Recipes for Trusted Services Secure Partitions

We define dedicated recipes for all supported TS SPs. The recipes produce stripped.elf and DTB files for SPs. These files are automatically included into optee-os image. See meta-arm/recipes-security/trusted-services/optee-os-ts.inc This approach allows us to: - include only required SPs into an optee-os image using MACHINE_FEATURES - use Yocto cmake bbclass - fetch and build only required dependencies - use simple SP specific bbapend files if required Signed-off-by: Anton Antonov <Anton.Antonov@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-05-07 16:59:30 +00:00 · 2022-08-31 19:41:52 +01:00
parent 805054c292
commit 85494c88f3
12 changed files with 143 additions and 2 deletions
@@ -2,7 +2,6 @@ SUMMARY ?= "The Trusted Services: framework for developing root-of-trust service
 HOMEPAGE = "https://trusted-services.readthedocs.io/en/latest/index.html"

 LICENSE = "Apache-2.0 & BSD-3-Clause & Zlib"
-LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4"

 inherit python3native cmake

@@ -10,6 +9,12 @@ COMPATIBLE_HOST = "aarch64.*-linux"

 require trusted-services-src.inc

+# By default bitbake includes only ${S} (i.e git/trusted-services) in the maps.
+# We also need to include the TS dependencies source trees.
+DEBUG_PREFIX_MAP:append = "-fmacro-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+ -fdebug-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+"
+
 TS_PLATFORM ?= "ts/mock"

 # SP images are embedded into optee-os image
@@ -18,7 +23,7 @@ SP_PACKAGING_METHOD ?= "embedded"

 SYSROOT_DIRS += "/usr/opteesp /usr/arm-linux"

-# In TS cmake files use find_file() to search through source code and build dirs.
+# TS cmake files use find_file() to search through source code and build dirs.
 # Yocto cmake class limits CMAKE_FIND_ROOT_PATH and find_file() fails.
 # Include the source tree and build dirs into searchable path.
 OECMAKE_EXTRA_ROOT_PATH = "${WORKDIR}/git/ ${WORKDIR}/build/"
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services attestation service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ATTESTATION_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/attestation/${TS_ENV}"
@@ -0,0 +1,29 @@
+# Common part of all Trusted Services SPs recipes
+
+TS_ENV = "opteesp"
+
+require trusted-services.inc
+require ts-uuid.inc
+
+DEPENDS += "dtc-native ts-newlib"
+
+FILES:${PN}-dev = "${TS_INSTALL}"
+
+# Secure Partition DTS file might be updated in bbapend files
+SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts"
+
+do_install:append() {
+    # Generate SP DTB which will be included automatically by optee-os build process
+    dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE}
+
+    # We do not need libs and headers
+    rm -r --one-file-system ${D}${TS_INSTALL}/lib
+    rm -r --one-file-system ${D}${TS_INSTALL}/include
+}
+
+# Use Yocto debug prefix maps for compiling assembler.
+EXTRA_OECMAKE += '-DCMAKE_ASM_FLAGS="${DEBUG_PREFIX_MAP}"'
+
+# Ignore that SP stripped.elf does not have GNU_HASH
+# Older versions of optee support SYSV hash only.
+INSANE_SKIP:${PN}-dev += "ldflags"
@@ -0,0 +1,9 @@
+DESCRIPTION = "Trusted Services crypto service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${CRYPTO_UUID}"
+
+DEPENDS += "python3-protobuf-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/crypto/${TS_ENV}"
@@ -0,0 +1,33 @@
+From 7a0dcc40ea736dc20b25813dfc08e576c2615217 Mon Sep 17 00:00:00 2001
+From: Anton Antonov <Anton.Antonov@arm.com>
+Date: Wed, 31 Aug 2022 17:32:47 +0100
+Subject: [PATCH] Do not use standard libraries in env-test opteesp deployment
+
+In opteesp deployments newlib used used. The standard libraries should not be included.
+
+Upstream-Status: Pending
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+---
+ deployments/env-test/opteesp/CMakeLists.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/deployments/env-test/opteesp/CMakeLists.txt b/deployments/env-test/opteesp/CMakeLists.txt
+index cff00ff..60abc0d 100644
+--- a/deployments/env-test/opteesp/CMakeLists.txt
+++ b/deployments/env-test/opteesp/CMakeLists.txt
+@@ -56,9 +56,9 @@ include(../env-test.cmake REQUIRED)
+ #-------------------------------------------------------------------------------
+ add_platform(TARGET env-test)
+ 
+-if(CMAKE_CROSSCOMPILING)
+-	target_link_libraries(env-test PRIVATE stdc++ gcc m)
+-endif()
+#if(CMAKE_CROSSCOMPILING)
+#	target_link_libraries(env-test PRIVATE stdc++ gcc m)
+#endif()
+ 
+ #################################################################
+ 
+-- 
+2.25.1
+
@@ -0,0 +1,14 @@
+DESCRIPTION = "Trusted Services test_runner service provider"
+
+require ts-sp-common.inc
+
+# Current version of env-test SP contains hard-coded values for FVP.
+COMPATIBLE_MACHINE ?= "invalid"
+
+SP_UUID = "${ENV_TEST_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/env-test/${TS_ENV}"
+
+SRC_URI += "\
+            file://0013-env-test-no-std-libs.patch \
+"
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services internal secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ITS_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/${TS_ENV}"
@@ -0,0 +1,9 @@
+DESCRIPTION = "Trusted Services proxy service providers"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SE_PROXY_UUID}"
+
+DEPENDS += "python3-protobuf-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/${TS_ENV}"
@@ -0,0 +1,5 @@
+
+# Update MM communication buffer address for qemuarm64 machine
+EXTRA_OECMAKE:append:qemuarm64-secureboot = "-DMM_COMM_BUFFER_ADDRESS="0x00000000 0x42000000" \
+                                             -DMM_COMM_BUFFER_PAGE_COUNT="1" \
+"
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services service provider for UEFI SMM services"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SMM_GATEWAY_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/${TS_ENV}"
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${STORAGE_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/${TS_ENV}"
@@ -0,0 +1,9 @@
+# Trusted Services SPs canonical UUIDs
+
+ATTESTATION_UUID = "a1baf155-8876-4695-8f7c-54955e8db974"
+CRYPTO_UUID      = "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"
+ENV_TEST_UUID    = "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"
+ITS_UUID         = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"
+SE_PROXY_UUID    = "46bb39d1-b4d9-45b5-88ff-040027dab249"
+SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7"
+STORAGE_UUID     = "751bf801-3dde-4768-a514-0f10aeed1790"