[isar-cip-core][PATCH v2 0/2] Add recipes for optee-cilent and optee based initramfs fTPM hook

[isar-cip-core][PATCH v2 0/2] Add recipes for optee-cilent and optee based initramfs fTPM hook

[baocheng_su]

From: Su Baocheng <baocheng.su@siemens.com>

This brings the optee-client, mainly the tee-supplicant, then the fTPM
initramfs hook based on the optee & RPMB backed fTPM.

Changes v2:
- Fix the typo
- Document the current status regarding the *tee.ko in the stock debian
  kernel.

Baocheng Su (2):
  Add recipe for optee-client
  initramfs: Add recipe for optee based ftpm hook

 recipes-bsp/optee-client/files/control.tmpl   | 51 +++++++++++++++++++
 recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
 .../optee-client/files/tee-supplicant.service |  9 ++++
 .../optee-client/optee-client_3.20.0.bb       | 47 +++++++++++++++++
 .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 38 ++++++++++++++
 .../files/ms-ftpm.script                      | 43 ++++++++++++++++
 .../initramfs-ms-ftpm-hook_0.1.bb             | 30 +++++++++++
 7 files changed, 238 insertions(+)
 create mode 100644 recipes-bsp/optee-client/files/control.tmpl
 create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
 create mode 100644 recipes-bsp/optee-client/files/tee-supplicant.service
 create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb

-- 
2.39.2

[isar-cip-core][PATCH v2 1/2] Add recipe for optee-client

[baocheng_su]

From: Baocheng Su <baocheng.su@siemens.com>

This brings the libteec1, optee-client-dev and most important,
tee-supplicant.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 recipes-bsp/optee-client/files/control.tmpl   | 51 +++++++++++++++++++
 recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
 .../optee-client/files/tee-supplicant.service |  9 ++++
 .../optee-client/optee-client_3.20.0.bb       | 47 +++++++++++++++++
 4 files changed, 127 insertions(+)
 create mode 100644 recipes-bsp/optee-client/files/control.tmpl
 create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
 create mode 100644 recipes-bsp/optee-client/files/tee-supplicant.service
 create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb

diff --git a/recipes-bsp/optee-client/files/control.tmpl b/recipes-bsp/optee-client/files/control.tmpl
new file mode 100644
index 0000000..b0c3756
--- /dev/null
+++ b/recipes-bsp/optee-client/files/control.tmpl
@@ -0,0 +1,51 @@
+Source: optee-client
+Priority: optional
+Maintainer: Unknown maintainer <unknown@example.com>
+Build-Depends: pkg-config, uuid-dev
+Standards-Version: 4.1.3
+Section: libs
+Homepage: https://github.com/OP-TEE/optee_client
+Rules-Requires-Root: no
+
+Package: optee-client-dev
+Section: libdevel
+Architecture: arm64
+Multi-Arch: same
+Depends: libteec1 (= ${binary:Version}),
+         ${misc:Depends}
+Description: normal world user space client APIs for OP-TEE (development)
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains the development files OpTEE Client API
+
+Package: libteec1
+Architecture: arm64
+Multi-Arch: same
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: normal world user space client APIs for OP-TEE
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains libteec library.
+
+Package: tee-supplicant
+Architecture: arm64
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: normal world user space client APIs for OP-TEE
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains tee-supplicant executable.
diff --git a/recipes-bsp/optee-client/files/rules.tmpl b/recipes-bsp/optee-client/files/rules.tmpl
new file mode 100755
index 0000000..a8f2afd
--- /dev/null
+++ b/recipes-bsp/optee-client/files/rules.tmpl
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+%:
+	dh $@ --exclude=.a
+
+override_dh_auto_build:
+	dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
+		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
+
+override_dh_auto_install:
+	dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
+		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
+
+override_dh_auto_clean:
+	dh_auto_clean
+	rm -rf $(CURDIR)/out
diff --git a/recipes-bsp/optee-client/files/tee-supplicant.service b/recipes-bsp/optee-client/files/tee-supplicant.service
new file mode 100644
index 0000000..7148515
--- /dev/null
+++ b/recipes-bsp/optee-client/files/tee-supplicant.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/tee-supplicant
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-bsp/optee-client/optee-client_3.20.0.bb b/recipes-bsp/optee-client/optee-client_3.20.0.bb
new file mode 100644
index 0000000..b760a2c
--- /dev/null
+++ b/recipes-bsp/optee-client/optee-client_3.20.0.bb
@@ -0,0 +1,47 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg
+
+DESCRIPTION = "OPTee Client"
+
+PROVIDES = "libteec1 optee-client-dev tee-supplicant"
+
+SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz \
+    file://control.tmpl \
+    file://rules.tmpl \
+    file://tee-supplicant.service"
+SRC_URI[sha256sum] = "69414c424b8dbed11ce1ae0d812817eda2ef4f42a1bef762e5ca3b6fed80764c"
+
+S = "${WORKDIR}/optee_client-${PV}"
+
+TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
+# To use the builtin RPMB emulation, empty this
+RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
+
+TEMPLATE_FILES = "rules.tmpl control.tmpl"
+TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+
+    cp -f ${WORKDIR}/tee-supplicant.service \
+        ${S}/debian/tee-supplicant.service
+    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
+    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
+    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs
+
+    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
+
+    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
+    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
+}
-- 
2.39.2

[isar-cip-core][PATCH v2 2/2] initramfs: Add recipe for optee based ftpm hook

[baocheng_su]

From: Baocheng Su <baocheng.su@siemens.com>

Prepare for initramfs applications relying on TPM, such as clevis or
systemd-cryptsetup

