[v4,00/19] AVB using OP-TEE

Message ID 20180925144023.24555-1-jens.wiklander@linaro.org
Headers show
Series
  • AVB using OP-TEE
Related show

Message

Jens Wiklander Sept. 25, 2018, 2:40 p.m.
Hi,

This adds support for storing AVB rollback indexes in the RPMB partition.
The RPMB partition (content and key) is managed by OP-TEE
(https://www.op-tee.org/) which is a secure OS leveraging ARM TrustZone.

The Linux kernel can already support OP-TEE with reading and updating
rollback indexes in the RPMB partition, the catch is that this is needed
before the kernel has booted.

The design here is the same as what is in the Linux kernel, with the
exception that the user space daemon tee-supplicant is integrated in the
OP-TEE driver here (drivers/tee/optee/supplicant.c) instead. A new uclass
(UCLASS_TEE) is introduced to provide an abstraction for interfacing with a
Trusted Execution Environment (TEE). There's also the OP-TEE driver using
UCLASS_TEE for registration.

A Trusted Application (TA) interface is added to be used by the AVB verify
functions which are updated accordingly. The TA is managed by OP-TEE and is
executed in a secure TrustZone protected environment.

The header files drivers/tee/optee/optee_{msg,msg_supplicant,smc}.h and
include/tee/optee_ta_avb.h are copied from
https://github.com/OP-TEE/optee_os/tree/master more or less unmodified.
They may need to be updated from time to time in order to support new
features.

In MMC there's a new function, mmc_rpmb_route_frames(), which as the name
suggests is used to route RPMB frames to/from the MMC. This saves OP-TEE
from implementing an MMC driver which would need to share resources with
its counterpart here in U-Boot.

This was tested on a Hikey (Kirin 620) board.

I've added myself as maintainer of the TEE stuff.

changes in v4:
* Addressed review comments from Simon Glass
* Rebased on v2018.09
* "avb_verify: bugfix avb_ops_free() skipping free" removed due to the rebase
* Commits "dt/bindings: add bindings for optee",
  "sandbox: imply CONFIG_TEE (TEE uclass)",
  "tee: add sandbox driver",
  "avb_verify: support using OP-TEE TA AVB",
  "test_avb: Update pymark.buildconfigspec information for the AVB tests",
  "Kconfig: sandbox: enable cmd_avb and dependencies",
  Reviewed-by: Simon Glass <sjg@chromium.org>

* Added descriptions of additional structs and functions
* In commit "avb_verify: support sandbox configuration" avoid the
  #ifdef CONFIG_SANDBOX in get_sector_buf() as suggested by Simon.

changes in v3:
* Addressed review comments from Simon Glass
* A few new patches
  - "avb_verify: bugfix avb_ops_free() skipping free"
  - "tee: add sandbox driver"
  - "test_avb: Update pymark.buildconfigspec information for the AVB tests"
  - "avb_verify: support sandbox configuration"
  - "Kconfig: sandbox: enable cmd_avb and dependencies"
* "sandbox: imply CONFIG_TEE (TEE uclass)", replacing
  "configs: sandbox: enable CONFIG_TEE (TEE uclass)"
* Moved sandbox driver to drivers/tee and added code to emulate the AVB TA
* Enabled a few AVB tests (test/py/tests/test_avb.py) for sandbox
* Bugfix tee_find_device()
* Commits "dm: fdt: scan for devices under /firmware too",
  "cmd: avb read_rb: print rb_idx in hexadecimal",
  "cmd: avb: print error message if command fails",
  "Add UCLASS_TEE for Trusted Execution Environment",
  "tee: add OP-TEE driver",
  "Documentation: tee uclass and op-tee driver",
  "test: tee: test TEE uclass",
  "arm: dt: hikey: Add optee node" and
  "sandbox: dt: add sandbox_tee node"
  Reviewed-by: Simon Glass <sjg@chromium.org>


changes in v2:
* Added sandbox driver and a test in test/dm for the new TEE uclass:
  Commit ("test: tee: test TEE uclass") and the enabling commits
  ("sandbox: dt: add sandbox_tee node") and
  ("configs: sandbox: enable CONFIG_TEE (TEE uclass)")
* Added descriptions of exported structs and functions
* Added documentation for the TEE uclass and the OP-TEE driver with
  the new commit ("Documentation: tee uclass and op-tee driver")
* Added documentation for the changes in avb_verify
* Addressed review comments from Simon Glass
* Added the commit ("cmd: avb: print error message if command fails")
* Made a few functions static in the OP-TEE driver
* Commit ("cmd: avb read_rb: print rb_idx in hexadecimal") and
  ("tee: optee: support AVB trusted application");
  Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>


Thanks,
Jens

Jens Wiklander (19):
  dm: fdt: scan for devices under /firmware too
  cmd: avb read_rb: print rb_idx in hexadecimal
  cmd: avb: print error message if command fails
  mmc: rpmb: add mmc_rpmb_route_frames()
  Add UCLASS_TEE for Trusted Execution Environment
  dt/bindings: add bindings for optee
  tee: add OP-TEE driver
  Documentation: tee uclass and op-tee driver
  arm: dt: hikey: Add optee node
  optee: support routing of rpmb data frames to mmc
  tee: optee: support AVB trusted application
  sandbox: dt: add sandbox_tee node
  sandbox: imply CONFIG_TEE (TEE uclass)
  tee: add sandbox driver
  test: tee: test TEE uclass
  avb_verify: support using OP-TEE TA AVB
  test_avb: Update pymark.buildconfigspec information for the AVB tests
  avb_verify: support sandbox configuration
  Kconfig: sandbox: enable cmd_avb and dependencies

 MAINTAINERS                                   |   7 +
 arch/Kconfig                                  |   5 +
 arch/arm/dts/hi6220-hikey.dts                 |   7 +
 arch/sandbox/dts/sandbox.dts                  |   4 +
 arch/sandbox/dts/sandbox64.dts                |   4 +
 arch/sandbox/dts/test.dts                     |   4 +
 cmd/avb.c                                     |  19 +-
 common/avb_verify.c                           | 118 +++-
 doc/README.avb2                               |  13 +
 doc/README.tee                                | 112 +++
 .../firmware/linaro,optee-tz.txt              |  31 +
 drivers/Kconfig                               |   2 +
 drivers/Makefile                              |   1 +
 drivers/core/root.c                           |  15 +-
 drivers/fastboot/Kconfig                      |   2 +
 drivers/mmc/rpmb.c                            | 160 +++++
 drivers/tee/Kconfig                           |  35 +
 drivers/tee/Makefile                          |   5 +
 drivers/tee/optee/Kconfig                     |  27 +
 drivers/tee/optee/Makefile                    |   5 +
 drivers/tee/optee/core.c                      | 662 ++++++++++++++++++
 drivers/tee/optee/optee_msg.h                 | 425 +++++++++++
 drivers/tee/optee/optee_msg_supplicant.h      | 240 +++++++
 drivers/tee/optee/optee_private.h             |  65 ++
 drivers/tee/optee/optee_smc.h                 | 450 ++++++++++++
 drivers/tee/optee/rpmb.c                      | 181 +++++
 drivers/tee/optee/supplicant.c                |  96 +++
 drivers/tee/sandbox.c                         | 308 ++++++++
 drivers/tee/tee-uclass.c                      | 233 ++++++
 include/avb_verify.h                          |   7 +-
 include/dm/uclass-id.h                        |   1 +
 include/mmc.h                                 |  19 +
 include/sandboxtee.h                          |  21 +
 include/tee.h                                 | 374 ++++++++++
 include/tee/optee_ta_avb.h                    |  48 ++
 test/dm/Makefile                              |   1 +
 test/dm/tee.c                                 |  98 +++
 test/py/tests/test_avb.py                     |   8 +-
 38 files changed, 3802 insertions(+), 11 deletions(-)
 create mode 100644 doc/README.tee
 create mode 100644 doc/device-tree-bindings/firmware/linaro,optee-tz.txt
 create mode 100644 drivers/tee/Kconfig
 create mode 100644 drivers/tee/Makefile
 create mode 100644 drivers/tee/optee/Kconfig
 create mode 100644 drivers/tee/optee/Makefile
 create mode 100644 drivers/tee/optee/core.c
 create mode 100644 drivers/tee/optee/optee_msg.h
 create mode 100644 drivers/tee/optee/optee_msg_supplicant.h
 create mode 100644 drivers/tee/optee/optee_private.h
 create mode 100644 drivers/tee/optee/optee_smc.h
 create mode 100644 drivers/tee/optee/rpmb.c
 create mode 100644 drivers/tee/optee/supplicant.c
 create mode 100644 drivers/tee/sandbox.c
 create mode 100644 drivers/tee/tee-uclass.c
 create mode 100644 include/sandboxtee.h
 create mode 100644 include/tee.h
 create mode 100644 include/tee/optee_ta_avb.h
 create mode 100644 test/dm/tee.c

-- 
2.17.1

Comments

Simon Glass Oct. 2, 2018, 11:21 a.m. | #1
Hi Jen,

On 25 September 2018 at 07:40, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> Hi,
>
> This adds support for storing AVB rollback indexes in the RPMB partition.
> The RPMB partition (content and key) is managed by OP-TEE
> (https://www.op-tee.org/) which is a secure OS leveraging ARM TrustZone.
>
> The Linux kernel can already support OP-TEE with reading and updating
> rollback indexes in the RPMB partition, the catch is that this is needed
> before the kernel has booted.
>
> The design here is the same as what is in the Linux kernel, with the
> exception that the user space daemon tee-supplicant is integrated in the
> OP-TEE driver here (drivers/tee/optee/supplicant.c) instead. A new uclass
> (UCLASS_TEE) is introduced to provide an abstraction for interfacing with a
> Trusted Execution Environment (TEE). There's also the OP-TEE driver using
> UCLASS_TEE for registration.
>
> A Trusted Application (TA) interface is added to be used by the AVB verify
> functions which are updated accordingly. The TA is managed by OP-TEE and is
> executed in a secure TrustZone protected environment.
>
> The header files drivers/tee/optee/optee_{msg,msg_supplicant,smc}.h and
> include/tee/optee_ta_avb.h are copied from
> https://github.com/OP-TEE/optee_os/tree/master more or less unmodified.
> They may need to be updated from time to time in order to support new
> features.
>
> In MMC there's a new function, mmc_rpmb_route_frames(), which as the name
> suggests is used to route RPMB frames to/from the MMC. This saves OP-TEE
> from implementing an MMC driver which would need to share resources with
> its counterpart here in U-Boot.
>
> This was tested on a Hikey (Kirin 620) board.
>
> I've added myself as maintainer of the TEE stuff.
>
> changes in v4:
> * Addressed review comments from Simon Glass
> * Rebased on v2018.09
> * "avb_verify: bugfix avb_ops_free() skipping free" removed due to the rebase
> * Commits "dt/bindings: add bindings for optee",
>   "sandbox: imply CONFIG_TEE (TEE uclass)",
>   "tee: add sandbox driver",
>   "avb_verify: support using OP-TEE TA AVB",
>   "test_avb: Update pymark.buildconfigspec information for the AVB tests",
>   "Kconfig: sandbox: enable cmd_avb and dependencies",
>   Reviewed-by: Simon Glass <sjg@chromium.org>
> * Added descriptions of additional structs and functions
> * In commit "avb_verify: support sandbox configuration" avoid the
>   #ifdef CONFIG_SANDBOX in get_sector_buf() as suggested by Simon.

You might consider using patman, where you add the change log for each
patch individually, and it produces the change log for the series
automatically.

I find it harder to review patches which don't have their own
individual change log.

Regards,
Simon
Jens Wiklander Oct. 8, 2018, 7:18 a.m. | #2
Hi Simon,

On Tue, Oct 2, 2018 at 1:21 PM, Simon Glass <sjg@chromium.org> wrote:
> Hi Jen,
>
> On 25 September 2018 at 07:40, Jens Wiklander <jens.wiklander@linaro.org> wrote:
>> Hi,
>>
>> This adds support for storing AVB rollback indexes in the RPMB partition.
>> The RPMB partition (content and key) is managed by OP-TEE
>> (https://www.op-tee.org/) which is a secure OS leveraging ARM TrustZone.
>>
>> The Linux kernel can already support OP-TEE with reading and updating
>> rollback indexes in the RPMB partition, the catch is that this is needed
>> before the kernel has booted.
>>
>> The design here is the same as what is in the Linux kernel, with the
>> exception that the user space daemon tee-supplicant is integrated in the
>> OP-TEE driver here (drivers/tee/optee/supplicant.c) instead. A new uclass
>> (UCLASS_TEE) is introduced to provide an abstraction for interfacing with a
>> Trusted Execution Environment (TEE). There's also the OP-TEE driver using
>> UCLASS_TEE for registration.
>>
>> A Trusted Application (TA) interface is added to be used by the AVB verify
>> functions which are updated accordingly. The TA is managed by OP-TEE and is
>> executed in a secure TrustZone protected environment.
>>
>> The header files drivers/tee/optee/optee_{msg,msg_supplicant,smc}.h and
>> include/tee/optee_ta_avb.h are copied from
>> https://github.com/OP-TEE/optee_os/tree/master more or less unmodified.
>> They may need to be updated from time to time in order to support new
>> features.
>>
>> In MMC there's a new function, mmc_rpmb_route_frames(), which as the name
>> suggests is used to route RPMB frames to/from the MMC. This saves OP-TEE
>> from implementing an MMC driver which would need to share resources with
>> its counterpart here in U-Boot.
>>
>> This was tested on a Hikey (Kirin 620) board.
>>
>> I've added myself as maintainer of the TEE stuff.
>>
>> changes in v4:
>> * Addressed review comments from Simon Glass
>> * Rebased on v2018.09
>> * "avb_verify: bugfix avb_ops_free() skipping free" removed due to the rebase
>> * Commits "dt/bindings: add bindings for optee",
>>   "sandbox: imply CONFIG_TEE (TEE uclass)",
>>   "tee: add sandbox driver",
>>   "avb_verify: support using OP-TEE TA AVB",
>>   "test_avb: Update patiensepymark.buildconfigspec information for the AVB tests",
>>   "Kconfig: sandbox: enable cmd_avb and dependencies",
>>   Reviewed-by: Simon Glass <sjg@chromium.org>
>> * Added descriptions of additional structs and functions
>> * In commit "avb_verify: support sandbox configuration" avoid the
>>   #ifdef CONFIG_SANDBOX in get_sector_buf() as suggested by Simon.
>
> You might consider using patman, where you add the change log for each
> patch individually, and it produces the change log for the series
> automatically.
>
> I find it harder to review patches which don't have their own
> individual change log.

