+1

Documentation/driver-api/index.rst

reviewed

··· 112 112 hte/index 113 113 wmi 114 114 dpll 115 115 + tee 115 116 116 117 .. only:: subproject and html 117 118

+66

Documentation/driver-api/tee.rst

reviewed

··· 1 1 + .. SPDX-License-Identifier: GPL-2.0 2 2 + 3 3 + =============================================== 4 4 + TEE (Trusted Execution Environment) driver API 5 5 + =============================================== 6 6 + 7 7 + Kernel provides a TEE bus infrastructure where a Trusted Application is 8 8 + represented as a device identified via Universally Unique Identifier (UUID) and 9 9 + client drivers register a table of supported device UUIDs. 10 10 + 11 11 + TEE bus infrastructure registers following APIs: 12 12 + 13 13 + match(): 14 14 + iterates over the client driver UUID table to find a corresponding 15 15 + match for device UUID. If a match is found, then this particular device is 16 16 + probed via corresponding probe API registered by the client driver. This 17 17 + process happens whenever a device or a client driver is registered with TEE 18 18 + bus. 19 19 + 20 20 + uevent(): 21 21 + notifies user-space (udev) whenever a new device is registered on 22 22 + TEE bus for auto-loading of modularized client drivers. 23 23 + 24 24 + TEE bus device enumeration is specific to underlying TEE implementation, so it 25 25 + is left open for TEE drivers to provide corresponding implementation. 26 26 + 27 27 + Then TEE client driver can talk to a matched Trusted Application using APIs 28 28 + listed in include/linux/tee_drv.h. 29 29 + 30 30 + TEE client driver example 31 31 + ------------------------- 32 32 + 33 33 + Suppose a TEE client driver needs to communicate with a Trusted Application 34 34 + having UUID: ``ac6a4085-0e82-4c33-bf98-8eb8e118b6c2``, so driver registration 35 35 + snippet would look like:: 36 36 + 37 37 + static const struct tee_client_device_id client_id_table[] = { 38 38 + {UUID_INIT(0xac6a4085, 0x0e82, 0x4c33, 39 39 + 0xbf, 0x98, 0x8e, 0xb8, 0xe1, 0x18, 0xb6, 0xc2)}, 40 40 + {} 41 41 + }; 42 42 + 43 43 + MODULE_DEVICE_TABLE(tee, client_id_table); 44 44 + 45 45 + static struct tee_client_driver client_driver = { 46 46 + .id_table = client_id_table, 47 47 + .driver = { 48 48 + .name = DRIVER_NAME, 49 49 + .bus = &tee_bus_type, 50 50 + .probe = client_probe, 51 51 + .remove = client_remove, 52 52 + }, 53 53 + }; 54 54 + 55 55 + static int __init client_init(void) 56 56 + { 57 57 + return driver_register(&client_driver.driver); 58 58 + } 59 59 + 60 60 + static void __exit client_exit(void) 61 61 + { 62 62 + driver_unregister(&client_driver.driver); 63 63 + } 64 64 + 65 65 + module_init(client_init); 66 66 + module_exit(client_exit);

+1 -1

Documentation/security/keys/trusted-encrypted.rst

reviewed

··· 88 88 (2) TEE 89 89 90 90 TEEs have well-documented, standardized client interface and APIs. For 91 91 - more details refer to ``Documentation/staging/tee.rst``. 91 91 + more details refer to ``Documentation/driver-api/tee.rst``. 92 92 93 93 (3) CAAM 94 94

