1.. SPDX-License-Identifier: GPL-2.0 2 3============================================= 4AMD-TEE (AMD's Trusted Execution Environment) 5============================================= 6 7The AMD-TEE driver handles the communication with AMD's TEE environment. The 8TEE environment is provided by AMD Secure Processor. 9 10The AMD Secure Processor (formerly called Platform Security Processor or PSP) 11is a dedicated processor that features ARM TrustZone technology, along with a 12software-based Trusted Execution Environment (TEE) designed to enable 13third-party Trusted Applications. This feature is currently enabled only for 14APUs. 15 16The following picture shows a high level overview of AMD-TEE:: 17 18 | 19 x86 | 20 | 21 User space (Kernel space) | AMD Secure Processor (PSP) 22 ~~~~~~~~~~ ~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~ 23 | 24 +--------+ | +-------------+ 25 | Client | | | Trusted | 26 +--------+ | | Application | 27 /\ | +-------------+ 28 || | /\ 29 || | || 30 || | \/ 31 || | +----------+ 32 || | | TEE | 33 || | | Internal | 34 \/ | | API | 35 +---------+ +-----------+---------+ +----------+ 36 | TEE | | TEE | AMD-TEE | | AMD-TEE | 37 | Client | | subsystem | driver | | Trusted | 38 | API | | | | | OS | 39 +---------+-----------+----+------+---------+---------+----------+ 40 | Generic TEE API | | ASP | Mailbox | 41 | IOCTL (TEE_IOC_*) | | driver | Register Protocol | 42 +--------------------------+ +---------+--------------------+ 43 44At the lowest level (in x86), the AMD Secure Processor (ASP) driver uses the 45CPU to PSP mailbox register to submit commands to the PSP. The format of the 46command buffer is opaque to the ASP driver. It's role is to submit commands to 47the secure processor and return results to AMD-TEE driver. The interface 48between AMD-TEE driver and AMD Secure Processor driver can be found in [1]. 49 50The AMD-TEE driver packages the command buffer payload for processing in TEE. 51The command buffer format for the different TEE commands can be found in [2]. 52 53The TEE commands supported by AMD-TEE Trusted OS are: 54 55* TEE_CMD_ID_LOAD_TA - loads a Trusted Application (TA) binary into 56 TEE environment. 57* TEE_CMD_ID_UNLOAD_TA - unloads TA binary from TEE environment. 58* TEE_CMD_ID_OPEN_SESSION - opens a session with a loaded TA. 59* TEE_CMD_ID_CLOSE_SESSION - closes session with loaded TA 60* TEE_CMD_ID_INVOKE_CMD - invokes a command with loaded TA 61* TEE_CMD_ID_MAP_SHARED_MEM - maps shared memory 62* TEE_CMD_ID_UNMAP_SHARED_MEM - unmaps shared memory 63 64AMD-TEE Trusted OS is the firmware running on AMD Secure Processor. 65 66The AMD-TEE driver registers itself with TEE subsystem and implements the 67following driver function callbacks: 68 69* get_version - returns the driver implementation id and capability. 70* open - sets up the driver context data structure. 71* release - frees up driver resources. 72* open_session - loads the TA binary and opens session with loaded TA. 73* close_session - closes session with loaded TA and unloads it. 74* invoke_func - invokes a command with loaded TA. 75 76cancel_req driver callback is not supported by AMD-TEE. 77 78The GlobalPlatform TEE Client API [3] can be used by the user space (client) to 79talk to AMD's TEE. AMD's TEE provides a secure environment for loading, opening 80a session, invoking commands and closing session with TA. 81 82References 83========== 84 85[1] include/linux/psp-tee.h 86 87[2] drivers/tee/amdtee/amdtee_if.h 88 89[3] http://www.globalplatform.org/specificationsdevice.asp look for 90 "TEE Client API Specification v1.0" and click download. 91