awsiot-optee: update container to match v91 LmP release

Signed-off-by: Milosz Wasilewski <[email protected]>
foundriesio · Oct 4, 2023 · 2d441a8 · 2d441a8
1 parent 3fa5a89
commit 2d441a8
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 11 deletions.
diff --git a/awsiot-optee/Dockerfile b/awsiot-optee/Dockerfile
@@ -1,7 +1,7 @@
-FROM alpine:3.15 as p11
+FROM alpine:3.18 as p11
 
-# A bit ahead of 3.17.0, to include support for secure element control (used by SE05X)
-ENV OPTEE_CLIENT_VER "9a337049c52495e5e16b4a94decaa3e58fce793e"
+# Version 3.20 to match base OS v91
+ENV OPTEE_CLIENT_VER "dd2d39b49975d2ada7870fe2b7f5a84d0d3860dc"
 
 WORKDIR /src
 
@@ -10,7 +10,7 @@ RUN apk add --virtual build-deps git build-base linux-headers
 RUN \
 	git clone https://github.com/OP-TEE/optee_client.git && \
 	cd optee_client && git checkout ${OPTEE_CLIENT_VER} && \
-	wget https://raw.githubusercontent.com/foundriesio/meta-lmp/mp-87/meta-lmp-base/recipes-security/optee/optee-client/0001-FIO-extras-pkcs11-change-UUID-to-avoid-conflict-with.patch && \
+	wget https://raw.githubusercontent.com/foundriesio/meta-lmp/mp-91/meta-lmp-base/recipes-security/optee/optee-client/0001-FIO-extras-pkcs11-change-UUID-to-avoid-conflict-with.patch && \
 	patch -p1 < 0001-FIO-extras-pkcs11-change-UUID-to-avoid-conflict-with.patch && \
 	make -C libteec/ && \
 	make -C libseteec && \
@@ -20,19 +20,19 @@ RUN \
 WORKDIR /src
 RUN apk add openssl-dev cjson-dev util-linux-dev
 RUN \
-	wget https://github.com/OpenSC/libp11/releases/download/libp11-0.4.11/libp11-0.4.11.tar.gz && \
-	tar xvzf libp11-0.4.11.tar.gz && \
-	cd libp11-0.4.11 && \
+	wget https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz && \
+	tar xvzf libp11-0.4.12.tar.gz && \
+	cd libp11-0.4.12 && \
 	./configure && \
 	make && \
 	make install
 
-FROM alpine:3.15 as aws
+FROM alpine:3.18 as aws
 # build mosquitto with pkcs11
 RUN apk add --virtual build-deps build-base cmake git linux-headers python3 python3-dev py3-pip
-RUN pip3 install awsiotsdk==1.11.3
+RUN pip3 install awsiotsdk==1.19.0
 
-FROM alpine:3.15
+FROM alpine:3.18
 RUN apk --no-cache add opensc openssl python3
 ADD ["https://www.websecurity.digicert.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/roots/VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem", "/etc/aws-ca.pem"]
 ADD ["https://www.amazontrust.com/repository/AmazonRootCA3.pem", "https://www.amazontrust.com/repository/G2-RootCA3.pem", "https://www.amazontrust.com/repository/SFSRootCAG2.pem", "/etc/"]
@@ -41,7 +41,7 @@ RUN cat /etc/AmazonRootCA3.pem /etc/G2-RootCA3.pem /etc/SFSRootCAG2.pem > /etc/a
 COPY --from=p11 /src/optee_client/out/libteec/libteec.so* /usr/lib/
 COPY --from=p11 /src/optee_client/out/libseteec/libseteec.so* /usr/lib/
 COPY --from=p11 /src/optee_client/out/libckteec/libckteec.so* /usr/lib/
-COPY --from=aws /usr/lib/python3.9/site-packages /usr/lib/python3.9/site-packages
+COPY --from=aws /usr/lib/python3.11/site-packages /usr/lib/python3.11/site-packages
 
 COPY demo_pub.py /
 CMD "/demo_pub.py"
diff --git a/awsiot-optee/README.md b/awsiot-optee/README.md
@@ -4,3 +4,8 @@ the SE05X can communicate with the AWS IOT MQTT service.
 
 You can use the [AWS IOT JITP](https://foundries.io/insights/blog/aws-iot-jitp/)
 blog as a guide for setting this up.
+
+Run container on LmP:
+    docker run -it -e AWS_ENDPOINT=<YOUR AWS ENDPOINT>.amazonaws.com -e SLOT_ID=0 --device=/dev/tee0:/dev/tee0 hub.foundries.io/lmp/awsiot-optee:postmerge
+
+Note: change SLOT_ID if EL2GO agent uses a different one