- OP-TEE - lists.trustedfirmware.org

[RFC PATCH v2 0/2] TEE subsystem for restricted dma-buf allocations

by Jens Wiklander

Hi, This patch set allocates the restricted DMA-bufs via the TEE subsystem. This a complete rewrite compared to the previous patch set [1], and other earlier proposals [2] and [3] with a separate restricted heap. The TEE subsystem handles the DMA-buf allocations since it is the TEE (OP-TEE, AMD-TEE, TS-TEE, or a future QTEE) which sets up the restrictions for the memory used for the DMA-bufs. I've added a new IOCTL, TEE_IOC_RSTMEM_ALLOC, to allocate the restricted DMA-bufs. This new IOCTL reaches the backend TEE driver, allowing it to choose how to allocate the restricted physical memory. TEE_IOC_RSTMEM_ALLOC is quite similar to TEE_IOC_SHM_ALLOC so it's tempting to extend TEE_IOC_SHM_ALLOC with two new flags TEE_IOC_SHM_FLAG_SECURE_VIDEO and TEE_IOC_SHM_FLAG_SECURE_TRUSTED_UI for the same feature. However, it might be a bit confusing since TEE_IOC_SHM_ALLOC only returns an anonymous file descriptor, but TEE_IOC_SHM_FLAG_SECURE_VIDEO and TEE_IOC_SHM_FLAG_SECURE_TRUSTED_UI would return a DMA-buf file descriptor instead. What do others think? This can be tested on QEMU with the following steps: repo init -u https://github.com/jenswi-linaro/manifest.git -m qemu_v8.xml \ -b prototype/sdp-v2 repo sync -j8 cd build make toolchains -j4 make all -j$(nproc) make run-only # login and at the prompt: xtest --sdp-basic https://optee.readthedocs.io/en/latest/building/prerequisites.html list dependencies needed to build the above. The tests are pretty basic, mostly checking that a Trusted Application in the secure world can access and manipulate the memory. There are also some negative tests for out of bounds buffers etc. Thanks, Jens [1] https://lore.kernel.org/lkml/20240830070351.2855919-1-jens.wiklander@linaro… [2] https://lore.kernel.org/dri-devel/20240515112308.10171-1-yong.wu@mediatek.c… [3] https://lore.kernel.org/lkml/20220805135330.970-1-olivier.masse@nxp.com/ Changes since the V1 RFC: * Based on v6.11 * Complete rewrite, replacing the restricted heap with TEE_IOC_RSTMEM_ALLOC Changes since Olivier's post [2]: * Based on Yong Wu's post [1] where much of dma-buf handling is done in the generic restricted heap * Simplifications and cleanup * New commit message for "dma-buf: heaps: add Linaro restricted dmabuf heap support" * Replaced the word "secure" with "restricted" where applicable Jens Wiklander (2): tee: add restricted memory allocation optee: support restricted memory allocation drivers/tee/Makefile | 1 + drivers/tee/optee/core.c | 21 ++++ drivers/tee/optee/optee_private.h | 6 + drivers/tee/optee/optee_smc.h | 35 ++++++ drivers/tee/optee/smc_abi.c | 45 ++++++- drivers/tee/tee_core.c | 33 ++++- drivers/tee/tee_private.h | 2 + drivers/tee/tee_rstmem.c | 200 ++++++++++++++++++++++++++++++ drivers/tee/tee_shm.c | 2 + drivers/tee/tee_shm_pool.c | 69 ++++++++++- include/linux/tee_core.h | 6 + include/linux/tee_drv.h | 9 ++ include/uapi/linux/tee.h | 33 ++++- 13 files changed, 455 insertions(+), 7 deletions(-) create mode 100644 drivers/tee/tee_rstmem.c -- 2.43.0

1 month

2
6
0 0

Padding on Optee + AES Block Cyphers

by Hareesh Das Ulleri

Dear Op-Tee support team, Required some expert opinion - Could you please confirm whether AES block cyphers (ECB and CBC mode) support non-block aligned input for cryption ? My Use case as below App (say input buffer as 17 bytes) -> OpTee (CA + TA) -> HSM. In the above mentioned case, Does Op-Tee can take care the input buffer with any size or does it expect block-size aligned input buffer ? In which layer does the padding recommended ? Could you please provide any suggestions / links ? Thanks & Regards, Hareesh

1 month, 1 week

2
2
0 0

[RFC PATCH v1 32/57] optee: Remove PAGE_SIZE compile-time constant assumption

by Ryan Roberts

To prepare for supporting boot-time page size selection, refactor code to remove assumptions about PAGE_SIZE being compile-time constant. Code intended to be equivalent when compile-time page size is active. Updated BUILD_BUG_ON() to test against limit. Refactored "struct optee_shm_arg_entry" to use a flexible array member for "map", since its length depends on PAGE_SIZE. Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> --- ***NOTE*** Any confused maintainers may want to read the cover note here for context: https://lore.kernel.org/all/20241014105514.3206191-1-ryan.roberts@arm.com/ drivers/tee/optee/call.c | 7 +++++-- drivers/tee/optee/smc_abi.c | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/tee/optee/call.c b/drivers/tee/optee/call.c index 16eb953e14bb6..41bd7ace6606e 100644 --- a/drivers/tee/optee/call.c +++ b/drivers/tee/optee/call.c @@ -36,7 +36,7 @@ struct optee_shm_arg_entry { struct list_head list_node; struct tee_shm *shm; - DECLARE_BITMAP(map, MAX_ARG_COUNT_PER_ENTRY); + unsigned long map[]; }; void optee_cq_init(struct optee_call_queue *cq, int thread_count) @@ -271,6 +271,7 @@ struct optee_msg_arg *optee_get_msg_arg(struct tee_context *ctx, struct optee_shm_arg_entry *entry; struct optee_msg_arg *ma; size_t args_per_entry; + size_t entry_sz; u_long bit; u_int offs; void *res; @@ -293,7 +294,9 @@ struct optee_msg_arg *optee_get_msg_arg(struct tee_context *ctx, /* * No entry was found, let's allocate a new. */ - entry = kzalloc(sizeof(*entry), GFP_KERNEL); + entry_sz = struct_size(entry, map, + BITS_TO_LONGS(MAX_ARG_COUNT_PER_ENTRY)); + entry = kzalloc(entry_sz, GFP_KERNEL); if (!entry) { res = ERR_PTR(-ENOMEM); goto out; diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c index 844285d4f03c1..005689380d848 100644 --- a/drivers/tee/optee/smc_abi.c +++ b/drivers/tee/optee/smc_abi.c @@ -418,7 +418,7 @@ static void optee_fill_pages_list(u64 *dst, struct page **pages, int num_pages, * code heavily relies on this assumption, so it is better be * safe than sorry. */ - BUILD_BUG_ON(PAGE_SIZE < OPTEE_MSG_NONCONTIG_PAGE_SIZE); + BUILD_BUG_ON(PAGE_SIZE_MIN < OPTEE_MSG_NONCONTIG_PAGE_SIZE); pages_data = (void *)dst; /* -- 2.43.0

1 month, 1 week

1
0
0 0

Preparing for OP-TEE 4.4.0

by Jérôme Forissier

[BCC all OP-TEE maintainers] Hi OP-TEE maintainers & contributors, OP-TEE v4.4.0 is scheduled to be released on 2024-10-18. So, now is a good time to start testing the master branch on the various platforms and report/fix any bugs. The GitHub pull request for collecting Tested-by tags or any other comments is https://github.com/OP-TEE/optee_os/pull/7058. As usual, we will create a release candidate tag one week before the release date for final testing. In addition to that you can find some additional information related to releases here: https://optee.readthedocs.io/en/latest/general/releases.html Thanks, -- Jerome

