u-boot.git/include/tee, branch v2021.07 Unnamed repository; edit this file 'description' to name the repository. lib: optee: migration optee_copy_fdt_nodes for OF_LIVE support 2021-04-12T18:25:31+00:00 Patrick Delaunay patrick.delaunay@foss.st.com 2021-02-08T12:54:31+00:00 a2535243e0114a48a4225a38819aa7d9fdc3d02c The optee_copy_fdt_nodes is only used to copy op-tee nodes of U-Boot device tree (from gd->fdt_blob when OF_LIVE is not activated) to external device tree but it is not compatible with OF_LIVE. This patch migrates all used function fdt_ functions to read node on old_blob to ofnode functions, compatible with OF_LIVE and remove this parameter "old_blob". The generated "device tree" is checked on stm32mp platform with OF_LIVE activated. Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com> 
The optee_copy_fdt_nodes is only used to copy op-tee nodes
of U-Boot device tree (from gd->fdt_blob when OF_LIVE is not activated)
to external device tree but it is not compatible with OF_LIVE.

This patch migrates all used function fdt_ functions to read node on
old_blob to ofnode functions, compatible with OF_LIVE and remove this
parameter "old_blob".

The generated "device tree" is checked on stm32mp platform with OF_LIVE
activated.

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
common: SCP03 control (enable and provision of keys) 2021-03-13T18:14:52+00:00 Jorge Ramirez-Ortiz jorge@foundries.io 2021-02-14T15:27:23+00:00 166363f2ed9e72ed3e2bf09d9317d6a5fdafcbea This Trusted Application allows enabling SCP03 as well as provisioning the keys on TEE controlled secure element (ie, NXP SE050). All the information flowing on buses (ie I2C) between the processor and the secure element must be encrypted. Secure elements are pre-provisioned with a set of keys known to the user so that the secure channel protocol (encryption) can be enforced on the first boot. This situation is however unsafe since the keys are publically available. For example, in the case of the NXP SE050, these keys would be available in the OP-TEE source tree [2] and of course in the documentation corresponding to the part. To address that, users are required to rotate/provision those keys (ie, generate new keys and write them in the secure element's persistent memory). For information on SCP03, check the Global Platform HomePage and google for that term [1] [1] globalplatform.org [2] https://github.com/OP-TEE/optee_os/ check: core/drivers/crypto/se050/adaptors/utils/scp_config.c Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Simon Glass <sjg@chromium.org> 
This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).

All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.

For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.

To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).

For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
    check:
    core/drivers/crypto/se050/adaptors/utils/scp_config.c

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
drivers: tee: sandbox: add rpc test ta emulation 2021-02-16T16:48:20+00:00 Igor Opaniuk igor.opaniuk@foundries.io 2021-01-25T12:28:42+00:00 592b98bb9a65748799c6fd245cd990c8af80c2b6 This adds support for RPC test trusted application emulation, which permits to test reverse RPC calls to TEE supplicant. Currently it covers requests to the I2C bus from TEE. Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> 
This adds support for RPC test trusted application emulation, which
permits to test reverse RPC calls to TEE supplicant. Currently it covers
requests to the I2C bus from TEE.

Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
common: Drop image.h from common header 2020-05-18T21:33:33+00:00 Simon Glass sjg@chromium.org 2020-05-10T17:40:01+00:00 4d72caa5b96b71e49b63f98bd8548b194380b544 Move this uncommon header out of the common header. Signed-off-by: Simon Glass <sjg@chromium.org> 
Move this uncommon header out of the common header.

Signed-off-by: Simon Glass <sjg@chromium.org>
image: fdt: copy possible optee nodes to a loaded devicetree 2019-11-14T13:09:34+00:00 Heiko Stuebner heiko.stuebner@theobroma-systems.com 2019-10-23T14:46:40+00:00 6ccb05eae01b660b0585accf338302af1069f419 The loading convention for optee or any other tee on arm64 is as bl32 parameter to the trusted-firmware. So TF-A gets invoked with the TEE as bl32 and main u-boot as bl33. Once it has done its startup TF-A jumps into the bl32 for the TEE startup, returns to TF-A and then jumps to bl33. All of them get passed a devicetree as parameter and all components often get loaded from a FIT image. OP-TEE will create additional nodes in that devicetree namely a firmware node and possibly multiple reserved-memory nodes. While this devicetree is used in main u-boot, in most cases it won't be the one passed to the actual kernel. Instead most boot commands will load a new devicetree from somewhere like mass storage of the network, so if that happens u-boot should transfer the optee nodes to that new devicetree. To make that happen introduce optee_copy_fdt_nodes() called from the dt setup function in image-fdt which after checking for the optee presence in the u-boot dt will make sure a optee node is present in the kernel dt and transfer any reserved-memory regions it can find. Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> 
The loading convention for optee or any other tee on arm64 is as bl32
parameter to the trusted-firmware. So TF-A gets invoked with the TEE as
bl32 and main u-boot as bl33. Once it has done its startup TF-A jumps
into the bl32 for the TEE startup, returns to TF-A and then jumps to bl33.

