[v2,14/15] tee: optee: support AVB trusted application

Message ID 20180823104334.16083-15-jens.wiklander@linaro.org
State New
Headers show
Series
  • AVB using OP-TEE
Related show

Commit Message

Jens Wiklander Aug. 23, 2018, 10:43 a.m.
Adds configuration option OPTEE_TA_AVB and a header file describing the
interface to the AVB trusted application provided by OP-TEE.

Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org>

Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

---
 MAINTAINERS                |  1 +
 drivers/tee/optee/Kconfig  | 16 +++++++++++++
 include/tee.h              |  7 ++++++
 include/tee/optee_ta_avb.h | 48 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 include/tee/optee_ta_avb.h

-- 
2.17.1

Comments

Simon Glass Aug. 30, 2018, 12:29 a.m. | #1
Hi Jens,

On 23 August 2018 at 04:43, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> Adds configuration option OPTEE_TA_AVB and a header file describing the
> interface to the AVB trusted application provided by OP-TEE.

What is AVB? Can you please write it out in full?

>
> Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org>
> Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>
> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> ---
>  MAINTAINERS                |  1 +
>  drivers/tee/optee/Kconfig  | 16 +++++++++++++
>  include/tee.h              |  7 ++++++
>  include/tee/optee_ta_avb.h | 48 ++++++++++++++++++++++++++++++++++++++
>  4 files changed, 72 insertions(+)
>  create mode 100644 include/tee/optee_ta_avb.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 7458c606ee92..cb36c45d74ea 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -576,6 +576,7 @@ M:  Jens Wiklander <jens.wiklander@linaro.org>
>  S:     Maintained
>  F:     drivers/tee/
>  F:     include/tee.h
> +F:     include/tee/
>
>  UBI
>  M:     Kyungmin Park <kmpark@infradead.org>
> diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
> index 8f7ebe161111..a5dc08439629 100644
> --- a/drivers/tee/optee/Kconfig
> +++ b/drivers/tee/optee/Kconfig
> @@ -5,3 +5,19 @@ config OPTEE
>         help
>           This implements the OP-TEE Trusted Execution Environment (TEE)
>           driver.
> +
> +if OPTEE
> +
> +menu "OP-TEE options"
> +
> +config OPTEE_TA_AVB
> +       bool "Support AVB TA"
> +       default y
> +       help
> +         Enables support for the AVB Trusted Application (TA) in OP-TEE.
> +         The TA can support the "avb" subcommands "read_rb", "write"rb"
> +         and "is_unlocked".
> +
> +endmenu
> +
> +endif
> diff --git a/include/tee.h b/include/tee.h
> index 3e6771123ef0..b851d718d32f 100644
> --- a/include/tee.h
> +++ b/include/tee.h
> @@ -48,6 +48,13 @@
>
>  #define TEE_ORIGIN_COMMS               0x00000002
>
> +struct tee_optee_ta_uuid {

Comment on this struct. What is it for?

> +       u32 time_low;
> +       u16 time_mid;
> +       u16 time_hi_and_version;
> +       u8 clock_seq_and_node[8];
> +};
> +
>  /**
>   * struct tee_shm - memory shared with the TEE
>   * @dev:       The TEE device
> diff --git a/include/tee/optee_ta_avb.h b/include/tee/optee_ta_avb.h
> new file mode 100644
> index 000000000000..0e1da084e09d
> --- /dev/null
> +++ b/include/tee/optee_ta_avb.h
> @@ -0,0 +1,48 @@
> +/* SPDX-License-Identifier: BSD-2-Clause */
> +/* Copyright (c) 2018, Linaro Limited */
> +
> +#ifndef __TA_AVB_H
> +#define __TA_AVB_H
> +
> +#define TA_AVB_UUID { 0x023f8f1a, 0x292a, 0x432b, \
> +                     { 0x8f, 0xc4, 0xde, 0x84, 0x71, 0x35, 0x80, 0x67 } }
> +
> +#define TA_AVB_MAX_ROLLBACK_LOCATIONS  256
> +
> +/*
> + * Gets the rollback index corresponding to the given rollback index slot.
> + *
> + * in  params[0].value.a:      rollback index slot
> + * out params[1].value.a:      upper 32 bits of rollback index
> + * out params[1].value.b:      lower 32 bits of rollback index
> + */
> +#define TA_AVB_CMD_READ_ROLLBACK_INDEX 0
> +
> +/*
> + * Updates the rollback index corresponding to the given rollback index slot.
> + *
> + * Will refuse to update a slot with a lower value.
> + *
> + * in  params[0].value.a:      rollback index slot
> + * in  params[1].value.a:      upper 32 bits of rollback index
> + * in  params[1].value.b:      lower 32 bits of rollback index
> + */
> +#define TA_AVB_CMD_WRITE_ROLLBACK_INDEX        1
> +
> +/*
> + * Gets the lock state of the device.
> + *
> + * out params[0].value.a:      lock state
> + */
> +#define TA_AVB_CMD_READ_LOCK_STATE     2
> +
> +/*
> + * Sets the lock state of the device.
> + *
> + * If the lock state is changed all rollback slots will be reset to 0
> + *
> + * in  params[0].value.a:      lock state
> + */
> +#define TA_AVB_CMD_WRITE_LOCK_STATE    3
> +
> +#endif /*__TA_AVB_H*/

Space before */

> --
> 2.17.1
>

Regards,
Simon
Jens Wiklander Aug. 31, 2018, 12:10 p.m. | #2
Hi Simon,

On Wed, Aug 29, 2018 at 06:29:09PM -0600, Simon Glass wrote:
> Hi Jens,
> 
> On 23 August 2018 at 04:43, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> > Adds configuration option OPTEE_TA_AVB and a header file describing the
> > interface to the AVB trusted application provided by OP-TEE.
> 
> What is AVB? Can you please write it out in full?

AVB stands for Android Verified Boot 2.0. However, Google is a bit picky
about how the name Android is used so I'm trying to avoid using it as
much as possible to stay out of trouble. I'll write it out in the commit
message.

> 
> >
> > Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org>
> > Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>
> > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > ---
> >  MAINTAINERS                |  1 +
> >  drivers/tee/optee/Kconfig  | 16 +++++++++++++
> >  include/tee.h              |  7 ++++++
> >  include/tee/optee_ta_avb.h | 48 ++++++++++++++++++++++++++++++++++++++
> >  4 files changed, 72 insertions(+)
> >  create mode 100644 include/tee/optee_ta_avb.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 7458c606ee92..cb36c45d74ea 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -576,6 +576,7 @@ M:  Jens Wiklander <jens.wiklander@linaro.org>
> >  S:     Maintained
> >  F:     drivers/tee/
> >  F:     include/tee.h
> > +F:     include/tee/
> >
> >  UBI
> >  M:     Kyungmin Park <kmpark@infradead.org>
> > diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
> > index 8f7ebe161111..a5dc08439629 100644
> > --- a/drivers/tee/optee/Kconfig
> > +++ b/drivers/tee/optee/Kconfig
> > @@ -5,3 +5,19 @@ config OPTEE
> >         help
> >           This implements the OP-TEE Trusted Execution Environment (TEE)
> >           driver.
> > +
> > +if OPTEE
> > +
> > +menu "OP-TEE options"
> > +
> > +config OPTEE_TA_AVB
> > +       bool "Support AVB TA"
> > +       default y
> > +       help
> > +         Enables support for the AVB Trusted Application (TA) in OP-TEE.
> > +         The TA can support the "avb" subcommands "read_rb", "write"rb"
> > +         and "is_unlocked".
> > +
> > +endmenu
> > +
> > +endif
> > diff --git a/include/tee.h b/include/tee.h
> > index 3e6771123ef0..b851d718d32f 100644
> > --- a/include/tee.h
> > +++ b/include/tee.h
> > @@ -48,6 +48,13 @@
> >
> >  #define TEE_ORIGIN_COMMS               0x00000002
> >
> > +struct tee_optee_ta_uuid {
> 
> Comment on this struct. What is it for?

