[PATCH 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[PATCH 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[Jan Kiszka]

This adds include files for building custom Trusted Firmware A and Open
Portable Trusted Execution Environment, similar to U-Boot. As a
demonstration target, support for the STM32MP15x board is added, and its
boot is enabled for both TF-a and OP-TEE.

Jan

Jan Kiszka (11):
  meta-isar: Lift de0-nano-soc build to buster
  meta-isar: linux-mainline: Update to latest 5.4.70
  meta-isar: u-boot: Update to 2020.10
  meta-isar: u-boot: Factor our de0-nano-soc recipe
  meta-isar: example-raw: Purge securetty from target image
  Add STM32MP15x eval board
  Add recipe include for building custom Trusted Firmware A
  stm32mp15x: Switch to TF-A based boot
  Add recipe include for building custom OP-TEE
  meta-isar: linux-mainline: Add patches for stm32mp15x target
  meta-isar: Add OP-TEE to STM32MP15x board

 meta-isar/conf/local.conf.sample              |  3 +-
 meta-isar/conf/machine/de0-nano-soc.conf      |  1 +
 meta-isar/conf/machine/stm32mp15x.conf        | 19 +++++
 .../conf/multiconfig/de0-nano-soc-buster.conf |  7 ++
 .../multiconfig/de0-nano-soc-stretch.conf     |  7 --
 .../conf/multiconfig/stm32mp15x-buster.conf   |  7 ++
 .../recipes-app/example-raw/files/postinst    |  3 +
 .../optee-os/optee-os-stm32mp15x_3.10.0.bb    | 19 +++++
 .../trusted-firmware-a-stm32mp15x_2.3.bb      | 21 +++++
 .../recipes-bsp/u-boot/u-boot-2020.10.inc     | 13 +++
 .../u-boot/u-boot-de0-nano-soc_2020.10.bb     |  9 +++
 .../u-boot/u-boot-stm32mp15x_2020.10.bb       |  6 ++
 .../recipes-bsp/u-boot/u-boot_2018.09.bb      | 14 ----
 ...d-OP-TEE-node-and-its-reserved-memor.patch | 79 +++++++++++++++++++
 ...move-reserve-memory-holes-on-stm32mp.patch | 65 +++++++++++++++
 ...ine_5.4.10.bb => linux-mainline_5.4.70.bb} |  6 +-
 .../lib/wic/canned-wks/stm32mp15x.wks.in      | 16 ++++
 meta/recipes-bsp/optee-os/files/debian/compat |  1 +
 .../optee-os/files/debian/control.tmpl        | 10 +++
 meta/recipes-bsp/optee-os/files/debian/rules  | 19 +++++
 meta/recipes-bsp/optee-os/optee-os-custom.inc | 43 ++++++++++
 .../trusted-firmware-a/files/debian/compat    |  1 +
 .../files/debian/control.tmpl                 | 10 +++
 .../trusted-firmware-a/files/debian/rules     | 19 +++++
 .../trusted-firmware-a-custom.inc             | 43 ++++++++++
 scripts/ci_build.sh                           |  5 +-
 26 files changed, 420 insertions(+), 26 deletions(-)
 create mode 100644 meta-isar/conf/machine/stm32mp15x.conf
 create mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
 delete mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
 create mode 100644 meta-isar/conf/multiconfig/stm32mp15x-buster.conf
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
 create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
 delete mode 100644 meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
 create mode 100644 meta-isar/recipes-kernel/linux/files/0001-ARM-dts-stm32-add-OP-TEE-node-and-its-reserved-memor.patch
 create mode 100644 meta-isar/recipes-kernel/linux/files/0002-ARM-dts-stm32-remove-reserve-memory-holes-on-stm32mp.patch
 rename meta-isar/recipes-kernel/linux/{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb} (78%)
 create mode 100644 meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc

-- 
2.26.2

[PATCH 01/11] meta-isar: Lift de0-nano-soc build to buster

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

That's up-to-date, and it will allow building another ARM board while
sharing the same self-built kernel.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/local.conf.sample                     | 2 +-
 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf  | 7 +++++++
 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf | 7 -------
 scripts/ci_build.sh                                  | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
 delete mode 100644 meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf

diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 2f82020d..01666fd4 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -56,7 +56,7 @@ BBMULTICONFIG = " \
     qemumipsel-bullseye \
     qemuriscv64-sid-ports \
     bananapi-buster \
-    de0-nano-soc-stretch \
+    de0-nano-soc-buster \
     hikey-stretch \
     nand-ubi-demo-buster \
     nanopi-neo-buster \
diff --git a/meta-isar/conf/multiconfig/de0-nano-soc-buster.conf b/meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
new file mode 100644
index 00000000..0584d193
--- /dev/null
+++ b/meta-isar/conf/multiconfig/de0-nano-soc-buster.conf
@@ -0,0 +1,7 @@
+#
+# Copyright (c) Siemens AG, 2018-2020
+#
+# SPDX-License-Identifier: MIT
+
+MACHINE = "de0-nano-soc"
+DISTRO = "debian-buster"
diff --git a/meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf b/meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
deleted file mode 100644
index 68824939..00000000
--- a/meta-isar/conf/multiconfig/de0-nano-soc-stretch.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2018
-#
-# SPDX-License-Identifier: MIT
-
-MACHINE = "de0-nano-soc"
-DISTRO = "debian-stretch"
diff --git a/scripts/ci_build.sh b/scripts/ci_build.sh
index c0a032e7..f1f6503e 100755
--- a/scripts/ci_build.sh
+++ b/scripts/ci_build.sh
@@ -48,7 +48,7 @@ CROSS_TARGETS_SET="\
                   mc:qemuarm-buster:isar-image-base \
                   mc:qemuarm64-stretch:isar-image-base \
                   mc:qemuamd64-stretch:isar-image-base \
-                  mc:de0-nano-soc-stretch:isar-image-base \
+                  mc:de0-nano-soc-buster:isar-image-base \
                   mc:rpi-stretch:isar-image-base"
 
 CROSS_TARGETS_SET_BULLSEYE="\
@@ -56,7 +56,7 @@ CROSS_TARGETS_SET_BULLSEYE="\
 "
 
 REPRO_TARGETS_SET_SIGNED="\
-            mc:de0-nano-soc-stretch:isar-image-base \
+            mc:de0-nano-soc-buster:isar-image-base \
             mc:qemuarm64-stretch:isar-image-base"
 
 REPRO_TARGETS_SET="\
-- 
2.26.2

[PATCH 02/11] meta-isar: linux-mainline: Update to latest 5.4.70

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Just to be more fresh.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-isar/recipes-kernel/linux/{linux-mainline_5.4.10.bb => linux-mainline_5.4.70.bb} (89%)

diff --git a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.10.bb b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
similarity index 89%
rename from meta-isar/recipes-kernel/linux/linux-mainline_5.4.10.bb
rename to meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
index 8ec577cf..209ad9c0 100644
--- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.10.bb
+++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
@@ -1,7 +1,7 @@
 # Example recipe for building the mainline kernel
 #
 # This software is a part of ISAR.
-# Copyright (c) Siemens AG, 2018
+# Copyright (c) Siemens AG, 2018-2020
 #
 # SPDX-License-Identifier: MIT
 
@@ -15,7 +15,7 @@ SRC_URI += " \
     file://no-ubifs-fs.cfg \
     file://no-root-nfs.cfg;apply=no"
 
-SRC_URI[sha256sum] = "f23c0218a5e3b363bb5a880972f507bb4dc4a290a787a7da08be07ea12042edd"
+SRC_URI[sha256sum] = "c0b3d8085c5ba235df38b00b740e053659709e8a5ca21957a239f6bc22c45007"
 
 S = "${WORKDIR}/linux-${ARCHIVE_VERSION}"
 
-- 
2.26.2

[PATCH 03/11] meta-isar: u-boot: Update to 2020.10

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Will be needed for STM32MP15x addition.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../u-boot/{u-boot_2018.09.bb => u-boot_2020.10.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-isar/recipes-bsp/u-boot/{u-boot_2018.09.bb => u-boot_2020.10.bb} (67%)

diff --git a/meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb b/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
similarity index 67%
rename from meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
rename to meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
index e79f340a..605f484b 100644
--- a/meta-isar/recipes-bsp/u-boot/u-boot_2018.09.bb
+++ b/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
@@ -1,5 +1,5 @@
 #
-# Copyright (c) Siemens AG, 2018
+# Copyright (c) Siemens AG, 2018-2020
 #
 # SPDX-License-Identifier: MIT
 
@@ -8,7 +8,7 @@ require recipes-bsp/u-boot/u-boot-custom.inc
 SRC_URI += " \
     https://ftp.denx.de/pub/u-boot/u-boot-${PV}.tar.bz2 \
     "
-SRC_URI[sha256sum] = "839bf23cfe8ce613a77e583a60375179d0ad324e92c82fbdd07bebf0fd142268"
+SRC_URI[sha256sum] = "0d481bbdc05c0ee74908ec2f56a6daa53166cc6a78a0e4fac2ac5d025770a622"
 
 # Just for testing purposes, distro package would be recent enough
 U_BOOT_TOOLS_PACKAGE = "1"
-- 
2.26.2

[PATCH 04/11] meta-isar: u-boot: Factor our de0-nano-soc recipe

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

We need to change the name of the recipe as a second user (machine) will
come along.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/de0-nano-soc.conf                 | 1 +
 .../u-boot/{u-boot_2020.10.bb => u-boot-2020.10.inc}     | 3 +--
 .../recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb    | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)
 rename meta-isar/recipes-bsp/u-boot/{u-boot_2020.10.bb => u-boot-2020.10.inc} (75%)
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb

diff --git a/meta-isar/conf/machine/de0-nano-soc.conf b/meta-isar/conf/machine/de0-nano-soc.conf
index 3a2c0092..5a734d4d 100644
--- a/meta-isar/conf/machine/de0-nano-soc.conf
+++ b/meta-isar/conf/machine/de0-nano-soc.conf
@@ -7,6 +7,7 @@ DISTRO_ARCH ?= "armhf"
 
