RE: [PATCH v7 1/2] fTPM: firmware TPM running in TEE
From: Thirupathaiah Annapureddy
Date: Thu Jul 04 2019 - 02:28:27 EST
Hi Ilias,
> -----Original Message-----
> From: Ilias Apalodimas <ilias.apalodimas@xxxxxxxxxx>
> Sent: Wednesday, July 3, 2019 1:12 AM
> To: Thirupathaiah Annapureddy <thiruan@xxxxxxxxxxxxx>
> Cc: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>; Sasha Levin
> <sashal@xxxxxxxxxx>; peterhuewe@xxxxxx; jgg@xxxxxxxx; corbet@xxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; linux-doc@xxxxxxxxxxxxxxx; linux-
> integrity@xxxxxxxxxxxxxxx; Microsoft Linux Kernel List <linux-
> kernel@xxxxxxxxxxxxx>; Bryan Kelly (CSI) <bryankel@xxxxxxxxxxxxx>; tee-
> dev@xxxxxxxxxxxxxxxx; sumit.garg@xxxxxxxxxx; rdunlap@xxxxxxxxxxxxx; Joakim Bech
> <joakim.bech@xxxxxxxxxx>
> Subject: Re: [PATCH v7 1/2] fTPM: firmware TPM running in TEE
>
> Hi Thirupathaiah,
>
> (+Joakim)
>
> On Wed, 3 Jul 2019 at 09:58, Ilias Apalodimas
> <ilias.apalodimas@xxxxxxxxxx> wrote:
> >
> > Hi Thirupathaiah,
> > >
> > > First of all, Thanks a lot for trying to test the driver.
> > >
> > np
> >
> > [...]
> > > > I managed to do some quick testing in QEMU.
> > > > Everything works fine when i build this as a module (using IBM's TPM 2.0
> > > > TSS)
> > > >
> > > > - As module
> > > > # insmod /lib/modules/5.2.0-rc1/kernel/drivers/char/tpm/tpm_ftpm_tee.ko
> > > > # getrandom -by 8
> > > > randomBytes length 8
> > > > 23 b9 3d c3 90 13 d9 6b
> > > >
> > > > - Built-in
> > > > # dmesg | grep optee
> > > > ftpm-tee firmware:optee: ftpm_tee_probe:tee_client_open_session failed,
> > > > err=ffff0008
> > > This (0xffff0008) translates to TEE_ERROR_ITEM_NOT_FOUND.
> > >
> > > Where is fTPM TA located in the your test setup?
> > > Is it stitched into TEE binary as an EARLY_TA or
> > > Is it expected to be loaded during run-time with the help of user mode OP-
> TEE supplicant?
> > >
> > > My guess is that you are trying to load fTPM TA through user mode OP-TEE
> supplicant.
> > > Can you confirm?
> > I tried both
> >
>
> Ok apparently there was a failure with my built-in binary which i
> didn't notice. I did a full rebuilt and checked the elf this time :)
>
> Built as an earlyTA my error now is:
> ftpm-tee firmware:optee: ftpm_tee_probe:tee_client_open_session
> failed, err=ffff3024 (translates to TEE_ERROR_TARGET_DEAD)
> Since you tested it on real hardware i guess you tried both
> module/built-in. Which TEE version are you using?
I am glad that the first issue (TEE_ERROR_ITEM_NOT_FOUND) is resolved after stitching
fTPM TA as an EARLY_TA.
Regarding TEE_ERROR_TARGET_DEAD error, may I know which HW platform you are using to test?
What is the preboot environment (UEFI or U-boot)?
Where is the secure storage in that HW platform?
I could think of two classes of secure storage.
1. UFS/eMMC RPMB : If Supplicant in U-boot/UEFI initializes the
fTPM TA NV Storage, there should be no issue.
If fTPM TA NV storage is not initialized in pre-boot environment and you are using
built-in fTPM Linux driver, you can run into this issue as TA will try to initialize
NV store and fail.
2. other storage devices like QSPI accessible to only secure mode after
EBS/ReadyToBoot mile posts during boot. In this case, there should be no issue at all
as there is no dependency on non-secure side services provided by supplicant.
If you let me know the HW platform details, I am happy to work with you to enable/integrate
fTPM TA on that HW platform.
Best Regards,
Thiru