- OP-TEE - lists.trustedfirmware.org

[PATCH v3 00/11] Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE)

by Amirreza Zarrabi

This patch series introduces a Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE). QTEE enables Trusted Applications (TAs) and services to run securely. It uses an object-based interface, where each service is an object with sets of operations. Clients can invoke these operations on objects, which can generate results, including other objects. For example, an object can load a TA and return another object that represents the loaded TA, allowing access to its services. Kernel and userspace services are also available to QTEE through a similar approach. QTEE makes callback requests that are converted into object invocations. These objects can represent services within the kernel or userspace process. Note: This patch series focuses on QTEE objects and userspace services. Linux already provides a TEE subsystem, which is described in [1]. The tee subsystem provides a generic ioctl interface, TEE_IOC_INVOKE, which can be used by userspace to talk to a TEE backend driver. We extend the Linux TEE subsystem to understand object parameters and an ioctl call so client can invoke objects in QTEE: - TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_* - TEE_IOC_OBJECT_INVOKE The existing ioctl calls TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND are used for invoking services in the userspace process by QTEE. The TEE backend driver uses the QTEE Transport Message to communicate with QTEE. Interactions through the object INVOKE interface are translated into QTEE messages. Likewise, object invocations from QTEE for userspace objects are converted into SEND/RECV ioctl calls to supplicants. The details of QTEE Transport Message to communicate with QTEE is available in [PATCH 10/10] Documentation: tee: Add Qualcomm TEE driver. You can run basic tests with following steps: git clone https://github.com/quic/quic-teec.git cd quic-teec mkdir build cmake .. -DCMAKE_TOOLCHAIN_FILE=CMakeToolchain.txt -DBUILD_UNITTEST=ON https://github.com/quic/quic-teec/blob/main/README.md lists dependancies needed to build the above. This series has been tested for basic QTEE object invocations and callback requests, including loading a TA and requesting services form the TA. Tested platforms: sm8650-mtp [1] https://www.kernel.org/doc/Documentation/tee.txt Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> Changes in v3: - Export shm_bridge create/delete APIs. - Enable support for QTEE memory objects. - Update the memory management code to use the TEE subsystem for all allocations using the pool. - Move all driver states into the driver's main service struct. - Add more documentations. - Link to v2: https://lore.kernel.org/r/20250202-qcom-tee-using-tee-ss-without-mem-obj-v2… Changes in v2: - Clean up commit messages and comments. - Use better names such as ubuf instead of membuf or QCOMTEE prefix instead of QCOM_TEE, or names that are more consistent with other TEE-backend drivers such as qcomtee_context_data instead of qcom_tee_context. - Drop the DTS patch and instantiate the device from the scm driver. - Use a single structure for all driver's internal states. - Drop srcu primitives and use the existing mutex for synchronization between the supplicant and QTEE. - Directly use tee_context to track the lifetime of qcomtee_context_data. - Add close_context() to be called when the user closes the tee_context. - Link to v1: https://lore.kernel.org/r/20241202-qcom-tee-using-tee-ss-without-mem-obj-v1… Changes in v1: - It is a complete rewrite to utilize the TEE subsystem. - Link to RFC: https://lore.kernel.org/all/20240702-qcom-tee-object-and-ioctls-v1-0-633c3d… --- Amirreza Zarrabi (11): tee: allow a driver to allocate a tee_device without a pool tee: add close_context to TEE driver operation tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF firmware: qcom: scm: add support for object invocation firmware: qcom: scm: remove unused arguments to the shm_brige firmware: qcom: tzmem: export shm_bridge create/delete tee: add Qualcomm TEE driver qcomtee: add primordial object qcomtee: enable TEE_IOC_SHM_ALLOC ioctl Documentation: tee: Add Qualcomm TEE driver Documentation/tee/index.rst | 1 + Documentation/tee/qtee.rst | 150 ++++++ drivers/firmware/qcom/qcom_scm.c | 132 ++++- drivers/firmware/qcom/qcom_scm.h | 7 + drivers/firmware/qcom/qcom_tzmem.c | 57 ++- drivers/tee/Kconfig | 1 + drivers/tee/Makefile | 1 + drivers/tee/qcomtee/Kconfig | 10 + drivers/tee/qcomtee/Makefile | 11 + drivers/tee/qcomtee/async.c | 160 ++++++ drivers/tee/qcomtee/call.c | 759 +++++++++++++++++++++++++++++ drivers/tee/qcomtee/core.c | 810 +++++++++++++++++++++++++++++++ drivers/tee/qcomtee/mem_obj.c | 172 +++++++ drivers/tee/qcomtee/primordial_obj.c | 116 +++++ drivers/tee/qcomtee/qcom_scm.c | 38 ++ drivers/tee/qcomtee/qcomtee_msg.h | 239 +++++++++ drivers/tee/qcomtee/qcomtee_private.h | 264 ++++++++++ drivers/tee/qcomtee/release.c | 48 ++ drivers/tee/qcomtee/shm.c | 146 ++++++ drivers/tee/qcomtee/user_obj.c | 710 +++++++++++++++++++++++++++ drivers/tee/tee_core.c | 159 +++++- drivers/tee/tee_private.h | 6 - include/linux/firmware/qcom/qcom_scm.h | 31 +- include/linux/firmware/qcom/qcom_tee.h | 302 ++++++++++++ include/linux/firmware/qcom/qcom_tzmem.h | 15 + include/linux/tee_core.h | 15 +- include/linux/tee_drv.h | 52 ++ include/uapi/linux/tee.h | 54 ++- 28 files changed, 4434 insertions(+), 32 deletions(-) --- base-commit: db8da9da41bced445077925f8a886c776a47440c change-id: 20241202-qcom-tee-using-tee-ss-without-mem-obj-362c66340527 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

8 months, 4 weeks

5
31
0 0

OP-TEE 4.6.0 has been released

by Jens Wiklander

Hi, I'm pleased to announce that OP-TEE version 4.6.0 is now available. The list of changes can be found in the changelog [1]. A blog post will be published soon on trustedfirmware.org [2]. We have one known issue in this release [3]. We are collecting further details and solutions for it in the GitHub issue [3]. A big thank you to everyone who participated with contributions and helping out with testing the release [4]. [1] https://github.com/OP-TEE/optee_os/blob/4.6.0/CHANGELOG.md [2] https://www.trustedfirmware.org/blog/ [3] https://github.com/OP-TEE/optee_os/issues/7374 [3] https://github.com/OP-TEE/optee_os/commit/71785645fa6ce42db40dbf5a54e0eaedc… Regards, Jens

9 months

1
0
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting April 22

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ OP-TEE version 4.6.0 is expected to be released on Friday, April 25. Since the 4.6.0-rc1 tag, we have merged a few small patches, but we don't have any known issues that might block the release. We discussed optee_ftpm briefly after that last release in January. The code quality leaves a bit to be desired, with many warnings, an inconsistent coding style, and possibly a few stubbed functions. How can we improve the status? Are there any other topics? Thanks, Jens

