[RFC] Bootstrap ta #1928
[RFC] Bootstrap ta #1928
Conversation
|
Uses OP-TEE/optee_test#240 to install bootstrap TAs Note that the 9000 tests will fail if bootstrap TAs are installed. |
|
Hi @jenswi-linaro, just a quick question: what do you mean when you say "security domain"? |
|
Hi @lorc, this for instance: https://tools.ietf.org/html/draft-pei-opentrustprotocol-04#section-5.3 Note that Security Domains doesn't to have provide isolation between TAs in different Security Domains. A Security Domain is just a TA management domain. |
scripts/sign_bsta.py
Outdated
| @@ -0,0 +1,77 @@ | |||
| #!/usr/bin/env python | |||
There was a problem hiding this comment.
Have you tested this script in both python2 and python3?
There was a problem hiding this comment.
I have now, and it seems to work. :-)
scripts/sign_bsta.py
Outdated
| @@ -0,0 +1,77 @@ | |||
| #!/usr/bin/env python | |||
| # | |||
| # Copyright (c) 2015, Linaro Limited | |||
scripts/sign_bsta.py
Outdated
| # | ||
|
|
||
| def uuid_parse(s): | ||
| from uuid import UUID |
There was a problem hiding this comment.
Please check this script with pycodestyle (or with pip8.py). There will be a lot of warnings.
core/tee/tadb.c
Outdated
|
|
||
| if (db->files) | ||
| return TEE_SUCCESS; | ||
|
|
core/tee/tadb.c
Outdated
|
|
||
| assert(db->refc); | ||
| db->refc--; | ||
| if (db->refc) |
There was a problem hiding this comment.
How you can guarantee thread safety in tadb manipulation?
There was a problem hiding this comment.
These functions are supposed to be called from a static TA which will guarantee thread safety.
There was a problem hiding this comment.
I just realized that these functions are used from core/arch/arm/kernel/tadb_store.c which is outside the pseudo TA context. Ideally I should have a read/write lock to allow concurrent loading of TAs.
core/tee/tadb.c
Outdated
| tadb_put(db); | ||
| } | ||
|
|
||
| static TEE_Result populate_files(struct tee_tadb_dir *db) |
There was a problem hiding this comment.
Purpose of this function is bit unclear to me...
There was a problem hiding this comment.
I guess I thought this function was going to be used by several functions when doing the initial design. Now it's clear it's only needed in tee_tadb_ta_create(). I'll move the implementation into tee_tadb_ta_create() instead.
core/tee/tadb.c
Outdated
| size_t idx; | ||
| const TEE_UUID null_uuid = { 0 }; | ||
|
|
||
| if (db->files) |
There was a problem hiding this comment.
There you return if db->files != NULL...
core/tee/tadb.c
Outdated
| if (!memcmp(&entry.prop.uuid, &null_uuid, sizeof(null_uuid))) | ||
| continue; | ||
|
|
||
| if (test_file(db, entry.file_number)) { |
There was a problem hiding this comment.
... and there you use db->files to check if file_number is stored. But at L265 you ensured that db->files is NULL.
There was a problem hiding this comment.
As this is called in a loop, db->files could have been allocated at this point. test_file() and set_file() deals with that.
core/tee/tadb.c
Outdated
| int i = 0; | ||
|
|
||
| if (!ta) | ||
| res = TEE_ERROR_OUT_OF_MEMORY; |
There was a problem hiding this comment.
Looks like you missed return there.
core/tee/tadb.c
Outdated
| size_t num_bytes = 0; | ||
|
|
||
| while (num_bytes < l) { | ||
| uint8_t b[1024 * 4]; |
There was a problem hiding this comment.
Are you really sure, you want to allocate 4kb on stack?
There was a problem hiding this comment.
