* [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
@ 2022-10-19 9:21 sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 2/7] add recipe for for edk2 sven.schultschik
` (6 more replies)
0 siblings, 7 replies; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
The recipe provides the possibility to create optee-os binaries for use inside of an qemu secureboot setup with edk2, rpmb, u-boot and uefi
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
.../op-tee/optee-os-qemu-arm64_3.17.0.bb | 57 +++++++++++++++++++
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++
recipes-bsp/u-boot/u-boot-common.inc | 6 +-
3 files changed, 67 insertions(+), 3 deletions(-)
create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
new file mode 100644
index 000000000..5e60041af
--- /dev/null
+++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
@@ -0,0 +1,57 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+HOMEPAGE = "https://github.com/OP-TEE/optee_os"
+MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
+LICENSE = "BSD-2-Clause"
+
+require recipes-bsp/optee-os/optee-os-custom.inc
+
+SRC_URI += " \
+ gitsm://github.com/OP-TEE/optee_os.git;branch=master;protocol=https;destsuffix=git;rev=${PV}"
+
+S = "${WORKDIR}/git"
+
+OPTEE_PLATFORM = "vexpress-qemu_armv8a"
+
+OPTEE_BINARIES = "tee-header_v2.bin \
+ tee-pager_v2.bin \
+ tee-pageable_v2.bin"
+
+DEPENDS = "edk2"
+DEBIAN_BUILD_DEPENDS += " ,\
+ debhelper(>= 11~), \
+ build-essential, \
+ cpio, \
+ python3-cryptography, \
+ python3-pycryptodome, \
+ python3-serial, \
+ device-tree-compiler, \
+ edk2, \
+ gcc-arm-linux-gnueabihf,"
+
+OPTEE_EXTRA_BUILDARGS = "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \
+ CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=1 \
+ CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
+ CFG_REE_FS=n\
+ CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1 CFG_SCTLR_ALIGNMENT_CHECK=n \
+ CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48"
+
+ISAR_CROSS_COMPILE = "0"
+
+dpkg_runbuild_prepend() {
+ # $(ARCH) is the CPU architecture to be built.
+ # Currently, the only supported value is arm for 32-bit or 64-bit Armv7-A or Armv8-A.
+ # Please note that contrary to the Linux kernel, $(ARCH) should not be set to arm64 for 64-bit builds.
+ export ARCH="arm"
+ export CROSS_COMPILE32=arm-linux-gnueabihf-
+ export CROSS_COMPILE64=aarch64-linux-gnu-
+}
\ No newline at end of file
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbfed..8e6428238 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
diff --git a/recipes-bsp/u-boot/u-boot-common.inc b/recipes-bsp/u-boot/u-boot-common.inc
index 60f0da361..7fe4d3fad 100644
--- a/recipes-bsp/u-boot/u-boot-common.inc
+++ b/recipes-bsp/u-boot/u-boot-common.inc
@@ -25,12 +25,12 @@ DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}"
DEBIAN_BUILD_DEPENDS_append_secureboot = ", \
openssl, pesign, secure-boot-secrets, python3-openssl:native"
-DEPENDS_append_secureboot = " secure-boot-secrets"
+DEPENDS_append_secureboot = " secure-boot-secrets optee-os-${MACHINE}"
TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl"
TEMPLATE_VARS_append_secureboot = " EFI_ARCH"
do_prepare_build_append_secureboot() {
sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
- cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
-}
+ cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
+}
\ No newline at end of file
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
@ 2022-10-19 9:21 ` sven.schultschik
2022-10-19 10:57 ` Jan Kiszka
2022-10-19 9:21 ` [isar-cip-core][PATCH 3/7] add recipe for trusted firmware a qemu arm64 sven.schultschik
` (5 subsequent siblings)
6 siblings, 1 reply; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as dependencie.
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
recipes-bsp/edk2/edk2_202205.bb | 34 ++++++++++++
recipes-bsp/edk2/files/debian/changelog.tmpl | 6 +++
recipes-bsp/edk2/files/debian/compat | 1 +
recipes-bsp/edk2/files/debian/control.tmpl | 14 +++++
recipes-bsp/edk2/files/debian/edk2.install | 2 +
recipes-bsp/edk2/files/debian/rules.tmpl | 55 ++++++++++++++++++++
6 files changed, 112 insertions(+)
create mode 100644 recipes-bsp/edk2/edk2_202205.bb
create mode 100644 recipes-bsp/edk2/files/debian/changelog.tmpl
create mode 100644 recipes-bsp/edk2/files/debian/compat
create mode 100644 recipes-bsp/edk2/files/debian/control.tmpl
create mode 100644 recipes-bsp/edk2/files/debian/edk2.install
create mode 100755 recipes-bsp/edk2/files/debian/rules.tmpl
diff --git a/recipes-bsp/edk2/edk2_202205.bb b/recipes-bsp/edk2/edk2_202205.bb
new file mode 100644
index 000000000..5a773bf77
--- /dev/null
+++ b/recipes-bsp/edk2/edk2_202205.bb
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+HOMEPAGE = "https://github.com/tianocore/edk2"
+MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
+LICENSE = "BSD-2-Clause-Patent"
+
+inherit dpkg
+
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuffix=git/edk2;rev=edk2-stable${PV} \
+ git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \
+ file://debian \
+ "
+S = "${WORKDIR}/git"
+
+BUILD_DEPENDS += ""
+
+TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl debian/rules.tmpl"
+TEMPLATE_VARS += "BUILD_DEPENDS S"
+
+ISAR_CROSS_COMPILE = "0"
+
+do_prepare_build() {
+ cp -R ${WORKDIR}/debian ${S}
+ deb_add_changelog
+}
\ No newline at end of file
diff --git a/recipes-bsp/edk2/files/debian/changelog.tmpl b/recipes-bsp/edk2/files/debian/changelog.tmpl
new file mode 100644
index 000000000..8d74dfe7a
--- /dev/null
+++ b/recipes-bsp/edk2/files/debian/changelog.tmpl
@@ -0,0 +1,6 @@
+${PN} (${PV}) unstable; urgency=medium
+
+ * EDK2
+
+ --
+
diff --git a/recipes-bsp/edk2/files/debian/compat b/recipes-bsp/edk2/files/debian/compat
new file mode 100644
index 000000000..f599e28b8
--- /dev/null
+++ b/recipes-bsp/edk2/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/recipes-bsp/edk2/files/debian/control.tmpl b/recipes-bsp/edk2/files/debian/control.tmpl
new file mode 100644
index 000000000..1f1bad7c8
--- /dev/null
+++ b/recipes-bsp/edk2/files/debian/control.tmpl
@@ -0,0 +1,14 @@
+Source: ${PN}
+Section: base
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${BUILD_DEPENDS}, python3, dh-python, uuid-dev
+Homepage: ${HOMEPAGE}
+Maintainer: ${MAINTAINER}
+
+Package: ${PN}
+Depends: ${shlibs:Depends}
+Section: base
+Architecture: ${DISTRO_ARCH}
+Priority: required
+Description: ${DESCRIPTION}
\ No newline at end of file
diff --git a/recipes-bsp/edk2/files/debian/edk2.install b/recipes-bsp/edk2/files/debian/edk2.install
new file mode 100644
index 000000000..e5cadccf3
--- /dev/null
+++ b/recipes-bsp/edk2/files/debian/edk2.install
@@ -0,0 +1,2 @@
+#! /usr/bin/dh-exec
+Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd /usr/lib/edk2
\ No newline at end of file
diff --git a/recipes-bsp/edk2/files/debian/rules.tmpl b/recipes-bsp/edk2/files/debian/rules.tmpl
new file mode 100755
index 000000000..11e4ae8cd
--- /dev/null
+++ b/recipes-bsp/edk2/files/debian/rules.tmpl
@@ -0,0 +1,55 @@
+#!/usr/bin/make -f
+#
+# Copyright (c) Siemens AG, 2022
+#
+# SPDX-License-Identifier: MIT
+
+export WORKSPACE=$(shell pwd)
+export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms
+export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc"
+
+# https://github.com/tianocore/edk2-platforms/blob/master/Readme.md#if-cross-compiling
+ifeq (arm64,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'AARCH64'
+else ifeq ((armhf,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'ARM'
+else ifeq ((amd64,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'X64'
+else ifeq ((i386,$(DEB_TARGET_ARCH))
+export TARGET_ARCH = 'IA32'
+else
+$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported)
+endif
+# When cross-compiling, or building with a different version of the compiler than
+# the default `gcc`, we additionally need to inform the
+# build command which toolchain to use. We do this by setting the environment
+# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above,
+# **GCC5_AARCH64_PREFIX**.
+# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
+export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)-
+
+
+export SHELL=/bin/bash
+
+# ENV Vars which should get set by edksetup.sh
+export PYTHON_COMMAND=python3
+export PYTHONHASHSEED=1
+export CONF_PATH=$(WORKSPACE)/edk2/Conf
+export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools
+export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+override_dh_auto_build:
+ source edk2/edksetup.sh --reconfig
+
+ make -C edk2/BaseTools
+
+ build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc)
+
+override_dh_auto_install:
+
+override_dh_auto_test:
+
+override_dh_strip:
+
+%:
+ dh $@ --with python3 --no-parallel
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [isar-cip-core][PATCH 3/7] add recipe for trusted firmware a qemu arm64
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 2/7] add recipe for for edk2 sven.schultschik
@ 2022-10-19 9:21 ` sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 4/7] add u-boot patch for qemu to support RPMB sven.schultschik
` (4 subsequent siblings)
6 siblings, 0 replies; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
provide a recipe to generate the needed binary to start a secure boot qemu with integrated optee and active RPMB replay protected memory emulation within u-boot
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
.../trusted-firmware-a-qemu-arm64_2.7.0.bb | 61 +++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
diff --git a/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
new file mode 100644
index 000000000..791089a21
--- /dev/null
+++ b/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb
@@ -0,0 +1,61 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Sven Schultschik <sven.schultschik@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+HOMEPAGE = "https://www.trustedfirmware.org/projects/tf-a/"
+MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
+LICENSE = "BSD-3-Clause"
+
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+
+SRC_URI += " \
+ git://review.trustedfirmware.org/TF-A/trusted-firmware-a;branch=master;protocol=https;destsuffix=git;rev=v${PV} "
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "optee-os-${MACHINE} u-boot-qemu-arm64"
+DEBIAN_BUILD_DEPENDS += " \
+ debhelper(>= 11~), \
+ optee-os-${MACHINE}, \
+ u-boot-qemu-arm64, \
+ libssl-dev, "
+
+TEEHEADER = "/usr/lib/optee-os/${MACHINE}/tee-header_v2.bin"
+TEEPAGER = "/usr/lib/optee-os/${MACHINE}/tee-pager_v2.bin"
+TEEPAGEABLE = "/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.bin"
+BL33 = "/usr/lib/u-boot/${MACHINE}/u-boot.bin"
+
+TF_A_EXTRA_BUILDARGS = "BL32=${TEEHEADER} \
+ BL32_EXTRA1=${TEEPAGER} \
+ BL32_EXTRA2=${TEEPAGEABLE} \
+ BL33=${BL33} \
+ BL32_RAM_LOCATION=tdram SPD=opteed ${DEBUG} all fip"
+
+TF_A_PLATFORM = "qemu"
+
+TF_A_BINARIES = "release/bl1.bin release/fip.bin"
+
+ISAR_CROSS_COMPILE = "0"
+
+do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
+do_deploy() {
+ dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
+ tar xOf - "./usr/lib/trusted-firmware-a/${MACHINE}/bl1.bin" \
+ > "${DEPLOY_DIR_IMAGE}/bl1.bin"
+
+ dpkg --fsys-tarfile "${WORKDIR}/trusted-firmware-a-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
+ tar xOf - "./usr/lib/trusted-firmware-a/${MACHINE}/fip.bin" \
+ > "${DEPLOY_DIR_IMAGE}/fip.bin"
+
+ dd if="${DEPLOY_DIR_IMAGE}/bl1.bin" of="${DEPLOY_DIR_IMAGE}/flash.bin" bs=4096 conv=notrunc
+ dd if="${DEPLOY_DIR_IMAGE}/fip.bin" of="${DEPLOY_DIR_IMAGE}/flash.bin" seek=64 bs=4096 conv=notrunc
+}
+
+addtask deploy after do_dpkg_build before do_deploy_deb
\ No newline at end of file
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [isar-cip-core][PATCH 4/7] add u-boot patch for qemu to support RPMB
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 2/7] add recipe for for edk2 sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 3/7] add recipe for trusted firmware a qemu arm64 sven.schultschik
@ 2022-10-19 9:21 ` sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 5/7] add kas files for building qemu secure boot images sven.schultschik
` (3 subsequent siblings)
6 siblings, 0 replies; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
Qemu itself is missing a implemented emulation of an RPBM (replay protected memory) which is part of an emmc. Therefore currently a u-boot patch, which adds a RPMB emulation, is needed which breaks the u-boot hardware support. The patch is only included into the qemu u-boot recipes and can be removed if there is an official qemu rpmb emulation, which currently does not have any ETA.
