Received: by 2002:a05:7412:798b:b0:fc:a2b0:25d7 with SMTP id fb11csp234919rdb; Thu, 22 Feb 2024 01:55:52 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXMOC5qtZ56L0g8DJfRJLrn+Z1z2m1P6XDITEMmtgC6N7djGEwuGCzmrhYEgARkZdVeU4QuuWiVezHLGmzZUx0Tv+wbZXHUnqk2WUKWuA== X-Google-Smtp-Source: AGHT+IGczQeYYzWdJKiDDMKyFqiExB44Cear6dIGplyccF1nNmXvCut427S6SwpAMakgQnDa/TsI X-Received: by 2002:a17:906:517:b0:a3e:f00c:ee25 with SMTP id j23-20020a170906051700b00a3ef00cee25mr4776301eja.25.1708595752687; Thu, 22 Feb 2024 01:55:52 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708595752; cv=pass; d=google.com; s=arc-20160816; b=M765XX0KiBQZt+x3Eah/Hd265Dh2ycg2hqjElv2XY4e/pYkw4dwbZCOycHys63TFfb lE6EzUTTzRrrAZ3p6J9Fxd/585nd+XwkH2/kF97xVozyLln46cGYX7WcznJr4Yn33zGr 7s8Ne5Hrf5Gy9mRb0V7UXrZdG2kMxnQTEY5PmpK2o/k97/D9uy1UwoVKW8CQmLScbuNn syjvVvOp0Z30HMYdtew1IobUWMDvbUzCJT5KH/shmUScVhnNFLcWtfayRFwy0yT1nBq1 Bap8KGy4vCg7seV/7ZP58vMyaQsV6040UtXls5To1SQLG+AXYwtfFVSFBTRkVdeD33l+ 4M4Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=5OuU5m7TxwbK/rp6+K5E68Y6ra0FqJ05hWgHbe7cVJc=; fh=2jBVQO0abGnnZazKwa7yeszNFIPTLZxGXLPs58RWBtY=; b=BfDeuBwPUZNUOR6W7AgKfoHR0/NQF+KCes+oe6MZZGV1sIuA2kCjnvHEu5ZtEDFQuj 3yw2rRk3vhE1lHqgzhfJnW/XZh0ZZjppqb6xGIYSZi3llcQsfoJNB+bPFt+x1+TqDI8D wjHT14HsqzLKfzgvHJVePb6wsirIXy1pS5vUObYMgzpmQ94sLPcyRT1t4AYUeuGOHDfE Kpu4uFZfZOg9W2TAbVkUs+DmDYTlDUu7KK/DIFVMr+GGd0a3cHBpgoLk1ArV2rSwxwd+ 5Z6oOTJfFbdeZcZQaUq1ZRIcWPzdH/N750A9MY2wTSp89KvQwZviqEyeYHqfOAnDzbVj 3vwA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b="O/GS/WZ5"; arc=pass (i=1 spf=pass spfdomain=quicinc.com dkim=pass dkdomain=quicinc.com dmarc=pass fromdomain=quicinc.com); spf=pass (google.com: domain of linux-kernel+bounces-76278-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-76278-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id v2-20020a1709064e8200b00a3efa292cf3si2292774eju.542.2024.02.22.01.55.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Feb 2024 01:55:52 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-76278-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b="O/GS/WZ5"; arc=pass (i=1 spf=pass spfdomain=quicinc.com dkim=pass dkdomain=quicinc.com dmarc=pass fromdomain=quicinc.com); spf=pass (google.com: domain of linux-kernel+bounces-76278-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-76278-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 436541F261F8 for ; Thu, 22 Feb 2024 09:55:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6DE8639864; Thu, 22 Feb 2024 09:55:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="O/GS/WZ5" Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DAAF1182DA; Thu, 22 Feb 2024 09:55:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708595746; cv=none; b=qy8joQESn8nQw4kYxLJq/mUJzVgQ4E0OE3q+P5w+3VkkobtbhxUTdcUWnrGuB/bB7SGcEVySubqVc5IPs7TgTVy/JCTChS4QErmRMd1wqGXjgq4WmKOQSembjPU9i9PVYugnD3Y+45hqm0wYsJxEqs0U6uao7Cr18xIG1fOkN1g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708595746; c=relaxed/simple; bh=2HDnhOVRJHbojLSnYAS7XkzG2gdqjQq7B1JmqC5MQZs=; h=Message-ID:Date:MIME-Version:Subject:To:CC:References:From: In-Reply-To:Content-Type; b=qwurXiUwlCISue9jCsYmbRgmIPB7ErOrBQiFYgtiLmM2qNum7LTRqrTzHvZ9Zv8GIzmdxRy7GNt3oTb4IyNWkcZN/GHhhDVA9iFRtRdHPipXo21iXpFkD+1OMznvuAwIH76cEVVdZfoGobkUTjsPGcNRGxajAPN+MR/MsiGioAk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=O/GS/WZ5; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Received: from pps.filterd (m0279871.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 41M56fhw010101; Thu, 22 Feb 2024 09:55:20 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= message-id:date:mime-version:subject:to:cc:references:from :in-reply-to:content-type:content-transfer-encoding; s= qcppdkim1; bh=5OuU5m7TxwbK/rp6+K5E68Y6ra0FqJ05hWgHbe7cVJc=; b=O/ GS/WZ5rs00m9jUJroN0OHjbBEIWTS5tyBjkIS7TsWomoy8qy9BYNfgqU2k/LMdfO d9RyobazqPT0HxO6AiOSt1OO0FrpaPUYBL3myR6I6BIlstC5mImQ3P1Z7KRbBW7o iOvMNdtcDWnt0+ddxihfFTNv4H1Pr+S7KFvHyLpnaHnPIe+xS00gN8zpUuk2ABwi 46ni31THTP6jwms0K4i4SE4t5mq8xXP2er80zgUKRymNUMeHUe3qpKn/p+FJ7z0m bySlxh68sowiC9xl2510tmrOfoSfD0TUrXIF4TE8Jct2nyJoeCt1PYNcLA0nTHZi sjffwU9UyVsrT95BzGTA== Received: from nalasppmta03.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3wdw13963a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 22 Feb 2024 09:55:20 +0000 (GMT) Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA03.