1 month, 1 week

2
1
0 0

[PATCH v10 0/7] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V9[1]: - Introduce release_fw remoteproc ops to avoid direct call of tee_rproc_release_fw() in remoteproc_core.c: - allow to remove link between remoteproc and remoteproc_tee - allow to build the remoteproc_tee as a module [1] https://lore.kernel.org/linux-arm-kernel/ZuMIEp4cVrp1hWa7@p14s/T/ Tested-on: commit 9852d85ec9d4 ("Linux 6.12-rc1") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact. The user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (7): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support remoteproc: core: Refactor resource table cleanup into rproc_release_fw remoteproc: Introduce release_fw optional operation dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 +- drivers/remoteproc/Kconfig | 11 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 72 ++- drivers/remoteproc/remoteproc_tee.c | 506 ++++++++++++++++++ drivers/remoteproc/stm32_rproc.c | 145 +++-- include/linux/remoteproc.h | 8 + include/linux/remoteproc_tee.h | 107 ++++ 8 files changed, 853 insertions(+), 55 deletions(-) create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc -- 2.25.1

1 month, 2 weeks

3
11
0 0

[RFC PATCH 0/4] Linaro restricted heap

by Jens Wiklander

Hi, This patch set is based on top of Yong Wu's restricted heap patch set [1]. It's also a continuation on Olivier's Add dma-buf secure-heap patch set [2]. The Linaro restricted heap uses genalloc in the kernel to manage the heap carvout. This is a difference from the Mediatek restricted heap which relies on the secure world to manage the carveout. I've tried to adress the comments on [2], but [1] introduces changes so I'm afraid I've had to skip some comments. This can be tested on QEMU with the following steps: repo init -u https://github.com/jenswi-linaro/manifest.git -m qemu_v8.xml \ -b prototype/sdp-v1 repo sync -j8 cd build make toolchains -j4 make all -j$(nproc) make run-only # login and at the prompt: xtest --sdp-basic https://optee.readthedocs.io/en/latest/building/prerequisites.html list dependencies needed to build the above. The tests are pretty basic, mostly checking that a Trusted Application in the secure world can access and manipulate the memory. Cheers, Jens [1] https://lore.kernel.org/dri-devel/20240515112308.10171-1-yong.wu@mediatek.c… [2] https://lore.kernel.org/lkml/20220805135330.970-1-olivier.masse@nxp.com/ Changes since Olivier's post [2]: * Based on Yong Wu's post [1] where much of dma-buf handling is done in the generic restricted heap * Simplifications and cleanup * New commit message for "dma-buf: heaps: add Linaro restricted dmabuf heap support" * Replaced the word "secure" with "restricted" where applicable Etienne Carriere (1): tee: new ioctl to a register tee_shm from a dmabuf file descriptor Jens Wiklander (2): dma-buf: heaps: restricted_heap: add no_map attribute dma-buf: heaps: add Linaro restricted dmabuf heap support Olivier Masse (1): dt-bindings: reserved-memory: add linaro,restricted-heap .../linaro,restricted-heap.yaml | 56 ++++++ drivers/dma-buf/heaps/Kconfig | 10 ++ drivers/dma-buf/heaps/Makefile | 1 + drivers/dma-buf/heaps/restricted_heap.c | 17 +- drivers/dma-buf/heaps/restricted_heap.h | 2 + .../dma-buf/heaps/restricted_heap_linaro.c | 165 ++++++++++++++++++ drivers/tee/tee_core.c | 38 ++++ drivers/tee/tee_shm.c | 104 ++++++++++- include/linux/tee_drv.h | 11 ++ include/uapi/linux/tee.h | 29 +++ 10 files changed, 426 insertions(+), 7 deletions(-) create mode 100644 Documentation/devicetree/bindings/reserved-memory/linaro,restricted-heap.yaml create mode 100644 drivers/dma-buf/heaps/restricted_heap_linaro.c -- 2.34.1

