From 85494c88f37b80179ad8c904fd3083cdc42e6bb8 Mon Sep 17 00:00:00 2001
From: Anton Antonov <Anton.Antonov@arm.com>
Date: Wed, 31 Aug 2022 19:41:52 +0100
Subject: [PATCH] Recipes for Trusted Services Secure Partitions

We define dedicated recipes for all supported TS SPs.

The recipes produce stripped.elf and DTB files for SPs.
These files are automatically included into optee-os image.
See meta-arm/recipes-security/trusted-services/optee-os-ts.inc

This approach allows us to:
- include only required SPs into an optee-os image using MACHINE_FEATURES
- use Yocto cmake bbclass
- fetch and build only required dependencies
- use simple SP specific bbapend files if required

Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 .../trusted-services/trusted-services.inc     |  9 +++--
 .../trusted-services/ts-sp-attestation_git.bb |  7 ++++
 .../trusted-services/ts-sp-common.inc         | 29 ++++++++++++++++
 .../trusted-services/ts-sp-crypto_git.bb      |  9 +++++
 .../0013-env-test-no-std-libs.patch           | 33 +++++++++++++++++++
 .../trusted-services/ts-sp-env-test_git.bb    | 14 ++++++++
 .../trusted-services/ts-sp-its_git.bb         |  7 ++++
 .../trusted-services/ts-sp-se-proxy_git.bb    |  9 +++++
 .../ts-sp-smm-gateway_%.bbappend              |  5 +++
 .../trusted-services/ts-sp-smm-gateway_git.bb |  7 ++++
 .../trusted-services/ts-sp-storage_git.bb     |  7 ++++
 .../trusted-services/ts-uuid.inc              |  9 +++++
 12 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-common.inc
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-env-test/0013-env-test-no-std-libs.patch
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
 create mode 100644 meta-arm/recipes-security/trusted-services/ts-uuid.inc

diff --git a/meta-arm/recipes-security/trusted-services/trusted-services.inc b/meta-arm/recipes-security/trusted-services/trusted-services.inc
index 0853d054..80c08499 100644
--- a/meta-arm/recipes-security/trusted-services/trusted-services.inc
+++ b/meta-arm/recipes-security/trusted-services/trusted-services.inc
@@ -2,7 +2,6 @@ SUMMARY ?= "The Trusted Services: framework for developing root-of-trust service
 HOMEPAGE = "https://trusted-services.readthedocs.io/en/latest/index.html"
 
 LICENSE = "Apache-2.0 & BSD-3-Clause & Zlib"
-LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4"
 
 inherit python3native cmake
 
@@ -10,6 +9,12 @@ COMPATIBLE_HOST = "aarch64.*-linux"
 
 require trusted-services-src.inc
 
+# By default bitbake includes only ${S} (i.e git/trusted-services) in the maps.
+# We also need to include the TS dependencies source trees.
+DEBUG_PREFIX_MAP:append = "-fmacro-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+ -fdebug-prefix-map=${WORKDIR}/git=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR} \
+"
+
 TS_PLATFORM ?= "ts/mock"
 
 # SP images are embedded into optee-os image
@@ -18,7 +23,7 @@ SP_PACKAGING_METHOD ?= "embedded"
 
 SYSROOT_DIRS += "/usr/opteesp /usr/arm-linux"
 
-# In TS cmake files use find_file() to search through source code and build dirs.
+# TS cmake files use find_file() to search through source code and build dirs.
 # Yocto cmake class limits CMAKE_FIND_ROOT_PATH and find_file() fails.
 # Include the source tree and build dirs into searchable path.
 OECMAKE_EXTRA_ROOT_PATH = "${WORKDIR}/git/ ${WORKDIR}/build/"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
new file mode 100644
index 00000000..eef05fe3
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-attestation_git.bb
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services attestation service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ATTESTATION_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/attestation/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-common.inc b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
new file mode 100644
index 00000000..e46cd6be
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-common.inc
@@ -0,0 +1,29 @@
+# Common part of all Trusted Services SPs recipes
+
+TS_ENV = "opteesp"
+
+require trusted-services.inc
+require ts-uuid.inc
+
+DEPENDS += "dtc-native ts-newlib"
+
+FILES:${PN}-dev = "${TS_INSTALL}"
+
+# Secure Partition DTS file might be updated in bbapend files
+SP_DTS_FILE ?= "${D}${TS_INSTALL}/manifest/${SP_UUID}.dts"
+
+do_install:append() {
+    # Generate SP DTB which will be included automatically by optee-os build process
+    dtc -I dts -O dtb -o ${D}${TS_INSTALL}/manifest/${SP_UUID}.dtb ${SP_DTS_FILE}
+
+    # We do not need libs and headers
+    rm -r --one-file-system ${D}${TS_INSTALL}/lib
+    rm -r --one-file-system ${D}${TS_INSTALL}/include
+}
+
+# Use Yocto debug prefix maps for compiling assembler.
+EXTRA_OECMAKE += '-DCMAKE_ASM_FLAGS="${DEBUG_PREFIX_MAP}"'
+
+# Ignore that SP stripped.elf does not have GNU_HASH
+# Older versions of optee support SYSV hash only.
+INSANE_SKIP:${PN}-dev += "ldflags"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
new file mode 100644
index 00000000..77a28557
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-crypto_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Trusted Services crypto service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${CRYPTO_UUID}"
+
+DEPENDS += "python3-protobuf-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/crypto/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-env-test/0013-env-test-no-std-libs.patch b/meta-arm/recipes-security/trusted-services/ts-sp-env-test/0013-env-test-no-std-libs.patch
new file mode 100644
index 00000000..f6269db4
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-env-test/0013-env-test-no-std-libs.patch
@@ -0,0 +1,33 @@
+From 7a0dcc40ea736dc20b25813dfc08e576c2615217 Mon Sep 17 00:00:00 2001
+From: Anton Antonov <Anton.Antonov@arm.com>
+Date: Wed, 31 Aug 2022 17:32:47 +0100
+Subject: [PATCH] Do not use standard libraries in env-test opteesp deployment
+
+In opteesp deployments newlib used used. The standard libraries should not be included.
+
+Upstream-Status: Pending
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+---
+ deployments/env-test/opteesp/CMakeLists.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/deployments/env-test/opteesp/CMakeLists.txt b/deployments/env-test/opteesp/CMakeLists.txt
+index cff00ff..60abc0d 100644
+--- a/deployments/env-test/opteesp/CMakeLists.txt
++++ b/deployments/env-test/opteesp/CMakeLists.txt
+@@ -56,9 +56,9 @@ include(../env-test.cmake REQUIRED)
+ #-------------------------------------------------------------------------------
+ add_platform(TARGET env-test)
+ 
+-if(CMAKE_CROSSCOMPILING)
+-	target_link_libraries(env-test PRIVATE stdc++ gcc m)
+-endif()
++#if(CMAKE_CROSSCOMPILING)
++#	target_link_libraries(env-test PRIVATE stdc++ gcc m)
++#endif()
+ 
+ #################################################################
+ 
+-- 
+2.25.1
+
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb
new file mode 100644
index 00000000..9cd73cbc
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-env-test_git.bb
@@ -0,0 +1,14 @@
+DESCRIPTION = "Trusted Services test_runner service provider"
+
+require ts-sp-common.inc
+
+# Current version of env-test SP contains hard-coded values for FVP.
+COMPATIBLE_MACHINE ?= "invalid"
+
+SP_UUID = "${ENV_TEST_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/env-test/${TS_ENV}"
+
+SRC_URI += "\
+            file://0013-env-test-no-std-libs.patch \
+"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
new file mode 100644
index 00000000..4eb5dc5e
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-its_git.bb
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services internal secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${ITS_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/internal-trusted-storage/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
new file mode 100644
index 00000000..b9246418
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Trusted Services proxy service providers"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SE_PROXY_UUID}"
+
+DEPENDS += "python3-protobuf-native"
+
+OECMAKE_SOURCEPATH="${S}/deployments/se-proxy/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
new file mode 100644
index 00000000..c485a562
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
@@ -0,0 +1,5 @@
+
+# Update MM communication buffer address for qemuarm64 machine
+EXTRA_OECMAKE:append:qemuarm64-secureboot = "-DMM_COMM_BUFFER_ADDRESS="0x00000000 0x42000000" \
+                                             -DMM_COMM_BUFFER_PAGE_COUNT="1" \
+"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
new file mode 100644
index 00000000..06ca6bd1
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services service provider for UEFI SMM services"
+
+require ts-sp-common.inc
+
+SP_UUID = "${SMM_GATEWAY_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/smm-gateway/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
new file mode 100644
index 00000000..c8937546
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-storage_git.bb
@@ -0,0 +1,7 @@
+DESCRIPTION = "Trusted Services secure storage service provider"
+
+require ts-sp-common.inc
+
+SP_UUID = "${STORAGE_UUID}"
+
+OECMAKE_SOURCEPATH="${S}/deployments/protected-storage/${TS_ENV}"
diff --git a/meta-arm/recipes-security/trusted-services/ts-uuid.inc b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
new file mode 100644
index 00000000..7a39f733
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
@@ -0,0 +1,9 @@
+# Trusted Services SPs canonical UUIDs
+
+ATTESTATION_UUID = "a1baf155-8876-4695-8f7c-54955e8db974"
+CRYPTO_UUID      = "d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0"
+ENV_TEST_UUID    = "33c75baf-ac6a-4fe4-8ac7-e9909bee2d17"
+ITS_UUID         = "dc1eef48-b17a-4ccf-ac8b-dfcff7711b14"
+SE_PROXY_UUID    = "46bb39d1-b4d9-45b5-88ff-040027dab249"
+SMM_GATEWAY_UUID = "ed32d533-99e6-4209-9cc0-2d72cdd998a7"
+STORAGE_UUID     = "751bf801-3dde-4768-a514-0f10aeed1790"