From: baocheng.su@siemens.com
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng_su@163.com, henning.schild@siemens.com, baocheng.su@siemens.com
Subject: [PATCH v3 3/7] Add recipe for optee-client
Date: Wed, 5 Jul 2023 13:33:36 +0800
Message-Id: <20230705053340.1158024-4-baocheng.su@siemens.com>
In-Reply-To: <20230705053340.1158024-1-baocheng.su@siemens.com>
References: <20230705053340.1158024-1-baocheng.su@siemens.com>

From: Baocheng Su

optee-client provides the userland library for communicating with the trusted applications running in OP-TEE. It also provides an optee-client-dev package for developing host applications that talk to the TA counterpart.

Also a userland daemon, tee-supplicant, is provided to serve the trusted applications for user-land resources such as RPMB access.

This brings the .inc for customization, and also a demo recipe for stm32mp15x.

The debianization is learnt from the Debian official package.

The tee-supplicant.service is refined by Jan to fix some timing issues.
Signed-off-by: Baocheng Su --- meta-isar/conf/machine/stm32mp15x.conf | 2 +- .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++ .../optee-client/files/debian/compat | 1 + .../optee-client/files/debian/control.tmpl | 51 +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl | 27 ++++++++++ .../files/debian/tee-supplicant.service | 21 ++++++++ .../optee-client/optee-client-custom.inc | 41 +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-) create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2 100644 --- a/meta-isar/conf/machine/stm32mp15x.conf +++ b/meta-isar/conf/machine/stm32mp15x.conf @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in" IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x" IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x" -IMAGE_INSTALL += "u-boot-script" +IMAGE_INSTALL += "u-boot-script tee-supplicant" diff --git a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb new file mode 100644 index 0000000..d0e157f --- /dev/null +++ b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb 
@@ -0,0 +1,18 @@ +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +require recipes-bsp/optee-client/optee-client-custom.inc + +SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz" +SRC_URI[sha256sum] = "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026" + +S = "${WORKDIR}/optee_client-${PV}" + +# Use RPMB emulation +RPMB_EMU = "1" diff --git a/meta/recipes-bsp/optee-client/files/debian/compat b/meta/recipes-bsp/optee-client/files/debian/compat new file mode 100644 index 0000000..f599e28 --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/compat @@ -0,0 +1 @@ +10 diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file mode 100644 index 0000000..de780b7 --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl 
@@ -0,0 +1,51 @@ +Source: ${PN} +Priority: optional +Maintainer: Unknown maintainer +Build-Depends: pkg-config, uuid-dev +Standards-Version: 4.1.3 +Section: libs +Homepage: https://github.com/OP-TEE/optee_client +Rules-Requires-Root: no + +Package: optee-client-dev +Section: libdevel +Architecture: ${DISTRO_ARCH} +Multi-Arch: same +Depends: libteec1 (= ${binary:Version}), + ${misc:Depends} +Description: normal world user space client APIs for OP-TEE (development) + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API + exposed to Trusted Applications and the TEE Client API v1.0, which is the + API describing how to communicate with a TEE. This package provides the TEE + Client API library. + . + This package contains the development files OpTEE Client API + +Package: libteec1 +Architecture: ${DISTRO_ARCH} +Multi-Arch: same +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: normal world user space client APIs for OP-TEE + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API + exposed to Trusted Applications and the TEE Client API v1.0, which is the + API describing how to communicate with a TEE. This package provides the TEE + Client API library. + . + This package contains libteec library. + +Package: tee-supplicant +Architecture: ${DISTRO_ARCH} +Depends: systemd ${misc:Depends}, ${shlibs:Depends} +Description: normal world user space client APIs for OP-TEE + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone + technology. 
OP-TEE implements TEE Internal Core API v1.1.x which is the API + exposed to Trusted Applications and the TEE Client API v1.0, which is the + API describing how to communicate with a TEE. This package provides the TEE + Client API library. + . + This package contains tee-supplicant executable. diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl new file mode 100755 index 0000000..1b7920d --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl @@ -0,0 +1,27 @@ +#!/usr/bin/make -f +# +# Debian rules for custom OP-TEE Client build +# +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2023 +# +# SPDX-License-Identifier: MIT + +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- +endif + +%: + dh $@ --exclude=.a + +override_dh_auto_build: + dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \ + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} RPMB_EMU=${RPMB_EMU} + +override_dh_auto_install: + dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \ + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} RPMB_EMU=${RPMB_EMU} + +override_dh_auto_clean: + dh_auto_clean + rm -rf $(CURDIR)/out diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service new file mode 100644 index 0000000..4508a14 --- /dev/null +++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service 
@@ -0,0 +1,21 @@ +# This software is a part of ISAR. +# Copyright (c) Siemens AG, 2023 +# +# SPDX-License-Identifier: MIT +[Unit] +Description=TEE Supplicant +DefaultDependencies=no +Before=systemd-remount-fs.service shutdown.target +Conflicts=shutdown.target + +[Service] +Type=oneshot +RemainAfterExit=yes +# Start if not already started by the initramfs hook +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d' +ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true' +ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true' +ExecStop=/usr/bin/pkill tee-supplicant + +[Install] +WantedBy=sysinit.target diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc b/meta/recipes-bsp/optee-client/optee-client-custom.inc new file mode 100644 index 0000000..18afb93 --- /dev/null +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc 
@@ -0,0 +1,41 @@ +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg + +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" + +DESCRIPTION = "OPTee Client" + +PROVIDES = "libteec1 optee-client-dev tee-supplicant" + +SRC_URI += "file://debian" + +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee" +# To use the builtin RPMB emulation, change to 1 +RPMB_EMU ?= "0" + +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl" +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU" + +do_prepare_build[cleandirs] += "${S}/debian" +do_prepare_build() { + cp -r ${WORKDIR}/debian ${S}/ + + deb_add_changelog + + echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install + echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs + echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs + + echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install + + echo "usr/include/*" > ${S}/debian/optee-client-dev.install + echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install +} -- 2.39.2
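Review bot: in the optee-client-stm32mp15x_3.21.0.bb hunk, `RPMB_EMU = "1"` carries only the comment `# Use RPMB emulation`; the comment should state the consequence, namely that secure storage is then backed by tee-supplicant's emulation rather than a replay-protected eMMC partition and so provides none of the anti-rollback guarantees of real RPMB, so that a board recipe copied from this demo does not inherit the setting unknowingly. Suggest `# Use RPMB emulation (demo only: no replay-protected storage on this board)`.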
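Review bot: in the control.tmpl hunk, the tee-supplicant stanza's `Depends: systemd ${misc:Depends}, ${shlibs:Depends}` is missing the comma after `systemd`; it only parses while `${misc:Depends}` expands to nothing, and becomes an unparsable relation the moment debhelper adds a dependency there. It should read `Depends: systemd, ${misc:Depends}, ${shlibs:Depends}`. Two smaller points in the same file: the optee-client-dev and tee-supplicant long descriptions repeat the libteec1 sentence "This package provides the TEE Client API library." and the -dev summary line is missing a word ("development files of the OP-TEE Client API"); and `Build-Depends: pkg-config, uuid-dev` relies on the build chroot already providing debhelper at the compat level 10 requested in debian/compat, so a `debhelper (>= 10)` entry would make the package self-describing.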
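Review bot: in the tee-supplicant.service hunk, the `grep -E "\.ko$"` test in the second ExecStop line fails on kernels that ship compressed modules (`.ko.xz`, `.ko.zst`), so tpm_ftpm_tee stays loaded while tee-supplicant is killed and the teardown ordering this ExecStop sequence exists for is lost. Either match `\.ko(\.[a-z0-9]+)?$` or drop the test and rely on `/usr/sbin/modprobe -r tpm_ftpm_tee || true`, which already tolerates a built-in module. Also `pgrep tee-supplicant` and `pkill tee-supplicant` match on substring; `pgrep -x` / `pkill -x` would avoid starting a second supplicant next to, or killing, an unrelated process that merely contains that string in its name.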
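Review bot: in the optee-client-custom.inc hunk, the install lists are asymmetric: libteec1 takes only `usr/lib/*/libteec*.so.*`, whereas optee-client-dev takes `usr/lib/*/lib*.so` and `usr/include/*`. Any other shared library the build produces would end up in no binary package (compat 10 does not fail on uninstalled files) while the -dev package ships its headers and a dangling `.so` symlink. Either widen the libteec1 glob to match, or add an `override_dh_missing` with `--fail-missing` in rules.tmpl so the build reports it. Smaller: `/usr/sbin/*` has a leading slash unlike the other entries, and the `RPMB_EMU` comment should say what the emulation trades away (no replay-protected storage), not only how to enable it.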