Packaging for optee-os binary and optee-os TA devkit.
Modify pem_to_pub_c.py and sign.py script to use openssl
if pycrypto is not available.
Allow the Terminal User Interface (TUI) to be disabled at compile time.
Compile 32-bit TA devkit with CFG_WITH_VFP=n. GBS compile with softfp.
Change-Id: If3ad89d8871c1a8f7f1a519b07941316acdbdd14
srcs-y += tee_tcpudp_socket.c
srcs-y += tee_socket_pta.c
-subdirs-y += tui
+subdirs-$(CFG_LIBUTEE_TUI) += tui
subdirs-y += arch/$(ARCH)
cflags-lib-$(CFG_ULIBS_GPROF) += -pg
# Enable Secure Data Path support in OP-TEE core (TA may be invoked with
# invocation parameters referring to specific secure memories).
CFG_SECURE_DATA_PATH ?= n
+
+# Enable Terminal User Interface (TUI)
+CFG_LIBUTEE_TUI ?= y
--- /dev/null
+%define buildplat rpi3
+%define compile_flags CROSS_COMPILE="" CROSS_COMPILE64="" PLATFORM=%{buildplat} CFLAGS=-lgcc_eh CFG_LIBUTEE_TUI=n CFG_TEE_CORE_LOG_LEVEL=3 DEBUG=0
+%if %{__isa_bits} == 64
+%define compile_arch %{compile_flags} CFG_ARM64_core=y
+%else
+%define compile_arch %{compile_flags}
+%endif
+
+Name: optee-os
+Summary: OPTEE trusted operation system.
+Version: 2.4.0
+Release: 1%{?dist}
+Group: Security/Testing
+License: BSD-2-Clause
+URL: https://github.com/OP-TEE/optee_os
+Source0: %{name}-%{version}.tar.gz
+
+Provides: tee-pager.bin
+
+BuildRequires: make
+BuildRequires: python
+BuildRequires: openssl
+
+%description
+Trusted execution enviroment in Linux using the ARM® TrustZone® technology.
+
+%prep
+%setup -q
+
+%build
+make %{compile_arch} out/arm-plat-%{buildplat}/core/tee-pager.bin
+
+%install
+mkdir -p %{buildroot}/boot/
+
+cp -p %{_builddir}/%{name}-%{version}/out/arm-plat-%{buildplat}/core/tee-pager.bin %{buildroot}/boot/
+
+%clean
+
+%files
+/boot/tee-pager.bin
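Review bot: The `Summary:` line reads `OPTEE trusted operation system.`, which should be `OP-TEE trusted operating system`, and `%description` spells environment as `enviroment`; the same `%description` wording is repeated in the optee-os-ta spec further down, so both copies need the fix. These strings are what `rpm -qi` shows to users, so they are worth getting right before the first release of the package.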
--- /dev/null
+%define buildplat rpi3
+%define compile_flags CROSS_COMPILE="" CROSS_COMPILE64="" PLATFORM=%{buildplat} CFLAGS=-lgcc_eh CFG_LIBUTEE_TUI=n CFG_TEE_CORE_LOG_LEVEL=3 DEBUG=0
+%if %{__isa_bits} == 64
+%define compile_arch %{compile_flags} CFG_ARM64_core=y
+%else
+%define compile_arch %{compile_flags} CFG_WITH_VFP=n
+%endif
+%define out_dir out/arm-plat-%{buildplat}
+%define out_lib_dir %{out_dir}/ta_arm%{__isa_bits}-lib
+%define export_dir export-ta_arm%{__isa_bits}
+%define out_export_dir opt/optee/%{export_dir}
+
+Name: optee-os-ta
+Summary: Userspace libraries and devkit for OpTEE OS.
+Version: 2.4.0
+Release: 1%{?dist}
+Group: Security/Testing
+License: BSD-2-Clause
+URL: https://github.com/OP-TEE/optee_os
+Source0: %{name}-%{version}.tar.gz
+
+Provides: %{name}
+
+BuildRequires: make
+BuildRequires: python
+BuildRequires: openssl
+
+%description
+Trusted execution enviroment in Linux using the ARM® TrustZone® technology.
+
+%prep
+%setup -q
+
+%build
+mkdir -p %{out_dir}/%{export_dir}/mk
+make %{compile_arch} %{out_lib_dir}/libutee/libutee.a %{out_lib_dir}/libmpa/libmpa.a %{out_lib_dir}/libpng/libpng.a %{out_lib_dir}/libzlib/libzlib.a %{out_lib_dir}/libutils/libutils.a %{out_dir}/%{export_dir}/mk/conf.mk
+
+%install
+mkdir -p %{buildroot}/%{out_export_dir}/mk
+mkdir -p %{buildroot}/%{out_export_dir}/lib
+mkdir -p %{buildroot}/%{out_export_dir}/src
+mkdir -p %{buildroot}/%{out_export_dir}/scripts
+mkdir -p %{buildroot}/%{out_export_dir}/keys
+mkdir -p %{buildroot}/%{out_export_dir}/host_include
+mkdir -p %{buildroot}/%{out_export_dir}/include
+
+find %{_builddir}/%{name}-%{version}/%{out_lib_dir}/ -name lib*.a | xargs cp -t %{buildroot}/%{out_export_dir}/lib
+
+cp %{_builddir}/%{name}-%{version}/%{out_dir}/%{export_dir}/mk/conf.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/compile.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/subdir.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/gcc.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/cleandirs.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/link.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/ta/mk/ta_dev_kit.mk %{buildroot}/%{out_export_dir}/mk/
+
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/*.S %{buildroot}/%{out_export_dir}/src/
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/user_ta_header.c %{buildroot}/%{out_export_dir}/src/
+
+cp %{_builddir}/%{name}-%{version}/scripts/sign.py %{buildroot}/%{out_export_dir}/scripts/
+
+cp %{_builddir}/%{name}-%{version}/keys/default_ta.pem %{buildroot}/%{out_export_dir}/keys/
+
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutee/include/* %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libmpa/include/* %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libpng/include/* %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libzlib/include/* %{buildroot}/%{out_export_dir}/host_include/
+
+cp -rf %{buildroot}/%{out_export_dir}/host_include/* %{buildroot}/%{out_export_dir}/include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutils/ext/include/* %{buildroot}/%{out_export_dir}/include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutils/isoc/include/* %{buildroot}/%{out_export_dir}/include/
+
+%clean
+
+%files
+/%{out_export_dir}
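Review bot: `cp %{_builddir}/%{name}-%{version}/keys/default_ta.pem %{buildroot}/%{out_export_dir}/keys/` installs the repository's default TA signing private key into the devkit package, so every TA built against this devkit is signed with a key that is also present in the public upstream tree and is the one the companion optee-os package's core is built to trust; the spec should allow a different key to be supplied at build time, or at least say in `%description` that the bundled key is for development only. `Provides: %{name}` is implicit for every package and can be dropped. The `%clean` section is declared with an empty body, which is harmless but adds nothing.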
# POSSIBILITY OF SUCH DAMAGE.
#
+from collections import namedtuple
+PublicKey = namedtuple("PublicKey", "e n")
+
+def importKey_crypto(pem_key_file):
+ try:
+ module = __import__("Crypto.PublicKey.RSA")
+ f = open(pem_key_file, 'r')
+ key = module.PublicKey.RSA.importKey(f.read())
+ f.close()
+ return PublicKey(e=key.publickey().e, n=module.Util.number.long_to_bytes(key.publickey().n))
+ except ImportError:
+ return None
+
+def importKey_openssl(pem_key_file):
+ import subprocess
+ cmd = "cat " + pem_key_file + " | openssl rsa -inform PEM -noout -text | grep publicE | sed 's/publicExponent: //' | cut -d ' ' -f1 | tr -d '\n'"
+ e = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+ if not e:
+ print "Exporting exponent value from key {0} has failed.".format(pem_key_file)
+ return None
+ cmd = "cat " + pem_key_file + " | openssl rsa -inform PEM -noout -modulus | sed 's/Modulus=//' | tr -d '\n'"
+ n = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+ if not n:
+ print "Exporting modulus value from key {0} has failed.".format(pem_key_file)
+ return None
+ return PublicKey(e=e, n=n.decode("hex"))
+
def get_args():
import argparse
def main():
import array
- from Crypto.PublicKey import RSA
- from Crypto.Util.number import long_to_bytes
args = get_args();
- f = open(args.key, 'r')
- key = RSA.importKey(f.read())
- f.close
+ key = importKey_crypto(args.key)
+ if key is None:
+ key = importKey_openssl(args.key)
+ if key is None:
+ return
f = open(args.out, 'w')
f.write("#include <stddef.h>\n\n");
f.write("const uint32_t " + args.prefix + "_exponent = " +
- str(key.publickey().e) + ";\n\n")
+ str(key.e) + ";\n\n")
f.write("const uint8_t " + args.prefix + "_modulus[] = {\n")
i = 0;
- for x in array.array("B", long_to_bytes(key.publickey().n)):
+ for x in array.array("B", key.n):
f.write("0x" + '{0:02x}'.format(x) + ",")
i = i + 1;
if i % 8 == 0:
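Review bot: `importKey_openssl` builds both openssl commands by concatenating `pem_key_file` into a `shell=True` string, so a key path containing shell metacharacters is interpreted by the shell, and `subprocess.check_output` raises `CalledProcessError` on a non-zero exit (with stderr merged into the captured value), so the `if not e` / `if not n` checks only ever see the empty-output case. Passing argv lists with `-in` removes the `cat | grep | sed | cut | tr` pipeline as well, and a `try/except (CalledProcessError, OSError)` reports a missing binary or an unreadable key with one message; rewritten below. In `importKey_crypto`, `module.Util.number.long_to_bytes` relies on `Crypto.Util.number` having been loaded as a side effect of importing `Crypto.PublicKey.RSA`; an explicit `__import__("Crypto.Util.number")` inside the `try` makes that dependency visible. `main` continues beyond the hunk.
```python
def importKey_openssl(pem_key_file):
    import subprocess
    # argv lists: the key path is never interpreted by a shell, and a
    # non-zero openssl exit is reported as CalledProcessError instead of
    # being mistaken for a successful run with odd output.
    try:
        text = subprocess.check_output(
            ["openssl", "rsa", "-in", pem_key_file, "-inform", "PEM", "-noout", "-text"],
            stderr=subprocess.STDOUT)
        modulus = subprocess.check_output(
            ["openssl", "rsa", "-in", pem_key_file, "-inform", "PEM", "-noout", "-modulus"],
            stderr=subprocess.STDOUT)
    except (subprocess.CalledProcessError, OSError) as err:
        print "Reading public key from {0} has failed: {1}".format(pem_key_file, err)
        return None
    e = None
    for line in text.splitlines():
        # "publicExponent: 65537 (0x10001)" -> "65537"
        if line.strip().startswith("publicExponent:"):
            e = line.split()[1]
            break
    n = modulus.strip()
    if n.startswith("Modulus="):
        n = n[len("Modulus="):]
    if not e or not n:
        print "Exporting exponent/modulus value from key {0} has failed.".format(pem_key_file)
        return None
    return PublicKey(e=e, n=n.decode("hex"))
```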
# POSSIBILITY OF SUCH DAMAGE.
#
-def get_args():
- from argparse import ArgumentParser
+import struct
+from collections import namedtuple
+PublicKey = namedtuple("PublicKey", "e n")
- parser = ArgumentParser()
- parser.add_argument('--key', required=True, help='Name of key file')
- parser.add_argument('--in', required=True, dest='inf', \
- help='Name of in file')
- parser.add_argument('--out', required=True, help='Name of out file')
- return parser.parse_args()
+magic = 0x4f545348 # SHDR_MAGIC
+img_type = 0 # SHDR_TA
+algo = 0x70004830 # TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
-def main():
- from Crypto.Signature import PKCS1_v1_5
- from Crypto.Hash import SHA256
- from Crypto.PublicKey import RSA
- import struct
+def sign_crypto(args):
+ try:
+ module = __import__("Crypto.PublicKey.RSA")
+ module_sig = __import__("Crypto.Signature.PKCS1_v1_5")
+ f = open(args.key, 'rb')
+ key = module.PublicKey.RSA.importKey(f.read())
+ f.close()
- args = get_args()
+ f = open(args.inf, 'rb')
+ img = f.read()
+ f.close()
- f = open(args.key, 'rb')
- key = RSA.importKey(f.read())
- f.close()
+ signer = module_sig.Signature.PKCS1_v1_5.new(key)
+ h = module.Hash.SHA256.new()
+
+ digest_len = h.digest_size
+ sig_len = len(signer.sign(h))
+ img_size = len(img)
+
+ shdr = struct.pack('<IIIIHH', \
+ magic, img_type, img_size, algo, digest_len, sig_len)
+ h.update(shdr)
+ h.update(img)
+ sig = signer.sign(h)
+ f = open(args.out, 'wb')
+ f.write(shdr)
+ f.write(h.digest())
+ f.write(sig)
+ f.write(img)
+ f.close()
+ return True
+ except ImportError:
+ return False
+
+def sign_openssl(args):
+ import subprocess
f = open(args.inf, 'rb')
img = f.read()
f.close()
- signer = PKCS1_v1_5.new(key)
- h = SHA256.new()
-
- digest_len = h.digest_size
- sig_len = len(signer.sign(h))
+ digest_len = 32
+ sig_len = 256
img_size = len(img)
- magic = 0x4f545348 # SHDR_MAGIC
- img_type = 0 # SHDR_TA
- algo = 0x70004830 # TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
- shdr = struct.pack('<IIIIHH', \
- magic, img_type, img_size, algo, digest_len, sig_len)
+ shdr = struct.pack('<IIIIHH', magic, img_type, img_size, algo, digest_len, sig_len)
+
+ f = open(args.inf + ".tmp", 'wb')
+ f.write(shdr)
+ f.write(img)
+ f.close()
+
+ cmd = "openssl dgst -binary -sha256 " + args.inf + ".tmp"
+ hash_img = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+ if not hash_img:
+ print "Generating hash from {0} has failed.".format(args.inf + ".tmp")
+ return False
- h.update(shdr)
- h.update(img)
- sig = signer.sign(h)
+ cmd = "openssl dgst -binary -sha256 -sign " + args.key + " " + args.inf + ".tmp"
+ sig_img = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+ if not sig_img:
+ print "Generating signature from {0} with key {1} has failed.".format(args.inf + ".hash", args.key)
+ return False
f = open(args.out, 'wb')
f.write(shdr)
- f.write(h.digest())
- f.write(sig)
+ f.write(hash_img)
+ f.write(sig_img)
f.write(img)
f.close()
+ return True
+
+def get_args():
+ from argparse import ArgumentParser
+
+ parser = ArgumentParser()
+ parser.add_argument('--key', required=True, help='Name of key file')
+ parser.add_argument('--in', required=True, dest='inf', \
+ help='Name of in file')
+ parser.add_argument('--out', required=True, help='Name of out file')
+ return parser.parse_args()
+
+def main():
+ args = get_args()
+
+ sig = sign_crypto(args)
+ if sig is False:
+ sig = sign_openssl(args)
+ if sig is False:
+ return -1
if __name__ == "__main__":
main()
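Review bot: `sig_len = 256` in `sign_openssl` is hard-coded, but the signature is whatever `openssl dgst -sign` produces for `args.key`, so any key that is not 2048 bits yields a header whose sig_len does not describe the bytes that follow; `sign_crypto` measures the signature length from the key, and this path should at least check `len(sig_img) == sig_len` and `len(hash_img) == digest_len` before writing `args.out`. Both `check_output` calls concatenate `args.key`/`args.inf` into a `shell=True` string and merge stderr into the captured binary output, so a path with shell metacharacters is interpreted by the shell, any warning openssl prints corrupts the digest or signature bytes, and a non-zero exit raises `CalledProcessError` that the `if not hash_img` / `if not sig_img` checks never see; argv lists without `shell=True` address all three. The `args.inf + ".tmp"` file is never removed, and the failure message names `args.inf + ".hash"` although the file written is `.tmp`; rewritten `sign_openssl` below. Elsewhere in the hunk, `sign_crypto` reads `module.Hash.SHA256` without ever importing `Crypto.Hash.SHA256`, which (if that submodule has not been loaded by something else) surfaces as `AttributeError` rather than the `ImportError` that triggers the openssl fallback, and `main` returns -1 that the `__main__` guard discards, so `sys.exit(main())` would let a build script see the failure.
```python
def sign_openssl(args):
    import os
    import subprocess
    f = open(args.inf, 'rb')
    img = f.read()
    f.close()
    # … unchanged: digest_len, sig_len, img_size, shdr packing …
    tmp = args.inf + ".tmp"
    f = open(tmp, 'wb')
    f.write(shdr)
    f.write(img)
    f.close()
    try:
        # argv lists: paths are never interpreted by a shell, stderr is not
        # mixed into the binary output, and a non-zero exit raises.
        hash_img = subprocess.check_output(
            ["openssl", "dgst", "-binary", "-sha256", tmp])
        sig_img = subprocess.check_output(
            ["openssl", "dgst", "-binary", "-sha256", "-sign", args.key, tmp])
    except (subprocess.CalledProcessError, OSError) as err:
        print "Signing {0} with key {1} has failed: {2}".format(tmp, args.key, err)
        return False
    finally:
        os.remove(tmp)
    # The header already committed to these lengths; a key that is not
    # 2048 bits would produce a signature the header does not describe.
    if len(hash_img) != digest_len or len(sig_img) != sig_len:
        print "Unexpected digest/signature length for key {0}.".format(args.key)
        return False
    # … unchanged: writing shdr, hash_img, sig_img, img to args.out …
    return True
```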