Add support for the TS Firmware Update service

Add a recipe to enable building and deploying the FWU service implemented in the Trusted Services Project. The FWU service can help vendors to meet PSA certification requirements. Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-01-11 15:00:39 +00:00 · 2024-04-29 17:26:50 +02:00
parent b972dabc1b
commit fa05df1611
8 changed files with 156 additions and 3 deletions
--- a/ci/fvp-base-ts.yml
+++ b/ci/fvp-base-ts.yml
@@ -12,7 +12,7 @@ local_conf_header:
    # Include all Secure Partitions into the image
    MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
    MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
-    MACHINE_FEATURES:append = " ts-block-storage"
+    MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
    # Include TS demo/test tools into image
    IMAGE_INSTALL:append = " packagegroup-ts-tests"
    # Include TS PSA Arch tests into image
@@ -20,3 +20,13 @@ local_conf_header:
    CORE_IMAGE_EXTRA_INSTALL += "optee-test"
    # Set the TS environment
    TS_ENV="sp"
+    # Enable and configure semihosting
+    FVP_CONFIG[cluster0.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster0.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster0.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster0.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster1.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster1.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster1.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[cluster1.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+    FVP_CONFIG[semihosting-enable] = "True"
--- a/documentation/trusted-services.md
+++ b/documentation/trusted-services.md
@@ -18,6 +18,7 @@ features for each [Secure Partition][^2] you would like to include:
 | ----------------- | --------------- |
 | Attestation       | ts-attesation   |
 | Crypto            | ts-crypto       |
+| Firmware Update   | ts-fwu
 | Internal Storage  | ts-its          |
 | Protected Storage | ts-storage      |
 | se-proxy          | ts-se-proxy     |
@@ -47,9 +48,10 @@ Other steps depend on your machine/platform definition:
 4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be
   set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation.

+
 ## Normal World applications

-Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes 
+Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
 [Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.

 ## OEQA Trusted Services tests
@@ -65,4 +67,4 @@ See `ci/trusted-services.yml` for an example how to include them into an image.

 [^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html

-[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
+[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
--- a/meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend
+++ b/meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
--- a/meta-arm/recipes-security/optee/optee-os-ts.inc
+++ b/meta-arm/recipes-security/optee/optee-os-ts.inc
@@ -67,6 +67,12 @@ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
 EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
                                        ' CFG_SPMC_TESTS=y', '' , d)}"

