stm-st-stm32mp: add optee-client recipe based on v4.0.0

This commit integrates optee-client support from the meta-st-openstlinux layer, based on the openstlinux-6.6-yocto-scarthgap-mpu-v25.03.19 tag. https://onedigi.atlassian.net/browse/DEL-9442 Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
2025-03-18 17:52:48 +01:00 · 2025-03-18 17:52:48 +01:00 · 30751b0eef
parent 250acb9041
commit 30751b0eef
5 changed files with 99 additions and 0 deletions
--- a/meta-digi-arm/conf/machine/include/ccmp2.inc
+++ b/meta-digi-arm/conf/machine/include/ccmp2.inc
@ -42,6 +42,8 @@ TF_A_METADATA_TOOL_ARGS ?= "-g -i 1 -b 2 -v ${TF_A_METADATA_TOOL_VERSION} ${DEVI
 # optee-os
 # =========================================================================
 PREFERRED_PROVIDER_virtual/optee-os = "optee-os-stm32mp"
 # OPTEE runtime packages to install
 OPTEE_PKGS ??= "optee-client"
 # =========================================================================
 # Kernel
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/create-tee-supplicant-env
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/create-tee-supplicant-env
@ -0,0 +1,21 @@
 #!/bin/sh
 #
 # Create a systemd environment file for tee-supplicant
 # $1 is the path to the file to be generated.
 # At the moment this figures out the --rpmb-cid parameter to be given to
 # tee-supplicant, indicating which eMMC device OP-TEE should use for RPMB
 # storage.
 # No file is generated if no device is found (not an error) or if multiple
 # eMMCs are found (which is an error).
 [ "$1" ] || { echo Usage: $0 FILE >&2; exit 1; }
 touch $1
 for f in /sys/class/mmc_host/mmc*/mmc*\:*/mmcblk?rmpb; do
  [ "$CID" ] && { echo $0: Multiple eMMC devices found, not chosing one automatically >&2; exit 2; }
  # POSIX shells don't expand globbing patterns that match no file
  [ -e $f ] || exit 0
  CID=$(cat $(dirname $f)/cid)
 done
 [ "$CID" ] && echo RPMB_CID="--rpmb-cid $CID" >$1
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/optee-udev.rules
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/optee-udev.rules
@ -0,0 +1,2 @@
 KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee.device"
 KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", TAG+="systemd", ENV{SYSTEMD_WANTS}+="teepriv.device"
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/tee-supplicant.service
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client/tee-supplicant.service
@ -0,0 +1,16 @@
 [Unit]
 Description=TEE Supplicant
 Wants=dev-tee0.device
 After=dev-tee0.device
 After=systemd-udevd.service
 [Service]
 User=tee
 Group=tee
 EnvironmentFile=-/etc/default/tee-supplicant
 ExecStartPre=/usr/sbin/create-tee-supplicant-env /tmp/tee-supplicant.env
 EnvironmentFile=-/tmp/tee-supplicant.env
 ExecStart=/usr/sbin/tee-supplicant $RPMB_CID $OPTARGS
 [Install]
 WantedBy=basic.target
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
@ -0,0 +1,58 @@
 SUMMARY = "OPTEE Client"
 HOMEPAGE = "https://github.com/OP-TEE/optee_client"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=69663ab153298557a59c67a60a743e5b"
 inherit python3native systemd cmake pkgconfig
 SRC_URI = "git://github.com/OP-TEE/optee_client.git;protocol=https;branch=master \
           file://tee-supplicant.service \
           file://create-tee-supplicant-env \
           file://optee-udev.rules \
    "
 SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
 PV = "4.0.0+git${SRCPV}"
 S = "${WORKDIR}/git"
 DEPENDS += "util-linux-libuuid"
 SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
 EXTRA_OECMAKE = " \
    -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
    -DCFG_WERROR=OFF \
    -DCFG_TEE_CLIENT_LOG_LEVEL=2 \
    -DCFG_TEE_CLIENT_LOG_FILE='/data/tee/teec.log' \
    -DBUILD_SHARED_LIBS=ON \
    -DRPMB_EMU=0 \
    "
 do_install:append() {
    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
        sed -i -e s:/etc:${sysconfdir}:g \
            -e s:/usr/bin:${bindir}:g \
            ${WORKDIR}/tee-supplicant.service
        install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
        install -D -p -m0755 ${WORKDIR}/create-tee-supplicant-env ${D}${sbindir}/
    fi
    install -d ${D}${sysconfdir}/udev/rules.d
    install -m 0644 ${WORKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules
    install -d -m770 -o root -g tee ${D}${localstatedir}/lib/tee
 }
 FILES:${PN} += "${sysconfdir} ${localstatedir}"
 inherit useradd
 USERADD_PACKAGES = "${PN}"
 # Create groups 'tee' and 'teeclnt'. Permissions are set elsewhere on
 # /dev/teepriv0 and /dev/tee0 so that tee-supplicant should run as a user that
 # is a member of the 'tee' group, and TEE client applications should runs as a
 # user that is a member of the 'teeclnt' group.
 GROUPADD_PARAM:${PN} = "--system tee; --system teeclnt"
 # Create user 'tee' member of group 'tee' to run tee-supplicant
 USERADD_PARAM:${PN} = "--system -d / -M -s /bin/nologin -c 'User for tee-supplicant' -g tee tee"
		`@ -0,0 +1,2 @@`
							`KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee.device"`
							`KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", TAG+="systemd", ENV{SYSTEMD_WANTS}+="teepriv.device"`