Merged PR 10172292: Add symcrypt build for optee env

## Description:

## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary

Add symcrypt build for optee env

Signed-off-by: v-shlevy <v-shlevy@microsoft.com>

Related work items: #49419416

cmake-configs/SymCrypt-Platforms.cmake

@@ -3,7 +3,11 @@
 # Choose which environment to use based on the host platform
 # We don't support cross-compiling from one platform to another (e.g. compiling Windows binaries on Linux)
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-    set(SYMCRYPT_TARGET_ENV "LinuxUserMode")
+    if(SYMCRYPT_OPTEE MATCHES "ON")
+        set(SYMCRYPT_TARGET_ENV "OPTEE")
+    else()
+        set(SYMCRYPT_TARGET_ENV "LinuxUserMode")
+    endif()
 elseif(CMAKE_SYSTEM_NAME MATCHES "Windows")
     set(SYMCRYPT_TARGET_ENV "WindowsUserMode")
 else()
@@ -51,6 +55,21 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
         # Enable a baseline of features for the compiler to support everywhere
         # Assumes that the compiler will not emit crypto instructions as a result of normal C code
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=armv8-a+simd+crypto")
+        
+        if(SYMCRYPT_TARGET_ENV MATCHES "OPTEE")
+            # TA DEV KIT is require for OPTEE TA compilation 
+            if(DEFINED TA_DEV_KIT_INC)
+                # Get the compiler toolchain include
+                execute_process(COMMAND ${CMAKE_C_COMPILER} -print-file-name=include OUTPUT_VARIABLE TOOLCHAIN_INCLUDE)
+                string(STRIP "${TOOLCHAIN_INCLUDE}" TOOLCHAIN_INCLUDE)
+                # OPTEE env has a different stdlib and doesn't support atomic operations or multithreading.
+                add_compile_options(-mno-outline-atomics -nostdinc -isystem ${TOOLCHAIN_INCLUDE})
+                include_directories(${TA_DEV_KIT_INC})
+            else()
+                message(FATAL_ERROR "TA_DEV_KIT_INC must be defined for OPTEE build")
+            endif()
+        endif()
+
         # GCC complains about implicit casting between ASIMD registers (i.e. uint8x16_t -> uint64x2_t) by default,
         # whereas clang and MSVC do not. Setting -flax-vector-conversions to build Arm64 intrinsics code with GCC.
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flax-vector-conversions")

inc/symcrypt.h

@@ -493,6 +493,8 @@ SymCryptUint64Bytesize( UINT64 value );
 //
 // SYMCRYPT_ENVIRONMENT_LINUX_USERMODE                      // use for Linux
 //
+// SYMCRYPT_ENVIRONMENT_OPTEE_TA                            // use for OPTEE
+//
 // SYMCRYPT_ENVIRONMENT_GENERIC                             // use for all other situations
 //
 

inc/symcrypt_internal.h

@@ -2884,6 +2884,7 @@ SYMCRYPT_EXTERN_C_END
 
 #define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LEGACY          SYMCRYPT_ENVIRONMENT_GENERIC
 
+#ifdef NTDDI_VERSION
 #if (NTDDI_VERSION >= NTDDI_WIN7)
 #define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN7_N_LATER    SYMCRYPT_ENVIRONMENT_DEFS( WindowsKernelmodeWin7nLater )
 #endif
@@ -2909,12 +2910,16 @@ SYMCRYPT_EXTERN_C_END
 #if (NTDDI_VERSION >= NTDDI_WIN10)
 #define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN10_SGX         SYMCRYPT_ENVIRONMENT_DEFS( Win10Sgx )
 #endif
+#endif // NTDDI_VERSION
 
 #define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_LATEST            SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN8_1_N_LATER
 
 
 #define SYMCRYPT_ENVIRONMENT_LINUX_USERMODE                     SYMCRYPT_ENVIRONMENT_DEFS( LinuxUsermode )
 
+
+#define SYMCRYPT_ENVIRONMENT_OPTEE_TA                           SYMCRYPT_ENVIRONMENT_DEFS( OpteeTa )
+
 //////////////////////////////////////////////////////////
 //
 // SymCryptWipe & SymCryptWipeKnownSize

lib/CMakeLists.txt

@@ -393,9 +393,24 @@ if(NOT WIN32)
         endif()
     endif()
 
-    add_library(symcrypt_linuxusermode STATIC env_linuxUserMode.c)
+    if(SYMCRYPT_TARGET_ENV MATCHES "LinuxUserMode")
-    set_target_properties(symcrypt_linuxusermode PROPERTIES PREFIX "")
+        add_library(symcrypt_linuxusermode STATIC env_linuxUserMode.c)
-    target_link_libraries(symcrypt_linuxusermode symcrypt_common)
+        set_target_properties(symcrypt_linuxusermode PROPERTIES PREFIX "")
+        target_link_libraries(symcrypt_linuxusermode symcrypt_common)
+    elseif(SYMCRYPT_TARGET_ENV MATCHES "OPTEE")
+        # Remove files from symcrypt_common that are not supported in optee env.
+        # aes-asm.c - use SymCryptAesDecryptAsm which is not defined for ARM64
+        # cpuid_um.c - include auxv.h and use getauxval
+        # session.c - use atomic operations (__atomic_compare_exchange)
+        list(REMOVE_ITEM SOURCES_COMMON
+            aes-asm.c
+            cpuid_um.c
+            session.c)
+
+        add_library(symcrypt_envOpteeTa STATIC env_opteeTa.c)
+        set_target_properties(symcrypt_envOpteeTa PROPERTIES PREFIX "")
+        target_link_libraries(symcrypt_envOpteeTa symcrypt_common)
+    endif()
 endif()
 
 include_directories(${CMAKE_SOURCE_DIR}/inc)

lib/env_opteeTa.c

@@ -0,0 +1,80 @@
+//
+// env_opteeTa.c
+// Platform-specific code for OPTEE TA.
+//
+// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
+//
+
+#include "precomp.h"
+
+// OPTEE TA specific data
+#define TEE_ERROR_BAD_STATE               0xFFFF0007
+
+typedef uint32_t TEE_Result;
+
+void TEE_Panic(TEE_Result panicCode);
+
+
+SYMCRYPT_CPU_FEATURES SYMCRYPT_CALL SymCryptCpuFeaturesNeverPresentEnvOpteeTa(void)
+{
+    return 0;
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptInitEnvOpteeTa( UINT32 version )
+{
+    if( g_SymCryptFlags & SYMCRYPT_FLAG_LIB_INITIALIZED )
+    {
+        return;
+    }
+    
+    // Optee module relies on the unconditional availability of certain CPU features (ASIMD, AES, PMULL, SHA256)
+    g_SymCryptCpuFeaturesNotPresent = (SYMCRYPT_CPU_FEATURES) ~(SYMCRYPT_CPU_FEATURE_NEON|SYMCRYPT_CPU_FEATURE_NEON_AES|SYMCRYPT_CPU_FEATURE_NEON_PMULL|SYMCRYPT_CPU_FEATURE_NEON_SHA256);
+
+    SymCryptInitEnvCommon( version );
+}
+
+_Analysis_noreturn_
+VOID
+SYMCRYPT_CALL
+SymCryptFatalEnvOpteeTa( ULONG fatalCode )
+{
+    UINT32 fatalCodeVar;
+
+    SymCryptFatalIntercept( fatalCode );
+
+    //
+    // Put the fatal code in a location where it shows up in the dump
+    //
+    SYMCRYPT_FORCE_WRITE32( &fatalCodeVar, fatalCode );
+
+    //
+    // Our first preference is to fastfail,
+    // the second to create an AV, which can trigger a core dump so that we get to
+    // see what is going wrong.
+    //
+    __fastfail( FAST_FAIL_CRYPTO_LIBRARY );
+
+    TEE_Panic(TEE_ERROR_BAD_STATE);
+    
+    //
+    // Next we write to the NULL pointer, this causes an AV
+    //
+    SYMCRYPT_FORCE_WRITE32( (volatile UINT32 *)NULL, fatalCode );
+
+    SymCryptFatalHang( fatalCode );
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptTestInjectErrorEnvOpteeTa( PBYTE pbBuf, SIZE_T cbBuf )
+{
+    //
+    // This feature is only used during testing. In production it is always
+    // an empty function that the compiler can optimize away.
+    //
+    UNREFERENCED_PARAMETER( pbBuf );
+    UNREFERENCED_PARAMETER( cbBuf );
+}
+

