From patchwork Sun Feb 7 18:26:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jorge Ramirez-Ortiz, Foundries" X-Patchwork-Id: 1437236 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256 header.s=google header.b=DE1UxF8c; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DYd0l5Vdvz9sVJ for ; Mon, 8 Feb 2021 05:27:03 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 1EB7582791; Sun, 7 Feb 2021 19:26:53 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.b="DE1UxF8c"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 70086826F6; Sun, 7 Feb 2021 19:26:47 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id DCE0D826F6 for ; Sun, 7 Feb 2021 19:26:43 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jorge@foundries.io Received: by mail-wr1-x435.google.com with SMTP id c12so14589319wrc.7 for ; Sun, 07 Feb 2021 10:26:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foundries.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=0vUaZEByBxwNbTiKXtm4FqQVDvKyfcDOoqR5sJkil9E=; b=DE1UxF8ci7LX26/YJwAGYd2nqn15GRkbzR53EmSrrT2zdsXSyS9oScjjnn8j4ATUCQ 03obQqmH12D869bE6+C6WD7qQ15ez6XNRwlKThw6ij9llCmyZW0uDOPP3fXtewrZDMcS cta8aUAdEbfUwrqeWJ7W4Ph2/pVVlFF/n7djwQiJjcr0ZwtzlaELFnd9CqZKZ+fdR4Q5 +GNA/e5rBWZk5V7LbhoutnHQ7qanTEg2mx9Nkmb7GgRAwGsnFwlPYYQwy/ba/1DYzNLs jyYPMpwPzIbzYmhFuY3CiD69VzOsE3JvL2xdsJvluAO2Kc08z76vlz6/fdrPzORQoEQ6 L1Ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=0vUaZEByBxwNbTiKXtm4FqQVDvKyfcDOoqR5sJkil9E=; b=Bk8TFV2JytYjZwoGEjnx/w7Fj9Ykop3Tcnchr9ihXYUAkH9iuCLQCTFQQcC5tVNr4j SqMn6CGB9RH9jmH5QLtKcrKIs8zSP0Dbx6Um7GHbpT034ZtIu9RL1i3ZH8RIEU4T9BDP 1EzYLd1Fr+03tq6gBFXbywN8UyDG6qjYXjwPm9yjdjFUwx3+DojkboPHtaGrWyuU1Xf3 pplNOoiXnV1t+KBs9MiPUfl+Cp6uPiNvrt/TFZuQocYTlgEhjrnjHiyCX0J5PAu3dtWj yUwx8GQGWcxfW/MQMUE6UnjUvrl+3+yGMI9jsdx2JGDHFIJj1U8FSjyjuDqnHTEM9npH pj8g== X-Gm-Message-State: AOAM531HjMtovbhwSPx6BNomdkmi1e2uQDKqjsprkEr2JOr6CoQHeD3Y 0DD8nmWIu4vL4/y/GziknUlQ2U1nA7XyyQ== X-Google-Smtp-Source: ABdhPJyVZxlXdDlLvRDTMtJJDvTu7n/IJVWdvnakq83vGLJCuame4Evv5G5C4qf4Km4Zn2AxjBLEXQ== X-Received: by 2002:a05:6000:104f:: with SMTP id c15mr16085505wrx.239.1612722403545; Sun, 07 Feb 2021 10:26:43 -0800 (PST) Received: from localhost.localdomain (182.red-79-146-86.dynamicip.rima-tde.net. [79.146.86.182]) by smtp.gmail.com with ESMTPSA id i3sm5173360wrr.19.2021.02.07.10.26.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 07 Feb 2021 10:26:43 -0800 (PST) From: Jorge Ramirez-Ortiz To: jorge@foundries.io, sjg@chromium.org, jens.wiklander@linaro.org Cc: igor.opaniuk@foundries.io, u-boot@lists.denx.de Subject: [PATCHv3 1/4] common: SCP03 control (enable and provision of keys) Date: Sun, 7 Feb 2021 19:26:29 +0100 Message-Id: <20210207182632.24252-2-jorge@foundries.io> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210207182632.24252-1-jorge@foundries.io> References: <20210207182632.24252-1-jorge@foundries.io> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean This Trusted Application allows enabling SCP03 as well as provisioning the keys on TEE controlled secure element (ie, NXP SE050). All the information flowing on buses (ie I2C) between the processor and the secure element must be encrypted. Secure elements are pre-provisioned with a set of keys known to the user so that the secure channel protocol (encryption) can be enforced on the first boot. This situation is however unsafe since the keys are publically