[PATCHv5 0/6] SCP03 control, documentation and tests.

[PATCHv5 0/6] SCP03 control, documentation and tests.

[Jorge Ramirez-Ortiz]

Simply adding the reviewed-by tags to the v5 series.

Igor Opaniuk (2):
  sandbox: imply SCP03 and CMD_SCP03
  test: py: add initial coverage for scp03 cmd

Jorge Ramirez-Ortiz (4):
  common: SCP03 control (enable and provision of keys)
  cmd: SCP03: enable and provision command
  drivers: tee: sandbox: SCP03 control emulator
  doc: describe the scp03 command

 arch/Kconfig                 |  2 ++
 cmd/Kconfig                  |  8 +++++
 cmd/Makefile                 |  3 ++
 cmd/scp03.c                  | 52 ++++++++++++++++++++++++++++++++
 common/Kconfig               |  8 +++++
 common/Makefile              |  1 +
 common/scp03.c               | 53 +++++++++++++++++++++++++++++++++
 doc/usage/index.rst          |  1 +
 doc/usage/scp03.rst          | 33 +++++++++++++++++++++
 drivers/tee/optee/Kconfig    |  6 ++++
 drivers/tee/sandbox.c        | 57 ++++++++++++++++++++++++++++++++++--
 include/scp03.h              | 21 +++++++++++++
 include/tee/optee_ta_scp03.h | 21 +++++++++++++
 test/py/tests/test_scp03.py  | 27 +++++++++++++++++
 14 files changed, 291 insertions(+), 2 deletions(-)
 create mode 100644 cmd/scp03.c
 create mode 100644 common/scp03.c
 create mode 100644 doc/usage/scp03.rst
 create mode 100644 include/scp03.h
 create mode 100644 include/tee/optee_ta_scp03.h
 create mode 100644 test/py/tests/test_scp03.py

-- 
2.30.0

[PATCHv5 1/6] common: SCP03 control (enable and provision of keys)

[Jorge Ramirez-Ortiz]

This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).

All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.

For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.

To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).

For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
    check:
    core/drivers/crypto/se050/adaptors/utils/scp_config.c

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 common/Kconfig               |  8 ++++++
 common/Makefile              |  1 +
 common/scp03.c               | 53 ++++++++++++++++++++++++++++++++++++
 include/scp03.h              | 21 ++++++++++++++
 include/tee/optee_ta_scp03.h | 21 ++++++++++++++
 5 files changed, 104 insertions(+)
 create mode 100644 common/scp03.c
 create mode 100644 include/scp03.h
 create mode 100644 include/tee/optee_ta_scp03.h

diff --git a/common/Kconfig b/common/Kconfig
index 2bb3798f80..482f123534 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -588,6 +588,14 @@ config AVB_BUF_SIZE
 
 endif # AVB_VERIFY
 
+config SCP03
+	bool "Build SCP03 - Secure Channel Protocol O3 - controls"
+	depends on OPTEE || SANDBOX
+	depends on TEE
+	help
+	  This option allows U-Boot to enable and or provision SCP03 on an OPTEE
+	  controlled Secured Element.
+
 config SPL_HASH
 	bool # "Support hashing API (SHA1, SHA256, etc.)"
 	help
diff --git a/common/Makefile b/common/Makefile
index daeea67cf2..215b8b26fd 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o
 obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o
 
