diff --git a/ci/fvp-base-ts.yml b/ci/fvp-base-ts.yml
index 9f13bac7..89a3e1f2 100644
--- a/ci/fvp-base-ts.yml
+++ b/ci/fvp-base-ts.yml
@@ -15,6 +15,8 @@ local_conf_header:
 MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
 MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
 MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
+ MACHINE_FEATURES:append = " arm-branch-protection"
+ SMMGW_AUTH_VAR = "1"
 # Include TS demo/test tools into image
 IMAGE_INSTALL:append = " packagegroup-ts-tests"
 # Include TS PSA Arch tests into image
diff --git a/documentation/trusted-services.md b/documentation/trusted-services.md
index 636ccbf3..3dd045c7 100644
--- a/documentation/trusted-services.md
+++ b/documentation/trusted-services.md
@@ -57,6 +57,18 @@ Optionally for testing purposes you can add `packagegroup-ts-tests` into your im
 meta-arm also includes Trusted Service OEQA tests which can be used for automated testing. See `ci/trusted-services.yml` for an example how to include them into an image.
+## Configuration options
+
+Some TS recipes support yocto variables to set build configuration. These variables can be set in .conf files (machine
+specific or local.conf), or .bbappend files.
+
+SmmGW SP recipe supports the following configuration variables
+
+| Variable name | Type | Description |
+|-----------------------|------|--------------------------------------------------------------------------------------------------------|
+| SMMGW_AUTH_VAR | Bool | Enable Authenticated variable support |
+| SMMGW_INTERNAL_CRYPTO | Bool | Use MbedTLS build into SmmGW for authentication related crypto operations. Depends on SMMGW_AUTH_VAR=1 |
+
 ------
 [^1]: https://trusted-services.readthedocs.io/en/integration/overview/index.html
diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc
index 57207499..80ff9bbe 100644
--- a/meta-arm-bsp/conf/machine/include/corstone1000.inc
+++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc
@@ -67,3 +67,8 @@ ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
 # Workaround IMAGE_ROOTFS_EXTRA_SPACE being ignored when images are repacked
 IMAGE_ROOTFS_EXTRA_ARGS += "--extra-space ${@${IMAGE_ROOTFS_EXTRA_SPACE}}K"
+
+# Enable Authenticated variable support in SmmGW
+SMMGW_AUTH_VAR="1"
+# Use MbedTLS build into SmmGW for authentication related crypto operations.
+SMMGW_INTERNAL_CRYPTO="1"
diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
index 628dfb48..3d8f0d25 100644
--- a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
+++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend
@@ -2,8 +2,6 @@ require ts-arm-platforms.inc
 EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \
 -DMM_COMM_BUFFER_PAGE_COUNT="1" \
- -DUEFI_AUTH_VAR=ON \
- -DUEFI_INTERNAL_CRYPTO=ON \
 -DSMM_GATEWAY_MAX_UEFI_VARIABLES=60 \
 "
diff --git a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
index d72e8946..2ca43c78 100644
--- a/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb
@@ -6,3 +6,6 @@ SP_UUID = "${SMM_GATEWAY_UUID}"
 TS_SP_SMM_GATEWAY_CONFIG ?= "default"
 OECMAKE_SOURCEPATH = "${S}/deployments/smm-gateway/config/${TS_SP_SMM_GATEWAY_CONFIG}-${TS_ENV}"
+
+EXTRA_OECMAKE:append = "${@oe.utils.vartrue("SMMGW_AUTH_VAR", " -DUEFI_AUTH_VAR=ON ", "", d)}"
+EXTRA_OECMAKE:append = "${@oe.utils.ifelse(oe.types.boolean(d.getVar("SMMGW_AUTH_VAR")) and oe.types.boolean(d.getVar("SMMGW_INTERNAL_CRYPTO")), " -DUEFI_INTERNAL_CRYPTO=On ", "")}"
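Review bot: The two assignments added to corstone1000.inc use a hard `=` with no surrounding spaces, while the hunk header line from the same file uses `?=` and the same variable is written `SMMGW_AUTH_VAR = "1"` in ci/fvp-base-ts.yml. If the machine configuration is parsed after local.conf, as is usual, a plain assignment here cannot be switched off from local.conf, and the comments do not say whether that is intended. If it is deliberate, the comment should state it, for example `# Set with '=' on purpose: authenticated variable support is not meant to be disabled from local.conf`. If it is not, `SMMGW_AUTH_VAR ?= "1"` and `SMMGW_INTERNAL_CRYPTO ?= "1"` keep the same default and leave it overridable.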
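Review bot: The recipe ts-sp-smm-gateway_git.bb never declares a default for SMMGW_AUTH_VAR or SMMGW_INTERNAL_CRYPTO, so a machine that leaves them unset, or misspells one, builds the SmmGW SP without authenticated variable support and nothing in the recipe shows that this is the default. Adding `SMMGW_AUTH_VAR ?= "0"` and `SMMGW_INTERNAL_CRYPTO ?= "0"` above the two appends would make that visible. The two appended lines also test the same variable through different helpers (`oe.utils.vartrue` and `oe.types.boolean`), which as far as I know do not accept exactly the same strings, so an unusual value could be treated differently by each line; using one helper for both conditions avoids that. The second flag is spelled `=On` where the first append and the removed bbappend lines use `=ON`.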