From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Wed, 27 Aug 2025 12:37:04 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1urDWa-0053N7-2l for lore@lore.pengutronix.de; Wed, 27 Aug 2025 12:37:04 +0200 Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1urDWZ-0000aM-Nl; Wed, 27 Aug 2025 12:37:03 +0200 Received: from dude05.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::54]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1urDWE-0000C5-5F; Wed, 27 Aug 2025 12:36:42 +0200 From: Michael Tretter To: ptxdist@pengutronix.de Date: Wed, 27 Aug 2025 12:36:41 +0200 Message-ID: <20250827103642.3881930-4-m.tretter@pengutronix.de> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250827103642.3881930-1-m.tretter@pengutronix.de> References: <20250827103642.3881930-1-m.tretter@pengutronix.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [ptxdist] [PATCH 4/4] optee: install in-tree user TAs into rootfs X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Michael Tretter Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false While user TAs are preferably disabled in a secure system to reduce the attack surface, it may still be useful to be able to load the in-tree TAs from the rootfs during development. Add an option to install the user TAs into the rootfs.
Signed-off-by: Michael Tretter
---
 rules/optee.in | 17 ++++++++++++++++-
 rules/optee.make | 24 ++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/rules/optee.in b/rules/optee.in
index 0e0f3230d8c6..a6a03a151eb3 100644
--- a/rules/optee.in
+++ b/rules/optee.in
@@ -1,4 +1,19 @@
 ## SECTION=security
-config OPTEE
+menuconfig OPTEE
 	tristate
+	prompt "optee"
+
+if OPTEE
+
+config PTXCONF_OPTEE_INSTALL_USER_TAS
+	bool "install in-tree user TAs"
+	help
+	  Install the OP-TEE in-tree user TAs.
+
+	  Enable this option to install the user TAs, which are included in
+	  the OP-TEE OS, into the rootfs. This allows loading the TAs via the
+	  tee-supplicant at runtime and removes the requirement to include the
+	  TAs as early TAs in the OP-TEE binary.
+
+endif
diff --git a/rules/optee.make b/rules/optee.make
index e0655565efc3..e9a4ac302494 100644
--- a/rules/optee.make
+++ b/rules/optee.make
@@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
 	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
 	@cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
+	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
+	@install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
+		$(OPTEE_PKGDIR)/usr/lib/optee_armtz
+
 	@$(call touch)
 # ----------------------------------------------------------------------------
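Review bot: The new symbol is declared as `config PTXCONF_OPTEE_INSTALL_USER_TAS`, while the existing symbol in the same hunk is `config OPTEE` without the prefix; if ptxdist prepends `PTXCONF_` to every Kconfig symbol when it generates the make variables (as the unprefixed `OPTEE` symbol suggests), the `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS` in optee.make tests a variable that does not exist and the TAs are never installed, whatever the user selects. Declare it as `config OPTEE_INSTALL_USER_TAS` so the make-side name matches. The help text should also carry the framing the commit message gives but the option itself does not: that this is a development convenience and is preferably left off in a secure configuration, e.g. add `Intended for development; leave disabled in production images to keep the TEE's attack surface small.` after the last paragraph.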
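Review bot: The added `install -v -D -m444 .../ta/*.ta` line depends on the shell glob matching at least one file; if an OP-TEE configuration builds no user TAs, the unexpanded `*.ta` is passed to install and the whole install stage fails, even when the new option is not selected (unless the recipe shell has nullglob set, which is not visible here). Since the directory is created by the preceding `install -vd`, `-D` adds nothing; wrapping both added lines in `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS` … `endif` would make the failure mode explicit and tie the copy to the option that consumes it. The `$(STATEDIR)/optee.install` rule begins above this hunk.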
@@ -77,9 +81,29 @@ OPTEE_BINARIES := \
 	tee-pageable_v2.bin \
 	tee.elf
+OPTEE_USER_TAS := \
+	023f8f1a-292a-432b-8fc4-de8471358067.ta \
+	80a4c275-0a47-4905-8285-1486a9771a08.ta \
+	f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
+	fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
+
 $(STATEDIR)/optee.targetinstall:
 	@$(call targetinfo)
+ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
+	@$(call install_init, optee)
+	@$(call install_fixup, optee,PRIORITY,optional)
+	@$(call install_fixup, optee,SECTION,base)
+	@$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski ")
+	@$(call install_fixup, optee,DESCRIPTION,missing)
+
+	@$(foreach ta, $(OPTEE_USER_TAS), \
+		$(call install_copy, optee, 0, 0, 0444, -, \
+		/usr/lib/optee_armtz/$(ta))$(ptx/nl))
+
+	@$(call install_finish, optee)
+endif
+
 	@$(foreach binary, $(OPTEE_BINARIES), \
 		$(call ptx/image-install, OPTEE, \
 		$(OPTEE_OUT_DIR)/core/$(binary), \
-- 
2.47.2
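Review bot: `OPTEE_USER_TAS` hard-codes four TA UUIDs, while the install stage copies every `ta/*.ta` the OP-TEE build produced, so the two lists will drift: a TA removed or renamed upstream makes `install_copy` fail the targetinstall stage, and a newly added one is silently left out of the rootfs. ptxdist's `install_tree` installs a whole pkgdir directory, so the variable and the foreach can be replaced by `@$(call install_tree, optee, 0, 0, -, /usr/lib/optee_armtz)`, which keeps the rootfs content identical to what the install stage staged. The `DESCRIPTION,missing` fixup is the rule-template placeholder and should be filled in, e.g. `@$(call install_fixup, optee,DESCRIPTION,"OP-TEE in-tree user trusted applications")`. The targetinstall recipe continues below the hunk.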