1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 41 #define FILE_IS_ACTIVE (1u << 0) 42 #define FILE_IS_LAST_ENTRY (1u << 1) 43 44 #define TEE_RPMB_FS_FILENAME_LENGTH 224 45 46 #define RPMB_MAX_RETRIES 10 47 48 /** 49 * Utilized when caching is enabled, i.e., when CFG_RPMB_FS_CACHE_ENTRIES > 0. 50 * Cache size + the number of entries that are repeatedly read in and buffered 51 * once the cache is full. 52 */ 53 #define RPMB_BUF_MAX_ENTRIES (CFG_RPMB_FS_CACHE_ENTRIES + \ 54 CFG_RPMB_FS_RD_ENTRIES) 55 56 /** 57 * FS parameters: Information often used by internal functions. 58 * fat_start_address will be set by rpmb_fs_setup(). 59 * rpmb_fs_parameters can be read by any other function. 60 */ 61 struct rpmb_fs_parameters { 62 uint32_t fat_start_address; 63 uint32_t max_rpmb_address; 64 }; 65 66 /** 67 * File entry for a single file in a RPMB_FS partition. 68 */ 69 struct rpmb_fat_entry { 70 uint32_t start_address; 71 uint32_t data_size; 72 uint32_t flags; 73 uint32_t write_counter; 74 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 75 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 76 }; 77 78 /** 79 * Structure that describes buffered/cached FAT FS entries in RPMB storage. 80 * This structure is used in functions traversing the FAT FS. 81 */ 82 struct rpmb_fat_entry_dir { 83 /* 84 * Buffer storing the FAT FS entries read in from RPMB storage. It 85 * includes the optional cache entries (CFG_RPMB_FS_CACHE_ENTRIES) 86 * and entries temporary read for current FAT FS traversal 87 * (CFG_RPMB_FS_RD_ENTRIES) when not found from cached entries. 88 */ 89 struct rpmb_fat_entry *rpmb_fat_entry_buf; 90 /* Current index of FAT FS entry to read from buffer. */ 91 uint32_t idx_curr; 92 /* Total number of FAT FS entries in buffer. */ 93 uint32_t num_buffered; 94 /* Total number of FAT FS entries read during traversal. */ 95 uint32_t num_total_read; 96 /* Indicates that last FAT FS entry was read. */ 97 bool last_reached; 98 }; 99 100 /** 101 * FAT entry context with reference to a FAT entry and its 102 * location in RPMB. 103 */ 104 struct rpmb_file_handle { 105 struct rpmb_fat_entry fat_entry; 106 const TEE_UUID *uuid; 107 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 108 /* Address for current entry in RPMB */ 109 uint32_t rpmb_fat_address; 110 }; 111 112 /** 113 * RPMB_FS partition data 114 */ 115 struct rpmb_fs_partition { 116 uint32_t rpmb_fs_magic; 117 uint32_t fs_version; 118 uint32_t write_counter; 119 uint32_t fat_start_address; 120 /* Do not use reserved[] for other purpose than partition data. */ 121 uint8_t reserved[112]; 122 }; 123 124 /** 125 * A node in a list of directory entries. 126 */ 127 struct tee_rpmb_fs_dirent { 128 struct tee_fs_dirent entry; 129 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 130 }; 131 132 /** 133 * The RPMB directory representation. It contains a queue of 134 * RPMB directory entries: 'next'. 135 * The current pointer points to the last directory entry 136 * returned by readdir(). 137 */ 138 struct tee_fs_dir { 139 struct tee_rpmb_fs_dirent *current; 140 /* */ 141 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 142 }; 143 144 static struct rpmb_fs_parameters *fs_par; 145 static struct rpmb_fat_entry_dir *fat_entry_dir; 146 147 /* 148 * Lower interface to RPMB device 149 */ 150 151 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 152 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 153 154 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 155 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 156 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 157 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 158 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 159 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 160 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 161 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 162 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 163 164 #define RPMB_STUFF_DATA_SIZE 196 165 #define RPMB_KEY_MAC_SIZE 32 166 #define RPMB_DATA_SIZE 256 167 #define RPMB_NONCE_SIZE 16 168 #define RPMB_DATA_FRAME_SIZE 512 169 170 #define RPMB_RESULT_OK 0x00 171 #define RPMB_RESULT_GENERAL_FAILURE 0x01 172 #define RPMB_RESULT_AUTH_FAILURE 0x02 173 #define RPMB_RESULT_COUNTER_FAILURE 0x03 174 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 175 #define RPMB_RESULT_WRITE_FAILURE 0x05 176 #define RPMB_RESULT_READ_FAILURE 0x06 177 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 178 #define RPMB_RESULT_MASK 0x3F 179 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 180 181 /* RPMB internal commands */ 182 #define RPMB_CMD_DATA_REQ 0x00 183 #define RPMB_CMD_GET_DEV_INFO 0x01 184 185 #define RPMB_SIZE_SINGLE (128 * 1024) 186 187 /* Error codes for get_dev_info request/response. */ 188 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 189 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 190 191 struct rpmb_data_frame { 192 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 193 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 194 uint8_t data[RPMB_DATA_SIZE]; 195 uint8_t nonce[RPMB_NONCE_SIZE]; 196 uint8_t write_counter[4]; 197 uint8_t address[2]; 198 uint8_t block_count[2]; 199 uint8_t op_result[2]; 200 uint8_t msg_type[2]; 201 }; 202 203 struct rpmb_req { 204 uint16_t cmd; 205 uint16_t dev_id; 206 uint16_t block_count; 207 /* variable length of data */ 208 /* uint8_t data[]; REMOVED! */ 209 }; 210 211 #define TEE_RPMB_REQ_DATA(req) \ 212 ((void *)((struct rpmb_req *)(req) + 1)) 213 214 struct rpmb_raw_data { 215 uint16_t msg_type; 216 uint16_t *op_result; 217 uint16_t *block_count; 218 uint16_t *blk_idx; 219 uint32_t *write_counter; 220 uint8_t *nonce; 221 uint8_t *key_mac; 222 uint8_t *data; 223 /* data length to read or write */ 224 uint32_t len; 225 /* Byte address offset in the first block involved */ 226 uint8_t byte_offset; 227 }; 228 229 #define RPMB_EMMC_CID_SIZE 16 230 struct rpmb_dev_info { 231 uint8_t cid[RPMB_EMMC_CID_SIZE]; 232 /* EXT CSD-slice 168 "RPMB Size" */ 233 uint8_t rpmb_size_mult; 234 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 235 uint8_t rel_wr_sec_c; 236 /* Check the ret code and accept the data only if it is OK. */ 237 uint8_t ret_code; 238 }; 239 240 /* 241 * Struct for rpmb context data. 242 * 243 * @key RPMB key. 244 * @cid eMMC card ID. 245 * @wr_cnt Current write counter. 246 * @max_blk_idx The highest block index supported by current device. 247 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 248 * @dev_id Device ID of the eMMC device. 249 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 250 * @key_derived Flag indicating if key has been generated. 251 * @key_verified Flag indicating the key generated is verified ok. 252 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 253 */ 254 struct tee_rpmb_ctx { 255 uint8_t key[RPMB_KEY_MAC_SIZE]; 256 uint8_t cid[RPMB_EMMC_CID_SIZE]; 257 uint32_t wr_cnt; 258 uint16_t max_blk_idx; 259 uint16_t rel_wr_blkcnt; 260 uint16_t dev_id; 261 bool wr_cnt_synced; 262 bool key_derived; 263 bool key_verified; 264 bool dev_info_synced; 265 }; 266 267 static struct tee_rpmb_ctx *rpmb_ctx; 268 269 /* If set to true, don't try to access RPMB until rebooted */ 270 static bool rpmb_dead; 271 272 /* 273 * Mutex to serialize the operations exported by this file. 274 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 275 * different IDs. 276 */ 277 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 278 279 #ifdef CFG_RPMB_TESTKEY 280 281 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 282 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 283 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 284 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 285 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 286 }; 287 288 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 289 uint8_t *key, uint32_t len) 290 { 291 TEE_Result res = TEE_SUCCESS; 292 293 if (!key || RPMB_KEY_MAC_SIZE != len) { 294 res = TEE_ERROR_BAD_PARAMETERS; 295 goto out; 296 } 297 298 DMSG("RPMB: Using test key"); 299 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 300 301 out: 302 return res; 303 } 304 305 #else /* !CFG_RPMB_TESTKEY */ 306 307 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 308 uint8_t *key, uint32_t len) 309 { 310 uint8_t message[RPMB_EMMC_CID_SIZE]; 311 312 if (!key || RPMB_KEY_MAC_SIZE != len) 313 return TEE_ERROR_BAD_PARAMETERS; 314 315 IMSG("RPMB: Using generated key"); 316 317 /* 318 * PRV/CRC would be changed when doing eMMC FFU 319 * The following fields should be masked off when deriving RPMB key 320 * 321 * CID [55: 48]: PRV (Product revision) 322 * CID [07: 01]: CRC (CRC7 checksum) 323 * CID [00]: not used 324 */ 325 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 326 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 327 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 328 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 329 key, len); 330 } 331 332 #endif /* !CFG_RPMB_TESTKEY */ 333 334 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 335 { 336 *bytes = (uint8_t) (u32 >> 24); 337 *(bytes + 1) = (uint8_t) (u32 >> 16); 338 *(bytes + 2) = (uint8_t) (u32 >> 8); 339 *(bytes + 3) = (uint8_t) u32; 340 } 341 342 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 343 { 344 *u32 = (uint32_t) ((*(bytes) << 24) + 345 (*(bytes + 1) << 16) + 346 (*(bytes + 2) << 8) + (*(bytes + 3))); 347 } 348 349 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 350 { 351 *bytes = (uint8_t) (u16 >> 8); 352 *(bytes + 1) = (uint8_t) u16; 353 } 354 355 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 356 { 357 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 358 } 359 360 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 361 { 362 *res = *(bytes + 1) & RPMB_RESULT_MASK; 363 } 364 365 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 366 uint8_t *key, uint32_t keysize, 367 struct rpmb_data_frame *datafrms, 