[PATCH v2 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[PATCH v2 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[Jan Kiszka]

Changes in v2:
 - fix wks file so that it becomes compatible with upcoming wic version
   (credits go to Vijai for debugging this)
 - replace kernel patches with upstream U-Boot backports, following
   community suggestions

This adds include files for building custom Trusted Firmware A and Open
Portable Trusted Execution Environment, similar to U-Boot. As a
demonstration target, support for the STM32MP15x board is added, and its
boot is enabled for both TF-a and OP-TEE.

Jan


CC: vijaikumar.kanagarajan@gmail.com

Jan Kiszka (11):
  meta-isar: Lift de0-nano-soc build to buster
  meta-isar: linux-mainline: Update to latest 5.4.70
  meta-isar: u-boot: Update to 2020.10
  meta-isar: u-boot: Factor our de0-nano-soc recipe
  meta-isar: example-raw: Purge securetty from target image
  Add STM32MP15x eval board
  Add recipe include for building custom Trusted Firmware A
  stm32mp15x: Switch to TF-A based boot
  Add recipe include for building custom OP-TEE
  meta-isar: u-boot-stm32mp15x: Add patches needed for OP-TEE usage
  meta-isar: Add OP-TEE to STM32MP15x board

 meta-isar/conf/local.conf.sample              |   3 +-
 meta-isar/conf/machine/de0-nano-soc.conf      |   1 +
 meta-isar/conf/machine/stm32mp15x.conf        |  19 +++
 .../conf/multiconfig/de0-nano-soc-buster.conf |   7 +
 .../multiconfig/de0-nano-soc-stretch.conf     |   7 -
 .../conf/multiconfig/stm32mp15x-buster.conf   |   7 +
 .../recipes-app/example-raw/files/postinst    |   3 +
 .../optee-os/optee-os-stm32mp15x_3.10.0.bb    |  19 +++
 .../trusted-firmware-a-stm32mp15x_2.3.bb      |  21 +++
 ...y-add-property-no-map-to-created-res.patch | 151 ++++++++++++++++++
 ...rty-no-map-to-secure-reserved-memory.patch |  33 ++++
 .../recipes-bsp/u-boot/u-boot-2020.10.inc     |  13 ++
 .../u-boot/u-boot-de0-nano-soc_2020.10.bb     |   9 ++
 .../u-boot/u-boot-stm32mp15x_2020.10.bb       |  10 ++
 .../recipes-bsp/u-boot/u-boot_2018.09.bb      |  14 --
 ...ine_5.4.10.bb => linux-mainline_5.4.70.bb} |   4 +-
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |  16 ++
 meta/recipes-bsp/optee-os/files/debian/compat |   1 +
 .../optee-os/files/debian/control.tmpl        |  10 ++
 meta/recipes-bsp/optee-os/files/debian/rules  |  19 +++
 meta/recipes-bsp/optee-os/optee-os-custom.inc |  43 +++++
 .../trusted-firmware-a/files/debian/compat    |   1 +
 .../files/debian/control.tmpl                 |  10 ++
 .../trusted-firmware-a/files/debian/rules     |  19 +++
 .../trusted-firmware-a-custom.inc             |  43 +++++
 scripts/ci_build.sh                           |   5 +-
 26 files changed, 462 insertions(+), 26 deletions(-)
 create mode 100644 meta-isar/conf/machine/stm32mp15x.conf
 create mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
 delete mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
 create mode 100644 meta-isar/conf/multiconfig/stm32mp15x-buster.conf
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
 create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
 create mode 100644 meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch
 create mode 100644 meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
 delete mode 100644 meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
 rename meta-isar/recipes-kernel/linux/{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb} (89%)
 create mode 100644 meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc

-- 
2.26.2

[PATCH v2 01/11] meta-isar: Lift de0-nano-soc build to buster

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

That's up-to-date, and it will allow building another ARM board while
sharing the same self-built kernel.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/local.conf.sample                     | 2 +-
 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf  | 7 +++++++
 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf | 7 -------
 scripts/ci_build.sh                                  | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
 delete mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf

diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 2f82020d..01666fd4 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -56,7 +56,7 @@ BBMULTICONFIG = " \
     qemumipsel-bullseye \
     qemuriscv64-sid-ports \
     bananapi-buster \
-    de0-nano-soc-stretch \
+    de0-nano-soc-buster \
     hikey-stretch \
     nand-ubi-demo-buster \
     nanopi-neo-buster \
diff --git a/meta-isar/conf/multiconfig/de0-nano-soc-buster.conf b/meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
new file mode 100644
index 00000000..0584d193
--- /dev/null
+++ b/meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
@@ -0,0 +1,7 @@
+#
+# Copyright (c) Siemens AG, 2018-2020
+#
+# SPDX-License-Identifier: MIT
+
+MACHINE = "de0-nano-soc"
+DISTRO = "debian-buster"
diff --git a/meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf b/meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
deleted file mode 100644
index 68824939..00000000
--- a/meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2018
-#
-# SPDX-License-Identifier: MIT
-
-MACHINE = "de0-nano-soc"
-DISTRO = "debian-stretch"
diff --git a/scripts/ci_build.sh b/scripts/ci_build.sh
index c0a032e7..f1f6503e 100755
--- a/scripts/ci_build.sh
+++ b/scripts/ci_build.sh
@@ -48,7 +48,7 @@ CROSS_TARGETS_SET="\
                   mc:qemuarm-buster:isar-image-base \
                   mc:qemuarm64-stretch:isar-image-base \
                   mc:qemuamd64-stretch:isar-image-base \
-                  mc:de0-nano-soc-stretch:isar-image-base \
+                  mc:de0-nano-soc-buster:isar-image-base \
                   mc:rpi-stretch:isar-image-base"
 
 CROSS_TARGETS_SET_BULLSEYE="\
@@ -56,7 +56,7 @@ CROSS_TARGETS_SET_BULLSEYE="\
 "
 
 REPRO_TARGETS_SET_SIGNED="\
-            mc:de0-nano-soc-stretch:isar-image-base \
+            mc:de0-nano-soc-buster:isar-image-base \
             mc:qemuarm64-stretch:isar-image-base"
 
