From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Wed, 03 Apr 2024 18:48:25 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <distrokit-bounces+lore=lore.pengutronix.de@pengutronix.de>)
	id 1rs3mj-006nD1-1o
	for lore@lore.pengutronix.de;
	Wed, 03 Apr 2024 18:48:25 +0200
Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de)
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <distrokit-bounces@pengutronix.de>)
	id 1rs3mi-00085t-Mr; Wed, 03 Apr 2024 18:48:24 +0200
Received: from drehscheibe.grey.stw.pengutronix.de ([2a0a:edc0:0:c01:1d::a2])
 by metis.whiteo.stw.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <a.fatoum@pengutronix.de>)
 id 1rs3mb-0007u5-Gm; Wed, 03 Apr 2024 18:48:17 +0200
Received: from [2a0a:edc0:0:1101:1d::54] (helo=dude05.red.stw.pengutronix.de)
 by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <a.fatoum@pengutronix.de>)
 id 1rs3mb-00ADLx-46; Wed, 03 Apr 2024 18:48:17 +0200
Received: from localhost ([::1] helo=dude05.red.stw.pengutronix.de)
 by dude05.red.stw.pengutronix.de with esmtp (Exim 4.96)
 (envelope-from <a.fatoum@pengutronix.de>) id 1rs3mb-00GUKn-00;
 Wed, 03 Apr 2024 18:48:17 +0200
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: distrokit@pengutronix.de
Date: Wed,  3 Apr 2024 18:48:12 +0200
Message-Id: <20240403164815.3929378-6-a.fatoum@pengutronix.de>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240403164815.3929378-1-a.fatoum@pengutronix.de>
References: <20240403164815.3929378-1-a.fatoum@pengutronix.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [DistroKit] [PATCH v3 5/8] v7a: build OP-TEE for STM32MP13
X-BeenThere: distrokit@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DistroKit Mailinglist <distrokit.pengutronix.de>
List-Unsubscribe: <https://metis.pengutronix.de/mailman/options/distrokit>,
 <mailto:distrokit-request@pengutronix.de?subject=unsubscribe>
List-Archive: <https://metis.pengutronix.de/mailman/private/distrokit/>
List-Post: <mailto:distrokit@pengutronix.de>
List-Help: <mailto:distrokit-request@pengutronix.de?subject=help>
List-Subscribe: <https://metis.pengutronix.de/mailman/listinfo/distrokit>,
 <mailto:distrokit-request@pengutronix.de?subject=subscribe>
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Sender: "DistroKit" <distrokit-bounces@pengutronix.de>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: distrokit-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

For the STM32MP13, ST decided that everyone should be using OP-TEE as
System Control and Management Interface (SCMI) provider and the kernel
driver for the reset and clock control (RCC) peripheral will talk to
the SCMI provider. Therefore let's enable OP-TEE, so we can make use of
this.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Link: https://lore.pengutronix.de/20240315211240.3016716-10-a.fatoum@pengutronix.de
Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
---
v2 -> v3:
  - add CFG_STM32MP13 as precondition to reason override (mol)
v1 -> v2:
  - disable unused options CFG_GP_SOCKETS=n CFG_TA_MBEDTLS_SELF_TEST=n
    (mol)
  - add bsp.ref exceptions for potentially useful debugging options
---
 configs/bsp.ref                     | 12 ++++++++++++
 configs/platform-v7a/platformconfig |  7 ++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/configs/bsp.ref b/configs/bsp.ref
index 56e83b160eb3..fe2e2b4d60f5 100644
--- a/configs/bsp.ref
+++ b/configs/bsp.ref
@@ -33,6 +33,18 @@ kernel_initrd:
       value: True
     - value: False
 
+optee_disabled_features:
+  description: |
+    OP-TEE is used as secure monitor on STM32MP13x providing power
+    management and clock/reset control support. We don't use it as
+    part of a trusted boot setup, so we prefer debuggability over
+    reduction of the attack surface.
+  condition: kconfig.OPTEEConfig()['CFG_STM32MP13']
+  present:
+    - CFG_DEBUG_INFO
+    - CFG_ENABLE_EMBEDDED_TESTS
+    - CFG_TEE_CORE_TA_TRACE
+
 rootfs_unused_libraries:
   description: |
     - libatomic is needed on mips and rpi1 by libcrypto, but for simplicity ship it on all platforms
diff --git a/configs/platform-v7a/platformconfig b/configs/platform-v7a/platformconfig
index 2efae02cb241..f9c095916c22 100644
--- a/configs/platform-v7a/platformconfig
+++ b/configs/platform-v7a/platformconfig
@@ -199,7 +199,10 @@ PTXCONF_BAREBOX_ARCH_STRING="arm"
 PTXCONF_BOOTLOADER=y
 # PTXCONF_GRUB is not set
 # PTXCONF_HOST_MXS_UTILS is not set
-# PTXCONF_OPTEE is not set
+PTXCONF_OPTEE=y
+PTXCONF_OPTEE_PLATFORM="stm32mp1"
+PTXCONF_OPTEE_PLATFORM_FLAVOUR="135F_DK"
+PTXCONF_OPTEE_CFG="CFG_TEE_CORE_LOG_LEVEL=2 CFG_WITH_PAGER=n CFG_GP_SOCKETS=n CFG_TA_MBEDTLS_SELF_TEST=n"
 PTXCONF_TF_A=y
 PTXCONF_TF_A_URL="https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/snapshot"
 PTXCONF_TF_A_VERSION="v2.10"
@@ -349,7 +352,9 @@ PTXCONF_HOST_SYSTEM_PYTHON3_PYPROJECT_HOOKS=y
 PTXCONF_HOST_SYSTEM_PYTHON3_TOMLI=y
 PTXCONF_HOST_SYSTEM_PYTHON3_WHEEL=y
 PTXCONF_HOST_SYSTEM_PYTHON3=y
+PTXCONF_HOST_SYSTEM_PYTHON3_CRYPTOGRAPHY=y
 PTXCONF_HOST_SYSTEM_PYTHON3_SETUPTOOLS=y
+PTXCONF_HOST_SYSTEM_PYTHON3_PYELFTOOLS=y
 PTXCONF_HOST_UTIL_LINUX=y
 PTXCONF_HOST_ZLIB=y
 PTXCONF_HOST_TF_A=y
-- 
2.39.2