+# Firmware Update SP
+DEPENDS:append  = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+                                        ' ts-sp-fwu', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+                                        ' ${TS_BIN}/${FWU_UUID}${SP_EXT}', '', d)}"
+
 # Block Storage SP
 DEPENDS:append  = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \
                                        ' ts-sp-block-storage', '' , d)}"
--- a/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
+++ b/meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch
@@ -0,0 +1,100 @@
+From 9fbeb9dd8c4f2c842248541b73e4cff9c6f8d26e Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <gyorgy.szing@arm.com>
+Date: Wed, 27 Mar 2024 21:53:51 +0000
+Subject: [PATCH 1/1] Allow configuring flash image files compile time
+
+Allow configuring image file PATH name for file and semihosted
+block_store using CMake build options.
+
+Upstream-Status: Pending
+
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+---
+ .../block_storage/factory/file/block_store_factory.c        | 6 +++++-
+ .../service/block_storage/factory/file/component.cmake      | 6 +++++-
+ .../block_storage/factory/semihosting/block_store_factory.c | 6 +++++-
+ .../block_storage/factory/semihosting/component.cmake       | 6 +++++-
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/block_storage/factory/file/block_store_factory.c b/components/service/block_storage/factory/file/block_store_factory.c
+index c6915107b..ef05ee791 100644
+--- a/components/service/block_storage/factory/file/block_store_factory.c
+++ b/components/service/block_storage/factory/file/block_store_factory.c
+@@ -25,6 +25,10 @@
+ #define FILE_BLOCK_SIZE (512)
+ #endif
+ 
+#ifndef FILE_BLK_FILE_NAME
+#define FILE_BLK_FILE_NAME "secure-flash.img"
+#endif
+
+ static char disk_img_filename[256];
+ 
+ struct block_store_assembly {
+@@ -60,7 +64,7 @@ struct block_store *file_block_store_factory_create(void)
+ 
+ 		/* Ensure disk image filename is set */
+ 		if (disk_img_filename[0] == '\0')
+-			file_block_store_factory_set_filename("secure-flash.img");
+			file_block_store_factory_set_filename(FILE_BLK_FILE_NAME);
+ 
+ 		/* Initialise a file_block_store to provide underlying storage */
+ 		struct block_store *secure_flash = file_block_store_init(
+diff --git a/components/service/block_storage/factory/file/component.cmake b/components/service/block_storage/factory/file/component.cmake
+index 644f03972..fa15d1399 100644
+--- a/components/service/block_storage/factory/file/component.cmake
+++ b/components/service/block_storage/factory/file/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ 	set(TS_BLOCK_STORE_FACTORY "file_block_store_factory")
+ 	target_compile_definitions(${TGT} PRIVATE
+ 		CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
+endif()
+
+set(FILE_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
+set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS FILE_BLK_FILE_NAME="${FILE_BLK_FILE_NAME}")
+message(status "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")
+diff --git a/components/service/block_storage/factory/semihosting/block_store_factory.c b/components/service/block_storage/factory/semihosting/block_store_factory.c
+index 8e58e3638..09bdb74eb 100644
+--- a/components/service/block_storage/factory/semihosting/block_store_factory.c
+++ b/components/service/block_storage/factory/semihosting/block_store_factory.c
+@@ -21,6 +21,10 @@
+ /* Most common block size for UEFI volumes */
+ #define SEMIHOSTING_BLOCK_SIZE		(512)
+ 
+#ifndef SEMIHOSTING_BLK_FILE_NAME
+#define SEMIHOSTING_BLK_FILE_NAME "secure-flash.img"
+#endif
+
+ struct block_store_assembly
+ {
+ 	struct semihosting_block_store semihosting_block_store;
+@@ -55,7 +59,7 @@ struct block_store *semihosting_block_store_factory_create(void)
+ 		/* Initialise a semihosting_block_store to provide underlying storage */
+ 		struct block_store *secure_flash = semihosting_block_store_init(
+ 			&assembly->semihosting_block_store,
+-			"secure-flash.img",
+			SEMIHOSTING_BLK_FILE_NAME,
+ 			SEMIHOSTING_BLOCK_SIZE);
+ 
+ 		if (secure_flash) {
+diff --git a/components/service/block_storage/factory/semihosting/component.cmake b/components/service/block_storage/factory/semihosting/component.cmake
+index 97affaf49..98d6dcdcb 100644
+--- a/components/service/block_storage/factory/semihosting/component.cmake
+++ b/components/service/block_storage/factory/semihosting/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ 	set(TS_BLOCK_STORE_FACTORY "semihosting_block_store_factory")
+ 	target_compile_definitions(${TGT} PRIVATE
+ 		CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
+endif()
+
+set(SEMIHOSTING_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
+set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS SEMIHOSTING_BLK_FILE_NAME="${SEMIHOSTING_BLK_FILE_NAME}")
+message(status "Block storage semihosting image file PATH is ${SEMIHOSTING_BLK_FILE_NAME}")
+\ No newline at end of file
+-- 
+2.34.1
+
--- a/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
+++ b/meta-arm/recipes-security/trusted-services/trusted-services-src.inc
@@ -10,6 +10,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 SRC_URI:append = "\
 	file://0001-Upgrade-nanopb-to-v0.4.7.patch \
    file://0001-Add-boot-order-property-to-SP-manifests.patch \
+    file://0001-Allow-configuring-flash-image-files-compile-time.patch \
 "

 # Trusted Services; Tag: v1.0.0
--- a/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
+++ b/meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: <text>Copyright 2024 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services Firmware Update Service provider"
+
+require ts-sp-common.inc
+inherit deploy
+
+SP_UUID = "${FWU_UUID}"
+TS_SP_FWU_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"
+
+# The GPT parser component is needed from TF-A
+SRC_URI += "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;name=tfa;protocol=https;branch=master;destsuffix=git/tf-a"
+SRCREV_tfa = "v2.7.0"
+LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+do_apply_local_src_patches:append() {
+    apply_local_src_patches ${S}/external/tf_a ${WORKDIR}/git/tf-a
+}
+
+EXTRA_OECMAKE:append = "-DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"
+
+# Deploy the secure flash image.
+do_deploy() {
+    cp -v ${S}/components/media/disk/disk_images/multi_location_fw.img ${DEPLOYDIR}/secure-flash.img
+}
+addtask deploy after do_compile
+
+EXTRA_OECMAKE:append:qemuall = " -DSEMIHOSTING_BLK_FILE_NAME:STRING=${@oe.path.relative('${TMPDIR}', '${DEPLOY_DIR_IMAGE}')}/secure-flash.img"
--- a/meta-arm/recipes-security/trusted-services/ts-uuid.inc
+++ b/meta-arm/recipes-security/trusted-services/ts-uuid.inc
@@ -11,4 +11,5 @@ SPM_TEST1_UUID   = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37"
 SPM_TEST2_UUID   = "7817164c-c40c-4d1a-867a-9bb2278cf41a"
 SPM_TEST3_UUID   = "23eb0100-e32a-4497-9052-2f11e584afa6"
 SPM_TEST4_UUID   = "423762ed-7772-406f-99d8-0c27da0abbf8"
+FWU_UUID         = "6823a838-1b06-470e-9774-0cce8bfb53fd"
 BLOCK_STORAGE_UUID = "63646e80-eb52-462f-ac4f-8cdf3987519c"