 REPRO_TARGETS_SET="\
-- 
2.26.2

[PATCH v2 02/11] meta-isar: linux-mainline: Update to latest 5.4.70

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Just to be more fresh.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-isar/recipes-kernel/linux/{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb} (89%)

diff --git a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.10.bb b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
similarity index 89%
rename from meta-isar/recipes-kernel/linux/linux-mainline_5.4.10.bb
rename to meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
index 8ec577cf..209ad9c0 100644
--- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.10.bb
+++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
@@ -1,7 +1,7 @@
 # Example recipe for building the mainline kernel
 #
 # This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2018
+# Copyright (c) Siemens AG, 2018-2020
 #
 # SPDX-License-Identifier: MIT
 
@@ -15,7 +15,7 @@ SRC_URI += " \
     file://no-ubifs-fs.cfg \
     file://no-root-nfs.cfg;apply=no"
 
-SRC_URI[sha256sum] = "f23c0218a5e3b363bb5a880972f507bb4dc4a290a787a7da08be07ea12042edd"
+SRC_URI[sha256sum] = "c0b3d8085c5ba235df38b00b740e053659709e8a5ca21957a239f6bc22c45007"
 
 S = "${WORKDIR}/linux-${ARCHIVE_VERSION}"
 
-- 
2.26.2

[PATCH v2 03/11] meta-isar: u-boot: Update to 2020.10

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Will be needed for STM32MP15x addition.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../u-boot/{u-boot_2018.09.bb => u-boot_2020.10.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-isar/recipes-bsp/u-boot/{u-boot_2018.09.bb => u-boot_2020.10.bb} (67%)

diff --git a/meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb b/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
similarity index 67%
rename from meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
rename to meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
index e79f340a..605f484b 100644
--- a/meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
+++ b/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
@@ -1,5 +1,5 @@
 #
-# Copyright (c) Siemens AG, 2018
+# Copyright (c) Siemens AG, 2018-2020
 #
 # SPDX-License-Identifier: MIT
 
@@ -8,7 +8,7 @@ require recipes-bsp/u-boot/u-boot-custom.inc
 SRC_URI += " \
     https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
     "
-SRC_URI[sha256sum] = "839bf23cfe8ce613a77e583a60375179d0ad324e92c82fbdd07bebf0fd142268"
+SRC_URI[sha256sum] = "0d481bbdc05c0ee74908ec2f56a6daa53166cc6a78a0e4fac2ac5d025770a622"
 
 # Just for testing purposes, distro package would be recent enough
 U_BOOT_TOOLS_PACKAGE = "1"
-- 
2.26.2

[PATCH v2 04/11] meta-isar: u-boot: Factor our de0-nano-soc recipe

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

We need to change the name of the recipe as a second user (machine) will
come along.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/de0-nano-soc.conf                 | 1 +
 .../u-boot/{u-boot_2020.10.bb => u-boot-2020.10.inc}     | 3 +--
 .../recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb    | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)
 rename meta-isar/recipes-bsp/u-boot/{u-boot_2020.10.bb => u-boot-2020.10.inc} (75%)
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb

diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf
index 3a2c0092..5a734d4d 100644
--- a/meta-isar/conf/machine/de0-nano-soc.conf
+++ b/meta-isar/conf/machine/de0-nano-soc.conf
@@ -7,6 +7,7 @@ DISTRO_ARCH ?= "armhf"
 
 KERNEL_NAME ?= "mainline"
 
+PREFERRED_PROVIDER_u-boot-de0-nano-soc = "u-boot-de0-nano-soc"
 U_BOOT_CONFIG_de0-nano-soc = "socfpga_de0_nano_soc_defconfig"
 U_BOOT_BIN_de0-nano-soc = "u-boot-with-spl.sfp"
 
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
similarity index 75%
rename from meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
rename to meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
index 605f484b..604776a6 100644
--- a/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
@@ -10,5 +10,4 @@ SRC_URI += " \
     "
 SRC_URI[sha256sum] = "0d481bbdc05c0ee74908ec2f56a6daa53166cc6a78a0e4fac2ac5d025770a622"
 
-# Just for testing purposes, distro package would be recent enough
-U_BOOT_TOOLS_PACKAGE = "1"
+S = "${WORKDIR}/u-boot-${PV}"
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
new file mode 100644
index 00000000..dcb76c53
--- /dev/null
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
@@ -0,0 +1,9 @@
+#
+# Copyright (c) Siemens AG, 2018-2020
+#
+# SPDX-License-Identifier: MIT
+
+require u-boot-${PV}.inc
+
+# Just for testing purposes, distro package would be recent enough
+U_BOOT_TOOLS_PACKAGE = "1"
-- 
2.26.2

[PATCH v2 05/11] meta-isar: example-raw: Purge securetty from target image

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Needed for boards which were unsupported by Debian's login package.
Bullseye will drop this as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/recipes-app/example-raw/files/postinst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
index c32ba956..d25c251d 100644
--- a/meta-isar/recipes-app/example-raw/files/postinst
+++ b/meta-isar/recipes-app/example-raw/files/postinst
@@ -19,3 +19,6 @@ cp -RTn /etc/skel ~isar
 chown -R isar:isar ~isar
 
 echo "isar" > /etc/hostname
+
+# this helps with ttys not know to this file (removed upstream with bullseye)
+rm -f /etc/securetty
-- 
2.26.2

[PATCH v2 06/11] Add STM32MP15x eval board

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This adds another ARMv7 board, using buster this time. It's primary
purpose will be acting as a TF-A test target. It was chosen due to its
simplicity and clean upstream support.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/local.conf.sample              |  1 +
 meta-isar/conf/machine/stm32mp15x.conf        | 19 +++++++++++++++++++
 .../conf/multiconfig/stm32mp15x-buster.conf   |  7 +++++++
 .../u-boot/u-boot-stm32mp15x_2020.10.bb       |  6 ++++++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      | 12 ++++++++++++
 scripts/ci_build.sh                           |  1 +
 6 files changed, 46 insertions(+)
 create mode 100644 meta-isar/conf/machine/stm32mp15x.conf
 create mode 100644 meta-isar/conf/multiconfig/stm32mp15x-buster.conf
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
 create mode 100644 meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in

diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 01666fd4..de1c6a87 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -60,6 +60,7 @@ BBMULTICONFIG = " \
     hikey-stretch \
     nand-ubi-demo-buster \
     nanopi-neo-buster \
+    stm32mp15x-buster \
     rpi-stretch \
     sifive-fu540-sid-ports \
 "
diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
new file mode 100644
index 00000000..7ef36e68
--- /dev/null
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -0,0 +1,19 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+DISTRO_ARCH ?= "armhf"
+
+KERNEL_NAME ?= "mainline"
+
+PREFERRED_PROVIDER_u-boot-stm32mp15x = "u-boot-stm32mp15x"
+U_BOOT_CONFIG_stm32mp15x = "stm32mp15_basic_defconfig"
+U_BOOT_BIN_stm32mp15x = "u-boot-spl.stm32 u-boot.img"
+
+IMAGE_TYPE ?= "wic-img"
+WKS_FILE ?= "stm32mp15x.wks.in"
+IMAGER_INSTALL += "u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "u-boot-stm32mp15x"
+
+IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/conf/multiconfig/stm32mp15x-buster.conf b/meta-isar/conf/multiconfig/stm32mp15x-buster.conf
new file mode 100644
index 00000000..d1b76d0f
--- /dev/null
+++ b/meta-isar/conf/multiconfig/stm32mp15x-buster.conf
@@ -0,0 +1,7 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+MACHINE = "stm32mp15x"
+DISTRO = "debian-buster"
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
new file mode 100644
index 00000000..6d956434
--- /dev/null
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
@@ -0,0 +1,6 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require u-boot-${PV}.inc
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
new file mode 100644
index 00000000..a9fb332d
--- /dev/null
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -0,0 +1,12 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+part fsbl1 --part-name fsbl1 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.img" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
+
+part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
+
+bootloader --ptable gpt --append="rootwait rw console=ttySTM0,115200"
diff --git a/scripts/ci_build.sh b/scripts/ci_build.sh
index f1f6503e..0053809c 100755
--- a/scripts/ci_build.sh
+++ b/scripts/ci_build.sh
@@ -49,6 +49,7 @@ CROSS_TARGETS_SET="\
                   mc:qemuarm64-stretch:isar-image-base \
                   mc:qemuamd64-stretch:isar-image-base \
                   mc:de0-nano-soc-buster:isar-image-base \
+                  mc:stm32mp15x-buster:isar-image-base \
                   mc:rpi-stretch:isar-image-base"
 
 CROSS_TARGETS_SET_BULLSEYE="\
-- 
2.26.2

[PATCH v2 07/11] Add recipe include for building custom Trusted Firmware A

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Analogously to U-Boot, this adds an include file to be used in custom
TF-A recipes. The typical customization points are TF_A_PLATFORM and
possibly a couple of TF_A_EXTRA_BUILDARGS. The to-be-packaged binaries
can be defined via TF_A_BINARIES.

Debian has a binary package called "arm-trusted-firmware", targeting a
couple of sunxi boards. We do not follow that legacy naming by intention
and rather use the new official one. Debian will probably follow at some
point.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../trusted-firmware-a/files/debian/compat    |  1 +
 .../files/debian/control.tmpl                 | 10 +++++
 .../trusted-firmware-a/files/debian/rules     | 19 ++++++++
 .../trusted-firmware-a-custom.inc             | 43 +++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc

diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/compat b/meta/recipes-bsp/trusted-firmware-a/files/debian/compat
new file mode 100644
index 00000000..f599e28b
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
new file mode 100644
index 00000000..7ffd189d
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
@@ -0,0 +1,10 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: trusted-firmware-a-${TF_A_NAME}
+Architecture: ${DISTRO_ARCH}
+Description: ${DESCRIPTION}, firmware binaries
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/rules b/meta/recipes-bsp/trusted-firmware-a/files/debian/rules
new file mode 100755
index 00000000..70e1dd66
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLAT=$(TF_A_PLATFORM) \
+		$(TF_A_EXTRA_BUILDARGS)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
new file mode 100644
index 00000000..a065ce71
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
@@ -0,0 +1,43 @@
+# Custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian/"
+
+DESCRIPTION ?= "Custom Trusted Firmware A"
+
+TF_A_NAME ?= "${MACHINE}"
+TF_A_PLATFORM ?= "unknown"
+TF_A_EXTRA_BUILDARGS ?= ""
+TF_A_BINARIES ?= "bl31.bin"
+
+DEBIAN_BUILD_DEPENDS ?= ""
+
+PROVIDES += "trusted-firmware-a-${TF_A_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "TF_A_NAME DEBIAN_BUILD_DEPENDS"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/trusted-firmware-a-${TF_A_NAME}.install
+    for binary in ${TF_A_BINARIES}; do
+        echo "build/${TF_A_PLATFORM}/release/$binary /usr/lib/trusted-firmware-a/${TF_A_NAME}/" >> \
+            ${S}/debian/trusted-firmware-a-${TF_A_NAME}.install
+    done
+}
+
+dpkg_runbuild_prepend() {
+    export TF_A_PLATFORM="${TF_A_PLATFORM}"
+    export TF_A_EXTRA_BUILDARGS="${TF_A_EXTRA_BUILDARGS}"
+}
-- 
2.26.2

[PATCH v3 07/11] Add recipe include for building custom Trusted Firmware A

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Analogously to U-Boot, this adds an include file to be used in custom
TF-A recipes. The typical customization points are TF_A_PLATFORM and
possibly a couple of TF_A_EXTRA_BUILDARGS. The to-be-packaged binaries
can be defined via TF_A_BINARIES.

Debian has a binary package called "arm-trusted-firmware", targeting a
couple of sunxi boards. We do not follow that legacy naming by intention
and rather use the new official one. Debian will probably follow at some
point.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

Changes in v3:
 - more flexible TF_A_BINARIES definition, supporting also platforms
   with custom BUILD_PLAT definitions (k3, rk3399, tegra)

 .../trusted-firmware-a/files/debian/compat    |  1 +
 .../files/debian/control.tmpl                 | 10 +++++
 .../trusted-firmware-a/files/debian/rules     | 19 ++++++++
 .../trusted-firmware-a-custom.inc             | 43 +++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc

diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/compat b/meta/recipes-bsp/trusted-firmware-a/files/debian/compat
new file mode 100644
index 00000000..f599e28b
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
new file mode 100644
index 00000000..7ffd189d
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
@@ -0,0 +1,10 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: trusted-firmware-a-${TF_A_NAME}
+Architecture: ${DISTRO_ARCH}
+Description: ${DESCRIPTION}, firmware binaries
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/rules b/meta/recipes-bsp/trusted-firmware-a/files/debian/rules
new file mode 100755
index 00000000..70e1dd66
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLAT=$(TF_A_PLATFORM) \
+		$(TF_A_EXTRA_BUILDARGS)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
new file mode 100644
index 00000000..1142bfce
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
@@ -0,0 +1,43 @@
+# Custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian/"
+
+DESCRIPTION ?= "Custom Trusted Firmware A"
+
+TF_A_NAME ?= "${MACHINE}"
+TF_A_PLATFORM ?= "unknown"
+TF_A_EXTRA_BUILDARGS ?= ""
+TF_A_BINARIES ?= "release/bl31.bin"
+
+DEBIAN_BUILD_DEPENDS ?= ""
+
+PROVIDES += "trusted-firmware-a-${TF_A_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "TF_A_NAME DEBIAN_BUILD_DEPENDS"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/trusted-firmware-a-${TF_A_NAME}.install
+    for binary in ${TF_A_BINARIES}; do
+        echo "build/${TF_A_PLATFORM}/$binary /usr/lib/trusted-firmware-a/${TF_A_NAME}/" >> \
+            ${S}/debian/trusted-firmware-a-${TF_A_NAME}.install
+    done
+}
+
+dpkg_runbuild_prepend() {
+    export TF_A_PLATFORM="${TF_A_PLATFORM}"
+    export TF_A_EXTRA_BUILDARGS="${TF_A_EXTRA_BUILDARGS}"
+}
-- 
2.26.2

[PATCH v2 08/11] stm32mp15x: Switch to TF-A based boot

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This demonstrates the usage of the TF-A include for building custom
firmware versions.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf        |  8 +++----
 .../trusted-firmware-a-stm32mp15x_2.3.bb      | 21 +++++++++++++++++++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |  6 +++---
 3 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 7ef36e68..66a47df4 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -8,12 +8,12 @@ DISTRO_ARCH ?= "armhf"
 KERNEL_NAME ?= "mainline"
 
 PREFERRED_PROVIDER_u-boot-stm32mp15x = "u-boot-stm32mp15x"
-U_BOOT_CONFIG_stm32mp15x = "stm32mp15_basic_defconfig"
-U_BOOT_BIN_stm32mp15x = "u-boot-spl.stm32 u-boot.img"
+U_BOOT_CONFIG_stm32mp15x = "stm32mp15_trusted_defconfig"
+U_BOOT_BIN_stm32mp15x = "u-boot.stm32"
 
 IMAGE_TYPE ?= "wic-img"
 WKS_FILE ?= "stm32mp15x.wks.in"
-IMAGER_INSTALL += "u-boot-stm32mp15x"
-IMAGER_BUILD_DEPS += "u-boot-stm32mp15x"
+IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
 
 IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
new file mode 100644
index 00000000..0a45ec36
--- /dev/null
+++ b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
@@ -0,0 +1,21 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+
+SRC_URI += "https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/snapshot/trusted-firmware-a-${PV}.tar.gz"
+SRC_URI[sha256sum] = "37f917922bcef181164908c470a2f941006791c0113d738c498d39d95d543b21"
+
+S = "${WORKDIR}/trusted-firmware-a-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+
+TF_A_PLATFORM = "stm32mp1"
+TF_A_EXTRA_BUILDARGS = " \
+    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min \
+    STM32MP_SDMMC=1 STM32MP_EMMC=1 \
+    STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
+    DTB_FILE_NAME=stm32mp157c-ev1.dtb"
+TF_A_BINARIES = "tf-a-stm32mp157c-ev1.stm32"
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index a9fb332d..5abaa833 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -3,9 +3,9 @@
 #
 # SPDX-License-Identifier: MIT
 
-part fsbl1 --part-name fsbl1 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.img" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
+part fsbl1 --part-name fsbl1 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
 
 part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
 
-- 
2.26.2

[PATCH v3 08/11] stm32mp15x: Switch to TF-A based boot

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This demonstrates the usage of the TF-A include for building custom
firmware versions.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

Changes in v3:
 - adjust TF_A_BINARIES

 meta-isar/conf/machine/stm32mp15x.conf        |  8 +++----
 .../trusted-firmware-a-stm32mp15x_2.3.bb      | 21 +++++++++++++++++++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |  6 +++---
 3 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 7ef36e68..66a47df4 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -8,12 +8,12 @@ DISTRO_ARCH ?= "armhf"
 KERNEL_NAME ?= "mainline"
 
 PREFERRED_PROVIDER_u-boot-stm32mp15x = "u-boot-stm32mp15x"
-U_BOOT_CONFIG_stm32mp15x = "stm32mp15_basic_defconfig"
-U_BOOT_BIN_stm32mp15x = "u-boot-spl.stm32 u-boot.img"
+U_BOOT_CONFIG_stm32mp15x = "stm32mp15_trusted_defconfig"
+U_BOOT_BIN_stm32mp15x = "u-boot.stm32"
 
 IMAGE_TYPE ?= "wic-img"
 WKS_FILE ?= "stm32mp15x.wks.in"
-IMAGER_INSTALL += "u-boot-stm32mp15x"
-IMAGER_BUILD_DEPS += "u-boot-stm32mp15x"
+IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
 
 IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
new file mode 100644
index 00000000..97d683f7
--- /dev/null
+++ b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
@@ -0,0 +1,21 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+
+SRC_URI += "https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/snapshot/trusted-firmware-a-${PV}.tar.gz"
+SRC_URI[sha256sum] = "37f917922bcef181164908c470a2f941006791c0113d738c498d39d95d543b21"
+
+S = "${WORKDIR}/trusted-firmware-a-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+
+TF_A_PLATFORM = "stm32mp1"
+TF_A_EXTRA_BUILDARGS = " \
+    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min \
+    STM32MP_SDMMC=1 STM32MP_EMMC=1 \
+    STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
+    DTB_FILE_NAME=stm32mp157c-ev1.dtb"
+TF_A_BINARIES = "release/tf-a-stm32mp157c-ev1.stm32"
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index a9fb332d..5abaa833 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -3,9 +3,9 @@
 #
 # SPDX-License-Identifier: MIT
 