9 months

1
0
0 0

[PATCH v16 0/6] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V15[1]: - Removed the rproc_ops:load_fw() operation introduced in the previous version. - Returned to managing the remoteproc firmware loading in rproc_tee_parse_fw to load and authenticate the firmware before getting the resource table. - Added spinlock and dev_link mechanisms in remoteproc TEE to better manage bind/unbind. More details are available in each patch commit message. [1] https://lore.kernel.org/linux-remoteproc/20241128084219.2159197-7-arnaud.po… Tested-on: commit 0a0ba9924445 ("Linux 6.14-rc7") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact. The user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (6): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support remoteproc: Introduce release_fw optional operation dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 +- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 52 ++ drivers/remoteproc/remoteproc_internal.h | 6 + drivers/remoteproc/remoteproc_tee.c | 619 ++++++++++++++++++ drivers/remoteproc/stm32_rproc.c | 139 +++- include/linux/remoteproc.h | 4 + include/linux/remoteproc_tee.h | 90 +++ 9 files changed, 935 insertions(+), 44 deletions(-) create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 0a0ba99244455fea8706c4a53f5f66a45d87905d -- 2.25.1

9 months, 1 week

2
7
0 0

Kernel crash when interrupting user space application accessing PKCS11 TA

by Stauffer Thomas MTANA

Platform: Toradex Verdin iMX8MP OP-TEE OS & Client: 4.5 Linux Kernel: Mainline 6.6.80 OP-TEE OS Build Options: OPTEE_OS_OPTIONS=ARCH=arm PLATFORM=imx PLATFORM_FLAVOR=mx8mpevk CFG_CRYPTO_DRIVER=y CFG_NXP_CAAM=y CFG_NXP_CAAM_RNG_DRV=y CFG_RPMB_FS_DEV_ID=2 CFG_REE_FS=y CFG_RPMB_FS=n CFG_RPMB_TESTKEY=n CFG_RPMB_WRITE_KEY=n CFG_REE_FS_TA=n CFG_SECSTOR_TA=n CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_TA_LOG_LEVEL=4 CFG_CORE_DUMP_OOM=y CFG_UART_BASE=0x30880000 CFG_DDR_SIZE=0x100000000 CFG_TZDRAM_START=0x56000000 CFG_TZDRAM_SIZE=0x01c00000 CFG_SHMEM_SIZE=0x00400000 CFG_EARLY_TA=y OPTEE_OS_OPTIONS_EARLYTA=EARLY_TA_PATHS="$(PWD)/optee_os/out/arm-plat-imx/ta/pkcs11/fd02c9da-306c-48c7-a49c-bbd827ae86ee.stripped.elf" I've quite a few cases where the Linux kernel crashes. One case is the following example export MODULE=libckteec.so.0 while true ; do pkcs11-tool --module $MODULE --init-token --label "$TOKEN" --so-pin "$SOPIN" ; pkcs11-tool --module $MODULE --init-pin --so-pin "$SOPIN" --pin "$PIN" ; done Normally this runs fine. I tested this up to 40 hours without any issue. The moment I press Ctrl+C the linux kernel often crashes (ca. 20% chance). This can be reproduced easily (in less than 1 minute). It looks like always syscall_storage_obj_open is part of the execution path, often followed by a panic (which I assume is ok, if the underlining process dies) I believe the OPTEE RAM and SHM are correctly passed to the kernel [ 0.000000] OF: reserved mem: 0x0000000056000000..0x0000000057bfffff (28672 KiB) nomap non-reusable optee_core@56000000 [ 0.000000] OF: reserved mem: 0x0000000057c00000..0x0000000057ffffff (4096 KiB) nomap non-reusable optee_shm@57c00000 The kernel/OP-TEE logs are added below. Is this an issue anyone knows? I/TA: PKCS11 session 1: login D/TA: TA_InvokeCommandEntryPoint:364 PKCS11_CMD_LOGIN rc 0/OK D/TA: TA_InvokeCommandEntryPoint:143 PKCS11_CMD_TOKEN_INFO p#0 4@0x80018000, p#1 --- 0@0x0, p#2 out 160@0x80017000 D/TA: TA_InvokeCommandEntryPoint:364 PKCS11_CMD_TOKEN_INFO rc 0/OK D/TA: TA_InvokeCommandEntryPoint:143 PKCS11_CMD_INIT_PIN p#0 38@0x80017000, p#1 --- 0@0x0, p#2 --- 0@0x0 I/TA: PKCS11 session 1: init PIN F/TC:? 0 trace_syscall:147 syscall #33 (syscall_cryp_random_number_generate) F/TC:? 0 trace_syscall:147 syscall #15 (syscall_cryp_state_alloc) F/TC:? 0 trace_syscall:147 syscall #18 (syscall_hash_init) F/TC:? 0 trace_syscall:147 syscall #19 (syscall_hash_update) F/TC:? 0 trace_syscall:147 syscall #19 (syscall_hash_update) F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #20 (syscall_hash_final) F/TC:? 0 trace_syscall:147 syscall #18 (syscall_hash_init) F/TC:? 0 trace_syscall:147 syscall #17 (syscall_cryp_state_free) F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #41 (syscall_storage_obj_open) E/TC:? 0 get_rpc_alloc_res:644 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2 E/TA: update_persistent_db:61 Failed to open token persistent db: 0xffff000c F/TC:? 