modules/linux/CMakeLists.txt

@@ -1,5 +1,12 @@
 add_subdirectory(common) # Common functionality for Linux modules
-add_subdirectory(generic) # Generic Linux module
+
-if(SYMCRYPT_USE_ASM AND SYMCRYPT_TARGET_ARCH MATCHES "AMD64")
+if(SYMCRYPT_TARGET_ENV MATCHES "LinuxUserMode")
-    add_subdirectory(oe_full) # OpenEnclave with all functionality
+
+    add_subdirectory(generic) # Generic Linux module
+    
+    if(SYMCRYPT_USE_ASM AND SYMCRYPT_TARGET_ARCH MATCHES "AMD64")
+        add_subdirectory(oe_full) # OpenEnclave with all functionality
+    endif()
+elseif(SYMCRYPT_TARGET_ENV MATCHES "OPTEE")
+    add_subdirectory(optee) # OPTEE module
 endif()

modules/linux/common/callbacks_pthread.c

@@ -0,0 +1,73 @@
+//
+// callbacks_pthread.c
+// Contains symcrypt call back functions for pthreads
+//
+// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
+//
+
+#include <pthread.h>
+#include "precomp.h"
+
+PVOID
+SYMCRYPT_CALL
+SymCryptCallbackAlloc( SIZE_T nBytes )
+{
+    return aligned_alloc(SYMCRYPT_ASYM_ALIGN_VALUE, nBytes);
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackFree( VOID * pMem )
+{
+    free( pMem );
+}
+
+SYMCRYPT_ERROR
+SYMCRYPT_CALL
+SymCryptCallbackRandom( PBYTE pbBuffer, SIZE_T cbBuffer )
+{
+    SymCryptRandom( pbBuffer, cbBuffer );
+    return SYMCRYPT_NO_ERROR;
+}
+
+
+PVOID
+SYMCRYPT_CALL
+SymCryptCallbackAllocateMutexFastInproc(void)
+{
+    PVOID ptr = malloc(sizeof(pthread_mutex_t));
+
+    if( ptr )
+    {
+        if( pthread_mutex_init( (pthread_mutex_t *)ptr, NULL ) != 0 )
+        {
+            free(ptr);
+            ptr = NULL;
+        }
+    }
+    
+    return ptr;
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackFreeMutexFastInproc( PVOID pMutex )
+{
+    pthread_mutex_destroy( (pthread_mutex_t *)pMutex );
+
+    free(pMutex);
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackAcquireMutexFastInproc( PVOID pMutex )
+{
+    pthread_mutex_lock( (pthread_mutex_t *)pMutex );
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackReleaseMutexFastInproc( PVOID pMutex )
+{
+    pthread_mutex_unlock( (pthread_mutex_t *)pMutex );
+}

modules/linux/common/callbacks_singlethreaded.c

@@ -0,0 +1,52 @@
+//
+// callbacks_singlethreaded.c
+// Contains symcrypt call back functions for single threaded applications.
+//
+// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
+//
+
+#include "precomp.h"
+
+PVOID
+SYMCRYPT_CALL
+SymCryptCallbackAlloc( SIZE_T nBytes )
+{
+    return aligned_alloc(SYMCRYPT_ASYM_ALIGN_VALUE, nBytes);;
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackFree( VOID * pMem )
+{
+    free( pMem );
+}
+
+SYMCRYPT_ERROR
+SYMCRYPT_CALL
+SymCryptCallbackRandom( PBYTE pbBuffer, SIZE_T cbBuffer )
+{
+    SymCryptRandom( pbBuffer, cbBuffer );
+    return SYMCRYPT_NO_ERROR;
+}
+
+PVOID
+SYMCRYPT_CALL
+SymCryptCallbackAllocateMutexFastInproc(void)
+{
+    static const BYTE byte = 0;
+
+    // we want to return a valid non-NULL address so caller can check for NULL
+    return (PVOID)&byte;
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackFreeMutexFastInproc( PVOID pMutex ) {}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackAcquireMutexFastInproc( PVOID pMutex ) {}
+
+VOID
+SYMCRYPT_CALL
+SymCryptCallbackReleaseMutexFastInproc( PVOID pMutex ) {}

modules/linux/common/module.c

@@ -7,7 +7,6 @@
 
 #include "precomp.h"
 