You're right, it's a bit excessive. I'll replace it with malloc().
core/arch/arm/pta/management.c
Outdated
| res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(shdr->algo), | ||
| &hash_size); | ||
| if (res != TEE_SUCCESS) | ||
| return res; |
core/arch/arm/pta/management.c
Outdated
|
|
||
| res = crypto_ops.acipher.alloc_rsa_public_key(&key, shdr->sig_size); | ||
| if (res != TEE_SUCCESS) | ||
| return res; |
core/arch/arm/pta/management.c
Outdated
| sizeof(*shdr)); | ||
| if (res) | ||
| goto err_free_hash_ctx; | ||
|
|
|
Addressed comments, except then one with mutex (waiting for the outcome of #1942) |
core/tee/tadb.c
Outdated
| continue; | ||
|
|
||
| if (test_file(db, entry.file_number)) { | ||
| DMSG("Clearing duplicate file number %" PRIu32, |
There was a problem hiding this comment.
If that is not going to happen, then EMSG or at least IMSG will fit much better.
|
|
||
| res = read_ent(db, idx, &entry); | ||
| if (res) { | ||
| if (res == TEE_ERROR_ITEM_NOT_FOUND) |
There was a problem hiding this comment.
It is confusing, that only one successful (apart from L336) return from this function resides in the middle of it.
Now, when I grasped idea of this function, this seems obvious. But it was hard to understand from a first try.
This is just a note. I don't ask you to perform any actions.
core/tee/tadb.c
Outdated
| @@ -670,17 +694,25 @@ TEE_Result tee_tadb_ta_read(struct tee_tadb_ta *ta, void *buf, size_t *len) | |||
| return res; | |||
| } else { | |||
| size_t num_bytes = 0; | |||
| size_t b_size = MIN(SIZE_4K, l - num_bytes); | |||
There was a problem hiding this comment.
You zero out num_bytes at the line above. Better to leave only MIN(SIZE_4k, l). It is easier to read.
scripts/sign_bsta.py
Outdated
| @@ -0,0 +1,77 @@ | |||
| #!/usr/bin/env python | |||
core/include/tee/tee_svc_storage.h
Outdated
| */ | ||
| const struct tee_file_operations *tee_svc_storage_file_ops(uint32_t storage_id); | ||
|
|
||
|
|
There was a problem hiding this comment.
minor: extra empty line.
core/include/signed_hdr.h
Outdated
| @@ -71,5 +72,10 @@ struct shdr { | |||
| #define SHDR_GET_HASH(x) (uint8_t *)(((struct shdr *)(x)) + 1) | |||
| #define SHDR_GET_SIG(x) (SHDR_GET_HASH(x) + (x)->hash_size) | |||
|
|
|||
| struct shdr_bootstrap_ta { | |||
| uint8_t uuid[16]; | |||
There was a problem hiding this comment.
minor: uuid[sizeof(TEE_UUID)] ?
core/include/tee/tadb.h
Outdated
|
|
||
| struct tee_tadb_ta; | ||
|
|
||
| struct tee_tadb_property { |
There was a problem hiding this comment.
maybe add a comment to describe the structure fields.
core/arch/arm/kernel/tadb_store.c
Outdated
| static void secstor_ta_close(struct user_ta_store_handle *h) | ||
| { | ||
| struct tee_tadb_ta *ta = (struct tee_tadb_ta *)h; | ||
| tee_tadb_ta_close(ta); |
There was a problem hiding this comment.
minor: add an empty line.
jenswi-linaro
force-pushed
the
bootstrap_ta
branch
from
8549015
to
f4a4b84
Compare
|
Rebased and squashed on top of master to be able to use the read lock. It turned out atomic reference counting routines where needed too, added that to the beginning of the PR. |
core/include/kernel/refcount.h
Outdated
| unsigned int val; | ||
| }; | ||
|
|
||
| /* Increases refcount by 1, return true if val != 0 else false */ |
There was a problem hiding this comment.
I'm not sure I understand the Api. I read this as "Return true if incremented refcount is not 0.", in which caserefcount_inc() must be changed. If not, maybe clarify the Api.
Same kind of comments on refcount_dec().
There was a problem hiding this comment.
You're right. I'll update the description.
| unsigned int oval = atomic_load_uint(&r->val); | ||
|
|
||
| while (true) { | ||
| nval = oval + 1; |
There was a problem hiding this comment.
