arm-bsp: enable Trusted Services on the fvp-base platform

Add configuration settings to TF-A, OP-TEE and TS SPs needed to get TS
built and run on the fvp-base machine.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>

.gitlab-ci.yml

@@ -140,7 +140,8 @@ fvp-base:
   extends: .build
   parallel:
     matrix:
-      - TESTING: testimage
+      - TS: [none, fvp-base-ts]
+        TESTING: testimage
       - FIRMWARE: edk2
       - SYSTEMREADY_FIRMWARE: arm-systemready-firmware
 

ci/fvp-base-ts.yml

@@ -0,0 +1,22 @@
+header:
+  version: 14
+  includes:
+    - ci/fvp-base.yml
+    - ci/meta-openembedded.yml
+    - ci/testimage.yml
+
+local_conf_header:
+  trusted_services: |
+    # Enable the needed test suites
+    TEST_SUITES = " ping ssh trusted_services"
+    # Include all Secure Partitions into the image
+    MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
+    MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
+    MACHINE_FEATURES:append = " ts-block-storage"
+    # Include TS demo/test tools into image
+    IMAGE_INSTALL:append = " packagegroup-ts-tests"
+    # Include TS PSA Arch tests into image
+    IMAGE_INSTALL:append = " packagegroup-ts-tests-psa"
+    CORE_IMAGE_EXTRA_INSTALL += "optee-test"
+    # Set the TS environment
+    TS_ENV="sp"

meta-arm-bsp/conf/machine/fvp-base.conf

@@ -62,3 +62,4 @@ FVP_TERMINALS[bp.terminal_0] ?= "Console"
 FVP_TERMINALS[bp.terminal_1] ?= ""
 FVP_TERMINALS[bp.terminal_2] ?= ""
 FVP_TERMINALS[bp.terminal_3] ?= ""
+FVP_CONFIG[bp.secure_memory] ?= "1"

meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/optee_spmc_maifest.dts

@@ -0,0 +1,116 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/*
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ */
+
+
+/*
+ * The content of the SPMC manifest may depend on integration settings like the
+ * set of deployed SP. This information lives in the integration system and 
+ * hence this file should be store in meta-arm. This avoids indirect
+ * dependencies between integration systems using the same file which would
+ * enforce some from of cooperation. 
+ */
+
+/dts-v1/;
+
+/ {
+	compatible = "arm,ffa-core-manifest-1.0";
+	#address-cells = <2>;
+	#size-cells = <1>;
+
+	attribute {
+		spmc_id = <0x8000>;
+		maj_ver = <0x1>;
+		min_ver = <0x0>;
+		exec_state = <0x0>;
+		load_address = <0x0 0x6000000>;
+		entrypoint = <0x0 0x6000000>;
+		binary_size = <0x80000>;
+	};
+
+/*
+ * This file will be preprocessed by TF-A's build system. If Measured Boot is
+ * enabled in TF-A's config, the build system will add the MEASURED_BOOT=1 macro
+ * to the preprocessor arguments.
+ */
+#if MEASURED_BOOT
+	tpm_event_log {
+		compatible = "arm,tpm_event_log";
+		tpm_event_log_addr = <0x0 0x0>;
+		tpm_event_log_size = <0x0>;
+		tpm_event_log_max_size = <0x0>;
+	};
+#endif
+
+/* If the ARM_BL2_SP_LIST_DTS is defined, SPs should be loaded from FIP */
+#ifdef ARM_BL2_SP_LIST_DTS
+	sp_packages {
+		compatible = "arm,sp_pkg";
+#if !SPMC_TESTS
+		block_storage {
+			uuid = <0x806e6463 0x2f4652eb 0xdf8c4fac 0x9c518739>;
+			load-address = <0x0 0x7a00000>;
+		};
+		internal_trusted_storage {
+			uuid = <0x48ef1edc 0xcf4c7ab1 0xcfdf8bac 0x141b71f7>;
+			load-address = <0x0 0x7a80000>;
+		};
+
+		protected_storage_sp {
+			uuid = <0x01f81b75 0x6847de3d 0x100f14a5 0x9017edae>;
+			load-address = <0x0 0x7b00000>;
+		};
+
+		crypto_sp {
+			uuid = <0xd552dfd9 0xb24ba216 0x6dd2a49a 0xc0e8843b>;
+			load-address = <0x0 0x7b80000>;
+		};
+
+#if MEASURED_BOOT
+		initial_attestation_sp {
+			uuid = <0x55f1baa1 0x95467688 0x95547c8f 0x74b98d5e>;
+			load-address = <0x0 0x7c80000>;
+		};
+#endif
+
+#if TS_SMM_GATEWAY
+		smm_gateway {
+			uuid = <0x33d532ed 0x0942e699 0x722dc09c 0xa798d9cd>;
+			load-address = <0x0 0x7d00000>;
+		};
+#endif /* TS_SMM_GATEWAY */
+
+#if TS_FW_UPDATE
+		fwu {
+			uuid = <0x38a82368 0x0e47061b 0xce0c7497 0xfd53fb8b>;
+			load-address = <0x0 0x7d80000>;
+		};
+#endif /* TS_FW_UPDATE */
+
+#else /* SPMC_TESTS */
+		test_sp1 {
+			uuid = <0xc3db9e5c 0x67433a7b 0x197c839f 0x376ae81a>;
+			load-address = <0x0 0x7a00000>;
+		};
+
+		test_sp2 {
+			uuid = <0x4c161778 0x1a4d0cc4 0xb29b7a86 0x1af48c27>;
+			load-address = <0x0 0x7a20000>;
+		};
+
+		test_sp3 {
+			uuid = <0x0001eb23 0x97442ae3 0x112f5290 0xa6af84e5>;
+			load-address = <0x0 0x7a40000>;
+		};
+
+		test_sp4 {
+			/* SP binary UUID */
+			uuid = <0xed623742 0x6f407277 0x270cd899 0xf8bb0ada>;
+			load-address = <0x0 0x7a80000>;
+		};
+#endif /* SPMC_TESTS */
+
+	};
+#endif /* ARM_BL2_SP_LIST_DTS */
+};

meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc

@@ -4,17 +4,62 @@
 # Armv8-A Base Platform FVP
 #
 
-FILESEXTRAPATHS:prepend := "${THISDIR}/files/:"
-SRC_URI:append = " file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files/:${THISDIR}/files/fvp-base"
 
+SRC_URI:append = " \
+    file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch \
+    file://optee_spmc_maifest.dts;subdir=git/plat/arm/board/fvp/fdts \
+"
+
+# OP-TEE SPMC related configuration
+SPMC_IS_OPTEE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', '0' \
+                 if d.getVar('SEL2_SPMC') == '1' else '1', '0', d)}"
+# Configure the SPMC manifest file.
+TFA_ARM_SPMC_MANIFEST_DTS = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \
+                '${S}/plat/arm/board/fvp/fdts/optee_spmc_maifest.dts', '', d)}"
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES','arm-ffa', \
+                'ARM_SPMC_MANIFEST_DTS=${TFA_ARM_SPMC_MANIFEST_DTS}' \
+                    if d.getVar('TFA_ARM_SPMC_MANIFEST_DTS') else '', '', d)}"
+
+# Set OP-TEE SPMC specific TF-A config settings
+TFA_SPMD_SPM_AT_SEL2 := '0'
+TFA_SPD := "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', 'spmd', \
+            d.getVar('TFA_SPD'), d)}"
+DEPENDS += " ${@oe.utils.conditional('SPMC_IS_OPTEE', '1', 'optee-os', '', d)}"
+
+# Configure measured boot if the attestation SP is deployed.
+TFA_MB_FLAGS += " \
+    ARM_ROTPK_LOCATION=devel_rsa \
+    EVENT_LOG_LEVEL=20 \
+    GENERATE_COT=1 \
+    MBOOT_EL_HASH_ALG=sha256 \
+    MEASURED_BOOT=1 \
+    ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
+    TRUSTED_BOARD_BOOT=1 \
+"
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation',\
+                 '${TFA_MB_FLAGS}','', d)}"
+
+# Add OP-TEE as BL32.
+BL32 = "${@oe.utils.conditional('SPMC_IS_OPTEE', '1',\
+        '${RECIPE_SYSROOT}/${nonarch_base_libdir}/firmware/tee-pager_v2.bin',\
+        '', d)}"
+EXTRA_OEMAKE += "${@oe.utils.conditional('SPMC_IS_OPTEE', '1', \
+                ' BL32=${BL32}', '', d)}"
+
+# Generic configuration
 COMPATIBLE_MACHINE = "fvp-base"
 TFA_PLATFORM = "fvp"
-TFA_DEBUG = "1"
-TFA_MBEDTLS = "1"
+# Disable debug build if measured boot is enabled.
+TFA_DEBUG := "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', '0',\
+              d.getVar('TFA_DEBUG'), d)}"
+# Add mbedtls if measured boot is enabled
+TFA_MBEDTLS := "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation',\
+               '1', d.getVar('TFA_MBEDTLS'), d)}"
 TFA_UBOOT ?= "1"
 TFA_BUILD_TARGET = "bl1 bl2 bl31 dtbs fip"
 
-EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t"
+EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t FVP_USE_GIC_DRIVER=FVP_GICV3"
 
 # Our fvp-base machine explicitly has v8.4 cores
 EXTRA_OEMAKE += "ARM_ARCH_MAJOR=8 ARM_ARCH_MINOR=4"

meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc

@@ -48,8 +48,14 @@ KERNEL_FEATURES:corstone1000 = ""
 #
 COMPATIBLE_MACHINE:fvp-base = "fvp-base"
 KMACHINE:fvp-base = "fvp"
-FILESEXTRAPATHS:prepend:fvp-base := "${ARMBSPFILESPATHS}"
-SRC_URI:append:fvp-base = " file://0001-arm64-dts-fvp-Enable-virtio-rng-support.patch"
+FILESEXTRAPATHS:prepend:fvp-base := "${ARMBSPFILESPATHS}:${ARMFILESPATHS}"
+SRC_URI:append:fvp-base = " \
+    file://0001-arm64-dts-fvp-Enable-virtio-rng-support.patch \
+    file://tee.cfg \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
+                         'file://no-strict-devmem.cfg', '' , d)} \
+"
+
 
 #
 # Juno KMACHINE

meta-arm-bsp/recipes-security/optee/optee-os-fvp-base.inc

@@ -0,0 +1,13 @@
+COMPATIBLE_MACHINE = "fvp-base"
+
+OPTEEMACHINE = "vexpress-fvp"
+# Enable boot logs
+EXTRA_OEMAKE += " CFG_TEE_CORE_LOG_LEVEL=4"
+
+# default disable latency benchmarks (over all OP-TEE layers)
+EXTRA_OEMAKE += " CFG_TEE_BENCHMARK=n"
+
+# If FF-A is enabled configure to be the SPMC.
+EXTRA_OEMAKE += "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CFG_CORE_HEAP_SIZE=131072 CFG_CORE_SEL1_SPMC=y CFG_DT=y', '' ,d)}"
+
+EXTRA_OEMAKE += " CFG_ARM_GICV3=y"

meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_4.%.bbappend

@@ -2,5 +2,6 @@
 
 MACHINE_OPTEE_OS_TADEVKIT_REQUIRE ?= ""
 MACHINE_OPTEE_OS_TADEVKIT_REQUIRE:n1sdp = "optee-os-n1sdp.inc"
+MACHINE_OPTEE_OS_TADEVKIT_REQUIRE:fvp-base = "optee-os-fvp-base.inc"
 