I'll fix.

> 
> > +       u32 time_low;
> > +       u16 time_mid;
> > +       u16 time_hi_and_version;
> > +       u8 clock_seq_and_node[8];
> > +};
> > +
> >  /**
> >   * struct tee_shm - memory shared with the TEE
> >   * @dev:       The TEE device
> > diff --git a/include/tee/optee_ta_avb.h b/include/tee/optee_ta_avb.h
> > new file mode 100644
> > index 000000000000..0e1da084e09d
> > --- /dev/null
> > +++ b/include/tee/optee_ta_avb.h
> > @@ -0,0 +1,48 @@
> > +/* SPDX-License-Identifier: BSD-2-Clause */
> > +/* Copyright (c) 2018, Linaro Limited */
> > +
> > +#ifndef __TA_AVB_H
> > +#define __TA_AVB_H
> > +
> > +#define TA_AVB_UUID { 0x023f8f1a, 0x292a, 0x432b, \
> > +                     { 0x8f, 0xc4, 0xde, 0x84, 0x71, 0x35, 0x80, 0x67 } }
> > +
> > +#define TA_AVB_MAX_ROLLBACK_LOCATIONS  256
> > +
> > +/*
> > + * Gets the rollback index corresponding to the given rollback index slot.
> > + *
> > + * in  params[0].value.a:      rollback index slot
> > + * out params[1].value.a:      upper 32 bits of rollback index
> > + * out params[1].value.b:      lower 32 bits of rollback index
> > + */
> > +#define TA_AVB_CMD_READ_ROLLBACK_INDEX 0
> > +
> > +/*
> > + * Updates the rollback index corresponding to the given rollback index slot.
> > + *
> > + * Will refuse to update a slot with a lower value.
> > + *
> > + * in  params[0].value.a:      rollback index slot
> > + * in  params[1].value.a:      upper 32 bits of rollback index
> > + * in  params[1].value.b:      lower 32 bits of rollback index
> > + */
> > +#define TA_AVB_CMD_WRITE_ROLLBACK_INDEX        1
> > +
> > +/*
> > + * Gets the lock state of the device.
> > + *
> > + * out params[0].value.a:      lock state
> > + */
> > +#define TA_AVB_CMD_READ_LOCK_STATE     2
> > +
> > +/*
> > + * Sets the lock state of the device.
> > + *
> > + * If the lock state is changed all rollback slots will be reset to 0
> > + *
> > + * in  params[0].value.a:      lock state
> > + */
> > +#define TA_AVB_CMD_WRITE_LOCK_STATE    3
> > +
> > +#endif /*__TA_AVB_H*/
> 
> Space before */
> 
> > --
> > 2.17.1
> >

Thanks for the review,
Jens
Simon Glass Sept. 26, 2018, 5:41 a.m. | #3
Hi Jens,

On 31 August 2018 at 06:10, Jens Wiklander <jens.wiklander@linaro.org> wrote:
>
> Hi Simon,
>
> On Wed, Aug 29, 2018 at 06:29:09PM -0600, Simon Glass wrote:
> > Hi Jens,
> >
> > On 23 August 2018 at 04:43, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> > > Adds configuration option OPTEE_TA_AVB and a header file describing the
> > > interface to the AVB trusted application provided by OP-TEE.
> >
> > What is AVB? Can you please write it out in full?
>
> AVB stands for Android Verified Boot 2.0. However, Google is a bit picky
> about how the name Android is used so I'm trying to avoid using it as
> much as possible to stay out of trouble. I'll write it out in the commit
> message.