0 trace_syscall:147 syscall #2 (syscall_panic) [ 401.775062] Unable to handle kernel paging request at virtual address 0000000000001000 [ 401.775077] Mem abort info: [ 401.775079] ESR = 0x0000000096000044 [ 401.775081] EC = 0x25: DABT (current EL), IL = 32 bits [ 401.775085] SET = 0, FnV = 0 [ 401.775087] EA = 0, S1PTW = 0 [ 401.775089] FSC = 0x04: level 0 translation fault [ 401.775092] Data abort info: [ 401.775094] ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000 [ 401.775096] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 [ 401.775100] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 401.775103] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000139bfb000 [ 401.775107] [0000000000001000] pgd=0000000000000000, p4d=0000000000000000 [ 401.775115] Internal error: Oops: 0000000096000044 [#1] PREEMPT_RT SMP [ 401.775121] CPU: 0 PID: 1197 Comm: pkcs11-tool Not tainted 6.6.80-rt51 #23 [ 401.775128] Hardware name: Toradex Verdin iMX8M Plus [ 401.775131] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 401.775136] pc : __arm_smccc_smc+0xc/0x30 [ 401.775148] lr : optee_smccc_smc+0x20/0x34 [ 401.775156] sp : ffff80008367bad0 [ 401.775158] x29: ffff80008367bae0 x28: 0000000000000000 x27: 0000000000000000 [ 401.775168] x26: ffff0000c14fa528 x25: 0000000032000003 x24: 0000000000000000 [ 401.775177] x23: ffff0000c8331b40 x22: ffff80008367bba8 x21: 0000000000000000 [ 401.775185] x20: ffff0000c14fa400 x19: 0000000000000000 x18: ffff800081dc1050 [ 401.775192] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffd1b39d28 [ 401.775201] x14: 0000000000000259 x13: 0000000000000001 x12: 0000000000000002 [ 401.775210] x11: 0000000000000001 x10: 0000000000000b60 x9 : ffff80008367b8b0 [ 401.775217] x8 : ffff80008367bba8 x7 : 0000000000000000 x6 : 0000000000000000 [ 401.775224] x5 : 0000000000000000 x4 : 0000000000001000 x3 : 0000000000000000 [ 401.775233] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000ffff0004 [ 401.775243] Call trace: [ 401.775245] __arm_smccc_smc+0xc/0x30 [ 401.775252] optee_smc_do_call_with_arg+0x178/0x634 [ 401.775258] optee_invoke_func+0x124/0x1dc [ 401.775266] tee_ioctl+0xf14/0x11d0 [ 401.775271] __arm64_sys_ioctl+0xc8/0xe8 [ 401.775277] invoke_syscall+0x4c/0x124 [ 401.775283] el0_svc_common.constprop.0+0x44/0xec [ 401.775290] do_el0_svc+0x20/0x30 [ 401.775298] el0_svc+0x3c/0xd8 [ 401.775305] el0t_64_sync_handler+0x108/0x134 [ 401.775311] el0t_64_sync+0x198/0x19c [ 401.775319] Code: d53cd043 d503245f d4000003 f94003e4 (a9000480) [ 401.775324] ---[ end trace 0000000000000000 ]--- [ 401.775328] Kernel panic - not syncing: Oops: Fatal exception [ 401.775331] SMP: stopping secondary CPUs [ 401.775338] Kernel Offset: disabled [ 401.775340] CPU features: 0x0,00000008,00020000,1000420b [ 401.775344] Memory Limit: none F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 read_compressed:178 156 bytes F/TC:? 0 read_compressed:178 1024 bytes F/TC:? 0 read_compressed:178 128 bytes F/TC:? 0 trace_syscall:147 syscall #6 (syscall_close_ta_session) F/TC:? 0 trace_syscall:147 syscall #3 (syscall_get_property) D/LD: ldelf:176 ELF (fd02c9da-306c-48c7-a49c-bbd827ae86ee) at 0x8002a000 F/TC:? 0 trace_syscall:147 syscall #33 (syscall_cryp_random_number_generate) F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #4 (syscall_get_property_name_to_index) F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #41 (syscall_storage_obj_open) F/TC:? 0 plat_prng_add_jitter_entropy:68 0xC6 F/TC:? 0 trace_syscall:147 syscall #2 (syscall_panic) E/TC:? 0 E/TC:? 0 TA panicked with code 0xffff000e E/LD: Status of TA fd02c9da-306c-48c7-a49c-bbd827ae86ee E/LD: arch: aarch64 E/LD: region 0: va 0x80005000 pa 0x56112000 size 0x002000 flags rw-s (ldelf) E/LD: region 1: va 0x80007000 pa 0x56114000 size 0x008000 flags r-xs (ldelf) E/LD: region 2: va 0x8000f000 pa 0x5611c000 size 0x001000 flags rw-s (ldelf) E/LD: region 3: va 0x80010000 pa 0x5611d000 size 0x004000 flags rw-s (ldelf) E/LD: region 4: va 0x80014000 pa 0x56121000 size 0x001000 flags r--s E/LD: region 5: va 0x80015000 pa 0x5619a000 size 0x002000 flags rw-s (stack) E/LD: region 6: va 0x8002a000 pa 0x56122000 size 0x063000 flags r-xs [0] E/LD: region 7: va 0x8008d000 pa 0x56185000 size 0x015000 flags rw-s [0] E/LD: [0] fd02c9da-306c-48c7-a49c-bbd827ae86ee @ 0x8002a000 E/LD: Call stack: E/LD: 0x800426e8 E/LD: 0x8002d1f0 E/LD: 0x8002e104 E/LD: 0x800332d8 E/LD: 0x80049264 E/LD: 0x8003e9ec D/TC:? 0 user_ta_enter:195 tee_user_ta_enter: TA panicked with code 0xffff000e D/TC:? 0 release_ta_ctx:670 Releasing panicked TA ctx D/TC:? 0 tee_ta_close_session:460 csess 0x560f2120 id 1 D/TC:? 0 tee_ta_close_session:479 Destroy session D/TC:? 0 destroy_context:318 Destroy TA ctx (0x560f20c0) E/TC:? 