Message ID | 20210209201038.28747-1-jorge@foundries.io |
---|---|
State | Superseded |
Delegated to: | Tom Rini |
Headers | show |
Series | [PATCHv5,1/6] common: SCP03 control (enable and provision of keys) | expand |
On 09/02/21, Jorge Ramirez-Ortiz wrote: > This Trusted Application allows enabling SCP03 as well as provisioning > the keys on TEE controlled secure element (ie, NXP SE050). > > All the information flowing on buses (ie I2C) between the processor > and the secure element must be encrypted. Secure elements are > pre-provisioned with a set of keys known to the user so that the > secure channel protocol (encryption) can be enforced on the first > boot. This situation is however unsafe since the keys are publically > available. > > For example, in the case of the NXP SE050, these keys would be > available in the OP-TEE source tree [2] and of course in the > documentation corresponding to the part. > > To address that, users are required to rotate/provision those keys > (ie, generate new keys and write them in the secure element's > persistent memory). > > For information on SCP03, check the Global Platform HomePage and > google for that term [1] > [1] globalplatform.org > [2] https://github.com/OP-TEE/optee_os/ > check: > core/drivers/crypto/se050/adaptors/utils/scp_config.c > hi Simon, we added the tests that you asked for. all ok with this series? thanks! > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> > Reviewed-by: Simon Glass <sjg@chromium.org> > --- > common/Kconfig | 8 ++++++ > common/Makefile | 1 + > common/scp03.c | 53 ++++++++++++++++++++++++++++++++++++ > include/scp03.h | 21 ++++++++++++++ > include/tee/optee_ta_scp03.h | 21 ++++++++++++++ > 5 files changed, 104 insertions(+) > create mode 100644 common/scp03.c > create mode 100644 include/scp03.h > create mode 100644 include/tee/optee_ta_scp03.h > > diff --git a/common/Kconfig b/common/Kconfig > index 2bb3798f80..482f123534 100644 > --- a/common/Kconfig > +++ b/common/Kconfig > @@ -588,6 +588,14 @@ config AVB_BUF_SIZE > > endif # AVB_VERIFY > > +config SCP03 > + bool "Build SCP03 - Secure Channel Protocol O3 - controls" > + depends on OPTEE || SANDBOX > + depends on TEE > + help > + This option allows U-Boot to enable and or provision SCP03 on an OPTEE > + controlled Secured Element. > + > config SPL_HASH > bool # "Support hashing API (SHA1, SHA256, etc.)" > help > diff --git a/common/Makefile b/common/Makefile > index daeea67cf2..215b8b26fd 100644 > --- a/common/Makefile > +++ b/common/Makefile > @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o > obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o > > obj-$(CONFIG_AVB_VERIFY) += avb_verify.o > +obj-$(CONFIG_SCP03) += scp03.o > diff --git a/common/scp03.c b/common/scp03.c > new file mode 100644 > index 0000000000..09ef7b5ba3 > --- /dev/null > +++ b/common/scp03.c > @@ -0,0 +1,53 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * (C) Copyright 2021, Foundries.IO > + * > + */ > + > +#include <common.h> > +#include <scp03.h> > +#include <tee.h> > +#include <tee/optee_ta_scp03.h> > + > +static int scp03_enable(bool provision) > +{ > + const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID; > + struct tee_open_session_arg session; > + struct tee_invoke_arg invoke; > + struct tee_param param; > + struct udevice *tee = NULL; > + > + tee = tee_find_device(tee, NULL, NULL, NULL); > + if (!tee) > + return -ENODEV; > + > + memset(&session, 0, sizeof(session)); > + tee_optee_ta_uuid_to_octets(session.uuid, &uuid); > + if (tee_open_session(tee, &session, 0, NULL)) > + return -ENXIO; > + > + memset(¶m, 0, sizeof(param)); > + param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT; > + param.u.value.a = provision; > + > + memset(&invoke, 0, sizeof(invoke)); > + invoke.func = PTA_CMD_ENABLE_SCP03; > + invoke.session = session.session; > + > + if (tee_invoke_func(tee, &invoke, 1, ¶m)) > + return -EIO; > + > + tee_close_session(tee, session.session); > + > + return 0; > +} > + > +int tee_enable_scp03(void) > +{ > + return scp03_enable(false); > +} > + > +int tee_provision_scp03(void) > +{ > + return scp03_enable(true); > +} > diff --git a/include/scp03.h b/include/scp03.h > new file mode 100644 > index 0000000000..729667ccd1 > --- /dev/null > +++ b/include/scp03.h > @@ -0,0 +1,21 @@ > +/* SPDX-License-Identifier: GPL-2.0+ */ > +/* > + * (C) Copyright 2021, Foundries.IO > + * > + */ > + > +#ifndef _SCP03_H > +#define _SCP03_H > + > +/* > + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its > + * Secure Element > + * > + * If key provisioning is requested, OPTEE shall generate new SCP03 keys and > + * write them to the Secure Element. > + * > + * Both functions return < 0 on error else 0. > + */ > +int tee_enable_scp03(void); > +int tee_provision_scp03(void); > +#endif /* _SCP03_H */ > diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h > new file mode 100644 > index 0000000000..13f9956d98 > --- /dev/null > +++ b/include/tee/optee_ta_scp03.h > @@ -0,0 +1,21 @@ > +/* SPDX-License-Identifier: BSD-3-Clause */ > +/* > + * (C) Copyright 2021, Foundries.IO > + * > + */ > +#ifndef __TA_SCP03_H > +#define __TA_SCP03_H > + > +#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \ > + { 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } } > + > +/* > + * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element. > + * Setting the operation value to something different than NULL will trigger > + * the SCP03 provisioning request. > + * > + * in params[0].a = operation > + */ > +#define PTA_CMD_ENABLE_SCP03 0 > + > +#endif /*__TA_SCP03_H*/ > -- > 2.30.0 >
diff --git a/common/Kconfig b/common/Kconfig index 2bb3798f80..482f123534 100644 --- a/common/Kconfig +++ b/common/Kconfig @@ -588,6 +588,14 @@ config AVB_BUF_SIZE endif # AVB_VERIFY +config SCP03 + bool "Build SCP03 - Secure Channel Protocol O3 - controls" + depends on OPTEE || SANDBOX + depends on TEE + help + This option allows U-Boot to enable and or provision SCP03 on an OPTEE + controlled Secured Element. + config SPL_HASH bool # "Support hashing API (SHA1, SHA256, etc.)" help diff --git a/common/Makefile b/common/Makefile index daeea67cf2..215b8b26fd 100644 --- a/common/Makefile +++ b/common/Makefile @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o obj-$(CONFIG_AVB_VERIFY) += avb_verify.o +obj-$(CONFIG_SCP03) += scp03.o diff --git a/common/scp03.c b/common/scp03.c new file mode 100644 index 0000000000..09ef7b5ba3 --- /dev/null +++ b/common/scp03.c @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#include <common.h> +#include <scp03.h> +#include <tee.h> +#include <tee/optee_ta_scp03.h> + +static int scp03_enable(bool provision) +{ + const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID; + struct tee_open_session_arg session; + struct tee_invoke_arg invoke; + struct tee_param param; + struct udevice *tee = NULL; + + tee = tee_find_device(tee, NULL, NULL, NULL); + if (!tee) + return -ENODEV; + + memset(&session, 0, sizeof(session)); + tee_optee_ta_uuid_to_octets(session.uuid, &uuid); + if (tee_open_session(tee, &session, 0, NULL)) + return -ENXIO; + + memset(¶m, 0, sizeof(param)); + param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT; + param.u.value.a = provision; + + memset(&invoke, 0, sizeof(invoke)); + invoke.func = PTA_CMD_ENABLE_SCP03; + invoke.session = session.session; + + if (tee_invoke_func(tee, &invoke, 1, ¶m)) + return -EIO; + + tee_close_session(tee, session.session); + + return 0; +} + +int tee_enable_scp03(void) +{ + return scp03_enable(false); +} + +int tee_provision_scp03(void) +{ + return scp03_enable(true); +} diff --git a/include/scp03.h b/include/scp03.h new file mode 100644 index 0000000000..729667ccd1 --- /dev/null +++ b/include/scp03.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#ifndef _SCP03_H +#define _SCP03_H + +/* + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its + * Secure Element + * + * If key provisioning is requested, OPTEE shall generate new SCP03 keys and + * write them to the Secure Element. + * + * Both functions return < 0 on error else 0. + */ +int tee_enable_scp03(void); +int tee_provision_scp03(void); +#endif /* _SCP03_H */ diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h new file mode 100644 index 0000000000..13f9956d98 --- /dev/null +++ b/include/tee/optee_ta_scp03.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: BSD-3-Clause */ +/* + * (C) Copyright 2021, Foundries.IO + * + */ +#ifndef __TA_SCP03_H +#define __TA_SCP03_H + +#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \ + { 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } } + +/* + * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element. + * Setting the operation value to something different than NULL will trigger + * the SCP03 provisioning request. + * + * in params[0].a = operation + */ +#define PTA_CMD_ENABLE_SCP03 0 + +#endif /*__TA_SCP03_H*/