368 uint16_t blkcnt) 369 { 370 TEE_Result res = TEE_ERROR_GENERIC; 371 int i; 372 void *ctx = NULL; 373 374 if (!mac || !key || !datafrms) 375 return TEE_ERROR_BAD_PARAMETERS; 376 377 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 378 if (res) 379 return res; 380 381 res = crypto_mac_init(ctx, key, keysize); 382 if (res != TEE_SUCCESS) 383 goto func_exit; 384 385 for (i = 0; i < blkcnt; i++) { 386 res = crypto_mac_update(ctx, datafrms[i].data, 387 RPMB_MAC_PROTECT_DATA_SIZE); 388 if (res != TEE_SUCCESS) 389 goto func_exit; 390 } 391 392 res = crypto_mac_final(ctx, mac, macsize); 393 if (res != TEE_SUCCESS) 394 goto func_exit; 395 396 res = TEE_SUCCESS; 397 398 func_exit: 399 crypto_mac_free_ctx(ctx); 400 return res; 401 } 402 403 struct tee_rpmb_mem { 404 struct mobj *phreq_mobj; 405 struct mobj *phresp_mobj; 406 size_t req_size; 407 size_t resp_size; 408 }; 409 410 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 411 { 412 if (!mem) 413 return; 414 415 if (mem->phreq_mobj) { 416 thread_rpc_free_payload(mem->phreq_mobj); 417 mem->phreq_mobj = NULL; 418 } 419 if (mem->phresp_mobj) { 420 thread_rpc_free_payload(mem->phresp_mobj); 421 mem->phresp_mobj = NULL; 422 } 423 } 424 425 426 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 427 struct tee_rpmb_mem *mem, void **req, void **resp) 428 { 429 TEE_Result res = TEE_SUCCESS; 430 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 431 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 432 433 if (!mem) 434 return TEE_ERROR_BAD_PARAMETERS; 435 436 memset(mem, 0, sizeof(*mem)); 437 438 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 439 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 440 441 if (!mem->phreq_mobj || !mem->phresp_mobj) { 442 res = TEE_ERROR_OUT_OF_MEMORY; 443 goto out; 444 } 445 446 *req = mobj_get_va(mem->phreq_mobj, 0); 447 *resp = mobj_get_va(mem->phresp_mobj, 0); 448 if (!*req || !*resp) { 449 res = TEE_ERROR_GENERIC; 450 goto out; 451 } 452 453 mem->req_size = req_size; 454 mem->resp_size = resp_size; 455 456 out: 457 if (res != TEE_SUCCESS) 458 tee_rpmb_free(mem); 459 return res; 460 } 461 462 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 463 { 464 struct thread_param params[2] = { 465 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 466 mem->req_size), 467 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 468 mem->resp_size), 469 }; 470 471 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 472 } 473 474 static bool is_zero(const uint8_t *buf, size_t size) 475 { 476 size_t i; 477 478 for (i = 0; i < size; i++) 479 if (buf[i]) 480 return false; 481 return true; 482 } 483 484 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 485 uint16_t blk_idx, const uint8_t *fek, 486 const TEE_UUID *uuid) 487 { 488 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 489 blk_idx, fek, TEE_MODE_ENCRYPT); 490 } 491 492 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 493 uint16_t blk_idx, const uint8_t *fek, 494 const TEE_UUID *uuid) 495 { 496 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 497 blk_idx, fek, TEE_MODE_DECRYPT); 498 } 499 500 /* Decrypt/copy at most one block of data */ 501 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 502 size_t size, size_t offset, 503 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 504 const TEE_UUID *uuid) 505 { 506 uint8_t *tmp __maybe_unused; 507 508 509 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 510 panic("invalid size or offset"); 511 512 if (!fek) { 513 /* Block is not encrypted (not a file data block) */ 514 memcpy(out, frm->data + offset, size); 515 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 516 /* The file was created with encryption disabled */ 517 return TEE_ERROR_SECURITY; 518 } else { 519 /* Block is encrypted */ 520 if (size < RPMB_DATA_SIZE) { 521 /* 522 * Since output buffer is not large enough to hold one 523 * block we must allocate a temporary buffer. 524 */ 525 tmp = malloc(RPMB_DATA_SIZE); 526 if (!tmp) 527 return TEE_ERROR_OUT_OF_MEMORY; 528 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 529 memcpy(out, tmp + offset, size); 530 free(tmp); 531 } else { 532 decrypt_block(out, frm->data, blk_idx, fek, uuid); 533 } 534 } 535 536 return TEE_SUCCESS; 537 } 538 539 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 540 struct rpmb_raw_data *rawdata, 541 uint16_t nbr_frms, uint16_t dev_id, 542 const uint8_t *fek, const TEE_UUID *uuid) 543 { 544 TEE_Result res = TEE_ERROR_GENERIC; 545 int i; 546 struct rpmb_data_frame *datafrm; 547 548 if (!req || !rawdata || !nbr_frms) 549 return TEE_ERROR_BAD_PARAMETERS; 550 551 /* 552 * Check write blockcount is not bigger than reliable write 553 * blockcount. 554 */ 555 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 556 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 557 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 558 rpmb_ctx->rel_wr_blkcnt); 559 return TEE_ERROR_GENERIC; 560 } 561 562 req->cmd = RPMB_CMD_DATA_REQ; 563 req->dev_id = dev_id; 564 565 /* Allocate memory for construct all data packets and calculate MAC. */ 566 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 567 if (!datafrm) 568 return TEE_ERROR_OUT_OF_MEMORY; 569 570 for (i = 0; i < nbr_frms; i++) { 571 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 572 573 if (rawdata->block_count) 574 u16_to_bytes(*rawdata->block_count, 575 datafrm[i].block_count); 576 577 if (rawdata->blk_idx) { 578 /* Check the block index is within range. */ 579 if ((*rawdata->blk_idx + nbr_frms - 1) > 580 rpmb_ctx->max_blk_idx) { 581 res = TEE_ERROR_GENERIC; 582 goto func_exit; 583 } 584 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 585 } 586 587 if (rawdata->write_counter) 588 u32_to_bytes(*rawdata->write_counter, 589 datafrm[i].write_counter); 590 591 if (rawdata->nonce) 592 memcpy(datafrm[i].nonce, rawdata->nonce, 593 RPMB_NONCE_SIZE); 594 595 if (rawdata->data) { 596 if (fek) { 597 res = encrypt_block(datafrm[i].data, 598 rawdata->data + 599 (i * RPMB_DATA_SIZE), 600 *rawdata->blk_idx + i, 601 fek, uuid); 602 if (res != TEE_SUCCESS) 603 goto func_exit; 604 } else { 605 memcpy(datafrm[i].data, 606 rawdata->data + (i * RPMB_DATA_SIZE), 607 RPMB_DATA_SIZE); 608 } 609 } 610 } 611 612 if (rawdata->key_mac) { 613 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 614 res = 615 tee_rpmb_mac_calc(rawdata->key_mac, 616 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 617 RPMB_KEY_MAC_SIZE, datafrm, 618 nbr_frms); 619 if (res != TEE_SUCCESS) 620 goto func_exit; 621 } 622 memcpy(datafrm[nbr_frms - 1].key_mac, 623 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 624 } 625 626 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 627 nbr_frms * RPMB_DATA_FRAME_SIZE); 628 629 #ifdef CFG_RPMB_FS_DEBUG_DATA 630 for (i = 0; i < nbr_frms; i++) { 631 DMSG("Dumping data frame %d:", i); 632 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 633 512 - RPMB_STUFF_DATA_SIZE); 634 } 635 #endif 636 637 res = TEE_SUCCESS; 638 func_exit: 639 free(datafrm); 640 return res; 641 } 642 643 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 644 struct rpmb_data_frame *frm, 645 const uint8_t *fek, const TEE_UUID *uuid) 646 { 647 TEE_Result res; 648 uint8_t *data; 649 uint16_t idx; 650 651 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 652 return TEE_ERROR_BAD_PARAMETERS; 653 654 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 655 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 656 if (res != TEE_SUCCESS) 657 return res; 658 659 data = rawdata->data; 660 bytes_to_u16(frm->address, &idx); 661 662 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 663 uuid); 664 return res; 665 } 666 667 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 668 struct rpmb_raw_data *rawdata, 669 uint16_t nbr_frms, 670 struct rpmb_data_frame *lastfrm, 671 const uint8_t *fek, 672 const TEE_UUID *uuid) 673 { 674 TEE_Result res = TEE_ERROR_GENERIC; 675 int i; 676 void *ctx = NULL; 677 uint16_t offset; 678 uint32_t size; 679 uint8_t *data; 680 uint16_t start_idx; 681 struct rpmb_data_frame localfrm; 682 683 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 684 return TEE_ERROR_BAD_PARAMETERS; 685 686 if (nbr_frms == 1) 687 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 688 689 /* nbr_frms > 1 */ 690 691 data = rawdata->data; 692 693 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 694 if (res) 695 goto func_exit; 696 697 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 698 if (res != TEE_SUCCESS) 699 goto func_exit; 700 701 /* 702 * Note: JEDEC JESD84-B51: "In every packet the address is the start 703 * address of the full access (not address of the individual half a 704 * sector)" 705 */ 706 bytes_to_u16(lastfrm->address, &start_idx); 707 708 for (i = 0; i < (nbr_frms - 1); i++) { 709 710 /* 711 * By working on a local copy of the RPMB frame, we ensure that 712 * the data can not be modified after the MAC is computed but 713 * before the payload is decrypted/copied to the output buffer. 714 */ 715 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 716 717 res = crypto_mac_update(ctx, localfrm.data, 718 RPMB_MAC_PROTECT_DATA_SIZE); 719 if (res != TEE_SUCCESS) 720 goto func_exit; 721 722 if (i == 0) { 723 /* First block */ 724 offset = rawdata->byte_offset; 725 size = RPMB_DATA_SIZE - offset; 726 } else { 727 /* Middle blocks */ 728 size = RPMB_DATA_SIZE; 729 offset = 0; 730 } 731 732 res = decrypt(data, &localfrm, size, offset, start_idx + i, 733 fek, uuid); 734 if (res != TEE_SUCCESS) 735 goto func_exit; 736 737 data += size; 738 } 739 740 /* Last block */ 741 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 742 if (size == 0) 743 size = RPMB_DATA_SIZE; 744 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 745 uuid); 746 if (res != TEE_SUCCESS) 747 goto func_exit; 748 749 /* Update MAC against the last block */ 750 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 751 if (res != TEE_SUCCESS) 752 goto func_exit; 753 754 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 755 if (res != TEE_SUCCESS) 756 goto func_exit; 757 758 res = TEE_SUCCESS; 759 760 func_exit: 761 crypto_mac_free_ctx(ctx); 762 return res; 763 } 764 765 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 766 struct rpmb_raw_data *rawdata, 767 uint16_t nbr_frms, 768 const uint8_t *fek, 769 const TEE_UUID *uuid) 770 { 771 TEE_Result res = TEE_ERROR_GENERIC; 772 uint16_t msg_type; 773 uint32_t wr_cnt; 774 uint16_t blk_idx; 775 uint8_t op_result; 776 struct rpmb_data_frame lastfrm; 777 778 if (!datafrm || !rawdata || !nbr_frms) 779 return TEE_ERROR_BAD_PARAMETERS; 780 781 #ifdef CFG_RPMB_FS_DEBUG_DATA 782 for (uint32_t i = 0; i < nbr_frms; i++) { 783 DMSG("Dumping data frame %d:", i); 784 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 785 512 - RPMB_STUFF_DATA_SIZE); 786 } 787 #endif 788 789 /* Make sure the last data packet can't be modified once verified */ 790 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 791 792 /* Handle operation result and translate to TEEC error code. */ 793 get_op_result_bits(lastfrm.op_result, &op_result); 794 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 795 return TEE_ERROR_ITEM_NOT_FOUND; 796 if (op_result != RPMB_RESULT_OK) 797 return TEE_ERROR_GENERIC; 798 799 /* Check the response msg_type. */ 800 bytes_to_u16(lastfrm.msg_type, &msg_type); 801 if (msg_type != rawdata->msg_type) { 802 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 803 rawdata->msg_type); 804 return TEE_ERROR_GENERIC; 805 } 806 807 if (rawdata->blk_idx) { 808 bytes_to_u16(lastfrm.address, &blk_idx); 809 if (blk_idx != *rawdata->blk_idx) { 810 DMSG("Unexpected block index"); 811 return TEE_ERROR_GENERIC; 812 } 813 } 814 815 if (rawdata->write_counter) { 816 wr_cnt = *rawdata->write_counter; 817 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 818 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 819 /* Verify the write counter is incremented by 1 */ 820 if (*rawdata->write_counter != wr_cnt + 1) { 821 DMSG("Counter mismatched (0x%04x/0x%04x)", 822 *rawdata->write_counter, wr_cnt + 1); 823 return TEE_ERROR_SECURITY; 824 } 825 rpmb_ctx->wr_cnt++; 826 } 827 } 828 829 if (rawdata->nonce) { 830 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 831 RPMB_NONCE_SIZE) != 0) { 832 DMSG("Nonce mismatched"); 833 return TEE_ERROR_SECURITY; 834 } 835 } 836 837 if (rawdata->key_mac) { 838 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 839 if (!rawdata->data) 840 return TEE_ERROR_GENERIC; 841 842 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 843 nbr_frms, &lastfrm, 844 fek, uuid); 845 846 if (res != TEE_SUCCESS) 847 return res; 848 } else { 849 /* 850 * There should be only one data frame for 851 * other msg types. 852 */ 853 if (nbr_frms != 1) 854 return TEE_ERROR_GENERIC; 855 856 res = tee_rpmb_mac_calc(rawdata->key_mac, 857 RPMB_KEY_MAC_SIZE, 858 rpmb_ctx->key, 859 RPMB_KEY_MAC_SIZE, 860 &lastfrm, 1); 861 862 if (res != TEE_SUCCESS) 863 return res; 864 } 865 866 #ifndef CFG_RPMB_FS_NO_MAC 867 if (consttime_memcmp(rawdata->key_mac, 868 (datafrm + nbr_frms - 1)->key_mac, 869 RPMB_KEY_MAC_SIZE) != 0) { 870 DMSG("MAC mismatched:"); 871 #ifdef CFG_RPMB_FS_DEBUG_DATA 872 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 873 #endif 874 return TEE_ERROR_SECURITY; 875 } 876 #endif /* !CFG_RPMB_FS_NO_MAC */ 877 } 878 879 return TEE_SUCCESS; 880 } 881 882 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 883 struct rpmb_dev_info *dev_info) 884 { 885 TEE_Result res = TEE_ERROR_GENERIC; 886 struct tee_rpmb_mem mem; 887 struct rpmb_dev_info *di; 888 struct rpmb_req *req = NULL; 889 uint8_t *resp = NULL; 890 uint32_t req_size; 891 uint32_t resp_size; 892 893 if (!dev_info) 894 return TEE_ERROR_BAD_PARAMETERS; 895 896 req_size = sizeof(struct rpmb_req); 897 resp_size = sizeof(struct rpmb_dev_info); 898 res = tee_rpmb_alloc(req_size, resp_size, &mem, 899 (void *)&req, (void *)&resp); 900 if (res != TEE_SUCCESS) 901 goto func_exit; 902 903 req->cmd = RPMB_CMD_GET_DEV_INFO; 904 req->dev_id = dev_id; 905 906 di = (struct rpmb_dev_info *)resp; 907 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 908 909 res = tee_rpmb_invoke(&mem); 910 if (res != TEE_SUCCESS) 911 goto func_exit; 912 913 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 914 res = TEE_ERROR_GENERIC; 915 goto func_exit; 916 } 917 918 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 919 920 #ifdef CFG_RPMB_FS_DEBUG_DATA 921 DMSG("Dumping dev_info:"); 922 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 923 #endif 924 925 res = TEE_SUCCESS; 926 927 func_exit: 928 tee_rpmb_free(&mem); 929 return res; 930 } 931 932 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 933 uint32_t *wr_cnt, 934 uint16_t *op_result) 935 { 936 TEE_Result res = TEE_ERROR_GENERIC; 937 struct tee_rpmb_mem mem; 938 uint16_t msg_type; 939 uint8_t nonce[RPMB_NONCE_SIZE]; 940 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 941 struct rpmb_req *req = NULL; 942 struct rpmb_data_frame *resp = NULL; 943 struct rpmb_raw_data rawdata; 944 uint32_t req_size; 945 uint32_t resp_size; 946 947 if (!wr_cnt) 948 return TEE_ERROR_BAD_PARAMETERS; 949 950 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 951 resp_size = RPMB_DATA_FRAME_SIZE; 952 res = tee_rpmb_alloc(req_size, resp_size, &mem, 953 (void *)&req, (void *)&resp); 954 if (res != TEE_SUCCESS) 955 goto func_exit; 956 957 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 958 if (res != TEE_SUCCESS) 959 goto func_exit; 960 961 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 962 963 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 964 rawdata.msg_type = msg_type; 965 rawdata.nonce = nonce; 966 967 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 968 if (res != TEE_SUCCESS) 969 goto func_exit; 970 971 res = tee_rpmb_invoke(&mem); 972 if (res != TEE_SUCCESS) 973 goto func_exit; 974 975 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 976 977 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 978 rawdata.msg_type = msg_type; 979 rawdata.op_result = op_result; 980 rawdata.write_counter = wr_cnt; 981 rawdata.nonce = nonce; 982 rawdata.key_mac = hmac; 983 984 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 985 if (res != TEE_SUCCESS) 986 goto func_exit; 987 988 res = TEE_SUCCESS; 989 990 func_exit: 991 tee_rpmb_free(&mem); 992 return res; 993 } 994 995 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 996 { 997 uint16_t op_result = 0; 998 TEE_Result res = TEE_ERROR_GENERIC; 999 1000 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 1001 &op_result); 1002 1003 if (res == TEE_SUCCESS) { 1004 rpmb_ctx->key_verified = true; 1005 rpmb_ctx->wr_cnt_synced = true; 1006 } else 1007 EMSG("Verify key returning 0x%x", res); 1008 return res; 1009 } 1010 1011 #ifdef CFG_RPMB_WRITE_KEY 1012 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 1013 { 1014 TEE_Result res = TEE_ERROR_GENERIC; 1015 struct tee_rpmb_mem mem = { 0 }; 1016 uint16_t msg_type; 1017 struct rpmb_req *req = NULL; 1018 struct rpmb_data_frame *resp = NULL; 1019 struct rpmb_raw_data rawdata; 1020 uint32_t req_size; 1021 uint32_t resp_size; 1022 1023 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1024 resp_size = RPMB_DATA_FRAME_SIZE; 1025 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1026 (void *)&req, (void *)&resp); 1027 if (res != TEE_SUCCESS) 1028 goto func_exit; 1029 1030 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 1031 1032 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1033 rawdata.msg_type = msg_type; 1034 rawdata.key_mac = rpmb_ctx->key; 1035 1036 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1037 if (res != TEE_SUCCESS) 1038 goto func_exit; 1039 1040 res = tee_rpmb_invoke(&mem); 1041 if (res != TEE_SUCCESS) 1042 goto func_exit; 1043 1044 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1045 1046 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1047 rawdata.msg_type = msg_type; 1048 1049 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1050 if (res != TEE_SUCCESS) 1051 goto func_exit; 1052 1053 res = TEE_SUCCESS; 1054 1055 func_exit: 1056 tee_rpmb_free(&mem); 1057 return res; 1058 } 1059 1060 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1061 { 1062 TEE_Result res; 1063 1064 if (!plat_rpmb_key_is_ready()) { 1065 DMSG("RPMB INIT: platform indicates RPMB key is not ready"); 1066 return TEE_ERROR_BAD_STATE; 1067 } 1068 1069 DMSG("RPMB INIT: Writing Key value:"); 1070 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1071 1072 res = tee_rpmb_write_key(dev_id); 1073 if (res == TEE_SUCCESS) { 1074 DMSG("RPMB INIT: Verifying Key"); 1075 res = tee_rpmb_verify_key_sync_counter(dev_id); 1076 } 1077 return res; 1078 } 1079 #else 1080 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1081 { 1082 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1083 return TEE_ERROR_BAD_STATE; 1084 } 1085 #endif 1086 1087 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1088 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1089 { 1090 TEE_Result res = TEE_SUCCESS; 1091 struct rpmb_dev_info dev_info; 1092 uint32_t nblocks = 0; 1093 1094 if (rpmb_dead) 1095 return TEE_ERROR_COMMUNICATION; 1096 1097 if (!rpmb_ctx) { 1098 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1099 if (!rpmb_ctx) 1100 return TEE_ERROR_OUT_OF_MEMORY; 1101 } else if (rpmb_ctx->dev_id != dev_id) { 1102 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1103 } 1104 1105 rpmb_ctx->dev_id = dev_id; 1106 1107 if (!rpmb_ctx->dev_info_synced) { 1108 DMSG("RPMB: Syncing device information"); 1109 1110 dev_info.rpmb_size_mult = 0; 1111 dev_info.rel_wr_sec_c = 0; 1112 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1113 if (res != TEE_SUCCESS) 1114 goto func_exit; 1115 1116 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1117 DMSG("RPMB: Reliable Write Sector Count is %d", 1118 dev_info.rel_wr_sec_c); 1119 1120 if (dev_info.rpmb_size_mult == 0) { 1121 res = TEE_ERROR_GENERIC; 1122 goto func_exit; 1123 } 1124 1125 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1126 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1127 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1128 res = TEE_ERROR_BAD_PARAMETERS; 1129 goto func_exit; 1130 } 1131 1132 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1133 1134 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1135 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1136 #else 1137 rpmb_ctx->rel_wr_blkcnt = 1; 1138 #endif 1139 1140 rpmb_ctx->dev_info_synced = true; 1141 } 1142 1143 if (!rpmb_ctx->key_derived) { 1144 DMSG("RPMB INIT: Deriving key"); 1145 1146 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1147 RPMB_KEY_MAC_SIZE); 1148 if (res != TEE_SUCCESS) { 1149 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1150 res); 1151 goto func_exit; 1152 } 1153 1154 rpmb_ctx->key_derived = true; 1155 } 1156 1157 /* Perform a write counter read to verify if the key is ok. */ 1158 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1159 DMSG("RPMB INIT: Verifying Key"); 1160 1161 res = tee_rpmb_verify_key_sync_counter(dev_id); 1162 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1163 !rpmb_ctx->key_verified) { 1164 /* 1165 * Need to write the key here and verify it. 1166 */ 1167 DMSG("RPMB INIT: Auth key not yet written"); 1168 res = tee_rpmb_write_and_verify_key(dev_id); 1169 } else if (res != TEE_SUCCESS) { 1170 EMSG("Verify key failed!"); 1171 EMSG("Make sure key here matches device key"); 1172 } 1173 } 1174 1175 func_exit: 1176 return res; 1177 } 1178 1179 /* 1180 * Read RPMB data in bytes. 1181 * 1182 * @dev_id Device ID of the eMMC device. 1183 * @addr Byte address of data. 1184 * @data Pointer to the data. 1185 * @len Size of data in bytes. 1186 * @fek Encrypted File Encryption Key or NULL. 1187 */ 1188 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1189 uint32_t len, const uint8_t *fek, 1190 const TEE_UUID *uuid) 1191 { 1192 TEE_Result res = TEE_ERROR_GENERIC; 1193 struct tee_rpmb_mem mem = { 0 }; 1194 uint16_t msg_type; 1195 uint8_t nonce[RPMB_NONCE_SIZE]; 1196 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1197 struct rpmb_req *req = NULL; 1198 struct rpmb_data_frame *resp = NULL; 1199 struct rpmb_raw_data rawdata; 1200 uint32_t req_size; 1201 uint32_t resp_size; 1202 uint16_t blk_idx; 1203 uint16_t blkcnt; 1204 uint8_t byte_offset; 1205 1206 if (!data || !len) 1207 return TEE_ERROR_BAD_PARAMETERS; 1208 1209 blk_idx = addr / RPMB_DATA_SIZE; 1210 byte_offset = addr % RPMB_DATA_SIZE; 1211 1212 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1213 /* Overflow */ 1214 return TEE_ERROR_BAD_PARAMETERS; 1215 } 1216 blkcnt = 1217 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1218 res = tee_rpmb_init(dev_id); 1219 if (res != TEE_SUCCESS) 1220 goto func_exit; 1221 1222 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1223 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1224 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1225 (void *)&req, (void *)&resp); 1226 if (res != TEE_SUCCESS) 1227 goto func_exit; 1228 1229 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1230 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1231 if (res != TEE_SUCCESS) 1232 goto func_exit; 1233 1234 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1235 rawdata.msg_type = msg_type; 1236 rawdata.nonce = nonce; 1237 rawdata.blk_idx = &blk_idx; 1238 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1239 if (res != TEE_SUCCESS) 1240 goto func_exit; 1241 1242 req->block_count = blkcnt; 1243 1244 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1245 blk_idx); 1246 1247 res = tee_rpmb_invoke(&mem); 1248 if (res != TEE_SUCCESS) 1249 goto func_exit; 1250 1251 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1252 1253 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1254 rawdata.msg_type = msg_type; 1255 rawdata.block_count = &blkcnt; 1256 rawdata.blk_idx = &blk_idx; 1257 rawdata.nonce = nonce; 1258 rawdata.key_mac = hmac; 1259 rawdata.data = data; 1260 1261 rawdata.len = len; 1262 rawdata.byte_offset = byte_offset; 1263 1264 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1265 if (res != TEE_SUCCESS) 1266 goto func_exit; 1267 1268 res = TEE_SUCCESS; 1269 1270 func_exit: 1271 tee_rpmb_free(&mem); 1272 return res; 1273 } 1274 1275 static TEE_Result write_req(uint16_t dev_id, uint16_t blk_idx, 1276 const void *data_blks, uint16_t blkcnt, 1277 const uint8_t *fek, const TEE_UUID *uuid, 1278 struct tee_rpmb_mem *mem, void *req, void *resp) 1279 { 1280 TEE_Result res = TEE_SUCCESS; 1281 uint8_t hmac[RPMB_KEY_MAC_SIZE] = { }; 1282 uint32_t wr_cnt = rpmb_ctx->wr_cnt; 1283 struct rpmb_raw_data rawdata = { }; 1284 size_t retry_count = 0; 1285 1286 assert(mem->req_size <= 1287 sizeof(struct rpmb_req) + blkcnt * RPMB_DATA_FRAME_SIZE); 1288 assert(mem->resp_size <= RPMB_DATA_FRAME_SIZE); 1289 1290 while (true) { 1291 memset(req, 0, mem->req_size); 1292 memset(resp, 0, mem->resp_size); 1293 1294 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1295 rawdata.msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1296 rawdata.block_count = &blkcnt; 1297 rawdata.blk_idx = &blk_idx; 1298 rawdata.write_counter = &wr_cnt; 1299 rawdata.key_mac = hmac; 1300 rawdata.data = (uint8_t *)data_blks; 1301 1302 res = tee_rpmb_req_pack(req, &rawdata, blkcnt, dev_id, fek, 1303 uuid); 1304 if (res) { 1305 /* 1306 * If we haven't tried to send a request yet we can 1307 * allow a failure here since there's no chance of 1308 * an intercepted request with a valid write 1309 * counter. 1310 */ 1311 if (!retry_count) 1312 return res; 1313 1314 retry_count++; 1315 if (retry_count >= RPMB_MAX_RETRIES) 1316 goto out_of_retries; 1317 1318 DMSG("Request pack failed, retrying %zu", retry_count); 1319 continue; 1320 } 1321 1322 res = tee_rpmb_invoke(mem); 1323 if (res != TEE_SUCCESS) { 1324 retry_count++; 1325 if (retry_count >= RPMB_MAX_RETRIES) 1326 goto out_of_retries; 1327 /* 1328 * To force wr_cnt sync next time, as it might get 1329 * out of sync due to inconsistent operation result! 1330 */ 1331 rpmb_ctx->wr_cnt_synced = false; 1332 DMSG("Write invoke failed, retrying %zu", retry_count); 1333 continue; 1334 } 1335 1336 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1337 rawdata.msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1338 rawdata.block_count = &blkcnt; 1339 rawdata.blk_idx = &blk_idx; 1340 rawdata.write_counter = &wr_cnt; 1341 rawdata.key_mac = hmac; 1342 1343 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1344 NULL); 1345 if (res != TEE_SUCCESS) { 1346 retry_count++; 1347 if (retry_count >= RPMB_MAX_RETRIES) 1348 goto out_of_retries; 1349 /* 1350 * To force wr_cnt sync next time, as it might get 1351 * out of sync due to inconsistent operation result! 1352 */ 1353 rpmb_ctx->wr_cnt_synced = false; 1354 DMSG("Write resp unpack verify failed, retrying %zu", 1355 retry_count); 1356 continue; 1357 } 1358 1359 return TEE_SUCCESS; 1360 } 1361 1362 out_of_retries: 1363 rpmb_dead = true; 1364 /* 1365 * We're using this error code to cause an eventuall calling TA to 1366 * panic since we don't know if the data to be written has been 1367 * committed to storage or not. 1368 */ 1369 return TEE_ERROR_COMMUNICATION; 1370 } 1371 1372 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1373 const uint8_t *data_blks, uint16_t blkcnt, 1374 const uint8_t *fek, const TEE_UUID *uuid) 1375 { 1376 TEE_Result res; 1377 struct tee_rpmb_mem mem; 1378 struct rpmb_req *req = NULL; 1379 struct rpmb_data_frame *resp = NULL; 1380 uint32_t req_size; 1381 uint32_t resp_size; 1382 uint32_t nbr_writes; 1383 uint16_t tmp_blkcnt; 1384 uint16_t tmp_blk_idx; 1385 uint16_t i; 1386 1387 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1388 blk_idx); 1389 1390 if (!data_blks || !blkcnt) 1391 return TEE_ERROR_BAD_PARAMETERS; 1392 1393 res = tee_rpmb_init(dev_id); 1394 if (res != TEE_SUCCESS) 1395 return res; 1396 1397 /* 1398 * We need to split data when block count 1399 * is bigger than reliable block write count. 1400 */ 1401 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1402 req_size = sizeof(struct rpmb_req) + 1403 RPMB_DATA_FRAME_SIZE * blkcnt; 1404 else 1405 req_size = sizeof(struct rpmb_req) + 1406 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1407 1408 resp_size = RPMB_DATA_FRAME_SIZE; 1409 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1410 (void *)&req, (void *)&resp); 1411 if (res != TEE_SUCCESS) 1412 return res; 1413 1414 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1415 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1416 nbr_writes += 1; 1417 1418 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1419 tmp_blk_idx = blk_idx; 1420 for (i = 0; i < nbr_writes; i++) { 1421 size_t offs = i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1422 1423 /* 1424 * To handle the last write of block count which is 1425 * equal or smaller than reliable write block count. 1426 */ 1427 if (i == nbr_writes - 1) 1428 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1429 (nbr_writes - 1); 1430 1431 res = write_req(dev_id, tmp_blk_idx, data_blks + offs, 1432 tmp_blkcnt, fek, uuid, &mem, req, resp); 1433 if (res) 1434 goto out; 1435 1436 1437 tmp_blk_idx += tmp_blkcnt; 1438 } 1439 1440 out: 1441 tee_rpmb_free(&mem); 1442 return res; 1443 } 1444 1445 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1446 uint32_t len) 1447 { 1448 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1449 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1450 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1451 1452 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1453 } 1454 1455 /* 1456 * Write RPMB data in bytes. 1457 * 1458 * @dev_id Device ID of the eMMC device. 1459 * @addr Byte address of data. 1460 * @data Pointer to the data. 1461 * @len Size of data in bytes. 