0 tee_ta_open_session:745 Failed for TA fd02c9da-306c-48c7-a49c-bbd827ae86ee. Return error 0xffff3024 [ 201.922583] Unable to handle kernel paging request at virtual address ffff8000812803f0 [ 201.922600] Mem abort info: [ 201.922602] ESR = 0x0000000096000047 [ 201.922604] EC = 0x25: DABT (current EL), IL = 32 bits [ 201.922608] SET = 0, FnV = 0 [ 201.922611] EA = 0, S1PTW = 0 [ 201.922613] FSC = 0x07: level 3 translation fault [ 201.922616] Data abort info: [ 201.922618] ISV = 0, ISS = 0x00000047, ISS2 = 0x00000000 [ 201.922621] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 [ 201.922624] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 201.922627] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000411ca000 [ 201.922631] [ffff8000812803f0] pgd=100000013ffff003, p4d=100000013ffff003, pud=100000013fffe003, pmd=100000013fffa003, pte=0000000000000000 [ 201.922646] Internal error: Oops: 0000000096000047 [#1] PREEMPT_RT SMP [ 201.922652] CPU: 0 PID: 1059 Comm: pkcs11-tool Not tainted 6.6.80-rt51 #23 [ 201.922658] Hardware name: Toradex Verdin iMX8M Plus [ 201.922661] pstate: a00000c5 (NzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 201.922667] pc : queued_spin_lock_slowpath+0x22c/0x330 [ 201.922680] lr : _raw_spin_lock_irqsave+0x80/0x98 [ 201.922686] sp : ffff80008362b960 [ 201.922688] x29: ffff80008362b960 x28: ffff0000029a8000 x27: 0000000000000000 [ 201.922696] x26: ffff0000c0d9e128 x25: 0000000000000000 x24: 0000000000000000 [ 201.922703] x23: ffff000008a48f00 x22: 00000000ffff000e x21: ffff0000c0d9e198 [ 201.922710] x20: ffff0000c237c3f8 x19: 0000000000000000 x18: ffff8000829cf088 [ 201.922720] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000040 [ 201.922727] x14: 0000000000000004 x13: ffff0000c0d9e1d8 x12: 0000000000000000 [ 201.922734] x11: ffff0000cb440b98 x10: ffff0000cb440b68 x9 : ffff800081447558 [ 201.922741] x8 : 0000000000000000 x7 : ffff8000812803f0 x6 : 0000000000000000 [ 201.922751] x5 : ffff0000ff76b3c0 x4 : 0000000000040000 x3 : ffff0000ff76b3c0 [ 201.922758] x2 : ffff8000812803c0 x1 : ffff0000ff76b3c8 x0 : ffff0000c237c3f8 [ 201.922766] Call trace: [ 201.922768] queued_spin_lock_slowpath+0x22c/0x330 [ 201.922775] complete+0x28/0x9c [ 201.922783] optee_supp_release+0x5c/0x12c [ 201.922790] optee_release_supp+0x44/0x58 [ 201.922795] teedev_ctx_put.part.0+0x90/0xc8 [ 201.922800] teedev_ctx_put+0x20/0x30 [ 201.922805] tee_shm_put+0x110/0x188 D/TA: TA_InvokeCommandEntryPoint:364 PKCS11_CMD_SLOT_INFO rc 0/OK D/TA: TA_InvokeCommandEntryPoint:143 PKCS11_CMD_OPEN_SESSION p#0 8@0x80018000, p#1 --- 0@0x0, p#2 out 4@0x80017000 D/TA: entry_ck_open_session:681 Open PKCS11 session 1 D/TA: TA_InvokeCommandEntryPoint:364 PKCS11_CMD_OPEN_SESSION rc 0/OK D/TA: TA_InvokeCommandEntryPoint:143 PKCS11_CMD_TOKEN_INFO p#0 4@0x80018000, p#1 --- 0@0x0, p#2 out 160@0x80017000 D/TA: TA_InvokeCommandEntryPoint:364 PKCS11_CMD_TOKEN_INFO rc 0/OK D/TA: TA_InvokeCommandEntryPoint:143 PKCS11_CMD_LOGIN p#0 42@0x80017000, p#1 --- 0@0x0, p#2 --- 0@0x0 F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #41 (syscall_storage_obj_open) [ 72.460688] Unable to handle kernel paging request at virtual address ffff0000c5270459 [ 72.460703] Mem abort info: [ 72.460705] ESR = 0x0000000096000021 [ 72.460707] EC = 0x25: DABT (current EL), IL = 32 bits [ 72.460711] SET = 0, FnV = 0 [ 72.460714] EA = 0, S1PTW = 0 [ 72.460716] FSC = 0x21: alignment fault [ 72.460719] Data abort info: [ 72.460720] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 [ 72.460723] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 72.460726] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 72.460729] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000411ca000 [ 72.460734] [ffff0000c5270459] pgd=180000013fff8003, p4d=180000013fff8003, pud=180000013fa1b003, pmd=180000013f9f1003, pte=0068000105270707 [ 72.460748] Internal error: Oops: 0000000096000021 [#1] PREEMPT_RT SMP [ 72.460755] CPU: 0 PID: 836 Comm: tee-supplicant Not tainted 6.6.80-rt51 #23 [ 72.460760] Hardware name: Toradex Verdin iMX8M Plus [ 72.460763] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 72.460769] pc : tee_shm_get_fd+0x84/0xd8 [ 72.460780] lr : tee_ioctl+0xb14/0x11d0 [ 72.460785] sp : ffff800082fe3c50 [ 72.460787] x29: ffff800082fe3c50 x28: ffff000001ba4ec0 x27: 0000000000000000 [ 72.460795] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 [ 72.460802] x23: 0000ffffc685f9a8 x22: 00000000c018a409 x21: 0000ffffc685f9a8 [ 72.460812] x20: ffff0000c5270421 x19: ffff0000c5270421 x18: ffff8000820fd040 [ 72.460819] x17: 0000000000000000 x16: ffff800080f92850 x15: ffff800082fe3d40 [ 72.460827] x14: 0000000000000000 x13: 1fffe000186fa581 x12: ffff800082fe3b78 [ 72.460834] x11: 0000000000000040 x10: ffff0000c1600420 x9 : ffff0000c16003f8 [ 72.460843] x8 : 0000000000001000 x7 : 0000aaab1a59c000 x6 : 0000ffffc685f9c0 [ 72.460850] x5 : 0000ffffc685f9c0 x4 : ffff0000c5270459 x3 : 0000000100000000 [ 72.460857] x2 : 0000000000000018 x1 : ffff800082fe3d58 x0 : ffff0000c5270459 [ 72.460867] Call trace: [ 72.460870] tee_shm_get_fd+0x84/0xd8 [ 72.460878] tee_ioctl+0xb14/0x11d0 [ 72.460882] __arm64_sys_ioctl+0xc8/0xe8 [ 72.460889] invoke_syscall+0x4c/0x124 [ 72.460897] el0_svc_common.constprop.0+0xcc/0xec [ 72.460905] do_el0_svc+0x20/0x30 [ 72.460911] el0_svc+0x3c/0xd8 [ 72.460918] el0t_64_sync_handler+0x108/0x134 [ 72.460924] el0t_64_sync+0x198/0x19c [ 72.460935] Code: d50323bf d65f03c0 9100e264 f9800091 (885f7c81) F/TC:? 0 trace_syscall:147 syscall #8 (syscall_check_access_rights) F/TC:? 0 trace_syscall:147 syscall #41 (syscall_storage_obj_open) F/TC:? 0 plat_prng_add_jitter_entropy:68 0xDB F/TC:? 0 plat_prng_add_jitter_entropy:68 0x49 F/TC:? 0 plat_prng_add_jitter_entropy:68 0x68 F/TC:? 0 plat_prng_add_jitter_entropy:68 0x14 F/TC:? 0 plat_prng_add_jitter_entropy:68 0xF0 F/TC:? 0 trace_syscall:147 syscall #51 (syscall_storage_obj_write) F/TC:? 0 plat_prng_add_jitter_entropy:68 0xE2 F/TC:? 0 plat_prng_add_jitter_entropy:68 0x54 F/TC:? 0 trace_syscall:147 syscall #2 (syscall_panic) E/TC:? 0 E/TC:? 0 TA panicked with code 0xffff000e E/LD: Status of TA fd02c9da-306c-48c7-a49c-bbd827ae86ee E/LD: arch: aarch64 E/LD: region 0: va 0x80005000 pa 0x56112000 size 0x002000 flags rw-s (ldelf) E/LD: region 1: va 0x80007000 pa 0x56114000 size 0x008000 flags r-xs (ldelf) E/LD: region 2: va 0x8000f000 pa 0x5611c000 size 0x001000 flags rw-s (ldelf) E/LD: region 3: va 0x80010000 pa 0x5611d000 size 0x004000 flags rw-s (ldelf) E/LD: region 4: va 0x80014000 pa 0x56121000 size 0x001000 flags r--s E/LD: region 5: va 0x80015000 pa 0x5619a000 size 0x002000 flags rw-s (stack) E/LD: region 6: va 0x80017000 pa 0x541a2000 size 0x001000 flags rw-- (param) E/LD: region 7: va 0x8001c000 pa 0x56122000 size 0x063000 flags r-xs [0] E/LD: region 8: va 0x8007f000 pa 0x56185000 size 0x015000 flags rw-s [0] E/LD: [0] fd02c9da-306c-48c7-a49c-bbd827ae86ee @ 0x8001c000 E/LD: Call stack: E/LD: 0x80034ef4 E/LD: 0x8001f28c E/LD: 0x80024eb0 E/LD: 0x8002694c E/LD: 0x8001d27c E/LD: 0x8003b3b4 E/LD: 0x800309ec D/TC:? 0 user_ta_enter:195 tee_user_ta_enter: TA panicked with code 0xffff000e D/TC:? 0 release_ta_ctx:670 Releasing panicked TA ctx D/TC:? 0 tee_ta_invoke_command:798 Error: ffff3024 of 3 D/TC:? 0 tee_ta_close_session:460 csess 0x560f1150 id 1 D/TC:? 0 tee_ta_close_session:479 Destroy session [ 263.892611] Unable to handle kernel paging request at virtual address 50ffff0000c4079d [ 263.892623] Mem abort info: [ 263.892624] ESR = 0x0000000096000004 [ 263.892627] EC = 0x25: DABT (current EL), IL = 32 bits [ 263.892631] SET = 0, FnV = 0 [ 263.892633] EA = 0, S1PTW = 0 [ 263.892635] FSC = 0x04: level 0 translation fault [ 263.892638] Data abort info: [ 263.892640] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 263.892642] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 263.892645] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 263.892649] [50ffff0000c4079d] address between user and kernel address ranges [ 263.892653] Internal error: Oops: 0000000096000004 [#1] PREEMPT_RT SMP [ 263.892659] CPU: 0 PID: 1 Comm: systemd Not tainted 6.6.80-rt51 #23 [ 263.892664] Hardware name: Toradex Verdin iMX8M Plus [ 263.892667] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 263.892673] pc : ___slab_alloc+0x408/0x958 [ 263.892685] lr : ___slab_alloc+0x90/0x958 [ 263.892696] sp : ffff80008160b940 [ 263.892698] x29: ffff80008160b940 x28: 0000000000000000 x27: ffff8000811b5838 [ 263.892708] x26: 0000000000000000 x25: ffff8000802f7624 x24: fffffc0003101d80 [ 263.892715] x23: 50ffff0000c4076d x22: ffff0000c0001600 x21: 0000000000000060 [ 263.892722] x20: 00000000ffffffff x19: ffff0000ff76bcc0 x18: ffff8000815f5078 [ 263.892732] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 263.892739] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 263.892745] x11: 0000000000000000 x10: fffffffffdab3428 x9 : 0000000000000000 [ 263.892752] x8 : ffff0000c1fbbb40 x7 : 0000000000000000 x6 : ffff0000c00b0000 [ 263.892764] x5 : 0000000000000060 x4 : ffff0000ff76bcf8 x3 : 0000000000000000 [ 263.892771] x2 : 0000000000000000 x1 : 0000000000000030 x0 : 000000000042d800 [ 263.892778] Call trace: [ 263.892781] ___slab_alloc+0x408/0x958 [ 263.892787] __kmem_cache_alloc_node+0xd4/0x1fc [ 263.892795] kmalloc_trace+0x24/0x34 [ 263.892802] kernfs_fop_open+0x2f0/0x390 [ 263.892808] do_dentry_open+0x16c/0x50c [ 263.892814] vfs_open+0x30/0x40 [ 263.892822] path_openat+0xb2c/0xee0 [ 263.892829] do_filp_open+0xa4/0x15c [ 263.892836] do_sys_openat2+0xc8/0xfc [ 263.892841] __arm64_sys_openat+0x68/0xac [ 263.892847] invoke_syscall+0x4c/0x124 [ 263.892854] el0_svc_common.constprop.0+0x44/0xec [ 263.892862] do_el0_svc+0x20/0x30 [ 263.892868] el0_svc+0x3c/0xd8 [ 263.892875] el0t_64_sync_handler+0x108/0x134 [ 263.892881] el0t_64_sync+0x198/0x19c [ 263.892890] Code: f9000a60 a94573fb b9402ac1 f9400660 (f8616ae1) [ 263.892894] ---[ end trace 0000000000000000 ]--- [ 263.892899] Kernel panic - not syncing: Oops: Fatal exception [ 263.892902] SMP: stopping secondary CPUs [ 263.896937] Kernel Offset: disabled [ 263.896939] CPU features: 0x0,00000008,00020000,1000420b [ 263.896944] Memory Limit: none Without OP-TEE Debug Output [ 917.500140] Unable to handle kernel paging request at virtual address 00000000fffffff7 [ 917.500159] Mem abort info: [ 917.500161] ESR = 0x0000000096000004 [ 917.500164] EC = 0x25: DABT (current EL), IL = 32 bits [ 917.500169] SET = 0, FnV = 0 [ 917.500173] EA = 0, S1PTW = 0 [ 917.500176] FSC = 0x04: level 0 translation fault [ 917.500180] Data abort info: [ 917.500181] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 