From: baocheng_su@163.com
To: isar-users@googlegroups.com, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Cc: christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng.su@siemens.com, baocheng_su@163.com
Subject: [PATCH v2 3/7] Add recipe for optee-client
Date: Thu, 22 Jun 2023 03:22:13 +0800
Message-Id: <20230621192217.2045717-4-baocheng_su@163.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230621192217.2045717-1-baocheng_su@163.com>
References: <20230621192217.2045717-1-baocheng_su@163.com>

From: Baocheng Su

optee-client provides the userland library for communicating with the trusted applications running in OP-TEE. It also provides an optee-client-dev package for developing host applications that talk to the TA counterpart. Also a user land daemon tee-supplicant is provided to serve the trusted applications for user-land resources such as RPMB accessing.

This brings the .inc for customization, and also a demo recipe for stm32mp15x.

The debianization is learnt from the Debian official package. The tee-supplicant.service is refined by Jan to fix some timing issues.

Signed-off-by: Baocheng Su --- meta-isar/conf/machine/stm32mp15x.conf | 2 +- .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++ .../optee-client/files/debian/compat | 1 + .../optee-client/files/debian/control.tmpl | 51 +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl | 27 ++++++++++ .../files/debian/tee-supplicant.service | 21 ++++++++ .../optee-client/optee-client-custom.inc | 41 +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-) create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2 100644 --- a/meta-isar/conf/machine/stm32mp15x.conf +++ b/meta-isar/conf/machine/stm32mp15x.conf @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in" IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x" IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x" -IMAGE_INSTALL += "u-boot-script" +IMAGE_INSTALL += "u-boot-script tee-supplicant" diff --git a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb new file mode 100644 index 0000000..18525e3 --- /dev/null +++ b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb 
@@ -0,0 +1,18 @@ +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +require recipes-bsp/optee-client/optee-client-custom.inc + +SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz" +SRC_URI[sha256sum] = "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026" + +S = "${WORKDIR}/optee_client-${PV}" + +# Use RPMB emulation +RPMB_EMU_BUILD_OPT = "" diff --git a/meta/recipes-bsp/optee-client/files/debian/compat b/meta/recipes-bsp/optee-client/files/debian/compat new file mode 100644 index 0000000..f599e28 --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/compat @@ -0,0 +1 @@ +10 diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file mode 100644 index 0000000..6c68b1d --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl 
@@ -0,0 +1,51 @@ +Source: ${PN} +Priority: optional +Maintainer: Unknown maintainer +Build-Depends: pkg-config, uuid-dev +Standards-Version: 4.1.3 +Section: libs +Homepage: https://github.com/OP-TEE/optee_client +Rules-Requires-Root: no + +Package: optee-client-dev +Section: libdevel +Architecture: ${DISTRO_ARCH} +Multi-Arch: same +Depends: libteec1 (= ${binary:Version}), + ${misc:Depends} +Description: normal world user space client APIs for OP-TEE (development) + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API + exposed to Trusted Applications and the TEE Client API v1.0, which is the + API describing how to communicate with a TEE. This package provides the TEE + Client API library. + . + This package contains the development files OpTEE Client API + +Package: libteec1 +Architecture: ${DISTRO_ARCH} +Multi-Arch: same +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: normal world user space client APIs for OP-TEE + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API + exposed to Trusted Applications and the TEE Client API v1.0, which is the + API describing how to communicate with a TEE. This package provides the TEE + Client API library. + . + This package contains libteec library. + +Package: tee-supplicant +Architecture: ${DISTRO_ARCH} +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: normal world user space client APIs for OP-TEE + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone + technology. 
OP-TEE implements TEE Internal Core API v1.1.x which is the API + exposed to Trusted Applications and the TEE Client API v1.0, which is the + API describing how to communicate with a TEE. This package provides the TEE + Client API library. + . + This package contains tee-supplicant executable. diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl new file mode 100755 index 0000000..a0a8983 --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl @@ -0,0 +1,27 @@ +#!/usr/bin/make -f +# +# Debian rules for custom OP-TEE Client build +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2023 +# +# SPDX-License-Identifier: MIT + +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- +endif + +%: + dh $@ --exclude=.a + +override_dh_auto_build: + dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \ + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT} + +override_dh_auto_install: + dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \ + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT} + +override_dh_auto_clean: + dh_auto_clean + rm -rf $(CURDIR)/out diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service new file mode 100644 index 0000000..4508a14 --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service 
@@ -0,0 +1,21 @@ +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2023 +# +# SPDX-License-Identifier: MIT +[Unit] +Description=TEE Supplicant +DefaultDependencies=no +Before=systemd-remount-fs.service shutdown.target +Conflicts=shutdown.target + +[Service] +Type=oneshot +RemainAfterExit=yes +# Start if not already started by the initramfs hook +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d' +ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true' +ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true' +ExecStop=/usr/bin/pkill tee-supplicant + +[Install] +WantedBy=sysinit.target diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc b/meta/recipes-bsp/optee-client/optee-client-custom.inc new file mode 100644 index 0000000..5c88dad --- /dev/null +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc 
@@ -0,0 +1,41 @@ +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg + +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" + +DESCRIPTION = "OPTee Client" + +PROVIDES = "libteec1 optee-client-dev tee-supplicant" + +SRC_URI += "file://debian" + +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee" +# To use the builtin RPMB emulation, empty this +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0" + +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl" +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT" + +do_prepare_build[cleandirs] += "${S}/debian" +do_prepare_build() { + cp -r ${WORKDIR}/debian ${S}/ + + deb_add_changelog + + echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install + echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs + echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs + + echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install + + echo "usr/include/*" > ${S}/debian/optee-client-dev.install + echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install +} -- 2.30.2
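Review bot: In optee-client-stm32mp15x_3.21.0.bb, the comment "# Use RPMB emulation" above RPMB_EMU_BUILD_OPT = "" does not say why this board opts into emulation or that the choice is meant for the demo only. The .inc defaults to RPMB_EMU=0, so anyone copying this recipe as a starting point for a product gets emulated RPMB instead of the hardware replay-protected partition without noticing. Please expand the comment to state the reason and to point out that recipes for real targets should keep the .inc default.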
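Review bot: In debian/control.tmpl, Build-Depends lists only pkg-config and uuid-dev, yet rules.tmpl drives the whole build through dh and debian/compat sets level 10. Add debhelper (>= 10) to Build-Depends so the build does not depend on debhelper happening to be installed in the build environment. Separately, "Maintainer: Unknown maintainer" should be a real contact or a template variable, and the tee-supplicant stanza reuses the library's short description ("normal world user space client APIs for OP-TEE") although that package ships the daemon.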
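Review bot: In debian/rules.tmpl, override_dh_auto_build and override_dh_auto_install both expand ${TEE_FS_PARENT_PATH} and ${RPMB_EMU_BUILD_OPT} unquoted into the make command line, so a path containing whitespace or shell metacharacters would be split or interpreted by the shell that runs the recipe line. Quote the path, for example CFG_TEE_FS_PARENT_PATH="${TEE_FS_PARENT_PATH}", or document that the variable must be a plain path. Also, dh $@ --exclude=.a is applied to every dh_* helper and matches ".a" anywhere in a file name; the .install files generated in optee-client-custom.inc only pick lib*.so and libteec*.so.* anyway, so a comment on why the exclude is still needed would help.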
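Review bot: In tee-supplicant.service, ExecStart guards on "/usr/bin/pgrep tee-supplicant" and the last ExecStop runs "/usr/bin/pkill tee-supplicant"; both match the pattern against any process name containing that string, not the daemon this unit started. With Type=oneshot and the daemon forking via -d, systemd is not tracking its PID, so the name match is the only link between the unit and the process. Use pgrep -x and pkill -x at minimum, or a PID file. pkill also exits non-zero when nothing matched, which fails the stop step, unlike the two preceding ExecStop lines that end in "|| true". Finally, the unit sets no User= or sandboxing directives, so the daemon runs as root with the default privileges; a comment on whether that is required would help.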
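Review bot: In optee-client-custom.inc, do_prepare_build writes lib/optee_armtz/ and usr/lib/tee-supplicant/plugins/ into tee-supplicant.dirs, but the TEE_FS_PARENT_PATH default (/var/lib/optee-client/data/tee) is neither created nor given an owner or mode by the package. Since this directory holds the secure-storage data, either add it to the packaging with restrictive permissions or add a comment saying it is left to tee-supplicant to create at runtime. Minor: "/usr/sbin/*" in tee-supplicant.install has a leading slash while every other generated .install and .dirs entry is relative; make them consistent.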