1462 * @fek Encrypted File Encryption Key or NULL. 1463 */ 1464 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1465 const uint8_t *data, uint32_t len, 1466 const uint8_t *fek, const TEE_UUID *uuid) 1467 { 1468 TEE_Result res = TEE_ERROR_GENERIC; 1469 uint8_t *data_tmp = NULL; 1470 uint16_t blk_idx; 1471 uint16_t blkcnt; 1472 uint8_t byte_offset; 1473 1474 blk_idx = addr / RPMB_DATA_SIZE; 1475 byte_offset = addr % RPMB_DATA_SIZE; 1476 1477 blkcnt = 1478 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1479 1480 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1481 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1482 uuid); 1483 if (res != TEE_SUCCESS) 1484 goto func_exit; 1485 } else { 1486 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1487 if (!data_tmp) { 1488 res = TEE_ERROR_OUT_OF_MEMORY; 1489 goto func_exit; 1490 } 1491 1492 /* Read the complete blocks */ 1493 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1494 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1495 if (res != TEE_SUCCESS) 1496 goto func_exit; 1497 1498 /* Partial update of the data blocks */ 1499 memcpy(data_tmp + byte_offset, data, len); 1500 1501 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1502 fek, uuid); 1503 if (res != TEE_SUCCESS) 1504 goto func_exit; 1505 } 1506 1507 res = TEE_SUCCESS; 1508 1509 func_exit: 1510 free(data_tmp); 1511 return res; 1512 } 1513 1514 /* 1515 * Read the RPMB write counter. 1516 * 1517 * @dev_id Device ID of the eMMC device. 1518 * @counter Pointer to the counter. 1519 */ 1520 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1521 uint32_t *counter) 1522 { 1523 TEE_Result res = TEE_SUCCESS; 1524 1525 if (!counter) 1526 return TEE_ERROR_BAD_PARAMETERS; 1527 1528 if (rpmb_dead) 1529 return TEE_ERROR_COMMUNICATION; 1530 1531 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1532 res = tee_rpmb_init(dev_id); 1533 if (res != TEE_SUCCESS) 1534 goto func_exit; 1535 } 1536 1537 *counter = rpmb_ctx->wr_cnt; 1538 1539 func_exit: 1540 return res; 1541 } 1542 1543 /* 1544 * Read the RPMB max block. 1545 * 1546 * @dev_id Device ID of the eMMC device. 1547 * @counter Pointer to receive the max block. 1548 */ 1549 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1550 { 1551 TEE_Result res = TEE_SUCCESS; 1552 1553 if (!max_block) 1554 return TEE_ERROR_BAD_PARAMETERS; 1555 1556 if (rpmb_dead) 1557 return TEE_ERROR_COMMUNICATION; 1558 1559 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1560 res = tee_rpmb_init(dev_id); 1561 if (res != TEE_SUCCESS) 1562 goto func_exit; 1563 } 1564 1565 *max_block = rpmb_ctx->max_blk_idx; 1566 1567 func_exit: 1568 return res; 1569 } 1570 1571 /* 1572 * End of lower interface to RPMB device 1573 */ 1574 1575 static TEE_Result get_fat_start_address(uint32_t *addr); 1576 static TEE_Result rpmb_fs_setup(void); 1577 1578 /** 1579 * fat_entry_dir_free: Free the FAT entry dir. 1580 */ 1581 static void fat_entry_dir_free(void) 1582 { 1583 if (fat_entry_dir) { 1584 free(fat_entry_dir->rpmb_fat_entry_buf); 1585 free(fat_entry_dir); 1586 fat_entry_dir = NULL; 1587 } 1588 } 1589 1590 /** 1591 * fat_entry_dir_init: Initialize the FAT FS entry buffer/cache 1592 * This function must be called before reading FAT FS entries using the 1593 * function fat_entry_dir_get_next. This initializes the buffer/cache with the 1594 * first FAT FS entries. 1595 */ 1596 static TEE_Result fat_entry_dir_init(void) 1597 { 1598 TEE_Result res = TEE_ERROR_GENERIC; 1599 struct rpmb_fat_entry *fe = NULL; 1600 uint32_t fat_address = 0; 1601 uint32_t num_elems_read = 0; 1602 1603 if (fat_entry_dir) 1604 return TEE_SUCCESS; 1605 1606 res = rpmb_fs_setup(); 1607 if (res) 1608 return res; 1609 1610 res = get_fat_start_address(&fat_address); 1611 if (res) 1612 return res; 1613 1614 fat_entry_dir = calloc(1, sizeof(struct rpmb_fat_entry_dir)); 1615 if (!fat_entry_dir) 1616 return TEE_ERROR_OUT_OF_MEMORY; 1617 1618 /* 1619 * If caching is enabled, read in up to the maximum cache size, but 1620 * never more than the single read in size. Otherwise, read in as many 1621 * entries fit into the temporary buffer. 1622 */ 1623 if (CFG_RPMB_FS_CACHE_ENTRIES) 1624 num_elems_read = MIN(CFG_RPMB_FS_CACHE_ENTRIES, 1625 CFG_RPMB_FS_RD_ENTRIES); 1626 else 1627 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1628 1629 /* 1630 * Allocate memory for the FAT FS entries to read in. 1631 */ 1632 fe = calloc(num_elems_read, sizeof(struct rpmb_fat_entry)); 1633 if (!fe) { 1634 res = TEE_ERROR_OUT_OF_MEMORY; 1635 goto out; 1636 } 1637 1638 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, (uint8_t *)fe, 1639 num_elems_read * sizeof(*fe), NULL, NULL); 1640 if (res) 1641 goto out; 1642 1643 fat_entry_dir->rpmb_fat_entry_buf = fe; 1644 1645 /* 1646 * We use this variable when getting next entries from the buffer/cache 1647 * to see whether we have to read in more entries from storage. 1648 */ 1649 fat_entry_dir->num_buffered = num_elems_read; 1650 1651 return TEE_SUCCESS; 1652 out: 1653 fat_entry_dir_free(); 1654 free(fe); 1655 return res; 1656 } 1657 1658 /** 1659 * fat_entry_dir_deinit: If caching is enabled, free the temporary buffer for 1660 * FAT FS entries in case the cache was too small. Keep the elements in the 1661 * cache. Reset the counter variables to start the next traversal from fresh 1662 * from the first cached entry. If caching is disabled, just free the 1663 * temporary buffer by calling fat_entry_dir_free and return. 1664 */ 1665 static void fat_entry_dir_deinit(void) 1666 { 1667 struct rpmb_fat_entry *fe = NULL; 1668 1669 if (!fat_entry_dir) 1670 return; 1671 1672 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1673 fat_entry_dir_free(); 1674 return; 1675 } 1676 1677 fe = fat_entry_dir->rpmb_fat_entry_buf; 1678 fat_entry_dir->idx_curr = 0; 1679 fat_entry_dir->num_total_read = 0; 1680 fat_entry_dir->last_reached = false; 1681 1682 if (fat_entry_dir->num_buffered > CFG_RPMB_FS_CACHE_ENTRIES) { 1683 fat_entry_dir->num_buffered = CFG_RPMB_FS_CACHE_ENTRIES; 1684 1685 fe = realloc(fe, fat_entry_dir->num_buffered * sizeof(*fe)); 1686 1687 /* 1688 * In case realloc fails, we are on the safe side if we destroy 1689 * the whole structure. Upon the next init, the cache has to be 1690 * re-established, but this case should not happen in practice. 1691 */ 1692 if (!fe) 1693 fat_entry_dir_free(); 1694 else 1695 fat_entry_dir->rpmb_fat_entry_buf = fe; 1696 } 1697 } 1698 1699 /** 1700 * fat_entry_dir_update: Updates a persisted FAT FS entry in the cache. 1701 * This function updates the FAT entry fat_entry that was written to address 1702 * fat_address onto RPMB storage in the cache. 1703 */ 1704 static TEE_Result __maybe_unused fat_entry_dir_update 1705 (struct rpmb_fat_entry *fat_entry, 1706 uint32_t fat_address) 1707 { 1708 uint32_t fat_entry_buf_idx = 0; 1709 /* Use a temp var to avoid compiler warning if caching disabled. */ 1710 uint32_t max_cache_entries = CFG_RPMB_FS_CACHE_ENTRIES; 1711 1712 assert(!((fat_address - RPMB_FS_FAT_START_ADDRESS) % 1713 sizeof(struct rpmb_fat_entry))); 1714 1715 /* Nothing to update if the cache is not initialized. */ 1716 if (!fat_entry_dir) 1717 return TEE_SUCCESS; 1718 1719 fat_entry_buf_idx = (fat_address - RPMB_FS_FAT_START_ADDRESS) / 1720 sizeof(struct rpmb_fat_entry); 1721 1722 /* Only need to write if index points to an entry in cache. */ 1723 if (fat_entry_buf_idx < fat_entry_dir->num_buffered && 1724 fat_entry_buf_idx < max_cache_entries) { 1725 memcpy(fat_entry_dir->rpmb_fat_entry_buf + fat_entry_buf_idx, 1726 fat_entry, sizeof(struct rpmb_fat_entry)); 1727 } 1728 1729 return TEE_SUCCESS; 1730 } 1731 1732 /** 1733 * fat_entry_dir_get_next: Get next FAT FS entry. 1734 * Read either from cache/buffer, or by reading from RPMB storage if the 1735 * elements in the buffer/cache are fully read. When reading in from RPMB 1736 * storage, the buffer is overwritten in case caching is disabled. 1737 * In case caching is enabled, the cache is either further filled, or a 1738 * temporary buffer populated if the cache is already full. 1739 * The FAT FS entry is written to fat_entry. The respective address in RPMB 1740 * storage is written to fat_address, if not NULL. When the last FAT FS entry 1741 * was previously read, the function indicates this case by writing a NULL 1742 * pointer to fat_entry. 1743 * Returns a value different TEE_SUCCESS if the next FAT FS entry could not be 1744 * retrieved. 1745 */ 1746 static TEE_Result fat_entry_dir_get_next(struct rpmb_fat_entry **fat_entry, 1747 uint32_t *fat_address) 1748 { 1749 TEE_Result res = TEE_ERROR_GENERIC; 1750 struct rpmb_fat_entry *fe = NULL; 1751 uint32_t num_elems_read = 0; 1752 uint32_t fat_address_local = 0; 1753 1754 assert(fat_entry_dir && fat_entry); 1755 1756 /* Don't read further if we previously read the last FAT FS entry. */ 1757 if (fat_entry_dir->last_reached) { 1758 *fat_entry = NULL; 1759 return TEE_SUCCESS; 1760 } 1761 1762 fe = fat_entry_dir->rpmb_fat_entry_buf; 1763 1764 /* Determine address of FAT FS entry in RPMB storage. */ 1765 fat_address_local = RPMB_FS_FAT_START_ADDRESS + 1766 (fat_entry_dir->num_total_read * 1767 sizeof(struct rpmb_fat_entry)); 1768 1769 /* 1770 * We've read all so-far buffered elements, so we need to 1771 * read in more entries from RPMB storage. 1772 */ 1773 if (fat_entry_dir->idx_curr >= fat_entry_dir->num_buffered) { 1774 /* 1775 * This is the case where we do not cache entries, so just read 1776 * in next set of FAT FS entries into the buffer. 1777 * Goto the end of the when statement if that is done. 1778 */ 1779 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1780 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1781 fat_entry_dir->idx_curr = 0; 1782 1783 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1784 fat_address_local, (uint8_t *)fe, 1785 num_elems_read * sizeof(*fe), NULL, 1786 NULL); 1787 if (res) 1788 return res; 1789 goto post_read_in; 1790 } 1791 1792 /* 1793 * We cache FAT FS entries, and the buffer is not completely 1794 * filled. Further keep on extending the buffer up to its max 1795 * size by reading in from RPMB. 1796 */ 1797 if (fat_entry_dir->num_total_read < RPMB_BUF_MAX_ENTRIES) { 1798 /* 1799 * Read at most as many elements as fit in the buffer 1800 * and no more than the defined number of entries to 1801 * read in at once. 1802 */ 1803 num_elems_read = MIN(RPMB_BUF_MAX_ENTRIES - 1804 fat_entry_dir->num_total_read, 1805 (uint32_t)CFG_RPMB_FS_RD_ENTRIES); 1806 1807 /* 1808 * Expand the buffer to fit in the additional entries. 