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++
recipes-bsp/u-boot/u-boot-qemu-common.inc | 3 +
2 files changed, 1378 insertions(+)
create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
diff --git a/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch b/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
new file mode 100644
index 000000000..26266b549
--- /dev/null
+++ b/recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch
@@ -0,0 +1,1375 @@
+From a4179f663673dbfa48f79761acc3ff781ee9b2b8 Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Date: Thu, 12 Nov 2020 09:44:54 +0200
+Subject: [PATCH] irpmb patch hack
+
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+---
+ arch/arm/include/asm/gpio.h | 3 +-
+ arch/arm/include/asm/ioctl.h | 1 +
+ configs/qemu_tfa_mm_defconfig | 53 ++++
+ drivers/tee/optee/Makefile | 1 +
+ drivers/tee/optee/hmac_sha2.c | 126 ++++++++
+ drivers/tee/optee/hmac_sha2.h | 74 +++++
+ drivers/tee/optee/rpmb.c | 27 +-
+ drivers/tee/optee/rpmb.h | 1 +
+ drivers/tee/optee/rpmb_emu.c | 563 ++++++++++++++++++++++++++++++++++
+ drivers/tee/optee/rpmb_emu.h | 141 +++++++++
+ drivers/tee/optee/sha2.c | 249 +++++++++++++++
+ drivers/tee/optee/sha2.h | 75 +++++
+ 12 files changed, 1292 insertions(+), 22 deletions(-)
+ create mode 100644 arch/arm/include/asm/ioctl.h
+ create mode 100644 configs/qemu_tfa_mm_defconfig
+ create mode 100644 drivers/tee/optee/hmac_sha2.c
+ create mode 100644 drivers/tee/optee/hmac_sha2.h
+ create mode 100644 drivers/tee/optee/rpmb.h
+ create mode 100644 drivers/tee/optee/rpmb_emu.c
+ create mode 100644 drivers/tee/optee/rpmb_emu.h
+ create mode 100644 drivers/tee/optee/sha2.c
+ create mode 100644 drivers/tee/optee/sha2.h
+
+diff --git a/arch/arm/include/asm/ioctl.h b/arch/arm/include/asm/ioctl.h
+new file mode 100644
+index 000000000000..b279fe06dfe5
+--- /dev/null
++++ b/arch/arm/include/asm/ioctl.h
+@@ -0,0 +1 @@
++#include <asm-generic/ioctl.h>
+diff --git a/drivers/tee/optee/Makefile b/drivers/tee/optee/Makefile
+index 928d3f80027f..28108536d231 100644
+--- a/drivers/tee/optee/Makefile
++++ b/drivers/tee/optee/Makefile
+@@ -3,3 +3,4 @@
+ obj-y += core.o
+ obj-y += supplicant.o
+ obj-$(CONFIG_SUPPORT_EMMC_RPMB) += rpmb.o
++obj-y += sha2.o hmac_sha2.o rpmb_emu.o rpmb.o
+diff --git a/drivers/tee/optee/hmac_sha2.c b/drivers/tee/optee/hmac_sha2.c
+new file mode 100644
+index 000000000000..61b24b128f1d
+--- /dev/null
++++ b/drivers/tee/optee/hmac_sha2.c
+@@ -0,0 +1,126 @@
++/*
++ * HMAC-SHA-224/256/384/512 implementation
++ * Last update: 06/15/2005
++ * Issue date: 06/15/2005
++ *
++ * Copyright (C) 2005 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <string.h>
++
++#include "hmac_sha2.h"
++
++/* HMAC-SHA-256 functions */
++
++void hmac_sha256_init(hmac_sha256_ctx *ctx, const unsigned char *key,
++ unsigned int key_size)
++{
++ unsigned int fill = 0;
++ unsigned int num = 0;
++ const unsigned char *key_used = NULL;
++ unsigned char key_temp[SHA256_DIGEST_SIZE] = { 0 };
++ int i = 0;
++
++ if (key_size == SHA256_BLOCK_SIZE) {
++ key_used = key;
++ num = SHA256_BLOCK_SIZE;
++ } else {
++ if (key_size > SHA256_BLOCK_SIZE){
++ num = SHA256_DIGEST_SIZE;
++ sha256(key, key_size, key_temp);
++ key_used = key_temp;
++ } else { /* key_size > SHA256_BLOCK_SIZE */
++ key_used = key;
++ num = key_size;
++ }
++ fill = SHA256_BLOCK_SIZE - num;
++
++ memset(ctx->block_ipad + num, 0x36, fill);
++ memset(ctx->block_opad + num, 0x5c, fill);
++ }
++
++ for (i = 0; i < (int) num; i++) {
++ ctx->block_ipad[i] = key_used[i] ^ 0x36;
++ ctx->block_opad[i] = key_used[i] ^ 0x5c;
++ }
++
++ sha256_init(&ctx->ctx_inside);
++ sha256_update_tee(&ctx->ctx_inside, ctx->block_ipad, SHA256_BLOCK_SIZE);
++
++ sha256_init(&ctx->ctx_outside);
++ sha256_update_tee(&ctx->ctx_outside, ctx->block_opad,
++ SHA256_BLOCK_SIZE);
++
++ /* for hmac_reinit */
++ memcpy(&ctx->ctx_inside_reinit, &ctx->ctx_inside,
++ sizeof(sha256_ctx));
++ memcpy(&ctx->ctx_outside_reinit, &ctx->ctx_outside,
++ sizeof(sha256_ctx));
++}
++
++void hmac_sha256_reinit(hmac_sha256_ctx *ctx)
++{
++ memcpy(&ctx->ctx_inside, &ctx->ctx_inside_reinit,
++ sizeof(sha256_ctx));
++ memcpy(&ctx->ctx_outside, &ctx->ctx_outside_reinit,
++ sizeof(sha256_ctx));
++}
++
++void hmac_sha256_update(hmac_sha256_ctx *ctx, const unsigned char *message,
++ unsigned int message_len)
++{
++ sha256_update_tee(&ctx->ctx_inside, message, message_len);
++}
++
++void hmac_sha256_final(hmac_sha256_ctx *ctx, unsigned char *mac,
++ unsigned int mac_size)
++{
++ unsigned char digest_inside[SHA256_DIGEST_SIZE] = { 0 };
++ unsigned char mac_temp[SHA256_DIGEST_SIZE] = { 0 };
++
++ sha256_final(&ctx->ctx_inside, digest_inside);
++ sha256_update_tee(&ctx->ctx_outside, digest_inside, SHA256_DIGEST_SIZE);
++ sha256_final(&ctx->ctx_outside, mac_temp);
++ memcpy(mac, mac_temp, mac_size);
++}
++
++void hmac_sha256(const unsigned char *key, unsigned int key_size,
++ const unsigned char *message, unsigned int message_len,
++ unsigned char *mac, unsigned mac_size)
++{
++ hmac_sha256_ctx ctx;
++
++ memset(&ctx, 0, sizeof(ctx));
++
++ hmac_sha256_init(&ctx, key, key_size);
++ hmac_sha256_update(&ctx, message, message_len);
++ hmac_sha256_final(&ctx, mac, mac_size);
++}
+diff --git a/drivers/tee/optee/hmac_sha2.h b/drivers/tee/optee/hmac_sha2.h
+new file mode 100644
+index 000000000000..1044524d75c5
+--- /dev/null
++++ b/drivers/tee/optee/hmac_sha2.h
+@@ -0,0 +1,74 @@
++/*
++ * HMAC-SHA-224/256/384/512 implementation
++ * Last update: 06/15/2005
++ * Issue date: 06/15/2005
++ *
++ * Copyright (C) 2005 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#ifndef HMAC_SHA2_H
++#define HMAC_SHA2_H
++
++#include "sha2.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++typedef struct {
++ sha256_ctx ctx_inside;
++ sha256_ctx ctx_outside;
++
++ /* for hmac_reinit */
++ sha256_ctx ctx_inside_reinit;
++ sha256_ctx ctx_outside_reinit;
++
++ unsigned char block_ipad[SHA256_BLOCK_SIZE];
++ unsigned char block_opad[SHA256_BLOCK_SIZE];
++} hmac_sha256_ctx;
++
++void hmac_sha256_init(hmac_sha256_ctx *ctx, const unsigned char *key,
++ unsigned int key_size);
++void hmac_sha256_reinit(hmac_sha256_ctx *ctx);
++void hmac_sha256_update(hmac_sha256_ctx *ctx, const unsigned char *message,
++ unsigned int message_len);
++void hmac_sha256_final(hmac_sha256_ctx *ctx, unsigned char *mac,
++ unsigned int mac_size);
++void hmac_sha256(const unsigned char *key, unsigned int key_size,
++ const unsigned char *message, unsigned int message_len,
++ unsigned char *mac, unsigned mac_size);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* !HMAC_SHA2_H */
++
+diff --git a/drivers/tee/optee/rpmb.c b/drivers/tee/optee/rpmb.c
+index 0804fc963cf5..275f2112f102 100644
+--- a/drivers/tee/optee/rpmb.c
++++ b/drivers/tee/optee/rpmb.c
+@@ -12,35 +12,15 @@
+
+ #include "optee_msg.h"
+ #include "optee_private.h"
++#include "rpmb_emu.h"
+
+ /*
+ * Request and response definitions must be in sync with the secure side of
+ * OP-TEE.
+ */
+
+-/* Request */
+-struct rpmb_req {
+- u16 cmd;
+-#define RPMB_CMD_DATA_REQ 0x00
+-#define RPMB_CMD_GET_DEV_INFO 0x01
+- u16 dev_id;
+- u16 block_count;
+- /* Optional data frames (rpmb_data_frame) follow */
+-};
+-
+ #define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
+
+-/* Response to device info request */
+-struct rpmb_dev_info {
+- u8 cid[16];
+- u8 rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */
+- u8 rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */
+- /* Count */
+- u8 ret_code;
+-#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00
+-#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01
+-};
+-
+ static void release_mmc(struct optee_private *priv)
+ {
+ int rc;
+@@ -175,8 +155,13 @@ void optee_suppl_cmd_rpmb(struct udevice *dev, struct optee_msg_arg *arg)
+ rsp_buf = (u8 *)rsp_shm->addr + arg->params[1].u.rmem.offs;
+ rsp_size = arg->params[1].u.rmem.size;
+
++#ifdef EMU
+ arg->ret = rpmb_process_request(dev_get_priv(dev), req_buf, req_size,
+ rsp_buf, rsp_size);
++#else
++ arg->ret = rpmb_process_request_emu(req_buf, req_size, rsp_buf,
++ rsp_size);
++#endif
+ }
+
+ void optee_suppl_rpmb_release(struct udevice *dev)
+diff --git a/drivers/tee/optee/rpmb.h b/drivers/tee/optee/rpmb.h
+new file mode 100644
+index 000000000000..8b137891791f
+--- /dev/null
++++ b/drivers/tee/optee/rpmb.h
+@@ -0,0 +1 @@
++
+diff --git a/drivers/tee/optee/rpmb_emu.c b/drivers/tee/optee/rpmb_emu.c
+new file mode 100644
+index 000000000000..629f36ee6b29
+--- /dev/null
++++ b/drivers/tee/optee/rpmb_emu.c
+@@ -0,0 +1,563 @@
++// SPDX-License-Identifier: BSD-2-Clause
++/*
++ * Copyright (c) 2020 Linaro Limited
++ */
++
++#include <common.h>
++#include <dm.h>
++#include <hexdump.h>
++#include <log.h>
++#include <tee.h>
++#include <mmc.h>
++#include <dm/device_compat.h>
++
++#include "optee_msg.h"
++#include "optee_private.h"
++#include "sha2.h"
++#include "hmac_sha2.h"
++#include "rpmb_emu.h"
++
++static struct rpmb_emu rpmb_emu = {
++ .size = EMU_RPMB_SIZE_BYTES
++};
++
++static struct rpmb_emu *mem_for_fd(int fd)
++{
++ static int sfd = -1;
++
++ if (sfd == -1)
++ sfd = fd;
++ if (sfd != fd) {
++ printf("Emulating more than 1 RPMB partition is not supported\n");
++ return NULL;
++ }
++
++ return &rpmb_emu;
++}
++
++#if (DEBUGLEVEL >= TRACE_FLOW)
++static void dump_blocks(size_t startblk, size_t numblk, uint8_t *ptr,
++ bool to_mmc)
++{
++ char msg[100] = { 0 };
++ size_t i = 0;
++
++ for (i = 0; i < numblk; i++) {
++ snprintf(msg, sizeof(msg), "%s MMC block %zu",
++ to_mmc ? "Write" : "Read", startblk + i);
++ //print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, 256);
++ ptr += 256;
++ }
++}
++#else
++static void dump_blocks(size_t startblk, size_t numblk, uint8_t *ptr,
++ bool to_mmc)
++{
++ (void)startblk;
++ (void)numblk;
++ (void)ptr;
++ (void)to_mmc;
