[meta-rockchip][PATCH 0/6] WIP/RFC OP-TEE support for ARM and rk3399

[meta-rockchip][PATCH 0/6] WIP/RFC OP-TEE support for ARM and rk3399

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

This tries to provide a generic framework for easier OP-TEE support in
BSP layers.  It would probably make sense to have the generic parts in
meta-arm when they are finalized.  Today the kernel/dts handling is
still not properly done, and patches to fix rk3399 support in OP-TEE
have not yet been merged upstream, and I'm mostly posting this to
gather comments on the whole idea.

Yann Dirson (6):
  optee: condition for "optee" DISTRO_FEATURE
  truster-firmware-a: include optee support when requested by
    DISTRO_FEATURE
  u-boot: include optee-os as BL32 when requested by DISTRO_FEATURE
  WIP optee-os: rk3399 support
  WIP nanopi-m4: declare OP-TEE presence in devicetree
  WIP kernel config feature for OP-TEE activation

 conf/machine/include/rk3399.inc               |  2 +
 .../trusted-firmware-a_%.bbappend             | 19 ++++++++
 recipes-bsp/u-boot/u-boot%.bbappend           | 14 ++++++
 .../0001-nanopi-declare-optee-presence.patch  | 30 ++++++++++++
 recipes-kernel/linux/files/bsp/tee.cfg        |  2 +
 recipes-kernel/linux/linux-yocto%.bbappend    |  1 +
 ...399-enable-serial-console-by-default.patch | 46 +++++++++++++++++++
 .../optee/files/rk3399-boot-fix.patch         | 13 ++++++
 recipes-security/optee/optee%.bbappend        |  4 ++
 recipes-security/optee/optee-os_%.bbappend    |  9 ++++
 10 files changed, 140 insertions(+)
 create mode 100644 recipes-kernel/linux/files/0001-nanopi-declare-optee-presence.patch
 create mode 100644 recipes-kernel/linux/files/bsp/tee.cfg
 create mode 100644 recipes-security/optee/files/0001-rk3399-enable-serial-console-by-default.patch
 create mode 100644 recipes-security/optee/files/rk3399-boot-fix.patch
 create mode 100644 recipes-security/optee/optee%.bbappend
 create mode 100644 recipes-security/optee/optee-os_%.bbappend

-- 
2.30.2

[meta-rockchip][PATCH 1/6] optee: condition for "optee" DISTRO_FEATURE

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

This effectively sets up a single switch to activate OP-TEE support.
Disabling optee-* recipes when the feature is not set is not the
primary goal, though it can occasionally be handy to catch
dependencies pulling them without using the new DISTRO_FEATURE, which
provides a safeguard to ensure downstream recipes in need of upgrade
will fail early.

The main value for this flag is for dependent recipes to know when to
activate the OP-TEE support, rather than having to control each of
them separately:

- u-boot
- trusted-firmware-a
- kernel

Signed-off-by: Yann Dirson <yann@blade-group.com>
---
 recipes-security/optee/optee%.bbappend | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 recipes-security/optee/optee%.bbappend

diff --git a/recipes-security/optee/optee%.bbappend b/recipes-security/optee/optee%.bbappend
new file mode 100644
index 0000000..2a8722a
--- /dev/null
+++ b/recipes-security/optee/optee%.bbappend
@@ -0,0 +1,2 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "optee"
-- 
2.30.2

[meta-rockchip][PATCH 2/6] truster-firmware-a: include optee support when requested by DISTRO_FEATURE

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

This instructs TF-A to:

 - load OP-TEE OS as BL32, but still relies on the actual image to be
   provided through other means, eg. in u-boot.itb
 - run opteed as Secure Payload Dispatcher

This is configured automatically when DISTRO_FEATURE includes "optee".

