new file mode 100644
@@ -0,0 +1,31 @@
+From f2f867d3d84415f82c1750fa8d1f47842a7b7287 Mon Sep 17 00:00:00 2001
+From: kas User <kas@example.com>
+Date: Tue, 11 Mar 2025 15:19:58 +0000
+Subject: [PATCH 1/1] Relax pyelftools dependency
+
+tools/python/elf_segments_to_manifest.py was only accpeting pyelftools v0.31.
+Relax this requirement to accept v0.31 and newer versions.
+
+Upstream-Status: Pending
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+
+---
+ tools/python/elf_segments_to_manifest.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/python/elf_segments_to_manifest.py b/tools/python/elf_segments_to_manifest.py
+index 378c318d4..52c12e0f4 100644
+--- a/tools/python/elf_segments_to_manifest.py
++++ b/tools/python/elf_segments_to_manifest.py
+@@ -16,7 +16,7 @@ from elftools import __version__ as module_version
+ from elftools.elf.elffile import ELFFile
+ from elftools.elf.constants import P_FLAGS
+
+-assert module_version == "0.31"
++assert module_version >= "0.31"
+
+ class ElfSegmentsToManifest:
+ """
+--
+2.43.0
+
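Review bot: The added line `assert module_version >= "0.31"` compares version strings lexicographically, so it does not implement "v0.31 and newer": a string such as "0.4" passes and "0.100" fails. Comparing parsed components fixes this, e.g. `assert tuple(int(p) for p in module_version.split(".")[:2]) >= (0, 31)`. Because the guard is an `assert`, it also disappears when the script is run with `python -O`; an explicit `raise` would keep it in place. The carried patch's message also misspells "accepting", which is worth fixing before it goes upstream.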
new file mode 100644
@@ -0,0 +1,57 @@
+From 919015a92dc0b98bbef81fb68cd9f90b89abb2dd Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <gyorgy.szing@arm.com>
+Date: Thu, 17 Oct 2024 09:46:58 +0000
+Subject: [PATCH 1/1] Fix MbedTLS 3.6 and GCC 14 compatibility
+
+For details please see the patch file.
+
+Upstream-Status: Pending
+
+Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
+---
+ ...or-triggered-build-issue-with-gcc-14.patch | 33 +++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+ create mode 100644 external/MbedTLS/0002-Fix-Werror-triggered-build-issue-with-gcc-14.patch
+
+diff --git a/external/MbedTLS/0002-Fix-Werror-triggered-build-issue-with-gcc-14.patch b/external/MbedTLS/0002-Fix-Werror-triggered-build-issue-with-gcc-14.patch
+new file mode 100644
+index 000000000..6e195f927
+--- /dev/null
++++ b/external/MbedTLS/0002-Fix-Werror-triggered-build-issue-with-gcc-14.patch
+@@ -0,0 +1,33 @@
++From 390c4bd9822b44b1f4c366e62634d328e8baf9a1 Mon Sep 17 00:00:00 2001
++From: Gyorgy Szing <gyorgy.szing@arm.com>
++Date: Thu, 17 Oct 2024 08:54:22 +0000
++Subject: [PATCH 1/1] Fix -Werror triggered build issue with gcc 14
++
++GCC 14 emits new warnings when compiling MbedTLS v3.6. This is
++a known issue (see [1]) and I am taking the proposed fix.
++
++https://github.com/Mbed-TLS/mbedtls/issues/9003#issuecomment-2108239255
++
++Upstream-Status: Pending
++
++Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
++---
++ library/common.h | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/library/common.h b/library/common.h
++index 3936ffdfe1..d8c4073198 100644
++--- a/library/common.h
+++++ b/library/common.h
++@@ -199,7 +199,7 @@ static inline void mbedtls_xor(unsigned char *r,
++ uint8x16_t x = veorq_u8(v1, v2);
++ vst1q_u8(r + i, x);
++ }
++-#if defined(__IAR_SYSTEMS_ICC__)
+++#if defined(__IAR_SYSTEMS_ICC__) || defined(MBEDTLS_COMPILER_IS_GCC)
++ /* This if statement helps some compilers (e.g., IAR) optimise out the byte-by-byte tail case
++ * where n is a constant multiple of 16.
++ * For other compilers (e.g. recent gcc and clang) it makes no difference if n is a compile-time
++--
++2.43.0
++
+--
+2.43.0
+
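Review bot: The widened guard `#if defined(__IAR_SYSTEMS_ICC__) || defined(MBEDTLS_COMPILER_IS_GCC)` in the nested library/common.h hunk enables the `if` statement described in the comment below it for every GCC release, while the message only justifies it for GCC 14. Narrowing the condition, e.g. `|| (defined(MBEDTLS_COMPILER_IS_GCC) && __GNUC__ >= 14)`, would leave mbedtls_xor unmodified for older toolchains. The nested message cites "[1]" but the URL carries no label, and the outer description ("For details please see the patch file.") should name the warning being worked around, so the patch can be dropped once an MbedTLS release contains the fix. The body of mbedtls_xor and the statement the guard controls lie outside the hunk.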
deleted file mode 100644
@@ -1,223 +0,0 @@
-From cc9589c03cb0fcd9c3248b95f05cce1afaa37d0f Mon Sep 17 00:00:00 2001
-From: Balint Dobszay <balint.dobszay@arm.com>
-Date: Thu, 19 Oct 2023 16:35:05 +0200
-Subject: [PATCH] Remove TEE driver external component
-
-The TSTEE driver has been merged to Linux kernel v6.10, which makes the
-out-of-tree version deprecated. Remove the external component that was
-downloading it. Also, the in-tree version doesn't have a module version
-field defined, so the sanity check for reading the out-of-tree module's
-version is removed too.
-
-Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
-Change-Id: I57ee44293c5e940ee7fa944d1420ebcba624fc56
-Upstream-Status: Backport
----
- .../rpc/ts_rpc/caller/linux/component.cmake | 6 --
- .../ts_rpc/caller/linux/ts_rpc_caller_linux.c | 56 +++----------------
- .../spm/optee/userspace-programs-on-fvp.rst | 3 +-
- docs/quickstart/optee-testing.rst | 1 -
- .../LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake | 54 ------------------
- 5 files changed, 9 insertions(+), 111 deletions(-)
- delete mode 100644 external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake
-
-diff --git a/components/rpc/ts_rpc/caller/linux/component.cmake b/components/rpc/ts_rpc/caller/linux/component.cmake
-index c9f439e20da4..f8e4a52fb70c 100644
---- a/components/rpc/ts_rpc/caller/linux/component.cmake
-+++ b/components/rpc/ts_rpc/caller/linux/component.cmake
-@@ -8,8 +8,6 @@ if (NOT DEFINED TGT)
- message(FATAL_ERROR "mandatory parameter TGT is not defined.")
- endif()
-
--include(${TS_ROOT}/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake)
--
- set_property(TARGET ${TGT} APPEND PROPERTY PUBLIC_HEADER
- "${CMAKE_CURRENT_LIST_DIR}/ts_rpc_caller_linux.h"
- )
-@@ -17,7 +15,3 @@ set_property(TARGET ${TGT} APPEND PROPERTY PUBLIC_HEADER
- target_sources(${TGT} PRIVATE
- "${CMAKE_CURRENT_LIST_DIR}/ts_rpc_caller_linux.c"
- )
--
--target_include_directories(${TGT} PRIVATE
-- "${LINUX_FFA_TEE_DRIVER_INCLUDE_DIR}"
-- )
-diff --git a/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c b/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c
-index 7c4606e56f09..3402a9f6ae2b 100644
---- a/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c
-+++ b/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c
-@@ -6,7 +6,6 @@
-
- #include "ts_rpc_caller_linux.h"
-
--#include <arm_tstee.h>
- #include <errno.h>
- #include <fcntl.h>
- #include <linux/tee.h>
-@@ -24,11 +23,16 @@
-
- #define INVALID_SESS_ID 0
- #define MAX_TEE_DEV_NUM 16
--#define TS_TEE_DRV_REQ_VER_MAJOR 2
--#define TS_TEE_DRV_REQ_VER_MINOR 0
--#define TS_TEE_DRV_REQ_VER_PATCH 0
- #define TS_TEE_DRV_INVALID_SHM_ID (0)
-
-+/*
-+ * This define is part of linux/tee.h starting from Linux v6.10
-+ * Let's keep a copy here in case the kernel headers come from an older version
-+ */
-+#ifndef TEE_IMPL_ID_TSTEE
-+#define TEE_IMPL_ID_TSTEE 3
-+#endif
-+
- struct ts_tee_dev {
- uint16_t endpoint_id;
- char path[16];
-@@ -236,47 +240,6 @@ static rpc_status_t call(void *context, uint16_t opcode,
- return RPC_SUCCESS;
- }
-
--static bool ts_tee_drv_check_version(void)
--{
-- unsigned int major = 0;
-- unsigned int minor = 0;
-- unsigned int patch = 0;
-- FILE *f = NULL;
-- int cnt = 0;
--
-- f = fopen("/sys/module/arm_tstee/version", "r");
-- if (f) {
-- cnt = fscanf(f, "%u.%u.%u", &major, &minor, &patch);
-- fclose(f);
--
-- if (cnt != 3) {
-- printf("error: cannot read TS TEE driver version\n");
-- return false;
-- }
-- } else {
-- printf("error: TS TEE driver not available\n");
-- return false;
-- }
--
-- if (major != TS_TEE_DRV_REQ_VER_MAJOR)
-- goto err;
--
-- if (minor < TS_TEE_DRV_REQ_VER_MINOR)
-- goto err;
--
-- if (minor == TS_TEE_DRV_REQ_VER_MINOR)
-- if (patch < TS_TEE_DRV_REQ_VER_PATCH)
-- goto err;
--
-- return true;
--
--err:
-- printf("error: TS TEE driver is v%u.%u.%u but required v%u.%u.%u\n", major, minor, patch,
-- TS_TEE_DRV_REQ_VER_MAJOR, TS_TEE_DRV_REQ_VER_MINOR, TS_TEE_DRV_REQ_VER_PATCH);
--
-- return false;
--}
--
- static void ts_tee_drv_discover(struct ts_tee_dev *ts_tee_devs, size_t count)
- {
- struct tee_ioctl_version_data vers = { 0 };
-@@ -314,9 +277,6 @@ rpc_status_t ts_rpc_caller_linux_init(struct rpc_caller_interface *rpc_caller)
- if (!rpc_caller || rpc_caller->context)
- return RPC_ERROR_INVALID_VALUE;
-
-- if (!ts_tee_drv_check_version())
-- return RPC_ERROR_INTERNAL;
--
- context = (struct ts_rpc_caller_linux_context *)calloc(
- 1, sizeof(struct ts_rpc_caller_linux_context));
- if (!context)
-diff --git a/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst b/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst
-index f81e1dff3264..aeb26fb3462a 100644
---- a/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst
-+++ b/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst
-@@ -59,8 +59,7 @@ Once it boots to the login prompt, log in as root and from the FVP terminal, ent
- # Install the shared library and executables
- cp -vat /usr out/ts-install/arm-linux/lib out/ts-install/arm-linux/bin
-
-- # Load the kernel modules
-- out/linux-arm-ffa-tee/load_module.sh
-+ # Load the kernel module
- out/linux-arm-ffa-user/load_module.sh
-
- # Run the test application
-diff --git a/docs/quickstart/optee-testing.rst b/docs/quickstart/optee-testing.rst
-index 7eccf7ab9031..9ff2421d5565 100644
---- a/docs/quickstart/optee-testing.rst
-+++ b/docs/quickstart/optee-testing.rst
-@@ -47,7 +47,6 @@ Once it boots to the login prompt, log in as root and from the FVP terminal, ent
-
- cd /mnt/host
- cp -vat /usr out/ts-install/arm-linux/lib out/ts-install/arm-linux/bin
-- out/linux-arm-ffa-tee/load_module.sh
- out/linux-arm-ffa-user/load_module.sh
- ts-service-test -v
-
-diff --git a/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake b/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake
-deleted file mode 100644
-index da0a5b3def7e..000000000000
---- a/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake
-+++ /dev/null
-@@ -1,54 +0,0 @@
--#-------------------------------------------------------------------------------
--# Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
--#
--# SPDX-License-Identifier: BSD-3-Clause
--#
--#-------------------------------------------------------------------------------
--
--# If the driver is already installed, try to find that
--find_path(LINUX_FFA_TEE_DRIVER_INCLUDE_DIR
-- NAMES arm_tstee.h
-- DOC "Linux FF-A TEE driver include directory"
--)
--
--# If not found, download it
--if(NOT LINUX_FFA_TEE_DRIVER_INCLUDE_DIR)
-- set(LINUX_FFA_TEE_DRIVER_URL "https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git"
-- CACHE STRING "Linux FF-A TEE driver repository URL")
--
-- # Note: the aim of this external component is to make the header file defining the IOCTL API
-- # available. Fetching a moving reference is ok as long as API compatibility is guaranteed.
-- set(LINUX_FFA_TEE_DRIVER_REFSPEC "origin/tee-v2"
-- CACHE STRING "Linux FF-A TEE driver git refspec")
--
-- set(LINUX_FFA_TEE_DRIVER_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/linux_ffa_tee_driver-src"
-- CACHE PATH "Location of Linux TEE driver source.")
--
-- if (DEFINED ENV{LINUX_FFA_TEE_DRIVER_SOURCE_DIR})
-- set(LINUX_FFA_TEE_DRIVER_SOURCE_DIR $ENV{LINUX_FFA_TEE_DRIVER_SOURCE_DIR}
-- CACHE PATH "Location of Linux TEE driver source." FORCE)
-- endif()
--
-- set(GIT_OPTIONS
-- GIT_REPOSITORY ${LINUX_FFA_TEE_DRIVER_URL}
-- GIT_TAG ${LINUX_FFA_TEE_DRIVER_REFSPEC}
-- GIT_SHALLOW TRUE
-- )
-- include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED)
-- LazyFetch_MakeAvailable(
-- DEP_NAME linux_ffa_tee_driver
-- FETCH_OPTIONS "${GIT_OPTIONS}"
-- SOURCE_DIR ${LINUX_FFA_TEE_DRIVER_SOURCE_DIR}
-- )
--
-- find_path(LINUX_FFA_TEE_DRIVER_INCLUDE_DIR
-- NAMES arm_tstee.h
-- PATHS ${LINUX_FFA_TEE_DRIVER_SOURCE_DIR}/uapi
-- NO_DEFAULT_PATH
-- REQUIRED
-- DOC "Linux FF-A TEE driver include directory"
-- )
--endif()
--
--set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS
-- "${LINUX_FFA_TEE_DRIVER_INCLUDE_DIR}/arm_tstee.h")
-2.39.2
-
@@ -5,8 +5,6 @@ TS_ENV = "arm-linux"
require trusted-services.inc
-SRC_URI += "file://0001-Remove-TEE-driver-external-component.patch \
- "
# If optee-client is not included, take care of udev and related configuration.
require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)}
@@ -9,10 +9,12 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append = "\
file://0001-Allow-configuring-flash-image-files-compile-time.patch \
+ file://0002-Fix-MbedTLS-3.6-and-GCC-14-compatibility.patch \
+ file://0001-Relax-pyelftools-dependency.patch \
"
-# Trusted Services; aka. 2024 April 19
-SRCREV_trusted-services = "602be607198ea784bc5ab1c0c9d3ac4e2c67f1d9"
+# Trusted Services; aka. v1.1.0
+SRCREV_trusted-services = "83bd53b6689ebb071bc13fcd4e01618bab2e74ca"
LIC_FILES_CHKSUM = "file://${S}/license.rst;md5=ea160bac7f690a069c608516b17997f4"
S = "${WORKDIR}/git/trusted-services"
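Review bot: The two added SRC_URI entries leave the list with two `0001-` patches and the `0002-` entry ahead of the second `0001-`, so the numeric prefixes no longer match the order in which the list is applied. Renaming the last entry, e.g. `file://0003-Relax-pyelftools-dependency.patch`, keeps the series readable. The new comment `# Trusted Services; aka. v1.1.0` also disagrees with the commit description, which calls the SRCREV the "latest integration". The comment should say whether the hash is the v1.1.0 tag commit, as the other entries do with `tag "..."`, so the pin can be audited against upstream.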
@@ -24,14 +26,14 @@ SRC_URI += "git://github.com/dgibson/dtc;name=dtc;protocol=https;branch=main;des
SRCREV_dtc = "b6910bec11614980a21e46fbccc35934b671bd81"
LIC_FILES_CHKSUM += "file://../dtc/README.license;md5=a1eb22e37f09df5b5511b8a278992d0e"
-# MbedTLS, tag "v3.5.1"
-SRC_URI += "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=main;destsuffix=git/mbedtls"
-SRCREV_mbedtls = "15254759342494c7e969766d5424d78d7deb9bfa"
+# MbedTLS, tag "v3.6.0"
+SRC_URI += "gitsm://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;branch=master;destsuffix=git/mbedtls"
+SRCREV_mbedtls = "2ca6c285a0dd3f33982dd57299012dacab1ff206"
LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
-# Nanopb, tag "nanopb-0.4.7" plus some further fixes
+# Nanopb, tag "nanopb-0.4.8" plus some further fixes
SRC_URI += "git://github.com/nanopb/nanopb.git;name=nanopb;protocol=https;branch=master;destsuffix=git/nanopb"
-SRCREV_nanopb = "dbbf5d8992295aae669b8071eadad02f87d5faf0"
+SRCREV_nanopb = "6cfe48d6f1593f8fa5c0f90437f5e6522587745e"
LIC_FILES_CHKSUM += "file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f"
# qcbor, tag "v1.0.0"
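Review bot: Nothing in this hunk or the commit description records why the MbedTLS entry moves from `git://` to `gitsm://`, which makes the fetcher clone the submodules referenced by the pinned commit as well. `SRCREV_mbedtls` still fixes their revisions through the superproject commit, but the extra sources are not covered by the `LIC_FILES_CHKSUM` line, and source mirrors and offline builds now have to provide them too. A comment above the entry, e.g. `# gitsm: <reason submodules are required>`, would document this. The same line changes `branch=main` to `branch=master`, so it is worth confirming that the pinned v3.6.0 commit is reachable from that branch.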
@@ -63,11 +65,6 @@ do_apply_local_src_patches() {
apply_local_src_patches ${S}/external/nanopb ${WORKDIR}/git/nanopb
}
-do_config:append:() {
- # Fine tune MbedTLS configuration for crypto only operation.
- sh -c "cd ${WORKDIR}/git/mbedtls; python3 scripts/config.py crypto"
-}
-
# Paths to dependencies required by some TS SPs/tools
EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \
-DCPPUTEST_SOURCE_DIR=${WORKDIR}/git/cpputest \
Bump the TS SHA to latest integration. Set the version of TS dependencies as required. Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com> --- .../0001-Relax-pyelftools-dependency.patch | 31 +++ ...MbedTLS-3.6-and-GCC-14-compatibility.patch | 57 +++++ ...Remove-TEE-driver-external-component.patch | 223 ------------------ .../trusted-services/libts_git.bb | 2 - .../trusted-services/trusted-services-src.inc | 21 +- 5 files changed, 97 insertions(+), 237 deletions(-) create mode 100644 meta-arm/recipes-security/trusted-services/files/0001-Relax-pyelftools-dependency.patch create mode 100644 meta-arm/recipes-security/trusted-services/files/0002-Fix-MbedTLS-3.6-and-GCC-14-compatibility.patch delete mode 100644 meta-arm/recipes-security/trusted-services/libts/0001-Remove-TEE-driver-external-component.patch