++}
++#endif
++
++#define CUC(x) ((const unsigned char *)(x))
++static void hmac_update_frm(hmac_sha256_ctx *ctx, struct rpmb_data_frame *frm)
++{
++ hmac_sha256_update(ctx, CUC(frm->data), 256);
++ hmac_sha256_update(ctx, CUC(frm->nonce), 16);
++ hmac_sha256_update(ctx, CUC(&frm->write_counter), 4);
++ hmac_sha256_update(ctx, CUC(&frm->address), 2);
++ hmac_sha256_update(ctx, CUC(&frm->block_count), 2);
++ hmac_sha256_update(ctx, CUC(&frm->op_result), 2);
++ hmac_sha256_update(ctx, CUC(&frm->msg_type), 2);
++}
++
++static bool is_hmac_valid(struct rpmb_emu *mem, struct rpmb_data_frame *frm,
++ size_t nfrm)
++{
++ uint8_t mac[32] = { 0 };
++ size_t i = 0;
++ hmac_sha256_ctx ctx;
++
++ memset(&ctx, 0, sizeof(ctx));
++
++ if (!mem->key_set) {
++ printf("Cannot check MAC (key not set)\n");
++ return false;
++ }
++
++ hmac_sha256_init(&ctx, mem->key, sizeof(mem->key));
++ for (i = 0; i < nfrm; i++, frm++)
++ hmac_update_frm(&ctx, frm);
++ frm--;
++ hmac_sha256_final(&ctx, mac, 32);
++
++ if (memcmp(mac, frm->key_mac, 32)) {
++ printf("Invalid MAC\n");
++ return false;
++ }
++ return true;
++}
++
++static uint16_t gen_msb1st_result(uint8_t byte)
++{
++ return (uint16_t)byte << 8;
++}
++
++static uint16_t compute_hmac(struct rpmb_emu *mem, struct rpmb_data_frame *frm,
++ size_t nfrm)
++{
++ size_t i = 0;
++ hmac_sha256_ctx ctx;
++
++ memset(&ctx, 0, sizeof(ctx));
++
++ if (!mem->key_set) {
++ printf("Cannot compute MAC (key not set)\n");
++ return gen_msb1st_result(RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED);
++ }
++
++ hmac_sha256_init(&ctx, mem->key, sizeof(mem->key));
++ for (i = 0; i < nfrm; i++, frm++)
++ hmac_update_frm(&ctx, frm);
++ frm--;
++ hmac_sha256_final(&ctx, frm->key_mac, 32);
++
++ return gen_msb1st_result(RPMB_RESULT_OK);
++}
++
++static uint16_t ioctl_emu_mem_transfer(struct rpmb_emu *mem,
++ struct rpmb_data_frame *frm,
++ size_t nfrm, int to_mmc)
++{
++ size_t start = mem->last_op.address * 256;
++ size_t size = nfrm * 256;
++ size_t i = 0;
++ uint8_t *memptr = NULL;
++
++ if (start > mem->size || start + size > mem->size) {
++ printf("Transfer bounds exceeed emulated memory\n");
++ return gen_msb1st_result(RPMB_RESULT_ADDRESS_FAILURE);
++ }
++ if (to_mmc && !is_hmac_valid(mem, frm, nfrm))
++ return gen_msb1st_result(RPMB_RESULT_AUTH_FAILURE);
++
++ //printf("Transferring %zu 256-byte data block%s %s MMC (block offset=%zu)",
++ //nfrm, (nfrm > 1) ? "s" : "", to_mmc ? "to" : "from", start / 256);
++ for (i = 0; i < nfrm; i++) {
++ memptr = mem->buf + start + i * 256;
++ if (to_mmc) {
++ memcpy(memptr, frm[i].data, 256);
++ mem->write_counter++;
++ frm[i].write_counter = htonl(mem->write_counter);
++ frm[i].msg_type =
++ htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE);
++ } else {
++ memcpy(frm[i].data, memptr, 256);
++ frm[i].msg_type =
++ htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_READ);
++ frm[i].address = htons(mem->last_op.address);
++ frm[i].block_count = nfrm;
++ memcpy(frm[i].nonce, mem->nonce, 16);
++ }
++ frm[i].op_result = gen_msb1st_result(RPMB_RESULT_OK);
++ }
++ dump_blocks(mem->last_op.address, nfrm, mem->buf + start, to_mmc);
++
++ if (!to_mmc)
++ compute_hmac(mem, frm, nfrm);
++
++ return gen_msb1st_result(RPMB_RESULT_OK);
++}
++
++static void ioctl_emu_get_write_result(struct rpmb_emu *mem,
++ struct rpmb_data_frame *frm)
++{
++ frm->msg_type = htons(RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE);
++ frm->op_result = mem->last_op.op_result;
++ frm->address = htons(mem->last_op.address);
++ frm->write_counter = htonl(mem->write_counter);
++ compute_hmac(mem, frm, 1);
++}
++
++static uint16_t ioctl_emu_setkey(struct rpmb_emu *mem,
++ struct rpmb_data_frame *frm)
++{
++ if (mem->key_set) {
++ printf("Key already set\n");
++ return gen_msb1st_result(RPMB_RESULT_GENERAL_FAILURE);
++ }
++ print_hex_dump_bytes("Setting Key:", DUMP_PREFIX_OFFSET, frm->key_mac,
++ 32);
++ memcpy(mem->key, frm->key_mac, 32);
++ mem->key_set = true;
++
++ return gen_msb1st_result(RPMB_RESULT_OK);
++}
++
++static void ioctl_emu_get_keyprog_result(struct rpmb_emu *mem,
++ struct rpmb_data_frame *frm)
++{
++ frm->msg_type =
++ htons(RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM);
++ frm->op_result = mem->last_op.op_result;
++}
++
++static void ioctl_emu_read_ctr(struct rpmb_emu *mem,
++ struct rpmb_data_frame *frm)
++{
++ printf("Reading counter\n");
++ frm->msg_type = htons(RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ);
++ frm->write_counter = htonl(mem->write_counter);
++ memcpy(frm->nonce, mem->nonce, 16);
++ frm->op_result = compute_hmac(mem, frm, 1);
++}
++
++static uint32_t read_cid(uint16_t dev_id, uint8_t *cid)
++{
++ /* Taken from an actual eMMC chip */
++ static const uint8_t test_cid[] = {
++ /* MID (Manufacturer ID): Micron */
++ 0xfe,
++ /* CBX (Device/BGA): BGA */
++ 0x01,
++ /* OID (OEM/Application ID) */
++ 0x4e,
++ /* PNM (Product name) "MMC04G" */
++ 0x4d, 0x4d, 0x43, 0x30, 0x34, 0x47,
++ /* PRV (Product revision): 4.2 */
++ 0x42,
++ /* PSN (Product serial number) */
++ 0xc8, 0xf6, 0x55, 0x2a,
++ /*
++ * MDT (Manufacturing date):
++ * June, 2014
++ */
++ 0x61,
++ /* (CRC7 (0xA) << 1) | 0x1 */
++ 0x15
++ };
++
++ (void)dev_id;
++ memcpy(cid, test_cid, sizeof(test_cid));
++
++ return TEE_SUCCESS;
++}
++
++static void ioctl_emu_set_ext_csd(uint8_t *ext_csd)
++{
++ ext_csd[168] = EMU_RPMB_SIZE_MULT;
++ ext_csd[222] = EMU_RPMB_REL_WR_SEC_C;
++}
++
++/* A crude emulation of the MMC ioctls we need for RPMB */
++static int ioctl_emu(int fd, unsigned long request, ...)
++{
++ struct mmc_ioc_cmd *cmd = NULL;
++ struct rpmb_data_frame *frm = NULL;
++ uint16_t msg_type = 0;
++ struct rpmb_emu *mem = mem_for_fd(fd);
++ va_list ap;
++
++ if (request != MMC_IOC_CMD) {
++ printf("Unsupported ioctl: 0x%lx\n", request);
++ return -1;
++ }
++ if (!mem)
++ return -1;
++
++ va_start(ap, request);
++ cmd = va_arg(ap, struct mmc_ioc_cmd *);
++ va_end(ap);
++
++ switch (cmd->opcode) {
++ case MMC_SEND_EXT_CSD:
++ ioctl_emu_set_ext_csd((uint8_t *)(uintptr_t)cmd->data_ptr);
++ break;
++
++ case MMC_WRITE_MULTIPLE_BLOCK:
++ frm = (struct rpmb_data_frame *)(uintptr_t)cmd->data_ptr;
++ msg_type = ntohs(frm->msg_type);
++
++ switch (msg_type) {
++ case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM:
++ mem->last_op.msg_type = msg_type;
++ mem->last_op.op_result = ioctl_emu_setkey(mem, frm);
++ break;
++
++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE:
++ mem->last_op.msg_type = msg_type;
++ mem->last_op.address = ntohs(frm->address);
++ mem->last_op.op_result =
++ ioctl_emu_mem_transfer(mem, frm,
++ cmd->blocks, 1);
++ break;
++
++ case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ:
++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ:
++ memcpy(mem->nonce, frm->nonce, 16);
++ mem->last_op.msg_type = msg_type;
++ mem->last_op.address = ntohs(frm->address);
++ break;
++ default:
++ break;
++ }
++ break;
++
++ case MMC_READ_MULTIPLE_BLOCK:
++ frm = (struct rpmb_data_frame *)(uintptr_t)cmd->data_ptr;
++ msg_type = ntohs(frm->msg_type);
++
++ switch (mem->last_op.msg_type) {
++ case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM:
++ ioctl_emu_get_keyprog_result(mem, frm);
++ break;
++
++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE:
++ ioctl_emu_get_write_result(mem, frm);
++ break;
++
++ case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ:
++ ioctl_emu_read_ctr(mem, frm);
++ break;
++
++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ:
++ ioctl_emu_mem_transfer(mem, frm, cmd->blocks, 0);
++ break;
++
++ default:
++ printf("Unexpected\n");
++ break;
++ }
++ break;
++
++ default:
++ printf("Unsupported ioctl opcode 0x%08x\n", cmd->opcode);
++ return -1;
++ }
++
++ return 0;
++}
++
++static int mmc_rpmb_fd(uint16_t dev_id)
++{
++ (void)dev_id;
++
++ /* Any value != -1 will do in test mode */
++ return 0;
++}
++
++static int mmc_fd(uint16_t dev_id)
++{
++ (void)dev_id;
++
++ return 0;
++}
++
++static void close_mmc_fd(int fd)
++{
++ (void)fd;
++}
++
++/*
++ * Extended CSD Register is 512 bytes and defines device properties
++ * and selected modes.
++ */
++static uint32_t read_ext_csd(int fd, uint8_t *ext_csd)
++{
++ int st = 0;
++ struct mmc_ioc_cmd cmd = {
++ .blksz = 512,
++ .blocks = 1,
++ .flags = MMC_RSP_R1 | MMC_CMD_ADTC,
++ .opcode = MMC_SEND_EXT_CSD,
++ };
++
++ mmc_ioc_cmd_set_data(cmd, ext_csd);
++
++ st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++ if (st < 0)
++ return TEE_ERROR_GENERIC;
++
++ return TEE_SUCCESS;
++}
++
++static uint32_t rpmb_data_req(int fd, struct rpmb_data_frame *req_frm,
++ size_t req_nfrm, struct rpmb_data_frame *rsp_frm,
++ size_t rsp_nfrm)
++{
++ int st = 0;
++ size_t i = 0;
++ uint16_t msg_type = ntohs(req_frm->msg_type);
++ struct mmc_ioc_cmd cmd = {
++ .blksz = 512,
++ .blocks = req_nfrm,
++ .data_ptr = (uintptr_t)req_frm,
++ .flags = MMC_RSP_R1 | MMC_CMD_ADTC,
++ .opcode = MMC_WRITE_MULTIPLE_BLOCK,
++ .write_flag = 1,
++ };
++
++ for (i = 1; i < req_nfrm; i++) {
++ if (req_frm[i].msg_type != msg_type) {
++ printf("All request frames shall be of the same type\n");
++ return TEE_ERROR_BAD_PARAMETERS;
++ }
++ }
++
++ //printf("Req: %zu frame(s) of type 0x%04x", req_nfrm, msg_type);
++ //printf("Rsp: %zu frame(s)", rsp_nfrm);
++
++ switch(msg_type) {
++ case RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM:
++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE:
++ if (rsp_nfrm != 1) {
++ printf("Expected only one response frame\n");
++ return TEE_ERROR_BAD_PARAMETERS;
++ }
++
++ /* Send write request frame(s) */
++ cmd.write_flag |= MMC_CMD23_ARG_REL_WR;
++ /*
++ * Black magic: tested on a HiKey board with a HardKernel eMMC
++ * module. When postsleep values are zero, the kernel logs
++ * random errors: "mmc_blk_ioctl_cmd: Card Status=0x00000E00"
++ * and ioctl() fails.
