lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <660cec45-d0d1-433f-b58e-a22a07a289fb@siemens.com>
Date:   Mon, 14 Aug 2023 19:23:26 +0200
From:   Jan Kiszka <jan.kiszka@...mens.com>
To:     Ilias Apalodimas <ilias.apalodimas@...aro.org>,
        Masahisa Kojima <masahisa.kojima@...aro.org>
Cc:     Ard Biesheuvel <ardb@...nel.org>,
        Jens Wiklander <jens.wiklander@...aro.org>,
        Sumit Garg <sumit.garg@...aro.org>,
        linux-kernel@...r.kernel.org, op-tee@...ts.trustedfirmware.org,
        Johan Hovold <johan+linaro@...nel.org>,
        Randy Dunlap <rdunlap@...radead.org>,
        Heinrich Schuchardt <heinrich.schuchardt@...onical.com>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>
Subject: Re: [PATCH v8 0/5] introduce tee-based EFI Runtime Variable Service

On 14.08.23 11:24, Ilias Apalodimas wrote:
> Hi Jan,
> 
> On Mon, 7 Aug 2023 at 05:53, Masahisa Kojima <masahisa.kojima@...aro.org> wrote:
>>
>> This series introduces the tee based EFI Runtime Variable Service.
>>
>> The eMMC device is typically owned by the non-secure world(linux in
>> this case). There is an existing solution utilizing eMMC RPMB partition
>> for EFI Variables, it is implemented by interacting with
>> OP-TEE, StandaloneMM(as EFI Variable Service Pseudo TA), eMMC driver
>> and tee-supplicant. The last piece is the tee-based variable access
>> driver to interact with OP-TEE and StandaloneMM.
>>
>> Changelog:
>> v7 -> v8
>> Only patch #3 "efi: Add tee-based EFI variable driver" is updated.
>> - fix typos
>> - refactor error handling, direct return if applicable
>> - use devm_add_action_or_reset() for closing of tee context/session
>> - remove obvious comment
> 
> Any chance you can run this and see if it solves your issues?
> 

I also need [1], and I still need a cleanup script before terminating
the tee-supplicant, right? And if need some service in the initrd
already, I still need to start the supplicant there and transfer its
ownership to systemd later on? These patches here only make life easier
if the supplicant is started by systemd, after efivarfs has been
mounted, correct?

Jan

[1] https://lkml.org/lkml/2023/7/28/853

-- 
Siemens AG, Technology
Linux Expert Center

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