From: Simon Glass <sjg@chromium.org>
To: u-boot@lists.denx.de
Subject: [PATCHv2 1/3] common: SCP03 control (enable and provision of keys)
Date: Sun, 7 Feb 2021 07:37:56 -0700 [thread overview]
Message-ID: <CAPnjgZ3cuNbVCac9ArUuYRkFJutuqF4hq=NankpQyKeZJvJsPg@mail.gmail.com> (raw)
In-Reply-To: <20210206231147.5368-1-jorge@foundries.io>
Hi Jorge,
On Sat, 6 Feb 2021 at 16:11, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote:
>
> This Trusted Application allows enabling and provisioning SCP03 keys
> on TEE controlled secure element (ie, NXP SE050)
>
> For information on SCP03, check the Global Platform HomePage[1]
> [1] globalplatform.org
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> ---
> common/Kconfig | 8 ++++++
> common/Makefile | 1 +
> common/scp03.c | 52 ++++++++++++++++++++++++++++++++++++
> include/scp03.h | 19 +++++++++++++
> include/tee/optee_ta_scp03.h | 21 +++++++++++++++
> 5 files changed, 101 insertions(+)
> create mode 100644 common/scp03.c
> create mode 100644 include/scp03.h
> create mode 100644 include/tee/optee_ta_scp03.h
Reviewed-by: Simon Glass <sjg@chromium.org>
But please see below
>
> diff --git a/common/Kconfig b/common/Kconfig
> index 2bb3798f80..482f123534 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -588,6 +588,14 @@ config AVB_BUF_SIZE
>
> endif # AVB_VERIFY
>
> +config SCP03
> + bool "Build SCP03 - Secure Channel Protocol O3 - controls"
> + depends on OPTEE || SANDBOX
> + depends on TEE
> + help
> + This option allows U-Boot to enable and or provision SCP03 on an OPTEE
> + controlled Secured Element.
Why would you want to do that? Please expand this a bit
> +
> config SPL_HASH
> bool # "Support hashing API (SHA1, SHA256, etc.)"
> help
> diff --git a/common/Makefile b/common/Makefile
> index daeea67cf2..215b8b26fd 100644
> --- a/common/Makefile
> +++ b/common/Makefile
> @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o
> obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o
>
> obj-$(CONFIG_AVB_VERIFY) += avb_verify.o
> +obj-$(CONFIG_SCP03) += scp03.o
> diff --git a/common/scp03.c b/common/scp03.c
> new file mode 100644
> index 0000000000..c655283387
> --- /dev/null
> +++ b/common/scp03.c
> @@ -0,0 +1,52 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
common.h
> +#include <scp03.h>
> +#include <tee.h>
> +#include <tee/optee_ta_scp03.h>
> +
> +static int scp03_enable(bool provision)
> +{
> + const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID;
> + struct tee_open_session_arg session;
> + struct tee_invoke_arg invoke;
> + struct tee_param param;
> + struct udevice *tee = NULL;
> +
> + tee = tee_find_device(tee, NULL, NULL, NULL);
> + if (!tee)
> + return -ENODEV;
> +
> + memset(&session, 0, sizeof(session));
> + tee_optee_ta_uuid_to_octets(session.uuid, &uuid);
> + if (tee_open_session(tee, &session, 0, NULL))
> + return -ENODEV;
Should return the actual error from tee_open_session(). You can't
return -ENODEV as there is a device.
> +
> + memset(¶m, 0, sizeof(param));
> + param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
> + param.u.value.a = provision;
> +
> + memset(&invoke, 0, sizeof(invoke));
> + invoke.func = PTA_CMD_ENABLE_SCP03;
> + invoke.session = session.session;
> +
> + if (tee_invoke_func(tee, &invoke, 1, ¶m))
> + return -EIO;
Please return the actual error
> +
> + tee_close_session(tee, session.session);
> +
> + return 0;
> +}
> +
> +int tee_enable_scp03(void)
> +{
> + return scp03_enable(false);
> +}
> +
> +int tee_provision_scp03(void)
> +{
> + return scp03_enable(true);
> +}
> diff --git a/include/scp03.h b/include/scp03.h
> new file mode 100644
> index 0000000000..034796ada3
> --- /dev/null
> +++ b/include/scp03.h
> @@ -0,0 +1,19 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
> +#ifndef _SCP03_H
> +#define _SCP03_H
> +
> +/*
> + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its
> + * Secure Element
> + *
> + * If key provisioning is requested, OPTEE shall generate new SCP03 keys and
> + * write them to the Secure Element.
@return
> + */
> +int tee_enable_scp03(void);
> +int tee_provision_scp03(void);
> +#endif /* _SCP03_H */
Regards,
Simon
next prev parent reply other threads:[~2021-02-07 14:37 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-06 23:11 [PATCHv2 1/3] common: SCP03 control (enable and provision of keys) Jorge Ramirez-Ortiz
2021-02-06 23:11 ` [PATCHv2 2/3] cmd: SCP03: enable and provision command Jorge Ramirez-Ortiz
2021-02-07 14:38 ` Simon Glass
2021-02-06 23:11 ` [PATCHv2 3/3] drivers: tee: sandbox: secure channel protocol control Jorge Ramirez-Ortiz
2021-02-07 14:38 ` Simon Glass
2021-02-07 14:37 ` Simon Glass [this message]
2021-02-07 15:58 ` [PATCHv2 1/3] common: SCP03 control (enable and provision of keys) Jorge
2021-02-07 16:19 ` Simon Glass
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPnjgZ3cuNbVCac9ArUuYRkFJutuqF4hq=NankpQyKeZJvJsPg@mail.gmail.com' \
--to=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.