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 38 ++++++++++++++++
 .../files/ms-ftpm.script                      | 43 +++++++++++++++++++
 .../initramfs-ms-ftpm-hook_0.1.bb             | 30 +++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb

diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
new file mode 100644
index 0000000..6db4ef9
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+hook_error() {
+    echo "(ERROR): $2" >&2
+    exit 1
+}
+
+# Just in case these modules are not built-in. For stock debian arm64 kernel,
+# the tee.ko and the optee.ko exist since bookworm; the tpm_ftpm_tee.ko does not
+# exist in any stock debian kernels, it could be provided by customized kernel.
+manual_add_modules tee
+manual_add_modules optee
+manual_add_modules tpm_ftpm_tee
+
+copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
new file mode 100644
index 0000000..c6ee2dd
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+FTPM_DEV=/dev/tpmrm0
+
+. /scripts/functions
+
+/usr/sbin/tee-supplicant -d
+
+# The fTPM TA would take some time to be discovered as well as the tee-supplicant
+# 10 seconds should be enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+	wait_sec=$((wait_sec-1))
+	sleep 1
+done
+
+if ! test -c "${FTPM_DEV}"; then
+    panic "Can't discover the fTPM device ${FTPM_DEV}!"
+fi
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb
new file mode 100644
index 0000000..fece6ff
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://ms-ftpm.hook \
+    file://ms-ftpm.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+    install -m 0755 "${WORKDIR}/ms-ftpm.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/ms-ftpm"
+    install -m 0755 "${WORKDIR}/ms-ftpm.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms-ftpm"
+}
-- 
2.39.2

Re: [isar-cip-core][PATCH v2 1/2] Add recipe for optee-client

[Jan Kiszka]

On 06.06.23 05:55, baocheng_su@163.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
> 
> This brings the libteec1, optee-client-dev and most important,
> tee-supplicant.
> 
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
>  recipes-bsp/optee-client/files/control.tmpl   | 51 +++++++++++++++++++
>  recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
>  .../optee-client/files/tee-supplicant.service |  9 ++++
>  .../optee-client/optee-client_3.20.0.bb       | 47 +++++++++++++++++
>  4 files changed, 127 insertions(+)
>  create mode 100644 recipes-bsp/optee-client/files/control.tmpl
>  create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
>  create mode 100644 recipes-bsp/optee-client/files/tee-supplicant.service
>  create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb
> 
> diff --git a/recipes-bsp/optee-client/files/control.tmpl b/recipes-bsp/optee-client/files/control.tmpl
> new file mode 100644
> index 0000000..b0c3756
> --- /dev/null
> +++ b/recipes-bsp/optee-client/files/control.tmpl
> @@ -0,0 +1,51 @@
> +Source: optee-client
> +Priority: optional
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: pkg-config, uuid-dev
> +Standards-Version: 4.1.3
> +Section: libs
> +Homepage: https://github.com/OP-TEE/optee_client
> +Rules-Requires-Root: no
> +
> +Package: optee-client-dev
> +Section: libdevel
> +Architecture: arm64
> +Multi-Arch: same
> +Depends: libteec1 (= ${binary:Version}),
> +         ${misc:Depends}
> +Description: normal world user space client APIs for OP-TEE (development)
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains the development files OpTEE Client API
> +
> +Package: libteec1
> +Architecture: arm64
> +Multi-Arch: same
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains libteec library.
> +
> +Package: tee-supplicant
> +Architecture: arm64
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains tee-supplicant executable.
> diff --git a/recipes-bsp/optee-client/files/rules.tmpl b/recipes-bsp/optee-client/files/rules.tmpl
> new file mode 100755
> index 0000000..a8f2afd
> --- /dev/null
> +++ b/recipes-bsp/optee-client/files/rules.tmpl
> @@ -0,0 +1,20 @@
> +#!/usr/bin/make -f
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +%:
> +	dh $@ --exclude=.a
> +
> +override_dh_auto_build:
> +	dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> +		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
> +
> +override_dh_auto_install:
> +	dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> +		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
> +
> +override_dh_auto_clean:
> +	dh_auto_clean
> +	rm -rf $(CURDIR)/out
> diff --git a/recipes-bsp/optee-client/files/tee-supplicant.service b/recipes-bsp/optee-client/files/tee-supplicant.service
> new file mode 100644
> index 0000000..7148515
> --- /dev/null
> +++ b/recipes-bsp/optee-client/files/tee-supplicant.service
> @@ -0,0 +1,9 @@
> +[Unit]
> +Description=TEE Supplicant
> +
> +[Service]
> +Type=simple
> +ExecStart=/usr/sbin/tee-supplicant
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/recipes-bsp/optee-client/optee-client_3.20.0.bb b/recipes-bsp/optee-client/optee-client_3.20.0.bb
> new file mode 100644
> index 0000000..b760a2c
> --- /dev/null
> +++ b/recipes-bsp/optee-client/optee-client_3.20.0.bb
> @@ -0,0 +1,47 @@
> +#
> +# CIP Core, generic profile
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg
> +
> +DESCRIPTION = "OPTee Client"
> +
> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
> +
> +SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz \
> +    file://control.tmpl \
> +    file://rules.tmpl \
> +    file://tee-supplicant.service"
> +SRC_URI[sha256sum] = "69414c424b8dbed11ce1ae0d812817eda2ef4f42a1bef762e5ca3b6fed80764c"
> +
> +S = "${WORKDIR}/optee_client-${PV}"
> +
> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
> +# To use the builtin RPMB emulation, empty this
> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
> +
> +TEMPLATE_FILES = "rules.tmpl control.tmpl"
> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> +    deb_debianize
> +
> +    cp -f ${WORKDIR}/tee-supplicant.service \
> +        ${S}/debian/tee-supplicant.service
> +    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
> +    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
> +    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs
> +
> +    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
> +
> +    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
> +    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
> +}

Looks like optee-client is part of bookworm, but version 3.19.0 only.
Latest is 3.21.0. Please make sure we aren't colliding.