I think it should be somewhere in the docs at least. It looks like
this is what you need to follow:

https://developer.android.com/distribute/marketing-tools/brand-guidelines

Regards,
Simon

Patch

diff --git a/MAINTAINERS b/MAINTAINERS
index 7458c606ee92..cb36c45d74ea 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -576,6 +576,7 @@  M:	Jens Wiklander <jens.wiklander@linaro.org>
 S:	Maintained
 F:	drivers/tee/
 F:	include/tee.h
+F:	include/tee/
 
 UBI
 M:	Kyungmin Park <kmpark@infradead.org>
diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
index 8f7ebe161111..a5dc08439629 100644
--- a/drivers/tee/optee/Kconfig
+++ b/drivers/tee/optee/Kconfig
@@ -5,3 +5,19 @@  config OPTEE
 	help
 	  This implements the OP-TEE Trusted Execution Environment (TEE)
 	  driver.
+
+if OPTEE
+
+menu "OP-TEE options"
+
+config OPTEE_TA_AVB
+	bool "Support AVB TA"
+	default y
+	help
+	  Enables support for the AVB Trusted Application (TA) in OP-TEE.
+	  The TA can support the "avb" subcommands "read_rb", "write"rb"
+	  and "is_unlocked".
+
+endmenu
+
+endif
diff --git a/include/tee.h b/include/tee.h
index 3e6771123ef0..b851d718d32f 100644
--- a/include/tee.h
+++ b/include/tee.h
@@ -48,6 +48,13 @@ 
 
 #define TEE_ORIGIN_COMMS		0x00000002
 
+struct tee_optee_ta_uuid {
+	u32 time_low;
+	u16 time_mid;
+	u16 time_hi_and_version;
+	u8 clock_seq_and_node[8];
+};
+
 /**
  * struct tee_shm - memory shared with the TEE
  * @dev:	The TEE device
diff --git a/include/tee/optee_ta_avb.h b/include/tee/optee_ta_avb.h
new file mode 100644
index 000000000000..0e1da084e09d
--- /dev/null
+++ b/include/tee/optee_ta_avb.h
@@ -0,0 +1,48 @@ 
+/* SPDX-License-Identifier: BSD-2-Clause */
+/* Copyright (c) 2018, Linaro Limited */
+
+#ifndef __TA_AVB_H
+#define __TA_AVB_H
+
+#define TA_AVB_UUID { 0x023f8f1a, 0x292a, 0x432b, \
+		      { 0x8f, 0xc4, 0xde, 0x84, 0x71, 0x35, 0x80, 0x67 } }
+
+#define TA_AVB_MAX_ROLLBACK_LOCATIONS	256
+
+/*
+ * Gets the rollback index corresponding to the given rollback index slot.
+ *
+ * in	params[0].value.a:	rollback index slot
+ * out	params[1].value.a:	upper 32 bits of rollback index
+ * out	params[1].value.b:	lower 32 bits of rollback index
+ */
+#define TA_AVB_CMD_READ_ROLLBACK_INDEX	0
+
+/*
+ * Updates the rollback index corresponding to the given rollback index slot.
+ *
+ * Will refuse to update a slot with a lower value.
+ *
+ * in	params[0].value.a:	rollback index slot
+ * in	params[1].value.a:	upper 32 bits of rollback index
+ * in	params[1].value.b:	lower 32 bits of rollback index
+ */
+#define TA_AVB_CMD_WRITE_ROLLBACK_INDEX	1
+
+/*
+ * Gets the lock state of the device.
+ *
+ * out	params[0].value.a:	lock state
+ */
+#define TA_AVB_CMD_READ_LOCK_STATE	2
+
+/*
+ * Sets the lock state of the device.
+ *
+ * If the lock state is changed all rollback slots will be reset to 0
+ *
+ * in	params[0].value.a:	lock state
+ */
+#define TA_AVB_CMD_WRITE_LOCK_STATE	3
+
+#endif /*__TA_AVB_H*/