Add optee os for stm32mp machine

Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>

recipes-security/optee/optee-os-stm32mp.inc

@@ -0,0 +1,135 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/optee-os:"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+B = "${WORKDIR}/build"
+# Configure build dir for externalsrc class usage through devtool
+EXTERNALSRC_BUILD_pn-${PN} = "${WORKDIR}/build"
+
+DEPENDS += "dtc-native python-pycrypto-native"
+
+inherit deploy pythonnative
+
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEOUTPUTMACHINE ?= "${MACHINE}"
+
+EXTRA_OEMAKE = "PLATFORM=${OPTEEMACHINE} \
+                CROSS_COMPILE_core=${HOST_PREFIX} \
+                CROSS_COMPILE_ta_arm64=${HOST_PREFIX} \
+                ${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 'CFG_ARM64_core=y ta-targets=ta_arm64', 'CFG_ARM32_core=y CROSS_COMPILE_ta_arm32=${HOST_PREFIX}', d)} \
+                NOWERROR=1 \
+                LDFLAGS= \
+                LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
+        "
+
+EXTRA_OEMAKE += "CFG_TEE_CORE_LOG_LEVEL=2"
+EXTRA_OEMAKE += "CFG_TEE_CORE_DEBUG=n"
+EXTRA_OEMAKE += "comp-cflagscore='--sysroot=${STAGING_DIR_TARGET}'"
+
+OPTEE_ARCH_armv7a = "arm32"
+OPTEE_ARCH_armv7ve = "arm32"
+OPTEE_ARCH_aarch64 = "arm64"
+
+do_compile() {
+    unset -v CFLAGS CPPFLAGS LDFLAGS LDADD
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            oe_runmake -C ${S} O=${B}/${conf} CFG_SECURE_DT=${conf}
+        done
+    else
+        oe_runmake -C ${S} O=${B}/out
+    fi
+}
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            for f in  ${B}/${conf}/export-ta_${OPTEE_ARCH}/* ; do
+                cp -aRf  $f ${D}${includedir}/optee/export-user_ta/
+            done
+        done
+    fi
+}
+
+# Configure optee binaries
+OPTEE_BOOTCHAIN = "optee"
+OPTEE_HEADER    = "tee-header_v2"
+OPTEE_PAGEABLE  = "tee-pageable_v2"
+OPTEE_PAGER     = "tee-pager_v2"
+OPTEE_SUFFIX    = "stm32"
+
+do_deploy() {
+    install -d ${DEPLOYDIR}
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            install -m 644 ${B}/${conf}/core/${OPTEE_HEADER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_HEADER}-${conf}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX}
+            install -m 644 ${B}/${conf}/core/${OPTEE_PAGER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGER}-${conf}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX}
+            install -m 644 ${B}/${conf}/core/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGEABLE}-${conf}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX}
+        done
+    else
+        install -m 644 ${B}/core/${OPTEE_HEADER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_HEADER}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX}
+        install -m 644 ${B}/core/${OPTEE_PAGER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGER}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX}
+        install -m 644 ${B}/core/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGEABLE}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX}
+    fi
+}
+addtask deploy before do_build after do_compile
+
+FILES_${PN} = "${nonarch_base_libdir}/firmware/"
+FILES_${PN}-dev = "/usr/include/optee"
+
+INSANE_SKIP_${PN}-dev = "staticdev"
+
+INHIBIT_PACKAGE_STRIP = "1"
+
+# ----------------------------------------
+# ARCHIVER
+#
+inherit archiver
+ARCHIVER_MODE[src] = "${@'original' if d.getVar('ST_ARCHIVER_ENABLE') == '1' else ''}"
+SRC_URI += "file://README.HOW_TO.txt"
+
+inherit archiver_stm32mp_clean
+
+archiver_create_makefile_for_sdk() {
+    mkdir -p ${ARCHIVER_OUTDIR}
+
+    #remove default variable
+    echo "LDFLAGS=" > ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "CFLAGS=" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "CPPFLAGS=" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+
+    echo "LOCAL_PATH=\$(PWD)" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+
+    #set default CONFIGURATION with configured OPTEE_CONF
+    if [ -n "${OPTEE_CONF}" ]; then
+        echo "PLATFORM ?= ${MACHINE}" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+        echo "CFG_SECURE_DT ?= ${OPTEE_CONF}" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    fi
+
+    echo -n "EXTRA_OEMAKE=" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "${EXTRA_OEMAKE}" | sed "s|LIBGCC_LOCATE_CFLAGS=[^ ]* |LIBGCC_LOCATE_CFLAGS=\$(OECORE_NATIVE_SYSROOTK) |;s|comp-cflagscore='[^']*'|comp-cflagscore='\$(KCFLAGS)'|" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+
+    echo "" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "all:" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "	if test -n \"\$(CFG_SECURE_DT)\" ; then \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "		for dt in \$(CFG_SECURE_DT) ; do \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "			\$(MAKE) \$(EXTRA_OEMAKE) -C \$(LOCAL_PATH) PREFIX=\$(SDKTARGETSYSROOT) O=\$(LOCAL_PATH)/../build/\$\$dt CFG_SECURE_DT=\$\$dt ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    # Copy binary files with explicit name
+    echo "			cp ../build/\$\$dt/core/${OPTEE_HEADER}.${OPTEE_SUFFIX} ../build/${OPTEE_HEADER}-\$\$dt-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX} ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "			cp ../build/\$\$dt/core/${OPTEE_PAGER}.${OPTEE_SUFFIX} ../build/${OPTEE_PAGER}-\$\$dt-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX} ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "			cp ../build/\$\$dt/core/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX} ../build/${OPTEE_PAGEABLE}-\$\$dt-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX} ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "		done ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "	else \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "		\$(MAKE) \$(EXTRA_OEMAKE) -C \$(LOCAL_PATH) PREFIX=\$(SDKTARGETSYSROOT) O=\$(LOCAL_PATH)/../build/ ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    # Copy binary files with explicit name
+    echo "		cp ../build/core/${OPTEE_HEADER}.${OPTEE_SUFFIX} ../build/${OPTEE_HEADER}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX} ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "		cp ../build/core/${OPTEE_PAGER}.${OPTEE_SUFFIX} ../build/${OPTEE_PAGER}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX} ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "		cp ../build/core/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX} ../build/${OPTEE_PAGEABLE}-${OPTEE_BOOTCHAIN}.${OPTEE_SUFFIX} ; \\" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+    echo "	fi" >> ${ARCHIVER_OUTDIR}/Makefile.sdk
+}
+do_ar_original[prefuncs] += "archiver_create_makefile_for_sdk"

recipes-security/optee/optee-os-stm32mp_3.3.0.bb

@@ -0,0 +1,40 @@
+SUMMARY = "OPTEE TA development kit for stm32mp"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+COMPATIBLE_MACHINE = "(stm32mpcommon)"
+
+SRC_URI = "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
+SRC_URI[md5sum] = "7cb56c333066fd576460358fc97da85f"
+SRC_URI[sha256sum] = "7b62e9fe650e197473eb2f4dc35c09d1e6395eb48dc1c16cc139d401b359ac6f"
+
+SRC_URI += " \
+    file://0001-st-updates-r1.patch \
+    "
+
+require optee-os-stm32mp.inc
+
+PV = "3.3.0"
+
+S = "${WORKDIR}/optee_os-${PV}"
+
+PROVIDES += "optee-os"
+
+do_configure_prepend(){
+    chmod 755 ${S}/scripts/bin_to_c.py
+}
+
+# ---------------------------------
+# Configure devupstream class usage
+# ---------------------------------
+BBCLASSEXTEND = "devupstream:target"
+
+SRC_URI_class-devupstream = "git://github.com/STMicroelectronics/optee_os.git;protocol=https;branch=3.3.0-stm32mp"
+SRCREV_class-devupstream = "5f5cc70dfd04419be2ba66b87f41584b6136118c"
+
+# ---------------------------------
+# Configure default preference to manage dynamic selection between tarball and github
+# ---------------------------------
+STM32MP_SOURCE_SELECTION ?= "tarball"
+
+DEFAULT_PREFERENCE = "${@bb.utils.contains('STM32MP_SOURCE_SELECTION', 'github', '-1', '1', d)}"

recipes-security/optee/optee-os/README.HOW_TO.txt

@@ -0,0 +1,147 @@
+Compilation of Optee-os (Trusted Execution Environment):
+1. Pre-requisite
+2. Initialise cross-compilation via SDK
+3. Prepare optee-os source code
+4. Management of optee-os source code
+5. Compile optee-os source code
+6. Update software on board
+
+1. Pre-requisite:
+-----------------
+OpenSTLinux SDK must be installed.
+
+For optee-os build you need to install:
+- Wand python and/or python crypto package
+    Ubuntu: sudo apt-get install python-wand python-crypto python-pycryptopp
+    Fedora: sudo yum install python-wand python-crypto
+- git:
+    Ubuntu: sudo apt-get install git-core gitk
+    Fedora: sudo yum install git
+
+If you have never configured you git configuration:
+    $> git config --global user.name "your_name"
+    $> git config --global user.email "your_email@example.com"
+
+2. Initialise cross-compilation via SDK:
+---------------------------------------
+ Source SDK environment:
+    $> source <path to SDK>/environment-setup-cortexa7t2hf-neon-vfpv4-openstlinux_weston-linux-gnueabi
+
+ To verify if your cross-compilation environment have put in place:
+    $> set | grep CROSS
+    CROSS_COMPILE=arm-openstlinux_weston-linux-gnueabi-
+
+Warning: the environment are valid only on the shell session where you have
+ sourced the sdk environment.
+
+3. Prepare optee-os source:
+------------------------
+If you have the tarball and the list of patch then you must extract the
+tarball and apply the patch.
+    $> tar xfz <optee-os source>.tar.gz
+    or
+    $> tar xfj <optee-os source>.tar.bz2
+    or
+    $> tar xfJ <optee-os source>.tar.xz
+    $> cd <directory to optee-os source code>
+NB: if there is no git management on source code and you would like to have a git management
+on the code see section 4 [Management of optee-os source code]
+    if there is some patch, please apply it on source code
+    $> for p in `ls -1 <path to patch>/*.patch`; do patch -p1 < $p; done
+
+4. Management of optee-os source code:
+-----------------------------------
+If you like to have a better management of change made on optee-os source, you
+can use git:
+    $> cd <optee-os source>
+    $> test -d .git || git init . && git add . && git commit -m "optee-ossource code" && git gc
+    $> git checkout -b WORKING
+    $> for p in `ls -1 <path to patch>/*.patch`; do git am $p; done
+
+MANDATORY: You must update sources
+    $> cd <directory to optee-os source code>
+    $> chmod 755 scripts/bin_to_c.py
+
+NB: you can use directly the source from the community:
+    URL: git://github.com/OP-TEE/optee_os.git
+    Branch: ##GIT_BRANCH##
+    Revision: ##GIT_SRCREV##
+
+    $> git clone git://github.com/OP-TEE/optee_os.git
+    $> cd <optee-os source>
+    $> git checkout -b WORKING ##GIT_SRCREV##
+    $> for p in `ls -1 <path to patch>/*.patch`; do git am $p; done
+
+MANDATORY: You must update sources
+    $> cd <directory to optee-os source code>
+    $> chmod 755 scripts/bin_to_c.py
+
+5. Build optee-os source code:
+--------------------------------
+To compile optee-os source code
+    $> cd <directory to optee-os source code>
+    $> make -f $PWD/../Makefile.sdk
+or for a specific config :
+    $> make -f $PWD/../Makefile.sdk CFG_SECURE_DT=stm32mp157c-ev1
+
+By default, binaries are located in $PWD/../build
+
+6. Update software on board:
+----------------------------
+6.1. partitioning of binaries:
+-----------------------------
+Using the above command, the OP-TEE provides 3 binary files which MUST
+be loaded in their respective partition as listed below:
+- "tee-header-*-optee.stm32" in "teeh" partition
+- "tee-pageable-*-optee.stm32" in "teed" partition
+- "tee-pager-*-optee.stm32" in "teex" partition
+
+6.2. Update via SDCARD:
+-----------------------
+Copy each binary to its dedicated partition, on SDCARD/USB disk
+the OP-TEE partitions are the partitions 4/5/6:
+ - SDCARD: /dev/mmcblkXp4 /dev/mmcblkXp5 /dev/mmcblkXp6
+           (where X is the instance number)
+ - SDCARD via USB reader: /dev/sdX4 /dev/sdX5 /dev/sdX6
+                          (where X is the instance identifier)
+So, for each binary:
+$> dd if=<op-tee binary> of=/dev/<device partition> bs=1M conv=fdatasync
+
+6.3. Update via USB mass storage on U-boot:
+-------------------------------------------
+* Plug the SDCARD on Board.
+* Start the board and stop on U-boot shell:
+ Hit any key to stop autoboot: 0
+  STM32MP>
+* plug an USB cable between the PC and the board via USB OTG port.
+* On U-Boot shell, call the USB mass storage functionnality:
+ STM32MP> ums 0 mmc 0
+
+ ums <USB controller> <dev type: mmc|usb> <dev[:part]>
+  ex.:
+For SDCARD:      ums 0 mmc 0
+For USB disk:    ums 0 usb 0
+
+* Follow section 6.2 to load the "tee-*-optee.stm32" image files in the target
+  partitions /dev/sd<X><Y>.
+
+
+
+FAQ: Partitions identification
+
+To find the partition associated to a specific label, connect the
+SDCARD to your PC or run on target U-boot 'ums' command
+and list /dev/disk/by-partlabel/ content, i.e:
+
+  $> ls -l /dev/disk/by-partlabel/
+  total 0
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 bootfs -> ../../mmcblk0p7
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 fsbl1 -> ../../mmcblk0p1     # FSBL (TF-A)
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 fsbl2 -> ../../mmcblk0p2     # FSBL backup (TF-A backup – same content as FSBL)
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 rootfs -> ../../mmcblk0p9
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 ssbl -> ../../mmcblk0p3      # SSBL (U-Boot)
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 teed -> ../../mmcblk0p5      # TEED (OP-TEE tee-pageable)
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 teeh -> ../../mmcblk0p4      # TEEH (OP-TEE tee-header)
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 teex -> ../../mmcblk0p6      # TEEX (OP-TEE tee-pager)
+  lrwxrwxrwx 1 root root 16 Jan 23 19:11 userfs -> ../../mmcblk0p10
+  lrwxrwxrwx 1 root root 15 Jan 23 19:11 vendorfs -> ../../mmcblk0p8