[isar-cip-core][PATCH 3/8] Include optee into u-boot


Schultschik, Sven
 

From: Sven Schultschik <sven.schultschik@...>

Optee is part of u-boot in the secureboot scenario to use optee and RPMB as secure storage.

Signed-off-by: Sven Schultschik <sven.schultschik@...>
---
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++++++
recipes-bsp/u-boot/u-boot-qemu-common.inc | 2 ++
2 files changed, 9 insertions(+)

diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbfed..8e6428238 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
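Review bot: `CONFIG_EFI_MM_COMM_TEE=y`, added as the last line of this hunk, is mutually exclusive with the `CONFIG_EFI_VARIABLES_PRESEED=y` kept in the context two lines above it. lib/efi_loader/Makefile builds efi_variable_tee.o when CONFIG_EFI_MM_COMM_TEE is set and only in the else branch builds efi_variable.o together with the preseed object, so with this fragment the preseeded PK/KEK/db are silently never compiled in and the board has no keys until they are enrolled through the TEE-backed variable store. Either drop CONFIG_EFI_VARIABLES_PRESEED here and add the matching change to the secure boot key setup in the same series, or leave the TEE backend out for now; the commit message should say which.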
diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 0a9a15a0f..802fc5056 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -13,6 +13,8 @@ require recipes-bsp/u-boot/u-boot-common.inc

U_BOOT_BIN = "u-boot.bin"

+DEPENDS_append_secureboot = " optee-os-${MACHINE}"
+
do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
do_deploy() {
dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
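Review bot: this hunk only adds a build-time dependency on `optee-os-${MACHINE}` under the secureboot override; nothing visible here consumes the optee-os output (no input to the U-Boot build, nothing in do_deploy), so as far as this patch shows the recipe waits for optee-os and then ignores it. If the consumer is in a later patch of the series, the commit message should say so; otherwise the DEPENDS line belongs in the patch that uses it. The commit message also reads "Optee is part of u-boot In the secureboot scenario": lowercase "in", and one sentence on how the OP-TEE binary reaches the U-Boot image would make the intent of the dependency clear.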
--
2.30.2


Su, Bao Cheng
 

On Mon, 2022-10-24 at 14:27 +0200, sven.schultschik@... wrote:
From: Sven Schultschik <sven.schultschik@...>

Optee is part of u-boot in the secureboot scenario to use optee and RPMB as secure storage.

Signed-off-by: Sven Schultschik <sven.schultschik@...>
---
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++++++
 recipes-bsp/u-boot/u-boot-qemu-common.inc | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbfed..8e6428238 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
 CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
 CONFIG_EFI_VARIABLES_PRESEED=y
 CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
According to lib/efi_loader/Makefile:

ifeq ($(CONFIG_EFI_MM_COMM_TEE),y)
obj-y += efi_variable_tee.o
else
obj-y += efi_variable.o
obj-$(CONFIG_EFI_VARIABLES_PRESEED) += efi_var_seed.o
endif

The `CONFIG_EFI_MM_COMM_TEE` conflicts with
`CONFIG_EFI_VARIABLES_PRESEED`, so you have to choose one.

- Baocheng

diff --git a/recipes-bsp/u-boot/u-boot-qemu-common.inc b/recipes-bsp/u-boot/u-boot-qemu-common.inc
index 0a9a15a0f..802fc5056 100644
--- a/recipes-bsp/u-boot/u-boot-qemu-common.inc
+++ b/recipes-bsp/u-boot/u-boot-qemu-common.inc
@@ -13,6 +13,8 @@ require recipes-bsp/u-boot/u-boot-common.inc
 
 U_BOOT_BIN = "u-boot.bin"
 
+DEPENDS_append_secureboot = " optee-os-${MACHINE}"
+
 do_deploy[dirs] = "${DEPLOY_DIR_IMAGE}"
 do_deploy() {
     dpkg --fsys-tarfile "${WORKDIR}/u-boot-${MACHINE}_${PV}_${DISTRO_ARCH}.deb" | \
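The Makefile rule Baocheng quotes is easy to get wrong when fragments are merged, because Kconfig does not reject the combination; the preseed object simply drops out of the build. The following checker is an added example (not isar-cip-core or U-Boot code) that parses a U-Boot config fragment, mirrors the object selection from the quoted lib/efi_loader/Makefile excerpt, and flags a fragment in which CONFIG_EFI_VARIABLES_PRESEED=y is dead. The sample fragment is constructed from the post-patch secure-boot.cfg.tmpl lines in this thread with CONFIG_BOOTCOMMAND omitted; the function names are mine.

```python
import re

# Post-patch secure-boot.cfg.tmpl fragment from the thread (CONFIG_BOOTCOMMAND
# omitted); constructed here as sample input.
SAMPLE_FRAGMENT = """\
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
### OPTEE config
CONFIG_CMD_OPTEE_RPMB=y
CONFIG_MMC=y
CONFIG_SUPPORT_EMMC_RPMB=y
CONFIG_TEE=y
CONFIG_OPTEE=y
CONFIG_EFI_MM_COMM_TEE=y
"""

_SET = re.compile(r"^\s*\+?(CONFIG_[A-Za-z0-9_]+)=(.*?)\s*$")
_NOT_SET = re.compile(r"^\s*\+?#\s*(CONFIG_[A-Za-z0-9_]+) is not set\s*$")


def parse_fragment(text):
    """Map CONFIG_* symbols to their values. Handles `CONFIG_X=y`,
    `CONFIG_X="string"` and `# CONFIG_X is not set` (stored as "n"). A later
    line overrides an earlier one, as happens when fragments are merged, and a
    leading '+' from a diff is tolerated so a patch can be checked directly."""
    config = {}
    for line in text.splitlines():
        m = _SET.match(line)
        if m:
            config[m.group(1)] = m.group(2)
            continue
        m = _NOT_SET.match(line)
        if m:
            config[m.group(1)] = "n"
    return config


def efi_variable_objects(config):
    """Which EFI variable backend objects U-Boot builds, mirroring the
    lib/efi_loader/Makefile excerpt quoted in the thread."""
    if config.get("CONFIG_EFI_MM_COMM_TEE") == "y":
        return ["efi_variable_tee.o"]
    objs = ["efi_variable.o"]
    if config.get("CONFIG_EFI_VARIABLES_PRESEED") == "y":
        objs.append("efi_var_seed.o")
    return objs


def check_fragment(text):
    """Return a list of findings; an empty list means the fragment is consistent."""
    config = parse_fragment(text)
    findings = []
    objs = efi_variable_objects(config)
    if (config.get("CONFIG_EFI_VARIABLES_PRESEED") == "y"
            and "efi_var_seed.o" not in objs):
        findings.append(
            "CONFIG_EFI_VARIABLES_PRESEED=y is dead: CONFIG_EFI_MM_COMM_TEE=y "
            "selects efi_variable_tee.o, so the preseeded PK/KEK/db are never "
            "compiled in; the board starts without keys unless they are "
            "enrolled through the TEE-backed store")
    return findings


if __name__ == "__main__":
    for finding in check_fragment(SAMPLE_FRAGMENT) or ["no conflicts found"]:
        print(finding)
```

Run against the fragment as posted it reports the dead preseed option; flipping that line to `# CONFIG_EFI_VARIABLES_PRESEED is not set` makes the check pass. Hooking something like this into the recipe that merges the template would have caught the combination before it reached review.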


Jan Kiszka
 

On 26.10.22 09:36, Su, Bao Cheng wrote:
On Mon, 2022-10-24 at 14:27 +0200, sven.schultschik@... wrote:
From: Sven Schultschik <sven.schultschik@...>

Optee is part of u-boot in the secureboot scenario to use optee and RPMB as secure storage.

Signed-off-by: Sven Schultschik <sven.schultschik@...>
---
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++++++
 recipes-bsp/u-boot/u-boot-qemu-common.inc | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbfed..8e6428238 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
 CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype} ${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi'; run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
 CONFIG_EFI_VARIABLES_PRESEED=y
 CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
According to lib/efi_loader/Makefile:

ifeq ($(CONFIG_EFI_MM_COMM_TEE),y)
obj-y += efi_variable_tee.o
else
obj-y += efi_variable.o
obj-$(CONFIG_EFI_VARIABLES_PRESEED) += efi_var_seed.o
endif

The `CONFIG_EFI_MM_COMM_TEE` conflicts with
`CONFIG_EFI_VARIABLES_PRESEED`, so you have to choose one.
Right. When we switch this, we also need to switch the secure boot setup
procedure so that the result remains securely booted.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Schultschik, Sven
 

-----Original Message-----
From: Kiszka, Jan (T CED) <jan.kiszka@...>
Sent: Wednesday, 26 October 2022 10:53
To: Su, Bao Cheng (DI FA CTR IPC CN PRC4) <baocheng.su@...>;
Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@...>; cip-dev@...
Subject: Re: [isar-cip-core][PATCH 3/8] Include optee into u-boot

On 26.10.22 09:36, Su, Bao Cheng wrote:
On Mon, 2022-10-24 at 14:27 +0200, sven.schultschik@... wrote:
From: Sven Schultschik <sven.schultschik@...>

Optee is part of u-boot in the secureboot scenario to use optee and RPMB as
secure storage.

Signed-off-by: Sven Schultschik <sven.schultschik@...>
---
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++++++
recipes-bsp/u-boot/u-boot-qemu-common.inc | 2 ++
2 files changed, 9 insertions(+)

diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbfed..8e6428238 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype}
${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load
${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r}
efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi';
run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
According to lib/efi_loader/Makefile:

ifeq ($(CONFIG_EFI_MM_COMM_TEE),y)
obj-y += efi_variable_tee.o
else
obj-y += efi_variable.o
obj-$(CONFIG_EFI_VARIABLES_PRESEED) += efi_var_seed.o
endif

The `CONFIG_EFI_MM_COMM_TEE` conflicts with
`CONFIG_EFI_VARIABLES_PRESEED`, so you have to choose one.
Right. When we switch this, we also need to switch the secure boot setup
procedure so that the result remains securely booted.

Jan
Do you want to do those adjustments within this patch series or
do it separately?

Sven


Jan Kiszka
 

On 26.10.22 17:27, Schultschik, Sven (DI PA DCP R&D 2) wrote:


-----Original Message-----
From: Kiszka, Jan (T CED) <jan.kiszka@...>
Sent: Wednesday, 26 October 2022 10:53
To: Su, Bao Cheng (DI FA CTR IPC CN PRC4) <baocheng.su@...>;
Schultschik, Sven (DI PA DCP R&D 2) <sven.schultschik@...>; cip-dev@...
Subject: Re: [isar-cip-core][PATCH 3/8] Include optee into u-boot

On 26.10.22 09:36, Su, Bao Cheng wrote:
On Mon, 2022-10-24 at 14:27 +0200, sven.schultschik@... wrote:
From: Sven Schultschik <sven.schultschik@...>

Optee is part of u-boot in the secureboot scenario to use optee and RPMB as
secure storage.

Signed-off-by: Sven Schultschik <sven.schultschik@...>
---
recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 7 +++++++
recipes-bsp/u-boot/u-boot-qemu-common.inc | 2 ++
2 files changed, 9 insertions(+)

diff --git a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
index 956dcbfed..8e6428238 100644
--- a/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
+++ b/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl
@@ -4,3 +4,10 @@ CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="setenv scan_dev_for_boot 'if test -e ${devtype}
${devnum}:${distro_bootpart} efi/boot/boot${EFI_ARCH}.efi; then load
${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r}
efi/boot/boot${EFI_ARCH}.efi; bootefi ${kernel_addr_r} ${fdtcontroladdr}; fi';
run distro_bootcmd; echo 'EFI Boot failed!'; sleep 1000; reset"
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_EFI_SECURE_BOOT=y
+### OPTEE config
+CONFIG_CMD_OPTEE_RPMB=y
+CONFIG_MMC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_TEE=y
+CONFIG_OPTEE=y
+CONFIG_EFI_MM_COMM_TEE=y
According to lib/efi_loader/Makefile:

ifeq ($(CONFIG_EFI_MM_COMM_TEE),y)
obj-y += efi_variable_tee.o
else
obj-y += efi_variable.o
obj-$(CONFIG_EFI_VARIABLES_PRESEED) += efi_var_seed.o
endif

The `CONFIG_EFI_MM_COMM_TEE` conflicts with
`CONFIG_EFI_VARIABLES_PRESEED`, so you have to choose one.
Right. When we switch this, we also need to switch the secure boot setup
procedure so that the result remains securely booted.

Jan
Do you want to do those adjustments within this patch series or
do it separately?
Well, if we leave out enabling CONFIG_EFI_MM_COMM_TEE from this series,
would that leave something testable / minimally useful behind? If not,
we need the transition to secure boot keys in RPMB already in this series.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Schultschik, Sven
 

Right. When we switch this, we also need to switch the secure boot
setup procedure so that the result remains securely booted.

Jan
Do you want to do those adjustments within this patch series or do it
separately?
Well, if we leave out enabling CONFIG_EFI_MM_COMM_TEE from this series,
would that leave something testable / minimally useful behind? If not, we need
the transition to secure boot keys in RPMB already in this series.
If we go fully on the optee rpmb solution only with the manual test patch 8/8

Else we would need to provide a
- PK, KEK and db
- a u-boot script which does on every boot such things
fatload virtio 1:1 40000000 PK.auth
setenv -e -nv -bs -rt -at -i 40000000:$filesize PK
fatload virtio 1:1 40000000 KEK.auth
setenv -e -nv -bs -rt -at -i 40000000:$filesize KEK
fatload virtio 1:1 40000000 db.auth
setenv -e -nv -bs -rt -at -i 40000000:$filesize db

Why?
The secure UEFI environment is not persistent in the patched u-boot qemu
setting. The RPMB in u-boot is emulated as struct in memory.

Jan we could make a small talk if you want to discuss further steps.

Sven


Jan Kiszka
 

On 07.11.22 17:57, Schultschik, Sven (DI PA DCP R&D 2) wrote:
Right. When we switch this, we also need to switch the secure boot
setup procedure so that the result remains securely booted.

Jan
Do you want to do those adjustments within this patch series or do it
separately?
Well, if we leave out enabling CONFIG_EFI_MM_COMM_TEE from this series,
would that leave something testable / minimally useful behind? If not, we need
the transition to secure boot keys in RPMB already in this series.
If we go fully on the optee rpmb solution only with the manual test patch 8/8

Else we would need to provide a
- PK, KEK and db
- a u-boot script which does on every boot such things
fatload virtio 1:1 40000000 PK.auth
setenv -e -nv -bs -rt -at -i 40000000:$filesize PK
fatload virtio 1:1 40000000 KEK.auth
setenv -e -nv -bs -rt -at -i 40000000:$filesize KEK
fatload virtio 1:1 40000000 db.auth
setenv -e -nv -bs -rt -at -i 40000000:$filesize db

Why?
The secure UEFI environment is not persistent in the patched u-boot qemu
setting. The RPMB in u-boot is emulated as struct in memory.
Ouch... We need a persistent and consistent (u-boot vs. kernel) RPMB to
actually test this with realistic scenarios, I suppose.

Jan we could make a small talk if you want to discuss further steps.
Can you summarize again here what options we have now? It seems we need
a proper RPMB emulation rather sooner than later.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux


Schultschik, Sven
 

Can you summarize again here what options we have now? It seems we need a
proper RPMB emulation rather sooner than later.
Option 1:
- Keep it as it is
- CONFIG_BOOTDELAY=5
- manually set PK, KEK, db on every boot

Option 2:
- Write a small u-boot script for qemu u-boot (never done this before)
- This script runs on every boot
- This script initializes secure efi env with PK, KEK, db

Option 3:
- Proper RPMB emulation, which takes too long for now


Jan Kiszka
 

On 10.11.22 12:01, Schultschik, Sven (DI PA DCP R&D 2) wrote:
Can you summarize again here what options we have now? It seems we need a
proper RPMB emulation rather sooner than later.
Option 1:
- Keep it as it is
- CONFIG_BOOTDELAY=5
- manually set PK, KEK, db on every boot

Option 2:
- Write a small u-boot script for qemu u-boot (never done this before)
- This script runs on every boot
- This script initializes secure efi env with PK, KEK, db
You can basically put the commands you would manually execute into
CONFIG_BOOTCOMMAND. We already have a custom string there for secure
boot, see
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg.tmpl.
Would likely qualify for separating this "special" extension for the
secure-boot.cfg.tmpl baseline.


Option 3:
- Proper RPMB emulation, which takes too long for now
Yes, likely. At least I did step 0.1, registered with jedec.org and
fetched the spec. It's not done over an afternoon, but possibly also
only within few weeks (with some experience with QEMU).

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
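Sven's per-boot command list (fatload each .auth file, then `setenv -e -nv -bs -rt -at -i addr:$filesize VAR`) and Jan's suggestion to fold those commands into the existing CONFIG_BOOTCOMMAND string can be combined into a generator for the Kconfig line. The script below is an added example, not isar-cip-core code and not something from the thread: it takes the device `virtio 1:1` and the load address 40000000 from Sven's commands as assumptions, the `enroll_keys` variable name and the fail-closed structure are my choices, and the helper names are mine. The point worth showing is the failure path: while no PK is enrolled U-Boot is in setup mode and does not verify EFI images, so an enrollment step that fails must not fall through to `run distro_bootcmd`. The steps are chained with `&&` inside an environment variable, and `if run enroll_keys` only boots when every step succeeded; anything else reports and resets, mirroring the `echo ... ; sleep 1000; reset` tail already in the template.

```python
# Added example: build a fail-closed CONFIG_BOOTCOMMAND that enrolls the
# UEFI secure boot keys before booting. Device and address are assumptions
# taken from the commands quoted in the thread.
DEVICE = "virtio 1:1"
LOAD_ADDR = "40000000"
# Enrollment order as in the thread: PK, then KEK, then db.
ENROLL_ORDER = (("PK", "PK.auth"), ("KEK", "KEK.auth"), ("db", "db.auth"))


def enroll_step(var, auth_file, device=DEVICE, addr=LOAD_ADDR):
    """One load + authenticated write. setenv flags: -e EFI variable,
    -nv non-volatile, -bs/-rt boot-service and runtime access, -at
    time-based authenticated write, -i addr:size value taken from memory.
    $filesize is set by fatload and expanded when the chain runs."""
    return (f"fatload {device} {addr} {auth_file} && "
            f"setenv -e -nv -bs -rt -at -i {addr}:$filesize {var}")


def enroll_script(order=ENROLL_ORDER, **kw):
    """Chain every step with && so the first failing step aborts the rest."""
    return " && ".join(enroll_step(var, f, **kw) for var, f in order)


def bootcommand(order=ENROLL_ORDER, boot="run distro_bootcmd", **kw):
    """Fail closed: boot only if the whole enrollment chain succeeded.
    The chain is stored in enroll_keys with single quotes so that
    $filesize is expanded at run time, not when the boot command is set."""
    return (f"setenv enroll_keys '{enroll_script(order, **kw)}'; "
            f"if run enroll_keys; then {boot}; fi; "
            "echo 'Secure boot key enrollment or boot failed!'; "
            "sleep 1000; reset")


def kconfig_line(cmd):
    """Render the command as a Kconfig fragment line. The template wraps
    the value in double quotes, so the command itself must not contain any."""
    if '"' in cmd:
        raise ValueError("double quotes are not allowed in CONFIG_BOOTCOMMAND")
    return f'CONFIG_BOOTCOMMAND="{cmd}"'


def enrollment_order_ok(cmd):
    """Sanity check on a generated command: PK, KEK and db are all written
    and in that order."""
    positions = [cmd.find(f"$filesize {var}") for var, _ in ENROLL_ORDER]
    return all(p >= 0 for p in positions) and positions == sorted(positions)


if __name__ == "__main__":
    line = kconfig_line(bootcommand())
    assert enrollment_order_ok(line)
    print(line)
```

The generated line replaces the CONFIG_BOOTCOMMAND in secure-boot.cfg.tmpl only for the QEMU target whose variable store is not persistent; on hardware with a real RPMB the enrollment would run once, not on every boot, and the same generator can be pointed at a different device and address through the keyword arguments.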