On 11.05.20 20:14, Ilias Apalodimas wrote: > In OP-TEE we can run EDK2's StandAloneMM on a secure partition. > StandAloneMM is responsible for the UEFI variable support. In > combination with OP-TEE and it's U-Boot supplicant, variables are > authenticated/validated in secure world and stored on an RPMB partition. > > So let's add a new config option in U-Boot implementing the necessary > calls to OP-TEE for the variable management. > > Signed-off-by: Ilias Apalodimas <[email protected]> > Signed-off-by: Pipat Methavanitpong <[email protected]> > Signed-off-by: Sughosh Ganu <[email protected]> > --- > lib/efi_loader/Kconfig | 9 + > lib/efi_loader/Makefile | 4 + > lib/efi_loader/efi_variable_tee.c | 643 ++++++++++++++++++++++++++++++ > 3 files changed, 656 insertions(+) > create mode 100644 lib/efi_loader/efi_variable_tee.c > > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index 1cfa24ffcf72..e385cd0b9dae 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -164,4 +164,13 @@ config EFI_SECURE_BOOT > it is signed with a trusted key. To do that, you need to install, > at least, PK, KEK and db. > > +config EFI_MM_COMM_TEE > + bool "UEFI variables storage service via OP-TEE" > + depends on SUPPORT_EMMC_RPMB > + default n > + help > + If OP-TEE is present and running StandAloneMM dispatch all UEFI > variable > + related operations to that. The application will verify, authenticate > and > + store the variables on an RPMB > + > endif
Dear Ilias, at least CONFIG_TEE=y is needed as dependency. Otherwise compiling fails. If OP-TEE is not found: => bootefi hello Unable to open OP-TEE session (err=-19) mm_communicate failed! Error: Cannot initialize UEFI sub-system, r = 3 I think it could be allowable to boot without variable support unless we are in secure boot audit mode. So if CONFIG_EFI_SECURE_BOOT=n, maybe we should be less strict. I guess it will end up in weighing user friendliness against complexity. What are your ideas? Best regards Heinrich
