| Message ID | 20230215193355.9676-4-afd@ti.com |
|---|---|
| State | Accepted |
| Delegated to: | Ryan Eatmon |
| Headers | show |
| Series | ti-rtos-firmware and secdev | expand |
On Wed, Feb 15, 2023 at 01:33:43PM -0600, Andrew Davis via lists.yoctoproject.org wrote: > Use the new ti-k3-secdev package to pull in the signing tools if they are > not provided by the environment. This allows us to use these tools > unconditionally. Remove the checks for the script and do the signing > for all K3 machines. The signature is automatically stripped from > the binaries on non-HS devices at boot time as needed so this change > is harmless for GP devices. > > Signed-off-by: Andrew Davis <afd@ti.com> Tested-by: Denys Dmytriyenko <denys@konsulko.com> > --- > .../optee/optee-os_3.16%.bbappend | 43 +++---------------- > 1 file changed, 7 insertions(+), 36 deletions(-) > > diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > index 6913851b..1e0072ef 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend > @@ -1,14 +1,13 @@ > PV:ti-soc = "3.19.0+git${SRCPV}" > SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52" > > +# Use TI SECDEV for signing > +inherit ti-secdev > + > EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" > > EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1" > > -do_compile:prepend:ti-soc() { > - export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} > -} > - > do_compile:append:k3() { > ( cd ${B}/core/; \ > cp tee-pager_v2.bin ${B}/bl32.bin; \ > @@ -35,20 +34,6 @@ optee_sign_legacyhs() { > fi > } > > -# Signing procedure for K3 HS devices > -optee_sign_k3hs() { > - ( cd ${B}/core/; \ > - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ > - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \ > - else \ > - echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \ > - cp tee-pager_v2.bin tee-pager.bin.signed; \ > - fi; \ > - mv tee-pager.bin.signed ${B}/bl32.bin; \ > - cp tee.elf ${B}/bl32.elf; \ > - ) > -} > - > do_compile:append:ti43x() { > optee_sign_legacyhs > } > @@ -57,24 +42,10 @@ do_compile:append:dra7xx() { > optee_sign_legacyhs > } > > -do_compile:append:am65xx-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:am64xx-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j721e-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j7200-hs-evm() { > - optee_sign_k3hs > -} > - > -do_compile:append:j721s2-hs-evm() { > - optee_sign_k3hs > +# Signing procedure for K3 devices > +do_compile:append:k3() { > + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin > + cp ${B}/core/tee.elf ${B}/bl32.elf > } > > do_install:append:ti-soc() { > -- > 2.39.1
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend index 6913851b..1e0072ef 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend +++ b/meta-ti-bsp/recipes-security/optee/optee-os_3.16%.bbappend @@ -1,14 +1,13 @@ PV:ti-soc = "3.19.0+git${SRCPV}" SRCREV:ti-soc = "afacf356f9593a7f83cae9f96026824ec242ff52" +# Use TI SECDEV for signing +inherit ti-secdev + EXTRA_OEMAKE:append:k3 = "${@ ' CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" EXTRA_OEMAKE:append:am62xx = " CFG_WITH_SOFTWARE_PRNG=y CFG_TEE_CORE_LOG_LEVEL=1" -do_compile:prepend:ti-soc() { - export TI_SECURE_DEV_PKG=${TI_SECURE_DEV_PKG} -} - do_compile:append:k3() { ( cd ${B}/core/; \ cp tee-pager_v2.bin ${B}/bl32.bin; \ @@ -35,20 +34,6 @@ optee_sign_legacyhs() { fi } -# Signing procedure for K3 HS devices -optee_sign_k3hs() { - ( cd ${B}/core/; \ - if [ -f ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ]; then \ - ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh tee-pager_v2.bin tee-pager.bin.signed; \ - else \ - echo "Warning: TI_SECURE_DEV_PKG not set, OP-TEE not signed."; \ - cp tee-pager_v2.bin tee-pager.bin.signed; \ - fi; \ - mv tee-pager.bin.signed ${B}/bl32.bin; \ - cp tee.elf ${B}/bl32.elf; \ - ) -} - do_compile:append:ti43x() { optee_sign_legacyhs } @@ -57,24 +42,10 @@ do_compile:append:dra7xx() { optee_sign_legacyhs } -do_compile:append:am65xx-hs-evm() { - optee_sign_k3hs -} - -do_compile:append:am64xx-evm() { - optee_sign_k3hs -} - -do_compile:append:j721e-hs-evm() { - optee_sign_k3hs -} - -do_compile:append:j7200-hs-evm() { - optee_sign_k3hs -} - -do_compile:append:j721s2-hs-evm() { - optee_sign_k3hs +# Signing procedure for K3 devices +do_compile:append:k3() { + ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh ${B}/core/tee-pager_v2.bin ${B}/bl32.bin + cp ${B}/core/tee.elf ${B}/bl32.elf } do_install:append:ti-soc() {
Use the new ti-k3-secdev package to pull in the signing tools if they are not provided by the environment. This allows us to use these tools unconditionally. Remove the checks for the script and do the signing for all K3 machines. The signature is automatically stripped from the binaries on non-HS devices at boot time as needed so this change is harmless for GP devices. Signed-off-by: Andrew Davis <afd@ti.com> --- .../optee/optee-os_3.16%.bbappend | 43 +++---------------- 1 file changed, 7 insertions(+), 36 deletions(-)