[PATCH] optee-os: Add package optee-os-tadevkit

[PATCH] optee-os: Add package optee-os-tadevkit

[Su, Bao Cheng]

The TA dev kit is used to build trusted applications, details refer to
[1]. A typical use case of this devkit is a firmware TPM reference
implementation, see [2].

1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
2. https://github.com/microsoft/ms-tpm-20-ref

Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
---
 .../optee-os/files/debian/control.tmpl        |  4 +--
 meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
 .../optee-os/optee-os-tadevkit-custom.inc     | 20 +++++++++++++
 .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
 4 files changed, 30 insertions(+), 37 deletions(-)
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
 copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)

diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
index 60b3927..fdf898e 100644
--- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -5,6 +5,6 @@ Standards-Version: 3.9.6
 Build-Depends: ${DEBIAN_BUILD_DEPENDS}
 Maintainer: ISAR project <isar-users@googlegroups.com>
 
-Package: optee-os-${OPTEE_NAME}
+Package: ${DEBIAN_PACKAGE_NAME}
 Architecture: ${DISTRO_ARCH}
-Description: ${DESCRIPTION}, firmware binaries
+Description: ${DESCRIPTION}
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
index d48827a..abe46e8 100644
--- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
+++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
@@ -1,38 +1,17 @@
 # Custom OP-TEE OS build
 #
 # This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
 #
 # SPDX-License-Identifier: MIT
 
-inherit dpkg
+require optee-os.inc
 
-FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
-
-SRC_URI += "file://debian/"
-
-DESCRIPTION ?= "Custom OP-TEE OS"
-
-OPTEE_NAME ?= "${MACHINE}"
-OPTEE_PLATFORM ?= "unknown"
-OPTEE_EXTRA_BUILDARGS ?= ""
-OPTEE_BINARIES ?= "tee-pager_v2.bin"
-
-DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+DESCRIPTION:append = ", firmware binaries"
 
 PROVIDES += "optee-os-${OPTEE_NAME}"
 
-TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
-
-# split strip platform flavor, if any, from the specified platform string
-OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
-
-do_prepare_build() {
-    cp -r ${WORKDIR}/debian ${S}/
-
-    deb_add_changelog
-
+do_prepare_build:append() {
     rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
     for binary in ${OPTEE_BINARIES}; do
         echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
new file mode 100644
index 0000000..85d6c25
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
@@ -0,0 +1,20 @@
+
+# Custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+require optee-os.inc
+
+DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
+DESCRIPTION:append = ", trust application development kit."
+
+PROVIDES += "${DEBIAN_PACKAGE_NAME}"
+
+do_prepare_build:append() {
+    rm -f ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
+    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
+        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
+}
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
similarity index 62%
copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
copy to meta/recipes-bsp/optee-os/optee-os.inc
index d48827a..198746b 100644
--- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
+++ b/meta/recipes-bsp/optee-os/optee-os.inc
@@ -1,7 +1,7 @@
 # Custom OP-TEE OS build
 #
 # This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
 #
 # SPDX-License-Identifier: MIT
 
@@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
 OPTEE_EXTRA_BUILDARGS ?= ""
 OPTEE_BINARIES ?= "tee-pager_v2.bin"
 
-DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
 
-PROVIDES += "optee-os-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
 
 TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
+TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
 
 # split strip platform flavor, if any, from the specified platform string
 OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
@@ -32,10 +32,4 @@ do_prepare_build() {
     cp -r ${WORKDIR}/debian ${S}/
 
     deb_add_changelog
-
-    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
-    for binary in ${OPTEE_BINARIES}; do
-        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
-            ${S}/debian/optee-os-${OPTEE_NAME}.install
-    done
 }

Re: [PATCH] optee-os: Add package optee-os-tadevkit

[Jan Kiszka]

On 23.05.23 05:27, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> The TA dev kit is used to build trusted applications, details refer to
> [1]. A typical use case of this devkit is a firmware TPM reference
> implementation, see [2].
> 
> 1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
> 2. https://github.com/microsoft/ms-tpm-20-ref
> 
> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
> ---
>  .../optee-os/files/debian/control.tmpl        |  4 +--
>  meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
>  .../optee-os/optee-os-tadevkit-custom.inc     | 20 +++++++++++++
>  .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
>  4 files changed, 30 insertions(+), 37 deletions(-)
>  create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
>  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)
> 
> diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> index 60b3927..fdf898e 100644
> --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> @@ -5,6 +5,6 @@ Standards-Version: 3.9.6
>  Build-Depends: ${DEBIAN_BUILD_DEPENDS}
>  Maintainer: ISAR project <isar-users@googlegroups.com>
> 
> -Package: optee-os-${OPTEE_NAME}
> +Package: ${DEBIAN_PACKAGE_NAME}
>  Architecture: ${DISTRO_ARCH}
> -Description: ${DESCRIPTION}, firmware binaries
> +Description: ${DESCRIPTION}
> diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> index d48827a..abe46e8 100644
> --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> +++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> @@ -1,38 +1,17 @@
>  # Custom OP-TEE OS build
>  #
>  # This software is a part of ISAR.
> -# Copyright (c) Siemens AG, 2020
> +# Copyright (c) Siemens AG, 2020-2023
>  #
>  # SPDX-License-Identifier: MIT
> 
> -inherit dpkg
> +require optee-os.inc
> 
> -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> -
> -SRC_URI += "file://debian/"
> -
> -DESCRIPTION ?= "Custom OP-TEE OS"
> -
> -OPTEE_NAME ?= "${MACHINE}"
> -OPTEE_PLATFORM ?= "unknown"
> -OPTEE_EXTRA_BUILDARGS ?= ""
> -OPTEE_BINARIES ?= "tee-pager_v2.bin"
> -
> -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> +DESCRIPTION:append = ", firmware binaries"
> 
>  PROVIDES += "optee-os-${OPTEE_NAME}"
> 
> -TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> -
> -# split strip platform flavor, if any, from the specified platform string
> -OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> -
> -do_prepare_build() {
> -    cp -r ${WORKDIR}/debian ${S}/
> -
> -    deb_add_changelog
> -
> +do_prepare_build:append() {
>      rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
>      for binary in ${OPTEE_BINARIES}; do
>          echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
> diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> new file mode 100644
> index 0000000..85d6c25
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> @@ -0,0 +1,20 @@
> +
> +# Custom OP-TEE OS build
> +#
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +
> +require optee-os.inc
> +
> +DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
> +DESCRIPTION:append = ", trust application development kit."
> +
> +PROVIDES += "${DEBIAN_PACKAGE_NAME}"
> +
> +do_prepare_build:append() {
> +    rm -f ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> +    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
> +        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> +}
> diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
> similarity index 62%
> copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
> copy to meta/recipes-bsp/optee-os/optee-os.inc
> index d48827a..198746b 100644
> --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> +++ b/meta/recipes-bsp/optee-os/optee-os.inc
> @@ -1,7 +1,7 @@
>  # Custom OP-TEE OS build
>  #
>  # This software is a part of ISAR.
> -# Copyright (c) Siemens AG, 2020
> +# Copyright (c) Siemens AG, 2020-2023
>  #
>  # SPDX-License-Identifier: MIT
> 
> @@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
>  OPTEE_EXTRA_BUILDARGS ?= ""
>  OPTEE_BINARIES ?= "tee-pager_v2.bin"
> 
> -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> +DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
> 
> -PROVIDES += "optee-os-${OPTEE_NAME}"
> +DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> 
>  TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> +TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> 
>  # split strip platform flavor, if any, from the specified platform string
>  OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> @@ -32,10 +32,4 @@ do_prepare_build() {
>      cp -r ${WORKDIR}/debian ${S}/
> 
>      deb_add_changelog
> -
> -    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> -    for binary in ${OPTEE_BINARIES}; do
> -        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
> -            ${S}/debian/optee-os-${OPTEE_NAME}.install
> -    done
>  }
> 