 obj-$(CONFIG_AVB_VERIFY) += avb_verify.o
+obj-$(CONFIG_SCP03) += scp03.o
diff --git a/common/scp03.c b/common/scp03.c
new file mode 100644
index 0000000000..09ef7b5ba3
--- /dev/null
+++ b/common/scp03.c
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#include <common.h>
+#include <scp03.h>
+#include <tee.h>
+#include <tee/optee_ta_scp03.h>
+
+static int scp03_enable(bool provision)
+{
+	const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID;
+	struct tee_open_session_arg session;
+	struct tee_invoke_arg invoke;
+	struct tee_param param;
+	struct udevice *tee = NULL;
+
+	tee = tee_find_device(tee, NULL, NULL, NULL);
+	if (!tee)
+		return -ENODEV;
+
+	memset(&session, 0, sizeof(session));
+	tee_optee_ta_uuid_to_octets(session.uuid, &uuid);
+	if (tee_open_session(tee, &session, 0, NULL))
+		return -ENXIO;
+
+	memset(&param, 0, sizeof(param));
+	param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
+	param.u.value.a = provision;
+
+	memset(&invoke, 0, sizeof(invoke));
+	invoke.func = PTA_CMD_ENABLE_SCP03;
+	invoke.session = session.session;
+
+	if (tee_invoke_func(tee, &invoke, 1, &param))
+		return -EIO;
+
+	tee_close_session(tee, session.session);
+
+	return 0;
+}
+
+int tee_enable_scp03(void)
+{
+	return scp03_enable(false);
+}
+
+int tee_provision_scp03(void)
+{
+	return scp03_enable(true);
+}
diff --git a/include/scp03.h b/include/scp03.h
new file mode 100644
index 0000000000..729667ccd1
--- /dev/null
+++ b/include/scp03.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#ifndef _SCP03_H
+#define _SCP03_H
+
+/*
+ * Requests to OPTEE to enable or provision the Secure Channel Protocol on its
+ * Secure Element
+ *
+ *  If key provisioning is requested, OPTEE shall generate new SCP03 keys and
+ *  write them to the Secure Element.
+ *
+ *  Both functions return < 0 on error else 0.
+ */
+int tee_enable_scp03(void);
+int tee_provision_scp03(void);
+#endif /* _SCP03_H */
diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h
new file mode 100644
index 0000000000..13f9956d98
--- /dev/null
+++ b/include/tee/optee_ta_scp03.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+#ifndef __TA_SCP03_H
+#define __TA_SCP03_H
+
+#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \
+			{ 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } }
+
+/*
+ * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element.
+ *   Setting the operation value to something different than NULL will trigger
+ *   the SCP03 provisioning request.
+ *
+ *   in	params[0].a = operation
+ */
+#define PTA_CMD_ENABLE_SCP03	0
+
+#endif /*__TA_SCP03_H*/
-- 
2.30.0

[PATCHv5 1/6] common: SCP03 control (enable and provision of keys)

[Tom Rini]

On Sun, Feb 14, 2021 at 04:27:23PM +0100, Jorge Ramirez-Ortiz wrote:

> This Trusted Application allows enabling SCP03 as well as provisioning
> the keys on TEE controlled secure element (ie, NXP SE050).
> 
> All the information flowing on buses (ie I2C) between the processor
> and the secure element must be encrypted. Secure elements are
> pre-provisioned with a set of keys known to the user so that the
> secure channel protocol (encryption) can be enforced on the first
> boot. This situation is however unsafe since the keys are publically
> available.
> 
> For example, in the case of the NXP SE050, these keys would be
> available in the OP-TEE source tree [2] and of course in the
> documentation corresponding to the part.
> 
> To address that, users are required to rotate/provision those keys
> (ie, generate new keys and write them in the secure element's
> persistent memory).
> 
> For information on SCP03, check the Global Platform HomePage and
> google for that term [1]
> [1] globalplatform.org
> [2] https://github.com/OP-TEE/optee_os/
>     check:
>     core/drivers/crypto/se050/adaptors/utils/scp_config.c
> 
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210315/7bb5392d/attachment.sig>

[PATCHv5 2/6] cmd: SCP03: enable and provision command

[Jorge Ramirez-Ortiz]

Enable and provision the SCP03 keys on a TEE controlled secured elemt
from the U-Boot shell.

Executing this command will generate and program new SCP03 encryption
keys on the secure element NVM.

Depending on the TEE implementation, the keys would then be stored in
some persistent storage or better derived from some platform secret
(so they can't be lost).

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 cmd/Kconfig  |  8 ++++++++
 cmd/Makefile |  3 +++
 cmd/scp03.c  | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 cmd/scp03.c

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 928a2a0a2d..6327374f2c 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2021,6 +2021,14 @@ config HASH_VERIFY
 	help
 	  Add -v option to verify data against a hash.
 
+config CMD_SCP03
+	bool "scp03 - SCP03 enable and rotate/provision operations"
+	depends on SCP03
+	help
+	  This command provides access to a Trusted Application
+	  running in a TEE to request Secure Channel Protocol 03
+	  (SCP03) enablement and/or rotation of its SCP03 keys.
+
 config CMD_TPM_V1
 	bool
 
diff --git a/cmd/Makefile b/cmd/Makefile
index 176bf925fd..a7017e8452 100644
--- a/cmd/Makefile
+++ b/cmd/Makefile
@@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o
 # Android Verified Boot 2.0
 obj-$(CONFIG_CMD_AVB) += avb.o
 
