[edk2-devel] [PATCH v3 0/6] Arm 32bit support in PlatformStandaloneMmRpmb

Etienne Carriere posted 6 patches 2 years, 8 months ago
Posted by Etienne Carriere 2 years, 8 months ago
This series brings support for building PlatformStandaloneMmRpmb for
32bit Arm architectures. This series is based on series tracked through
[1] in edk2 that allows building the StandaloneMm package for 32bit Arm.
This series starts by syncing with path changes from the [1] series,
then come changes for Arm 32bit support in OpTee drivers, and last it
updates PlatformStandaloneMmRpmb.dsc for the 32bit ARM architecture.
This series is tracked through ticket [2].

One can test the generated StMM image with OP-TEE release for
stm32mp157c-ev1 board which integrates an eMMC device with a
RPMB partition. See below for the fetch/build directives.
Note that enabling EFI secure boot on stm32mp1 needs more than the
build instruction below. At least these show how U-Boot and OP-TEE
can leverage StMM with an RPMB device.

Step 1: fetch edk2, edk2-platforms, apply patches and Build StMM.
I build edk2 with the following commands (one shall replace ${path_to_xxx}
with the appropriate paths).

  # export WORKSPACE=${path_to_edk2_build_dir}
  # export PYTHON3_ENABLE=TRUE
  # export PACKAGES_PATH=${path_to_edk2}:${path_to_edk2_platforms}
  # source ${path_to_edk2}/edksetup.sh
  # make -j$(nproc) -C ${path_to_edk2}/BaseTools
  # GCC5_ARM_PREFIX=${path_to_arm_toolchain}/bin/arm-linux-gnueabihf- \
      build -n $(nproc) -a ARM -t GCC5 -b RELEASE -D DO_X86EMU=TRUE \
       -p Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc \
       all

Step 2: clone and build OP-TEE release for stm32mp1 (see also [3]):

  # mkdir /tmp/optee-stm32mp1-stmm
  # cd /tmp/optee-stm32mp1-stmm
  # repo init -u https://github.com/OP-TEE/manifest.git -t 3.14.0 -m stm32mp1.xml
  # repo sync
  # cd build
  # make toolchains
  # make all 

Step 3: sync with U-Boot master branch, at least commit [4] which merges
a fix in MMC/RPMB driver OP-TEE [5]. Platform defconfig must be changed
to enable StMM and RPMB support.
The command below builds u-boot using OP-TEE build env (from build/ dir)

  # git -C ../u-boot checkout 99bb5f248ade371ee4713e0ef51401708ecbb13c
  # echo CONFIG_EFI_MM_COMM_TEE=y >> ../u-boot/configs/stm32mp15_trusted_defconfig
  # echo CONFIG_SUPPORT_EMMC_RPMB=y >> ../u-boot/configs/stm32mp15_trusted_defconfig
  # make u-boot

Step 4: rebuild optee_os (and SDcard image) with StMM image embedded in
OP-TEE core and RPMB support for stm32mp15c-ev1 (the board has an eMMC
device with an RPMB partition).
The command below builds u-boot using OP-TEE build env.
  
  # make optee-os all \
     CFG_STMM_PATH=${path_to_edk2_build_dir}/Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd \
     PLATFORM=stm32mp1-157C_ED1 \
     CFG_RPMB_FS=y CFG_CORE_HUK_SUBKEY_COMPAT=n CFG_RPMB_FS_DEV_ID=1

Once done, program SDcard (/dev/sdX relates to SDcard slot device file)
  # dd conv=fdatasync if=../out/bin/sdcard of=/dev/sdX # where /dev/sdX is

The target (stm32mp157c-ev1 board) can boot with the programmed
SDcard. One can interrupt the U-Boot console, possibly program
RPMB key (see note below) and read the EFI variable (read from the
RPMB through StMM executing in OP-TEE).

  $ printenv -e              # read EFI variables
  $ setenv -e <some args>    # write an EFI variable

Note about the RPMB key:
  With the build instructions above, OP-TEE assumes the RPMB device key
  is generated from a known derivation of an all-zero root key. If the
  RPMB device key was not yet programmed, one can program it from the
  U-Boot console with command 'mmc rpmb key <key-data-address>'. The
  commands below can be used to program the platform default RPMB
  development key that is (hexadecimal notation, first byte first):
    15 46 75 8c 61 8e d8 b8 a2 27 89 02 df 54 ef 63
    11 de e2 96 49 99 5b d7 d9 12 f1 53 6d 8a 67 c7

  $ mw.l 0xc0000000 0x8c754615
  $ mw.l 0xc0000004 0xb8d88e61
  $ mw.l 0xc0000008 0x028927a2
  $ mw.l 0xc000000c 0x63ef54df
  $ mw.l 0xc0000010 0x96e2de11
  $ mw.l 0xc0000014 0xd75b9949
  $ mw.l 0xc0000018 0x53f112d9
  $ mw.l 0xc000001c 0xc7678a6d
  $ mmc rpmb key 0xc0000000

[1] https://bugzilla.tianocore.org/show_bug.cgi?id=3381
[2] https://bugzilla.tianocore.org/show_bug.cgi?id=3383
[3] https://optee.readthedocs.io/en/latest/building/devices/stm32mp1.html#build-instructions
[4] https://source.denx.de/u-boot/u-boot/-/commit/99bb5f248ade371ee4713e0ef51401708ecbb13c
[5] https://source.denx.de/u-boot/u-boot/-/commit/a9f7be509af90fa5f2c308867ad3b0bd48532c6e

Etienne Carriere (6):
  Platform/ARM/SgiPkg: sync with edk2 StandaloneMmCpu path change
  Platform/Socionext/DeveloperBox: sync with edk2 StandaloneMmCpu path
    change
  Platform/StandaloneMm: sync with edk2 StandaloneMmCpu path change
  Drivers/OpTee: Add Aarch32 SVC IDs for 32bit Arm targets
  Drivers/OpTee: address cast build warning issue in 32b mode
  Platform/StandaloneMm: build StandaloneMmRpmb for 32bit architectures

 Drivers/OpTee/OpteeRpmbPkg/OpTeeRpmbFvb.c     | 23 ++++++++++++-------
 Drivers/OpTee/OpteeRpmbPkg/OpTeeRpmbFvb.h     | 16 +++++++++++--
 Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |  2 +-
 Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc     |  2 +-
 .../Socionext/DeveloperBox/DeveloperBoxMm.dsc |  2 +-
 .../Socionext/DeveloperBox/DeveloperBoxMm.fdf |  2 +-
 .../PlatformStandaloneMmRpmb.dsc              | 14 +++++++++--
 .../PlatformStandaloneMmRpmb.fdf              |  3 ++-
 8 files changed, 47 insertions(+), 17 deletions(-)

-- 
2.17.1
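
The byte-to-word mapping behind the `mw.l` commands in the RPMB key note above, as an added example that is not part of the original message or of edk2, OP-TEE or U-Boot. It regenerates the eight writes from the listed key bytes and rebuilds the key from a pasted command list, assuming a little-endian CPU (as the posted words imply); the function names are illustrative.

```python
import re
import struct

# Key bytes and mw.l lines copied from the cover letter's RPMB key note.
KEY_HEX = ("15 46 75 8c 61 8e d8 b8 a2 27 89 02 df 54 ef 63 "
           "11 de e2 96 49 99 5b d7 d9 12 f1 53 6d 8a 67 c7")
POSTED_COMMANDS = """\
$ mw.l 0xc0000000 0x8c754615
$ mw.l 0xc0000004 0xb8d88e61
$ mw.l 0xc0000008 0x028927a2
$ mw.l 0xc000000c 0x63ef54df
$ mw.l 0xc0000010 0x96e2de11
$ mw.l 0xc0000014 0xd75b9949
$ mw.l 0xc0000018 0x53f112d9
$ mw.l 0xc000001c 0xc7678a6d
"""
MW_RE = re.compile(r"\s*(?:\$\s*)?mw\.l\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*")


def key_to_mw_commands(key, base):
    """Render a 32-byte key as eight mw.l writes (assumes a little-endian CPU)."""
    if len(key) != 32:
        raise ValueError("RPMB key must be 32 bytes, got %d" % len(key))
    words = struct.unpack("<8I", key)
    return ["mw.l 0x%08x 0x%08x" % (base + 4 * i, w) for i, w in enumerate(words)]


def commands_to_key(text, base):
    """Rebuild the 32 bytes that a list of mw.l writes leaves in memory at base."""
    mem = {}
    for line in text.splitlines():
        m = MW_RE.fullmatch(line)
        if not m:
            continue  # ignore anything that is not an mw.l write
        addr, value = int(m.group(1), 16), int(m.group(2), 16)
        if addr % 4 or value > 0xFFFFFFFF:
            raise ValueError("bad mw.l operand in: " + line.strip())
        for off, byte in enumerate(struct.pack("<I", value)):
            mem[addr + off] = byte
    missing = [a for a in range(base, base + 32) if a not in mem]
    if missing:
        raise ValueError("no write covers 0x%08x" % missing[0])
    return bytes(mem[base + i] for i in range(32))


if __name__ == "__main__":
    key = bytes.fromhex(KEY_HEX)
    assert commands_to_key(POSTED_COMMANDS, 0xC0000000) == key
    print("\n".join(key_to_mw_commands(key, 0xC0000000)))
```

The RPMB authentication key can be programmed only once per eMMC device, so a check like this is worth running before issuing `mmc rpmb key`.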





Re: [edk2-devel] [PATCH v3 0/6] Arm 32bit support in PlatformStandaloneMmRpmb
Posted by Ard Biesheuvel 2 years, 8 months ago
On Tue, 10 Aug 2021 at 18:40, Etienne Carriere
<etienne.carriere@linaro.org> wrote:
>
> This series brings support for building PlatformStandaloneMmRpmb for
> 32bit Arm architectures. This series is based on series tracked through
> [1] in edk2 that allows building the StandaloneMm package for 32bit Arm.
> This series starts by syncing with path changes from the [1] series,
> then come changes for Arm 32bit support in OpTee drivers, and last it
> updates PlatformStandaloneMmRpmb.dsc for the 32bit ARM architecture.
> This series is tracked through ticket [2].
>
> One can test the generated StMM image with OP-TEE release for
> stm32mp157c-ev1 board which integrates an eMMC device with a
> RPMB partition. See below for the fetch/build directives.
> Note that enabling EFI secure boot on stm32mp1 needs more than the
> build instruction below. At least these show how U-Boot and OP-TEE
> can leverage StMM with an RPMB device.
>
> Step 1: fetch edk2, edk2-platforms, apply patches and Build StMM.
> I build edk2 with the following commands (one shall replace ${path_to_xxx}
> with the appropriate paths).
>
>   # export WORKSPACE=${path_to_edk2_build_dir}
>   # export PYTHON3_ENABLE=TRUE
>   # export PACKAGES_PATH=${path_to_edk2}:${path_to_edk2_platforms}
>   # source ${path_to_edk2}/edksetup.sh
>   # make -j$(nproc) -C ${path_to_edk2}/BaseTools
>   # GCC5_ARM_PREFIX=${path_to_arm_toolchain}/bin/arm-linux-gnueabihf- \
>       build -n $(nproc) -a ARM -t GCC5 -b RELEASE -D DO_X86EMU=TRUE \
>        -p Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc \
>        all
>
> Step 2: clone and build OP-TEE release for stm32mp1 (see also [3]):
>
>   # mkdir /tmp/optee-stm32mp1-stmm
>   # cd /tmp/optee-stm32mp1-stmm
>   # repo init -u https://github.com/OP-TEE/manifest.git -t 3.14.0 -m stm32mp1.xml
>   # repo sync
>   # cd build
>   # make toolchains
>   # make all
>
> Step 3: sync with U-Boot master branch, at least commit [4] which merges
> a fix in MMC/RPMB driver OP-TEE [5]. Platform defconfig must be changed
> to enable StMM and RPMB support.
> The command below builds u-boot using OP-TEE build env (from build/ dir)
>
>   # git -C ../u-boot checkout 99bb5f248ade371ee4713e0ef51401708ecbb13c
>   # echo CONFIG_EFI_MM_COMM_TEE=y >> ../u-boot/configs/stm32mp15_trusted_defconfig
>   # echo CONFIG_SUPPORT_EMMC_RPMB=y >> ../u-boot/configs/stm32mp15_trusted_defconfig
>   # make u-boot
>
> Step 4: rebuild optee_os (and SDcard image) with StMM image embedded in
> OP-TEE core and RPMB support for stm32mp15c-ev1 (the board has an eMMC
> device with an RPMB partition).
> The command below builds u-boot using OP-TEE build env.
>
>   # make optee-os all \
>      CFG_STMM_PATH=${path_to_edk2_build_dir}/Build/MmStandaloneRpmb/RELEASE_GCC5/FV/BL32_AP_MM.fd \
>      PLATFORM=stm32mp1-157C_ED1 \
>      CFG_RPMB_FS=y CFG_CORE_HUK_SUBKEY_COMPAT=n CFG_RPMB_FS_DEV_ID=1
>
> Once done, program SDcard (/dev/sdX relates to SDcard slot device file)
>   # dd conv=fdatasync if=../out/bin/sdcard of=/dev/sdX # where /dev/sdX is
>
> The target (stm32mp157c-ev1 board) can boot with the programmed
> SDcard. One can interrupt the U-Boot console, possibly program
> RPMB key (see note below) and read the EFI variable (read from the
> RPMB through StMM executing in OP-TEE).
>
>   $ printenv -e              # read EFI variables
>   $ setenv -e <some args>    # write an EFI variable
>
> Note about the RPMB key:
>   With the build instructions above, OP-TEE assumes the RPMB device key
>   is generated from a known derivation of an all-zero root key. If the
>   RPMB device key was not yet programmed, one can program it from the
>   U-Boot console with command 'mmc rpmb key <key-data-address>'. The
>   commands below can be used to program the platform default RPMB
>   development key that is (hexadecimal notation, first byte first):
>     15 46 75 8c 61 8e d8 b8 a2 27 89 02 df 54 ef 63
>     11 de e2 96 49 99 5b d7 d9 12 f1 53 6d 8a 67 c7
>
>   $ mw.l 0xc0000000 0x8c754615
>   $ mw.l 0xc0000004 0xb8d88e61
>   $ mw.l 0xc0000008 0x028927a2
>   $ mw.l 0xc000000c 0x63ef54df
>   $ mw.l 0xc0000010 0x96e2de11
>   $ mw.l 0xc0000014 0xd75b9949
>   $ mw.l 0xc0000018 0x53f112d9
>   $ mw.l 0xc000001c 0xc7678a6d
>   $ mmc rpmb key 0xc0000000
>
> [1] https://bugzilla.tianocore.org/show_bug.cgi?id=3381
> [2] https://bugzilla.tianocore.org/show_bug.cgi?id=3383
> [3] https://optee.readthedocs.io/en/latest/building/devices/stm32mp1.html#build-instructions
> [4] https://source.denx.de/u-boot/u-boot/-/commit/99bb5f248ade371ee4713e0ef51401708ecbb13c
> [5] https://source.denx.de/u-boot/u-boot/-/commit/a9f7be509af90fa5f2c308867ad3b0bd48532c6e
>
> Etienne Carriere (6):
>   Platform/ARM/SgiPkg: sync with edk2 StandaloneMmCpu path change
>   Platform/Socionext/DeveloperBox: sync with edk2 StandaloneMmCpu path
>     change
>   Platform/StandaloneMm: sync with edk2 StandaloneMmCpu path change
>   Drivers/OpTee: Add Aarch32 SVC IDs for 32bit Arm targets
>   Drivers/OpTee: address cast build warning issue in 32b mode
>   Platform/StandaloneMm: build StandaloneMmRpmb for 32bit architectures
>

Pushed as 7b723de06c8e..70b67dc9ab89

Thanks,

>  Drivers/OpTee/OpteeRpmbPkg/OpTeeRpmbFvb.c     | 23 ++++++++++++-------
>  Drivers/OpTee/OpteeRpmbPkg/OpTeeRpmbFvb.h     | 16 +++++++++++--
>  Platform/ARM/SgiPkg/PlatformStandaloneMm.fdf  |  2 +-
>  Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc     |  2 +-
>  .../Socionext/DeveloperBox/DeveloperBoxMm.dsc |  2 +-
>  .../Socionext/DeveloperBox/DeveloperBoxMm.fdf |  2 +-
>  .../PlatformStandaloneMmRpmb.dsc              | 14 +++++++++--
>  .../PlatformStandaloneMmRpmb.fdf              |  3 ++-
>  8 files changed, 47 insertions(+), 17 deletions(-)
>
> --
> 2.17.1
>

