zarhus · DaniilKl · Aug 20, 2024 · Mar 3, 2025 · Mar 17, 2025 · Mar 17, 2025
diff --git a/.oelint-custom-overrides.json b/.oelint-custom-overrides.json
@@ -2,6 +2,9 @@
     "replacements": {
         "distros": [
             "dbg"
-        ]
+        ],
+	"machines": [
+	    "rk3566"
+	]
     }
 }
diff --git a/.oelint-ruleset.json b/.oelint-ruleset.json
@@ -139,7 +139,7 @@
   "oelint.var.licenseremotefile": "info",
   "oelint.vars.licensesdpx": "warning",
   "oelint.vars.licfileprefix": "warning",
-  "oelint.vars.mispell": "warning",
+  "oelint.vars.mispell": "info",
   "oelint.vars.multilineident": "warning",
   "oelint.vars.overrideappend": "warning",
   "oelint.vars.pbpusage": "error",

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -42,7 +42,7 @@ repos:
         args: ["--severity=warning"]
 
   - repo: https://github.com/priv-kweihmann/oelint-adv
-    rev: 5.7.2
+    rev: 6.7.1
     hooks:
       - id: oelint-adv
         args: [--rulefile=.oelint-ruleset.json, --hide=info, --quiet, --fix, --constantmods=+.oelint-custom-overrides.json]

