On Wed, Aug 27, 2025 at 12:36:41PM +0200, Michael Tretter wrote:
> While user TAs are preferably disabled in a secure system to reduce the
> attack surface, it may still be useful to be able to load the in-tree
> TAs from the rootfs during development.
>
> The option to install the user TAs into the rootfs.
>
> Signed-off-by: Michael Tretter <[email protected]>
> ---
> rules/optee.in | 17 ++++++++++++++++-
> rules/optee.make | 24 ++++++++++++++++++++++++
> 2 files changed, 40 insertions(+), 1 deletion(-)
>
> diff --git a/rules/optee.in b/rules/optee.in
> index 0e0f3230d8c6..a6a03a151eb3 100644
> --- a/rules/optee.in
> +++ b/rules/optee.in
> @@ -1,4 +1,19 @@
> ## SECTION=security
>
> -config OPTEE
> +menuconfig OPTEE
> tristate
> + prompt "optee"
> +
> +if OPTEE
> +
> +config PTXCONF_OPTEE_INSTALL_USER_TAS
> + bool "install in-tree user TAs"
> + help
> + Install the OP-TEE in-tree user TAs.
> +
> + Enable this option to install the user TAs, which are included in
> + the OP-TEE OS, into the rootfs. This allows loading the TAs via the
> + tee-supplicant at runtime and removes the requirement to include the
> + TAs as early TAs in the OP-TEE binary.
Hmm, I would expect that this is platform specific, so it should probably be in platforms/optee.in instead.

Michael

> +
> +endif
> diff --git a/rules/optee.make b/rules/optee.make
> index e0655565efc3..e9a4ac302494 100644
> --- a/rules/optee.make
> +++ b/rules/optee.make
> @@ -64,6 +64,10 @@ $(STATEDIR)/optee.install:
> @install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee-os
> @cp -vr $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/*
> $(OPTEE_PKGDIR)/usr/lib/optee-os
>
> + @install -vd -m755 $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> + @install -v -D -m444 $(OPTEE_OUT_DIR)/$(OPTEE_LIB_DIR)/ta/*.ta \
> + $(OPTEE_PKGDIR)/usr/lib/optee_armtz
> +
> @$(call touch)
>
> #
> ----------------------------------------------------------------------------
> @@ -77,9 +81,29 @@ OPTEE_BINARIES := \
> tee-pageable_v2.bin \
> tee.elf
>
> +OPTEE_USER_TAS := \
> + 023f8f1a-292a-432b-8fc4-de8471358067.ta \
> + 80a4c275-0a47-4905-8285-1486a9771a08.ta \
> + f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.ta \
> + fd02c9da-306c-48c7-a49c-bbd827ae86ee.ta
> +
> $(STATEDIR)/optee.targetinstall:
> @$(call targetinfo)
>
> +ifdef PTXCONF_OPTEE_INSTALL_USER_TAS
> + @$(call install_init, optee)
> + @$(call install_fixup, optee,PRIORITY,optional)
> + @$(call install_fixup, optee,SECTION,base)
> + @$(call install_fixup, optee,AUTHOR,"Rouven Czerwinski
> <[email protected]>")
> + @$(call install_fixup, optee,DESCRIPTION,missing)
> +
> + @$(foreach ta, $(OPTEE_USER_TAS), \
> + $(call install_copy, optee, 0, 0, 0444, -, \
> + /usr/lib/optee_armtz/$(ta))$(ptx/nl))
> +
> + @$(call install_finish, optee)
> +endif
> +
> @$(foreach binary, $(OPTEE_BINARIES), \
> $(call ptx/image-install, OPTEE, \
> $(OPTEE_OUT_DIR)/core/$(binary), \
> --
> 2.47.2
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
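Review bot: `config PTXCONF_OPTEE_INSTALL_USER_TAS` carries the PTXCONF_ prefix inside the Kconfig symbol, while the symbol declared a few lines above is plain `config OPTEE` and is tested as `if OPTEE`. If the build system prepends PTXCONF_ when it emits the configuration, as that pairing suggests, the generated variable becomes PTXCONF_PTXCONF_OPTEE_INSTALL_USER_TAS and the `ifdef PTXCONF_OPTEE_INSTALL_USER_TAS` in rules/optee.make never fires, so the TAs are staged but never packaged. The declaration should read `config OPTEE_INSTALL_USER_TAS`. Since the commit message itself says user TAs on the rootfs widen the attack surface, the help text would benefit from one sentence making the intended use explicit, e.g. `This is meant for development images; keep it disabled for production systems.`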
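Review bot: The install stage stages every `*.ta` the OP-TEE build produced, while the targetinstall hunk further down packages only the four UUIDs hard-coded in OPTEE_USER_TAS, so the two lists can drift: a TA added by a newer OP-TEE is silently left out of the image, and one that is no longer built makes install_copy fail on a missing file. If the intent is to ship whatever was built, the foreach in the targetinstall hunk could iterate `$(notdir $(wildcard $(OPTEE_PKGDIR)/usr/lib/optee_armtz/*.ta))`, which is expanded when the recipe runs, after optee.install has populated the directory; if the intent is an explicit allow-list, a comment on OPTEE_USER_TAS saying so, and that it must be revisited on an OP-TEE version bump, keeps the next reader from "fixing" it. The `-D` on the second added line of this hunk is also redundant, since the target directory is created by the `install -vd` immediately above it. The optee.install recipe starts before this hunk.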
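Review bot: `@$(call install_fixup, optee,DESCRIPTION,missing)` ships the template placeholder as the package description; now that the optee package actually contains files, a real description such as `OP-TEE in-tree user trusted applications` belongs there. The AUTHOR value looks copied from a template as well and is worth confirming. The optee.targetinstall recipe continues past the end of this hunk.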
