| Message ID | 20251113104156.1436579-1-s-joshi@ti.com |
|---|---|
| State | Superseded |
| Delegated to: | Ryan Eatmon |
| Series | [meta-ti,scarthgap,v3] meta-ti-bsp: optee: Enable PKCS#11 with REE_FS |
meta-ti / na / 20251113104156.1436579-1-s-joshi
PRC Results: PASS
=========================================================
check-yocto-patches: PASS
=========================================================
Patches
----------------------------------------
WARN - [meta-ti][scarthgap][PATCH v3] meta-ti-bsp: optee: Enable PKCS#11 with REE_FS
WARN: Commit message does not include file/recipe name: meta-ti-bsp: optee: Enable PKCS#11 with REE_FS. (COMMIT-MESSAGE-2)
patch
WARN: Commit message should not include directory path to recipe: meta-ti-bsp: optee: Enable PKCS#11 with REE_FS.
meta-ti-bsp: (COMMIT-MESSAGE-3)
patch
=========================================================
apply-yocto-patch: PASS
=========================================================
scarthgap
=====================
Summary:
- Patch Series: [meta-ti][scarthgap][PATCH v3] meta-ti-bsp: optee: Enable PKCS#11 with REE_FS
- Submitter: From: Suhaas Joshi <s-joshi@ti.com>
- Date: Date: Thu, 13 Nov 2025 16:11:56 +0530
- Num Patches: 1
- Mailing List (public inbox) Commit SHA: 1ed21cd09cd27b494e4fdd3bb3c8e1d0e157186b
Applied to:
- Repository: lcpd-prc-meta-ti
- Base Branch: scarthgap-wip
- Commit Author: Antonios Christidis <a-christidis@ti.com>
- Commit Subject: ti-img-rogue-*: Migrate GPU driver version 24.2 -> 25.2
- Commit SHA: 52b9de1bcbebdc835641c33655e26e9e54441866
Patches
----------------------------------------
All patches applied
=========================================================
check-yocto-repo: PASS
=========================================================
scarthgap
=====================
PASS
On Thu, Nov 13, 2025 at 04:42 AM, Suhaas Joshi wrote:
>
> PKCS#11 is a standard that defines an interface for applications to interact with security modules, including OP-TEE's PKCS#11 TA.
>
> Enable PKCS#11 with REE_FS. CFG_REE_FS=y is set by default, but set it explicitly for clarity.
>
> Further, copy libckteec library files to the filesystem. These files are required by pkcs11-tool to interact with the TA.
>
> Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
> ---
> v2 -> v3:
> * As Andrew suggested: RPMB with CFG_RPMB_WRITE_KEY already enabled is a risk. Therefore, instead of enabling RPMB, enable only PKCS#11 to work with REE_FS. This allows users to try PKCS#11 and run OPTEE secure storage examples, with REE_FS.
> * By Denys' and Ryan's suggestions, move extra logic away from .bbappend to optee-client-ti-overrides.inc file.
> * Link to v2: https://lore.kernel.org/yocto-meta-ti/8ad8d349-0841-497a-91a3-340ec08a3ea5@ti.com/T/#t
> ---
>  .../optee/optee-client-ti-overrides.inc | 10 ++++++++++
>  .../optee/optee-client_%.bbappend | 5 +++++
>  .../optee/optee-os-ti-overrides.inc | 16 ++++++++++++----
>  3 files changed, 27 insertions(+), 4 deletions(-)
>  create mode 100644 meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
>
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc > b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc > new file mode 100644 > index 00000000..1ac1684e > --- /dev/null > +++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc 
> @@ -0,0 +1,10 @@ > +do_install:append:am62axx:am62dxx:am62pxx:am62xx() { > + install -d ${D}${libdir} > + > + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/ > + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0 > + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so > +} > + > +FILES:${PN}:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so.0 > ${libdir}/libckteec.so.0.1.0" > +FILES:${PN}-dev:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so"

I'm not sure these additions will work correctly. I think chained overrides like this require that all of the overrides be present in order to have the statement apply. Plus this is just really unreadable.

For the do_install:append I think you need to create a variable that you can default to "" and then override for all of the platforms listed above. Something like:

    LIBCKTEEC = ""
    LIBCKTEEC:am62xx = "${libdir}/libckteec.so*"
    LIBCKTEEC:am62axx = "${libdir}/libckteec.so*"
    LIBCKTEEC:am62dxx = "${libdir}/libckteec.so*"
    LIBCKTEEC:am62pxx = "${libdir}/libckteec.so*"

    do_install:append() {
        if [ "${LIBCKTEEC}" != "" ]; then
            install -d ${D}${libdir}
            install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
            ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
            ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
        fi
    }

    FILES:${PN} += "${LIBCKTEEC}"

I don't think you need the FILES:${PN}-dev. It's just including another symlink and not additional files or headers needed for dev. Just have the link in the single package.

> diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > index f193e78b..0cee127f 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend 
> @@ -2,3 +2,8 @@ OPTEE_TI_VERSION = "" > OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc" > > require ${OPTEE_TI_VERSION} > + > +OPTEE_TI_OVERRIDES = "" > +OPTEE_TI_OVERRIDES:ti-soc = "${BPN}-ti-overrides.inc" > + > +require ${OPTEE_TI_OVERRIDES} > diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > index 61a74a06..ece8c50d 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" > EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ > d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" > EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ > d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else > ''}" > > -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1" > +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y > CFG_PKCS11_TA=y" > EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1" > +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y > CFG_PKCS11_TA=y" > +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y > CFG_PKCS11_TA=y" > +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y > CFG_PKCS11_TA=y" > EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1" > > do_compile:append:k3() { 
> @@ -49,6 +49,14 @@ do_install:append() { > install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true > install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true > install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true > + > + case "${MACHINE}" in > + am62pxx-evm|am62xx-evm|am62axx-evm|am62dxx-evm) > + > + install -d ${D}${nonarch_base_libdir}/optee_armtz > + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta > ${D}${nonarch_base_libdir}/optee_armtz > + ;; > + esac

This should be done with an append and not a case statement. At the very least, you could create a new variable that defaults to "" and then override it with "1" for the platforms that need the extra steps and then have an if on the variable in the existing do_install:append.

> } > > optee_deploy_legacyhs() { > -- > 2.34.1 > >
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc new file mode 100644 index 00000000..1ac1684e --- /dev/null +++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc @@ -0,0 +1,10 @@ +do_install:append:am62axx:am62dxx:am62pxx:am62xx() { + install -d ${D}${libdir} + + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/ + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0 + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so +} + +FILES:${PN}:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1.0" +FILES:${PN}-dev:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so" diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend index f193e78b..0cee127f 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend @@ -2,3 +2,8 @@ OPTEE_TI_VERSION = "" OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc" require ${OPTEE_TI_VERSION} + +OPTEE_TI_OVERRIDES = "" +OPTEE_TI_OVERRIDES:ti-soc = "${BPN}-ti-overrides.inc" + +require ${OPTEE_TI_OVERRIDES} diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc index 61a74a06..ece8c50d 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc 
@@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}" -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1" +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1" +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1" do_compile:append:k3() { @@ -49,6 +49,14 @@ do_install:append() { install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true + + case "${MACHINE}" in + am62pxx-evm|am62xx-evm|am62axx-evm|am62dxx-evm) + + install -d ${D}${nonarch_base_libdir}/optee_armtz + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz + ;; + esac } optee_deploy_legacyhs() {
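Review bot: In the new optee-client-ti-overrides.inc, both FILES lines pair an override suffix with "+=" (FILES:${PN}:am62axx:am62dxx:am62pxx:am62xx += ...), which in BitBake assigns to the override-specific variable instead of appending to FILES:${PN}, so whenever it applies it replaces the package's base file list rather than extending it. The four-way chained suffix, on these lines and on do_install:append, also takes effect only when all four SoC overrides are active together, which no single machine provides. Suggest one FILES:${PN}:append:<soc> per platform, or a per-SoC variable that defaults to empty. The install line also hard-codes libckteec.so.0.1.0, so do_install fails as soon as the library version changes; deriving the versioned name from the build output would avoid that.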
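Review bot: In the EXTRA_OEMAKE hunk of optee-os-ti-overrides.inc, " CFG_REE_FS=y CFG_PKCS11_TA=y" is repeated verbatim on the am62xx, am62pxx, am62axx and am62dxx lines with no comment saying why am62lxx and j722s are left out or why REE_FS was chosen. The commit message gives the reasoning (REE_FS instead of RPMB because CFG_RPMB_WRITE_KEY is already enabled), but that is lost once the patch is merged. Suggest holding the two flags in one variable set per SoC and adding a short comment recording the storage choice, so a later change to the secure-storage backend is made deliberately and in one place.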
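Review bot: In the do_install:append hunk of optee-os-ti-overrides.inc, the case statement matches literal MACHINE names (am62pxx-evm|am62xx-evm|am62axx-evm|am62dxx-evm) while CFG_PKCS11_TA=y is switched on by the SoC overrides am62xx, am62pxx, am62axx and am62dxx. Any machine that carries one of those SoC overrides under a different MACHINE name builds the PKCS#11 TA but never installs fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta into optee_armtz, so the client library would be present with no TA to load. Suggest gating the install on the same SoC overrides as the build flag, either with per-SoC do_install:append:<soc> blocks or with a variable that defaults to "" and is set per SoC.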
PKCS#11 is a standard that defines an interface for applications to interact with security modules, including OP-TEE's PKCS#11 TA.

Enable PKCS#11 with REE_FS. CFG_REE_FS=y is set by default, but set it explicitly for clarity.

Further, copy libckteec library files to the filesystem. These files are required by pkcs11-tool to interact with the TA.

Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
v2 -> v3:
* As Andrew suggested: RPMB with CFG_RPMB_WRITE_KEY already enabled is a risk. Therefore, instead of enabling RPMB, enable only PKCS#11 to work with REE_FS. This allows users to try PKCS#11 and run OPTEE secure storage examples, with REE_FS.
* By Denys' and Ryan's suggestions, move extra logic away from .bbappend to optee-client-ti-overrides.inc file.
* Link to v2: https://lore.kernel.org/yocto-meta-ti/8ad8d349-0841-497a-91a3-340ec08a3ea5@ti.com/T/#t
---
 .../optee/optee-client-ti-overrides.inc | 10 ++++++++++
 .../optee/optee-client_%.bbappend | 5 +++++
 .../optee/optee-os-ti-overrides.inc | 16 ++++++++++++----
 3 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc