History log of /optee_os/core/tee/tee_rpmb_fs.c (Results 1 – 25 of 96)
Revision Date Author Comments
# dc2cf47a 16-Jan-2025 Etienne Carriere <etienne.carriere@foss.st.com>

core: rpmb: get RPMB storage space allocation stats

Add rpmb_mem_stats() to get the RPMB secure storage space allocation
statistics.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# b565152e 16-Jan-2025 Etienne Carriere <etienne.carriere@foss.st.com>

core: rpmb: fix mutex in directory populate

Fix mutex unlocking in rpmb_fs_dir_populate() that should protect
fat_entry_dir_deinit() execution.

Fixes: 5f68d7848fe8 ("core: RPMB FS: Caching for FAT FS entries")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 96e8f740 09-Jan-2025 Etienne Carriere <etienne.carriere@foss.st.com>

core: rpmb: handle not-implemented error code on device probing

Consider that non-secure world may report TEE_ERROR_NOT_IMPLEMENTED
error code on OPTEE_RPC_CMD_RPMB_PROBE_RESET RPC command when that
RPC command is not supported. This is needed to support U-Boot
that provides this return code, at least up to its release tag
v2025.01 [1].

Without this change, OP-TEE fails to communicate with U-Boot RPMB
RPC service since RPMB probe capability was merged in OP-TEE
(Fixes: tag below).

Link: https://source.denx.de/u-boot/u-boot/-/blame/v2025.01/drivers/tee/optee/supplicant.c?ref_type=tags#L96 [1]
Reported-by: Gavin Liu <gavin.liu@mediatek.com>
Closes: https://github.com/OP-TEE/optee_os/issues/7200
Fixes: 8dfdf3927214 ("core: rpmb: probe for kernel RPMB driver")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 04e46975 16-Dec-2024 Etienne Carriere <etienne.carriere@foss.st.com>

tree-wide: use ROUNDUP_DIV() where applicable

Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 8dfdf392 19-Jan-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTEE_RPC_CMD_RPMB_FRAMES.

OPTEE_RPC_CMD_RPMB_PROBE_RESET resets probing to a well known state and
returns the shared memory type needed when allocating shared memory for
communication with later RPMB functions.

OPTEE_RPC_CMD_RPMB_PROBE_NEXT selects the next RPMB device and returns
its device information. Later calls to OPTEE_RPC_CMD_RPMB will use this
selected device.

OPTEE_RPC_CMD_RPMB_FRAMES sends the raw RPMB frames to normal world for
further routing to the RPMB device.

tee_rpmb_reinit() is added to allow re-initializing the RPMB FS if a
boot stage has used RPMB.

Backwards compatibility is maintained by falling back to the old type of
initialization if OPTEE_RPC_CMD_RPMB_PROBE_RESET returns
TEE_ERROR_NOT_SUPPORTED.

Whether RPMB devices are probed by the kernel or tee-supplicant is
decided by the kernel driver where the shared memory type returned by
OPTEE_RPC_CMD_RPMB_PROBE_RESET plays a vital role.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>


# e94194d4 19-Jan-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: rpmb: use thread_rpc_shm_cache_alloc()

Use thread_rpc_shm_cache_alloc() to cache shared memory allocations to
simplify and make the code slightly more efficient.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 3be2f85a 19-Jan-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: rpmb: set device ID in tee_rpmb_init()

Until now, when initializing RPMB the device ID has been passed to
tee_rpmb_init(), but there isn't any flexibility since it's always
CFG_RPMB_FS_DEV_ID passed along. So simplify the code a bit and
use CFG_RPMB_FS_DEV_ID directly in tee_rpmb_init().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# e92de4ca 06-Dec-2023 Jerome Forissier <jerome.forissier@linaro.org>

core: rpmb: cleanup useless write_counter in struct rpmb_fat_entry

The write_counter field of the rpmb_fat_entry struct is set from the
RPMB device but never used. Rename it to 'unused' and cleanup the
associated code.

Tested on QEMUv8 with:

$ make CFG_RPMB_FS=y CFG_RPMB_WRITE_KEY=y CFG_RPMB_TESKEY=y check

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Tested-by: Etienne Carriere <etienne.carriere@foss.st.com> (stm32mp157c-ev1 w/ RPMB)


# b2284b11 17-Jul-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buffer. Core buffers are normal secure memory while user space
buffers should only be accessed using the user_access.h functions.

The different FS storage implementations are updated accordingly.

Note that the RPMB FS storage implementation resorts to using
enter_user_access() and exit_user_access() due to internal complexities.

Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# d9f0ee43 05-Oct-2022 james.jiang <james.jiang@mediatek.com>

core: mmu: Fix wrong input argument of tee_mm_init()

Since commit [1], tee_mm_init() takes pool size instead of end address.
This change corrects the input arg of the caller which still uses the old
definition.

Link: [1] 2380d70 ("core: mmu: fix overflow with high address in tee_mm_pool_t")
Signed-off-by: james.jiang <james.jiang@mediatek.com>
Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 90827a1e 28-Jun-2022 Judy Wang <wangjudy@microsoft.com>

core: fix TA crash if RPMB key is not provisioned

If optee-os is set with CFG_RPMB_WRITE_KEY=n, returning
TEE_ERROR_BAD_STATE will result in TA panic because of exit checks
in /lib/libutee/tee_api_objects.c APIs. Returning
TEE_ERROR_STORAGE_NOT_AVAILABLE to avoid TA panic and signal TA
RPMB is not ready for use, therefore TA could perform error handling.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Judy Wang <wangjudy@microsoft.com>


# 5695e448 19-Apr-2022 Sadiq Hussain <sadiq.muchumarri@intel.com>

core: Fix compile warning in RPMB storage initialization

Fix the below warning when GCC 10.2.0 toolchain is used:

core/tee/tee_rpmb_fs.c:1137:3: warning: ‘dev_info’ may be used uninitialized in this function [-Wmaybe-uninitialized]
memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE);

Signed-off-by: Sadiq Hussain <sadiq.muchumarri@intel.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>


# 9c4aaf67 11-Jan-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: make mobj_get_va() more secure

Adds a length parameter to allow mobj_get_va() to check that the entire
va range requested is available.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 34ab2802 29-Nov-2021 Jerome Forissier <jerome@forissier.org>

core: move functions from tee_svc_storage.c to tee_rpmb_fs.c

tee_svc_storage_create_filename() and tee_svc_storage_create_dirname() are
only used in core/tee/tee_rpmb_fs.c, so move them there and make them
static. Since they now have file scope they may as well be given shorter
names.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 85076371 17-May-2021 Etienne Carriere <etienne.carriere@linaro.org>

core: rpmb: use IS_ENABLED on CFG_RPMB_FS_DEBUG_DATA

Replace #ifdef with if (IS_ENABLED()) for CFG_RPMB_FS_DEBUG_DATA.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 71cbe6bd 17-May-2021 Etienne Carriere <etienne.carriere@linaro.org>

core: rpmb: remove CFG_RPMB_FS_NO_MAC

Remove CFG_RPMB_FS_NO_MAC that disabled authentication of RPMB frames
read from the device. The switch was not documented and never enabled in
the project, hence it is simply removed.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# d53897cd 14-Jan-2021 Jens Wiklander <jens.wiklander@linaro.org>

core: fix bad memset() in update_write_helper()

update_write_helper() is clearing uninitialized parts of blk_buf.
There's an error in the logic calculating how much should be cleared
resulting in a negative size being supplied to memset(). Fix this by
always clearing blk_buf before usage.

Fixes: cd799689cd3d ("core: rpmb: fix initialization of new rpmb data")
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# cd799689 08-Jan-2021 Etienne Carriere <etienne.carriere@linaro.org>

core: rpmb: fix initialization of new rpmb data

Add memset() calls to ensure added object is extended with byte value 0
as specified in GPD TEE specification.

Fixes: 64c6d2917d12 ("core: rpmb fs uses mempool for temporary transfer buffers")
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>


# a1bc38c8 30-Nov-2020 Robin van der Gracht <robin@protonic.nl>

core: tee_rpmb_fs: Return error when block decryption fails

When decrypt_block fails (although unlikely) it shouldn't be silently
ignored. In such case the data in the buffer pointed to by *out is
unmodified or bogus while the return code is TEE_SUCCESS.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Jerome Forissier <jerome@forissier.org>


# 64c6d291 13-Dec-2020 Etienne Carriere <etienne.carriere@linaro.org>

core: rpmb fs uses mempool for temporary transfer buffers

RPMB FS driver may allocate a temporary buffer of size the one provided
by userland caller. These may be big buffers of dozens of kbytes and may
exhaust the heap capacities. Change the implementation to use a 4kByte
temporary buffer to update RPMB data instead of an allocated buffer of
the object target size. RPMB FAT entry data is updated by chunks of the
temporary buffer size, and RPMB FAT meta data is updated afterwards as
prior to this change.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>


# 3c534211 05-Dec-2020 Stefan Schmidt <snst@meek.de>

core: rpmb: return TEE_ERROR_STORAGE_NO_SPACE if no space left

So far the error TEE_ERROR_OUT_OF_MEMORY was returned if no
free memory could be allocated in the RPMB to store new data.
According to TEE Internal Core API Specification the error
TEE_ERROR_STORAGE_NO_SPACE shall be returned if insufficient
space is available to create the persistent object.

Signed-off-by: Stefan Schmidt <snst@meek.de>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>


# a8fb1651 13-Nov-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: fix RPMB rollback vulnerability

Normal world is used to pass the RPMB request to the eMMC. If normal
world saves a write request and returns an error instead it can be used
at a later stage where OP-TEE doesn't expect a certain block to be
updated. For more details on possible attacks and mitigations see [1]
and [2].

The mitigation consists of two parts, while initializing and later how
each write request is handled.

While initializing the RPMB file system we don't have a spare dummy
block so the alternative method of reading a block and writing it again
is used instead.

For normal write request all errors after the request message has been
created will be retried 10 times. If a write request fails after 10
retries RPMB is disabled entirely until next boot. An eventual
requesting TA is with an unexpected error code since we can't tell if
the request has been committed to storage or not.

Link: [1] https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications
Link: [2] https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-replay-protected-memory-block-protocol-vulernabilities.pdf

Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 8f51d0a4 16-Oct-2020 Stefan Schmidt <snst@meek.de>

core: rpmb: check return value of encrypt_block()

Added error handling if call of function encrypt_block() fails
in tee_rpmb_req_pack().

Signed-off-by: Stefan Schmidt <snst@meek.de>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>


# 3b11b1d2 12-Oct-2020 Jerome Forissier <jerome@forissier.org>

core: rpmb: fix off-by-one in block index check

The max block index check in tee_rpmb_req_pack() is incorrect and would
fail when trying to access the last block of the partition.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>


# 3b354b19 02-Oct-2020 Neil Shipp <neilsh@microsoft.com>

core: Fix RPMB fat entry cache buffer overflow

Ensure that fat_entry_dir_update can only update entries less than
the current cache size and not just the maximum size limit of the cache.

Signed-off-by: Neil Shipp <neilsh@microsoft.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