And did you use the official debianization? If not, please do.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [isar-cip-core][PATCH v2 1/2] Add recipe for optee-client

[Su, Bao Cheng]

On Tue, 2023-06-06 at 07:37 +0200, Jan Kiszka wrote:
> On 06.06.23 05:55, baocheng_su@163.com wrote:
> > From: Baocheng Su <baocheng.su@siemens.com>
> > 
> > This brings the libteec1, optee-client-dev and most important,
> > tee-supplicant.
> > 
> > Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> > ---
> >  recipes-bsp/optee-client/files/control.tmpl   | 51
> > +++++++++++++++++++
> >  recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
> >  .../optee-client/files/tee-supplicant.service |  9 ++++
> >  .../optee-client/optee-client_3.20.0.bb       | 47
> > +++++++++++++++++
> >  4 files changed, 127 insertions(+)
> >  create mode 100644 recipes-bsp/optee-client/files/control.tmpl
> >  create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
> >  create mode 100644 recipes-bsp/optee-client/files/tee-
> > supplicant.service
> >  create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb
> > 
> > diff --git a/recipes-bsp/optee-client/files/control.tmpl b/recipes-
> > bsp/optee-client/files/control.tmpl
> > new file mode 100644
> > index 0000000..b0c3756
> > --- /dev/null
> > +++ b/recipes-bsp/optee-client/files/control.tmpl
> > @@ -0,0 +1,51 @@
> > +Source: optee-client
> > +Priority: optional
> > +Maintainer: Unknown maintainer <unknown@example.com>
> > +Build-Depends: pkg-config, uuid-dev
> > +Standards-Version: 4.1.3
> > +Section: libs
> > +Homepage:
> > https://github.com/OP-TEE/optee_client
> > +Rules-Requires-Root: no
> > +
> > +Package: optee-client-dev
> > +Section: libdevel
> > +Architecture: arm64
> > +Multi-Arch: same
> > +Depends: libteec1 (= ${binary:Version}),
> > +         ${misc:Depends}
> > +Description: normal world user space client APIs for OP-TEE
> > (development)
> > + OP-TEE is a Trusted Execution Environment (TEE) designed as
> > companion to a
> > + non-secure Linux kernel running on Arm; Cortex-A cores using the
> > TrustZone
> > + technology. OP-TEE implements TEE Internal Core API v1.1.x which
> > is the API
> > + exposed to Trusted Applications and the TEE Client API v1.0,
> > which is the
> > + API describing how to communicate with a TEE. This package
> > provides the TEE
> > + Client API library.
> > + .
> > + This package contains the development files OpTEE Client API
> > +
> > +Package: libteec1
> > +Architecture: arm64
> > +Multi-Arch: same
> > +Depends: ${misc:Depends}, ${shlibs:Depends}
> > +Description: normal world user space client APIs for OP-TEE
> > + OP-TEE is a Trusted Execution Environment (TEE) designed as
> > companion to a
> > + non-secure Linux kernel running on Arm; Cortex-A cores using the
> > TrustZone
> > + technology. OP-TEE implements TEE Internal Core API v1.1.x which
> > is the API
> > + exposed to Trusted Applications and the TEE Client API v1.0,
> > which is the
> > + API describing how to communicate with a TEE. This package
> > provides the TEE
> > + Client API library.
> > + .
> > + This package contains libteec library.
> > +
> > +Package: tee-supplicant
> > +Architecture: arm64
> > +Depends: ${misc:Depends}, ${shlibs:Depends}
> > +Description: normal world user space client APIs for OP-TEE
> > + OP-TEE is a Trusted Execution Environment (TEE) designed as
> > companion to a
> > + non-secure Linux kernel running on Arm; Cortex-A cores using the
> > TrustZone
> > + technology. OP-TEE implements TEE Internal Core API v1.1.x which
> > is the API
> > + exposed to Trusted Applications and the TEE Client API v1.0,
> > which is the
> > + API describing how to communicate with a TEE. This package
> > provides the TEE
> > + Client API library.
> > + .
> > + This package contains tee-supplicant executable.
> > diff --git a/recipes-bsp/optee-client/files/rules.tmpl b/recipes-
> > bsp/optee-client/files/rules.tmpl
> > new file mode 100755
> > index 0000000..a8f2afd
> > --- /dev/null
> > +++ b/recipes-bsp/optee-client/files/rules.tmpl
> > @@ -0,0 +1,20 @@
> > +#!/usr/bin/make -f
> > +
> > +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> > +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> > +endif
> > +
> > +%:
> > +       dh $@ --exclude=.a
> > +
> > +override_dh_auto_build:
> > +       dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
> > ${RPMB_EMU_BUILD_OPT}
> > +
> > +override_dh_auto_install:
> > +       dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
> > ${RPMB_EMU_BUILD_OPT}
> > +
> > +override_dh_auto_clean:
> > +       dh_auto_clean
> > +       rm -rf $(CURDIR)/out
> > diff --git a/recipes-bsp/optee-client/files/tee-supplicant.service
> > b/recipes-bsp/optee-client/files/tee-supplicant.service
> > new file mode 100644
> > index 0000000..7148515
> > --- /dev/null
> > +++ b/recipes-bsp/optee-client/files/tee-supplicant.service
> > @@ -0,0 +1,9 @@
> > +[Unit]
> > +Description=TEE Supplicant
> > +
> > +[Service]
> > +Type=simple
> > +ExecStart=/usr/sbin/tee-supplicant
> > +
> > +[Install]
> > +WantedBy=multi-user.target
> > diff --git a/recipes-bsp/optee-client/optee-client_3.20.0.bb
> > b/recipes-bsp/optee-client/optee-client_3.20.0.bb
> > new file mode 100644
> > index 0000000..b760a2c
> > --- /dev/null
> > +++ b/recipes-bsp/optee-client/optee-client_3.20.0.bb
> > @@ -0,0 +1,47 @@
> > +#
> > +# CIP Core, generic profile
> > +#
> > +# Copyright (c) Siemens AG, 2023
> > +#
> > +# Authors:
> > +#  Su Bao Cheng <baocheng.su@siemens.com>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit dpkg
> > +
> > +DESCRIPTION = "OPTee Client"
> > +
> > +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
> > +
> > +SRC_URI +=
> > "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > github.com%2FOP-
> > TEE%2Foptee_client%2Farchive%2F%24&data=05%7C01%7Cbaocheng.su%40ad0
> > 11.siemens.com%7C4165545a244e4709dbe608db66500fee%7C38ae3bcd95794fd
> > 4addab42e1495d55a%7C1%7C0%7C638216266262554942%7CUnknown%7CTWFpbGZs
> > b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
> > %3D%7C3000%7C%7C%7C&sdata=wpVB2SbJ1kQ2znZPG62J9EvJd7C4Bk%2FQT1EsqAi
> > E%2FVY%3D&reserved=0{PV}.tar.gz;downloadfilename=optee_client-
> > ${PV}.tar.gz \
> > +    file://control.tmpl \
> > +    file://rules.tmpl \
> > +    file://tee-supplicant.service"
> > +SRC_URI[sha256sum] =
> > "69414c424b8dbed11ce1ae0d812817eda2ef4f42a1bef762e5ca3b6fed80764c"
> > +
> > +S = "${WORKDIR}/optee_client-${PV}"
> > +
> > +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
> > +# To use the builtin RPMB emulation, empty this
> > +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
> > +
> > +TEMPLATE_FILES = "rules.tmpl control.tmpl"
> > +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
> > +
> > +do_prepare_build[cleandirs] += "${S}/debian"
> > +do_prepare_build() {
> > +    deb_debianize
> > +
> > +    cp -f ${WORKDIR}/tee-supplicant.service \
> > +        ${S}/debian/tee-supplicant.service
> > +    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
> > +    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
> > +    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-
> > supplicant.dirs
> > +
> > +    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
> > +
> > +    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
> > +    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-
> > dev.install
> > +}
> 
> Looks like optee-client is part of bookworm, but version 3.19.0 only.
> Latest is 3.21.0. Please make sure we aren't colliding.
> 

That is a point, I will test it from my side.

> And did you use the official debianization? If not, please do.
> 

I borrowed something from the official debianization when I was writing
it.

Or should we use the `apt://${PN}` and add our modification on top?
That may bind us to the 3.19 version for a pretty long time.

> Jan
> 

Re: [isar-cip-core][PATCH v2 1/2] Add recipe for optee-client

[Jan Kiszka]

On 06.06.23 12:24, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> On Tue, 2023-06-06 at 07:37 +0200, Jan Kiszka wrote:
>> On 06.06.23 05:55, baocheng_su@163.com wrote:
>>> From: Baocheng Su <baocheng.su@siemens.com>
>>>
>>> This brings the libteec1, optee-client-dev and most important,
>>> tee-supplicant.
>>>
>>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>>> ---
>>>  recipes-bsp/optee-client/files/control.tmpl   | 51
>>> +++++++++++++++++++
>>>  recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
>>>  .../optee-client/files/tee-supplicant.service |  9 ++++
>>>  .../optee-client/optee-client_3.20.0.bb       | 47
>>> +++++++++++++++++
>>>  4 files changed, 127 insertions(+)
>>>  create mode 100644 recipes-bsp/optee-client/files/control.tmpl
>>>  create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
>>>  create mode 100644 recipes-bsp/optee-client/files/tee-
>>> supplicant.service
>>>  create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>
>>> diff --git a/recipes-bsp/optee-client/files/control.tmpl b/recipes-
>>> bsp/optee-client/files/control.tmpl
>>> new file mode 100644
>>> index 0000000..b0c3756
>>> --- /dev/null
>>> +++ b/recipes-bsp/optee-client/files/control.tmpl
>>> @@ -0,0 +1,51 @@
>>> +Source: optee-client
>>> +Priority: optional
>>> +Maintainer: Unknown maintainer <unknown@example.com>
>>> +Build-Depends: pkg-config, uuid-dev
>>> +Standards-Version: 4.1.3
>>> +Section: libs
>>> +Homepage:
>>> https://github.com/OP-TEE/optee_client
>>> +Rules-Requires-Root: no
>>> +
>>> +Package: optee-client-dev
>>> +Section: libdevel
>>> +Architecture: arm64
>>> +Multi-Arch: same
>>> +Depends: libteec1 (= ${binary:Version}),
>>> +         ${misc:Depends}
>>> +Description: normal world user space client APIs for OP-TEE
>>> (development)
>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>> companion to a
>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>> TrustZone
>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>> is the API
>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>> which is the
>>> + API describing how to communicate with a TEE. This package
>>> provides the TEE
>>> + Client API library.
>>> + .
>>> + This package contains the development files OpTEE Client API
>>> +
>>> +Package: libteec1
>>> +Architecture: arm64
>>> +Multi-Arch: same
>>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>>> +Description: normal world user space client APIs for OP-TEE
>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>> companion to a
>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>> TrustZone
>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>> is the API
>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>> which is the
>>> + API describing how to communicate with a TEE. This package
>>> provides the TEE
>>> + Client API library.
>>> + .
>>> + This package contains libteec library.
>>> +
>>> +Package: tee-supplicant
>>> +Architecture: arm64
>>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>>> +Description: normal world user space client APIs for OP-TEE
>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>> companion to a
>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>> TrustZone
>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>> is the API
>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>> which is the
>>> + API describing how to communicate with a TEE. This package
>>> provides the TEE
>>> + Client API library.
>>> + .
>>> + This package contains tee-supplicant executable.
>>> diff --git a/recipes-bsp/optee-client/files/rules.tmpl b/recipes-
>>> bsp/optee-client/files/rules.tmpl
>>> new file mode 100755
>>> index 0000000..a8f2afd
>>> --- /dev/null
>>> +++ b/recipes-bsp/optee-client/files/rules.tmpl
>>> @@ -0,0 +1,20 @@
>>> +#!/usr/bin/make -f
>>> +
>>> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
>>> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
