From: Jan Kiszka <
jan.k...@siemens.com>
Since MS dropped the OP-TEE TA bits from the reference implementation
repo, OP-TEE took over and is now hosting those. This means that
different repos need to be integrated, also because the cryptolib is now
provided by OP-TEE itself (dropped the need for WolfSSL).
Adjust the foundational code for optee-ftpm to the new model while
keeping backward compatibility. Only when MS_TPM_20_REF_DIR is set to
the subdir that contains the ms-tpm-20-ref code (besides optee_ftpm),
the new mode is activated.
Signed-off-by: Jan Kiszka <
jan.k...@siemens.com>
---
Build-tested against the stm32mp15x in-tree (old repo) and runtime
tested out of tree with a full isar-cip-core stack (new optee_ftpm
repo).
RECIPE-API-CHANGELOG.md | 7 +++++
.../optee-ftpm/files/debian/rules.tmpl | 8 +++--
meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 31 ++++++++++++++-----
3 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 730a4c91..02bc1d93 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -734,3 +734,10 @@ Set `TEE_SUPPLICANT_IN_USERLAND` to 0 if you are using a kernel that supports
`CONFIG_RPMB` and you only need the daemon for RPMB access. Default is 1, but
this will eventually be changed to 0. Therefore, explicitly set the variable
to 1 to stay compatible.
+
+### Support for new optee_ftpm
+
+By setting `MS_TPM_20_REF_DIR` in an optee-ftpm recipe, it is now possible to
+use the new optee_ftpm code base from the OP-TEE project. That variable has to
+point to a subdir in `WORKDIR` which contains the unpacked ms-tpm-20-ref source
+code.
diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
index 19d4e083..4bfd2f56 100755
--- a/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/rules.tmpl
@@ -1,10 +1,11 @@
#!/usr/bin/make -f
# Debian rules for optee-ftpm
#
-# Copyright (c) Siemens AG, 2023
+# Copyright (c) Siemens AG, 2023-2025
#
# Authors:
# Su Bao Cheng <
baoch...@siemens.com>
+# Jan Kiszka <
jan.k...@siemens.com>
#
# SPDX-License-Identifier: MIT
@@ -12,8 +13,11 @@ ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
export CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)-
endif
+export CFG_MS_TPM_20_REF=${MS_TPM_20_REF_DIR}
+export O=out
+
override_dh_auto_build:
- cd Samples/ARM32-FirmwareTPM/optee_ta && \
+ cd ${OPTEE_FTPM_SRCDIR} && \
TA_CROSS_COMPILE=${CROSS_COMPILE} \
TA_CPU=${TA_CPU} \
TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
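Review bot: `export CFG_MS_TPM_20_REF=${MS_TPM_20_REF_DIR}` is unconditional and relative, so legacy builds get an empty `CFG_MS_TPM_20_REF` in the environment, and new-mode builds rely on the consuming makefile resolving the path from the package root. If the optee_ftpm makefiles accept an absolute path, guarding and anchoring it removes both ambiguities: `ifneq (${MS_TPM_20_REF_DIR},)` / `export CFG_MS_TPM_20_REF=$(CURDIR)/${MS_TPM_20_REF_DIR}` / `endif`. `export O=out` is likewise relative and reaches every sub-make; presumably it is what moves the legacy output from `optee_ta/out/fTPM/` to `optee_ta/fTPM/out/`, which the updated install paths in optee-ftpm.inc now expect, so a one-line comment stating that coupling would help. The recipe of override_dh_auto_build continues outside the hunk, so whether `O` was previously passed on the make command line cannot be seen here.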
diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
index 738b694a..d7d00ae1 100644
--- a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
+++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
@@ -2,14 +2,15 @@
#
# Authors:
# Su Bao Cheng <
baoch...@siemens.com>
+# Jan Kiszka <
jan.k...@siemens.com>
#
# SPDX-License-Identifier: MIT
#
inherit dpkg
-SUMMARY = "OPTEE fTPM Microsoft TA"
-DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
-HOMEPAGE = "
https://github.com/microsoft/ms-tpm-20-ref/"
+SUMMARY = "OP-TEE fTPM TA"
+DESCRIPTION = "Firmware TPM as OP-TEE TCG TA, using Microsoft's TPM 2.0 reference implementation"
+HOMEPAGE = "
https://github.com/OP-TEE/optee_ftpm"
FILESPATH:append := ":${FILE_DIRNAME}/files"
@@ -27,22 +28,36 @@ TA_CPU ?= "unknown"
TA_DEV_KIT_DIR ?= "unknown"
OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
+# Set to the subdir in WORKDIR containing the unpacked ms-tpm-20-ref sources
+# Leave empty for if still using ms-tpm-20-ref for OP-TEE TA integration
+MS_TPM_20_REF_DIR ?= ""
+
+OPTEE_FTPM_SRCDIR = "${@'Samples/ARM32-FirmwareTPM/optee_ta' if d.getVar('MS_TPM_20_REF_DIR') == '' else '.'}"
+OPTEE_FTPM_BINDIR = "${@'Samples/ARM32-FirmwareTPM/optee_ta/fTPM' if d.getVar('MS_TPM_20_REF_DIR') == '' else '.'}"
+
TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
DEBIAN_COMPAT \
OPTEE_FTPM_BUILD_ARGS_EXTRA \
TA_CPU \
- TA_DEV_KIT_DIR"
+ TA_DEV_KIT_DIR \
+ MS_TPM_20_REF_DIR \
+ OPTEE_FTPM_SRCDIR"
do_prepare_build() {
- rm -rf ${S}/debian
- cp -r ${WORKDIR}/debian ${S}/
+ rm -rf "${S}/debian"
+ cp -r "${WORKDIR}/debian" "${S}/"
deb_add_changelog
rm -f ${S}/debian/optee-ftpm-${OPTEE_NAME}.install
- echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
+ echo "${OPTEE_FTPM_BINDIR}/out/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta /usr/lib/optee-os/${OPTEE_NAME}/ta" > \
${S}/debian/optee-ftpm-${OPTEE_NAME}.install
- echo "Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
+ echo "${OPTEE_FTPM_BINDIR}/out/bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf /usr/lib/optee-os/${OPTEE_NAME}/ta" >> \
${S}/debian/optee-ftpm-${OPTEE_NAME}.install
+
+ if [ -n "${MS_TPM_20_REF_DIR}" ] && [ -e "${WORKDIR}/${MS_TPM_20_REF_DIR}" ]; then
+ rm -rf "${S}/${MS_TPM_20_REF_DIR}"
+ cp -a "${WORKDIR}/${MS_TPM_20_REF_DIR}" "${S}/"
+ fi
}
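Review bot: When `MS_TPM_20_REF_DIR` is set but `${WORKDIR}/${MS_TPM_20_REF_DIR}` does not exist, the new block at the end of do_prepare_build is skipped silently. The build then continues in new mode against whatever is at `${S}/${MS_TPM_20_REF_DIR}`, possibly a stale copy from an earlier run, because the `rm -rf` is skipped too. For a TA that implements the TPM it is worth failing early so the reference sources compiled in are always the ones just unpacked: test only `[ -n "${MS_TPM_20_REF_DIR}" ]` in the `if`, and make its first statement `[ -e "${WORKDIR}/${MS_TPM_20_REF_DIR}" ] || bbfatal "MS_TPM_20_REF_DIR not found in WORKDIR"`. If the `-e` test is meant to allow sources that already live in `${S}`, a comment should say so. Separately, `cp -a ... "${S}/"` copies only the last path component, so a multi-level `MS_TPM_20_REF_DIR` would not end up where `rm -rf` and `CFG_MS_TPM_20_REF` expect it, and the new comment "Leave empty for if still using" has a stray "for".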
--
2.43.0