From: Ilias Apalodimas
Date: Mon, 11 May 2020 11:52:05 +0300
Subject: [PATCH 6/6] doc: uefi.rst: Add OP-TEE variable storage config options
In-Reply-To: <3c41f317-4bc0-20a2-a769-17ebdee04e68@gmx.de>
References: <20200506191246.237790-1-ilias.apalodimas@linaro.org> <20200506191246.237790-7-ilias.apalodimas@linaro.org> <3c41f317-4bc0-20a2-a769-17ebdee04e68@gmx.de>
Message-ID: <20200511085205.GD73895@apalos.home>
To: u-boot@lists.denx.de

On Sat, May 09, 2020 at 11:51:48AM +0200, Heinrich Schuchardt wrote:
> On 5/6/20 9:12 PM, Ilias Apalodimas wrote:
> > If OP-TEE is compiled with an EDK2 application running in secure world
> > it can process and store UEFI variables in an RPMB.
> > Add documentation for the config options enabling this
> >
> > Signed-off-by: Ilias Apalodimas
> > ---
> >  doc/uefi/uefi.rst | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> > diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst
> > index 4fda00d68721..93b0faadd26e 100644
> > --- a/doc/uefi/uefi.rst
> > +++ b/doc/uefi/uefi.rst
> > @@ -188,6 +188,16 @@ on the sandbox
> >      cd
> >      pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox
> >
> > +Using OP-TEE for EFI variables
> > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > +
> > +If an RPMB and it's drivers is available in U-Boot, OP-TEE can be used for
>
> %s/is available/are available/
>
> ..., OP-TEE in conjunction with EDK2's secure management module (SMM)
> can be used to provide variable services.
>
> > +variable services.
> > +Enabling CONFIG_EFI_MM_COMM_TEE=y will dispatch the variables services to
>
> %s/dispatch/delegate/
>
> > +OP-TEE. OP-TEE needs to be compiled with a secure application (coming from EDK2)
>
> Is it really compiling? I thought it was only linking.
>
> ... needs to be linked with EDK2's secure management module (SMM) which
> will process the variables ...

It's a bit weird, you practically append the whole binary *after* OP-TEE source code.
So you compile OP-TEE with:
make CFG_ARM64_core=y PLATFORM= CFG_STMM_PATH=BL32_AP_MM.fd

>
> > +which will process variables in the Secure World and store them in the RPMB
> > +using the OP-TEE supplicant.
> > +
> >  Executing the boot manager
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >
>
> We should separate in the description between OP-TEE being used to
> provide variable services and the specific embodiment using SMM, e.g.
>
> How about:
>
>
> Using OP-TEE for EFI variables
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Instead of implementing UEFI variable services inside U-Boot they can
> also be provided in the secure world by a module for OP-TEE[1]. The
> interface between U-Boot and OP-TEE for variable services is enabled by
> CONFIG_EFI_MM_COMM_TEE=y.
>
> Tianocore EDK II's standalone management mode driver for variables can
> be linked to OP-TEE for this purpose. This module uses the Replay
> Protected Memory Block (RPMB) of an eMMC device for persisting
> non-volatile variables.
> When calling the variable services via the
> OP-TEE API U-Boot's OP-TEE supplicant relays calls to the RPMB driver
> which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y.
>
> [1] https://optee.readthedocs.io/ - OP-TEE documentation

Ok sounds better, I'll use this.

Regards
/Ilias
>
> Best regards
>
> Heinrich
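Review bot: the added section in the hunk names CONFIG_EFI_MM_COMM_TEE=y but leaves the second, equally necessary option implicit: the line `+If an RPMB and it's drivers is available in U-Boot, OP-TEE can be used for` only says a driver must exist, while the thread below identifies it as CONFIG_SUPPORT_EMMC_RPMB=y, and a reader enabling just the first option will get an OP-TEE supplicant with nothing to relay RPMB calls to. Spell out both options side by side, and while on that line fix "it's drivers is available" to "its drivers are available" and, in `+Enabling CONFIG_EFI_MM_COMM_TEE=y will dispatch the variables services to`, "variables services" to "variable services". Expanding RPMB once as Replay Protected Memory Block, as the suggested rewording does, also tells the reader what property the secure-world storage actually adds over keeping variables in U-Boot.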