Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1109500pxf;
        Fri, 12 Mar 2021 02:02:25 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzIEkuh6A+7sz5NHppe2yMohLkQZd2CegdhLK3YOJmgm18ZzVNJgAayoM7dKJkam2+1d+pz
X-Received: by 2002:a17:906:2dc1:: with SMTP id h1mr7773448eji.460.1615543345040;
        Fri, 12 Mar 2021 02:02:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1615543345; cv=none;
        d=google.com; s=arc-20160816;
        b=LE1nba9CHdTzwUxNtTGgIh9Yd1N/3UuBsXHo7SFj1TlBP6Z7W6+Akk0XaHldRG/use
         7CU/cZx6IBcMFnuuZVzULDk27Ffu/03DAvTWnjX74YZnDvmQ/1tLn1l872B3szOGFunf
         WeMDep//YCI6w0c9pHVjDK2rZ3Suq/GJayepJmP4tEX3cBcaceEeh1mAxBatxLUClqvA
         vZ8WSJ5OT1eCrUBC46Dbqi+mcAKlcl469iMsKC2zrTgjtx0nCMqF+IcMZVarnjeCbuA1
         3nwea7qHkn4QZa420Dc1SVFoO54Xt5VZBCdtTfP2/05UysepefWTa7PZkWYYO0RDtvVa
         atew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=x7b0YhLiDRYT0yOrjk/x/Y6N+KIRlemcKfsY/iEVybQ=;
        b=Pb1f5RRYH9YO2cbyiFaXC145ZsHIW7oW9XmeBhP4IA6hIwd6tYGCSLBdULYFB++iUa
         oDIkNQiLEEdeDIuzrw5KGun0RkUvVGrGicKlfR+L4PhgEDxmGa+VwxSsCHdsNdHdusvl
         3kM56q2rhgnuK+77inxoteih+JIJLSz/ZX1rP9tiASpbVhWxDZMbHRML3kCh1/pEt0Zq
         hTvLVqnJe4WD3jv/pjXdIzjwutbBvG21I6OKmegPvWzR/BhIM0NidD/XgAF76hhqjOxL
         w4X6ZGJN9NRONCgWEnWaFs+P8WXXEUIHf/09h63V2UJ0fhF5CDwxk+1/XZoM8liKRf5T
         L45A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=F52JBUW2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u18si3459636ejb.504.2021.03.12.02.01.59;
        Fri, 12 Mar 2021 02:02:25 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=F52JBUW2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232397AbhCLKA4 (ORCPT <rfc822;m15259695263@gmail.com>
        + 99 others); Fri, 12 Mar 2021 05:00:56 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57310 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233019AbhCLKAi (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 12 Mar 2021 05:00:38 -0500
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 50507C061763
        for <linux-kernel@vger.kernel.org>; Fri, 12 Mar 2021 02:00:38 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id v2so31764158lft.9
        for <linux-kernel@vger.kernel.org>; Fri, 12 Mar 2021 02:00:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=x7b0YhLiDRYT0yOrjk/x/Y6N+KIRlemcKfsY/iEVybQ=;
        b=F52JBUW2RVO02xz7XfNFfnrhSZLb7p6RwfOQXW0+QwKiTpTiaiE/kwYwO+y5kvwTTb
         xZxDlKTU0zC8iGi9s3eB3O1qh9vAuqnCzdm0FQbgsL4bLr3Ruqn3fhleGWalnmxC38rB
         FgK2CVQxAaWOiBRWXiXhaAdbIjpvXMgUpIWczpQhvC4dfF3O6uaqfZeXxiEEoU7pYdoh
         v0OxguUFdiCEoCC7zzxnbDnPPd+iR1h3DsnWmx5o1uALjWmEGFn0rxgH7VcoOP1somqS
         7HT5R8y07TA7h0PvmtdQ9IxgC4c4DqqDp/Sprqpgk7IqJYUO5UnI+msLE1D5pICduzc5
         BEYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=x7b0YhLiDRYT0yOrjk/x/Y6N+KIRlemcKfsY/iEVybQ=;
        b=Mt7oelSL59EWfd9qwmDnnISCbeWckSNUxZHmTc916qbA4mGGvb1cEE46xvWS5b8eHn
         kY2yyH64QV1071wIa0mE8/KqORdce9U+qBZNilGngfYQJcMOmTa6ConrZU9G8nDP8iVn
         RMb9PRQytWwBpwalZ83K2ywUWH/GpU8S6KwhFKBdIZbhJiEQp2TJDkYTmuQAbrqeYwrc
         8n+GXOec6/G4ietYmXeEe1v/nKAQ0IVZLQVja4qbcn9HtFBzp366uRLVolpQwaTeHNim
         vrH33FNQnHS/yTnYtHAdgsYdm8CF0zNPlb6g50hbVq5ebX4U6fsE5coHMTOjVkA8tz2V
         UDog==
X-Gm-Message-State: AOAM530VBBZLpEFANXidYWVBYFX0/SOznTtnOoPFUtEFp7NL2OdYNtir
        NQVMYxRWqpk0iuI50XZsJT9WcnZBJAT7VV+Jry8M6g==
X-Received: by 2002:ac2:4d95:: with SMTP id g21mr5165763lfe.29.1615543236661;
 Fri, 12 Mar 2021 02:00:36 -0800 (PST)
MIME-Version: 1.0
References: <20210303135500.24673-1-alex.bennee@linaro.org>
 <20210303135500.24673-2-alex.bennee@linaro.org> <CAK8P3a0W5X8Mvq0tDrz7d67SfQA=PqthpnGDhn8w1Xhwa030-A@mail.gmail.com>
 <20210305075131.GA15940@goby> <CAK8P3a0qtByN4Fnutr1yetdVZkPJn87yK+w+_DAUXOMif-13aA@mail.gmail.com>
 <CACRpkdb4RkQvDBgTMW_+7yYBsHNRyJZiT5bn04uQJgk7tKGDOA@mail.gmail.com>
 <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <CAFA6WYOYmTgguVDwpyjnt3gLssqW48qzAkRD_nyPYg0nNhxT2A@mail.gmail.com>
 <beca6bc8-8970-bd01-8de0-6ded1fb69be2@marcan.st> <CAFA6WYMSJxK2CjmoLJ6mdNNEfOQOMVXZPbbFRfah7KLeZNfguw@mail.gmail.com>
 <CACRpkdZb5UMyq5qSJE==3ZnH-7fh92q_t4AnE8mPm0oFEJxqpQ@mail.gmail.com>
 <e5d3f4b5-748e-0700-b897-393187b2bb1a@marcan.st> <CACRpkdYxMGN3N-jFt1Uw4AkBR-x=dRj6HEvDp6g+2ku7+qCLwg@mail.gmail.com>
 <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> <87k0qd7615.fsf@linaro.org>
In-Reply-To: <87k0qd7615.fsf@linaro.org>
From:   Linus Walleij <linus.walleij@linaro.org>
Date:   Fri, 12 Mar 2021 11:00:24 +0100
Message-ID: <CACRpkdYNdoK9T503en6dPfz5sSc0eDGLzhnUBqRUbZR3j43byA@mail.gmail.com>
Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem
To:     =?UTF-8?B?QWxleCBCZW5uw6ll?= <alex.bennee@linaro.org>
Cc:     Hector Martin <marcan@marcan.st>,
        Sumit Garg <sumit.garg@linaro.org>,
        Arnd Bergmann <arnd@linaro.org>,
        "open list:ASYMMETRIC KEYS" <keyrings@vger.kernel.org>,
        David Howells <dhowells@redhat.com>,
        Jarkko Sakkinen <jarkko@kernel.org>,
        Joakim Bech <joakim.bech@linaro.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Maxim Uvarov <maxim.uvarov@linaro.org>,
        Ilias Apalodimas <ilias.apalodimas@linaro.org>,
        Ruchika Gupta <ruchika.gupta@linaro.org>,
        "Winkler, Tomas" <tomas.winkler@intel.com>, yang.huang@intel.com,
        bing.zhu@intel.com, Matti.Moell@opensynergy.com,
        hmo@opensynergy.com, linux-mmc <linux-mmc@vger.kernel.org>,
        linux-scsi <linux-scsi@vger.kernel.org>,
        Ulf Hansson <ulf.hansson@linaro.org>,
        Arnd Bergmann <arnd.bergmann@linaro.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 11, 2021 at 10:08 PM Alex Benn=C3=A9e <alex.bennee@linaro.org> =
wrote:

