added my Recipes

meta-st/meta-st-openstlinux/recipes-security/optee/optee-client/create-tee-supplicant-env

@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Create a systemd environment file for tee-supplicant
+# $1 is the path to the file to be generated.
+# At the moment this figures out the --rpmb-cid parameter to be given to
+# tee-supplicant, indicating which eMMC device OP-TEE should use for RPMB
+# storage.
+# No file is generated if no device is found (not an error) or if multiple
+# eMMCs are found (which is an error).
+
+[ "$1" ] || { echo Usage: $0 FILE >&2; exit 1; }
+
+for f in /sys/class/mmc_host/mmc*/mmc*\:*/raw_rpmb_size_mult; do
+  [ "$CID" ] && { echo $0: Multiple eMMC devices found, not chosing one automatically >&2; exit 2; }
+  # POSIX shells don't expand globbing patterns that match no file
+  [ -e $f ] || exit 0
+  SYS_MMC_PATH=$(dirname $f)
+  CID=$(cat $SYS_MMC_PATH/cid)
+done
+[ "$CID" ] && echo RPMB_CID="--rpmb-cid $CID" >$1

meta-st/meta-st-openstlinux/recipes-security/optee/optee-client/optee-udev.rules

@@ -0,0 +1,2 @@
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee.device"
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", TAG+="systemd", ENV{SYSTEMD_WANTS}+="teepriv.device"

meta-st/meta-st-openstlinux/recipes-security/optee/optee-client/tee-supplicant.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=TEE Supplicant
+Wants=dev-tee0.device
+After=dev-tee0.device
+After=systemd-udevd.service
+
+[Service]
+User=tee
+Group=tee
+EnvironmentFile=-/etc/default/tee-supplicant
+ExecStartPre=/usr/sbin/create-tee-supplicant-env /tmp/tee-supplicant.env
+EnvironmentFile=-/tmp/tee-supplicant.env
+ExecStart=/usr/sbin/tee-supplicant $RPMB_CID $OPTARGS
+
+[Install]
+WantedBy=basic.target

meta-st/meta-st-openstlinux/recipes-security/optee/optee-client_3.19.bb

@@ -0,0 +1,58 @@
+SUMMARY = "OPTEE Client"
+HOMEPAGE = "https://github.com/OP-TEE/optee_client"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+inherit python3native systemd cmake pkgconfig
+
+SRC_URI = "git://github.com/OP-TEE/optee_client.git;protocol=https;branch=master \
+           file://tee-supplicant.service \
+           file://create-tee-supplicant-env \
+           file://optee-udev.rules \
+    "
+
+SRCREV = "140bf463046071d3ca5ebbde3fb21ee0854e1951"
+
+PV = "3.19.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS += "util-linux-libuuid"
+
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+
+EXTRA_OECMAKE = " \
+    -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+    -DCFG_WERROR=OFF \
+    -DCFG_TEE_CLIENT_LOG_LEVEL=2 \
+    -DCFG_TEE_CLIENT_LOG_FILE='/data/tee/teec.log' \
+    -DBUILD_SHARED_LIBS=ON \
+    -DRPMB_EMU=0 \
+    "
+
+do_install:append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        sed -i -e s:/etc:${sysconfdir}:g \
+            -e s:/usr/bin:${bindir}:g \
+            ${WORKDIR}/tee-supplicant.service
+
+        install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+        install -D -p -m0755 ${WORKDIR}/create-tee-supplicant-env ${D}${sbindir}/
+    fi
+    install -d ${D}${sysconfdir}/udev/rules.d
+    install -m 0644 ${WORKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules
+    install -d -m770 -o root -g tee ${D}${localstatedir}/lib/tee
+}
+FILES:${PN} += "${sysconfdir} ${localstatedir}"
+
+inherit useradd
+
+USERADD_PACKAGES = "${PN}"
+# Create groups 'tee' and 'teeclnt'. Permissions are set elsewhere on
+# /dev/teepriv0 and /dev/tee0 so that tee-supplicant should run as a user that
+# is a member of the 'tee' group, and TEE client applications should runs as a
+# user that is a member of the 'teeclnt' group.
+GROUPADD_PARAM:${PN} = "--system tee; --system teeclnt"
+# Create user 'tee' member of group 'tee' to run tee-supplicant
+USERADD_PARAM:${PN} = "--system -d / -M -s /bin/nologin -c 'User for tee-supplicant' -g tee tee"

