From 152f94fa5616cd692eef73f9b23a166a4c1f0e48 Mon Sep 17 00:00:00 2001
From: Sumit Garg
Date: Wed, 4 May 2022 15:18:50 +0530
Subject: [PATCH] Add new target: "qemuarm-secureboot"

Add a new 32 bit target as "qemuarm-secureboot" on similar lines as "qemuarm64-secureboot". The boot flow looks like: BL1 (TF-A) -> BL2 (TF-A) -> OP-TEE -> u-boot -> Linux Along with this enable support for OP-TEE based firmware TPM.

Signed-off-by: Sumit Garg
Signed-off-by: Jon Mason
---
 meta-arm/conf/machine/qemuarm-secureboot.conf | 22 ++++++++++++++++++
 .../trusted-firmware-a_%.bbappend | 23 +++++++++++++++++++
 .../recipes-bsp/u-boot/u-boot/qemuarm.cfg | 6 +++++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | 1 +
 .../linux/linux-yocto_%.bbappend | 5 ++++
 .../optee-ftpm/optee-ftpm_git.bb | 1 +
 meta-arm/recipes-security/optee/optee.inc | 4 +++-
 meta-arm/wic/qemuarm.cfg | 3 +++
 meta-arm/wic/qemuarm.wks | 4 ++++
 9 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/conf/machine/qemuarm-secureboot.conf
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm.cfg
 create mode 100644 meta-arm/wic/qemuarm.cfg
 create mode 100644 meta-arm/wic/qemuarm.wks

diff --git a/meta-arm/conf/machine/qemuarm-secureboot.conf b/meta-arm/conf/machine/qemuarm-secureboot.conf
new file mode 100644
index 00000000..e8085fa6
--- /dev/null
+++ b/meta-arm/conf/machine/qemuarm-secureboot.conf
@@ -0,0 +1,22 @@
+MACHINEOVERRIDES =. "qemuarm:"
+
+require ${COREBASE}/meta/conf/machine/qemuarm.conf
+
+# secure=on can't ever use KVM, so force it off
+QEMU_USE_KVM = ""
+
+QB_MACHINE = "-machine virt,highmem=off,secure=on"
+QB_MEM = "-m 1024"
+QB_DEFAULT_FSTYPE = "wic.qcow2"
+QB_DEFAULT_BIOS = "flash.bin"
+QB_FSINFO = "wic:no-kernel-in-fs"
+QB_ROOTFS_OPT = ""
+QB_KERNEL_ROOT = "/dev/vda2"
+
+IMAGE_FSTYPES += "wic wic.qcow2"
+
+WKS_FILE ?= "qemuarm.wks"
+WKS_FILE_DEPENDS = "trusted-firmware-a"
+IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
+
+MACHINE_FEATURES += "optee-ftpm"
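Review bot: `MACHINE_FEATURES += "optee-ftpm"` enables the OP-TEE firmware TPM, but nothing in this patch gives OP-TEE a hardware-backed persistent store on QEMU virt, so unless it is configured elsewhere the fTPM's NV state and keys are kept in normal-world storage and are only as tamper-resistant as the rootfs. That is fine for a reference/test target, but it should be stated next to the feature line, e.g. `# fTPM state on QEMU is backed by normal-world storage; this is a test platform, not a hardware root of trust`. Likewise `secure=on` in `QB_MACHINE` enables the TrustZone secure world; the visible config does not turn on image authentication anywhere, so a one-line header comment saying that "secureboot" here means a secure-world boot flow (TF-A -> OP-TEE -> U-Boot) rather than a verified boot chain would keep the machine name from being misread.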
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index 71055e14..76d2f410 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -1,18 +1,24 @@
 COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
 COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm-secureboot"
 
 TFA_PLATFORM:qemuarm64-secureboot = "qemu"
 TFA_PLATFORM:qemu-generic-arm64 = "qemu_sbsa"
+TFA_PLATFORM:qemuarm-secureboot = "qemu"
 
 TFA_SPD:qemuarm64-secureboot = "opteed"
 TFA_UBOOT:qemuarm64-secureboot = "1"
+TFA_UBOOT:qemuarm-secureboot = "1"
 
 TFA_BUILD_TARGET:aarch64:qemuall = "all fip"
+TFA_BUILD_TARGET:arm:qemuall = "all fip"
 
 TFA_INSTALL_TARGET:qemuarm64-secureboot = "flash.bin"
 TFA_INSTALL_TARGET:qemu-generic-arm64 = "bl1 fip"
+TFA_INSTALL_TARGET:qemuarm-secureboot = "flash.bin"
 
 DEPENDS:append:aarch64:qemuall = " optee-os"
+DEPENDS:append:arm:qemuall = " optee-os"
 
 EXTRA_OEMAKE:append:aarch64:qemuall = " \
     BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
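Review bot: There is no `TFA_SPD:qemuarm-secureboot` entry to pair with the new `COMPATIBLE_MACHINE`/`TFA_PLATFORM` lines, whereas the AArch64 machine sets `TFA_SPD:qemuarm64-secureboot = "opteed"`. On AArch32 the secure payload is selected through `AARCH32_SP=optee` in `EXTRA_OEMAKE` (which this patch adds in the next hunk), so the omission is probably deliberate, but a reader comparing the two machines will assume OP-TEE dispatch was forgotten. A comment at the `TFA_UBOOT:qemuarm-secureboot` line such as `# No TFA_SPD for AArch32: the OP-TEE secure payload is selected via AARCH32_SP=optee in EXTRA_OEMAKE` would make the pairing explicit. Also worth stating that `TFA_BUILD_TARGET:arm:qemuall` and `DEPENDS:append:arm:qemuall` use the generic `arm:qemuall` override and so apply to any future 32-bit QEMU machine that TF-A is made compatible with, not just this one.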
@@ -21,9 +27,26 @@ EXTRA_OEMAKE:append:aarch64:qemuall = " \
     BL32_RAM_LOCATION=tdram \
     "
 
+EXTRA_OEMAKE:append:arm:qemuall = " \
+    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
+    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
+    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
+    ARM_ARCH_MAJOR=7 \
+    ARCH=aarch32 \
+    BL32_RAM_LOCATION=tdram \
+    AARCH32_SP=optee \
+    "
+
 do_compile:append:qemuarm64-secureboot() {
     # Create a secure flash image for booting AArch64 Qemu. See:
     # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst
     dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
     dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
 }
+
+do_compile:append:qemuarm-secureboot() {
+    # Create a secure flash image for booting AArch64 Qemu. See:
+    # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst
+    dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
+    dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+}
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm.cfg
new file mode 100644
index 00000000..db8dfec0
--- /dev/null
+++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm.cfg
@@ -0,0 +1,6 @@
+# This must match the address that TF-A jumps to for BL33
+CONFIG_SYS_TEXT_BASE=0x60000000
+CONFIG_ENV_IS_NOWHERE=y
+# CONFIG_ENV_IS_IN_FLASH is not set
+# CONFIG_MTD is not set
+# CONFIG_MTD_NOR_FLASH is not set
diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
index f7251566..0683a783 100644
--- a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
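Review bot: The comment in the new `do_compile:append:qemuarm-secureboot()` was copied from the AArch64 function and still reads `# Create a secure flash image for booting AArch64 Qemu. See:`; this build passes `ARCH=aarch32`, so it should say `# Create a secure flash image for booting AArch32 Qemu. See:`. The two function bodies are otherwise byte-identical (bl1 at offset 0, fip at 64 x 4096 bytes), so a single shared shell function called from both appends would avoid the two layouts drifting apart. Separately, the new `EXTRA_OEMAKE:append:arm:qemuall` block passes no `TRUSTED_BOARD_BOOT`/`GENERATE_COT` options, so unless the base recipe sets them BL2 loads the OP-TEE and U-Boot images without authenticating them; a comment on the block stating that this target provides a secure-world boot flow rather than a signed chain of trust would stop readers from inferring image verification from the machine name.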
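Review bot: The new qemuarm.cfg fragment explains `CONFIG_SYS_TEXT_BASE` but not why `CONFIG_ENV_IS_NOWHERE=y` and the MTD/NOR options are disabled, and the reason matters here: the same flash that QEMU exposes holds the TF-A `flash.bin`, so keeping U-Boot's environment out of flash and the MTD drivers off means the normal-world bootloader cannot write over the secure firmware image or persist a modified environment across boots. A comment such as `# Keep U-Boot from writing to the flash that carries TF-A; env is built-in only` on the `CONFIG_ENV_IS_NOWHERE=y` line would record that intent so a later "enable env in flash" change is not made casually.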
@@ -1,3 +1,4 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
 SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg"
+SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg"
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto_%.bbappend
index f12dc7cb..f9bd2d66 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -11,3 +11,8 @@ SRC_URI:append:qemuarm64-secureboot = " \
     file://zone_dma_revert.patch \
     file://tee.cfg \
     "
+
+FILESEXTRAPATHS:prepend:qemuarm-secureboot = "${ARMFILESPATHS}"
+SRC_URI:append:qemuarm-secureboot = " \
+    file://tee.cfg \
+    "
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
index bafb2c47..8dfbad7b 100644
--- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
@@ -6,6 +6,7 @@ COMPATIBLE_MACHINE ?= "invalid"
 COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
 COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
 COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
 
 #FIXME - doesn't currently work with clang
 TOOLCHAIN = "gcc"
diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
index beae3667..0dd08a76 100644
--- a/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/recipes-security/optee/optee.inc
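Review bot: The new `SRC_URI:append:qemuarm-secureboot` in linux-yocto_%.bbappend pulls in only `file://tee.cfg`, while the machine conf in this same series enables `optee-ftpm`; if tee.cfg does not already set `CONFIG_TCG_FTPM_TEE` (the kernel's TEE-backed TPM driver), the fTPM will exist in OP-TEE but never appear as a TPM device to Linux, and the "firmware TPM support" promised by the commit message would be silently incomplete. That cannot be verified from this hunk, so it is worth a check and a comment on the append naming the drivers tee.cfg is expected to enable, e.g. `# tee.cfg: OP-TEE driver plus the TEE-backed fTPM driver needed by optee-ftpm`. The `FILESEXTRAPATHS:prepend:qemuarm-secureboot = "${ARMFILESPATHS}"` line also depends on ARMFILESPATHS carrying its own trailing ':' (the existing qemuarm64 block above does not show how it resolves this); a short comment noting that assumption would save the next reader from checking layer.conf.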
@@ -3,13 +3,15 @@ UPSTREAM_CHECK_GITTAGREGEX = "^(?P\d+(\.\d+)+)$"
 COMPATIBLE_MACHINE ?= "invalid"
 COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
 COMPATIBLE_MACHINE:qemu-generic-arm64 ?= "qemu-generic-arm64"
+COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
 
 # Please add supported machines below or set it in .bbappend or .conf
 OPTEEMACHINE ?= "${MACHINE}"
 OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
 
 OPTEE_ARCH = "null"
-OPTEE_ARCH:armv7a = "arm32"
+OPTEE_ARCH:arm = "arm32"
 OPTEE_ARCH:aarch64 = "arm64"
 
 OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
diff --git a/meta-arm/wic/qemuarm.cfg b/meta-arm/wic/qemuarm.cfg
new file mode 100644
index 00000000..79ce7b4a
--- /dev/null
+++ b/meta-arm/wic/qemuarm.cfg
@@ -0,0 +1,3 @@
+default Yocto
+label Yocto
+    kernel /zImage
diff --git a/meta-arm/wic/qemuarm.wks b/meta-arm/wic/qemuarm.wks
new file mode 100644
index 00000000..ccd53c28
--- /dev/null
+++ b/meta-arm/wic/qemuarm.wks
@@ -0,0 +1,4 @@
+bootloader --ptable gpt --configfile="qemuarm.cfg"
+
+part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
+part / --ondisk=vda --source rootfs --fstype=ext4 --label root
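Review bot: Replacing `OPTEE_ARCH:armv7a = "arm32"` with `OPTEE_ARCH:arm = "arm32"` widens the arm32 OP-TEE build from armv7a tunes to every 32-bit ARM target, which is a behaviour change for existing non-QEMU machines that the commit message (a new QEMU target) does not mention. It is probably the right generalisation, since OP-TEE's 32-bit core is not armv7a-specific, but it deserves a line such as `# Any 32-bit ARM tune builds the arm32 OP-TEE core` so the widening reads as intended rather than accidental. Note also that `COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"` makes OP-TEE buildable for plain qemuarm (no secure world, no TF-A) as well as for qemuarm-secureboot via its MACHINEOVERRIDES; that mirrors the existing qemuarm64 entry but differs from the TF-A bbappend in this series, which lists only the secureboot machine, so a comment pointing out that OP-TEE for plain qemuarm is a build-only convenience would avoid confusion.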
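Review bot: The new wic/qemuarm.cfg hard-codes `kernel /zImage`, while the machine conf installs the kernel into /boot via `IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"`; the two agree only as long as KERNEL_IMAGETYPE stays "zImage" for this machine, and a mismatch would leave U-Boot with a boot entry pointing at a file that is not there. Since the extlinux-style config cannot expand BitBake variables, a comment on the `kernel /zImage` line such as `# must match KERNEL_IMAGETYPE in qemuarm-secureboot.conf` is the cheapest way to keep the two in step.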