From: Arnd Bergmann <arnd@linaro.org>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Maxim Uvarov <maxim.uvarov@linaro.org>,
Joakim Bech <joakim.bech@linaro.org>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
ruchika.gupta@linaro.org, "Winkler,
Tomas" <tomas.winkler@intel.com>,
yang.huang@intel.com, bing.zhu@intel.com,
Matti.Moell@opensynergy.com, hmo@opensynergy.com,
linux-mmc <linux-mmc@vger.kernel.org>,
linux-scsi <linux-scsi@vger.kernel.org>,
linux-nvme@vger.kernel.org, Ulf Hansson <ulf.hansson@linaro.org>,
Linus Walleij <linus.walleij@linaro.org>,
Arnd Bergmann <arnd.bergmann@linaro.org>
Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem
Date: Thu, 4 Mar 2021 21:56:24 +0100 [thread overview]
Message-ID: <CAK8P3a0W5X8Mvq0tDrz7d67SfQA=PqthpnGDhn8w1Xhwa030-A@mail.gmail.com> (raw)
In-Reply-To: <20210303135500.24673-2-alex.bennee@linaro.org>
On Wed, Mar 3, 2021 at 2:54 PM Alex Bennée <alex.bennee@linaro.org> wrote:
>
> A number of storage technologies support a specialised hardware
> partition designed to be resistant to replay attacks. The underlying
> HW protocols differ but the operations are common. The RPMB partition
> cannot be accessed via standard block layer, but by a set of specific
> commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a
> partition provides authenticated and replay protected access, hence
> suitable as a secure storage.
>
> The RPMB layer aims to provide in-kernel API for Trusted Execution
> Environment (TEE) devices that are capable to securely compute block
> frame signature. In case a TEE device wishes to store a replay
> protected data, requests the storage device via RPMB layer to store
> the data.
>
> A TEE device driver can claim the RPMB interface, for example, via
> class_interface_register(). The RPMB layer provides a series of
> operations for interacting with the device.
>
> * program_key - a one time operation for setting up a new device
> * get_capacity - introspect the device capacity
> * get_write_count - check the write counter
> * write_blocks - write a series of blocks to the RPMB device
> * read_blocks - read a series of blocks from the RPMB device
Based on the discussion we had today in a meeting, it seems the
main change that is needed is to get back to the original model
of passing the encrypted data to the kernel instead of cleartext
data, as the main use case we know of is to have the key inside of
the TEE device and not available to the kernel or user space.
This is also required to be able to forward the encrypted data
through the same interface on a KVM host, when the guest
uses virtio-rpmb, and the host forwards the data into an mmc or
ufs device.
That said, I can also imagine use cases where we do want to
store the key in the kernel's keyring, so maybe we end up needing
both.
> The detailed operation of implementing the access is left to the TEE
> device driver itself.
>
> [This is based-on Thomas Winkler's proposed API from:
>
> https://lore.kernel.org/linux-mmc/1478548394-8184-2-git-send-email-tomas.winkler@intel.com/
>
> The principle difference is the framing details and HW specific
> bits (JDEC vs NVME frames) are left to the lower level TEE driver to
> worry about. The eventual userspace ioctl interface will aim to be
> similarly generic. This is an RFC to follow up on:
>
> Subject: RPMB user space ABI
> Date: Thu, 11 Feb 2021 14:07:00 +0000
> Message-ID: <87mtwashi4.fsf@linaro.org>]
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Tomas Winkler <tomas.winkler@intel.com>
> Cc: Ulf Hansson <ulf.hansson@linaro.org>
> Cc: Linus Walleij <linus.walleij@linaro.org>
> Cc: Arnd Bergmann <arnd.bergmann@linaro.org>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> MAINTAINERS | 7 +
> drivers/char/Kconfig | 2 +
> drivers/char/Makefile | 1 +
> drivers/char/rpmb/Kconfig | 11 +
> drivers/char/rpmb/Makefile | 7 +
> drivers/char/rpmb/core.c | 429 +++++++++++++++++++++++++++++++++++++
> include/linux/rpmb.h | 163 ++++++++++++++
My feeling is that it should be a top-level subsystem, in drivers/rpmb
rather than drivers/char/rpmb, as you implement an abstraction layer
that other drivers can plug into, rather than a simple driver.