We will need some demo recipes that actually pulls the new package. Is
there some "hello world" TA that we could include and build into the
stm32mp15x demo image? Would it actually be better to also include the
fTPM recipe in Isar and use that at the same time as stress test?

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [PATCH] optee-os: Add package optee-os-tadevkit

[Su, Bao Cheng]

On Wed, 2023-05-24 at 13:34 +0200, Jan Kiszka wrote:
> On 23.05.23 05:27, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> > The TA dev kit is used to build trusted applications, details refer to
> > [1]. A typical use case of this devkit is a firmware TPM reference
> > implementation, see [2].
> > 
> > 1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
> > 2. https://github.com/microsoft/ms-tpm-20-ref
> > 
> > Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
> > ---
> >  .../optee-os/files/debian/control.tmpl        |  4 +--
> >  meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
> >  .../optee-os/optee-os-tadevkit-custom.inc     | 20 +++++++++++++
> >  .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
> >  4 files changed, 30 insertions(+), 37 deletions(-)
> >  create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> >  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)
> > 
> > diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > index 60b3927..fdf898e 100644
> > --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > @@ -5,6 +5,6 @@ Standards-Version: 3.9.6
> >  Build-Depends: ${DEBIAN_BUILD_DEPENDS}
> >  Maintainer: ISAR project <isar-users@googlegroups.com>
> > 
> > -Package: optee-os-${OPTEE_NAME}
> > +Package: ${DEBIAN_PACKAGE_NAME}
> >  Architecture: ${DISTRO_ARCH}
> > -Description: ${DESCRIPTION}, firmware binaries
> > +Description: ${DESCRIPTION}
> > diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > index d48827a..abe46e8 100644
> > --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > +++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > @@ -1,38 +1,17 @@
> >  # Custom OP-TEE OS build
> >  #
> >  # This software is a part of ISAR.
> > -# Copyright (c) Siemens AG, 2020
> > +# Copyright (c) Siemens AG, 2020-2023
> >  #
> >  # SPDX-License-Identifier: MIT
> > 
> > -inherit dpkg
> > +require optee-os.inc
> > 
> > -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> > -
> > -SRC_URI += "file://debian/"
> > -
> > -DESCRIPTION ?= "Custom OP-TEE OS"
> > -
> > -OPTEE_NAME ?= "${MACHINE}"
> > -OPTEE_PLATFORM ?= "unknown"
> > -OPTEE_EXTRA_BUILDARGS ?= ""
> > -OPTEE_BINARIES ?= "tee-pager_v2.bin"
> > -
> > -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> > +DESCRIPTION:append = ", firmware binaries"
> > 
> >  PROVIDES += "optee-os-${OPTEE_NAME}"
> > 
> > -TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> > -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > -
> > -# split strip platform flavor, if any, from the specified platform string
> > -OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> > -
> > -do_prepare_build() {
> > -    cp -r ${WORKDIR}/debian ${S}/
> > -
> > -    deb_add_changelog
> > -
> > +do_prepare_build:append() {
> >      rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> >      for binary in ${OPTEE_BINARIES}; do
> >          echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
> > diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> > new file mode 100644
> > index 0000000..85d6c25
> > --- /dev/null
> > +++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> > @@ -0,0 +1,20 @@
> > +
> > +# Custom OP-TEE OS build
> > +#
> > +# This software is a part of ISAR.
> > +# Copyright (c) Siemens AG, 2023
> > +#
> > +# SPDX-License-Identifier: MIT
> > +
> > +require optee-os.inc
> > +
> > +DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
> > +DESCRIPTION:append = ", trust application development kit."
> > +
> > +PROVIDES += "${DEBIAN_PACKAGE_NAME}"
> > +
> > +do_prepare_build:append() {
> > +    rm -f ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> > +    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
> > +        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> > +}
> > diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
> > similarity index 62%
> > copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
> > copy to meta/recipes-bsp/optee-os/optee-os.inc
> > index d48827a..198746b 100644
> > --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > +++ b/meta/recipes-bsp/optee-os/optee-os.inc
> > @@ -1,7 +1,7 @@
> >  # Custom OP-TEE OS build
> >  #
> >  # This software is a part of ISAR.
> > -# Copyright (c) Siemens AG, 2020
> > +# Copyright (c) Siemens AG, 2020-2023
> >  #
> >  # SPDX-License-Identifier: MIT
> > 
> > @@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
> >  OPTEE_EXTRA_BUILDARGS ?= ""
> >  OPTEE_BINARIES ?= "tee-pager_v2.bin"
> > 
> > -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> > +DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
> > 
> > -PROVIDES += "optee-os-${OPTEE_NAME}"
> > +DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> > 
> >  TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> > -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > +TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > 
> >  # split strip platform flavor, if any, from the specified platform string
> >  OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> > @@ -32,10 +32,4 @@ do_prepare_build() {
> >      cp -r ${WORKDIR}/debian ${S}/
> > 
> >      deb_add_changelog
> > -
> > -    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> > -    for binary in ${OPTEE_BINARIES}; do
> > -        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
> > -            ${S}/debian/optee-os-${OPTEE_NAME}.install
> > -    done
> >  }
> > 
> 
> We will need some demo recipes that actually pulls the new package. Is
> there some "hello world" TA that we could include and build into the
> stm32mp15x demo image? Would it actually be better to also include the
> fTPM recipe in Isar and use that at the same time as stress test?
> 

