common: SCP03 control (enable and provision of keys)

This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).

All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.

For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.

To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).

For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
    check:
    core/drivers/crypto/se050/adaptors/utils/scp_config.c

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>

diff --git a/common/Kconfig b/common/Kconfig
index 2bb3798f808eea070447894a3b7da002434618b0..482f123534793e6618c64cfd83d8cfff01274688 100644 (file)
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -588,6 +588,14 @@ config AVB_BUF_SIZE
 
 endif # AVB_VERIFY
 
+config SCP03
+       bool "Build SCP03 - Secure Channel Protocol O3 - controls"
+       depends on OPTEE || SANDBOX
+       depends on TEE
+       help
+         This option allows U-Boot to enable and or provision SCP03 on an OPTEE
+         controlled Secured Element.
+
 config SPL_HASH
        bool # "Support hashing API (SHA1, SHA256, etc.)"
        help

diff --git a/common/Makefile b/common/Makefile
index daeea67cf29328b75c154b034626cc76c9a7c334..215b8b26fdc8e47a4175594f0fbdb47be1a5c5db 100644 (file)
--- a/common/Makefile
+++ b/common/Makefile
@@ -137,3 +137,4 @@ obj-$(CONFIG_CMD_LOADB) += xyzModem.o
 obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o
 
 obj-$(CONFIG_AVB_VERIFY) += avb_verify.o
+obj-$(CONFIG_SCP03) += scp03.o

diff --git a/common/scp03.c b/common/scp03.c
new file mode 100644 (file)
index 0000000..09ef7b5
--- /dev/null
+++ b/common/scp03.c
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#include <common.h>
+#include <scp03.h>
+#include <tee.h>
+#include <tee/optee_ta_scp03.h>
+
+static int scp03_enable(bool provision)
+{
+       const struct tee_optee_ta_uuid uuid = PTA_SCP03_UUID;
+       struct tee_open_session_arg session;
+       struct tee_invoke_arg invoke;
+       struct tee_param param;
+       struct udevice *tee = NULL;
+
+       tee = tee_find_device(tee, NULL, NULL, NULL);
+       if (!tee)
+               return -ENODEV;
+
+       memset(&session, 0, sizeof(session));
+       tee_optee_ta_uuid_to_octets(session.uuid, &uuid);
+       if (tee_open_session(tee, &session, 0, NULL))
+               return -ENXIO;
+
+       memset(&param, 0, sizeof(param));
+       param.attr = TEE_PARAM_ATTR_TYPE_VALUE_INPUT;
+       param.u.value.a = provision;
+
+       memset(&invoke, 0, sizeof(invoke));
+       invoke.func = PTA_CMD_ENABLE_SCP03;
+       invoke.session = session.session;
+
+       if (tee_invoke_func(tee, &invoke, 1, &param))
+               return -EIO;
+
+       tee_close_session(tee, session.session);
+
+       return 0;
+}
+
+int tee_enable_scp03(void)
+{
+       return scp03_enable(false);
+}
+
+int tee_provision_scp03(void)
+{
+       return scp03_enable(true);
+}

diff --git a/include/scp03.h b/include/scp03.h
new file mode 100644 (file)
index 0000000..729667c
--- /dev/null
+++ b/include/scp03.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+
+#ifndef _SCP03_H
+#define _SCP03_H
+
+/*
+ * Requests to OPTEE to enable or provision the Secure Channel Protocol on its
+ * Secure Element
+ *
+ *  If key provisioning is requested, OPTEE shall generate new SCP03 keys and
+ *  write them to the Secure Element.
+ *
+ *  Both functions return < 0 on error else 0.
+ */
+int tee_enable_scp03(void);
+int tee_provision_scp03(void);
+#endif /* _SCP03_H */

diff --git a/include/tee/optee_ta_scp03.h b/include/tee/optee_ta_scp03.h
new file mode 100644 (file)
index 0000000..13f9956
--- /dev/null
+++ b/include/tee/optee_ta_scp03.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/*
+ * (C) Copyright 2021, Foundries.IO
+ *
+ */
+#ifndef __TA_SCP03_H
+#define __TA_SCP03_H
+
+#define PTA_SCP03_UUID { 0xbe0e5821, 0xe718, 0x4f77, \
+                       { 0xab, 0x3e, 0x8e, 0x6c, 0x73, 0xa9, 0xc7, 0x35 } }
+
+/*
+ * Enable Secure Channel Protocol functionality (SCP03) on the Secure Element.
+ *   Setting the operation value to something different than NULL will trigger
+ *   the SCP03 provisioning request.
+ *
+ *   in        params[0].a = operation
+ */
+#define PTA_CMD_ENABLE_SCP03   0
+
+#endif /*__TA_SCP03_H*/