1 month, 3 weeks

10
35
0 0

[PATCH v9 0/7] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V8[1]: Add support for tee_rproc_release_fw(), which allows releasing firmware that has been loaded. This service is used if an error occurs between the loading of the firmware image and the start of the remote processor. It is also called on remote processor shutdown. Associated with this series, an update has been sent to OP-TEE for the support of the TA_RPROC_CMD_RELEASE_FW TEE command [2]. [1] https://lore.kernel.org/linux-arm-kernel/20240621143759.547793-4-arnaud.pou… [2]https://github.com/OP-TEE/optee_os/pull/7019 Tested-on: commit 5be63fc19fca ("Linux 6.11-rc5") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact.the user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (7): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support remoteproc: core: Refactor resource table cleanup into rproc_release_fw remoteproc: core: Add TEE interface support for firmware release dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 ++- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 77 ++- drivers/remoteproc/remoteproc_tee.c | 486 ++++++++++++++++++ drivers/remoteproc/stm32_rproc.c | 147 ++++-- include/linux/remoteproc.h | 5 + include/linux/remoteproc_tee.h | 109 ++++ 8 files changed, 836 insertions(+), 57 deletions(-) create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 5be63fc19fcaa4c236b307420483578a56986a37 -- 2.25.1

1 month, 3 weeks

5
24
0 0

[PATCH v1 1/1] tee: amdtee: Use %pUl printk() format specifier to print GUIDs

by Andy Shevchenko

Replace the custom approach with the %pUl printk() format specifier. No functional change intended. Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> --- drivers/tee/amdtee/core.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/drivers/tee/amdtee/core.c b/drivers/tee/amdtee/core.c index e487231d25dc..d3201eff1b74 100644 --- a/drivers/tee/amdtee/core.c +++ b/drivers/tee/amdtee/core.c @@ -14,6 +14,7 @@ #include <linux/mm.h> #include <linux/uaccess.h> #include <linux/firmware.h> +#include <linux/uuid.h> #include "amdtee_private.h" #include <linux/psp-tee.h> @@ -172,21 +173,11 @@ static int copy_ta_binary(struct tee_context *ctx, void *ptr, void **ta, { const struct firmware *fw; char fw_name[TA_PATH_MAX]; - struct { - u32 lo; - u16 mid; - u16 hi_ver; - u8 seq_n[8]; - } *uuid = ptr; int n, rc = 0; + guid_t uuid; - n = snprintf(fw_name, TA_PATH_MAX, - "%s/%08x-%04x-%04x-%02x%02x%02x%02x%02x%02x%02x%02x.bin", - TA_LOAD_PATH, uuid->lo, uuid->mid, uuid->hi_ver, - uuid->seq_n[0], uuid->seq_n[1], - uuid->seq_n[2], uuid->seq_n[3], - uuid->seq_n[4], uuid->seq_n[5], - uuid->seq_n[6], uuid->seq_n[7]); + import_guid(&uuid, ptr); + n = snprintf(fw_name, TA_PATH_MAX, "%s/%pUl.bin", TA_LOAD_PATH, &uuid); if (n < 0 || n >= TA_PATH_MAX) { pr_err("failed to get firmware name\n"); return -EINVAL; -- 2.43.0.rc1.1336.g36b5255a03ac

2 months

4
9
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting September 24

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details see the calendar at https://www.trustedfirmware.org/meetings/ I've started to work on importing the TA specific part of fTPM into the OP-TEE git, based on the patches published at https://github.com/zeschg/ms-tpm-20-ref/tree/feat_add_tee_crypto replacing the third-party crypto library with TEE Internal core API. I'd appreciate help reviewing this when I publish the work. We'll need a way to test that the imported fTPM implementation works as expected, preferably something we can have in our CI loop. Are there any other topics? Cheers, Jens

2 months

1
0
0 0

[PATCH next] optee: Fix a NULL vs IS_ERR() check

by Dan Carpenter

The tee_shm_get_va() function never returns NULL, it returns error pointers. Update the check to match. Fixes: f0c8431568ee ("optee: probe RPMB device using RPMB subsystem") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/optee/rpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c index a4b49fd1d46d..ebbbd42b0e3e 100644 --- a/drivers/tee/optee/rpc.c +++ b/drivers/tee/optee/rpc.c @@ -332,7 +332,7 @@ static void handle_rpc_func_rpmb_probe_next(struct tee_context *ctx, } buf = tee_shm_get_va(params[1].u.memref.shm, params[1].u.memref.shm_offs); - if (!buf) { + if (IS_ERR(buf)) { arg->ret = TEEC_ERROR_BAD_PARAMETERS; return; } -- 2.45.2

2 months, 2 weeks

3
2
0 0

2024

2023

2022

2021

2020

OP-TEE