>>> +endif
>>> +
>>> +%:
>>> +       dh $@ --exclude=.a
>>> +
>>> +override_dh_auto_build:
>>> +       dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>>> +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>>> ${RPMB_EMU_BUILD_OPT}
>>> +
>>> +override_dh_auto_install:
>>> +       dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>>> +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>>> ${RPMB_EMU_BUILD_OPT}
>>> +
>>> +override_dh_auto_clean:
>>> +       dh_auto_clean
>>> +       rm -rf $(CURDIR)/out
>>> diff --git a/recipes-bsp/optee-client/files/tee-supplicant.service
>>> b/recipes-bsp/optee-client/files/tee-supplicant.service
>>> new file mode 100644
>>> index 0000000..7148515
>>> --- /dev/null
>>> +++ b/recipes-bsp/optee-client/files/tee-supplicant.service
>>> @@ -0,0 +1,9 @@
>>> +[Unit]
>>> +Description=TEE Supplicant
>>> +
>>> +[Service]
>>> +Type=simple
>>> +ExecStart=/usr/sbin/tee-supplicant
>>> +
>>> +[Install]
>>> +WantedBy=multi-user.target
>>> diff --git a/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>> b/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>> new file mode 100644
>>> index 0000000..b760a2c
>>> --- /dev/null
>>> +++ b/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>> @@ -0,0 +1,47 @@
>>> +#
>>> +# CIP Core, generic profile
>>> +#
>>> +# Copyright (c) Siemens AG, 2023
>>> +#
>>> +# Authors:
>>> +#  Su Bao Cheng <baocheng.su@siemens.com>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +inherit dpkg
>>> +
>>> +DESCRIPTION = "OPTee Client"
>>> +
>>> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
>>> +
>>> +SRC_URI +=
>>> "https://
>>> github.com%2FOP-
>>> TEE%2Foptee_client%2Farchive%2F%24&data=05%7C01%7Cbaocheng.su%40ad0
>>> 11.siemens.com%7C4165545a244e4709dbe608db66500fee%7C38ae3bcd95794fd
>>> 4addab42e1495d55a%7C1%7C0%7C638216266262554942%7CUnknown%7CTWFpbGZs
>>> b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
>>> %3D%7C3000%7C%7C%7C&sdata=wpVB2SbJ1kQ2znZPG62J9EvJd7C4Bk%2FQT1EsqAi
>>> E%2FVY%3D&reserved=0{PV}.tar.gz;downloadfilename=optee_client-
>>> ${PV}.tar.gz \
>>> +    file://control.tmpl \
>>> +    file://rules.tmpl \
>>> +    file://tee-supplicant.service"
>>> +SRC_URI[sha256sum] =
>>> "69414c424b8dbed11ce1ae0d812817eda2ef4f42a1bef762e5ca3b6fed80764c"
>>> +
>>> +S = "${WORKDIR}/optee_client-${PV}"
>>> +
>>> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
>>> +# To use the builtin RPMB emulation, empty this
>>> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
>>> +
>>> +TEMPLATE_FILES = "rules.tmpl control.tmpl"
>>> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
>>> +
>>> +do_prepare_build[cleandirs] += "${S}/debian"
>>> +do_prepare_build() {
>>> +    deb_debianize
>>> +
>>> +    cp -f ${WORKDIR}/tee-supplicant.service \
>>> +        ${S}/debian/tee-supplicant.service
>>> +    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
>>> +    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
>>> +    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-
>>> supplicant.dirs
>>> +
>>> +    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
>>> +
>>> +    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
>>> +    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-
>>> dev.install
>>> +}
>>
>> Looks like optee-client is part of bookworm, but version 3.19.0 only.
>> Latest is 3.21.0. Please make sure we aren't colliding.
>>
> 
> That is a point, I will test it from my side.
> 
>> And did you use the official debianization? If not, please do.
>>
> 
> I borrowed something from the official debianization when I was writing
> it.
> 
> Or should we use the `apt://${PN}` and add our modification on top?
> That may bind us to the 3.19 version for a pretty long time.

Check is some salsa branch is holding what you need, maybe even already
3.21.0. Otherwise, it would be nice to contribute and pull again from
there, at least midterm.

And, as we just realized during your private discussion about [1], we
likely also need a separate initrd hook for tee-supplicant to ensure
that this service is running before systemd mounts efivarfs.

Jan

[1]
https://lore.kernel.org/lkml/4ff09002-e871-38b9-43ec-227a64bac731@siemens.com/T/#u

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [isar-cip-core][PATCH v2 1/2] Add recipe for optee-client

[Su Baocheng]

