stm-st-stm32mp: optee: add support to ConnectCore MP25 DVK platform

Add support based on v3.19.0 version from STM release
openstlinux-6.1-yocto-mickledore-mp2-v23.12.06.

https://onedigi.atlassian.net/browse/DEL-8995

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp2-common.inc

@@ -0,0 +1,172 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+PROVIDES += "virtual/optee-os"
+RPROVIDES:${PN} += "virtual/optee-os virtual/systemd-bootconf"
+
+CVE_PRODUCT = "op-tee:op-tee_os"
+
+#############################################################
+#inherit external-dt scp-firmware
+
+# Enable use of scp-firmware shared folder
+STAGING_SCPFW_DIR = "${TMPDIR}/work-shared/${MACHINE}/scp-firmware"
+
+do_compile[depends] += "scp-firmware:do_configure"
+
+
+STAGING_EXTDT_DIR = "${TMPDIR}/work-shared/${MACHINE}/external-dt"
+#############################################################
+
+B = "${WORKDIR}/build"
+# Configure build dir for externalsrc class usage through devtool
+EXTERNALSRC_BUILD:pn-${PN} = "${WORKDIR}/build"
+
+DEPENDS += "dtc-native"
+DEPENDS += "python3-pycryptodomex-native"
+DEPENDS += "python3-pyelftools-native"
+DEPENDS += "libgcc python3-cryptography-native"
+DEPENDS += "python3-pillow-native"
+
+inherit deploy python3native
+
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEOUTPUTMACHINE ?= "${MACHINE}"
+
+# Default log level
+ST_OPTEE_DEBUG_LOG_LEVEL ??= "2"
+
+# default core debug
+ST_OPTEE_CORE_DEBUG ??= "y"
+ST_OPTEE_CORE_DEBUG:stm32mp15common ?= "n"
+
+EXTRA_OEMAKE = "PLATFORM=${OPTEEMACHINE}"
+EXTRA_OEMAKE += "CROSS_COMPILE_core=${HOST_PREFIX}"
+EXTRA_OEMAKE += "CROSS_COMPILE_ta_arm64=${HOST_PREFIX}"
+EXTRA_OEMAKE += "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 'ARCH=arm CFG_ARM64_core=y', 'ARCH=arm CFG_ARM32_core=y CROSS_COMPILE_ta_arm32=${HOST_PREFIX}', d)}"
+EXTRA_OEMAKE += "NOWERROR=1"
+EXTRA_OEMAKE += "LDFLAGS="
+# Set external-dt support
+EXTRA_OEMAKE += "${@bb.utils.contains('EXTERNAL_DT_ENABLED', '1', 'CFG_EXT_DTS=${STAGING_EXTDT_DIR}/optee', '', d)}"
+# Set scp-firmware support
+EXTRA_OEMAKE += "CFG_SCP_FIRMWARE=${STAGING_SCPFW_DIR}"
+
+# debug and trace
+EXTRA_OEMAKE += "${@bb.utils.contains('ST_OPTEE_DEBUG_TRACE', '1', 'CFG_TEE_CORE_LOG_LEVEL=${ST_OPTEE_DEBUG_LOG_LEVEL} CFG_TEE_CORE_DEBUG=${ST_OPTEE_CORE_DEBUG}', '', d)}"
+
+# OPTEE in sysram
+EXTRA_OEMAKE:append:stm32mp15common = " ${@bb.utils.contains('ST_OPTEE_IN_SYSRAM', '1', 'CFG_STM32MP1_OPTEE_IN_SYSRAM=y', '', d)}"
+
+# SCP firmware
+#EXTRA_OEMAKE_SCP_FIRMWARE ??= ""
+EXTRA_OEMAKE_SCP_FIRMWARE:stm32mp15common ??= ""
+EXTRA_OEMAKE_SCP_FIRMWARE:stm32mp13common ??= "${@bb.utils.contains('ENABLE_SCMI_SCPFW', '1', 'CFG_SCMI_SCPFW=y', 'CFG_SCMI_SCPFW=n', d)}"
+EXTRA_OEMAKE_SCP_FIRMWARE:stm32mp25common ??= "CFG_SCMI_SCPFW=y"
+EXTRA_OEMAKE += " ${EXTRA_OEMAKE_SCP_FIRMWARE}"
+
+OPTEE_ARCH:armv7a = "arm32"
+OPTEE_ARCH:armv7ve = "arm32"
+OPTEE_ARCH:aarch64 = "arm64"
+
+do_configure:prepend(){
+    chmod 755 ${S}/scripts/bin_to_c.py
+}
+
+do_compile() {
+    export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
+    export OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules/
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            # Configure SOC switch
+            soc_extra=""
+            for soc in ${STM32MP_SOC_NAME}; do
+                if [ "$(echo ${conf} | grep -c ${soc})" -eq 1 ]; then
