From d6dfb36bc718c9e1ce83ea8b8f9c8f822d96d59f Mon Sep 17 00:00:00 2001 From: Ivan Mikhaylov Date: Thu, 9 Jun 2022 12:34:54 -0400 Subject: [PATCH 1/3] optee-os: add optee rpmb support This patch provides rpmb support for IOT2050 on am65 which includes: * TISCI protocol support * DKEK retrieval * DDR setup for DYNSHM * compile option changes for optee Signed-off-by: Ivan Mikhaylov --- ...optee-os-iot2050_3.16.0.bb => optee-os-iot2050_3.18.0.bb} | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) rename recipes-bsp/optee-os/{optee-os-iot2050_3.16.0.bb => optee-os-iot2050_3.18.0.bb} (73%) diff --git a/recipes-bsp/optee-os/optee-os-iot2050_3.16.0.bb b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb similarity index 73% rename from recipes-bsp/optee-os/optee-os-iot2050_3.16.0.bb rename to recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb index dc56f7b86..6cc66b5a4 100644 --- a/recipes-bsp/optee-os/optee-os-iot2050_3.16.0.bb +++ b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb @@ -11,7 +11,7 @@ require recipes-bsp/optee-os/optee-os-custom.inc SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz" -SRC_URI[sha256sum] = "ebc8e18ad2039ee97c34f74a7546de9119e26f04c368b6c7fd0c55f93d33d2d6" +SRC_URI[sha256sum] = "bdd309697745ec4406951652094b50d9adb06c3612f01bd8a3d72682ec8e03e8" S = "${WORKDIR}/optee_os-${PV}" @@ -22,7 +22,8 @@ OPTEE_NAME = "iot2050" OPTEE_PLATFORM = "k3-am65x" OPTEE_EXTRA_BUILDARGS = " \ CFG_ARM64_core=y CFG_TEE_CORE_LOG_LEVEL=2 CFG_USER_TA_TARGETS=ta_arm64 \ - CFG_CONSOLE_UART=1" + CFG_CONSOLE_UART=1 CFG_RPMB_FS=y CFG_RPMB_FS_DEV_ID=1 CFG_CORE_DYN_SHM=y \ + CFG_IN_TREE_EARLY_TAS=avb/023f8f1a-292a-432b-8fc4-de8471358067" dpkg_runbuild_prepend() { export TEE_IMPL_VERSION=${PV} From 9621383ca7f5d3b73ae879b62cf211342b90a8ff Mon Sep 17 00:00:00 2001 From: Ivan Mikhaylov Date: Mon, 27 Jun 2022 14:03:49 -0400 Subject: [PATCH 2/3] optee: add rpmb build setup 
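Review bot: The new build arguments in the second hunk of the recipe (`CFG_RPMB_FS=y CFG_RPMB_FS_DEV_ID=1 CFG_CORE_DYN_SHM=y` and `CFG_IN_TREE_EARLY_TAS=avb/…`) carry no explanation, and the hard-coded device id and the choice of the AVB TA as an early TA are exactly the values a later maintainer will have to trace back. I would add a comment above the `OPTEE_EXTRA_BUILDARGS` assignment such as `# RPMB-backed secure storage on eMMC device 1 (CFG_RPMB_FS_DEV_ID); the AVB TA is embedded as an early TA so it needs no REE filesystem` and let the author state why `CFG_CORE_DYN_SHM=y` is required here, which I can only infer from the commit message. The message also lists TISCI protocol support, DKEK retrieval and DDR setup for DYNSHM, none of which appear in this diff; if they come with the upstream 3.18.0 bump, saying so would stop a reader from looking for missing hunks. The sha256sum hunk is a plain version bump.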
Signed-off-by: Ivan Mikhaylov --- Kconfig | 14 ++++++++++++++ kas/opt/rpmb-setup.yml | 16 ++++++++++++++++ recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb | 2 ++ 3 files changed, 32 insertions(+) create mode 100644 kas/opt/rpmb-setup.yml diff --git a/Kconfig b/Kconfig index d976b55e2..b42292acc 100644 --- a/Kconfig +++ b/Kconfig @@ -149,6 +149,15 @@ config OTP_PROVISIONING WARNING: This uses the dummy keys by default. Do not use these keys in production, they are for demonstration purposes only. +config RPMB_SETUP + bool "OPTEE RPMB setup for OTP key write" + depends on IMAGE_BOOT_PG2 && !SECURE_BOOT + help + Enable one-time pairing between processor and secure storage + (RPMB on eMMC). Do not sign and distribute this version. Run it + only in a secure environment on the target device, then replace it + with signed production firmware and enable secure boot. + config KAS_INCLUDE_SECURE_BOOT string default "kas/opt/secure-boot.yml" @@ -164,6 +173,11 @@ config KAS_INCLUDE_OTP_PROVISIONING default "kas/opt/otpcmd/key-switch-2to3.yml" if OTP_PROVISIONING_KEY_SWITCHING_2TO3 depends on OTP_PROVISIONING +config KAS_INCLUDE_RPMB_SETUP + string + default "kas/opt/rpmb-setup.yml" + depends on RPMB_SETUP + comment "Build options" config SDK diff --git a/kas/opt/rpmb-setup.yml b/kas/opt/rpmb-setup.yml new file mode 100644 index 000000000..d52977938 --- /dev/null +++ b/kas/opt/rpmb-setup.yml @@ -0,0 +1,16 @@ +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Ivan Mikhaylov +# +# This file is subject to the terms and conditions of the MIT License. See +# COPYING.MIT file in the top-level directory. +# + +header: + version: 10 + +local_conf_header: + optee-os-iot2050_override: | + OVERRIDES .= ":rpmb-setup" diff --git a/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb index 6cc66b5a4..4948dd653 100644 --- a/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb +++ b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb 
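Review bot: The help text of the new `RPMB_SETUP` option says the pairing is one-time but not why that matters for the `!SECURE_BOOT` gating on the `depends on` line: the RPMB authentication key can be programmed only once per eMMC device, so the pairing cannot be redone with a different key afterwards. I would add to the help: `The RPMB authentication key can be written only once per eMMC device; run this image exactly once on the board it was built for.` The `depends on IMAGE_BOOT_PG2 && !SECURE_BOOT` rule is re-checked in the recipe by the third patch's `do_patch_prepend`; a one-line comment at either place pointing to the other would keep the two from drifting apart. The `KAS_INCLUDE_RPMB_SETUP` hunk and the new `kas/opt/rpmb-setup.yml` need nothing beyond that.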
@@ -25,6 +25,8 @@ OPTEE_EXTRA_BUILDARGS = " \ CFG_CONSOLE_UART=1 CFG_RPMB_FS=y CFG_RPMB_FS_DEV_ID=1 CFG_CORE_DYN_SHM=y \ CFG_IN_TREE_EARLY_TAS=avb/023f8f1a-292a-432b-8fc4-de8471358067" +OPTEE_EXTRA_BUILDARGS_append_rpmb-setup = " CFG_RPMB_WRITE_KEY=y" + dpkg_runbuild_prepend() { export TEE_IMPL_VERSION=${PV} } From 69fc6d362b30a9c45e9acf7339e66099526c80b6 Mon Sep 17 00:00:00 2001 From: Ivan Mikhaylov Date: Thu, 30 Jun 2022 05:34:00 -0400 Subject: [PATCH 3/3] optee: add patch prepend for prevention using secureboot and rpmb-setup This patch provides do_patch_prepend for OPTEE recipe which needed for prevention of usage rpmb-setup and secureboot because rpmb-setup shouldn't be used on production systems. Signed-off-by: Ivan Mikhaylov --- recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb index 4948dd653..8cf69f5f9 100644 --- a/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb +++ b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb @@ -27,6 +27,14 @@ OPTEE_EXTRA_BUILDARGS = " \ OPTEE_EXTRA_BUILDARGS_append_rpmb-setup = " CFG_RPMB_WRITE_KEY=y" +python do_patch_prepend() { + import re + + overrides = d.getVar('OVERRIDES') + if re.search("rpmb-setup", overrides) and re.search("secureboot", overrides): + bb.fatal("Not possible to use Secure Boot and RPMB setup for OPTEE") +} + dpkg_runbuild_prepend() { export TEE_IMPL_VERSION=${PV} }
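Review bot: `OPTEE_EXTRA_BUILDARGS_append_rpmb-setup = " CFG_RPMB_WRITE_KEY=y"` is the single line that separates the pairing firmware from the production one, and it has no comment. I would put above it: `# rpmb-setup override only: lets OP-TEE program the RPMB authentication key on first use. Never enable in a signed or distributed image; see RPMB_SETUP in Kconfig.` The override name is coupled to the `OVERRIDES .= ":rpmb-setup"` line in kas/opt/rpmb-setup.yml from the same patch, so naming that file in the comment helps whoever renames either side. The `_append_<override>` spelling matches the recipe's existing `dpkg_runbuild_prepend`, so the old-style syntax is at least consistent within this file.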
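Review bot: The guard in the new `do_patch_prepend` does a regex substring search on the OVERRIDES string, so any override that merely contains `secureboot` or `rpmb-setup` as a substring also trips it, and `re.search` raises `TypeError` should `d.getVar('OVERRIDES')` ever return None. Splitting on the colon separator is exact and needs no `re`: `overrides = (d.getVar('OVERRIDES') or '').split(':')` followed by `if 'rpmb-setup' in overrides and 'secureboot' in overrides:`, with the `import re` line dropped. Whether `secureboot` is the override name actually added by kas/opt/secure-boot.yml is not visible in this series and is worth confirming, because a mismatch would silently disable the check while the Kconfig `!SECURE_BOOT` dependency remains the only barrier. A parse-time anonymous python function would reject the combination before any task runs, but do_patch is early enough for the purpose the commit message gives.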