| Message ID | 20230208231031.16363-2-afd@ti.com |
|---|---|
| State | Superseded |
| Delegated to: | Ryan Eatmon |
| Headers | show |
| Series | [meta-ti,master/kirkstone,1/4] trusted-firmware-a: Use ti-k3-secdev if TI_SECURE_DEV_PKG_K3 is not defined | expand |
I had to hand apply the patch to master since the file names for optee_os differ between the two branches due to this kirkstone patch: https://lists.yoctoproject.org/g/meta-ti/message/15331 On 2/8/2023 17:10, Andrew Davis wrote: > Use the new ti-k3-secdev package to pull in the signing tools if they are > not provided by the environment. This allows us to use these tools > unconditionally. Remove the checks for the script and do the signing > for all K3 machines. The signature is automatically stripped from > the binaries on non-HS devices at boot time as needed so this change > is harmless for GP devices. > > Signed-off-by: Andrew Davis <afd@ti.com> > --- > .../optee/optee-os_3.16%.bbappend | 44 +++++-------------- > 1 file changed, 12 insertions(+), 32 deletions(-) > > diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > index 6913851b..5a693247 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > @@ -1,6 +1,14 @@ > PV:ti-soc = "3.19.0+git${SRCPV}" > SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52" > > +# Use default package TI SECDEV is one is not provided > +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" > + > +# set a default value for TI_K3_SECDEV_INSTALL_DIR > +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" > +include recipes-ti/includes/ti-paths.inc > +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" > + > EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" > > EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1" > @@ -35,20 +43,6 @@ optee_sign_legacyhs() { > fi > } > > -# Signing procedure for K3 HS devices > -optee_sign_k3hs() { > - ( cd ${B}/core/; \ > - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ > - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \ > - else \ > - echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \ > - cp tee-pager_v2.bin tee-pager.bin.signed; \ > - fi; \ > - mv tee-pager.bin.signed ${B}/bl32.bin; \ > - cp tee.elf ${B}/bl32.elf; \ > - ) > -} > - > do_compile:append:ti43x() { > optee_sign_legacyhs > } > @@ -57,24 +51,10 @@ do_compile:append:dra7xx() { > optee_sign_legacyhs > } > > -do_compile:append:am65xx-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:am64xx-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j721e-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j7200-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j721s2-hs-evm() { > - optee_sign_k3hs > +# Signing procedure for K3 devices > +do_compile:append:k3() { > + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin > + cp ${B}/core/tee.elf ${B}/bl32.elf > } > > do_install:append:ti-soc() {
On Wed, Feb 08, 2023 at 05:10:29PM -0600, Andrew Davis via lists.yoctoproject.org wrote: > Use the new ti-k3-secdev package to pull in the signing tools if they are > not provided by the environment. This allows us to use these tools > unconditionally. Remove the checks for the script and do the signing > for all K3 machines. The signature is automatically stripped from > the binaries on non-HS devices at boot time as needed so this change > is harmless for GP devices. > > Signed-off-by: Andrew Davis <afd@ti.com> > --- > .../optee/optee-os_3.16%.bbappend | 44 +++++-------------- > 1 file changed, 12 insertions(+), 32 deletions(-) > > diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > index 6913851b..5a693247 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > @@ -1,6 +1,14 @@ > PV:ti-soc = "3.19.0+git${SRCPV}" > SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52" > > +# Use default package TI SECDEV is one is not provided Same typo > +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" > + > +# set a default value for TI_K3_SECDEV_INSTALL_DIR > +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" > +include recipes-ti/includes/ti-paths.inc Same comment > +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" > + > EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" > > EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1" > @@ -35,20 +43,6 @@ optee_sign_legacyhs() { > fi > } > > -# Signing procedure for K3 HS devices > -optee_sign_k3hs() { > - ( cd ${B}/core/; \ > - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ > - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \ > - else \ > - echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \ > - cp tee-pager_v2.bin tee-pager.bin.signed; \ > - fi; \ > - mv tee-pager.bin.signed ${B}/bl32.bin; \ > - cp tee.elf ${B}/bl32.elf; \ > - ) > -} > - > do_compile:append:ti43x() { > optee_sign_legacyhs > } > @@ -57,24 +51,10 @@ do_compile:append:dra7xx() { > optee_sign_legacyhs > } > > -do_compile:append:am65xx-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:am64xx-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j721e-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j7200-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j721s2-hs-evm() { > - optee_sign_k3hs > +# Signing procedure for K3 devices > +do_compile:append:k3() { > + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin > + cp ${B}/core/tee.elf ${B}/bl32.elf > } > > do_install:append:ti-soc() { > -- > 2.39.1
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend index 6913851b..5a693247 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend @@ -1,6 +1,14 @@ PV:ti-soc = "3.19.0+git${SRCPV}" SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52" +# Use default package TI SECDEV is one is not provided +DEPENDS:append:k3 = "${@ '' if d.getVar('TI_SECURE_DEV_PKG_K3') else ' ti-k3-secdev-native' }" + +# set a default value for TI_K3_SECDEV_INSTALL_DIR +export TI_K3_SECDEV_INSTALL_DIR = "${STAGING_DIR_NATIVE}${datadir}/ti/ti-k3-secdev" +include recipes-ti/includes/ti-paths.inc +TI_SECURE_DEV_PKG:k3 = "${@ d.getVar('TI_SECURE_DEV_PKG_K3') or d.getVar('TI_K3_SECDEV_INSTALL_DIR') }" + EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1" @@ -35,20 +43,6 @@ optee_sign_legacyhs() { fi } -# Signing procedure for K3 HS devices -optee_sign_k3hs() { - ( cd ${B}/core/; \ - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \ - else \ - echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \ - cp tee-pager_v2.bin tee-pager.bin.signed; \ - fi; \ - mv tee-pager.bin.signed ${B}/bl32.bin; \ - cp tee.elf ${B}/bl32.elf; \ - ) -} - do_compile:append:ti43x() { optee_sign_legacyhs } @@ -57,24 +51,10 @@ do_compile:append:dra7xx() { optee_sign_legacyhs } -do_compile:append:am65xx-hs-evm() { - optee_sign_k3hs -} - -do_compile:append:am64xx-evm() { - optee_sign_k3hs -} - -do_compile:append:j721e-hs-evm() { - optee_sign_k3hs -} - -do_compile:append:j7200-hs-evm() { - optee_sign_k3hs -} - -do_compile:append:j721s2-hs-evm() { - optee_sign_k3hs +# Signing procedure for K3 devices +do_compile:append:k3() { + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin + cp ${B}/core/tee.elf ${B}/bl32.elf } do_install:append:ti-soc() {
Use the new ti-k3-secdev package to pull in the signing tools if they are not provided by the environment. This allows us to use these tools unconditionally. Remove the checks for the script and do the signing for all K3 machines. The signature is automatically stripped from the binaries on non-HS devices at boot time as needed so this change is harmless for GP devices. Signed-off-by: Andrew Davis <afd@ti.com> --- .../optee/optee-os_3.16%.bbappend | 44 +++++-------------- 1 file changed, 12 insertions(+), 32 deletions(-)