1809 */ 1810 fe = realloc(fe, 1811 (fat_entry_dir->num_buffered + 1812 num_elems_read) * sizeof(*fe)); 1813 if (!fe) 1814 return TEE_ERROR_OUT_OF_MEMORY; 1815 1816 fat_entry_dir->rpmb_fat_entry_buf = fe; 1817 1818 /* Read in to the next free slot in the buffer/cache. */ 1819 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1820 fat_address_local, 1821 (uint8_t *)(fe + 1822 fat_entry_dir->num_total_read), 1823 num_elems_read * sizeof(*fe), 1824 NULL, NULL); 1825 if (res) 1826 return res; 1827 1828 fat_entry_dir->num_buffered += num_elems_read; 1829 } else { 1830 /* 1831 * This happens when we have read as many elements as 1832 * can possibly fit into the buffer. 1833 * As the first part of the buffer serves as our cache, 1834 * we only overwrite the last part that serves as our 1835 * temporary buffer used to iteratively read in entries 1836 * when the cache is full. Read in the temporary buffer 1837 * maximum size. 1838 */ 1839 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1840 /* Reset index to beginning of the temporary buffer. */ 1841 fat_entry_dir->idx_curr = CFG_RPMB_FS_CACHE_ENTRIES; 1842 1843 /* Read in elements after the end of the cache. */ 1844 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1845 fat_address_local, 1846 (uint8_t *)(fe + 1847 fat_entry_dir->idx_curr), 1848 num_elems_read * sizeof(*fe), 1849 NULL, NULL); 1850 if (res) 1851 return res; 1852 } 1853 } 1854 1855 post_read_in: 1856 if (fat_address) 1857 *fat_address = fat_address_local; 1858 1859 *fat_entry = fe + fat_entry_dir->idx_curr; 1860 1861 fat_entry_dir->idx_curr++; 1862 fat_entry_dir->num_total_read++; 1863 1864 /* 1865 * Indicate last entry was read. 1866 * Ensures we return a zero value for fat_entry on next invocation. 1867 */ 1868 if ((*fat_entry)->flags & FILE_IS_LAST_ENTRY) 1869 fat_entry_dir->last_reached = true; 1870 1871 return TEE_SUCCESS; 1872 } 1873 1874 #if (TRACE_LEVEL >= TRACE_FLOW) 1875 static void dump_fat(void) 1876 { 1877 TEE_Result res = TEE_ERROR_SECURITY; 1878 struct rpmb_fat_entry *fe = NULL; 1879 1880 if (!fs_par) 1881 return; 1882 1883 if (fat_entry_dir_init()) 1884 return; 1885 1886 while (true) { 1887 res = fat_entry_dir_get_next(&fe, NULL); 1888 if (res || !fe) 1889 break; 1890 1891 FMSG("flags %#"PRIx32", size %"PRIu32", address %#"PRIx32 1892 ", filename '%s'", 1893 fe->flags, fe->data_size, fe->start_address, fe->filename); 1894 } 1895 1896 fat_entry_dir_deinit(); 1897 } 1898 #else 1899 static void dump_fat(void) 1900 { 1901 } 1902 #endif 1903 1904 #if (TRACE_LEVEL >= TRACE_DEBUG) 1905 static void dump_fh(struct rpmb_file_handle *fh) 1906 { 1907 DMSG("fh->filename=%s", fh->filename); 1908 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1909 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1910 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1911 } 1912 #else 1913 static void dump_fh(struct rpmb_file_handle *fh __unused) 1914 { 1915 } 1916 #endif 1917 1918 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1919 bool temporary) 1920 { 1921 struct rpmb_file_handle *fh = NULL; 1922 1923 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1924 if (!fh) 1925 return NULL; 1926 1927 if (po) 1928 tee_svc_storage_create_filename(fh->filename, 1929 sizeof(fh->filename), po, 1930 temporary); 1931 1932 return fh; 1933 } 1934 1935 /** 1936 * write_fat_entry: Store info in a fat_entry to RPMB. 1937 */ 1938 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1939 bool update_write_counter) 1940 { 1941 TEE_Result res = TEE_ERROR_GENERIC; 1942 1943 /* Protect partition data. */ 1944 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1945 res = TEE_ERROR_ACCESS_CONFLICT; 1946 goto out; 1947 } 1948 1949 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1950 res = TEE_ERROR_BAD_PARAMETERS; 1951 goto out; 1952 } 1953 1954 if (update_write_counter) { 1955 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1956 &fh->fat_entry.write_counter); 1957 if (res) 1958 goto out; 1959 } 1960 1961 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1962 (uint8_t *)&fh->fat_entry, 1963 sizeof(struct rpmb_fat_entry), NULL, NULL); 1964 1965 dump_fat(); 1966 1967 /* If caching enabled, update a successfully written entry in cache. */ 1968 if (CFG_RPMB_FS_CACHE_ENTRIES && !res) 1969 res = fat_entry_dir_update(&fh->fat_entry, 1970 fh->rpmb_fat_address); 1971 1972 out: 1973 return res; 1974 } 1975 1976 /** 1977 * rpmb_fs_setup: Setup RPMB FS. 1978 * Set initial partition and FS values and write to RPMB. 1979 * Store frequently used data in RAM. 1980 */ 1981 static TEE_Result rpmb_fs_setup(void) 1982 { 1983 TEE_Result res = TEE_ERROR_GENERIC; 1984 struct rpmb_fs_partition *partition_data = NULL; 1985 struct rpmb_file_handle *fh = NULL; 1986 uint32_t max_rpmb_block = 0; 1987 1988 if (fs_par) { 1989 res = TEE_SUCCESS; 1990 goto out; 1991 } 1992 1993 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1994 if (res != TEE_SUCCESS) 1995 goto out; 1996 1997 /* 1998 * We're going to read a full block in order to have a full block 1999 * for the dummy write below. 2000 */ 2001 COMPILE_TIME_ASSERT(sizeof(struct rpmb_fs_partition) <= 2002 RPMB_DATA_SIZE); 2003 partition_data = calloc(1, RPMB_DATA_SIZE); 2004 if (!partition_data) { 2005 res = TEE_ERROR_OUT_OF_MEMORY; 2006 goto out; 2007 } 2008 2009 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2010 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2011 NULL, NULL); 2012 if (res != TEE_SUCCESS) 2013 goto out; 2014 /* 2015 * Perform a write in order to increase the write counter. This 2016 * prevents late usage (replay attack) of a previously blocked 2017 * request with a valid write counter value. 2018 */ 2019 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2020 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2021 NULL, NULL); 2022 if (res != TEE_SUCCESS) 2023 goto out; 2024 /* 2025 * We're reading again in case a stale request was committed 2026 * instead of the one issued above. If this succeeds we're in sync 2027 * with the RPMB block since there are no other possible stale 2028 * blocks with valid write counters available. 2029 */ 2030 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2031 (uint8_t *)partition_data, 2032 sizeof(struct rpmb_fs_partition), NULL, NULL); 2033 if (res != TEE_SUCCESS) 2034 goto out; 2035 2036 #ifndef CFG_RPMB_RESET_FAT 2037 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 2038 if (partition_data->fs_version == FS_VERSION) { 2039 res = TEE_SUCCESS; 2040 goto store_fs_par; 2041 } else { 2042 EMSG("Wrong software is in use."); 2043 res = TEE_ERROR_ACCESS_DENIED; 2044 goto out; 2045 } 2046 } 2047 #else 2048 EMSG("**** Clearing Storage ****"); 2049 #endif 2050 2051 /* Setup new partition data. */ 2052 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 2053 partition_data->fs_version = FS_VERSION; 2054 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 2055 2056 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 2057 fh = alloc_file_handle(NULL, false); 2058 if (!fh) { 2059 res = TEE_ERROR_OUT_OF_MEMORY; 2060 goto out; 2061 } 2062 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 2063 fh->rpmb_fat_address = partition_data->fat_start_address; 2064 2065 /* Write init FAT entry and partition data to RPMB. */ 2066 res = write_fat_entry(fh, true); 2067 if (res != TEE_SUCCESS) 2068 goto out; 2069 2070 res = 2071 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 2072 &partition_data->write_counter); 2073 if (res != TEE_SUCCESS) 2074 goto out; 2075 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2076 (uint8_t *)partition_data, 2077 sizeof(struct rpmb_fs_partition), NULL, NULL); 2078 2079 #ifndef CFG_RPMB_RESET_FAT 2080 store_fs_par: 2081 #endif 2082 2083 /* Store FAT start address. */ 2084 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 2085 if (!fs_par) { 2086 res = TEE_ERROR_OUT_OF_MEMORY; 2087 goto out; 2088 } 2089 2090 fs_par->fat_start_address = partition_data->fat_start_address; 2091 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 2092 2093 dump_fat(); 2094 2095 out: 2096 free(fh); 2097 free(partition_data); 2098 return res; 2099 } 2100 2101 /** 2102 * get_fat_start_address: 2103 * FAT start_address from fs_par. 2104 */ 2105 static TEE_Result get_fat_start_address(uint32_t *addr) 2106 { 2107 if (!fs_par) 2108 return TEE_ERROR_NO_DATA; 2109 2110 *addr = fs_par->fat_start_address; 2111 2112 return TEE_SUCCESS; 2113 } 2114 2115 /** 2116 * read_fat: Read FAT entries 2117 * Return matching FAT entry for read, rm rename and stat. 2118 * Build up memory pool and return matching entry for write operation. 2119 * "Last FAT entry" can be returned during write. 2120 */ 2121 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 2122 { 2123 TEE_Result res = TEE_ERROR_GENERIC; 2124 tee_mm_entry_t *mm = NULL; 2125 struct rpmb_fat_entry *fe = NULL; 2126 uint32_t fat_address; 2127 bool entry_found = false; 2128 bool expand_fat = false; 2129 struct rpmb_file_handle last_fh; 2130 2131 DMSG("fat_address %d", fh->rpmb_fat_address); 2132 2133 res = fat_entry_dir_init(); 2134 if (res) 2135 goto out; 2136 2137 /* 2138 * The pool is used to represent the current RPMB layout. To find 2139 * a slot for the file tee_mm_alloc is called on the pool. Thus 2140 * if it is not NULL the entire FAT must be traversed to fill in 2141 * the pool. 2142 */ 2143 while (true) { 2144 res = fat_entry_dir_get_next(&fe, &fat_address); 2145 if (res || !fe) 2146 break; 2147 2148 /* 2149 * Look for an entry, matching filenames. (read, rm, 2150 * rename and stat.). Only store first filename match. 2151 */ 2152 if ((!strcmp(fh->filename, fe->filename)) && 2153 (fe->flags & FILE_IS_ACTIVE) && !entry_found) { 2154 entry_found = true; 2155 fh->rpmb_fat_address = fat_address; 2156 memcpy(&fh->fat_entry, fe, sizeof(*fe)); 2157 if (!p) 2158 break; 2159 } 2160 2161 /* Add existing files to memory pool. (write) */ 2162 if (p) { 2163 if ((fe->flags & FILE_IS_ACTIVE) && fe->data_size > 0) { 2164 2165 mm = tee_mm_alloc2(p, fe->start_address, 2166 fe->data_size); 2167 if (!mm) { 2168 res = TEE_ERROR_OUT_OF_MEMORY; 2169 goto out; 2170 } 2171 } 2172 2173 /* Unused FAT entries can be reused (write) */ 2174 if (((fe->flags & FILE_IS_ACTIVE) == 0) && 2175 fh->rpmb_fat_address == 0) { 2176 fh->rpmb_fat_address = fat_address; 2177 memcpy(&fh->fat_entry, fe, 2178 sizeof(struct rpmb_fat_entry)); 2179 } 2180 2181 if (((fe->flags & FILE_IS_LAST_ENTRY) != 0) && 2182 fh->rpmb_fat_address == fat_address) { 2183 2184 /* 2185 * If the last entry was reached and was chosen 2186 * by the previous check, then the FAT needs to 2187 * be expanded. 2188 * fh->rpmb_fat_address is the address chosen 2189 * to store the files FAT entry and fat_address 2190 * is the current FAT entry address being 2191 * compared. 2192 */ 2193 expand_fat = true; 2194 } 2195 } 2196 } 2197 2198 if (res) 2199 goto out; 2200 /* 2201 * Represent the FAT table in the pool. 2202 */ 2203 if (p) { 2204 /* 2205 * Since fat_address is the start of the last entry it needs to 2206 * be moved up by an entry. 2207 */ 2208 fat_address += sizeof(struct rpmb_fat_entry); 2209 2210 /* Make room for yet a FAT entry and add to memory pool. */ 2211 if (expand_fat) 2212 fat_address += sizeof(struct rpmb_fat_entry); 2213 2214 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 2215 if (!mm) { 2216 res = TEE_ERROR_OUT_OF_MEMORY; 2217 goto out; 2218 } 2219 2220 if (expand_fat) { 2221 /* 2222 * Point fat_address to the beginning of the new 2223 * entry. 2224 */ 2225 fat_address -= sizeof(struct rpmb_fat_entry); 2226 memset(&last_fh, 0, sizeof(last_fh)); 2227 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 2228 last_fh.rpmb_fat_address = fat_address; 2229 res = write_fat_entry(&last_fh, true); 2230 if (res != TEE_SUCCESS) 2231 goto out; 2232 } 2233 } 2234 2235 if (!fh->rpmb_fat_address) 2236 res = TEE_ERROR_ITEM_NOT_FOUND; 2237 2238 out: 2239 fat_entry_dir_deinit(); 2240 return res; 2241 } 2242 2243 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 2244 { 2245 TEE_Result res; 2246 2247 again: 2248 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 2249 if (res != TEE_SUCCESS) 2250 return res; 2251 2252 if (is_zero(fe->fek, sizeof(fe->fek))) 2253 goto again; 2254 2255 return res; 2256 } 2257 2258 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 2259 const TEE_UUID *uuid, bool create) 2260 { 2261 tee_mm_pool_t p; 2262 bool pool_result; 2263 TEE_Result res = TEE_ERROR_GENERIC; 2264 2265 /* We need to do setup in order to make sure fs_par is filled in */ 2266 res = rpmb_fs_setup(); 2267 if (res != TEE_SUCCESS) 2268 goto out; 2269 2270 fh->uuid = uuid; 2271 if (create) { 2272 /* Upper memory allocation must be used for RPMB_FS. */ 2273 pool_result = tee_mm_init(&p, 2274 RPMB_STORAGE_START_ADDRESS, 2275 fs_par->max_rpmb_address, 2276 RPMB_BLOCK_SIZE_SHIFT, 2277 TEE_MM_POOL_HI_ALLOC); 2278 2279 if (!pool_result) { 2280 res = TEE_ERROR_OUT_OF_MEMORY; 2281 goto out; 2282 } 2283 2284 res = read_fat(fh, &p); 2285 tee_mm_final(&p); 2286 if (res != TEE_SUCCESS) 2287 goto out; 2288 } else { 2289 res = read_fat(fh, NULL); 2290 if (res != TEE_SUCCESS) 2291 goto out; 2292 } 2293 2294 /* 2295 * If this is opened with create and the entry found was not active 2296 * then this is a new file and the FAT entry must be written 2297 */ 2298 if (create) { 2299 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 2300 memset(&fh->fat_entry, 0, 2301 sizeof(struct rpmb_fat_entry)); 2302 memcpy(fh->fat_entry.filename, fh->filename, 2303 strlen(fh->filename)); 2304 /* Start address and size are 0 */ 2305 fh->fat_entry.flags = FILE_IS_ACTIVE; 2306 2307 res = generate_fek(&fh->fat_entry, uuid); 2308 if (res != TEE_SUCCESS) 2309 goto out; 2310 DMSG("GENERATE FEK key: %p", 2311 (void *)fh->fat_entry.fek); 2312 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 2313 2314 res = write_fat_entry(fh, true); 2315 if (res != TEE_SUCCESS) 2316 goto out; 2317 } 2318 } 2319 2320 res = TEE_SUCCESS; 2321 2322 out: 2323 return res; 2324 } 2325 2326 static void rpmb_fs_close(struct tee_file_handle **tfh) 2327 { 2328 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 2329 2330 free(fh); 2331 *tfh = NULL; 2332 } 2333 2334 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 2335 void *buf, size_t *len) 2336 { 2337 TEE_Result res; 2338 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2339 size_t size = *len; 2340 2341 if (!size) 2342 return TEE_SUCCESS; 2343 2344 mutex_lock(&rpmb_mutex); 2345 2346 dump_fh(fh); 2347 2348 res = read_fat(fh, NULL); 2349 if (res != TEE_SUCCESS) 2350 goto out; 2351 2352 if (pos >= fh->fat_entry.data_size) { 2353 *len = 0; 2354 goto out; 2355 } 2356 2357 size = MIN(size, fh->fat_entry.data_size - pos); 2358 if (size) { 2359 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2360 fh->fat_entry.start_address + pos, buf, 2361 size, fh->fat_entry.fek, fh->uuid); 2362 if (res != TEE_SUCCESS) 2363 goto out; 2364 } 2365 *len = size; 2366 2367 out: 2368 mutex_unlock(&rpmb_mutex); 2369 return res; 2370 } 2371 2372 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 2373 size_t pos, const void *buf, 2374 size_t size) 2375 { 2376 TEE_Result res; 2377 tee_mm_pool_t p; 2378 bool pool_result = false; 2379 tee_mm_entry_t *mm; 2380 size_t end; 2381 size_t newsize; 2382 uint8_t *newbuf = NULL; 2383 uintptr_t newaddr; 2384 uint32_t start_addr; 2385 2386 if (!size) 2387 return TEE_SUCCESS; 2388 2389 if (!fs_par) { 2390 res = TEE_ERROR_GENERIC; 2391 goto out; 2392 } 2393 2394 dump_fh(fh); 2395 2396 /* Upper memory allocation must be used for RPMB_FS. */ 2397 pool_result = tee_mm_init(&p, 2398 RPMB_STORAGE_START_ADDRESS, 2399 fs_par->max_rpmb_address, 2400 RPMB_BLOCK_SIZE_SHIFT, 2401 TEE_MM_POOL_HI_ALLOC); 2402 if (!pool_result) { 2403 res = TEE_ERROR_OUT_OF_MEMORY; 2404 goto out; 2405 } 2406 2407 res = read_fat(fh, &p); 2408 if (res != TEE_SUCCESS) 2409 goto out; 2410 2411 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2412 panic("invalid last entry flag"); 2413 2414 if (ADD_OVERFLOW(pos, size, &end)) { 2415 res = TEE_ERROR_BAD_PARAMETERS; 2416 goto out; 2417 } 2418 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2419 res = TEE_ERROR_BAD_PARAMETERS; 2420 goto out; 2421 } 2422 2423 if (end <= fh->fat_entry.data_size && 2424 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2425 2426 DMSG("Updating data in-place"); 2427 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2428 size, fh->fat_entry.fek, fh->uuid); 2429 if (res != TEE_SUCCESS) 2430 goto out; 2431 } else { 2432 /* 2433 * File must be extended, or update cannot be atomic: allocate, 2434 * read, update, write. 2435 */ 2436 2437 DMSG("Need to re-allocate"); 2438 newsize = MAX(end, fh->fat_entry.data_size); 2439 mm = tee_mm_alloc(&p, newsize); 2440 newbuf = calloc(1, newsize); 2441 if (!mm || !newbuf) { 2442 res = TEE_ERROR_OUT_OF_MEMORY; 2443 goto out; 2444 } 2445 2446 if (fh->fat_entry.data_size) { 2447 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2448 fh->fat_entry.start_address, 2449 newbuf, fh->fat_entry.data_size, 2450 fh->fat_entry.fek, fh->uuid); 2451 if (res != TEE_SUCCESS) 2452 goto out; 2453 } 2454 2455 memcpy(newbuf + pos, buf, size); 2456 2457 newaddr = tee_mm_get_smem(mm); 2458 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2459 newsize, fh->fat_entry.fek, fh->uuid); 2460 if (res != TEE_SUCCESS) 2461 goto out; 2462 2463 fh->fat_entry.data_size = newsize; 2464 fh->fat_entry.start_address = newaddr; 2465 res = write_fat_entry(fh, true); 2466 if (res != TEE_SUCCESS) 2467 goto out; 2468 } 2469 2470 out: 2471 if (pool_result) 2472 tee_mm_final(&p); 2473 if (newbuf) 2474 free(newbuf); 2475 2476 return res; 2477 } 2478 2479 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2480 const void *buf, size_t size) 2481 { 2482 TEE_Result res; 2483 2484 mutex_lock(&rpmb_mutex); 2485 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2486 buf, size); 2487 mutex_unlock(&rpmb_mutex); 2488 2489 return res; 2490 } 2491 2492 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2493 { 2494 TEE_Result res; 2495 2496 res = read_fat(fh, NULL); 2497 if (res) 2498 return res; 2499 2500 /* Clear this file entry. */ 2501 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2502 return write_fat_entry(fh, false); 2503 } 2504 2505 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2506 { 2507 TEE_Result res; 2508 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2509 2510 if (!fh) 2511 return TEE_ERROR_OUT_OF_MEMORY; 2512 2513 mutex_lock(&rpmb_mutex); 2514 2515 res = rpmb_fs_remove_internal(fh); 2516 2517 mutex_unlock(&rpmb_mutex); 2518 2519 free(fh); 2520 return res; 2521 } 2522 2523 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2524 struct tee_pobj *new, 2525 bool overwrite) 2526 { 2527 TEE_Result res = TEE_ERROR_GENERIC; 2528 struct rpmb_file_handle *fh_old = NULL; 2529 struct rpmb_file_handle *fh_new = NULL; 2530 2531 if (!old) { 2532 res = TEE_ERROR_BAD_PARAMETERS; 2533 goto out; 2534 } 2535 2536 if (new) 2537 fh_old = alloc_file_handle(old, old->temporary); 2538 else 2539 fh_old = alloc_file_handle(old, true); 2540 if (!fh_old) { 2541 res = TEE_ERROR_OUT_OF_MEMORY; 2542 goto out; 2543 } 2544 2545 if (new) 2546 fh_new = alloc_file_handle(new, new->temporary); 2547 else 2548 fh_new = alloc_file_handle(old, false); 2549 if (!fh_new) { 2550 res = TEE_ERROR_OUT_OF_MEMORY; 2551 goto out; 2552 } 2553 2554 res = read_fat(fh_old, NULL); 2555 if (res != TEE_SUCCESS) 2556 goto out; 2557 2558 res = read_fat(fh_new, NULL); 2559 if (res == TEE_SUCCESS) { 2560 if (!overwrite) { 2561 res = TEE_ERROR_ACCESS_CONFLICT; 2562 goto out; 2563 } 2564 2565 /* Clear this file entry. */ 2566 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2567 res = write_fat_entry(fh_new, false); 2568 if (res != TEE_SUCCESS) 2569 goto out; 2570 } 2571 2572 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2573 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2574 strlen(fh_new->filename)); 2575 2576 res = write_fat_entry(fh_old, false); 2577 2578 out: 2579 free(fh_old); 2580 free(fh_new); 2581 2582 return res; 2583 } 2584 2585 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2586 bool overwrite) 2587 { 2588 TEE_Result res; 2589 2590 mutex_lock(&rpmb_mutex); 2591 res = rpmb_fs_rename_internal(old, new, overwrite); 2592 mutex_unlock(&rpmb_mutex); 2593 2594 return res; 2595 } 2596 2597 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2598 { 2599 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2600 tee_mm_pool_t p; 2601 bool pool_result = false; 2602 tee_mm_entry_t *mm; 2603 uint32_t newsize; 2604 uint8_t *newbuf = NULL; 2605 uintptr_t newaddr; 2606 TEE_Result res = TEE_ERROR_GENERIC; 2607 2608 mutex_lock(&rpmb_mutex); 2609 2610 if (length > INT32_MAX) { 2611 res = TEE_ERROR_BAD_PARAMETERS; 2612 goto out; 2613 } 2614 newsize = length; 2615 2616 res = read_fat(fh, NULL); 2617 if (res != TEE_SUCCESS) 2618 goto out; 2619 2620 if (newsize > fh->fat_entry.data_size) { 2621 /* Extend file */ 2622 2623 pool_result = tee_mm_init(&p, 2624 RPMB_STORAGE_START_ADDRESS, 2625 fs_par->max_rpmb_address, 2626 RPMB_BLOCK_SIZE_SHIFT, 2627 TEE_MM_POOL_HI_ALLOC); 2628 if (!pool_result) { 2629 res = TEE_ERROR_OUT_OF_MEMORY; 2630 goto out; 2631 } 2632 res = read_fat(fh, &p); 2633 if (res != TEE_SUCCESS) 2634 goto out; 2635 2636 mm = tee_mm_alloc(&p, newsize); 2637 newbuf = calloc(1, newsize); 2638 if (!mm || !newbuf) { 2639 res = TEE_ERROR_OUT_OF_MEMORY; 2640 goto out; 2641 } 2642 2643 if (fh->fat_entry.data_size) { 2644 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2645 fh->fat_entry.start_address, 2646 newbuf, fh->fat_entry.data_size, 2647 fh->fat_entry.fek, fh->uuid); 2648 if (res != TEE_SUCCESS) 2649 goto out; 2650 } 2651 2652 newaddr = tee_mm_get_smem(mm); 2653 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2654 newsize, fh->fat_entry.fek, fh->uuid); 2655 if (res != TEE_SUCCESS) 2656 goto out; 2657 2658 } else { 2659 /* Don't change file location */ 2660 newaddr = fh->fat_entry.start_address; 2661 } 2662 2663 /* fh->pos is unchanged */ 2664 fh->fat_entry.data_size = newsize; 2665 fh->fat_entry.start_address = newaddr; 2666 res = write_fat_entry(fh, true); 2667 2668 out: 2669 mutex_unlock(&rpmb_mutex); 2670 if (pool_result) 2671 tee_mm_final(&p); 2672 if (newbuf) 2673 free(newbuf); 2674 2675 return res; 2676 } 2677 2678 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2679 { 2680 struct tee_rpmb_fs_dirent *e; 2681 2682 if (!dir) 2683 return; 2684 2685 free(dir->current); 2686 2687 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2688 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2689 free(e); 2690 } 2691 } 2692 2693 static TEE_Result rpmb_fs_dir_populate(const char *path, 2694 struct tee_fs_dir *dir) 2695 { 2696 struct tee_rpmb_fs_dirent *current = NULL; 2697 struct rpmb_fat_entry *fe = NULL; 2698 uint32_t fat_address; 2699 uint32_t filelen; 2700 char *filename; 2701 bool matched; 2702 struct tee_rpmb_fs_dirent *next = NULL; 2703 uint32_t pathlen; 2704 TEE_Result res = TEE_ERROR_GENERIC; 2705 char temp; 2706 2707 mutex_lock(&rpmb_mutex); 2708 2709 res = fat_entry_dir_init(); 2710 if (res) 2711 goto out; 2712 2713 pathlen = strlen(path); 2714 2715 while (true) { 2716 res = fat_entry_dir_get_next(&fe, &fat_address); 2717 if (res || !fe) 2718 break; 2719 2720 filename = fe->filename; 2721 if (fe->flags & FILE_IS_ACTIVE) { 2722 matched = false; 2723 filelen = strlen(filename); 2724 if (filelen > pathlen) { 2725 temp = filename[pathlen]; 2726 filename[pathlen] = '\0'; 2727 if (strcmp(filename, path) == 0) 2728 matched = true; 2729 2730 filename[pathlen] = temp; 2731 } 2732 2733 if (matched) { 2734 next = malloc(sizeof(*next)); 2735 if (!next) { 2736 res = TEE_ERROR_OUT_OF_MEMORY; 2737 goto out; 2738 } 2739 2740 next->entry.oidlen = tee_hs2b((uint8_t *) 2741 &filename[pathlen], 2742 next->entry.oid, 2743 filelen - pathlen, 2744 sizeof(next->entry.oid)); 2745 if (next->entry.oidlen) { 2746 SIMPLEQ_INSERT_TAIL(&dir->next, 2747 next, link); 2748 current = next; 2749 } else { 2750 free(next); 2751 next = NULL; 2752 } 2753 } 2754 } 2755 } 2756 2757 if (res) 2758 goto out; 2759 2760 if (current) 2761 res = TEE_SUCCESS; 2762 else 2763 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2764 2765 out: 2766 mutex_unlock(&rpmb_mutex); 2767 fat_entry_dir_deinit(); 2768 if (res) 2769 rpmb_fs_dir_free(dir); 2770 2771 return res; 2772 } 2773 2774 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2775 { 2776 uint32_t len; 2777 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2778 TEE_Result res = TEE_ERROR_GENERIC; 2779 struct tee_fs_dir *rpmb_dir = NULL; 2780 2781 if (!uuid || !dir) { 2782 res = TEE_ERROR_BAD_PARAMETERS; 2783 goto out; 2784 } 2785 2786 memset(path_local, 0, sizeof(path_local)); 2787 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2788 uuid) != TEE_SUCCESS) { 2789 res = TEE_ERROR_BAD_PARAMETERS; 2790 goto out; 2791 } 2792 len = strlen(path_local); 2793 2794 /* Add a slash to correctly match the full directory name. */ 2795 if (path_local[len - 1] != '/') 2796 path_local[len] = '/'; 2797 2798 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2799 if (!rpmb_dir) { 2800 res = TEE_ERROR_OUT_OF_MEMORY; 2801 goto out; 2802 } 2803 SIMPLEQ_INIT(&rpmb_dir->next); 2804 2805 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2806 if (res != TEE_SUCCESS) { 2807 free(rpmb_dir); 2808 rpmb_dir = NULL; 2809 goto out; 2810 } 2811 2812 *dir = rpmb_dir; 2813 2814 out: 2815 return res; 2816 } 2817 2818 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2819 struct tee_fs_dirent **ent) 2820 { 2821 if (!dir) 2822 return TEE_ERROR_GENERIC; 2823 2824 free(dir->current); 2825 2826 dir->current = SIMPLEQ_FIRST(&dir->next); 2827 if (!dir->current) 2828 return TEE_ERROR_ITEM_NOT_FOUND; 2829 2830 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2831 2832 *ent = &dir->current->entry; 2833 return TEE_SUCCESS; 2834 } 2835 2836 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2837 { 2838 if (dir) { 2839 rpmb_fs_dir_free(dir); 2840 free(dir); 2841 } 2842 } 2843 2844 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2845 struct tee_file_handle **ret_fh) 2846 { 2847 TEE_Result res; 2848 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2849 2850 if (!fh) 2851 return TEE_ERROR_OUT_OF_MEMORY; 2852 2853 mutex_lock(&rpmb_mutex); 2854 2855 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2856 if (!res && size) 2857 *size = fh->fat_entry.data_size; 2858 2859 mutex_unlock(&rpmb_mutex); 2860 2861 if (res) 2862 free(fh); 2863 else 2864 *ret_fh = (struct tee_file_handle *)fh; 2865 2866 return res; 2867 } 2868 2869 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2870 const void *head, size_t head_size, 2871 const void *attr, size_t attr_size, 2872 const void *data, size_t data_size, 2873 struct tee_file_handle **ret_fh) 2874 { 2875 TEE_Result res; 2876 size_t pos = 0; 2877 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2878 2879 if (!fh) 2880 return TEE_ERROR_OUT_OF_MEMORY; 2881 2882 mutex_lock(&rpmb_mutex); 2883 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2884 if (res) 2885 goto out; 2886 2887 if (head && head_size) { 2888 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2889 if (res) 2890 goto out; 2891 pos += head_size; 2892 } 2893 2894 if (attr && attr_size) { 2895 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2896 if (res) 2897 goto out; 2898 pos += attr_size; 2899 } 2900 2901 if (data && data_size) { 2902 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2903 if (res) 2904 goto out; 2905 } 2906 2907 if (po->temporary) { 2908 /* 2909 * If it's a temporary filename (which it normally is) 2910 * rename into the final filename now that the file is 2911 * fully initialized. 2912 */ 2913 po->temporary = false; 2914 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2915 if (res) { 2916 po->temporary = true; 2917 goto out; 2918 } 2919 /* Update file handle after rename. */ 2920 tee_svc_storage_create_filename(fh->filename, 2921 sizeof(fh->filename), 2922 po, false); 2923 } 2924 2925 out: 2926 if (res) { 2927 rpmb_fs_remove_internal(fh); 2928 free(fh); 2929 } else { 2930 *ret_fh = (struct tee_file_handle *)fh; 2931 } 2932 mutex_unlock(&rpmb_mutex); 2933 2934 return res; 2935 } 2936 2937 const struct tee_file_operations rpmb_fs_ops = { 2938 .open = rpmb_fs_open, 2939 .create = rpmb_fs_create, 2940 .close = rpmb_fs_close, 2941 .read = rpmb_fs_read, 2942 .write = rpmb_fs_write, 2943 .truncate = rpmb_fs_truncate, 2944 .rename = rpmb_fs_rename, 2945 .remove = rpmb_fs_remove, 2946 .opendir = rpmb_fs_opendir, 2947 .closedir = rpmb_fs_closedir, 2948 .readdir = rpmb_fs_readdir, 2949 }; 2950 2951 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2952 struct tee_file_handle **ret_fh) 2953 { 2954 TEE_Result res; 2955 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2956 static const TEE_UUID uuid = { 0 }; 2957 2958 if (!fh) 2959 return TEE_ERROR_OUT_OF_MEMORY; 2960 2961 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2962 2963 mutex_lock(&rpmb_mutex); 2964 2965 res = rpmb_fs_open_internal(fh, &uuid, create); 2966 2967 mutex_unlock(&rpmb_mutex); 2968 2969 if (res) { 2970 if (create) 2971 rpmb_fs_remove_internal(fh); 2972 free(fh); 2973 } else { 2974 *ret_fh = (struct tee_file_handle *)fh; 2975 } 2976 2977 return res; 2978 } 2979 2980 bool __weak plat_rpmb_key_is_ready(void) 2981 { 2982 return true; 2983 } 2984