Signed-off-by: Yann Dirson <yann@blade-group.com>
---
 .../trusted-firmware-a_%.bbappend             | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index 1942c17..5b04311 100644
--- a/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -9,3 +9,22 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "\
     file://serial-console-baudrate.patch \
 "
+
+# OP-TEE, dependent on "optee" DISTRO_FEATURES
+
+OPTEE_DEPENDS ?= "optee-os:do_deploy"
+OPTEE_OEMAKE ?= " \
+    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
+    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
+    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
+    "
+
+do_compile[depends] .= " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'optee', ' ${OPTEE_DEPENDS}', '', d)} \
+"
+
+EXTRA_OEMAKE_append = " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'optee', ' ${OPTEE_OEMAKE}', '', d)} \
+"
+
+TFA_SPD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'optee', 'opteed', '', d)}"
-- 
2.30.2

[meta-rockchip][PATCH 3/6] u-boot: include optee-os as BL32 when requested by DISTRO_FEATURE

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

This causes OP-TEE to get included into the u-boot.itb fitImage so u-boot
can load it for the trusted-firmware-a BL31 to run it.

This is configured automatically when DISTRO_FEATURE includes "optee".

Signed-off-by: Yann Dirson <yann@blade-group.com>
---
 recipes-bsp/u-boot/u-boot%.bbappend | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/recipes-bsp/u-boot/u-boot%.bbappend b/recipes-bsp/u-boot/u-boot%.bbappend
index 95c019d..c8e150b 100644
--- a/recipes-bsp/u-boot/u-boot%.bbappend
+++ b/recipes-bsp/u-boot/u-boot%.bbappend
@@ -5,6 +5,8 @@ do_compile_append_rock2-square () {
 	fi
 }
 
+# TF-A, when supported
+
 ATF_DEPENDS ??= ""
 
 EXTRA_OEMAKE_append_rk3399 = " BL31=${DEPLOY_DIR_IMAGE}/bl31-rk3399.elf"
@@ -14,3 +16,15 @@ ATF_DEPENDS_rk3328 = " virtual/trusted-firmware-a:do_deploy"
 
 do_compile[depends] .= "${ATF_DEPENDS}"
 
+# OP-TEE, dependent on "optee" DISTRO_FEATURES
+
+OPTEE_DEPENDS ?= "optee-os:do_deploy"
+OPTEE_OEMAKE ?= " TEE=${DEPLOY_DIR_IMAGE}/optee/tee.elf"
+
+do_compile[depends] .= " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'optee', ' ${OPTEE_DEPENDS}', '', d)} \
+"
+
+EXTRA_OEMAKE_append = " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'optee', ' ${OPTEE_OEMAKE}', '', d)} \
+"
-- 
2.30.2

[meta-rockchip][PATCH 4/6] WIP optee-os: rk3399 support

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

This is the current state of working patches being discussed in
https://github.com/OP-TEE/optee_os/issues/4542
---
 conf/machine/include/rk3399.inc               |  2 +
 ...399-enable-serial-console-by-default.patch | 46 +++++++++++++++++++
 .../optee/files/rk3399-boot-fix.patch         | 13 ++++++
 recipes-security/optee/optee%.bbappend        |  2 +
 recipes-security/optee/optee-os_%.bbappend    |  9 ++++
 5 files changed, 72 insertions(+)
 create mode 100644 recipes-security/optee/files/0001-rk3399-enable-serial-console-by-default.patch
 create mode 100644 recipes-security/optee/files/rk3399-boot-fix.patch
 create mode 100644 recipes-security/optee/optee-os_%.bbappend

diff --git a/conf/machine/include/rk3399.inc b/conf/machine/include/rk3399.inc
index f6b7826..9ac434e 100644
--- a/conf/machine/include/rk3399.inc
+++ b/conf/machine/include/rk3399.inc
@@ -13,6 +13,8 @@ KBUILD_DEFCONFIG ?= "defconfig"
 KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_IMAGETYPE = "fitImage"
 
