Message ID | 20200506191246.237790-7-ilias.apalodimas@linaro.org |
---|---|
State | New |
Series | EFI variable support via OP-TEE |
On 5/6/20 9:12 PM, Ilias Apalodimas wrote:
> If OP-TEE is compiled with an EDK2 application running in secure world
> it can process and store UEFI variables in an RPMB.
> Add documentation for the config options enabling this
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> doc/uefi/uefi.rst | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst > index 4fda00d68721..93b0faadd26e 100644 > --- a/doc/uefi/uefi.rst > +++ b/doc/uefi/uefi.rst 
> @@ -188,6 +188,16 @@ on the sandbox > cd <U-Boot source directory> > pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox > > +Using OP-TEE for EFI variables > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +If an RPMB and it's drivers is available in U-Boot, OP-TEE can be used for %s/is available/are available/ ..., OP-TEE in conjunction with EDK2's secure management module (SMM) can be used to provide variable services. > +variable services. > +Enabling CONFIG_EFI_MM_COMM_TEE=y will dispatch the variables services to %s/dispatch/delegate/ > +OP-TEE. OP-TEE needs to be compiled with a secure application (coming from EDK2) Is it really compiling? I thought it was only linking. ... needs to be linked with EDK2's secure management module (SMM) which will process the variables ... > +which will process variables in the Secure World and store them in the RPMB > +using the OP-TEE supplicant. > + > Executing the boot manager > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > >

We should separate in the description between OP-TEE being used to
provide variable services and the specific embodiment using SMM, e.g.

How about:


Using OP-TEE for EFI variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Instead of implementing UEFI variable services inside U-Boot they can
also be provided in the secure world by a module for OP-TEE[1]. The
interface between U-Boot and OP-TEE for variable services is enabled by
CONFIG_EFI_MM_COMM_TEE=y.

Tianocore EDK II's standalone management mode driver for variables can
be linked to OP-TEE for this purpose. This module uses the Replay
Protected Memory Block (RPMB) of an eMMC device for persisting
non-volatile variables. When calling the variable services via the
OP-TEE API U-Boot's OP-TEE supplicant relays calls to the RPMB driver
which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y.

[1] https://optee.readthedocs.io/ - OP-TEE documentation

Best regards

Heinrich
On Sat, May 09, 2020 at 11:51:48AM +0200, Heinrich Schuchardt wrote:
> On 5/6/20 9:12 PM, Ilias Apalodimas wrote:
> > If OP-TEE is compiled with an EDK2 application running in secure world
> > it can process and store UEFI variables in an RPMB.
> > Add documentation for the config options enabling this
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> > doc/uefi/uefi.rst | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst > > index 4fda00d68721..93b0faadd26e 100644 > > --- a/doc/uefi/uefi.rst > > +++ b/doc/uefi/uefi.rst 
> > @@ -188,6 +188,16 @@ on the sandbox > > cd <U-Boot source directory> > > pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox > > > > +Using OP-TEE for EFI variables > > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > + > > +If an RPMB and it's drivers is available in U-Boot, OP-TEE can be used for > > %s/is available/are available/ > > ..., OP-TEE in conjunction with EDK2's secure management module (SMM) > can be used to provide variable services. > > > +variable services. > > +Enabling CONFIG_EFI_MM_COMM_TEE=y will dispatch the variables services to > > %s/dispatch/delegate/ > > > +OP-TEE. OP-TEE needs to be compiled with a secure application (coming from EDK2) > > Is it really compiling? I thought it was only linking. > > ... needs to be linked with EDK2's secure management module (SMM) which > will process the variables ... It's a bit weird, you practically append the whole binary *after* OP-TEE source code. So you compile OP-TEE with: make CFG_ARM64_core=y PLATFORM=<plat> CFG_STMM_PATH=BL32_AP_MM.fd > > > +which will process variables in the Secure World and store them in the RPMB > > +using the OP-TEE supplicant. > > + > > Executing the boot manager > > ~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > >
>
> We should separate in the description between OP-TEE being used to
> provide variable services and the specific embodiment using SMM, e.g.
>
> How about:
>
>
> Using OP-TEE for EFI variables
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Instead of implementing UEFI variable services inside U-Boot they can
> also be provided in the secure world by a module for OP-TEE[1]. The
> interface between U-Boot and OP-TEE for variable services is enabled by
> CONFIG_EFI_MM_COMM_TEE=y.
>
> Tianocore EDK II's standalone management mode driver for variables can
> be linked to OP-TEE for this purpose. This module uses the Replay
> Protected Memory Block (RPMB) of an eMMC device for persisting
> non-volatile variables. When calling the variable services via the
> OP-TEE API U-Boot's OP-TEE supplicant relays calls to the RPMB driver
> which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y.
>
> [1] https://optee.readthedocs.io/ - OP-TEE documentation

Ok sounds better, I'll use this.

Regards
/Ilias

>
> Best regards
>
> Heinrich
diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst index 4fda00d68721..93b0faadd26e 100644 --- a/doc/uefi/uefi.rst +++ b/doc/uefi/uefi.rst @@ -188,6 +188,16 @@ on the sandbox cd <U-Boot source directory> pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox +Using OP-TEE for EFI variables +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If an RPMB and it's drivers is available in U-Boot, OP-TEE can be used for +variable services. +Enabling CONFIG_EFI_MM_COMM_TEE=y will dispatch the variables services to +OP-TEE. OP-TEE needs to be compiled with a secure application (coming from EDK2) +which will process variables in the Secure World and store them in the RPMB +using the OP-TEE supplicant. + Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~
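Review bot: The added paragraph names only CONFIG_EFI_MM_COMM_TEE=y, although the commit message says it documents "the config options" enabling this. The sentence "If an RPMB and it's drivers is available in U-Boot" should name the option that enables the RPMB driver, and the sentence "OP-TEE needs to be compiled with a secure application (coming from EDK2)" should say how that application is supplied when OP-TEE is built, so that a reader can reproduce the setup from this section alone. In the same lines, "it's drivers is" should read "its drivers are", "variables services" should read "variable services", and RPMB should be expanded on first use.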
If OP-TEE is compiled with an EDK2 application running in secure world
it can process and store UEFI variables in an RPMB.
Add documentation for the config options enabling this

Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
doc/uefi/uefi.rst | 10 ++++++++++
1 file changed, 10 insertions(+)