[U-Boot] [PATCH v2 14/15] tee: optee: support AVB trusted application

Jens Wiklander jens.wiklander at linaro.org
Fri Aug 31 12:10:34 UTC 2018


Hi Simon,

On Wed, Aug 29, 2018 at 06:29:09PM -0600, Simon Glass wrote:
> Hi Jens,
> 
> On 23 August 2018 at 04:43, Jens Wiklander <jens.wiklander at linaro.org> wrote:
> > Adds configuration option OPTEE_TA_AVB and a header file describing the
> > interface to the AVB trusted application provided by OP-TEE.
> 
> What is AVB? Can you please write it out in full?

AVB stands for Android Verified Boot 2.0. However, Google is a bit picky
about how the name Android is used so I'm trying to avoid using it as
much as possible to stay out of trouble. I'll write it out in the commit
message.

> 
> >
> > Tested-by: Igor Opaniuk <igor.opaniuk at linaro.org>
> > Reviewed-by: Igor Opaniuk <igor.opaniuk at linaro.org>
> > Signed-off-by: Jens Wiklander <jens.wiklander at linaro.org>
> > ---
> >  MAINTAINERS                |  1 +
> >  drivers/tee/optee/Kconfig  | 16 +++++++++++++
> >  include/tee.h              |  7 ++++++
> >  include/tee/optee_ta_avb.h | 48 ++++++++++++++++++++++++++++++++++++++
> >  4 files changed, 72 insertions(+)
> >  create mode 100644 include/tee/optee_ta_avb.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 7458c606ee92..cb36c45d74ea 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -576,6 +576,7 @@ M:  Jens Wiklander <jens.wiklander at linaro.org>
> >  S:     Maintained
> >  F:     drivers/tee/
> >  F:     include/tee.h
> > +F:     include/tee/
> >
> >  UBI
> >  M:     Kyungmin Park <kmpark at infradead.org>
> > diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
> > index 8f7ebe161111..a5dc08439629 100644
> > --- a/drivers/tee/optee/Kconfig
> > +++ b/drivers/tee/optee/Kconfig
> > @@ -5,3 +5,19 @@ config OPTEE
> >         help
> >           This implements the OP-TEE Trusted Execution Environment (TEE)
> >           driver.
> > +
> > +if OPTEE
> > +
> > +menu "OP-TEE options"
> > +
> > +config OPTEE_TA_AVB
> > +       bool "Support AVB TA"
> > +       default y
> > +       help
> > +         Enables support for the AVB Trusted Application (TA) in OP-TEE.
> > +         The TA can support the "avb" subcommands "read_rb", "write"rb"
> > +         and "is_unlocked".
> > +
> > +endmenu
> > +
> > +endif
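Review bot: The help text for OPTEE_TA_AVB has a typo in the subcommand list: "write"rb" should read "write_rb". Because the option is "default y" whenever OPTEE is enabled, the help should also spell out what AVB stands for, so that someone reading menuconfig can tell what they are enabling.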
> > diff --git a/include/tee.h b/include/tee.h
> > index 3e6771123ef0..b851d718d32f 100644
> > --- a/include/tee.h
> > +++ b/include/tee.h
> > @@ -48,6 +48,13 @@
> >
> >  #define TEE_ORIGIN_COMMS               0x00000002
> >
> > +struct tee_optee_ta_uuid {
> 
> Comment on this struct. What is it for?

I'll fix.

> 
> > +       u32 time_low;
> > +       u16 time_mid;
> > +       u16 time_hi_and_version;
> > +       u8 clock_seq_and_node[8];
> > +};
> > +
> >  /**
> >   * struct tee_shm - memory shared with the TEE
> >   * @dev:       The TEE device
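Review bot: struct tee_optee_ta_uuid is added with no kernel-doc comment, while struct tee_shm directly below it has one. Please document each field and state the byte order expected when the UUID is handed to the TEE, since time_low, time_mid and time_hi_and_version are multi-byte integers. The name is also OP-TEE specific although the struct lives in the generic include/tee.h; consider a generic name or moving it to an OP-TEE header.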
> > diff --git a/include/tee/optee_ta_avb.h b/include/tee/optee_ta_avb.h
> > new file mode 100644
> > index 000000000000..0e1da084e09d
> > --- /dev/null
> > +++ b/include/tee/optee_ta_avb.h
> > @@ -0,0 +1,48 @@
> > +/* SPDX-License-Identifier: BSD-2-Clause */
> > +/* Copyright (c) 2018, Linaro Limited */
> > +
> > +#ifndef __TA_AVB_H
> > +#define __TA_AVB_H
> > +
> > +#define TA_AVB_UUID { 0x023f8f1a, 0x292a, 0x432b, \
> > +                     { 0x8f, 0xc4, 0xde, 0x84, 0x71, 0x35, 0x80, 0x67 } }
> > +
> > +#define TA_AVB_MAX_ROLLBACK_LOCATIONS  256
> > +
> > +/*
> > + * Gets the rollback index corresponding to the given rollback index slot.
> > + *
> > + * in  params[0].value.a:      rollback index slot
> > + * out params[1].value.a:      upper 32 bits of rollback index
> > + * out params[1].value.b:      lower 32 bits of rollback index
> > + */
> > +#define TA_AVB_CMD_READ_ROLLBACK_INDEX 0
> > +
> > +/*
> > + * Updates the rollback index corresponding to the given rollback index slot.
> > + *
> > + * Will refuse to update a slot with a lower value.
> > + *
> > + * in  params[0].value.a:      rollback index slot
> > + * in  params[1].value.a:      upper 32 bits of rollback index
> > + * in  params[1].value.b:      lower 32 bits of rollback index
> > + */
> > +#define TA_AVB_CMD_WRITE_ROLLBACK_INDEX        1
> > +
> > +/*
> > + * Gets the lock state of the device.
> > + *
> > + * out params[0].value.a:      lock state
> > + */
> > +#define TA_AVB_CMD_READ_LOCK_STATE     2
> > +
> > +/*
> > + * Sets the lock state of the device.
> > + *
> > + * If the lock state is changed all rollback slots will be reset to 0
> > + *
> > + * in  params[0].value.a:      lock state
> > + */
> > +#define TA_AVB_CMD_WRITE_LOCK_STATE    3
> > +
> > +#endif /*__TA_AVB_H*/
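Review bot: The comments on TA_AVB_CMD_READ_LOCK_STATE and TA_AVB_CMD_WRITE_LOCK_STATE pass a "lock state" in params[0].value.a without saying which values mean locked and unlocked; add named constants or document the encoding. The rollback commands likewise take a slot in params[0].value.a but do not say that it must be below TA_AVB_MAX_ROLLBACK_LOCATIONS, nor what is returned for an out-of-range slot or when TA_AVB_CMD_WRITE_ROLLBACK_INDEX refuses a lower value. Since TA_AVB_CMD_WRITE_LOCK_STATE resets all rollback slots to 0, the comment should also say what restricts when it may be called.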
> 
> Space before */
> 
> > --
> > 2.17.1
> >

Thanks for the review,
Jens