+OPTEEMACHINE = "rockchip-rk3399"
+
 TFA_PLATFORM = "rk3399"
 TFA_BUILD_TARGET = "bl31"
 
diff --git a/recipes-security/optee/files/0001-rk3399-enable-serial-console-by-default.patch b/recipes-security/optee/files/0001-rk3399-enable-serial-console-by-default.patch
new file mode 100644
index 0000000..31daef7
--- /dev/null
+++ b/recipes-security/optee/files/0001-rk3399-enable-serial-console-by-default.patch
@@ -0,0 +1,46 @@
+From 0e2cbe08532a1344aab62f21b032ce6171e50f49 Mon Sep 17 00:00:00 2001
+From: Yann Dirson <yann@blade-group.com>
+Date: Mon, 12 Apr 2021 10:49:18 +0200
+Subject: [PATCH] rk3399: enable serial console by default
+Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/4551]
+
+Signed-off-by: Yann Dirson <yann@blade-group.com>
+---
+ core/arch/arm/plat-rockchip/conf.mk | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: git/core/arch/arm/plat-rockchip/conf.mk
+===================================================================
+--- git.orig/core/arch/arm/plat-rockchip/conf.mk
++++ git/core/arch/arm/plat-rockchip/conf.mk
+@@ -26,8 +26,6 @@ CFG_EARLY_CONSOLE_BAUDRATE ?= 1500000
+ CFG_EARLY_CONSOLE_CLK_IN_HZ ?= 24000000
+ endif
+ 
+-CFG_EARLY_CONSOLE ?= n
+-
+ ifeq ($(PLATFORM_FLAVOR),rk3399)
+ include core/arch/arm/cpu/cortex-armv8-0.mk
+ $(call force,CFG_TEE_CORE_NB_CORE,6)
+@@ -37,6 +35,12 @@ CFG_TZDRAM_START ?= 0x30000000
+ CFG_TZDRAM_SIZE  ?= 0x02000000
+ CFG_SHMEM_START  ?= 0x32000000
+ CFG_SHMEM_SIZE   ?= 0x00400000
++
++CFG_EARLY_CONSOLE ?= y
++CFG_EARLY_CONSOLE_BASE ?= UART2_BASE
++CFG_EARLY_CONSOLE_SIZE ?= UART2_SIZE
++CFG_EARLY_CONSOLE_BAUDRATE ?= 1500000
++CFG_EARLY_CONSOLE_CLK_IN_HZ ?= 24000000
+ endif
+ 
+ ifeq ($(PLATFORM_FLAVOR),px30)
+@@ -47,6 +51,8 @@ CFG_TZDRAM_START ?= 0x30000000
+ CFG_TZDRAM_SIZE  ?= 0x02000000
+ CFG_SHMEM_START  ?= 0x32000000
+ CFG_SHMEM_SIZE   ?= 0x00400000
++
++CFG_EARLY_CONSOLE ?= n
+ endif
+ 
+ ifeq ($(platform-flavor-armv8),1)
diff --git a/recipes-security/optee/files/rk3399-boot-fix.patch b/recipes-security/optee/files/rk3399-boot-fix.patch
new file mode 100644
index 0000000..d346157
--- /dev/null
+++ b/recipes-security/optee/files/rk3399-boot-fix.patch
@@ -0,0 +1,13 @@
+Index: git/core/arch/arm/kernel/entry_a64.S
+===================================================================
+--- git.orig/core/arch/arm/kernel/entry_a64.S
++++ git/core/arch/arm/kernel/entry_a64.S
+@@ -219,7 +219,7 @@ clear_nex_bss:
+ 	adr_l	x0, __text_start
+ 	ldr	x1, cached_mem_end
+ 	sub	x1, x1, x0
+-	bl	dcache_cleaninv_range
++/*	bl	dcache_cleaninv_range*/
+ 
+ 
+ 	/*
diff --git a/recipes-security/optee/optee%.bbappend b/recipes-security/optee/optee%.bbappend
index 2a8722a..ec11863 100644
--- a/recipes-security/optee/optee%.bbappend
+++ b/recipes-security/optee/optee%.bbappend
@@ -1,2 +1,4 @@
+COMPATIBLE_MACHINE_rk3399 ?= "rk3399"
+
 inherit features_check
 REQUIRED_DISTRO_FEATURES = "optee"
diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
new file mode 100644
index 0000000..eceb694
--- /dev/null
+++ b/recipes-security/optee/optee-os_%.bbappend
@@ -0,0 +1,9 @@
+EXTRA_OEMAKE_append_rk3399 = " \
+    CFG_CORE_ASLR=n \
+"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "\
+    file://rk3399-boot-fix.patch \
+    file://0001-rk3399-enable-serial-console-by-default.patch \
+"
-- 
2.30.2

