Hi Simon,

On Tue, Oct 2, 2018 at 1:21 PM, Simon Glass <s...@chromium.org> wrote:
> Hi Jens,
>
> On 25 September 2018 at 07:40, Jens Wiklander <jens.wiklan...@linaro.org>
> wrote:
>> Hi,
>>
>> This adds support for storing AVB rollback indexes in the RPMB partition.
>> The RPMB partition (content and key) is managed by OP-TEE
>> (https://www.op-tee.org/) which is a secure OS leveraging ARM TrustZone.
>>
>> The Linux kernel can already support OP-TEE with reading and updating
>> rollback indexes in the RPMB partition, the catch is that this is needed
>> before the kernel has booted.
>>
>> The design here is the same as what is in the Linux kernel, with the
>> exception that the user space daemon tee-supplicant is integrated in the
>> OP-TEE driver here (drivers/tee/optee/supplicant.c) instead. A new uclass
>> (UCLASS_TEE) is introduced to provide an abstraction for interfacing with a
>> Trusted Execution Environment (TEE). There's also the OP-TEE driver using
>> UCLASS_TEE for registration.
>>
>> A Trusted Application (TA) interface is added to be used by the AVB verify
>> functions which are updated accordingly. The TA is managed by OP-TEE and is
>> executed in a secure TrustZone protected environment.
>>
>> The header files drivers/tee/optee/optee_{msg,msg_supplicant,smc}.h and
>> include/tee/optee_ta_avb.h are copied from
>> https://github.com/OP-TEE/optee_os/tree/master more or less unmodified.
>> They may need to be updated from time to time in order to support new
>> features.
>>
>> In MMC there's a new function, mmc_rpmb_route_frames(), which as the name
>> suggests is used to route RPMB frames to/from the MMC. This saves OP-TEE
>> from implementing an MMC driver which would need to share resources with
>> its counterpart here in U-Boot.
>>
>> This was tested on a Hikey (Kirin 620) board.
>>
>> I've added myself as maintainer of the TEE stuff.
>>
>> Changes in v4:
>> * Addressed review comments from Simon Glass
>> * Rebased on v2018.09
>> * "avb_verify: bugfix avb_ops_free() skipping free" removed due to the rebase
>> * Commits "dt/bindings: add bindings for optee",
>>   "sandbox: imply CONFIG_TEE (TEE uclass)",
>>   "tee: add sandbox driver",
>>   "avb_verify: support using OP-TEE TA AVB",
>>   "test_avb: Update pymark.buildconfigspec information for the AVB
>>   tests",
>>   "Kconfig: sandbox: enable cmd_avb and dependencies",
>>   Reviewed-by: Simon Glass <s...@chromium.org>
>> * Added descriptions of additional structs and functions
>> * In commit "avb_verify: support sandbox configuration" avoid the
>>   #ifdef CONFIG_SANDBOX in get_sector_buf() as suggested by Simon.
>
> You might consider using patman, where you add the change log for each
> patch individually, and it produces the change log for the series
> automatically.
>
> I find it harder to review patches which don't have their own
> individual change log.

I'll try patman next time.

A big thank you for reviewing this patch series.

--
Jens

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot