lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1459147d-8944-b01b-6f45-65a7fb7018c4@gmail.com>
Date:   Mon, 30 Jan 2023 22:46:35 +0100
From:   Maximilian Luz <luzmaximilian@...il.com>
To:     Rob Herring <robh@...nel.org>
Cc:     Bjorn Andersson <andersson@...nel.org>,
        Andy Gross <agross@...nel.org>,
        Konrad Dybcio <konrad.dybcio@...aro.org>,
        Ard Biesheuvel <ardb@...nel.org>,
        Krzysztof Kozlowski <krzysztof.kozlowski+dt@...aro.org>,
        Johan Hovold <johan@...nel.org>,
        Sudeep Holla <sudeep.holla@....com>,
        Ilias Apalodimas <ilias.apalodimas@...aro.org>,
        Srinivas Kandagatla <srinivas.kandagatla@...aro.org>,
        Sumit Garg <sumit.garg@...aro.org>,
        Steev Klimaszewski <steev@...i.org>,
        linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
        devicetree@...r.kernel.org
Subject: Re: [PATCH v2 3/4] dt-bindings: firmware: Add Qualcomm QSEECOM
 interface

On 1/30/23 22:05, Rob Herring wrote:
> On Fri, Jan 27, 2023 at 07:46:49PM +0100, Maximilian Luz wrote:
>> Add bindings for the Qualcomm Secure Execution Environment interface
>> (QSEECOM).
>>
>> Signed-off-by: Maximilian Luz <luzmaximilian@...il.com>
>> ---
>>
>> Changes in v2:
>>   - Replaces uefisecapp bindings.
>>   - Fix various dt-checker complaints.
>>
>> ---
>>   .../bindings/firmware/qcom,qseecom.yaml       | 49 +++++++++++++++++++
>>   MAINTAINERS                                   |  1 +
>>   2 files changed, 50 insertions(+)
>>   create mode 100644 Documentation/devicetree/bindings/firmware/qcom,qseecom.yaml
>>
>> diff --git a/Documentation/devicetree/bindings/firmware/qcom,qseecom.yaml b/Documentation/devicetree/bindings/firmware/qcom,qseecom.yaml
>> new file mode 100644
>> index 000000000000..540a604f81bc
>> --- /dev/null
>> +++ b/Documentation/devicetree/bindings/firmware/qcom,qseecom.yaml
>> @@ -0,0 +1,49 @@
>> +# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
>> +%YAML 1.2
>> +---
>> +$id: http://devicetree.org/schemas/firmware/qcom,qseecom.yaml#
>> +$schema: http://devicetree.org/meta-schemas/core.yaml#
>> +
>> +title: Qualcomm Secure Execution Environment Communication Interface
>> +
>> +maintainers:
>> +  - Maximilian Luz <luzmaximilian@...il.com>
>> +
>> +description: |
>> +  QSEECOM provides an interface to Qualcomm's Secure Execution Environment
>> +  (SEE) running in the Trust Zone via SCM calls. In particular, it allows
> 
> SCM is SMCCC or something else?

It's whatever qcom-scm.c uses. I'm not too familiar with the specifics,
so maybe someone else can answer this better.

>> +  communication with secure applications running therein.
>> +
>> +  Applications running in this environment can, for example, include
>> +  'uefisecapp', which is required for accessing UEFI variables on certain
>> +  systems as these cannot be accessed directly.
>> +
>> +properties:
>> +  compatible:
>> +    items:
>> +      - enum:
>> +          - qcom,qseecom-sc8280xp
>> +      - const: qcom,qseecom
>> +
>> +  qcom,scm:
>> +    $ref: '/schemas/types.yaml#/definitions/phandle'
>> +    description:
>> +      A phandle pointing to the QCOM SCM device (see ./qcom,scm.yaml).
>> +
>> +required:
>> +  - compatible
>> +  - qcom,scm
>> +
>> +additionalProperties: false
>> +
>> +examples:
>> +  - |
>> +    firmware {
>> +        scm {
>> +            compatible = "qcom,scm-sc8280xp", "qcom,scm";
>> +        };
>> +        qseecom {
>> +            compatible = "qcom,qseecom-sc8280xp", "qcom,qseecom";
>> +            qcom,scm = <&scm>;
> 
> Why do you need this in DT? If you already know you have a firmware
> interface (via "qcom,scm"), then query the firmware to see if the SEE is
> there.

Unfortunately I don't know of any way to query this, but please let me
know if you do.

As I've briefly mentioned in the cover letter: There are two interfaces
to manage secure apps. QSEECOM (on older and current-gen laptop devices)
and scminvoke (on newer and some current-gen mobile devices if I
understood right). ACPI also uses a separate device for this
(QCOM0476), so it seemed like the best option to follow that.

Ideally, scminvoke would be preferred since that can be integrated as
TEE driver, but I've been told that on platforms where apps (like
uefisecapp) are loaded via QSEECOM by firmware, we can only use QSEECOM
to communicate with those.

Regards,
Max

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