From 8ac378837660549b66ff21e3cc6dabed6d4f7f7f Mon Sep 17 00:00:00 2001 From: Sudeep Holla Date: Thu, 23 May 2024 15:16:41 +0100 Subject: [PATCH 1/4] docker: Use pip packages instead of debian for cryptography and pyelftools Some projects that depend on python cryptography and pyelftools packages fail to build even when debian packages are installed. However, the same works just fine with pip packages for the same. Hence, lets move those couple of debian packages to pip packages instead. Signed-off-by: Sudeep Holla --- docker/Dockerfile.slim | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.slim b/docker/Dockerfile.slim index bf3beb9..3ede369 100644 --- a/docker/Dockerfile.slim +++ b/docker/Dockerfile.slim @@ -109,9 +109,7 @@ RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProb mtools \ netcat-openbsd \ ninja-build \ - python3-cryptography \ python3-pip \ - python3-pyelftools \ python3-serial \ python-is-python3 \ rsync \ @@ -122,6 +120,10 @@ RUN apt-get install --assume-yes --no-install-recommends --option=debug::pkgProb xterm \ xz-utils \ zlib1g-dev +RUN pip3 install \ + cryptography \ + pyelftools + # Install packages requried by EDK2. # From https://developer.arm.com/documentation/102571/0100/Build-firmware-on-a-Linux-host. -- GitLab From 29ca8ec1383a1425fc4a2e9079565f156f462a34 Mon Sep 17 00:00:00 2001 From: Sudeep Holla Date: Sun, 12 Mar 2023 21:21:13 +0000 Subject: [PATCH 2/4] config: Add base configuration OPTEE OS partition This config adds support to build OPTEE OS. Currently only 64-bit mode is added as it is the one widely used and also to avoid dependency on 32-bit compilers. Signed-off-by: Sudeep Holla --- config/optee-base.yaml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 config/optee-base.yaml diff --git a/config/optee-base.yaml b/config/optee-base.yaml new file mode 100644 index 0000000..0cdcea6 --- /dev/null 
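Review bot: The added `RUN pip3 install` step in docker/Dockerfile.slim pulls `cryptography` and `pyelftools` from PyPI with no version, so each image rebuild can resolve to a different release and nothing ties the image to reviewed artifacts. Pin both, e.g. `RUN pip3 install --no-cache-dir cryptography==<PINNED_VERSION> pyelftools==<PINNED_VERSION>` (placeholders; the commit does not name the versions that were found to work), and consider a hash-checked requirements file installed with `--require-hashes`. Depending on the base image, which is not visible in this hunk, a system-wide pip install may be refused as an externally managed environment, so the build should be confirmed on the intended base. A comment above the step, such as `# pip builds are used because the Debian packages broke dependent project builds`, would keep the reason from living only in the commit message.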
+++ b/config/optee-base.yaml
@@ -0,0 +1,38 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ This provides the baseline for OPTEE 64-bit build.
+
+build:
+ # Provides secure partitions that run under Hafnium for demonstration.
+ optee:
+ repo:
+ remote: https://github.com/OP-TEE/optee_os.git
+ revision: 4.2.0
+
+ toolchain: aarch64-linux-gnu-
+
+ params:
+ CFG_ARM_GICV3: y
+ CFG_ARM64_core: y
+ CFG_CALLOUT: y
+ CFG_CORE_HEAP_SIZE: 131072
+ CFG_DEBUG_INFO: y
+ CFG_NOTIF_TEST_WD: y
+ CFG_TEE_CORE_LOG_LEVEL: 2
+ CFG_USER_TA_TARGETS: ta_arm64
+ CROSS_COMPILE: aarch64-linux-gnu-
+ CROSS_COMPILE_core: aarch64-linux-gnu-
+ CROSS_COMPILE_ta_arm64: aarch64-linux-gnu-
+ DEBUG: 0
+ PLATFORM: vexpress-fvp
+ build:
+ - make O=${param:builddir} ${param:join_equal} all
+
+ artifacts:
+ OPTEE_HDR_BIN: ${param:builddir}/core/tee-header_v2.bin
+ OPTEE_PAGER_BIN: ${param:builddir}/core/tee-pager_v2.bin
+ OPTEE_PAGEABLE_BIN: ${param:builddir}/core/tee-pageable_v2.bin
-- GitLab From db915c71431018a1e96c02d318f3a9fe6ca11602 Mon Sep 17 00:00:00 2001 From: Sudeep Holla Date: Tue, 4 Jun 2024 19:31:10 +0100 Subject: [PATCH 3/4] config: Add support to run optee in SEL1 with no FF-A or SEL2/Hafnium This is base configuration to run OPTEE in the secure world. It doesn't include any FF-A or S-EL2/Hafnium. This is useful to compare it with other configurations that include FF-A and/or Hafnium in S-EL2. Signed-off-by: Sudeep Holla
---
 config/ns-edk2-optee.yaml | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 config/ns-edk2-optee.yaml
diff --git a/config/ns-edk2-optee.yaml b/config/ns-edk2-optee.yaml
new file mode 100644
index 0000000..73bdc55
--- /dev/null
+++ b/config/ns-edk2-optee.yaml
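Review bot: `revision: 4.2.0` in the new `optee` build section looks like a tag name, and a tag can be moved upstream, so the secure-world image built from this config is not tied to fixed source. Pinning the full commit hash, `revision: <FULL_COMMIT_SHA_FOR_4.2.0>` (placeholder) with the tag kept in a trailing comment, would make the build reproducible; whether the `revision` field accepts a hash should be confirmed against the tool's repo handling, which is not shown here. Separately, the comment `# Provides secure partitions that run under Hafnium for demonstration.` does not match a file described as the OP-TEE 64-bit baseline, and `# Builds OP-TEE OS (64-bit) as the secure-world payload.` would be accurate. `CFG_DEBUG_INFO: y` and `CFG_NOTIF_TEST_WD: y` read as development or test settings and deserve a one-line comment saying this baseline is not a hardened configuration.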
@@ -0,0 +1,41 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+ Brings together a software stack to demonstrate OPTEE in secure EL1
+ with TF-A in secure EL3 but without FF-A and secure EL2(Hafnium).
+ Secure partition dispatcher exists inside OPTEE.
+
+concrete: true
+
+layers:
+ - ns-edk2.yaml
+ - optee-base.yaml
+
+build:
+ tfa:
+ params:
+ BL32: ${artifact:OPTEE_HDR_BIN}
+ BL32_EXTRA1: ${artifact:OPTEE_PAGER_BIN}
+ BL32_EXTRA2: ${artifact:OPTEE_PAGEABLE_BIN}
+ SPD: opteed
+ ARM_TSP_RAM_LOCATION: tdram
+ dt:
+ build:
+ # When using the default fvp-base-revc.dts, an overlay is added which
+ # adds extra properties that OPTEE requires to enable OPTEE driver
+ # in the kernel.
+ - if [ "$${DTS}" = "fvp-base-revc.dts" ]; then
+ - >-
+ OVERLAY="/ {
+ firmware {
+ optee {
+ compatible = \"linaro,optee-tz\";
+ method = \"smc\";
+ };
+ };
+ };"
+ - ( dtc -q -O dts -I dtb $${DTB_FINAL} ; echo -e "$${OVERLAY}" ) | dtc -q -O dtb -o $${DTB_FINAL}
+ - fi
-- GitLab From 9ff718e0d21690f6f3f3b901fabf32246ed9d549 Mon Sep 17 00:00:00 2001 From: Sudeep Holla Date: Fri, 21 Jun 2024 11:16:51 +0100 Subject: [PATCH 4/4] test: Include basic OPTEE without FF-A into test vector A configuration with OPTEE in secure EL1 with TF-A in secure EL3 without FF-A and secure EL2/Hafnium is being adding. Let us add the same into the test vector for build and boot test coverage. There is no ACPI binding for this non-FFA configuration of running OPTEE and hence no ACPI coverage needed for it. Signed-off-by: Sudeep Holla
---
 test/test.py | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/test/test.py b/test/test.py
index edf93e6..6bf64c9 100755
--- a/test/test.py
+++ b/test/test.py
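Review bot: In the `dt` build step the decompile's exit status is discarded (`dtc ... $${DTB_FINAL} ; echo -e ...`) and the pipeline writes to the same `$${DTB_FINAL}` it reads, so a failed or partial decompile could leave a damaged device tree in place rather than failing the build. Chaining with `&&`, quoting the path and writing to a temporary file first would make the step fail closed: `- ( dtc -q -O dts -I dtb "$${DTB_FINAL}" && echo -e "$${OVERLAY}" ) | dtc -q -O dtb -o "$${DTB_FINAL}.new" && mv "$${DTB_FINAL}.new" "$${DTB_FINAL}"`. When `$${DTS}` is not `fvp-base-revc.dts` the overlay is skipped silently, and a one-line comment that a custom DTS must already carry the `optee` firmware node would help. How these list items are joined into one script is decided outside this hunk, so the shell that interprets `echo -e` cannot be confirmed from here.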
@@ -49,6 +49,14 @@ CONFIGS = [
 },
 'arch': {'start': 'v8.0', 'end': ARCH_LATEST},
 },
+ {
+ 'config': 'ns-edk2-optee.yaml',
+ 'btvars': {},
+ 'rtvars': {
+ 'default': {'KERNEL': KERNEL, 'ROOTFS': ROOTFS},
+ },
+ 'arch': {'start': 'v8.0', 'end': ARCH_LATEST},
+ },
 {
 'config': 'ffa-tftf.yaml',
 'btvars': {},
-- GitLab
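Review bot: The new `ns-edk2-optee.yaml` entry carries only a `'default'` rtvars set, and the reason (no ACPI binding for OP-TEE without FF-A) is recorded only in the commit message. A comment on the entry, e.g. `# DT boot only: no ACPI binding exists for OP-TEE without FF-A`, would stop a later reader from treating the missing ACPI case as an oversight. The `CONFIGS` list starts and ends outside this hunk, so how neighbouring entries declare ACPI variants cannot be checked here.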