+# Foundries.IO SCP03
+obj-$(CONFIG_CMD_SCP03) += scp03.o
+
 obj-$(CONFIG_ARM) += arm/
 obj-$(CONFIG_RISCV) += riscv/
 obj-$(CONFIG_SANDBOX) += sandbox/
diff --git a/cmd/scp03.c b/cmd/scp03.c
new file mode 100644
index 0000000000..655e0bba08
--- /dev/null
+++ b/cmd/scp03.c
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#include <common.h>
+#include <command.h>
+#include <env.h>
+#include <scp03.h>
+
+int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc,
+		    char *const argv[])
+{
+	if (argc != 1)
+		return CMD_RET_USAGE;
+
+	if (tee_enable_scp03()) {
+		printf("TEE failed to enable SCP03\n");
+		return CMD_RET_FAILURE;
+	}
+
+	printf("SCP03 is enabled\n");
+
+	return CMD_RET_SUCCESS;
+}
+
+int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc,
+		       char *const argv[])
+{
+	if (argc != 1)
+		return CMD_RET_USAGE;
+
+	if (tee_provision_scp03()) {
+		printf("TEE failed to provision SCP03 keys\n");
+		return CMD_RET_FAILURE;
+	}
+
+	printf("SCP03 is provisioned\n");
+
+	return CMD_RET_SUCCESS;
+}
+
+static char text[] =
+	"provides a command to enable SCP03 and provision the SCP03 keys\n"
+	" enable    - enable SCP03 on the TEE\n"
+	" provision - provision SCP03 on the TEE\n";
+
+U_BOOT_CMD_WITH_SUBCMDS(scp03, "Secure Channel Protocol 03 control", text,
+	U_BOOT_SUBCMD_MKENT(enable, 1, 1, do_scp03_enable),
+	U_BOOT_SUBCMD_MKENT(provision, 1, 1, do_scp03_provision));
+
-- 
2.30.0

[PATCHv5 2/6] cmd: SCP03: enable and provision command

[Igor Opaniuk]

On Sun, Feb 14, 2021 at 5:27 PM Jorge Ramirez-Ortiz <jorge@foundries.io> wrote:
>
> Enable and provision the SCP03 keys on a TEE controlled secured elemt
> from the U-Boot shell.
>
> Executing this command will generate and program new SCP03 encryption
> keys on the secure element NVM.
>
> Depending on the TEE implementation, the keys would then be stored in
> some persistent storage or better derived from some platform secret
> (so they can't be lost).
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> ---
>  cmd/Kconfig  |  8 ++++++++
>  cmd/Makefile |  3 +++
>  cmd/scp03.c  | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 63 insertions(+)
>  create mode 100644 cmd/scp03.c
>
> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 928a2a0a2d..6327374f2c 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -2021,6 +2021,14 @@ config HASH_VERIFY
>         help
>           Add -v option to verify data against a hash.
>
> +config CMD_SCP03
> +       bool "scp03 - SCP03 enable and rotate/provision operations"
> +       depends on SCP03
> +       help
> +         This command provides access to a Trusted Application
> +         running in a TEE to request Secure Channel Protocol 03
> +         (SCP03) enablement and/or rotation of its SCP03 keys.
> +
>  config CMD_TPM_V1
>         bool
>
> diff --git a/cmd/Makefile b/cmd/Makefile
> index 176bf925fd..a7017e8452 100644
> --- a/cmd/Makefile
> +++ b/cmd/Makefile
> @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o
>  # Android Verified Boot 2.0
>  obj-$(CONFIG_CMD_AVB) += avb.o
>
> +# Foundries.IO SCP03
> +obj-$(CONFIG_CMD_SCP03) += scp03.o
> +
>  obj-$(CONFIG_ARM) += arm/
>  obj-$(CONFIG_RISCV) += riscv/
>  obj-$(CONFIG_SANDBOX) += sandbox/
> diff --git a/cmd/scp03.c b/cmd/scp03.c
> new file mode 100644
> index 0000000000..655e0bba08
> --- /dev/null
> +++ b/cmd/scp03.c
> @@ -0,0 +1,52 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
> +#include <common.h>
> +#include <command.h>
> +#include <env.h>
> +#include <scp03.h>
> +
> +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc,
> +                   char *const argv[])
> +{
> +       if (argc != 1)
> +               return CMD_RET_USAGE;
> +
> +       if (tee_enable_scp03()) {
> +               printf("TEE failed to enable SCP03\n");
> +               return CMD_RET_FAILURE;
> +       }
> +
> +       printf("SCP03 is enabled\n");
> +
> +       return CMD_RET_SUCCESS;
> +}
> +
> +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc,
> +                      char *const argv[])
> +{
> +       if (argc != 1)
> +               return CMD_RET_USAGE;
> +
> +       if (tee_provision_scp03()) {
> +               printf("TEE failed to provision SCP03 keys\n");
> +               return CMD_RET_FAILURE;
> +       }
> +
> +       printf("SCP03 is provisioned\n");
> +
> +       return CMD_RET_SUCCESS;
> +}
> +
> +static char text[] =
> +       "provides a command to enable SCP03 and provision the SCP03 keys\n"
> +       " enable    - enable SCP03 on the TEE\n"
> +       " provision - provision SCP03 on the TEE\n";
> +
> +U_BOOT_CMD_WITH_SUBCMDS(scp03, "Secure Channel Protocol 03 control", text,
> +       U_BOOT_SUBCMD_MKENT(enable, 1, 1, do_scp03_enable),
> +       U_BOOT_SUBCMD_MKENT(provision, 1, 1, do_scp03_provision));
> +
> --
> 2.30.0
>

Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>

-- 
Best regards - Freundliche Gr?sse - Meilleures salutations

Igor Opaniuk
Embedded Software Engineer
T:  +380 938364067
E: igor.opaniuk at foundries.io
W: www.foundries.io

[PATCHv5 2/6] cmd: SCP03: enable and provision command

[Tom Rini]

On Sun, Feb 14, 2021 at 04:27:24PM +0100, Jorge Ramirez-Ortiz wrote:

> Enable and provision the SCP03 keys on a TEE controlled secured elemt
> from the U-Boot shell.
> 
> Executing this command will generate and program new SCP03 encryption
> keys on the secure element NVM.
> 
> Depending on the TEE implementation, the keys would then be stored in
> some persistent storage or better derived from some platform secret
> (so they can't be lost).
> 
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210315/d3e87775/attachment.sig>

[PATCHv5 3/6] drivers: tee: sandbox: SCP03 control emulator

[Jorge Ramirez-Ortiz]

Adds support for a working SCP03 emulation. Input parameters are
validated however the commands (enable, provision) executed by the TEE
are assumed to always succeed.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 drivers/tee/optee/Kconfig |  6 +++++
 drivers/tee/sandbox.c     | 57 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
index d489834df9..98988c38f0 100644
--- a/drivers/tee/optee/Kconfig
+++ b/drivers/tee/optee/Kconfig
@@ -22,6 +22,12 @@ config OPTEE_TA_AVB
 	  The TA can support the "avb" subcommands "read_rb", "write"rb"
 	  and "is_unlocked".
 
+config OPTEE_TA_SCP03
+	bool "Support SCP03 TA"
+	default y
+	help
+	  Enables support for controlling (enabling, provisioning) the
+	  Secure Channel Protocol 03 operation in the OP-TEE SCP03 TA.
 endmenu
 
 endif
diff --git a/drivers/tee/sandbox.c b/drivers/tee/sandbox.c
index e1ba027fd6..f25cdd47e4 100644
--- a/drivers/tee/sandbox.c
+++ b/drivers/tee/sandbox.c
@@ -7,6 +7,7 @@
 #include <sandboxtee.h>
 #include <tee.h>
 #include <tee/optee_ta_avb.h>
+#include <tee/optee_ta_scp03.h>
 
 /*
  * The sandbox tee driver tries to emulate a generic Trusted Exectution
@@ -32,7 +33,7 @@ struct ta_entry {
 			   struct tee_param *params);
 };
 
-#ifdef CONFIG_OPTEE_TA_AVB
+#if defined(CONFIG_OPTEE_TA_SCP03) || defined(CONFIG_OPTEE_TA_AVB)
 static u32 get_attr(uint n, uint num_params, struct tee_param *params)
 {
 	if (n >= num_params)
@@ -44,7 +45,7 @@ static u32 get_attr(uint n, uint num_params, struct tee_param *params)
 static u32 check_params(u8 p0, u8 p1, u8 p2, u8 p3, uint num_params,
 			struct tee_param *params)
 {
-	u8 p[] = { p0, p1, p2, p3};
+	u8 p[] = { p0, p1, p2, p3 };
 	uint n;
 
 	for (n = 0; n < ARRAY_SIZE(p); n++)
@@ -62,6 +63,52 @@ bad_params:
 
