@@ -12,7 +12,7 @@ local_conf_header:
# Include all Secure Partitions into the image
MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its"
MACHINE_FEATURES:append = " ts-attestation ts-smm-gateway optee-spmc-test"
- MACHINE_FEATURES:append = " ts-block-storage"
+ MACHINE_FEATURES:append = " ts-block-storage ts-fwu"
# Include TS demo/test tools into image
IMAGE_INSTALL:append = " packagegroup-ts-tests"
# Include TS PSA Arch tests into image
@@ -20,3 +20,13 @@ local_conf_header:
CORE_IMAGE_EXTRA_INSTALL += "optee-test"
# Set the TS environment
TS_ENV="sp"
+ # Enable and configure semihosting
+ FVP_CONFIG[cluster0.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster0.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster0.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster0.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu0.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu1.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu2.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[cluster1.cpu3.semihosting-cwd] = "${DEPLOY_DIR_IMAGE}"
+ FVP_CONFIG[semihosting-enable] = "True"
@@ -18,6 +18,7 @@ features for each [Secure Partition][^2] you would like to include:
| ----------------- | --------------- |
| Attestation | ts-attesation |
| Crypto | ts-crypto |
+| Firmware Update | ts-fwu
| Internal Storage | ts-its |
| Protected Storage | ts-storage |
| se-proxy | ts-se-proxy |
@@ -47,9 +48,10 @@ Other steps depend on your machine/platform definition:
4. Trusted Services supports an SPMC agonistic binary format. To build SPs to this format the `TS_ENV` variable is to be
set to `sp`. The resulting SP binaries should be able to boot under any FF-A v1.1 compliant SPMC implementation.
+
## Normal World applications
-Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
+Optionally for testing purposes you can add `packagegroup-ts-tests` into your image. It includes
[Trusted Services test and demo tools][^3] and [xtest][^4] configured to include the `ffa_spmc` tests.
## OEQA Trusted Services tests
@@ -65,4 +67,4 @@ See `ci/trusted-services.yml` for an example how to include them into an image.
[^3]: https://trusted-services.readthedocs.io/en/integration/deployments/test-executables.html
-[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
\ No newline at end of file
+[^4]: https://optee.readthedocs.io/en/latest/building/gits/optee_test.html
new file mode 100644
@@ -0,0 +1 @@
+require ts-arm-platforms.inc
@@ -67,6 +67,12 @@ SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
' CFG_SPMC_TESTS=y', '' , d)}"
+# Firmware Update SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+ ' ts-sp-fwu', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-fwu', \
+ ' ${TS_BIN}/${FWU_UUID}${SP_EXT}', '', d)}"
+
# Block Storage SP
DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-block-storage', \
' ts-sp-block-storage', '' , d)}"
new file mode 100644
@@ -0,0 +1,100 @@
+From 9fbeb9dd8c4f2c842248541b73e4cff9c6f8d26e Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <gyorgy.szing@arm.com>
+Date: Wed, 27 Mar 2024 21:53:51 +0000
+Subject: [PATCH 1/1] Allow configuring flash image files compile time
+
+Allow configuring image file PATH name for file and semihosted
+block_store using CMake build options.
+
+Upstream-Status: Pending
+
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+---
+ .../block_storage/factory/file/block_store_factory.c | 6 +++++-
+ .../service/block_storage/factory/file/component.cmake | 6 +++++-
+ .../block_storage/factory/semihosting/block_store_factory.c | 6 +++++-
+ .../block_storage/factory/semihosting/component.cmake | 6 +++++-
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/block_storage/factory/file/block_store_factory.c b/components/service/block_storage/factory/file/block_store_factory.c
+index c6915107b..ef05ee791 100644
+--- a/components/service/block_storage/factory/file/block_store_factory.c
++++ b/components/service/block_storage/factory/file/block_store_factory.c
+@@ -25,6 +25,10 @@
+ #define FILE_BLOCK_SIZE (512)
+ #endif
+
++#ifndef FILE_BLK_FILE_NAME
++#define FILE_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ static char disk_img_filename[256];
+
+ struct block_store_assembly {
+@@ -60,7 +64,7 @@ struct block_store *file_block_store_factory_create(void)
+
+ /* Ensure disk image filename is set */
+ if (disk_img_filename[0] == '\0')
+- file_block_store_factory_set_filename("secure-flash.img");
++ file_block_store_factory_set_filename(FILE_BLK_FILE_NAME);
+
+ /* Initialise a file_block_store to provide underlying storage */
+ struct block_store *secure_flash = file_block_store_init(
+diff --git a/components/service/block_storage/factory/file/component.cmake b/components/service/block_storage/factory/file/component.cmake
+index 644f03972..fa15d1399 100644
+--- a/components/service/block_storage/factory/file/component.cmake
++++ b/components/service/block_storage/factory/file/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "file_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(FILE_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS FILE_BLK_FILE_NAME="${FILE_BLK_FILE_NAME}")
++message(status "Block storage image file PATH is ${FILE_BLK_FILE_NAME}")
+diff --git a/components/service/block_storage/factory/semihosting/block_store_factory.c b/components/service/block_storage/factory/semihosting/block_store_factory.c
+index 8e58e3638..09bdb74eb 100644
+--- a/components/service/block_storage/factory/semihosting/block_store_factory.c
++++ b/components/service/block_storage/factory/semihosting/block_store_factory.c
+@@ -21,6 +21,10 @@
+ /* Most common block size for UEFI volumes */
+ #define SEMIHOSTING_BLOCK_SIZE (512)
+
++#ifndef SEMIHOSTING_BLK_FILE_NAME
++#define SEMIHOSTING_BLK_FILE_NAME "secure-flash.img"
++#endif
++
+ struct block_store_assembly
+ {
+ struct semihosting_block_store semihosting_block_store;
+@@ -55,7 +59,7 @@ struct block_store *semihosting_block_store_factory_create(void)
+ /* Initialise a semihosting_block_store to provide underlying storage */
+ struct block_store *secure_flash = semihosting_block_store_init(
+ &assembly->semihosting_block_store,
+- "secure-flash.img",
++ SEMIHOSTING_BLK_FILE_NAME,
+ SEMIHOSTING_BLOCK_SIZE);
+
+ if (secure_flash) {
+diff --git a/components/service/block_storage/factory/semihosting/component.cmake b/components/service/block_storage/factory/semihosting/component.cmake
+index 97affaf49..98d6dcdcb 100644
+--- a/components/service/block_storage/factory/semihosting/component.cmake
++++ b/components/service/block_storage/factory/semihosting/component.cmake
+@@ -17,4 +17,8 @@ if (NOT DEFINED TS_BLOCK_STORE_FACTORY)
+ set(TS_BLOCK_STORE_FACTORY "semihosting_block_store_factory")
+ target_compile_definitions(${TGT} PRIVATE
+ CONCRETE_BLOCK_STORE_FACTORY=${TS_BLOCK_STORE_FACTORY})
+-endif()
+\ No newline at end of file
++endif()
++
++set(SEMIHOSTING_BLK_FILE_NAME "secure-flash.img" CACHE PATH "PATH to block storage flash image file.")