available. For example, in the case of the NXP SE050, these keys would be available in the OP-TEE source tree [2] and of course in the documentation corresponding to the part. To address that, users are required to rotate/provision those keys (ie, generate new keys and write them in the secure element's persistent memory). For information on SCP03, check the Global Platform HomePage and google for that term [1] [1] globalplatform.org [2] https://github.com/OP-TEE/optee_os/ check: core/drivers/crypto/se050/adaptors/utils/scp_config.c Signed-off-by: Jorge Ramirez-Ortiz Reviewed-by: Simon Glass --- common/Kconfig | 8 ++++++ common/Makefile | 1 + common/scp03.c | 53 ++++++++++++++++++++++++++++++++++++ include/scp03.h | 21 ++++++++++++++ include/tee/optee_ta_scp03.h | 21 ++++++++++++++ 5 files changed, 104 insertions(+) create mode 100644 common/scp03.c create mode 100644 include/scp03.h create mode 100644 include/tee/optee_ta_scp03.h diff --git a/common/Kconfig b/common/Kconfig index 2bb3798f80..482f123534 100644 --- a/common/Kconfig +++ b/common/Kconfig @@ -588,6 +588,14 @@ config AVB_BUF_SIZE endif # AVB_VERIFY +config SCP03 + bool "Build SCP03 - Secure Channel Protocol O3 - controls" + depends on OPTEE || SANDBOX + depends on TEE + help + This option allows U-Boot to enable and or provision SCP03 on an OPTEE + controlled Secured Element. + config SPL_HASH bool # "Support hashing API (SHA1, SHA256, etc.)" help diff --git a/common/Makefile b/common/Makefile index daeea67cf2..215b8b26fd 100644 --- a/common/Makefile +++ b/common/Makefile @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o obj-$(CONFIG_AVB_VERIFY) += avb_verify.o +obj-$(CONFIG_SCP03) += scp03.o diff --git a/common/scp03.c b/common/scp03.c new file mode 100644 index 0000000000..09ef7b5ba3 --- /dev/null +++ b/common/scp03.c @@ -0,0 +1,53 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#include +#include +#include +#include + +static int scp03_enable(bool provision) +{ + const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID; + struct tee_open_session_arg session; + struct tee_invoke_arg invoke; + struct tee_param param; + struct udevice *tee = NULL; + + tee = tee_find_device(tee, NULL, NULL, NULL); + if (!tee) + return -ENODEV; + + memset(&session, 0, sizeof(session)); + tee_optee_ta_uuid_to_octets(session.uuid, &uuid); + if (tee_open_session(tee, &session, 0, NULL)) + return -ENXIO; + + memset(¶m, 0, sizeof(param)); + param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT; + param.u.value.a = provision; + + memset(&invoke, 0, sizeof(invoke)); + invoke.func = PTA_CMD_ENABLE_SCP03; + invoke.session = session.session; + + if (tee_invoke_func(tee, &invoke, 1, ¶m)) + return -EIO; + + tee_close_session(tee, session.session); + + return 0; +} + +int tee_enable_scp03(void) +{ + return scp03_enable(false); +} + +int tee_provision_scp03(void) +{ + return scp03_enable(true); +} diff --git a/include/scp03.h b/include/scp03.h new file mode 100644 index 0000000000..729667ccd1 --- /dev/null +++ b/include/scp03.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#ifndef _SCP03_H +#define _SCP03_H + +/* + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its + * Secure Element + * + * If key provisioning is requested, OPTEE shall generate new SCP03 keys and + * write them to the Secure Element. + * + * Both functions return < 0 on error else 0. + */ +int tee_enable_scp03(void); +int tee_provision_scp03(void); +#endif /* _SCP03_H */ diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h new file mode 100644 index 0000000000..13f9956d98 --- /dev/null +++ b/include/tee/optee_ta_scp03.