Ballerburg9005 has quit [Ping timeout: 268 seconds]
JohnnyonF has joined #linux-amlogic
elastic_dog has quit [Remote host closed the connection]
elastic_dog has joined #linux-amlogic
JohnnyonFlame has quit [Ping timeout: 252 seconds]
elastic_dog has quit [Ping timeout: 260 seconds]
elastic_dog has joined #linux-amlogic
buzzmarshall has quit [Quit: Konversation terminated!]
hexdump0815 has quit [Ping timeout: 268 seconds]
hexdump0815 has joined #linux-amlogic
_whitelogger has joined #linux-amlogic
elastic_dog has quit [Ping timeout: 252 seconds]
elastic_dog has joined #linux-amlogic
emanuel has joined #linux-amlogic
emanuel has quit [Client Quit]
elastic_dog has quit [Remote host closed the connection]
elastic_dog has joined #linux-amlogic
naoki has quit [Quit: naoki]
vagrantc has quit [Quit: leaving]
naoki has joined #linux-amlogic
naoki has quit [Quit: naoki]
naoki has joined #linux-amlogic
naoki has quit [Client Quit]
Ballerburg9005 has joined #linux-amlogic
emanuel has joined #linux-amlogic
emanuel has quit [Client Quit]
buzzmarshall has joined #linux-amlogic
<phh>
Hello. I have a secure-booted s902x2/g12a box, with vendor bootloader, that won't boot un-signed video decoding firmware (looks like the only way to know is that it never sends any interrupt...?), instead the firmware loading process is done by a trusted application. I did a very crude implementation on top of mainline linux. I validated that h264 decoder works and display correct frames, and the vp9 decoder outputs frame (but i don't know if the output is
<phh>
(That's just a FYI, I see no reasonably easy way to upstream this, and don't really plan to spend on stablizing/improving it for my own usage)
Ballerburg9005 has quit [Ping timeout: 260 seconds]
Ballerburg9005 has joined #linux-amlogic
<narmstrong>
phh: it’s pretty cool! I wonder if you could use the optee Linux code to scan the TAs and use it to load the fw if this particular TA is present ?
<phh>
I don't know what you know about TAs, so I'll give more details about it: When Linux is started, no TA is loaded inside optee [1]. The code "tee-load-vid-fw.c" will implicitly load the TA, when receiving that OpenSession call, tee-supplicant will look for /lib/optee_armtz and look for a file whose name is the UUID provided in OpenSession, send that file to optee, and optee will launch that TA. Only then will the smcc calls in my patch succeed. So before "tee
<phh>
on non-vendor optee
<phh>
-load-vid-fw" is called from userspace, kernel can't know whether this TA is present. Maybe it's possible to check for it afterwards, would that work? I can check. Also, something I could explore is the `TEE_SMC_CALLS_UID` call (which in this case actually does nothing, it's just for logs), vendor code checks for the return value of this call to determine whether to go into tee path or not, but I don't know whether it's standard op-tee call, or it'll break
<phh>
I guess I could open the session and close it directly without calling any method inside that session to detect it. This would trigger loading the TA from the FS into optee. At this point, I could maybe even implement tee-load-vid-fw fully in kernel?
<narmstrong>
phh: you would still need to know if you're in secure boot or no, perhaps by cheking if there's en OPTEE loaded ?
mrec has quit [Ping timeout: 252 seconds]
f_ has joined #linux-amlogic
<phh>
actually there is probably a register somewhere saying the platform is secure booted, no need to tinker with optee. also this would help debugging for people trying to boot mainline on a secure boot device since we would be able to provide a nice warning
<phh>
yeah, there is {readl(aobus + 0x228) & 0x10} to know whether secure boot is enabled
<phh>
(register called AO_SEC_SD_CFG10 downstream)