Arnd
next prev parent reply other threads:[~2021-03-04 20:58 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-03 13:54 [RFC PATCH 0/5] RPMB internal and user-space API + WIP virtio-rpmb frontend Alex Bennée
2021-03-03 13:54 ` [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem Alex Bennée
2021-03-03 15:28 ` Ulf Hansson
2021-03-03 19:37 ` Alex Bennée
2021-03-04 20:56 ` Arnd Bergmann [this message]
2021-03-05 7:51 ` Joakim Bech
2021-03-05 8:44 ` Arnd Bergmann
2021-03-08 16:20 ` Linus Walleij
2021-03-09 21:09 ` Hector Martin
2021-03-10 5:14 ` Sumit Garg
2021-03-10 8:47 ` Hector Martin
2021-03-10 9:48 ` Linus Walleij
2021-03-10 13:52 ` Hector Martin
2021-03-11 0:36 ` Linus Walleij
2021-03-11 9:22 ` Hector Martin
2021-03-11 14:06 ` Linus Walleij
2021-03-11 20:02 ` Hector Martin
2021-03-12 9:22 ` Linus Walleij
2021-03-10 10:29 ` Sumit Garg
2021-03-11 0:49 ` Linus Walleij
2021-03-11 1:07 ` James Bottomley
2021-03-11 9:45 ` Hector Martin
2021-03-11 14:31 ` Linus Walleij
2021-03-11 20:29 ` Hector Martin
2021-03-11 20:57 ` Alex Bennée
2021-03-12 10:00 ` Linus Walleij
2021-03-12 9:47 ` Linus Walleij
2021-03-12 11:59 ` Sumit Garg
2021-03-12 12:08 ` Ilias Apalodimas
2021-03-09 17:12 ` David Howells
2021-03-10 4:54 ` Sumit Garg
2021-03-10 9:33 ` Linus Walleij
2021-03-03 13:54 ` [RFC PATCH 2/5] char: rpmb: provide a user space interface Alex Bennée
2021-03-04 7:01 ` Winkler, Tomas
2021-03-04 10:19 ` Alex Bennée
2021-03-04 10:34 ` Winkler, Tomas
2021-03-04 17:52 ` Alex Bennée
2021-03-04 19:54 ` Winkler, Tomas
2021-03-04 21:43 ` Arnd Bergmann
2021-03-05 6:31 ` Winkler, Tomas
2021-03-04 21:08 ` Arnd Bergmann
2021-03-03 13:54 ` [RFC PATCH 3/5] tools rpmb: add RPBM access tool Alex Bennée
2021-03-03 13:54 ` [RFC PATCH 4/5] rpmb: create virtio rpmb frontend driver [WIP] Alex Bennée
2021-03-03 13:55 ` [RFC PATCH 5/5] tools/rpmb: simple test sequence Alex Bennée
2021-03-09 13:27 ` [RFC PATCH 0/5] RPMB internal and user-space API + WIP virtio-rpmb frontend Avri Altman
2021-03-10 14:29 ` Alex Bennée
2021-03-11 13:45 ` Avri Altman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAK8P3a0W5X8Mvq0tDrz7d67SfQA=PqthpnGDhn8w1Xhwa030-A@mail.gmail.com' \
--to=arnd@linaro.org \
--cc=Matti.Moell@opensynergy.com \
--cc=alex.bennee@linaro.org \
--cc=arnd.bergmann@linaro.org \
--cc=bing.zhu@intel.com \
--cc=hmo@opensynergy.com \
--cc=ilias.apalodimas@linaro.org \
--cc=joakim.bech@linaro.org \
--cc=linus.walleij@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=linux-nvme@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=maxim.uvarov@linaro.org \
--cc=ruchika.gupta@linaro.org \
--cc=tomas.winkler@intel.com \
--cc=ulf.hansson@linaro.org \
--cc=yang.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).