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: BSD-3-Clause */ +/* + * (C) Copyright 2021, Foundries.IO + * + */ +#ifndef __TA_SCP03_H +#define __TA_SCP03_H + +#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \ + { 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } } + +/* + * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element. + * Setting the operation value to something different than NULL will trigger + * the SCP03 provisioning request. + * + * in params[0].a = operation + */ +#define PTA_CMD_ENABLE_SCP03 0 + +#endif /*__TA_SCP03_H*/ From patchwork Sun Feb 7 18:26:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jorge Ramirez-Ortiz, Foundries" X-Patchwork-Id: 1437237 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256 header.s=google header.b=VBZFO9vh; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DYd0y1Jb8z9sVF for ; Mon, 8 Feb 2021 05:27:13 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 7D6A9827C5; Sun, 7 Feb 2021 19:26:55 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.b="VBZFO9vh"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 24356826FC; Sun, 7 Feb 2021 19:26:49 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id E2234826FC for ; Sun, 7 Feb 2021 19:26:44 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jorge@foundries.io Received: by mail-wr1-x430.google.com with SMTP id n6so1792755wrv.8 for ; Sun, 07 Feb 2021 10:26:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foundries.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=W9xN9RLp99vGzLCMlL/huxCpVmL0MBe4gBZueqlPS5A=; b=VBZFO9vhZrR4sIGpydw24D8qRx6TfVqDIRB3ZXx51TOzMhjqZul1YzeSbacFDITm/2 HAjUbRjgLAoKIvyuAIFgxJgA2dP1+Y4jMsiXwwX89Rd6wIwXdoJvb4IQiRmvS/7VQ2oG hJeeIKFManD68BxzGyRvWy5pw4WNZi6dk2ph3M33Fen3l4p+f/2AnT2cbDd8Ix8fzff4 CSaHj7UhxMKQwovKt0NG7BTRxQuufvHgJooPIdhfN8eIWqc0kfDDZ/fVcQ45EFfh9jk4 rfsR7twT4PctIrRo2l/n9S4hxleycBT9Pp2OGcDoGMIPJBz56k/tguR13leSKtuKr/Zz x4NA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=W9xN9RLp99vGzLCMlL/huxCpVmL0MBe4gBZueqlPS5A=; b=oK9xqLF/z7ECiuhFFZdevB59V9t4jrBlPPDX0QV0+vkKjPBSGefupBUKqfRPpdHc4r VVk1juptSorxwUb4+6MJyZ1R+t4RxhuMot/x3YYcO36lQ8vIkVLnoOuq1vyOOmJJ1RAH P4C/0s+ZGbrE4ron23Mckifl9ZvjpzV4T+wN/caYtPsjM96j2NOlszLk7gIB164H4awf 7sbedFg0FSLDPOSpNHVKIZnR6/E2sGtG9yUKFamWIU3Gua1ItjeBiXsoqPSdPJWgPJX+ zyC0MmwaXu8wmWeZ2MnCJCQRt9TnvUTzC5cDkuhiQXrp267HRW/gnbCR1In2Nn+sPcs8 5i8w== X-Gm-Message-State: AOAM531SZyflpRiB94y6ajNs0QlavBVGj1do2PGdq/P/jpZMSd9s+MDm BRwBeq1vWZnYF1oEiSEbWlotkg== X-Google-Smtp-Source: ABdhPJwXHx774OWlz3h+iDR15okXz0eL2J8LiUSN9j0k69rtzJzKsSjkPT57VqDBmV0tmhR9J2WDcA== X-Received: by 2002:adf:f8c1:: with SMTP id f1mr16104719wrq.76.1612722404529; Sun, 07 Feb 2021 10:26:44 -0800 (PST) Received: from localhost.localdomain (182.red-79-146-86.dynamicip.rima-tde.net. [79.146.86.182]) by smtp.gmail.com with ESMTPSA id i3sm5173360wrr.19.2021.02.07.10.26.