- OP-TEE - lists.trustedfirmware.org

[PATCH] tee: fix compiler warning in tee_shm_register()

by Jens Wiklander

Include <linux/uaccess.h> to avoid the warning: drivers/tee/tee_shm.c: In function 'tee_shm_register': >> drivers/tee/tee_shm.c:242:14: error: implicit declaration of function 'access_ok' [-Werror=implicit-function-declaration] 242 | if (!access_ok((void __user *)addr, length)) | ^~~~~~~~~ cc1: some warnings being treated as errors Fixes: 573ae4f13f63 ("tee: add overflow check in register_shm_helper()") Reported-by: kernel test robot <lkp(a)intel.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 1175f3a46859..27295bda3e0b 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -9,6 +9,7 @@ #include <linux/sched.h> #include <linux/slab.h> #include <linux/tee_drv.h> +#include <linux/uaccess.h> #include <linux/uio.h> #include "tee_private.h" -- 2.31.1

3 years, 2 months

2
2
0 0

[PATCH v3] tee: add overflow check in register_shm_helper()

by Jens Wiklander

With special lengths supplied by user space, register_shm_helper() has an integer overflow when calculating the number of pages covered by a supplied user space memory region. This causes internal_get_user_pages_fast() a helper function of pin_user_pages_fast() to do a NULL pointer dereference. [ 14.141620] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 [ 14.142556] Mem abort info: [ 14.142829] ESR = 0x0000000096000044 [ 14.143237] EC = 0x25: DABT (current EL), IL = 32 bits [ 14.143742] SET = 0, FnV = 0 [ 14.144052] EA = 0, S1PTW = 0 [ 14.144348] FSC = 0x04: level 0 translation fault [ 14.144767] Data abort info: [ 14.145053] ISV = 0, ISS = 0x00000044 [ 14.145394] CM = 0, WnR = 1 [ 14.145766] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004278e000 [ 14.146279] [0000000000000010] pgd=0000000000000000, p4d=0000000000000000 [ 14.147435] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 14.148026] Modules linked in: [ 14.148595] CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11 [ 14.149204] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 [ 14.149832] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 14.150481] pc : internal_get_user_pages_fast+0x474/0xa80 [ 14.151640] lr : internal_get_user_pages_fast+0x404/0xa80 [ 14.152408] sp : ffff80000a88bb30 [ 14.152711] x29: ffff80000a88bb30 x28: 0000fffff836d000 x27: 0000fffff836e000 [ 14.153580] x26: fffffc0000000000 x25: fffffc0000f4a1c0 x24: ffff00000289fb70 [ 14.154634] x23: ffff000002702e08 x22: 0000000000040001 x21: ffff8000097eec60 [ 14.155378] x20: 0000000000f4a1c0 x19: 00e800007d287f43 x18: 0000000000000000 [ 14.156215] x17: 0000000000000000 x16: 0000000000000000 x15: 0000fffff836cfb0 [ 14.157068] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 14.157747] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 14.158576] x8 : ffff00000276ec80 x7 : 0000000000000000 x6 : 000000000000003f [ 14.159243] x5 : 0000000000000000 x4 : ffff000041ec4eac x3 : ffff000002774cb8 [ 14.159977] x2 : 0000000000000004 x1 : 0000000000000010 x0 : 0000000000000000 [ 14.160883] Call trace: [ 14.161166] internal_get_user_pages_fast+0x474/0xa80 [ 14.161763] pin_user_pages_fast+0x24/0x4c [ 14.162227] register_shm_helper+0x194/0x330 [ 14.162734] tee_shm_register_user_buf+0x78/0x120 [ 14.163290] tee_ioctl+0xd0/0x11a0 [ 14.163739] __arm64_sys_ioctl+0xa8/0xec [ 14.164227] invoke_syscall+0x48/0x114 [ 14.164653] el0_svc_common.constprop.0+0x44/0xec [ 14.165130] do_el0_svc+0x2c/0xc0 [ 14.165498] el0_svc+0x2c/0x84 [ 14.165847] el0t_64_sync_handler+0x1ac/0x1b0 [ 14.166258] el0t_64_sync+0x18c/0x190 [ 14.166878] Code: 91002318 11000401 b900f7e1 f9403be1 (f820d839) [ 14.167666] ---[ end trace 0000000000000000 ]--- Fix this by adding an overflow check when calculating the end of the memory range. Also add an explicit call to access_ok() in tee_shm_register_user_buf() to catch an invalid user space address early. Fixes: 033ddf12bcf5 ("tee: add register user memory") Cc: stable(a)vger.kernel.org Reported-by: Nimish Mishra <neelam.nimish(a)gmail.com> Reported-by: Anirban Chakraborty <ch.anirban00727(a)gmail.com> Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay(a)gmail.com> Suggested-by: Linus Torvalds <torvalds(a)linuxfoundation.org> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- v2 -> v3: - Public review - Relies entirely on access_ok() for overflow checks as suggested - Check against zero registersted pages is kept - Replaced Suggested-by tag v1 -> v2: - Non-public review - Added access_ok() and overflow check with roundup() drivers/tee/tee_shm.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index f2b1bcefcadd..a88669d6ea68 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -240,6 +240,14 @@ register_shm_helper(struct tee_context *ctx, unsigned long addr, void *ret; int rc; + addr = untagged_addr(addr); + start = rounddown(addr, PAGE_SIZE); + num_pages = (roundup(addr + length, PAGE_SIZE) - start) / PAGE_SIZE; + + /* Error out early if no pages are to be registered */ + if (!num_pages) + return ERR_PTR(-EINVAL); + if (!tee_device_get(teedev)) return ERR_PTR(-EINVAL); @@ -261,11 +269,8 @@ register_shm_helper(struct tee_context *ctx, unsigned long addr, shm->flags = flags; shm->ctx = ctx; shm->id = id; - addr = untagged_addr(addr); - start = rounddown(addr, PAGE_SIZE); shm->offset = addr - start; shm->size = length; - num_pages = (roundup(addr + length, PAGE_SIZE) - start) / PAGE_SIZE; shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL); if (!shm->pages) { ret = ERR_PTR(-ENOMEM); @@ -326,6 +331,9 @@ struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx, void *ret; int id; + if (!access_ok((void __user *)addr, length)) + return ERR_PTR(-EFAULT); + mutex_lock(&teedev->mutex); id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL); mutex_unlock(&teedev->mutex); -- 2.31.1

