From patchwork Sun Feb 14 15:27:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jorge Ramirez-Ortiz, Foundries" X-Patchwork-Id: 1440289 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256 header.s=google header.b=UCBvUWft; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Ddrhw4zmVz9sBJ for ; Mon, 15 Feb 2021 02:27:57 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9DE7382709; Sun, 14 Feb 2021 16:27:44 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.b="UCBvUWft"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id CAE21806C5; Sun, 14 Feb 2021 16:27:38 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 7A682806C5 for ; Sun, 14 Feb 2021 16:27:35 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jorge@foundries.io Received: by mail-wm1-x329.google.com with SMTP id l17so4016323wmq.2 for ; Sun, 14 Feb 2021 07:27:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foundries.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=0vUaZEByBxwNbTiKXtm4FqQVDvKyfcDOoqR5sJkil9E=; b=UCBvUWftFXtlTol3qubv5+Z10gXXQ7w/oLpM6dYzBVgKEKKQZLd3Sb5P4SVVfRGO3R CT9IuP4aVd5HTZcJ/VDa8hBPk1lF0OquQADowLjldY81Zw+MRoNFjOI1o4tno8R7t+zG 7b0minm7ruoxdqhIV0b85VBQRyXR2k3eX3O46YjDdZ1wBN35HsB5BhyImK2HAH/ZjVoy +KlEiuorGx2mWlf2qUn+H90rANaMnO5vq/3GVu0GRIJD9tVgEdCgXDmhsMHNpIhzj0VE XAeSukMSAT5ugboDFrdObntgVLkA0Tj1gOfmVLmaWvYbD6iUOMWQAaIum35MJqAtHBBW mD9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=0vUaZEByBxwNbTiKXtm4FqQVDvKyfcDOoqR5sJkil9E=; b=I33iSdWRia1pOj3JDmRBqpe214nxwN6oRwi8mS7rcFaZTA/ZBXt2yn+/+TA5FyeaQA XODlmlPDn3AK/Ge1gV6iLREUx+ruryV0nGSMoa/hufCvSS94QsXobkleQKPCMFnPDVZa xk2JgZzwGyaf2b5dmuuzvFbgEdGdkXecopMEWB98mF8oz9OfMQYNTQxTBnkR4x/aotQo MKzGcGgh15lDLFPiJPRT+Ot7Us2CZ9AZECh3S2UJpc1uJpOGyaFP5bDDzq2gZTb7vACp ANU0UhqJdTsyBqoF45OaGtbxFAoOHKYVrIPqW0AsnKuyWNvFAJzrsYUynP2PRAthmEfP +SbA== X-Gm-Message-State: AOAM531AsGNmlTGF4YNN+s1Fqx6p0j3nIXP2/l44QNw1S0G2gIGbLI7V MSC6lwYjgp2bn+o/ZtzgqZPW1g== X-Google-Smtp-Source: ABdhPJxzlCmwFxZoKrH0wBP/kdq6u3Nu9E84R2U3qAd70CDFM8xamHE4LGHZE2GIGZihBl63ymnQeA== X-Received: by 2002:a7b:cb05:: with SMTP id u5mr10606538wmj.140.1613316455056; Sun, 14 Feb 2021 07:27:35 -0800 (PST) Received: from localhost.localdomain (182.red-79-146-86.dynamicip.rima-tde.net. [79.146.86.182]) by smtp.gmail.com with ESMTPSA id f7sm10520801wmh.39.2021.02.14.07.27.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 14 Feb 2021 07:27:34 -0800 (PST) From: Jorge Ramirez-Ortiz To: jorge@foundries.io, sjg@chromium.org, jens.wiklander@linaro.org Cc: igor.opaniuk@foundries.io, u-boot@lists.denx.de Subject: [PATCHv5 1/6] common: SCP03 control (enable and provision of keys) Date: Sun, 14 Feb 2021 16:27:23 +0100 Message-Id: <20210214152728.8628-2-jorge@foundries.io> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210214152728.8628-1-jorge@foundries.io> References: <20210214152728.8628-1-jorge@foundries.io> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean This Trusted Application allows enabling SCP03 as well as provisioning the keys on TEE controlled secure element (ie, NXP SE050). All the information flowing on buses (ie I2C) between the processor and the secure element must be encrypted. Secure elements are pre-provisioned with a set of keys known to the user so that the secure channel protocol (encryption) can be enforced on the first boot. This situation is however unsafe since the keys are publically available. For example, in the case of the NXP SE050, these keys would be available in the OP-TEE source tree [2] and of course in the documentation corresponding to the part. To address that, users are required to rotate/provision those keys (ie, generate new keys and write them in the secure element's persistent memory). For information on SCP03, check the Global Platform HomePage and google for that term [1] [1] globalplatform.org [2] https://github.com/OP-TEE/optee_os/ check: core/drivers/crypto/se050/adaptors/utils/scp_config.c Signed-off-by: Jorge Ramirez-Ortiz Reviewed-by: Simon Glass --- common/Kconfig | 8 ++++++ common/Makefile | 1 + common/scp03.c | 53 ++++++++++++++++++++++++++++++++++++ include/scp03.h | 21 ++++++++++++++ include/tee/optee_ta_scp03.h | 21 ++++++++++++++ 5 files changed, 104 insertions(+) create mode 100644 common/scp03.c create mode 100644 include/scp03.h create mode 100644 include/tee/optee_ta_scp03.h diff --git a/common/Kconfig b/common/Kconfig index 2bb3798f80..482f123534 100644 --- a/common/Kconfig +++ b/common/Kconfig @@ -588,6 +588,14 @@ config AVB_BUF_SIZE endif # AVB_VERIFY +config SCP03 + bool "Build SCP03 - Secure Channel Protocol O3 - controls" + depends on OPTEE || SANDBOX + depends on TEE + help + This option allows U-Boot to enable and or provision SCP03 on an OPTEE + controlled Secured Element. + config SPL_HASH bool # "Support hashing API (SHA1, SHA256, etc.)" help diff --git a/common/Makefile b/common/Makefile index daeea67cf2..215b8b26fd 100644 --- a/common/Makefile +++ b/common/Makefile @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o obj-$(CONFIG_AVB_VERIFY) += avb_verify.o +obj-$(CONFIG_SCP03) += scp03.o diff --git a/common/scp03.c b/common/scp03.c new file mode 100644 index 0000000000..09ef7b5ba3 --- /dev/null +++ b/common/scp03.c @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#include +#include +#include +#include + +static int scp03_enable(bool provision) +{ + const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID; + struct tee_open_session_arg session; + struct tee_invoke_arg invoke; + struct tee_param param; + struct udevice *tee = NULL; + + tee = tee_find_device(tee, NULL, NULL, NULL); + if (!tee) + return -ENODEV; + + memset(&session, 0, sizeof(session)); + tee_optee_ta_uuid_to_octets(session.uuid, &uuid); + if (tee_open_session(tee, &session, 0, NULL)) + return -ENXIO; + + memset(¶m, 0, sizeof(param)); + param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT; + param.u.value.a = provision; + + memset(&invoke, 0, sizeof(invoke)); + invoke.func = PTA_CMD_ENABLE_SCP03; + invoke.session = session.session; + + if (tee_invoke_func(tee, &invoke, 1, ¶m)) + return -EIO; + + tee_close_session(tee, session.session); + + return 0; +} + +int tee_enable_scp03(void) +{ + return scp03_enable(false); +} + +int tee_provision_scp03(void) +{ + return scp03_enable(true); +} diff --git a/include/scp03.h b/include/scp03.h new file mode 100644 index 0000000000..729667ccd1 --- /dev/null +++ b/include/scp03.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#ifndef _SCP03_H +#define _SCP03_H + +/* + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its + * Secure Element + * + * If key provisioning is requested, OPTEE shall generate new SCP03 keys and + * write them to the Secure Element. + * + * Both functions return < 0 on error else 0. + */ +int tee_enable_scp03(void); +int tee_provision_scp03(void); +#endif /* _SCP03_H */ diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h new file mode 100644 index 0000000000..13f9956d98 --- /dev/null +++ b/include/tee/optee_ta_scp03.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: BSD-3-Clause */ +/* + * (C) Copyright 2021, Foundries.IO + * + */ +#ifndef __TA_SCP03_H +#define __TA_SCP03_H + +#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \ + { 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } } + +/* + * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element. + * Setting the operation value to something different than NULL will trigger + * the SCP03 provisioning request. + * + * in params[0].a = operation + */ +#define PTA_CMD_ENABLE_SCP03 0 + +#endif /*__TA_SCP03_H*/