diff --git a/recipes-security/optee/optee-client/0001-Update-Makefile-for-OE-compatibility.patch b/recipes-security/optee/optee-client/0001-Update-Makefile-for-OE-compatibility.patch
new file mode 100644
index 00000000..2c4d020f
--- /dev/null
+++ b/recipes-security/optee/optee-client/0001-Update-Makefile-for-OE-compatibility.patch
@@ -0,0 +1,67 @@
+From 3088da2e93ca40f45cef2b33f3fa595fccd73ddf Mon Sep 17 00:00:00 2001
+From: Matt Madison
+Date: Sun, 23 Oct 2022 05:53:33 -0700
+Subject: [PATCH] Update Makefile for OE compatibility
+
+* Use install instead of cp
+* Use GBS standard names for target directory variables
+
+Signed-off-by: Matt Madison
+---
+ Makefile | 36 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d7aa316..9be28f8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -12,9 +12,9 @@ export VPREFIX
+
+ EXPORT_DIR ?= $(O)/export
+ DESTDIR ?= $(EXPORT_DIR)
+-SBINDIR ?= /usr/sbin
+-LIBDIR ?= /usr/lib
+-INCLUDEDIR ?= /usr/include
++sbindir ?= /usr/sbin
++libdir ?= /usr/lib
++includedir ?= /usr/include
+
+ .PHONY: all build build-libteec build-libckteec build-libseteec install copy_export \
+ clean cscope clean-cscope \
+@@ -135,15 +135,21 @@ checkpatch-all-files: checkpatch-pre-req
+ distclean: clean
+
+ copy_export: build
+- mkdir -p $(DESTDIR)$(SBINDIR) $(DESTDIR)$(LIBDIR) $(DESTDIR)$(INCLUDEDIR)
+- cp config.mk $(DESTDIR)/$(INCLUDEDIR)/optee_client_config.mk
+- cp -a ${O}/libteec/libteec.so* $(DESTDIR)$(LIBDIR)
+- cp -a ${O}/libteec/libteec.a $(DESTDIR)$(LIBDIR)
+- cp ${O}/tee-supplicant/tee-supplicant $(DESTDIR)$(SBINDIR)
+- cp public/*.h $(DESTDIR)$(INCLUDEDIR)
+- cp libckteec/include/*.h $(DESTDIR)$(INCLUDEDIR)
+- cp -a ${O}/libckteec/libckteec.so* $(DESTDIR)$(LIBDIR)
+- cp -a ${O}/libckteec/libckteec.a $(DESTDIR)$(LIBDIR)
+- cp libseteec/include/*.h $(DESTDIR)$(INCLUDEDIR)
+- cp -a ${O}/libseteec/libseteec.so* $(DESTDIR)$(LIBDIR)
+- cp -a ${O}/libseteec/libseteec.a $(DESTDIR)$(LIBDIR)
++ install -d $(DESTDIR)$(sbindir) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
++ install -m 0644 config.mk $(DESTDIR)/$(includedir)/optee_client_config.mk
++ install -m 0644 ${O}/libteec/libteec.so.1.0.0 $(DESTDIR)$(libdir)
++ ln -sf libteec.so.1.0.0 $(DESTDIR)$(libdir)/libteec.so.1.0
++ ln -sf libteec.so.1.0.0 $(DESTDIR)$(libdir)/libteec.so.1
++ install -m 0644 ${O}/libteec/libteec.a $(DESTDIR)$(libdir)
++ install -m 0755 ${O}/tee-supplicant/tee-supplicant $(DESTDIR)$(sbindir)
++ install -m 0644 public/*.h $(DESTDIR)$(includedir)
++ install -m 0644 libckteec/include/*.h $(DESTDIR)$(includedir)
++ install -m 0644 ${O}/libckteec/libckteec.so.0.1.0 $(DESTDIR)$(libdir)
++ ln -sf libckteec.so.0.1.0 $(DESTDIR)$(libdir)/libckteec.so.0.1
++ ln -sf libckteec.so.0.1.0 $(DESTDIR)$(libdir)/libckteec.so.0
++ install -m 0644 ${O}/libckteec/libckteec.a $(DESTDIR)$(libdir)
++ install -m 0644 libseteec/include/*.h $(DESTDIR)$(includedir)
++ install -m 0644 ${O}/libseteec/libseteec.so.0.1.0 $(DESTDIR)$(libdir)
++ ln -sf libseteec.so.0.1.0 $(DESTDIR)$(libdir)/libseteec.so.0.1
++ ln -sf libseteec.so.0.1.0 $(DESTDIR)$(libdir)/libseteec.so.0
++ install -m 0644 ${O}/libseteec/libseteec.a $(DESTDIR)$(libdir)
+--
+2.34.1
+
diff --git a/recipes-security/optee/optee-client/tee-supplicant.service.in b/recipes-security/optee/optee-client/tee-supplicant.service.in
new file mode 100644
index 00000000..c273832d
--- /dev/null
+++ b/recipes-security/optee/optee-client/tee-supplicant.service.in
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-security/optee/optee-client/tee-supplicant.sh.in b/recipes-security/optee/optee-client/tee-supplicant.sh.in
new file mode 100644
index 00000000..c39df276
--- /dev/null
+++ b/recipes-security/optee/optee-client/tee-supplicant.sh.in
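Review bot: The rewritten copy_export recipe hard-codes the library versions (`libteec.so.1.0.0`, `libckteec.so.0.1.0`, `libseteec.so.0.1.0`) and the symlink names, whereas the replaced `cp -a ${O}/libteec/libteec.so*` lines installed whatever the library makefiles produced, so a future version bump in those makefiles will fail at install time or install a stale name; deriving the names from the makefiles' version variables, or keeping `cp -a` for the `.so*` set while using install for everything else, avoids the duplication. The old wildcard also carried over any unversioned `libteec.so`-style link the build creates, and the new recipe creates none, which would break `-lteec` consumers (the optee-nvsamples host makefiles in this commit link `-lteec`) if the sub-makefiles do produce it — worth confirming. The `config.mk` line keeps a stray separator, `$(DESTDIR)/$(includedir)/optee_client_config.mk`, inconsistent with the `$(DESTDIR)$(includedir)` form on the surrounding lines. None of the four patch files in this commit carry an `Upstream-Status:` tag in their header (this one, optee-nvsamples/0001-Update-makefiles-for-OE-builds.patch, optee-os/0001-core-link-add-no-warn-rwx-segments.patch and optee-os/0002-core-arm.mk-add-fcommon-to-cflags.patch); OE convention is e.g. `Upstream-Status: Inappropriate [OE-specific]` for the build-integration patches and `Upstream-Status: Backport [<upstream commit url>]` for the cherry-picked link.mk change.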
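Review bot: The unit starts tee-supplicant as root (`User=root`) with no sandboxing directives, so the daemon and any plugin it loads run fully unconfined. The service needs the TEE device and write access to its TEE filesystem directory (the recipe builds with `CFG_TEE_FS_PARENT_PATH=${OPTEE_FS_PARENT_PATH}`, `${localstatedir}/lib/tee` by default), so a conservative starting point is `ProtectHome=yes`, `PrivateTmp=yes` and `ProtectSystem=strict` with `ReadWritePaths=` naming that directory, each validated on hardware since RPMB and plugin use may need more. There is also no `Restart=` policy, so a crashed supplicant stays down and the TEE-side requests it services go unanswered until someone restarts it; `Restart=on-failure` is a cheap improvement.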
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+NAME=tee-supplicant
+PATH=@stripped_path@
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+OPTARGS=
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+ start)
+ echo -n "Starting $DESC: "
+ start-stop-daemon --start $SSD_OPTIONS
+ echo "${DAEMON##*/}."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ start-stop-daemon --stop $SSD_OPTIONS
+ echo "${DAEMON##*/}."
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/recipes-security/optee/optee-client_3.16.0-l4t-r35.1.0.bb b/recipes-security/optee/optee-client_3.16.0-l4t-r35.1.0.bb
new file mode 100644
index 00000000..d2df9d13
--- /dev/null
+++ b/recipes-security/optee/optee-client_3.16.0-l4t-r35.1.0.bb
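Review bot: `test -f $DAEMON || exit 0` checks existence only; `test -x $DAEMON || exit 0` matches what `start-stop-daemon --exec` needs and is the usual init-script idiom. `SSD_OPTIONS` is shared by the start and stop branches, so `start-stop-daemon --stop` also receives `-- -d $OPTARGS`, which is meaningless for a stop; keeping the daemon arguments out of `SSD_OPTIONS` and passing them only on start (`start-stop-daemon --start $SSD_OPTIONS -- -d $OPTARGS`) keeps the stop call clean. `OPTARGS` comes from the sourced `@sysconfdir@/default/$NAME` and is word-split on purpose, which deserves a one-line comment so nobody quotes it later.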
@@ -0,0 +1,51 @@
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World \
+ Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+require optee-l4t.inc
+
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/optee_client"
+
+SRC_URI += "\
+ file://0001-Update-Makefile-for-OE-compatibility.patch \
+ file://tee-supplicant.service.in \
+ file://tee-supplicant.sh.in \
+"
+
+DEPENDS = "optee-os-tadevkit"
+
+S = "${WORKDIR}/optee_client"
+B = "${WORKDIR}/build"
+
+inherit systemd update-rc.d
+
+OPTEE_FS_PARENT_PATH ?= "${localstatedir}/lib/tee"
+
+EXTRA_OEMAKE += "CFG_TEE_FS_PARENT_PATH=${OPTEE_FS_PARENT_PATH}"
+
+do_compile() {
+ oe_runmake -C ${S} build
+ sed -e's,@sbindir@,${sbindir},g' \
+ -e's,@sysconfdir@,${sysconfdir},g' \
+ ${WORKDIR}/tee-supplicant.service.in >${B}/tee-supplicant.service
+ sed -e's,@sbindir@,${sbindir},g' \
+ -e's,@sysconfdir@,${sysconfdir},g' \
+ -e's,@stripped_path@,${base_sbindir}:${base_bindir}:${sbindir}:${bindir},g' \
+ ${WORKDIR}/tee-supplicant.sh.in >${B}/tee-supplicant.sh
+}
+
+do_install() {
+ oe_runmake -C ${S} install DESTDIR="${D}"
+ install -d ${D}${systemd_system_unitdir} ${D}${sysconfdir}/init.d
+ install -m 0644 ${B}/tee-supplicant.service ${D}${systemd_system_unitdir}/
+ install -m 0755 ${B}/tee-supplicant.sh ${D}${sysconfdir}/init.d/
+}
+
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
diff --git a/recipes-security/optee/optee-l4t.inc b/recipes-security/optee/optee-l4t.inc
new file mode 100644
index 00000000..7909961c
--- /dev/null
+++ b/recipes-security/optee/optee-l4t.inc
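Review bot: `DEPENDS = "optee-os-tadevkit"` replaces, rather than extends, the `DEPENDS` that `optee-l4t.inc` sets a few lines earlier (`python3-pyelftools-native python3-cryptography-native`); optee-nvsamples and optee-test in this commit use `+=` for the same purpose, so if dropping the native signing tools is deliberate for the client, a one-line comment saying so will stop the next reader from "fixing" it, and if it is not, `DEPENDS += "optee-os-tadevkit"` is the fix. Nothing in `do_install` creates or packages `${OPTEE_FS_PARENT_PATH}` even though the build bakes it in as the TEE filesystem root; if the supplicant creates it lazily at runtime, its mode is whatever the daemon's umask yields, so `install -d -m 0700 ${D}${OPTEE_FS_PARENT_PATH}` plus an entry in `FILES:${PN}` would pin ownership and permissions of the directory that holds the secure-storage blobs. The `sed` invocations are fine, but the `@stripped_path@` replacement hard-codes the four standard bin directories; a comment saying the init script deliberately uses a minimal `PATH` would explain why it is not simply inherited.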
@@ -0,0 +1,27 @@
+COMPATIBLE_MACHINE = "(tegra)"
+
+TEGRA_SRC_SUBARCHIVE = "Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2"
+
+inherit l4t_bsp python3native
+require recipes-bsp/tegra-sources/tegra-sources-${L4T_VERSION}.inc
+
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+OPTEE_NV_PLATFORM ?= ""
+OPTEE_NV_PLATFORM:tegra194 = "t194"
+OPTEE_NV_PLATFORM:tegra234 = "t234"
+
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+# Common to all of the builds
+EXTRA_OEMAKE = "\
+ V=1 \
+ O=${B} \
+ CFLAGS32='${TOOLCHAIN_OPTIONS} ${DEBUG_PREFIX_MAP}' \
+ CFLAGS64='${TOOLCHAIN_OPTIONS} ${DEBUG_PREFIX_MAP}' \
+ platform-aflags-generic='${DEBUG_PREFIX_MAP} -pipe' \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+"
diff --git a/recipes-security/optee/optee-nvsamples/0001-Update-makefiles-for-OE-builds.patch b/recipes-security/optee/optee-nvsamples/0001-Update-makefiles-for-OE-builds.patch
new file mode 100644
index 00000000..9b5fee74
--- /dev/null
+++ b/recipes-security/optee/optee-nvsamples/0001-Update-makefiles-for-OE-builds.patch
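Review bot: `OPTEE_NV_PLATFORM ?= ""` leaves the platform flavor empty on any tegra machine other than tegra194/tegra234, while `COMPATIBLE_MACHINE = "(tegra)"` admits them all; downstream this surfaces only as an empty `PLATFORM_FLAVOR=` handed to the OP-TEE build (optee-os-l4t.inc) or as a `tos-optee_.img` filename (tos-optee), neither of which names the cause. Failing at parse time is clearer, e.g. `python () {` / `    if not d.getVar('OPTEE_NV_PLATFORM'): raise bb.parse.SkipRecipe('no OP-TEE platform flavor defined for this SoC')` / `}`. The exported `OPENSSL_MODULES` and the native python `DEPENDS` are needed only by the cryptography-based tooling, yet every recipe that requires this file inherits them; the comment already flags it as temporary, so a tracking reference or the condition under which it can be removed would help whoever cleans it up.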
@@ -0,0 +1,202 @@
+From 5bf629c5e4e0a3d6812675891f4717e8fa2c5238 Mon Sep 17 00:00:00 2001
+From: Matt Madison
+Date: Sun, 23 Oct 2022 07:14:08 -0700
+Subject: [PATCH] Update makefiles for OE builds
+
+- Remove the OPTEE_CLIENT_EXPORT references
+- Use install instead of cp to install host programs
+- Add LDFLAGS to nvhwkey-app build
+
+Signed-off-by: Matt Madison
+---
+ Makefile | 4 ----
+ hwkey-agent/Makefile | 4 ----
+ hwkey-agent/host/Makefile | 13 +++++--------
+ luks-srv/Makefile | 4 ----
+ luks-srv/host/Makefile | 14 +++++--------
+ 5 files changed, 10 insertions(+), 29 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index da3f40b..7671e2d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -4,8 +4,6 @@
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+ # TA_DEV_KIT_DIR: The base directory of the TA-devkit.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-# header files and libraries
+ # O: The base directory for build objects filetree.
+
+ SAMPLE_APPS_LIST := $(subst /,,$(dir $(wildcard */Makefile)))
+@@ -21,7 +19,6 @@ sample_apps:
+ $(MAKE) -C $$apps \
+ CROSS_COMPILE=$(CROSS_COMPILE) \
+ TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
+- OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ O=$(O) || exit 1; \
+ done
+
+@@ -29,7 +26,6 @@ clean-apps:
+ @for apps in $(SAMPLE_APPS_LIST); do \
+ $(MAKE) -C $$apps \
+ TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
+- OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ O=$(O) \
+ clean || exit 1; \
+ done
+diff --git a/hwkey-agent/Makefile b/hwkey-agent/Makefile
+index 7deda53..6557e0a 100644
+--- a/hwkey-agent/Makefile
++++ b/hwkey-agent/Makefile
+@@ -4,8 +4,6 @@
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+ # TA_DEV_KIT_DIR: The base directory of the TA-devkit.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-# header files and libraries
+ # O: The base directory for build objects filetree.
+
+ TARGET_DIR := $(notdir $(shell pwd))
+@@ -18,7 +16,6 @@ all:
+ O=$(O)/ta/$(TARGET_DIR)
+ $(MAKE) -C host \
+ CROSS_COMPILE=$(CROSS_COMPILE) \
+- OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ O=$(O)/ca/$(TARGET_DIR) \
+ --no-builtin-variables
+
+@@ -29,7 +26,6 @@ clean:
+ O=$(O)/ta/$(TARGET_DIR) \
+ clean
+ $(MAKE) -C host \
+- OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ O=$(O)/ca/$(TARGET_DIR) \
+ clean
+ rm -rf $(O)/ca/$(TARGET_DIR)
+diff --git a/hwkey-agent/host/Makefile b/hwkey-agent/host/Makefile
+index b7c2113..6807bbc 100644
+--- a/hwkey-agent/host/Makefile
++++ b/hwkey-agent/host/Makefile
+@@ -3,34 +3,31 @@
+
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-# header files and libraries
+ # O: The base directory for build objects filetree.
+
+ CC ?= $(CROSS_COMPILE)gcc
+
+ CFLAGS += -Wall -I../ta/include -I./include
+-CFLAGS += -I$(OPTEE_CLIENT_EXPORT)/include
+ CFLAGS += -fstack-protector-strong
+-LDADD += -lteec -L$(OPTEE_CLIENT_EXPORT)/lib
++LDADD += -lteec
+
+ SRCS = hwkey_agent_ca.c
+ OBJS = $(patsubst %.c,$(O)/%.o,$(SRCS))
+ BINARY = nvhwkey-app
+
+ .PHONY: all install
+-all: $(BINARY) install
++all: $(BINARY)
+
+ $(BINARY): $(OBJS)
+- $(CC) -o $(O)/$@ $< $(LDADD)
++ $(CC) $(LDFLAGS) -o $(O)/$@ $< $(LDADD)
+
+ $(O)/%.o: %.c
+ mkdir -p $(O)
+ $(CC) $(CFLAGS) -c $< -o $@
+
+ install: $(BINARY)
+- mkdir -p $(OPTEE_CLIENT_EXPORT)/sbin
+- cp $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin
++ install -d $(DESTDIR)$(sbindir)
++ install -m 0755 $(O)/$(BINARY) $(DESTDIR)$(sbindir)/
+
+ .PHONY: clean
+ clean:
+diff --git a/luks-srv/Makefile b/luks-srv/Makefile
+index dd71d34..875e893 100644
+--- a/luks-srv/Makefile
++++ b/luks-srv/Makefile
+@@ -4,8 +4,6 @@
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+ # TA_DEV_KIT_DIR: The base directory of the TA-devkit.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-# header files and libraries
+ # O: The base directory for build objects filetree.
+
+ TARGET_DIR := $(notdir $(shell pwd))
+@@ -18,7 +16,6 @@ all: early_ta_dir
+ O=$(O)/early_ta/$(TARGET_DIR)
+ $(MAKE) -C host \
+ CROSS_COMPILE=$(CROSS_COMPILE) \
+- OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ O=$(O)/ca/$(TARGET_DIR) \
+ --no-builtin-variables
+
+@@ -32,7 +29,6 @@ clean:
+ O=$(O)/early_ta/$(TARGET_DIR) \
+ clean
+ $(MAKE) -C host \
+- OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ O=$(O)/ca/$(TARGET_DIR) \
+ clean
+ rm -rf $(O)/early_ta/$(TARGET_DIR)
+diff --git a/luks-srv/host/Makefile b/luks-srv/host/Makefile
+index c9a2dcc..7b72181 100644
+--- a/luks-srv/host/Makefile
++++ b/luks-srv/host/Makefile
+@@ -3,8 +3,6 @@
+
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-# header files and libraries
+ # O: The base directory for build objects filetree.
+
+ CC ?= $(CROSS_COMPILE)gcc
+@@ -12,10 +10,9 @@ LD ?= $(CROSS_COMPILE)ld
+ STRIP ?= $(CROSS_COMPILE)strip
+
+ CFLAGS += -Wall -I../ta/include -I./include
+-CFLAGS += -I$(OPTEE_CLIENT_EXPORT)/include
+ CFLAGS += -fstack-protector-strong
+ LDADD += -pthread -lpthread
+-LDADD += -lteec -L$(OPTEE_CLIENT_EXPORT)/lib
++LDADD += -lteec
+ LDFLAGS := -static
+
+ SRCS = luks_srv_ca.c
+@@ -23,20 +20,19 @@ OBJS = $(patsubst %.c,$(O)/%.o,$(SRCS))
+ BINARY = nvluks-srv-app
+
+ .PHONY: all install
+-all: $(BINARY) install
++all: $(BINARY)
+
+ $(BINARY): $(OBJS)
+ $(CC) $(LDFLAGS) -o $(O)/$@ $< $(LDADD)
+- $(STRIP) $(O)/$@
+
+ $(O)/%.o: %.c
+ mkdir -p $(O)
+ $(CC) $(CFLAGS) -c $< -o $@
+
+ install: $(BINARY)
+- mkdir -p $(OPTEE_CLIENT_EXPORT)/sbin
+- cp $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin
++ install -d $(DESTDIR)$(sbindir)
++ install -m 0755 $(O)/$(BINARY) $(DESTDIR)$(sbindir)/
+
+ .PHONY: clean
+ clean:
+- rm -f $(OBJS) $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin/$(BINARY)
++ rm -f $(OBJS) $(O)/$(BINARY)
+--
+2.34.1
+
diff --git a/recipes-security/optee/optee-nvsamples_35.1.0.bb b/recipes-security/optee/optee-nvsamples_35.1.0.bb
new file mode 100644
index 00000000..0a424fd3
--- /dev/null
+++ b/recipes-security/optee/optee-nvsamples_35.1.0.bb
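Review bot: luks-srv/host/Makefile still has `LDFLAGS := -static` (a context line in the last hunk), which discards whatever `LDFLAGS` the environment supplies, so the linker hardening flags OE passes (relro/now and friends) never reach nvluks-srv-app — while the hwkey-agent hunk in the same commit deliberately adds `$(LDFLAGS)` to its link line to pick them up; `LDFLAGS += -static` keeps both, though static linking combined with the distro's PIE defaults should be checked to link cleanly. Neither host Makefile defines a default for `sbindir`, so the new `install -d $(DESTDIR)$(sbindir)` lines depend on the variable being exported by the caller and degrade to `$(DESTDIR)` alone outside OE; `sbindir ?= /usr/sbin` next to `CC ?=` mirrors what the optee-client patch in this commit does. The removal of `$(STRIP) $(O)/$@` from the luks-srv link rule is not mentioned in the commit message; if it is what lets OE's own strip and debug-split run, a bullet in the message would help.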
@@ -0,0 +1,39 @@
+DESCRIPTION = "NVIDIA OP-TEE sample applications for Jetson platforms"
+HOMEPAGE = "https://developer.nvidia.com/embedded"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6938d70d5e5d49d31049419e85bb82f8"
+
+require optee-l4t.inc
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/samples"
+
+SRC_URI += " file://0001-Update-makefiles-for-OE-builds.patch"
+
+DEPENDS += "optee-os-tadevkit optee-client"
+
+S = "${WORKDIR}/samples"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += "CROSS_COMPILE=${HOST_PREFIX}"
+
+do_compile() {
+ oe_runmake -C ${S} all
+}
+do_compile[cleandirs] = "${B}"
+
+do_install() {
+ install -d ${D}${nonarch_base_libdir}/optee_armtz
+ install -m 0644 ${B}/ta/hwkey-agent/82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta ${D}${nonarch_base_libdir}/optee_armtz
+ oe_runmake -C ${S}/hwkey-agent/host install DESTDIR="${D}"
+
+ install -d ${D}${includedir}/optee/early_ta/luks-srv
+ install -m 0755 ${B}/early_ta/luks-srv/b83d14a8-7128-49df-9624-35f14f65ca6c.stripped.elf ${D}${includedir}/optee/early_ta/luks-srv
+ oe_runmake -C ${S}/luks-srv/host install DESTDIR="${D}"
+}
+
+PACKAGES =+ "${PN}-luks-srv ${PN}-hwkey-agent"
+FILES:${PN}-hwkey-agent = "${nonarch_base_libdir}/optee_armtz/82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta ${sbindir}/nvhwkey-app"
+FILES:${PN}-luks-srv = "${sbindir}/nvluks-srv-app"
+ALLOW_EMPTY:${PN} = "1"
+RDEPENDS:${PN} = "${PN}-luks-srv ${PN}-hwkey-agent"
+INHIBIT_SYSROOT_STRIP = "1"
+INSANE_SKIP:${PN} = "already-stripped"
diff --git a/recipes-security/optee/optee-os-l4t.inc b/recipes-security/optee/optee-os-l4t.inc
new file mode 100644
index 00000000..d3476469
--- /dev/null
+++ b/recipes-security/optee/optee-os-l4t.inc
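Review bot: `INSANE_SKIP:${PN} = "already-stripped"` is applied to `${PN}`, which `ALLOW_EMPTY:${PN} = "1"` makes an empty meta-package; the files that could trigger that check live in `${PN}-hwkey-agent`, `${PN}-luks-srv` or, for the pre-stripped early-TA ELF under `${includedir}`, `${PN}-dev`, so the skip is on the wrong package — and since the companion patch removes the `$(STRIP)` step from the luks-srv build it may not be needed for the host binaries at all. The early TA `b83d14a8-7128-49df-9624-35f14f65ca6c.stripped.elf` is installed under `${includedir}` with mode 0755 only so optee-os can pick it up from the sysroot, and the same UUID path is repeated verbatim in optee-os_3.16.0-l4t-r35.1.0.bb's `EARLY_TA_PATHS`; a shared variable in optee-l4t.inc would keep the two in sync, and `0644` is sufficient for a file that is only read. A comment on the `${includedir}/optee/early_ta` install explaining that it is a staging hand-off rather than a header would save the next reader a puzzle.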
@@ -0,0 +1,49 @@
+require optee-l4t.inc
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/optee_os"
+
+LICENSE = "BSD-2-Clause & Proprietary"
+LIC_FILES_CHKSUM = " \
+ file://LICENSE;md5=2f6a2cb48b5cc5cd0bd3f87a836cb407 \
+ file://LICENSE.NVIDIA;md5=ba16bc74328d76e24af960ba01c937dc \
+"
+
+SRC_URI += "\
+ file://0001-core-link-add-no-warn-rwx-segments.patch \
+ file://0002-core-arm.mk-add-fcommon-to-cflags.patch \
+"
+
+OPTEEMACHINE ?= "invalid"
+OPTEEMACHINE:tegra ?= "tegra"
+
+OPTEE_ARCH = "null"
+OPTEE_ARCH:aarch64 = "arm64"
+
+NV_CCC_PREBUILT = ""
+NV_CCC_PREBUILT:tegra234 = "${S}/prebuilt/${OPTEE_NV_PLATFORM}/libcommon_crypto.a"
+
+S = "${WORKDIR}/optee_os"
+B = "${WORKDIR}/build"
+
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+do_configure[noexec] = "1"
+
+EXTRA_OEMAKE += "\
+ PLATFORM=${OPTEEMACHINE} \
+ PLATFORM_FLAVOR=${OPTEE_NV_PLATFORM} \
+ CROSS_COMPILE_core=${HOST_PREFIX} \
+ CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+ ${@' NV_CCC_PREBUILT=${NV_CCC_PREBUILT}' if d.getVar('NV_CCC_PREBUILT') else ''} \
+"
+
+do_compile() {
+ oe_runmake -C ${S} all
+}
+do_compile[cleandirs] = "${B}"
+
+INHIBIT_PACKAGE_STRIP = "1"
+INHIBIT_SYSROOT_STRIP = "1"
diff --git a/recipes-security/optee/optee-os-tadevkit_3.16.0-l4t-r35.1.0.bb b/recipes-security/optee/optee-os-tadevkit_3.16.0-l4t-r35.1.0.bb
new file mode 100644
index 00000000..73a397c5
--- /dev/null
+++ b/recipes-security/optee/optee-os-tadevkit_3.16.0-l4t-r35.1.0.bb
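Review bot: `OPTEEMACHINE ?= "invalid"` and `OPTEE_ARCH = "null"` are sentinels that only fail later inside the OP-TEE build (as `PLATFORM=invalid` and `CROSS_COMPILE_ta_null=...`), with a make error that does not name the real cause; `COMPATIBLE_MACHINE` in optee-l4t.inc already restricts to tegra and the `:tegra` override sets `OPTEEMACHINE`, so the remaining gap is a non-aarch64 tegra target, where a parse-time `bb.parse.SkipRecipe` keyed on `OPTEE_ARCH` would be clearer than a build failure. `NV_CCC_PREBUILT:tegra234` links a vendor-supplied static library (`prebuilt/${OPTEE_NV_PLATFORM}/libcommon_crypto.a`) into the trusted OS; its integrity presumably rests on the source-tarball checksum from the required tegra-sources inc, which is reasonable but deserves a comment so the supply-chain boundary is explicit to whoever audits the TEE image. The five `[unexport]` flags are there because OP-TEE drives its own toolchain flags; a one-line comment saying so would save the next reader a search.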
@@ -0,0 +1,17 @@
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+require optee-os-l4t.inc
+
+do_install() {
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+ sed -i -r -e's!-f(macro|debug)-prefix-map=[^ ]+!!g' ${D}${includedir}/optee/export-user_ta/mk/conf.mk
+}
+
+FILES:${PN} = "${includedir}/optee/"
+INSANE_SKIP:${PN}-dev = "staticdev"
diff --git a/recipes-security/optee/optee-os/0001-core-link-add-no-warn-rwx-segments.patch b/recipes-security/optee/optee-os/0001-core-link-add-no-warn-rwx-segments.patch
new file mode 100644
index 00000000..a9161da3
--- /dev/null
+++ b/recipes-security/optee/optee-os/0001-core-link-add-no-warn-rwx-segments.patch
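Review bot: The `sed` that scrubs the exported `conf.mk` only matches `-fmacro-prefix-map` and `-fdebug-prefix-map`; if the distro's `DEBUG_PREFIX_MAP` also carries `-ffile-prefix-map` (some OE releases include it), a build-host path survives into the devkit that every TA build then consumes, so `-f(macro|debug|file)-prefix-map` is the safer pattern, and the line deserves a comment saying why the flags are stripped at all. The copy loop `for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do cp -aR $f ...` can be a single `cp -R ${B}/export-ta_${OPTEE_ARCH}/. ${D}${includedir}/optee/export-user_ta/`, which also avoids the unquoted `$f` and the unexpanded glob becoming a literal argument when the export directory is empty. `-a` additionally preserves build-tree ownership and timestamps, which an installed devkit does not need; `-R` alone is enough.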
@@ -0,0 +1,61 @@
+From 2852b22fe999c96a57d017bf7cf79019b73f4d19 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH] core: link: add --no-warn-rwx-segments
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet
+Signed-off-by: Jerome Forissier
+Acked-by: Jens Wiklander
+---
+ core/arch/arm/kernel/link.mk | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 51808b8..4b18f4d 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -25,6 +25,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+
+ link-ldadd = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -49,6 +50,7 @@ link-script-cppflags := \
+ $(cppflagscore))
+
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++ $(call ld-option,--no-warn-rwx-segments) \
+ $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -61,7 +63,8 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ $(q)$(NMcore) $< | \
+ $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+
+-unpaged-ldargs = -T $(link-script-dummy) --no-check-sections --gc-sections
++unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++ $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -89,7 +92,8 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ $(q)$(NMcore) $< | \
+ $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+
+-init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections
++init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++ $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o $(link-ldadd) \
+ $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
diff --git a/recipes-security/optee/optee-os/0002-core-arm.mk-add-fcommon-to-cflags.patch b/recipes-security/optee/optee-os/0002-core-arm.mk-add-fcommon-to-cflags.patch
new file mode 100644
index 00000000..1d7bad82
--- /dev/null
+++ b/recipes-security/optee/optee-os/0002-core-arm.mk-add-fcommon-to-cflags.patch
@@ -0,0 +1,27 @@
+From af8164d5634911d8684e193291690c23bc4e123b Mon Sep 17 00:00:00 2001
+From: Matt Madison
+Date: Sun, 23 Oct 2022 04:41:29 -0700
+Subject: [PATCH] core: arm.mk: add -fcommon to cflags
+
+NVIDIA's patches to the core memory management code
+introduces some global variables that require this
+flag, which is on by default in older versions.
+
+Signed-off-by: Matt Madison
+---
+ core/arch/arm/arm.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/arch/arm/arm.mk b/core/arch/arm/arm.mk
+index dff305b..5e7895f 100644
+--- a/core/arch/arm/arm.mk
++++ b/core/arch/arm/arm.mk
+@@ -139,7 +139,7 @@ endif
+ arm64-platform-cppflags += -DARM64=1 -D__LP64__=1
+ arm32-platform-cppflags += -DARM32=1 -D__ILP32__=1
+
+-platform-cflags-generic ?= -ffunction-sections -fdata-sections -pipe
++platform-cflags-generic ?= -ffunction-sections -fdata-sections -fcommon -pipe
+ platform-aflags-generic ?= -pipe
+
+ arm32-platform-aflags += -marm
diff --git a/recipes-security/optee/optee-os_3.16.0-l4t-r35.1.0.bb b/recipes-security/optee/optee-os_3.16.0-l4t-r35.1.0.bb
new file mode 100644
index 00000000..340613b5
--- /dev/null
+++ b/recipes-security/optee/optee-os_3.16.0-l4t-r35.1.0.bb
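Review bot: Adding `-fcommon` to `platform-cflags-generic` restores tentative-definition merging for the whole TEE core, so two translation units that accidentally define the same global are silently merged instead of failing to link — exactly the class of bug GCC 10 switched to `-fno-common` to catch, and in a trusted OS an unintentionally shared global is an unwelcome surprise. The commit message says NVIDIA's memory-management patches rely on it; the narrower fix is to make those header declarations `extern` with one definition in a single `.c` file, or failing that to scope `-fcommon` to the affected objects rather than the generic flags used by every core file. If the flag must stay, a comment next to it in arm.mk naming the files that need it would let it be removed once they are fixed.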
@@ -0,0 +1,30 @@
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+require optee-os-l4t.inc
+
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS += "optee-nvsamples"
+
+EXTRA_OEMAKE += "\
+ EARLY_TA_PATHS='${STAGING_INCDIR}/optee/early_ta/luks-srv/b83d14a8-7128-49df-9624-35f14f65ca6c.stripped.elf' \
+"
+
+do_install() {
+ install -d ${D}${datadir}/trusted-os
+ install -m 0644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${datadir}/trusted-os/
+
+ # Install embedded TAs
+ install -d ${D}${nonarch_base_libdir}/optee_armtz
+ find ${B}/ta -name '*.ta' | while read name; do
+ install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
+ done
+}
+
+FILES:${PN} = "${nonarch_base_libdir}/optee_armtz"
+FILES:${PN}-dev = "${datadir}/trusted-os"
+INSANE_SKIP:${PN}-dev = "textrel"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee/optee-test_3.16.0-l4t-r35.1.0.bb b/recipes-security/optee/optee-test_3.16.0-l4t-r35.1.0.bb
new file mode 100644
index 00000000..07299790
--- /dev/null
+++ b/recipes-security/optee/optee-test_3.16.0-l4t-r35.1.0.bb
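Review bot: `find ${B}/ta -name '*.ta' | while read name; do install -m 444 $name ...` uses `read` without `-r` and an unquoted `$name`, so a path containing backslashes or whitespace is mangled; `while IFS= read -r name; do install -m 0644 "$name" ...` is the robust form, and `0644` matches how the other recipes in this commit install `.ta` files (optee-nvsamples and optee-test both use `install -m 0644`). `EARLY_TA_PATHS` repeats the early TA's UUID filename that optee-nvsamples_35.1.0.bb installs into the sysroot; a shared variable in optee-l4t.inc would keep the two from drifting apart. `CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"` is a welcome addition for CVE tracking, but a comment that this source is NVIDIA-patched and so matches against the upstream version string need manual confirmation would set expectations for whoever triages the reports.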
@@ -0,0 +1,46 @@
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+require optee-l4t.inc
+
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/optee_test"
+
+DEPENDS += "optee-os-tadevkit optee-client"
+
+S = "${WORKDIR}/optee_test"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += " \
+ CROSS_COMPILE_HOST=${HOST_PREFIX} \
+ CROSS_COMPILE_TA=${HOST_PREFIX} \
+ OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+"
+
+do_compile() {
+ # Upstream recipe notes that top-level makefile has parallelism issues
+ oe_runmake -C ${S} xtest
+ oe_runmake -C ${S} ta
+ oe_runmake -C ${S} test_plugin
+}
+do_compile[cleandirs] = "${B}"
+
+do_install () {
+ install -d ${D}${bindir}
+ install -m 0755 ${B}/xtest/xtest ${D}${bindir}
+
+ install -d ${D}${nonarch_base_libdir}/optee_armtz/
+ install -m 0644 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+ install -d ${D}${libdir}/tee-supplicant/plugins
+ install -m 0644 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
+
+FILES:${PN} += " \
+ ${nonarch_base_libdir}/optee_armtz \
+ ${libdir}/tee-supplicant/plugins \
+"
+
+RDEPENDS:${PN} = "optee-os optee-client"
diff --git a/recipes-security/optee/tos-optee_35.1.0.bb b/recipes-security/optee/tos-optee_35.1.0.bb
new file mode 100644
index 00000000..0fe21b95
--- /dev/null
+++ b/recipes-security/optee/tos-optee_35.1.0.bb
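Review bot: The supplicant plugins are installed to `${libdir}/tee-supplicant/plugins`, but the directory tee-supplicant actually scans is compiled into optee-client (its `CFG_TEE_PLUGIN_LOAD_PATH`, if memory serves, defaulting under `/usr/lib`), and the optee-client recipe in this commit does not set it; on a layout where `${libdir}` is `/usr/lib64` the two would diverge silently, so either pass the path through `EXTRA_OEMAKE` in optee-client or install here to the path the supplicant was built with. Because these plugins are loaded by a root daemon, a comment on the install line noting that installing optee-test on an image extends what tee-supplicant will load would help image maintainers keep it out of production builds. The `do_install ()` spelling (space before the parentheses) differs from every other recipe in the commit; `do_install() {` keeps them uniform.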
@@ -0,0 +1,43 @@
+DESCRIPTION = "Construct a trusted OS image with ATF and OP-TEE"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+require optee-l4t.inc
+
+# We only need the device tree file for this recipe
+TEGRA_SRC_SUBARCHIVE_OPTS = "optee/${SOC_FAMILY}-optee.dts"
+
+TOSIMG ?= "tos-optee_${OPTEE_NV_PLATFORM}.img"
+PREFERRED_PROVIDER_virtual/secure-os ??= ""
+PROVIDES += "trusted-os virtual/secure-os"
+TOS_IMAGE ?= "tos-${MACHINE}-${PV}-${PR}.img"
+TOS_SYMLINK ?= "tos-${MACHINE}.img"
+
+inherit deploy nopackages
+
+DEPENDS = "tegra-flashtools-native dtc-native optee-os arm-trusted-firmware"
+
+S = "${WORKDIR}/optee"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ dtc -I dts -O dtb -o ${S}/${SOC_FAMILY}-optee.dtb ${S}/${SOC_FAMILY}-optee.dts
+
+ ${PYTHON} ${STAGING_BINDIR_NATIVE}/tegra-flash/gen_tos_part_img.py --monitor ${STAGING_DATADIR}/trusted-os/bl31.bin \
+ --os ${STAGING_DATADIR}/trusted-os/tee-raw.bin \
+ --dtb ${S}/${SOC_FAMILY}-optee.dtb \
+ --tostype optee ${TOSIMG}
+}
+
+do_install[noexec] = "1"
+
+do_deploy() {
+ install -d ${DEPLOYDIR}
+ install -m 0644 ${S}/${TOSIMG} ${DEPLOYDIR}/${TOS_IMAGE}
+ ln -sf ${TOS_IMAGE} ${DEPLOYDIR}/${TOS_SYMLINK}
+}
+
+addtask deploy before do_build after do_compile
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
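Review bot: `do_compile` writes `${TOSIMG}` to the task's working directory and `do_deploy` reads it from `${S}/${TOSIMG}`; that only lines up because this recipe never sets `B` (so it defaults to `S`), and the `dtc` output is likewise written into the source tree. Naming the outputs explicitly, `--tostype optee ${B}/${TOSIMG}` and `install -m 0644 ${B}/${TOSIMG} ...`, with `B = "${WORKDIR}/build"` and `do_compile[cleandirs] = "${B}"` as the other recipes in this commit do, removes the dependence on that default and keeps stale images from a previous run out of the deploy step. `TOSIMG ?= "tos-optee_${OPTEE_NV_PLATFORM}.img"` also makes the name of an intermediate file user-overridable, which is unusual; if nobody is expected to override it, plain `=` says so.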