[PATCH v3 00/11] Fixes, cleanups and updates for OP-TEE and TAs
8 views
Skip to first unread message
Jan Kiszka
Jul 20, 2023, 1:08:15 PM7/20/23
to isar-users, Bao Cheng Su
This summarizes and partially updates previously sent patches to fix and
improve the recently merged OP-TEE changes. Labeling it v3 as some
patches were already sent out in v2.
Improvements over the individual patches:
- update for WolfSSL in fTPM recipe
- better unbinding of fTPM on tee-supplicant shutdown
Patch 11 might still have no effect and needs confirmation via larger CI
builds.
Jan
Jan Kiszka (11):
optee-client: Add missing runtime dependency
optee-client: Unbind ftpm, rather than remove its driver
optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x
machines
linux-mainline: Add fTPM support
initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook
initramfs-tee-supplicant-hook: Account for modular optee
initramfs-tee-ftpm-hook: Lift timeout to 30 s
Drop stm32mp15x-initramfs in favor of image enabling
optee-ftpm-stm32mp15x: Recipe cleanups
optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3
optee-ftpm-stm32mp15x: Add patch to fix parallel build issues
meta-isar/conf/machine/stm32mp15x.conf | 2 +
.../optee-examples-stm32mp15x_3.21.0.bb | 2 +-
.../0001-Fix-parallel-build-of-optee_ta.patch | 45 +++++++++++++++++++
.../optee-ftpm-stm32mp15x_0~230316+git.bb | 11 ++---
.../images/stm32mp15x-initramfs.bb | 15 -------
.../linux/files/ftpm-module.cfg | 3 ++
.../linux/linux-mainline_5.4.203.bb | 2 +
.../optee-client/files/debian/control.tmpl | 2 +-
.../files/debian/tee-supplicant.service | 2 +-
.../files/tee-ftpm.script | 9 ++++
.../files/tee-supplicant.script | 9 +---
testsuite/citest.py | 1 -
12 files changed, 69 insertions(+), 34 deletions(-)
create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
--
2.35.3
improve the recently merged OP-TEE changes. Labeling it v3 as some
patches were already sent out in v2.
Improvements over the individual patches:
- update for WolfSSL in fTPM recipe
- better unbinding of fTPM on tee-supplicant shutdown
Patch 11 might still have no effect and needs confirmation via larger CI
builds.
Jan
Jan Kiszka (11):
optee-client: Add missing runtime dependency
optee-client: Unbind ftpm, rather than remove its driver
optee-examples-stm32mp15x: Fix parsing error for non-stm32mp15x
machines
linux-mainline: Add fTPM support
initramfs-tee-{ftpm,supplicant}-hook: Move sync loop to ftpm-hook
initramfs-tee-supplicant-hook: Account for modular optee
initramfs-tee-ftpm-hook: Lift timeout to 30 s
Drop stm32mp15x-initramfs in favor of image enabling
optee-ftpm-stm32mp15x: Recipe cleanups
optee-ftpm-stm32mp15x: Update WolfSSL to 5.6.3
optee-ftpm-stm32mp15x: Add patch to fix parallel build issues
meta-isar/conf/machine/stm32mp15x.conf | 2 +
.../optee-examples-stm32mp15x_3.21.0.bb | 2 +-
.../0001-Fix-parallel-build-of-optee_ta.patch | 45 +++++++++++++++++++
.../optee-ftpm-stm32mp15x_0~230316+git.bb | 11 ++---
.../images/stm32mp15x-initramfs.bb | 15 -------
.../linux/files/ftpm-module.cfg | 3 ++
.../linux/linux-mainline_5.4.203.bb | 2 +
.../optee-client/files/debian/control.tmpl | 2 +-
.../files/debian/tee-supplicant.service | 2 +-
.../files/tee-ftpm.script | 9 ++++
.../files/tee-supplicant.script | 9 +---
testsuite/citest.py | 1 -
12 files changed, 69 insertions(+), 34 deletions(-)
create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
create mode 100644 meta-isar/recipes-kernel/linux/files/ftpm-module.cfg
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:15 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
Hard-code the machine name so that parsing will not fail if a machine
does not provide optee-os-tadevkit-${MACHINE} or
optee-client-${MACHINE}.
Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---
.../optee-examples/optee-examples-stm32mp15x_3.21.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
index 2a64a86b..e10654e8 100644
--- a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "9b965f829adc532b5228534d3b9b38ae1fc4f2ac55d73159a39d43e597
S = "${WORKDIR}/optee_examples-${PV}"
-OPTEE_NAME = "${MACHINE}"
+OPTEE_NAME = "stm32mp15x"
OPTEE_PLATFORM = "stm32mp1"
TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
--
2.35.3
Hard-code the machine name so that parsing will not fail if a machine
does not provide optee-os-tadevkit-${MACHINE} or
optee-client-${MACHINE}.
Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---
.../optee-examples/optee-examples-stm32mp15x_3.21.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
index 2a64a86b..e10654e8 100644
--- a/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
+++ b/meta-isar/recipes-bsp/optee-examples/optee-examples-stm32mp15x_3.21.0.bb
@@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "9b965f829adc532b5228534d3b9b38ae1fc4f2ac55d73159a39d43e597
S = "${WORKDIR}/optee_examples-${PV}"
-OPTEE_NAME = "${MACHINE}"
+OPTEE_NAME = "stm32mp15x"
OPTEE_PLATFORM = "stm32mp1"
TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:15 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
There is no FTPM_DEV defined in tee-supplicant.script, and it also makes
no sense to wait for an unrelated fTPM device in the tee-supplicant
starter hook. That is better done in tee-ftpm.script.
.../initramfs-tee-ftpm-hook/files/tee-ftpm.script | 9 +++++++++
.../files/tee-supplicant.script | 8 --------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index ce321a09..6e12e6df 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -21,6 +21,15 @@ esac
. /scripts/functions
FTPM_DEV=/dev/tpmrm0
+
+# The tee-supplicant would take some time to be discovered, 10 seconds should be
+# enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+ wait_sec=$((wait_sec-1))
+ sleep 1
+done
+
if ! test -c "${FTPM_DEV}"; then
panic "Can't discover the fTPM device ${FTPM_DEV}!"
fi
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index bb6dcc16..76efc1ad 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -22,12 +22,4 @@ esac
/usr/sbin/tee-supplicant -d
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
-until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
- wait_sec=$((wait_sec-1))
- sleep 1
-done
-
/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
--
2.35.3
There is no FTPM_DEV defined in tee-supplicant.script, and it also makes
no sense to wait for an unrelated fTPM device in the tee-supplicant
starter hook. That is better done in tee-ftpm.script.
.../initramfs-tee-ftpm-hook/files/tee-ftpm.script | 9 +++++++++
.../files/tee-supplicant.script | 8 --------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index ce321a09..6e12e6df 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -21,6 +21,15 @@ esac
. /scripts/functions
FTPM_DEV=/dev/tpmrm0
+
+# The tee-supplicant would take some time to be discovered, 10 seconds should be
+# enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+ wait_sec=$((wait_sec-1))
+ sleep 1
+done
+
if ! test -c "${FTPM_DEV}"; then
panic "Can't discover the fTPM device ${FTPM_DEV}!"
fi
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index bb6dcc16..76efc1ad 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -22,12 +22,4 @@ esac
/usr/sbin/tee-supplicant -d
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
-until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
- wait_sec=$((wait_sec-1))
- sleep 1
-done
-
/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!"
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:15 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
Starting tee-supplicant will fail otherwise.
.../initramfs-tee-supplicant-hook/files/tee-supplicant.script | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index 76efc1ad..fcb84817 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -20,6 +20,7 @@ esac
. /scripts/functions
+/usr/sbin/modprobe optee
/usr/sbin/tee-supplicant -d
Starting tee-supplicant will fail otherwise.
.../initramfs-tee-supplicant-hook/files/tee-supplicant.script | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
index 76efc1ad..fcb84817 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
@@ -20,6 +20,7 @@ esac
. /scripts/functions
+/usr/sbin/modprobe optee
/usr/sbin/tee-supplicant -d
Jan Kiszka
Jul 20, 2023, 1:08:15 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
The alternative service file uses pgrep and pkill.
meta/recipes-bsp/optee-client/files/debian/control.tmpl | 2 +-
index de780b73..7cd121ee 100644
--- a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
@@ -39,7 +39,7 @@ Description: normal world user space client APIs for OP-TEE
Package: tee-supplicant
Architecture: ${DISTRO_ARCH}
-Depends: systemd ${misc:Depends}, ${shlibs:Depends}
+Depends: systemd ${misc:Depends}, procps, ${shlibs:Depends}
Description: normal world user space client APIs for OP-TEE
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
--
2.35.3
The alternative service file uses pgrep and pkill.
