From: Allen Pais <apais(a)linux.microsoft.com>
The following out of memory errors are seen on kexec reboot
from the optee core.
[ 0.368428] tee_bnxt_fw optee-clnt0: tee_shm_alloc failed
[ 0.368461] tee_bnxt_fw: probe of optee-clnt0 failed with error -22
tee_shm_release() is not invoked on dma shm buffer.
Implement .shutdown() in optee core as well as bnxt firmware driver
to handle the release of the buffers correctly.
More info:
https://github.com/OP-TEE/optee_os/issues/3637
Allen Pais (2):
optee: fix tee out of memory failure seen during kexec reboot
firmware: tee_bnxt: implement shutdown method to handle kexec reboots
drivers/firmware/broadcom/tee_bnxt_fw.c | 9 ++++
drivers/tee/optee/core.c | 69 ++++++++++++++++++-------
2 files changed, 58 insertions(+), 20 deletions(-)
--
2.25.1
Hi,
LOC monthly meeting is planned to take place on Thursday February 25th @
16.00 (UTC+1).
We're looking for topics to discuss in general. Eventually we'll have a
presentation from Achin Gupta from Arm talking about the FF-A spec.
Meeting details:
---------------
Date/time: Thursday Feb 25th(a)16.00 (UTC+1)
https://everytimezone.com/s/c4e5d6a3
Connection details: https://www.trustedfirmware.org/meetings/
Meeting notes: http://bit.ly/loc-notes
Project page: https://www.linaro.org/projects/#LOC
Regards,
Joakim on behalf of the Linaro OP-TEE team
Hi Robert,
On 2/22/21 11:01 AM, Robert Delien via OP-TEE wrote:
> Hi,
>
> In imx_csu.c, the Central Security Unit's CSU_CSL*n* registers are set,
> configuring access privileges for different peripherals. These registers
> range from CSU_CSL0 (@ 0x021c0000) to CSU_CSL39 (@ 0x021c009c).
>
> The different i.MX6 platform variants each have their individual tables,
> filled with sets of CSL index and register value, terminated by a sentinel
> set with the index set to -1. (the reason for the parentheses around -1
> espaces me)
>
> in .../core/arch/arm/plat-imx/drivers/imx_csu.c:csu_init()@115, a while
> loop runs through this aforementioned table, setting the CSL registers
> according to the table. However, this loop loops on CSL index values > 0:
> while (csu_setting->csu_index *>* 0) {
> io_write32(csu_base + (csu_setting->csu_index * 4),
> csu_setting->value);
>
> csu_setting++;
> }
> I think it should loop on CSL index values >= 0, because index 0 is a valid
> index, utilized for the PWM peripherals. (I also think csl_index is a more
> descriptive name, but that's besides the point).
>
> I have attached a patch for his.
It does look like a genuine bug to me, but I will let the i.MX expert
comment further. Unfortunately, the OP-TEE ML strips attachments. Would
you mind creating a GitHub pull request [1] (preferred method), or send
the patch inline?
[1] https://github.com/OP-TEE/optee_os/pulls
Thanks,
--
Jerome
Hi,
In imx_csu.c, the Central Security Unit's CSU_CSL*n* registers are set,
configuring access privileges for different peripherals. These registers
range from CSU_CSL0 (@ 0x021c0000) to CSU_CSL39 (@ 0x021c009c).
The different i.MX6 platform variants each have their individual tables,
filled with sets of CSL index and register value, terminated by a sentinel
set with the index set to -1. (the reason for the parentheses around -1
espaces me)
in .../core/arch/arm/plat-imx/drivers/imx_csu.c:csu_init()@115, a while
loop runs through this aforementioned table, setting the CSL registers
according to the table. However, this loop loops on CSL index values > 0:
while (csu_setting->csu_index *>* 0) {
io_write32(csu_base + (csu_setting->csu_index * 4),
csu_setting->value);
csu_setting++;
}
I think it should loop on CSL index values >= 0, because index 0 is a valid
index, utilized for the PWM peripherals. (I also think csl_index is a more
descriptive name, but that's besides the point).
I have attached a patch for his.
With kind regards,
Robert.
--
DISCLAIMER
De informatie, verzonden in of met dit e-mailbericht, is
vertrouwelijk en uitsluitend voor de geadresseerde(n) bestemd. Het gebruik
van de informatie in dit bericht, de openbaarmaking, vermenigvuldiging,
verspreiding en|of verstrekking daarvan aan derden is niet toegestaan.
Gebruik van deze informatie door anderen dan geadresseerde(n) is strikt
verboden. Aan deze informatie kunnen geen rechten worden ontleend. U wordt
verzocht bij onjuiste adressering de afzender direct te informeren door het
bericht te retourneren en het bericht uit uw computersysteem te verwijderen.
Add support for TEE based trusted keys where TEE provides the functionality
to seal and unseal trusted keys using hardware unique key. Also, this is
an alternative in case platform doesn't possess a TPM device.
This patch-set has been tested with OP-TEE based early TA which is already
merged in upstream [1].