-1

Documentation/staging/index.rst

reviewed

··· 12 12 rpmsg 13 13 speculation 14 14 static-keys 15 15 - tee 16 15 xz

-364

Documentation/staging/tee.rst

reviewed

··· 1 1 - ============= 2 2 - TEE subsystem 3 3 - ============= 4 4 - 5 5 - This document describes the TEE subsystem in Linux. 6 6 - 7 7 - A TEE (Trusted Execution Environment) is a trusted OS running in some 8 8 - secure environment, for example, TrustZone on ARM CPUs, or a separate 9 9 - secure co-processor etc. A TEE driver handles the details needed to 10 10 - communicate with the TEE. 11 11 - 12 12 - This subsystem deals with: 13 13 - 14 14 - - Registration of TEE drivers 15 15 - 16 16 - - Managing shared memory between Linux and the TEE 17 17 - 18 18 - - Providing a generic API to the TEE 19 19 - 20 20 - The TEE interface 21 21 - ================= 22 22 - 23 23 - include/uapi/linux/tee.h defines the generic interface to a TEE. 24 24 - 25 25 - User space (the client) connects to the driver by opening /dev/tee[0-9]* or 26 26 - /dev/teepriv[0-9]*. 27 27 - 28 28 - - TEE_IOC_SHM_ALLOC allocates shared memory and returns a file descriptor 29 29 - which user space can mmap. When user space doesn't need the file 30 30 - descriptor any more, it should be closed. When shared memory isn't needed 31 31 - any longer it should be unmapped with munmap() to allow the reuse of 32 32 - memory. 33 33 - 34 34 - - TEE_IOC_VERSION lets user space know which TEE this driver handles and 35 35 - its capabilities. 36 36 - 37 37 - - TEE_IOC_OPEN_SESSION opens a new session to a Trusted Application. 38 38 - 39 39 - - TEE_IOC_INVOKE invokes a function in a Trusted Application. 40 40 - 41 41 - - TEE_IOC_CANCEL may cancel an ongoing TEE_IOC_OPEN_SESSION or TEE_IOC_INVOKE. 42 42 - 43 43 - - TEE_IOC_CLOSE_SESSION closes a session to a Trusted Application. 44 44 - 45 45 - There are two classes of clients, normal clients and supplicants. The latter is 46 46 - a helper process for the TEE to access resources in Linux, for example file 47 47 - system access. A normal client opens /dev/tee[0-9]* and a supplicant opens 48 48 - /dev/teepriv[0-9]. 49 49 - 50 50 - Much of the communication between clients and the TEE is opaque to the 51 51 - driver. The main job for the driver is to receive requests from the 52 52 - clients, forward them to the TEE and send back the results. In the case of 53 53 - supplicants the communication goes in the other direction, the TEE sends 54 54 - requests to the supplicant which then sends back the result. 55 55 - 56 56 - The TEE kernel interface 57 57 - ======================== 58 58 - 59 59 - Kernel provides a TEE bus infrastructure where a Trusted Application is 60 60 - represented as a device identified via Universally Unique Identifier (UUID) and 61 61 - client drivers register a table of supported device UUIDs. 62 62 - 63 63 - TEE bus infrastructure registers following APIs: 64 64 - 65 65 - match(): 66 66 - iterates over the client driver UUID table to find a corresponding 67 67 - match for device UUID. If a match is found, then this particular device is 68 68 - probed via corresponding probe API registered by the client driver. This 69 69 - process happens whenever a device or a client driver is registered with TEE 70 70 - bus. 71 71 - 72 72 - uevent(): 73 73 - notifies user-space (udev) whenever a new device is registered on 74 74 - TEE bus for auto-loading of modularized client drivers. 75 75 - 76 76 - TEE bus device enumeration is specific to underlying TEE implementation, so it 77 77 - is left open for TEE drivers to provide corresponding implementation. 78 78 - 79 79 - Then TEE client driver can talk to a matched Trusted Application using APIs 80 80 - listed in include/linux/tee_drv.h. 81 81 - 82 82 - TEE client driver example 83 83 - ------------------------- 84 84 - 85 85 - Suppose a TEE client driver needs to communicate with a Trusted Application 86 86 - having UUID: ``ac6a4085-0e82-4c33-bf98-8eb8e118b6c2``, so driver registration 87 87 - snippet would look like:: 88 88 - 89 89 - static const struct tee_client_device_id client_id_table[] = { 90 90 - {UUID_INIT(0xac6a4085, 0x0e82, 0x4c33, 91 91 - 0xbf, 0x98, 0x8e, 0xb8, 0xe1, 0x18, 0xb6, 0xc2)}, 92 92 - {} 93 93 - }; 94 94 - 95 95 - MODULE_DEVICE_TABLE(tee, client_id_table); 96 96 - 97 97 - static struct tee_client_driver client_driver = { 98 98 - .id_table = client_id_table, 99 99 - .driver = { 100 100 - .name = DRIVER_NAME, 101 101 - .bus = &tee_bus_type, 102 102 - .probe = client_probe, 103 103 - .remove = client_remove, 104 104 - }, 105 105 - }; 106 106 - 107 107 - static int __init client_init(void) 108 108 - { 109 109 - return driver_register(&client_driver.driver); 110 110 - } 111 111 - 112 112 - static void __exit client_exit(void) 113 113 - { 114 114 - driver_unregister(&client_driver.driver); 115 115 - } 116 116 - 117 117 - module_init(client_init); 118 118 - module_exit(client_exit); 119 119 - 120 120 - OP-TEE driver 121 121 - ============= 122 122 - 123 123 - The OP-TEE driver handles OP-TEE [1] based TEEs. Currently it is only the ARM 124 124 - TrustZone based OP-TEE solution that is supported. 125 125 - 126 126 - Lowest level of communication with OP-TEE builds on ARM SMC Calling 127 127 - Convention (SMCCC) [2], which is the foundation for OP-TEE's SMC interface 128 128 - [3] used internally by the driver. Stacked on top of that is OP-TEE Message 129 129 - Protocol [4]. 