On 27 Feb 2024, at 8:14, Sumit Garg wrote:
On Fri, 23 Feb 2024 at 15:23, Balint Dobszay balint.dobszay@arm.com wrote:
Add documentation for the Trusted Services TEE driver.
Signed-off-by: Balint Dobszay balint.dobszay@arm.com
Documentation/tee/index.rst | 1 + Documentation/tee/ts-tee.rst | 71 ++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 Documentation/tee/ts-tee.rst
Acked-by: Sumit Garg sumit.garg@linaro.org
-Sumit
Thanks, I'll apply the tag in the next version.
Regards, Balint
diff --git a/Documentation/tee/index.rst b/Documentation/tee/index.rst index a23bd08847e5..4be6e69d7837 100644 --- a/Documentation/tee/index.rst +++ b/Documentation/tee/index.rst @@ -10,6 +10,7 @@ TEE Subsystem tee op-tee amd-tee
- ts-tee
.. only:: subproject and html
diff --git a/Documentation/tee/ts-tee.rst b/Documentation/tee/ts-tee.rst new file mode 100644 index 000000000000..843e34422648 --- /dev/null +++ b/Documentation/tee/ts-tee.rst @@ -0,0 +1,71 @@ +.. SPDX-License-Identifier: GPL-2.0
+================================= +TS-TEE (Trusted Services project) +=================================
+This driver provides access to secure services implemented by Trusted Services.
+Trusted Services [1] is a TrustedFirmware.org project that provides a framework +for developing and deploying device Root of Trust services in FF-A [2] S-EL0 +Secure Partitions. The project hosts the reference implementation of the Arm +Platform Security Architecture [3] for Arm A-profile devices.
+The FF-A Secure Partitions (SP) are accessible through the FF-A driver [4] which +provides the low level communication for this driver. On top of that the Trusted +Services RPC protocol is used [5]. To use the driver from user space a reference +implementation is provided at [6], which is part of the Trusted Services client +library called libts [7].
+All Trusted Services (TS) SPs have the same FF-A UUID; it identifies the TS RPC +protocol. A TS SP can host one or more services (e.g. PSA Crypto, PSA ITS, etc). +A service is identified by its service UUID; the same type of service cannot be +present twice in the same SP. During SP boot each service in the SP is assigned +an "interface ID". This is just a short ID to simplify message addressing.
+The generic TEE design is to share memory at once with the Trusted OS, which can +then be reused to communicate with multiple applications running on the Trusted +OS. However, in case of FF-A, memory sharing works on an endpoint level, i.e. +memory is shared with a specific SP. User space has to be able to separately +share memory with each SP based on its endpoint ID; therefore a separate TEE +device is registered for each discovered TS SP. Opening the SP corresponds to +opening the TEE device and creating a TEE context. A TS SP hosts one or more +services. Opening a service corresponds to opening a session in the given +tee_context.
+Overview of a system with Trusted Services components::
- User space Kernel space Secure world
- +--------+ +-------------+
- | Client | | Trusted |
- +--------+ | Services SP |
/\ +-------------+|| /\|| |||| ||\/ \/- +-------+ +----------+--------+ +-------------+
- | libts | | TEE | TS-TEE | | FF-A SPMC |
- | | | subsys | driver | | + SPMD |
- +-------+----------------+----+-----+--------+-----------+-------------+
- | Generic TEE API | | FF-A | TS RPC protocol |
- | IOCTL (TEE_IOC_*) | | driver | over FF-A |
- +-----------------------------+ +--------+-------------------------+
+References +==========
+[1] https://www.trustedfirmware.org/projects/trusted-services/
+[2] https://developer.arm.com/documentation/den0077/
+[3] https://www.arm.com/architecture/security-features/platform-security
+[4] drivers/firmware/arm_ffa/
+[5] https://trusted-services.readthedocs.io/en/v1.0.0/developer/service-access-p...
+[6] https://git.trustedfirmware.org/TS/trusted-services.git/tree/components/rpc/...
+[7] https://git.trustedfirmware.org/TS/trusted-services.git/tree/deployments/lib...
2.34.1