Added packaging and necessary changes for gbs compilation. 31/134031/3
authorr.tyminski <r.tyminski@partner.samsung.com>
Wed, 14 Jun 2017 08:31:43 +0000 (10:31 +0200)
committerr.tyminski <r.tyminski@partner.samsung.com>
Mon, 4 Sep 2017 11:22:50 +0000 (13:22 +0200)
Packaging for optee-os binary and optee-os TA devkit.
Modify pem_to_pub_c.py and sign.py script to use openssl
if pycrypto is not available.
Allow the Terminal User Interface (TUI) to be excluded from compilation.
Compile 32-bit TA devkit with CFG_WITH_VFP=n. GBS compile with softfp.

Change-Id: If3ad89d8871c1a8f7f1a519b07941316acdbdd14

lib/libutee/sub.mk
mk/config.mk
packaging/optee-os-rpi3.spec [new file with mode: 0644]
packaging/optee-os-ta-devel-rpi3.spec [new file with mode: 0644]
scripts/pem_to_pub_c.py
scripts/sign.py

index 8c0d100..4e46e1a 100644 (file)
@@ -15,7 +15,7 @@ srcs-y += tee_api_panic.c
 srcs-y += tee_tcpudp_socket.c
 srcs-y += tee_socket_pta.c
 
-subdirs-y += tui
+subdirs-$(CFG_LIBUTEE_TUI) += tui
 subdirs-y += arch/$(ARCH)
 
 cflags-lib-$(CFG_ULIBS_GPROF) += -pg
index 6fe90f1..2932f49 100644 (file)
@@ -231,3 +231,6 @@ CFG_GP_SOCKETS ?= y
 # Enable Secure Data Path support in OP-TEE core (TA may be invoked with
 # invocation parameters referring to specific secure memories).
 CFG_SECURE_DATA_PATH ?= n
+
+# Enable Terminal User Interface (TUI)
+CFG_LIBUTEE_TUI ?= y
diff --git a/packaging/optee-os-rpi3.spec b/packaging/optee-os-rpi3.spec
new file mode 100644 (file)
index 0000000..4d5b2fc
--- /dev/null
@@ -0,0 +1,41 @@
+%define buildplat rpi3
+%define compile_flags CROSS_COMPILE="" CROSS_COMPILE64="" PLATFORM=%{buildplat} CFLAGS=-lgcc_eh CFG_LIBUTEE_TUI=n CFG_TEE_CORE_LOG_LEVEL=3 DEBUG=0
+%if %{__isa_bits} == 64
+%define compile_arch %{compile_flags} CFG_ARM64_core=y
+%else
+%define compile_arch %{compile_flags}
+%endif
+
+Name:       optee-os
+Summary:    OPTEE trusted operation system.
+Version:    2.4.0
+Release:    1%{?dist}
+Group:      Security/Testing
+License:    BSD-2-Clause
+URL:        https://github.com/OP-TEE/optee_os
+Source0:    %{name}-%{version}.tar.gz
+
+Provides:   tee-pager.bin
+
+BuildRequires: make
+BuildRequires: python
+BuildRequires: openssl
+
+%description
+Trusted execution enviroment in Linux using the ARM® TrustZone® technology.
+
+%prep
+%setup -q
+
+%build
+make %{compile_arch} out/arm-plat-%{buildplat}/core/tee-pager.bin
+
+%install
+mkdir -p %{buildroot}/boot/
+
+cp -p %{_builddir}/%{name}-%{version}/out/arm-plat-%{buildplat}/core/tee-pager.bin %{buildroot}/boot/
+
+%clean
+
+%files
+/boot/tee-pager.bin
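Review bot: `compile_flags` pins `CFG_TEE_CORE_LOG_LEVEL=3` together with `DEBUG=0`, so the packaged `tee-pager.bin` is a non-debug build that still carries debug-level core traces (level 3 is the debug trace level in OP-TEE). Secure-world debug output on the console is usually not wanted in an image installed under `/boot`. If this is meant for bring-up, say so in a comment; otherwise lower the default and let the builder override it, e.g. `%{!?tee_log_level:%define tee_log_level 1}` with `CFG_TEE_CORE_LOG_LEVEL=%{tee_log_level}`. The same flags line is repeated in optee-os-ta-devel-rpi3.spec. Separately, `CFLAGS=-lgcc_eh` passes a link library through the compile flags and deserves a one-line comment explaining why it is needed.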
diff --git a/packaging/optee-os-ta-devel-rpi3.spec b/packaging/optee-os-ta-devel-rpi3.spec
new file mode 100644 (file)
index 0000000..650dc9a
--- /dev/null
@@ -0,0 +1,76 @@
+%define buildplat rpi3
+%define compile_flags CROSS_COMPILE="" CROSS_COMPILE64="" PLATFORM=%{buildplat} CFLAGS=-lgcc_eh CFG_LIBUTEE_TUI=n CFG_TEE_CORE_LOG_LEVEL=3 DEBUG=0
+%if %{__isa_bits} == 64
+%define compile_arch %{compile_flags} CFG_ARM64_core=y
+%else
+%define compile_arch %{compile_flags} CFG_WITH_VFP=n
+%endif
+%define out_dir out/arm-plat-%{buildplat}
+%define out_lib_dir %{out_dir}/ta_arm%{__isa_bits}-lib
+%define export_dir export-ta_arm%{__isa_bits}
+%define out_export_dir opt/optee/%{export_dir}
+
+Name:       optee-os-ta
+Summary:    Userspace libraries and devkit for OpTEE OS.
+Version:    2.4.0
+Release:    1%{?dist}
+Group:      Security/Testing
+License:    BSD-2-Clause
+URL:        https://github.com/OP-TEE/optee_os
+Source0:    %{name}-%{version}.tar.gz
+
+Provides:   %{name}
+
+BuildRequires: make
+BuildRequires: python
+BuildRequires: openssl
+
+%description
+Trusted execution enviroment in Linux using the ARM® TrustZone® technology.
+
+%prep
+%setup -q
+
+%build
+mkdir -p %{out_dir}/%{export_dir}/mk
+make %{compile_arch} %{out_lib_dir}/libutee/libutee.a %{out_lib_dir}/libmpa/libmpa.a %{out_lib_dir}/libpng/libpng.a %{out_lib_dir}/libzlib/libzlib.a %{out_lib_dir}/libutils/libutils.a %{out_dir}/%{export_dir}/mk/conf.mk 
+
+%install
+mkdir -p %{buildroot}/%{out_export_dir}/mk
+mkdir -p %{buildroot}/%{out_export_dir}/lib
+mkdir -p %{buildroot}/%{out_export_dir}/src
+mkdir -p %{buildroot}/%{out_export_dir}/scripts
+mkdir -p %{buildroot}/%{out_export_dir}/keys
+mkdir -p %{buildroot}/%{out_export_dir}/host_include
+mkdir -p %{buildroot}/%{out_export_dir}/include
+
+find %{_builddir}/%{name}-%{version}/%{out_lib_dir}/ -name lib*.a | xargs cp -t %{buildroot}/%{out_export_dir}/lib
+
+cp %{_builddir}/%{name}-%{version}/%{out_dir}/%{export_dir}/mk/conf.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/compile.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/subdir.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/gcc.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/cleandirs.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/link.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/ta/mk/ta_dev_kit.mk %{buildroot}/%{out_export_dir}/mk/
+
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/*.S %{buildroot}/%{out_export_dir}/src/
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/user_ta_header.c %{buildroot}/%{out_export_dir}/src/
+
+cp %{_builddir}/%{name}-%{version}/scripts/sign.py %{buildroot}/%{out_export_dir}/scripts/
+
+cp %{_builddir}/%{name}-%{version}/keys/default_ta.pem %{buildroot}/%{out_export_dir}/keys/
+
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutee/include/*  %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libmpa/include/*  %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libpng/include/*  %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libzlib/include/*  %{buildroot}/%{out_export_dir}/host_include/
+
+cp -rf %{buildroot}/%{out_export_dir}/host_include/*  %{buildroot}/%{out_export_dir}/include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutils/ext/include/*  %{buildroot}/%{out_export_dir}/include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutils/isoc/include/*  %{buildroot}/%{out_export_dir}/include/
+
+%clean
+
+%files
+/%{out_export_dir}
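Review bot: `%install` copies `keys/default_ta.pem` into the devkit next to `scripts/sign.py`, which takes a key through `--key`, so this appears to be the TA signing private key from the public source tree. If the core package built from the same tree embeds the matching public key, anyone with the upstream repository can produce TAs that the installed TEE accepts. The spec should at least carry a comment such as `# default_ta.pem is the public upstream test key: development only, replace for production images`, and ideally take the key path from a macro so release builds can supply their own. Also quote the pattern in the `find` line (`-name 'lib*.a'`) so the shell cannot expand it before find sees it.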
index 47c004d..92f4b81 100755 (executable)
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
+from collections import namedtuple
+PublicKey = namedtuple("PublicKey", "e n")
+
+def importKey_crypto(pem_key_file):
+       try:
+               module = __import__("Crypto.PublicKey.RSA")
+               f = open(pem_key_file, 'r')
+               key = module.PublicKey.RSA.importKey(f.read())
+               f.close()
+               return PublicKey(e=key.publickey().e, n=module.Util.number.long_to_bytes(key.publickey().n))
+       except ImportError:
+               return None
+
+def importKey_openssl(pem_key_file):
+       import subprocess
+       cmd = "cat " + pem_key_file + " | openssl rsa -inform PEM -noout -text | grep publicE | sed 's/publicExponent: //' | cut -d ' ' -f1 | tr -d '\n'"
+       e = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+       if not e:
+               print "Exporting exponent value from key {0} has failed.".format(pem_key_file)
+                return None
+       cmd = "cat " + pem_key_file + " | openssl rsa -inform PEM -noout -modulus | sed 's/Modulus=//' | tr -d '\n'"
+       n = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+       if not n:
+               print "Exporting modulus value from key {0} has failed.".format(pem_key_file)
+               return None
+       return PublicKey(e=e, n=n.decode("hex"))
+
 def get_args():
        import argparse
 
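Review bot: `importKey_openssl` builds both pipelines by concatenating `pem_key_file` into a string run with `shell=True`, so a key path containing spaces or shell metacharacters is interpreted by the shell rather than passed as a file name. Failure detection is also unreliable: the pipeline's exit status is that of the final `tr`, and `stderr=subprocess.STDOUT` puts any openssl error text on the captured stream, so `if not e` / `if not n` fire only when nothing at all was printed, and `n.decode("hex")` would raise on non-hex text. Passing an argument list and parsing the output in Python avoids both, as sketched below; the exponent pattern assumes the `publicExponent: <decimal> (0x...)` layout that the existing `sed`/`cut` already relies on. The hunk ends inside `get_args`, whose body continues outside it.

```python
def importKey_openssl(pem_key_file):
    import re
    import subprocess
    base = ["openssl", "rsa", "-inform", "PEM", "-in", pem_key_file, "-noout"]
    try:
        # No shell and no stderr merge: a non-zero exit raises, and
        # diagnostics cannot end up inside the parsed values.
        text = subprocess.check_output(base + ["-text"])
        modulus = subprocess.check_output(base + ["-modulus"])
    except (OSError, subprocess.CalledProcessError):
        print "Reading key {0} with openssl has failed.".format(pem_key_file)
        return None
    m_e = re.search(r"publicExponent: (\d+)", text)
    m_n = re.search(r"Modulus=([0-9A-Fa-f]+)", modulus)
    if m_e is None or m_n is None:
        print "Unexpected openssl output for key {0}.".format(pem_key_file)
        return None
    return PublicKey(e=m_e.group(1), n=m_n.group(1).decode("hex"))
```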
@@ -42,14 +69,14 @@ def get_args():
 
 def main():
        import array
-       from Crypto.PublicKey import RSA
-       from Crypto.Util.number import long_to_bytes
 
        args = get_args();
 
-       f = open(args.key, 'r')
-       key = RSA.importKey(f.read())
-       f.close
+       key = importKey_crypto(args.key)
+       if key is None:
+               key = importKey_openssl(args.key)
+               if key is None:
+                       return
 
        f = open(args.out, 'w')
 
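Review bot: When both importers fail, `main` leaves through a bare `return`, so the script ends with exit status 0 and no output file, and the build presumably fails only later when the generated C file is missing. A non-zero exit makes the failure visible at the step that caused it, e.g. `sys.exit("cannot read public key from " + args.key)` (with `import sys`) in place of the inner `return`. The same pattern is in the sign.py hunk, where `main` returns `-1` but the bare `main()` call under `if __name__ == "__main__":` drops the value; `sys.exit(main())` would propagate it. `main` starts in this hunk and continues past its end.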
@@ -57,11 +84,11 @@ def main():
        f.write("#include <stddef.h>\n\n");
 
        f.write("const uint32_t " + args.prefix + "_exponent = " +
-               str(key.publickey().e) + ";\n\n")
+               str(key.e) + ";\n\n")
 
        f.write("const uint8_t " + args.prefix + "_modulus[] = {\n")
        i = 0;
-       for x in array.array("B", long_to_bytes(key.publickey().n)):
+       for x in array.array("B", key.n):
                f.write("0x" + '{0:02x}'.format(x) + ",")
                i = i + 1;
                if i % 8 == 0:
index f407f3b..cffee18 100755 (executable)
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
-def get_args():
-       from argparse import ArgumentParser
+import struct
+from collections import namedtuple
+PublicKey = namedtuple("PublicKey", "e n")
 
-       parser = ArgumentParser()
-       parser.add_argument('--key', required=True, help='Name of key file')
-       parser.add_argument('--in', required=True, dest='inf', \
-                       help='Name of in file')
-       parser.add_argument('--out', required=True, help='Name of out file')
-       return parser.parse_args()
+magic = 0x4f545348     # SHDR_MAGIC
+img_type = 0           # SHDR_TA
+algo = 0x70004830      # TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
 
-def main():
-       from Crypto.Signature import PKCS1_v1_5
-       from Crypto.Hash import SHA256
-       from Crypto.PublicKey import RSA
-       import struct
+def sign_crypto(args):
+       try:
+               module = __import__("Crypto.PublicKey.RSA")
+               module_sig = __import__("Crypto.Signature.PKCS1_v1_5")
+               f = open(args.key, 'rb')
+               key = module.PublicKey.RSA.importKey(f.read())
+               f.close()
 
-       args = get_args()
+               f = open(args.inf, 'rb')
+               img = f.read()
+               f.close()
 
-       f = open(args.key, 'rb')
-       key = RSA.importKey(f.read())
-       f.close()
+               signer = module_sig.Signature.PKCS1_v1_5.new(key)
+               h = module.Hash.SHA256.new()
+
+               digest_len = h.digest_size
+               sig_len = len(signer.sign(h))
+               img_size = len(img)
+
+               shdr = struct.pack('<IIIIHH', \
+                       magic, img_type, img_size, algo, digest_len, sig_len)
 
+               h.update(shdr)
+               h.update(img)
+               sig = signer.sign(h)
+               f = open(args.out, 'wb')
+               f.write(shdr)
+               f.write(h.digest())
+               f.write(sig)
+               f.write(img)
+               f.close()
+               return True
+       except ImportError:
+               return False
+
+def sign_openssl(args):
+       import subprocess
        f = open(args.inf, 'rb')
        img = f.read()
        f.close()
 
-       signer = PKCS1_v1_5.new(key)
-       h = SHA256.new()
-
-       digest_len = h.digest_size
-       sig_len = len(signer.sign(h))
+       digest_len = 32
+       sig_len = 256
        img_size = len(img)
 
-       magic = 0x4f545348      # SHDR_MAGIC
-       img_type = 0            # SHDR_TA
-       algo = 0x70004830       # TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
-       shdr = struct.pack('<IIIIHH', \
-               magic, img_type, img_size, algo, digest_len, sig_len)
+       shdr = struct.pack('<IIIIHH', magic, img_type, img_size, algo, digest_len, sig_len)
+
+       f = open(args.inf + ".tmp", 'wb')
+       f.write(shdr)
+       f.write(img)
+       f.close()
+
+       cmd = "openssl dgst -binary -sha256 " + args.inf + ".tmp"
+       hash_img = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+       if not hash_img:
+               print "Generating hash from {0} has failed.".format(args.inf + ".tmp")
+                return False
 
-       h.update(shdr)
-       h.update(img)
-       sig = signer.sign(h)
+       cmd = "openssl dgst -binary -sha256 -sign " + args.key + " " + args.inf + ".tmp"
+       sig_img = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+       if not sig_img:
+               print "Generating signature from {0} with key {1} has failed.".format(args.inf + ".hash", args.key)
+                return False
 
        f = open(args.out, 'wb')
        f.write(shdr)
-       f.write(h.digest())
-       f.write(sig)
+       f.write(hash_img)
+       f.write(sig_img)
        f.write(img)
        f.close()
+       return True
+
+def get_args():
+       from argparse import ArgumentParser
+
+       parser = ArgumentParser()
+       parser.add_argument('--key', required=True, help='Name of key file')
+       parser.add_argument('--in', required=True, dest='inf', \
+                       help='Name of in file')
+       parser.add_argument('--out', required=True, help='Name of out file')
+       return parser.parse_args()
+
+def main():
+       args = get_args()
+
+       sig = sign_crypto(args)
+       if sig is False:
+               sig = sign_openssl(args)
+               if sig is False:
+                       return -1
 
 if __name__ == "__main__":
        main()
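Review bot: `sign_openssl` hard-codes `sig_len = 256`, which is right only for a 2048-bit RSA key, whereas `sign_crypto` measures the length from an actual signature; with any other key size the header would describe a signature length that does not match the bytes written after it. The two `openssl dgst` commands are also built by string concatenation and run with `shell=True`, so `args.key` and `args.inf` are parsed by the shell, and `stderr=subprocess.STDOUT` lets any openssl diagnostic land inside `hash_img`/`sig_img` and from there in the signed image. The header-plus-image copy is written to `args.inf + ".tmp"` next to the input and never removed, and the second error message names a `.hash` file that is never created. The sketch below feeds the data on stdin with an argument list, which removes the temporary file and the shell, and derives `sig_len` the way `sign_crypto` does.

```python
def sign_openssl(args):
    import subprocess
    # … unchanged: read args.inf into img …

    def run_openssl(argv, data):
        # Argument list, no shell; stderr is left alone so diagnostics
        # cannot be mixed into the binary output.
        p = subprocess.Popen(["openssl"] + argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE)
        out, _ = p.communicate(data)
        return out if p.returncode == 0 else None

    sign_argv = ["dgst", "-binary", "-sha256", "-sign", args.key]

    digest_len = 32
    # Sign empty input once to learn the signature length for this key.
    probe = run_openssl(sign_argv, "")
    if not probe:
        print "Signing with key {0} has failed.".format(args.key)
        return False
    sig_len = len(probe)
    img_size = len(img)

    shdr = struct.pack('<IIIIHH', magic, img_type, img_size, algo, digest_len, sig_len)

    hash_img = run_openssl(["dgst", "-binary", "-sha256"], shdr + img)
    sig_img = run_openssl(sign_argv, shdr + img)
    if not hash_img or not sig_img:
        print "Generating hash or signature for {0} has failed.".format(args.inf)
        return False
    # … unchanged: write shdr, hash_img, sig_img, img to args.out …
```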