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 07 Feb 2021 10:26:44 -0800 (PST) From: Jorge Ramirez-Ortiz To: jorge@foundries.io, sjg@chromium.org, jens.wiklander@linaro.org Cc: igor.opaniuk@foundries.io, u-boot@lists.denx.de Subject: [PATCHv3 2/4] cmd: SCP03: enable and provision command Date: Sun, 7 Feb 2021 19:26:30 +0100 Message-Id: <20210207182632.24252-3-jorge@foundries.io> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210207182632.24252-1-jorge@foundries.io> References: <20210207182632.24252-1-jorge@foundries.io> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Enable and provision the SCP03 keys on a TEE controlled secured elemt from the U-Boot shell. Executing this command will generate and program new SCP03 encryption keys on the secure element NVM. Depending on the TEE implementation, the keys would then be stored in some persistent storage or better derived from some platform secret (so they can't be lost). Signed-off-by: Jorge Ramirez-Ortiz Reviewed-by: Simon Glass --- cmd/Kconfig | 8 ++++++++ cmd/Makefile | 3 +++ cmd/scp03.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 cmd/scp03.c diff --git a/cmd/Kconfig b/cmd/Kconfig index 928a2a0a2d..6327374f2c 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -2021,6 +2021,14 @@ config HASH_VERIFY help Add -v option to verify data against a hash. +config CMD_SCP03 + bool "scp03 - SCP03 enable and rotate/provision operations" + depends on SCP03 + help + This command provides access to a Trusted Application + running in a TEE to request Secure Channel Protocol 03 + (SCP03) enablement and/or rotation of its SCP03 keys. + config CMD_TPM_V1 bool diff --git a/cmd/Makefile b/cmd/Makefile index 176bf925fd..a7017e8452 100644 --- a/cmd/Makefile +++ b/cmd/Makefile @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o # Android Verified Boot 2.0 obj-$(CONFIG_CMD_AVB) += avb.o +# Foundries.IO SCP03 +obj-$(CONFIG_CMD_SCP03) += scp03.o + obj-$(CONFIG_ARM) += arm/ obj-$(CONFIG_RISCV) += riscv/ obj-$(CONFIG_SANDBOX) += sandbox/ diff --git a/cmd/scp03.c b/cmd/scp03.c new file mode 100644 index 0000000000..cc1a904923 --- /dev/null +++ b/cmd/scp03.c @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * (C) Copyright 2021, Foundries.IO + * + */ + +#include +#include +#include +#include + +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + if (argc != 1) + return CMD_RET_USAGE; + + if (tee_enable_scp03()) { + printf("TEE failed to enable SCP03\n"); + return CMD_RET_FAILURE; + } + + return CMD_RET_SUCCESS; +} + +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + if (argc != 1) + return CMD_RET_USAGE; + + if (tee_provision_scp03()) { + printf("TEE failed to provision SCP03 keys\n"); + return CMD_RET_FAILURE; + } + + return CMD_RET_SUCCESS; +} + +static char text[] = + "provides a command to enable SCP03 and provision the SCP03 keys\n" + " enable - enable SCP03 on the TEE\n" + " provision - provision SCP03 on the TEE\n"; + +U_BOOT_CMD_WITH_SUBCMDS(scp03, "Secure Channel Protocol 03 control", text, + U_BOOT_SUBCMD_MKENT(enable, 1, 1, do_scp03_enable), + U_BOOT_SUBCMD_MKENT(provision, 1, 1, do_scp03_provision)); + From patchwork Sun Feb 7 18:26:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jorge Ramirez-Ortiz, Foundries" X-Patchwork-Id: 1437238 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256 header.s=google header.b=cmJa6QLB; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DYd165WdTz9sVF for ; Mon, 8 Feb 2021 05:27:22 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 52E9A827E5; Sun, 7 Feb 2021 19:26:57 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.b="cmJa6QLB"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 389218279F; Sun, 7 Feb 2021 19:26:49 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id E202C826E1 for ; Sun, 7 Feb 2021 19:26:45 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jorge@foundries.io Received: by mail-wr1-x42a.google.com with SMTP id c12so14589371wrc.7 for ; Sun, 07 Feb 2021 10:26:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foundries.