-SYMCRYPT_ENVIRONMENT_LINUX_USERMODE
 
 // Module main function executed by the runtime upon load
 VOID __attribute__((constructor)) SymCryptModuleMain(void)
@@ -75,77 +74,6 @@ VOID __attribute__((destructor)) SymCryptModuleDestructor(void)
     SymCryptRngUninit();
 }
 
-PVOID
-SYMCRYPT_CALL
-SymCryptCallbackAlloc( SIZE_T nBytes )
-{
-    PVOID ptr = NULL;
-    if(posix_memalign( &ptr, SYMCRYPT_ASYM_ALIGN_VALUE, nBytes ) != 0)
-    {
-        return NULL;
-    }
-
-    return ptr;
-}
-
-VOID
-SYMCRYPT_CALL
-SymCryptCallbackFree( VOID * pMem )
-{
-    free( pMem );
-}
-
-SYMCRYPT_ERROR
-SYMCRYPT_CALL
-SymCryptCallbackRandom( PBYTE pbBuffer, SIZE_T cbBuffer )
-{
-    SymCryptRandom( pbBuffer, cbBuffer );
-    return SYMCRYPT_NO_ERROR;
-}
-
-
-PVOID
-SYMCRYPT_CALL
-SymCryptCallbackAllocateMutexFastInproc(void)
-{
-    PVOID ptr = malloc(sizeof(pthread_mutex_t));
-
-    if( ptr )
-    {
-        if( pthread_mutex_init( (pthread_mutex_t *)ptr, NULL ) != 0 )
-        {
-            free(ptr);
-            ptr = NULL;
-        }
-    }
-
-    return ptr;
-}
-
-VOID
-SYMCRYPT_CALL
-SymCryptCallbackFreeMutexFastInproc( PVOID pMutex )
-{
-    pthread_mutex_destroy( (pthread_mutex_t *)pMutex );
-
-    free(pMutex);
-}
-
-VOID
-SYMCRYPT_CALL
-SymCryptCallbackAcquireMutexFastInproc( PVOID pMutex )
-{
-    pthread_mutex_lock( (pthread_mutex_t *)pMutex );
-}
-
-VOID
-SYMCRYPT_CALL
-SymCryptCallbackReleaseMutexFastInproc( PVOID pMutex )
-{
-    pthread_mutex_unlock( (pthread_mutex_t *)pMutex );
-}
-
-
 VOID SYMCRYPT_CALL SymCryptModuleInit( UINT32 api, UINT32 minor )
 {
     if( api != SYMCRYPT_CODE_VERSION_API ||

modules/linux/common/optional/module_linuxUserMode.c

@@ -0,0 +1,10 @@
+//
+// module_linuxUserMode.c
+// SymCrypt env defined for linux user mode
+//
+// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
+//
+
+#include "precomp.h"
+
+SYMCRYPT_ENVIRONMENT_LINUX_USERMODE

modules/linux/common/precomp.h

@@ -4,7 +4,6 @@
 // Copyright (c) Microsoft Corporation. Licensed under the MIT license.
 //
 
-#include <pthread.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>

modules/linux/common/rng.c

@@ -13,7 +13,8 @@
 #define  RANDOM_NUM_CACHE_SIZE         128
 #define  MAX_GENERATE_BEFORE_RESEED    8192
 
-pthread_mutex_t g_rngLock; // lock around access to following global variable
+PVOID g_rngLock; // lock around access to following global variable
+
 BOOLEAN g_RngStateInstantiated = FALSE;
 SYMCRYPT_RNG_AES_STATE g_AesRngState;
 