130 130 - 131 131 - OP-TEE SMC interface provides the basic functions required by SMCCC and some 132 132 - additional functions specific for OP-TEE. The most interesting functions are: 133 133 - 134 134 - - OPTEE_SMC_FUNCID_CALLS_UID (part of SMCCC) returns the version information 135 135 - which is then returned by TEE_IOC_VERSION 136 136 - 137 137 - - OPTEE_SMC_CALL_GET_OS_UUID returns the particular OP-TEE implementation, used 138 138 - to tell, for instance, a TrustZone OP-TEE apart from an OP-TEE running on a 139 139 - separate secure co-processor. 140 140 - 141 141 - - OPTEE_SMC_CALL_WITH_ARG drives the OP-TEE message protocol 142 142 - 143 143 - - OPTEE_SMC_GET_SHM_CONFIG lets the driver and OP-TEE agree on which memory 144 144 - range to used for shared memory between Linux and OP-TEE. 145 145 - 146 146 - The GlobalPlatform TEE Client API [5] is implemented on top of the generic 147 147 - TEE API. 148 148 - 149 149 - Picture of the relationship between the different components in the 150 150 - OP-TEE architecture:: 151 151 - 152 152 - User space Kernel Secure world 153 153 - ~~~~~~~~~~ ~~~~~~ ~~~~~~~~~~~~ 154 154 - +--------+ +-------------+ 155 155 - | Client | | Trusted | 156 156 - +--------+ | Application | 157 157 - /\ +-------------+ 158 158 - || +----------+ /\ 159 159 - || |tee- | || 160 160 - || |supplicant| \/ 161 161 - || +----------+ +-------------+ 162 162 - \/ /\ | TEE Internal| 163 163 - +-------+ || | API | 164 164 - + TEE | || +--------+--------+ +-------------+ 165 165 - | Client| || | TEE | OP-TEE | | OP-TEE | 166 166 - | API | \/ | subsys | driver | | Trusted OS | 167 167 - +-------+----------------+----+-------+----+-----------+-------------+ 168 168 - | Generic TEE API | | OP-TEE MSG | 169 169 - | IOCTL (TEE_IOC_*) | | SMCCC (OPTEE_SMC_CALL_*) | 170 170 - +-----------------------------+ +------------------------------+ 171 171 - 172 172 - RPC (Remote Procedure Call) are requests from secure world to kernel driver 173 173 - or tee-supplicant. An RPC is identified by a special range of SMCCC return 174 174 - values from OPTEE_SMC_CALL_WITH_ARG. RPC messages which are intended for the 175 175 - kernel are handled by the kernel driver. Other RPC messages will be forwarded to 176 176 - tee-supplicant without further involvement of the driver, except switching 177 177 - shared memory buffer representation. 178 178 - 179 179 - OP-TEE device enumeration 180 180 - ------------------------- 181 181 - 182 182 - OP-TEE provides a pseudo Trusted Application: drivers/tee/optee/device.c in 183 183 - order to support device enumeration. In other words, OP-TEE driver invokes this 184 184 - application to retrieve a list of Trusted Applications which can be registered 185 185 - as devices on the TEE bus. 186 186 - 187 187 - OP-TEE notifications 188 188 - -------------------- 189 189 - 190 190 - There are two kinds of notifications that secure world can use to make 191 191 - normal world aware of some event. 192 192 - 193 193 - 1. Synchronous notifications delivered with ``OPTEE_RPC_CMD_NOTIFICATION`` 194 194 - using the ``OPTEE_RPC_NOTIFICATION_SEND`` parameter. 195 195 - 2. Asynchronous notifications delivered with a combination of a non-secure 196 196 - edge-triggered interrupt and a fast call from the non-secure interrupt 197 197 - handler. 198 198 - 199 199 - Synchronous notifications are limited by depending on RPC for delivery, 200 200 - this is only usable when secure world is entered with a yielding call via 201 201 - ``OPTEE_SMC_CALL_WITH_ARG``. This excludes such notifications from secure 202 202 - world interrupt handlers. 203 203 - 204 204 - An asynchronous notification is delivered via a non-secure edge-triggered 205 205 - interrupt to an interrupt handler registered in the OP-TEE driver. The 206 206 - actual notification value are retrieved with the fast call 207 207 - ``OPTEE_SMC_GET_ASYNC_NOTIF_VALUE``. Note that one interrupt can represent 208 208 - multiple notifications. 209 209 - 210 210 - One notification value ``OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF`` has a 211 211 - special meaning. When this value is received it means that normal world is 212 212 - supposed to make a yielding call ``OPTEE_MSG_CMD_DO_BOTTOM_HALF``. This 213 213 - call is done from the thread assisting the interrupt handler. This is a 214 214 - building block for OP-TEE OS in secure world to implement the top half and 215 215 - bottom half style of device drivers. 216 216 - 217 217 - OPTEE_INSECURE_LOAD_IMAGE Kconfig option 218 218 - ---------------------------------------- 219 219 - 220 220 - The OPTEE_INSECURE_LOAD_IMAGE Kconfig option enables the ability to load the 221 221 - BL32 OP-TEE image from the kernel after the kernel boots, rather than loading 222 222 - it from the firmware before the kernel boots. This also requires enabling the 223 223 - corresponding option in Trusted Firmware for Arm. The Trusted Firmware for Arm 224 224 - documentation [8] explains the security threat associated with enabling this as 225 225 - well as mitigations at the firmware and platform level. 226 226 - 227 227 - There are additional attack vectors/mitigations for the kernel that should be 228 228 - addressed when using this option. 229 229 - 230 230 - 1. Boot chain security. 231 231 - 232 232 - * Attack vector: Replace the OP-TEE OS image in the rootfs to gain control of 233 233 - the system. 234 234 - 235 235 - * Mitigation: There must be boot chain security that verifies the kernel and 236 236 - rootfs, otherwise an attacker can modify the loaded OP-TEE binary by 237 237 - modifying it in the rootfs. 238 238 - 239 239 - 2. Alternate boot modes. 