[1] https://github.com/OP-TEE/optee_os/commit/f86ab8e7e0de869dfa25ca05a37ee070d…
Changes in v8:
1. Added static calls support instead of indirect calls.
2. Documented trusted keys source module parameter.
3. Refined patch #1 commit message discription.
4. Addressed misc. comments on patch #2.
5. Added myself as Trusted Keys co-maintainer instead.
6. Rebased to latest tpmdd master.
Changes in v7:
1. Added a trusted.source module parameter in order to enforce user's
choice in case a particular platform posses both TPM and TEE.
2. Refine commit description for patch #1.
Changes in v6:
1. Revert back to dynamic detection of trust source.
2. Drop author mention from trusted_core.c and trusted_tpm1.c files.
3. Rebased to latest tpmdd/master.
Changes in v5:
1. Drop dynamic detection of trust source and use compile time flags
instead.
2. Rename trusted_common.c -> trusted_core.c.
3. Rename callback: cleanup() -> exit().
4. Drop "tk" acronym.
5. Other misc. comments.
6. Added review tags for patch #3 and #4.
Changes in v4:
1. Pushed independent TEE features separately:
- Part of recent TEE PR: https://lkml.org/lkml/2020/5/4/1062
2. Updated trusted-encrypted doc with TEE as a new trust source.
3. Rebased onto latest tpmdd/master.
Changes in v3:
1. Update patch #2 to support registration of multiple kernel pages.
2. Incoporate dependency patch #4 in this patch-set:
https://patchwork.kernel.org/patch/11091435/
Changes in v2:
1. Add reviewed-by tags for patch #1 and #2.
2. Incorporate comments from Jens for patch #3.
3. Switch to use generic trusted keys framework.
Sumit Garg (4):
KEYS: trusted: Add generic trusted keys framework
KEYS: trusted: Introduce TEE based Trusted Keys
doc: trusted-encrypted: updates with TEE as a new trust source
MAINTAINERS: Add myself as Trusted Keys co-maintainer
Documentation/admin-guide/kernel-parameters.txt | 12 +
Documentation/security/keys/trusted-encrypted.rst | 203 +++++++++++--
MAINTAINERS | 2 +
include/keys/trusted-type.h | 47 +++
include/keys/trusted_tee.h | 55 ++++
include/keys/trusted_tpm.h | 17 +-
security/keys/trusted-keys/Makefile | 2 +
security/keys/trusted-keys/trusted_core.c | 354 ++++++++++++++++++++++
security/keys/trusted-keys/trusted_tee.c | 278 +++++++++++++++++
security/keys/trusted-keys/trusted_tpm1.c | 336 ++++----------------
10 files changed, 979 insertions(+), 327 deletions(-)
create mode 100644 include/keys/trusted_tee.h
create mode 100644 security/keys/trusted-keys/trusted_core.c
create mode 100644 security/keys/trusted-keys/trusted_tee.c
--
2.7.4
Hi Kris,
[CC op-tee(a)lists.trustedfirmware.org the newer ML for OP-TEE which is
now under the TrustedFirmware.org umbrella]
On 2/9/21 11:04 PM, Kris Kwiatkowski wrote:
> Hello,
>
> I've recently been involved in producing PoC, which utilizes OP-TEE
> to produce proof of a secret key possession. That is used during tunnel
> establishment by OpenVPN.
>
> In case someone finds it interesting, for example as kind of "real-world"
> use case of OP-TEE, then details are described here:
> https://www.amongbytes.com/post/20210112-optee-openssl-engine/
Thanks for sharing! It is a well-written article, quite interesting to
read IMO. I always like to see how OP-TEE is used in various scenarios.
As upstream project maintainers we hear about bug reports and we review
new contributions of course, but there is clearly a lot of activity
going on downstream that we don't know much about. Yet, a bit of context
certainly helps take the good decisions for the project going forward!
> and code is here:
> https://github.com/henrydcase/optee_eng
>
> The actual PoC used post-quantum schemes integrated into TEE OS and TF-A
> (secure boot). Those two points are not described really described for brevity
> (and probably there is low interest anyway).
>
> Kind regards,
> Kris
> _______________________________________________
> Tee-dev mailing list
> Tee-dev(a)lists.linaro.org
> https://lists.linaro.org/mailman/listinfo/tee-dev
Thanks,
--
Jerome
Hello arm-soc maintainers,
Please pull this fix eliminating a stack frame size warning and also
simplifying I2C access in the OP-TEE driver.
Thanks,
Jens
The following changes since commit e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62:
Linux 5.11-rc2 (2021-01-03 15:55:30 -0800)
are available in the Git repository at:
git://git.linaro.org/people/jens.wiklander/linux-tee.git tags/optee-simplify-i2c-access_for-v5.12
for you to fetch changes up to 67bc809752796acb2641ca343cad5b45eef31d7c:
optee: simplify i2c access (2021-02-08 13:42:31 +0100)
----------------------------------------------------------------
Simplify i2c acess in OP-TEE driver
----------------------------------------------------------------
Arnd Bergmann (1):
optee: simplify i2c access
drivers/tee/optee/rpc.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)