meta-st/meta-st-openstlinux/recipes-security/optee/optee-examples_3.19.bb

@@ -0,0 +1,50 @@
+SUMMARY = "OP-TEE examples"
+HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
+
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
+
+DEPENDS = "optee-client virtual/optee-os python3-pycryptodomex-native"
+DEPENDS += "python3-cryptography-native"
+
+inherit python3native
+
+SRC_URI = "git://github.com/linaro-swg/optee_examples.git;branch=master;protocol=https"
+SRCREV = "f301ee9df2129c0db683e726c91dc2cefe4cdb65"
+
+PV = "3.19.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+                 OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
+                 TEEC_EXPORT=${TEEC_EXPORT} \
+                 HOST_CROSS_COMPILE=${TARGET_PREFIX} \
+                 TA_CROSS_COMPILE=${TARGET_PREFIX} \
+                 V=1 \
+               "
+
+do_compile() {
+    export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
+    export OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules/
+    oe_runmake
+}
+
+do_install () {
+    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
+    mkdir -p ${D}${bindir}
+    install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
+    install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+}
+
+# Avoid QA Issue: No GNU_HASH in the elf binary
+INSANE_SKIP:${PN} += "ldflags"
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/"
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"

meta-st/meta-st-openstlinux/recipes-security/optee/optee-stm32mp-addons_3.16.0.bb

@@ -0,0 +1,57 @@
+SUMMARY = "OP-TEE STM32MP examples"
+HOMEPAGE = "www.st.com"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
+
+SRC_URI = "git://github.com/STMicroelectronics/optee-stm32mp-addons;protocol=https;branch=main"
+SRCREV = "3c3cb0ed91055d3ea23864264fa71bcc6151af56"
+
+PV = "3.16.0.${SRCPV}"
+
+DEPENDS = "optee-client virtual/optee-os python3-pycryptodomex-native"
+DEPENDS += "python3-cryptography-native"
+DEPENDS += "openssl"
+
+inherit python3native systemd
+
+S = "${WORKDIR}/git"
+
+EXTRA_OEMAKE += " \
+    TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta \
+    OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+    HOST_CROSS_COMPILE=${TARGET_PREFIX} \
+    TA_CROSS_COMPILE=${TARGET_PREFIX} \
+"
+
+do_compile:prepend() {
+    export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
+    export OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules/
+}
+
+do_install() {
+    if [ -d "${S}/out/ca" ]; then
+        if [ $(find ${S}/out/ca -type f| wc -l) -gt 0 ]; then
+            install -d ${D}${bindir}
+            install -D -p -m 0755 ${S}/out/ca/* ${D}${bindir}
+        fi
+    fi
+
+    if [ -d "${S}/out/ta" ]; then
+        if [ $(find ${S}/out/ta -type f| wc -l) -gt 0 ]; then
+            install -d ${D}${nonarch_base_libdir}/optee_armtz
+            install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+        fi
+    fi
+
+    if [ -d "${S}/out/scripts" ]; then
+        if [ $(find ${S}/out/scripts -type f| wc -l) -gt 0 ]; then
+            install -d ${D}${systemd_system_unitdir}
+            install -D -p -m0644 ${S}/out/scripts/* ${D}${systemd_system_unitdir}/
+        fi
+    fi
+}
+
+# for Feature calibration
+SYSTEMD_SERVICE:${PN} = "stm32mp-calibration.service stm32mp-calibration.timer"
+
+FILES:${PN} += "${systemd_system_unitdir} ${nonarch_base_libdir}"

