Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <871ece13-7d6e-44d4-3bda-317658202f6f@siemens.com>
Date:   Wed, 7 Jun 2023 21:46:02 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.11.0
Subject: Re: [PATCH v5 3/3] efi: Add tee-based EFI variable driver
Content-Language: en-US
To:     Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc:     Sumit Garg <sumit.garg@linaro.org>,
        Ard Biesheuvel <ardb@kernel.org>,
        Masahisa Kojima <masahisa.kojima@linaro.org>,
        Jens Wiklander <jens.wiklander@linaro.org>,
        linux-kernel@vger.kernel.org, op-tee@lists.trustedfirmware.org,
        Johan Hovold <johan+linaro@kernel.org>,
        Maxime Coquelin <mcoquelin.stm32@gmail.com>,
        Alexandre Torgue <alexandre.torgue@foss.st.com>,
        linux-efi@vger.kernel.org,
        linux-stm32@st-md-mailman.stormreply.com,
        linux-arm-kernel@lists.infradead.org,
        "Su, Bao Cheng (RC-CN DF FA R&D)" <baocheng.su@siemens.com>
References: <20230526010748.1222-1-masahisa.kojima@linaro.org>
 <20230526010748.1222-4-masahisa.kojima@linaro.org>
 <0d3e0370-eb76-010f-3d30-9acc9b59645c@siemens.com>
 <CAFA6WYPnWJNPvhT2JDkO-qXRUaJoxBGZEvSfhxcRynV7=VSdQA@mail.gmail.com>
 <CAMj1kXFM45PCTU--+CCed6Cq_N5XqDG6tTu6fnQTSCpW2BWA5A@mail.gmail.com>
 <4ff09002-e871-38b9-43ec-227a64bac731@siemens.com>
 <CAC_iWjJJ5E9Q1or5yTiDynzv_WAYH-g+N24aRdu9rvcsbWqnrg@mail.gmail.com>
 <CAFA6WYNFYB1LiOFB_iwTsdD5PmnDdSbtDSH2J4FVFPx3uik8rQ@mail.gmail.com>
 <CAC_iWj+E7-XK6dCeSn4205K0O3EZCLxCaC+adu-14ST6sdudfA@mail.gmail.com>
 <76da826f-b608-6add-5401-6de818b180e3@siemens.com>
 <CAFA6WYPCDRjFzsUMU=SNzEt88nT7Fcm1eOFL8z4HiQO+=2JeVA@mail.gmail.com>
 <cc6bd203-83ea-c247-0986-7fec6f327ee8@siemens.com>
 <CAC_iWjKZNHJxq4VMFnV7oQngwBBCQveh=s34u1LZ59YUqViPbw@mail.gmail.com>
 <CAC_iWjJMv68yLC606SBhMmBYkR4wVC8SvUcPvNM=RX_qL=9Bvw@mail.gmail.com>
 <b9b8c1d3-fc8e-df94-d12b-a9e3debf3418@siemens.com>
 <CAC_iWj+cP4RfDNu_n-ZOp7A62W34drLpPszN_hrkqF_aPTLtMg@mail.gmail.com>
From:   Jan Kiszka <jan.kiszka@siemens.com>
In-Reply-To: <CAC_iWj+cP4RfDNu_n-ZOp7A62W34drLpPszN_hrkqF_aPTLtMg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?a3lKWXh1WHltelMvVVNxd25DQXdGU2tVRWV0L2xrdEtQMmhYYVEydDRmNkRT?=
 =?utf-8?B?NzRVUVhrZHh1S0JwY2NnSG1rTkluR0lYV1dzajRIalk3UmNQNGpleFFCZzNJ?=
 =?utf-8?B?cTJXeDUwNUtEY2pOSVFGaGpvQXZaZkU2amRwbHEyOERBem8xNVpuQ3R6ZVhT?=
 =?utf-8?B?bWdJN0djUzNKc3Fpazl0TWVLWXFnL3pBTzlJNHl6MW9BbERiQ0tTVHRidmdl?=
 =?utf-8?B?VTdUVnNLZ2F4WTZFQ0VkeWd1Z01VZE14T1RzSEpSeXAzanBVRHNkeW0xTm52?=
 =?utf-8?B?L2ZGczd1ZFJMbUZsS3lycWo0N3hlbkUwNzlKUEQ4Ym5sN0RkUHdNMmMwSENy?=
 =?utf-8?B?RTZVZmI1Q3ErMFQvb3JxZWUyMUFjNzI2SGkrdklxelRlOE15QzhoaVROMGZl?=
 =?utf-8?B?MTJEQmRZZWhzQ29PME5kclhOOEtVNVRkS0lkSDNabTE4SDJ1RE5VUHJ3ZjBz?=
 =?utf-8?B?QVhnR2k4RVhDUS9LckE3YkVOY1oxYisxcXNrS3ovTDNhT3V1OTJ2Y2pNdTJs?=
 =?utf-8?B?Q3NHYXYrWUhocGlsLzRvRysvbjJ6bUpscmJTTDNSdVJET2pkQ0d1aG0zaXZY?=
 =?utf-8?B?NkVnblN1TmIrSUFFelJKL3JuTzVQZlptUEVJQUxubkZpekkraW9rbGt4LzYr?=
 =?utf-8?B?OXZ6R1pJbHpLUHA1b25FYmh5K3hkZVBGaWFmWHBYM2FpVDg0Q1p2UnJOL0hM?=
 =?utf-8?B?dWM1MFltTStvL1I0TDFyZE10VTRxOUg4bXpYZWwwZTBQM1o3aUh5ek4yYlJX?=
 =?utf-8?B?SktDY0xvaVNqamhSNXBSNXhpbXRoTWJ6alJDS051bE5GU2hmKzBVS0toelBy?=
 =?utf-8?B?a3daZzJESHQyb3c3YzJSVWVGODFsT0krc1lYaGpraHNjUWNIT21tM1BDWW9z?=
 =?utf-8?B?Q2sySng2b2FTaXpxL1RPeXJHSEhlZ1c2RmNHb1kwUFlZbDlEdFJCaG1Wak1h?=
 =?utf-8?B?NTA4cDVVbVlTeXYxSFQ0WGM4ek12bnFHZjd2Z0hQSHo5NmJVc3B2SXBwaFdB?=
 =?utf-8?B?aWVVMzVlYVY5UWFWNktWMlRHeU5hZ0lkZlZ1ck9CdDcyM2MyTTFxRnA2T0VD?=
 =?utf-8?B?eVI5My85L1ZrcFdnZlkwSUQ0bmhUQ3dJVWMwOXVsNmlPbkUwN1NoaUhST1pw?=
 =?utf-8?B?c2pRU2xqR3MxNW1kSDZjTVVpMUxOT2V5TXpOcE0vaDY2N1FtaGw3U2ZBaUNV?=
 =?utf-8?B?L00yOUFTK1k5bFkzd25tdERmd3VyK3NueFZyZ3BJaUFSSHVUbnZQMVdIVXVu?=
 =?utf-8?B?SGhuUG5zSXl0dGFCbXdjZTRXUUp6U21UR0tER2QrYnNZczRwYkIyTWZSc1VO?=
 =?utf-8?B?MUliUHA0aGF4SXQyZHVkMmo3cmRYaS8vWEpYM1hUOHZTZGp5UTJ2VlJ3cDdk?=
 =?utf-8?B?Wm85ZEpLbGEwcHdUZlBNbDF0Q1RMN1E1NE9OVExocW0xa29Fbk8vcnkrd1ln?=
 =?utf-8?B?SHduSjkzOEVhK1gyZi9kRDBSblY1RVJCMUlabFZzbkx4b3R3OFBSVWcwMTlN?=
 =?utf-8?B?U1VnSXdYOXc0NEJFTXE2YkNJcEE1REczdmxVMCtTd2tRNFdjR0Y0N0crc3hL?=
 =?utf-8?B?YVdsY2Z2VFozQS95NHBYbHlLd0lDY1JLMTFWM0E0eWZNYk1VWURqVWRCdEtO?=
 =?utf-8?B?Skg2YXFhWGxKZXU0ZVpqcTZaMk13eTJ1ZTJxL1doemRRN0drMWx3OXlnWHV5?=
 =?utf-8?B?TG9jd0VyMitlcVN3R1Y5ZnJmSE5sZkFaOXRVamFtMnY3SnNFaTkydWFDeTla?=
 =?utf-8?B?c2w2QlFRaEZ2RzNPdDUveUZzZFIzdjVtd3dEOS80UTVsM214RVl1N0FaZFha?=
 =?utf-8?B?Wjd2VUVmWFBKKzlHRmVYN0lVaG9iKzBINjBPOWdGU2JsR3FXVnErSDFwS3hG?=
 =?utf-8?B?TkJQTVNLVjlRTy9HdFV4ZTI4Q3lMRjMvRURpS2krNzJzaFZpRUJYU2FwVDEz?=
 =?utf-8?B?eUFDZlhCOENUSjRBZldZdnZxTVZEMzZFQTRqU2h1c3B0TDYveERkZTJ1ZWR1?=
 =?utf-8?B?c0I1V1N4Wml3NkEzTUZFTHFIT2hwVnhFOWN1cEV0clUvL1Uwa2N3aXowWGZl?=
 =?utf-8?B?M2hBOGU4OWxMdFphTGhGUWo3V1A1S2hHNTNBZ29zL3I4YkRDZTc1aW9FcEtL?=
 =?utf-8?B?ZjhtbnQ0YVV4SUl3MmFTN2czNnFibCtRaHdxMmVKNjQzc0Y3VzR6TS8reSt5?=
 =?utf-8?B?SkE9PQ==?=
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1cfaaf9a-be70-4335-eeb0-08db678fd5d9
X-MS-Exchange-CrossTenant-AuthSource: AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jun 2023 19:46:07.1206
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: a1AohzRNm/AlYdhm9GiKWzz7rco8ALIhijIk2ClCFaBIM+Ts02Aomevwa1zugYQ8h+/DKznFA7+nREFl35ARDA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV2PR10MB6933
