Hi Peng,
On 3 Sep 2020, at 11:14, Peng Fan peng.fan@nxp.com wrote:
Subject: Re: Linaro OP-TEE Contributions meeting Aug 2020
Hi Peng,
On 3 Sep 2020, at 10:34, Jens Wiklander via OP-TEE
op-tee@lists.trustedfirmware.org wrote:
Hi Peng,
On Fri, Aug 28, 2020 at 9:10 AM Peng Fan via OP-TEE op-tee@lists.trustedfirmware.org wrote:
I was not able to join the meeting. Just wonder for S-EL2, is there any
platform supporting it? How to test?
Just to be sure, you mean support for running OP-TEE under a Hypervisor/SPM in S-EL2?
Yes. Actually I not follow the design decision that supporting multiple TEEs in secure world. But anyway current OP-TEE support multiple XEN VMs contributed by EPAM, could this not serve normal world VM per future requirement?
A couple of things assuming I am understanding your question/concern correctly.
S-EL2 enables deployment of multiple TEEs. However, this is not the only use case. More importantly, it allows the TEE to access only the physical address space it needs to. This helps in mitigating attacks on the Normal world from the TEE. Furthermore, it enables isolation/separation of a TEE from privileged firmware in EL3 and S-EL2. This helps in compartmentalising the TCB if not reduce its size altogether. So there is the “defense in depth/principle of least privilege” argument too.
This is the first step in the S-EL2 enablement story for OP-TEE i.e. run OP-TEE as a Secure VM under TF-A in EL3 and SPM in S-EL2. We have done some work on the FVP within Arm to enable this and will share it with Jens and publicly soon.
Multiple-TEEs is a deployment choice. For example, Vendor A has TEE1 on which its Trusted Apps run. Vendor B has TEE2 which implements drivers to Secure peripherals that TAs of TEE1 need. It might not be practical or feasible for Vendor A to port its TAs to TEE2. Hence, the two TEEs need to co-exist and communicate. S-EL2 enables isolation between TEE1 and TEE2. This helps reduce the level of trust that TEE2 should have on TEE1 and vice-versa.
EPAM’s contribution adds awareness of virtualisation in the Normal world to OP-TEE. This enables OP-TEE to isolate communication channels, data etc associated with one VM from another. Without this isolation, there is a risk of information of one VM leaking into another. Jens should have more detail on this topic.
I hope this helps to clarify your concerns. Please let me know.
Cheers, Achin
Thanks, Peng.
Cheers, Achin
This is tested and developed using FVP as far as I know.
Cheers, Jens
Thanks, Peng.
From: Joakim Bech [mailto:joakim.bech@linaro.org] Sent: 2020年8月27日 16:21 To: op-tee@lists.trustedfirmware.org Subject: Re: Linaro OP-TEE Contributions meeting Aug 2020
Hi,
Just a friendly reminder, that we have the first public "Linaro OP-TEE
Contributions" meeting taking place later today.
2020-08-27@16.00mailto:2020-08-27@16.00 UTC+2, 1h duration (for
other timezones, use this URL https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feveryti mezone.com%2Fs%2F12a83ab5&data=02%7C01%7Cpeng.fan%40nxp.co m%7C66d0df88519741b75aff08d84fef6af3%7C686ea1d3bc2b4c6fa92cd99c5 c301635%7C0%7C0%7C637347236997122381&sdata=3T5L%2F0kMhB GT%2BTu1FWxClGihm1mcKIhe52xYJeCUc68%3D&reserved=0https://e ur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feverytimezone. com%2Fs%2F12a83ab5&data=02%7C01%7Cpeng.fan%40nxp.com%7C6 6d0df88519741b75aff08d84fef6af3%7C686ea1d3bc2b4c6fa92cd99c5c30163 5%7C0%7C0%7C637347236997122381&sdata=3T5L%2F0kMhBGT%2BT u1FWxClGihm1mcKIhe52xYJeCUc68%3D&reserved=0). Connection details and etc can be found in the email below.
This time I've also included more people on BCC who might not have
subscribed to the <op-tee@lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org
list.
Regards, Joakim
On Wed, 19 Aug 2020 at 15:52, Joakim Bech via OP-TEE
<op-tee@lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org
wrote: Hi,
As part of opening up Linaro projects to the general public we plan to have an open monthly meeting where we discuss Linaro's activities
around OP-TEE.
The way that we've planned to do this is that we send out an email to this email list
(https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tr ustedfirmware.org%2Fmailman%2Flistinfo%2Fop-tee&data=02%7C01% 7Cpeng.fan%40nxp.com%7C66d0df88519741b75aff08d84fef6af3%7C686ea1 d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637347236997122381&s data=7fvZW6dyQ3xlsH0WqW%2BEXnzkmSvNinZwf3oYR%2BOP4U8%3D&am p;reserved=0https://eur01.safelinks.protection.outlook.com/?url=https%3A %2F%2Flists.trustedfirmware.org%2Fmailman%2Flistinfo%2Fop-tee&dat a=02%7C01%7Cpeng.fan%40nxp.com%7C66d0df88519741b75aff08d84fef6af 3%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C63734723699712 2381&sdata=7fvZW6dyQ3xlsH0WqW%2BEXnzkmSvNinZwf3oYR%2BOP4 U8%3D&reserved=0) to gather topics to discuss. If there are no topics, then there is no meeting.
Anyone can suggest a topic by replying to this email thread.
As a first topic for this first meeting, we want to talk a bit about:
- Linaro and the relation to TrustedFirmware.org when it comes to OP-TEE.
- Where to find information.
- What is on the agenda for the next development cycle.
Calendar invitation? I could just send one out here and now, but due to Zoom bombing and that it'd be a logistic exercise inviting people, I've decided to try another approach and that is to provide the connection details in the meeting notes and leave it up to the attendees to add it to their own calendars. To try to limit confusion I've explicitly added the timezone and a link to everytimezone.com<https://eur01.safelinks.protection.outlook.com/?url
=http%3A%2F%2Feverytimezone.com%2F&data=02%7C01%7Cpeng.fan %40nxp.
com%7C66d0df88519741b75aff08d84fef6af3%7C686ea1d3bc2b4c6fa92cd99 c5c301635%7C0%7C0%7C637347236997122381&sdata=1sod0wFduTTl zsTmEz%2F0J4qJSIu1e15Js423GmXGyTQ%3D&reserved=0> so it should be easy to get the information in your own timezone. If this approach doesn't turn out to be good, then we will try something different in the future (I understand that canceling or shifting day/time will become a problem).
Meeting details:
Date/time: Thursday Aug 27th@16.00mailto:27th@16.00 (UTC+2) https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feve
rytimezone.com%2Fs%2F12a83ab5&data=02%7C01%7Cpeng.fan%40nx p.com%7
C66d0df88519741b75aff08d84fef6af3%7C686ea1d3bc2b4c6fa92cd99c5c301 635%
7C0%7C0%7C637347236997122381&sdata=3T5L%2F0kMhBGT%2BTu1F WxClGihm1
mcKIhe52xYJeCUc68%3D&reserved=0<https://eur01.safelinks.protectio
n.outlook.com/?url=https%3A%2F%2Feverytimezone.com%2Fs%2F12a83ab5 &
;data=02%7C01%7Cpeng.fan%40nxp.com%7C66d0df88519741b75aff08d8
4fef6af3
%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637347236997
122381&
sdata=3T5L%2F0kMhBGT%2BTu1FWxClGihm1mcKIhe52xYJeCUc68%3D&am p;reserved
=0> Invitation/connection details: In the meeting notes Meeting notes: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdoc
s.google.com%2Fdocument%2Fd%2F15XsqgGktCrRRWiqyaz-erp_cZykwGjkBk hMD2X
tUlUY&data=02%7C01%7Cpeng.fan%40nxp.com%7C66d0df88519741b7 5aff08d
84fef6af3%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C6373472 3699713
2377&sdata=p03kMVWuiSLGZvtkCpK1tHlW%2Fodgv924%2BW9YrU1ZCT Y%3D&
;reserved=0<https://eur01.safelinks.protection.outlook.com/?url=https %3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F15XsqgGktCrRRWiqy
az-erp_cZy
kwGjkBkhMD2XtUlUY&data=02%7C01%7Cpeng.fan%40nxp.com%7C66d 0df88519
741b75aff08d84fef6af3%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C 0%7C63
7347236997132377&sdata=p03kMVWuiSLGZvtkCpK1tHlW%2Fodgv924 %2BW9YrU
1ZCTY%3D&reserved=0>
Regards, Joakim on behalf of the Linaro OP-TEE team -- OP-TEE mailing list OP-TEE@lists.trustedfirmware.orgmailto:OP-TEE@lists.trustedfirmware. org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis
ts.trustedfirmware.org%2Fmailman%2Flistinfo%2Fop-tee&data=02%7C0 1
%7Cpeng.fan%40nxp.com%7C66d0df88519741b75aff08d84fef6af3%7C68
6ea1d3bc
2b4c6fa92cd99c5c301635%7C0%7C0%7C637347236997132377&sdata =cgkP%2B
DaYQpahvfbuiWsBoLjrTLayJkta%2F5rMX0tOteI%3D&reserved=0<https:/ /eu
r01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.trusted
firmware.org%2Fmailman%2Flistinfo%2Fop-tee&data=02%7C01%7Cpen g.fa
n%40nxp.com%7C66d0df88519741b75aff08d84fef6af3%7C686ea1d3bc2b4c 6fa92c
d99c5c301635%7C0%7C0%7C637347236997132377&sdata=cgkP%2BD aYQpahvfb
uiWsBoLjrTLayJkta%2F5rMX0tOteI%3D&reserved=0>