[PATCH v3 00/11] Fixes, cleanups and updates for OP-TEE and TAs

[PATCH v3 00/11] Fixes, cleanups and updates for OP-TEE and TAs

[Jan Kiszka]

This summarizes and partially updates previously sent patches to fix and
improve the recently merged OP-TEE changes. Labeling it v3 as some
patches were already sent out in v2.

Improvements over the individual patches:
 - update for WolfSSL in fTPM recipe
 - better unbinding of fTPM on tee-supplicant shutdown

Patch 11 might still have no effect and needs confirmation via larger CI
builds.

Jan

Jan Kiszka (11):
  optee-client: Add missing runtime dependency
  optee-client: Unbind ftpm, rather than remove its driver
  optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x
    machines
  linux-mainline: Add fTPM support
  initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook
  initramfs-tee-supplicant-hook: Account for modular optee
  initramfs-tee-ftpm-hook: Lift timeout to 30 s
  Drop stm32mp15x-initramfs in favor of image enabling
  optee-ftpm-stm32mp15x: Recipe cleanups
  optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3
  optee-ftpm-stm32mp15x: Add patch to fix parallel build issues

 meta-isar/conf/machine/stm32mp15x.conf        |  2 +
 .../optee-examples-stm32mp15x_3.21.0.bb       |  2 +-
 .../0001-Fix-parallel-build-of-optee_ta.patch | 45 +++++++++++++++++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     | 11 ++---
 .../images/stm32mp15x-initramfs.bb            | 15 -------
 .../linux/files/ftpm-module.cfg               |  3 ++
 .../linux/linux-mainline_5.4.203.bb           |  2 +
 .../optee-client/files/debian/control.tmpl    |  2 +-
 .../files/debian/tee-supplicant.service       |  2 +-
 .../files/tee-ftpm.script                     |  9 ++++
 .../files/tee-supplicant.script               |  9 +---
 testsuite/citest.py                           |  1 -
 12 files changed, 69 insertions(+), 34 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
 delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
 create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg

-- 
2.35.3

[PATCH v3 01/11] optee-client: Add missing runtime dependency

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

The alternative service file uses pgrep and pkill.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta/recipes-bsp/optee-client/files/debian/control.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
index de780b73..7cd121ee 100644
--- a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
@@ -39,7 +39,7 @@ Description: normal world user space client APIs for OP-TEE
 
 Package: tee-supplicant
 Architecture: ${DISTRO_ARCH}
-Depends: systemd ${misc:Depends}, ${shlibs:Depends}
+Depends: systemd ${misc:Depends}, procps, ${shlibs:Depends}
 Description: normal world user space client APIs for OP-TEE
  OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
  non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
-- 
2.35.3

[PATCH v3 02/11] optee-client: Unbind ftpm, rather than remove its driver

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This allows to support also scenarios where the driver is built into the
kernel. And it also resolves an escaping issue in the old version.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-client/files/debian/tee-supplicant.service            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
index 4508a142..cc92a5fd 100644
--- a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
+++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
@@ -14,7 +14,7 @@ RemainAfterExit=yes
 # Start if not already started by the initramfs hook
 ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d'
 ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true'
-ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
+ExecStop=/bin/sh -c 'echo -n optee-ta-bc50d971-d4c9-42c4-82cb-343fb7f37896 > /sys/bus/tee/drivers/optee-ftpm/unbind || true'
 ExecStop=/usr/bin/pkill tee-supplicant
 
 [Install]
-- 
2.35.3

[PATCH v3 03/11] optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x machines

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Hard-code the machine name so that parsing will not fail if a machine
does not provide optee-os-tadevkit-${MACHINE} or
optee-client-${MACHINE}.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-examples/optee-examples-stm32mp15x_3.21.0.bb          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
index 2a64a86b..e10654e8 100644
--- a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "9b965f829adc532b5228534d3b9b38ae1fc4f2ac55d73159a39d43e597
 
 S = "${WORKDIR}/optee_examples-${PV}"
 
-OPTEE_NAME = "${MACHINE}"
+OPTEE_NAME = "stm32mp15x"
 OPTEE_PLATFORM = "stm32mp1"
 TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
 
-- 
2.35.3

[PATCH v3 04/11] linux-mainline: Add fTPM support

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Needed for the stm32mp15x demo of fTPM.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg     | 3 +++
 meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb | 2 ++
 2 files changed, 5 insertions(+)
 create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg

diff --git a/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
new file mode 100644
index 00000000..f47620bc
--- /dev/null
+++ b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
@@ -0,0 +1,3 @@
+CONFIG_TEE=m
+CONFIG_OPTEE=m
+CONFIG_TCG_FTPM_TEE=m
diff --git a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
index 76f73f02..27ebf131 100644
--- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
+++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
@@ -14,6 +14,8 @@ SRC_URI += " \
     file://x86_64_defconfig \
     file://no-ubifs-fs.cfg \
     file://no-root-nfs.cfg;apply=no"
+SRC_URI:append:stm32mp15x = " \
+    file://ftpm-module.cfg"
 
 SRC_URI[sha256sum] = "fc933f5b13066cfa54aacb5e86747a167bad1d8d23972e4a03ab5ee36c29798a"
 
-- 
2.35.3

[PATCH v3 05/11] initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

There is no FTPM_DEV defined in tee-supplicant.script, and it also makes
no sense to wait for an unrelated fTPM device in the tee-supplicant
starter hook. That is better done in tee-ftpm.script.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-tee-ftpm-hook/files/tee-ftpm.script        | 9 +++++++++
 .../files/tee-supplicant.script                          | 8 --------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index ce321a09..6e12e6df 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -21,6 +21,15 @@ esac
 . /scripts/functions
 
 FTPM_DEV=/dev/tpmrm0
+
+# The tee-supplicant would take some time to be discovered, 10 seconds should be
+# enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+	wait_sec=$((wait_sec-1))
+	sleep 1
+done
+
 if ! test -c "${FTPM_DEV}"; then
     panic "Can't discover the fTPM device ${FTPM_DEV}!"
 fi
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index bb6dcc16..76efc1ad 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -22,12 +22,4 @@ esac
 
 /usr/sbin/tee-supplicant -d
 
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
-until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
-	wait_sec=$((wait_sec-1))
-	sleep 1
-done
-
 /usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
-- 
2.35.3

[PATCH v3 06/11] initramfs-tee-supplicant-hook: Account for modular optee

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Starting tee-supplicant will fail otherwise.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-tee-supplicant-hook/files/tee-supplicant.script    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index 76efc1ad..fcb84817 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -20,6 +20,7 @@ esac
 
 . /scripts/functions
 
+/usr/sbin/modprobe optee
 /usr/sbin/tee-supplicant -d
 
 /usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
-- 
2.35.3

[PATCH v3 07/11] initramfs-tee-ftpm-hook: Lift timeout to 30 s

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Around 20 s are needed on the stm32mp15x, so let's give things more time
to settle and permit 30 s.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../initramfs-tee-ftpm-hook/files/tee-ftpm.script           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index 6e12e6df..053fb046 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -22,9 +22,9 @@ esac
 
 FTPM_DEV=/dev/tpmrm0
 
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
+# The tee-supplicant would take some time to be discovered, 30 seconds should
+# be enough
+wait_sec=30
 until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
 	wait_sec=$((wait_sec-1))
 	sleep 1
-- 
2.35.3

[PATCH v3 08/11] Drop stm32mp15x-initramfs in favor of image enabling

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

To really test the hooks on the stm32mp15x, we need them as part of the
initramfs generated for the image, not just stand-alone.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf            |  2 ++
 .../images/stm32mp15x-initramfs.bb                | 15 ---------------
 testsuite/citest.py                               |  1 -
 3 files changed, 2 insertions(+), 16 deletions(-)
 delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 4e8142ee..367b1934 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -23,4 +23,6 @@ IMAGE_INSTALL += "u-boot-script \
     optee-examples-stm32mp15x-hotp-host \
     optee-examples-stm32mp15x-random-host \
     optee-examples-stm32mp15x-secure-storage-host \
+    initramfs-tee-supplicant-hook \
+    initramfs-tee-ftpm-hook \
     "
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
deleted file mode 100644
index 8ec6d7ce..00000000
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2023
-#
-# Authors:
-#  Su Bao Cheng <baocheng.su@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit initramfs
-
-INITRAMFS_INSTALL += " \
-    initramfs-tee-supplicant-hook \
-    initramfs-tee-ftpm-hook \
-    "
diff --git a/testsuite/citest.py b/testsuite/citest.py
index b81d86f9..f5cf1257 100755
--- a/testsuite/citest.py
+++ b/testsuite/citest.py
@@ -215,7 +215,6 @@ class NoCrossTest(CIBaseTest):
             'mc:bananapi-bullseye:isar-image-base',
             'mc:nanopi-neo-bullseye:isar-image-base',
             'mc:stm32mp15x-bullseye:isar-image-base',
-            'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',
             'mc:qemuamd64-focal:isar-image-ci'
                   ]
 
