[PATCHv5 1/6] common: SCP03 control (enable and provision of keys)

Jorge Ramirez-Ortiz, Foundries jorge at foundries.io
Fri Feb 12 09:16:56 CET 2021 

On 09/02/21, Jorge Ramirez-Ortiz wrote:
> This Trusted Application allows enabling SCP03 as well as provisioning
> the keys on TEE controlled secure element (ie, NXP SE050).
> 
> All the information flowing on buses (ie I2C) between the processor
> and the secure element must be encrypted. Secure elements are
> pre-provisioned with a set of keys known to the user so that the
> secure channel protocol (encryption) can be enforced on the first
> boot. This situation is however unsafe since the keys are publically
> available.
> 
> For example, in the case of the NXP SE050, these keys would be
> available in the OP-TEE source tree [2] and of course in the
> documentation corresponding to the part.
> 
> To address that, users are required to rotate/provision those keys
> (ie, generate new keys and write them in the secure element's
> persistent memory).
> 
> For information on SCP03, check the Global Platform HomePage and
> google for that term [1]
> [1] globalplatform.org
> [2] https://github.com/OP-TEE/optee_os/
>     check:
>     core/drivers/crypto/se050/adaptors/utils/scp_config.c
>

hi Simon, we added the tests that you asked for. all ok with this
series?

thanks!


> Signed-off-by: Jorge Ramirez-Ortiz <jorge at foundries.io>
> Reviewed-by: Simon Glass <sjg at chromium.org>
> ---
>  common/Kconfig               |  8 ++++++
>  common/Makefile              |  1 +
>  common/scp03.c               | 53 ++++++++++++++++++++++++++++++++++++
>  include/scp03.h              | 21 ++++++++++++++
>  include/tee/optee_ta_scp03.h | 21 ++++++++++++++
>  5 files changed, 104 insertions(+)
>  create mode 100644 common/scp03.c
>  create mode 100644 include/scp03.h
>  create mode 100644 include/tee/optee_ta_scp03.h
> 
> diff --git a/common/Kconfig b/common/Kconfig
> index 2bb3798f80..482f123534 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -588,6 +588,14 @@ config AVB_BUF_SIZE
>  
>  endif # AVB_VERIFY
>  
> +config SCP03
> +	bool "Build SCP03 - Secure Channel Protocol O3 - controls"
> +	depends on OPTEE || SANDBOX
> +	depends on TEE
> +	help
> +	  This option allows U-Boot to enable and or provision SCP03 on an OPTEE
> +	  controlled Secured Element.
> +
>  config SPL_HASH
>  	bool # "Support hashing API (SHA1, SHA256, etc.)"
>  	help
> diff --git a/common/Makefile b/common/Makefile
> index daeea67cf2..215b8b26fd 100644
> --- a/common/Makefile
> +++ b/common/Makefile
> @@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o
>  obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o
>  
>  obj-$(CONFIG_AVB_VERIFY) += avb_verify.o
> +obj-$(CONFIG_SCP03) += scp03.o
> diff --git a/common/scp03.c b/common/scp03.c
> new file mode 100644
> index 0000000000..09ef7b5ba3
> --- /dev/null
> +++ b/common/scp03.c
> @@ -0,0 +1,53 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
> +#include <common.h>
> +#include <scp03.h>
> +#include <tee.h>
> +#include <tee/optee_ta_scp03.h>
> +
> +static int scp03_enable(bool provision)
> +{
> +	const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID;
> +	struct tee_open_session_arg session;
> +	struct tee_invoke_arg invoke;
> +	struct tee_param param;
> +	struct udevice *tee = NULL;
> +
> +	tee = tee_find_device(tee, NULL, NULL, NULL);
> +	if (!tee)
> +		return -ENODEV;
> +
> +	memset(&session, 0, sizeof(session));
> +	tee_optee_ta_uuid_to_octets(session.uuid, &uuid);
> +	if (tee_open_session(tee, &session, 0, NULL))
> +		return -ENXIO;
> +
> +	memset(&param, 0, sizeof(param));
> +	param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
> +	param.u.value.a = provision;
> +
> +	memset(&invoke, 0, sizeof(invoke));
> +	invoke.func = PTA_CMD_ENABLE_SCP03;
> +	invoke.session = session.session;
> +
> +	if (tee_invoke_func(tee, &invoke, 1, &param))
> +		return -EIO;
> +
> +	tee_close_session(tee, session.session);
> +
> +	return 0;
> +}
> +
> +int tee_enable_scp03(void)
> +{
> +	return scp03_enable(false);
> +}
> +
> +int tee_provision_scp03(void)
> +{
> +	return scp03_enable(true);
> +}
> diff --git a/include/scp03.h b/include/scp03.h
> new file mode 100644
> index 0000000000..729667ccd1
> --- /dev/null
> +++ b/include/scp03.h
> @@ -0,0 +1,21 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +
> +#ifndef _SCP03_H
> +#define _SCP03_H
> +
> +/*
> + * Requests to OPTEE to enable or provision the Secure Channel Protocol on its
> + * Secure Element
> + *
> + *  If key provisioning is requested, OPTEE shall generate new SCP03 keys and
> + *  write them to the Secure Element.
> + *
> + *  Both functions return < 0 on error else 0.
> + */
> +int tee_enable_scp03(void);
> +int tee_provision_scp03(void);
> +#endif /* _SCP03_H */
> diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h
> new file mode 100644
> index 0000000000..13f9956d98
> --- /dev/null
> +++ b/include/tee/optee_ta_scp03.h
> @@ -0,0 +1,21 @@
> +/* SPDX-License-Identifier: BSD-3-Clause */
> +/*
> + * (C) Copyright 2021, Foundries.IO
> + *
> + */
> +#ifndef __TA_SCP03_H
> +#define __TA_SCP03_H
> +
> +#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \
> +			{ 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } }
> +
> +/*
> + * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element.
> + *   Setting the operation value to something different than NULL will trigger
> + *   the SCP03 provisioning request.
> + *
> + *   in	params[0].a = operation
> + */
> +#define PTA_CMD_ENABLE_SCP03	0
> +
> +#endif /*__TA_SCP03_H*/
> -- 
> 2.30.0
>

More information about the U-Boot mailing list