On Thu, Nov 13, 2025 at 04:42 AM, Suhaas Joshi wrote:
>
> PKCS#11 is a standard that defines an interface for applications to
> interact with security modules, including OP-TEE's PKCS#11 TA.
>
> Enable PKCS#11 with REE_FS. CFG_REE_FS=y is set by default, but set it
> explicitly for clarity.
>
> Further, copy libckteec library files to the filesystem. These files are
> required by pkcs11-tool to interact with the TA.
>
> Signed-off-by: Suhaas Joshi <[email protected]>
> ---
> v2 -> v3:
> * As Andrew suggested: RPMB with CFG_RPMB_WRITE_KEY already enabled is a risk.
> Therefore, instead of enabling RPMB, enable only PKCS#11 to work with
> REE_FS.
> This allows users to try PKCS#11 and run OPTEE secure storage examples,
> with REE_FS.
> * By Denys' and Ryan's suggestions, move extra logic away from .bbappend to
> optee-client-ti-overrides.inc file.
> * Link to v2:
>
> https://lore.kernel.org/yocto-meta-ti/[email protected]/T/#t
> ---
> .../optee/optee-client-ti-overrides.inc | 10 ++++++++++
> .../optee/optee-client_%.bbappend | 5 +++++
> .../optee/optee-os-ti-overrides.inc | 16 ++++++++++++----
> 3 files changed, 27 insertions(+), 4 deletions(-)
> create mode 100644
> meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
>
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
> b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
> new file mode 100644
> index 00000000..1ac1684e
> --- /dev/null
> +++ b/meta-ti-bsp/recipes-security/optee/optee-client-ti-overrides.inc
> @@ -0,0 +1,10 @@
> +do_install:append:am62axx:am62dxx:am62pxx:am62xx() {
> + install -d ${D}${libdir}
> +
> + install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
> + ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
> + ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
> +}
> +
> +FILES:${PN}:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so.0
> ${libdir}/libckteec.so.0.1.0"
> +FILES:${PN}-dev:am62axx:am62dxx:am62pxx:am62xx += " ${libdir}/libckteec.so"
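Review bot: the library version is hard-coded as libckteec.so.0.1.0 in the install line and in both ln lines of do_install:append, so do_install fails as soon as the build under ${B}/libckteec/ produces a different version suffix. Holding the version in one variable, or installing whatever the build produced, would leave the file name written in a single place. The new file also has no comment saying why libckteec needs a manual install step here, or why it is installed with -m 0644.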
I'm not sure these additions will work correctly. I think chained overrides
like this require that all of the overrides be present in order to have the
statement apply. Plus this is just really unreadable.

For the do_install:append I think you need to create a variable that you can
default to "" and then override for all of the platforms listed above.
Something like:

    LIBCKTEEC = ""
    LIBCKTEEC:am62xx = "${libdir}/libckteec.so*"
    LIBCKTEEC:am62axx = "${libdir}/libckteec.so*"
    LIBCKTEEC:am62dxx = "${libdir}/libckteec.so*"
    LIBCKTEEC:am62pxx = "${libdir}/libckteec.so*"

    do_install:append() {
        if [ "${LIBCKTEEC}" != "" ]; then
            install -d ${D}${libdir}
            install -m 0644 ${B}/libckteec/libckteec.so.0.1.0 ${D}${libdir}/
            ln -v -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
            ln -v -sf libckteec.so.0 ${D}${libdir}/libckteec.so
        fi
    }

    FILES:${PN} += "${LIBCKTEEC}"

I don't think you need the FILES:${PN}-dev. It's just including another symlink
and not additional files or headers needed for dev. Just have the link in
the single package.

> diff --git a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> index f193e78b..0cee127f 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> +++ b/meta-ti-bsp/recipes-security/optee/optee-client_%.bbappend
> @@ -2,3 +2,8 @@ OPTEE_TI_VERSION = ""
> OPTEE_TI_VERSION:ti-soc = "${BPN}-ti-version.inc"
>
> require ${OPTEE_TI_VERSION}
> +
> +OPTEE_TI_OVERRIDES = ""
> +OPTEE_TI_OVERRIDES:ti-soc = "${BPN}-ti-overrides.inc"
> +
> +require ${OPTEE_TI_OVERRIDES}
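Review bot: OPTEE_TI_OVERRIDES:ti-soc pulls ${BPN}-ti-overrides.inc into every ti-soc build, while everything in the new optee-client-ti-overrides.inc is meant for the four am62 families only, so correct scoping rests entirely on the overrides inside that file. A one-line comment above `OPTEE_TI_OVERRIDES = ""` saying what the include is for, as distinct from the version include just above it, would make that dependency visible to the next reader.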
> diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> index 61a74a06..ece8c50d 100644
> --- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> +++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
> @@ -6,11 +6,11 @@ EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
> EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+
> d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
> EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_TZDRAM_START='+
> d.getVar('OPTEE_K3_TZDRAM_START') if d.getVar('OPTEE_K3_TZDRAM_START') else
> ''}"
>
> -EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62xx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y
> CFG_PKCS11_TA=y"
> EXTRA_OEMAKE:append:am62lxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1"
> -EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1"
> +EXTRA_OEMAKE:append:am62pxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y
> CFG_PKCS11_TA=y"
> +EXTRA_OEMAKE:append:am62axx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y
> CFG_PKCS11_TA=y"
> +EXTRA_OEMAKE:append:am62dxx = " CFG_TEE_CORE_LOG_LEVEL=1 CFG_REE_FS=y
> CFG_PKCS11_TA=y"
> EXTRA_OEMAKE:append:j722s = " CFG_TEE_CORE_LOG_LEVEL=1"
>
> do_compile:append:k3() {
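Review bot: the string " CFG_REE_FS=y CFG_PKCS11_TA=y" is now repeated on four EXTRA_OEMAKE:append lines (am62xx, am62pxx, am62axx, am62dxx), which makes it easy for a later change to update one family and miss another. A single variable that defaults to empty, is set per family and is appended once would keep the PKCS#11 platform list in one place. Since the commit message says CFG_REE_FS=y is already the default and is spelled out only for clarity, a short comment to that effect would stop it being read as a non-default setting.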
> @@ -49,6 +49,14 @@ do_install:append() {
> install -m 644 ${B}/*.optee ${D}${nonarch_base_libdir}/firmware/ || true
> install -m 644 ${B}/bl32.bin ${D}${nonarch_base_libdir}/firmware/ || true
> install -m 644 ${B}/bl32.elf ${D}${nonarch_base_libdir}/firmware/ || true
> +
> + case "${MACHINE}" in
> + am62pxx-evm|am62xx-evm|am62axx-evm|am62dxx-evm)
> +
> + install -d ${D}${nonarch_base_libdir}/optee_armtz
> + install -m 644 ${B}/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
> ${D}${nonarch_base_libdir}/optee_armtz
> + ;;
> + esac
This should be done with an append and not a case statement. At the very
least, you could create a new variable that defaults to "" and then override it
with "1" for the platforms that need the extra steps and then have an if on the
variable in the existing do_install:append.
> }
>
> optee_deploy_legacyhs() {
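Review bot: the case in do_install:append matches the literal MACHINE names am62pxx-evm, am62xx-evm, am62axx-evm and am62dxx-evm, while CFG_PKCS11_TA=y is enabled through the am62xx, am62pxx, am62axx and am62dxx overrides in the previous hunk. Any machine that carries one of those overrides without one of those exact names builds the TA but never installs fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta. Keying the install on the same condition as the build option would keep the two in step. The new install line also has no `|| true`, unlike the three install lines above it; if a missing TA is meant to fail the build, a comment saying so would help.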
> --
> 2.34.1
>
>