On 2023/6/6 18:29, Jan Kiszka wrote:
> On 06.06.23 12:24, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
>> On Tue, 2023-06-06 at 07:37 +0200, Jan Kiszka wrote:
>>> On 06.06.23 05:55, baocheng_su@163.com wrote:
>>>> From: Baocheng Su <baocheng.su@siemens.com>
>>>>
>>>> This brings the libteec1, optee-client-dev and most important,
>>>> tee-supplicant.
>>>>
>>>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>>>> ---
>>>>   recipes-bsp/optee-client/files/control.tmpl   | 51
>>>> +++++++++++++++++++
>>>>   recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
>>>>   .../optee-client/files/tee-supplicant.service |  9 ++++
>>>>   .../optee-client/optee-client_3.20.0.bb       | 47
>>>> +++++++++++++++++
>>>>   4 files changed, 127 insertions(+)
>>>>   create mode 100644 recipes-bsp/optee-client/files/control.tmpl
>>>>   create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
>>>>   create mode 100644 recipes-bsp/optee-client/files/tee-
>>>> supplicant.service
>>>>   create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>>
>>>> diff --git a/recipes-bsp/optee-client/files/control.tmpl b/recipes-
>>>> bsp/optee-client/files/control.tmpl
>>>> new file mode 100644
>>>> index 0000000..b0c3756
>>>> --- /dev/null
>>>> +++ b/recipes-bsp/optee-client/files/control.tmpl
>>>> @@ -0,0 +1,51 @@
>>>> +Source: optee-client
>>>> +Priority: optional
>>>> +Maintainer: Unknown maintainer <unknown@example.com>
>>>> +Build-Depends: pkg-config, uuid-dev
>>>> +Standards-Version: 4.1.3
>>>> +Section: libs
>>>> +Homepage:
>>>> https://github.com/OP-TEE/optee_client
>>>> +Rules-Requires-Root: no
>>>> +
>>>> +Package: optee-client-dev
>>>> +Section: libdevel
>>>> +Architecture: arm64
>>>> +Multi-Arch: same
>>>> +Depends: libteec1 (= ${binary:Version}),
>>>> +         ${misc:Depends}
>>>> +Description: normal world user space client APIs for OP-TEE
>>>> (development)
>>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>>> companion to a
>>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>>> TrustZone
>>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>>> is the API
>>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>>> which is the
>>>> + API describing how to communicate with a TEE. This package
>>>> provides the TEE
>>>> + Client API library.
>>>> + .
>>>> + This package contains the development files OpTEE Client API
>>>> +
>>>> +Package: libteec1
>>>> +Architecture: arm64
>>>> +Multi-Arch: same
>>>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>>>> +Description: normal world user space client APIs for OP-TEE
>>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>>> companion to a
>>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>>> TrustZone
>>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>>> is the API
>>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>>> which is the
>>>> + API describing how to communicate with a TEE. This package
>>>> provides the TEE
>>>> + Client API library.
>>>> + .
>>>> + This package contains libteec library.
>>>> +
>>>> +Package: tee-supplicant
>>>> +Architecture: arm64
>>>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>>>> +Description: normal world user space client APIs for OP-TEE
>>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>>> companion to a
>>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>>> TrustZone
>>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>>> is the API
>>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>>> which is the
>>>> + API describing how to communicate with a TEE. This package
>>>> provides the TEE
>>>> + Client API library.
>>>> + .
>>>> + This package contains tee-supplicant executable.
>>>> diff --git a/recipes-bsp/optee-client/files/rules.tmpl b/recipes-
>>>> bsp/optee-client/files/rules.tmpl
>>>> new file mode 100755
>>>> index 0000000..a8f2afd
>>>> --- /dev/null
>>>> +++ b/recipes-bsp/optee-client/files/rules.tmpl
>>>> @@ -0,0 +1,20 @@
>>>> +#!/usr/bin/make -f
>>>> +
>>>> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
>>>> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
>>>> +endif
>>>> +
>>>> +%:
>>>> +       dh $@ --exclude=.a
>>>> +
>>>> +override_dh_auto_build:
>>>> +       dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>>>> +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>>>> ${RPMB_EMU_BUILD_OPT}
>>>> +
>>>> +override_dh_auto_install:
>>>> +       dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>>>> +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>>>> ${RPMB_EMU_BUILD_OPT}
>>>> +
>>>> +override_dh_auto_clean:
>>>> +       dh_auto_clean
>>>> +       rm -rf $(CURDIR)/out
>>>> diff --git a/recipes-bsp/optee-client/files/tee-supplicant.service
>>>> b/recipes-bsp/optee-client/files/tee-supplicant.service
>>>> new file mode 100644
>>>> index 0000000..7148515
>>>> --- /dev/null
>>>> +++ b/recipes-bsp/optee-client/files/tee-supplicant.service
>>>> @@ -0,0 +1,9 @@
>>>> +[Unit]
>>>> +Description=TEE Supplicant
>>>> +
>>>> +[Service]
>>>> +Type=simple
>>>> +ExecStart=/usr/sbin/tee-supplicant
>>>> +
>>>> +[Install]
>>>> +WantedBy=multi-user.target
>>>> diff --git a/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>> b/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>> new file mode 100644
>>>> index 0000000..b760a2c
>>>> --- /dev/null
>>>> +++ b/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>> @@ -0,0 +1,47 @@
>>>> +#
>>>> +# CIP Core, generic profile
>>>> +#
>>>> +# Copyright (c) Siemens AG, 2023
>>>> +#
>>>> +# Authors:
>>>> +#  Su Bao Cheng <baocheng.su@siemens.com>
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +#
>>>> +
>>>> +inherit dpkg
>>>> +
>>>> +DESCRIPTION = "OPTee Client"
>>>> +
>>>> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
>>>> +
>>>> +SRC_URI +=
>>>> "https://
>>>> github.com%2FOP-
>>>> TEE%2Foptee_client%2Farchive%2F%24&data=05%7C01%7Cbaocheng.su%40ad0
>>>> 11.siemens.com%7C4165545a244e4709dbe608db66500fee%7C38ae3bcd95794fd
>>>> 4addab42e1495d55a%7C1%7C0%7C638216266262554942%7CUnknown%7CTWFpbGZs
>>>> b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
>>>> %3D%7C3000%7C%7C%7C&sdata=wpVB2SbJ1kQ2znZPG62J9EvJd7C4Bk%2FQT1EsqAi
>>>> E%2FVY%3D&reserved=0{PV}.tar.gz;downloadfilename=optee_client-
>>>> ${PV}.tar.gz \
>>>> +    file://control.tmpl \
>>>> +    file://rules.tmpl \
>>>> +    file://tee-supplicant.service"
>>>> +SRC_URI[sha256sum] =
>>>> "69414c424b8dbed11ce1ae0d812817eda2ef4f42a1bef762e5ca3b6fed80764c"
>>>> +
>>>> +S = "${WORKDIR}/optee_client-${PV}"
>>>> +
>>>> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
>>>> +# To use the builtin RPMB emulation, empty this
>>>> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
>>>> +
>>>> +TEMPLATE_FILES = "rules.tmpl control.tmpl"
>>>> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
>>>> +
>>>> +do_prepare_build[cleandirs] += "${S}/debian"
>>>> +do_prepare_build() {
>>>> +    deb_debianize
>>>> +
>>>> +    cp -f ${WORKDIR}/tee-supplicant.service \
>>>> +        ${S}/debian/tee-supplicant.service
>>>> +    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
>>>> +    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
>>>> +    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-
>>>> supplicant.dirs
>>>> +
>>>> +    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
>>>> +
>>>> +    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
>>>> +    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-
>>>> dev.install
>>>> +}
>>>
>>> Looks like optee-client is part of bookworm, but version 3.19.0 only.
>>> Latest is 3.21.0. Please make sure we aren't colliding.
>>>
>>
>> That is a point, I will test it from my side.
>>
>>> And did you use the official debianization? If not, please do.
>>>
>>
>> I borrowed something from the official debianization when I was writing
>> it.
>>
>> Or should we use the `apt://${PN}` and add our modification on top?
>> That may bind us to the 3.19 version for a pretty long time.
> 
> Check is some salsa branch is holding what you need, maybe even already
> 3.21.0. Otherwise, it would be nice to contribute and pull again from
> there, at least midterm.
> 

No salsa repo for this optee-client. The patch and the debian files are 
hosted on https://packages.debian.org/source/bookworm/optee-client 
directly. And the latest version is still 3.19 on it.

> And, as we just realized during your private discussion about [1], we
> likely also need a separate initrd hook for tee-supplicant to ensure
> that this service is running before systemd mounts efivarfs.
> 
> Jan
> 
> [1]
> https://lore.kernel.org/lkml/4ff09002-e871-38b9-43ec-227a64bac731@siemens.com/T/#u
> 

Re: [isar-cip-core][PATCH v2 1/2] Add recipe for optee-client

[Jan Kiszka]

On 07.06.23 04:30, Su Baocheng wrote:
> 
> 
> On 2023/6/6 18:29, Jan Kiszka wrote:
>> On 06.06.23 12:24, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
>>> On Tue, 2023-06-06 at 07:37 +0200, Jan Kiszka wrote:
>>>> On 06.06.23 05:55, baocheng_su@163.com wrote:
>>>>> From: Baocheng Su <baocheng.su@siemens.com>
>>>>>
>>>>> This brings the libteec1, optee-client-dev and most important,
>>>>> tee-supplicant.
>>>>>
>>>>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>>>>> ---
>>>>>   recipes-bsp/optee-client/files/control.tmpl   | 51
>>>>> +++++++++++++++++++
>>>>>   recipes-bsp/optee-client/files/rules.tmpl     | 20 ++++++++
>>>>>   .../optee-client/files/tee-supplicant.service |  9 ++++
>>>>>   .../optee-client/optee-client_3.20.0.bb       | 47
>>>>> +++++++++++++++++
>>>>>   4 files changed, 127 insertions(+)
>>>>>   create mode 100644 recipes-bsp/optee-client/files/control.tmpl
>>>>>   create mode 100755 recipes-bsp/optee-client/files/rules.tmpl
>>>>>   create mode 100644 recipes-bsp/optee-client/files/tee-
>>>>> supplicant.service
>>>>>   create mode 100644 recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>>>
>>>>> diff --git a/recipes-bsp/optee-client/files/control.tmpl b/recipes-
>>>>> bsp/optee-client/files/control.tmpl
>>>>> new file mode 100644
>>>>> index 0000000..b0c3756
>>>>> --- /dev/null
>>>>> +++ b/recipes-bsp/optee-client/files/control.tmpl
>>>>> @@ -0,0 +1,51 @@
>>>>> +Source: optee-client
>>>>> +Priority: optional
>>>>> +Maintainer: Unknown maintainer <unknown@example.com>
>>>>> +Build-Depends: pkg-config, uuid-dev
>>>>> +Standards-Version: 4.1.3
>>>>> +Section: libs
>>>>> +Homepage:
>>>>> https://github.com/OP-TEE/optee_client
>>>>> +Rules-Requires-Root: no
>>>>> +
>>>>> +Package: optee-client-dev
>>>>> +Section: libdevel
>>>>> +Architecture: arm64
>>>>> +Multi-Arch: same
>>>>> +Depends: libteec1 (= ${binary:Version}),
>>>>> +         ${misc:Depends}
>>>>> +Description: normal world user space client APIs for OP-TEE
>>>>> (development)
>>>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>>>> companion to a
>>>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>>>> TrustZone
>>>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>>>> is the API
>>>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>>>> which is the
>>>>> + API describing how to communicate with a TEE. This package
>>>>> provides the TEE
>>>>> + Client API library.
>>>>> + .
>>>>> + This package contains the development files OpTEE Client API
>>>>> +
>>>>> +Package: libteec1
>>>>> +Architecture: arm64
>>>>> +Multi-Arch: same
>>>>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>>>>> +Description: normal world user space client APIs for OP-TEE
>>>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>>>> companion to a
>>>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>>>> TrustZone
>>>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>>>> is the API
>>>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>>>> which is the
>>>>> + API describing how to communicate with a TEE. This package
>>>>> provides the TEE
>>>>> + Client API library.
>>>>> + .
>>>>> + This package contains libteec library.
>>>>> +
>>>>> +Package: tee-supplicant
>>>>> +Architecture: arm64
>>>>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>>>>> +Description: normal world user space client APIs for OP-TEE
>>>>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>>>>> companion to a
>>>>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>>>>> TrustZone
>>>>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which
>>>>> is the API
>>>>> + exposed to Trusted Applications and the TEE Client API v1.0,
>>>>> which is the
>>>>> + API describing how to communicate with a TEE. This package
>>>>> provides the TEE
>>>>> + Client API library.
>>>>> + .
>>>>> + This package contains tee-supplicant executable.
>>>>> diff --git a/recipes-bsp/optee-client/files/rules.tmpl b/recipes-
>>>>> bsp/optee-client/files/rules.tmpl
>>>>> new file mode 100755
>>>>> index 0000000..a8f2afd
>>>>> --- /dev/null
>>>>> +++ b/recipes-bsp/optee-client/files/rules.tmpl
>>>>> @@ -0,0 +1,20 @@
>>>>> +#!/usr/bin/make -f
>>>>> +
>>>>> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
>>>>> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
