Drops ARM_TSP_RAM_LOCATION from TF_A_FLAGS as it's not needed any
longer.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

Always try to enable FF-A in the kernel. The kernel tries to probe for
FF-A, but only enables it if other components supports it.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

In order to match all the digits in a number on its own line, use
(\\d+)\r not (\\d+) which could return a truncated value depending
on what the content of input buffer is when the matching is done.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

When running only the Trusted Keys test in Xen, qemu-check.exp waits
for a prompt twice causing a hang. Move the expect command at the right
place to fix that.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

Add a new argument for script: qemu-check.exp as the type of tests to be
executed. After this change its possible to run tests granularly as
follows:
- Executes all tests:
  $ make check
  $ make check CHECK_TESTS=all
- Execute only xtest tests:
  $ make check CHECK_TESTS=xtest
- Execute only trusted-keys tests:
  $ make check CHECK_TESTS=trusted-keys

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

Brief description of changes:
- Enable Qemu kernel configs for Trusted Keys.
- Add keyutils buildroot package.
- Enable Trusted Keys early TA in OP-TEE.
- Create a new test script (trusted-keys.exp) which is invoked as part
  of "make check" for automated Trusted Keys tests.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

Lets switch over to using aarch64 hosted cross-compiler for aarch32
rather than building toochain for aarch32 from source which is very
cumbersome. But in case of native build for aarch64 on aarch64 host we
are left with no choice but to use buildroot toolchain as Arm doesn't
provide binary toolchain releases for aarch64 native compiler. Also,
we can't rely on distribution toolchain as buildroot doesn't support it
(refer here [1] for details).

Link: [1] https://buildroot.org/downloads/manual/manual.html#_cross_compilation_toolchain


Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

When running the GitHub action, there is a warning:
  Unexpected input(s) 'exempt-issue-label', 'exempt-pr-label', valid
  inputs are ... 'exempt-issue-labels', 'exempt-pr-labels'.

Add the missing 's' to labels to fix the issue.

This is a new warning after upgrading to the 'Stale' action to v4.1.0,
so they must have changed to the plural version in more recent versions.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

- Update 'stale' from v1.0 to v4.0.1.
- Give 'write' permissions to actions (pull requests and issues).
- Add 'enhancement' to 'exempt-issue-label', so we that stale doesn't
  automatically close issues and pr's with the 'enhancement' label.
- Add 'exempt-pr-label' to match exempt-issue-label'.
- Add and set (to true)
    remove-issue-stale-when-updated
    remove-pr-stale-when-updated
  which will automatically remove the 'Stale' label when someone adds a
  new comment to a ticket marked as stale.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

With optee_os commit "scripts: migrate away from pycryptodome" [1], the
host-python3-cryptography package is required to sign TAs. Keep
host-python3-pycryptodomex for the time being to facilitate the
transition.

Link: [1] https://github.com/OP-TEE/optee_os/pull/4937


Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

"cargo: command not found" occurs when building Rust examples.
BR2_PACKAGE_OPTEE_RUST_EXAMPLES_TC_PATH_ENV clears the PATH
when building optee_rust_examples_ext. Add the cargo PATH to
BR2_PACKAGE_OPTEE_RUST_EXAMPLES_TC_PATH_ENV.

Signed-off-by: Yuan Zhuang <zhuangyuan04@baidu.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

Fix the following build error:

 $ make GDBSERVER=y
 ...
 Makefile.legacy:9: *** "You have legacy configuration in your .config! Please check your configuration.".  Stop.

The error was introduced by the upgrade to Buildroot 2021.08 [1].

The deprecated option can be found by running "make menuconfig" in
out-br/ and checking the "Legacy options" submenu. It shows that
"gcc 8.x support removed" is selected. We can also see that
BR2_GCC_VERSION_8_X=y appears just below the comment "Legacy options
removed in 2021.08" in out-br/.config. This options comes from file
br-ext/configs/toolchain-br.

Upgrade the toolchain to 10.x which is available in Buildroot 2021.08
and corresponds to the pre-built version we use by default ("make
toolchains" currently downloads 10.2).

Link: https://github.com/OP-TEE/manifest/commit/e8d2210


Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

Following error occurs when running make buildroot QEMU_RUST_ENABLE=y:

$ make buildroot QEMU_RUST_ENABLE=y
...
error: linker  not found
  |
  = note: No such file or directory (os error 2)

error: aborting due to previous error

The toolchains path is not add to the PATH. Fix it.

Signed-off-by: Rong Fan <fanrong03@baidu.com>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

GICv3 is newer and more featured version of the interrupt controller.

Signed-off-by: Aleksey Kazantsev <Alexey.Kazantsev@kaspersky.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

Invoke optee_rust/ci/qemu-check.exp in target "check-rust" to
trigger CI test for Rust applications.
Run build and check progress:
$ make CFG_TEE_CORE_LOG_LEVEL=0 OPTEE_RUST_ENABLE=y check-rust

Signed-off-by: Yuan Zhuang <zhuangyuan04@baidu.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org>

When upgrading from Buildroot 2021.2 to 2021.08, the following error
occurs:

 $ make buildroot
 ...
   GEN     /home/jerome/work/optee_repo_qemu_v8/out-br/Makefile

 Your PATH contains spaces, TABs, and/or newline (\n) characters.
 This doesn't work. Fix you PATH.
 make[1]: *** [Makefile:23: _all] Error 2
 make[1]: Leaving directory '/home/jerome/work/optee_repo_qemu_v8/out-br'
 make: *** [common.mk:323: buildroot] Error 2

The space comes from the line that appends the toolchain to the PATH in
optee_rust_examples_ext.mk. Fix it.

Signed-off-by: Jerome Forissier <jerome@forissier.org>

Drop ION driver configs from poplar.conf, as since
linaro-swg/linux.git branch optee [1] was rebased onto kernel
v5.12, where ION allocator was removed.

Link: [1] https://github.com/linaro-swg/linux/tree/optee-v5.12-20210628


Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>

In the current version of linux kernel eMMC is enumerated as mmcblk0
instead of mmcblk1 as before, which causes hang while trying to mount
root partition:

[    1.631806] mmc0: new HS200 MMC card at address 0001
[    1.641686] mmcblk0: mmc0:0001 8WPD3R 7.28 GiB
...
[    2.791837] Waiting for root device /dev/mmcblk1p3...

Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>

Current ZynqMP build script is based on Xilinx Petalinux tool, which
requires the installation of a proprietary tool. The following patch
removes this dependency and gets closed to the common build Makefile
used by other platforms.

The build is done using Xilinx out-of-tree repositories for Linux,
U-Boot and ATF, while using upstream OP-TEE and Buildroot repositories.

Finally the only non standard piece is the usage of pre-compiled
firmware images from the Xilinx wiki page.

Signed-off-by: Ibai Erkiaga <ibai.erkiaga-elorza@xilinx.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

Add OPTEE_RUST_ENABLE option to common.mk and define buildroot packages
for OP-TEE Rust examples
Build Rust examples in optee_rust/examples:
$ cd build && make OPTEE_RUST_ENABLE=y CFG_TEE_RAM_VA_SIZE=0x00300000

Signed-off-by: Rong Fan <fanrong03@baidu.com>
Signed-off-by: Yuan Zhuang <zhuangyuan04@baidu.com>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

Xen is built from $(ROOT)/xen and Xen tools are built from
$(ROOT)/buildroot/package/xen. They need to be the same major.minor
version, otherwise the Xen tool commands ('xl ...') are likely to fail
in more or less obscure ways.

Add a build time check and fail early if versions do not match.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

XEN_GZ is not used so remove it.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

Since Linux commit dcb3b06d9c34 ("tee: optee: replace might_sleep with
cond_resched") in v5.11, setting CONFIG_PREEMPT=y in kconfigs/qemu.conf
is not needed anymore. It was a workaround for the missing call to
cond_resched() in the TEE driver. At that time, might_sleep() together
with preemption enabled allowed to get rid of some RCU warning messages
when running long operations in secure world such as large key generation
(test case: "xtest -l 1 4007_rsa"). With cond_resched() the preemption
settings do not matter anymore.

