lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFA6WYMekJC8dOUU-d7DJDK6fiUh27sWw8xbVMvFGmBe8VYxLA@mail.gmail.com>
Date:   Thu, 17 Aug 2023 14:52:46 +0530
From:   Sumit Garg <sumit.garg@...aro.org>
To:     Jan Kiszka <jan.kiszka@...mens.com>
Cc:     Ilias Apalodimas <ilias.apalodimas@...aro.org>,
        Masahisa Kojima <masahisa.kojima@...aro.org>,
        Ard Biesheuvel <ardb@...nel.org>,
        Heinrich Schuchardt <heinrich.schuchardt@...onical.com>,
        Jens Wiklander <jens.wiklander@...aro.org>,
        Johan Hovold <johan+linaro@...nel.org>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>,
        Randy Dunlap <rdunlap@...radead.org>,
        linux-kernel@...r.kernel.org, op-tee@...ts.trustedfirmware.org
Subject: Re: [PATCH v8 0/5] introduce tee-based EFI Runtime Variable Service

On Wed, 16 Aug 2023 at 19:37, Jan Kiszka <jan.kiszka@...mens.com> wrote:
>
> On 16.08.23 13:58, Ilias Apalodimas wrote:
> > On Tue, 15 Aug 2023 at 05:41, Masahisa Kojima
> > <masahisa.kojima@...aro.org> wrote:
> >>
> >> Hi Jan,
> >>
> >> 2023年8月15日(火) 2:23 Jan Kiszka <jan.kiszka@...mens.com>:
> >>>
> >>> On 14.08.23 11:24, Ilias Apalodimas wrote:
> >>>> Hi Jan,
> >>>>
> >>>> On Mon, 7 Aug 2023 at 05:53, Masahisa Kojima <masahisa.kojima@...aro.org> wrote:
> >>>>>
> >>>>> This series introduces the tee based EFI Runtime Variable Service.
> >>>>>
> >>>>> The eMMC device is typically owned by the non-secure world(linux in
> >>>>> this case). There is an existing solution utilizing eMMC RPMB partition
> >>>>> for EFI Variables, it is implemented by interacting with
> >>>>> OP-TEE, StandaloneMM(as EFI Variable Service Pseudo TA), eMMC driver
> >>>>> and tee-supplicant. The last piece is the tee-based variable access
> >>>>> driver to interact with OP-TEE and StandaloneMM.
> >>>>>
> >>>>> Changelog:
> >>>>> v7 -> v8
> >>>>> Only patch #3 "efi: Add tee-based EFI variable driver" is updated.
> >>>>> - fix typos
> >>>>> - refactor error handling, direct return if applicable
> >>>>> - use devm_add_action_or_reset() for closing of tee context/session
> >>>>> - remove obvious comment
> >>>>
> >>>> Any chance you can run this and see if it solves your issues?
> >>>>
> >>>
> >>> I also need [1], and I still need a cleanup script before terminating
> >>> the tee-supplicant, right?
> >>
> >>
> >> Yes, we need patch[1] and a cleanup script.
> >> Sorry, I should note in the cover letter.
> >>
> >>> And if need some service in the initrd
> >>> already, I still need to start the supplicant there and transfer its
> >>> ownership to systemd later on?
> >>
> >> Yes.
> >>
> >>> These patches here only make life easier
> >>> if the supplicant is started by systemd, after efivarfs has been
> >>> mounted, correct?
> >
> > Not systemd specifically.  Any tool that can signal
> > <dev>/driver/unbind would work.  Sumit is just reusing the default
> > unbind notification mechanism
> >
>
> I was referring to the boot ordering topic, not the shutdown issue.
>
> The latter has now a nicer way to trigger the device shutdown prior to
> killing tee-supplicant, but you still need to do that explicitly, no?
>

Yeah it has to be done explicitly in user-space. As you have already
seen, my first try (v1 patch) to do it in kernel space failed. The
reason being that when those devices are being removed, the
tee-supplicant has to be alive to handle RPC calls. The kernel only
gets notified once "/dev/teepriv0" fd is closed and by that time
tee-supplicant is already dead.

-Sumit

> Jan
>
> --
> Siemens AG, Technology
> Linux Expert Center
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