I think we should read back in oval an updated value of recount val.
There was a problem hiding this comment.
That's actually taken care of by atomic_cas_uint()
core/tee/tadb.c
Outdated
| * grow the bitfield as needed. | ||
| * | ||
| * At the same time clean out duplicate file numbers, the first | ||
| * entry with the file number has precedence. Duplicate entries is |
There was a problem hiding this comment.
minor: double space beforeDuplicate and before supposed at next line.
| #include <tee/tee_svc_storage.h> | ||
| #include <utee_defines.h> | ||
|
|
||
| #define TADB_MAX_BUFFER_SIZE (64U * 1024) |
There was a problem hiding this comment.
where does this comes from?
There was a problem hiding this comment.
We do need some value, 64KiB is nothing for normal world to allocate as shared memory.
core/tee/tadb.c
Outdated
| #define TADB_TAG_SIZE TEE_AES_BLOCK_SIZE | ||
| #define TADB_KEY_SIZE TEE_AES_MAX_KEY_SIZE | ||
|
|
||
| struct user_ta_store_handle; |
core/include/tee/tadb.h
Outdated
| * TA binary | ||
| * @bin_size: Size of the binary TA | ||
| * @is_ta: True if this is a TA | ||
| * @is_root: True if this is a root SD or a TA without an SD |
There was a problem hiding this comment.
It depends on how you pronounce it, I pronounce it ess-dee
| unsigned int oval = atomic_load_uint(&r->val); | ||
|
|
||
| while (true) { | ||
| nval = oval + 1; |
core/include/tee/tadb.h
Outdated
| */ | ||
| struct tee_tadb_property { | ||
| TEE_UUID uuid; | ||
| TEE_UUID parent;/* parent security domain, zeroes if nonexistent */ |
There was a problem hiding this comment.
minor: tab before comment.
There was a problem hiding this comment.
It doesn't fit on the line then. I'll remove it now that there's a description of the struct above.
|
minor: could you rename the pTA "management" into sometihng like "TA management"? For example management.c being a bit too generic, even in pta/ subdir. Something like ta_management.c? |
|
Update |
|
In order to give an opinion on this RFC, I need to understand the big picture. How does it work (high-level)? What problem are you trying to address? What is different from what we are currently doing? What is a bootstrap TA? Why does it have a different extension as mentioned in the Sorry I don't feel like trying to figure this out from code only :( |
|
Some description available here: |
core/arch/arm/pta/ta_management.c
Outdated
| offs += sizeof(bs_ta); | ||
|
|
||
| memset(&property, 0, sizeof(property)); | ||
| COMPILE_TIME_ASSERT(sizeof(property.uuid) == sizeof(property.uuid)); |
ta/arch/arm/link.mk
Outdated
|
|
||
| $(link-out-dir)/$(binary).bsta: $(link-out-dir)/$(binary).stripped.elf \ | ||
| $(TA_SIGN_KEY) | ||
| @echo ' SIGN $@' |
There was a problem hiding this comment.
@$(cmd-echo-silent) (and fix above)
ta/arch/arm/link.mk
Outdated
| $(link-out-dir)/$(binary).bsta: $(link-out-dir)/$(binary).stripped.elf \ | ||
| $(TA_SIGN_KEY) | ||
| @echo ' SIGN $@' | ||
| $(q)$(SIGN_BSTA) --key $(TA_SIGN_KEY) --uuid $(binary) --version 0 \ |
There was a problem hiding this comment.
s/TA_SIGN_KEY/BSTA_SIGN_KEY/? (default BSTA_SIGN_KEY ?= $(TA_SIGN_KEY))
ta/arch/arm/link.mk
Outdated
| TA_SIGN_KEY ?= $(TA_DEV_KIT_DIR)/keys/default_ta.pem | ||
|
|
||
| all: $(link-out-dir)/$(binary).elf $(link-out-dir)/$(binary).dmp \ | ||
| $(link-out-dir)/$(binary).stripped.elf $(link-out-dir)/$(binary).ta | ||
| $(link-out-dir)/$(binary).stripped.elf $(link-out-dir)/$(binary).ta \ | ||
| $(link-out-dir)/$(binary).bsta |
There was a problem hiding this comment.
Do we really want to always generate a .bsta? Of course it is convenient for testing, but normally only one format will be used. So we should make this optional. For instance, only if Update: following your email and your proposal to have only one TA header (the new bsta one), the last part of this comment is not really relevant. I agree one header format would be more convenient.$(BOOTSTRAP_TA)=y. This variable would be set or not by the Makefile for each TA. And, it could also be set globally for instance when building xtest (make BOOSTRAP_TA=y).
core/arch/arm/kernel/sub.mk
Outdated
| @@ -2,6 +2,9 @@ ifeq ($(CFG_WITH_USER_TA),y) | |||
| srcs-y += user_ta.c | |||
| srcs-$(CFG_REE_FS_TA) += ree_fs_ta.c | |||
| srcs-$(CFG_EARLY_TA) += early_ta.c | |||
|
|
|||
| $(call force,CFG_SECURE_STORAGE_TA,y,required by CFG_MANAGEMENT_PTA) | |||
| srcs-$(CFG_SECURE_STORAGE_TA) += tadb_store.c | |||
There was a problem hiding this comment.
For consistency with ree_fs_ta.c and early_ta.c, tadb_store.c, how about secure_storage_ta.c?
core/include/kernel/refcount.h
Outdated
| * When val becomes 0 refcount_inc() refuses to change the value any longer | ||
| * and returns false. | ||
| * | ||
| * refcount_dec() returns true becuase this call caused the value to become |
There was a problem hiding this comment.
sp
May also be good to say that the function decrements the vallue: "refcount_dec() decrements the value and returns true when the call caused the value to become 0, false otherwise", or something like that.
core/kernel/refcount.c
Outdated
| while (true) { | ||
| nval = oval + 1; | ||
|
|
||
| /* r->val is 0, we can't doing anything more. */ |
core/include/kernel/refcount.h
Outdated
|
|
||
| /* Increases refcount by 1, return true if val > 0 else false */ | ||
| bool refcount_inc(struct refcount *r); | ||
| /* Decreases refcount by 1, return true if val > 0 else false */ |
There was a problem hiding this comment.
return true if val == 0
core/include/kernel/refcount.h
Outdated
| * Reference conter | ||
| * | ||
| * When val becomes 0 refcount_inc() refuses to change the value any longer | ||
| * and returns false. |
There was a problem hiding this comment.
I find the wording a bit weird, a more neutral tone may be better: "When val is 0, refcount_inc() does not change the value and returns false.". You may add "Otherwise, it increments the value and returns true".
core/tee/sub.mk
Outdated
| @@ -40,6 +40,9 @@ srcs-y += tee_obj.c | |||
| srcs-y += tee_pobj.c | |||
| srcs-y += tee_time_generic.c | |||
|
|
|||
| $(call force,CFG_SECURE_STORAGE_TA,y,required by CFG_MANAGEMENT_PTA) | |||
jenswi-linaro
force-pushed
the
bootstrap_ta
branch
2 times, most recently
from
deecfc3
to
87b4bff
Compare
|
Squashed and inserted some extra commit but not rebased to make it easier to compare with the old a2aa4a0 state. History is reordered to instead of adding a new sign script, the old one is replaced/updated and there's no .bsta file any longer. The REE FS TA storage now supports the new TA format as well as the old format. I missed addressing the refcount comments, will make an update commit later. Documentation will also follow later. |
|
Fixes problem with old filenumbers not being reused. |
|
Addresses the refcount comments |
|
Added documentation in #1986 |
core/tee/tadb.c
Outdated
| size_t rl = len; | ||
| struct tee_fs_rpc_operation op; | ||
|
|
||
| assert(tadb_check_state(ta, TEE_MODE_ENCRYPT)); |
There was a problem hiding this comment.
Should return an error instead, I think.
There was a problem hiding this comment.
This is an API usage error (programmers error). In the case of tee_tadb_ta_write(), tee_tadb_ta_read() and tee_tadb_ta_close_and_commit() it's possible to return an error, but the two functions tee_tadb_ta_close_and_delete(), tee_tadb_ta_close() are void functions.
In all of the cases there's no good cleanup action that the caller can perform.There's obviously some confusion regarding what the handle is to be used for. Initially I was using two different structs for the "read" class and "write" class of functions. Perhaps I should reintroduce that instead?
There was a problem hiding this comment.
If there's no cleanup possible, then indeed a return code is useless.
Initially I was using two different structs for the "read" class and "write" class of functions. Perhaps I should reintroduce that instead?
Yes, I think I would like it better.
core/tee/tadb.c
Outdated
|
|
||
| void tee_tadb_ta_close_and_delete(struct tee_tadb_ta *ta) | ||
| { | ||
| assert(tadb_check_state(ta, TEE_MODE_ENCRYPT)); |
core/tee/tadb.c
Outdated
| size_t sz = sizeof(ta->entry.tag); | ||
| size_t idx; | ||
|
|
||
| assert(tadb_check_state(ta, TEE_MODE_ENCRYPT)); |
core/tee/tadb.c
Outdated
| const size_t sz = ta->entry.prop.custom_size + ta->entry.prop.bin_size; | ||
| size_t l = MIN(*len, sz - ta->pos); | ||
|
|
||
| assert(tadb_check_state(ta, TEE_MODE_DECRYPT)); |
core/tee/tadb.c
Outdated
|
|
||
| void tee_tadb_ta_close(struct tee_tadb_ta *ta) | ||
| { | ||
| assert(tadb_check_state(ta, TEE_MODE_DECRYPT)); |
mk/config.mk
Outdated
| @@ -262,6 +262,12 @@ CFG_GP_SOCKETS ?= y | |||
| # invocation parameters referring to specific secure memories). | |||
| CFG_SECURE_DATA_PATH ?= n | |||
|
|
|||
| # Enable storage for TAs in secure storage | |||
| CFG_SECSTOR_TA ?= y | |||
There was a problem hiding this comment.
Depends on CFG_REE_FS=y.
I find the comment slightly misleading, since the bulk of the TA is actually not in secure storage but directly stored in the REE FS. How about adding: "TA binaries are stored in the REE FS and are protected by metadata in secure storage." or something like that. Will make the dependancy on CFG_REE_FS=y obvious.
There was a problem hiding this comment.
Updated comment is fine. About the dependency I meant:
CFG_SECSTOR_TA ?= $(CFG_REE_FS)
$(call cfg-depends-all,CFG_SECSTOR_TA,CFG_REE_FS)
| from argparse import ArgumentParser | ||
|
|
||
| parser = ArgumentParser() | ||
| parser.add_argument('--uuid', required=True, |
There was a problem hiding this comment.
Could be optional (default: parse --in file name).
There was a problem hiding this comment.
On the other hand, the name of the TA file doesn't have to be an UUID. Sounds like complicated usage to me.
| @@ -58,4 +58,5 @@ $(link-out-dir)/$(binary).stripped.elf: $(link-out-dir)/$(binary).elf | |||
| $(link-out-dir)/$(binary).ta: $(link-out-dir)/$(binary).stripped.elf \ | |||
| $(TA_SIGN_KEY) | |||
| @echo ' SIGN $@' | |||
| $(q)$(SIGN) --key $(TA_SIGN_KEY) --in $< --out $@ | |||
| $(q)$(SIGN) --key $(TA_SIGN_KEY) --uuid $(binary) --version 0 \ | |||
There was a problem hiding this comment.
Assuming --uuid is optional, the command could remain unchanged
|
How about s/bootstrap/secure storage/g? My reasoning is: bootstrapping another TA management method (OTrP, etc.) is only one way this "secure storage TA" feature may be used. It is also perfectly valid to install all TAs in secure storage. So it would be more neutral and more general to use "secure storage TA", |
core/include/tee/tadb.h
Outdated
| uint32_t custom_size; | ||
| uint32_t bin_size; | ||
| bool is_ta; | ||
| bool is_root; |
There was a problem hiding this comment.
Since parent, handler, is_ta and is_root are currently not used, I'd rather introduce them later. It is fine to mention in the commit log that this may be a first step towards supporting SDs, but it should not show in the code yet. The "secure storage TA" feature is useful on its own.
|
I don't agree with s/bootstrap/secure storage/g. I don't expect this to be used for anything but bootstrapping in a product. Test usage is another story, there we'll bootstrap a lot :-) I'm expecting this flow in a product:
As you see bootstrap signed TAs are only supposed to be used for just that, that they happen to be stored in secure storage has nothing to do with what they are. The main reason why a new format was needed is to be able to protect against downgrade attack of the bootstrap TA. |
|
@lorc, sorry, addressed the comments now. |
jenswi-linaro
force-pushed
the
bootstrap_ta
branch
from
bef845d
to
6f8cc0f
Compare
|
Squashed and rebased, for reference the old state was bef845d |
|
Fixed checkpatch error |
There was a problem hiding this comment.
Why is xtest _9 failing in CI?
A few more comments here and there. Note that the SPDX/copyright stuff applies to a number of files. So, with my comments addressed:
- For commit b70515f ("libutils: add atomic load, store and cas"):
Reviewed-by: Jerome Forissier <[email protected]> - For commit 648d206 ("core: add refcount routines"), with or without my comment addressed:
Reviewed-by: Jerome Forissier <[email protected]> - For commit 95e5e7a ("core: fs_htree: bugfix creating empty file"):
Acked-by: Jerome Forissier <[email protected]> - For commit 9c11ac0 ("core: provide tee_svc_storage_file_ops()"):
Reviewed-by: Jerome Forissier <[email protected]> - For commit 1ffb3c8 ("core: add shdr type SHDR_BOOTSTRAP_TA"): s/bootstram/bootstrap/ in the commit log, with that:
Reviewed-by: Jerome Forissier <[email protected]> - For commit 712ae81 ("core: crypto: add struct shdr helper functions")
Reviewed-by: Jerome Forissier <[email protected]> - For commit 6f59c74 ("core: ree fs ta store: use new shdr_*() helpers"):
Reviewed-by: Jerome Forissier <[email protected]> - For commit cf8a284 ("core: ree fs ta store: support bootstrap TA format"):
Reviewed-by: Jerome Forissier <[email protected]> - For commit 7e18023 ("Sign TAs as bootstrap TAs"):
Reviewed-by: Jerome Forissier <[email protected]> - For commit 4447470 ("core: add tadb"):
Acked-by: Jerome Forissier <[email protected]> - For commit b7659f9 ("core: add ta storage based on tadb"):
Reviewed-by: Jerome Forissier <[email protected]> - For commit 6f8cc0f ("core: add management pseudo TA"): I recommend appending "for secstor TAs" to the commit subject, anyway:
Reviewed-by: Jerome Forissier <[email protected]>
Tested-by: Jerome Forissier <[email protected]> (HiKey960)
core/kernel/refcount.c
Outdated
| /* | ||
| * Note that atomic_cas_uint() updates oval to the current | ||
| * r->val read, regardless of return value. | ||
| */ |
There was a problem hiding this comment.
Minor:
I was a bit disturbed by this comment, because:
- We're only interested in what happens with
ovalwhen the function returns false. - When the function returns true,
ovalalready has the value ofr->val, so it is not really updated anyway
I'd suggest: /* At this point atomic_cas_uint() has updated oval to the current r->val */ after the if().
Same below.
lib/libutils/ext/include/atomic.h
Outdated
| * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
| * POSSIBILITY OF SUCH DAMAGE. | ||
| * SPDX-License-Identifier: BSD-2-Clause |
There was a problem hiding this comment.
Keep the license text and add the SPDX ID before.
core/include/kernel/refcount.h
Outdated
| @@ -0,0 +1,71 @@ | |||
| /* | |||
| * Copyright (c) 2017, Linaro Limited | |||
| * All rights reserved. | |||
There was a problem hiding this comment.
"All rights reserved" is cargo cult and IMO should better be omitted in new files (Wikipedia).
| return NULL; | ||
| memcpy(shdr, img, shdr_size); | ||
|
|
||
| /* Check that the data wasn't modified before the copy was completed */ |
There was a problem hiding this comment.
Does this add any security? I fail to imagine a case where continuing would be a problem, since the TA is signed.
There was a problem hiding this comment.
If shdr->hash_size or shdr->sig_size is increased we may access data outside the allocated buffer later on.
scripts/sign.py
Outdated
| # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
| # POSSIBILITY OF SUCH DAMAGE. | ||
| # SPDX-License-Identifier: BSD-2-Clause |
| # TA binaries are stored encrypted in the REE FS and are protected by | ||
| # metadata in secure storage. | ||
| CFG_SECSTOR_TA ?= $(call cfg-all-enabled,CFG_REE_FS CFG_WITH_USER_TA) | ||
| $(eval $(call cfg-depends-all,CFG_SECSTOR_TA,CFG_REE_FS CFG_WITH_USER_TA)) |
There was a problem hiding this comment.
These two lines should go into commit "core: add ta storage based on tadb", not in "core: add management pseudo TA".
|
|
jenswi-linaro
force-pushed
the
bootstrap_ta
branch
from
59f4fa9
to
2ff58f2
Compare
|
Comments, addressed, squashed and tags applied. |
|
|
* Adds atomic_load_uint() and atomic_load_u32() * Adds atomic_store_uint() and atomic_store_u32() * Adds atomic_cas_uint() and atomic_cas_u32(), compare and store Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds refcount_inc() and refcount_dec() Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Fixes problem with creating an empty htree file. Reviewed-by: Volodymyr Babchuk <[email protected]> Acked-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds a signed header type for bootstrap TA. This type is used when there isn't any security domains installed yet. Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds struct shdr helper functions to allocate and verify a struct shdr. Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Uses the new shdr_*() helper functions to verify a signed header. Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds support for the new bootstrap TA format to the REE FS TA storage. Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Changes to TA sign script to sign TAs as Bootstrap TAs (img_type == SHDR_BOOTSTRAP_TA) instead of the legacy TA format (img_type == SHDR_TA). Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds tadb which is a database in which TAs can be stored leveraging secure storage for anti-rollback, key storage and list of TAs. Reviewed-by: Volodymyr Babchuk <[email protected]> Acked-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds ta storage based on tadb. The TAs has to be installed in tadb before they can be loaded. Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds a pseudo TA for management of Trusted Applications and Security Domains. The pseudo TA only provides a minimal interface, a more advanced interface is supposed to be provided by a user TA using this pseudo TA. Such a TA could for instance implement Global Platforms TEE Management Framework or OTrP. The management TA currently only supports installing bootstrap packaged TAs in secure storage. Reviewed-by: Volodymyr Babchuk <[email protected]> Reviewed-by: Jerome Forissier <[email protected]> Tested-by: Jerome Forissier <[email protected]> (HiKey960) Tested-by: Jens Wiklander <[email protected]> (QEMU) Signed-off-by: Jens Wiklander <[email protected]>
jenswi-linaro
force-pushed
the
bootstrap_ta
branch
from
2ff58f2
to
ff305df
Compare
|
Tag applied |
|
What's next step here? |
|
Since this breaks the |
|
All good now. Thanks. |
This pull request introduces bootstrap TAs which can completely replace the current TAs depending on how we'd like to progress.
I see some ways forward:
Doing 2 (or 3) doesn't mean that we have to remove the old code, we could just make it optional. But we'd change our current test setup to only install TAs via bootstrap TAs (or via a security domain).
Bootstrap TA are basically only the solution to the chicken and egg problem for security domains. Next step would be to introduce a security domain.