917.500185] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 917.500189] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 917.500194] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046120000 [ 917.500199] [00000000fffffff7] pgd=0000000000000000, p4d=0000000000000000 [ 917.500210] Internal error: Oops: 0000000096000004 [#1] PREEMPT_RT SMP [ 917.500218] CPU: 1 PID: 962 Comm: tee-supplicant Not tainted 6.6.80-rt51 #22 [ 917.500225] Hardware name: Toradex Verdin iMX8M Plus [ 917.500229] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 917.500236] pc : complete+0x5c/0x9c [ 917.500252] lr : complete+0x28/0x9c [ 917.500261] sp : ffff8000833e3bb0 [ 917.500264] x29: ffff8000833e3bb0 x28: ffff000002855e80 x27: 0000000000000000 [ 917.500274] x26: 0000000000000000 x25: 0000000000000000 x24: ffff000002856480 [ 917.500284] x23: ffff0000c007aca0 x22: 00000000ffff000e x21: 0000000000000000 [ 917.500293] x20: ffff0000c393a8d8 x19: 00000000ffffffff x18: ffff8000826f9090 [ 917.500303] x17: 0000000000000100 x16: ffff800080f92850 x15: 0000000000000040 [ 917.500313] x14: 0000000000000004 x13: ffff0000c0d625d8 x12: 0000000000000000 [ 917.500322] x11: ffff000001d51700 x10: ffff000001d516d0 x9 : ffff0000c0d625d8 [ 917.500332] x8 : ffff000001d516f8 x7 : 0000000000000000 x6 : 0000000000000228 [ 917.500341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000001 [ 917.500350] x2 : 0000000000000000 x1 : 0000000000000003 x0 : ffff0000c393a8e0 [ 917.500362] Call trace: [ 917.500365] complete+0x5c/0x9c [ 917.500373] optee_supp_release+0x5c/0x12c [ 917.500383] optee_release_supp+0x44/0x58 [ 917.500390] teedev_ctx_put.part.0+0x90/0xc8 [ 917.500397] teedev_ctx_put+0x20/0x30 [ 917.500403] tee_shm_put+0x110/0x188 [ 917.500409] tee_shm_fop_release+0x18/0x2c [ 917.500416] __fput+0xc0/0x26c [ 917.500425] ____fput+0x14/0x24 [ 917.500433] task_work_run+0x7c/0xdc [ 917.500440] do_exit+0x2d8/0x8d8 [ 917.500447] do_group_exit+0x38/0x94 [ 917.500455] __wake_up_parent+0x0/0x38 [ 917.500462] invoke_syscall+0x4c/0x124 [ 917.500471] el0_svc_common.constprop.0+0x44/0xec [ 160.985670] Unable to handle kernel paging request at virtual address ffff0000c4a18039 [ 160.985686] Mem abort info: [ 160.985688] ESR = 0x0000000096000021 [ 160.985690] EC = 0x25: DABT (current EL), IL = 32 bits [ 160.985694] SET = 0, FnV = 0 [ 160.985696] EA = 0, S1PTW = 0 [ 160.985699] FSC = 0x21: alignment fault [ 160.985701] Data abort info: [ 160.985703] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 [ 160.985705] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 160.985709] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 160.985712] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000411ca000 [ 160.985716] [ffff0000c4a18039] pgd=180000013fff8003, p4d=180000013fff8003, pud=180000013fa1b003, pmd=180000013f9f5003, pte=0068000104a18707 [ 160.985730] Internal error: Oops: 0000000096000021 [#1] PREEMPT_RT SMP [ 160.985736] CPU: 1 PID: 2894 Comm: pkcs11-tool Not tainted 6.6.80-rt51 #22 [ 160.985742] Hardware name: Toradex Verdin iMX8M Plus [ 160.985746] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 160.985751] pc : tee_shm_put+0x144/0x188 [ 160.985762] lr : tee_shm_put+0x34/0x188 [ 160.985767] sp : ffff800083e63b30 [ 160.985769] x29: ffff800083e63b30 x28: ffff0000145fb000 x27: ffff0000c4a18001 [ 160.985777] x26: ffff0000c7455f58 x25: ffff0000145d0000 x24: ffff0000c09c4400 [ 160.985786] x23: ffff0000c4a185a0 x22: ffff0000c0836800 x21: ffff0000c0836bd8 [ 160.985794] x20: ffff0000c4a18039 x19: ffff0000c4a18001 x18: ffff8000837a5060 [ 160.985801] x17: 0000000000000100 x16: ffff800080f92850 x15: 0000000000000000 [ 160.985808] x14: 0000000000000000 x13: 0000000000000001 x12: 00000000000a122e [ 160.985817] x11: ffff8000811b5000 x10: 00007fffffffffff x9 : 0001000000000000 [ 160.985825] x8 : ffff800083e63b18 x7 : 0000000000000000 x6 : 0000000000000000 [ 160.985832] x5 : ffff0000c09c4540 x4 : ffff0000c4a18039 x3 : 0000000000000000 [ 160.985839] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 [ 160.985849] Call trace: [ 160.985851] tee_shm_put+0x144/0x188 [ 160.985856] tee_shm_free+0x14/0x24 [ 160.985861] optee_shm_register+0x1a4/0x1dc [ 160.985868] register_shm_helper+0x1cc/0x29c [ 160.985874] tee_shm_register_user_buf+0xb0/0x14c [ 160.985881] tee_ioctl+0xc4/0x11d0 [ 160.985886] __arm64_sys_ioctl+0xc8/0xe8 [ 160.985892] invoke_syscall+0x4c/0x124 [ 160.985899] el0_svc_common.constprop.0+0x44/0xec [ 160.985906] do_el0_svc+0x20/0x30 [ 160.985913] el0_svc+0x3c/0xd8 [ 160.985921] el0t_64_sync_handler+0x108/0x134 [ 160.985927] el0t_64_sync+0x198/0x19c [ 160.985935] Code: d65f03c0 9100e264 52800021 f9800091 (885f7c80) [ 160.985942] ---[ end trace 0000000000000000 ]--- [ 160.985945] Kernel panic - not syncing: Oops: Fatal exception [ 160.985949] SMP: stopping secondary CPUs [ 160.985957] Kernel Offset: disabled [ 160.985959] CPU features: 0x0,00000008,00020000,1000420b [ 160.985963] Memory Limit: none

