* [ptxdist] [PATCH v2] optee: install in-tree user TAs into rootfs
@ 2025-09-08 13:48 Michael Tretter
From: Michael Tretter @ 2025-09-08 13:48 UTC (permalink / raw)
  To: ptxdist; +Cc: Michael Tretter

While user TAs are preferably disabled in a secure system to reduce the
attack surface, it may still be useful to be able to load the in-tree
TAs from the rootfs during development.

Add an option to install the user TAs into the rootfs.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
v2:
- Move option to platforms/optee.in
- Remove erroneous PTXCONF_ prefix
---
 platforms/optee.in | 10 ++++++++++
 rules/optee.make   | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/platforms/optee.in b/platforms/optee.in
index 722bf933bc65..ca9973292ec8 100644
--- a/platforms/optee.in
+++ b/platforms/optee.in
@@ -40,4 +40,14 @@ config OPTEE_CFG
 	  Refer to the following file for the CFG_FLAGS:
 	  https://github.com/OP-TEE/optee_os/blob/master/mk/config.mk
 
+config OPTEE_INSTALL_USER_TAS
+	bool "install in-tree user TAs"
+	help
+	  Install the OP-TEE in-tree user TAs.
+
+	  Enable this option to install the user TAs, which are included in
+	  the OP-TEE OS, into the rootfs. This allows loading the TAs via the
+	  tee-supplicant at runtime and removes the requirement to include the
+	  TAs as early TAs in the OP-TEE binary.
+
 endif
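Review bot: The help text for OPTEE_INSTALL_USER_TAS omits the caveat from the commit message, so someone enabling the option in menuconfig gets no hint that it is meant as a development convenience. TAs installed in the rootfs live in storage the normal world can modify, so what OP-TEE loads is gated only by its TA signature check. If the build still uses the development signing key shipped in the optee_os tree (not visible in this hunk), that check adds little protection. I would append to the help something like `This is intended for development. For production images keep user TAs disabled, or make sure the TAs are signed with a project-specific key.`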
diff --git a/rules/optee.make b/rules/optee.make
index e0655565efc3..e9a4ac302494 100644
--- a/rules/optee.make
+++ b/rules/optee.make
@@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
 	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
 	@cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
 
+	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
+	@install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
+		$(OPTEE_PKGDIR)/usr/lib/optee_armtz
+
 	@$(call touch)
 
 # ----------------------------------------------------------------------------
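Review bot: The two added `install` lines in the optee.install recipe run even when OPTEE_INSTALL_USER_TAS is off, and they depend on `ta/*.ta` matching at least one file. In a configuration that builds no user TAs, which the commit message describes as the preferred setup for a secure system, the glob would presumably stay unexpanded and the install stage would fail. Wrapping the lines in `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS` / `endif`, as the targetinstall stage does, avoids that and keeps the TAs out of the package directory when they are not requested. The `-D` is also redundant after the preceding `install -vd`. The recipe begins above the hunk.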
@@ -77,9 +81,29 @@ OPTEE_BINARIES := \
 	tee-pageable_v2.bin \
 	tee.elf
 
+OPTEE_USER_TAS := \
+	023f8f1a-292a-432b-8fc4-de8471358067.ta \
+	80a4c275-0a47-4905-8285-1486a9771a08.ta \
+	f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
+	fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
+
 $(STATEDIR)/optee.targetinstall:
 	@$(call targetinfo)
 
+ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
+	@$(call install_init, optee)
+	@$(call install_fixup, optee,PRIORITY,optional)
+	@$(call install_fixup, optee,SECTION,base)
+	@$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski <rouven@czerwinskis.de>")
+	@$(call install_fixup, optee,DESCRIPTION,missing)
+
+	@$(foreach ta, $(OPTEE_USER_TAS), \
+		$(call install_copy, optee, 0, 0, 0444, -, \
+			/usr/lib/optee_armtz/$(ta))$(ptx/nl))
+
+	@$(call install_finish, optee)
+endif
+
 	@$(foreach binary, $(OPTEE_BINARIES), \
 		$(call ptx/image-install, OPTEE, \
 			$(OPTEE_OUT_DIR)/core/$(binary), \
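Review bot: OPTEE_USER_TAS is a hard-coded list of bare UUIDs, while the install stage copies whatever `ta/*.ta` matches, so the two can drift apart. If an OP-TEE version or CFG_ setting does not build one of these four, `install_copy` will likely fail, and any additional TA that is built is silently left out of the image. A comment above the list naming the in-tree TA behind each UUID, e.g. `# in-tree TAs by UUID; keep in sync with the TAs enabled via OPTEE_CFG`, would make the list reviewable, which matters because every entry becomes code loadable into the secure world. `DESCRIPTION,missing` is also still a placeholder. The targetinstall recipe continues beyond the hunk.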
-- 
2.47.3



