public inbox for devel@edk2.groups.io
* [PATCH edk2-platforms v3 0/2] Add support for running StandaloneMm as OP-TEE TA
@ 2020-12-16 11:09 Sughosh Ganu
  2020-12-16 11:09 ` [PATCH edk2-platforms v3 1/2] Drivers/OpTeeRpmb: Add an OP-TEE backed RPMB driver Sughosh Ganu
  2020-12-16 11:09 ` [PATCH edk2-platforms v3 2/2] StMMRpmb: Add support for building StandaloneMm image for OP-TEE Sughosh Ganu
  0 siblings, 2 replies; 14+ messages in thread
From: Sughosh Ganu @ 2020-12-16 11:09 UTC (permalink / raw)
  To: devel
  Cc: Sami Mujawar, Ard Biesheuvel, Leif Lindholm, Sahil Malhotra,
	Ilias Apalodimas

This patch series adds a platform definition for compiling StMM
as a flash image, which we can run from OP-TEE.

SPM (responsible for dispatching StMM) and SPD (for OP-TEE) are mutually
exclusive and there's no Trusted Application in OP-TEE for managing
EFI variables (only a Microsoft one, for Authenticated variables).
This means that one can have a secure OS or secure variable storage.

With some recent changes merged in OP-TEE [1] and U-Boot [2] we can
launch StMM from an OP-TEE secure partition which is mimicking SPM.

By re-using StMM we have EDK2's approved application controlling
variable storage and the ability to run a secure-world OS. This also
allows various firmware implementations to adopt the EDK2 way of storing
variables (including the FTW implementation), as long as OP-TEE is
available on that given platform (or any other secure OS that can launch
StMM and has a supplicant for handling the RPMB partition).
Another advantage is that OP-TEE has the ability to access an eMMC RPMB
partition to store those variables, so any platform with OP-TEE and an
eMMC can store variables securely.
This requires a normal-world supplicant, which is currently implemented
in U-Boot. Similar functionality can be added in EDK2 by porting the
supplicant and adapting it to use the native eMMC drivers.

Although this approach might seem counter-intuitive at first glance,
considering the FFA [3] in the Arm architecture, using a Secure Partition that
includes everything seems like a better choice at the moment and is
preferred over a TA rewritten from scratch.

There is one drawback in using OP-TEE. The current SPM calls need to run
to completion. This contradicts the current OP-TEE RPC call requirements,
used to access the RPMB storage. That leads to two different SMC calls for
entering the secure world to access StMM (one for SPM and one for SPD).

Since this is quite tricky to compile and test, you can use this [4].
Just clone the repo and run ./build.sh. The script will pick up edk2,
edk2-platforms, op-tee, TF-A and U-Boot and compile all the necessary
binaries for QEMU. A patch (hack) has been added to U-Boot to
allow RPMB emulation through its supplicant, since QEMU RPMB emulation
is not yet available.
After compiling and launching QEMU, the usual U-Boot commands for EFI
variable management will store the variables on the emulated RPMB device.

[1] https://github.com/OP-TEE/optee_os/pull/3973
[2] http://u-boot.10912.n7.nabble.com/PATCH-0-7-v4-EFI-variable-support-via-OP-TEE-td412499.html
[3] https://developer.arm.com/documentation/den0077/a
[4] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/


Changes since V2:
 - Allocate a dynamic number of pages based on the Pcd values instead
   of a static number
 - Clean up unused structs in header file
 - Added checks in OpTeeRpmbFvbGetBlockSize and handle NumLba=0

Changes since V1:
Some enhancements made by Ilias to the Optee Rpmb driver

This series is to be reviewed along with V2 of the patch series for
enablement of the Firmware Framework (FF-A) [1].

[1] - https://edk2.groups.io/g/devel/message/68766

Ilias Apalodimas (2):
  Drivers/OpTeeRpmb: Add an OP-TEE backed RPMB driver
  StMMRpmb: Add support for building StandaloneMm image for OP-TEE

 Platform/StMMRpmb/PlatformStandaloneMm.dsc | 168 ++++
 Platform/StMMRpmb/PlatformStandaloneMm.fdf | 111 +++
 Drivers/OpTeeRpmb/FixupPcd.inf             |  44 ++
 Drivers/OpTeeRpmb/OpTeeRpmbFv.inf          |  58 ++
 Drivers/OpTeeRpmb/OpTeeRpmbFvb.h           |  35 +
 Drivers/OpTeeRpmb/FixupPcd.c               |  74 ++
 Drivers/OpTeeRpmb/OpTeeRpmbFvb.c           | 803 ++++++++++++++++++++
 7 files changed, 1293 insertions(+)
 create mode 100644 Platform/StMMRpmb/PlatformStandaloneMm.dsc
 create mode 100644 Platform/StMMRpmb/PlatformStandaloneMm.fdf
 create mode 100644 Drivers/OpTeeRpmb/FixupPcd.inf
 create mode 100644 Drivers/OpTeeRpmb/OpTeeRpmbFv.inf
 create mode 100644 Drivers/OpTeeRpmb/OpTeeRpmbFvb.h
 create mode 100644 Drivers/OpTeeRpmb/FixupPcd.c
 create mode 100644 Drivers/OpTeeRpmb/OpTeeRpmbFvb.c

-- 
2.17.1
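The v3 changelog above mentions bounds checks in OpTeeRpmbFvbGetBlockSize, handling NumLba=0, and sizing the page allocation from PCD values instead of a fixed number. The following standalone C sketch is an added illustration of those two checks, not the driver's code: the MEM_INSTANCE layout, the function names, and the reading of NumLba=0 as an instance that exposes no blocks are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal stand-ins for the EDK2 types so this builds outside EDK2. */
typedef uint64_t  EFI_LBA;
typedef uintptr_t UINTN;
typedef UINTN     EFI_STATUS;
#define EFI_SUCCESS            0
#define EFI_INVALID_PARAMETER  ((EFI_STATUS)(((UINTN)1 << (sizeof (UINTN) * 8 - 1)) | 2))
#define EFI_PAGE_SIZE          4096u

/* Per-instance state such a driver keeps (hypothetical layout). */
typedef struct {
  UINTN BlockSize;   /* bytes per LBA */
  UINTN NBlocks;     /* blocks exposed by this FVB instance */
} MEM_INSTANCE;

/* GetBlockSize with bounds checks: reports the block size and how many
 * blocks remain from Lba onward, rejecting anything out of range. */
EFI_STATUS
FvbGetBlockSizeChecked (const MEM_INSTANCE *Instance, EFI_LBA Lba,
                        UINTN *BlockSize, UINTN *NumberOfBlocks)
{
  if (Instance == NULL || BlockSize == NULL || NumberOfBlocks == NULL) return EFI_INVALID_PARAMETER;
  /* No blocks at all (NumLba == 0): nothing to report, and the subtraction
   * below must never run with NBlocks == 0. */
  if (Instance->NBlocks == 0 || Instance->BlockSize == 0) return EFI_INVALID_PARAMETER;
  /* Out-of-range LBA: without this check NBlocks - Lba wraps to a huge
   * count that a caller would then use to size reads and writes. */
  if (Lba >= Instance->NBlocks) return EFI_INVALID_PARAMETER;
  *BlockSize      = Instance->BlockSize;
  *NumberOfBlocks = Instance->NBlocks - (UINTN)Lba;
  return EFI_SUCCESS;
}

/* Pages for the variable store plus the FTW working and spare regions,
 * derived from their sizes instead of a fixed count; 0 on overflow. */
UINTN
NvStoragePagesNeeded (UINTN VariableSize, UINTN FtwWorkingSize, UINTN FtwSpareSize)
{
  UINTN Total = VariableSize;
  if (FtwWorkingSize > UINTPTR_MAX - Total) return 0;
  Total += FtwWorkingSize;
  if (FtwSpareSize > UINTPTR_MAX - Total) return 0;
  Total += FtwSpareSize;
  if (Total > UINTPTR_MAX - (EFI_PAGE_SIZE - 1)) return 0;
  return (Total + EFI_PAGE_SIZE - 1) / EFI_PAGE_SIZE;
}
```

A caller treating 0 pages as an error keeps a mis-set size PCD from silently under-allocating the flash image.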