early TA: avb #3357
Hi Jorge, I'm afraid that this piece of code hasn't been much tested and exercised since @igoropaniuk left Linaro as an assignee. So, I wouldn't be completely surprised if there is a bug or something like that. I have too little experience with AVB myself, so I'm unable to give any good advice. @igoropaniuk, anything you remember/recall? |
Hi Jorge, Not sure about OE but at least make sure the instructions here [1] work first. [1] https://github.com/OP-TEE/optee_os/blob/master/mk/config.mk#L238 |
Hi Joakim and Vee, Looking at the trace it seems that the ELF file is indeed loaded properly. It is just that when routing the call, somehow it never executes the interface declared in user_ta.c that should land in the TA
but instead it executes pseudo_ta.c
|
I haven't looked in details, but don't be fooled by the PTA traces. The user TA loading is now done by |
Not sure I follow... what do you mean by user space? Isn't an early TA supposed to load and allow access before userspace boots? We need U-Boot access to the TA for security validation. |
Early TAs execute in secure user space (SEL0) like "normal" TAs. They are just available earlier since they are not stored in the REE FS. |
Ah, by userspace you were also implying exception level. OK, I am with you now. I am a bit at a loss since U-Boot does not complain: avb TA invoke requests do succeed (not sure why or how?) but they are not handled in the TA (023f8f1a) since I see no invoke logs coming from it. I simplified the trace: I can see open/close of the TA session (avb/entry.c) but none of the invokes:
|
Hi @ldts, Just some initial questions to start with:
Thanks |
I noticed that the situation I described above is reproducible when dcache is disabled on u-boot (otherwise it works as expected so will not investigate further). Just for completeness, I disabled the cache as an investigation into 1) reported cache issues in the transfer while executing a tee RPMB request 2) key being rejected when u-boot attempts to access the avb TA. Those problems are both fixable on u-boot.
I'll try to post those fixes to u-boot in the coming week |
Using the following head
I have configured optee_os to enable AVB early just so it can be accessed from u-boot:
During boot, I can see that the TA is available:
However, when I try to access it, the calls, even though they succeed, never reach AVB (they seem to be handled by PTA).
I added some debug info printing the function number and line number on the file:
Similarly, when I try to read, calls do succeed but the returned value is not what was written.
I instrumented the TA and I can confirm that calls never reach AVB.
Is there any additional configuration that needs to be set beyond what I specified in the Yocto layer?
thanks