• Masahisa Kojima's avatar
    efi: Add tee-based EFI variable driver · c44b6be6
    Masahisa Kojima authored
    When the flash is not owned by the non-secure world, accessing the EFI
    variables is straight-forward and done via EFI Runtime Variable
    Services.  In this case, critical variables for system integrity and
    security are normally stored in the dedicated secure storage and can
    only be manipulated directly from the secure world.
    
    Usually, small embedded devices don't have the special dedicated secure
    storage. The eMMC device with an RPMB partition is becoming more common,
    and we can use this RPMB partition to store the EFI Variables.
    
    The eMMC device is typically owned by the non-secure world (Linux in our
    case). There is an existing solution utilizing eMMC RPMB partition for
    EFI Variables, it is implemented by interacting with TEE (OP-TEE in this
    case), StandaloneMM (as EFI Variable Service Pseudo TA), eMMC driver and
    tee-supplicant. The last piece is the tee-based variable access driver
    to interact with TEE and StandaloneMM.
    
    So let's add the kernel functions needed.
    
    This feature is implemented as a kernel module.  StMM PTA has
    TA_FLAG_DEVICE_ENUM_SUPP flag when registered to OP-TEE so that this
    tee_stmm_efi module is probed after tee-supplicant starts, since
    "SetVariable" EFI Runtime Variable Service requires to interact with
    tee-supplicant.
    Acked-by: default avatarSumit Garg <sumit.garg@linaro.org>
    Co-developed-by: default avatarIlias Apalodimas <ilias.apalodimas@linaro.org>
    Signed-off-by: default avatarIlias Apalodimas <ilias.apalodimas@linaro.org>
    Signed-off-by: default avatarMasahisa Kojima <masahisa.kojima@linaro.org>
    Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
    c44b6be6
Kconfig 11.3 KB