diff mbox series

[meta-rockchip,2/2] add support for baking OP-TEE OS into U-Boot proper binary

Message ID 20260126-optee-os-v1-2-874261a77dad@cherry.de
State New
Headers show
Series add support for (upstream) OP-TEE OS | expand

Commit Message

Quentin Schulz Jan. 26, 2026, 2:48 p.m. UTC 
From: Quentin Schulz <quentin.schulz@cherry.de>

TF-A has support for loading OP-TEE OS as BL32 which allows us to have
the following boot flow on supported Rockchip SoCs:

BootROM -> U-Boot TPL/SPL -> TF-A (BL31) -> OP-TEE OS (BL32) -> U-Boot
proper -> Linux kernel

TF-A must be built with support for the opteed payload via the SPD
variable. It can always be set, the downside is that if it's set and no
OP-TEE OS is available to load, it'll complain with

  ERROR:   Error initializing runtime service opteed_fast

but will still continue the boot flow.

U-Boot proper must be built with OPTEE_LIB enabled (forced enabled on
U-Boot v2026.01 when a TEE environment variable is set) otherwise random
crashes may happen while in Linux as the memory marked as secure for
OP-TEE OS isn't reserved and the kernel may use it and trigger a
security exception.

This has only been tested with `xtest` on PX30, RK3399 and RK3588
platforms, all tests pass. Note that this is unsecure by default as it's
using the default development key in OP-TEE OS tree which isn't secret
at all. I have not looked into how to provide your own key pair.

Note that xtest has two fails on RK3588 with OP-TEE OS v4.7.0. They are
fixed since v4.8.0 (v4.9.0 series for meta-arm has been posted
already[1]).

We also pass a few variables to make such that we avoid panics when an
FDT is passed by TF-A (happens when SPL_ATF_NO_PLATFORM_PARAM is not
set) due to the memory area to store the FDT being too small, also avoid
panics when the device is using a different console than the default in
OP-TEE OS by simply disabling the early console (thus relying on FDT to
find which one to write to) and enable Arm Cryptographic Extensions on
PX30 for faster crypto (xtest in 3m11s vs 3min32s).

[1] https://lore.kernel.org/yocto-meta-arm/20260121140356.16818-1-hugues.kambampiana@arm.com/
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
---
 README                                             | 42 ++++++++++++++++++++++
 conf/machine/include/px30.inc                      |  7 ++++
 conf/machine/include/rk3399.inc                    |  7 ++++
 conf/machine/include/rk3588s.inc                   |  7 ++++
 recipes-bsp/u-boot/u-boot-rockchip.inc             |  6 ++++
 .../optee/optee-os-tadevkit_%.bbappend             |  3 ++
 recipes-security/optee/optee-os_%.bbappend         | 19 ++++++++++
 recipes-security/optee/optee-test_%.bbappend       |  3 ++
 8 files changed, 94 insertions(+)
diff mbox series

Patch

diff --git a/README b/README
index c2697d1..f49fdb5 100644
--- a/README
+++ b/README
@@ -222,6 +222,48 @@  Notes:
 	NOTE: this variable must be set before any include/require in the
 	      machine configuration file
 
+  OP-TEE
+
+	PX30, RK3399 and RK3588 are all supported by upstream OP-TEE OS. By
+	default, OP-TEE OS is not baked into U-Boot.
+
+	You can bake OP-TEE OS in U-Boot by setting:
+
+		RK_UBOOT_TEE = "1"
+
+	in a configuration file.
+
+	Your U-Boot defconfig must enable CONFIG_OPTEE_LIB otherwise random
+	crashes in Linux will occur. It is force-enabled since v2026.01 so you
+	may omit this if running that or a more recent version.
+
+	Note that this has only been tested with upstream OP-TEE OS and upstream
+	TF-A. Please consider disabling CONFIG_SPL_ATF_NO_PLATFORM_PARAM in your
+	U-Boot's defconfig such that both upstream TF-A and OP-TEE OS are passed
+	the FDT (useful for debugging since it specifies the serial console).
+
+	Note that this is only adding OP-TEE OS to the U-Boot proper
+	(u-boot.itb) binary. It is *NOT* secure by default as it'll use
+	development keys contained in-tree, see
+	https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#trusted-application-private-public-keypair.
+	How to properly specify the private/public key pair is left to the user
+	for now.
+
+	By default, early console is disabled because a misconfiguration of the
+	serial console will silently crash your device. You may enable it again
+	by setting:
+
+		OPTEE_OS_EARLY_CONSOLE = "y"
+
+	This only controls early console, before OP-TEE OS finds the FDT and
+	parse it to know which UART controller to use.
+	If you are not using the default serial controller (UART2), you must
+	change CFG_EARLY_CONSOLE_BASE to the appropriate UART controller base
+	address. You may have to set CFG_EARLY_CONSOLE_SIZE if it isn't set by
+	default.
+	CFG_EARLY_CONSOLE_* variables must be passed directly via EXTRA_OEMAKE
+	BitBake variable.
+
 U-Boot Environment:
 ------------------
 	In order to configure U-Boot to be able to store its environment into the
diff --git a/conf/machine/include/px30.inc b/conf/machine/include/px30.inc
index 1997f6f..689a745 100644
--- a/conf/machine/include/px30.inc
+++ b/conf/machine/include/px30.inc
@@ -14,6 +14,13 @@  KBUILD_DEFCONFIG ?= "defconfig"
 
 TFA_PLATFORM = "px30"
 TFA_BUILD_TARGET = "bl31"
+# Allow TF-A to load OP-TEE OS
+# If no OP-TEE OS, it'll simply print
+#  ERROR:   Error initializing runtime service opteed_fast
+# and the boot process will continue.
+TFA_SPD ?= "opteed"
+
+OPTEEMACHINE = "rockchip-px30"
 
