| Message ID | 20200511181403.19448-6-ilias.apalodimas@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | EFI variable support via OP-TEE | expand |
On 5/11/20 8:14 PM, Ilias Apalodimas wrote: > If OP-TEE is compiled with an EDK2 application running in secure world > it can process and store UEFI variables in an RPMB. > Add documentation for the config options enabling this > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de> > --- > doc/uefi/uefi.rst | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst > index 4fda00d68721..03d6fd0c6aa8 100644 > --- a/doc/uefi/uefi.rst > +++ b/doc/uefi/uefi.rst > @@ -188,6 +188,23 @@ on the sandbox > cd <U-Boot source directory> > pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox > > +Using OP-TEE for EFI variables > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +Instead of implementing UEFI variable services inside U-Boot they can > +also be provided in the secure world by a module for OP-TEE[1]. The > +interface between U-Boot and OP-TEE for variable services is enabled by > +CONFIG_EFI_MM_COMM_TEE=y. > + > +Tianocore EDK II's standalone management mode driver for variables can > +be linked to OP-TEE for this purpose. This module uses the Replay > +Protected Memory Block (RPMB) of an eMMC device for persisting > +non-volatile variables. When calling the variable services via the > +OP-TEE API U-Boot's OP-TEE supplicant relays calls to the RPMB driver > +which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y. > + > +[1] https://optee.readthedocs.io/ - OP-TEE documentation > + > Executing the boot manager > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > >
diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst index 4fda00d68721..03d6fd0c6aa8 100644 --- a/doc/uefi/uefi.rst +++ b/doc/uefi/uefi.rst @@ -188,6 +188,23 @@ on the sandbox cd <U-Boot source directory> pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox +Using OP-TEE for EFI variables +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Instead of implementing UEFI variable services inside U-Boot they can +also be provided in the secure world by a module for OP-TEE[1]. The +interface between U-Boot and OP-TEE for variable services is enabled by +CONFIG_EFI_MM_COMM_TEE=y. + +Tianocore EDK II's standalone management mode driver for variables can +be linked to OP-TEE for this purpose. This module uses the Replay +Protected Memory Block (RPMB) of an eMMC device for persisting +non-volatile variables. When calling the variable services via the +OP-TEE API U-Boot's OP-TEE supplicant relays calls to the RPMB driver +which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y. + +[1] https://optee.readthedocs.io/ - OP-TEE documentation + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
If OP-TEE is compiled with an EDK2 application running in secure world it can process and store UEFI variables in an RPMB. Add documentation for the config options enabling this Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org> --- doc/uefi/uefi.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)