I'll try patman next time. A big thank you for reviewing this patch series.

--
Jens
Simon Glass Oct. 9, 2018, 3:40 a.m. | #3
Hi Jens,

On 8 October 2018 at 01:18, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> Hi Simon,
>
> On Tue, Oct 2, 2018 at 1:21 PM, Simon Glass <sjg@chromium.org> wrote:
>> Hi Jen,
>>
>> On 25 September 2018 at 07:40, Jens Wiklander <jens.wiklander@linaro.org> wrote:
>>> Hi,
>>>
>>> This adds support for storing AVB rollback indexes in the RPMB partition.
>>> The RPMB partition (content and key) is managed by OP-TEE
>>> (https://www.op-tee.org/) which is a secure OS leveraging ARM TrustZone.
>>>
>>> The Linux kernel can already support OP-TEE with reading and updating
>>> rollback indexes in the RPMB partition, the catch is that this is needed
>>> before the kernel has booted.
>>>
>>> The design here is the same as what is in the Linux kernel, with the
>>> exception that the user space daemon tee-supplicant is integrated in the
>>> OP-TEE driver here (drivers/tee/optee/supplicant.c) instead. A new uclass
>>> (UCLASS_TEE) is introduced to provide an abstraction for interfacing with a
>>> Trusted Execution Environment (TEE). There's also the OP-TEE driver using
>>> UCLASS_TEE for registration.
>>>
>>> A Trusted Application (TA) interface is added to be used by the AVB verify
>>> functions which are updated accordingly. The TA is managed by OP-TEE and is
>>> executed in a secure TrustZone protected environment.
>>>
>>> The header files drivers/tee/optee/optee_{msg,msg_supplicant,smc}.h and
>>> include/tee/optee_ta_avb.h are copied from
>>> https://github.com/OP-TEE/optee_os/tree/master more or less unmodified.
>>> They may need to be updated from time to time in order to support new
>>> features.
>>>
>>> In MMC there's a new function, mmc_rpmb_route_frames(), which as the name
>>> suggests is used to route RPMB frames to/from the MMC. This saves OP-TEE
>>> from implementing an MMC driver which would need to share resources with
>>> its counterpart here in U-Boot.
>>>
>>> This was tested on a Hikey (Kirin 620) board.
>>>
>>> I've added myself as maintainer of the TEE stuff.
>>>
>>> changes in v4:
>>> * Addressed review comments from Simon Glass
>>> * Rebased on v2018.09
>>> * "avb_verify: bugfix avb_ops_free() skipping free" removed due to the rebase
>>> * Commits "dt/bindings: add bindings for optee",
>>>   "sandbox: imply CONFIG_TEE (TEE uclass)",
>>>   "tee: add sandbox driver",
>>>   "avb_verify: support using OP-TEE TA AVB",
>>>   "test_avb: Update patiensepymark.buildconfigspec information for the AVB tests",
>>>   "Kconfig: sandbox: enable cmd_avb and dependencies",
>>>   Reviewed-by: Simon Glass <sjg@chromium.org>
>>> * Added descriptions of additional structs and functions
>>> * In commit "avb_verify: support sandbox configuration" avoid the
>>>   #ifdef CONFIG_SANDBOX in get_sector_buf() as suggested by Simon.
>>
>> You might consider using patman, where you add the change log for each
>> patch individually, and it produces the change log for the series
>> automatically.
>>
>> I find it harder to review patches which don't have their own
>> individual change log.
>
> I'll try patman next time. A big thank you for reviewing this patch series.

You made it pretty easy :-) Thanks.

- Simon