xtest: add --install-tas argument #240
Conversation
|
Seems to be unhappy about the |
|
Thanks @jbech-linaro, so there's a mutual dependency between the two PRs. |
host/xtest/xtest_main.c
Outdated
| @@ -65,6 +66,7 @@ void usage(char *program) | |||
| printf("applets:\n"); | |||
| printf("\t--sha-perf [opts] SHA performance testing tool (-h for usage)\n"); | |||
| printf("\t--aes-perf [opts] AES performance testing tool (-h for usage)\n"); | |||
| printf("\t--install-tas [opts] Install TAs (-h for usage)\n"); | |||
There was a problem hiding this comment.
minor: remove [opts] and (-h for usage)
host/xtest/install_tas.c
Outdated
| TEEC_UUID uuid = PTA_MANAGEMENT_UUID; | ||
| TEEC_Context ctx; | ||
| TEEC_Session sess; | ||
| const char *ta_dir = "/lib/optee_armtz"; |
There was a problem hiding this comment.
#ifndef TA_DIR
# ifdef __ANDROID__
#define TA_DIR "/system/lib/optee_armtz"
# else
#define TA_DIR "/lib/optee_armtz"
# endif
#endif
-> see regression_1000.c
const char *ta_dir = TA_DIR;
|
Update |
|
Update to pass all test together with OP-TEE/optee_os#1928 |
|
It would be more flexible as |
|
In noticed that if I install the TAs several times, more objects keep being added into the secure storage ( |
|
Thanks |
|
Update |
There was a problem hiding this comment.
- In "regression: remove 9xxx test series", you should say why you are removing it.
--install-tashould be enabled only ifCFG_SECSTOR_TA_MGMT_PTA=y- Since "legacy" TAs are till supported, i'd rather not remove regression_1008. And
load_corrupt_tathat your are modifying here should be a new functioninstall_corrupt_tainstead.
|
|
||
| if (S_ISDIR(sb.st_mode)) | ||
| install_dir(&sess, argv[i]); | ||
| else if (S_ISREG(sb.st_mode)) |
There was a problem hiding this comment.
Nitpick: S_ISLNK is probably OK, too
There was a problem hiding this comment.
That's why I'm using stat() instead of lstat()
There was a problem hiding this comment.
Ah, right, I missed that. It's fine then.
host/xtest/xtest_main.c
Outdated
| @@ -66,7 +66,8 @@ void usage(char *program) | |||
| printf("applets:\n"); | |||
| printf("\t--sha-perf [opts] SHA performance testing tool (-h for usage)\n"); | |||
| printf("\t--aes-perf [opts] AES performance testing tool (-h for usage)\n"); | |||
| printf("\t--install-tas Install TAs\n"); | |||
| printf("\t--install-ta [directory or list of TAs]\n"); | |||
There was a problem hiding this comment.
Nitpicking: several directories may be given, and the naming convention should be explained (<dir>/*.ta).
How about:
--install-ta DIR|FILE...
Install Trusted Application(s). If DIR is given,
all files matching DIR/*.ta are installed.
host/xtest/install_ta.c
Outdated
| res = TEEC_InvokeCommand(sess, PTA_SECSTOR_TA_MGMT_BOOTSTRAP, &op, | ||
| &err_origin); | ||
| if (res) | ||
| errx(1, "install_ta: TEEC_InvokeCommand: %#" PRIx32 " err_origin %#" PRIx32, res, err_origin); |
|
If "legacy" testing is to be kept in 1008, what are supposed to do when the uuid of the TA we're testing with is installed in the tadb and the TA isn't fetch from REE FS TA storage? |
|
Update |
|
If "legacy" testing is to be kept in 1008, we do have to make sure the tested UUIDs are not installed in the tadb. AFAICT, there are only two UUIDs:
|
|
We also need |
|
Why is the legacy testing so important, in the end the same code is tested (core/crypto/signed_hdr.c)? PTA_SECSTOR_TA_MGMT currently only supports installing TAs, not listing or uninstalling. I'm not sure that will ever be exposed directly to normal world either. |
Maybe it's not.
OK, but an uninstall option is still useful for testing. Case in point: This tells me we have a memory leak somewhere :( |
Try it using Valgrind, it has helped me look at various OP-TEE components in the past, including xtest (If you have no rootfs including it, let me know and I can share something with you). |
|
Valgrind on the TEE core? ;-) |
Ah, sorry, that could be harder 😅 ... I was reading it as you suspected a memory leak from xtest, but that is of course not the case here. |
|
Memory leak plugged in #1928 |
|
Next step is to add a test TA handles a security domain. That TA will be able to uninstall TAs etc. The reason I don't want it directly available to normal world is that it would be a nice security hole that would be enabled with testing enabled or something. |
Confirmed.
As long as we have a simple way to exercise the install/uninstall code, it's fine. |
We will not have it in this PR, but hopefully the next. |
|
@jenswi-linaro sure, that was my understanding. Thanks. |
host/xtest/xtest_test.h
Outdated
| # endif | ||
| #endif | ||
|
|
||
| #ifndef TA_TEST_DIR |
There was a problem hiding this comment.
Looks like TA_TEST_DIR is not used anymore
There was a problem hiding this comment.
It's still used in host/xtest/regression_1000.c. Should I move it back to host/xtest/regression_1000.c again?
There was a problem hiding this comment.
It's not used in the HEAD of this PR, right?
$ git fetch origin pull/240/head
From https://github.com/OP-TEE/optee_test
* branch refs/pull/240/head -> FETCH_HEAD
$ git checkout FETCH_HEAD
HEAD is now at 80b8e5941579... [review] xtest: add --install-tas argument
$ git grep TA_TEST_DIR
host/xtest/xtest_test.h:#ifndef TA_TEST_DIR
host/xtest/xtest_test.h:# define TA_TEST_DIR "/data/tee/optee_armtz"
host/xtest/xtest_test.h:# define TA_TEST_DIR "/tmp/optee_armtz"
So I think it should remain in host/xtest/regression_1000.c until it finally gets removed by "regression 1008: test with corrupt BSTA".
There was a problem hiding this comment.
Aha, sorry I confused it with TA_DIR.
|
Addressed the comments, except the one about |
|
Rebased and addressed the |
|
How does this affect the AOSP builds? I theory it should just work I guess, but it'd be good to have some confidence that it still works before pushing this. Maybe Yongqin or Vee could help out testing. |
|
I'll run a test later today and report back. |
host/xtest/install_ta.c
Outdated
| @@ -0,0 +1,157 @@ | |||
| /* | |||
| * Copyright (c) 2017, Linaro Limited | |||
| * All rights reserved. | |||
There was a problem hiding this comment.
"All rights reserved" is useless noise. https://reuse.software/practices/.
host/xtest/regression_1000.c
Outdated
| @@ -31,6 +32,11 @@ | |||
| #include <ta_sims_test.h> | |||
| #include <ta_concurrent.h> | |||
| #include <sdp_basic.h> | |||
| #include <pta_secstor_ta_mgmt.h> | |||
|
Please add changes in |
|
Sorry for the delay. Had several build errors to fix. So:
|
|
Added (untested) Android patches |
That's what I have so should be ok. Thanks! |
|
Do I smell a tested-by tag? ;-) |
|
Continued testing from #240 (comment)
|
Oops, forgot. :)
|
jenswi-linaro
force-pushed
the
ta_mgt
branch
2 times, most recently
from
216cb12 to
3a79af5
Compare
|
Squashed and tag applied |
| #include <errno.h> | ||
| #include <fnmatch.h> | ||
| #include <inttypes.h> | ||
| #include <pta_secstor_ta_mgmt.h> |
There was a problem hiding this comment.
Build regression not addressed
There was a problem hiding this comment.
Don't just read/say that include too quickly 😄
|
|
Adds --install-tas argument which will install all bootstrap TAs (/lib/optee_armtz/*.bsta) in the OP-TEE TA database. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Removes the 9xxx test series as there's new internal tests in OP-TEE testing this instead. Also when TAs are stored in secure storage all the file these tests depends on will changed in an even more unpredictable way. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Removes the load_fake_ta() test, it's not applicable with bootstrap TAs. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Updates case 1008 to corrupt bootstrap TAs instead. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Victor Chong <victor.chong@linaro.org> (hikey aosp) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
Tag applied |
Adds --install-tas argument which will install all bootstrap TAs
(/lib/optee_armtz/*.bsta) in the OP-TEE TA database.
Signed-off-by: Jens Wiklander jens.wiklander@linaro.org
Needed by OP-TEE/optee_os#1928 to install bootstrap TAs.