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test.inc

@@ -0,0 +1,49 @@
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+DEPENDS = "optee-client virtual/optee-os python3-pycryptodomex-native libgcc"
+DEPENDS += "openssl"
+DEPENDS += "python3-cryptography-native"
+
+inherit python3native cmake
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT         = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR      = "${STAGING_INCDIR}/optee/export-user_ta"
+TEE_PLUGIN_LOAD_PATH = "${libdir}/tee-supplicant/plugins"
+
+EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+                 OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
+                 TEEC_EXPORT=${TEEC_EXPORT} \
+                 CROSS_COMPILE_HOST=${TARGET_PREFIX} \
+                 CROSS_COMPILE_TA=${TARGET_PREFIX} \
+                 V=1 \
+                 CFG_TEE_CLIENT_LOAD_PATH=${libdir} \
+                 CFG_TEE_PLUGIN_LOAD_PATH=${TEE_PLUGIN_LOAD_PATH} \
+                 DESTDIR=${D} \
+               "
+EXTRA_OECMAKE = "-DOPTEE_TEST_SDK=${TA_DEV_KIT_DIR} \
+                 -DCFG_TEE_CLIENT_LOAD_PATH=${libdir} \
+                 -DCFG_TEE_PLUGIN_LOAD_PATH=${TEE_PLUGIN_LOAD_PATH} \
+                 "
+
+do_compile:prepend() {
+    export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
+    export OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules/
+}
+
+do_compile:append() {
+    cd ${S}
+    oe_runmake ta
+}
+
+do_install:append () {
+    # install path should match the value set in optee-client/tee-supplicant
+    # default TEEC_LOAD_PATH is /lib
+    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m0444 ${S}/out/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ ${libdir}"
+FILES:${PN} += "${TEE_PLUGIN_LOAD_PATH}/"
+INSANE_SKIP:${PN} += "host-user-contaminated"

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test/0001-no-error-deprecated-declarations.patch

@@ -0,0 +1,25 @@
+From 313e4dd8c7d74d951726f02cf9cd72ede11f9190 Mon Sep 17 00:00:00 2001
+From: Christophe Priouzeau <christophe.priouzeau@st.com>
+Date: Mon, 2 May 2022 14:57:57 +0200
+Subject: [PATCH] no-error=deprecated-declarations
+
+Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
+---
+ CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6b91f23..795b487 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -21,6 +21,7 @@ add_compile_options (
+ 	-Wwrite-strings -Werror -fPIC
+  	-Wno-missing-field-initializers
+ 	-Wno-unused-parameter
++        -Wno-error=deprecated-declarations
+ )
+ 
+ find_program(CCACHE_FOUND ccache)
+-- 
+2.17.1
+

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test/0002-ta-os_test-skip-bget-test-when-pager-is-constrained-.patch