 UBOOT_SUFFIX ?= "itb"
 UBOOT_ENTRYPOINT ?= "0x06000000"
diff --git a/conf/machine/include/rk3399.inc b/conf/machine/include/rk3399.inc
index 166db7b..93594bc 100644
--- a/conf/machine/include/rk3399.inc
+++ b/conf/machine/include/rk3399.inc
@@ -14,6 +14,13 @@  KBUILD_DEFCONFIG ?= "defconfig"
 
 TFA_PLATFORM = "rk3399"
 TFA_BUILD_TARGET = "bl31"
+# Allow TF-A to load OP-TEE OS
+# If no OP-TEE OS, it'll simply print
+#  ERROR:   Error initializing runtime service opteed_fast
+# and the boot process will continue.
+TFA_SPD ?= "opteed"
+
+OPTEEMACHINE = "rockchip-rk3399"
 
 UBOOT_SUFFIX ?= "itb"
 UBOOT_ENTRYPOINT ?= "0x06000000"
diff --git a/conf/machine/include/rk3588s.inc b/conf/machine/include/rk3588s.inc
index 18c2fb2..ab16e1a 100644
--- a/conf/machine/include/rk3588s.inc
+++ b/conf/machine/include/rk3588s.inc
@@ -18,5 +18,12 @@  UBOOT_ENTRYPOINT ?= "0x06000000"
 
 TFA_PLATFORM = "rk3588"
 TFA_BUILD_TARGET = "bl31"
+# Allow TF-A to load OP-TEE OS
+# If no OP-TEE OS, it'll simply print
+#  ERROR:   Error initializing runtime service opteed_fast
+# and the boot process will continue.
+TFA_SPD ?= "opteed"
+
+OPTEEMACHINE = "rockchip-rk3588"
 
 ENABLE_STATELESS_VPU_GST ?= "1"
diff --git a/recipes-bsp/u-boot/u-boot-rockchip.inc b/recipes-bsp/u-boot/u-boot-rockchip.inc
index 2b5bbd7..19f7c8a 100644
--- a/recipes-bsp/u-boot/u-boot-rockchip.inc
+++ b/recipes-bsp/u-boot/u-boot-rockchip.inc
@@ -7,6 +7,12 @@  TFA_DEPENDS ??= ""
 TFA_DEPENDS:rockchip:aarch64 = " trusted-firmware-a:do_deploy"
 do_compile[depends] .= "${TFA_DEPENDS}"
 
+EXTRA_OEMAKE:append:rockchip = "${@' TEE=${DEPLOY_DIR_IMAGE}/optee/tee.bin' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
+
+TEE_DEPENDS ??= ""
+TEE_DEPENDS:rockchip = "${@' optee-os:do_deploy' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
+do_compile[depends] .= "${TEE_DEPENDS}"
+
 # No open-source TPL (yet)
 ROCKCHIP_TPL:closed-tpl = "${DEPLOY_DIR_IMAGE}/ddr-${SOC_FAMILY}.bin"
 # SOC_FAMILY for RK3588S is rk3588s but it should use the binaries from rk3588
diff --git a/recipes-security/optee/optee-os-tadevkit_%.bbappend b/recipes-security/optee/optee-os-tadevkit_%.bbappend
new file mode 100644
index 0000000..e4fc87b
--- /dev/null
+++ b/recipes-security/optee/optee-os-tadevkit_%.bbappend
@@ -0,0 +1,3 @@ 
+COMPATIBLE_MACHINE:px30 = "px30"
+COMPATIBLE_MACHINE:rk3399 = "rk3399"
+COMPATIBLE_MACHINE:rk3588s = "rk3588s"
diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
new file mode 100644
index 0000000..2a5ec8b
--- /dev/null
+++ b/recipes-security/optee/optee-os_%.bbappend
@@ -0,0 +1,19 @@ 
+# Increase size for FDT in OP-TEE OS to the one in TF-A since v2.13 to avoid
+# panics on 64+KiB FDT passed by U-Boot to TF-A to OP-TEE OS.
+# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged.
+EXTRA_OEMAKE:append:rockchip:aarch64 = " CFG_DTB_MAX_SIZE=0x60000"
+
+# Disable early console by default to avoid OP-TEE OS panicking on boards with
+# their UART console different from OP-TEE OS default (UART2 for rk322x, rk3399
+# and rk3588(s)).
+# In-tree default changes if https://github.com/OP-TEE/optee_os/pull/7688 merged
+OPTEE_OS_EARLY_CONSOLE ?= "n"
+EXTRA_OEMAKE:append:rockchip = " CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}"
+
+# Enable hardware acceleration using Arm Cryptography Extensions on PX30.
+# Can be removed once https://github.com/OP-TEE/optee_os/pull/7689 is merged.
+EXTRA_OEMAKE:append:px30 = " CFG_CRYPTO_WITH_CE=y"
+
+COMPATIBLE_MACHINE:px30 = "px30"
+COMPATIBLE_MACHINE:rk3399 = "rk3399"
+COMPATIBLE_MACHINE:rk3588s = "rk3588s"
diff --git a/recipes-security/optee/optee-test_%.bbappend b/recipes-security/optee/optee-test_%.bbappend
new file mode 100644
index 0000000..e4fc87b
--- /dev/null
+++ b/recipes-security/optee/optee-test_%.bbappend
@@ -0,0 +1,3 @@ 
+COMPATIBLE_MACHINE:px30 = "px30"
+COMPATIBLE_MACHINE:rk3399 = "rk3399"
+COMPATIBLE_MACHINE:rk3588s = "rk3588s"