* [PATCH 0/5] Add optee-os 3.19 recipe
@ 2022-12-21 14:39 emekcan.aras
  2022-12-21 14:39 ` [PATCH 1/5] arm/optee: Move optee-3.18 patches emekcan.aras
                   ` (7 more replies)
  0 siblings, 8 replies; 22+ messages in thread
From: emekcan.aras @ 2022-12-21 14:39 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, Jon.Mason; +Cc: nd, Emekcan Aras

From: Emekcan Aras <emekcan.aras@arm.com>

This patchset adds optee 3.19 recipe and makes necessary configurations
to support optee-os 3.19 on n1sdp.

Emekcan Aras (3):
  arm/optee: support optee 3.19
  arm-bsp/optee-os: Adds 3.19 bbappend
  arm-bsp/optee-os: N1SDP support for optee-os 3.19

Emekcan Aras (2):
  arm/optee: Move optee-3.18 patches
  arm/qemuarm-secureboot: pin optee-os version

 ...d-external-device-tree-base-and-size.patch |  44 ++++
 .../recipes-security/optee/optee-os-n1sdp.inc |   7 +
 .../optee/optee-os_3.19.0.bbappend            |   6 +
 meta-arm/conf/machine/qemuarm-secureboot.conf |   3 +
 .../conf/machine/qemuarm64-secureboot.conf    |   3 +
 ...-Define-section-attributes-for-clang.patch |   0
 ...ow-setting-sysroot-for-libgcc-lookup.patch |   0
 ...0007-allow-setting-sysroot-for-clang.patch |   0
 .../0008-no-warn-rwx-segments.patch           |   0
 .../0009-add-z-execstack.patch                |   0
 .../0010-add-note-GNU-stack-section.patch     |   0
 ...-Define-section-attributes-for-clang.patch | 243 ++++++++++++++++++
 ...ow-setting-sysroot-for-libgcc-lookup.patch |  35 +++
 ...0007-allow-setting-sysroot-for-clang.patch |  30 +++
 .../0008-no-warn-rwx-segments.patch           |  38 +++
 .../0009-add-z-execstack.patch                |  94 +++++++
 .../0010-add-note-GNU-stack-section.patch     | 128 +++++++++
 .../recipes-security/optee/optee-os-3_19.inc  |  82 ++++++
 ...-Define-section-attributes-for-clang.patch | 230 +++++++++++++++++
 ...ow-setting-sysroot-for-libgcc-lookup.patch |  35 +++
 ...0007-allow-setting-sysroot-for-clang.patch |  30 +++
 .../0008-no-warn-rwx-segments.patch           |  65 +++++
 .../0009-add-z-execstack.patch                |  94 +++++++
 .../0010-add-note-GNU-stack-section.patch     | 128 +++++++++
 .../recipes-security/optee/optee-os_3.18.0.bb |   2 +
 .../recipes-security/optee/optee-os_3.19.0.bb |   9 +
 26 files changed, 1306 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-security/optee/files/optee-os/n1sdp/0006-plat-n1sdp-add-external-device-tree-base-and-size.patch
 create mode 100644 meta-arm-bsp/recipes-security/optee/optee-os_3.19.0.bbappend
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0001-core-Define-section-attributes-for-clang.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0006-allow-setting-sysroot-for-libgcc-lookup.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0007-allow-setting-sysroot-for-clang.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0008-no-warn-rwx-segments.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0009-add-z-execstack.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0010-add-note-GNU-stack-section.patch (100%)
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0007-allow-setting-sysroot-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0008-no-warn-rwx-segments.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0009-add-z-execstack.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0010-add-note-GNU-stack-section.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3_19.inc
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0001-core-Define-section-attributes-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0007-allow-setting-sysroot-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0008-no-warn-rwx-segments.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0009-add-z-execstack.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0010-add-note-GNU-stack-section.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os_3.19.0.bb

-- 
2.17.1




* [PATCH 1/5] arm/optee: Move optee-3.18 patches
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
@ 2022-12-21 14:39 ` emekcan.aras
  2022-12-21 14:39 ` [PATCH 2/5] arm/optee: support optee 3.19 emekcan.aras
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 22+ messages in thread
From: emekcan.aras @ 2022-12-21 14:39 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, Jon.Mason; +Cc: nd, Emekcan Aras

From: Emekcan Aras <emekcan.aras@arm.com>

Moves optee-3.18 and optee-tadevkit patches into
related directories.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
---
 ...-Define-section-attributes-for-clang.patch |   0
 ...ow-setting-sysroot-for-libgcc-lookup.patch |   0
 ...0007-allow-setting-sysroot-for-clang.patch |   0
 .../0008-no-warn-rwx-segments.patch           |   0
 .../0009-add-z-execstack.patch                |   0
 .../0010-add-note-GNU-stack-section.patch     |   0
 ...-Define-section-attributes-for-clang.patch | 230 ++++++++++++++++++
 ...ow-setting-sysroot-for-libgcc-lookup.patch |  35 +++
 ...0007-allow-setting-sysroot-for-clang.patch |  30 +++
 .../0008-no-warn-rwx-segments.patch           |  65 +++++
 .../0009-add-z-execstack.patch                |  94 +++++++
 .../0010-add-note-GNU-stack-section.patch     | 128 ++++++++++
 .../recipes-security/optee/optee-os_3.18.0.bb |   2 +
 13 files changed, 584 insertions(+)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0001-core-Define-section-attributes-for-clang.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0006-allow-setting-sysroot-for-libgcc-lookup.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0007-allow-setting-sysroot-for-clang.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0008-no-warn-rwx-segments.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0009-add-z-execstack.patch (100%)
 rename meta-arm/recipes-security/optee/{optee-os => optee-os-3.18.0}/0010-add-note-GNU-stack-section.patch (100%)
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0001-core-Define-section-attributes-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0007-allow-setting-sysroot-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0008-no-warn-rwx-segments.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0009-add-z-execstack.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0010-add-note-GNU-stack-section.patch

diff --git a/meta-arm/recipes-security/optee/optee-os/0001-core-Define-section-attributes-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-3.18.0/0001-core-Define-section-attributes-for-clang.patch
similarity index 100%
rename from meta-arm/recipes-security/optee/optee-os/0001-core-Define-section-attributes-for-clang.patch
rename to meta-arm/recipes-security/optee/optee-os-3.18.0/0001-core-Define-section-attributes-for-clang.patch
diff --git a/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/recipes-security/optee/optee-os-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
similarity index 100%
rename from meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch
rename to meta-arm/recipes-security/optee/optee-os-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
diff --git a/meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-3.18.0/0007-allow-setting-sysroot-for-clang.patch
similarity index 100%
rename from meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch
rename to meta-arm/recipes-security/optee/optee-os-3.18.0/0007-allow-setting-sysroot-for-clang.patch
diff --git a/meta-arm/recipes-security/optee/optee-os/0008-no-warn-rwx-segments.patch b/meta-arm/recipes-security/optee/optee-os-3.18.0/0008-no-warn-rwx-segments.patch
similarity index 100%
rename from meta-arm/recipes-security/optee/optee-os/0008-no-warn-rwx-segments.patch
rename to meta-arm/recipes-security/optee/optee-os-3.18.0/0008-no-warn-rwx-segments.patch
diff --git a/meta-arm/recipes-security/optee/optee-os/0009-add-z-execstack.patch b/meta-arm/recipes-security/optee/optee-os-3.18.0/0009-add-z-execstack.patch
similarity index 100%
rename from meta-arm/recipes-security/optee/optee-os/0009-add-z-execstack.patch
rename to meta-arm/recipes-security/optee/optee-os-3.18.0/0009-add-z-execstack.patch
diff --git a/meta-arm/recipes-security/optee/optee-os/0010-add-note-GNU-stack-section.patch b/meta-arm/recipes-security/optee/optee-os-3.18.0/0010-add-note-GNU-stack-section.patch
similarity index 100%
rename from meta-arm/recipes-security/optee/optee-os/0010-add-note-GNU-stack-section.patch
rename to meta-arm/recipes-security/optee/optee-os-3.18.0/0010-add-note-GNU-stack-section.patch
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0001-core-Define-section-attributes-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0001-core-Define-section-attributes-for-clang.patch
new file mode 100644
index 00000000..a69d7776
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0001-core-Define-section-attributes-for-clang.patch
@@ -0,0 +1,230 @@
+From f189457b79989543f65b8a4e8729eff2cdf9a758 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 13 Aug 2022 19:24:55 -0700
+Subject: [PATCH] core: Define section attributes for clang
+
+Clang's attribute section is not same as gcc, here we need to add flags
+to sections so they can be eventually collected by linker into final
+output segments. Only way to do so with clang is to use
+
+pragma clang section ...
+
+The behavious is described here [1], this allows us to define names bss
+sections. This was not an issue until clang-15 where LLD linker starts
+to detect the section flags before merging them and throws the following
+errors
+
+| ld.lld: error: section type mismatch for .nozi.kdata_page
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+|
+| ld.lld: error: section type mismatch for .nozi.mmu.l2
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+
+These sections should be carrying SHT_NOBITS but so far it was not
+possible to do so, this patch tries to use clangs pragma to get this
+going and match the functionality with gcc.
+
+[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ core/arch/arm/kernel/thread.c    | 19 +++++++++++++++--
+ core/arch/arm/mm/core_mmu_lpae.c | 35 ++++++++++++++++++++++++++++----
+ core/arch/arm/mm/pgt_cache.c     | 12 ++++++++++-
+ core/kernel/thread.c             | 13 +++++++++++-
+ 4 files changed, 71 insertions(+), 8 deletions(-)
+
+--- a/core/arch/arm/kernel/thread.c
++++ b/core/arch/arm/kernel/thread.c
+@@ -44,16 +44,31 @@ static size_t thread_user_kcode_size __n
+ #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
+ 	defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
+ long thread_user_kdata_sp_offset __nex_bss;
++#ifdef __clang__
++#ifndef CFG_VIRTUALIZATION
++#pragma clang section bss=".nozi.kdata_page"
++#else
++#pragma clang section bss=".nex_nozi.kdata_page"
++#endif
++#endif
+ static uint8_t thread_user_kdata_page[
+ 	ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
+ 		SMALL_PAGE_SIZE)]
+ 	__aligned(SMALL_PAGE_SIZE)
++#ifndef __clang__
+ #ifndef CFG_VIRTUALIZATION
+-	__section(".nozi.kdata_page");
++	__section(".nozi.kdata_page")
+ #else
+-	__section(".nex_nozi.kdata_page");
++	__section(".nex_nozi.kdata_page")
+ #endif
+ #endif
++    ;
++#endif
++
++/* reset BSS section to default ( .bss ) */
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ #ifdef ARM32
+ uint32_t __nostackcheck thread_get_exceptions(void)
+--- a/core/arch/arm/mm/core_mmu_lpae.c
++++ b/core/arch/arm/mm/core_mmu_lpae.c
+@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
+ typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
+ typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.base_table"
++#endif
+ static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
+ 	__aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
+-	__section(".nozi.mmu.base_table");
++#ifndef __clang__
++	__section(".nozi.mmu.base_table")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
+-	__aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
++	__aligned(XLAT_TABLE_SIZE)
++#ifndef __clang__
++	__section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ #define XLAT_TABLES_SIZE	(sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ /* MMU L2 table for TAs, one for each thread */
+ static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
+-	__aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
+-
++#ifndef __clang__
++	__aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ /*
+  * TAs page table entry inside a level 1 page table.
+  *
+--- a/core/arch/arm/mm/pgt_cache.c
++++ b/core/arch/arm/mm/pgt_cache.c
+@@ -104,8 +104,18 @@ void pgt_init(void)
+ 	 * has a large alignment, while .bss has a small alignment. The current
+ 	 * link script is optimized for small alignment in .bss
+ 	 */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ 	static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+-			__aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++			__aligned(PGT_SIZE)
++#ifndef __clang__
++			__section(".nozi.pgt_cache")
++#endif
++			;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 	size_t n;
+ 
+ 	for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -37,13 +37,24 @@ struct thread_core_local thread_core_loc
+ 	name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+ 
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
++		__attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+ 		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+ 			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
+ 		__attribute__((section(".nozi_stack." # name), \
+ 			       aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+ 
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE,
+--- a/core/arch/arm/mm/core_mmu_v7.c
++++ b/core/arch/arm/mm/core_mmu_v7.c
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_EN
+ typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
+ typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l1"
++#endif
+ static l1_xlat_tbl_t main_mmu_l1_ttb
+-		__aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
++		__aligned(L1_ALIGNMENT)
++#ifndef __clang__
++       __section(".nozi.mmu.l1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ /* L2 MMU tables */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
+-		__aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
++		__aligned(L2_ALIGNMENT)
++#ifndef __clang__
++       __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ /* MMU L1 table for TAs, one for each thread */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.ul1"
++#endif
+ static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
+-		__aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
++		__aligned(UL1_ALIGNMENT)
++#ifndef __clang__
++       __section(".nozi.mmu.ul1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ struct mmu_partition {
+ 	l1_xlat_tbl_t *l1_table;
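Review bot: in the core_mmu_lpae.c part, the `#ifndef __clang__` around `xlat_tables_ul1` encloses `__aligned(XLAT_TABLE_SIZE)` as well as `__section(".nozi.mmu.l2")`, so a clang build drops the alignment on that translation table, unlike `xlat_tables` just above it where only `__section` is guarded; move `__aligned(XLAT_TABLE_SIZE)` outside the guard. In pgt_cache.c the clang pragma names `bss=".nozi.mmu.l2"` while the gcc path keeps `__section(".nozi.pgt_cache")`, so the two compilers put `pgt_tables` in different sections; the pragma should name `.nozi.pgt_cache`. The embedded diffstat lists 4 files, but the body also changes core/arch/arm/mm/core_mmu_v7.c, so the header should be regenerated.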
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
new file mode 100644
index 00000000..ab4a6dbc
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
@@ -0,0 +1,35 @@
+From 528aeb42652a3159c1bfd51d6c1442c3ff27b84c Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 26 May 2020 14:38:02 -0500
+Subject: [PATCH] allow setting sysroot for libgcc lookup
+
+Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching
+for the compiler libraries as there's no easy way to reliably pass --sysroot
+otherwise.
+
+Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+---
+ mk/gcc.mk | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mk/gcc.mk b/mk/gcc.mk
+index adc77a24..81bfa78a 100644
+--- a/mk/gcc.mk
++++ b/mk/gcc.mk
+@@ -13,11 +13,11 @@ nostdinc$(sm)	:= -nostdinc -isystem $(shell $(CC$(sm)) \
+ 			-print-file-name=include 2> /dev/null)
+ 
+ # Get location of libgcc from gcc
+-libgcc$(sm)  	:= $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm)  	:= $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ 			-print-libgcc-file-name 2> /dev/null)
+-libstdc++$(sm)	:= $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libstdc++$(sm)	:= $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ 			-print-file-name=libstdc++.a 2> /dev/null)
+-libgcc_eh$(sm)	:= $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libgcc_eh$(sm)	:= $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ 			-print-file-name=libgcc_eh.a 2> /dev/null)
+ 
+ # Define these to something to discover accidental use
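Review bot: the commit message says the 3.18 and tadevkit patches are moved, but this file and the other five under optee-os-tadevkit-3.18.0 arrive as `new file mode 100644` additions, while the same-named files are renamed into optee-os-3.18.0 earlier in this patch. That leaves two copies of each patch to keep in step; either say in the commit message that the tadevkit set is a copy, or have both recipes take the patches from one directory. In the embedded message, "the new variable LIBGCC_LOCATE_CFLAGS variable" repeats a word.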
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0007-allow-setting-sysroot-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0007-allow-setting-sysroot-for-clang.patch
new file mode 100644
index 00000000..067ba6eb
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0007-allow-setting-sysroot-for-clang.patch
@@ -0,0 +1,30 @@
+From db9e44af75c7cfd3316cab15aaa387383df3e57e Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+
+---
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index c141a3f2..7d067cc0 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+ 
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm)	:= $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm)	:= $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ 			-rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+ 
+ # Core ASLR relies on the executable being ready to run from its preferred load
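Review bot: the embedded commit message names the variable `LIBGCC_LOCATE_CFLAG`, but the changed line in mk/clang.mk passes `$(LIBGCC_LOCATE_CFLAGS)`; correct the message so that a search for the variable name finds this patch. "ammended" in the same paragraph should read "amended".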
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0008-no-warn-rwx-segments.patch b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0008-no-warn-rwx-segments.patch
new file mode 100644
index 00000000..6d48a760
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0008-no-warn-rwx-segments.patch
@@ -0,0 +1,65 @@
+From cf2a2451f4e9300532d677bb3a8315494a3b3a82 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH] core: link: add --no-warn-rwx-segments
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+
+---
+ core/arch/arm/kernel/link.mk | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 7eed333a..c39d43cb 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -31,6 +31,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+ 
+ link-ldadd  = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -55,6 +56,7 @@ link-script-cppflags := \
+ 		$(cppflagscore))
+ 
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++		   $(call ld-option,--no-warn-rwx-segments) \
+ 		   $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -67,7 +69,8 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ 	$(q)$(NMcore) $< | \
+ 		$(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+ 
+-unpaged-ldargs = -T $(link-script-dummy) --no-check-sections --gc-sections
++unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++		 $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -95,7 +98,8 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ 	$(q)$(NMcore) $< | \
+ 		$(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+ 
+-init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections
++init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++	       $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
+ 	      $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
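Review bot: the third embedded hunk in core/arch/arm/kernel/link.mk changes `unpaged-ldargs =` to `unpaged-ldargs :=` as well as appending `$(call ld-option,--no-warn-rwx-segments)`, and the commit message does not mention the switch to immediate expansion; confirm it matches the change in the referenced upstream pull request and note it in the message. Since `--fatal-warnings` stays on `link-ldflags` and the new option hides a warning about segments that are both writable and executable, the message's rationale (the ELF segment information is not used to set memory permissions) would be worth carrying as a comment next to the flag.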
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0009-add-z-execstack.patch b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0009-add-z-execstack.patch
new file mode 100644
index 00000000..3ba6c4ef
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0009-add-z-execstack.patch
@@ -0,0 +1,94 @@
+From ea932656461865ab9ac4036245c756c082aeb3e1 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Tue, 23 Aug 2022 11:41:00 +0000
+Subject: [PATCH] core, ldelf: link: add -z execstack
+
+When building for arm32 with GNU binutils 2.39, the linker outputs
+warnings when generating some TEE core binaries (all_obj.o, init.o,
+unpaged.o and tee.elf) as well as ldelf.elf:
+
+ arm-poky-linux-gnueabi-ld.bfd: warning: atomic_a32.o: missing .note.GNU-stack section implies executable stack
+ arm-poky-linux-gnueabi-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+
+The permissions used when mapping the TEE core stacks do not depend on
+any metadata found in the ELF file. Similarly when the TEE core loads
+ldelf it already creates a non-executable stack regardless of ELF
+information. Therefore we can safely ignore the warnings. This is done
+by adding the '-z execstack' option.
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
+
+---
+ core/arch/arm/kernel/link.mk | 13 +++++++++----
+ ldelf/link.mk                |  3 +++
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index c39d43cb..0e96e606 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -9,6 +9,11 @@ link-script-dep = $(link-out-dir)/.kern.ld.d
+ 
+ AWK	 = awk
+ 
++link-ldflags-common += $(call ld-option,--no-warn-rwx-segments)
++ifeq ($(CFG_ARM32_core),y)
++link-ldflags-common += $(call ld-option,--no-warn-execstack)
++endif
++
+ link-ldflags  = $(LDFLAGS)
+ ifeq ($(CFG_CORE_ASLR),y)
+ link-ldflags += -pie -Bsymbolic -z norelro $(ldflag-apply-dynamic-relocs)
+@@ -31,7 +36,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+-link-ldflags += $(call ld-option,--no-warn-rwx-segments)
++link-ldflags += $(link-ldflags-common)
+ 
+ link-ldadd  = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -56,7 +61,7 @@ link-script-cppflags := \
+ 		$(cppflagscore))
+ 
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
+-		   $(call ld-option,--no-warn-rwx-segments) \
++		   $(link-ldflags-common) \
+ 		   $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -70,7 +75,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ 		$(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+ 
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-		 $(call ld-option,--no-warn-rwx-segments)
++		 $(link-ldflags-common)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -99,7 +104,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ 		$(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+ 
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-	       $(call ld-option,--no-warn-rwx-segments)
++	       $(link-ldflags-common)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
+ 	      $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
+diff --git a/ldelf/link.mk b/ldelf/link.mk
+index 64c8212a..bd49551e 100644
+--- a/ldelf/link.mk
++++ b/ldelf/link.mk
+@@ -20,6 +20,9 @@ link-ldflags += -z max-page-size=4096 # OP-TEE always uses 4K alignment
+ ifeq ($(CFG_CORE_BTI),y)
+ link-ldflags += $(call ld-option,-z force-bti) --fatal-warnings
+ endif
++ifeq ($(CFG_ARM32_$(sm)), y)
++link-ldflags += $(call ld-option,--no-warn-execstack)
++endif
+ link-ldflags += $(link-ldflags$(sm))
+ 
+ link-ldadd  = $(addprefix -L,$(libdirs))
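Review bot: the file name and Subject say `-z execstack`, and the message ends with "This is done by adding the '-z execstack' option", but the lines added to core/arch/arm/kernel/link.mk and ldelf/link.mk pass `--no-warn-execstack`. The two options differ (one requests an executable stack, the other only suppresses the linker warning), so the header should describe the option that is actually applied. The new conditional in ldelf/link.mk is written `ifeq ($(CFG_ARM32_$(sm)), y)` with a space after the comma, unlike `ifeq ($(CFG_ARM32_core),y)` in the other file; use one form in both.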
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0010-add-note-GNU-stack-section.patch b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0010-add-note-GNU-stack-section.patch
new file mode 100644
index 00000000..4ea65d88
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit-3.18.0/0010-add-note-GNU-stack-section.patch
@@ -0,0 +1,128 @@
+From ec30e84671aac9a2e9549754eb7bc6201728db4c Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Tue, 23 Aug 2022 12:31:46 +0000
+Subject: [PATCH] arm32: libutils, libutee, ta: add .note.GNU-stack section to
+
+ .S files
+
+When building for arm32 with GNU binutils 2.39, the linker outputs
+warnings when linking Trusted Applications:
+
+ arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack
+ arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+
+We could silence the warning by adding the '-z execstack' option to the
+TA link flags, like we did in the parent commit for the TEE core and
+ldelf. Indeed, ldelf always allocates a non-executable piece of memory
+for the TA to use as a stack.
+
+However it seems preferable to comply with the common ELF practices in
+this case. A better fix is therefore to add the missing .note.GNU-stack
+sections in the assembler files.
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
+
+---
+ lib/libutee/arch/arm/utee_syscalls_a32.S             | 2 ++
+ lib/libutils/ext/arch/arm/atomic_a32.S               | 2 ++
+ lib/libutils/ext/arch/arm/mcount_a32.S               | 2 ++
+ lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S  | 2 ++
+ lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++
+ lib/libutils/isoc/arch/arm/setjmp_a32.S              | 2 ++
+ ta/arch/arm/ta_entry_a32.S                           | 2 ++
+ 7 files changed, 14 insertions(+)
+
+diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S
+index 6e621ca6..af405f62 100644
+--- a/lib/libutee/arch/arm/utee_syscalls_a32.S
++++ b/lib/libutee/arch/arm/utee_syscalls_a32.S
+@@ -7,6 +7,8 @@
+ #include <tee_syscall_numbers.h>
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+         .section .text
+         .balign 4
+         .code 32
+diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S
+index eaef6914..2be73ffa 100644
+--- a/lib/libutils/ext/arch/arm/atomic_a32.S
++++ b/lib/libutils/ext/arch/arm/atomic_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /* uint32_t atomic_inc32(uint32_t *v); */
+ FUNC atomic_inc32 , :
+ 	ldrex	r1, [r0]
+diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S
+index 51439a23..54dc3c02 100644
+--- a/lib/libutils/ext/arch/arm/mcount_a32.S
++++ b/lib/libutils/ext/arch/arm/mcount_a32.S
+@@ -7,6 +7,8 @@
+ 
+ #if defined(CFG_TA_GPROF_SUPPORT) || defined(CFG_FTRACE_SUPPORT)
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * Convert return address to call site address by subtracting the size of the
+  * mcount call instruction (blx __gnu_mcount_nc).
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+index a600c879..37ae9ec6 100644
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * signed ret_idivmod_values(signed quot, signed rem);
+  * return quotient and remaining the EABI way (regs r0,r1)
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+index 2dc50bc9..5c3353e2 100644
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d)
+  */
+diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+index 43ea5937..f8a0b70d 100644
+--- a/lib/libutils/isoc/arch/arm/setjmp_a32.S
++++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+@@ -51,6 +51,8 @@
+ #define SIZE(x)
+ #endif
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /* Arm/Thumb interworking support:
+ 
+    The interworking scheme expects functions to use a BX instruction
+diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S
+index d2f8a69d..cd9a12f9 100644
+--- a/ta/arch/arm/ta_entry_a32.S
++++ b/ta/arch/arm/ta_entry_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * This function is the bottom of the user call stack. Mark it as such so that
+  * the unwinding code won't try to go further down.
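Review bot: In mcount_a32.S the new `.section .note.GNU-stack,"",%progbits` line sits inside the `#if defined(CFG_TA_GPROF_SUPPORT) || defined(CFG_FTRACE_SUPPORT)` block, so with both options off the object is still assembled without the note. Every other file in this patch emits it unconditionally; move the directive above the `#if` so mcount_a32.o is marked non-executable-stack in all configurations.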
diff --git a/meta-arm/recipes-security/optee/optee-os_3.18.0.bb b/meta-arm/recipes-security/optee/optee-os_3.18.0.bb
index 59e58ed3..31da5ded 100644
--- a/meta-arm/recipes-security/optee/optee-os_3.18.0.bb
+++ b/meta-arm/recipes-security/optee/optee-os_3.18.0.bb
@@ -2,6 +2,8 @@ require optee-os.inc
 
 DEPENDS += "dtc-native"
 
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}-3.18.0:"
+
 SRCREV = "1ee647035939e073a2e8dddb727c0f019cc035f1"
 SRC_URI:append = " \
     file://0001-core-Define-section-attributes-for-clang.patch \
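Review bot: The added `FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}-3.18.0:"` uses `${PN}`, which changes under multilib or class extension and then points at a directory that does not exist; `${BPN}` is the stable choice. For a recipe named optee-os_3.18.0.bb the directory optee-os-3.18.0 is already on the default FILESPATH through `${BP}`, so the line may not be needed at all. Patch 2/5 uses yet another spelling (`optee-os-3_19`) for the same purpose, so pick one convention for both versions.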
-- 
2.17.1




* [PATCH 2/5] arm/optee: support optee 3.19
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
  2022-12-21 14:39 ` [PATCH 1/5] arm/optee: Move optee-3.18 patches emekcan.aras
@ 2022-12-21 14:39 ` emekcan.aras
  2023-01-05 15:30   ` Ross Burton
  2023-01-12 17:58   ` [meta-arm] " Denys Dmytriyenko
  2022-12-21 14:39 ` [PATCH 3/5] arm-bsp/optee-os: Adds 3.19 bbappend emekcan.aras
                   ` (5 subsequent siblings)
  7 siblings, 2 replies; 22+ messages in thread
From: emekcan.aras @ 2022-12-21 14:39 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, Jon.Mason; +Cc: nd, Emekcan Aras

From: Emekcan Aras <emekcan.aras@arm.com>

From: Emekcan <emekcan.aras@arm.com>

This commit adds a recipe to support optee-os 3.19.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
---
 ...-Define-section-attributes-for-clang.patch | 230 ++++++++++++++++++
 ...ow-setting-sysroot-for-libgcc-lookup.patch |  35 +++
 ...0007-allow-setting-sysroot-for-clang.patch |  30 +++
 .../0008-no-warn-rwx-segments.patch           |  38 +++
 .../0009-add-z-execstack.patch                |  94 +++++++
 .../0010-add-note-GNU-stack-section.patch     | 128 ++++++++++
 .../recipes-security/optee/optee-os-3_19.inc  |  82 +++++++
 .../recipes-security/optee/optee-os_3.19.0.bb |   5 +
 8 files changed, 642 insertions(+)
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0007-allow-setting-sysroot-for-clang.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0008-no-warn-rwx-segments.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0009-add-z-execstack.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3.19.0/0010-add-note-GNU-stack-section.patch
 create mode 100644 meta-arm/recipes-security/optee/optee-os-3_19.inc
 create mode 100644 meta-arm/recipes-security/optee/optee-os_3.19.0.bb

diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
new file mode 100644
index 00000000..a69d7776
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
@@ -0,0 +1,230 @@
+From f189457b79989543f65b8a4e8729eff2cdf9a758 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 13 Aug 2022 19:24:55 -0700
+Subject: [PATCH] core: Define section attributes for clang
+
+Clang's attribute section is not same as gcc, here we need to add flags
+to sections so they can be eventually collected by linker into final
+output segments. Only way to do so with clang is to use
+
+pragma clang section ...
+
+The behavious is described here [1], this allows us to define names bss
+sections. This was not an issue until clang-15 where LLD linker starts
+to detect the section flags before merging them and throws the following
+errors
+
+| ld.lld: error: section type mismatch for .nozi.kdata_page
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+|
+| ld.lld: error: section type mismatch for .nozi.mmu.l2
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+
+These sections should be carrying SHT_NOBITS but so far it was not
+possible to do so, this patch tries to use clangs pragma to get this
+going and match the functionality with gcc.
+
+[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ core/arch/arm/kernel/thread.c    | 19 +++++++++++++++--
+ core/arch/arm/mm/core_mmu_lpae.c | 35 ++++++++++++++++++++++++++++----
+ core/arch/arm/mm/pgt_cache.c     | 12 ++++++++++-
+ core/kernel/thread.c             | 13 +++++++++++-
+ 4 files changed, 71 insertions(+), 8 deletions(-)
+
+--- a/core/arch/arm/kernel/thread.c
++++ b/core/arch/arm/kernel/thread.c
+@@ -44,16 +44,31 @@ static size_t thread_user_kcode_size __n
+ #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
+ 	defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
+ long thread_user_kdata_sp_offset __nex_bss;
++#ifdef __clang__
++#ifndef CFG_VIRTUALIZATION
++#pragma clang section bss=".nozi.kdata_page"
++#else
++#pragma clang section bss=".nex_nozi.kdata_page"
++#endif
++#endif
+ static uint8_t thread_user_kdata_page[
+ 	ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
+ 		SMALL_PAGE_SIZE)]
+ 	__aligned(SMALL_PAGE_SIZE)
++#ifndef __clang__
+ #ifndef CFG_VIRTUALIZATION
+-	__section(".nozi.kdata_page");
++	__section(".nozi.kdata_page")
+ #else
+-	__section(".nex_nozi.kdata_page");
++	__section(".nex_nozi.kdata_page")
+ #endif
+ #endif
++    ;
++#endif
++
++/* reset BSS section to default ( .bss ) */
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ #ifdef ARM32
+ uint32_t __nostackcheck thread_get_exceptions(void)
+--- a/core/arch/arm/mm/core_mmu_lpae.c
++++ b/core/arch/arm/mm/core_mmu_lpae.c
+@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
+ typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
+ typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.base_table"
++#endif
+ static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
+ 	__aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
+-	__section(".nozi.mmu.base_table");
++#ifndef __clang__
++	__section(".nozi.mmu.base_table")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
+-	__aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
++	__aligned(XLAT_TABLE_SIZE)
++#ifndef __clang__
++	__section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ #define XLAT_TABLES_SIZE	(sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ /* MMU L2 table for TAs, one for each thread */
+ static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
+-	__aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
+-
++#ifndef __clang__
++	__aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ /*
+  * TAs page table entry inside a level 1 page table.
+  *
+--- a/core/arch/arm/mm/pgt_cache.c
++++ b/core/arch/arm/mm/pgt_cache.c
+@@ -104,8 +104,18 @@ void pgt_init(void)
+ 	 * has a large alignment, while .bss has a small alignment. The current
+ 	 * link script is optimized for small alignment in .bss
+ 	 */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ 	static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+-			__aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++			__aligned(PGT_SIZE)
++#ifndef __clang__
++			__section(".nozi.pgt_cache")
++#endif
++			;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 	size_t n;
+ 
+ 	for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -37,13 +37,24 @@ struct thread_core_local thread_core_loc
+ 	name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+ 
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
++		__attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+ 		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+ 			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
+ 		__attribute__((section(".nozi_stack." # name), \
+ 			       aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+ 
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE,
+--- a/core/arch/arm/mm/core_mmu_v7.c
++++ b/core/arch/arm/mm/core_mmu_v7.c
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_EN
+ typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
+ typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
+ 
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l1"
++#endif
+ static l1_xlat_tbl_t main_mmu_l1_ttb
+-		__aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
++		__aligned(L1_ALIGNMENT)
++#ifndef __clang__
++       __section(".nozi.mmu.l1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ /* L2 MMU tables */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
+-		__aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
++		__aligned(L2_ALIGNMENT)
++#ifndef __clang__
++       __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ /* MMU L1 table for TAs, one for each thread */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.ul1"
++#endif
+ static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
+-		__aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
++		__aligned(UL1_ALIGNMENT)
++#ifndef __clang__
++       __section(".nozi.mmu.ul1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 
+ struct mmu_partition {
+ 	l1_xlat_tbl_t *l1_table;
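Review bot: In the core_mmu_lpae.c part, the `xlat_tables_ul1` declaration moves `__aligned(XLAT_TABLE_SIZE)` inside the `#ifndef __clang__` block together with `__section(".nozi.mmu.l2")`, so a clang build drops the alignment of the per-thread translation tables; every other array in this patch keeps `__aligned` outside the guard, and this one should too. In pgt_cache.c the clang pragma selects `bss=".nozi.mmu.l2"` while the GCC path keeps `__section(".nozi.pgt_cache")`, so the two compilers place `pgt_tables` in different sections; the pragma should name `.nozi.pgt_cache`. The embedded diffstat lists four files, but the patch also carries a core_mmu_v7.c section, so it is worth regenerating.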
diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
new file mode 100644
index 00000000..ab4a6dbc
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0006-allow-setting-sysroot-for-libgcc-lookup.patch
@@ -0,0 +1,35 @@
+From 528aeb42652a3159c1bfd51d6c1442c3ff27b84c Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 26 May 2020 14:38:02 -0500
+Subject: [PATCH] allow setting sysroot for libgcc lookup
+
+Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching
+for the compiler libraries as there's no easy way to reliably pass --sysroot
+otherwise.
+
+Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+---
+ mk/gcc.mk | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mk/gcc.mk b/mk/gcc.mk
+index adc77a24..81bfa78a 100644
+--- a/mk/gcc.mk
++++ b/mk/gcc.mk
+@@ -13,11 +13,11 @@ nostdinc$(sm)	:= -nostdinc -isystem $(shell $(CC$(sm)) \
+ 			-print-file-name=include 2> /dev/null)
+ 
+ # Get location of libgcc from gcc
+-libgcc$(sm)  	:= $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm)  	:= $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ 			-print-libgcc-file-name 2> /dev/null)
+-libstdc++$(sm)	:= $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libstdc++$(sm)	:= $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ 			-print-file-name=libstdc++.a 2> /dev/null)
+-libgcc_eh$(sm)	:= $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libgcc_eh$(sm)	:= $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ 			-print-file-name=libgcc_eh.a 2> /dev/null)
+ 
+ # Define these to something to discover accidental use
diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0007-allow-setting-sysroot-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0007-allow-setting-sysroot-for-clang.patch
new file mode 100644
index 00000000..067ba6eb
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0007-allow-setting-sysroot-for-clang.patch
@@ -0,0 +1,30 @@
+From db9e44af75c7cfd3316cab15aaa387383df3e57e Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+
+---
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index c141a3f2..7d067cc0 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+ 
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm)	:= $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm)	:= $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ 			-rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+ 
+ # Core ASLR relies on the executable being ready to run from its preferred load
diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0008-no-warn-rwx-segments.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0008-no-warn-rwx-segments.patch
new file mode 100644
index 00000000..2dc797b3
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0008-no-warn-rwx-segments.patch
@@ -0,0 +1,38 @@
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 0e96e606c..3fbcb6804 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -37,6 +37,7 @@ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+ link-ldflags += $(link-ldflags-common)
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+ 
+ link-ldadd  = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -61,6 +62,7 @@ link-script-cppflags := \
+ 		$(cppflagscore))
+ 
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++		   $(call ld-option,--no-warn-rwx-segments) \
+ 		   $(link-ldflags-common) \
+ 		   $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+@@ -75,7 +77,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ 		$(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+ 
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-		 $(link-ldflags-common)
++		 $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -104,7 +106,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ 		$(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+ 
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-	       $(link-ldflags-common)
++	       $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
+ 	      $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
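Review bot: This patch file starts directly at `diff --git` with no From/Subject header, no Signed-off-by and no Upstream-Status tag, unlike the other patches added in this directory; please add them. The changed lines also append `$(call ld-option,--no-warn-rwx-segments)` right next to `$(link-ldflags-common)`, and 0009 in this same directory already adds that option to `link-ldflags-common`, so the header should say why the flag has to be passed a second time or the patch should be dropped.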
diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0009-add-z-execstack.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0009-add-z-execstack.patch
new file mode 100644
index 00000000..3ba6c4ef
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0009-add-z-execstack.patch
@@ -0,0 +1,94 @@
+From ea932656461865ab9ac4036245c756c082aeb3e1 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Tue, 23 Aug 2022 11:41:00 +0000
+Subject: [PATCH] core, ldelf: link: add -z execstack
+
+When building for arm32 with GNU binutils 2.39, the linker outputs
+warnings when generating some TEE core binaries (all_obj.o, init.o,
+unpaged.o and tee.elf) as well as ldelf.elf:
+
+ arm-poky-linux-gnueabi-ld.bfd: warning: atomic_a32.o: missing .note.GNU-stack section implies executable stack
+ arm-poky-linux-gnueabi-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+
+The permissions used when mapping the TEE core stacks do not depend on
+any metadata found in the ELF file. Similarly when the TEE core loads
+ldelf it already creates a non-executable stack regardless of ELF
+information. Therefore we can safely ignore the warnings. This is done
+by adding the '-z execstack' option.
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
+
+---
+ core/arch/arm/kernel/link.mk | 13 +++++++++----
+ ldelf/link.mk                |  3 +++
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index c39d43cb..0e96e606 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -9,6 +9,11 @@ link-script-dep = $(link-out-dir)/.kern.ld.d
+ 
+ AWK	 = awk
+ 
++link-ldflags-common += $(call ld-option,--no-warn-rwx-segments)
++ifeq ($(CFG_ARM32_core),y)
++link-ldflags-common += $(call ld-option,--no-warn-execstack)
++endif
++
+ link-ldflags  = $(LDFLAGS)
+ ifeq ($(CFG_CORE_ASLR),y)
+ link-ldflags += -pie -Bsymbolic -z norelro $(ldflag-apply-dynamic-relocs)
+@@ -31,7 +36,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+-link-ldflags += $(call ld-option,--no-warn-rwx-segments)
++link-ldflags += $(link-ldflags-common)
+ 
+ link-ldadd  = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -56,7 +61,7 @@ link-script-cppflags := \
+ 		$(cppflagscore))
+ 
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
+-		   $(call ld-option,--no-warn-rwx-segments) \
++		   $(link-ldflags-common) \
+ 		   $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -70,7 +75,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ 		$(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+ 
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-		 $(call ld-option,--no-warn-rwx-segments)
++		 $(link-ldflags-common)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -99,7 +104,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ 		$(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+ 
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-	       $(call ld-option,--no-warn-rwx-segments)
++	       $(link-ldflags-common)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
+ 	      $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
+diff --git a/ldelf/link.mk b/ldelf/link.mk
+index 64c8212a..bd49551e 100644
+--- a/ldelf/link.mk
++++ b/ldelf/link.mk
+@@ -20,6 +20,9 @@ link-ldflags += -z max-page-size=4096 # OP-TEE always uses 4K alignment
+ ifeq ($(CFG_CORE_BTI),y)
+ link-ldflags += $(call ld-option,-z force-bti) --fatal-warnings
+ endif
++ifeq ($(CFG_ARM32_$(sm)), y)
++link-ldflags += $(call ld-option,--no-warn-execstack)
++endif
+ link-ldflags += $(link-ldflags$(sm))
+ 
+ link-ldadd  = $(addprefix -L,$(libdirs))
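Review bot: The subject and the last paragraph of the commit message say the warning is handled by adding '-z execstack', but the hunks add `$(call ld-option,--no-warn-execstack)`. The two are not equivalent (one requests an executable stack in the output, the other only suppresses the diagnostic), so the message should name the option actually used. The core link.mk result blob here (0e96e606) is the base blob of 0008 in the same directory, which means 0008 only applies on a tree that already has this change, yet the 3.19 recipe lists 0008 and not this file; either the 3.19 source already contains it and the file should not be added, or it is missing from SRC_URI.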
diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0010-add-note-GNU-stack-section.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0010-add-note-GNU-stack-section.patch
new file mode 100644
index 00000000..4ea65d88
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0010-add-note-GNU-stack-section.patch
@@ -0,0 +1,128 @@
+From ec30e84671aac9a2e9549754eb7bc6201728db4c Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Tue, 23 Aug 2022 12:31:46 +0000
+Subject: [PATCH] arm32: libutils, libutee, ta: add .note.GNU-stack section to
+
+ .S files
+
+When building for arm32 with GNU binutils 2.39, the linker outputs
+warnings when linking Trusted Applications:
+
+ arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack
+ arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+
+We could silence the warning by adding the '-z execstack' option to the
+TA link flags, like we did in the parent commit for the TEE core and
+ldelf. Indeed, ldelf always allocates a non-executable piece of memory
+for the TA to use as a stack.
+
+However it seems preferable to comply with the common ELF practices in
+this case. A better fix is therefore to add the missing .note.GNU-stack
+sections in the assembler files.
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
+
+---
+ lib/libutee/arch/arm/utee_syscalls_a32.S             | 2 ++
+ lib/libutils/ext/arch/arm/atomic_a32.S               | 2 ++
+ lib/libutils/ext/arch/arm/mcount_a32.S               | 2 ++
+ lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S  | 2 ++
+ lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++
+ lib/libutils/isoc/arch/arm/setjmp_a32.S              | 2 ++
+ ta/arch/arm/ta_entry_a32.S                           | 2 ++
+ 7 files changed, 14 insertions(+)
+
+diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S
+index 6e621ca6..af405f62 100644
+--- a/lib/libutee/arch/arm/utee_syscalls_a32.S
++++ b/lib/libutee/arch/arm/utee_syscalls_a32.S
+@@ -7,6 +7,8 @@
+ #include <tee_syscall_numbers.h>
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+         .section .text
+         .balign 4
+         .code 32
+diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S
+index eaef6914..2be73ffa 100644
+--- a/lib/libutils/ext/arch/arm/atomic_a32.S
++++ b/lib/libutils/ext/arch/arm/atomic_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /* uint32_t atomic_inc32(uint32_t *v); */
+ FUNC atomic_inc32 , :
+ 	ldrex	r1, [r0]
+diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S
+index 51439a23..54dc3c02 100644
+--- a/lib/libutils/ext/arch/arm/mcount_a32.S
++++ b/lib/libutils/ext/arch/arm/mcount_a32.S
+@@ -7,6 +7,8 @@
+ 
+ #if defined(CFG_TA_GPROF_SUPPORT) || defined(CFG_FTRACE_SUPPORT)
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * Convert return address to call site address by subtracting the size of the
+  * mcount call instruction (blx __gnu_mcount_nc).
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+index a600c879..37ae9ec6 100644
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * signed ret_idivmod_values(signed quot, signed rem);
+  * return quotient and remaining the EABI way (regs r0,r1)
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+index 2dc50bc9..5c3353e2 100644
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d)
+  */
+diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+index 43ea5937..f8a0b70d 100644
+--- a/lib/libutils/isoc/arch/arm/setjmp_a32.S
++++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+@@ -51,6 +51,8 @@
+ #define SIZE(x)
+ #endif
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /* Arm/Thumb interworking support:
+ 
+    The interworking scheme expects functions to use a BX instruction
+diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S
+index d2f8a69d..cd9a12f9 100644
+--- a/ta/arch/arm/ta_entry_a32.S
++++ b/ta/arch/arm/ta_entry_a32.S
+@@ -5,6 +5,8 @@
+ 
+ #include <asm.S>
+ 
++	.section .note.GNU-stack,"",%progbits
++
+ /*
+  * This function is the bottom of the user call stack. Mark it as such so that
+  * the unwinding code won't try to go further down.
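Review bot: The `Subject:` header of this embedded patch is split: the line ends at "section to", a blank line follows, and " .S files" comes after it, so the continuation is no longer part of the header and ends up as the first line of the body. Join it back into one Subject line (or a properly folded continuation with no blank line) so the patch keeps its full title when applied or listed.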
diff --git a/meta-arm/recipes-security/optee/optee-os-3_19.inc b/meta-arm/recipes-security/optee/optee-os-3_19.inc
new file mode 100644
index 00000000..8adb6996
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc
@@ -0,0 +1,82 @@
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+
+inherit deploy python3native
+require optee.inc
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3_19:"
+
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
+
+DEPENDS:append:toolchain-clang = " compiler-rt"
+
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+
+SRC_URI:append = " \
+    file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
+    file://0007-allow-setting-sysroot-for-clang.patch \
+    file://0008-no-warn-rwx-segments.patch \
+   "
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += " \
+    PLATFORM=${OPTEEMACHINE} \
+    CFG_${OPTEE_CORE}_core=y \
+    CROSS_COMPILE_core=${HOST_PREFIX} \
+    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+    NOWERROR=1 \
+    ta-targets=ta_${OPTEE_ARCH} \
+    O=${B} \
+"
+EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
+EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
+
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+do_compile:prepend() {
+	PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
+}
+
+do_compile() {
+    oe_runmake -C ${S} all
+}
+do_compile[cleandirs] = "${B}"
+
+do_install() {
+    #install core in firmware
+    install -d ${D}${nonarch_base_libdir}/firmware/
+    install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
+}
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_deploy() {
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee
+    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
+}
+
+addtask deploy before do_build after do_install
+
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
+
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+
+# note: "textrel" is not triggered on all archs
+INSANE_SKIP:${PN} = "textrel"
+# Build paths are currently embedded
+INSANE_SKIP:${PN} += "buildpaths"
+INSANE_SKIP:${PN}-dev = "staticdev"
+INHIBIT_PACKAGE_STRIP = "1"
+
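Review bot: `SRC_URI:append` lists only 0006, 0007 and 0008, while this commit also creates 0001, 0009 and 0010 under optee-os-3.19.0, and optee-os_3.19.0.bb does not add them either, so those three files are shipped but never applied. Either reference them or leave them out of the commit. `FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3_19:"` also names a directory this patch does not create (the files go to optee-os-3.19.0), so the prepend has no effect and should be fixed or removed. In `do_compile:prepend`, `PLAT_LIBGCC_PATH` is assigned as a plain shell variable and nothing in the visible recipe exports or passes it to make; if the build does not consume it, drop the prepend.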
diff --git a/meta-arm/recipes-security/optee/optee-os_3.19.0.bb b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
new file mode 100644
index 00000000..9ad8a148
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
@@ -0,0 +1,5 @@
+require optee-os-3_19.inc
+
+DEPENDS += "dtc-native"
+
+SRCREV = "afacf356f9593a7f83cae9f96026824ec242ff52"
-- 
2.17.1




* [PATCH 3/5] arm-bsp/optee-os: Adds 3.19 bbappend
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
  2022-12-21 14:39 ` [PATCH 1/5] arm/optee: Move optee-3.18 patches emekcan.aras
  2022-12-21 14:39 ` [PATCH 2/5] arm/optee: support optee 3.19 emekcan.aras
@ 2022-12-21 14:39 ` emekcan.aras
  2022-12-21 14:39 ` [PATCH 4/5] arm-bsp/optee-os: N1SDP support for optee-os 3.19 emekcan.aras
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 22+ messages in thread
From: emekcan.aras @ 2022-12-21 14:39 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, Jon.Mason; +Cc: nd, Emekcan Aras

From: Emekcan Aras <emekcan.aras@arm.com>

From: Emekcan <emekcan.aras@arm.com>

This commit adds a bbappend file for the new optee-os 3.19 version.

Signed-off-by: Emekcan <emekcan.aras@arm.com>
---
 .../recipes-security/optee/optee-os_3.19.0.bbappend         | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-security/optee/optee-os_3.19.0.bbappend

diff --git a/meta-arm-bsp/recipes-security/optee/optee-os_3.19.0.bbappend b/meta-arm-bsp/recipes-security/optee/optee-os_3.19.0.bbappend
new file mode 100644
index 00000000..f80e09f8
--- /dev/null
+++ b/meta-arm-bsp/recipes-security/optee/optee-os_3.19.0.bbappend
@@ -0,0 +1,6 @@
+# Machine specific configurations
+
+MACHINE_OPTEE_OS_REQUIRE ?= ""
+MACHINE_OPTEE_OS_REQUIRE:n1sdp = "optee-os-n1sdp.inc"
+
+require ${MACHINE_OPTEE_OS_REQUIRE}
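Review bot: the file is named `optee-os_3.19.0.bbappend`, so it matches only the exact 3.19.0 recipe and will be left dangling by the next recipe rename. If the machine-specific include is meant to follow the 3.19 series, naming it `optee-os_3.19.%.bbappend` avoids that. The single comment line "Machine specific configurations" could also say that `MACHINE_OPTEE_OS_REQUIRE` is the per-machine hook and that only n1sdp sets it here.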
-- 
2.17.1




* [PATCH 4/5] arm-bsp/optee-os: N1SDP support for optee-os 3.19
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
                   ` (2 preceding siblings ...)
  2022-12-21 14:39 ` [PATCH 3/5] arm-bsp/optee-os: Adds 3.19 bbappend emekcan.aras
@ 2022-12-21 14:39 ` emekcan.aras
  2022-12-21 14:39 ` [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version emekcan.aras
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 22+ messages in thread
From: emekcan.aras @ 2022-12-21 14:39 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, Jon.Mason; +Cc: nd, Emekcan Aras

From: Emekcan Aras <emekcan.aras@arm.com>

From: Emekcan <emekcan.aras@arm.com>

Adds build configuration to support optee-os 3.19 for N1SDP.
Also, it patches optee-os to support external DT for N1SDP.

Signed-off-by: Emekcan <emekcan.aras@arm.com>
---
 ...d-external-device-tree-base-and-size.patch |  44 ++++++
 .../recipes-security/optee/optee-os-n1sdp.inc |   7 +
 ...-Define-section-attributes-for-clang.patch | 135 ++++++++++--------
 .../recipes-security/optee/optee-os_3.19.0.bb |   4 +
 4 files changed, 129 insertions(+), 61 deletions(-)
 create mode 100644 meta-arm-bsp/recipes-security/optee/files/optee-os/n1sdp/0006-plat-n1sdp-add-external-device-tree-base-and-size.patch

diff --git a/meta-arm-bsp/recipes-security/optee/files/optee-os/n1sdp/0006-plat-n1sdp-add-external-device-tree-base-and-size.patch b/meta-arm-bsp/recipes-security/optee/files/optee-os/n1sdp/0006-plat-n1sdp-add-external-device-tree-base-and-size.patch
new file mode 100644
index 00000000..74c94e0a
--- /dev/null
+++ b/meta-arm-bsp/recipes-security/optee/files/optee-os/n1sdp/0006-plat-n1sdp-add-external-device-tree-base-and-size.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+
+From 1a9aeedda58228893add545e49d2d6cd4c316b4f Mon Sep 17 00:00:00 2001
+From: Emekcan <emekcan.aras@arm.com>
+Date: Tue, 13 Dec 2022 13:45:06 +0000
+Subject: [PATCH] plat-n1sdp: add external device tree base and size
+
+Adds external device tree address and size. It also
+register this physical memory so optee can read the device tree.
+---
+ core/arch/arm/plat-n1sdp/main.c            | 1 +
+ core/arch/arm/plat-n1sdp/platform_config.h | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/core/arch/arm/plat-n1sdp/main.c b/core/arch/arm/plat-n1sdp/main.c
+index bb951ce6b..ab76f60c6 100644
+--- a/core/arch/arm/plat-n1sdp/main.c
++++ b/core/arch/arm/plat-n1sdp/main.c
+@@ -31,6 +31,7 @@ static struct gic_data gic_data __nex_bss;
+ static struct pl011_data console_data __nex_bss;
+ 
+ register_phys_mem_pgdir(MEM_AREA_IO_SEC, CONSOLE_UART_BASE, PL011_REG_SIZE);
++register_phys_mem_pgdir(MEM_AREA_EXT_DT, EXT_DT_BASE, EXT_DT_SIZE);
+ 
+ register_ddr(DRAM0_BASE, DRAM0_SIZE);
+ register_ddr(DRAM1_BASE, DRAM1_SIZE);
+diff --git a/core/arch/arm/plat-n1sdp/platform_config.h b/core/arch/arm/plat-n1sdp/platform_config.h
+index bf0a3c834..8741a2503 100644
+--- a/core/arch/arm/plat-n1sdp/platform_config.h
++++ b/core/arch/arm/plat-n1sdp/platform_config.h
+@@ -42,6 +42,9 @@
+ #define GICC_BASE		0x2C000000
+ #define GICR_BASE		0x300C0000
+ 
++#define EXT_DT_BASE		0x04001600
++#define EXT_DT_SIZE		0x200
++
+ #ifndef UART_BAUDRATE
+ #define UART_BAUDRATE		115200
+ #endif
+-- 
+2.17.1
+
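Review bot: `EXT_DT_BASE 0x04001600` and `EXT_DT_SIZE 0x200` in platform_config.h are bare constants with no comment on which boot stage places the device tree at that address or why 0x200 bytes is sufficient. Per the commit message OP-TEE reads the device tree from this region, so the values should be documented and checked against what the earlier firmware actually writes there; a blob larger than 0x200 bytes would extend past the range registered with `register_phys_mem_pgdir(MEM_AREA_EXT_DT, ...)`. The embedded patch also carries `Upstream-Status` and `Signed-off-by` above its `From` header instead of in the commit message body, which leaves the commit message itself without a sign-off.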
diff --git a/meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc b/meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc
index 2719e4c0..a40c93dc 100644
--- a/meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc
+++ b/meta-arm-bsp/recipes-security/optee/optee-os-n1sdp.inc
@@ -11,6 +11,7 @@ SRC_URI:append = " \
     file://0003-HACK-disable-instruction-cache-and-data-cache.patch \
     file://0004-Handle-logging-syscall.patch \
     file://0005-plat-n1sdp-register-DRAM1-to-optee-os.patch \
+    file://0006-plat-n1sdp-add-external-device-tree-base-and-size.patch \
     "
 
 EXTRA_OEMAKE += " CFG_TEE_CORE_LOG_LEVEL=4"
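Review bot: the new `0006-plat-n1sdp-add-external-device-tree-base-and-size.patch` entry goes into `optee-os-n1sdp.inc`, which already exists before this series, so every optee-os version that requires this include will try to apply it. Please confirm the patch applies to all of them, or move the entry to a version-specific place such as the 3.19 bbappend.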
@@ -20,3 +21,9 @@ EXTRA_OEMAKE += " CFG_TEE_BENCHMARK=n"
 EXTRA_OEMAKE += " CFG_CORE_SEL1_SPMC=y CFG_CORE_FFA=y"
 
 EXTRA_OEMAKE += " CFG_WITH_SP=y"
+
+EXTRA_OEMAKE += " CFG_DT=y"
+
+EXTRA_OEMAKE += " CFG_SECURE_PARTITION=y"
+
+EXTRA_OEMAKE += " CFG_MAP_EXT_DT_SECURE=y"
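Review bot: the three added flags (`CFG_DT=y`, `CFG_SECURE_PARTITION=y`, `CFG_MAP_EXT_DT_SECURE=y`) come with no comment, and the commit message only says "build configuration". A short comment should state that `CFG_DT` and `CFG_MAP_EXT_DT_SECURE` go with the external device tree mapping added by patch 0006, and why `CFG_SECURE_PARTITION=y` is needed in addition to the `CFG_WITH_SP=y` already set just above. The three one-flag assignments could also be folded into a single `EXTRA_OEMAKE +=` line.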
diff --git a/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch b/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
index a69d7776..a1dc251a 100644
--- a/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
+++ b/meta-arm/recipes-security/optee/optee-os-3.19.0/0001-core-Define-section-attributes-for-clang.patch
@@ -1,7 +1,7 @@
-From f189457b79989543f65b8a4e8729eff2cdf9a758 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 13 Aug 2022 19:24:55 -0700
-Subject: [PATCH] core: Define section attributes for clang
+From ff1b556ac2cd6bbb857a1ac03e0557eb490bc845 Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 21 Dec 2022 10:55:58 +0000
+Subject: [PATCH] [PATCH] core: Define section attributes for clang
 
 Clang's attribute section is not same as gcc, here we need to add flags
 to sections so they can be eventually collected by linker into final
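Review bot: the refreshed patch header replaces `From: Khem Raj <raj.khem@gmail.com>` with `From: Emekcan Aras <emekcan.aras@arm.com>` and doubles the subject prefix to `[PATCH] [PATCH]`, while the `Signed-off-by: Khem Raj` line further down is kept. Rebasing a carried patch should preserve the original author, since the header is the provenance record for code that ends up in the trusted OS. Suggest restoring the original `From:` line, dropping the duplicated `[PATCH]`, and adding your own `Signed-off-by` below the existing one to record the refresh.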
@@ -32,14 +32,17 @@ Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
  core/arch/arm/kernel/thread.c    | 19 +++++++++++++++--
- core/arch/arm/mm/core_mmu_lpae.c | 35 ++++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_v7.c   | 36 +++++++++++++++++++++++++++++---
  core/arch/arm/mm/pgt_cache.c     | 12 ++++++++++-
  core/kernel/thread.c             | 13 +++++++++++-
- 4 files changed, 71 insertions(+), 8 deletions(-)
+ 5 files changed, 104 insertions(+), 11 deletions(-)
 
+diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
+index 05dbbe56..8e6ea034 100644
 --- a/core/arch/arm/kernel/thread.c
 +++ b/core/arch/arm/kernel/thread.c
-@@ -44,16 +44,31 @@ static size_t thread_user_kcode_size __n
+@@ -44,15 +44,30 @@ static size_t thread_user_kcode_size __nex_bss;
  #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
  	defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
  long thread_user_kdata_sp_offset __nex_bss;
@@ -62,17 +65,18 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 -	__section(".nex_nozi.kdata_page");
 +	__section(".nex_nozi.kdata_page")
  #endif
- #endif
++#endif
 +    ;
 +#endif
 +
 +/* reset BSS section to default ( .bss ) */
 +#ifdef __clang__
 +#pragma clang section bss=""
-+#endif
+ #endif
  
  #ifdef ARM32
- uint32_t __nostackcheck thread_get_exceptions(void)
+diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
+index 3f08eec6..e6dc9261 100644
 --- a/core/arch/arm/mm/core_mmu_lpae.c
 +++ b/core/arch/arm/mm/core_mmu_lpae.c
 @@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
@@ -126,59 +130,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  /*
   * TAs page table entry inside a level 1 page table.
   *
---- a/core/arch/arm/mm/pgt_cache.c
-+++ b/core/arch/arm/mm/pgt_cache.c
-@@ -104,8 +104,18 @@ void pgt_init(void)
- 	 * has a large alignment, while .bss has a small alignment. The current
- 	 * link script is optimized for small alignment in .bss
- 	 */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- 	static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
--			__aligned(PGT_SIZE) __section(".nozi.pgt_cache");
-+			__aligned(PGT_SIZE)
-+#ifndef __clang__
-+			__section(".nozi.pgt_cache")
-+#endif
-+			;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 	size_t n;
- 
- 	for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
---- a/core/kernel/thread.c
-+++ b/core/kernel/thread.c
-@@ -37,13 +37,24 @@ struct thread_core_local thread_core_loc
- 	name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
- #endif
- 
-+#define DO_PRAGMA(x) _Pragma (#x)
-+
-+#ifdef __clang__
-+#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
-+DO_PRAGMA (clang section bss=".nozi_stack." #name) \
-+linkage uint32_t name[num_stacks] \
-+		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-+			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
-+		__attribute__((aligned(STACK_ALIGNMENT))); \
-+DO_PRAGMA(clang section bss="")
-+#else
- #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
- linkage uint32_t name[num_stacks] \
- 		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
- 			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
- 		__attribute__((section(".nozi_stack." # name), \
- 			       aligned(STACK_ALIGNMENT)))
--
-+#endif
- #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
- 
- DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE,
+diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
+index cd85bd22..3e18f54f 100644
 --- a/core/arch/arm/mm/core_mmu_v7.c
 +++ b/core/arch/arm/mm/core_mmu_v7.c
-@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_EN
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
  typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
  typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
  
@@ -228,3 +184,60 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  
  struct mmu_partition {
  	l1_xlat_tbl_t *l1_table;
+diff --git a/core/arch/arm/mm/pgt_cache.c b/core/arch/arm/mm/pgt_cache.c
+index a7b1b10e..489859ce 100644
+--- a/core/arch/arm/mm/pgt_cache.c
++++ b/core/arch/arm/mm/pgt_cache.c
+@@ -410,8 +410,18 @@ void pgt_init(void)
+ 	 * has a large alignment, while .bss has a small alignment. The current
+ 	 * link script is optimized for small alignment in .bss
+ 	 */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ 	static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+-			__aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++			__aligned(PGT_SIZE)
++#ifndef __clang__
++			__section(".nozi.pgt_cache")
++#endif
++			;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ 	size_t n;
+ 
+ 	for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+diff --git a/core/kernel/thread.c b/core/kernel/thread.c
+index d1f2f382..8de124ae 100644
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -38,13 +38,24 @@ struct thread_core_local thread_core_local[CFG_TEE_CORE_NB_CORE] __nex_bss;
+ 	name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+ 
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
++		__attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+ 		[ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+ 			 STACK_ALIGNMENT) / sizeof(uint32_t)] \
+ 		__attribute__((section(".nozi_stack." # name), \
+ 			       aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+ 
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
+-- 
+2.17.1
+
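Review bot: in the pgt_cache.c part, the clang path places `pgt_tables` with `#pragma clang section bss=".nozi.mmu.l2"` while the non-clang path keeps `__section(".nozi.pgt_cache")`, so the same object lands in differently named sections depending on the compiler. If that is intentional it needs a comment; otherwise the pragma should name `.nozi.pgt_cache`. Separately, this diff rewrites a generic meta-arm patch (adding the core_mmu_v7.c changes and new line offsets) inside a commit titled for N1SDP; it belongs with the 3.19 recipe patch so that patch 2/5 is complete on its own.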
diff --git a/meta-arm/recipes-security/optee/optee-os_3.19.0.bb b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
index 9ad8a148..656a0974 100644
--- a/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
+++ b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
@@ -3,3 +3,7 @@ require optee-os-3_19.inc
 DEPENDS += "dtc-native"
 
 SRCREV = "afacf356f9593a7f83cae9f96026824ec242ff52"
+
+SRC_URI:append = " \
+    file://0001-core-Define-section-attributes-for-clang.patch \ 
+    "
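Review bot: the added `file://0001-core-Define-section-attributes-for-clang.patch \ ` line has trailing whitespace after the continuation backslash; please remove it. This hunk also changes the generic `meta-arm` recipe from a commit whose subject is N1SDP support in `arm-bsp`, so the `SRC_URI:append` would be easier to review and bisect as part of the patch that introduces `optee-os_3.19.0.bb`.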
-- 
2.17.1




* [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
                   ` (3 preceding siblings ...)
  2022-12-21 14:39 ` [PATCH 4/5] arm-bsp/optee-os: N1SDP support for optee-os 3.19 emekcan.aras
@ 2022-12-21 14:39 ` emekcan.aras
  2022-12-21 15:37   ` [meta-arm] " Sumit Garg
  2023-01-09 16:23 ` [PATCH 0/5] Add optee-os 3.19 recipe Jon Mason
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 22+ messages in thread
From: emekcan.aras @ 2022-12-21 14:39 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, Jon.Mason; +Cc: nd, Emekcan Aras

From: Emekcan Aras <emekcan.aras@arm.com>

There is a new optee version 3.19. Currently, qemuarm-secureboot cannot boot
optee 3.19 out-of-the-box. This pins optee-os version to 3.18 for
qemuarm-secureboot.

Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
---
 meta-arm/conf/machine/qemuarm-secureboot.conf   | 3 +++
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
index f08b84fe..db02dc68 100644
--- a/meta-arm/conf/machine/qemuarm-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
@@ -21,3 +21,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+
+PREFERRED_VERSION_optee-os ?= "3.18.%"
+
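Review bot: `PREFERRED_VERSION_optee-os ?= "3.18.%"` is added with no comment in the file saying why the version is held back or what has to be fixed before the pin can go. A version pin on the trusted OS tends to outlive its reason, so a one-line comment pointing at the 3.19 boot failure described in the commit message would help. The hunk also adds a blank line at the end of the file, which can be dropped.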
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 55c4cab4..7277817d 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -23,3 +23,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+
+PREFERRED_VERSION_optee-os ?= "3.18.%"
+
-- 
2.17.1




* Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-21 14:39 ` [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version emekcan.aras
@ 2022-12-21 15:37   ` Sumit Garg
  2022-12-21 15:59     ` Emekcan Aras
  0 siblings, 1 reply; 22+ messages in thread
From: Sumit Garg @ 2022-12-21 15:37 UTC (permalink / raw)
  To: emekcan.aras; +Cc: meta-arm, Ross.Burton, Jon.Mason, nd

On Wed, 21 Dec 2022 at 20:10, <emekcan.aras@arm.com> wrote:
>
> From: Emekcan Aras <emekcan.aras@arm.com>
>
> There is a new optee version 3.19. Currently, qemuarm-secureboot cannot boot
> optee 3.19 out-of-the-box.

This sounds strange since Qemu is regularly tested in OP-TEE build CI
as well as 3.19 release [1]. Is it really an OP-TEE related issue? Can
you share details of the boot error you are observing?

[1] https://github.com/OP-TEE/optee_os/commit/afacf356f9593a7f83cae9f96026824ec242ff52

-Sumit

> This pins optee-os version to 3.18 for
> qemuarm-secureboot.
>
> Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> ---
>  meta-arm/conf/machine/qemuarm-secureboot.conf   | 3 +++
>  meta-arm/conf/machine/qemuarm64-secureboot.conf | 3 +++
>  2 files changed, 6 insertions(+)
>
> diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
> index f08b84fe..db02dc68 100644
> --- a/meta-arm/conf/machine/qemuarm-secureboot.conf
> +++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
> @@ -21,3 +21,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
>  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>
>  MACHINE_FEATURES += "optee-ftpm"
> +
> +PREFERRED_VERSION_optee-os ?= "3.18.%"
> +
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> index 55c4cab4..7277817d 100644
> --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -23,3 +23,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
>  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>
>  MACHINE_FEATURES += "optee-ftpm"
> +
> +PREFERRED_VERSION_optee-os ?= "3.18.%"
> +
> --
> 2.17.1
>
>



* Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-21 15:37   ` [meta-arm] " Sumit Garg
@ 2022-12-21 15:59     ` Emekcan Aras
  2022-12-22  6:48       ` Sumit Garg
  0 siblings, 1 reply; 22+ messages in thread
From: Emekcan Aras @ 2022-12-21 15:59 UTC (permalink / raw)
  To: Sumit Garg; +Cc: meta-arm, Ross Burton, Jon Mason, nd




________________________________
From: Sumit Garg <sumit.garg@linaro.org>
Sent: Wednesday, December 21, 2022 3:37 PM
To: Emekcan Aras <Emekcan.Aras@arm.com>
Cc: meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>; Ross Burton <Ross.Burton@arm.com>; Jon Mason <Jon.Mason@arm.com>; nd <nd@arm.com>
Subject: Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version

On Wed, 21 Dec 2022 at 20:10, <emekcan.aras@arm.com> wrote:
>
> From: Emekcan Aras <emekcan.aras@arm.com>
>
> There is a new optee version 3.19. Currently, qemuarm-secureboot cannot boot
> optee 3.19 out-of-the-box.

This sounds strange since Qemu is regularly tested in OP-TEE build CI
as well as 3.19 release [1]. Is it really an OP-TEE related issue? Can
you share details of the boot error you are observing?

[1] https://github.com/OP-TEE/optee_os/commit/afacf356f9593a7f83cae9f96026824ec242ff52

-Sumit

2022-12-21 11:33:27 - INFO - E/TC:0 0 Panic 'Failed mapping FIP SPs' at core/arch/arm/kernel/secure_partition.c:1223 <sp_init_all>
2022-12-21 11:33:27 - INFO - E/TC:0 0 TEE load address @ 0xcf412000
2022-12-21 11:33:27 - INFO - E/TC:0 0 Call stack:
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41eb3c
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42bafc
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41bd4c
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42d548
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41e268
2022-12-21 11:33:27 - INFO - runqemu - INFO - SIGTERM received
2022-12-21 11:33:27 - INFO - runqemu - INFO - Cleaning up
2022-12-21 11:33:27 - INFO - runqemu - INFO - Host uptime: 1436.86
2022-12-21 11:33:27 - INFO -
2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified

This is the error message. We also have the same issue for n1sdp since the new optee is looking for an SP manifest in FIP. Need to create a bbappend or an inc file for qemuarm-secureboot as well where the necessary flags are set. Just left it for now since there are other platforms that use optee 3.18 version. I think this can be fixed relatively easily when all the platforms upgrade to 3.19.

-Emek

> This pins optee-os version to 3.18 for
> qemuarm-secureboot.
>
> Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> ---
>  meta-arm/conf/machine/qemuarm-secureboot.conf   | 3 +++
>  meta-arm/conf/machine/qemuarm64-secureboot.conf | 3 +++
>  2 files changed, 6 insertions(+)
>
> diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
> index f08b84fe..db02dc68 100644
> --- a/meta-arm/conf/machine/qemuarm-secureboot.conf
> +++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
> @@ -21,3 +21,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
>  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>
>  MACHINE_FEATURES += "optee-ftpm"
> +
> +PREFERRED_VERSION_optee-os ?= "3.18.%"
> +
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> index 55c4cab4..7277817d 100644
> --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -23,3 +23,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
>  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>
>  MACHINE_FEATURES += "optee-ftpm"
> +
> +PREFERRED_VERSION_optee-os ?= "3.18.%"
> +
> --
> 2.17.1
>
>



* Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-21 15:59     ` Emekcan Aras
@ 2022-12-22  6:48       ` Sumit Garg
  2022-12-22  8:42         ` Emekcan Aras
  0 siblings, 1 reply; 22+ messages in thread
From: Sumit Garg @ 2022-12-22  6:48 UTC (permalink / raw)
  To: Emekcan Aras; +Cc: meta-arm, Ross Burton, Jon Mason, nd

On Wed, 21 Dec 2022 at 21:29, Emekcan Aras <Emekcan.Aras@arm.com> wrote:
>
>
>
> ________________________________
> From: Sumit Garg <sumit.garg@linaro.org>
> Sent: Wednesday, December 21, 2022 3:37 PM
> To: Emekcan Aras <Emekcan.Aras@arm.com>
> Cc: meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>; Ross Burton <Ross.Burton@arm.com>; Jon Mason <Jon.Mason@arm.com>; nd <nd@arm.com>
> Subject: Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
>
> On Wed, 21 Dec 2022 at 20:10, <emekcan.aras@arm.com> wrote:
> >
> > From: Emekcan Aras <emekcan.aras@arm.com>
> >
> > There is a new optee version 3.19. Currently, qemuarm-secureboot cannot boot
> > optee 3.19 out-of-the-box.
>
> This sounds strange since Qemu is regularly tested in OP-TEE build CI
> as well as 3.19 release [1]. Is it really an OP-TEE related issue? Can
> you share details of the boot error you are observing?
>
> [1] https://github.com/OP-TEE/optee_os/commit/afacf356f9593a7f83cae9f96026824ec242ff52
>
> -Sumit
>
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 Panic 'Failed mapping FIP SPs' at core/arch/arm/kernel/secure_partition.c:1223 <sp_init_all>

This file won't even compile if CFG_SECURE_PARTITION=n which is the
default configuration. So how does it get enabled for Qemu using
OP-TEE 3.19?

> 2022-12-21 11:33:27 - INFO - E/TC:0 0 TEE load address @ 0xcf412000
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 Call stack:
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41eb3c
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42bafc
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41bd4c
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42d548
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41e268
> 2022-12-21 11:33:27 - INFO - runqemu - INFO - SIGTERM received
> 2022-12-21 11:33:27 - INFO - runqemu - INFO - Cleaning up
> 2022-12-21 11:33:27 - INFO - runqemu - INFO - Host uptime: 1436.86
> 2022-12-21 11:33:27 - INFO -
> 2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
> 2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
>
> This is the error message. We also have the same issue for n1sdp since the new optee is looking for an SP manifest in FIP.

AFAIK, secure partitions are not enabled by default in OP-TEE. So how
does that get enabled for Qemu? Also, I can see from your patch-set
that you enable secure partitions explicitly for n1sdp.

> Need to create a bbappend or an inc file for qemuarm-secureboot as well where the necessary flags are set. Just left it for now since there are other platforms that use optee 3.18 version. I think this can be fixed relatively easily when all the platforms upgrade to 3.19.

I would suggest that we update Qemu as part of OP-TEE uprev as that is
something which others could test as well as something that can be
tested in CI as well.

-Sumit

>
> -Emek
>
> > This pins optee-os version to 3.18 for
> > qemuarm-secureboot.
> >
> > Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> > ---
> >  meta-arm/conf/machine/qemuarm-secureboot.conf   | 3 +++
> >  meta-arm/conf/machine/qemuarm64-secureboot.conf | 3 +++
> >  2 files changed, 6 insertions(+)
> >
> > diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
> > index f08b84fe..db02dc68 100644
> > --- a/meta-arm/conf/machine/qemuarm-secureboot.conf
> > +++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
> > @@ -21,3 +21,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> >
> >  MACHINE_FEATURES += "optee-ftpm"
> > +
> > +PREFERRED_VERSION_optee-os ?= "3.18.%"
> > +
> > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > index 55c4cab4..7277817d 100644
> > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > @@ -23,3 +23,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> >
> >  MACHINE_FEATURES += "optee-ftpm"
> > +
> > +PREFERRED_VERSION_optee-os ?= "3.18.%"
> > +
> > --
> > 2.17.1
> >
> >



* Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-22  6:48       ` Sumit Garg
@ 2022-12-22  8:42         ` Emekcan Aras
  2022-12-23  5:47           ` Sumit Garg
  0 siblings, 1 reply; 22+ messages in thread
From: Emekcan Aras @ 2022-12-22  8:42 UTC (permalink / raw)
  To: Sumit Garg; +Cc: meta-arm, Ross Burton, Jon Mason, nd


From: Sumit Garg <sumit.garg@linaro.org>
Sent: Thursday, December 22, 2022 6:48 AM
To: Emekcan Aras <Emekcan.Aras@arm.com>
Cc: meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>; Ross Burton <Ross.Burton@arm.com>; Jon Mason <Jon.Mason@arm.com>; nd <nd@arm.com>
Subject: Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version

On Wed, 21 Dec 2022 at 21:29, Emekcan Aras <Emekcan.Aras@arm.com> wrote:
>
>
>
> ________________________________
> From: Sumit Garg <sumit.garg@linaro.org>
> Sent: Wednesday, December 21, 2022 3:37 PM
> To: Emekcan Aras <Emekcan.Aras@arm.com>
> Cc: meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>; Ross Burton <Ross.Burton@arm.com>; Jon Mason <Jon.Mason@arm.com>; nd <nd@arm.com>
> Subject: Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
>
> On Wed, 21 Dec 2022 at 20:10, <emekcan.aras@arm.com> wrote:
> >
> > From: Emekcan Aras <emekcan.aras@arm.com>
> >
> > There is a new optee version 3.19. Currently, qemuarm-secureboot cannot boot
> > optee 3.19 out-of-the-box.
>
> This sounds strange since Qemu is regularly tested in OP-TEE build CI
> as well as 3.19 release [1]. Is it really an OP-TEE related issue? Can
> you share details of the boot error you are observing?
>
> [1] https://github.com/OP-TEE/optee_os/commit/afacf356f9593a7f83cae9f96026824ec242ff52
>
> -Sumit
>
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 Panic 'Failed mapping FIP SPs' at core/arch/arm/kernel/secure_partition.c:1223 <sp_init_all>

This file won't even compile if CFG_SECURE_PARTITION=n which is the
default configuration. So how does it get enabled for Qemu using
OP-TEE 3.19?

I don't know. I saw that you've developed the qemu recipes. So hoping that you might answer this :)
Maybe optee 3.19 sets this explicitly. This patchset was already reviewed by maintainers actually and ran on different platforms.
It could be related to the recipe as well, but as you can see I'm not doing anything complicated there.

> 2022-12-21 11:33:27 - INFO - E/TC:0 0 TEE load address @ 0xcf412000
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 Call stack:
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41eb3c
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42bafc
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41bd4c
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42d548
> 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41e268
> 2022-12-21 11:33:27 - INFO - runqemu - INFO - SIGTERM received
> 2022-12-21 11:33:27 - INFO - runqemu - INFO - Cleaning up
> 2022-12-21 11:33:27 - INFO - runqemu - INFO - Host uptime: 1436.86
> 2022-12-21 11:33:27 - INFO -
> 2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
> 2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
>
> This is the error message. We also have the same issue for n1sdp since the new optee is looking for an SP manifest in FIP.

AFAIK, secure partitions are not enabled by default in OP-TEE. So how
does that get enabled for Qemu? Also, I can see from your patch-set
that you enable secure partitions explicitly for n1sdp.

> Need to create a bbappend or an inc file for qemuarm-secureboot as well where the necessary flags are set. Just left it for now since there are other platforms that use optee 3.18 version. I think this can be fixed relatively easily when all the platforms upgrade to 3.19.

I would suggest that we update Qemu as part of OP-TEE uprev as that is
something which others could test as well as something that can be
tested in CI as well.

I kindly disagree with this :) Normally, there is always uprev work for components every now and then. Someone pushes a new recipe for the new version and if any platform fails, maintainers ask platform-maintainers to fix it. At least that's our experience on corstone1000 and it makes sense, to be honest. I think optee uprev work and upgrading other platforms should go separately if it doesn't work out-of-the-box. I.e., next month, I'll update corstone1000 to optee 3.19, because it doesn't work quite right with the new version. However, this is not related to the new recipe, it's rather related to configurations.

-Sumit

>
> -Emek
>
> > This pins optee-os version to 3.18 for
> > qemuarm-secureboot.
> >
> > Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> > ---
> >  meta-arm/conf/machine/qemuarm-secureboot.conf   | 3 +++
> >  meta-arm/conf/machine/qemuarm64-secureboot.conf | 3 +++
> >  2 files changed, 6 insertions(+)
> >
> > diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
> > index f08b84fe..db02dc68 100644
> > --- a/meta-arm/conf/machine/qemuarm-secureboot.conf
> > +++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
> > @@ -21,3 +21,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> >
> >  MACHINE_FEATURES += "optee-ftpm"
> > +
> > +PREFERRED_VERSION_optee-os ?= "3.18.%"
> > +
> > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > index 55c4cab4..7277817d 100644
> > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > @@ -23,3 +23,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> >
> >  MACHINE_FEATURES += "optee-ftpm"
> > +
> > +PREFERRED_VERSION_optee-os ?= "3.18.%"
> > +
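
Review bot: `?=` on the added `PREFERRED_VERSION_optee-os` line only sets a default, so an assignment parsed earlier (one in local.conf, for instance) wins and this machine builds 3.19 again. If the pin is meant to hold while 3.19 fails to boot here, use `=`; if overriding is intended, say so in a comment. The same three lines are also added verbatim to qemuarm-secureboot.conf, so both files have to change in step when the pin is lifted.
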
> > --
> > 2.17.1
> >
> >
> >


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-22  8:42         ` Emekcan Aras
@ 2022-12-23  5:47           ` Sumit Garg
  2023-01-05 15:31             ` Ross Burton
  0 siblings, 1 reply; 22+ messages in thread
From: Sumit Garg @ 2022-12-23  5:47 UTC (permalink / raw)
  To: Emekcan Aras; +Cc: meta-arm, Ross Burton, Jon Mason, nd

On Thu, 22 Dec 2022 at 14:12, Emekcan Aras <emekcan.aras@arm.com> wrote:
>
> From: Sumit Garg <sumit.garg@linaro.org>
> Sent: Thursday, December 22, 2022 6:48 AM
> To: Emekcan Aras <Emekcan.Aras@arm.com>
> Cc: meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>; Ross Burton <Ross.Burton@arm.com>; Jon Mason <Jon.Mason@arm.com>; nd <nd@arm.com>
> Subject: Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
>
> On Wed, 21 Dec 2022 at 21:29, Emekcan Aras <Emekcan.Aras@arm.com> wrote:
> >
> >
> >
> > ________________________________
> > From: Sumit Garg <sumit.garg@linaro.org>
> > Sent: Wednesday, December 21, 2022 3:37 PM
> > To: Emekcan Aras <Emekcan.Aras@arm.com>
> > Cc: meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>; Ross Burton <Ross.Burton@arm.com>; Jon Mason <Jon.Mason@arm.com>; nd <nd@arm.com>
> > Subject: Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
> >
> > On Wed, 21 Dec 2022 at 20:10, <emekcan.aras@arm.com> wrote:
> > >
> > > From: Emekcan Aras <emekcan.aras@arm.com>
> > >
> > > There is a new optee version 3.19. Currently, qemuarm-secureboot cannot boot
> > > optee 3.19 out-of-the-box.
> >
> > This sounds strange since Qemu is regularly tested in OP-TEE build CI
> > as well as 3.19 release [1]. Is it really an OP-TEE related issue? Can
> > you share details of the boot error you are observing?
> >
> > [1] https://github.com/OP-TEE/optee_os/commit/afacf356f9593a7f83cae9f96026824ec242ff52
> >
> > -Sumit
> >
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 Panic 'Failed mapping FIP SPs' at core/arch/arm/kernel/secure_partition.c:1223 <sp_init_all>
>
> This file won't even compile if CFG_SECURE_PARTITION=n which is the
> default configuration. So how does it get enabled for Qemu using
> OP-TEE 3.19?
>
> I don't know. I saw that you've developed the qemu recipes. So hoping that you might answer this :)
> Maybe optee 3.19 set this explicitly. This patchset was already reviewed by maintainers actually and ran on different platforms.
> It could be related to the recipe as well, but as you can see I'm not doing anything complicated there.
>
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 TEE load address @ 0xcf412000
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 Call stack:
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41eb3c
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42bafc
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41bd4c
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42d548
> > 2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41e268
> > 2022-12-21 11:33:27 - INFO - runqemu - INFO - SIGTERM received
> > 2022-12-21 11:33:27 - INFO - runqemu - INFO - Cleaning up
> > 2022-12-21 11:33:27 - INFO - runqemu - INFO - Host uptime: 1436.86
> > 2022-12-21 11:33:27 - INFO -
> > 2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
> > 2022-12-21 11:33:27 - INFO - tput: No value for $TERM and no -T specified
> >
> > This is the error message. We also have the same issue for n1sdp since the new optee is looking for an SP manifest in FIP.
>
> AFAIK, secure partitions are not enabled by default in OP-TEE. So how
> does that get enabled for Qemu? Also, I can see from your patch-set
> that you enable secure partitions explicitly for n1sdp.
>
> > Need to create a bbappend or an inc file for qemuarm-secureboot as well where the necessary flags are set. Just left it for now since there are other platforms that use optee 3.18 version. I think this can be fixed relatively easily when all the platforms upgrade to 3.19.
>
> I would suggest that we update Qemu as part of OP-TEE uprev as that is
> something which others could test as well as something that can be
> tested in CI as well.
>
> I kindly disagree with this :) Normally, there is always an uprev work for components every now and then.

The general practice is to bump up the component's version rather than
supporting multiple versions. If any bsp layer like meta-arm-bsp has a
different need for a component version then it can stick to an older
version and migrate later.

> Someone pushes a new recipe for the new version and if any platform fails, Maintainers ask platform-maintainers to fix it.

Qemu support is part of the meta-arm layer which has the OP-TEE
recipes too, see:

$ ls meta-arm/conf/machine/
generic-arm64.conf  qemuarm64-secureboot.conf  qemuarm-secureboot.conf
 qemu-generic-arm64.conf

So I would leave it up to meta-arm maintainers to decide here.

-Sumit

> At least that's our experience on corstone1000 and it makes sense, to be honest. I think optee uprev work and upgrading other platforms should go separately if it doesn't work out-of-the-box. I.E. Next month, I'll update corstone1000 to optee 3.19, because it doesn't work quite right with the new version. However, this is not related to the new recipe, it's rather related to configurations.
>
> -Sumit
>
> >
> > -Emek
> >
> > > This pins optee-os version to 3.18 for
> > > qemuarm-secureboot.
> > >
> > > Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> > > ---
> > >  meta-arm/conf/machine/qemuarm-secureboot.conf   | 3 +++
> > >  meta-arm/conf/machine/qemuarm64-secureboot.conf | 3 +++
> > >  2 files changed, 6 insertions(+)
> > >
> > > diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
> > > index f08b84fe..db02dc68 100644
> > > --- a/meta-arm/conf/machine/qemuarm-secureboot.conf
> > > +++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
> > > @@ -21,3 +21,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> > >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> > >
> > >  MACHINE_FEATURES += "optee-ftpm"
> > > +
> > > +PREFERRED_VERSION_optee-os ?= "3.18.%"
> > > +
> > > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > > index 55c4cab4..7277817d 100644
> > > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > > @@ -23,3 +23,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> > >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> > >
> > >  MACHINE_FEATURES += "optee-ftpm"
> > > +
> > > +PREFERRED_VERSION_optee-os ?= "3.18.%"
> > > +
> > > --
> > > 2.17.1
> > >
> > >
> > >
> > >
>
>


^ permalink raw reply	[flat|nested] 22+ messages in thread
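
The panic line and call stack quoted in the message above are enough to triage the failure offline. The following is an added example, not code from the thread or from OP-TEE: it parses that log excerpt, rebases each frame against the printed load address so the offsets can be resolved against the `tee.elf` the recipe installs, and names the build option to check. `parse_panics`, `rebase`, `FILE_TO_CFG` and any `link_base` value are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Log lines copied from the failing boot quoted in this thread (tput noise dropped).
SAMPLE_LOG = """\
2022-12-21 11:33:27 - INFO - E/TC:0 0 Panic 'Failed mapping FIP SPs' at core/arch/arm/kernel/secure_partition.c:1223 <sp_init_all>
2022-12-21 11:33:27 - INFO - E/TC:0 0 TEE load address @ 0xcf412000
2022-12-21 11:33:27 - INFO - E/TC:0 0 Call stack:
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41eb3c
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42bafc
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41bd4c
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf42d548
2022-12-21 11:33:27 - INFO - E/TC:0 0 0xcf41e268
2022-12-21 11:33:27 - INFO - runqemu - INFO - SIGTERM received
"""

# Source file -> build option that must be enabled for the file to be compiled.
# The one entry is what the reply in this thread states; extend it as needed.
FILE_TO_CFG = {"core/arch/arm/kernel/secure_partition.c": "CFG_SECURE_PARTITION"}

_PREFIX = r"E/TC:\S+\s+\d+\s+"  # secure-world console prefix, e.g. "E/TC:0 0 "
PANIC_RE = re.compile(
    _PREFIX + r"Panic '(?P<msg>[^']*)' at (?P<file>[^\s:]+):(?P<line>\d+) <(?P<func>[^>]+)>"
)
LOAD_RE = re.compile(_PREFIX + r"TEE load address @ (0x[0-9a-fA-F]+)")
STACK_RE = re.compile(_PREFIX + r"Call stack:")
FRAME_RE = re.compile(_PREFIX + r"(0x[0-9a-fA-F]+)\s*$")


@dataclass
class PanicReport:
    message: str
    source_file: str
    line: int
    function: str
    load_address: Optional[int] = None
    frames: List[int] = field(default_factory=list)

    @property
    def config_hint(self) -> Optional[str]:
        """Build option implied by the panicking file, if it is in FILE_TO_CFG."""
        return FILE_TO_CFG.get(self.source_file)

    def offsets(self) -> List[int]:
        """Frame addresses relative to the load address printed with the panic."""
        if self.load_address is None:
            raise ValueError("no 'TEE load address' line; frames cannot be rebased")
        below = [hex(f) for f in self.frames if f < self.load_address]
        if below:
            raise ValueError(f"frames below the load address: {below}")
        return [f - self.load_address for f in self.frames]


def parse_panics(log: str) -> List[PanicReport]:
    """Return one PanicReport per 'Panic' line found in a captured console log."""
    reports: List[PanicReport] = []
    current: Optional[PanicReport] = None
    in_stack = False
    for raw in log.splitlines():
        m = PANIC_RE.search(raw)
        if m:
            current = PanicReport(m["msg"], m["file"], int(m["line"]), m["func"])
            reports.append(current)
            in_stack = False
            continue
        if current is None:
            continue  # ignore everything before the first panic
        m = LOAD_RE.search(raw)
        if m:
            current.load_address = int(m.group(1), 16)
            continue
        if STACK_RE.search(raw):
            in_stack = True
            continue
        m = FRAME_RE.search(raw) if in_stack else None
        if m:
            current.frames.append(int(m.group(1), 16))
        elif in_stack:
            in_stack = False  # first non-frame line ends the call stack
    return reports


def rebase(report: PanicReport, link_base: int) -> List[int]:
    """Map runtime frames onto the addresses tee.elf was linked at.

    link_base is an assumption: read it from the tee.elf of the same build.
    The result is what a symbolizer such as addr2line expects with -e tee.elf.
    """
    return [link_base + off for off in report.offsets()]


if __name__ == "__main__":
    for r in parse_panics(SAMPLE_LOG):
        print(f"{r.message!r} in {r.function} ({r.source_file}:{r.line})")
        print("check build option:", r.config_hint)
        print("offsets:", [hex(o) for o in r.offsets()])
```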

* Re: [PATCH 2/5] arm/optee: support optee 3.19
  2022-12-21 14:39 ` [PATCH 2/5] arm/optee: support optee 3.19 emekcan.aras
@ 2023-01-05 15:30   ` Ross Burton
  2023-01-10 16:37     ` Jon Mason
  2023-01-12 17:58   ` [meta-arm] " Denys Dmytriyenko
  1 sibling, 1 reply; 22+ messages in thread
From: Ross Burton @ 2023-01-05 15:30 UTC (permalink / raw)
  To: Emekcan Aras; +Cc: meta-arm

> +++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> @@ -0,0 +1,82 @@
> +SUMMARY = "OP-TEE Trusted OS"
> +DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
> +HOMEPAGE = "https://www.op-tee.org/"
> +
> +LICENSE = "BSD-2-Clause"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
> +
> +inherit deploy python3native
> +require optee.inc

…

This file is 99% identical to optee-os.inc apart from FILEEXTRAPATHS, so put that assignment in the .bb and include the common optee-os.inc.

Whilst I’m there…

> +do_compile:prepend() {
> + PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
> +}

This doesn’t appear to do anything, can you remove it in a separate commit.

> +# note: "textrel" is not triggered on all archs
> +INSANE_SKIP:${PN} = "textrel"
> +# Build paths are currently embedded
> +INSANE_SKIP:${PN} += "buildpaths"

Can you experiment and remove these to see if they’re still valid?

Ross


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [meta-arm] [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version
  2022-12-23  5:47           ` Sumit Garg
@ 2023-01-05 15:31             ` Ross Burton
  0 siblings, 0 replies; 22+ messages in thread
From: Ross Burton @ 2023-01-05 15:31 UTC (permalink / raw)
  To: Sumit Garg; +Cc: Emekcan Aras, meta-arm, Jon Mason

On 23 Dec 2022, at 05:47, Sumit Garg <sumit.garg@linaro.org> wrote:
> 
> Qemu support is part of the meta-arm layer which has the OP-TEE
> recipes too, see:
> 
> $ ls meta-arm/conf/machine/
> generic-arm64.conf  qemuarm64-secureboot.conf  qemuarm-secureboot.conf
> qemu-generic-arm64.conf
> 
> So I would leave it up to meta-arm maintainers to decide here.

I’m definitely no optee expert, but I’d much prefer it if qemuarm64-secureboot was fixed instead of left on the old release.

As there’s no hardware requirement and runqemu works it should be easy to test for someone who knows what the problem actually is.

Ross

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH 0/5] Add optee-os 3.19 recipe
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
                   ` (4 preceding siblings ...)
  2022-12-21 14:39 ` [PATCH 5/5] arm/qemuarm-secureboot: pin optee-os version emekcan.aras
@ 2023-01-09 16:23 ` Jon Mason
  2023-01-10 18:27 ` Jon Mason
  2023-01-13 18:05 ` Jon Mason
  7 siblings, 0 replies; 22+ messages in thread
From: Jon Mason @ 2023-01-09 16:23 UTC (permalink / raw)
  To: meta-arm, emekcan.aras, Ross.Burton, Jon.Mason; +Cc: nd

On Wed, 21 Dec 2022 14:39:37 +0000, emekcan.aras@arm.com wrote:
> This patchset adds optee 3.19 recipe and makes necessary configurations
> to support optee-os 3.19 on n1sdp.
> 
> Emekcan Aras (3):
>   arm/optee: support optee 3.19
>   arm-bsp/optee-os: Adds 3.19 bbappend
>   arm-bsp/optee-os: N1SDP support for optee-os 3.19
> 
> [...]

Applied, thanks!

[1/5] arm/optee: Move optee-3.18 patches
      commit: b061104c87ce58fcc1e9e4791a8339b7af583a09
[2/5] arm/optee: support optee 3.19
      commit: 3259a2a8402fac059e198b772ada01281d3f9cf2
[3/5] arm-bsp/optee-os: Adds 3.19 bbappend
      commit: 3d9c97a0cc9811f6f48004f8f1753651714699eb
[4/5] arm-bsp/optee-os: N1SDP support for optee-os 3.19
      commit: 529d18e8a5e64b28469c5b6312052bf3ce7c80a7
[5/5] arm/qemuarm-secureboot: pin optee-os version
      commit: a6211b606763255020e11bb7d838e3de647b3048

Best regards,
-- 
Jon Mason <jon.mason@arm.com>


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH 2/5] arm/optee: support optee 3.19
  2023-01-05 15:30   ` Ross Burton
@ 2023-01-10 16:37     ` Jon Mason
  2023-01-11  9:22       ` Emekcan Aras
  0 siblings, 1 reply; 22+ messages in thread
From: Jon Mason @ 2023-01-10 16:37 UTC (permalink / raw)
  To: Ross Burton; +Cc: Emekcan Aras, meta-arm

On Thu, Jan 05, 2023 at 03:30:14PM +0000, Ross Burton wrote:
> > +++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> > @@ -0,0 +1,82 @@
> > +SUMMARY = "OP-TEE Trusted OS"
> > +DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
> > +HOMEPAGE = "https://www.op-tee.org/"
> > +
> > +LICENSE = "BSD-2-Clause"
> > +LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
> > +
> > +inherit deploy python3native
> > +require optee.inc
> 
> …
> 
> This file is 99% identical to optee-os.inc apart from FILEEXTRAPATHS, so put that assignment in the .bb and include the common optee-os.inc.
> 
> Whilst I’m there…
> 
> > +do_compile:prepend() {
> > + PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
> > +}
> 
> This doesn’t appear to do anything, can you remove it in a separate commit.
> 
> > +# note: "textrel" is not triggered on all archs
> > +INSANE_SKIP:${PN} = "textrel"
> > +# Build paths are currently embedded
> > +INSANE_SKIP:${PN} += "buildpaths"
> 
> Can you experiment and remove these to see if they’re still valid?
> 
> Ross
> 

Looks like I missed this and pulled it in without being commented on.
Emekcan, can you address this in a follow-on patch?

Thanks,
Jon


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH 0/5] Add optee-os 3.19 recipe
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
                   ` (5 preceding siblings ...)
  2023-01-09 16:23 ` [PATCH 0/5] Add optee-os 3.19 recipe Jon Mason
@ 2023-01-10 18:27 ` Jon Mason
  2023-01-13 18:05 ` Jon Mason
  7 siblings, 0 replies; 22+ messages in thread
From: Jon Mason @ 2023-01-10 18:27 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, emekcan.aras, Jon.Mason; +Cc: nd

On Wed, 21 Dec 2022 14:39:37 +0000, emekcan.aras@arm.com wrote:
> This patchset adds optee 3.19 recipe and makes necessary configurations
> to support optee-os 3.19 on n1sdp.
> 
> Emekcan Aras (3):
>   arm/optee: support optee 3.19
>   arm-bsp/optee-os: Adds 3.19 bbappend
>   arm-bsp/optee-os: N1SDP support for optee-os 3.19
> 
> [...]

Applied, thanks!

[1/5] arm/optee: Move optee-3.18 patches
      commit: b061104c87ce58fcc1e9e4791a8339b7af583a09
[2/5] arm/optee: support optee 3.19
      commit: 3259a2a8402fac059e198b772ada01281d3f9cf2
[3/5] arm-bsp/optee-os: Adds 3.19 bbappend
      commit: 3d9c97a0cc9811f6f48004f8f1753651714699eb
[4/5] arm-bsp/optee-os: N1SDP support for optee-os 3.19
      commit: 529d18e8a5e64b28469c5b6312052bf3ce7c80a7
[5/5] arm/qemuarm-secureboot: pin optee-os version
      commit: a6211b606763255020e11bb7d838e3de647b3048

Best regards,
-- 
Jon Mason <jon.mason@arm.com>


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH 2/5] arm/optee: support optee 3.19
  2023-01-10 16:37     ` Jon Mason
@ 2023-01-11  9:22       ` Emekcan Aras
  0 siblings, 0 replies; 22+ messages in thread
From: Emekcan Aras @ 2023-01-11  9:22 UTC (permalink / raw)
  To: Jon Mason, Ross Burton; +Cc: meta-arm




________________________________
From: Jon Mason <jdmason@kudzu.us>
Sent: Tuesday, January 10, 2023 4:37 PM
To: Ross Burton <Ross.Burton@arm.com>
Cc: Emekcan Aras <Emekcan.Aras@arm.com>; meta-arm@lists.yoctoproject.org <meta-arm@lists.yoctoproject.org>
Subject: Re: [PATCH 2/5] arm/optee: support optee 3.19

On Thu, Jan 05, 2023 at 03:30:14PM +0000, Ross Burton wrote:
> > +++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> > @@ -0,0 +1,82 @@
> > +SUMMARY = "OP-TEE Trusted OS"
> > +DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
> > +HOMEPAGE = "https://www.op-tee.org/"
> > +
> > +LICENSE = "BSD-2-Clause"
> > +LIC_FILES_CHKSUM = "[file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173]file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
> > +
> > +inherit deploy python3native
> > +require optee.inc
>
> …
>
> This file is 99% identical to optee-os.inc apart from FILEEXTRAPATHS, so put that assignment in the .bb and include the common optee-os.inc.
>
> Whilst I’m there…
>
> > +do_compile:prepend() {
> > + PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
> > +}
>
> This doesn’t appear to do anything, can you remove it in a separate commit.
>
> > +# note: "textrel" is not triggered on all archs
> > +INSANE_SKIP:${PN} = "textrel"
> > +# Build paths are currently embedded
> > +INSANE_SKIP:${PN} += "buildpaths"
>
> Can you experiment and remove these to see if they’re still valid?
>
> Ross
>

Looks like I missed this and pulled it in without being commented on.
Emekcan, can you address this in a follow-on patch?

Thanks,
Jon

Yeah sure, I had the patch, just need to rebase it

Thanks
Emek



^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [meta-arm] [PATCH 2/5] arm/optee: support optee 3.19
  2022-12-21 14:39 ` [PATCH 2/5] arm/optee: support optee 3.19 emekcan.aras
  2023-01-05 15:30   ` Ross Burton
@ 2023-01-12 17:58   ` Denys Dmytriyenko
  2023-01-12 18:15     ` Ross Burton
  2023-01-13  9:52     ` Emekcan Aras
  1 sibling, 2 replies; 22+ messages in thread
From: Denys Dmytriyenko @ 2023-01-12 17:58 UTC (permalink / raw)
  To: emekcan.aras; +Cc: meta-arm, Ross.Burton, Jon.Mason, nd

On Wed, Dec 21, 2022 at 02:39:39PM +0000, emekcan.aras@arm.com wrote:
> From: Emekcan Aras <emekcan.aras@arm.com>
> 
> From: Emekcan <emekcan.aras@arm.com>
> 
> This commit adds a recipe to support optee-os 3.19.
> 
> Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>

Unfortunately, this breaks downstream users with own bbappends and 
customizations on top. Please pay close attention to the naming 
conventions. Thanks.

Also, what about updating optee-client, optee-test and optee-examples 
to 3.19?


> ---
> diff --git a/meta-arm/recipes-security/optee/optee-os-3_19.inc b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> new file mode 100644
> index 00000000..8adb6996
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc

While not critical, why does this inc file have "3_19" version in the name?


> @@ -0,0 +1,82 @@
> +SUMMARY = "OP-TEE Trusted OS"
> +DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
> +HOMEPAGE = "https://www.op-tee.org/"
> +
> +LICENSE = "BSD-2-Clause"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
> +
> +inherit deploy python3native
> +require optee.inc
> +
> +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3_19:"

Now, this is critical - why is there "3_19" version in the directory name?


> +CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
> +
> +DEPENDS = "python3-pyelftools-native python3-cryptography-native"
> +
> +DEPENDS:append:toolchain-clang = " compiler-rt"
> +
> +SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
> +
> +SRC_URI:append = " \
> +    file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
> +    file://0007-allow-setting-sysroot-for-clang.patch \
> +    file://0008-no-warn-rwx-segments.patch \
> +   "
> +
> +S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
> +
> +EXTRA_OEMAKE += " \
> +    PLATFORM=${OPTEEMACHINE} \
> +    CFG_${OPTEE_CORE}_core=y \
> +    CROSS_COMPILE_core=${HOST_PREFIX} \
> +    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
> +    NOWERROR=1 \
> +    ta-targets=ta_${OPTEE_ARCH} \
> +    O=${B} \
> +"
> +EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
> +EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
> +
> +CFLAGS[unexport] = "1"
> +LDFLAGS[unexport] = "1"
> +CPPFLAGS[unexport] = "1"
> +AS[unexport] = "1"
> +LD[unexport] = "1"
> +
> +do_compile:prepend() {
> +	PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
> +}
> +
> +do_compile() {
> +    oe_runmake -C ${S} all
> +}
> +do_compile[cleandirs] = "${B}"
> +
> +do_install() {
> +    #install core in firmware
> +    install -d ${D}${nonarch_base_libdir}/firmware/
> +    install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
> +}
> +
> +PACKAGE_ARCH = "${MACHINE_ARCH}"
> +
> +do_deploy() {
> +    install -d ${DEPLOYDIR}/${MLPREFIX}optee
> +    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
> +}
> +
> +addtask deploy before do_build after do_install
> +
> +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> +
> +FILES:${PN} = "${nonarch_base_libdir}/firmware/"
> +
> +# note: "textrel" is not triggered on all archs
> +INSANE_SKIP:${PN} = "textrel"
> +# Build paths are currently embedded
> +INSANE_SKIP:${PN} += "buildpaths"
> +INSANE_SKIP:${PN}-dev = "staticdev"
> +INHIBIT_PACKAGE_STRIP = "1"
> +
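
Review bot: `NOWERROR=1` in the first `EXTRA_OEMAKE` block switches off warnings-as-errors for the whole trusted-OS build, and nothing in the file says which warning made that necessary. Suggest either a comment naming the toolchain and warning that needs it, or dropping the flag in favour of a targeted patch in the style of the 0008-no-warn-rwx-segments.patch already listed in `SRC_URI`, so new warnings in secure-world code still fail the build.
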
> diff --git a/meta-arm/recipes-security/optee/optee-os_3.19.0.bb b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
> new file mode 100644
> index 00000000..9ad8a148
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
> @@ -0,0 +1,5 @@
> +require optee-os-3_19.inc
> +
> +DEPENDS += "dtc-native"
> +
> +SRCREV = "afacf356f9593a7f83cae9f96026824ec242ff52"
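
Review bot: `SRCREV` is a bare hash with no indication of which upstream release it is, and the version otherwise lives only in the file name. A trailing comment with the upstream tag would let a reviewer check the hash against the release without leaving the recipe. `DEPENDS += "dtc-native"` also sits here rather than beside the `DEPENDS =` line in optee-os-3_19.inc; since this .bb is the only visible user of that .inc, either move it there or note why it is recipe-specific.
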
> -- 
> 2.17.1


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [meta-arm] [PATCH 2/5] arm/optee: support optee 3.19
  2023-01-12 17:58   ` [meta-arm] " Denys Dmytriyenko
@ 2023-01-12 18:15     ` Ross Burton
  2023-01-13  9:52     ` Emekcan Aras
  1 sibling, 0 replies; 22+ messages in thread
From: Ross Burton @ 2023-01-12 18:15 UTC (permalink / raw)
  To: Denys Dmytriyenko; +Cc: Emekcan Aras, meta-arm, Jon Mason, nd

On 12 Jan 2023, at 17:58, Denys Dmytriyenko <denis@denix.org> wrote:
> 
>> ---
>> diff --git a/meta-arm/recipes-security/optee/optee-os-3_19.inc b/meta-arm/recipes-security/optee/optee-os-3_19.inc
>> new file mode 100644
>> index 00000000..8adb6996
>> --- /dev/null
>> +++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> 
> While not critical, why does this inc file have "3_19" version in the name?
> 
> 
>> @@ -0,0 +1,82 @@
>> +SUMMARY = "OP-TEE Trusted OS"
>> +DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
>> +HOMEPAGE = "https://www.op-tee.org/"
>> +
>> +LICENSE = "BSD-2-Clause"
>> +LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
>> +
>> +inherit deploy python3native
>> +require optee.inc
>> +
>> +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3_19:"
> 
> Now, this is critical - why is there "3_19" version in the directory name?

Sorry, these were picked up in internal review but the series accidentally got merged.  Hopefully Emekcan will be sending fixes shortly.

Ross

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [meta-arm] [PATCH 2/5] arm/optee: support optee 3.19
  2023-01-12 17:58   ` [meta-arm] " Denys Dmytriyenko
  2023-01-12 18:15     ` Ross Burton
@ 2023-01-13  9:52     ` Emekcan Aras
  2023-01-13 10:38       ` Ross Burton
  1 sibling, 1 reply; 22+ messages in thread
From: Emekcan Aras @ 2023-01-13  9:52 UTC (permalink / raw)
  To: Denys Dmytriyenko; +Cc: meta-arm, Ross.Burton, Jon.Mason, nd

On Thu, Jan 12, 2023 at 12:58:59PM -0500, Denys Dmytriyenko wrote:
> On Wed, Dec 21, 2022 at 02:39:39PM +0000, emekcan.aras@arm.com wrote:
> > From: Emekcan Aras <emekcan.aras@arm.com>
> > 
> > From: Emekcan <emekcan.aras@arm.com>
> > 
> > This commit adds a recipe to support optee-os 3.19.
> > 
> > Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
> 
> Unfortunately, this breaks downstream users with own bbappends and 
> customizations on top. Please pay close attention to the naming 
> conventions. Thanks.
> 
Sorry, I'll fix this.

> Also, what about updating optee-client, optee-test and optee-examples 
> to 3.19?
> 
> 
Hopefully, soon we'll update these as well
> > ---
> > diff --git a/meta-arm/recipes-security/optee/optee-os-3_19.inc b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> > new file mode 100644
> > index 00000000..8adb6996
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee/optee-os-3_19.inc
> 
> While not critical, why does this inc file have "3_19" version in the name?
> 
Okay, I'll fix this.
> 
> > @@ -0,0 +1,82 @@
> > +SUMMARY = "OP-TEE Trusted OS"
> > +DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
> > +HOMEPAGE = "https://www.op-tee.org/"
> > +
> > +LICENSE = "BSD-2-Clause"
> > +LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
> > +
> > +inherit deploy python3native
> > +require optee.inc
> > +
> > +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3_19:"
> 
> Now, this is critical - why is there "3_19" version in the directory name?
> 
Out-of-tree patches that apply to 3.18 and 3.19 are very similar (naming-wise)
but the patches apply to different lines. In order to keep 3.18 patches, we needed
to add 3.19 as a separate directory.
> 
> > +CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
> > +
> > +DEPENDS = "python3-pyelftools-native python3-cryptography-native"
> > +
> > +DEPENDS:append:toolchain-clang = " compiler-rt"
> > +
> > +SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
> > +
> > +SRC_URI:append = " \
> > +    file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
> > +    file://0007-allow-setting-sysroot-for-clang.patch \
> > +    file://0008-no-warn-rwx-segments.patch \
> > +   "
> > +
> > +S = "${WORKDIR}/git"
> > +B = "${WORKDIR}/build"
> > +
> > +EXTRA_OEMAKE += " \
> > +    PLATFORM=${OPTEEMACHINE} \
> > +    CFG_${OPTEE_CORE}_core=y \
> > +    CROSS_COMPILE_core=${HOST_PREFIX} \
> > +    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
> > +    NOWERROR=1 \
> > +    ta-targets=ta_${OPTEE_ARCH} \
> > +    O=${B} \
> > +"
> > +EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
> > +EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
> > +
> > +CFLAGS[unexport] = "1"
> > +LDFLAGS[unexport] = "1"
> > +CPPFLAGS[unexport] = "1"
> > +AS[unexport] = "1"
> > +LD[unexport] = "1"
> > +
> > +do_compile:prepend() {
> > +	PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
> > +}
> > +
> > +do_compile() {
> > +    oe_runmake -C ${S} all
> > +}
> > +do_compile[cleandirs] = "${B}"
> > +
> > +do_install() {
> > +    #install core in firmware
> > +    install -d ${D}${nonarch_base_libdir}/firmware/
> > +    install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
> > +}
> > +
> > +PACKAGE_ARCH = "${MACHINE_ARCH}"
> > +
> > +do_deploy() {
> > +    install -d ${DEPLOYDIR}/${MLPREFIX}optee
> > +    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
> > +}
> > +
> > +addtask deploy before do_build after do_install
> > +
> > +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> > +
> > +FILES:${PN} = "${nonarch_base_libdir}/firmware/"
> > +
> > +# note: "textrel" is not triggered on all archs
> > +INSANE_SKIP:${PN} = "textrel"
> > +# Build paths are currently embedded
> > +INSANE_SKIP:${PN} += "buildpaths"
> > +INSANE_SKIP:${PN}-dev = "staticdev"
> > +INHIBIT_PACKAGE_STRIP = "1"
> > +
> > diff --git a/meta-arm/recipes-security/optee/optee-os_3.19.0.bb b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
> > new file mode 100644
> > index 00000000..9ad8a148
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee/optee-os_3.19.0.bb
> > @@ -0,0 +1,5 @@
> > +require optee-os-3_19.inc
> > +
> > +DEPENDS += "dtc-native"
> > +
> > +SRCREV = "afacf356f9593a7f83cae9f96026824ec242ff52"
> > -- 
> > 2.17.1


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [meta-arm] [PATCH 2/5] arm/optee: support optee 3.19
  2023-01-13  9:52     ` Emekcan Aras
@ 2023-01-13 10:38       ` Ross Burton
  0 siblings, 0 replies; 22+ messages in thread
From: Ross Burton @ 2023-01-13 10:38 UTC (permalink / raw)
  To: Emekcan Aras; +Cc: Denys Dmytriyenko, meta-arm, Jon Mason

On 13 Jan 2023, at 09:52, Emekcan Aras <Emekcan.Aras@arm.com> wrote:
>>> +FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os-3_19:"
>> 
>> Now, this is critical - why is there "3_19" version in the directory name?
>> 
> Out-of-tree patches that apply to 3.18 and 3.19 are very similar (naming-wise)
> but the patches apply to different lines. In order to keep 3.18 patches, we needed
> to add 3.19 as a separate directory.

It can’t use the automatic searching for PV as there *are* bbappends which bump the SHA to a post-release intermediate SHA and correctly set PV=3.19+git{SRCPV}, which is why there’s a 3.19 directory being added to the path.

I’d like it to be 3.19 and not 3_19 though.

Ross

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PATCH 0/5] Add optee-os 3.19 recipe
  2022-12-21 14:39 [PATCH 0/5] Add optee-os 3.19 recipe emekcan.aras
                   ` (6 preceding siblings ...)
  2023-01-10 18:27 ` Jon Mason
@ 2023-01-13 18:05 ` Jon Mason
  7 siblings, 0 replies; 22+ messages in thread
From: Jon Mason @ 2023-01-13 18:05 UTC (permalink / raw)
  To: meta-arm, Ross.Burton, emekcan.aras, Jon.Mason; +Cc: nd

On Wed, 21 Dec 2022 14:39:37 +0000, emekcan.aras@arm.com wrote:
> This patchset adds optee 3.19 recipe and makes necessary configurations
> to support optee-os 3.19 on n1sdp.
> 
> Emekcan Aras (3):
>   arm/optee: support optee 3.19
>   arm-bsp/optee-os: Adds 3.19 bbappend
>   arm-bsp/optee-os: N1SDP support for optee-os 3.19
> 
> [...]

Applied, thanks!

[1/5] arm/optee: Move optee-3.18 patches
      commit: b061104c87ce58fcc1e9e4791a8339b7af583a09
[2/5] arm/optee: support optee 3.19
      commit: 3259a2a8402fac059e198b772ada01281d3f9cf2
[3/5] arm-bsp/optee-os: Adds 3.19 bbappend
      commit: 3d9c97a0cc9811f6f48004f8f1753651714699eb
[4/5] arm-bsp/optee-os: N1SDP support for optee-os 3.19
      commit: 529d18e8a5e64b28469c5b6312052bf3ce7c80a7
[5/5] arm/qemuarm-secureboot: pin optee-os version
      commit: a6211b606763255020e11bb7d838e3de647b3048

Best regards,
-- 
Jon Mason <jon.mason@arm.com>


^ permalink raw reply	[flat|nested] 22+ messages in thread
