
On 5/6/20 9:12 PM, Ilias Apalodimas wrote:
If OP-TEE is compiled with an EDK2 application running in secure world it can process and store UEFI variables in an RPMB. Add documentation for the config options enabling this.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
doc/uefi/uefi.rst | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst index 4fda00d68721..93b0faadd26e 100644 --- a/doc/uefi/uefi.rst +++ b/doc/uefi/uefi.rst @@ -188,6 +188,16 @@ on the sandbox cd <U-Boot source directory> pytest.py test/py/tests/test_efi_secboot/test_signed.py --bd sandbox
+Using OP-TEE for EFI variables +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+If an RPMB and it's drivers is available in U-Boot, OP-TEE can be used for
%s/is available/are available/
..., OP-TEE in conjunction with EDK2's secure management module (SMM) can be used to provide variable services.
+variable services. +Enabling CONFIG_EFI_MM_COMM_TEE=y will dispatch the variables services to
%s/dispatch/delegate/
+OP-TEE. OP-TEE needs to be compiled with a secure application (coming from EDK2)
Is it really compiling? I thought it was only linking.
... needs to be linked with EDK2's secure management module (SMM) which will process the variables ...
+which will process variables in the Secure World and store them in the RPMB +using the OP-TEE supplicant.
Executing the boot manager
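Review bot: The first added sentence has two grammar slips that should be fixed before this lands: "If an RPMB and it's drivers is available" needs the possessive "its" and the plural "are available", and "dispatch the variables services" in the CONFIG_EFI_MM_COMM_TEE sentence should read "variable services". The paragraph also names the RPMB as the storage backend without saying which option provides the RPMB driver on the U-Boot side; since the text already spells out CONFIG_EFI_MM_COMM_TEE=y, name the RPMB driver option next to it so a reader knows the variable store silently lacks its persistent backend if only the TEE communication option is set.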
In the description we should distinguish between OP-TEE being used to provide variable services and the specific embodiment using SMM, e.g.
How about:
Using OP-TEE for EFI variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Instead of implementing UEFI variable services inside U-Boot they can also be provided in the secure world by a module for OP-TEE[1]. The interface between U-Boot and OP-TEE for variable services is enabled by CONFIG_EFI_MM_COMM_TEE=y.
Tianocore EDK II's standalone management mode driver for variables can be linked to OP-TEE for this purpose. This module uses the Replay Protected Memory Block (RPMB) of an eMMC device for persisting non-volatile variables. When calling the variable services via the OP-TEE API, U-Boot's OP-TEE supplicant relays calls to the RPMB driver, which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y.
[1] https://optee.readthedocs.io/ - OP-TEE documentation
Best regards
Heinrich
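The proposed wording above states a dependency between two options: CONFIG_EFI_MM_COMM_TEE=y only delegates variable services to OP-TEE, while the persistent RPMB backend behind it needs CONFIG_SUPPORT_EMMC_RPMB=y as well. The following shell function is an added example, not part of the patch or of U-Boot, that checks a U-Boot .config for exactly that combination; the sample .config contents it creates are constructed for the demonstration.

```shell
#!/bin/sh
# check_optee_var_config FILE
# Inspects a U-Boot .config and reports how EFI variables will be stored.
#   returns 0: consistent (either no TEE delegation, or TEE delegation with
#              the RPMB driver enabled)
#   returns 1: CONFIG_EFI_MM_COMM_TEE=y but CONFIG_SUPPORT_EMMC_RPMB is
#              missing, i.e. variables go to OP-TEE with no RPMB backend
#   returns 2: the file cannot be read
check_optee_var_config() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    if ! grep -q '^CONFIG_EFI_MM_COMM_TEE=y$' "$cfg"; then
        echo "$cfg: EFI variables handled inside U-Boot (no TEE delegation)"
        return 0
    fi
    if grep -q '^CONFIG_SUPPORT_EMMC_RPMB=y$' "$cfg"; then
        echo "$cfg: EFI variables delegated to OP-TEE, RPMB driver enabled"
        return 0
    fi
    echo "$cfg: CONFIG_EFI_MM_COMM_TEE=y without CONFIG_SUPPORT_EMMC_RPMB=y" >&2
    return 1
}

# Constructed sample configurations (not taken from any real board).
good_cfg=$(mktemp)
printf 'CONFIG_OPTEE=y\nCONFIG_EFI_MM_COMM_TEE=y\nCONFIG_SUPPORT_EMMC_RPMB=y\n' > "$good_cfg"

bad_cfg=$(mktemp)
printf 'CONFIG_OPTEE=y\nCONFIG_EFI_MM_COMM_TEE=y\n# CONFIG_SUPPORT_EMMC_RPMB is not set\n' > "$bad_cfg"

plain_cfg=$(mktemp)
printf 'CONFIG_EFI_LOADER=y\n# CONFIG_EFI_MM_COMM_TEE is not set\n' > "$plain_cfg"

# Usage: run the check on each sample; only bad_cfg should fail.
check_optee_var_config "$good_cfg"
check_optee_var_config "$bad_cfg" || echo "bad_cfg rejected as expected"
check_optee_var_config "$plain_cfg"
```

Point the function at the .config of a real build (for example `check_optee_var_config .config`) after running `make *_defconfig`; a non-zero exit means the variable store would be delegated to OP-TEE without the RPMB path the documentation describes.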