[PATCH v3 0/7] Add optee family and friends

[PATCH v3 0/7] Add optee family and friends

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

This brings below optee family members:
  optee-ta-devkit, optee-client, optee-examples
and a fTPM running in optee-os, plus some initramfs hooks for tee-supplicant and
the optee-ftpm.

The optee-ta-devkit is used to provide a sdk for building trusted application of
optee.

The optee-client provides the libteec1, the optee-client-dev, and the
tee-supplicant daemon.

The optee-examples provides both the optee TAs and host applications for
demostrating how to use optee-ta-devkit and optee-client-dev.

The initramfs hooks for tee-supplicant and optee-ftpm is used to support
initramfs stage applications that needs the optee-ftpm or other TAs, such as the
disk encryption based on TPM. An example is the LUKS2 implementation in
isar-cip-core.

Also bump the stm32mp15x optee-os version to 3.21.0 to ease the integration.

Since these bits are the common foundation for applications based on ARM 
trustzone, isar should be the best place to hold them.

The idea is partly inspired by the ARM trusted substrate.

This integration use stm32mp15x as the demo platform. However, I might need some
help to verify on the real hardware, since I don't have one :)

Changes since v2:
- update copyright header to 2023
- define RPMB_EMU to replace the RPMB_EMU_BUILD_OPT
- depends systemd for tee-supplicant
- add new line EOF for some source files.

Baocheng Su (7):
  stm32mp15x: Bump optee-os to 3.21.0
  Add recipe for optee TA devkit
  Add recipe for optee-client
  Add recipe for optee examples
  Add recipe for optee ftpm
  initramfs: Add recipe for tee-supplicant hook
  initramfs: Add recipe for tee-ftpm hook

 meta-isar/conf/machine/stm32mp15x.conf        |   9 +-
 .../optee-client-stm32mp15x_3.21.0.bb         |  18 +++
 .../optee-examples/files/debian/compat        |   1 +
 .../optee-examples/files/debian/control.tmpl  | 112 ++++++++++++++++++
 .../optee-examples/files/debian/rules.tmpl    |  21 ++++
 .../optee-examples-stm32mp15x_3.21.0.bb       | 100 ++++++++++++++++
 .../files/0001-add-enum-to-ta-flags.patch     |  27 +++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     |  35 ++++++
 .../optee-os/optee-os-stm32mp15x_3.11.0.bb    |  29 -----
 .../optee-os/optee-os-stm32mp15x_3.21.0.bb    |  38 ++++++
 .../optee-os/optee-os-stm32mp15x_3.21.0.inc   |  18 +++
 .../optee-os-tadevkit-stm32mp15x_3.21.0.bb    |   7 ++
 .../images/stm32mp15x-initramfs.bb            |  15 +++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |   2 +-
 .../optee-client/files/debian/compat          |   1 +
 .../optee-client/files/debian/control.tmpl    |  51 ++++++++
 .../optee-client/files/debian/rules.tmpl      |  27 +++++
 .../files/debian/tee-supplicant.service       |  21 ++++
 .../optee-client/optee-client-custom.inc      |  41 +++++++
 .../optee-ftpm/files/debian/compat            |   1 +
 .../optee-ftpm/files/debian/control.tmpl      |  11 ++
 .../optee-ftpm/files/debian/rules.tmpl        |  25 ++++
 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc    |  47 ++++++++
 .../optee-os/files/debian/control.tmpl        |   4 +-
 meta/recipes-bsp/optee-os/optee-os-custom.inc |  29 +----
 .../optee-os/optee-os-tadevkit-custom.inc     |  26 ++++
 .../{optee-os-custom.inc => optee-os.inc}     |  14 +--
 .../files/tee-ftpm.hook                       |  25 ++++
 .../files/tee-ftpm.script                     |  26 ++++
 .../initramfs-tee-ftpm-hook_0.1.bb            |  27 +++++
 .../files/tee-supplicant.hook                 |  33 ++++++
 .../files/tee-supplicant.script               |  33 ++++++
 .../initramfs-tee-supplicant-hook_0.1.bb      |  27 +++++
 testsuite/citest.py                           |   1 +
 34 files changed, 834 insertions(+), 68 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
 create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/compat
 create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
 create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
 create mode 100644 meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
 delete mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
 create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
 create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl
 create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
 create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc
 create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
 create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
 copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb

-- 
2.39.2

[PATCH v3 1/7] stm32mp15x: Bump optee-os to 3.21.0

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 ...s-stm32mp15x_3.11.0.bb => optee-os-stm32mp15x_3.21.0.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta-isar/recipes-bsp/optee-os/{optee-os-stm32mp15x_3.11.0.bb => optee-os-stm32mp15x_3.21.0.bb} (77%)

diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
similarity index 77%
rename from meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb
rename to meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 08676be..14485f4 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -1,16 +1,16 @@
 #
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
 #
 # SPDX-License-Identifier: MIT
 
 require recipes-bsp/optee-os/optee-os-custom.inc
 
 SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
-SRC_URI[sha256sum] = "3c34eda1052fbb9ed36fcfdfaecfd2685023b9290670c1a5982f8a0457bfd2cb"
+SRC_URI[sha256sum] = "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b"
 
 S = "${WORKDIR}/optee_os-${PV}"
 
-DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
 
 OPTEE_PLATFORM = "stm32mp1"
 OPTEE_EXTRA_BUILDARGS = " \
-- 
2.39.2

[PATCH v3 2/7] Add recipe for optee TA devkit

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

The TA dev kit is used to build trusted applications, details refer to
[1]. A typical use case of this devkit is a firmware TPM reference
implementation, see [2].

1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
2. https://github.com/microsoft/ms-tpm-20-ref

This brings the .inc for customization, and also an example for
stm32mp15x.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../optee-os/optee-os-stm32mp15x_3.21.0.bb    | 23 +--------------
 ...21.0.bb => optee-os-stm32mp15x_3.21.0.inc} | 15 ++--------
 .../optee-os-tadevkit-stm32mp15x_3.21.0.bb    |  7 +++++
 .../optee-os/files/debian/control.tmpl        |  4 +--
 meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
 .../optee-os/optee-os-tadevkit-custom.inc     | 26 +++++++++++++++++
 .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
 7 files changed, 46 insertions(+), 72 deletions(-)
 copy meta-isar/recipes-bsp/optee-os/{optee-os-stm32mp15x_3.21.0.bb => optee-os-stm32mp15x_3.21.0.inc} (61%)
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
 copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)

diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 14485f4..096e263 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -4,26 +4,5 @@
 # SPDX-License-Identifier: MIT
 
 require recipes-bsp/optee-os/optee-os-custom.inc
+require optee-os-stm32mp15x_${PV}.inc
 
-SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
-SRC_URI[sha256sum] = "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b"
-
-S = "${WORKDIR}/optee_os-${PV}"
-
-DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
-
-OPTEE_PLATFORM = "stm32mp1"
-OPTEE_EXTRA_BUILDARGS = " \
-    ARCH=arm CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
-    CFG_TEE_CORE_LOG_LEVEL=2"
-OPTEE_BINARIES = "tee-header_v2.stm32 tee-pageable_v2.stm32 tee-pager_v2.stm32"
-
-# Set version manually to PV, the tarball does not contain any hint.
-# Alternative: pull from git and add git as build dependency.
-dpkg_runbuild:prepend() {
-    grep -q "^export TEE_IMPL_VERSION" ${S}/debian/rules ||
-        cat << EOF >> ${S}/debian/rules
-
-export TEE_IMPL_VERSION=${PV}
-EOF
-}
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
similarity index 61%
copy from meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
copy to meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
index 14485f4..cbf6974 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
@@ -3,9 +3,7 @@
 #
 # SPDX-License-Identifier: MIT
 
-require recipes-bsp/optee-os/optee-os-custom.inc
-
-SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
+SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz;downloadfilename=optee_os-${PV}.tar.gz"
 SRC_URI[sha256sum] = "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b"
 
 S = "${WORKDIR}/optee_os-${PV}"
@@ -14,16 +12,7 @@ DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
 
 OPTEE_PLATFORM = "stm32mp1"
 OPTEE_EXTRA_BUILDARGS = " \
+    TEE_IMPL_VERSION=${PV} \
     ARCH=arm CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
     CFG_TEE_CORE_LOG_LEVEL=2"
 OPTEE_BINARIES = "tee-header_v2.stm32 tee-pageable_v2.stm32 tee-pager_v2.stm32"
-
-# Set version manually to PV, the tarball does not contain any hint.
-# Alternative: pull from git and add git as build dependency.
-dpkg_runbuild:prepend() {
-    grep -q "^export TEE_IMPL_VERSION" ${S}/debian/rules ||
-        cat << EOF >> ${S}/debian/rules
-
-export TEE_IMPL_VERSION=${PV}
-EOF
-}
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
new file mode 100644
index 0000000..2be7a9d
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
@@ -0,0 +1,7 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
+require optee-os-stm32mp15x_${PV}.inc
diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
index 60b3927..fdf898e 100644
--- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -5,6 +5,6 @@ Standards-Version: 3.9.6
 Build-Depends: ${DEBIAN_BUILD_DEPENDS}
 Maintainer: ISAR project <isar-users@googlegroups.com>
 
-Package: optee-os-${OPTEE_NAME}
+Package: ${DEBIAN_PACKAGE_NAME}
 Architecture: ${DISTRO_ARCH}
-Description: ${DESCRIPTION}, firmware binaries
+Description: ${DESCRIPTION}
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
index d48827a..abe46e8 100644
--- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
+++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
@@ -1,38 +1,17 @@
 # Custom OP-TEE OS build
 #
 # This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
 #
 # SPDX-License-Identifier: MIT
 
-inherit dpkg
+require optee-os.inc
 
-FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
-
-SRC_URI += "file://debian/"
-
-DESCRIPTION ?= "Custom OP-TEE OS"
-
-OPTEE_NAME ?= "${MACHINE}"
-OPTEE_PLATFORM ?= "unknown"
-OPTEE_EXTRA_BUILDARGS ?= ""
-OPTEE_BINARIES ?= "tee-pager_v2.bin"
-
-DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+DESCRIPTION:append = ", firmware binaries"
 
 PROVIDES += "optee-os-${OPTEE_NAME}"
 
-TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
-
-# split strip platform flavor, if any, from the specified platform string
-OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
-
-do_prepare_build() {
-    cp -r ${WORKDIR}/debian ${S}/
-
-    deb_add_changelog
-
+do_prepare_build:append() {
     rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
     for binary in ${OPTEE_BINARIES}; do
         echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
new file mode 100644
index 0000000..cfb2cfd
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
@@ -0,0 +1,26 @@
+# Custom OP-TEE OS build for TA devkit
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+require optee-os.inc
+
+DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
+DESCRIPTION:append = ", trust application development kit."
+
+PROVIDES += "${DEBIAN_PACKAGE_NAME}"
+
+do_prepare_build:append() {
+    if [ "${DISTRO_ARCH}" = "arm64" ]; then
+        TADEVKIT_DIR="export-ta_arm64"
+    elif [ "${DISTRO_ARCH}" = "armhf" ]; then
+        TADEVKIT_DIR="export-ta_arm32"
+    else
+        bbfatal "${DISTRO_ARCH} does not have a compat arch for optee TA devkit!"
+    fi
+
+    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/${TADEVKIT_DIR} /usr/lib/optee-os/${OPTEE_NAME}/" > \
+        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
+}
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
similarity index 62%
copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
copy to meta/recipes-bsp/optee-os/optee-os.inc
index d48827a..198746b 100644
--- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
+++ b/meta/recipes-bsp/optee-os/optee-os.inc
@@ -1,7 +1,7 @@
 # Custom OP-TEE OS build
 #
 # This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
 #
 # SPDX-License-Identifier: MIT
 
@@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
 OPTEE_EXTRA_BUILDARGS ?= ""
 OPTEE_BINARIES ?= "tee-pager_v2.bin"
 
-DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
 
-PROVIDES += "optee-os-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
 
 TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
+TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
 
 # split strip platform flavor, if any, from the specified platform string
 OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
@@ -32,10 +32,4 @@ do_prepare_build() {
     cp -r ${WORKDIR}/debian ${S}/
 
     deb_add_changelog
-
-    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
-    for binary in ${OPTEE_BINARIES}; do
-        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
-            ${S}/debian/optee-os-${OPTEE_NAME}.install
-    done
 }
-- 
2.39.2

[PATCH v3 3/7] Add recipe for optee-client

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

optee-client provides the userland library for communicating with the
trusted applications running in OP-TEE.

It also provides a optee-client-dev package for developing host
application that talks to the TA counterpart.

Also a user land deamon tee-supplicant is provided to serve the trusted
applications for user-land resources such as RPMB accessing.

This brings the .inc for customization, and also a demo recipe for
stm32mp15x.