@@ -0,0 +1,83 @@
+From 24fcf0eee546a99658ed050b9c103d025f3ae38a Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@linaro.org>
+Date: Tue, 7 Mar 2023 17:44:00 +0100
+Subject: [PATCH 1/2] ta: os_test: skip bget test when pager is constrained
+ (regression 1006)
+
+Skips BGET test when OP-TEE embeds pager with a relatively small page
+pool unless what test can be very slow. The reason is that freed
+buffers have their content wiped and BGET test allocates quite a few
+very big (MByte) paged buffers which content is long to clear when
+operating with the pager.
+
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+---
+ ta/os_test/os_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/ta/os_test/os_test.c b/ta/os_test/os_test.c
+index b95c0a1..134ad22 100644
+--- a/ta/os_test/os_test.c
++++ b/ta/os_test/os_test.c
+@@ -19,6 +19,14 @@
+ #include "test_float_subj.h"
+ #include "os_test_lib.h"
+ 
++#define STATS_UUID \
++	{ 0xd96a5b40, 0xe2c7, 0xb1af, \
++		{ 0x87, 0x94, 0x10, 0x02, 0xa5, 0xd5, 0xc6, 0x1b } }
++
++#define STATS_CMD_PAGER_STATS		0
++
++#define PAGER_PAGE_COUNT_THRESHOLD	((128 * 1024) / 4096)
++
+ enum p_type {
+ 	P_TYPE_BOOL,
+ 	P_TYPE_INT,
+@@ -735,8 +743,42 @@ static void free_wrapper(void *ptr __unused)
+ {
+ }
+ 
++static bool optee_pager_with_small_pool(void)
++{
++	uint32_t ptypes = TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_OUTPUT,
++					  TEE_PARAM_TYPE_VALUE_OUTPUT,
++					  TEE_PARAM_TYPE_VALUE_OUTPUT,
++					  TEE_PARAM_TYPE_NONE);
++	static const TEE_UUID uuid = STATS_UUID;
++	TEE_TASessionHandle sess = TEE_HANDLE_NULL;
++	TEE_Result res = TEE_ERROR_GENERIC;
++	TEE_Param params[4] = { };
++	uint32_t eo = 0;
++	bool rc = false;
++
++	res = TEE_OpenTASession(&uuid, TEE_TIMEOUT_INFINITE, 0, NULL, &sess,
++				&eo);
++	if (res)
++		return false;
++
++	res = TEE_InvokeTACommand(sess, 0, STATS_CMD_PAGER_STATS,
++				  ptypes, params, &eo);
++	if (res == TEE_SUCCESS &&
++	    params[0].value.b && params[0].value.b <= PAGER_PAGE_COUNT_THRESHOLD)
++		rc = true;
++
++	TEE_CloseTASession(sess);
++
++	return rc;
++}
++
+ static TEE_Result test_bget(void)
+ {
++	if (optee_pager_with_small_pool()) {
++		IMSG("Skip testing bget due to pager pool constraints");
++		return TEE_SUCCESS;
++	}
++
+ 	DMSG("Testing bget");
+ 	if (bget_main_test(malloc_wrapper, free_wrapper)) {
+ 		EMSG("bget_main_test failed");
+-- 
+2.25.1
+

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test/0003-regression-1013-lower-number-of-loops-when-pager-is-.patch

@@ -0,0 +1,93 @@
+From c0a61722df36bb0d6d3bc7c7f81f18487566bd23 Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@linaro.org>
+Date: Tue, 7 Mar 2023 17:47:42 +0100
+Subject: [PATCH 2/2] regression 1013: lower number of loops when pager is
+ constrained
+
+Decreases the number of loops tested in regression_1013 when test
+level is 0 and OP-TEE embeds pager with a relatively small page pool
+unless what the test can be very slow.
+
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+---
+ host/xtest/regression_1000.c | 49 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/host/xtest/regression_1000.c b/host/xtest/regression_1000.c
+index 8570949..f40bf7b 100644
+--- a/host/xtest/regression_1000.c
++++ b/host/xtest/regression_1000.c
+@@ -50,6 +50,14 @@
+ #define MIN(a, b) ((a) < (b) ? (a) : (b))
+ #endif
+ 
++#define STATS_UUID \
++	{ 0xd96a5b40, 0xe2c7, 0xb1af, \
++		{ 0x87, 0x94, 0x10, 0x02, 0xa5, 0xd5, 0xc6, 0x1b } }
++
++#define STATS_CMD_PAGER_STATS		0
++
++#define PAGER_PAGE_COUNT_THRESHOLD	((128 * 1024) / 4096)
++
+ struct xtest_crypto_session {
+ 	ADBG_Case_t *c;
+ 	TEEC_Session *session;
+@@ -58,6 +66,43 @@ struct xtest_crypto_session {
+ 	uint32_t cmd_id_aes256ecb_decrypt;
+ };
+ 
++static bool optee_pager_with_small_pool(void)
++{
++	TEEC_Result res = TEEC_ERROR_GENERIC;
++	TEEC_UUID uuid = STATS_UUID;
++	TEEC_Context ctx = { };
++	TEEC_Session sess = { };
++	TEEC_Operation op = { };
++	uint32_t eo = 0;
++	bool rc = false;
++
++	res = TEEC_InitializeContext(NULL, &ctx);
++	if (res)
++		return false;
++
++	res = TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL,
++			       NULL, &eo);
++	if (res)
++		goto out_ctx;
++
++	op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_OUTPUT, TEEC_VALUE_OUTPUT,
++					 TEEC_VALUE_OUTPUT, TEEC_NONE);
++	res = TEEC_InvokeCommand(&sess, STATS_CMD_PAGER_STATS, &op, &eo);
++	if (res)
++		goto out_sess;
++
++	if (op.params[0].value.b &&
++	    op.params[0].value.b <= PAGER_PAGE_COUNT_THRESHOLD)
++		rc = true;
++
++out_sess:
++	TEEC_CloseSession(&sess);
++out_ctx:
++	TEEC_FinalizeContext(&ctx);
++
++	return rc;
++}
++
+ static void xtest_crypto_test(struct xtest_crypto_session *cs)
+ {
+ 	uint32_t ret_orig = 0;
+@@ -1125,6 +1170,10 @@ static void xtest_tee_test_1013_single(ADBG_Case_t *c, double *mean_concurrency,
+ 	pthread_t thr[NUM_THREADS] = { };
+ 	bool skip = false;
+ 
++	/* Decrease number of loops when pager has a small page pool */
++	if (level == 0 && optee_pager_with_small_pool())
++		repeat = 250;
++
+ 	Do_ADBG_BeginSubCase(c, "Busy loop repeat %zu", repeat * 10);
+ 	*mean_concurrency = 0;
+ 
+-- 
+2.25.1
+

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test/0004-ta-crypt-remove-CFG_SYSTEM_PTA-ifdef.patch

@@ -0,0 +1,53 @@
+From 96a4d8a63b1b75a3fee92f5d10566437d8b2acd5 Mon Sep 17 00:00:00 2001
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Tue, 6 Dec 2022 12:38:59 +0100
+Subject: [PATCH 1/3] ta/crypt: remove CFG_SYSTEM_PTA ifdef
+
+Removes the CFG_SYSTEM_PTA ifdef, the TA returns a useful error code
+,TEE_ERROR_ITEM_NOT_FOUND, if the System PTA isn't available.
+
+Change-Id: I1824056210bf27ce52c21d3d547cffea8754213c
+Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+[etienne: picked from d09b2ea799c7e8c7a843d5e3b59854be364087f5]
+Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
+---
+ ta/crypt/sub.mk     | 2 +-
+ ta/crypt/ta_entry.c | 2 --
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/ta/crypt/sub.mk b/ta/crypt/sub.mk
+index 187cbfb..6e4debf 100644
+--- a/ta/crypt/sub.mk
++++ b/ta/crypt/sub.mk
+@@ -5,7 +5,7 @@ srcs-y += cryp_taf.c
+ srcs-y += derive_key_taf.c
+ srcs-y += sha2_impl.c
+ srcs-y += sha2_taf.c
+-srcs-$(CFG_SYSTEM_PTA) += seed_rng_taf.c
++srcs-y += seed_rng_taf.c
+ srcs-y += ta_entry.c
+ srcs-$(CFG_TA_MBEDTLS) += mbedtls_taf.c
+ srcs-y += arith_taf.c
+diff --git a/ta/crypt/ta_entry.c b/ta/crypt/ta_entry.c
+index 17612a1..769ae1f 100644
+--- a/ta/crypt/ta_entry.c
++++ b/ta/crypt/ta_entry.c
+@@ -210,14 +210,12 @@ TEE_Result TA_InvokeCommandEntryPoint(void *pSessionContext,
+ 	case TA_CRYPT_CMD_MBEDTLS_SIGN_CERT:
+ 		return ta_entry_mbedtls_sign_cert(nParamTypes, pParams);
+ #endif
+-#ifdef CFG_SYSTEM_PTA
+ 	case TA_CRYPT_CMD_SEED_RNG_POOL:
+ 		return seed_rng_pool(nParamTypes, pParams);
+ 	case TA_CRYPT_CMD_DERIVE_TA_UNIQUE_KEY:
+ 		return derive_ta_unique_key_test(nParamTypes, pParams);
+ 	case TA_CRYPT_CMD_DERIVE_TA_UNIQUE_KEY_SHM:
+ 		return derive_ta_unique_key_test_shm(nParamTypes, pParams);
+-#endif
+ 	case TA_CRYPT_CMD_ARITH_NEW_VAR:
+ 		return ta_entry_arith_new_var(nParamTypes, pParams);
+ 	case TA_CRYPT_CMD_ARITH_NEW_FMM_CTX:
+-- 
+2.25.1
+