3 years, 2 months

3
3
0 0

[PATCH v2] tee: add overflow check in register_shm_helper()

by Jens Wiklander

With special lengths supplied by user space, register_shm_helper() has an integer overflow when calculating the number of pages covered by a supplied user space memory region. This causes internal_get_user_pages_fast() a helper function of pin_user_pages_fast() to do a NULL pointer dereference. [ 14.141620] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 [ 14.142556] Mem abort info: [ 14.142829] ESR = 0x0000000096000044 [ 14.143237] EC = 0x25: DABT (current EL), IL = 32 bits [ 14.143742] SET = 0, FnV = 0 [ 14.144052] EA = 0, S1PTW = 0 [ 14.144348] FSC = 0x04: level 0 translation fault [ 14.144767] Data abort info: [ 14.145053] ISV = 0, ISS = 0x00000044 [ 14.145394] CM = 0, WnR = 1 [ 14.145766] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004278e000 [ 14.146279] [0000000000000010] pgd=0000000000000000, p4d=0000000000000000 [ 14.147435] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 14.148026] Modules linked in: [ 14.148595] CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11 [ 14.149204] Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 [ 14.149832] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 14.150481] pc : internal_get_user_pages_fast+0x474/0xa80 [ 14.151640] lr : internal_get_user_pages_fast+0x404/0xa80 [ 14.152408] sp : ffff80000a88bb30 [ 14.152711] x29: ffff80000a88bb30 x28: 0000fffff836d000 x27: 0000fffff836e000 [ 14.153580] x26: fffffc0000000000 x25: fffffc0000f4a1c0 x24: ffff00000289fb70 [ 14.154634] x23: ffff000002702e08 x22: 0000000000040001 x21: ffff8000097eec60 [ 14.155378] x20: 0000000000f4a1c0 x19: 00e800007d287f43 x18: 0000000000000000 [ 14.156215] x17: 0000000000000000 x16: 0000000000000000 x15: 0000fffff836cfb0 [ 14.157068] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 14.157747] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 14.158576] x8 : ffff00000276ec80 x7 : 0000000000000000 x6 : 000000000000003f [ 14.159243] x5 : 0000000000000000 x4 : ffff000041ec4eac x3 : ffff000002774cb8 [ 14.159977] x2 : 0000000000000004 x1 : 0000000000000010 x0 : 0000000000000000 [ 14.160883] Call trace: [ 14.161166] internal_get_user_pages_fast+0x474/0xa80 [ 14.161763] pin_user_pages_fast+0x24/0x4c [ 14.162227] register_shm_helper+0x194/0x330 [ 14.162734] tee_shm_register_user_buf+0x78/0x120 [ 14.163290] tee_ioctl+0xd0/0x11a0 [ 14.163739] __arm64_sys_ioctl+0xa8/0xec [ 14.164227] invoke_syscall+0x48/0x114 [ 14.164653] el0_svc_common.constprop.0+0x44/0xec [ 14.165130] do_el0_svc+0x2c/0xc0 [ 14.165498] el0_svc+0x2c/0x84 [ 14.165847] el0t_64_sync_handler+0x1ac/0x1b0 [ 14.166258] el0t_64_sync+0x18c/0x190 [ 14.166878] Code: 91002318 11000401 b900f7e1 f9403be1 (f820d839) [ 14.167666] ---[ end trace 0000000000000000 ]--- Fix this by adding an overflow check when calculating the end