Building optee-examples and trusted Apps in Yocto bitbake

yuzarsif · ‎12-06-2021

Hello all,

I'm working on NXP yocto project to build an image that support "optee-examples" using "imx8qmmek" board as target machine.

When I check the meta-imx/meta-bsp/recipes-security/optee-imx I've only found the optee-os optee-client and optee-test but not optee-examples.

Following this link added 4 weeks ago that describes how to make that possible with a hardknott kernel version :

https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/Build-optee-examples-in-yocto-hardkott/t...

After bitbaking the optee-examples , the result was 100% succeed. But when I boot my machine and check the TA binaries in /lib/optee_armtz/ I don't see any interesting TA example for example the hello_world uuid .ta file which should be "8aaaf200-2450-11e4-abe2-0002a5d5c51b.ta"

And as you can see even after launching the xtest to install the ta file :

I really need help on that please , the question is that the correct way to build optee-examples into IMX yocto project ? If it is , why I can't see the optee-examples .ta files ? Otherwise what should I do to fix this problem because I really need to develop my custom trusted apps in the future ?

Thank You

yuzarsif · ‎12-08-2021

IMPORTANT UPDATE :

I managed to solve the problem. My solution is to only add optee-examples_3.13.0.imx.bb file into the path meta-imx/meta-bsp/recipes-security/optee-imx/ .

After making modifications , here is the content of the recipe file below :

SUMMARY = "OP-TEE examples"
DESCRIPTION = "Open Portable Trusted Execution Environment - Sample Applications"
HOMEPAGE = "https://github.com/linaro-swg/optee_examples"

LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"

DEPENDS = "optee-client optee-os python3-pycryptodome-native"

inherit python3native

SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
SRCREV = "ff4b493e267d40bcf508acc300da296a3a2adac2"

S = "${WORKDIR}/git"
B = "${WORKDIR}/build"

OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta_arm64"

EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                 OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
                 TEEC_EXPORT=${TEEC_EXPORT} \
                 HOST_CROSS_COMPILE=${HOST_PREFIX} \
                 TA_CROSS_COMPILE=${HOST_PREFIX} \
                 -C ${S} OUTPUT_DIR=${B} \
               "

CFLAGS += "--sysroot=${STAGING_DIR_HOST}"

do_compile() {
    oe_runmake
}

do_install () {
    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
    mkdir -p ${D}${bindir}
    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
}

FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"

# Imports machine specific configs from staging to build
PACKAGE_ARCH = "${MACHINE_ARCH}"

And of course as you suggested adding these lines into local.conf but with little change.

DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
MACHINE_FEATURES += "optee"
DISTRO_FEATURES += "optee"
IMAGE_INSTALL_append = " optee-test optee-os optee-client optee-examples"

Notice that I used in purpose "IMAGE_INSTALL_append" and not "IMAGE_INSTALL +=" . I passed long time to conclude that with the "IMAGE_INSTALL +=" I don't manage to see my binaries into rootfs of the image but with the append syntax that works correctly. I don't know for what reason is that. But with this way it worked perfectly. According to bitbake documentation that's equivalent but if you have any idea why is that don't hesitate to share it with us.

I hope that will solve the problem for you either if anyone had the same issue !

View solution in original post

yuzarsif · ‎12-08-2021

IMPORTANT UPDATE :

I managed to solve the problem. My solution is to only add optee-examples_3.13.0.imx.bb file into the path meta-imx/meta-bsp/recipes-security/optee-imx/ .

After making modifications , here is the content of the recipe file below :

SUMMARY = "OP-TEE examples"
DESCRIPTION = "Open Portable Trusted Execution Environment - Sample Applications"
HOMEPAGE = "https://github.com/linaro-swg/optee_examples"

LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"

DEPENDS = "optee-client optee-os python3-pycryptodome-native"

inherit python3native

SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
SRCREV = "ff4b493e267d40bcf508acc300da296a3a2adac2"

S = "${WORKDIR}/git"
B = "${WORKDIR}/build"

OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta_arm64"

EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
                 OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
                 TEEC_EXPORT=${TEEC_EXPORT} \
                 HOST_CROSS_COMPILE=${HOST_PREFIX} \
                 TA_CROSS_COMPILE=${HOST_PREFIX} \
                 -C ${S} OUTPUT_DIR=${B} \
               "

CFLAGS += "--sysroot=${STAGING_DIR_HOST}"

do_compile() {
    oe_runmake
}

do_install () {
    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
    mkdir -p ${D}${bindir}
    install -D -p -m0755 ${B}/ca/* ${D}${bindir}
    install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
}

FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"

# Imports machine specific configs from staging to build
PACKAGE_ARCH = "${MACHINE_ARCH}"

And of course as you suggested adding these lines into local.conf but with little change.

DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
MACHINE_FEATURES += "optee"
DISTRO_FEATURES += "optee"
IMAGE_INSTALL_append = " optee-test optee-os optee-client optee-examples"

Notice that I used in purpose "IMAGE_INSTALL_append" and not "IMAGE_INSTALL +=" . I passed long time to conclude that with the "IMAGE_INSTALL +=" I don't manage to see my binaries into rootfs of the image but with the append syntax that works correctly. I don't know for what reason is that. But with this way it worked perfectly. According to bitbake documentation that's equivalent but if you have any idea why is that don't hesitate to share it with us.

I hope that will solve the problem for you either if anyone had the same issue !

Zhiming_Liu · ‎12-06-2021

Have updated that samples, you need use:

DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
MACHINE_FEATURES += "optee"
DISTRO_FEATURES += "optee"
IMAGE_INSTALL += "optee-test optee-os optee-client optee-examples"

yuzarsif · ‎12-07-2021

Thanks for your suggestion. But I already did that and always not working.

Can you please share any other ideas ?

I've noticed that there is under file optee-examples.inc :

HOST_CROSS_COMPILE=${HOST_PREFIX}

TA_CROSS_COMPILE=${HOST_PREFIX}

But in optee-test file it's :

CROSS_COMPILE_HOST=${HOST_PREFIX}

CROSS_COMPILE_TA=${HOST_PREFIX}

I'm wondering why the syntax is so different ?

yuzarsif · ‎12-06-2021

Update : Is that related to the optee.inc file downloaded via the link ?

I see that the COMPATIBLE_MACHINE variable is fixed to qemuarm64, I tried to add supported machine by defining MACHINE variable as MACHINE = "imx8qmmek" but always same problem.

Building optee-examples and trusted Apps in Yocto bitbake

Building optee-examples and trusted Apps in Yocto bitbake

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano

Security