
[1/2] arm/optee-ftpm: Switch to new fTPM TA fork

Message ID 20250714120714.337891-2-mariam.elshakfy@linaro.org
State New
Series optee: Switch to new optee-ftpm fork and fix CVE-2025-46733 | expand

Commit Message

Mariam Elshakfy July 14, 2025, 12:07 p.m. UTC
Use Linaro's optee-ftpm fork instead of the historical sample in
Microsoft's TPM reference.

Signed-off-by: Mariam Elshakfy <mariam.elshakfy@linaro.org>
---
 .../0001-add-enum-to-ta-flags.patch           | 27 -----------
 ...{optee-ftpm_git.bb => optee-ftpm_4.6.0.bb} | 46 +++++++++++--------
 2 files changed, 28 insertions(+), 45 deletions(-)
 delete mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch
 rename meta-arm/recipes-security/optee-ftpm/{optee-ftpm_git.bb => optee-ftpm_4.6.0.bb} (58%)

Patch

diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch
deleted file mode 100644
index 3506127c..00000000
--- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch
+++ /dev/null
@@ -1,27 +0,0 @@ 
-From 2bb67529a8b6096fadd3dd0cf740beded9a01432 Mon Sep 17 00:00:00 2001
-From: Maxim Uvarov <maxim.uvarov@linaro.org>
-Date: Fri, 17 Apr 2020 12:05:53 +0100
-Subject: [PATCH] add enum to ta flags
-
-If we compile this TA into OPTEE-OS we need to define a flag
-that this TA can be discovered on the optee bus.
-Upstream-Status: Submitted [https://github.com/microsoft/MSRSec/pull/34]
-
-Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
----
- .../ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h    | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
-index 92c33c169320..e83619d55d3c 100644
---- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
-+++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h
-@@ -44,7 +44,7 @@
- 
- #define TA_UUID                     TA_FTPM_UUID
- 
--#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE)
-+#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP)
- #define TA_STACK_SIZE               (64 * 1024)
- #define TA_DATA_SIZE                (32 * 1024)
- 
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb
similarity index 58%
rename from meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
rename to meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb
index 3d459d6f..f611a451 100644
--- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_git.bb
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb
@@ -15,37 +15,50 @@  inherit deploy python3native
 
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
 
 DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native "
 
 FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
 
-SRC_URI = "gitsm://github.com/Microsoft/ms-tpm-20-ref;branch=main;protocol=https \
-           file://0001-add-enum-to-ta-flags.patch"
-SRCREV = "e9fc7b89d865536c46deb63f9c7d0121a3ded49c"
+SRC_URI_ms-tpm   ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https"
+SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https"
+
+SRCBRANCH_ms-tpm    = "main"
+SRCBRANCH_optee-ta  = "master"
+
+SRC_URI = "\
+    ${SRC_URI_ms-tpm};branch=${SRCBRANCH_ms-tpm};name=ms-tpm;destsuffix=ms-tpm \
+    ${SRC_URI_optee-ta};branch=${SRCBRANCH_optee-ta};name=optee-ta;destsuffix=ms-tpm/optee-ta \
+"
+
+# As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference
+SRCREV_ms-tpm   ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a"
+
+# v4.6.0
+SRCREV_optee-ta ?= "6f99e783eb9bb57c314a881433d4ec970de87959"
+
+SRCREV_FORMAT    = "ms-tpm_optee-ta"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
+S = "${UNPACKDIR}/ms-tpm"
+
 OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
 TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
 TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
 
 EXTRA_OEMAKE += '\
-    CFG_FTPM_USE_WOLF=y \
     TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
-    TA_CROSS_COMPILE=${TARGET_PREFIX} \
-    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os" \
+    CROSS_COMPILE=${TARGET_PREFIX} \
+    CFG_MS_TPM_20_REF="${S}" \
+    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" \
 '
 
 EXTRA_OEMAKE:append:aarch64:qemuall = "\
     CFG_ARM64_ta_arm64=y \
 "
 
-# TODO: GCC 14.1 is finding genuine issues with the code but as upstream appear to be removing
-# the code we're building (https://github.com/microsoft/ms-tpm-20-ref/pull/108) lets just
-# ignore them for now.
-CFLAGS += "-Wno-implicit-function-declaration -Wno-incompatible-pointer-types"
-
 # python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
 # right path until this is relocated automatically.
 export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
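Review bot: `UPSTREAM_CHECK_COMMITS = "1"` survives the switch unchanged although the recipe now pins a tagged release (`# v4.6.0` above `SRCREV_optee-ta`) and is renamed `optee-ftpm_4.6.0.bb`, so the upstream check keeps reporting every new commit instead of new tags; as far as I know it also probes only the first `SRC_URI` entry, which is now `ms-tpm` rather than the repository the version comes from. Replacing it with `UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"` would match the new versioning, after confirming which entry the check follows. The comment on `SRCREV_ms-tpm` says the fork requires that exact ms-tpm commit but not where the requirement is stated; naming the file or document would let the next bump be verified, e.g. `# Pinned to the ms-tpm commit required by optee_ftpm v4.6.0 (documented in <location in the optee_ftpm repo>)`. The `?=` on the `SRC_URI_*` and `SRCREV_*` lines lets a layer or distro replace both the fetch location and the pinned revision; if that is intended, a one-line comment saying so would stop a later cleanup from tightening them to `=`, and if it is not, `=` is the safer default for a pinned source.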
@@ -53,22 +66,19 @@  export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
 PARALLEL_MAKE = ""
 
 do_compile() {
-    # The internal ${CC} includes the correct -mcpu option
-    sed -i 's/-mcpu=$(TA_CPU)//' Samples/ARM32-FirmwareTPM/optee_ta/fTPM/sub.mk
-    # there's also a secure variable storage TA called authvars
-    cd ${S}/Samples/ARM32-FirmwareTPM/optee_ta
+    cd ${S}/optee-ta
     oe_runmake
 }
 
 do_install () {
     mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
-    install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
-    install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
 }
 
 do_deploy () {
     install -d ${DEPLOYDIR}/optee
-    install -D -p -m 0644 ${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
 }
 
 addtask deploy before do_build after do_install
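Review bot: `do_compile` changes directory by hand into `${S}/optee-ta`, and `do_install` and `do_deploy` then spell out the same source subdirectory three more times when picking up `${FTPM_UUID}.ta` and `${FTPM_UUID}.stripped.elf`. Setting `B = "${S}/optee-ta"` next to `S` (defined in the previous hunk) would let `do_compile` start in the right place on its own, since base.bbclass runs the compile and install tasks with `${B}` as their working directory, and the install lines could then use `${B}/...`. Note that this is an in-tree build, so the fetched optee-ta checkout is modified by the compile; whether the TA makefile supports an out-of-tree output directory is not visible from this hunk.
```bitbake
S = "${UNPACKDIR}/ms-tpm"
B = "${S}/optee-ta"
# … unchanged: EXTRA_OEMAKE, OPENSSL_MODULES, PARALLEL_MAKE …
do_compile() {
    oe_runmake
}
# … unchanged: do_install/do_deploy, with ${S}/optee-ta replaced by ${B} …
```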