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,
        NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,
        SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07.06.23 20:17, Ilias Apalodimas wrote:
> On Wed, 7 Jun 2023 at 20:14, Jan Kiszka <jan.kiszka@siemens.com> wrote:
>>
>> On 07.06.23 18:59, Ilias Apalodimas wrote:
>>> On Wed, 7 Jun 2023 at 19:09, Ilias Apalodimas
>>> <ilias.apalodimas@linaro.org> wrote:
>>>>
>>>> Hi Jan,
>>>>
>>>> [...]
>>>>>>>> No I don't, this will work reliably without the need to remount the efivarfs.
>>>>>>>> As you point out you will still have this dependency if you end up
>>>>>>>> building them as modules and you manage to mount the efivarfs before
>>>>>>>> those get inserted.  Does anyone see a reasonable workaround?
>>>>>>>> Deceiving the kernel and making the bootloader set the RT property bit
>>>>>>>> to force the filesystem being mounted as rw is a nasty hack that we
>>>>>>>> should avoid.  Maybe adding a kernel command line parameter that says
>>>>>>>> "Ignore the RTPROP I know what I am doing"?  I don't particularly love
>>>>>>>> this either, but it's not unreasonable.
>>>>>>>
>>>>>>> In the context of https://github.com/OP-TEE/optee_os/issues/6094,
>>>>>>> basically this issue mapped on reboot/shutdown, I would really love to
>>>>>>> see the unhandy tee-supplicant daemon to be overcome.
>>>>>>
>>>>>> I have seen this error before and it has been on my todo list. So I
>>>>>> have tried to fix it here [1]. Feel free to test it and let me know if
>>>>>> you see any further issues.
>>>>>>
>>>>>> [1] https://lkml.org/lkml/2023/6/7/927
>>>>>>
>>>>>
>>>>> Ah, nice, will test ASAP!
>>>>>
>>>>> Meanwhile more food: I managed to build a firmware that was missing
>>>>> STMM. But the driver loaded, and I got this:
>>>>
>>>> Thanks for the testing. I'll try to reproduce it locally and get back to you
>>>
>>> Can you provide a bit more info on how that was triggered btw? I would
>>> be helpful to know
>>>
>>> - OP-TEE version
>>
>> Today's master, 145953d55.
>>
>>> - was it compiled as a module or built-in?
>>
>> Sorry, not sure anymore, switching back and forth right now. I think it
>> was built-in.
>>
>>> - was the supplicant running?
>>
>> Yes.
>>
> 
> Ok thanks, that helps.  I guess this also means U-Boot was compiled to
> store the variables in a file in the ESP instead of the RPMB right?
> Otherwise, I can't see how the device booted in the first place.

U-Boot was not configured to perform secure booting in this case. It had
RPMB support enabled, just didn't have to use it.

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux