lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 3 Apr 2016 19:27:23 +0000
From:	"Winkler, Tomas" <tomas.winkler@...el.com>
To:	Andy Lutomirski <luto@...nel.org>,
	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	Ulf Hansson <ulf.hansson@...aro.org>,
	"Hunter, Adrian" <adrian.hunter@...el.com>,
	James Bottomley <James.Bottomley@...senPartnership.com>,
	"Martin K. Petersen" <martin.petersen@...cle.com>,
	Vinayak Holikatti <vinholikatti@...il.com>
CC:	Christoph Hellwig <hch@....de>,
	Yaniv Gardi <ygardi@...eaurora.org>,
	"Joao Pinto" <Joao.Pinto@...opsys.com>,
	"linux-mmc@...r.kernel.org" <linux-mmc@...r.kernel.org>,
	"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 0/8] Replay Protected Memory Block (RPMB) subsystem



On 04/03/2016 02:42 AM, Tomas Winkler wrote:
> Few storage technology such is EMMC, UFS, and NVMe support RPMB 
> hardware partition with common protocol and frame layout.
> The RPMB partition cannot be accessed via standard block layer, but by 
> a set of specific commands: WRITE, READ, GET_WRITE_COUNTER, and 
> PROGRAM_KEY.
> Such a partition provides authenticated and replay protected access, 
> hence suitable as a secure storage.
>
> A storage device registers its RPMB hardware (emmc) partition or RPMB 
> W-LUN (ufs) with the RPMB layer providing an implementation for
> send_rpmb_req() handler.
> Tere is as well simulation platform device. This is handy as an RPMB 
> key can be programmed only once at storage device lifetime.
>
> The RPMB layer aims to provide in-kernel API for Trusted Execution 
> Environment (TEE) devices that are capable to securely compute block 
> frame signature. A TEE driver can claim rpmb interface, for example, 
> via  class_interface_register ().

What's the workflow?  Does the TEE ask the kernel to do RPMB operations for it and supply the kernel with the authenticated request blobs to forward to the RPMB?

Exactly, though it's not exactly a blob, just the data part,  but it has to have the whole frame in orther to copute the signature correctly.   Neither emmc nor ufs  have dual head so a TEE device cannot access the RPMB partition directly and the access has to done via kernel storage device.

Thanks
Tomas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