PKCS#11 is a standard that defines an interface for applications to interact with security modules, including OP-TEE's PKCS#11 TA.
Enable PKCS#11 with REE_FS. CFG_REE_FS=y is set by default, but set it explicitly for clarity. Further, copy libckteec library files to the filesystem. These files are required by pkcs11-tool to interact with the TA.
Signed-off-by: Suhaas Joshi <[email protected]>
---
v2 -> v3: * As Andrew suggested: RPMB with CFG_RPMB_WRITE_KEY already enabled is a risk. Therefore, instead of enabling RPMB, enable only PKCS#11 to work with REE_FS. This allows users to try PKCS#11 and run OPTEE secure storage examples, with REE_FS. * By Denys' and Ryan's suggestions, move extra logic away from .bbappend to optee-client-ti-overrides.inc file. * Link to v2: https://lore.kernel.org/yocto-meta-ti/[email protected]/T/#t
---
.../optee/optee-client-ti-overrides.inc | 10 ++++++++++
.../optee/optee-client_%.bbappend | 5 +++++
.../optee/optee-os-ti-overrides.inc | 16 ++++++++++++----
3 files changed, 27 insertions(+), 4 deletions(-)
create mode 100644 meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
new file mode 100644
index 00000000..1ac1684e
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
@@ -0,0 +1,10 @@
+do_install:append:am62axx:am62dxx:am62pxx:am62xx() {
+ install -d ${D}${libdir}
+
+ install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
+ ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
+ ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
+}
+
+FILES:${PN}:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so.0 ${libdir}/libckteec.so.0.1.0"
+FILES:${PN}-dev:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
index f193e78b..0cee127f 100644
--- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
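Review bot: In optee-client-ti-overrides.inc the stacked override `do_install:append:am62axx:am62dxx:am62pxx:am62xx()` and the two `FILES:...:am62axx:am62dxx:am62pxx:am62xx` lines most likely never apply. As far as BitBake override chaining goes, every name in the chain has to be in OVERRIDES at once, and no single machine selects all four SoC families. If that holds, libckteec is neither installed nor packaged, and pkcs11-tool has no module to load against the TA. One append per family, such as `do_install:append:am62xx() { install_libckteec }` calling a shared shell function, would behave as intended. The hard-coded `libckteec.so.0.1.0` will also break on the next soname bump, and the default `FILES` globs for `${PN}` and `${PN}-dev` probably already cover these paths.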
+++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend @@ -2,3 +2,8 @@ OPTEE_TI_VERSION = "" OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc" require ${OPTEE_TI_VERSION} + +OPTEE_TI_OVERRIDES = "" +OPTEE_TI_OVERRIDES:ti-soc = "${BPN}-ti-overrides.inc" + +require ${OPTEE_TI_OVERRIDES} diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc index 61a74a06..ece8c50d 100644 --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}" EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+ d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else ''}" -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1" +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1" -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1" +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y CFG_PKCS11_TA=y" EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1" do_compile:append:k3() { 
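Review bot: The four `EXTRA_OEMAKE:append` lines in optee-os-ti-overrides.inc that gain `CFG_REE_FS=y CFG_PKCS11_TA=y` say nothing about what REE_FS-backed storage does and does not protect. With REE_FS, the PKCS#11 token objects and PIN state are kept as encrypted files in the normal-world filesystem, so a privileged Linux user can delete them or restore an older copy. OP-TEE only gets rollback protection from RPMB, which this patch deliberately leaves off. I would add a comment above the block, e.g. `# PKCS#11 TA on REE_FS is for evaluation: no rollback protection without RPMB`, so integrators do not take this configuration as production-ready key storage. The same flag string is repeated on four lines, so a single variable appended per SoC would keep them in sync. The trailing context `do_compile:append:k3() {` opens a function whose body is outside the hunk.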
@@ -49,6 +49,14 @@ do_install:append() { install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true + + case "${MACHINE}" in + am62pxx-evm|am62xx-evm|am62axx-evm|am62dxx-evm) + + install -d ${D}${nonarch_base_libdir}/optee_armtz + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ${D}${nonarch_base_libdir}/optee_armtz + ;; + esac } optee_deploy_legacyhs() { -- 2.34.1
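Review bot: The `case "${MACHINE}"` list in `do_install:append()` names only the four `-evm` machines, while `CFG_PKCS11_TA=y` is keyed on the SoC-family overrides (am62xx, am62pxx, am62axx, am62dxx). Any other board in those families would build the TA but ship without it, and PKCS#11 would fail at runtime with nothing flagged at build time. Keying the install on the build output keeps the two in step, e.g. `if [ -f ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta ]; then install -d ...; install -m 644 ...; fi`, or use per-family `do_install:append:am62xx()` blocks. The packaging of `${nonarch_base_libdir}/optee_armtz` is not visible in this hunk, so please confirm a `FILES` entry covers it. `do_install:append()` begins above the hunk.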
