| Message ID | 20190322095818.19914-2-etienne.carriere@linaro.org |
|---|---|
| State | Accepted |
| Series | [v3,1/4] boot/arm-trusted-firmware: support alternate image files |
Hi Etienne,

On 22/03/2019 10:58, Etienne Carriere wrote:
> This change introduces a Qemu board for an Armv7-A target executing
> with OP-TEE secure world services. The target Linux based normal world
> embeds the standard minimal filesystem with OP-TEE non-secure components
> embedded files from OP-TEE test, examples and benchmark packages.
>
> qemu_arm_vexpress_tz_defconfig differs from qemu_arm_vexpress_defconfig.
> Supporting both secure and non-secure worlds on the Arm target mandates
> a secure world, here OP-TEE OS, and a bootloader to boot both worlds,
> here TF-A (boot/arm-trusted-firmware). Here non-secure Linux kernel is
> booted through U-boot
>
> TF-A bootloader (BL1/BL2) => OP-TEE (BL32) => U-boot (BL33).
> | Executes as secure | Secure | Execs as Non-secure
> | Loads BL32/BL33 in RAM | Jumps to BL33 | Always booted after
> | Jumps to BL32 once done | as Non-secure | secure world inits
>
> Vexpress and vexpress-tz defconfigs also differs in that Qemu emulates
> a Cortex-A9 in the former and a Cortex-A15 in the later. Cortex-A15
> is the Armv7-A CPU used in upstream TF-A and OP-TEE OS packages hence
> selected here.
>
> Defconfig adds a fragment to the Linux kernel native configuration to
> enable OP-TEE driver support.
>
> Defconfig adds a fragment to the U-Boot native configuration set boot
> command, enable semihosting and remove U-Boot persistent environment
> storage support.
>
> The defconfig also enables build of the Qemu emulator in case the
> system installed Qemu does not yet support CPU TrustZone secure state.
>
> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

Applied to master, thanks, but with some changes...

First of all, thank you for the very extensive and clear commit message and readme file.

[snip]

> +Board qemu_arm_vexpress_tz builds a Qemu Armv7-A target system with
> +OP-TEE running in the TrustZone secure world and a Linux based
> +OS running in the non-secure world. The board configuration enable
> +builds of the Qemu host Arm target emulator.
> +
> + make qemu_arm_vexpress_tz_defconfig
> + make
> +
> +BIOS used in the Qemu host is the Arm Trusted Firmware-A (TF-A). TF-A
> +uses Qemu semihosting file access to access boot image files. The
> +Qemu platform is quite specific for that in TF-A and one needs to
> +run the emulation from the image directory for TF-A to boot the
> +secure and non-secure worlds.

This semihosting approach is not so nice, because it only works on qemu. It would be nicer to have a single image that contains everything (except bl1 I guess) and use that as virtual flash, so it matches what would happen on a real board. But this is not a bad start, and it might make debugging the optee part easier.

> +
> + cd output/images && ../host/bin/qemu-system-arm \
> + -machine virt -machine secure=on -cpu cortex-a15 \
> + -smp 1 -s -m 1024 -d unimp \
> + -serial stdio \
> + -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
> + -semihosting-config enable,target=native \
> + -bios bl1.bin

I'm a bit worried that the script in the toolchains-builder will not be able to parse this. But because of the cd, it will anyway not work, so OK. It anyway looks a lot nicer like this than how it's done in the other readmes.

[snip]

> @@ -0,0 +1,47 @@
> +# Architecture
> +BR2_arm=y
> +BR2_cortex_a15=y
> +BR2_ARM_ENABLE_NEON=y
> +BR2_ARM_ENABLE_VFP=y
> +BR2_ARM_FPU_VFPV3D16=y
> +# System

Please add an empty line before the different sections.

> +BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> +# Filesystems (support several boot config)
> +BR2_TARGET_ROOTFS_CPIO=y
> +BR2_TARGET_ROOTFS_CPIO_GZIP=y
> +BR2_TARGET_ROOTFS_EXT2=y

There's no reason at all to add ext2 and tar, so I removed both of them. If you want to support several boot configs, it should be mentioned in the readme file how to do that.

> +# Generic
> +BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
> +# Linux 4.19 series
> +BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
> +BR2_LINUX_KERNEL=y
> +BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
> +BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
> +BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
> +BR2_LINUX_KERNEL_DTS_SUPPORT=y
> +BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca15_a7"
> +# TF-A for booting OP-TEE secure and uboot/linux non secure
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT=y
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_URL="https://github.com/ARM-software/arm-trusted-firmware.git"
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION="v2.0"

There is a version selection available now, so I used that instead of the git download.

BTW, our current ATF version is still v1.4, maybe it should be bumped?

> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu"
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_AS_BL33=y
> +BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram"
> +# OP-TEE components
> +BR2_TARGET_OPTEE_OS=y
> +BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
> +BR2_PACKAGE_OPTEE_CLIENT=y
> +BR2_PACKAGE_OPTEE_TEST=y
> +BR2_PACKAGE_OPTEE_EXAMPLES=y
> +BR2_PACKAGE_OPTEE_BENCHMARK=y
> +# U-boot for booting the dear Linux kernel

:-)

> +BR2_TARGET_UBOOT=y

You have to specify the U-Boot version. I'm not sure what you tested with, but I used 2019.01 and it worked.

> +BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG=y
> +BR2_TARGET_UBOOT_BOARD_DEFCONFIG="qemu_arm"
> +BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/u-boot.config"
> +# Build Qemu emulator for the Arm target

I changed this to what we use everywhere else: host-qemu for gitlab testing

Regards,
Arnout

> +BR2_PACKAGE_HOST_QEMU=y
> +BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
>
On Sun, 27 Oct 2019 at 15:55, Arnout Vandecappelle <arnout@mind.be> wrote:
>
> Hi Etienne,
>
> On 22/03/2019 10:58, Etienne Carriere wrote:
> > This change introduces a Qemu board for an Armv7-A target executing
> > with OP-TEE secure world services. The target Linux based normal world
> > embeds the standard minimal filesystem with OP-TEE non-secure components
> > embedded files from OP-TEE test, examples and benchmark packages.
> >
> > qemu_arm_vexpress_tz_defconfig differs from qemu_arm_vexpress_defconfig.
> > Supporting both secure and non-secure worlds on the Arm target mandates
> > a secure world, here OP-TEE OS, and a bootloader to boot both worlds,
> > here TF-A (boot/arm-trusted-firmware). Here non-secure Linux kernel is
> > booted through U-boot
> >
> > TF-A bootloader (BL1/BL2) => OP-TEE (BL32) => U-boot (BL33).
> > | Executes as secure | Secure | Execs as Non-secure
> > | Loads BL32/BL33 in RAM | Jumps to BL33 | Always booted after
> > | Jumps to BL32 once done | as Non-secure | secure world inits
> >
> > Vexpress and vexpress-tz defconfigs also differs in that Qemu emulates
> > a Cortex-A9 in the former and a Cortex-A15 in the later. Cortex-A15
> > is the Armv7-A CPU used in upstream TF-A and OP-TEE OS packages hence
> > selected here.
> >
> > Defconfig adds a fragment to the Linux kernel native configuration to
> > enable OP-TEE driver support.
> >
> > Defconfig adds a fragment to the U-Boot native configuration set boot
> > command, enable semihosting and remove U-Boot persistent environment
> > storage support.
> >
> > The defconfig also enables build of the Qemu emulator in case the
> > system installed Qemu does not yet support CPU TrustZone secure state.
> >
> > Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
>
> Applied to master, thanks, but with some changes...
>
> [snip]
>
> > +Board qemu_arm_vexpress_tz builds a Qemu Armv7-A target system with
> > +OP-TEE running in the TrustZone secure world and a Linux based
> > +OS running in the non-secure world. The board configuration enable
> > +builds of the Qemu host Arm target emulator.
> > +
> > + make qemu_arm_vexpress_tz_defconfig
> > + make
> > +
> > +BIOS used in the Qemu host is the Arm Trusted Firmware-A (TF-A). TF-A
> > +uses Qemu semihosting file access to access boot image files. The
> > +Qemu platform is quite specific for that in TF-A and one needs to
> > +run the emulation from the image directory for TF-A to boot the
> > +secure and non-secure worlds.
>
> This semihosting approach is not so nice, because it only works on qemu. It
> would be nicer to have a single image that contains everything (except bl1 I
> guess) and use that as virtual flash, so it matches what would happen on a real
> board. But this is not a bad start, and it might make debugging the optee part
> easier.
>
> > +
> > + cd output/images && ../host/bin/qemu-system-arm \
> > + -machine virt -machine secure=on -cpu cortex-a15 \
> > + -smp 1 -s -m 1024 -d unimp \
> > + -serial stdio \
> > + -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
> > + -semihosting-config enable,target=native \
> > + -bios bl1.bin
>
> I'm a bit worried that the script in the toolchains-builder will not be able to
> parse this. But because of the cd, it will anyway not work, so OK. It anyway
> looks a lot nicer like this than how it's done in the other readmes.

Thanks,

> [snip]
> > @@ -0,0 +1,47 @@
> > +# Architecture
> > +BR2_arm=y
> > +BR2_cortex_a15=y
> > +BR2_ARM_ENABLE_NEON=y
> > +BR2_ARM_ENABLE_VFP=y
> > +BR2_ARM_FPU_VFPV3D16=y
> > +# System
>
> Please add an empty line before the different sections.
>
> > +BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> > +# Filesystems (support several boot config)
> > +BR2_TARGET_ROOTFS_CPIO=y
> > +BR2_TARGET_ROOTFS_CPIO_GZIP=y
> > +BR2_TARGET_ROOTFS_EXT2=y
>
> There's no reason at all to add ext2 and tar, so I removed both of them. If you
> want to support several boot configs, it should be mentioned in the readme file
> how to do that.
>
> > +# Generic
> > +BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
> > +# Linux 4.19 series
> > +BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
> > +BR2_LINUX_KERNEL=y
> > +BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> > +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
> > +BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
> > +BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
> > +BR2_LINUX_KERNEL_DTS_SUPPORT=y
> > +BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca15_a7"
> > +# TF-A for booting OP-TEE secure and uboot/linux non secure
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT=y
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_URL="https://github.com/ARM-software/arm-trusted-firmware.git"
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION="v2.0"
>
> There is a version selection available now, so I used that instead of the git
> download.
>
> BTW, our current ATF version is still v1.4, maybe it should be bumped?
>
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu"
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_AS_BL33=y
> > +BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram"
> > +# OP-TEE components
> > +BR2_TARGET_OPTEE_OS=y
> > +BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
> > +BR2_PACKAGE_OPTEE_CLIENT=y
> > +BR2_PACKAGE_OPTEE_TEST=y
> > +BR2_PACKAGE_OPTEE_EXAMPLES=y
> > +BR2_PACKAGE_OPTEE_BENCHMARK=y
> > +# U-boot for booting the dear Linux kernel
>
> :-)
>
> > +BR2_TARGET_UBOOT=y
>
> You have to specify the U-Boot version. I'm not sure what you tested with, but
> I used 2019.01 and it worked.

Would be nice to use BR2_TARGET_UBOOT_LATEST_VERSION.
BR2_TARGET_UBOOT_LATEST_VERSION=y

As for the linux kernel, I wonder if the generic config would be better?

>
> > +BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG=y
> > +BR2_TARGET_UBOOT_BOARD_DEFCONFIG="qemu_arm"
> > +BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/u-boot.config"
> > +# Build Qemu emulator for the Arm target
>
> I changed this in what we use everywhere else: host-qemu for gitlab testing

Thanks.

Regards,
Etienne

>
> Regards,
> Arnout
>
> > +BR2_PACKAGE_HOST_QEMU=y
> > +BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
> >
On Tue, 29 Oct 2019 at 09:08, Etienne Carriere <etienne.carriere@linaro.org> wrote:
>
> On Sun, 27 Oct 2019 at 15:55, Arnout Vandecappelle <arnout@mind.be> wrote:
> > [snip]
> >
> > > +BR2_TARGET_UBOOT=y
> >
> > You have to specify the U-Boot version. I'm not sure what you tested with, but
> > I used 2019.01 and it worked.
>
> Would be nice to use BR2_TARGET_UBOOT_LATEST_VERSION.
> BR2_TARGET_UBOOT_LATEST_VERSION=y
>
> As for the linux kernel, i wonder if the generic config would be better?

Sorry: mail popped from my fingers while I was typing.

I meant, would it be better if the qemu/tz defconfig is based on:
BR2_TARGET_UBOOT_LATEST_VERSION=y
BR2_LINUX_KERNEL_LATEST_VERSION=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y

Regards,
Etienne
On 29/10/2019 09:11, Etienne Carriere wrote:
> On Tue, 29 Oct 2019 at 09:08, Etienne Carriere
> <etienne.carriere@linaro.org> wrote:
>>
>> On Sun, 27 Oct 2019 at 15:55, Arnout Vandecappelle <arnout@mind.be> wrote:
>>> [snip]
>>>
>>>> +BR2_TARGET_UBOOT=y
>>>
>>> You have to specify the U-Boot version. I'm not sure what you tested with, but
>>> I used 2019.01 and it worked.
>>
>> Would be nice to use BR2_TARGET_UBOOT_LATEST_VERSION.
>> BR2_TARGET_UBOOT_LATEST_VERSION=y
>>
>> As for the linux kernel, i wonder if the generic config would be better?
>
> Sorry: mail popped from my fingers while I was typing.
>
> I meant, would it be better if the qemu/tz defconfig is based on:
> BR2_TARGET_UBOOT_LATEST_VERSION=y
> BR2_LINUX_KERNEL_LATEST_VERSION=y
> BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y

Your original submission had this, and that didn't build because some of the config options were invalid. That shows that you *have* to have the version.

Regards,
Arnout
Hello Etienne,

On Fri, 22 Mar 2019 10:58:16 +0100
Etienne Carriere <etienne.carriere@linaro.org> wrote:

> board/qemu/arm-vexpress-tz/linux.fragment | 3 +
> board/qemu/arm-vexpress-tz/post-build.sh | 10 ++
> board/qemu/arm-vexpress-tz/readme.txt | 135 ++++++++++++++++++++++
> board/qemu/arm-vexpress-tz/u-boot.config | 7 ++
> configs/qemu_arm_vexpress_tz_defconfig | 47 ++++++++
> 5 files changed, 202 insertions(+)

This defconfig causes a build failure, reported at
https://gitlab.com/buildroot.org/buildroot/-/jobs/389451835, like this:

486 Traceback (most recent call last):
487 File "scripts/pem_to_pub_c.py", line 61, in <module>
488 main()
489 File "scripts/pem_to_pub_c.py", line 24, in main
490 from Crypto.PublicKey import RSA
491 ImportError: No module named 'Crypto'

Could you have a look?

Best regards,

Thomas
Hello Thomas and all,

My best wishes for this new year to you and your beloved.

On Sat, 28 Dec 2019 at 12:35, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> Hello Etienne,
>
> On Fri, 22 Mar 2019 10:58:16 +0100
> Etienne Carriere <etienne.carriere@linaro.org> wrote:
>
> > board/qemu/arm-vexpress-tz/linux.fragment | 3 +
> > board/qemu/arm-vexpress-tz/post-build.sh | 10 ++
> > board/qemu/arm-vexpress-tz/readme.txt | 135 ++++++++++++++++++++++
> > board/qemu/arm-vexpress-tz/u-boot.config | 7 ++
> > configs/qemu_arm_vexpress_tz_defconfig | 47 ++++++++
> > 5 files changed, 202 insertions(+)
>
> This defconfig causes a build failure, reported at
> https://gitlab.com/buildroot.org/buildroot/-/jobs/389451835, like this:
>
> 486 Traceback (most recent call last):
> 487 File "scripts/pem_to_pub_c.py", line 61, in <module>
> 488 main()
> 489 File "scripts/pem_to_pub_c.py", line 24, in main
> 490 from Crypto.PublicKey import RSA
> 491 ImportError: No module named 'Crypto'
>
> Could you have a look ?
>

This issue was reported by Romain [1] when I posted an upgrade from optee-3.5.0 to 3.7.0 in BR.
Actually, I'm still not sure I really understand the issue since optee-os.mk already specifies pycrypto as a dependency.

OPTEE_OS_DEPENDENCIES = host-openssl host-python-pycrypto host-python-pyelftools

Maybe it is an issue related to python versioning (2 vs 3)?
I'll try to have a look in the coming... days, but I'm quite busy on some other topics.
Will do my best :|

Regards,
Etienne

[1] http://buildroot-busybox.2317881.n4.nabble.com/PATCH-1-5-boot-optee-os-bump-version-to-3-7-0-tp237817p239519.html

> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
Hi Etienne,

On 07/01/2020 at 08:56, Etienne Carriere wrote:
> Hello Thomas and all,
>
> My best wishes for this new year to you and your beloved.
>
>
> On Sat, 28 Dec 2019 at 12:35, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>
> Hello Etienne,
>
> On Fri, 22 Mar 2019 10:58:16 +0100
> Etienne Carriere <etienne.carriere@linaro.org> wrote:
>
> > board/qemu/arm-vexpress-tz/linux.fragment | 3 +
> > board/qemu/arm-vexpress-tz/post-build.sh | 10 ++
> > board/qemu/arm-vexpress-tz/readme.txt | 135 ++++++++++++++++++++++
> > board/qemu/arm-vexpress-tz/u-boot.config | 7 ++
> > configs/qemu_arm_vexpress_tz_defconfig | 47 ++++++++
> > 5 files changed, 202 insertions(+)
>
> This defconfig causes a build failure, reported at
> https://gitlab.com/buildroot.org/buildroot/-/jobs/389451835, like this:
>
> 486 Traceback (most recent call last):
> 487 File "scripts/pem_to_pub_c.py", line 61, in <module>
> 488 main()
> 489 File "scripts/pem_to_pub_c.py", line 24, in main
> 490 from Crypto.PublicKey import RSA
> 491 ImportError: No module named 'Crypto'
>
> Could you have a look ?
>
>
> This issue was reported by Romain [1] when I posted an upgrade from optee-3.5.0
> to 3.7.0 in BR.
> Actually, I'm still not sure I really understand the issue since optee-os.mk
> already specifies pycrypto as a dependency.
>
> OPTEE_OS_DEPENDENCIES = host-openssl host-python-pycrypto host-python-pyelftools
>
> Maybe it is an issue related to python versioning (2 vs 3)?
> I'll try to have a look in the coming... days, but I quite busy on some other
> topics.
> Will do my best :|

Indeed, this is an issue related to host-python dependencies.

Since optee-3.7.0 all scripts are python3 only [1] but the optee package still depends on host-python (python2).

But even if we modify to use host-python3, we still need host-python3 modules being built for python3 (host-python-pycrypto host-python-pyelftools). Since we can't build host python modules for both python2 and python3, the issue appears again when host-python (python2) is used as host python interpreter.

This is a similar issue to that for mesa3d where host-python3-make package was introduced to be able to build. We can fix this issue by adding host-python3-pycrypto host-python3-pyelftools packages (and reverse dependencies if any).

I guess we don't have the issue only if python3 and pycrypto pyelftools are installed on the host.

[1] https://github.com/OP-TEE/optee_os/commit/bbaeed4dc6258006e846543197b8aff95d80abbf

Best regards,
Romain

>
> Regards,
> Etienne
>
> [1]
> http://buildroot-busybox.2317881.n4.nabble.com/PATCH-1-5-boot-optee-os-bump-version-to-3-7-0-tp237817p239519.html
>
>
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>
Hi Etienne,

On 09/02/2020 at 18:55, Romain Naour wrote:
> Hi Etienne,
>
> On 07/01/2020 at 08:56, Etienne Carriere wrote:
>> Hello Thomas and all,
>>
>> My best wishes for this new year to you and your beloved.
>>
>>
>> On Sat, 28 Dec 2019 at 12:35, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>>
>> Hello Etienne,
>>
>> On Fri, 22 Mar 2019 10:58:16 +0100
>> Etienne Carriere <etienne.carriere@linaro.org> wrote:
>>
>> > board/qemu/arm-vexpress-tz/linux.fragment | 3 +
>> > board/qemu/arm-vexpress-tz/post-build.sh | 10 ++
>> > board/qemu/arm-vexpress-tz/readme.txt | 135 ++++++++++++++++++++++
>> > board/qemu/arm-vexpress-tz/u-boot.config | 7 ++
>> > configs/qemu_arm_vexpress_tz_defconfig | 47 ++++++++
>> > 5 files changed, 202 insertions(+)
>>
>> This defconfig causes a build failure, reported at
>> https://gitlab.com/buildroot.org/buildroot/-/jobs/389451835, like this:
>>
>> 486 Traceback (most recent call last):
>> 487 File "scripts/pem_to_pub_c.py", line 61, in <module>
>> 488 main()
>> 489 File "scripts/pem_to_pub_c.py", line 24, in main
>> 490 from Crypto.PublicKey import RSA
>> 491 ImportError: No module named 'Crypto'
>>
>> Could you have a look ?
>>
>>
>> This issue was reported by Romain [1] when I posted an upgrade from optee-3.5.0
>> to 3.7.0 in BR.
>> Actually, I'm still not sure I really understand the issue since optee-os.mk
>> already specifies pycrypto as a dependency.
>>
>> OPTEE_OS_DEPENDENCIES = host-openssl host-python-pycrypto host-python-pyelftools
>>
>> Maybe it is an issue related to python versioning (2 vs 3)?
>> I'll try to have a look in the coming... days, but I quite busy on some other
>> topics.
>> Will do my best :|
>
> Indeed, this is an issue related to host-python dependencies.
>
> Since optee-3.7.0 all scripts are python3 only [1] but the optee package still
> depends on host-python (python2).
>
> But even if we modify to use host-python3, we still need host-python3 modules
> being build for python3 (host-python-pycrypto host-python-pyelftools). Since we
> can't build host python modules for both python2 and python3, the issue appear
> again when host-python (python2) is used as host python interpreter.
>
> This is a similar issue that for mesa3d where host-python3-make package was
> introduced to be able to build. We can fixes this issue by adding
> host-python3-pycrypto host-python3-pyelftools package (and reverse dependencies
> if any).
>
> I guess we don't have the issue only if python3 and pycrypto pyelftools are
> installed on the host.
>
> [1]
> https://github.com/OP-TEE/optee_os/commit/bbaeed4dc6258006e846543197b8aff95d80abbf

I tried to build this defconfig with host-python3 as default python interpreter (by selecting python3 on the target) but there are several other issues:

First, python-pycrypto doesn't work with python-3.8 due to time.clock() that was removed from python 3.8.
There is a patch pending:
https://github.com/dlitz/pycrypto/pull/296/commits/6d41ad025331afce9e495d7be3205730ddfa8f07

The build continues up to the optee-test package:

>>> optee-test 3.7.0 Building
Traceback (most recent call last):
  File "../../scripts/file_to_c.py", line 48, in <module>
[...]
TypeError: cannot use a str to initialize an array with typecode 'B'

So, it seems the optee stack is not in good shape due to the python 3.8 bump.

Can you take a look?

Best regards,
Romain

>
> Best regards,
> Romain
>
>>
>> Regards,
>> Etienne
>>
>> [1]
>> http://buildroot-busybox.2317881.n4.nabble.com/PATCH-1-5-boot-optee-os-bump-version-to-3-7-0-tp237817p239519.html
>>
>>
>>
>> Best regards,
>>
>> Thomas
>> --
>> Thomas Petazzoni, CTO, Bootlin
>> Embedded Linux and Kernel engineering
>> https://bootlin.com
>>
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot@busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>>
>
diff --git a/board/qemu/arm-vexpress-tz/linux.fragment b/board/qemu/arm-vexpress-tz/linux.fragment new file mode 100644 index 0000000000..1537d938f1 --- /dev/null +++ b/board/qemu/arm-vexpress-tz/linux.fragment @@ -0,0 +1,3 @@ +### Enable OP-TEE +CONFIG_TEE=y +CONFIG_OPTEE=y diff --git a/board/qemu/arm-vexpress-tz/post-build.sh b/board/qemu/arm-vexpress-tz/post-build.sh new file mode 100755 index 0000000000..7ead69a99a --- /dev/null +++ b/board/qemu/arm-vexpress-tz/post-build.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +set -u +set -e + +# Rename boot images for the dear TF-A +ln -sf u-boot.bin ${BINARIES_DIR}/bl33.bin +ln -sf tee-header_v2.bin ${BINARIES_DIR}/bl32.bin +ln -sf tee-pager_v2.bin ${BINARIES_DIR}/bl32_extra1.bin +ln -sf tee-pageable_v2.bin ${BINARIES_DIR}/bl32_extra2.bin diff --git a/board/qemu/arm-vexpress-tz/readme.txt b/board/qemu/arm-vexpress-tz/readme.txt new file mode 100644 index 0000000000..95cd6da8c3 --- /dev/null +++ b/board/qemu/arm-vexpress-tz/readme.txt 
@@ -0,0 +1,135 @@ +Board qemu_arm_vexpress_tz builds a Qemu Armv7-A target system with +OP-TEE running in the TrustZone secure world and a Linux based +OS running in the non-secure world. The board configuration enable +builds of the Qemu host Arm target emulator. + + make qemu_arm_vexpress_tz_defconfig + make + +BIOS used in the Qemu host is the Arm Trusted Firmware-A (TF-A). TF-A +uses Qemu semihosting file access to access boot image files. The +Qemu platform is quite specific for that in TF-A and one needs to +run the emulation from the image directory for TF-A to boot the +secure and non-secure worlds. + + cd output/images && ../host/bin/qemu-system-arm \ + -machine virt -machine secure=on -cpu cortex-a15 \ + -smp 1 -s -m 1024 -d unimp \ + -serial stdio \ + -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \ + -semihosting-config enable,target=native \ + -bios bl1.bin + +The boot stage traces (if any) followed by the login prompt will appear +in the terminal that started Qemu. + +If you want to emulate more cores use "-smp {1|2|3|4}" to select the +number of cores. + +Note "-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic" +brings network support that is used i.e. in OP-TEE regression tests. + +Tested with QEMU 2.12.0, and 3.1.0. + +-- Boot Details -- + +TF-A is used as Qemu BIOS. Its BL1 image boots and load its BL2 image. In turn, this +image loads the OP-TEE secure world (Armv7-A BL32 stage) and the U-boot as non-secure +bootloader (BL33 stage). + +The Qemu natively host and loads in RAM the Qemu Arm target device tree. OP-TEE reads +and modifes its content according to OP-TEE configuration. + +Enable TF-A traces from LOG_LEVEL (I.e LOG_LEVEL=40) from +BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES. + +-- OP-TEE Traces -- + +Secure boot stages and/or secure runtime services may use a serial link for +their traces. + +The Arm Trusted Firmware outputs its traces on the Qemu standard (first) +serial interface. 
+ +The OP-TEE OS uses the Qemu second serial interface. + +To get the OP-TEE OS traces one shall append a second -serial argument after +-serial stdio in the Qemu command line. I.e the following enables 2 serial +consoles over telnet connections: + + cd output/images && ../host/bin/qemu-system-arm \ + -machine virt -machine secure=on -cpu cortex-a15 \ + -smp 1 -s -m 1024 -d unimp \ + -serial telnet:127.0.0.1:1235,server \ + -serial telnet:127.0.0.1:1236,server \ + -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \ + -semihosting-config enable,target=native \ + -bios bl1.bin + +Qemu is now waiting for the telnet connection. From another shell, open a +telnet connection on the port for the U-boot and Linux consoles: + telnet 127.0.0.1 1235 + +and again for the secure console + telnet 127.0.0.1 1236 + +-- Using gdb -- + +One can debug the OP-TEE secure world using GDB through the Qemu host. +To do so, one can simply run the qemu-system-arm emulation then +run a GDB client and connect the Qemu internal GDB server. + +The example below assumes we run Qemu and the GDB client from the same +host computer. We use option -S of qemu-system-arm to make Qemu +waiting for the GDB continue instruction before booting the images. + +From a first shell: + cd output/images && ../host/bin/qemu-system-arm \ + -machine virt -machine secure=on -cpu cortex-a15 \ + -smp 1 -s -m 1024 -d unimp \ + -serial stdio \ + -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \ + -semihosting-config enable,target=native \ + -bios bl1.bin \ + -S + +From a second shell: + ./output/host/bin/arm-linux-gnueabihf-gd + GNU gdb (GNU Toolchain for the A-profile Architecture 8.2-2018-08 (arm-rel-8.23)) 8.1.1.20180704-git + Copyright (C) 2018 Free Software Foundation, Inc. + ... + For help, type "help". + Type "apropos word" to search for commands related to "word". 
+ (gdb) + +From this GDB console, connect target, load OP-TEE core symbols, set a +breakpoint to its entry (__text_start) and start emulation: + + (gdb) target remote 127.0.0.1:1234 + (gdb) symbol-file ../build/optee_os-<reference>/out/arm/core/tee.elf + (gdb) hbreak __text_start + Hardware assisted breakpoint 1 at 0xe100000: file core/arch/arm/kernel/generic_entry_a32.S, line 246. + (gdb) cont + Continuing. + + Thread 1 hit Breakpoint 1, _start () at core/arch/arm/kernel/generic_entry_a32.S:246 + 246 bootargs_entry + (gdb) + + +Emulation has started, TF-A has loaded OP-TEE and U-boot images in memory and +has booted OP-TEE. Emulation stopped at OP-TEE core entry. + + +Note: Qemu hosts a GDB service listening to TCP port 1234, as set through +qemu-system-arm commandline option -s. + + +Note: GDB server used above (from image/host/bin) was built from Buildroot +using the following extra configuration directives: + + BR2_ENABLE_DEBUG=y + BR2_PACKAGE_GDB=y + BR2_PACKAGE_HOST_GDB=y + BR2_TOOLCHAIN_BUILDROOT_CXX=y + BR2_TOOLCHAIN_BUILDROOT_GLIBC=y diff --git a/board/qemu/arm-vexpress-tz/u-boot.config b/board/qemu/arm-vexpress-tz/u-boot.config new file mode 100644 index 0000000000..fd74bf1fe7 --- /dev/null +++ b/board/qemu/arm-vexpress-tz/u-boot.config @@ -0,0 +1,7 @@ +CONFIG_SYS_TEXT_BASE=0x60000000 +CONFIG_BOOTCOMMAND="fdt addr ${fdt_addr} && fdt resize 1000 && smhload zImage ${kernel_addr_r} && smhload rootfs.cpio.gz ${ramdisk_addr_r} ramdisk_addr_end && setenv bootargs console=ttyAMA0,115200 earlyprintk=serial,ttyAMA0,115200 && fdt chosen ${ramdisk_addr_r} ${ramdisk_addr_end} && bootz ${kernel_addr_r} - ${fdt_addr}" +CONFIG_SEMIHOSTING=y +# Drop flash accesses +CONFIG_ENV_IS_IN_FLASH=n +CONFIG_MTD=n +CONFIG_MTD_NOR_FLASH=n diff --git a/configs/qemu_arm_vexpress_tz_defconfig b/configs/qemu_arm_vexpress_tz_defconfig new file mode 100644 index 0000000000..3ea48768b0 --- /dev/null +++ b/configs/qemu_arm_vexpress_tz_defconfig 
@@ -0,0 +1,47 @@ +# Architecture +BR2_arm=y +BR2_cortex_a15=y +BR2_ARM_ENABLE_NEON=y +BR2_ARM_ENABLE_VFP=y +BR2_ARM_FPU_VFPV3D16=y +# System +BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" +# Filesystems (support several boot config) +BR2_TARGET_ROOTFS_CPIO=y +BR2_TARGET_ROOTFS_CPIO_GZIP=y +BR2_TARGET_ROOTFS_EXT2=y +# Generic +BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh" +# Linux 4.19 series +BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y +BR2_LINUX_KERNEL=y +BR2_LINUX_KERNEL_CUSTOM_VERSION=y +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16" +BR2_LINUX_KERNEL_DEFCONFIG="vexpress" +BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment" +BR2_LINUX_KERNEL_DTS_SUPPORT=y +BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca15_a7" +# TF-A for booting OP-TEE secure and uboot/linux non secure +BR2_TARGET_ARM_TRUSTED_FIRMWARE=y +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT=y +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_URL="https://github.com/ARM-software/arm-trusted-firmware.git" +BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION="v2.0" +BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu" +BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y +BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_AS_BL33=y +BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram" +# OP-TEE components +BR2_TARGET_OPTEE_OS=y +BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt" +BR2_PACKAGE_OPTEE_CLIENT=y +BR2_PACKAGE_OPTEE_TEST=y +BR2_PACKAGE_OPTEE_EXAMPLES=y +BR2_PACKAGE_OPTEE_BENCHMARK=y +# U-boot for booting the dear Linux kernel +BR2_TARGET_UBOOT=y +BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG=y +BR2_TARGET_UBOOT_BOARD_DEFCONFIG="qemu_arm" +BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/u-boot.config" +# Build Qemu emulator for the Arm target +BR2_PACKAGE_HOST_QEMU=y +BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
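Review bot: in post-build.sh the `ln -sf` destinations `${BINARIES_DIR}/bl33.bin` and friends are unquoted; `set -u` catches an unset BINARIES_DIR but not a path containing whitespace, so quote them (`ln -sf u-boot.bin "${BINARIES_DIR}/bl33.bin"`). `ln -sf` also succeeds when the link source does not exist, so an OP-TEE build that did not produce, say, tee-pageable_v2.bin leaves a dangling bl32_extra2.bin link that only fails later when TF-A's BL2 tries to open it over semihosting; a `test -f "${BINARIES_DIR}/tee-pageable_v2.bin"` before each link (or a loop over the four source/link pairs with that check) fails the build early with a clear message. Minor: the comment says "Rename boot images" while the script creates symlinks, so "Link boot images" describes it better.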
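Review bot: documentation errors in readme.txt: the GDB client path `./output/host/bin/arm-linux-gnueabihf-gd` in the "Using gdb" section is truncated and should end in `-gdb`; the closing note says the GDB server came "from image/host/bin" whereas the rest of the file uses `output/host/bin`; "modifes" should be "modifies" and "The Qemu natively host and loads" should read "Qemu natively hosts and loads". In the GDB transcript the breakpoint is set with `hbreak __text_start` but the hit is reported as `_start ()` at the same file and line; one sentence saying both symbols name the same entry address would save readers from thinking the wrong breakpoint fired. Also, "Tested with QEMU 2.12.0, and 3.1.0" sits next to a defconfig that always builds host-qemu; stating that the command lines use the Buildroot-built `../host/bin/qemu-system-arm` (as they already do) rather than a system Qemu would make the version note unambiguous.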
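Review bot: in the u-boot.config fragment, CONFIG_BOOTCOMMAND loads zImage and rootfs.cpio.gz from the host directory over semihosting (`smhload`) and boots them with `bootz` without any image verification; that is fine for a qemu-only development board, but the readme should state it, since it also disables persistent environment storage (`CONFIG_ENV_IS_IN_FLASH=n` under "Drop flash accesses"), which means any boot command edited from the U-Boot shell is lost at the next reboot. The bootcommand is also a single very long line; U-Boot accepts it as is, but a short comment above it listing the steps (fdt relocation and resize, kernel load, ramdisk load, bootargs, `fdt chosen`, `bootz`) would make the fragment reviewable.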
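Review bot: in the defconfig, BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT fetches TF-A from GitHub at the tag `v2.0`; a tag is a movable reference and a custom git revision has no entry in the package's .hash file to check against, so the build is neither reproducible nor verifiable the way a versioned download is. Use the version selection the package already has (the maintainer did exactly that when applying) or, if a custom git source is really needed, set BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION to a full commit id. Same file: BR2_TARGET_UBOOT=y has no version set (the review notes 2019.01 works), and the "# Filesystems (support several boot config)" block enables BR2_TARGET_ROOTFS_EXT2 although the readme and the U-Boot bootcommand only ever load rootfs.cpio.gz; either document the second boot path or drop the ext2 image.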
This change introduces a Qemu board for an Armv7-A target executing
with OP-TEE secure world services. The target Linux based normal world
embeds the standard minimal filesystem with OP-TEE non-secure components
embedded files from OP-TEE test, examples and benchmark packages.

qemu_arm_vexpress_tz_defconfig differs from qemu_arm_vexpress_defconfig.
Supporting both secure and non-secure worlds on the Arm target mandates
a secure world, here OP-TEE OS, and a bootloader to boot both worlds,
here TF-A (boot/arm-trusted-firmware). Here the non-secure Linux kernel is
booted through U-boot.

TF-A bootloader (BL1/BL2) => OP-TEE (BL32) => U-boot (BL33).
| Executes as secure | Secure | Execs as Non-secure
| Loads BL32/BL33 in RAM | Jumps to BL33 | Always booted after
| Jumps to BL32 once done | as Non-secure | secure world inits

Vexpress and vexpress-tz defconfigs also differ in that Qemu emulates
a Cortex-A9 in the former and a Cortex-A15 in the latter. Cortex-A15
is the Armv7-A CPU used in upstream TF-A and OP-TEE OS packages, hence
selected here.

Defconfig adds a fragment to the Linux kernel native configuration to
enable OP-TEE driver support.

Defconfig adds a fragment to the U-Boot native configuration to set the boot
command, enable semihosting and remove U-Boot persistent environment
storage support.

The defconfig also enables build of the Qemu emulator in case the
system installed Qemu does not yet support CPU TrustZone secure state.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
---
Changes v2 -> v3:
- Rename board/config: qemu_armv7a_tz_virt => qemu_arm_vexpress_tz
- Remove some useless configuration from the defconfig: Linux 9P;
  Qemu virtfs; TF-A log level; OP-TEE log level.
- Add post_build.sh script to rename files in output/images/.
- Detail diffs between vexpress and vexpress-tz defconfigs in commit.
- Fix typo in defconfig about Linux version number.
- Remove info about virtfs from board readme.txt file.
- Update TF-A config from recent changes: image filenames; OP-TEE.

Changes v1 -> v2:
- Bump kernel to 4.19.
- Use kernel defconfig and add optee and 9p as config fragments.
- Remove ARM_ARCH_MAJOR from platform configuration directive
  BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES.
---
 board/qemu/arm-vexpress-tz/linux.fragment | 3 +
 board/qemu/arm-vexpress-tz/post-build.sh | 10 ++
 board/qemu/arm-vexpress-tz/readme.txt | 135 ++++++++++++++++++++++
 board/qemu/arm-vexpress-tz/u-boot.config | 7 ++
 configs/qemu_arm_vexpress_tz_defconfig | 47 ++++++++
 5 files changed, 202 insertions(+)
 create mode 100644 board/qemu/arm-vexpress-tz/linux.fragment
 create mode 100755 board/qemu/arm-vexpress-tz/post-build.sh
 create mode 100644 board/qemu/arm-vexpress-tz/readme.txt
 create mode 100644 board/qemu/arm-vexpress-tz/u-boot.config
 create mode 100644 configs/qemu_arm_vexpress_tz_defconfig