From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Michael Tretter <m.tretter@pengutronix.de>
Subject: Re: [ptxdist] [PATCH 4/4] optee: install in-tree user TAs into rootfs
Date: Wed, 27 Aug 2025 16:36:29 +0200 [thread overview]
Message-ID: <aK8X7Xaz-RydG0QL@pengutronix.de> (raw)
In-Reply-To: <20250827103642.3881930-4-m.tretter@pengutronix.de>
On Wed, Aug 27, 2025 at 12:36:41PM +0200, Michael Tretter wrote:
> While user TAs are preferably disabled in a secure system to reduce the
> attack surface, it may still be useful to be able to load the in-tree
> TAs from the rootfs during development.
>
> The option to install the user TAs into the rootfs.
>
> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
> ---
> rules/optee.in | 17 ++++++++++++++++-
> rules/optee.make | 24 ++++++++++++++++++++++++
> 2 files changed, 40 insertions(+), 1 deletion(-)
>
> diff --git a/rules/optee.in b/rules/optee.in
> index 0e0f3230d8c6..a6a03a151eb3 100644
> --- a/rules/optee.in
> +++ b/rules/optee.in
> @@ -1,4 +1,19 @@
> ## SECTION=security
>
> -config OPTEE
> +menuconfig OPTEE
> tristate
> + prompt "optee"
> +
> +if OPTEE
> +
> +config PTXCONF_OPTEE_INSTALL_USER_TAS
> + bool "install in-tree user TAs"
> + help
> + Install the OP-TEE in-tree user TAs.
> +
> + Enable this option to install the user TAs, which are included in
> + the OP-TEE OS, into the rootfs. This allows loading the TAs via the
> + tee-supplicant at runtime and removes the requirement to include the
> + TAs as early TAs in the OP-TEE binary.
Hmm, I would expect that this is platform specific, so it should probably
be in platforms/optee.in instead.
Michael
> +
> +endif
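Review bot: the new symbol is declared as `config PTXCONF_OPTEE_INSTALL_USER_TAS` with the prefix spelled out, while the existing symbol in the same file is plain `config OPTEE` and optee.make tests `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS`; ptxdist's Kconfig tooling adds the PTXCONF_ prefix itself, so as written the generated variable will not match what the make rule checks and the conditional targetinstall block never runs. Declare it as `config OPTEE_INSTALL_USER_TAS`. The help text should also carry the point the commit message makes, that this is a development aid and a secure production configuration keeps user TAs disabled, so the attack-surface trade-off is visible in the menu where the option is switched on.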
> diff --git a/rules/optee.make b/rules/optee.make
> index e0655565efc3..e9a4ac302494 100644
> --- a/rules/optee.make
> +++ b/rules/optee.make
> @@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
> @install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
> @cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os
>
> + @install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> + @install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
> + $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +
> @$(call touch)
>
> # ----------------------------------------------------------------------------
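Review bot: the `install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta` line is unconditional and depends on a shell glob, so if the OP-TEE build produced no user TAs the glob stays literal and the install stage fails for every configuration, not only for those that enabled the new option. Either guard the copy with the same `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS` used in the targetinstall stage, or iterate over the explicit OPTEE_USER_TAS list added in the next hunk so a missing TA is reported by name rather than by a failed glob. The `-D` is redundant with the `install -vd` on the line above.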
> @@ -77,9 +81,29 @@ OPTEE_BINARIES := \
> tee-pageable_v2.bin \
> tee.elf
>
> +OPTEE_USER_TAS := \
> + 023f8f1a-292a-432b-8fc4-de8471358067.ta \
> + 80a4c275-0a47-4905-8285-1486a9771a08.ta \
> + f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
> + fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
> +
> $(STATEDIR)/optee.targetinstall:
> @$(call targetinfo)
>
> +ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
> + @$(call install_init, optee)
> + @$(call install_fixup, optee,PRIORITY,optional)
> + @$(call install_fixup, optee,SECTION,base)
> + @$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski <rouven@czerwinskis.de>")
> + @$(call install_fixup, optee,DESCRIPTION,missing)
> +
> + @$(foreach ta, $(OPTEE_USER_TAS), \
> + $(call install_copy, optee, 0, 0, 0444, -, \
> + /usr/lib/optee_armtz/$(ta))$(ptx/nl))
> +
> + @$(call install_finish, optee)
> +endif
> +
> @$(foreach binary, $(OPTEE_BINARIES), \
> $(call ptx/image-install, OPTEE, \
> $(OPTEE_OUT_DIR)/core/$(binary), \
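Review bot: OPTEE_USER_TAS hardcodes four UUID file names with no comment on which in-tree TA each one is, and the list is maintained separately from the `*.ta` glob used in the install stage, so after the next OP-TEE version bump (this series opens with 4.6.0 -> 4.7.0) an added, dropped or renamed TA silently diverges between the two stages; either derive the list from the files the install stage actually copied or document each UUID beside its entry. The `ifdef` block also brings back an install_init/install_finish pair in the rule that patch 3/4 of this series just removed install_init from; a sentence in the commit message explaining why it returns here, conditionally, would help the reader of the series.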
> --
> 2.47.2
--
Pengutronix e.K.
Steuerwalder Str. 21 | http://www.pengutronix.de/
31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555
Thread overview:
2025-08-27 10:36 [ptxdist] [PATCH 1/4] optee: version bump 4.6.0 -> 4.7.0 (Michael Tretter)
2025-08-27 10:36 ` [ptxdist] [PATCH 2/4] optee: add license file (Michael Tretter)
2025-08-29 9:46 ` [ptxdist] [APPLIED] optee: add license file (Michael Olbrich)
2025-08-27 10:36 ` [ptxdist] [PATCH 3/4] optee: remove install_init (Michael Tretter)
2025-08-29 9:46 ` [ptxdist] [APPLIED] optee: remove install_init (Michael Olbrich)
2025-08-27 10:36 ` [ptxdist] [PATCH 4/4] optee: install in-tree user TAs into rootfs (Michael Tretter)
2025-08-27 14:36 ` Re: [ptxdist] [PATCH 4/4] optee: install in-tree user TAs into rootfs (Michael Olbrich) [this message]
2025-08-29 9:46 ` [ptxdist] [APPLIED] optee: version bump 4.6.0 -> 4.7.0 (Michael Olbrich)