Re: [RFC PATCH v3 0/4] TEE driver for AMD APUs

[Jens Wiklander <jens.wiklander@linaro.org>]

+Olof and Arnd, who are usually taking my pull requests.

On Mon, Dec 16, 2019 at 06:35:03PM +0530, Thomas, Rijo-john wrote:
> +Herbert
> 
> Hi Jens,
> 
> On 16/12/19 6:09 pm, Jens Wiklander wrote:
> > Hi Rijo,
> > 
> > On Thu, Dec 12, 2019 at 06:04:24PM +0530, Thomas, Rijo-john wrote:
> >> Hi Jens,
> >>
> >> Please let me know if there are any comments for this patch series. I
> >> shall address them, if any, and post for next review.
> > 
> > This looks good, I have no further comments.
> > 
> > How do you intend to upstream this? There's the dependency towards "Add
> > TEE interface support to AMD Secure Processor driver"
> > (https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flkml.org%2Flkml%2F2019%2F12%2F4%2F42&data=02%7C01%7CRijo-john.Thomas%40amd.com%7C3be32c79103640faefdc08d78224f703%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637120967585713342&sdata=I2lQNxu%2BBeIrL3Yk09IOYlUGsxWeCmLJhCcFuyqSJkA%3D&reserved=0) to take into account too.
> 
> Thanks! If you are okay, can you give an Acked-by so that I can ask the crypto
> subsystem maintainer to pull these patches as well.

Sounds good. The risk for merge conflicts with other patches via the
normal path (arm-soc) should be minimal, if there's any I expect them to
be trivial to resolve.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

Thanks,
Jens

> 
> Thanks,
> Rijo
> 
> > 
> > Thanks,
> > Jens
> > 
> >>
> >> Thanks,
> >> Rijo
> >>
> >> On 06/12/19 10:48 am, Rijo Thomas wrote:
> >>> This patch series introduces Trusted Execution Environment (TEE) driver
> >>> for AMD APU enabled systems. The TEE is a secure area of a processor which
> >>> ensures that sensitive data is stored, processed and protected in an
> >>> isolated and trusted environment. The AMD Secure Processor is a dedicated
> >>> processor which provides TEE to enable HW platform security. It offers
> >>> protection against software attacks generated in Rich Operating
> >>> System (Rich OS) such as Linux running on x86. The AMD-TEE Trusted OS
> >>> running on AMD Secure Processor allows loading and execution of security
> >>> sensitive applications called Trusted Applications (TAs). An example of
> >>> a TA would be a DRM (Digital Rights Management) TA written to enforce
> >>> content protection.
> >>>
> >>> Linux already provides a tee subsystem, which is described in [1]. The tee
> >>> subsystem provides a generic TEE ioctl interface which can be used by user
> >>> space to talk to a TEE driver. AMD-TEE driver registers with tee subsystem
> >>> and implements tee function callbacks in an AMD platform specific manner.
> >>>
> >>> The following TEE commands are recognized by AMD-TEE Trusted OS:
> >>> 1. TEE_CMD_ID_LOAD_TA : Load Trusted Application (TA) binary into TEE
> >>>    environment
> >>> 2. TEE_CMD_ID_UNLOAD_TA : Unload TA binary from TEE environment
> >>> 3. TEE_CMD_ID_OPEN_SESSION : Open session with loaded TA
> >>> 4. TEE_CMD_ID_CLOSE_SESSION : Close session with loaded TA
> >>> 5. TEE_CMD_ID_INVOKE_CMD : Invoke a command with loaded TA
> >>> 6. TEE_CMD_ID_MAP_SHARED_MEM : Map shared memory
> >>> 7. TEE_CMD_ID_UNMAP_SHARED_MEM : Unmap shared memory
> >>>
> >>> Each command has its own payload format. The AMD-TEE driver creates a
> >>> command buffer payload for submission to AMD-TEE Trusted OS.
> >>>
> >>> This patch series has a dependency on another patch set titled - Add TEE
> >>> interface support to AMD Secure Processor driver.
> >>> Link: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flkml.org%2Flkml%2F2019%2F12%2F4%2F42&amp;data=02%7C01%7CRijo-john.Thomas%40amd.com%7C3be32c79103640faefdc08d78224f703%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637120967585713342&amp;sdata=I2lQNxu%2BBeIrL3Yk09IOYlUGsxWeCmLJhCcFuyqSJkA%3D&amp;reserved=0
> >>>
> >>> v3:
> >>> * Updated [1] with driver details
> >>>
> >>> v2:
> >>> * Added a helper API in AMD Secure Processor driver, which can be
> >>>   called by AMD-TEE driver during module init to check if TEE is
> >>>   present on the device
> >>> * Added proper checks for parameter attribute variable
> >>> * Used tee_shm_pool_alloc() to allocate struct tee_shm_pool data structure
> >>> * Removed all references to tee_private.h header file in driver code,
> >>>   except for the file drivers/tee/amdtee/core.c. The driver loads TA binary
> >>>   by calling request_firmware(), which takes struct device* as one of its
> >>>   arguments. The device 'dev' field is part of struct tee_device, defined
> >>>   in tee_private.h
> >>>
> >>> [1] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.kernel.org%2Fdoc%2FDocumentation%2Ftee.txt&amp;data=02%7C01%7CRijo-john.Thomas%40amd.com%7C3be32c79103640faefdc08d78224f703%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637120967585713342&amp;sdata=3nmaMDGsdbqRdR3ocM0xoEFsNRbd2IgUj6tvCKJhk2w%3D&amp;reserved=0
> >>>
> >>> Rijo Thomas (4):
> >>>   tee: allow compilation of tee subsystem for AMD CPUs
> >>>   tee: add AMD-TEE driver
> >>>   tee: amdtee: check TEE status during driver initialization
> >>>   Documentation: tee: add AMD-TEE driver details
> >>>
> >>>  Documentation/tee.txt               |  81 ++++++
> >>>  drivers/crypto/ccp/tee-dev.c        |  11 +
> >>>  drivers/tee/Kconfig                 |   4 +-
> >>>  drivers/tee/Makefile                |   1 +
> >>>  drivers/tee/amdtee/Kconfig          |   8 +
> >>>  drivers/tee/amdtee/Makefile         |   5 +
> >>>  drivers/tee/amdtee/amdtee_if.h      | 183 +++++++++++++
> >>>  drivers/tee/amdtee/amdtee_private.h | 159 +++++++++++
> >>>  drivers/tee/amdtee/call.c           | 373 ++++++++++++++++++++++++++
> >>>  drivers/tee/amdtee/core.c           | 516 ++++++++++++++++++++++++++++++++++++
> >>>  drivers/tee/amdtee/shm_pool.c       |  93 +++++++
> >>>  include/linux/psp-tee.h             |  18 ++
> >>>  include/uapi/linux/tee.h            |   1 +
> >>>  13 files changed, 1451 insertions(+), 2 deletions(-)
> >>>  create mode 100644 drivers/tee/amdtee/Kconfig
> >>>  create mode 100644 drivers/tee/amdtee/Makefile
> >>>  create mode 100644 drivers/tee/amdtee/amdtee_if.h
> >>>  create mode 100644 drivers/tee/amdtee/amdtee_private.h
> >>>  create mode 100644 drivers/tee/amdtee/call.c
> >>>  create mode 100644 drivers/tee/amdtee/core.c
> >>>  create mode 100644 drivers/tee/amdtee/shm_pool.c
> >>>
> >>> --
> >>> 1.9.1
> >>>