9 months, 1 week

1
0
0 0

Preparing for OP-TEE 4.6.0

by Jens Wiklander

[BCC all OP-TEE maintainers] Hi OP-TEE maintainers & contributors, OP-TEE version 4.6.0 is scheduled to be released on 2025-04-25. So, now is a good time to start testing the master branch on the various platforms and report/fix any bugs. The GitHub pull request for collecting Tested-by tags or any other comments is https://github.com/OP-TEE/optee_os/pull/7359. We will create the release candidate tag 4.6.0-rc1 this Friday, allowing for a two-week testing period before the planned release. You can find more information related to releases here: https://optee.readthedocs.io/en/latest/general/releases.html Thanks, Jens

9 months, 2 weeks

1
1
0 0

[PATCH v6 00/10] TEE subsystem for restricted dma-buf allocations

by Jens Wiklander

Hi, This patch set allocates the restricted DMA-bufs from a DMA-heap instantiated from the TEE subsystem. The TEE subsystem handles the DMA-buf allocations since it is the TEE (OP-TEE, AMD-TEE, TS-TEE, or perhaps a future QTEE) which sets up the restrictions for the memory used for the DMA-bufs. The DMA-heap uses a restricted memory pool provided by the backend TEE driver, allowing it to choose how to allocate the restricted physical memory. The allocated DMA-bufs must be imported with a new TEE_IOC_SHM_REGISTER_FD before they can be passed as arguments when requesting services from the secure world. Three use-cases (Secure Video Playback, Trusted UI, and Secure Video Recording) has been identified so far to serve as examples of what can be expected. The use-cases has predefined DMA-heap names, "restricted,secure-video", "restricted,trusted-ui", and "restricted,secure-video-record". The backend driver registers restricted memory pools for the use-cases it supports. Each use-case has it's own restricted memory pool since different use-cases requires isolation from different parts of the system. A restricted memory pool can be based on a static carveout instantiated while probing the TEE backend driver, or dynamically allocated from CMA and made restricted as needed by the TEE. This can be tested on a RockPi 4B+ with the following steps: repo init -u https://github.com/jenswi-linaro/manifest.git -m rockpi4.xml \ -b prototype/sdp-v6 repo sync -j8 cd build make toolchains -j$(nproc) make all -j$(nproc) # Copy ../out/rockpi4.img to an SD card and boot the RockPi from that # Connect a monitor to the RockPi # login and at the prompt: gst-launch-1.0 videotestsrc ! \ aesenc key=1f9423681beb9a79215820f6bda73d0f \ iv=e9aa8e834d8d70b7e0d254ff670dd718 serialize-iv=true ! \ aesdec key=1f9423681beb9a79215820f6bda73d0f ! \ kmssink The aesdec module has been hacked to use an OP-TEE TA to decrypt the stream into restricted DMA-bufs which are consumed by the kmssink. The primitive QEMU tests from previous patch set can be tested on RockPi in the same way with: xtest --sdp-basic The primitive test are tested on QEMU with the following steps: repo init -u https://github.com/jenswi-linaro/manifest.git -m qemu_v8.xml \ -b prototype/sdp-v6 repo sync -j8 cd build make toolchains -j$(nproc) make SPMC_AT_EL=1 all -j$(nproc) make SPMC_AT_EL=1 run-only # login and at the prompt: xtest --sdp-basic The SPMC_AT_EL=1 parameter configures the build with FF-A and an SPMC at S-EL1 inside OP-TEE. The parameter can be changed into SPMC_AT_EL=n to test without FF-A using the original SMC ABI instead. Please remember to do %rm -rf ../trusted-firmware-a/build/qemu for TF-A to be rebuilt properly using the new configuration. https://optee.readthedocs.io/en/latest/building/prerequisites.html list dependencies needed to build the above. The tests are pretty basic, mostly checking that a Trusted Application in the secure world can access and manipulate the memory. There are also some negative tests for out of bounds buffers etc. Thanks, Jens Changes since V5: * Removing "tee: add restricted memory allocation" and "tee: add TEE_IOC_RSTMEM_FD_INFO" * Adding "tee: implement restricted DMA-heap", "tee: new ioctl to a register tee_shm from a dmabuf file descriptor", "tee: add tee_shm_alloc_cma_phys_mem()", "optee: pass parent device to tee_device_alloc()", and "tee: tee_device_alloc(): copy dma_mask from parent device" * The two TEE driver OPs "rstmem_alloc()" and "rstmem_free()" are replaced with a struct tee_rstmem_pool abstraction. * Replaced the the TEE_IOC_RSTMEM_ALLOC user space API with the DMA-heap API Changes since V4: * Adding the patch "tee: add TEE_IOC_RSTMEM_FD_INFO" needed by the GStreamer demo * Removing the dummy CPU access and mmap functions from the dma_buf_ops * Fixing a compile error in "optee: FF-A: dynamic restricted memory allocation" reported by kernel test robot <lkp(a)intel.com> Changes since V3: * Make the use_case and flags field in struct tee_shm u32's instead of u16's * Add more description for TEE_IOC_RSTMEM_ALLOC in the header file * Import namespace DMA_BUF in module tee, reported by lkp(a)intel.com * Added a note in the commit message for "optee: account for direction while converting parameters" why it's needed * Factor out dynamic restricted memory allocation from "optee: support restricted memory allocation" into two new commits "optee: FF-A: dynamic restricted memory allocation" and "optee: smc abi: dynamic restricted memory allocation" * Guard CMA usage with #ifdef CONFIG_CMA, effectively disabling dynamic restricted memory allocate if CMA isn't configured Changes since the V2 RFC: * Based on v6.12 * Replaced the flags for SVP and Trusted UID memory with a u32 field with unique id for each use case * Added dynamic allocation of restricted memory pools * Added OP-TEE ABI both with and without FF-A for dynamic restricted memory * Added support for FF-A with FFA_LEND Changes since the V1 RFC: * Based on v6.11 * Complete rewrite, replacing the restricted heap with TEE_IOC_RSTMEM_ALLOC Changes since Olivier's post [2]: * Based on Yong Wu's post [1] where much of dma-buf handling is done in the generic restricted heap * Simplifications and cleanup * New commit message for "dma-buf: heaps: add Linaro restricted dmabuf heap support" * Replaced the word "secure" with "restricted" where applicable Etienne Carriere (1): tee: new ioctl to a register tee_shm from a dmabuf file descriptor Jens Wiklander (9): tee: tee_device_alloc(): copy dma_mask from parent device optee: pass parent device to tee_device_alloc() optee: account for direction while converting parameters optee: sync secure world ABI headers tee: implement restricted DMA-heap tee: add tee_shm_alloc_cma_phys_mem() optee: support restricted memory allocation optee: FF-A: dynamic restricted memory allocation optee: smc abi: dynamic restricted memory allocation drivers/tee/Makefile | 1 + drivers/tee/optee/Makefile | 1 + drivers/tee/optee/call.c | 10 +- drivers/tee/optee/core.c | 1 + drivers/tee/optee/ffa_abi.c | 194 +++++++++++- drivers/tee/optee/optee_ffa.h | 27 +- drivers/tee/optee/optee_msg.h | 65 ++++- drivers/tee/optee/optee_private.h | 55 +++- drivers/tee/optee/optee_smc.h | 71 ++++- drivers/tee/optee/rpc.c | 31 +- drivers/tee/optee/rstmem.c | 329 +++++++++++++++++++++ drivers/tee/optee/smc_abi.c | 190 ++++++++++-- drivers/tee/tee_core.c | 147 +++++++--- drivers/tee/tee_heap.c | 470 ++++++++++++++++++++++++++++++ drivers/tee/tee_private.h | 7 + drivers/tee/tee_shm.c | 199 ++++++++++++- include/linux/tee_core.h | 67 +++++ include/linux/tee_drv.h | 10 + include/uapi/linux/tee.h | 29 ++ 19 files changed, 1781 insertions(+), 123 deletions(-) create mode 100644 drivers/tee/optee/rstmem.c create mode 100644 drivers/tee/tee_heap.c base-commit: 7eb172143d5508b4da468ed59ee857c6e5e01da6 -- 2.43.0

9 months, 2 weeks

3
47
0 0

Extract RPMB Key

by Stauffer Thomas MTANA

As far as I understand there are currently two possibilities to setup an RPMB with an appropriate key. 1. Use a specialized OP-TEE with CFG_RPMB_WRITE_KEY=y during production in an environment were leaking the key is ok. 2. Get the HUK, get the CID from the MMC, then use scripts/derive_rpmb_key.py to calculate the RPMB key and set e.g. via mmc tool. I've the impression when I read through some message on https://github.com/OP-TEE/optee_os/issues, that 1 is not considered the best idea. Currently I'm working on a iMX8M platform and using CFG_RPMB_WRITE_KEY also has the drawback to use the legacy RPMB interface, which makes tee-supplicant still necessary, which otherwise would not be needed. The problem at least on iMX8M is that its not easy possible to get the HUK, and the HUK also is different, depending if a device is in a closed state or not. To extract the whole HUK, even in a sensible environment during production, seems unnecessary. What I did now, something very simple. I extended tee_rpmb_fs.c a little bit and made a function which allows to retrieve the RPMB key, I added also a tiny PTA, and a corresponding user space application to get the RPMB key, only as long CFG_INSECURE is set, therefore also only a specialized OP-TEE build can provide this functionality. Someone can now decide to get the RPMB key either before the device is closed (for testing devices), or afterwards. Write then the RPMB key manually (e.g. via mmc tool) and/or also store it securly in a production data database. What would be the advantages, compared to CFG_RPMB_WRITE_KEY=y - HUK is still not leaked, as it may be used to derive other secrets - derive_rpmb_key.py is not necessary - It is guaranteed that the correct RPMB key is retrieved, 100% matches how OP-TEE was configured (e.g. with compat mode enabled or not) - Because the RPMB key is known, one can manually still delete the RPMB and see how OP-TEE handles this situation, at least during development - Testing this functionality also on an open device (which is currently not possible at least on iMX8M, due to plat_rpmb_key_is_ready) My question is, if there would be any interest to open a PR, so other people also can use this?