diff --git a/kas/optee.yml b/kas/optee.yml
@@ -0,0 +1,10 @@
+---
+header:
+  version: 11
+
+distro: zarhus-distro-webkit
+
+repos:
+  meta-zarhus:
+    layers:
+      meta-zarhus-security:
diff --git a/meta-zarhus-bsp/meta-zarhus-bsp-rockchip/conf/machine/quartz64-a.conf b/meta-zarhus-bsp/meta-zarhus-bsp-rockchip/conf/machine/quartz64-a.conf
@@ -0,0 +1,18 @@
+#@TYPE: Machine
+#@NAME: Quartz64 Model A
+#@DESCRIPTION: The Quartz64 Model A is powered by a Rockchip RK3566 quad-core
+# ARM Cortex A55 64-Bit Processor with a Mali G-52 GPU. It comes equipped with
+# 2GB, 4GB or 8GB LPDDR4 system memory, and a 128Mb SPI boot flash.
+# https://pine64.org/devices/quartz64_model_a/
+
+require conf/machine/include/rk3566.inc
+
+KERNEL_DEVICETREE = "rockchip/rk3566-quartz64-a.dtb"
+MACHINE_EXTRA_RRECOMMENDS += "kernel-modules"
+
+UBOOT_MACHINE = "quartz64-a-rk3566_defconfig"
+
+REFFERED_PROVIDER_optee-os = "zarhus-security"
+PREFFERED_PROVIDER_optee-ta-devkit = "zarhus-security"
+PREFFERED_PROVIDER_optee-test = "zarhus-security"
+PREFFERED_PROVIDER_optee-client = "zarhus-security"
diff --git a/meta-zarhus-bsp/meta-zarhus-bsp-rockchip/recipes-kernel/linux/linux-yocto/quartz64a.cfg b/meta-zarhus-bsp/meta-zarhus-bsp-rockchip/recipes-kernel/linux/linux-yocto/quartz64a.cfg
@@ -0,0 +1,92 @@
+CONFIG_MDIO=y
+CONFIG_IAVF=y
+CONFIG_I40EVF=y
+CONFIG_ICE=y
+CONFIG_ICE_SWITCHDEV=y
+CONFIG_FM10K=y
+CONFIG_IGC=y
+CONFIG_NET_VENDOR_WANGXUN=y
+CONFIG_NET_VENDOR_ADI=y
+CONFIG_NET_VENDOR_PACKET_ENGINES=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+CONFIG_R8169=y
+# CONFIG_NET_VENDOR_RENESAS is not set
+# CONFIG_NET_VENDOR_ROCKER is not set
+# CONFIG_NET_VENDOR_SAMSUNG is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
+# CONFIG_NET_VENDOR_SILAN is not set
+# CONFIG_NET_VENDOR_SIS is not set
+# CONFIG_NET_VENDOR_SOLARFLARE is not set
+# CONFIG_NET_VENDOR_SMSC is not set
+# CONFIG_NET_VENDOR_SOCIONEXT is not set
+CONFIG_NET_VENDOR_STMICRO=y
+CONFIG_STMMAC_ETH=y
+# CONFIG_STMMAC_SELFTESTS is not set
+CONFIG_STMMAC_PLATFORM=y
+CONFIG_DWMAC_DWC_QOS_ETH=y
+CONFIG_DWMAC_GENERIC=y
+CONFIG_DWMAC_ROCKCHIP=y
+# CONFIG_DWMAC_INTEL_PLAT is not set
+# CONFIG_DWMAC_LOONGSON is not set
+# CONFIG_STMMAC_PCI is not set
+# CONFIG_NET_VENDOR_SUN is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+# CONFIG_DWC_XLGMAC is not set
+# CONFIG_NET_VENDOR_TEHUTI is not set
+# CONFIG_NET_VENDOR_TI is not set
+# CONFIG_NET_VENDOR_VERTEXCOM is not set
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_NET_VENDOR_WIZNET is not set
+# CONFIG_NET_VENDOR_XILINX is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+CONFIG_PHYLINK=y
+CONFIG_PHYLIB=y
+CONFIG_SWPHY=y
+# CONFIG_LED_TRIGGER_PHY is not set
+CONFIG_FIXED_PHY=y
+# CONFIG_SFP is not set
+
+#
+# MII PHY device drivers
+#
+# CONFIG_AMD_PHY is not set
+# CONFIG_ADIN_PHY is not set
+# CONFIG_ADIN1100_PHY is not set
+CONFIG_AQUANTIA_PHY=y
+CONFIG_AX88796B_PHY=m
+CONFIG_BROADCOM_PHY=m
+CONFIG_BCM54140_PHY=m
+CONFIG_BCM7XXX_PHY=m
+# CONFIG_BCM84881_PHY is not set
+# CONFIG_BCM87XX_PHY is not set
+CONFIG_BCM_NET_PHYLIB=m
+# CONFIG_CICADA_PHY is not set
+# CONFIG_CORTINA_PHY is not set
+# CONFIG_DAVICOM_PHY is not set
+# CONFIG_ICPLUS_PHY is not set
+# CONFIG_LXT_PHY is not set
+# CONFIG_INTEL_XWAY_PHY is not set
+# CONFIG_LSI_ET1011C_PHY is not set
+CONFIG_MARVELL_PHY=m
+CONFIG_MARVELL_10G_PHY=m
+# CONFIG_MARVELL_88X2222_PHY is not set
+# CONFIG_MAXLINEAR_GPHY is not set
+# CONFIG_MEDIATEK_GE_PHY is not set
+CONFIG_MICREL_PHY=y
+CONFIG_MICROCHIP_PHY=m
+# CONFIG_MICROCHIP_T1_PHY is not set
+CONFIG_MICROSEMI_PHY=y
+CONFIG_MOTORCOMM_PHY=y
+# CONFIG_NATIONAL_PHY is not set
+# CONFIG_NXP_C45_TJA11XX_PHY is not set
+# CONFIG_NXP_TJA11XX_PHY is not set
+CONFIG_AT803X_PHY=y
+# CONFIG_QSEMI_PHY is not set
+CONFIG_REALTEK_PHY=y
+# CONFIG_RENESAS_PHY is not set
+CONFIG_ROCKCHIP_PHY=y
+CONFIG_SMSC_PHY=m
diff --git a/meta-zarhus-bsp/meta-zarhus-bsp-rockchip/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-zarhus-bsp/meta-zarhus-bsp-rockchip/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -15,6 +15,9 @@ SRC_URI:append = " \
     file://disable-nfs.cfg \
     file://enable-cmdline-bool.cfg \
     file://enable-debug-stackoverflow.cfg \
+    file://0001-rk356x.dtsi-reserve-optee-memory.patch \
+    file://0001-rk356x.dtsi-add-optee-firmware-entry.patch \
+    file://quartz64a.cfg \
 "
 