@@ -53,7 +54,9 @@ VOID
 SYMCRYPT_CALL
 SymCryptRngInit(void)
 {
-    if( pthread_mutex_init( &g_rngLock, NULL ) != 0)
+    g_rngLock = SymCryptCallbackAllocateMutexFastInproc();
+
+    if (g_rngLock == NULL)
     {
         SymCryptFatal( 'rngi' );
     }
@@ -112,7 +115,7 @@ SymCryptRngUninit(void)
     SymCryptEntropyFipsUninit();
     SymCryptEntropySecureUninit();
     SymCryptRngAesUninstantiate( &g_AesRngState );
-    pthread_mutex_destroy( &g_rngLock );
+    SymCryptCallbackFreeMutexFastInproc( g_rngLock );
 }
 
 // This function fills pbRandom with cbRandom bytes. For small requests,
@@ -130,8 +133,8 @@ SymCryptRandom( PBYTE pbRandom, SIZE_T cbRandom )
     {
         return;
     }
-
+    
-    pthread_mutex_lock( &g_rngLock );
+    SymCryptCallbackAcquireMutexFastInproc( g_rngLock );
 
     if( !g_RngStateInstantiated )
     {
@@ -223,7 +226,7 @@ SymCryptRandom( PBYTE pbRandom, SIZE_T cbRandom )
         );
     }
 
-    pthread_mutex_unlock( &g_rngLock );
+    SymCryptCallbackReleaseMutexFastInproc( g_rngLock );
 }
 
 // This function mixes the provided entropy into the RNG state using a call to SymCryptRngAesGenerateSmall
@@ -247,7 +250,7 @@ SymCryptProvideEntropy( PCBYTE pbEntropy, SIZE_T cbEntropy )
     // Get hash result in additionalInput buffer.
     SymCryptSha256Result( &hashState, additionalInput );
 
-    pthread_mutex_lock( &g_rngLock );
+    SymCryptCallbackAcquireMutexFastInproc( g_rngLock );
 
     scError = SymCryptRngAesGenerateSmall(
         &g_AesRngState,
@@ -260,7 +263,7 @@ SymCryptProvideEntropy( PCBYTE pbEntropy, SIZE_T cbEntropy )
         SymCryptFatal( 'acdx' );
     }
 
-    pthread_mutex_unlock( &g_rngLock );
+    SymCryptCallbackReleaseMutexFastInproc( g_rngLock );
 
     SymCryptWipeKnownSize( additionalInput, sizeof(additionalInput) );
 }

modules/linux/generic/CMakeLists.txt

@@ -2,7 +2,9 @@ set(SOURCES
     statusindicator.c
     ../common/optional/rngfipsjitter.c
     ../common/optional/rngforkdetection.c
-    ../common/optional/rngsecureurandom.c)
+    ../common/optional/rngsecureurandom.c
+    ../common/optional/module_linuxUserMode.c
+    ../common/callbacks_pthread.c)
 
 # Enable integrity verification if compiling for AMD64 or ARM64 or ARM
 if(SYMCRYPT_TARGET_ARCH MATCHES "AMD64|ARM")

modules/linux/oe_full/CMakeLists.txt

@@ -1,7 +1,9 @@
 set(SOURCES
     ../common/integrity.c
     statusindicator.c
-    rng.c)
+    rng.c
+    ../common/optional/module_linuxUserMode.c
+    ../common/callbacks_pthread.c)
 
 include_directories(${CMAKE_SOURCE_DIR}/inc ../common)
 

modules/linux/optee/CMakeLists.txt

@@ -0,0 +1,10 @@
+set(SOURCES
+    rng.c
+    module_opteeTa.c
+    ../common/nointegrity.c
+    ../common/callbacks_singlethreaded.c)
+
+include_directories(../common)
+
+# Build SymCrypt lib for OPTEE
+add_library(symcrypt_optee STATIC ${SOURCES} $<TARGET_OBJECTS:symcrypt_envOpteeTa> $<TARGET_OBJECTS:symcrypt_common> $<TARGET_OBJECTS:symcrypt_module_linux_common>)

