* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
@ 2018-11-22 15:22 Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 2/5] optee-client: new package Etienne Carriere
                   ` (7 more replies)
  0 siblings, 8 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-22 15:22 UTC (permalink / raw)
  To: buildroot

OP-TEE OS is maintained by the OP-TEE project. It provides an
open source solution for development and integration of secure
services for Armv7-A and Armv8-A CPU based platforms supporting
the TrustZone technology. This technology enables CPUs to
concurrently host a secure world, such as OP-TEE OS, and a
non-secure world, such as a Linux-based OS.

The OP-TEE project maintains other packages to leverage OP-TEE on
Linux kernel based OSes. An OP-TEE interface driver is available
in the Linux kernel since 4.12 upon CONFIG_OPTEE.

https://www.op-tee.org/
https://github.com/OP-TEE/optee_os

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
 boot/Config.in                                     |   1 +
 .../3.3.0/0001-move-python-to-python3.patch        |  26 ++++++
 boot/optee-os/Config.in                            | 102 ++++++++++++++++++++
 boot/optee-os/optee-os.hash                        |   4 +
 boot/optee-os/optee-os.mk                          | 103 +++++++++++++++++++++
 5 files changed, 236 insertions(+)
 create mode 100644 boot/optee-os/3.3.0/0001-move-python-to-python3.patch
 create mode 100644 boot/optee-os/Config.in
 create mode 100644 boot/optee-os/optee-os.hash
 create mode 100644 boot/optee-os/optee-os.mk

diff --git a/boot/Config.in b/boot/Config.in
index 8e0c8e5..cd14731 100644
--- a/boot/Config.in
+++ b/boot/Config.in
@@ -13,6 +13,7 @@ source "boot/gummiboot/Config.in"
 source "boot/lpc32xxcdl/Config.in"
 source "boot/mv-ddr-marvell/Config.in"
 source "boot/mxs-bootlets/Config.in"
+source "boot/optee-os/Config.in"
 source "boot/riscv-pk/Config.in"
 source "boot/s500-bootloader/Config.in"
 source "boot/syslinux/Config.in"
diff --git a/boot/optee-os/3.3.0/0001-move-python-to-python3.patch b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
new file mode 100644
index 0000000..b0ed5b5
--- /dev/null
+++ b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
@@ -0,0 +1,26 @@
+move python scripts to pyhton3
+
+Use python3 for scripts depending on module Crypto.
+
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+
+diff --git a/scripts/pem_to_pub_c.py b/scripts/pem_to_pub_c.py
+index 6b8fa36..0b03d62 100755
+--- a/scripts/pem_to_pub_c.py
++++ b/scripts/pem_to_pub_c.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ # SPDX-License-Identifier: BSD-2-Clause
+ #
+ # Copyright (c) 2015, Linaro Limited
+diff --git a/scripts/sign.py b/scripts/sign.py
+index ad47479..348b40a 100755
+--- a/scripts/sign.py
++++ b/scripts/sign.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ #
+ # Copyright (c) 2015, 2017, Linaro Limited
+ #
diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
new file mode 100644
index 0000000..5968531
--- /dev/null
+++ b/boot/optee-os/Config.in
@@ -0,0 +1,102 @@
+config BR2_TARGET_OPTEE_OS
+	bool "optee_os"
+	depends on BR2_aarch64 || BR2_arm
+	select BR2_PACKAGE_OPENSSL # host tool
+	help
+	  OP-TEE OS provides the secure world boot image and the trust
+	  application development kit of the OP-TEE project. OP-TEE OS
+	  also provides generic trusted application one can embedded
+	  into its system.
+
+	  http://github.org/OP-TEE/optee_os
+
+if BR2_TARGET_OPTEE_OS
+
+choice
+	prompt "OP-TEE OS version"
+	default BR2_TARGET_OPTEE_OS_LATEST
+	help
+	  Select the version of OP-TEE OS you want to use
+
+config BR2_TARGET_OPTEE_OS_LATEST
+	bool "sync with latest registered release tag"
+	help
+	  This fetches the latest registered release tag from
+	  the OP-TEE OS official Git repository.
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	bool "sync on custom OP-TEE OS Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_TARGET_OPTEE_OS_VERSION
+	string
+	default "3.3.0"		if BR2_TARGET_OPTEE_OS_LATEST
+	default BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION \
+				if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+
+if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL
+	string "sourcetree-site"
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION
+	string "git reference to pull"
+	help
+	  Reference in the target git repository to sync with.
+
+endif
+
+# Building core, TA libraries/devkit and/or generic TA services
+
+config BR2_TARGET_OPTEE_OS_CORE
+	bool "Build core"
+	default y
+	help
+	  This option will build and install the OP-TEE core
+	  boot images.
+
+config BR2_TARGET_OPTEE_OS_SDK
+	bool "Build TA devkit"
+	default y
+	help
+	  This option will build and install the OP-TEE development
+	  kit for building OP-TEE trusted application images. It is
+          installed in the staging filetree in /lib/optee directory.
+
+config BR2_TARGET_OPTEE_OS_SERVICES
+	bool "Build service TAs"
+	default y
+	help
+	  This option will build and install the generic trusted
+	  applications in the OP-TEE OS source tree and install
+	  them in the target /lib/optee_armtz directory. At runtime
+	  OP-TEE OS can load trusted applications from a non secure
+	  filesystem into the secure world for execution.
+
+# Building TA libraries and/or core images require target platform info
+
+config BR2_TARGET_OPTEE_OS_PLATFORM
+	string "mandatory target PLATFORM"
+	help
+	  Value for the mandated PLATFORM build directive provided to
+	  OP-TEE OS.
+
+config BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR
+	string "optional target PLATFORM_FLAVOR"
+	help
+	  Value for the optional PLATFORM_FLAVOR build directive
+	  provided to OP-TEE OS.
+
+config BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES
+	string "Additional OP-TEE OS build variables"
+	help
+	  Additional parameters for the OP-TEE OS build
+	  E.g. 'CFG_TEE_CORE_LOG_LEVEL=3 CFG_UNWIND=y'
+
+endif # BR2_TARGET_OPTEE_OS
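Review bot: `select BR2_PACKAGE_OPENSSL # host tool` enables the target OpenSSL package in the root filesystem, which is not what the comment says is wanted; a build-host requirement belongs in the package makefile as a `host-openssl` entry in `OPTEE_OS_DEPENDENCIES`, and the .mk added by this patch declares no dependencies at all. The help URL `http://github.org/OP-TEE/optee_os` names the wrong host and should read `https://github.com/OP-TEE/optee_os`, as in the commit message; package/optee-test/Config.in in patch 5/5 has the same `github.org` host. The BR2_TARGET_OPTEE_OS_SDK help line that begins with spaces (`installed in the staging filetree ...`) should be indented with a tab and two spaces like its neighbours.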
diff --git a/boot/optee-os/optee-os.hash b/boot/optee-os/optee-os.hash
new file mode 100644
index 0000000..f68d72f
--- /dev/null
+++ b/boot/optee-os/optee-os.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
+sha256 f0c9572d3a341ea37bb8e89cfd511e96d6ca3b2b714b536564e8fedb93b0f44a  optee-os-3.3.0.tar.gz
+# Locally computed
+sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
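Review bot: The provenance comment names `https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz` while the hash line is for `optee-os-3.3.0.tar.gz`, so a reader cannot tell which archive the sha256 was computed from. This hash is the only integrity check on the secure-world source tarball in the default (release) configuration, so it should be re-verified against the optee_os 3.3.0 archive and the comment corrected to `# From https://github.com/OP-TEE/optee_os/archive/3.3.0.tar.gz`.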
diff --git a/boot/optee-os/optee-os.mk b/boot/optee-os/optee-os.mk
new file mode 100644
index 0000000..2e04ce0
--- /dev/null
+++ b/boot/optee-os/optee-os.mk
@@ -0,0 +1,103 @@
+################################################################################
+#
+# optee-os
+#
+################################################################################
+
+OPTEE_OS_VERSION = $(call qstrip,$(BR2_TARGET_OPTEE_OS_VERSION))
+OPTEE_OS_LICENSE = BSD-2-Clause
+OPTEE_OS_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_TARGET_OPTEE_OS_CUSTOM_GIT),y)
+OPTEE_OS_SITE = $(call qstrip,$(BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL))
+OPTEE_OS_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_OS_SOURCE)
+else
+OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,OPTEE_OS_VERSION)
+endif
+
+# On 64bit targets, OP-TEE OS can be built in 32bit mode, or
+# can be built in 64bit mode and support 32bit and 64bit
+# trusted applications. Since buildroot currently references
+# a single cross compiler, build exclusively in 32bit
+# or 64bit mode.
+OPTEE_OS_MAKE_OPTS = CROSS_COMPILE="$(TARGET_CROSS)"
+OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_core="$(TARGET_CROSS)"
+ifeq ($(BR2_aarch64),y)
+OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm64="$(TARGET_CROSS)"
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm32="$(TARGET_CROSS)"
+endif
+
+# Get mandatory PLAFORM and optional PLATFORM_FLAVOR
+OPTEE_OS_MAKE_OPTS += PLATFORM=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM))
+ifneq ($(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR),)
+OPTEE_OS_MAKE_OPTS += PLATFORM_FLAVOR=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR))
+endif
+OPTEE_OS_MAKE_OPTS += $(call qstrip,$(BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES))
+
+# OP-TEE OS builds from subdirectory build/ of its synced sourcetree root path
+ifeq ($(BR2_aarch64),y)
+OPTEE_OS_LOCAL_SDK = build/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_OS_LOCAL_SDK = build/export-ta_arm32
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_CORE),y)
+define OPTEE_OS_BUILD_CORE
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
+		O=build $(TARGET_CONFIGURE_OPTS) $(OPTEE_OS_MAKE_OPTS) all
+endef
+define OPTEE_OS_INSTALL_CORE
+	mkdir -p $(BINARIES_DIR)
+	cp -dpf $(@D)/build/core/tee.bin $(BINARIES_DIR)
+	cp -dpf $(@D)/build/core/tee-*_v2.bin $(BINARIES_DIR)
+endef
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_SDK),y)
+define OPTEE_OS_BUILD_SDK
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
+		 O=build $(TARGET_CONFIGURE_OPTS) $(OPTEE_OS_MAKE_OPTS) ta_dev_kit
+endef
+define OPTEE_OS_INSTALL_SDK
+	mkdir -p $(STAGING_DIR)/lib/optee
+	cp -ardpf $(@D)/$(OPTEE_OS_LOCAL_SDK) $(STAGING_DIR)/lib/optee
+endef
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_SERVICES),y)
+define OPTEE_OS_BUILD_SERVICES
+	$(foreach f,$(wildcard $(@D)/ta_services/*/Makefile), \
+		$(TARGET_MAKE_ENV) $(MAKE) -C $(dir $f) \
+			O=build $(TARGET_CONFIGURE_OPTS) \
+			TA_DEV_KIT_DIR=$(@D)/$(OPTEE_OS_LOCAL_SDK) \
+			CROSS_COMPILE=$(TARGET_CROSS) &&) true
+endef
+define OPTEE_OS_INSTALL_SERVICES
+	mkdir -p $(TARGET_DIR)/lib/optee_armtz
+	$(foreach f,$(wildcard $(@D)/ta_services/*/build/*.ta), \
+		$(INSTALL) -v -p --mode=444 \
+			--target-directory=$(TARGET_DIR)/lib/optee_armtz \
+			 $f &&) true
+endef
+endif
+
+define OPTEE_OS_BUILD_CMDS
+	$(OPTEE_OS_BUILD_CORE)
+	$(OPTEE_OS_BUILD_SDK)
+	$(OPTEE_OS_BUILD_SERVICES)
+endef
+
+define OPTEE_OS_INSTALL_IMAGES_CMDS
+	$(OPTEE_OS_INSTALL_CORE)
+	$(OPTEE_OS_INSTALL_SDK)
+	$(OPTEE_OS_INSTALL_SERVICES)
+endef
+
+OPTEE_OS_INSTALL_STAGING = YES
+OPTEE_OS_INSTALL_IMAGES = YES
+
+$(eval $(generic-package))
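Review bot: In the non-custom branch, `$(call github,OP-TEE,optee_os,OPTEE_OS_VERSION)` passes the literal text OPTEE_OS_VERSION as the version, so the download URL never contains 3.3.0; it should be `OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,$(OPTEE_OS_VERSION))`, as optee-client.mk does for its own version. The custom-Git branch adds the source to `BR_NO_CHECK_HASH_FOR`, so secure-world firmware fetched from a user-supplied URL is built with no integrity check, and a branch or tag name in BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION can move between builds; the option's help text should recommend a full commit sha1. optee-client.mk, optee-benchmark.mk and optee-examples.mk in this series use the same hash-skipping pattern. `OPTEE_OS_INSTALL_STAGING = YES` is set but only `OPTEE_OS_INSTALL_IMAGES_CMDS` is defined, and it writes the devkit to `$(STAGING_DIR)` and the TAs to `$(TARGET_DIR)`; those two steps presumably belong in `OPTEE_OS_INSTALL_STAGING_CMDS` and `OPTEE_OS_INSTALL_TARGET_CMDS`.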
-- 
1.9.1


* [Buildroot] [PATCH 2/5] optee-client: new package
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
@ 2018-11-22 15:22 ` Etienne Carriere
  2018-11-23 11:48   ` Shyam Saini
  2018-11-23 18:10   ` [Buildroot] [PATCH v2 " Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 3/5] optee-benchmark: " Etienne Carriere
                   ` (6 subsequent siblings)
  7 siblings, 2 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-22 15:22 UTC (permalink / raw)
  To: buildroot

OP-TEE client API library and supplicant daemon from the
OP-TEE project.

The package is added to the Security menu of BR configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
 package/Config.in                      |  1 +
 package/optee-client/Config.in         | 62 ++++++++++++++++++++++++++++++++++
 package/optee-client/S30optee          | 26 ++++++++++++++
 package/optee-client/optee-client.hash |  4 +++
 package/optee-client/optee-client.mk   | 31 +++++++++++++++++
 5 files changed, 124 insertions(+)
 create mode 100644 package/optee-client/Config.in
 create mode 100644 package/optee-client/S30optee
 create mode 100644 package/optee-client/optee-client.hash
 create mode 100644 package/optee-client/optee-client.mk

diff --git a/package/Config.in b/package/Config.in
index b60e770..8c3b1bf 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2047,6 +2047,7 @@ endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/optee-client/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-client/Config.in b/package/optee-client/Config.in
new file mode 100644
index 0000000..c3f28c1
--- /dev/null
+++ b/package/optee-client/Config.in
@@ -0,0 +1,62 @@
+config BR2_PACKAGE_OPTEE_CLIENT
+	bool "Embed OP-TEE client"
+	help
+	  Enable the OP-TEE client package that brings non-secure
+	  client application resources for OP-TEE support. OP-TEE
+	  client is a component delivered by the OP-TEE project.
+
+	  https://github.com/OP-TEE/optee_client
+
+	  The client API library allows application to invoke
+	  trusted applications hosted in the OP-TEE OS secure world.
+	  The supplicant provides services hosted by the non-secure
+	  world and invoked by the secure world.
+
+if BR2_PACKAGE_OPTEE_CLIENT
+
+choice
+	prompt "OP-TEE client version"
+	default BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	help
+	  Select the version of OP-TEE client you want to use
+
+config BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	bool "sync with latest registered release tag"
+	help
+	  Sync on latest release tag. This currently fetches the
+	  latest registered release tag from the OP-TEE official
+	  Git repository.
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_CLIENT_VERSION
+	string
+	default "3.3.0"		if BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	default BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION \
+				if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can
+	  be any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_CLIENT
diff --git a/package/optee-client/S30optee b/package/optee-client/S30optee
new file mode 100644
index 0000000..c893243
--- /dev/null
+++ b/package/optee-client/S30optee
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# /etc/init.d/optee
+#
+# Start/stop tee-supplicant (OP-TEE normal world daemon)
+#
+case "$1" in
+    start)
+	if [ -e /usr/sbin/tee-supplicant -a -e /dev/teepriv0 ]; then
+		echo "Starting tee-supplicant..."
+		/usr/sbin/tee-supplicant &
+		exit 0
+	else
+		echo "tee-supplicant or TEE device not found"
+		exit 1
+	fi
+
+        ;;
+    stop)
+	killall tee-supplicant
+	;;
+    status)
+	cat /dev/teepriv0 2>&1 | grep -q "Device or resource busy" || not="not "
+	echo "tee-supplicant is ${not}active"
+	;;
+esac
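Review bot: The `status` branch probes the daemon by running `cat /dev/teepriv0` and matching the text "Device or resource busy", which opens the privileged supplicant device itself whenever no supplicant holds it and depends on the exact wording of an error message. `stop` uses `killall`, which matches by name rather than by the process this script started, and `start` backgrounds the daemon with `&` and exits 0 without knowing whether it came up. Tracking the daemon through a pidfile with start-stop-daemon keeps `status` away from the device node and gives `stop` a precise target. An unknown argument should also print usage and exit non-zero, and the `-a` inside `[ ]` is better written as two tests joined with `&&`. The pidfile path in the sketch below is a suggestion.

```shell
# … unchanged: header comment …
DAEMON=/usr/sbin/tee-supplicant
PIDFILE=/var/run/tee-supplicant.pid

case "$1" in
    start)
	if [ -e "$DAEMON" ] && [ -e /dev/teepriv0 ]; then
		echo "Starting tee-supplicant..."
		start-stop-daemon -S -q -b -m -p "$PIDFILE" -x "$DAEMON"
	else
		# … unchanged: "not found" message and exit 1 …
	fi
	;;
    stop)
	start-stop-daemon -K -q -p "$PIDFILE"
	;;
    status)
	if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
		echo "tee-supplicant is active"
	else
		echo "tee-supplicant is not active"
	fi
	;;
    *)
	echo "Usage: $0 {start|stop|status}"
	exit 1
	;;
esac
```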
diff --git a/package/optee-client/optee-client.hash b/package/optee-client/optee-client.hash
new file mode 100644
index 0000000..ed7bf4e
--- /dev/null
+++ b/package/optee-client/optee-client.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_client/archive/3.3.0.tar.gz
+sha256 63af1567fdcdbe28b45be274266a89aa81bef3d0fd8ec5a6eb680046a92e1177  optee-client-3.3.0.tar.gz
+# Locally computed
+sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
diff --git a/package/optee-client/optee-client.mk b/package/optee-client/optee-client.mk
new file mode 100644
index 0000000..e856ca5
--- /dev/null
+++ b/package/optee-client/optee-client.mk
@@ -0,0 +1,31 @@
+################################################################################
+#
+# optee-client
+#
+################################################################################
+
+OPTEE_CLIENT_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_VERSION))
+OPTEE_CLIENT_LICENSE = BSD-3-Clause
+OPTEE_CLIENT_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT),y)
+OPTEE_CLIENT_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL))
+OPTEE_CLIENT_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_CLIENT_SOURCE)
+else
+OPTEE_CLIENT_SITE = $(call github,OP-TEE,optee_client,$(OPTEE_CLIENT_VERSION))
+endif
+
+define OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT
+	$(INSTALL) -m 0755 -D $(OPTEE_CLIENT_PKGDIR)/S30optee \
+		$(TARGET_DIR)/etc/init.d/S30optee
+endef
+
+define OPTEE_CLIENT_INSTALL_INIT_SYSV
+	$(OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT)
+endef
+
+OPTEE_CLIENT_INSTALL_STAGING = YES
+OPTEE_CLIENT_INSTALL_IMAGES = YES
+
+$(eval $(cmake-package))
-- 
1.9.1


* [Buildroot] [PATCH 3/5] optee-benchmark: new package
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 2/5] optee-client: new package Etienne Carriere
@ 2018-11-22 15:22 ` Etienne Carriere
  2018-11-23 18:10   ` [Buildroot] [PATCH v2 " Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 4/5] optee-examples: " Etienne Carriere
                   ` (5 subsequent siblings)
  7 siblings, 1 reply; 31+ messages in thread
From: Etienne Carriere @ 2018-11-22 15:22 UTC (permalink / raw)
  To: buildroot

OP-TEE performance benchmark tools for the OP-TEE project.

This package generates embedded Linux based OS materials used
to retrieve execution timing information on invocation of the
OP-TEE secure services.

It is added next to the OP-TEE client package in BR configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
 package/Config.in                            |  1 +
 package/optee-benchmark/Config.in            | 56 ++++++++++++++++++++++++++++
 package/optee-benchmark/optee-benchmark.hash |  2 +
 package/optee-benchmark/optee-benchmark.mk   | 29 ++++++++++++++
 4 files changed, 88 insertions(+)
 create mode 100644 package/optee-benchmark/Config.in
 create mode 100644 package/optee-benchmark/optee-benchmark.hash
 create mode 100644 package/optee-benchmark/optee-benchmark.mk

diff --git a/package/Config.in b/package/Config.in
index 8c3b1bf..38200af 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2047,6 +2047,7 @@ endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
diff --git a/package/optee-benchmark/Config.in b/package/optee-benchmark/Config.in
new file mode 100644
index 0000000..9a4b15f
--- /dev/null
+++ b/package/optee-benchmark/Config.in
@@ -0,0 +1,56 @@
+config BR2_PACKAGE_OPTEE_BENCHMARK
+	bool "Embed OP-TEE benchmark support"
+	select BR2_PACKAGE_LIBYAML
+	help
+	  Enable the OP-TEE benchmark package that brings facilities
+	  for profiling traversal and execution timings when
+	  invoking OP-TEE. OP-TEE benchmark is a component delivered
+	  by the OP-TEE project.
+
+if BR2_PACKAGE_OPTEE_BENCHMARK
+
+choice
+	prompt "OP-TEE Benchmark version"
+	default BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	help
+	  Select the version of OP-TEE benchmark you want to use
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	bool "sync with latest release tag"
+	help
+	  Sync on latest release tag. This currently fetches the
+	  latest registered release tag from the OP-TEE official
+	  Git repository.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_VERSION
+	string
+	default "3.3.0"		if BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	default BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_VERSION \
+				if BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git repository.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can be
+	  any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_BENCHMARK
diff --git a/package/optee-benchmark/optee-benchmark.hash b/package/optee-benchmark/optee-benchmark.hash
new file mode 100644
index 0000000..d93c26c
--- /dev/null
+++ b/package/optee-benchmark/optee-benchmark.hash
@@ -0,0 +1,2 @@
+# From https://github.com/linaro-swg/optee_benchmark/archive/3.3.0.tar.gz
+sha256 bfba3749ac8b37628550696f0625452ae8aef060eff5b3b1c4283a5dad8a3383 optee-benchmark-3.3.0.tar.gz
diff --git a/package/optee-benchmark/optee-benchmark.mk b/package/optee-benchmark/optee-benchmark.mk
new file mode 100644
index 0000000..8c450b6
--- /dev/null
+++ b/package/optee-benchmark/optee-benchmark.mk
@@ -0,0 +1,29 @@
+################################################################################
+#
+# optee-benchmarch
+#
+################################################################################
+
+OPTEE_BENCHMARK_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_BENCHMARK_VERSION))
+OPTEE_BENCHMARK_LICENSE = BSD-2-Clause
+
+OPTEE_BENCHMARK_DEPENDENCIES = optee-client libyaml
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT),y)
+OPTEE_BENCHMARK_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_URL))
+OPTEE_BENCHMARK_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_BENCHMARK_SOURCE)
+endif
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_GIT_REFERENCE),y)
+OPTEE_BENCHMARK_SITE = $(call github,linaro-swg,optee_benchmark,$(OPTEE_BENCHMARK_VERSION))
+endif
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_LATEST),y)
+OPTEE_BENCHMARK_SITE = $(call github,linaro-swg,optee_benchmark,$(OPTEE_BENCHMARK_VERSION))
+endif
+
+OPTEE_BENCHMARK_INSTALL_STAGING = YES
+OPTEE_BENCHMARK_INSTALL_IMAGES = YES
+
+$(eval $(cmake-package))
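Review bot: `BR2_PACKAGE_OPTEE_BENCHMARK_GIT_REFERENCE` is tested here, but the Config.in added by this same patch defines only the `_LATEST` and `_CUSTOM_GIT` choices, so that block can never be taken. The three separate `ifeq` blocks can be reduced to the `ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT),y) ... else ... endif` shape used in optee-client.mk, which also guarantees `OPTEE_BENCHMARK_SITE` is always set. `OPTEE_BENCHMARK_DEPENDENCIES` lists optee-client, yet Config.in selects only BR2_PACKAGE_LIBYAML; add `select BR2_PACKAGE_OPTEE_CLIENT` there. The header comment spells the package `optee-benchmarch`.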
-- 
1.9.1


* [Buildroot] [PATCH 4/5] optee-examples: new package
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 2/5] optee-client: new package Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 3/5] optee-benchmark: " Etienne Carriere
@ 2018-11-22 15:22 ` Etienne Carriere
  2018-11-23 11:48   ` Shyam Saini
  2018-11-23 18:11   ` [Buildroot] [PATCH v2 " Etienne Carriere
  2018-11-22 15:22 ` [Buildroot] [PATCH 5/5] optee-test: " Etienne Carriere
                   ` (4 subsequent siblings)
  7 siblings, 2 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-22 15:22 UTC (permalink / raw)
  To: buildroot

This package generates embedded Linux based OS userland client
applications and OP-TEE OS trusted applications all embedded in
the file system. These applications show how to use the APIs
OP-TEE OS is based on, both in the non secure and secure worlds.

Package is added next to the OP-TEE client package in the BR
package configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
 package/Config.in                          |  1 +
 package/optee-examples/Config.in           | 57 ++++++++++++++++++++++++++++++
 package/optee-examples/optee-examples.hash |  4 +++
 package/optee-examples/optee-examples.mk   | 48 +++++++++++++++++++++++++
 4 files changed, 110 insertions(+)
 create mode 100644 package/optee-examples/Config.in
 create mode 100644 package/optee-examples/optee-examples.hash
 create mode 100644 package/optee-examples/optee-examples.mk

diff --git a/package/Config.in b/package/Config.in
index 38200af..35870d0 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2049,6 +2049,7 @@ menu "Security"
 	source "package/checkpolicy/Config.in"
 	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
+	source "package/optee-examples/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-examples/Config.in b/package/optee-examples/Config.in
new file mode 100644
index 0000000..1a19791
--- /dev/null
+++ b/package/optee-examples/Config.in
@@ -0,0 +1,57 @@
+config BR2_PACKAGE_OPTEE_EXAMPLES
+	bool "Embed OP-TEE examples"
+	depends on BR2_aarch64 || BR2_arm
+	help
+	  Enable the OP-TEE examples package that brings examples of
+	  implementation of OP-TEE non-secure client applications and
+	  secure trusted applications. OP-TEE examples is a
+	  component delivered by the OP-TEE project.
+
+if BR2_PACKAGE_OPTEE_EXAMPLES
+
+choice
+	prompt "OP-TEE exmaples version"
+	default BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	help
+	  Select the version of OP-TEE exmaples you want to use
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	bool "sync with latest release tag"
+	help
+	  Sync on latest release tag. This currently fetches the
+	  latest registered release tag from the OP-TEE official
+	  Git repository.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_VERSION
+	string
+	default "3.3.0"		if BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	default BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION \
+				if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can
+	  be any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_EXAMPLES
diff --git a/package/optee-examples/optee-examples.hash b/package/optee-examples/optee-examples.hash
new file mode 100644
index 0000000..77b7466
--- /dev/null
+++ b/package/optee-examples/optee-examples.hash
@@ -0,0 +1,4 @@
+# From https://github.com/linaro-swg/optee_examples/archive/3.3.0.tar.gz
+sha256 504642edd1510562dcc213637d8869190dd581986daf938ed3e85088830e0ef9  optee-examples-3.3.0.tar.gz
+# Locally computed
+sha256 6f1ef8449cb82ae79d2155605f7985bdf0f08e7ab5007de9b4362e8bf28733b9  LICENSE
diff --git a/package/optee-examples/optee-examples.mk b/package/optee-examples/optee-examples.mk
new file mode 100644
index 0000000..2edcc45
--- /dev/null
+++ b/package/optee-examples/optee-examples.mk
@@ -0,0 +1,48 @@
+################################################################################
+#
+# optee-examples
+#
+################################################################################
+
+OPTEE_EXAMPLES_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_VERSION))
+OPTEE_EXAMPLES_LICENSE = BSD-2-Clause
+OPTEE_EXAMPLES_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT),y)
+OPTEE_EXAMPLES_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL))
+OPTEE_EXAMPLES_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_EXAMPLES_SOURCE)
+else
+OPTEE_EXAMPLES_SITE = $(call github,linaro-swg,optee_examples,$(OPTEE_EXAMPLES_VERSION))
+endif
+
+OPTEE_EXAMPLES_DEPENDENCIES = optee-client optee-os
+OPTEE_EXAMPLES_INSTALL_STAGING = YES
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
+endif
+
+define OPTEE_EXAMPLES_BUILD_TAS
+	@$(foreach f,$(wildcard $(@D)/*/ta/Makefile), \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
+			O=out TA_DEV_KIT_DIR=$(OPTEE_EXAMPLES_SDK) \
+			-C $(dir $f) all &&) true
+endef
+
+define OPTEE_EXAMPLES_INSTALL_TAS
+	@$(foreach f,$(wildcard $(@D)/*/ta/out/*.ta), \
+		mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
+		$(INSTALL) -v -p --mode=444 \
+			--target-directory=$(TARGET_DIR)/lib/optee_armtz $f \
+			&&) true
+endef
+
+OPTEE_EXAMPLES_POST_BUILD_HOOKS += OPTEE_EXAMPLES_BUILD_TAS
+OPTEE_EXAMPLES_POST_INSTALL_TARGET_HOOKS += OPTEE_EXAMPLES_INSTALL_TAS
+
+$(eval $(cmake-package))
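Review bot: `OPTEE_EXAMPLES_DEPENDENCIES = optee-client optee-os` and `TA_DEV_KIT_DIR=$(OPTEE_EXAMPLES_SDK)` rely on the devkit that optee-os installs under `$(STAGING_DIR)/lib/optee`, but package/optee-examples/Config.in neither selects nor depends on BR2_PACKAGE_OPTEE_CLIENT, BR2_TARGET_OPTEE_OS or BR2_TARGET_OPTEE_OS_SDK. With the devkit option switched off the TA build would have no export directory to point at, so the Kconfig entry should express those requirements. The leading `@` on both `foreach` recipes hides the TA build and install commands from the build log; dropping it keeps what gets installed into `/lib/optee_armtz` auditable. Because these TAs are demonstration code placed where the secure world loads them at runtime, the Config.in help could say the package is not meant for production images.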
-- 
1.9.1


* [Buildroot] [PATCH 5/5] optee-test: new package
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
                   ` (2 preceding siblings ...)
  2018-11-22 15:22 ` [Buildroot] [PATCH 4/5] optee-examples: " Etienne Carriere
@ 2018-11-22 15:22 ` Etienne Carriere
  2018-11-23  3:06   ` Carlos Santos
                     ` (2 more replies)
  2018-11-22 20:18 ` [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Baruch Siach
                   ` (3 subsequent siblings)
  7 siblings, 3 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-22 15:22 UTC (permalink / raw)
  To: buildroot

OP-TEE test package provides test materials as part of the OP-TEE
project helping platforms to verify their OP-TEE components
against a set of regression and performance tests.

Package is added in the BR package configuration next to the
OP-TEE client package.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
 package/Config.in                                  |  1 +
 .../optee-test/3.3.0/0001-cmake-rely-on-C.patch    | 32 +++++++++++
 package/optee-test/Config.in                       | 64 ++++++++++++++++++++++
 package/optee-test/optee-test.hash                 |  4 ++
 package/optee-test/optee-test.mk                   | 49 +++++++++++++++++
 5 files changed, 150 insertions(+)
 create mode 100644 package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
 create mode 100644 package/optee-test/Config.in
 create mode 100644 package/optee-test/optee-test.hash
 create mode 100644 package/optee-test/optee-test.mk

diff --git a/package/Config.in b/package/Config.in
index 35870d0..ff53a75 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2050,6 +2050,7 @@ menu "Security"
 	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
 	source "package/optee-examples/Config.in"
+	source "package/optee-test/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
new file mode 100644
index 0000000..ea7b966
--- /dev/null
+++ b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
@@ -0,0 +1,32 @@
+cmake: component rely on C support
+
+Without specifing optee_client source expects only C source file
+support cmake may attempt to look for resources as g++. When
+building with environments that do not provide such tools as when
+building from native buildroot ofr a qemu target, optee_client
+fails to build. This change ensure a minimal C support allows to
+build optee_client with cmake.
+
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0290205..a3fd269 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ cmake_minimum_required (VERSION 3.2)
++project (optee_test C)
+ 
+ # Default cross compile settings
+ set (CMAKE_TOOLCHAIN_FILE CMakeToolchain.txt)
+diff --git a/ta/CMakeLists.txt b/ta/CMakeLists.txt
+index 22d7727..795237e 100644
+--- a/ta/CMakeLists.txt
++++ b/ta/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-project (xtest-ta-headers)
++project (xtest-ta-headers C)
+ 
+ add_library(${PROJECT_NAME} INTERFACE)
+ 
diff --git a/package/optee-test/Config.in b/package/optee-test/Config.in
new file mode 100644
index 0000000..f06cbf6
--- /dev/null
+++ b/package/optee-test/Config.in
@@ -0,0 +1,64 @@
+config BR2_PACKAGE_OPTEE_TEST
+	bool "optee_test"
+	depends on BR2_aarch64 || BR2_arm
+	help
+	  This build option enables OP-TEE test package from the
+	  OP-TEE project. It helps platforms to verify the OP-TEE
+	  installation against a set of regression and performance
+	  tests.
+
+	  The package generates userspace test applications and
+	  data files for the Linux userland. It also generates
+	  OP-TEE trusted applications embedded in the target
+	  directory /lib/optee-armtz. These are loaded into the
+	  secure world at runtime.
+
+	  http://github.org/OP-TEE/optee_test
+
+if BR2_PACKAGE_OPTEE_TEST
+
+choice
+	prompt "OP-TEE test version"
+	default BR2_PACKAGE_OPTEE_TEST_LATEST
+	help
+	  Select the version of OP-TEE test you want to use
+
+config BR2_PACKAGE_OPTEE_TEST_LATEST
+	bool "sync with latest release tag"
+	help
+	  This fetches the latest registered release tag from
+	  the OP-TEE test official Git repository.
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_TEST_VERSION
+	string
+	default "3.3.0"		if BR2_PACKAGE_OPTEE_TEST_LATEST
+	default BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION \
+				if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can
+	  be any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_TEST
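Review bot: `config BR2_PACKAGE_OPTEE_TEST` depends only on the architecture, while optee-test.mk lists `optee-client optee-os` in `OPTEE_TEST_DEPENDENCIES` and builds the TAs against the dev kit in staging. As written, the option can be enabled while OP-TEE OS or its dev kit is not configured. Add `depends on BR2_TARGET_OPTEE_OS_SDK` (the option that patch 1/5 says installs the dev kit) and `select BR2_PACKAGE_OPTEE_CLIENT` next to the architecture dependency. The help text also places the trusted applications in `/lib/optee-armtz`, whereas the install hook in optee-test.mk uses `/lib/optee_armtz`; the help should use the underscore spelling.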
diff --git a/package/optee-test/optee-test.hash b/package/optee-test/optee-test.hash
new file mode 100644
index 0000000..0da2212
--- /dev/null
+++ b/package/optee-test/optee-test.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
+sha256 9651d5db0d28856e45d6bc25ce603bfcf641435bd3264d95b449f093665c8521  optee-test-3.3.0.tar.gz
+# Locally computed
+sha256 6e6810981f0ddab9e0d44399d0700a15d9f760a3c2843cc866659c2074139ae7  LICENSE.md
diff --git a/package/optee-test/optee-test.mk b/package/optee-test/optee-test.mk
new file mode 100644
index 0000000..68caea7
--- /dev/null
+++ b/package/optee-test/optee-test.mk
@@ -0,0 +1,49 @@
+################################################################################
+#
+# optee-test
+#
+################################################################################
+
+OPTEE_TEST_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_VERSION))
+OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,
+OPTEE_TEST_LICENSE_FILES = LICENSE.md
+
+ifeq ($(BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT),y)
+OPTEE_TEST_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL))
+OPTEE_TEST_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)
+else
+OPTEE_TEST_SITE = $(call github,OP-TEE,optee_test,$(OPTEE_TEST_VERSION))
+endif
+
+OPTEE_TEST_DEPENDENCIES = optee-client optee-os
+OPTEE_TEST_INSTALL_STAGING = YES
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
+endif
+OPTEE_TEST_CONF_OPTS = -DOPTEE_TEST_SDK=$(OPTEE_TEST_SDK)
+
+define OPTEE_TEST_BUILD_TAS
+	@$(foreach f,$(wildcard $(@D)/ta/*/Makefile), \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
+			O=out TA_DEV_KIT_DIR=$(OPTEE_TEST_SDK) \
+			-C $(dir $f) all &&) true
+endef
+
+define OPTEE_TEST_INSTALL_TAS
+	@$(foreach f,$(wildcard $(@D)/ta/*/out/*.ta), \
+		mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
+		$(INSTALL) -v -p --mode=444 \
+			--target-directory=$(TARGET_DIR)/lib/optee_armtz $f \
+			&&) true
+endef
+
+OPTEE_TEST_POST_BUILD_HOOKS += OPTEE_TEST_BUILD_TAS
+OPTEE_TEST_POST_INSTALL_TARGET_HOOKS += OPTEE_TEST_INSTALL_TAS
+
+$(eval $(cmake-package))
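Review bot: In the custom-Git branch, `BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)` switches off the download hash check, and the Config.in help accepts "any Git reference as a tag or a sha1". Nothing then pins the source that ends up as trusted applications in `$(TARGET_DIR)/lib/optee_armtz`. A tag or branch can be moved after the fact, so a comment above that line and the help of `BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION` should say that only a full commit sha1 gives a fixed source, e.g. `# No hash for custom Git: use a full commit sha1 as version to pin the source`. Separately, `OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,` ends with a stray comma.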
-- 
1.9.1


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
                   ` (3 preceding siblings ...)
  2018-11-22 15:22 ` [Buildroot] [PATCH 5/5] optee-test: " Etienne Carriere
@ 2018-11-22 20:18 ` Baruch Siach
  2018-11-23  8:21   ` Etienne Carriere
  2018-11-23  3:01 ` Carlos Santos
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 31+ messages in thread
From: Baruch Siach @ 2018-11-22 20:18 UTC (permalink / raw)
  To: buildroot

Hi Etienne,

Thanks for your contribution. I have a few comments below.

Etienne Carriere writes:
> OP-TEE OS is maintained by the OP-TEE project. It provides an
> open source solution for development and integration of secure
> services for Armv7-A and Armv8-A CPU based platforms supporting
> the TrustZone technology. This technology enables CPUs to
> concurrently host a secure world as the OP-TEE OS and a non-secure
> world as a Linux based OS.
>
> The OP-TEE project maintains other packages to leverage OP-TEE on
> Linux kernel based OSes. An OP-TEE interface driver is available
> in the Linux kernel since 4.12 upon CONFIG_OPTEE.
>
> https://www.op-tee.org/
> https://github.com/OP-TEE/optee_os
>
> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

...

> diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
> new file mode 100644
> index 0000000..5968531
> --- /dev/null
> +++ b/boot/optee-os/Config.in
> @@ -0,0 +1,102 @@
> +config BR2_TARGET_OPTEE_OS
> +	bool "optee_os"
> +	depends on BR2_aarch64 || BR2_arm
> +	select BR2_PACKAGE_OPENSSL # host tool

Which host? Is that the host below which OPTEE OS runs? This is usually
called target in the Buildroot lingo. Please clarify in a comment.

Is that a build time dependency? If so you need to add openssl to
_DEPENDENCIES.

> +	help
> +	  OP-TEE OS provides the secure world boot image and the trust
> +	  application development kit of the OP-TEE project. OP-TEE OS
> +	  also provides generic trusted application one can embedded
> +	  into its system.
> +
> +	  http://github.org/OP-TEE/optee_os
> +
> +if BR2_TARGET_OPTEE_OS
> +
> +choice
> +	prompt "OP-TEE OS version"
> +	default BR2_TARGET_OPTEE_OS_LATEST
> +	help
> +	  Select the version of OP-TEE OS you want to use

Is there a practical need to support separate version
selection for each OPTEE component? If not, then I think this version
selection should apply to all other components.

baruch

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
                   ` (4 preceding siblings ...)
  2018-11-22 20:18 ` [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Baruch Siach
@ 2018-11-23  3:01 ` Carlos Santos
  2018-11-23  7:33   ` Etienne Carriere
  2018-11-23  8:35 ` Shyam Saini
  2018-11-23 18:09 ` [Buildroot] [PATCH v2 1/5] boot/optee-os: new package Etienne Carriere
  7 siblings, 1 reply; 31+ messages in thread
From: Carlos Santos @ 2018-11-23  3:01 UTC (permalink / raw)
  To: buildroot

> From: "Etienne Carriere" <etienne.carriere@linaro.org>
> To: "buildroot" <buildroot@buildroot.org>
> Cc: "etienne carriere" <etienne.carriere@linaro.org>
> Sent: Quinta-feira, 22 de novembro de 2018 13:22:53
> Subject: [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world

[...]
> --- /dev/null
> +++ b/boot/optee-os/Config.in
> @@ -0,0 +1,102 @@
> +config BR2_TARGET_OPTEE_OS
> +	bool "optee_os"
> +	depends on BR2_aarch64 || BR2_arm
> +	select BR2_PACKAGE_OPENSSL # host tool
> +	help
> +	  OP-TEE OS provides the secure world boot image and the trust
> +	  application development kit of the OP-TEE project. OP-TEE OS
> +	  also provides generic trusted application one can embedded
> +	  into its system.
> +
> +	  http://github.org/OP-TEE/optee_os

Must be https://github.com/OP-TEE/optee_os

-- 
Carlos Santos (Casantos) - DATACOM, P&D
“Marched towards the enemy, spear upright, armed with the certainty
that only the ignorant can have.” — Epitaph of a volunteer


* [Buildroot] [PATCH 5/5] optee-test: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 5/5] optee-test: " Etienne Carriere
@ 2018-11-23  3:06   ` Carlos Santos
  2018-11-23 10:10     ` Etienne Carriere
  2018-11-23 11:49   ` Shyam Saini
  2018-11-23 18:11   ` [Buildroot] [PATCH v2 " Etienne Carriere
  2 siblings, 1 reply; 31+ messages in thread
From: Carlos Santos @ 2018-11-23  3:06 UTC (permalink / raw)
  To: buildroot

> From: "Etienne Carriere" <etienne.carriere@linaro.org>
> To: "buildroot" <buildroot@buildroot.org>
> Cc: "etienne carriere" <etienne.carriere@linaro.org>
> Sent: Quinta-feira, 22 de novembro de 2018 13:22:57
> Subject: [Buildroot] [PATCH 5/5] optee-test: new package

[...]
> --- /dev/null
> +++ b/package/optee-test/Config.in
> @@ -0,0 +1,64 @@
> +config BR2_PACKAGE_OPTEE_TEST
> +	bool "optee_test"
> +	depends on BR2_aarch64 || BR2_arm
> +	help
> +	  This build option enables OP-TEE test package from the
> +	  OP-TEE project. It helps platforms to verify the OP-TEE
> +	  installation against a set of regression and performance
> +	  tests.
> +
> +	  The package generates userspace test applications and
> +	  data files for the Linux userland. It also generates
> +	  OP-TEE trusted applications embedded in the target
> +	  directory /lib/optee-armtz. These are loaded into the
> +	  secure world at runtime.
> +
> +	  http://github.org/OP-TEE/optee_test

Must be https://github.com/OP-TEE/optee_test

-- 
Carlos Santos (Casantos) - DATACOM, P&D
“Marched towards the enemy, spear upright, armed with the certainty
that only the ignorant can have.” — Epitaph of a volunteer


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-23  3:01 ` Carlos Santos
@ 2018-11-23  7:33   ` Etienne Carriere
  0 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23  7:33 UTC (permalink / raw)
  To: buildroot

On Fri, 23 Nov 2018 at 04:00, Carlos Santos <casantos@datacom.com.br> wrote:
>
> > From: "Etienne Carriere" <etienne.carriere@linaro.org>
> > To: "buildroot" <buildroot@buildroot.org>
> > Cc: "etienne carriere" <etienne.carriere@linaro.org>
> > Sent: Quinta-feira, 22 de novembro de 2018 13:22:53
> > Subject: [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
>
> [...]
> > --- /dev/null
> > +++ b/boot/optee-os/Config.in
> > @@ -0,0 +1,102 @@
> > +config BR2_TARGET_OPTEE_OS
> > +     bool "optee_os"
> > +     depends on BR2_aarch64 || BR2_arm
> > +     select BR2_PACKAGE_OPENSSL # host tool
> > +     help
> > +       OP-TEE OS provides the secure world boot image and the trust
> > +       application development kit of the OP-TEE project. OP-TEE OS
> > +       also provides generic trusted application one can embedded
> > +       into its system.
> > +
> > +       http://github.org/OP-TEE/optee_os
>
> Must be https://github.com/OP-TEE/optee_os

Oups! yes, my mistake.
I fear I did the same mistake in the other OP-TEE packages.
I'll fix. thanks.

>
> --
> Carlos Santos (Casantos) - DATACOM, P&D
> ?Marched towards the enemy, spear upright, armed with the certainty
> that only the ignorant can have.? ? Epitaph of a volunteer


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-22 20:18 ` [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Baruch Siach
@ 2018-11-23  8:21   ` Etienne Carriere
  2018-11-23 10:05     ` Baruch Siach
  0 siblings, 1 reply; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23  8:21 UTC (permalink / raw)
  To: buildroot

On Thu, 22 Nov 2018 at 21:18, Baruch Siach <baruch@tkos.co.il> wrote:
>
> Hi Etienne,
>
> Thanks for your contribution. I have a few comments below.
>
> Etienne Carriere writes:
> > OP-TEE OS is maintained by the OP-TEE project. It provides an
> > open source solution for development and integration of secure
> > services for Armv7-A and Armv8-A CPU based platforms supporting
> > the TrustZone technology. This technology enables CPUs to
> > concurrently host a secure world as the OP-TEE OS and a non-secure
> > world as a Linux based OS.
> >
> > The OP-TEE project maintains other packages to leverage OP-TEE on
> > Linux kernel based OSes. An OP-TEE interface driver is available
> > in the Linux kernel since 4.12 upon CONFIG_OPTEE.
> >
> > https://www.op-tee.org/
> > https://github.com/OP-TEE/optee_os
> >
> > Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
>
> ...
>
> > diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
> > new file mode 100644
> > index 0000000..5968531
> > --- /dev/null
> > +++ b/boot/optee-os/Config.in
> > @@ -0,0 +1,102 @@
> > +config BR2_TARGET_OPTEE_OS
> > +     bool "optee_os"
> > +     depends on BR2_aarch64 || BR2_arm
> > +     select BR2_PACKAGE_OPENSSL # host tool
>
> Which host? Is that the host below which OPTEE OS runs? This is usually
> called target in the Buildroot lingo. Please clarify in a comment.

I see. Well, it is really the host here: OpenSSL is required to build
the OPTEE OS binaries, it is not required in the target.
I found such "# host tool" comment in some packages and though it was
the shortest explicit way to highlight the deps.

By the way, I have a question: optee-os also requires the Crypto
module from python to build the optee-os target binaries.
It failed with trace:
     File "scripts/pem_to_pub_c.py", line 23, in main
       from Crypto.PublicKey import RSA
   ImportError: No module named Crypto.PublicKey

I tried to resolve this by adding "select BR2_PACKAGE_PYTHON_PYCRYPTO"
here but it did not solve the issue.
Moreover, I had to also enable some configs to get pycrypto to build:
 BR2_PACKAGE_PYTHON=y
 BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
 BR2_USE_WCHAR=y
Finally, i worked around the issue by patching optee-os filetree: port
related scripts to python3

How do you think should have I done to get Crypto module supported for
optee-os build?


>
> Is that a build time dependency? If so you need to add openssl to
> _DEPENDENCIES.

Ok. I understand I need both: BR2_<dep>=y  + add <package>_DEPENDENCIES+= <dep>.

thanks.

>
> > +     help
> > +       OP-TEE OS provides the secure world boot image and the trust
> > +       application development kit of the OP-TEE project. OP-TEE OS
> > +       also provides generic trusted application one can embedded
> > +       into its system.
> > +
> > +       http://github.org/OP-TEE/optee_os
> > +
> > +if BR2_TARGET_OPTEE_OS
> > +
> > +choice
> > +     prompt "OP-TEE OS version"
> > +     default BR2_TARGET_OPTEE_OS_LATEST
> > +     help
> > +       Select the version of OP-TEE OS you want to use
>
> Is there a practical need to support selection separate version
> selection for each OPTEE component? If not then I think this version
> selection should apply to all other components.

Your absolutely right. I will see how to handle that.

regards,
etienne

>
> baruch
>
> --
>      http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
>    - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
                   ` (5 preceding siblings ...)
  2018-11-23  3:01 ` Carlos Santos
@ 2018-11-23  8:35 ` Shyam Saini
  2018-11-23  9:05   ` Etienne Carriere
  2018-11-23 18:09 ` [Buildroot] [PATCH v2 1/5] boot/optee-os: new package Etienne Carriere
  7 siblings, 1 reply; 31+ messages in thread
From: Shyam Saini @ 2018-11-23  8:35 UTC (permalink / raw)
  To: buildroot

Hi Etienne,


>
> OP-TEE OS is maintained by the OP-TEE project. It provides an
> open source solution for development and integration of secure
> services for Armv7-A and Armv8-A CPU based platforms supporting
> the TrustZone technology. This technology enables CPUs to
> concurrently host a secure world as the OP-TEE OS and a non-secure
> world as a Linux based OS.
>
> The OP-TEE project maintains other packages to leverage OP-TEE on
> Linux kernel based OSes. An OP-TEE interface driver is available
> in the Linux kernel since 4.12 upon CONFIG_OPTEE.
>
> https://www.op-tee.org/
> https://github.com/OP-TEE/optee_os
>
> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> ---
>  boot/Config.in                                     |   1 +
>  .../3.3.0/0001-move-python-to-python3.patch        |  26 ++++++
>  boot/optee-os/Config.in                            | 102 ++++++++++++++++++++
>  boot/optee-os/optee-os.hash                        |   4 +
>  boot/optee-os/optee-os.mk                          | 103 +++++++++++++++++++++
>  5 files changed, 236 insertions(+)
>  create mode 100644 boot/optee-os/3.3.0/0001-move-python-to-python3.patch
>  create mode 100644 boot/optee-os/Config.in
>  create mode 100644 boot/optee-os/optee-os.hash
>  create mode 100644 boot/optee-os/optee-os.mk
>
> diff --git a/boot/Config.in b/boot/Config.in
> index 8e0c8e5..cd14731 100644
> --- a/boot/Config.in
> +++ b/boot/Config.in
> @@ -13,6 +13,7 @@ source "boot/gummiboot/Config.in"
>  source "boot/lpc32xxcdl/Config.in"
>  source "boot/mv-ddr-marvell/Config.in"
>  source "boot/mxs-bootlets/Config.in"
> +source "boot/optee-os/Config.in"
>  source "boot/riscv-pk/Config.in"
>  source "boot/s500-bootloader/Config.in"
>  source "boot/syslinux/Config.in"
> diff --git a/boot/optee-os/3.3.0/0001-move-python-to-python3.patch b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> new file mode 100644
> index 0000000..b0ed5b5
> --- /dev/null
> +++ b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> @@ -0,0 +1,26 @@
> +move python scripts to pyhton3
> +
> +Use python3 for scripts depending on module Crypto.
> +
> +Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> +
> +diff --git a/scripts/pem_to_pub_c.py b/scripts/pem_to_pub_c.py
> +index 6b8fa36..0b03d62 100755
> +--- a/scripts/pem_to_pub_c.py
> ++++ b/scripts/pem_to_pub_c.py
> +@@ -1,4 +1,4 @@
> +-#!/usr/bin/env python
> ++#!/usr/bin/env python3
> + # SPDX-License-Identifier: BSD-2-Clause
> + #
> + # Copyright (c) 2015, Linaro Limited
> +diff --git a/scripts/sign.py b/scripts/sign.py
> +index ad47479..348b40a 100755
> +--- a/scripts/sign.py
> ++++ b/scripts/sign.py
> +@@ -1,4 +1,4 @@
> +-#!/usr/bin/env python
> ++#!/usr/bin/env python3
> + #
> + # Copyright (c) 2015, 2017, Linaro Limited
> + #
> diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
> new file mode 100644
> index 0000000..5968531
> --- /dev/null
> +++ b/boot/optee-os/Config.in
> @@ -0,0 +1,102 @@
> +config BR2_TARGET_OPTEE_OS
> +       bool "optee_os"
> +       depends on BR2_aarch64 || BR2_arm
> +       select BR2_PACKAGE_OPENSSL # host tool
> +       help
> +         OP-TEE OS provides the secure world boot image and the trust
> +         application development kit of the OP-TEE project. OP-TEE OS
> +         also provides generic trusted application one can embedded
> +         into its system.
> +
> +         http://github.org/OP-TEE/optee_os
> +
> +if BR2_TARGET_OPTEE_OS
> +
> +choice
> +       prompt "OP-TEE OS version"
> +       default BR2_TARGET_OPTEE_OS_LATEST
> +       help
> +         Select the version of OP-TEE OS you want to use
> +
> +config BR2_TARGET_OPTEE_OS_LATEST
> +       bool "sync with latest registered release tag"
> +       help
> +         This fetches the latest registered release tag from
> +         the OP-TEE OS official Git repository.
> +
> +config BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> +       bool "sync on custom OP-TEE OS Git repository"
> +       help
> +         Sync with a specific OP-TEE Git repository.
> +
> +endchoice
> +
> +config BR2_TARGET_OPTEE_OS_VERSION
> +       string
> +       default "3.3.0"         if BR2_TARGET_OPTEE_OS_LATEST
> +       default BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION \
> +                               if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> +
> +if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> +
> +config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL
> +       string "sourcetree-site"
> +       help
> +         Specific location of the reference source tree Git
> +         repository.
> +
> +config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION
> +       string "git reference to pull"
> +       help
> +         Reference in the target git repository to sync with.
> +
> +endif
> +
> +# Building core, TA libraries/devkit and/or generic TA services
> +
> +config BR2_TARGET_OPTEE_OS_CORE
> +       bool "Build core"
> +       default y
> +       help
> +         This option will build and install the OP-TEE core
> +         boot images.
> +
> +config BR2_TARGET_OPTEE_OS_SDK
> +       bool "Build TA devkit"
> +       default y
> +       help
> +         This option will build and install the OP-TEE development
> +         kit for building OP-TEE trusted application images. It is
> +          installed in the staging filetree in /lib/optee directory.
> +
> +config BR2_TARGET_OPTEE_OS_SERVICES
> +       bool "Build service TAs"
> +       default y
> +       help
> +         This option will build and install the generic trusted
> +         applications in the OP-TEE OS source tree and install
> +         them in the target /lib/optee_armtz directory. At runtime
> +         OP-TEE OS can load trusted applications from a non secure
> +         filesystem into the secure world for execution.
> +
> +# Building TA libraries and/or core images require target platform info
> +
> +config BR2_TARGET_OPTEE_OS_PLATFORM
> +       string "mandatory target PLATFORM"
> +       help
> +         Value for the mandated PLATFORM build directive provided to
> +         OP-TEE OS.
> +
> +config BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR
> +       string "optional target PLATFORM_FLAVOR"
> +       help
> +         Value for the optional PLATFORM_FLAVOR build directive
> +         provided to OP-TEE OS.
> +
> +config BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES
> +       string "Additional OP-TEE OS build variables"
> +       help
> +         Additional parameters for the OP-TEE OS build
> +         E.g. 'CFG_TEE_CORE_LOG_LEVEL=3 CFG_UNWIND=y'
> +
> +endif # BR2_TARGET_OPTEE_OS
> diff --git a/boot/optee-os/optee-os.hash b/boot/optee-os/optee-os.hash
> new file mode 100644
> index 0000000..f68d72f
> --- /dev/null
> +++ b/boot/optee-os/optee-os.hash
> @@ -0,0 +1,4 @@
> +# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
> +sha256 f0c9572d3a341ea37bb8e89cfd511e96d6ca3b2b714b536564e8fedb93b0f44a  optee-os-3.3.0.tar.gz
> +# Locally computed
> +sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
> diff --git a/boot/optee-os/optee-os.mk b/boot/optee-os/optee-os.mk
> new file mode 100644
> index 0000000..2e04ce0
> --- /dev/null
> +++ b/boot/optee-os/optee-os.mk
> @@ -0,0 +1,103 @@
> +################################################################################
> +#
> +# optee-os
> +#
> +################################################################################
> +
> +OPTEE_OS_VERSION = $(call qstrip,$(BR2_TARGET_OPTEE_OS_VERSION))
> +OPTEE_OS_LICENSE = BSD-2-Clause
> +OPTEE_OS_LICENSE_FILES = LICENSE
> +
> +ifeq ($(BR2_TARGET_OPTEE_OS_CUSTOM_GIT),y)
> +OPTEE_OS_SITE = $(call qstrip,$(BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL))
> +OPTEE_OS_SITE_METHOD = git
> +BR_NO_CHECK_HASH_FOR += $(OPTEE_OS_SOURCE)
> +else
> +OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,OPTEE_OS_VERSION)
> +endif
> +
> +# On 64bit targets, OP-TEE OS can be built in 32bit mode, or
> +# can be built in 64bit mode and support 32bit and 64bit
> +# trusted applications. Since buildroot currently references
> +# a single cross compiler, build exclusively in 32bit
> +# or 64bit mode.
> +OPTEE_OS_MAKE_OPTS = CROSS_COMPILE="$(TARGET_CROSS)"
> +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_core="$(TARGET_CROSS)"
> +ifeq ($(BR2_aarch64),y)
> +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm64="$(TARGET_CROSS)"
> +endif
> +ifeq ($(BR2_arm),y)
> +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm32="$(TARGET_CROSS)"
> +endif
> +
> +# Get mandatory PLAFORM and optional PLATFORM_FLAVOR
> +OPTEE_OS_MAKE_OPTS += PLATFORM=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM))
> +ifneq ($(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR),)
> +OPTEE_OS_MAKE_OPTS += PLATFORM_FLAVOR=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR))
> +endif
> +OPTEE_OS_MAKE_OPTS += $(call qstrip,$(BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES))

minor nit, please see below
> +
> +# OP-TEE OS builds from subdirectory build/ of its synced sourcetree root path

optee_os by default uses "out" as its build directory [1]. Shouldn't we
use the same for consistency? We could provide an option
and let the user decide.

[1] https://github.com/OP-TEE/optee_os/blob/master/Makefile#L44

other than that,

Tested-by: Shyam Saini <shyam.saini@amarulasolutions.com>


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-23  8:35 ` Shyam Saini
@ 2018-11-23  9:05   ` Etienne Carriere
  2018-11-23 15:08     ` Etienne Carriere
  0 siblings, 1 reply; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23  9:05 UTC (permalink / raw)
  To: buildroot

On Fri, 23 Nov 2018 at 09:35, Shyam Saini <shyam@amarulasolutions.com> wrote:
>
> Hi Etienne,
>
>
> >
> > OP-TEE OS is maintained by the OP-TEE project. It provides an
> > open source solution for development and integration of secure
> > services for Armv7-A and Armv8-A CPU based platforms supporting
> > the TrustZone technology. This technology enables CPUs to
> > concurrently host a secure world as the OP-TEE OS and a non-secure
> > world as a Linux based OS.
> >
> > The OP-TEE project maintains other packages to leverage OP-TEE on
> > Linux kernel based OSes. An OP-TEE interface driver is available
> > in the Linux kernel since 4.12 upon CONFIG_OPTEE.
> >
> > https://www.op-tee.org/
> > https://github.com/OP-TEE/optee_os
> >
> > Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> > ---
> >  boot/Config.in                                     |   1 +
> >  .../3.3.0/0001-move-python-to-python3.patch        |  26 ++++++
> >  boot/optee-os/Config.in                            | 102 ++++++++++++++++++++
> >  boot/optee-os/optee-os.hash                        |   4 +
> >  boot/optee-os/optee-os.mk                          | 103 +++++++++++++++++++++
> >  5 files changed, 236 insertions(+)
> >  create mode 100644 boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> >  create mode 100644 boot/optee-os/Config.in
> >  create mode 100644 boot/optee-os/optee-os.hash
> >  create mode 100644 boot/optee-os/optee-os.mk
> >
> > diff --git a/boot/Config.in b/boot/Config.in
> > index 8e0c8e5..cd14731 100644
> > --- a/boot/Config.in
> > +++ b/boot/Config.in
> > @@ -13,6 +13,7 @@ source "boot/gummiboot/Config.in"
> >  source "boot/lpc32xxcdl/Config.in"
> >  source "boot/mv-ddr-marvell/Config.in"
> >  source "boot/mxs-bootlets/Config.in"
> > +source "boot/optee-os/Config.in"
> >  source "boot/riscv-pk/Config.in"
> >  source "boot/s500-bootloader/Config.in"
> >  source "boot/syslinux/Config.in"
> > diff --git a/boot/optee-os/3.3.0/0001-move-python-to-python3.patch b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> > new file mode 100644
> > index 0000000..b0ed5b5
> > --- /dev/null
> > +++ b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> > @@ -0,0 +1,26 @@
> > +move python scripts to pyhton3
> > +
> > +Use python3 for scripts depending on module Crypto.
> > +
> > +Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> > +
> > +diff --git a/scripts/pem_to_pub_c.py b/scripts/pem_to_pub_c.py
> > +index 6b8fa36..0b03d62 100755
> > +--- a/scripts/pem_to_pub_c.py
> > ++++ b/scripts/pem_to_pub_c.py
> > +@@ -1,4 +1,4 @@
> > +-#!/usr/bin/env python
> > ++#!/usr/bin/env python3
> > + # SPDX-License-Identifier: BSD-2-Clause
> > + #
> > + # Copyright (c) 2015, Linaro Limited
> > +diff --git a/scripts/sign.py b/scripts/sign.py
> > +index ad47479..348b40a 100755
> > +--- a/scripts/sign.py
> > ++++ b/scripts/sign.py
> > +@@ -1,4 +1,4 @@
> > +-#!/usr/bin/env python
> > ++#!/usr/bin/env python3
> > + #
> > + # Copyright (c) 2015, 2017, Linaro Limited
> > + #
> > diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
> > new file mode 100644
> > index 0000000..5968531
> > --- /dev/null
> > +++ b/boot/optee-os/Config.in
> > @@ -0,0 +1,102 @@
> > +config BR2_TARGET_OPTEE_OS
> > +       bool "optee_os"
> > +       depends on BR2_aarch64 || BR2_arm
> > +       select BR2_PACKAGE_OPENSSL # host tool
> > +       help
> > +         OP-TEE OS provides the secure world boot image and the trust
> > +         application development kit of the OP-TEE project. OP-TEE OS
> > +         also provides generic trusted application one can embedded
> > +         into its system.
> > +
> > +         http://github.org/OP-TEE/optee_os
> > +
> > +if BR2_TARGET_OPTEE_OS
> > +
> > +choice
> > +       prompt "OP-TEE OS version"
> > +       default BR2_TARGET_OPTEE_OS_LATEST
> > +       help
> > +         Select the version of OP-TEE OS you want to use
> > +
> > +config BR2_TARGET_OPTEE_OS_LATEST
> > +       bool "sync with latest registered release tag"
> > +       help
> > +         This fetches the latest registered release tag from
> > +         the OP-TEE OS official Git repository.
> > +
> > +config BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> > +       bool "sync on custom OP-TEE OS Git repository"
> > +       help
> > +         Sync with a specific OP-TEE Git repository.
> > +
> > +endchoice
> > +
> > +config BR2_TARGET_OPTEE_OS_VERSION
> > +       string
> > +       default "3.3.0"         if BR2_TARGET_OPTEE_OS_LATEST
> > +       default BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION \
> > +                               if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> > +
> > +if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> > +
> > +config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL
> > +       string "sourcetree-site"
> > +       help
> > +         Specific location of the reference source tree Git
> > +         repository.
> > +
> > +config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION
> > +       string "git reference to pull"
> > +       help
> > +         Reference in the target git repository to sync with.
> > +
> > +endif
> > +
> > +# Building core, TA libraries/devkit and/or generic TA services
> > +
> > +config BR2_TARGET_OPTEE_OS_CORE
> > +       bool "Build core"
> > +       default y
> > +       help
> > +         This option will build and install the OP-TEE core
> > +         boot images.
> > +
> > +config BR2_TARGET_OPTEE_OS_SDK
> > +       bool "Build TA devkit"
> > +       default y
> > +       help
> > +         This option will build and install the OP-TEE development
> > +         kit for building OP-TEE trusted application images. It is
> > +          installed in the staging filetree in /lib/optee directory.
> > +
> > +config BR2_TARGET_OPTEE_OS_SERVICES
> > +       bool "Build service TAs"
> > +       default y
> > +       help
> > +         This option will build and install the generic trusted
> > +         applications in the OP-TEE OS source tree and install
> > +         them in the target /lib/optee_armtz directory. At runtime
> > +         OP-TEE OS can load trusted applications from a non secure
> > +         filesystem into the secure world for execution.
> > +
> > +# Building TA libraries and/or core images require target platform info
> > +
> > +config BR2_TARGET_OPTEE_OS_PLATFORM
> > +       string "mandatory target PLATFORM"
> > +       help
> > +         Value for the mandated PLATFORM build directive provided to
> > +         OP-TEE OS.
> > +
> > +config BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR
> > +       string "optional target PLATFORM_FLAVOR"
> > +       help
> > +         Value for the optional PLATFORM_FLAVOR build directive
> > +         provided to OP-TEE OS.
> > +
> > +config BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES
> > +       string "Additional OP-TEE OS build variables"
> > +       help
> > +         Additional parameters for the OP-TEE OS build
> > +         E.g. 'CFG_TEE_CORE_LOG_LEVEL=3 CFG_UNWIND=y'
> > +
> > +endif # BR2_TARGET_OPTEE_OS
> > diff --git a/boot/optee-os/optee-os.hash b/boot/optee-os/optee-os.hash
> > new file mode 100644
> > index 0000000..f68d72f
> > --- /dev/null
> > +++ b/boot/optee-os/optee-os.hash
> > @@ -0,0 +1,4 @@
> > +# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
> > +sha256 f0c9572d3a341ea37bb8e89cfd511e96d6ca3b2b714b536564e8fedb93b0f44a  optee-os-3.3.0.tar.gz
> > +# Locally computed
> > +sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
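Review bot: The provenance comment on the first line of optee-os.hash names the `optee_test` archive, while the entry below it is for `optee-os-3.3.0.tar.gz`, so a reader cannot tell which upstream tarball the sha256 was computed on. If the digest was taken from the optee_os archive, the comment should read `# From https://github.com/OP-TEE/optee_os/archive/3.3.0.tar.gz`. If the line was copied from the optee-test package together with its digest, the digest needs recomputing as well, since this file is the only integrity check on the secure-world sources.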
> > diff --git a/boot/optee-os/optee-os.mk b/boot/optee-os/optee-os.mk
> > new file mode 100644
> > index 0000000..2e04ce0
> > --- /dev/null
> > +++ b/boot/optee-os/optee-os.mk
> > @@ -0,0 +1,103 @@
> > +################################################################################
> > +#
> > +# optee-os
> > +#
> > +################################################################################
> > +
> > +OPTEE_OS_VERSION = $(call qstrip,$(BR2_TARGET_OPTEE_OS_VERSION))
> > +OPTEE_OS_LICENSE = BSD-2-Clause
> > +OPTEE_OS_LICENSE_FILES = LICENSE
> > +
> > +ifeq ($(BR2_TARGET_OPTEE_OS_CUSTOM_GIT),y)
> > +OPTEE_OS_SITE = $(call qstrip,$(BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL))
> > +OPTEE_OS_SITE_METHOD = git
> > +BR_NO_CHECK_HASH_FOR += $(OPTEE_OS_SOURCE)
> > +else
> > +OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,OPTEE_OS_VERSION)
> > +endif
> > +
> > +# On 64bit targets, OP-TEE OS can be built in 32bit mode, or
> > +# can be built in 64bit mode and support 32bit and 64bit
> > +# trusted applications. Since buildroot currently references
> > +# a single cross compiler, build exclusively in 32bit
> > +# or 64bit mode.
> > +OPTEE_OS_MAKE_OPTS = CROSS_COMPILE="$(TARGET_CROSS)"
> > +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_core="$(TARGET_CROSS)"
> > +ifeq ($(BR2_aarch64),y)
> > +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm64="$(TARGET_CROSS)"
> > +endif
> > +ifeq ($(BR2_arm),y)
> > +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm32="$(TARGET_CROSS)"
> > +endif
> > +
> > +# Get mandatory PLAFORM and optional PLATFORM_FLAVOR
> > +OPTEE_OS_MAKE_OPTS += PLATFORM=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM))
> > +ifneq ($(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR),)
> > +OPTEE_OS_MAKE_OPTS += PLATFORM_FLAVOR=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR))
> > +endif
> > +OPTEE_OS_MAKE_OPTS += $(call qstrip,$(BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES))
>
> minor nit, please see below
> > +
> > +# OP-TEE OS builds from subdirectory build/ of its synced sourcetree root path
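Review bot: In the non-custom branch, `OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,OPTEE_OS_VERSION)` passes the literal text `OPTEE_OS_VERSION` as the third argument instead of the variable's value, so as written the download location does not follow `BR2_TARGET_OPTEE_OS_VERSION`. The line should read `OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,$(OPTEE_OS_VERSION))`, which is the form the optee-client and optee-examples makefiles in this series use. The comment `# Get mandatory PLAFORM and optional PLATFORM_FLAVOR` also misspells `PLATFORM`. The quoted hunk is cut at this point, so the rest of optee-os.mk is not covered here.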
>
> optee_os by default uses [1] "out" as build directory, Shouldn't  we
> use the same for consistency. We can provide option
> and let the user decide?

I thought it would be better to have this makefile agnostic of the
optee_os default output path.
I guess a build option with a known default value is more flexible.
However, I did not find such an option in other BR packages, so I wonder if it is a good idea.

>
> [1] https://github.com/OP-TEE/optee_os/blob/master/Makefile#L44
>
> other than that,
>
> Tested-by: Shyam Saini <shyam.saini@amarulasolutions.com>

Thanks a lot.

etienne


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-23  8:21   ` Etienne Carriere
@ 2018-11-23 10:05     ` Baruch Siach
  2018-11-23 10:13       ` Etienne Carriere
  0 siblings, 1 reply; 31+ messages in thread
From: Baruch Siach @ 2018-11-23 10:05 UTC (permalink / raw)
  To: buildroot

Hi Etienne,

Etienne Carriere writes:
> On Thu, 22 Nov 2018 at 21:18, Baruch Siach <baruch@tkos.co.il> wrote:
>> Thanks for your contribution. I have a few comments below.
>>
>> Etienne Carriere writes:
>> > OP-TEE OS is maintained by the OP-TEE project. It provides an
>> > open source solution for development and integration of secure
>> > services for Armv7-A and Armv8-A CPU based platforms supporting
>> > the TrustZone technology. This technology enables CPUs to
>> > concurrently host a secure world as the OP-TEE OS and a non-secure
>> > world as a Linux based OS.
>> >
>> > The OP-TEE project maintains other packages to leverage OP-TEE on
>> > Linux kernel based OSes. An OP-TEE interface driver is available
>> > in the Linux kernel since 4.12 upon CONFIG_OPTEE.
>> >
>> > https://www.op-tee.org/
>> > https://github.com/OP-TEE/optee_os
>> >
>> > Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
>>
>> ...
>>
>> > diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
>> > new file mode 100644
>> > index 0000000..5968531
>> > --- /dev/null
>> > +++ b/boot/optee-os/Config.in
>> > @@ -0,0 +1,102 @@
>> > +config BR2_TARGET_OPTEE_OS
>> > +     bool "optee_os"
>> > +     depends on BR2_aarch64 || BR2_arm
>> > +     select BR2_PACKAGE_OPENSSL # host tool
>>
>> Which host? Is that the host below which OPTEE OS runs? This is usually
>> called target in the Buildroot lingo. Please clarify in a comment.
>
> I see. Well, it is really the host here: OpenSSL is required to build
> the OPTEE OS binaries, it is not required in the target.
> I found such "# host tool" comment in some packages and though it was
> the shortest explicit way to highlight the deps.

Your 'select' enables the target OpenSSL, which is not what you
need. You only need to add host-openssl to the _DEPENDENCIES of your
package. No need to 'select' the host package.

Make sure to test on a host that has no openssl tools installed by the
distro. Your build test succeeds because your package is actually using
your distro installed tools. That didn't work for your other dependency
...

> By the way, I have a questions on
> optee-os also requires the Crypto module from python to build the
> optee-os target binaries.
> It failed with trace:
>      File "scripts/pem_to_pub_c.py", line 23, in main
>        from Crypto.PublicKey import RSA
>    ImportError: No module named Crypto.PublicKey
>
> I tried to resolve this by adding "select BR2_PACKAGE_PYTHON_PYCRYPTO"
> here but it did not solve the issue.
> Moreover, I had to also enable some configs to get pycrypto to build:
>  BR2_PACKAGE_PYTHON=y
>  BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
>  BR2_USE_WCHAR=y
> Finally, i worked around the issue by patching optee-os filetree: port
> related scripts to python3
>
> How do you think should have I done to get Crypto module supported for
> optee-os build?

Here again BR2_PACKAGE_PYTHON_PYCRYPTO enables the target package, while
you need the host package. The solution is the same: add
host-python-pycrypto to your _DEPENDENCIES.

>> Is that a build time dependency? If so you need to add openssl to
>> _DEPENDENCIES.
>
> Ok. I understand I need both: BR2_<dep>=y  + add
> <package>_DEPENDENCIES+= <dep>.

For target package you need both. For host packages you don't need BR2_<dep>.

>> > +     help
>> > +       OP-TEE OS provides the secure world boot image and the trust
>> > +       application development kit of the OP-TEE project. OP-TEE OS
>> > +       also provides generic trusted application one can embedded
>> > +       into its system.
>> > +
>> > +       http://github.org/OP-TEE/optee_os
>> > +
>> > +if BR2_TARGET_OPTEE_OS
>> > +
>> > +choice
>> > +     prompt "OP-TEE OS version"
>> > +     default BR2_TARGET_OPTEE_OS_LATEST
>> > +     help
>> > +       Select the version of OP-TEE OS you want to use
>>
>> Is there a practical need to support selection separate version
>> selection for each OPTEE component? If not then I think this version
>> selection should apply to all other components.
>
> Your absolutely right. I will see how to handle that.

baruch

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH 5/5] optee-test: new package
  2018-11-23  3:06   ` Carlos Santos
@ 2018-11-23 10:10     ` Etienne Carriere
  0 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 10:10 UTC (permalink / raw)
  To: buildroot

On Fri, 23 Nov 2018 at 04:06, Carlos Santos <casantos@datacom.com.br> wrote:
>
> > From: "Etienne Carriere" <etienne.carriere@linaro.org>
> > To: "buildroot" <buildroot@buildroot.org>
> > Cc: "etienne carriere" <etienne.carriere@linaro.org>
> > Sent: Quinta-feira, 22 de novembro de 2018 13:22:57
> > Subject: [Buildroot] [PATCH 5/5] optee-test: new package
>
> [...]
> > --- /dev/null
> > +++ b/package/optee-test/Config.in
> > @@ -0,0 +1,64 @@
> > +config BR2_PACKAGE_OPTEE_TEST
> > +     bool "optee_test"
> > +     depends on BR2_aarch64 || BR2_arm
> > +     help
> > +       This build option enables OP-TEE test package from the
> > +       OP-TEE project. It helps platforms to verify the OP-TEE
> > +       installation against a set of regression and performance
> > +       tests.
> > +
> > +       The package generates userspace test applications and
> > +       data files for the Linux userland. It also generates
> > +       OP-TEE trusted applications embedded in the target
> > +       directory /lib/optee-armtz. These are loaded into the
> > +       secure world at runtime.
> > +
> > +       http://github.org/OP-TEE/optee_test
>
> Must be https://github.com/OP-TEE/optee_test

Hello Carlos,

Yes, thanks.

regards,
etienne

>
> --
> Carlos Santos (Casantos) - DATACOM, P&D
> “Marched towards the enemy, spear upright, armed with the certainty
> that only the ignorant can have.” — Epitaph of a volunteer


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-23 10:05     ` Baruch Siach
@ 2018-11-23 10:13       ` Etienne Carriere
  0 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 10:13 UTC (permalink / raw)
  To: buildroot

On Fri, 23 Nov 2018 at 11:05, Baruch Siach <baruch@tkos.co.il> wrote:
>
> Hi Etienne,
>
> Etienne Carriere writes:
> > On Thu, 22 Nov 2018 at 21:18, Baruch Siach <baruch@tkos.co.il> wrote:
> >> Thanks for your contribution. I have a few comments below.
> >>
> >> Etienne Carriere writes:
> >> > OP-TEE OS is maintained by the OP-TEE project. It provides an
> >> > open source solution for development and integration of secure
> >> > services for Armv7-A and Armv8-A CPU based platforms supporting
> >> > the TrustZone technology. This technology enables CPUs to
> >> > concurrently host a secure world as the OP-TEE OS and a non-secure
> >> > world as a Linux based OS.
> >> >
> >> > The OP-TEE project maintains other packages to leverage OP-TEE on
> >> > Linux kernel based OSes. An OP-TEE interface driver is available
> >> > in the Linux kernel since 4.12 upon CONFIG_OPTEE.
> >> >
> >> > https://www.op-tee.org/
> >> > https://github.com/OP-TEE/optee_os
> >> >
> >> > Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> >>
> >> ...
> >>
> >> > diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
> >> > new file mode 100644
> >> > index 0000000..5968531
> >> > --- /dev/null
> >> > +++ b/boot/optee-os/Config.in
> >> > @@ -0,0 +1,102 @@
> >> > +config BR2_TARGET_OPTEE_OS
> >> > +     bool "optee_os"
> >> > +     depends on BR2_aarch64 || BR2_arm
> >> > +     select BR2_PACKAGE_OPENSSL # host tool
> >>
> >> Which host? Is that the host below which OPTEE OS runs? This is usually
> >> called target in the Buildroot lingo. Please clarify in a comment.
> >
> > I see. Well, it is really the host here: OpenSSL is required to build
> > the OPTEE OS binaries, it is not required in the target.
> > I found such "# host tool" comment in some packages and though it was
> > the shortest explicit way to highlight the deps.
>
> Your 'select' enables the target OpenSSL, which is not what you
> need. You only need to add host-openssl to the _DEPENDENCIES of your
> package. No need to 'select' the host package.
>
> Make sure to test on a host that has no openssl tools installed by the
> distro. Your build test succeeds because your package is actually using
> your distro installed tools. That didn't work for your other dependency
> ...
>
> > By the way, I have a questions on
> > optee-os also requires the Crypto module from python to build the
> > optee-os target binaries.
> > It failed with trace:
> >      File "scripts/pem_to_pub_c.py", line 23, in main
> >        from Crypto.PublicKey import RSA
> >    ImportError: No module named Crypto.PublicKey
> >
> > I tried to resolve this by adding "select BR2_PACKAGE_PYTHON_PYCRYPTO"
> > here but it did not solve the issue.
> > Moreover, I had to also enable some configs to get pycrypto to build:
> >  BR2_PACKAGE_PYTHON=y
> >  BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
> >  BR2_USE_WCHAR=y
> > Finally, i worked around the issue by patching optee-os filetree: port
> > related scripts to python3
> >
> > How do you think should have I done to get Crypto module supported for
> > optee-os build?
>
> Here again BR2_PACKAGE_PYTHON_PYCRYPTO enables the target package, while
> you need the host package. The solutions is the same. Add
> host-python-pycrypto to your _DEPENDENCIES.
>
> >> Is that a build time dependency? If so you need to add openssl to
> >> _DEPENDENCIES.
> >
> > Ok. I understand I need both: BR2_<dep>=y  + add
> > <package>_DEPENDENCIES+= <dep>.
>
> For target package you need both. For host packages you don't need BR2_<dep>.

Ok Baruch,
Thanks a lot for the details.

etienne

>
> >> > +     help
> >> > +       OP-TEE OS provides the secure world boot image and the trust
> >> > +       application development kit of the OP-TEE project. OP-TEE OS
> >> > +       also provides generic trusted application one can embedded
> >> > +       into its system.
> >> > +
> >> > +       http://github.org/OP-TEE/optee_os
> >> > +
> >> > +if BR2_TARGET_OPTEE_OS
> >> > +
> >> > +choice
> >> > +     prompt "OP-TEE OS version"
> >> > +     default BR2_TARGET_OPTEE_OS_LATEST
> >> > +     help
> >> > +       Select the version of OP-TEE OS you want to use
> >>
> >> Is there a practical need to support selection separate version
> >> selection for each OPTEE component? If not then I think this version
> >> selection should apply to all other components.
> >
> > Your absolutely right. I will see how to handle that.
>
> baruch
>
> --
>      http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
> =}------------------------------------------------ooO--U--Ooo------------{=
>    - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -


* [Buildroot] [PATCH 2/5] optee-client: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 2/5] optee-client: new package Etienne Carriere
@ 2018-11-23 11:48   ` Shyam Saini
  2018-11-23 18:10   ` [Buildroot] [PATCH v2 " Etienne Carriere
  1 sibling, 0 replies; 31+ messages in thread
From: Shyam Saini @ 2018-11-23 11:48 UTC (permalink / raw)
  To: buildroot

On Thu, Nov 22, 2018 at 8:53 PM Etienne Carriere
<etienne.carriere@linaro.org> wrote:
>
> OP-TEE client API library and supplicant daemon from the
> OP-TEE project.
>
> The package is added to the Security menu of BR configuration.
>
> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> ---
>  package/Config.in                      |  1 +
>  package/optee-client/Config.in         | 62 ++++++++++++++++++++++++++++++++++
>  package/optee-client/S30optee          | 26 ++++++++++++++
>  package/optee-client/optee-client.hash |  4 +++
>  package/optee-client/optee-client.mk   | 31 +++++++++++++++++
>  5 files changed, 124 insertions(+)
>  create mode 100644 package/optee-client/Config.in
>  create mode 100644 package/optee-client/S30optee
>  create mode 100644 package/optee-client/optee-client.hash
>  create mode 100644 package/optee-client/optee-client.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index b60e770..8c3b1bf 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2047,6 +2047,7 @@ endmenu
>
>  menu "Security"
>         source "package/checkpolicy/Config.in"
> +       source "package/optee-client/Config.in"
>         source "package/paxtest/Config.in"
>         source "package/policycoreutils/Config.in"
>         source "package/refpolicy/Config.in"
> diff --git a/package/optee-client/Config.in b/package/optee-client/Config.in
> new file mode 100644
> index 0000000..c3f28c1
> --- /dev/null
> +++ b/package/optee-client/Config.in
> @@ -0,0 +1,62 @@
> +config BR2_PACKAGE_OPTEE_CLIENT
> +       bool "Embed OP-TEE client"
> +       help
> +         Enable the OP-TEE client package that brings non-secure
> +         client application resources for OP-TEE support. OP-TEE
> +         client is a component delivered by the OP-TEE project.
> +
> +         https://github.com/OP-TEE/optee_client
> +
> +         The client API library allows application to invoke
> +         trusted applications hosted in the OP-TEE OS secure world.
> +         The supplicant provides services hosted by the non-secure
> +         world and invoked by the secure world.
> +
> +if BR2_PACKAGE_OPTEE_CLIENT
> +
> +choice
> +       prompt "OP-TEE client version"
> +       default BR2_PACKAGE_OPTEE_CLIENT_LATEST
> +       help
> +         Select the version of OP-TEE client you want to use
> +
> +config BR2_PACKAGE_OPTEE_CLIENT_LATEST
> +       bool "sync with latest registered release tag"
> +       help
> +         Sync on latest release tag. This currently fetches the
> +         latest registered release tag from the OP-TEE official
> +         Git repository.
> +
> +config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
> +       bool "sync with a specific Git"
> +       help
> +         Sync with a specific OP-TEE Git repository.
> +
> +endchoice
> +
> +config BR2_PACKAGE_OPTEE_CLIENT_VERSION
> +       string
> +       default "3.3.0"         if BR2_PACKAGE_OPTEE_CLIENT_LATEST
> +       default BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION \
> +                               if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
> +       help
> +         Reference in the target Git repository to sync with.
> +
> +if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
> +
> +config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL
> +       string "Git repository site"
> +       help
> +         Specific location of the reference source tree Git
> +         repository.
> +
> +config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION
> +       string "target reference to pull in the Git repository"
> +       help
> +         Package version reference to sync with. As source file
> +         reference is a Git repository, the version reference can
> +         be any Git reference as a tag or a sha1.
> +
> +endif
> +
> +endif #BR2_PACKAGE_OPTEE_CLIENT
> diff --git a/package/optee-client/S30optee b/package/optee-client/S30optee
> new file mode 100644
> index 0000000..c893243
> --- /dev/null
> +++ b/package/optee-client/S30optee
> @@ -0,0 +1,26 @@
> +#!/bin/sh
> +#
> +# /etc/init.d/optee
> +#
> +# Start/stop tee-supplicant (OP-TEE normal world daemon)
> +#
> +case "$1" in
> +    start)
> +       if [ -e /usr/sbin/tee-supplicant -a -e /dev/teepriv0 ]; then
> +               echo "Starting tee-supplicant..."
> +               /usr/sbin/tee-supplicant &
> +               exit 0
> +       else
> +               echo "tee-supplicant or TEE device not found"
> +               exit 1
> +       fi
> +
> +        ;;
> +    stop)
> +       killall tee-supplicant
> +       ;;
> +    status)
> +       cat /dev/teepriv0 2>&1 | grep -q "Device or resource busy" || not="not "
> +       echo "tee-supplicant is ${not}active"
> +       ;;
> +esac
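Review bot: The `status` branch infers whether the daemon is running by executing `cat /dev/teepriv0` and grepping for the English message "Device or resource busy", which makes the init script open the supplicant's own device node and gives the wrong answer whenever the error text differs. `start` has a related gap: it backgrounds the binary with `&` and exits 0 before knowing whether it came up, and `stop` kills by process name. A pidfile handles all three, e.g. `start-stop-daemon -S -q -b -m -p /var/run/tee-supplicant.pid -x /usr/sbin/tee-supplicant` in `start` and `start-stop-daemon -K -q -p /var/run/tee-supplicant.pid` in `stop`, with `status` checking that pid.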
> diff --git a/package/optee-client/optee-client.hash b/package/optee-client/optee-client.hash
> new file mode 100644
> index 0000000..ed7bf4e
> --- /dev/null
> +++ b/package/optee-client/optee-client.hash
> @@ -0,0 +1,4 @@
> +# From https://github.com/OP-TEE/optee_client/archive/3.3.0.tar.gz
> +sha256 63af1567fdcdbe28b45be274266a89aa81bef3d0fd8ec5a6eb680046a92e1177  optee-client-3.3.0.tar.gz
> +# Locally computed
> +sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
> diff --git a/package/optee-client/optee-client.mk b/package/optee-client/optee-client.mk
> new file mode 100644
> index 0000000..e856ca5
> --- /dev/null
> +++ b/package/optee-client/optee-client.mk
> @@ -0,0 +1,31 @@
> +################################################################################
> +#
> +# optee-client
> +#
> +################################################################################
> +
> +OPTEE_CLIENT_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_VERSION))
> +OPTEE_CLIENT_LICENSE = BSD-3-Clause
> +OPTEE_CLIENT_LICENSE_FILES = LICENSE
> +
> +ifeq ($(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT),y)
> +OPTEE_CLIENT_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL))
> +OPTEE_CLIENT_SITE_METHOD = git
> +BR_NO_CHECK_HASH_FOR += $(OPTEE_CLIENT_SOURCE)
> +else
> +OPTEE_CLIENT_SITE = $(call github,OP-TEE,optee_client,$(OPTEE_CLIENT_VERSION))
> +endif
> +
> +define OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT
> +       $(INSTALL) -m 0755 -D $(OPTEE_CLIENT_PKGDIR)/S30optee \
> +               $(TARGET_DIR)/etc/init.d/S30optee
> +endef
> +
> +define OPTEE_CLIENT_INSTALL_INIT_SYSV
> +       $(OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT)
> +endef
> +
> +OPTEE_CLIENT_INSTALL_STAGING = YES
> +OPTEE_CLIENT_INSTALL_IMAGES = YES
> +
> +$(eval $(cmake-package))
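Review bot: When `BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT` is set, the makefile adds the source to `BR_NO_CHECK_HASH_FOR`, so nothing verifies what was fetched, and the Config.in help for `BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION` accepts any Git reference "as a tag or a sha1". A tag or branch can be moved in the remote repository, so the code that ends up in the image can change with no change in the Buildroot configuration. The help text should say this and recommend a full commit id, for example `Prefer a full commit sha1: tags and branches can move, and no hash is checked for a custom repository.` The same pattern appears in optee-os.mk and optee-examples.mk in this series.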

Tested-by: Shyam Saini <shyam.saini@amarulasolutions.com>


* [Buildroot] [PATCH 4/5] optee-examples: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 4/5] optee-examples: " Etienne Carriere
@ 2018-11-23 11:48   ` Shyam Saini
  2018-11-23 18:11   ` [Buildroot] [PATCH v2 " Etienne Carriere
  1 sibling, 0 replies; 31+ messages in thread
From: Shyam Saini @ 2018-11-23 11:48 UTC (permalink / raw)
  To: buildroot

On Thu, Nov 22, 2018 at 8:53 PM Etienne Carriere
<etienne.carriere@linaro.org> wrote:
>
> This package generates embedded Linux based OS userland client
> applications and OP-TEE OS trusted applications all embedded in
> the file system. These applications shows how to use the APIs
> OP-TEE OS is based on, both in the non secure and secure worlds.
>
> Package is added next to the OP-TEE client package in the BR
> package configuration.
>
> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> ---
>  package/Config.in                          |  1 +
>  package/optee-examples/Config.in           | 57 ++++++++++++++++++++++++++++++
>  package/optee-examples/optee-examples.hash |  4 +++
>  package/optee-examples/optee-examples.mk   | 48 +++++++++++++++++++++++++
>  4 files changed, 110 insertions(+)
>  create mode 100644 package/optee-examples/Config.in
>  create mode 100644 package/optee-examples/optee-examples.hash
>  create mode 100644 package/optee-examples/optee-examples.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index 38200af..35870d0 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2049,6 +2049,7 @@ menu "Security"
>         source "package/checkpolicy/Config.in"
>         source "package/optee-benchmark/Config.in"
>         source "package/optee-client/Config.in"
> +       source "package/optee-examples/Config.in"
>         source "package/paxtest/Config.in"
>         source "package/policycoreutils/Config.in"
>         source "package/refpolicy/Config.in"
> diff --git a/package/optee-examples/Config.in b/package/optee-examples/Config.in
> new file mode 100644
> index 0000000..1a19791
> --- /dev/null
> +++ b/package/optee-examples/Config.in
> @@ -0,0 +1,57 @@
> +config BR2_PACKAGE_OPTEE_EXAMPLES
> +       bool "Embed OP-TEE examples"
> +       depends on BR2_aarch64 || BR2_arm
> +       help
> +         Enable the OP-TEE examples package that brings examples of
> +         implementation of OP-TEE non-secure client applications and
> +         secure trusted applications. OP-TEE examples is a
> +         component delivered by the OP-TEE project.
> +
> +if BR2_PACKAGE_OPTEE_EXAMPLES
> +
> +choice
> +       prompt "OP-TEE exmaples version"
> +       default BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
> +       help
> +         Select the version of OP-TEE exmaples you want to use
> +
> +config BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
> +       bool "sync with latest release tag"
> +       help
> +         Sync on latest release tag. This currently fetches the
> +         latest registered release tag from the OP-TEE official
> +         Git repository.
> +
> +config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
> +       bool "sync with a specific Git"
> +       help
> +         Sync with a specific OP-TEE Git repository.
> +
> +endchoice
> +
> +config BR2_PACKAGE_OPTEE_EXAMPLES_VERSION
> +       string
> +       default "3.3.0"         if BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
> +       default BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION \
> +                               if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
> +       help
> +         Reference in the target Git repository to sync with.
> +
> +if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
> +
> +config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL
> +       string "Git repository site"
> +       help
> +         Specific location of the reference source tree Git
> +         repository.
> +
> +config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION
> +       string "target reference to pull in the Git repository"
> +       help
> +         Package version reference to sync with. As source file
> +         reference is a Git repository, the version reference can
> +         be any Git reference as a tag or a sha1.
> +
> +endif
> +
> +endif #BR2_PACKAGE_OPTEE_EXAMPLES
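Review bot: `BR2_PACKAGE_OPTEE_EXAMPLES` neither selects nor depends on the packages that optee-examples.mk lists in `OPTEE_EXAMPLES_DEPENDENCIES = optee-client optee-os`, so the option can be enabled while both are off in the configuration. A target dependency needs the Kconfig side too: add `select BR2_PACKAGE_OPTEE_CLIENT` and `depends on BR2_TARGET_OPTEE_OS_SDK`. The second matters because the makefile takes the TA dev kit from `$(STAGING_DIR)/lib/optee/export-ta_*`, which presumably exists only when that option is on. The prompt and its help text also spell the package name `exmaples`.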
> diff --git a/package/optee-examples/optee-examples.hash b/package/optee-examples/optee-examples.hash
> new file mode 100644
> index 0000000..77b7466
> --- /dev/null
> +++ b/package/optee-examples/optee-examples.hash
> @@ -0,0 +1,4 @@
> +# From https://github.com/linaro-swg/optee_examples/archive/3.3.0.tar.gz
> +sha256 504642edd1510562dcc213637d8869190dd581986daf938ed3e85088830e0ef9  optee-examples-3.3.0.tar.gz
> +# Locally computed
> +sha256 6f1ef8449cb82ae79d2155605f7985bdf0f08e7ab5007de9b4362e8bf28733b9  LICENSE
> diff --git a/package/optee-examples/optee-examples.mk b/package/optee-examples/optee-examples.mk
> new file mode 100644
> index 0000000..2edcc45
> --- /dev/null
> +++ b/package/optee-examples/optee-examples.mk
> @@ -0,0 +1,48 @@
> +################################################################################
> +#
> +# optee-examples
> +#
> +################################################################################
> +
> +OPTEE_EXAMPLES_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_VERSION))
> +OPTEE_EXAMPLES_LICENSE = BSD-2-Clause
> +OPTEE_EXAMPLES_LICENSE_FILES = LICENSE
> +
> +ifeq ($(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT),y)
> +OPTEE_EXAMPLES_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL))
> +OPTEE_EXAMPLES_SITE_METHOD = git
> +BR_NO_CHECK_HASH_FOR += $(OPTEE_EXAMPLES_SOURCE)
> +else
> +OPTEE_EXAMPLES_SITE = $(call github,linaro-swg,optee_examples,$(OPTEE_EXAMPLES_VERSION))
> +endif
> +
> +OPTEE_EXAMPLES_DEPENDENCIES = optee-client optee-os
> +OPTEE_EXAMPLES_INSTALL_STAGING = YES
> +
> +ifeq ($(BR2_aarch64),y)
> +OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
> +endif
> +ifeq ($(BR2_arm),y)
> +OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
> +endif
> +
> +define OPTEE_EXAMPLES_BUILD_TAS
> +       @$(foreach f,$(wildcard $(@D)/*/ta/Makefile), \
> +               $(TARGET_CONFIGURE_OPTS) \
> +               $(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
> +                       O=out TA_DEV_KIT_DIR=$(OPTEE_EXAMPLES_SDK) \
> +                       -C $(dir $f) all &&) true
> +endef
> +
> +define OPTEE_EXAMPLES_INSTALL_TAS
> +       @$(foreach f,$(wildcard $(@D)/*/ta/out/*.ta), \
> +               mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
> +               $(INSTALL) -v -p --mode=444 \
> +                       --target-directory=$(TARGET_DIR)/lib/optee_armtz $f \
> +                       &&) true
> +endef
> +
> +OPTEE_EXAMPLES_POST_BUILD_HOOKS += OPTEE_EXAMPLES_BUILD_TAS
> +OPTEE_EXAMPLES_POST_INSTALL_TARGET_HOOKS += OPTEE_EXAMPLES_INSTALL_TAS
> +
> +$(eval $(cmake-package))

Tested-by: Shyam Saini <shyam.saini@amarulasolutions.com>


* [Buildroot] [PATCH 5/5] optee-test: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 5/5] optee-test: " Etienne Carriere
  2018-11-23  3:06   ` Carlos Santos
@ 2018-11-23 11:49   ` Shyam Saini
  2018-11-23 18:11   ` [Buildroot] [PATCH v2 " Etienne Carriere
  2 siblings, 0 replies; 31+ messages in thread
From: Shyam Saini @ 2018-11-23 11:49 UTC (permalink / raw)
  To: buildroot

On Thu, Nov 22, 2018 at 8:53 PM Etienne Carriere
<etienne.carriere@linaro.org> wrote:
>
> OP-TEE test package provide test materials as part of the OP-TEE
> project helping platforms to verify their OP-TEE components
> against a set of regression and performance tests.
>
> Package is added in the BR package configuration next to the
> OP-TEE client package.
>
> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> ---
>  package/Config.in                                  |  1 +
>  .../optee-test/3.3.0/0001-cmake-rely-on-C.patch    | 32 +++++++++++
>  package/optee-test/Config.in                       | 64 ++++++++++++++++++++++
>  package/optee-test/optee-test.hash                 |  4 ++
>  package/optee-test/optee-test.mk                   | 49 +++++++++++++++++
>  5 files changed, 150 insertions(+)
>  create mode 100644 package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
>  create mode 100644 package/optee-test/Config.in
>  create mode 100644 package/optee-test/optee-test.hash
>  create mode 100644 package/optee-test/optee-test.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index 35870d0..ff53a75 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2050,6 +2050,7 @@ menu "Security"
>         source "package/optee-benchmark/Config.in"
>         source "package/optee-client/Config.in"
>         source "package/optee-examples/Config.in"
> +       source "package/optee-test/Config.in"
>         source "package/paxtest/Config.in"
>         source "package/policycoreutils/Config.in"
>         source "package/refpolicy/Config.in"
> diff --git a/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
> new file mode 100644
> index 0000000..ea7b966
> --- /dev/null
> +++ b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
> @@ -0,0 +1,32 @@
> +cmake: component rely on C support
> +
> +Without specifing optee_client source expects only C source file
> +support cmake may attempt to look for resources as g++. When
> +building with environments that do not provide such tools as when
> +building from native buildroot ofr a qemu target, optee_client
> +fails to build. This change ensure a minimal C support allows to
> +build optee_client with cmake.
> +
> +Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> +Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
> +
> +diff --git a/CMakeLists.txt b/CMakeLists.txt
> +index 0290205..a3fd269 100644
> +--- a/CMakeLists.txt
> ++++ b/CMakeLists.txt
> +@@ -1,4 +1,5 @@
> + cmake_minimum_required (VERSION 3.2)
> ++project (optee_test C)
> +
> + # Default cross compile settings
> + set (CMAKE_TOOLCHAIN_FILE CMakeToolchain.txt)
> +diff --git a/ta/CMakeLists.txt b/ta/CMakeLists.txt
> +index 22d7727..795237e 100644
> +--- a/ta/CMakeLists.txt
> ++++ b/ta/CMakeLists.txt
> +@@ -1,4 +1,4 @@
> +-project (xtest-ta-headers)
> ++project (xtest-ta-headers C)
> +
> + add_library(${PROJECT_NAME} INTERFACE)
> +
> diff --git a/package/optee-test/Config.in b/package/optee-test/Config.in
> new file mode 100644
> index 0000000..f06cbf6
> --- /dev/null
> +++ b/package/optee-test/Config.in
> @@ -0,0 +1,64 @@
> +config BR2_PACKAGE_OPTEE_TEST
> +       bool "optee_test"
> +       depends on BR2_aarch64 || BR2_arm
> +       help
> +         This build option enables OP-TEE test package from the
> +         OP-TEE project. It helps platforms to verify the OP-TEE
> +         installation against a set of regression and performance
> +         tests.
> +
> +         The package generates userspace test applications and
> +         data files for the Linux userland. It also generates
> +         OP-TEE trusted applications embedded in the target
> +         directory /lib/optee-armtz. These are loaded into the
> +         secure world at runtime.
> +
> +         http://github.org/OP-TEE/optee_test
> +
> +if BR2_PACKAGE_OPTEE_TEST
> +
> +choice
> +       prompt "OP-TEE test version"
> +       default BR2_PACKAGE_OPTEE_TEST_LATEST
> +       help
> +         Select the version of OP-TEE test you want to use
> +
> +config BR2_PACKAGE_OPTEE_TEST_LATEST
> +       bool "sync with latest release tag"
> +       help
> +         This fetches the latest registered release tag from
> +         the OP-TEE test official Git repository.
> +
> +config BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
> +       bool "sync with a specific Git"
> +       help
> +         Sync with a specific OP-TEE Git repository.
> +
> +endchoice
> +
> +config BR2_PACKAGE_OPTEE_TEST_VERSION
> +       string
> +       default "3.3.0"         if BR2_PACKAGE_OPTEE_TEST_LATEST
> +       default BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION \
> +                               if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
> +       help
> +         Reference in the target Git repository to sync with.
> +
> +if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
> +
> +config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL
> +       string "Git repository site"
> +       help
> +         Specific location of the reference source tree Git
> +         repository.
> +
> +config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION
> +       string "target reference to pull in the Git repository"
> +       help
> +         Package version reference to sync with. As source file
> +         reference is a Git repository, the version reference can
> +         be any Git reference as a tag or a sha1.
> +
> +endif
> +
> +endif #BR2_PACKAGE_OPTEE_TEST
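Review bot: The help URL `http://github.org/OP-TEE/optee_test` under BR2_PACKAGE_OPTEE_TEST names a different host from the one this package is fetched from; the hash file and the .mk in this patch both use github.com. Someone following the link from menuconfig ends up on a different domain, so it should read `https://github.com/OP-TEE/optee_test`. The same help text says the trusted applications go to /lib/optee-armtz, while the install hook in optee-test.mk writes to lib/optee_armtz; the underscore form is the one to keep.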
> diff --git a/package/optee-test/optee-test.hash b/package/optee-test/optee-test.hash
> new file mode 100644
> index 0000000..0da2212
> --- /dev/null
> +++ b/package/optee-test/optee-test.hash
> @@ -0,0 +1,4 @@
> +# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
> +sha256 9651d5db0d28856e45d6bc25ce603bfcf641435bd3264d95b449f093665c8521  optee-test-3.3.0.tar.gz
> +# Locally computed
> +sha256 6e6810981f0ddab9e0d44399d0700a15d9f760a3c2843cc866659c2074139ae7  LICENSE.md
> diff --git a/package/optee-test/optee-test.mk b/package/optee-test/optee-test.mk
> new file mode 100644
> index 0000000..68caea7
> --- /dev/null
> +++ b/package/optee-test/optee-test.mk
> @@ -0,0 +1,49 @@
> +################################################################################
> +#
> +# optee-test
> +#
> +################################################################################
> +
> +OPTEE_TEST_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_VERSION))
> +OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,
> +OPTEE_TEST_LICENSE_FILES = LICENSE.md
> +
> +ifeq ($(BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT),y)
> +OPTEE_TEST_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL))
> +OPTEE_TEST_SITE_METHOD = git
> +BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)
> +else
> +OPTEE_TEST_SITE = $(call github,OP-TEE,optee_test,$(OPTEE_TEST_VERSION))
> +endif
> +
> +OPTEE_TEST_DEPENDENCIES = optee-client optee-os
> +OPTEE_TEST_INSTALL_STAGING = YES
> +
> +ifeq ($(BR2_aarch64),y)
> +OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
> +endif
> +ifeq ($(BR2_arm),y)
> +OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
> +endif
> +OPTEE_TEST_CONF_OPTS = -DOPTEE_TEST_SDK=$(OPTEE_TEST_SDK)
> +
> +define OPTEE_TEST_BUILD_TAS
> +       @$(foreach f,$(wildcard $(@D)/ta/*/Makefile), \
> +               $(TARGET_CONFIGURE_OPTS) \
> +               $(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
> +                       O=out TA_DEV_KIT_DIR=$(OPTEE_TEST_SDK) \
> +                       -C $(dir $f) all &&) true
> +endef
> +
> +define OPTEE_TEST_INSTALL_TAS
> +       @$(foreach f,$(wildcard $(@D)/ta/*/out/*.ta), \
> +               mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
> +               $(INSTALL) -v -p --mode=444 \
> +                       --target-directory=$(TARGET_DIR)/lib/optee_armtz $f \
> +                       &&) true
> +endef
> +
> +OPTEE_TEST_POST_BUILD_HOOKS += OPTEE_TEST_BUILD_TAS
> +OPTEE_TEST_POST_INSTALL_TARGET_HOOKS += OPTEE_TEST_INSTALL_TAS
> +
> +$(eval $(cmake-package))
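Review bot: In the BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT branch, `BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)` turns off the only integrity check on the download, while the Config.in help accepts a tag as well as a sha1 for the reference. The trusted applications built from that tree are installed into $(TARGET_DIR)/lib/optee_armtz, so a moved tag or a changed remote alters what ends up on the target without any build-time signal. I would add a comment above the line, `# Custom Git source: no hash is checked, pin the reference to a full commit sha1`, and say the same in the BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION help. The optee-examples and optee-os makefiles in this series use the same pattern.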

Tested-by: Shyam Saini <shyam.saini@amarulasolutions.com>


* [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world
  2018-11-23  9:05   ` Etienne Carriere
@ 2018-11-23 15:08     ` Etienne Carriere
  0 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 15:08 UTC (permalink / raw)
  To: buildroot

On Fri, 23 Nov 2018 at 10:05, Etienne Carriere
<etienne.carriere@linaro.org> wrote:
>
> On Fri, 23 Nov 2018 at 09:35, Shyam Saini <shyam@amarulasolutions.com> wrote:
> >
> > Hi Etienne,
> >
> >
> > >
> > > OP-TEE OS is maintained by the OP-TEE project. It provides an
> > > open source solution for development and integration of secure
> > > services for Armv7-A and Armv8-A CPU based platforms supporting
> > > the TrustZone technology. This technology enables CPUs to
> > > concurrently host a secure world as the OP-TEE OS and a non-secure
> > > world as a Linux based OS.
> > >
> > > The OP-TEE project maintains other packages to leverage OP-TEE on
> > > Linux kernel based OSes. An OP-TEE interface driver is available
> > > in the Linux kernel since 4.12 upon CONFIG_OPTEE.
> > >
> > > https://www.op-tee.org/
> > > https://github.com/OP-TEE/optee_os
> > >
> > > Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> > > ---
> > >  boot/Config.in                                     |   1 +
> > >  .../3.3.0/0001-move-python-to-python3.patch        |  26 ++++++
> > >  boot/optee-os/Config.in                            | 102 ++++++++++++++++++++
> > >  boot/optee-os/optee-os.hash                        |   4 +
> > >  boot/optee-os/optee-os.mk                          | 103 +++++++++++++++++++++
> > >  5 files changed, 236 insertions(+)
> > >  create mode 100644 boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> > >  create mode 100644 boot/optee-os/Config.in
> > >  create mode 100644 boot/optee-os/optee-os.hash
> > >  create mode 100644 boot/optee-os/optee-os.mk
> > >
> > > diff --git a/boot/Config.in b/boot/Config.in
> > > index 8e0c8e5..cd14731 100644
> > > --- a/boot/Config.in
> > > +++ b/boot/Config.in
> > > @@ -13,6 +13,7 @@ source "boot/gummiboot/Config.in"
> > >  source "boot/lpc32xxcdl/Config.in"
> > >  source "boot/mv-ddr-marvell/Config.in"
> > >  source "boot/mxs-bootlets/Config.in"
> > > +source "boot/optee-os/Config.in"
> > >  source "boot/riscv-pk/Config.in"
> > >  source "boot/s500-bootloader/Config.in"
> > >  source "boot/syslinux/Config.in"
> > > diff --git a/boot/optee-os/3.3.0/0001-move-python-to-python3.patch b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> > > new file mode 100644
> > > index 0000000..b0ed5b5
> > > --- /dev/null
> > > +++ b/boot/optee-os/3.3.0/0001-move-python-to-python3.patch
> > > @@ -0,0 +1,26 @@
> > > +move python scripts to pyhton3
> > > +
> > > +Use python3 for scripts depending on module Crypto.
> > > +
> > > +Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
> > > +
> > > +diff --git a/scripts/pem_to_pub_c.py b/scripts/pem_to_pub_c.py
> > > +index 6b8fa36..0b03d62 100755
> > > +--- a/scripts/pem_to_pub_c.py
> > > ++++ b/scripts/pem_to_pub_c.py
> > > +@@ -1,4 +1,4 @@
> > > +-#!/usr/bin/env python
> > > ++#!/usr/bin/env python3
> > > + # SPDX-License-Identifier: BSD-2-Clause
> > > + #
> > > + # Copyright (c) 2015, Linaro Limited
> > > +diff --git a/scripts/sign.py b/scripts/sign.py
> > > +index ad47479..348b40a 100755
> > > +--- a/scripts/sign.py
> > > ++++ b/scripts/sign.py
> > > +@@ -1,4 +1,4 @@
> > > +-#!/usr/bin/env python
> > > ++#!/usr/bin/env python3
> > > + #
> > > + # Copyright (c) 2015, 2017, Linaro Limited
> > > + #
> > > diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
> > > new file mode 100644
> > > index 0000000..5968531
> > > --- /dev/null
> > > +++ b/boot/optee-os/Config.in
> > > @@ -0,0 +1,102 @@
> > > +config BR2_TARGET_OPTEE_OS
> > > +       bool "optee_os"
> > > +       depends on BR2_aarch64 || BR2_arm
> > > +       select BR2_PACKAGE_OPENSSL # host tool
> > > +       help
> > > +         OP-TEE OS provides the secure world boot image and the trust
> > > +         application development kit of the OP-TEE project. OP-TEE OS
> > > +         also provides generic trusted application one can embedded
> > > +         into its system.
> > > +
> > > +         http://github.org/OP-TEE/optee_os
> > > +
> > > +if BR2_TARGET_OPTEE_OS
> > > +
> > > +choice
> > > +       prompt "OP-TEE OS version"
> > > +       default BR2_TARGET_OPTEE_OS_LATEST
> > > +       help
> > > +         Select the version of OP-TEE OS you want to use
> > > +
> > > +config BR2_TARGET_OPTEE_OS_LATEST
> > > +       bool "sync with latest registered release tag"
> > > +       help
> > > +         This fetches the latest registered release tag from
> > > +         the OP-TEE OS official Git repository.
> > > +
> > > +config BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> > > +       bool "sync on custom OP-TEE OS Git repository"
> > > +       help
> > > +         Sync with a specific OP-TEE Git repository.
> > > +
> > > +endchoice
> > > +
> > > +config BR2_TARGET_OPTEE_OS_VERSION
> > > +       string
> > > +       default "3.3.0"         if BR2_TARGET_OPTEE_OS_LATEST
> > > +       default BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION \
> > > +                               if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> > > +
> > > +if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
> > > +
> > > +config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL
> > > +       string "sourcetree-site"
> > > +       help
> > > +         Specific location of the reference source tree Git
> > > +         repository.
> > > +
> > > +config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION
> > > +       string "git reference to pull"
> > > +       help
> > > +         Reference in the target git repository to sync with.
> > > +
> > > +endif
> > > +
> > > +# Building core, TA libraries/devkit and/or generic TA services
> > > +
> > > +config BR2_TARGET_OPTEE_OS_CORE
> > > +       bool "Build core"
> > > +       default y
> > > +       help
> > > +         This option will build and install the OP-TEE core
> > > +         boot images.
> > > +
> > > +config BR2_TARGET_OPTEE_OS_SDK
> > > +       bool "Build TA devkit"
> > > +       default y
> > > +       help
> > > +         This option will build and install the OP-TEE development
> > > +         kit for building OP-TEE trusted application images. It is
> > > +          installed in the staging filetree in /lib/optee directory.
> > > +
> > > +config BR2_TARGET_OPTEE_OS_SERVICES
> > > +       bool "Build service TAs"
> > > +       default y
> > > +       help
> > > +         This option will build and install the generic trusted
> > > +         applications in the OP-TEE OS source tree and install
> > > +         them in the target /lib/optee_armtz directory. At runtime
> > > +         OP-TEE OS can load trusted applications from a non secure
> > > +         filesystem into the secure world for execution.
> > > +
> > > +# Building TA libraries and/or core images require target platform info
> > > +
> > > +config BR2_TARGET_OPTEE_OS_PLATFORM
> > > +       string "mandatory target PLATFORM"
> > > +       help
> > > +         Value for the mandated PLATFORM build directive provided to
> > > +         OP-TEE OS.
> > > +
> > > +config BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR
> > > +       string "optional target PLATFORM_FLAVOR"
> > > +       help
> > > +         Value for the optional PLATFORM_FLAVOR build directive
> > > +         provided to OP-TEE OS.
> > > +
> > > +config BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES
> > > +       string "Additional OP-TEE OS build variables"
> > > +       help
> > > +         Additional parameters for the OP-TEE OS build
> > > +         E.g. 'CFG_TEE_CORE_LOG_LEVEL=3 CFG_UNWIND=y'
> > > +
> > > +endif # BR2_TARGET_OPTEE_OS
> > > diff --git a/boot/optee-os/optee-os.hash b/boot/optee-os/optee-os.hash
> > > new file mode 100644
> > > index 0000000..f68d72f
> > > --- /dev/null
> > > +++ b/boot/optee-os/optee-os.hash
> > > @@ -0,0 +1,4 @@
> > > +# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
> > > +sha256 f0c9572d3a341ea37bb8e89cfd511e96d6ca3b2b714b536564e8fedb93b0f44a  optee-os-3.3.0.tar.gz
> > > +# Locally computed
> > > +sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
> > > diff --git a/boot/optee-os/optee-os.mk b/boot/optee-os/optee-os.mk
> > > new file mode 100644
> > > index 0000000..2e04ce0
> > > --- /dev/null
> > > +++ b/boot/optee-os/optee-os.mk
> > > @@ -0,0 +1,103 @@
> > > +################################################################################
> > > +#
> > > +# optee-os
> > > +#
> > > +################################################################################
> > > +
> > > +OPTEE_OS_VERSION = $(call qstrip,$(BR2_TARGET_OPTEE_OS_VERSION))
> > > +OPTEE_OS_LICENSE = BSD-2-Clause
> > > +OPTEE_OS_LICENSE_FILES = LICENSE
> > > +
> > > +ifeq ($(BR2_TARGET_OPTEE_OS_CUSTOM_GIT),y)
> > > +OPTEE_OS_SITE = $(call qstrip,$(BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL))
> > > +OPTEE_OS_SITE_METHOD = git
> > > +BR_NO_CHECK_HASH_FOR += $(OPTEE_OS_SOURCE)
> > > +else
> > > +OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,OPTEE_OS_VERSION)
> > > +endif
> > > +
> > > +# On 64bit targets, OP-TEE OS can be built in 32bit mode, or
> > > +# can be built in 64bit mode and support 32bit and 64bit
> > > +# trusted applications. Since buildroot currently references
> > > +# a single cross compiler, build exclusively in 32bit
> > > +# or 64bit mode.
> > > +OPTEE_OS_MAKE_OPTS = CROSS_COMPILE="$(TARGET_CROSS)"
> > > +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_core="$(TARGET_CROSS)"
> > > +ifeq ($(BR2_aarch64),y)
> > > +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm64="$(TARGET_CROSS)"
> > > +endif
> > > +ifeq ($(BR2_arm),y)
> > > +OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm32="$(TARGET_CROSS)"
> > > +endif
> > > +
> > > +# Get mandatory PLAFORM and optional PLATFORM_FLAVOR
> > > +OPTEE_OS_MAKE_OPTS += PLATFORM=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM))
> > > +ifneq ($(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR),)
> > > +OPTEE_OS_MAKE_OPTS += PLATFORM_FLAVOR=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR))
> > > +endif
> > > +OPTEE_OS_MAKE_OPTS += $(call qstrip,$(BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES))
> >
> > minor nit, please see below
> > > +
> > > +# OP-TEE OS builds from subdirectory build/ of its synced sourcetree root path
> >
> > optee_os by default uses [1] "out" as build directory, Shouldn't  we
> > use the same for consistency. We can provide option
> > and let the user decide?
>
> I though i would be better to have this makefile agnostic of the
> optee_os default output path.
> I guess a build option with a known default value is more flexible.
> However i did not find such in other BR packages. I wonder if it is a good idea.
>

I checked, and the default output build dir is actually not out/ but
out/$(ARCH)-plat-$(PLATFORM), knowing that $(PLATFORM) may not be the
value of PLATFORM set in this makefile script.
i.e. a single external directive PLATFORM=vexpress-qemu_virt is
transformed by the optee-os internal build into the pair PLATFORM=vexpress +
PLATFORM_FLAVOR=qemu_virt.
Refer to https://github.com/OP-TEE/optee_os/blob/master/Makefile#L32

I will stick on forcing it to out/ as it simplifies the path resolution.

etienne

> >
> > [1] https://github.com/OP-TEE/optee_os/blob/master/Makefile#L44
> >
> > other than that,
> >
> > Tested-by: Shyam Saini <shyam.saini@amarulasolutions.com>
>
> Thanks a lot.
>
> etienne


* [Buildroot] [PATCH v2 1/5] boot/optee-os: new package
  2018-11-22 15:22 [Buildroot] [PATCH 1/5] boot/optee-os: OP-TEE secure world Etienne Carriere
                   ` (6 preceding siblings ...)
  2018-11-23  8:35 ` Shyam Saini
@ 2018-11-23 18:09 ` Etienne Carriere
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
  7 siblings, 1 reply; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 18:09 UTC (permalink / raw)
  To: buildroot

OP-TEE OS is maintained by the OP-TEE project. It provides an
open source solution for development and integration of secure
services for Armv7-A and Armv8-A CPU based platforms supporting
the TrustZone technology. This technology enables CPUs to
concurrently host a secure world as the OP-TEE OS and a non-secure
world as a Linux based OS.

The OP-TEE project maintains other packages to leverage OP-TEE on
Linux kernel based OSes. An OP-TEE interface driver is available
in the Linux kernel since 4.12 upon CONFIG_OPTEE.

https://www.op-tee.org/
https://github.com/OP-TEE/optee_os

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v1 -> v2:
  - Replace dependency on BR2_arm with BR2_ARM_CPU_ARMV7 as BR2_arm
    is enabled for non Armv7 targets.
  - Correct build dependencies on OpenSSL and pycrypto.
    Remove patch on package python scripts since pycrypto dependency
    is now handled.
  - Correct location of in-tree services TAs (s/ta_services/ta/).
    Remove OPTEE_OS_BUILD_SERVICES as service TAs are already built when OP-TEE OS core is built.
    Correct BR2_TARGET_OPTEE_OS_SERVICES options: it only installs the
  - Fix bad reference in Config.in package description.
  - Fix wrong hash for the optee-os v3.3.0 tarball.
  - Fix bad use of OPTEE_OS_VERSION where it is the value content that
    is expected: $(OPTEE_OS_VERSION).
  - Clarify output build directory name: use out/.
  - Minor replace use if/endif with use of depends on in Config.mk.
  - Add missing dependency of BR2_TARGET_OPTEE_OS_SERVICES
    on BR2_TARGET_OPTEE_OS_SDK.
  - Change commit header comment to "boot/optee-os: new package".

---
 boot/Config.in              |   1 +
 boot/optee-os/Config.in     | 100 +++++++++++++++++++++++++++++++++++++++++++
 boot/optee-os/optee-os.hash |   4 ++
 boot/optee-os/optee-os.mk   | 101 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 206 insertions(+)
 create mode 100644 boot/optee-os/Config.in
 create mode 100644 boot/optee-os/optee-os.hash
 create mode 100644 boot/optee-os/optee-os.mk

diff --git a/boot/Config.in b/boot/Config.in
index 8e0c8e5..cd14731 100644
--- a/boot/Config.in
+++ b/boot/Config.in
@@ -13,6 +13,7 @@ source "boot/gummiboot/Config.in"
 source "boot/lpc32xxcdl/Config.in"
 source "boot/mv-ddr-marvell/Config.in"
 source "boot/mxs-bootlets/Config.in"
+source "boot/optee-os/Config.in"
 source "boot/riscv-pk/Config.in"
 source "boot/s500-bootloader/Config.in"
 source "boot/syslinux/Config.in"
diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
new file mode 100644
index 0000000..7a598c6
--- /dev/null
+++ b/boot/optee-os/Config.in
@@ -0,0 +1,100 @@
+config BR2_TARGET_OPTEE_OS
+	bool "optee_os"
+	depends on BR2_aarch64 || BR2_ARM_CPU_ARMV7A
+	help
+	  OP-TEE OS provides the secure world boot image and the trust
+	  application development kit of the OP-TEE project. OP-TEE OS
+	  also provides generic trusted application one can embedded
+	  into its system.
+
+	  http://github.com/OP-TEE/optee_os
+
+if BR2_TARGET_OPTEE_OS
+
+choice
+	prompt "OP-TEE OS version"
+	default BR2_TARGET_OPTEE_OS_LATEST
+	help
+	  Select the version of OP-TEE OS you want to use
+
+config BR2_TARGET_OPTEE_OS_LATEST
+	bool "sync with latest registered release tag"
+	help
+	  This fetches the latest registered release tag from
+	  the OP-TEE OS official Git repository.
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	bool "sync on custom OP-TEE OS Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_TARGET_OPTEE_OS_VERSION
+	string
+	default "3.3.0"		if BR2_TARGET_OPTEE_OS_LATEST
+	default BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION \
+				if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL
+	string "sourcetree-site"
+	depends on BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION
+	string "git reference to pull"
+	depends on BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	help
+	  Reference in the target git repository to sync with.
+
+# Building core, TA libraries/devkit and/or generic TA services
+
+config BR2_TARGET_OPTEE_OS_CORE
+	bool "Build core"
+	default y
+	help
+	  This option will build and install the OP-TEE core
+	  boot images.
+
+config BR2_TARGET_OPTEE_OS_SDK
+	bool "Build TA devkit"
+	default y
+	help
+	  This option will build and install the OP-TEE development
+	  kit for building OP-TEE trusted application images. It is
+          installed in the staging filetree in /lib/optee directory.
+
+config BR2_TARGET_OPTEE_OS_SERVICES
+	bool "Build service TAs"
+	depends on BR2_TARGET_OPTEE_OS_SDK
+	default y
+	help
+	  This option install the generic trusted applications built
+	  from OP-TEE OS source tree. These are installed in the target
+	  /lib/optee_armtz directory. At runtime OP-TEE OS can load
+	  trusted applications from a non secure filesystem into the
+	  secure world for execution.
+
+# Building TA libraries and/or core images require target platform info
+
+config BR2_TARGET_OPTEE_OS_PLATFORM
+	string "mandatory target PLATFORM"
+	help
+	  Value for the mandated PLATFORM build directive provided to
+	  OP-TEE OS.
+
+config BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR
+	string "optional target PLATFORM_FLAVOR"
+	help
+	  Value for the optional PLATFORM_FLAVOR build directive
+	  provided to OP-TEE OS.
+
+config BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES
+	string "Additional OP-TEE OS build variables"
+	help
+	  Additional parameters for the OP-TEE OS build
+	  E.g. 'CFG_TEE_CORE_LOG_LEVEL=3 CFG_UNWIND=y'
+
+endif # BR2_TARGET_OPTEE_OS
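Review bot: The BR2_TARGET_OPTEE_OS_SERVICES help says trusted applications are loaded from a non-secure filesystem into the secure world, but it does not say what protects them, and no option in this Config.in exposes the TA signing key. Files under /lib/optee_armtz can be rewritten by the normal world, so the signature check OP-TEE OS performs at load time is the integrity control that matters. As far as I know, optee_os signs TAs with a development key from its own source tree unless TA_SIGN_KEY is passed to the build; please confirm for 3.3.0. If that holds, the BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES help should gain a sentence such as `Product builds should pass TA_SIGN_KEY=<path to your private key> here.`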
diff --git a/boot/optee-os/optee-os.hash b/boot/optee-os/optee-os.hash
new file mode 100644
index 0000000..02828a3
--- /dev/null
+++ b/boot/optee-os/optee-os.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_os/archive/3.3.0.tar.gz
+sha256 7b62e9fe650e197473eb2f4dc35c09d1e6395eb48dc1c16cc139d401b359ac6f  optee-os-3.3.0.tar.gz
+# Locally computed
+sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
diff --git a/boot/optee-os/optee-os.mk b/boot/optee-os/optee-os.mk
new file mode 100644
index 0000000..14ad143
--- /dev/null
+++ b/boot/optee-os/optee-os.mk
@@ -0,0 +1,101 @@
+################################################################################
+#
+# optee-os
+#
+################################################################################
+
+OPTEE_OS_VERSION = $(call qstrip,$(BR2_TARGET_OPTEE_OS_VERSION))
+OPTEE_OS_LICENSE = BSD-2-Clause
+OPTEE_OS_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_TARGET_OPTEE_OS_CUSTOM_GIT),y)
+OPTEE_OS_SITE = $(call qstrip,$(BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL))
+OPTEE_OS_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_OS_SOURCE)
+else
+OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,$(OPTEE_OS_VERSION))
+endif
+
+OPTEE_OS_DEPENDENCIES = openssl host-python-pycrypto
+
+# On 64bit targets, OP-TEE OS can be built in 32bit mode, or
+# can be built in 64bit mode and support 32bit and 64bit
+# trusted applications. Since buildroot currently references
+# a single cross compiler, build exclusively in 32bit
+# or 64bit mode.
+OPTEE_OS_MAKE_OPTS = CROSS_COMPILE="$(TARGET_CROSS)"
+OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_core="$(TARGET_CROSS)"
+ifeq ($(BR2_aarch64),y)
+OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm64="$(TARGET_CROSS)"
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_OS_MAKE_OPTS += CROSS_COMPILE_ta_arm32="$(TARGET_CROSS)"
+endif
+
+# Get mandatory PLAFORM and optional PLATFORM_FLAVOR
+OPTEE_OS_MAKE_OPTS += PLATFORM=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM))
+ifneq ($(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR),)
+OPTEE_OS_MAKE_OPTS += PLATFORM_FLAVOR=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR))
+endif
+OPTEE_OS_MAKE_OPTS += $(call qstrip,$(BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES))
+
+# Requests OP-TEE OS to build from subdirectory out/ of its synced sourcetree root path
+# otherwise the output directory path depends on the target platform name.
+OPTEE_OS_BUILDDIR_OUT = out
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_OS_LOCAL_SDK = $(OPTEE_OS_BUILDDIR_OUT)/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_OS_LOCAL_SDK = $(OPTEE_OS_BUILDDIR_OUT)/export-ta_arm32
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_CORE),y)
+define OPTEE_OS_BUILD_CORE
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) O=$(OPTEE_OS_BUILDDIR_OUT) \
+		$(TARGET_CONFIGURE_OPTS) $(OPTEE_OS_MAKE_OPTS) all
+endef
+define OPTEE_OS_INSTALL_CORE
+	mkdir -p $(BINARIES_DIR)
+	cp -dpf $(@D)/$(OPTEE_OS_BUILDDIR_OUT)/core/tee.bin $(BINARIES_DIR)
+	cp -dpf $(@D)/$(OPTEE_OS_BUILDDIR_OUT)/core/tee-*_v2.bin $(BINARIES_DIR)
+endef
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_SDK),y)
+define OPTEE_OS_BUILD_SDK
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) O=$(OPTEE_OS_BUILDDIR_OUT) \
+		 $(TARGET_CONFIGURE_OPTS) $(OPTEE_OS_MAKE_OPTS) ta_dev_kit
+endef
+define OPTEE_OS_INSTALL_SDK
+	mkdir -p $(STAGING_DIR)/lib/optee
+	cp -ardpf $(@D)/$(OPTEE_OS_LOCAL_SDK) $(STAGING_DIR)/lib/optee
+endef
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_SERVICES),y)
+# Core build already generates the TA services binaries. Install them.
+define OPTEE_OS_INSTALL_SERVICES
+	mkdir -p $(TARGET_DIR)/lib/optee_armtz
+	$(foreach f,$(wildcard $(@D)/ta/*/$(OPTEE_OS_BUILDDIR_OUT)/*.ta), \
+		$(INSTALL) -v -p --mode=444 \
+			--target-directory=$(TARGET_DIR)/lib/optee_armtz \
+			 $f &&) true
+endef
+endif
+
+define OPTEE_OS_BUILD_CMDS
+	$(OPTEE_OS_BUILD_CORE)
+	$(OPTEE_OS_BUILD_SDK)
+endef
+
+define OPTEE_OS_INSTALL_IMAGES_CMDS
+	$(OPTEE_OS_INSTALL_CORE)
+	$(OPTEE_OS_INSTALL_SDK)
+	$(OPTEE_OS_INSTALL_SERVICES)
+endef
+
+OPTEE_OS_INSTALL_STAGING = YES
+OPTEE_OS_INSTALL_IMAGES = YES
+
+$(eval $(generic-package))
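Review bot: The test `ifneq ($(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR),)` compares the raw Kconfig string, which Buildroot exports with its double quotes, so an unset option still expands to `""` and the branch is always taken. `PLATFORM_FLAVOR=` is then passed empty on the make command line, which presumably overrides the flavor optee_os would derive from a combined PLATFORM value such as the vexpress-qemu_virt example discussed in this thread. Strip before comparing: `ifneq ($(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR)),)`. The mandatory PLATFORM on the line above has a related gap, since an empty value is passed through to the secure-world build instead of being rejected.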
-- 
1.9.1


* [Buildroot] [PATCH v2 2/5] optee-client: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 2/5] optee-client: new package Etienne Carriere
  2018-11-23 11:48   ` Shyam Saini
@ 2018-11-23 18:10   ` Etienne Carriere
  1 sibling, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 18:10 UTC (permalink / raw)
  To: buildroot

OP-TEE client API library and supplicant daemon from the
OP-TEE project.

The package is added to the Security menu of BR configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v1 -> v2:
  - Add option BR2_PACKAGE_OPTEE_CLIENT_SYNCED_VERSION to ensure
    OP-TEE client version is synced with OP-TEE OS version when
    the latter is enabled.
  - Remove useless OPTEE_CLIENT_INSTALL_IMAGE=YES.

---
 package/Config.in                      |  1 +
 package/optee-client/Config.in         | 73 ++++++++++++++++++++++++++++++++++
 package/optee-client/S30optee          | 26 ++++++++++++
 package/optee-client/optee-client.hash |  4 ++
 package/optee-client/optee-client.mk   | 30 ++++++++++++++
 5 files changed, 134 insertions(+)
 create mode 100644 package/optee-client/Config.in
 create mode 100644 package/optee-client/S30optee
 create mode 100644 package/optee-client/optee-client.hash
 create mode 100644 package/optee-client/optee-client.mk

diff --git a/package/Config.in b/package/Config.in
index b60e770..8c3b1bf 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2047,6 +2047,7 @@ endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/optee-client/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-client/Config.in b/package/optee-client/Config.in
new file mode 100644
index 0000000..cff452b
--- /dev/null
+++ b/package/optee-client/Config.in
@@ -0,0 +1,73 @@
+config BR2_PACKAGE_OPTEE_CLIENT
+	bool "Embed OP-TEE client"
+	help
+	  Enable the OP-TEE client package that brings non-secure
+	  client application resources for OP-TEE support. OP-TEE
+	  client is a component delivered by the OP-TEE project.
+
+	  https://github.com/OP-TEE/optee_client
+
+	  The client API library allows application to invoke
+	  trusted applications hosted in the OP-TEE OS secure world.
+	  The supplicant provides services hosted by the non-secure
+	  world and invoked by the secure world.
+
+if BR2_PACKAGE_OPTEE_CLIENT
+
+choice
+	prompt "OP-TEE client version"
+	default BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	help
+	  Select the version of OP-TEE client you want to use
+
+config BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	bool "sync with latest registered release tag"
+	help
+	  Sync on latest release tag. This currently fetches the
+	  latest registered release tag from the OP-TEE official
+	  Git repository.
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_CLIENT_SYNCED_VERSION
+	bool "use same version ref for OP-TEE components"
+	depends on BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	default true
+	help
+	  When enabled, OP-TEE client version must match the version
+	  set for the other OP-TEE components.
+
+config BR2_PACKAGE_OPTEE_CLIENT_VERSION
+	string
+	default BR2_TARGET_OPTEE_OS_VERSION \
+			if BR2_PACKAGE_OPTEE_CLIENT_SYNCED_VERSION && \
+			   BR2_TARGET_OPTEE_OS
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	default BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can
+	  be any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_CLIENT
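Review bot: `default true` on BR2_PACKAGE_OPTEE_CLIENT_SYNCED_VERSION is not a Kconfig boolean literal. Kconfig reads `true` as a reference to a symbol of that name, which this file does not define, so the option most likely defaults to off rather than on; write `default y`. The same line is in package/optee-benchmark/Config.in. Separately, the help of BR2_PACKAGE_OPTEE_CLIENT_LATEST says the latest release tag is fetched, while the version default is the fixed string "3.3.0"; wording such as `Use the release tag pinned by Buildroot.` would match what the symbol does.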
diff --git a/package/optee-client/S30optee b/package/optee-client/S30optee
new file mode 100644
index 0000000..c893243
--- /dev/null
+++ b/package/optee-client/S30optee
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# /etc/init.d/optee
+#
+# Start/stop tee-supplicant (OP-TEE normal world daemon)
+#
+case "$1" in
+    start)
+	if [ -e /usr/sbin/tee-supplicant -a -e /dev/teepriv0 ]; then
+		echo "Starting tee-supplicant..."
+		/usr/sbin/tee-supplicant &
+		exit 0
+	else
+		echo "tee-supplicant or TEE device not found"
+		exit 1
+	fi
+
+        ;;
+    stop)
+	killall tee-supplicant
+	;;
+    status)
+	cat /dev/teepriv0 2>&1 | grep -q "Device or resource busy" || not="not "
+	echo "tee-supplicant is ${not}active"
+	;;
+esac
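Review bot: The `status` branch detects the daemon by opening /dev/teepriv0 with `cat` and matching the message text "Device or resource busy", so a status query opens the supplicant's privileged device node itself and depends on the exact error wording. `stop` kills by process name, `start` returns 0 right after backgrounding without knowing whether the daemon stayed up, and an unknown argument falls through with no usage message. Tracking the daemon through a pid file with start-stop-daemon covers all of these. The pid file path below is a constructed example.

```shell
PIDFILE=/var/run/tee-supplicant.pid	# constructed example path

case "$1" in
    start)
	# … unchanged: test for /usr/sbin/tee-supplicant and /dev/teepriv0 …
	echo "Starting tee-supplicant..."
	start-stop-daemon -S -q -b -m -p "$PIDFILE" -x /usr/sbin/tee-supplicant
	;;
    stop)
	start-stop-daemon -K -q -p "$PIDFILE"
	;;
    status)
	# Probe the recorded pid rather than opening the TEE device.
	if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
		echo "tee-supplicant is active"
	else
		echo "tee-supplicant is not active"
	fi
	;;
    *)
	echo "Usage: $0 {start|stop|status}"
	exit 1
	;;
esac
```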
diff --git a/package/optee-client/optee-client.hash b/package/optee-client/optee-client.hash
new file mode 100644
index 0000000..ed7bf4e
--- /dev/null
+++ b/package/optee-client/optee-client.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_client/archive/3.3.0.tar.gz
+sha256 63af1567fdcdbe28b45be274266a89aa81bef3d0fd8ec5a6eb680046a92e1177  optee-client-3.3.0.tar.gz
+# Locally computed
+sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
diff --git a/package/optee-client/optee-client.mk b/package/optee-client/optee-client.mk
new file mode 100644
index 0000000..ccc5d12
--- /dev/null
+++ b/package/optee-client/optee-client.mk
@@ -0,0 +1,30 @@
+################################################################################
+#
+# optee-client
+#
+################################################################################
+
+OPTEE_CLIENT_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_VERSION))
+OPTEE_CLIENT_LICENSE = BSD-3-Clause
+OPTEE_CLIENT_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT),y)
+OPTEE_CLIENT_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL))
+OPTEE_CLIENT_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_CLIENT_SOURCE)
+else
+OPTEE_CLIENT_SITE = $(call github,OP-TEE,optee_client,$(OPTEE_CLIENT_VERSION))
+endif
+
+define OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT
+	$(INSTALL) -m 0755 -D $(OPTEE_CLIENT_PKGDIR)/S30optee \
+		$(TARGET_DIR)/etc/init.d/S30optee
+endef
+
+define OPTEE_CLIENT_INSTALL_INIT_SYSV
+	$(OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT)
+endef
+
+OPTEE_CLIENT_INSTALL_STAGING = YES
+
+$(eval $(cmake-package))
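Review bot: `BR_NO_CHECK_HASH_FOR += $(OPTEE_CLIENT_SOURCE)` in the custom-Git branch means the source fetched from BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL is never checked against a hash, and the Config.in help allows the reference to be a tag, which the repository owner can move. For a component that talks to the secure world the fetched source should be reproducible. Add a comment above that line such as `# No hash for custom Git sources: use a full commit sha1 as the version`, and say the same in the help of BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION. The same construct is in optee-benchmark.mk, optee-examples.mk and optee-test.mk.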
-- 
1.9.1


* [Buildroot] [PATCH v2 3/5] optee-benchmark: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 3/5] optee-benchmark: " Etienne Carriere
@ 2018-11-23 18:10   ` Etienne Carriere
  0 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 18:10 UTC (permalink / raw)
  To: buildroot

OP-TEE performance benchmark tools for the OP-TEE project.

This package generates embedded Linux based OS materials used
to retrieve execution timing information on invocation of the
OP-TEE secure services.

It is added next to the OP-TEE client package in BR configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v1 -> v2:
  - Add dependency on OP-TEE client.
  - Add option BR2_PACKAGE_OPTEE_BENCHMARK_SYNCED_VERSION to ensure
    OP-TEE benchmark version is synced with OP-TEE client version.
  - Remove useless OPTEE_BENCHMARK_INSTALL_STAGING and
    OPTEE_BENCHMARK_INSTALL_IMAGES.
  - Remove unused BR2_PACKAGE_OPTEE_BENCHMARK_GIT_REFERENCE. 
  - Remove useless _INSTALL_STAGING/_INSTALL_IMAGES=YES.

---
 package/Config.in                            |  1 +
 package/optee-benchmark/Config.in            | 69 ++++++++++++++++++++++++++++
 package/optee-benchmark/optee-benchmark.hash |  2 +
 package/optee-benchmark/optee-benchmark.mk   | 22 +++++++++
 4 files changed, 94 insertions(+)
 create mode 100644 package/optee-benchmark/Config.in
 create mode 100644 package/optee-benchmark/optee-benchmark.hash
 create mode 100644 package/optee-benchmark/optee-benchmark.mk

diff --git a/package/Config.in b/package/Config.in
index 8c3b1bf..38200af 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2047,6 +2047,7 @@ endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
diff --git a/package/optee-benchmark/Config.in b/package/optee-benchmark/Config.in
new file mode 100644
index 0000000..2d56a7e
--- /dev/null
+++ b/package/optee-benchmark/Config.in
@@ -0,0 +1,69 @@
+config BR2_PACKAGE_OPTEE_BENCHMARK
+	bool "Embed OP-TEE benchmark support"
+	select BR2_PACKAGE_OPTEE_CLIENT
+	select BR2_PACKAGE_LIBYAML
+	help
+	  Enable the OP-TEE benchmark package that brings facilities
+	  for profiling traversal and execution timings when
+	  invoking OP-TEE. OP-TEE benchmark is a component delivered
+	  by the OP-TEE project.
+
+	  http://github.com/linaro-swg/optee_benchmark
+
+if BR2_PACKAGE_OPTEE_BENCHMARK
+
+choice
+	prompt "OP-TEE Benchmark version"
+	default BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	help
+	  Select the version of OP-TEE benchmark you want to use
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	bool "sync with latest release tag"
+	help
+	  Sync on latest release tag. This currently fetches the
+	  latest registered release tag from the OP-TEE official
+	  Git repository.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_SYNCED_VERSION
+	bool "use same version ref for OP-TEE components"
+	depends on BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	default true
+	help
+	  When enabled package version must match the version set for
+	  OP-TEE client.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_VERSION
+	string
+	default BR2_PACKAGE_OPTEE_CLIENT_VERSION \
+			if BR2_PACKAGE_OPTEE_BENCHMARK_SYNCED_VERSION
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	default BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git repository.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can be
+	  any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_BENCHMARK
diff --git a/package/optee-benchmark/optee-benchmark.hash b/package/optee-benchmark/optee-benchmark.hash
new file mode 100644
index 0000000..d93c26c
--- /dev/null
+++ b/package/optee-benchmark/optee-benchmark.hash
@@ -0,0 +1,2 @@
+# From https://github.com/linaro-swg/optee_benchmark/archive/3.3.0.tar.gz
+sha256 bfba3749ac8b37628550696f0625452ae8aef060eff5b3b1c4283a5dad8a3383 optee-benchmark-3.3.0.tar.gz
diff --git a/package/optee-benchmark/optee-benchmark.mk b/package/optee-benchmark/optee-benchmark.mk
new file mode 100644
index 0000000..8eef0f6
--- /dev/null
+++ b/package/optee-benchmark/optee-benchmark.mk
@@ -0,0 +1,22 @@
+################################################################################
+#
+# optee-benchmarch
+#
+################################################################################
+
+OPTEE_BENCHMARK_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_BENCHMARK_VERSION))
+OPTEE_BENCHMARK_LICENSE = BSD-2-Clause
+
+OPTEE_BENCHMARK_DEPENDENCIES = optee-client libyaml
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_LATEST),y)
+OPTEE_BENCHMARK_SITE = $(call github,linaro-swg,optee_benchmark,$(OPTEE_BENCHMARK_VERSION))
+endif
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT),y)
+OPTEE_BENCHMARK_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_URL))
+OPTEE_BENCHMARK_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_BENCHMARK_SOURCE)
+endif
+
+$(eval $(cmake-package))
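Review bot: The header comment names the package `optee-benchmarch`; it should read `# optee-benchmark`. Unlike the other OP-TEE packages in this series, this file sets no OPTEE_BENCHMARK_LICENSE_FILES and the .hash file has no licence hash, so the licence text is neither collected nor checked. If the upstream tree ships a licence file, add `OPTEE_BENCHMARK_LICENSE_FILES = LICENSE` with its sha256 in optee-benchmark.hash. The two separate `ifeq` blocks could also be one `ifeq`/`else`, as in optee-client.mk.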
-- 
1.9.1


* [Buildroot] [PATCH v2 4/5] optee-examples: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 4/5] optee-examples: " Etienne Carriere
  2018-11-23 11:48   ` Shyam Saini
@ 2018-11-23 18:11   ` Etienne Carriere
  1 sibling, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 18:11 UTC (permalink / raw)
  To: buildroot

This package generates embedded Linux based OS userland client
applications and OP-TEE OS trusted applications all embedded in
the file system. These applications show how to use the APIs
OP-TEE OS is based on, both in the non secure and secure worlds.

Package is added next to the OP-TEE client package in the BR
package configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v1 -> v2:
  - Replace BR2_arm with BR2_ARM_CPU_ARMV7 as OP-TEE supports only
    BR2_ARM_CPU_ARMV7 architectures among the 32bit Arm machines.
  - Select OP-TEE client and add dependency on OP-TEE OS.
  - Add option BR2_PACKAGE_OPTEE_EXAMPLES_SYNCED_VERSION to ensure
    OP-TEE examples version is synced with OP-TEE OS version.
  - Do not force output build directory, rely on native path: out/.
  - Replace if/endif with depends on in Config.in. 
  - Remove useless OPTEE_EXAMPLES_INSTALL_STAGING=YES.
  - Add package official URL in Config.in package description.

---
 package/Config.in                          |  1 +
 package/optee-examples/Config.in           | 68 ++++++++++++++++++++++++++++++
 package/optee-examples/optee-examples.hash |  4 ++
 package/optee-examples/optee-examples.mk   | 47 +++++++++++++++++++++
 4 files changed, 120 insertions(+)
 create mode 100644 package/optee-examples/Config.in
 create mode 100644 package/optee-examples/optee-examples.hash
 create mode 100644 package/optee-examples/optee-examples.mk

diff --git a/package/Config.in b/package/Config.in
index 38200af..35870d0 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2049,6 +2049,7 @@ menu "Security"
 	source "package/checkpolicy/Config.in"
 	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
+	source "package/optee-examples/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-examples/Config.in b/package/optee-examples/Config.in
new file mode 100644
index 0000000..de16246
--- /dev/null
+++ b/package/optee-examples/Config.in
@@ -0,0 +1,68 @@
+config BR2_PACKAGE_OPTEE_EXAMPLES
+	bool "Embed OP-TEE examples"
+	depends on BR2_aarch64 || BR2_ARM_CPU_ARMV7A
+	depends on BR2_TARGET_OPTEE_OS
+	select BR2_PACKAGE_OPTEE_CLIENT
+	help
+	  Enable the OP-TEE examples package that brings examples of
+	  implementation of OP-TEE non-secure client applications and
+	  secure trusted applications. OP-TEE examples is a
+	  component delivered by the OP-TEE project.
+
+	  https://github.com/linaro-swg/optee_examples
+
+if BR2_PACKAGE_OPTEE_EXAMPLES
+
+choice
+	prompt "OP-TEE exmaples version"
+	default BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	help
+	  Select the version of OP-TEE exmaples you want to use
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	bool "sync with latest release tag"
+	help
+	  Sync on latest release tag. This currently fetches the
+	  latest registered release tag from the OP-TEE official
+	  Git repository.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_SYNCED_VERSION
+	bool "use same version ref for OP-TEE components"
+	depends on BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	help
+	  When enabled package version must match the version set for
+	  OP-TEE OS and client components.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_VERSION
+	string
+	default BR2_TARGET_OPTEE_OS_VERSION \
+			if BR2_PACKAGE_OPTEE_EXAMPLES_SYNCED_VERSION
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	default BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL
+	string "Git repository site"
+	depends on BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	depends on BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can
+	  be any Git reference as a tag or a sha1.
+
+endif #BR2_PACKAGE_OPTEE_EXAMPLES
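Review bot: The choice prompt and its help both spell the package name `exmaples`, which is what the user sees in menuconfig; they should read `prompt "OP-TEE examples version"` and `Select the version of OP-TEE examples you want to use`. BR2_PACKAGE_OPTEE_EXAMPLES_SYNCED_VERSION also has no `default` line, whereas the client and benchmark packages try to enable it by default, so the version of this package is not tied to BR2_TARGET_OPTEE_OS_VERSION unless the user switches it on. If syncing is meant to be the default for all OP-TEE components, add `default y` here and in package/optee-test/Config.in.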
diff --git a/package/optee-examples/optee-examples.hash b/package/optee-examples/optee-examples.hash
new file mode 100644
index 0000000..77b7466
--- /dev/null
+++ b/package/optee-examples/optee-examples.hash
@@ -0,0 +1,4 @@
+# From https://github.com/linaro-swg/optee_examples/archive/3.3.0.tar.gz
+sha256 504642edd1510562dcc213637d8869190dd581986daf938ed3e85088830e0ef9  optee-examples-3.3.0.tar.gz
+# Locally computed
+sha256 6f1ef8449cb82ae79d2155605f7985bdf0f08e7ab5007de9b4362e8bf28733b9  LICENSE
diff --git a/package/optee-examples/optee-examples.mk b/package/optee-examples/optee-examples.mk
new file mode 100644
index 0000000..08b25b2
--- /dev/null
+++ b/package/optee-examples/optee-examples.mk
@@ -0,0 +1,47 @@
+################################################################################
+#
+# optee-examples
+#
+################################################################################
+
+OPTEE_EXAMPLES_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_VERSION))
+OPTEE_EXAMPLES_LICENSE = BSD-2-Clause
+OPTEE_EXAMPLES_LICENSE_FILES = LICENSE
+
+ifeq ($(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT),y)
+OPTEE_EXAMPLES_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL))
+OPTEE_EXAMPLES_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_EXAMPLES_SOURCE)
+else
+OPTEE_EXAMPLES_SITE = $(call github,linaro-swg,optee_examples,$(OPTEE_EXAMPLES_VERSION))
+endif
+
+OPTEE_EXAMPLES_DEPENDENCIES = optee-client optee-os
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
+endif
+
+define OPTEE_EXAMPLES_BUILD_TAS
+	@$(foreach f,$(wildcard $(@D)/*/ta/Makefile), \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
+			TA_DEV_KIT_DIR=$(OPTEE_EXAMPLES_SDK) \
+			-C $(dir $f) all &&) true
+endef
+
+define OPTEE_EXAMPLES_INSTALL_TAS
+	@$(foreach f,$(wildcard $(@D)/*/ta/out/*.ta), \
+		mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
+		$(INSTALL) -v -p --mode=444 \
+			--target-directory=$(TARGET_DIR)/lib/optee_armtz $f \
+			&&) true
+endef
+
+OPTEE_EXAMPLES_POST_BUILD_HOOKS += OPTEE_EXAMPLES_BUILD_TAS
+OPTEE_EXAMPLES_POST_INSTALL_TARGET_HOOKS += OPTEE_EXAMPLES_INSTALL_TAS
+
+$(eval $(cmake-package))
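Review bot: OPTEE_EXAMPLES_BUILD_TAS passes only CROSS_COMPILE and TA_DEV_KIT_DIR to the TA makefiles, so the trusted applications are signed with whatever key the exported dev kit defaults to. As far as I know that is the development key published in the OP-TEE OS tree, and OPTEE_EXAMPLES_INSTALL_TAS then places those TAs in the target's /lib/optee_armtz. That suits evaluation images but should be stated above the hook, e.g. `# TAs are signed with the TA dev kit default key; not meant for production images`. Both hooks also expand to a bare `true` when the wildcard matches nothing, so a build that produced no TA still succeeds silently. The same two hooks are in optee-test.mk.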
-- 
1.9.1


* [Buildroot] [PATCH v2 5/5] optee-test: new package
  2018-11-22 15:22 ` [Buildroot] [PATCH 5/5] optee-test: " Etienne Carriere
  2018-11-23  3:06   ` Carlos Santos
  2018-11-23 11:49   ` Shyam Saini
@ 2018-11-23 18:11   ` Etienne Carriere
  2 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2018-11-23 18:11 UTC (permalink / raw)
  To: buildroot

OP-TEE test package provides test materials as part of the OP-TEE
project helping platforms to verify their OP-TEE components
against a set of regression and performance tests.

Package is added in the BR package configuration next to the
OP-TEE client package.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v1 -> v2:
  - Replace BR2_arm with BR2_ARM_CPU_ARMV7 as OP-TEE supports only
    BR2_ARM_CPU_ARMV7 architectures among the 32bit Arm machines.
  - Add missing dependency on BR2_TARGET_OPTEE_OS and select
    BR2_PACKAGE_OPTEE_CLIENT when enabled.
  - Add option BR2_PACKAGE_OPTEE_TEST_SYNCED_VERSION to ensure
    OP-TEE test version is synced with OP-TEE OS version.
  - Fix official repo URL in Config.in package description.
  - Remove useless OPTEE_TEST_INSTALL_STAGING=YES.
  - Do not force output build directory and rely on native one: out/.

---
 package/Config.in                                  |  1 +
 .../optee-test/3.3.0/0001-cmake-rely-on-C.patch    | 32 +++++++++
 package/optee-test/Config.in                       | 75 ++++++++++++++++++++++
 package/optee-test/optee-test.hash                 |  4 ++
 package/optee-test/optee-test.mk                   | 48 ++++++++++++++
 5 files changed, 160 insertions(+)
 create mode 100644 package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
 create mode 100644 package/optee-test/Config.in
 create mode 100644 package/optee-test/optee-test.hash
 create mode 100644 package/optee-test/optee-test.mk

diff --git a/package/Config.in b/package/Config.in
index 35870d0..ff53a75 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2050,6 +2050,7 @@ menu "Security"
 	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
 	source "package/optee-examples/Config.in"
+	source "package/optee-test/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
new file mode 100644
index 0000000..ea7b966
--- /dev/null
+++ b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
@@ -0,0 +1,32 @@
+cmake: component rely on C support
+
+Without specifing optee_client source expects only C source file
+support cmake may attempt to look for resources as g++. When
+building with environments that do not provide such tools as when
+building from native buildroot ofr a qemu target, optee_client
+fails to build. This change ensure a minimal C support allows to
+build optee_client with cmake.
+
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0290205..a3fd269 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ cmake_minimum_required (VERSION 3.2)
++project (optee_test C)
+ 
+ # Default cross compile settings
+ set (CMAKE_TOOLCHAIN_FILE CMakeToolchain.txt)
+diff --git a/ta/CMakeLists.txt b/ta/CMakeLists.txt
+index 22d7727..795237e 100644
+--- a/ta/CMakeLists.txt
++++ b/ta/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-project (xtest-ta-headers)
++project (xtest-ta-headers C)
+ 
+ add_library(${PROJECT_NAME} INTERFACE)
+ 
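Review bot: The description of this bundled patch refers to optee_client ("optee_client fails to build", "allows to build optee_client"), while the hunks change optee_test's CMakeLists.txt and ta/CMakeLists.txt, so the text looks carried over from the client fix. Reword it for optee_test and correct `specifing` and `ofr`. An upstream reference line (`Upstream: <commit or pull request reference>`) would also let a later version bump tell whether the patch can be dropped.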
diff --git a/package/optee-test/Config.in b/package/optee-test/Config.in
new file mode 100644
index 0000000..545db03
--- /dev/null
+++ b/package/optee-test/Config.in
@@ -0,0 +1,75 @@
+config BR2_PACKAGE_OPTEE_TEST
+	bool "optee_test"
+	depends on BR2_aarch64 || BR2_ARM_CPU_ARMV7A
+	depends on BR2_TARGET_OPTEE_OS
+	select BR2_PACKAGE_OPTEE_CLIENT
+	help
+	  This build option enables OP-TEE test package from the
+	  OP-TEE project. It helps platforms to verify the OP-TEE
+	  installation against a set of regression and performance
+	  tests.
+
+	  The package generates userspace test applications and
+	  data files for the Linux userland. It also generates
+	  OP-TEE trusted applications embedded in the target
+	  directory /lib/optee-armtz. These are loaded into the
+	  secure world at runtime.
+
+	  http://github.com/OP-TEE/optee_test
+
+if BR2_PACKAGE_OPTEE_TEST
+
+choice
+	prompt "OP-TEE test version"
+	default BR2_PACKAGE_OPTEE_TEST_LATEST
+	help
+	  Select the version of OP-TEE test you want to use
+
+config BR2_PACKAGE_OPTEE_TEST_LATEST
+	bool "sync with latest release tag"
+	help
+	  This fetches the latest registered release tag from
+	  the OP-TEE test official Git repository.
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+	bool "sync with a specific Git"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+config BR2_PACKAGE_OPTEE_TEST_SYNCED_VERSION
+	bool "use same version ref for OP-TEE components"
+	depends on BR2_PACKAGE_OPTEE_TEST_LATEST
+	help
+	  When enabled, OP-TEE examples version must match the version
+	  set for the other OP-TEE components.
+
+config BR2_PACKAGE_OPTEE_TEST_VERSION
+	string
+	default BR2_TARGET_OPTEE_OS_VERSION \
+			if BR2_PACKAGE_OPTEE_TEST_SYNCED_VERSION
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_TEST_LATEST
+	default BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+	help
+	  Reference in the target Git repository to sync with.
+
+if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL
+	string "Git repository site"
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION
+	string "target reference to pull in the Git repository"
+	help
+	  Package version reference to sync with. As source file
+	  reference is a Git repository, the version reference can
+	  be any Git reference as a tag or a sha1.
+
+endif
+
+endif #BR2_PACKAGE_OPTEE_TEST
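Review bot: The help of BR2_PACKAGE_OPTEE_TEST says the trusted applications go to `/lib/optee-armtz`, but optee-test.mk installs them into `$(TARGET_DIR)/lib/optee_armtz` (underscore). The help should name `/lib/optee_armtz`, so that someone checking which TAs are present on the target looks in the right directory. The help of BR2_PACKAGE_OPTEE_TEST_SYNCED_VERSION also says "OP-TEE examples version", which looks copied from the examples package; it should read `When enabled, OP-TEE test version must match the version`.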
diff --git a/package/optee-test/optee-test.hash b/package/optee-test/optee-test.hash
new file mode 100644
index 0000000..0da2212
--- /dev/null
+++ b/package/optee-test/optee-test.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
+sha256 9651d5db0d28856e45d6bc25ce603bfcf641435bd3264d95b449f093665c8521  optee-test-3.3.0.tar.gz
+# Locally computed
+sha256 6e6810981f0ddab9e0d44399d0700a15d9f760a3c2843cc866659c2074139ae7  LICENSE.md
diff --git a/package/optee-test/optee-test.mk b/package/optee-test/optee-test.mk
new file mode 100644
index 0000000..8040ee5
--- /dev/null
+++ b/package/optee-test/optee-test.mk
@@ -0,0 +1,48 @@
+################################################################################
+#
+# optee-test
+#
+################################################################################
+
+OPTEE_TEST_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_VERSION))
+OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,
+OPTEE_TEST_LICENSE_FILES = LICENSE.md
+
+ifeq ($(BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT),y)
+OPTEE_TEST_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL))
+OPTEE_TEST_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)
+else
+OPTEE_TEST_SITE = $(call github,OP-TEE,optee_test,$(OPTEE_TEST_VERSION))
+endif
+
+OPTEE_TEST_DEPENDENCIES = optee-client optee-os
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
+endif
+OPTEE_TEST_CONF_OPTS = -DOPTEE_TEST_SDK=$(OPTEE_TEST_SDK)
+
+define OPTEE_TEST_BUILD_TAS
+	@$(foreach f,$(wildcard $(@D)/ta/*/Makefile), \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
+			TA_DEV_KIT_DIR=$(OPTEE_TEST_SDK) \
+			-C $(dir $f) all &&) true
+endef
+
+define OPTEE_TEST_INSTALL_TAS
+	@$(foreach f,$(wildcard $(@D)/ta/*/out/*.ta), \
+		mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
+		$(INSTALL) -v -p --mode=444 \
+			--target-directory=$(TARGET_DIR)/lib/optee_armtz $f \
+			&&) true
+endef
+
+OPTEE_TEST_POST_BUILD_HOOKS += OPTEE_TEST_BUILD_TAS
+OPTEE_TEST_POST_INSTALL_TARGET_HOOKS += OPTEE_TEST_INSTALL_TAS
+
+$(eval $(cmake-package))
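Review bot: `OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,` ends with a stray comma, so the licence string recorded for the package is malformed; it should be `OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause`. If the two licences cover different parts of the tree, which this hunk does not show, naming the part in parentheses after each licence would make the record usable for compliance review.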
-- 
1.9.1


* [Buildroot] [PATCH v3 1/7] boot/optee-os: new package
  2018-11-23 18:09 ` [Buildroot] [PATCH v2 1/5] boot/optee-os: new package Etienne Carriere
@ 2019-01-07 10:24   ` Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 2/7] optee-client: " Etienne Carriere
                       ` (5 more replies)
  0 siblings, 6 replies; 31+ messages in thread
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

OP-TEE OS is maintained by the OP-TEE project. It provides an
open source solution for development and integration of secure
services for Armv7-A and Armv8-A CPU based platforms supporting
the TrustZone technology. This technology enables CPUs to
concurrently host a secure world as the OP-TEE OS and a non-secure
world as a Linux based OS.

The OP-TEE project maintains other packages to leverage OP-TEE on
Linux kernel based OSes. An OP-TEE interface driver is available
in the Linux kernel since 4.12 upon CONFIG_OPTEE.

This change references in Buildroot the today's latest OP-TEE
revision release tagged 3.3.0 with 2 patches:
- fix a issue in the OP-TEE OS Qemu platform regarding Qemu v2.12.1+.
- Introduce CFG_USER_TA_TARGETS to have Aarch64 building Aarch64 only.

https://www.op-tee.org/
https://github.com/OP-TEE/optee_os

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Chages v2-> v3
  - Add an entry in file DEVELOPERS.
  - Fix BR2_ARM_CPU_ARMV7 into BR2_ARM_CPU_ARMV7A and replace dependency
    on BR2_aarch64 with dep on BR2_ARM_CPU_ARMV8A which is more accurate.
  - Many cleaning in description sections of Config.in and layout
    reordering.
  - Reordering in optee-os.mk layout.
  - Correct dependency openssl into host-openssl.
  - Use OPTEE_OS_INSTALL_STAGING_CMDS for installs in the staging dir.
  - Clean in-tree TAs install command (s/@(foreach ...)/$(INSTALL) ...)
  - BR2_TARGET_OPTEE_OS_SERVICES selects BR2_TARGET_OPTEE_OS_CORE
    instead of depending on BR2_TARGET_OPTEE_OS_SDK. This because
    core build also builds the in-tree TAs.
  - Replace common optee-os.hash with per-version .hash files.
    Support the released 3.x tags from OP-TEE project.
  - Remove useless indirection in OPTEE_OS_INSTALL_STAGING_CMDS definition.
  - Fix issue of Aarch64 OS to attempt to build Aarch32 user mode support
    while the selected cross compilation toolchain cannot compile for
    Aarch32 targets. OP-TEE OS 3.3.0 is patched to backport support for
    CFG_USER_TA_TARGETS directive, allowing to restrict build to Aarch64.

Changes v1 -> v2:
  - Replace dependency on BR2_arm with BR2_ARM_CPU_ARMV7 as BR2_arm
    is enabled for non Armv7 targets.
  - Correct build dependencies on OpenSSL and pycrypto.
    Remove patch on package python scripts since pycrypto dependency
    is now handled.
  - Correct location of in-tree services TAs (s/ta_services/ta/).
    Remove OPTEE_OS_BUILD_SERVICES as service TAs are already built when OP-TEE OS core is built.
    Correct BR2_TARGET_OPTEE_OS_SERVICES options: it only installs the
  - Fix bad reference in Config.in package description.
  - Fix wrong hash for the optee-os v3.3.0 tarball.
  - Fix bad use of OPTEE_OS_VERSION where it is the value content that
    is expected: $(OPTEE_OS_VERSION).
  - Clarify output build directory name: use out/.
  - Minor replace use if/endif with use of depends on in Config.mk.
  - Add missing dependency of BR2_TARGET_OPTEE_OS_SERVICES
    on BR2_TARGET_OPTEE_OS_SDK.
  - Change commit header comment to "boot/optee-os: new package".

---
 DEVELOPERS                                         |   3 +
 boot/Config.in                                     |   1 +
 ...1-qemu-increase-CFG_DTB_MAX_SIZE-to-1-MiB.patch |  41 +++++++++
 ...0002-workaround-multiple-ta-targets-issue.patch |  45 +++++++++
 boot/optee-os/3.3.0/optee-os.hash                  |   4 +
 boot/optee-os/Config.in                            | 101 +++++++++++++++++++++
 boot/optee-os/optee-os.mk                          |  97 ++++++++++++++++++++
 7 files changed, 292 insertions(+)
 create mode 100644 boot/optee-os/3.3.0/0001-qemu-increase-CFG_DTB_MAX_SIZE-to-1-MiB.patch
 create mode 100644 boot/optee-os/3.3.0/0002-workaround-multiple-ta-targets-issue.patch
 create mode 100644 boot/optee-os/3.3.0/optee-os.hash
 create mode 100644 boot/optee-os/Config.in
 create mode 100644 boot/optee-os/optee-os.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 9654fcf..83c0ec8 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -681,6 +681,9 @@ F:	package/mxsldr/
 N:	Ernesto L. Williams Jr <realcontrols@gmail.com>
 F:	package/szip/
 
+N:	Etienne Carriere <etienne.carriere@linaro.org>
+F:	boot/optee-os/
+
 N:	Eugene Tarassov <eugene@largest.net>
 F:	package/tcf-agent/
 
diff --git a/boot/Config.in b/boot/Config.in
index 8e0c8e5..cd14731 100644
--- a/boot/Config.in
+++ b/boot/Config.in
@@ -13,6 +13,7 @@ source "boot/gummiboot/Config.in"
 source "boot/lpc32xxcdl/Config.in"
 source "boot/mv-ddr-marvell/Config.in"
 source "boot/mxs-bootlets/Config.in"
+source "boot/optee-os/Config.in"
 source "boot/riscv-pk/Config.in"
 source "boot/s500-bootloader/Config.in"
 source "boot/syslinux/Config.in"
diff --git a/boot/optee-os/3.3.0/0001-qemu-increase-CFG_DTB_MAX_SIZE-to-1-MiB.patch b/boot/optee-os/3.3.0/0001-qemu-increase-CFG_DTB_MAX_SIZE-to-1-MiB.patch
new file mode 100644
index 0000000..a1def96
--- /dev/null
+++ b/boot/optee-os/3.3.0/0001-qemu-increase-CFG_DTB_MAX_SIZE-to-1-MiB.patch
@@ -0,0 +1,41 @@
+From 078b214af05c1a95f26e288d7b6547a8f7f369d0 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Thu, 18 Oct 2018 11:16:23 +0200
+Subject: [PATCH] qemu: increase CFG_DTB_MAX_SIZE to 1 MiB
+
+Since upstream QEMU commit 14ec3cbd7c1e ("device_tree: Increase
+FDT_MAX_SIZE to 1 MiB"), which is included in release v2.12.1 and later,
+OP-TEE initialization fails with the following error (-3 is
+-FDT_ERR_NOSPACE):
+
+ E/TC:0 0 init_fdt:808 Invalid Device Tree at 0x40000000: error -3
+
+Increase CFG_DTB_MAX_SIZE accordingly. Tested with the current tip of the
+QEMU master branch, in 32- and 64-bit modes (note that our 64-bit QEMU
+setup needs a TF-A patch -- PLAT_QEMU_DT_MAX_SIZE needs to be set to 1 MiB
+too).
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ core/arch/arm/plat-vexpress/conf.mk | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/core/arch/arm/plat-vexpress/conf.mk b/core/arch/arm/plat-vexpress/conf.mk
+index 91442801b1..7535c03834 100644
+--- a/core/arch/arm/plat-vexpress/conf.mk
++++ b/core/arch/arm/plat-vexpress/conf.mk
+@@ -90,6 +90,7 @@ endif
+ $(call force,CFG_BOOT_SECONDARY_REQUEST,y)
+ $(call force,CFG_PSCI_ARM32,y)
+ $(call force,CFG_DT,y)
++CFG_DTB_MAX_SIZE ?= 0x100000
+ # SE API is only supported by QEMU Virt platform
+ CFG_SE_API ?= y
+ CFG_SE_API_SELF_TEST ?= y
+@@ -108,4 +109,5 @@ CFG_SHMEM_SIZE  ?= 0x00200000
+ # When Secure Data Path is enable, last MByte of TZDRAM is SDP test memory.
+ CFG_TEE_SDP_MEM_SIZE ?= 0x00400000
+ $(call force,CFG_DT,y)
++CFG_DTB_MAX_SIZE ?= 0x100000
+ endif
diff --git a/boot/optee-os/3.3.0/0002-workaround-multiple-ta-targets-issue.patch b/boot/optee-os/3.3.0/0002-workaround-multiple-ta-targets-issue.patch
new file mode 100644
index 0000000..0cf0c80
--- /dev/null
+++ b/boot/optee-os/3.3.0/0002-workaround-multiple-ta-targets-issue.patch
@@ -0,0 +1,45 @@
+core: configure for a single user mode architecture
+
+This change introduces CFG_USER_TA_TARGETS to allow a configuration
+to select a unique user TA execution architecture even if the
+platform supports several (Aarch32/Aarch64).
+
+CFG_USER_TA_TARGETS shall be set to either ta_arm32 or ta_arm64.
+
+This feature can be used in build environments that do not support
+several cross compilation toolchains when building a single target.
+Buildroot (at least up to 2018.11) is such of an environment.
+The environment will likely use an Aarch64 toolchain for the
+TEE/REE which toolchain may not be able to compile Aarch32 targets
+and build to fail with a error message like:
+
+    CC      out/ta_arm32-lib/libmbedtls/mbedtls/library/aes.o
+  aarch64-linux-gnu-gcc: error: unrecognized command line option '-mthumb'
+
+This changes is a less invasive yet less safe change in OP-TEE
+OS to support CFG_USER_TA_TARGETS. A better implementation for
+this configuration directive was merged as [1] from [2] before
+3.4.0 tag. One should prefer the official integration [1] rahter
+than this change but the later is likely to apply on older
+versions of OP-TEE one may need to use.
+
+[1] optee_os.git commit dc701d99e0d0 ("Introduce CFG_USER_TA_TARGETS to select user mode architecture(s)"
+[2] https://github.com/OP-TEE/optee_os/pull/2703
+
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+
+diff --git a/Makefile b/Makefile
+--- a/Makefile
++++ b/Makefile
+@@ -69,6 +69,10 @@ cmd-echo-silent := true
+ endif
+ endif
+ 
++# Non-invasive hack for well formed CFG_USER_TA_TARGETS to define ta-targets
++ifneq ($(strip $(CFG_USER_TA_TARGETS)),)
++override ta-targets := $(CFG_USER_TA_TARGETS)
++endif
+ 
+ include core/core.mk
+ 
+
diff --git a/boot/optee-os/3.3.0/optee-os.hash b/boot/optee-os/3.3.0/optee-os.hash
new file mode 100644
index 0000000..02828a3
--- /dev/null
+++ b/boot/optee-os/3.3.0/optee-os.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_os/archive/3.3.0.tar.gz
+sha256 7b62e9fe650e197473eb2f4dc35c09d1e6395eb48dc1c16cc139d401b359ac6f  optee-os-3.3.0.tar.gz
+# Locally computed
+sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
diff --git a/boot/optee-os/Config.in b/boot/optee-os/Config.in
new file mode 100644
index 0000000..a8a2982
--- /dev/null
+++ b/boot/optee-os/Config.in
@@ -0,0 +1,101 @@
+config BR2_TARGET_OPTEE_OS
+	bool "optee_os"
+	depends on BR2_ARM_CPU_ARMV8A || BR2_ARM_CPU_ARMV7A
+	help
+	  OP-TEE OS provides the secure world boot image and the trust
+	  application development kit of the OP-TEE project. OP-TEE OS
+	  also provides generic trusted application one can embedded
+	  into its system.
+
+	  http://github.com/OP-TEE/optee_os
+
+if BR2_TARGET_OPTEE_OS
+
+choice
+	prompt "OP-TEE OS version"
+	default BR2_TARGET_OPTEE_OS_LATEST
+	help
+	  Select the version of OP-TEE OS you want to use
+
+config BR2_TARGET_OPTEE_OS_LATEST
+	bool "3.3.0"
+	help
+	  This fetches the registered release tag from the
+	  OP-TEE OS official Git repository.
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	bool "Custom Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL
+	string "URL of custom repository"
+	depends on BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	help
+	  Specific location of the reference source tree Git
+	  repository.
+
+config BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	depends on BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+	help
+	  Reference in the target git repository to sync with.
+
+endif
+
+config BR2_TARGET_OPTEE_OS_VERSION
+	string
+	default "3.3.0"		if BR2_TARGET_OPTEE_OS_LATEST
+	default BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION \
+				if BR2_TARGET_OPTEE_OS_CUSTOM_GIT
+
+config BR2_TARGET_OPTEE_OS_CORE
+	bool "Build core"
+	default y
+	help
+	  This option will build and install the OP-TEE core
+	  boot images.
+
+config BR2_TARGET_OPTEE_OS_SDK
+	bool "Build TA devkit"
+	default y
+	help
+	  This option will build and install the OP-TEE development
+	  kit for building OP-TEE trusted application images. It is
+	  installed in the staging directory /lib/optee.
+
+config BR2_TARGET_OPTEE_OS_SERVICES
+	bool "Build service TAs"
+	select BR2_TARGET_OPTEE_OS_CORE
+	default y
+	help
+	  This option installs the service trusted applications built
+	  from OP-TEE OS source tree. These are installed in the target
+	  /lib/optee_armtz directory as other trusted applications.
+	  At runtime OP-TEE OS can load trusted applications from this
+	  non-secure filesystem/directory into the secure world for
+	  execution.
+
+config BR2_TARGET_OPTEE_OS_PLATFORM
+	string "Mandatory target PLATFORM"
+	help
+	  Value for the mandated PLATFORM build directive provided to
+	  OP-TEE OS.
+
+config BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR
+	string "Optional target PLATFORM_FLAVOR"
+	help
+	  Value for the optional PLATFORM_FLAVOR build directive
+	  provided to OP-TEE OS.
+
+config BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES
+	string "Additional OP-TEE OS build variables"
+	help
+	  Additional parameters for the OP-TEE OS build
+	  E.g. 'CFG_TEE_CORE_LOG_LEVEL=3 CFG_UNWIND=y'
+
+endif # BR2_TARGET_OPTEE_OS
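Review bot: The help for BR2_TARGET_OPTEE_OS_CUSTOM_REPO_VERSION accepts any "reference in the target git repository", and optee-os.mk in this same patch adds the custom-git source to BR_NO_CHECK_HASH_FOR, so with this choice nothing pins the content of the secure-world sources that get built. A branch name or a movable tag makes the resulting tee.bin non-reproducible and lets it follow whatever the remote serves at build time. I would state that in the help text, e.g. `Prefer a full commit SHA-1: no hash is checked for a custom repository, so a branch or tag may change between builds.` The same wording applies to the CUSTOM_REPO_VERSION options added in package/optee-client/Config.in and package/optee-examples/Config.in later in this series.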
diff --git a/boot/optee-os/optee-os.mk b/boot/optee-os/optee-os.mk
new file mode 100644
index 0000000..d10249e
--- /dev/null
+++ b/boot/optee-os/optee-os.mk
@@ -0,0 +1,97 @@
+################################################################################
+#
+# optee-os
+#
+################################################################################
+
+OPTEE_OS_VERSION = $(call qstrip,$(BR2_TARGET_OPTEE_OS_VERSION))
+OPTEE_OS_LICENSE = BSD-2-Clause
+OPTEE_OS_LICENSE_FILES = LICENSE
+
+OPTEE_OS_INSTALL_STAGING = YES
+OPTEE_OS_INSTALL_IMAGES = YES
+
+ifeq ($(BR2_TARGET_OPTEE_OS_CUSTOM_GIT),y)
+OPTEE_OS_SITE = $(call qstrip,$(BR2_TARGET_OPTEE_OS_CUSTOM_REPO_URL))
+OPTEE_OS_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_OS_SOURCE)
+else
+OPTEE_OS_SITE = $(call github,OP-TEE,optee_os,$(OPTEE_OS_VERSION))
+endif
+
+OPTEE_OS_DEPENDENCIES = host-openssl host-python-pycrypto
+
+# On 64bit targets, OP-TEE OS can be built in 32bit mode, or
+# can be built in 64bit mode and support 32bit and 64bit
+# trusted applications. Since buildroot currently references
+# a single cross compiler, build exclusively in 32bit
+# or 64bit mode.
+OPTEE_OS_MAKE_OPTS = CROSS_COMPILE="$(TARGET_CROSS)" \
+		     CROSS_COMPILE_core="$(TARGET_CROSS)" \
+		     CROSS_COMPILE_ta_arm64="$(TARGET_CROSS)" \
+		     CROSS_COMPILE_ta_arm32="$(TARGET_CROSS)"
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_OS_MAKE_OPTS += CFG_ARM64_core=y \
+		      CFG_USER_TA_TARGETS=ta_arm64
+endif
+
+# Get mandatory PLAFORM and optional PLATFORM_FLAVOR and additional variables
+OPTEE_OS_MAKE_OPTS += PLATFORM=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM))
+ifneq ($(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR)),)
+OPTEE_OS_MAKE_OPTS += PLATFORM_FLAVOR=$(call qstrip,$(BR2_TARGET_OPTEE_OS_PLATFORM_FLAVOR))
+endif
+OPTEE_OS_MAKE_OPTS += $(call qstrip,$(BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES))
+
+# Requests OP-TEE OS to build from subdirectory out/ of its sourcetree root path
+# otherwise the output directory path depends on the target platform name.
+OPTEE_OS_BUILDDIR_OUT = out
+ifeq ($(BR2_aarch64),y)
+OPTEE_OS_LOCAL_SDK = $(OPTEE_OS_BUILDDIR_OUT)/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_OS_LOCAL_SDK = $(OPTEE_OS_BUILDDIR_OUT)/export-ta_arm32
+endif
+
+ifeq ($(BR2_TARGET_OPTEE_OS_CORE),y)
+define OPTEE_OS_BUILD_CORE
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) O=$(OPTEE_OS_BUILDDIR_OUT) \
+		$(TARGET_CONFIGURE_OPTS) $(OPTEE_OS_MAKE_OPTS) all
+endef
+define OPTEE_OS_INSTALL_IMAGES_CORE
+	mkdir -p $(BINARIES_DIR)
+	cp -dpf $(@D)/$(OPTEE_OS_BUILDDIR_OUT)/core/tee.bin $(BINARIES_DIR)
+	cp -dpf $(@D)/$(OPTEE_OS_BUILDDIR_OUT)/core/tee-*_v2.bin $(BINARIES_DIR)
+endef
+endif # BR2_TARGET_OPTEE_OS_CORE
+
+ifeq ($(BR2_TARGET_OPTEE_OS_SERVICES),y)
+define OPTEE_OS_INSTALL_IMAGES_SERVICES
+	mkdir -p $(TARGET_DIR)/lib/optee_armtz
+	$(INSTALL) -D -m 444 -t $(TARGET_DIR)/lib/optee_armtz \
+				$(@D)/$(OPTEE_OS_BUILDDIR_OUT)/ta/*/*.ta
+endef
+endif # BR2_TARGET_OPTEE_OS_SERVICES
+
+ifeq ($(BR2_TARGET_OPTEE_OS_SDK),y)
+define OPTEE_OS_BUILD_SDK
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) O=$(OPTEE_OS_BUILDDIR_OUT) \
+		 $(TARGET_CONFIGURE_OPTS) $(OPTEE_OS_MAKE_OPTS) ta_dev_kit
+endef
+define OPTEE_OS_INSTALL_STAGING_CMDS
+	mkdir -p $(STAGING_DIR)/lib/optee
+	cp -ardpf $(@D)/$(OPTEE_OS_LOCAL_SDK) $(STAGING_DIR)/lib/optee
+endef
+endif # BR2_TARGET_OPTEE_OS_SDK
+
+define OPTEE_OS_BUILD_CMDS
+	$(OPTEE_OS_BUILD_CORE)
+	$(OPTEE_OS_BUILD_SDK)
+endef
+
+define OPTEE_OS_INSTALL_IMAGES_CMDS
+	$(OPTEE_OS_INSTALL_IMAGES_CORE)
+	$(OPTEE_OS_INSTALL_IMAGES_SERVICES)
+endef
+
+$(eval $(generic-package))
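Review bot: OPTEE_OS_MAKE_OPTS never sets a TA signing key, so the service TAs installed into $(TARGET_DIR)/lib/optee_armtz, and the verification key built into the core images, use whatever optee_os defaults to. As far as I know that default is the development key pair shipped in the optee_os source tree, whose private half is public, so a signature made with it does not authenticate the builder; please confirm against the 3.3.0 tree. Config.in in this patch states that TAs are loaded from the non-secure filesystem into the secure world, which makes that signature check the control that matters for this directory. I would document it next to OPTEE_OS_MAKE_OPTS, e.g. `# TAs are signed with the optee_os default key unless TA_SIGN_KEY is passed through BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES`. The TAs built in package/optee-examples/optee-examples.mk use the exported dev kit and are affected the same way.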
-- 
1.9.1


* [Buildroot] [PATCH v3 2/7] optee-client: new package
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
@ 2019-01-07 10:24     ` Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 3/7] optee-examples: " Etienne Carriere
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

OP-TEE client API library and supplicant daemon from the
OP-TEE project are packaged in package/optee-client. An init script
launches the tee-supplicant daemon. The package is added to the
Security menu of the BR configuration.

This change references in Buildroot the today's latest OP-TEE
revision release tagged 3.3.0.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3:
  - Add an entry in file DEVELOPERS.
  - Clean Config.in layout and description sections.
  - Drop BR2_PACKAGE_OPTEE_CLIENT_SYNCED_VERSION.
  - Clean optee-client.mk layout.
  - Remove OPTEE_CLIENT_INSTALL_STAGING indirection.
  - Replace optee-client.hash with per-version optee-client.hash files.
  - Support the released 3.x tags from OP-TEE project.
  - Correct license tag (client is BSD-2-Clause instead of BSD-3-Clause).
  - Rewrite the init script to use start-stop-daemon

Changes v1 -> v2:
  - Add option BR2_PACKAGE_OPTEE_CLIENT_SYNCED_VERSION to ensure
    OP-TEE client version is synced with OP-TEE OS version when
    the later if enabled.
  - Remove useless OPTEE_CLIENT_INSTALL_IMAGE=YES.

---
 DEVELOPERS                                   |  1 +
 package/Config.in                            |  1 +
 package/optee-client/3.3.0/optee-client.hash |  4 ++
 package/optee-client/Config.in               | 55 ++++++++++++++++++++++++++++
 package/optee-client/S30optee                | 49 +++++++++++++++++++++++++
 package/optee-client/optee-client.mk         | 25 +++++++++++++
 6 files changed, 135 insertions(+)
 create mode 100644 package/optee-client/3.3.0/optee-client.hash
 create mode 100644 package/optee-client/Config.in
 create mode 100644 package/optee-client/S30optee
 create mode 100644 package/optee-client/optee-client.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 83c0ec8..0810e63 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -683,6 +683,7 @@ F:	package/szip/
 
 N:	Etienne Carriere <etienne.carriere@linaro.org>
 F:	boot/optee-os/
+F:	package/optee-client/
 
 N:	Eugene Tarassov <eugene@largest.net>
 F:	package/tcf-agent/
diff --git a/package/Config.in b/package/Config.in
index 0df9b73..277a855 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2076,6 +2076,7 @@ endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/optee-client/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-client/3.3.0/optee-client.hash b/package/optee-client/3.3.0/optee-client.hash
new file mode 100644
index 0000000..ed7bf4e
--- /dev/null
+++ b/package/optee-client/3.3.0/optee-client.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_client/archive/3.3.0.tar.gz
+sha256 63af1567fdcdbe28b45be274266a89aa81bef3d0fd8ec5a6eb680046a92e1177  optee-client-3.3.0.tar.gz
+# Locally computed
+sha256 fda8385993f112d7ca61b88b54ba5b4cbeec7e43a0f9b317d5186703c1985e8f  LICENSE
diff --git a/package/optee-client/Config.in b/package/optee-client/Config.in
new file mode 100644
index 0000000..b893a39
--- /dev/null
+++ b/package/optee-client/Config.in
@@ -0,0 +1,55 @@
+config BR2_PACKAGE_OPTEE_CLIENT
+	bool "optee-client"
+	help
+	  Enable the OP-TEE client package that brings non-secure
+	  client application resources for OP-TEE support. OP-TEE
+	  client is a component delivered by the OP-TEE project.
+
+	  The client API library allows application to invoke
+	  trusted applications hosted in the OP-TEE OS secure world.
+	  The supplicant provides services hosted by the non-secure
+	  world and invoked by the secure world.
+
+	  https://github.com/OP-TEE/optee_client
+
+if BR2_PACKAGE_OPTEE_CLIENT
+
+choice
+	prompt "version"
+	default BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	help
+	  Select the version of OP-TEE client you want to use
+
+config BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	bool "3.3.0"
+	help
+	  This fetches the registered release tag from the
+	  OP-TEE official Git repository.
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+	bool "Custom Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by
+	  Git E.G. a sha id, a tag, branch, ..
+
+endif
+
+config BR2_PACKAGE_OPTEE_CLIENT_VERSION
+	string
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_CLIENT_LATEST
+	default BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT
+
+endif #BR2_PACKAGE_OPTEE_CLIENT
diff --git a/package/optee-client/S30optee b/package/optee-client/S30optee
new file mode 100644
index 0000000..17e6d6d
--- /dev/null
+++ b/package/optee-client/S30optee
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+DAEMON="tee-supplicant"
+PIDFILE="/var/run/$DAEMON.pid"
+
+DAEMON_ARGS="-d /dev/teepriv0"
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
+		-- $DAEMON_ARGS
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+        start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature (does not
+		# reconfigure/restart on SIGHUP, just closes all open files).
+		restart;;
+        *)
+                echo "Usage: $0 {start|stop|restart|reload}"
+                exit 1
+esac
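Review bot: stop() kills by `-p "$PIDFILE"`, but nothing visible ever creates /var/run/tee-supplicant.pid: start() passes neither `-m` nor `-b` to start-stop-daemon, and tee-supplicant is asked to daemonize itself with `-d` (I am not aware of it writing a pidfile, please confirm). If that is right, `stop` and `restart` report FAIL and leave the daemon running, and a repeated `start` cannot be recognised as already running through the pidfile. Matching on the executable removes the dependency: `start-stop-daemon -K -q -x "/usr/sbin/$DAEMON"` in stop(). Minor: the `case` block mixes spaces and tabs, and the intentionally unquoted `$DAEMON_ARGS` deserves a one-line comment saying the word splitting is wanted.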
diff --git a/package/optee-client/optee-client.mk b/package/optee-client/optee-client.mk
new file mode 100644
index 0000000..5cd741b
--- /dev/null
+++ b/package/optee-client/optee-client.mk
@@ -0,0 +1,25 @@
+################################################################################
+#
+# optee-client
+#
+################################################################################
+
+OPTEE_CLIENT_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_VERSION))
+OPTEE_CLIENT_LICENSE = BSD-2-Clause
+OPTEE_CLIENT_LICENSE_FILES = LICENSE
+OPTEE_CLIENT_INSTALL_STAGING = YES
+
+ifeq ($(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_GIT),y)
+OPTEE_CLIENT_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_CLIENT_CUSTOM_REPO_URL))
+OPTEE_CLIENT_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_CLIENT_SOURCE)
+else
+OPTEE_CLIENT_SITE = $(call github,OP-TEE,optee_client,$(OPTEE_CLIENT_VERSION))
+endif
+
+define OPTEE_CLIENT_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D $(OPTEE_CLIENT_PKGDIR)/S30optee \
+		$(TARGET_DIR)/etc/init.d/S30optee
+endef
+
+$(eval $(cmake-package))
-- 
1.9.1


* [Buildroot] [PATCH v3 3/7] optee-examples: new package
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 2/7] optee-client: " Etienne Carriere
@ 2019-01-07 10:24     ` Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 4/7] optee-test: " Etienne Carriere
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

This package generates embedded Linux based OS userland client
applications and OP-TEE OS trusted applications all embedded in
the file system. These applications show how to use the APIs
OP-TEE OS is based on, both in the non-secure and secure worlds.

Package is added next to the OP-TEE client package in the BR
package configuration.

This change references in Buildroot the today's latest OP-TEE
revision release tagged 3.3.0 with an added patch to fix an issue
reported by recent GCC toolchains.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3:
  - Add an entry in file DEVELOPERS.
  - Clean Config.in layout and description sections.
  - Drop BR2_PACKAGE_OPTEE_EXAMPLES_SYNCED_VERSION.
  - Clean optee-examples.mk layout.
  - Replace common optee-examples.hash with per-version .hash files.
  - Simplify install command in iotee-test.mk
  - Patch optee_test 3.3.0 against an issue in the CMake files.
  - Remove dependency of BR2_PACKAGE_OPTEE_EXAMPLES. As the package
    depends on BR2_TARGET_OPTEE_OS, leave it to optee-os to define
    the supported architectures.

Changes v1 -> v2:
  - Replace BR2_arm with BR2_ARM_CPU_ARMV7 as OP-TEE supports only
    BR2_ARM_CPU_ARMV7 architectures among the 32bit Arm machines.
  - Select OP-TEE client and add dependency on OP-TEE OS.
  - Add option BR2_PACKAGE_OPTEE_EXAMPLES_SYNCED_VERSION to ensure
    OP-TEE examples version is synced with OP-TEE OS version.
  - Do not force output build directory, rely on native path: out/.
  - Replace if/endif with depends on in Config.in.
  - Remove useless OPTEE_EXAMPLES_INSTALL_STAGING=YES.
  - Add package official URL in Config.in package description.

---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 .../0001-fix-deprecated-size_t-type-for-size.patch | 37 ++++++++++++++
 package/optee-examples/3.3.0/optee-examples.hash   |  4 ++
 package/optee-examples/Config.in                   | 59 ++++++++++++++++++++++
 package/optee-examples/optee-examples.mk           | 44 ++++++++++++++++
 6 files changed, 146 insertions(+)
 create mode 100644 package/optee-examples/3.3.0/0001-fix-deprecated-size_t-type-for-size.patch
 create mode 100644 package/optee-examples/3.3.0/optee-examples.hash
 create mode 100644 package/optee-examples/Config.in
 create mode 100644 package/optee-examples/optee-examples.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 0810e63..c9f2e00 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -684,6 +684,7 @@ F:	package/szip/
 N:	Etienne Carriere <etienne.carriere@linaro.org>
 F:	boot/optee-os/
 F:	package/optee-client/
+F:	package/optee-examples/
 
 N:	Eugene Tarassov <eugene@largest.net>
 F:	package/tcf-agent/
diff --git a/package/Config.in b/package/Config.in
index 277a855..b76db17 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2077,6 +2077,7 @@ endmenu
 menu "Security"
 	source "package/checkpolicy/Config.in"
 	source "package/optee-client/Config.in"
+	source "package/optee-examples/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-examples/3.3.0/0001-fix-deprecated-size_t-type-for-size.patch b/package/optee-examples/3.3.0/0001-fix-deprecated-size_t-type-for-size.patch
new file mode 100644
index 0000000..ba1716a
--- /dev/null
+++ b/package/optee-examples/3.3.0/0001-fix-deprecated-size_t-type-for-size.patch
@@ -0,0 +1,37 @@
+commit fca0caba591f31f66325826c74acd26aefd52dee
+Author: Etienne Carriere <etienne.carriere@linaro.org>
+Date:   Tue Dec 18 22:35:16 2018 +0100
+
+    secure_storage: fix deprecated size_t type for size
+    
+    size_t types is an deprecated type used in GPD API v1.0.
+    Update
+    
+    Error reported by GCC 7.3-2018.05:
+      secure_storage_ta.c:203:6: warning: passing argument 4 of 'TEE_ReadObjectData' from incompatible pointer type [-Wincompatible-pointer-types]
+          &read_bytes);
+    
+    Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+
+diff --git a/secure_storage/ta/secure_storage_ta.c b/secure_storage/ta/secure_storage_ta.c
+index d120e47..3ccc12d 100644
+--- a/secure_storage/ta/secure_storage_ta.c
++++ b/secure_storage/ta/secure_storage_ta.c
+@@ -146,7 +146,7 @@ static TEE_Result read_raw_object(uint32_t param_types, TEE_Param params[4])
+ 	TEE_ObjectHandle object;
+ 	TEE_ObjectInfo object_info;
+ 	TEE_Result res;
+-	size_t read_bytes;
++	uint32_t read_bytes;
+ 	char *obj_id;
+ 	size_t obj_id_sz;
+ 	char *data;
+@@ -202,7 +202,7 @@ static TEE_Result read_raw_object(uint32_t param_types, TEE_Param params[4])
+ 	res = TEE_ReadObjectData(object, data, object_info.dataSize,
+ 				 &read_bytes);
+ 	if (res != TEE_SUCCESS || read_bytes != object_info.dataSize) {
+-		EMSG("TEE_ReadObjectData failed 0x%08x, read %u over %u",
++		EMSG("TEE_ReadObjectData failed 0x%08x, read %" PRIu32 " over %u",
+ 				res, read_bytes, object_info.dataSize);
+ 		goto exit;
+ 	}
diff --git a/package/optee-examples/3.3.0/optee-examples.hash b/package/optee-examples/3.3.0/optee-examples.hash
new file mode 100644
index 0000000..77b7466
--- /dev/null
+++ b/package/optee-examples/3.3.0/optee-examples.hash
@@ -0,0 +1,4 @@
+# From https://github.com/linaro-swg/optee_examples/archive/3.3.0.tar.gz
+sha256 504642edd1510562dcc213637d8869190dd581986daf938ed3e85088830e0ef9  optee-examples-3.3.0.tar.gz
+# Locally computed
+sha256 6f1ef8449cb82ae79d2155605f7985bdf0f08e7ab5007de9b4362e8bf28733b9  LICENSE
diff --git a/package/optee-examples/Config.in b/package/optee-examples/Config.in
new file mode 100644
index 0000000..9014c3f
--- /dev/null
+++ b/package/optee-examples/Config.in
@@ -0,0 +1,59 @@
+config BR2_PACKAGE_OPTEE_EXAMPLES
+	bool "optee-examples"
+	depends on BR2_TARGET_OPTEE_OS
+	select BR2_PACKAGE_OPTEE_CLIENT
+	help
+	  Enable the OP-TEE examples package that brings examples of
+	  implementation of OP-TEE non-secure client applications and
+	  secure trusted applications. OP-TEE examples is a
+	  component delivered by the OP-TEE project.
+
+	  Trusted application binary files are installed in the target
+	  directory /lib/optee_armtz as other trusted applications.
+	  At runtime OP-TEE OS can load trusted applications from this
+	  non-secure filesystem/directory into the secure world for
+	  execution.
+
+	  https://github.com/linaro-swg/optee_examples
+
+if BR2_PACKAGE_OPTEE_EXAMPLES
+
+choice
+	prompt "version"
+	default BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	help
+	  Select the version of OP-TEE exmaples you want to use
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	bool "3.3.0"
+	help
+	  This fetches the registered release tag from the
+	  OP-TEE official Git repository.
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+	bool "Custom Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by
+	  Git E.G. a sha id, a tag, branch, ..
+
+endif
+
+config BR2_PACKAGE_OPTEE_EXAMPLES_VERSION
+	string
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_EXAMPLES_LATEST
+	default BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT
+
+endif #BR2_PACKAGE_OPTEE_EXAMPLES
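Review bot: BR2_PACKAGE_OPTEE_EXAMPLES only has `depends on BR2_TARGET_OPTEE_OS`, yet optee-examples.mk in this patch points TA_DEV_KIT_DIR at $(STAGING_DIR)/lib/optee/export-ta_arm64 (or export-ta_arm32), which boot/optee-os/optee-os.mk installs only when BR2_TARGET_OPTEE_OS_SDK is enabled. With the dev kit option turned off, the TA build loop would run against a directory that does not exist. Adding `select BR2_TARGET_OPTEE_OS_SDK` under the existing `select BR2_PACKAGE_OPTEE_CLIENT` closes that gap. The version prompt help also misspells "examples" as "exmaples".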
diff --git a/package/optee-examples/optee-examples.mk b/package/optee-examples/optee-examples.mk
new file mode 100644
index 0000000..38701d4
--- /dev/null
+++ b/package/optee-examples/optee-examples.mk
@@ -0,0 +1,44 @@
+################################################################################
+#
+# optee-examples
+#
+################################################################################
+
+OPTEE_EXAMPLES_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_VERSION))
+OPTEE_EXAMPLES_LICENSE = BSD-2-Clause
+OPTEE_EXAMPLES_LICENSE_FILES = LICENSE
+
+OPTEE_EXAMPLES_DEPENDENCIES = optee-client optee-os
+
+ifeq ($(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_GIT),y)
+OPTEE_EXAMPLES_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_EXAMPLES_CUSTOM_REPO_URL))
+OPTEE_EXAMPLES_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_EXAMPLES_SOURCE)
+else
+OPTEE_EXAMPLES_SITE = $(call github,linaro-swg,optee_examples,$(OPTEE_EXAMPLES_VERSION))
+endif
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_EXAMPLES_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
+endif
+
+# Trusted Application are not built from CMake due to ta_dev_kit dependencies.
+# We must build and install them on target.
+define OPTEE_EXAMPLES_BUILD_TAS
+	@$(foreach f,$(wildcard $(@D)/*/ta/Makefile), \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
+			TA_DEV_KIT_DIR=$(OPTEE_EXAMPLES_SDK) \
+			O=out -C $(dir $f) all &&) true
+endef
+define OPTEE_EXAMPLES_INSTALL_TAS
+	@mkdir -p $(TARGET_DIR)/lib/optee_armtz
+	@$(INSTALL) -D -m 444 -t $(TARGET_DIR)/lib/optee_armtz $(@D)/*/ta/out/*.ta
+endef
+OPTEE_EXAMPLES_POST_BUILD_HOOKS += OPTEE_EXAMPLES_BUILD_TAS
+OPTEE_EXAMPLES_POST_INSTALL_TARGET_HOOKS += OPTEE_EXAMPLES_INSTALL_TAS
+
+$(eval $(cmake-package))
-- 
1.9.1


* [Buildroot] [PATCH v3 4/7] optee-test: new package
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 2/7] optee-client: " Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 3/7] optee-examples: " Etienne Carriere
@ 2019-01-07 10:24     ` Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 5/7] optee-benchmark: " Etienne Carriere
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

The OP-TEE test package provides test materials as part of the OP-TEE
project, helping platforms to verify their OP-TEE components
against a set of regression and performance tests.

Package is added in the BR package configuration next to the
OP-TEE client package.

This change references in Buildroot the today's latest OP-TEE
revision release tagged 3.3.0 with few added patches:
- fix an issue with the CMake files,
- fix few issues with recent GCC releases (8.x)

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3:
  - Add an entry in file DEVELOPERS.
  - Clean Config.in layout and description sections.
  - Drop BR2_PACKAGE_OPTEE_TEST_SYNCED_VERSION.
  - Clean optee-test.mk layout.
  - Replace common optee-test.hash with per-version .hash files.
  - Patch optee_benchmark 3.3.0 against an issue reported by GCC warns.
  - Remove dependency of BR2_PACKAGE_OPTEE_EXAMPLES and Arm architecture.
    As the package depends on BR2_TARGET_OPTEE_OS, leave it to optee-os
    to define the supported architectures.

Changes v1 -> v2:
  - Replace BR2_arm with BR2_ARM_CPU_ARMV7 as OP-TEE supports only
    BR2_ARM_CPU_ARMV7 architectures among the 32bit Arm machines.
  - Add missing dependency on BR2_TARGET_OPTEE_OS and select
    BR2_PACKAGE_OPTEE_CLIENT when enabled.
  - Add option BR2_PACKAGE_OPTEE_TEST_SYNCED_VERSION to ensure
    OP-TEE test version is synced with OP-TEE OS version.
  - Fix official repo URL in Config.in package description.
  - Remove useless OPTEE_TEST_INSTALL_STAGING=YES.
  - Do not force output build directory and rely on native one: out/.

---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 .../optee-test/3.3.0/0001-cmake-rely-on-C.patch    | 32 +++++++++++
 ...ent-unexpected-build-warning-with-strncpy.patch | 54 +++++++++++++++++++
 ...egression-4011-correct-potential-overflow.patch | 60 +++++++++++++++++++++
 package/optee-test/3.3.0/optee-test.hash           |  4 ++
 package/optee-test/Config.in                       | 63 ++++++++++++++++++++++
 package/optee-test/optee-test.mk                   | 45 ++++++++++++++++
 8 files changed, 260 insertions(+)
 create mode 100644 package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
 create mode 100644 package/optee-test/3.3.0/0002-xtest-prevent-unexpected-build-warning-with-strncpy.patch
 create mode 100644 package/optee-test/3.3.0/0003-regression-4011-correct-potential-overflow.patch
 create mode 100644 package/optee-test/3.3.0/optee-test.hash
 create mode 100644 package/optee-test/Config.in
 create mode 100644 package/optee-test/optee-test.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index c9f2e00..28ba658 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -685,6 +685,7 @@ N:	Etienne Carriere <etienne.carriere@linaro.org>
 F:	boot/optee-os/
 F:	package/optee-client/
 F:	package/optee-examples/
+F:	package/optee-test/
 
 N:	Eugene Tarassov <eugene@largest.net>
 F:	package/tcf-agent/
diff --git a/package/Config.in b/package/Config.in
index b76db17..e5b6dad 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2078,6 +2078,7 @@ menu "Security"
 	source "package/checkpolicy/Config.in"
 	source "package/optee-client/Config.in"
 	source "package/optee-examples/Config.in"
+	source "package/optee-test/Config.in"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
diff --git a/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
new file mode 100644
index 0000000..ea7b966
--- /dev/null
+++ b/package/optee-test/3.3.0/0001-cmake-rely-on-C.patch
@@ -0,0 +1,32 @@
+cmake: component rely on C support
+
+Without specifing optee_client source expects only C source file
+support cmake may attempt to look for resources as g++. When
+building with environments that do not provide such tools as when
+building from native buildroot ofr a qemu target, optee_client
+fails to build. This change ensure a minimal C support allows to
+build optee_client with cmake.
+
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0290205..a3fd269 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ cmake_minimum_required (VERSION 3.2)
++project (optee_test C)
+ 
+ # Default cross compile settings
+ set (CMAKE_TOOLCHAIN_FILE CMakeToolchain.txt)
+diff --git a/ta/CMakeLists.txt b/ta/CMakeLists.txt
+index 22d7727..795237e 100644
+--- a/ta/CMakeLists.txt
++++ b/ta/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-project (xtest-ta-headers)
++project (xtest-ta-headers C)
+ 
+ add_library(${PROJECT_NAME} INTERFACE)
+ 
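Review bot: The description at the top of this carried patch names the wrong component: it says optee_client fails to build, while the two CMakeLists.txt files it touches declare `optee_test` and `xtest-ta-headers`. The wording appears to have been taken over from the optee-client equivalent and also carries typos (`specifing`, `ofr`). I would reword it along the lines of `Declare the projects as C-only so that CMake does not probe for a C++ compiler, which Buildroot toolchains without C++ support do not provide.`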
diff --git a/package/optee-test/3.3.0/0002-xtest-prevent-unexpected-build-warning-with-strncpy.patch b/package/optee-test/3.3.0/0002-xtest-prevent-unexpected-build-warning-with-strncpy.patch
new file mode 100644
index 0000000..55e796b
--- /dev/null
+++ b/package/optee-test/3.3.0/0002-xtest-prevent-unexpected-build-warning-with-strncpy.patch
@@ -0,0 +1,54 @@
+commit 30db8e0261fabe83bea6eb1922d9581e140125b6
+Author: Etienne Carriere <etienne.carriere@linaro.org>
+Date:   Fri Dec 21 15:36:00 2018 +0100
+
+    xtest: prevent unexpected build warning with strncpy
+    
+    This change modifies adbg_run.c to prevent a false positive
+    warning reported by GCC 8.2 on usage of strncpy():
+    
+        build/optee_test/host/xtest/adbg/src/adbg_run.c: In function 'Do_ADBG_AppendToSuite':
+        build/optee_test/host/xtest/adbg/src/adbg_run.c:103:3: error: 'strncpy' specified bound depends on the length of the source argument [-Werror=stringop-overflow=]
+           strncpy(p, Source_p->SuiteID_p, size);
+           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        build/optee_test/host/xtest/adbg/src/adbg_run.c:88:9: note: length computed here
+          size = strlen(Source_p->SuiteID_p);
+                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+        cc1: all warnings being treated as errors
+    
+    From [1]:
+      Using strncpy Safely
+      In general, it is not possible to avoid string truncation by strncpy
+      except by sizing the destination to be at least a byte larger than
+      the length of the source string. With that approach, however, using
+      strncpy becomes unnecessary and the function can be avoided in favor
+      of other APIs such as strcpy or (less preferably) memcpy. Much has
+      been written about the problems with strncpy and we recommend to
+      avoid it whenever possible. It is, however, worth keeping in mind
+      that unlike other standard string-handling functions, strncpy always
+      writes exactly as many characters as specified by the third argument;
+      if the source string is shorter, the function fills the remaining
+      bytes with NULs.
+    
+    This change prefers using a snprintf() as used in the alternate
+    instruction block of the strncpy() call.
+    
+    [1] https://developers.redhat.com/blog/2018/05/24/detecting-string-truncation-with-gcc-8/
+    
+    Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+    Signed-off-by: Simon Hughes <simon.hughes@arm.com>
+    Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+
+diff --git a/host/xtest/adbg/src/adbg_run.c b/host/xtest/adbg/src/adbg_run.c
+index 406e429..2739db5 100644
+--- a/host/xtest/adbg/src/adbg_run.c
++++ b/host/xtest/adbg/src/adbg_run.c
+@@ -100,7 +100,7 @@ int Do_ADBG_AppendToSuite(
+ 		snprintf(p, size, "%s+%s", Dest_p->SuiteID_p,
+ 			 Source_p->SuiteID_p);
+ 	else
+-		strncpy(p, Source_p->SuiteID_p, size);
++		snprintf(p, size, "%s", Source_p->SuiteID_p);
+ 	free((void *)Dest_p->SuiteID_p);
+ 	Dest_p->SuiteID_p = p;
+ 
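Review bot: The new `snprintf(p, size, "%s", Source_p->SuiteID_p)` stores a silently shortened suite ID if `size` leaves no room for the terminating NUL, and its return value is not checked. The only computation of `size` visible here is the compiler note quoting `size = strlen(Source_p->SuiteID_p);` at line 88; the allocation of `p` and the rest of Do_ADBG_AppendToSuite are outside the hunk, so the extra byte has to be confirmed there. Testing the result, `if (snprintf(p, size, "%s", Source_p->SuiteID_p) >= (int)size)`, and taking the function's existing failure path on truncation would make the assumption explicit.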
diff --git a/package/optee-test/3.3.0/0003-regression-4011-correct-potential-overflow.patch b/package/optee-test/3.3.0/0003-regression-4011-correct-potential-overflow.patch
new file mode 100644
index 0000000..77b7cd7
--- /dev/null
+++ b/package/optee-test/3.3.0/0003-regression-4011-correct-potential-overflow.patch
@@ -0,0 +1,60 @@
+commit 4e352aad0cfceeec1d9adde879a034039a0cf267
+Author: Etienne Carriere <etienne.carriere@linaro.org>
+Date:   Fri Dec 21 15:36:25 2018 +0100
+
+    regression 4011: correct potential overflow
+    
+    Fix issues reported by GCC 8.2.0.
+    
+    build/optee_test/host/xtest/regression_4000.c: In function 'xtest_tee_test_4011':
+    build/optee_test/host/xtest/regression_4000.c:5029:3: error: 'memmove' pointer overflow between offset [0, 8] and size [4294967295, 2147483647] accessing array 'tmp' with type 'uint8_t[1024]' {aka 'unsigned char[1024]'} [-Werror=array-bounds]
+       memmove(tmp + n + i, tmp + m, tmp_size - m);
+       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    build/optee_test/host/xtest/regression_4000.c:4927:10: note: array 'tmp' declared here
+      uint8_t tmp[1024];
+              ^~~
+    build/optee_test/host/xtest/regression_4000.c:5029:3: error: 'memmove' specified size 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=]
+       memmove(tmp + n + i, tmp + m, tmp_size - m);
+       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    cc1: all warnings being treated as errors
+    
+    Reported-by: Simon Hughes <simon.hughes@arm.com>
+    Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+    Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+
+diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c
+index 766aad2..205a226 100644
+--- a/host/xtest/regression_4000.c
++++ b/host/xtest/regression_4000.c
+@@ -5018,18 +5018,28 @@ static void xtest_tee_test_4011(ADBG_Case_t *c)
+ 				out, out_size, tmp, &tmp_size)))
+ 			goto out;
+ 
++		if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, tmp_size, <=, sizeof(tmp)))
++			goto out;
++
+ 		/* 4.1 */
+-		for (n = 0; n < tmp_size; n++)
++		for (n = 0; n < tmp_size - i; n++)
+ 			if (tmp[n] == 0xff)
+ 				break;
++
++		/* Shall find@least a padding start before buffer end */
++	        if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, n, <, tmp_size - i - 1))
++			goto out;
++
+ 		for (m = n + 1; m < tmp_size; m++)
+ 			if (tmp[m] != 0xff)
+ 				break;
++
+ 		/* 4.2 */
+ 		memmove(tmp + n + i, tmp + m, tmp_size - m);
++
+ 		/* 4.3 */
+-		for (n = n + tmp_size - m + i; n < tmp_size; n++)
+-			tmp[n] = 0;
++		n = n + i + tmp_size - m;
++		memset(tmp + n, 0, tmp_size - n);
+ 
+ 		/* 5 */
+ 		out_size = sizeof(out);
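Review bot: The new length expressions `tmp_size - i` in the 4.1 loop and `tmp_size - i - 1` in the check after it wrap around when `tmp_size` is not larger than `i`. Nothing verifies that the padding run is at least `i` bytes long (`n + i <= m`) before the memmove in 4.2 and the new memset in 4.3. The declarations of `i`, `n`, `m` and `tmp_size` are outside the hunk, so this assumes they are unsigned, as the unsigned comparison macro suggests. In that case `n + i > m` makes the updated `n` larger than `tmp_size`, and the memset length `tmp_size - n` underflows. Two extra expectations, sketched below, would close both gaps; xtest_tee_test_4011 starts and ends outside the hunk.

```c
		if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, tmp_size, >, i + 1))
			goto out;

		/* 4.1 */
		/* … unchanged: search for the first 0xff byte (n) and the end of the padding run (m) … */

		/* The padding run must be at least i bytes long */
		if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, n + i, <=, m))
			goto out;

		/* 4.2 */
		memmove(tmp + n + i, tmp + m, tmp_size - m);
```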
diff --git a/package/optee-test/3.3.0/optee-test.hash b/package/optee-test/3.3.0/optee-test.hash
new file mode 100644
index 0000000..0da2212
--- /dev/null
+++ b/package/optee-test/3.3.0/optee-test.hash
@@ -0,0 +1,4 @@
+# From https://github.com/OP-TEE/optee_test/archive/3.3.0.tar.gz
+sha256 9651d5db0d28856e45d6bc25ce603bfcf641435bd3264d95b449f093665c8521  optee-test-3.3.0.tar.gz
+# Locally computed
+sha256 6e6810981f0ddab9e0d44399d0700a15d9f760a3c2843cc866659c2074139ae7  LICENSE.md
diff --git a/package/optee-test/Config.in b/package/optee-test/Config.in
new file mode 100644
index 0000000..40ac8e8
--- /dev/null
+++ b/package/optee-test/Config.in
@@ -0,0 +1,63 @@
+config BR2_PACKAGE_OPTEE_TEST
+	bool "optee-test"
+	depends on BR2_TARGET_OPTEE_OS
+	select BR2_PACKAGE_OPTEE_CLIENT
+	help
+	  This build option enables OP-TEE test package from the
+	  OP-TEE project. It helps platforms to verify the OP-TEE
+	  installation against a set of regression and performance
+	  tests.
+
+	  The package generates userspace test applications and
+	  data files for the Linux userland. It also generates
+	  OP-TEE trusted applications.
+
+	  Trusted application binary files are installed in the target
+	  directory /lib/optee_armtz as other trusted applications.
+	  At runtime OP-TEE OS can load trusted applications from this
+	  non-secure filesystem/directory into the secure world for
+	  execution.
+
+	  http://github.com/OP-TEE/optee_test
+
+if BR2_PACKAGE_OPTEE_TEST
+
+choice
+	prompt "version"
+	default BR2_PACKAGE_OPTEE_TEST_LATEST
+	help
+	  Select the version of OP-TEE test you want to use
+
+config BR2_PACKAGE_OPTEE_TEST_LATEST
+	bool "3.3.0"
+	help
+	  This fetches the registered release tag from the
+	  OP-TEE official Git repository.
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+	bool "Custom Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by
+	  Git E.G. a sha id, a tag, branch, ..
+
+endif
+
+config BR2_PACKAGE_OPTEE_TEST_VERSION
+	string
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_TEST_LATEST
+	default BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT
+
+endif #BR2_PACKAGE_OPTEE_TEST
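Review bot: The help text explains that OP-TEE OS loads these trusted applications from the non-secure filesystem, but it does not say that the package installs test TAs meant for validation images. A sentence such as `These test applications are intended for development and validation images, not for production root filesystems.` would make that explicit. BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL also has no help text, while the optee-benchmark Config.in later in this series has one (`Specific location of the reference source tree Git repository.`). The project link should use `https://github.com/OP-TEE/optee_test`, and the same `http://` form appears in the optee-benchmark Config.in.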
diff --git a/package/optee-test/optee-test.mk b/package/optee-test/optee-test.mk
new file mode 100644
index 0000000..0ec7238
--- /dev/null
+++ b/package/optee-test/optee-test.mk
@@ -0,0 +1,45 @@
+################################################################################
+#
+# optee-test
+#
+################################################################################
+
+OPTEE_TEST_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_VERSION))
+OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,
+OPTEE_TEST_LICENSE_FILES = LICENSE.md
+
+OPTEE_TEST_DEPENDENCIES = optee-client optee-os
+
+ifeq ($(BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT),y)
+OPTEE_TEST_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_URL))
+OPTEE_TEST_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)
+else
+OPTEE_TEST_SITE = $(call github,OP-TEE,optee_test,$(OPTEE_TEST_VERSION))
+endif
+
+ifeq ($(BR2_aarch64),y)
+OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm64
+endif
+ifeq ($(BR2_arm),y)
+OPTEE_TEST_SDK = $(STAGING_DIR)/lib/optee/export-ta_arm32
+endif
+OPTEE_TEST_CONF_OPTS = -DOPTEE_TEST_SDK=$(OPTEE_TEST_SDK)
+
+# Trusted Application are not built from CMake due to ta_dev_kit dependencies.
+# We must build and install them on target.
+define OPTEE_TEST_BUILD_TAS
+	@$(foreach f,$(wildcard $(@D)/ta/*/Makefile), \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) CROSS_COMPILE=$(TARGET_CROSS) \
+			TA_DEV_KIT_DIR=$(OPTEE_TEST_SDK) \
+			-C $(dir $f) all &&) true
+endef
+define OPTEE_TEST_INSTALL_TAS
+	@mkdir -p $(TARGET_DIR)/lib/optee_armtz
+	@$(INSTALL) -D -m 444 -t $(TARGET_DIR)/lib/optee_armtz $(@D)/ta/*/*.ta
+endef
+OPTEE_TEST_POST_BUILD_HOOKS += OPTEE_TEST_BUILD_TAS
+OPTEE_TEST_POST_INSTALL_TARGET_HOOKS += OPTEE_TEST_INSTALL_TAS
+
+$(eval $(cmake-package))
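Review bot: With BR2_PACKAGE_OPTEE_TEST_CUSTOM_GIT the line `BR_NO_CHECK_HASH_FOR += $(OPTEE_TEST_SOURCE)` turns off hash verification, and the Config.in help accepts a tag or branch as the version. The trusted applications installed into /lib/optee_armtz can therefore come from a ref that moves between builds. A comment above that line should say so, for example `# Custom Git source: no hash is checked; set BR2_PACKAGE_OPTEE_TEST_CUSTOM_REPO_VERSION to a full commit id for reproducible builds`. The same applies to `BR_NO_CHECK_HASH_FOR += $(OPTEE_BENCHMARK_SOURCE)` in optee-benchmark.mk. Separately, `OPTEE_TEST_LICENSE = GPL-2.0, BSD-2-Clause,` ends with a stray comma.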
-- 
1.9.1


* [Buildroot] [PATCH v3 5/7] optee-benchmark: new package
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
                       ` (2 preceding siblings ...)
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 4/7] optee-test: " Etienne Carriere
@ 2019-01-07 10:24     ` Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 6/7] configs/qemu_armv7a_tz_virt: Armv7-A emulation with TrustZone services Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 7/7] configs/qemu_aarch64_tz_virt: AArch64 " Etienne Carriere
  5 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

OP-TEE performance benchmark tools for the OP-TEE project.

This package generates embedded Linux based OS materials used
to retrieve execution timing information on invocation of the
OP-TEE secure services.

It is added next to the OP-TEE client package in BR configuration.

This change references in Buildroot the today's latest OP-TEE
revision release tagged 3.3.0 with an added patch to fix an issue
reported by recent GCC toolchains.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3:
  - Add an entry in file DEVELOPERS.
  - Clean Config.in layout and description sections.
  - Drop BR2_PACKAGE_OPTEE_BENCHMARK_SYNCED_VERSION.
  - Clean optee-benchmark.mk layout.
  - Replace common optee-benchmark.hash with per-version .hash files.
  - Add a patch on 3.3.0 to fix an issue reported through GCC warns.

Changes v1 -> v2:
  - Add dependency on OP-TEE client.
  - Add option BR2_PACKAGE_OPTEE_BENCHMARK_SYNCED_VERSION to ensure
    OP-TEE benchmark version is synced with OP-TEE client version.
  - Remove useless OPTEE_BENCHMARK_INSTALL_STAGING and
    OPTEE_BENCHMARK_INSTALL_IMAGES.
  - Remove unused BR2_PACKAGE_OPTEE_BENCHMARK_GIT_REFERENCE.
  - Remove useless _INSTALL_STAGING/_INSTALL_IMAGES=YES.

---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 ...ix-format-specifier-in-call-to-INFO-macro.patch | 30 ++++++++++++
 package/optee-benchmark/3.3.0/optee-benchmark.hash |  2 +
 package/optee-benchmark/Config.in                  | 55 ++++++++++++++++++++++
 package/optee-benchmark/optee-benchmark.mk         | 22 +++++++++
 6 files changed, 111 insertions(+)
 create mode 100644 package/optee-benchmark/3.3.0/0001-Fix-format-specifier-in-call-to-INFO-macro.patch
 create mode 100644 package/optee-benchmark/3.3.0/optee-benchmark.hash
 create mode 100644 package/optee-benchmark/Config.in
 create mode 100644 package/optee-benchmark/optee-benchmark.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 28ba658..4dd7f4a 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -683,6 +683,7 @@ F:	package/szip/
 
 N:	Etienne Carriere <etienne.carriere@linaro.org>
 F:	boot/optee-os/
+F:	package/optee-benchmark/
 F:	package/optee-client/
 F:	package/optee-examples/
 F:	package/optee-test/
diff --git a/package/Config.in b/package/Config.in
index e5b6dad..cdee281 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2076,6 +2076,7 @@ endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/optee-benchmark/Config.in"
 	source "package/optee-client/Config.in"
 	source "package/optee-examples/Config.in"
 	source "package/optee-test/Config.in"
diff --git a/package/optee-benchmark/3.3.0/0001-Fix-format-specifier-in-call-to-INFO-macro.patch b/package/optee-benchmark/3.3.0/0001-Fix-format-specifier-in-call-to-INFO-macro.patch
new file mode 100644
index 0000000..6a2cd37
--- /dev/null
+++ b/package/optee-benchmark/3.3.0/0001-Fix-format-specifier-in-call-to-INFO-macro.patch
@@ -0,0 +1,30 @@
+commit ecba70dd88f33f3c770a4c564b49d7e872eab34e
+Author: ChrisG55 <christian_g_55@msn.com>
+Date:   Thu Dec 6 11:52:29 2018 +0100
+
+    Fix format specifier in call to INFO macro
+    
+    Improper use of format specifiers for arguments of type intptr_t and size_t
+    raises warnings at compile time. Compilation breaks when GCC's -Werror flag is
+    set, which is the default. By using the appropriate format specifiers, no
+    warnings are raised and compilation succeeds.
+    
+    Reported-by: ChrisG55 <christian_g_55@msn.com>
+    Tested-by: ChrisG55 <christian_g_55@msn.com>
+    Fixes: 55fcc4ae0de4b9a2f7253562f8083694e69a8e33
+    Signed-off-by: ChrisG55 <christian_g_55@msn.com>
+    Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
+
+diff --git a/main.c b/main.c
+index 3d53dca..86225bd 100644
+--- a/main.c
++++ b/main.c
+@@ -106,7 +106,7 @@ static void alloc_bench_buf(uint32_t cores)
+ 	paddr_ts_buf = op.params[0].value.a;
+ 	size = op.params[0].value.b;
+ 
+-	INFO("ts buffer paddr = %x, size = %d\n", paddr_ts_buf, size);
++	INFO("ts buffer paddr = %" PRIiPTR ", size = %zu\n", paddr_ts_buf, size);
+ 	if (paddr_ts_buf) {
+ 
+ 		bench_ts_global = mmap_paddr(paddr_ts_buf, size);
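Review bot: `PRIiPTR` prints the timestamp buffer address as a signed decimal, whereas the line it replaces printed it in hexadecimal with `%x`. `PRIxPTR` keeps the log readable as an address: `INFO("ts buffer paddr = 0x%" PRIxPTR ", size = %zu\n", (uintptr_t)paddr_ts_buf, size);`. The declarations of `paddr_ts_buf` and `size` and the include list are outside the hunk, so it should be confirmed that main.c includes `<inttypes.h>`, which the PRI macros need. alloc_bench_buf continues outside the hunk.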
diff --git a/package/optee-benchmark/3.3.0/optee-benchmark.hash b/package/optee-benchmark/3.3.0/optee-benchmark.hash
new file mode 100644
index 0000000..d93c26c
--- /dev/null
+++ b/package/optee-benchmark/3.3.0/optee-benchmark.hash
@@ -0,0 +1,2 @@
+# From https://github.com/linaro-swg/optee_benchmark/archive/3.3.0.tar.gz
+sha256 bfba3749ac8b37628550696f0625452ae8aef060eff5b3b1c4283a5dad8a3383 optee-benchmark-3.3.0.tar.gz
diff --git a/package/optee-benchmark/Config.in b/package/optee-benchmark/Config.in
new file mode 100644
index 0000000..99794c3
--- /dev/null
+++ b/package/optee-benchmark/Config.in
@@ -0,0 +1,55 @@
+config BR2_PACKAGE_OPTEE_BENCHMARK
+	bool "optee-benchmark"
+	select BR2_PACKAGE_OPTEE_CLIENT
+	select BR2_PACKAGE_LIBYAML
+	help
+	  Enable the OP-TEE benchmark package that brings facilities
+	  for profiling traversal and execution timings when
+	  invoking OP-TEE. OP-TEE benchmark is a component delivered
+	  by the OP-TEE project.
+
+	  http://github.com/linaro-swg/optee_benchmark
+
+if BR2_PACKAGE_OPTEE_BENCHMARK
+
+choice
+	prompt "version"
+	default BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	help
+	  Select the version of OP-TEE benchmark you want to use
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	bool "3.3.0"
+	help
+	  This fetches the registered release tag from the
+	  OP-TEE official Git repository.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+	bool "Custom Git repository"
+	help
+	  Sync with a specific OP-TEE Git repository.
+
+endchoice
+
+if BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_URL
+	string "URL of custom repository"
+	help
+	  Specific location of the reference source tree Git repository.
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by
+	  Git E.G. a sha id, a tag, branch, ..
+
+endif
+
+config BR2_PACKAGE_OPTEE_BENCHMARK_VERSION
+	string
+	default "3.3.0"	if BR2_PACKAGE_OPTEE_BENCHMARK_LATEST
+	default BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_VERSION \
+			if BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT
+
+endif #BR2_PACKAGE_OPTEE_BENCHMARK
diff --git a/package/optee-benchmark/optee-benchmark.mk b/package/optee-benchmark/optee-benchmark.mk
new file mode 100644
index 0000000..8eef0f6
--- /dev/null
+++ b/package/optee-benchmark/optee-benchmark.mk
@@ -0,0 +1,22 @@
+################################################################################
+#
+# optee-benchmarch
+#
+################################################################################
+
+OPTEE_BENCHMARK_VERSION = $(call qstrip,$(BR2_PACKAGE_OPTEE_BENCHMARK_VERSION))
+OPTEE_BENCHMARK_LICENSE = BSD-2-Clause
+
+OPTEE_BENCHMARK_DEPENDENCIES = optee-client libyaml
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_LATEST),y)
+OPTEE_BENCHMARK_SITE = $(call github,linaro-swg,optee_benchmark,$(OPTEE_BENCHMARK_VERSION))
+endif
+
+ifeq ($(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_GIT),y)
+OPTEE_BENCHMARK_SITE = $(call qstrip,$(BR2_PACKAGE_OPTEE_BENCHMARK_CUSTOM_REPO_URL))
+OPTEE_BENCHMARK_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(OPTEE_BENCHMARK_SOURCE)
+endif
+
+$(eval $(cmake-package))
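Review bot: The banner comment reads `# optee-benchmarch`; it should be `# optee-benchmark`. OPTEE_BENCHMARK_LICENSE is set without an `OPTEE_BENCHMARK_LICENSE_FILES` line, and the 3.3.0 hash file carries no licence entry, unlike optee-test in this series. If the upstream tree ships a licence file, it should be listed here and hashed so that a change of licence text is noticed on a version bump.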
-- 
1.9.1


* [Buildroot] [PATCH v3 6/7] configs/qemu_armv7a_tz_virt: Armv7-A emulation with TrustZone services
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
                       ` (3 preceding siblings ...)
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 5/7] optee-benchmark: " Etienne Carriere
@ 2019-01-07 10:24     ` Etienne Carriere
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 7/7] configs/qemu_aarch64_tz_virt: AArch64 " Etienne Carriere
  5 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

This change introduces a Qemu board for an Armv7-A target executing
with OP-TEE secure world services.

The target Linux based normal world embeds the standard minimal
filesystem with OP-TEE non-secure components embedded files from
OP-TEE test, examples and benchmark packages.

The Linux custom configuration is dumped from the vexpress_defconfig
with few added fragments: OP-TEE driver and 9p for virtual filesystem to
ease file manipulation and exchanges through Qemu virtfs support.

The standard way of booting OP-TEE with a non-secure world companion
uses the Arm Trusted Firmware-A as bootloader. OP-TEE OS provides the
BL32 image and U-boot the BL33 image. The proposed board enables OP-TEE
and U-boot build for this. However package boot/arm-trusted-firmware
needs a few changes to support building Armv7-A targets.

Therefore the proposed board allows one to build the images but not
yet to run the target with the built Qemu host tool.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3
  - New change to introduce a board that at least builds Armv7-A OP-TEE.

---
 board/qemu/armv7a-tz-virt/linux.config  | 167 ++++++++++++++++++++++++++++++++
 board/qemu/armv7a-tz-virt/readme.txt    |  11 +++
 board/qemu/armv7a-tz-virt/u-boot.config |   3 +
 configs/qemu_armv7a_tz_virt_defconfig   |  41 ++++++++
 4 files changed, 222 insertions(+)
 create mode 100644 board/qemu/armv7a-tz-virt/linux.config
 create mode 100644 board/qemu/armv7a-tz-virt/readme.txt
 create mode 100644 board/qemu/armv7a-tz-virt/u-boot.config
 create mode 100644 configs/qemu_armv7a_tz_virt_defconfig

diff --git a/board/qemu/armv7a-tz-virt/linux.config b/board/qemu/armv7a-tz-virt/linux.config
new file mode 100644
index 0000000..62ece0c
--- /dev/null
+++ b/board/qemu/armv7a-tz-virt/linux.config
@@ -0,0 +1,167 @@
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_SYSVIPC=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_CGROUPS=y
+CONFIG_CPUSETS=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_PROFILING=y
+CONFIG_OPROFILE=y
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+# CONFIG_LBDAF is not set
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+CONFIG_ARCH_VEXPRESS=y
+CONFIG_ARCH_VEXPRESS_DCSCB=y
+CONFIG_ARCH_VEXPRESS_TC2_PM=y
+# CONFIG_SWP_EMULATE is not set
+CONFIG_SMP=y
+CONFIG_HAVE_ARM_ARCH_TIMER=y
+CONFIG_MCPM=y
+CONFIG_VMSPLIT_2G=y
+CONFIG_NR_CPUS=8
+CONFIG_ARM_PSCI=y
+CONFIG_AEABI=y
+CONFIG_CMA=y
+CONFIG_ZBOOT_ROM_TEXT=0x0
+CONFIG_ZBOOT_ROM_BSS=0x0
+CONFIG_CMDLINE="console=ttyAMA0"
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y
+CONFIG_VFP=y
+CONFIG_NEON=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_MTD=y
+CONFIG_MTD_CMDLINE_PARTS=y
+CONFIG_MTD_BLOCK=y
+CONFIG_MTD_CFI=y
+CONFIG_MTD_CFI_INTELEXT=y
+CONFIG_MTD_CFI_AMDSTD=y
+CONFIG_MTD_PHYSMAP=y
+CONFIG_MTD_PHYSMAP_OF=y
+CONFIG_MTD_PLATRAM=y
+CONFIG_MTD_UBI=y
+CONFIG_PROC_DEVICETREE=y
+CONFIG_VIRTIO_BLK=y
+# CONFIG_SCSI_PROC_FS is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_ATA=y
+# CONFIG_SATA_PMP is not set
+CONFIG_NETDEVICES=y
+CONFIG_VIRTIO_NET=y
+CONFIG_SMC91X=y
+CONFIG_SMSC911X=y
+# CONFIG_WLAN is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_SERIO_SERPORT is not set
+CONFIG_SERIO_AMBAKMI=y
+CONFIG_LEGACY_PTY_COUNT=16
+CONFIG_SERIAL_AMBA_PL011=y
+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_I2C=y
+CONFIG_I2C_VERSATILE=y
+CONFIG_SENSORS_VEXPRESS=y
+CONFIG_REGULATOR=y
+CONFIG_REGULATOR_VEXPRESS=y
+CONFIG_FB=y
+CONFIG_FB_ARMCLCD=y
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_LOGO=y
+# CONFIG_LOGO_LINUX_MONO is not set
+# CONFIG_LOGO_LINUX_VGA16 is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_MIXER_OSS=y
+CONFIG_SND_PCM_OSS=y
+# CONFIG_SND_DRIVERS is not set
+CONFIG_SND_ARMAACI=y
+CONFIG_HID_DRAGONRISE=y
+CONFIG_HID_GYRATION=y
+CONFIG_HID_TWINHAN=y
+CONFIG_HID_NTRIG=y
+CONFIG_HID_PANTHERLORD=y
+CONFIG_HID_PETALYNX=y
+CONFIG_HID_SAMSUNG=y
+CONFIG_HID_SONY=y
+CONFIG_HID_SUNPLUS=y
+CONFIG_HID_GREENASIA=y
+CONFIG_HID_SMARTJOYPLUS=y
+CONFIG_HID_TOPSEED=y
+CONFIG_HID_THRUSTMASTER=y
+CONFIG_HID_ZEROPLUS=y
+CONFIG_USB=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+CONFIG_USB_MON=y
+CONFIG_USB_STORAGE=y
+CONFIG_USB_ISP1760=y
+CONFIG_MMC=y
+CONFIG_MMC_ARMMMCI=y
+CONFIG_NEW_LEDS=y
+CONFIG_LEDS_CLASS=y
+CONFIG_LEDS_GPIO=y
+CONFIG_LEDS_TRIGGERS=y
+CONFIG_LEDS_TRIGGER_HEARTBEAT=y
+CONFIG_LEDS_TRIGGER_CPU=y
+CONFIG_RTC_CLASS=y
+CONFIG_RTC_DRV_PL031=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
+CONFIG_EXT2_FS=y
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+CONFIG_EXT4_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_TMPFS=y
+#CONFIG_JFFS2_FS is not set
+CONFIG_UBIFS_FS=y
+CONFIG_CRAMFS=y
+CONFIG_SQUASHFS=y
+CONFIG_SQUASHFS_LZO=y
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+CONFIG_9P_FS=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_FS=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_DEBUG_KERNEL=y
+CONFIG_DETECT_HUNG_TASK=y
+# CONFIG_SCHED_DEBUG is not set
+CONFIG_DEBUG_USER=y
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_HW is not set
+### Enable OP-TEE
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+### Enable 9P VFS
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
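Review bot: `#CONFIG_JFFS2_FS is not set` lacks the space after `#`, so it is likely read as a plain comment rather than as an explicit disable; it should be `# CONFIG_JFFS2_FS is not set`. CONFIG_NET_9P, CONFIG_NET_9P_VIRTIO and CONFIG_9P_FS are each set twice, once in the dumped part and again under `### Enable 9P VFS`; one copy is enough. The file also keeps CONFIG_DEBUG_FS, CONFIG_MAGIC_SYSRQ and CONFIG_DEBUG_USER enabled, which suits an emulated test board. A leading comment such as `# Kernel configuration for QEMU testing only` would keep it from being reused unchanged on real hardware.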
diff --git a/board/qemu/armv7a-tz-virt/readme.txt b/board/qemu/armv7a-tz-virt/readme.txt
new file mode 100644
index 0000000..06b728f
--- /dev/null
+++ b/board/qemu/armv7a-tz-virt/readme.txt
@@ -0,0 +1,11 @@
+Board qemu_armv7a_tz_virt builds a Qemu Armv7-A target with
+OP-TEE running in the TrustZone secure world setup and a Linux based
+OS running in the non-secure world.
+
+This setup is usually booted with the Arm Trsuted Firmware-A (TF-A from
+package boot/arm-trusted-firmware). However the current Buildroot package
+needs few changes to build TF-A for OP-TEE support.
+
+Until BR arm-trusted-firmware is updated this board allows one to only
+build the secure and non-secure boot images if not the BIOS for the Qemu
+host.
diff --git a/board/qemu/armv7a-tz-virt/u-boot.config b/board/qemu/armv7a-tz-virt/u-boot.config
new file mode 100644
index 0000000..5588008
--- /dev/null
+++ b/board/qemu/armv7a-tz-virt/u-boot.config
@@ -0,0 +1,3 @@
+CONFIG_SYS_TEXT_BASE=0x60000000
+CONFIG_BOOTCOMMAND="fdt addr ${fdt_addr} && fdt resize 1000 && smhload zImage ${kernel_addr_r} && smhload rootfs.cpio.gz ${ramdisk_addr_r} ramdisk_addr_end &&  setenv bootargs console=ttyAMA0,115200 earlyprintk=serial,ttyAMA0,115200 && fdt chosen ${ramdisk_addr_r} ${ramdisk_addr_end} && bootz ${kernel_addr_r} - ${fdt_addr}"
+CONFIG_SEMIHOSTING=y
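Review bot: No comment marks this fragment as emulation-only, although `CONFIG_SEMIHOSTING=y` and the `smhload` calls in CONFIG_BOOTCOMMAND make U-Boot fetch the kernel and ramdisk through the semihosting interface. That interface gives the guest access to files on the host side. I would add a first line such as `# Semihosting: QEMU only, zImage and rootfs.cpio.gz are read from the host` so the setting is not carried over to a hardware board configuration.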
diff --git a/configs/qemu_armv7a_tz_virt_defconfig b/configs/qemu_armv7a_tz_virt_defconfig
new file mode 100644
index 0000000..ab52480
--- /dev/null
+++ b/configs/qemu_armv7a_tz_virt_defconfig
@@ -0,0 +1,41 @@
+# Architecture
+BR2_arm=y
+BR2_cortex_a15=y
+BR2_ARM_ENABLE_NEON=y
+BR2_ARM_ENABLE_VFP=y
+BR2_ARM_FPU_VFPV3D16=y
+# System
+BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+# Filesystem
+BR2_TARGET_ROOTFS_CPIO=y
+BR2_TARGET_ROOTFS_CPIO_GZIP=y
+BR2_TARGET_ROOTFS_EXT2=y
+# Linux 4.16 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/armv7a-tz-virt/linux.config"
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
+BR2_LINUX_KERNEL_DTS_SUPPORT=y
+BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca15_a7"
+# TF-A for booting OP-TEE secure and uboot/linux non secure
+# POSTPONED: depends on boot/arm-trusted-firmware support for Armv7-A
+# OP-TEE components
+BR2_TARGET_OPTEE_OS=y
+BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
+BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES="CFG_TEE_CORE_DEBUG=n CFG_UNWIND=n CFG_TEE_CORE_LOG_LEVEL=2"
+BR2_PACKAGE_OPTEE_CLIENT=y
+BR2_PACKAGE_OPTEE_TEST=y
+BR2_PACKAGE_OPTEE_EXAMPLES=y
+BR2_PACKAGE_OPTEE_BENCHMARK=y
+# U-boot for booting the dear Linux kernel
+BR2_TARGET_UBOOT=y
+BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG=y
+BR2_TARGET_UBOOT_BOARD_DEFCONFIG="qemu_arm"
+BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="board/qemu/armv7a-tz-virt/u-boot.config"
+# Qemu emulator for the Arm target
+BR2_PACKAGE_HOST_QEMU=y
+BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
+BR2_PACKAGE_HOST_QEMU_VIRTFS=y
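Review bot: `BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"` pins the board to a kernel series that is not a longterm release, so images built from this defconfig miss later stable fixes. A longterm series would be a safer base, with `BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y` changed to match. `BR2_LINUX_KERNEL_DEFCONFIG="vexpress"` is set together with `BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y` and looks unused; if so it can be dropped.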
-- 
1.9.1


* [Buildroot] [PATCH v3 7/7] configs/qemu_aarch64_tz_virt: AArch64 emulation with TrustZone services
  2019-01-07 10:24   ` [Buildroot] [PATCH v3 1/7] " Etienne Carriere
                       ` (4 preceding siblings ...)
  2019-01-07 10:24     ` [Buildroot] [PATCH v3 6/7] configs/qemu_armv7a_tz_virt: Armv7-A emulation with TrustZone services Etienne Carriere
@ 2019-01-07 10:24     ` Etienne Carriere
  5 siblings, 0 replies; 31+ messages in thread
From: Etienne Carriere @ 2019-01-07 10:24 UTC (permalink / raw)
  To: buildroot

This change introduces a Qemu board for an AArch64 target executing
with OP-TEE secure world services.

The target Linux based normal world embeds the standard minimal
filesystem with OP-TEE non-secure components embedded files from
OP-TEE client, test, examples and benchmark packages.

The Linux custom configuration is dumped from the qemu/aarch64-virt board
with few added fragments: OP-TEE driver and 9p for virtual filesystem to
ease file manipulation and exchanges through Qemu virtfs support.

The standard way of booting OP-TEE with a non-secure world companion
uses the Arm Trusted Firmware-A as bootloader. OP-TEE OS provides the
BL32 image and U-boot the BL33 image. The proposed board enables OP-TEE
and U-boot build for this. However package boot/arm-trusted-firmware
needs a few changes to build OP-TEE compliant TF-A images.

Therefore the proposed board allows one to build the images but not
yet to run the target with the built Qemu host tool.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3
  - New change to introduce a board that at least builds Aarch64 OP-TEE.

---
 board/qemu/aarch64-tz-virt/linux.config  | 63 ++++++++++++++++++++++++++++++++
 board/qemu/aarch64-tz-virt/readme.txt    | 11 ++++++
 board/qemu/aarch64-tz-virt/u-boot.config |  3 ++
 configs/qemu_aarch64_tz_virt_defconfig   | 47 ++++++++++++++++++++++++
 4 files changed, 124 insertions(+)
 create mode 100644 board/qemu/aarch64-tz-virt/linux.config
 create mode 100644 board/qemu/aarch64-tz-virt/readme.txt
 create mode 100644 board/qemu/aarch64-tz-virt/u-boot.config
 create mode 100644 configs/qemu_aarch64_tz_virt_defconfig

diff --git a/board/qemu/aarch64-tz-virt/linux.config b/board/qemu/aarch64-tz-virt/linux.config
new file mode 100644
index 0000000..49b7ac6
--- /dev/null
+++ b/board/qemu/aarch64-tz-virt/linux.config
@@ -0,0 +1,63 @@
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_NO_HZ_IDLE=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_TASKSTATS=y
+CONFIG_SCHED_AUTOGROUP=y
+CONFIG_PROFILING=y
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_BLK_DEV_BSGLIB=y
+CONFIG_ARCH_VEXPRESS=y
+CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_BINFMT_MISC=y
+CONFIG_COMPAT=y
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=y
+CONFIG_UNIX=y
+CONFIG_NET_KEY=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_BRIDGE=m
+CONFIG_NET_SCHED=y
+CONFIG_VSOCKETS=y
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_SCSI_CONSTANTS=y
+CONFIG_SCSI_LOGGING=y
+CONFIG_SCSI_SCAN_ASYNC=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_ATA=y
+CONFIG_NETDEVICES=y
+CONFIG_DUMMY=y
+CONFIG_MACVLAN=y
+CONFIG_VIRTIO_NET=y
+CONFIG_NLMON=y
+CONFIG_VT_HW_CONSOLE_BINDING=y
+CONFIG_SERIAL_AMBA_PL011=y
+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_RTC_CLASS=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
+CONFIG_MAILBOX=y
+CONFIG_PL320_MBOX=y
+CONFIG_EXT4_FS=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+### Enable OP-TEE
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+### Enable 9P VFS
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+
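Review bot: The 9P fragment at the end of linux.config is labelled only `### Enable 9P VFS`, which does not tell someone reusing this config that it exists to share a host directory with the guest through Qemu virtfs. A label such as `### Enable 9P VFS: development-only file exchange with the Qemu host (virtfs)` would make it clear that the four `CONFIG_*9P*` lines should be dropped in any config derived from this one for real hardware. Since the description says the rest of the file is a copy of the qemu/aarch64-virt config, carrying only the OP-TEE and 9P lines as a fragment through `BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES` would keep the two boards from drifting apart. The hunk also ends with an empty added line, which leaves a blank line at the end of the new file.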
diff --git a/board/qemu/aarch64-tz-virt/readme.txt b/board/qemu/aarch64-tz-virt/readme.txt
new file mode 100644
index 0000000..ec91d2e
--- /dev/null
+++ b/board/qemu/aarch64-tz-virt/readme.txt
@@ -0,0 +1,11 @@
+Board qemu_aarch64_tz_virt builds a Qemu Armv8-A target with
+OP-TEE running in the TrustZone secure wolrd setup and a Linux based
+OS running in the non-secure wolrd.
+
+This setup is usually booted with the Arm Trsuted Firmware-A (TF-A from
+package boot/arm-trusted-firmware). However the current Buildroot package
+needs few changes to build TF-A for OP-TEE support.
+
+Until BR arm-trusted-firmware is updated this board allows one to only
+build the secure and non-secure boot images if not the BIOS for the Qemu
+host.
diff --git a/board/qemu/aarch64-tz-virt/u-boot.config b/board/qemu/aarch64-tz-virt/u-boot.config
new file mode 100644
index 0000000..5588008
--- /dev/null
+++ b/board/qemu/aarch64-tz-virt/u-boot.config
@@ -0,0 +1,3 @@
+CONFIG_SYS_TEXT_BASE=0x60000000
+CONFIG_BOOTCOMMAND="fdt addr ${fdt_addr} && fdt resize 1000 && smhload zImage ${kernel_addr_r} && smhload rootfs.cpio.gz ${ramdisk_addr_r} ramdisk_addr_end &&  setenv bootargs console=ttyAMA0,115200 earlyprintk=serial,ttyAMA0,115200 && fdt chosen ${ramdisk_addr_r} ${ramdisk_addr_end} && bootz ${kernel_addr_r} - ${fdt_addr}"
+CONFIG_SEMIHOSTING=y
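Review bot: `CONFIG_BOOTCOMMAND` loads `zImage` and starts it with `bootz`, which is the 32-bit Arm boot path. It looks carried over from the Armv7-A board of this series. On an AArch64 target the kernel is normally the uncompressed `Image` started with `booti`, so the command would presumably need `smhload Image ${kernel_addr_r}` and `booti ${kernel_addr_r} - ${fdt_addr}`; this should be confirmed against the image name the defconfig actually produces. The kernel and ramdisk are also fetched from the host over semihosting without any verification, which is fine for an emulated board but deserves a sentence in readme.txt so that the boot command is not copied to a platform where image authenticity matters.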
diff --git a/configs/qemu_aarch64_tz_virt_defconfig b/configs/qemu_aarch64_tz_virt_defconfig
new file mode 100644
index 0000000..9286d15
--- /dev/null
+++ b/configs/qemu_aarch64_tz_virt_defconfig
@@ -0,0 +1,47 @@
+# Architecture
+BR2_aarch64=y
+
+# System
+BR2_SYSTEM_DHCP="eth0"
+BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+
+# Filesystem
+BR2_TARGET_ROOTFS_CPIO=y
+BR2_TARGET_ROOTFS_CPIO_GZIP=y
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_4=y
+# BR2_TARGET_ROOTFS_TAR is not set
+
+# Linux headers same as kernel, a 4.16 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+
+# Kernel
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-tz-virt/linux.config"
+BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+
+# TF-A for booting OP-TEE secure and uboot/linux non secure
+# POSTPONED: depends on boot/arm-trusted-firmware support for Armv7-A
+
+# OP-TEE components
+BR2_TARGET_OPTEE_OS=y
+BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_armv8a"
+BR2_TARGET_OPTEE_OS_ADDITIONAL_VARIABLES="CFG_TEE_CORE_DEBUG=n CFG_UNWIND=n CFG_TEE_CORE_LOG_LEVEL=2"
+BR2_PACKAGE_OPTEE_CLIENT=y
+BR2_PACKAGE_OPTEE_TEST=y
+BR2_PACKAGE_OPTEE_EXAMPLES=y
+BR2_PACKAGE_OPTEE_BENCHMARK=y
+
+# Need a non-secure bootloader for the dear Linux kernel: U-boot? UEFI?
+BR2_TARGET_UBOOT=y
+BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG=y
+BR2_TARGET_UBOOT_BOARD_DEFCONFIG="qemu_arm64"
+BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="board/qemu/aarch64-tz-virt/u-boot.config"
+
+# Qemu emulator for the Arm target
+BR2_PACKAGE_HOST_QEMU=y
+BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
+BR2_PACKAGE_HOST_QEMU_VIRTFS=y
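Review bot: The comment `# POSTPONED: depends on boot/arm-trusted-firmware support for Armv7-A` in the TF-A section names the wrong architecture for this AArch64 board and appears to be copied from the Armv7-A defconfig. Going by the commit description, it should read something like `# POSTPONED: boot/arm-trusted-firmware needs changes to build TF-A with OP-TEE as BL32`. The bootloader comment `U-boot? UEFI?` is an open question rather than documentation; `# Non-secure bootloader (BL33): U-Boot` states what the lines below select. Separately, `BR2_TARGET_ROOTFS_EXT2` is enabled although the boot command in u-boot.config loads only `rootfs.cpio.gz`, so either the ext2 image is unused or the comment should say what it is for.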
-- 
1.9.1