 require ${MACHINE_OPTEE_OS_TADEVKIT_REQUIRE}

meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend

@@ -3,5 +3,6 @@
 MACHINE_OPTEE_OS_REQUIRE ?= ""
 MACHINE_OPTEE_OS_REQUIRE:corstone1000 = "optee-os-corstone1000-common.inc"
 MACHINE_OPTEE_OS_REQUIRE:n1sdp = "optee-os-n1sdp.inc"
+MACHINE_OPTEE_OS_REQUIRE:fvp-base = "optee-os-fvp-base.inc"
 
 require ${MACHINE_OPTEE_OS_REQUIRE}

meta-arm-bsp/recipes-security/optee/optee-test-fvp-base.inc

@@ -0,0 +1,3 @@
+# fvp-base specific configuration
+
+COMPATIBLE_MACHINE = "fvp-base"

meta-arm-bsp/recipes-security/optee/optee-test_4.%.bbappend

@@ -2,5 +2,6 @@
 
 MACHINE_OPTEE_TEST_REQUIRE ?= ""
 MACHINE_OPTEE_TEST_REQUIRE:n1sdp = "optee-os-generic-n1sdp.inc"
+MACHINE_OPTEE_TEST_REQUIRE:fvp-base = "optee-test-fvp-base.inc"
 
 require ${MACHINE_OPTEE_TEST_REQUIRE}

meta-arm-bsp/recipes-security/packagegroups/packagegroup-ts-tests.bbappend

@@ -1,2 +1,3 @@
 COMPATIBLE_MACHINE:corstone1000 = "corstone1000"
 COMPATIBLE_MACHINE:n1sdp = "n1sdp"
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"

meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend

@@ -3,3 +3,7 @@ require ts-arm-platforms.inc
 EXTRA_OECMAKE:append:corstone1000 = "-DMM_COMM_BUFFER_ADDRESS=0x81FFF000 \
                                      -DMM_COMM_BUFFER_PAGE_COUNT=1 \
                                     "
+
+EXTRA_OECMAKE:append:fvp-base = " -DMM_COMM_BUFFER_ADDRESS=0x81000000 \
+                                  -DMM_COMM_BUFFER_PAGE_COUNT=8 \
+    "

meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc

@@ -15,3 +15,6 @@ SRC_URI:append:corstone1000  = " \
 
 
 COMPATIBLE_MACHINE:n1sdp = "n1sdp"
+
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"
+TS_PLATFORM:fvp-base = "arm/fvp/fvp_base_revc-2xaemv8a"

meta-arm-bsp/recipes-security/trusted-services/ts-newlib_%.bbappend

@@ -6,3 +6,4 @@ SRC_URI:append:corstone1000 = " \
 "
 
 COMPATIBLE_MACHINE:n1sdp = "n1sdp"
+COMPATIBLE_MACHINE:fvp-base = "fvp-base"

meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend

@@ -3,3 +3,7 @@ require ts-arm-platforms.inc
 EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \
     -DMM_COMM_BUFFER_PAGE_COUNT="1" \
     "
+
+# Proxy is pointless on fvp-base as there is no dedicated security subsystem. It could be
+# deployed configured to have dummy service providers for build testing purposes.
+COMPATIBLE_MACHINE:remove:fvp-base = "fvp-base"

meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend

@@ -3,3 +3,7 @@ require ts-arm-platforms.inc
 EXTRA_OECMAKE:append:corstone1000 = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81FFF000" \
     -DMM_COMM_BUFFER_PAGE_COUNT="1" \
     "
+
+EXTRA_OECMAKE:append:fvp-base = " -DMM_COMM_BUFFER_ADDRESS="0x00000000 0x81000000" \
+    -DMM_COMM_BUFFER_PAGE_COUNT="8" \
+    "

meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test1_%.bbappend

@@ -0,0 +1 @@
+require ts-arm-platforms.inc

meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test2_%.bbappend

@@ -0,0 +1 @@
+require ts-arm-platforms.inc

meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test3_%.bbappend

@@ -0,0 +1 @@
+require ts-arm-platforms.inc

meta-arm-bsp/recipes-security/trusted-services/ts-sp-spm-test4_%.bbappend

@@ -0,0 +1 @@
+require ts-arm-platforms.inc