From patchwork Sun Feb 14 15:27:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jorge Ramirez-Ortiz, Foundries" X-Patchwork-Id: 1440291 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256 header.s=google header.b=jOKifKP6; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Ddrj466Zjz9sBJ for ; Mon, 15 Feb 2021 02:28:08 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id AD37882717; Sun, 14 Feb 2021 16:27:48 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.b="jOKifKP6"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id CF5CE826FC; Sun, 14 Feb 2021 16:27:40 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 557DB82385 for ; Sun, 14 Feb 2021 16:27:36 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jorge@foundries.io Received: by mail-wm1-x32b.google.com with SMTP id l17so4016347wmq.2 for ; Sun, 14 Feb 2021 07:27:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foundries.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=1hSZkWzu1HKGxQTECBmWnVjyCwoLk2JMjm7u9CNSqVo=; b=jOKifKP6qOSVQu+G2/K2aq39lMizbO8Rh1t0CgzfbOUa26eFGX9gB/kZTPWjmk5HVy WDTzfD9RHRPEjWacWshmeZaYRohTECDD/0GT3HEEEwS/XXs9JQkOHTFPN1WeiLghSHK9 Rh7d6AJvnzssVYfsRgiTqEKJ9505B6UA7F3EPxQ1njDmX8iOYwtYi79qzE7/Twb7S6a1 29x06iLgumRo1T8wMHCX4gosi/Em4d3JMT0ZcHDb1hCR6a7K8/kxJcMoFEjbm80Ajn6m Q61F9+D3RFGc5MJv31jndK5jZk8HNc4yZKbJTIQZP9buQP/OmR35RD0ffFgFHBKW3/4z 67dg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=1hSZkWzu1HKGxQTECBmWnVjyCwoLk2JMjm7u9CNSqVo=; b=AFUGMMHVSoNx7c+t4Yn8v82Bziq1rU4y/5s7/ainx1bEFYb3yfInLcc16+WpSsol3s VcoJo2mtOWngFUum6GRZar3LAOv4ttuKr9+w4uD2x2L3Z6Jo07kOTz1YFCTm1fqK5//x Stvf7qN3ukmYXc/7Ju8xPlwSi7K6ItZuMb1veCzE0hNB7DEQfJLt5nYdftE1nDMEDKrS GWuLMAz5FDMikwvg9L8i4ZlIkII2CaxA1MUm/ksn2SZ4TA/9sso/hi3Utb4QfeSy95Ho dGta3YyNOml4y5GEZwc7lQtkqPfsvwYx1aqzm9AACIXlEA6QgMLzHK6z0joZu1tJbhYx gIPg== X-Gm-Message-State: AOAM532QzFxxxo5A1JoMWDcvYB+ReE1Kzo/v+jenFwKih98p8v8aeOd8 sbVv12zOiQ6GSWh9sYmaS9f6Qg== X-Google-Smtp-Source: ABdhPJx1rn3fqz//w3GgNDx1mMqvRdkyRiu80/sE1jRQAtrv4O9gAO50ZgY/beTFIMbe7Y+3MgAPKQ== X-Received: by 2002:a1c:f001:: with SMTP id a1mr10615453wmb.21.1613316455927; Sun, 14 Feb 2021 07:27:35 -0800 (PST) Received: from localhost.localdomain (182.red-79-146-86.dynamicip.rima-tde.net. [79.146.86.182]) by smtp.gmail.com with ESMTPSA id f7sm10520801wmh.39.2021.02.14.07.27.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 14 Feb 2021 07:27:35 -0800 (PST) From: Jorge Ramirez-Ortiz To: jorge@foundries.io, sjg@chromium.org, jens.wiklander@linaro.org Cc: igor.opaniuk@foundries.io, u-boot@lists.denx.de Subject: [PATCHv5 2/6] cmd: SCP03: enable and provision command Date: Sun, 14 Feb 2021 16:27:24 +0100 Message-Id: <20210214152728.8628-3-jorge@foundries.io> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210214152728.8628-1-jorge@foundries.io> References: <20210214152728.8628-1-jorge@foundries.io> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Enable and provision the SCP03 keys on a TEE controlled secured elemt from the U-Boot shell. Executing this command will generate and program new SCP03 encryption keys on the secure element NVM. Depending on the TEE implementation, the keys would then be stored in some persistent storage or better derived from some platform secret (so they can't be lost). Signed-off-by: Jorge Ramirez-Ortiz Reviewed-by: Simon Glass Reviewed-by: Igor Opaniuk --- cmd/Kconfig | 8 ++++++++ cmd/Makefile | 3 +++ cmd/scp03.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 cmd/scp03.c diff --git a/cmd/Kconfig b/cmd/Kconfig index 928a2a0a2d..6327374f2c 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -2021,6 +2021,14 @@ config HASH_VERIFY help Add -v option to verify data against a hash. +config CMD_SCP03 + bool "scp03 - SCP03 enable and rotate/provision operations" + depends on SCP03 + help + This command provides access to a Trusted Application + running in a TEE to request Secure Channel Protocol 03 + (SCP03) enablement and/or rotation of its SCP03 keys. + config CMD_TPM_V1 bool diff --git a/cmd/Makefile b/cmd/Makefile index 176bf925fd..a7017e8452 100644 --- a/cmd/Makefile +++ b/cmd/Makefile @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o # Android Verified Boot 2.0 obj-$(CONFIG_CMD_AVB) += avb.o +# Foundries.IO SCP03 +obj-$(CONFIG_CMD_SCP03) += scp03.o + obj-$(CONFIG_ARM) += arm/ obj-$(CONFIG_RISCV) += riscv/ obj-$(CONFIG_SANDBOX) += sandbox/ diff --git a/cmd/scp03.c b/cmd/scp03.c new file mode 100644 index 0000000000..655e0bba08 --- /dev/null +++ b/cmd/scp03.c @@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#include +#include +#include +#include + +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + if (argc != 1) + return CMD_RET_USAGE; + + if (tee_enable_scp03()) { + printf("TEE failed to enable SCP03\n"); + return CMD_RET_FAILURE; + } + + printf("SCP03 is enabled\n"); + + return CMD_RET_SUCCESS; +} + +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + if (argc != 1) + return CMD_RET_USAGE; + + if (tee_provision_scp03()) { + printf("TEE failed to provision SCP03 keys\n"); + return CMD_RET_FAILURE; + } + + printf("SCP03 is provisioned\n"); + + return CMD_RET_SUCCESS; +} + +static char text[] = + "provides a command to enable SCP03 and provision the SCP03 keys\n" + " enable - enable SCP03 on the TEE\n" + " provision - provision SCP03 on the TEE\n"; + +U_BOOT_CMD_WITH_SUBCMDS(scp03, "Secure Channel Protocol 03 control", text, + U_BOOT_SUBCMD_MKENT(enable, 1, 1, do_scp03_enable), + U_BOOT_SUBCMD_MKENT(provision, 1, 1, do_scp03_provision)); +