From: baocheng_su@163.com
To: isar-users@googlegroups.com, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Cc: christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng.su@siemens.com, baocheng_su@163.com
Subject: [PATCH v2 5/7] Add recipe for optee ftpm
Date: Thu, 22 Jun 2023 03:22:15 +0800
Message-Id: <20230621192217.2045717-6-baocheng_su@163.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230621192217.2045717-1-baocheng_su@163.com>
References: <20230621192217.2045717-1-baocheng_su@163.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Baocheng Su

This integrates Microsoft's reference implementation of the TCG TPM 2.0 as an OPTee trusted application; see [1] and [2] for details, esp. meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm

Since the OPTee secure storage on IOT2050 is RPMB-based, and RPMB access is provided by the Linux tee-supplicant, this TA is only discoverable when tee-supplicant is running. To help gracefully manage the tee-supplicant, the kernel driver tpm_ftpm_tee should be compiled as a .ko and be loaded/unloaded dynamically.

[1]: https://github.com/microsoft/ms-tpm-20-ref/
[2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
Signed-off-by: Baocheng Su --- .../files/0001-add-enum-to-ta-flags.patch | 27 +++++++++++ .../optee-ftpm-stm32mp15x_0~230316+git.bb | 35 ++++++++++++++ .../optee-os/optee-os-stm32mp15x_3.21.0.bb | 10 +++- .../optee-ftpm/files/debian/compat | 1 + .../optee-ftpm/files/debian/control.tmpl | 11 +++++ .../optee-ftpm/files/debian/rules.tmpl | 25 ++++++++++ meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 47 +++++++++++++++++++ 7 files changed, 155 insertions(+), 1 deletion(-) create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch new file mode 100644 index 0000000..57917ba --- /dev/null +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch 
@@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Maxim Uvarov +Date: Fri, 17 Apr 2020 12:05:53 +0100 +Subject: [PATCH] add enum to ta flags + +If we compile this TA into OPTEE-OS we need to define a flag +that this TA can be discovered on the optee bus. +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34] + +Signed-off-by: Maxim Uvarov +--- + .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h +index 92c33c1..e83619d 100644 +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h +@@ -44,7 +44,7 @@ + + #define TA_UUID TA_FTPM_UUID + +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE) ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) + #define TA_STACK_SIZE (64 * 1024) + #define TA_DATA_SIZE (32 * 1024) + diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb new file mode 100644 index 0000000..de26ec3 --- /dev/null +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb 
@@ -0,0 +1,35 @@ +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +require recipes-bsp/optee-ftpm/optee-ftpm.inc + +# CHANGELOG_V = "0.1+git+isar" + +SRC_URI += " \ + https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \ + https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \ + file://0001-add-enum-to-ta-flags.patch \ + " + +SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6" +# according to ms-tpm-20-ref submodules +SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4" + +SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d" +SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14" + +S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}" + +OPTEE_NAME = "${MACHINE}" +TA_CPU = "cortex-a7" +TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32" +OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y" + +do_prepare_build:append() { + rm -rf ${S}/external/wolfssl + cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl +} diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb index 7468ca6..1b920cd 100644 --- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb +++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb @@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \ , optee-examples-stm32mp15x-random-ta \ , optee-examples-stm32mp15x-secure-storage-ta \ " -EARLY_TA_PATHS = " \ +EARLY_TA_PATHS += " \ /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \ /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \ /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \ 
@@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \ /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \ /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \ " + +# optee-ftpm integration +DEPENDS += "optee-ftpm-stm32mp15x" +DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x" +EARLY_TA_PATHS += " \ + /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \ + " + OPTEE_EXTRA_BUILDARGS += " \ CFG_EARLY_TA=y \ EARLY_TA_PATHS='${EARLY_TA_PATHS}' \ diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat new file mode 100644 index 0000000..f599e28 --- /dev/null +++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat @@ -0,0 +1 @@ +10 diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl new file mode 100644 index 0000000..abab42e --- /dev/null +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl @@ -0,0 +1,11 @@ +Source: ${PN} +Section: misc +Priority: optional +Standards-Version: 3.9.6 +Maintainer: Unknown maintainer +Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS} + +Package: ${PN} +Architecture: any +Depends: +Description: TCG reference implementation of the TPM 2.0 Specification. diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl new file mode 100755 index 0000000..19d4e08 --- /dev/null +++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl 
@@ -0,0 +1,25 @@ +#!/usr/bin/make -f +# Debian rules for optee-ftpm +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT + +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- +endif + +override_dh_auto_build: + cd Samples/ARM32-FirmwareTPM/optee_ta && \ + TA_CROSS_COMPILE=${CROSS_COMPILE} \ + TA_CPU=${TA_CPU} \ + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ + CFG_TEE_TA_LOG_LEVEL=2 \ + ${OPTEE_FTPM_BUILD_ARGS_EXTRA} \ + $(MAKE) $(PARALLEL_MAKE) + +%: + dh $@ diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc new file mode 100644 index 0000000..2f6dc30 --- /dev/null +++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc 
@@ -0,0 +1,47 @@ +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +inherit dpkg + +SUMMARY = "OPTEE fTPM Microsoft TA" +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification." +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/" + +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" + +SRC_URI += "file://debian" + +OPTEE_NAME ?= "${MACHINE}" + +DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}" +DEBIAN_BUILD_DEPENDS ?= " \ + python3-cryptography:native, \ + optee-os-tadevkit-${OPTEE_NAME} \ + " + +TA_CPU ?= "unknown" +TA_DEV_KIT_DIR ?= "unknown" +OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " " + +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl" +TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \ + OPTEE_FTPM_BUILD_ARGS_EXTRA \ + TA_CPU \ + TA_DEV_KIT_DIR" + +do_prepare_build() { + rm -rf ${S}/debian + cp -r ${WORKDIR}/debian ${S}/ + + deb_add_changelog + + rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \ + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \ + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install +} -- 2.30.2
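Review bot: the Upstream-Status line in 0001-add-enum-to-ta-flags.patch points at `https://github.com/microsoft/MSRSec/pull/34`, but the recipe in the next file fetches `microsoft/ms-tpm-20-ref`, so a reader cannot tell from the patch alone whether the submission covers the tree actually being built; add a sentence to the patch description (or the commit message) saying that the Samples/ARM32-FirmwareTPM/optee_ta sources used here are the ones carried in ms-tpm-20-ref and that the same change is pending there. The all-zero `From 0000000000000000000000000000000000000000` hash is an acceptable placeholder for an imported patch, but say so rather than leave it looking like a lost commit id.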
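Review bot: the commented-out `# CHANGELOG_V = "0.1+git+isar"` in optee-ftpm-stm32mp15x_0~230316+git.bb is dead configuration; either set it or drop the line, since leftover commented assignments tend to be copied into the next machine recipe unchanged. In `do_prepare_build:append`, `${S}/../wolfssl-${SRCREV-wolfssl}` is a roundabout spelling of `${WORKDIR}/wolfssl-${SRCREV-wolfssl}` and only works because `S` happens to be one level below WORKDIR; use WORKDIR directly so the copy does not break if `S` is ever moved. Pinning both tarballs by commit (`SRCREV`, `SRCREV-wolfssl`) together with `SRC_URI[sha256sum]` and `SRC_URI[wolfssl.sha256sum]` is the right shape for a component that ends up inside the TEE image; keep that when the revisions are bumped.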
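Review bot: the fTPM UUID `bc50d971-d4c9-42c4-82cb-343fb7f37896` is now spelled out in two unrelated places, the new `EARLY_TA_PATHS +=` block in optee-os-stm32mp15x_3.21.0.bb and the two `echo` lines in optee-ftpm.inc; define it once in the fTPM recipe and reference that variable from the optee-os recipe so the early-TA list and the installed file names cannot drift apart. Turning the original `EARLY_TA_PATHS = " \` into `+=` in the first hunk is not needed for the fTPM append in the second hunk (a later `+=` appends to a plain `=` just as well); if the intent is to pick up a value set in an included file, say so in the commit message, otherwise leave that line untouched. Since the TA is embedded with `CFG_EARLY_TA=y`, the `.stripped.elf` is what actually runs inside the authenticated OP-TEE image; the `.ta` copy that optee-ftpm.inc also installs under `/usr/lib/optee-os/${OPTEE_NAME}/ta` is a second instance of the same UUID on the REE filesystem that the early-TA store is consulted before, so either drop it or document why a rootfs copy of a TPM implementation is wanted, because anyone auditing which fTPM is live will otherwise have to work that out by hand.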
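Review bot: the bare `+Depends:` line in debian/control.tmpl (right after `Architecture: any`) is an empty field, which lintian flags and which dh cannot fill in; either remove the field or write `Depends: ${misc:Depends}` so debhelper can populate it. `Maintainer: Unknown maintainer` and `Standards-Version: 3.9.6` are copied boilerplate; at least the maintainer should name a real address, as it is what ends up in the shipped package metadata.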
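Review bot: `CFG_TEE_TA_LOG_LEVEL=2` is hard-coded in `override_dh_auto_build` of debian/rules.tmpl, so a machine recipe that wants a quieter TA in production can only get it by repeating the variable in `OPTEE_FTPM_BUILD_ARGS_EXTRA` and relying on make taking the last assignment; move the setting into the default of `OPTEE_FTPM_BUILD_ARGS_EXTRA` in optee-ftpm.inc, or give it its own `?=` variable in the `TEMPLATE_VARS` list, so the log level is an explicit, overridable knob. Only `dh_auto_build` is overridden while the Makefile lives in `Samples/ARM32-FirmwareTPM/optee_ta`; add matching overrides for `dh_auto_clean` (and `dh_auto_test`) that run there, or note in a comment that the top-level defaults are intentional no-ops, so that a rebuild in the same tree does not pick up stale TA objects.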
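Review bot: the install file written at the end of `do_prepare_build` in optee-ftpm.inc is named `optee-ftpm-${OPTEE_NAME}.install`, but control.tmpl declares the binary package as `Package: ${PN}`; dh_install only reads `debian/<package>.install`, so whenever PN differs from `optee-ftpm-${OPTEE_NAME}` (OPTEE_NAME defaults to `${MACHINE}` while the recipe name carries the SoC suffix) the package is silently built empty. Use `${PN}.install` in the `rm -f` and both redirects. The `rm -f` is itself redundant, since the first `echo ... >` truncates the file. `TA_CPU ?= "unknown"` and `TA_DEV_KIT_DIR ?= "unknown"` push a missing machine setting into an obscure failure deep in the TA dev kit make; a check in the recipe that fails with a clear message when either is still "unknown" would be friendlier to the next board integrator.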