From mboxrd@z Thu Jan  1 00:00:00 1970
From: Simon Glass <sjg@chromium.org>
Date: Sun, 7 Feb 2021 07:37:56 -0700
Subject: [PATCHv2 1/3] common: SCP03 control (enable and provision of keys)
In-Reply-To: <20210206231147.5368-1-jorge@foundries.io>
References: <20210206231147.5368-1-jorge@foundries.io>
Message-ID: <CAPnjgZ3cuNbVCac9ArUuYRkFJutuqF4hq=NankpQyKeZJvJsPg@mail.gmail.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Jorge,

On Sat, 6 Feb 2021 at 16:11, Jorge Ramirez-Ortiz <jorge@foundries.io> wrote:
>
> This Trusted Application allows enabling and provisioning SCP03 keys
> on TEE controlled secure element (ie, NXP SE050)
>
> For information on SCP03, check the Global Platform HomePage[1]
> [1] globalplatform.org
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> ---
>  common/Kconfig               |  8 ++++++
>  common/Makefile              |  1 +
>  common/scp03.c               | 52 ++++++++++++++++++++++++++++++++++++
>  include/scp03.h              | 19 +++++++++++++
>  include/tee/optee_ta_scp03.h | 21 +++++++++++++++
>  5 files changed, 101 insertions(+)
>  create mode 100644 common/scp03.c
>  create mode 100644 include/scp03.h
>  create mode 100644 include/tee/optee_ta_scp03.h

Reviewed-by: Simon Glass <sjg@chromium.org>

But please see below

>
> diff --git a/common/Kconfig b/common/Kconfig
> index 2bb3798f80..482f123534 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -588,6 +588,14 @@ config AVB_BUF_SIZE
>
>  endif # AVB_VERIFY
>
> +config SCP03
> +       bool "Build SCP03 - Secure Channel Protocol O3 - controls"
> +       depends on OPTEE || SANDBOX
> +       depends on TEE
> +       help
> +         This option allows U-Boot to enable and or provision SCP03 on an OPTEE
> +         controlled Secured Element.

Why would you want to do that? Please expand this a bit

> +
>  config SPL_HASH
>         bool # "Support hashing API (SHA1, SHA256, etc.)"
>         help
> diff --git a/common/Makefile b/common/Makefile
> index daeea67cf2..215b8b26fd 100644
> --- a/common/Makefile
> +++ b/common/Makefile
> @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o
>  obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o
>
>  obj-$(CONFIG_AVB_VERIFY) += avb_verify.o
> +obj-$(CONFIG_SCP03) += scp03.o
> diff --git a/common/scp03.c b/common/scp03.c
> new file mode 100644
> index 0000000000..c655283387
> --- /dev/null
> +++ b/common/scp03.c
> @@ -0,0 +1,52 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +

common.h

> +#include <scp03.h>
> +#include <tee.h>
> +#include <tee/optee_ta_scp03.h>
> +
> +static int scp03_enable(bool provision)
> +{
> +       const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID;
> +       struct tee_open_session_arg session;
> +       struct tee_invoke_arg invoke;
> +       struct tee_param param;
> +       struct udevice *tee = NULL;
> +
> +       tee = tee_find_device(tee, NULL, NULL, NULL);
> +       if (!tee)
> +               return -ENODEV;
> +
> +       memset(&session, 0, sizeof(session));
> +       tee_optee_ta_uuid_to_octets(session.uuid, &uuid);
> +       if (tee_open_session(tee, &session, 0, NULL))
> +               return -ENODEV;

Should return the actual error from tee_open_session(). You can't
return -ENODEV as there is a device.

> +
> +       memset(&param, 0, sizeof(param));
> +       param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
> +       param.u.value.a = provision;
> +
> +       memset(&invoke, 0, sizeof(invoke));
> +       invoke.func = PTA_CMD_ENABLE_SCP03;
> +       invoke.session = session.session;
> +
> +       if (tee_invoke_func(tee, &invoke, 1, &param))
> +               return -EIO;

Please return the actual error

> +
> +       tee_close_session(tee, session.session);
> +
> +       return 0;
> +}
> +
> +int tee_enable_scp03(void)
> +{
> +       return scp03_enable(false);
> +}
> +
> +int tee_provision_scp03(void)
> +{
> +       return scp03_enable(true);
> +}
> diff --git a/include/scp03.h b/include/scp03.h
> new file mode 100644
> index 0000000000..034796ada3
> --- /dev/null
> +++ b/include/scp03.h
> @@ -0,0 +1,19 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
> +#ifndef _SCP03_H
> +#define _SCP03_H
> +
> +/*
> + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its
> + * Secure Element
> + *
> + *  If key provisioning is requested, OPTEE shall generate new SCP03 keys and
> + *  write them to the Secure Element.

@return

> + */
> +int tee_enable_scp03(void);
> +int tee_provision_scp03(void);
> +#endif /* _SCP03_H */

Regards,
Simon