The debianization is learnt from the debian offical package. The
tee-supplicant.service is refined by Jan to fix some timing issues.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf        |  2 +-
 .../optee-client-stm32mp15x_3.21.0.bb         | 18 +++++++
 .../optee-client/files/debian/compat          |  1 +
 .../optee-client/files/debian/control.tmpl    | 51 +++++++++++++++++++
 .../optee-client/files/debian/rules.tmpl      | 27 ++++++++++
 .../files/debian/tee-supplicant.service       | 21 ++++++++
 .../optee-client/optee-client-custom.inc      | 41 +++++++++++++++
 7 files changed, 160 insertions(+), 1 deletion(-)
 create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
 create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl
 create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
 create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 4fa4051..0b200d2 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
 IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
 IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
 
-IMAGE_INSTALL += "u-boot-script"
+IMAGE_INSTALL += "u-boot-script tee-supplicant"
diff --git a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
new file mode 100644
index 0000000..d0e157f
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
@@ -0,0 +1,18 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require recipes-bsp/optee-client/optee-client-custom.inc
+
+SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
+SRC_URI[sha256sum] = "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026"
+
+S = "${WORKDIR}/optee_client-${PV}"
+
+# Use RPMB emulation
+RPMB_EMU = "1"
diff --git a/meta/recipes-bsp/optee-client/files/debian/compat b/meta/recipes-bsp/optee-client/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
new file mode 100644
index 0000000..de780b7
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
@@ -0,0 +1,51 @@
+Source: ${PN}
+Priority: optional
+Maintainer: Unknown maintainer <unknown@example.com>
+Build-Depends: pkg-config, uuid-dev
+Standards-Version: 4.1.3
+Section: libs
+Homepage: https://github.com/OP-TEE/optee_client
+Rules-Requires-Root: no
+
+Package: optee-client-dev
+Section: libdevel
+Architecture: ${DISTRO_ARCH}
+Multi-Arch: same
+Depends: libteec1 (= ${binary:Version}),
+         ${misc:Depends}
+Description: normal world user space client APIs for OP-TEE (development)
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains the development files OpTEE Client API
+
+Package: libteec1
+Architecture: ${DISTRO_ARCH}
+Multi-Arch: same
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: normal world user space client APIs for OP-TEE
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains libteec library.
+
+Package: tee-supplicant
+Architecture: ${DISTRO_ARCH}
+Depends: systemd ${misc:Depends}, ${shlibs:Depends}
+Description: normal world user space client APIs for OP-TEE
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains tee-supplicant executable.
diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
new file mode 100755
index 0000000..1b7920d
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+#
+# Debian rules for custom OP-TEE Client build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+%:
+	dh $@ --exclude=.a
+
+override_dh_auto_build:
+	dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
+		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} RPMB_EMU=${RPMB_EMU}
+
+override_dh_auto_install:
+	dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
+		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} RPMB_EMU=${RPMB_EMU}
+
+override_dh_auto_clean:
+	dh_auto_clean
+	rm -rf $(CURDIR)/out
diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
new file mode 100644
index 0000000..4508a14
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
@@ -0,0 +1,21 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+[Unit]
+Description=TEE Supplicant
+DefaultDependencies=no
+Before=systemd-remount-fs.service shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Start if not already started by the initramfs hook
+ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d'
+ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true'
+ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
+ExecStop=/usr/bin/pkill tee-supplicant
+
+[Install]
+WantedBy=sysinit.target
diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc b/meta/recipes-bsp/optee-client/optee-client-custom.inc
new file mode 100644
index 0000000..18afb93
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
@@ -0,0 +1,41 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+DESCRIPTION = "OPTee Client"
+
+PROVIDES = "libteec1 optee-client-dev tee-supplicant"
+
+SRC_URI += "file://debian"
+
+TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
+# To use the builtin RPMB emulation, change to 1
+RPMB_EMU ?= "0"
+
+TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
+TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
+    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
+    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs
+
+    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
+
+    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
+    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
+}
-- 
2.39.2

Re: [PATCH v3 3/7] Add recipe for optee-client

[Uladzimir Bely]

[-- Attachment #1: Type: text/plain, Size: 1981 bytes --]

On Wed, 2023-07-05 at 13:33 +0800, baocheng.su via isar-users wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
> 
> optee-client provides the userland library for communicating with the
> trusted applications running in OP-TEE.
> 
> It also provides a optee-client-dev package for developing host
> application that talks to the TA counterpart.
> 
> Also a user land deamon tee-supplicant is provided to serve the
> trusted
> applications for user-land resources such as RPMB accessing.
> 
> This brings the .inc for customization, and also a demo recipe for
> stm32mp15x.
> 
> The debianization is learnt from the debian offical package. The
> tee-supplicant.service is refined by Jan to fix some timing issues.
> 
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
>  meta-isar/conf/machine/stm32mp15x.conf        |  2 +-
>  .../optee-client-stm32mp15x_3.21.0.bb         | 18 +++++++
>  .../optee-client/files/debian/compat          |  1 +
>  .../optee-client/files/debian/control.tmpl    | 51
> +++++++++++++++++++
>  .../optee-client/files/debian/rules.tmpl      | 27 ++++++++++
>  .../files/debian/tee-supplicant.service       | 21 ++++++++
>  .../optee-client/optee-client-custom.inc      | 41 +++++++++++++++
>  7 files changed, 160 insertions(+), 1 deletion(-)
>  create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-
> stm32mp15x_3.21.0.bb
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
>  create mode 100644 meta/recipes-bsp/optee-
> client/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/optee-
> client/files/debian/rules.tmpl
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-
> supplicant.service
>  create mode 100644 meta/recipes-bsp/optee-client/optee-client-
> custom.inc
> 

The recipe is currently not buildable (at least, in cross mode) for
buster. So, CI fails.



[-- Attachment #2: optee-client-stm32mp15x-buster.log.txt --]
[-- Type: text/plain, Size: 42453 bytes --]

builder@22badc86cac4:/build$ bitbake -v mc:stm32mp15x-buster:optee-client-stm32mp15x
Loading cache: 100% |################################################################################################################################################################################################| Time: 0:00:00
Loaded 218 entries from dependency cache.
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Marking Active Tasks###############################################################################                                                                                                            | ETA:  0:00:00
NOTE: Pruned 38 inactive tasks, 28 left##################################################################                                                                                                            | ETA:  0:00:00
NOTE: Assign Weightings
NOTE: Compute totals (have 1 endpoint(s))#################################################################                                                                                                           | ETA:  0:00:00
Initialising tasks: 100% |###########################################################################################################################################################################################| Time: 0:00:00
Sstate summary: Wanted 1 Local 0 Mirrors 0 Missed 1 Current 2 (0% match, 66% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
NOTE: mc:stm32mp15x-buster:optee-client-stm32mp15x-3.21.0-r0 do_unpack: Unpacking /build/../work/isar/meta/recipes-bsp/optee-client/files/debian to /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/
NOTE: mc:stm32mp15x-buster:optee-client-stm32mp15x-3.21.0-r0 do_unpack: Unpacking /build/downloads/optee_client-3.21.0.tar.gz to /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/
NOTE: mc:stm32mp15x-buster:optee-client-stm32mp15x-3.21.0-r0 do_transform_template: envsubst \${PN} \${PV} \${DESCRIPTION} \${HOMEPAGE} \${MAINTAINER} \${DISTRO_ARCH} \${TEE_FS_PARENT_PATH} \${RPMB_EMU} [in: /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/debian/rules.tmpl out: /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/debian/rules]
NOTE: mc:stm32mp15x-buster:optee-client-stm32mp15x-3.21.0-r0 do_transform_template: envsubst \${PN} \${PV} \${DESCRIPTION} \${HOMEPAGE} \${MAINTAINER} \${DISTRO_ARCH} \${TEE_FS_PARENT_PATH} \${RPMB_EMU} [in: /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/debian/control.tmpl out: /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/debian/control]
+ do_prepare_build
+ cp -r /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/debian /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee_client-3.21.0/

+ deb_add_changelog
+ changelog_v=3.21.0
+ timestamp=3600

+ [ -f /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee_client-3.21.0/debian/changelog ]

+ LANG=C date -R -d
 @3600

+ date=Thu, 01 Jan 1970 01:00:00 +0000

+ cat

+ touch /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/changelog.orig

+ [ -s /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/changelog.orig ]
+ [ -f /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/changelog ]

+ echo /usr/sbin/*
+ echo lib/optee_armtz/
+ echo usr/lib/tee-supplicant/plugins/
+ echo usr/lib/*/libteec*.so.*

+ echo usr/include/*
+ echo usr/lib/*/lib*.so
+ rm -rf /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/isar-apt/debian-buster-armhf/*

+ mkdir -p /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/isar-apt/debian-buster-armhf/apt/debian-buster

+ cp -Rf /build/tmp/deploy/isar-apt/debian-buster-armhf/apt/debian-buster/dists /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/isar-apt/debian-buster-armhf/apt/debian-buster/

+ [ -d /build/tmp/deploy/isar-apt/debian-buster-armhf/apt/debian-buster/pool ]

+ env

+ ret=0
+ trap  0
+ exit 0

+ schroot_create_configs
+ mkdir -p /build/tmp/schroot-overlay

+ sudo -s

+ ret=0
+ trap  0
+ exit 0

+ dpkg_runbuild
+ E=False
+ E=None
+ export DEB_BUILD_OPTIONS=
+ export PARALLEL_MAKE=-j 16
+ rm -f /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ 
env
+ read -r line

+ grep -q ^HOME=/tmp/tmp8zqvrwgi /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ continue
+ read -r line

+ grep -q ^CCACHE_DISABLE=1 /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ echo
 CCACHE_DISABLE=1
+ 
grep -q ^HOME=

+ echo
 CCACHE_DISABLE=1
+ 
grep -q ^PWD=

+ echo CCACHE_DISABLE=1

+ 
cut -d = -f1

+ var=CCACHE_DISABLE

+ 
echo CCACHE_DISABLE=1

+ cut -d = -f2-

+ value=1
+ sbuild_export CCACHE_DISABLE 1

+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ touch /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ grep -q ^$build_environment = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ echo $build_environment = {

+ echo };
+ VAR=CCACHE_DISABLE
+ shift
+ VAR_LINE='CCACHE_DISABLE' => '1',
+ sed -i -e /^'CCACHE_DISABLE' =>/d /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf -e /^$build_environment =.*/a 'CCACHE_DISABLE' => '1', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ [ CCACHE_DISABLE = PARALLEL_MAKE ]
+ [ CCACHE_DISABLE = CCACHE_DIR ]
+ [ CCACHE_DISABLE =
 CCACHE_DEBUGDIR ]
+ [ CCACHE_DISABLE = CCACHE_DEBUG ]
+ [ CCACHE_DISABLE = CCACHE_DISABLE ]
+ continue
+ read -r line
+ grep -q ^PATH=/work/isar/scripts:/work/isar/bitbake/bin:/usr/sbin:/usr/bin:/sbin:/bin /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ continue
+ read -r line
+ grep
 -q ^DEB_BUILD_OPTIONS= /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ echo DEB_BUILD_OPTIONS=

+ grep
 -q ^HOME=

+ echo DEB_BUILD_OPTIONS=

+ grep -q
 ^PWD=

+ echo DEB_BUILD_OPTIONS=

+ cut -d = -f1

+ var=DEB_BUILD_OPTIONS

+ echo DEB_BUILD_OPTIONS=

+ cut -d = -f2-

+ value=
+ sbuild_export DEB_BUILD_OPTIONS 

+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$build_environment = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ VAR=DEB_BUILD_OPTIONS
+ shift
+ VAR_LINE='DEB_BUILD_OPTIONS' => '',

+ sed -i -e /^'DEB_BUILD_OPTIONS' =>/d /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf -e /^$build_environment =.*/a 'DEB_BUILD_OPTIONS' => '', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ [ DEB_BUILD_OPTIONS = PARALLEL_MAKE ]
+ [ DEB_BUILD_OPTIONS = CCACHE_DIR ]

+ [ DEB_BUILD_OPTIONS = CCACHE_DEBUGDIR ]
+ [ DEB_BUILD_OPTIONS = CCACHE_DEBUG ]
+ [ DEB_BUILD_OPTIONS = CCACHE_DISABLE ]
+ [ DEB_BUILD_OPTIONS = PATH_PREPEND ]
+ [ DEB_BUILD_OPTIONS = DEB_BUILD_OPTIONS ]
+ continue
+ read -r line
+ grep -q ^SHELL=/bin/bash /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ continue
+ read -r line

+ grep -q ^PARALLEL_MAKE=-j 16 /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ echo PARALLEL_MAKE=-j 16

+ grep -q ^HOME=

+ echo PARALLEL_MAKE=-j 16

+ grep -q ^PWD=

+ echo PARALLEL_MAKE=-j 16

+ cut -d = -f1

+ var=PARALLEL_MAKE

+ echo PARALLEL_MAKE=-j 16

+ cut -d = -f2-

+ value=-j 16
+ sbuild_export PARALLEL_MAKE -j 16

+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$build_environment = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ VAR=PARALLEL_MAKE
+ shift
+ VAR_LINE='PARALLEL_MAKE' => '-j 16',
+ sed -i -e /^'PARALLEL_MAKE' =>/d /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf -e /^$build_environment =.*/a 'PARALLEL_MAKE' => '-j 16', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ [ PARALLEL_MAKE = PARALLEL_MAKE ]
+ continue
+ read -r line

+ grep -q ^PWD=/build /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ continue
+ read -r line
+ grep -q ^LC_ALL=en_US.UTF-8
 /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/dpkg_prebuild.env

+ continue
+ read -r line

+ distro=debian-buster
+ [ 1 -eq 1 ]
+ distro=debian-buster
+ deb_dl_dir_import /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/rootfs debian-buster

+ export pc=/build/downloads/deb/debian-buster
+ export rootfs=/build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/rootfs
+ sudo mkdir -p /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/rootfs/var/cache/apt/archives/

