Re: [ptxdist] [APPLIED] optee: install in-tree user TAs into rootfs

[Michael Olbrich <m.olbrich@pengutronix.de>]

Thanks, applied as 3982189e8fa609c0ff66356619edbc37e3bb1f53.

Michael

[sent from post-receive hook]

On Tue, 16 Sep 2025 21:44:40 +0200, Michael Tretter <m.tretter@pengutronix.de> wrote:
> While user TAs are preferably disabled in a secure system to reduce the
> attack surface, it may still be useful to be able to load the in-tree
> TAs from the rootfs during development.
> 
> Add an option to install the user TAs into the rootfs.
> 
> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
> Message-Id: <20250908134835.1371073-1-m.tretter@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/platforms/optee.in b/platforms/optee.in
> index 722bf933bc65..ca9973292ec8 100644
> --- a/platforms/optee.in
> +++ b/platforms/optee.in
> @@ -40,4 +40,14 @@ config OPTEE_CFG
>  	  Refer to the following file for the CFG_FLAGS:
>  	  https://github.com/OP-TEE/optee_os/blob/master/mk/config.mk
>  
> +config OPTEE_INSTALL_USER_TAS
> +	bool "install in-tree user TAs"
> +	help
> +	  Install the OP-TEE in-tree user TAs.
> +
> +	  Enable this option to install the user TAs, which are included in
> +	  the OP-TEE OS, into the rootfs. This allows loading the TAs via the
> +	  tee-supplicant at runtime and removes the requirement to include the
> +	  TAs as early TAs in the OP-TEE binary.
> +
>  endif
> diff --git a/rules/optee.make b/rules/optee.make
> index e0655565efc3..e9a4ac302494 100644
> --- a/rules/optee.make
> +++ b/rules/optee.make
> @@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
>  	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
>  	@cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
>  
> +	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +	@install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
> +		$(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +
>  	@$(call touch)
>  
>  # ----------------------------------------------------------------------------
> @@ -77,9 +81,29 @@ OPTEE_BINARIES := \
>  	tee-pageable_v2.bin \
>  	tee.elf
>  
> +OPTEE_USER_TAS := \
> +	023f8f1a-292a-432b-8fc4-de8471358067.ta \
> +	80a4c275-0a47-4905-8285-1486a9771a08.ta \
> +	f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
> +	fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
> +
>  $(STATEDIR)/optee.targetinstall:
>  	@$(call targetinfo)
>  
> +ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
> +	@$(call install_init, optee)
> +	@$(call install_fixup, optee,PRIORITY,optional)
> +	@$(call install_fixup, optee,SECTION,base)
> +	@$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski <rouven@czerwinskis.de>")
> +	@$(call install_fixup, optee,DESCRIPTION,missing)
> +
> +	@$(foreach ta, $(OPTEE_USER_TAS), \
> +		$(call install_copy, optee, 0, 0, 0444, -, \
> +			/usr/lib/optee_armtz/$(ta))$(ptx/nl))
> +
> +	@$(call install_finish, optee)
> +endif
> +
>  	@$(foreach binary, $(OPTEE_BINARIES), \
>  		$(call ptx/image-install, OPTEE, \
>  			$(OPTEE_OUT_DIR)/core/$(binary), \