Add support for TEE based trusted keys where TEE provides the functionality
to seal and unseal trusted keys using hardware unique key. Also, this is
an alternative in case platform doesn't possess a TPM device.
This patch-set has been tested with OP-TEE based early TA which is already
merged in upstream [1].
[1] https://github.com/OP-TEE/optee_os/commit/f86ab8e7e0de869dfa25ca05a37ee070d…
Changes in v6:
1. Revert back to dynamic detection of trust source.
2. Drop author mention from trusted_core.c and trusted_tpm1.c files.
3. Rebased to latest tpmdd/master.
Changes in v5:
1. Drop dynamic detection of trust source and use compile time flags
instead.
2. Rename trusted_common.c -> trusted_core.c.
3. Rename callback: cleanup() -> exit().
4. Drop "tk" acronym.
5. Other misc. comments.
6. Added review tags for patch #3 and #4.
Changes in v4:
1. Pushed independent TEE features separately:
- Part of recent TEE PR: https://lkml.org/lkml/2020/5/4/1062
2. Updated trusted-encrypted doc with TEE as a new trust source.
3. Rebased onto latest tpmdd/master.
Changes in v3:
1. Update patch #2 to support registration of multiple kernel pages.
2. Incoporate dependency patch #4 in this patch-set:
https://patchwork.kernel.org/patch/11091435/
Changes in v2:
1. Add reviewed-by tags for patch #1 and #2.
2. Incorporate comments from Jens for patch #3.
3. Switch to use generic trusted keys framework.
Sumit Garg (4):
KEYS: trusted: Add generic trusted keys framework
KEYS: trusted: Introduce TEE based Trusted Keys
doc: trusted-encrypted: updates with TEE as a new trust source
MAINTAINERS: Add entry for TEE based Trusted Keys
Documentation/security/keys/trusted-encrypted.rst | 203 ++++++++++---
MAINTAINERS | 8 +
include/keys/trusted-type.h | 42 +++
include/keys/trusted_tee.h | 55 ++++
include/keys/trusted_tpm.h | 17 +-
security/keys/trusted-keys/Makefile | 2 +
security/keys/trusted-keys/trusted_core.c | 325 +++++++++++++++++++++
security/keys/trusted-keys/trusted_tee.c | 278 ++++++++++++++++++
security/keys/trusted-keys/trusted_tpm1.c | 336 ++++------------------
9 files changed, 939 insertions(+), 327 deletions(-)
create mode 100644 include/keys/trusted_tee.h
create mode 100644 security/keys/trusted-keys/trusted_core.c
create mode 100644 security/keys/trusted-keys/trusted_tee.c
--
2.7.4
> When shm->num_pages <= 0, we should avoid calling
> release_registered_pages() in error handling path.
* Would an imperative wording become helpful for the change description?
* I suggest to add the tag “Fixes” to the commit message.
Regards,
Markus
Hi Peng,
> On 3 Sep 2020, at 10:34, Jens Wiklander via OP-TEE <op-tee(a)lists.trustedfirmware.org> wrote:
>
> Hi Peng,
>
> On Fri, Aug 28, 2020 at 9:10 AM Peng Fan via OP-TEE
> <op-tee(a)lists.trustedfirmware.org> wrote:
>>
>> I was not able to join the meeting. Just wonder for S-EL2, is there any platform supporting it? How to test?
Just to be sure, you mean support for running OP-TEE under a Hypervisor/SPM in S-EL2?
Cheers,
Achin
>
> This is tested and developed using FVP as far as I know.
>
> Cheers,
> Jens
>
>>
>> Thanks,
>> Peng.
>>
>> From: Joakim Bech [mailto:joakim.bech@linaro.org]
>> Sent: 2020年8月27日 16:21
>> To: op-tee(a)lists.trustedfirmware.org
>> Subject: Re: Linaro OP-TEE Contributions meeting Aug 2020
>>
>> Hi,
>>
>> Just a friendly reminder, that we have the first public "Linaro OP-TEE Contributions" meeting taking place later today.
>> 2020-08-27(a)16.00<mailto:2020-08-27@16.00> UTC+2, 1h duration (for other timezones, use this URL https://everytimezone.com/s/12a83ab5<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feverytime…>). Connection details and etc can be found in the email below.
>>
>> This time I've also included more people on BCC who might not have subscribed to the <op-tee(a)lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org>> list.
>>
>> Regards,
>> Joakim
>>
>> On Wed, 19 Aug 2020 at 15:52, Joakim Bech via OP-TEE <op-tee(a)lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org>> wrote:
>> Hi,
>>
>> As part of opening up Linaro projects to the general public we plan to have
>> an open monthly meeting where we discuss Linaro's activities around OP-TEE.
>> The way that we've planned to do this is that we send out an email to this
>> email list (https://lists.trustedfirmware.org/mailman/listinfo/op-tee<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…>) to
>> gather topics to discuss. If there are no topics, then there is no meeting.
>> Anyone can suggest a topic by replying to this email thread.
>>
>> As a first topic for this first meeting, we want to talk a bit about:
>> - Linaro and the relation to TrustedFirmware.org when it comes to OP-TEE.
>> - Where to find information.
>> - What is on the agenda for the next development cycle.
>>
>> Calendar invitation? I could just send one out here and now, but due to
>> Zoom bombing and that it'd be a logistic exercise inviting people, I've
>> decided to try another approach and that is to provide the connection
>> details in the meeting notes and leave it up to the attendees to add it to
>> their own calendars. To try to limit confusion I've explicitly added the
>> timezone and a link to everytimezone.com<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Feverytimez…> so it should be easy to get the
>> information in your own timezone. If this approach doesn't turn out to be
>> good, then we will try something different in the future (I understand that
>> canceling or shifting day/time will become a problem).
>>
>> Meeting details:
>> ---------------
>> Date/time: Thursday Aug 27th(a)16.00<mailto:27th@16.00> (UTC+2)
>> https://everytimezone.com/s/12a83ab5<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feverytime…>
>> Invitation/connection details: In the meeting notes
>> Meeting notes:
>> https://docs.google.com/document/d/15XsqgGktCrRRWiqyaz-erp_cZykwGjkBkhMD2Xt…<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.goog…>
>>
>> Regards,
>> Joakim on behalf of the Linaro OP-TEE team
>> --
>> OP-TEE mailing list
>> OP-TEE(a)lists.trustedfirmware.org<mailto:OP-TEE@lists.trustedfirmware.org>
>> https://lists.trustedfirmware.org/mailman/listinfo/op-tee<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…>
Hi Peng,
On Fri, Aug 28, 2020 at 9:10 AM Peng Fan via OP-TEE
<op-tee(a)lists.trustedfirmware.org> wrote:
>
> I was not able to join the meeting. Just wonder for S-EL2, is there any platform supporting it? How to test?
This is tested and developed using FVP as far as I know.
Cheers,
Jens
>
> Thanks,
> Peng.
>
> From: Joakim Bech [mailto:joakim.bech@linaro.org]
> Sent: 2020年8月27日 16:21
> To: op-tee(a)lists.trustedfirmware.org
> Subject: Re: Linaro OP-TEE Contributions meeting Aug 2020
>
> Hi,
>
> Just a friendly reminder, that we have the first public "Linaro OP-TEE Contributions" meeting taking place later today.
> 2020-08-27(a)16.00<mailto:2020-08-27@16.00> UTC+2, 1h duration (for other timezones, use this URL https://everytimezone.com/s/12a83ab5<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feverytime…>). Connection details and etc can be found in the email below.
>
> This time I've also included more people on BCC who might not have subscribed to the <op-tee(a)lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org>> list.
>
> Regards,
> Joakim
>
> On Wed, 19 Aug 2020 at 15:52, Joakim Bech via OP-TEE <op-tee(a)lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org>> wrote:
> Hi,
>
> As part of opening up Linaro projects to the general public we plan to have
> an open monthly meeting where we discuss Linaro's activities around OP-TEE.
> The way that we've planned to do this is that we send out an email to this
> email list (https://lists.trustedfirmware.org/mailman/listinfo/op-tee<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…>) to
> gather topics to discuss. If there are no topics, then there is no meeting.
> Anyone can suggest a topic by replying to this email thread.
>
> As a first topic for this first meeting, we want to talk a bit about:
> - Linaro and the relation to TrustedFirmware.org when it comes to OP-TEE.
> - Where to find information.
> - What is on the agenda for the next development cycle.
>
> Calendar invitation? I could just send one out here and now, but due to
> Zoom bombing and that it'd be a logistic exercise inviting people, I've
> decided to try another approach and that is to provide the connection
> details in the meeting notes and leave it up to the attendees to add it to
> their own calendars. To try to limit confusion I've explicitly added the
> timezone and a link to everytimezone.com<https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Feverytimez…> so it should be easy to get the
> information in your own timezone. If this approach doesn't turn out to be
> good, then we will try something different in the future (I understand that
> canceling or shifting day/time will become a problem).
>
> Meeting details:
> ---------------
> Date/time: Thursday Aug 27th(a)16.00<mailto:27th@16.00> (UTC+2)
> https://everytimezone.com/s/12a83ab5<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feverytime…>
> Invitation/connection details: In the meeting notes
> Meeting notes:
> https://docs.google.com/document/d/15XsqgGktCrRRWiqyaz-erp_cZykwGjkBkhMD2Xt…<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.goog…>
>
> Regards,
> Joakim on behalf of the Linaro OP-TEE team
> --
> OP-TEE mailing list
> OP-TEE(a)lists.trustedfirmware.org<mailto:OP-TEE@lists.trustedfirmware.org>
> https://lists.trustedfirmware.org/mailman/listinfo/op-tee<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…>
Hello arm-soc maintainers,
Please pull this small patch fixing a build issue in the previous OP-TEE
I2C patch. The test IS_REACHABLE(CONFIG_I2C) is used instead of
IS_ENABLED(CONFIG_I2C) to see if the I2C functions are available from
the OP-TEE driver.
If you rather have the patches squashed feel free to do so.
Thanks,
Jens
The following changes since commit c05210ab975771e161427eb47696b869d820bdaf:
drivers: optee: allow op-tee to access devices on the i2c bus (2020-08-21 11:41:45 +0200)
are available in the Git repository at:
git://git.linaro.org:/people/jens.wiklander/linux-tee.git tags/optee-i2c-fix-for-v5.10
for you to fetch changes up to 539f8fc253ece5501fdea1a6aa227d0618374111:
drivers: optee: fix i2c build issue (2020-09-01 12:03:16 +0200)
----------------------------------------------------------------
Make sure I2C functions used in OP-TEE are reachable with IS_REACHABLE()
----------------------------------------------------------------
Jorge Ramirez-Ortiz (1):
drivers: optee: fix i2c build issue
drivers/tee/optee/rpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Hi,
Just a friendly reminder, that we have the first public "Linaro OP-TEE
Contributions" meeting taking place later today.
2020-08-27(a)16.00 UTC+2, 1h duration (for other timezones, use this URL
https://everytimezone.com/s/12a83ab5). Connection details and etc can be
found in the email below.
This time I've also included more people on BCC who might not have
subscribed to the <op-tee(a)lists.trustedfirmware.org> list.
Regards,
Joakim
On Wed, 19 Aug 2020 at 15:52, Joakim Bech via OP-TEE <
op-tee(a)lists.trustedfirmware.org> wrote:
> Hi,
>
> As part of opening up Linaro projects to the general public we plan to have
> an open monthly meeting where we discuss Linaro's activities around OP-TEE.
> The way that we've planned to do this is that we send out an email to this
> email list (https://lists.trustedfirmware.org/mailman/listinfo/op-tee) to
> gather topics to discuss. If there are no topics, then there is no meeting.
> Anyone can suggest a topic by replying to this email thread.
>
> As a first topic for this first meeting, we want to talk a bit about:
> - Linaro and the relation to TrustedFirmware.org when it comes to OP-TEE.
> - Where to find information.
> - What is on the agenda for the next development cycle.
>
> Calendar invitation? I could just send one out here and now, but due to
> Zoom bombing and that it'd be a logistic exercise inviting people, I've
> decided to try another approach and that is to provide the connection
> details in the meeting notes and leave it up to the attendees to add it to
> their own calendars. To try to limit confusion I've explicitly added the
> timezone and a link to everytimezone.com so it should be easy to get the
> information in your own timezone. If this approach doesn't turn out to be
> good, then we will try something different in the future (I understand that
> canceling or shifting day/time will become a problem).
>
> Meeting details:
> ---------------
> Date/time: Thursday Aug 27th(a)16.00 (UTC+2)
> https://everytimezone.com/s/12a83ab5
> Invitation/connection details: In the meeting notes
> Meeting notes:
>
> https://docs.google.com/document/d/15XsqgGktCrRRWiqyaz-erp_cZykwGjkBkhMD2Xt…
>
> Regards,
> Joakim on behalf of the Linaro OP-TEE team
> --
> OP-TEE mailing list
> OP-TEE(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/op-tee
>
Hello arm-soc maintainers,
Please pull this small patch converting the tee subsystem to use
pin_user_pages() instead of get_user_pages().
Thanks,
Jens
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
are available in the Git repository at:
git://git.linaro.org/people/jens.wiklander/linux-tee.git tags/tee-pin-user-pages-for-5.10
for you to fetch changes up to 4300cd6374a5192a2c8122a4a48ed647bdcb0214:
tee: convert get_user_pages() --> pin_user_pages() (2020-08-25 11:01:06 +0200)
----------------------------------------------------------------
Converts tee subsystem to use pin_user_pages() instead of get_user_pages()
----------------------------------------------------------------
John Hubbard (1):
tee: convert get_user_pages() --> pin_user_pages()
drivers/tee/tee_shm.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
Hello arm-soc maintainers,
Please pull this patch enabling a TEE client to indicate a NULL pointer
instead of a valid buffer when invoking a Trusted Application.
Thanks,
Jens
The following changes since commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5:
Linux 5.9-rc1 (2020-08-16 13:04:57 -0700)
are available in the Git repository at:
git://git.linaro.org/people/jens.wiklander/linux-tee.git tags/tee-memref-null-for-v5.10
for you to fetch changes up to ba171d3f0850003216fd1a85190d17b1feddb961:
driver: tee: Handle NULL pointer indication from client (2020-08-21 08:55:13 +0200)
----------------------------------------------------------------
Handle NULL pointer indication from tee client
Adds support to indicate NULL pointers instead of a valid buffer when
querying the needed size of a buffer.
----------------------------------------------------------------
Cedric Neveux (1):
driver: tee: Handle NULL pointer indication from client
drivers/tee/optee/core.c | 7 +++++++
drivers/tee/optee/optee_smc.h | 3 +++
drivers/tee/tee_core.c | 49 +++++++++++++++++++++++++++----------------
include/linux/tee_drv.h | 3 +++
include/uapi/linux/tee.h | 13 ++++++++++++
5 files changed, 57 insertions(+), 18 deletions(-)