+ [ ! -d /build/downloads/deb/debian-buster ]

+ flock -s /build/downloads/deb/debian-buster.lock sudo -Es

+ deb_dir=/var/cache/apt/archives
+ ext_root=/home/builder/optee-client-stm32mp15x/rootfs
+ ext_deb_dir=/home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives
+ [ 0 -eq 1 ]
+ profiles=cross
+ [ ! -z cross ]

+ echo --profiles=cross
+ sed -e s/ \+/,/g

+ profiles=--profiles=cross
+ export SBUILD_CONFIG=/build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf
+ sbuild_add_env_filter http_proxy

+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ echo $environment_filter = [

+ echo ];
+ FILTER=http_proxy
+ sed -i -e /'\^http_proxy\$/d -e /^$environment_filter =.*/a '^http_proxy$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter HTTP_PROXY
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=HTTP_PROXY
+ sed -i -e /'\^HTTP_PROXY\$/d -e /^$environment_filter =.*/a '^HTTP_PROXY$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter https_proxy
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=https_proxy
+ sed -i -e /'\^https_proxy\$/d -e /^$environment_filter =.*/a '^https_proxy$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter HTTPS_PROXY
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q
 ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=HTTPS_PROXY
+ sed -i -e /'\^HTTPS_PROXY\$/d -e /^$environment_filter =.*/a '^HTTPS_PROXY$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter ftp_proxy
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]

+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=ftp_proxy
+ sed -i -e /'\^ftp_proxy\$/d -e /^$environment_filter =.*/a '^ftp_proxy$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter FTP_PROXY
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=FTP_PROXY
+ sed -i -e /'\^FTP_PROXY\$/d -e /^$environment_filter =.*/a '^FTP_PROXY$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter no_proxy
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=no_proxy
+ sed -i -e /'\^no_proxy\$/d -e /^$environment_filter =.*/a '^no_proxy$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ sbuild_add_env_filter NO_PROXY
+ [ -w /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf ]
+ grep -q ^$environment_filter = /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ FILTER=NO_PROXY
+ sed -i -e /'\^NO_PROXY\$/d -e /^$environment_filter =.*/a '^NO_PROXY$', /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/sbuild.conf

+ echo $apt_keep_downloaded_packages = 1;

+ 
dpkg-parsechangelog --show-field Source --file /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee_client-3.21.0/debian/changelog

+ DEB_SOURCE_NAME=optee-client-stm32mp15x
+ find /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0 -name optee-client-stm32mp15x*.dsc -delete

+ sh -c cd /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0; dpkg-source -q -b optee_client-3.21.0

+ find /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0 -name optee-client-stm32mp15x*.dsc -print

+ DSC_FILE=/build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee-client-stm32mp15x_3.21.0.dsc

+ sbuild -A -n -c isar-builder-aefca26a-597c-4691-a179-5eafb7f83007-25811 --extra-repository=deb [trusted=yes] file:///home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar main --host=armhf --build=amd64 --profiles=cross --no-run-lintian --no-run-piuparts --no-run-autopkgtest --resolve-alternatives --bd-uninstallable-explainer=apt --no-apt-update --chroot-setup-commands=echo "Package: *\nPin: release n=isar\nPin-Priority: 1000" > /etc/apt/preferences.d/isar-apt --chroot-setup-commands=echo "APT::Get::allow-downgrades 1;" > /etc/apt/apt.conf.d/50isar-apt --chroot-setup-commands=rm -f /var/log/dpkg.log --chroot-setup-commands=ln -sf /home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives/*.deb -t /var/cache/apt/archives/ || : --finished-build-commands=rm -f /var/cache/apt/archives/sbuild-build-depends-main-dummy_*.deb --finished-build-commands=cp -Ln --no-preserve=owner /var/cache/apt/archives/*.deb -t /home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives/ || : --finished-build-commands=cp /var/log/dpkg.log /home/builder/optee-client-stm32mp15x/rootfs/dpkg_partial.log --debbuildopts=--source-option=-I --build-dir=/build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0 --dist=isar /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee-client-stm32mp15x_3.21.0.dsc

sbuild (Debian sbuild) 0.85.0 (04 January 2023) on 22badc86cac4

+==============================================================================+
| optee-client-stm32mp15x 3.21.0 (armhf)       Thu, 06 Jul 2023 05:29:19 +0000 |
+==============================================================================+

Package: optee-client-stm32mp15x
Version: 3.21.0
Source Version: 3.21.0
Distribution: isar
Machine Architecture: amd64
Host Architecture: armhf
Build Architecture: amd64
Build Profiles: cross
Build Type: binary


I: NOTICE: Log filtering will replace 'var/run/schroot/mount/isar-builder-aefca26a-597c-4691-a179-5eafb7f83007-25811-5b2abb26-8100-4d04-9e85-5d8ece0fc374' with '<<CHROOT>>'


+------------------------------------------------------------------------------+
| Chroot Setup Commands                                                        |
+------------------------------------------------------------------------------+



echo "Package: *\nPin: release n=isar\nPin-Priority: 1000" > /etc/apt/preferences.d/isar-apt
--------------------------------------------------------------------------------------------



I: Finished running 'echo "Package: *\nPin: release n=isar\nPin-Priority: 1000" > /etc/apt/preferences.d/isar-apt'.

echo "APT::Get::allow-downgrades 1;" > /etc/apt/apt.conf.d/50isar-apt
---------------------------------------------------------------------



I: Finished running 'echo "APT::Get::allow-downgrades 1;" > /etc/apt/apt.conf.d/50isar-apt'.

rm -f /var/log/dpkg.log
-----------------------



I: Finished running 'rm -f /var/log/dpkg.log'.

ln -sf /home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives/*.deb -t /var/cache/apt/archives/ || :
-----------------------------------------------------------------------------------------------------------------



I: Finished running 'ln -sf /home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives/*.deb -t /var/cache/apt/archives/ || :'.

Finished processing commands.
--------------------------------------------------------------------------------

I: NOTICE: Log filtering will replace 'build/optee-client-stm32mp15x-LNvG65/resolver-0htGOz' with '<<RESOLVERDIR>>'

+------------------------------------------------------------------------------+
| Update chroot                                                                |
+------------------------------------------------------------------------------+


Reading package lists...

Building dependency tree...

Reading state information...

Calculating upgrade...

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


+------------------------------------------------------------------------------+

| Fetch source files                                                           |
+------------------------------------------------------------------------------+




Local sources
-------------

/build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee-client-stm32mp15x_3.21.0.dsc exists in /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0; copying to chroot

I: NOTICE: Log filtering will replace 'build/optee-client-stm32mp15x-LNvG65/optee-client-stm32mp15x-3.21.0' with '<<PKGBUILDDIR>>'
I: NOTICE: Log filtering will replace 'build/optee-client-stm32mp15x-LNvG65' with '<<BUILDDIR>>'


+------------------------------------------------------------------------------+
| Install package build dependencies                                           |
+------------------------------------------------------------------------------+


Setup apt archive
-----------------


Merged Build-Depends: pkg-config, uuid-dev, build-essential:amd64, fakeroot:amd64, crossbuild-essential-armhf:amd64, libc-dev:armhf, libstdc++-dev:armhf
Filtered Build-Depends: pkg-config, uuid-dev, build-essential:amd64, fakeroot:amd64, crossbuild-essential-armhf:amd64, libc-dev:armhf, libstdc++-dev:armhf

dpkg-deb: building package 'sbuild-build-depends-main-dummy' in '/<<RESOLVERDIR>>/apt_archive/sbuild-build-depends-main-dummy.deb'.

Ign:1 copy:/<<RESOLVERDIR>>/apt_archive ./ InRelease

Get:2 copy:/<<RESOLVERDIR>>/apt_archive ./ Release [609 B]

Ign:3 copy:/<<RESOLVERDIR>>/apt_archive ./ Release.gpg

Get:4 copy:/<<RESOLVERDIR>>/apt_archive ./ Sources [686 B]

Get:5 copy:/<<RESOLVERDIR>>/apt_archive ./ Packages [729 B]

Fetched 2024 B in 0s (0 B/s)

Reading package lists...

Get:1 file:/home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar InRelease
Ign:1 file:/home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar InRelease

Get:2 file:/home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar Release [4994 B]

Get:2 file:/home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar Release [4994 B]

Get:3 file:/home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar Release.gpg

Ign:3 file:/home/builder/optee-client-stm32mp15x/isar-apt/debian-buster-armhf/apt/debian-buster isar Release.gpg

Reading package lists...

Reading package lists...


Install main build dependencies (apt-based resolver)
----------------------------------------------------


Installing build dependencies

Reading package lists...

Building dependency tree...

Reading state information...

Execute external solver...

The following additional packages will be installed:

  libuuid1:armhf pkg-config uuid-dev:armhf

Recommended packages:
  uuid-runtime:armhf

The following NEW packages will be installed:

  libuuid1:armhf pkg-config sbuild-build-depends-main-dummy:armhf

  uuid-dev:armhf

0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 235 kB of archives.
After this operation, 473 kB of additional disk space will be used.
Get:1 copy:/<<RESOLVERDIR>>/apt_archive ./ sbuild-build-depends-main-dummy 0.invalid.0 [900 B]

Get:2 http://deb.debian.org/debian buster/main armhf libuuid1 armhf 2.33.1-0.1 [77.5 kB]

Get:3 http://deb.debian.org/debian buster/main amd64 pkg-config amd64 0.29-6 [63.5 kB]

Get:4 http://deb.debian.org/debian buster/main armhf uuid-dev armhf 2.33.1-0.1 [92.6 kB]

Fetched 235 kB in 0s (588 kB/s)

Selecting previously unselected package libuuid1:armhf.

(Reading database ... 21139 files and directories currently installed.)

Preparing to unpack .../libuuid1_2.33.1-0.1_armhf.deb ...

Unpacking libuuid1:armhf (2.33.1-0.1) ...

Selecting previously unselected package pkg-config.

Preparing to unpack .../pkg-config_0.29-6_amd64.deb ...

Unpacking pkg-config (0.29-6) ...

Selecting previously unselected package uuid-dev:armhf.

Preparing to unpack .../uuid-dev_2.33.1-0.1_armhf.deb ...

Unpacking uuid-dev:armhf (2.33.1-0.1) ...

Selecting previously unselected package sbuild-build-depends-main-dummy:armhf.

Preparing to unpack .../sbuild-build-depends-main-dummy_0.invalid.0_armhf.deb ...

Unpacking sbuild-build-depends-main-dummy:armhf (0.invalid.0) ...

Setting up libuuid1:armhf (2.33.1-0.1) ...

Setting up pkg-config (0.29-6) ...

Setting up uuid-dev:armhf (2.33.1-0.1) ...

Setting up sbuild-build-depends-main-dummy:armhf (0.invalid.0) ...

Processing triggers for man-db (2.8.5-2) ...

Processing triggers for libc-bin (2.28-10+deb10u2) ...


+------------------------------------------------------------------------------+
| Check architectures                                                          |

+------------------------------------------------------------------------------+


Initial Foreign Architectures: armhf 

Arch check ok (armhf included in armhf)


+------------------------------------------------------------------------------+

| Build environment                                                            |
+------------------------------------------------------------------------------+

Kernel: Linux 6.1.31 #1 SMP PREEMPT_DYNAMIC Fri Jun 23 23:20:16 +03 2023 amd64 (x86_64)

Toolchain package versions: binutils_2.31.1-16 dpkg-dev_1.19.8 g++-8_8.3.0-6 gcc-8_8.3.0-6 libc6-dev_2.28-10+deb10u2 libstdc++-8-dev_8.3.0-6 libstdc++-8-dev-armhf-cross_8.3.0-2cross1 libstdc++6_8.3.0-6 libstdc++6-armhf-cross_8.3.0-2cross1 linux-libc-dev_4.19.282-1