++set_property(SOURCE "${CMAKE_CURRENT_LIST_DIR}/block_store_factory.c" APPEND PROPERTY COMPILE_DEFINITIONS SEMIHOSTING_BLK_FILE_NAME="${SEMIHOSTING_BLK_FILE_NAME}")
++message(status "Block storage semihosting image file PATH is ${SEMIHOSTING_BLK_FILE_NAME}")
+\ No newline at end of file
+--
+2.34.1
+
@@ -10,6 +10,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append = "\
file://0001-Upgrade-nanopb-to-v0.4.7.patch \
file://0001-Add-boot-order-property-to-SP-manifests.patch \
+ file://0001-Allow-configuring-flash-image-files-compile-time.patch \
"
# Trusted Services; Tag: v1.0.0
new file mode 100644
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: <text>Copyright 2024 Arm Limited and/or its
+# affiliates <open-source-office@arm.com></text>
+#
+# SPDX-License-Identifier: MIT
+
+DESCRIPTION = "Trusted Services Firmware Update Service provider"
+
+require ts-sp-common.inc
+inherit deploy
+
+SP_UUID = "${FWU_UUID}"
+TS_SP_FWU_CONFIG ?= "default"
+
+OECMAKE_SOURCEPATH="${S}/deployments/fwu/config/${TS_SP_FWU_CONFIG}-${TS_ENV}"
+
+# The GPT parser component is needed from TF-A
+SRC_URI += "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;name=tfa;protocol=https;branch=master;destsuffix=git/tf-a"
+SRCREV_tfa = "v2.7.0"
+LIC_FILES_CHKSUM = "file://../tf-a/docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+do_apply_local_src_patches:append() {
+ apply_local_src_patches ${S}/external/tf_a ${WORKDIR}/git/tf-a
+}
+
+EXTRA_OECMAKE:append = "-DTFA_SOURCE_DIR=${WORKDIR}/git/tf-a"
+
+# Deploy the secure flash image.
+do_deploy() {
+ cp -v ${S}/components/media/disk/disk_images/multi_location_fw.img ${DEPLOYDIR}/secure-flash.img
+}
+addtask deploy after do_compile
+
+EXTRA_OECMAKE:append:qemuall = " -DSEMIHOSTING_BLK_FILE_NAME:STRING=${@oe.path.relative('${TMPDIR}', '${DEPLOY_DIR_IMAGE}')}/secure-flash.img"
@@ -11,4 +11,5 @@ SPM_TEST1_UUID = "5c9edbc3-7b3a-4367-9f83-7c191ae86a37"
SPM_TEST2_UUID = "7817164c-c40c-4d1a-867a-9bb2278cf41a"
SPM_TEST3_UUID = "23eb0100-e32a-4497-9052-2f11e584afa6"
SPM_TEST4_UUID = "423762ed-7772-406f-99d8-0c27da0abbf8"
+FWU_UUID = "6823a838-1b06-470e-9774-0cce8bfb53fd"
BLOCK_STORAGE_UUID = "63646e80-eb52-462f-ac4f-8cdf3987519c"
Add a recipe to enable building and deploying the FWU service implemented in the Trusted Services Project. The FWU service can help vendors to meet PSA certification requirements. Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com> --- ci/fvp-base-ts.yml | 12 ++- documentation/trusted-services.md | 6 +- .../trusted-services/ts-sp-fwu_%.bbappend | 1 + .../recipes-security/optee/optee-os-ts.inc | 6 ++ ...uring-flash-image-files-compile-time.patch | 100 ++++++++++++++++++ .../trusted-services/trusted-services-src.inc | 1 + .../trusted-services/ts-sp-fwu_git.bb | 32 ++++++ .../trusted-services/ts-uuid.inc | 1 + 8 files changed, 156 insertions(+), 3 deletions(-) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/ts-sp-fwu_%.bbappend create mode 100644 meta-arm/recipes-security/trusted-services/files/0001-Allow-configuring-flash-image-files-compile-time.patch create mode 100644 meta-arm/recipes-security/trusted-services/ts-sp-fwu_git.bb