* [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs
@ 2021-11-11 13:16 Maxim Uvarov
  2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-11 13:16 UTC (permalink / raw)
  To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov

A separate recipe for the TA devkit is needed to solve the
circular dependency of building TAs with the devkit
and integrating them inside optee-os.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
 .../recipes-security/optee/optee-examples.inc |  2 +-
 .../optee/optee-os-tadevkit_3.14.0.bb         | 20 +++++++++++++++++++
 meta-arm/recipes-security/optee/optee-os.inc  |  7 -------
 3 files changed, 21 insertions(+), 8 deletions(-)
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb

diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
index 921fa18..656722e 100644
--- a/meta-arm/recipes-security/optee/optee-examples.inc
+++ b/meta-arm/recipes-security/optee/optee-examples.inc
@@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
 
-DEPENDS = "optee-client optee-os python3-pycryptodome-native"
+DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native"
 
 inherit python3native
 
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
new file mode 100644
index 0000000..0d37a52
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
@@ -0,0 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+require optee-os_3.14.0.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+	echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
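Review bot: The `do_deploy()` stub at the end of this new recipe still runs as a task, because the `addtask deploy` in optee-os.inc stays in effect through `require optee-os_3.14.0.bb`, and it only prints a message; `do_deploy[noexec] = "1"` states the same intent without a dummy body. The stub is also the one tab-indented line in a file that otherwise uses four spaces. In `do_install()`, the shell variable should be quoted, `cp -aR "$f" ${D}${includedir}/optee/export-user_ta/`. Because the whole optee-os recipe is pulled in, this recipe presumably repeats the full OP-TEE OS build just to export the devkit, so a short comment above `require` explaining that trade-off would help the next maintainer.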
diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
index 277646e..1506a58 100644
--- a/meta-arm/recipes-security/optee/optee-os.inc
+++ b/meta-arm/recipes-security/optee/optee-os.inc
@@ -46,12 +46,6 @@ do_install() {
     #install core in firmware
     install -d ${D}${nonarch_base_libdir}/firmware/
     install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
-
-    #install TA devkit
-    install -d ${D}${includedir}/optee/export-user_ta/
-    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
-        cp -aR $f ${D}${includedir}/optee/export-user_ta/
-    done
 }
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
@@ -66,7 +60,6 @@ addtask deploy before do_build after do_install
 SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
 
 FILES:${PN} = "${nonarch_base_libdir}/firmware/"
-FILES:${PN}-dev = "${includedir}/optee/"
 
 # note: "textrel" is not triggered on all archs
 INSANE_SKIP:${PN} = "textrel"
-- 
2.17.1




* [PATCHv2 2/3] add optee-ftpm
  2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov
@ 2021-11-11 13:16 ` Maxim Uvarov
  2021-11-11 19:13   ` [meta-arm] " Denys Dmytriyenko
  2021-11-11 13:16 ` [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a Maxim Uvarov
  2021-11-15  3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason
  2 siblings, 1 reply; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-11 13:16 UTC (permalink / raw)
  To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov

Add software TPM emulated in the OPTEE-OS.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
 .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++
 .../0002-add-enum-to-ta-flags.patch           | 30 ++++++++
 .../optee-ftpm/optee-ftpm_git.bb              | 71 +++++++++++++++++++
 .../optee-ftpm/optee-os_%.bbappend            |  5 ++
 4 files changed, 126 insertions(+)
 create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
 create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
 create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
 create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend

diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
new file mode 100644
index 0000000..08acde2
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
@@ -0,0 +1,20 @@
+fix gcc compilation
+
+just fix compilation under gcc.
+Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+
+diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
+index 7b3a953aebda..e156ae5c7909 100755
+--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
+@@ -181,7 +181,7 @@
+     /* GCC 7 has new switch() fall-through detection */
+     #if defined(__GNUC__)
+         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
+-            #define FALL_THROUGH __attribute__ ((fallthrough));
++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
+         #endif
+     #endif
+     #ifndef FALL_THROUGH
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
new file mode 100644
index 0000000..bbc1107
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
@@ -0,0 +1,30 @@
+From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH 2/2] add enum to ta flags
+
+If we compile this TA into OPTEE-OS we need to define a flag
+that this TA can be discovered on the optee bus.
+Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
+index 6ff62d1..685b54a 100644
+--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+ 
+ #define TA_UUID                     TA_FTPM_UUID
+ 
+-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE               (64 * 1024)
+ #define TA_DATA_SIZE                (64 * 1024)
+ 
+-- 
+2.17.1
+
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
new file mode 100644
index 0000000..a6244b2
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
@@ -0,0 +1,71 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "OPTEE fTPM"
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+inherit autotools-brokensep deploy pkgconfig gettext python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
+
+DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
+DEPENDS += " optee-os-tadevkit"
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
+# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
+# The TEE supplicant is also needed to provide access to secure storage.
+# Secure storage access required by OP-TEE fTPM TA
+# is provided via OP-TEE supplicant that's not available during boot.
+# Fix this once we replace this with the MS implementation
+SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master"
+SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
+SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
+SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+    CFG_FTPM_USE_WOLF=y \
+    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+    TA_CROSS_COMPILE=${TARGET_PREFIX} \
+    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+    CFG_ARM64_ta_arm64=y \
+"
+
+B = "${S}"
+
+# fails with j > 1
+PARALLEL_MAKE = ""
+
+do_compile() {
+    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
+    # there's also a secure variable storage TA called authvars
+    cd ${S}/TAs/optee_ta
+    oe_runmake ftpm
+}
+
+do_install () {
+    mkdir -p ${D}/lib/optee_armtz
+    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
+}
+
+do_deploy () {
+    install -d ${DEPLOYDIR}/optee
+    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta"
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
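Review bot: Nothing in `EXTRA_OEMAKE` selects a TA signing key, so the `.ta` that `do_install()` ships is presumably signed with whatever default key the devkit under `TA_DEV_KIT_DIR` carries. Upstream OP-TEE's default is a publicly known test key, which deserves a comment here and a `TA_SIGN_KEY=<path to project key>` override for anything beyond QEMU testing. The comment block above `SRC_URI` looks stale next to the rest of the series: it talks about the TA not being built in and needing tee-supplicant, while the bbappend in this patch embeds it through `CFG_EARLY_TA=y`, so it should be reworded to say what still holds. The commented-out `SRC_URI` and `HOMEPAGE` also point at ms-tpm-20-ref although the source fetched is MSRSec. `LIC_FILES_CHKSUM` would conventionally be `file://LICENSE;md5=...`, relative to `${S}`, rather than `file://${S}/LICENSE`.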
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
new file mode 100644
index 0000000..910603e
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
@@ -0,0 +1,5 @@
+DEPENDS:append = "optee-ftpm"
+inherit deploy
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
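Review bot: `EARLY_TA_PATHS` reads the ELF from `${DEPLOY_DIR_IMAGE}`, but `DEPENDS` only orders optee-os behind optee-ftpm's sysroot population, not behind its `do_deploy`, so the file may be missing (or stale from an earlier build) when optee-os compiles. An explicit task dependency such as `do_compile[depends] += "optee-ftpm:do_deploy"` closes that gap. `FTPM_UUID` is also defined a second time here with the same literal as in optee-ftpm_git.bb; a single definition, for example in a shared .inc, keeps the two from drifting apart.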
-- 
2.17.1




* [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a
  2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov
  2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov
@ 2021-11-11 13:16 ` Maxim Uvarov
  2021-11-15  3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason
  2 siblings, 0 replies; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-11 13:16 UTC (permalink / raw)
  To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
 ci/qemuarm64-secureboot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b7f3cb4..a7e89d4 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -14,3 +14,5 @@ target:
   - core-image-base
   - perf
   - optee-examples
+  - optee-os
+  - trusted-firmware-a
-- 
2.17.1




* Re: [meta-arm] [PATCHv2 2/3] add optee-ftpm
  2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov
@ 2021-11-11 19:13   ` Denys Dmytriyenko
  2021-11-12  9:42     ` Maxim Uvarov
       [not found]     ` <16B6C33755E65ACE.32262@lists.yoctoproject.org>
  0 siblings, 2 replies; 10+ messages in thread
From: Denys Dmytriyenko @ 2021-11-11 19:13 UTC (permalink / raw)
  To: Maxim Uvarov; +Cc: meta-arm, jon.mason, ross.burton

On Thu, Nov 11, 2021 at 04:16:14PM +0300, Maxim Uvarov wrote:
> Add software TPM emulated in the OPTEE-OS.
> 
> Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> ---
>  .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++
>  .../0002-add-enum-to-ta-flags.patch           | 30 ++++++++
>  .../optee-ftpm/optee-ftpm_git.bb              | 71 +++++++++++++++++++
>  .../optee-ftpm/optee-os_%.bbappend            |  5 ++
>  4 files changed, 126 insertions(+)
>  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
>  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
>  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
>  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> 
> diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> new file mode 100644
> index 0000000..08acde2
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> @@ -0,0 +1,20 @@
> +fix gcc compilation
> +
> +just fix compilation under gcc.
> +Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563]
> +
> +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> +
> +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
> +index 7b3a953aebda..e156ae5c7909 100755
> +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
> ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
> +@@ -181,7 +181,7 @@
> +     /* GCC 7 has new switch() fall-through detection */
> +     #if defined(__GNUC__)
> +         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
> +-            #define FALL_THROUGH __attribute__ ((fallthrough));
> ++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
> +         #endif
> +     #endif
> +     #ifndef FALL_THROUGH
> diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> new file mode 100644
> index 0000000..bbc1107
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> @@ -0,0 +1,30 @@
> +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
> +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> +Date: Fri, 17 Apr 2020 12:05:53 +0100
> +Subject: [PATCH 2/2] add enum to ta flags
> +
> +If we compile this TA into OPTEE-OS we need to define a flag
> +that this TA can be discovered on the optee bus.
> +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
> +
> +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> +---
> + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> +index 6ff62d1..685b54a 100644
> +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
> ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> +@@ -44,7 +44,7 @@
> + 
> + #define TA_UUID                     TA_FTPM_UUID
> + 
> +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
> ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> + #define TA_STACK_SIZE               (64 * 1024)
> + #define TA_DATA_SIZE                (64 * 1024)
> + 
> +-- 
> +2.17.1
> +
> diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> new file mode 100644
> index 0000000..a6244b2
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> @@ -0,0 +1,71 @@
> +SUMMARY = "OPTEE fTPM Microsoft TA"
> +DESCRIPTION = "OPTEE fTPM"

There's no need for DESCRIPTION here, as it's meant to expand on the short 
SUMMARY and provide a more detailed description of the package, which it 
clearly doesn't here.


> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> +
> +inherit autotools-brokensep deploy pkgconfig gettext python3native
> +
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
> +
> +DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
> +DEPENDS += " optee-os-tadevkit"
> +
> +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> +
> +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
> +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
> +# The TEE supplicant is also needed to provide access to secure storage.
> +# Secure storage access required by OP-TEE fTPM TA
> +# is provided via OP-TEE supplicant that's not available during boot.
> +# Fix this once we replace this with the MS implementation
> +SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master"
> +SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
> +SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
> +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
> +
> +S = "${WORKDIR}/git"
> +
> +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
> +
> +EXTRA_OEMAKE += '\
> +    CFG_FTPM_USE_WOLF=y \
> +    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> +    TA_CROSS_COMPILE=${TARGET_PREFIX} \
> +    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
> +'
> +
> +EXTRA_OEMAKE:append:aarch64:qemuall = "\

Is it aarch64 or qemuall?


> +    CFG_ARM64_ta_arm64=y \
> +"
> +
> +B = "${S}"
> +
> +# fails with j > 1
> +PARALLEL_MAKE = ""
> +
> +do_compile() {
> +    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk

If this is not done statically as a patch, then it should at least be done in 
do_configure() instead of do_compile()


> +    # there's also a secure variable storage TA called authvars
> +    cd ${S}/TAs/optee_ta
> +    oe_runmake ftpm
> +}
> +
> +do_install () {
> +    mkdir -p ${D}/lib/optee_armtz
> +    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/

/lib -> ${nonarch_base_libdir}


> +}
> +
> +do_deploy () {
> +    install -d ${DEPLOYDIR}/optee
> +    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
> +}
> +
> +addtask deploy before do_build after do_install
> +
> +FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta"
> +
> +# Imports machine specific configs from staging to build
> +PACKAGE_ARCH = "${MACHINE_ARCH}"
> +INSANE_SKIP:${PN} += "ldflags"
> diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> new file mode 100644
> index 0000000..910603e
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> @@ -0,0 +1,5 @@
> +DEPENDS:append = "optee-ftpm"
> +inherit deploy

Again, this is redundant, as optee-os already inherits deploy.


> +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> +EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'

Needs a leading whitespace, as :append won't insert it, hence it will 
concatenate it to the existing value of EXTRA_OEMAKE.

And I do believe there's a confusion about how bbappends work in OE - it is 
not optional, even when it's in a different directory. This bbappend will 
unconditionally modify the main optee-os recipe, which is also in the same 
layer. So, if it is meant to unconditionally modify optee-os, then these 
changes should go directly into optee-os recipe, instead of a bbappend. And 
if this is meant to be an optional extension to optee-os, then it cannot be 
done as bbappend either.

-- 
Regards,
Denys Dmytriyenko <denis@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964



* Re: [meta-arm] [PATCHv2 2/3] add optee-ftpm
  2021-11-11 19:13   ` [meta-arm] " Denys Dmytriyenko
@ 2021-11-12  9:42     ` Maxim Uvarov
       [not found]     ` <16B6C33755E65ACE.32262@lists.yoctoproject.org>
  1 sibling, 0 replies; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-12  9:42 UTC (permalink / raw)
  To: Denys Dmytriyenko; +Cc: meta-arm, Jon.Mason, Ross.Burton

On Thu, 11 Nov 2021 at 22:13, Denys Dmytriyenko <denis@denix.org> wrote:
>
> On Thu, Nov 11, 2021 at 04:16:14PM +0300, Maxim Uvarov wrote:
> > Add software TPM emulated in the OPTEE-OS.
> >
> > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > ---
> >  .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++
> >  .../0002-add-enum-to-ta-flags.patch           | 30 ++++++++
> >  .../optee-ftpm/optee-ftpm_git.bb              | 71 +++++++++++++++++++
> >  .../optee-ftpm/optee-os_%.bbappend            |  5 ++
> >  4 files changed, 126 insertions(+)
> >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> >
> > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > new file mode 100644
> > index 0000000..08acde2
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > @@ -0,0 +1,20 @@
> > +fix gcc compilation
> > +
> > +just fix compilation under gcc.
> > +Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563]
> > +
> > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > +
> > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
> > +index 7b3a953aebda..e156ae5c7909 100755
> > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
> > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
> > +@@ -181,7 +181,7 @@
> > +     /* GCC 7 has new switch() fall-through detection */
> > +     #if defined(__GNUC__)
> > +         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
> > +-            #define FALL_THROUGH __attribute__ ((fallthrough));
> > ++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
> > +         #endif
> > +     #endif
> > +     #ifndef FALL_THROUGH
> > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > new file mode 100644
> > index 0000000..bbc1107
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > @@ -0,0 +1,30 @@
> > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
> > +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> > +Date: Fri, 17 Apr 2020 12:05:53 +0100
> > +Subject: [PATCH 2/2] add enum to ta flags
> > +
> > +If we compile this TA into OPTEE-OS we need to define a flag
> > +that this TA can be discovered on the optee bus.
> > +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
> > +
> > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > +---
> > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > +index 6ff62d1..685b54a 100644
> > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > +@@ -44,7 +44,7 @@
> > +
> > + #define TA_UUID                     TA_FTPM_UUID
> > +
> > +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
> > ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> > + #define TA_STACK_SIZE               (64 * 1024)
> > + #define TA_DATA_SIZE                (64 * 1024)
> > +
> > +--
> > +2.17.1
> > +
> > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > new file mode 100644
> > index 0000000..a6244b2
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > @@ -0,0 +1,71 @@
> > +SUMMARY = "OPTEE fTPM Microsoft TA"
> > +DESCRIPTION = "OPTEE fTPM"
>
> There's no need in DESCRIPTION here, as it's meant to expand on the short
> SUMMARY and provide a more detailed description of the package, which it
> clearly doesn't here.
>
>
> > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> > +
> > +inherit autotools-brokensep deploy pkgconfig gettext python3native
> > +
> > +LICENSE = "MIT"
> > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
> > +
> > +DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
> > +DEPENDS += " optee-os-tadevkit"
> > +
> > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> > +
> > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
> > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
> > +# The TEE supplicant is also needed to provide access to secure storage.
> > +# Secure storage access required by OP-TEE fTPM TA
> > +# is provided via OP-TEE supplicant that's not available during boot.
> > +# Fix this once we replace this with the MS implementation
> > +SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master"
> > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
> > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
> > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
> > +
> > +S = "${WORKDIR}/git"
> > +
> > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
> > +
> > +EXTRA_OEMAKE += '\
> > +    CFG_FTPM_USE_WOLF=y \
> > +    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> > +    TA_CROSS_COMPILE=${TARGET_PREFIX} \
> > +    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
> > +'
> > +
> > +EXTRA_OEMAKE:append:aarch64:qemuall = "\
>
> Is it aarch64 or qemuall?
>
>
> > +    CFG_ARM64_ta_arm64=y \
> > +"
> > +
> > +B = "${S}"
> > +
> > +# fails with j > 1
> > +PARALLEL_MAKE = ""
> > +
> > +do_compile() {
> > +    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
>
> If not done statically as a patch, then should at least be done in
> do_configure() instead of do_compile()
>
>
> > +    # there's also a secure variable storage TA called authvars
> > +    cd ${S}/TAs/optee_ta
> > +    oe_runmake ftpm
> > +}
> > +
> > +do_install () {
> > +    mkdir -p ${D}/lib/optee_armtz
> > +    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
>
> /lib -> ${nonarch_base_libdir}
>
>
> > +}
> > +
> > +do_deploy () {
> > +    install -d ${DEPLOYDIR}/optee
> > +    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
> > +}
> > +
> > +addtask deploy before do_build after do_install
> > +
> > +FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta"
> > +
> > +# Imports machine specific configs from staging to build
> > +PACKAGE_ARCH = "${MACHINE_ARCH}"
> > +INSANE_SKIP:${PN} += "ldflags"
> > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> > new file mode 100644
> > index 0000000..910603e
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> > @@ -0,0 +1,5 @@
> > +DEPENDS:append = "optee-ftpm"
> > +inherit deploy
>
> Again, this is redundant, as optee-os already inherits deploy.
>
>
> > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> > +EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
>
> Needs a leading whitespace, as :append won't insert it, hence it will
> concatenate it to the existing value of EXTRA_OEMAKE.
>
> And I do believe there's a confusion about how bbappends work in OE - it is
> not optional, even when it's in a different directory. This bbappend will
> unconditionally modify the main optee-os recipe, which is also in the same
> layer. So, if it is meant to unconditionally modify optee-os, then these
> changes should go directly into optee-os recipe, instead of a bbappend. And
> if this is meant to be an optional extension to optee-os, then it cannot be
> done as bbappend either.
>

I think that it's better to enable a condition for it and make fTPM
optional. Some systems might have a hardware TPM device
and don't need a software one emulated in the secure OS. It looks like
MACHINE_FEATURES is a good place for it. Something like:

optee-os.bb:
FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"

DEPENDS:append = "\
                  ${@bb.utils.contains('MACHINE_FEATURES', \
                 'optee-ftpm', \
                 'optee-ftpm', \
                 '' , \
                 d)}"

EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', \
                      'optee-ftpm', \
                      'CFG_EARLY_TA=y
EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"',
\
                      '', \
                      d)} "

./meta-arm/conf/machine/qemuarm64-secureboot.conf
MACHINE_FEATURES += "optee-ftpm"

Does that look good?


I also did grep for other MACHINE_FEATURES in meta-arm and looks like
they are not used anymore and config files can be
cleaned up:
fgrep -r FEATURE ./meta-* |grep optee
./meta-arm-bsp/conf/machine/fvp-common.inc:MACHINE_FEATURES = "optee"
./meta-arm-bsp/conf/machine/juno.conf:MACHINE_FEATURES = "usbhost
usbgadget alsa screen wifi bluetooth optee pci"
./meta-gem5/conf/machine/gem5-arm64.conf:MACHINE_FEATURES = "optee pci"

BR,
Maxim.

> --
> Regards,
> Denys Dmytriyenko <denis@denix.org>
> PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
> Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964
>
>



* Re: [meta-arm] [PATCHv2 2/3] add optee-ftpm
       [not found]     ` <16B6C33755E65ACE.32262@lists.yoctoproject.org>
@ 2021-11-12 11:15       ` Maxim Uvarov
  0 siblings, 0 replies; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-12 11:15 UTC (permalink / raw)
  To: maxim.uvarov; +Cc: Denys Dmytriyenko, meta-arm, Jon.Mason, Ross.Burton

On Fri, 12 Nov 2021 at 12:42, Maxim Uvarov via lists.yoctoproject.org
<maxim.uvarov=linaro.org@lists.yoctoproject.org> wrote:
>
> On Thu, 11 Nov 2021 at 22:13, Denys Dmytriyenko <denis@denix.org> wrote:
> >
> > On Thu, Nov 11, 2021 at 04:16:14PM +0300, Maxim Uvarov wrote:
> > > Add software TPM emulated in the OPTEE-OS.
> > >
> > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > ---
> > >  .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 20 ++++++
> > >  .../0002-add-enum-to-ta-flags.patch           | 30 ++++++++
> > >  .../optee-ftpm/optee-ftpm_git.bb              | 71 +++++++++++++++++++
> > >  .../optee-ftpm/optee-os_%.bbappend            |  5 ++
> > >  4 files changed, 126 insertions(+)
> > >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > >  create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> > >
> > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > > new file mode 100644
> > > index 0000000..08acde2
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > > @@ -0,0 +1,20 @@
> > > +fix gcc compilation
> > > +
> > > +just fix compilation under gcc.
> > > +Upstream-Status: Submitted [https://github.com/wolfSSL/wolfssl/pull/4563]
> > > +
> > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > +
> > > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
> > > +index 7b3a953aebda..e156ae5c7909 100755
> > > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
> > > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
> > > +@@ -181,7 +181,7 @@
> > > +     /* GCC 7 has new switch() fall-through detection */
> > > +     #if defined(__GNUC__)
> > > +         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
> > > +-            #define FALL_THROUGH __attribute__ ((fallthrough));
> > > ++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
> > > +         #endif
> > > +     #endif
> > > +     #ifndef FALL_THROUGH
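Review bot: The `diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h` header of this embedded patch names a different path from its `--- a/external/wolfssl/wolfssl/wolfcrypt/types.h` and `+++ b/external/wolfssl/wolfssl/wolfcrypt/types.h` lines, so the header looks hand-edited. Plain `patch` goes by the `---`/`+++` names, but stricter appliers such as `git apply` can reject a git-style diff whose names disagree. Regenerating the patch from the MSRSec top level would make the header read `diff --git a/external/wolfssl/wolfssl/wolfcrypt/types.h b/external/wolfssl/wolfssl/wolfcrypt/types.h`. The description "just fix compilation under gcc" also does not name the error being fixed, which a later maintainer needs in order to drop the patch once the wolfSSL pull request lands.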
> > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > > new file mode 100644
> > > index 0000000..bbc1107
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > > @@ -0,0 +1,30 @@
> > > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
> > > +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > +Date: Fri, 17 Apr 2020 12:05:53 +0100
> > > +Subject: [PATCH 2/2] add enum to ta flags
> > > +
> > > +If we compile this TA into OPTEE-OS we need to define a flag
> > > +that this TA can be discovered on the optee bus.
> > > +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
> > > +
> > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > +---
> > > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > > +index 6ff62d1..685b54a 100644
> > > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > > +@@ -44,7 +44,7 @@
> > > +
> > > + #define TA_UUID                     TA_FTPM_UUID
> > > +
> > > +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
> > > ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> > > + #define TA_STACK_SIZE               (64 * 1024)
> > > + #define TA_DATA_SIZE                (64 * 1024)
> > > +
> > > +--
> > > +2.17.1
> > > +
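Review bot: The patch description does not say why `TA_FLAG_DEVICE_ENUM_SUPP` is used rather than `TA_FLAG_DEVICE_ENUM`, and that choice decides when the fTPM becomes visible to Linux. The `_SUPP` variant defers enumeration until tee-supplicant is running, which matches the recipe's own comment that the TA's secure storage goes through the supplicant. I would add to the description something like `The fTPM needs tee-supplicant for secure storage, so it is enumerated only after the supplicant starts and is not available to early-boot users of the TPM.` Anyone planning to use this TPM for measurements taken early in boot needs that stated up front.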
> > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > > new file mode 100644
> > > index 0000000..a6244b2
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > > @@ -0,0 +1,71 @@
> > > +SUMMARY = "OPTEE fTPM Microsoft TA"
> > > +DESCRIPTION = "OPTEE fTPM"
> >
> > There's no need in DESCRIPTION here, as it's meant to expand on the short
> > SUMMARY and provide a more detailed description of the package, which it
> > clearly doesn't here.
> >
> >
> > > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> > > +
> > > +inherit autotools-brokensep deploy pkgconfig gettext python3native
> > > +
> > > +LICENSE = "MIT"
> > > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
> > > +
> > > +DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
> > > +DEPENDS += " optee-os-tadevkit"
> > > +
> > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> > > +
> > > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
> > > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
> > > +# The TEE supplicant is also needed to provide access to secure storage.
> > > +# Secure storage access required by OP-TEE fTPM TA
> > > +# is provided via OP-TEE supplicant that's not available during boot.
> > > +# Fix this once we replace this with the MS implementation
> > > +SRC_URI = "gitsm://github.com/microsoft/MSRSec;protocol=https;branch=master"
> > > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
> > > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
> > > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
> > > +
> > > +S = "${WORKDIR}/git"
> > > +
> > > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
> > > +
> > > +EXTRA_OEMAKE += '\
> > > +    CFG_FTPM_USE_WOLF=y \
> > > +    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> > > +    TA_CROSS_COMPILE=${TARGET_PREFIX} \
> > > +    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
> > > +'
> > > +
> > > +EXTRA_OEMAKE:append:aarch64:qemuall = "\
> >
> > Is it aarch64 or qemuall?
> >
> >
> > > +    CFG_ARM64_ta_arm64=y \
> > > +"
> > > +
> > > +B = "${S}"
> > > +
> > > +# fails with j > 1
> > > +PARALLEL_MAKE = ""
> > > +
> > > +do_compile() {
> > > +    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
> >
> > If not done statically as a patch, then should at least be done in
> > do_configure() instead of do_compile()
> >
> >
> > > +    # there's also a secure variable storage TA called authvars
> > > +    cd ${S}/TAs/optee_ta
> > > +    oe_runmake ftpm
> > > +}
> > > +
> > > +do_install () {
> > > +    mkdir -p ${D}/lib/optee_armtz
> > > +    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
> >
> > /lib -> ${nonarch_base_libdir}
> >
> >
> > > +}
> > > +
> > > +do_deploy () {
> > > +    install -d ${DEPLOYDIR}/optee
> > > +    install -D -p -m 0644 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
> > > +}
> > > +
> > > +addtask deploy before do_build after do_install
> > > +
> > > +FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta"
> > > +
> > > +# Imports machine specific configs from staging to build
> > > +PACKAGE_ARCH = "${MACHINE_ARCH}"
> > > +INSANE_SKIP:${PN} += "ldflags"
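Review bot: Nothing in `EXTRA_OEMAKE` selects a signing key, so as far as this hunk shows the `${FTPM_UUID}.ta` installed by `do_install` is signed with whatever default key the TA devkit carries. In OP-TEE that default (`TA_SIGN_KEY`, pointing at the devkit's `keys/default_ta.pem`) is a published development key, which is acceptable for the qemu targets but should not reach a product image, least of all for a TA that plays the role of a TPM. I would document this above `EXTRA_OEMAKE`, for example `# Signed with the devkit default key unless TA_SIGN_KEY is set; development use only`, and leave a hook for passing a key in. The copy embedded as an early TA comes from the `.stripped.elf` and is presumably covered by whatever verifies the OP-TEE image itself, so this concerns the file under `optee_armtz`.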
> > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> > > new file mode 100644
> > > index 0000000..910603e
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/optee-ftpm/optee-os_%.bbappend
> > > @@ -0,0 +1,5 @@
> > > +DEPENDS:append = "optee-ftpm"
> > > +inherit deploy
> >
> > Again, this is redundant, as optee-os already inherits deploy.
> >
> >
> > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> > > +EXTRA_OEMAKE:append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
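Review bot: `EARLY_TA_PATHS` reads `${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf`, but `DEPENDS` only orders optee-os after optee-ftpm's `do_populate_sysroot`, not after its `do_deploy`. The optee-os build can therefore start before the ELF has been deployed, or pick up an ELF left in the deploy directory by an earlier build and embed that into the TEE image. An explicit task dependency closes the gap: `do_compile[depends] += "optee-ftpm:do_deploy"`.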
> >
> > Needs a leading whitespace, as :append won't insert it, hence it will
> > concatenate it to the existing value of EXTRA_OEMAKE.
> >
> > And I do believe there's a confusion about how bbappends work in OE - it is
> > not optional, even when it's in a different directory. This bbappend will
> > unconditionally modify the main optee-os recipe, which is also in the same
> > layer. So, if it is meant to unconditionally modify optee-os, then these
> > changes should go directly into optee-os recipe, instead of a bbappend. And
> > if this is meant to be an optional extension to optee-os, then it cannot be
> > done as bbappend either.
> >
>
> I think that it's better to enable a condition for it and make fTPM
> optional. Some systems might have hardware TPM device
> and don't need software emulated in secure os.It looks like
> MACHINE_FEATURES is a good place for it. Something like:
>
> optee-os.bb:
> FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
>
> DEPENDS:append = "\
>                   ${@bb.utils.contains('MACHINE_FEATURES', \
>                  'optee-ftpm', \
>                  'optee-ftpm', \
>                  '' , \
>                  d)}"
>
> EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', \
>                       'optee-ftpm', \
>                       'CFG_EARLY_TA=y
> EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"',
> \
>                       '', \
>                       d)} "
>
> ./meta-arm/conf/machine/qemuarm64-secureboot.conf
> MACHINE_FEATURES += "optee-ftpm"
>
> Does that look good?
>
>
> I also did grep for other MACHINE_FEATURES in meta-arm and looks like
> they are not used anymore and config files can be
> cleaned up:
> fgrep -r FEATURE ./meta-* |grep optee
> ./meta-arm-bsp/conf/machine/fvp-common.inc:MACHINE_FEATURES = "optee"
> ./meta-arm-bsp/conf/machine/juno.conf:MACHINE_FEATURES = "usbhost
> usbgadget alsa screen wifi bluetooth optee pci"
> ./meta-gem5/conf/machine/gem5-arm64.conf:MACHINE_FEATURES = "optee pci"
>
> BR,
> Maxim.
>

Also, because optee-os-tadevkit_3.14.0.bb does:
require optee-os_3.14.0.bb

I cannot move DEPENDS += optee-ftpm into optee-os_3.14.0.bb; it
would cause a circular dependency.
But a separate .bbappend that enables this TA, conditioned on
MACHINE_FEATURES, works well.

Maxim.

> > --
> > Regards,
> > Denys Dmytriyenko <denis@denix.org>
> > PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
> > Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964
> >
> >
> >
>
>



* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs
  2021-11-11 13:16 [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Maxim Uvarov
  2021-11-11 13:16 ` [PATCHv2 2/3] add optee-ftpm Maxim Uvarov
  2021-11-11 13:16 ` [PATCHv2 3/3] ci/qemuarm64-secureboot.yml: add optee and tf-a Maxim Uvarov
@ 2021-11-15  3:52 ` Jon Mason
  2021-11-15  6:28   ` Maxim Uvarov
  2 siblings, 1 reply; 10+ messages in thread
From: Jon Mason @ 2021-11-15  3:52 UTC (permalink / raw)
  To: Maxim Uvarov; +Cc: meta-arm, jon.mason, ross.burton

On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote:
>
> Separate recipe for TA devkit is needed to solve
> circular dependency to build TAs withthe devkit
> and integrate it inside optee-os.
>
> Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>

On this series, I'm seeing:
ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but
/builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
DEPENDS on or otherwise requires it)
optee-os-tadevkit was skipped: incompatible with machine tc0 (not in
COMPATIBLE_MACHINE)
https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692

Issue on tc0, tc1, and corstone1000 (and check-patch)

I'm also seeing:
ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but
/builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb
DEPENDS on or otherwise requires it)
https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682

Issue on qemuarm64-secureboot

Thanks,
Jon






> ---
>  .../recipes-security/optee/optee-examples.inc |  2 +-
>  .../optee/optee-os-tadevkit_3.14.0.bb         | 20 +++++++++++++++++++
>  meta-arm/recipes-security/optee/optee-os.inc  |  7 -------
>  3 files changed, 21 insertions(+), 8 deletions(-)
>  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
>
> diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
> index 921fa18..656722e 100644
> --- a/meta-arm/recipes-security/optee/optee-examples.inc
> +++ b/meta-arm/recipes-security/optee/optee-examples.inc
> @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
>  LICENSE = "BSD-2-Clause"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
>
> -DEPENDS = "optee-client optee-os python3-pycryptodome-native"
> +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native"
>
>  inherit python3native
>
> diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> new file mode 100644
> index 0000000..0d37a52
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> @@ -0,0 +1,20 @@
> +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
> +require optee-os_3.14.0.bb
> +
> +SUMMARY = "OP-TEE Trusted OS TA devkit"
> +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> +HOMEPAGE = "https://www.op-tee.org/"
> +
> +do_install() {
> +    #install TA devkit
> +    install -d ${D}${includedir}/optee/export-user_ta/
> +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> +    done
> +}
> +
> +do_deploy() {
> +       echo "Do not inherit do_deploy from optee-os."
> +}
> +
> +FILES:${PN} = "${includedir}/optee/"
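Review bot: `cp -aR $f …` in the new `do_install` preserves the ownership of the files in `${B}`, which is the pattern the Yocto documentation warns about because build-host UIDs can leak into the package (the host-user-contaminated QA check). `cp -R --no-preserve=ownership "$f" ${D}${includedir}/optee/export-user_ta/` avoids that and also quotes `$f`. The loop was moved unchanged from optee-os.inc, and the same applies to the other quoted copies of this hunk further down the thread.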
> diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> index 277646e..1506a58 100644
> --- a/meta-arm/recipes-security/optee/optee-os.inc
> +++ b/meta-arm/recipes-security/optee/optee-os.inc
> @@ -46,12 +46,6 @@ do_install() {
>      #install core in firmware
>      install -d ${D}${nonarch_base_libdir}/firmware/
>      install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
> -
> -    #install TA devkit
> -    install -d ${D}${includedir}/optee/export-user_ta/
> -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> -    done
>  }
>
>  PACKAGE_ARCH = "${MACHINE_ARCH}"
> @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install
>  SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
>
>  FILES:${PN} = "${nonarch_base_libdir}/firmware/"
> -FILES:${PN}-dev = "${includedir}/optee/"
>
>  # note: "textrel" is not triggered on all archs
>  INSANE_SKIP:${PN} = "textrel"
> --
> 2.17.1
>
>
>



* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs
  2021-11-15  3:52 ` [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs Jon Mason
@ 2021-11-15  6:28   ` Maxim Uvarov
  2021-11-15 16:32     ` Denys Dmytriyenko
  0 siblings, 1 reply; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-15  6:28 UTC (permalink / raw)
  To: Jon Mason; +Cc: meta-arm, Jon.Mason, Ross.Burton

On Mon, 15 Nov 2021 at 06:52, Jon Mason <jdmason@kudzu.us> wrote:
>
> On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote:
> >
> > Separate recipe for TA devkit is needed to solve
> > circular dependency to build TAs withthe devkit
> > and integrate it inside optee-os.
> >
> > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
>
> On this series, I'm seeing:
> ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but
> /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> DEPENDS on or otherwise requires it)
> optee-os-tadevkit was skipped: incompatible with machine tc0 (not in
> COMPATIBLE_MACHINE)
> https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692
>
> Issue on tc0, tc1, and corstone1000 (and check-patch)
>

This should be fixed in v3 with adding conditions.

> I'm also seeing:
> ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but
> /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb
> DEPENDS on or otherwise requires it)
> https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682
>
> Issue on qemuarm64-secureboot
>

That is interesting. I also built a qemuarm64-secureboot. Might be
some changes in the current master for that.

> Thanks,
> Jon
>
>
>
>
>
>
> > ---
> >  .../recipes-security/optee/optee-examples.inc |  2 +-
> >  .../optee/optee-os-tadevkit_3.14.0.bb         | 20 +++++++++++++++++++
> >  meta-arm/recipes-security/optee/optee-os.inc  |  7 -------
> >  3 files changed, 21 insertions(+), 8 deletions(-)
> >  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> >
> > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
> > index 921fa18..656722e 100644
> > --- a/meta-arm/recipes-security/optee/optee-examples.inc
> > +++ b/meta-arm/recipes-security/optee/optee-examples.inc
> > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
> >  LICENSE = "BSD-2-Clause"
> >  LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
> >
> > -DEPENDS = "optee-client optee-os python3-pycryptodome-native"
> > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native"
> >
> >  inherit python3native
> >
> > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > new file mode 100644
> > index 0000000..0d37a52
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > @@ -0,0 +1,20 @@
> > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
> > +require optee-os_3.14.0.bb
> > +
> > +SUMMARY = "OP-TEE Trusted OS TA devkit"
> > +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> > +HOMEPAGE = "https://www.op-tee.org/"
> > +
> > +do_install() {
> > +    #install TA devkit
> > +    install -d ${D}${includedir}/optee/export-user_ta/
> > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > +    done
> > +}
> > +
> > +do_deploy() {
> > +       echo "Do not inherit do_deploy from optee-os."
> > +}
> > +
> > +FILES:${PN} = "${includedir}/optee/"
> > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> > index 277646e..1506a58 100644
> > --- a/meta-arm/recipes-security/optee/optee-os.inc
> > +++ b/meta-arm/recipes-security/optee/optee-os.inc
> > @@ -46,12 +46,6 @@ do_install() {
> >      #install core in firmware
> >      install -d ${D}${nonarch_base_libdir}/firmware/
> >      install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
> > -
> > -    #install TA devkit
> > -    install -d ${D}${includedir}/optee/export-user_ta/
> > -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > -    done
> >  }
> >
> >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> > @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install
> >  SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> >
> >  FILES:${PN} = "${nonarch_base_libdir}/firmware/"
> > -FILES:${PN}-dev = "${includedir}/optee/"
> >
> >  # note: "textrel" is not triggered on all archs
> >  INSANE_SKIP:${PN} = "textrel"
> > --
> > 2.17.1
> >
> >
> >



* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs
  2021-11-15  6:28   ` Maxim Uvarov
@ 2021-11-15 16:32     ` Denys Dmytriyenko
  2021-11-16  9:39       ` Maxim Uvarov
  0 siblings, 1 reply; 10+ messages in thread
From: Denys Dmytriyenko @ 2021-11-15 16:32 UTC (permalink / raw)
  To: Maxim Uvarov; +Cc: Jon Mason, meta-arm, Jon.Mason, Ross.Burton

On Mon, Nov 15, 2021 at 09:28:08AM +0300, Maxim Uvarov wrote:
> On Mon, 15 Nov 2021 at 06:52, Jon Mason <jdmason@kudzu.us> wrote:
> >
> > On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote:
> > >
> > > Separate recipe for TA devkit is needed to solve
> > > circular dependency to build TAs withthe devkit
> > > and integrate it inside optee-os.
> > >
> > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> >
> > On this series, I'm seeing:
> > ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but
> > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > DEPENDS on or otherwise requires it)
> > optee-os-tadevkit was skipped: incompatible with machine tc0 (not in
> > COMPATIBLE_MACHINE)
> > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692
> >
> > Issue on tc0, tc1, and corstone1000 (and check-patch)
> >
> 
> This should be fixed in v3 with adding conditions.
> 
> > I'm also seeing:
> > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but
> > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb
> > DEPENDS on or otherwise requires it)
> > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682
> >
> > Issue on qemuarm64-secureboot
> >
> 
> That is interesting. I also built a qemuarm64-secureboot. Might be
> some changes in the current master for that.

That is due to a missing space in bbappend:
+DEPENDS:append = "optee-ftpm"

Resulting in optee-ftpm being concatenated to compiler-rt in DEPENDS:
> ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but

Similar to the one I reported about EXTRA_OEMAKE in the same bbappend...

-- 
Denys


> > Thanks,
> > Jon
> >
> >
> >
> >
> >
> >
> > > ---
> > >  .../recipes-security/optee/optee-examples.inc |  2 +-
> > >  .../optee/optee-os-tadevkit_3.14.0.bb         | 20 +++++++++++++++++++
> > >  meta-arm/recipes-security/optee/optee-os.inc  |  7 -------
> > >  3 files changed, 21 insertions(+), 8 deletions(-)
> > >  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > >
> > > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
> > > index 921fa18..656722e 100644
> > > --- a/meta-arm/recipes-security/optee/optee-examples.inc
> > > +++ b/meta-arm/recipes-security/optee/optee-examples.inc
> > > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
> > >  LICENSE = "BSD-2-Clause"
> > >  LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
> > >
> > > -DEPENDS = "optee-client optee-os python3-pycryptodome-native"
> > > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native"
> > >
> > >  inherit python3native
> > >
> > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > > new file mode 100644
> > > index 0000000..0d37a52
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > > @@ -0,0 +1,20 @@
> > > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
> > > +require optee-os_3.14.0.bb
> > > +
> > > +SUMMARY = "OP-TEE Trusted OS TA devkit"
> > > +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> > > +HOMEPAGE = "https://www.op-tee.org/"
> > > +
> > > +do_install() {
> > > +    #install TA devkit
> > > +    install -d ${D}${includedir}/optee/export-user_ta/
> > > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > +    done
> > > +}
> > > +
> > > +do_deploy() {
> > > +       echo "Do not inherit do_deploy from optee-os."
> > > +}
> > > +
> > > +FILES:${PN} = "${includedir}/optee/"
> > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> > > index 277646e..1506a58 100644
> > > --- a/meta-arm/recipes-security/optee/optee-os.inc
> > > +++ b/meta-arm/recipes-security/optee/optee-os.inc
> > > @@ -46,12 +46,6 @@ do_install() {
> > >      #install core in firmware
> > >      install -d ${D}${nonarch_base_libdir}/firmware/
> > >      install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
> > > -
> > > -    #install TA devkit
> > > -    install -d ${D}${includedir}/optee/export-user_ta/
> > > -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > -    done
> > >  }
> > >
> > >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> > > @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install
> > >  SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> > >
> > >  FILES:${PN} = "${nonarch_base_libdir}/firmware/"
> > > -FILES:${PN}-dev = "${includedir}/optee/"
> > >
> > >  # note: "textrel" is not triggered on all archs
> > >  INSANE_SKIP:${PN} = "textrel"
> > > --
> > > 2.17.1
> > >
> > >
> > > 
> > >



* Re: [meta-arm] [PATCHv2 1/3] optee: updae optee-os.inc to support external TAs
  2021-11-15 16:32     ` Denys Dmytriyenko
@ 2021-11-16  9:39       ` Maxim Uvarov
  0 siblings, 0 replies; 10+ messages in thread
From: Maxim Uvarov @ 2021-11-16  9:39 UTC (permalink / raw)
  To: Denys Dmytriyenko; +Cc: Jon Mason, meta-arm, Jon.Mason, Ross.Burton

On Mon, 15 Nov 2021 at 19:32, Denys Dmytriyenko <denis@denix.org> wrote:
>
> On Mon, Nov 15, 2021 at 09:28:08AM +0300, Maxim Uvarov wrote:
> > On Mon, 15 Nov 2021 at 06:52, Jon Mason <jdmason@kudzu.us> wrote:
> > >
> > > On Thu, Nov 11, 2021 at 8:16 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote:
> > > >
> > > > Separate recipe for TA devkit is needed to solve
> > > > circular dependency to build TAs with the devkit
> > > > and integrate it inside optee-os.
> > > >
> > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > >
> > > On this series, I'm seeing:
> > > ERROR: Nothing PROVIDES 'optee-os-tadevkit' (but
> > > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
> > > DEPENDS on or otherwise requires it)
> > > optee-os-tadevkit was skipped: incompatible with machine tc0 (not in
> > > COMPATIBLE_MACHINE)
> > > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328692
> > >
> > > Issue on tc0, tc1, and corstone1000 (and check-patch)
> > >
> >
> > This should be fixed in v3 with adding conditions.
> >
> > > I'm also seeing:
> > > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but
> > > /builds/jonmason00/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb
> > > DEPENDS on or otherwise requires it)
> > > https://gitlab.com/jonmason00/meta-arm/-/jobs/1779328682
> > >
> > > Issue on qemuarm64-secureboot
> > >
> >
> > That is interesting. I also built a qemuarm64-secureboot. Might be
> > some changes in the current master for that.
>
> That is due to a missing space in bbappend:
> +DEPENDS:append = "optee-ftpm"
>
> Resulting in optee-ftpm being concatenated to compiler-rt in DEPENDS:
> > ERROR: Nothing PROVIDES 'compiler-rtoptee-ftpm' (but
>
> Similar to the one I reported about EXTRA_OEMAKE in the same bbappend...
>

I think that should be solved now in v3. qemuarm64_secure and t1000
build fine for me.

Maxim.

> --
> Denys
>
>
> > > Thanks,
> > > Jon
> > >
> > >
> > >
> > >
> > >
> > >
> > > > ---
> > > >  .../recipes-security/optee/optee-examples.inc |  2 +-
> > > >  .../optee/optee-os-tadevkit_3.14.0.bb         | 20 +++++++++++++++++++
> > > >  meta-arm/recipes-security/optee/optee-os.inc  |  7 -------
> > > >  3 files changed, 21 insertions(+), 8 deletions(-)
> > > >  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > > >
> > > > diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
> > > > index 921fa18..656722e 100644
> > > > --- a/meta-arm/recipes-security/optee/optee-examples.inc
> > > > +++ b/meta-arm/recipes-security/optee/optee-examples.inc
> > > > @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
> > > >  LICENSE = "BSD-2-Clause"
> > > >  LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
> > > >
> > > > -DEPENDS = "optee-client optee-os python3-pycryptodome-native"
> > > > +DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native"
> > > >
> > > >  inherit python3native
> > > >
> > > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > > > new file mode 100644
> > > > index 0000000..0d37a52
> > > > --- /dev/null
> > > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
> > > > @@ -0,0 +1,20 @@
> > > > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
> > > > +require optee-os_3.14.0.bb
> > > > +
> > > > +SUMMARY = "OP-TEE Trusted OS TA devkit"
> > > > +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> > > > +HOMEPAGE = "https://www.op-tee.org/"
> > > > +
> > > > +do_install() {
> > > > +    #install TA devkit
> > > > +    install -d ${D}${includedir}/optee/export-user_ta/
> > > > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > > +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > > +    done
> > > > +}
> > > > +
> > > > +do_deploy() {
> > > > +       echo "Do not inherit do_deploy from optee-os."
> > > > +}
> > > > +
> > > > +FILES:${PN} = "${includedir}/optee/"
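Review bot: In do_install, `cp -aR $f ${D}${includedir}/optee/export-user_ta/` preserves the build user's ownership on everything copied into ${D} and leaves `$f` unquoted, so host UIDs can end up in the package and in the sysroot that TA recipes later build against. OpenEmbedded recipes normally copy trees with `cp -R --no-dereference --preserve=mode,links`, and the loop can be dropped by copying `${B}/export-ta_${OPTEE_ARCH}/.` into the destination in one call. Separately, overriding do_deploy with an `echo` still schedules and runs the task; `do_deploy[noexec] = "1"` would state the intent directly, assuming nothing pulled in by the `require` consumes that task's output.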
> > > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> > > > index 277646e..1506a58 100644
> > > > --- a/meta-arm/recipes-security/optee/optee-os.inc
> > > > +++ b/meta-arm/recipes-security/optee/optee-os.inc
> > > > @@ -46,12 +46,6 @@ do_install() {
> > > >      #install core in firmware
> > > >      install -d ${D}${nonarch_base_libdir}/firmware/
> > > >      install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
> > > > -
> > > > -    #install TA devkit
> > > > -    install -d ${D}${includedir}/optee/export-user_ta/
> > > > -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > > -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > > -    done
> > > >  }
> > > >
> > > >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> > > > @@ -66,7 +60,6 @@ addtask deploy before do_build after do_install
> > > >  SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> > > >
> > > >  FILES:${PN} = "${nonarch_base_libdir}/firmware/"
> > > > -FILES:${PN}-dev = "${includedir}/optee/"
> > > >
> > > >  # note: "textrel" is not triggered on all archs
> > > >  INSANE_SKIP:${PN} = "textrel"
> > > > --
> > > > 2.17.1
> > > >
> > > >
> > > >
> > > >

