Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1109500pxf; Fri, 12 Mar 2021 02:02:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJzIEkuh6A+7sz5NHppe2yMohLkQZd2CegdhLK3YOJmgm18ZzVNJgAayoM7dKJkam2+1d+pz X-Received: by 2002:a17:906:2dc1:: with SMTP id h1mr7773448eji.460.1615543345040; Fri, 12 Mar 2021 02:02:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615543345; cv=none; d=google.com; s=arc-20160816; b=LE1nba9CHdTzwUxNtTGgIh9Yd1N/3UuBsXHo7SFj1TlBP6Z7W6+Akk0XaHldRG/use 7CU/cZx6IBcMFnuuZVzULDk27Ffu/03DAvTWnjX74YZnDvmQ/1tLn1l872B3szOGFunf WeMDep//YCI6w0c9pHVjDK2rZ3Suq/GJayepJmP4tEX3cBcaceEeh1mAxBatxLUClqvA vZ8WSJ5OT1eCrUBC46Dbqi+mcAKlcl469iMsKC2zrTgjtx0nCMqF+IcMZVarnjeCbuA1 3nwea7qHkn4QZa420Dc1SVFoO54Xt5VZBCdtTfP2/05UysepefWTa7PZkWYYO0RDtvVa atew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=x7b0YhLiDRYT0yOrjk/x/Y6N+KIRlemcKfsY/iEVybQ=; b=Pb1f5RRYH9YO2cbyiFaXC145ZsHIW7oW9XmeBhP4IA6hIwd6tYGCSLBdULYFB++iUa oDIkNQiLEEdeDIuzrw5KGun0RkUvVGrGicKlfR+L4PhgEDxmGa+VwxSsCHdsNdHdusvl 3kM56q2rhgnuK+77inxoteih+JIJLSz/ZX1rP9tiASpbVhWxDZMbHRML3kCh1/pEt0Zq hTvLVqnJe4WD3jv/pjXdIzjwutbBvG21I6OKmegPvWzR/BhIM0NidD/XgAF76hhqjOxL w4X6ZGJN9NRONCgWEnWaFs+P8WXXEUIHf/09h63V2UJ0fhF5CDwxk+1/XZoM8liKRf5T L45A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=F52JBUW2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u18si3459636ejb.504.2021.03.12.02.01.59; Fri, 12 Mar 2021 02:02:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=F52JBUW2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232397AbhCLKA4 (ORCPT + 99 others); Fri, 12 Mar 2021 05:00:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57310 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233019AbhCLKAi (ORCPT ); Fri, 12 Mar 2021 05:00:38 -0500 Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 50507C061763 for ; Fri, 12 Mar 2021 02:00:38 -0800 (PST) Received: by mail-lf1-x136.google.com with SMTP id v2so31764158lft.9 for ; Fri, 12 Mar 2021 02:00:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=x7b0YhLiDRYT0yOrjk/x/Y6N+KIRlemcKfsY/iEVybQ=; b=F52JBUW2RVO02xz7XfNFfnrhSZLb7p6RwfOQXW0+QwKiTpTiaiE/kwYwO+y5kvwTTb xZxDlKTU0zC8iGi9s3eB3O1qh9vAuqnCzdm0FQbgsL4bLr3Ruqn3fhleGWalnmxC38rB FgK2CVQxAaWOiBRWXiXhaAdbIjpvXMgUpIWczpQhvC4dfF3O6uaqfZeXxiEEoU7pYdoh v0OxguUFdiCEoCC7zzxnbDnPPd+iR1h3DsnWmx5o1uALjWmEGFn0rxgH7VcoOP1somqS 7HT5R8y07TA7h0PvmtdQ9IxgC4c4DqqDp/Sprqpgk7IqJYUO5UnI+msLE1D5pICduzc5 BEYw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=x7b0YhLiDRYT0yOrjk/x/Y6N+KIRlemcKfsY/iEVybQ=; b=Mt7oelSL59EWfd9qwmDnnISCbeWckSNUxZHmTc916qbA4mGGvb1cEE46xvWS5b8eHn kY2yyH64QV1071wIa0mE8/KqORdce9U+qBZNilGngfYQJcMOmTa6ConrZU9G8nDP8iVn RMb9PRQytWwBpwalZ83K2ywUWH/GpU8S6KwhFKBdIZbhJiEQp2TJDkYTmuQAbrqeYwrc 8n+GXOec6/G4ietYmXeEe1v/nKAQ0IVZLQVja4qbcn9HtFBzp366uRLVolpQwaTeHNim vrH33FNQnHS/yTnYtHAdgsYdm8CF0zNPlb6g50hbVq5ebX4U6fsE5coHMTOjVkA8tz2V UDog== X-Gm-Message-State: AOAM530VBBZLpEFANXidYWVBYFX0/SOznTtnOoPFUtEFp7NL2OdYNtir NQVMYxRWqpk0iuI50XZsJT9WcnZBJAT7VV+Jry8M6g== X-Received: by 2002:ac2:4d95:: with SMTP id g21mr5165763lfe.29.1615543236661; Fri, 12 Mar 2021 02:00:36 -0800 (PST) MIME-Version: 1.0 References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> <87k0qd7615.fsf@linaro.org> In-Reply-To: <87k0qd7615.fsf@linaro.org> From: Linus Walleij Date: Fri, 12 Mar 2021 11:00:24 +0100 Message-ID: Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem To: =?UTF-8?B?QWxleCBCZW5uw6ll?= Cc: Hector Martin , Sumit Garg , Arnd Bergmann , "open list:ASYMMETRIC KEYS" , David Howells , Jarkko Sakkinen , Joakim Bech , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , Ulf Hansson , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 11, 2021 at 10:08 PM Alex Benn=C3=A9e = wrote: > I guess what we are saying is that real secure monitors should come up > with their own common API for interfacing with RPMB devices without > looking to the Linux kernel for inspiration? The problem is that eMMC at least (I don't know about NVME etc) has serialized commands, meaning you execute one command at a time (some augmentation exist nowadays to speed up things). When it comes to RPMB, the eMMC device must stop all other activity (such as reading/writing any blocks to the eMMC) send a special command to switch to the RPMB partition, then execute the RPMB command(s) then send a special command to switch back to ordinary storage. Someone has to be in control of the eMMC arbitration. Right now Linux MMC/SD storage stack does this. If the secure world want to use RPMB independently of the Linux kernel there are two solutions: - Mount a second eMMC just for the secure world - looks expensive so some other secure counter storage would likely be cheaper and it inevitably increases the BOM which is sensitive to manufacturers (this option is unrealistic) - Let the secure world arbitrate all access to the eMMC - looks inefficient and also dangerous since the secure world now has to implement everything in drivers/mmc/core which is a few 100 KB of really complex code that need to be maintained perpetually. (IMO this option is also unrealistic for performance and maintenance reasons, but who knows what secure world imperialists are out there). This leaves Linux in control of the eMMC RPMB under all circumstances as far as I can see. Yours, Linus Walleij