Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1102691pxf; Fri, 12 Mar 2021 01:49:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJx/HVNnvgAE/KLZz/KUDCDiYPzNyj/aF/BGiX9G1DlAxTBaUVG/C3HfWJ73Dc/W3FsE/yLV X-Received: by 2002:a17:906:f891:: with SMTP id lg17mr7688997ejb.69.1615542565677; Fri, 12 Mar 2021 01:49:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615542565; cv=none; d=google.com; s=arc-20160816; b=SbNRyepx8LvrAF8eEZ2w340GL3v7X3S0Ew2+rbfYMxMzXt481sC8jpkVhayH2l21Ce beZEXBJRxb3wyji9TIP67Xf7bLkcXb0HMjFdMYzSp/zyWR2KOXq9uZAWAlIlvXziuvtu 8YwC0QPlqRET5HF9lL8Zor9EOm5fJY+HUv3fxceMH3UisN06iJWdxz+XkHyb0LyTU7XN FaoK33lwLwM6BNk+qrsRI+I1To1qhUbEI0eX1Oyu53WryALq/7wU8bmeIen7d2tTgKRv OcH0mzbEDQDqgOvXXQcmxVYnpj9qJz/LZoRruwP9M9x8mOiZyjS2OE2nTMyEivRP6scS Vobg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=VMk9ZOPG5drs53p+SuNaGTRJ/y2LmEHScXuPR6AdCe8=; b=h+z7vn2uSxUVR7GYab989dvN0t7213mtl5hJ+nuksHIs2B45kIYo6qIhNHLJd/Bdl7 YA7rGNjO0Lt+n/keuUyWFY5NH1Up9fMq3hd/9OR8m1paPen9aoCBB+/I/CDKOuk6Yvf2 EJull2PNmqF26+qrsTQN0FrVDtpOBKzLS7Z8HGhzCviW4+U0Gk8VYR1NkUXfYyGvuwNv VvVBmZn2Qwc9TyN3Haqw+iIppN/mvK35vy+VLbCKcewcBshwoaFnD8x4PhTPQKjDfcoh 5/eN7oDGbnoHNM6CobUTdycPPyWBAXfXwEwLtqEAtk45F5Hn6IF/rvlMRYQkFWso93tv Lrmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="w/JETIl+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b24si3475679edr.415.2021.03.12.01.49.02; Fri, 12 Mar 2021 01:49:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="w/JETIl+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232955AbhCLJr5 (ORCPT + 99 others); Fri, 12 Mar 2021 04:47:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54364 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232834AbhCLJrf (ORCPT ); Fri, 12 Mar 2021 04:47:35 -0500 Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F92FC061574 for ; Fri, 12 Mar 2021 01:47:34 -0800 (PST) Received: by mail-lf1-x132.google.com with SMTP id r3so36553748lfc.13 for ; Fri, 12 Mar 2021 01:47:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VMk9ZOPG5drs53p+SuNaGTRJ/y2LmEHScXuPR6AdCe8=; b=w/JETIl+jQpqvLCzn65MfrNC+8dTeF7KPKuQmMEOIbfX+jVeeA7NaQgQWGUwT2Rxsg pTAP60qjPN4LU5FcusSQZTv1JZfc9SlNHr7cl8Q5SbAcp3Mnaprsyck5NHPd85i8uj4I aSPTwaD6/RWpoysa3nFv9ZL/ZGFUv4kJkMrIy7xKD2fqtJu5vWfsJeCo1WyoOpH+iy8w T520hqje2419f+Hn33AHVMTRrN8mdybSM4zmVUrpRpSUHm0wrq4HJeLNUksNJZ1gd4TJ AwyOn+1R/+Uf20b6CwA4QCQqdwpn/uWjRs970tvXuNyO3BQygdJsKzyaj73sTpgV+en3 O9rQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VMk9ZOPG5drs53p+SuNaGTRJ/y2LmEHScXuPR6AdCe8=; b=RYi35AP3dXZfTrGrjNxJIoEY4pekGC3inRRnZkuvg0l/w2cYKf9mz38oIeYL7MZtcO Pdb7XXoCahKY4EQlgFWMMh51L1y1hth4NNxpGONa5puqYA2RMYFzqUmLVTXZxK4BzLhA mC6DyfQyfuKU9YFBFs/oqZYTavUXbwtizb9kUMQTCRTmmAEz9o3s5SEuEqFGx+Jl9m9o N6T6tEjQFikFrNlmLReD6j1yj7mwB9eupkm/vmR6ZDLhmK+Cvxde3eLzDIRJ0N40FcGN YqrNmHULTuvw+GpPtJFwCFrX32yPqujlXqpOha/nKpnr5qU7n9LaV/CEcKXNjQFa41kF mgKw== X-Gm-Message-State: AOAM532E/0HPXmbiGqYsAdRSUGnVxAjyG/aBwUwy3LNNg5ZlqOpSmyQE hY13vXrkqCY0v6WQW7jYbBPTdGHxBGm356ottPCpTw== X-Received: by 2002:a19:6b13:: with SMTP id d19mr4768518lfa.291.1615542453087; Fri, 12 Mar 2021 01:47:33 -0800 (PST) MIME-Version: 1.0 References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> In-Reply-To: <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> From: Linus Walleij Date: Fri, 12 Mar 2021 10:47:21 +0100 Message-ID: Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem To: Hector Martin Cc: Sumit Garg , Arnd Bergmann , "open list:ASYMMETRIC KEYS" , David Howells , Jarkko Sakkinen , Joakim Bech , =?UTF-8?B?QWxleCBCZW5uw6ll?= , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , linux-nvme@vger.kernel.org, Ulf Hansson , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Hector, I see a misunderstanding here :) explaining below. On Thu, Mar 11, 2021 at 9:29 PM Hector Martin wrote: > And so we're back to embedded platforms like Android phones and other > SoC stuff... user-controlled secureboot is already somewhat rare here, > and even rarer are the cases where the user controls the whole chain > including the TEE if any (otherwise it'll be using RPMB already); this > pretty much excludes all production Android phones except for a few > designed as completely open systems; we're left with those and a subset > of dev boards (e.g. the Jetson TX1 I did fuse experiments on). In the > end, those systems will probably end up with fairly bespoke set-ups for > any given device or SoC family, for using RPMB. Hehe. I think we have different ideas of "user-controlled" here, our "users" include OP-TEE, which develop and deploy a TEE which is open source. https://www.op-tee.org/ Joakim who works on this project is on CC he's just not saying anything (yet). This project is forked and deployed by different Android and other Arm SoC-using vendors. Some vendors have written their own TEE from scratch. So our users include these guys. :) As in: they take an active interest in what we are designing here. They have access to devices where they can replace the whole secure world for development. They work actively with the kernel and created the drivers/tee subsystem which is the pipe where the kernel and the TEE communicate. > But then again, if you have a full secureboot system where you control > the TEE level, wouldn't you want to put the RPMB shenanigans there and > get some semblance of secure TPM/keystore/attempt throttling > functionality that is robust against Linux exploits and has a smaller > attack surface? Systems without EL3 are rare (Apple M1 :-)) so it makes > more sense to do this on those that do have it. If you're paranoid > enough to be getting into building your own secure system with > anti-rollback for retry counters, you should be heading in that directly > anyway. > > And now Linux's RPMB code is useless because you're running the stack in > the secure monitor instead :-) The way OP-TEE makes use of RPMB is to call out to a userspace daemon called tee-supplicant, which issues ioctl()s down to the eMMC device to read/write counters. AFAIK other TEE implementations use a similar scheme. (Judging from feedback I got when rewriting the RPMB code in the MMC subsystem, it mattered to them.) Their source code is here: https://github.com/OP-TEE/optee_client/blob/master/tee-supplicant/src/rpmb.c So Linux' eMMC RPMB code is already in wide use for this, it is what I think all Android phones are actually using to read/write RPMB counters. It's not like they're accessing RPMB "on the side" or so. (I might be wrong!) Since reading/writing RPMB on eMMC needs to be serialized alongside Linux' read/write commands it is absolutely necessary that the secure world and the Linux storage drivers cooperate so the solution is to let Linux handle this arbitration. Now the question for this patch set is: is TEE software the only user we need to care about? Yours, Linus Walleij