From: Sumit Garg
Date: Thu, 14 May 2020 07:39:35 +0000
Subject: Re: [PATCH v4 2/4] KEYS: trusted: Introduce TEE based Trusted Keys
References: <1588758017-30426-1-git-send-email-sumit.garg@linaro.org> <1588758017-30426-3-git-send-email-sumit.garg@linaro.org>
To: Jarkko Sakkinen
Cc: "tee-dev @ lists . linaro . org", Daniel Thompson, op-tee@lists.trustedfirmware.org, Jonathan Corbet, James Bottomley, Janne Karhunen, Linux Doc Mailing List, James Morris, Mimi Zohar, Linux Kernel Mailing List, dhowells@redhat.com, linux-security-module@vger.kernel.org, "open list:ASYMMETRIC KEYS", Markus Wamser, Casey Schaufler, linux-integrity@vger.kernel.org, Jens Wiklander, linux-arm-kernel, "Serge E. Hallyn"

On Thu, 14 May 2020 at 05:58, Jarkko Sakkinen wrote:
>
> On Wed, 2020-05-06 at 15:10 +0530, Sumit Garg wrote:
> > Add support for TEE based trusted keys where TEE provides the functionality
> > to seal and unseal trusted keys using hardware unique key.
> >
> > Refer to Documentation/tee.txt for detailed information about TEE.
> >
> > Signed-off-by: Sumit Garg
>
> The implementation looks solid but how or who could possibly test this?
>
> I do possess (personally, not from employer) a bunch of ARM boards but my
> TZ knowledge is somewhat limited (e.g. how can I get something running
> in TZ).
>

Although it should be fairly easy to test this implementation on an ARM board which supports OP-TEE, since you are new to the ARM TrustZone world, I would suggest you get used to OP-TEE on a QEMU based setup.
You could find pretty good documentation for this here [1] but for simplicity let me document the steps here to test this trusted keys feature from scratch:

# Install prerequisites as mentioned here [2]

# Get the source code
$ mkdir -p
$ cd
$ repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml
$ repo sync -j4 --no-clone-bundle

# Get the toolchain
$ cd /build
$ make -j2 toolchains

# As trusted keys work is based on latest tpmdd/master, we can change the Linux base as follows:
$ cd /linux
$ git remote add tpmdd git://git.infradead.org/users/jjs/linux-tpmdd.git
$ git pull tpmdd
$ git checkout -b tpmdd-master remotes/tpmdd/master

# Cherry-pick and apply the TEE features patch-set from this PR [3]
# Apply this Linux trusted keys patch-set.

# Now move on to build the source code
$ cd /build
# Apply the attached "keyctl_change" patch
$ patch -p1 < keyctl_change
$ make -j`nproc` CFG_IN_TREE_EARLY_TAS=trusted_keys/f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c

# Run QEMU setup
$ make run-only
# Type "c" on the QEMU console to continue boot
# Now there should be two virtual consoles up, one for OP-TEE and the other for Linux
# On the Linux console, you can play with the "keyctl" utility to have trusted and encrypted keys based on TEE.

Do let me know in case you are stuck while following the above steps.
[1] https://optee.readthedocs.io/en/latest/building/devices/qemu.html#qemu-v8
[2] https://optee.readthedocs.io/en/latest/building/prerequisites.html#prerequisites
[3] https://lkml.org/lkml/2020/5/4/1062

-Sumit

> /Jarkko
>

Attachment: keyctl_change (decoded from the base64 part of the mail)

diff --git a/common.mk b/common.mk
index aeb7b41..663e528 100644
--- a/common.mk
+++ b/common.mk
@@ -229,6 +229,7 @@ BR2_PACKAGE_OPTEE_TEST_SDK ?= $(OPTEE_OS_TA_DEV_KIT_DIR)
 BR2_PACKAGE_OPTEE_TEST_SITE ?= $(OPTEE_TEST_PATH)
 BR2_PACKAGE_STRACE ?= y
 BR2_TARGET_GENERIC_GETTY_PORT ?= $(if $(CFG_NW_CONSOLE_UART),ttyAMA$(CFG_NW_CONSOLE_UART),ttyAMA0)
+BR2_PACKAGE_KEYUTILS := y
 
 # All BR2_* variables from the makefile or the environment are appended to
 # ../out-br/extra.conf. All values are quoted "..." except y and n.
diff --git a/kconfigs/qemu.conf b/kconfigs/qemu.conf
index 368c18a..832ab74 100644
--- a/kconfigs/qemu.conf
+++ b/kconfigs/qemu.conf
@@ -20,3 +20,5 @@ CONFIG_9P_FS=y
 CONFIG_9P_FS_POSIX_ACL=y
 CONFIG_HW_RANDOM=y
 CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_TRUSTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
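Review bot: in the common.mk hunk, the added `BR2_PACKAGE_KEYUTILS := y` uses a simple assignment while every neighbouring BR2_* line uses `?=`, and the comment two lines below says these variables may come from the makefile or the environment; with `:=` an environment override is silently ignored, so `BR2_PACKAGE_KEYUTILS ?= y` would match the file's convention and keep that override path working.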
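Review bot: in the kconfigs/qemu.conf hunk, `CONFIG_TRUSTED_KEYS=y` and `CONFIG_ENCRYPTED_KEYS=y` turn on the key types but nothing in the shown context enables the TEE driver the trusted-keys TEE backend depends on, so anyone carrying this over to another kconfig fragment should confirm `CONFIG_TEE` and the OP-TEE driver are already enabled there; it would also be worth saying in the mail that only the trusted-key option is required for sealing, and the encrypted-key option is there for the keyctl experiment at the end of the steps.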
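The last step of the procedure above leaves the reader at "play with keyctl". The following script, an added example that is not part of Sumit's mail, of the kernel patch-set, or of the OP-TEE project, walks through that part on the Linux console of the QEMU setup: it creates a TEE-sealed trusted key, exports the sealed blob, checks that what user space sees is an opaque hex blob rather than the key material, derives an encrypted key from it, and then reloads the trusted key from the blob as would happen after a reboot. It assumes the keyutils `keyctl` binary is present (which the attached keyctl_change patch adds to the image) and that CONFIG_TRUSTED_KEYS and CONFIG_ENCRYPTED_KEYS are built in; the key names `kmk` and `evm`, the key sizes and the blob path are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail, the kernel series or OP-TEE):
# exercise TEE-backed trusted keys with keyctl. Assumes keyctl is installed
# and the trusted/encrypted key types are built in. Names and paths are
# constructed for the demo.

KEYRING="${KEYRING:-@u}"        # user keyring; @s (session) also works
BLOB_DIR="${BLOB_DIR:-/tmp}"    # where the sealed blob is persisted

# Create a fresh trusted key named $1 with $2 bytes of key material.
# The random key is generated and sealed inside the kernel/TEE; user space
# only ever receives a sealed blob. Prints the key serial number.
new_trusted_key() {
    keyctl add trusted "$1" "new $2" "$KEYRING"
}

# Write the sealed blob of key serial $1 (ASCII hex) to file $2. The blob
# is what survives a reboot; it is useless without the hardware unique key
# of the TEE that sealed it.
export_blob() {
    keyctl pipe "$1" > "$2"
}

# Re-create trusted key $1 from the sealed blob stored in file $2. The kernel
# asks the TEE to unseal it; the plaintext never leaves the kernel.
load_trusted_key() {
    keyctl add trusted "$1" "load $(cat "$2")" "$KEYRING"
}

# Create an encrypted key $1 of $3 bytes protected by trusted key $2 (its
# master key), so it too is only exportable in wrapped form.
new_encrypted_key() {
    keyctl add encrypted "$1" "new trusted:$2 $3" "$KEYRING"
}

# Accept only a lowercase hex string: anything else means keyctl returned an
# error string or the key is not a trusted key.
is_hex_blob() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]+$'
}

# A sealed blob of an n-byte key must be longer than 2*n hex characters,
# because the TEE adds its own sealing metadata; an equal length would mean
# the raw key had been handed out in the clear.
blob_is_sealed() {
    blob=$1; key_bytes=$2
    is_hex_blob "$blob" && [ "${#blob}" -gt $((key_bytes * 2)) ]
}

main() {
    set -e
    kmk=$(new_trusted_key kmk 32)
    echo "trusted key kmk serial=$kmk"
    export_blob "$kmk" "$BLOB_DIR/kmk.blob"
    blob_is_sealed "$(cat "$BLOB_DIR/kmk.blob")" 32 || {
        echo "kmk blob does not look like a sealed blob" >&2; exit 1; }
    evm=$(new_encrypted_key evm kmk 32)
    echo "encrypted key evm serial=$evm"
    # Simulate a reboot: drop kmk from the keyring and reload it from the blob.
    keyctl unlink "$kmk" "$KEYRING"
    kmk2=$(load_trusted_key kmk "$BLOB_DIR/kmk.blob")
    echo "reloaded kmk serial=$kmk2"
    keyctl show "$KEYRING"
}

# Only run the demo when asked (sh trusted_keys_demo.sh run), so the
# functions above can also be sourced into an interactive shell.
case "${1:-}" in run) main ;; esac
```

Run it as `sh trusted_keys_demo.sh run` on the Linux console; the unlink-and-reload step is the one that actually proves the TEE path, since loading the blob on a machine with a different hardware unique key fails.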