devicetree-spec.vger.kernel.org archive mirror
* Device tree usage in TF-A & OP-Tee consultation
From: Yi Chou @ 2023-06-13  4:25 UTC (permalink / raw)
  To: devicetree-spec-u79uwXL29TY76Z2rM5mHXA
  Cc: Julius Werner, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA,
	jens.wiklander-QSEj5FYQhm4dnm+yROfE0A,
	yich-hpIqsD4AKlfQT0dZR+AlfA, chenyian-hpIqsD4AKlfQT0dZR+AlfA

Hi, Linux device tree maintainers,

I am writing to you today to request a review of some custom device
tree bindings that we have developed. These bindings are not used by
the Linux kernel, but they are used by OP-TEE[1], a secure execution
environment for embedded systems.

We have placed these bindings under the "chosen" node in the device
tree, as suggested by Jeffrey Kardatzke.[2]
The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
widevine-dice, widevine-ta-key}".

We would like to have our bindings reviewed by a device tree
maintainer to ensure that they are correct. We would also like to get
your feedback on the best way to document these bindings.

Thank you for your time and consultation.

Sincerely,
Yi

[1]: https://github.com/OP-TEE/optee_os
[2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442


* Re: Device tree usage in TF-A & OP-Tee consultation
From: Rob Herring @ 2023-06-13 14:38 UTC (permalink / raw)
  To: Yi Chou
  Cc: devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Julius Werner,
	jkardatzke-hpIqsD4AKlfQT0dZR+AlfA,
	jens.wiklander-QSEj5FYQhm4dnm+yROfE0A,
	yich-hpIqsD4AKlfQT0dZR+AlfA, chenyian-hpIqsD4AKlfQT0dZR+AlfA

On Mon, Jun 12, 2023 at 10:29 PM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Hi, Linux device tree maintainers,

devicetree-spec is not Linux specific.

> I am writing to you today to request a review of some custom device
> tree bindings that we have developed. These bindings are not used by
> the Linux kernel, but they are used by OP-TEE[1], a secure execution
> environment for embedded systems.
>
> We have placed these bindings under the "chosen" node in the device
> tree, as suggested by Jeffrey Kardatzke.[2]
> The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
> widevine-dice, widevine-ta-key}".

I would advise against using /chosen as it is pretty much geared to be
consumed by a single client (typically "the OS"). Instead, /options
node[1] may be a better option which is what we did for u-boot
configuration. It somewhat depends on what components consume the DT.
If the DT is only ever going to be consumed by OP-TEE, then using
/chosen is probably fine. However, if say TF-A and OP-TEE use the same
DT, then you have 2 components to configure.

> We would like to have our bindings reviewed by a device tree
> maintainer to ensure that they are correct. We would also like to get
> your feedback on the best way to document these bindings.
>
> Thank you for your time and consultation.
>
> Sincerely,
> Yi
>
> [1]: https://github.com/OP-TEE/optee_os
> [2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442

I don't see any bindings here. Am I supposed to study the code to
figure out the binding? Please write a binding doc/schema if you want
it reviewed.

Rob

[1] https://github.com/devicetree-org/dt-schema/blob/main/dtschema/schemas/options.yaml


* Re: Device tree usage in TF-A & OP-Tee consultation
From: Simon Glass @ 2023-06-13 14:58 UTC (permalink / raw)
  To: Yi Chou
  Cc: devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Julius Werner,
	jkardatzke-hpIqsD4AKlfQT0dZR+AlfA,
	jens.wiklander-QSEj5FYQhm4dnm+yROfE0A,
	yich-hpIqsD4AKlfQT0dZR+AlfA, chenyian-hpIqsD4AKlfQT0dZR+AlfA

Hi,

On Tue, 13 Jun 2023 at 05:29, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Hi, Linux device tree maintainers,
>
> I am writing to you today to request a review of some custom device
> tree bindings that we have developed. These bindings are not used by
> the Linux kernel, but they are used by OP-TEE[1], a secure execution
> environment for embedded systems.
>
> We have placed these bindings under the "chosen" node in the device
> tree, as suggested by Jeffrey Kardatzke.[2]
> The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
> widevine-dice, widevine-ta-key}".
>
> We would like to have our bindings reviewed by a device tree
> maintainer to ensure that they are correct. We would also like to get
> your feedback on the best way to document these bindings.
>
> Thank you for your time and consultation.

Do you have a link to the binding, please?

Regards,
Simon


>
> Sincerely,
> Yi
>
> [1]: https://github.com/OP-TEE/optee_os
> [2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442


* Re: Device tree usage in TF-A & OP-Tee consultation
From: Yi Chou @ 2023-06-14  7:52 UTC (permalink / raw)
  To: Rob Herring, Simon Glass
  Cc: devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Julius Werner,
	jkardatzke-hpIqsD4AKlfQT0dZR+AlfA,
	jens.wiklander-QSEj5FYQhm4dnm+yROfE0A,
	yich-hpIqsD4AKlfQT0dZR+AlfA, chenyian-hpIqsD4AKlfQT0dZR+AlfA

Hi,

On Tue, Jun 13, 2023 at 10:38 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>
> On Mon, Jun 12, 2023 at 10:29 PM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > Hi, Linux device tree maintainers,
>
> devicetree-spec is not Linux specific.
>
> > I am writing to you today to request a review of some custom device
> > tree bindings that we have developed. These bindings are not used by
> > the Linux kernel, but they are used by OP-TEE[1], a secure execution
> > environment for embedded systems.
> >
> > We have placed these bindings under the "chosen" node in the device
> > tree, as suggested by Jeffrey Kardatzke.[2]
> > The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
> > widevine-dice, widevine-ta-key}".
>
> I would advise against using /chosen as it is pretty much geared to be
> consumed by a single client (typically "the OS"). Instead, /options
> node[1] may be a better option which is what we did for u-boot
> configuration. It somewhat depends on what components consume the DT.
> If the DT is only ever going to be consumed by OP-TEE, then using
> /chosen is probably fine. However, if say TF-A and OP-TEE use the same
> DT, then you have 2 components to configure.

In our use case, TF-A will generate the DT, and the DT will only be
consumed by OP-TEE. The Linux kernel should not see this data for
security reasons; I'm still not sure whether it is a good idea to put the bindings
in the Linux source tree.

>
> > We would like to have our bindings reviewed by a device tree
> > maintainer to ensure that they are correct. We would also like to get
> > your feedback on the best way to document these bindings.
> >
> > Thank you for your time and consultation.
> >
> > Sincerely,
> > Yi
> >
> > [1]: https://github.com/OP-TEE/optee_os
> > [2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442
>
> I don't see any bindings here. Am I supposed to study the code to
> figure out the binding? Please write a binding doc/schema if you want
> it reviewed.
>
> Rob
>
> [1] https://github.com/devicetree-org/dt-schema/blob/main/dtschema/schemas/options.yaml

Here is the patch of the binding, but I'm still not sure where the
correct place to put the binding is.

From 2b828cc3c5aad0ff2c5bc2baea874d3a3fe8f1c3 Mon Sep 17 00:00:00 2001
From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Date: Wed, 14 Jun 2023 14:49:46 +0800
Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters

The necessary fields to initialize the widevine related functions in OP-TEE.

Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
---
 .../bindings/chosen/google,widevine.yaml      | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644
Documentation/devicetree/bindings/chosen/google,widevine.yaml

diff --git a/Documentation/devicetree/bindings/chosen/google,widevine.yaml
b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
new file mode 100644
index 0000000000000..2fc16b1a1fcc4
--- /dev/null
+++ b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/chosen/google,widevine.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Google Widevine initialize parameters.
+
+maintainers:
+  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+
+description:
+  The necessary fields to initialize the widevine related functions in
+  OP-TEE. This node does not represent a real device, but serves as a
+  place for passing data between firmware and OP-TEE.
+
+properties:
+  compatible:
+    const: google,widevine
+
+  huk:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The encryption key of the Widevine OP-TEE storage.
+
+  tpm-auth-pk:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The TPM auth public key. Used to communicate the TPM from OP-TEE.
+
+  widevine-dice:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The Widevine boot certificate chain(Device Identifier Composition
+      Engine) of this device. Used to provision the device status with
+      the Widevine server in OP-TEE.
+
+  widevine-ta-key:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The Widevine private key corresponding to the widevine-dice.
+      Used to signing the widevine request in OP-TEE.
+
+required:
+  - compatible
+
+additionalProperties: false
+
+examples:
+  - |+
+    chosen {
+      widevine: {
+        compatible = "google,widevine";
+
+        huk = [00 de ad be af aa bb cc],
+        tpm-auth-pk = [00 de ad be af aa bb cc],
+        widevine-dice = [00 de ad be af aa bb cc],
+        widevine-ta-key = [00 de ad be af aa bb cc],
+      };
+    };
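Review bot: the example at the end of the hunk will not pass dtc, so `make dt_binding_check` (or dt-schema's `dt-validate`) would fail on it before the schema is even applied: `widevine: {` is a label with no node name (it should be `widevine {`), and the four data properties are terminated with `,` instead of `;`. The declared types also disagree with the example: `huk`, `tpm-auth-pk`, `widevine-dice` and `widevine-ta-key` are all `$ref: /schemas/types.yaml#/definitions/string`, while the example assigns byte arrays such as `huk = [00 de ad be af aa bb cc]`; keys and a DICE certificate chain are binary, so `/schemas/types.yaml#/definitions/uint8-array` is the type that matches the example and the descriptions. `required` lists only `compatible`, so a node with none of the key material is schema-valid; if OP-TEE cannot initialise without them, list them under `required` as well. Minor: "Used to signing the widevine request" in the widevine-ta-key description should read "Used to sign".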

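The thread turns on two things the binding's text leaves implicit: which consumer the node is for (Rob's /chosen versus /options point) and the fact that its properties are key material that must never appear in the device tree handed to the normal-world OS (Yi's note that the kernel should not see this data). The following is an added example, not code from the thread, OP-TEE, TF-A or dt-schema: a small Python parser for the DTS subset used in the binding example, a hand-transcribed copy of the posted schema's rules, and a `strip_node` helper that models removing the node before a DT reaches the normal world. `BINDING_AS_BYTES` is my hypothetical variant of the binding typed as `uint8-array`, and `SAMPLE_DTS` is a constructed sample: the patch's example rewritten with a node name instead of a bare label and `;` instead of `,` terminators, because the example as posted does not parse.

```python
"""Minimal DTS checker for the google,widevine node discussed in this thread.
Added example, not code from the thread, OP-TEE or TF-A."""
import copy
import re

# From the posted schema: only 'compatible' is required, additionalProperties
# is false, and every data property is typed 'string' (the schema's own
# example assigns byte arrays, which is the mismatch checked below).
BINDING_AS_POSTED = {"compatible": "string", "huk": "string",
                     "tpm-auth-pk": "string", "widevine-dice": "string",
                     "widevine-ta-key": "string"}
# Hypothetical variant typed to match the byte-array example.
BINDING_AS_BYTES = {k: ("string" if k == "compatible" else "uint8-array")
                    for k in BINDING_AS_POSTED}
REQUIRED = {"compatible"}

# Constructed sample: the patch's example rewritten with valid DTS syntax
# (a node name instead of a bare label, ';' instead of ',' terminators).
SAMPLE_DTS = """options {
    widevine {
        compatible = "google,widevine";
        huk = [00 de ad be af aa bb cc];
        tpm-auth-pk = [00 de ad be af aa bb cc];
        widevine-dice = [00 de ad be af aa bb cc];
        widevine-ta-key = [00 de ad be af aa bb cc];
    };
};
"""

# Tokens: "string", [byte array], <cells>, punctuation, names and labels.
TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|<[^>]*>|[{};=]|[^\s{};=]+')


def _classify(tok):
    """Map a property value token to (dt-schema type name, Python value)."""
    if tok.startswith('"'):
        return "string", tok[1:-1]
    if tok.startswith("["):
        return "uint8-array", bytes.fromhex(tok[1:-1])
    if tok.startswith("<"):
        return "uint32-array", tuple(int(c, 0) for c in tok[1:-1].split())
    raise ValueError(f"unsupported property value {tok!r}")


def _parse_body(toks, i):
    """Parse node contents from toks[i]; return (node, index of closing '}')."""
    props, children = {}, {}
    while toks[i] != "}":
        name = toks[i]
        while name.endswith(":"):      # labels such as "wv:" precede the name
            i += 1
            name = toks[i]
        if name in ("{", "}", ";", "="):
            raise ValueError(f"node name missing before {name!r}")
        nxt = toks[i + 1]
        if nxt == "{":                 # child node: name { ... };
            children[name], i = _parse_body(toks, i + 2)
            i += 2
        elif nxt == "=":               # property: name = value;
            if toks[i + 3] != ";":
                raise ValueError(f"property {name!r} must end with ';', "
                                 f"found {toks[i + 3]!r}")
            props[name] = _classify(toks[i + 2])
            i += 4
        else:
            raise ValueError(f"unexpected token {nxt!r} after {name!r}")
    return {"props": props, "children": children}, i


def parse_dts(text):
    """Parse a DTS fragment (one or more top-level nodes) into nested dicts."""
    return _parse_body(TOKEN.findall(text) + ["}"], 0)[0]


def syntax_error(text):
    """Return the parser's error message for `text`, or None if it parses."""
    try:
        parse_dts(text)
        return None
    except (ValueError, IndexError) as exc:
        return str(exc)


def check_node(node, binding, required=REQUIRED):
    """Apply the binding's rules to one node; return a list of problems."""
    problems = [f"{p}: required property missing"
                for p in sorted(required - set(node["props"]))]
    for name, (kind, _) in node["props"].items():
        if name not in binding:
            problems.append(f"{name}: not allowed (additionalProperties: false)")
        elif kind != binding[name]:
            problems.append(f"{name}: expected {binding[name]}, got {kind}")
    return problems


def strip_node(tree, path):
    """Copy of `tree` without the node at `path`, e.g. ("options", "widevine"):
    the shape of a DT handed to the normal world, which must not carry the keys."""
    out = copy.deepcopy(tree)
    parent = out
    for name in path[:-1]:
        parent = parent["children"][name]
    parent["children"].pop(path[-1], None)
    return out
```

Running `check_node` on the `widevine` node of `SAMPLE_DTS` against `BINDING_AS_POSTED` reports all four data properties as "expected string, got uint8-array", while `BINDING_AS_BYTES` accepts it; feeding the example exactly as posted (`widevine: {` with `,` terminators) makes `syntax_error` return a message instead of `None`. This is a teaching aid for the thread, not a replacement for dt-schema's `dt-validate`, which is what the binding needs to pass before it is merged anywhere.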

* Re: Device tree usage in TF-A & OP-Tee consultation
From: Simon Glass @ 2023-06-20 16:50 UTC (permalink / raw)
  To: Yi Chou
  Cc: Rob Herring, devicetree-spec-u79uwXL29TY76Z2rM5mHXA,
	Julius Werner, jkardatzke-hpIqsD4AKlfQT0dZR+AlfA,
	jens.wiklander-QSEj5FYQhm4dnm+yROfE0A,
	yich-hpIqsD4AKlfQT0dZR+AlfA, chenyian-hpIqsD4AKlfQT0dZR+AlfA

Hi Yi,

On Wed, 14 Jun 2023 at 08:52, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Hi,
>
> On Tue, Jun 13, 2023 at 10:38 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> >
> > On Mon, Jun 12, 2023 at 10:29 PM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > >
> > > Hi, Linux device tree maintainers,
> >
> > devicetree-spec is not Linux specific.
> >
> > > I am writing to you today to request a review of some custom device
> > > tree bindings that we have developed. These bindings are not used by
> > > the Linux kernel, but they are used by OP-TEE[1], a secure execution
> > > environment for embedded systems.
> > >
> > > We have placed these bindings under the "chosen" node in the device
> > > tree, as suggested by Jeffrey Kardatzke.[2]
> > > The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
> > > widevine-dice, widevine-ta-key}".
> >
> > I would advise against using /chosen as it is pretty much geared to be
> > consumed by a single client (typically "the OS"). Instead, /options
> > node[1] may be a better option which is what we did for u-boot
> > configuration. It somewhat depends on what components consume the DT.
> > If the DT is only ever going to be consumed by OP-TEE, then using
> > /chosen is probably fine. However, if say TF-A and OP-TEE use the same
> > DT, then you have 2 components to configure.
>
> In our use case, TF-A will generate the DT, and the DT will only be
> consumed by OP-TEE. The Linux kernel should not see this data for
> security reasons; I'm still not sure whether it is a good idea to put the bindings
> in the Linux source tree.
>
> >
> > > We would like to have our bindings reviewed by a device tree
> > > maintainer to ensure that they are correct. We would also like to get
> > > your feedback on the best way to document these bindings.
> > >
> > > Thank you for your time and consultation.
> > >
> > > Sincerely,
> > > Yi
> > >
> > > [1]: https://github.com/OP-TEE/optee_os
> > > [2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442
> >
> > I don't see any bindings here. Am I supposed to study the code to
> > figure out the binding? Please write a binding doc/schema if you want
> > it reviewed.
> >
> > Rob
> >
> > [1] https://github.com/devicetree-org/dt-schema/blob/main/dtschema/schemas/options.yaml
>
> Here is the patch of the binding, but I'm still not sure where the
> correct place to put the binding is.
>
> From 2b828cc3c5aad0ff2c5bc2baea874d3a3fe8f1c3 Mon Sep 17 00:00:00 2001
> From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Date: Wed, 14 Jun 2023 14:49:46 +0800
> Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
>
> The necessary fields to initialize the widevine related functions in OP-TEE.
>
> Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> ---
>  .../bindings/chosen/google,widevine.yaml      | 61 +++++++++++++++++++
>  1 file changed, 61 insertions(+)
>  create mode 100644
> Documentation/devicetree/bindings/chosen/google,widevine.yaml
>
> diff --git a/Documentation/devicetree/bindings/chosen/google,widevine.yaml
> b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
> new file mode 100644
> index 0000000000000..2fc16b1a1fcc4
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
> @@ -0,0 +1,61 @@
> +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> +%YAML 1.2
> +---
> +$id: http://devicetree.org/schemas/chosen/google,widevine.yaml#
> +$schema: http://devicetree.org/meta-schemas/core.yaml#
> +
> +title: Google Widevine initialize parameters.
> +
> +maintainers:
> +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +
> +description:
> +  The necessary fields to initialize the widevine related functions in
> +  OP-TEE. This node does not represent a real device, but serves as a
> +  place for passing data between firmware and OP-TEE.
> +
> +properties:
> +  compatible:
> +    const: google,widevine
> +
> +  huk:
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The encryption key of the Widevine OP-TEE storage.
> +
> +  tpm-auth-pk:
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> +
> +  widevine-dice:
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The Widevine boot certificate chain(Device Identifier Composition
> +      Engine) of this device. Used to provision the device status with
> +      the Widevine server in OP-TEE.
> +
> +  widevine-ta-key:
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The Widevine private key corresponding to the widevine-dice.
> +      Used to signing the widevine request in OP-TEE.
> +
> +required:
> +  - compatible
> +
> +additionalProperties: false
> +
> +examples:
> +  - |+
> +    chosen {
> +      widevine: {
> +        compatible = "google,widevine";
> +
> +        huk = [00 de ad be af aa bb cc],
> +        tpm-auth-pk = [00 de ad be af aa bb cc],
> +        widevine-dice = [00 de ad be af aa bb cc],
> +        widevine-ta-key = [00 de ad be af aa bb cc],
> +      };
> +    };
> --
> 2.39.2

The binding looks OK to me, but I'm not sure about using /chosen since
that is intended for the OS.

Perhaps we could use /options instead?

Regards,
Simon


* Re: Device tree usage in TF-A & OP-Tee consultation
From: Rob Herring @ 2023-07-07 20:35 UTC (permalink / raw)
  To: Julius Werner
  Cc: Simon Glass, Yi Chou, devicetree-spec-u79uwXL29TY76Z2rM5mHXA,
	Jeffrey Kardatzke, Jens Wiklander, Yi Chou, Yi-An Chen

On Tue, Jun 20, 2023 at 1:11 PM Julius Werner <jwerner-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Wouldn't something like /firmware/widevine make most sense for this? It seems similar in nature to what other bindings in /firmware already do.

/firmware is generally consumed by the OS containing providers
implemented by firmware.

>
> On Tue, Jun 20, 2023, 9:50 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>>
>> Hi Yi,
>>
>> On Wed, 14 Jun 2023 at 08:52, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>> >
>> > Hi,
>> >
>> > On Tue, Jun 13, 2023 at 10:38 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>> > >
>> > > On Mon, Jun 12, 2023 at 10:29 PM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>> > > >
>> > > > Hi, Linux device tree maintainers,
>> > >
>> > > devicetree-spec is not Linux specific.
>> > >
>> > > > I am writing to you today to request a review of some custom device
>> > > > tree bindings that we have developed. These bindings are not used by
>> > > > the Linux kernel, but they are used by OP-TEE[1], a secure execution
>> > > > environment for embedded systems.
>> > > >
>> > > > We have placed these bindings under the "chosen" node in the device
>> > > > tree, as suggested by Jeffrey Kardatzke.[2]
>> > > > The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
>> > > > widevine-dice, widevine-ta-key}".
>> > >
>> > > I would advise against using /chosen as it is pretty much geared to be
>> > > consumed by a single client (typically "the OS"). Instead, /options
>> > > node[1] may be a better option which is what we did for u-boot
>> > > configuration. It somewhat depends on what components consume the DT.
>> > > If the DT is only ever going to be consumed by OP-TEE, then using
>> > > /chosen is probably fine. However, if say TF-A and OP-TEE use the same
>> > > DT, then you have 2 components to configure.
>> >
>> > In our use case, TF-A will generate the DT, and the DT will only be
>> > consumed by OP-TEE. The Linux kernel should not see this data for
>> > security reasons; I'm still not sure whether it is a good idea to put the bindings
>> > in the Linux source tree.
>> >
>> > >
>> > > > We would like to have our bindings reviewed by a device tree
>> > > > maintainer to ensure that they are correct. We would also like to get
>> > > > your feedback on the best way to document these bindings.
>> > > >
>> > > > Thank you for your time and consultation.
>> > > >
>> > > > Sincerely,
>> > > > Yi
>> > > >
>> > > > [1]: https://github.com/OP-TEE/optee_os
>> > > > [2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442
>> > >
>> > > I don't see any bindings here. Am I supposed to study the code to
>> > > figure out the binding? Please write a binding doc/schema if you want
>> > > it reviewed.
>> > >
>> > > Rob
>> > >
>> > > [1] https://github.com/devicetree-org/dt-schema/blob/main/dtschema/schemas/options.yaml
>> >
>> > Here is the patch of the binding, but I'm still not sure where the
>> > correct place to put the binding is.
>> >
>> > From 2b828cc3c5aad0ff2c5bc2baea874d3a3fe8f1c3 Mon Sep 17 00:00:00 2001
>> > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
>> > Date: Wed, 14 Jun 2023 14:49:46 +0800
>> > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
>> >
>> > The necessary fields to initialize the widevine related functions in OP-TEE.
>> >
>> > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
>> > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
>> > ---
>> >  .../bindings/chosen/google,widevine.yaml      | 61 +++++++++++++++++++
>> >  1 file changed, 61 insertions(+)
>> >  create mode 100644
>> > Documentation/devicetree/bindings/chosen/google,widevine.yaml
>> >
>> > diff --git a/Documentation/devicetree/bindings/chosen/google,widevine.yaml
>> > b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
>> > new file mode 100644
>> > index 0000000000000..2fc16b1a1fcc4
>> > --- /dev/null
>> > +++ b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
>> > @@ -0,0 +1,61 @@
>> > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
>> > +%YAML 1.2
>> > +---
>> > +$id: http://devicetree.org/schemas/chosen/google,widevine.yaml#
>> > +$schema: http://devicetree.org/meta-schemas/core.yaml#
>> > +
>> > +title: Google Widevine initialize parameters.
>> > +
>> > +maintainers:
>> > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
>> > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
>> > +
>> > +description:
>> > +  The necessary fields to initialize the widevine related functions in
>> > +  OP-TEE. This node does not represent a real device, but serves as a
>> > +  place for passing data between firmware and OP-TEE.
>> > +
>> > +properties:
>> > +  compatible:
>> > +    const: google,widevine
>> > +
>> > +  huk:
>> > +    $ref: /schemas/types.yaml#/definitions/string
>> > +    description:
>> > +      The encryption key of the Widevine OP-TEE storage.
>> > +
>> > +  tpm-auth-pk:
>> > +    $ref: /schemas/types.yaml#/definitions/string
>> > +    description:
>> > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
>> > +
>> > +  widevine-dice:
>> > +    $ref: /schemas/types.yaml#/definitions/string
>> > +    description:
>> > +      The Widevine boot certificate chain(Device Identifier Composition
>> > +      Engine) of this device. Used to provision the device status with
>> > +      the Widevine server in OP-TEE.
>> > +
>> > +  widevine-ta-key:
>> > +    $ref: /schemas/types.yaml#/definitions/string
>> > +    description:
>> > +      The Widevine private key corresponding to the widevine-dice.
>> > +      Used to signing the widevine request in OP-TEE.
>> > +
>> > +required:
>> > +  - compatible
>> > +
>> > +additionalProperties: false
>> > +
>> > +examples:
>> > +  - |+
>> > +    chosen {
>> > +      widevine: {
>> > +        compatible = "google,widevine";
>> > +
>> > +        huk = [00 de ad be af aa bb cc],
>> > +        tpm-auth-pk = [00 de ad be af aa bb cc],
>> > +        widevine-dice = [00 de ad be af aa bb cc],
>> > +        widevine-ta-key = [00 de ad be af aa bb cc],
>> > +      };
>> > +    };
>> > --
>> > 2.39.2
>>
>> The binding looks OK to me, but I'm not sure about using /chosen since
>> that is intended for the OS.
>>
>> Perhaps we could use /options instead?
>>
>> Regards,
>> Simon


* Re: Device tree usage in TF-A & OP-Tee consultation
From: Yi Chou @ 2023-07-24 10:02 UTC (permalink / raw)
  To: Simon Glass
  Cc: Julius Werner, devicetree-spec-u79uwXL29TY76Z2rM5mHXA,
	Jeffrey Kardatzke, Jens Wiklander, Yi Chou, Yi-An Chen,
	Rob Herring

Sorry for the late reply; this is the new version, which moves the
bindings to the /options node.

From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Date: Wed, 14 Jun 2023 14:49:46 +0800
Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters

The necessary fields to initialize the widevine related functions in
OP-TEE.

Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
---
 .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644
Documentation/devicetree/bindings/options/google,widevine.yaml

diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
b/Documentation/devicetree/bindings/options/google,widevine.yaml
new file mode 100644
index 0000000000000..acfc96d162c88
--- /dev/null
+++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/options/google,widevine.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Google Widevine initialize parameters.
+
+maintainers:
+  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+
+description:
+  The necessary fields to initialize the widevine related functions in
+  OP-TEE. This node does not represent a real device, but serves as a
+  place for passing data between firmware and OP-TEE.
+
+properties:
+  compatible:
+    const: google,widevine
+
+  huk:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The encryption key of the Widevine OP-TEE storage.
+
+  tpm-auth-pk:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The TPM auth public key. Used to communicate the TPM from OP-TEE.
+
+  widevine-dice:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The Widevine boot certificate chain(Device Identifier Composition
+      Engine) of this device. Used to provision the device status with
+      the Widevine server in OP-TEE.
+
+  widevine-ta-key:
+    $ref: /schemas/types.yaml#/definitions/string
+    description:
+      The Widevine private key corresponding to the widevine-dice.
+      Used to signing the widevine request in OP-TEE.
+
+required:
+  - compatible
+
+additionalProperties: false
+
+examples:
+  - |+
+    options {
+      widevine: {
+        compatible = "google,widevine";
+
+        huk = [00 de ad be af aa bb cc],
+        tpm-auth-pk = [00 de ad be af aa bb cc],
+        widevine-dice = [00 de ad be af aa bb cc],
+        widevine-ta-key = [00 de ad be af aa bb cc],
+      };
+    };
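Review bot: the description still says only that the node is "a place for passing data between firmware and OP-TEE", although `huk` is a storage encryption key and `widevine-ta-key` a private signing key, and the thread states that the DT carrying them is generated by TF-A for OP-TEE alone and must not be visible to the kernel. State that in the description (for example: "This node carries secret key material; firmware must not include it in the device tree passed to the normal-world OS") so that a board author does not copy the node into the OS DT. The patch header is unchanged apart from the path: the subject still reads `[PATCH]` and the Date and Change-Id are those of the 14 June post, so mark it `[PATCH v2]` and list the /chosen to /options move below the `---` line. The example at the end of the hunk also still has `widevine: {` (a label with no node name) and `,` terminators, so it will not compile, and the four data properties are still typed `string` while the example assigns byte arrays; `uint8-array` is the matching type.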
--
2.39.2

Sincerely,
Yi

On Sat, Jul 8, 2023 at 4:35 AM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>
> On Tue, Jun 20, 2023 at 1:11 PM Julius Werner <jwerner@chromium.org> wrote:
> >
> > Wouldn't something like /firmware/widevine make most sense for this? It seems similar in nature to what other bindings in /firmware already do.
>
> /firmware is generally consumed by the OS containing providers
> implemented by firmware.
>
> >
> > On Tue, Jun 20, 2023, 9:50 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >>
> >> Hi Yi,
> >>
> >> On Wed, 14 Jun 2023 at 08:52, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >> >
> >> > Hi,
> >> >
> >> > On Tue, Jun 13, 2023 at 10:38 PM Rob Herring <robh-DgEjT+Ai2yhQFI55V6+gNQ@public.gmane.orgg> wrote:
> >> > >
> >> > > On Mon, Jun 12, 2023 at 10:29 PM Yi Chou <yich-F7+t8E8rja8pug/h7KTFAQ@public.gmane.orgg> wrote:
> >> > > >
> >> > > > Hi, Linux device tree maintainers,
> >> > >
> >> > > devicetree-spec is not Linux specific.
> >> > >
> >> > > > I am writing to you today to request a review of some custom device
> >> > > > tree bindings that we have developed. These bindings are not used by
> >> > > > the Linux kernel, but they are used by OP-TEE[1], a secure execution
> >> > > > environment for embedded systems.
> >> > > >
> >> > > > We have placed these bindings under the "chosen" node in the device
> >> > > > tree, as suggested by Jeffrey Kardatzke.[2]
> >> > > > The full bindings path would be "chosen/widevine/{tpm-auth-pk, huk,
> >> > > > widevine-dice, widevine-ta-key}".
> >> > >
> >> > > I would advise against using /chosen as it is pretty much geared to be
> >> > > consumed by a single client (typically "the OS"). Instead, /options
> >> > > node[1] may be a better option which is what we did for u-boot
> >> > > configuration. It somewhat depends on what components consume the DT.
> >> > > If the DT is only ever going to be consumed by OP-TEE, then using
> >> > > /chosen is probably fine. However, if say TF-A and OP-TEE use the same
> >> > > DT, then you have 2 components to configure.
> >> >
> >> > In our use case, TF-A will generate the DT, and the DT will only be
> >> > consumed by OP-TEE. The Linux kernel should not see this data for
> >> > security reasons; I'm still not sure whether it is a good idea to put the bindings
> >> > in the Linux source tree.
> >> >
> >> > >
> >> > > > We would like to have our bindings reviewed by a device tree
> >> > > > maintainer to ensure that they are correct. We would also like to get
> >> > > > your feedback on the best way to document these bindings.
> >> > > >
> >> > > > Thank you for your time and consultation.
> >> > > >
> >> > > > Sincerely,
> >> > > > Yi
> >> > > >
> >> > > > [1]: https://github.com/OP-TEE/optee_os
> >> > > > [2]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20442
> >> > >
> >> > > I don't see any bindings here. Am I supposed to study the code to
> >> > > figure out the binding? Please write a binding doc/schema if you want
> >> > > it reviewed.
> >> > >
> >> > > Rob
> >> > >
> >> > > [1] https://github.com/devicetree-org/dt-schema/blob/main/dtschema/schemas/options.yaml
> >> >
> >> > Here is the patch of the binding, but I'm still not sure where the
> >> > correct place to put the binding is.
> >> >
> >> > From 2b828cc3c5aad0ff2c5bc2baea874d3a3fe8f1c3 Mon Sep 17 00:00:00 2001
> >> > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> >> > Date: Wed, 14 Jun 2023 14:49:46 +0800
> >> > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> >> >
> >> > The necessary fields to initialize the widevine related functions in OP-TEE.
> >> >
> >> > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> >> > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> >> > ---
> >> >  .../bindings/chosen/google,widevine.yaml      | 61 +++++++++++++++++++
> >> >  1 file changed, 61 insertions(+)
> >> >  create mode 100644
> >> > Documentation/devicetree/bindings/chosen/google,widevine.yaml
> >> >
> >> > diff --git a/Documentation/devicetree/bindings/chosen/google,widevine.yaml
> >> > b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
> >> > new file mode 100644
> >> > index 0000000000000..2fc16b1a1fcc4
> >> > --- /dev/null
> >> > +++ b/Documentation/devicetree/bindings/chosen/google,widevine.yaml
> >> > @@ -0,0 +1,61 @@
> >> > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> >> > +%YAML 1.2
> >> > +---
> >> > +$id: http://devicetree.org/schemas/chosen/google,widevine.yaml#
> >> > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> >> > +
> >> > +title: Google Widevine initialize parameters.
> >> > +
> >> > +maintainers:
> >> > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> >> > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> >> > +
> >> > +description:
> >> > +  The necessary fields to initialize the widevine related functions in
> >> > +  OP-TEE. This node does not represent a real device, but serves as a
> >> > +  place for passing data between firmware and OP-TEE.
> >> > +
> >> > +properties:
> >> > +  compatible:
> >> > +    const: google,widevine
> >> > +
> >> > +  huk:
> >> > +    $ref: /schemas/types.yaml#/definitions/string
> >> > +    description:
> >> > +      The encryption key of the Widevine OP-TEE storage.
> >> > +
> >> > +  tpm-auth-pk:
> >> > +    $ref: /schemas/types.yaml#/definitions/string
> >> > +    description:
> >> > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> >> > +
> >> > +  widevine-dice:
> >> > +    $ref: /schemas/types.yaml#/definitions/string
> >> > +    description:
> >> > +      The Widevine boot certificate chain(Device Identifier Composition
> >> > +      Engine) of this device. Used to provision the device status with
> >> > +      the Widevine server in OP-TEE.
> >> > +
> >> > +  widevine-ta-key:
> >> > +    $ref: /schemas/types.yaml#/definitions/string
> >> > +    description:
> >> > +      The Widevine private key corresponding to the widevine-dice.
> >> > +      Used to signing the widevine request in OP-TEE.
> >> > +
> >> > +required:
> >> > +  - compatible
> >> > +
> >> > +additionalProperties: false
> >> > +
> >> > +examples:
> >> > +  - |+
> >> > +    chosen {
> >> > +      widevine: {
> >> > +        compatible = "google,widevine";
> >> > +
> >> > +        huk = [00 de ad be af aa bb cc],
> >> > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> >> > +        widevine-dice = [00 de ad be af aa bb cc],
> >> > +        widevine-ta-key = [00 de ad be af aa bb cc],
> >> > +      };
> >> > +    };
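
Review bot: every property in this hunk is typed `$ref: /schemas/types.yaml#/definitions/string`, but the example assigns bytestrings (`huk = [00 de ad be af aa bb cc]`) and the descriptions say these values are keys and a certificate chain, i.e. binary blobs, so the schema contradicts its own example; declare them as `uint8-array` and give each description the encoding and the expected length. The example DTS would also not compile: `widevine: {` is a label with no node name (it needs `widevine {`), and properties must end in `;`, not `,`, so `make dt_binding_check` cannot have been run on this file. Finally, since `huk` is a storage encryption key and `widevine-ta-key` is a private signing key, the description should say explicitly that this node carries secrets and belongs only in the DT consumed by OP-TEE, never in the one passed to the OS, which is the constraint the cover text above states.
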
> >> > --
> >> > 2.39.2
> >>
> >> The binding looks OK to me, but I'm not sure about using /chosen since
> >> that is intended for the OS.
> >>
> >> Perhaps we could use /options instead?
> >>
> >> Regards,
> >> Simon


* Re: Device tree usage in TF-A & OP-Tee consultation
@ 2023-07-25 14:51                       ` Simon Glass
From: Simon Glass @ 2023-07-25 14:51 UTC (permalink / raw)
  To: Yi Chou
  Cc: Julius Werner, devicetree-spec-u79uwXL29TY76Z2rM5mHXA,
	Jeffrey Kardatzke, Jens Wiklander, Yi Chou, Yi-An Chen,
	Rob Herring

On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Sorry for the late reply. This is the new version that moved the
> bindings to the /options node.
>
> From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Date: Wed, 14 Jun 2023 14:49:46 +0800
> Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
>
> The necessary fields to initialize the widevine related functions in
> OP-TEE.
>
> Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> ---
>  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
>  1 file changed, 61 insertions(+)
>  create mode 100644
> Documentation/devicetree/bindings/options/google,widevine.yaml
>
> diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> b/Documentation/devicetree/bindings/options/google,widevine.yaml
> new file mode 100644
> index 0000000000000..acfc96d162c88
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> @@ -0,0 +1,61 @@
> +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> +%YAML 1.2
> +---
> +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> +$schema: http://devicetree.org/meta-schemas/core.yaml#
> +
> +title: Google Widevine initialize parameters.
> +
> +maintainers:
> +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +
> +description:
> +  The necessary fields to initialize the widevine related functions in
> +  OP-TEE. This node does not represent a real device, but serves as a
> +  place for passing data between firmware and OP-TEE.
> +
> +properties:
> +  compatible:
> +    const: google,widevine
> +
> +  huk:
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The encryption key of the Widevine OP-TEE storage.
> +
> +  tpm-auth-pk:
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The TPM auth public key. Used to communicate the TPM from OP-TEE.

Can you add more details about this key? What format is it in? How is
it created?

> +
> +  widevine-dice:

We should avoid the 'widevine-' prefix since it is already this node.

I don't know what the words mean in the description, so I cannot offer
a better idea.

> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The Widevine boot certificate chain(Device Identifier Composition
> +      Engine) of this device. Used to provision the device status with
> +      the Widevine server in OP-TEE.

Ditto

> +
> +  widevine-ta-key:

As above
> +    $ref: /schemas/types.yaml#/definitions/string
> +    description:
> +      The Widevine private key corresponding to the widevine-dice.
> +      Used to signing the widevine request in OP-TEE.

Again, more details please

> +
> +required:
> +  - compatible
> +
> +additionalProperties: false
> +
> +examples:
> +  - |+
> +    options {
> +      widevine: {
> +        compatible = "google,widevine";
> +
> +        huk = [00 de ad be af aa bb cc],
> +        tpm-auth-pk = [00 de ad be af aa bb cc],
> +        widevine-dice = [00 de ad be af aa bb cc],
> +        widevine-ta-key = [00 de ad be af aa bb cc],
> +      };
> +    };
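
Review bot: with `required:` listing only `compatible`, a `google,widevine` node carrying none of `huk`, `tpm-auth-pk`, `widevine-dice` or `widevine-ta-key` validates, yet the description says these are the fields OP-TEE needs to initialize; either list the ones OP-TEE cannot start without, or document the behaviour when each is absent. The descriptions also need the facts a consumer must know to parse the values: the format of `tpm-auth-pk` and how it is created, the encoding of the DICE certificate chain, and which key type `widevine-ta-key` is; as written the `string` type contradicts the bytestring example, and `uint8-array` with a stated size would fit. Unchanged from the previous version, the example is not valid DTS (`widevine: {` lacks a node name; properties end in `;`, not `,`), and the description should state that `huk` and `widevine-ta-key` are secrets intended only for the DT OP-TEE consumes and must not be present in the DT passed to the OS.
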
> --
> 2.39.2
>

[..]

Regards,
Simon


* Re: Device tree usage in TF-A & OP-Tee consultation
@ 2023-07-25 16:37                           ` Rob Herring
From: Rob Herring @ 2023-07-25 16:37 UTC (permalink / raw)
  To: Simon Glass, Yi Chou
  Cc: Julius Werner, devicetree-spec-u79uwXL29TY76Z2rM5mHXA,
	Jeffrey Kardatzke, Jens Wiklander, Yi Chou, Yi-An Chen

On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > Sorry for the late reply. This is the new version that moved the
> > bindings to the /options node.
> >
> > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> >
> > The necessary fields to initialize the widevine related functions in
> > OP-TEE.
> >
> > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > ---
> >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> >  1 file changed, 61 insertions(+)
> >  create mode 100644
> > Documentation/devicetree/bindings/options/google,widevine.yaml
> >
> > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > new file mode 100644
> > index 0000000000000..acfc96d162c88
> > --- /dev/null
> > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > @@ -0,0 +1,61 @@
> > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > +%YAML 1.2
> > +---
> > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > +
> > +title: Google Widevine initialize parameters.
> > +
> > +maintainers:
> > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +
> > +description:
> > +  The necessary fields to initialize the widevine related functions in
> > +  OP-TEE. This node does not represent a real device, but serves as a
> > +  place for passing data between firmware and OP-TEE.
> > +
> > +properties:
> > +  compatible:
> > +    const: google,widevine
> > +
> > +  huk:
> > +    $ref: /schemas/types.yaml#/definitions/string
> > +    description:
> > +      The encryption key of the Widevine OP-TEE storage.
> > +
> > +  tpm-auth-pk:
> > +    $ref: /schemas/types.yaml#/definitions/string
> > +    description:
> > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
>
> Can you add more details about this key? What format is it in? How is
> it created?
>
> > +
> > +  widevine-dice:
>
> We should avoid the 'widevine-' prefix since it is already this node.

Yes, but then 'dice' is pretty vague. It is preferred that property
names are unique enough to only have 1 type globally (at least within
a defined size). This allows using the schemas to decode DT data.

>
> I don't know what the words mean in the description, so I cannot offer
> a better idea.
>
> > +    $ref: /schemas/types.yaml#/definitions/string
> > +    description:
> > +      The Widevine boot certificate chain(Device Identifier Composition
> > +      Engine) of this device. Used to provision the device status with
> > +      the Widevine server in OP-TEE.
>
> Ditto
>
> > +
> > +  widevine-ta-key:
>
> As above
> > +    $ref: /schemas/types.yaml#/definitions/string
> > +    description:
> > +      The Widevine private key corresponding to the widevine-dice.
> > +      Used to signing the widevine request in OP-TEE.
>
> Again, more details please
>
> > +
> > +required:
> > +  - compatible

What's the point of this binding if none of the other properties are required?

> > +
> > +additionalProperties: false
> > +
> > +examples:
> > +  - |+
> > +    options {
> > +      widevine: {
> > +        compatible = "google,widevine";
> > +
> > +        huk = [00 de ad be af aa bb cc],
> > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > +        widevine-dice = [00 de ad be af aa bb cc],
> > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > +      };
> > +    };
> > --
> > 2.39.2
> >
>
> [..]
>
> Regards,
> Simon


* Re: Device tree usage in TF-A & OP-Tee consultation
@ 2023-08-08  8:08                               ` Yi Chou
From: Yi Chou @ 2023-08-08  8:08 UTC (permalink / raw)
  To: Rob Herring
  Cc: Simon Glass, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>
> On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > >
> > > Sorry for the late reply. This is the new version that moved the
> > > bindings to the /options node.
> > >
> > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > >
> > > The necessary fields to initialize the widevine related functions in
> > > OP-TEE.
> > >
> > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > ---
> > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > >  1 file changed, 61 insertions(+)
> > >  create mode 100644
> > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > >
> > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > new file mode 100644
> > > index 0000000000000..acfc96d162c88
> > > --- /dev/null
> > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > @@ -0,0 +1,61 @@
> > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > +%YAML 1.2
> > > +---
> > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > +
> > > +title: Google Widevine initialize parameters.
> > > +
> > > +maintainers:
> > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > +
> > > +description:
> > > +  The necessary fields to initialize the widevine related functions in
> > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > +  place for passing data between firmware and OP-TEE.
> > > +
> > > +properties:
> > > +  compatible:
> > > +    const: google,widevine
> > > +
> > > +  huk:
> > > +    $ref: /schemas/types.yaml#/definitions/string
> > > +    description:
> > > +      The encryption key of the Widevine OP-TEE storage.
> > > +
> > > +  tpm-auth-pk:
> > > +    $ref: /schemas/types.yaml#/definitions/string
> > > +    description:
> > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> >
> > Can you add more details about this key? What format is it in? How is
> > it created?
> >
> > > +
> > > +  widevine-dice:
> >
> > We should avoid the 'widevine-' prefix since it is already this node.
>
> Yes, but then 'dice' is pretty vague. It is preferred that property
> names are unique enough to only have 1 type globally (at least within
> a defined size). This allows using the schemas to decode DT data.
>
> >
> > I don't know what the words mean in the description, so I cannot offer
> > a better idea.
> >
> > > +    $ref: /schemas/types.yaml#/definitions/string
> > > +    description:
> > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > +      Engine) of this device. Used to provision the device status with
> > > +      the Widevine server in OP-TEE.
> >
> > Ditto
> >
> > > +
> > > +  widevine-ta-key:
> >
> > As above
> > > +    $ref: /schemas/types.yaml#/definitions/string
> > > +    description:
> > > +      The Widevine private key corresponding to the widevine-dice.
> > > +      Used to signing the widevine request in OP-TEE.
> >
> > Again, more details please
> >
> > > +
> > > +required:
> > > +  - compatible
>
> What's the point of this binding if none of the other properties are required?
>
> > > +
> > > +additionalProperties: false
> > > +
> > > +examples:
> > > +  - |+
> > > +    options {
> > > +      widevine: {
> > > +        compatible = "google,widevine";
> > > +
> > > +        huk = [00 de ad be af aa bb cc],
> > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > +      };
> > > +    };
> > > --
> > > 2.39.2
> > >
> >
> > [..]
> >
> > Regards,
> > Simon

Sorry for the late reply.
We changed the internal format of the "widevine-dice" from COSE to
X.509 recently.
And here is the new patch with the corresponding changes.

From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Date: Wed, 14 Jun 2023 14:49:46 +0800
Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters

The necessary fields to initialize the widevine related functions in
OP-TEE.

Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
---
.../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
1 file changed, 63 insertions(+)
create mode 100644
Documentation/devicetree/bindings/options/google,widevine.yaml

diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
b/Documentation/devicetree/bindings/options/google,widevine.yaml
new file mode 100644
index 0000000000000..874f62598b087
--- /dev/null
+++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
@@ -0,0 +1,63 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/options/google,widevine.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Google Widevine initialize parameters.
+
+maintainers:
+ - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+ - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+
+description:
+ The necessary fields to initialize the widevine related functions in
+ OP-TEE. This node does not represent a real device, but serves as a
+ place for passing data between firmware and OP-TEE.
+
+properties:
+ compatible:
+ const: google,widevine
+
+ huk:
+ $ref: /schemas/types.yaml#/definitions/string
+ description:
+ The encryption key of the Widevine OP-TEE storage. The length
+ should be 32 bytes.
+
+ tpm-auth-pk:
+ $ref: /schemas/types.yaml#/definitions/string
+ description:
+ The TPM auth public key. Used to communicate the TPM from OP-TEE.
+ The format of data should be TPM2B_PUBLIC.
+
+ rot:
+ $ref: /schemas/types.yaml#/definitions/string
+ description:
+ The Widevine root of trust secret. Used to signing the widevine
+ request in OP-TEE. The length should be 32 bytes.
+
+ rot-cert:
+ $ref: /schemas/types.yaml#/definitions/string
+ description:
+ The X.509 certificate of the Widevine root of trust on this
+ device. Used to provision the device status with the Widevine
+ server in OP-TEE.
+
+required:
+ - compatible
+ - huk
+ - rot
+
+additionalProperties: false
+
+examples:
+ - |+
+ options {
+ widevine: {
+ compatible = "google,widevine";
+
+ huk = [00 de ad be af aa bb cc],
+ rot = [00 de ad be af aa bb cc],
+ };
+ };
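
Review bot: `huk` and `rot` are described as 32-byte secrets and shown as bytestrings, yet the schema still declares them `$ref: /schemas/types.yaml#/definitions/string`; declare them as `uint8-array` with `minItems: 32` and `maxItems: 32` so the tooling enforces the stated length, at which point the example's 8-byte `[00 de ad be af aa bb cc]` values fail validation, which is the point (the example should carry 32 bytes). The same applies to `tpm-auth-pk`, now documented as a TPM2B_PUBLIC structure, i.e. binary, and `rot-cert` should say whether the X.509 certificate is DER (bytes) or PEM (a string). `huk` and `rot` are also generic names that another binding could reuse with a different type, which works against the global-uniqueness point raised earlier in the thread; a vendor-qualified name such as `google,widevine-huk` would keep them unique. The example DTS is still invalid (`widevine: {` needs a node name and properties end in `;`), and the file as posted has lost its indentation, so it does not parse as the intended schema; run `make dt_binding_check` on it before the next revision. Since `rot` is a root-of-trust signing secret and `huk` a storage key, the description should state that this node is for the OP-TEE-only DT and must be stripped from the DT handed to the OS.
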


* Re: Device tree usage in TF-A & OP-Tee consultation
@ 2023-08-09 14:58                                   ` Rob Herring
From: Rob Herring @ 2023-08-09 14:58 UTC (permalink / raw)
  To: Yi Chou
  Cc: Simon Glass, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

On Tue, Aug 8, 2023 at 2:08 AM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> >
> > On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > >
> > > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > >
> > > > Sorry for the late reply. This is the new version that moved the
> > > > bindings to the /options node.
> > > >
> > > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > >
> > > > The necessary fields to initialize the widevine related functions in
> > > > OP-TEE.
> > > >
> > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > ---
> > > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > > >  1 file changed, 61 insertions(+)
> > > >  create mode 100644
> > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > >
> > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > new file mode 100644
> > > > index 0000000000000..acfc96d162c88
> > > > --- /dev/null
> > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > @@ -0,0 +1,61 @@
> > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > +%YAML 1.2
> > > > +---
> > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > +
> > > > +title: Google Widevine initialize parameters.
> > > > +
> > > > +maintainers:
> > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > +
> > > > +description:
> > > > +  The necessary fields to initialize the widevine related functions in
> > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > +  place for passing data between firmware and OP-TEE.
> > > > +
> > > > +properties:
> > > > +  compatible:
> > > > +    const: google,widevine
> > > > +
> > > > +  huk:
> > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > +    description:
> > > > +      The encryption key of the Widevine OP-TEE storage.
> > > > +
> > > > +  tpm-auth-pk:
> > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > +    description:
> > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > >
> > > Can you add more details about this key? What format is it in? How is
> > > it created?
> > >
> > > > +
> > > > +  widevine-dice:
> > >
> > > We should avoid the 'widevine-' prefix since it is already this node.
> >
> > Yes, but then 'dice' is pretty vague. It is preferred that property
> > names are unique enough to only have 1 type globally (at least within
> > a defined size). This allows using the schemas to decode DT data.
> >
> > >
> > > I don't know what the words mean in the description, so I cannot offer
> > > a better idea.
> > >
> > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > +    description:
> > > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > > +      Engine) of this device. Used to provision the device status with
> > > > +      the Widevine server in OP-TEE.
> > >
> > > Ditto
> > >
> > > > +
> > > > +  widevine-ta-key:
> > >
> > > As above
> > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > +    description:
> > > > +      The Widevine private key corresponding to the widevine-dice.
> > > > +      Used to signing the widevine request in OP-TEE.
> > >
> > > Again, more details please
> > >
> > > > +
> > > > +required:
> > > > +  - compatible
> >
> > What's the point of this binding if none of the other properties are required?
> >
> > > > +
> > > > +additionalProperties: false
> > > > +
> > > > +examples:
> > > > +  - |+
> > > > +    options {
> > > > +      widevine: {
> > > > +        compatible = "google,widevine";
> > > > +
> > > > +        huk = [00 de ad be af aa bb cc],
> > > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > > +      };
> > > > +    };
> > > > --
> > > > 2.39.2
> > > >
> > >
> > > [..]
> > >
> > > Regards,
> > > Simon
>
> Sorry for the late reply.
> We changed the internal format of the "widevine-dice" from COSE to
> X.509 recently.
> And here is the new patch with the corresponding changes.
>
> From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
> From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Date: Wed, 14 Jun 2023 14:49:46 +0800
> Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
>
> The necessary fields to initialize the widevine related functions in
> OP-TEE.
>
> Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> ---
> .../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
> 1 file changed, 63 insertions(+)
> create mode 100644
> Documentation/devicetree/bindings/options/google,widevine.yaml
>
> diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> b/Documentation/devicetree/bindings/options/google,widevine.yaml
> new file mode 100644
> index 0000000000000..874f62598b087
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> @@ -0,0 +1,63 @@
> +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> +%YAML 1.2
> +---
> +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> +$schema: http://devicetree.org/meta-schemas/core.yaml#
> +
> +title: Google Widevine initialize parameters.
> +
> +maintainers:
> + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +
> +description:
> + The necessary fields to initialize the widevine related functions in
> + OP-TEE. This node does not represent a real device, but serves as a
> + place for passing data between firmware and OP-TEE.
> +
> +properties:
> + compatible:
> + const: google,widevine

This isn't valid json-schema as the indentation is wrong. Please test
your schema with the tools.

> +
> + huk:

As mentioned previously, this is too vague.

> + $ref: /schemas/types.yaml#/definitions/string

Doesn't look like a string from the example.

> + description:
> + The encryption key of the Widevine OP-TEE storage. The length
> + should be 32 bytes.

Your example is 8 bytes.

> +
> + tpm-auth-pk:
> + $ref: /schemas/types.yaml#/definitions/string
> + description:
> + The TPM auth public key. Used to communicate the TPM from OP-TEE.
> + The format of data should be TPM2B_PUBLIC.
> +
> + rot:
> + $ref: /schemas/types.yaml#/definitions/string
> + description:
> + The Widevine root of trust secret. Used to signing the widevine
> + request in OP-TEE. The length should be 32 bytes.
> +
> + rot-cert:
> + $ref: /schemas/types.yaml#/definitions/string
> + description:
> + The X.509 certificate of the Widevine root of trust on this
> + device. Used to provision the device status with the Widevine
> + server in OP-TEE.
> +
> +required:
> + - compatible
> + - huk
> + - rot
> +
> +additionalProperties: false
> +
> +examples:
> + - |+
> + options {
> + widevine: {
> + compatible = "google,widevine";
> +
> + huk = [00 de ad be af aa bb cc],
> + rot = [00 de ad be af aa bb cc],
> + };
> + };
> --
> 2.39.2
>
> Sincerely,
> Yi
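
The type and length mismatches Rob points out above are the kind of thing a consumer-side check can catch before a DTB ships. The following is an added example, not code from the thread or from OP-TEE/TF-A: a stdlib-only DTB decoder plus a checker for the `/options/widevine` node that enforces the v3 binding's stated constraints (compatible string, 32-byte `huk` and `rot`, no properties outside the schema) and, for the DT handed to the OS, that the node is absent, as the thread requires. The node path, property names and sizes are taken from the patch; `build_dtb()` exists only to build a constructed sample offline, and the all-zero 32-byte keys are placeholders.

```python
"""Added example, not code from the thread or from OP-TEE/TF-A: decode a DTB with
the standard library and check /options/widevine against the v3 binding text
(compatible, 32-byte huk/rot, no extra properties) and the thread's requirement
that the OS-facing DT never carries the node. Path, names, sizes: from the patch."""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
ALLOWED = {"compatible", "huk", "tpm-auth-pk", "rot", "rot-cert"}  # schema properties
REQUIRED = {"compatible", "huk", "rot"}                               # schema "required"
FIXED_LEN = {"huk": 32, "rot": 32}                                    # "should be 32 bytes"


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_dtb(tree: dict) -> bytes:
    """Encode {prop: bytes, ..., "children": {name: node}} as a v17 DTB (constructed sample only)."""
    strings, struct_blk = bytearray(), bytearray()

    def name_off(name: str) -> int:
        off = len(strings)
        strings.extend(name.encode() + b"\0")
        return off

    def emit(name: str, node: dict) -> None:
        struct_blk.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for key, val in node.items():
            if key != "children":
                struct_blk.extend(struct.pack(">III", FDT_PROP, len(val), name_off(key)) + _pad4(val))
        for cname, child in node.get("children", {}).items():
            emit(cname, child)
        struct_blk.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)
    struct_blk.extend(struct.pack(">I", FDT_END))
    off_rsv, off_struct = 40, 56                       # 40-byte header, one empty rsvmap entry
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, off_rsv, 17, 16, 0, len(strings), len(struct_blk))
    return header + bytes(16) + bytes(struct_blk) + bytes(strings)


def parse_dtb(blob: bytes) -> dict:
    """Decode a DTB back into the nested-dict shape build_dtb() accepts."""
    magic, total, off_struct, off_strings, *_, size_struct = struct.unpack_from(">10I", blob)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a DTB")

    def cstr(off: int) -> str:
        return blob[off:blob.index(b"\0", off)].decode()

    pos, stack, top = off_struct, [], {}
    while pos < off_struct + size_struct:
        tok = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:
            name = cstr(pos)
            pos += (len(name) + 4) & ~3                # name, NUL, pad to 4 bytes
            node = {"children": {}}
            (stack[-1]["children"] if stack else top)[name] = node
            stack.append(node)
        elif tok == FDT_PROP:
            length, noff = struct.unpack_from(">II", blob, pos)
            stack[-1][cstr(off_strings + noff)] = blob[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_END:
            break
        elif tok != FDT_NOP:
            raise ValueError(f"bad token {tok:#x} at offset {pos - 4}")
    return top[""]                                     # the unnamed root node


def check_widevine(tree: dict, for_os: bool) -> list:
    """Findings against the binding; [] means pass. for_os=True: node must be absent."""
    node = tree["children"].get("options", {"children": {}})["children"].get("widevine")
    if for_os:   # secrets are for OP-TEE only; the OS DT must not carry them at all
        return ["/options/widevine present in OS-facing DT"] if node else []
    if node is None:
        return ["/options/widevine missing"]
    props = {k: v for k, v in node.items() if k != "children"}
    findings = []
    if props.get("compatible", b"").rstrip(b"\0") != b"google,widevine":
        findings.append("compatible is not google,widevine")
    findings += [f"required property {n} missing" for n in sorted(REQUIRED - set(props))]
    findings += [f"unexpected property {n}" for n in sorted(set(props) - ALLOWED)]
    for name, want in FIXED_LEN.items():
        if name in props and len(props[name]) != want:
            findings.append(f"{name} is {len(props[name])} bytes, binding says {want}")
    return findings


EXAMPLE_VALUE = bytes.fromhex("00deadbeafaabbcc")   # the patch's 8-byte example value


def sample_tree(value: bytes) -> dict:
    # Constructed sample mirroring the patch's example node.
    node = {"compatible": b"google,widevine\0", "huk": value, "rot": value, "children": {}}
    return {"children": {"options": {"children": {"widevine": node}}}}


if __name__ == "__main__":
    print("patch example:", check_widevine(parse_dtb(build_dtb(sample_tree(EXAMPLE_VALUE))), False))
    good = parse_dtb(build_dtb(sample_tree(bytes(32))))       # all-zero placeholder keys
    print("32-byte keys:", check_widevine(good, False), "OS DT:", check_widevine(good, True))
```

Run against the patch's own example values the checker reports both 8-byte keys; the same 32-byte DT passes the OP-TEE check and fails the OS-facing one, which is the split the thread asks for.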


* Re: Device tree usage in TF-A & OP-Tee consultation
@ 2023-08-10  7:39                                       ` Yi Chou
From: Yi Chou @ 2023-08-10  7:39 UTC (permalink / raw)
  To: Rob Herring
  Cc: Simon Glass, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

On Wed, Aug 9, 2023 at 10:58 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>
> On Tue, Aug 8, 2023 at 2:08 AM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> > >
> > > On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > >
> > > > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > >
> > > > > Sorry for the late reply. This is the new version that moved the
> > > > > bindings to the /options node.
> > > > >
> > > > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > >
> > > > > The necessary fields to initialize the widevine related functions in
> > > > > OP-TEE.
> > > > >
> > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > ---
> > > > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > > > >  1 file changed, 61 insertions(+)
> > > > >  create mode 100644
> > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > >
> > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > new file mode 100644
> > > > > index 0000000000000..acfc96d162c88
> > > > > --- /dev/null
> > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > @@ -0,0 +1,61 @@
> > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > +%YAML 1.2
> > > > > +---
> > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > +
> > > > > +title: Google Widevine initialize parameters.
> > > > > +
> > > > > +maintainers:
> > > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > +
> > > > > +description:
> > > > > +  The necessary fields to initialize the widevine related functions in
> > > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > > +  place for passing data between firmware and OP-TEE.
> > > > > +
> > > > > +properties:
> > > > > +  compatible:
> > > > > +    const: google,widevine
> > > > > +
> > > > > +  huk:
> > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > +    description:
> > > > > +      The encryption key of the Widevine OP-TEE storage.
> > > > > +
> > > > > +  tpm-auth-pk:
> > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > +    description:
> > > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > >
> > > > Can you add more details about this key. What format is it in? How is
> > > > it created?
> > > >
> > > > > +
> > > > > +  widevine-dice:
> > > >
> > > > We should avoid the 'widevine-' prefix since it is already this node.
> > >
> > > Yes, but then 'dice' is pretty vague. It is preferred that property
> > > names are unique enough to only have 1 type globally (at least within
> > > a defined size). This allows using the schemas to decode DT data.
> > >
> > > >
> > > > I don't know what the words mean in the description, so I cannot offer
> > > > a better idea.
> > > >
> > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > +    description:
> > > > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > > > +      Engine) of this device. Used to provision the device status with
> > > > > +      the Widevine server in OP-TEE.
> > > >
> > > > Ditto
> > > >
> > > > > +
> > > > > +  widevine-ta-key:
> > > >
> > > > As above
> > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > +    description:
> > > > > +      The Widevine private key corresponding to the widevine-dice.
> > > > > +      Used to signing the widevine request in OP-TEE.
> > > >
> > > > Again, more details please
> > > >
> > > > > +
> > > > > +required:
> > > > > +  - compatible
> > >
> > > What's the point of this binding if none of the other properties are required?
> > >
> > > > > +
> > > > > +additionalProperties: false
> > > > > +
> > > > > +examples:
> > > > > +  - |+
> > > > > +    options {
> > > > > +      widevine: {
> > > > > +        compatible = "google,widevine";
> > > > > +
> > > > > +        huk = [00 de ad be af aa bb cc],
> > > > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > > > +      };
> > > > > +    };
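Review bot: the example at the end of this hunk is not valid DTS and contradicts the schema above it: `widevine: {` is a label with no node name (it should be `widevine {`), the property assignments end in `,` where DTS requires `;`, and the `[00 de ad be af aa bb cc]` values are byte strings while every property is declared `$ref: /schemas/types.yaml#/definitions/string`, so running the schema tools over the example would fail. Separately, `huk` is described as an encryption key and `widevine-ta-key` as a private key, while the description calls the node "a place for passing data between firmware and OP-TEE"; the binding should state that these properties are secrets and that the node must be removed (or the DT kept secure-world only) before the device tree is handed to the normal-world kernel, otherwise any normal-world reader of the device tree obtains the keys.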
> > > > > --
> > > > > 2.39.2
> > > > >
> > > >
> > > > [..]
> > > >
> > > > Regards,
> > > > Simon
> >
> > Sorry for the late reply.
> > We changed the internal format of the "widevine-dice" from COSE to
> > X.509 recently.
> > And here is the new patch with the corresponding changes.
> >
> > From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
> > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> >
> > The necessary fields to initialize the widevine related functions in
> > OP-TEE.
> >
> > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > ---
> > .../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
> > 1 file changed, 63 insertions(+)
> > create mode 100644
> > Documentation/devicetree/bindings/options/google,widevine.yaml
> >
> > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > new file mode 100644
> > index 0000000000000..874f62598b087
> > --- /dev/null
> > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > @@ -0,0 +1,63 @@
> > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > +%YAML 1.2
> > +---
> > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > +
> > +title: Google Widevine initialize parameters.
> > +
> > +maintainers:
> > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +
> > +description:
> > + The necessary fields to initialize the widevine related functions in
> > + OP-TEE. This node does not represent a real device, but serves as a
> > + place for passing data between firmware and OP-TEE.
> > +
> > +properties:
> > + compatible:
> > + const: google,widevine
>
> This isn't valid json-schema as the indentation is wrong. Please test
> your schema with the tools.
>
> > +
> > + huk:
>
> As mentioned previously, this is too vague.
>
> > + $ref: /schemas/types.yaml#/definitions/string
>
> Doesn't look like a string from the example.
>
> > + description:
> > + The encryption key of the Widevine OP-TEE storage. The length
> > + should be 32 bytes.
>
> Your example is 8 bytes.
>
> > +
> > + tpm-auth-pk:
> > + $ref: /schemas/types.yaml#/definitions/string
> > + description:
> > + The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > + The format of data should be TPM2B_PUBLIC.
> > +
> > + rot:
> > + $ref: /schemas/types.yaml#/definitions/string
> > + description:
> > + The Widevine root of trust secret. Used to signing the widevine
> > + request in OP-TEE. The length should be 32 bytes.
> > +
> > + rot-cert:
> > + $ref: /schemas/types.yaml#/definitions/string
> > + description:
> > + The X.509 certificate of the Widevine root of trust on this
> > + device. Used to provision the device status with the Widevine
> > + server in OP-TEE.
> > +
> > +required:
> > + - compatible
> > + - huk
> > + - rot
> > +
> > +additionalProperties: false
> > +
> > +examples:
> > + - |+
> > + options {
> > + widevine: {
> > + compatible = "google,widevine";
> > +
> > + huk = [00 de ad be af aa bb cc],
> > + rot = [00 de ad be af aa bb cc],
> > + };
> > + };
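Review bot: `rot` in this hunk has the same length mismatch already noted for `huk`: its description says 32 bytes, the example gives 8, and now that `required` lists `huk` and `rot` the example is the only reference a validator has. The example is also still not valid DTS (`widevine: {` is a label without a node name; properties are terminated with `,` instead of `;`). For `tpm-auth-pk`, TPM2B_PUBLIC is a binary sized buffer (a 16-bit size followed by the TPMT_PUBLIC structure), and for `rot-cert` an X.509 certificate is DER or PEM, so `string` is the wrong type for both and the encoding should be named in the description. `rot-cert` is the certificate of the root of trust whose secret is `rot`, yet `rot` is required and `rot-cert` is optional; the description should say what OP-TEE does when the certificate is absent.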
> > --
> > 2.39.2
> >
> > Sincerely,
> > Yi

Thanks for the reply; this is the new version of this patch.

From 360c63617c8cd595da41b04430993b9d435b0865 Mon Sep 17 00:00:00 2001
From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Date: Wed, 14 Jun 2023 14:49:46 +0800
Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters

The necessary fields to initialize the widevine related functions in
OP-TEE.

Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
---
 .../bindings/options/google,widevine.yaml     | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644
Documentation/devicetree/bindings/options/google,widevine.yaml

diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
b/Documentation/devicetree/bindings/options/google,widevine.yaml
new file mode 100644
index 0000000000000..e77e9ac5be29a
--- /dev/null
+++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/options/google,widevine.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Google Widevine initialize parameters.
+
+maintainers:
+  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+
+description:
+  The necessary fields to initialize the widevine related functions in
+  OP-TEE. This node does not represent a real device, but serves as a
+  place for passing data between firmware and OP-TEE.
+
+properties:
+  compatible:
+    const: google,widevine
+
+  hardware-unique-key:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description:
+      The hardware unique key of the Widevine OP-TEE. It will be used
+      to derive the secure storage key. The length should be 32 bytes.
+
+  tpm-auth-public-key:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description:
+      The TPM auth public key. Used to communicate the TPM from OP-TEE.
+      The format of data should be TPM2B_PUBLIC.
+
+  root-of-trust:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description:
+      The Widevine root of trust secret. Used to sign the widevine
+      request in OP-TEE. The length should be 32 bytes.
+
+  root-of-trust-cert:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description:
+      The X.509 certificate of the Widevine root of trust on this
+      device. Used to provision the device status with the Widevine
+      server in OP-TEE.
+
+required:
+  - compatible
+  - hardware-unique-key
+  - root-of-trust
+
+additionalProperties: false
+
+examples:
+  - |+
+    options {
+      widevine {
+        compatible = "google,widevine";
+        hardware-unique-key = /bits/ 8 <
+          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+        >;
+        root-of-trust = /bits/ 8 <
+          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+        >;
+      };
+    };
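Review bot: `root-of-trust` is required but `root-of-trust-cert` is not, and the description of `root-of-trust` (a 32-byte "secret" used to sign the widevine request) does not say what kind of key it is: a raw private scalar, a seed, or an HMAC key, each of which implies a different signature scheme and a different relationship to the certificate carried in `root-of-trust-cert`. Please name the algorithm and the encoding (likewise DER vs PEM for the certificate) so that the `uint8-array` contents can actually be validated, and say what OP-TEE does when the certificate is absent. Because this node carries the hardware unique key and the signing secret in plaintext, the description should also state which firmware stage populates it and that the node must be stripped before the device tree reaches the normal-world kernel; `additionalProperties: false` and the length checks do nothing for confidentiality.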

^ permalink raw reply related	[flat|nested] 16+ messages in thread
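A checker for the constraints this binding's text states, as an added example that is not part of the patch, OP-TEE or TF-A. It decodes both DTS byte encodings discussed in the thread (`[aa bb]` byte strings and `/bits/ 8 <...>` cells) and enforces the 32-byte lengths, the TPM2B_PUBLIC size prefix and a DER SEQUENCE tag for the certificate; marking the two key properties as secrets is my reading of their descriptions, not something the schema encodes.

```python
"""Checker for the google,widevine /options node (added example, not code from
the patch, OP-TEE or TF-A).  Decodes the two DTS byte encodings seen in the
thread ([aa bb] byte strings and /bits/ 8 <...> cells) and enforces what the
binding text states: uint8 arrays, 32-byte keys, no undefined properties."""
import re

# Constraints from the binding text.  "secret" is my reading of the descriptions
# (a key-derivation secret, a "root of trust secret"); TPM2B/DER are the formats
# the descriptions name.
BINDING = {
    "compatible": {"type": "string", "const": "google,widevine"},
    "hardware-unique-key": {"type": "bytes", "length": 32, "secret": True},
    "root-of-trust": {"type": "bytes", "length": 32, "secret": True},
    "tpm-auth-public-key": {"type": "bytes", "tpm2b": True},
    "root-of-trust-cert": {"type": "bytes", "der": True},
}
REQUIRED = {"compatible", "hardware-unique-key", "root-of-trust"}

# name = value;  (value may span lines, e.g. a /bits/ 8 < ... > list)
PROP_RE = re.compile(r"([\w,-]+)\s*=\s*(.*?);", re.S)

def _cell(tok):
    """Parse one DTS cell token: decimal, or hex when written with 0x."""
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)

def parse_value(text):
    """Decode one property value into (kind, value), kind in {"string", "bytes"}."""
    text = text.strip()
    if text.startswith('"'):
        return "string", text.strip('"')
    if text.startswith("["):                       # [00 de ad be] byte string
        hexdigits = text[1:text.index("]")].split()
        return "bytes", bytes.fromhex("".join(hexdigits))
    m = re.match(r"/bits/\s*8\s*<(.*)>", text, re.S)  # /bits/ 8 <0 1 2 ...>
    if m:
        cells = [_cell(t) for t in m.group(1).split()]
        if any(c > 0xFF for c in cells):
            raise ValueError("cell value does not fit in 8 bits")
        return "bytes", bytes(cells)
    raise ValueError(f"unsupported value syntax: {text[:24]!r}")

def parse_node(dts):
    """Return {name: (kind, value)} for a snippet holding one property-bearing node."""
    body = dts[dts.index("{") + 1:dts.rindex("}")]
    return {name: parse_value(val) for name, val in PROP_RE.findall(body)}

def check_node(props):
    """Validate decoded properties against BINDING; empty list means it conforms."""
    findings = [f"{n}: required property missing" for n in sorted(REQUIRED - set(props))]
    for name, (kind, value) in props.items():
        spec = BINDING.get(name)
        if spec is None:                           # additionalProperties: false
            findings.append(f"{name}: not allowed by the binding")
            continue
        if kind != spec["type"]:
            findings.append(f"{name}: expected {spec['type']}, got {kind}")
            continue
        if "const" in spec and value != spec["const"]:
            findings.append(f"{name}: must be {spec['const']!r}")
        if "length" in spec and len(value) != spec["length"]:
            findings.append(f"{name}: {len(value)} bytes, binding requires {spec['length']}")
        if spec.get("tpm2b"):
            # TPM2B_PUBLIC = UINT16 size (big-endian) followed by that many bytes
            # of TPMT_PUBLIC; a mismatch means this is not a TPM2B blob at all.
            if len(value) < 2 or int.from_bytes(value[:2], "big") != len(value) - 2:
                findings.append(f"{name}: TPM2B size prefix does not match payload")
        if spec.get("der") and not value.startswith(b"\x30"):
            findings.append(f"{name}: does not start with a DER SEQUENCE tag")
    return findings

def secret_properties(props):
    """Names of the secret-bearing properties present.  A DT containing any of
    them must not be handed to the normal-world kernel as-is."""
    return sorted(n for n in props if BINDING.get(n, {}).get("secret"))

# Constructed sample in the shape of the v3 example: 32-byte keys, one per encoding.
GOOD_NODE = """options {
  widevine {
    compatible = "google,widevine";
    hardware-unique-key = /bits/ 8 <
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    >;
    root-of-trust = [00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
                     10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f];
  };
};"""

# Constructed sample with the defects the reviewers pointed out: 8-byte keys and
# a property (huk) the binding does not define.
BAD_NODE = """widevine {
  compatible = "google,widevine";
  hardware-unique-key = [00 de ad be af aa bb cc];
  root-of-trust = [00 de ad be af aa bb cc];
  huk = [00 de ad be af aa bb cc];
};"""
```

`check_node(parse_node(BAD_NODE))` returns three findings (two 8-byte keys where 32 are required, plus the undefined `huk` property), while the 32-byte sample passes and `secret_properties` names the two keys that must never reach the normal world.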

* Re: Device tree usage in TF-A & OP-Tee consultation
       [not found]                                         ` <CABOkjxKwnS5K082dZgcxqZ+x5+AMeuDsW_u7mVko81_td9u_uw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2023-08-15 14:44                                           ` Simon Glass
       [not found]                                             ` <CAPnjgZ2QUEDqOkWyDm=tvBAxJRxH+TrQWDfmC8rQsSNdxR=iCQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 16+ messages in thread
From: Simon Glass @ 2023-08-15 14:44 UTC (permalink / raw)
  To: Yi Chou
  Cc: Rob Herring, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

Hi,

On Thu, 10 Aug 2023 at 01:39, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> On Wed, Aug 9, 2023 at 10:58 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> >
> > On Tue, Aug 8, 2023 at 2:08 AM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > >
> > > On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> > > >
> > > > On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg@chromium.org> wrote:
> > > > >
> > > > > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > > >
> > > > > > Sorry for the late reply,
> > > > > > this is the new version that moved the bindings to the /options node.
> > > > > >
> > > > > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > > >
> > > > > > The necessary fields to initialize the widevine related functions in
> > > > > > OP-TEE.
> > > > > >
> > > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > ---
> > > > > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > > > > >  1 file changed, 61 insertions(+)
> > > > > >  create mode 100644
> > > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > >
> > > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > new file mode 100644
> > > > > > index 0000000000000..acfc96d162c88
> > > > > > --- /dev/null
> > > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > @@ -0,0 +1,61 @@
> > > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > > +%YAML 1.2
> > > > > > +---
> > > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > > +
> > > > > > +title: Google Widevine initialize parameters.
> > > > > > +
> > > > > > +maintainers:
> > > > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > +
> > > > > > +description:
> > > > > > +  The necessary fields to initialize the widevine related functions in
> > > > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > > > +  place for passing data between firmware and OP-TEE.
> > > > > > +
> > > > > > +properties:
> > > > > > +  compatible:
> > > > > > +    const: google,widevine
> > > > > > +
> > > > > > +  huk:
> > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > +    description:
> > > > > > +      The encryption key of the Widevine OP-TEE storage.
> > > > > > +
> > > > > > +  tpm-auth-pk:
> > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > +    description:
> > > > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > >
> > > > > Can you add more details about this key. What format is it in? How is
> > > > > it created?
> > > > >
> > > > > > +
> > > > > > +  widevine-dice:
> > > > >
> > > > > We should avoid the 'widevine-' prefix since it is already this node.
> > > >
> > > > Yes, but then 'dice' is pretty vague. It is preferred that property
> > > > names are unique enough to only have 1 type globally (at least within
> > > > a defined size). This allows using the schemas to decode DT data.
> > > >
> > > > >
> > > > > I don't know what the words mean in the description, so I cannot offer
> > > > > a better idea.
> > > > >
> > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > +    description:
> > > > > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > > > > +      Engine) of this device. Used to provision the device status with
> > > > > > +      the Widevine server in OP-TEE.
> > > > >
> > > > > Ditto
> > > > >
> > > > > > +
> > > > > > +  widevine-ta-key:
> > > > >
> > > > > As above
> > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > +    description:
> > > > > > +      The Widevine private key corresponding to the widevine-dice.
> > > > > > +      Used to signing the widevine request in OP-TEE.
> > > > >
> > > > > Again, more details please
> > > > >
> > > > > > +
> > > > > > +required:
> > > > > > +  - compatible
> > > >
> > > > What's the point of this binding if none of the other properties are required?
> > > >
> > > > > > +
> > > > > > +additionalProperties: false
> > > > > > +
> > > > > > +examples:
> > > > > > +  - |+
> > > > > > +    options {
> > > > > > +      widevine: {
> > > > > > +        compatible = "google,widevine";
> > > > > > +
> > > > > > +        huk = [00 de ad be af aa bb cc],
> > > > > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > > > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > > > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > > > > +      };
> > > > > > +    };
> > > > > > --
> > > > > > 2.39.2
> > > > > >
> > > > >
> > > > > [..]
> > > > >
> > > > > Regards,
> > > > > Simon
> > >
> > > Sorry for the late reply.
> > > We changed the internal format of the "widevine-dice" from COSE to
> > > X.509 recently.
> > > And here is the new patch with the corresponding changes.
> > >
> > > From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
> > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > >
> > > The necessary fields to initialize the widevine related functions in
> > > OP-TEE.
> > >
> > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > ---
> > > .../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
> > > 1 file changed, 63 insertions(+)
> > > create mode 100644
> > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > >
> > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > new file mode 100644
> > > index 0000000000000..874f62598b087
> > > --- /dev/null
> > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > @@ -0,0 +1,63 @@
> > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > +%YAML 1.2
> > > +---
> > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > +
> > > +title: Google Widevine initialize parameters.
> > > +
> > > +maintainers:
> > > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > +
> > > +description:
> > > + The necessary fields to initialize the widevine related functions in
> > > + OP-TEE. This node does not represent a real device, but serves as a
> > > + place for passing data between firmware and OP-TEE.
> > > +
> > > +properties:
> > > + compatible:
> > > + const: google,widevine
> >
> > This isn't valid json-schema as the indentation is wrong. Please test
> > your schema with the tools.
> >
> > > +
> > > + huk:
> >
> > As mentioned previously, this is too vague.
> >
> > > + $ref: /schemas/types.yaml#/definitions/string
> >
> > Doesn't look like a string from the example.
> >
> > > + description:
> > > + The encryption key of the Widevine OP-TEE storage. The length
> > > + should be 32 bytes.
> >
> > Your example is 8 bytes.
> >
> > > +
> > > + tpm-auth-pk:
> > > + $ref: /schemas/types.yaml#/definitions/string
> > > + description:
> > > + The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > + The format of data should be TPM2B_PUBLIC.
> > > +
> > > + rot:
> > > + $ref: /schemas/types.yaml#/definitions/string
> > > + description:
> > > + The Widevine root of trust secret. Used to signing the widevine
> > > + request in OP-TEE. The length should be 32 bytes.
> > > +
> > > + rot-cert:
> > > + $ref: /schemas/types.yaml#/definitions/string
> > > + description:
> > > + The X.509 certificate of the Widevine root of trust on this
> > > + device. Used to provision the device status with the Widevine
> > > + server in OP-TEE.
> > > +
> > > +required:
> > > + - compatible
> > > + - huk
> > > + - rot
> > > +
> > > +additionalProperties: false
> > > +
> > > +examples:
> > > + - |+
> > > + options {
> > > + widevine: {
> > > + compatible = "google,widevine";
> > > +
> > > + huk = [00 de ad be af aa bb cc],
> > > + rot = [00 de ad be af aa bb cc],
> > > + };
> > > + };
> > > --
> > > 2.39.2
> > >
> > > Sincerely,
> > > Yi
>
> Thanks for the reply, this is the new version of this patch.
>
> From 360c63617c8cd595da41b04430993b9d435b0865 Mon Sep 17 00:00:00 2001
> From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Date: Wed, 14 Jun 2023 14:49:46 +0800
> Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
>
> The necessary fields to initialize the widevine related functions in
> OP-TEE.
>
> Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> ---
>  .../bindings/options/google,widevine.yaml     | 68 +++++++++++++++++++
>  1 file changed, 68 insertions(+)
>  create mode 100644
> Documentation/devicetree/bindings/options/google,widevine.yaml
>
> diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> b/Documentation/devicetree/bindings/options/google,widevine.yaml
> new file mode 100644
> index 0000000000000..e77e9ac5be29a
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> @@ -0,0 +1,68 @@
> +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> +%YAML 1.2
> +---
> +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> +$schema: http://devicetree.org/meta-schemas/core.yaml#
> +
> +title: Google Widevine initialize parameters.

'initialization' would be better I think

> +
> +maintainers:
> +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +

The property names you have used seem good to me.

> +description:
> +  The necessary fields to initialize the widevine related functions in
> +  OP-TEE. This node does not represent a real device, but serves as a
> +  place for passing data between firmware and OP-TEE.
> +
> +properties:
> +  compatible:
> +    const: google,widevine
> +
> +  hardware-unique-key:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description:
> +      The hardware unique key of the Widevine OP-TEE. It will be used

hardware-unique key

> +      to derive the secure storage key. The length should be 32 bytes.

What is the format of this? Do you have a link?

> +
> +  tpm-auth-public-key:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description:
> +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> +      The format of data should be TPM2B_PUBLIC.

Same here. I tried to look up TPM2B_PUBLIC but didn't get very far.

If this is omitted, what does it mean?

> +
> +  root-of-trust:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description:
> +      The Widevine root of trust secret. Used to sign the widevine
> +      request in OP-TEE. The length should be 32 bytes.

What is the format of this? Do you have a link?

> +
> +  root-of-trust-cert:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description:
> +      The X.509 certificate of the Widevine root of trust on this
> +      device. Used to provision the device status with the Widevine
> +      server in OP-TEE.

Which format is used for the X.509 certificate?

If this is omitted, what does it mean?

> +
> +required:
> +  - compatible
> +  - hardware-unique-key
> +  - root-of-trust
> +
> +additionalProperties: false
> +
> +examples:
> +  - |+
> +    options {
> +      widevine {
> +        compatible = "google,widevine";
> +        hardware-unique-key = /bits/ 8 <
> +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +        >;
> +        root-of-trust = /bits/ 8 <
> +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +        >;

Can you please add the other fields to your example? Perhaps it would
be better to use the [] encoding for the bytes?

> +      };
> +    };
> --
> 2.39.2
>
> Sincerely,
> Yi

Regards,
Simon

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Device tree usage in TF-A & OP-Tee consultation
       [not found]                                             ` <CAPnjgZ2QUEDqOkWyDm=tvBAxJRxH+TrQWDfmC8rQsSNdxR=iCQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2023-08-15 23:58                                               ` Yi Chou
       [not found]                                                 ` <CABOkjx+DT99NgWCWmKyexDvDR8-RLOdjnXpoOr5MOBeFwdwd9w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 16+ messages in thread
From: Yi Chou @ 2023-08-15 23:58 UTC (permalink / raw)
  To: Simon Glass
  Cc: Rob Herring, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

On Tue, Aug 15, 2023 at 10:44 PM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Hi,
>
> On Thu, 10 Aug 2023 at 01:39, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > On Wed, Aug 9, 2023 at 10:58 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> > >
> > > On Tue, Aug 8, 2023 at 2:08 AM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > >
> > > > On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh@kernel.org> wrote:
> > > > >
> > > > > On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg@chromium.org> wrote:
> > > > > >
> > > > > > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > > > >
> > > > > > > Sorry for the late reply,
> > > > > > > this is the new version that moved the bindings to the /options node.
> > > > > > >
> > > > > > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > > > >
> > > > > > > The necessary fields to initialize the widevine related functions in
> > > > > > > OP-TEE.
> > > > > > >
> > > > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > > ---
> > > > > > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > > > > > >  1 file changed, 61 insertions(+)
> > > > > > >  create mode 100644
> > > > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > >
> > > > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > new file mode 100644
> > > > > > > index 0000000000000..acfc96d162c88
> > > > > > > --- /dev/null
> > > > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > @@ -0,0 +1,61 @@
> > > > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > > > +%YAML 1.2
> > > > > > > +---
> > > > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > > > +
> > > > > > > +title: Google Widevine initialize parameters.
> > > > > > > +
> > > > > > > +maintainers:
> > > > > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > > +
> > > > > > > +description:
> > > > > > > +  The necessary fields to initialize the widevine related functions in
> > > > > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > > > > +  place for passing data between firmware and OP-TEE.
> > > > > > > +
> > > > > > > +properties:
> > > > > > > +  compatible:
> > > > > > > +    const: google,widevine
> > > > > > > +
> > > > > > > +  huk:
> > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > +    description:
> > > > > > > +      The encryption key of the Widevine OP-TEE storage.
> > > > > > > +
> > > > > > > +  tpm-auth-pk:
> > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > +    description:
> > > > > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > > >
> > > > > > Can you add more details about this key. What format is it in? How is
> > > > > > it created?
> > > > > >
> > > > > > > +
> > > > > > > +  widevine-dice:
> > > > > >
> > > > > > We should avoid the 'widevine-' prefix since it is already this node.
> > > > >
> > > > > Yes, but then 'dice' is pretty vague. It is preferred that property
> > > > > names are unique enough to only have 1 type globally (at least within
> > > > > a defined size). This allows using the schemas to decode DT data.
> > > > >
> > > > > >
> > > > > > I don't know what the words mean in the description, so I cannot offer
> > > > > > a better idea.
> > > > > >
> > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > +    description:
> > > > > > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > > > > > +      Engine) of this device. Used to provision the device status with
> > > > > > > +      the Widevine server in OP-TEE.
> > > > > >
> > > > > > Ditto
> > > > > >
> > > > > > > +
> > > > > > > +  widevine-ta-key:
> > > > > >
> > > > > > As above
> > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > +    description:
> > > > > > > +      The Widevine private key corresponding to the widevine-dice.
> > > > > > > +      Used to signing the widevine request in OP-TEE.
> > > > > >
> > > > > > Again, more details please
> > > > > >
> > > > > > > +
> > > > > > > +required:
> > > > > > > +  - compatible
> > > > >
> > > > > What's the point of this binding if none of the other properties are required?
> > > > >
> > > > > > > +
> > > > > > > +additionalProperties: false
> > > > > > > +
> > > > > > > +examples:
> > > > > > > +  - |+
> > > > > > > +    options {
> > > > > > > +      widevine: {
> > > > > > > +        compatible = "google,widevine";
> > > > > > > +
> > > > > > > +        huk = [00 de ad be af aa bb cc],
> > > > > > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > > > > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > > > > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > > > > > +      };
> > > > > > > +    };
> > > > > > > --
> > > > > > > 2.39.2
> > > > > > >
> > > > > >
> > > > > > [..]
> > > > > >
> > > > > > Regards,
> > > > > > Simon
> > > >
> > > > Sorry for the late reply.
> > > > We changed the internal format of the "widevine-dice" from COSE to
> > > > X.509 recently.
> > > > And here is the new patch with the corresponding changes.
> > > >
> > > > From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
> > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > >
> > > > The necessary fields to initialize the widevine related functions in
> > > > OP-TEE.
> > > >
> > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > ---
> > > > .../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
> > > > 1 file changed, 63 insertions(+)
> > > > create mode 100644
> > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > >
> > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > new file mode 100644
> > > > index 0000000000000..874f62598b087
> > > > --- /dev/null
> > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > @@ -0,0 +1,63 @@
> > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > +%YAML 1.2
> > > > +---
> > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > +
> > > > +title: Google Widevine initialize parameters.
> > > > +
> > > > +maintainers:
> > > > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > +
> > > > +description:
> > > > + The necessary fields to initialize the widevine related functions in
> > > > + OP-TEE. This node does not represent a real device, but serves as a
> > > > + place for passing data between firmware and OP-TEE.
> > > > +
> > > > +properties:
> > > > + compatible:
> > > > + const: google,widevine
> > >
> > > This isn't valid json-schema as the indentation is wrong. Please test
> > > your schema with the tools.
> > >
> > > > +
> > > > + huk:
> > >
> > > As mentioned previously, this is too vague.
> > >
> > > > + $ref: /schemas/types.yaml#/definitions/string
> > >
> > > Doesn't look like a string from the example.
> > >
> > > > + description:
> > > > + The encryption key of the Widevine OP-TEE storage. The length
> > > > + should be 32 bytes.
> > >
> > > Your example is 8 bytes.
> > >
> > > > +
> > > > + tpm-auth-pk:
> > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > + description:
> > > > + The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > + The format of data should be TPM2B_PUBLIC.
> > > > +
> > > > + rot:
> > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > + description:
> > > > + The Widevine root of trust secret. Used to signing the widevine
> > > > + request in OP-TEE. The length should be 32 bytes.
> > > > +
> > > > + rot-cert:
> > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > + description:
> > > > + The X.509 certificate of the Widevine root of trust on this
> > > > + device. Used to provision the device status with the Widevine
> > > > + server in OP-TEE.
> > > > +
> > > > +required:
> > > > + - compatible
> > > > + - huk
> > > > + - rot
> > > > +
> > > > +additionalProperties: false
> > > > +
> > > > +examples:
> > > > + - |+
> > > > + options {
> > > > + widevine: {
> > > > + compatible = "google,widevine";
> > > > +
> > > > + huk = [00 de ad be af aa bb cc],
> > > > + rot = [00 de ad be af aa bb cc],
> > > > + };
> > > > + };
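Review bot: the example in this hunk is not valid DTS and will fail dt_binding_check before the schema is even reached: `widevine: {` is a label with no node name (it needs `widevine {` or `widevine: widevine {`), and the `huk = [...],` / `rot = [...],` properties end in `,` where DTS requires `;`. Beyond Rob's points on indentation and the string type, the binding leaves `tpm-auth-pk` and `rot-cert` optional without saying what OP-TEE does when they are absent, which the description should state. Two wording fixes in the descriptions: "Used to communicate the TPM from OP-TEE" should read "used to communicate with the TPM from OP-TEE", and "Used to signing the widevine request" should read "used to sign the Widevine request".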
> > > > --
> > > > 2.39.2
> > > >
> > > > Sincerely,
> > > > Yi
> >
> > Thanks for the reply, this is the new version of this patch.
> >
> > From 360c63617c8cd595da41b04430993b9d435b0865 Mon Sep 17 00:00:00 2001
> > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> >
> > The necessary fields to initialize the widevine related functions in
> > OP-TEE.
> >
> > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > ---
> >  .../bindings/options/google,widevine.yaml     | 68 +++++++++++++++++++
> >  1 file changed, 68 insertions(+)
> >  create mode 100644
> > Documentation/devicetree/bindings/options/google,widevine.yaml
> >
> > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > new file mode 100644
> > index 0000000000000..e77e9ac5be29a
> > --- /dev/null
> > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > @@ -0,0 +1,68 @@
> > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > +%YAML 1.2
> > +---
> > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > +
> > +title: Google Widevine initialize parameters.
>
> 'initialization' would be better I think
>
> > +
> > +maintainers:
> > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +
>
> The property names you have used seem good to me.
>
> > +description:
> > +  The necessary fields to initialize the widevine related functions in
> > +  OP-TEE. This node does not represent a real device, but serves as a
> > +  place for passing data between firmware and OP-TEE.
> > +
> > +properties:
> > +  compatible:
> > +    const: google,widevine
> > +
> > +  hardware-unique-key:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description:
> > +      The hardware unique key of the Widevine OP-TEE. It will be used
>
> hardware-unique key
>
> > +      to derive the secure storage key. The length should be 32 bytes.
>
> What is the format of this? Do you have a link?
>
> > +
> > +  tpm-auth-public-key:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description:
> > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > +      The format of data should be TPM2B_PUBLIC.
>
> Same here. I tried to look up TPM2B_PUBLIC but didn't get very far.
>
> If this is omitted, what does it mean?
>
> > +
> > +  root-of-trust:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description:
> > +      The Widevine root of trust secret. Used to sign the widevine
> > +      request in OP-TEE. The length should be 32 bytes.
>
> What is the format of this? Do you have a link?
>
> > +
> > +  root-of-trust-cert:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description:
> > +      The X.509 certificate of the Widevine root of trust on this
> > +      device. Used to provision the device status with the Widevine
> > +      server in OP-TEE.
>
> Which format is used for the X.509 certificate?
>
> If this is omitted, what does it mean?
>
> > +
> > +required:
> > +  - compatible
> > +  - hardware-unique-key
> > +  - root-of-trust
> > +
> > +additionalProperties: false
> > +
> > +examples:
> > +  - |+
> > +    options {
> > +      widevine {
> > +        compatible = "google,widevine";
> > +        hardware-unique-key = /bits/ 8 <
> > +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> > +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> > +        >;
> > +        root-of-trust = /bits/ 8 <
> > +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> > +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> > +        >;
>
> Can you please add the other fields to your example? Perhaps this
> would be better to use the [] encoding for the bytes?
>
> > +      };
> > +    };
> > --
> > 2.39.2
> >
> > Sincerely,
> > Yi
>
> Regards,
> Simon

Thanks for the reply, I added more references for the formats to the doc.
I also added examples of tpm-auth-public-key and root-of-trust-cert.

From fb8fa5684a36e4b59a9543691cd17e201ab9a226 Mon Sep 17 00:00:00 2001
From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Date: Wed, 14 Jun 2023 14:49:46 +0800
Subject: [PATCH] dt-bindings: Add Google Widevine initialization parameters

The necessary fields to initialize the widevine related functions in
OP-TEE.

Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
---
 .../bindings/options/google,widevine.yaml     | 121 ++++++++++++++++++
 1 file changed, 121 insertions(+)
 create mode 100644
Documentation/devicetree/bindings/options/google,widevine.yaml

diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
b/Documentation/devicetree/bindings/options/google,widevine.yaml
new file mode 100644
index 0000000000000..233f5756f2c48
--- /dev/null
+++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
@@ -0,0 +1,121 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/options/google,widevine.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Google Widevine initialization parameters.
+
+maintainers:
+  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+
+description:
+  The necessary fields to initialize the widevine related functions in
+  OP-TEE. This node does not represent a real device, but serves as a
+  place for passing data between firmware and OP-TEE.
+
+properties:
+  compatible:
+    const: google,widevine
+
+  hardware-unique-key:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The hardware-unique key of the Widevine OP-TEE. It will be used
+      to derive the secure storage key. The length should be 32 bytes.
+      For more information, please reference:
+      https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key
+
+  tpm-auth-public-key:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The TPM auth public key. Used to communicate the TPM from OP-TEE.
+      The format of data should be TPM2B_PUBLIC.
+      For more information, please reference the 12.2.5 section:
+      https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf
+
+  root-of-trust:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The Widevine root of trust secret. Used to sign the widevine
+      request in OP-TEE. The length should be 32 bytes. The value
+      is an ECC NIST P-256 scalar.
+      For more information, please reference the G.1.2 section:
+      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
+
+  root-of-trust-cert:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The X.509 certificate of the Widevine root of trust on this
+      device. Used to provision the device status with the Widevine
+      server in OP-TEE.
+      For more information, please reference:
+      https://www.itu.int/rec/T-REC-X.509
+
+required:
+  - compatible
+  - hardware-unique-key
+  - root-of-trust
+
+additionalProperties: false
+
+examples:
+  - |+
+    options {
+      widevine {
+        compatible = "google,widevine";
+        hardware-unique-key = [
+          12 f7 98 d2 0e d2 85 92 a5 82 bf 98 b8 99 2b c0
+          c6 6f 19 85 79 86 65 18 55 eb ff 9b 6c c0 ac 27
+        ];
+        tpm-auth-public-key = [
+          00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27
+          e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81
+          b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10
+          00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0
+          ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03
+          2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34
+          5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9
+          cf fc ab f8 30 e9 de 51
+        ];
+        root-of-trust = [
+          ac 0d 86 c3 d7 b5 b7 a2 6f c3 d9 93 f7 de bc bb
+          d5 c4 25 9b 21 5f 36 af b5 dd 6d 29 9d 08 c0 10
+        ];
+        root-of-trust-cert = [
+          30 82 01 f4 30 82 01 9b a0 03 02 01 02 02 10 11
+          01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 30
+          0a 06 08 2a 86 48 ce 3d 04 03 02 30 0f 31 0d 30
+          0b 06 03 55 04 03 0c 04 54 69 35 30 30 22 18 0f
+          32 30 30 30 30 31 30 31 30 30 30 30 30 30 5a 18
+          0f 32 30 39 39 31 32 33 31 32 33 35 39 35 39 5a
+          30 0f 31 0d 30 0b 06 03 55 04 03 0c 04 54 69 35
+          30 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08
+          2a 86 48 ce 3d 03 01 07 03 42 00 04 ec ef cb 0c
+          68 7e 30 f4 d5 8f 2c 88 16 f4 7f b5 8b 5b 06 77
+          d7 47 fe 1e 91 4c a3 c5 a1 54 f5 40 9c f8 a5 4e
+          85 a0 fa 05 1a 01 98 da e4 b1 e5 ff 95 0d cf 8f
+          d9 c1 ce 28 0f 91 75 ca 06 e4 91 3b a3 81 d4 30
+          81 d1 30 1a 06 0a 2b 06 01 04 01 d6 79 02 01 21
+          04 0c 5a 53 5a 56 a5 ac a5 a9 7f 7f 00 00 30 0f
+          06 0a 2b 06 01 04 01 d6 79 02 01 22 04 01 21 30
+          2e 06 0a 2b 06 01 04 01 d6 79 02 01 23 04 20 23
+          e1 4d d9 bb 51 a5 0e 16 91 1f 7e 11 df 1e 1a af
+          0b 17 13 4d c7 39 c5 65 36 07 a1 ec 8d d3 7a 30
+          2e 06 0a 2b 06 01 04 01 d6 79 02 01 24 04 20 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
+          2e 06 0a 2b 06 01 04 01 d6 79 02 01 25 04 20 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
+          12 06 0a 2b 06 01 04 01 d6 79 02 01 26 04 04 00
+          00 00 00 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03
+          47 00 30 44 02 20 62 a8 d3 23 db 1e 9c 64 91 49
+          45 5e b3 49 8d cc 1a ae 76 70 e3 12 d2 25 65 69
+          df f1 7e bc 4b d8 02 20 25 99 7c 36 cb b3 fd ce
+          6e 84 ee d7 ea eb 05 cf 69 cf 72 75 20 f3 ba 7f
+          8b 9f 06 f3 e4 11 bc cd
+        ];
+      };
+    };
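Review bot: the 32-byte length of `hardware-unique-key` and `root-of-trust` is still only prose; add `minItems: 32` / `maxItems: 32` to both `uint8-array` properties so the schema enforces it. More importantly, the description says the node "serves as a place for passing data between firmware and OP-TEE" but says nothing about confidentiality: `hardware-unique-key` and `root-of-trust` are secrets, and a device tree that reaches the normal world is readable by the kernel (and via /proc/device-tree by userspace), so the binding should state that this node is only present in the DT consumed by OP-TEE and must be removed by firmware before the DT is handed to the non-secure OS. The example data is self-consistent, which is good: the `tpm-auth-public-key` size field `00 76` (118) plus its 2-byte header matches the 120 bytes given, the TPM2B_PUBLIC body declares TPM_ALG_ECC on curve 0x0003 (NIST P-256), and `root-of-trust-cert` is DER with an outer SEQUENCE length of 0x01f4 that matches the 504 bytes given, using a P-256 SubjectPublicKeyInfo consistent with the P-256 scalar in `root-of-trust`. Say "DER-encoded" explicitly in the `root-of-trust-cert` description, and fix "Used to communicate the TPM from OP-TEE" to "used to communicate with the TPM from OP-TEE".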


* Re: Device tree usage in TF-A & OP-Tee consultation
From: Simon Glass @ 2023-08-16  1:57 UTC (permalink / raw)
  To: Yi Chou
  Cc: Rob Herring, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

Hi Yi,

On Tue, 15 Aug 2023 at 17:58, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> On Tue, Aug 15, 2023 at 10:44 PM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > Hi,
> >
> > On Thu, 10 Aug 2023 at 01:39, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > >
> > > On Wed, Aug 9, 2023 at 10:58 PM Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> > > >
> > > > On Tue, Aug 8, 2023 at 2:08 AM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > >
> > > > > On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh@kernel.org> wrote:
> > > > > >
> > > > > > On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg@chromium.org> wrote:
> > > > > > >
> > > > > > > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > > > > >
> > > > > > > > Sorry for the late reply,
> > > > > > > > this is the new version that moved the bindings to the /options node.
> > > > > > > >
> > > > > > > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > > > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > > > > >
> > > > > > > > The necessary fields to initialize the widevine related functions in
> > > > > > > > OP-TEE.
> > > > > > > >
> > > > > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > > > ---
> > > > > > > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > > > > > > >  1 file changed, 61 insertions(+)
> > > > > > > >  create mode 100644
> > > > > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > >
> > > > > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > new file mode 100644
> > > > > > > > index 0000000000000..acfc96d162c88
> > > > > > > > --- /dev/null
> > > > > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > @@ -0,0 +1,61 @@
> > > > > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > > > > +%YAML 1.2
> > > > > > > > +---
> > > > > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > > > > +
> > > > > > > > +title: Google Widevine initialize parameters.
> > > > > > > > +
> > > > > > > > +maintainers:
> > > > > > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > > > +
> > > > > > > > +description:
> > > > > > > > +  The necessary fields to initialize the widevine related functions in
> > > > > > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > > > > > +  place for passing data between firmware and OP-TEE.
> > > > > > > > +
> > > > > > > > +properties:
> > > > > > > > +  compatible:
> > > > > > > > +    const: google,widevine
> > > > > > > > +
> > > > > > > > +  huk:
> > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > +    description:
> > > > > > > > +      The encryption key of the Widevine OP-TEE storage.
> > > > > > > > +
> > > > > > > > +  tpm-auth-pk:
> > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > +    description:
> > > > > > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > > > >
> > > > > > > Can you add more details about this key. What format is it in? How is
> > > > > > > it created?
> > > > > > >
> > > > > > > > +
> > > > > > > > +  widevine-dice:
> > > > > > >
> > > > > > > We should avoid the 'widevine-' prefix since it is already this node.
> > > > > >
> > > > > > Yes, but then 'dice' is pretty vague. It is preferred that property
> > > > > > names are unique enough to only have 1 type globally (at least within
> > > > > > a defined size). This allows using the schemas to decode DT data.
> > > > > >
> > > > > > >
> > > > > > > I don't know what the words mean in the description, so I cannot offer
> > > > > > > a better idea.
> > > > > > >
> > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > +    description:
> > > > > > > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > > > > > > +      Engine) of this device. Used to provision the device status with
> > > > > > > > +      the Widevine server in OP-TEE.
> > > > > > >
> > > > > > > Ditto
> > > > > > >
> > > > > > > > +
> > > > > > > > +  widevine-ta-key:
> > > > > > >
> > > > > > > As above
> > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > +    description:
> > > > > > > > +      The Widevine private key corresponding to the widevine-dice.
> > > > > > > > +      Used to signing the widevine request in OP-TEE.
> > > > > > >
> > > > > > > Again, more details please
> > > > > > >
> > > > > > > > +
> > > > > > > > +required:
> > > > > > > > +  - compatible
> > > > > >
> > > > > > What's the point of this binding if none of the other properties are required?
> > > > > >
> > > > > > > > +
> > > > > > > > +additionalProperties: false
> > > > > > > > +
> > > > > > > > +examples:
> > > > > > > > +  - |+
> > > > > > > > +    options {
> > > > > > > > +      widevine: {
> > > > > > > > +        compatible = "google,widevine";
> > > > > > > > +
> > > > > > > > +        huk = [00 de ad be af aa bb cc],
> > > > > > > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > > > > > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > > > > > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > > > > > > +      };
> > > > > > > > +    };
> > > > > > > > --
> > > > > > > > 2.39.2
> > > > > > > >
> > > > > > >
> > > > > > > [..]
> > > > > > >
> > > > > > > Regards,
> > > > > > > Simon
> > > > >
> > > > > Sorry for the late reply.
> > > > > We changed the internal format of the "widevine-dice" from COSE to
> > > > > X.509 recently.
> > > > > And here is the new patch with the corresponding changes.
> > > > >
> > > > > From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
> > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > >
> > > > > The necessary fields to initialize the widevine related functions in
> > > > > OP-TEE.
> > > > >
> > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > ---
> > > > > .../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
> > > > > 1 file changed, 63 insertions(+)
> > > > > create mode 100644
> > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > >
> > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > new file mode 100644
> > > > > index 0000000000000..874f62598b087
> > > > > --- /dev/null
> > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > @@ -0,0 +1,63 @@
> > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > +%YAML 1.2
> > > > > +---
> > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > +
> > > > > +title: Google Widevine initialize parameters.
> > > > > +
> > > > > +maintainers:
> > > > > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > +
> > > > > +description:
> > > > > + The necessary fields to initialize the widevine related functions in
> > > > > + OP-TEE. This node does not represent a real device, but serves as a
> > > > > + place for passing data between firmware and OP-TEE.
> > > > > +
> > > > > +properties:
> > > > > + compatible:
> > > > > + const: google,widevine
> > > >
> > > > This isn't valid json-schema as the indentation is wrong. Please test
> > > > your schema with the tools.
> > > >
> > > > > +
> > > > > + huk:
> > > >
> > > > As mentioned previously, this is too vague.
> > > >
> > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > >
> > > > Doesn't look like a string from the example.
> > > >
> > > > > + description:
> > > > > + The encryption key of the Widevine OP-TEE storage. The length
> > > > > + should be 32 bytes.
> > > >
> > > > Your example is 8 bytes.
> > > >
> > > > > +
> > > > > + tpm-auth-pk:
> > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > > + description:
> > > > > + The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > > + The format of data should be TPM2B_PUBLIC.
> > > > > +
> > > > > + rot:
> > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > > + description:
> > > > > + The Widevine root of trust secret. Used to signing the widevine
> > > > > + request in OP-TEE. The length should be 32 bytes.
> > > > > +
> > > > > + rot-cert:
> > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > > + description:
> > > > > + The X.509 certificate of the Widevine root of trust on this
> > > > > + device. Used to provision the device status with the Widevine
> > > > > + server in OP-TEE.
> > > > > +
> > > > > +required:
> > > > > + - compatible
> > > > > + - huk
> > > > > + - rot
> > > > > +
> > > > > +additionalProperties: false
> > > > > +
> > > > > +examples:
> > > > > + - |+
> > > > > + options {
> > > > > + widevine: {
> > > > > + compatible = "google,widevine";
> > > > > +
> > > > > + huk = [00 de ad be af aa bb cc],
> > > > > + rot = [00 de ad be af aa bb cc],
> > > > > + };
> > > > > + };
> > > > > --
> > > > > 2.39.2
> > > > >
> > > > > Sincerely,
> > > > > Yi
> > >
> > > Thanks for the reply, this is the new version of this patch.
> > >
> > > From 360c63617c8cd595da41b04430993b9d435b0865 Mon Sep 17 00:00:00 2001
> > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > >
> > > The necessary fields to initialize the widevine related functions in
> > > OP-TEE.
> > >
> > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > ---
> > >  .../bindings/options/google,widevine.yaml     | 68 +++++++++++++++++++
> > >  1 file changed, 68 insertions(+)
> > >  create mode 100644
> > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > >
> > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > new file mode 100644
> > > index 0000000000000..e77e9ac5be29a
> > > --- /dev/null
> > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > @@ -0,0 +1,68 @@
> > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > +%YAML 1.2
> > > +---
> > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > +
> > > +title: Google Widevine initialize parameters.
> >
> > 'initialization' would be better I think
> >
> > > +
> > > +maintainers:
> > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > +
> >
> > The property names you have used seem good to me.
> >
> > > +description:
> > > +  The necessary fields to initialize the widevine related functions in
> > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > +  place for passing data between firmware and OP-TEE.
> > > +
> > > +properties:
> > > +  compatible:
> > > +    const: google,widevine
> > > +
> > > +  hardware-unique-key:
> > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > +    description:
> > > +      The hardware unique key of the Widevine OP-TEE. It will be used
> >
> > hardware-unique key
> >
> > > +      to derive the secure storage key. The length should be 32 bytes.
> >
> > What is the format of this? Do you have a link?
> >
> > > +
> > > +  tpm-auth-public-key:
> > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > +    description:
> > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > +      The format of data should be TPM2B_PUBLIC.
> >
> > Same here. I tried to look up TPM2B_PUBLIC but didn't get very far.
> >
> > If this is omitted, what does it mean?
> >
> > > +
> > > +  root-of-trust:
> > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > +    description:
> > > +      The Widevine root of trust secret. Used to sign the widevine
> > > +      request in OP-TEE. The length should be 32 bytes.
> >
> > What is the format of this? Do you have a link?
> >
> > > +
> > > +  root-of-trust-cert:
> > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > +    description:
> > > +      The X.509 certificate of the Widevine root of trust on this
> > > +      device. Used to provision the device status with the Widevine
> > > +      server in OP-TEE.
> >
> > Which format is used for the X.509 certificate?
> >
> > If this is omitted, what does it mean?
> >
> > > +
> > > +required:
> > > +  - compatible
> > > +  - hardware-unique-key
> > > +  - root-of-trust
> > > +
> > > +additionalProperties: false
> > > +
> > > +examples:
> > > +  - |+
> > > +    options {
> > > +      widevine {
> > > +        compatible = "google,widevine";
> > > +        hardware-unique-key = /bits/ 8 <
> > > +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> > > +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> > > +        >;
> > > +        root-of-trust = /bits/ 8 <
> > > +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> > > +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> > > +        >;
> >
> > Can you please add the other fields to your example? Perhaps this
> > would be better to use the [] encoding for the bytes?
> >
> > > +      };
> > > +    };
> > > --
> > > 2.39.2
> > >
> > > Sincerely,
> > > Yi
> >
> > Regards,
> > Simon
>
> Thanks for the reply, I added more references of the format into the doc.
> And also added examples of tpm-auth-public-key and root-of-trust-cert.
>
> From fb8fa5684a36e4b59a9543691cd17e201ab9a226 Mon Sep 17 00:00:00 2001
> From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Date: Wed, 14 Jun 2023 14:49:46 +0800
> Subject: [PATCH] dt-bindings: Add Google Widevine initialization parameters
>
> The necessary fields to initialize the widevine related functions in
> OP-TEE.
>
> Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> ---
>  .../bindings/options/google,widevine.yaml     | 121 ++++++++++++++++++
>  1 file changed, 121 insertions(+)
>  create mode 100644
> Documentation/devicetree/bindings/options/google,widevine.yaml

Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>

It still isn't clear to me why some fields are optional and some not,
but at least we have the links now.

>
> diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> b/Documentation/devicetree/bindings/options/google,widevine.yaml
> new file mode 100644
> index 0000000000000..233f5756f2c48
> --- /dev/null
> +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> @@ -0,0 +1,121 @@
> +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> +%YAML 1.2
> +---
> +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> +$schema: http://devicetree.org/meta-schemas/core.yaml#
> +
> +title: Google Widevine initialization parameters.
> +
> +maintainers:
> +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> +
> +description:
> +  The necessary fields to initialize the widevine related functions in
> +  OP-TEE. This node does not represent a real device, but serves as a
> +  place for passing data between firmware and OP-TEE.
> +
> +properties:
> +  compatible:
> +    const: google,widevine
> +
> +  hardware-unique-key:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description: |
> +      The hardware-unique key of the Widevine OP-TEE. It will be used
> +      to derive the secure storage key. The length should be 32 bytes.
> +      For more information, please reference:
> +      https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key
> +
> +  tpm-auth-public-key:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description: |
> +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> +      The format of data should be TPM2B_PUBLIC.
> +      For more information, please reference the 12.2.5 section:
> +      https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf
> +
> +  root-of-trust:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description: |
> +      The Widevine root of trust secret. Used to sign the widevine
> +      request in OP-TEE. The length should be 32 bytes. The value
> +      is an ECC NIST P-256 scalar.
> +      For more information, please reference the G.1.2 section:
> +      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
> +
> +  root-of-trust-cert:
> +    $ref: /schemas/types.yaml#/definitions/uint8-array
> +    description: |
> +      The X.509 certificate of the Widevine root of trust on this
> +      device. Used to provision the device status with the Widevine
> +      server in OP-TEE.
> +      For more information, please reference:
> +      https://www.itu.int/rec/T-REC-X.509
> +
> +required:
> +  - compatible
> +  - hardware-unique-key
> +  - root-of-trust
> +
> +additionalProperties: false
> +
> +examples:
> +  - |+
> +    options {
> +      widevine {
> +        compatible = "google,widevine";
> +        hardware-unique-key = [
> +          12 f7 98 d2 0e d2 85 92 a5 82 bf 98 b8 99 2b c0
> +          c6 6f 19 85 79 86 65 18 55 eb ff 9b 6c c0 ac 27
> +        ];
> +        tpm-auth-public-key = [
> +          00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27
> +          e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81
> +          b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10
> +          00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0
> +          ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03
> +          2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34
> +          5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9
> +          cf fc ab f8 30 e9 de 51
> +        ];
> +        root-of-trust = [
> +          ac 0d 86 c3 d7 b5 b7 a2 6f c3 d9 93 f7 de bc bb
> +          d5 c4 25 9b 21 5f 36 af b5 dd 6d 29 9d 08 c0 10
> +        ];
> +        root-of-trust-cert = [
> +          30 82 01 f4 30 82 01 9b a0 03 02 01 02 02 10 11
> +          01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 30
> +          0a 06 08 2a 86 48 ce 3d 04 03 02 30 0f 31 0d 30
> +          0b 06 03 55 04 03 0c 04 54 69 35 30 30 22 18 0f
> +          32 30 30 30 30 31 30 31 30 30 30 30 30 30 5a 18
> +          0f 32 30 39 39 31 32 33 31 32 33 35 39 35 39 5a
> +          30 0f 31 0d 30 0b 06 03 55 04 03 0c 04 54 69 35
> +          30 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08
> +          2a 86 48 ce 3d 03 01 07 03 42 00 04 ec ef cb 0c
> +          68 7e 30 f4 d5 8f 2c 88 16 f4 7f b5 8b 5b 06 77
> +          d7 47 fe 1e 91 4c a3 c5 a1 54 f5 40 9c f8 a5 4e
> +          85 a0 fa 05 1a 01 98 da e4 b1 e5 ff 95 0d cf 8f
> +          d9 c1 ce 28 0f 91 75 ca 06 e4 91 3b a3 81 d4 30
> +          81 d1 30 1a 06 0a 2b 06 01 04 01 d6 79 02 01 21
> +          04 0c 5a 53 5a 56 a5 ac a5 a9 7f 7f 00 00 30 0f
> +          06 0a 2b 06 01 04 01 d6 79 02 01 22 04 01 21 30
> +          2e 06 0a 2b 06 01 04 01 d6 79 02 01 23 04 20 23
> +          e1 4d d9 bb 51 a5 0e 16 91 1f 7e 11 df 1e 1a af
> +          0b 17 13 4d c7 39 c5 65 36 07 a1 ec 8d d3 7a 30
> +          2e 06 0a 2b 06 01 04 01 d6 79 02 01 24 04 20 00
> +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
> +          2e 06 0a 2b 06 01 04 01 d6 79 02 01 25 04 20 00
> +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
> +          12 06 0a 2b 06 01 04 01 d6 79 02 01 26 04 04 00
> +          00 00 00 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03
> +          47 00 30 44 02 20 62 a8 d3 23 db 1e 9c 64 91 49
> +          45 5e b3 49 8d cc 1a ae 76 70 e3 12 d2 25 65 69
> +          df f1 7e bc 4b d8 02 20 25 99 7c 36 cb b3 fd ce
> +          6e 84 ee d7 ea eb 05 cf 69 cf 72 75 20 f3 ba 7f
> +          8b 9f 06 f3 e4 11 bc cd
> +        ];
> +      };
> +    };
> --
> 2.39.2
>
> Sincerely,
> Yi

Regards,
Simon

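The tpm-auth-public-key bytes in the example quoted above are a TPM2B_PUBLIC structure, the format the binding names (TPM 2.0 Library Part 2, section 12.2.5). The Python below is an added illustration, not code from the patch or from OP-TEE or TF-A: it decodes that sample value and checks the invariants a consumer in the TEE should verify before handing the key to a TPM session. The algorithm ids and TPMA_OBJECT bit positions are taken from the TPM 2.0 Part 2 tables; the parser deliberately accepts only the TPM_ALG_NULL forms of the symmetric, scheme and kdf fields, because a non-NULL value is followed by extra fields and a parser that guessed past them would silently misread the key.

```python
import re
import struct

# Algorithm ids and TPMA_OBJECT bit positions from TPM 2.0 Library Part 2 (Structures).
TPM_ALG_ECC, TPM_ALG_SHA256, TPM_ALG_NULL, TPM_ECC_NIST_P256 = 0x0023, 0x000B, 0x0010, 0x0003
TPMA_OBJECT = {"fixedTPM": 1 << 1, "fixedParent": 1 << 4, "sensitiveDataOrigin": 1 << 5,
               "userWithAuth": 1 << 6, "adminWithPolicy": 1 << 7, "noDA": 1 << 10,
               "restricted": 1 << 16, "decrypt": 1 << 17, "sign": 1 << 18}


def dt_bytes(literal):
    """Decode a DTS byte-array literal body such as '12 f7 98 ...' (brackets optional)."""
    return bytes.fromhex(re.sub(r"[\[\];\s]", "", literal))


def parse_tpm2b_public(raw):
    """Parse TPM2B_PUBLIC (uint16 size || TPMT_PUBLIC) describing an ECC key.

    Every length is checked against the buffer and any inconsistency raises
    ValueError, so a malformed property is rejected rather than half-decoded.
    """
    pos = 0

    def take(fmt):  # one big-endian fixed-size field
        nonlocal pos
        try:
            (value,) = struct.unpack_from(fmt, raw, pos)
        except struct.error as err:
            raise ValueError(f"TPM2B_PUBLIC truncated at offset {pos}") from err
        pos += struct.calcsize(fmt)
        return value

    def tpm2b():  # TPM2B_*: uint16 size followed by that many bytes
        nonlocal pos
        n = take(">H")
        if pos + n > len(raw):
            raise ValueError(f"TPM2B field at offset {pos - 2} runs past the buffer")
        pos += n
        return raw[pos - n:pos]

    if take(">H") != len(raw) - 2:
        raise ValueError("size field does not match the property length")
    key_type, name_alg, attrs = take(">H"), take(">H"), take(">I")
    auth_policy = tpm2b()
    if key_type != TPM_ALG_ECC:
        raise ValueError(f"expected a TPM_ALG_ECC key, got type 0x{key_type:04x}")
    # TPMS_ECC_PARMS = symmetric, scheme, curveID, kdf. A non-NULL symmetric, scheme
    # or kdf is followed by extra fields, so each is checked before the next is read.
    if take(">H") != TPM_ALG_NULL:
        raise ValueError("non-NULL symmetric definition is not handled")
    if take(">H") != TPM_ALG_NULL:
        raise ValueError("non-NULL signing scheme is not handled")
    curve = take(">H")
    if take(">H") != TPM_ALG_NULL:
        raise ValueError("non-NULL kdf scheme is not handled")
    x, y = tpm2b(), tpm2b()  # TPMS_ECC_POINT
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing bytes after TPMT_PUBLIC")
    if curve == TPM_ECC_NIST_P256 and (len(x), len(y)) != (32, 32):
        raise ValueError("P-256 coordinates must be 32 bytes each")
    return {"type": key_type, "nameAlg": name_alg, "curve": curve,
            "attrs": sorted(name for name, bit in TPMA_OBJECT.items() if attrs & bit),
            "authPolicy": auth_policy.hex(), "x": x.hex(), "y": y.hex()}


# Sample value copied from the binding's example node (constructed test data, not a real key).
SAMPLE_TPM_AUTH_PUBLIC_KEY = dt_bytes("""
    00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27
    e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81
    b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10
    00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0
    ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03
    2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34
    5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9
    cf fc ab f8 30 e9 de 51
""")


def describe_sample():
    """Decode the sample key; entry point for the usage below."""
    return parse_tpm2b_public(SAMPLE_TPM_AUTH_PUBLIC_KEY)


if __name__ == "__main__":
    for field, value in describe_sample().items():
        print(f"{field}: {value}")
```

Run as a script it prints the decoded fields: for the sample, an ECC key on TPM_ECC_NIST_P256 with nameAlg SHA-256, an empty-scheme (TPM_ALG_NULL) decrypt key whose TPMA_OBJECT attributes are fixedTPM, fixedParent, sensitiveDataOrigin, adminWithPolicy, noDA and decrypt, plus the 32-byte authPolicy digest and the two point coordinates. The attribute set is worth reading before trusting a provisioned key: adminWithPolicy without userWithAuth means the key's authorization is policy-driven, which is what the authPolicy field is there for.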

* Re: Device tree usage in TF-A & OP-Tee consultation
       [not found]                                                     ` <CAPnjgZ3b7vXTUVdTYVNP=k8dGqNu9-pnLUV-jLJ-taa01MThOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2023-08-16  5:34                                                       ` Yi Chou
  0 siblings, 0 replies; 16+ messages in thread
From: Yi Chou @ 2023-08-16  5:34 UTC (permalink / raw)
  To: Simon Glass
  Cc: Rob Herring, Julius Werner,
	devicetree-spec-u79uwXL29TY76Z2rM5mHXA, Jeffrey Kardatzke,
	Jens Wiklander, Yi Chou, Yi-An Chen

On Wed, Aug 16, 2023 at 9:57 AM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
>
> Hi Yi,
>
> On Tue, 15 Aug 2023 at 17:58, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> >
> > On Tue, Aug 15, 2023 at 10:44 PM Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > >
> > > Hi,
> > >
> > > On Thu, 10 Aug 2023 at 01:39, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > >
> > > > > On Wed, Aug 9, 2023 at 10:58 PM Rob Herring <robh-DgEjT+Ai2yhQFI55V6+gNQ@public.gmane.org> wrote:
> > > > >
> > > > > On Tue, Aug 8, 2023 at 2:08 AM Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > > >
> > > > > > On Wed, Jul 26, 2023 at 12:37 AM Rob Herring <robh@kernel.org> wrote:
> > > > > > >
> > > > > > > On Tue, Jul 25, 2023 at 8:52 AM Simon Glass <sjg@chromium.org> wrote:
> > > > > > > >
> > > > > > > > On Mon, 24 Jul 2023 at 04:02, Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> wrote:
> > > > > > > > >
> > > > > > > > > Sorry for the late reply,
> > > > > > > > > this is the new version that moved the bindings to the /options node.
> > > > > > > > >
> > > > > > > > > From 1662ec6c6a9cbb07d83157ad9411897b4acaf1f0 Mon Sep 17 00:00:00 2001
> > > > > > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > > > > > >
> > > > > > > > > The necessary fields to initialize the widevine related functions in
> > > > > > > > > OP-TEE.
> > > > > > > > >
> > > > > > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > > > > ---
> > > > > > > > >  .../bindings/options/google,widevine.yaml     | 61 +++++++++++++++++++
> > > > > > > > >  1 file changed, 61 insertions(+)
> > > > > > > > >  create mode 100644
> > > > > > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > >
> > > > > > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > > new file mode 100644
> > > > > > > > > index 0000000000000..acfc96d162c88
> > > > > > > > > --- /dev/null
> > > > > > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > > > > @@ -0,0 +1,61 @@
> > > > > > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > > > > > +%YAML 1.2
> > > > > > > > > +---
> > > > > > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > > > > > +
> > > > > > > > > +title: Google Widevine initialize parameters.
> > > > > > > > > +
> > > > > > > > > +maintainers:
> > > > > > > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > > > > +
> > > > > > > > > +description:
> > > > > > > > > +  The necessary fields to initialize the widevine related functions in
> > > > > > > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > > > > > > +  place for passing data between firmware and OP-TEE.
> > > > > > > > > +
> > > > > > > > > +properties:
> > > > > > > > > +  compatible:
> > > > > > > > > +    const: google,widevine
> > > > > > > > > +
> > > > > > > > > +  huk:
> > > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > > +    description:
> > > > > > > > > +      The encryption key of the Widevine OP-TEE storage.
> > > > > > > > > +
> > > > > > > > > +  tpm-auth-pk:
> > > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > > +    description:
> > > > > > > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > > > > >
> > > > > > > > Can you add more details about this key. What format is it in? How is
> > > > > > > > it created?
> > > > > > > >
> > > > > > > > > +
> > > > > > > > > +  widevine-dice:
> > > > > > > >
> > > > > > > > We should avoid the 'widevine-' prefix since it is already this node.
> > > > > > >
> > > > > > > Yes, but then 'dice' is pretty vague. It is preferred that property
> > > > > > > names are unique enough to only have 1 type globally (at least within
> > > > > > > a defined size). This allows using the schemas to decode DT data.
> > > > > > >
> > > > > > > >
> > > > > > > > I don't know what the words mean in the description, so I cannot offer
> > > > > > > > a better idea.
> > > > > > > >
> > > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > > +    description:
> > > > > > > > > +      The Widevine boot certificate chain(Device Identifier Composition
> > > > > > > > > +      Engine) of this device. Used to provision the device status with
> > > > > > > > > +      the Widevine server in OP-TEE.
> > > > > > > >
> > > > > > > > Ditto
> > > > > > > >
> > > > > > > > > +
> > > > > > > > > +  widevine-ta-key:
> > > > > > > >
> > > > > > > > As above
> > > > > > > > > +    $ref: /schemas/types.yaml#/definitions/string
> > > > > > > > > +    description:
> > > > > > > > > +      The Widevine private key corresponding to the widevine-dice.
> > > > > > > > > +      Used to signing the widevine request in OP-TEE.
> > > > > > > >
> > > > > > > > Again, more details please
> > > > > > > >
> > > > > > > > > +
> > > > > > > > > +required:
> > > > > > > > > +  - compatible
> > > > > > >
> > > > > > > What's the point of this binding if none of the other properties are required?
> > > > > > >
> > > > > > > > > +
> > > > > > > > > +additionalProperties: false
> > > > > > > > > +
> > > > > > > > > +examples:
> > > > > > > > > +  - |+
> > > > > > > > > +    options {
> > > > > > > > > +      widevine: {
> > > > > > > > > +        compatible = "google,widevine";
> > > > > > > > > +
> > > > > > > > > +        huk = [00 de ad be af aa bb cc],
> > > > > > > > > +        tpm-auth-pk = [00 de ad be af aa bb cc],
> > > > > > > > > +        widevine-dice = [00 de ad be af aa bb cc],
> > > > > > > > > +        widevine-ta-key = [00 de ad be af aa bb cc],
> > > > > > > > > +      };
> > > > > > > > > +    };
> > > > > > > > > --
> > > > > > > > > 2.39.2
> > > > > > > > >
> > > > > > > >
> > > > > > > > [..]
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Simon
> > > > > >
> > > > > > Sorry for the late reply.
> > > > > > We changed the internal format of the "widevine-dice" from COSE to
> > > > > > X.509 recently.
> > > > > > And here is the new patch with the corresponding changes.
> > > > > >
> > > > > > From 9f754c8872c411e3e4216a181b4028875f1f54fc Mon Sep 17 00:00:00 2001
> > > > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > > > >
> > > > > > The necessary fields to initialize the widevine related functions in
> > > > > > OP-TEE.
> > > > > >
> > > > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > > > ---
> > > > > > .../bindings/options/google,widevine.yaml | 63 +++++++++++++++++++
> > > > > > 1 file changed, 63 insertions(+)
> > > > > > create mode 100644
> > > > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > >
> > > > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > new file mode 100644
> > > > > > index 0000000000000..874f62598b087
> > > > > > --- /dev/null
> > > > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > > > @@ -0,0 +1,63 @@
> > > > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > > > +%YAML 1.2
> > > > > > +---
> > > > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > > > +
> > > > > > +title: Google Widevine initialize parameters.
> > > > > > +
> > > > > > +maintainers:
> > > > > > + - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > + - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > > > +
> > > > > > +description:
> > > > > > + The necessary fields to initialize the widevine related functions in
> > > > > > + OP-TEE. This node does not represent a real device, but serves as a
> > > > > > + place for passing data between firmware and OP-TEE.
> > > > > > +
> > > > > > +properties:
> > > > > > + compatible:
> > > > > > + const: google,widevine
> > > > >
> > > > > This isn't valid json-schema as the indentation is wrong. Please test
> > > > > your schema with the tools.
> > > > >
> > > > > > +
> > > > > > + huk:
> > > > >
> > > > > As mentioned previously, this is too vague.
> > > > >
> > > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > >
> > > > > Doesn't look like a string from the example.
> > > > >
> > > > > > + description:
> > > > > > + The encryption key of the Widevine OP-TEE storage. The length
> > > > > > + should be 32 bytes.
> > > > >
> > > > > Your example is 8 bytes.
> > > > >
> > > > > > +
> > > > > > + tpm-auth-pk:
> > > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > > > + description:
> > > > > > + The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > > > + The format of data should be TPM2B_PUBLIC.
> > > > > > +
> > > > > > + rot:
> > > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > > > + description:
> > > > > > + The Widevine root of trust secret. Used to signing the widevine
> > > > > > + request in OP-TEE. The length should be 32 bytes.
> > > > > > +
> > > > > > + rot-cert:
> > > > > > + $ref: /schemas/types.yaml#/definitions/string
> > > > > > + description:
> > > > > > + The X.509 certificate of the Widevine root of trust on this
> > > > > > + device. Used to provision the device status with the Widevine
> > > > > > + server in OP-TEE.
> > > > > > +
> > > > > > +required:
> > > > > > + - compatible
> > > > > > + - huk
> > > > > > + - rot
> > > > > > +
> > > > > > +additionalProperties: false
> > > > > > +
> > > > > > +examples:
> > > > > > + - |+
> > > > > > + options {
> > > > > > + widevine: {
> > > > > > + compatible = "google,widevine";
> > > > > > +
> > > > > > + huk = [00 de ad be af aa bb cc],
> > > > > > + rot = [00 de ad be af aa bb cc],
> > > > > > + };
> > > > > > + };
> > > > > > --
> > > > > > 2.39.2
> > > > > >
> > > > > > Sincerely,
> > > > > > Yi
> > > >
> > > > Thanks for the reply, this is the new version of this patch.
> > > >
> > > > From 360c63617c8cd595da41b04430993b9d435b0865 Mon Sep 17 00:00:00 2001
> > > > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > > > Subject: [PATCH] dt-bindings: Add Google Widevine initialize parameters
> > > >
> > > > The necessary fields to initialize the widevine related functions in
> > > > OP-TEE.
> > > >
> > > > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > > > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > > > ---
> > > >  .../bindings/options/google,widevine.yaml     | 68 +++++++++++++++++++
> > > >  1 file changed, 68 insertions(+)
> > > >  create mode 100644
> > > > Documentation/devicetree/bindings/options/google,widevine.yaml
> > > >
> > > > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > new file mode 100644
> > > > index 0000000000000..e77e9ac5be29a
> > > > --- /dev/null
> > > > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > > > @@ -0,0 +1,68 @@
> > > > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > > > +%YAML 1.2
> > > > +---
> > > > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > > > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > > > +
> > > > +title: Google Widevine initialize parameters.
> > >
> > > 'initialization' would be better I think
> > >
> > > > +
> > > > +maintainers:
> > > > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > > > +
> > >
> > > The property names you have used seem good to me.
> > >
> > > > +description:
> > > > +  The necessary fields to initialize the widevine related functions in
> > > > +  OP-TEE. This node does not represent a real device, but serves as a
> > > > +  place for passing data between firmware and OP-TEE.
> > > > +
> > > > +properties:
> > > > +  compatible:
> > > > +    const: google,widevine
> > > > +
> > > > +  hardware-unique-key:
> > > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > > +    description:
> > > > +      The hardware unique key of the Widevine OP-TEE. It will be used
> > >
> > > hardware-unique key
> > >
> > > > +      to derive the secure storage key. The length should be 32 bytes.
> > >
> > > What is the format of this? Do you have a link?
> > >
> > > > +
> > > > +  tpm-auth-public-key:
> > > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > > +    description:
> > > > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > > > +      The format of data should be TPM2B_PUBLIC.
> > >
> > > Same here. I tried to look up TPM2B_PUBLIC but didn't get very far.
> > >
> > > If this is omitted, what does it mean?
> > >
> > > > +
> > > > +  root-of-trust:
> > > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > > +    description:
> > > > +      The Widevine root of trust secret. Used to sign the widevine
> > > > +      request in OP-TEE. The length should be 32 bytes.
> > >
> > > What is the format of this? Do you have a link?
> > >
> > > > +
> > > > +  root-of-trust-cert:
> > > > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > > > +    description:
> > > > +      The X.509 certificate of the Widevine root of trust on this
> > > > +      device. Used to provision the device status with the Widevine
> > > > +      server in OP-TEE.
> > >
> > > Which format is used for the X.509 certificate?
> > >
> > > If this is omitted, what does it mean?
> > >
> > > > +
> > > > +required:
> > > > +  - compatible
> > > > +  - hardware-unique-key
> > > > +  - root-of-trust
> > > > +
> > > > +additionalProperties: false
> > > > +
> > > > +examples:
> > > > +  - |+
> > > > +    options {
> > > > +      widevine {
> > > > +        compatible = "google,widevine";
> > > > +        hardware-unique-key = /bits/ 8 <
> > > > +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> > > > +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> > > > +        >;
> > > > +        root-of-trust = /bits/ 8 <
> > > > +          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
> > > > +          6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> > > > +        >;
> > >
> > > Can you please add the other fields to your example? Perhaps this
> > > would be better to use the [] encoding for the bytes?
> > >
> > > > +      };
> > > > +    };
> > > > --
> > > > 2.39.2
> > > >
> > > > Sincerely,
> > > > Yi
> > >
> > > Regards,
> > > Simon
> >
> > Thanks for the reply, I added more references of the format into the doc.
> > And also added examples of tpm-auth-public-key and root-of-trust-cert.
> >
> > From fb8fa5684a36e4b59a9543691cd17e201ab9a226 Mon Sep 17 00:00:00 2001
> > From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > Date: Wed, 14 Jun 2023 14:49:46 +0800
> > Subject: [PATCH] dt-bindings: Add Google Widevine initialization parameters
> >
> > The necessary fields to initialize the widevine related functions in
> > OP-TEE.
> >
> > Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
> > Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > ---
> >  .../bindings/options/google,widevine.yaml     | 121 ++++++++++++++++++
> >  1 file changed, 121 insertions(+)
> >  create mode 100644
> > Documentation/devicetree/bindings/options/google,widevine.yaml
>
> Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
>
> It still isn't clear to me why some fields are optional and some not,
> but at least we have the links now.
>
> >
> > diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
> > b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > new file mode 100644
> > index 0000000000000..233f5756f2c48
> > --- /dev/null
> > +++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
> > @@ -0,0 +1,121 @@
> > +# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > +%YAML 1.2
> > +---
> > +$id: http://devicetree.org/schemas/options/google,widevine.yaml#
> > +$schema: http://devicetree.org/meta-schemas/core.yaml#
> > +
> > +title: Google Widevine initialization parameters.
> > +
> > +maintainers:
> > +  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> > +
> > +description:
> > +  The necessary fields to initialize the widevine related functions in
> > +  OP-TEE. This node does not represent a real device, but serves as a
> > +  place for passing data between firmware and OP-TEE.
> > +
> > +properties:
> > +  compatible:
> > +    const: google,widevine
> > +
> > +  hardware-unique-key:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description: |
> > +      The hardware-unique key of the Widevine OP-TEE. It will be used
> > +      to derive the secure storage key. The length should be 32 bytes.
> > +      For more information, please reference:
> > +      https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key
> > +
> > +  tpm-auth-public-key:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description: |
> > +      The TPM auth public key. Used to communicate the TPM from OP-TEE.
> > +      The format of data should be TPM2B_PUBLIC.
> > +      For more information, please reference the 12.2.5 section:
> > +      https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf
> > +
> > +  root-of-trust:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description: |
> > +      The Widevine root of trust secret. Used to sign the widevine
> > +      request in OP-TEE. The length should be 32 bytes. The value
> > +      is an ECC NIST P-256 scalar.
> > +      For more information, please reference the G.1.2 section:
> > +      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
> > +
> > +  root-of-trust-cert:
> > +    $ref: /schemas/types.yaml#/definitions/uint8-array
> > +    description: |
> > +      The X.509 certificate of the Widevine root of trust on this
> > +      device. Used to provision the device status with the Widevine
> > +      server in OP-TEE.
> > +      For more information, please reference:
> > +      https://www.itu.int/rec/T-REC-X.509
> > +
> > +required:
> > +  - compatible
> > +  - hardware-unique-key
> > +  - root-of-trust
> > +
> > +additionalProperties: false
> > +
> > +examples:
> > +  - |+
> > +    options {
> > +      widevine {
> > +        compatible = "google,widevine";
> > +        hardware-unique-key = [
> > +          12 f7 98 d2 0e d2 85 92 a5 82 bf 98 b8 99 2b c0
> > +          c6 6f 19 85 79 86 65 18 55 eb ff 9b 6c c0 ac 27
> > +        ];
> > +        tpm-auth-public-key = [
> > +          00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27
> > +          e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81
> > +          b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10
> > +          00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0
> > +          ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03
> > +          2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34
> > +          5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9
> > +          cf fc ab f8 30 e9 de 51
> > +        ];
> > +        root-of-trust = [
> > +          ac 0d 86 c3 d7 b5 b7 a2 6f c3 d9 93 f7 de bc bb
> > +          d5 c4 25 9b 21 5f 36 af b5 dd 6d 29 9d 08 c0 10
> > +        ];
> > +        root-of-trust-cert = [
> > +          30 82 01 f4 30 82 01 9b a0 03 02 01 02 02 10 11
> > +          01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 30
> > +          0a 06 08 2a 86 48 ce 3d 04 03 02 30 0f 31 0d 30
> > +          0b 06 03 55 04 03 0c 04 54 69 35 30 30 22 18 0f
> > +          32 30 30 30 30 31 30 31 30 30 30 30 30 30 5a 18
> > +          0f 32 30 39 39 31 32 33 31 32 33 35 39 35 39 5a
> > +          30 0f 31 0d 30 0b 06 03 55 04 03 0c 04 54 69 35
> > +          30 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08
> > +          2a 86 48 ce 3d 03 01 07 03 42 00 04 ec ef cb 0c
> > +          68 7e 30 f4 d5 8f 2c 88 16 f4 7f b5 8b 5b 06 77
> > +          d7 47 fe 1e 91 4c a3 c5 a1 54 f5 40 9c f8 a5 4e
> > +          85 a0 fa 05 1a 01 98 da e4 b1 e5 ff 95 0d cf 8f
> > +          d9 c1 ce 28 0f 91 75 ca 06 e4 91 3b a3 81 d4 30
> > +          81 d1 30 1a 06 0a 2b 06 01 04 01 d6 79 02 01 21
> > +          04 0c 5a 53 5a 56 a5 ac a5 a9 7f 7f 00 00 30 0f
> > +          06 0a 2b 06 01 04 01 d6 79 02 01 22 04 01 21 30
> > +          2e 06 0a 2b 06 01 04 01 d6 79 02 01 23 04 20 23
> > +          e1 4d d9 bb 51 a5 0e 16 91 1f 7e 11 df 1e 1a af
> > +          0b 17 13 4d c7 39 c5 65 36 07 a1 ec 8d d3 7a 30
> > +          2e 06 0a 2b 06 01 04 01 d6 79 02 01 24 04 20 00
> > +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
> > +          2e 06 0a 2b 06 01 04 01 d6 79 02 01 25 04 20 00
> > +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > +          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
> > +          12 06 0a 2b 06 01 04 01 d6 79 02 01 26 04 04 00
> > +          00 00 00 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03
> > +          47 00 30 44 02 20 62 a8 d3 23 db 1e 9c 64 91 49
> > +          45 5e b3 49 8d cc 1a ae 76 70 e3 12 d2 25 65 69
> > +          df f1 7e bc 4b d8 02 20 25 99 7c 36 cb b3 fd ce
> > +          6e 84 ee d7 ea eb 05 cf 69 cf 72 75 20 f3 ba 7f
> > +          8b 9f 06 f3 e4 11 bc cd
> > +        ];
> > +      };
> > +    };
> > --
> > 2.39.2
> >
> > Sincerely,
> > Yi
>
> Regards,
> Simon

Thanks, I added a small section about why those public fields can be
ignored in the description.
We might want to omit those public fields to improve the boot time in
the future.

From 39975741d2a7380aa65e43a449af90d496e800cf Mon Sep 17 00:00:00 2001
From: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Date: Wed, 14 Jun 2023 14:49:46 +0800
Subject: [PATCH] dt-bindings: Add Google Widevine initialization parameters

The necessary fields to initialize the widevine related functions in
OP-TEE.

Change-Id: Iceb6c533bcb60034e811d4fdf9310d9df48507de
Signed-off-by: Yi Chou <yich-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Reviewed-by: Simon Glass <sjg-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
---
 .../bindings/options/google,widevine.yaml     | 124 ++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644
Documentation/devicetree/bindings/options/google,widevine.yaml

diff --git a/Documentation/devicetree/bindings/options/google,widevine.yaml
b/Documentation/devicetree/bindings/options/google,widevine.yaml
new file mode 100644
index 0000000000000..8e1f0a252b18c
--- /dev/null
+++ b/Documentation/devicetree/bindings/options/google,widevine.yaml
@@ -0,0 +1,124 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/options/google,widevine.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Google Widevine initialization parameters.
+
+maintainers:
+  - Jeffrey Kardatzke <jkardatzke-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+  - Yi Chou <yich-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
+
+description:
+  The necessary fields to initialize the widevine related functions in
+  OP-TEE. This node does not represent a real device, but serves as a
+  place for passing data between firmware and OP-TEE.
+  The public fields (e.g. tpm-auth-public-key & root-of-trust-cert) can
+  be ignored because it's safe to pass the public information with the
+  other methods(e.g. userland OP-TEE plugins).
+
+properties:
+  compatible:
+    const: google,widevine
+
+  hardware-unique-key:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The hardware-unique key of the Widevine OP-TEE. It will be used
+      to derive the secure storage key. The length should be 32 bytes.
+      For more information, please reference:
+      https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#hardware-unique-key
+
+  tpm-auth-public-key:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The TPM auth public key. Used to communicate the TPM from OP-TEE.
+      The format of data should be TPM2B_PUBLIC.
+      For more information, please reference the 12.2.5 section:
+      https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part2_Structures_pub.pdf
+
+  root-of-trust:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The Widevine root of trust secret. Used to sign the widevine
+      request in OP-TEE. The length should be 32 bytes. The value
+      is an ECC NIST P-256 scalar.
+      For more information, please reference the G.1.2 section:
+      https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
+
+  root-of-trust-cert:
+    $ref: /schemas/types.yaml#/definitions/uint8-array
+    description: |
+      The X.509 certificate of the Widevine root of trust on this
+      device. Used to provision the device status with the Widevine
+      server in OP-TEE.
+      For more information, please reference:
+      https://www.itu.int/rec/T-REC-X.509
+
+required:
+  - compatible
+  - hardware-unique-key
+  - root-of-trust
+
+additionalProperties: false
+
+examples:
+  - |+
+    options {
+      widevine {
+        compatible = "google,widevine";
+        hardware-unique-key = [
+          12 f7 98 d2 0e d2 85 92 a5 82 bf 98 b8 99 2b c0
+          c6 6f 19 85 79 86 65 18 55 eb ff 9b 6c c0 ac 27
+        ];
+        tpm-auth-public-key = [
+          00 76 00 23 00 0b 00 02 04 b2 00 20 e1 47 bf 27
+          e1 74 30 c8 16 ab 72 4d 5c 77 e1 5c 61 2d 56 81
+          b3 35 cd 9d eb 67 41 37 69 f0 32 41 00 10 00 10
+          00 03 00 10 00 20 70 9a df 50 f9 0f d5 f4 40 e0
+          ea 2c e8 f2 26 9f 0e 5c 02 70 16 c3 6c c1 83 03
+          2d 04 10 bd 85 7a 00 20 83 03 c2 66 6e 01 32 34
+          5c 5e 80 22 c7 48 24 3c 70 6b b8 e4 24 42 74 a9
+          cf fc ab f8 30 e9 de 51
+        ];
+        root-of-trust = [
+          ac 0d 86 c3 d7 b5 b7 a2 6f c3 d9 93 f7 de bc bb
+          d5 c4 25 9b 21 5f 36 af b5 dd 6d 29 9d 08 c0 10
+        ];
+        root-of-trust-cert = [
+          30 82 01 f4 30 82 01 9b a0 03 02 01 02 02 10 11
+          01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 30
+          0a 06 08 2a 86 48 ce 3d 04 03 02 30 0f 31 0d 30
+          0b 06 03 55 04 03 0c 04 54 69 35 30 30 22 18 0f
+          32 30 30 30 30 31 30 31 30 30 30 30 30 30 5a 18
+          0f 32 30 39 39 31 32 33 31 32 33 35 39 35 39 5a
+          30 0f 31 0d 30 0b 06 03 55 04 03 0c 04 54 69 35
+          30 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08
+          2a 86 48 ce 3d 03 01 07 03 42 00 04 ec ef cb 0c
+          68 7e 30 f4 d5 8f 2c 88 16 f4 7f b5 8b 5b 06 77
+          d7 47 fe 1e 91 4c a3 c5 a1 54 f5 40 9c f8 a5 4e
+          85 a0 fa 05 1a 01 98 da e4 b1 e5 ff 95 0d cf 8f
+          d9 c1 ce 28 0f 91 75 ca 06 e4 91 3b a3 81 d4 30
+          81 d1 30 1a 06 0a 2b 06 01 04 01 d6 79 02 01 21
+          04 0c 5a 53 5a 56 a5 ac a5 a9 7f 7f 00 00 30 0f
+          06 0a 2b 06 01 04 01 d6 79 02 01 22 04 01 21 30
+          2e 06 0a 2b 06 01 04 01 d6 79 02 01 23 04 20 23
+          e1 4d d9 bb 51 a5 0e 16 91 1f 7e 11 df 1e 1a af
+          0b 17 13 4d c7 39 c5 65 36 07 a1 ec 8d d3 7a 30
+          2e 06 0a 2b 06 01 04 01 d6 79 02 01 24 04 20 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
+          2e 06 0a 2b 06 01 04 01 d6 79 02 01 25 04 20 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30
+          12 06 0a 2b 06 01 04 01 d6 79 02 01 26 04 04 00
+          00 00 00 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03
+          47 00 30 44 02 20 62 a8 d3 23 db 1e 9c 64 91 49
+          45 5e b3 49 8d cc 1a ae 76 70 e3 12 d2 25 65 69
+          df f1 7e bc 4b d8 02 20 25 99 7c 36 cb b3 fd ce
+          6e 84 ee d7 ea eb 05 cf 69 cf 72 75 20 f3 ba 7f
+          8b 9f 06 f3 e4 11 bc cd
+        ];
+      };
+    };
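Review bot: `hardware-unique-key` and `root-of-trust` both say "The length should be 32 bytes" but nothing in the schema enforces it; add `minItems: 32` and `maxItems: 32` under each so `dt_binding_check` rejects a wrong-sized value at build time instead of leaving it to OP-TEE at boot (the two public properties are variable-length structures and need no such bound). Two points on the description: since the node carries secrets and is described as "passing data between firmware and OP-TEE", state which DT the node is expected to live in and that it must not be present in the DT handed to the non-secure OS; and the new sentence reads better as "The public fields (tpm-auth-public-key and root-of-trust-cert) may be omitted, because public data can safely be passed by other means, such as userland OP-TEE plugins" (note also the missing space in "methods(e.g.").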

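The two required properties are secrets (a 32-byte hardware-unique key and a P-256 private scalar), and the optional root-of-trust-cert is a DER X.509 certificate. As an added example, not code from the patch, OP-TEE or TF-A, the following Python takes the values from the binding's example node and runs the checks a consumer should run before using any of them: the fixed lengths the descriptions promise, that root-of-trust is actually in the P-256 scalar range (zero or a value at or above the group order gives a useless or malformed key), and that the certificate's DER framing is consistent (an outer SEQUENCE spanning exactly the property, the three top-level parts, and a v3 TBSCertificate whose subject key is an uncompressed prime256v1 point). The DER walker is a minimal one written for this example and does not verify the signature; checking that the certified public key matches root-of-trust would need EC point multiplication and is left out. The hex constants are the example node's bytes reformatted.

```python
import re

# NIST P-256 group order n (SP 800-186, G.1.2): a private scalar must lie in [1, n-1].
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
OID_EC_PUBKEY, OID_P256 = "1.2.840.10045.2.1", "1.2.840.10045.3.1.7"

def dt_bytes(literal):
    """Decode a DTS byte-array literal body such as '12 f7 98 ...' (brackets optional)."""
    return bytes.fromhex(re.sub(r"[\[\];\s]", "", literal))

def check_p256_scalar(raw):
    """root-of-trust: 32 big-endian bytes that must be a usable P-256 private scalar."""
    d = int.from_bytes(raw, "big")
    if len(raw) != 32 or not 1 <= d < P256_ORDER:
        raise ValueError("root-of-trust is not a 32-byte P-256 scalar in [1, n-1]")
    return d

def der_tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, end); rejects non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if not 1 <= k <= 4 or n < 0x80 or (k > 1 and n < 1 << (8 * (k - 1))):
            raise ValueError("bad or non-minimal DER length")
    if pos + n > len(buf):
        raise ValueError("DER element runs past the buffer")
    return tag, buf[pos:pos + n], pos + n

def der_children(buf):
    """Split a constructed DER value into its (tag, value) children, consuming it exactly."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted form of a DER OID value (first byte packs two arcs, the rest are base-128)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_cert(raw):
    """Check the DER framing of root-of-trust-cert (v3, not signature-verified) and extract fields."""
    tag, body, end = der_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("outer SEQUENCE must span the whole property")
    parts = der_children(body)  # Certificate ::= SEQUENCE { tbs, signatureAlgorithm, signatureValue }
    if [t for t, _ in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("not SEQUENCE { tbs, sigAlg, sigValue }")
    f = der_children(parts[0][1])  # v3 TBSCertificate field order
    if f[0][0] != 0xA0:  # explicit [0] version; only v3 carries the extensions read below
        raise ValueError("expected an X.509 v3 certificate")
    (_, alg_id), (_, pub) = der_children(f[6][1])  # subjectPublicKeyInfo
    if [decode_oid(v) for _, v in der_children(alg_id)] != [OID_EC_PUBKEY, OID_P256]:
        raise ValueError("subject key is not id-ecPublicKey on prime256v1")
    if pub[:2] != b"\x00\x04" or len(pub) != 66:  # BIT STRING pad byte + uncompressed point
        raise ValueError("expected an uncompressed P-256 point")
    exts = der_children(der_children(f[7][1])[0][1]) if len(f) > 7 else []
    return {"serial": f[1][1].hex(),
            "validity": [v.decode() for _, v in der_children(f[4][1])],
            "sig_alg": decode_oid(der_children(parts[1][1])[0][1]),
            "subject_key": pub[2:].hex(),
            "extension_oids": [decode_oid(der_children(e)[0][1]) for _, e in exts]}

# Values copied from the binding's example node (constructed test data, not real secrets).
SAMPLE_HUK = dt_bytes("12f798d20ed28592a582bf98b8992bc0 c66f19857986651855ebff9b6cc0ac27")
SAMPLE_ROT = dt_bytes("ac0d86c3d7b5b7a26fc3d993f7debcbb d5c4259b215f36afb5dd6d299d08c010")
SAMPLE_ROT_CERT = dt_bytes(
    "308201f43082019ba003020102021011 0102030405060708090a0b0c0d0e0f30 0a06082a8648ce3d040302300f310d30"
    "0b06035504030c04546935303022180f 32303030303130313030303030305a18 0f32303939313233313233353935395a"
    "300f310d300b06035504030c04546935 303059301306072a8648ce3d02010608 2a8648ce3d03010703420004ecefcb0c"
    "687e30f4d58f2c8816f47fb58b5b0677 d747fe1e914ca3c5a154f5409cf8a54e 85a0fa051a0198dae4b1e5ff950dcf8f"
    "d9c1ce280f9175ca06e4913ba381d430 81d1301a060a2b06010401d679020121 040c5a535a56a5aca5a97f7f0000300f"
    "060a2b06010401d67902012204012130 2e060a2b06010401d679020123042023 e14dd9bb51a50e16911f7e11df1e1aaf"
    "0b17134dc739c5653607a1ec8dd37a30 2e060a2b06010401d679020124042000 00000000000000000000000000000000"
    "00000000000000000000000000000030 2e060a2b06010401d679020125042000 00000000000000000000000000000000"
    "00000000000000000000000000000030 12060a2b06010401d679020126040400 000000300a06082a8648ce3d04030203"
    "47003044022062a8d323db1e9c649149 455eb3498dcc1aae7670e312d2256569 dff17ebc4bd8022025997c36cbb3fdce"
    "6e84eed7eaeb05cf69cf727520f3ba7f 8b9f06f3e411bccd"
)

def check_node(huk, rot, cert=None):
    """Validate the node's values the way a consumer should before using any of them."""
    if len(huk) != 32:
        raise ValueError(f"hardware-unique-key must be 32 bytes, got {len(huk)}")
    report = {"huk_bytes": len(huk), "rot_scalar_bits": check_p256_scalar(rot).bit_length()}
    if cert is not None:  # root-of-trust-cert is optional in the binding
        report["cert"] = parse_cert(cert)
    return report
```

Calling `check_node(SAMPLE_HUK, SAMPLE_ROT, SAMPLE_ROT_CERT)` accepts the example and reports the certificate's serial, validity window, ecdsa-with-SHA256 signature algorithm, the subject's P-256 point and six private-arc extension OIDs; any byte dropped from or appended to the certificate, a scalar of zero, or a 31-byte key is rejected with a ValueError before any of it is used.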


Thread overview: 16+ messages
2023-06-13  4:25 Device tree usage in TF-A & OP-Tee consultation Yi Chou
     [not found] ` <CABOkjxJnzTm=jJUy4Zgi9kGxLTBHvmrkM80UhgSdzyYcL4xfzA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-06-13 14:38   ` Rob Herring
2023-06-13 14:58   ` Simon Glass
     [not found]     ` <CAPnjgZ1inUgJ94kugnGSDbQ0dhfxouObyr=VjdUYG81+bv5DjQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-06-14  7:52       ` Yi Chou
2023-06-20 16:50         ` Simon Glass
     [not found]           ` <CAODwPW9-ueC6e-A766fRbiWJpiuN07WrRWVKJEoR-zRg7WYK6A@mail.gmail.com>
     [not found]             ` <CAODwPW9-ueC6e-A766fRbiWJpiuN07WrRWVKJEoR-zRg7WYK6A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-07-07 20:35               ` Rob Herring
     [not found]                 ` <CAL_Jsq+SeqSVTP89idwo8fNUvzk_H+WcbNW7R+yasMk26EW+hA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-07-24 10:02                   ` Yi Chou
     [not found]                     ` <CABOkjxLSKT3NvCUfxdWnMBVyaY9qCYdFupr+CRn=HXetRaWD2A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-07-25 14:51                       ` Simon Glass
     [not found]                         ` <CAPnjgZ3d7-hKVZ_isAFXp_MxnNq4phWsAdJ19qKSHS7CAwp1qA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-07-25 16:37                           ` Rob Herring
     [not found]                             ` <CAL_Jsq+k=7eHmta-0OqmSP8wZVErkS6zyuJ5D5V1YVKciv0Zwg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-08  8:08                               ` Yi Chou
     [not found]                                 ` <CABOkjxKG=qfgSwDpY5+=jsS4K68maPYKZA4DkKHxaJ_XHRdfNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-09 14:58                                   ` Rob Herring
     [not found]                                     ` <CAL_JsqKOEELQR6G4egrC=d94o9ZHsfuaSz0cVP8gzakZORjh7w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-10  7:39                                       ` Yi Chou
     [not found]                                         ` <CABOkjxKwnS5K082dZgcxqZ+x5+AMeuDsW_u7mVko81_td9u_uw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-15 14:44                                           ` Simon Glass
     [not found]                                             ` <CAPnjgZ2QUEDqOkWyDm=tvBAxJRxH+TrQWDfmC8rQsSNdxR=iCQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-15 23:58                                               ` Yi Chou
     [not found]                                                 ` <CABOkjx+DT99NgWCWmKyexDvDR8-RLOdjnXpoOr5MOBeFwdwd9w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-16  1:57                                                   ` Simon Glass
     [not found]                                                     ` <CAPnjgZ3b7vXTUVdTYVNP=k8dGqNu9-pnLUV-jLJ-taa01MThOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2023-08-16  5:34                                                       ` Yi Chou
