widevine-partner/oemcrypto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Corrected README and CHANGELOG for OPK v19.2.

Browse Source
This commit is contained in:
Alex Dale
2024-06-27 18:20:56 -07:00
parent a084ab5489
commit 9fe69a896c
2 changed files with 18 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@@ -15,7 +15,7 @@ General
- Clarified signing algorithm for OEMCrypto_PrepAndSign*() functions in
OEMCryptoCENC.h header.
- New L3 API function OEMCrypto_WrapClearPrivateKey() for factory builds.
- New API function OEMCrypto_WrapClearPrivateKey() for ATSC factory builds.
- New L3 API function OEMCrypto_MarkOfflineSession() for informing OEMCrypto
that a session is used for a reloaded offline license.
- Clarified HDCP level enforcement for downstream devices (see OEMCrypto

30
oemcrypto/opk/ports/optee/README.md
View File

@@ -7,23 +7,27 @@ other targets, be sure to set up the OP-TEE repos with the corresponding
manifest (eg to build OPK against an NXP chip target, use the correct NXP
manifest when cloning and building OP-TEE).
1. Download and build OP-TEE following their online documentation. Set that
destination to the environment variable OPTEE_DIR. For security purposes,
prefer OP-TEE version 3.20.0 or later since targeted stack protection with
`-fstack-protector-strong` is enabled by default and `__stack_chk_guard` is
initialized to a secure, random value at runtime. On AArch64 targets, build
OP-TEE with `CFG_CORE_BTI=y`, `CFG_CORE_PAUTH=y`, `CFG_TA_BTI=y`,
and `CFG_TA_PAUTH=y` to enable branch protection with
`-mbranch-protection=pac-ret+leaf+bti`. Branch protection requires that the
GCC toolchain is compiled with `--enable-standard-branch-protection`.
2. If the GCC toolchain is separate from the one included in
1. Download and build OP-TEE following their online documentation and these
security considerations:
- Prefer OP-TEE version 3.20.0 or later since targeted stack protection with
`-fstack-protector-strong` is enabled by default and `__stack_chk_guard` is
initialized to a secure, random value at runtime.
- On AArch64 targets, build OP-TEE with `CFG_CORE_BTI=y`, `CFG_CORE_PAUTH=y`,
`CFG_TA_BTI=y`, and `CFG_TA_PAUTH=y` to enable branch protection with
`-mbranch-protection=pac-ret+leaf+bti`. Branch protection requires that the
GCC toolchain is compiled with `--enable-standard-branch-protection`.
- Build OP-TEE with `CFG_WITH_SOFTWARE_PRNG=n` and, if not provided by the
platform, implement `hw_get_random_bytes` to generate random data using a
cryptographically-secure hardware RNG instead of the software PRNG.
2. Set the OP-TEE download destination to the environment variable OPTEE_DIR.
3. If the GCC toolchain is separate from the one included in
$OPTEE_DIR/toolchains, set that path to OPTEE_TOOLCHAIN_DIR.
3. Set up the third_party directory with the required dependencies. All of these
4. Set up the third_party directory with the required dependencies. All of these
dependencies are for unit tests. Run `oemcrypto/opk/setup.sh` to download all
of the required libraries to `$CDM_DIR/third_party`.
4. From the top level of this repo (CDM), run `make -j32 -C
5. From the top level of this repo (CDM), run `make -j32 -C
./oemcrypto/opk/ports/optee host ta`
5. Run on QEMU
6. Run on QEMU:
```
export QEMU=$OPTEE_DIR/qemu/build/arm-softmmu/qemu-system-arm && \
export GTEST_FILTER="-*Reboot*" && \