From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7252203608347770880
X-Received: by 2002:a2e:910c:0:b0:2b6:a22f:9fb9 with SMTP id m12-20020a2e910c000000b002b6a22f9fb9mr10715113ljg.27.1688535252446;
        Tue, 04 Jul 2023 22:34:12 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a2e:9148:0:b0:2b6:bdad:fb4b with SMTP id q8-20020a2e9148000000b002b6bdadfb4bls110144ljg.1.-pod-prod-00-eu;
 Tue, 04 Jul 2023 22:34:11 -0700 (PDT)
X-Google-Smtp-Source: APBJJlEsgZ5kT6e4PLpMJu4y5S16Y7YmGeevZRbawwaPgPUqohwXbjs1Afc4HW48NQ0523psacJW
X-Received: by 2002:a2e:a363:0:b0:2b6:e73c:67ea with SMTP id i3-20020a2ea363000000b002b6e73c67eamr445497ljn.17.1688535250976;
        Tue, 04 Jul 2023 22:34:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688535250; cv=none;
        d=google.com; s=arc-20160816;
        b=FBZMuXKKaiH9Cp6abwBuKT2RNCwTEN21MntmtSTCmYyPMJdF4p3E+4Kj33g/v5To1m
         6Y8skDkm6eIpSXHGybZOTkmhfRL5XZllV1hDba9UAhV1HggHpmqyRSiIPQoQ9MBkkXxm
         yPx7vKyZ4F8CV31lgN/FD21j5DfDYNzmlKYpLeMs5msXKbuMeEzLHUXTr3juBI8K3E0L
         VGUrlENwRYW4H4+/YQF6qG000YKJ1Kwxcchtq8Vcszb2nLDE37UuPGUcOeh4jJdU+kne
         gykQ+1xNitaOfT77jOitZiggoMEO4y++m88c9s4TB72iAStuOaibc3s+rN4JBvcAwJjP
         G3xA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=feedback-id:content-transfer-encoding:mime-version:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature;
        bh=M4at+B+c5aQhHB/1lh5Uge8c18os3pSHxRWpzBrmCog=;
        fh=zeq4V+FUVVI2f9Ivx965+McAJkxSDosb/5yCI9B0DjU=;
        b=VcqpTiNK9k294+LsBT+4SAGEOrNeIJWkCIv2aCgxtbc6pRGrYI8n2bVT+DKtfprVun
         V4cOIBwwP40naXVfW6BN+arPqWdOKvO20gB7QDTmXmmqnY1lkuwa8jjvvSF4ieazuYdi
         +DGv21fAuEcKMlU1QH5vofcZXtcqLxOoQph/4iIWa5hR1zbL/zvTY9OGdgO3ShS6kRWv
         ijbz2dnfLHpyVbKTUfuBNuaqr3jFfsYG+HXKGtEdH6JPpJN6IzrhSVjrudPHDR1R4a/Z
         0CSHFTVMkz7K6SWcJg5LelScEMc1YImjewvb+BYEMIpuZ8MrZEKCsJKUOCSlpXQ9eB19
         nf/g==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=fm1 header.b="mfZEw/yI";
       spf=pass (google.com: domain of fm-909155-202307050534106c38233b208903ad22-8skscq@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) smtp.mailfrom=fm-909155-202307050534106c38233b208903ad22-8SKscQ@rts-flowmailer.siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
Return-Path: <fm-909155-202307050534106c38233b208903ad22-8SKscQ@rts-flowmailer.siemens.com>
Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net. [185.136.65.227])
        by gmr-mx.google.com with ESMTPS id h5-20020a2e3a05000000b002a8b2891ba7si815584lja.1.2023.07.04.22.34.10
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 04 Jul 2023 22:34:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of fm-909155-202307050534106c38233b208903ad22-8skscq@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) client-ip=185.136.65.227;
Authentication-Results: gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=fm1 header.b="mfZEw/yI";
       spf=pass (google.com: domain of fm-909155-202307050534106c38233b208903ad22-8skscq@rts-flowmailer.siemens.com designates 185.136.65.227 as permitted sender) smtp.mailfrom=fm-909155-202307050534106c38233b208903ad22-8SKscQ@rts-flowmailer.siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 202307050534106c38233b208903ad22
        for <isar-users@googlegroups.com>;
        Wed, 05 Jul 2023 07:34:10 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;
 d=siemens.com; i=baocheng.su@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=M4at+B+c5aQhHB/1lh5Uge8c18os3pSHxRWpzBrmCog=;
 b=mfZEw/yIUG9yYCgsw626/BVdPc20+aKu/OFRnKs5n4pNcRezuHGx26izMblrAUIymkhpOn
 Tj4RDgc87W+PLHmPKDagcTC60X1iL6kcLRoYOWdRQIEpL7SVKsxz72poj2gzch8e9WC6r2eD
 tDzegXlBibt0ohDtN8yn2gv2Iu/cI=;
From: baocheng.su@siemens.com
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com,
	felix.moessbauer@siemens.com,
	christian.storm@siemens.com,
	quirin.gylstorff@siemens.com,
	baocheng_su@163.com,
	henning.schild@siemens.com,
	baocheng.su@siemens.com
Subject: [PATCH v3 5/7] Add recipe for optee ftpm
Date: Wed,  5 Jul 2023 13:33:38 +0800
Message-Id: <20230705053340.1158024-6-baocheng.su@siemens.com>
In-Reply-To: <20230705053340.1158024-1-baocheng.su@siemens.com>
References: <20230705053340.1158024-1-baocheng.su@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-909155:519-21489:flowmailer
X-TUID: A0x8PgzOkQKe

