* [PATCH 2/2] add optee-ftpm
       [not found] <20211103131144.4005-1-maxim.uvarov@linaro.org>
@ 2021-11-03 13:11 ` Maxim Uvarov
  2021-11-03 17:23   ` [meta-arm] " Denys Dmytriyenko
       [not found] ` <20211103154101.GA31775@kudzu.us>
  1 sibling, 1 reply; 7+ messages in thread
From: Maxim Uvarov @ 2021-11-03 13:11 UTC (permalink / raw)
  To: meta-arm; +Cc: jon.mason, ross.burton, Maxim Uvarov

Add software TPM emulated in the OPTEE-OS.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
---
 .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 13 +++
 .../0002-add-enum-to-ta-flags.patch           | 26 ++++++
 .../otee-ftpm/optee-ftpm_git.bb               | 82 +++++++++++++++++++
 .../otee-ftpm/optee-os_%.bbappend             |  7 ++
 4 files changed, 128 insertions(+)
 create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
 create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
 create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
 create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend

diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
new file mode 100644
index 0000000..3e61d2d
--- /dev/null
+++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
@@ -0,0 +1,13 @@
+diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
+index 7b3a953aebda..e156ae5c7909 100755
+--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
+@@ -181,7 +181,7 @@
+     /* GCC 7 has new switch() fall-through detection */
+     #if defined(__GNUC__)
+         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
+-            #define FALL_THROUGH __attribute__ ((fallthrough));
++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
+         #endif
+     #endif
+     #ifndef FALL_THROUGH
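Review bot: The `diff --git` header of the new patch names `a/wolfssl/wolfcrypt/types.h` while the `---`/`+++` lines under it name `a/external/wolfssl/wolfssl/wolfcrypt/types.h`, so the two headers disagree about which file is being patched. GNU patch (what quilt, OE's default PATCHTOOL, drives) goes by the `---`/`+++` names and will probably apply it, but `git apply` rejects a git-style diff whose filenames are inconsistent, so the header should read `diff --git a/external/wolfssl/wolfssl/wolfcrypt/types.h b/external/wolfssl/wolfssl/wolfcrypt/types.h`. The `index 7b3a953aebda..e156ae5c7909 100755` line carries blob ids and a mode from some other checkout and serves no purpose once the header is corrected; it can be dropped.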
diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
new file mode 100644
index 0000000..0d285d7
--- /dev/null
+++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
@@ -0,0 +1,26 @@
+From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH 2/2] add enum to ta flags
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
+index 6ff62d1..685b54a 100644
+--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+ 
+ #define TA_UUID                     TA_FTPM_UUID
+ 
+-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE               (64 * 1024)
+ #define TA_DATA_SIZE                (64 * 1024)
+ 
+-- 
+2.17.1
+
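Review bot: The patch body gives no reason for the flag it adds on the `TA_FLAGS` line; the subject `add enum to ta flags` only restates the diff. As I read it, `TA_FLAG_DEVICE_ENUM_SUPP` is what lets the OP-TEE side enumerate the fTPM TA at boot so the kernel's TPM driver can bind to it, which is the whole point of the early-TA setup in the accompanying bbappend — but that is an inference, and the patch should state it. A one-paragraph body saying what the flag enables and what fails without it would let a later maintainer judge whether the change is still needed when the MSRSec revision is bumped, or whether it has been taken upstream.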
diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
new file mode 100644
index 0000000..1eb11b0
--- /dev/null
+++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
@@ -0,0 +1,82 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "OPTEE fTPM"
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+inherit autotools-brokensep deploy pkgconfig gettext python3native
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
+
+SYSROOT_DIRS += "${RECIPE_SYSROOT}/../optee-ftpm/usr/"
+
+DEPENDS = "optee-client openssl"
+DEPENDS += " openssl-native autoconf-archive-native"
+DEPENDS += " python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
+DEPENDS += " libgcc"
+DEPENDS += " optee-os-tadevkit"
+
+# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
+# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
+# The TEE supplicant is also needed to provide access to secure storage.
+# Secure storage access required by OP-TEE fTPM TA
+# is provided via OP-TEE supplicant that's not available during boot.
+# Fix this once we replace this with the MS implementation
+SRC_URI = "git://github.com/microsoft/MSRSec"
+SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
+SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
+SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+    CFG_FTPM_USE_WOLF=y \
+    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+    TA_CROSS_COMPILE=${TARGET_PREFIX} \
+    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
+'
+
+EXTRA_OEMAKE_append_aarch64 = "\
+    CFG_ARM64_ta_arm64=y \
+"
+
+B = "${S}"
+
+do_unpack_append() {
+    bb.build.exec_func('source_fixup_patch', d)
+}
+
+source_fixup_patch() {
+    cd ${S}
+    git submodule update --init
+    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
+}
+
+do_compile() {
+    # there's also a secure variable storage TA called authvars
+    cd ${S}/TAs/optee_ta
+    # fails with j > 1
+    oe_runmake -j1 ftpm
+}
+
+do_install () {
+    mkdir -p ${D}/lib/optee_armtz
+    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
+}
+
+do_deploy () {
+	install -d ${DEPLOYDIR}/optee
+    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES_${PN} += "/lib/optee_armtz/${FTPM_UUID}.ta"
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP_${PN} += "ldflags"
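Review bot: `SRC_URI = "git://github.com/microsoft/MSRSec"` fetches over the unauthenticated git:// transport and names no branch, so the only integrity anchor for the fetched tree is the SRCREV SHA-1 and the fetcher cannot check that the pinned revision is on a published branch; write it as `SRC_URI = "git://github.com/microsoft/MSRSec;protocol=https;branch=master"` (bitbake warns on a missing `branch=`, and GitHub no longer serves the git:// protocol at all). The `-I${WORKDIR}/optee-os` in the EXTRA_OEMAKE CFLAGS points into this recipe's own WORKDIR, where nothing in the recipe unpacks an optee-os tree; it looks like a leftover from a local setup and should be dropped, since the TA headers are already supplied through `TA_DEV_KIT_DIR`. The `git submodule update --init` run from do_unpack also fetches the wolfssl sources outside the bitbake fetcher, so they are not covered by `BB_NO_NETWORK`, mirrors or the download cache, and only the superproject gitlink pins what ends up in the TA.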
diff --git a/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
new file mode 100644
index 0000000..c102de4
--- /dev/null
+++ b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
@@ -0,0 +1,7 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+DEPENDS += "optee-ftpm"
+inherit deploy
+
+FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
+EXTRA_OEMAKE_append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
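Review bot: `EXTRA_OEMAKE_append='CFG_EARLY_TA=y ...'` has no leading space, and `_append` is a literal concatenation, so `CFG_EARLY_TA=y` is glued onto whatever token ends optee-os's existing EXTRA_OEMAKE (a constructed example: `...=yCFG_EARLY_TA=y`); write it as `EXTRA_OEMAKE_append = ' CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'`. The `EARLY_TA_PATHS` file is produced by optee-ftpm's do_deploy, but `DEPENDS += "optee-ftpm"` only orders this recipe after `optee-ftpm:do_populate_sysroot`, not after its do_deploy, so optee-os can compile against a missing or stale `.stripped.elf` left in the shared `DEPLOY_DIR_IMAGE` by an earlier build; add `do_compile[depends] += "optee-ftpm:do_deploy"`. Since an early TA is linked into the OP-TEE core image itself, which TA binary gets embedded is a trust decision for the whole TEE and should be tied to this build's artefact, not to the current contents of the deploy directory.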
-- 
2.17.1




* Re: [meta-arm] [PATCH 2/2] add optee-ftpm
  2021-11-03 13:11 ` [PATCH 2/2] add optee-ftpm Maxim Uvarov
@ 2021-11-03 17:23   ` Denys Dmytriyenko
  2021-11-11 11:42     ` Maxim Uvarov
  0 siblings, 1 reply; 7+ messages in thread
From: Denys Dmytriyenko @ 2021-11-03 17:23 UTC (permalink / raw)
  To: Maxim Uvarov; +Cc: meta-arm, jon.mason, ross.burton

On Wed, Nov 03, 2021 at 04:11:44PM +0300, Maxim Uvarov wrote:
> Add software TPM emulated in the OPTEE-OS.
> 
> Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> ---
>  .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 13 +++
>  .../0002-add-enum-to-ta-flags.patch           | 26 ++++++
>  .../otee-ftpm/optee-ftpm_git.bb               | 82 +++++++++++++++++++
>  .../otee-ftpm/optee-os_%.bbappend             |  7 ++
>  4 files changed, 128 insertions(+)
>  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
>  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
>  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
>  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> 
> diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> new file mode 100644
> index 0000000..3e61d2d
> --- /dev/null
> +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch

Patch w/o a header?


> @@ -0,0 +1,13 @@
> +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
> +index 7b3a953aebda..e156ae5c7909 100755
> +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
> ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
> +@@ -181,7 +181,7 @@
> +     /* GCC 7 has new switch() fall-through detection */
> +     #if defined(__GNUC__)
> +         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
> +-            #define FALL_THROUGH __attribute__ ((fallthrough));
> ++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
> +         #endif
> +     #endif
> +     #ifndef FALL_THROUGH
> diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> new file mode 100644
> index 0000000..0d285d7
> --- /dev/null
> +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> @@ -0,0 +1,26 @@
> +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
> +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> +Date: Fri, 17 Apr 2020 12:05:53 +0100
> +Subject: [PATCH 2/2] add enum to ta flags
> +
> +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>

Upstream-Status?


> +---
> + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> +index 6ff62d1..685b54a 100644
> +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
> ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> +@@ -44,7 +44,7 @@
> + 
> + #define TA_UUID                     TA_FTPM_UUID
> + 
> +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
> ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> + #define TA_STACK_SIZE               (64 * 1024)
> + #define TA_DATA_SIZE                (64 * 1024)
> + 
> +-- 
> +2.17.1
> +
> diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> new file mode 100644
> index 0000000..1eb11b0
> --- /dev/null
> +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> @@ -0,0 +1,82 @@
> +SUMMARY = "OPTEE fTPM Microsoft TA"
> +DESCRIPTION = "OPTEE fTPM"

The other way around - short summary and long description (if needed)


> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> +
> +inherit autotools-brokensep deploy pkgconfig gettext python3native
> +
> +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
> +SYSROOT_DIRS += "${RECIPE_SYSROOT}/../optee-ftpm/usr/"

Why is this?


> +DEPENDS = "optee-client openssl"
> +DEPENDS += " openssl-native autoconf-archive-native"
> +DEPENDS += " python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
> +DEPENDS += " libgcc"
> +DEPENDS += " optee-os-tadevkit"

Seems excessive...


> +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
> +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
> +# The TEE supplicant is also needed to provide access to secure storage.
> +# Secure storage access required by OP-TEE fTPM TA
> +# is provided via OP-TEE supplicant that's not available during boot.
> +# Fix this once we replace this with the MS implementation
> +SRC_URI = "git://github.com/microsoft/MSRSec"
> +SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
> +SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
> +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
> +
> +S = "${WORKDIR}/git"
> +
> +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
> +
> +EXTRA_OEMAKE += '\
> +    CFG_FTPM_USE_WOLF=y \
> +    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> +    TA_CROSS_COMPILE=${TARGET_PREFIX} \
> +    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
> +'
> +
> +EXTRA_OEMAKE_append_aarch64 = "\

Old override syntax


> +    CFG_ARM64_ta_arm64=y \
> +"
> +
> +B = "${S}"
> +
> +do_unpack_append() {
> +    bb.build.exec_func('source_fixup_patch', d)
> +}
> +
> +source_fixup_patch() {
> +    cd ${S}
> +    git submodule update --init

There's a special bitbake fetcher for git submodules - this way is hacky and 
will mess up sstate etc.


> +    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk

Patching in do_unpack()?


> +}
> +
> +do_compile() {
> +    # there's also a secure variable storage TA called authvars
> +    cd ${S}/TAs/optee_ta
> +    # fails with j > 1
> +    oe_runmake -j1 ftpm

This is done with:
PARALLEL_MAKE = ""


> +}
> +
> +do_install () {
> +    mkdir -p ${D}/lib/optee_armtz
> +    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/

Use ${nonarch_base_libdir} instead of /lib
And should permissions be 644 instead of 444?


> +}
> +
> +do_deploy () {
> +	install -d ${DEPLOYDIR}/optee
> +    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/

Permissions


> +}
> +
> +addtask deploy before do_build after do_install
> +
> +FILES_${PN} += "/lib/optee_armtz/${FTPM_UUID}.ta"

${nonarch_base_libdir}


> +
> +# Imports machine specific configs from staging to build
> +PACKAGE_ARCH = "${MACHINE_ARCH}"
> +INSANE_SKIP_${PN} += "ldflags"
> diff --git a/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend

bbappend for optee-os, but in a separate dir?


> new file mode 100644
> index 0000000..c102de4
> --- /dev/null
> +++ b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> @@ -0,0 +1,7 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

Old override syntax


> +
> +DEPENDS += "optee-ftpm"
> +inherit deploy

Redundant


> +
> +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"

Is it hardcoded? Where does it come from? Maybe a comment is needed?


> +EXTRA_OEMAKE_append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'

Also old override syntax

-- 
Regards,
Denys Dmytriyenko <denis@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964



* Re: [meta-arm] [PATCH 1/2] optee: updae optee-os.inc to support external TAs
       [not found] ` <20211103154101.GA31775@kudzu.us>
@ 2021-11-08 12:52   ` Maxim Uvarov
  2021-11-09  2:48     ` Jon Mason
  0 siblings, 1 reply; 7+ messages in thread
From: Maxim Uvarov @ 2021-11-08 12:52 UTC (permalink / raw)
  To: Jon Mason; +Cc: meta-arm, Jon.Mason, Ross.Burton

On Wed, 3 Nov 2021 at 18:41, Jon Mason <jdmason@kudzu.us> wrote:
>
> This patch doesn't appear to apply to my tree.
>

Thanks for your review.  I will try to address the comments in v2. Do you
have a manifest for meta-arm somewhere? Then I can test it locally in an
environment close to your CI rather than combining layers together by myself.

Maxim.

> Applying: optee: updae optee-os.inc to support external TAs
> error: patch failed: meta-arm/recipes-security/optee/optee-os.inc:44
> error: meta-arm/recipes-security/optee/optee-os.inc: patch does not apply
> Patch failed at 0001 optee: updae optee-os.inc to support external TAs
>
>
> Other comments below
>
>
> On Wed, Nov 03, 2021 at 04:11:43PM +0300, Maxim Uvarov wrote:
> > Separate recipe for TA devkit is needed to solve
> > circular dependency to  build TAs withthe devkit
>
> Nit, space between "with" and "the" needed and extra space before
> "build"
>
> > and integrate it inside optee-os.
> >
> > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > ---
> >  .../optee/optee-os-tadevkit_3.11.0.bb          | 18 ++++++++++++++++++
> >  meta-arm/recipes-security/optee/optee-os.inc   |  6 ------
> >  2 files changed, 18 insertions(+), 6 deletions(-)
> >  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> >
> > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > new file mode 100644
> > index 0000000..d20cee9
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > @@ -0,0 +1,18 @@
> > +FILESEXTRAPATHS_prepend := "${THISDIR}/optee-os:"
>
> This is the old syntax, which is probably one of the reasons why it
> doesn't apply on the latest.
>
> > +require optee-os_3.11.0.bb
> > +
> > +SUMMARY = "OP-TEE Trusted OS TA devkit"
> > +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> > +HOMEPAGE = "https://www.op-tee.org/"
> > +
> > +do_install() {
> > +    #install TA devkit
> > +    install -d ${D}${includedir}/optee/export-user_ta/
> > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > +    done
> > +}
> > +
> > +do_deploy() {
> > +     echo "Nothing"
>
> I don't think you need this
>
> > +}
> > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> > index ea6c496..482d0e0 100644
> > --- a/meta-arm/recipes-security/optee/optee-os.inc
> > +++ b/meta-arm/recipes-security/optee/optee-os.inc
> > @@ -44,12 +44,6 @@ do_install() {
> >      #install core in firmware
> >      install -d ${D}${nonarch_base_libdir}/firmware/
> >      install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
> > -
> > -    #install TA devkit
> > -    install -d ${D}${includedir}/optee/export-user_ta/
> > -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > -    done
> >  }
> >
> >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> > --
> > 2.17.1
> >
>
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#2332): https://lists.yoctoproject.org/g/meta-arm/message/2332
> > Mute This Topic: https://lists.yoctoproject.org/mt/86790368/3616920
> > Group Owner: meta-arm+owner@lists.yoctoproject.org
> > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [jdmason@kudzu.us]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>



* Re: [meta-arm] [PATCH 1/2] optee: updae optee-os.inc to support external TAs
  2021-11-08 12:52   ` [meta-arm] [PATCH 1/2] optee: updae optee-os.inc to support external TAs Maxim Uvarov
@ 2021-11-09  2:48     ` Jon Mason
  2021-11-09 15:19       ` Maxim Uvarov
  0 siblings, 1 reply; 7+ messages in thread
From: Jon Mason @ 2021-11-09  2:48 UTC (permalink / raw)
  To: Maxim Uvarov; +Cc: meta-arm, jon.mason, ross.burton

On Mon, Nov 8, 2021 at 7:52 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote:
>
> On Wed, 3 Nov 2021 at 18:41, Jon Mason <jdmason@kudzu.us> wrote:
> >
> > This patch doesn't appear to apply to my tree.
> >
>
> Thanks for your review.  I will try to fix comments in v2. Do you
> manifest for the meta-arm somewhere? So I can test it locally in an
> environment close to your CI then combine layers together by myself.

We use Gitlab CI and KAS.  It works externally, as you can see from me
running it on my personal gitlab instance and docker container running
on my desktop.
https://gitlab.com/jonmason00/meta-arm/-/pipelines

It is probably overkill for you to set up something like this, but you
can use KAS fairly trivially and use our CI machine definitions.  For
OPTEE, I think you would want to build against the
qemuarm64-secureboot machine.  Something like:
$ pip install kas
$ kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

If you get stuck, message me on IRC and I'll do my best to help you.
Thanks,
Jon

>
> Maxim.
>
> > Applying: optee: updae optee-os.inc to support external TAs
> > error: patch failed: meta-arm/recipes-security/optee/optee-os.inc:44
> > error: meta-arm/recipes-security/optee/optee-os.inc: patch does not apply
> > Patch failed at 0001 optee: updae optee-os.inc to support external TAs
> >
> >
> > Other comments below
> >
> >
> > On Wed, Nov 03, 2021 at 04:11:43PM +0300, Maxim Uvarov wrote:
> > > Separate recipe for TA devkit is needed to solve
> > > circular dependency to  build TAs withthe devkit
> >
> > Nit, space between "with" and "the" needed and extra space before
> > "build"
> >
> > > and integrate it inside optee-os.
> > >
> > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > ---
> > >  .../optee/optee-os-tadevkit_3.11.0.bb          | 18 ++++++++++++++++++
> > >  meta-arm/recipes-security/optee/optee-os.inc   |  6 ------
> > >  2 files changed, 18 insertions(+), 6 deletions(-)
> > >  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > >
> > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > > new file mode 100644
> > > index 0000000..d20cee9
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > > @@ -0,0 +1,18 @@
> > > +FILESEXTRAPATHS_prepend := "${THISDIR}/optee-os:"
> >
> > This is the old syntax, which is probably one of the reasons why it
> > doesn't apply on the latest.
> >
> > > +require optee-os_3.11.0.bb
> > > +
> > > +SUMMARY = "OP-TEE Trusted OS TA devkit"
> > > +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> > > +HOMEPAGE = "https://www.op-tee.org/"
> > > +
> > > +do_install() {
> > > +    #install TA devkit
> > > +    install -d ${D}${includedir}/optee/export-user_ta/
> > > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > +    done
> > > +}
> > > +
> > > +do_deploy() {
> > > +     echo "Nothing"
> >
> > I don't think you need this
> >
> > > +}
> > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> > > index ea6c496..482d0e0 100644
> > > --- a/meta-arm/recipes-security/optee/optee-os.inc
> > > +++ b/meta-arm/recipes-security/optee/optee-os.inc
> > > @@ -44,12 +44,6 @@ do_install() {
> > >      #install core in firmware
> > >      install -d ${D}${nonarch_base_libdir}/firmware/
> > >      install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
> > > -
> > > -    #install TA devkit
> > > -    install -d ${D}${includedir}/optee/export-user_ta/
> > > -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > -    done
> > >  }
> > >
> > >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> > > --
> > > 2.17.1
> > >
> >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#2332): https://lists.yoctoproject.org/g/meta-arm/message/2332
> > > Mute This Topic: https://lists.yoctoproject.org/mt/86790368/3616920
> > > Group Owner: meta-arm+owner@lists.yoctoproject.org
> > > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [jdmason@kudzu.us]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >
> >



* Re: [meta-arm] [PATCH 1/2] optee: updae optee-os.inc to support external TAs
  2021-11-09  2:48     ` Jon Mason
@ 2021-11-09 15:19       ` Maxim Uvarov
  0 siblings, 0 replies; 7+ messages in thread
From: Maxim Uvarov @ 2021-11-09 15:19 UTC (permalink / raw)
  To: Jon Mason; +Cc: meta-arm, Jon.Mason, Ross.Burton

On Tue, 9 Nov 2021 at 05:48, Jon Mason <jdmason@kudzu.us> wrote:
>
> On Mon, Nov 8, 2021 at 7:52 AM Maxim Uvarov <maxim.uvarov@linaro.org> wrote:
> >
> > On Wed, 3 Nov 2021 at 18:41, Jon Mason <jdmason@kudzu.us> wrote:
> > >
> > > This patch doesn't appear to apply to my tree.
> > >
> >
> > Thanks for your review.  I will try to fix comments in v2. Do you
> > manifest for the meta-arm somewhere? So I can test it locally in an
> > environment close to your CI then combine layers together by myself.
>
> We use Gitlab CI and KAS.  It works externally, as you can see from me
> running it on my personal gitlab instance and docker container running
> on my desktop.
> https://gitlab.com/jonmason00/meta-arm/-/pipelines
>
> It is probably overkill for you to set up something like this, but you
> can use KAS fairly trivially and use our CI machine definitions.  For
> OPTEE, I think you would want to build against the
> qemuarm64-secureboot machine.  Something like:
> $ pip install kas
> $ kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
>
> If you get stuck, message me on IRC and I'll do my best to help you.
> Thanks,
> Jon
>

Never tried KAS, but the build started and I think everything is fine.

Maxim.


> >
> > Maxim.
> >
> > > Applying: optee: updae optee-os.inc to support external TAs
> > > error: patch failed: meta-arm/recipes-security/optee/optee-os.inc:44
> > > error: meta-arm/recipes-security/optee/optee-os.inc: patch does not apply
> > > Patch failed at 0001 optee: updae optee-os.inc to support external TAs
> > >
> > >
> > > Other comments below
> > >
> > >
> > > On Wed, Nov 03, 2021 at 04:11:43PM +0300, Maxim Uvarov wrote:
> > > > Separate recipe for TA devkit is needed to solve
> > > > circular dependency to  build TAs withthe devkit
> > >
> > > Nit, space between "with" and "the" needed and extra space before
> > > "build"
> > >
> > > > and integrate it inside optee-os.
> > > >
> > > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > > ---
> > > >  .../optee/optee-os-tadevkit_3.11.0.bb          | 18 ++++++++++++++++++
> > > >  meta-arm/recipes-security/optee/optee-os.inc   |  6 ------
> > > >  2 files changed, 18 insertions(+), 6 deletions(-)
> > > >  create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > > >
> > > > diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > > > new file mode 100644
> > > > index 0000000..d20cee9
> > > > --- /dev/null
> > > > +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.11.0.bb
> > > > @@ -0,0 +1,18 @@
> > > > +FILESEXTRAPATHS_prepend := "${THISDIR}/optee-os:"
> > >
> > > This is the old syntax, which is probably one of the reasons why it
> > > doesn't apply on the latest.
> > >
> > > > +require optee-os_3.11.0.bb
> > > > +
> > > > +SUMMARY = "OP-TEE Trusted OS TA devkit"
> > > > +DESCRIPTION = "OP-TEE TA devkit for build TAs"
> > > > +HOMEPAGE = "https://www.op-tee.org/"
> > > > +
> > > > +do_install() {
> > > > +    #install TA devkit
> > > > +    install -d ${D}${includedir}/optee/export-user_ta/
> > > > +    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > > +        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > > +    done
> > > > +}
> > > > +
> > > > +do_deploy() {
> > > > +     echo "Nothing"
> > >
> > > I don't think you need this
> > >
> > > > +}
> > > > diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc
> > > > index ea6c496..482d0e0 100644
> > > > --- a/meta-arm/recipes-security/optee/optee-os.inc
> > > > +++ b/meta-arm/recipes-security/optee/optee-os.inc
> > > > @@ -44,12 +44,6 @@ do_install() {
> > > >      #install core in firmware
> > > >      install -d ${D}${nonarch_base_libdir}/firmware/
> > > >      install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
> > > > -
> > > > -    #install TA devkit
> > > > -    install -d ${D}${includedir}/optee/export-user_ta/
> > > > -    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
> > > > -        cp -aR $f ${D}${includedir}/optee/export-user_ta/
> > > > -    done
> > > >  }
> > > >
> > > >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> > > > --
> > > > 2.17.1
> > > >
> > >
> > > >
> > > > -=-=-=-=-=-=-=-=-=-=-=-
> > > > Links: You receive all messages sent to this group.
> > > > View/Reply Online (#2332): https://lists.yoctoproject.org/g/meta-arm/message/2332
> > > > Mute This Topic: https://lists.yoctoproject.org/mt/86790368/3616920
> > > > Group Owner: meta-arm+owner@lists.yoctoproject.org
> > > > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [jdmason@kudzu.us]
> > > > -=-=-=-=-=-=-=-=-=-=-=-
> > > >
> > >



* Re: [meta-arm] [PATCH 2/2] add optee-ftpm
  2021-11-03 17:23   ` [meta-arm] " Denys Dmytriyenko
@ 2021-11-11 11:42     ` Maxim Uvarov
  2021-11-11 18:32       ` Denys Dmytriyenko
  0 siblings, 1 reply; 7+ messages in thread
From: Maxim Uvarov @ 2021-11-11 11:42 UTC (permalink / raw)
  To: Denys Dmytriyenko; +Cc: meta-arm, Jon.Mason, Ross.Burton

Thanks Denys,

I installed KAS and updated the patch to the current master. I also
have a few comments below.

On Wed, 3 Nov 2021 at 20:23, Denys Dmytriyenko <denis@denix.org> wrote:
>
> On Wed, Nov 03, 2021 at 04:11:44PM +0300, Maxim Uvarov wrote:
> > Add software TPM emulated in the OPTEE-OS.
> >
> > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > ---
> >  .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 13 +++
> >  .../0002-add-enum-to-ta-flags.patch           | 26 ++++++
> >  .../otee-ftpm/optee-ftpm_git.bb               | 82 +++++++++++++++++++
> >  .../otee-ftpm/optee-os_%.bbappend             |  7 ++
> >  4 files changed, 128 insertions(+)
> >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> >
> > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > new file mode 100644
> > index 0000000..3e61d2d
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
>
> Patch w/o a header?
>
>
> > @@ -0,0 +1,13 @@
> > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
> > +index 7b3a953aebda..e156ae5c7909 100755
> > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
> > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
> > +@@ -181,7 +181,7 @@
> > +     /* GCC 7 has new switch() fall-through detection */
> > +     #if defined(__GNUC__)
> > +         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
> > +-            #define FALL_THROUGH __attribute__ ((fallthrough));
> > ++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
> > +         #endif
> > +     #endif
> > +     #ifndef FALL_THROUGH
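Review bot: The embedded patch's `diff --git a/wolfssl/wolfcrypt/types.h` line names a different path than its `--- a/external/wolfssl/wolfssl/wolfcrypt/types.h` / `+++` lines, so which file it targets depends on the applier: patch(1) takes the names from the `---`/`+++` lines, and I am not certain git apply tolerates the disagreement. Regenerating it with `git format-patch` from the MSRSec tree would make the two agree, and the description it then carries should say why `fallthrough` is respelled `__fallthrough__` (presumably a clash with another definition of that name in the TA build — worth stating so a maintainer can drop the patch once it is no longer needed). The same applies to the copy of this hunk quoted later in the thread.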
> > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > new file mode 100644
> > index 0000000..0d285d7
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > @@ -0,0 +1,26 @@
> > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
> > +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> > +Date: Fri, 17 Apr 2020 12:05:53 +0100
> > +Subject: [PATCH 2/2] add enum to ta flags
> > +
> > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
>
> Upstream-Status?
>
>
> > +---
> > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > +index 6ff62d1..685b54a 100644
> > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > +@@ -44,7 +44,7 @@
> > +
> > + #define TA_UUID                     TA_FTPM_UUID
> > +
> > +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
> > ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> > + #define TA_STACK_SIZE               (64 * 1024)
> > + #define TA_DATA_SIZE                (64 * 1024)
> > +
> > +--
> > +2.17.1
> > +
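Review bot: The patch body says only "add enum to ta flags" and does not explain what `TA_FLAG_DEVICE_ENUM_SUPP` buys: as far as I know it is the flag OP-TEE's device-enumeration PTA reports to the Linux optee driver so the TA is registered as a TEE client device that the kernel fTPM driver can bind to, which is the whole reason the recipe needs this change. A sentence to that effect in the patch description, e.g. `Set TA_FLAG_DEVICE_ENUM_SUPP so the OP-TEE Linux driver enumerates the fTPM TA and the kernel fTPM driver can bind to it`, lets a maintainer judge whether the flag is still required when the recipe moves to the ms-tpm-20-ref tree mentioned in the .bb comments. The same applies to the copy of this hunk quoted later in the thread.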
> > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> > new file mode 100644
> > index 0000000..1eb11b0
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> > @@ -0,0 +1,82 @@
> > +SUMMARY = "OPTEE fTPM Microsoft TA"
> > +DESCRIPTION = "OPTEE fTPM"
>
> The other way around - short summary and long description (if needed)
>
>
> > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> > +
> > +inherit autotools-brokensep deploy pkgconfig gettext python3native
> > +
> > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> > +LICENSE = "MIT"
> > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
> > +SYSROOT_DIRS += "${RECIPE_SYSROOT}/../optee-ftpm/usr/"
>
> Why is this?
>
>
> > +DEPENDS = "optee-client openssl"
> > +DEPENDS += " openssl-native autoconf-archive-native"
> > +DEPENDS += " python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
> > +DEPENDS += " libgcc"
> > +DEPENDS += " optee-os-tadevkit"
>
> Seems excessive...
>
>
> > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
> > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
> > +# The TEE supplicant is also needed to provide access to secure storage.
> > +# Secure storage access required by OP-TEE fTPM TA
> > +# is provided via OP-TEE supplicant that's not available during boot.
> > +# Fix this once we replace this with the MS implementation
> > +SRC_URI = "git://github.com/microsoft/MSRSec"
> > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
> > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
> > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
> > +
> > +S = "${WORKDIR}/git"
> > +
> > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
> > +
> > +EXTRA_OEMAKE += '\
> > +    CFG_FTPM_USE_WOLF=y \
> > +    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> > +    TA_CROSS_COMPILE=${TARGET_PREFIX} \
> > +    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
> > +'
> > +
> > +EXTRA_OEMAKE_append_aarch64 = "\
>
> Old override syntax
>
>
> > +    CFG_ARM64_ta_arm64=y \
> > +"
> > +
> > +B = "${S}"
> > +
> > +do_unpack_append() {
> > +    bb.build.exec_func('source_fixup_patch', d)
> > +}
> > +
> > +source_fixup_patch() {
> > +    cd ${S}
> > +    git submodule update --init
>
> There's a special bitbake fetcher for git submodules - this way is hacky and
> will mess up sstate etc.
>
>
> > +    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
>
> Patching in do_unpack()?
>
>
> > +}
> > +
> > +do_compile() {
> > +    # there's also a secure variable storage TA called authvars
> > +    cd ${S}/TAs/optee_ta
> > +    # fails with j > 1
> > +    oe_runmake -j1 ftpm
>
> This is done with:
> PARALLEL_MAKE = ""
>
>
> > +}
> > +
> > +do_install () {
> > +    mkdir -p ${D}/lib/optee_armtz
> > +    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
>
> Use ${nonarch_base_libdir} instead of /lib
> And should permissions be 644 instead of 444?
>
>
> > +}
> > +
> > +do_deploy () {
> > +     install -d ${DEPLOYDIR}/optee
> > +    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
>
> Permissions
>
>
> > +}
> > +
> > +addtask deploy before do_build after do_install
> > +
> > +FILES_${PN} += "/lib/optee_armtz/${FTPM_UUID}.ta"
>
> ${nonarch_base_libdir}
>
>
> > +
> > +# Imports machine specific configs from staging to build
> > +PACKAGE_ARCH = "${MACHINE_ARCH}"
> > +INSANE_SKIP_${PN} += "ldflags"
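Review bot: `SRC_URI = "git://github.com/microsoft/MSRSec"` fetches over the unauthenticated git:// transport and names no branch; SRCREV pins the commit, but the bitbake convention (and on recent releases a requirement) is `SRC_URI = "git://github.com/microsoft/MSRSec;protocol=https;branch=<branch containing SRCREV>"` so the transfer is authenticated and the branch the revision is expected on is recorded. The comment block above it ("we can only use it as a kernel module and not built in", "Fix this once we replace this with the MS implementation") contradicts the bbappend in this same series, which builds the TA into optee-os as an early TA, and should be rewritten to describe the arrangement actually used. `CFLAGS=... -I${WORKDIR}/optee-os` also points at a directory that nothing in this recipe populates as far as I can see; if those headers are needed, TA_DEV_KIT_DIR already provides the devkit export. The same applies to the copy of this hunk quoted later in the thread.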
> > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
>
> bbappend for optee-os, but in a separate dir?

Yes. It's under the optee-ftpm/ directory. This will also force optee-os to
compile in this TA. There might be other TAs which users would like to
compile in the same way.


>
>
> > new file mode 100644
> > index 0000000..c102de4
> > --- /dev/null
> > +++ b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> > @@ -0,0 +1,7 @@
> > +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
>
> Old override syntax
>
>
> > +
> > +DEPENDS += "optee-ftpm"
> > +inherit deploy
>
> Redundant

'inherit deploy' defines the ${DEPLOY_DIR_IMAGE} variable, which is used below.

>
>
> > +
> > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
>
> Is it hardcoded? Where does it come from? Maybe a comment is needed?


It's the TA (Trusted Application) which is built in the current folder,
optee-ftpm/. I think from the tree it should be clear that you build the
TA and ask optee-os to compile it in.
But if you would like some text added here, please let me know.

All other notes will be fixed in v2.

BR,
Maxim.

>
>
> > +EXTRA_OEMAKE_append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
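Review bot: `EXTRA_OEMAKE_append='CFG_EARLY_TA=y ...'` has no leading space, so the appended text is glued onto the last token of the inherited EXTRA_OEMAKE value; it needs `EXTRA_OEMAKE_append = ' CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'` (or the `:append` form). `DEPENDS += "optee-ftpm"` only orders optee-os after optee-ftpm's do_populate_sysroot, while the file named in EARLY_TA_PATHS is written by optee-ftpm's do_deploy, so it can be absent when optee-os compiles; `do_compile[depends] += "optee-ftpm:do_deploy"` closes that gap. Reading the TA out of ${DEPLOY_DIR_IMAGE} also means its contents are not part of optee-os's task hash, so a stale or rebuilt TA can be embedded in the TEE image without optee-os being rebuilt — staging the ELF in the sysroot and referencing it from there keeps the embedded TA under sstate tracking. The same applies to the copy of this hunk quoted later in the thread.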
>${DEPLOY_DIR_IMAGE}/
> Also old override syntax
>
> --
> Regards,
> Denys Dmytriyenko <denis@denix.org>
> PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
> Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964



* Re: [meta-arm] [PATCH 2/2] add optee-ftpm
  2021-11-11 11:42     ` Maxim Uvarov
@ 2021-11-11 18:32       ` Denys Dmytriyenko
  0 siblings, 0 replies; 7+ messages in thread
From: Denys Dmytriyenko @ 2021-11-11 18:32 UTC (permalink / raw)
  To: Maxim Uvarov; +Cc: meta-arm, Jon.Mason, Ross.Burton

On Thu, Nov 11, 2021 at 02:42:33PM +0300, Maxim Uvarov wrote:
> Thanks Denys,
> 
> I installed KAS and updated the patch to the current master. I also
> have a few comments below.
> 
> On Wed, 3 Nov 2021 at 20:23, Denys Dmytriyenko <denis@denix.org> wrote:
> >
> > On Wed, Nov 03, 2021 at 04:11:44PM +0300, Maxim Uvarov wrote:
> > > Add software TPM emulated in the OPTEE-OS.
> > >
> > > Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > ---
> > >  .../optee-ftpm/0000-fix-ssl-fallthrough.patch | 13 +++
> > >  .../0002-add-enum-to-ta-flags.patch           | 26 ++++++
> > >  .../otee-ftpm/optee-ftpm_git.bb               | 82 +++++++++++++++++++
> > >  .../otee-ftpm/optee-os_%.bbappend             |  7 ++
> > >  4 files changed, 128 insertions(+)
> > >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> > >  create mode 100644 meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> > >
> > > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> > > new file mode 100644
> > > index 0000000..3e61d2d
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0000-fix-ssl-fallthrough.patch
> >
> > Patch w/o a header?
> >
> >
> > > @@ -0,0 +1,13 @@
> > > +diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
> > > +index 7b3a953aebda..e156ae5c7909 100755
> > > +--- a/external/wolfssl/wolfssl/wolfcrypt/types.h
> > > ++++ b/external/wolfssl/wolfssl/wolfcrypt/types.h
> > > +@@ -181,7 +181,7 @@
> > > +     /* GCC 7 has new switch() fall-through detection */
> > > +     #if defined(__GNUC__)
> > > +         #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
> > > +-            #define FALL_THROUGH __attribute__ ((fallthrough));
> > > ++            #define FALL_THROUGH __attribute__ ((__fallthrough__));
> > > +         #endif
> > > +     #endif
> > > +     #ifndef FALL_THROUGH
> > > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > > new file mode 100644
> > > index 0000000..0d285d7
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm/0002-add-enum-to-ta-flags.patch
> > > @@ -0,0 +1,26 @@
> > > +From 2d00f16058529eb9f4d4d2bcaeed91fd53b43989 Mon Sep 17 00:00:00 2001
> > > +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> > > +Date: Fri, 17 Apr 2020 12:05:53 +0100
> > > +Subject: [PATCH 2/2] add enum to ta flags
> > > +
> > > +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> >
> > Upstream-Status?
> >
> >
> > > +---
> > > + TAs/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +diff --git a/TAs/optee_ta/fTPM/user_ta_header_defines.h b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > > +index 6ff62d1..685b54a 100644
> > > +--- a/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > > ++++ b/TAs/optee_ta/fTPM/user_ta_header_defines.h
> > > +@@ -44,7 +44,7 @@
> > > +
> > > + #define TA_UUID                     TA_FTPM_UUID
> > > +
> > > +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE )
> > > ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> > > + #define TA_STACK_SIZE               (64 * 1024)
> > > + #define TA_DATA_SIZE                (64 * 1024)
> > > +
> > > +--
> > > +2.17.1
> > > +
> > > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> > > new file mode 100644
> > > index 0000000..1eb11b0
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/otee-ftpm/optee-ftpm_git.bb
> > > @@ -0,0 +1,82 @@
> > > +SUMMARY = "OPTEE fTPM Microsoft TA"
> > > +DESCRIPTION = "OPTEE fTPM"
> >
> > The other way around - short summary and long description (if needed)
> >
> >
> > > +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> > > +
> > > +inherit autotools-brokensep deploy pkgconfig gettext python3native
> > > +
> > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> > > +LICENSE = "MIT"
> > > +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5"
> > > +SYSROOT_DIRS += "${RECIPE_SYSROOT}/../optee-ftpm/usr/"
> >
> > Why is this?
> >
> >
> > > +DEPENDS = "optee-client openssl"
> > > +DEPENDS += " openssl-native autoconf-archive-native"
> > > +DEPENDS += " python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native"
> > > +DEPENDS += " libgcc"
> > > +DEPENDS += " optee-os-tadevkit"
> >
> > Seems excessive...
> >
> >
> > > +# SRC_URI = "git://github.com/Microsoft/ms-tpm-20-ref;branch=master"
> > > +# Since this is not built as a pseudo TA, we can only use it as a kernel module and not built in.
> > > +# The TEE supplicant is also needed to provide access to secure storage.
> > > +# Secure storage access required by OP-TEE fTPM TA
> > > +# is provided via OP-TEE supplicant that's not available during boot.
> > > +# Fix this once we replace this with the MS implementation
> > > +SRC_URI = "git://github.com/microsoft/MSRSec"
> > > +SRC_URI += "file://0000-fix-ssl-fallthrough.patch"
> > > +SRC_URI += "file://0002-add-enum-to-ta-flags.patch"
> > > +SRCREV = "76f81b36efbb1a366b0d382bc0defe677f1f0534"
> > > +
> > > +S = "${WORKDIR}/git"
> > > +
> > > +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > > +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
> > > +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
> > > +
> > > +EXTRA_OEMAKE += '\
> > > +    CFG_FTPM_USE_WOLF=y \
> > > +    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> > > +    TA_CROSS_COMPILE=${TARGET_PREFIX} \
> > > +    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
> > > +'
> > > +
> > > +EXTRA_OEMAKE_append_aarch64 = "\
> >
> > Old override syntax
> >
> >
> > > +    CFG_ARM64_ta_arm64=y \
> > > +"
> > > +
> > > +B = "${S}"
> > > +
> > > +do_unpack_append() {
> > > +    bb.build.exec_func('source_fixup_patch', d)
> > > +}
> > > +
> > > +source_fixup_patch() {
> > > +    cd ${S}
> > > +    git submodule update --init
> >
> > There's a special bitbake fetcher for git submodules - this way is hacky and
> > will mess up sstate etc.
> >
> >
> > > +    sed -i 's/-mcpu=$(TA_CPU)//' TAs/optee_ta/fTPM/sub.mk
> >
> > Patching in do_unpack()?
> >
> >
> > > +}
> > > +
> > > +do_compile() {
> > > +    # there's also a secure variable storage TA called authvars
> > > +    cd ${S}/TAs/optee_ta
> > > +    # fails with j > 1
> > > +    oe_runmake -j1 ftpm
> >
> > This is done with:
> > PARALLEL_MAKE = ""
> >
> >
> > > +}
> > > +
> > > +do_install () {
> > > +    mkdir -p ${D}/lib/optee_armtz
> > > +    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/lib/optee_armtz/
> >
> > Use ${nonarch_base_libdir} instead of /lib
> > And should permissions be 644 instead of 444?
> >
> >
> > > +}
> > > +
> > > +do_deploy () {
> > > +     install -d ${DEPLOYDIR}/optee
> > > +    install -D -p -m0444 ${S}/TAs/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
> >
> > Permissions
> >
> >
> > > +}
> > > +
> > > +addtask deploy before do_build after do_install
> > > +
> > > +FILES_${PN} += "/lib/optee_armtz/${FTPM_UUID}.ta"
> >
> > ${nonarch_base_libdir}
> >
> >
> > > +
> > > +# Imports machine specific configs from staging to build
> > > +PACKAGE_ARCH = "${MACHINE_ARCH}"
> > > +INSANE_SKIP_${PN} += "ldflags"
> > > diff --git a/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> >
> > bbappend for optee-os, but in a separate dir?
> 
> Yes. It's under the optee-ftpm/ directory. This will also force optee-os to
> compile in this TA. There might be other TAs which users would like to
> compile in the same way.

bbappend is not optional and it doesn't allow picking and choosing different 
TAs. Moreover, using bbappend in the same layer could be confusing.


> > > new file mode 100644
> > > index 0000000..c102de4
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-security/otee-ftpm/optee-os_%.bbappend
> > > @@ -0,0 +1,7 @@
> > > +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> >
> > Old override syntax
> >
> >
> > > +
> > > +DEPENDS += "optee-ftpm"
> > > +inherit deploy
> >
> > Redundant
> 
> 'inherit deploy' defines the ${DEPLOY_DIR_IMAGE} variable, which is used below.

But why do it twice?


> > > +FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"
> >
> > Is it hardcoded? Where does it come from? Maybe a comment is needed?
> 
> 
> It's the TA (Trusted Application) which is built in the current folder,
> optee-ftpm/. I think from the tree it should be clear that you build the
> TA and ask optee-os to compile it in.
> But if you would like some text added here, please let me know.
> 
> All other notes will be fixed in v2.
> 
> BR,
> Maxim.
> 
> >
> >
> > > +EXTRA_OEMAKE_append='CFG_EARLY_TA=y EARLY_TA_PATHS="${DEPLOY_DIR_IMAGE}/optee/${FTPM_UUID}.stripped.elf"'
> >${DEPLOY_DIR_IMAGE}/
> > Also old override syntax

-- 
Regards,
Denys Dmytriyenko <denis@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964


