Re: [PATCH v7 1/2] fTPM: firmware TPM running in TEE

[Ilias Apalodimas <ilias.apalodimas@linaro.org>]

Hi Thirupathaiah,
> 
> First of all, Thanks a lot for trying to test the driver. 
> 
np

[...]
> > I managed to do some quick testing in QEMU.
> > Everything works fine when i build this as a module (using IBM's TPM 2.0
> > TSS)
> > 
> > - As module
> > # insmod /lib/modules/5.2.0-rc1/kernel/drivers/char/tpm/tpm_ftpm_tee.ko
> > # getrandom -by 8
> > randomBytes length 8
> > 23 b9 3d c3 90 13 d9 6b
> > 
> > - Built-in
> > # dmesg | grep optee
> > ftpm-tee firmware:optee: ftpm_tee_probe:tee_client_open_session failed,
> > err=ffff0008
> This (0xffff0008) translates to TEE_ERROR_ITEM_NOT_FOUND.
> 
> Where is fTPM TA located in the your test setup? 
> Is it stitched into TEE binary as an EARLY_TA or 
> Is it expected to be loaded during run-time with the help of user mode OP-TEE supplicant?
> 
> My guess is that you are trying to load fTPM TA through user mode OP-TEE supplicant. 
> Can you confirm? 
I tried both

> If that is the true, 
> - In the case of driver built as a module (CONFIG_TCG_FTPM_TEE=m), this is works fine 
> as user mode supplicant is ready. 
> - In the built-in case (CONFIG_TCG_FTPM_TEE=y), 
> This would result in the above error 0xffff0008 as TEE is unable to find fTPM TA. 
Maybe i did something wrong and never noticed it wasn't built as an earlyTA

> 
> The expectation is that fTPM TA is built as an EARLY_TA (in BL32) so that
> U-boot and Linux driver stacks work seamlessly without dependency on supplicant.  
> 
You can add my tested-by tag for the module. I'll go back to testing it as
built-in at some point in real hardware and let you know if i have any issues.

If someone's is interested in the QEMU testing: 
1. compile this https://github.com/jbech-linaro/manifest/blob/ftpm/README.md
2. replace the whole linux kernel on the root-dir with a latest version + fTPM 
char driver
3. Apply a hack on kernel and disable dynamic shm (Need for this depends on 
kernel + op-tee version)

diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
index 1854a3db..7aea8a5 100644
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -588,13 +588,15 @@ static struct optee *optee_probe(struct device_node *np)
        /*
         * Try to use dynamic shared memory if possible
         */
+#if 0
        if (sec_caps & OPTEE_SMC_SEC_CAP_DYNAMIC_SHM)
                pool = optee_config_dyn_shm();
+#endif

        /*
         * If dynamic shared memory is not available or failed - try static one
         */
-       if (IS_ERR(pool) && (sec_caps & OPTEE_SMC_SEC_CAP_HAVE_RESERVED_SHM))
+       if (sec_caps & OPTEE_SMC_SEC_CAP_HAVE_RESERVED_SHM)
                pool = optee_config_shm_memremap(invoke_fn, &memremaped_shm);

        if (IS_ERR(pool))


For the module part:
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>