OP-TEE / optee_os

Trusted side of the TEE

fTPM TA not opening the context #7080

Open Palatrauss00 opened 1 month ago

Palatrauss00 commented 1 month ago

Hi, for my master's thesis I am working on implementing an fTPM on OP-TEE and adding new libraries to it. I have seen this implementation, but it does not work and it is a bit outdated. So I'm working on adapting the fTPM TA to the latest version of OP-TEE.

I am having issues running the fTPM TA. Running the command ./getRandom, I received this error:

```
TSS_Dev_Open: Error opening /dev/tpm0
getrandom: failed, rc 000b0008
TSS_RC_NO_CONNECTION - Failure connecting to lower layer
```

I think the error is in the loading of the kernel module, because the function ftpm_tee_probe that opens the context does not seem to be called. So I think the fTPM TA is never run, but the kernel module is loaded into the kernel, because I ran lsmod and tpm_ftpm_tee is printed. What could be the issue?
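An added diagnostic script, not from this issue or from the OP-TEE or fTPM trees, that separates the three stages a practitioner would check in this situation: the tpm_ftpm_tee module being loaded, the fTPM TA being enumerated on the TEE bus (which is what makes the kernel call the driver's probe), and the TPM core having registered /dev/tpm0 after a successful probe. It assumes the OP-TEE driver exposes enumerated TAs as /sys/bus/tee/devices/optee-ta-<uuid> (the sysfs path is an assumption) and takes the roots as parameters so it can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added fTPM bring-up check (example code, not from the issue or OP-TEE).
# Assumptions: TAs enumerated by the OP-TEE driver appear under
#   <sysfs>/bus/tee/devices/optee-ta-<uuid>   (path is an assumption)
# and the TPM core creates <dev>/tpm0 once the fTPM driver's probe succeeds.
FTPM_UUID="bc50d971-d4c9-42c4-82cb-343fb7f37896"

# ftpm_check SYSFS_ROOT DEV_ROOT MODULES_FILE
# Prints the first missing stage and returns 1, or prints "all stages present"
# and returns 0. MODULES_FILE is /proc/modules (or lsmod output) on a live box.
ftpm_check() {
    sysfs_root="$1"
    dev_root="$2"
    modules_file="$3"

    # Stage 1: the kernel module itself (what lsmod shows).
    if ! grep -q '^tpm_ftpm_tee[[:space:]]' "$modules_file"; then
        echo "stage 1: tpm_ftpm_tee module not loaded"
        return 1
    fi

    # Stage 2: the TA was enumerated on the TEE bus, so the driver has a
    # device to bind to. A loaded module with no such device never probes.
    if [ ! -d "$sysfs_root/bus/tee/devices/optee-ta-$FTPM_UUID" ]; then
        echo "stage 2: fTPM TA not enumerated on the TEE bus (probe cannot run)"
        return 1
    fi

    # Stage 3: the TPM core registered the chip after a successful probe.
    if [ ! -e "$dev_root/tpm0" ]; then
        echo "stage 3: TA enumerated but $dev_root/tpm0 missing (probe failed?)"
        return 1
    fi

    echo "all stages present"
    return 0
}

# Run against the live system when invoked as: sh ftpm_check.sh --live
if [ "${1:-}" = "--live" ]; then
    ftpm_check /sys /dev /proc/modules
fi
```

On a board showing the symptom in this issue (module listed by lsmod, probe never called) the script stops at stage 2, which points at TA enumeration rather than at the module itself.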

jenswi-linaro commented 1 month ago

We're currently working on importing the fTPM TA into OP-TEE, have you seen https://github.com/OP-TEE/optee_os/pull/7054?

Palatrauss00 commented 1 month ago

I have been following what you are doing these days. But what is the difference between inserting it into optee_os and building it as an external TA?

Also, how can I test that it is working properly?

Palatrauss00 commented 3 weeks ago

Another thing: with this implementation I have also added Measured Boot. Where are the measurements saved?

jenswi-linaro commented 2 weeks ago

fTPM does some self-tests when probed by the kernel. More testing or a better understanding of the coverage of the self-tests is desirable, but this is what we have today.

Regarding the measured boot, I don't know. We should add a section about fTPM in the documentation, but we're not there yet.

Palatrauss00 commented 1 week ago

Another question: I've followed all your progress in #7054, and now I have to add another library to the fTPM TA inside optee_os. How can I do it?

Now, my Makefile is

```make
BINARY=bc50d971-d4c9-42c4-82cb-343fb7f37896

-include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk
ldargs-$(binary).elf += -loqs

ifeq ($(wildcard $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk), )
# body of this conditional was not included in the post
endif
```

while in the sub.mk I've added the lines

```make
libnames += oqs

libdirs += /home/palatrauss/optee_ftpm/liboqs/build/lib

libdeps += /home/palatrauss/optee_ftpm/liboqs/build/lib/liboqs.a
```

jenswi-linaro commented 1 week ago

Libraries should be compiled using the OP-TEE make files to get consistent compiler flags. Do you need a library? Doesn't adding a sub-directory with subdirs-y work?
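As an added illustration of the subdirs-y approach suggested above (example files, not from this issue, from OP-TEE's tree or from the fTPM TA), this pulls a library's sources into the TA build so they are compiled with the TA dev kit's flags rather than linked from a prebuilt .a built for another environment. The directory name third_party/mylib, the source file names and the define are assumptions; the variable names (subdirs-y, srcs-y, global-incdirs-y, incdirs-y, cflags-y) are the ones OP-TEE's sub.mk build system uses.

```make
# <ta root>/sub.mk  (added example; directory and file names are assumptions)
# Descend into the library directory so its sources are built as part of
# the TA, with the TA dev kit's compiler flags.
subdirs-y += third_party/mylib

# <ta root>/third_party/mylib/sub.mk
# Headers that the rest of the TA may include.
global-incdirs-y += include
# Headers that only this directory needs.
incdirs-y += src/internal
# Sources compiled here; no prebuilt objects from a host or Linux build.
srcs-y += src/kem.c
srcs-y += src/sha3.c
# Library-specific defines, applied to this directory only. Anything the
# library expects from another environment (for example an OpenSSL backend)
# has to be replaced with code that is itself built for the TA in the same way.
cflags-y += -DMYLIB_NO_THREADS
```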

Palatrauss00 commented 6 days ago

I have tried it, but I had problems related to OpenSSL, since the library also needs OpenSSL. Do I have to add all the OpenSSL libraries?

With this setting, is the fTPM TA considered a Pseudo TA? Because from the logs in the Secure World it seems it is treated like a Pseudo TA.

jenswi-linaro commented 5 days ago

All the libraries against which a TA links must be compiled for a TA environment. Generally, taking a library compiled for another environment will not work.

No, the fTPM TA does not become a Pseudo TA because of that. You might have changed some of the flags in the TA header.

Palatrauss00 commented 23 hours ago

The flags that I have inserted into the header are

```c
/* user_ta_header_defines.h: one TA instance serves all sessions, the
 * instance stays alive after the last session closes, and the TA is
 * enumerated by the kernel once TEE private storage is available. */
#define TA_FLAGS                    (TA_FLAG_SINGLE_INSTANCE | \
                                     TA_FLAG_INSTANCE_KEEP_ALIVE | \
                                     TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE)
```

Are these the flags you were referring to?