-part fsbl1 --part-name fsbl1 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.img" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
+part fsbl1 --part-name fsbl1 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
 
 part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
 
-- 
2.26.2

[PATCH v2 09/11] Add recipe include for building custom OP-TEE

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Analogously to TF-A, this adds an include file to be used in custom
Open Portable Trusted Execution Environment. The typical customization
points are OPTEE_PLATFORM and possibly a couple of
OPTEE_EXTRA_BUILDARGS. The to-be-packaged binaries can be defined via
OPTEE_BINARIES.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta/recipes-bsp/optee-os/files/debian/compat |  1 +
 .../optee-os/files/debian/control.tmpl        | 10 +++++
 meta/recipes-bsp/optee-os/files/debian/rules  | 19 ++++++++
 meta/recipes-bsp/optee-os/optee-os-custom.inc | 43 +++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc

diff --git a/meta/recipes-bsp/optee-os/files/debian/compat b/meta/recipes-bsp/optee-os/files/debian/compat
new file mode 100644
index 00000000..f599e28b
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
new file mode 100644
index 00000000..60b39279
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -0,0 +1,10 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: optee-os-${OPTEE_NAME}
+Architecture: ${DISTRO_ARCH}
+Description: ${DESCRIPTION}, firmware binaries
diff --git a/meta/recipes-bsp/optee-os/files/debian/rules b/meta/recipes-bsp/optee-os/files/debian/rules
new file mode 100755
index 00000000..d2e9900f
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLATFORM=$(OPTEE_PLATFORM) \
+		$(OPTEE_EXTRA_BUILDARGS)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
new file mode 100644
index 00000000..54c47fef
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
@@ -0,0 +1,43 @@
+# Custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian/"
+
+DESCRIPTION ?= "Custom OP-TEE OS"
+
+OPTEE_NAME ?= "${MACHINE}"
+OPTEE_PLATFORM ?= "unknown"
+OPTEE_EXTRA_BUILDARGS ?= ""
+OPTEE_BINARIES ?= "tee-pager_v2.bin"
+
+DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+
+PROVIDES += "optee-os-${OPTEE_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
+    for binary in ${OPTEE_BINARIES}; do
+        echo "out/arm-plat-${OPTEE_PLATFORM}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
+            ${S}/debian/optee-os-${OPTEE_NAME}.install
+    done
+}
+
+dpkg_runbuild_prepend() {
+    export OPTEE_PLATFORM="${OPTEE_PLATFORM}"
+    export OPTEE_EXTRA_BUILDARGS="${OPTEE_EXTRA_BUILDARGS}"
+}
-- 
2.26.2

[PATCH v3 09/11] Add recipe include for building custom OP-TEE

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Analogously to TF-A, this adds an include file to be used in custom
Open Portable Trusted Execution Environment. The typical customization
points are OPTEE_PLATFORM and possibly a couple of
OPTEE_EXTRA_BUILDARGS. The to-be-packaged binaries can be defined via
OPTEE_BINARIES.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

Changes in v3:
 - account for platform flavors in OPTEE_PLATFORM

 meta/recipes-bsp/optee-os/files/debian/compat |  1 +
 .../optee-os/files/debian/control.tmpl        | 10 ++++
 meta/recipes-bsp/optee-os/files/debian/rules  | 19 ++++++++
 meta/recipes-bsp/optee-os/optee-os-custom.inc | 46 +++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc

diff --git a/meta/recipes-bsp/optee-os/files/debian/compat b/meta/recipes-bsp/optee-os/files/debian/compat
new file mode 100644
index 00000000..f599e28b
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
new file mode 100644
index 00000000..60b39279
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -0,0 +1,10 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: optee-os-${OPTEE_NAME}
+Architecture: ${DISTRO_ARCH}
+Description: ${DESCRIPTION}, firmware binaries
diff --git a/meta/recipes-bsp/optee-os/files/debian/rules b/meta/recipes-bsp/optee-os/files/debian/rules
new file mode 100755
index 00000000..d2e9900f
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLATFORM=$(OPTEE_PLATFORM) \
+		$(OPTEE_EXTRA_BUILDARGS)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
new file mode 100644
index 00000000..1bd51969
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
@@ -0,0 +1,46 @@
+# Custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian/"
+
+DESCRIPTION ?= "Custom OP-TEE OS"
+
+OPTEE_NAME ?= "${MACHINE}"
+OPTEE_PLATFORM ?= "unknown"
+OPTEE_EXTRA_BUILDARGS ?= ""
+OPTEE_BINARIES ?= "tee-pager_v2.bin"
+
+DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+
+PROVIDES += "optee-os-${OPTEE_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS"
+
+# split strip platform flavor, if any, from the specified platform string
+OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
+    for binary in ${OPTEE_BINARIES}; do
+        echo "out/arm-plat-${OPTEE_PLATFORM_BASE}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
+            ${S}/debian/optee-os-${OPTEE_NAME}.install
+    done
+}
+
+dpkg_runbuild_prepend() {
+    export OPTEE_PLATFORM="${OPTEE_PLATFORM}"
+    export OPTEE_EXTRA_BUILDARGS="${OPTEE_EXTRA_BUILDARGS}"
+}
-- 
2.26.2

[PATCH v2 10/11] meta-isar: u-boot-stm32mp15x: Add patches needed for OP-TEE usage

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

These two patches didn't make it into 2020.10 but are needed in order
to boot Linux when OP-TEE is present. See also

https://www.mail-archive.com/u-boot@lists.denx.de/msg386193.html

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 ...y-add-property-no-map-to-created-res.patch | 151 ++++++++++++++++++
 ...rty-no-map-to-secure-reserved-memory.patch |  33 ++++
 .../u-boot/u-boot-stm32mp15x_2020.10.bb       |   4 +
 3 files changed, 188 insertions(+)
 create mode 100644 meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch
 create mode 100644 meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch

diff --git a/meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch b/meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch
new file mode 100644
index 00000000..8a32fc11
--- /dev/null
+++ b/meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch
@@ -0,0 +1,151 @@
+From ccaa5747bdeae4261199dd7e80771e4de1c550ca Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@st.com>
+Date: Thu, 10 Sep 2020 10:49:59 +0200
+Subject: [PATCH] fdtdec: optionally add property no-map to created reserved
+ memory node
+
+Add boolean input argument @no_map to helper function
+fdtdec_add_reserved_memory() to add or not "no-map" property
+for an added reserved memory node.
+
+Property no-map is used by the Linux kernel to not not map memory
+in its static memory mapping. It is needed for example for the|
+consistency of system non-cached memory and to prevent speculative
+accesses to some firewalled memory.
+
+No functional change. A later change will update to OPTEE library to
+add no-map property to OP-TEE reserved memory nodes.
+
+Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
+Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+---
+ arch/riscv/lib/fdt_fixup.c |  2 +-
+ include/fdtdec.h           |  5 +++--
+ lib/fdtdec.c               | 10 ++++++++--
+ lib/optee/optee.c          |  2 +-
+ test/dm/fdtdec.c           |  6 +++---
+ 5 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/arch/riscv/lib/fdt_fixup.c b/arch/riscv/lib/fdt_fixup.c
+index 5b2420243f..d02062fd5b 100644
+--- a/arch/riscv/lib/fdt_fixup.c
++++ b/arch/riscv/lib/fdt_fixup.c
+@@ -75,7 +75,7 @@ int riscv_fdt_copy_resv_mem_node(const void *src, void *dst)
+ 		pmp_mem.start = addr;
+ 		pmp_mem.end = addr + size - 1;
+ 		err = fdtdec_add_reserved_memory(dst, basename, &pmp_mem,
+-						 &phandle);
++						 &phandle, false);
+ 		if (err < 0 && err != -FDT_ERR_EXISTS) {
+ 			log_err("failed to add reserved memory: %d\n", err);
+ 			return err;
+diff --git a/include/fdtdec.h b/include/fdtdec.h
+index 152eb07b9e..62d1660973 100644
+--- a/include/fdtdec.h
++++ b/include/fdtdec.h
+@@ -1029,7 +1029,7 @@ static inline int fdtdec_set_phandle(void *blob, int node, uint32_t phandle)
+  *     };
+  *     uint32_t phandle;
+  *
+- *     fdtdec_add_reserved_memory(fdt, "framebuffer", &fb, &phandle);
++ *     fdtdec_add_reserved_memory(fdt, "framebuffer", &fb, &phandle, false);
+  *
+  * This results in the following subnode being added to the top-level
+  * /reserved-memory node:
+@@ -1056,11 +1056,12 @@ static inline int fdtdec_set_phandle(void *blob, int node, uint32_t phandle)
+  * @param carveout	information about the carveout region
+  * @param phandlep	return location for the phandle of the carveout region
+  *			can be NULL if no phandle should be added
++ * @param no_map	add "no-map" property if true
+  * @return 0 on success or a negative error code on failure
+  */
+ int fdtdec_add_reserved_memory(void *blob, const char *basename,
+ 			       const struct fdt_memory *carveout,
+-			       uint32_t *phandlep);
++			       uint32_t *phandlep, bool no_map);
+ 
+ /**
+  * fdtdec_get_carveout() - reads a carveout from an FDT
+diff --git a/lib/fdtdec.c b/lib/fdtdec.c
+index 56bf9fcc79..b8fc5e2bff 100644
+--- a/lib/fdtdec.c
++++ b/lib/fdtdec.c
+@@ -1316,7 +1316,7 @@ static int fdtdec_init_reserved_memory(void *blob)
+ 
+ int fdtdec_add_reserved_memory(void *blob, const char *basename,
+ 			       const struct fdt_memory *carveout,
+-			       uint32_t *phandlep)
++			       uint32_t *phandlep, bool no_map)
+ {
+ 	fdt32_t cells[4] = {}, *ptr = cells;
+ 	uint32_t upper, lower, phandle;
+@@ -1416,6 +1416,12 @@ int fdtdec_add_reserved_memory(void *blob, const char *basename,
+ 	if (err < 0)
+ 		return err;
+ 
++	if (no_map) {
++		err = fdt_setprop(blob, node, "no-map", NULL, 0);
++		if (err < 0)
++			return err;
++	}
++
+ 	/* return the phandle for the new node for the caller to use */
+ 	if (phandlep)
+ 		*phandlep = phandle;
+@@ -1481,7 +1487,7 @@ int fdtdec_set_carveout(void *blob, const char *node, const char *prop_name,
+ 	fdt32_t value;
+ 	void *prop;
+ 
+-	err = fdtdec_add_reserved_memory(blob, name, carveout, &phandle);
++	err = fdtdec_add_reserved_memory(blob, name, carveout, &phandle, false);
+ 	if (err < 0) {
+ 		debug("failed to add reserved memory: %d\n", err);
+ 		return err;
+diff --git a/lib/optee/optee.c b/lib/optee/optee.c
+index 457d4cca8a..963c2ff430 100644
+--- a/lib/optee/optee.c
++++ b/lib/optee/optee.c
+@@ -192,7 +192,7 @@ int optee_copy_fdt_nodes(const void *old_blob, void *new_blob)
+ 				ret = fdtdec_add_reserved_memory(new_blob,
+ 								 nodename,
+ 								 &carveout,
+-								 NULL);
++								 NULL, false);
+ 				free(oldname);
+ 
+ 				if (ret < 0)
+diff --git a/test/dm/fdtdec.c b/test/dm/fdtdec.c
+index 716993f706..4119003041 100644
+--- a/test/dm/fdtdec.c
++++ b/test/dm/fdtdec.c
+@@ -80,7 +80,7 @@ static int dm_test_fdtdec_add_reserved_memory(struct unit_test_state *uts)
+ 	resv.start = 0x1000;
+ 	resv.end = 0x1fff;
+ 	ut_assertok(fdtdec_add_reserved_memory(blob, "rsvd_region",
+-					       &resv, &phandle));
++					       &resv, &phandle, false));
+ 
+ 	/* Test /reserve-memory and its subnode should exist */
+ 	parent = fdt_path_offset(blob, "/reserved-memory");
+@@ -101,7 +101,7 @@ static int dm_test_fdtdec_add_reserved_memory(struct unit_test_state *uts)
+ 	resv.start = 0x2000;
+ 	resv.end = 0x2fff;
+ 	ut_assertok(fdtdec_add_reserved_memory(blob, "rsvd_region1",
+-					       &resv, &phandle1));
++					       &resv, &phandle1, false));
+ 	subnode = fdt_path_offset(blob, "/reserved-memory/rsvd_region1");
+ 	ut_assert(subnode > 0);
+ 
+@@ -115,7 +115,7 @@ static int dm_test_fdtdec_add_reserved_memory(struct unit_test_state *uts)
+ 	resv.start = 0x1000;
+ 	resv.end = 0x1fff;
+ 	ut_assertok(fdtdec_add_reserved_memory(blob, "rsvd_region2",
+-					       &resv, &phandle1));
++					       &resv, &phandle1, false));
+ 	subnode = fdt_path_offset(blob, "/reserved-memory/rsvd_region2");
+ 	ut_assert(subnode < 0);
+ 
+-- 
+2.26.2
+
diff --git a/meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch b/meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch
new file mode 100644
index 00000000..6a39968b
--- /dev/null
+++ b/meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch
@@ -0,0 +1,33 @@
+From 3e15c315f97401f394ae83ed17fbef72b765222a Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@st.com>
+Date: Thu, 10 Sep 2020 10:50:01 +0200
+Subject: [PATCH] optee: add property no-map to secure reserved memory
+
+OP-TEE reserved memory node must set property "no-map" to prevent
+Linux kernel from mapping secure memory unless what non-secure world
+speculative accesses of the CPU can violate the memory firmware
+configuration.
+
+Fixes: 6ccb05eae01b ("image: fdt: copy possible optee nodes to a loaded devicetree")
+Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
+Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
+---
+ lib/optee/optee.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/optee/optee.c b/lib/optee/optee.c
+index 963c2ff430..9e6606568f 100644
+--- a/lib/optee/optee.c
++++ b/lib/optee/optee.c
+@@ -192,7 +192,7 @@ int optee_copy_fdt_nodes(const void *old_blob, void *new_blob)
+ 				ret = fdtdec_add_reserved_memory(new_blob,
+ 								 nodename,
+ 								 &carveout,
+-								 NULL, false);
++								 NULL, true);
+ 				free(oldname);
+ 
+ 				if (ret < 0)
+-- 
+2.26.2
+
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
index 6d956434..39fceb2f 100644
--- a/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
@@ -4,3 +4,7 @@
 # SPDX-License-Identifier: MIT
 