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=f4S28UYBN7aeOUgsFT3uKn2LHz8VV13OD+rrFpOp09Q=; b=cmJa6QLBUVhboj5+I5Hf4tQ7XHpYzKZ7FKTqN5eaw7XiQ4VlyOjBpx5GDJMqd02czG C3k43BH+UHt+lbmgQPvAiZ48PAGTrkggCY0TRDdFgkdFSXlzoJQAZZSIvHkp5jNdMY3z oi4Z5frGTBPSYzjkpamsM7yEhWB3fcvv6M2UuTnUI652aeqdRS7saQI8h2thm0Jt/D0L r41mpqzrF/7ulIO5K/TO3D/bY8X6DfYlapja8V8LxDA0W4t6c/AOaiKj75EsZm5kUHsh TnHsrxRX85sxXhgNS83xFXkEghnw29+TlG1ja2hB8ohDT7WwMuX2y6lfih/eqImC4Efe 9eeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=f4S28UYBN7aeOUgsFT3uKn2LHz8VV13OD+rrFpOp09Q=; b=jILiZHqKmTa19FBl+bbL5vQIU6nSBapuzv/0txKoK8ZL4KejcngjpOfvjmvr/YBgZB 17zrk1bHyaZpsVQ7YUOIpUv7arK5tsPyN606FUzkGMvjgcCsouG+RBSZ6LD58E+D88Dv k4+aacfB6N+pXhL/YGx34o3ys8Bg4j5vTCjC+PReSVuhEr+INqlVOH+0m4YVfGvHmO06 DXTgh4c6as+Yn1mEA0DZnwUf9hqInuWG3v8neclPS2hdSXvB7Q4HmfC/A/GsbzjqlIPO 3wB1sR545lonATnmaOLRN6mjXI60zO13Tom9utn4upzTU7XW2HEFMr0TvxgRwVfVlix1 wC4A== X-Gm-Message-State: AOAM5335e1sL1LDwShbJOKvxw0W1I2siVFVMUnnIPb7IAwGEUF0x7Bhi ZUn4bVNYwZ22aAhkgyl3zLgP/w== X-Google-Smtp-Source: ABdhPJz7lyzh2RM2Gi/7SWJkIB3Qz4/s4VIt42fu6Nbwao9L3/7GSaQYubIv8VLTYc0n8wpigOPZeQ== X-Received: by 2002:a5d:654d:: with SMTP id z13mr4045406wrv.62.1612722405543; Sun, 07 Feb 2021 10:26:45 -0800 (PST) Received: from localhost.localdomain (182.red-79-146-86.dynamicip.rima-tde.net. [79.146.86.182]) by smtp.gmail.com with ESMTPSA id i3sm5173360wrr.19.2021.02.07.10.26.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 07 Feb 2021 10:26:45 -0800 (PST) From: Jorge Ramirez-Ortiz To: jorge@foundries.io, sjg@chromium.org, jens.wiklander@linaro.org Cc: igor.opaniuk@foundries.io, u-boot@lists.denx.de Subject: [PATCHv3 3/4] drivers: tee: sandbox: SCP03 control emulator Date: Sun, 7 Feb 2021 19:26:31 +0100 Message-Id: <20210207182632.24252-4-jorge@foundries.io> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210207182632.24252-1-jorge@foundries.io> References: <20210207182632.24252-1-jorge@foundries.io> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean Adds support for a working SCP03 emulation. Input parameters are validated however the commands (enable, provision) executed by the TEE are assumed to always succeed. Signed-off-by: Jorge Ramirez-Ortiz Reviewed-by: Simon Glass --- drivers/tee/optee/Kconfig | 6 ++++ drivers/tee/sandbox.c | 60 +++++++++++++++++++++++++++++++++++++-- 2 files changed, 64 insertions(+), 2 deletions(-) diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig index d489834df9..98988c38f0 100644 --- a/drivers/tee/optee/Kconfig +++ b/drivers/tee/optee/Kconfig @@ -22,6 +22,12 @@ config OPTEE_TA_AVB The TA can support the "avb" subcommands "read_rb", "write"rb" and "is_unlocked". +config OPTEE_TA_SCP03 + bool "Support SCP03 TA" + default y + help + Enables support for controlling (enabling, provisioning) the + Secure Channel Protocol 03 operation in the OP-TEE SCP03 TA. endmenu endif diff --git a/drivers/tee/sandbox.c b/drivers/tee/sandbox.c index e1ba027fd6..273c23239a 100644 --- a/drivers/tee/sandbox.c +++ b/drivers/tee/sandbox.c @@ -7,6 +7,7 @@ #include #include #include +#include /* * The sandbox tee driver tries to emulate a generic Trusted Exectution @@ -32,7 +33,7 @@ struct ta_entry { struct tee_param *params); }; -#ifdef CONFIG_OPTEE_TA_AVB +#if defined(CONFIG_OPTEE_TA_SCP03) || defined(CONFIG_OPTEE_TA_AVB) static u32 get_attr(uint n, uint num_params, struct tee_param *params) { if (n >= num_params) @@ -44,7 +45,7 @@ static u32 get_attr(uint n, uint num_params, struct tee_param *params) static u32 check_params(u8 p0, u8 p1, u8 p2, u8 p3, uint num_params, struct tee_param *params) { - u8 p[] = { p0, p1, p2, p3}; + u8 p[] = { p0, p1, p2, p3 }; uint n; for (n = 0; n < ARRAY_SIZE(p); n++) @@ -62,6 +63,55 @@ bad_params: return TEE_ERROR_BAD_PARAMETERS; } +#endif + +#ifdef CONFIG_OPTEE_TA_SCP03 +static u32 pta_scp03_open_session(struct udevice *dev, uint num_params, + struct tee_param *params) +{ + /* + * We don't expect additional parameters when opening a session to + * this TA. + */ + return check_params(TEE_PARAM_ATTR_TYPE_NONE, TEE_PARAM_ATTR_TYPE_NONE, + TEE_PARAM_ATTR_TYPE_NONE, TEE_PARAM_ATTR_TYPE_NONE, + num_params, params); +} + +static u32 pta_scp03_invoke_func(struct udevice *dev, u32 func, uint num_params, + struct tee_param *params) +{ + u32 res; + static bool enabled; + + switch (func) { + case PTA_CMD_ENABLE_SCP03: + res = check_params(TEE_PARAM_ATTR_TYPE_VALUE_INPUT, + TEE_PARAM_ATTR_TYPE_NONE, + TEE_PARAM_ATTR_TYPE_NONE, + TEE_PARAM_ATTR_TYPE_NONE, + num_params, params); + if (res) + return res; + + if (!enabled) { + printf("SCP03 enabled\n"); + enabled = true; + } else { + printf("SCP03 already enabled, no action\n"); + } + + if (params[0].u.value.a) + printf("SCP03 keys rotated\n"); + + return TEE_SUCCESS; + default: + return TEE_ERROR_NOT_SUPPORTED; + } +} +#endif + +#ifdef CONFIG_OPTEE_TA_AVB static u32 ta_avb_open_session(struct udevice *dev, uint num_params, struct tee_param *params) @@ -223,6 +273,12 @@ static const struct ta_entry ta_entries[] = { .invoke_func = ta_avb_invoke_func, }, #endif +#ifdef CONFIG_OPTEE_TA_SCP03 + { .uuid = PTA_SCP03_UUID, + .open_session = pta_scp03_open_session, + .invoke_func = pta_scp03_invoke_func, + }, +#endif }; static void sandbox_tee_get_version(struct udevice *dev, From patchwork Sun Feb 7 18:26:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jorge Ramirez-Ortiz, Foundries" X-Patchwork-Id: 1437239 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256 header.s=google header.b=UlFcCtpS; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DYd1J0ghrz9sVF for ; Mon, 8 Feb 2021 05:27:32 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BF624827C7; Sun, 7 Feb 2021 19:26:59 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=foundries.io header.i=@foundries.io header.b="UlFcCtpS"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3928E82791; Sun, 7 Feb 2021 19:26:51 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 05CD58278B for ; Sun, 7 Feb 2021 19:26:47 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=foundries.io Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jorge@foundries.io Received: by mail-wr1-x432.google.com with SMTP id n6so1792856wrv.8 for ; Sun, 07 Feb 2021 10:26:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foundries.