There is a helloworld ta in
https://github.com/linaro-swg/optee_examples, so we can integrate it
into that demo image.

It's better to integrate fTPM into the isar, but maybe it's hard to
find a demo image target for it.

- Baocheng

> Jan
> 

Re: [PATCH] optee-os: Add package optee-os-tadevkit

[Su, Bao Cheng]

On Mon, 2023-05-29 at 07:51 +0000, 'Su, Bao Cheng' via isar-users wrote:
> On Wed, 2023-05-24 at 13:34 +0200, Jan Kiszka wrote:
> > On 23.05.23 05:27, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> > > The TA dev kit is used to build trusted applications, details refer to
> > > [1]. A typical use case of this devkit is a firmware TPM reference
> > > implementation, see [2].
> > > 
> > > 1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
> > > 2. https://github.com/microsoft/ms-tpm-20-ref
> > > 
> > > Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
> > > ---
> > >  .../optee-os/files/debian/control.tmpl        |  4 +--
> > >  meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
> > >  .../optee-os/optee-os-tadevkit-custom.inc     | 20 +++++++++++++
> > >  .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
> > >  4 files changed, 30 insertions(+), 37 deletions(-)
> > >  create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> > >  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)
> > > 
> > > diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > > index 60b3927..fdf898e 100644
> > > --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > > +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > > @@ -5,6 +5,6 @@ Standards-Version: 3.9.6
> > >  Build-Depends: ${DEBIAN_BUILD_DEPENDS}
> > >  Maintainer: ISAR project <isar-users@googlegroups.com>
> > > 
> > > -Package: optee-os-${OPTEE_NAME}
> > > +Package: ${DEBIAN_PACKAGE_NAME}
> > >  Architecture: ${DISTRO_ARCH}
> > > -Description: ${DESCRIPTION}, firmware binaries
> > > +Description: ${DESCRIPTION}
> > > diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > index d48827a..abe46e8 100644
> > > --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > +++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > @@ -1,38 +1,17 @@
> > >  # Custom OP-TEE OS build
> > >  #
> > >  # This software is a part of ISAR.
> > > -# Copyright (c) Siemens AG, 2020
> > > +# Copyright (c) Siemens AG, 2020-2023
> > >  #
> > >  # SPDX-License-Identifier: MIT
> > > 
> > > -inherit dpkg
> > > +require optee-os.inc
> > > 
> > > -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> > > -
> > > -SRC_URI += "file://debian/"
> > > -
> > > -DESCRIPTION ?= "Custom OP-TEE OS"
> > > -
> > > -OPTEE_NAME ?= "${MACHINE}"
> > > -OPTEE_PLATFORM ?= "unknown"
> > > -OPTEE_EXTRA_BUILDARGS ?= ""
> > > -OPTEE_BINARIES ?= "tee-pager_v2.bin"
> > > -
> > > -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> > > +DESCRIPTION:append = ", firmware binaries"
> > > 
> > >  PROVIDES += "optee-os-${OPTEE_NAME}"
> > > 
> > > -TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> > > -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > > -
> > > -# split strip platform flavor, if any, from the specified platform string
> > > -OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> > > -
> > > -do_prepare_build() {
> > > -    cp -r ${WORKDIR}/debian ${S}/
> > > -
> > > -    deb_add_changelog
> > > -
> > > +do_prepare_build:append() {
> > >      rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> > >      for binary in ${OPTEE_BINARIES}; do
> > >          echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
> > > diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> > > new file mode 100644
> > > index 0000000..85d6c25
> > > --- /dev/null
> > > +++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> > > @@ -0,0 +1,20 @@
> > > +
> > > +# Custom OP-TEE OS build
> > > +#
> > > +# This software is a part of ISAR.
> > > +# Copyright (c) Siemens AG, 2023
> > > +#
> > > +# SPDX-License-Identifier: MIT
> > > +
> > > +require optee-os.inc
> > > +
> > > +DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
> > > +DESCRIPTION:append = ", trust application development kit."
> > > +
> > > +PROVIDES += "${DEBIAN_PACKAGE_NAME}"
> > > +
> > > +do_prepare_build:append() {
> > > +    rm -f ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> > > +    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
> > > +        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> > > +}
> > > diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
> > > similarity index 62%
> > > copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > copy to meta/recipes-bsp/optee-os/optee-os.inc
> > > index d48827a..198746b 100644
> > > --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > +++ b/meta/recipes-bsp/optee-os/optee-os.inc
> > > @@ -1,7 +1,7 @@
> > >  # Custom OP-TEE OS build
> > >  #
> > >  # This software is a part of ISAR.
> > > -# Copyright (c) Siemens AG, 2020
> > > +# Copyright (c) Siemens AG, 2020-2023
> > >  #
> > >  # SPDX-License-Identifier: MIT
> > > 
> > > @@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
> > >  OPTEE_EXTRA_BUILDARGS ?= ""
> > >  OPTEE_BINARIES ?= "tee-pager_v2.bin"
> > > 
> > > -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> > > +DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
> > > 
> > > -PROVIDES += "optee-os-${OPTEE_NAME}"
> > > +DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
> > > 
> > >  TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> > > -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > > +TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > > 
> > >  # split strip platform flavor, if any, from the specified platform string
> > >  OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> > > @@ -32,10 +32,4 @@ do_prepare_build() {
> > >      cp -r ${WORKDIR}/debian ${S}/
> > > 
> > >      deb_add_changelog
> > > -
> > > -    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> > > -    for binary in ${OPTEE_BINARIES}; do
> > > -        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
> > > -            ${S}/debian/optee-os-${OPTEE_NAME}.install
> > > -    done
> > >  }
> > > 
> > 
> > We will need some demo recipes that actually pulls the new package. Is
> > there some "hello world" TA that we could include and build into the
> > stm32mp15x demo image? Would it actually be better to also include the
> > fTPM recipe in Isar and use that at the same time as stress test?
> > 
> 
> There is a helloworld ta in
> https://github.com/linaro-swg/optee_examples, so we can integrate it
> into that demo image.
> 
> It's better to integrate fTPM into the isar, but maybe it's hard to
> find a demo image target for it.
> 
One thing I forgot to mention is that to verify the example TA working,
you have to build the host side to use the TA, then you will need the
libteec and the headers from optee-client... So eventually the optee-
client need be included into isar.