 KERNEL_NAME ?= "mainline"
 
+PREFERRED_PROVIDER_u-boot-de0-nano-soc = "u-boot-de0-nano-soc"
 U_BOOT_CONFIG_de0-nano-soc = "socfpga_de0_nano_soc_defconfig"
 U_BOOT_BIN_de0-nano-soc = "u-boot-with-spl.sfp"
 
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
similarity index 75%
rename from meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
rename to meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
index 605f484b..604776a6 100644
--- a/meta-isar/recipes-bsp/u-boot/u-boot_2020.10.bb
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-2020.10.inc
@@ -10,5 +10,4 @@ SRC_URI += " \
     "
 SRC_URI[sha256sum] = "0d481bbdc05c0ee74908ec2f56a6daa53166cc6a78a0e4fac2ac5d025770a622"
 
-# Just for testing purposes, distro package would be recent enough
-U_BOOT_TOOLS_PACKAGE = "1"
+S = "${WORKDIR}/u-boot-${PV}"
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
new file mode 100644
index 00000000..dcb76c53
--- /dev/null
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-de0-nano-soc_2020.10.bb
@@ -0,0 +1,9 @@
+#
+# Copyright (c) Siemens AG, 2018-2020
+#
+# SPDX-License-Identifier: MIT
+
+require u-boot-${PV}.inc
+
+# Just for testing purposes, distro package would be recent enough
+U_BOOT_TOOLS_PACKAGE = "1"
-- 
2.26.2

[PATCH 05/11] meta-isar: example-raw: Purge securetty from target image

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Needed for boards which were unsupported by Debian's login package.
Bullseye will drop this as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/recipes-app/example-raw/files/postinst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-isar/recipes-app/example-raw/files/postinst b/meta-isar/recipes-app/example-raw/files/postinst
index c32ba956..d25c251d 100644
--- a/meta-isar/recipes-app/example-raw/files/postinst
+++ b/meta-isar/recipes-app/example-raw/files/postinst
@@ -19,3 +19,6 @@ cp -RTn /etc/skel ~isar
 chown -R isar:isar ~isar
 
 echo "isar" > /etc/hostname
+
+# this helps with ttys not know to this file (removed upstream with bullseye)
+rm -f /etc/securetty
-- 
2.26.2

[PATCH 06/11] Add STM32MP15x eval board

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This adds another ARMv7 board, using buster this time. It's primary
purpose will be acting as a TF-A test target. It was chosen due to its
simplicity and clean upstream support.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/local.conf.sample              |  1 +
 meta-isar/conf/machine/stm32mp15x.conf        | 19 +++++++++++++++++++
 .../conf/multiconfig/stm32mp15x-buster.conf   |  7 +++++++
 .../u-boot/u-boot-stm32mp15x_2020.10.bb       |  6 ++++++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      | 12 ++++++++++++
 scripts/ci_build.sh                           |  1 +
 6 files changed, 46 insertions(+)
 create mode 100644 meta-isar/conf/machine/stm32mp15x.conf
 create mode 100644 meta-isar/conf/multiconfig/stm32mp15x-buster.conf
 create mode 100644 meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
 create mode 100644 meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in

diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 01666fd4..de1c6a87 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -60,6 +60,7 @@ BBMULTICONFIG = " \
     hikey-stretch \
     nand-ubi-demo-buster \
     nanopi-neo-buster \
+    stm32mp15x-buster \
     rpi-stretch \
     sifive-fu540-sid-ports \
 "
diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
new file mode 100644
index 00000000..7ef36e68
--- /dev/null
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -0,0 +1,19 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+DISTRO_ARCH ?= "armhf"
+
+KERNEL_NAME ?= "mainline"
+
+PREFERRED_PROVIDER_u-boot-stm32mp15x = "u-boot-stm32mp15x"
+U_BOOT_CONFIG_stm32mp15x = "stm32mp15_basic_defconfig"
+U_BOOT_BIN_stm32mp15x = "u-boot-spl.stm32 u-boot.img"
+
+IMAGE_TYPE ?= "wic-img"
+WKS_FILE ?= "stm32mp15x.wks.in"
+IMAGER_INSTALL += "u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "u-boot-stm32mp15x"
+
+IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/conf/multiconfig/stm32mp15x-buster.conf b/meta-isar/conf/multiconfig/stm32mp15x-buster.conf
new file mode 100644
index 00000000..d1b76d0f
--- /dev/null
+++ b/meta-isar/conf/multiconfig/stm32mp15x-buster.conf
@@ -0,0 +1,7 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+MACHINE = "stm32mp15x"
+DISTRO = "debian-buster"
diff --git a/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb b/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
new file mode 100644
index 00000000..6d956434
--- /dev/null
+++ b/meta-isar/recipes-bsp/u-boot/u-boot-stm32mp15x_2020.10.bb
@@ -0,0 +1,6 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require u-boot-${PV}.inc
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
new file mode 100644
index 00000000..a8dc3727
--- /dev/null
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -0,0 +1,12 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+part fsbl1 --label fsbl1 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part fsbl2 --label fsbl2 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part ssbl --label ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.img" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
+
+part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
+
+bootloader --ptable gpt --append="rootwait rw console=ttySTM0,115200"
diff --git a/scripts/ci_build.sh b/scripts/ci_build.sh
index f1f6503e..0053809c 100755
--- a/scripts/ci_build.sh
+++ b/scripts/ci_build.sh
@@ -49,6 +49,7 @@ CROSS_TARGETS_SET="\
                   mc:qemuarm64-stretch:isar-image-base \
                   mc:qemuamd64-stretch:isar-image-base \
                   mc:de0-nano-soc-buster:isar-image-base \
+                  mc:stm32mp15x-buster:isar-image-base \
                   mc:rpi-stretch:isar-image-base"
 
