diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc index 1af74bd0..4eca5244 100644 --- a/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -36,6 +36,8 @@ UBOOT_ARCH = "arm" UBOOT_EXTLINUX = "0" # optee +PREFERRED_VERSION_optee-os ?= "3.14%" +PREFERRED_VERSION_optee-client ?= "3.14%" EXTRA_IMAGEDEPENDS += "optee-os" OPTEE_ARCH = "arm64" OPTEE_BINARY = "tee-pager_v2.bin" diff --git a/meta-arm-bsp/recipes-security/optee/optee-client_3.16.0.bbappend b/meta-arm-bsp/recipes-security/optee/optee-client_3.16.0.bbappend new file mode 100644 index 00000000..d2b023b1 --- /dev/null +++ b/meta-arm-bsp/recipes-security/optee/optee-client_3.16.0.bbappend @@ -0,0 +1,6 @@ +# Machine specific configurations + +MACHINE_OPTEE_CLIENT_REQUIRE ?= "" +MACHINE_OPTEE_CLIENT_REQUIRE:tc = "optee-client-tc.inc" + +require ${MACHINE_OPTEE_CLIENT_REQUIRE} diff --git a/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.14.0.bbappend b/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.16.0.bbappend similarity index 100% rename from meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.14.0.bbappend rename to meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.16.0.bbappend diff --git a/meta-arm-bsp/recipes-security/optee/optee-os_3.16.0.bbappend b/meta-arm-bsp/recipes-security/optee/optee-os_3.16.0.bbappend new file mode 100644 index 00000000..7834b64b --- /dev/null +++ b/meta-arm-bsp/recipes-security/optee/optee-os_3.16.0.bbappend @@ -0,0 +1,7 @@ +# Machine specific configurations + +MACHINE_OPTEE_OS_REQUIRE ?= "" +MACHINE_OPTEE_OS_REQUIRE:corstone1000 = "optee-os_corstone1000.inc" +MACHINE_OPTEE_OS_REQUIRE:tc = "optee-os-tc.inc" + +require ${MACHINE_OPTEE_OS_REQUIRE} 
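Review bot: The two `PREFERRED_VERSION_... ?= "3.14%"` lines in corstone1000.inc hold this machine's trusted OS and client on 3.14 while the rest of the commit moves the layer to 3.16, and nothing in the hunk records why or when the pin can be dropped. The same commit renames optee-os-tadevkit to 3.16.0 and makes it require optee-os_3.16.0.bb, so any TA built for corstone1000 would presumably be built against a 3.16 devkit and loaded by a 3.14 OS; that skew is worth checking. The new optee-os_3.16.0.bbappend also wires `optee-os_corstone1000.inc` into 3.16, which stays inert while the pin holds and takes effect as soon as someone overrides the weak `?=`. I would add a comment above the pin along the lines of `# corstone1000 stays on OP-TEE 3.14 until optee-os_corstone1000.inc is validated against 3.16`, with the wording adjusted to the real reason.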
diff --git a/meta-arm-bsp/recipes-security/optee/optee-test_3.14.0.bbappend b/meta-arm-bsp/recipes-security/optee/optee-test_3.16.0.bbappend similarity index 100% rename from meta-arm-bsp/recipes-security/optee/optee-test_3.14.0.bbappend rename to meta-arm-bsp/recipes-security/optee/optee-test_3.16.0.bbappend diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb index f2a74da3..1a54e99f 100644 --- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb @@ -15,7 +15,7 @@ inherit deploy python3native LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=27e94c0280987ab296b0b8dd02ab9fe5" -DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native optee-os-tadevkit" +DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native " FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896" @@ -48,6 +48,10 @@ EXTRA_OEMAKE:append:aarch64:qemuall = "\ CFG_ARM64_ta_arm64=y \ " +# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the +# right path until this is relocated automatically. +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" + PARALLEL_MAKE = "" do_compile() { diff --git a/meta-arm/recipes-security/optee/optee-client_3.16.0.bb b/meta-arm/recipes-security/optee/optee-client_3.16.0.bb new file mode 100644 index 00000000..4a36cbc1 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-client_3.16.0.bb @@ -0,0 +1,3 @@ +require optee-client.inc + +SRCREV = "06db73b3f3fdb8d23eceaedbc46c49c0b45fd1e2" diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc index 656722e4..e6feb993 100644 --- a/meta-arm/recipes-security/optee/optee-examples.inc +++ b/meta-arm/recipes-security/optee/optee-examples.inc 
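Review bot: The `export OPENSSL_MODULES=...` workaround and its comment are added verbatim in two places, the second hunk of optee-ftpm_git.bb here and the last hunk of the commit in optee.inc, so the copies can drift or one can be left behind when the relocation problem is fixed. Whether optee-ftpm_git.bb already pulls in optee.inc is not visible in these hunks; if it does, the copy in the recipe is redundant. The export is recipe-wide, so every task and every native OpenSSL consumer in these recipes loads provider modules from that directory, which is worth saying in the comment. I would extend the comment with a removal marker such as `# TODO: drop once native OPENSSL_MODULES is relocated automatically (see <tracking-reference>)`. The new ftpm `DEPENDS` string also ends with a stray space before the closing quote.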
@@ -5,16 +5,14 @@ HOMEPAGE = "https://github.com/linaro-swg/optee_examples" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30" -DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native" +DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native" inherit python3native require optee.inc SRC_URI = "git://github.com/linaro-swg/optee_examples.git;branch=master;protocol=https \ - file://0001-plugins-Honour-default-cross-compiler-environment-se.patch \ - file://0002-Makefile-Enable-plugins-installation-in-rootfs.patch \ - " + file://0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch" EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ HOST_CROSS_COMPILE=${HOST_PREFIX} \ @@ -25,6 +23,7 @@ EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ S = "${WORKDIR}/git" B = "${WORKDIR}/build" + do_compile() { oe_runmake -C ${S} } diff --git a/meta-arm/recipes-security/optee/optee-examples/0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch b/meta-arm/recipes-security/optee/optee-examples/0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch new file mode 100644 index 00000000..70add62d --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-examples/0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch 
@@ -0,0 +1,46 @@
+From 11610debf750f15c7a104db7315dcd7d69e282a8 Mon Sep 17 00:00:00 2001
+From: Alejandro Enedino Hernandez Samaniego
+Date: Sat, 26 Feb 2022 01:52:26 +0000
+Subject: [PATCH] Makefile: Fix non-portable sh check for plugins
+
+Upstream-Status: Pending
+
+We previously held a patch that used "=" for comparison, but when
+that patch got upstreamed it was changed to "==" which is non-portable,
+resulting in an error:
+
+/bin/sh: 6: [: acipher: unexpected operator
+/bin/sh: 6: [: plugins: unexpected operator
+/bin/sh: 6: [: hello_world: unexpected operator
+/bin/sh: 6: [: hotp: unexpected operator
+/bin/sh: 6: [: aes: unexpected operator
+/bin/sh: 6: [: random: unexpected operator
+/bin/sh: 6: [: secure_storage: unexpected operator
+
+if /bin/sh doesnt point to bash.
+
+Which in turn causes our do_install task to fail since plugins arent
+where we expect them to be.
+
+
+Signed-off-by: Alejandro Enedino Hernandez Samaniego
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index b3f16aa..9359d95 100644
+--- a/Makefile
++++ b/Makefile
+@@ -31,7 +31,7 @@ prepare-for-rootfs: examples
+ cp -p $$example/host/optee_example_$$example $(OUTPUT_DIR)/ca/; \
+ fi; \
+ cp -pr $$example/ta/*.ta $(OUTPUT_DIR)/ta/; \
+- if [ $$example == plugins ]; then \
++ if [ $$example = plugins ]; then \
+ cp -p plugins/syslog/*.plugin $(OUTPUT_DIR)/plugins/; \
+ fi; \
+ done
+--
+2.25.1
+
diff --git a/meta-arm/recipes-security/optee/optee-examples/0001-plugins-Honour-default-cross-compiler-environment-se.patch b/meta-arm/recipes-security/optee/optee-examples/0001-plugins-Honour-default-cross-compiler-environment-se.patch
deleted file mode 100644
index 033e48ce..00000000
--- a/meta-arm/recipes-security/optee/optee-examples/0001-plugins-Honour-default-cross-compiler-environment-se.patch
+++ /dev/null
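Review bot: The corrected test `[ $$example = plugins ]` still leaves `$$example` unquoted. The loop words come from `$(EXAMPLE_LIST)`, so they are non-empty today, but the conventional portable form is `if [ "$$example" = plugins ]; then \`, which cannot be misparsed as an operator. The failure described in the patch header was silent at build time and only surfaced in do_install; the recipe line that opens the loop is above the inner hunk, so whether the shell runs with `-e` is not visible here. The header's `Upstream-Status: Pending` should become `Submitted [<link>]` once the fix is sent upstream, so this local patch is dropped at the next version bump.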
@@ -1,84 +0,0 @@
-From 79c826c249001700007a6dffe80c3d61ff4428ef Mon Sep 17 00:00:00 2001
-From: Sumit Garg
-Date: Tue, 20 Jul 2021 13:54:30 +0530
-Subject: [PATCH 1/2] plugins: Honour default cross compiler environment setup
-
-Honour default $(CC), $(CFLAGS) and $(LDFLAGS) variables. Without this
-plugins example fails to build for OE/Yocto.
-
-Upstream-Status: Submitted [https://github.com/linaro-swg/optee_examples/pull/87]
-
-Signed-off-by: Sumit Garg
----
- plugins/Makefile | 2 +-
- plugins/host/Makefile | 2 +-
- plugins/syslog/Makefile | 16 ++++++++++++----
- 3 files changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/Makefile b/plugins/Makefile
-index 2372b38..ea472b4 100644
---- a/plugins/Makefile
-+++ b/plugins/Makefile
-@@ -8,7 +8,7 @@ TA_CROSS_COMPILE ?= $(CROSS_COMPILE)
- all:
- $(MAKE) -C host CROSS_COMPILE="$(HOST_CROSS_COMPILE)" --no-builtin-variables
- $(MAKE) -C ta CROSS_COMPILE="$(TA_CROSS_COMPILE)" LDFLAGS=""
-- $(MAKE) -C syslog CROSS_COMPILE="$(HOST_CROSS_COMPILE)"
-+ $(MAKE) -C syslog CROSS_COMPILE="$(HOST_CROSS_COMPILE)" --no-builtin-variables
-
- .PHONY: clean
- clean:
-diff --git a/plugins/host/Makefile b/plugins/host/Makefile
-index 7285104..76244c7 100644
---- a/plugins/host/Makefile
-+++ b/plugins/host/Makefile
-@@ -20,7 +20,7 @@ BINARY = optee_example_plugins
- all: $(BINARY)
-
- $(BINARY): $(OBJS)
-- $(CC) -o $@ $< $(LDADD)
-+ $(CC) $(LDFLAGS) -o $@ $< $(LDADD)
-
- .PHONY: clean
- clean:
-diff --git a/plugins/syslog/Makefile b/plugins/syslog/Makefile
-index 62d916a..71f5f92 100644
---- a/plugins/syslog/Makefile
-+++ b/plugins/syslog/Makefile
-@@ -1,3 +1,11 @@
-+CC ?= $(CROSS_COMPILE)gcc
-+LD ?= $(CROSS_COMPILE)ld
-+AR ?= $(CROSS_COMPILE)ar
-+NM ?= $(CROSS_COMPILE)nm
-+OBJCOPY ?= $(CROSS_COMPILE)objcopy
-+OBJDUMP ?= $(CROSS_COMPILE)objdump
-+READELF ?= $(CROSS_COMPILE)readelf
-+
- PLUGIN_UUID = 96bcf744-4f72-4866-bf1d-8634fd9c65e5
-
- PLUGIN = $(PLUGIN_UUID).plugin
-@@ -6,17 +14,17 @@ PLUGIN_OBJ = $(patsubst %.c, %.o, $(PLUGIN_SRS))
- PLUGIN_INCLUDES_DIR = $(CURDIR) $(TEEC_EXPORT)/include
-
- PLUGIN_INCLUDES = $(addprefix -I, $(PLUGIN_INCLUDES_DIR))
--PLUGIN_CCFLAGS = -Wall -fPIC
--PLUGIN_LDFLAGS = -shared
-+PLUGIN_CCFLAGS = $(CFLAGS) -Wall -fPIC
-+PLUGIN_LDFLAGS = $(LDFLAGS) -shared
-
- .PHONY: all
- all: $(PLUGIN)
-
- $(PLUGIN): $(PLUGIN_OBJ)
-- $(CROSS_COMPILE)gcc $(PLUGIN_LDFLAGS) $(PLUGIN_OBJ) -o $@
-+ $(CC) $(PLUGIN_LDFLAGS) $(PLUGIN_OBJ) -o $@
-
- %.o: %.c
-- $(CROSS_COMPILE)gcc $(PLUGIN_CCFLAGS) $(PLUGIN_INCLUDES) -c $*.c -o $*.o
-+ $(CC) $(PLUGIN_CCFLAGS) $(PLUGIN_INCLUDES) -c $*.c -o $*.o
-
- .PHONY: clean
- clean:
---
-2.25.1
-
diff --git a/meta-arm/recipes-security/optee/optee-examples/0002-Makefile-Enable-plugins-installation-in-rootfs.patch b/meta-arm/recipes-security/optee/optee-examples/0002-Makefile-Enable-plugins-installation-in-rootfs.patch
deleted file mode 100644
index 80e6b5fb..00000000
--- a/meta-arm/recipes-security/optee/optee-examples/0002-Makefile-Enable-plugins-installation-in-rootfs.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f4e5e74548d92258855434b550c58fe44993c148 Mon Sep 17 00:00:00 2001
-From: Sumit Garg
-Date: Tue, 20 Jul 2021 14:20:10 +0530
-Subject: [PATCH] Makefile: Enable plugins installation in rootfs
-
-Upstream-Status: Submitted [https://github.com/linaro-swg/optee_examples/pull/87]
-
-Signed-off-by: Sumit Garg
-
----
- Makefile | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/Makefile b/Makefile
-index a275842..9359d95 100644
---- a/Makefile
-+++ b/Makefile
-@@ -25,14 +25,19 @@ prepare-for-rootfs: examples
- @mkdir -p $(OUTPUT_DIR)
- @mkdir -p $(OUTPUT_DIR)/ta
- @mkdir -p $(OUTPUT_DIR)/ca
-+ @mkdir -p $(OUTPUT_DIR)/plugins
- @for example in $(EXAMPLE_LIST); do \
- if [ -e $$example/host/optee_example_$$example ]; then \
- cp -p $$example/host/optee_example_$$example $(OUTPUT_DIR)/ca/; \
- fi; \
- cp -pr $$example/ta/*.ta $(OUTPUT_DIR)/ta/; \
-+ if [ $$example = plugins ]; then \
-+ cp -p plugins/syslog/*.plugin $(OUTPUT_DIR)/plugins/; \
-+ fi; \
- done
-
- prepare-for-rootfs-clean:
- @rm -rf $(OUTPUT_DIR)/ta
- @rm -rf $(OUTPUT_DIR)/ca
-+ @rm -rf $(OUTPUT_DIR)/plugins
- @rmdir --ignore-fail-on-non-empty $(OUTPUT_DIR) || test ! -e $(OUTPUT_DIR)
diff --git a/meta-arm/recipes-security/optee/optee-examples_3.14.0.bb b/meta-arm/recipes-security/optee/optee-examples_3.14.0.bb
deleted file mode 100644
index f2b5f7dd..00000000
--- a/meta-arm/recipes-security/optee/optee-examples_3.14.0.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-require optee-examples.inc
-
-SRCREV = "e9c870525af8f7e7fccf575a0ca5394ce55adcec"
-
diff --git a/meta-arm/recipes-security/optee/optee-examples_3.16.0.bb b/meta-arm/recipes-security/optee/optee-examples_3.16.0.bb
new file mode 100644
index 00000000..b5f62692
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-examples_3.16.0.bb
@@ -0,0 +1,3 @@
+require optee-examples.inc
+
+SRCREV = "65fc74309e12189ad5b6ce3ffec37c8011088a5a"
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.16.0.bb similarity index 94% rename from meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb rename to meta-arm/recipes-security/optee/optee-os-tadevkit_3.16.0.bb index 0d37a528..c710e27f 100644 --- a/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_3.16.0.bb @@ -1,10 +1,11 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:" -require optee-os_3.14.0.bb +require optee-os_3.16.0.bb SUMMARY = "OP-TEE Trusted OS TA devkit" DESCRIPTION = "OP-TEE TA devkit for build TAs" HOMEPAGE = "https://www.op-tee.org/" + do_install() { #install TA devkit install -d ${D}${includedir}/optee/export-user_ta/ diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc index 1506a58d..eee715f5 100644 --- a/meta-arm/recipes-security/optee/optee-os.inc +++ b/meta-arm/recipes-security/optee/optee-os.inc @@ -10,7 +10,7 @@ require optee.inc CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os" -DEPENDS = "python3-pycryptodome-native python3-pyelftools-native" +DEPENDS = "python3-pyelftools-native python3-cryptography-native" DEPENDS:append:toolchain-clang = " compiler-rt" diff --git a/meta-arm/recipes-security/optee/optee-os_3.14.0.bb b/meta-arm/recipes-security/optee/optee-os_3.14.0.bb index 95d82bb3..92e1f88e 100644 --- a/meta-arm/recipes-security/optee/optee-os_3.14.0.bb +++ b/meta-arm/recipes-security/optee/optee-os_3.14.0.bb @@ -6,3 +6,4 @@ SRC_URI:append = " \ file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \ file://0007-allow-setting-sysroot-for-clang.patch \ " +DEPENDS = "python3-pycryptodome-native python3-pyelftools-native" diff --git a/meta-arm/recipes-security/optee/optee-os_3.16.0.bb b/meta-arm/recipes-security/optee/optee-os_3.16.0.bb new file mode 100644 index 00000000..873e964b --- /dev/null 
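Review bot: The `DEPENDS = "python3-pycryptodome-native python3-pyelftools-native"` line appended to optee-os_3.14.0.bb is a hard assignment after `require optee-os.inc`, so it replaces rather than extends whatever the shared include declares now or later, and nothing explains why this version differs. Presumably the 3.14 signing scripts still import pycryptodome and the recipe is kept for machines pinned to 3.14; a comment should say so, for example `# 3.14 build scripts still use pycryptodome; override the python3-cryptography default from optee-os.inc`. Without that, a later cleanup can easily delete the line and break the retained trusted-OS build.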
+++ b/meta-arm/recipes-security/optee/optee-os_3.16.0.bb @@ -0,0 +1,8 @@ +require optee-os.inc + +SRCREV = "d0b742d1564834dac903f906168d7357063d5459" + +SRC_URI:append = " \ + file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \ + file://0007-allow-setting-sysroot-for-clang.patch \ +" diff --git a/meta-arm/recipes-security/optee/optee-spdevkit_git.bb b/meta-arm/recipes-security/optee/optee-spdevkit_git.bb index 16ad7518..ec1b2056 100644 --- a/meta-arm/recipes-security/optee/optee-spdevkit_git.bb +++ b/meta-arm/recipes-security/optee/optee-spdevkit_git.bb @@ -10,7 +10,7 @@ require optee.inc CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os" -DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native python3-pyelftools-native" +DEPENDS = "python3-pyelftools-native" DEPENDS:append:toolchain-clang = " compiler-rt" diff --git a/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/recipes-security/optee/optee-test.inc index aada2432..3ba87880 100644 --- a/meta-arm/recipes-security/optee/optee-test.inc +++ b/meta-arm/recipes-security/optee/optee-test.inc @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa" inherit python3native ptest require optee.inc -DEPENDS = "optee-client optee-os-tadevkit python3-pycryptodome-native" +DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native" SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \ file://run-ptest \ diff --git a/meta-arm/recipes-security/optee/optee-test_3.14.0.bb b/meta-arm/recipes-security/optee/optee-test_3.14.0.bb deleted file mode 100644 index 6367c276..00000000 --- a/meta-arm/recipes-security/optee/optee-test_3.14.0.bb +++ /dev/null @@ -1,3 +0,0 @@ -require optee-test.inc - -SRCREV = "f2eb88affbb7f028561b4fd5cbd049d5d704f741" diff --git a/meta-arm/recipes-security/optee/optee-test_3.16.0.bb b/meta-arm/recipes-security/optee/optee-test_3.16.0.bb new file mode 100644 index 00000000..03f9c34a --- /dev/null 
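Review bot: In optee-spdevkit_git.bb the new `DEPENDS = "python3-pyelftools-native"` drops both pycryptodome packages without adding `python3-cryptography-native`, unlike the parallel changes to optee-os.inc and optee-test.inc. The recipe's SRCREV and build steps are outside the hunk, so it is not visible whether its scripts import a crypto module; if they do, the signing step would fail once the per-recipe native sysroot no longer carries one. Either add the dependency to match optee-os.inc or state the reason in a comment, for example `# SP devkit build performs no signing, so no Python crypto module is required`, after confirming that this holds for the pinned revision.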
+++ b/meta-arm/recipes-security/optee/optee-test_3.16.0.bb
@@ -0,0 +1,3 @@
+require optee-test.inc
+
+SRCREV = "1cf0e6d2bdd1145370033d4e182634458528579d"
diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
index f02a0220..beae3667 100644
--- a/meta-arm/recipes-security/optee/optee.inc
+++ b/meta-arm/recipes-security/optee/optee.inc
@@ -26,3 +26,6 @@ EXTRA_OEMAKE += "V=1 \
 OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
 TEEC_EXPORT=${STAGING_DIR_HOST}${prefix} \
 "
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"