Hi Jens,
As we are developing platforms to enable RPMB secure storage + fTPM TA, we realize that the current design of optee-os relying on a user space daemon tee-supplicant to serve requests cannot meet requirements of another open source linux kernel, IMA(Integrity Measurement Architecture). This module will try to collect data from TPM devices, which in our case, is fTPM TA. It has to collect data when kernel space is booting up, so we cannot delay these requests further until user space is up. With RPMB as our secure storage, some requests will be sent back to kernel space, but tee-supplicant context is not yet initialized, which results in IMA detection of TPM devices failed. Therefore, failed on the measurements we need. I am wondering if we have related discussion on how modify the design to serve optee-os requests during kernel bootup. I can't find related topics in LKML archive.
Thank you. Judy.
Cat from /Documentation/ABI/testing/sysfs-bus-optee-devices What: /sys/bus/tee/devices/optee-ta-<uuid>/ Date: May 2020 KernelVersion 5.8 Contact: op-tee@lists.trustedfirmware.orgmailto:op-tee@lists.trustedfirmware.org Description: OP-TEE bus provides reference to registered drivers under this directory. The <uuid> matches Trusted Application (TA) driver and corresponding TA in secure OS. Drivers are free to create needed API under optee-ta-<uuid> directory.
Reference:
fTPM TA: microsoft/MSRSec: Security and Privacy Research at Microsoft (github.com)https://github.com/microsoft/MSRSec IMA enabling: https://sourceforge.net/p/linux-ima/wiki/Home/#enabling-ima-measurement:~:te...