 CROSS_TARGETS_SET_BULLSEYE="\
-- 
2.26.2

[PATCH 07/11] Add recipe include for building custom Trusted Firmware A

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Analogously to U-Boot, this adds an include file to be used in custom
TF-A recipes. The typical customization points are TF_A_PLATFORM and
possibly a couple of TF_A_EXTRA_BUILDARGS. The to-be-packaged binaries
can be defined via TF_A_BINARIES.

Debian has a binary package called "arm-trusted-firmware", targeting a
couple of sunxi boards. We do not follow that legacy naming by intention
and rather use the new official one. Debian will probably follow at some
point.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../trusted-firmware-a/files/debian/compat    |  1 +
 .../files/debian/control.tmpl                 | 10 +++++
 .../trusted-firmware-a/files/debian/rules     | 19 ++++++++
 .../trusted-firmware-a-custom.inc             | 43 +++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/compat
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/trusted-firmware-a/files/debian/rules
 create mode 100644 meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc

diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/compat b/meta/recipes-bsp/trusted-firmware-a/files/debian/compat
new file mode 100644
index 00000000..f599e28b
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
new file mode 100644
index 00000000..7ffd189d
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
@@ -0,0 +1,10 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: trusted-firmware-a-${TF_A_NAME}
+Architecture: ${DISTRO_ARCH}
+Description: ${DESCRIPTION}, firmware binaries
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/rules b/meta/recipes-bsp/trusted-firmware-a/files/debian/rules
new file mode 100755
index 00000000..70e1dd66
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLAT=$(TF_A_PLATFORM) \
+		$(TF_A_EXTRA_BUILDARGS)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
new file mode 100644
index 00000000..a065ce71
--- /dev/null
+++ b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
@@ -0,0 +1,43 @@
+# Custom Trusted Firmware A build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian/"
+
+DESCRIPTION ?= "Custom Trusted Firmware A"
+
+TF_A_NAME ?= "${MACHINE}"
+TF_A_PLATFORM ?= "unknown"
+TF_A_EXTRA_BUILDARGS ?= ""
+TF_A_BINARIES ?= "bl31.bin"
+
+DEBIAN_BUILD_DEPENDS ?= ""
+
+PROVIDES += "trusted-firmware-a-${TF_A_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "TF_A_NAME DEBIAN_BUILD_DEPENDS"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/trusted-firmware-a-${TF_A_NAME}.install
+    for binary in ${TF_A_BINARIES}; do
+        echo "build/${TF_A_PLATFORM}/release/$binary /usr/lib/trusted-firmware-a/${TF_A_NAME}/" >> \
+            ${S}/debian/trusted-firmware-a-${TF_A_NAME}.install
+    done
+}
+
+dpkg_runbuild_prepend() {
+    export TF_A_PLATFORM="${TF_A_PLATFORM}"
+    export TF_A_EXTRA_BUILDARGS="${TF_A_EXTRA_BUILDARGS}"
+}
-- 
2.26.2

[PATCH 08/11] stm32mp15x: Switch to TF-A based boot

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This demonstrates the usage of the TF-A include for building custom
firmware versions.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf        |  8 +++----
 .../trusted-firmware-a-stm32mp15x_2.3.bb      | 21 +++++++++++++++++++
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |  6 +++---
 3 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 7ef36e68..66a47df4 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -8,12 +8,12 @@ DISTRO_ARCH ?= "armhf"
 KERNEL_NAME ?= "mainline"
 
 PREFERRED_PROVIDER_u-boot-stm32mp15x = "u-boot-stm32mp15x"
-U_BOOT_CONFIG_stm32mp15x = "stm32mp15_basic_defconfig"
-U_BOOT_BIN_stm32mp15x = "u-boot-spl.stm32 u-boot.img"
+U_BOOT_CONFIG_stm32mp15x = "stm32mp15_trusted_defconfig"
+U_BOOT_BIN_stm32mp15x = "u-boot.stm32"
 
 IMAGE_TYPE ?= "wic-img"
 WKS_FILE ?= "stm32mp15x.wks.in"
-IMAGER_INSTALL += "u-boot-stm32mp15x"
-IMAGER_BUILD_DEPS += "u-boot-stm32mp15x"
+IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
 
 IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
new file mode 100644
index 00000000..0a45ec36
--- /dev/null
+++ b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
@@ -0,0 +1,21 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+
+SRC_URI += "https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/snapshot/trusted-firmware-a-${PV}.tar.gz"
+SRC_URI[sha256sum] = "37f917922bcef181164908c470a2f941006791c0113d738c498d39d95d543b21"
+
+S = "${WORKDIR}/trusted-firmware-a-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+
+TF_A_PLATFORM = "stm32mp1"
+TF_A_EXTRA_BUILDARGS = " \
+    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min \
+    STM32MP_SDMMC=1 STM32MP_EMMC=1 \
+    STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
+    DTB_FILE_NAME=stm32mp157c-ev1.dtb"
+TF_A_BINARIES = "tf-a-stm32mp157c-ev1.stm32"
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index a8dc3727..5a518d3f 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -3,9 +3,9 @@
 #
 # SPDX-License-Identifier: MIT
 
-part fsbl1 --label fsbl1 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part fsbl2 --label fsbl2 --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot-spl.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
-part ssbl --label ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.img" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
+part fsbl1 --label fsbl1 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part fsbl2 --label fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part ssbl --label ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
 
 part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
 
-- 
2.26.2

[PATCH 09/11] Add recipe include for building custom OP-TEE

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Analogously to TF-A, this adds an include file to be used in custom
Open Portable Trusted Execution Environment. The typical customization
points are OPTEE_PLATFORM and possibly a couple of
OPTEE_EXTRA_BUILDARGS. The to-be-packaged binaries can be defined via
OPTEE_BINARIES.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta/recipes-bsp/optee-os/files/debian/compat |  1 +
 .../optee-os/files/debian/control.tmpl        | 10 +++++
 meta/recipes-bsp/optee-os/files/debian/rules  | 19 ++++++++
 meta/recipes-bsp/optee-os/optee-os-custom.inc | 43 +++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/compat
 create mode 100644 meta/recipes-bsp/optee-os/files/debian/control.tmpl
 create mode 100755 meta/recipes-bsp/optee-os/files/debian/rules
 create mode 100644 meta/recipes-bsp/optee-os/optee-os-custom.inc

diff --git a/meta/recipes-bsp/optee-os/files/debian/compat b/meta/recipes-bsp/optee-os/files/debian/compat
new file mode 100644
index 00000000..f599e28b
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
new file mode 100644
index 00000000..60b39279
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -0,0 +1,10 @@
+Source: ${PN}
+Section: admin
+Priority: optional
+Standards-Version: 3.9.6
+Build-Depends: ${DEBIAN_BUILD_DEPENDS}
+Maintainer: ISAR project <isar-users@googlegroups.com>
+
+Package: optee-os-${OPTEE_NAME}
+Architecture: ${DISTRO_ARCH}
+Description: ${DESCRIPTION}, firmware binaries
diff --git a/meta/recipes-bsp/optee-os/files/debian/rules b/meta/recipes-bsp/optee-os/files/debian/rules
new file mode 100755
index 00000000..d2e9900f
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/files/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+# Debian rules for custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
+endif
+
+override_dh_auto_build:
+	CFLAGS= LDFLAGS= $(MAKE) $(PARALLEL_MAKE) PLATFORM=$(OPTEE_PLATFORM) \
+		$(OPTEE_EXTRA_BUILDARGS)
+
+%:
+	dh $@
diff --git a/meta/recipes-bsp/optee-os/optee-os-custom.inc b/meta/recipes-bsp/optee-os/optee-os-custom.inc
new file mode 100644
index 00000000..54c47fef
--- /dev/null
+++ b/meta/recipes-bsp/optee-os/optee-os-custom.inc
@@ -0,0 +1,43 @@
+# Custom OP-TEE OS build
+#
+# This software is a part of ISAR.
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+inherit dpkg
+
+FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
+
+SRC_URI += "file://debian/"
+
+DESCRIPTION ?= "Custom OP-TEE OS"
+
+OPTEE_NAME ?= "${MACHINE}"
+OPTEE_PLATFORM ?= "unknown"
+OPTEE_EXTRA_BUILDARGS ?= ""
+OPTEE_BINARIES ?= "tee-pager_v2.bin"
+
+DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
+
+PROVIDES += "optee-os-${OPTEE_NAME}"
+
+TEMPLATE_FILES = "debian/control.tmpl"
+TEMPLATE_VARS += "OPTEE_NAME DEBIAN_BUILD_DEPENDS"
+
+do_prepare_build() {
+    cp -r ${WORKDIR}/debian ${S}/
+
+    deb_add_changelog
+
+    rm -f ${S}/debian/optee-os-${OPTEE_NAME}.install
+    for binary in ${OPTEE_BINARIES}; do
+        echo "out/arm-plat-${OPTEE_PLATFORM}/core/$binary /usr/lib/optee-os/${OPTEE_NAME}/" >> \
+            ${S}/debian/optee-os-${OPTEE_NAME}.install
+    done
+}
+
+dpkg_runbuild_prepend() {
+    export OPTEE_PLATFORM="${OPTEE_PLATFORM}"
+    export OPTEE_EXTRA_BUILDARGS="${OPTEE_EXTRA_BUILDARGS}"
+}
-- 
2.26.2

[PATCH 10/11] meta-isar: linux-mainline: Add patches for stm32mp15x target

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

These two patches are needed when activating OP-TEE for that target.
Otherwise, Linux will access memory reserved for the trusted world and
trigger a violation.

See also https://www.mail-archive.com/u-boot@lists.denx.de/msg386171.html

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 ...d-OP-TEE-node-and-its-reserved-memor.patch | 79 +++++++++++++++++++
 ...move-reserve-memory-holes-on-stm32mp.patch | 65 +++++++++++++++
 .../linux/linux-mainline_5.4.70.bb            |  2 +
 3 files changed, 146 insertions(+)
 create mode 100644 meta-isar/recipes-kernel/linux/files/0001-ARM-dts-stm32-add-OP-TEE-node-and-its-reserved-memor.patch
 create mode 100644 meta-isar/recipes-kernel/linux/files/0002-ARM-dts-stm32-remove-reserve-memory-holes-on-stm32mp.patch

diff --git a/meta-isar/recipes-kernel/linux/files/0001-ARM-dts-stm32-add-OP-TEE-node-and-its-reserved-memor.patch b/meta-isar/recipes-kernel/linux/files/0001-ARM-dts-stm32-add-OP-TEE-node-and-its-reserved-memor.patch
new file mode 100644
index 00000000..e40fe4ce
--- /dev/null
+++ b/meta-isar/recipes-kernel/linux/files/0001-ARM-dts-stm32-add-OP-TEE-node-and-its-reserved-memor.patch
@@ -0,0 +1,79 @@
+From 3602c4835344fe2124406608fcec5737a176d7d8 Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@st.com>
+Date: Fri, 8 Nov 2019 13:56:15 +0100
+Subject: [PATCH 1/2] ARM: dts: stm32: add OP-TEE node and its reserved-memory
+ node for stm32mp157
+
+Adds firmware/optee node and adds a reserved-memory node named
+optee for the DDR reserved to OP-TEE.
+
+SoC defines a default disabled OP-TEE node.
+DK1 defines a default disabled OP-TEE reserved-memory node.
+DK2 enables OP-TEE and its reserved memory.
+ED1 defines a default disabled OP-TEE reserved-memory node and
+enables OP-TEE node.
+
+Change-Id: I7b5d50a27a2a81b7cb510ae14ee96e975e41bb97
+Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
+Reviewed-on: https://gerrit.st.com/c/mpu/oe/st/linux-stm32/+/148795
+Tested-by: Alexandre TORGUE <alexandre.torgue@st.com>
+Reviewed-by: Alexandre TORGUE <alexandre.torgue@st.com>
+---
+ arch/arm/boot/dts/stm32mp157a-dk1.dts | 6 ++++++
+ arch/arm/boot/dts/stm32mp157c-dk2.dts | 8 ++++++++
+ arch/arm/boot/dts/stm32mp157c.dtsi    | 8 ++++++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/arch/arm/boot/dts/stm32mp157a-dk1.dts b/arch/arm/boot/dts/stm32mp157a-dk1.dts
+index 0615d1c8a6fc..589d08bdffa0 100644
+--- a/arch/arm/boot/dts/stm32mp157a-dk1.dts
++++ b/arch/arm/boot/dts/stm32mp157a-dk1.dts
+@@ -73,6 +73,12 @@
+ 			reg = <0xd4000000 0x4000000>;
+ 			no-map;
+ 		};
++
++		optee_memory: optee@0xde000000 {
++			reg = <0xde000000 0x02000000>;
++			no-map;
++			status = "disabled";
++		};
+ 	};
+ 
+ 	led {
+diff --git a/arch/arm/boot/dts/stm32mp157c-dk2.dts b/arch/arm/boot/dts/stm32mp157c-dk2.dts
+index 20ea601a546d..9248ee3eb98a 100644
+--- a/arch/arm/boot/dts/stm32mp157c-dk2.dts
++++ b/arch/arm/boot/dts/stm32mp157c-dk2.dts
+@@ -74,3 +74,11 @@
+ 		};
+ 	};
+ };
++ 
++&optee_memory {