 SRC_URI:append = " \
@@ -29,3 +32,4 @@ do_configure:append() {
 }
 
 COMPATIBLE_MACHINE:orangepi-cm4 = "orangepi-cm4"
+COMPATIBLE_MACHINE:quartz64-a = "quartz64-a"
diff --git a/meta-zarhus-distro/conf/distro/zarhus-distro-optee.conf b/meta-zarhus-distro/conf/distro/zarhus-distro-optee.conf
@@ -0,0 +1,4 @@
+require conf/distro/include/zarhus-distro-common.conf
+
+DISTRO = "zarhus-distro-optee"
+DISTRO_NAME = "Distro for Zarhus product with OPTEE and ARM TrustZone support"
diff --git a/meta-zarhus-security/README.md b/meta-zarhus-security/README.md
@@ -0,0 +1,3 @@
+# meta-zarhus-security
+
+This layer adds security features to your Zarhus image.
diff --git a/meta-zarhus-security/conf/layer.conf b/meta-zarhus-security/conf/layer.conf
@@ -0,0 +1,20 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "zarhus-security"
+BBFILE_PATTERN_zarhus-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_zarhus-security = "1"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_zarhus-security = "1"
+
+LAYERDEPENDS_zarhus-security = " \
+    core \
+    openembedded-layer \
+    "
+
+LAYERSERIES_COMPAT_zarhus-security = "scarthgap master"
diff --git a/meta-zarhus-security/recipes-bsp/rockchip-rkbin/files/optee.ld b/meta-zarhus-security/recipes-bsp/rockchip-rkbin/files/optee.ld
@@ -0,0 +1,9 @@
+ENTRY(_binary_tee_rk3566_bin_start);
+
+SECTIONS
+{
+        . = 0x08400000;
+        .data : {
+                *(.data)
+        }
+}
diff --git a/meta-zarhus-security/recipes-bsp/rockchip-rkbin/rockchip-rkbin-rk3566.inc b/meta-zarhus-security/recipes-bsp/rockchip-rkbin/rockchip-rkbin-rk3566.inc
@@ -0,0 +1,56 @@
+# Add trusted binaries for rk3566:
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+COMPATIBLE_MACHINE = "rk3566"
+
+DEPENDS:append = " openssl-native rk-tee-user-native binutils-cross-aarch64"
+
+SRC_URI:append = " file://optee.ld"
+
+# Without this line build will fail with following error:
+#
+# ERROR: Multiple .bb files are due to be built which each provide optee-os
+#   /work/meta-rockchip/recipes-bsp/rkbin/rockchip-rkbin_git.bb
+#   /work/meta-arm/meta-arm/recipes-security/optee/optee-os_4.1.0.bb
+#
+# This happens because both packages provide OPTEE OS, but only Rockchip binary
+# of OPTEE OS from rockchip-rkbin is being used in here. Even if optee-os
+# package is not included into build explicitly it is being pulled in by
+# optee-os-ta or optee-os-tadevkit, hence causing this error.
+# One of the ways to solve this is to make an imge to depend not on optee-os but
+# directly on rockchip-rkbin, and remove optee-os from rockchip-rkbin:
+PROVIDES:remove = "optee-os"
+
+KEYS_DIRECTORY="${DEPLOY_DIR_IMAGE}/keys"
+
+do_prepare_elf() {
+        install -d ${KEYS_DIRECTORY}
+        # Generate key:
+        openssl genrsa -out ${KEYS_DIRECTORY}/rsa2048.pem 2048
+        openssl rsa -in ${KEYS_DIRECTORY}/rsa2048.pem -pubout -out ${KEYS_DIRECTORY}/rsa2048_pub.pem
+
+        # Embed key into OPTEE OS binary:
+        install ${S}/bin/rk35/rk3568_bl32_v*.bin ${WORKDIR}/
+        change_puk --teebin ${WORKDIR}/rk3568_bl32_v*.bin --key ${KEYS_DIRECTORY}/rsa2048_pub.pem
+
+        # Create final .elf file:
+        cp ${WORKDIR}/rk3568_bl32_v*.bin ${WORKDIR}/tee-rk3566.bin
+        aarch64-zarhus-linux-objcopy -B aarch64 -I binary -O elf64-littleaarch64 ${WORKDIR}/tee-rk3566.bin ${WORKDIR}/tee-rk3566.o
+        # The 0x08400000 is from here:
+        # https://github.com/rockchip-linux/rkbin/blob/0f8ac860f0479da56a1decae207ddc99e289f2e2/RKTRUST/RK3566TRUST_ULTRA.ini#L13
+        aarch64-zarhus-linux-ld --entry=0x08400000 ${WORKDIR}/tee-rk3566.o -T ${WORKDIR}/optee.ld -o ${WORKDIR}/tee-rk3566.elf
+}
+
+# do_prepare_elf depends on rkbin repository (from do_unpack) and some tools
+# from do_prepare_recipe_sysroot. do_configure depends on both of these tasks,
+# so do_prepare_elf can depend on it:
+addtask do_prepare_elf before do_deploy after do_configure
+
+do_deploy:rk3566() {
+        # Prebuilt TF-A
+        install -m 644 ${S}/bin/rk35/rk3568_bl31_v*.elf ${DEPLOYDIR}/bl31-rk3566.elf
+        # Prebuilt OPTEE-OS
+        install -m 644 ${WORKDIR}/tee-rk3566.elf ${DEPLOYDIR}/
+        # Prebuilt U-Boot TPL (DDR init)
+        install -m 644 ${S}/bin/rk35/rk3566_ddr_1056MHz_v1.18.bin ${DEPLOYDIR}/ddr-rk3566.bin
+}
diff --git a/meta-zarhus-security/recipes-bsp/rockchip-rkbin/rockchip-rkbin_%.bbappend b/meta-zarhus-security/recipes-bsp/rockchip-rkbin/rockchip-rkbin_%.bbappend
@@ -0,0 +1,3 @@
+MACHINE_REQUIRE:rk3566 = "rockchip-rkbin-rk3566.inc"
+
+require ${MACHINE_REQUIRE}
diff --git a/meta-zarhus-security/recipes-bsp/u-boot/u-boot/enable-optee.cfg b/meta-zarhus-security/recipes-bsp/u-boot/u-boot/enable-optee.cfg
@@ -0,0 +1,23 @@
+# Compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110
+CONFIG_GCC_VERSION=100201
+# CONFIG_SCP03 is not set
+# CONFIG_SPL_OPTEE_IMAGE=y
+# CONFIG_CMD_OPTEE_RPMB is not set
+CONFIG_TEE=y
+
+#
+# TEE drivers
+#
+CONFIG_OPTEE=y
+
+#
+# OP-TEE options
+#
+CONFIG_OPTEE_TA_AVB=y
+CONFIG_OPTEE_TA_SCP03=y
+CONFIG_OPTEE_SERVICE_DISCOVERY=y
+CONFIG_CHIMP_OPTEE=y
+# CONFIG_EFI_MM_COMM_TEE is not set
+CONFIG_OPTEE_LIB=y
+CONFIG_OPTEE_IMAGE=y
+CONFIG_OPTEE_TZDRAM_SIZE=0x1100000
diff --git a/meta-zarhus-security/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-zarhus-security/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+# rockchip-rkbin provides OPTEE OS tee-rk3566.elf:
+DEPENDS += " rockchip-rkbin"
+
+SRC_URI += " \
+    file://enable-optee.cfg \
+    file://optee.dtsi \
+"
+
+EXTRA_OEMAKE:append:rk3566 = " \
+    BL31=${DEPLOY_DIR_IMAGE}/bl31-rk3566.elf \
+    ROCKCHIP_TPL=${DEPLOY_DIR_IMAGE}/ddr-rk3566.bin \
+    TEE=${DEPLOY_DIR_IMAGE}/tee-rk3566.elf \
+"
+
+do_configure:prepend() {
+    install -m 644 "${WORKDIR}/optee.dtsi" "${S}/arch/arm/dts"
+}
diff --git a/meta-zarhus-security/recipes-devtools/rk-tee-user-native/rk-tee-user-native_1.2.4a.bb b/meta-zarhus-security/recipes-devtools/rk-tee-user-native/rk-tee-user-native_1.2.4a.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Rockchip Firmware and Tool Binaries"
+HOMEPAGE = "https://gitlab.com/firefly-linux/external/security/rk_tee_user"
+# No license provided, assuming closed:
+LICENSE = "CLOSED"
+LIC_FILES_CHKSUM = ""
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/rk-tee-user:"
+
+# The change_puk binary was downloaded from
+# https://gitlab.com/firefly-linux/external/security/rk_tee_user, from commit
+# 15d87232f3418b49b5b706f4a655d1d2dc384bdf. It cannot be compiled manually,
+# because Rockchip does not share source code, and there is no other way to
+# replace keys inside Rockchip OPTEE OS binary.
+SRC_URI = "file://change_puk"
+
+inherit_defer native
+
+do_install() {
+        install -d ${D}${bindir}
+        install -m 0755 ${WORKDIR}/change_puk ${D}${bindir}
+}
diff --git a/meta-zarhus-security/recipes-devtools/rk-tee-user-native/rk-tee-user/change_puk b/meta-zarhus-security/recipes-devtools/rk-tee-user-native/rk-tee-user/change_puk
diff --git a/meta-zarhus-security/recipes-kernel/linux/linux-yocto/optee.dtsi b/meta-zarhus-security/recipes-kernel/linux/linux-yocto/optee.dtsi
@@ -0,0 +1,28 @@
+/ {
+	compatible = "rockchip,rk3566";
+
+	reserved-memory {
+		#address-cells = <2>;
+		#size-cells = <2>;
+		ranges;
+
+		// Memory for OP-TEE OS use only:
+		optee_tzdram: optee-tzdram@8400000 {
+                       reg = <0x0 0x08400000 0x0 0x00E00000>;
+                       no-map;
+		};
+
+		// Memory shared between TEE and REE:
+		optee_shmem: optee-shmem@9400000 {
+                       reg = <0x0 0x09200000 0x0 0x00200000>;
+		};
+	};
+
+	firmware {
+		optee: optee {
+			compatible = "linaro,optee-tz";
+			method = "smc";
+			shm = <&optee_shmem>;
+		};
+	};
+};
diff --git a/meta-zarhus-security/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-zarhus-security/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+    file://optee.dtsi \
+"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# meta-zarhus-security

		This layer adds security features to your Zarhus image.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		MACHINE_REQUIRE:rk3566 = "rockchip-rkbin-rk3566.inc"

		require ${MACHINE_REQUIRE}