History log of /optee_os/core/tee/tee_svc_storage.c (Results 1 – 25 of 100)
Revision Date Author Comments
# 71ecb9fa 08-Aug-2024 Pengguang Zhu <pengguang.zhu@amlogic.com>

core: fix error handling in tee_svc_storage_read_head()

Prior to this, all errors except TEE_ERROR_OUT_OF_MEMORY from
fops->read() were reported as TEE_ERROR_CORRUPT_OBJECT, leading
to removal of the object.
We should not treat all errors as corrupt, so remove the error
code translation.

Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 5ca2c365 10-Jan-2024 Clement Faure <clement.faure@nxp.com>

core: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 0f50ba5a 28-Nov-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: fix objectUsage handling for persistent objects

Before this patch, the object usage field was stored in the
non-persistent part of an object handle, regardless of whether the
storage object was persistent. This prevents updates to this field from
being restored the next time the persistent object is opened. Updates to
the field are also not replicated to eventual other open handles for the
object. Fix this by storing the "usage" bits in a new obj_info_usage
field in struct tee_pobj for persistent objects. Updates to the field
are also written into secure storage to preserve the content the next
time the object is opened.

Fixes: b01047730e77 ("Open-source the TEE Core")
Closes: https://github.com/OP-TEE/optee_os/issues/6495
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 7be18e1b 06-Sep-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: simplify calls to bb_memdup_user_private()

Now that bb_memdup_user_private() supports supplying zero-length buffers,
remove checks for zero-length buffers before calling
bb_memdup_user_private().

Removes calls to memtag_strip_tag() for the input buffer to
bb_memdup_user_private() since that's also dealt with internally by that
function.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# b2284b11 17-Jul-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buffer. Core buffers are normal secure memory while user space
buffers should only be accessed using the user_access.h functions.

The different FS storage implementations are updated accordingly.

Note that the RPMB FS storage implementation resorts to using
enter_user_access() and exit_user_access() due to internal complexities.

Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# 6d628a81 17-Jul-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: syscall_storage_obj_rename(): fix direct user memory access

Fixes a direct user memory access in syscall_storage_obj_rename() which
can lead to a data abort if PAN is enabled.

Fixes: 84f78978974b ("core: use user-access functions for storage svc")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# 84f78978 21-Jun-2023 Seonghyun Park <seonghp@amazon.com>

core: use user-access functions for storage svc

Use user-access functions within storage service syscalls, mainly to
copy the object ID from user-space buffers.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 138c5102 14-Dec-2022 Jens Wiklander <jens.wiklander@linaro.org>

GP131: Add TA property gpd.ta.doesNotCloseHandleOnCorruptObject

Adds the TA property gpd.ta.doesNotCloseHandleOnCorruptObject.

All syscalls that operate on an object handle and can return
TEE_ERROR_CORRUPT_OBJECT must also apply special treatment when
TEE_ERROR_CORRUPT_OBJECT is returned. Prior to
gpd.ta.doesNotCloseHandleOnCorruptObject this meant removing the object
and closing the object handle. With the
gpd.ta.doesNotCloseHandleOnCorruptObject property, the object handle
shouldn't be closed if the current TA has the property set to true.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# f22e1655 01-Dec-2022 Jens Wiklander <jens.wiklander@linaro.org>

GP131: Update TEE_CreatePersistentObject()

Update TEE_CreatePersistentObject() according to TEE Internal Core API
version 1.3.1. The objectIDLen parameter is changed to use size_t
instead of uint32_t.

The object parameter is now an optional pointer to a handle. When NULL,
the standard says:
    If attributes is a handle on an initialized transient object,
    the initialized transient object SHALL be transformed to a
    persistent object.
So syscall_storage_obj_create() is also updated accordingly.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# de1cd722 20-Dec-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: syscall_storage_obj_write(): handle corrupt object

All syscalls that operate on an object handle and can return
TEE_ERROR_CORRUPT_OBJECT must also remove the object if the return code
is TEE_ERROR_CORRUPT_OBJECT. This is missing in
syscall_storage_obj_write(), so add the missing call to remove the object
if it is corrupt.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 041e28a1 21-Nov-2022 Etienne Carriere <etienne.carriere@linaro.org>

core: tee_svc_storage: remove unused local variable

Removes file local variable from syscall_storage_obj_open() that is
not used.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>


# 75d6a373 28-Nov-2022 Jens Wiklander <jens.wiklander@linaro.org>

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an independent definition with struct utee_object_info in order to
preserve a stable ABI.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 181f0998 28-Nov-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: update to new field names in TEE_ObjectInfo

With GP TEE Internal Core API version 1.1.1 the two fields keySize and
maxKeySize were renamed to objectSize and maxObjectSize respectively.
Update the rest of the core code to reflect that change as a preparation
for future updates.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 6301ca1c 24-Sep-2022 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: se050: updates to the crypto object deletion interface

Keys created on the Secure Element NVM via the PKCS#11 TA are removed
by scanning the data buffer holding the reference to the key during
the release of the object.

The storage allocated to hold those keys (ECC/RSA) is always below the
page size length which seems like a reasonable figure to use for future
extensions.

- This commit avoids scanning objects larger than that length.

This commit also updates the interface to delegate the actual handling
of the object to the crypto driver instead of passing just the raw data
contained in the object.

The cryptographic layer is also being allowed to block the deletion of
the object. This is to cover the scenario where the I2C device is not
accessible while a reference to the key is being removed from the secure
storage in the filesystem.

Incidentally also fixes regression 6018: this test releases an object
of size 0xA0000 which can't be scanned due to this part of the code
hitting an Out of Memory condition.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# ef142203 13-Apr-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: syscalls: strip tags from user space pointers

Strips the tags from user space pointers before using them.
We're relying on TCR_EL1.TCMA0=1 to make the accesses unchecked.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# e07514dc 28-Feb-2022 Jerome Forissier <jerome@forissier.org>

core: storage: do not check object ID buffer when its size is zero

The storage syscalls syscall_storage_obj_open(),
syscall_storage_obj_create() and syscall_storage_obj_rename() must not
call vm_check_access_rights() on the object ID buffer when its length is
zero, because it is a valid case but vm_check_access_rights() rejects
such a buffer with TEE_ERROR_ACCESS_DENIED.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 34ab2802 29-Nov-2021 Jerome Forissier <jerome@forissier.org>

core: move functions from tee_svc_storage.c to tee_rpmb_fs.c

tee_svc_storage_create_filename() and tee_svc_storage_create_dirname() are
only used in core/tee/tee_rpmb_fs.c, so move them there and make them
static. Since they now have file scope they may as well be given shorter
names.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 45ffd851 29-Nov-2021 Jerome Forissier <jerome@forissier.org>

core: move tee_svc_storage_create_filename_dfh() to core/tee/tee_fs_rpc.c

tee_svc_storage_create_filename_dfh() is only used in
core/tee/tee_fs_rpc.c, so move it there, make it static and give it a
shorter name: create_filename().

Fundamentally, this function is needed when CFG_REE_FS=y but the whole
file core/tee/tee_svc_storage.c (which is the current location of this
function) essentially defines the storage syscalls for TAs and is
therefore not needed when CFG_WITH_USER_TA=n. If we want to later be
able to exclude it from the build while still providing secure storage
to kernel code, the function has to move.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 3cc2413a 11-May-2021 Jerome Forissier <jerome@forissier.org>

core: allow configuration without any secure storage

Support a configuration with no secure storage (CFG_REE_FS=n and
CFG_RPMB_FS=n). In such a case, user TAs will get error code
TEEC_ERROR_ITEM_NOT_FOUND when trying to access persistent objects.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>


# 19cb73dd 14-Jan-2021 Jens Wiklander <jens.wiklander@linaro.org>

core: fix file handle leakage in syscall_storage_next_enum()

Prior to this patch, syscall_storage_next_enum() was opening a file
handle with tee_svc_storage_read_head() but never freeing the handle.
Fix this by closing the file handle as part of cleaning up before
returning.

Fixes: 928efd065222 ("core: syscall_storage_next_enum() use live pobj")
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 5dfe86d0 25-Aug-2020 Jorge Ramirez-Ortiz <jorge@foundries.io>

core: svc store: delete keys from secure elements

The cryptographic API provides an interface for the creation of
cryptographic keys.

These keys can be stored in secure elements, and handlers to these keys
(since the keys themselves cannot be read from the secure elements) are
given back to the caller.

When the object holding a key is being deleted, the cryptographic API
must be informed in order to proceed with the deletion of the real
key from the secure element.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>


# 89c9728d 19-Oct-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: replace tee_mmu prefix with vm

Replaces the tee_mmu prefix with vm. tee_mmu.h is renamed to vm.h and
core/arch/arm/mm/tee_mmu.c is moved to core/mm/vm.c. Public functions
belonging to these files are renamed with a vm prefix.

Introduces: vm_map_param(), vm_clean_param(),
vm_buf_is_inside_private(), vm_buf_intersects_private(),
vm_buf_to_mboj_offs(), vm_buf_is_inside_um_private(),
vm_buf_intersects_um_private(), vm_add_rwmem(), vm_rem_rwmem(),
vm_va2pa(), vm_pa2va(), vm_check_access_rights(), vm_set_ctx() replacing
their tee_mmu_*() counterpart.

Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 00b3b9a2 31-Aug-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: add generic struct ts_session

As a step in making room for Secure Partitions (SPs) running at S-EL0,
add a Trusted Service (TS) abstraction. Both TAs and SPs are a TS.

Adds the generic struct ts_session. All future sessions structs
(currently only struct tee_ta_session exists) should add this struct to
allow generic session operations.

With this struct comes new functions replacing previous struct
tee_ta_session oriented functions. The following functions are replaced
as:
tee_ta_get_current_session() -> ts_get_current_session()
tee_ta_push_current_session() -> ts_push_current_session()
tee_ta_pop_current_session() -> ts_pop_current_session()
tee_ta_get_calling_session() -> ts_get_calling_session()

ts_get_current_session() is changed compared to its predecessor to
panic() in case of failure to return a valid pointer.

A new function ts_get_current_session_may_fail() is added to handle an
eventual case where a return NULL session may be handled.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 589a4941 09-Oct-2020 Jerome Forissier <jerome@forissier.org>

core: use vaddr_t instead of uint32_t for object IDs

Some functions incorrectly use uint32_t for object identifiers:
tee_obj_get(), tee_svc_cryp_get_state() and tee_svc_storage_get_enum().
Those object IDs are actually virtual addresses, so they need to be of
type vaddr_t.

Link: https://github.com/OP-TEE/optee_os/issues/4035#issuecomment-680037072
Signed-off-by: Jerome Forissier <jerome@forissier.org>


# e12c9f67 11-Sep-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications have certain annotations in the
description of API functions to, among other things, describe which kind
of memory a buffer is required to reside in. It could be readable,
writeable, in shared memory or in TA private memory.

The following syscalls are updated with slightly stricter checks with
regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