Package versions: adduser_3.118 apt_1.8.2.3 apt-utils_1.8.2.3 autoconf_2.69-11 automake_1:1.16.1-4 autopoint_0.19.8.1-9 autotools-dev_20180224.1 base-files_10.3+deb10u13 base-passwd_3.5.46 bash_5.0-4 binutils_2.31.1-16 binutils-arm-linux-gnueabihf_2.31.1-16 binutils-common_2.31.1-16 binutils-x86-64-linux-gnu_2.31.1-16 bsdmainutils_11.1.2+b1 bsdutils_1:2.33.1-0.1 build-essential_12.6 bzip2_1.0.6-9.2~deb10u2 ca-certificates_20200601~deb10u2 coreutils_8.30-3 cpp_4:8.3.0-1 cpp-8_8.3.0-6 cpp-8-arm-linux-gnueabihf_8.3.0-2cross1 cpp-arm-linux-gnueabihf_4:8.3.0-1 cross-config_2.6.15-3 crossbuild-essential-armhf_12.6 dash_0.5.10.2-5 debconf_1.5.71+deb10u1 debhelper_12.1.1 debian-archive-keyring_2019.1+deb10u1 debianutils_4.8.6.1 devscripts_2.19.5+deb10u1 dh-autoreconf_19 dh-strip-nondeterminism_1.1.2-1 diffutils_1:3.7-3 dirmngr_2.2.12-1+deb10u2 dpkg_1.19.8 dpkg-cross_2.6.15-3 dpkg-dev_1.19.8 dwz_0.12-3 e2fsprogs_1.44.5-1+deb10u3 equivs_2.2.0 fakeroot_1.23-1 fdisk_2.33.1-0.1 file_1:5.35-4+deb10u2 findutils_4.6.0+git+20190209-2 g++_4:8.3.0-1 g++-8_8.3.0-6 g++-8-arm-linux-gnueabihf_8.3.0-2cross1 g++-arm-linux-gnueabihf_4:8.3.0-1 gcc_4:8.3.0-1 gcc-8_8.3.0-6 gcc-8-arm-linux-gnueabihf_8.3.0-2cross1 gcc-8-arm-linux-gnueabihf-base_8.3.0-2cross1 gcc-8-base_8.3.0-6 gcc-8-cross-base_8.3.0-2cross1 gcc-arm-linux-gnueabihf_4:8.3.0-1 gettext_0.19.8.1-9 gettext-base_0.19.8.1-9 gnupg_2.2.12-1+deb10u2 gnupg-l10n_2.2.12-1+deb10u2 gnupg-utils_2.2.12-1+deb10u2 gpg_2.2.12-1+deb10u2 gpg-agent_2.2.12-1+deb10u2 gpg-wks-client_2.2.12-1+deb10u2 gpg-wks-server_2.2.12-1+deb10u2 gpgconf_2.2.12-1+deb10u2 gpgsm_2.2.12-1+deb10u2 gpgv_2.2.12-1+deb10u2 grep_3.3-1 groff-base_1.22.4-3+deb10u1 gzip_1.9-3+deb10u1 hostname_3.21 init-system-helpers_1.56+nmu1 intltool-debian_0.35.0+20060710.5 libacl1_2.2.53-4 libapt-inst2.0_1.8.2.3 libapt-pkg5.0_1.8.2.3 libarchive-zip-perl_1.64-1 libasan5_8.3.0-6 libasan5-armhf-cross_8.3.0-2cross1 libassuan0_2.5.2-1 libatomic1_8.3.0-6 libatomic1-armhf-cross_8.3.0-2cross1 libattr1_1:2.4.48-4 libaudit-common_1:2.8.4-3 libaudit1_1:2.8.4-3 libb-hooks-op-check-perl_0.22-1+b1 libbinutils_2.31.1-16 libblkid1_2.33.1-0.1 libbsd0_0.9.1-2+deb10u1 libbz2-1.0_1.0.6-9.2~deb10u2 libc-bin_2.28-10+deb10u2 libc-dev-bin_2.28-10+deb10u2 libc-l10n_2.28-10+deb10u2 libc6_2.28-10+deb10u2 libc6-armhf-cross_2.28-7cross1 libc6-dev_2.28-10+deb10u2 libc6-dev-armhf-cross_2.28-7cross1 libcap-ng0_0.7.9-2 libcc1-0_8.3.0-6 libclass-method-modifiers-perl_2.12-1 libcom-err2_1.44.5-1+deb10u3 libconfig-auto-perl_0.44-1 libconfig-inifiles-perl_3.000001-1 libcroco3_0.6.12-3 libdb5.3_5.3.28+dfsg1-0.5 libdebconfclient0_0.249 libdebian-dpkgcross-perl_2.6.15-3 libdevel-callchecker-perl_0.008-1 libdevel-globaldestruction-perl_0.14-1 libdpkg-perl_1.19.8 libdynaloader-functions-perl_0.003-1 libelf1_0.176-1.1 libencode-locale-perl_1.05-1 libexpat1_2.2.6-2+deb10u6 libext2fs2_1.44.5-1+deb10u3 libfakeroot_1.23-1 libfdisk1_2.33.1-0.1 libffi6_3.2.1-9 libfile-homedir-perl_1.004-1 libfile-listing-perl_6.04-1 libfile-stripnondeterminism-perl_1.1.2-1 libfile-which-perl_1.23-1 libgcc-8-dev_8.3.0-6 libgcc-8-dev-armhf-cross_8.3.0-2cross1 libgcc1_1:8.3.0-6 libgcc1-armhf-cross_1:8.3.0-2cross1 libgcrypt20_1.8.4-5+deb10u1 libgdbm-compat4_1.18.1-4 libgdbm6_1.18.1-4 libglib2.0-0_2.58.3-2+deb10u4 libgmp10_2:6.1.2+dfsg-4+deb10u1 libgnutls30_3.6.7-4+deb10u10 libgomp1_8.3.0-6 libgomp1-armhf-cross_8.3.0-2cross1 libgpg-error0_1.35-1 libhogweed4_3.4.1-1+deb10u1 libhtml-parser-perl_3.72-3+b3 libhtml-tagset-perl_3.20-3 libhtml-tree-perl_5.07-2 libhttp-cookies-perl_6.04-1 libhttp-date-perl_6.02-1 libhttp-message-perl_6.18-1 libhttp-negotiate-perl_6.01-1 libicu63_63.1-6+deb10u3 libidn2-0_2.0.5-1+deb10u1 libimport-into-perl_1.002005-1 libio-html-perl_1.001-1 libio-pty-perl_1:1.08-1.1+b5 libio-socket-ssl-perl_2.060-3 libio-string-perl_1.08-3 libipc-run-perl_20180523.0-1 libisl19_0.20-2 libitm1_8.3.0-6 libksba8_1.3.5-2+deb10u2 libldap-2.4-2_2.4.47+dfsg-3+deb10u7 libldap-common_2.4.47+dfsg-3+deb10u7 liblocale-gettext-perl_1.07-3+b4 liblsan0_8.3.0-6 liblwp-mediatypes-perl_6.02-1 liblwp-protocol-https-perl_6.07-2 liblz4-1_1.8.3-1+deb10u1 liblzma5_5.2.4-1+deb10u1 libmagic-mgc_1:5.35-4+deb10u2 libmagic1_1:5.35-4+deb10u2 libmodule-runtime-perl_0.016-1 libmoo-perl_2.003004-2 libmount1_2.33.1-0.1 libmpc3_1.1.0-1 libmpdec2_2.4.2-2 libmpfr6_4.0.2-1 libmpx2_8.3.0-6 libncurses6_6.1+20181013-2+deb10u3 libncursesw6_6.1+20181013-2+deb10u3 libnet-http-perl_6.18-1 libnet-ssleay-perl_1.85-2+deb10u1 libnettle6_3.4.1-1+deb10u1 libnpth0_1.6-1 libp11-kit0_0.23.15-2+deb10u1 libpam-modules_1.3.1-5 libpam-modules-bin_1.3.1-5 libpam-runtime_1.3.1-5 libpam0g_1.3.1-5 libparams-classify-perl_0.015-1+b1 libpcre3_2:8.39-12 libperl5.28_5.28.1-6+deb10u1 libpipeline1_1.5.1-2 libpython3-stdlib_3.7.3-1 libpython3.7-minimal_3.7.3-2+deb10u5 libpython3.7-stdlib_3.7.3-2+deb10u5 libquadmath0_8.3.0-6 libreadline7_7.0-5 librole-tiny-perl_2.000006-1 libsasl2-2_2.1.27+dfsg-1+deb10u2 libsasl2-modules-db_2.1.27+dfsg-1+deb10u2 libseccomp2_2.3.3-4 libselinux1_2.8-1+b1 libsemanage-common_2.8-2 libsemanage1_2.8-2 libsepol1_2.8-1 libsigsegv2_2.12-2 libsmartcols1_2.33.1-0.1 libsqlite3-0_3.27.2-3+deb10u2 libss2_1.44.5-1+deb10u3 libssl1.1_1.1.1n-0+deb10u5 libstdc++-8-dev_8.3.0-6 libstdc++-8-dev-armhf-cross_8.3.0-2cross1 libstdc++6_8.3.0-6 libstdc++6-armhf-cross_8.3.0-2cross1 libstrictures-perl_2.000005-1 libsub-exporter-progressive-perl_0.001013-1 libsub-quote-perl_2.005001-1 libsystemd0_241-7~deb10u10 libtasn1-6_4.13-3+deb10u1 libtimedate-perl_2.3000-2+deb10u1 libtinfo6_6.1+20181013-2+deb10u3 libtool_2.4.6-9 libtry-tiny-perl_0.30-1 libtsan0_8.3.0-6 libubsan1_8.3.0-6 libubsan1-armhf-cross_8.3.0-2cross1 libuchardet0_0.0.6-3 libudev1_241-7~deb10u10 libunistring2_0.9.10-1 liburi-perl_1.76-1 libuuid1_2.33.1-0.1 libwww-perl_6.36-2 libwww-robotrules-perl_6.02-1 libxml-libxml-perl_2.0134+dfsg-1 libxml-namespacesupport-perl_1.12-1 libxml-sax-base-perl_1.09-1 libxml-sax-perl_1.00+dfsg-1 libxml-simple-perl_2.25-1 libxml2_2.9.4+dfsg1-7+deb10u6 libyaml-perl_1.27-1 libzstd1_1.3.8+dfsg-3+deb10u2 linux-libc-dev_4.19.282-1 linux-libc-dev-armhf-cross_4.19.20-1cross1 locales_2.28-10+deb10u2 login_1:4.5-1.1 lsb-base_10.2019051400 m4_1.4.18-2 make_4.2.1-1.2 man-db_2.8.5-2 mawk_1.3.3-17+b3 mime-support_3.62 mount_2.33.1-0.1 ncurses-base_6.1+20181013-2+deb10u3 ncurses-bin_6.1+20181013-2+deb10u3 netbase_5.6 openssl_1.1.1n-0+deb10u5 passwd_1:4.5-1.1 patch_2.7.6-3+deb10u1 patchutils_0.3.4-2 perl_5.28.1-6+deb10u1 perl-base_5.28.1-6+deb10u1 perl-modules-5.28_5.28.1-6+deb10u1 perl-openssl-defaults_3 pinentry-curses_1.1.0-2 pkg-config_0.29-6 po-debconf_1.0.21 python3_3.7.3-1 python3-minimal_3.7.3-1 python3.7_3.7.3-2+deb10u5 python3.7-minimal_3.7.3-2+deb10u5 readline-common_7.0-5 sbuild-build-depends-main-dummy_0.invalid.0 sed_4.7-1 sensible-utils_0.0.12 sysvinit-utils_2.93-8 tar_1.30+dfsg-6 tzdata_2021a-0+deb10u11 ucf_3.0038+nmu1 util-linux_2.33.1-0.1 uuid-dev_2.33.1-0.1 wdiff_1.2.2-2+b1 xz-utils_5.2.4-1+deb10u1 zlib1g_1:1.2.11.dfsg-1+deb10u2


+------------------------------------------------------------------------------+
| Build                                                                        |
+------------------------------------------------------------------------------+



Unpack source
-------------


Format: 1.0
Source: optee-client-stm32mp15x
Binary: optee-client-dev, libteec1, tee-supplicant

Architecture: armhf
Version: 3.21.0
Maintainer: Unknown maintainer <unknown@example.com>
Homepage: https://github.com/OP-TEE/optee_client
Standards-Version: 4.1.3
Build-Depends: pkg-config, uuid-dev
Package-List:
 libteec1 deb libs optional arch=armhf
 optee-client-dev deb libdevel optional arch=armhf
 tee-supplicant deb libs optional arch=armhf
Checksums-Sha1:
 9b0971b17a823e6577765188ff535b0e2edf725f 109653 optee-client-stm32mp15x_3.21.0.tar.gz
Checksums-Sha256:
 e4a6c2d8ba97e760307c4442530ea688b707a59bf1c5b0bee70c1d5077b84606 109653 optee-client-stm32mp15x_3.21.0.tar.gz
Files:

 e777d8e8aacd6dc31e1a17cc5fc9d493 109653 optee-client-stm32mp15x_3.21.0.tar.gz


dpkg-source: warning: extracting unsigned source package (optee-client-stm32mp15x_3.21.0.dsc)

dpkg-source: info: extracting optee-client-stm32mp15x in /<<PKGBUILDDIR>>
dpkg-source: info: unpacking optee-client-stm32mp15x_3.21.0.tar.gz


Check disk space
----------------


Sufficient free space for build


User Environment
----------------


APT_CONFIG=/var/lib/sbuild/apt.conf
CCACHE_DISABLE=1
CONFIG_SITE=/etc/dpkg-cross/cross-config.armhf

HOME=/sbuild-nonexistent
LC_ALL=C.UTF-8
LOGNAME=builder
PARALLEL_MAKE=-j 16
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
SCHROOT_ALIAS_NAME=isar-builder-aefca26a-597c-4691-a179-5eafb7f83007-25811
SCHROOT_CHROOT_NAME=isar-builder-aefca26a-597c-4691-a179-5eafb7f83007-25811
SCHROOT_COMMAND=env
SCHROOT_GID=1000
SCHROOT_GROUP=builder
SCHROOT_SESSION_ID=isar-builder-aefca26a-597c-4691-a179-5eafb7f83007-25811-5b2abb26-8100-4d04-9e85-5d8ece0fc374

SCHROOT_UID=1000
SCHROOT_USER=builder
SHELL=/bin/sh
USER=builder

dpkg-buildpackage

-----------------

Command: dpkg-buildpackage -aarmhf -Pcross -us -uc -b -rfakeroot --source-option=-I

dpkg-buildpackage: info: source package optee-client-stm32mp15x
dpkg-buildpackage: info: source version 3.21.0
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Unknown maintainer <unknown@example.com>

dpkg-architecture: warning: specified GNU system type arm-linux-gnueabihf does not match CC system type x86_64-linux-gnu, try setting a correct CC environment variable

 dpkg-source -I --before-build .

