From patchwork Wed Apr 17 11:07:21 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 42604
From: Mikko Rapeli
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [PATCH 1/2] trusted-firmware-a: continue if TPM device is missing
Date: Wed, 17 Apr 2024 14:07:21 +0300
Message-Id: <20240417110722.283283-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5554

All other firmware boot components also continue booting if TPM is not found. It is up to subsequent SW components to e.g. fail if rootfs can't be decrypted. Enables policies like fall back to unencrypted rootfs if TPM device is not found with qemu and swtpm.
Signed-off-by: Mikko Rapeli --- ...ot.c-ignore-TPM-error-and-continue-w.patch | 36 +++++++++++++++++++ .../trusted-firmware-a_2.10.3.bb | 5 +++ 2 files changed, 41 insertions(+) create mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch new file mode 100644 index 00000000..2d189d8e --- /dev/null +++ b/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch @@ -0,0 +1,36 @@ +From 1d1425bde8435d6e2b3e4f2b7bcb2eb293ef9601 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Mon, 15 Jan 2024 09:26:56 +0000 +Subject: [PATCH] qemu_measured_boot.c: ignore TPM error and continue with boot + +If firmware is configured with TPM support but it's missing +on HW, e.g. swtpm not started and/or configured with qemu, +then continue booting. Missing TPM is not a fatal error. +Enables testing boot without TPM device to see that +missing TPM is detected further up the SW stack and correct +fallback actions are taken. + +Upstream-Status: Pending + +Signed-off-by: Mikko Rapeli +--- + plat/qemu/qemu/qemu_measured_boot.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c +index 122bb23b14..731b081c47 100644 +--- a/plat/qemu/qemu/qemu_measured_boot.c ++++ b/plat/qemu/qemu/qemu_measured_boot.c +@@ -79,7 +79,8 @@ void bl2_plat_mboot_finish(void) + * Note: In QEMU platform, OP-TEE uses nt_fw_config to get the + * secure Event Log buffer address. + */ +- panic(); ++ ERROR("Ignoring TPM errors, continuing without\n"); ++ return; + } + + /* Copy Event Log to Non-secure memory */ +-- +2.34.1 + 
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb index b30ac725..13942dbb 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb 
@@ -11,3 +11,8 @@ SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=ht SRCREV_mbedtls = "72718dd87e087215ce9155a826ee5a66cfbe9631" LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" + +# continue to boot also without TPM +SRC_URI += "\ + file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \ +"

From patchwork Wed Apr 17 11:07:22 2024
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 42605
From: Mikko Rapeli
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli
Subject: [PATCH 2/2] optee-ftpm: enumerate also without tee-supplicant
Date: Wed, 17 Apr 2024 14:07:22 +0300
Message-Id: <20240417110722.283283-2-mikko.rapeli@linaro.org>
In-Reply-To: <20240417110722.283283-1-mikko.rapeli@linaro.org>
References: <20240417110722.283283-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5555

Userspace like systemd boot manager would need to know how to find TPM and fTPM devices for rootfs encryption. Thus expose an fTPM TA enumeration also without tee-supplicant so that early boot managers can start tee-supplicant and wait for the fTPM device before continuing with TPM2 use cases.
Signed-off-by: Mikko Rapeli --- .../optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch index 7c61105b..175875c1 100644 --- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch @@ -21,7 +21,7 @@ index 92c33c1..e83619d 100644 #define TA_UUID TA_FTPM_UUID -#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE) -+#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM ) #define TA_STACK_SIZE (64 * 1024) #define TA_DATA_SIZE (32 * 1024)
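
Review bot: In [PATCH 1/2], the plat/qemu/qemu/qemu_measured_boot.c hunk replaces panic() with an unconditional return in bl2_plat_mboot_finish(), so the function now leaves before the "Copy Event Log to Non-secure memory" step and every qemu platform build of this recipe boots on without handing over the Event Log, not only the test setups the commit message describes. Consider keeping panic() as the default and selecting the continue path with a build-time option, so that a configuration relying on measured boot still fails closed. The log text "Ignoring TPM errors, continuing without" should also say what is being skipped (here, that the Event Log is not copied), and WARN may fit better than ERROR if continuing is an accepted outcome.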
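
Review bot: In [PATCH 1/2], the trusted-firmware-a_2.10.3.bb hunk appends the patch to SRC_URI with a plain "SRC_URI +=", so it is applied for every machine that builds this recipe, although the patch only touches plat/qemu and relaxes measured-boot failure handling. Scope the append with a machine override for the qemu targets that need it, or make it opt-in, and extend the comment "# continue to boot also without TPM" to say that this is meant for qemu testing without swtpm, as the embedded commit message explains.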
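
Review bot: In [PATCH 2/2], the new "+#define TA_FLAGS" line swaps TA_FLAG_DEVICE_ENUM_SUPP for TA_FLAG_DEVICE_ENUM, which per the commit message makes the fTPM TA enumerable before tee-supplicant is running, but neither the hunk nor the message says how the TA behaves if it is invoked in that window. Please document in the carried patch what a client sees before tee-supplicant is up (an error it can retry on, or a blocked call), since the message relies on boot managers starting tee-supplicant and waiting for the device. The new line also has a stray space before the closing parenthesis ("TA_FLAG_DEVICE_ENUM )"), and if the carried patch's own description names the _SUPP flag it should be updated to match.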