meta/recipes-bsp/optee-client/files/debian/control.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-bsp/optee-client/files/debian/control.tmpl b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
index de780b73..7cd121ee 100644
--- a/meta/recipes-bsp/optee-client/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-client/files/debian/control.tmpl
@@ -39,7 +39,7 @@ Description: normal world user space client APIs for OP-TEE
Package: tee-supplicant
Architecture: ${DISTRO_ARCH}
-Depends: systemd ${misc:Depends}, ${shlibs:Depends}
+Depends: systemd ${misc:Depends}, procps, ${shlibs:Depends}
Description: normal world user space client APIs for OP-TEE
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a
non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:16 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
Remove commented out CHANGELOG_V assignment, remove redundant setting of
OPTEE_NAME to its default, remove setting of non-existing
CFG_FTPM_USE_WOLF config var.
.../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index de26ec38..d8c1528d 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -5,9 +5,8 @@
#
# SPDX-License-Identifier: MIT
#
-require recipes-bsp/optee-ftpm/optee-ftpm.inc
-# CHANGELOG_V = "0.1+git+isar"
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
SRC_URI += " \
https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
@@ -24,10 +23,8 @@ SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd9582
S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
-OPTEE_NAME = "${MACHINE}"
TA_CPU = "cortex-a7"
do_prepare_build:append() {
rm -rf ${S}/external/wolfssl
--
2.35.3
Remove commented out CHANGELOG_V assignment, remove redundant setting of
OPTEE_NAME to its default, remove setting of non-existing
CFG_FTPM_USE_WOLF config var.
.../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index de26ec38..d8c1528d 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -5,9 +5,8 @@
#
# SPDX-License-Identifier: MIT
#
-require recipes-bsp/optee-ftpm/optee-ftpm.inc
-# CHANGELOG_V = "0.1+git+isar"
+require recipes-bsp/optee-ftpm/optee-ftpm.inc
SRC_URI += " \
https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
@@ -24,10 +23,8 @@ SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd9582
S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
-OPTEE_NAME = "${MACHINE}"
TA_CPU = "cortex-a7"
TA_DEV_KIT_DIR = "/usr/lib/optee-os/${OPTEE_NAME}/export-ta_arm32"
-OPTEE_FTPM_BUILD_ARGS_EXTRA = "CFG_FTPM_USE_WOLF=y"
do_prepare_build:append() {
rm -rf ${S}/external/wolfssl
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:16 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
Around 20 s are needed on the stm32mp15x, so let's give things more time
to settle and permit 30 s.
.../initramfs-tee-ftpm-hook/files/tee-ftpm.script | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index 6e12e6df..053fb046 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -22,9 +22,9 @@ esac
FTPM_DEV=/dev/tpmrm0
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
+# The tee-supplicant would take some time to be discovered, 30 seconds should
+# be enough
+wait_sec=30
sleep 1
--
2.35.3
Around 20 s are needed on the stm32mp15x, so let's give things more time
to settle and permit 30 s.
.../initramfs-tee-ftpm-hook/files/tee-ftpm.script | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
index 6e12e6df..053fb046 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -22,9 +22,9 @@ esac
FTPM_DEV=/dev/tpmrm0
-# The tee-supplicant would take some time to be discovered, 10 seconds should be
-# enough
-wait_sec=10
+# be enough
+wait_sec=30
until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
wait_sec=$((wait_sec-1))
sleep 1
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:16 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
To really test the hooks on the stm32mp15x, we need them as part of the
initramfs generated for the image, not just stand-alone.
meta-isar/conf/machine/stm32mp15x.conf | 2 ++
.../images/stm32mp15x-initramfs.bb | 15 ---------------
testsuite/citest.py | 1 -
3 files changed, 2 insertions(+), 16 deletions(-)
delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 4e8142ee..367b1934 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -23,4 +23,6 @@ IMAGE_INSTALL += "u-boot-script \
optee-examples-stm32mp15x-hotp-host \
optee-examples-stm32mp15x-random-host \
optee-examples-stm32mp15x-secure-storage-host \
+ initramfs-tee-supplicant-hook \
+ initramfs-tee-ftpm-hook \
"
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
deleted file mode 100644
index 8ec6d7ce..00000000
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2023
-#
-# Authors:
-# Su Bao Cheng <baoch...@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit initramfs
-
-INITRAMFS_INSTALL += " \
- initramfs-tee-supplicant-hook \
- initramfs-tee-ftpm-hook \
- "
diff --git a/testsuite/citest.py b/testsuite/citest.py
index b81d86f9..f5cf1257 100755
--- a/testsuite/citest.py
+++ b/testsuite/citest.py
@@ -215,7 +215,6 @@ class NoCrossTest(CIBaseTest):
'mc:bananapi-bullseye:isar-image-base',
'mc:nanopi-neo-bullseye:isar-image-base',
'mc:stm32mp15x-bullseye:isar-image-base',
- 'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',
'mc:qemuamd64-focal:isar-image-ci'
]
--
2.35.3
To really test the hooks on the stm32mp15x, we need them as part of the
initramfs generated for the image, not just stand-alone.
meta-isar/conf/machine/stm32mp15x.conf | 2 ++
.../images/stm32mp15x-initramfs.bb | 15 ---------------
testsuite/citest.py | 1 -
3 files changed, 2 insertions(+), 16 deletions(-)
delete mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
diff --git a/meta-isar/conf/machine/stm32mp15x.conf b/meta-isar/conf/machine/stm32mp15x.conf
index 4e8142ee..367b1934 100644
--- a/meta-isar/conf/machine/stm32mp15x.conf
+++ b/meta-isar/conf/machine/stm32mp15x.conf
@@ -23,4 +23,6 @@ IMAGE_INSTALL += "u-boot-script \
optee-examples-stm32mp15x-hotp-host \
optee-examples-stm32mp15x-random-host \
optee-examples-stm32mp15x-secure-storage-host \
+ initramfs-tee-supplicant-hook \
+ initramfs-tee-ftpm-hook \
"
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
deleted file mode 100644
index 8ec6d7ce..00000000
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Copyright (c) Siemens AG, 2023
-#
-# Authors:
-# Su Bao Cheng <baoch...@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit initramfs
-
-INITRAMFS_INSTALL += " \
- initramfs-tee-supplicant-hook \
- initramfs-tee-ftpm-hook \
- "
diff --git a/testsuite/citest.py b/testsuite/citest.py
index b81d86f9..f5cf1257 100755
--- a/testsuite/citest.py
+++ b/testsuite/citest.py
@@ -215,7 +215,6 @@ class NoCrossTest(CIBaseTest):
'mc:bananapi-bullseye:isar-image-base',
'mc:nanopi-neo-bullseye:isar-image-base',
'mc:stm32mp15x-bullseye:isar-image-base',
- 'mc:stm32mp15x-bullseye:stm32mp15x-initramfs',
'mc:qemuamd64-focal:isar-image-ci'
]
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:16 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
.../0001-Fix-parallel-build-of-optee_ta.patch | 45 +++++++++++++++++++
.../optee-ftpm-stm32mp15x_0~230316+git.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
new file mode 100644
index 00000000..4ee20f41
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
@@ -0,0 +1,45 @@
+From ff34f1a64bd5dbc83df26cfc8e74478f854a0acf Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.k...@siemens.com>
+Date: Thu, 20 Jul 2023 16:32:26 +0200
+Subject: [PATCH] Fix parallel build of optee_ta
+
+The symlink must be established prio to building any of the source files
+of WolfSSL, or things will fail:
+
+ TA_CROSS_COMPILE= \
+ TA_CPU=cortex-a7 \
+ TA_DEV_KIT_DIR=/usr/lib/optee-os/stm32mp15x/export-ta_arm32 \
+ CFG_TEE_TA_LOG_LEVEL=2 \
+ CFG_FTPM_USE_WOLF=y \
+ /usr/bin/make -j 24
+make[2]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta'
+/usr/bin/make -C fTPM CROSS_COMPILE=
+make[3]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta/fTPM'
+Checking symlink to the TPM folder: /<<PKGBUILDDIR>>
+Checking symlink to the WolfSSL folder: /<<PKGBUILDDIR>>/external/wolfssl
+Establishing symlink.
+ CC ../out/fTPM/platform/Cancel.o
+Establishing symlink.
+ CC ../out/fTPM/platform/AdminPPI.o
+ CC ../out/fTPM/platform/Entropy.o
+make[3]: *** No rule to make target 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c', needed by '../out/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o'. Stop.
+make[3]: *** Waiting for unfinished jobs....
+
+Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
+---
+ Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+index 0a43f46..eb239e3 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+@@ -56,3 +56,5 @@ srcs-y += wolf_symlink/wolfcrypt/src/tfm.c
+ srcs-y += wolf_symlink/wolfcrypt/src/wolfmath.c
+ srcs-y += wolf_symlink/wolfcrypt/src/des3.c
+ srcs-y += wolf_symlink/wolfcrypt/src/random.c
++
++$(srcs-y): wolf_symlink
+--
+2.35.3
+
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index 441bc4ac..c92620e1 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -12,6 +12,7 @@ SRC_URI += " \
https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
file://0001-add-enum-to-ta-flags.patch \
+ file://0001-Fix-parallel-build-of-optee_ta.patch \
"
SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
--
2.35.3
.../0001-Fix-parallel-build-of-optee_ta.patch | 45 +++++++++++++++++++
.../optee-ftpm-stm32mp15x_0~230316+git.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
new file mode 100644
index 00000000..4ee20f41
--- /dev/null
+++ b/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
@@ -0,0 +1,45 @@
+From ff34f1a64bd5dbc83df26cfc8e74478f854a0acf Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.k...@siemens.com>
+Date: Thu, 20 Jul 2023 16:32:26 +0200
+Subject: [PATCH] Fix parallel build of optee_ta
+
+The symlink must be established prio to building any of the source files
+of WolfSSL, or things will fail:
+
+ TA_CROSS_COMPILE= \
+ TA_CPU=cortex-a7 \
+ TA_DEV_KIT_DIR=/usr/lib/optee-os/stm32mp15x/export-ta_arm32 \
+ CFG_TEE_TA_LOG_LEVEL=2 \
+ CFG_FTPM_USE_WOLF=y \
+ /usr/bin/make -j 24
+make[2]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta'
+/usr/bin/make -C fTPM CROSS_COMPILE=
+make[3]: Entering directory '/<<PKGBUILDDIR>>/Samples/ARM32-FirmwareTPM/optee_ta/fTPM'
+Checking symlink to the TPM folder: /<<PKGBUILDDIR>>
+Checking symlink to the WolfSSL folder: /<<PKGBUILDDIR>>/external/wolfssl
+Establishing symlink.
+ CC ../out/fTPM/platform/Cancel.o
+Establishing symlink.
+ CC ../out/fTPM/platform/AdminPPI.o
+ CC ../out/fTPM/platform/Entropy.o
+make[3]: *** No rule to make target 'lib/wolf/wolf_symlink/wolfcrypt/src/aes.c', needed by '../out/fTPM/./lib/wolf/wolf_symlink/wolfcrypt/src/aes.o'. Stop.
+make[3]: *** Waiting for unfinished jobs....
+
+Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
+---
+ Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+index 0a43f46..eb239e3 100644
+--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
++++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+@@ -56,3 +56,5 @@ srcs-y += wolf_symlink/wolfcrypt/src/tfm.c
+ srcs-y += wolf_symlink/wolfcrypt/src/wolfmath.c
+ srcs-y += wolf_symlink/wolfcrypt/src/des3.c
+ srcs-y += wolf_symlink/wolfcrypt/src/random.c
++
++$(srcs-y): wolf_symlink
+--
+2.35.3
+
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index 441bc4ac..c92620e1 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -12,6 +12,7 @@ SRC_URI += " \
https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl \
file://0001-add-enum-to-ta-flags.patch \
+ file://0001-Fix-parallel-build-of-optee_ta.patch \
"
SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
--
2.35.3
Jan Kiszka
Jul 20, 2023, 1:08:16 PM7/20/23
to isar-users, Bao Cheng Su
From: Jan Kiszka <jan.k...@siemens.com>
The upstream choice is seriously outdated, also security-wise. Choose
the latest stable release instead.
.../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index d8c1528d..441bc4ac 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -15,11 +15,10 @@ SRC_URI += " \
"
SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
-# according to ms-tpm-20-ref submodules
-SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+SRCREV-wolfssl = "3b3c175af0e993ffaae251871421e206cc41963f"
SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
-SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+SRC_URI[wolfssl.sha256sum] = "1157994b12295b74754dd9054124c857c59093b762e6f744d0a3a3565cb6314d"
S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
--
2.35.3
The upstream choice is seriously outdated, also security-wise. Choose
the latest stable release instead.
