minkipc: Update tag to v1.2.4 to add support for PKCS#11#1707
minkipc: Update tag to v1.2.4 to add support for PKCS#11#1707ricardosalveti merged 1 commit intoqualcomm-linux:masterfrom
Conversation
harshaldev27
requested review from
anujm1,
koenkooi,
lumag,
ndechesne,
ricardosalveti,
sbanerjee-quic and
vkraleti
as code owners
|
Some issues: You are now installing components of the optee upstream project, make sure this is reflected in the LICENSE description as well. Also, you should either include as a static library or rename the dynamic library as it will conflict with the same ones provided by optee_client, see the build failure https://github.com/qualcomm-linux/meta-qcom/actions/runs/22800268333/job/66143198461?pr=1707 (path conflict). For xtest, make it specific to this recipe as well. |
|
Would it be better to include these explicitly in |
|
Hi @ricardosalveti,
It appears the warnings are because minkipc is using an ssh url instead of an http url. I will fix this and update the tag.
So I realize that the sources we're building and shipping from optee-test and optee-client require us to include the BSD-2-Clause and GPL-2.0-only license. But I don't think there's a way to add checksums for these licenses by referring the paths for the submodules. Should I add these two licenses to the minkipc repo to allow checksum comparison? Legal did not comment on this but I think this should be done.
I am reluctant to change the name of these libraries because users could get confused why the library names have been changed if they are built using exactly the same sources as the ones built by optee_client recipe and provide exactly the same functionality. I had a chat with @b49020 and I think the better approach here would be to skip building minkipc packages for builds with OPTEE support instead of QTEE. Perhaps I should raise a change in |
|
Hi @anujm1,
It's easy to check this by looking at the .gitmodules file in the minkipc repo. 😄 |
I know how to check those. But I won't go to the repository every time I'm looking at the recipe. It also doesn't say which revision is being fetched. It also should be checked whether these are included in SBoM correctly. |
Agreed, but as per the original PR I did try to create a separate recipe for fetching the As for SBoM, I can see from the Yocto documentation that we do generate a list of all compiled sources. This, along with the added license information for the submodules in the minkipc recipe should provide everything we need. If there is some explicit SBoM data you are concerned about, do let me know: https://docs.yoctoproject.org/next/dev-manual/sbom.html |
I didn't suggest separate recipes. I was asking about adding these to |
Yeah, I would also prefer to have the submodules as part of SRC_URI, a lot easier to identify what the recipe is bringing on. |
Add the submodules as part of SRC_URI and you will be able to include them.
No need, we just need to point to the license files available as part of the other repos.
This won't work, our target is to have one single rootfs that would work with both normal optee recipes and minkipc. And in your case they are not providing the same thing, just the same files, so we would need to rename them. |
That sounds like nice end objective which is in line with standard distros like Debian too. @harshaldev27 let's just rename to following: Anyhow, in the longer run we need to start discussions in upstream OP-TEE project for proper integration of QTEE implementation. |
Ack. Thank you for this suggestion @anujm1 |
Ack.
Ack.
Ack. |
I'm trying to take a step back and really think through if this is the only way forward. My biggest concern is, once we have changed the name of the library (I don't care about |
|
I'd prefer if we can have a single roofs which can work in both QTEE and OPTEE cases. |
If they are providing the same symbols, sure, a link would be enough. Otherwise we will just have to document the breaking changes saying they will have to rebuild against an updated ckteec implementation (from the upstream project). We expect this to be temporary anyway. |
Yeah, well I think that in the long run, being able to support pkcs11 for QTEE directly from tip of So Ack. |
|
I just wanted to take a moment to double confirm that the alignment we reached on PR #1379 is still valid. That is, once we have Do let me know since I am relying on this alignment to remain true in the long term. |
If its contents depends on machine features, it's not the same. |
|
Well then, this means to meet the goal of a single rootfs for all machines, we need to indefinitely continue with a separate name for the variant of libckteec for QTEE. This discussion also seems to imply that no usage of |
Ideally we should try to identify a way to not have exclusive build time options (optee or minkipc) like decision via configuration files, dynamic loading the right library, runtime decision based on what is exposed by the kernel, etc. We can still leverage MACHINE_FEATURES if the flag is not excluding other options. |
But aren't we already violating this as part of OPTEE package-group? Where we are only installing optee related libraries when the I understand the overall pros of not wanting too many complex build time configurations to decide what goes into rootfs and what doesn't. But we already seem to have minor deviations from it at places like above. If we want to pursue filling the same rootfs with all libraries for all firmware for all machines (e.g. maintaining all Trusted Application binaries for all QC chipsets in the same rootfs), then at some point we are going to run into a problem like this one, where we need to create re-named variants of the library (which used to be build-time configured) for each specific FW that the machine supports like At this point this seems like a question of weighing the cost, is it cheaper to create a fork whenever we run into a situation like this or it is cheaper to allow the use of In this particular case, I feel just using |