>>>>> +endif
>>>>> +
>>>>> +%:
>>>>> +       dh $@ --exclude=.a
>>>>> +
>>>>> +override_dh_auto_build:
>>>>> +       dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>>>>> +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>>>>> ${RPMB_EMU_BUILD_OPT}
>>>>> +
>>>>> +override_dh_auto_install:
>>>>> +       dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>>>>> +               CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>>>>> ${RPMB_EMU_BUILD_OPT}
>>>>> +
>>>>> +override_dh_auto_clean:
>>>>> +       dh_auto_clean
>>>>> +       rm -rf $(CURDIR)/out
>>>>> diff --git a/recipes-bsp/optee-client/files/tee-supplicant.service
>>>>> b/recipes-bsp/optee-client/files/tee-supplicant.service
>>>>> new file mode 100644
>>>>> index 0000000..7148515
>>>>> --- /dev/null
>>>>> +++ b/recipes-bsp/optee-client/files/tee-supplicant.service
>>>>> @@ -0,0 +1,9 @@
>>>>> +[Unit]
>>>>> +Description=TEE Supplicant
>>>>> +
>>>>> +[Service]
>>>>> +Type=simple
>>>>> +ExecStart=/usr/sbin/tee-supplicant
>>>>> +
>>>>> +[Install]
>>>>> +WantedBy=multi-user.target
>>>>> diff --git a/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>>> b/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>>> new file mode 100644
>>>>> index 0000000..b760a2c
>>>>> --- /dev/null
>>>>> +++ b/recipes-bsp/optee-client/optee-client_3.20.0.bb
>>>>> @@ -0,0 +1,47 @@
>>>>> +#
>>>>> +# CIP Core, generic profile
>>>>> +#
>>>>> +# Copyright (c) Siemens AG, 2023
>>>>> +#
>>>>> +# Authors:
>>>>> +#  Su Bao Cheng <baocheng.su@siemens.com>
>>>>> +#
>>>>> +# SPDX-License-Identifier: MIT
>>>>> +#
>>>>> +
>>>>> +inherit dpkg
>>>>> +
>>>>> +DESCRIPTION = "OPTee Client"
>>>>> +
>>>>> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
>>>>> +
>>>>> +SRC_URI +=
>>>>> "https://
>>>>> github.com%2FOP-
>>>>> TEE%2Foptee_client%2Farchive%2F%24&data=05%7C01%7Cbaocheng.su%40ad0
>>>>> 11.siemens.com%7C4165545a244e4709dbe608db66500fee%7C38ae3bcd95794fd
>>>>> 4addab42e1495d55a%7C1%7C0%7C638216266262554942%7CUnknown%7CTWFpbGZs
>>>>> b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
>>>>> %3D%7C3000%7C%7C%7C&sdata=wpVB2SbJ1kQ2znZPG62J9EvJd7C4Bk%2FQT1EsqAi
>>>>> E%2FVY%3D&reserved=0{PV}.tar.gz;downloadfilename=optee_client-
>>>>> ${PV}.tar.gz \
>>>>> +    file://control.tmpl \
>>>>> +    file://rules.tmpl \
>>>>> +    file://tee-supplicant.service"
>>>>> +SRC_URI[sha256sum] =
>>>>> "69414c424b8dbed11ce1ae0d812817eda2ef4f42a1bef762e5ca3b6fed80764c"
>>>>> +
>>>>> +S = "${WORKDIR}/optee_client-${PV}"
>>>>> +
>>>>> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
>>>>> +# To use the builtin RPMB emulation, empty this
>>>>> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
>>>>> +
>>>>> +TEMPLATE_FILES = "rules.tmpl control.tmpl"
>>>>> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
>>>>> +
>>>>> +do_prepare_build[cleandirs] += "${S}/debian"
>>>>> +do_prepare_build() {
>>>>> +    deb_debianize
>>>>> +
>>>>> +    cp -f ${WORKDIR}/tee-supplicant.service \
>>>>> +        ${S}/debian/tee-supplicant.service
>>>>> +    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
>>>>> +    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
>>>>> +    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-
>>>>> supplicant.dirs
>>>>> +
>>>>> +    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
>>>>> +
>>>>> +    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
>>>>> +    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-
>>>>> dev.install
>>>>> +}
>>>>
>>>> Looks like optee-client is part of bookworm, but version 3.19.0 only.
>>>> Latest is 3.21.0. Please make sure we aren't colliding.
>>>>
>>>
>>> That is a point, I will test it from my side.
>>>
>>>> And did you use the official debianization? If not, please do.
>>>>
>>>
>>> I borrowed something from the official debianization when I was writing
>>> it.
>>>
>>> Or should we use the `apt://${PN}` and add our modification on top?
>>> That may bind us to the 3.19 version for a pretty long time.
>>
>> Check is some salsa branch is holding what you need, maybe even already
>> 3.21.0. Otherwise, it would be nice to contribute and pull again from
>> there, at least midterm.
>>
> 
> No salsa repo for this optee-client. The patch and the debian files are
> hosted on https://packages.debian.org/source/bookworm/optee-client
> directly. And the latest version is still 3.19 on it.
> 

I see. Then let's keep it here for now, but we should clarify with
Debian the plans and whether we can help.

Jan

>> And, as we just realized during your private discussion about [1], we
>> likely also need a separate initrd hook for tee-supplicant to ensure
>> that this service is running before systemd mounts efivarfs.
>>
>> Jan
>>
>> [1]
>> https://lore.kernel.org/lkml/4ff09002-e871-38b9-43ec-227a64bac731@siemens.com/T/#u
>>
> 

-- 
Siemens AG, Technology
Competence Center Embedded Linux