From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by mx.groups.io with SMTP id smtpd.web08.6404.1628682437099371579 for ; Wed, 11 Aug 2021 04:47:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=X9l6sy26; spf=pass (domain: kernel.org, ip: 198.145.29.99, mailfrom: ardb@kernel.org) Received: by mail.kernel.org (Postfix) with ESMTPSA id 85C046024A for ; Wed, 11 Aug 2021 11:47:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1628682436; bh=MVdhbZDD3h6+b79WU33EBad18zXPEJbE0dHrMcsK67A=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=X9l6sy26LaNM2NWRk0ntA1eJ+YdXz64yWWpukyzFs6CmPmoFHeTwHsTtc3vv3tp0d VigDE2JjQHlEU0whAU3/lBmyJRYSL/DBeWhf/x+2BuSMwc0WbiVfrxUd6194Y5JeZl UhywWqtv0/mpJ0pNxeYrAF+DED/hyqQ5uFBkA4at2CPLDAUDcGQcS1Gkuiq1gJyaik 70zdQzPt3f70YcLw5N2IoXrc2Pjk+kTCrpXyXgBMH2cncGdorBzlJ8ZPOBBgqGsUCh W2QdObY66f3qYmNYHdzroPJ772fgA6kvPU9oPc1ACfefdF8BC2X+3VZVwiV+6D5TEF TJ1AW6J1Q15ZQ== Received: by mail-ot1-f46.google.com with SMTP id n1-20020a9d1e810000b0290514da4485e4so220785otn.4 for ; Wed, 11 Aug 2021 04:47:16 -0700 (PDT) X-Gm-Message-State: AOAM530FCn8mdsm5ygdQXj77v7dTK1caIMGlbW2OSLxPMK4XXSWEDYtj OXmbPPdip00jSr50qBFSOG+0oMHE9q3M5cIJ5s8= X-Google-Smtp-Source: ABdhPJyDB3Gqkv5n4/xgJw+P8gOsvZ/LLCk/aExHVjQXV9joGl4nRluV3g9K2WBhstSsb+HWw47U+kwRpJvDkovMRkc= X-Received: by 2002:a9d:5cc7:: with SMTP id r7mr8230082oti.108.1628682435826; Wed, 11 Aug 2021 04:47:15 -0700 (PDT) MIME-Version: 1.0 References: <20210810164036.15199-1-etienne.carriere@linaro.org> In-Reply-To: <20210810164036.15199-1-etienne.carriere@linaro.org> From: "Ard Biesheuvel" Date: Wed, 11 Aug 2021 13:47:04 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 0/6] Arm 32bit support in PlatformStandaloneMmRpmb To: Etienne Carriere Cc: edk2-devel-groups-io , Ard Biesheuvel , Ilias Apalodimas , Leif Lindholm , Sami Mujawar , Sughosh Ganu , Thomas Abraham Content-Type: text/plain; charset="UTF-8" On Tue, 10 Aug 2021 at 18:40, Etienne Carriere wrote: > > This series brings support for building PlatformStandaloneMmRpmb for > 32bit Arm architectures. This series is based on series tracked through > [1] in edk2 that allows to build StandaloneMm package for 32bit Arm. > This series starts by syncing with paths changes from [1] series, > then comes changes for Arm 32bit support in OpTee drivers and last > updates PlatformStandaloneMmRpmb.dsc for 32bit the ARM architure. > This series is tracked through ticket [2]. > > One can test the generated StMM image with OP-TEE release for > stm32mp157c-ev1 board which integrates an eMMC device with a > RPMB partition. Se below are the fetch/build directives. > Note that enabling EFI secure boot on stm32mp1 needs more than the > build instruction below. At least these show how U-Boot and OP-TEE > can leverage StMM with an RPMB device. > > Step 1: fetch edk2, edk2-platforms, apply patches and Build StMM. > I build edk2 with the following command (one shall replace ${path_to_xxx} > with the appropriate paths. > > # export WORKSPACE=${path_to_edk2_build_dir} > # export PYTHON3_ENABLE=TRUE > # export PACKAGES_PATH=${path_to_edk2}:${path_to_edk2_platforms} > # source ${path_to_edk2}/edksetup.sh > # make -j$(nproc) -C ${path_to_edk2}/BaseTools > # GCC5_ARM_PREFIX=${path_to_arm_tooclain}/bin/arm-linux-gnueabihf- \ > build -n $(nproc) -a ARM -t GCC5 -b RELEASE -D DO_X86EMU=TRUE \ > -p Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc \ > all > > Step 2: clone and build OP-TEE release for stm32mp1 (see also [3]): > > # mkdir /tmp/optee-stm32mp1-stmm > # cd /tmp/optee-stm32mp1-stmm > # repo init -u https://github.com/OP-TEE/manifest.git -t 3.14.0 -m stm32mp1.xml > # repo sync > # cd build > # make toolchains > # make all > > Step 3: sync with U-Boot master branch, at least commit [4] which merges > a fix in MMC/RPMB driver OP-TEE [5]. Platform defconfig must be changed > to enable StMM and RPMB support. > The command below builds u-boot using OP-TEE build env (from build/ dir) > > # git -C ../u-boot checkout 99bb5f248ade371ee4713e0ef51401708ecbb13c > # echo CONFIG_EFI_MM_COMM_TEE=y >> ../u-boot/configs/stm32mp15_trusted_defconfig > # echo CONFIG_SUPPORT_EMMC_RPMB=y >> ../u-boot/configs/stm32mp15_trusted_defconfig > # make u-boot > > Step 4: rebuild optee_os (and SDcard image) with StMM image embedded in > OP-TEE core wand RPMB support for stm32mp15c-ev1 (the board has an eMMC > device with an RPMB partition). > The command below builds u-boot using OP-TEE build env. > > # make optee-os all \ > CFG_STMM_PATH=${path_to_edk2_build_dir}/Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd \ > PLATFORM=stm32mp1-157C_ED1 \ > CFG_RPMB_FS=y CFG_CORE_HUK_SUBKEY_COMPAT=n CFG_RPMB_FS_DEV_ID=1 > > Once done, program SDcard (/dev/sdX relates to SDcard slot device file) > # dd conf=fdatasync if=../out/bin/sdcard of=/dev/sdX # where /dev/sdX is > > The target (stm32mp157c-ev1 board) can boot with the programmed > SDcard. One can interrupt the U-Boot console, possibly program > RPMB key (see note below) and read the EFI variable (read from the > RPMB though StMM executing in OP-TEE. > > $ printenv -e # read EFI variables > $ setenv -e # write an EFI variable > > Note about the RPMB key: > With the build instructions above, OP-TEE assumes the RPMB device key > is generated from a known derivation of an all-zero root key. If the > RPMB device key was not yet programmed, one can program it from the > U-Boot console with command 'mmc rpmc key . The > commands below can be used to program the platform default RPMB > development key that is (hexadecimal notation, first byte first): > 15 46 75 8c 61 8e d8 b8 a2 27 89 02 df 54 ef 63 > 11 de e2 96 49 99 5b d7 d9 12 f1 53 6d 8a 67 c7 > > $ mw.l 0xc0000000 0x8c754615 > $ mw.l 0xc0000004 0xb8d88e61 > $ mw.l 0xc0000008 0x028927a2 > $ mw.l 0xc000000c 0x63ef54df > $ mw.l 0xc0000010 0x96e2de11 > $ mw.l 0xc0000014 0xd75b9949 > $ mw.l 0xc0000018 0x53f112d9 > $ mw.l 0xc000001c 0xc7678a6d > $ mmc rpmb key 0xc0000000 > > [1] https://bugzilla.tianocore.org/show_bug.cgi?id=3381 > [2] https://bugzilla.tianocore.org/show_bug.cgi?id=3383 > [3] https://optee.readthedocs.io/en/latest/building/devices/stm32mp1.html#build-instructions > [4] https://source.denx.de/u-boot/u-boot/-/commit/99bb5f248ade371ee4713e0ef51401708ecbb13c > [5] https://source.denx.de/u-boot/u-boot/-/commit/a9f7be509af90fa5f2c308867ad3b0bd48532c6e > > Etienne Carriere (6): > Platform/ARM/SgiPkg: sync with edk2 StandaloneMmCpu path change > Platform/Socionext/DeveloperBox: sync with edk2 StandaloneMmCpu path > change > Platform/StandaloneMm: sync with edk2 StandaloneMmCpu path change > Drivers/OpTee: Add Aarch32 SVC IDs for 32bit Arm targets > Drivers/OpTee: address cast build warning issue in 32b mode > Platform/StandaloneMm: build StandaloneMmRpmb for 32bit architectures > Pushed as 7b723de06c8e..70b67dc9ab89 Thanks, > Drivers/OpTee/OpteeRpmbPkg/OpTeeRpmbFvb.c | 23 ++++++++++++------- > Drivers/OpTee/OpteeRpmbPkg/OpTeeRpmbFvb.h | 16 +++++++++++-- > Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf | 2 +- > Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 2 +- > .../Socionext/DeveloperBox/DeveloperBoxMm.dsc | 2 +- > .../Socionext/DeveloperBox/DeveloperBoxMm.fdf | 2 +- > .../PlatformStandaloneMmRpmb.dsc | 14 +++++++++-- > .../PlatformStandaloneMmRpmb.fdf | 3 ++- > 8 files changed, 47 insertions(+), 17 deletions(-) > > -- > 2.17.1 >