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=M76zgkg51jsSiGaAz5wiwNelUViZSJPCbB0L4hflxDg=; b=UlFcCtpS8qgLx7HeDr/AERa3/37SopnTjfH/kSlN0wxyily3hZh9sUD45wr1umXLtS ZVXxn5VAW9qtv0HDNTBhNJ1/8da1fb1/yqUZQytqHH44FsRI6Xz9gydo5vtSRn3Q2QS0 Vg4+FbLh8h4j3vMhYXBqTtxHV9RzhcFz/y/0qWp93ZEZrSu2y2rZKv2X4c5gRgJDkVgv 3x/lEvWEYpmlEuwQ2gPAXdTXn0mNgv/HXTTwqFLoeUsSAnOmNBD8i9p4COggtvEsFg0O mGlaU3ebpsTmrTJKiI6zDk4dbggLvKW955ppObGItpg2LhsWzzFXcqLPnWyanhc3Ldf1 H/TQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=M76zgkg51jsSiGaAz5wiwNelUViZSJPCbB0L4hflxDg=; b=b0S0wMUZjeswscpI3YLwM33tq5xxutWw1/q/7ThzgPJ4kD2sy+sPeLGYuvLRvrAAmU xqTNcwmx6dBUupOQyID7tjHOhyGwcVPMtsCnaioeQ85awEMVVJ4z7AlPju/Uwogvkd83 XEo9XIJqY6ARMvA5mKZUJe4k2qJtmre9HB2foY9o0mYcQoc1EXmKIBp2qa0gyvdeh60B jTja6fJR5iCw1QDq06XG3gH/mtcYIo553jTYmcumUloMWi7zgakCr9t49eQrrutH5Y+H ogBKN0Pg86R5hx+MLTqF8qOGWqxo2K4xt8OAYIjf5BJ/bW5SYdwsJSFTssATldByjiRm oNpA== X-Gm-Message-State: AOAM531mtSwtfvpP5DhXo3udQAn4vG2rL4SbrmDBbe+yTs/aQl3pgJLm B0VGSXHlmp+XNdKkiRNJajjggg== X-Google-Smtp-Source: ABdhPJxyj74fAucLUYxUsTHCBVF4ki/rgsR9a61lo5WBGW65Mto+tKHwHxuRKcxn5szN7/AV3GgXHg== X-Received: by 2002:adf:b64f:: with SMTP id i15mr15656751wre.279.1612722406594; Sun, 07 Feb 2021 10:26:46 -0800 (PST) Received: from localhost.localdomain (182.red-79-146-86.dynamicip.rima-tde.net. [79.146.86.182]) by smtp.gmail.com with ESMTPSA id i3sm5173360wrr.19.2021.02.07.10.26.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 07 Feb 2021 10:26:46 -0800 (PST) From: Jorge Ramirez-Ortiz To: jorge@foundries.io, sjg@chromium.org, jens.wiklander@linaro.org Cc: igor.opaniuk@foundries.io, u-boot@lists.denx.de Subject: [PATCHv3 4/4] doc: describe the scp03 command Date: Sun, 7 Feb 2021 19:26:32 +0100 Message-Id: <20210207182632.24252-5-jorge@foundries.io> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210207182632.24252-1-jorge@foundries.io> References: <20210207182632.24252-1-jorge@foundries.io> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean The Secure Channel Protocol 03 command sends control requests (enable/provision) to the TEE implementing the protocol between the processor and the secure element. Signed-off-by: Jorge Ramirez-Ortiz --- doc/usage/index.rst | 1 + doc/usage/scp03.rst | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 doc/usage/scp03.rst diff --git a/doc/usage/index.rst b/doc/usage/index.rst index 5754958d7e..fa1c4160b9 100644 --- a/doc/usage/index.rst +++ b/doc/usage/index.rst @@ -29,3 +29,4 @@ Shell commands pstore sbi true + scp03 diff --git a/doc/usage/scp03.rst b/doc/usage/scp03.rst new file mode 100644 index 0000000000..7ff87ed85a --- /dev/null +++ b/doc/usage/scp03.rst @@ -0,0 +1,33 @@ +.. SPDX-License-Identifier: GPL-2.0+ + +scp03 command +============= + +Synopsis +-------- + +:: + + scp03 enable + scp03 provision + +Description +----------- + +The *scp03* command calls into a Trusted Application executing in a +Trusted Execution Environment to enable (if present) the Secure +Channel Protocol 03 stablished between the processor and the secure +element. + +This protocol encrypts all the communication between the processor and +the secure element using a set of pre-defined keys. These keys can be +rotated (provisioned) using the *provision* request. + +See also +-------- + +For some information on the internals implemented in the TEE, please +check the GlobalPlatform documentation on `Secure Channel Protocol '03'`_ + +.. _Secure Channel Protocol '03': + https://globalplatform.org/wp-content/uploads/2014/07/GPC_2.3_D_SCP03_v1.1.2_PublicRelease.pdf