- OP-TEE - lists.trustedfirmware.org

[PATCH] tee: fix uninitialized pointers with free attr

by Ally Heev

Uninitialized pointers with `__free` attribute can cause undefined behaviour as the memory assigned(randomly) to the pointer is freed automatically when the pointer goes out of scope tee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attr in one statement to ensure proper scope-based cleanup Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev <allyheev(a)gmail.com> --- drivers/tee/qcomtee/call.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..8b7b4decddd8d1811dc0a7cc46a4a4fbada45526 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,12 +645,13 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree); struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result; - oic = qcomtee_object_invoke_ctx_alloc(ctx); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = + qcomtee_object_invoke_ctx_alloc(ctx); + if (!oic) return; --- base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2 Best regards, -- Ally Heev <allyheev(a)gmail.com>

3 months

3
2
0 0

[PATCH] tee: fix illegal pointer dereference in tee_shm_put()

by yangzhao

In tee_shm_put(), there is not only the NULL pointer dereference, but also the illegal pointer dereference. shutdown() ---> __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...); tee_shm_free(shm); --> tee_shm_put(shm); //crash: shm->ctx maybe NULL pointer or illegal pointer Check whether the pointer is NULL and whether the pointer address is valid. This issue occurs when rich world uses the 6.x version of the kernel and optee secure world uses a lower version (such as version 3.2), and it is highly likely to trigger a kernel panic when conducting hibernate tests. Fixes: e4a718a3a47e ("tee: fix NULL pointer dereference in tee_shm_put") Signed-off-by: yangzhao <yangzhao(a)kylinos.cn> --- drivers/tee/tee_shm.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 4a47de4bb2e5..de01d16409c1 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -722,7 +722,14 @@ void tee_shm_put(struct tee_shm *shm) struct tee_device *teedev; bool do_release = false; - if (!shm || !shm->ctx || !shm->ctx->teedev) + /* checking pointer */ + if (IS_ERR_OR_NULL(shm) || !virt_addr_valid(shm)) + return; + + if (IS_ERR_OR_NULL(shm->ctx) || !virt_addr_valid(shm->ctx)) + return; + + if (IS_ERR_OR_NULL(shm->ctx->teedev) || !virt_addr_valid(shm->ctx->teedev)) return; teedev = shm->ctx->teedev; -- 2.25.1

3 months

2
3
0 0

[PATCH] hwrng: tpm: Do not enable by default

by Jan Kiszka

From: Jan Kiszka <jan.kiszka(a)siemens.com> As seen with optee_ftpm, which uses ms-tpm-20-ref [1], a TPM may write the current time epoch to its NV storage every 4 seconds if there are commands sent to it. The 60 seconds periodic update of the entropy pool that the hwrng kthread does triggers this, causing about 4 writes per requests. Makes 2 millions per year for a 24/7 device, and that is a lot for its backing NV storage. It is therefore better to make the user intentionally enable this, providing a chance to read the warning. [1] https://github.com/Microsoft/ms-tpm-20-ref Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com> --- drivers/char/tpm/Kconfig | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index 8a8f692b6088..d64c929cacbe 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -45,13 +45,17 @@ config TCG_TPM2_HMAC config HW_RANDOM_TPM bool "TPM HW Random Number Generator support" depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m) - default y help This setting exposes the TPM's Random Number Generator as a hwrng device. This allows the kernel to collect randomness from the TPM at boot, and provides the TPM randomines in /dev/hwrng. - If unsure, say Y. + WARNING: Specifically firmware-based TPMs, possibly also hardware + variants, can wear-out from the frequent requests issued by the + Hardware Random Number Generator Core when filling the kernel's + entropy pool. These requests are sent once every minute by default, + and the TPM may write the current time to its NV storage for each of + them. config TCG_TIS_CORE tristate -- 2.51.0

3 months

3
6
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting October 28

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - OP-TEE version 4.8.0 has been released - We have an op-tee channel at the Trusted Firmware Discord server [1]. Last week, there was a message about improving the order of all the config options we have in OP-TEE, the CFG_* variables. In the long term, we might still aim for Kconfig, but that's quite a large step. However, there are intermediate steps that we can take. I hope we'll see more of this. Are there any other topics? [1] https://www.trustedfirmware.org/faq/ Cheers, Jens

