Date: Wed, 27 Aug 2025 16:36:29 +0200
From: Michael Olbrich To: ptxdist@pengutronix.de Message-ID: References: <20250827103642.3881930-1-m.tretter@pengutronix.de> <20250827103642.3881930-4-m.tretter@pengutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20250827103642.3881930-4-m.tretter@pengutronix.de> X-Sent-From: Pengutronix Hildesheim X-URL: http://www.pengutronix.de/ X-IRC: #ptxdist @freenode X-Accept-Language: de,en X-Accept-Content-Type: text/plain Subject: Re: [ptxdist] [PATCH 4/4] optee: install in-tree user TAs into rootfs X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Michael Tretter Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false On Wed, Aug 27, 2025 at 12:36:41PM +0200, Michael Tretter wrote: > While user TAs are preferably disabled in a secure system to reduce the > attack surface, it may still be useful to be able to load the in-tree > TAs from the rootfs during development. > > The option to install the user TAs into the rootfs. > > Signed-off-by: Michael Tretter > --- > rules/optee.in | 17 ++++++++++++++++- > rules/optee.make | 24 ++++++++++++++++++++++++ > 2 files changed, 40 insertions(+), 1 deletion(-) > > diff --git a/rules/optee.in b/rules/optee.in > index 0e0f3230d8c6..a6a03a151eb3 100644 > --- a/rules/optee.in > +++ b/rules/optee.in 
> @@ -1,4 +1,19 @@ > ## SECTION=security > > -config OPTEE > +menuconfig OPTEE > tristate > + prompt "optee" > + > +if OPTEE > + > +config PTXCONF_OPTEE_INSTALL_USER_TAS > + bool "install in-tree user TAs" > + help > + Install the OP-TEE in-tree user TAs. > + > + Enable this option to install the user TAs, which are included in > + the OP-TEE OS, into the rootfs. This allows loading the TAs via the > + tee-supplicant at runtime and removes the requirement to include the > + TAs as early TAs in the OP-TEE binary. Hmm, I would expect that this is platform specific, so it should probably be in platforms/optee.in instead. Michael > + > +endif > diff --git a/rules/optee.make b/rules/optee.make > index e0655565efc3..e9a4ac302494 100644 > --- a/rules/optee.make > +++ b/rules/optee.make > @@ -64,6 +64,10 @@ $(STATEDIR)/optee.install: > @install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os > @cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/* $(OPTEE_PKGDIR)/usr/lib/optee-os > > + @install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz > + @install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \ > + $(OPTEE_PKGDIR)/usr/lib/optee_armtz > + > @$(call touch) > > # ---------------------------------------------------------------------------- 
> @@ -77,9 +81,29 @@ OPTEE_BINARIES := \ > tee-pageable_v2.bin \ > tee.elf > > +OPTEE_USER_TAS := \ > + 023f8f1a-292a-432b-8fc4-de8471358067.ta \ > + 80a4c275-0a47-4905-8285-1486a9771a08.ta \ > + f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \ > + fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta > + > $(STATEDIR)/optee.targetinstall: > @$(call targetinfo) > > +ifdef PTXCONF_OPTEE_INSTALL_USER_TAS > + @$(call install_init, optee) > + @$(call install_fixup, optee,PRIORITY,optional) > + @$(call install_fixup, optee,SECTION,base) > + @$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski ") > + @$(call install_fixup, optee,DESCRIPTION,missing) > + > + @$(foreach ta, $(OPTEE_USER_TAS), \ > + $(call install_copy, optee, 0, 0, 0444, -, \ > + /usr/lib/optee_armtz/$(ta))$(ptx/nl)) > + > + @$(call install_finish, optee) > +endif > + > @$(foreach binary, $(OPTEE_BINARIES), \ > $(call ptx/image-install, OPTEE, \ > $(OPTEE_OUT_DIR)/core/$(binary), \ > -- > 2.47.2 > > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
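Review bot: in the rules/optee.in hunk, the new symbol is declared as `config PTXCONF_OPTEE_INSTALL_USER_TAS`, while the existing symbol right above it is `config OPTEE` (no prefix) and rules/optee.make tests `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS`. Following the convention of the neighbouring symbol, the declaration should be `config OPTEE_INSTALL_USER_TAS`; with the prefix written out in the .in file, the Kconfig symbol and the make variable will not line up and the `ifdef` block in targetinstall would never be entered. The help text could also carry what the commit message says, that the user TAs are a development aid and should stay disabled in a production rootfs, so that whoever enables the option in menuconfig sees the trade-off there and not only in git history.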
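Review bot: in the first rules/optee.make hunk (`$(STATEDIR)/optee.install`), the `install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta` line runs unconditionally, while the copied files are only consumed in targetinstall under `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS`. If the OP-TEE build is configured without in-tree user TAs, the glob matches nothing and `install` fails, which breaks the package for exactly the "secure system" configuration the commit message describes. Either put these lines under the same `ifdef`, or make the copy tolerant of an empty `ta/` directory. It would also help to document why the destination is /usr/lib/optee_armtz, i.e. that it has to match the TA search path the tee-supplicant on the target is configured with, since the help text promises runtime loading through the supplicant.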
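Review bot: in the targetinstall hunk, `OPTEE_USER_TAS` hard-codes four UUIDs, while the install stage copies whatever `ta/*.ta` the build produced, so the two lists can drift: a TA that is built but not listed is silently left out of the rootfs, and a listed TA that is not built makes `install_copy` fail. Consider deriving the list from the files present in `$(OPTEE_PKGDIR)/usr/lib/optee_armtz` instead, or at least adding a comment naming which TA each UUID belongs to so a reviewer can check the list against the OP-TEE tree. Minor: `DESCRIPTION,missing` should be filled in before this lands.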