From: Sumit Garg
Date: Fri, 2 Nov 2018 10:54:23 +0530
To: Christopher.Co@microsoft.com
Cc: Leif Lindholm, edk2-devel@lists.01.org, Ard Biesheuvel, Michael D Kinney, tee-dev@lists.linaro.org
Subject: Re: [PATCH edk2-platforms 01/27] Platform/Microsoft: Add OpteeClientPkg dec

+ OP-TEE ML.

On Fri, 2 Nov 2018 at 06:11, Chris Co wrote:
>
> Hi Sumit,
>
> Our full OpteeClientPkg has:
> - Our OpteeClientAPI implementation. I was monitoring the merge progress on OpteeLib and will look into moving over now that it is available.
> - The fTPM and AuthVar TA binaries. In our current design, the TA binaries are loaded at runtime. We could host the binaries themselves elsewhere on the filesystem, but we do not want these binaries as early/pseudo TAs. Is there a plan for OpteeLib to support loading full TAs?

Early TAs [1] are basically full TAs only, running in Secure EL0 mode. So instead of loading TA from normal world file-system, they are linked into a special data section in the OP-TEE core blob.

Also I don't think loading TAs dynamically especially during boot makes much sense due to the following reasons:

1. Increased boot time.
2. Fixed TAs like in your case which could be linked as early TAs as well.

And you mentioned filesystem, are you referring to root filesystem?

> - We have two client drivers: a firmware TPM TA driver and an authenticated variable TA driver. These talk through the tee-supplicant to their respective TAs.
>

Here from tee-supplicant apart from loading TAs, what other services are you expecting?
If you are looking for secure storage via RPMB, that could be an enhancement to OpteeLib adding corresponding RPC handling here [2].

[1] https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md#early-trusted-applications
[2] https://github.com/tianocore/edk2/blob/master/ArmPkg/Library/OpteeLib/Optee.c#L147

Regards,
Sumit

> Chris
>
> > -----Original Message-----
> > From: Sumit Garg
> > Sent: Thursday, November 1, 2018 3:55 AM
> > To: Chris Co; Leif Lindholm
> > Cc: edk2-devel@lists.01.org; Ard Biesheuvel; Michael D Kinney
> > Subject: Re: [PATCH edk2-platforms 01/27] Platform/Microsoft: Add OpteeClientPkg dec
> >
> > Hi Christopher,
> >
> > Optee Client library has recently been merged to edk2 source code. It tries to provide a generic interface [1] to OP-TEE based trusted applications (pseudo/early).
> >
> > AFAIK, you don't need any platform specific hook in client interface to work with upstream OP-TEE. So instead you should use Optee library.
> >
> > [1] https://github.com/tianocore/edk2/blob/master/ArmPkg/Include/Library/OpteeLib.h
> >
> > Regards,
> > Sumit
> >
> > On Thu, 1 Nov 2018 at 02:13, Leif Lindholm wrote:
> > >
> > > +Sumit (just to loop you two together). Is there anything Microsoft platform specific about what will go in here?
> > >
> > > /
> > >     Leif
> > >
> > > On Fri, Sep 21, 2018 at 08:25:53AM +0000, Chris Co wrote:
> > > > On Windows IoT Core devices with ARM TrustZone capabilities, EDK2 runs in normal world and we use OP-TEE to execute secure world operations. The overall package will contain client-side support to invoke EDK2 services implemented as OP-TEE trusted applications that run in secure world.
> > > >
> > > > This commit adds the initial dec file to add some PCD settings needed by other packages.
> > > >
> > > > Contributed-under: TianoCore Contribution Agreement 1.1
> > > > Signed-off-by: Christopher Co > > > > Cc: Ard Biesheuvel > > > > Cc: Leif Lindholm > > > > Cc: Michael D Kinney > > > > --- > > > > Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec | 49 > > > > ++++++++++++++++++++ > > > > 1 file changed, 49 insertions(+) > > > > > > > > diff --git a/Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec > > > > b/Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec > > > > new file mode 100644 > > > > index 000000000000..4752eab39ce3 > > > > --- /dev/null > > > > +++ b/Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec 
> > > > @@ -0,0 +1,49 @@ > > > > +## @file > > > > +# > > > > +# OP-TEE client package > > > > +# > > > > +# OP-TEE client package contains the client-side interface to inv= oke OP- > > TEE TAs. > > > > +# Certain EDKII services are implemented in Trusted Applications > > > > +running in # the secure world OP-TEE OS. > > > > +# > > > > +# Copyright (c) 2018 Microsoft Corporation. All rights reserved. > > > > +# > > > > +# This program and the accompanying materials # are licensed and > > > > +made available under the terms and conditions of the BSD License # > > > > +which accompanies this distribution. The full text of the license > > > > +may be found at # > > > > +https://na01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2F= ope > > > > +nsource.org%2Flicenses%2Fbsd- > > license.php&data=3D02%7C01%7CChristo > > > > > > +pher.Co%40microsoft.com%7Cc19b84ef7f8f4213424108d63fe88f66%7C72f988 > > > > > > +bf86f141af91ab2d7cd011db47%7C1%7C0%7C636766665404786500&sda > > ta=3D1 > > > > +MxFvlsMPhk19grEexBXo5VqRd0jZaCSRjxZCi87A2w%3D&reserved=3D0 > > > > +# > > > > +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" > > > > +BASIS, # WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, > > EITHER EXPRESS OR IMPLIED. 
> > > > +# > > > > +## > > > > + > > > > +[Defines] > > > > + DEC_SPECIFICATION =3D 0x0001001A > > > > + PACKAGE_NAME =3D OpteeClientPkg > > > > + PACKAGE_GUID =3D 77416fcb-10ec-4693-bdc0-1bdd7= 4ec9595 > > > > + PACKAGE_VERSION =3D 0.01 > > > > + > > > > +[Includes] > > > > + > > > > +[LibraryClasses] > > > > + > > > > +[Guids] > > > > + gOpteeClientPkgTokenSpaceGuid =3D { 0x04ad34ca, 0xdd25, 0x4156= , { > > 0x90, 0xf5, 0x16, 0xf9, 0x40, 0xd0, 0x49, 0xe3 }} > > > > + > > > > +[PcdsFixedAtBuild] > > > > + > > > > > > +gOpteeClientPkgTokenSpaceGuid.PcdTpm2AcpiBufferBase|0|UINT64|0x0000 > > > > +0005 > > > > + > > > > > > +gOpteeClientPkgTokenSpaceGuid.PcdTpm2AcpiBufferSize|0|UINT32|0x0000 > > > > +0006 > > > > + > > > > + ## The base address of the Trust Zone OpTEE OS private memory > > > > + region # This memory is manager privately by the OpTEE OS. > > > > + > > > > + > > gOpteeClientPkgTokenSpaceGuid.PcdTrustZonePrivateMemoryBase|0xDEAD > > > > + 1|UINT64|0x00000001 > > > > + > > > > + ## The size of the Trust Zone OpTEE OS private memory region > > > > + > > > > + > > gOpteeClientPkgTokenSpaceGuid.PcdTrustZonePrivateMemorySize|55|UIN > > > > + T64|0x00000002 > > > > + > > > > + ## The base address of the Trust Zone OpTEE OS shared memory > > > > + region > > > > + > > > > + > > gOpteeClientPkgTokenSpaceGuid.PcdTrustZoneSharedMemoryBase|0xDEAD2 > > > > + |UINT64|0x00000003 > > > > + > > > > + ## The size of the Trust Zone OpTEE OS shared memory region > > > > + > > > > + > > gOpteeClientPkgTokenSpaceGuid.PcdTrustZoneSharedMemorySize|0xAA|UI > > > > + NT64|0x00000004 > > > > -- > > > > 2.16.2.gvfs.1.33.gf5370f1 > > > >
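
Review bot: The four TrustZone memory PCDs in [PcdsFixedAtBuild] carry placeholder defaults (PcdTrustZonePrivateMemoryBase 0xDEAD1, PcdTrustZonePrivateMemorySize 55, PcdTrustZoneSharedMemoryBase 0xDEAD2, PcdTrustZoneSharedMemorySize 0xAA), so a platform DSC that omits an override still builds and gives consumers a bogus secure-world private range and shared-memory range. Because these values describe the boundary between memory owned by the OP-TEE OS and memory shared with the normal world, default all four to 0 and have consumers reject a zero base or size, or state in the comments that every platform must override them. The comment "This memory is manager privately by the OpTEE OS" should read "managed privately", and PcdTpm2AcpiBufferBase and PcdTpm2AcpiBufferSize have no description comment, unlike the other PCDs in the section.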