On Wed, 2 Dec 2020, Masami Hiramatsu via Stratos-dev wrote:
Hi Joakim,
On Wed, 2 Dec 2020 at 17:10, Joakim Bech joakim.bech@linaro.org wrote:
On Wed, Dec 02, 2020 at 07:54:48AM +0000, Alex Bennée via Stratos-dev wrote:
Masami Hiramatsu masami.hiramatsu@linaro.org writes:
Hi Alex,
Have you enabled the OP-TEE support on Xen on your MACCHIATObin?
No I haven't... I'm not even sure how you would do so.
When I ran Xen Dom0 with OP-TEE, I got the below error.
[ 6.482047] optee: probing for conduit method.
(XEN) d0v18 Unhandled SMC/HVC: 0xbf00ff01
[ 6.482301] nvme nvme0: 1/0/0 default/read/poll queues
[ 6.490154] optee: api uid mismatch
[ 6.498962] optee: probe of firmware:optee failed with error -22
Would you know this issue?
No - perhaps some of the security folk have some insight?
When the kernel first runs, it either does an SMC or an HVC to see whether OP-TEE is running and runs with the expected version. I believe that is what is failing here. Which one depends on what you have it configured to be in DT. Since this is Xen it must be configured to use HVC. So as Ruchika mentioned in another reply, I'd guess that OP-TEE (TEE core on secure side) hasn't been built with Virtualization enabled. It's a long time since I tried this personally, but the information for how to run it can be found here: https://optee.readthedocs.io/en/latest/architecture/virtualization.html
Thank you for the information. Yes, currently I configured OP-TEE to use SMC on my machine. OK, I'll try to follow the above instruction.
I haven't worked with optee so I don't know how to help you on this specific issue.
However, I just want to point out that since Xen can trap HVM and SMC just as easily, there is no need to switch from SMC to HVC for OPTEE. It should work fine (or not fine) regardless, and I think EPAM mostly tested with SMC as transport.
In short, the issue is most probably something else.
Hi Stefano,
On Thu, 3 Dec 2020 at 12:20, Stefano Stabellini stefano.stabellini@xilinx.com wrote:
On Wed, 2 Dec 2020, Masami Hiramatsu via Stratos-dev wrote:
Hi Joakim,
On Wed, 2 Dec 2020 at 17:10, Joakim Bech joakim.bech@linaro.org wrote:
On Wed, Dec 02, 2020 at 07:54:48AM +0000, Alex Bennée via Stratos-dev wrote:
Masami Hiramatsu masami.hiramatsu@linaro.org writes:
Hi Alex,
Have you enabled the OP-TEE support on Xen on your MACCHIATObin?
No I haven't... I'm not even sure how you would do so.
When I ran Xen Dom0 with OP-TEE, I got the below error.
[ 6.482047] optee: probing for conduit method.
(XEN) d0v18 Unhandled SMC/HVC: 0xbf00ff01
[ 6.482301] nvme nvme0: 1/0/0 default/read/poll queues
[ 6.490154] optee: api uid mismatch
[ 6.498962] optee: probe of firmware:optee failed with error -22
Would you know this issue?
No - perhaps some of the security folk have some insight?
When the kernel first runs, it either does an SMC or an HVC to see whether OP-TEE is running and runs with the expected version. I believe that is what is failing here. Which one depends on what you have it configured to be in DT. Since this is Xen it must be configured to use HVC. So as Ruchika mentioned in another reply, I'd guess that OP-TEE (TEE core on secure side) hasn't been built with Virtualization enabled. It's a long time since I tried this personally, but the information for how to run it can be found here: https://optee.readthedocs.io/en/latest/architecture/virtualization.html
Thank you for the information. Yes, currently I configured OP-TEE to use SMC on my machine. OK, I'll try to follow the above instruction.
I haven't worked with optee so I don't know how to help you on this specific issue.
However, I just want to point out that since Xen can trap HVM and SMC just as easily, there is no need to switch from SMC to HVC for OPTEE. It should work fine (or not fine) regardless, and I think EPAM mostly tested with SMC as transport.
Yeah, I misread the document, the OP-TEE with CFG_VIRTUALIZATION will prepare the guest partition but still get SMC. Xen will send a request to initialize the guest partition to the OP-TEE.
In short, the issue is most probably something else.
Ok, I see.
Anyway, when I tried to build it, the firmware size became bigger than the limitation on DeveloperBox. I need to fix it somehow at first.
Thank you,
Hi Stefano,
Stefano Stabellini writes:
On Wed, 2 Dec 2020, Masami Hiramatsu via Stratos-dev wrote:
Hi Joakim,
On Wed, 2 Dec 2020 at 17:10, Joakim Bech joakim.bech@linaro.org wrote:
On Wed, Dec 02, 2020 at 07:54:48AM +0000, Alex Bennée via Stratos-dev wrote:
Masami Hiramatsu masami.hiramatsu@linaro.org writes:
Hi Alex,
Have you enabled the OP-TEE support on Xen on your MACCHIATObin?
No I haven't... I'm not even sure how you would do so.
When I ran Xen Dom0 with OP-TEE, I got the below error.
[ 6.482047] optee: probing for conduit method.
(XEN) d0v18 Unhandled SMC/HVC: 0xbf00ff01
[ 6.482301] nvme nvme0: 1/0/0 default/read/poll queues
[ 6.490154] optee: api uid mismatch
[ 6.498962] optee: probe of firmware:optee failed with error -22
Would you know this issue?
No - perhaps some of the security folk have some insight?
When the kernel first runs, it either does an SMC or an HVC to see whether OP-TEE is running and runs with the expected version. I believe that is what is failing here. Which one depends on what you have it configured to be in DT. Since this is Xen it must be configured to use HVC. So as Ruchika mentioned in another reply, I'd guess that OP-TEE (TEE core on secure side) hasn't been built with Virtualization enabled. It's a long time since I tried this personally, but the information for how to run it can be found here: https://optee.readthedocs.io/en/latest/architect...
Thank you for the information. Yes, currently I configured OP-TEE to use SMC on my machine. OK, I'll try to follow the above instruction.
I haven't worked with optee so I don't know how to help you on this specific issue.
However, I just want to point out that since Xen can trap HVM and SMC just as easily, there is no need to switch from SMC to HVC for OPTEE. It should work fine (or not fine) regardless, and I think EPAM mostly tested with SMC as transport.
Actually, the Xen toolstack is configured to provide the "hvc" method for guests. But it should work both ways, because the SMC/HVC handler in Xen makes no difference in this case.
In short, the issue is most probably something else.
Agree there. It requires correct configuration of Xen, OP-TEE and a fresh Linux kernel.
stratos-dev@op-lists.linaro.org
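
Added example, not part of the thread or of any project's code: the value in the quoted Xen message, 0xbf00ff01, decoded as an SMC Calling Convention function identifier, to show which call Xen left unhandled. The struct and function names are made up for this sketch; the log line is copied from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct smccc_fid {   /* names here are this example's own */
    int fast;        /* bit 31: 1 = fast call, 0 = yielding call */
    int smc64;       /* bit 30: 1 = SMC64/HVC64, 0 = SMC32/HVC32 */
    unsigned owner;  /* bits 29:24: owning entity number */
    unsigned func;   /* bits 15:0: function number */
};

struct smccc_fid smccc_decode(uint32_t fid)
{
    struct smccc_fid d = { (int)((fid >> 31) & 1), (int)((fid >> 30) & 1),
                           (fid >> 24) & 0x3f, fid & 0xffff };
    return d;
}

/* Owning entity ranges from the SMCCC specification. */
const char *smccc_owner_name(unsigned owner)
{
    static const char *low[] = { "Arm architecture", "CPU service",
        "SiP service", "OEM service", "standard secure service",
        "standard hypervisor service", "vendor hypervisor service" };
    if (owner <= 6) return low[owner];
    if (owner == 48 || owner == 49) return "trusted application";
    if (owner >= 50 && owner <= 63) return "trusted OS";
    return "other or reserved";
}

/* Extract the ID from a Xen "Unhandled SMC/HVC" line; returns 1 on success. */
int xen_unhandled_fid(const char *line, uint32_t *fid)
{
    const char *tag = "Unhandled SMC/HVC: ", *p = strstr(line, tag);
    unsigned int v;
    if (!p || sscanf(p + strlen(tag), "%x", &v) != 1) return 0;
    *fid = v; return 1;
}

int main(void)
{
    const char *line = "(XEN) d0v18 Unhandled SMC/HVC: 0xbf00ff01"; /* from the thread */
    uint32_t fid;
    if (!xen_unhandled_fid(line, &fid)) return 1;
    struct smccc_fid d = smccc_decode(fid);
    printf("0x%08x: %s %s call, owner %u (%s), function 0x%04x\n", (unsigned)fid, d.fast ? "fast" : "yielding",
           d.smc64 ? "SMC64" : "SMC32", d.owner, smccc_owner_name(d.owner), d.func);
    return 0;
}
```

Owner 63 with function number 0xff01 is the Trusted OS call-UID query, the probe the Linux optee driver issues before it reports "api uid mismatch".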