[ptxdist] [PATCH v2] optee: install in-tree user TAs into rootfs

[ptxdist] [PATCH v2] optee: install in-tree user TAs into rootfs

[Michael Tretter]

While user TAs are preferably disabled in a secure system to reduce the
attack surface, it may still be useful to be able to load the in-tree
TAs from the rootfs during development.

Add an option to install the user TAs into the rootfs.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
v2:
- Move option to platforms/optee.in
- Remove erroneous PTXCONF_ prefix
---
 platforms/optee.in | 10 ++++++++++
 rules/optee.make   | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/platforms/optee.in b/platforms/optee.in
index 722bf933bc65..ca9973292ec8 100644
--- a/platforms/optee.in
+++ b/platforms/optee.in
@@ -40,4 +40,14 @@ config OPTEE_CFG
 	  Refer to the following file for the CFG_FLAGS:
 	  https://github.com/OP-TEE/optee_os/blob/master/mk/config.mk
 
+config OPTEE_INSTALL_USER_TAS
+	bool "install in-tree user TAs"
+	help
+	  Install the OP-TEE in-tree user TAs.
+
+	  Enable this option to install the user TAs, which are included in
+	  the OP-TEE OS, into the rootfs. This allows loading the TAs via the
+	  tee-supplicant at runtime and removes the requirement to include the
+	  TAs as early TAs in the OP-TEE binary.
+
 endif
diff --git a/rules/optee.make b/rules/optee.make
index e0655565efc3..e9a4ac302494 100644
--- a/rules/optee.make
+++ b/rules/optee.make
@@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
 	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
 	@cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
 
+	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
+	@install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
+		$(OPTEE_PKGDIR)/usr/lib/optee_armtz
+
 	@$(call touch)
 
 # ----------------------------------------------------------------------------
@@ -77,9 +81,29 @@ OPTEE_BINARIES := \
 	tee-pageable_v2.bin \
 	tee.elf
 
+OPTEE_USER_TAS := \
+	023f8f1a-292a-432b-8fc4-de8471358067.ta \
+	80a4c275-0a47-4905-8285-1486a9771a08.ta \
+	f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
+	fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
+
 $(STATEDIR)/optee.targetinstall:
 	@$(call targetinfo)
 
+ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
+	@$(call install_init, optee)
+	@$(call install_fixup, optee,PRIORITY,optional)
+	@$(call install_fixup, optee,SECTION,base)
+	@$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski <rouven@czerwinskis.de>")
+	@$(call install_fixup, optee,DESCRIPTION,missing)
+
+	@$(foreach ta, $(OPTEE_USER_TAS), \
+		$(call install_copy, optee, 0, 0, 0444, -, \
+			/usr/lib/optee_armtz/$(ta))$(ptx/nl))
+
+	@$(call install_finish, optee)
+endif
+
 	@$(foreach binary, $(OPTEE_BINARIES), \
 		$(call ptx/image-install, OPTEE, \
 			$(OPTEE_OUT_DIR)/core/$(binary), \
-- 
2.47.3

Re: [ptxdist] [APPLIED] optee: install in-tree user TAs into rootfs

[Michael Olbrich]

Thanks, applied as 3982189e8fa609c0ff66356619edbc37e3bb1f53.

Michael

[sent from post-receive hook]

On Tue, 16 Sep 2025 21:44:40 +0200, Michael Tretter <m.tretter@pengutronix.de> wrote:
> While user TAs are preferably disabled in a secure system to reduce the
> attack surface, it may still be useful to be able to load the in-tree
> TAs from the rootfs during development.
> 
> Add an option to install the user TAs into the rootfs.
> 
> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
> Message-Id: <20250908134835.1371073-1-m.tretter@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/platforms/optee.in b/platforms/optee.in
> index 722bf933bc65..ca9973292ec8 100644
> --- a/platforms/optee.in
> +++ b/platforms/optee.in
> @@ -40,4 +40,14 @@ config OPTEE_CFG
>  	  Refer to the following file for the CFG_FLAGS:
>  	  https://github.com/OP-TEE/optee_os/blob/master/mk/config.mk
>  
> +config OPTEE_INSTALL_USER_TAS
> +	bool "install in-tree user TAs"
> +	help
> +	  Install the OP-TEE in-tree user TAs.
> +
> +	  Enable this option to install the user TAs, which are included in
> +	  the OP-TEE OS, into the rootfs. This allows loading the TAs via the
> +	  tee-supplicant at runtime and removes the requirement to include the
> +	  TAs as early TAs in the OP-TEE binary.
> +
>  endif
> diff --git a/rules/optee.make b/rules/optee.make
> index e0655565efc3..e9a4ac302494 100644
> --- a/rules/optee.make
> +++ b/rules/optee.make
> @@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
>  	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
>  	@cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
>  
> +	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +	@install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
> +		$(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +
>  	@$(call touch)
>  
>  # ----------------------------------------------------------------------------
> @@ -77,9 +81,29 @@ OPTEE_BINARIES := \
>  	tee-pageable_v2.bin \
>  	tee.elf
>  
> +OPTEE_USER_TAS := \
> +	023f8f1a-292a-432b-8fc4-de8471358067.ta \
> +	80a4c275-0a47-4905-8285-1486a9771a08.ta \
> +	f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
> +	fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
> +
>  $(STATEDIR)/optee.targetinstall:
>  	@$(call targetinfo)
>  
> +ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
> +	@$(call install_init, optee)
> +	@$(call install_fixup, optee,PRIORITY,optional)
> +	@$(call install_fixup, optee,SECTION,base)
> +	@$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski <rouven@czerwinskis.de>")
> +	@$(call install_fixup, optee,DESCRIPTION,missing)
> +
> +	@$(foreach ta, $(OPTEE_USER_TAS), \
> +		$(call install_copy, optee, 0, 0, 0444, -, \
> +			/usr/lib/optee_armtz/$(ta))$(ptx/nl))
> +
> +	@$(call install_finish, optee)
> +endif
> +
>  	@$(foreach binary, $(OPTEE_BINARIES), \
>  		$(call ptx/image-install, OPTEE, \
>  			$(OPTEE_OUT_DIR)/core/$(binary), \