[RFC] optee: use software PRNG for real-time kernel builds

The 4.7.0 release of OP-TEE is causing unacceptable latency issues with
the real-time kernel. Migrate to software PRNG until they can be
resolved in a later release.

Signed-off-by: Bryan Brattlof <bb@ti.com>
---
Debugging a +30us latency regression has lead us to the hardware
accelerated RNG drivers in OP-TEE. Falling back to software PRNG
restores the context switch latency back to acceptable levels.

Because this only affects real-time kernels this is more an RFC
until we can fix the firmware or find an alternative for the
builds where latency is prioritized over random number generation

Happy Hacking
~Bryan
---
 meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)


---
base-commit: 69aaa6f1f8f608e22353d38ec6629ded743c4dec
change-id: 20251002-rtl-optee-hack-515fab8e6a76

Best regards,

On Thu, Oct 02, 2025 at 07:28:27AM -0500, Bryan Brattlof via lists.yoctoproject.org wrote:
> The 4.7.0 release of OP-TEE is causing unacceptable latency issues with
> the real-time kernel. Migrate to software PRNG until they can be
> resolved in a later release.
> 
> Signed-off-by: Bryan Brattlof <bb@ti.com>
> ---
> Debugging a +30us latency regression has lead us to the hardware
> accelerated RNG drivers in OP-TEE. Falling back to software PRNG
> restores the context switch latency back to acceptable levels.
> 
> Because this only affects real-time kernels this is more an RFC
> until we can fix the firmware or find an alternative for the
> builds where latency is prioritized over random number generation

I don't see the change being specific to real-time kernel, which the commit 
message above imlies several times - is it intended?


> Happy Hacking
> ~Bryan
> ---
>  meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> index 61a74a069886a24fbb518cf748be198d99a02cbe..5d00b8f6f8b045e660338c4a4d74001478a41aa0 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> @@ -6,12 +6,12 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
>  EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
>  EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}"
>  
> -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62lxx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62pxx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62axx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62dxx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:j722s = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1"
>  
>  do_compile:append:k3() {
>      cp ${B}/core/tee-pager_v2.bin ${B}/bl32.bin
> 
> ---
> base-commit: 69aaa6f1f8f608e22353d38ec6629ded743c4dec
> change-id: 20251002-rtl-optee-hack-515fab8e6a76
> 
> Best regards,
> -- 
> Bryan Brattlof <bb@ti.com>

On October  2, 2025 thus sayeth Denys Dmytriyenko:
> On Thu, Oct 02, 2025 at 07:28:27AM -0500, Bryan Brattlof via lists.yoctoproject.org wrote:
> > The 4.7.0 release of OP-TEE is causing unacceptable latency issues with
> > the real-time kernel. Migrate to software PRNG until they can be
> > resolved in a later release.
> > 
> > Signed-off-by: Bryan Brattlof <bb@ti.com>
> > ---
> > Debugging a +30us latency regression has lead us to the hardware
> > accelerated RNG drivers in OP-TEE. Falling back to software PRNG
> > restores the context switch latency back to acceptable levels.
> > 
> > Because this only affects real-time kernels this is more an RFC
> > until we can fix the firmware or find an alternative for the
> > builds where latency is prioritized over random number generation
> 
> I don't see the change being specific to real-time kernel, which the commit 
> message above imlies several times - is it intended?

I need to talk to the security people if disabling the true RNG drivers 
is acceptable. But you're right, if it is deemed acceptable, I can add a 
switch to append the pseudo RNG flag to the real-time kernel only. I'm 
just not sure I fully understand the consequences moving to a PRNG 
driver has for the security focused team

~Bryan