> I guess what we are saying is that real secure monitors should come up
> with their own common API for interfacing with RPMB devices without
> looking to the Linux kernel for inspiration?

The problem is that eMMC at least (I don't know about NVME etc)
has serialized commands, meaning you execute one command at
a time (some augmentation exist nowadays to speed up things).

When it comes to RPMB, the eMMC device must stop all other
activity (such as reading/writing any blocks to the eMMC) send a
special command to switch to the RPMB  partition, then execute
the RPMB command(s) then send a special command to switch
back to ordinary storage.

Someone has to be in control of the eMMC arbitration. Right now
Linux MMC/SD storage stack does this.

If the secure world want to use RPMB independently of the Linux
kernel there are two solutions:

- Mount a second eMMC just for the secure world - looks expensive
  so some other secure counter storage would likely be cheaper
  and it inevitably increases the BOM which is sensitive to
  manufacturers (this option is unrealistic)

- Let the secure world arbitrate all access to the eMMC - looks
  inefficient and also dangerous since the secure world now has to
  implement everything in drivers/mmc/core which is a few 100
  KB of really complex code that need to be maintained perpetually.
  (IMO this option is also unrealistic for performance and
  maintenance reasons, but who knows what secure world
  imperialists are out there).

This leaves Linux in control of the eMMC RPMB under all
circumstances as far as I can see.

Yours,
Linus Walleij