Installing additional packages when the feature is available is completely fine, this is not removing support for other targets. A generic image would include everything by default, here we're just optimizing the build per board while we don't have a working and generic armv8 build for all qcom targets (which is the case for debian already). |
|
Test playlist failing because of issues un-related to us. @ricardosalveti may I request your review once again. |
Test run workflowTest jobs for commit bc33f30
All jobs summary
|
Test run workflowTest jobs for commit bc33f30
All jobs summary
|
Which image flavor / combination did you use here? At least it didn't work for me with https://qli-prod-artifacts.qualcomm.com/qcom-prd-gh-artifacts/qualcomm-linux/meta-qcom/23947872135-2/qcom-distro/rb3gen2-core-kit/qcom-multimedia-image-rb3gen2-core-kit.rootfs.qcomflash.tar.gz, which is produced from this run. |
Ah, it is not supported with this release, why can't you just release and bump this pull-request to the revision that includes the TA? We can't merge a PR that adds support to something that is not functional. |
harshaldev27
force-pushed
the
master
branch
2 times, most recently
from
42881ec to
1292209
Compare
harshaldev27
changed the title
Done. I have bumped up the release to v1.2.4 which installs the PKCS#11 TA for qcm6490, qcs9100, qcs8300 and qcs615 in I have dropped the other two commits in this PR and moved them to a separate PR since they are un-related to this PR and only for mounting persist partition PR #1895. You should now be able to run the pkcs-11 test suite via Please be aware that your device should be RPMB provisioned with test keys before it can run these test suites. The RPMB provisioning tool is planned for release publicly by the storage team soon. Meanwhile you can use the I tried to ensure that only delta in minkipc recipe should be shown in the commit, but git keeps treating minkipc_1.2.4.bb as a brand new file despite my best efforts. Thanks, |
|
Your message still uses |
I only referenced /data for smplap64.mbn because we don't yet have legal approval for releasing it's binary to minkipc and installing it in rootfs. For PKCS#11 tests you don't need to do anything. It's all integrated now. |
We don't need a new repo. As discussed in referenced issue #1454. TA binaries are coming from minkipc repo. They don't need to go to linux-firmware because these aren't firmware binaries driving a device. |
What is the reason for requiring RPMB for this TA? We should not require a test key to be burned there, what happens if I decide to close my device to enable secure-boot (and RPMB provisioning)? Would it work with a test-key as well? I would assume that closing / fusing the device implies using a proper RPMB key. For follow ups, please specify everything that is required as part of the pull-request description, it is not ideal to keep finding additional steps and setups in order to validate the PR. @igoropaniuk maybe you can give us a hand here, since you have a closed device in hands. |
The reason is that PKCS#11 TA uses the TEE core specification API implemented by QTEE to store Persistent Objects in the persist partition. These Persistent Objects are stored/created/manipulated by the Secure File System listener running on the Linux side in qtee_supplicant. The QTEE side implementation of it's state machine stores replay protection counters in the RPMB to safe guard against replay protection of these Persistent Objects.
Yes it will work. In fact test keys are only for secure-boot disabled devices. For secure boot enabled devices there are well documented steps for OEMs to provision the RPMB with proper keys.
Ack, these steps are provided just in-case the device isn't RPMB provisioned. This is rarely the case unless you have a brand new device. Also for external/secure-boot devices, we have sufficient public documentation explaining how to provision the RPMB for security use cases, including PKCS#11.
There is a more complicated procedure for secure boot RPMB provisioning. Please check the documentation. Meanwhile we can validate on internal secure-boot disabled devices via test keys. |
|
One minor point which came to my mind. The RPMB listener is currently not working on EMMC devices. The issue is raised and assigned to storage qualcomm/minkipc#47. So please run your validations on UFS devices for now. |
Are we ever planning to support this TA without RPMB? With OP-TEE I can use the PKCS#11 TA with both RPMB and normal storage. This should be described as part of this PR and in our docs.
We also need to provide clear documentation for normal users and developers here, which seems to be https://docs.qualcomm.com/doc/80-80021-11/topic/customize.html?product=895724676033554725&facet=Security&version=2.0-rc2#section-customize-rpmb-provisioning-label and https://docs.qualcomm.com/doc/80-80021-11/topic/enable-uefi-secure-boot.html?product=895724676033554725&facet=Security&version=2.0-rc2. But back to my question, if I burn a test key they I will probably not be able to use RPMB once I close / fuse my device, right? If so, we should not even suggest this scenario, as it will make RPMB useless and break the secure boot use case. Better to just say that we require secure boot and RPMB to be fused and valid for this TA to work (explaining the reasons behind this).
None of my devices (and the ones we use in our lab) have RPMB provisioned :-)
I won't validate this scenario if this implies burning a test key on RPMB. |
Yes, on Compute chipsets where NVMe storage does not support RPMB, there is a devcfg.mbn flashed which sets a use_rpmb flag to 0. After this, Secure File System uses the persist partition itself to store replay counters in a vTable. This is somewhat less secure but fine for production use cases. You can do this on Kodiak/Lemans/Monaco as well.
I'll work with CE to update the docs once the PR is merged and feature enabled.
Let me review these with CE and update.
Hmm. To be honest, I did not yet come across such a scenario where I enabled secure-boot on a device with RPMB provisioned with test keys and it resulted in issues later. I will have to confirm this with storage team. I also never heard anyone telling is to excercise caution in this regard. I'll try to confirm this.
We can say this in the documentation if I am able to confirm this concern with storage around possible RPMB breakage upon enabling secure-boot on the device. Otherwise, like I said above, TA works without RPMB as well and without secure boot as well.
Yikes, looks like we're operating in different worlds then!
Hmm okay, if you're concerned about your device maybe someone else can volunteer from QIPL who has a secure-boot disabled device and is fine with using test keys? @vivpuar maybe? :) |
Can I use this settings on other targets such as rb3gen2?
Thanks, my assumption is that once the test-key is burned there, there is no way back and securing the device won't make it really secure at that point, since the rpmb key is known.
Yup, please, someone that has access to a closed device (@igoropaniuk ^^) or someone with a test-key burned, then we can add a tested-by git tag in your commit. |
Yes yes. I just updated my comment above to add it's doable for all devices. I have a devcfg.mbn with this flag set to 0 for rb3gen2 if you'd like to use it.
I believe a reprovision of the RPMB is required upon enabling secure-boot to ensure security and overwriting of the test keys. I'll double confirm this regardless.
Sounds great! |
Please, then I can at least test it myself without involving rpmb here. |
Will you accept binaries coming from Lenovo / Dell / other OEMs (see linux-firmware and hexagon-dsp-binaries). |
I don't see any reason why we cannot. As discussed in issue #1454 , we can create soc/vendor specific directories inside the ta folder to place OEM signed TA binaries there. However, I don't really understand why an OEM would want to place their binaries there. If they received a TA binary from us (or built one themselves) it is going to be signed with their own unique key, and so even if it is made public, I don't think it's going to benefit anyone. The OEM can just push/install the binary into the rootfs themselves and ship their product. |
|
@harshaldev27 neither Lenovo nor Dell distribute a Linux rootfs with their laptops. Instead it is expected that a generic Linux distro (like Debian or Fedora) can work on their devices. |
Updated minkipc tag to v1.2.4 which brings support for PKCS#11 on Qualcomm platforms with QTEE support. The support is provided through optee_client and optee_test repos v4.0.0 which are placed in the optee-client/ and optee-test/ sub directories. Only the PKCS#11 relevant library and test suites are built and supported, i.e. libckteec_qtee and xtest_qtee (pkcs11-tests). The recipe license is updated to reflect the licenses of these repos. The PKCS#11 test-signed Trusted Application binaries is also installed for supported targets (qcm6490, qcs9100, qcs8300 and qcs615) under /lib/qtee-tas. On an RPMB provisioned device, the pkcs11-tests can be run by invoking the xtest_qtee binary. Signed-off-by: Harshal Dev <harshal.dev@oss.qualcomm.com>
Tested-by: Vivek Puar vpuar@qti.qualcomm.com |
ricardosalveti
left a comment
ricardosalveti
left a comment
There was a problem hiding this comment.
Result of testsuite pkcs11:
pkcs11_1000 OK
pkcs11_1001 OK
pkcs11_1002 OK
pkcs11_1003 OK
pkcs11_1004 OK
pkcs11_1005 OK
pkcs11_1006 OK
pkcs11_1007 OK
pkcs11_1008 OK
pkcs11_1009 OK
pkcs11_1010 OK
pkcs11_1011 OK
pkcs11_1012 OK
pkcs11_1013 OK
pkcs11_1014 OK
pkcs11_1015 OK
pkcs11_1017 OK
pkcs11_1020 OK
pkcs11_1022 OK
pkcs11_1023 OK
pkcs11_1024 OK
+-----------------------------------------------------
3594 subtests of which 0 failed
21 test cases of which 0 failed
0 test cases were skipped
TEE test application done!
Finally and thanks for all the work on this PR.
|
Merging based on previous approvals. |
9 participants
Updated minkipc tag to v1.2.4 which brings support for PKCS#11 on Qualcomm platforms with QTEE support.
The support is provided through optee_client and optee_test repos v4.0.0 which are placed in the optee-client/ and optee-test/ sub directories. Only the PKCS#11 relevant library and test suites are built and supported, i.e.
libckteec_qtee and xtest_qtee (pkcs11-tests). The recipe license is updated to reflect the licenses of these repos.
The PKCS#11 test-signed Trusted Application binaries is also installed for supported targets (qcm6490, qcs9100, qcs8300 and qcs615) under
/lib/qtee-tasas per conclusions in #1454.On an RPMB provisioned device, the pkcs11-tests can be run by invoking the xtest_qtee binary.
The changes in this PR are as per conclusions based on discussions in the older PR: #1379
Depends on: PR #1733 and PR #1895