68 changes: 25 additions & 43 deletions source/linux/Foundational_Components_OPTEE.rst
@@ -110,56 +110,40 @@
*********************

OP-TEE provides secure storage functionality through two mechanisms:
**REE FS** (Rich Execution Environment Filesystem) and **RPMB**
(Replay Protected Memory Block).
**Rich Execution Environment Filesystem (REE FS)** and **Replay Protected Memory Block (RPMB)**.

[vale] reported by reviewdog 🐶 (source/linux/Foundational_Components_OPTEE.rst, line 113, column 42, severity INFO): [RedHat.Definitions] Define acronyms and abbreviations (such as 'REE') on first occurrence if they're likely to be unfamiliar.

TI SDK enables REE FS by-default, and configures OP-TEE to store
encrypted binary blobs created by REE FS in
:file:`/var/lib/tee/`.

.. ifconfig:: CONFIG_part_variant in ('AM62LX')

.. note::

Presently, AM62L does not support RPMB. This support will be added
in subsequent releases. It does support REE FS.

The remaining devices support both: REE FS by-default and RPMB if
OP-TEE binaries are re-compiled with required flags.

For learning more about secure storage in OP-TEE, refer:
https://optee.readthedocs.io/en/latest/architecture/secure_storage.html

.. ifconfig:: CONFIG_part_variant not in ('AM62LX')

RPMB works in TI SoCs with HS configuration. These embed a KEK
that programs across OP-TEE instances in a derived manner. Each HS
device has its own HUK signing key (DKEK), which is different from
other HS devices. TI SDK disables RPMB by-default. To enable it,
re-compiling OP-TEE with ``CFG_RPMB_FS=y`` flag.
RPMB works in TI SoCs with HS configuration. These embed a Key Encryption Key (KEK)
that programs across OP-TEE instances in a derived manner. Each HS
device has its own Hardware Unique Key (HUK) signing key Derived Key Encryption Key (DKEK), which is different from
other HS devices. TI SDK disables RPMB by-default. To enable it,
re-compiling OP-TEE with ``CFG_RPMB_FS=y`` flag.

For learning more about secure storage in OP-TEE, and instructions to
enable RPMB, refer:
https://optee.readthedocs.io/en/latest/architecture/secure_storage.html
For learning more about secure storage in OP-TEE, and instructions to
enable RPMB, refer:
https://optee.readthedocs.io/en/latest/architecture/secure_storage.html

There is a hybrid mode in which both the flags i.e `CFG_REE_FS=y` and `CFG_RPMB_FS=y` are enabled.
This mode stores the state of the Secure Storage directory in RPMB partition to check for the
integrity of the data present in it. It is the recommended way.
There is a hybrid mode, which enables both ``CFG_REE_FS=y`` and ``CFG_RPMB_FS=y``.
This mode stores the state of the Secure Storage directory in RPMB partition to check for the
integrity of the data present in it. It is the recommended way.

E.g. For enabling hybrid mode of RPMB along with REE_FS
E.g. For enabling hybrid mode of RPMB along with REE_FS

.. ifconfig:: CONFIG_part_variant in ('J721S2')
.. ifconfig:: CONFIG_part_variant in ('J721S2')

.. code-block:: console
.. code-block:: console

$ export CFG_CONSOLE_UART=0x8
$ export CFG_CONSOLE_UART=0x8

.. parsed-literal::
.. parsed-literal::

$ make CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=\ |__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_REE_FS=y CFG_RPMB_FS=y
$ make CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=\ |__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_REE_FS=y CFG_RPMB_FS=y

OPTEE-client also needs to be updated to enable the use of real
emmc instead of the virtual emmc that is enabled by default
Also update optee-client to enable the use of real
eMMC instead of the virtual eMMC, which is the default option.

As an example to show the usage of secure storage, the filesystem
provides a binary :file:`/usr/bin/optee_examples_secure_storage`.
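Review bot: the expanded sentence "Each HS device has its own Hardware Unique Key (HUK) signing key Derived Key Encryption Key (DKEK), which is different from other HS devices" runs two expansions together and no longer parses; keep the original relationship and separate them, e.g. "Each HS device has its own Hardware Unique Key (HUK) signing key, the Derived Key Encryption Key (DKEK), which is different from other HS devices." The next sentence, carried over unchanged, is also not a sentence: "To enable it, re-compiling OP-TEE with ``CFG_RPMB_FS=y`` flag." should read "To enable it, re-compile OP-TEE with the ``CFG_RPMB_FS=y`` flag." In the hybrid-mode paragraph, "It is the recommended way." would be more useful if it stated the security reason that follows from the previous sentence: the Secure Storage directory state kept in RPMB is what lets OP-TEE check the integrity of the REE FS contents, and REE FS alone provides no such check. Minor: "by-default" (three occurrences in this hunk) should be "by default".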
@@ -221,12 +205,10 @@

|

.. ifconfig:: CONFIG_part_variant not in ('AM62LX')

.. rubric:: PKCS#11
.. rubric:: PKCS#11

[vale] reported by reviewdog 🐶 (source/linux/Foundational_Components_OPTEE.rst, line 208, column 13, severity INFO): [RedHat.Definitions] Define acronyms and abbreviations (such as 'PKCS') on first occurrence if they're likely to be unfamiliar.

PKCS#11 is a cryptographic token interface standard that allows applications
to access cryptographic services through a platform-independent API.
Public Key Cryptography Standard #11 (PKCS#11) is a cryptographic token interface standard that allows applications

[vale] reported by reviewdog 🐶 (source/linux/Foundational_Components_OPTEE.rst, line 210, column 39, severity INFO): [RedHat.Definitions] Define acronyms and abbreviations (such as 'PKCS') on first occurrence if they're likely to be unfamiliar.
to access cryptographic services through a platform-independent API.

For userland integration details, refer:
https://optee.readthedocs.io/en/latest/building/userland_integration.html
For userspace integration details, refer:
https://optee.readthedocs.io/en/latest/building/userland_integration.html
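Review bot: the expansion "Public Key Cryptography Standard #11 (PKCS#11)" is not the standard's name; PKCS is "Public-Key Cryptography Standards", so the line should read "Public-Key Cryptography Standards #11 (PKCS#11) is a cryptographic token interface standard that allows applications". Note that the reviewdog annotation on line 210 still fires after this change, because the parenthetical "PKCS#11" is what the RedHat.Definitions rule matches, so the INFO-level warning will remain unless PKCS is added to the vale vocabulary. The new first line is also much longer than the wrapped lines elsewhere in this file; wrap it after "(PKCS#11)" to match the surrounding text.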