[meta-rockchip][PATCH 5/6] WIP nanopi-m4: declare OP-TEE presence in devicetree

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

FIXME:

 - this is not specific to the board, and would indeed apply to any SoC
   supported by OP-TEE.
 - should rather be selected by "optee" in DISTRO_FEATURES, maybe using
   a dts overlay
---
 .../0001-nanopi-declare-optee-presence.patch  | 30 +++++++++++++++++++
 recipes-kernel/linux/linux-yocto%.bbappend    |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 recipes-kernel/linux/files/0001-nanopi-declare-optee-presence.patch

diff --git a/recipes-kernel/linux/files/0001-nanopi-declare-optee-presence.patch b/recipes-kernel/linux/files/0001-nanopi-declare-optee-presence.patch
new file mode 100644
index 0000000..aede781
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-nanopi-declare-optee-presence.patch
@@ -0,0 +1,30 @@
+From 30cb714e717990276a5fabc50dc616c83b223ee7 Mon Sep 17 00:00:00 2001
+From: Yann Dirson <yann@blade-group.com>
+Date: Mon, 12 Apr 2021 15:50:26 +0200
+Subject: [PATCH] nanopi: declare optee presence
+
+---
+ arch/arm64/boot/dts/rockchip/rk3399-nanopi-m4.dts | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-m4.dts b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-m4.dts
+index 60358ab8c7df..ef11639b03f6 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-nanopi-m4.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-nanopi-m4.dts
+@@ -16,6 +16,13 @@ / {
+ 	model = "FriendlyElec NanoPi M4";
+ 	compatible = "friendlyarm,nanopi-m4", "rockchip,rk3399";
+ 
++	firmware {
++		optee {
++			compatible = "linaro,optee-tz";
++			method = "smc";
++		};
++	};
++
+ 	vdd_5v: vdd-5v {
+ 		compatible = "regulator-fixed";
+ 		regulator-name = "vdd_5v";
+-- 
+2.30.2
+
diff --git a/recipes-kernel/linux/linux-yocto%.bbappend b/recipes-kernel/linux/linux-yocto%.bbappend
index 9658681..97b3238 100644
--- a/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/recipes-kernel/linux/linux-yocto%.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
 SRC_URI_append = "\
  file://bsp;type=kmeta;subdir=kernel-meta \
+ file://0001-nanopi-declare-optee-presence.patch \
 "
 
 COMPATIBLE_MACHINE_marsboard-rk3066 = "marsboard-rk3066"
-- 
2.30.2

[meta-rockchip][PATCH 6/6] WIP kernel config feature for OP-TEE activation

[Yann Dirson]

From: Yann Dirson <yann@blade-group.com>

FIXME:
- provide an .scc with proper information
- maybe bundle with dts overlay
- select a more suitable path in config namespace
---
 recipes-kernel/linux/files/bsp/tee.cfg | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 recipes-kernel/linux/files/bsp/tee.cfg

diff --git a/recipes-kernel/linux/files/bsp/tee.cfg b/recipes-kernel/linux/files/bsp/tee.cfg
new file mode 100644
index 0000000..82213a5
--- /dev/null
+++ b/recipes-kernel/linux/files/bsp/tee.cfg
@@ -0,0 +1,2 @@
+CONFIG_TEE=m
+CONFIG_OPTEE=m
-- 
2.30.2