 	return TEE_ERROR_BAD_PARAMETERS;
 }
+#endif
+
+#ifdef CONFIG_OPTEE_TA_SCP03
+static u32 pta_scp03_open_session(struct udevice *dev, uint num_params,
+				  struct tee_param *params)
+{
+	/*
+	 * We don't expect additional parameters when opening a session to
+	 * this TA.
+	 */
+	return check_params(TEE_PARAM_ATTR_TYPE_NONE, TEE_PARAM_ATTR_TYPE_NONE,
+			    TEE_PARAM_ATTR_TYPE_NONE, TEE_PARAM_ATTR_TYPE_NONE,
+			    num_params, params);
+}
+
+static u32 pta_scp03_invoke_func(struct udevice *dev, u32 func, uint num_params,
+				 struct tee_param *params)
+{
+	u32 res;
+	static bool enabled;
+
+	switch (func) {
+	case PTA_CMD_ENABLE_SCP03:
+		res = check_params(TEE_PARAM_ATTR_TYPE_VALUE_INPUT,
+				   TEE_PARAM_ATTR_TYPE_NONE,
+				   TEE_PARAM_ATTR_TYPE_NONE,
+				   TEE_PARAM_ATTR_TYPE_NONE,
+				   num_params, params);
+		if (res)
+			return res;
+
+		if (!enabled) {
+			enabled = true;
+		} else {
+		}
+
+		if (params[0].u.value.a)
+
+		return TEE_SUCCESS;
+	default:
+		return TEE_ERROR_NOT_SUPPORTED;
+	}
+}
+#endif
+
+#ifdef CONFIG_OPTEE_TA_AVB
 
 static u32 ta_avb_open_session(struct udevice *dev, uint num_params,
 			       struct tee_param *params)
@@ -223,6 +270,12 @@ static const struct ta_entry ta_entries[] = {
 	  .invoke_func = ta_avb_invoke_func,
 	},
 #endif
+#ifdef CONFIG_OPTEE_TA_SCP03
+	{ .uuid = PTA_SCP03_UUID,
+	  .open_session = pta_scp03_open_session,
+	  .invoke_func = pta_scp03_invoke_func,
+	},
+#endif
 };
 
 static void sandbox_tee_get_version(struct udevice *dev,
-- 
2.30.0

[PATCHv5 3/6] drivers: tee: sandbox: SCP03 control emulator

[Tom Rini]

On Sun, Feb 14, 2021 at 04:27:25PM +0100, Jorge Ramirez-Ortiz wrote:

> Adds support for a working SCP03 emulation. Input parameters are
> validated however the commands (enable, provision) executed by the TEE
> are assumed to always succeed.
> 
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210315/0e7c70b9/attachment.sig>

[PATCHv5 4/6] doc: describe the scp03 command

[Jorge Ramirez-Ortiz]

The Secure Channel Protocol 03 command sends control requests
(enable/provision) to the TEE implementing the protocol between the
processor and the secure element.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 doc/usage/index.rst |  1 +
 doc/usage/scp03.rst | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 doc/usage/scp03.rst

diff --git a/doc/usage/index.rst b/doc/usage/index.rst
index 5754958d7e..fa1c4160b9 100644
--- a/doc/usage/index.rst
+++ b/doc/usage/index.rst
@@ -29,3 +29,4 @@ Shell commands
    pstore
    sbi
    true
+   scp03
diff --git a/doc/usage/scp03.rst b/doc/usage/scp03.rst
new file mode 100644
index 0000000000..7ff87ed85a
--- /dev/null
+++ b/doc/usage/scp03.rst
@@ -0,0 +1,33 @@
+.. SPDX-License-Identifier: GPL-2.0+
+
+scp03 command
+=============
+
+Synopsis
+--------
+
+::
+
+    scp03 enable
+    scp03 provision
+
+Description
+-----------
+
+The *scp03* command calls into a Trusted Application executing in a
+Trusted Execution Environment to enable (if present) the Secure
+Channel Protocol 03 stablished between the processor and the secure
+element.
+
+This protocol encrypts all the communication between the processor and
+the secure element using a set of pre-defined keys. These keys can be
+rotated (provisioned) using the *provision* request.
+
+See also
+--------
+
+For some information on the internals implemented in the TEE, please
+check the GlobalPlatform documentation on `Secure Channel Protocol '03'`_
+
+.. _Secure Channel Protocol '03':
+   https://globalplatform.org/wp-content/uploads/2014/07/GPC_2.3_D_SCP03_v1.1.2_PublicRelease.pdf
-- 
2.30.0

[PATCHv5 4/6] doc: describe the scp03 command

[Tom Rini]

On Sun, Feb 14, 2021 at 04:27:26PM +0100, Jorge Ramirez-Ortiz wrote:

> The Secure Channel Protocol 03 command sends control requests
> (enable/provision) to the TEE implementing the protocol between the
> processor and the secure element.
> 
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210315/b95e5b0c/attachment.sig>

[PATCHv5 5/6] sandbox: imply SCP03 and CMD_SCP03

[Jorge Ramirez-Ortiz]

From: Igor Opaniuk <igor.opaniuk@foundries.io>

Enable by default SCP_03/CMD_SCP03 for sandbox target.

Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 arch/Kconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/Kconfig b/arch/Kconfig
index 27843cd79c..7023223927 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -142,6 +142,8 @@ config SANDBOX
 	imply AVB_VERIFY
 	imply LIBAVB
 	imply CMD_AVB
+	imply SCP03
+	imply CMD_SCP03
 	imply UDP_FUNCTION_FASTBOOT
 	imply VIRTIO_MMIO
 	imply VIRTIO_PCI
-- 
2.30.0

[PATCHv5 5/6] sandbox: imply SCP03 and CMD_SCP03

[Tom Rini]

On Sun, Feb 14, 2021 at 04:27:27PM +0100, Jorge Ramirez-Ortiz wrote:

> From: Igor Opaniuk <igor.opaniuk@foundries.io>
> 
> Enable by default SCP_03/CMD_SCP03 for sandbox target.
> 
> Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210315/d4f72b67/attachment.sig>

[PATCHv5 6/6] test: py: add initial coverage for scp03 cmd

[Jorge Ramirez-Ortiz]

From: Igor Opaniuk <igor.opaniuk@foundries.io>

Add initial test coverage for SCP03 command.

Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 test/py/tests/test_scp03.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 test/py/tests/test_scp03.py

diff --git a/test/py/tests/test_scp03.py b/test/py/tests/test_scp03.py
new file mode 100644
index 0000000000..1f689252dd
--- /dev/null
+++ b/test/py/tests/test_scp03.py
@@ -0,0 +1,27 @@
+# Copyright (c) 2021 Foundries.io Ltd
+#
+# SPDX-License-Identifier:  GPL-2.0+
+#
+# SCP03 command test
+
+"""
+This tests SCP03 command in U-boot.
+
+For additional details check doc/usage/scp03.rst
+"""
+
+import pytest
+import u_boot_utils as util
+
+ at pytest.mark.buildconfigspec('cmd_scp03')
+def test_scp03(u_boot_console):
+    """Enable and provision keys with SCP03
+    """
+
+    success_str1 = "SCP03 is enabled"
+    success_str2 = "SCP03 is provisioned"
+
+    response = u_boot_console.run_command('scp03 enable')
+    assert success_str1 in response
+    response = u_boot_console.run_command('scp03 provision')
+    assert success_str2 in response
-- 
2.30.0

[PATCHv5 6/6] test: py: add initial coverage for scp03 cmd

[Tom Rini]

On Sun, Feb 14, 2021 at 04:27:28PM +0100, Jorge Ramirez-Ortiz wrote:

> From: Igor Opaniuk <igor.opaniuk@foundries.io>
> 
> Add initial test coverage for SCP03 command.
> 
> Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/next, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210315/da0b892b/attachment.sig>

[PATCHv5 0/6] SCP03 control, documentation and tests.

[Jorge]

On 14/02/21, Jorge Ramirez-Ortiz wrote:
> Simply adding the reviewed-by tags to the v5 series.

why has this not been merged yet?

> 
> Igor Opaniuk (2):
>   sandbox: imply SCP03 and CMD_SCP03
>   test: py: add initial coverage for scp03 cmd
> 
> Jorge Ramirez-Ortiz (4):
>   common: SCP03 control (enable and provision of keys)
>   cmd: SCP03: enable and provision command
>   drivers: tee: sandbox: SCP03 control emulator
>   doc: describe the scp03 command
> 
>  arch/Kconfig                 |  2 ++
>  cmd/Kconfig                  |  8 +++++
>  cmd/Makefile                 |  3 ++
>  cmd/scp03.c                  | 52 ++++++++++++++++++++++++++++++++
>  common/Kconfig               |  8 +++++
>  common/Makefile              |  1 +
>  common/scp03.c               | 53 +++++++++++++++++++++++++++++++++
>  doc/usage/index.rst          |  1 +
>  doc/usage/scp03.rst          | 33 +++++++++++++++++++++
>  drivers/tee/optee/Kconfig    |  6 ++++
>  drivers/tee/sandbox.c        | 57 ++++++++++++++++++++++++++++++++++--
>  include/scp03.h              | 21 +++++++++++++
>  include/tee/optee_ta_scp03.h | 21 +++++++++++++
>  test/py/tests/test_scp03.py  | 27 +++++++++++++++++
>  14 files changed, 291 insertions(+), 2 deletions(-)
>  create mode 100644 cmd/scp03.c
>  create mode 100644 common/scp03.c
>  create mode 100644 doc/usage/scp03.rst
>  create mode 100644 include/scp03.h
>  create mode 100644 include/tee/optee_ta_scp03.h
>  create mode 100644 test/py/tests/test_scp03.py
> 
> -- 
> 2.30.0
> 

[PATCHv5 0/6] SCP03 control, documentation and tests.

[Simon Glass]

Hi Foundries,

On Wed, 10 Mar 2021 at 09:59, Jorge Ramirez-Ortiz, Foundries
<jorge@foundries.io> wrote:
>
> On 14/02/21, Jorge Ramirez-Ortiz wrote:
> > Simply adding the reviewed-by tags to the v5 series.
>
> why has this not been merged yet?

You can check in patchwork to see whose queue it is in.

Regards,
Simon

[PATCHv5 0/6] SCP03 control, documentation and tests.

[Jorge]

On 11/03/21, Simon Glass wrote:
> Hi Foundries,
> 
> On Wed, 10 Mar 2021 at 09:59, Jorge Ramirez-Ortiz, Foundries
> <jorge@foundries.io> wrote:
> >
> > On 14/02/21, Jorge Ramirez-Ortiz wrote:
> > > Simply adding the reviewed-by tags to the v5 series.
> >
> > why has this not been merged yet?
> 
> You can check in patchwork to see whose queue it is in.

ah ok, thanks Simon.
(adding Tom to the thread now).

> 
> Regards,
> Simon

[PATCHv5 0/6] SCP03 control, documentation and tests.

[Tom Rini]

On Fri, Mar 12, 2021 at 09:28:25AM +0100, Jorge Ramirez-Ortiz, Foundries wrote:
> On 11/03/21, Simon Glass wrote:
> > Hi Foundries,
> > 
> > On Wed, 10 Mar 2021 at 09:59, Jorge Ramirez-Ortiz, Foundries
> > <jorge@foundries.io> wrote:
> > >
> > > On 14/02/21, Jorge Ramirez-Ortiz wrote:
> > > > Simply adding the reviewed-by tags to the v5 series.
> > >
> > > why has this not been merged yet?
> > 
> > You can check in patchwork to see whose queue it is in.
> 
> ah ok, thanks Simon.
> (adding Tom to the thread now).

I am a bit behind on merging stuff to -next, sorry.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210312/e97d92bc/attachment.sig>

[PATCHv5 0/6] SCP03 control, documentation and tests.

[Jorge]

On 12/03/21, Tom Rini wrote:
> On Fri, Mar 12, 2021 at 09:28:25AM +0100, Jorge Ramirez-Ortiz, Foundries wrote:
> > On 11/03/21, Simon Glass wrote:
> > > Hi Foundries,
> > > 
> > > On Wed, 10 Mar 2021 at 09:59, Jorge Ramirez-Ortiz, Foundries
> > > <jorge@foundries.io> wrote:
> > > >
> > > > On 14/02/21, Jorge Ramirez-Ortiz wrote:
> > > > > Simply adding the reviewed-by tags to the v5 series.
> > > >
> > > > why has this not been merged yet?
> > > 
> > > You can check in patchwork to see whose queue it is in.
> > 
> > ah ok, thanks Simon.
> > (adding Tom to the thread now).
> 
> I am a bit behind on merging stuff to -next, sorry.

np thanks! I am a bit paranoid sometimes :)

> 
> -- 
> Tom

[PATCHv5 1/6] common: SCP03 control (enable and provision of keys)

[Jorge Ramirez-Ortiz]

This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).

All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.

For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.

To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).

For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
    check:
    core/drivers/crypto/se050/adaptors/utils/scp_config.c

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 common/Kconfig               |  8 ++++++
 common/Makefile              |  1 +
 common/scp03.c               | 53 ++++++++++++++++++++++++++++++++++++
 include/scp03.h              | 21 ++++++++++++++
 include/tee/optee_ta_scp03.h | 21 ++++++++++++++
 5 files changed, 104 insertions(+)
 create mode 100644 common/scp03.c
 create mode 100644 include/scp03.h
 create mode 100644 include/tee/optee_ta_scp03.h

diff --git a/common/Kconfig b/common/Kconfig
index 2bb3798f80..482f123534 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -588,6 +588,14 @@ config AVB_BUF_SIZE
 