All of them get passed a devicetree as parameter and all components often
get loaded from a FIT image.

OP-TEE will create additional nodes in that devicetree namely a firmware
node and possibly multiple reserved-memory nodes.

While this devicetree is used in main u-boot, in most cases it won't be
the one passed to the actual kernel. Instead most boot commands will load
a new devicetree from somewhere like mass storage of the network, so if
that happens u-boot should transfer the optee nodes to that new devicetree.

To make that happen introduce optee_copy_fdt_nodes() called from the dt
setup function in image-fdt which after checking for the optee presence
in the u-boot dt will make sure a optee node is present in the kernel dt
and transfer any reserved-memory regions it can find.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
avb: add support for named persistent values 2019-04-26T22:58:22+00:00 Igor Opaniuk igor.opaniuk@gmail.com 2019-04-09T13:38:14+00:00 fc1fe01b08cedd77a194bb82fa81af4fe1e39031 AVB 2.0 spec. revision 1.1 introduces support for named persistent values that must be tamper evident and allows AVB to store arbitrary key-value pairs [1]. Introduce implementation of two additional AVB operations read_persistent_value()/write_persistent_value() for retrieving/storing named persistent values. Correspondent pull request in the OP-TEE OS project repo [2]. [1]: https://android.googlesource.com/platform/external/avb/+/android-9.0.0_r22 [2]: https://github.com/OP-TEE/optee_os/pull/2699 Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org> Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com> 
AVB 2.0 spec. revision 1.1 introduces support for named persistent values
that must be tamper evident and allows AVB to store arbitrary key-value
pairs [1].

Introduce implementation of two additional AVB operations
read_persistent_value()/write_persistent_value() for retrieving/storing
named persistent values.

Correspondent pull request in the OP-TEE OS project repo [2].

[1]: https://android.googlesource.com/platform/external/avb/+/android-9.0.0_r22
[2]: https://github.com/OP-TEE/optee_os/pull/2699

Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
tee: optee: support AVB trusted application 2018-10-07T14:47:38+00:00 Jens Wiklander jens.wiklander@linaro.org 2018-09-25T14:40:15+00:00 1cc8cc4e675e32cde76487292c8bace5fa927eee Adds configuration option OPTEE_TA_AVB and a header file describing the interface to the Android Verified Boot 2.0 (AVB) trusted application provided by OP-TEE. Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org> Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> 
Adds configuration option OPTEE_TA_AVB and a header file describing the
interface to the Android Verified Boot 2.0 (AVB) trusted application
provided by OP-TEE.

Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07T13:34:12+00:00 Tom Rini trini@konsulko.com 2018-05-06T21:58:06+00:00 83d290c56fab2d38cd1ab4c4cc7099559c1d5046 When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini <trini@konsulko.com> 
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>
optee: Add optee_verify_bootm_image() 2018-03-19T20:14:24+00:00 Bryan O'Donoghue bryan.odonoghue@linaro.org 2018-03-13T16:50:33+00:00 c5a6e8bd00cc7257541a904682206bdc0be2bab4 This patch adds optee_verify_bootm_image() which will be subsequently used to verify the parameters encoded in the OPTEE header match the memory allocated to the OPTEE region, OPTEE header magic and version prior to handing off control to the OPTEE image. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Cc: Harinarayan Bhatta <harinarayan@ti.com> Cc: Andrew F. Davis <afd@ti.com> Cc: Tom Rini <trini@konsulko.com> Cc: Kever Yang <kever.yang@rock-chips.com> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com> Cc: Peng Fan <peng.fan@nxp.com> 
This patch adds optee_verify_bootm_image() which will be subsequently used
to verify the parameters encoded in the OPTEE header match the memory
allocated to the OPTEE region, OPTEE header magic and version prior to
handing off control to the OPTEE image.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
optee: Add optee_image_get_load_addr() 2018-03-19T20:14:24+00:00 Bryan O'Donoghue bryan.odonoghue@linaro.org 2018-03-13T16:50:32+00:00 dd5a12e28799366d3c64434f6b347550a4600231 This patch adds optee_image_get_load_addr() a helper function used to calculate the load-address of an OPTEE image based on the lower entry-point address given in the OPTEE header. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Cc: Harinarayan Bhatta <harinarayan@ti.com> Cc: Andrew F. Davis <afd@ti.com> Cc: Tom Rini <trini@konsulko.com> Cc: Kever Yang <kever.yang@rock-chips.com> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com> Cc: Peng Fan <peng.fan@nxp.com> Tested-by: Peng Fan <peng.fan@nxp.com> 
This patch adds optee_image_get_load_addr() a helper function used to
calculate the load-address of an OPTEE image based on the lower
entry-point address given in the OPTEE header.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Harinarayan Bhatta <harinarayan@ti.com>
Cc: Andrew F. Davis <afd@ti.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Peng Fan <peng.fan@nxp.com>
Tested-by: Peng Fan <peng.fan@nxp.com>