++	status = "okay";
++};
++
++&optee {
++	status = "okay";
++};
+diff --git a/arch/arm/boot/dts/stm32mp157c.dtsi b/arch/arm/boot/dts/stm32mp157c.dtsi
+index f98e0370c0bc..84d34120aab3 100644
+--- a/arch/arm/boot/dts/stm32mp157c.dtsi
++++ b/arch/arm/boot/dts/stm32mp157c.dtsi
+@@ -1509,4 +1509,12 @@
+ 			status = "disabled";
+ 		};
+ 	};
++
++	firmware {
++		optee: optee {
++			compatible = "linaro,optee-tz";
++			method = "smc";
++			status = "disabled";
++		};
++	};
+ };
+-- 
+2.26.2
+
diff --git a/meta-isar/recipes-kernel/linux/files/0002-ARM-dts-stm32-remove-reserve-memory-holes-on-stm32mp.patch b/meta-isar/recipes-kernel/linux/files/0002-ARM-dts-stm32-remove-reserve-memory-holes-on-stm32mp.patch
new file mode 100644
index 00000000..99860f45
--- /dev/null
+++ b/meta-isar/recipes-kernel/linux/files/0002-ARM-dts-stm32-remove-reserve-memory-holes-on-stm32mp.patch
@@ -0,0 +1,65 @@
+From a7eb535f0f1c818202b0a0a8ec2aee506a0114e7 Mon Sep 17 00:00:00 2001
+From: Alexandre Torgue <alexandre.torgue@st.com>
+Date: Fri, 29 Nov 2019 18:30:37 +0100
+Subject: [PATCH 2/2] ARM: dts: stm32: remove reserve memory holes on
+ stm32mp157 boards
+
+This commit removes hole between GPU and OPTEE reserve memory in order to
+optimize Linux memory management.
+
+Signed-off-by: Alexandre Torgue <alexandre.torgue@st.com>
+Change-Id: I4461085fd34139ee1b88c5f5116dd5c1de0e10ac
+Reviewed-on: https://gerrit.st.com/c/mpu/oe/st/linux-stm32/+/151463
+Reviewed-by: CITOOLS <smet-aci-reviews@lists.codex.cro.st.com>
+Reviewed-by: CIBUILD <smet-aci-builds@lists.codex.cro.st.com>
+---
+ arch/arm/boot/dts/stm32mp157a-dk1.dts |  4 ++--
+ arch/arm/boot/dts/stm32mp157c-ed1.dts | 13 +++++++++++--
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp157a-dk1.dts b/arch/arm/boot/dts/stm32mp157a-dk1.dts
+index 589d08bdffa0..da762b301d72 100644
+--- a/arch/arm/boot/dts/stm32mp157a-dk1.dts
++++ b/arch/arm/boot/dts/stm32mp157a-dk1.dts
+@@ -69,8 +69,8 @@
+ 			no-map;
+ 		};
+ 
+-		gpu_reserved: gpu@d4000000 {
+-			reg = <0xd4000000 0x4000000>;
++		gpu_reserved: gpu@da000000 {
++			reg = <0xda000000 0x4000000>;
+ 			no-map;
+ 		};
+ 
+diff --git a/arch/arm/boot/dts/stm32mp157c-ed1.dts b/arch/arm/boot/dts/stm32mp157c-ed1.dts
+index 1d426ea8bdaf..4e0f665c5810 100644
+--- a/arch/arm/boot/dts/stm32mp157c-ed1.dts
++++ b/arch/arm/boot/dts/stm32mp157c-ed1.dts
+@@ -64,8 +64,13 @@
+ 			no-map;
+ 		};
+ 
+-		gpu_reserved: gpu@e8000000 {
+-			reg = <0xe8000000 0x8000000>;
++		gpu_reserved: gpu@f6000000 {
++			reg = <0xf6000000 0x8000000>;
++			no-map;
++		};
++
++		optee_memory: optee@0xfe000000 {
++			reg = <0xfe000000 0x02000000>;
+ 			no-map;
+ 		};
+ 	};
+@@ -329,3 +334,7 @@
+ 	vdda1v1-supply = <&reg11>;
+ 	vdda1v8-supply = <&reg18>;
+ };
++
++&optee {
++	status = "okay";
++};
+-- 
+2.26.2
+
diff --git a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
index 209ad9c0..91eb4463 100644
--- a/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
+++ b/meta-isar/recipes-kernel/linux/linux-mainline_5.4.70.bb
@@ -11,6 +11,8 @@ ARCHIVE_VERSION = "${@ d.getVar('PV')[:-2] if d.getVar('PV').endswith('.0') else
 