of the memory range. Also add an explicit call to access_ok() in tee_shm_register_user_buf() to catch an invalid user space address early. Fixes: 033ddf12bcf5 ("tee: add register user memory") Cc: stable(a)vger.kernel.org Reported-by: Nimish Mishra <neelam.nimish(a)gmail.com> Reported-by: Anirban Chakraborty <ch.anirban00727(a)gmail.com> Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay(a)gmail.com> Suggested-by: Jerome Forissier <jerome.forissier(a)linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index f2b1bcefcadd..f71651021c8d 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -231,15 +231,30 @@ EXPORT_SYMBOL_GPL(tee_shm_alloc_priv_buf); static struct tee_shm * register_shm_helper(struct tee_context *ctx, unsigned long addr, - size_t length, u32 flags, int id) + unsigned long length, u32 flags, int id) { struct tee_device *teedev = ctx->teedev; + unsigned long end_addr; struct tee_shm *shm; unsigned long start; size_t num_pages; void *ret; int rc; + /* Check for overflows, this may be input from user space */ + addr = untagged_addr(addr); + start = rounddown(addr, PAGE_SIZE); + if (check_add_overflow(addr, length, &end_addr)) + return ERR_PTR(-EINVAL); + end_addr = roundup(end_addr, PAGE_SIZE); + if (end_addr < start) + return ERR_PTR(-EINVAL); + num_pages = (end_addr - start) / PAGE_SIZE; + + /* Error out early if no pages are to be registered */ + if (!num_pages) + return ERR_PTR(-EINVAL); + if (!tee_device_get(teedev)) return ERR_PTR(-EINVAL); @@ -261,11 +276,8 @@ register_shm_helper(struct tee_context *ctx, unsigned long addr, shm->flags = flags; shm->ctx = ctx; shm->id = id; - addr = untagged_addr(addr); - start = rounddown(addr, PAGE_SIZE); shm->offset = addr - start; shm->size = length; - num_pages = (roundup(addr + length, PAGE_SIZE) - start) / PAGE_SIZE; shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL); if (!shm->pages) { ret = ERR_PTR(-ENOMEM); @@ -326,6 +338,9 @@ struct tee_shm *tee_shm_register_user_buf(struct tee_context *ctx, void *ret; int id; + if (!access_ok((void __user *)addr, length)) + return ERR_PTR(-EFAULT); + mutex_lock(&teedev->mutex); id = idr_alloc(&teedev->idr, NULL, 1, 0, GFP_KERNEL); mutex_unlock(&teedev->mutex); -- 2.31.1

3 years, 2 months

3
5
0 0

[PATCH 0/1] tee: Add tee_shm_register_fd

by Olivier Masse

Add a new ioctl called TEE_IOC_SHM_REGISTER_FD to register a shared memory from a dmabuf file descriptor. Etienne Carriere (1): tee: new ioctl to a register tee_shm from a dmabuf file descriptor drivers/tee/tee_core.c | 38 +++++++++++++++ drivers/tee/tee_shm.c | 99 +++++++++++++++++++++++++++++++++++++++- include/linux/tee_drv.h | 11 +++++ include/uapi/linux/tee.h | 29 ++++++++++++ 4 files changed, 175 insertions(+), 2 deletions(-) -- 2.25.0

3 years, 2 months

4
7
0 0

Current design of tee-supplicant can't support ftpm requests during kernel space bootup

by Judy Wang

Hi Jens, As we are developing platforms to enable RPMB secure storage + fTPM TA, we realize that the current design of optee-os relying on a user space daemon tee-supplicant to serve requests cannot meet requirements of another open source linux kernel, IMA(Integrity Measurement Architecture). This module will try to collect data from TPM devices, which in our case, is fTPM TA. It has to collect data when kernel space is booting up, so we cannot delay these requests further until user space is up. With RPMB as our secure storage, some requests will be sent back to kernel space, but tee-supplicant context is not yet initialized, which results in IMA detection of TPM devices failed. Therefore, failed on the measurements we need. I am wondering if we have related discussion on how modify the design to serve optee-os requests during kernel bootup. I can't find related topics in LKML archive. Thank you. Judy. Cat from /Documentation/ABI/testing/sysfs-bus-optee-devices What: /sys/bus/tee/devices/optee-ta-<uuid>/ Date: May 2020 KernelVersion 5.8 Contact: op-tee(a)lists.trustedfirmware.org<mailto:op-tee@lists.trustedfirmware.org> Description: OP-TEE bus provides reference to registered drivers under this directory. The <uuid> matches Trusted Application (TA) driver and corresponding TA in secure OS. Drivers are free to create needed API under optee-ta-<uuid> directory. Reference: fTPM TA: microsoft/MSRSec: Security and Privacy Research at Microsoft (github.com)<https://github.com/microsoft/MSRSec> IMA enabling: https://sourceforge.net/p/linux-ima/wiki/Home/#enabling-ima-measurement:~:t…

3 years, 2 months

4
9
0 0

Issue related to mempool allocation

by ramakanth varala

Hi All, I want to generate a rsa key pair with 4096 bits. Using below mbedTLS api , inside my TEE server side implementation. ret = mbedtls_rsa_gen_key( mbedtls_pk_rsa( key ), mbedtls_ctr_drbg_random, &ctr_drbg, 4096, 65537 ); This is resulting in the below error. mempool_alloc:197Failed to allocate 288 bytes, please tune the pool size failed Mines is arm64 infrastructure, with kernel 4.19.183 and optee_os 3.7.0 We tried doing below change (courtesy: https://github.com/OP-TEE/optee_os/issues/3328) and recompiling tomcrypt library In core/lib/libtomcrypt/mpi_desc.c, we changed MPI_MEMPOOL_SIZE #define MPI_MEMPOOL_SIZE (42 * 1024) to #define MPI_MEMPOOL_SIZE (82 * 1024) This didn’t help, kindly provide your inputs. Thanks

3 years, 2 months

2
2
0 0

OP-TEE BTI support

by Olivier Deprez

Hi, (in context of testing BTI support when OP-TEE is loaded as a secure partition on top of SEL2/Hafnium) I read through the OP-TEE documentation, and would like to confirm: CFG_CORE_BTI=y seems mandatorily required to support BTI in TAs. It means we cannot enable independently BTI for TAs and 'disable' for TEE core, is this correct? Interestingly I noticed I can build with CFG_CORE_BTI=n and CTG_TA_BTI=y but I appreciate the end result is that the TA get BTI landpads but is not effectively leveraging the arch extension because code page aren't guarde if TEE core option isn't enabled. I was investigating a way to omit building a specific toolchain as it appears to be required when CFG_CORE_BTI=y, but I'll go ahead if there's no way round. Out of curiosity is OP-TEE core pulling gcc libraries? And if yes, which kind? I naively thought OP-TEE core would be freestanding or be independent from toolchain libs. Thanks & Regards, Olivier.

3 years, 2 months

2
3
0 0

Linaro OP-TEE Contributions (LOC) monthly meeting - July 28 CANCELLED

by Jens Wiklander

Hi, We don't have any topics for the meeting this month. Hence canceling. Regards, Jens on behalf of OP-TEE team

3 years, 3 months

1
0
0 0

OP-TEE 3.18 SPMC status

by Balint Dobszay

Hi All, This is a follow-up email to the OP-TEE 3.18 release, highlighting the updates to the SPMC and related components. Short summary of introduced changes: - optee_os: Added support to the SPMC to process memory regions described in the SP manifest. This enables running the Trusted Services smm-gateway SP. - manifest: Added new manifest (derived from the fvp manifest) which includes Trusted Services and related kernel modules [1]. - build: Added new top level Makefile to configure optee_os as S-EL1 SPMC, build Trusted Services SPs and test apps [2]. For more details on how to get, build and test the SPMC, please see [3]. Regards, Balint [1]: https://github.com/OP-TEE/manifest/blob/3.18.0/fvp-ts.xml [2]: https://github.com/OP-TEE/build/blob/3.18.0/fvp-psa-sp.mk [3]: https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc

3 years, 3 months

1
0
0 0

OP-TEE 3.18.0 has been released

by Jens Wiklander

Hi, I'm pleased to announce that OP-TEE version 3.18.0 is now available. The list of changes can be found in the changelog [1]. A big thank you to everyone who participated with contributions and helping out with testing the release [2]. [1] https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md [2] https://github.com/OP-TEE/optee_os/commit/1ee647035939e073a2e8dddb727c0f019… Regards, Jens

3 years, 3 months

1
0
0 0

2025

2024

2023

2022

2021

2020

OP-TEE