++ */
++ cmd.postsleep_min_us = 20000;
++ cmd.postsleep_max_us = 50000;
++ st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++ if (st < 0)
++ return TEE_ERROR_GENERIC;
++ cmd.postsleep_min_us = 0;
++ cmd.postsleep_max_us = 0;
++
++ /* Send result request frame */
++ memset(rsp_frm, 0, 1);
++ rsp_frm->msg_type = htons(RPMB_MSG_TYPE_REQ_RESULT_READ);
++ cmd.data_ptr = (uintptr_t)rsp_frm;
++ cmd.write_flag &= ~MMC_CMD23_ARG_REL_WR;
++ st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++ if (st < 0)
++ return TEE_ERROR_GENERIC;
++
++ /* Read response frame */
++ cmd.opcode = MMC_READ_MULTIPLE_BLOCK;
++ cmd.write_flag = 0;
++ cmd.blocks = rsp_nfrm;
++ st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++ if (st < 0)
++ return TEE_ERROR_GENERIC;
++ break;
++
++ case RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ:
++ if (rsp_nfrm != 1) {
++ printf("Expected only one response frame\n");
++ return TEE_ERROR_BAD_PARAMETERS;
++ }
++//#if __GNUC__ > 6
++ //__attribute__((fallthrough));
++//#endif
++
++ case RPMB_MSG_TYPE_REQ_AUTH_DATA_READ:
++ if (req_nfrm != 1) {
++ printf("Expected only one request frame\n");
++ return TEE_ERROR_BAD_PARAMETERS;
++ }
++
++ /* Send request frame */
++ st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++ if (st < 0)
++ return TEE_ERROR_GENERIC;
++
++ /* Read response frames */
++ cmd.data_ptr = (uintptr_t)rsp_frm;
++ cmd.opcode = MMC_READ_MULTIPLE_BLOCK;
++ cmd.write_flag = 0;
++ cmd.blocks = rsp_nfrm;
++ st = IOCTL(fd, MMC_IOC_CMD, &cmd);
++ if (st < 0)
++ return TEE_ERROR_GENERIC;
++ break;
++
++ default:
++ printf("Unsupported message type: %d", msg_type);
++ return TEE_ERROR_GENERIC;
++ }
++
++ return TEE_SUCCESS;
++}
++
++static uint32_t rpmb_get_dev_info(uint16_t dev_id, struct rpmb_dev_info *info)
++{
++ int fd = 0;
++ uint32_t res = 0;
++ uint8_t ext_csd[512] = { 0 };
++
++ res = read_cid(dev_id, info->cid);
++ if (res != TEE_SUCCESS)
++ return res;
++
++ fd = mmc_fd(dev_id);
++ if (fd < 0)
++ return TEE_ERROR_BAD_PARAMETERS;
++
++ res = read_ext_csd(fd, ext_csd);
++ if (res != TEE_SUCCESS)
++ goto err;
++
++ info->rel_wr_sec_c = ext_csd[222];
++ info->rpmb_size_mult = ext_csd[168];
++ info->ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK;
++
++err:
++ close_mmc_fd(fd);
++ return res;
++}
++
++
++/*
++ * req is one struct rpmb_req followed by one or more struct rpmb_data_frame
++ * rsp is either one struct rpmb_dev_info or one or more struct rpmb_data_frame
++ */
++uint32_t rpmb_process_request_emu(void *req, size_t req_size,
++ void *rsp, size_t rsp_size)
++{
++ struct rpmb_req *sreq = req;
++ size_t req_nfrm = 0;
++ size_t rsp_nfrm = 0;
++ uint32_t res = 0;
++ int fd = 0;
++
++ if (req_size < sizeof(*sreq))
++ return TEE_ERROR_BAD_PARAMETERS;
++
++ switch (sreq->cmd) {
++ case RPMB_CMD_DATA_REQ:
++ req_nfrm = (req_size - sizeof(struct rpmb_req)) / 512;
++ rsp_nfrm = rsp_size / 512;
++ fd = mmc_rpmb_fd(sreq->dev_id);
++ if (fd < 0)
++ return TEE_ERROR_BAD_PARAMETERS;
++ res = rpmb_data_req(fd, RPMB_REQ_DATA(req), req_nfrm, rsp,
++ rsp_nfrm);
++ break;
++
++ case RPMB_CMD_GET_DEV_INFO:
++ if (req_size != sizeof(struct rpmb_req) ||
++ rsp_size != sizeof(struct rpmb_dev_info)) {
++ printf("Invalid req/rsp size");
++ return TEE_ERROR_BAD_PARAMETERS;
++ }
++ res = rpmb_get_dev_info(sreq->dev_id,
++ (struct rpmb_dev_info *)rsp);
++ break;
++
++ default:
++ printf("Unsupported RPMB command: %d", sreq->cmd);
++ res = TEE_ERROR_BAD_PARAMETERS;
++ break;
++ }
++
++ return res;
++}
+diff --git a/drivers/tee/optee/rpmb_emu.h b/drivers/tee/optee/rpmb_emu.h
+new file mode 100644
+index 000000000000..3471eecf63b5
+--- /dev/null
++++ b/drivers/tee/optee/rpmb_emu.h
+@@ -0,0 +1,141 @@
++#include <linux/ioctl.h>
++
++/* mmc_ioc_cmd.opcode */
++#define MMC_SEND_EXT_CSD 8
++#define MMC_READ_MULTIPLE_BLOCK 18
++#define MMC_WRITE_MULTIPLE_BLOCK 25
++
++#define IOCTL(fd, request, ...) ioctl_emu((fd), (request), ##__VA_ARGS__)
++#define mmc_ioc_cmd_set_data(ic, ptr) ic.data_ptr = (__u64)(unsigned long) ptr
++#define MMC_CMD23_ARG_REL_WR (1 << 31) /* CMD23 reliable write */
++
++/* Emulated rel_wr_sec_c value (reliable write size, *256 bytes) */
++#define EMU_RPMB_REL_WR_SEC_C 1
++/* Emulated rpmb_size_mult value (RPMB size, *128 kB) */
++#define EMU_RPMB_SIZE_MULT 2
++
++#define EMU_RPMB_SIZE_BYTES (EMU_RPMB_SIZE_MULT * 128 * 1024)
++
++struct mmc_ioc_cmd {
++ /* Implies direction of data. true = write, false = read */
++ int write_flag;
++
++ /* Application-specific command. true = precede with CMD55 */
++ int is_acmd;
++
++ uint32_t opcode;
++ uint32_t arg;
++ uint32_t response[4]; /* CMD response */
++ unsigned int flags;
++ unsigned int blksz;
++ unsigned int blocks;
++
++ /*
++ * Sleep at least postsleep_min_us useconds, and at most
++ * postsleep_max_us useconds *after* issuing command. Needed for
++ * some read commands for which cards have no other way of indicating
++ * they're ready for the next command (i.e. there is no equivalent of
++ * a "busy" indicator for read operations).
++ */
++ unsigned int postsleep_min_us;
++ unsigned int postsleep_max_us;
++
++ /*
++ * Override driver-computed timeouts. Note the difference in units!
++ */
++ unsigned int data_timeout_ns;
++ unsigned int cmd_timeout_ms;
++
++ /*
++ * For 64-bit machines, the next member, ``__u64 data_ptr``, wants to
++ * be 8-byte aligned. Make sure this struct is the same size when
++ * built for 32-bit.
++ */
++ uint32_t __pad;
++
++ /* DAT buffer */
++ uint32_t data_ptr;
++};
++#define MMC_BLOCK_MAJOR 179
++#define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd)
++
++/* Request */
++struct rpmb_req {
++ uint16_t cmd;
++#define RPMB_CMD_DATA_REQ 0x00
++#define RPMB_CMD_GET_DEV_INFO 0x01
++ uint16_t dev_id;
++ uint16_t block_count;
++ /* Optional data frames (rpmb_data_frame) follow */
++};
++#define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
++
++/* Response to device info request */
++struct rpmb_dev_info {
++ uint8_t cid[16];
++ uint8_t rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */
++ uint8_t rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */
++ /* Count */
++ uint8_t ret_code;
++#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00
++#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01
++};
++/* mmc_ioc_cmd.flags */
++#define MMC_RSP_PRESENT (1 << 0)
++#define MMC_RSP_136 (1 << 1) /* 136 bit response */
++#define MMC_RSP_CRC (1 << 2) /* Expect valid CRC */
++#define MMC_RSP_OPCODE (1 << 4) /* Response contains opcode */
++
++#define MMC_RSP_R1 (MMC_RSP_PRESENT|MMC_RSP_CRC|MMC_RSP_OPCODE)
++
++#define MMC_CMD_ADTC (1 << 5) /* Addressed data transfer command */
++
++
++/* Emulated eMMC device state */
++struct rpmb_emu {
++ uint8_t buf[EMU_RPMB_SIZE_BYTES];
++ size_t size;
++ uint8_t key[32];
++ bool key_set;
++ uint8_t nonce[16];
++ uint32_t write_counter;
++ struct {
++ uint16_t msg_type;
++ uint16_t op_result;
++ uint16_t address;
++ } last_op;
++};
++
++/*
++ * This structure is shared with OP-TEE and the MMC ioctl layer.
++ * It is the "data frame for RPMB access" defined by JEDEC, minus the
++ * start and stop bits.
++ */
++struct rpmb_data_frame {
++ uint8_t stuff_bytes[196];
++ uint8_t key_mac[32];
++ uint8_t data[256];
++ uint8_t nonce[16];
++ uint32_t write_counter;
++ uint16_t address;
++ uint16_t block_count;
++ uint16_t op_result;
++#define RPMB_RESULT_OK 0x00
++#define RPMB_RESULT_GENERAL_FAILURE 0x01
++#define RPMB_RESULT_AUTH_FAILURE 0x02
++#define RPMB_RESULT_ADDRESS_FAILURE 0x04
++#define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07
++ uint16_t msg_type;
++#define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001
++#define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002
++#define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003
++#define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004
++#define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005
++#define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100
++#define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200
++#define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300
++#define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400
++};
++
++uint32_t rpmb_process_request_emu(void *req, size_t req_size,
++ void *rsp, size_t rsp_size);
+diff --git a/drivers/tee/optee/sha2.c b/drivers/tee/optee/sha2.c
+new file mode 100644
+index 000000000000..a9acd7244947
+--- /dev/null
++++ b/drivers/tee/optee/sha2.c
+@@ -0,0 +1,249 @@
++/*
++ * FIPS 180-2 SHA-224/256/384/512 implementation
++ * Last update: 02/02/2007
++ * Issue date: 04/30/2005
++ *
++ * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <string.h>
++#include "sha2.h"
++
++#define SHFR(x, n) (x >> n)
++#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
++#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
++#define CH(x, y, z) ((x & y) ^ (~x & z))
++#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
++
++#define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
++#define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
++#define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
++#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
++
++#define UNPACK32(x, str) \
++{ \
++ *((str) + 3) = (uint8) ((x) ); \
++ *((str) + 2) = (uint8) ((x) >> 8); \
++ *((str) + 1) = (uint8) ((x) >> 16); \
++ *((str) + 0) = (uint8) ((x) >> 24); \
++}
++
++#define PACK32(str, x) \
++{ \
++ *(x) = ((uint32) *((str) + 3) ) \
++ | ((uint32) *((str) + 2) << 8) \
++ | ((uint32) *((str) + 1) << 16) \
++ | ((uint32) *((str) + 0) << 24); \
++}
++
++#define UNPACK64(x, str) \
++{ \
++ *((str) + 7) = (uint8) ((x) ); \
++ *((str) + 6) = (uint8) ((x) >> 8); \
++ *((str) + 5) = (uint8) ((x) >> 16); \
++ *((str) + 4) = (uint8) ((x) >> 24); \
++ *((str) + 3) = (uint8) ((x) >> 32); \
++ *((str) + 2) = (uint8) ((x) >> 40); \
++ *((str) + 1) = (uint8) ((x) >> 48); \
++ *((str) + 0) = (uint8) ((x) >> 56); \
++}
++
++#define PACK64(str, x) \
++{ \
++ *(x) = ((uint64) *((str) + 7) ) \
++ | ((uint64) *((str) + 6) << 8) \
++ | ((uint64) *((str) + 5) << 16) \
++ | ((uint64) *((str) + 4) << 24) \
++ | ((uint64) *((str) + 3) << 32) \
++ | ((uint64) *((str) + 2) << 40) \
++ | ((uint64) *((str) + 1) << 48) \
++ | ((uint64) *((str) + 0) << 56); \
++}
++
++#define SHA256_SCR(i) \
++{ \
++ w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
++ + SHA256_F3(w[i - 15]) + w[i - 16]; \
++}
++
++uint32 sha256_h0[8] =
++ {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
++ 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
++
++uint32 sha256_k[64] =
++ {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
++ 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
++ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
++ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
++ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
++ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
++ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
++ 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
++ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
++ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
++ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
++ 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
++ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
++ 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
++ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
++ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
++
++/* SHA-256 functions */
++
++static void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
++ unsigned int block_nb)
++{
++ uint32 w[64] = { 0 };
++ uint32 wv[8] = { 0 };
++ uint32 t1 = 0;
++ uint32 t2 = 0;
++ const unsigned char *sub_block = NULL;
++ int i = 0;
++ int j = 0;
++
++ for (i = 0; i < (int) block_nb; i++) {
++ sub_block = message + (i << 6);
++
++ for (j = 0; j < 16; j++) {
++ PACK32(&sub_block[j << 2], &w[j]);
++ }
++
++ for (j = 16; j < 64; j++) {
++ SHA256_SCR(j);
++ }
++
++ for (j = 0; j < 8; j++) {
++ wv[j] = ctx->h[j];
++ }
++
++ for (j = 0; j < 64; j++) {
++ t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
++ + sha256_k[j] + w[j];
++ t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
++ wv[7] = wv[6];
++ wv[6] = wv[5];
++ wv[5] = wv[4];
++ wv[4] = wv[3] + t1;
++ wv[3] = wv[2];
++ wv[2] = wv[1];
++ wv[1] = wv[0];
++ wv[0] = t1 + t2;
++ }
++
++ for (j = 0; j < 8; j++) {
++ ctx->h[j] += wv[j];
++ }
++ }
++}
++
++void sha256(const unsigned char *message, unsigned int len,
++ unsigned char *digest)
++{
++ sha256_ctx ctx;
++
++ memset(&ctx, 0, sizeof(ctx));
++
++ sha256_init(&ctx);
++ sha256_update_tee(&ctx, message, len);
++ sha256_final(&ctx, digest);
++}
++
++void sha256_init(sha256_ctx *ctx)
++{
++ int i = 0;
++
++ for (i = 0; i < 8; i++) {
++ ctx->h[i] = sha256_h0[i];
++ }
++
++ ctx->len = 0;
++ ctx->tot_len = 0;
++}
++
++void sha256_update_tee(sha256_ctx *ctx, const unsigned char *message,
++ unsigned int len)
++{
++ unsigned int block_nb = 0;
++ unsigned int new_len = 0;
++ unsigned int rem_len = 0;
++ unsigned int tmp_len = 0;
++ const unsigned char *shifted_message = NULL;
++
++ tmp_len = SHA256_BLOCK_SIZE - ctx->len;
++ rem_len = len < tmp_len ? len : tmp_len;
++
++ memcpy(&ctx->block[ctx->len], message, rem_len);
++
++ if (ctx->len + len < SHA256_BLOCK_SIZE) {
++ ctx->len += len;
++ return;
++ }
++
++ new_len = len - rem_len;
++ block_nb = new_len / SHA256_BLOCK_SIZE;
++
++ shifted_message = message + rem_len;
++
++ sha256_transf(ctx, ctx->block, 1);
++ sha256_transf(ctx, shifted_message, block_nb);
++
++ rem_len = new_len % SHA256_BLOCK_SIZE;
++
++ memcpy(ctx->block, &shifted_message[block_nb << 6],
++ rem_len);
++
++ ctx->len = rem_len;
++ ctx->tot_len += (block_nb + 1) << 6;
++}
++
++void sha256_final(sha256_ctx *ctx, unsigned char *digest)
++{
++ unsigned int block_nb = 0;
++ unsigned int pm_len = 0;
++ unsigned int len_b = 0;
++ int i = 0;
++
++ block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
++ < (ctx->len % SHA256_BLOCK_SIZE)));
++
++ len_b = (ctx->tot_len + ctx->len) << 3;
++ pm_len = block_nb << 6;
++
++ memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
++ ctx->block[ctx->len] = 0x80;
++ UNPACK32(len_b, ctx->block + pm_len - 4);
++
++ sha256_transf(ctx, ctx->block, block_nb);
++
++ for (i = 0 ; i < 8; i++) {
++ UNPACK32(ctx->h[i], &digest[i << 2]);
++ }
++}
+diff --git a/drivers/tee/optee/sha2.h b/drivers/tee/optee/sha2.h
+new file mode 100644
+index 000000000000..4ce0f3cd5231
+--- /dev/null
++++ b/drivers/tee/optee/sha2.h
+@@ -0,0 +1,75 @@
++/*
++ * FIPS 180-2 SHA-224/256/384/512 implementation
++ * Last update: 02/02/2007
++ * Issue date: 04/30/2005
++ *
++ * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
++ * All rights reserved.
++ *
++ * Copyright (c) 2016, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of the project nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#ifndef SHA2_H
++#define SHA2_H
++
++#define SHA256_DIGEST_SIZE ( 256 / 8)
++#define SHA256_BLOCK_SIZE ( 512 / 8)
++
++#ifndef SHA2_TYPES
++#define SHA2_TYPES
++typedef unsigned char uint8;
++typedef unsigned int uint32;
++typedef unsigned long long uint64;
++#endif
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++typedef struct {
++ unsigned int tot_len;
++ unsigned int len;
++ unsigned char block[2 * SHA256_BLOCK_SIZE];
++ uint32 h[8];
++} sha256_ctx;
++
++typedef sha256_ctx sha224_ctx;
++
++void sha256_init(sha256_ctx * ctx);
++void sha256_update_tee(sha256_ctx *ctx, const unsigned char *message,
++ unsigned int len);
++void sha256_final(sha256_ctx *ctx, unsigned char *digest);
++void sha256(const unsigned char *message, unsigned int len,
++ unsigned char *digest);
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* !SHA2_H */
++
+--
+2.29.2
+
diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 0a9a15a0f..d5d7c16de 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -13,6 +13,9 @@ require recipes-bsp/u-boot/u-boot-common.inc
U_BOOT_BIN = "u-boot.bin"
+SRC_URI_append_secureboot = " \
+ file://0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch;patch=1"
+
do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
do_deploy() {
dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [isar-cip-core][PATCH 5/7] add kas files for building qemu secure boot images
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
` (2 preceding siblings ...)
2022-10-19 9:21 ` [isar-cip-core][PATCH 4/7] add u-boot patch for qemu to support RPMB sven.schultschik
@ 2022-10-19 9:21 ` sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 6/7] enhance start-qemu.sh for arm64 secure boot sven.schultschik
` (2 subsequent siblings)
6 siblings, 0 replies; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
The u-boot-efi-ebg-op-tee-qemu kas file combines the different recipes to create an image which can be booted with qemu and provides secure boot with EBG, TFA, u-boot, UEFI, EDK2, OPTEE and RPMB
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
kas/opt/u-boot-efi-ebg-op-tee-qemu.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 kas/opt/u-boot-efi-ebg-op-tee-qemu.yml
diff --git a/kas/opt/u-boot-efi-ebg-op-tee-qemu.yml b/kas/opt/u-boot-efi-ebg-op-tee-qemu.yml
new file mode 100644
index 000000000..0558c8e79
--- /dev/null
+++ b/kas/opt/u-boot-efi-ebg-op-tee-qemu.yml
@@ -0,0 +1,11 @@
+header:
+ version: 10
+ includes:
+ - kas/board/qemu-arm64.yml
+ - kas/opt/5.10.yml
+ - kas/opt/bullseye.yml
+ - kas/opt/ebg-secure-boot-snakeoil.yml
+
+local_conf_header:
+ trusted-firmware-a-qemu-arm64: |
+ IMAGE_INSTALL_append = " trusted-firmware-a-qemu-arm64"
\ No newline at end of file
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [isar-cip-core][PATCH 6/7] enhance start-qemu.sh for arm64 secure boot
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
` (3 preceding siblings ...)
2022-10-19 9:21 ` [isar-cip-core][PATCH 5/7] add kas files for building qemu secure boot images sven.schultschik
@ 2022-10-19 9:21 ` sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 7/7] no merge - manually instructions test " sven.schultschik
2022-10-19 10:44 ` [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Jan Kiszka
6 siblings, 0 replies; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
The start-qemu shell script need some adjustments to switch on secure in the machine statement and adds the virtual random number generator if secure boot is enabled.
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
start-qemu.sh | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/start-qemu.sh b/start-qemu.sh
index dd16aed98..18946a6c9 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -80,13 +80,22 @@ case "${arch}" in
QEMU_EXTRA_ARGS=" \
-cpu cortex-a57 \
-smp 4 \
- -machine virt \
-device virtio-serial-device \
-device virtconsole,chardev=con -chardev vc,id=con \
-device virtio-blk-device,drive=disk \
-device virtio-net-device,netdev=net"
KERNEL_CMDLINE=" \
root=/dev/vda rw"
+ if [ -n "${SECURE_BOOT}" ]; then
+ QEMU_EXTRA_ARGS=" \
+ ${QEMU_EXTRA_ARGS} \
+ -machine virt,secure=on \
+ -device virtio-rng-device"
+ else
+ QEMU_EXTRA_ARGS=" \
+ ${QEMU_EXTRA_ARGS} \
+ -machine virt"
+ fi
;;
arm|armhf)
QEMU_ARCH=arm
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [isar-cip-core][PATCH 7/7] no merge - manually instructions test secure boot
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
` (4 preceding siblings ...)
2022-10-19 9:21 ` [isar-cip-core][PATCH 6/7] enhance start-qemu.sh for arm64 secure boot sven.schultschik
@ 2022-10-19 9:21 ` sven.schultschik
2022-10-19 10:44 ` [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Jan Kiszka
6 siblings, 0 replies; 19+ messages in thread
From: sven.schultschik @ 2022-10-19 9:21 UTC (permalink / raw)
To: cip-dev; +Cc: jan.kiszka, Sven Schultschik
From: Sven Schultschik <sven.schultschik@siemens.com>
This patch is not ment for merge but shows how to generally test the implementation of the optee and rpmb driven secure boot qemu setup.
Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
---
README.md | 65 ++++++++++++++++++
keys/helloworld.efi | Bin 0 -> 4576 bytes
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 2 +-
start-qemu.sh | 3 +-
4 files changed, 68 insertions(+), 2 deletions(-)
create mode 100644 keys/helloworld.efi
diff --git a/README.md b/README.md
index e30ff3a63..36f9ebe25 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,71 @@ or via bmap-tools
bmaptool copy build/tmp/deploy/images/bbb/cip-core-image-cip-core-buster-bbb.wic.img /dev/<medium-device>
+## Running Secure Boot Target Images and test it
+Create a folder named `keys` if not exist and within this folder create the signing keys and db
+
+```bash
+#PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+# KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+# db
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=SIEMENS_TEST_db/ -keyout db.key -out db.crt -nodes -days 365
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+```
+
+Put an bootable `.efi` file in it or use the `helloworld.efi` provided and sign it.
+
+```
+sbsign --key db.key --cert db.crt helloworld.efi
+```
+
+The `start-qemu.sh` has additional `-hdb fat:rw:keys` added with this patch to mount the `keys` folder.
+
+Start the qemu with following command
+
+```
+FIRMWARE_BIN=./build/tmp/deploy/images/qemu-arm64/flash.bin ./start-qemu.sh aarch64
+```
+
+In this test patch there is as well the possibility added to stop in the u-boot. So if you see a 5 sec timer ticking press Enter to stop.
+
+Now add the keys to the environment my typing
+
+```
+fatload virtio 1:1 ${fileaddr} PK.auth
+setenv -e -nv -bs -rt -at -i ${fileaddr}:$filesize PK
+fatload virtio 1:1 ${fileaddr} KEK.auth
+setenv -e -nv -bs -rt -at -i ${fileaddr}:$filesize KEK
+fatload virtio 1:1 ${fileaddr} db.auth
+setenv -e -nv -bs -rt -at -i ${fileaddr}:$filesize db
+```
+> The address ${fileaddr}=40000000 depends on your DRAM setup. You can check with `bdinfo`
+
+> $filesize is set by fatload
+
+### Boot signed efi binary
+
+```
+fatload virtio 1:1 ${fileaddr} helloworld.efi.signed
+
+bootefi ${fileaddr} ${fdtcontroladdr}
+```
+
+### Try same binary but unsigned
+This should fail with `Image not authenticated. Loading image failed`
+```
+fatload virtio 1:1 ${fileaddr} helloworld.efi
+
+bootefi ${fileaddr} ${fdtcontroladdr}
+```
## Community Resources
diff --git a/keys/helloworld.efi b/keys/helloworld.efi
new file mode 100644
index 0000000000000000000000000000000000000000..c021d94ae576271f1f472bd2e5f380ed1830a2ff
GIT binary patch
literal 4576
zcmeHKYfKbZ6h1SvJSx^Kg7`w6;o+lE>w`Af8X2%q+e(Xoefa|rRv{uFPz#|cL$D1A
ziD9CqO=~TtHE}mhYK@xOmxv~9Q<GY>r2V(h{ve?bDWy6pZoe~omt7WOn<n)acQbqL
zJ@-4`{m!{}c4l*5r2o`1^K;8|MCN4^m3icG9Gx^nj*;c~rPG4$O%f4bfu^Dp9T<ez
znwTIiBs>H$u^Tzj^^cyFwXVwQ(!0ZSa%QcpcQw=l#<{TmfDMgQDbG9F^o4s=A=4Wr
zxr;}9PCz>}eVMsHqJzamr@c{`?q`V(jy824?^23-8E<1c5>1X9E|A=Di1||?Pq8Q4
zk{!CGQ%0|`MnBsnQCiDF-D;8OROlS{nPa#h)2$6GGMSs>t|_vI<VC%Kc`bT@$^K!V
zZ}w=@=eAB>FCMWYaby`1oi+ql92q^D?#J``UM0@M{3CI?HQIE+)}9P5nT&i5S1~Zd
z(5woMwUW`pn&Rl%A6i?G=Qpg)YxIHdP}T}tkDZ@bm-Pp7?u^teDMhz<ZB_7h-SV9Z
zXw*(D9K-%#=k)QooDP70WSi_Bfv)SNird=daNnwnaI33ytN3+ttEz4po(Q{knh{)=
zB8_|*S64)5tyh_`tazGk^*7O31$j!*`dRfAXMwh!W)jIU-k+$kZ<rc&2gMS687Z`9
zAc_icq|*8a{c}<@rD<Ih%eXP^q?$J`NG9)fL-!IpkGbg2-$>@VcGaAX`UmRLr_A#N
zYBCldQm4bn(}+Q>(sauwOM@32RA@x$)?V=Tw@T*uZZeh4T*q0Sz&>?G(<wti4A#_Y
zlE&(I5L~=B$h8N1+hbr49F_i9BlH|>%W_{Y-H4h#hMH!(N1MK~&xE#=w)89X0M{oO
z_4)++;`^N%yI~U)qo+@q<Dqoj`s>w%w`JMrAxda(#{JMq^pO8t%njyhYnkt{anZWP
zag476zDwY3{i-&m-$0DiN@jS>j_{bv!I<ljWPS*J-nF`w=<~h7wd;RRG9~1%bm~@@
zESZ72VclTeI+E>mPl{NY4lM5RvAPbV*z+FDw=gI6F&X=CJ}bz_Sl-(M;I(r(o@yQe
z-tG@9Hu((nwdT0vp^NV?8ukVGpZA{|#(1N0+~m})X#%$&9GZ$ca1OW}xKfRx8^@q8
zlN668(`kaQODXC-r_vDa+ro1x!Y0yC2~lAZ@%=5gYdV=j;7h@H6gC<57HkpGP}v;)
zCVr0!@w;~NSNJk<e`HK|4jn~&HgFhQ8d3Yva`i?QDee16`Q}~3UAp5d^a8Ir=sVU{
zM2<mT6Pog)h~ky<vh;lpGE-rjDPkA-e1*jn@f7P_MAG0gnF<}O4OhRCWS`eka5a-W
z$hoAJm!`i~o}A7)Q_y#yk9m{lTfoIUT$kIJ{{<KKi%1#Fga)3I1fJu0%-3eBrV=V6
z6}E=zsRFi&>gW-82seL~J$BKCu+ja*Pq2-Mt+Fxoz?a(Cz2u@=FsWd5(Oxi?!m3~|
zfwvsJdf@omMGg3#jA;iLTq3F(=t|&sW4s&vT51$Ao8YO$r<#^y{$+cv602%rKA&E)
z)m7koClH*ON?R$La_9;4@YI7Q)*G(1Uaare7DQzt<2*Zd4XvbAh^q&~c4%;oX$mkF
zP%dQw`wSIKf*W5suD#1v$Jy|Hxa>WtK*lA|?yp}h=D2oT=gLXz7UcPNwdY-#j5Qa#
zR)<fZa^u;`p{WY`f?3}kAKdvJP+mKs+7tP*fa6@p?~DIT=0Fv%96V8eKhgKvnU4++
z9m{Nu`El0r3XgZsKzZBH&sSnUOCsaT^=&PySG+UWw&F_cTM5*$B;$PU(be;}Z9mi#
zyFY_Ezpki#RNb(zeN9XLrjAQn=RN&obD~-G+<h6lF~80~@5G4-Z4NQGtol16cYM{{
ztI_=92)`jnwcFUcoFEFk1AZ%Tcs;b+9AOs<JN^w+IPam!3kbc3YfddSRe`ArOjY3j
zsK8E;&LoKv@lwVu@H_q{`cC-6TQMArCxK5CfKOqaq!9nF4{eWQ!1$};0r0+<d{Fos
z#DgGB_;uLHcntWNM-9_?QQ*}usYh(TMB%^JTLjMsV%<E9x#2&u&3{esT(!MKi-rH9
zc<?wC|HK&>)|nTU@58n~ObmSNVf_tassUqecwYz4kS|>43-B}kw$K^amlHN#p;ck)
F{tfI&1hD`B
literal 0
HcmV?d00001
diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 8e6428238..63d73f70a 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -1,5 +1,5 @@
### Secure boot config
-CONFIG_BOOTDELAY=-2
+CONFIG_BOOTDELAY=5
CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
CONFIG_EFI_VARIABLES_PRESEED=y
diff --git a/start-qemu.sh b/start-qemu.sh
index 18946a6c9..ac73d8d3b 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -179,7 +179,8 @@ if [ -n "${SECURE_BOOT}${SWUPDATE_BOOT}" ]; then
${QEMU_PATH}${QEMU} \
-drive file=${IMAGE_PREFIX}.wic,discard=unmap,if=none,id=disk,format=raw \
-bios ${u_boot_bin} \
- ${QEMU_COMMON_OPTIONS} "$@"
+ ${QEMU_COMMON_OPTIONS} "$@" \
+ -hdb fat:rw:keys
;;
*)
echo "Unsupported architecture: ${arch}"
--
2.30.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
` (5 preceding siblings ...)