dpkg-buildpackage: info: host architecture armhf

 debian/rules clean

dh clean --exclude=.a

   debian/rules override_dh_auto_clean

make[1]: Entering directory '/<<PKGBUILDDIR>>'
dh_auto_clean

        make -j16 distclean

make[2]: Entering directory '/<<PKGBUILDDIR>>'

rm -f /<<PKGBUILDDIR>>/libteec/../out/libteec/tee_client_api.o /<<PKGBUILDDIR>>/libteec/../out/libteec/teec_trace.o /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.so.1.0.0 /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.so.1 \

        /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.so.1.0 /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.so

rm -f /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/tee_supplicant.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/teec_ta_load.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/tee_supp_fs.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/rpmb.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/handle.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/tee_socket.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/sha2.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/hmac_sha2.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/prof.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/plugin.o /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant/tee-supplicant

rm -f /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.a

rm -f /<<PKGBUILDDIR>>/libseteec/../out/libseteec/se.o

rm -f /<<PKGBUILDDIR>>/libckteec/../out/libckteec/pkcs11_api.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/ck_debug.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/ck_helpers.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/invoke_ta.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/pkcs11_processing.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/pkcs11_token.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/serializer.o /<<PKGBUILDDIR>>/libckteec/../out/libckteec/serialize_ck.o

if [ -d "/<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant" ] ; then rmdir --ignore-fail-on-non-empty /<<PKGBUILDDIR>>/tee-supplicant/../out/tee-supplicant ; fi

rm -f /<<PKGBUILDDIR>>/libseteec/../out/libseteec/libseteec.so.0.1.0

if [ -d "/<<PKGBUILDDIR>>/libteec/../out/libteec" ] ; then rmdir --ignore-fail-on-non-empty /<<PKGBUILDDIR>>/libteec/../out/libteec ; fi

rm -f /<<PKGBUILDDIR>>/libckteec/../out/libckteec/libckteec.so.0.1.0

rm -f /<<PKGBUILDDIR>>/libseteec/../out/libseteec/libseteec.so.0.1

rm -f /<<PKGBUILDDIR>>/libckteec/../out/libckteec/libckteec.so.0.1

rm -f /<<PKGBUILDDIR>>/libseteec/../out/libseteec/libseteec.so.0

rm -f /<<PKGBUILDDIR>>/libckteec/../out/libckteec/libckteec.so.0

rm -f /<<PKGBUILDDIR>>/libseteec/../out/libseteec/libseteec.so.0.1.0

rm -f /<<PKGBUILDDIR>>/libckteec/../out/libckteec/libckteec.so.0.1.0

rm -f /<<PKGBUILDDIR>>/libseteec/../out/libseteec/libseteec.a

if [ -d "/<<PKGBUILDDIR>>/libseteec/../out/libseteec" ] ; then rmdir --ignore-fail-on-non-empty /<<PKGBUILDDIR>>/libseteec/../out/libseteec ; fi
rm -f /<<PKGBUILDDIR>>/libckteec/../out/libckteec/libckteec.a

if [ -d "/<<PKGBUILDDIR>>/libckteec/../out/libckteec" ] ; then rmdir --ignore-fail-on-non-empty /<<PKGBUILDDIR>>/libckteec/../out/libckteec ; fi

rm -f /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/group.o /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/tee_uuid.o

rm -f /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/libteeacl.so.0.1.0

rm -f /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/libteeacl.so.0.1

rm -f /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/libteeacl.so.0

rm -f /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/libteeacl.so.0.1.0

rm -f /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl/libteeacl.a

if [ -d "/<<PKGBUILDDIR>>/libteeacl/../out/libteeacl" ] ; then rmdir --ignore-fail-on-non-empty /<<PKGBUILDDIR>>/libteeacl/../out/libteeacl ; fi

make[2]: Leaving directory '/<<PKGBUILDDIR>>'

rm -rf /<<PKGBUILDDIR>>/out

make[1]: Leaving directory '/<<PKGBUILDDIR>>'

   dh_autoreconf_clean -O--exclude=.a

   dh_clean -O--exclude=.a

 debian/rules binary

dh binary --exclude=.a

   dh_update_autotools_config -O--exclude=.a

   dh_autoreconf -O--exclude=.a

   dh_auto_configure -O--exclude=.a

   debian/rules override_dh_auto_build

make[1]: Entering directory '/<<PKGBUILDDIR>>'
dh_auto_build -- LIBDIR=/usr/lib/arm-linux-gnueabihf \

        CFG_TEE_FS_PARENT_PATH=/var/lib/optee-client/data/tee RPMB_EMU=1

        make -j16 PKG_CONFIG=arm-linux-gnueabihf-pkg-config CXX=arm-linux-gnueabihf-g\+\+ CC=arm-linux-gnueabihf-gcc LIBDIR=/usr/lib/arm-linux-gnueabihf CFG_TEE_FS_PARENT_PATH=/var/lib/optee-client/data/tee RPMB_EMU=1

make[2]: Entering directory '/<<PKGBUILDDIR>>'

Building libteec.so

Building libteeacl.so

  CC      src/tee_client_api.c

  CC      src/teec_trace.c

  Finding uuid.pc

  CC      src/group.c

  CC      src/tee_uuid.c

make[3]: *** [Makefile:47: check-libuuid] Error 1
make[3]: *** Waiting for unfinished jobs....

make[2]: *** [Makefile:58: build-libteeacl] Error 2
make[2]: *** Waiting for unfinished jobs....

  LINK    /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.so.1.0.0
  AR      /<<PKGBUILDDIR>>/libteec/../out/libteec/libteec.a



make[2]: Leaving directory '/<<PKGBUILDDIR>>'

dh_auto_build: make -j16 PKG_CONFIG=arm-linux-gnueabihf-pkg-config CXX=arm-linux-gnueabihf-g\+\+ CC=arm-linux-gnueabihf-gcc LIBDIR=/usr/lib/arm-linux-gnueabihf CFG_TEE_FS_PARENT_PATH=/var/lib/optee-client/data/tee RPMB_EMU=1 returned exit code 2

make[1]: *** [debian/rules:18: override_dh_auto_build] Error 2
make[1]: Leaving directory '/<<PKGBUILDDIR>>'

make: *** [debian/rules:15: binary] Error 2

dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

--------------------------------------------------------------------------------

Build finished at 2023-07-06T05:29:25Z

+------------------------------------------------------------------------------+

| Finished Timed Build Commands                                                |
+------------------------------------------------------------------------------+



rm -f /var/cache/apt/archives/sbuild-build-depends-main-dummy_*.deb

-------------------------------------------------------------------




I: Finished running 'rm -f /var/cache/apt/archives/sbuild-build-depends-main-dummy_*.deb'.

cp -Ln --no-preserve=owner /var/cache/apt/archives/*.deb -t /home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives/ || :
-------------------------------------------------------------------------------------------------------------------------------------





I: Finished running 'cp -Ln --no-preserve=owner /var/cache/apt/archives/*.deb -t /home/builder/optee-client-stm32mp15x/rootfs/var/cache/apt/archives/ || :'.

cp /var/log/dpkg.log /home/builder/optee-client-stm32mp15x/rootfs/dpkg_partial.log
----------------------------------------------------------------------------------




I: Finished running 'cp /var/log/dpkg.log /home/builder/optee-client-stm32mp15x/rootfs/dpkg_partial.log'.

Finished processing commands.
--------------------------------------------------------------------------------


Finished
--------





+------------------------------------------------------------------------------+
| Cleanup                                                                      |
+------------------------------------------------------------------------------+

Purging /<<BUILDDIR>>

Not cleaning session: cloned chroot in use

E: Build failure (dpkg-buildpackage died)


+------------------------------------------------------------------------------+

| Summary                                                                      |
+------------------------------------------------------------------------------+


Build Architecture: amd64
Build Profiles: cross
Build Type: binary

Build-Space: 1092
Build-Time: 1
Distribution: isar
Fail-Stage: build
Foreign Architectures: armhf
Host Architecture: armhf

Install-Time: 3
Job: /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/optee-client-stm32mp15x_3.21.0.dsc
Machine Architecture: amd64
Package: optee-client-stm32mp15x
Package-Time: 6
Source-Version: 3.21.0
Space: 1092

Status: attempted
Version: 3.21.0
--------------------------------------------------------------------------------
Finished at 2023-07-06T05:29:25Z
Build needed 00:00:06, 1092k disk space

E: Build failure (dpkg-buildpackage died)

+ bb_sh_exit_handler
+ ret=2
+ [ 2 != 0 ]
+ echo
WARNING: exit code 2 from a shell command.

 WARNING: exit code 2 from a shell command.
+ exit 2

+ schroot_delete_configs
+ 
sudo -s

+ ret=0
+ trap  0
+ exit 0

ERROR: mc:stm32mp15x-buster:optee-client-stm32mp15x-3.21.0-r0 do_dpkg_build: ExecutionError('/build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/temp/run.dpkg_runbuild.25811', 2, None, None)
ERROR: Logfile of failure stored in: /build/tmp/work/debian-buster-armhf/optee-client-stm32mp15x/3.21.0-r0/temp/log.do_dpkg_build.25811
ERROR: Task (mc:stm32mp15x-buster:/build/../work/isar/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb:do_dpkg_build) failed with exit code '1'
NOTE: Tasks Summary: Attempted 26 tasks of which 19 didn't need to be rerun and 1 failed.

Summary: 1 task failed:
  mc:stm32mp15x-buster:/build/../work/isar/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb:do_dpkg_build
Summary: There was 1 ERROR message, returning a non-zero exit code.
builder@22badc86cac4:/build$ 

Re: [PATCH v3 3/7] Add recipe for optee-client

[Jan Kiszka]

On 06.07.23 07:35, Uladzimir Bely wrote:
> On Wed, 2023-07-05 at 13:33 +0800, baocheng.su via isar-users wrote:
>> From: Baocheng Su <baocheng.su@siemens.com>
>>
>> optee-client provides the userland library for communicating with the
>> trusted applications running in OP-TEE.
>>
>> It also provides a optee-client-dev package for developing host
>> application that talks to the TA counterpart.
>>
>> Also a user land deamon tee-supplicant is provided to serve the
>> trusted
>> applications for user-land resources such as RPMB accessing.
>>
>> This brings the .inc for customization, and also a demo recipe for
>> stm32mp15x.
>>
>> The debianization is learnt from the debian offical package. The
>> tee-supplicant.service is refined by Jan to fix some timing issues.
>>
>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>> ---
>>  meta-isar/conf/machine/stm32mp15x.conf        |  2 +-
>>  .../optee-client-stm32mp15x_3.21.0.bb         | 18 +++++++
>>  .../optee-client/files/debian/compat          |  1 +
>>  .../optee-client/files/debian/control.tmpl    | 51
>> +++++++++++++++++++
>>  .../optee-client/files/debian/rules.tmpl      | 27 ++++++++++
>>  .../files/debian/tee-supplicant.service       | 21 ++++++++
>>  .../optee-client/optee-client-custom.inc      | 41 +++++++++++++++
>>  7 files changed, 160 insertions(+), 1 deletion(-)
>>  create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-
>> stm32mp15x_3.21.0.bb
>>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
>>  create mode 100644 meta/recipes-bsp/optee-
>> client/files/debian/control.tmpl
>>  create mode 100755 meta/recipes-bsp/optee-
>> client/files/debian/rules.tmpl
>>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-
>> supplicant.service
>>  create mode 100644 meta/recipes-bsp/optee-client/optee-client-
>> custom.inc
>>
> 
> The recipe is currently not buildable (at least, in cross mode) for
> buster. So, CI fails.
> 

We should likely drop the stm32 from buster - not worth the effort to
address that release anymore with new features.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [PATCH v3 3/7] Add recipe for optee-client

[Jan Kiszka]

On 05.07.23 07:33, baocheng.su@siemens.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
> 
> optee-client provides the userland library for communicating with the
> trusted applications running in OP-TEE.
> 
> It also provides a optee-client-dev package for developing host
> application that talks to the TA counterpart.
> 
> Also a user land deamon tee-supplicant is provided to serve the trusted
> applications for user-land resources such as RPMB accessing.
> 
> This brings the .inc for customization, and also a demo recipe for
> stm32mp15x.
> 
> The debianization is learnt from the debian offical package. The
> tee-supplicant.service is refined by Jan to fix some timing issues.
> 
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
>  meta-isar/conf/machine/stm32mp15x.conf        |  2 +-
>  .../optee-client-stm32mp15x_3.21.0.bb         | 18 +++++++
>  .../optee-client/files/debian/compat          |  1 +
>  .../optee-client/files/debian/control.tmpl    | 51 +++++++++++++++++++
>  .../optee-client/files/debian/rules.tmpl      | 27 ++++++++++
>  .../files/debian/tee-supplicant.service       | 21 ++++++++
>  .../optee-client/optee-client-custom.inc      | 41 +++++++++++++++
>  7 files changed, 160 insertions(+), 1 deletion(-)
>  create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>  create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc
> 
> diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
> index 4fa4051..0b200d2 100644
> --- a/meta-isar/conf/machine/stm32mp15x.conf
> +++ b/meta-isar/conf/machine/stm32mp15x.conf
> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
>  IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
>  IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
>  
> -IMAGE_INSTALL += "u-boot-script"
> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
> diff --git a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> new file mode 100644
> index 0000000..d0e157f
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> @@ -0,0 +1,18 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require recipes-bsp/optee-client/optee-client-custom.inc
> +
> +SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
> +SRC_URI[sha256sum] = "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026"
> +
> +S = "${WORKDIR}/optee_client-${PV}"
> +
> +# Use RPMB emulation
> +RPMB_EMU = "1"
> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat b/meta/recipes-bsp/optee-client/files/debian/compat
> new file mode 100644
> index 0000000..f599e28
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> new file mode 100644
> index 0000000..de780b7
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> @@ -0,0 +1,51 @@
> +Source: ${PN}
> +Priority: optional
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: pkg-config, uuid-dev
> +Standards-Version: 4.1.3
> +Section: libs
> +Homepage: https://github.com/OP-TEE/optee_client
> +Rules-Requires-Root: no
> +
> +Package: optee-client-dev
> +Section: libdevel
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: libteec1 (= ${binary:Version}),
> +         ${misc:Depends}
> +Description: normal world user space client APIs for OP-TEE (development)
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains the development files OpTEE Client API
> +
> +Package: libteec1
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains libteec library.
> +
> +Package: tee-supplicant
> +Architecture: ${DISTRO_ARCH}
> +Depends: systemd ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains tee-supplicant executable.
> diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> new file mode 100755
> index 0000000..1b7920d
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> @@ -0,0 +1,27 @@
> +#!/usr/bin/make -f
> +#
> +# Debian rules for custom OP-TEE Client build
> +#
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +%:
> +	dh $@ --exclude=.a
> +
> +override_dh_auto_build:
> +	dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> +		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} RPMB_EMU=${RPMB_EMU}
> +
> +override_dh_auto_install:
> +	dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> +		CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} RPMB_EMU=${RPMB_EMU}
> +
> +override_dh_auto_clean:
> +	dh_auto_clean
> +	rm -rf $(CURDIR)/out
> diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> new file mode 100644
> index 0000000..4508a14
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> @@ -0,0 +1,21 @@
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +[Unit]
> +Description=TEE Supplicant
> +DefaultDependencies=no
> +Before=systemd-remount-fs.service shutdown.target
> +Conflicts=shutdown.target
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +# Start if not already started by the initramfs hook
> +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d'
> +ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true'
> +ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'

With bullseye:

Dec 22 11:55:45 isar sh[151]: /bin/sh: 1: /usr/bin/pgrep: not found
Dec 22 11:55:45 isar sh[152]: ERR [152] TEES:main:870: make_daemon(): -1
Dec 22 11:55:49 isar systemd[1]: /lib/systemd/system/tee-supplicant.service:17: Ignoring unknown escape sequences: "/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true"

Jan

> +ExecStop=/usr/bin/pkill tee-supplicant
> +
> +[Install]
> +WantedBy=sysinit.target
> diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc b/meta/recipes-bsp/optee-client/optee-client-custom.inc
> new file mode 100644
> index 0000000..18afb93
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
> @@ -0,0 +1,41 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg
> +
> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> +
> +DESCRIPTION = "OPTee Client"
> +
> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
> +
> +SRC_URI += "file://debian"
> +
> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
> +# To use the builtin RPMB emulation, change to 1
> +RPMB_EMU ?= "0"
> +
> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> +    cp -r ${WORKDIR}/debian ${S}/
> +
> +    deb_add_changelog
> +
> +    echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
> +    echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
> +    echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs
> +
> +    echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
> +
> +    echo "usr/include/*" > ${S}/debian/optee-client-dev.install
> +    echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
> +}

-- 
Siemens AG, Technology
Competence Center Embedded Linux

[PATCH v3 4/7] Add recipe for optee examples

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

The optee-examples repo is provided to demostrate the trusted
application and the host counterpart.

The stm32mp15x is used as the demo platform.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf        |   9 +-
 .../optee-examples/files/debian/compat        |   1 +
 .../optee-examples/files/debian/control.tmpl  | 112 ++++++++++++++++++
 .../optee-examples/files/debian/rules.tmpl    |  21 ++++
 .../optee-examples-stm32mp15x_3.21.0.bb       | 100 ++++++++++++++++
 .../optee-os/optee-os-stm32mp15x_3.21.0.bb    |  22 ++++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |   2 +-
 7 files changed, 265 insertions(+), 2 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/compat
 create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
 create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
 create mode 100644 meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 0b200d2..4e8142e 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -16,4 +16,11 @@ WKS_FILE ?= "stm32mp15x.wks.in"
 IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
 IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
 
-IMAGE_INSTALL += "u-boot-script tee-supplicant"
+IMAGE_INSTALL += "u-boot-script \
+    optee-examples-stm32mp15x-acipher-host \
+    optee-examples-stm32mp15x-aes-host \
+    optee-examples-stm32mp15x-hello-world-host \
+    optee-examples-stm32mp15x-hotp-host \
+    optee-examples-stm32mp15x-random-host \
+    optee-examples-stm32mp15x-secure-storage-host \
+    "
diff --git a/meta-isar/recipes-bsp/optee-examples/files/debian/compat b/meta-isar/recipes-bsp/optee-examples/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl b/meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
new file mode 100644
index 0000000..b0e7039
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
@@ -0,0 +1,112 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: ${PN}-acipher-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - acipher
+ Generates an RSA key pair of specified size and encrypts a supplied string with
+ it using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: a734eed9-d6a1-4244-aa50-7c99719e7b7b
+
+Package: ${PN}-acipher-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+         ${misc:Depends}
+Description: OP-TEE Trusted Application example - acipher (host application)
+ Generates an RSA key pair of specified size and encrypts a supplied string with
+ it using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: a734eed9-d6a1-4244-aa50-7c99719e7b7b
+
+Package: ${PN}-aes-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - aes
+ Runs an AES encryption and decryption from a TA using the GlobalPlatform TEE
+ Internal Core API. Non secure test application provides the key, initial vector
+ and ciphered data.
+ .
+ UUID: 5dbac793-f574-4871-8ad3-04331ec17f24
+
+Package: ${PN}-aes-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+         ${misc:Depends}
+Description: OP-TEE Trusted Application example - aes (host application)
+ Runs an AES encryption and decryption from a TA using the GlobalPlatform TEE
+ Internal Core API. Non secure test application provides the key, initial vector
+ and ciphered data.
+ .
+ UUID: 5dbac793-f574-4871-8ad3-04331ec17f24
+
+Package: ${PN}-hello-world-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - hello_world
+ This is a very simple Trusted Application to answer a hello command and
+ incrementing an integer value.
+ .
+ UUID: 8aaaf200-2450-11e4-abe2-0002a5d5c51b
+
+Package: ${PN}-hello-world-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+         ${misc:Depends}
+Description: OP-TEE Trusted Application example - hello_world (host application)
+ This is a very simple Trusted Application to answer a hello command and
+ incrementing an integer value.
+ .
+ UUID: 8aaaf200-2450-11e4-abe2-0002a5d5c51b
+
+Package: ${PN}-hotp-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - hotp
+ HMAC based One Time Password in OP-TEE.
+ .
+ UUID: 484d4143-2d53-4841-3120-4a6f636b6542
+
+Package: ${PN}-hotp-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+         ${misc:Depends}
+Description: OP-TEE Trusted Application example - hotp (host application)
+ HMAC based One Time Password in OP-TEE.
+ .
+ UUID: 484d4143-2d53-4841-3120-4a6f636b6542
+
+Package: ${PN}-random-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - random
+ Generates a random UUID using capabilities of TEE API (TEE_GenerateRandom()).
+ .
+ UUID: b6c53aba-9669-4668-a7f2-205629d00f86
+
+Package: ${PN}-random-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+         ${misc:Depends}
+Description: OP-TEE Trusted Application example - random (host application)
+ Generates a random UUID using capabilities of TEE API (TEE_GenerateRandom()).
+ .
+ UUID: b6c53aba-9669-4668-a7f2-205629d00f86
+
+Package: ${PN}-secure-storage-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - secure_storage
+ A Trusted Application to read/write raw data into the OP-TEE secure storage
+ using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: f4e750bb-1437-4fbf-8785-8d3580c34994
+
+Package: ${PN}-secure-storage-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+         ${misc:Depends}
+Description: OP-TEE Trusted Application example - secure_storage (host application)
+ A Trusted Application to read/write raw data into the OP-TEE secure storage
+ using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: f4e750bb-1437-4fbf-8785-8d3580c34994
diff --git a/meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl b/meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
new file mode 100644
index 0000000..7e4be39
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+#
+# Debian rules for custom OP-TEE Examples build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	dh_auto_build -- HOST_CROSS_COMPILE=${CROSS_COMPILE} \
+    PLATFORM=${OPTEE_PLATFORM} \
+    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+    examples
diff --git a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
new file mode 100644
index 0000000..2a64a86
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
@@ -0,0 +1,100 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+inherit dpkg
+
+DESCRIPTION ?= "OP-TEE examples"
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += " \
+    https://github.com/linaro-swg/optee_examples/archive/${PV}.tar.gz;downloadfilename=optee_examples-${PV}.tar.gz \
+    file://debian \
+    "
+SRC_URI[sha256sum] = "9b965f829adc532b5228534d3b9b38ae1fc4f2ac55d73159a39d43e59749f3ed"
+
+S = "${WORKDIR}/optee_examples-${PV}"
+
+OPTEE_NAME = "${MACHINE}"
+OPTEE_PLATFORM = "stm32mp1"
+TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
+
+PROVIDES += " \
+    optee-examples-${OPTEE_NAME}-acipher-host \
+    optee-examples-${OPTEE_NAME}-acipher-ta \
+    optee-examples-${OPTEE_NAME}-aes-host \
+    optee-examples-${OPTEE_NAME}-aes-ta \
+    optee-examples-${OPTEE_NAME}-hello-world-host \
+    optee-examples-${OPTEE_NAME}-hello-world-ta \
+    optee-examples-${OPTEE_NAME}-hotp-host \
+    optee-examples-${OPTEE_NAME}-hotp-ta \
+    optee-examples-${OPTEE_NAME}-random-host \
+    optee-examples-${OPTEE_NAME}-random-ta \
+    optee-examples-${OPTEE_NAME}-secure-storage-host \
+    optee-examples-${OPTEE_NAME}-secure-storage-ta \
+    "
+
+DEPENDS = "optee-os-tadevkit-${OPTEE_NAME} optee-client-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= " \
+    python3-pycryptodome:native, \
+    python3-cryptography:native, \
+    optee-client-dev, \
+    optee-os-tadevkit-${OPTEE_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
+TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM TA_DEV_KIT_DIR"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    # acipher.install
+    echo "acipher/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/${PN}-acipher-ta.install
+    echo "acipher/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/${PN}-acipher-ta.install
+    echo "acipher/host/optee_example_acipher /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+        ${S}/debian/${PN}-acipher-host.install
+
+    # aes.install
+    echo "aes/ta/5dbac793-f574-4871-8ad3-04331ec17f24.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/${PN}-aes-ta.install
+    echo "aes/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/${PN}-aes-ta.install
+    echo "aes/host/optee_example_aes /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+        ${S}/debian/${PN}-aes-host.install
+
+    # hello-world.install
+    echo "hello_world/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/${PN}-hello-world-ta.install
+    echo "hello_world/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/${PN}-hello-world-ta.install
+    echo "hello_world/host/optee_example_hello_world /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+        ${S}/debian/${PN}-hello-world-host.install
+
+    # hotp.install
+    echo "hotp/ta/484d4143-2d53-4841-3120-4a6f636b6542.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/${PN}-hotp-ta.install
+    echo "hotp/ta/484d4143-2d53-4841-3120-4a6f636b6542.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/${PN}-hotp-ta.install
+    echo "hotp/host/optee_example_hotp /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+        ${S}/debian/${PN}-hotp-host.install
+
+    # random.install
+    echo "random/ta/b6c53aba-9669-4668-a7f2-205629d00f86.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/${PN}-random-ta.install
+    echo "random/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/${PN}-random-ta.install
+    echo "random/host/optee_example_random /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+        ${S}/debian/${PN}-random-host.install
+
+    # secure-storage.install
+    echo "secure_storage/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/${PN}-secure-storage-ta.install
+    echo "secure_storage/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/${PN}-secure-storage-ta.install
+    echo "secure_storage/host/optee_example_secure_storage /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+        ${S}/debian/${PN}-secure-storage-host.install
+}
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 096e263..7468ca6 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -6,3 +6,25 @@
 require recipes-bsp/optee-os/optee-os-custom.inc
 require optee-os-stm32mp15x_${PV}.inc
 
+# optee-examples integration
+DEPENDS += "optee-examples-stm32mp15x"
+DEBIAN_BUILD_DEPENDS += " \
+    , optee-examples-stm32mp15x-acipher-ta \
+    , optee-examples-stm32mp15x-aes-ta \
+    , optee-examples-stm32mp15x-hello-world-ta \
+    , optee-examples-stm32mp15x-hotp-ta \
+    , optee-examples-stm32mp15x-random-ta \
+    , optee-examples-stm32mp15x-secure-storage-ta \
+    "
+EARLY_TA_PATHS = " \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/484d4143-2d53-4841-3120-4a6f636b6542.stripped.elf \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
+    "
+OPTEE_EXTRA_BUILDARGS += " \
+    CFG_EARLY_TA=y \
+    EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
+    "
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index 4ed4ee8..5d96f65 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -8,7 +8,7 @@ part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trus
 part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
 
 part teeh --part-name teeh --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-header_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part teed --part-name teed --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 512K
+part teed --part-name teed --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 1024K
 part teex --part-name teex --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pager_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
 
 part / --source rootfs-u-boot --fstype ext4 --mkfs-extraopts "-T default" --label root --align 1024 --active --use-uuid
-- 
2.39.2

[PATCH v3 5/7] Add recipe for optee ftpm

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

This integrate Microsoft's reference implementation of the TCG TPM2.0 as an
OPTee trusted application, see [1] and [2] for details, esp.
meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm

Since the OPTee secure storage on IOT2050 is RPMB-based, and the RPMB accessing
is provided by linux tee-supplicant, this TA is only discoverable when
tee-supplicant is running.

To help to gracefully manage the tee-supplicant, the kernel drive
tpm_ftpm_tee should be compile as .ko and be loaded/unloaded dynamically.

[1]: https://github.com/microsoft/ms-tpm-20-ref/
[2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../files/0001-add-enum-to-ta-flags.patch     | 27 +++++++++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     | 35 ++++++++++++++
 .../optee-os/optee-os-stm32mp15x_3.21.0.bb    | 10 +++-
 .../optee-ftpm/files/debian/compat            |  1 +
 .../optee-ftpm/files/debian/control.tmpl      | 11 +++++
 .../optee-ftpm/files/debian/rules.tmpl        | 25 ++++++++++
 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc    | 47 +++++++++++++++++++
 7 files changed, 155 insertions(+), 1 deletion(-)
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
 create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
 create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc

diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
new file mode 100644
index 0000000..57917ba
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH] add enum to ta flags
+
+If we compile this TA into OPTEE-OS we need to define a flag
+that this TA can be discovered on the optee bus.
+Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+index 92c33c1..e83619d 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+ 
+ #define TA_UUID                     TA_FTPM_UUID
+ 
+-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE               (64 * 1024)
+ #define TA_DATA_SIZE                (32 * 1024)
+ 
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
new file mode 100644
index 0000000..de26ec3
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -0,0 +1,35 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
+
+# CHANGELOG_V = "0.1+git+isar"
+
+SRC_URI += " \
+    https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
+    https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
+    file://0001-add-enum-to-ta-flags.patch \
+    "
+
+SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
+# according to ms-tpm-20-ref submodules
+SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+
+SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
+SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+
+S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
+
+OPTEE_NAME = "${MACHINE}"
+TA_CPU = "cortex-a7"
+TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
+OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
+
+do_prepare_build:append() {
+    rm -rf ${S}/external/wolfssl
+    cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl
+}
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 7468ca6..1b920cd 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \
     , optee-examples-stm32mp15x-random-ta \
     , optee-examples-stm32mp15x-secure-storage-ta \
     "
-EARLY_TA_PATHS = " \
+EARLY_TA_PATHS += " \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
@@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
     "
+
+# optee-ftpm integration
+DEPENDS += "optee-ftpm-stm32mp15x"
+DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x"
+EARLY_TA_PATHS += " \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \
+    "
+
 OPTEE_EXTRA_BUILDARGS += " \
     CFG_EARLY_TA=y \
     EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
new file mode 100644
index 0000000..abab42e
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
@@ -0,0 +1,11 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: Unknown maintainer <unknown@example.com>
+Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS}
+
+Package: ${PN}
+Architecture: any
+Depends:
+Description: TCG reference implementation of the TPM 2.0 Specification.
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
new file mode 100755
index 0000000..19d4e08
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+# Debian rules for optee-ftpm
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	cd Samples/ARM32-FirmwareTPM/optee_ta && \
+		TA_CROSS_COMPILE=${CROSS_COMPILE} \
+		TA_CPU=${TA_CPU} \
+		TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+		CFG_TEE_TA_LOG_LEVEL=2 \
+		${OPTEE_FTPM_BUILD_ARGS_EXTRA} \
+		$(MAKE) $(PARALLEL_MAKE)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
new file mode 100644
index 0000000..2f6dc30
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
@@ -0,0 +1,47 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+inherit dpkg
+
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian"
+
+OPTEE_NAME ?= "${MACHINE}"
+
+DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= " \
+    python3-cryptography:native,                                        \
+    optee-os-tadevkit-${OPTEE_NAME}                                     \
+    "
+
+TA_CPU ?= "unknown"
+TA_DEV_KIT_DIR ?= "unknown"
+OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
+
+TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
+TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
+    OPTEE_FTPM_BUILD_ARGS_EXTRA \
+    TA_CPU \
+    TA_DEV_KIT_DIR"
+
+do_prepare_build() {
+    rm -rf ${S}/debian
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+    echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+    echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+}
-- 
2.39.2

Re: [PATCH v3 5/7] Add recipe for optee ftpm

[Jan Kiszka]

On 05.07.23 07:33, baocheng.su@siemens.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
> 
> This integrate Microsoft's reference implementation of the TCG TPM2.0 as an
> OPTee trusted application, see [1] and [2] for details, esp.
> meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm
> 
> Since the OPTee secure storage on IOT2050 is RPMB-based, and the RPMB accessing
> is provided by linux tee-supplicant, this TA is only discoverable when
> tee-supplicant is running.
> 
> To help to gracefully manage the tee-supplicant, the kernel drive
> tpm_ftpm_tee should be compile as .ko and be loaded/unloaded dynamically.
> 
> [1]: https://github.com/microsoft/ms-tpm-20-ref/
> [2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
> 
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
>  .../files/0001-add-enum-to-ta-flags.patch     | 27 +++++++++++
>  .../optee-ftpm-stm32mp15x_0~230316+git.bb     | 35 ++++++++++++++
>  .../optee-os/optee-os-stm32mp15x_3.21.0.bb    | 10 +++-
>  .../optee-ftpm/files/debian/compat            |  1 +
>  .../optee-ftpm/files/debian/control.tmpl      | 11 +++++
>  .../optee-ftpm/files/debian/rules.tmpl        | 25 ++++++++++
>  meta/recipes-bsp/optee-ftpm/optee-ftpm.inc    | 47 +++++++++++++++++++
>  7 files changed, 155 insertions(+), 1 deletion(-)
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
>  create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
>  create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
>  create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> 
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
> new file mode 100644
> index 0000000..57917ba
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
> @@ -0,0 +1,27 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> +Date: Fri, 17 Apr 2020 12:05:53 +0100
> +Subject: [PATCH] add enum to ta flags
> +
> +If we compile this TA into OPTEE-OS we need to define a flag
> +that this TA can be discovered on the optee bus.
> +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
> +
> +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> +---
> + .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h    | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
> +index 92c33c1..e83619d 100644
> +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
> ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
> +@@ -44,7 +44,7 @@
> + 
> + #define TA_UUID                     TA_FTPM_UUID
> + 
> +-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
> ++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> + #define TA_STACK_SIZE               (64 * 1024)
> + #define TA_DATA_SIZE                (32 * 1024)
> + 
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
> new file mode 100644
> index 0000000..de26ec3
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
> @@ -0,0 +1,35 @@
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +require recipes-bsp/optee-ftpm/optee-ftpm.inc
> +
> +# CHANGELOG_V = "0.1+git+isar"
> +
> +SRC_URI += " \
> +    https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
> +    https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
> +    file://0001-add-enum-to-ta-flags.patch \
> +    "
> +
> +SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
> +# according to ms-tpm-20-ref submodules
> +SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
> +
> +SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
> +SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
> +
> +S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
> +
> +OPTEE_NAME = "${MACHINE}"
> +TA_CPU = "cortex-a7"
> +TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
> +OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
> +
> +do_prepare_build:append() {
> +    rm -rf ${S}/external/wolfssl
> +    cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl
> +}
> diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> index 7468ca6..1b920cd 100644
> --- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> +++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> @@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \
>      , optee-examples-stm32mp15x-random-ta \
>      , optee-examples-stm32mp15x-secure-storage-ta \
>      "
> -EARLY_TA_PATHS = " \
> +EARLY_TA_PATHS += " \
>      /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
>      /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
>      /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
> @@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \
>      /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
>      /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
>      "
> +
> +# optee-ftpm integration
> +DEPENDS += "optee-ftpm-stm32mp15x"
> +DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x"
> +EARLY_TA_PATHS += " \
> +    /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \
> +    "
> +
>  OPTEE_EXTRA_BUILDARGS += " \
>      CFG_EARLY_TA=y \
>      EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat
> new file mode 100644
> index 0000000..f599e28
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> new file mode 100644
> index 0000000..abab42e
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> @@ -0,0 +1,11 @@
> +Source: ${PN}
> +Section: misc
> +Priority: optional
> +Standards-Version: 3.9.6
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS}
> +
> +Package: ${PN}
> +Architecture: any
> +Depends:
> +Description: TCG reference implementation of the TPM 2.0 Specification.
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
> new file mode 100755
> index 0000000..19d4e08
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
> @@ -0,0 +1,25 @@
> +#!/usr/bin/make -f
> +# Debian rules for optee-ftpm
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +override_dh_auto_build:
> +	cd Samples/ARM32-FirmwareTPM/optee_ta && \
> +		TA_CROSS_COMPILE=${CROSS_COMPILE} \
> +		TA_CPU=${TA_CPU} \
> +		TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> +		CFG_TEE_TA_LOG_LEVEL=2 \
> +		${OPTEE_FTPM_BUILD_ARGS_EXTRA} \
> +		$(MAKE) $(PARALLEL_MAKE)
> +
> +%:
> +	dh $@
> diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> new file mode 100644
> index 0000000..2f6dc30
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> @@ -0,0 +1,47 @@
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +inherit dpkg
> +
> +SUMMARY = "OPTEE fTPM Microsoft TA"
> +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> +
> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> +
> +SRC_URI += "file://debian"
> +
> +OPTEE_NAME ?= "${MACHINE}"
> +
> +DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}"
> +DEBIAN_BUILD_DEPENDS ?= " \
> +    python3-cryptography:native,                                        \
> +    optee-os-tadevkit-${OPTEE_NAME}                                     \
> +    "
> +
> +TA_CPU ?= "unknown"
> +TA_DEV_KIT_DIR ?= "unknown"
> +OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
> +
> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> +TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
> +    OPTEE_FTPM_BUILD_ARGS_EXTRA \
> +    TA_CPU \
> +    TA_DEV_KIT_DIR"
> +
> +do_prepare_build() {
> +    rm -rf ${S}/debian
> +    cp -r ${WORKDIR}/debian ${S}/
> +
> +    deb_add_changelog
> +
> +    rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
> +    echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
> +        ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
> +    echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
> +        ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
> +}

I randomly get this on boot-up, but some boots pass:

[...]
## Executing script at c4100000
Loading /usr/lib/linux-image-5.4.203-isar/stm32mp157c-ev1.dtb...
44180 bytes read in 67 ms (643.6 KiB/s)
Loading /boot/vmlinuz-5.4.203-isar...
9007616 bytes read in 410 ms (21 MiB/s)
Loading /boot/initrd.img-5.4.203-isar...
4196539 bytes read in 208 ms (19.2 MiB/s)
Kernel image @ 0xc2000000 [ 0x000000 - 0x897200 ]
## Flattened Device Tree blob at c4000000
   Booting using the fdt blob at 0xc4000000
   Loading Ramdisk to cfbff000, end cffff8bb ... OK
E/TC:0   tzc_it_handler:26 TZC permission failure
E/TC:0   dump_fail_filter:420 Permission violation on filter 0
E/TC:0   dump_fail_filter:425 Violation @0xfe33ed00, non-secure privileged read, AXI ID 5c0
E/TC:0   Panic

I suspect that the to-be-reserved memory is now larger with fTPM, and Linux either has this hard-coded or U-Boot/TF-A/OP-TEE fails to report that size properly.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

[PATCH v3 6/7] initramfs: Add recipe for tee-supplicant hook

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

This adds the tee-supplicant hook so that the tee supplicant daemon is
started at the initrd stage.

The tee-supplicant daemon is used to provide service to trust
applications running in optee, for example to provide RPMB access
service for StMM or fTPM TAs.

By running tee-supplicant at initrd stage, disk encryption based on fTPM
is possible.

stm32mp15x is used to demo the building of this hook, so add a new ci
target for the initramfs image of stm32mp15x.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../images/stm32mp15x-initramfs.bb            | 14 ++++++++
 .../files/tee-supplicant.hook                 | 33 +++++++++++++++++++
 .../files/tee-supplicant.script               | 33 +++++++++++++++++++
 .../initramfs-tee-supplicant-hook_0.1.bb      | 27 +++++++++++++++
 testsuite/citest.py                           |  1 +
 5 files changed, 108 insertions(+)
 create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb

diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
new file mode 100644
index 0000000..211c201
--- /dev/null
+++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
@@ -0,0 +1,14 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+    initramfs-tee-supplicant-hook \
+    "
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
new file mode 100644
index 0000000..0af277b
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+hook_error() {
+    echo "(ERROR): $2" >&2
+    exit 1
+}
+
+# For stock debian bookworm arm64 kernel, these two .ko exist, but not built-in.
+manual_add_modules tee
+manual_add_modules optee
+
+copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"
+copy_exec /usr/bin/pgrep || hook_error "/usr/bin/pgrep not found"
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
new file mode 100644
index 0000000..bb6dcc1
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+	echo "$PREREQ"
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+/usr/sbin/tee-supplicant -d
+
+# The tee-supplicant would take some time to be discovered, 10 seconds should be
+# enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+	wait_sec=$((wait_sec-1))
+	sleep 1
+done
+
+/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
new file mode 100644
index 0000000..3768b8e
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
@@ -0,0 +1,27 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://tee-supplicant.hook \
+    file://tee-supplicant.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+    install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
+    install -m 0755 "${WORKDIR}/tee-supplicant.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
+}
diff --git a/testsuite/citest.py b/testsuite/citest.py
index 17a9024..1aa2928 100755
--- a/testsuite/citest.py
+++ b/testsuite/citest.py
@@ -214,6 +214,7 @@ class NoCrossTest(CIBaseTest):
             'mc:bananapi-bullseye:isar-image-base',
             'mc:nanopi-neo-bullseye:isar-image-base',
             'mc:stm32mp15x-bullseye:isar-image-base',
+            'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',
             'mc:qemuamd64-focal:isar-image-ci'
                   ]
 
-- 
2.39.2

Re: [PATCH v3 6/7] initramfs: Add recipe for tee-supplicant hook

[Jan Kiszka]

On 05.07.23 07:33, baocheng.su@siemens.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
> 
> This adds the tee-supplicant hook so that the tee supplicant daemon is
> started at the initrd stage.
> 
> The tee-supplicant daemon is used to provide service to trust
> applications running in optee, for example to provide RPMB access
> service for StMM or fTPM TAs.
> 
> By running tee-supplicant at initrd stage, disk encryption based on fTPM
> is possible.
> 
> stm32mp15x is used to demo the building of this hook, so add a new ci
> target for the initramfs image of stm32mp15x.
> 
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
>  .../images/stm32mp15x-initramfs.bb            | 14 ++++++++
>  .../files/tee-supplicant.hook                 | 33 +++++++++++++++++++
>  .../files/tee-supplicant.script               | 33 +++++++++++++++++++
>  .../initramfs-tee-supplicant-hook_0.1.bb      | 27 +++++++++++++++
>  testsuite/citest.py                           |  1 +
>  5 files changed, 108 insertions(+)
>  create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> 
> diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
> new file mode 100644
> index 0000000..211c201
> --- /dev/null
> +++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
> @@ -0,0 +1,14 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit initramfs
> +
> +INITRAMFS_INSTALL += " \
> +    initramfs-tee-supplicant-hook \
> +    "
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
> new file mode 100644
> index 0000000..0af277b
> --- /dev/null
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
> @@ -0,0 +1,33 @@
> +#!/bin/sh
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +PREREQ=""
> +prereqs()
> +{
> +    echo "$PREREQ"
> +}
> +case $1 in
> +prereqs)
> +    prereqs
> +    exit 0
> +    ;;
> +esac
> +
> +. /usr/share/initramfs-tools/hook-functions
> +
> +hook_error() {
> +    echo "(ERROR): $2" >&2
> +    exit 1
> +}
> +
> +# For stock debian bookworm arm64 kernel, these two .ko exist, but not built-in.
> +manual_add_modules tee
> +manual_add_modules optee
> +
> +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"
> +copy_exec /usr/bin/pgrep || hook_error "/usr/bin/pgrep not found"
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
> new file mode 100644
> index 0000000..bb6dcc1
> --- /dev/null
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
> @@ -0,0 +1,33 @@
> +#!/bin/sh
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +PREREQ=""
> +prereqs()
> +{
> +	echo "$PREREQ"
> +}
> +case $1 in
> +prereqs)
> +	prereqs
> +	exit 0
> +	;;
> +esac
> +
> +. /scripts/functions
> +
> +/usr/sbin/tee-supplicant -d
> +
> +# The tee-supplicant would take some time to be discovered, 10 seconds should be
> +# enough
> +wait_sec=10
> +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
> +	wait_sec=$((wait_sec-1))
> +	sleep 1
> +done
> +
> +/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> new file mode 100644
> index 0000000..3768b8e
> --- /dev/null
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> @@ -0,0 +1,27 @@
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +#  Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg-raw
> +
> +SRC_URI += " \
> +    file://tee-supplicant.hook \
> +    file://tee-supplicant.script \
> +    "
> +
> +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
> +
> +do_install[cleandirs] += " \
> +    ${D}/usr/share/initramfs-tools/hooks \
> +    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +
> +do_install() {
> +    install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> +        "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> +    install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> +        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
> +}
> diff --git a/testsuite/citest.py b/testsuite/citest.py
> index 17a9024..1aa2928 100755
> --- a/testsuite/citest.py
> +++ b/testsuite/citest.py
> @@ -214,6 +214,7 @@ class NoCrossTest(CIBaseTest):
>              'mc:bananapi-bullseye:isar-image-base',
>              'mc:nanopi-neo-bullseye:isar-image-base',
>              'mc:stm32mp15x-bullseye:isar-image-base',
> +            'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',

Argh, this is why I get nothing of the initramfs in the final image. But
this is not helpful. We need the initramfs for the integrated image.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

[PATCH v3 7/7] initramfs: Add recipe for tee-ftpm hook

[baocheng.su]

From: Baocheng Su <baocheng.su@siemens.com>

This adds the tee-ftpm hook, that mainly load the kernel module tpm-ftpm-tee
during the initrd stage.

This makes the fTPM device avaible during the initrd stage so that the
encrypted partitions could be unlocked via keys stored in fTPM.

stm32mp15x platform is used to demo the building of this hook.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../images/stm32mp15x-initramfs.bb            |  1 +
 .../files/tee-ftpm.hook                       | 25 +++++++++++++++++
 .../files/tee-ftpm.script                     | 26 ++++++++++++++++++
 .../initramfs-tee-ftpm-hook_0.1.bb            | 27 +++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb

diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
index 211c201..8ec6d7c 100644
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
@@ -11,4 +11,5 @@ inherit initramfs
 
 INITRAMFS_INSTALL += " \
     initramfs-tee-supplicant-hook \
+    initramfs-tee-ftpm-hook \
     "
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
new file mode 100644
index 0000000..b7f7859
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ="tee-supplicant"
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# The tpm_ftpm_tee.ko does not exist in any stock debian kernels, it could be
+# provided by customized kernel.
+manual_add_modules tpm_ftpm_tee
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
new file mode 100644
index 0000000..ce321a0
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ="tee-supplicant"
+prereqs()
+{
+	echo "$PREREQ"
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+FTPM_DEV=/dev/tpmrm0
+if ! test -c "${FTPM_DEV}"; then
+    panic "Can't discover the fTPM device ${FTPM_DEV}!"
+fi
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
new file mode 100644
index 0000000..db38e61
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -0,0 +1,27 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://tee-ftpm.hook \
+    file://tee-ftpm.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+    install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
+    install -m 0755 "${WORKDIR}/tee-ftpm.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+}
-- 
2.39.2

Re: [PATCH v3 0/7] Add optee family and friends

[Uladzimir Bely]

On Wed, 2023-07-05 at 13:33 +0800, baocheng.su via isar-users wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
> 
> This brings below optee family members:
>   optee-ta-devkit, optee-client, optee-examples
> and a fTPM running in optee-os, plus some initramfs hooks for tee-
> supplicant and
> the optee-ftpm.
> 
> The optee-ta-devkit is used to provide a sdk for building trusted
> application of
> optee.
> 
> The optee-client provides the libteec1, the optee-client-dev, and the
> tee-supplicant daemon.
> 
> The optee-examples provides both the optee TAs and host applications
> for
> demostrating how to use optee-ta-devkit and optee-client-dev.
> 
> The initramfs hooks for tee-supplicant and optee-ftpm is used to
> support
> initramfs stage applications that needs the optee-ftpm or other TAs,
> such as the
> disk encryption based on TPM. An example is the LUKS2 implementation
> in
> isar-cip-core.
> 
> Also bump the stm32mp15x optee-os version to 3.21.0 to ease the
> integration.
> 
> Since these bits are the common foundation for applications based on
> ARM 
> trustzone, isar should be the best place to hold them.
> 
> The idea is partly inspired by the ARM trusted substrate.
> 
> This integration use stm32mp15x as the demo platform. However, I
> might need some
> help to verify on the real hardware, since I don't have one :)
> 
> Changes since v2:
> - update copyright header to 2023
> - define RPMB_EMU to replace the RPMB_EMU_BUILD_OPT
> - depends systemd for tee-supplicant
> - add new line EOF for some source files.
> 
> Baocheng Su (7):
>   stm32mp15x: Bump optee-os to 3.21.0
>   Add recipe for optee TA devkit
>   Add recipe for optee-client
>   Add recipe for optee examples
>   Add recipe for optee ftpm
>   initramfs: Add recipe for tee-supplicant hook
>   initramfs: Add recipe for tee-ftpm hook
> 
>  meta-isar/conf/machine/stm32mp15x.conf        |   9 +-
>  .../optee-client-stm32mp15x_3.21.0.bb         |  18 +++
>  .../optee-examples/files/debian/compat        |   1 +
>  .../optee-examples/files/debian/control.tmpl  | 112
> ++++++++++++++++++
>  .../optee-examples/files/debian/rules.tmpl    |  21 ++++
>  .../optee-examples-stm32mp15x_3.21.0.bb       | 100 ++++++++++++++++
>  .../files/0001-add-enum-to-ta-flags.patch     |  27 +++++
>  .../optee-ftpm-stm32mp15x_0~230316+git.bb     |  35 ++++++
>  .../optee-os/optee-os-stm32mp15x_3.11.0.bb    |  29 -----
>  .../optee-os/optee-os-stm32mp15x_3.21.0.bb    |  38 ++++++
>  .../optee-os/optee-os-stm32mp15x_3.21.0.inc   |  18 +++
>  .../optee-os-tadevkit-stm32mp15x_3.21.0.bb    |   7 ++
>  .../images/stm32mp15x-initramfs.bb            |  15 +++
>  .../lib/wic/canned-wks/stm32mp15x.wks.in      |   2 +-
>  .../optee-client/files/debian/compat          |   1 +
>  .../optee-client/files/debian/control.tmpl    |  51 ++++++++
>  .../optee-client/files/debian/rules.tmpl      |  27 +++++
>  .../files/debian/tee-supplicant.service       |  21 ++++
>  .../optee-client/optee-client-custom.inc      |  41 +++++++
>  .../optee-ftpm/files/debian/compat            |   1 +
>  .../optee-ftpm/files/debian/control.tmpl      |  11 ++
>  .../optee-ftpm/files/debian/rules.tmpl        |  25 ++++
>  meta/recipes-bsp/optee-ftpm/optee-ftpm.inc    |  47 ++++++++
>  .../optee-os/files/debian/control.tmpl        |   4 +-
>  meta/recipes-bsp/optee-os/optee-os-custom.inc |  29 +----
>  .../optee-os/optee-os-tadevkit-custom.inc     |  26 ++++
>  .../{optee-os-custom.inc => optee-os.inc}     |  14 +--
>  .../files/tee-ftpm.hook                       |  25 ++++
>  .../files/tee-ftpm.script                     |  26 ++++
>  .../initramfs-tee-ftpm-hook_0.1.bb            |  27 +++++
>  .../files/tee-supplicant.hook                 |  33 ++++++
>  .../files/tee-supplicant.script               |  33 ++++++
>  .../initramfs-tee-supplicant-hook_0.1.bb      |  27 +++++
>  testsuite/citest.py                           |   1 +
>  34 files changed, 834 insertions(+), 68 deletions(-)
>  create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-
> stm32mp15x_3.21.0.bb
>  create mode 100644 meta-isar/recipes-bsp/optee-
> examples/files/debian/compat
>  create mode 100644 meta-isar/recipes-bsp/optee-
> examples/files/debian/control.tmpl
>  create mode 100644 meta-isar/recipes-bsp/optee-
> examples/files/debian/rules.tmpl
>  create mode 100644 meta-isar/recipes-bsp/optee-examples/optee-
> examples-stm32mp15x_3.21.0.bb
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-
> enum-to-ta-flags.patch
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
>  delete mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-
> stm32mp15x_3.11.0.bb
>  create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-
> stm32mp15x_3.21.0.bb
>  create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-
> stm32mp15x_3.21.0.inc
>  create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-
> stm32mp15x_3.21.0.bb
>  create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-
> initramfs.bb
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
>  create mode 100644 meta/recipes-bsp/optee-
> client/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/optee-
> client/files/debian/rules.tmpl
>  create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-
> supplicant.service
>  create mode 100644 meta/recipes-bsp/optee-client/optee-client-
> custom.inc
>  create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
>  create mode 100644 meta/recipes-bsp/optee-
> ftpm/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/optee-
> ftpm/files/debian/rules.tmpl
>  create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
>  create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-
> custom.inc
>  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc}
> (62%)
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-
> hook/files/tee-ftpm.hook
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-
> hook/files/tee-ftpm.script
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-
> hook/initramfs-tee-ftpm-hook_0.1.bb
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-
> hook/files/tee-supplicant.hook
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-
> hook/files/tee-supplicant.script
>  create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-
> hook/initramfs-tee-supplicant-hook_0.1.bb
> 
> -- 
> 2.39.2
> 

Applied to next, thanks.