240 240 - 241 241 - * Attack vector: Using an alternate boot mode (i.e. recovery mode), the 242 242 - OP-TEE driver isn't loaded, leaving the SMC hole open. 243 243 - 244 244 - * Mitigation: If there are alternate methods of booting the device, such as a 245 245 - recovery mode, it should be ensured that the same mitigations are applied 246 246 - in that mode. 247 247 - 248 248 - 3. Attacks prior to SMC invocation. 249 249 - 250 250 - * Attack vector: Code that is executed prior to issuing the SMC call to load 251 251 - OP-TEE can be exploited to then load an alternate OS image. 252 252 - 253 253 - * Mitigation: The OP-TEE driver must be loaded before any potential attack 254 254 - vectors are opened up. This should include mounting of any modifiable 255 255 - filesystems, opening of network ports or communicating with external 256 256 - devices (e.g. USB). 257 257 - 258 258 - 4. Blocking SMC call to load OP-TEE. 259 259 - 260 260 - * Attack vector: Prevent the driver from being probed, so the SMC call to 261 261 - load OP-TEE isn't executed when desired, leaving it open to being executed 262 262 - later and loading a modified OS. 263 263 - 264 264 - * Mitigation: It is recommended to build the OP-TEE driver as builtin driver 265 265 - rather than as a module to prevent exploits that may cause the module to 266 266 - not be loaded. 267 267 - 268 268 - AMD-TEE driver 269 269 - ============== 270 270 - 271 271 - The AMD-TEE driver handles the communication with AMD's TEE environment. The 272 272 - TEE environment is provided by AMD Secure Processor. 273 273 - 274 274 - The AMD Secure Processor (formerly called Platform Security Processor or PSP) 275 275 - is a dedicated processor that features ARM TrustZone technology, along with a 276 276 - software-based Trusted Execution Environment (TEE) designed to enable 277 277 - third-party Trusted Applications. This feature is currently enabled only for 278 278 - APUs. 279 279 - 280 280 - The following picture shows a high level overview of AMD-TEE:: 281 281 - 282 282 - | 283 283 - x86 | 284 284 - | 285 285 - User space (Kernel space) | AMD Secure Processor (PSP) 286 286 - ~~~~~~~~~~ ~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~ 287 287 - | 288 288 - +--------+ | +-------------+ 289 289 - | Client | | | Trusted | 290 290 - +--------+ | | Application | 291 291 - /\ | +-------------+ 292 292 - || | /\ 293 293 - || | || 294 294 - || | \/ 295 295 - || | +----------+ 296 296 - || | | TEE | 297 297 - || | | Internal | 298 298 - \/ | | API | 299 299 - +---------+ +-----------+---------+ +----------+ 300 300 - | TEE | | TEE | AMD-TEE | | AMD-TEE | 301 301 - | Client | | subsystem | driver | | Trusted | 302 302 - | API | | | | | OS | 303 303 - +---------+-----------+----+------+---------+---------+----------+ 304 304 - | Generic TEE API | | ASP | Mailbox | 305 305 - | IOCTL (TEE_IOC_*) | | driver | Register Protocol | 306 306 - +--------------------------+ +---------+--------------------+ 307 307 - 308 308 - At the lowest level (in x86), the AMD Secure Processor (ASP) driver uses the 309 309 - CPU to PSP mailbox register to submit commands to the PSP. The format of the 310 310 - command buffer is opaque to the ASP driver. It's role is to submit commands to 311 311 - the secure processor and return results to AMD-TEE driver. The interface 312 312 - between AMD-TEE driver and AMD Secure Processor driver can be found in [6]. 313 313 - 314 314 - The AMD-TEE driver packages the command buffer payload for processing in TEE. 315 315 - The command buffer format for the different TEE commands can be found in [7]. 316 316 - 317 317 - The TEE commands supported by AMD-TEE Trusted OS are: 318 318 - 319 319 - * TEE_CMD_ID_LOAD_TA - loads a Trusted Application (TA) binary into 320 320 - TEE environment. 321 321 - * TEE_CMD_ID_UNLOAD_TA - unloads TA binary from TEE environment. 322 322 - * TEE_CMD_ID_OPEN_SESSION - opens a session with a loaded TA. 323 323 - * TEE_CMD_ID_CLOSE_SESSION - closes session with loaded TA 324 324 - * TEE_CMD_ID_INVOKE_CMD - invokes a command with loaded TA 325 325 - * TEE_CMD_ID_MAP_SHARED_MEM - maps shared memory 326 326 - * TEE_CMD_ID_UNMAP_SHARED_MEM - unmaps shared memory 327 327 - 328 328 - AMD-TEE Trusted OS is the firmware running on AMD Secure Processor. 329 329 - 330 330 - The AMD-TEE driver registers itself with TEE subsystem and implements the 331 331 - following driver function callbacks: 332 332 - 333 333 - * get_version - returns the driver implementation id and capability. 334 334 - * open - sets up the driver context data structure. 335 335 - * release - frees up driver resources. 336 336 - * open_session - loads the TA binary and opens session with loaded TA. 337 337 - * close_session - closes session with loaded TA and unloads it. 338 338 - * invoke_func - invokes a command with loaded TA. 339 339 - 340 340 - cancel_req driver callback is not supported by AMD-TEE. 341 341 - 342 342 - The GlobalPlatform TEE Client API [5] can be used by the user space (client) to 343 343 - talk to AMD's TEE. AMD's TEE provides a secure environment for loading, opening 344 344 - a session, invoking commands and closing session with TA. 345 345 - 346 346 - References 347 347 - ========== 348 348 - 349 349 - [1] https://github.com/OP-TEE/optee_os 350 350 - 351 351 - [2] http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html 352 352 - 353 353 - [3] drivers/tee/optee/optee_smc.h 354 354 - 355 355 - [4] drivers/tee/optee/optee_msg.h 356 356 - 357 357 - [5] http://www.globalplatform.org/specificationsdevice.asp look for 358 358 - "TEE Client API Specification v1.0" and click download. 359 359 - 360 360 - [6] include/linux/psp-tee.h 361 361 - 362 362 - [7] drivers/tee/amdtee/amdtee_if.h 363 363 - 364 364 - [8] https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html