.../optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
index d8c1528d..441bc4ac 100644
--- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
+++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-stm32mp15x_0~230316+git.bb
@@ -15,11 +15,10 @@ SRC_URI += " \
"
SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
-# according to ms-tpm-20-ref submodules
-SRCREV-wolfssl = "9c87f979a7f1d3a6d786b260653d566c1d31a1c4"
+SRCREV-wolfssl = "3b3c175af0e993ffaae251871421e206cc41963f"
SRC_URI[sha256sum] = "16fabc6ad6cc700d947dbc96efc30ff8ae97e577944466f08193bb37bc1eb64d"
-SRC_URI[wolfssl.sha256sum] = "a68c301fa0ee6197158912d808c4258605a2d001e458fd958257cafba17bfd14"
+SRC_URI[wolfssl.sha256sum] = "1157994b12295b74754dd9054124c857c59093b762e6f744d0a3a3565cb6314d"
S = "${WORKDIR}/ms-tpm-20-ref-${SRCREV}"
2.35.3
Uladzimir Bely
Jul 27, 2023, 3:13:48 AM7/27/23
to Jan Kiszka, isar-users
Maybe patch should look like not
| +$(srcs-y): wolf_symlink
but like
| +$(srcs-y): ./lib/wolf/wolf_symlink
?
Uladzimir Bely
Jul 28, 2023, 4:58:34 AM7/28/23
to Jan Kiszka, isar-users, Bao Cheng Su
On Thu, 2023-07-20 at 19:08 +0200, 'Jan Kiszka' via isar-users wrote:
> From: Jan Kiszka <jan.k...@siemens.com>
>
> Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
> ---
> .../0001-Fix-parallel-build-of-optee_ta.patch | 45
> +++++++++++++++++++
> .../optee-ftpm-stm32mp15x_0~230316+git.bb | 1 +
> 2 files changed, 46 insertions(+)
>
> Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
> ---
> .../0001-Fix-parallel-build-of-optee_ta.patch | 45
> +++++++++++++++++++
> .../optee-ftpm-stm32mp15x_0~230316+git.bb | 1 +
> 2 files changed, 46 insertions(+)
> create mode 100644 meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch
>
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-
> ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
> parallel-build-of-optee_ta.patch
>
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/files/0001-Fix-
> parallel-build-of-optee_ta.patch b/meta-isar/recipes-bsp/optee-
> ftpm/files/0001-Fix-parallel-build-of-optee_ta.patch
> diff --git a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-
> ftpm-stm32mp15x_0~230316+git.bb
> index 441bc4ac..c92620e1 100644
> --- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> stm32mp15x_0~230316+git.bb b/meta-isar/recipes-bsp/optee-ftpm/optee-
> ftpm-stm32mp15x_0~230316+git.bb
> index 441bc4ac..c92620e1 100644
> --- a/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> +++ b/meta-isar/recipes-bsp/optee-ftpm/optee-ftpm-
> stm32mp15x_0~230316+git.bb
> @@ -12,6 +12,7 @@ SRC_URI += " \
>
> https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
>
> https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl
> \
> file://0001-add-enum-to-ta-flags.patch \
> + file://0001-Fix-parallel-build-of-optee_ta.patch \
> "
>
> SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
> --
> 2.35.3
>
Found easy way to reproduce the issue with local build. Need to just
>
> https://github.com/Microsoft/ms-tpm-20-ref/archive/${SRCREV}.tar.gz \
>
> https://github.com/wolfSSL/wolfssl/archive/${SRCREV-wolfssl}.tar.gz;name=wolfssl
> \
> file://0001-add-enum-to-ta-flags.patch \
> + file://0001-Fix-parallel-build-of-optee_ta.patch \
> "
>
> SRCREV = "f74c0d9686625c02b0fdd5b2bbe792a22aa96cb6"
> --
> 2.35.3
>
add small delay before symlink creation like:
diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
index 68bdfe2..a3ddade 100644
--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
+++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/tpm/sub.mk
@@ -45,7 +45,8 @@ endif
then \
echo Symlink already established ; \
else \
- echo Establishing symlink. ; \
+ echo Establishing symlink $@. ; \
+ sleep 1 ; \
ln -s ../../$(TPM_ROOT) ./lib/tpm/tpm_symlink; \
fi
diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
index 0a43f46..44deafd 100644
--- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
+++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/lib/wolf/sub.mk
@@ -30,7 +30,8 @@ cflags-y += $(WOLF_SSL_FLAGS)
$(WOLF_WARNING_SUPPRESS)
then \
echo Symlink already established ; \
else \
- echo Establishing symlink. ; \
+ echo Establishing symlink $@. ; \
+ sleep 1 ; \
ln -s ../../$(WOLF_ROOT) ./lib/wolf/wolf_symlink; \
fi
If makefile dependencies were OK, it would not lead to the issue. But
it is...
And, things like adding `+$(srcs-y): wolf_symlink` don't work.
Reply all
Reply to author
Forward
0 new messages