 SRC_URI += " \
     https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${ARCHIVE_VERSION}.tar.xz \
+    file://0001-ARM-dts-stm32-add-OP-TEE-node-and-its-reserved-memor.patch \
+    file://0002-ARM-dts-stm32-remove-reserve-memory-holes-on-stm32mp.patch \
     file://x86_64_defconfig \
     file://no-ubifs-fs.cfg \
     file://no-root-nfs.cfg;apply=no"
-- 
2.26.2

[PATCH 11/11] meta-isar: Add OP-TEE to STM32MP15x board

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This builds OP-TEE 3.10.0 for the "stm32mp1" platform and installs the
generated binaries in the required partitions for the STM32MP15x. Serves
as a demo and test for building custom OP-TEE packages.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 meta-isar/conf/machine/stm32mp15x.conf        |  4 ++--
 .../optee-os/optee-os-stm32mp15x_3.10.0.bb    | 19 +++++++++++++++++++
 .../trusted-firmware-a-stm32mp15x_2.3.bb      |  2 +-
 .../lib/wic/canned-wks/stm32mp15x.wks.in      |  4 ++++
 4 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb

diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 66a47df4..e963d080 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -13,7 +13,7 @@ U_BOOT_BIN_stm32mp15x = "u-boot.stm32"
 
 IMAGE_TYPE ?= "wic-img"
 WKS_FILE ?= "stm32mp15x.wks.in"
-IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
-IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x u-boot-stm32mp15x"
+IMAGER_INSTALL += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
+IMAGER_BUILD_DEPS += "trusted-firmware-a-stm32mp15x optee-os-stm32mp15x u-boot-stm32mp15x"
 
 IMAGE_INSTALL += "u-boot-script"
diff --git a/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
new file mode 100644
index 00000000..a2570946
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-os/optee-os-stm32mp15x_3.10.0.bb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-bsp/optee-os/optee-os-custom.inc
+
+SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
+SRC_URI[sha256sum] = "d30776ab051b701cdd2b71d32ff5cd54285a688440cc90aefd14b4f0f6495d7c"
+
+S = "${WORKDIR}/optee_os-${PV}"
+
+DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
+
+OPTEE_PLATFORM = "stm32mp1"
+OPTEE_EXTRA_BUILDARGS = " \
+    ARCH=arm CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts \
+    CFG_TEE_CORE_LOG_LEVEL=2"
+OPTEE_BINARIES = "tee-header_v2.stm32 tee-pageable_v2.stm32 tee-pager_v2.stm32"
diff --git a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
index 0a45ec36..33836ea9 100644
--- a/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
+++ b/meta-isar/recipes-bsp/trusted-firmware-a/trusted-firmware-a-stm32mp15x_2.3.bb
@@ -14,7 +14,7 @@ DEBIAN_BUILD_DEPENDS += ", device-tree-compiler"
 
 TF_A_PLATFORM = "stm32mp1"
 TF_A_EXTRA_BUILDARGS = " \
-    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min \
+    ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=optee \
     STM32MP_SDMMC=1 STM32MP_EMMC=1 \
     STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
     DTB_FILE_NAME=stm32mp157c-ev1.dtb"
diff --git a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
index 5a518d3f..878e86de 100644
--- a/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
+++ b/meta-isar/scripts/lib/wic/canned-wks/stm32mp15x.wks.in
@@ -7,6 +7,10 @@ part fsbl1 --label fsbl1 --source rawcopy --sourceparams "file=/usr/lib/trusted-
 part fsbl2 --label fsbl2 --source rawcopy --sourceparams "file=/usr/lib/trusted-firmware-a/${MACHINE}/tf-a-stm32mp157c-ev1.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
 part ssbl --label ssbl --source rawcopy --sourceparams "file=/usr/lib/u-boot/${MACHINE}/u-boot.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 2048K
 
+part teeh --label teeh --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-header_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+part teed --label teed --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pageable_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 512K
+part teex --label teex --source rawcopy --sourceparams "file=/usr/lib/optee-os/${MACHINE}/tee-pager_v2.stm32" --fstype=ext4 --fsoptions "noauto" --part-type 0x8301 --fixed-size 256K
+
 part / --source rootfs-u-boot --fstype ext4 --label root --align 1024 --active --use-uuid
 
 bootloader --ptable gpt --append="rootwait rw console=ttySTM0,115200"
-- 
2.26.2

Re: [PATCH 00/11] Support for building TF-A and OP-TEE, add STM32MP15x board

[Jan Kiszka]

On 13.10.20 09:50, [ext] Jan Kiszka wrote:
> This adds include files for building custom Trusted Firmware A and Open
> Portable Trusted Execution Environment, similar to U-Boot. As a
> demonstration target, support for the STM32MP15x board is added, and its
> boot is enabled for both TF-a and OP-TEE.
> 

Forgot to mention that at least the TF-A abstraction has been stressed
by jailhouse-images extensively already. It works fine to model 4 more
boards [1].

Jan

[1] https://groups.google.com/forum/#!topic/jailhouse-dev/JQXKZUdlxpU

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux