Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

optee-os: add optee rpmb support #326

Merged
merged 3 commits into from
Sep 27, 2022
Merged

optee-os: add optee rpmb support #326

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d6dfb36
optee-os: add optee rpmb support
fr0st61te Jun 9, 2022
9621383
optee: add rpmb build setup
fr0st61te Jun 27, 2022
69fc6d3
optee: add patch prepend for prevention using secureboot and rpmb-setup
fr0st61te Jun 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,15 @@ config OTP_PROVISIONING
WARNING: This uses the dummy keys by default. Do not use these keys
in production, they are for demonstration purposes only.

config RPMB_SETUP
bool "OPTEE RPMB setup for OTP key write"
depends on IMAGE_BOOT_PG2 && !SECURE_BOOT
help
Enable one-time pairing between processor and secure storage
(RPMB on eMMC). Do not sign and distribute this version. Run it
only in a secure environment on the target device, then replace it
with signed production firmware and enable secure boot.

config KAS_INCLUDE_SECURE_BOOT
string
default "kas/opt/secure-boot.yml"
Expand All @@ -164,6 +173,11 @@ config KAS_INCLUDE_OTP_PROVISIONING
default "kas/opt/otpcmd/key-switch-2to3.yml" if OTP_PROVISIONING_KEY_SWITCHING_2TO3
depends on OTP_PROVISIONING

config KAS_INCLUDE_RPMB_SETUP
string
default "kas/opt/rpmb-setup.yml"
depends on RPMB_SETUP

comment "Build options"

config SDK
Expand Down
16 changes: 16 additions & 0 deletions kas/opt/rpmb-setup.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
#
# Copyright (c) Siemens AG, 2022
#
# Authors:
# Ivan Mikhaylov <[email protected]>
#
# This file is subject to the terms and conditions of the MIT License. See
# COPYING.MIT file in the top-level directory.
#

header:
version: 10

local_conf_header:
optee-os-iot2050_override: |
OVERRIDES .= ":rpmb-setup"
15 changes: 13 additions & 2 deletions ...s-bsp/optee-os/optee-os-iot2050_3.16.0.bb → ...s-bsp/optee-os/optee-os-iot2050_3.18.0.bb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
require recipes-bsp/optee-os/optee-os-custom.inc

SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz"
SRC_URI[sha256sum] = "ebc8e18ad2039ee97c34f74a7546de9119e26f04c368b6c7fd0c55f93d33d2d6"
SRC_URI[sha256sum] = "bdd309697745ec4406951652094b50d9adb06c3612f01bd8a3d72682ec8e03e8"

S = "${WORKDIR}/optee_os-${PV}"

Expand All @@ -22,7 +22,18 @@ OPTEE_NAME = "iot2050"
OPTEE_PLATFORM = "k3-am65x"
OPTEE_EXTRA_BUILDARGS = " \
CFG_ARM64_core=y CFG_TEE_CORE_LOG_LEVEL=2 CFG_USER_TA_TARGETS=ta_arm64 \
CFG_CONSOLE_UART=1"
CFG_CONSOLE_UART=1 CFG_RPMB_FS=y CFG_RPMB_FS_DEV_ID=1 CFG_CORE_DYN_SHM=y \
CFG_IN_TREE_EARLY_TAS=avb/023f8f1a-292a-432b-8fc4-de8471358067"

OPTEE_EXTRA_BUILDARGS_append_rpmb-setup = " CFG_RPMB_WRITE_KEY=y"

python do_patch_prepend() {
import re

overrides = d.getVar('OVERRIDES')
if re.search("rpmb-setup", overrides) and re.search("secureboot", overrides):
bb.fatal("Not possible to use Secure Boot and RPMB setup for OPTEE")
}
BaochengSu marked this conversation as resolved.
Show resolved Hide resolved

dpkg_runbuild_prepend() {
export TEE_IMPL_VERSION=${PV}
Expand Down