diff --git a/meta-digi-arm/conf/machine/include/ccmp2.inc b/meta-digi-arm/conf/machine/include/ccmp2.inc
index 90b82496d..a5020a602 100644
--- a/meta-digi-arm/conf/machine/include/ccmp2.inc
+++ b/meta-digi-arm/conf/machine/include/ccmp2.inc
@@ -42,6 +42,8 @@ TF_A_METADATA_TOOL_ARGS ?= "-g -i 1 -b 2 -v ${TF_A_METADATA_TOOL_VERSION} ${DEVI
 # optee-os
 # =========================================================================
 PREFERRED_PROVIDER_virtual/optee-os = "optee-os-stm32mp"
+# OPTEE runtime packages to install
+OPTEE_PKGS ??= "optee-client"
 # =========================================================================
 # Kernel
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/create-tee-supplicant-env b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/create-tee-supplicant-env
new file mode 100644
index 000000000..c9db5584e
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/create-tee-supplicant-env
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Create a systemd environment file for tee-supplicant
+# $1 is the path to the file to be generated.
+# At the moment this figures out the --rpmb-cid parameter to be given to
+# tee-supplicant, indicating which eMMC device OP-TEE should use for RPMB
+# storage.
+# No file is generated if no device is found (not an error) or if multiple
+# eMMCs are found (which is an error).
+[ "$1" ] || { echo Usage: $0 FILE >&2; exit 1; }
+touch $1
+for f in /sys/class/mmc_host/mmc*/mmc*\:*/mmcblk?rmpb; do
+ [ "$CID" ] && { echo $0: Multiple eMMC devices found, not chosing one automatically >&2; exit 2; }
+ # POSIX shells don't expand globbing patterns that match no file
+ [ -e $f ] || exit 0
+ CID=$(cat $(dirname $f)/cid)
+done
+[ "$CID" ] && echo RPMB_CID="--rpmb-cid $CID" >$1
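Review bot: The glob in the `for` line looks for `mmcblk?rmpb`, but the kernel exposes the RPMB partition as `mmcblkNrpmb` (the script's own header says "RPMB"); if that is a transposition, the pattern never matches, `[ -e $f ] || exit 0` fires on the first iteration and no `--rpmb-cid` is ever produced, so the supplicant silently runs without RPMB — please verify the name on target and change it to `mmcblk?rpmb`. Independently, `touch $1` creates but never truncates the output, so on the no-eMMC path (which exits before the final `echo … >$1`) whatever was previously at that path — from an earlier boot or any other writer of the same file — is left in place and later consumed as supplicant arguments; use `: >"$1"` instead of `touch $1` so the file is empty unless a CID was found. The `$1` and `$f` expansions are unquoted throughout (`touch $1`, `[ -e $f ]`, `cat $(dirname $f)/cid`, `>$1`); quote them as `"$1"`, `"$f"` and `"$(dirname "$f")/cid"`. The diagnostic on the multiple-device line also misspells "choosing".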
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/optee-udev.rules b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/optee-udev.rules
new file mode 100644
index 000000000..63101d993
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/optee-udev.rules
@@ -0,0 +1,2 @@
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee.device"
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", TAG+="systemd", ENV{SYSTEMD_WANTS}+="teepriv.device"
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/tee-supplicant.service b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/tee-supplicant.service
new file mode 100644
index 000000000..bfcc56b6e
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/tee-supplicant.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=TEE Supplicant
+Wants=dev-tee0.device
+After=dev-tee0.device
+After=systemd-udevd.service
+[Service]
+User=tee
+Group=tee
+EnvironmentFile=-/etc/default/tee-supplicant
+ExecStartPre=/usr/sbin/create-tee-supplicant-env /tmp/tee-supplicant.env
+EnvironmentFile=-/tmp/tee-supplicant.env
+ExecStart=/usr/sbin/tee-supplicant $RPMB_CID $OPTARGS
+[Install]
+WantedBy=basic.target
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
new file mode 100755
index 000000000..1fde6e3ff
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
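Review bot: Neither rule carries a comment explaining the group split the recipe depends on (tee-supplicant in `tee` for `/dev/teepriv*`, client applications in `teeclnt` for `/dev/tee*`), and the `ENV{SYSTEMD_WANTS}+="tee.device"` / `"teepriv.device"` additions name units that nothing in this patch defines, while the service itself only pulls in `dev-tee0.device`. If the intent is to start the supplicant when the privileged device appears, `ENV{SYSTEMD_WANTS}+="tee-supplicant.service"` on the `teepriv` rule would do that; if the extra device units are deliberate placeholders, a comment saying so would save the next reader a search. At minimum prefix the rules with `# /dev/tee*: client applications must be members of group teeclnt` and `# /dev/teepriv*: tee-supplicant runs as user tee, group tee`.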
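Review bot: `ExecStartPre` writes the file that `EnvironmentFile=-/tmp/tee-supplicant.env` feeds into `ExecStart`'s unquoted `$RPMB_CID $OPTARGS` into world-writable `/tmp`, and because the unit runs as `User=tee` the helper cannot reclaim a file another local user has pre-created at that fixed path; with the helper exiting early on the no-eMMC path without rewriting the file, such pre-created content would presumably be read as supplicant arguments (word-split, since the expansions are unquoted). Ask systemd for a private, tee-owned directory instead — `RuntimeDirectory=tee-supplicant` with `RuntimeDirectoryMode=0700` — and point both the helper and the `EnvironmentFile=` at `/run/tee-supplicant/env`. `NoNewPrivileges=yes` is a free addition for a long-running daemon talking to the TEE; stricter sandboxing (`ProtectSystem=strict` plus `ReadWritePaths=` for the secure-storage directory) is worth trying but needs access to `/dev/teepriv0` and the RPMB block device confirmed on target before enabling.
```ini
# … unchanged: [Unit] section …
[Service]
User=tee
Group=tee
# Private scratch dir owned by the service user instead of world-writable /tmp
RuntimeDirectory=tee-supplicant
RuntimeDirectoryMode=0700
EnvironmentFile=-/etc/default/tee-supplicant
ExecStartPre=/usr/sbin/create-tee-supplicant-env /run/tee-supplicant/env
EnvironmentFile=-/run/tee-supplicant/env
ExecStart=/usr/sbin/tee-supplicant $RPMB_CID $OPTARGS
NoNewPrivileges=yes
# … unchanged: [Install] section …
```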
@@ -0,0 +1,58 @@
+SUMMARY = "OPTEE Client"
+HOMEPAGE = "https://github.com/OP-TEE/optee_client"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+inherit python3native systemd cmake pkgconfig
+SRC_URI = "git://github.com/OP-TEE/optee_client.git;protocol=https;branch=master \
+ file://tee-supplicant.service \
+ file://create-tee-supplicant-env \
+ file://optee-udev.rules \
+ "
+SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
+PV = "4.0.0+git${SRCPV}"
+S = "${WORKDIR}/git"
+DEPENDS += "util-linux-libuuid"
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+EXTRA_OECMAKE = " \
+ -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+ -DCFG_WERROR=OFF \
+ -DCFG_TEE_CLIENT_LOG_LEVEL=2 \
+ -DCFG_TEE_CLIENT_LOG_FILE='/data/tee/teec.log' \
+ -DBUILD_SHARED_LIBS=ON \
+ -DRPMB_EMU=0 \
+ "
+do_install:append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ sed -i -e s:/etc:${sysconfdir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ ${WORKDIR}/tee-supplicant.service
+ install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+ install -D -p -m0755 ${WORKDIR}/create-tee-supplicant-env ${D}${sbindir}/
+ fi
+ install -d ${D}${sysconfdir}/udev/rules.d
+ install -m 0644 ${WORKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules
+ install -d -m770 -o root -g tee ${D}${localstatedir}/lib/tee
+}
+FILES:${PN} += "${sysconfdir} ${localstatedir}"
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+# Create groups 'tee' and 'teeclnt'. Permissions are set elsewhere on
+# /dev/teepriv0 and /dev/tee0 so that tee-supplicant should run as a user that
+# is a member of the 'tee' group, and TEE client applications should runs as a
+# user that is a member of the 'teeclnt' group.
+GROUPADD_PARAM:${PN} = "--system tee; --system teeclnt"
+# Create user 'tee' member of group 'tee' to run tee-supplicant
+USERADD_PARAM:${PN} = "--system -d / -M -s /bin/nologin -c 'User for tee-supplicant' -g tee tee"
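Review bot: The `sed` in `do_install:append` rewrites `/etc` and `/usr/bin` in the unit file, but the unit references `/usr/sbin/tee-supplicant` and `/usr/sbin/create-tee-supplicant-env`, and the helper is installed to `${D}${sbindir}`; on a distro that sets `sbindir` to anything other than `/usr/sbin` the unit would point at a path that does not exist, while the `/usr/bin` substitution matches nothing in it. Replace that line with `-e s:/usr/sbin:${sbindir}:g \`. `FILES:${PN} += "${sysconfdir} ${localstatedir}"` claims both trees wholesale; `${sysconfdir}/udev/rules.d/optee.rules ${localstatedir}/lib/tee` is the precise set this recipe installs and avoids swallowing files from other recipes into this package. The recipe is also added with mode 100755; recipes are data and 100644 is the convention in this layer's other files.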