From: Baocheng Su <baocheng.su@siemens.com>

This integrate Microsoft's reference implementation of the TCG TPM2.0 as an
OPTee trusted application, see [1] and [2] for details, esp.
meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm

Since the OPTee secure storage on IOT2050 is RPMB-based, and the RPMB accessing
is provided by linux tee-supplicant, this TA is only discoverable when
tee-supplicant is running.

To help to gracefully manage the tee-supplicant, the kernel drive
tpm_ftpm_tee should be compile as .ko and be loaded/unloaded dynamically.

[1]: https://github.com/microsoft/ms-tpm-20-ref/
[2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../files/0001-add-enum-to-ta-flags.patch     | 27 +++++++++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     | 35 ++++++++++++++
 .../optee-os/optee-os-stm32mp15x_3.21.0.bb    | 10 +++-
 .../optee-ftpm/files/debian/compat            |  1 +
 .../optee-ftpm/files/debian/control.tmpl      | 11 +++++
 .../optee-ftpm/files/debian/rules.tmpl        | 25 ++++++++++
 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc    | 47 +++++++++++++++++++
 7 files changed, 155 insertions(+), 1 deletion(-)
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
 create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
 create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc

diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
new file mode 100644
index 0000000..57917ba
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH] add enum to ta flags
+
+If we compile this TA into OPTEE-OS we need to define a flag
+that this TA can be discovered on the optee bus.
+Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+index 92c33c1..e83619d 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+ 
+ #define TA_UUID                     TA_FTPM_UUID
+ 
+-#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
++#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE               (64 * 1024)
+ #define TA_DATA_SIZE                (32 * 1024)
+ 
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
new file mode 100644
index 0000000..de26ec3
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -0,0 +1,35 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
+
+# CHANGELOG_V = "0.1+git+isar"
+
+SRC_URI += " \
+    https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
+    https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
+    file://0001-add-enum-to-ta-flags.patch \
+    "
+
+SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
+# according to ms-tpm-20-ref submodules
+SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+
+SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
+SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+
+S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
+
+OPTEE_NAME = "${MACHINE}"
+TA_CPU = "cortex-a7"
+TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
+OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
+
+do_prepare_build:append() {
+    rm -rf ${S}/external/wolfssl
+    cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl
+}
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 7468ca6..1b920cd 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \
     , optee-examples-stm32mp15x-random-ta \
     , optee-examples-stm32mp15x-secure-storage-ta \
     "
-EARLY_TA_PATHS = " \
+EARLY_TA_PATHS += " \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
@@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
     /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
     "
+
+# optee-ftpm integration
+DEPENDS += "optee-ftpm-stm32mp15x"
+DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x"
+EARLY_TA_PATHS += " \
+    /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \
+    "
+
 OPTEE_EXTRA_BUILDARGS += " \
     CFG_EARLY_TA=y \
     EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
new file mode 100644
index 0000000..abab42e
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
@@ -0,0 +1,11 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: Unknown maintainer <unknown@example.com>
+Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS}
+
+Package: ${PN}
+Architecture: any
+Depends:
+Description: TCG reference implementation of the TPM 2.0 Specification.
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
new file mode 100755
index 0000000..19d4e08
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+# Debian rules for optee-ftpm
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	cd Samples/ARM32-FirmwareTPM/optee_ta && \
+		TA_CROSS_COMPILE=${CROSS_COMPILE} \
+		TA_CPU=${TA_CPU} \
+		TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+		CFG_TEE_TA_LOG_LEVEL=2 \
+		${OPTEE_FTPM_BUILD_ARGS_EXTRA} \
+		$(MAKE) $(PARALLEL_MAKE)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
new file mode 100644
index 0000000..2f6dc30
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
@@ -0,0 +1,47 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+inherit dpkg
+
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian"
+
+OPTEE_NAME ?= "${MACHINE}"
+
+DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= " \
+    python3-cryptography:native,                                        \
+    optee-os-tadevkit-${OPTEE_NAME}                                     \
+    "
+
+TA_CPU ?= "unknown"
+TA_DEV_KIT_DIR ?= "unknown"
+OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
+
+TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
+TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
+    OPTEE_FTPM_BUILD_ARGS_EXTRA \
+    TA_CPU \
+    TA_DEV_KIT_DIR"
+
+do_prepare_build() {
+    rm -rf ${S}/debian
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+    echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+        ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+    echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+        ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+}
-- 
2.39.2