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test/0005-regression-4012-4016-remove-CFG_SYSTEM_PTA-dependenc.patch

@@ -0,0 +1,102 @@
+From 6c4f4d9aa1eb80742333e09e1ed294319555f824 Mon Sep 17 00:00:00 2001
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Fri, 2 Dec 2022 20:56:49 +0100
+Subject: [PATCH 2/3] regression 4012-4016: remove CFG_SYSTEM_PTA dependency
+
+The regression cases 4012-4016 indicates an unnecessary build-time
+dependency on CFG_SYSTEM_PTA. So remove the ifdef.
+
+The affected test cases (4012 and 4013) instead skip these tests if it
+turns out that the system PTA isn't available.
+
+Change-Id: I5e5ddf150dd9154508d525cda1491cdf33a7c87b
+Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+[etienne: picked from c44350d720cbec1c9eb29ba983f7b81b810297bc]
+Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
+---
+ host/xtest/regression_4000.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/host/xtest/regression_4000.c b/host/xtest/regression_4000.c
+index c840d78..3db6250 100644
+--- a/host/xtest/regression_4000.c
++++ b/host/xtest/regression_4000.c
+@@ -5260,9 +5260,9 @@ out:
+ ADBG_CASE_DEFINE(regression, 4011, xtest_tee_test_4011,
+ 		"Test TEE Internal API Bleichenbacher attack (negative)");
+ 
+-#ifdef CFG_SYSTEM_PTA
+ static void xtest_tee_test_4012(ADBG_Case_t *c)
+ {
++	TEEC_Result res = TEEC_SUCCESS;
+ 	TEEC_Session session = { };
+ 	uint32_t ret_orig = 0;
+ 	TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
+@@ -5290,11 +5290,15 @@ static void xtest_tee_test_4012(ADBG_Case_t *c)
+ 					&ret_orig)))
+ 		return;
+ 
+-	(void)ADBG_EXPECT_TEEC_SUCCESS(c,
+-				       TEEC_InvokeCommand(&session,
+-					TA_CRYPT_CMD_SEED_RNG_POOL,
+-					&op,
+-					&ret_orig));
++       res = TEEC_InvokeCommand(&session, TA_CRYPT_CMD_SEED_RNG_POOL,
++				&op, &ret_orig);
++	if (res == TEEC_ERROR_ITEM_NOT_FOUND &&
++	    ADBG_EXPECT_TEEC_ERROR_ORIGIN(c, ret_orig,
++					  TEEC_ORIGIN_TRUSTED_APP))
++		Do_ADBG_Log("System PTA not available, skipping test 4012");
++	else
++		ADBG_EXPECT_TEEC_SUCCESS(c, res);
++
+ 	TEEC_CloseSession(&session);
+ }
+ ADBG_CASE_DEFINE(regression, 4012, xtest_tee_test_4012,
+@@ -5302,6 +5306,7 @@ ADBG_CASE_DEFINE(regression, 4012, xtest_tee_test_4012,
+ 
+ static void xtest_tee_test_4013(ADBG_Case_t *c)
+ {
++	TEEC_Result res = TEEC_SUCCESS;
+ 	TEEC_Session session = { };
+ 	uint32_t ret_orig = 0;
+ 	TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
+@@ -5317,11 +5322,15 @@ static void xtest_tee_test_4013(ADBG_Case_t *c)
+ 						NULL, &ret_orig)))
+ 		return;
+ 
+-	(void)ADBG_EXPECT_TEEC_SUCCESS(c,
+-			TEEC_InvokeCommand(&session,
+-					  TA_CRYPT_CMD_DERIVE_TA_UNIQUE_KEY,
+-					  &op,
+-					  &ret_orig));
++	res = TEEC_InvokeCommand(&session, TA_CRYPT_CMD_DERIVE_TA_UNIQUE_KEY,
++				 &op, &ret_orig);
++	if (res == TEEC_ERROR_ITEM_NOT_FOUND &&
++	    ADBG_EXPECT_TEEC_ERROR_ORIGIN(c, ret_orig,
++					  TEEC_ORIGIN_TRUSTED_APP)) {
++		Do_ADBG_Log("System PTA not available, skipping test 4013");
++		goto out;
++	}
++	ADBG_EXPECT_TEEC_SUCCESS(c, res);
+ 
+ 	/* Negative test using non-secure memory */
+ 	memset(&op, 0, sizeof(op));
+@@ -5341,6 +5350,7 @@ static void xtest_tee_test_4013(ADBG_Case_t *c)
+ 					   &op,
+ 					   &ret_orig));
+ 
++out:
+ 	TEEC_CloseSession(&session);
+ }
+ ADBG_CASE_DEFINE(regression, 4013, xtest_tee_test_4013,
+@@ -5984,5 +5994,3 @@ out:
+ }
+ ADBG_CASE_DEFINE(regression, 4016_ed25519, xtest_tee_test_4016_ed25519,
+ 		 "Test TEE Internal API ED25519 sign/verify");
+-
+-#endif /*CFG_SYSTEM_PTA*/
+-- 
+2.25.1
+

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test/0006-xtest-remove-CFG_SECSTOR_TA_MGMT_PTA-dependency.patch

@@ -0,0 +1,75 @@
+From 0dd3aea147926812f1ae91a927507d4105ee33db Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@foss.st.com>
+Date: Fri, 31 Mar 2023 10:13:51 +0200
+Subject: [PATCH 3/3] xtest: remove CFG_SECSTOR_TA_MGMT_PTA dependency
+
+Embed TA install interface in xtest even if devkit says the secure
+storage TA management PTA service is not available. This change does not
+change xtest regression suite behavior and will alos return an
+error message if one uses --install-ta option while the effective
+embedded TEE does not provide this service.
+
+Change-Id: I853a68a151604ef3946e577fde828c77548ec1ff
+Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
+---
+ host/xtest/CMakeLists.txt | 2 +-
+ host/xtest/Makefile       | 2 --
+ host/xtest/xtest_main.c   | 4 ----
+ 3 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/host/xtest/CMakeLists.txt b/host/xtest/CMakeLists.txt
+index 320d336..39a512d 100644
+--- a/host/xtest/CMakeLists.txt
++++ b/host/xtest/CMakeLists.txt
+@@ -99,7 +99,7 @@ if (CFG_GP_SOCKETS)
+ 	)
+ endif()
+ 
+-if (CFG_SECSTOR_TA_MGMT_PTA)
++if (TRUE)
+ 	list (APPEND SRC install_ta.c)
+ endif()
+ 
+diff --git a/host/xtest/Makefile b/host/xtest/Makefile
+index af45f5e..146a715 100644
+--- a/host/xtest/Makefile
++++ b/host/xtest/Makefile
+@@ -87,9 +87,7 @@ ifeq ($(CFG_SECURE_PARTITION)-$(CFG_SPMC_TESTS),y-y)
+ srcs += ffa_spmc_1000.c
+ endif
+ 
+-ifeq ($(CFG_SECSTOR_TA_MGMT_PTA),y)
+ srcs += install_ta.c
+-endif
+ 
+ ifeq ($(CFG_SECURE_DATA_PATH),y)
+ srcs += sdp_basic.c
+diff --git a/host/xtest/xtest_main.c b/host/xtest/xtest_main.c
+index c61f4db..f297371 100644
+--- a/host/xtest/xtest_main.c
++++ b/host/xtest/xtest_main.c
+@@ -100,10 +100,8 @@ void usage(char *program)
+ 	printf("applets:\n");
+ 	printf("\t--sha-perf [opts]  SHA performance testing tool (-h for usage)\n");
+ 	printf("\t--aes-perf [opts]  AES performance testing tool (-h for usage)\n");
+-#ifdef CFG_SECSTOR_TA_MGMT_PTA
+ 	printf("\t--install-ta [directory or list of TAs]\n");
+ 	printf("\t                   Install TAs\n");
+-#endif
+ #ifdef CFG_SECURE_DATA_PATH
+ 	printf("\t--sdp-basic [opts] Basic Secure Data Path test setup ('-h' for usage)\n");
+ #endif
+@@ -156,10 +154,8 @@ int main(int argc, char *argv[])
+ 		return sha_perf_runner_cmd_parser(argc-1, &argv[1]);
+ 	else if (argc > 1 && !strcmp(argv[1], "--aes-perf"))
+ 		return aes_perf_runner_cmd_parser(argc-1, &argv[1]);
+-#ifdef CFG_SECSTOR_TA_MGMT_PTA
+ 	else if (argc > 1 && !strcmp(argv[1], "--install-ta"))
+ 		return install_ta_runner_cmd_parser(argc - 1, argv + 1);
+-#endif
+ #ifdef CFG_SECURE_DATA_PATH
+ 	else if (argc > 1 && !strcmp(argv[1], "--sdp-basic"))
+ 		return sdp_basic_runner_cmd_parser(argc-1, &argv[1]);
+-- 
+2.25.1
+

