Hello Valentin,
On Thu, Mar 5, 2015 at 12:27 PM, Valentin Manea valentin.manea@huawei.com wrote:
Hi Jerome, On 05.03.2015 12:19, Jerome Forissier wrote:
Hi all,
I second Emmanuel's concerns. It seems to me that with the current definitions, the generic driver would almost be an empty pipe, and add little value to the solution.
In my opinion, the generic driver has to define a precise interface and not allow opaque commands that would depend on the TEE solution. Otherwise what assumptions can the user space make when it opens the device? Should it probe the driver to detect which language it speaks? Better have one driver for each "language" (GlobalPlatform or whatever).
So I would drop the "generic driver" and focus on a "GlobalPlatform TEE driver". If someone needs to implement a different interface than GP, then he would write another driver (is it something we have to consider short-term?)
[...]
If you put it like that I don't see much value in a GP driver and I would guess upstream also wouldn't see value in it anyway, this is the reason I was proposing something more generic. But to give a specific example for my reasons: how do you implement secure storage? In Huawei TEE case there is a secure storage daemon that has a separate channel to TEE - this channel is outside GP specifications completely and it's homebrew. This is just one short example, but there enough of these implementation details where just saying we want a GP driver would not be enough and a separate channel would be created between user space and kernel. So basically the GP TEE driver would not bring enough value.
OK, this make sense. Among non-GP operations that would have to go through the driver, there's also the loading of TA binaries for instance. Still, my point is: can we try to define the operations (i.e., ioctls essentially) as precisely as we can, so that user space code is as simple and portable (on different TEEs with the same generic driver) as possible? We would define all GP operations (create session, invoke command...) plus what's needed to support them (helpers for secure storage, TA loading, shared memory management...). We would still allow private commands to go through the generic driver to the specific backend.
PS: I think you are in the same building as the Trustonic guys, maybe inviting them would not be a bad idea - while I wrote most of the driver, I would rather not talk for them. If you don't know anybody I can suggest a few contacts.
Good idea. Please send me some names in PM. I can contact them and suggest they join the list.