Currently I am upstreaming the optee-client into the isar-cip-core, so
should I upstream it here instead?

Or at this moment, only the example TA is necessary to verify the
integration of the optee-ta-devkit?

- Baocheng

> - Baocheng
> 
> > Jan
> > 
> 

Re: [PATCH] optee-os: Add package optee-os-tadevkit

[Jan Kiszka]

On 05.06.23 05:33, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> On Mon, 2023-05-29 at 07:51 +0000, 'Su, Bao Cheng' via isar-users wrote:
>> On Wed, 2023-05-24 at 13:34 +0200, Jan Kiszka wrote:
>>> On 23.05.23 05:27, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
>>>> The TA dev kit is used to build trusted applications, details refer to
>>>> [1]. A typical use case of this devkit is a firmware TPM reference
>>>> implementation, see [2].
>>>>
>>>> 1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
>>>> 2. https://github.com/microsoft/ms-tpm-20-ref
>>>>
>>>> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
>>>> ---
>>>>  .../optee-os/files/debian/control.tmpl        |  4 +--
>>>>  meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
>>>>  .../optee-os/optee-os-tadevkit-custom.inc     | 20 +++++++++++++
>>>>  .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
>>>>  4 files changed, 30 insertions(+), 37 deletions(-)
>>>>  create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
>>>>  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)
>>>>
>>>> diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
>>>> index 60b3927..fdf898e 100644
>>>> --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
>>>> +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
>>>> @@ -5,6 +5,6 @@ Standards-Version: 3.9.6
>>>>  Build-Depends: ${DEBIAN_BUILD_DEPENDS}
>>>>  Maintainer: ISAR project <isar-users@googlegroups.com>
>>>>
>>>> -Package: optee-os-${OPTEE_NAME}
>>>> +Package: ${DEBIAN_PACKAGE_NAME}
>>>>  Architecture: ${DISTRO_ARCH}
>>>> -Description: ${DESCRIPTION}, firmware binaries
>>>> +Description: ${DESCRIPTION}
>>>> diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>> index d48827a..abe46e8 100644
>>>> --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>> +++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>> @@ -1,38 +1,17 @@
>>>>  # Custom OP-TEE OS build
>>>>  #
>>>>  # This software is a part of ISAR.
>>>> -# Copyright (c) Siemens AG, 2020
>>>> +# Copyright (c) Siemens AG, 2020-2023
>>>>  #
>>>>  # SPDX-License-Identifier: MIT
>>>>
>>>> -inherit dpkg
>>>> +require optee-os.inc
>>>>
>>>> -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
>>>> -
>>>> -SRC_URI += "file://debian/"
>>>> -
>>>> -DESCRIPTION ?= "Custom OP-TEE OS"
>>>> -
>>>> -OPTEE_NAME ?= "${MACHINE}"
>>>> -OPTEE_PLATFORM ?= "unknown"
>>>> -OPTEE_EXTRA_BUILDARGS ?= ""
>>>> -OPTEE_BINARIES ?= "tee-pager_v2.bin"
>>>> -
>>>> -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
>>>> +DESCRIPTION:append = ", firmware binaries"
>>>>
>>>>  PROVIDES += "optee-os-${OPTEE_NAME}"
>>>>
>>>> -TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
>>>> -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>>>> -
>>>> -# split strip platform flavor, if any, from the specified platform string
>>>> -OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
>>>> -
>>>> -do_prepare_build() {
>>>> -    cp -r ${WORKDIR}/debian ${S}/
>>>> -
>>>> -    deb_add_changelog
>>>> -
>>>> +do_prepare_build:append() {
>>>>      rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
>>>>      for binary in ${OPTEE_BINARIES}; do
>>>>          echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
>>>> diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
>>>> new file mode 100644
>>>> index 0000000..85d6c25
>>>> --- /dev/null
>>>> +++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
>>>> @@ -0,0 +1,20 @@
>>>> +
>>>> +# Custom OP-TEE OS build
>>>> +#
>>>> +# This software is a part of ISAR.
>>>> +# Copyright (c) Siemens AG, 2023
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +
>>>> +require optee-os.inc
>>>> +
>>>> +DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
>>>> +DESCRIPTION:append = ", trust application development kit."
>>>> +
>>>> +PROVIDES += "${DEBIAN_PACKAGE_NAME}"
>>>> +
>>>> +do_prepare_build:append() {
>>>> +    rm -f ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
>>>> +    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
>>>> +        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
>>>> +}
>>>> diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
>>>> similarity index 62%
>>>> copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>> copy to meta/recipes-bsp/optee-os/optee-os.inc
>>>> index d48827a..198746b 100644
>>>> --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>> +++ b/meta/recipes-bsp/optee-os/optee-os.inc
>>>> @@ -1,7 +1,7 @@
>>>>  # Custom OP-TEE OS build
>>>>  #
>>>>  # This software is a part of ISAR.
>>>> -# Copyright (c) Siemens AG, 2020
>>>> +# Copyright (c) Siemens AG, 2020-2023
>>>>  #
>>>>  # SPDX-License-Identifier: MIT
>>>>
>>>> @@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
>>>>  OPTEE_EXTRA_BUILDARGS ?= ""
>>>>  OPTEE_BINARIES ?= "tee-pager_v2.bin"
>>>>
>>>> -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
>>>> +DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
>>>>
>>>> -PROVIDES += "optee-os-${OPTEE_NAME}"
>>>> +DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
>>>>
>>>>  TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
>>>> -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>>>> +TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>>>>
>>>>  # split strip platform flavor, if any, from the specified platform string
>>>>  OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
>>>> @@ -32,10 +32,4 @@ do_prepare_build() {
>>>>      cp -r ${WORKDIR}/debian ${S}/
>>>>
>>>>      deb_add_changelog
>>>> -
>>>> -    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
>>>> -    for binary in ${OPTEE_BINARIES}; do
>>>> -        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
>>>> -            ${S}/debian/optee-os-${OPTEE_NAME}.install
>>>> -    done
>>>>  }
>>>>
>>>
>>> We will need some demo recipes that actually pulls the new package. Is
>>> there some "hello world" TA that we could include and build into the
>>> stm32mp15x demo image? Would it actually be better to also include the
>>> fTPM recipe in Isar and use that at the same time as stress test?
>>>
>>
>> There is a helloworld ta in
>> https://github.com/linaro-swg/optee_examples, so we can integrate it
>> into that demo image.
>>
>> It's better to integrate fTPM into the isar, but maybe it's hard to
>> find a demo image target for it.
>>
> One thing I forgot to mention is that to verify the example TA working,
> you have to build the host side to use the TA, then you will need the
> libteec and the headers from optee-client... So eventually the optee-
> client need be included into isar.
> 
> Currently I am upstreaming the optee-client into the isar-cip-core, so
> should I upstream it here instead?
> 
> Or at this moment, only the example TA is necessary to verify the
> integration of the optee-ta-devkit?

How would a complete demo with that example TA look like then?

Note, though, that the only in-tree optee-os user, stm32mp15x, is not
part of any regular runtime tests (AFAIK). From that perspective, having
a build test would be fine for now.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Re: [PATCH] optee-os: Add package optee-os-tadevkit

[Su, Bao Cheng]

On Mon, 2023-06-05 at 06:45 +0200, Jan Kiszka wrote:
> On 05.06.23 05:33, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> > On Mon, 2023-05-29 at 07:51 +0000, 'Su, Bao Cheng' via isar-users
> > wrote:
> > > On Wed, 2023-05-24 at 13:34 +0200, Jan Kiszka wrote:
> > > > On 23.05.23 05:27, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> > > > > The TA dev kit is used to build trusted applications, details
> > > > > refer to
> > > > > [1]. A typical use case of this devkit is a firmware TPM
> > > > > reference
> > > > > implementation, see [2].
> > > > > 
> > > > > 1.
> > > > > https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
> > > > > 2.
> > > > > https://github.com/microsoft/ms-tpm-20-ref
> > > > > 
> > > > > Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
> > > > > ---
> > > > >  .../optee-os/files/debian/control.tmpl        |  4 +--
> > > > >  meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++------
> > > > > ----------
> > > > >  .../optee-os/optee-os-tadevkit-custom.inc     | 20
> > > > > +++++++++++++
> > > > >  .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
> > > > >  4 files changed, 30 insertions(+), 37 deletions(-)
> > > > >  create mode 100644 meta/recipes-bsp/optee-os/optee-os-
> > > > > tadevkit-custom.inc
> > > > >  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc =>
> > > > > optee-os.inc} (62%)
> > > > > 
> > > > > diff --git a/meta/recipes-bsp/optee-
> > > > > os/files/debian/control.tmpl b/meta/recipes-bsp/optee-
> > > > > os/files/debian/control.tmpl
> > > > > index 60b3927..fdf898e 100644
> > > > > --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > > > > +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> > > > > @@ -5,6 +5,6 @@ Standards-Version: 3.9.6
> > > > >  Build-Depends: ${DEBIAN_BUILD_DEPENDS}
> > > > >  Maintainer: ISAR project <isar-users@googlegroups.com>
> > > > > 
> > > > > -Package: optee-os-${OPTEE_NAME}
> > > > > +Package: ${DEBIAN_PACKAGE_NAME}
> > > > >  Architecture: ${DISTRO_ARCH}
> > > > > -Description: ${DESCRIPTION}, firmware binaries
> > > > > +Description: ${DESCRIPTION}
> > > > > diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > index d48827a..abe46e8 100644
> > > > > --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > +++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > @@ -1,38 +1,17 @@
> > > > >  # Custom OP-TEE OS build
> > > > >  #
> > > > >  # This software is a part of ISAR.
> > > > > -# Copyright (c) Siemens AG, 2020
> > > > > +# Copyright (c) Siemens AG, 2020-2023
> > > > >  #
> > > > >  # SPDX-License-Identifier: MIT
> > > > > 
> > > > > -inherit dpkg
> > > > > +require optee-os.inc
> > > > > 
> > > > > -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> > > > > -
> > > > > -SRC_URI += "file://debian/"
> > > > > -
> > > > > -DESCRIPTION ?= "Custom OP-TEE OS"
> > > > > -
> > > > > -OPTEE_NAME ?= "${MACHINE}"
> > > > > -OPTEE_PLATFORM ?= "unknown"
> > > > > -OPTEE_EXTRA_BUILDARGS ?= ""
> > > > > -OPTEE_BINARIES ?= "tee-pager_v2.bin"
> > > > > -
> > > > > -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native,
> > > > > python3-pyelftools"
> > > > > +DESCRIPTION:append = ", firmware binaries"
> > > > > 
> > > > >  PROVIDES += "optee-os-${OPTEE_NAME}"
> > > > > 
> > > > > -TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> > > > > -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS
> > > > > OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > > > > -
> > > > > -# split strip platform flavor, if any, from the specified
> > > > > platform string
> > > > > -OPTEE_PLATFORM_BASE =
> > > > > "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> > > > > -
> > > > > -do_prepare_build() {
> > > > > -    cp -r ${WORKDIR}/debian ${S}/
> > > > > -
> > > > > -    deb_add_changelog
> > > > > -
> > > > > +do_prepare_build:append() {
> > > > >      rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> > > > >      for binary in ${OPTEE_BINARIES}; do
> > > > >          echo "out/arm-plat-
> > > > > ${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-
> > > > > os/${OPTEE_NAME}/" >> \
> > > > > diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-
> > > > > custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-
> > > > > custom.inc
> > > > > new file mode 100644
> > > > > index 0000000..85d6c25
> > > > > --- /dev/null
> > > > > +++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