2022-10-19 9:21 ` [isar-cip-core][PATCH 7/7] no merge - manually instructions test " sven.schultschik
@ 2022-10-19 10:44 ` Jan Kiszka
2022-10-19 10:46 ` Jan Kiszka
` (2 more replies)
6 siblings, 3 replies; 19+ messages in thread
From: Jan Kiszka @ 2022-10-19 10:44 UTC (permalink / raw)
To: sven.schultschik, cip-dev
On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
> From: Sven Schultschik <sven.schultschik@siemens.com>
>
> The recipe provides the possibility to create optee-os binaries for use inside of an qemu secureboot setup with edk2, rpmb, u-boot and uefi
>
> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
> ---
> .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 57 +++++++++++++++++++
> recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++
> recipes-bsp/u-boot/u-boot-common.inc | 6 +-
> 3 files changed, 67 insertions(+), 3 deletions(-)
> create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>
> diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
> new file mode 100644
> index 000000000..5e60041af
> --- /dev/null
> +++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
> @@ -0,0 +1,57 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +# Sven Schultschik <sven.schultschik@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +HOMEPAGE = "https://github.com/OP-TEE/optee_os"
> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> +LICENSE = "BSD-2-Clause"
> +
> +require recipes-bsp/optee-os/optee-os-custom.inc
> +
> +SRC_URI += " \
> + gitsm://github.com/OP-TEE/optee_os.git;branch=master;protocol=https;destsuffix=git;rev=${PV}"
Do we really need the second-class supported gitsm fetcher here? Also,
destsuffix and rev are both redundant (they are defaults).
Oh, indention by 4 spaces would be sufficient.
> +
> +S = "${WORKDIR}/git"
> +
> +OPTEE_PLATFORM = "vexpress-qemu_armv8a"
> +
> +OPTEE_BINARIES = "tee-header_v2.bin \
> + tee-pager_v2.bin \
> + tee-pageable_v2.bin"
> +
> +DEPENDS = "edk2"
> +DEBIAN_BUILD_DEPENDS += " ,\
> + debhelper(>= 11~), \
> + build-essential, \
Redundant.
> + cpio, \
> + python3-cryptography, \
> + python3-pycryptodome, \
> + python3-serial, \
> + device-tree-compiler, \
> + edk2, \
Do we need Debian's edk2 here?
> + gcc-arm-linux-gnueabihf,"
> +
> +OPTEE_EXTRA_BUILDARGS = "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \
> + CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=1 \
> + CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
> + CFG_REE_FS=n\
> + CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1 CFG_SCTLR_ALIGNMENT_CHECK=n \
> + CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48"
> +
> +ISAR_CROSS_COMPILE = "0"
This looks wrong, specifically as you are installing a 32-bit
cross-compiler and calling a 64-bit one as well below.
> +
> +dpkg_runbuild_prepend() {
> + # $(ARCH) is the CPU architecture to be built.
> + # Currently, the only supported value is arm for 32-bit or 64-bit Armv7-A or Armv8-A.
> + # Please note that contrary to the Linux kernel, $(ARCH) should not be set to arm64 for 64-bit builds.
> + export ARCH="arm"
> + export CROSS_COMPILE32=arm-linux-gnueabihf-
> + export CROSS_COMPILE64=aarch64-linux-gnu-
That is a deprecated style, and sbuild will complain. Move into the
rules file.
> +}
> \ No newline at end of file
Please have a "newline at the end of file".
> diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
> index 956dcbfed..8e6428238 100644
> --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
> +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
> @@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
> CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
> CONFIG_EFI_VARIABLES_PRESEED=y
> CONFIG_EFI_SECURE_BOOT=y
> +### OPTEE config
> +CONFIG_CMD_OPTEE_RPMB=y
> +CONFIG_MMC=y
> +CONFIG_SUPPORT_EMMC_RPMB=y
> +CONFIG_TEE=y
> +CONFIG_OPTEE=y
> +CONFIG_EFI_MM_COMM_TEE=y
> diff --git a/recipes-bsp/u-boot/u-boot-common.inc b/recipes-bsp/u-boot/u-boot-common.inc
> index 60f0da361..7fe4d3fad 100644
> --- a/recipes-bsp/u-boot/u-boot-common.inc
> +++ b/recipes-bsp/u-boot/u-boot-common.inc
> @@ -25,12 +25,12 @@ DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}"
>
> DEBIAN_BUILD_DEPENDS_append_secureboot = ", \
> openssl, pesign, secure-boot-secrets, python3-openssl:native"
> -DEPENDS_append_secureboot = " secure-boot-secrets"
> +DEPENDS_append_secureboot = " secure-boot-secrets optee-os-${MACHINE}"
Nope, this must go into qemu-specific U-Boot bits. We don't have
optee-os for the rest yet.
>
> TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl"
> TEMPLATE_VARS_append_secureboot = " EFI_ARCH"
>
> do_prepare_build_append_secureboot() {
> sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
> - cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
> -}
> + cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
> +}
> \ No newline at end of file
Spurious change. Please cross-read your diffs for such things.
When you resend, I would suggest to split up the optee recipe
introduction and the U-Boot changes.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
2022-10-19 10:44 ` [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Jan Kiszka
@ 2022-10-19 10:46 ` Jan Kiszka
2022-10-19 13:05 ` AW: " Schultschik, Sven
2022-10-19 13:21 ` AW: " Schultschik, Sven
2 siblings, 0 replies; 19+ messages in thread
From: Jan Kiszka @ 2022-10-19 10:46 UTC (permalink / raw)
To: sven.schultschik, cip-dev
On 19.10.22 12:44, Jan Kiszka wrote:
> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>
>> The recipe provides the possibility to create optee-os binaries for use inside of an qemu secureboot setup with edk2, rpmb, u-boot and uefi
>>
>> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
>> ---
>> .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 57 +++++++++++++++++++
>> recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++
>> recipes-bsp/u-boot/u-boot-common.inc | 6 +-
>> 3 files changed, 67 insertions(+), 3 deletions(-)
>> create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>>
>> diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>> new file mode 100644
>> index 000000000..5e60041af
>> --- /dev/null
>> +++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>> @@ -0,0 +1,57 @@
>> +#
>> +# CIP Core, generic profile
>> +#
>> +# Copyright (c) Siemens AG, 2022
>> +#
>> +# Authors:
>> +# Sven Schultschik <sven.schultschik@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +HOMEPAGE = "https://github.com/OP-TEE/optee_os"
>> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
>> +LICENSE = "BSD-2-Clause"
>> +
>> +require recipes-bsp/optee-os/optee-os-custom.inc
>> +
>> +SRC_URI += " \
>> + gitsm://github.com/OP-TEE/optee_os.git;branch=master;protocol=https;destsuffix=git;rev=${PV}"
>
> Do we really need the second-class supported gitsm fetcher here? Also,
> destsuffix and rev are both redundant (they are defaults).
>
> Oh, indention by 4 spaces would be sufficient.
>
>> +
>> +S = "${WORKDIR}/git"
>> +
>> +OPTEE_PLATFORM = "vexpress-qemu_armv8a"
>> +
>> +OPTEE_BINARIES = "tee-header_v2.bin \
>> + tee-pager_v2.bin \
>> + tee-pageable_v2.bin"
>> +
>> +DEPENDS = "edk2"
>> +DEBIAN_BUILD_DEPENDS += " ,\
>> + debhelper(>= 11~), \
>> + build-essential, \
>
> Redundant.
>
>> + cpio, \
>> + python3-cryptography, \
>> + python3-pycryptodome, \
>> + python3-serial, \
>> + device-tree-compiler, \
>> + edk2, \
>
> Do we need Debian's edk2 here?
Nope, self-built one -> wrong patch ordering, 2/7 must come first.
Jan
>
>> + gcc-arm-linux-gnueabihf,"
>> +
>> +OPTEE_EXTRA_BUILDARGS = "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \
>> + CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=1 \
>> + CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
>> + CFG_REE_FS=n\
>> + CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1 CFG_SCTLR_ALIGNMENT_CHECK=n \
>> + CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48"
>> +
>> +ISAR_CROSS_COMPILE = "0"
>
> This looks wrong, specifically as you are installing a 32-bit
> cross-compiler and calling a 64-bit one as well below.
>
>> +
>> +dpkg_runbuild_prepend() {
>> + # $(ARCH) is the CPU architecture to be built.
>> + # Currently, the only supported value is arm for 32-bit or 64-bit Armv7-A or Armv8-A.
>> + # Please note that contrary to the Linux kernel, $(ARCH) should not be set to arm64 for 64-bit builds.
>> + export ARCH="arm"
>> + export CROSS_COMPILE32=arm-linux-gnueabihf-
>> + export CROSS_COMPILE64=aarch64-linux-gnu-
>
> That is a deprecated style, and sbuild will complain. Move into the
> rules file.
>
>> +}
>> \ No newline at end of file
>
> Please have a "newline at the end of file".
>
>> diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
>> index 956dcbfed..8e6428238 100644
>> --- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
>> +++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
>> @@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
>> CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
>> CONFIG_EFI_VARIABLES_PRESEED=y
>> CONFIG_EFI_SECURE_BOOT=y
>> +### OPTEE config
>> +CONFIG_CMD_OPTEE_RPMB=y
>> +CONFIG_MMC=y
>> +CONFIG_SUPPORT_EMMC_RPMB=y
>> +CONFIG_TEE=y
>> +CONFIG_OPTEE=y
>> +CONFIG_EFI_MM_COMM_TEE=y
>> diff --git a/recipes-bsp/u-boot/u-boot-common.inc b/recipes-bsp/u-boot/u-boot-common.inc
>> index 60f0da361..7fe4d3fad 100644
>> --- a/recipes-bsp/u-boot/u-boot-common.inc
>> +++ b/recipes-bsp/u-boot/u-boot-common.inc
>> @@ -25,12 +25,12 @@ DEBIAN_BUILD_DEPENDS += ", libssl-dev:native, libssl-dev:${DISTRO_ARCH}"
>>
>> DEBIAN_BUILD_DEPENDS_append_secureboot = ", \
>> openssl, pesign, secure-boot-secrets, python3-openssl:native"
>> -DEPENDS_append_secureboot = " secure-boot-secrets"
>> +DEPENDS_append_secureboot = " secure-boot-secrets optee-os-${MACHINE}"
>
> Nope, this must go into qemu-specific U-Boot bits. We don't have
> optee-os for the rest yet.
>
>>
>> TEMPLATE_FILES_append_secureboot = " secure-boot.cfg.tmpl"
>> TEMPLATE_VARS_append_secureboot = " EFI_ARCH"
>>
>> do_prepare_build_append_secureboot() {
>> sed -ni '/### Secure boot config/q;p' ${S}/configs/${U_BOOT_CONFIG}
>> - cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
>> -}
>> + cat ${WORKDIR}/secure-boot.cfg >> ${S}/configs/${U_BOOT_CONFIG}
>> +}
>> \ No newline at end of file
>
> Spurious change. Please cross-read your diffs for such things.
>
> When you resend, I would suggest to split up the optee recipe
> introduction and the U-Boot changes.
>
> Jan
>
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-19 9:21 ` [isar-cip-core][PATCH 2/7] add recipe for for edk2 sven.schultschik
@ 2022-10-19 10:57 ` Jan Kiszka
2022-10-19 13:14 ` AW: " Schultschik, Sven
2022-10-20 16:24 ` Schultschik, Sven
0 siblings, 2 replies; 19+ messages in thread
From: Jan Kiszka @ 2022-10-19 10:57 UTC (permalink / raw)
To: sven.schultschik, cip-dev
On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
> From: Sven Schultschik <sven.schultschik@siemens.com>
>
> provide a recipe to create the BL32_AP_MM.fd binary by edk2 which is needed for the qemu optee generation as dependencie.
dependency
>
> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
> ---
> recipes-bsp/edk2/edk2_202205.bb | 34 ++++++++++++
> recipes-bsp/edk2/files/debian/changelog.tmpl | 6 +++
> recipes-bsp/edk2/files/debian/compat | 1 +
> recipes-bsp/edk2/files/debian/control.tmpl | 14 +++++
> recipes-bsp/edk2/files/debian/edk2.install | 2 +
> recipes-bsp/edk2/files/debian/rules.tmpl | 55 ++++++++++++++++++++
> 6 files changed, 112 insertions(+)
> create mode 100644 recipes-bsp/edk2/edk2_202205.bb
> create mode 100644 recipes-bsp/edk2/files/debian/changelog.tmpl
> create mode 100644 recipes-bsp/edk2/files/debian/compat
> create mode 100644 recipes-bsp/edk2/files/debian/control.tmpl
> create mode 100644 recipes-bsp/edk2/files/debian/edk2.install
> create mode 100755 recipes-bsp/edk2/files/debian/rules.tmpl
>
> diff --git a/recipes-bsp/edk2/edk2_202205.bb b/recipes-bsp/edk2/edk2_202205.bb
> new file mode 100644
> index 000000000..5a773bf77
> --- /dev/null
> +++ b/recipes-bsp/edk2/edk2_202205.bb
> @@ -0,0 +1,34 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# Authors:
> +# Sven Schultschik <sven.schultschik@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +HOMEPAGE = "https://github.com/tianocore/edk2"
> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> +LICENSE = "BSD-2-Clause-Patent"
> +
> +inherit dpkg
> +
> +SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuffix=git/edk2;rev=edk2-stable${PV} \
> + git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuffix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \
- gitsm (see patch 1/7)
- please factor out revisions into separate variables
Or can we also address the revisions via release tags? The recipe
carries a release version number in the end...
> + file://debian \
> + "
> +S = "${WORKDIR}/git"
> +
> +BUILD_DEPENDS += ""
> +
> +TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl debian/rules.tmpl"
> +TEMPLATE_VARS += "BUILD_DEPENDS S"
> +
> +ISAR_CROSS_COMPILE = "0"
Why?
> +
> +do_prepare_build() {
> + cp -R ${WORKDIR}/debian ${S}
> + deb_add_changelog
> +}
> \ No newline at end of file
...
> diff --git a/recipes-bsp/edk2/files/debian/changelog.tmpl b/recipes-bsp/edk2/files/debian/changelog.tmpl
> new file mode 100644
> index 000000000..8d74dfe7a
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/debian/changelog.tmpl
> @@ -0,0 +1,6 @@
> +${PN} (${PV}) unstable; urgency=medium
> +
> + * EDK2
> +
> + --
> +
Should not be needed as you have deb_add_changelog anyway.
> diff --git a/recipes-bsp/edk2/files/debian/compat b/recipes-bsp/edk2/files/debian/compat
> new file mode 100644
> index 000000000..f599e28b8
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/recipes-bsp/edk2/files/debian/control.tmpl b/recipes-bsp/edk2/files/debian/control.tmpl
> new file mode 100644
> index 000000000..1f1bad7c8
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/debian/control.tmpl
> @@ -0,0 +1,14 @@
> +Source: ${PN}
> +Section: base
> +Priority: optional
> +Standards-Version: 3.9.6
> +Build-Depends: ${BUILD_DEPENDS}, python3, dh-python, uuid-dev
> +Homepage: ${HOMEPAGE}
> +Maintainer: ${MAINTAINER}
> +
> +Package: ${PN}
> +Depends: ${shlibs:Depends}
> +Section: base
> +Architecture: ${DISTRO_ARCH}
> +Priority: required
> +Description: ${DESCRIPTION}
> \ No newline at end of file
I suspect you could also generate both files (deb_debianize).
> diff --git a/recipes-bsp/edk2/files/debian/edk2.install b/recipes-bsp/edk2/files/debian/edk2.install
> new file mode 100644
> index 000000000..e5cadccf3
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/debian/edk2.install
> @@ -0,0 +1,2 @@
> +#! /usr/bin/dh-exec
> +Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd /usr/lib/edk2
> \ No newline at end of file
> diff --git a/recipes-bsp/edk2/files/debian/rules.tmpl b/recipes-bsp/edk2/files/debian/rules.tmpl
> new file mode 100755
> index 000000000..11e4ae8cd
> --- /dev/null
> +++ b/recipes-bsp/edk2/files/debian/rules.tmpl
> @@ -0,0 +1,55 @@
> +#!/usr/bin/make -f
> +#
> +# Copyright (c) Siemens AG, 2022
> +#
> +# SPDX-License-Identifier: MIT
> +
> +export WORKSPACE=$(shell pwd)
> +export PACKAGES_PATH=$(WORKSPACE)/edk2:$(WORKSPACE)/edk2-platforms
> +export ACTIVE_PLATFORM="Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc"
> +
> +# https://github.com/tianocore/edk2-platforms/blob/master/Readme.md#if-cross-compiling
> +ifeq (arm64,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'AARCH64'
> +else ifeq ((armhf,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'ARM'
> +else ifeq ((amd64,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'X64'
> +else ifeq ((i386,$(DEB_TARGET_ARCH))
> +export TARGET_ARCH = 'IA32'
> +else
> +$(error DEB_TARGET_ARCH $(DEB_TARGET_ARCH) unsupported)
> +endif
> +# When cross-compiling, or building with a different version of the compiler than
> +# the default `gcc`, we additionally need to inform the
> +# build command which toolchain to use. We do this by setting the environment
> +# variable `{TOOL_CHAIN_TAG}_{TARGET_ARCH}_PREFIX` - in the case above,
> +# **GCC5_AARCH64_PREFIX**.
> +# export GCC5_AARCH64_PREFIX=aarch64-linux-gnu-
> +export GCC5_$(TARGET_ARCH)_PREFIX=$(DEB_HOST_GNU_TYPE)-
> +
> +
> +export SHELL=/bin/bash
> +
> +# ENV Vars which should get set by edksetup.sh
> +export PYTHON_COMMAND=python3
> +export PYTHONHASHSEED=1
> +export CONF_PATH=$(WORKSPACE)/edk2/Conf
> +export EDK_TOOLS_PATH=$(WORKSPACE)/edk2/BaseTools
> +export PATH=$(WORKSPACE)/edk2/BaseTools/Bin/Linux-$(TARGET_ARCH):$(WORKSPACE)/edk2/BaseTools/BinWrappers/PosixLike::/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> +
> +override_dh_auto_build:
> + source edk2/edksetup.sh --reconfig
> +
> + make -C edk2/BaseTools
> +
> + build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc)
> +
> +override_dh_auto_install:
> +
> +override_dh_auto_test:
> +
> +override_dh_strip:
stripping you can likely allow again when doing a true cross-compilation.
> +
> +%:
> + dh $@ --with python3 --no-parallel
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
* AW: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
2022-10-19 10:44 ` [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Jan Kiszka
2022-10-19 10:46 ` Jan Kiszka
@ 2022-10-19 13:05 ` Schultschik, Sven
2022-10-19 13:14 ` Jan Kiszka
2022-10-19 13:21 ` AW: " Schultschik, Sven
2 siblings, 1 reply; 19+ messages in thread
From: Schultschik, Sven @ 2022-10-19 13:05 UTC (permalink / raw)
To: jan.kiszka, cip-dev
> -----Ursprüngliche Nachricht-----
> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
> Gesendet: Mittwoch, 19. Oktober 2022 12:44
> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip-
> dev@lists.cip-project.org
> Betreff: Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
>
> > + gcc-arm-linux-gnueabihf,"
> > +
> > +OPTEE_EXTRA_BUILDARGS =
> "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \
> > + CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288
> CFG_RPMB_WRITE_KEY=1 \
> > + CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
> > + CFG_REE_FS=n\
> > + CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1
> CFG_SCTLR_ALIGNMENT_CHECK=n \
> > + CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48"
> > +
> > +ISAR_CROSS_COMPILE = "0"
>
> This looks wrong, specifically as you are installing a 32-bit cross-compiler and
> calling a 64-bit one as well below.
Optee has it's own weired way to cross compile. If you configure optee for arm64 and activate ISAR cross compile it breaks.
Just come in my mind. I could delete the exports completly and set isar cross compile to true. So deactivate the
Cross compile of optee and use the isar one. I will test if this will work.
>
> > +
> > +dpkg_runbuild_prepend() {
> > + # $(ARCH) is the CPU architecture to be built.
> > + # Currently, the only supported value is arm for 32-bit or 64-bit Armv7-A or
> Armv8-A.
> > + # Please note that contrary to the Linux kernel, $(ARCH) should not be set
> to arm64 for 64-bit builds.
> > + export ARCH="arm"
> > + export CROSS_COMPILE32=arm-linux-gnueabihf-
> > + export CROSS_COMPILE64=aarch64-linux-gnu-
>
> That is a deprecated style, and sbuild will complain. Move into the rules file.
>
Sven
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
2022-10-19 13:05 ` AW: " Schultschik, Sven
@ 2022-10-19 13:14 ` Jan Kiszka
0 siblings, 0 replies; 19+ messages in thread
From: Jan Kiszka @ 2022-10-19 13:14 UTC (permalink / raw)
To: Schultschik, Sven (DI PA DCP R&D 2), cip-dev
On 19.10.22 15:05, Schultschik, Sven (DI PA DCP R&D 2) wrote:
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
>> Gesendet: Mittwoch, 19. Oktober 2022 12:44
>> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip-
>> dev@lists.cip-project.org
>> Betreff: Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
>>
>>> + gcc-arm-linux-gnueabihf,"
>>> +
>>> +OPTEE_EXTRA_BUILDARGS =
>> "CFG_STMM_PATH=/usr/lib/edk2/BL32_AP_MM.fd CFG_RPMB_FS=y \
>>> + CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288
>> CFG_RPMB_WRITE_KEY=1 \
>>> + CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
>>> + CFG_REE_FS=n\
>>> + CFG_TEE_CORE_LOG_LEVEL=1 CFG_TEE_TA_LOG_LEVEL=1
>> CFG_SCTLR_ALIGNMENT_CHECK=n \
>>> + CFG_ARM64_core=y CFG_CORE_ARM64_PA_BITS=48"
>>> +
>>> +ISAR_CROSS_COMPILE = "0"
>>
>> This looks wrong, specifically as you are installing a 32-bit cross-compiler and
>> calling a 64-bit one as well below.
>
> Optee has it's own weired way to cross compile. If you configure optee for arm64 and activate ISAR cross compile it breaks.
That is at least not generally true:
https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb
>
> Just come in my mind. I could delete the exports completly and set isar cross compile to true. So deactivate the
> Cross compile of optee and use the isar one. I will test if this will work.
>
Will be curious to see the result.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
* AW: [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-19 10:57 ` Jan Kiszka
@ 2022-10-19 13:14 ` Schultschik, Sven
2022-10-19 13:21 ` Jan Kiszka
2022-10-20 16:24 ` Schultschik, Sven
1 sibling, 1 reply; 19+ messages in thread
From: Schultschik, Sven @ 2022-10-19 13:14 UTC (permalink / raw)
To: jan.kiszka, cip-dev
> -----Ursprüngliche Nachricht-----
> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
> Gesendet: Mittwoch, 19. Oktober 2022 12:58
> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip-
> dev@lists.cip-project.org
> Betreff: Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
>
> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
> > From: Sven Schultschik <sven.schultschik@siemens.com>
> > +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> > +LICENSE = "BSD-2-Clause-Patent"
> > +
> > +inherit dpkg
> > +
> > +SRC_URI =
> "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuff
> ix=git/edk2;rev=edk2-stable${PV} \
> > +
> > +git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuff
> > +ix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \
>
> - gitsm (see patch 1/7)
EDK2 really uses submodules which need to be pulled
> - please factor out revisions into separate variables
>
> Or can we also address the revisions via release tags? The recipe carries a
> release version number in the end...
>
> > + file://debian \
> > + "
> > +S = "${WORKDIR}/git"
> > +
> > +BUILD_DEPENDS += ""
> > +
> > +TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl
> debian/rules.tmpl"
> > +TEMPLATE_VARS += "BUILD_DEPENDS S"
> > +
> > +ISAR_CROSS_COMPILE = "0"
>
> Why?
EDK2 has it's own build parameter for the target architecture, which activates cross compile
Within EDK2 build which breaks if isar cross is activated.
build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc)
You suggest to turn it off and try if isar cross compile could be enough?
Sven
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-19 13:14 ` AW: " Schultschik, Sven
@ 2022-10-19 13:21 ` Jan Kiszka
2022-10-20 17:59 ` AW: " Schultschik, Sven
0 siblings, 1 reply; 19+ messages in thread
From: Jan Kiszka @ 2022-10-19 13:21 UTC (permalink / raw)
To: Schultschik, Sven (DI PA DCP R&D 2), cip-dev
On 19.10.22 15:14, Schultschik, Sven (DI PA DCP R&D 2) wrote:
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
>> Gesendet: Mittwoch, 19. Oktober 2022 12:58
>> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip-
>> dev@lists.cip-project.org
>> Betreff: Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
>>
>> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
>>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
>>> +LICENSE = "BSD-2-Clause-Patent"
>>> +
>>> +inherit dpkg
>>> +
>>> +SRC_URI =
>> "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuff
>> ix=git/edk2;rev=edk2-stable${PV} \
>>> +
>>> +git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuff
>>> +ix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \
>>
>> - gitsm (see patch 1/7)
>
> EDK2 really uses submodules which need to be pulled
>
>> - please factor out revisions into separate variables
>>
>> Or can we also address the revisions via release tags? The recipe carries a
>> release version number in the end...
>>
>>> + file://debian \
>>> + "
>>> +S = "${WORKDIR}/git"
>>> +
>>> +BUILD_DEPENDS += ""
>>> +
>>> +TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl
>> debian/rules.tmpl"
>>> +TEMPLATE_VARS += "BUILD_DEPENDS S"
>>> +
>>> +ISAR_CROSS_COMPILE = "0"
>>
>> Why?
>
> EDK2 has it's own build parameter for the target architecture, which activates cross compile
> Within EDK2 build which breaks if isar cross is activated.
> build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc)
>
> You suggest to turn it off and try if isar cross compile could be enough?
Cross-compile should give you some relevant toolchain bits and libs at
least. And it makes sure that you have a native toolchain for the build
environment, rather than running with emulation for that.
