From patchwork Wed Apr 2 14:16:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60615 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED0C1C3601A for ; Wed, 2 Apr 2025 14:17:10 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.9659.1743603424663220994 for ; Wed, 02 Apr 2025 07:17:05 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E14A91007; Wed, 2 Apr 2025 07:17:06 -0700 (PDT) Received: from gyoszi01-yocto.budapest.arm.com (ubul2.budapest.arm.com [10.45.25.74]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D29E63F63F; Wed, 2 Apr 2025 07:17:02 -0700 (PDT) From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , tom.hochstein@nxp.com, sahil.malhotra@nxp.com, Ross Burton Subject: [PATCH 1/6] optee-client: use udev rule and systemd service from upstream Date: Wed, 2 Apr 2025 16:16:47 +0200 Message-ID: <20250402141652.380180-1-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:10 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6435 
From: Mikko Rapeli Use backported upstream patch for udev rule and systemd service file. sysvinit script is still used from meta-arm. Don't install systemd service without systemd distro feature, other way round for sysvinit script. tee-supplicant started by systemd service runs as non-root teesuppl user with teepriv group. sysvinit still runs as root since busybox start-stop-daemon doesn't support -g group parameter and -u teesuppl doesn't seem to change the effective user. udev rules allow non-root /dev/tee* access from tee and /dev/teepriv* access from teepriv groups. Tested sysvinit changes with: $ kas build ci/qemuarm64-secureboot.yml:ci/poky.yml:ci/testimage.yml and systemd changes with: $ kas build ci/qemuarm64-secureboot.yml:ci/poky.yml:ci/testimage.yml:ci/uefi-secureboot.yml Cc: tom.hochstein@nxp.com Cc: sahil.malhotra@nxp.com Signed-off-by: Mikko Rapeli Signed-off-by: Ross Burton --- .../recipes-security/optee/optee-client.inc | 30 +-- ...dd-udev-rule-and-systemd-service-fil.patch | 186 ++++++++++++++++++ .../optee/optee-client/optee-udev.rules | 6 - .../optee-client/tee-supplicant@.service | 13 -- .../optee/optee-client_4.3.0.bb | 2 + 5 files changed, 205 insertions(+), 32 deletions(-) create mode 100644 meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch delete mode 100644 meta-arm/recipes-security/optee/optee-client/optee-udev.rules delete mode 100644 meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc index f387c805..fc48c302 100644 --- a/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/recipes-security/optee/optee-client.inc 
@@ -9,9 +9,7 @@ inherit systemd update-rc.d cmake useradd SRC_URI = " \ git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \ - file://tee-supplicant@.service \ file://tee-supplicant.sh \ - file://optee-udev.rules \ " UPSTREAM_CHECK_GITTAGREGEX = "^(?P\d+(\.\d+)+)$" @@ -20,20 +18,21 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = " \ -DBUILD_SHARED_LIBS=ON \ - -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \ " EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0" do_install:append() { - install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service - install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant - install -d ${D}${sysconfdir}/udev/rules.d - install -m 0644 ${UNPACKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules - - sed -i -e s:@sysconfdir@:${sysconfdir}:g \ - -e s:@sbindir@:${sbindir}:g \ - ${D}${systemd_system_unitdir}/tee-supplicant@.service \ - ${D}${sysconfdir}/init.d/tee-supplicant + # installed by default + if ! ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + rm -rf ${D}${libdir}/systemd + fi + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant + sed -i -e s:@sysconfdir@:${sysconfdir}:g \ + -e s:@sbindir@:${sbindir}:g \ + ${D}${sysconfdir}/init.d/tee-supplicant + fi + install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee } SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service" 
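Review bot: `install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee` is unconditional, yet the sysvinit branch just above it still starts tee-supplicant as root according to the commit message, so on a sysvinit image the daemon writes its secure-storage files as root under a teesuppl-owned 0700 directory; that works while root runs it, but leaves state that a later systemd-started, unprivileged tee-supplicant cannot rewrite, which deserves a comment such as `# state dir is owned by teesuppl (systemd path); the sysvinit script still runs the daemon as root`. Dropping `-DCFG_TEE_FS_PARENT_PATH` also means the compiled-in storage path now comes from upstream's `${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee` default; cmake.bbclass passes that variable as an absolute path as far as I recall, but it is worth confirming the binary embeds `/var/lib/tee` and not a prefix-relative `var/lib/tee`. The `SRC_URI` assignment at the top of the hunk continues from outside it.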
@@ -42,5 +41,10 @@ INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "tee-supplicant" INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ." +# Users and groups: +# tee group to access /dev/tee* +# teepriv group to acess /dev/teepriv*, only tee-supplicant +# teesuppl user and group teesuppl to run tee-supplicant USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM:${PN} = "--system teeclnt" +GROUPADD_PARAM:${PN} = "--system tee; --system teepriv; --system teesuppl" +USERADD_PARAM:${PN} = "--system -g teesuppl --groups teepriv --home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin teesuppl;" diff --git a/meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch b/meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch new file mode 100644 index 00000000..18c0d950 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch 
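Review bot: The new comment line `+# teepriv group to acess /dev/teepriv*` has a typo (`acess` → `access`), and the added `USERADD_PARAM:${PN}` ends with a stray `;` that `GROUPADD_PARAM` only uses as a separator between entries. Renaming the group from `teeclnt` to `tee` is fine for fresh images, but any existing rootfs, documentation or downstream layer that adds users to `teeclnt` silently loses /dev/tee* access, so a line in the comment block would help, e.g. `# NOTE: the former teeclnt group was replaced by tee; add users to tee for /dev/tee* access`. The `--home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin` choice matches the 0700 state directory do_install creates, which is the right shape for a service account.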
@@ -0,0 +1,186 @@ +From bf0d02758696ee7a9f7af9e95f85f5c238d0e109 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Wed, 2 Oct 2024 15:24:21 +0100 +Subject: [PATCH] tee-supplicant: add udev rule and systemd service file + +tee-supplicant startup with systemd init based +is non-trivial. Add sample udev rule and systemd +service files here so that distros can co-operate maintaining +them. + +Files are from meta-arm https://git.yoctoproject.org/meta-arm +at commit 7cce43e632daa8650f683ac726f9124681b302a4 with license +MIT and authors: + +Peter Griffin +Joshua Watt +Javier Tia +Mikko Rapeli + +With permission from the authors, files can be relicensed to +BSD-2-Clause like rest of optee client repo. + +The config files expect to find tee and teepriv system groups +and teesuppl user and group (part of teepriv group) for running +tee-supplicant. Additionally state directory /var/lib/tee +must be owned by teesuppl user and group with no rights +to other users. The groups and user can be changed via +CMake variables: + +CFG_TEE_GROUP +CFG_TEEPRIV_GROUP +CFG_TEE_SUPPL_USER +CFG_TEE_SUPPL_GROUP + +Change storage path from /data to /var/lib and +use standard CMake variables also for constructing install +paths which can be override to change the defaults: + +CMAKE_INSTALL_PREFIX, e.g. / +CMAKE_INSTALL_LIBDIR, e.g. /usr/lib +CMAKE_INSTALL_LOCALSTATEDIR /var + +Once these are setup, udev will start tee-supplicant in initramfs +or rootfs with teesuppl user and group when /dev/teepriv +device appears. The systemd service starts before tpm2.target +(new in systemd 256) which starts early in initramfs and in main rootfs. +This covers firmware TPM TA usecases for main rootfs encryption. When +stopping tee-supplicant, the ftpm kernel modules are removed and only +then the main process stopped to avoid fTPM breakage. These workarounds +may be removed once RPMB kernel and optee patches without tee-supplicant +are merged (Linux kernel >= 6.12-rc1, optee_os latest master or >= 4.4). 
+ +Tested on yocto meta-arm setup which runs fTPM and optee-test/xtest +under qemuarm64: + +$ git clone https://git.yoctoproject.org/meta-arm +$ cd meta-arm +$ SSTATE_DIR=$HOME/sstate DL_DIR=$HOME/download kas build \ +ci/qemuarm64-secureboot.yml:ci/poky-altcfg.yml:ci/testimage.yml + +Compiled image can be manually started to qemu serial console with: + +$ SSTATE_DIR=$HOME/sstate DL_DIR=$HOME/download kas shell \ +ci/qemuarm64-secureboot.yml:ci/poky-altcfg.yml:ci/testimage.yml +$ runqemu slirp nographic + +meta-arm maintainers run these tests as part of their CI. + +Note that if the tee-supplicant state directory /var/lib/tee +can not be accessed due permissions or other problems, then +tee-supplicant startup with systemd still works. Only optee-test/xtest +will be failing and fTPM kernel drivers fail to load with error +messages. + +Cc: Peter Griffin +Cc: Joshua Watt +Cc: Javier Tia +Acked-by: Jerome Forissier +Signed-off-by: Mikko Rapeli +--- + config.mk | 2 +- + libteec/CMakeLists.txt | 2 +- + tee-supplicant/CMakeLists.txt | 13 +++++++++++-- + tee-supplicant/optee-udev.rules.in | 7 +++++++ + tee-supplicant/tee-supplicant@.service.in | 17 +++++++++++++++++ + 5 files changed, 37 insertions(+), 4 deletions(-) + create mode 100644 tee-supplicant/optee-udev.rules.in + create mode 100644 tee-supplicant/tee-supplicant@.service.in + +Upstream-Status: Backport + +diff --git a/config.mk b/config.mk +index eae481f..3def087 100644 +--- a/config.mk ++++ b/config.mk +@@ -23,7 +23,7 @@ CFG_TEE_SUPP_LOG_LEVEL?=1 + # This folder can be created with the required permission in an init + # script during boot, else it will be created by the tee-supplicant on + # first REE FS access. +-CFG_TEE_FS_PARENT_PATH ?= /data/tee ++CFG_TEE_FS_PARENT_PATH ?= /var/lib/tee + + # CFG_TEE_CLIENT_LOG_FILE + # The location of the client log file when logging to file is enabled. 
+diff --git a/libteec/CMakeLists.txt b/libteec/CMakeLists.txt +index c742d31..c857369 100644 +--- a/libteec/CMakeLists.txt ++++ b/libteec/CMakeLists.txt +@@ -14,7 +14,7 @@ endif() + # Configuration flags always included + ################################################################################ + set(CFG_TEE_CLIENT_LOG_LEVEL "1" CACHE STRING "libteec log level") +-set(CFG_TEE_CLIENT_LOG_FILE "/data/tee/teec.log" CACHE STRING "Location of libteec log") ++set(CFG_TEE_CLIENT_LOG_FILE "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee/teec.log" CACHE STRING "Location of libteec log") + + ################################################################################ + # Source files +diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt +index 54a34c7..8df9bef 100644 +--- a/tee-supplicant/CMakeLists.txt ++++ b/tee-supplicant/CMakeLists.txt +@@ -11,10 +11,15 @@ option(CFG_TEE_SUPP_PLUGINS "Enable tee-supplicant plugin support" ON) + set(CFG_TEE_SUPP_LOG_LEVEL "1" CACHE STRING "tee-supplicant log level") + # FIXME: Question is, is this really needed? Should just use defaults from # GNUInstallDirs? + set(CFG_TEE_CLIENT_LOAD_PATH "/lib" CACHE STRING "Colon-separated list of paths where to look for TAs (see also --ta-dir)") +-set(CFG_TEE_FS_PARENT_PATH "/data/tee" CACHE STRING "Location of TEE filesystem (secure storage)") ++set(CFG_TEE_FS_PARENT_PATH "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee" CACHE STRING "Location of TEE filesystem (secure storage)") + # FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 in the c-file? 
+ set(CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API support")
+-set(CFG_TEE_PLUGIN_LOAD_PATH "/usr/lib/tee-supplicant/plugins/" CACHE STRING "tee-supplicant's plugins path")
++set(CFG_TEE_PLUGIN_LOAD_PATH "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/${PROJECT_NAME}/plugins/" CACHE STRING "tee-supplicant's plugins path")
++
++set(CFG_TEE_GROUP "tee" CACHE STRING "Group which has access to /dev/tee* devices")
++set(CFG_TEEPRIV_GROUP "teepriv" CACHE STRING "Group which has access to /dev/teepriv* devices")
++set(CFG_TEE_SUPPL_USER "teesuppl" CACHE STRING "User account which tee-supplicant is started with")
++set(CFG_TEE_SUPPL_GROUP "teesuppl" CACHE STRING "Group account which tee-supplicant is started with")
+
+ if(CFG_TEE_SUPP_PLUGINS)
+ set(CMAKE_INSTALL_RPATH "${CFG_TEE_PLUGIN_LOAD_PATH}")
+@@ -113,3 +118,7 @@ endif()
+ # Install targets
+ ################################################################################
+ install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
++configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY)
++install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
++configure_file(optee-udev.rules.in optee-udev.rules @ONLY)
++install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d)
+diff --git a/tee-supplicant/optee-udev.rules.in b/tee-supplicant/optee-udev.rules.in
+new file mode 100644
+index 0000000..275e833
+--- /dev/null
++++ b/tee-supplicant/optee-udev.rules.in
+@@ -0,0 +1,7 @@
++# SPDX-License-Identifier: BSD-2-Clause
++KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEE_GROUP@", TAG+="systemd"
++
++# If a /dev/teepriv[0-9]* device is detected, start an instance of
++# tee-supplicant.service with the device name as parameter
++KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEEPRIV_GROUP@", \
++ TAG+="systemd", 
ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
+diff --git a/tee-supplicant/tee-supplicant@.service.in b/tee-supplicant/tee-supplicant@.service.in
+new file mode 100644
+index 0000000..e53a935
+--- /dev/null
++++ b/tee-supplicant/tee-supplicant@.service.in
+@@ -0,0 +1,17 @@
++# SPDX-License-Identifier: BSD-2-Clause
++[Unit]
++Description=TEE Supplicant on %i
++DefaultDependencies=no
++After=dev-%i.device
++Wants=dev-%i.device
++Conflicts=shutdown.target
++Before=tpm2.target sysinit.target shutdown.target
++
++[Service]
++Type=notify
++User=@CFG_TEE_SUPPL_USER@
++Group=@CFG_TEE_SUPPL_GROUP@
++EnvironmentFile=-@CMAKE_INSTALL_SYSCONFDIR@/default/tee-supplicant
++ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS
++# Workaround for fTPM TA: stop kernel module before tee-supplicant
++ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
+-- 
+2.34.1
+
diff --git a/meta-arm/recipes-security/optee/optee-client/optee-udev.rules b/meta-arm/recipes-security/optee/optee-client/optee-udev.rules
deleted file mode 100644
index 075f469c..00000000
--- a/meta-arm/recipes-security/optee/optee-client/optee-udev.rules
+++ /dev/null
@@ -1,6 +0,0 @@
-KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
-
-# If a /dev/teepriv[0-9]* device is detected, start an instance of
-# tee-supplicant.service with the device name as parameter
-KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
- TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
deleted file mode 100644
index e3039fde..00000000
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
+++ /dev/null
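Review bot: In the new `tee-supplicant@.service.in` the unit runs as `User=@CFG_TEE_SUPPL_USER@`, so `ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"` is executed unprivileged; `modprobe -r` then fails and the leading `-` hides the failure, which silently defeats the fTPM ordering workaround that the old root-run unit (deleted further down in this commit) relied on. Running only that hook with full privileges, `ExecStop=-+/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"`, restores the behaviour while keeping the daemon itself unprivileged. Separately, `tee-supplicant/CMakeLists.txt` derives `CFG_TEE_FS_PARENT_PATH` from `${CMAKE_INSTALL_LOCALSTATEDIR}`, which GNUInstallDirs may leave prefix-relative (`var`); `${CMAKE_INSTALL_FULL_LOCALSTATEDIR}` is the absolute form the patch description assumes, though a build that passes an absolute value on the command line is unaffected. Since this is a backport carried as a layer patch, both fixes belong upstream first.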
@@ -1,13 +0,0 @@
-[Unit]
-Description=TEE Supplicant on %i
-DefaultDependencies=no
-After=dev-%i.device
-Wants=dev-%i.device
-Conflicts=shutdown.target
-Before=tpm2.target sysinit.target shutdown.target
-
-[Service]
-Type=notify
-EnvironmentFile=-@sysconfdir@/default/tee-supplicant
-ExecStart=@sbindir@/tee-supplicant $OPTARGS
-ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
diff --git a/meta-arm/recipes-security/optee/optee-client_4.3.0.bb b/meta-arm/recipes-security/optee/optee-client_4.3.0.bb
index 4a088004..edab4583 100644
--- a/meta-arm/recipes-security/optee/optee-client_4.3.0.bb
+++ b/meta-arm/recipes-security/optee/optee-client_4.3.0.bb
@@ -2,6 +2,8 @@ require recipes-security/optee/optee-client.inc SRCREV = "a5b1ffcd26e328af0bbf18ab448a38ecd558e05c" +SRC_URI += "file://0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch" + inherit pkgconfig DEPENDS += "util-linux" EXTRA_OEMAKE += "PKG_CONFIG=pkg-config" From patchwork Wed Apr 2 14:16:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60614 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D29DC3601E for ; Wed, 2 Apr 2025 14:17:11 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.9650.1743603425631481904 for ; Wed, 02 Apr 2025 07:17:05 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2BA881007; Wed, 2 Apr 2025 07:17:08 -0700 (PDT) Received: from gyoszi01-yocto.budapest.arm.com (ubul2.budapest.arm.com [10.45.25.74]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 4584B3F63F; Wed, 2 Apr 2025 07:17:04 -0700 (PDT) 
From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing , Bence Balogh , Ross Burton Subject: [PATCH 2/6] optee-os: add v4.4 Date: Wed, 2 Apr 2025 16:16:48 +0200 Message-ID: <20250402141652.380180-2-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:11 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6436 Add recipes to allow building OP-TEE v4.4. This is the first version carrying an SPMC implementation which supports branch protection. Update corstone1000: - to use the new op-tee version - `CFG_TZDRAM_SIZE` is increased further from `0x340000` to `0x360000` as version 4.4.0 of OP-TEE OS requires more memory Signed-off-by: Gyorgy Szing Signed-off-by: Bence Balogh Signed-off-by: Ross Burton optee-os: corstone1000: update to op-tee v4.4 Update OP-TEE version and add a patch to increase TZDRAM size to add more memory to OP-TEE.
Signed-off-by: Gyorgy Szing --- .../conf/machine/include/corstone1000.inc | 3 +- .../0002-increase-tzdram-size.patch | 28 ----------------- ...orstone1000-increase-CFG_TZDRAM_SIZE.patch | 30 +++++++++++++++++++ .../optee/optee-os-corstone1000-common.inc | 2 +- .../optee/optee-client_4.4.0.bb | 8 +++++ .../optee/optee-examples_4.4.0.bb | 4 +++ .../optee/optee-os-tadevkit_4.4.0.bb | 29 ++++++++++++++++++ .../recipes-security/optee/optee-os_4.4.0.bb | 11 +++++++ .../recipes-security/optee/optee-test.inc | 1 - .../optee/optee-test_4.4.0.bb | 15 ++++++++++ 10 files changed, 100 insertions(+), 31 deletions(-) delete mode 100644 meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch create mode 100644 meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-plat-corstone1000-increase-CFG_TZDRAM_SIZE.patch create mode 100644 meta-arm/recipes-security/optee/optee-client_4.4.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-examples_4.4.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_4.4.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os_4.4.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-test_4.4.0.bb diff --git a/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm-bsp/conf/machine/include/corstone1000.inc index df2a6044..57207499 100644 --- a/meta-arm-bsp/conf/machine/include/corstone1000.inc +++ b/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -14,7 +14,8 @@ TFA_BL2_BINARY = "bl2-corstone1000.bin" TFA_FIP_BINARY = "fip-corstone1000.bin" # optee -PREFERRED_VERSION_optee-os ?= "4.3.%" +PREFERRED_VERSION_optee-os ?= "4.4.%" +PREFERRED_VERSION_optee-client ?= "4.4.%" # Trusted Services TS_PLATFORM = "arm/corstone1000" 
diff --git a/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch b/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch deleted file mode 100644 index 0c89bd0e..00000000 --- a/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 1410d9e9c3e73b1319b98be67ad00c7630c4cb2e Mon Sep 17 00:00:00 2001 -From: Emekcan Aras -Date: Wed, 3 Apr 2024 16:05:07 +0100 -Subject: [PATCH] increase tzdram size - -Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/258b72d242cd1a8ae56c87f9572a0624084785c7] -Signed-off-by: Emekcan Aras -Signed-off-by: Harsimran Singh Tungal ---- - core/arch/arm/plat-corstone1000/conf.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/core/arch/arm/plat-corstone1000/conf.mk b/core/arch/arm/plat-corstone1000/conf.mk -index 98347b143..c2dd71f05 100644 ---- a/core/arch/arm/plat-corstone1000/conf.mk -+++ b/core/arch/arm/plat-corstone1000/conf.mk -@@ -34,7 +34,7 @@ CFG_TEE_CORE_NB_CORE ?= 1 - CFG_TZDRAM_START ?= 0x02002000 - - # TEE_RAM (OPTEE kernel + DATA) + TA_RAM = 3MB --CFG_TZDRAM_SIZE ?= 0x300000 -+CFG_TZDRAM_SIZE ?= 0x340000 - CFG_SHMEM_START ?= 0x86000000 - CFG_SHMEM_SIZE ?= 0x00200000 - --- -2.25.1 - diff --git a/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-plat-corstone1000-increase-CFG_TZDRAM_SIZE.patch b/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-plat-corstone1000-increase-CFG_TZDRAM_SIZE.patch new file mode 100644 index 00000000..851e2cd2 --- /dev/null +++ b/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-plat-corstone1000-increase-CFG_TZDRAM_SIZE.patch 
@@ -0,0 +1,30 @@ +From ce58e4d78dc7a4f3c3b08ee425461eb190d70543 Mon Sep 17 00:00:00 2001 +From: Bence Balogh +Date: Fri, 1 Nov 2024 00:45:53 +0100 +Subject: [PATCH] plat-corstone1000: increase CFG_TZDRAM_SIZE + +TZDRAM is a 4MB SRAM in Corstone-1000. Its start address is `0x0200_0000` +but the first 0x2000 bytes are reserved for future use. `CFG_TZDRAM_SIZE` +can be increased to `0x360000` so OP-TEE has more RAM. + +Signed-off-by: Bence Balogh +Upstream-Status: Pending +--- + core/arch/arm/plat-corstone1000/conf.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/core/arch/arm/plat-corstone1000/conf.mk b/core/arch/arm/plat-corstone1000/conf.mk +index 9fa0729d5..745dc958a 100644 +--- a/core/arch/arm/plat-corstone1000/conf.mk ++++ b/core/arch/arm/plat-corstone1000/conf.mk +@@ -34,7 +34,7 @@ CFG_TEE_CORE_NB_CORE ?= 1 + CFG_TZDRAM_START ?= 0x02002000 + + # TEE_RAM (OP-TEE kernel + DATA) + TA_RAM +-CFG_TZDRAM_SIZE ?= 0x340000 ++CFG_TZDRAM_SIZE ?= 0x360000 + CFG_SHMEM_START ?= 0x86000000 + CFG_SHMEM_SIZE ?= 0x00200000 + +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc b/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc index 482aab77..3f6452dc 100644 --- a/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc +++ b/meta-arm-bsp/recipes-security/optee/optee-os-corstone1000-common.inc @@ -1,7 +1,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files/optee-os/corstone1000:" SRC_URI:append = " \ file://0001-Handle-logging-syscall.patch \ - file://0002-increase-tzdram-size.patch \ + file://0002-plat-corstone1000-increase-CFG_TZDRAM_SIZE.patch \ " COMPATIBLE_MACHINE = "corstone1000" diff --git a/meta-arm/recipes-security/optee/optee-client_4.4.0.bb b/meta-arm/recipes-security/optee/optee-client_4.4.0.bb new file mode 100644 index 00000000..fa7b9564 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-client_4.4.0.bb 
@@ -0,0 +1,8 @@ +require recipes-security/optee/optee-client.inc + +# v4.4.0 +SRCREV = "d221676a58b305bddbf97db00395205b3038de8e" + +inherit pkgconfig +DEPENDS += "util-linux" +EXTRA_OEMAKE += "PKG_CONFIG=pkg-config" diff --git a/meta-arm/recipes-security/optee/optee-examples_4.4.0.bb b/meta-arm/recipes-security/optee/optee-examples_4.4.0.bb new file mode 100644 index 00000000..46f08384 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-examples_4.4.0.bb @@ -0,0 +1,4 @@ +require recipes-security/optee/optee-examples.inc + +# v4.4.0 +SRCREV = "378dc0db2d5dd279f58a3b6cb3f78ffd6b165035" diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_4.4.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.4.0.bb new file mode 100644 index 00000000..961d5251 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.4.0.bb @@ -0,0 +1,29 @@ +require recipes-security/optee/optee-os_${PV}.bb + +SUMMARY = "OP-TEE Trusted OS TA devkit" +DESCRIPTION = "OP-TEE TA devkit for build TAs" +HOMEPAGE = "https://www.op-tee.org/" + +DEPENDS += "python3-pycryptodome-native" + +do_install() { + #install TA devkit + install -d ${D}${includedir}/optee/export-user_ta/ + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do + cp -aR $f ${D}${includedir}/optee/export-user_ta/ + done +} + +do_deploy() { + echo "Do not inherit do_deploy from optee-os." +} + +FILES:${PN} = "${includedir}/optee/" + +# Build paths are currently embedded +INSANE_SKIP:${PN}-dev += "buildpaths" + +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/recipes-security/optee/optee-os_4.4.0.bb b/meta-arm/recipes-security/optee/optee-os_4.4.0.bb new file mode 100644 index 00000000..bd031ef7 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os_4.4.0.bb 
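Review bot: In `optee-os-tadevkit_4.4.0.bb`, `do_install` runs `cp -aR $f ${D}${includedir}/optee/export-user_ta/` with `$f` unquoted inside a glob loop; quoting it, `cp -aR "$f" ${D}${includedir}/optee/export-user_ta/`, or replacing the loop with a single `cp -aR ${B}/export-ta_${OPTEE_ARCH}/. ${D}${includedir}/optee/export-user_ta/`, avoids word splitting on unusual paths. `INSANE_SKIP:${PN}-dev += "buildpaths"` suppresses the reproducibility QA check rather than fixing the embedded paths; the comment `# Build paths are currently embedded` would serve a later reader better as `# Build paths are currently embedded (presumably in the exported devkit files); drop the INSANE_SKIP once upstream strips them`. The optee-client_4.4.0.bb and optee-examples_4.4.0.bb hunks on this line are plain SRCREV pins and need nothing.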
@@ -0,0 +1,11 @@ +require recipes-security/optee/optee-os.inc + +DEPENDS += "dtc-native" + +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +# v4.4.0 +SRCREV = "8f645256efc0dc66bd5c118778b0b50c44469ae1" +SRC_URI += " \ + file://0003-optee-enable-clang-support.patch \ + " diff --git a/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/recipes-security/optee/optee-test.inc index 58f10139..5f35ad9e 100644 --- a/meta-arm/recipes-security/optee/optee-test.inc +++ b/meta-arm/recipes-security/optee/optee-test.inc @@ -3,7 +3,6 @@ DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite" HOMEPAGE = "https://www.op-tee.org/" LICENSE = "BSD-2-Clause & GPL-2.0-only" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa" inherit python3native ptest inherit deploy diff --git a/meta-arm/recipes-security/optee/optee-test_4.4.0.bb b/meta-arm/recipes-security/optee/optee-test_4.4.0.bb new file mode 100644 index 00000000..d514c82c --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-test_4.4.0.bb 
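Review bot: Removing `-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"` from `optee-test.inc` means every versioned recipe that includes it must now set the checksum itself; `optee-test_4.4.0.bb` does, but the diffstat touches no older `optee-test_*.bb`, so unless those already override it they will fail the license-checksum QA check once this lands. Either keep the 4.3.0 value as a default in the .inc and override it in the 4.4.0 recipe, or add it to the older recipe in this same commit. The `optee-os_4.4.0.bb` hunk on this line references `file://0003-optee-enable-clang-support.patch`, which the diffstat does not create; presumably it already exists under `${THISDIR}/optee-os/`, but it is worth confirming it still applies cleanly to the 4.4.0 tree.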
@@ -0,0 +1,15 @@ +require recipes-security/optee/optee-test.inc + +# v4.4.0 +SRCREV = "695231ef8987866663a9ed5afd8f77d1bae3dc08" + +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" + + +# Include ffa_spmc test group if the SPMC test is enabled. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}" + +RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' arm-ffa-user', '' , d)}" From patchwork Wed Apr 2 14:16:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60616 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E3B5C369A0 for ; Wed, 2 Apr 2025 14:17:11 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.9663.1743603426586979965 for ; Wed, 02 Apr 2025 07:17:06 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 450CA1FC4; Wed, 2 Apr 2025 07:17:09 -0700 (PDT) Received: from gyoszi01-yocto.budapest.arm.com (ubul2.budapest.arm.com [10.45.25.74]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 857EF3F63F; Wed, 2 Apr 2025 07:17:05 -0700 (PDT) 
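Review bot: `LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560"` differs from the value the .inc carried for the previous release, so the license text changed between versions; the commit message should say what changed and confirm that `LICENSE = "BSD-2-Clause & GPL-2.0-only"` from the .inc still describes it, e.g. with a recipe comment `# LICENSE.md checksum updated for v4.4.0; terms unchanged` once verified. There are also two consecutive blank lines after the checksum line where one is enough. The `EXTRA_OEMAKE:append` and `RDEPENDS:${PN}` expressions mirror the tadevkit recipe, which is consistent.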
From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing , Ross Burton Subject: [PATCH 3/6] optee-client: fix udev and systemd handling Date: Wed, 2 Apr 2025 16:16:49 +0200 Message-ID: <20250402141652.380180-3-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:11 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6437 Eliminate the systemd specific install content fix-up commands appended to do_install. - patch optee-client to allow controlling installation of systemd and udev specific configuration files. - pass driver group names to optee-client build Signed-off-by: Gyorgy Szing Signed-off-by: Ross Burton --- .../recipes-security/optee/optee-client.inc | 12 ++- ...ant-update-udev-systemd-install-code.patch | 78 +++++++++++++++++++ .../optee/optee-client_4.3.0.bb | 3 +- .../optee/optee-client_4.4.0.bb | 1 + 4 files changed, 89 insertions(+), 5 deletions(-) create mode 100644 meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-update-udev-systemd-install-code.patch diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc index fc48c302..519041d6 100644 --- a/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/recipes-security/optee/optee-client.inc 
@@ -18,14 +18,16 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = " \ -DBUILD_SHARED_LIBS=ON \ + -DCFG_USE_PKGCONFIG=ON \ " + +EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=On -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/" +EXTRA_OECMAKE += " -DCFG_ENABLE_UDEV=On -DUDEV_UDEV_DIR=${nonarch_base_libdir}/udev/rules.d/" +EXTRA_OECMAKE += " -DCFG_TEE_GROUP=tee -DCFG_TEEPRIV_GROUP=teepriv" + EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0" do_install:append() { - # installed by default - if ! ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - rm -rf ${D}${libdir}/systemd - fi if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant sed -i -e s:@sysconfdir@:${sysconfdir}:g \ @@ -41,6 +43,8 @@ INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "tee-supplicant" INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ." +FILES:${PN} += "${nonarch_base_libdir}/udev/rules.d/" + # Users and groups: # tee group to access /dev/tee* # teepriv group to acess /dev/teepriv*, only tee-supplicant diff --git a/meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-update-udev-systemd-install-code.patch b/meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-update-udev-systemd-install-code.patch new file mode 100644 index 00000000..d243f297 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-client/0001-tee-supplicant-update-udev-systemd-install-code.patch 
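Review bot: `-DCFG_ENABLE_SYSTEMD=On` is now passed unconditionally while the `rm -rf ${D}${libdir}/systemd` fallback is removed, so on a distro without the systemd feature the unit file is still installed under `${systemd_system_unitdir}` with nothing packaging or removing it; tying the option to the distro feature, `EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'ON', 'OFF', d)} -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/"`, keeps the previous behaviour. `-DCFG_USE_PKGCONFIG=ON` and the explicit `SYSTEMD_UNIT_DIR`/`UDEV_UDEV_DIR` values are both given; the command-line cache entries win over the `set(... CACHE PATH ...)` calls in the added CMake code, which is presumably intended, but a one-line comment saying so would save the next reader a trip into the patch. The `do_install:append` body continues outside the hunk.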
@@ -0,0 +1,78 @@ +From 5ddaac7c0770a423eca0cb727403b2f06657ffea Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Tue, 14 Jan 2025 09:42:25 +0100 +Subject: [PATCH 1/1] tee-supplicant: update udev & systemd install code + +- Allow optionally using pkg-config to discover install location of + systemd service and udev rule files. +- Make systemd service file generation and installation optional. +- Make udev rule file generation and installation optional. + +Changes are backwards compatible and the default operation is unchanged. + +Upstream-Status: Pending + +Signed-off-by: Gyorgy Szing +--- + tee-supplicant/CMakeLists.txt | 39 +++++++++++++++++++++++++++++++---- + 1 file changed, 35 insertions(+), 4 deletions(-) + +diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt +index 8df9bef..ae1f5a4 100644 +--- a/tee-supplicant/CMakeLists.txt ++++ b/tee-supplicant/CMakeLists.txt +@@ -7,6 +7,9 @@ option(RPMB_EMU "Enable tee-supplicant to emulate RPMB" ON) + option(CFG_TA_GPROF_SUPPORT "Enable tee-supplicant support for TAs instrumented with gprof" ON) + option(CFG_FTRACE_SUPPORT "Enable tee-supplicant support for TAs instrumented with ftrace" ON) + option(CFG_TEE_SUPP_PLUGINS "Enable tee-supplicant plugin support" ON) ++option(CFG_ENABLE_SYSTEMD "Enable systemd service unit file generation." ON) ++option(CFG_ENABLE_UDEV "Enable udev rules file generation." ON) ++option(CFG_USE_PKGCONFIG "Use pkg-config for discovering install target directory for systemd and udev files." OFF) + + set(CFG_TEE_SUPP_LOG_LEVEL "1" CACHE STRING "tee-supplicant log level") + # FIXME: Question is, is this really needed? Should just use defaults from # GNUInstallDirs? 
+@@ -117,8 +120,36 @@ endif() + ################################################################################ + # Install targets + ################################################################################ ++# Discover target install location of the systemd and udev files using pkg-config ++if (CFG_USE_PKGCONFIG) ++ # Note: pkg-config should return setting valid for the target platform and not the host. ++ include(FindPkgConfig) ++ if (PKG_CONFIG_FOUND) ++ pkg_search_module(SYSTEMD systemd) ++ if (SYSTEMD_FOUND AND CFG_ENABLE_SYSTEMD) ++ pkg_get_variable(UNIT_DIR systemd systemd_system_unit_dir) ++ set(SYSTEMD_UNIT_DIR "${UNIT_DIR}" CACHE PATH "Location of systemd unit files.") ++ unset(UNIT_DIR) ++ endif() ++ pkg_search_module(UDEV udev) ++ if (UDEV_FOUND) ++ pkg_get_variable(UDEV_DIR udev udev_dir) ++ set(UDEV_UDEV_DIR "${UDEV_DIR}" CACHE PATH "Location of udev files.") ++ unset(UDEV_DIR) ++ endif() ++ endif() ++endif() ++ ++# Some sane defaults is discovering through pkgconfig fails or is disabled. 
++set(SYSTEMD_UNIT_DIR "${CMAKE_INSTALL_LIBDIR}/systemd/system" CACHE PATH "Location of systemd unit files.") ++set(UDEV_UDEV_DIR "${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d" CACHE PATH "Location of udev files.") ++ + install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}) +-configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY) +-install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system) +-configure_file(optee-udev.rules.in optee-udev.rules @ONLY) +-install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d) ++if (CFG_ENABLE_SYSTEMD) ++ configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY) ++ install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${SYSTEMD_UNIT_DIR}) ++endif() ++if (CFG_ENABLE_UDEV) ++ configure_file(optee-udev.rules.in optee-udev.rules @ONLY) ++ install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${UDEV_UDEV_DIR}) ++endif() +\ No newline at end of file +-- +2.43.0 + diff --git a/meta-arm/recipes-security/optee/optee-client_4.3.0.bb b/meta-arm/recipes-security/optee/optee-client_4.3.0.bb index edab4583..fae453ad 100644 --- a/meta-arm/recipes-security/optee/optee-client_4.3.0.bb +++ b/meta-arm/recipes-security/optee/optee-client_4.3.0.bb @@ -2,7 +2,8 @@ require recipes-security/optee/optee-client.inc SRCREV = "a5b1ffcd26e328af0bbf18ab448a38ecd558e05c" -SRC_URI += "file://0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch" +SRC_URI += "file://0001-tee-supplicant-add-udev-rule-and-systemd-service-fil.patch \ + file://0001-tee-supplicant-update-udev-systemd-install-code.patch" inherit pkgconfig DEPENDS += "util-linux" diff --git a/meta-arm/recipes-security/optee/optee-client_4.4.0.bb b/meta-arm/recipes-security/optee/optee-client_4.4.0.bb index fa7b9564..8bd03868 100644 
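Review bot: In the pkg-config branch, `pkg_get_variable(UDEV_DIR udev udev_dir)` returns the udev helper directory (udev.pc defines `udev_dir` as e.g. /usr/lib/udev, as far as I recall), and `install(... DESTINATION ${UDEV_UDEV_DIR})` would then drop optee-udev.rules straight into that directory instead of its rules.d subdirectory, where udev never reads it; the device nodes would silently keep their default root-only mode and the group-based access model would not take effect. The cache default two lines down uses `.../udev/rules.d`, so the discovered path should match it: `set(UDEV_UDEV_DIR "${UDEV_DIR}/rules.d" CACHE PATH "Location of udev rules files.")`. The meta-arm recipe masks this by passing -DUDEV_UDEV_DIR explicitly, but the patch is marked Upstream-Status: Pending, so upstream consumers of CFG_USE_PKGCONFIG would hit it. Two smaller points: the udev branch lacks the `AND CFG_ENABLE_UDEV` guard the systemd branch has, and the fallback comment should read `# Sane defaults in case discovery through pkg-config fails or is disabled.`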
--- a/meta-arm/recipes-security/optee/optee-client_4.4.0.bb +++ b/meta-arm/recipes-security/optee/optee-client_4.4.0.bb @@ -2,6 +2,7 @@ require recipes-security/optee/optee-client.inc # v4.4.0 SRCREV = "d221676a58b305bddbf97db00395205b3038de8e" +SRC_URI += "file://0001-tee-supplicant-update-udev-systemd-install-code.patch" inherit pkgconfig DEPENDS += "util-linux" From patchwork Wed Apr 2 14:16:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60611 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1266C3601B for ; Wed, 2 Apr 2025 14:17:10 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.9665.1743603427864772489 for ; Wed, 02 Apr 2025 07:17:07 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5E3BC1007; Wed, 2 Apr 2025 07:17:10 -0700 (PDT) Received: from gyoszi01-yocto.budapest.arm.com (ubul2.budapest.arm.com [10.45.25.74]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 9EBFD3F63F; Wed, 2 Apr 2025 07:17:06 -0700 (PDT) 
From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing , Ross Burton Subject: [PATCH 4/6] optee-client: drop privileges of tee-supplicant Date: Wed, 2 Apr 2025 16:16:50 +0200 Message-ID: <20250402141652.380180-4-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:10 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6438 Stop the tee-supplicant being run with root privileges when the system is not using systemd. Signed-off-by: Gyorgy Szing Signed-off-by: Ross Burton --- meta-arm/recipes-security/optee/optee-client.inc | 2 ++ meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc index 519041d6..ac003a24 100644 --- a/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/recipes-security/optee/optee-client.inc @@ -32,6 +32,8 @@ do_install:append() { install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant sed -i -e s:@sysconfdir@:${sysconfdir}:g \ -e s:@sbindir@:${sbindir}:g \ + -e s:@supluser@:teesuppl:g \ + -e s:@suplgroup@:teesuppl:g \ ${D}${sysconfdir}/init.d/tee-supplicant fi install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh index b4d21950..12e81770 100644 --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh 
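Review bot: The run-as user is now spelled out as a literal in three places — the two new `sed` substitutions here, the `install -o teesuppl -g teesuppl` below, and USERADD_PARAM outside the hunk — so a later rename will desync the init script from the account that actually exists. Since the next patch introduces `TEE_GROUP_NAME` for exactly this reason, the same treatment fits here: `TEE_SUPPL_USER ?= "teesuppl"` once in the .inc and `-e s:@supluser@:${TEE_SUPPL_USER}:g -e s:@suplgroup@:${TEE_SUPPL_USER}:g` in the sed. A one-line comment above the sed saying that the user must match USERADD_PARAM would help either way.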
@@ -14,7 +14,7 @@ test -f $DAEMON || exit 0 test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS -SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS" +SSD_OPTIONS="-c @supluser@:@suplgroup@ --oknodo --quiet --exec $DAEMON -- -d $OPTARGS" set -e From patchwork Wed Apr 2 14:16:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60612 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04806C36017 for ; Wed, 2 Apr 2025 14:17:11 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.9668.1743603428797460225 for ; Wed, 02 Apr 2025 07:17:08 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 77CD01F91; Wed, 2 Apr 2025 07:17:11 -0700 (PDT) Received: from gyoszi01-yocto.budapest.arm.com (ubul2.budapest.arm.com [10.45.25.74]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id B83023F63F; Wed, 2 Apr 2025 07:17:07 -0700 (PDT) 
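Review bot: `-c @supluser@:@suplgroup@` only achieves the privilege drop if the unprivileged supplicant can still open /dev/teepriv0, and nothing in this series provides that when the sysvinit image uses busybox-mdev: the optee-udev.rules that sets the node to 0660 root:teepriv is never applied there, so tee-supplicant would start as teesuppl and fail on the device (the commit message should at least state that udev is now a requirement, or an mdev.conf entry should be added). The supplementary `teepriv` group from USERADD_PARAM does get applied, because both dpkg and busybox `start-stop-daemon -c` call initgroups as far as I can tell; a comment `# -c drops to the unprivileged supplicant user; teepriv is picked up as a supplementary group` would save the next reader the check. SSD_OPTIONS is shared, so `-c` is also passed on the `--stop` path if the script reuses it there (the case body is outside the hunk); that is harmless but worth noting. Secure-storage paths must also be writable by teesuppl — the 0700 ${localstatedir}/lib/tee created in the recipe covers that only if the build points CFG_TEE_FS_PARENT_PATH there.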
From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing , Ross Burton Subject: [PATCH 5/6] optee-client: use the same tee group as libts Date: Wed, 2 Apr 2025 16:16:51 +0200 Message-ID: <20250402141652.380180-5-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:11 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6439 Change optee-client to use the same bitbake variable to configure the group name used for controlling access to /dev/tee* devices on the target. The aim is to simplify system configuration by aligning the two recipes. Signed-off-by: Gyorgy Szing Signed-off-by: Ross Burton --- meta-arm/recipes-security/optee/optee-client.inc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc index ac003a24..f9650249 100644 --- a/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/recipes-security/optee/optee-client.inc @@ -21,9 +21,12 @@ EXTRA_OECMAKE = " \ -DCFG_USE_PKGCONFIG=ON \ " +# libts uses /dev/tee devices too. Add a common variable to allow configuring the same group. +TEE_GROUP_NAME ?= "tee" + EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=On -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/" EXTRA_OECMAKE += " -DCFG_ENABLE_UDEV=On -DUDEV_UDEV_DIR=${nonarch_base_libdir}/udev/rules.d/" -EXTRA_OECMAKE += " -DCFG_TEE_GROUP=tee -DCFG_TEEPRIV_GROUP=teepriv" +EXTRA_OECMAKE += " -DCFG_TEE_GROUP=${TEE_GROUP_NAME} -DCFG_TEEPRIV_GROUP=teepriv" EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0" 
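Review bot: `TEE_GROUP_NAME ?= "tee"` is weak-defaulted in this .inc and, by the last patch, independently in libts-udev.inc; if a user overrides it per-recipe (e.g. `TEE_GROUP_NAME:pn-libts`), the udev rule from one package and the group created by the other diverge and /dev/tee* ends up owned by a group nobody is in. The comment should say where the knob is meant to live: `# Set globally (distro/local.conf) so optee-client and libts agree on the /dev/tee* group.` Note also that CFG_TEE_GROUP only reaches the udev rule; the USERADD_PARAM below the hunk still puts teesuppl in teepriv only, which is fine for the supplicant but should be stated so nobody expects ${TEE_GROUP_NAME} to carry supplicant access.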
@@ -48,9 +51,9 @@ INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ." FILES:${PN} += "${nonarch_base_libdir}/udev/rules.d/" # Users and groups: -# tee group to access /dev/tee* +# TEE_GROUP_NAME group to access /dev/tee* # teepriv group to acess /dev/teepriv*, only tee-supplicant # teesuppl user and group teesuppl to run tee-supplicant USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM:${PN} = "--system tee; --system teepriv; --system teesuppl" +GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}; --system teepriv; --system teesuppl" USERADD_PARAM:${PN} = "--system -g teesuppl --groups teepriv --home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin teesuppl;" From patchwork Wed Apr 2 14:16:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60613 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D50FC3601C for ; Wed, 2 Apr 2025 14:17:11 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.9653.1743603429780679734 for ; Wed, 02 Apr 2025 07:17:09 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6ADA21FC4; Wed, 2 Apr 2025 07:17:12 -0700 (PDT) Received: from gyoszi01-yocto.budapest.arm.com (ubul2.budapest.arm.com [10.45.25.74]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D18FE3F63F; Wed, 2 Apr 2025 07:17:08 -0700 (PDT) 
From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 6/6] arm/trusted-services: fix udev management in libts Date: Wed, 2 Apr 2025 16:16:52 +0200 Message-ID: <20250402141652.380180-6-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:11 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6440 - Change libts to stop making udev related configuration if optee-client is deployed to the target to avoid conflicts. - Remove the executable permission from installed tee-udev.rules file. - Remove teepriv device from udev file as this device is op-tee specific. Signed-off-by: Gyorgy Szing --- .../trusted-services/libts-udev.inc | 21 ++++++++++++++++++ .../trusted-services/libts/tee-udev.rules | 5 ----- .../trusted-services/libts_git.bb | 22 +++++-------------- 3 files changed, 26 insertions(+), 22 deletions(-) create mode 100644 meta-arm/recipes-security/trusted-services/libts-udev.inc diff --git a/meta-arm/recipes-security/trusted-services/libts-udev.inc b/meta-arm/recipes-security/trusted-services/libts-udev.inc new file mode 100644 index 00000000..2eedfefe --- /dev/null +++ b/meta-arm/recipes-security/trusted-services/libts-udev.inc 
@@ -0,0 +1,21 @@
+# Sour out /dev/tee* device creation and access control
+SRC_URI += "file://tee-udev.rules \
+ "
+
+# Unix group name for dev/tee* ownership.
+TEE_GROUP_NAME ?= "tee"
+
+do_install:append () {
+ if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
+ install -d ${D}${nonarch_base_libdir}/udev/rules.d/
+ install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
+ sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
+ fi
+}
+
+
+inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
+
+FILES:${PN} += " ${nonarch_base_libdir}/udev/rules.d/"
diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
index 43fafd8c..216fe993 100644
--- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -1,7 +1,2 @@
 # tee devices can only be accessed by the teeclnt group members
 KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
-
-# If a /dev/teepriv[0-9]* device is detected, start an instance of
-# tee-supplicant.service with the device name as parameter
-KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
- TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/recipes-security/trusted-services/libts_git.bb
index 635e4769..de299b9a 100644
--- a/meta-arm/recipes-security/trusted-services/libts_git.bb
+++ b/meta-arm/recipes-security/trusted-services/libts_git.bb
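Review bot: The commit message says the executable permission is removed from the installed tee-udev.rules, but the moved line still reads `install -m 755 ${UNPACKDIR}/tee-udev.rules ...`; udev rules are plain data and should be installed with `install -m 644 ...`. The `sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/"` replaces only the first match per line, which is enough for the two single-occurrence lines in the current rules file but would miss a second mention on one line, so a `g` flag is cheap insurance. Typo in the header comment: `# Sort out /dev/tee* device creation and access control`. The default group for libts also changes here from teeclnt to tee, which is a visible behaviour change for existing deployments and deserves a sentence in the commit message.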
@@ -5,24 +5,16 @@ TS_ENV = "arm-linux"
 require trusted-services.inc
-SRC_URI += "file://tee-udev.rules \
- file://0001-Remove-TEE-driver-external-component.patch \
+SRC_URI += "file://0001-Remove-TEE-driver-external-component.patch \
 "
+# If optee-client is not included, take care of udev and related configuration.
+require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)}
 OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"
 DEPENDS += "arm-ffa-user"
-# Unix group name for dev/tee* ownership.
-TEE_GROUP_NAME ?= "teeclnt"
-
 do_install:append () {
- if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
- install -d ${D}${nonarch_base_libdir}/udev/rules.d/
- install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
- sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
- fi
-
 # Move the dynamic libraries into the standard place.
 install -d ${D}${libdir}
 mv ${D}${TS_INSTALL}/lib/libts* ${D}${libdir}
@@ -34,9 +26,5 @@ do_install:append () {
 fi
 }
-inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
-
-FILES:${PN} = "${libdir}/libts.so.* ${nonarch_base_libdir}/udev/rules.d/"
-FILES:${PN}-dev = "${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts.so"
+FILES:${PN} += " ${libdir}/libts*.so.*"
+FILES:${PN}-dev += " ${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts*.so"
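Review bot: `require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)}` is evaluated while parsing the libts recipe, where IMAGE_INSTALL is normally unset because it is an image-recipe variable, so unless it is set globally in your distro or local.conf the conditional will almost always pull libts-udev.inc in and the conflict it is meant to avoid persists: both packages ship a rules.d file for `tee[0-9]*` and both add the tee group, and if the two TEE_GROUP_NAME values ever differ the rule that sorts last wins and the other package's users lose access. A recipe-level switch is the reliable way to express this — for instance a `PACKAGECONFIG[udev]` on libts that defaults on and that the distro turns off when optee-client owns the device nodes, with an `RCONFLICTS`/virtual `RPROVIDES` so only one udev owner can be installed. Tying package contents to which image is being built also means the same libts package can be produced two different ways, which is worth avoiding on its own. If IMAGE_INSTALL is in fact set globally in the intended configurations, please say so in the comment above the `require`.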