 endif # AVB_VERIFY
 
+config SCP03
+	bool "Build SCP03 - Secure Channel Protocol O3 - controls"
+	depends on OPTEE || SANDBOX
+	depends on TEE
+	help
+	  This option allows U-Boot to enable and or provision SCP03 on an OPTEE
+	  controlled Secured Element.
+
 config SPL_HASH
 	bool # "Support hashing API (SHA1, SHA256, etc.)"
 	help
diff --git a/common/Makefile b/common/Makefile
index daeea67cf2..215b8b26fd 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o
 obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o
 
 obj-$(CONFIG_AVB_VERIFY) += avb_verify.o
+obj-$(CONFIG_SCP03) += scp03.o
diff --git a/common/scp03.c b/common/scp03.c
new file mode 100644
index 0000000000..09ef7b5ba3
--- /dev/null
+++ b/common/scp03.c
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#include <common.h>
+#include <scp03.h>
+#include <tee.h>
+#include <tee/optee_ta_scp03.h>
+
+static int scp03_enable(bool provision)
+{
+	const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID;
+	struct tee_open_session_arg session;
+	struct tee_invoke_arg invoke;
+	struct tee_param param;
+	struct udevice *tee = NULL;
+
+	tee = tee_find_device(tee, NULL, NULL, NULL);
+	if (!tee)
+		return -ENODEV;
+
+	memset(&session, 0, sizeof(session));
+	tee_optee_ta_uuid_to_octets(session.uuid, &uuid);
+	if (tee_open_session(tee, &session, 0, NULL))
+		return -ENXIO;
+
+	memset(&param, 0, sizeof(param));
+	param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
+	param.u.value.a = provision;
+
+	memset(&invoke, 0, sizeof(invoke));
+	invoke.func = PTA_CMD_ENABLE_SCP03;
+	invoke.session = session.session;
+
+	if (tee_invoke_func(tee, &invoke, 1, &param))
+		return -EIO;
+
+	tee_close_session(tee, session.session);
+
+	return 0;
+}
+
+int tee_enable_scp03(void)
+{
+	return scp03_enable(false);
+}
+
+int tee_provision_scp03(void)
+{
+	return scp03_enable(true);
+}
diff --git a/include/scp03.h b/include/scp03.h
new file mode 100644
index 0000000000..729667ccd1
--- /dev/null
+++ b/include/scp03.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#ifndef _SCP03_H
+#define _SCP03_H
+
+/*
+ * Requests to OPTEE to enable or provision the Secure Channel Protocol on its
+ * Secure Element
+ *
+ *  If key provisioning is requested, OPTEE shall generate new SCP03 keys and
+ *  write them to the Secure Element.
+ *
+ *  Both functions return < 0 on error else 0.
+ */
+int tee_enable_scp03(void);
+int tee_provision_scp03(void);
+#endif /* _SCP03_H */
diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h
new file mode 100644
index 0000000000..13f9956d98
--- /dev/null
+++ b/include/tee/optee_ta_scp03.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+#ifndef __TA_SCP03_H
+#define __TA_SCP03_H
+
+#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \
+			{ 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } }
+
+/*
+ * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element.
+ *   Setting the operation value to something different than NULL will trigger
+ *   the SCP03 provisioning request.
+ *
+ *   in	params[0].a = operation
+ */
+#define PTA_CMD_ENABLE_SCP03	0
+
+#endif /*__TA_SCP03_H*/
-- 
2.30.0

[PATCHv5 5/6] sandbox: imply SCP03 and CMD_SCP03

[Jorge Ramirez-Ortiz]

From: Igor Opaniuk <igor.opaniuk@foundries.io>

Enable by default SCP_03/CMD_SCP03 for sandbox target.

Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
---
 arch/Kconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/Kconfig b/arch/Kconfig
index 27843cd79c..7023223927 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -142,6 +142,8 @@ config SANDBOX
 	imply AVB_VERIFY
 	imply LIBAVB
 	imply CMD_AVB
+	imply SCP03
+	imply CMD_SCP03
 	imply UDP_FUNCTION_FASTBOOT
 	imply VIRTIO_MMIO
 	imply VIRTIO_PCI
-- 
2.30.0

[PATCHv5 5/6] sandbox: imply SCP03 and CMD_SCP03

[Simon Glass]

On Tue, 9 Feb 2021 at 13:10, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote:
>
> From: Igor Opaniuk <igor.opaniuk@foundries.io>
>
> Enable by default SCP_03/CMD_SCP03 for sandbox target.
>
> Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
> ---
>  arch/Kconfig | 2 ++
>  1 file changed, 2 insertions(+)
>

Reviewed-by: Simon Glass <sjg@chromium.org>