+1

Documentation/subsystem-apis.rst

reviewed

··· 86 86 misc-devices/index 87 87 peci/index 88 88 wmi/index 89 89 + tee/index

+90

Documentation/tee/amd-tee.rst

reviewed

··· 1 1 + .. SPDX-License-Identifier: GPL-2.0 2 2 + 3 3 + ============================================= 4 4 + AMD-TEE (AMD's Trusted Execution Environment) 5 5 + ============================================= 6 6 + 7 7 + The AMD-TEE driver handles the communication with AMD's TEE environment. The 8 8 + TEE environment is provided by AMD Secure Processor. 9 9 + 10 10 + The AMD Secure Processor (formerly called Platform Security Processor or PSP) 11 11 + is a dedicated processor that features ARM TrustZone technology, along with a 12 12 + software-based Trusted Execution Environment (TEE) designed to enable 13 13 + third-party Trusted Applications. This feature is currently enabled only for 14 14 + APUs. 15 15 + 16 16 + The following picture shows a high level overview of AMD-TEE:: 17 17 + 18 18 + | 19 19 + x86 | 20 20 + | 21 21 + User space (Kernel space) | AMD Secure Processor (PSP) 22 22 + ~~~~~~~~~~ ~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~ 23 23 + | 24 24 + +--------+ | +-------------+ 25 25 + | Client | | | Trusted | 26 26 + +--------+ | | Application | 27 27 + /\ | +-------------+ 28 28 + || | /\ 29 29 + || | || 30 30 + || | \/ 31 31 + || | +----------+ 32 32 + || | | TEE | 33 33 + || | | Internal | 34 34 + \/ | | API | 35 35 + +---------+ +-----------+---------+ +----------+ 36 36 + | TEE | | TEE | AMD-TEE | | AMD-TEE | 37 37 + | Client | | subsystem | driver | | Trusted | 38 38 + | API | | | | | OS | 39 39 + +---------+-----------+----+------+---------+---------+----------+ 40 40 + | Generic TEE API | | ASP | Mailbox | 41 41 + | IOCTL (TEE_IOC_*) | | driver | Register Protocol | 42 42 + +--------------------------+ +---------+--------------------+ 43 43 + 44 44 + At the lowest level (in x86), the AMD Secure Processor (ASP) driver uses the 45 45 + CPU to PSP mailbox register to submit commands to the PSP. The format of the 46 46 + command buffer is opaque to the ASP driver. It's role is to submit commands to 47 47 + the secure processor and return results to AMD-TEE driver. The interface 48 48 + between AMD-TEE driver and AMD Secure Processor driver can be found in [1]. 49 49 + 50 50 + The AMD-TEE driver packages the command buffer payload for processing in TEE. 51 51 + The command buffer format for the different TEE commands can be found in [2]. 52 52 + 53 53 + The TEE commands supported by AMD-TEE Trusted OS are: 54 54 + 55 55 + * TEE_CMD_ID_LOAD_TA - loads a Trusted Application (TA) binary into 56 56 + TEE environment. 57 57 + * TEE_CMD_ID_UNLOAD_TA - unloads TA binary from TEE environment. 58 58 + * TEE_CMD_ID_OPEN_SESSION - opens a session with a loaded TA. 59 59 + * TEE_CMD_ID_CLOSE_SESSION - closes session with loaded TA 60 60 + * TEE_CMD_ID_INVOKE_CMD - invokes a command with loaded TA 61 61 + * TEE_CMD_ID_MAP_SHARED_MEM - maps shared memory 62 62 + * TEE_CMD_ID_UNMAP_SHARED_MEM - unmaps shared memory 63 63 + 64 64 + AMD-TEE Trusted OS is the firmware running on AMD Secure Processor. 65 65 + 66 66 + The AMD-TEE driver registers itself with TEE subsystem and implements the 67 67 + following driver function callbacks: 68 68 + 69 69 + * get_version - returns the driver implementation id and capability. 70 70 + * open - sets up the driver context data structure. 71 71 + * release - frees up driver resources. 72 72 + * open_session - loads the TA binary and opens session with loaded TA. 73 73 + * close_session - closes session with loaded TA and unloads it. 74 74 + * invoke_func - invokes a command with loaded TA. 75 75 + 76 76 + cancel_req driver callback is not supported by AMD-TEE. 77 77 + 78 78 + The GlobalPlatform TEE Client API [3] can be used by the user space (client) to 79 79 + talk to AMD's TEE. AMD's TEE provides a secure environment for loading, opening 80 80 + a session, invoking commands and closing session with TA. 81 81 + 82 82 + References 83 83 + ========== 84 84 + 85 85 + [1] include/linux/psp-tee.h 86 86 + 87 87 + [2] drivers/tee/amdtee/amdtee_if.h 88 88 + 89 89 + [3] http://www.globalplatform.org/specificationsdevice.asp look for 90 90 + "TEE Client API Specification v1.0" and click download.

+19

Documentation/tee/index.rst

reviewed

··· 1 1 + .. SPDX-License-Identifier: GPL-2.0 2 2 + 3 3 + ============= 4 4 + TEE Subsystem 5 5 + ============= 6 6 + 7 7 + .. toctree:: 8 8 + :maxdepth: 1 9 9 + 10 10 + tee 11 11 + op-tee 12 12 + amd-tee 13 13 + 14 14 + .. only:: subproject and html 15 15 + 16 16 + Indices 17 17 + ======= 18 18 + 19 19 + * :ref:`genindex`

+166

Documentation/tee/op-tee.rst

reviewed

··· 1 1 + .. SPDX-License-Identifier: GPL-2.0 2 2 + 3 3 + ==================================================== 4 4 + OP-TEE (Open Portable Trusted Execution Environment) 5 5 + ==================================================== 6 6 + 7 7 + The OP-TEE driver handles OP-TEE [1] based TEEs. Currently it is only the ARM 8 8 + TrustZone based OP-TEE solution that is supported. 9 9 + 10 10 + Lowest level of communication with OP-TEE builds on ARM SMC Calling 11 11 + Convention (SMCCC) [2], which is the foundation for OP-TEE's SMC interface 12 12 + [3] used internally by the driver. Stacked on top of that is OP-TEE Message 13 13 + Protocol [4]. 14 14 + 15 15 + OP-TEE SMC interface provides the basic functions required by SMCCC and some 16 16 + additional functions specific for OP-TEE. The most interesting functions are: 17 17 + 18 18 + - OPTEE_SMC_FUNCID_CALLS_UID (part of SMCCC) returns the version information 19 19 + which is then returned by TEE_IOC_VERSION 20 20 + 21 21 + - OPTEE_SMC_CALL_GET_OS_UUID returns the particular OP-TEE implementation, used 22 22 + to tell, for instance, a TrustZone OP-TEE apart from an OP-TEE running on a 23 23 + separate secure co-processor. 24 24 + 25 25 + - OPTEE_SMC_CALL_WITH_ARG drives the OP-TEE message protocol 26 26 + 27 27 + - OPTEE_SMC_GET_SHM_CONFIG lets the driver and OP-TEE agree on which memory 28 28 + range to used for shared memory between Linux and OP-TEE. 29 29 + 30 30 + The GlobalPlatform TEE Client API [5] is implemented on top of the generic 31 31 + TEE API. 32 32 + 33 33 + Picture of the relationship between the different components in the 34 34 + OP-TEE architecture:: 35 35 + 36 36 + User space Kernel Secure world 37 37 + ~~~~~~~~~~ ~~~~~~ ~~~~~~~~~~~~ 38 38 + +--------+ +-------------+ 39 39 + | Client | | Trusted | 40 40 + +--------+ | Application | 41 41 + /\ +-------------+ 42 42 + || +----------+ /\ 43 43 + || |tee- | || 44 44 + || |supplicant| \/ 45 45 + || +----------+ +-------------+ 46 46 + \/ /\ | TEE Internal| 47 47 + +-------+ || | API | 48 48 + + TEE | || +--------+--------+ +-------------+ 49 49 + | Client| || | TEE | OP-TEE | | OP-TEE | 50 50 + | API | \/ | subsys | driver | | Trusted OS | 51 51 + +-------+----------------+----+-------+----+-----------+-------------+ 52 52 + | Generic TEE API | | OP-TEE MSG | 53 53 + | IOCTL (TEE_IOC_*) | | SMCCC (OPTEE_SMC_CALL_*) | 54 54 + +-----------------------------+ +------------------------------+ 55 55 + 56 56 + RPC (Remote Procedure Call) are requests from secure world to kernel driver 57 57 + or tee-supplicant. An RPC is identified by a special range of SMCCC return 58 58 + values from OPTEE_SMC_CALL_WITH_ARG. RPC messages which are intended for the 59 59 + kernel are handled by the kernel driver. Other RPC messages will be forwarded to 60 60 + tee-supplicant without further involvement of the driver, except switching 61 61 + shared memory buffer representation. 62 62 + 63 63 + OP-TEE device enumeration 64 64 + ------------------------- 65 65 + 66 66 + OP-TEE provides a pseudo Trusted Application: drivers/tee/optee/device.c in 67 67 + order to support device enumeration. In other words, OP-TEE driver invokes this 68 68 + application to retrieve a list of Trusted Applications which can be registered 69 69 + as devices on the TEE bus. 70 70 + 71 71 + OP-TEE notifications 72 72 + -------------------- 73 73 + 74 74 + There are two kinds of notifications that secure world can use to make 75 75 + normal world aware of some event. 76 76 + 77 77 + 1. Synchronous notifications delivered with ``OPTEE_RPC_CMD_NOTIFICATION`` 78 78 + using the ``OPTEE_RPC_NOTIFICATION_SEND`` parameter. 79 79 + 2. Asynchronous notifications delivered with a combination of a non-secure 80 80 + edge-triggered interrupt and a fast call from the non-secure interrupt 81 81 + handler. 82 82 + 83 83 + Synchronous notifications are limited by depending on RPC for delivery, 84 84 + this is only usable when secure world is entered with a yielding call via 85 85 + ``OPTEE_SMC_CALL_WITH_ARG``. This excludes such notifications from secure 86 86 + world interrupt handlers. 87 87 + 88 88 + An asynchronous notification is delivered via a non-secure edge-triggered 89 89 + interrupt to an interrupt handler registered in the OP-TEE driver. The 90 90 + actual notification value are retrieved with the fast call 91 91 + ``OPTEE_SMC_GET_ASYNC_NOTIF_VALUE``. Note that one interrupt can represent 92 92 + multiple notifications. 93 93 + 94 94 + One notification value ``OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF`` has a 95 95 + special meaning. When this value is received it means that normal world is 96 96 + supposed to make a yielding call ``OPTEE_MSG_CMD_DO_BOTTOM_HALF``. This 97 97 + call is done from the thread assisting the interrupt handler. This is a 98 98 + building block for OP-TEE OS in secure world to implement the top half and 99 99 + bottom half style of device drivers. 100 100 + 101 101 + OPTEE_INSECURE_LOAD_IMAGE Kconfig option 102 102 + ---------------------------------------- 103 103 + 104 104 + The OPTEE_INSECURE_LOAD_IMAGE Kconfig option enables the ability to load the 105 105 + BL32 OP-TEE image from the kernel after the kernel boots, rather than loading 106 106 + it from the firmware before the kernel boots. This also requires enabling the 107 107 + corresponding option in Trusted Firmware for Arm. The Trusted Firmware for Arm 108 108 + documentation [6] explains the security threat associated with enabling this as 109 109 + well as mitigations at the firmware and platform level. 110 110 + 111 111 + There are additional attack vectors/mitigations for the kernel that should be 112 112 + addressed when using this option. 113 113 + 114 114 + 1. Boot chain security. 115 115 + 116 116 + * Attack vector: Replace the OP-TEE OS image in the rootfs to gain control of 117 117 + the system. 118 118 + 119 119 + * Mitigation: There must be boot chain security that verifies the kernel and 120 120 + rootfs, otherwise an attacker can modify the loaded OP-TEE binary by 121 121 + modifying it in the rootfs. 122 122 + 123 123 + 2. Alternate boot modes. 124 124 + 125 125 + * Attack vector: Using an alternate boot mode (i.e. recovery mode), the 126 126 + OP-TEE driver isn't loaded, leaving the SMC hole open. 127 127 + 128 128 + * Mitigation: If there are alternate methods of booting the device, such as a 129 129 + recovery mode, it should be ensured that the same mitigations are applied 130 130 + in that mode. 131 131 + 132 132 + 3. Attacks prior to SMC invocation. 133 133 + 134 134 + * Attack vector: Code that is executed prior to issuing the SMC call to load 135 135 + OP-TEE can be exploited to then load an alternate OS image. 136 136 + 137 137 + * Mitigation: The OP-TEE driver must be loaded before any potential attack 138 138 + vectors are opened up. This should include mounting of any modifiable 139 139 + filesystems, opening of network ports or communicating with external 140 140 + devices (e.g. USB). 141 141 + 142 142 + 4. Blocking SMC call to load OP-TEE. 143 143 + 144 144 + * Attack vector: Prevent the driver from being probed, so the SMC call to 145 145 + load OP-TEE isn't executed when desired, leaving it open to being executed 146 146 + later and loading a modified OS. 147 147 + 148 148 + * Mitigation: It is recommended to build the OP-TEE driver as builtin driver 149 149 + rather than as a module to prevent exploits that may cause the module to 150 150 + not be loaded. 151 151 + 152 152 + References 153 153 + ========== 154 154 + 155 155 + [1] https://github.com/OP-TEE/optee_os 156 156 + 157 157 + [2] http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html 158 158 + 159 159 + [3] drivers/tee/optee/optee_smc.h 160 160 + 161 161 + [4] drivers/tee/optee/optee_msg.h 162 162 + 163 163 + [5] http://www.globalplatform.org/specificationsdevice.asp look for 164 164 + "TEE Client API Specification v1.0" and click download. 165 165 + 166 166 + [6] https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html

