Message ID | 20210214152728.8628-3-jorge@foundries.io |
---|---|
State | Accepted |
Commit | 26839e5ddee369ea68acd8cbc8e24c7180c17e82 |
Delegated to: | Tom Rini |
Series | SCP03 control, documentation and tests. |
On Sun, Feb 14, 2021 at 5:27 PM Jorge Ramirez-Ortiz <jorge@foundries.io> wrote:
>
> Enable and provision the SCP03 keys on a TEE controlled secured element
> from the U-Boot shell.
>
> Executing this command will generate and program new SCP03 encryption
> keys on the secure element NVM.
>
> Depending on the TEE implementation, the keys would then be stored in
> some persistent storage or better derived from some platform secret
> (so they can't be lost).
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> --- > cmd/Kconfig | 8 ++++++++ > cmd/Makefile | 3 +++ > cmd/scp03.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 63 insertions(+) > create mode 100644 cmd/scp03.c > > diff --git a/cmd/Kconfig b/cmd/Kconfig > index 928a2a0a2d..6327374f2c 100644 > --- a/cmd/Kconfig > +++ b/cmd/Kconfig > @@ -2021,6 +2021,14 @@ config HASH_VERIFY > help > Add -v option to verify data against a hash. > > +config CMD_SCP03 > + bool "scp03 - SCP03 enable and rotate/provision operations" > + depends on SCP03 > + help > + This command provides access to a Trusted Application > + running in a TEE to request Secure Channel Protocol 03 > + (SCP03) enablement and/or rotation of its SCP03 keys. > + > config CMD_TPM_V1 > bool > > diff --git a/cmd/Makefile b/cmd/Makefile > index 176bf925fd..a7017e8452 100644 > --- a/cmd/Makefile > +++ b/cmd/Makefile > @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o > # Android Verified Boot 2.0 > obj-$(CONFIG_CMD_AVB) += avb.o > > +# Foundries.IO SCP03 > +obj-$(CONFIG_CMD_SCP03) += scp03.o > + > obj-$(CONFIG_ARM) += arm/ > obj-$(CONFIG_RISCV) += riscv/ > obj-$(CONFIG_SANDBOX) += sandbox/ > diff --git a/cmd/scp03.c b/cmd/scp03.c > new file mode 100644 > index 0000000000..655e0bba08 > --- /dev/null > +++ b/cmd/scp03.c 
> @@ -0,0 +1,52 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * (C) Copyright 2021, Foundries.IO > + * > + */ > + > +#include <common.h> > +#include <command.h> > +#include <env.h> > +#include <scp03.h> > + > +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc, > + char *const argv[]) > +{ > + if (argc != 1) > + return CMD_RET_USAGE; > + > + if (tee_enable_scp03()) { > + printf("TEE failed to enable SCP03\n"); > + return CMD_RET_FAILURE; > + } > + > + printf("SCP03 is enabled\n"); > + > + return CMD_RET_SUCCESS; > +} > + > +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc, > + char *const argv[]) > +{ > + if (argc != 1) > + return CMD_RET_USAGE; > + > + if (tee_provision_scp03()) { > + printf("TEE failed to provision SCP03 keys\n"); > + return CMD_RET_FAILURE; > + } > + > + printf("SCP03 is provisioned\n"); > + > + return CMD_RET_SUCCESS; > +} > + > +static char text[] = > + "provides a command to enable SCP03 and provision the SCP03 keys\n" > + " enable - enable SCP03 on the TEE\n" > + " provision - provision SCP03 on the TEE\n"; > + > +U_BOOT_CMD_WITH_SUBCMDS(scp03, "Secure Channel Protocol 03 control", text, > + U_BOOT_SUBCMD_MKENT(enable, 1, 1, do_scp03_enable), > + U_BOOT_SUBCMD_MKENT(provision, 1, 1, do_scp03_provision)); > + > -- > 2.30.0 > Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>
On Sun, Feb 14, 2021 at 04:27:24PM +0100, Jorge Ramirez-Ortiz wrote:

> Enable and provision the SCP03 keys on a TEE controlled secured element
> from the U-Boot shell.
>
> Executing this command will generate and program new SCP03 encryption
> keys on the secure element NVM.
>
> Depending on the TEE implementation, the keys would then be stored in
> some persistent storage or better derived from some platform secret
> (so they can't be lost).
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>

Applied to u-boot/next, thanks!
diff --git a/cmd/Kconfig b/cmd/Kconfig index 928a2a0a2d..6327374f2c 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -2021,6 +2021,14 @@ config HASH_VERIFY help Add -v option to verify data against a hash. +config CMD_SCP03 + bool "scp03 - SCP03 enable and rotate/provision operations" + depends on SCP03 + help + This command provides access to a Trusted Application + running in a TEE to request Secure Channel Protocol 03 + (SCP03) enablement and/or rotation of its SCP03 keys. + config CMD_TPM_V1 bool diff --git a/cmd/Makefile b/cmd/Makefile index 176bf925fd..a7017e8452 100644 --- a/cmd/Makefile +++ b/cmd/Makefile @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o # Android Verified Boot 2.0 obj-$(CONFIG_CMD_AVB) += avb.o +# Foundries.IO SCP03 +obj-$(CONFIG_CMD_SCP03) += scp03.o + obj-$(CONFIG_ARM) += arm/ obj-$(CONFIG_RISCV) += riscv/ obj-$(CONFIG_SANDBOX) += sandbox/ diff --git a/cmd/scp03.c b/cmd/scp03.c new file mode 100644 index 0000000000..655e0bba08 --- /dev/null +++ b/cmd/scp03.c 
@@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#include <common.h> +#include <command.h> +#include <env.h> +#include <scp03.h> + +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + if (argc != 1) + return CMD_RET_USAGE; + + if (tee_enable_scp03()) { + printf("TEE failed to enable SCP03\n"); + return CMD_RET_FAILURE; + } + + printf("SCP03 is enabled\n"); + + return CMD_RET_SUCCESS; +} + +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + if (argc != 1) + return CMD_RET_USAGE; + + if (tee_provision_scp03()) { + printf("TEE failed to provision SCP03 keys\n"); + return CMD_RET_FAILURE; + } + + printf("SCP03 is provisioned\n"); + + return CMD_RET_SUCCESS; +} + +static char text[] = + "provides a command to enable SCP03 and provision the SCP03 keys\n" + " enable - enable SCP03 on the TEE\n" + " provision - provision SCP03 on the TEE\n"; + +U_BOOT_CMD_WITH_SUBCMDS(scp03, "Secure Channel Protocol 03 control", text, + U_BOOT_SUBCMD_MKENT(enable, 1, 1, do_scp03_enable), + U_BOOT_SUBCMD_MKENT(provision, 1, 1, do_scp03_provision)); +
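Review bot: The help text under `config CMD_SCP03` in cmd/Kconfig does not say that the provision operation writes to the secure element, although the commit message states that it "will generate and program new SCP03 encryption keys on the secure element NVM". Someone enabling the option only reads "enablement and/or rotation of its SCP03 keys". Suggest adding a sentence to the help saying that provisioning programs new keys into the secure element NVM and that how the keys are kept afterwards depends on the TEE implementation. The prompt says "rotate/provision" while the help says only "rotation"; using the same term in both places would read more clearly.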
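Review bot: In cmd/scp03.c, do_scp03_enable() and do_scp03_provision() test the results of tee_enable_scp03() and tee_provision_scp03() only for non-zero and then drop them, so "TEE failed to enable SCP03" and "TEE failed to provision SCP03 keys" give no indication of the cause. Suggest keeping the return value in a local and including it in the message. Both handlers are referenced only through U_BOOT_SUBCMD_MKENT in this same file, so they can be declared static. Nothing in the 52 added lines uses anything from <env.h>, so that include looks unnecessary.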