arm/trusted-services: simplify SmmGW configuration

Bound Authenticated Variable configuration related settings to yocto
variables. The aim is easier configuration by hiding SmmGW build system
internals at the yocto recipe level.

For details please see documentation/trusted-services.md

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>

ci/fvp-base-ts.yml

@@ -15,6 +15,8 @@ local_conf_header:
     MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
     MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
     MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
+    MACHINE_FEATURES:append = " arm-branch-protection"
+    SMMGW_AUTH_VAR = "1"
     # Include TS demo/test tools into image
     IMAGE_INSTALL:append = " packagegroup-ts-tests"
     # Include TS PSA Arch tests into image

documentation/trusted-services.md

@@ -57,6 +57,18 @@ Optionally for testing purposes you can add `packagegroup-ts-tests` into your im
   meta-arm also includes Trusted Service OEQA tests which can be used for automated testing.
 See `ci/trusted-services.yml` for an example how to include them into an image.
 
+## Configuration options
+
+Some TS recipes support yocto variables to set build configuration. These variables can be set in .conf files (machine
+specific or local.conf), or .bbappend files. 
+
+SmmGW SP recipe supports the following configuration variables
+
+| Variable name         | Type | Description                                                                                            |
+|-----------------------|------|--------------------------------------------------------------------------------------------------------|
+| SMMGW_AUTH_VAR        | Bool | Enable Authenticated variable support                                                                  |
+| SMMGW_INTERNAL_CRYPTO | Bool | Use MbedTLS build into SmmGW for authentication related crypto operations. Depends on SMMGW_AUTH_VAR=1 |
+
 
 ------
 [^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html

meta-arm-bsp/conf/machine/include/corstone1000.inc

@@ -67,3 +67,8 @@ ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
 
 # Workaround IMAGE_ROOTFS_EXTRA_SPACE being ignored when images are repacked
 IMAGE_ROOTFS_EXTRA_ARGS += "--extra-space ${@${IMAGE_ROOTFS_EXTRA_SPACE}}K"
+
+# Enable Authenticated variable support in SmmGW
+SMMGW_AUTH_VAR="1"
+# Use MbedTLS build into SmmGW for authentication related crypto operations.
+SMMGW_INTERNAL_CRYPTO="1"

meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend

@@ -2,8 +2,6 @@ require ts-arm-platforms.inc
 
 EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \
     -DMM_COMM_BUFFER_PAGE_COUNT="1" \
-    -DUEFI_AUTH_VAR=ON \
-    -DUEFI_INTERNAL_CRYPTO=ON \
     -DSMM_GATEWAY_MAX_UEFI_VARIABLES=60 \
     "
 

meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb

@@ -6,3 +6,6 @@ SP_UUID = "${SMM_GATEWAY_UUID}"
 TS_SP_SMM_GATEWAY_CONFIG ?= "default"
 
 OECMAKE_SOURCEPATH = "${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}"
+
+EXTRA_OECMAKE:append = "${@oe.utils.vartrue("SMMGW_AUTH_VAR", " -DUEFI_AUTH_VAR=ON ", "", d)}"
+EXTRA_OECMAKE:append = "${@oe.utils.ifelse(oe.types.boolean(d.getVar("SMMGW_AUTH_VAR")) and oe.types.boolean(d.getVar("SMMGW_INTERNAL_CRYPTO")), " -DUEFI_INTERNAL_CRYPTO=On ", "")}"