9 months, 2 weeks

2
2
0 0

Conflict with "fallthrough" define

by Jacob Kroon

Hi, We are using OP-TEE together with a library that provides its own "fallthrough" define, similar to what OP-TEE does in lib/libutils/ext/include/compiler.h: #define fallthrough __attribute__((__fallthrough__)) However, this other library checks for fallthrough attribute support by first doing: #if __has_cpp_attribute(fallthrough) ... #endif which fails to compile due to the OP-TEE define. Would OP-TEE accept a patch to rename the "fallthrough" define to something like "optee_fallthrough", "FALLTHROUGH", <other suggestion> ? Or should we upstream a patch to the library to do: #if __has_cpp_attribute(__fallthrough__) ... #endif (which is what OP-TEE currently does) Regards Jacob

9 months, 3 weeks

3
2
0 0

[RFC PATCH 0/7] KVM: optee: Introduce OP-TEE Mediator for exposing secure world to KVM guests

by Yuvraj Sakshith

A KVM guest running on an arm64 machine will not be able to interact with a trusted execution environment (which supports non-secure guests) like OP-TEE in the secure world. This is because, instructions provided by the architecture (such as, SMC) which switch control to the firmware, are trapped in EL2 when the guest is executes them. This series adds a feature into the kernel called the TEE mediator abstraction layer, which lets a guest interact with the secure world. Additionally, a OP-TEE specific mediator is also implemented, which hooks itself to the TEE mediator layer and intercepts guest SMCs targetted at OP-TEE. Overview ========= Essentially, if the kernel wants to interact with OP-TEE, it makes an "smc - secure monitor call instruction", after loading in arguments into CPU registers. What these arguments consists of and how both these entities communicate can vary. If a guest wants to establish a connection with the secure world, its not possible. This is because of the fact that "smc" by the guest are trapped by the hypervisor in EL2. This is done by setting the HCR_EL2.TSC bit before entering the guest. Hence, this feature which I we may call TEE mediator, acts as an intermediary between the guest and OP-TEE. Instead of denying the guest SMC and jumping back into the guest, the mediator forwards the request to OP-TEE. OP-TEE supports virtualization in the normal world and expects 6 things from the NS-hypervisor: 1. Notify OP-TEE when a VM is created. 2. Notify OP-TEE when a VM is destroyed. 3. Any SMC to OP-TEE has to contain the VMID in x7. If its the hypervisor sending, then VMID is 0. 4. Hypervisor has to perform IPA->PA translations of the memory addresses sent by guest. 5. Memory shared by the VM to OP-TEE has to remain pinned. 6. The hypervisor has to follow the OP-TEE protocol, so the guest thinks it is directly speaking to OP-TEE. Its important to note that, if OP-TEE is built with NS-virtualization support, it can only function if there is a hypervisor with a mediator in normal world. This implementation has been heavily inspired by Xen's OP-TEE mediator. Design ====== The unique design of KVM makes it quite challenging to implement such a mediator. OP-TEE is not aware of the host-guest paradigm. Hence, the mediator treats the host as a VM with VMID 1. The guests are assigned VMIDs starting from 2 (note, these are not the VMIDs tagged in TLB, rather we implement our own simple indexing mechanism). When the host's OP-TEE driver is initialised or released, OP-TEE is notified about VM 1 being created/destroyed. When a VMM (such as, QEMU) created a guest through KVM ioctls, a call to the TEE mediator layer is made, which in-turn calls OP-TEE mediator which eventually assigns a VM context, VMID, etc. and notifies OP-TEE about guest creation. The opposite happens on guest destruction. When the guest makes an SMC targetting OP-TEE, it is trapped by the hypervisor and the register state (kvm_vcpu) is sent to the OP-TEE mediator through the TEE layer. Here there are two possibilities. The guest may make an SMC with arguments which are simple numeric values, exchanging UUID, version information, etc. In this case, the mediator has much less work. It has to attach VMID into X7 and pass the register state to OP-TEE. But, when guest passes memory addresses as arguments, the mediator has to translate these into physical addresses from intermediate physical addresses (IPA). According to the OP-TEE protocol (as documented in optee_smc.h and optee_msg.h), the guest OP-TEE driver would share a buffer filled with pointers, which the mediator translates. The OP-TEE mediator also keeps track of active calls between each guest and OP-TEE, and pins pages which are already shared. This is to avoid swapping of shared pages by the host under memory pressure. These pages are unpinned as soon as guest's transaction completes with OP-TEE. Testing ======= The feature has been tested on QEMU virt platform using "xtest" as the test suite. As of now, all of 35000+ tests pass. The mediator has also been stressed under memory pressure and all tests pass too. Any suggestions on further testing the feature are welcome. Call for review =============== Any insights/suggestions regarding the implementation are appreciated. Yuvraj Sakshith (7): firmware: smccc: Add macros for Trusted OS/App owner check on SMC value tee: Add TEE Mediator module which aims to expose TEE to a KVM guest. KVM: Notify TEE Mediator when KVM creates and destroys guests KVM: arm64: Forward guest CPU state to TEE mediator on SMC trap tee: optee: Add OPTEE_SMC_VM_CREATED and OPTEE_SMC_VM_DESTROYED tee: optee: Add OP-TEE Mediator tee: optee: Notify TEE Mediator on OP-TEE driver initialization and release arch/arm64/kvm/hypercalls.c | 15 +- drivers/tee/Kconfig | 5 + drivers/tee/Makefile | 1 + drivers/tee/optee/Kconfig | 7 + drivers/tee/optee/Makefile | 1 + drivers/tee/optee/core.c | 13 +- drivers/tee/optee/optee_mediator.c | 1319 ++++++++++++++++++++++++++++ drivers/tee/optee/optee_mediator.h | 103 +++ drivers/tee/optee/optee_smc.h | 53 ++ drivers/tee/optee/smc_abi.c | 6 + drivers/tee/tee_mediator.c | 145 +++ include/linux/arm-smccc.h | 8 + include/linux/tee_mediator.h | 39 + virt/kvm/kvm_main.c | 11 +- 14 files changed, 1721 insertions(+), 5 deletions(-) create mode 100644 drivers/tee/optee/optee_mediator.c create mode 100644 drivers/tee/optee/optee_mediator.h create mode 100644 drivers/tee/tee_mediator.c create mode 100644 include/linux/tee_mediator.h -- 2.43.0

9 months, 3 weeks

2
11
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE