| #
fd6196d4 |
| 02-Oct-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: reject all zero HUK
If the generated HUK consists of all zeros, it cannot be distinguished
from a missing HUK in the OTP. If such a HUK is burned into the OTP, the
next read w
plat-rockchip: rk3588: reject all zero HUK
If the generated HUK consists of all zeros, it cannot be distinguished
from a missing HUK in the OTP. If such a HUK is burned into the OTP, the
next read will return that no HUK was present and generate a new key.
The previous all-zero HUK may already have been used, which violates the
assumption that a HUK doesn't change.
Since a HUK that consists of all zeros is likely an error in the TRNG,
reject the generated HUK, report an error and let upper layers handle
the error.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
show more ...
|
| #
951488c0 |
| 27-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: cache HUK in memory
I observed timeout errors when OP-TEE reads the HUK from the OTP area
while running the optee-xtests (tests 1006 and 4013) or using the
pkcs#11 TA.
This i
plat-rockchip: rk3588: cache HUK in memory
I observed timeout errors when OP-TEE reads the HUK from the OTP area
while running the optee-xtests (tests 1006 and 4013) or using the
pkcs#11 TA.
This issue is circumvented by reading the HUK once and caching it in
memory for later use. As a side-effect, this reduces the accesses/reads
from the OTP area.
Unfortunately, I don't know the root cause for the timeout while reading
the fuses. I guess that there is a disabled clock which prevents the
read, but I didn't look further, since caching works fine.
While the documentation recommends to never process the HUK in software,
it is read and processed anyway if it can be read from the fuses. Thus,
I don't think that caching has an effect on the security of the HUK.
The caching is inspired by the HUK handling implemented in the nvmem
driver.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
show more ...
|
| #
46b94a62 |
| 26-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: refactor reading of HUK
Split the function that reads, generates and persists the HUK into
several helper functions to make the code more readable and simplify
error handling.
plat-rockchip: rk3588: refactor reading of HUK
Split the function that reads, generates and persists the HUK into
several helper functions to make the code more readable and simplify
error handling.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
show more ...
|
| #
d2c909e8 |
| 07-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
drivers: rockchip: extract OTP driver from rk3588 platform
The OTP handling is useful outside the rk3588 platform implementation.
For example, the fuses for secure boot are accessible via the OTP.
drivers: rockchip: extract OTP driver from rk3588 platform
The OTP handling is useful outside the rk3588 platform implementation.
For example, the fuses for secure boot are accessible via the OTP.
Extract the OTP write and read support to a separate driver to make it
available for other modules.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
show more ...
|
| #
68059d72 |
| 23-Jan-2025 |
Ed Tubbs <ectubbs@gmail.com> |
plat-rockchip: rk3588: add OTP_S support and HUK
Add OTP_S support for Rockchip rk3588
Add tee_otp_get_hw_unique_key()
Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Etienne Carriere <etienn
plat-rockchip: rk3588: add OTP_S support and HUK
Add OTP_S support for Rockchip rk3588
Add tee_otp_get_hw_unique_key()
Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
show more ...
|
| #
b8a9277e |
| 03-Jan-2025 |
Ed Tubbs <ectubbs@gmail.com> |
plat-rockchip: rk3588: add TRNG support
Add TRNG support for Rockchip rk3588
Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wik
plat-rockchip: rk3588: add TRNG support
Add TRNG support for Rockchip rk3588
Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| #
14754b93 |
| 26-Aug-2024 |
Ed Tubbs <ectubbs@gmail.com> |
plat-rockchip: add support for Rockchip rk3588
Enables support for NanoPC-T6
Based on support for ROCK 4
Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@lin
plat-rockchip: add support for Rockchip rk3588
Enables support for NanoPC-T6
Based on support for ROCK 4
Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Heiko Stuebner <heiko.stuebner@cherry.de> (BSD-3)
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
show more ...
|