-- 
2.35.3

[PATCH v3 09/11] optee-ftpm-stm32mp15x: Recipe cleanups

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Remove commented out CHANGELOG_V assignment, remove redundant setting of
OPTEE_NAME to its default, remove setting of non-existing
CFG_FTPM_USE_WOLF config var.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb         | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index de26ec38..d8c1528d 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -5,9 +5,8 @@
 #
 # SPDX-License-Identifier: MIT
 #
-require recipes-bsp/optee-ftpm/optee-ftpm.inc
 
-# CHANGELOG_V = "0.1+git+isar"
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
 
 SRC_URI += " \
     https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
@@ -24,10 +23,8 @@ SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd9582
 
 S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
 
-OPTEE_NAME = "${MACHINE}"
 TA_CPU = "cortex-a7"
 TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
-OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
 
 do_prepare_build:append() {
     rm -rf ${S}/external/wolfssl
-- 
2.35.3

[PATCH v3 10/11] optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

The upstream choice is seriously outdated, also security-wise. Choose
the latest stable release instead.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb         | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index d8c1528d..441bc4ac 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -15,11 +15,10 @@ SRC_URI += " \
     "
 
 SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
-# according to ms-tpm-20-ref submodules
-SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+SRCREV-wolfssl = "3b3c175af0e993ffaae251871421e206cc41963f"
 
 SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
-SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+SRC_URI[wolfssl.sha256sum] = "1157994b12295b74754dd9054124c857c59093b762e6f744d0a3a3565cb6314d"
 
 S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
 
-- 
2.35.3

[PATCH v3 11/11] optee-ftpm-stm32mp15x: Add patch to fix parallel build issues

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../0001-Fix-parallel-build-of-optee_ta.patch | 45 +++++++++++++++++++
 .../optee-ftpm-stm32mp15x_0~230316+git.bb     |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch

diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
new file mode 100644
index 00000000..4ee20f41
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
@@ -0,0 +1,45 @@
+From ff34f1a64bd5dbc83df26cfc8e74478f854a0acf Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Thu, 20 Jul 2023 16:32:26 +0200
+Subject: [PATCH] Fix parallel build of optee_ta
+
+The symlink must be established prio to building any of the source files
+of WolfSSL, or things will fail:
+
+	TA_CROSS_COMPILE= \
+	TA_CPU=cortex-a7 \
+	TA_DEV_KIT_DIR=/usr/lib/optee-os/stm32mp15x/export-ta_arm32 \
+	CFG_TEE_TA_LOG_LEVEL=2 \
+	CFG_FTPM_USE_WOLF=y \
+	/usr/bin/make -j 24
+make[2]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta'
+/usr/bin/make -C fTPM CROSS_COMPILE=
+make[3]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta/fTPM'
+Checking symlink to the TPM folder: /<<PKGBUILDDIR>>
+Checking symlink to the WolfSSL folder: /<<PKGBUILDDIR>>/external/wolfssl
+Establishing symlink.
+  CC      ../out/fTPM/platform/Cancel.o
+Establishing symlink.
+  CC      ../out/fTPM/platform/AdminPPI.o
+  CC      ../out/fTPM/platform/Entropy.o
+make[3]: *** No rule to make target 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c', needed by '../out/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o'.  Stop.
+make[3]: *** Waiting for unfinished jobs....
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+index 0a43f46..eb239e3 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+@@ -56,3 +56,5 @@ srcs-y += wolf_symlink/wolfcrypt/src/tfm.c
+ srcs-y += wolf_symlink/wolfcrypt/src/wolfmath.c
+ srcs-y += wolf_symlink/wolfcrypt/src/des3.c
+ srcs-y += wolf_symlink/wolfcrypt/src/random.c
++
++$(srcs-y): wolf_symlink
+-- 
+2.35.3
+
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index 441bc4ac..c92620e1 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -12,6 +12,7 @@ SRC_URI += " \
     https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
     https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
     file://0001-add-enum-to-ta-flags.patch \
+    file://0001-Fix-parallel-build-of-optee_ta.patch \
     "
 
 SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
-- 
2.35.3

Re: [PATCH v3 04/11] linux-mainline: Add fTPM support

[Uladzimir Bely]

On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> Needed for the stm32mp15x demo of fTPM.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  meta-isar/recipes-kernel/linux/files/ftpm-module.cfg     | 3 +++
>  meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb | 2 ++
>  2 files changed, 5 insertions(+)
>  create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-
> module.cfg
> 
> diff --git a/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> new file mode 100644
> index 00000000..f47620bc
> --- /dev/null
> +++ b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> @@ -0,0 +1,3 @@
> +CONFIG_TEE=m
> +CONFIG_OPTEE=m
> +CONFIG_TCG_FTPM_TEE=m
> diff --git a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> index 76f73f02..27ebf131 100644
> --- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> +++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> @@ -14,6 +14,8 @@ SRC_URI += " \
>      file://x86_64_defconfig \
>      file://no-ubifs-fs.cfg \
>      file://no-root-nfs.cfg;apply=no"
> +SRC_URI:append:stm32mp15x = " \
> +    file://ftpm-module.cfg"
>  
>  SRC_URI[sha256sum] =
> "fc933f5b13066cfa54aacb5e86747a167bad1d8d23972e4a03ab5ee36c29798a"
>  
> -- 
> 2.35.3
> 

This patch seems to make CI fail at "CrossTest.test_cross" build.

In this test we build in parallel two "armhf" targets that both use
"mainline" kernel - stm32mp15x-bullseye and de0-nano-soc-bullseye.

Due to the same distro/kernel/arch they are both build in parallel in
the same workdir (build/tmp/work/debian-bullseye-armhf/linux-
mainline/5.4.203-r0) but due to "append:stm32mp15x" they should use
different kernel config. This causes two parallel confliction builds
and results in some weird error:

```
cat: /workspace/build/isar_ub_devel_fast/469/build/tmp/work/debian-
bullseye-armhf/linux-mainline/5.4.203-r0/rootfs/dpkg_partial.log: No
such file or directory
```

By the way, NoCrossTest.test_nocross doesn't fail since it doesn't
build another bullseye/armhf linux-mainline in parallel with one for
stm32mp15x.

Re: [PATCH v3 04/11] linux-mainline: Add fTPM support

[Uladzimir Bely]

On Tue, 2023-07-25 at 16:43 +0300, Uladzimir Bely wrote:
> On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users wrote:
> > From: Jan Kiszka <jan.kiszka@siemens.com>
> > 
> > Needed for the stm32mp15x demo of fTPM.
> > 
> > Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> > ---
> >  meta-isar/recipes-kernel/linux/files/ftpm-module.cfg     | 3 +++
> >  meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb | 2 ++
> >  2 files changed, 5 insertions(+)
> >  create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-
> > module.cfg
> > 
> > diff --git a/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> > b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> > new file mode 100644
> > index 00000000..f47620bc
> > --- /dev/null
> > +++ b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> > @@ -0,0 +1,3 @@
> > +CONFIG_TEE=m
> > +CONFIG_OPTEE=m
> > +CONFIG_TCG_FTPM_TEE=m
> > diff --git a/meta-isar/recipes-kernel/linux/linux-
> > mainline_5.4.203.bb
> > b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> > index 76f73f02..27ebf131 100644
> > --- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> > +++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> > @@ -14,6 +14,8 @@ SRC_URI += " \
> >      file://x86_64_defconfig \
> >      file://no-ubifs-fs.cfg \
> >      file://no-root-nfs.cfg;apply=no"
> > +SRC_URI:append:stm32mp15x = " \
> > +    file://ftpm-module.cfg"
> >  
> >  SRC_URI[sha256sum] =
> > "fc933f5b13066cfa54aacb5e86747a167bad1d8d23972e4a03ab5ee36c29798a"
> >  
> > -- 
> > 2.35.3
> > 
> 
> This patch seems to make CI fail at "CrossTest.test_cross" build.
> 
> In this test we build in parallel two "armhf" targets that both use
> "mainline" kernel - stm32mp15x-bullseye and de0-nano-soc-bullseye.
> 
> Due to the same distro/kernel/arch they are both build in parallel in
> the same workdir (build/tmp/work/debian-bullseye-armhf/linux-
> mainline/5.4.203-r0) but due to "append:stm32mp15x" they should use
> different kernel config. This causes two parallel confliction builds
> and results in some weird error:
> 
> ```
> cat: /workspace/build/isar_ub_devel_fast/469/build/tmp/work/debian-
> bullseye-armhf/linux-mainline/5.4.203-r0/rootfs/dpkg_partial.log: No
> such file or directory
> ```
> 
> By the way, NoCrossTest.test_nocross doesn't fail since it doesn't
> build another bullseye/armhf linux-mainline in parallel with one for
> stm32mp15x.
> 

There are two possible ways to fix the issue:
 1. use "ftpm-module" config fragment not only for stm32mp15x (either
globally, either only for armhf targets)
 2. split "linux-mainline" build

We would actually prefer way [1] since it doesn't increase build time
in CI. Some additional modules should not be a problem even if they are
not really used/required.

I'm going to make a local fix (e.g., use ftpm fragment for all targets)
and to check if it works.

Re: [PATCH v3 04/11] linux-mainline: Add fTPM support

[Jan Kiszka]

On 26.07.23 10:31, Uladzimir Bely wrote:
> On Tue, 2023-07-25 at 16:43 +0300, Uladzimir Bely wrote:
>> On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users wrote:
>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>
>>> Needed for the stm32mp15x demo of fTPM.
>>>
>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>> ---
>>>  meta-isar/recipes-kernel/linux/files/ftpm-module.cfg     | 3 +++
>>>  meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb | 2 ++
>>>  2 files changed, 5 insertions(+)
>>>  create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-
>>> module.cfg
>>>
>>> diff --git a/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
>>> b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
>>> new file mode 100644
>>> index 00000000..f47620bc
>>> --- /dev/null
>>> +++ b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
>>> @@ -0,0 +1,3 @@
>>> +CONFIG_TEE=m
>>> +CONFIG_OPTEE=m
>>> +CONFIG_TCG_FTPM_TEE=m
>>> diff --git a/meta-isar/recipes-kernel/linux/linux-
>>> mainline_5.4.203.bb
>>> b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
>>> index 76f73f02..27ebf131 100644
>>> --- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
>>> +++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
>>> @@ -14,6 +14,8 @@ SRC_URI += " \
>>>      file://x86_64_defconfig \
>>>      file://no-ubifs-fs.cfg \
>>>      file://no-root-nfs.cfg;apply=no"
>>> +SRC_URI:append:stm32mp15x = " \
>>> +    file://ftpm-module.cfg"
>>>  
>>>  SRC_URI[sha256sum] =
>>> "fc933f5b13066cfa54aacb5e86747a167bad1d8d23972e4a03ab5ee36c29798a"
>>>  
>>> -- 
>>> 2.35.3
>>>
>>
>> This patch seems to make CI fail at "CrossTest.test_cross" build.
>>
>> In this test we build in parallel two "armhf" targets that both use
>> "mainline" kernel - stm32mp15x-bullseye and de0-nano-soc-bullseye.
>>
>> Due to the same distro/kernel/arch they are both build in parallel in
>> the same workdir (build/tmp/work/debian-bullseye-armhf/linux-
>> mainline/5.4.203-r0) but due to "append:stm32mp15x" they should use
>> different kernel config. This causes two parallel confliction builds
>> and results in some weird error:
>>
>> ```
>> cat: /workspace/build/isar_ub_devel_fast/469/build/tmp/work/debian-
>> bullseye-armhf/linux-mainline/5.4.203-r0/rootfs/dpkg_partial.log: No
>> such file or directory
>> ```
>>
>> By the way, NoCrossTest.test_nocross doesn't fail since it doesn't
>> build another bullseye/armhf linux-mainline in parallel with one for
>> stm32mp15x.
>>
> 
> There are two possible ways to fix the issue:
>  1. use "ftpm-module" config fragment not only for stm32mp15x (either
> globally, either only for armhf targets)
>  2. split "linux-mainline" build
> 
> We would actually prefer way [1] since it doesn't increase build time
> in CI. Some additional modules should not be a problem even if they are
> not really used/required.
> 
> I'm going to make a local fix (e.g., use ftpm fragment for all targets)
> and to check if it works.

Thanks, fine with me.

Jan

-- 
Siemens AG, Technology
Linux Expert Center

Re: [PATCH v3 04/11] linux-mainline: Add fTPM support

[Uladzimir Bely]

On Wed, 2023-07-26 at 11:32 +0200, Jan Kiszka wrote:
> On 26.07.23 10:31, Uladzimir Bely wrote:
> > On Tue, 2023-07-25 at 16:43 +0300, Uladzimir Bely wrote:
> > > On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users
> > > wrote:
> > > > From: Jan Kiszka <jan.kiszka@siemens.com>
> > > > 
> > > > Needed for the stm32mp15x demo of fTPM.
> > > > 
> > > > Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> > > > ---
> > > >  meta-isar/recipes-kernel/linux/files/ftpm-module.cfg     | 3
> > > > +++
> > > >  meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb | 2
> > > > ++
> > > >  2 files changed, 5 insertions(+)
> > > >  create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-
> > > > module.cfg
> > > > 
> > > > diff --git a/meta-isar/recipes-kernel/linux/files/ftpm-
> > > > module.cfg
> > > > b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> > > > new file mode 100644
> > > > index 00000000..f47620bc
> > > > --- /dev/null
> > > > +++ b/meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
> > > > @@ -0,0 +1,3 @@
> > > > +CONFIG_TEE=m
> > > > +CONFIG_OPTEE=m
> > > > +CONFIG_TCG_FTPM_TEE=m
> > > > diff --git a/meta-isar/recipes-kernel/linux/linux-
> > > > mainline_5.4.203.bb
> > > > b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> > > > index 76f73f02..27ebf131 100644
> > > > --- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> > > > +++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.203.bb
> > > > @@ -14,6 +14,8 @@ SRC_URI += " \
> > > >      file://x86_64_defconfig \
> > > >      file://no-ubifs-fs.cfg \
> > > >      file://no-root-nfs.cfg;apply=no"
> > > > +SRC_URI:append:stm32mp15x = " \
> > > > +    file://ftpm-module.cfg"
> > > >  
> > > >  SRC_URI[sha256sum] =
> > > > "fc933f5b13066cfa54aacb5e86747a167bad1d8d23972e4a03ab5ee36c2979
> > > > 8a"
> > > >  
> > > > -- 
> > > > 2.35.3
> > > > 
> > > 
> > > This patch seems to make CI fail at "CrossTest.test_cross" build.
> > > 
> > > In this test we build in parallel two "armhf" targets that both
> > > use
> > > "mainline" kernel - stm32mp15x-bullseye and de0-nano-soc-
> > > bullseye.
> > > 
> > > Due to the same distro/kernel/arch they are both build in
> > > parallel in
> > > the same workdir (build/tmp/work/debian-bullseye-armhf/linux-
> > > mainline/5.4.203-r0) but due to "append:stm32mp15x" they should
> > > use
> > > different kernel config. This causes two parallel confliction
> > > builds
> > > and results in some weird error:
> > > 
> > > ```
> > > cat:
> > > /workspace/build/isar_ub_devel_fast/469/build/tmp/work/debian-
> > > bullseye-armhf/linux-mainline/5.4.203-r0/rootfs/dpkg_partial.log:
> > > No
> > > such file or directory
> > > ```
> > > 
> > > By the way, NoCrossTest.test_nocross doesn't fail since it
> > > doesn't
> > > build another bullseye/armhf linux-mainline in parallel with one
> > > for
> > > stm32mp15x.
> > > 
> > 
> > There are two possible ways to fix the issue:
> >  1. use "ftpm-module" config fragment not only for stm32mp15x
> > (either
> > globally, either only for armhf targets)
> >  2. split "linux-mainline" build
> > 
> > We would actually prefer way [1] since it doesn't increase build
> > time
> > in CI. Some additional modules should not be a problem even if they
> > are
> > not really used/required.
> > 
> > I'm going to make a local fix (e.g., use ftpm fragment for all
> > targets)
> > and to check if it works.
> 
> Thanks, fine with me.
> 
> Jan
> 

Fast CI passed now, when I added ftpm-module fragment globally.

But suddenly I again got full CI failed with the older "No rule to make
target 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c" problem. E.g., patch
11 (fix parallel build issues) was applied, but didn't help this time. 

Re: [PATCH v3 11/11] optee-ftpm-stm32mp15x: Add patch to fix parallel build issues

[Uladzimir Bely]

On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  .../0001-Fix-parallel-build-of-optee_ta.patch | 45
> +++++++++++++++++++
>  .../optee-ftpm-stm32mp15x_0~230316+git.bb     |  1 +
>  2 files changed, 46 insertions(+)
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch
> 
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-
> ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
> new file mode 100644
> index 00000000..4ee20f41
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-
> of-optee_ta.patch
> @@ -0,0 +1,45 @@
> +From ff34f1a64bd5dbc83df26cfc8e74478f854a0acf Mon Sep 17 00:00:00
> 2001
> +From: Jan Kiszka <jan.kiszka@siemens.com>
> +Date: Thu, 20 Jul 2023 16:32:26 +0200
> +Subject: [PATCH] Fix parallel build of optee_ta
> +
> +The symlink must be established prio to building any of the source
> files
> +of WolfSSL, or things will fail:
> +
> +       TA_CROSS_COMPILE= \
> +       TA_CPU=cortex-a7 \
> +       TA_DEV_KIT_DIR=/usr/lib/optee-os/stm32mp15x/export-ta_arm32 \
> +       CFG_TEE_TA_LOG_LEVEL=2 \
> +       CFG_FTPM_USE_WOLF=y \
> +       /usr/bin/make -j 24
> +make[2]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-
> FirmwareTPM/optee_ta'
> +/usr/bin/make -C fTPM CROSS_COMPILE=
> +make[3]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-
> FirmwareTPM/optee_ta/fTPM'
> +Checking symlink to the TPM folder: /<<PKGBUILDDIR>>
> +Checking symlink to the WolfSSL folder:
> /<<PKGBUILDDIR>>/external/wolfssl
> +Establishing symlink.
> +  CC      ../out/fTPM/platform/Cancel.o
> +Establishing symlink.
> +  CC      ../out/fTPM/platform/AdminPPI.o
> +  CC      ../out/fTPM/platform/Entropy.o
> +make[3]: *** No rule to make target
> 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c', needed by
> '../out/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o'.  Stop.
> +make[3]: *** Waiting for unfinished jobs....
> +
> +Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> +---
> + Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> +index 0a43f46..eb239e3 100644
> +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> +@@ -56,3 +56,5 @@ srcs-y += wolf_symlink/wolfcrypt/src/tfm.c
> + srcs-y += wolf_symlink/wolfcrypt/src/wolfmath.c
> + srcs-y += wolf_symlink/wolfcrypt/src/des3.c
> + srcs-y += wolf_symlink/wolfcrypt/src/random.c
> ++
> ++$(srcs-y): wolf_symlink
> +-- 
> +2.35.3
> +
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-
> ftpm-stm32mp15x_0~230316+git.bb
> index 441bc4ac..c92620e1 100644
> --- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> @@ -12,6 +12,7 @@ SRC_URI += " \
>     
> https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
>     
> https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl
>  \
>      file://0001-add-enum-to-ta-flags.patch \
> +    file://0001-Fix-parallel-build-of-optee_ta.patch \
>      "
>  
>  SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
> -- 
> 2.35.3
> 

Caught build issue again, despite of applied patch...

Maybe patch should look like not
| +$(srcs-y): wolf_symlink
but like
| +$(srcs-y): ./lib/wolf/wolf_symlink
?

Re: [PATCH v3 11/11] optee-ftpm-stm32mp15x: Add patch to fix parallel build issues

[Uladzimir Bely]

On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
>  .../0001-Fix-parallel-build-of-optee_ta.patch | 45
> +++++++++++++++++++
>  .../optee-ftpm-stm32mp15x_0~230316+git.bb     |  1 +
>  2 files changed, 46 insertions(+)
>  create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch
> 
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-
> ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
> new file mode 100644
> index 00000000..4ee20f41
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-
> of-optee_ta.patch
> @@ -0,0 +1,45 @@
> +From ff34f1a64bd5dbc83df26cfc8e74478f854a0acf Mon Sep 17 00:00:00
> 2001
> +From: Jan Kiszka <jan.kiszka@siemens.com>
> +Date: Thu, 20 Jul 2023 16:32:26 +0200
> +Subject: [PATCH] Fix parallel build of optee_ta
> +
> +The symlink must be established prio to building any of the source
> files
> +of WolfSSL, or things will fail:
> +
> +       TA_CROSS_COMPILE= \
> +       TA_CPU=cortex-a7 \
> +       TA_DEV_KIT_DIR=/usr/lib/optee-os/stm32mp15x/export-ta_arm32 \
> +       CFG_TEE_TA_LOG_LEVEL=2 \
> +       CFG_FTPM_USE_WOLF=y \
> +       /usr/bin/make -j 24
> +make[2]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-
> FirmwareTPM/optee_ta'
> +/usr/bin/make -C fTPM CROSS_COMPILE=
> +make[3]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-
> FirmwareTPM/optee_ta/fTPM'
> +Checking symlink to the TPM folder: /<<PKGBUILDDIR>>
> +Checking symlink to the WolfSSL folder:
> /<<PKGBUILDDIR>>/external/wolfssl
> +Establishing symlink.
> +  CC      ../out/fTPM/platform/Cancel.o
> +Establishing symlink.
> +  CC      ../out/fTPM/platform/AdminPPI.o
> +  CC      ../out/fTPM/platform/Entropy.o
> +make[3]: *** No rule to make target
> 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c', needed by
> '../out/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o'.  Stop.
> +make[3]: *** Waiting for unfinished jobs....
> +
> +Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> +---
> + Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> +index 0a43f46..eb239e3 100644
> +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
> +@@ -56,3 +56,5 @@ srcs-y += wolf_symlink/wolfcrypt/src/tfm.c
> + srcs-y += wolf_symlink/wolfcrypt/src/wolfmath.c
> + srcs-y += wolf_symlink/wolfcrypt/src/des3.c
> + srcs-y += wolf_symlink/wolfcrypt/src/random.c
> ++
> ++$(srcs-y): wolf_symlink
> +-- 
> +2.35.3
> +
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-
> ftpm-stm32mp15x_0~230316+git.bb
> index 441bc4ac..c92620e1 100644
> --- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> @@ -12,6 +12,7 @@ SRC_URI += " \
>     
> https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
>     
> https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl
>  \
>      file://0001-add-enum-to-ta-flags.patch \
> +    file://0001-Fix-parallel-build-of-optee_ta.patch \
>      "
>  
>  SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
> -- 
> 2.35.3
> 

Found easy way to reproduce the issue with local build. Need to just
add small delay before symlink creation like:

diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
index 68bdfe2..a3ddade 100644
--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
+++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
@@ -45,7 +45,8 @@ endif
 	then \
 	echo Symlink already established ; \
 	else \
-	echo Establishing symlink. ; \
+	echo Establishing symlink $@. ; \
+	sleep 1 ; \
 	ln -s ../../$(TPM_ROOT) ./lib/tpm/tpm_symlink; \
 	fi
 
diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
index 0a43f46..44deafd 100644
--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
@@ -30,7 +30,8 @@ cflags-y += $(WOLF_SSL_FLAGS)
$(WOLF_WARNING_SUPPRESS)
 	then \
 	echo Symlink already established ; \
 	else \
-	echo Establishing symlink. ; \
+	echo Establishing symlink $@. ; \
+	sleep 1 ; \
 	ln -s ../../$(WOLF_ROOT) ./lib/wolf/wolf_symlink; \
 	fi
 
If makefile dependencies were OK, it would not lead to the issue. But
it is...

And, things like adding `+$(srcs-y): wolf_symlink` don't work.