cargo-optee: add build ca cmds and resolve issues

- enable build ca
- add sub-command: ta and ca
- revise param "arch" from string to enum
- fix building error for 32bit TAs, related to optee-utee-build
- fix license

Author: DemesneGH

.licenserc.yaml

@@ -29,7 +29,7 @@ header:
     - '**/Cargo.lock'
     - 'KEYS'
     - 'DISCLAIMER'
-    - '*.json'
+    - '**/*.json'
     - 'examples/tls_server-rs/ta/test-ca/**'
     - '**/uuid.txt'
     - '**/plugin_uuid.txt'

cargo-optee/Cargo.toml

@@ -1,3 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
 [package]
 name = "cargo-optee"
 version = "0.1.0"

cargo-optee/src/main.rs

@@ -15,14 +15,17 @@
 // specific language governing permissions and limitations
 // under the License.
 
-use anyhow::bail;
 use clap::{Parser, Subcommand};
 use std::env;
 use std::path::PathBuf;
 use std::process::abort;
 
+mod ca_builder;
+mod common;
 mod ta_builder;
 
+use common::Arch;
+
 #[derive(Debug, Parser)]
 #[clap(version = env!("CARGO_PKG_VERSION"))]
 #[clap(about = "Build tool for OP-TEE Rust projects")]
@@ -31,23 +34,29 @@ pub(crate) struct Cli {
     cmd: Command,
 }
 
-#[derive(Debug, Subcommand)]
-enum Command {
-    /// Build a Trusted Application (TA)
-    #[clap(name = "build")]
-    Build {
-        /// Type of build target (currently only 'ta' is supported)
-        #[arg(value_name = "TYPE")]
-        build_type: String,
-
-        /// Path to the TA directory (default: current directory)
-        #[arg(long = "path", default_value = ".")]
-        path: PathBuf,
-
-        /// Target architecture: aarch64 or arm (default: aarch64)
-        #[arg(long = "arch", default_value = "aarch64")]
-        arch: String,
+#[derive(Debug, Parser)]
+struct BuildTypeCommonOptions {
+    /// Path to the app directory (default: current directory)
+    #[arg(long = "path", default_value = ".")]
+    path: PathBuf,
+
+    /// Target architecture: aarch64 or arm (default: aarch64)
+    #[arg(long = "arch", default_value = "aarch64")]
+    arch: Arch,
+
+    /// Path to the UUID file (default: ../uuid.txt)
+    #[arg(long = "uuid_path", default_value = "../uuid.txt")]
+    uuid_path: PathBuf,
+
+    /// Build in debug mode (default is release)
+    #[arg(long = "debug")]
+    debug: bool,
+}
 
+#[derive(Debug, Subcommand)]
+enum BuildCommand {
+    /// Build a Trusted Application
+    TA {
         /// Enable std feature for the TA
         #[arg(long = "std")]
         std: bool,
@@ -60,16 +69,28 @@ enum Command {
         #[arg(long = "signing_key")]
         signing_key: Option<PathBuf>,
 
-        /// Path to the UUID file (default: ../uuid.txt)
-        #[arg(long = "uuid_path", default_value = "../uuid.txt")]
-        uuid_path: PathBuf,
-
-        /// Build in debug mode (default is release)
-        #[arg(long = "debug")]
-        debug: bool,
+        #[command(flatten)]
+        common: BuildTypeCommonOptions,
+    },
+    /// Build a Client Application (Host)
+    CA {
+        /// Path to the OP-TEE client export directory (mandatory)
+        #[arg(long = "optee_client_export", required = true)]
+        optee_client_export: PathBuf,
+
+        #[command(flatten)]
+        common: BuildTypeCommonOptions,
     },
 }
 
+#[derive(Debug, Subcommand)]
+enum Command {
+    /// Build OP-TEE components
+    #[clap(name = "build")]
+    #[command(subcommand)]
+    Build(BuildCommand),
+}
+
 fn main() {
     env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info"))
         .format_timestamp_millis()
@@ -102,37 +123,36 @@ fn main() {
 
 fn execute_command(cmd: Command) -> anyhow::Result<()> {
     match cmd {
-        Command::Build {
-            build_type,
-            path,
-            arch,
-            std,
-            ta_dev_kit_dir,
-            signing_key,
-            uuid_path,
-            debug,
-        } => {
-            // Validate build type
-            if build_type != "ta" {
-                bail!(
-                    "Invalid build type '{}'. Only 'ta' is supported.",
-                    build_type
-                );
-            }
-
-            // Determine signing key path
-            let signing_key_path =
-                signing_key.unwrap_or_else(|| ta_dev_kit_dir.join("keys").join("default_ta.pem"));
-
-            ta_builder::build_ta(ta_builder::TaBuildConfig {
-                arch,
+        Command::Build(build_cmd) => match build_cmd {
+            BuildCommand::TA {
                 std,
                 ta_dev_kit_dir,
-                signing_key: signing_key_path,
-                uuid_path,
-                debug,
-                path,
-            })
-        }
+                signing_key,
+                common,
+            } => {
+                // Determine signing key path
+                let signing_key_path = signing_key
+                    .unwrap_or_else(|| ta_dev_kit_dir.join("keys").join("default_ta.pem"));
+
+                ta_builder::build_ta(ta_builder::TaBuildConfig {
+                    arch: common.arch,
+                    std,
+                    ta_dev_kit_dir,
+                    signing_key: signing_key_path,
+                    uuid_path: common.uuid_path,
+                    debug: common.debug,
+                    path: common.path,
+                })
+            }
+            BuildCommand::CA {
+                optee_client_export,
+                common,
+            } => ca_builder::build_ca(ca_builder::CaBuildConfig {
+                arch: common.arch,
+                optee_client_export,
+                debug: common.debug,
+                path: common.path,
+            }),
+        },
     }
 }

cargo-optee/src/ta_builder.rs

@@ -18,35 +18,19 @@
 use anyhow::{bail, Result};
 use std::env;
 use std::fs;
-use std::path::{Path, PathBuf};
-use std::process::{Command, Output};
+use std::path::Path;
+use std::path::PathBuf;
+use std::process::Command;
 use tempfile::TempDir;
 
+use crate::common::{print_output_and_bail, Arch, ChangeDirectoryGuard};
+
 // Embed the target JSON files at compile time
 const AARCH64_TARGET_JSON: &str = include_str!("../aarch64-unknown-optee.json");
 const ARM_TARGET_JSON: &str = include_str!("../arm-unknown-optee.json");
 
-// Helper function to print command output and return error
-fn print_output_and_bail(cmd_name: &str, output: &Output) -> Result<()> {
-    eprintln!(
-        "{} stdout: {}",
-        cmd_name,
-        String::from_utf8_lossy(&output.stdout)
-    );
-    eprintln!(
-        "{} stderr: {}",
-        cmd_name,
-        String::from_utf8_lossy(&output.stderr)
-    );
-    bail!(
-        "{} failed with exit code: {:?}",
-        cmd_name,
-        output.status.code()
-    )
-}
-
 pub struct TaBuildConfig {
-    pub arch: String,            // "aarch64" or "arm"
+    pub arch: Arch,              // Architecture
     pub std: bool,               // Enable std feature
     pub ta_dev_kit_dir: PathBuf, // Path to TA dev kit
     pub signing_key: PathBuf,    // Path to signing key
@@ -56,9 +40,9 @@ pub struct TaBuildConfig {
 }
 
 // Helper function to derive target and cross-compile from arch and std
-fn get_target_and_cross_compile(arch: &str, std: bool) -> (String, String) {
+fn get_target_and_cross_compile(arch: Arch, std: bool) -> (String, String) {
     match arch {
-        "arm" => {
+        Arch::Arm => {
             if std {
                 (
                     "arm-unknown-optee".to_string(),
@@ -71,7 +55,7 @@ fn get_target_and_cross_compile(arch: &str, std: bool) -> (String, String) {
                 )
             }
         }
-        _ => {
+        Arch::Aarch64 => {
             if std {
                 (
                     "aarch64-unknown-optee".to_string(),
@@ -108,7 +92,7 @@ fn setup_build_command(
     command: &str,
 ) -> Result<(Command, Option<TempDir>)> {
     // Determine target and cross-compile based on arch
-    let (target, _cross_compile) = get_target_and_cross_compile(&config.arch, config.std);
+    let (target, _cross_compile) = get_target_and_cross_compile(config.arch, config.std);
 
     // Determine builder (cargo or xargo)
     let builder = if config.std { "xargo" } else { "cargo" };
@@ -151,14 +135,7 @@ fn setup_build_command(
 // Main function to build the TA
 pub fn build_ta(config: TaBuildConfig) -> Result<()> {
     // Change to the TA directory
-    let original_dir = env::current_dir()?;
-
-    env::set_current_dir(&config.path)?;
-
-    // Ensure we return to the original directory when done
-    let _guard = ChangeDirectoryGuard {
-        original: original_dir.clone(),
-    };
+    let _guard = ChangeDirectoryGuard::new(&config.path)?;
 
     println!("Building TA in directory: {:?}", config.path);
 
@@ -211,7 +188,7 @@ fn build_binary(config: &TaBuildConfig) -> Result<()> {
     println!("Building TA binary...");
 
     // Determine target and cross-compile based on arch
-    let (target, cross_compile) = get_target_and_cross_compile(&config.arch, config.std);
+    let (target, cross_compile) = get_target_and_cross_compile(config.arch, config.std);
 
     // Setup build command with common environment
     let (mut build_cmd, _temp_dir) = setup_build_command(config, "build")?;
@@ -238,7 +215,7 @@ fn strip_binary(config: &TaBuildConfig) -> Result<PathBuf> {
     println!("Stripping binary...");
 
     // Determine target based on arch
-    let (target, cross_compile) = get_target_and_cross_compile(&config.arch, config.std);
+    let (target, cross_compile) = get_target_and_cross_compile(config.arch, config.std);
 
     let profile = if config.debug { "debug" } else { "release" };
     let target_dir = PathBuf::from("target").join(target).join(profile);
@@ -286,7 +263,7 @@ fn sign_ta(config: &TaBuildConfig, stripped_path: &Path) -> Result<()> {
     }
 
     // Determine target based on arch
-    let (target, _) = get_target_and_cross_compile(&config.arch, config.std);
+    let (target, _) = get_target_and_cross_compile(config.arch, config.std);
 
     // Output path
     let profile = if config.debug { "debug" } else { "release" };
@@ -316,14 +293,3 @@ fn sign_ta(config: &TaBuildConfig, stripped_path: &Path) -> Result<()> {
 
     Ok(())
 }
-
-// Guard to ensure we return to the original directory
-struct ChangeDirectoryGuard {
-    original: PathBuf,
-}
-
-impl Drop for ChangeDirectoryGuard {
-    fn drop(&mut self) {
-        let _ = env::set_current_dir(&self.original);
-    }
-}

optee-utee-build/src/linker.rs

@@ -126,10 +126,11 @@ impl Linker {
         out_dir: PathBuf,
         ta_dev_kit_dir: PathBuf,
     ) -> Result<(), Error> {
-        const ENV_TARGET_TA: &str = "TARGET_TA";
-        println!("cargo:rerun-if-env-changed={}", ENV_TARGET_TA);
+        // cargo passes TARGET as env to the build scripts
+        const ENV_TARGET: &str = "TARGET";
+        println!("cargo:rerun-if-env-changed={}", ENV_TARGET);
         let mut aarch64_flag = true;
-        match env::var(ENV_TARGET_TA) {
+        match env::var(ENV_TARGET) {
             Ok(ref v) if v == "arm-unknown-linux-gnueabihf" || v == "arm-unknown-optee" => {
                 match self.linker_type {
                     LinkerType::Cc => println!("cargo:rustc-link-arg=-Wl,--no-warn-mismatch"),