+                    soc_extra="$(echo CFG_${soc} | awk '{print toupper($0)}')=y"
+                    break
+                fi
+            done
+
+            oe_runmake -C ${S} O=${B}/${conf} CFG_EMBED_DTB_SOURCE_FILE=${conf}.dts ${soc_extra}
+        done
+    else
+        oe_runmake -C ${S} O=${B}/out
+    fi
+}
+
+do_install:stm32mp1common() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            for f in  ${B}/${conf}/export-ta_${OPTEE_ARCH}/* ; do
+                cp -aRf  $f ${D}${includedir}/optee/export-user_ta/
+            done
+        done
+    fi
+}
+do_install:stm32mp2common() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta_arm32/
+    install -d ${D}${includedir}/optee/export-user_ta_arm64/
+
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            if [ -d  ${B}/${conf}/export-ta_arm32 ]; then
+                for f in  ${B}/${conf}/export-ta_arm32/* ; do
+                    cp -aRf  $f ${D}${includedir}/optee/export-user_ta_arm32/
+                done
+            fi
+            if [ -d  ${B}/${conf}/export-ta_arm64 ]; then
+                for f in  ${B}/${conf}/export-ta_arm64/* ; do
+                    cp -aRf  $f ${D}${includedir}/optee/export-user_ta_arm64/
+                done
+            fi
+        done
+    fi
+}
+
+
+# Configure optee binaries
+OPTEE_HEADER    = "tee-header_v2"
+OPTEE_PAGEABLE  = "tee-pageable_v2"
+OPTEE_PAGER     = "tee-pager_v2"
+OPTEE_SUFFIX    = "bin"
+# Output the ELF generated
+ELF_DEBUG_ENABLE ?= ""
+OPTEE_ELF = "tee"
+OPTEE_ELF_SUFFIX = "elf"
+
+do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}/optee"
+do_deploy() {
+    install -d ${DEPLOYDIR}/debug
+    if [ -n "${OPTEE_CONF}" ]; then
+        for conf in ${OPTEE_CONF}; do
+            install -m 644 ${B}/${conf}/core/${OPTEE_HEADER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_HEADER}-${conf}.${OPTEE_SUFFIX}
+            install -m 644 ${B}/${conf}/core/${OPTEE_PAGER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGER}-${conf}.${OPTEE_SUFFIX}
+            install -m 644 ${B}/${conf}/core/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGEABLE}-${conf}.${OPTEE_SUFFIX}
+            if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+                install -m 644 ${B}/${conf}/core/${OPTEE_ELF}.${OPTEE_ELF_SUFFIX} ${DEPLOYDIR}/debug/${OPTEE_ELF}-${conf}.${OPTEE_ELF_SUFFIX}
+            fi
+        done
+    else
+        install -m 644 ${B}/core/${OPTEE_HEADER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_HEADER}.${OPTEE_SUFFIX}
+        install -m 644 ${B}/core/${OPTEE_PAGER}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGER}.${OPTEE_SUFFIX}
+        install -m 644 ${B}/core/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX} ${DEPLOYDIR}/${OPTEE_PAGEABLE}.${OPTEE_SUFFIX}
+        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+            install -m 644 ${B}/core/${OPTEE_ELF}.${OPTEE_ELF_SUFFIX} ${DEPLOYDIR}/debug/${OPTEE_ELF}.${OPTEE_ELF_SUFFIX}
+        fi
+    fi
+}
+addtask deploy before do_build after do_compile
+
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+FILES:${PN}-dev = "/usr/include/optee"
+
+INSANE_SKIP:${PN}-dev = "staticdev"
+
+INHIBIT_PACKAGE_STRIP = "1"
+# ---------------------------------------------------------------------
+# Avoid QA Issue: contains reference to TMPDIR [buildpaths]
+INSANE_SKIP:${PN} += "buildpaths"