+22

Documentation/tee/tee.rst

reviewed

··· 1 1 + .. SPDX-License-Identifier: GPL-2.0 2 2 + 3 3 + =================================== 4 4 + TEE (Trusted Execution Environment) 5 5 + =================================== 6 6 + 7 7 + This document describes the TEE subsystem in Linux. 8 8 + 9 9 + Overview 10 10 + ======== 11 11 + 12 12 + A TEE is a trusted OS running in some secure environment, for example, 13 13 + TrustZone on ARM CPUs, or a separate secure co-processor etc. A TEE driver 14 14 + handles the details needed to communicate with the TEE. 15 15 + 16 16 + This subsystem deals with: 17 17 + 18 18 + - Registration of TEE drivers 19 19 + 20 20 + - Managing shared memory between Linux and the TEE 21 21 + 22 22 + - Providing a generic API to the TEE

+1

Documentation/userspace-api/index.rst

reviewed

··· 30 30 sysfs-platform_profile 31 31 vduse 32 32 futex2 33 33 + tee 33 34 34 35 .. only:: subproject and html 35 36

+39

Documentation/userspace-api/tee.rst

reviewed

··· 1 1 + .. SPDX-License-Identifier: GPL-2.0 2 2 + .. tee: 3 3 + 4 4 + ================================================== 5 5 + TEE (Trusted Execution Environment) Userspace API 6 6 + ================================================== 7 7 + 8 8 + include/uapi/linux/tee.h defines the generic interface to a TEE. 9 9 + 10 10 + User space (the client) connects to the driver by opening /dev/tee[0-9]* or 11 11 + /dev/teepriv[0-9]*. 12 12 + 13 13 + - TEE_IOC_SHM_ALLOC allocates shared memory and returns a file descriptor 14 14 + which user space can mmap. When user space doesn't need the file 15 15 + descriptor any more, it should be closed. When shared memory isn't needed 16 16 + any longer it should be unmapped with munmap() to allow the reuse of 17 17 + memory. 18 18 + 19 19 + - TEE_IOC_VERSION lets user space know which TEE this driver handles and 20 20 + its capabilities. 21 21 + 22 22 + - TEE_IOC_OPEN_SESSION opens a new session to a Trusted Application. 23 23 + 24 24 + - TEE_IOC_INVOKE invokes a function in a Trusted Application. 25 25 + 26 26 + - TEE_IOC_CANCEL may cancel an ongoing TEE_IOC_OPEN_SESSION or TEE_IOC_INVOKE. 27 27 + 28 28 + - TEE_IOC_CLOSE_SESSION closes a session to a Trusted Application. 29 29 + 30 30 + There are two classes of clients, normal clients and supplicants. The latter is 31 31 + a helper process for the TEE to access resources in Linux, for example file 32 32 + system access. A normal client opens /dev/tee[0-9]* and a supplicant opens 33 33 + /dev/teepriv[0-9]. 34 34 + 35 35 + Much of the communication between clients and the TEE is opaque to the 36 36 + driver. The main job for the driver is to receive requests from the 37 37 + clients, forward them to the TEE and send back the results. In the case of 38 38 + supplicants the communication goes in the other direction, the TEE sends 39 39 + requests to the supplicant which then sends back the result.

+3 -1

MAINTAINERS

reviewed

··· 21351 21351 R: Sumit Garg <sumit.garg@linaro.org> 21352 21352 L: op-tee@lists.trustedfirmware.org 21353 21353 S: Maintained 21354 21354 - F: Documentation/staging/tee.rst 21354 21354 + F: Documentation/driver-api/tee.rst 21355 21355 + F: Documentation/tee/ 21356 21356 + F: Documentation/userspace-api/tee.rst 21355 21357 F: drivers/tee/ 21356 21358 F: include/linux/tee_drv.h 21357 21359 F: include/uapi/linux/tee.h

+1 -1

drivers/tee/optee/Kconfig

reviewed

··· 23 23 https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html 24 24 25 25 Additional documentation on kernel security risks are at 26 26 - Documentation/staging/tee.rst. 26 26 + Documentation/tee/op-tee.rst.