meta-st/meta-st-openstlinux/recipes-security/optee/optee-test_3.19.bb

@@ -0,0 +1,21 @@
+SUMMARY = "OP-TEE sanity testsuite"
+HOMEPAGE = "https://github.com/OP-TEE/optee_test"
+
+LICENSE = "BSD-2-Clause & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;protocol=https;branch=master"
+SRCREV = "ab9863cc187724e54c032b738c28bd6e9460a4db"
+
+SRC_URI += "file://0001-no-error-deprecated-declarations.patch"
+SRC_URI += "file://0002-ta-os_test-skip-bget-test-when-pager-is-constrained-.patch"
+SRC_URI += "file://0003-regression-1013-lower-number-of-loops-when-pager-is-.patch"
+SRC_URI += "file://0004-ta-crypt-remove-CFG_SYSTEM_PTA-ifdef.patch"
+SRC_URI += "file://0005-regression-4012-4016-remove-CFG_SYSTEM_PTA-dependenc.patch"
+SRC_URI += "file://0006-xtest-remove-CFG_SECSTOR_TA_MGMT_PTA-dependency.patch"
+
+PV = "3.19.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+require optee-test.inc

meta-st/meta-st-openstlinux/recipes-security/packagegroups/packagegroup-optee-core.bb

@@ -0,0 +1,17 @@
+SUMMARY = "OPTEE core packagegroup"
+DESCRIPTION = "Provide optee-client package"
+LICENSE = "LGPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/LGPL-2.0-or-later;md5=6d2d9952d88b50a51a5c73dc431d06c7"
+
+PACKAGE_ARCH = "${TUNE_PKGARCH}"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-optee-core"
+
+PROVIDES = "${PACKAGES}"
+
+RDEPENDS:packagegroup-optee-core = "\
+    optee-client \
+    optee-stm32mp-addons \
+"

meta-st/meta-st-openstlinux/recipes-security/packagegroups/packagegroup-optee-test.bb

@@ -0,0 +1,16 @@
+SUMMARY = "OPTEE test packagegroup"
+DESCRIPTION = "Provide optee test and ta-sdp packages"
+LICENSE = "LGPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/LGPL-2.0-or-later;md5=6d2d9952d88b50a51a5c73dc431d06c7"
+
+PACKAGE_ARCH = "${TUNE_PKGARCH}"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-optee-test"
+
+PROVIDES = "${PACKAGES}"
+
+RDEPENDS:packagegroup-optee-test = "\
+    optee-test \
+"