From 96631b362fc12b546cb096d763981c7128bf0230 Mon Sep 17 00:00:00 2001 From: "r.tyminski" Date: Wed, 14 Jun 2017 10:31:43 +0200 Subject: [PATCH] Added packaging and necessary changes for gbs compilation. Packaging for optee-os binary and optee-os TA devkit. Modify pem_to_pub_c.py and sign.py script to use openssl if pycrypto is not available. Allow to disable Terminal User Interface (TUI) from compilation. Compile 32-bit TA devkit with CFG_WITH_VFP=n. GBS compile with softfp. Change-Id: If3ad89d8871c1a8f7f1a519b07941316acdbdd14 --- lib/libutee/sub.mk | 2 +- mk/config.mk | 3 + packaging/optee-os-rpi3.spec | 41 ++++++++++++ packaging/optee-os-ta-devel-rpi3.spec | 76 +++++++++++++++++++++++ scripts/pem_to_pub_c.py | 41 +++++++++--- scripts/sign.py | 113 ++++++++++++++++++++++++---------- 6 files changed, 236 insertions(+), 40 deletions(-) create mode 100644 packaging/optee-os-rpi3.spec create mode 100644 packaging/optee-os-ta-devel-rpi3.spec diff --git a/lib/libutee/sub.mk b/lib/libutee/sub.mk index 8c0d100..4e46e1a 100644 --- a/lib/libutee/sub.mk +++ b/lib/libutee/sub.mk @@ -15,7 +15,7 @@ srcs-y += tee_api_panic.c srcs-y += tee_tcpudp_socket.c srcs-y += tee_socket_pta.c -subdirs-y += tui +subdirs-$(CFG_LIBUTEE_TUI) += tui subdirs-y += arch/$(ARCH) cflags-lib-$(CFG_ULIBS_GPROF) += -pg diff --git a/mk/config.mk b/mk/config.mk index 6fe90f1..2932f49 100644 --- a/mk/config.mk +++ b/mk/config.mk @@ -231,3 +231,6 @@ CFG_GP_SOCKETS ?= y # Enable Secure Data Path support in OP-TEE core (TA may be invoked with # invocation parameters referring to specific secure memories). CFG_SECURE_DATA_PATH ?= n + +# Enable Terminal User Interface (TUI) +CFG_LIBUTEE_TUI ?= y diff --git a/packaging/optee-os-rpi3.spec b/packaging/optee-os-rpi3.spec new file mode 100644 index 0000000..4d5b2fc --- /dev/null +++ b/packaging/optee-os-rpi3.spec 
@@ -0,0 +1,41 @@
+%define buildplat rpi3
+%define compile_flags CROSS_COMPILE="" CROSS_COMPILE64="" PLATFORM=%{buildplat} CFLAGS=-lgcc_eh CFG_LIBUTEE_TUI=n CFG_TEE_CORE_LOG_LEVEL=3 DEBUG=0
+%if %{__isa_bits} == 64
+%define compile_arch %{compile_flags} CFG_ARM64_core=y
+%else
+%define compile_arch %{compile_flags}
+%endif
+
+Name: optee-os
+Summary: OPTEE trusted operation system.
+Version: 2.4.0
+Release: 1%{?dist}
+Group: Security/Testing
+License: BSD-2-Clause
+URL: https://github.com/OP-TEE/optee_os
+Source0: %{name}-%{version}.tar.gz
+
+Provides: tee-pager.bin
+
+BuildRequires: make
+BuildRequires: python
+BuildRequires: openssl
+
+%description
+Trusted execution enviroment in Linux using the ARM® TrustZone® technology.
+
+%prep
+%setup -q
+
+%build
+make %{compile_arch} out/arm-plat-%{buildplat}/core/tee-pager.bin
+
+%install
+mkdir -p %{buildroot}/boot/
+
+cp -p %{_builddir}/%{name}-%{version}/out/arm-plat-%{buildplat}/core/tee-pager.bin %{buildroot}/boot/
+
+%clean
+
+%files
+/boot/tee-pager.bin
diff --git a/packaging/optee-os-ta-devel-rpi3.spec b/packaging/optee-os-ta-devel-rpi3.spec
new file mode 100644
index 0000000..650dc9a
--- /dev/null
+++ b/packaging/optee-os-ta-devel-rpi3.spec
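Review bot: `CFG_TEE_CORE_LOG_LEVEL=3` in `compile_flags` is combined with `DEBUG=0`, so the packaged tee-pager.bin is a non-debug build that still carries debug-level core traces, assuming level 3 keeps its usual OP-TEE meaning. Secure-world trace output on the console is a common source of information leakage, so a release package would normally lower it, for example `CFG_TEE_CORE_LOG_LEVEL=1`, or take the level from an RPM macro so that test builds can opt in. `CFLAGS=-lgcc_eh` also passes a library through the compiler-flags variable, and a one-line comment saying why it is needed would help the next packager. The same `compile_flags` line is repeated in optee-os-ta-devel-rpi3.spec.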
@@ -0,0 +1,76 @@
+%define buildplat rpi3
+%define compile_flags CROSS_COMPILE="" CROSS_COMPILE64="" PLATFORM=%{buildplat} CFLAGS=-lgcc_eh CFG_LIBUTEE_TUI=n CFG_TEE_CORE_LOG_LEVEL=3 DEBUG=0
+%if %{__isa_bits} == 64
+%define compile_arch %{compile_flags} CFG_ARM64_core=y
+%else
+%define compile_arch %{compile_flags} CFG_WITH_VFP=n
+%endif
+%define out_dir out/arm-plat-%{buildplat}
+%define out_lib_dir %{out_dir}/ta_arm%{__isa_bits}-lib
+%define export_dir export-ta_arm%{__isa_bits}
+%define out_export_dir opt/optee/%{export_dir}
+
+Name: optee-os-ta
+Summary: Userspace libraries and devkit for OpTEE OS.
+Version: 2.4.0
+Release: 1%{?dist}
+Group: Security/Testing
+License: BSD-2-Clause
+URL: https://github.com/OP-TEE/optee_os
+Source0: %{name}-%{version}.tar.gz
+
+Provides: %{name}
+
+BuildRequires: make
+BuildRequires: python
+BuildRequires: openssl
+
+%description
+Trusted execution enviroment in Linux using the ARM® TrustZone® technology.
+
+%prep
+%setup -q
+
+%build
+mkdir -p %{out_dir}/%{export_dir}/mk
+make %{compile_arch} %{out_lib_dir}/libutee/libutee.a %{out_lib_dir}/libmpa/libmpa.a %{out_lib_dir}/libpng/libpng.a %{out_lib_dir}/libzlib/libzlib.a %{out_lib_dir}/libutils/libutils.a %{out_dir}/%{export_dir}/mk/conf.mk
+
+%install
+mkdir -p %{buildroot}/%{out_export_dir}/mk
+mkdir -p %{buildroot}/%{out_export_dir}/lib
+mkdir -p %{buildroot}/%{out_export_dir}/src
+mkdir -p %{buildroot}/%{out_export_dir}/scripts
+mkdir -p %{buildroot}/%{out_export_dir}/keys
+mkdir -p %{buildroot}/%{out_export_dir}/host_include
+mkdir -p %{buildroot}/%{out_export_dir}/include
+
+find %{_builddir}/%{name}-%{version}/%{out_lib_dir}/ -name lib*.a | xargs cp -t %{buildroot}/%{out_export_dir}/lib
+
+cp %{_builddir}/%{name}-%{version}/%{out_dir}/%{export_dir}/mk/conf.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/compile.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/subdir.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/gcc.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/mk/cleandirs.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/link.mk %{buildroot}/%{out_export_dir}/mk/
+cp %{_builddir}/%{name}-%{version}/ta/mk/ta_dev_kit.mk %{buildroot}/%{out_export_dir}/mk/
+
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/*.S %{buildroot}/%{out_export_dir}/src/
+cp %{_builddir}/%{name}-%{version}/ta/arch/arm/user_ta_header.c %{buildroot}/%{out_export_dir}/src/
+
+cp %{_builddir}/%{name}-%{version}/scripts/sign.py %{buildroot}/%{out_export_dir}/scripts/
+
+cp %{_builddir}/%{name}-%{version}/keys/default_ta.pem %{buildroot}/%{out_export_dir}/keys/
+
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutee/include/* %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libmpa/include/* %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libpng/include/* %{buildroot}/%{out_export_dir}/host_include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libzlib/include/* %{buildroot}/%{out_export_dir}/host_include/
+
+cp -rf %{buildroot}/%{out_export_dir}/host_include/* %{buildroot}/%{out_export_dir}/include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutils/ext/include/* %{buildroot}/%{out_export_dir}/include/
+cp -rf %{_builddir}/%{name}-%{version}/lib/libutils/isoc/include/* %{buildroot}/%{out_export_dir}/include/
+
+%clean
+
+%files
+/%{out_export_dir}
diff --git a/scripts/pem_to_pub_c.py b/scripts/pem_to_pub_c.py
index 47c004d..92f4b81 100755
--- a/scripts/pem_to_pub_c.py
+++ b/scripts/pem_to_pub_c.py
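Review bot: The `%install` line that copies `keys/default_ta.pem` into the devkit ships a signing key that is identical in every copy of this package and in the source tarball. If the core image built by the companion spec verifies trusted applications against the matching public half (pem_to_pub_c.py in this patch suggests so, but the make rule is not visible here), then TA signatures on such an image only show that the signer had the devkit. I would mark the line with a comment such as `# default_ta.pem is a development key only; product images must be built and signed with a key held outside this package`, and make the key path a macro so a product build can substitute its own.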
@@ -26,6 +26,33 @@ # POSSIBILITY OF SUCH DAMAGE. # +from collections import namedtuple +PublicKey = namedtuple("PublicKey", "e n") + +def importKey_crypto(pem_key_file): + try: + module = __import__("Crypto.PublicKey.RSA") + f = open(pem_key_file, 'r') + key = module.PublicKey.RSA.importKey(f.read()) + f.close() + return PublicKey(e=key.publickey().e, n=module.Util.number.long_to_bytes(key.publickey().n)) + except ImportError: + return None + +def importKey_openssl(pem_key_file): + import subprocess + cmd = "cat " + pem_key_file + " | openssl rsa -inform PEM -noout -text | grep publicE | sed 's/publicExponent: //' | cut -d ' ' -f1 | tr -d '\n'" + e = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT) + if not e: + print "Exporting exponent value from key {0} has failed.".format(pem_key_file) + return None + cmd = "cat " + pem_key_file + " | openssl rsa -inform PEM -noout -modulus | sed 's/Modulus=//' | tr -d '\n'" + n = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT) + if not n: + print "Exporting modulus value from key {0} has failed.".format(pem_key_file) + return None + return PublicKey(e=e, n=n.decode("hex")) + def get_args(): import argparse @@ -42,14 +69,14 @@ def get_args(): def main(): import array - from Crypto.PublicKey import RSA - from Crypto.Util.number import long_to_bytes args = get_args(); - f = open(args.key, 'r') - key = RSA.importKey(f.read()) - f.close + key = importKey_crypto(args.key) + if key is None: + key = importKey_openssl(args.key) + if key is None: + return f = open(args.out, 'w') @@ -57,11 +84,11 @@ def main(): f.write("#include \n\n"); f.write("const uint32_t " + args.prefix + "_exponent = " + - str(key.publickey().e) + ";\n\n") + str(key.e) + ";\n\n") f.write("const uint8_t " + args.prefix + "_modulus[] = {\n") i = 0; - for x in array.array("B", long_to_bytes(key.publickey().n)): + for x in array.array("B", key.n): f.write("0x" + '{0:02x}'.format(x) + ",") i = i + 1; if i % 8 == 0: 
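Review bot: `importKey_openssl` builds both commands by concatenating `pem_key_file` into a string run with `shell=True`, so a key path containing spaces or shell metacharacters is interpreted by the shell instead of being handed to openssl as a file name. `stderr=subprocess.STDOUT` also folds openssl's error text into `e` and `n`, which defeats the `if not e` / `if not n` checks: on an unreadable key the captured string is non-empty and is treated as key material. Passing an argv list with `-in` and extracting the values in Python avoids both problems and drops the dependency on cat, grep, sed, cut and tr. The sign.py hunk in this patch is cut off in this view, so it is worth checking whether its openssl fallback uses the same pattern.

```python
def importKey_openssl(pem_key_file):
    import re
    import subprocess
    # argv list and no shell: the key path reaches openssl as a single argument
    base = ["openssl", "rsa", "-inform", "PEM", "-in", pem_key_file, "-noout"]
    try:
        text = subprocess.check_output(base + ["-text"])
        modulus = subprocess.check_output(base + ["-modulus"])
    except (OSError, subprocess.CalledProcessError):
        print "Reading key {0} with openssl has failed.".format(pem_key_file)
        return None
    e = re.search(r"publicExponent: (\d+)", text)
    n = re.search(r"Modulus=([0-9A-Fa-f]+)", modulus)
    if e is None or n is None:
        print "Exporting public key values from key {0} has failed.".format(pem_key_file)
        return None
    return PublicKey(e=e.group(1), n=n.group(1).decode("hex"))
```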
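Review bot: In `main()`, the new `if key is None: return` path ends the script with exit status 0 even though no output file was written, so a caller that checks only the status sees success. Replacing that `return` with `raise SystemExit(1)` stops the build at the point where the key could not be read, instead of at a later compile step that misses the generated file. main() continues past the end of this hunk.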
diff --git a/scripts/sign.py b/scripts/sign.py index f407f3b..cffee18 100755 --- a/scripts/sign.py +++ b/scripts/sign.py @@ -26,55 +26,104 @@ # POSSIBILITY OF SUCH DAMAGE. # -def get_args(): - from argparse import ArgumentParser +import struct +from collections import namedtuple +PublicKey = namedtuple("PublicKey", "e n") - parser = ArgumentParser() - parser.add_argument('--key', required=True, help='Name of key file') - parser.add_argument('--in', required=True, dest='inf', \ - help='Name of in file') - parser.add_argument('--out', required=True, help='Name of out file') - return parser.parse_args() +magic = 0x4f545348 # SHDR_MAGIC +img_type = 0 # SHDR_TA +algo = 0x70004830 # TEE_ALG_RSASSA_PKCS1_V1_5_SHA256 -def main(): - from Crypto.Signature import PKCS1_v1_5 - from Crypto.Hash import SHA256 - from Crypto.PublicKey import RSA - import struct +def sign_crypto(args): + try: + module = __import__("Crypto.PublicKey.RSA") + module_sig = __import__("Crypto.Signature.PKCS1_v1_5") + f = open(args.key, 'rb') + key = module.PublicKey.RSA.importKey(f.read()) + f.close() - args = get_args() + f = open(args.inf, 'rb') + img = f.read() + f.close() - f = open(args.key, 'rb') - key = RSA.importKey(f.read()) - f.close() + signer = module_sig.Signature.PKCS1_v1_5.new(key) + h = module.Hash.SHA256.new() + + digest_len = h.digest_size + sig_len = len(signer.sign(h)) + img_size = len(img) + + shdr = struct.pack('