> > > > > @@ -0,0 +1,20 @@
> > > > > +
> > > > > +# Custom OP-TEE OS build
> > > > > +#
> > > > > +# This software is a part of ISAR.
> > > > > +# Copyright (c) Siemens AG, 2023
> > > > > +#
> > > > > +# SPDX-License-Identifier: MIT
> > > > > +
> > > > > +require optee-os.inc
> > > > > +
> > > > > +DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
> > > > > +DESCRIPTION:append = ", trust application development kit."
> > > > > +
> > > > > +PROVIDES += "${DEBIAN_PACKAGE_NAME}"
> > > > > +
> > > > > +do_prepare_build:append() {
> > > > > +    rm -f ${S}/debian/optee-os-tadevkit-
> > > > > ${OPTEE_NAME}.install
> > > > > +    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-
> > > > > ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
> > > > > +        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
> > > > > +}
> > > > > diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > b/meta/recipes-bsp/optee-os/optee-os.inc
> > > > > similarity index 62%
> > > > > copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > copy to meta/recipes-bsp/optee-os/optee-os.inc
> > > > > index d48827a..198746b 100644
> > > > > --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
> > > > > +++ b/meta/recipes-bsp/optee-os/optee-os.inc
> > > > > @@ -1,7 +1,7 @@
> > > > >  # Custom OP-TEE OS build
> > > > >  #
> > > > >  # This software is a part of ISAR.
> > > > > -# Copyright (c) Siemens AG, 2020
> > > > > +# Copyright (c) Siemens AG, 2020-2023
> > > > >  #
> > > > >  # SPDX-License-Identifier: MIT
> > > > > 
> > > > > @@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
> > > > >  OPTEE_EXTRA_BUILDARGS ?= ""
> > > > >  OPTEE_BINARIES ?= "tee-pager_v2.bin"
> > > > > 
> > > > > -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native,
> > > > > python3-pyelftools"
> > > > > +DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
> > > > > 
> > > > > -PROVIDES += "optee-os-${OPTEE_NAME}"
> > > > > +DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native,
> > > > > python3-pyelftools"
> > > > > 
> > > > >  TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> > > > > -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS
> > > > > OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > > > > +TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME
> > > > > DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> > > > > 
> > > > >  # split strip platform flavor, if any, from the specified
> > > > > platform string
> > > > >  OPTEE_PLATFORM_BASE =
> > > > > "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> > > > > @@ -32,10 +32,4 @@ do_prepare_build() {
> > > > >      cp -r ${WORKDIR}/debian ${S}/
> > > > > 
> > > > >      deb_add_changelog
> > > > > -
> > > > > -    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
> > > > > -    for binary in ${OPTEE_BINARIES}; do
> > > > > -        echo "out/arm-plat-
> > > > > ${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-
> > > > > os/${OPTEE_NAME}/" >> \
> > > > > -            ${S}/debian/optee-os-${OPTEE_NAME}.install
> > > > > -    done
> > > > >  }
> > > > > 
> > > > 
> > > > We will need some demo recipes that actually pulls the new
> > > > package. Is
> > > > there some "hello world" TA that we could include and build
> > > > into the
> > > > stm32mp15x demo image? Would it actually be better to also
> > > > include the
> > > > fTPM recipe in Isar and use that at the same time as stress
> > > > test?
> > > > 
> > > 
> > > There is a helloworld ta in
> > > https://github.com/linaro-swg/optee_examples
> > > , so we can integrate it
> > > into that demo image.
> > > 
> > > It's better to integrate fTPM into the isar, but maybe it's hard
> > > to
> > > find a demo image target for it.
> > > 
> > One thing I forgot to mention is that to verify the example TA
> > working,
> > you have to build the host side to use the TA, then you will need
> > the
> > libteec and the headers from optee-client... So eventually the
> > optee-
> > client need be included into isar.
> > 
> > Currently I am upstreaming the optee-client into the isar-cip-core,
> > so
> > should I upstream it here instead?
> > 
> > Or at this moment, only the example TA is necessary to verify the
> > integration of the optee-ta-devkit?
> 
> How would a complete demo with that example TA look like then?
> 

The hello world example TA could be built into two binaries: one is
running in optee as a TA, and waiting for calling from non-secure
userspace, the other is an application running on non-secure OS, for
example Linux, the job is to issuing an calling to the API provided by
the hello world TA running in the OPTee. Once the TA received the
invoking, it simply prints a `Hello world` without doing anything
specific.

Now actually considering your suggesting of upstreaming the fTPM
recipe, we can use the fTPM as the testing TA, and kernel already
provided the host-side application - the fTPM driver. However I am not
sure if it works with the stm32mp15x board - since I don't have such
hardware in my hands, or any ref boards in isar.

So apparently two choice ahead of us:

1. Use hello world example TA and only provide building integration
without testing. And provide the fTPM as a standalone recipe without
users in isar.

2. If fTPM works for stm32mp15x or any other boards in isar, then we
can use the fTPM as the user of the optee-os-devkit, and integrate the
fTPM to the optee-os of the stm32mp15x. This requires somebody to help
to test on the real hardware device.

I need your help to select one.

- Baocheng

> Note, though, that the only in-tree optee-os user, stm32mp15x, is not
> part of any regular runtime tests (AFAIK). From that perspective,
> having
> a build test would be fine for now.
> 
> Jan
> 

Re: [PATCH] optee-os: Add package optee-os-tadevkit

[Jan Kiszka]

On 05.06.23 10:59, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
> On Mon, 2023-06-05 at 06:45 +0200, Jan Kiszka wrote:
>> On 05.06.23 05:33, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
>>> On Mon, 2023-05-29 at 07:51 +0000, 'Su, Bao Cheng' via isar-users
>>> wrote:
>>>> On Wed, 2023-05-24 at 13:34 +0200, Jan Kiszka wrote:
>>>>> On 23.05.23 05:27, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote:
>>>>>> The TA dev kit is used to build trusted applications, details
>>>>>> refer to
>>>>>> [1]. A typical use case of this devkit is a firmware TPM
>>>>>> reference
>>>>>> implementation, see [2].
>>>>>>
>>>>>> 1.
>>>>>> https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
>>>>>> 2.
>>>>>> https://github.com/microsoft/ms-tpm-20-ref
>>>>>>
>>>>>> Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
>>>>>> ---
>>>>>>  .../optee-os/files/debian/control.tmpl        |  4 +--
>>>>>>  meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++------
>>>>>> ----------
>>>>>>  .../optee-os/optee-os-tadevkit-custom.inc     | 20
>>>>>> +++++++++++++
>>>>>>  .../{optee-os-custom.inc => optee-os.inc}     | 14 +++------
>>>>>>  4 files changed, 30 insertions(+), 37 deletions(-)
>>>>>>  create mode 100644 meta/recipes-bsp/optee-os/optee-os-
>>>>>> tadevkit-custom.inc
>>>>>>  copy meta/recipes-bsp/optee-os/{optee-os-custom.inc =>
>>>>>> optee-os.inc} (62%)
>>>>>>
>>>>>> diff --git a/meta/recipes-bsp/optee-
>>>>>> os/files/debian/control.tmpl b/meta/recipes-bsp/optee-
>>>>>> os/files/debian/control.tmpl
>>>>>> index 60b3927..fdf898e 100644
>>>>>> --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
>>>>>> +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
>>>>>> @@ -5,6 +5,6 @@ Standards-Version: 3.9.6
>>>>>>  Build-Depends: ${DEBIAN_BUILD_DEPENDS}
>>>>>>  Maintainer: ISAR project <isar-users@googlegroups.com>
>>>>>>
>>>>>> -Package: optee-os-${OPTEE_NAME}
>>>>>> +Package: ${DEBIAN_PACKAGE_NAME}
>>>>>>  Architecture: ${DISTRO_ARCH}
>>>>>> -Description: ${DESCRIPTION}, firmware binaries
>>>>>> +Description: ${DESCRIPTION}
>>>>>> diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> b/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> index d48827a..abe46e8 100644
>>>>>> --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> +++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> @@ -1,38 +1,17 @@
>>>>>>  # Custom OP-TEE OS build
>>>>>>  #
>>>>>>  # This software is a part of ISAR.
>>>>>> -# Copyright (c) Siemens AG, 2020
>>>>>> +# Copyright (c) Siemens AG, 2020-2023
>>>>>>  #
>>>>>>  # SPDX-License-Identifier: MIT
>>>>>>
>>>>>> -inherit dpkg
>>>>>> +require optee-os.inc
>>>>>>
>>>>>> -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
>>>>>> -
>>>>>> -SRC_URI += "file://debian/"
>>>>>> -
>>>>>> -DESCRIPTION ?= "Custom OP-TEE OS"
>>>>>> -
>>>>>> -OPTEE_NAME ?= "${MACHINE}"
>>>>>> -OPTEE_PLATFORM ?= "unknown"
>>>>>> -OPTEE_EXTRA_BUILDARGS ?= ""
>>>>>> -OPTEE_BINARIES ?= "tee-pager_v2.bin"
>>>>>> -
>>>>>> -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native,
>>>>>> python3-pyelftools"
>>>>>> +DESCRIPTION:append = ", firmware binaries"
>>>>>>
>>>>>>  PROVIDES += "optee-os-${OPTEE_NAME}"
>>>>>>
>>>>>> -TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
>>>>>> -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS
>>>>>> OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>>>>>> -
>>>>>> -# split strip platform flavor, if any, from the specified
>>>>>> platform string
>>>>>> -OPTEE_PLATFORM_BASE =
>>>>>> "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
>>>>>> -
>>>>>> -do_prepare_build() {
>>>>>> -    cp -r ${WORKDIR}/debian ${S}/
>>>>>> -
>>>>>> -    deb_add_changelog
>>>>>> -
>>>>>> +do_prepare_build:append() {
>>>>>>      rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
>>>>>>      for binary in ${OPTEE_BINARIES}; do
>>>>>>          echo "out/arm-plat-
>>>>>> ${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-
>>>>>> os/${OPTEE_NAME}/" >> \
>>>>>> diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-
>>>>>> custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-
>>>>>> custom.inc
>>>>>> new file mode 100644
>>>>>> index 0000000..85d6c25
>>>>>> --- /dev/null
>>>>>> +++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
>>>>>> @@ -0,0 +1,20 @@
>>>>>> +
>>>>>> +# Custom OP-TEE OS build
>>>>>> +#
>>>>>> +# This software is a part of ISAR.
>>>>>> +# Copyright (c) Siemens AG, 2023
>>>>>> +#
>>>>>> +# SPDX-License-Identifier: MIT
>>>>>> +
>>>>>> +require optee-os.inc
>>>>>> +
>>>>>> +DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
>>>>>> +DESCRIPTION:append = ", trust application development kit."
>>>>>> +
>>>>>> +PROVIDES += "${DEBIAN_PACKAGE_NAME}"
>>>>>> +
>>>>>> +do_prepare_build:append() {
>>>>>> +    rm -f ${S}/debian/optee-os-tadevkit-
>>>>>> ${OPTEE_NAME}.install
>>>>>> +    echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/export-
>>>>>> ta_${DISTRO_ARCH} /usr/lib/optee-os/" > \
>>>>>> +        ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
>>>>>> +}
>>>>>> diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> b/meta/recipes-bsp/optee-os/optee-os.inc
>>>>>> similarity index 62%
>>>>>> copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> copy to meta/recipes-bsp/optee-os/optee-os.inc
>>>>>> index d48827a..198746b 100644
>>>>>> --- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
>>>>>> +++ b/meta/recipes-bsp/optee-os/optee-os.inc
>>>>>> @@ -1,7 +1,7 @@
>>>>>>  # Custom OP-TEE OS build
>>>>>>  #
>>>>>>  # This software is a part of ISAR.
>>>>>> -# Copyright (c) Siemens AG, 2020
>>>>>> +# Copyright (c) Siemens AG, 2020-2023
>>>>>>  #
>>>>>>  # SPDX-License-Identifier: MIT
>>>>>>
>>>>>> @@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
>>>>>>  OPTEE_EXTRA_BUILDARGS ?= ""
>>>>>>  OPTEE_BINARIES ?= "tee-pager_v2.bin"
>>>>>>
>>>>>> -DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native,
>>>>>> python3-pyelftools"
>>>>>> +DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
>>>>>>
>>>>>> -PROVIDES += "optee-os-${OPTEE_NAME}"
>>>>>> +DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native,
>>>>>> python3-pyelftools"
>>>>>>
>>>>>>  TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
>>>>>> -TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS
>>>>>> OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>>>>>> +TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME
>>>>>> DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>>>>>>
>>>>>>  # split strip platform flavor, if any, from the specified
>>>>>> platform string
>>>>>>  OPTEE_PLATFORM_BASE =
>>>>>> "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
>>>>>> @@ -32,10 +32,4 @@ do_prepare_build() {
>>>>>>      cp -r ${WORKDIR}/debian ${S}/
>>>>>>
>>>>>>      deb_add_changelog
>>>>>> -
>>>>>> -    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
>>>>>> -    for binary in ${OPTEE_BINARIES}; do
>>>>>> -        echo "out/arm-plat-
>>>>>> ${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-
>>>>>> os/${OPTEE_NAME}/" >> \
>>>>>> -            ${S}/debian/optee-os-${OPTEE_NAME}.install
>>>>>> -    done
>>>>>>  }
>>>>>>
>>>>>
>>>>> We will need some demo recipes that actually pulls the new
>>>>> package. Is
>>>>> there some "hello world" TA that we could include and build
>>>>> into the
>>>>> stm32mp15x demo image? Would it actually be better to also
>>>>> include the
>>>>> fTPM recipe in Isar and use that at the same time as stress
>>>>> test?
>>>>>
>>>>
>>>> There is a helloworld ta in
>>>> https://github.com/linaro-swg/optee_examples
>>>> , so we can integrate it
>>>> into that demo image.
>>>>
>>>> It's better to integrate fTPM into the isar, but maybe it's hard
>>>> to
>>>> find a demo image target for it.
>>>>
>>> One thing I forgot to mention is that to verify the example TA
>>> working,
>>> you have to build the host side to use the TA, then you will need
>>> the
>>> libteec and the headers from optee-client... So eventually the
>>> optee-
>>> client need be included into isar.
>>>
>>> Currently I am upstreaming the optee-client into the isar-cip-core,
>>> so
>>> should I upstream it here instead?
>>>
>>> Or at this moment, only the example TA is necessary to verify the
>>> integration of the optee-ta-devkit?
>>
>> How would a complete demo with that example TA look like then?
>>
> 
> The hello world example TA could be built into two binaries: one is
> running in optee as a TA, and waiting for calling from non-secure
> userspace, the other is an application running on non-secure OS, for
> example Linux, the job is to issuing an calling to the API provided by
> the hello world TA running in the OPTee. Once the TA received the
> invoking, it simply prints a `Hello world` without doing anything
> specific.
> 
> Now actually considering your suggesting of upstreaming the fTPM
> recipe, we can use the fTPM as the testing TA, and kernel already
> provided the host-side application - the fTPM driver. However I am not
> sure if it works with the stm32mp15x board - since I don't have such
> hardware in my hands, or any ref boards in isar.
> 
> So apparently two choice ahead of us:
> 
> 1. Use hello world example TA and only provide building integration
> without testing. And provide the fTPM as a standalone recipe without
> users in isar.
> 
> 2. If fTPM works for stm32mp15x or any other boards in isar, then we
> can use the fTPM as the user of the optee-os-devkit, and integrate the
> fTPM to the optee-os of the stm32mp15x. This requires somebody to help
> to test on the real hardware device.

Or:

3. Model the TA setup over qemu-arm[64], but then likely with the hello
world thing as fTPM still needs RPMB, and we still have no support for
that in QEMU.

In any case, let's first focus on build testing, and there do what you
think is simplest. If that is upstreaming fTPM here and at least
building it for stm32mp15x, let's do that.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux