core: add interface to load and decrypt/authenticate user TAs #1513
Conversation
core/arch/arm/kernel/ree_fs_ta.c
Outdated
| if (!*shdr) | ||
| return TEE_ERROR_SECURITY; | ||
| memcpy(*shdr, nw_ta, shdr_size); | ||
|
|
There was a problem hiding this comment.
I think we should check shdr_size == SHDR_GET_SIZE(*shdr)
| * Last read: time to check if our digest matches the expected | ||
| * one (from the signed header) | ||
| */ | ||
| res = check_digest(h); |
There was a problem hiding this comment.
This seems a bit fragile. What if there's some mismatch that prevents h->offs from reaching h->nw_ta_size?
I don't have a good idea how to fix this right now.
There was a problem hiding this comment.
Well the algorithm is unchanged actually, and we can consider it is a contract between the TA store and the TEE core that ta_get_size() bytes should be read (unless the core considers this size is unacceptable for some reason, or some other error occurs).
There was a problem hiding this comment.
OK, please update the description of the interface to make that clear.
|
Updated. I'll probably rephrase the commit subject to be "core: add interface to load user TAs" because |
|
With my last comment addressed: |
core/sub.mk
Outdated
| @@ -2,9 +2,11 @@ subdirs-y += kernel | |||
| subdirs-y += tee | |||
| subdirs-y += drivers | |||
|
|
|||
| ifeq ($(CFG_WITH_USER_TA)$(CFG_REE_FS_TA),yy) | |||
There was a problem hiding this comment.
nitpicking: prevent failure if one is not set and the other falsely set to yy:
ifeq ($(CFG_WITH_USER_TA)-$(CFG_REE_FS_TA),y-y)
core/arch/arm/kernel/user_ta.c
Outdated
| DMSG(" Load dynamic TA"); | ||
| /* load and verify */ | ||
| res = ta_load(uuid, signed_ta, &s->ctx); | ||
| DMSG("Load user TA %pUl", (void *)uuid); |
There was a problem hiding this comment.
minor: is this trace (the uuid address) useful ?
There was a problem hiding this comment.
It's the "special" format pUl ("pointer to UUID in little-endian format") so it will print the UUID, not the address ;)
There was a problem hiding this comment.
nice, i didn't notice that (i saw it was merged more than 1 year ago!)
core/arch/arm/kernel/user_ta.c
Outdated
|
|
||
| DMSG(" dyn TA : %pUl", (void *)&s->ctx->uuid); | ||
|
|
||
| assert(!memcmp(uuid, &s->ctx->uuid, sizeof(TEE_UUID))); |
There was a problem hiding this comment.
Replace assert() with a non debug test.
core/arch/arm/kernel/user_ta.c
Outdated
| ta_head->flags, opt_flags, man_flags); | ||
| if ((ta_head->flags & optional_flags) != ta_head->flags || | ||
| (ta_head->flags & mandatory_flags) != mandatory_flags) { | ||
| EMSG("TA flag issue: flags=%x optional=%X mandatory=%X", |
There was a problem hiding this comment.
minor: ("issue" already in previous code) trace all field in either uppercase or lowercase.
| if (!phta) | ||
| return TEE_ERROR_OUT_OF_MEMORY; | ||
|
|
||
| *ta = phys_to_virt(phta, MEM_AREA_NSEC_SHM); |
There was a problem hiding this comment.
minor: thread_rpc_alloc_payload() already insures that the overall buffer in non secure memory. Could assert or panic here.
| static inline TEE_Result tee_ta_register_ta_store( | ||
| const struct user_ta_store_ops *ops __unused) | ||
| { | ||
| return TEE_SUCCESS; |
There was a problem hiding this comment.
Should return TEE_ERROR_NOT_SUPPORTED
jforissier
force-pushed
the
custom-ta-load2
branch
from
e508168
to
744c693
Compare
core/arch/arm/kernel/user_ta.c
Outdated
| DMSG(" dyn TA : %pUl", (void *)&s->ctx->uuid); | ||
|
|
||
| if (memcmp(uuid, &s->ctx->uuid, sizeof(TEE_UUID))); | ||
| panic(); |
There was a problem hiding this comment.
Really panic here ? We can reach this case if the REE provides a TA binary that does not contain the requested TA. I think TEE should not panic here, but simply refuse to load the TA. I believe it should not be possible for the REE to make the TEE panicking.
Sorry if I was not that explicit in my previous comment.
There was a problem hiding this comment.
This "can't happen" since ta_load() already does a memcmp() and returns an error on mismatch. The assert() should be good enough if that's even needed.
There was a problem hiding this comment.
Exactly, I'll remove this check and while I'm at it, drop init_session_with_ta_store() and call ta_load() directly from tee_ta_init_user_ta_session().
There was a problem hiding this comment.
true. my fault. this test is useless.
|
Updated |
core/arch/arm/kernel/user_ta.c
Outdated
| DMSG(" dyn TA : %pUl", (void *)&s->ctx->uuid); | ||
|
|
||
| if (memcmp(uuid, &s->ctx->uuid, sizeof(TEE_UUID))); | ||
| panic(); |
There was a problem hiding this comment.
true. my fault. this test is useless.
|
Still OK with me. |
jforissier
force-pushed
the
custom-ta-load2
branch
from
3700b0f
to
af7809d
Compare
Some use cases may require custom load and verification methods for user-mode Trusted Applications. Introduce struct user_ta_store_ops with open(), get_size(), read() and close() functions to abstract these tasks from the ELF loader code. Do the communication with tee-supplicant as well as the hashing and signature verification of the TA binary in core/arch/arm/kernel/ree_fs_ta.c, which may be disabled and replaced by a different implementation if need be. CC: Zeng Tao <prime.zeng@hisilicon.com> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey, QEMU) Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
jforissier
force-pushed
the
custom-ta-load2
branch
from
af7809d
to
ee664c1
Compare
Some use cases may require custom load and verification methods for
user-mode Trusted Applications. Introduce struct user_ta_store_ops with
open(), get_size(), read() and close() functions to abstract these
tasks from the ELF loader code. Do the communication with
tee-supplicant as well as the hashing and signature verification of the
TA binary in core/arch/arm/kernel/ree_fs_ta.c, which may be disabled
and replaced by a different implementation if need be.
CC: Zeng Tao prime.zeng@hisilicon.com
Signed-off-by: Jerome Forissier jerome.forissier@linaro.org
Tested-by: Jerome Forissier jerome.forissier@linaro.org (HiKey, QEMU)