3 months, 2 weeks

1
0
0 0

OP-TEE 4.8.0 has been released

by Jens Wiklander

Hi, I'm pleased to announce that OP-TEE version 4.6.0 is now available. The list of changes can be found in the changelog [1]. A big thank you to everyone who participated with contributions and helping out with testing the release [2]. [1] https://github.com/OP-TEE/optee_os/blob/4.8.0/CHANGELOG.md [2] https://github.com/OP-TEE/optee_os/commit/86660925433a8d4d1b19cfa5fe940081d… Regards, Jens

3 months, 2 weeks

1
0
0 0

[PATCH] core: Relax StMM dependency to TEE_STORAGE_PRIVATE

by Jan Kiszka

From: Jan Kiszka <jan.kiszka(a)siemens.com> This allows to run StMM without the userspace supplicant if the in-kernel RPMB service is available. Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com> --- core/pta/device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/pta/device.c b/core/pta/device.c index 39ad3ddda..21c13bd94 100644 --- a/core/pta/device.c +++ b/core/pta/device.c @@ -67,8 +67,8 @@ static TEE_Result get_devices(uint32_t types, add_ta(ta->flags, &ta->uuid, buf, blen, &pos, rflags); if (stmm_get_uuid()) - add_ta(TA_FLAG_DEVICE_ENUM_SUPP, stmm_get_uuid(), buf, blen, - &pos, rflags); + add_ta(TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE, + stmm_get_uuid(), buf, blen, &pos, rflags); if (IS_ENABLED(CFG_EARLY_TA)) for_each_early_ta(eta) -- 2.51.0

3 months, 3 weeks

2
2
0 0

Re: [PATCH 0/8] sd: Add RPMB emulation to eMMC model

by Jan Kiszka

FYI: QEMU model is working fine, upstreaming started, feedback welcome. Jan On 24.08.25 09:18, Jan Kiszka wrote: > This closes an old gap in system integration testing for the very > complex ARM firmware stacks by adding fairly advanced Replay Protected > Memory Block (RPMB) emulation to the eMMC device model. Key programming > and message authentication are working, so is the write counter. Known > users are happy with the result. What is missing, but not only for RPMB- > related registers, is state persistence across QEMU restarts. This is OK > at this stage for most test scenarios, though, and could still be added > later on. > > What can already be done with it is demonstrated in the WIP branch of > isar-cip-core at [1]: TF-A + OP-TEE + StandaloneMM TA + fTPM TA, used by > U-Boot and Linux for UEFI variable storage and TPM scenarios. If you > want to try: build qemu-arm64 target for trixie with 6.12-cip *head* > kernel, enable secure boot and disk encryption, then run > > $ QEMU_PATH=/path/to/qemu-build/ ./start-qemu.sh > > Deploy snakeoil keys into PK, KEK and db after first boot to enable > secure booting: > > root@demo:~# cert-to-efi-sig-list PkKek-1-snakeoil.pem PK.esl > root@demo:~# sign-efi-sig-list -k PkKek-1-snakeoil.key -c PkKek-1-snakeoil.pem PK PK.esl PK.auth > root@demo:~# efi-updatevar -f PK.auth db > root@demo:~# efi-updatevar -f PK.auth KEK > root@demo:~# efi-updatevar -f PK.auth PK > > Note that emulation is a bit slow in general, and specifically the > partition encryption on first boot is taking 20 min. - we should > probably reduce its size or understand if there is still something to > optimize. > > Jan > > [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commits/wip/qemu-rp… > > Cc: "Daniel P. Berrangé" <berrange(a)redhat.com> > > Jan Kiszka (8): > hw/sd/sdcard: Fix size check for backing block image > hw/sd/sdcard: Add validation for boot-partition-size > hw/sd/sdcard: Allow user-instantiated eMMC > hw/sd/sdcard: Refactor sd_bootpart_offset > hw/sd/sdcard: Add basic support for RPMB partition > crypto/hmac: Allow to build hmac over multiple > qcrypto_gnutls_hmac_bytes[v] calls > hw/sd/sdcard: Handle RPMB MAC field > scripts: Add helper script to generate eMMC block device images > > crypto/hmac-gcrypt.c | 4 +- > crypto/hmac-glib.c | 4 +- > crypto/hmac-gnutls.c | 4 +- > crypto/hmac-nettle.c | 4 +- > hw/sd/sd.c | 314 ++++++++++++++++++++++++++++++++++++++--- > hw/sd/sdmmc-internal.h | 24 +++- > hw/sd/trace-events | 2 + > include/crypto/hmac.h | 12 ++ > scripts/mkemmc.sh | 185 ++++++++++++++++++++++++ > 9 files changed, 530 insertions(+), 23 deletions(-) > create mode 100755 scripts/mkemmc.sh > -- Siemens AG, Foundational Technologies Linux Expert Center

3 months, 3 weeks

3
4
0 0

Preparing for OP-TEE 4.8.0

by Jens Wiklander

[BCC all OP-TEE maintainers] Hi OP-TEE maintainers & contributors, OP-TEE version 4.8.0 is now scheduled to be released on 2025-10-24. So, now is a good time to start testing the master branch on the various platforms and report/fix any bugs. The GitHub pull request for collecting Tested-by tags or any other comments is https://github.com/OP-TEE/optee_os/pull/7567. We will create the release candidate tag 4.8.0-rc1 this Friday, allowing for a one-week testing period before the planned release. You can find more information related to releases here: https://optee.readthedocs.io/en/latest/general/releases.html Thanks, Jens

3 months, 3 weeks

1
1
0 0

[PATCH v19 0/6] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V18[2]: - rework documentation for the release_fw ops - rework function documentation in remoteproc_tee.c - replace spinlock by mutex and generalize usage in remoteproc_tee.c Main updates from version V17[1]: - Fix: warning: EXPORT_SYMBOL() is used, but #include <linux/export.h> is missing More details are available in each patch commit message. [1] https://lore.kernel.org/linux-remoteproc/20250613091650.2337411-1-arnaud.po… [2] https://lore.kernel.org/linux-remoteproc/20250616075530.4106090-1-arnaud.po… Tested-on: commit 19272b37aa4f ("Linux 6.16-rc1") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact. The user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (6): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support remoteproc: Introduce optional release_fw operation dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 +- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 52 ++ drivers/remoteproc/remoteproc_internal.h | 6 + drivers/remoteproc/remoteproc_tee.c | 708 ++++++++++++++++++ drivers/remoteproc/stm32_rproc.c | 139 +++- include/linux/remoteproc.h | 6 + include/linux/remoteproc_tee.h | 87 +++ 9 files changed, 1023 insertions(+), 44 deletions(-) create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 -- 2.25.1

4 months

6
30
0 0

[PATCH AUTOSEL 6.17-5.4] tee: allow a driver to allocate a tee_device without a pool

by Sasha Levin

From: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> [ Upstream commit 6dbcd5a9ab6cb6644e7d728521da1c9035ec7235 ] A TEE driver doesn't always need to provide a pool if it doesn't support memory sharing ioctls and can allocate memory for TEE messages in another way. Although this is mentioned in the documentation for tee_device_alloc(), it is not handled correctly. Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: YES - The change simply drops the `|| !pool` guard in `tee_device_alloc()` (`drivers/tee/tee_core.c:892`), which currently rejects drivers that intentionally omit a shared-memory pool even though the API contract and docs (`include/linux/tee_core.h:123`) have long advertised `pool` as optional. Today that mismatch means such drivers cannot register at all, so user-visible functionality is blocked. - Other subsystem code already treats a missing pool as a valid state and bails out safely: shared-memory allocators check `if (!teedev->pool)` before dereferencing it and return an error to user space (`drivers/tee/tee_shm.c:78`), so allowing allocation without a pool doesn’t create new NULL dereferences or change behaviour for drivers that do use shared memory. - Existing in-tree TEE implementations still guard their pool setup with `IS_ERR()` checks (e.g. OP-TEE in `drivers/tee/optee/smc_abi.c:1651`), so a genuine failure still propagates an error instead of slipping through; we only unblock the documented “no pool” case. - The patch is tiny, self-contained, and doesn’t alter ioctls or data structures, making the regression risk very low while fixing a long- standing real bug that prevents compliant drivers from loading. Backporting keeps the stable tree consistent with the exported TEE API and supports downstream drivers that rely on the documented behaviour. drivers/tee/tee_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index acc7998758ad8..133447f250657 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -889,7 +889,7 @@ struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, if (!teedesc || !teedesc->name || !teedesc->ops || !teedesc->ops->get_version || !teedesc->ops->open || - !teedesc->ops->release || !pool) + !teedesc->ops->release) return ERR_PTR(-EINVAL); teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); -- 2.51.0

4 months

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE