Corrected README and CHANGELOG for OPK v19.2.

CHANGELOG.md

@@ -15,7 +15,7 @@ General
 
 - Clarified signing algorithm for OEMCrypto_PrepAndSign*() functions in
   OEMCryptoCENC.h header.
-- New L3 API function OEMCrypto_WrapClearPrivateKey() for factory builds.
+- New API function OEMCrypto_WrapClearPrivateKey() for ATSC factory builds.
 - New L3 API function OEMCrypto_MarkOfflineSession() for informing OEMCrypto
   that a session is used for a reloaded offline license.
 - Clarified HDCP level enforcement for downstream devices (see OEMCrypto

oemcrypto/opk/ports/optee/README.md

@@ -7,23 +7,27 @@ other targets, be sure to set up the OP-TEE repos with the corresponding
 manifest (eg to build OPK against an NXP chip target, use the correct NXP
 manifest when cloning and building OP-TEE).
 
-1. Download and build OP-TEE following their online documentation. Set that
+1. Download and build OP-TEE following their online documentation and these
-   destination to the environment variable OPTEE_DIR. For security purposes,
+   security considerations:
-   prefer OP-TEE version 3.20.0 or later since targeted stack protection with
+   - Prefer OP-TEE version 3.20.0 or later since targeted stack protection with
-   `-fstack-protector-strong` is enabled by default and `__stack_chk_guard` is
+     `-fstack-protector-strong` is enabled by default and `__stack_chk_guard` is
-   initialized to a secure, random value at runtime. On AArch64 targets, build
+     initialized to a secure, random value at runtime.
-   OP-TEE with `CFG_CORE_BTI=y`, `CFG_CORE_PAUTH=y`, `CFG_TA_BTI=y`,
+   - On AArch64 targets, build OP-TEE with `CFG_CORE_BTI=y`, `CFG_CORE_PAUTH=y`,
-   and `CFG_TA_PAUTH=y` to enable branch protection with
+     `CFG_TA_BTI=y`, and `CFG_TA_PAUTH=y` to enable branch protection with
-   `-mbranch-protection=pac-ret+leaf+bti`. Branch protection requires that the
+     `-mbranch-protection=pac-ret+leaf+bti`. Branch protection requires that the
-   GCC toolchain is compiled with `--enable-standard-branch-protection`.
+     GCC toolchain is compiled with `--enable-standard-branch-protection`.
-2. If the GCC toolchain is separate from the one included in
+   - Build OP-TEE with `CFG_WITH_SOFTWARE_PRNG=n` and, if not provided by the
+     platform, implement `hw_get_random_bytes` to generate random data using a
+     cryptographically-secure hardware RNG instead of the software PRNG.
+2. Set the OP-TEE download destination to the environment variable OPTEE_DIR.
+3. If the GCC toolchain is separate from the one included in
    $OPTEE_DIR/toolchains, set that path to OPTEE_TOOLCHAIN_DIR.
-3. Set up the third_party directory with the required dependencies. All of these
+4. Set up the third_party directory with the required dependencies. All of these
    dependencies are for unit tests. Run `oemcrypto/opk/setup.sh` to download all
    of the required libraries to `$CDM_DIR/third_party`.
-4. From the top level of this repo (CDM), run `make -j32 -C
+5. From the top level of this repo (CDM), run `make -j32 -C
    ./oemcrypto/opk/ports/optee host ta`
-5. Run on QEMU
+6. Run on QEMU:
 ```
 export QEMU=$OPTEE_DIR/qemu/build/arm-softmmu/qemu-system-arm && \
 export GTEST_FILTER="-*Reboot*" && \