Message ID | 20210206230504.1958-3-jorge@foundries.io |
State | Superseded |
Delegated to: | Tom Rini |
Series | drivers: tee: sandbox: secure channel protocol control | expand |
Hi Jorge, On Sat, 6 Feb 2021 at 16:05, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote: > > Enable and provision the SCP03 keys on a TEE controlled secured elemt > from the U-Boot shell. > > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> > --- > cmd/Kconfig | 9 ++++++++ > cmd/Makefile | 3 +++ > cmd/scp03.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 76 insertions(+) > create mode 100644 cmd/scp03.c Can we have a test for this please? See mem_search.c for an example. > > diff --git a/cmd/Kconfig b/cmd/Kconfig > index 928a2a0a2d..4f990249b4 100644 > --- a/cmd/Kconfig > +++ b/cmd/Kconfig > @@ -2021,6 +2021,15 @@ config HASH_VERIFY > help > Add -v option to verify data against a hash. > > +config CMD_SCP03 > + bool "scp03 - SCP03 enable and rotate/provision operations" > + depends on SCP03 > + help > + Enables the SCP03 commands to activate I2C channel encryption and I2C-channel ? > + provision the SCP03 keys. > + scp03 enable > + scp03 provision Also add this to doc/usage (see 'make htmldocs') > + > config CMD_TPM_V1 > bool > > diff --git a/cmd/Makefile b/cmd/Makefile > index 176bf925fd..a7017e8452 100644 > --- a/cmd/Makefile > +++ b/cmd/Makefile > @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o > # Android Verified Boot 2.0 > obj-$(CONFIG_CMD_AVB) += avb.o > > +# Foundries.IO SCP03 > +obj-$(CONFIG_CMD_SCP03) += scp03.o > + > obj-$(CONFIG_ARM) += arm/ > obj-$(CONFIG_RISCV) += riscv/ > obj-$(CONFIG_SANDBOX) += sandbox/ > diff --git a/cmd/scp03.c b/cmd/scp03.c > new file mode 100644 > index 0000000000..07913dbd3e > --- /dev/null > +++ b/cmd/scp03.c 
> @@ -0,0 +1,64 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * (C) Copyright 2021, Foundries.IO > + * > + */ > + > +#include <common.h> > +#include <command.h> > +#include <env.h> > +#include <scp03.h> > + > +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc, > + char *const argv[]) > +{ > + if (argc != 1) > + return CMD_RET_USAGE; > + > + if (tee_enable_scp03()) Do you want to report the failure with a message? > + return CMD_RET_FAILURE; > + > + return CMD_RET_SUCCESS; > +} > + > +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc, > + char *const argv[]) > +{ > + if (argc != 1) > + return CMD_RET_USAGE; > + > + if (tee_provision_scp03()) > + return CMD_RET_FAILURE; > + > + return CMD_RET_SUCCESS; > +} > + > +static struct cmd_tbl cmd_scp03[] = { > + U_BOOT_CMD_MKENT(enable, 1, 0, do_scp03_enable, "", ""), > + U_BOOT_CMD_MKENT(provision, 1, 0, do_scp03_provision, "", ""), > +}; > + > +static int do_scp03(struct cmd_tbl *cmdtp, int flag, int argc, > + char * const argv[]) You could use U_BOOT_CMD_WITH_SUBCMDS() which might save some hassle here. > +{ > + struct cmd_tbl *cp; > + > + cp = find_cmd_tbl(argv[1], cmd_scp03, ARRAY_SIZE(cmd_scp03)); > + > + argc--; > + argv++; > + > + if (!cp || argc > cp->maxargs) > + return CMD_RET_USAGE; > + > + if (flag == CMD_FLAG_REPEAT) > + return CMD_RET_FAILURE; > + > + return cp->cmd(cmdtp, flag, argc, argv); > +} > + > +U_BOOT_CMD(scp03, 2, 0, do_scp03, > + "Provides a command to enable SCP03 and provision the SCP03 keys\n", > + "\tenable - enable SCP03\n" > + "\tprovision - provision SCP03\n" > +); > -- > 2.30.0 > Regards, Simon
On 07/02/21, Simon Glass wrote: > Hi Jorge, > > On Sat, 6 Feb 2021 at 16:05, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote: > > > > Enable and provision the SCP03 keys on a TEE controlled secured elemt > > from the U-Boot shell. > > > > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> > > --- > > cmd/Kconfig | 9 ++++++++ > > cmd/Makefile | 3 +++ > > cmd/scp03.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > > 3 files changed, 76 insertions(+) > > create mode 100644 cmd/scp03.c > > Can we have a test for this please? See mem_search.c for an example. you mean other than what I posted already (the sandbox test using the TEE emulator)? I am not really sure what else can it do: this command sends a request to a TEE and waits to a response (and both are emulated on the sandbox). > > > > > diff --git a/cmd/Kconfig b/cmd/Kconfig > > index 928a2a0a2d..4f990249b4 100644 > > --- a/cmd/Kconfig > > +++ b/cmd/Kconfig > > @@ -2021,6 +2021,15 @@ config HASH_VERIFY > > help > > Add -v option to verify data against a hash. > > > > +config CMD_SCP03 > > + bool "scp03 - SCP03 enable and rotate/provision operations" > > + depends on SCP03 > > + help > > + Enables the SCP03 commands to activate I2C channel encryption and > > I2C-channel ? sure > > > + provision the SCP03 keys. > > + scp03 enable > > + scp03 provision > > Also add this to doc/usage (see 'make htmldocs') ok > > > + > > config CMD_TPM_V1 > > bool > > > > diff --git a/cmd/Makefile b/cmd/Makefile > > index 176bf925fd..a7017e8452 100644 > > --- a/cmd/Makefile > > +++ b/cmd/Makefile > > @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o > > # Android Verified Boot 2.0 > > obj-$(CONFIG_CMD_AVB) += avb.o > > > > +# Foundries.IO SCP03 > > +obj-$(CONFIG_CMD_SCP03) += scp03.o > > + > > obj-$(CONFIG_ARM) += arm/ > > obj-$(CONFIG_RISCV) += riscv/ > > obj-$(CONFIG_SANDBOX) += sandbox/ > > diff --git a/cmd/scp03.c b/cmd/scp03.c > > new file mode 100644 > > index 0000000000..07913dbd3e > > --- /dev/null 
> > +++ b/cmd/scp03.c > > @@ -0,0 +1,64 @@ > > +// SPDX-License-Identifier: GPL-2.0+ > > +/* > > + * (C) Copyright 2021, Foundries.IO > > + * > > + */ > > + > > +#include <common.h> > > +#include <command.h> > > +#include <env.h> > > +#include <scp03.h> > > + > > +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc, > > + char *const argv[]) > > +{ > > + if (argc != 1) > > + return CMD_RET_USAGE; > > + > > + if (tee_enable_scp03()) > > Do you want to report the failure with a message? ok > > > + return CMD_RET_FAILURE; > > + > > + return CMD_RET_SUCCESS; > > +} > > + > > +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc, > > + char *const argv[]) > > +{ > > + if (argc != 1) > > + return CMD_RET_USAGE; > > + > > + if (tee_provision_scp03()) > > + return CMD_RET_FAILURE; > > + > > + return CMD_RET_SUCCESS; > > +} > > + > > +static struct cmd_tbl cmd_scp03[] = { > > + U_BOOT_CMD_MKENT(enable, 1, 0, do_scp03_enable, "", ""), > > + U_BOOT_CMD_MKENT(provision, 1, 0, do_scp03_provision, "", ""), > > +}; > > + > > +static int do_scp03(struct cmd_tbl *cmdtp, int flag, int argc, > > + char * const argv[]) > > You could use U_BOOT_CMD_WITH_SUBCMDS() which might save some hassle > here. yes, much nicer. thanks > > > +{ > > + struct cmd_tbl *cp; > > + > > + cp = find_cmd_tbl(argv[1], cmd_scp03, ARRAY_SIZE(cmd_scp03)); > > + > > + argc--; > > + argv++; > > + > > + if (!cp || argc > cp->maxargs) > > + return CMD_RET_USAGE; > > + > > + if (flag == CMD_FLAG_REPEAT) > > + return CMD_RET_FAILURE; > > + > > + return cp->cmd(cmdtp, flag, argc, argv); > > +} > > + > > +U_BOOT_CMD(scp03, 2, 0, do_scp03, > > + "Provides a command to enable SCP03 and provision the SCP03 keys\n", > > + "\tenable - enable SCP03\n" > > + "\tprovision - provision SCP03\n" > > +); > > -- > > 2.30.0 > > > > Regards, > Simon
Hi Jorge, On Sun, 7 Feb 2021 at 11:11, Jorge Ramirez-Ortiz, Foundries <jorge@foundries.io> wrote: > > On 07/02/21, Simon Glass wrote: > > Hi Jorge, > > > > On Sat, 6 Feb 2021 at 16:05, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote: > > > > > > Enable and provision the SCP03 keys on a TEE controlled secured elemt > > > from the U-Boot shell. > > > > > > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> > > > --- > > > cmd/Kconfig | 9 ++++++++ > > > cmd/Makefile | 3 +++ > > > cmd/scp03.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > 3 files changed, 76 insertions(+) > > > create mode 100644 cmd/scp03.c > > > > Can we have a test for this please? See mem_search.c for an example. > > you mean other than what I posted already (the sandbox test using the > TEE emulator)? > > I am not really sure what else can it do: this command sends a request > to a TEE and waits to a response (and both are emulated on the sandbox). It should just be a few lines of code to test the basics. E.g.: https://github.com/u-boot/u-boot/blob/3936fd998668846f77468d8f6a662e906920969c/test/cmd/test_echo.c#L42 Regards, Simon
On 08/02/21, Simon Glass wrote: > Hi Jorge, > > On Sun, 7 Feb 2021 at 11:11, Jorge Ramirez-Ortiz, Foundries > <jorge@foundries.io> wrote: > > > > On 07/02/21, Simon Glass wrote: > > > Hi Jorge, > > > > > > On Sat, 6 Feb 2021 at 16:05, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote: > > > > > > > > Enable and provision the SCP03 keys on a TEE controlled secured elemt > > > > from the U-Boot shell. > > > > > > > > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> > > > > --- > > > > cmd/Kconfig | 9 ++++++++ > > > > cmd/Makefile | 3 +++ > > > > cmd/scp03.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > > 3 files changed, 76 insertions(+) > > > > create mode 100644 cmd/scp03.c > > > > > > Can we have a test for this please? See mem_search.c for an example. > > > > you mean other than what I posted already (the sandbox test using the > > TEE emulator)? > > > > I am not really sure what else can it do: this command sends a request > > to a TEE and waits to a response (and both are emulated on the sandbox). > > It should just be a few lines of code to test the basics. E.g.: > > https://github.com/u-boot/u-boot/blob/3936fd998668846f77468d8f6a662e906920969c/test/cmd/test_echo.c#L42 ah ok I see what you mean. I'll have a look > > Regards, > Simon
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 928a2a0a2d..4f990249b4 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2021,6 +2021,15 @@ config HASH_VERIFY
 help
 Add -v option to verify data against a hash.
+config CMD_SCP03
+ bool "scp03 - SCP03 enable and rotate/provision operations"
+ depends on SCP03
+ help
+ Enables the SCP03 commands to activate I2C channel encryption and
+ provision the SCP03 keys.
+ scp03 enable
+ scp03 provision
+
 config CMD_TPM_V1
 bool
diff --git a/cmd/Makefile b/cmd/Makefile
index 176bf925fd..a7017e8452 100644
--- a/cmd/Makefile
+++ b/cmd/Makefile
@@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o
 # Android Verified Boot 2.0
 obj-$(CONFIG_CMD_AVB) += avb.o
+# Foundries.IO SCP03
+obj-$(CONFIG_CMD_SCP03) += scp03.o
+
 obj-$(CONFIG_ARM) += arm/
 obj-$(CONFIG_RISCV) += riscv/
 obj-$(CONFIG_SANDBOX) += sandbox/
diff --git a/cmd/scp03.c b/cmd/scp03.c
new file mode 100644
index 0000000000..07913dbd3e
--- /dev/null
+++ b/cmd/scp03.c
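Review bot: The CMD_SCP03 help text gives no warning about what `scp03 provision` does to the device, even though the option title calls it a "rotate/provision" operation; if, as that wording implies, provisioning replaces the SCP03 keys the secure element currently accepts, then a rotation issued from an unauthenticated console is a persistent change that U-Boot cannot revert, and `scp03 enable` likewise changes what the secure element will accept on the I2C link. A practitioner deciding whether to turn this option on needs that stated in the help. Suggest appending to the help: `Note: 'provision' rotates the SCP03 keys held by the secure element and 'enable' turns on channel encryption; both are expected to persist beyond the current boot. Only enable this command on builds whose shell is not reachable by untrusted users.` The exact persistence semantics are not visible in this patch and should be confirmed against the TEE driver before wording it as fact.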
@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#include <common.h>
+#include <command.h>
+#include <env.h>
+#include <scp03.h>
+
+int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc,
+ char *const argv[])
+{
+ if (argc != 1)
+ return CMD_RET_USAGE;
+
+ if (tee_enable_scp03())
+ return CMD_RET_FAILURE;
+
+ return CMD_RET_SUCCESS;
+}
+
+int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc,
+ char *const argv[])
+{
+ if (argc != 1)
+ return CMD_RET_USAGE;
+
+ if (tee_provision_scp03())
+ return CMD_RET_FAILURE;
+
+ return CMD_RET_SUCCESS;
+}
+
+static struct cmd_tbl cmd_scp03[] = {
+ U_BOOT_CMD_MKENT(enable, 1, 0, do_scp03_enable, "", ""),
+ U_BOOT_CMD_MKENT(provision, 1, 0, do_scp03_provision, "", ""),
+};
+
+static int do_scp03(struct cmd_tbl *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ struct cmd_tbl *cp;
+
+ cp = find_cmd_tbl(argv[1], cmd_scp03, ARRAY_SIZE(cmd_scp03));
+
+ argc--;
+ argv++;
+
+ if (!cp || argc > cp->maxargs)
+ return CMD_RET_USAGE;
+
+ if (flag == CMD_FLAG_REPEAT)
+ return CMD_RET_FAILURE;
+
+ return cp->cmd(cmdtp, flag, argc, argv);
+}
+
+U_BOOT_CMD(scp03, 2, 0, do_scp03,
+ "Provides a command to enable SCP03 and provision the SCP03 keys\n",
+ "\tenable - enable SCP03\n"
+ "\tprovision - provision SCP03\n"
+);
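Review bot: `do_scp03` passes `argv[1]` to `find_cmd_tbl()` before checking that a subcommand was supplied, so a bare `scp03` reaches the lookup with argc == 1 and whatever sits in `argv[1]` (a NULL terminator, if this shell follows the convention used elsewhere in cmd/); whether `find_cmd_tbl()` tolerates a NULL name is not visible in this hunk, so guard it explicitly with `if (argc < 2) return CMD_RET_USAGE;` ahead of the lookup. `do_scp03_enable` and `do_scp03_provision` are referenced only through the file-local `cmd_scp03` table and have no prototype in a header, so they should be declared `static` like `do_scp03`. `#include <env.h>` is not used by anything in this file and can be dropped. The `flag == CMD_FLAG_REPEAT` check is redundant with `U_BOOT_CMD(scp03, 2, 0, ...)`, whose third argument already registers the command as non-repeatable; it is harmless but worth a one-line comment if it stays.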
Enable and provision the SCP03 keys on a TEE-controlled secure element from the U-Boot shell. Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> --- cmd/Kconfig | 9 ++++++++ cmd/Makefile | 3 +++ cmd/scp03.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 cmd/scp03.c