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 41M9tIUx025649 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 22 Feb 2024 09:55:18 GMT Received: from [10.214.82.119] (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Thu, 22 Feb 2024 01:55:14 -0800 Message-ID: <8af59b01-53cf-4fc4-9946-6c630fb7b38e@quicinc.com> Date: Thu, 22 Feb 2024 15:25:11 +0530 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3 0/7] Introduction of a remoteproc tee to load signed firmware Content-Language: en-US To: Arnaud POULIQUEN , Bjorn Andersson , Mathieu Poirier , Jens Wiklander , Rob Herring , Krzysztof Kozlowski , Conor Dooley CC: , , , , , References: <20240214172127.1022199-1-arnaud.pouliquen@foss.st.com> From: Naman Jain In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: Yac_XNlh0Nv6ycv1GnJ3h6WLqaY_ujej X-Proofpoint-GUID: Yac_XNlh0Nv6ycv1GnJ3h6WLqaY_ujej X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-02-22_06,2024-02-22_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 malwarescore=0 impostorscore=0 bulkscore=0 adultscore=0 mlxscore=0 clxscore=1015 lowpriorityscore=0 spamscore=0 priorityscore=1501 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2402120000 definitions=main-2402220078 On 2/22/2024 2:17 PM, Arnaud POULIQUEN wrote: > Hello Naman, > > On 2/22/24 06:43, Naman Jain wrote: >> On 2/14/2024 10:51 PM, Arnaud Pouliquen wrote: >>> Updates from the previous version [1]: >>> >>> This version proposes another approach based on an alternate load and boot >>> of the coprocessor. Therefore, the constraint introduced by tee_remoteproc >>> is that the firmware has to be authenticated and loaded before the resource >>> table can be obtained. >>> >>> The existing boot sequence is: > >>>    1) Get the resource table and store it in a cache, >>>       calling rproc->ops->parse_fw(). >>>    2) Parse the resource table and handle resources, >>>       calling rproc_handle_resources. >>>    3) Load the firmware, calling rproc->ops->load(). >>>    4) Start the firmware, calling rproc->ops->start(). >>>   => Steps 1 and 2 are executed in rproc_fw_boot(), while steps 3 and 4 are >>>     executed in rproc_start(). >>> => the use of rproc->ops->load() ops is mandatory >>> >>> The boot sequence needed for TEE boot is: >>> >>>    1) Load the firmware. >>>    2) Get the loaded resource, no cache. >>>    3) Parse the resource table and handle resources. >>>    4) Start the firmware. >> >> Hi, >> What problem are we really addressing here by reordering load, parse of >> FW resources? > > The feature introduced in TEE is the signature of the firmware images. That > means that before getting the resource table, we need to first authenticate the > firmware images. > Authenticating a firmware image means that we have to copy the firmware into > protected memory that cannot be corrupted by the non-secure and then verify the > signature. > The strategy implemented in OP-TEE is to load the firmware into destination > memory and then authenticate it. > This strategy avoids having a temporary copy of the whole images in a secure memory. > This strategy imposes loading the firmware images before retrieving the resource > table. > >> Basically, what are the limitations of the current design you are referring to? >> I understood that TEE is designed that way. > > The limitation of the current design is that we obtain the resource table before > loading the firmware. Following the current design would impose constraints in > TEE that are not straightforward. Step 1 (getting the resource table and storing > it in a cache) would require having a copy of the resource table in TEE after > authenticating the images. However, authenticating the firmware, as explained > before, depends on the strategy implemented. In TEE implementation, we load the > firmware to authenticate it in the destination memory. > > Regards, > Arnaud Hello Arnaud, I think now I got your point. In TEE, you don't want to do anything(read resource table) with FW images, until its loaded and authenticated. Since current design was not allowing you to do it, you had to reorganize the code so that this can be achieved. Generally speaking, in current design, if authentication fails for some reason later, one can handle it, but it depends on the implementation of parse_fw op if the damage is already done. Please correct me if this is wrong assumption. Patch looks good to me. Regards, Naman Jain