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-os-stm32mp_3.19.0.bb

@@ -0,0 +1,62 @@
+SUMMARY = "OPTEE TA development kit for stm32mp"
+LICENSE = "BSD-2-Clause & BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+
+# Select internal or Github OPTEE repo
+OPTEE_URI_STASH = "${DIGI_MTK_GIT}/emp/optee_os.git;protocol=ssh"
+OPTEE_URI_GITHUB = "${DIGI_GITHUB_GIT}/optee_os.git;protocol=https"
+OPTEE_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${OPTEE_URI_STASH}', '${OPTEE_URI_GITHUB}', d)}"
+
+SRCBRANCH = "3.19.0/stm/master"
+SRCREV = "${AUTOREV}"
+
+SRC_URI = " \
+    ${OPTEE_GIT_URI};branch=${SRCBRANCH};name=os \
+    file://fonts.tar.gz;subdir=git;name=fonts \
+"
+
+SRC_URI[fonts.sha256sum] = "4941e8bb6d8ac377838e27b214bf43008c496a24a8f897e0b06433988cbd53b2"
+
+OPTEE_VERSION = "3.19.0"
+OPTEE_SUBVERSION = "stm32mp"
+OPTEE_RELEASE = "beta-r1"
+
+PV = "${OPTEE_VERSION}-${OPTEE_SUBVERSION}-${OPTEE_RELEASE}"
+
+ARCHIVER_ST_BRANCH = "${OPTEE_VERSION}-${OPTEE_SUBVERSION}"
+ARCHIVER_ST_REVISION = "${PV}"
+ARCHIVER_COMMUNITY_BRANCH = "master"
+ARCHIVER_COMMUNITY_REVISION = "${OPTEE_VERSION}"
+
+S = "${WORKDIR}/git"
+
+OPTEEMACHINE ?= "stm32mp1"
+OPTEEMACHINE:stm32mp1common = "stm32mp1"
+OPTEEMACHINE:stm32mp2common = "stm32mp2"
+
+OPTEEOUTPUTMACHINE ?= "stm32mp1"
+OPTEEOUTPUTMACHINE:stm32mp1common = "stm32mp1"
+OPTEEOUTPUTMACHINE:stm32mp2common = "stm32mp2"
+
+# The package is empty but must be generated to avoid apt-get installation issue
+ALLOW_EMPTY:${PN} = "1"
+
+require optee-os-stm32mp2-common.inc
+
+# Specific for revA board
+EXTRA_OEMAKE_REVA:stm32mp25revabcommon:append = " CFG_STM32MP25x_REVA=y "
+EXTRA_OEMAKE += " ${EXTRA_OEMAKE_REVA}"
+
+# ---------------------------------
+# Configure archiver use
+# ---------------------------------
+include ${@oe.utils.ifelse(d.getVar('ST_ARCHIVER_ENABLE') == '1', 'optee-os-stm32mp-archiver.inc','')}
+
+# ---------------------------------
+# Configure default preference to manage dynamic selection between tarball and github
+# ---------------------------------
+STM32MP_SOURCE_SELECTION ?= "tarball"
+
+DEFAULT_PREFERENCE = "${@bb.utils.contains('STM32MP_SOURCE_SELECTION', 'github', '-1', '1', d)}"
+
+COMPATIBLE_MACHINE = "(ccmp2)"

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/scp-firmware/scp-firmware-archiver.inc

@@ -0,0 +1,10 @@
+#
+# Archiver Configuration
+#
+SRC_URI:append = " file://README.HOW_TO.txt "
+COPYLEFT_LICENSE_INCLUDE:append = " BSD-3* "
+
+inherit archiver
+ARCHIVER_MODE[src] = "original"
+
+inherit archiver_stm32mp_clean

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/scp-firmware/scp-firmware.bb

@@ -0,0 +1,74 @@
+SUMMARY = "SCP Firmware for stm32mp"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${S}/license.md;md5=ef610a65bfb6d16f79778877cbfd45df"
+
+SRC_URI = "gitsm://github.com/ARM-software/SCP-firmware;protocol=https;nobranch=1"
+SRCREV = "0c7236b1851d90124210a0414fd982dc55322c7c"
+
+SRC_URI += " \
+	file://0001-2.12-stm32mp-r1.patch \
+	file://0001-Correct-git-error.patch \
+"
+
+SCPFW_VERSION    = "2.12"
+SCPFW_SUBVERSION = "stm32mp"
+SCPFW_RELEASE    = "r1"
+
+PV = "${SCPFW_VERSION}-${SCPFW_SUBVERSION}-${SCPFW_RELEASE}"
+
+S = "${WORKDIR}/git"
+
+###################################################################
+#inherit scp-firmware
+
+# Enable use of scp-firmware shared folder
+STAGING_SCPFW_DIR = "${TMPDIR}/work-shared/${MACHINE}/scp-firmware"
+
+do_compile[depends] += "scp-firmware:do_configure"
+###################################################################
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+COMPATIBLE_MACHINE = "(stm32mpcommon)"
+
+# Do not remove source code, even if rm_work is configured
+RM_WORK_EXCLUDE += "${PN}"
+
+# -----------------------------------------------
+# Enable use of work-shared folder
+# Make sure to move ${S} to STAGING_SCPFW_DIR. We can't just
+# create the symlink in advance as the git fetcher can't cope with
+# the symlink.
+do_unpack[cleandirs] += "${S}"
+do_unpack[cleandirs] += "${STAGING_SCPFW_DIR}"
+do_clean[cleandirs] += "${S}"
+do_clean[cleandirs] += "${STAGING_SCPFW_DIR}"
+python do_symlink_scpfirmwaresrc() {
+    # Specific part to update devtool-source class
+    if bb.data.inherits_class('devtool-source', d):
+        # We don't want to move the source to STAGING_SCPFW_DIR here
+        if d.getVar('STAGING_SCPFW_DIR', d):
+            d.setVar('STAGING_SCPFW_DIR', '${S}')
+
+    # Copy/Paste from kernel class with adaptation to SCPFW var
+    s = d.getVar("S")
+    if s[-1] == '/':
+        # drop trailing slash, so that os.symlink(scpscr, s) doesn't use s as directory name and fail
+        s=s[:-1]
+    scpscr = d.getVar("STAGING_SCPFW_DIR")
+    if s != scpscr:
+        bb.utils.mkdirhier(scpscr)
+        bb.utils.remove(scpscr, recurse=True)
+        if d.getVar("EXTERNALSRC"):
+            # With EXTERNALSRC S will not be wiped so we can symlink to it
+            os.symlink(s, scpscr)
+        else:
+            import shutil
+            shutil.move(s, scpscr)
+            os.symlink(scpscr, s)
+}
+addtask symlink_scpfirmwaresrc before do_patch do_configure after do_unpack
+
+# ---------------------------------
+# Configure archiver use
+# ---------------------------------
+include ${@oe.utils.ifelse(d.getVar('ST_ARCHIVER_ENABLE') == '1', 'scp-firmware-archiver.inc','')}

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/scp-firmware/scp-firmware/0001-Correct-git-error.patch

@@ -0,0 +1,32 @@
+From 27dd5642469b49aa6a94d99d97bce793f2473053 Mon Sep 17 00:00:00 2001
+From: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
+Date: Tue, 28 Nov 2023 14:18:02 +0100
+Subject: [PATCH] Correct git error
+
+When there is no .git for scp firmware, the git describe command
+return error:
+fatal: not a git repository (or any parent up to mount point /mnt)
+Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).
+
+To correct this kind of error, we can redirect the error on a variable
+
+Signed-off-by: Christophe Priouzeau <christophe.priouzeau@foss.st.com>
+---
+ framework/CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/framework/CMakeLists.txt b/framework/CMakeLists.txt
+index 9b9bb229..9a9f0bd4 100644
+--- a/framework/CMakeLists.txt
++++ b/framework/CMakeLists.txt
+@@ -197,6 +197,7 @@ if(GIT_FOUND)
+         COMMAND "${GIT_EXECUTABLE}" describe --tags --dirty --always
+         WORKING_DIRECTORY "${SCP_SOURCE_DIR}"
+         OUTPUT_VARIABLE SCP_DESCRIBE
++        ERROR_VARIABLE _errorOut
+         OUTPUT_STRIP_TRAILING_WHITESPACE)
+ endif()
+ 
+-- 
+2.34.1
+

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/scp-firmware/scp-firmware/README.HOW_TO.txt

@@ -0,0 +1,56 @@
+Sharing scp firmware
+1. Prepare scp firmware source
+2. Manage scp firmware source code with GIT
+3. Configure scp firmware source code
+4. Test scp firmware source code
+
+--------------------------------------
+1. Prepare scp-firmware source
+--------------------------------------
+If not already done, extract the sources from Developer Package tarball, for example:
+    $ tar xf en.SOURCES-stm32mp1-*.tar.xz
+
+In the scp firmware source directory (sources/*/##BP##-##PR##),
+you have one external dt tarball:
+   - ##BP##-##PR##.tar.xz
+   - 00*.patch
+
+If you would like to have a git management for the source code move to
+to section 2 [Management of external dt source code with GIT].
+
+Otherwise, to manage scp firmware source code without git, you must extract the
+tarball now and apply the patch:
+
+    $> tar xf ##BP##-##PR##.tar.xz
+    $> cd ##BP##
+    $> for p in `ls -1 ../*.patch`; do patch -p1 < $p; done
+
+You can now move to section 3 [Configure scp firmware source code].
+
+-------------------------------------
+2. Manage external dt source code with GIT
+-------------------------------------
+If you like to have a better management of change made on external dt source, you
+have following solutions to use git.
+
+2.1 Create Git from tarball
+---------------------------
+    $ cd <directory to scp firmware source code>
+    $ test -d .git || git init . && git add . && git commit -m "new scp-firwmare" && git gc
+    $ git checkout -b WORKING
+  NB: this is the fastest way to get your scp firmware source code ready for development
+
+-------------------------------
+3. Configure scp firmware source code
+-------------------------------
+To enable use of scp firmware source code for other component, you must set the
+SCPFW_DIR variable to your shell environement:
+
+    $> export SCPFW_DIR=$PWD/##BP##
+
+---------------------------
+4. Test scp firmware source code
+---------------------------
+Nothing to do, scp-firmware is directly used by other component.
+
+    #> echo "*** Nothing to test ***"