* [PATCH v2 1/7] stm32mp15x: Bump optee-os to 3.21.0
From: baocheng_su @ 2023-06-21 19:22 UTC
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
...-os-stm32mp15x_3.11.0.bb => optee-os-stm32mp15x_3.21.0.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-isar/recipes-bsp/optee-os/{optee-os-stm32mp15x_3.11.0.bb => optee-os-stm32mp15x_3.21.0.bb} (81%)
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
similarity index 81%
rename from meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb
rename to meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 08676be..b605149 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -6,11 +6,11 @@
require recipes-bsp/optee-os/optee-os-custom.inc
SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
-SRC_URI[sha256sum] = "3c34eda1052fbb9ed36fcfdfaecfd2685023b9290670c1a5982f8a0457bfd2cb"
+SRC_URI[sha256sum] = "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b"
S = "${WORKDIR}/optee_os-${PV}"
-DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
OPTEE_PLATFORM = "stm32mp1"
OPTEE_EXTRA_BUILDARGS = " \
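Review bot: the commit message is empty, so the reason for the new build dependency on the `+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"` line is not recorded anywhere; one sentence naming which upstream build script now needs python3-cryptography, and whether the `python3-pycryptodome:native` default from optee-os-custom.inc is still used at all, would let the stale dependency be dropped later. The new `SRC_URI[sha256sum]` cannot be checked from the diff, so the message should also state that the tarball is the upstream 3.21.0 release archive.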
--
2.30.2
* Re: [PATCH v2 1/7] stm32mp15x: Bump optee-os to 3.21.0
From: Henning Schild @ 2023-06-22 17:50 UTC
To: baocheng_su
Cc: isar-users, jan.kiszka, felix.moessbauer, christian.storm,
quirin.gylstorff, baocheng.su
On Thu, 22 Jun 2023 03:22:11 +0800,
baocheng_su@163.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
>
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
> ...-os-stm32mp15x_3.11.0.bb => optee-os-stm32mp15x_3.21.0.bb} | 4
> ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
> rename meta-isar/recipes-bsp/optee-os/{optee-os-stm32mp15x_3.11.0.bb
> => optee-os-stm32mp15x_3.21.0.bb} (81%)
>
> diff --git
> a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb
> b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> similarity index 81% rename from
> meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb rename
> to meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb index
> 08676be..b605149 100644 ---
> a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.11.0.bb +++
> b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb @@
> -6,11 +6,11 @@ require recipes-bsp/optee-os/optee-os-custom.inc
> SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
> -SRC_URI[sha256sum] =
> "3c34eda1052fbb9ed36fcfdfaecfd2685023b9290670c1a5982f8a0457bfd2cb"
> +SRC_URI[sha256sum] =
> "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b" S
> = "${WORKDIR}/optee_os-${PV}"
> -DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
> +DEBIAN_BUILD_DEPENDS += ", device-tree-compiler,
> python3-cryptography:native"
> OPTEE_PLATFORM = "stm32mp1"
> OPTEE_EXTRA_BUILDARGS = " \
Consider updating the Copyright header from 2020 to 2020-2023 in case
there will be another version of these patches.
Henning
* [PATCH v2 2/7] Add recipe for optee TA devkit
From: baocheng_su @ 2023-06-21 19:22 UTC
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
The TA dev kit is used to build trusted applications; for details refer to
[1]. A typical use case of this devkit is a firmware TPM reference
implementation, see [2].
1. https://optee.readthedocs.io/en/3.21.0/building/trusted_applications.html
2. https://github.com/microsoft/ms-tpm-20-ref
This brings the .inc for customization, and also an example for
stm32mp15x.
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
.../optee-os/optee-os-stm32mp15x_3.21.0.bb | 25 ++--------------
...21.0.bb => optee-os-stm32mp15x_3.21.0.inc} | 17 ++---------
.../optee-os-tadevkit-stm32mp15x_3.21.0.bb | 7 +++++
.../optee-os/files/debian/control.tmpl | 4 +--
meta/recipes-bsp/optee-os/optee-os-custom.inc | 29 +++----------------
.../optee-os/optee-os-tadevkit-custom.inc | 26 +++++++++++++++++
.../{optee-os-custom.inc => optee-os.inc} | 14 +++------
7 files changed, 48 insertions(+), 74 deletions(-)
copy meta-isar/recipes-bsp/optee-os/{optee-os-stm32mp15x_3.21.0.bb => optee-os-stm32mp15x_3.21.0.inc} (57%)
create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
create mode 100644 meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
copy meta/recipes-bsp/optee-os/{optee-os-custom.inc => optee-os.inc} (62%)
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index b605149..096e263 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -1,29 +1,8 @@
#
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
#
# SPDX-License-Identifier: MIT
require recipes-bsp/optee-os/optee-os-custom.inc
+require optee-os-stm32mp15x_${PV}.inc
-SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
-SRC_URI[sha256sum] = "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b"
-
-S = "${WORKDIR}/optee_os-${PV}"
-
-DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
-
-OPTEE_PLATFORM = "stm32mp1"
-OPTEE_EXTRA_BUILDARGS = " \
- ARCH=arm CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
- CFG_TEE_CORE_LOG_LEVEL=2"
-OPTEE_BINARIES = "tee-header_v2.stm32 tee-pageable_v2.stm32 tee-pager_v2.stm32"
-
-# Set version manually to PV, the tarball does not contain any hint.
-# Alternative: pull from git and add git as build dependency.
-dpkg_runbuild:prepend() {
- grep -q "^export TEE_IMPL_VERSION" ${S}/debian/rules ||
- cat << EOF >> ${S}/debian/rules
-
-export TEE_IMPL_VERSION=${PV}
-EOF
-}
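Review bot: `+require optee-os-stm32mp15x_${PV}.inc` ties this recipe to an include whose filename must carry the same version, so the next bump has to rename the .bb and the .inc in lockstep. That is workable, but a one-line comment above the `require` saying the .inc is versioned on purpose (it is shared with the tadevkit recipe added below) would stop someone from "simplifying" it to an unversioned include and silently pinning the devkit to an old tree.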
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
similarity index 57%
copy from meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
copy to meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
index b605149..cbf6974 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.inc
@@ -1,11 +1,9 @@
#
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
#
# SPDX-License-Identifier: MIT
-require recipes-bsp/optee-os/optee-os-custom.inc
-
-SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
+SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz;downloadfilename=optee_os-${PV}.tar.gz"
SRC_URI[sha256sum] = "92a16e841b0bdb4bfcb1c20b6a1bd3309092203d534ed167dfdb5a5f395bf60b"
S = "${WORKDIR}/optee_os-${PV}"
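Review bot: the `;downloadfilename=optee_os-${PV}.tar.gz` added on the `+SRC_URI` line is not cosmetic and deserves a sentence in the commit message. Without it the fetched file is stored as `3.21.0.tar.gz`, and patch 3/7 fetches `https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz` with the same PV, so two different archives with different sha256sums would compete for one name in the download directory and one of the fetches would fail its checksum. Stating that makes sure nobody later removes the parameter as noise.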
@@ -14,16 +12,7 @@ DEBIAN_BUILD_DEPENDS += ", device-tree-compiler, python3-cryptography:native"
OPTEE_PLATFORM = "stm32mp1"
OPTEE_EXTRA_BUILDARGS = " \
+ TEE_IMPL_VERSION=${PV} \
ARCH=arm CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
CFG_TEE_CORE_LOG_LEVEL=2"
OPTEE_BINARIES = "tee-header_v2.stm32 tee-pageable_v2.stm32 tee-pager_v2.stm32"
-
-# Set version manually to PV, the tarball does not contain any hint.
-# Alternative: pull from git and add git as build dependency.
-dpkg_runbuild:prepend() {
- grep -q "^export TEE_IMPL_VERSION" ${S}/debian/rules ||
- cat << EOF >> ${S}/debian/rules
-
-export TEE_IMPL_VERSION=${PV}
-EOF
-}
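Review bot: passing `+ TEE_IMPL_VERSION=${PV} \` through `OPTEE_EXTRA_BUILDARGS` is cleaner than appending an `export` to `debian/rules` at build time, but the removed comment (`# Set version manually to PV, the tarball does not contain any hint.`) was the only explanation of why the version is forced at all. Keep a short comment next to the new line; otherwise it reads like an arbitrary build flag that can be dropped, and the resulting TEE would report an empty or wrong version string.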
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
new file mode 100644
index 0000000..2be7a9d
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-tadevkit-stm32mp15x_3.21.0.bb
@@ -0,0 +1,7 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
+require optee-os-stm32mp15x_${PV}.inc
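Review bot: this recipe compiles the whole optee_os tree a second time, with the same `OPTEE_EXTRA_BUILDARGS` from the shared .inc, only to harvest the `export-ta_*` directory. Since both recipes now `require optee-os-stm32mp15x_${PV}.inc`, consider emitting the devkit as a second binary package of the optee-os recipe instead; that halves the build and guarantees the devkit headers match the exact TEE core that ships in the image. If a separate recipe is intentional (for instance to decouple build times), the commit message should say so.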
diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
index 60b3927..fdf898e 100644
--- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -5,6 +5,6 @@ Standards-Version: 3.9.6
Build-Depends: ${DEBIAN_BUILD_DEPENDS}
Maintainer: ISAR project <isar-users@googlegroups.com>
-Package: optee-os-${OPTEE_NAME}
+Package: ${DEBIAN_PACKAGE_NAME}
Architecture: ${DISTRO_ARCH}
-Description: ${DESCRIPTION}, firmware binaries
+Description: ${DESCRIPTION}
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
index d48827a..abe46e8 100644
--- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
+++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
@@ -1,38 +1,17 @@
# Custom OP-TEE OS build
#
# This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
#
# SPDX-License-Identifier: MIT
-inherit dpkg
+require optee-os.inc
-FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
-
-SRC_URI += "file://debian/"
-
-DESCRIPTION ?= "Custom OP-TEE OS"
-
-OPTEE_NAME ?= "${MACHINE}"
-OPTEE_PLATFORM ?= "unknown"
-OPTEE_EXTRA_BUILDARGS ?= ""
-OPTEE_BINARIES ?= "tee-pager_v2.bin"
-
-DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+DESCRIPTION:append = ", firmware binaries"
PROVIDES += "optee-os-${OPTEE_NAME}"
-TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
-
-# split strip platform flavor, if any, from the specified platform string
-OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
-
-do_prepare_build() {
- cp -r ${WORKDIR}/debian ${S}/
-
- deb_add_changelog
-
+do_prepare_build:append() {
rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
for binary in ${OPTEE_BINARIES}; do
echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
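Review bot: `PROVIDES += "optee-os-${OPTEE_NAME}"` and the `rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install` line in `do_prepare_build:append()` still spell the package name out by hand, although optee-os.inc now defines `DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"` and the tadevkit include already uses `PROVIDES += "${DEBIAN_PACKAGE_NAME}"`. Use the variable in both places and in the `.install` filename written inside the loop: a recipe that overrides `DEBIAN_PACKAGE_NAME` would otherwise get its `Package:` stanza from the template but an `.install` file for a package that no longer exists, and the firmware binaries would be missing from the .deb without any build error.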
diff --git a/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
new file mode 100644
index 0000000..cfb2cfd
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/optee-os-tadevkit-custom.inc
@@ -0,0 +1,26 @@
+# Custom OP-TEE OS build for TA devkit
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+require optee-os.inc
+
+DEBIAN_PACKAGE_NAME = "optee-os-tadevkit-${OPTEE_NAME}"
+DESCRIPTION:append = ", trust application development kit."
+
+PROVIDES += "${DEBIAN_PACKAGE_NAME}"
+
+do_prepare_build:append() {
+ if [ "${DISTRO_ARCH}" = "arm64" ]; then
+ TADEVKIT_DIR="export-ta_arm64"
+ elif [ "${DISTRO_ARCH}" = "armhf" ]; then
+ TADEVKIT_DIR="export-ta_arm32"
+ else
+ bbfatal "${DISTRO_ARCH} does not have a compat arch for optee TA devkit!"
+ fi
+
+ echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/${TADEVKIT_DIR} /usr/lib/optee-os/${OPTEE_NAME}/" > \
+ ${S}/debian/optee-os-tadevkit-${OPTEE_NAME}.install
+}
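Review bot: `+DESCRIPTION:append = ", trust application development kit."` should read "trusted application", and the trailing period does not match the `, firmware binaries` append in optee-os-custom.inc; both strings end up as package short descriptions, so align them. In `do_prepare_build:append()` the `.install` filename hardcodes `optee-os-tadevkit-${OPTEE_NAME}` although `DEBIAN_PACKAGE_NAME` is defined a few lines above; use the variable so the two cannot diverge. Rejecting every `DISTRO_ARCH` other than `arm64` and `armhf` with `bbfatal` is the right default, but a comment that `export-ta_arm64` and `export-ta_arm32` follow OP-TEE's own naming rather than the Debian architecture would explain the mapping.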
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os.inc
similarity index 62%
copy from meta/recipes-bsp/optee-os/optee-os-custom.inc
copy to meta/recipes-bsp/optee-os/optee-os.inc
index d48827a..198746b 100644
--- a/meta/recipes-bsp/optee-os/optee-os-custom.inc
+++ b/meta/recipes-bsp/optee-os/optee-os.inc
@@ -1,7 +1,7 @@
# Custom OP-TEE OS build
#
# This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2020
+# Copyright (c) Siemens AG, 2020-2023
#
# SPDX-License-Identifier: MIT
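Review bot: the header still says `# Custom OP-TEE OS build`, which is now the description of optee-os-custom.inc; since this file becomes the shared base that both the firmware and the tadevkit includes `require`, describe it as such so readers know which of the two files to edit.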
@@ -18,12 +18,12 @@ OPTEE_PLATFORM ?= "unknown"
OPTEE_EXTRA_BUILDARGS ?= ""
OPTEE_BINARIES ?= "tee-pager_v2.bin"
-DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
-PROVIDES += "optee-os-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
+TEMPLATE_VARS += "DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
# split strip platform flavor, if any, from the specified platform string
OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
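Review bot: removing `DEBIAN_BUILD_DEPENDS ?= ...` and adding it back two lines lower, only to slot `+DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"` in between, makes the diff look like a semantic change where there is none. Inserting the new variable after the existing line keeps the hunk to the two real changes (the new variable and the `TEMPLATE_VARS` entry) plus the removed `PROVIDES`, which moves to the flavour-specific includes.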
@@ -32,10 +32,4 @@ do_prepare_build() {
cp -r ${WORKDIR}/debian ${S}/
deb_add_changelog
-
- rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
- for binary in ${OPTEE_BINARIES}; do
- echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
- ${S}/debian/optee-os-${OPTEE_NAME}.install
- done
}
--
2.30.2
* [PATCH v2 3/7] Add recipe for optee-client
From: baocheng_su @ 2023-06-21 19:22 UTC
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
optee-client provides the userland library for communicating with the
trusted applications running in OP-TEE.
It also provides an optee-client-dev package for developing host
applications that talk to the TA counterpart.
Also a userland daemon, tee-supplicant, is provided to serve the trusted
applications with user-land resources such as RPMB access.
This brings the .inc for customization, and also a demo recipe for
stm32mp15x.
The debianization is learnt from the Debian official package. The
tee-supplicant.service is refined by Jan to fix some timing issues.
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
meta-isar/conf/machine/stm32mp15x.conf | 2 +-
.../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
.../optee-client/files/debian/compat | 1 +
.../optee-client/files/debian/control.tmpl | 51 +++++++++++++++++++
.../optee-client/files/debian/rules.tmpl | 27 ++++++++++
.../files/debian/tee-supplicant.service | 21 ++++++++
.../optee-client/optee-client-custom.inc | 41 +++++++++++++++
7 files changed, 160 insertions(+), 1 deletion(-)
create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl
create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc
diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 4fa4051..0b200d2 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
-IMAGE_INSTALL += "u-boot-script"
+IMAGE_INSTALL += "u-boot-script tee-supplicant"
diff --git a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
new file mode 100644
index 0000000..18525e3
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
@@ -0,0 +1,18 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require recipes-bsp/optee-client/optee-client-custom.inc
+
+SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
+SRC_URI[sha256sum] = "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026"
+
+S = "${WORKDIR}/optee_client-${PV}"
+
+# Use RPMB emulation
+RPMB_EMU_BUILD_OPT = ""
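Review bot: `+RPMB_EMU_BUILD_OPT = ""` under the comment `# Use RPMB emulation` enables emulation by leaving the option out, which reads backwards and is easy to misapply; the naming is already being discussed in the thread. Independently of how the variable is spelled, the demo recipe should state that emulated RPMB lives inside tee-supplicant in the normal world, so the rollback protection that OP-TEE's RPMB-backed secure storage is meant to provide does not hold on this configuration; it is fine for a development image and should be labelled as such.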
diff --git a/meta/recipes-bsp/optee-client/files/debian/compat b/meta/recipes-bsp/optee-client/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
new file mode 100644
index 0000000..6c68b1d
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
@@ -0,0 +1,51 @@
+Source: ${PN}
+Priority: optional
+Maintainer: Unknown maintainer <unknown@example.com>
+Build-Depends: pkg-config, uuid-dev
+Standards-Version: 4.1.3
+Section: libs
+Homepage: https://github.com/OP-TEE/optee_client
+Rules-Requires-Root: no
+
+Package: optee-client-dev
+Section: libdevel
+Architecture: ${DISTRO_ARCH}
+Multi-Arch: same
+Depends: libteec1 (= ${binary:Version}),
+ ${misc:Depends}
+Description: normal world user space client APIs for OP-TEE (development)
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains the development files OpTEE Client API
+
+Package: libteec1
+Architecture: ${DISTRO_ARCH}
+Multi-Arch: same
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: normal world user space client APIs for OP-TEE
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains libteec library.
+
+Package: tee-supplicant
+Architecture: ${DISTRO_ARCH}
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: normal world user space client APIs for OP-TEE
+ OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
+ non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
+ technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
+ exposed to Trusted Applications and the TEE Client API v1.0, which is the
+ API describing how to communicate with a TEE. This package provides the TEE
+ Client API library.
+ .
+ This package contains tee-supplicant executable.
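Review bot: `+Maintainer: Unknown maintainer <unknown@example.com>` differs from the `ISAR project <isar-users@googlegroups.com>` used by the optee-os control template in patch 2/7; pick one. The `tee-supplicant` stanza reuses the library short description `normal world user space client APIs for OP-TEE` although it ships a daemon, and the dev stanza's `This package contains the development files OpTEE Client API` is missing "for the". Cosmetic, but these strings are what `apt show` prints on the target.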
diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
new file mode 100755
index 0000000..a0a8983
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+#
+# Debian rules for custom OP-TEE Client build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+%:
+ dh $@ --exclude=.a
+
+override_dh_auto_build:
+ dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
+ CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
+
+override_dh_auto_install:
+ dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
+ CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
+
+override_dh_auto_clean:
+ dh_auto_clean
+ rm -rf $(CURDIR)/out
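Review bot: the argument list `LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}` is duplicated verbatim in `override_dh_auto_build` and `override_dh_auto_install`; put it in one make variable so the two targets cannot drift apart, since `CFG_TEE_FS_PARENT_PATH` is compiled into the supplicant and a mismatch between the two invocations would not be reported by anything.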
diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
new file mode 100644
index 0000000..4508a14
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
@@ -0,0 +1,21 @@
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+[Unit]
+Description=TEE Supplicant
+DefaultDependencies=no
+Before=systemd-remount-fs.service shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Start if not already started by the initramfs hook
+ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d'
+ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true'
+ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
+ExecStop=/usr/bin/pkill tee-supplicant
+
+[Install]
+WantedBy=sysinit.target
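Review bot: with `Type=oneshot`, `RemainAfterExit=yes` and `tee-supplicant -d` daemonising itself, systemd never learns the supplicant's PID: if it dies, the unit stays `active (exited)`, nothing restarts it, and every TA that depends on REE file system or RPMB RPCs blocks until someone notices. If the initramfs-hook case (`/usr/bin/pgrep tee-supplicant >/dev/null || ...`) really requires this shape, say so in a comment and consider a watchdog; otherwise running the supplicant in the foreground under `Type=exec` with `Restart=on-failure` is the safer default. The two `ExecStop` lines also bake knowledge of `efivars` and `tpm_ftpm_tee` into a generic optee-client unit; a comment that these consumers must release the TEE before the supplicant is killed would explain the ordering to the next reader.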
diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc b/meta/recipes-bsp/optee-client/optee-client-custom.inc
new file mode 100644
index 0000000..5c88dad
--- /dev/null
+++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
@@ -0,0 +1,41 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+DESCRIPTION = "OPTee Client"
+
+PROVIDES = "libteec1 optee-client-dev tee-supplicant"
+
+SRC_URI += "file://debian"
+
+TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
+# To use the builtin RPMB emulation, empty this
+RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
+
+TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
+TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+ cp -r ${WORKDIR}/debian ${S}/
+
+ deb_add_changelog
+
+ echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
+ echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
+ echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs
+
+ echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
+
+ echo "usr/include/*" > ${S}/debian/optee-client-dev.install
+ echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
+}
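Review bot: `+PROVIDES = "libteec1 optee-client-dev tee-supplicant"` assigns with `=`, whereas the optee-os includes use `+=`; a recipe that adds to `PROVIDES` before the `require` silently loses those entries. The install globs also mix an absolute `/usr/sbin/*` with relative `usr/lib/*/...` paths; dh_install accepts both, but one style is easier to audit. The `do_prepare_build[cleandirs] += "${S}/debian"` line is a good addition, as it keeps stale `.install` files from a previous run out of the package.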
--
2.30.2
* Re: [PATCH v2 3/7] Add recipe for optee-client
From: Jan Kiszka @ 2023-06-22 5:52 UTC
To: baocheng_su, isar-users, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su
On 21.06.23 21:22, baocheng_su@163.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
>
> optee-client provides the userland library for communicating with the
> trusted applications running in OP-TEE.
>
> It also provides an optee-client-dev package for developing host
> applications that talk to the TA counterpart.
>
> Also a userland daemon, tee-supplicant, is provided to serve the trusted
> applications with user-land resources such as RPMB access.
>
> This brings the .inc for customization, and also a demo recipe for
> stm32mp15x.
>
> The debianization is learnt from the Debian official package. The
> tee-supplicant.service is refined by Jan to fix some timing issues.
>
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
> .../optee-client/files/debian/compat | 1 +
> .../optee-client/files/debian/control.tmpl | 51 +++++++++++++++++++
> .../optee-client/files/debian/rules.tmpl | 27 ++++++++++
> .../files/debian/tee-supplicant.service | 21 ++++++++
> .../optee-client/optee-client-custom.inc | 41 +++++++++++++++
> 7 files changed, 160 insertions(+), 1 deletion(-)
> create mode 100644 meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
> create mode 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
> create mode 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> create mode 100644 meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> create mode 100644 meta/recipes-bsp/optee-client/optee-client-custom.inc
>
> diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
> index 4fa4051..0b200d2 100644
> --- a/meta-isar/conf/machine/stm32mp15x.conf
> +++ b/meta-isar/conf/machine/stm32mp15x.conf
> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
> IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
>
> -IMAGE_INSTALL += "u-boot-script"
> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
> diff --git a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> new file mode 100644
> index 0000000..18525e3
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> @@ -0,0 +1,18 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require recipes-bsp/optee-client/optee-client-custom.inc
> +
> +SRC_URI += "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
> +SRC_URI[sha256sum] = "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026"
> +
> +S = "${WORKDIR}/optee_client-${PV}"
> +
> +# Use RPMB emulation
> +RPMB_EMU_BUILD_OPT = ""
> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat b/meta/recipes-bsp/optee-client/files/debian/compat
> new file mode 100644
> index 0000000..f599e28
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> new file mode 100644
> index 0000000..6c68b1d
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> @@ -0,0 +1,51 @@
> +Source: ${PN}
> +Priority: optional
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: pkg-config, uuid-dev
> +Standards-Version: 4.1.3
> +Section: libs
> +Homepage: https://github.com/OP-TEE/optee_client
> +Rules-Requires-Root: no
> +
> +Package: optee-client-dev
> +Section: libdevel
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: libteec1 (= ${binary:Version}),
> + ${misc:Depends}
> +Description: normal world user space client APIs for OP-TEE (development)
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains the development files OpTEE Client API
> +
> +Package: libteec1
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains libteec library.
> +
> +Package: tee-supplicant
> +Architecture: ${DISTRO_ARCH}
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which is the
> + API describing how to communicate with a TEE. This package provides the TEE
> + Client API library.
> + .
> + This package contains tee-supplicant executable.
> diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> new file mode 100755
> index 0000000..a0a8983
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> @@ -0,0 +1,27 @@
> +#!/usr/bin/make -f
> +#
> +# Debian rules for custom OP-TEE Client build
> +#
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +%:
> + dh $@ --exclude=.a
> +
> +override_dh_auto_build:
> + dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
> +
> +override_dh_auto_install:
> + dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}
> +
> +override_dh_auto_clean:
> + dh_auto_clean
> + rm -rf $(CURDIR)/out
> diff --git a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> new file mode 100644
> index 0000000..4508a14
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> @@ -0,0 +1,21 @@
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +[Unit]
> +Description=TEE Supplicant
> +DefaultDependencies=no
> +Before=systemd-remount-fs.service shutdown.target
> +Conflicts=shutdown.target
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +# Start if not already started by the initramfs hook
> +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null || /usr/sbin/tee-supplicant -d'
> +ExecStop=/bin/sh -c '/usr/bin/findmnt /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount /sys/firmware/efi/efivars || true'
> +ExecStop=/bin/sh -c '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$" >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
> +ExecStop=/usr/bin/pkill tee-supplicant
> +
> +[Install]
> +WantedBy=sysinit.target
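Review bot: with `Type=oneshot`, `RemainAfterExit=yes` and the daemonising `tee-supplicant -d` in `ExecStart`, systemd never learns the supplicant's PID, so if it dies later the unit stays "active" and nothing restarts it; trusted applications that depend on REE secure storage or RPMB then fail without any unit-level signal, and `systemctl is-active tee-supplicant` cannot be used as a health check. The `pgrep ... ||` guard shows why a plain `Type=simple` service cannot be used when the initramfs hook may already have started the daemon, so that trade-off deserves a comment next to it. Also, `pgrep tee-supplicant` and `pkill tee-supplicant` match the pattern as a regex against any process name that contains it; adding `-x` makes both matches exact.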
> diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc b/meta/recipes-bsp/optee-client/optee-client-custom.inc
> new file mode 100644
> index 0000000..5c88dad
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
> @@ -0,0 +1,41 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg
> +
> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> +
> +DESCRIPTION = "OPTee Client"
> +
> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
> +
> +SRC_URI += "file://debian"
> +
> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
> +# To use the builtin RPMB emulation, empty this
> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
Why not define RPMB_EMU ?= "0" directly at recipe level and then
add "RPMB_EMU=${RPMB_EMU}" to the rules file? Or even just accept
a generic build option from the user of optee-client-custom.inc so that
the stm32 demo above could set its RPMB_EMU=1 that way? Similar to
OPTEE_EXTRA_BUILDARGS in optee-os-custom.inc.

> +
> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> + cp -r ${WORKDIR}/debian ${S}/
> +
> + deb_add_changelog
> +
> + echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
> + echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
> + echo "usr/lib/tee-supplicant/plugins/" >> ${S}/debian/tee-supplicant.dirs
> +
> + echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
> +
> + echo "usr/include/*" > ${S}/debian/optee-client-dev.install
> + echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
> +}
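Review bot: `echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install` uses an absolute path while every other `.install` and `.dirs` entry written here is relative; debhelper accepts both, but mixing the two styles invites a wrong glob the next time someone copies a line, so `usr/sbin/*` would be consistent. Minor: `DESCRIPTION = "OPTee Client"` should read "OP-TEE Client", matching the project name used in the rules file header.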
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [PATCH v2 3/7] Add recipe for optee-client
2023-06-21 19:22 ` [PATCH v2 3/7] Add recipe for optee-client baocheng_su
2023-06-22 5:52 ` Jan Kiszka
@ 2023-06-22 18:00 ` Henning Schild
2023-06-22 18:36 ` Jan Kiszka
2023-06-22 18:02 ` Henning Schild
2 siblings, 1 reply; 20+ messages in thread
From: Henning Schild @ 2023-06-22 18:00 UTC (permalink / raw)
To: baocheng_su
Cc: isar-users, jan.kiszka, felix.moessbauer, christian.storm,
quirin.gylstorff, baocheng.su
Am Thu, 22 Jun 2023 03:22:13 +0800
schrieb baocheng_su@163.com:
> From: Baocheng Su <baocheng.su@siemens.com>
>
> optee-client provides the userland library for communicating with the
> trusted applications running in OP-TEE.
>
> It also provides an optee-client-dev package for developing host
> application that talks to the TA counterpart.
>
> Also a user land daemon tee-supplicant is provided to serve the
> trusted applications for user-land resources such as RPMB accessing.
>
> This brings the .inc for customization, and also a demo recipe for
> stm32mp15x.
>
> The debianization is learnt from the debian official package. The
> tee-supplicant.service is refined by Jan to fix some timing issues.
>
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
> .../optee-client/files/debian/compat | 1 +
> .../optee-client/files/debian/control.tmpl | 51
> +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl |
> 27 ++++++++++ .../files/debian/tee-supplicant.service | 21
> ++++++++ .../optee-client/optee-client-custom.inc | 41
> +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-)
> create mode 100644
> meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
> create mode 100644
> meta/recipes-bsp/optee-client/files/debian/control.tmpl create mode
> 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl create
> mode 100644
> meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> create mode 100644
> meta/recipes-bsp/optee-client/optee-client-custom.inc
>
> diff --git a/meta-isar/conf/machine/stm32mp15x.conf
> b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2 100644
> --- a/meta-isar/conf/machine/stm32mp15x.conf
> +++ b/meta-isar/conf/machine/stm32mp15x.conf
> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x
> u-boot-stm32mp15x" IMAGER_BUILD_DEPS +=
> "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
> -IMAGE_INSTALL += "u-boot-script"
> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
> diff --git
> a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> new file mode 100644 index 0000000..18525e3 --- /dev/null
> +++
> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> @@ -0,0 +1,18 @@ +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require recipes-bsp/optee-client/optee-client-custom.inc
> +
> +SRC_URI +=
> "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
> +SRC_URI[sha256sum] =
> "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026" +
> +S = "${WORKDIR}/optee_client-${PV}" +
> +# Use RPMB emulation
> +RPMB_EMU_BUILD_OPT = ""
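Review bot: the comment `# Use RPMB emulation` above `RPMB_EMU_BUILD_OPT = ""` should state what that costs: with emulation enabled the supplicant keeps the "RPMB" contents in an ordinary file in normal-world storage, so OP-TEE secure storage loses the anti-rollback and tamper-evidence guarantees that a real eMMC RPMB partition provides, and anyone with root in the REE can roll trusted-application state back or erase it. That is acceptable for a demo board image, but since this stm32mp15x recipe is the template others will copy, a comment saying it is not suitable for production builds belongs right here.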
> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat
> b/meta/recipes-bsp/optee-client/files/debian/compat new file mode
> 100644 index 0000000..f599e28
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file
> mode 100644 index 0000000..6c68b1d
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> @@ -0,0 +1,51 @@
Since there is that ".service" file I would expect a "Depends: systemd"
somewhere in here.
You wrote that the debianization is copied/inspired from somewhere,
maybe that Depends needs to be upstreamed.
Henning
> +Source: ${PN}
> +Priority: optional
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: pkg-config, uuid-dev
> +Standards-Version: 4.1.3
> +Section: libs
> +Homepage: https://github.com/OP-TEE/optee_client
> +Rules-Requires-Root: no
> +
> +Package: optee-client-dev
> +Section: libdevel
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: libteec1 (= ${binary:Version}),
> + ${misc:Depends}
> +Description: normal world user space client APIs for OP-TEE
> (development)
> + OP-TEE is a Trusted Execution Environment (TEE) designed as
> companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the
> TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
> the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which
> is the
> + API describing how to communicate with a TEE. This package provides
> the TEE
> + Client API library.
> + .
> + This package contains the development files OpTEE Client API
> +
> +Package: libteec1
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as
> companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the
> TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
> the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which
> is the
> + API describing how to communicate with a TEE. This package provides
> the TEE
> + Client API library.
> + .
> + This package contains libteec library.
> +
> +Package: tee-supplicant
> +Architecture: ${DISTRO_ARCH}
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as
> companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the
> TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
> the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which
> is the
> + API describing how to communicate with a TEE. This package provides
> the TEE
> + Client API library.
> + .
> + This package contains tee-supplicant executable.
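Review bot: the `tee-supplicant` stanza ships a systemd unit (debhelper picks up `debian/tee-supplicant.service` for it) yet its `Depends: ${misc:Depends}, ${shlibs:Depends}` names no init system, which is the gap Henning raises above; likewise `Build-Depends: pkg-config, uuid-dev` omits `debhelper` although `debian/rules` invokes `dh`, so unless the Isar build chroot guarantees it, it should be declared. The long description is copy-pasted into all three stanzas, so both `optee-client-dev` and `tee-supplicant` claim "This package provides the TEE Client API library."; that sentence belongs only in the `libteec1` stanza. `Maintainer: Unknown maintainer <unknown@example.com>` could use the layer's `${MAINTAINER}` template variable if it is available to this template.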
> diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl new file mode
> 100755 index 0000000..a0a8983
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> @@ -0,0 +1,27 @@
> +#!/usr/bin/make -f
> +#
> +# Debian rules for custom OP-TEE Client build
> +#
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +%:
> + dh $@ --exclude=.a
> +
> +override_dh_auto_build:
> + dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
> ${RPMB_EMU_BUILD_OPT} +
> +override_dh_auto_install:
> + dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
> ${RPMB_EMU_BUILD_OPT} +
> +override_dh_auto_clean:
> + dh_auto_clean
> + rm -rf $(CURDIR)/out
> diff --git
> a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> new file mode 100644 index 0000000..4508a14 --- /dev/null
> +++
> b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> @@ -0,0 +1,21 @@ +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +[Unit]
> +Description=TEE Supplicant
> +DefaultDependencies=no
> +Before=systemd-remount-fs.service shutdown.target
> +Conflicts=shutdown.target
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +# Start if not already started by the initramfs hook
> +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null ||
> /usr/sbin/tee-supplicant -d' +ExecStop=/bin/sh -c '/usr/bin/findmnt
> /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount
> /sys/firmware/efi/efivars || true' +ExecStop=/bin/sh -c
> '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$"
> >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
> >+ExecStop=/usr/bin/pkill tee-supplicant + +[Install]
> +WantedBy=sysinit.target
> diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc
> b/meta/recipes-bsp/optee-client/optee-client-custom.inc new file mode
> 100644 index 0000000..5c88dad
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
> @@ -0,0 +1,41 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg
> +
> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> +
> +DESCRIPTION = "OPTee Client"
> +
> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
> +
> +SRC_URI += "file://debian"
> +
> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
> +# To use the builtin RPMB emulation, empty this
> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
> +
> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> + cp -r ${WORKDIR}/debian ${S}/
> +
> + deb_add_changelog
> +
> + echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
> + echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
> + echo "usr/lib/tee-supplicant/plugins/" >>
> ${S}/debian/tee-supplicant.dirs +
> + echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
> +
> + echo "usr/include/*" > ${S}/debian/optee-client-dev.install
> + echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
> +}
* Re: [PATCH v2 3/7] Add recipe for optee-client
2023-06-22 18:00 ` Henning Schild
@ 2023-06-22 18:36 ` Jan Kiszka
2023-06-22 18:43 ` Henning Schild
0 siblings, 1 reply; 20+ messages in thread
From: Jan Kiszka @ 2023-06-22 18:36 UTC (permalink / raw)
To: Henning Schild, baocheng_su
Cc: isar-users, felix.moessbauer, christian.storm, quirin.gylstorff,
baocheng.su
On 22.06.23 20:00, Henning Schild wrote:
> Am Thu, 22 Jun 2023 03:22:13 +0800
> schrieb baocheng_su@163.com:
>
>> From: Baocheng Su <baocheng.su@siemens.com>
>>
>> optee-client provides the userland library for communicating with the
>> trusted applications running in OP-TEE.
>>
>> It also provides an optee-client-dev package for developing host
>> application that talks to the TA counterpart.
>>
>> Also a user land daemon tee-supplicant is provided to serve the
>> trusted applications for user-land resources such as RPMB accessing.
>>
>> This brings the .inc for customization, and also a demo recipe for
>> stm32mp15x.
>>
>> The debianization is learnt from the debian official package. The
>> tee-supplicant.service is refined by Jan to fix some timing issues.
>>
>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>> ---
>> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
>> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
>> .../optee-client/files/debian/compat | 1 +
>> .../optee-client/files/debian/control.tmpl | 51
>> +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl |
>> 27 ++++++++++ .../files/debian/tee-supplicant.service | 21
>> ++++++++ .../optee-client/optee-client-custom.inc | 41
>> +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-)
>> create mode 100644
>> meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
>> create mode 100644
>> meta/recipes-bsp/optee-client/files/debian/control.tmpl create mode
>> 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl create
>> mode 100644
>> meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>> create mode 100644
>> meta/recipes-bsp/optee-client/optee-client-custom.inc
>>
>> diff --git a/meta-isar/conf/machine/stm32mp15x.conf
>> b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2 100644
>> --- a/meta-isar/conf/machine/stm32mp15x.conf
>> +++ b/meta-isar/conf/machine/stm32mp15x.conf
>> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
>> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x
>> u-boot-stm32mp15x" IMAGER_BUILD_DEPS +=
>> "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
>> -IMAGE_INSTALL += "u-boot-script"
>> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
>> diff --git
>> a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> new file mode 100644 index 0000000..18525e3 --- /dev/null
>> +++
>> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> @@ -0,0 +1,18 @@ +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Su Bao Cheng <baocheng.su@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +require recipes-bsp/optee-client/optee-client-custom.inc
>> +
>> +SRC_URI +=
>> "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
>> +SRC_URI[sha256sum] =
>> "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026" +
>> +S = "${WORKDIR}/optee_client-${PV}" +
>> +# Use RPMB emulation
>> +RPMB_EMU_BUILD_OPT = ""
>> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat
>> b/meta/recipes-bsp/optee-client/files/debian/compat new file mode
>> 100644 index 0000000..f599e28
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
>> @@ -0,0 +1 @@
>> +10
>> diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
>> b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file
>> mode 100644 index 0000000..6c68b1d
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
>> @@ -0,0 +1,51 @@
>
> Since there is that ".service" file I would expect a "Depends: systemd"
> somewhere in here.
>
> You wrote that the debianization is copied/inspired from somewhere,
> maybe that Depends needs to be upstreamed.
It should eventually, and we already tried to reach the package
maintainer regarding how to contribute best, given that his package is
not yet on salsa. No response yet.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [PATCH v2 3/7] Add recipe for optee-client
2023-06-22 18:36 ` Jan Kiszka
@ 2023-06-22 18:43 ` Henning Schild
2023-06-22 20:10 ` Jan Kiszka
0 siblings, 1 reply; 20+ messages in thread
From: Henning Schild @ 2023-06-22 18:43 UTC (permalink / raw)
To: Jan Kiszka
Cc: baocheng_su, isar-users, felix.moessbauer, christian.storm,
quirin.gylstorff, baocheng.su
Am Thu, 22 Jun 2023 20:36:17 +0200
schrieb Jan Kiszka <jan.kiszka@siemens.com>:
> On 22.06.23 20:00, Henning Schild wrote:
> > Am Thu, 22 Jun 2023 03:22:13 +0800
> > schrieb baocheng_su@163.com:
> >
> >> From: Baocheng Su <baocheng.su@siemens.com>
> >>
> >> optee-client provides the userland library for communicating with
> >> the trusted applications running in OP-TEE.
> >>
> >> It also provides an optee-client-dev package for developing host
> >> application that talks to the TA counterpart.
> >>
> >> Also a user land daemon tee-supplicant is provided to serve the
> >> trusted applications for user-land resources such as RPMB
> >> accessing.
> >>
> >> This brings the .inc for customization, and also a demo recipe for
> >> stm32mp15x.
> >>
> >> The debianization is learnt from the debian official package. The
> >> tee-supplicant.service is refined by Jan to fix some timing issues.
> >>
> >> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> >> ---
> >> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
> >> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
> >> .../optee-client/files/debian/compat | 1 +
> >> .../optee-client/files/debian/control.tmpl | 51
> >> +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl |
> >> 27 ++++++++++ .../files/debian/tee-supplicant.service | 21
> >> ++++++++ .../optee-client/optee-client-custom.inc | 41
> >> +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-)
> >> create mode 100644
> >> meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> >> create mode 100644
> >> meta/recipes-bsp/optee-client/files/debian/compat create mode
> >> 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
> >> create mode 100755
> >> meta/recipes-bsp/optee-client/files/debian/rules.tmpl create mode
> >> 100644
> >> meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> >> create mode 100644
> >> meta/recipes-bsp/optee-client/optee-client-custom.inc
> >>
> >> diff --git a/meta-isar/conf/machine/stm32mp15x.conf
> >> b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2
> >> 100644 --- a/meta-isar/conf/machine/stm32mp15x.conf
> >> +++ b/meta-isar/conf/machine/stm32mp15x.conf
> >> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
> >> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x
> >> optee-os-stm32mp15x u-boot-stm32mp15x" IMAGER_BUILD_DEPS +=
> >> "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x
> >> u-boot-stm32mp15x" -IMAGE_INSTALL += "u-boot-script"
> >> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
> >> diff --git
> >> a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> >> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> >> new file mode 100644 index 0000000..18525e3 --- /dev/null
> >> +++
> >> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> >> @@ -0,0 +1,18 @@ +#
> >> +# Copyright (c) Siemens AG, 2023
> >> +#
> >> +# Authors:
> >> +# Su Bao Cheng <baocheng.su@siemens.com>
> >> +#
> >> +# SPDX-License-Identifier: MIT
> >> +#
> >> +
> >> +require recipes-bsp/optee-client/optee-client-custom.inc
> >> +
> >> +SRC_URI +=
> >> "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
> >> +SRC_URI[sha256sum] =
> >> "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026"
> >> + +S = "${WORKDIR}/optee_client-${PV}" +
> >> +# Use RPMB emulation
> >> +RPMB_EMU_BUILD_OPT = ""
> >> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat
> >> b/meta/recipes-bsp/optee-client/files/debian/compat new file mode
> >> 100644 index 0000000..f599e28
> >> --- /dev/null
> >> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
> >> @@ -0,0 +1 @@
> >> +10
> >> diff --git
> >> a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> >> b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file
> >> mode 100644 index 0000000..6c68b1d --- /dev/null
> >> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> >> @@ -0,0 +1,51 @@
> >
> > Since there is that ".service" file I would expect a "Depends:
> > systemd" somewhere in here.
> >
> > You wrote that the debianization is copied/inspired from somewhere,
> > maybe that Depends needs to be upstreamed.
>
> It should eventually, and we already tried to reach the package
> maintainer regarding how to contribute best, given that his package is
> not yet on salsa. No response yet.
Ok, but the point likely remains. Something "systemd" should be in one
or more of the "Depends:" fields.
Henning
> Jan
>
* Re: [PATCH v2 3/7] Add recipe for optee-client
2023-06-22 18:43 ` Henning Schild
@ 2023-06-22 20:10 ` Jan Kiszka
0 siblings, 0 replies; 20+ messages in thread
From: Jan Kiszka @ 2023-06-22 20:10 UTC (permalink / raw)
To: Henning Schild
Cc: baocheng_su, isar-users, felix.moessbauer, christian.storm,
quirin.gylstorff, baocheng.su
On 22.06.23 20:43, Henning Schild wrote:
> Am Thu, 22 Jun 2023 20:36:17 +0200
> schrieb Jan Kiszka <jan.kiszka@siemens.com>:
>
>> On 22.06.23 20:00, Henning Schild wrote:
>>> Am Thu, 22 Jun 2023 03:22:13 +0800
>>> schrieb baocheng_su@163.com:
>>>
>>>> From: Baocheng Su <baocheng.su@siemens.com>
>>>>
>>>> optee-client provides the userland library for communicating with
>>>> the trusted applications running in OP-TEE.
>>>>
>>>> It also provides an optee-client-dev package for developing host
>>>> application that talks to the TA counterpart.
>>>>
>>>> Also a user land daemon tee-supplicant is provided to serve the
>>>> trusted applications for user-land resources such as RPMB
>>>> accessing.
>>>>
>>>> This brings the .inc for customization, and also a demo recipe for
>>>> stm32mp15x.
>>>>
>>>> The debianization is learnt from the debian official package. The
>>>> tee-supplicant.service is refined by Jan to fix some timing issues.
>>>>
>>>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>>>> ---
>>>> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
>>>> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
>>>> .../optee-client/files/debian/compat | 1 +
>>>> .../optee-client/files/debian/control.tmpl | 51
>>>> +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl |
>>>> 27 ++++++++++ .../files/debian/tee-supplicant.service | 21
>>>> ++++++++ .../optee-client/optee-client-custom.inc | 41
>>>> +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-)
>>>> create mode 100644
>>>> meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>>>> create mode 100644
>>>> meta/recipes-bsp/optee-client/files/debian/compat create mode
>>>> 100644 meta/recipes-bsp/optee-client/files/debian/control.tmpl
>>>> create mode 100755
>>>> meta/recipes-bsp/optee-client/files/debian/rules.tmpl create mode
>>>> 100644
>>>> meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>>>> create mode 100644
>>>> meta/recipes-bsp/optee-client/optee-client-custom.inc
>>>>
>>>> diff --git a/meta-isar/conf/machine/stm32mp15x.conf
>>>> b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2
>>>> 100644 --- a/meta-isar/conf/machine/stm32mp15x.conf
>>>> +++ b/meta-isar/conf/machine/stm32mp15x.conf
>>>> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
>>>> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x
>>>> optee-os-stm32mp15x u-boot-stm32mp15x" IMAGER_BUILD_DEPS +=
>>>> "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x
>>>> u-boot-stm32mp15x" -IMAGE_INSTALL += "u-boot-script"
>>>> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
>>>> diff --git
>>>> a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>>>> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>>>> new file mode 100644 index 0000000..18525e3 --- /dev/null
>>>> +++
>>>> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>>>> @@ -0,0 +1,18 @@ +#
>>>> +# Copyright (c) Siemens AG, 2023
>>>> +#
>>>> +# Authors:
>>>> +# Su Bao Cheng <baocheng.su@siemens.com>
>>>> +#
>>>> +# SPDX-License-Identifier: MIT
>>>> +#
>>>> +
>>>> +require recipes-bsp/optee-client/optee-client-custom.inc
>>>> +
>>>> +SRC_URI +=
>>>> "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
>>>> +SRC_URI[sha256sum] =
>>>> "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026"
>>>> + +S = "${WORKDIR}/optee_client-${PV}" +
>>>> +# Use RPMB emulation
>>>> +RPMB_EMU_BUILD_OPT = ""
>>>> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat
>>>> b/meta/recipes-bsp/optee-client/files/debian/compat new file mode
>>>> 100644 index 0000000..f599e28
>>>> --- /dev/null
>>>> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
>>>> @@ -0,0 +1 @@
>>>> +10
>>>> diff --git
>>>> a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
>>>> b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file
>>>> mode 100644 index 0000000..6c68b1d --- /dev/null
>>>> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
>>>> @@ -0,0 +1,51 @@
>>>
>>> Since there is that ".service" file I would expect a "Depends:
>>> systemd" somewhere in here.
>>>
>>> You wrote that the debianization is copied/inspired from somewhere,
>>> maybe that Depends needs to be upstreamed.
>>
>> It should eventually, and we already tried to reach the package
>> maintainer regarding how to contribute best, given that his package is
>> not yet on salsa. No response yet.
>
> Ok, but the point likely remains. Something "systemd" should be in one
> or multiple of the "Depends:"
Not unlikely, yes.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [PATCH v2 3/7] Add recipe for optee-client
2023-06-21 19:22 ` [PATCH v2 3/7] Add recipe for optee-client baocheng_su
2023-06-22 5:52 ` Jan Kiszka
2023-06-22 18:00 ` Henning Schild
@ 2023-06-22 18:02 ` Henning Schild
2023-06-22 18:34 ` Jan Kiszka
2 siblings, 1 reply; 20+ messages in thread
From: Henning Schild @ 2023-06-22 18:02 UTC (permalink / raw)
To: baocheng_su
Cc: isar-users, jan.kiszka, felix.moessbauer, christian.storm,
quirin.gylstorff, baocheng.su
Am Thu, 22 Jun 2023 03:22:13 +0800
schrieb baocheng_su@163.com:
> From: Baocheng Su <baocheng.su@siemens.com>
>
> optee-client provides the userland library for communicating with the
> trusted applications running in OP-TEE.
>
> It also provides an optee-client-dev package for developing host
> application that talks to the TA counterpart.
>
> Also a user land daemon tee-supplicant is provided to serve the
> trusted applications for user-land resources such as RPMB accessing.
>
> This brings the .inc for customization, and also a demo recipe for
> stm32mp15x.
>
> The debianization is learnt from the debian official package. The
> tee-supplicant.service is refined by Jan to fix some timing issues.
>
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
> .../optee-client/files/debian/compat | 1 +
> .../optee-client/files/debian/control.tmpl | 51
> +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl |
> 27 ++++++++++ .../files/debian/tee-supplicant.service | 21
> ++++++++ .../optee-client/optee-client-custom.inc | 41
> +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-)
> create mode 100644
> meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
> create mode 100644
> meta/recipes-bsp/optee-client/files/debian/control.tmpl create mode
> 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl create
> mode 100644
> meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> create mode 100644
> meta/recipes-bsp/optee-client/optee-client-custom.inc
>
> diff --git a/meta-isar/conf/machine/stm32mp15x.conf
> b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2 100644
> --- a/meta-isar/conf/machine/stm32mp15x.conf
> +++ b/meta-isar/conf/machine/stm32mp15x.conf
> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x
> u-boot-stm32mp15x" IMAGER_BUILD_DEPS +=
> "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
> -IMAGE_INSTALL += "u-boot-script"
> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
> diff --git
> a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> new file mode 100644 index 0000000..18525e3 --- /dev/null
> +++
> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
> @@ -0,0 +1,18 @@ +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +require recipes-bsp/optee-client/optee-client-custom.inc
> +
> +SRC_URI +=
> "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
> +SRC_URI[sha256sum] =
> "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026" +
> +S = "${WORKDIR}/optee_client-${PV}" +
> +# Use RPMB emulation
> +RPMB_EMU_BUILD_OPT = ""
> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat
> b/meta/recipes-bsp/optee-client/files/debian/compat new file mode
> 100644 index 0000000..f599e28
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file
> mode 100644 index 0000000..6c68b1d
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
> @@ -0,0 +1,51 @@
> +Source: ${PN}
> +Priority: optional
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: pkg-config, uuid-dev
> +Standards-Version: 4.1.3
> +Section: libs
> +Homepage: https://github.com/OP-TEE/optee_client
> +Rules-Requires-Root: no
> +
> +Package: optee-client-dev
> +Section: libdevel
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: libteec1 (= ${binary:Version}),
> + ${misc:Depends}
> +Description: normal world user space client APIs for OP-TEE
> (development)
> + OP-TEE is a Trusted Execution Environment (TEE) designed as
> companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the
> TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
> the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which
> is the
> + API describing how to communicate with a TEE. This package provides
> the TEE
> + Client API library.
> + .
> + This package contains the development files OpTEE Client API
> +
> +Package: libteec1
> +Architecture: ${DISTRO_ARCH}
> +Multi-Arch: same
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as
> companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the
> TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
> the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which
> is the
> + API describing how to communicate with a TEE. This package provides
> the TEE
> + Client API library.
> + .
> + This package contains libteec library.
> +
> +Package: tee-supplicant
> +Architecture: ${DISTRO_ARCH}
> +Depends: ${misc:Depends}, ${shlibs:Depends}
> +Description: normal world user space client APIs for OP-TEE
> + OP-TEE is a Trusted Execution Environment (TEE) designed as
> companion to a
> + non-secure Linux kernel running on Arm; Cortex-A cores using the
> TrustZone
> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
> the API
> + exposed to Trusted Applications and the TEE Client API v1.0, which
> is the
> + API describing how to communicate with a TEE. This package provides
> the TEE
> + Client API library.
> + .
> + This package contains tee-supplicant executable.
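Review bot: The Maintainer field is a placeholder (`Unknown maintainer <unknown@example.com>`); the optee-examples template in 4/7 of this series uses `ISAR project <isar-users@googlegroups.com>`, and the same value fits here. Two smaller points in the descriptions: the optee-client-dev text ends `the development files OpTEE Client API`, which reads as a cut sentence and spells the project differently from the rest of the file (`the development files for the OP-TEE Client API`), and the identical seven-line paragraph is repeated for all three packages although it ends with `This package provides the TEE Client API library`, which is wrong for tee-supplicant; keep the paragraph once under libteec1 and give the other two a one-line description.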
> diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl new file mode
> 100755 index 0000000..a0a8983
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
> @@ -0,0 +1,27 @@
> +#!/usr/bin/make -f
> +#
> +# Debian rules for custom OP-TEE Client build
> +#
> +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +%:
> + dh $@ --exclude=.a
> +
> +override_dh_auto_build:
> + dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
> ${RPMB_EMU_BUILD_OPT} +
> +override_dh_auto_install:
> + dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
> ${RPMB_EMU_BUILD_OPT} +
> +override_dh_auto_clean:
> + dh_auto_clean
> + rm -rf $(CURDIR)/out
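Review bot: The argument list `LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH} ${RPMB_EMU_BUILD_OPT}` is duplicated between override_dh_auto_build and override_dh_auto_install; put it in one make variable and pass it to both so the two cannot drift. Note also that `${TEE_FS_PARENT_PATH}` and `${RPMB_EMU_BUILD_OPT}` are substituted by the template step (they are in TEMPLATE_VARS in the .inc) while `$(DEB_HOST_MULTIARCH)` is left for make; mixing the two spellings on one line is easy to get wrong, so a comment at the top saying which names are template-expanded would help.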
> diff --git
> a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> new file mode 100644 index 0000000..4508a14 --- /dev/null
> +++
> b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
> @@ -0,0 +1,21 @@ +# This software is a part of ISAR.
> +# Copyright (c) Siemens AG, 2023
> +#
> +# SPDX-License-Identifier: MIT
> +[Unit]
> +Description=TEE Supplicant
> +DefaultDependencies=no
> +Before=systemd-remount-fs.service shutdown.target
> +Conflicts=shutdown.target
> +
> +[Service]
> +Type=oneshot
> +RemainAfterExit=yes
> +# Start if not already started by the initramfs hook
> +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null ||
> /usr/sbin/tee-supplicant -d' +ExecStop=/bin/sh -c '/usr/bin/findmnt
> /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount
> /sys/firmware/efi/efivars || true' +ExecStop=/bin/sh -c
> '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$"
> >/dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
> >+ExecStop=/usr/bin/pkill tee-supplicant + +[Install]
> +WantedBy=sysinit.target
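Review bot: `Type=oneshot` plus `RemainAfterExit=yes` with `tee-supplicant -d` means systemd never tracks the daemon's PID: if the supplicant dies, the unit stays `active (exited)`, nothing restarts it, and every TA that relies on it for secure storage or RPMB (the fTPM from 5/7 included) fails from then on with no hint in `systemctl status`. The pgrep shortcut for the initramfs-started instance is presumably why oneshot was chosen, but that deserves a comment, and for the non-initramfs case a `Type=forking` unit with a way to track the forked PID, or `Type=simple` without `-d`, would give supervision back. The ExecStop order (unmount efivars, unload tpm_ftpm_tee, then pkill) is right: the supplicant's consumers go first.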
> diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc
> b/meta/recipes-bsp/optee-client/optee-client-custom.inc new file mode
> 100644 index 0000000..5c88dad
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
> @@ -0,0 +1,41 @@
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg
> +
> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
This looks weird, is it really needed?
Henning
> +
> +DESCRIPTION = "OPTee Client"
> +
> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
> +
> +SRC_URI += "file://debian"
> +
> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
> +# To use the builtin RPMB emulation, empty this
> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
> +
> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> + cp -r ${WORKDIR}/debian ${S}/
> +
> + deb_add_changelog
> +
> + echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
> + echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
> + echo "usr/lib/tee-supplicant/plugins/" >>
> ${S}/debian/tee-supplicant.dirs +
> + echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
> +
> + echo "usr/include/*" > ${S}/debian/optee-client-dev.install
> + echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
> +}
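Review bot: `PROVIDES = "libteec1 optee-client-dev tee-supplicant"` is a plain assignment, so it discards anything already in PROVIDES from the dpkg class or a bbappend; `PROVIDES +=` matches the `SRC_URI +=` a few lines below. The generated .install lists also mix an absolute path (`/usr/sbin/*`) with relative ones (`usr/lib/*/libteec*.so.*`); dh_install accepts both, but one style is easier to grep. On `usr/lib/tee-supplicant/plugins/`: that is the directory tee-supplicant loads its plugin .so files from at startup while running as root, so the package must keep it root-owned and not group/world-writable; dh does that by default, just don't add a permissive dh_fixperms override later.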
* Re: [PATCH v2 3/7] Add recipe for optee-client
From: Jan Kiszka @ 2023-06-22 18:34 UTC (permalink / raw)
To: Henning Schild, baocheng_su
Cc: isar-users, felix.moessbauer, christian.storm, quirin.gylstorff,
baocheng.su
On 22.06.23 20:02, Henning Schild wrote:
> Am Thu, 22 Jun 2023 03:22:13 +0800
> schrieb baocheng_su@163.com:
>
>> From: Baocheng Su <baocheng.su@siemens.com>
>>
>> optee-client provides the userland library for communicating with the
>> trusted applications running in OP-TEE.
>>
>> It also provides an optee-client-dev package for developing host
>> applications that talk to the TA counterpart.
>>
>> Also a user-land daemon, tee-supplicant, is provided to serve the
>> trusted applications with user-land resources such as RPMB access.
>>
>> This brings the .inc for customization, and also a demo recipe for
>> stm32mp15x.
>>
>> The debianization is learnt from the Debian official package. The
>> tee-supplicant.service is refined by Jan to fix some timing issues.
>>
>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>> ---
>> meta-isar/conf/machine/stm32mp15x.conf | 2 +-
>> .../optee-client-stm32mp15x_3.21.0.bb | 18 +++++++
>> .../optee-client/files/debian/compat | 1 +
>> .../optee-client/files/debian/control.tmpl | 51
>> +++++++++++++++++++ .../optee-client/files/debian/rules.tmpl |
>> 27 ++++++++++ .../files/debian/tee-supplicant.service | 21
>> ++++++++ .../optee-client/optee-client-custom.inc | 41
>> +++++++++++++++ 7 files changed, 160 insertions(+), 1 deletion(-)
>> create mode 100644
>> meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> create mode 100644 meta/recipes-bsp/optee-client/files/debian/compat
>> create mode 100644
>> meta/recipes-bsp/optee-client/files/debian/control.tmpl create mode
>> 100755 meta/recipes-bsp/optee-client/files/debian/rules.tmpl create
>> mode 100644
>> meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>> create mode 100644
>> meta/recipes-bsp/optee-client/optee-client-custom.inc
>>
>> diff --git a/meta-isar/conf/machine/stm32mp15x.conf
>> b/meta-isar/conf/machine/stm32mp15x.conf index 4fa4051..0b200d2 100644
>> --- a/meta-isar/conf/machine/stm32mp15x.conf
>> +++ b/meta-isar/conf/machine/stm32mp15x.conf
>> @@ -16,4 +16,4 @@ WKS_FILE ?= "stm32mp15x.wks.in"
>> IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x
>> u-boot-stm32mp15x" IMAGER_BUILD_DEPS +=
>> "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
>> -IMAGE_INSTALL += "u-boot-script"
>> +IMAGE_INSTALL += "u-boot-script tee-supplicant"
>> diff --git
>> a/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> new file mode 100644 index 0000000..18525e3 --- /dev/null
>> +++
>> b/meta-isar/recipes-bsp/optee-client/optee-client-stm32mp15x_3.21.0.bb
>> @@ -0,0 +1,18 @@ +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Su Bao Cheng <baocheng.su@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +require recipes-bsp/optee-client/optee-client-custom.inc
>> +
>> +SRC_URI +=
>> "https://github.com/OP-TEE/optee_client/archive/${PV}.tar.gz;downloadfilename=optee_client-${PV}.tar.gz"
>> +SRC_URI[sha256sum] =
>> "368164a539b85557d2079fa6cd839ec444869109f96de65d6569e58b0615d026" +
>> +S = "${WORKDIR}/optee_client-${PV}" +
>> +# Use RPMB emulation
>> +RPMB_EMU_BUILD_OPT = ""
>> diff --git a/meta/recipes-bsp/optee-client/files/debian/compat
>> b/meta/recipes-bsp/optee-client/files/debian/compat new file mode
>> 100644 index 0000000..f599e28
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-client/files/debian/compat
>> @@ -0,0 +1 @@
>> +10
>> diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
>> b/meta/recipes-bsp/optee-client/files/debian/control.tmpl new file
>> mode 100644 index 0000000..6c68b1d
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
>> @@ -0,0 +1,51 @@
>> +Source: ${PN}
>> +Priority: optional
>> +Maintainer: Unknown maintainer <unknown@example.com>
>> +Build-Depends: pkg-config, uuid-dev
>> +Standards-Version: 4.1.3
>> +Section: libs
>> +Homepage: https://github.com/OP-TEE/optee_client
>> +Rules-Requires-Root: no
>> +
>> +Package: optee-client-dev
>> +Section: libdevel
>> +Architecture: ${DISTRO_ARCH}
>> +Multi-Arch: same
>> +Depends: libteec1 (= ${binary:Version}),
>> + ${misc:Depends}
>> +Description: normal world user space client APIs for OP-TEE
>> (development)
>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>> companion to a
>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>> TrustZone
>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
>> the API
>> + exposed to Trusted Applications and the TEE Client API v1.0, which
>> is the
>> + API describing how to communicate with a TEE. This package provides
>> the TEE
>> + Client API library.
>> + .
>> + This package contains the development files OpTEE Client API
>> +
>> +Package: libteec1
>> +Architecture: ${DISTRO_ARCH}
>> +Multi-Arch: same
>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>> +Description: normal world user space client APIs for OP-TEE
>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>> companion to a
>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>> TrustZone
>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
>> the API
>> + exposed to Trusted Applications and the TEE Client API v1.0, which
>> is the
>> + API describing how to communicate with a TEE. This package provides
>> the TEE
>> + Client API library.
>> + .
>> + This package contains libteec library.
>> +
>> +Package: tee-supplicant
>> +Architecture: ${DISTRO_ARCH}
>> +Depends: ${misc:Depends}, ${shlibs:Depends}
>> +Description: normal world user space client APIs for OP-TEE
>> + OP-TEE is a Trusted Execution Environment (TEE) designed as
>> companion to a
>> + non-secure Linux kernel running on Arm; Cortex-A cores using the
>> TrustZone
>> + technology. OP-TEE implements TEE Internal Core API v1.1.x which is
>> the API
>> + exposed to Trusted Applications and the TEE Client API v1.0, which
>> is the
>> + API describing how to communicate with a TEE. This package provides
>> the TEE
>> + Client API library.
>> + .
>> + This package contains tee-supplicant executable.
>> diff --git a/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
>> b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl new file mode
>> 100755 index 0000000..a0a8983
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-client/files/debian/rules.tmpl
>> @@ -0,0 +1,27 @@
>> +#!/usr/bin/make -f
>> +#
>> +# Debian rules for custom OP-TEE Client build
>> +#
>> +# This software is a part of ISAR.
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
>> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
>> +endif
>> +
>> +%:
>> + dh $@ --exclude=.a
>> +
>> +override_dh_auto_build:
>> + dh_auto_build -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>> ${RPMB_EMU_BUILD_OPT} +
>> +override_dh_auto_install:
>> + dh_auto_install -- LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
>> + CFG_TEE_FS_PARENT_PATH=${TEE_FS_PARENT_PATH}
>> ${RPMB_EMU_BUILD_OPT} +
>> +override_dh_auto_clean:
>> + dh_auto_clean
>> + rm -rf $(CURDIR)/out
>> diff --git
>> a/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>> b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>> new file mode 100644 index 0000000..4508a14 --- /dev/null
>> +++
>> b/meta/recipes-bsp/optee-client/files/debian/tee-supplicant.service
>> @@ -0,0 +1,21 @@ +# This software is a part of ISAR.
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# SPDX-License-Identifier: MIT
>> +[Unit]
>> +Description=TEE Supplicant
>> +DefaultDependencies=no
>> +Before=systemd-remount-fs.service shutdown.target
>> +Conflicts=shutdown.target
>> +
>> +[Service]
>> +Type=oneshot
>> +RemainAfterExit=yes
>> +# Start if not already started by the initramfs hook
>> +ExecStart=/bin/sh -c '/usr/bin/pgrep tee-supplicant >/dev/null ||
>> /usr/sbin/tee-supplicant -d' +ExecStop=/bin/sh -c '/usr/bin/findmnt
>> /sys/firmware/efi/efivars >/dev/null && /usr/bin/umount
>> /sys/firmware/efi/efivars || true' +ExecStop=/bin/sh -c
>> '/usr/sbin/modinfo -n tpm_ftpm_tee | /usr/bin/grep -E "\.ko$"
>>> /dev/null && /usr/sbin/modprobe -r tpm_ftpm_tee || true'
>>> +ExecStop=/usr/bin/pkill tee-supplicant + +[Install]
>> +WantedBy=sysinit.target
>> diff --git a/meta/recipes-bsp/optee-client/optee-client-custom.inc
>> b/meta/recipes-bsp/optee-client/optee-client-custom.inc new file mode
>> 100644 index 0000000..5c88dad
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-client/optee-client-custom.inc
>> @@ -0,0 +1,41 @@
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Su Bao Cheng <baocheng.su@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit dpkg
>> +
>> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
>
> This looks weird, is it really needed?
>
Yes, because of...
> Henning
>
>> +
>> +DESCRIPTION = "OPTee Client"
>> +
>> +PROVIDES = "libteec1 optee-client-dev tee-supplicant"
>> +
>> +SRC_URI += "file://debian"
...this line.
Jan
>> +
>> +TEE_FS_PARENT_PATH ?= "/var/lib/optee-client/data/tee"
>> +# To use the builtin RPMB emulation, empty this
>> +RPMB_EMU_BUILD_OPT ?= "RPMB_EMU=0"
>> +
>> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
>> +TEMPLATE_VARS += "TEE_FS_PARENT_PATH RPMB_EMU_BUILD_OPT"
>> +
>> +do_prepare_build[cleandirs] += "${S}/debian"
>> +do_prepare_build() {
>> + cp -r ${WORKDIR}/debian ${S}/
>> +
>> + deb_add_changelog
>> +
>> + echo "/usr/sbin/*" > ${S}/debian/tee-supplicant.install
>> + echo "lib/optee_armtz/" > ${S}/debian/tee-supplicant.dirs
>> + echo "usr/lib/tee-supplicant/plugins/" >>
>> ${S}/debian/tee-supplicant.dirs +
>> + echo "usr/lib/*/libteec*.so.*" > ${S}/debian/libteec1.install
>> +
>> + echo "usr/include/*" > ${S}/debian/optee-client-dev.install
>> + echo "usr/lib/*/lib*.so" >> ${S}/debian/optee-client-dev.install
>> +}
>
--
Siemens AG, Technology
Competence Center Embedded Linux
* [PATCH v2 4/7] Add recipe for optee examples
From: baocheng_su @ 2023-06-21 19:22 UTC (permalink / raw)
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
The optee-examples repo is provided to demonstrate the trusted
application and the host counterpart.
The stm32mp15x is used as the demo platform.
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
meta-isar/conf/machine/stm32mp15x.conf | 9 +-
.../optee-examples/files/debian/compat | 1 +
.../optee-examples/files/debian/control.tmpl | 112 ++++++++++++++++++
.../optee-examples/files/debian/rules.tmpl | 21 ++++
.../optee-examples-stm32mp15x_3.21.0.bb | 100 ++++++++++++++++
.../optee-os/optee-os-stm32mp15x_3.21.0.bb | 22 ++++
.../lib/wic/canned-wks/stm32mp15x.wks.in | 2 +-
7 files changed, 265 insertions(+), 2 deletions(-)
create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/compat
create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
create mode 100644 meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
create mode 100644 meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 0b200d2..4e8142e 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -16,4 +16,11 @@ WKS_FILE ?= "stm32mp15x.wks.in"
IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
-IMAGE_INSTALL += "u-boot-script tee-supplicant"
+IMAGE_INSTALL += "u-boot-script \
+ optee-examples-stm32mp15x-acipher-host \
+ optee-examples-stm32mp15x-aes-host \
+ optee-examples-stm32mp15x-hello-world-host \
+ optee-examples-stm32mp15x-hotp-host \
+ optee-examples-stm32mp15x-random-host \
+ optee-examples-stm32mp15x-secure-storage-host \
+ "
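Review bot: This hunk drops `tee-supplicant` from IMAGE_INSTALL (the removed line was `u-boot-script tee-supplicant`), so the daemon now reaches the image only through the `Depends: libteec1, tee-supplicant` of the `-host` packages in control.tmpl. That works today, but anyone trimming the example list (the first thing a downstream does) silently loses the supplicant and with it every TA that needs secure storage or RPMB; keep `tee-supplicant` listed explicitly next to `u-boot-script`.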
diff --git a/meta-isar/recipes-bsp/optee-examples/files/debian/compat b/meta-isar/recipes-bsp/optee-examples/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl b/meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
new file mode 100644
index 0000000..b0e7039
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl
@@ -0,0 +1,112 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: ${PN}-acipher-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - acipher
+ Generates an RSA key pair of specified size and encrypts a supplied string with
+ it using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: a734eed9-d6a1-4244-aa50-7c99719e7b7b
+
+Package: ${PN}-acipher-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+ ${misc:Depends}
+Description: OP-TEE Trusted Application example - acipher (host application)
+ Generates an RSA key pair of specified size and encrypts a supplied string with
+ it using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: a734eed9-d6a1-4244-aa50-7c99719e7b7b
+
+Package: ${PN}-aes-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - aes
+ Runs an AES encryption and decryption from a TA using the GlobalPlatform TEE
+ Internal Core API. Non secure test application provides the key, initial vector
+ and ciphered data.
+ .
+ UUID: 5dbac793-f574-4871-8ad3-04331ec17f24
+
+Package: ${PN}-aes-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+ ${misc:Depends}
+Description: OP-TEE Trusted Application example - aes (host application)
+ Runs an AES encryption and decryption from a TA using the GlobalPlatform TEE
+ Internal Core API. Non secure test application provides the key, initial vector
+ and ciphered data.
+ .
+ UUID: 5dbac793-f574-4871-8ad3-04331ec17f24
+
+Package: ${PN}-hello-world-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - hello_world
+ This is a very simple Trusted Application to answer a hello command and
+ incrementing an integer value.
+ .
+ UUID: 8aaaf200-2450-11e4-abe2-0002a5d5c51b
+
+Package: ${PN}-hello-world-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+ ${misc:Depends}
+Description: OP-TEE Trusted Application example - hello_world (host application)
+ This is a very simple Trusted Application to answer a hello command and
+ incrementing an integer value.
+ .
+ UUID: 8aaaf200-2450-11e4-abe2-0002a5d5c51b
+
+Package: ${PN}-hotp-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - hotp
+ HMAC based One Time Password in OP-TEE.
+ .
+ UUID: 484d4143-2d53-4841-3120-4a6f636b6542
+
+Package: ${PN}-hotp-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+ ${misc:Depends}
+Description: OP-TEE Trusted Application example - hotp (host application)
+ HMAC based One Time Password in OP-TEE.
+ .
+ UUID: 484d4143-2d53-4841-3120-4a6f636b6542
+
+Package: ${PN}-random-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - random
+ Generates a random UUID using capabilities of TEE API (TEE_GenerateRandom()).
+ .
+ UUID: b6c53aba-9669-4668-a7f2-205629d00f86
+
+Package: ${PN}-random-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+ ${misc:Depends}
+Description: OP-TEE Trusted Application example - random (host application)
+ Generates a random UUID using capabilities of TEE API (TEE_GenerateRandom()).
+ .
+ UUID: b6c53aba-9669-4668-a7f2-205629d00f86
+
+Package: ${PN}-secure-storage-ta
+Architecture: ${DISTRO_ARCH}
+Description: OP-TEE Trusted Application example - secure_storage
+ A Trusted Application to read/write raw data into the OP-TEE secure storage
+ using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: f4e750bb-1437-4fbf-8785-8d3580c34994
+
+Package: ${PN}-secure-storage-host
+Architecture: ${DISTRO_ARCH}
+Depends: libteec1, tee-supplicant,
+ ${misc:Depends}
+Description: OP-TEE Trusted Application example - secure_storage (host application)
+ A Trusted Application to read/write raw data into the OP-TEE secure storage
+ using the GlobalPlatform TEE Internal Core API.
+ .
+ UUID: f4e750bb-1437-4fbf-8785-8d3580c34994
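Review bot: The `-host` packages depend on `libteec1, tee-supplicant, ${misc:Depends}` but not `${shlibs:Depends}`, so dh_shlibdeps cannot emit the versioned libteec1 dependency it computes from the linked binaries (and warns about the missing substvar); add `${shlibs:Depends}` and the hand-written unversioned `libteec1` becomes redundant. Two consistency points: `Standards-Version: 3.9.6` here versus `4.1.3` in the optee-client template from 3/7, and the `-ta` packages carry no Depends at all, which is fine for files loaded by the TEE rather than by the normal-world loader but worth a one-line comment so it does not read as an omission.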
diff --git a/meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl b/meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
new file mode 100644
index 0000000..7e4be39
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/files/debian/rules.tmpl
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+#
+# Debian rules for custom OP-TEE Examples build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+%:
+ dh $@
+
+override_dh_auto_build:
+ dh_auto_build -- HOST_CROSS_COMPILE=${CROSS_COMPILE} \
+ PLATFORM=${OPTEE_PLATFORM} \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ examples
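Review bot: `HOST_CROSS_COMPILE=${CROSS_COMPILE}` relies on CROSS_COMPILE not being in TEMPLATE_VARS (the recipe lists `DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM TA_DEV_KIT_DIR`), so the `${...}` survives templating and is then expanded by make from the `export CROSS_COMPILE=` above, whereas `${OPTEE_PLATFORM}` and `${TA_DEV_KIT_DIR}` on the neighbouring lines are replaced at recipe time. Write the make one as `$(CROSS_COMPILE)` so the two mechanisms are distinguishable at a glance, and note in a comment that in a native build the `ifneq` leaves CROSS_COMPILE unset, so `HOST_CROSS_COMPILE=` is passed empty on purpose.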
diff --git a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
new file mode 100644
index 0000000..2a64a86
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
@@ -0,0 +1,100 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# SPDX-License-Identifier: MIT
+inherit dpkg
+
+DESCRIPTION ?= "OP-TEE examples"
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += " \
+ https://github.com/linaro-swg/optee_examples/archive/${PV}.tar.gz;downloadfilename=optee_examples-${PV}.tar.gz \
+ file://debian \
+ "
+SRC_URI[sha256sum] = "9b965f829adc532b5228534d3b9b38ae1fc4f2ac55d73159a39d43e59749f3ed"
+
+S = "${WORKDIR}/optee_examples-${PV}"
+
+OPTEE_NAME = "${MACHINE}"
+OPTEE_PLATFORM = "stm32mp1"
+TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
+
+PROVIDES += " \
+ optee-examples-${OPTEE_NAME}-acipher-host \
+ optee-examples-${OPTEE_NAME}-acipher-ta \
+ optee-examples-${OPTEE_NAME}-aes-host \
+ optee-examples-${OPTEE_NAME}-aes-ta \
+ optee-examples-${OPTEE_NAME}-hello-world-host \
+ optee-examples-${OPTEE_NAME}-hello-world-ta \
+ optee-examples-${OPTEE_NAME}-hotp-host \
+ optee-examples-${OPTEE_NAME}-hotp-ta \
+ optee-examples-${OPTEE_NAME}-random-host \
+ optee-examples-${OPTEE_NAME}-random-ta \
+ optee-examples-${OPTEE_NAME}-secure-storage-host \
+ optee-examples-${OPTEE_NAME}-secure-storage-ta \
+ "
+
+DEPENDS = "optee-os-tadevkit-${OPTEE_NAME} optee-client-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= " \
+ python3-pycryptodome:native, \
+ python3-cryptography:native, \
+ optee-client-dev, \
+ optee-os-tadevkit-${OPTEE_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
+TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM TA_DEV_KIT_DIR"
+
+do_prepare_build() {
+ cp -r ${WORKDIR}/debian ${S}/
+
+ deb_add_changelog
+
+ # acipher.install
+ echo "acipher/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/${PN}-acipher-ta.install
+ echo "acipher/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/${PN}-acipher-ta.install
+ echo "acipher/host/optee_example_acipher /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+ ${S}/debian/${PN}-acipher-host.install
+
+ # aes.install
+ echo "aes/ta/5dbac793-f574-4871-8ad3-04331ec17f24.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/${PN}-aes-ta.install
+ echo "aes/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/${PN}-aes-ta.install
+ echo "aes/host/optee_example_aes /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+ ${S}/debian/${PN}-aes-host.install
+
+ # hello-world.install
+ echo "hello_world/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/${PN}-hello-world-ta.install
+ echo "hello_world/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/${PN}-hello-world-ta.install
+ echo "hello_world/host/optee_example_hello_world /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+ ${S}/debian/${PN}-hello-world-host.install
+
+ # hotp.install
+ echo "hotp/ta/484d4143-2d53-4841-3120-4a6f636b6542.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/${PN}-hotp-ta.install
+ echo "hotp/ta/484d4143-2d53-4841-3120-4a6f636b6542.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/${PN}-hotp-ta.install
+ echo "hotp/host/optee_example_hotp /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+ ${S}/debian/${PN}-hotp-host.install
+
+ # random.install
+ echo "random/ta/b6c53aba-9669-4668-a7f2-205629d00f86.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/${PN}-random-ta.install
+ echo "random/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/${PN}-random-ta.install
+ echo "random/host/optee_example_random /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+ ${S}/debian/${PN}-random-host.install
+
+ # secure-storage.install
+ echo "secure_storage/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/${PN}-secure-storage-ta.install
+ echo "secure_storage/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/${PN}-secure-storage-ta.install
+ echo "secure_storage/host/optee_example_secure_storage /usr/lib/optee-os/${OPTEE_NAME}/ca" > \
+ ${S}/debian/${PN}-secure-storage-host.install
+}
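Review bot: Each example's UUID is spelled out by hand three times in this series (control.tmpl, the `.install` lines here, and EARLY_TA_PATHS in the optee-os hunk), which is exactly where a typo in a 36-character string goes unnoticed until the TA fails to load; generate the `.install` files from one `name:uuid` list in a shell loop here and reuse that list for the optee-os recipe. Also, the `-ta` packages ship both the signed `.ta` and the unsigned `.stripped.elf` into `/usr/lib/optee-os/${OPTEE_NAME}/ta`; the `.stripped.elf` is only an input to CFG_EARLY_TA at optee-os build time, so if it is meant to stay in the runtime package a comment should say why.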
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 096e263..7468ca6 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -6,3 +6,25 @@
require recipes-bsp/optee-os/optee-os-custom.inc
require optee-os-stm32mp15x_${PV}.inc
+# optee-examples integration
+DEPENDS += "optee-examples-stm32mp15x"
+DEBIAN_BUILD_DEPENDS += " \
+ , optee-examples-stm32mp15x-acipher-ta \
+ , optee-examples-stm32mp15x-aes-ta \
+ , optee-examples-stm32mp15x-hello-world-ta \
+ , optee-examples-stm32mp15x-hotp-ta \
+ , optee-examples-stm32mp15x-random-ta \
+ , optee-examples-stm32mp15x-secure-storage-ta \
+ "
+EARLY_TA_PATHS = " \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/484d4143-2d53-4841-3120-4a6f636b6542.stripped.elf \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
+ "
+OPTEE_EXTRA_BUILDARGS += " \
+ CFG_EARLY_TA=y \
+ EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
+ "
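Review bot: `CFG_EARLY_TA=y` with the six EARLY_TA_PATHS links the example TAs (acipher, aes, hello_world, hotp, random, secure_storage) into the TEE image itself, and this is the plain BSP recipe rather than a demo-only variant, so every stm32mp15x image built from it carries those TAs in the secure world whether or not the matching `-host` packages are installed. Each embedded TA is extra code reachable from the normal world, so gate this block (and the hard `DEPENDS += "optee-examples-stm32mp15x"`) on an opt-in variable, e.g. `OPTEE_EMBED_EXAMPLES` (name hypothetical), so a product can build the same recipe without them.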
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index 4ed4ee8..5d96f65 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -8,7 +8,7 @@ part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trus
part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
part teeh --part-name teeh --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-header_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part teed --part-name teed --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 512K
+part teed --part-name teed --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 1024K
part teex --part-name teex --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pager_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
part / --source rootfs-u-boot --fstype ext4 --mkfs-extraopts "-T default" --label root --align 1024 --active --use-uuid
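Review bot: The commit message says nothing about this hunk; doubling `teed` from 512K to 1024K is a partition-layout change, presumably needed because the embedded early TAs grow `tee-pageable_v2.stm32` past 512K, and a sentence in the message giving the new image size and the reason would make it reviewable and warn users re-flashing boards that still carry the old layout.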
--
2.30.2
* [PATCH v2 5/7] Add recipe for optee ftpm
From: baocheng_su @ 2023-06-21 19:22 UTC (permalink / raw)
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
This integrates Microsoft's reference implementation of the TCG TPM2.0 as an
OP-TEE trusted application, see [1] and [2] for details, esp.
meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm
Since the OP-TEE secure storage on IOT2050 is RPMB-based, and the RPMB access
is provided by the Linux tee-supplicant, this TA is only discoverable when
tee-supplicant is running.
To help gracefully manage the tee-supplicant, the kernel driver
tpm_ftpm_tee should be compiled as a .ko and be loaded/unloaded dynamically.
[1]: https://github.com/microsoft/ms-tpm-20-ref/
[2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
.../files/0001-add-enum-to-ta-flags.patch | 27 +++++++++++
.../optee-ftpm-stm32mp15x_0~230316+git.bb | 35 ++++++++++++++
.../optee-os/optee-os-stm32mp15x_3.21.0.bb | 10 +++-
.../optee-ftpm/files/debian/compat | 1 +
.../optee-ftpm/files/debian/control.tmpl | 11 +++++
.../optee-ftpm/files/debian/rules.tmpl | 25 ++++++++++
meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 47 +++++++++++++++++++
7 files changed, 155 insertions(+), 1 deletion(-)
create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
new file mode 100644
index 0000000..57917ba
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Uvarov <maxim.uvarov@linaro.org>
+Date: Fri, 17 Apr 2020 12:05:53 +0100
+Subject: [PATCH] add enum to ta flags
+
+If we compile this TA into OPTEE-OS we need to define a flag
+that this TA can be discovered on the optee bus.
+Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
+
+Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+---
+ .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+index 92c33c1..e83619d 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
+@@ -44,7 +44,7 @@
+
+ #define TA_UUID TA_FTPM_UUID
+
+-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
+ #define TA_STACK_SIZE (64 * 1024)
+ #define TA_DATA_SIZE (32 * 1024)
+
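Review bot: the Upstream-Status line in the embedded patch points at a pull request against microsoft/MSRSec (`Submitted [https://github.com/microsoft/MSRSec/pull/34]`), while the recipe applies the patch to ms-tpm-20-ref at SRCREV f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6; please confirm the status against the tree that is actually fetched, drop the patch if TA_FLAG_DEVICE_ENUM_SUPP has meanwhile landed there, and otherwise update the Upstream-Status line to name that tree. The cover text names meta-arm's optee-ftpm recipe as the origin of this patch; stating that origin in the patch header itself (the all-zero `From` id and the 2020 date give no hint) would make future rebases easier to track.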
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
new file mode 100644
index 0000000..de26ec3
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -0,0 +1,35 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
+
+# CHANGELOG_V = "0.1+git+isar"
+
+SRC_URI += " \
+ https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
+ https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
+ file://0001-add-enum-to-ta-flags.patch \
+ "
+
+SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
+# according to ms-tpm-20-ref submodules
+SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+
+SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
+SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+
+S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
+
+OPTEE_NAME = "${MACHINE}"
+TA_CPU = "cortex-a7"
+TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
+OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
+
+do_prepare_build:append() {
+ rm -rf ${S}/external/wolfssl
+ cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl
+}
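Review bot: the commented-out `# CHANGELOG_V = "0.1+git+isar"` is dead configuration; either remove it or say why it is kept. The `do_prepare_build:append()` step that replaces `external/wolfssl` with the separately fetched tarball is what actually pins wolfssl (via `SRC_URI[wolfssl.sha256sum]`) in place of the git submodule; a one-line comment at that step saying so would be clearer than the `# according to ms-tpm-20-ref submodules` remark on `SRCREV-wolfssl` alone.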
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
index 7468ca6..1b920cd 100644
--- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \
, optee-examples-stm32mp15x-random-ta \
, optee-examples-stm32mp15x-secure-storage-ta \
"
-EARLY_TA_PATHS = " \
+EARLY_TA_PATHS += " \
/usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
/usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
/usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
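Review bot: the `EARLY_TA_PATHS =` to `+=` change on the first assignment is not needed for the fTPM addition, because the fTPM block later in the same file already appends with `+=` after this assignment; as written it makes the list silently depend on any earlier definition of EARLY_TA_PATHS. If the intent is to let a .bbappend or conf file prepend TAs, say so in the commit message, otherwise leave this line as `=` and keep the diff to the lines that actually change.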
@@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \
/usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
/usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
"
+
+# optee-ftpm integration
+DEPENDS += "optee-ftpm-stm32mp15x"
+DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x"
+EARLY_TA_PATHS += " \
+ /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \
+ "
+
OPTEE_EXTRA_BUILDARGS += " \
CFG_EARLY_TA=y \
EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
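Review bot: the fTPM TA UUID `bc50d971-d4c9-42c4-82cb-343fb7f37896` is hardcoded here and again twice in optee-ftpm.inc when the `.install` file is generated; define it once (optee-ftpm.inc is the natural place) and reference that variable here, so a change of the TA UUID cannot leave the early-TA list and the package contents out of sync. `DEPENDS += "optee-ftpm-stm32mp15x"` also hardcodes the machine name while the paths use `${OPTEE_NAME}`; consistent with the optee-examples lines above, but one variable would serve both.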
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
new file mode 100644
index 0000000..abab42e
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
@@ -0,0 +1,11 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: Unknown maintainer <unknown@example.com>
+Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS}
+
+Package: ${PN}
+Architecture: any
+Depends:
+Description: TCG reference implementation of the TPM 2.0 Specification.
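Review bot: `Depends:` is left empty, which the packaging tools at best ignore and at worst warn about; since the package ships only the TA binaries, either drop the field or use `Depends: ${misc:Depends}`. The `debhelper (>= 10)` build dependency together with the separate `compat` file could also be collapsed into `debhelper-compat (= 10)` following current Debian practice, though the existing form matches other Isar recipes.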
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
new file mode 100755
index 0000000..19d4e08
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+# Debian rules for optee-ftpm
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+ cd Samples/ARM32-FirmwareTPM/optee_ta && \
+ TA_CROSS_COMPILE=${CROSS_COMPILE} \
+ TA_CPU=${TA_CPU} \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ CFG_TEE_TA_LOG_LEVEL=2 \
+ ${OPTEE_FTPM_BUILD_ARGS_EXTRA} \
+ $(MAKE) $(PARALLEL_MAKE)
+
+%:
+ dh $@
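Review bot: `CFG_TEE_TA_LOG_LEVEL=2` is the one build argument hardcoded in the rules template while `TA_CPU`, `TA_DEV_KIT_DIR` and `OPTEE_FTPM_BUILD_ARGS_EXTRA` are templated; a production build of a TA that handles TPM key material will usually want the log level lowered, so consider moving it into a templated variable with 2 as the default (or documenting that it belongs in OPTEE_FTPM_BUILD_ARGS_EXTRA). Mixing `${CROSS_COMPILE}` (left for make, since it is not in TEMPLATE_VARS) with the `$(MAKE)` style is worth a comment too, as a reader may assume the `${}` form is substituted at recipe time like the other three.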
diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
new file mode 100644
index 0000000..2f6dc30
--- /dev/null
+++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
@@ -0,0 +1,47 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+inherit dpkg
+
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian"
+
+OPTEE_NAME ?= "${MACHINE}"
+
+DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}"
+DEBIAN_BUILD_DEPENDS ?= " \
+ python3-cryptography:native, \
+ optee-os-tadevkit-${OPTEE_NAME} \
+ "
+
+TA_CPU ?= "unknown"
+TA_DEV_KIT_DIR ?= "unknown"
+OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
+
+TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
+TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
+ OPTEE_FTPM_BUILD_ARGS_EXTRA \
+ TA_CPU \
+ TA_DEV_KIT_DIR"
+
+do_prepare_build() {
+ rm -rf ${S}/debian
+ cp -r ${WORKDIR}/debian ${S}/
+
+ deb_add_changelog
+
+ rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+ echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+ echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+}
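Review bot: the install file is written as `optee-ftpm-${OPTEE_NAME}.install`, which only matches the binary package when `${PN}` happens to equal `optee-ftpm-${OPTEE_NAME}` (true for optee-ftpm-stm32mp15x with the default OPTEE_NAME, not for a recipe that overrides OPTEE_NAME); use `${PN}.install`, which is what control.tmpl's `Package: ${PN}` already relies on. The `?= "unknown"` defaults for `TA_CPU` and `TA_DEV_KIT_DIR` would also be better as a hard failure (e.g. a `bbfatal` in do_prepare_build when they are still "unknown") than a value that only fails deep inside the TA build.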
--
2.30.2
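The 5/7 commit message above explains that the fTPM TA is reachable only while tee-supplicant serves RPMB and that tpm_ftpm_tee is therefore meant to be a loadable module. The wrapper below, added here as an illustration and not part of the patch series or of any project's code, encodes that bring-up and teardown ordering, including the case where the supplicant never becomes ready. It assumes (hypothetically) tee-supplicant at /usr/sbin/tee-supplicant with a -d daemonize option, /dev/teepriv0 as the supplicant-side device node, and pgrep/pkill on the target; every external command is reached through a variable so the sequencing can be checked without a board.

```shell
#!/bin/sh
# Added example, not part of the Isar patch series or of any project's code:
# bring the fTPM up and down in the order the 5/7 commit message requires.
# The fTPM TA keeps its state in RPMB, which only the tee-supplicant daemon
# can serve, so the daemon must be running before tpm_ftpm_tee probes and
# must be stopped only after the driver has been unloaded.
# Assumptions (illustrative): tee-supplicant is at /usr/sbin/tee-supplicant
# and accepts -d, the supplicant device node is /dev/teepriv0, and
# pgrep/pkill exist. All external commands go through variables so the
# logic can be exercised without hardware.

MODPROBE="${MODPROBE:-modprobe}"
SUPPLICANT="${SUPPLICANT:-/usr/sbin/tee-supplicant}"
PKILL="${PKILL:-pkill}"
TEE_PRIV_DEV="${TEE_PRIV_DEV:-/dev/teepriv0}"
FTPM_MODULE="tpm_ftpm_tee"

# Poll for up to ~5 s until the daemon is running and the privileged TEE
# device it opens exists; the TA is not enumerable before that point.
supplicant_ready() {
    i=0
    while [ "$i" -lt 50 ]; do
        if [ -c "$TEE_PRIV_DEV" ] && pgrep -x tee-supplicant >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 0.1
    done
    return 1
}
SUPPLICANT_READY="${SUPPLICANT_READY:-supplicant_ready}"

# Up: start the helper, wait for it, and only then let the driver bind.
# If the helper never comes up, stop it again rather than loading a driver
# that has no TA to bind to.
ftpm_up() {
    $SUPPLICANT -d || return 1
    if ! $SUPPLICANT_READY; then
        $PKILL -x tee-supplicant
        return 1
    fi
    $MODPROBE "$FTPM_MODULE"
}

# Down: close the TA session by unloading the driver first, then stop the
# daemon; the reverse order would leave the driver with a dead back end.
ftpm_down() {
    $MODPROBE -r "$FTPM_MODULE" || return 1
    $PKILL -x tee-supplicant
}

case "${1:-}" in
    up)   ftpm_up ;;
    down) ftpm_down ;;
esac
```

Run it as `ftpm.sh up` before anything that needs the TPM character device and `ftpm.sh down` before the supplicant is stopped; an init hook or a systemd ExecStartPre/ExecStopPost pair can call the two functions in the same way.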
* Re: [PATCH v2 5/7] Add recipe for optee ftpm
2023-06-21 19:22 ` [PATCH v2 5/7] Add recipe for optee ftpm baocheng_su
@ 2023-06-22 6:02 ` Jan Kiszka
2023-06-22 6:21 ` Su Baocheng
0 siblings, 1 reply; 20+ messages in thread
From: Jan Kiszka @ 2023-06-22 6:02 UTC (permalink / raw)
To: baocheng_su, isar-users, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su
On 21.06.23 21:22, baocheng_su@163.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
>
> This integrates Microsoft's reference implementation of the TCG TPM2.0 as an
> OPTee trusted application, see [1] and [2] for details, esp.
> meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm
>
> Since the OPTee secure storage on IOT2050 is RPMB-based, and RPMB access
> is provided by the Linux tee-supplicant, this TA is only discoverable when
> tee-supplicant is running.
>
> To help gracefully manage the tee-supplicant, the kernel driver
> tpm_ftpm_tee should be compiled as a .ko and be loaded/unloaded dynamically.
>
> [1]: https://github.com/microsoft/ms-tpm-20-ref/
> [2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
>
> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
> ---
> .../files/0001-add-enum-to-ta-flags.patch | 27 +++++++++++
> .../optee-ftpm-stm32mp15x_0~230316+git.bb | 35 ++++++++++++++
The version should probably be 0~20230316+git when following Debian
suggestions.
Jan
> .../optee-os/optee-os-stm32mp15x_3.21.0.bb | 10 +++-
> .../optee-ftpm/files/debian/compat | 1 +
> .../optee-ftpm/files/debian/control.tmpl | 11 +++++
> .../optee-ftpm/files/debian/rules.tmpl | 25 ++++++++++
> meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 47 +++++++++++++++++++
> 7 files changed, 155 insertions(+), 1 deletion(-)
> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
> create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
> create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
> create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
>
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
> new file mode 100644
> index 0000000..57917ba
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
> @@ -0,0 +1,27 @@
> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> +From: Maxim Uvarov <maxim.uvarov@linaro.org>
> +Date: Fri, 17 Apr 2020 12:05:53 +0100
> +Subject: [PATCH] add enum to ta flags
> +
> +If we compile this TA into OPTEE-OS we need to define a flag
> +that this TA can be discovered on the optee bus.
> +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
> +
> +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
> +---
> + .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
> +index 92c33c1..e83619d 100644
> +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
> ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
> +@@ -44,7 +44,7 @@
> +
> + #define TA_UUID TA_FTPM_UUID
> +
> +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
> ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
> + #define TA_STACK_SIZE (64 * 1024)
> + #define TA_DATA_SIZE (32 * 1024)
> +
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
> new file mode 100644
> index 0000000..de26ec3
> --- /dev/null
> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
> @@ -0,0 +1,35 @@
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +require recipes-bsp/optee-ftpm/optee-ftpm.inc
> +
> +# CHANGELOG_V = "0.1+git+isar"
> +
> +SRC_URI += " \
> + https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
> + https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
> + file://0001-add-enum-to-ta-flags.patch \
> + "
> +
> +SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
> +# according to ms-tpm-20-ref submodules
> +SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
> +
> +SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
> +SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
> +
> +S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
> +
> +OPTEE_NAME = "${MACHINE}"
> +TA_CPU = "cortex-a7"
> +TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
> +OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
> +
> +do_prepare_build:append() {
> + rm -rf ${S}/external/wolfssl
> + cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl
> +}
> diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> index 7468ca6..1b920cd 100644
> --- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> +++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
> @@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \
> , optee-examples-stm32mp15x-random-ta \
> , optee-examples-stm32mp15x-secure-storage-ta \
> "
> -EARLY_TA_PATHS = " \
> +EARLY_TA_PATHS += " \
> /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
> /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
> /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
> @@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \
> /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
> /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
> "
> +
> +# optee-ftpm integration
> +DEPENDS += "optee-ftpm-stm32mp15x"
> +DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x"
> +EARLY_TA_PATHS += " \
> + /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \
> + "
> +
> OPTEE_EXTRA_BUILDARGS += " \
> CFG_EARLY_TA=y \
> EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat
> new file mode 100644
> index 0000000..f599e28
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat
> @@ -0,0 +1 @@
> +10
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> new file mode 100644
> index 0000000..abab42e
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> @@ -0,0 +1,11 @@
> +Source: ${PN}
> +Section: misc
> +Priority: optional
> +Standards-Version: 3.9.6
> +Maintainer: Unknown maintainer <unknown@example.com>
> +Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS}
> +
> +Package: ${PN}
> +Architecture: any
> +Depends:
> +Description: TCG reference implementation of the TPM 2.0 Specification.
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
> new file mode 100755
> index 0000000..19d4e08
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
> @@ -0,0 +1,25 @@
> +#!/usr/bin/make -f
> +# Debian rules for optee-ftpm
> +#
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +
> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
> +endif
> +
> +override_dh_auto_build:
> + cd Samples/ARM32-FirmwareTPM/optee_ta && \
> + TA_CROSS_COMPILE=${CROSS_COMPILE} \
> + TA_CPU=${TA_CPU} \
> + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
> + CFG_TEE_TA_LOG_LEVEL=2 \
> + ${OPTEE_FTPM_BUILD_ARGS_EXTRA} \
> + $(MAKE) $(PARALLEL_MAKE)
> +
> +%:
> + dh $@
> diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> new file mode 100644
> index 0000000..2f6dc30
> --- /dev/null
> +++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> @@ -0,0 +1,47 @@
> +# Copyright (c) Siemens AG, 2023
> +#
> +# Authors:
> +# Su Bao Cheng <baocheng.su@siemens.com>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +inherit dpkg
> +
> +SUMMARY = "OPTEE fTPM Microsoft TA"
> +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> +
> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
> +
> +SRC_URI += "file://debian"
> +
> +OPTEE_NAME ?= "${MACHINE}"
> +
> +DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}"
> +DEBIAN_BUILD_DEPENDS ?= " \
> + python3-cryptography:native, \
> + optee-os-tadevkit-${OPTEE_NAME} \
> + "
> +
> +TA_CPU ?= "unknown"
> +TA_DEV_KIT_DIR ?= "unknown"
> +OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
> +
> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> +TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
> + OPTEE_FTPM_BUILD_ARGS_EXTRA \
> + TA_CPU \
> + TA_DEV_KIT_DIR"
> +
> +do_prepare_build() {
> + rm -rf ${S}/debian
> + cp -r ${WORKDIR}/debian ${S}/
> +
> + deb_add_changelog
> +
> + rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
> + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
> + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
> + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
> + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
> +}
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [PATCH v2 5/7] Add recipe for optee ftpm
2023-06-22 6:02 ` Jan Kiszka
@ 2023-06-22 6:21 ` Su Baocheng
2023-06-22 6:40 ` Jan Kiszka
0 siblings, 1 reply; 20+ messages in thread
From: Su Baocheng @ 2023-06-22 6:21 UTC (permalink / raw)
To: Jan Kiszka, isar-users, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su
On 2023/6/22 14:02, Jan Kiszka wrote:
> On 21.06.23 21:22, baocheng_su@163.com wrote:
>> From: Baocheng Su <baocheng.su@siemens.com>
>>
>> This integrates Microsoft's reference implementation of the TCG TPM2.0 as an
>> OPTee trusted application, see [1] and [2] for details, esp.
>> meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm
>>
>> Since the OPTee secure storage on IOT2050 is RPMB-based, and RPMB access
>> is provided by the Linux tee-supplicant, this TA is only discoverable when
>> tee-supplicant is running.
>>
>> To help gracefully manage the tee-supplicant, the kernel driver
>> tpm_ftpm_tee should be compiled as a .ko and be loaded/unloaded dynamically.
>>
>> [1]: https://github.com/microsoft/ms-tpm-20-ref/
>> [2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
>>
>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>> ---
>> .../files/0001-add-enum-to-ta-flags.patch | 27 +++++++++++
>> .../optee-ftpm-stm32mp15x_0~230316+git.bb | 35 ++++++++++++++
>
> The version should probably be 0~20230316+git when following Debian
> suggestions.
>
According to [1], there are two possible version strings, YYYYMMDD or
0~YYMMDD; the latter ensures a smooth transition to a normal 0.1 in the
future when upstream starts to use a normal version.
1. https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#name-version
> Jan
>
>> .../optee-os/optee-os-stm32mp15x_3.21.0.bb | 10 +++-
>> .../optee-ftpm/files/debian/compat | 1 +
>> .../optee-ftpm/files/debian/control.tmpl | 11 +++++
>> .../optee-ftpm/files/debian/rules.tmpl | 25 ++++++++++
>> meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 47 +++++++++++++++++++
>> 7 files changed, 155 insertions(+), 1 deletion(-)
>> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
>> create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/compat
>> create mode 100644 meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
>> create mode 100755 meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
>> create mode 100644 meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
>>
>> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>> new file mode 100644
>> index 0000000..57917ba
>> --- /dev/null
>> +++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-add-enum-to-ta-flags.patch
>> @@ -0,0 +1,27 @@
>> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
>> +From: Maxim Uvarov <maxim.uvarov@linaro.org>
>> +Date: Fri, 17 Apr 2020 12:05:53 +0100
>> +Subject: [PATCH] add enum to ta flags
>> +
>> +If we compile this TA into OPTEE-OS we need to define a flag
>> +that this TA can be discovered on the optee bus.
>> +Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
>> +
>> +Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
>> +---
>> + .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
>> +index 92c33c1..e83619d 100644
>> +--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
>> ++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
>> +@@ -44,7 +44,7 @@
>> +
>> + #define TA_UUID TA_FTPM_UUID
>> +
>> +-#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
>> ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
>> + #define TA_STACK_SIZE (64 * 1024)
>> + #define TA_DATA_SIZE (32 * 1024)
>> +
>> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
>> new file mode 100644
>> index 0000000..de26ec3
>> --- /dev/null
>> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
>> @@ -0,0 +1,35 @@
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Su Bao Cheng <baocheng.su@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +require recipes-bsp/optee-ftpm/optee-ftpm.inc
>> +
>> +# CHANGELOG_V = "0.1+git+isar"
>> +
>> +SRC_URI += " \
>> + https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
>> + https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
>> + file://0001-add-enum-to-ta-flags.patch \
>> + "
>> +
>> +SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
>> +# according to ms-tpm-20-ref submodules
>> +SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
>> +
>> +SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
>> +SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
>> +
>> +S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
>> +
>> +OPTEE_NAME = "${MACHINE}"
>> +TA_CPU = "cortex-a7"
>> +TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
>> +OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
>> +
>> +do_prepare_build:append() {
>> + rm -rf ${S}/external/wolfssl
>> + cp -a ${S}/../wolfssl-${SRCREV-wolfssl} ${S}/external/wolfssl
>> +}
>> diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
>> index 7468ca6..1b920cd 100644
>> --- a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
>> +++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.21.0.bb
>> @@ -16,7 +16,7 @@ DEBIAN_BUILD_DEPENDS += " \
>> , optee-examples-stm32mp15x-random-ta \
>> , optee-examples-stm32mp15x-secure-storage-ta \
>> "
>> -EARLY_TA_PATHS = " \
>> +EARLY_TA_PATHS += " \
>> /usr/lib/optee-os/${OPTEE_NAME}/ta/a734eed9-d6a1-4244-aa50-7c99719e7b7b.stripped.elf \
>> /usr/lib/optee-os/${OPTEE_NAME}/ta/5dbac793-f574-4871-8ad3-04331ec17f24.stripped.elf \
>> /usr/lib/optee-os/${OPTEE_NAME}/ta/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
>> @@ -24,6 +24,14 @@ EARLY_TA_PATHS = " \
>> /usr/lib/optee-os/${OPTEE_NAME}/ta/b6c53aba-9669-4668-a7f2-205629d00f86.stripped.elf \
>> /usr/lib/optee-os/${OPTEE_NAME}/ta/f4e750bb-1437-4fbf-8785-8d3580c34994.stripped.elf \
>> "
>> +
>> +# optee-ftpm integration
>> +DEPENDS += "optee-ftpm-stm32mp15x"
>> +DEBIAN_BUILD_DEPENDS += ", optee-ftpm-stm32mp15x"
>> +EARLY_TA_PATHS += " \
>> + /usr/lib/optee-os/${OPTEE_NAME}/ta/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf \
>> + "
>> +
>> OPTEE_EXTRA_BUILDARGS += " \
>> CFG_EARLY_TA=y \
>> EARLY_TA_PATHS='${EARLY_TA_PATHS}' \
>> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/compat b/meta/recipes-bsp/optee-ftpm/files/debian/compat
>> new file mode 100644
>> index 0000000..f599e28
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/compat
>> @@ -0,0 +1 @@
>> +10
>> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
>> new file mode 100644
>> index 0000000..abab42e
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
>> @@ -0,0 +1,11 @@
>> +Source: ${PN}
>> +Section: misc
>> +Priority: optional
>> +Standards-Version: 3.9.6
>> +Maintainer: Unknown maintainer <unknown@example.com>
>> +Build-Depends: debhelper (>= 10), ${DEBIAN_BUILD_DEPENDS}
>> +
>> +Package: ${PN}
>> +Architecture: any
>> +Depends:
>> +Description: TCG reference implementation of the TPM 2.0 Specification.
>> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
>> new file mode 100755
>> index 0000000..19d4e08
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
>> @@ -0,0 +1,25 @@
>> +#!/usr/bin/make -f
>> +# Debian rules for optee-ftpm
>> +#
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Su Bao Cheng <baocheng.su@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +
>> +ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
>> +export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
>> +endif
>> +
>> +override_dh_auto_build:
>> + cd Samples/ARM32-FirmwareTPM/optee_ta && \
>> + TA_CROSS_COMPILE=${CROSS_COMPILE} \
>> + TA_CPU=${TA_CPU} \
>> + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
>> + CFG_TEE_TA_LOG_LEVEL=2 \
>> + ${OPTEE_FTPM_BUILD_ARGS_EXTRA} \
>> + $(MAKE) $(PARALLEL_MAKE)
>> +
>> +%:
>> + dh $@
>> diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
>> new file mode 100644
>> index 0000000..2f6dc30
>> --- /dev/null
>> +++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
>> @@ -0,0 +1,47 @@
>> +# Copyright (c) Siemens AG, 2023
>> +#
>> +# Authors:
>> +# Su Bao Cheng <baocheng.su@siemens.com>
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +inherit dpkg
>> +
>> +SUMMARY = "OPTEE fTPM Microsoft TA"
>> +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
>> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
>> +
>> +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:"
>> +
>> +SRC_URI += "file://debian"
>> +
>> +OPTEE_NAME ?= "${MACHINE}"
>> +
>> +DEPENDS = "optee-os-tadevkit-${OPTEE_NAME}"
>> +DEBIAN_BUILD_DEPENDS ?= " \
>> + python3-cryptography:native, \
>> + optee-os-tadevkit-${OPTEE_NAME} \
>> + "
>> +
>> +TA_CPU ?= "unknown"
>> +TA_DEV_KIT_DIR ?= "unknown"
>> +OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
>> +
>> +TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
>> +TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
>> + OPTEE_FTPM_BUILD_ARGS_EXTRA \
>> + TA_CPU \
>> + TA_DEV_KIT_DIR"
>> +
>> +do_prepare_build() {
>> + rm -rf ${S}/debian
>> + cp -r ${WORKDIR}/debian ${S}/
>> +
>> + deb_add_changelog
>> +
>> + rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
>> + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
>> + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
>> + echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
>> + ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
>> +}
>
* Re: [PATCH v2 5/7] Add recipe for optee ftpm
2023-06-22 6:21 ` Su Baocheng
@ 2023-06-22 6:40 ` Jan Kiszka
0 siblings, 0 replies; 20+ messages in thread
From: Jan Kiszka @ 2023-06-22 6:40 UTC (permalink / raw)
To: Su Baocheng, isar-users, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su
On 22.06.23 08:21, Su Baocheng wrote:
>
>
> On 2023/6/22 14:02, Jan Kiszka wrote:
>> On 21.06.23 21:22, baocheng_su@163.com wrote:
>>> From: Baocheng Su <baocheng.su@siemens.com>
>>>
>>> This integrates Microsoft's reference implementation of the TCG TPM2.0
>>> as an
>>> OPTee trusted application, see [1] and [2] for details, esp.
>>> meta-ts/layers/meta-arm/meta-arm/recipes-security/optee-ftpm
>>>
>>> Since the OPTee secure storage on IOT2050 is RPMB-based, and RPMB
>>> access
>>> is provided by the Linux tee-supplicant, this TA is only discoverable when
>>> tee-supplicant is running.
>>>
>>> To help gracefully manage the tee-supplicant, the kernel driver
>>> tpm_ftpm_tee should be compiled as a .ko and be loaded/unloaded
>>> dynamically.
>>>
>>> [1]: https://github.com/microsoft/ms-tpm-20-ref/
>>> [2]: https://gitlab.com/Linaro/trustedsubstrate/meta-ts
>>>
>>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
>>> ---
>>> .../files/0001-add-enum-to-ta-flags.patch | 27 +++++++++++
>>> .../optee-ftpm-stm32mp15x_0~230316+git.bb | 35 ++++++++++++++
>>
>> The version should probably be 0~20230316+git when following Debian
>> suggestions.
>>
>
> According to [1], there are two possible version strings, YYYYMMDD or
> 0~YYMMDD; the latter ensures a smooth transition to a normal 0.1 in the
> future when upstream starts to use a normal version.
>
> 1. https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#name-version
Ok, then keep it as it is.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* [PATCH v2 6/7] initramfs: Add recipe for tee-supplicant hook
2023-06-21 19:22 [PATCH v2 0/7] Add optee family and friends baocheng_su
` (4 preceding siblings ...)
2023-06-21 19:22 ` [PATCH v2 5/7] Add recipe for optee ftpm baocheng_su
@ 2023-06-21 19:22 ` baocheng_su
2023-06-21 19:22 ` [PATCH v2 7/7] initramfs: Add recipe for tee-ftpm hook baocheng_su
2023-06-22 6:01 ` [PATCH v2 0/7] Add optee family and friends Jan Kiszka
7 siblings, 0 replies; 20+ messages in thread
From: baocheng_su @ 2023-06-21 19:22 UTC (permalink / raw)
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
This adds the tee-supplicant hook so that the tee-supplicant daemon is
started at the initrd stage.
The tee-supplicant daemon is used to provide services to trusted
applications running in optee, for example to provide the RPMB access
service for the StMM or fTPM TAs.
By running tee-supplicant at the initrd stage, disk encryption based on fTPM
is possible.
stm32mp15x is used to demo the building of this hook, so add a new CI
target for the initramfs image of stm32mp15x.
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
.../images/stm32mp15x-initramfs.bb | 14 ++++++++
.../files/tee-supplicant.hook | 33 +++++++++++++++++++
.../files/tee-supplicant.script | 33 +++++++++++++++++++
.../initramfs-tee-supplicant-hook_0.1.bb | 27 +++++++++++++++
testsuite/citest.py | 1 +
5 files changed, 108 insertions(+)
create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
new file mode 100644
index 0000000..211c201
--- /dev/null
+++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
@@ -0,0 +1,14 @@
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit initramfs
+
+INITRAMFS_INSTALL += " \
+ initramfs-tee-supplicant-hook \
+ "
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
new file mode 100644
index 0000000..0af277b
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+hook_error() {
+ echo "(ERROR): $2" >&2
+ exit 1
+}
+
+# For stock debian bookworm arm64 kernel, these two .ko exist, but not built-in.
+manual_add_modules tee
+manual_add_modules optee
+
+copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"
+copy_exec /usr/bin/pgrep || hook_error "/usr/bin/pgrep not found"
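Review bot: hook_error() prints "$2", but both copy_exec call sites pass the message as the only argument, so on failure the log line is just "(ERROR): " with an empty message; use "$1" in hook_error so the missing binary path is actually reported. The comment above manual_add_modules only holds for the Debian bookworm arm64 kernel; on kernels with tee/optee built in, manual_add_modules silently does nothing, which is fine but worth stating in the comment.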
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
new file mode 100644
index 0000000..bb6dcc1
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+/usr/sbin/tee-supplicant -d
+
+# The tee-supplicant would take some time to be discovered, 10 seconds should be
+# enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+ wait_sec=$((wait_sec-1))
+ sleep 1
+done
+
+/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
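Review bot: FTPM_DEV is never assigned in this script (it is only set in the separate tee-ftpm script, which runs later and in its own shell), so `test -c "${FTPM_DEV}"` is always false and the loop unconditionally sleeps the full 10 seconds. The comment also says it waits for the supplicant, while the loop checks a device node. Either wait on something this script owns (the supplicant process via pgrep, for instance) or move the fTPM wait into the tee-ftpm script where FTPM_DEV is defined. Note also that the final pgrep only proves a process named tee-supplicant exists, not that it opened the TEE device successfully.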
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
new file mode 100644
index 0000000..3768b8e
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
@@ -0,0 +1,27 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://tee-supplicant.hook \
+ file://tee-supplicant.script \
+ "
+
+DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
+
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+ install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
+ install -m 0755 "${WORKDIR}/tee-supplicant.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
+}
diff --git a/testsuite/citest.py b/testsuite/citest.py
index 17a9024..1aa2928 100755
--- a/testsuite/citest.py
+++ b/testsuite/citest.py
@@ -214,6 +214,7 @@ class NoCrossTest(CIBaseTest):
'mc:bananapi-bullseye:isar-image-base',
'mc:nanopi-neo-bullseye:isar-image-base',
'mc:stm32mp15x-bullseye:isar-image-base',
+ 'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',
'mc:qemuamd64-focal:isar-image-ci'
]
--
2.30.2
* [PATCH v2 7/7] initramfs: Add recipe for tee-ftpm hook
From: baocheng_su @ 2023-06-21 19:22 UTC (permalink / raw)
To: isar-users, jan.kiszka, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su, baocheng_su
From: Baocheng Su <baocheng.su@siemens.com>
This adds the tee-ftpm hook, which mainly loads the kernel module tpm-ftpm-tee
during the initrd stage.
This makes the fTPM device available during the initrd stage so that the
encrypted partitions could be unlocked via keys stored in fTPM.
The stm32mp15x platform is used to demo the building of this hook.
Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
.../images/stm32mp15x-initramfs.bb | 1 +
.../files/tee-ftpm.hook | 25 +++++++++++++++++
.../files/tee-ftpm.script | 26 ++++++++++++++++++
.../initramfs-tee-ftpm-hook_0.1.bb | 27 +++++++++++++++++++
4 files changed, 79 insertions(+)
create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
index 211c201..8ec6d7c 100644
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
@@ -11,4 +11,5 @@ inherit initramfs
INITRAMFS_INSTALL += " \
initramfs-tee-supplicant-hook \
+ initramfs-tee-ftpm-hook \
"
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
new file mode 100644
index 0000000..b7f7859
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ="tee-supplicant"
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# The tpm_ftpm_tee.ko does not exist in any stock debian kernels, it could be
+# provided by customized kernel.
+manual_add_modules tpm_ftpm_tee
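Review bot: the hook only copies tpm_ftpm_tee into the initramfs; nothing in the matching script loads it, so the commit message's "loads the kernel module" holds only if udev autoloads it from the optee bus modalias at boot. Add an explicit `modprobe tpm_ftpm_tee` in the script (or document the udev dependency). Since manual_add_modules silently skips a missing module, the absence in stock Debian kernels mentioned in the comment means the image builds fine and then panics at boot; a build-time warning when the module is not found would surface that failure much earlier.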
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
new file mode 100644
index 0000000..8b089eb
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ="tee-supplicant"
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/functions
+
+FTPM_DEV=/dev/tpmrm0
+if ! test -c "${FTPM_DEV}"; then
+ panic "Can't discover the fTPM device ${FTPM_DEV}!"
+fi
\ No newline at end of file
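Review bot: the check races the device: tee-supplicant was daemonized by the preceding script and fTPM TA enumeration and tpm_ftpm_tee probing are asynchronous, so `test -c /dev/tpmrm0` can fail simply because the node has not appeared yet, while the timed wait meant to cover this sits in tee-supplicant.script where FTPM_DEV is unset. Move the wait loop here after defining FTPM_DEV (and after an explicit modprobe), and panic only when the timeout expires. The file also lacks a trailing newline.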
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
new file mode 100644
index 0000000..12064c0
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -0,0 +1,27 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://tee-ftpm.hook \
+ file://tee-ftpm.script \
+ "
+
+DEBIAN_DEPENDS = "initramfs-tools"
+
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+ install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
+ install -m 0755 "${WORKDIR}/tee-ftpm.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+}
\ No newline at end of file
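Review bot: PREREQ="tee-supplicant" in both shipped files makes this hook depend on the tee-supplicant hook being installed, but DEBIAN_DEPENDS only lists initramfs-tools; add initramfs-tee-supplicant-hook so the package relationship matches the script ordering. Like the script, the recipe is missing its trailing newline.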
--
2.30.2
* Re: [PATCH v2 0/7] Add optee family and friends
From: Jan Kiszka @ 2023-06-22 6:01 UTC (permalink / raw)
To: baocheng_su, isar-users, felix.moessbauer
Cc: christian.storm, quirin.gylstorff, baocheng.su
On 21.06.23 21:22, baocheng_su@163.com wrote:
> From: Baocheng Su <baocheng.su@siemens.com>
>
> This brings below optee family members:
> optee-ta-devkit, optee-client, optee-examples
> and a fTPM running in optee-os, plus some initramfs hooks for tee-supplicant and
> the optee-ftpm.
>
> The optee-ta-devkit is used to provide a sdk for building trusted application of
> optee.
>
> The optee-client provides the libteec1, the optee-client-dev, and the
> tee-supplicant daemon.
>
> The optee-examples provides both the optee TAs and host applications for
> demonstrating how to use optee-ta-devkit and optee-client-dev.
>
> The initramfs hooks for tee-supplicant and optee-ftpm are used to support
> initramfs stage applications that need the optee-ftpm or other TAs, such as the
> disk encryption based on TPM. An example is the LUKS2 implementation in
> isar-cip-core.
>
> Also bump the stm32mp15x optee-os version to 3.21.0 to ease the integration.
>
> Since these bits are the common foundation for applications based on ARM
> trustzone, isar should be the best place to hold them.
>
> The idea is partly inspired by the ARM trusted substrace.
substract :)
Looks generally good to me now. Maybe we could even move over [1] later
on by using the RPMB or RPMB emulation of the stm32mp15x board.
>
> This integration uses stm32mp15x as the demo platform. However, I might need some
> help to verify on the real hardware, since I don't have one :)
We will try to organize this here, maybe even later today.
Thanks,
Jan
[1]
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/master/recipes-bsp/edk2
--
Siemens AG, Technology
Competence Center Embedded Linux