Message-ID: <9a5eccff-1747-f437-f802-9b09235e2f3e@163.com>
Date: Thu, 22 Jun 2023 14:21:32 +0800
Subject: Re: [PATCH v2 5/7] Add recipe for optee ftpm
To: Jan Kiszka, isar-users@googlegroups.com, felix.moessbauer@siemens.com
Cc: christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng.su@siemens.com
References: <20230621192217.2045717-1-baocheng_su@163.com> <20230621192217.2045717-6-baocheng_su@163.com> <08d9440a-0680-e0af-dd50-2705c0f8d56b@siemens.com>
From: Su Baocheng
In-Reply-To: <08d9440a-0680-e0af-dd50-2705c0f8d56b@siemens.com>

On 2023/6/22 14:02, Jan Kiszka wrote:
> On 21.06.23 21:22, baocheng_su@163.com wrote:
>> From: Baocheng Su
>>
>> This integrates Microsoft's reference implementation of the TCG TPM2.0 as an
>> OPTee trusted application, see [1] and [2] for details, esp.
>> meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm
>>
>> Since the OPTee secure storage on IOT2050 is RPMB-based, and RPMB access
>> is provided by the Linux tee-supplicant, this TA is only discoverable when
>> tee-supplicant is running.
>>
>> To help to gracefully manage the tee-supplicant, the kernel driver
>> tpm_ftpm_tee should be compiled as .ko and be loaded/unloaded dynamically.
>>
>> [1]: https://github.com/microsoft/ms-tpm-20-ref/
>> [2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
>>
>> Signed-off-by: Baocheng Su
>> ---
>> .../files/0001-add-enum-to-ta-flags.patch | 27 +++++++++++
>> .../optee-ftpm-stm32mp15x_0~230316+git.bb | 35 ++++++++++++++
>
> The version should probably be 0~20230316+git when following Debian
> suggestions.
>

According to [1], there are two possible version strings, YYYYMMDD or 0~YYMMDD; the latter ensures a smooth transition to a normal 0.1 in the future when upstream starts to use a normal version.

1. https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#name-version

> Jan
>
>> .../optee-os/optee-os-stm32mp15x_3.21.0.bb | 10 +++-
>> .../optee-ftpm/files/debian/compat | 1 +
>> .../optee-ftpm/files/debian/control.tmpl | 11 +++++
>> .../optee-ftpm/files/debian/rules.tmpl | 25 ++++++++++
>> meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 47 +++++++++++++++++++
>> 7 files changed, 155 insertions(+), 1 deletion(-)
>> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
>> create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
>> create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
>> create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
>> create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
>>
>> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>> new file mode 100644
>> index 0000000..57917ba
>> --- /dev/null
>> +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>> @@ -0,0 +1,27 @@ >> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 >> +From: Maxim Uvarov >> +Date: Fri, 17 Apr 2020 12:05:53 +0100 >> +Subject: [PATCH] add enum to ta flags >> + >> +If we compile this TA into OPTEE-OS we need to define a flag >> +that this TA can be discovered on the optee bus. >> +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34] >> + >> +Signed-off-by: Maxim Uvarov >> +--- >> + .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h | 2 +- >> + 1 file changed, 1 insertion(+), 1 deletion(-) >> + >> +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h >> +index 92c33c1..e83619d 100644 >> +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h >> ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h >> +@@ -44,7 +44,7 @@ >> + >> + #define TA_UUID TA_FTPM_UUID >> + >> +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE) >> ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) >> + #define TA_STACK_SIZE (64 * 1024) >> + #define TA_DATA_SIZE (32 * 1024) >> + >> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb >> new file mode 100644 >> index 0000000..de26ec3 >> --- /dev/null >> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb 
>> @@ -0,0 +1,35 @@ >> +# Copyright (c) Siemens AG, 2023 >> +# >> +# Authors: >> +# Su Bao Cheng >> +# >> +# SPDX-License-Identifier: MIT >> +# >> +require recipes-bsp/optee-ftpm/optee-ftpm.inc >> + >> +# CHANGELOG_V = "0.1+git+isar" >> + >> +SRC_URI += " \ >> + https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \ >> + https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \ >> + file://0001-add-enum-to-ta-flags.patch \ >> + " >> + >> +SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6" >> +# according to ms-tpm-20-ref submodules >> +SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4" >> + >> +SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d" >> +SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14" >> + >> +S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}" >> + >> +OPTEE_NAME = "${MACHINE}" >> +TA_CPU = "cortex-a7" >> +TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32" >> +OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y" >> + >> +do_prepare_build:append() { >> + rm -rf ${S}/external/wolfssl >> + cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl >> +} >> diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb >> index 7468ca6..1b920cd 100644 >> --- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb >> +++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb 
>> @@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \ >> , optee-examples-stm32mp15x-random-ta \ >> , optee-examples-stm32mp15x-secure-storage-ta \ >> " >> -EARLY_TA_PATHS = " \ >> +EARLY_TA_PATHS += " \ >> /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \ >> /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \ >> /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \ >> @@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \ >> /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \ >> /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \ >> " >> + >> +# optee-ftpm integration >> +DEPENDS += "optee-ftpm-stm32mp15x" >> +DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x" >> +EARLY_TA_PATHS += " \ >> + /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \ >> + " >> + >> OPTEE_EXTRA_BUILDARGS += " \ >> CFG_EARLY_TA=y \ >> EARLY_TA_PATHS='${EARLY_TA_PATHS}' \ >> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat >> new file mode 100644 >> index 0000000..f599e28 >> --- /dev/null >> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat >> @@ -0,0 +1 @@ >> +10 >> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl >> new file mode 100644 >> index 0000000..abab42e >> --- /dev/null >> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl >> @@ -0,0 +1,11 @@ >> +Source: ${PN} >> +Section: misc >> +Priority: optional >> +Standards-Version: 3.9.6 >> +Maintainer: Unknown maintainer >> +Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS} >> + >> +Package: ${PN} >> +Architecture: any >> +Depends: >> +Description: TCG reference implementation of the TPM 2.0 Specification. 
>> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl >> new file mode 100755 >> index 0000000..19d4e08 >> --- /dev/null >> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl >> @@ -0,0 +1,25 @@ >> +#!/usr/bin/make -f >> +# Debian rules for optee-ftpm >> +# >> +# Copyright (c) Siemens AG, 2023 >> +# >> +# Authors: >> +# Su Bao Cheng >> +# >> +# SPDX-License-Identifier: MIT >> + >> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) >> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- >> +endif >> + >> +override_dh_auto_build: >> + cd Samples/ARM32-FirmwareTPM/optee_ta && \ >> + TA_CROSS_COMPILE=${CROSS_COMPILE} \ >> + TA_CPU=${TA_CPU} \ >> + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ >> + CFG_TEE_TA_LOG_LEVEL=2 \ >> + ${OPTEE_FTPM_BUILD_ARGS_EXTRA} \ >> + $(MAKE) $(PARALLEL_MAKE) >> + >> +%: >> + dh $@ >> diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc >> new file mode 100644 >> index 0000000..2f6dc30 >> --- /dev/null >> +++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc 
>> @@ -0,0 +1,47 @@ >> +# Copyright (c) Siemens AG, 2023 >> +# >> +# Authors: >> +# Su Bao Cheng >> +# >> +# SPDX-License-Identifier: MIT >> +# >> +inherit dpkg >> + >> +SUMMARY = "OPTEE fTPM Microsoft TA" >> +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification." >> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/" >> + >> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" >> + >> +SRC_URI += "file://debian" >> + >> +OPTEE_NAME ?= "${MACHINE}" >> + >> +DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}" >> +DEBIAN_BUILD_DEPENDS ?= " \ >> + python3-cryptography:native, \ >> + optee-os-tadevkit-${OPTEE_NAME} \ >> + " >> + >> +TA_CPU ?= "unknown" >> +TA_DEV_KIT_DIR ?= "unknown" >> +OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " " >> + >> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl" >> +TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \ >> + OPTEE_FTPM_BUILD_ARGS_EXTRA \ >> + TA_CPU \ >> + TA_DEV_KIT_DIR" >> + >> +do_prepare_build() { >> + rm -rf ${S}/debian >> + cp -r ${WORKDIR}/debian ${S}/ >> + >> + deb_add_changelog >> + >> + rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install >> + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \ >> + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install >> + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \ >> + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install >> +} >
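Review bot: in the `0001-add-enum-to-ta-flags.patch` hunk, the header `From 0000000000000000000000000000000000000000` is a placeholder commit id and `Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]` names the MSRSec repository, while the recipe applies the patch to ms-tpm-20-ref; confirm the status still holds for this tree and record it, so the next SRCREV bump can tell whether the patch is still needed. The one-line change itself, adding `TA_FLAG_DEVICE_ENUM_SUPP` to `TA_FLAGS`, is exactly what the commit message needs for the TA to be enumerated on the OP-TEE bus.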
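Review bot: `# CHANGELOG_V = "0.1+git+isar"` in the new `optee-ftpm-stm32mp15x_0~230316+git.bb` is commented-out configuration; set it or drop it. The supply-chain side looks right: both GitHub tarballs are pinned to a commit (`SRCREV`, `SRCREV-wolfssl`) and checksummed (`SRC_URI[sha256sum]`, `SRC_URI[wolfssl.sha256sum]`), which matters for code that ends up inside the TEE. The `do_prepare_build:append()` that deletes `${S}/external/wolfssl` and copies the unpacked tarball in its place deserves a comment saying it stands in for the git submodule that the `# according to ms-tpm-20-ref submodules` line alludes to.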
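Review bot: the switch from `EARLY_TA_PATHS = " \` to `EARLY_TA_PATHS += " \` in the first `optee-os-stm32mp15x_3.21.0.bb` hunk is not mentioned in the commit message and is not required by the second hunk, whose own `EARLY_TA_PATHS += " \` appends after this assignment either way; with `+=` the list now also picks up anything a configuration file assigned to `EARLY_TA_PATHS` earlier. Keep `=` unless accumulation is intended, and say so in the commit message if it is.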
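Review bot: in the second `optee-os-stm32mp15x_3.21.0.bb` hunk the fTPM TA UUID `bc50d971-d4c9-42c4-82cb-343fb7f37896` is typed out by hand, and the same UUID appears twice more in `optee-ftpm.inc`; a single variable exported by the optee-ftpm recipe would keep the early-TA list and the installed file names from drifting apart. It is also worth stating in the commit message that, because the file is listed under `EARLY_TA_PATHS` with `CFG_EARLY_TA=y`, the fTPM is linked into the optee-os image itself rather than loaded from the root filesystem.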
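Review bot: `debian/control.tmpl` leaves `Depends:` empty and `Maintainer: Unknown maintainer` as a placeholder; use `Depends: ${misc:Depends}` (or omit the field) and name a maintainer. The commit message says the TA is only discoverable while tee-supplicant runs; if the `.ta` installed to `/usr/lib/optee-os/${OPTEE_NAME}/ta` is meant to be loaded from the rootfs as well as embedded as an early TA, that runtime requirement belongs in `Depends` too.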
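Review bot: `CFG_TEE_TA_LOG_LEVEL=2` is fixed inside `debian/rules.tmpl` while the other build inputs (`TA_CPU`, `TA_DEV_KIT_DIR`, `OPTEE_FTPM_BUILD_ARGS_EXTRA`) are routed through `TEMPLATE_VARS` from the recipe; a production image cannot lower the TA's log level without editing the template, so make it a recipe variable too. A short comment that `${CROSS_COMPILE}` is expanded by make, not by the template engine, because it is not in `TEMPLATE_VARS`, would save the next reader a double take.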
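Review bot: `TA_CPU ?= "unknown"` and `TA_DEV_KIT_DIR ?= "unknown"` in `optee-ftpm.inc` let a BSP recipe that forgets to set them fail somewhere inside the TA makefile with an opaque error; fail early instead with a clear message when either is still `unknown`. Two smaller points in `do_prepare_build()`: the `rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install` is redundant because the following `echo ... >` truncates the file anyway, and naming the install file `optee-ftpm-${OPTEE_NAME}.install` while `control.tmpl` names the package `${PN}` only works as long as `PN` equals `optee-ftpm-${OPTEE_NAME}`; `${PN}.install` removes that coupling.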
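The start/stop ordering the commit message asks for (tee-supplicant first, then the `tpm_ftpm_tee` module, and the reverse on shutdown), as an added example that is not part of this patch or of Isar: a systemd unit that assumes the supplicant daemon ships as `tee-supplicant.service` and that the driver is built as a module as the commit message proposes.

```ini
# /etc/systemd/system/tpm-ftpm.service  (constructed example, not from the patch)
[Unit]
Description=Load the fTPM kernel driver once tee-supplicant serves RPMB
# Assumed unit name for the OP-TEE supplicant daemon.
After=tee-supplicant.service
# BindsTo plus After: this unit stops (driver unloaded) before the supplicant
# goes away, and is never left loaded with no supplicant behind it.
BindsTo=tee-supplicant.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/modprobe tpm_ftpm_tee
ExecStop=/sbin/modprobe -r tpm_ftpm_tee

[Install]
WantedBy=multi-user.target
```

If the supplicant's unit is a plain `Type=simple` service, `After=` only guarantees the daemon has been spawned, so a driver probe that races the supplicant's startup needs an explicit readiness check in an `ExecStartPre=` rather than a fixed delay.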