optee: migration 4.2.0 to 4.4.0

[ldts]

optee-os+fio:
[email protected]:OP-TEE/optee_os.git
tag: 4.4.0

optee-os+fio-imx:
[email protected]:nxp-imx/imx-optee-os.git
tag: lf-6.6.52-2.2.0

Tests: MACHINE=qemuarm64-secureboot

xtest regression and pkcs11
39990 subtests of which 0 failed
137 test cases of which 0 failed
0 test cases were skipped

[ricardosalveti]

optee-test does not build, needs license changes.

ERROR: optee-test-4.4.0-r0 do_populate_lic: QA Issue: optee-test: The LIC_FILES_CHKSUM does not match for file:///home/rsalveti/build/lmp-secondary/build-lmp/tmp-lmp/work/qemuarm64_secureboot-lmp-linux/optee-test/4.4.0/git/LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa
optee-test: The new md5 checksum is a8fa504109e4cd7ea575bc49ea4be560
optee-test: Here is the selected license text:
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
The client applications (`optee_test/host/*`) are provided under the
[GPL-2.0](LICENSE-GPL) license.

The user TAs (`optee_test/ta/*`) are provided under the
[BSD 2-Clause](LICENSE-BSD) license.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
optee-test: Check if the license information has changed in /home/rsalveti/build/lmp-secondary/build-lmp/tmp-lmp/work/qemuarm64_secureboot-lmp-linux/optee-test/4.4.0/git/LICENSE.md to verify that the LICENSE value "BSD-2-Clause & GPL-2.0-only" remains valid [license-checksum]
ERROR: optee-test-4.4.0-r0 do_populate_lic: Fatal QA errors were found, failing task.
ERROR: Logfile of failure stored in: /home/rsalveti/build/lmp-secondary/build-lmp/tmp-lmp/work/qemuarm64_secureboot-lmp-linux/optee-test/4.4.0/temp/log.do_populate_lic.2381104
ERROR: Task (/home/rsalveti/build/lmp-secondary/build-lmp/conf/../../layers/meta-lmp/meta-lmp-base/recipes-security/optee/optee-test_4.4.0.bb:do_populate_lic) failed with exit code '1'

[ricardosalveti]

License is the same, but upstream changed the license URL, which causes a different chksum.

diff --git a/meta-lmp-base/recipes-security/optee/optee-test_4.4.0.bb b/meta-lmp-base/recipes-security/optee/optee-test_4.4.0.bb
index 2aed6e207..6306f18bb 100644
--- a/meta-lmp-base/recipes-security/optee/optee-test_4.4.0.bb
+++ b/meta-lmp-base/recipes-security/optee/optee-test_4.4.0.bb
@@ -1,6 +1,7 @@
 require optee-test-fio.inc

 SRCREV = "695231ef8987866663a9ed5afd8f77d1bae3dc08"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560"

 # Due OpenSSL 3.0 deprecated warnings
 CFLAGS += "-Wno-error=deprecated-declarations"

[ricardosalveti]

There are also a few other changes that will be required, like syncing the general recipe updates done at https://git.yoctoproject.org/meta-arm/tree/meta-arm/recipes-security/optee (which also includes this LIC_FILES change), and switching to the tee-supplicant file from optee-client upstream (and fixing the missing user).

root@qemuarm64-secureboot:~# cat /usr/lib/systemd/system/tee-supplicant\@.service
# SPDX-License-Identifier: BSD-2-Clause
[Unit]
Description=TEE Supplicant on %i
DefaultDependencies=no
After=dev-%i.device
Wants=dev-%i.device
Conflicts=shutdown.target
Before=tpm2.target sysinit.target shutdown.target

[Service]
Type=notify
User=teesuppl
Group=teesuppl
EnvironmentFile=-/etc/default/tee-supplicant
ExecStart=/usr/sbin/tee-supplicant $OPTARGS
# Workaround for fTPM TA: stop kernel module before tee-supplicant
ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"

root@qemuarm64-secureboot:~# systemctl status [email protected]
× [email protected] - TEE Supplicant on teepriv0
     Loaded: loaded (/usr/lib/systemd/system/[email protected]; static)
     Active: failed (Result: exit-code) since Wed 2025-02-19 23:06:04 UTC; 43s ago
   Main PID: 372 (code=exited, status=217/USER)
        CPU: 153ms

Feb 19 23:06:03 qemuarm64-secureboot systemd[1]: Starting TEE Supplicant on teepriv0...
Feb 19 23:06:03 qemuarm64-secureboot (pplicant)[372]: [email protected]: Failed to determine user credentials: No such process
Feb 19 23:06:04 qemuarm64-secureboot systemd[1]: [email protected]: Main process exited, code=exited, status=217/USER
Feb 19 23:06:04 qemuarm64-secureboot systemd[1]: [email protected]: Failed with result 'exit-code'.
Feb 19 23:06:04 qemuarm64-secureboot systemd[1]: Failed to start TEE Supplicant on teepriv0.

[ldts]

After the update.

* tee-supplicant.service - TEE Supplicant                                                                                                                                                                                                                                                                                                                                               
     Loaded: loaded (]8;;file://qemuarm64-secureboot/usr/lib/systemd/system/tee-supplicant.serviceG/usr/lib/systemd/system/tee-supplicant.service]8;;G; enabled; preset: enabled)
     Active: active (running) since Thu 2025-02-20 13:05:52 UTC; 10min ago
   Main PID: 403 (tee-supplicant)
      Tasks: 6 (limit: 2282)
     Memory: 8.7M (peak: 8.9M)
        CPU: 19.404s
     CGroup: /system.slice/tee-supplicant.service
             `-403 /usr/sbin/tee-supplicant

Feb 20 13:05:52 qemuarm64-secureboot systemd[1]: Started TEE Supplicant.
Feb 20 13:05:54 qemuarm64-secureboot (pplicant)[403]: tee-supplicant.service: Referenced but unset environment variable evaluates to an empty string: OPTARGS

root@qemuarm64-secureboot:/var/rootdirs/home/fio# dmesg | grep optee
[    0.000000] OF: reserved mem: 0x000000000e100000..0x000000000effffff (15360 KiB) nomap non-reusable optee_core@e100000
[    0.000000] OF: reserved mem: 0x0000000042000000..0x00000000421fffff (2048 KiB) nomap non-reusable optee_shm@42000000
[    1.645679] optee: probing for conduit method.
[    1.646486] optee: revision 4.4 (6e413a200213e986)
[    1.650876] optee: Asynchronous notifications enabled
[    1.651657] optee: dynamic shared memory is enabled
[    1.664237] optee: initialized driver

xtests for qemuarm64-secureboot:

[,...]
regression_6010 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6012 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6013 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6014 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6015 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6016 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6017 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6018 OK                                                                                                                                                                                                                                                                                                                                                                      
regression_6019 OK
regression_6020 OK
regression_6021 OK
regression_8001 OK
regression_8002 OK
regression_8101 OK
regression_8102 OK
regression_8103 OK
pkcs11_1000 OK
pkcs11_1001 OK
pkcs11_1002 OK
[...]
39990 subtests of which 0 failed
137 test cases of which 0 failed
0 test cases were skipped

[ldts]

@rsalveti can the supplicant update to upstream wait after scarthgap - ie, can we merge as is?

[ldts]

to accelerate things as per our follow up I updated to synch with meta-arm.

I cant understand why inheriting from useradd seems to be a problem - ignores the recipe altogether!- so ended up inheriting from useradd_base

1. all xtests passed

* [email protected] - TEE Supplicant on teepriv0
     Loaded: loaded (]8;;file://qemuarm64-secureboot/usr/lib/systemd/system/[email protected]/usr/lib/systemd/system/[email protected]]8;;G; static)
     Active: active (running) since Thu 2025-02-20 19:13:21 UTC; 6min ago
   Main PID: 350 (tee-supplicant)
      Tasks: 6 (limit: 2282)
     Memory: 6.8M (peak: 7.2M)
        CPU: 21.291s
     CGroup: /system.slice/system-tee\x2dsupplicant.slice/[email protected]
             `-350 /usr/sbin/tee-supplicant

Feb 20 19:13:21 qemuarm64-secureboot systemd[1]: Starting TEE Supplicant on teepriv0...
Feb 20 19:13:21 qemuarm64-secureboot (pplicant)[350]: tee-supplicant@
```teepriv0.service: Referenced but unset environment variable evaluates to an empty string: OPTARGS
Feb 20 19:13:21 qemuarm64-secureboot systemd[1]: Started TEE Supplicant on teepriv0.

[quaresmajose]

I have found some little differences from the one in meta-arm

--- a/meta-lmp-base/recipes-security/optee/optee-client-fio.inc 
+++ b/meta-lmp-base/recipes-security/optee/optee-client-fio.inc 
@@ -5,9 +5,7 @@ HOMEPAGE = "https://www.op-tee.org/" 
 LICENSE = "BSD-2-Clause" 
 LIC_FILES_CHKSUM = "file://license/;md5=69663ab153298557a59c67a60a743e5b" 
  
-inherit systemd cmake pkgconfig useradd_base 
- 
-DEPENDS = "util-linux-libuuid" 
+inherit systemd update-rc.d cmake useradd 
  
 SRC_URI = " \ 
    git://github.com/OP-TEE/optee_client.git;protocol=https;branch=master \ 
@@ -22,8 +20,7 @@ S = "${WORKDIR}/git" 
  
 EXTRA_OECMAKE = " \ 
    -DBUILD_SHARED_LIBS=ON \ 
-   -DRPMB_EMU=OFF \ 
-   -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/tee' \ 
+   -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \ 
 " 
 EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"

[ldts]

I dont think we want to change the CFG_TEE_FS_PARENT_PATH. And we need uuid for sysroot AFAIR.
I tried a clean local build with useradd and still wont work for me. maybe I need to clear the cache...

[quaresmajose]

to fix the version issue another patch is needed

--- a/meta-lmp-base/files/lmp-group-table
+++ b/meta-lmp-base/files/lmp-group-table
@@ -50,6 +50,7 @@ shutdown:x:70:
 nobody:*:99:
 users:x:100:
 pulse:x:171:
+teeclnt:x:967:
 ptest:x:968:
 sgx:x:969:
 lpadmin:x:970:

[ldts]

amazing! I was wondering how it could work without that group - I dont see it created and yet the service was being started. ok thanks, I'll fix.