public inbox for isar-users@googlegroups.com
* [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs
@ 2023-07-31 12:17 Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 01/11] optee-client: Add missing runtime dependency Uladzimir Bely
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

This summarizes and partially updates previously sent patches to fix and
improve the recently merged OP-TEE changes. Labeling starts with v3 as
some patches were already sent out in v2.

Improvements over the individual patches:
 - update for WolfSSL in fTPM recipe
 - better unbinding of fTPM on tee-supplicant shutdown

Patch 11 might still have no effect and needs confirmation via larger CI
builds.

Jan

Changes since v3:
- Rework patch 4 in order to prevent conflicting parallel build of
linux-mainline for stm32mp15x and non-stm32mp15x machines for the
same distro and architecture.
- Replaced patch 11 with a new one that guarantees the `tpm` and `wolf`
symlinks are created before the source files are compiled. By default the
TA devkit runs them in parallel, which sometimes results in a race
condition and a build error.

Jan Kiszka (11):
  optee-client: Add missing runtime dependency
  optee-client: Unbind ftpm, rather than remove its driver
  optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x
    machines
  linux-mainline: Add fTPM support
  initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook
  initramfs-tee-supplicant-hook: Account for modular optee
  initramfs-tee-ftpm-hook: Lift timeout to 30 s
  Drop stm32mp15x-initramfs in favor of image enabling
  optee-ftpm-stm32mp15x: Recipe cleanups
  optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3
  optee-ftpm-stm32mp15x: Add patch to fix parallel build issues

 meta-isar/conf/machine/stm32mp15x.conf        |  2 +
 .../optee-examples-stm32mp15x_3.21.0.bb       |  2 +-
 .../0001-Fix-parallel-build-of-optee_ta.patch | 59 +++++++++++++++++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     | 11 ++--
 .../images/stm32mp15x-initramfs.bb            | 15 -----
 .../linux/files/ftpm-module.cfg               |  3 +
 .../linux/linux-mainline_5.4.203.bb           |  1 +
 .../optee-client/files/debian/control.tmpl    |  2 +-
 .../files/debian/tee-supplicant.service       |  2 +-
 .../files/tee-ftpm.script                     |  9 +++
 .../files/tee-supplicant.script               |  9 +--
 testsuite/citest.py                           |  1 -
 12 files changed, 82 insertions(+), 34 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
 delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
 create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg

-- 
2.20.1



* [PATCH v4 01/11] optee-client: Add missing runtime dependency
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 02/11] optee-client: Unbind ftpm, rather than remove its driver Uladzimir Bely
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

The alternative service file uses pgrep and pkill.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta/recipes-bsp/optee-client/files/debian/control.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
index de780b73..7cd121ee 100644
--- a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
@@ -39,7 +39,7 @@ Description: normal world user space client APIs for OP-TEE
 
 Package: tee-supplicant
 Architecture: ${DISTRO_ARCH}
-Depends: systemd ${misc:Depends}, ${shlibs:Depends}
+Depends: systemd ${misc:Depends}, procps, ${shlibs:Depends}
 Description: normal world user space client APIs for OP-TEE
  OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
  non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
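Review bot: The `Depends:` line in this hunk has no comma between `systemd` and `${misc:Depends}`, both before and after the change. If `${misc:Depends}` ever expands to a non-empty value, the field becomes `systemd <pkg>, procps, ...`, which is not a valid dependency list. Since the line is being touched anyway, suggest `Depends: systemd, ${misc:Depends}, procps, ${shlibs:Depends}`. The commit message could also name the file it means by "the alternative service file".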
-- 
2.20.1



* [PATCH v4 02/11] optee-client: Unbind ftpm, rather than remove its driver
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 01/11] optee-client: Add missing runtime dependency Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 03/11] optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x machines Uladzimir Bely
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

This also allows supporting scenarios where the driver is built into the
kernel. And it also resolves an escaping issue in the old version.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-client/files/debian/tee-supplicant.service            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
index 4508a142..cc92a5fd 100644
--- a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
+++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
@@ -14,7 +14,7 @@ RemainAfterExit=yes
 # Start if not already started by the initramfs hook
 ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d'
 ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true'
-ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
+ExecStop=/bin/sh -c 'echo -n optee-ta-bc50d971-d4c9-42c4-82cb-343fb7f37896 > /sys/bus/tee/drivers/optee-ftpm/unbind || true'
 ExecStop=/usr/bin/pkill tee-supplicant
 
 [Install]
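Review bot: The new `ExecStop=` line hard-codes the device name `optee-ta-bc50d971-d4c9-42c4-82cb-343fb7f37896` with no comment saying what it identifies; a one-line comment above it (that this is the fTPM TA device bound to the `optee-ftpm` driver) would make the unit auditable. Two smaller points on the same line: `echo -n` under `/bin/sh` is not specified by POSIX, so `printf %s` is the safer spelling, and `|| true` discards a failed unbind, after which `pkill tee-supplicant` still runs; if that ordering matters, the commit message should say why ignoring the failure is acceptable.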
-- 
2.20.1



* [PATCH v4 03/11] optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x machines
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 01/11] optee-client: Add missing runtime dependency Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 02/11] optee-client: Unbind ftpm, rather than remove its driver Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 04/11] linux-mainline: Add fTPM support Uladzimir Bely
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

Hard-code the machine name so that parsing will not fail if a machine
does not provide optee-os-tadevkit-${MACHINE} or
optee-client-${MACHINE}.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-examples/optee-examples-stm32mp15x_3.21.0.bb          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
index 2a64a86b..e10654e8 100644
--- a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "9b965f829adc532b5228534d3b9b38ae1fc4f2ac55d73159a39d43e597
 
 S = "${WORKDIR}/optee_examples-${PV}"
 
-OPTEE_NAME = "${MACHINE}"
+OPTEE_NAME = "stm32mp15x"
 OPTEE_PLATFORM = "stm32mp1"
 TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
 
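Review bot: `OPTEE_NAME = "stm32mp15x"` now duplicates the machine name already in the recipe file name, and nothing in the recipe says why `${MACHINE}` was dropped. A short comment above the assignment, repeating the reason from the commit message (parsing fails for machines that do not provide optee-os-tadevkit-${MACHINE} or optee-client-${MACHINE}), would keep someone from reverting it as a cleanup.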
-- 
2.20.1



* [PATCH v4 04/11] linux-mainline: Add fTPM support
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (2 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 03/11] optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x machines Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 05/11] initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook Uladzimir Bely
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

Needed for the stm32mp15x demo of fTPM.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
---
 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg     | 3 +++
 meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg

diff --git a/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
new file mode 100644
index 00000000..f47620bc
--- /dev/null
+++ b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
@@ -0,0 +1,3 @@
+CONFIG_TEE=m
+CONFIG_OPTEE=m
+CONFIG_TCG_FTPM_TEE=m
diff --git a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
index 76f73f02..7f1bac12 100644
--- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
+++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
@@ -12,6 +12,7 @@ ARCHIVE_VERSION = "${@ d.getVar('PV')[:-2] if d.getVar('PV').endswith('.0') else
 SRC_URI += " \
     https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${ARCHIVE_VERSION}.tar.xz \
     file://x86_64_defconfig \
+    file://ftpm-module.cfg \
     file://no-ubifs-fs.cfg \
     file://no-root-nfs.cfg;apply=no"
 
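Review bot: `file://ftpm-module.cfg` is added to the common `SRC_URI` of linux-mainline, so the fragment is part of the recipe for every machine that builds it, while the commit message only says it is needed for the stm32mp15x demo. Please state in the commit message that the fragment is listed for all machines on purpose (the cover letter gives the reason: avoiding conflicting parallel builds of linux-mainline), so the wider kernel configuration is not mistaken for an oversight.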
-- 
2.20.1



* [PATCH v4 05/11] initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (3 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 04/11] linux-mainline: Add fTPM support Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 06/11] initramfs-tee-supplicant-hook: Account for modular optee Uladzimir Bely
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

There is no FTPM_DEV defined in tee-supplicant.script, and it also makes
no sense to wait for an unrelated fTPM device in the tee-supplicant
starter hook. That is better done in tee-ftpm.script.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-tee-ftpm-hook/files/tee-ftpm.script        | 9 +++++++++
 .../files/tee-supplicant.script                          | 8 --------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index ce321a09..6e12e6df 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -21,6 +21,15 @@ esac
 . /scripts/functions
 
 FTPM_DEV=/dev/tpmrm0
+
+# The tee-supplicant would take some time to be discovered, 10 seconds should be
+# enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+	wait_sec=$((wait_sec-1))
+	sleep 1
+done
+
 if ! test -c "${FTPM_DEV}"; then
     panic "Can't discover the fTPM device ${FTPM_DEV}!"
 fi
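Review bot: The comment moved into tee-ftpm.script still says "The tee-supplicant would take some time to be discovered", but the loop below it waits for the character device `${FTPM_DEV}`. Reword it to describe what is waited for here, e.g. that the fTPM device can take a while to appear after tee-supplicant has started. The loop body is also indented with a tab while the `panic` line right after it uses four spaces.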
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index bb6dcc16..76efc1ad 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -22,12 +22,4 @@ esac
 
 /usr/sbin/tee-supplicant -d
 
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
-until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
-	wait_sec=$((wait_sec-1))
-	sleep 1
-done
-
 /usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
-- 
2.20.1



* [PATCH v4 06/11] initramfs-tee-supplicant-hook: Account for modular optee
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (4 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 05/11] initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 07/11] initramfs-tee-ftpm-hook: Lift timeout to 30 s Uladzimir Bely
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

Starting tee-supplicant will fail otherwise.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-tee-supplicant-hook/files/tee-supplicant.script    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index 76efc1ad..fcb84817 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -20,6 +20,7 @@ esac
 
 . /scripts/functions
 
+/usr/sbin/modprobe optee
 /usr/sbin/tee-supplicant -d
 
 /usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
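Review bot: The exit status of the added `/usr/sbin/modprobe optee` is ignored. If the module cannot be loaded, the script continues and the failure only surfaces through the later message "Can't start the tee-supplicant daemon!", which does not point at the module. Suggest checking the result, for example `/usr/sbin/modprobe optee || panic "Can't load the optee module!"`, provided that also holds when optee is built in, or add a comment saying why the result is deliberately ignored.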
-- 
2.20.1



* [PATCH v4 07/11] initramfs-tee-ftpm-hook: Lift timeout to 30 s
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (5 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 06/11] initramfs-tee-supplicant-hook: Account for modular optee Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 08/11] Drop stm32mp15x-initramfs in favor of image enabling Uladzimir Bely
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

Around 20 s are needed on the stm32mp15x, so let's give things more time
to settle and permit 30 s.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-tee-ftpm-hook/files/tee-ftpm.script           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index 6e12e6df..053fb046 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -22,9 +22,9 @@ esac
 
 FTPM_DEV=/dev/tpmrm0
 
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
+# The tee-supplicant would take some time to be discovered, 30 seconds should
+# be enough
+wait_sec=30
 until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
 	wait_sec=$((wait_sec-1))
 	sleep 1
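Review bot: The new comment says 30 seconds "should be enough" without saying where the figure comes from. The commit message has the measurement (around 20 s on the stm32mp15x); putting that into the comment next to `wait_sec=30` tells the next reader how much margin there is. Note that a missing fTPM now delays the `panic` that follows the loop by 30 s instead of 10 s.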
-- 
2.20.1



* [PATCH v4 08/11] Drop stm32mp15x-initramfs in favor of image enabling
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (6 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 07/11] initramfs-tee-ftpm-hook: Lift timeout to 30 s Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 09/11] optee-ftpm-stm32mp15x: Recipe cleanups Uladzimir Bely
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

To really test the hooks on the stm32mp15x, we need them as part of the
initramfs generated for the image, not just stand-alone.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf            |  2 ++
 .../images/stm32mp15x-initramfs.bb                | 15 ---------------
 testsuite/citest.py                               |  1 -
 3 files changed, 2 insertions(+), 16 deletions(-)
 delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 4e8142ee..367b1934 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -23,4 +23,6 @@ IMAGE_INSTALL += "u-boot-script \
     optee-examples-stm32mp15x-hotp-host \
     optee-examples-stm32mp15x-random-host \
     optee-examples-stm32mp15x-secure-storage-host \
+    initramfs-tee-supplicant-hook \
+    initramfs-tee-ftpm-hook \
     "
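Review bot: Adding `initramfs-tee-ftpm-hook` to `IMAGE_INSTALL` means tee-ftpm.script becomes part of the image's initramfs, and that script panics when `/dev/tpmrm0` does not appear within the timeout. The commit message should mention that booting the stm32mp15x image now depends on the fTPM coming up, and a comment next to the two new entries would explain why initramfs hooks are listed among the image packages.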
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
deleted file mode 100644
index 8ec6d7ce..00000000
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2023
-#
-# Authors:
-#  Su Bao Cheng <baocheng.su@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit initramfs
-
-INITRAMFS_INSTALL += " \
-    initramfs-tee-supplicant-hook \
-    initramfs-tee-ftpm-hook \
-    "
diff --git a/testsuite/citest.py b/testsuite/citest.py
index b81d86f9..f5cf1257 100755
--- a/testsuite/citest.py
+++ b/testsuite/citest.py
@@ -215,7 +215,6 @@ class NoCrossTest(CIBaseTest):
             'mc:bananapi-bullseye:isar-image-base',
             'mc:nanopi-neo-bullseye:isar-image-base',
             'mc:stm32mp15x-bullseye:isar-image-base',
-            'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',
             'mc:qemuamd64-focal:isar-image-ci'
                   ]
 
-- 
2.20.1



* [PATCH v4 09/11] optee-ftpm-stm32mp15x: Recipe cleanups
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (7 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 08/11] Drop stm32mp15x-initramfs in favor of image enabling Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 10/11] optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3 Uladzimir Bely
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

Remove commented out CHANGELOG_V assignment, remove redundant setting of
OPTEE_NAME to its default, remove setting of non-existing
CFG_FTPM_USE_WOLF config var.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb         | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index de26ec38..d8c1528d 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -5,9 +5,8 @@
 #
 # SPDX-License-Identifier: MIT
 #
-require recipes-bsp/optee-ftpm/optee-ftpm.inc
 
-# CHANGELOG_V = "0.1+git+isar"
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
 
 SRC_URI += " \
     https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
@@ -24,10 +23,8 @@ SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd9582
 
 S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
 
-OPTEE_NAME = "${MACHINE}"
 TA_CPU = "cortex-a7"
 TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
-OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
 
 do_prepare_build:append() {
     rm -rf ${S}/external/wolfssl
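Review bot: Dropping `OPTEE_NAME = "${MACHINE}"` as redundant leaves `TA_DEV_KIT_DIR` in this hunk depending on the default `${MACHINE}` value, which is what patch 03 replaced with a hard-coded "stm32mp15x" in optee-examples-stm32mp15x to avoid parsing errors on other machines. If the same problem can occur for this recipe, set `OPTEE_NAME = "stm32mp15x"` here too; if not, say in the commit message why the two recipes differ.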
-- 
2.20.1



* [PATCH v4 10/11] optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (8 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 09/11] optee-ftpm-stm32mp15x: Recipe cleanups Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-07-31 12:17 ` [PATCH v4 11/11] optee-ftpm-stm32mp15x: Add patch to fix parallel build issues Uladzimir Bely
  2023-08-02  4:11 ` [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

The upstream choice is seriously outdated, also security-wise. Choose
the latest stable release instead.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb         | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index d8c1528d..441bc4ac 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -15,11 +15,10 @@ SRC_URI += " \
     "
 
 SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
-# according to ms-tpm-20-ref submodules
-SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+SRCREV-wolfssl = "3b3c175af0e993ffaae251871421e206cc41963f"
 
 SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
-SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+SRC_URI[wolfssl.sha256sum] = "1157994b12295b74754dd9054124c857c59093b762e6f744d0a3a3565cb6314d"
 
 S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
 
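Review bot: The new `SRCREV-wolfssl` is a bare commit hash, and the removed comment is not replaced, so nothing in the recipe ties the pin to the 5.6.3 release named in the subject. Add a comment above it naming the release tag the hash corresponds to, and noting that the pin now deliberately differs from the ms-tpm-20-ref submodule, so the hash and the new `SRC_URI[wolfssl.sha256sum]` can be checked against upstream during review.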
-- 
2.20.1



* [PATCH v4 11/11] optee-ftpm-stm32mp15x: Add patch to fix parallel build issues
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (9 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 10/11] optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3 Uladzimir Bely
@ 2023-07-31 12:17 ` Uladzimir Bely
  2023-08-02  4:11 ` [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-07-31 12:17 UTC (permalink / raw)
  To: isar-users

From: Jan Kiszka <jan.kiszka@siemens.com>

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
---
 .../0001-Fix-parallel-build-of-optee_ta.patch | 59 +++++++++++++++++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch

diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
new file mode 100644
index 00000000..383ef9f7
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
@@ -0,0 +1,59 @@
+From ee13738d203aca490c0fb3d1f79cee1d8f9e0c88 Mon Sep 17 00:00:00 2001
+From: Uladzimir Bely <ubely@ilbers.de>
+Date: Mon, 31 Jul 2023 14:42:52 +0300
+Subject: [PATCH] Fix parallel build of optee_ta
+
+TA devkit build system runs creating tpm and wolf symlinks in parallel
+with building ftpm. This sometimes causes build fail:
+
+make[2]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta'
+/usr/bin/make -C fTPM CROSS_COMPILE=
+make[3]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta/fTPM'
+Checking symlink to the TPM folder: /<<PKGBUILDDIR>>
+Checking symlink to the WolfSSL folder: /<<PKGBUILDDIR>>/external/wolfssl
+Establishing symlink.
+  CC      ../out/fTPM/platform/Cancel.o
+Establishing symlink.
+  CC      ../out/fTPM/platform/AdminPPI.o
+  CC      ../out/fTPM/platform/Entropy.o
+make[3]: *** No rule to make target 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c', needed by '../out/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o'.  Stop.
+make[3]: *** Waiting for unfinished jobs....
+
+It's easy to reproduce by adding a small sleep to the makefile rules
+that create these symlinks just before 'ln -s' called.
+
+Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
+---
+ Samples/ARM32-FirmwareTPM/optee_ta/Makefile      | 1 +
+ Samples/ARM32-FirmwareTPM/optee_ta/fTPM/Makefile | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/Makefile b/Samples/ARM32-FirmwareTPM/optee_ta/Makefile
+index ddf6784..2053c01 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/Makefile
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/Makefile
+@@ -3,6 +3,7 @@ export V?=0
+ 
+ .PHONY: all
+ all:
++	$(MAKE) -C fTPM create_ftpm_lib_symlinks
+ 	$(MAKE) -C fTPM CROSS_COMPILE=$(TA_CROSS_COMPILE)
+ 
+ .PHONY: clean
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/Makefile b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/Makefile
+index c71eecd..2b4309c 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/Makefile
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/Makefile
+@@ -11,3 +11,9 @@ clean: clean_stripped_file
+ clean_stripped_file:
+ 	rm -f $(BINARY).stripped.elf
+ 
++.PHONY: create_ftpm_lib_symlinks
++create_ftpm_lib_symlinks:
++	@echo Establishing tpm_symlink.
++	ln -fs ../../$(TPM_ROOT) ./lib/tpm/tpm_symlink
++	@echo Establishing wolf_symlink.
++	ln -fs ../../$(WOLF_ROOT) ./lib/wolf/wolf_symlink
+-- 
+2.41.0
+
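Review bot: In the embedded patch, `create_ftpm_lib_symlinks` uses `ln -fs` with the destinations `./lib/tpm/tpm_symlink` and `./lib/wolf/wolf_symlink`. When such a destination already exists as a symlink to a directory (a rebuild in the same tree), `ln -fs` follows it and creates the new link inside the target directory instead of replacing the link; `ln -sfn` avoids that. The embedded patch also carries no note on whether it was sent to the upstream project, which would help when the pinned `SRCREV` is next updated.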
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index 441bc4ac..c92620e1 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -12,6 +12,7 @@ SRC_URI += " \
     https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
     https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
     file://0001-add-enum-to-ta-flags.patch \
+    file://0001-Fix-parallel-build-of-optee_ta.patch \
     "
 
 SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
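Review bot: The commit that adds `file://0001-Fix-parallel-build-of-optee_ta.patch` to `SRC_URI` has no message body; the explanation of the race exists only inside the patch file. One or two sentences in the commit message (symlink creation racing with compilation in the TA devkit build, as described in the cover letter) would make the history readable without opening the patch.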
-- 
2.20.1



* Re: [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs
  2023-07-31 12:17 [PATCH v4 00/11] Fixes, cleanups and updates for OP-TEE and TAs Uladzimir Bely
                   ` (10 preceding siblings ...)
  2023-07-31 12:17 ` [PATCH v4 11/11] optee-ftpm-stm32mp15x: Add patch to fix parallel build issues Uladzimir Bely
@ 2023-08-02  4:11 ` Uladzimir Bely
  11 siblings, 0 replies; 13+ messages in thread
From: Uladzimir Bely @ 2023-08-02  4:11 UTC (permalink / raw)
  To: isar-users, Jan Kiszka

On Mon, 2023-07-31 at 14:17 +0200, Uladzimir Bely wrote:
> This summarizes and partially updates previously sent patches to fix
> and
> improve the recently merged OP-TEE changes. Labeling starts with v3
> as
> some patches were already sent out in v2.
> 
> Improvements over the individual patches:
>  - update for WolfSSL in fTPM recipe
>  - better unbinding of fTPM on tee-supplicant shutdown
> 
> Patch 11 might still have no effect and needs confirmation via larger
> CI
> builds.
> 
> Jan
> 
> Changes since v3:
> - Rework patch 4 in order to prevent conflicting parallel build of
> linux-mainline for stm32mp15x and non-stm32mp15x machines for the
> same distro and architecture.
> - Replaced patch 11 with a new one that guarantees the `tpm` and `wolf`
> symlinks are created before the source files are compiled. By default
> the TA devkit runs them in parallel, which sometimes results in a race
> condition and a build error.
> 
> Jan Kiszka (11):
>   optee-client: Add missing runtime dependency
>   optee-client: Unbind ftpm, rather than remove its driver
>   optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x
>     machines
>   linux-mainline: Add fTPM support
>   initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook
>   initramfs-tee-supplicant-hook: Account for modular optee
>   initramfs-tee-ftpm-hook: Lift timeout to 30 s
>   Drop stm32mp15x-initramfs in favor of image enabling
>   optee-ftpm-stm32mp15x: Recipe cleanups
>   optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3
>   optee-ftpm-stm32mp15x: Add patch to fix parallel build issues
> 
>  meta-isar/conf/machine/stm32mp15x.conf        |  2 +
>  .../optee-examples-stm32mp15x_3.21.0.bb       |  2 +-
>  .../0001-Fix-parallel-build-of-optee_ta.patch | 59
> +++++++++++++++++++
>  .../optee-ftpm-stm32mp15x_0~230316+git.bb     | 11 ++--
>  .../images/stm32mp15x-initramfs.bb            | 15 -----
>  .../linux/files/ftpm-module.cfg               |  3 +
>  .../linux/linux-mainline_5.4.203.bb           |  1 +
>  .../optee-client/files/debian/control.tmpl    |  2 +-
>  .../files/debian/tee-supplicant.service       |  2 +-
>  .../files/tee-ftpm.script                     |  9 +++
>  .../files/tee-supplicant.script               |  9 +--
>  testsuite/citest.py                           |  1 -
>  12 files changed, 82 insertions(+), 34 deletions(-)
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch
>  delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-
> initramfs.bb
>  create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-
> module.cfg
> 
> -- 
> 2.20.1
> 

Applied to next, thanks.

