This is currently a work in progress.
Tested with PetaLinux v2024.2 and OP-TEE v4.5.0.
Download the BSP file for the zcu104 from here.
```shell
$ petalinux-create -t project -s /path/of/bsp/file -n <name-of-the-project>
```

`-t project` is deprecated. It is better to use the new `project` subcommand:

```shell
$ petalinux-create project -s /path/of/bsp/file -n <name-of-the-project>
```
Add the following to `<project-root>/project-spec/meta-user/conf/layer.conf`:

```bitbake
PREFERRED_PROVIDER_virtual/arm-trusted-firmware = "arm-trusted-firmware"
PREFERRED_VERSION_arm-trusted-firmware = "2.8-xilinx-v2023.2+git"
```
```shell
$ petalinux-build --sdk
$ petalinux-config
```

Navigate to `Yocto Settings -> Yocto Machine Name` and change it to `zynqmp-zcu104`.

Append the `arm-trusted-firmware_%.bbappend` shipped in this repository to the project's copy, then rebuild TF-A:

```shell
$ cat meta-xilinx/meta-xilinx-core/recipes-bsp/arm-trusted-firmware/arm-trusted-firmware_%.bbappend >> <project-root>/components/yocto/layers/meta-xilinx/meta-xilinx-core/recipes-bsp/arm-trusted-firmware/arm-trusted-firmware_%.bbappend
$ petalinux-build -c arm-trusted-firmware
```
The components to update are:

- optee
- optee-ftpm

To update OP-TEE and its fTPM component in your PetaLinux project, you need to remove the old recipe directories and replace them with the updated versions from the GitHub repository. These components are located in `<petalinux-proj>/components/yocto/layers/meta-arm/recipes-security/`.

Navigate to the `recipes-security` folder and delete the existing OP-TEE recipe directories:

```shell
rm -rf <petalinux-proj>/components/yocto/layers/meta-arm/recipes-security/optee
rm -rf <petalinux-proj>/components/yocto/layers/meta-arm/recipes-security/optee-ftpm
```

Then clone or download the updated `optee` and `optee-ftpm` directories from this repository's `meta-arm/recipes-security/` into that location. In this version, everything required for measured boot is integrated.
Add the following to `<project-root>/project-spec/meta-user/recipes-bsp/device-tree/files/system-user.dtsi`:

```dts
/include/ "system-conf.dtsi"
/ {
    firmware {
        optee {
            compatible = "linaro,optee-tz";
            method = "smc";
        };
    };

    // Reserve the memory region for the TPM event log
    reserved-memory {
        #address-cells = <2>;
        #size-cells = <2>;
        ranges;

        /* Unit address matches the reg base, so dtc does not warn about a mismatch */
        tpm_event_log_reserved: memory@79640000 {
            reg = <0x00000000 0x79640000 0x00000000 0x00001000>; /* Base 0x79640000, Size 4KB */
            no-map;
        };
    };
};
```
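The region reserved above holds the measured-boot event log that the firmware chain hands on to Linux, and replaying that log against the fTPM's PCRs is how a verifier (Keylime, later in this setup) checks it. As an added example, not code from this repository, here is a Python parser for a TCG2-format (TCG_PCR_EVENT2 with a Spec ID Event03 header) log that replays the PCR extends and reports PCRs whose replayed value disagrees with what the TPM says; the log format is assumed to be the one TF-A's event-log library writes, and the sample log, its image names and event types are constructed for the demonstration.

```python
import hashlib
import struct
ALG_SHA1, ALG_SHA256 = 0x0004, 0x000B  # TCG algorithm-registry IDs for the two banks handled here
HASH = {ALG_SHA1: hashlib.sha1, ALG_SHA256: hashlib.sha256}
EV_NO_ACTION, EV_POST_CODE = 0x03, 0x01  # event types used by the header and by firmware images

def parse_tcg2_log(log: bytes):
    """Yield (pcr, event_type, {alg_id: digest}, event_data) for every TCG_PCR_EVENT2 entry."""
    # Entry 0 is a SHA1-format TCG_PCClientPCREvent whose data is the "Spec ID Event03" header.
    _, etype, size = struct.unpack_from("<II20xI", log, 0)
    if etype != EV_NO_ACTION or log[32:47] != b"Spec ID Event03":
        raise ValueError("not a TCG2 event log")
    spec = log[32:32 + size]
    num_algs = struct.unpack_from("<I", spec, 24)[0]
    # digestSizes[] entries (algorithmId u16, digestSize u16) give each digest's length below
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(num_algs))
    off = 32 + size
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off, digests = off + 12, {}
        for _ in range(count):
            alg = struct.unpack_from("<H", log, off)[0]
            digests[alg] = log[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        esize = struct.unpack_from("<I", log, off)[0]
        yield pcr, etype, digests, log[off + 4:off + 4 + esize]
        off += 4 + esize

def replay_pcrs(log: bytes, alg=ALG_SHA256):
    """Recompute each PCR from zero exactly as the TPM extended it: PCR = H(PCR || digest)."""
    pcrs = {}
    for pcr, _, digests, _ in parse_tcg2_log(log):
        if alg in digests:
            cur = pcrs.get(pcr, bytes(HASH[alg]().digest_size))
            pcrs[pcr] = HASH[alg](cur + digests[alg]).digest()
    return pcrs

def pcr_mismatches(log: bytes, tpm_pcrs: dict, alg=ALG_SHA256):
    """PCR indices whose replayed value differs from the TPM's (a truncated or tampered log)."""
    expected = replay_pcrs(log, alg)
    return sorted(i for i in expected if expected[i] != tpm_pcrs.get(i))

def build_sample_log():
    """Constructed two-event, sha256-only log standing in for what the measured-boot chain writes."""
    spec = (b"Spec ID Event03\x00" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", ALG_SHA256, 32) + b"\x00")  # one algorithm, no vendor info
    log = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    for name in (b"bl31.elf", b"tee_raw.bin"):  # two PCR 0 extends; event data is the image name
        log += (struct.pack("<III", 0, EV_POST_CODE, 1) + struct.pack("<H", ALG_SHA256)
                + hashlib.sha256(name).digest() + struct.pack("<I", len(name)) + name)
    return log
```

On the board, the same replay would be fed the log exported by the kernel and compared with the PCR values read from the fTPM with `tpm2_pcrread`.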
```shell
$ petalinux-build -c optee-os
$ petalinux-build -c optee-examples
$ petalinux-build -c optee-test
$ petalinux-build -c optee-client
$ petalinux-build -c optee-ftpm
```
Copy the `kernel_optee.cfg` file from this repository into `<project-root>/project-spec/meta-user/recipes-kernel/linux/linux-xlnx`:

```shell
$ cp project-spec/meta-user/recipes-kernel/linux/linux-xlnx/kernel_optee.cfg <project-root>/project-spec/meta-user/recipes-kernel/linux/linux-xlnx
```
Add these lines to `<project-root>/project-spec/meta-user/recipes-kernel/linux/linux-xlnx_%.bbappend`:

```bitbake
SRC_URI:append = " file://kernel_optee.cfg"
KERNEL_FEATURES:append = " kernel_optee.cfg"
```
Add this line to `<project-root>/project-spec/meta-user/conf/petalinuxbsp.conf`:

```bitbake
IMAGE_INSTALL:append = " optee-examples optee-client optee-test"
```
Add these lines to `<project-root>/project-spec/meta-user/conf/user-rootfsconfig`:

```
CONFIG_optee-client
CONFIG_optee-examples
CONFIG_optee-test
```

Then enable the packages:

```shell
$ petalinux-config -c rootfs
```

Navigate to `user packages` and enable `optee-client`, `optee-examples` and `optee-test`.
In addition, navigate to `Filesystem Packages -> misc -> tpm2` and enable the following packages:

- tpm2-abrmd
- tpm2-abrmd-dev
- tpm2-pkcs11
- tpm2-tools
- tpm2-tools-dev
- tpm2-tools-dbg
- tpm2-tss
- tpm2-tss-dbg
- tpm2-tss-engine
- tpm2-tss-engine-dev
In addition to updating the OP-TEE components, a patch is required to fix issues with IMA (Integrity Measurement Architecture) and fTPM. Follow these steps to integrate the patch into the kernel.

- Patch file: `0001-combined-patch.patch`. This patch contains the necessary changes to resolve issues with IMA and fTPM.
- IMA config file: `ima_hash.cfg`, which sets `CONFIG_IMA_DEFAULT_HASH` to sha256.
- Target file: `project-root/project-spec/meta-user/recipes-kernel/linux/linux-xlnx_%.bbappend`
- Actions:
  - Place the two files in `project-root/project-spec/meta-user/recipes-kernel/linux/linux-xlnx/`.
  - Modify the `linux-xlnx_%.bbappend` file to include them by adding the following lines:

```bitbake
SRC_URI += "file://0001-combined-patch.patch \
            file://ima_hash.cfg \
           "
```
To integrate your custom IMA policy into your PetaLinux project, follow these steps:

- Directory structure: `project-root/project-spec/meta-user/recipes-security/my-ima-policy/` (first you need to create the `recipes-security` directory).
- Files:
  - `my-ima-policy.bb`
  - `files/my_custom_policy`

Place your custom IMA policy in `my-ima-policy/files/my_custom_policy` and create the BitBake recipe `my-ima-policy/my-ima-policy.bb` in the same directory (`my-ima-policy`).

- Target file: `project-root/project-spec/meta-user/conf/petalinuxbsp.conf`
- Actions: append your custom IMA policy to the image installation and enable the IMA distro feature:

```bitbake
IMAGE_INSTALL:append = " my-ima-policy"
DISTRO_FEATURES:append = " ima"
```

- Target file: `project-root/project-spec/meta-user/conf/user-rootfsconfig`
- Action: add the following line to enable your custom IMA policy:

```
CONFIG_my-ima-policy
```

Then enable the package:

```shell
$ petalinux-config -c rootfs
```

Navigate to `user packages` and enable `my-ima-policy`.
- Directory structure: `project-root/project-spec/meta-user/recipes-app/keylime/` (first you need to create the `recipes-app` directory).
- Files:
  - `files/keylime_agent`
  - `files/keylime_agent.service`
  - `files/keylime-agent.conf`
  - `files/LICENSE`
  - `files/setup_keylime.sh`
  - `files/var-lib-keylime-secure.mount`
  - `keylime.bb`

Place these files in the same directory (`keylime`). The file `keylime_agent` is not included in this repository because its size exceeds GitHub's 100 MB file size limit.

- Target file: `project-root/project-spec/meta-user/conf/petalinuxbsp.conf`
- Action: append the keylime recipe to the image installation:

```bitbake
IMAGE_INSTALL:append = " keylime"
```

- Target file: `project-root/project-spec/meta-user/conf/user-rootfsconfig`
- Action: add the following line to enable the keylime agent:

```
CONFIG_keylime
```

Then enable the package:

```shell
$ petalinux-config -c rootfs
```

Navigate to `user packages` and enable `keylime`.
This section explains how to integrate liboqs (v0.10.0) into a PetaLinux project to enable support for ML-DSA post-quantum signatures across OP-TEE, fTPM, and the TPM2 software stack.

- Target directory: `<project-root>/project-spec/meta-user/recipes-tpm/liboqs/`
- Action: create the directory `recipes-tpm/liboqs/` if it doesn't exist, and add the following recipe: `liboqs_0.10.0.bb`

- Target directory: `<project-root>/components/yocto/layers/meta-arm/recipes-security/`
- Modified files: `optee-os-tadevkit_4.5.0.bb`, `optee-ftpm_git.bb`, `optee-os_4.5.0.bb`, `optee-os_4.%.bbappend`
- Action: the listed recipes have been updated to integrate liboqs support, including the necessary adjustments to build steps, dependencies, and library usage.

- Target files:
  - TPM2-Tools: `<project-root>/components/yocto/layers/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.2.bb`
  - TPM2-TSS: `<project-root>/components/yocto/layers/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.2.1.bb`
- Action: the recipe sources have been updated to point to modified upstream archives compatible with liboqs, and the recipes have been adapted accordingly to support these updated versions.

- Target patch file: `<project-root>/project-spec/meta-user/recipes-kernel/linux/linux-xlnx/0002-combined-patch.patch`
- Action: apply the patch to introduce support for liboqs-related features. Modify `project-root/project-spec/meta-user/recipes-kernel/linux/linux-xlnx_%.bbappend` and append the following lines to `SRC_URI`:

```bitbake
SRC_URI += "file://0001-combined-patch.patch \
            file://0002-combined-patch.patch \
            file://ima_hash.cfg \
           "
```
```shell
$ petalinux-config
```

Navigate to `DTG Settings -> Kernel Bootargs` and disable `generate boot args automatically`. Then set the following in `user set kernel bootargs`:

```
earlycon console=ttyUSB1,115200 root=/dev/mmcblk0p2 rw rootwait ima_policy=tcb ignore_loglevel
```

Note: ensure you verify the actual serial port to which the board is connected. In this case it is USB1, but it may vary depending on your setup. Adjust the `console` boot argument accordingly (e.g., `console=ttyUSB0` or `console=ttyUSB2`).

It is IMPORTANT to verify the packaged image name:

```shell
$ petalinux-config
```

Navigate to `Image Packaging Configuration` and check that `INITRAMFS/INITRD Image name` is set to `petalinux-image-minimal`.
```shell
$ petalinux-build
```

Ensure the `bootgen.bif` file includes the custom `measured_boot_fsbl.elf` and properly loads the OP-TEE binary:

```
the_ROM_image:
{
    [bootloader, destination_cpu=a53-0] <petalinux-proj>/measured_boot_fsbl.elf
    [pmufw_image] images/linux/pmufw.elf
    [destination_device=pl] images/linux/system.bit
    [destination_cpu=a53-0, exception_level=el-3, trustzone] images/linux/bl31.elf
    [destination_cpu=a53-0, load=0x100000] images/linux/system.dtb
    [destination_cpu=a53-0, exception_level=el-2] images/linux/u-boot.elf
    [load=0x60000000, startup=0x60000000, exception_level=el-1, trustzone, destination_cpu=a53-0] images/linux/tee_raw.bin
}
```

Use this command to obtain the BOOT.bin image:

```shell
$ petalinux-package boot --bif bootgen.bif --force
```
Before flashing, format the SD card to create two partitions:

- One FAT32 partition for the boot image.
- One ext4 partition for the root filesystem.

The device name (`/dev/sdb` below) depends on your host; confirm which block device is the SD card before formatting it.

```shell
$ rm -rf sd1/*
$ rm -rf sd2/*
$ cp <petalinux-proj>/images/linux/{BOOT.BIN,image.ub,boot.scr} ./sd1
$ cp <petalinux-proj>/images/linux/rootfs.tar.gz ./sd2
$ sudo mkfs.vfat /dev/sdb1
$ sudo mkfs.ext4 /dev/sdb2
$ sudo mount /dev/sdb1 /mnt/boot/
$ sudo mount /dev/sdb2 /mnt/rootfs/
$ sudo cp sd1/* /mnt/boot/
$ sudo tar xvfp sd2/rootfs.tar.gz --directory /mnt/rootfs
$ sudo cp sd2/* /mnt/rootfs/
$ sudo umount /mnt/boot
$ sudo umount /mnt/rootfs
```