From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Tue, 16 Sep 2025 21:45:01 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ptxdist-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1uybbp-003nfP-0Q
	for lore@lore.pengutronix.de;
	Tue, 16 Sep 2025 21:45:01 +0200
Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de)
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <ptxdist-bounces@pengutronix.de>)
	id 1uybbo-00040r-OM; Tue, 16 Sep 2025 21:45:00 +0200
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
 by metis.whiteo.stw.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mol@pengutronix.de>)
 id 1uybbU-0003rG-K5; Tue, 16 Sep 2025 21:44:40 +0200
Received: from dude05.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::54])
 by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96)
 (envelope-from <mol@pengutronix.de>) id 1uybbU-001dp6-1P;
 Tue, 16 Sep 2025 21:44:40 +0200
Received: from mol by dude05.red.stw.pengutronix.de with local (Exim 4.98.2)
 (envelope-from <mol@pengutronix.de>) id 1uybbU-00000002Nlk-1bDa;
 Tue, 16 Sep 2025 21:44:40 +0200
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Date: Tue, 16 Sep 2025 21:44:40 +0200
Message-ID: <20250916194440.568017-1-m.olbrich@pengutronix.de>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20250908134835.1371073-1-m.tretter@pengutronix.de>
References: <20250908134835.1371073-1-m.tretter@pengutronix.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: Re: [ptxdist] [APPLIED] optee: install in-tree user TAs into rootfs
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <https://metis.pengutronix.de/mailman/options/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <https://metis.pengutronix.de/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <https://metis.pengutronix.de/mailman/listinfo/ptxdist>,
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Cc: Michael Tretter <m.tretter@pengutronix.de>
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

Thanks, applied as 3982189e8fa609c0ff66356619edbc37e3bb1f53.

Michael

[sent from post-receive hook]

On Tue, 16 Sep 2025 21:44:40 +0200, Michael Tretter <m.tretter@pengutronix.de> wrote:
> While user TAs are preferably disabled in a secure system to reduce the
> attack surface, it may still be useful to be able to load the in-tree
> TAs from the rootfs during development.
> 
> Add an option to install the user TAs into the rootfs.
> 
> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
> Message-Id: <20250908134835.1371073-1-m.tretter@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/platforms/optee.in b/platforms/optee.in
> index 722bf933bc65..ca9973292ec8 100644
> --- a/platforms/optee.in
> +++ b/platforms/optee.in
> @@ -40,4 +40,14 @@ config OPTEE_CFG
>  	  Refer to the following file for the CFG_FLAGS:
>  	  https://github.com/OP-TEE/optee_os/blob/master/mk/config.mk
>  
> +config OPTEE_INSTALL_USER_TAS
> +	bool "install in-tree user TAs"
> +	help
> +	  Install the OP-TEE in-tree user TAs.
> +
> +	  Enable this option to install the user TAs, which are included in
> +	  the OP-TEE OS, into the rootfs. This allows loading the TAs via the
> +	  tee-supplicant at runtime and removes the requirement to include the
> +	  TAs as early TAs in the OP-TEE binary.
> +
>  endif
> diff --git a/rules/optee.make b/rules/optee.make
> index e0655565efc3..e9a4ac302494 100644
> --- a/rules/optee.make
> +++ b/rules/optee.make
> @@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
>  	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
>  	@cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
>  
> +	@install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +	@install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
> +		$(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +
>  	@$(call touch)
>  
>  # ----------------------------------------------------------------------------
> @@ -77,9 +81,29 @@ OPTEE_BINARIES := \
>  	tee-pageable_v2.bin \
>  	tee.elf
>  
> +OPTEE_USER_TAS := \
> +	023f8f1a-292a-432b-8fc4-de8471358067.ta \
> +	80a4c275-0a47-4905-8285-1486a9771a08.ta \
> +	f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
> +	fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
> +
>  $(STATEDIR)/optee.targetinstall:
>  	@$(call targetinfo)
>  
> +ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
> +	@$(call install_init, optee)
> +	@$(call install_fixup, optee,PRIORITY,optional)
> +	@$(call install_fixup, optee,SECTION,base)
> +	@$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski <rouven@czerwinskis.de>")
> +	@$(call install_fixup, optee,DESCRIPTION,missing)
> +
> +	@$(foreach ta, $(OPTEE_USER_TAS), \
> +		$(call install_copy, optee, 0, 0, 0444, -, \
> +			/usr/lib/optee_armtz/$(ta))$(ptx/nl))
> +
> +	@$(call install_finish, optee)
> +endif
> +
>  	@$(foreach binary, $(OPTEE_BINARIES), \
>  		$(call ptx/image-install, OPTEE, \
>  			$(OPTEE_OUT_DIR)/core/$(binary), \