+ OP-TEE ML.
On Fri, 2 Nov 2018 at 06:11, Chris Co Christopher.Co@microsoft.com wrote:
Hi Sumit,
Our full OpteeClientPkg has:
- Our OpteeClientAPI implementation. I was monitoring the merge progress on OpteeLib and will look into moving over now that it is available.
- The fTPM and AuthVar TA binaries. In our current design, the TA binaries are loaded at runtime. We could host the binaries themselves elsewhere on the filesystem, but we do not want these binaries as early/pseudo TAs. Is there a plan for OpteeLib to support loading full TAs?
Early TAs [1] are basically full TAs only, running in Secure EL0 mode. So instead of loading TA from normal world file-system, they are linked into a special data section in the OP-TEE core blob.
Also I don't think loading TAs dynamically especially during boot makes much sense due to following reasons: 1. Increased boot time. 2. Fixed TAs like in your case which could be linked as early TAs as well.
And you mentioned filesystem, are you referring to root filesystem?
- We have two client drivers: a firmware TPM TA driver and an authenticated variable TA driver. These talk through the tee-supplicant to their respective TAs.
Here from tee-supplicant apart from loading TAs, what other services are you expecting? If you are looking for secure storage via RPMB, that could be an enhancement to OpteeLib adding corresponding RPC handling here [2].
[1] https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md... [2] https://github.com/tianocore/edk2/blob/master/ArmPkg/Library/OpteeLib/Optee....
Regards, Sumit
Chris
-----Original Message----- From: Sumit Garg sumit.garg@linaro.org Sent: Thursday, November 1, 2018 3:55 AM To: Chris Co Christopher.Co@microsoft.com; Leif Lindholm leif.lindholm@linaro.org Cc: edk2-devel@lists.01.org; Ard Biesheuvel ard.biesheuvel@linaro.org; Michael D Kinney michael.d.kinney@intel.com Subject: Re: [PATCH edk2-platforms 01/27] Platform/Microsoft: Add OpteeClientPkg dec
Hi Christopher,
Optee Client library has recently been merged to edk2 source code. It tries to provide a generic interface [1] to OP-TEE based trusted applications (pseudo/early).
AFAIK, you don't need any platform specific hook in client interface to work with upstream OP-TEE. So instead you should use Optee library.
[1] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c om%2Ftianocore%2Fedk2%2Fblob%2Fmaster%2FArmPkg%2FInclude%2FLibrary %2FOpteeLib.h&data=02%7C01%7CChristopher.Co%40microsoft.com%7C c19b84ef7f8f4213424108d63fe88f66%7C72f988bf86f141af91ab2d7cd011db47 %7C1%7C0%7C636766665404786500&sdata=m24akbKtoyCERVN77meoSU H6E%2Bpf8W2P5MF7nvU5y7I%3D&reserved=0
Regards, Sumit
On Thu, 1 Nov 2018 at 02:13, Leif Lindholm leif.lindholm@linaro.org wrote:
+Sumit (just to loop you two together). Is there anything Microsoft platform specific about what will go in here?
/ Leif
On Fri, Sep 21, 2018 at 08:25:53AM +0000, Chris Co wrote:
On Windows IoT Core devices with ARM TrustZone capabilities, EDK2 runs in normal world and we use OP-TEE to execute secure world operations. The overall package will contain client-side support to invoke EDK2 services implemented as OP-TEE trusted applications that run in secure world.
This commit adds the initial dec file to add some PCD settings needed by other packages.
Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Christopher Co christopher.co@microsoft.com Cc: Ard Biesheuvel ard.biesheuvel@linaro.org Cc: Leif Lindholm leif.lindholm@linaro.org Cc: Michael D Kinney michael.d.kinney@intel.com
Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec | 49 ++++++++++++++++++++ 1 file changed, 49 insertions(+)
diff --git a/Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec b/Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec new file mode 100644 index 000000000000..4752eab39ce3 --- /dev/null +++ b/Platform/Microsoft/OpteeClientPkg/OpteeClientPkg.dec @@ -0,0 +1,49 @@ +## @file +# +# OP-TEE client package +# +# OP-TEE client package contains the client-side interface to invoke OP-
TEE TAs.
+# Certain EDKII services are implemented in Trusted Applications +running in # the secure world OP-TEE OS. +# +# Copyright (c) 2018 Microsoft Corporation. All rights reserved. +# +# This program and the accompanying materials # are licensed and +made available under the terms and conditions of the BSD License # +which accompanies this distribution. The full text of the license +may be found at # +https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fope +nsource.org%2Flicenses%2Fbsd-
license.php&data=02%7C01%7CChristo
+pher.Co%40microsoft.com%7Cc19b84ef7f8f4213424108d63fe88f66%7C72f988
+bf86f141af91ab2d7cd011db47%7C1%7C0%7C636766665404786500&sda ta=1
+MxFvlsMPhk19grEexBXo5VqRd0jZaCSRjxZCi87A2w%3D&reserved=0 +# +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" +BASIS, # WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND,
EITHER EXPRESS OR IMPLIED.
+# +##
+[Defines]
- DEC_SPECIFICATION = 0x0001001A
- PACKAGE_NAME = OpteeClientPkg
- PACKAGE_GUID = 77416fcb-10ec-4693-bdc0-1bdd74ec9595
- PACKAGE_VERSION = 0.01
+[Includes]
+[LibraryClasses]
+[Guids]
- gOpteeClientPkgTokenSpaceGuid = { 0x04ad34ca, 0xdd25, 0x4156, {
0x90, 0xf5, 0x16, 0xf9, 0x40, 0xd0, 0x49, 0xe3 }}
+[PcdsFixedAtBuild]
+gOpteeClientPkgTokenSpaceGuid.PcdTpm2AcpiBufferBase|0|UINT64|0x0000
+0005
+gOpteeClientPkgTokenSpaceGuid.PcdTpm2AcpiBufferSize|0|UINT32|0x0000
+0006
- ## The base address of the Trust Zone OpTEE OS private memory
- region # This memory is manager privately by the OpTEE OS.
gOpteeClientPkgTokenSpaceGuid.PcdTrustZonePrivateMemoryBase|0xDEAD
- 1|UINT64|0x00000001
- ## The size of the Trust Zone OpTEE OS private memory region
gOpteeClientPkgTokenSpaceGuid.PcdTrustZonePrivateMemorySize|55|UIN
- T64|0x00000002
- ## The base address of the Trust Zone OpTEE OS shared memory
- region
gOpteeClientPkgTokenSpaceGuid.PcdTrustZoneSharedMemoryBase|0xDEAD2
- |UINT64|0x00000003
- ## The size of the Trust Zone OpTEE OS shared memory region
gOpteeClientPkgTokenSpaceGuid.PcdTrustZoneSharedMemorySize|0xAA|UI
- NT64|0x00000004
-- 2.16.2.gvfs.1.33.gf5370f1