As a result of this change, QEMUv8 is unmodified (CONFIG_PREEMPT=y is
set by default in the kernel's arch/arm64/configs/defconfig), but 32-bit
QEMU now has CONFIG_PREEMPT disabled. Both platforms are tested and
4007_rsa runs as expected with no warning.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

Current linux config file generation does not add the cross compilation
flag, leading potentially to compilation errors. Not sure how a proper config
file is generated with current implementation but issues are observerd
specially when buildling the linux image with a single thread.

This commit ensures that both ARCH and CROSS_COMPILE flags are set when
using the merge_config script.

Signed-off-by: Ibai Erkiaga <ibai.erkiaga-elorza@xilinx.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

Use soc_term.py instead of the C version and stop building the soc_term
project.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

Adds soc_term.py, a direct replacement for the soc_term tool originally
written in C [1]. This Python version is slightly simpler and does not
need to be compiled (obviously). It is therefore reasonable to have it
here in build.git for use on QEMU and QEMUv8. We can later get rid of
the soc_term project in the manifest file of those platforms.

This script is also useful with FVP, although fvp.xml does not use it;
in a custom work flow the 'xterm' command is replaced by a script which
connects the FVP telnet ports to soc_term.py via the socat command.

Link: [1] https://github.com/linaro-swg/soc_term


Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

Fix issue in ftpm_optee_ext/Config.in where BR2_PACKAGE_FTPM_OPTEE_EXT
both selects and depends on BR2_PACKAGE_OPTEE_OS_EXT. Keep only the
select rule.

The issue was found from a OP-TEE build using GCC-11. The build failed
with the following message:

build/br-ext/package/ftpm_optee_ext/Config.in:1:error: recursive dependency detected!
build/br-ext/package/ftpm_optee_ext/Config.in:1:	symbol BR2_PACKAGE_FTPM_OPTEE_EXT depends on BR2_PACKAGE_OPTEE_OS_EXT
build/br-ext/package/optee_os_ext/Config.in:1:	symbol BR2_PACKAGE_OPTEE_OS_EXT is selected by BR2_PACKAGE_FTPM_OPTEE_EXT

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

When VIRTFS_AUTOMOUNT=y and/or PSS_AUTOMOUNT=y, QEMU prints the
following warning:

 qemu-system-aarch64: warning: 9p: degraded performance: a reasonable
 high msize should be chosen on client/guest side (chosen msize is <=
 8192). See https://wiki.qemu.org/Documentation/9psetup#msize

 for
 details.

Let's set the buffer size to 64K mainly to silence this warning. The
performance is noticeably increased too although it doesn't really
matters for typical OP-TEE use cases.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

Signed-off-by: Aleksey Kazantsev <Alexey.Kazantsev@kaspersky.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

After trying to use upstream EDK2 on my HiKey board without success,
I reached a point where even 'make recovery' would not make the board
bootable again. The recovery process failed like so:

 $ make recovery
 [...]
 Waiting for device... [35][34][33][32][31][30][29][28][27][26][25][24][23][22][21][20][19][18]
 Sending /home/jerome/work/optee_repo_hikey/build/../l-loader/recovery.bin ...
 Done

 fastboot flash loader /home/jerome/work/optee_repo_hikey/build/../l-loader/l-loader.bin
 < waiting for any device >
 Sending 'loader' (39 KB)                           FAILED (remote: 'invalid partition')
 fastboot: error: Command failed
 make: *** [Makefile:351: recovery] Error 1

The solution to this problem is mentioned in [1] and consists in
running 'fastboot getvar partition-size:ptable' before the fastboot
flash command.

Link: [1] https://github.com/96boards/documentation/issues/751

.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Victor Chong <victor.chong@linaro.org>

qemu-check.exp needs the environment variable $XEN_BOOT to be set,
or the following error is displayed:
 $ make check
 ...
 # no such variable
     (read trace on "::env(XEN_BOOT)")
     invoked from within
 "if {$::env(XEN_BOOT) == "y"} {
         info " (Xen Dom0)"
 }"
     (file "/<...>/qemu-check.exp" line 119)

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

Replaces virt-make-fs with mke2fs since it's more robust on Ubuntu and
also a bit faster.

