Add support for booting qemu with TFA and optee

Adds support for booting AArch64 Qemu machines using TF-A + optee +
u-boot. Most of the changes are applicable to any AArch64 qemu target,
and a reference machine called qemuarm64-secureboot has been added that
show how to enable support for it.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Reviewed-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>

meta-arm/conf/machine/qemuarm64-secureboot.conf

@@ -0,0 +1,26 @@
+MACHINEOVERRIDES =. "qemuarm64:"
+
+require ${COREBASE}/meta/conf/machine/qemuarm64.conf
+
+KMACHINE = "qemuarm64"
+
+UBOOT_MACHINE = "qemu_arm64_defconfig"
+
+# The 5.4 kernel panics when booting, so use the development kernel until the
+# default kernel is upgraded (5.5. supposedly works)
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
+
+QB_MACHINE = "-machine virt,secure=on"
+QB_OPT_APPEND += "-no-acpi"
+QB_MEM = "-m 1G"
+QB_DEFAULT_FSTYPE = "wic.qcow2"
+QB_DEFAULT_BIOS = "flash.bin"
+QB_FSINFO = "wic:no-kernel-in-fs"
+QB_ROOTFS_OPT = ""
+
+IMAGE_FSTYPES += "wic wic.qcow2"
+
+WKS_FILE ?= "qemuarm64.wks"
+WKS_FILE_DEPENDS = "trusted-firmware-a"
+IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
+

meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc

@@ -8,9 +8,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 inherit deploy
 
 COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
 
 # Platform must be set for each machine
 TFA_PLATFORM ?= "invalid"
+TFA_PLATFORM_aarch64_qemuall ?= "qemu"
 
 # Some platforms can have multiple board configurations
 # Leave empty for default behavior
@@ -20,6 +22,7 @@ TFA_BOARD ?= ""
 # Few options are "opteed", "tlkd", "trusty", "tspd"...
 # Leave empty to not use SPD
 TFA_SPD ?= ""
+TFA_SPD_aarch64_qemuall ?= "opteed"
 
 # Build for debug (set TFA_DEBUG to 1 to activate)
 TFA_DEBUG ?= "0"
@@ -44,16 +47,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
 # U-boot support (set TFA_UBOOT to 1 to activate)
 # When U-Boot support is activated BL33 is activated with u-boot.bin file
 TFA_UBOOT ?= "0"
+TFA_UBOOT_aarch64_qemuall ?= "1"
 
 # What to build
 # By default we only build bl1, do_deploy will copy
 # everything listed in this variable (by default bl1.bin)
 TFA_BUILD_TARGET ?= "bl1"
+TFA_BUILD_TARGET_aarch64_qemuall ?= "all fip"
 
 # What to install
 # do_install and do_deploy will install everything listed in this
 # variable. It is set by default to TFA_BUILD_TARGET
 TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
+TFA_INSTALL_TARGET_aarch64_qemuall ?= "flash.bin"
 
 # Requires CROSS_COMPILE set by hand as there is no configure script
 export CROSS_COMPILE="${TARGET_PREFIX}"
@@ -70,13 +76,13 @@ do_configure[noexec] = "1"
 # We need dtc for dtbs compilation
 # We need openssl for fiptool
 DEPENDS_append = " dtc-native openssl-native"
+DEPENDS_append_aarch64_qemuall ?= " optee-os"
 
 # Add platform parameter
 EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
 
 # Handle TFA_BOARD parameter
 EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
-BUILD_DIR = "${TFA_PLATFORM}${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
 
 # Handle TFA_SPD parameter
 EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
@@ -92,6 +98,17 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
 do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
 EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
 
+EXTRA_OEMAKE_append_aarch64_qemuall = " \
+    BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
+    BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
+    BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
+    BL32_RAM_LOCATION=tdram \
+    "
+
+BUILD_DIR = "${B}/${TFA_PLATFORM}"
+BUILD_DIR .= "${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
+BUILD_DIR .= "/${@'debug' if d.getVar("TFA_DEBUG") == '1' else 'release'}"
+
 # The following hack is needed to fit properly in yocto build environment
 # TFA is forcing the host compiler and its flags in the Makefile using :=
 # assignment for GCC and CFLAGS.
@@ -107,13 +124,14 @@ do_compile() {
 }
 do_compile[cleandirs] = "${B}"
 
-do_install() {
-    if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
-        BUILD_PLAT=${B}/${BUILD_DIR}/debug/
-    else
-        BUILD_PLAT=${B}/${BUILD_DIR}/release/
-    fi
+do_compile_append_aarch64_qemuall() {
+    # Create a secure flash image for booting AArch64 Qemu. See:
+    # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/qemu.rst
+    dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
+    dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+}
 
+do_install() {
     install -d -m 755 ${D}/firmware
     for atfbin in ${TFA_INSTALL_TARGET}; do
         processes="0"
@@ -125,23 +143,23 @@ do_install() {
             exit 1
         fi
 
-        if [ -f $BUILD_PLAT/$atfbin.bin ]; then
+        if [ -f ${BUILD_DIR}/$atfbin.bin ]; then
             echo "Install $atfbin.bin"
-            install -m 0644 $BUILD_PLAT/$atfbin.bin \
+            install -m 0644 ${BUILD_DIR}/$atfbin.bin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
             ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
             processes="1"
         fi
-        if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
+        if [ -f ${BUILD_DIR}/$atfbin/$atfbin.elf ]; then
             echo "Install $atfbin.elf"
-            install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
+            install -m 0644 ${BUILD_DIR}/$atfbin/$atfbin.elf \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
             ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
             processes="1"
         fi
-        if [ -f $BUILD_PLAT/$atfbin ]; then
+        if [ -f ${BUILD_DIR}/$atfbin ]; then
             echo "Install $atfbin"
-            install -m 0644 $BUILD_PLAT/$atfbin \
+            install -m 0644 ${BUILD_DIR}/$atfbin \
                 ${D}/firmware/$atfbin-${TFA_PLATFORM}
             ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
             processes="1"

meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg

@@ -0,0 +1,4 @@
+CONFIG_TFABOOT=y
+# This must match the address that TF-A jumps to for BL33
+CONFIG_SYS_TEXT_BASE=0x60000000
+

meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend

@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"

meta-arm/recipes-kernel/linux/linux-yocto-dev.bbappend

@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append_qemuarm64-secureboot = " file://tee.cfg"
+

meta-arm/recipes-kernel/linux/linux-yocto-dev/tee.cfg

@@ -0,0 +1,4 @@
+CONFIG_HW_RANDOM_OPTEE=m
+CONFIG_TEE=m
+CONFIG_OPTEE=m
+CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=10

meta-arm/recipes-security/optee/optee-os_git.bb

@@ -23,6 +23,7 @@ S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
 OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE_aarch64_qemuall ?= "vexpress-qemu_armv8a"
 OPTEE_ARCH = "null"
 OPTEE_ARCH_armv7a = "arm32"
 OPTEE_ARCH_aarch64 = "arm64"
@@ -75,6 +76,8 @@ do_deploy() {
 
 addtask deploy before do_build after do_install
 
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
+
 FILES_${PN} = "${nonarch_base_libdir}/firmware/"
 FILES_${PN}-dev = "${includedir}/optee/"
 

meta-arm/recipes-security/optee/optee.inc

@@ -1,2 +1,3 @@
 COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE_qemuarm64 ?= "qemuarm64"
 # Please add supported machines below or set it in .bbappend or .conf

meta-arm/wic/qemuarm64.wks

@@ -0,0 +1,4 @@
+bootloader --ptable gpt
+
+part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
+part /     --ondisk=vda                                 --source rootfs            --fstype=ext4 --label root