If you need different compiler settings, adjust the rules file.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
* AW: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
2022-10-19 10:44 ` [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Jan Kiszka
2022-10-19 10:46 ` Jan Kiszka
2022-10-19 13:05 ` AW: " Schultschik, Sven
@ 2022-10-19 13:21 ` Schultschik, Sven
2022-10-19 13:24 ` Jan Kiszka
2 siblings, 1 reply; 19+ messages in thread
From: Schultschik, Sven @ 2022-10-19 13:21 UTC (permalink / raw)
To: jan.kiszka, cip-dev
[-- Attachment #1: Type: text/plain, Size: 3043 bytes --]
> -----Ursprüngliche Nachricht-----
> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
> Gesendet: Mittwoch, 19. Oktober 2022 12:44
> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>;
cip-
> dev@lists.cip-project.org
> Betreff: Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
>
> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
> > From: Sven Schultschik <sven.schultschik@siemens.com>
> >
> > The recipe provides the possibility to create optee-os binaries for
> > use inside of an qemu secureboot setup with edk2, rpmb, u-boot and
> > uefi
> >
> > Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
> > ---
> > .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 57 +++++++++++++++++++
> > recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++
> > recipes-bsp/u-boot/u-boot-common.inc | 6 +-
> > 3 files changed, 67 insertions(+), 3 deletions(-) create mode 100644
> > recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
> >
> > diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
> > b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
> > new file mode 100644
> > index 000000000..5e60041af
> > --- /dev/null
> > +++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
> > @@ -0,0 +1,57 @@
> > +#
> > +# CIP Core, generic profile
> > +#
> > +# Copyright (c) Siemens AG, 2022
> > +#
> > +# Authors:
> > +# Sven Schultschik <sven.schultschik@siemens.com> # #
> > +SPDX-License-Identifier: MIT #
> > +
> > +HOMEPAGE =
>
"https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c
> om%2FOP-
> TEE%2Foptee_os&data=05%7C01%7Csven.schultschik%40siemens.com%7
> C4f98c0d0333a4da5414a08dab1bee02e%7C38ae3bcd95794fd4addab42e1495d
> 55a%7C1%7C0%7C638017730602326587%7CUnknown%7CTWFpbGZsb3d8eyJ
> WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C
> 3000%7C%7C%7C&sdata=EnwEqlIP690Rw3fcrJv0Wc9dfcAc%2BN8h4O%2B
> yRdvsXX4%3D&reserved=0"
> > +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> > +LICENSE = "BSD-2-Clause"
> > +
> > +require recipes-bsp/optee-os/optee-os-custom.inc
> > +
> > +SRC_URI += " \
> > + gitsm://github.com/OP-
> TEE/optee_os.git;branch=master;protocol=https;destsuffix=git;rev=${PV}"
>
> Do we really need the second-class supported gitsm fetcher here? Also,
> destsuffix and rev are both redundant (they are defaults).
I tried your suggestion and removed destsuffix and rev and now I remember
why I added it initially:
SRC_URI += " \
git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
optee-os-qemu-arm64-3.17.0-r0 do_fetch: Fetcher failure for URL:
'git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https'. Please
set a valid SRCREV for url ['SRCREV_default_pn-optee-os-qemu-arm64',
'SRCREV_default', 'SRCREV_pn-optee-os-qemu-arm64', 'SRCREV'] (possible key
names are git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https,
or use a ;rev=X URL parameter)
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 14944 bytes --]
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
2022-10-19 13:21 ` AW: " Schultschik, Sven
@ 2022-10-19 13:24 ` Jan Kiszka
0 siblings, 0 replies; 19+ messages in thread
From: Jan Kiszka @ 2022-10-19 13:24 UTC (permalink / raw)
To: Schultschik, Sven (DI PA DCP R&D 2), cip-dev
On 19.10.22 15:21, Schultschik, Sven (DI PA DCP R&D 2) wrote:
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
>> Gesendet: Mittwoch, 19. Oktober 2022 12:44
>> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>;
> cip-
>> dev@lists.cip-project.org
>> Betreff: Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
>>
>> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
>>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>>
>>> The recipe provides the possibility to create optee-os binaries for
>>> use inside of an qemu secureboot setup with edk2, rpmb, u-boot and
>>> uefi
>>>
>>> Signed-off-by: Sven Schultschik <sven.schultschik@siemens.com>
>>> ---
>>> .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 57 +++++++++++++++++++
>>> recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++
>>> recipes-bsp/u-boot/u-boot-common.inc | 6 +-
>>> 3 files changed, 67 insertions(+), 3 deletions(-) create mode 100644
>>> recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>>>
>>> diff --git a/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>>> b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>>> new file mode 100644
>>> index 000000000..5e60041af
>>> --- /dev/null
>>> +++ b/recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb
>>> @@ -0,0 +1,57 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2022
>>> +#
>>> +# Authors:
>>> +# Sven Schultschik <sven.schultschik@siemens.com> # #
>>> +SPDX-License-Identifier: MIT #
>>> +
>>> +HOMEPAGE =
>>
> "https://github.c
>> om%2FOP-
>> TEE%2Foptee_os&data=05%7C01%7Csven.schultschik%40siemens.com%7
>> C4f98c0d0333a4da5414a08dab1bee02e%7C38ae3bcd95794fd4addab42e1495d
>> 55a%7C1%7C0%7C638017730602326587%7CUnknown%7CTWFpbGZsb3d8eyJ
>> WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C
>> 3000%7C%7C%7C&sdata=EnwEqlIP690Rw3fcrJv0Wc9dfcAc%2BN8h4O%2B
>> yRdvsXX4%3D&reserved=0"
>>> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
>>> +LICENSE = "BSD-2-Clause"
>>> +
>>> +require recipes-bsp/optee-os/optee-os-custom.inc
>>> +
>>> +SRC_URI += " \
>>> + gitsm://github.com/OP-
>> TEE/optee_os.git;branch=master;protocol=https;destsuffix=git;rev=${PV}"
>>
>> Do we really need the second-class supported gitsm fetcher here? Also,
>> destsuffix and rev are both redundant (they are defaults).
>
> I tried your suggestion and removed destsuffix and rev and now I remember
> why I added it initially:
>
> SRC_URI += " \
> git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
>
> optee-os-qemu-arm64-3.17.0-r0 do_fetch: Fetcher failure for URL:
> 'git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https'. Please
> set a valid SRCREV for url ['SRCREV_default_pn-optee-os-qemu-arm64',
> 'SRCREV_default', 'SRCREV_pn-optee-os-qemu-arm64', 'SRCREV'] (possible key
> names are git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https,
> or use a ;rev=X URL parameter)
Right, it gives you an even better suggestion than I what to do /wrt
SRCREV when you have multiple repos (not here but in edk2).
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
* AW: [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-19 10:57 ` Jan Kiszka
2022-10-19 13:14 ` AW: " Schultschik, Sven
@ 2022-10-20 16:24 ` Schultschik, Sven
2022-10-21 6:57 ` Jan Kiszka
1 sibling, 1 reply; 19+ messages in thread
From: Schultschik, Sven @ 2022-10-20 16:24 UTC (permalink / raw)
To: jan.kiszka, cip-dev
> -----Ursprüngliche Nachricht-----
> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
> Gesendet: Mittwoch, 19. Oktober 2022 12:58
> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip-
> dev@lists.cip-project.org
> Betreff: Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
>
> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
> > From: Sven Schultschik <sven.schultschik@siemens.com>
> >
> > +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> > +LICENSE = "BSD-2-Clause-Patent"
> > +
> > +inherit dpkg
> > +
> > +SRC_URI =
> "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuff
> ix=git/edk2;rev=edk2-stable${PV} \
> > +
> > +git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuff
> > +ix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \
>
> - gitsm (see patch 1/7)
> - please factor out revisions into separate variables
>
> Or can we also address the revisions via release tags? The recipe carries a
> release version number in the end...
I checked and edk2-platforms does not have any tags. In theory you could use always the latest. But then you can't reproduce the builds.
The version of the recipe is the tag for the edk2 repository, which is already in use
^ permalink raw reply [flat|nested] 19+ messages in thread
* AW: [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-19 13:21 ` Jan Kiszka
@ 2022-10-20 17:59 ` Schultschik, Sven
0 siblings, 0 replies; 19+ messages in thread
From: Schultschik, Sven @ 2022-10-20 17:59 UTC (permalink / raw)
To: jan.kiszka, cip-dev
[-- Attachment #1: Type: text/plain, Size: 3119 bytes --]
> -----Ursprüngliche Nachricht-----
> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
> Gesendet: Mittwoch, 19. Oktober 2022 15:22
> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>;
> cip-dev@lists.cip-project.org
> Betreff: Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
>
> On 19.10.22 15:14, Schultschik, Sven (DI PA DCP R&D 2) wrote:
> >
> >
> >> -----Ursprüngliche Nachricht-----
> >> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
> >> Gesendet: Mittwoch, 19. Oktober 2022 12:58
> >> An: Schultschik, Sven (DI PA DCP R&D 2)
> >> <sven.schultschik@siemens.com>; cip- dev@lists.cip-project.org
> >> Betreff: Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
> >>
> >> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
> >>> From: Sven Schultschik <sven.schultschik@siemens.com>
> >>> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
> >>> +LICENSE = "BSD-2-Clause-Patent"
> >>> +
> >>> +inherit dpkg
> >>> +
> >>> +SRC_URI =
> >> "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;d
> >> estsuff
> >> ix=git/edk2;rev=edk2-stable${PV} \
> >>> +
> >>> +git://github.com/tianocore/edk2-platforms.git;protocol=https;destsu
> >>> +ff
> >>> +ix=git/edk2-
> platforms;rev=3b896d1a325686de3942723c42f286090453e37a
> >>> +\
> >>
> >> - gitsm (see patch 1/7)
> >
> > EDK2 really uses submodules which need to be pulled
> >
> >> - please factor out revisions into separate variables
> >>
> >> Or can we also address the revisions via release tags? The recipe
> >> carries a release version number in the end...
> >>
> >>> + file://debian \
> >>> + "
> >>> +S = "${WORKDIR}/git"
> >>> +
> >>> +BUILD_DEPENDS += ""
> >>> +
> >>> +TEMPLATE_FILES = "debian/changelog.tmpl debian/control.tmpl
> >> debian/rules.tmpl"
> >>> +TEMPLATE_VARS += "BUILD_DEPENDS S"
> >>> +
> >>> +ISAR_CROSS_COMPILE = "0"
> >>
> >> Why?
> >
> > EDK2 has it's own build parameter for the target architecture, which
> > activates cross compile Within EDK2 build which breaks if isar cross is
> activated.
> > build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n
> > $(shell nproc)
> >
> > You suggest to turn it off and try if isar cross compile could be enough?
>
> Cross-compile should give you some relevant toolchain bits and libs at least.
> And it makes sure that you have a native toolchain for the build environment,
> rather than running with emulation for that.
>
> If you need different compiler settings, adjust the rules file.
>
Currently strugling with the "true" cross compile. At some point it seems to use the wrong compiler.
gcc: error: unrecognized command-line option ‘-mlittle-endian’
| Building ... /<<PKGBUILDDIR>>/edk2/MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf [AARCH64]
| gcc: error: unrecognized command-line option ‘-mstrict-align’; did you mean ‘-Wstrict-aliasing’?
| gcc: error: unrecognized command-line option ‘-mstrict-align’; did you mean ‘-Wstrict-aliasing’?
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 14944 bytes --]
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: AW: [isar-cip-core][PATCH 2/7] add recipe for for edk2
2022-10-20 16:24 ` Schultschik, Sven
@ 2022-10-21 6:57 ` Jan Kiszka
0 siblings, 0 replies; 19+ messages in thread
From: Jan Kiszka @ 2022-10-21 6:57 UTC (permalink / raw)
To: Schultschik, Sven, cip-dev
On 20.10.22 18:24, Schultschik, Sven wrote:
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Kiszka, Jan (T CED) <jan.kiszka@siemens.com>
>> Gesendet: Mittwoch, 19. Oktober 2022 12:58
>> An: Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@siemens.com>; cip-
>> dev@lists.cip-project.org
>> Betreff: Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
>>
>> On 19.10.22 11:21, sven.schultschik@siemens.com wrote:
>>> From: Sven Schultschik <sven.schultschik@siemens.com>
>>>
>>> +MAINTAINER = "Sven Schultschik <sven.schultschik@siemens.com>"
>>> +LICENSE = "BSD-2-Clause-Patent"
>>> +
>>> +inherit dpkg
>>> +
>>> +SRC_URI =
>> "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;destsuff
>> ix=git/edk2;rev=edk2-stable${PV} \
>>> +
>>> +git://github.com/tianocore/edk2-platforms.git;protocol=https;destsuff
>>> +ix=git/edk2-platforms;rev=3b896d1a325686de3942723c42f286090453e37a \
>>
>> - gitsm (see patch 1/7)
>> - please factor out revisions into separate variables
>>
>> Or can we also address the revisions via release tags? The recipe carries a
>> release version number in the end...
>
> I checked and edk2-platforms does not have any tags. In theory you could use always the latest. But then you can't reproduce the builds.
> The version of the recipe is the tag for the edk2 repository, which is already in use
>
Indeed, seems revisions are managed via the tags in edk2 and the
submodule shas there. Or via edk2-edkrepo-manifest (sigh...).
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2022-10-21 6:58 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-19 9:21 [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 2/7] add recipe for for edk2 sven.schultschik
2022-10-19 10:57 ` Jan Kiszka
2022-10-19 13:14 ` AW: " Schultschik, Sven
2022-10-19 13:21 ` Jan Kiszka
2022-10-20 17:59 ` AW: " Schultschik, Sven
2022-10-20 16:24 ` Schultschik, Sven
2022-10-21 6:57 ` Jan Kiszka
2022-10-19 9:21 ` [isar-cip-core][PATCH 3/7] add recipe for trusted firmware a qemu arm64 sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 4/7] add u-boot patch for qemu to support RPMB sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 5/7] add kas files for building qemu secure boot images sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 6/7] enhance start-qemu.sh for arm64 secure boot sven.schultschik
2022-10-19 9:21 ` [isar-cip-core][PATCH 7/7] no merge - manually instructions test " sven.schultschik
2022-10-19 10:44 ` [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64 Jan Kiszka
2022-10-19 10:46 ` Jan Kiszka
2022-10-19 13:05 ` AW: " Schultschik, Sven
2022-10-19 13:14 ` Jan Kiszka
2022-10-19 13:21 ` AW: " Schultschik, Sven
2022-10-19 13:24 ` Jan Kiszka
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.