[PATCH 2/3] cmd: SCP03: enable and provision command
Simon Glass
sjg at chromium.org
Sun Feb 7 15:37:58 CET 2021
Hi Jorge,
On Sat, 6 Feb 2021 at 16:05, Jorge Ramirez-Ortiz <jorge at foundries.io> wrote:
>
> Enable and provision the SCP03 keys on a TEE controlled secured element
> from the U-Boot shell.
>
> Signed-off-by: Jorge Ramirez-Ortiz <jorge at foundries.io>
> ---
> cmd/Kconfig | 9 ++++++++
> cmd/Makefile | 3 +++
> cmd/scp03.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 76 insertions(+)
> create mode 100644 cmd/scp03.c
Can we have a test for this please? See mem_search.c for an example.
>
> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 928a2a0a2d..4f990249b4 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -2021,6 +2021,15 @@ config HASH_VERIFY
> help
> Add -v option to verify data against a hash.
>
> +config CMD_SCP03
> + bool "scp03 - SCP03 enable and rotate/provision operations"
> + depends on SCP03
> + help
> + Enables the SCP03 commands to activate I2C channel encryption and
I2C-channel ?
> + provision the SCP03 keys.
> + scp03 enable
> + scp03 provision
Also add this to doc/usage (see 'make htmldocs')
> +
> config CMD_TPM_V1
> bool
>
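Review bot: The help text for `CMD_SCP03` lists the two sub-commands but does not say that `scp03 provision` changes the SCP03 keys on the secure element, even though the prompt string calls it a rotate/provision operation. Because this option makes that operation reachable from the boot shell, a sentence such as `Provisioning replaces the SCP03 keys; enable only where access to the U-Boot shell is trusted.` would help whoever turns it on. Whether the key change is persistent is inferred from the wording here and should be confirmed against the TEE implementation.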
> diff --git a/cmd/Makefile b/cmd/Makefile
> index 176bf925fd..a7017e8452 100644
> --- a/cmd/Makefile
> +++ b/cmd/Makefile
> @@ -193,6 +193,9 @@ obj-$(CONFIG_CMD_BLOB) += blob.o
> # Android Verified Boot 2.0
> obj-$(CONFIG_CMD_AVB) += avb.o
>
> +# Foundries.IO SCP03
> +obj-$(CONFIG_CMD_SCP03) += scp03.o
> +
> obj-$(CONFIG_ARM) += arm/
> obj-$(CONFIG_RISCV) += riscv/
> obj-$(CONFIG_SANDBOX) += sandbox/
> diff --git a/cmd/scp03.c b/cmd/scp03.c
> new file mode 100644
> index 0000000000..07913dbd3e
> --- /dev/null
> +++ b/cmd/scp03.c
> @@ -0,0 +1,64 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
> +#include <common.h>
> +#include <command.h>
> +#include <env.h>
> +#include <scp03.h>
> +
> +int do_scp03_enable(struct cmd_tbl *cmdtp, int flag, int argc,
> + char *const argv[])
> +{
> + if (argc != 1)
> + return CMD_RET_USAGE;
> +
> + if (tee_enable_scp03())
Do you want to report the failure with a message?
> + return CMD_RET_FAILURE;
> +
> + return CMD_RET_SUCCESS;
> +}
> +
> +int do_scp03_provision(struct cmd_tbl *cmdtp, int flag, int argc,
> + char *const argv[])
> +{
> + if (argc != 1)
> + return CMD_RET_USAGE;
> +
> + if (tee_provision_scp03())
> + return CMD_RET_FAILURE;
> +
> + return CMD_RET_SUCCESS;
> +}
> +
> +static struct cmd_tbl cmd_scp03[] = {
> + U_BOOT_CMD_MKENT(enable, 1, 0, do_scp03_enable, "", ""),
> + U_BOOT_CMD_MKENT(provision, 1, 0, do_scp03_provision, "", ""),
> +};
> +
> +static int do_scp03(struct cmd_tbl *cmdtp, int flag, int argc,
> + char * const argv[])
You could use U_BOOT_CMD_WITH_SUBCMDS() which might save some hassle here.
> +{
> + struct cmd_tbl *cp;
> +
> + cp = find_cmd_tbl(argv[1], cmd_scp03, ARRAY_SIZE(cmd_scp03));
> +
> + argc--;
> + argv++;
> +
> + if (!cp || argc > cp->maxargs)
> + return CMD_RET_USAGE;
> +
> + if (flag == CMD_FLAG_REPEAT)
> + return CMD_RET_FAILURE;
> +
> + return cp->cmd(cmdtp, flag, argc, argv);
> +}
> +
> +U_BOOT_CMD(scp03, 2, 0, do_scp03,
> + "Provides a command to enable SCP03 and provision the SCP03 keys\n",
> + "\tenable - enable SCP03\n"
> + "\tprovision - provision SCP03\n"
> +);
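Review bot: In `do_scp03`, `argv[1]` is passed to `find_cmd_tbl()` before `argc` is examined, so a bare `scp03` depends on the lookup tolerating a missing sub-command rather than on an explicit guard. Placing `if (argc < 2) return CMD_RET_USAGE;` ahead of the lookup makes the usage path explicit and keeps the key-provisioning dispatcher independent of the helper's handling of an absent argument. Separately, `do_scp03_enable` and `do_scp03_provision` are, as far as this file shows, reached only through the `cmd_scp03` table, so they could be declared `static` like `do_scp03`.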
> --
> 2.30.0
>
Regards,
Simon