| Message ID | 20251104082759.711246-1-s-joshi@ti.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Ryan Eatmon |
| Series | [meta-ti,scarthgap,v2] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11 |
PRC Results: PASS
=========================================================
check-yocto-patches: PASS
=========================================================
Patches
----------------------------------------
WARN - [meta-ti][scarthgap][PATCH v2] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
WARN: Commit message does not include file/recipe name: meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11. (COMMIT-MESSAGE-2)
patch
WARN: Commit message should not include directory path to recipe: meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11.
meta-ti-bsp: (COMMIT-MESSAGE-3)
patch
WARN: Revised patch missing a comment. (REVISION-1)
patch
=========================================================
apply-yocto-patch: PASS
=========================================================
scarthgap
=====================
Summary:
- Patch Series: [meta-ti][scarthgap][PATCH v2] meta-ti-bsp: optee: Add flags to enable RPMB and PKCS#11
- Submitter: From: Suhaas Joshi <s-joshi@ti.com>
- Date: Date: Tue, 4 Nov 2025 13:57:59 +0530
- Num Patches: 1
- Mailing List (public inbox) Commit SHA: afd486232381d1996ca3a09c8a7c3151bca4d3c7
Applied to:
- Repository: lcpd-prc-meta-ti
- Base Branch: scarthgap-wip
- Commit Author: Vishnu Singh <v-singh1@ti.com>
- Commit Subject: ti-librpmsg-dma: update ti-librpmsg-dma SRCREV & LICENSE
- Commit SHA: 879abf6914437e3a4da45fd515f33ac583bbddc5
Patches
----------------------------------------
All patches applied
=========================================================
check-yocto-repo: PASS
=========================================================
scarthgap
=====================
PASS
On 11/4/2025 2:27 AM, Suhaas Joshi via lists.yoctoproject.org wrote:
> RPMB is a secure storage mechanism used to store data in a separate
> partition of compliant storage devices such as eMMC, NVME etc. It is
> provided by TEEs, including OP-TEE.
>
> Add the following build options to optee_os:
> * CFG_REE_FS=n -> disables the default REE_FS, this is so that
> RPMB can be demonstrated
> * CFG_RPMB_FS=y -> enables the RPMB feature
> * CFG_RPMB_WRITE_KEY=y -> generates and automatically writes the RPMB
> key if not already written (see NOTE below).
> * CFG_PKCS11_TA=y -> enables PKCS#11 API support in the form of a
> Trusted Application. This commit also copies this TA to the
> relevant location.
>
> In optee_client, do the following:
> * Add RPMB_EMU=1 option. This is enabled by default, but even so,
> enable it explicitly. This option makes tee-supplicant emulate
> RPMB instead of using the actual hardware. The actual hardware
> should be used consciously since the key, once written, cannot be
> re-programmed. But in the emulated flow, each reboot wipes the key
> off, since the "emulated RPMB" is just a portion of primary
> memory.
> * Copy libckteec library files to relevant locations.
>
> NOTE:
>
> CFG_RPMB_WRITE_KEY=y sends the key in *plain text* to the normal Linux
> world. This might be OK in development environments, but it is a huge
> security risk in production! Therefore, this option must always be
> disabled in production images.
>
> RPMB_EMU=1 emulates RPMB, instead of using the real one. With
> CFG_RPMB_WRITE_KEY=y, it also prevents the key from being written to the
> real device. This option, also, must be disabled (RPMB_EMU=0) in
> production environment.
>
> Both of these options are enabled for the purposes of demo'ing RPMB
> examples only, but are unsuited for production.
> > Signed-off-by: Suhaas Joshi <s-joshi@ti.com> > --- > changes from v1: > - move "FILES-${PN}*" lines from .bbappend to .inc > - actually add RPMB_EMU=1 explicitly > - give a more elaborate explanation of CFG_RPMB_WRITE_KEY and RPMB_EMU > --- > .../optee/optee-client-ti-version.inc | 3 +++ > .../recipes-security/optee/optee-client_%.bbappend | 14 ++++++++++++++ > .../optee/optee-os-ti-overrides.inc | 10 ++++++---- > 3 files changed, 23 insertions(+), 4 deletions(-) > > diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc > index 289ca5b5..7e4505ff 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc > +++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc > @@ -1,2 +1,5 @@ > PV = "4.7.0+git" > SRCREV = "23c112a6f05cc5e39bd4aaf52ad515cad532237d" > + > +FILES:${PN} += "${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1 ${libdir}/libckteec.so.0.1.0" > +FILES:${PN}-dev += "${libdir}/libckteec.so" These changes should be in the new optee-client-ti-overrides.inc file (see next comment). The optee-client-ti-version.inc should just contain the needed information for changing the version. > diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > index f193e78b..1727caa5 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend 
> @@ -2,3 +2,17 @@ OPTEE_TI_VERSION = "" > OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc" > > require ${OPTEE_TI_VERSION} > + > +EXTRA_OEMAKE:append:am62xx = " RPMB_EMU=1" > +EXTRA_OEMAKE:append:am62px = " RPMB_EMU=1" > +EXTRA_OEMAKE:append:am62ax = " RPMB_EMU=1" > +EXTRA_OEMAKE:append:am62dx = " RPMB_EMU=1" > + > +do_install:append() { > + install -d ${D}${libdir} > + > + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/ > + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1 > + ln -v -sf libckteec.so.0.1 ${D}${libdir}/libckteec.so.0 > + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so > +} I think you missed Denys' point. There should be NOTHING in the bbappend file except for including two .inc files. So all of the changes above need to move into a new optee-client-ti-overrides.inc file, and the correct include lines in the bbappend. You can see the optee-os_%.bbappend for an example. Also, are these files needed for ALL platforms, just k3, or just the four listed above? Is this libckteec.so file related to the RPMB_EMU=1 option, or does it exist in all situations? > diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > index 61a74a06..0b940e5c 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc 
> @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" > EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" > EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}" > > -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1" > +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1" > +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1" > > do_compile:append:k3() { 
> @@ -49,6 +49,8 @@ do_install:append() { > install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true > install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true > install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true > + install -d ${D}${nonarch_base_libdir}/optee_armtz > + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz > } > > optee_deploy_legacyhs() { > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#19223): https://lists.yoctoproject.org/g/meta-ti/message/19223 > Mute This Topic: https://lists.yoctoproject.org/mt/116113939/6551054 > Group Owner: meta-ti+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-ti/unsub [reatmon@ti.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On 11/4/25 2:27 AM, Suhaas Joshi via lists.yoctoproject.org wrote:
> RPMB is a secure storage mechanism used to store data in a separate
> partition of compliant storage devices such as eMMC, NVME etc. It is
> provided by TEEs, including OP-TEE.
>
> Add the following build options to optee_os:
> * CFG_REE_FS=n -> disables the default REE_FS, this is so that
> RPMB can be demonstrated
> * CFG_RPMB_FS=y -> enables the RPMB feature
> * CFG_RPMB_WRITE_KEY=y -> generates and automatically writes the RPMB
> key if not already written (see NOTE below).
> * CFG_PKCS11_TA=y -> enables PKCS#11 API support in the form of a
> Trusted Application. This commit also copies this TA to the
> relevant location.
>
> In optee_client, do the following:
> * Add RPMB_EMU=1 option. This is enabled by default, but even so,
> enable it explicitly. This option makes tee-supplicant emulate
> RPMB instead of using the actual hardware. The actual hardware
> should be used consciously since the key, once written, cannot be
> re-programmed. But in the emulated flow, each reboot wipes the key
> off, since the "emulated RPMB" is just a portion of primary
> memory.
> * Copy libckteec library files to relevant locations.
>
> NOTE:
>
> CFG_RPMB_WRITE_KEY=y sends the key in *plain text* to the normal Linux
> world. This might be OK in development environments, but it is a huge
> security risk in production! Therefore, this option must always be
> disabled in production images.

Then NAK to having it enabled by default in meta-ti. No one is going to read this commit message and images will go into production with this enabled. If you want this for some demo, then write an app-note explaining how to enable it for factory RPMB programming (or just point out one of the many examples already in the OP-TEE docs).

Andrew

>
> RPMB_EMU=1 emulates RPMB, instead of using the real one. With
> CFG_RPMB_WRITE_KEY=y, it also prevents the key from being written to the
> real device.
> This option, also, must be disabled (RPMB_EMU=0) in > production environment. > > Both of these options are enabled for the purposes of demo'ing RPMB > examples only, but are unsuited for production. > > Signed-off-by: Suhaas Joshi <s-joshi@ti.com> > --- > changes from v1: > - move "FILES-${PN}*" lines from .bbappend to .inc > - actually add RPMB_EMU=1 explicitly > - give a more elaborate explanation of CFG_RPMB_WRITE_KEY and RPMB_EMU > --- > .../optee/optee-client-ti-version.inc | 3 +++ > .../recipes-security/optee/optee-client_%.bbappend | 14 ++++++++++++++ > .../optee/optee-os-ti-overrides.inc | 10 ++++++---- > 3 files changed, 23 insertions(+), 4 deletions(-) > > diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc > index 289ca5b5..7e4505ff 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc > +++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc > @@ -1,2 +1,5 @@ > PV = "4.7.0+git" > SRCREV = "23c112a6f05cc5e39bd4aaf52ad515cad532237d" > + > +FILES:${PN} += "${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1 ${libdir}/libckteec.so.0.1.0" > +FILES:${PN}-dev += "${libdir}/libckteec.so" > diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > index f193e78b..1727caa5 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend > +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend 
> @@ -2,3 +2,17 @@ OPTEE_TI_VERSION = "" > OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc" > > require ${OPTEE_TI_VERSION} > + > +EXTRA_OEMAKE:append:am62xx = " RPMB_EMU=1" > +EXTRA_OEMAKE:append:am62px = " RPMB_EMU=1" > +EXTRA_OEMAKE:append:am62ax = " RPMB_EMU=1" > +EXTRA_OEMAKE:append:am62dx = " RPMB_EMU=1" > + > +do_install:append() { > + install -d ${D}${libdir} > + > + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/ > + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1 > + ln -v -sf libckteec.so.0.1 ${D}${libdir}/libckteec.so.0 > + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so > +} > diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > index 61a74a06..0b940e5c 100644 > --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc > +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc 
> @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" > EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" > EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}" > > -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1" > +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1" > -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1" > +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" > EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1" > > do_compile:append:k3() { 
> @@ -49,6 +49,8 @@ do_install:append() { > install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true > install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true > install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true > + install -d ${D}${nonarch_base_libdir}/optee_armtz > + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz > } > > optee_deploy_legacyhs() {
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc index 289ca5b5..7e4505ff 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc +++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-version.inc @@ -1,2 +1,5 @@ PV = "4.7.0+git" SRCREV = "23c112a6f05cc5e39bd4aaf52ad515cad532237d" + +FILES:${PN} += "${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1 ${libdir}/libckteec.so.0.1.0" +FILES:${PN}-dev += "${libdir}/libckteec.so" diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend index f193e78b..1727caa5 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend @@ -2,3 +2,17 @@ OPTEE_TI_VERSION = "" OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc" require ${OPTEE_TI_VERSION} + +EXTRA_OEMAKE:append:am62xx = " RPMB_EMU=1" +EXTRA_OEMAKE:append:am62px = " RPMB_EMU=1" +EXTRA_OEMAKE:append:am62ax = " RPMB_EMU=1" +EXTRA_OEMAKE:append:am62dx = " RPMB_EMU=1" + +do_install:append() { + install -d ${D}${libdir} + + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/ + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1 + ln -v -sf libckteec.so.0.1 ${D}${libdir}/libckteec.so.0 + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so +} diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc index 61a74a06..0b940e5c 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc 
@@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}" -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1" +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1" +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y" EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1" do_compile:append:k3() { @@ -49,6 +49,8 @@ do_install:append() { install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true + install -d ${D}${nonarch_base_libdir}/optee_armtz + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz } optee_deploy_legacyhs() {
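Review bot: The two FILES:${PN} and FILES:${PN}-dev lines in the optee-client-ti-version.inc hunk are packaging policy, not version information, so they do not belong in the file whose only job is to pin PV and SRCREV; move them together with the rest of the optee-client changes into an overrides .inc (the optee-client-ti-overrides.inc already suggested in review), mirroring how optee-os splits -ti-version.inc from -ti-overrides.inc. Before keeping them at all, check whether the versioned libckteec.so.0* files and the unversioned libckteec.so are already picked up by the default FILES:${PN} and FILES:${PN}-dev globs for ${libdir}; if they are, these two lines are redundant and should be dropped rather than moved.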
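Review bot: The override names in the optee-client_%.bbappend hunk (am62px, am62ax, am62dx) do not match the ones the optee-os-ti-overrides.inc hunk uses for the same SoCs (am62pxx, am62axx, am62dxx); if the short forms are not defined overrides in this layer, three of the four RPMB_EMU=1 appends silently never apply, and optee-os and optee-client end up built with inconsistent RPMB settings on those machines. Use the same override names in both recipes. Separately, RPMB_EMU=1 is appended unconditionally with no variable a product image can set, while the commit message says production must build with RPMB_EMU=0; gate it on a weakly-assigned variable that defaults to the production value, for example `EXTRA_OEMAKE:append:am62xx = " RPMB_EMU=${OPTEE_RPMB_EMU}"` with `OPTEE_RPMB_EMU ??= "0"` (variable name is only a suggestion). The bbappend itself should then contain only the two require lines, as the optee-os_%.bbappend does, with the EXTRA_OEMAKE and do_install:append content in the overrides .inc. Finally, `install -m 0644 ${B}/libckteec/libckteec.so.0.1.0` and the three symlinks hard-code the library version, so the next SRCREV bump that changes the soname breaks do_install; take the name from the build output instead of a literal.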
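Review bot: In the `@@ -6,11 +6,11 @@` hunk, CFG_RPMB_WRITE_KEY=y and CFG_REE_FS=n become layer defaults for every am62xx, am62pxx, am62axx and am62dxx build, even though the commit message itself states that CFG_RPMB_WRITE_KEY=y exports the RPMB key in plain text to the normal world and must be disabled in production images. A BSP default cannot be "disabled in production" by a commit message; only CFG_RPMB_FS=y and CFG_PKCS11_TA=y are reasonable defaults, and the two demo flags should be opt-in behind a weakly-assigned variable or a distro/package feature that a product build leaves off. Note also the combined effect with the client hunk: with CFG_REE_FS=n here and RPMB_EMU=1 there, the only secure storage left is the emulated one that the commit message says is wiped on every reboot, so the default image ships with no persistent secure storage at all. Style point: the same flag string is repeated verbatim on four lines; put it in one variable and append that so the four SoCs cannot drift apart.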
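Review bot: The new TA install in the `@@ -49,6 +49,8 @@` hunk has no guard, but `${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta` only exists when CFG_PKCS11_TA=y, which the previous hunk sets for four SoC overrides only; the enclosing `do_install:append()` shown in the hunk header is not override-specific, so on am62lxx, j722s and any other k3 machine this `install -m 644` fails on a missing source file and breaks do_install. Either wrap it in `if [ -f ... ]; then ... fi`, move it under an override that matches the CFG_PKCS11_TA=y appends, or, least preferred but consistent with the surrounding lines, add the same `|| true` the other install lines use. Also, the rest of this function installs to `${nonarch_base_libdir}/firmware/` while this line targets `${nonarch_base_libdir}/optee_armtz`; a short comment that this is the directory tee-supplicant loads TAs from would save the next reader a lookup.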
RPMB is a secure storage mechanism used to store data in a separate
partition of compliant storage devices such as eMMC, NVME etc. It is
provided by TEEs, including OP-TEE.

Add the following build options to optee_os:
* CFG_REE_FS=n -> disables the default REE_FS, this is so that
  RPMB can be demonstrated
* CFG_RPMB_FS=y -> enables the RPMB feature
* CFG_RPMB_WRITE_KEY=y -> generates and automatically writes the RPMB
  key if not already written (see NOTE below).
* CFG_PKCS11_TA=y -> enables PKCS#11 API support in the form of a
  Trusted Application. This commit also copies this TA to the
  relevant location.

In optee_client, do the following:
* Add RPMB_EMU=1 option. This is enabled by default, but even so,
  enable it explicitly. This option makes tee-supplicant emulate
  RPMB instead of using the actual hardware. The actual hardware
  should be used consciously since the key, once written, cannot be
  re-programmed. But in the emulated flow, each reboot wipes the key
  off, since the "emulated RPMB" is just a portion of primary
  memory.
* Copy libckteec library files to relevant locations.

NOTE:

CFG_RPMB_WRITE_KEY=y sends the key in *plain text* to the normal Linux
world. This might be OK in development environments, but it is a huge
security risk in production! Therefore, this option must always be
disabled in production images.

RPMB_EMU=1 emulates RPMB, instead of using the real one. With
CFG_RPMB_WRITE_KEY=y, it also prevents the key from being written to the
real device. This option, also, must be disabled (RPMB_EMU=0) in
production environment.

Both of these options are enabled for the purposes of demo'ing RPMB
examples only, but are unsuited for production.
Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
---
changes from v1:
- move "FILES-${PN}*" lines from .bbappend to .inc
- actually add RPMB_EMU=1 explicitly
- give a more elaborate explanation of CFG_RPMB_WRITE_KEY and RPMB_EMU
---
 .../optee/optee-client-ti-version.inc              |  3 +++
 .../recipes-security/optee/optee-client_%.bbappend | 14 ++++++++++++++
 .../optee/optee-os-ti-overrides.inc                | 10 ++++++----
 3 files changed, 23 insertions(+), 4 deletions(-)
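The NOTE above says two of the options this patch turns on (CFG_RPMB_WRITE_KEY=y and RPMB_EMU=1) must never reach a production image, yet the patch sets them as unconditional layer defaults. The fragment below is an added example, not code from the submitted patch or from meta-ti, showing the same settings written so that those two options are opt-in. The switch variable OPTEE_RPMB_DEMO and the split into an optee-os half and an optee-client half are assumptions; the flag names, TA UUID and install paths are the ones used in the patch, and the override names follow the optee-os-ti-overrides.inc hunk.

```bitbake
# Added example, not from the meta-ti patch. OPTEE_RPMB_DEMO is an assumed
# variable name: a demo build sets OPTEE_RPMB_DEMO = "1" in local.conf,
# every other build gets the production-safe default below.
OPTEE_RPMB_DEMO ??= "0"

# ---- optee-os half (would live in optee-os-ti-overrides.inc) -------------

# Safe to ship: RPMB-backed secure storage plus the PKCS#11 TA.
OPTEE_RPMB_FLAGS = "CFG_RPMB_FS=y CFG_PKCS11_TA=y"

# Demo-only flags. CFG_RPMB_WRITE_KEY=y hands the RPMB key to the normal
# world in plain text, and CFG_REE_FS=n removes the persistent REE file
# system, so both stay empty unless the demo switch is set.
OPTEE_RPMB_DEMO_FLAGS = "${@ 'CFG_REE_FS=n CFG_RPMB_WRITE_KEY=y' if d.getVar('OPTEE_RPMB_DEMO') == '1' else ''}"

# Weak form, as submitted: one long literal per SoC with the demo flags
# always present, e.g.
#   EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=n CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_PKCS11_TA=y"
# Gated form: a single variable pair appended per SoC override.
EXTRA_OEMAKE:append:am62xx  = " CFG_TEE_CORE_LOG_LEVEL=1 ${OPTEE_RPMB_FLAGS} ${OPTEE_RPMB_DEMO_FLAGS}"
EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 ${OPTEE_RPMB_FLAGS} ${OPTEE_RPMB_DEMO_FLAGS}"
EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 ${OPTEE_RPMB_FLAGS} ${OPTEE_RPMB_DEMO_FLAGS}"
EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 ${OPTEE_RPMB_FLAGS} ${OPTEE_RPMB_DEMO_FLAGS}"

# Install the PKCS#11 TA only where CFG_PKCS11_TA=y actually produced it,
# so machines built without that flag do not fail do_install.
do_install:append() {
    if [ -f ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ]; then
        install -d ${D}${nonarch_base_libdir}/optee_armtz
        install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta \
            ${D}${nonarch_base_libdir}/optee_armtz
    fi
}

# ---- optee-client half (would live in optee-client-ti-overrides.inc) -----

# tee-supplicant emulates RPMB in normal-world memory only for the demo
# build; production builds use the real RPMB partition (RPMB_EMU=0), which
# the commit message says is required.
OPTEE_RPMB_EMU = "${@ '1' if d.getVar('OPTEE_RPMB_DEMO') == '1' else '0'}"
EXTRA_OEMAKE:append:am62xx  = " RPMB_EMU=${OPTEE_RPMB_EMU}"
EXTRA_OEMAKE:append:am62pxx = " RPMB_EMU=${OPTEE_RPMB_EMU}"
EXTRA_OEMAKE:append:am62axx = " RPMB_EMU=${OPTEE_RPMB_EMU}"
EXTRA_OEMAKE:append:am62dxx = " RPMB_EMU=${OPTEE_RPMB_EMU}"
```

Both halves key off the same variable, so optee-os and optee-client can never disagree about whether RPMB is emulated; with the default of "0" a production image keeps REE_FS, never exports the RPMB key, and still gets RPMB_FS and the PKCS#11 TA, which leaves the real RPMB key to be provisioned through a deliberate factory step rather than on first boot.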