Offline signing of TAs: Improve the documentation #223
Conversation
Please add a

Force-pushed from d43ca08 to eeccbc8
I think it should be good now

Force-pushed from eeccbc8 to 159ced1
Commit header line:
building: improve offline TA signing documentation
building/trusted_applications.rst:

    .. note::
       It may be necessary to make use of the ``--ta-version`` flag here in some cases,
       e.g when building Widevine's oemcrypto with the Yocto toolchain. Check the make output of optee-os
s/e.g/e.g./
s/flag/option/ ?
Yocto toolchain or Yocto environment?
For consistency, prefer 100 char/line max.

By curiosity: why does Yocto require --ta-version to be specified for the Widevine TAs? If not set, the default TA version number used is 0.
Yocto environment would probably be more precise. Actually Yocto is the project, Bitbake the build system and it builds its own toolchains. In my use case I needed the in-tree TAs and oemcrypto for Widevine, which comes with its own recipe that pulls TA devkit as a dependency. I couldn't sign it manually at first and it took me quite a while to figure this out. I had to enable verbose build output, look at the make command to see that the version was different. So it may not even be Yocto but the TA devkit version oemcrypto ships with or requires. Since Yocto is very prominent nowadays I wanted to give this hint here. Do you think it is too much?
Which in-tree do you need? There doesn't seem to be an in-tree TA related to WV support.
I guess you could sign the TA but could not use it on your target due to your TAs (or some of them) being already used on your target with a version number value higher than 0. I think the doc should not say that Yocto requires

By the way, what is the right wording of

Force-pushed from 159ced1 to 517f0be
Well, in my case the in-tree TAs were compiled with the default version 0 and oemcrypto with
I changed it to argument and wrapped the lines before hitting the 100 character limit.

Force-pushed from 517f0be to 3045c90
The version number is used for protection against version rollback of TA binaries. The secure storage of your target likely stored that your WV TA has been used with that version number, so OP-TEE will only accept a WV TA with a version number higher or equal to that value. It fully makes sense to use TA versioning. The TA version number is a TA property defined by the GP TEE specification. Some info can be found in the OP-TEE doc on TAs.

May I ask you to append fixup commit(s) on top of your series rather than force pushing an updated commit? It would help reviewers to see what you have modified regarding the previously reviewed version of your changes.
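The anti-rollback behaviour described in the comment above, as an added illustration (this is not OP-TEE code and is not part of the pull request): a toy TEE that keeps the highest accepted version per TA UUID in "secure storage", verifies that the version field is covered by the signature, and refuses any TA whose version is lower than the stored one. The header layout, the HMAC stand-in for the RSA signature and the key are all constructed for this example.

```python
"""Toy model of TA anti-rollback checking (constructed example, not OP-TEE code).

A signed TA carries its version inside the signed header, so the version cannot
be bumped without re-signing.  The TEE remembers, per UUID, the highest version
it has loaded and rejects anything older (version >= stored is accepted).
"""
import hashlib
import hmac
import struct

# Constructed stand-in for the private TA signing key (real OP-TEE uses RSA).
SIGNING_KEY = b"constructed-example-signing-key"

HEADER_LEN = 16 + 4          # uuid (16 bytes) || ta_version (u32, little endian)
SIG_LEN = 32                 # HMAC-SHA256 stand-in for the real signature


def build_signed_ta(uuid: bytes, ta_version: int, elf: bytes) -> bytes:
    """Return header || signature || elf, with the signature covering header+elf."""
    header = uuid + struct.pack("<I", ta_version)
    digest = hashlib.sha256(header + elf).digest()
    sig = hmac.new(SIGNING_KEY, digest, hashlib.sha256).digest()
    return header + sig + elf


def parse_signed_ta(blob: bytes):
    uuid = blob[:16]
    (ta_version,) = struct.unpack("<I", blob[16:HEADER_LEN])
    sig = blob[HEADER_LEN:HEADER_LEN + SIG_LEN]
    elf = blob[HEADER_LEN + SIG_LEN:]
    return uuid, ta_version, sig, elf


def tamper_version(blob: bytes, new_version: int) -> bytes:
    """Rewrite the version field without re-signing (what rollback protection must catch)."""
    out = bytearray(blob)
    out[16:HEADER_LEN] = struct.pack("<I", new_version)
    return bytes(out)


class ToyTee:
    def __init__(self):
        # uuid -> highest TA version accepted so far (models secure storage)
        self.secure_storage = {}

    def load_ta(self, blob: bytes) -> str:
        uuid, ta_version, sig, elf = parse_signed_ta(blob)
        header = blob[:HEADER_LEN]
        expected = hmac.new(SIGNING_KEY, hashlib.sha256(header + elf).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return "rejected: bad signature"
        stored = self.secure_storage.get(uuid, 0)
        if ta_version < stored:
            return f"rejected: version {ta_version} < stored {stored} (rollback)"
        self.secure_storage[uuid] = max(stored, ta_version)
        return f"loaded: version {ta_version}"


def demo() -> list:
    """Replay the situation from the thread: a TA built with version 0 after a higher one was used."""
    tee = ToyTee()
    uuid = bytes(range(16))                      # constructed UUID
    results = []
    results.append(tee.load_ta(build_signed_ta(uuid, 3, b"elf-built-with-version-3")))
    # A rebuild that forgot --ta-version: signed correctly, but version 0 < 3.
    results.append(tee.load_ta(build_signed_ta(uuid, 0, b"elf-built-with-version-0")))
    # Same version as stored is fine ("higher or equal").
    results.append(tee.load_ta(build_signed_ta(uuid, 3, b"elf-built-with-version-3")))
    # Editing the version field after signing breaks the signature instead.
    results.append(tee.load_ta(tamper_version(build_signed_ta(uuid, 0, b"elf"), 5)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the block prints one line per load attempt; the second attempt is the case discussed in the thread, where a correctly signed TA is rejected only because its version is lower than the one already recorded for that UUID.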
So rather make many commits and squash afterwards? I can do that from now on. Is there anything else you would like me to change?
Yes please. Thanks.
Yes, please: discard .giticonfig file.

Force-pushed from 3045c90 to f8ecb7b
Oh sorry. This one I force-pushed though, since I don't want it to end up in the history.

Is this good to merge or should I still change things?

Looks good to me.

Commit header line: With that addressed
The documentation was partly faulty:

- The private key was specified for the digest and stitch steps
- The Nitrokey HSM section was not correct and did not execute in the shell

This commit extends the documentation and explicitly sets elfs, digest, signature and .ta locations for completeness. This is needed for automated build environments like Yocto, since it builds TAs in several different recipes.

Signed-off-by: Jan Claussen <jan.claussen10@web.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

Force-pushed from f8ecb7b to 212f263
Sorry, I force-pushed again. This is a habit from work, where we use Gitlab that can still display the diffs between the pushes.

Thanks for the contribution @jclsn, I'm merging this now!

You are welcome! Happy to be able to help
The documentation was partly faulty:
This commit extends the documentation and explicitly sets elfs, digest, signature and .ta locations for completeness. This is needed for automated build environments like Yocto, since it builds TAs in several different recipes.
Fixes #224