modules/linux/optee/module_opteeTa.c

@@ -0,0 +1,10 @@
+//
+// module_opteeTa.c
+// SymCrypt env defined for optee TA
+//
+// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
+//
+
+#include "precomp.h"
+
+SYMCRYPT_ENVIRONMENT_OPTEE_TA

modules/linux/optee/rng.c

@@ -0,0 +1,61 @@
+//
+// rng.c
+// Defines secure entropy functions using TEE_GenerateRandom() as the source
+//
+// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
+//
+
+#include "precomp.h"
+#include "rng.h"
+
+// TEE_GenerateRandom gets FIPS/secure RNG from OPTEE (will be Unresolved symbol and will be resolved in linker phase with OPTEE Application)
+void TEE_GenerateRandom(void *randomBuffer, size_t randomBufferLen);
+
+VOID
+SYMCRYPT_CALL
+SymCryptEntropyFipsInit()
+{}
+
+VOID
+SYMCRYPT_CALL
+SymCryptEntropyFipsUninit()
+{}
+
+VOID
+SYMCRYPT_CALL
+SymCryptEntropyFipsGet( _Out_writes_( cbResult ) PBYTE pbResult, SIZE_T cbResult )
+{
+    // TEE_GenerateRandom gets FIPS/secure RNG from OPTEE (implementation is platform specific)
+    TEE_GenerateRandom((void *)pbResult, cbResult);
+}
+
+VOID
+SYMCRYPT_CALL
+SymCryptEntropySecureInit()
+{}
+
+VOID
+SYMCRYPT_CALL
+SymCryptEntropySecureUninit()
+{}
+
+VOID
+SYMCRYPT_CALL
+SymCryptEntropySecureGet( _Out_writes_( cbResult ) PBYTE pbResult, SIZE_T cbResult )
+{
+    // TEE_GenerateRandom gets FIPS/secure RNG from OPTEE (implementation is platform specific)
+    TEE_GenerateRandom((void *)pbResult, cbResult);
+}
+
+// Fork is not supported in Optee so no need to detect it
+VOID
+SYMCRYPT_CALL
+SymCryptRngForkDetectionInit()
+{}
+
+BOOLEAN
+SYMCRYPT_CALL
+SymCryptRngForkDetect()
+{
+    return FALSE;
+}

scripts/build.py

@@ -120,6 +120,12 @@ def configure_cmake(args : argparse.Namespace) -> None:
     if args.openssl_branch:
         cmake_args.append("-DOPENSSL_BUILD_BRANCH=" + args.openssl_branch)
 
+    # OPTEE
+    if args.optee:
+        cmake_args.append("-DSYMCRYPT_OPTEE=ON")
+    
+    if args.ta_dev_kit_inc:
+        cmake_args.append("-DTA_DEV_KIT_INC=" + args.ta_dev_kit_inc)
 
     if args.clean and args.build_dir.exists():
         shutil.rmtree(args.build_dir)
@@ -146,6 +152,9 @@ def build_cmake(args : argparse.Namespace) -> None:
     if args.parallel_build:
         cmake_args.append("-j")
 
+    if args.target:
+        cmake_args.append("--target " + args.target)
+
     invoke_build_tool("cmake", cmake_args)
 
 def build_msbuild(args : argparse.Namespace) -> None:
@@ -217,6 +226,11 @@ def main() -> None:
     parser_cmake.add_argument("--openssl", action = "store_true", help = "Enable OpenSSL performance comparison.", default = False)
     parser_cmake.add_argument("--openssl-branch", type = str, help = "Checkout and build specified branch of OpenSSL.", default = None)
     parser_cmake.add_argument("--openssl-build-from-source", action = "store_true", help = "Build OpenSSL from source.", default = False)
+    parser_cmake.add_argument("--target", type = str, help = "Build a specific target.")
+    
+    # OPTEE
+    parser_cmake.add_argument("--optee", action = "store_true", help = "Build SymCrypt for OPTEE env.", default = False)
+    parser_cmake.add_argument("--ta_dev_kit_inc", type = str, help = "TA DEV KIT include folder, needed for OPTEE TA compilation.")
 
     # MSBuild build options
     parser_msbuild = subparsers.add_parser("msbuild", help = "Build using MSBuild.")