Fixes build problems like:
virt-make-fs -t ext4
/home/jens/work/repos/qemu_v8_xen/build/../out/bin/xen_files
/home/jens/work/repos/qemu_v8_xen/build/../out/bin/xen.ext4
Image Name:   Root file system
Created:      Wed Jun 30 19:34:06 2021
Image Type:   AArch64 Linux RAMDisk Image (gzip compressed)
Data Size:    31978230 Bytes = 31228.74 KiB = 30.50 MiB
Load Address: 44000000
Entry Point:  44000000
libguestfs: error: tar_in: tar subcommand failed on directory: /: tar:
./rootfs.cpio.gz: Wrote only 6144 of 10240 bytes
tar: Exiting with failure status due to previous errors
make: *** [Makefile:362: xen-create-image] Error 1

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

This patch enables Measured Boot on TF-A and builds the TSS tools
and the TPM Kernel Module for the FVP toolkit.

The functionality is disabled by default. To enable it, build with
MEASURED_BOOT=y.

Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

TF-A v2.4 and earlier is used with the SCP binaries provided in the
vexpress-firmware git. With TF-A v2.5 is supposed to use the SCP
binaries released at [1] instead. So update to download the SCP binaries
from [1] instead.

Link [1]: https://downloads.trustedfirmware.org/tf-a/css_scp_2.8.0/juno


Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

make-virt-fs is used to generate xen.ext4 but is passed '-t vfat'
instead of '-t ext4'. Fix that.

In fact '-t vfat' happens to be working in general, presumably because
the actual format of the image is detected at runtime. However, I could
not manage to make a VFAT image work in a Docker container based on
Ubuntu 21.04 and with the following kernel image package installed:

  linux-image-kvm/hirsute-updates,now 5.11.0.1009.9 amd64 [installed]

The error messages are as follows:

root@32b61ad4d7f3:~/optee_repo_qemu_v8/build# LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1 virt-make-fs -t vfat /root/optee_repo_qemu_v8/build/../out/bin/xen_files /root/optee_repo_qemu_v8/build/../out/bin/xen.ext4
[...]
libguestfs: trace: mount_options "utf8" "/dev/sda" "/"
guestfsd: => mkfs (0x116) took 0.47 secs
guestfsd: <= mount_options (0x4a) request length 68 bytes
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: udevadm --debug settle -E /dev/sda
SELinux enabled state cached to: disabled
No filesystem is currently mounted on /sys/fs/cgroup.
Failed to determine unit we run in, ignoring: No data available
command: mount '-o' 'utf8' '/dev/sda' '/sysroot//'
[   11.673076] squashfs: Unknown parameter 'utf8'
[   11.694908] fuseblk: Unknown parameter 'utf8'
command: mount returned 32
command: mount: stderr:
mount: /sysroot: wrong fs type, bad option, bad superblock on /dev/sda, missing codepage or helper program, or other error.
ocaml_exn: 'mount_options' raised 'Failure' exception
guestfsd: error: mount exited with status 32: mount: /sysroot: wrong fs type, bad option, bad superblock on /dev/sda, missing codepage or helper program, or other error.
guestfsd: => mount_options (0x4a) took 0.40 secs
libguestfs: trace: mount_options = -1 (error)
libguestfs: error: mount_options: mount exited with status 32: mount: /sysroot: wrong fs type, bad option, bad superblock on /dev/sda, missing codepage or helper program, or other error.
libguestfs: trace: close
libguestfs: closing guestfs handle 0x55f423503430 (state 2)
[...]

With '-t ext4', the issue is gone.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

Update broken URLs in the issue and PR templates.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

Adds a helper script to create a Xen DomU from a Dom0 root shell.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>

Use security_model mapped-xattr for QEMU_PSS_HOST_DIR.
This allows folders/files below /data/tee to be owned by
any uid/gid of the QEMU context.

Fixes https://github.com/OP-TEE/build/issues/478



Signed-off-by: Christoph Gellner <cgellner@de.adit-jv.com>
Suggested-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

Build script updated to use Petalinux 2020.2 release. Custom recipes
removed in order to use upstream recipes insted for optee and python
devtool dependencies.

Signed-off-by: Ibai Erkiaga <ibai.erkiaga-elorza@xilinx.com>
Acked-by: Michael Grand <michael.grand.mg@gmail.com>
Tested-by: Michael Grand <michael.grand.mg@gmail.com>

The readability check of the host kernel makes sense only when
XEN_BOOT=y, so avoid annoying users that are not concerned by this.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>