarm64-secureboot = " file://tee.cfg"
> +
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
> new file mode 100644
> index 0000000..7415e18
> --- /dev/null
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
> @@ -0,0 +1,4 @@
> +CONFIG_HW_RANDOM_OPTEE=m
> +CONFIG_TEE=m
> +CONFIG_OPTEE=m
> +CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=10
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
> index dcbe990..6036bac 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -23,6 +23,7 @@ S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build"
>  
>  OPTEEMACHINE ?= "${MACHINE}"
> +OPTEEMACHINE_aarch64_qemuall ?= "vexpress-qemu_armv8a"
>  OPTEE_ARCH = "null"
>  OPTEE_ARCH_armv7a = "arm32"
>  OPTEE_ARCH_aarch64 = "arm64"
> @@ -75,6 +76,8 @@ do_deploy() {
>  
>  addtask deploy before do_build after do_install
>  
> +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> +
>  FILES_${PN} = "${nonarch_base_libdir}/firmware/"
>  FILES_${PN}-dev = "${includedir}/optee/"
>  
> diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
> index b3e5271..4bf87fe 100644
> --- a/meta-arm/recipes-security/optee/optee.inc
> +++ b/meta-arm/recipes-security/optee/optee.inc
> @@ -1,2 +1,3 @@
>  COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
>  # Please add supported machines below or set it in .bbappend or .conf
> diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
> new file mode 100644
> index 0000000..7285279
> --- /dev/null
> +++ b/meta-arm/wic/qemuarm64.wks
> @@ -0,0 +1,4 @@
> +bootloader --ptable gpt
> +
> +part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
> +part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root
> -- 
> 2.17.1
> 

> 

Re: [meta-arm][PATCH v3 0/3] Add support for booting qemu with TFA and optee

[Jon Mason]

On Thu, May 21, 2020 at 09:22:56AM -0500, Joshua Watt wrote:
> Adds support for booting AArch64 Qemu machines using TF-A + optee +
> u-boot. Most of the changes are applicable to any AArch64 qemu target,
> and a reference machine called qemuarm64-secureboot has been added that
> show how to enable support for it.
> 
> Testing of op-tee can be done using the qemuarm64-secureboot machine
> with the following commands:
> 
> $ cat >> conf/local.conf <<HEREDOC
> MACHINE = "qemuarm64-secureboot"
> CORE_IMAGE_EXTRA_INSTALL += "optee-test kernel-modules"
> HEREDOC
> $ bitbake core-image-minimal
> $ runqemu nographic serialstdio slirp
> ...
> root@qemuarm64-secureboot:~# xtest
> 
> V3: 
> * Remove subshell in optee-client: do_install
> * Changes assignements for compiling optee/TF-A for qemu to be weak
> * Fixed optee-os install path to respect ${BUILD_PLAT}

Thanks for doing this!  This is a great way to automate the building
and testing of these pieces.

I am seeing a weird issue of it not booting on my Debian system, but
seems to work fine on a Ubuntu VM.  So, chalk it up to all the Debian
issues YP master branch is seeing right now.

Pulled into the master branch.

Thanks,
Jon


> 
> Joshua Watt (3):
>   optee-{os,examples,client,test}: Build out of tree
>   optee-client: Add sysVinit service
>   Add support for booting qemu with TFA and optee
> 
>  .../conf/machine/qemuarm64-secureboot.conf    | 26 +++++++++++
>  .../trusted-firmware-a/trusted-firmware-a.inc | 44 ++++++++++++------
>  .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg   |  4 ++
>  meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  3 ++
>  .../linux/linux-yocto-dev.bbappend            |  4 ++
>  .../linux/linux-yocto-dev/tee.cfg             |  4 ++
>  .../optee/optee-client/tee-supplicant.service |  4 +-
>  .../optee/optee-client/tee-supplicant.sh      | 46 +++++++++++++++++++
>  .../optee/optee-client_git.bb                 | 38 +++++++++++----
>  .../optee/optee-examples_git.bb               |  8 +++-
>  .../recipes-security/optee/optee-os_git.bb    | 13 ++++--
>  .../recipes-security/optee/optee-test_git.bb  |  8 +++-
>  meta-arm/recipes-security/optee/optee.inc     |  1 +
>  meta-arm/wic/qemuarm64.wks                    |  4 ++
>  14 files changed, 175 insertions(+), 32 deletions(-)
>  create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
>  create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg
>  create mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
>  create mode 100644 meta-arm/wic/qemuarm64.wks
> 
> -- 
> 2.17.1
> 

>