 require u-boot-${PV}.inc
+
+SRC_URI += " \
+    file://0001-fdtdec-optionally-add-property-no-map-to-created-res.patch \
+    file://0002-optee-add-property-no-map-to-secure-reserved-memory.patch"
-- 
2.26.2

[PATCH v2 11/11] meta-isar: Add OP-TEE to STM32MP15x board

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This builds OP-TEE 3.10.0 for the "stm32mp1" platform and installs the
generated binaries in the required partitions for the STM32MP15x. Serves
as a demo and test for building custom OP-TEE packages.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf        |  4 ++--
 .../optee-os/optee-os-stm32mp15x_3.10.0.bb    | 19 +++++++++++++++++++
 .../trusted-firmware-a-stm32mp15x_2.3.bb      |  2 +-
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |  4 ++++
 4 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 66a47df4..e963d080 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -13,7 +13,7 @@ U_BOOT_BIN_stm32mp15x = "u-boot.stm32"
 
 IMAGE_TYPE ?= "wic-img"
 WKS_FILE ?= "stm32mp15x.wks.in"
-IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
-IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
+IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
 
 IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
new file mode 100644
index 00000000..a2570946
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/optee-os/optee-os-custom.inc
+
+SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
+SRC_URI[sha256sum] = "d30776ab051b701cdd2b71d32ff5cd54285a688440cc90aefd14b4f0f6495d7c"
+
+S = "${WORKDIR}/optee_os-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+
+OPTEE_PLATFORM = "stm32mp1"
+OPTEE_EXTRA_BUILDARGS = " \
+    ARCH=arm CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
+    CFG_TEE_CORE_LOG_LEVEL=2"
+OPTEE_BINARIES = "tee-header_v2.stm32 tee-pageable_v2.stm32 tee-pager_v2.stm32"
diff --git a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
index 0a45ec36..33836ea9 100644
--- a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
+++ b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
@@ -14,7 +14,7 @@ DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
 
 TF_A_PLATFORM = "stm32mp1"
 TF_A_EXTRA_BUILDARGS = " \
-    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min \
+    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=optee \
     STM32MP_SDMMC=1 STM32MP_EMMC=1 \
     STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
     DTB_FILE_NAME=stm32mp157c-ev1.dtb"
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index 5abaa833..744330e6 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -7,6 +7,10 @@ part fsbl1 --part-name fsbl1 --source rawcopy --sourceparams "file=/usr/lib/trus
 part fsbl2 --part-name fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
 part ssbl --part-name ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
 
+part teeh --part-name teeh --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-header_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part teed --part-name teed --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 512K
+part teex --part-name teex --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pager_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+
 part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
 
 bootloader --ptable gpt --append="rootwait rw console=ttySTM0,115200"
-- 
2.26.2

Re: [PATCH v2 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[Jan Kiszka]

On 15.10.20 11:43, [ext] Jan Kiszka wrote:
> Changes in v2:
>  - fix wks file so that it becomes compatible with upcoming wic version
>    (credits go to Vijai for debugging this)
>  - replace kernel patches with upstream U-Boot backports, following
>    community suggestions
> 
> This adds include files for building custom Trusted Firmware A and Open
> Portable Trusted Execution Environment, similar to U-Boot. As a
> demonstration target, support for the STM32MP15x board is added, and its
> boot is enabled for both TF-a and OP-TEE.
> 
> Jan
> 
> 
> CC: vijaikumar.kanagarajan@gmail.com
> 
> Jan Kiszka (11):
>   meta-isar: Lift de0-nano-soc build to buster
>   meta-isar: linux-mainline: Update to latest 5.4.70
>   meta-isar: u-boot: Update to 2020.10
>   meta-isar: u-boot: Factor our de0-nano-soc recipe
>   meta-isar: example-raw: Purge securetty from target image
>   Add STM32MP15x eval board
>   Add recipe include for building custom Trusted Firmware A
>   stm32mp15x: Switch to TF-A based boot
>   Add recipe include for building custom OP-TEE
>   meta-isar: u-boot-stm32mp15x: Add patches needed for OP-TEE usage
>   meta-isar: Add OP-TEE to STM32MP15x board
> 
>  meta-isar/conf/local.conf.sample              |   3 +-
>  meta-isar/conf/machine/de0-nano-soc.conf      |   1 +
>  meta-isar/conf/machine/stm32mp15x.conf        |  19 +++
>  .../conf/multiconfig/de0-nano-soc-buster.conf |   7 +
>  .../multiconfig/de0-nano-soc-stretch.conf     |   7 -
>  .../conf/multiconfig/stm32mp15x-buster.conf   |   7 +
>  .../recipes-app/example-raw/files/postinst    |   3 +
>  .../optee-os/optee-os-stm32mp15x_3.10.0.bb    |  19 +++
>  .../trusted-firmware-a-stm32mp15x_2.3.bb      |  21 +++
>  ...y-add-property-no-map-to-created-res.patch | 151 ++++++++++++++++++
>  ...rty-no-map-to-secure-reserved-memory.patch |  33 ++++
>  .../recipes-bsp/u-boot/u-boot-2020.10.inc     |  13 ++
>  .../u-boot/u-boot-de0-nano-soc_2020.10.bb     |   9 ++
>  .../u-boot/u-boot-stm32mp15x_2020.10.bb       |  10 ++
>  .../recipes-bsp/u-boot/u-boot_2018.09.bb      |  14 --
>  ...ine_5.4.10.bb => linux-mainline_5.4.70.bb} |   4 +-
>  .../lib/wic/canned-wks/stm32mp15x.wks.in      |  16 ++
>  meta/recipes-bsp/optee-os/files/debian/compat |   1 +
>  .../optee-os/files/debian/control.tmpl        |  10 ++
>  meta/recipes-bsp/optee-os/files/debian/rules  |  19 +++
>  meta/recipes-bsp/optee-os/optee-os-custom.inc |  43 +++++
>  .../trusted-firmware-a/files/debian/compat    |   1 +
>  .../files/debian/control.tmpl                 |  10 ++
>  .../trusted-firmware-a/files/debian/rules     |  19 +++
>  .../trusted-firmware-a-custom.inc             |  43 +++++
>  scripts/ci_build.sh                           |   5 +-
>  26 files changed, 462 insertions(+), 26 deletions(-)
>  create mode 100644 meta-isar/conf/machine/stm32mp15x.conf
>  create mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
>  delete mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
>  create mode 100644 meta-isar/conf/multiconfig/stm32mp15x-buster.conf
>  create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
>  create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
>  create mode 100644 meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch
>  create mode 100644 meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch
>  create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
>  create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
>  create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
>  delete mode 100644 meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
>  rename meta-isar/recipes-kernel/linux/{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb} (89%)
>  create mode 100644 meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
>  create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
>  create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
>  create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc
>  create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
>  create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
>  create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
>  create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
> 

Ping for this series, more and more downstream layers would love to use
these patterns.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

Re: [PATCH v2 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[Jan Kiszka]

On 21.11.20 08:35, [ext] Jan Kiszka wrote:
> On 15.10.20 11:43, [ext] Jan Kiszka wrote:
>> Changes in v2:
>>  - fix wks file so that it becomes compatible with upcoming wic version
>>    (credits go to Vijai for debugging this)
>>  - replace kernel patches with upstream U-Boot backports, following
>>    community suggestions
>>
>> This adds include files for building custom Trusted Firmware A and Open
>> Portable Trusted Execution Environment, similar to U-Boot. As a
>> demonstration target, support for the STM32MP15x board is added, and its
>> boot is enabled for both TF-a and OP-TEE.
>>
>> Jan
>>
>>
>> CC: vijaikumar.kanagarajan@gmail.com
>>
>> Jan Kiszka (11):
>>   meta-isar: Lift de0-nano-soc build to buster
>>   meta-isar: linux-mainline: Update to latest 5.4.70
>>   meta-isar: u-boot: Update to 2020.10
>>   meta-isar: u-boot: Factor our de0-nano-soc recipe
>>   meta-isar: example-raw: Purge securetty from target image
>>   Add STM32MP15x eval board
>>   Add recipe include for building custom Trusted Firmware A
>>   stm32mp15x: Switch to TF-A based boot
>>   Add recipe include for building custom OP-TEE
>>   meta-isar: u-boot-stm32mp15x: Add patches needed for OP-TEE usage
>>   meta-isar: Add OP-TEE to STM32MP15x board
>>
>>  meta-isar/conf/local.conf.sample              |   3 +-
>>  meta-isar/conf/machine/de0-nano-soc.conf      |   1 +
>>  meta-isar/conf/machine/stm32mp15x.conf        |  19 +++
>>  .../conf/multiconfig/de0-nano-soc-buster.conf |   7 +
>>  .../multiconfig/de0-nano-soc-stretch.conf     |   7 -
>>  .../conf/multiconfig/stm32mp15x-buster.conf   |   7 +
>>  .../recipes-app/example-raw/files/postinst    |   3 +
>>  .../optee-os/optee-os-stm32mp15x_3.10.0.bb    |  19 +++
>>  .../trusted-firmware-a-stm32mp15x_2.3.bb      |  21 +++
>>  ...y-add-property-no-map-to-created-res.patch | 151 ++++++++++++++++++
>>  ...rty-no-map-to-secure-reserved-memory.patch |  33 ++++
>>  .../recipes-bsp/u-boot/u-boot-2020.10.inc     |  13 ++
>>  .../u-boot/u-boot-de0-nano-soc_2020.10.bb     |   9 ++
>>  .../u-boot/u-boot-stm32mp15x_2020.10.bb       |  10 ++
>>  .../recipes-bsp/u-boot/u-boot_2018.09.bb      |  14 --
>>  ...ine_5.4.10.bb => linux-mainline_5.4.70.bb} |   4 +-
>>  .../lib/wic/canned-wks/stm32mp15x.wks.in      |  16 ++
>>  meta/recipes-bsp/optee-os/files/debian/compat |   1 +
>>  .../optee-os/files/debian/control.tmpl        |  10 ++
>>  meta/recipes-bsp/optee-os/files/debian/rules  |  19 +++
>>  meta/recipes-bsp/optee-os/optee-os-custom.inc |  43 +++++
>>  .../trusted-firmware-a/files/debian/compat    |   1 +
>>  .../files/debian/control.tmpl                 |  10 ++
>>  .../trusted-firmware-a/files/debian/rules     |  19 +++
>>  .../trusted-firmware-a-custom.inc             |  43 +++++
>>  scripts/ci_build.sh                           |   5 +-
>>  26 files changed, 462 insertions(+), 26 deletions(-)
>>  create mode 100644 meta-isar/conf/machine/stm32mp15x.conf
>>  create mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
>>  delete mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
>>  create mode 100644 meta-isar/conf/multiconfig/stm32mp15x-buster.conf
>>  create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
>>  create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
>>  create mode 100644 meta-isar/recipes-bsp/u-boot/files/0001-fdtdec-optionally-add-property-no-map-to-created-res.patch
>>  create mode 100644 meta-isar/recipes-bsp/u-boot/files/0002-optee-add-property-no-map-to-secure-reserved-memory.patch
>>  create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
>>  create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
>>  create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
>>  delete mode 100644 meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
>>  rename meta-isar/recipes-kernel/linux/{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb} (89%)
>>  create mode 100644 meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
>>  create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
>>  create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
>>  create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
>>  create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc
>>  create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
>>  create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
>>  create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
>>  create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
>>
> 
> Ping for this series, more and more downstream layers would love to use
> these patterns.
> 

Will send a new series, did some version updates. And found a wic-img
bug. And a stable kernel regression.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux