1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <config.h> 8 #include <crypto/crypto.h> 9 #include <kernel/huk_subkey.h> 10 #include <kernel/misc.h> 11 #include <kernel/msg_param.h> 12 #include <kernel/mutex.h> 13 #include <kernel/panic.h> 14 #include <kernel/tee_common.h> 15 #include <kernel/tee_common_otp.h> 16 #include <kernel/tee_misc.h> 17 #include <kernel/thread.h> 18 #include <kernel/user_access.h> 19 #include <mempool.h> 20 #include <mm/core_memprot.h> 21 #include <mm/mobj.h> 22 #include <mm/tee_mm.h> 23 #include <optee_rpc_cmd.h> 24 #include <stdlib.h> 25 #include <string_ext.h> 26 #include <string.h> 27 #include <sys/queue.h> 28 #include <tee/tee_fs.h> 29 #include <tee/tee_fs_key_manager.h> 30 #include <tee/tee_pobj.h> 31 #include <tee/tee_svc_storage.h> 32 #include <trace.h> 33 #include <util.h> 34 35 #define RPMB_STORAGE_START_ADDRESS 0 36 #define RPMB_FS_FAT_START_ADDRESS 512 37 #define RPMB_BLOCK_SIZE_SHIFT 8 38 #define RPMB_CID_PRV_OFFSET 9 39 #define RPMB_CID_CRC_OFFSET 15 40 41 #define RPMB_FS_MAGIC 0x52504D42 42 #define FS_VERSION 2 43 44 #define FILE_IS_ACTIVE (1u << 0) 45 #define FILE_IS_LAST_ENTRY (1u << 1) 46 47 #define TEE_RPMB_FS_FILENAME_LENGTH 224 48 49 #define TMP_BLOCK_SIZE 4096U 50 51 #define RPMB_MAX_RETRIES 10 52 53 /** 54 * Utilized when caching is enabled, i.e., when CFG_RPMB_FS_CACHE_ENTRIES > 0. 55 * Cache size + the number of entries that are repeatedly read in and buffered 56 * once the cache is full. 57 */ 58 #define RPMB_BUF_MAX_ENTRIES (CFG_RPMB_FS_CACHE_ENTRIES + \ 59 CFG_RPMB_FS_RD_ENTRIES) 60 61 /** 62 * FS parameters: Information often used by internal functions. 63 * fat_start_address will be set by rpmb_fs_setup(). 64 * rpmb_fs_parameters can be read by any other function. 65 */ 66 struct rpmb_fs_parameters { 67 uint32_t fat_start_address; 68 uint32_t max_rpmb_address; 69 }; 70 71 /** 72 * File entry for a single file in a RPMB_FS partition. 73 */ 74 struct rpmb_fat_entry { 75 uint32_t start_address; 76 uint32_t data_size; 77 uint32_t flags; 78 uint32_t unused; 79 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 80 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 81 }; 82 83 /** 84 * Structure that describes buffered/cached FAT FS entries in RPMB storage. 85 * This structure is used in functions traversing the FAT FS. 86 */ 87 struct rpmb_fat_entry_dir { 88 /* 89 * Buffer storing the FAT FS entries read in from RPMB storage. It 90 * includes the optional cache entries (CFG_RPMB_FS_CACHE_ENTRIES) 91 * and entries temporary read for current FAT FS traversal 92 * (CFG_RPMB_FS_RD_ENTRIES) when not found from cached entries. 93 */ 94 struct rpmb_fat_entry *rpmb_fat_entry_buf; 95 /* Current index of FAT FS entry to read from buffer. */ 96 uint32_t idx_curr; 97 /* Total number of FAT FS entries in buffer. */ 98 uint32_t num_buffered; 99 /* Total number of FAT FS entries read during traversal. */ 100 uint32_t num_total_read; 101 /* Indicates that last FAT FS entry was read. */ 102 bool last_reached; 103 }; 104 105 /** 106 * FAT entry context with reference to a FAT entry and its 107 * location in RPMB. 108 */ 109 struct rpmb_file_handle { 110 struct rpmb_fat_entry fat_entry; 111 const TEE_UUID *uuid; 112 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 113 /* Address for current entry in RPMB */ 114 uint32_t rpmb_fat_address; 115 }; 116 117 /** 118 * RPMB_FS partition data 119 */ 120 struct rpmb_fs_partition { 121 uint32_t rpmb_fs_magic; 122 uint32_t fs_version; 123 uint32_t write_counter; 124 uint32_t fat_start_address; 125 /* Do not use reserved[] for other purpose than partition data. */ 126 uint8_t reserved[112]; 127 }; 128 129 /** 130 * A node in a list of directory entries. 131 */ 132 struct tee_rpmb_fs_dirent { 133 struct tee_fs_dirent entry; 134 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 135 }; 136 137 /** 138 * The RPMB directory representation. It contains a queue of 139 * RPMB directory entries: 'next'. 140 * The current pointer points to the last directory entry 141 * returned by readdir(). 142 */ 143 struct tee_fs_dir { 144 struct tee_rpmb_fs_dirent *current; 145 /* */ 146 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 147 }; 148 149 static struct rpmb_fs_parameters *fs_par; 150 static struct rpmb_fat_entry_dir *fat_entry_dir; 151 152 /* 153 * Lower interface to RPMB device 154 */ 155 156 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 157 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 158 159 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 160 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 161 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 162 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 163 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 164 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 165 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 166 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 167 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 168 169 #define RPMB_STUFF_DATA_SIZE 196 170 #define RPMB_KEY_MAC_SIZE 32 171 #define RPMB_DATA_SIZE 256 172 #define RPMB_NONCE_SIZE 16 173 #define RPMB_DATA_FRAME_SIZE 512 174 175 #define RPMB_RESULT_OK 0x00 176 #define RPMB_RESULT_GENERAL_FAILURE 0x01 177 #define RPMB_RESULT_AUTH_FAILURE 0x02 178 #define RPMB_RESULT_COUNTER_FAILURE 0x03 179 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 180 #define RPMB_RESULT_WRITE_FAILURE 0x05 181 #define RPMB_RESULT_READ_FAILURE 0x06 182 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 183 #define RPMB_RESULT_MASK 0x3F 184 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 185 186 /* RPMB internal commands */ 187 #define RPMB_CMD_DATA_REQ 0x00 188 #define RPMB_CMD_GET_DEV_INFO 0x01 189 190 #define RPMB_SIZE_SINGLE (128 * 1024) 191 192 /* Error codes for get_dev_info request/response. */ 193 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 194 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 195 196 struct rpmb_data_frame { 197 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 198 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 199 uint8_t data[RPMB_DATA_SIZE]; 200 uint8_t nonce[RPMB_NONCE_SIZE]; 201 uint8_t write_counter[4]; 202 uint8_t address[2]; 203 uint8_t block_count[2]; 204 uint8_t op_result[2]; 205 uint8_t msg_type[2]; 206 }; 207 208 struct rpmb_req { 209 uint16_t cmd; 210 uint16_t dev_id; 211 uint16_t block_count; 212 /* variable length of data */ 213 /* uint8_t data[]; REMOVED! */ 214 }; 215 216 #define TEE_RPMB_REQ_DATA(req) \ 217 ((void *)((struct rpmb_req *)(req) + 1)) 218 219 struct rpmb_raw_data { 220 uint16_t msg_type; 221 uint16_t *op_result; 222 uint16_t *block_count; 223 uint16_t *blk_idx; 224 uint32_t *write_counter; 225 uint8_t *nonce; 226 uint8_t *key_mac; 227 uint8_t *data; 228 /* data length to read or write */ 229 uint32_t len; 230 /* Byte address offset in the first block involved */ 231 uint8_t byte_offset; 232 }; 233 234 #define RPMB_EMMC_CID_SIZE 16 235 struct rpmb_dev_info { 236 uint8_t cid[RPMB_EMMC_CID_SIZE]; 237 /* EXT CSD-slice 168 "RPMB Size" */ 238 uint8_t rpmb_size_mult; 239 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 240 uint8_t rel_wr_sec_c; 241 /* Check the ret code and accept the data only if it is OK. */ 242 uint8_t ret_code; 243 }; 244 245 /* 246 * Struct for rpmb context data. 247 * 248 * @key RPMB key. 249 * @cid eMMC card ID. 250 * @wr_cnt Current write counter. 251 * @max_blk_idx The highest block index supported by current device. 252 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 253 * @dev_id Device ID of the eMMC device. 254 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 255 * @key_derived Flag indicating if key has been generated. 256 * @key_verified Flag indicating the key generated is verified ok. 257 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 258 * @legacy_operation Flag indicating if the legacy interface is used. 259 * @reinit Flag indicating if the device needs to be found again 260 * @shm_type Indicates type of shared memory to allocate 261 */ 262 struct tee_rpmb_ctx { 263 uint8_t key[RPMB_KEY_MAC_SIZE]; 264 uint8_t cid[RPMB_EMMC_CID_SIZE]; 265 uint32_t wr_cnt; 266 uint16_t max_blk_idx; 267 uint16_t rel_wr_blkcnt; 268 uint16_t dev_id; 269 bool wr_cnt_synced; 270 bool key_derived; 271 bool key_verified; 272 bool dev_info_synced; 273 bool legacy_operation; 274 bool reinit; 275 enum thread_shm_type shm_type; 276 }; 277 278 static struct tee_rpmb_ctx *rpmb_ctx; 279 280 /* If set to true, don't try to access RPMB until rebooted */ 281 static bool rpmb_dead; 282 283 /* 284 * Mutex to serialize the operations exported by this file. 285 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 286 * different IDs. 287 */ 288 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 289 290 #ifdef CFG_RPMB_TESTKEY 291 292 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 293 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 294 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 295 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 296 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 297 }; 298 299 static TEE_Result tee_rpmb_key_gen(uint8_t *key, uint32_t len) 300 { 301 TEE_Result res = TEE_SUCCESS; 302 303 if (!key || RPMB_KEY_MAC_SIZE != len) { 304 res = TEE_ERROR_BAD_PARAMETERS; 305 goto out; 306 } 307 308 DMSG("RPMB: Using test key"); 309 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 310 311 out: 312 return res; 313 } 314 315 #else /* !CFG_RPMB_TESTKEY */ 316 317 static TEE_Result tee_rpmb_key_gen(uint8_t *key, uint32_t len) 318 { 319 uint8_t message[RPMB_EMMC_CID_SIZE]; 320 321 if (!key || RPMB_KEY_MAC_SIZE != len) 322 return TEE_ERROR_BAD_PARAMETERS; 323 324 IMSG("RPMB: Using generated key"); 325 326 /* 327 * PRV/CRC would be changed when doing eMMC FFU 328 * The following fields should be masked off when deriving RPMB key 329 * 330 * CID [55: 48]: PRV (Product revision) 331 * CID [07: 01]: CRC (CRC7 checksum) 332 * CID [00]: not used 333 */ 334 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 335 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 336 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 337 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 338 key, len); 339 } 340 341 #endif /* !CFG_RPMB_TESTKEY */ 342 343 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 344 { 345 *bytes = (uint8_t) (u32 >> 24); 346 *(bytes + 1) = (uint8_t) (u32 >> 16); 347 *(bytes + 2) = (uint8_t) (u32 >> 8); 348 *(bytes + 3) = (uint8_t) u32; 349 } 350 351 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 352 { 353 *u32 = (uint32_t) ((*(bytes) << 24) + 354 (*(bytes + 1) << 16) + 355 (*(bytes + 2) << 8) + (*(bytes + 3))); 356 } 357 358 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 359 { 360 *bytes = (uint8_t) (u16 >> 8); 361 *(bytes + 1) = (uint8_t) u16; 362 } 363 364 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 365 { 366 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 367 } 368 369 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 370 { 371 *res = *(bytes + 1) & RPMB_RESULT_MASK; 372 } 373 374 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 375 uint8_t *key, uint32_t keysize, 376 struct rpmb_data_frame *datafrms, 377 uint16_t blkcnt) 378 { 379 TEE_Result res = TEE_ERROR_GENERIC; 380 int i; 381 void *ctx = NULL; 382 383 if (!mac || !key || !datafrms) 384 return TEE_ERROR_BAD_PARAMETERS; 385 386 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 387 if (res) 388 return res; 389 390 res = crypto_mac_init(ctx, key, keysize); 391 if (res != TEE_SUCCESS) 392 goto func_exit; 393 394 for (i = 0; i < blkcnt; i++) { 395 res = crypto_mac_update(ctx, datafrms[i].data, 396 RPMB_MAC_PROTECT_DATA_SIZE); 397 if (res != TEE_SUCCESS) 398 goto func_exit; 399 } 400 401 res = crypto_mac_final(ctx, mac, macsize); 402 if (res != TEE_SUCCESS) 403 goto func_exit; 404 405 res = TEE_SUCCESS; 406 407 func_exit: 408 crypto_mac_free_ctx(ctx); 409 return res; 410 } 411 412 struct tee_rpmb_mem { 413 struct mobj *mobj; 414 size_t req_size; 415 size_t resp_offs; 416 size_t resp_size; 417 struct rpmb_req *req_hdr; 418 struct rpmb_data_frame *req_data; 419 struct rpmb_data_frame *resp_data; 420 }; 421 422 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 423 struct tee_rpmb_mem *mem) 424 { 425 size_t req_s = 0; 426 size_t resp_s = 0; 427 struct mobj *mobj = NULL; 428 void *va = NULL; 429 430 if (!mem) 431 return TEE_ERROR_BAD_PARAMETERS; 432 433 if (rpmb_ctx->legacy_operation) 434 req_size += sizeof(struct rpmb_req); 435 req_s = ROUNDUP(req_size, SMALL_PAGE_SIZE); 436 resp_s = ROUNDUP(resp_size, SMALL_PAGE_SIZE); 437 va = thread_rpc_shm_cache_alloc(THREAD_SHM_CACHE_USER_RPMB, 438 rpmb_ctx->shm_type, req_s + resp_s, 439 &mobj); 440 if (!va) 441 return TEE_ERROR_OUT_OF_MEMORY; 442 443 *mem = (struct tee_rpmb_mem){ 444 .mobj = mobj, 445 .req_size = req_size, 446 .resp_offs = req_s, 447 .resp_size = resp_size, 448 }; 449 450 if (rpmb_ctx->legacy_operation) { 451 mem->req_hdr = mobj_get_va(mem->mobj, 0, req_s); 452 if (!mem->req_hdr) 453 return TEE_ERROR_GENERIC; 454 mem->req_data = (void *)(mem->req_hdr + 1); 455 } else { 456 mem->req_data = mobj_get_va(mem->mobj, 0, req_s); 457 if (!mem->req_data) 458 return TEE_ERROR_GENERIC; 459 } 460 mem->resp_data = mobj_get_va(mem->mobj, req_s, resp_s); 461 if (!mem->resp_data) 462 return TEE_ERROR_GENERIC; 463 464 return TEE_SUCCESS; 465 } 466 467 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 468 { 469 struct thread_param params[2] = { 470 [0] = THREAD_PARAM_MEMREF(IN, mem->mobj, 0, mem->req_size), 471 [1] = THREAD_PARAM_MEMREF(OUT, mem->mobj, mem->resp_offs, 472 mem->resp_size), 473 }; 474 uint32_t cmd = OPTEE_RPC_CMD_RPMB_FRAMES; 475 476 if (rpmb_ctx->legacy_operation) 477 cmd = OPTEE_RPC_CMD_RPMB; 478 479 return thread_rpc_cmd(cmd, 2, params); 480 } 481 482 static TEE_Result rpmb_probe_reset(void) 483 { 484 struct thread_param params[1] = { 485 [0] = THREAD_PARAM_VALUE(OUT, 0, 0, 0), 486 }; 487 TEE_Result res = TEE_SUCCESS; 488 489 res = thread_rpc_cmd(OPTEE_RPC_CMD_RPMB_PROBE_RESET, 1, params); 490 if (res) 491 return res; 492 493 rpmb_ctx->legacy_operation = false; 494 rpmb_ctx->dev_id = 0; 495 496 switch (params[0].u.value.a) { 497 case OPTEE_RPC_SHM_TYPE_APPL: 498 rpmb_ctx->shm_type = THREAD_SHM_TYPE_APPLICATION; 499 return TEE_SUCCESS; 500 case OPTEE_RPC_SHM_TYPE_KERNEL: 501 rpmb_ctx->shm_type = THREAD_SHM_TYPE_KERNEL_PRIVATE; 502 return TEE_SUCCESS; 503 default: 504 return TEE_ERROR_GENERIC; 505 } 506 } 507 508 static TEE_Result rpmb_probe_next(struct rpmb_dev_info *dev_info) 509 { 510 struct thread_param params[2] = { }; 511 TEE_Result res = TEE_SUCCESS; 512 struct mobj *mobj = NULL; 513 void *va = NULL; 514 515 va = thread_rpc_shm_cache_alloc(THREAD_SHM_CACHE_USER_RPMB, 516 THREAD_SHM_TYPE_KERNEL_PRIVATE, 517 sizeof(dev_info->cid), &mobj); 518 if (!va) 519 return TEE_ERROR_OUT_OF_MEMORY; 520 521 do { 522 params[0] = THREAD_PARAM_VALUE(OUT, 0, 0, 0); 523 params[1] = THREAD_PARAM_MEMREF(OUT, mobj, 0, 524 sizeof(dev_info->cid)); 525 res = thread_rpc_cmd(OPTEE_RPC_CMD_RPMB_PROBE_NEXT, 2, params); 526 /* 527 * If the ID buffer is too small, perhaps it's a new kind 528 * of RPMB device that we don't know how to communicate 529 * with, let's ignore it for now. 530 */ 531 } while (res == TEE_ERROR_SHORT_BUFFER); 532 if (res) 533 return res; 534 535 if (params[0].u.value.a != OPTEE_RPC_RPMB_EMMC) 536 return TEE_ERROR_NOT_SUPPORTED; 537 538 *dev_info = (struct rpmb_dev_info){ 539 .rpmb_size_mult = params[0].u.value.b, 540 .rel_wr_sec_c = params[0].u.value.c, 541 .ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK, 542 }; 543 memcpy(dev_info->cid, va, sizeof(dev_info->cid)); 544 545 return TEE_SUCCESS; 546 } 547 548 static bool is_zero(const uint8_t *buf, size_t size) 549 { 550 size_t i; 551 552 for (i = 0; i < size; i++) 553 if (buf[i]) 554 return false; 555 return true; 556 } 557 558 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 559 uint16_t blk_idx, const uint8_t *fek, 560 const TEE_UUID *uuid) 561 { 562 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 563 blk_idx, fek, TEE_MODE_ENCRYPT); 564 } 565 566 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 567 uint16_t blk_idx, const uint8_t *fek, 568 const TEE_UUID *uuid) 569 { 570 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 571 blk_idx, fek, TEE_MODE_DECRYPT); 572 } 573 574 /* Decrypt/copy at most one block of data */ 575 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 576 size_t size, size_t offset, 577 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 578 const TEE_UUID *uuid) 579 { 580 uint8_t *tmp __maybe_unused; 581 TEE_Result res = TEE_SUCCESS; 582 583 584 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 585 panic("invalid size or offset"); 586 587 if (!fek) { 588 /* Block is not encrypted (not a file data block) */ 589 memcpy(out, frm->data + offset, size); 590 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 591 /* The file was created with encryption disabled */ 592 return TEE_ERROR_SECURITY; 593 } else { 594 /* Block is encrypted */ 595 if (size < RPMB_DATA_SIZE) { 596 /* 597 * Since output buffer is not large enough to hold one 598 * block we must allocate a temporary buffer. 599 */ 600 tmp = malloc(RPMB_DATA_SIZE); 601 if (!tmp) 602 return TEE_ERROR_OUT_OF_MEMORY; 603 res = decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 604 if (res == TEE_SUCCESS) 605 memcpy(out, tmp + offset, size); 606 free(tmp); 607 } else { 608 res = decrypt_block(out, frm->data, blk_idx, fek, uuid); 609 } 610 } 611 612 return res; 613 } 614 615 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req_hdr, 616 struct rpmb_data_frame *req_data, 617 struct rpmb_raw_data *rawdata, 618 uint16_t nbr_frms, 619 const uint8_t *fek, const TEE_UUID *uuid) 620 { 621 TEE_Result res = TEE_ERROR_GENERIC; 622 int i; 623 struct rpmb_data_frame *datafrm; 624 625 if (!req_data || !rawdata || !nbr_frms) 626 return TEE_ERROR_BAD_PARAMETERS; 627 628 /* 629 * Check write blockcount is not bigger than reliable write 630 * blockcount. 631 */ 632 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 633 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 634 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 635 rpmb_ctx->rel_wr_blkcnt); 636 return TEE_ERROR_GENERIC; 637 } 638 639 if (req_hdr) { 640 req_hdr->cmd = RPMB_CMD_DATA_REQ; 641 req_hdr->dev_id = rpmb_ctx->dev_id; 642 } 643 644 /* Allocate memory for construct all data packets and calculate MAC. */ 645 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 646 if (!datafrm) 647 return TEE_ERROR_OUT_OF_MEMORY; 648 649 for (i = 0; i < nbr_frms; i++) { 650 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 651 652 if (rawdata->block_count) 653 u16_to_bytes(*rawdata->block_count, 654 datafrm[i].block_count); 655 656 if (rawdata->blk_idx) { 657 /* Check the block index is within range. */ 658 if ((*rawdata->blk_idx + nbr_frms - 1) > 659 rpmb_ctx->max_blk_idx) { 660 res = TEE_ERROR_GENERIC; 661 goto func_exit; 662 } 663 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 664 } 665 666 if (rawdata->write_counter) 667 u32_to_bytes(*rawdata->write_counter, 668 datafrm[i].write_counter); 669 670 if (rawdata->nonce) 671 memcpy(datafrm[i].nonce, rawdata->nonce, 672 RPMB_NONCE_SIZE); 673 674 if (rawdata->data) { 675 if (fek) { 676 res = encrypt_block(datafrm[i].data, 677 rawdata->data + 678 (i * RPMB_DATA_SIZE), 679 *rawdata->blk_idx + i, 680 fek, uuid); 681 if (res != TEE_SUCCESS) 682 goto func_exit; 683 } else { 684 memcpy(datafrm[i].data, 685 rawdata->data + (i * RPMB_DATA_SIZE), 686 RPMB_DATA_SIZE); 687 } 688 } 689 } 690 691 if (rawdata->key_mac) { 692 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 693 res = 694 tee_rpmb_mac_calc(rawdata->key_mac, 695 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 696 RPMB_KEY_MAC_SIZE, datafrm, 697 nbr_frms); 698 if (res != TEE_SUCCESS) 699 goto func_exit; 700 } 701 memcpy(datafrm[nbr_frms - 1].key_mac, 702 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 703 } 704 705 memcpy(req_data, datafrm, nbr_frms * RPMB_DATA_FRAME_SIZE); 706 707 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 708 for (i = 0; i < nbr_frms; i++) { 709 DMSG("Dumping data frame %d:", i); 710 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 711 512 - RPMB_STUFF_DATA_SIZE); 712 } 713 } 714 715 res = TEE_SUCCESS; 716 func_exit: 717 free(datafrm); 718 return res; 719 } 720 721 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 722 struct rpmb_data_frame *frm, 723 const uint8_t *fek, const TEE_UUID *uuid) 724 { 725 TEE_Result res; 726 uint8_t *data; 727 uint16_t idx; 728 729 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 730 return TEE_ERROR_BAD_PARAMETERS; 731 732 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 733 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 734 if (res != TEE_SUCCESS) 735 return res; 736 737 data = rawdata->data; 738 bytes_to_u16(frm->address, &idx); 739 740 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 741 uuid); 742 return res; 743 } 744 745 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 746 struct rpmb_raw_data *rawdata, 747 uint16_t nbr_frms, 748 struct rpmb_data_frame *lastfrm, 749 const uint8_t *fek, 750 const TEE_UUID *uuid) 751 { 752 TEE_Result res = TEE_ERROR_GENERIC; 753 int i; 754 void *ctx = NULL; 755 uint16_t offset; 756 uint32_t size; 757 uint8_t *data; 758 uint16_t start_idx; 759 struct rpmb_data_frame localfrm; 760 761 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 762 return TEE_ERROR_BAD_PARAMETERS; 763 764 if (nbr_frms == 1) 765 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 766 767 /* nbr_frms > 1 */ 768 769 data = rawdata->data; 770 771 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 772 if (res) 773 goto func_exit; 774 775 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 776 if (res != TEE_SUCCESS) 777 goto func_exit; 778 779 /* 780 * Note: JEDEC JESD84-B51: "In every packet the address is the start 781 * address of the full access (not address of the individual half a 782 * sector)" 783 */ 784 bytes_to_u16(lastfrm->address, &start_idx); 785 786 for (i = 0; i < (nbr_frms - 1); i++) { 787 788 /* 789 * By working on a local copy of the RPMB frame, we ensure that 790 * the data can not be modified after the MAC is computed but 791 * before the payload is decrypted/copied to the output buffer. 792 */ 793 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 794 795 res = crypto_mac_update(ctx, localfrm.data, 796 RPMB_MAC_PROTECT_DATA_SIZE); 797 if (res != TEE_SUCCESS) 798 goto func_exit; 799 800 if (i == 0) { 801 /* First block */ 802 offset = rawdata->byte_offset; 803 size = RPMB_DATA_SIZE - offset; 804 } else { 805 /* Middle blocks */ 806 size = RPMB_DATA_SIZE; 807 offset = 0; 808 } 809 810 res = decrypt(data, &localfrm, size, offset, start_idx + i, 811 fek, uuid); 812 if (res != TEE_SUCCESS) 813 goto func_exit; 814 815 data += size; 816 } 817 818 /* Last block */ 819 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 820 if (size == 0) 821 size = RPMB_DATA_SIZE; 822 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 823 uuid); 824 if (res != TEE_SUCCESS) 825 goto func_exit; 826 827 /* Update MAC against the last block */ 828 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 829 if (res != TEE_SUCCESS) 830 goto func_exit; 831 832 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 833 if (res != TEE_SUCCESS) 834 goto func_exit; 835 836 res = TEE_SUCCESS; 837 838 func_exit: 839 crypto_mac_free_ctx(ctx); 840 return res; 841 } 842 843 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 844 struct rpmb_raw_data *rawdata, 845 uint16_t nbr_frms, 846 const uint8_t *fek, 847 const TEE_UUID *uuid) 848 { 849 TEE_Result res = TEE_ERROR_GENERIC; 850 uint16_t msg_type; 851 uint32_t wr_cnt; 852 uint16_t blk_idx; 853 uint8_t op_result; 854 struct rpmb_data_frame lastfrm; 855 856 if (!datafrm || !rawdata || !nbr_frms) 857 return TEE_ERROR_BAD_PARAMETERS; 858 859 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 860 size_t i = 0; 861 862 for (i = 0; i < nbr_frms; i++) { 863 DMSG("Dumping data frame %zu:", i); 864 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 865 512 - RPMB_STUFF_DATA_SIZE); 866 } 867 } 868 869 /* Make sure the last data packet can't be modified once verified */ 870 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 871 872 /* Handle operation result and translate to TEEC error code. */ 873 get_op_result_bits(lastfrm.op_result, &op_result); 874 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 875 return TEE_ERROR_ITEM_NOT_FOUND; 876 if (op_result != RPMB_RESULT_OK) 877 return TEE_ERROR_GENERIC; 878 879 /* Check the response msg_type. */ 880 bytes_to_u16(lastfrm.msg_type, &msg_type); 881 if (msg_type != rawdata->msg_type) { 882 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 883 rawdata->msg_type); 884 return TEE_ERROR_GENERIC; 885 } 886 887 if (rawdata->blk_idx) { 888 bytes_to_u16(lastfrm.address, &blk_idx); 889 if (blk_idx != *rawdata->blk_idx) { 890 DMSG("Unexpected block index"); 891 return TEE_ERROR_GENERIC; 892 } 893 } 894 895 if (rawdata->write_counter) { 896 wr_cnt = *rawdata->write_counter; 897 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 898 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 899 /* Verify the write counter is incremented by 1 */ 900 if (*rawdata->write_counter != wr_cnt + 1) { 901 DMSG("Counter mismatched (0x%04x/0x%04x)", 902 *rawdata->write_counter, wr_cnt + 1); 903 return TEE_ERROR_SECURITY; 904 } 905 rpmb_ctx->wr_cnt++; 906 } 907 } 908 909 if (rawdata->nonce) { 910 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 911 RPMB_NONCE_SIZE) != 0) { 912 DMSG("Nonce mismatched"); 913 return TEE_ERROR_SECURITY; 914 } 915 } 916 917 if (rawdata->key_mac) { 918 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 919 if (!rawdata->data) 920 return TEE_ERROR_GENERIC; 921 922 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 923 nbr_frms, &lastfrm, 924 fek, uuid); 925 926 if (res != TEE_SUCCESS) 927 return res; 928 } else { 929 /* 930 * There should be only one data frame for 931 * other msg types. 932 */ 933 if (nbr_frms != 1) 934 return TEE_ERROR_GENERIC; 935 936 res = tee_rpmb_mac_calc(rawdata->key_mac, 937 RPMB_KEY_MAC_SIZE, 938 rpmb_ctx->key, 939 RPMB_KEY_MAC_SIZE, 940 &lastfrm, 1); 941 942 if (res != TEE_SUCCESS) 943 return res; 944 } 945 946 if (consttime_memcmp(rawdata->key_mac, 947 (datafrm + nbr_frms - 1)->key_mac, 948 RPMB_KEY_MAC_SIZE) != 0) { 949 DMSG("MAC mismatched:"); 950 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) 951 DHEXDUMP(rawdata->key_mac, RPMB_KEY_MAC_SIZE); 952 953 return TEE_ERROR_SECURITY; 954 } 955 } 956 957 return TEE_SUCCESS; 958 } 959 960 static TEE_Result tee_rpmb_get_dev_info(struct rpmb_dev_info *dev_info) 961 { 962 TEE_Result res = TEE_ERROR_GENERIC; 963 struct tee_rpmb_mem mem; 964 struct rpmb_dev_info *di; 965 966 if (!dev_info || !rpmb_ctx->legacy_operation) 967 return TEE_ERROR_BAD_PARAMETERS; 968 969 res = tee_rpmb_alloc(0, sizeof(struct rpmb_dev_info), &mem); 970 if (res != TEE_SUCCESS) 971 return res; 972 973 mem.req_hdr->cmd = RPMB_CMD_GET_DEV_INFO; 974 mem.req_hdr->dev_id = rpmb_ctx->dev_id; 975 976 di = (struct rpmb_dev_info *)mem.resp_data; 977 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 978 979 res = tee_rpmb_invoke(&mem); 980 if (res != TEE_SUCCESS) 981 return res; 982 983 *dev_info = *di; 984 if (dev_info->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) 985 return TEE_ERROR_GENERIC; 986 987 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 988 DMSG("Dumping dev_info:"); 989 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 990 } 991 992 return TEE_SUCCESS; 993 } 994 995 static TEE_Result tee_rpmb_init_read_wr_cnt(uint32_t *wr_cnt) 996 { 997 TEE_Result res = TEE_ERROR_GENERIC; 998 struct tee_rpmb_mem mem; 999 uint16_t msg_type; 1000 uint8_t nonce[RPMB_NONCE_SIZE]; 1001 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1002 struct rpmb_raw_data rawdata; 1003 uint16_t op_result = 0; 1004 1005 if (!wr_cnt) 1006 return TEE_ERROR_BAD_PARAMETERS; 1007 1008 res = tee_rpmb_alloc(RPMB_DATA_FRAME_SIZE, RPMB_DATA_FRAME_SIZE, &mem); 1009 if (res != TEE_SUCCESS) 1010 return res; 1011 1012 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1013 if (res != TEE_SUCCESS) 1014 return res; 1015 1016 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 1017 1018 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1019 rawdata.msg_type = msg_type; 1020 rawdata.nonce = nonce; 1021 1022 res = tee_rpmb_req_pack(mem.req_hdr, mem.req_data, &rawdata, 1, NULL, 1023 NULL); 1024 if (res != TEE_SUCCESS) 1025 return res; 1026 1027 res = tee_rpmb_invoke(&mem); 1028 if (res != TEE_SUCCESS) 1029 return res; 1030 1031 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 1032 1033 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1034 rawdata.msg_type = msg_type; 1035 rawdata.op_result = &op_result; 1036 rawdata.write_counter = wr_cnt; 1037 rawdata.nonce = nonce; 1038 rawdata.key_mac = hmac; 1039 1040 return tee_rpmb_resp_unpack_verify(mem.resp_data, &rawdata, 1, NULL, 1041 NULL); 1042 } 1043 1044 #ifdef CFG_RPMB_WRITE_KEY 1045 static TEE_Result tee_rpmb_write_key(void) 1046 { 1047 TEE_Result res = TEE_ERROR_GENERIC; 1048 struct tee_rpmb_mem mem = { 0 }; 1049 uint16_t msg_type; 1050 struct rpmb_raw_data rawdata; 1051 1052 res = tee_rpmb_alloc(RPMB_DATA_FRAME_SIZE, RPMB_DATA_FRAME_SIZE, &mem); 1053 if (res != TEE_SUCCESS) 1054 return res; 1055 1056 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 1057 1058 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1059 rawdata.msg_type = msg_type; 1060 rawdata.key_mac = rpmb_ctx->key; 1061 1062 res = tee_rpmb_req_pack(mem.req_hdr, mem.req_data, &rawdata, 1, NULL, 1063 NULL); 1064 if (res != TEE_SUCCESS) 1065 return res; 1066 1067 res = tee_rpmb_invoke(&mem); 1068 if (res != TEE_SUCCESS) 1069 return res; 1070 1071 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1072 1073 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1074 rawdata.msg_type = msg_type; 1075 1076 return tee_rpmb_resp_unpack_verify(mem.resp_data, &rawdata, 1, NULL, 1077 NULL); 1078 } 1079 1080 static TEE_Result tee_rpmb_write_and_verify_key(void) 1081 { 1082 TEE_Result res; 1083 1084 if (!plat_rpmb_key_is_ready()) { 1085 DMSG("RPMB INIT: platform indicates RPMB key is not ready"); 1086 return TEE_ERROR_BAD_STATE; 1087 } 1088 1089 DMSG("RPMB INIT: Writing Key value:"); 1090 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1091 1092 res = tee_rpmb_write_key(); 1093 if (res == TEE_SUCCESS) { 1094 DMSG("RPMB INIT: Verifying Key"); 1095 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt); 1096 } 1097 return res; 1098 } 1099 #else 1100 static TEE_Result tee_rpmb_write_and_verify_key(void) 1101 { 1102 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1103 return TEE_ERROR_STORAGE_NOT_AVAILABLE; 1104 } 1105 #endif 1106 1107 static TEE_Result rpmb_set_dev_info(const struct rpmb_dev_info *dev_info) 1108 { 1109 uint32_t nblocks = 0; 1110 1111 DMSG("RPMB: Syncing device information"); 1112 1113 DMSG("RPMB: RPMB size is %"PRIu8"*128 KB", dev_info->rpmb_size_mult); 1114 DMSG("RPMB: Reliable Write Sector Count is %"PRIu8, 1115 dev_info->rel_wr_sec_c); 1116 DMSG("RPMB: CID"); 1117 DHEXDUMP(dev_info->cid, sizeof(dev_info->cid)); 1118 1119 if (!dev_info->rpmb_size_mult) 1120 return TEE_ERROR_GENERIC; 1121 1122 if (MUL_OVERFLOW(dev_info->rpmb_size_mult, 1123 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1124 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) 1125 return TEE_ERROR_BAD_PARAMETERS; 1126 1127 memcpy(rpmb_ctx->cid, dev_info->cid, RPMB_EMMC_CID_SIZE); 1128 1129 if (IS_ENABLED(RPMB_DRIVER_MULTIPLE_WRITE_FIXED)) 1130 rpmb_ctx->rel_wr_blkcnt = dev_info->rel_wr_sec_c * 2; 1131 else 1132 rpmb_ctx->rel_wr_blkcnt = 1; 1133 1134 return TEE_SUCCESS; 1135 } 1136 1137 static TEE_Result legacy_rpmb_init(void) 1138 { 1139 TEE_Result res = TEE_SUCCESS; 1140 struct rpmb_dev_info dev_info = { }; 1141 1142 DMSG("Trying legacy RPMB init"); 1143 rpmb_ctx->legacy_operation = true; 1144 rpmb_ctx->dev_id = CFG_RPMB_FS_DEV_ID; 1145 rpmb_ctx->shm_type = THREAD_SHM_TYPE_APPLICATION; 1146 1147 if (!rpmb_ctx->dev_info_synced) { 1148 dev_info.rpmb_size_mult = 0; 1149 dev_info.rel_wr_sec_c = 0; 1150 res = tee_rpmb_get_dev_info(&dev_info); 1151 if (res != TEE_SUCCESS) 1152 return res; 1153 1154 res = rpmb_set_dev_info(&dev_info); 1155 if (res) 1156 return res; 1157 1158 rpmb_ctx->dev_info_synced = true; 1159 } 1160 1161 if (!rpmb_ctx->key_derived) { 1162 DMSG("RPMB INIT: Deriving key"); 1163 1164 res = tee_rpmb_key_gen(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1165 if (res != TEE_SUCCESS) { 1166 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1167 res); 1168 return res; 1169 } 1170 1171 rpmb_ctx->key_derived = true; 1172 } 1173 1174 /* Perform a write counter read to verify if the key is ok. */ 1175 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1176 DMSG("RPMB INIT: Verifying Key"); 1177 1178 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt); 1179 if (res == TEE_SUCCESS) { 1180 DMSG("Found working RPMB device"); 1181 rpmb_ctx->key_verified = true; 1182 rpmb_ctx->wr_cnt_synced = true; 1183 } else if (res == TEE_ERROR_ITEM_NOT_FOUND && 1184 !rpmb_ctx->key_verified) { 1185 /* 1186 * Need to write the key here and verify it. 1187 */ 1188 DMSG("RPMB INIT: Auth key not yet written"); 1189 res = tee_rpmb_write_and_verify_key(); 1190 } else { 1191 EMSG("Verify key failed! %#"PRIx32, res); 1192 EMSG("Make sure key here matches device key"); 1193 } 1194 } 1195 1196 return res; 1197 } 1198 1199 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1200 static TEE_Result tee_rpmb_init(void) 1201 { 1202 TEE_Result res = TEE_SUCCESS; 1203 struct rpmb_dev_info dev_info = { }; 1204 1205 if (rpmb_dead) 1206 return TEE_ERROR_COMMUNICATION; 1207 1208 if (!rpmb_ctx) { 1209 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1210 if (!rpmb_ctx) 1211 return TEE_ERROR_OUT_OF_MEMORY; 1212 } 1213 1214 if (rpmb_ctx->reinit) { 1215 if (!rpmb_ctx->key_verified) { 1216 rpmb_ctx->wr_cnt_synced = false; 1217 rpmb_ctx->key_derived = false; 1218 rpmb_ctx->dev_info_synced = false; 1219 rpmb_ctx->reinit = false; 1220 goto next; 1221 } 1222 res = rpmb_probe_reset(); 1223 if (res) { 1224 if (res != TEE_ERROR_NOT_SUPPORTED) 1225 return res; 1226 return legacy_rpmb_init(); 1227 } 1228 while (true) { 1229 res = rpmb_probe_next(&dev_info); 1230 if (res) { 1231 DMSG("rpmb_probe_next error %#"PRIx32, res); 1232 return res; 1233 } 1234 if (!memcmp(rpmb_ctx->cid, dev_info.cid, 1235 RPMB_EMMC_CID_SIZE)) { 1236 rpmb_ctx->reinit = false; 1237 return TEE_SUCCESS; 1238 } 1239 } 1240 } 1241 1242 if (rpmb_ctx->key_verified) 1243 return TEE_SUCCESS; 1244 1245 next: 1246 if (IS_ENABLED(CFG_RPMB_WRITE_KEY)) 1247 return legacy_rpmb_init(); 1248 1249 res = rpmb_probe_reset(); 1250 if (res) { 1251 if (res != TEE_ERROR_NOT_SUPPORTED) 1252 return res; 1253 return legacy_rpmb_init(); 1254 } 1255 1256 while (true) { 1257 res = rpmb_probe_next(&dev_info); 1258 if (res) { 1259 DMSG("rpmb_probe_next error %#"PRIx32, res); 1260 return res; 1261 } 1262 res = rpmb_set_dev_info(&dev_info); 1263 if (res) { 1264 DMSG("Invalid device info, looking for another device"); 1265 continue; 1266 } 1267 1268 res = tee_rpmb_key_gen(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1269 if (res) 1270 return res; 1271 1272 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt); 1273 if (res) 1274 continue; 1275 break; 1276 } 1277 1278 DMSG("Found working RPMB device"); 1279 rpmb_ctx->key_verified = true; 1280 rpmb_ctx->wr_cnt_synced = true; 1281 1282 return TEE_SUCCESS; 1283 } 1284 1285 TEE_Result tee_rpmb_reinit(void) 1286 { 1287 if (rpmb_ctx) 1288 rpmb_ctx->reinit = true; 1289 return tee_rpmb_init(); 1290 } 1291 1292 /* 1293 * Read RPMB data in bytes. 1294 * 1295 * @addr Byte address of data. 1296 * @data Pointer to the data. 1297 * @len Size of data in bytes. 1298 * @fek Encrypted File Encryption Key or NULL. 1299 */ 1300 static TEE_Result tee_rpmb_read(uint32_t addr, uint8_t *data, 1301 uint32_t len, const uint8_t *fek, 1302 const TEE_UUID *uuid) 1303 { 1304 TEE_Result res = TEE_ERROR_GENERIC; 1305 struct tee_rpmb_mem mem = { 0 }; 1306 uint16_t msg_type; 1307 uint8_t nonce[RPMB_NONCE_SIZE]; 1308 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1309 struct rpmb_raw_data rawdata; 1310 uint16_t blk_idx; 1311 uint16_t blkcnt; 1312 uint8_t byte_offset; 1313 1314 if (!data || !len) 1315 return TEE_ERROR_BAD_PARAMETERS; 1316 1317 blk_idx = addr / RPMB_DATA_SIZE; 1318 byte_offset = addr % RPMB_DATA_SIZE; 1319 1320 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1321 /* Overflow */ 1322 return TEE_ERROR_BAD_PARAMETERS; 1323 } 1324 blkcnt = 1325 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1326 res = tee_rpmb_init(); 1327 if (res != TEE_SUCCESS) 1328 return res; 1329 1330 res = tee_rpmb_alloc(RPMB_DATA_FRAME_SIZE, 1331 RPMB_DATA_FRAME_SIZE * blkcnt, &mem); 1332 if (res != TEE_SUCCESS) 1333 return res; 1334 1335 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1336 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1337 if (res != TEE_SUCCESS) 1338 return res; 1339 1340 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1341 rawdata.msg_type = msg_type; 1342 rawdata.nonce = nonce; 1343 rawdata.blk_idx = &blk_idx; 1344 res = tee_rpmb_req_pack(mem.req_hdr, mem.req_data, &rawdata, 1, NULL, 1345 NULL); 1346 if (res != TEE_SUCCESS) 1347 return res; 1348 1349 if (mem.req_hdr) 1350 mem.req_hdr->block_count = blkcnt; 1351 1352 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1353 blk_idx); 1354 1355 res = tee_rpmb_invoke(&mem); 1356 if (res != TEE_SUCCESS) 1357 return res; 1358 1359 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1360 1361 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1362 rawdata.msg_type = msg_type; 1363 rawdata.block_count = &blkcnt; 1364 rawdata.blk_idx = &blk_idx; 1365 rawdata.nonce = nonce; 1366 rawdata.key_mac = hmac; 1367 rawdata.data = data; 1368 1369 rawdata.len = len; 1370 rawdata.byte_offset = byte_offset; 1371 1372 return tee_rpmb_resp_unpack_verify(mem.resp_data, &rawdata, blkcnt, 1373 fek, uuid); 1374 } 1375 1376 static TEE_Result write_req(uint16_t blk_idx, 1377 const void *data_blks, uint16_t blkcnt, 1378 const uint8_t *fek, const TEE_UUID *uuid, 1379 struct tee_rpmb_mem *mem) 1380 { 1381 TEE_Result res = TEE_SUCCESS; 1382 uint8_t hmac[RPMB_KEY_MAC_SIZE] = { }; 1383 uint32_t wr_cnt = rpmb_ctx->wr_cnt; 1384 struct rpmb_raw_data rawdata = { }; 1385 size_t retry_count = 0; 1386 1387 while (true) { 1388 if (mem->req_hdr) 1389 memset(mem->req_hdr, 0, mem->req_size); 1390 else 1391 memset(mem->req_data, 0, mem->req_size); 1392 memset(mem->resp_data, 0, mem->resp_size); 1393 1394 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1395 rawdata.msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1396 rawdata.block_count = &blkcnt; 1397 rawdata.blk_idx = &blk_idx; 1398 rawdata.write_counter = &wr_cnt; 1399 rawdata.key_mac = hmac; 1400 rawdata.data = (uint8_t *)data_blks; 1401 1402 res = tee_rpmb_req_pack(mem->req_hdr, mem->req_data, &rawdata, 1403 blkcnt, fek, uuid); 1404 if (res) { 1405 /* 1406 * If we haven't tried to send a request yet we can 1407 * allow a failure here since there's no chance of 1408 * an intercepted request with a valid write 1409 * counter. 1410 */ 1411 if (!retry_count) 1412 return res; 1413 1414 retry_count++; 1415 if (retry_count >= RPMB_MAX_RETRIES) 1416 goto out_of_retries; 1417 1418 DMSG("Request pack failed, retrying %zu", retry_count); 1419 continue; 1420 } 1421 1422 res = tee_rpmb_invoke(mem); 1423 if (res != TEE_SUCCESS) { 1424 retry_count++; 1425 if (retry_count >= RPMB_MAX_RETRIES) 1426 goto out_of_retries; 1427 /* 1428 * To force wr_cnt sync next time, as it might get 1429 * out of sync due to inconsistent operation result! 1430 */ 1431 rpmb_ctx->wr_cnt_synced = false; 1432 DMSG("Write invoke failed, retrying %zu", retry_count); 1433 continue; 1434 } 1435 1436 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1437 rawdata.msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1438 rawdata.block_count = &blkcnt; 1439 rawdata.blk_idx = &blk_idx; 1440 rawdata.write_counter = &wr_cnt; 1441 rawdata.key_mac = hmac; 1442 1443 res = tee_rpmb_resp_unpack_verify(mem->resp_data, &rawdata, 1, 1444 NULL, NULL); 1445 if (res != TEE_SUCCESS) { 1446 retry_count++; 1447 if (retry_count >= RPMB_MAX_RETRIES) 1448 goto out_of_retries; 1449 /* 1450 * To force wr_cnt sync next time, as it might get 1451 * out of sync due to inconsistent operation result! 1452 */ 1453 rpmb_ctx->wr_cnt_synced = false; 1454 DMSG("Write resp unpack verify failed, retrying %zu", 1455 retry_count); 1456 continue; 1457 } 1458 1459 return TEE_SUCCESS; 1460 } 1461 1462 out_of_retries: 1463 rpmb_dead = true; 1464 /* 1465 * We're using this error code to cause an eventuall calling TA to 1466 * panic since we don't know if the data to be written has been 1467 * committed to storage or not. 1468 */ 1469 return TEE_ERROR_COMMUNICATION; 1470 } 1471 1472 static TEE_Result tee_rpmb_write_blk(uint16_t blk_idx, 1473 const uint8_t *data_blks, uint16_t blkcnt, 1474 const uint8_t *fek, const TEE_UUID *uuid) 1475 { 1476 TEE_Result res; 1477 struct tee_rpmb_mem mem; 1478 uint32_t req_size; 1479 uint32_t nbr_writes; 1480 uint16_t tmp_blkcnt; 1481 uint16_t tmp_blk_idx; 1482 uint16_t i; 1483 1484 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1485 blk_idx); 1486 1487 if (!data_blks || !blkcnt) 1488 return TEE_ERROR_BAD_PARAMETERS; 1489 1490 res = tee_rpmb_init(); 1491 if (res != TEE_SUCCESS) 1492 return res; 1493 1494 /* 1495 * We need to split data when block count 1496 * is bigger than reliable block write count. 1497 */ 1498 req_size = RPMB_DATA_FRAME_SIZE * MIN(blkcnt, rpmb_ctx->rel_wr_blkcnt); 1499 res = tee_rpmb_alloc(req_size, RPMB_DATA_FRAME_SIZE, &mem); 1500 if (res != TEE_SUCCESS) 1501 return res; 1502 1503 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1504 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1505 nbr_writes += 1; 1506 1507 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1508 tmp_blk_idx = blk_idx; 1509 for (i = 0; i < nbr_writes; i++) { 1510 size_t offs = i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1511 1512 /* 1513 * To handle the last write of block count which is 1514 * equal or smaller than reliable write block count. 1515 */ 1516 if (i == nbr_writes - 1) 1517 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1518 (nbr_writes - 1); 1519 1520 res = write_req(tmp_blk_idx, data_blks + offs, 1521 tmp_blkcnt, fek, uuid, &mem); 1522 if (res) 1523 return res; 1524 1525 1526 tmp_blk_idx += tmp_blkcnt; 1527 } 1528 1529 return TEE_SUCCESS; 1530 } 1531 1532 static bool tee_rpmb_write_is_atomic(uint32_t addr, uint32_t len) 1533 { 1534 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1535 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1536 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1537 1538 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1539 } 1540 1541 /* 1542 * Write RPMB data in bytes. 1543 * 1544 * @addr Byte address of data. 1545 * @data Pointer to the data. 1546 * @len Size of data in bytes. 1547 * @fek Encrypted File Encryption Key or NULL. 1548 */ 1549 static TEE_Result tee_rpmb_write(uint32_t addr, 1550 const uint8_t *data, uint32_t len, 1551 const uint8_t *fek, const TEE_UUID *uuid) 1552 { 1553 TEE_Result res = TEE_ERROR_GENERIC; 1554 uint8_t *data_tmp = NULL; 1555 uint16_t blk_idx; 1556 uint16_t blkcnt; 1557 uint8_t byte_offset; 1558 1559 blk_idx = addr / RPMB_DATA_SIZE; 1560 byte_offset = addr % RPMB_DATA_SIZE; 1561 1562 blkcnt = 1563 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1564 1565 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1566 res = tee_rpmb_write_blk(blk_idx, data, blkcnt, fek, uuid); 1567 if (res != TEE_SUCCESS) 1568 goto func_exit; 1569 } else { 1570 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1571 if (!data_tmp) { 1572 res = TEE_ERROR_OUT_OF_MEMORY; 1573 goto func_exit; 1574 } 1575 1576 /* Read the complete blocks */ 1577 res = tee_rpmb_read(blk_idx * RPMB_DATA_SIZE, data_tmp, 1578 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1579 if (res != TEE_SUCCESS) 1580 goto func_exit; 1581 1582 /* Partial update of the data blocks */ 1583 memcpy(data_tmp + byte_offset, data, len); 1584 1585 res = tee_rpmb_write_blk(blk_idx, data_tmp, blkcnt, fek, uuid); 1586 if (res != TEE_SUCCESS) 1587 goto func_exit; 1588 } 1589 1590 res = TEE_SUCCESS; 1591 1592 func_exit: 1593 free(data_tmp); 1594 return res; 1595 } 1596 1597 /* 1598 * Read the RPMB max block. 1599 * 1600 * @counter Pointer to receive the max block. 1601 */ 1602 static TEE_Result tee_rpmb_get_max_block(uint32_t *max_block) 1603 { 1604 TEE_Result res = TEE_SUCCESS; 1605 1606 if (!max_block) 1607 return TEE_ERROR_BAD_PARAMETERS; 1608 1609 if (rpmb_dead) 1610 return TEE_ERROR_COMMUNICATION; 1611 1612 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1613 res = tee_rpmb_init(); 1614 if (res != TEE_SUCCESS) 1615 goto func_exit; 1616 } 1617 1618 *max_block = rpmb_ctx->max_blk_idx; 1619 1620 func_exit: 1621 return res; 1622 } 1623 1624 /* 1625 * End of lower interface to RPMB device 1626 */ 1627 1628 static TEE_Result get_fat_start_address(uint32_t *addr); 1629 static TEE_Result rpmb_fs_setup(void); 1630 1631 /** 1632 * fat_entry_dir_free: Free the FAT entry dir. 1633 */ 1634 static void fat_entry_dir_free(void) 1635 { 1636 if (fat_entry_dir) { 1637 free(fat_entry_dir->rpmb_fat_entry_buf); 1638 free(fat_entry_dir); 1639 fat_entry_dir = NULL; 1640 } 1641 } 1642 1643 /** 1644 * fat_entry_dir_init: Initialize the FAT FS entry buffer/cache 1645 * This function must be called before reading FAT FS entries using the 1646 * function fat_entry_dir_get_next. This initializes the buffer/cache with the 1647 * first FAT FS entries. 1648 */ 1649 static TEE_Result fat_entry_dir_init(void) 1650 { 1651 TEE_Result res = TEE_ERROR_GENERIC; 1652 struct rpmb_fat_entry *fe = NULL; 1653 uint32_t fat_address = 0; 1654 uint32_t num_elems_read = 0; 1655 1656 if (fat_entry_dir) 1657 return TEE_SUCCESS; 1658 1659 res = rpmb_fs_setup(); 1660 if (res) 1661 return res; 1662 1663 res = get_fat_start_address(&fat_address); 1664 if (res) 1665 return res; 1666 1667 fat_entry_dir = calloc(1, sizeof(struct rpmb_fat_entry_dir)); 1668 if (!fat_entry_dir) 1669 return TEE_ERROR_OUT_OF_MEMORY; 1670 1671 /* 1672 * If caching is enabled, read in up to the maximum cache size, but 1673 * never more than the single read in size. Otherwise, read in as many 1674 * entries fit into the temporary buffer. 1675 */ 1676 if (CFG_RPMB_FS_CACHE_ENTRIES) 1677 num_elems_read = MIN(CFG_RPMB_FS_CACHE_ENTRIES, 1678 CFG_RPMB_FS_RD_ENTRIES); 1679 else 1680 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1681 1682 /* 1683 * Allocate memory for the FAT FS entries to read in. 1684 */ 1685 fe = calloc(num_elems_read, sizeof(struct rpmb_fat_entry)); 1686 if (!fe) { 1687 res = TEE_ERROR_OUT_OF_MEMORY; 1688 goto out; 1689 } 1690 1691 res = tee_rpmb_read(fat_address, (uint8_t *)fe, 1692 num_elems_read * sizeof(*fe), NULL, NULL); 1693 if (res) 1694 goto out; 1695 1696 fat_entry_dir->rpmb_fat_entry_buf = fe; 1697 1698 /* 1699 * We use this variable when getting next entries from the buffer/cache 1700 * to see whether we have to read in more entries from storage. 1701 */ 1702 fat_entry_dir->num_buffered = num_elems_read; 1703 1704 return TEE_SUCCESS; 1705 out: 1706 fat_entry_dir_free(); 1707 free(fe); 1708 return res; 1709 } 1710 1711 /** 1712 * fat_entry_dir_deinit: If caching is enabled, free the temporary buffer for 1713 * FAT FS entries in case the cache was too small. Keep the elements in the 1714 * cache. Reset the counter variables to start the next traversal from fresh 1715 * from the first cached entry. If caching is disabled, just free the 1716 * temporary buffer by calling fat_entry_dir_free and return. 1717 */ 1718 static void fat_entry_dir_deinit(void) 1719 { 1720 struct rpmb_fat_entry *fe = NULL; 1721 1722 if (!fat_entry_dir) 1723 return; 1724 1725 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1726 fat_entry_dir_free(); 1727 return; 1728 } 1729 1730 fe = fat_entry_dir->rpmb_fat_entry_buf; 1731 fat_entry_dir->idx_curr = 0; 1732 fat_entry_dir->num_total_read = 0; 1733 fat_entry_dir->last_reached = false; 1734 1735 if (fat_entry_dir->num_buffered > CFG_RPMB_FS_CACHE_ENTRIES) { 1736 fat_entry_dir->num_buffered = CFG_RPMB_FS_CACHE_ENTRIES; 1737 1738 fe = realloc(fe, fat_entry_dir->num_buffered * sizeof(*fe)); 1739 1740 /* 1741 * In case realloc fails, we are on the safe side if we destroy 1742 * the whole structure. Upon the next init, the cache has to be 1743 * re-established, but this case should not happen in practice. 1744 */ 1745 if (!fe) 1746 fat_entry_dir_free(); 1747 else 1748 fat_entry_dir->rpmb_fat_entry_buf = fe; 1749 } 1750 } 1751 1752 /** 1753 * fat_entry_dir_update: Updates a persisted FAT FS entry in the cache. 1754 * This function updates the FAT entry fat_entry that was written to address 1755 * fat_address onto RPMB storage in the cache. 1756 */ 1757 static TEE_Result __maybe_unused fat_entry_dir_update 1758 (struct rpmb_fat_entry *fat_entry, 1759 uint32_t fat_address) 1760 { 1761 uint32_t fat_entry_buf_idx = 0; 1762 /* Use a temp var to avoid compiler warning if caching disabled. */ 1763 uint32_t max_cache_entries = CFG_RPMB_FS_CACHE_ENTRIES; 1764 1765 assert(!((fat_address - RPMB_FS_FAT_START_ADDRESS) % 1766 sizeof(struct rpmb_fat_entry))); 1767 1768 /* Nothing to update if the cache is not initialized. */ 1769 if (!fat_entry_dir) 1770 return TEE_SUCCESS; 1771 1772 fat_entry_buf_idx = (fat_address - RPMB_FS_FAT_START_ADDRESS) / 1773 sizeof(struct rpmb_fat_entry); 1774 1775 /* Only need to write if index points to an entry in cache. */ 1776 if (fat_entry_buf_idx < fat_entry_dir->num_buffered && 1777 fat_entry_buf_idx < max_cache_entries) { 1778 memcpy(fat_entry_dir->rpmb_fat_entry_buf + fat_entry_buf_idx, 1779 fat_entry, sizeof(struct rpmb_fat_entry)); 1780 } 1781 1782 return TEE_SUCCESS; 1783 } 1784 1785 /** 1786 * fat_entry_dir_get_next: Get next FAT FS entry. 1787 * Read either from cache/buffer, or by reading from RPMB storage if the 1788 * elements in the buffer/cache are fully read. When reading in from RPMB 1789 * storage, the buffer is overwritten in case caching is disabled. 1790 * In case caching is enabled, the cache is either further filled, or a 1791 * temporary buffer populated if the cache is already full. 1792 * The FAT FS entry is written to fat_entry. The respective address in RPMB 1793 * storage is written to fat_address, if not NULL. When the last FAT FS entry 1794 * was previously read, the function indicates this case by writing a NULL 1795 * pointer to fat_entry. 1796 * Returns a value different TEE_SUCCESS if the next FAT FS entry could not be 1797 * retrieved. 1798 */ 1799 static TEE_Result fat_entry_dir_get_next(struct rpmb_fat_entry **fat_entry, 1800 uint32_t *fat_address) 1801 { 1802 TEE_Result res = TEE_ERROR_GENERIC; 1803 struct rpmb_fat_entry *fe = NULL; 1804 uint32_t num_elems_read = 0; 1805 uint32_t fat_address_local = 0; 1806 1807 assert(fat_entry_dir && fat_entry); 1808 1809 /* Don't read further if we previously read the last FAT FS entry. */ 1810 if (fat_entry_dir->last_reached) { 1811 *fat_entry = NULL; 1812 return TEE_SUCCESS; 1813 } 1814 1815 fe = fat_entry_dir->rpmb_fat_entry_buf; 1816 1817 /* Determine address of FAT FS entry in RPMB storage. */ 1818 fat_address_local = RPMB_FS_FAT_START_ADDRESS + 1819 (fat_entry_dir->num_total_read * 1820 sizeof(struct rpmb_fat_entry)); 1821 1822 /* 1823 * We've read all so-far buffered elements, so we need to 1824 * read in more entries from RPMB storage. 1825 */ 1826 if (fat_entry_dir->idx_curr >= fat_entry_dir->num_buffered) { 1827 /* 1828 * This is the case where we do not cache entries, so just read 1829 * in next set of FAT FS entries into the buffer. 1830 * Goto the end of the when statement if that is done. 1831 */ 1832 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1833 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1834 fat_entry_dir->idx_curr = 0; 1835 1836 res = tee_rpmb_read(fat_address_local, (uint8_t *)fe, 1837 num_elems_read * sizeof(*fe), NULL, 1838 NULL); 1839 if (res) 1840 return res; 1841 goto post_read_in; 1842 } 1843 1844 /* 1845 * We cache FAT FS entries, and the buffer is not completely 1846 * filled. Further keep on extending the buffer up to its max 1847 * size by reading in from RPMB. 1848 */ 1849 if (fat_entry_dir->num_total_read < RPMB_BUF_MAX_ENTRIES) { 1850 /* 1851 * Read at most as many elements as fit in the buffer 1852 * and no more than the defined number of entries to 1853 * read in at once. 1854 */ 1855 num_elems_read = MIN(RPMB_BUF_MAX_ENTRIES - 1856 fat_entry_dir->num_total_read, 1857 (uint32_t)CFG_RPMB_FS_RD_ENTRIES); 1858 1859 /* 1860 * Expand the buffer to fit in the additional entries. 1861 */ 1862 fe = realloc(fe, 1863 (fat_entry_dir->num_buffered + 1864 num_elems_read) * sizeof(*fe)); 1865 if (!fe) 1866 return TEE_ERROR_OUT_OF_MEMORY; 1867 1868 fat_entry_dir->rpmb_fat_entry_buf = fe; 1869 1870 /* Read in to the next free slot in the buffer/cache. */ 1871 res = tee_rpmb_read(fat_address_local, 1872 (uint8_t *)(fe + 1873 fat_entry_dir->num_total_read), 1874 num_elems_read * sizeof(*fe), 1875 NULL, NULL); 1876 if (res) 1877 return res; 1878 1879 fat_entry_dir->num_buffered += num_elems_read; 1880 } else { 1881 /* 1882 * This happens when we have read as many elements as 1883 * can possibly fit into the buffer. 1884 * As the first part of the buffer serves as our cache, 1885 * we only overwrite the last part that serves as our 1886 * temporary buffer used to iteratively read in entries 1887 * when the cache is full. Read in the temporary buffer 1888 * maximum size. 1889 */ 1890 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1891 /* Reset index to beginning of the temporary buffer. */ 1892 fat_entry_dir->idx_curr = CFG_RPMB_FS_CACHE_ENTRIES; 1893 1894 /* Read in elements after the end of the cache. */ 1895 res = tee_rpmb_read(fat_address_local, 1896 (uint8_t *)(fe + 1897 fat_entry_dir->idx_curr), 1898 num_elems_read * sizeof(*fe), 1899 NULL, NULL); 1900 if (res) 1901 return res; 1902 } 1903 } 1904 1905 post_read_in: 1906 if (fat_address) 1907 *fat_address = fat_address_local; 1908 1909 *fat_entry = fe + fat_entry_dir->idx_curr; 1910 1911 fat_entry_dir->idx_curr++; 1912 fat_entry_dir->num_total_read++; 1913 1914 /* 1915 * Indicate last entry was read. 1916 * Ensures we return a zero value for fat_entry on next invocation. 1917 */ 1918 if ((*fat_entry)->flags & FILE_IS_LAST_ENTRY) 1919 fat_entry_dir->last_reached = true; 1920 1921 return TEE_SUCCESS; 1922 } 1923 1924 #if (TRACE_LEVEL >= TRACE_FLOW) 1925 static void dump_fat(void) 1926 { 1927 TEE_Result res = TEE_ERROR_SECURITY; 1928 struct rpmb_fat_entry *fe = NULL; 1929 1930 if (!fs_par) 1931 return; 1932 1933 if (fat_entry_dir_init()) 1934 return; 1935 1936 while (true) { 1937 res = fat_entry_dir_get_next(&fe, NULL); 1938 if (res || !fe) 1939 break; 1940 1941 FMSG("flags %#"PRIx32", size %"PRIu32", address %#"PRIx32 1942 ", filename '%s'", 1943 fe->flags, fe->data_size, fe->start_address, fe->filename); 1944 } 1945 1946 fat_entry_dir_deinit(); 1947 } 1948 #else 1949 static void dump_fat(void) 1950 { 1951 } 1952 #endif 1953 1954 #if (TRACE_LEVEL >= TRACE_DEBUG) 1955 static void dump_fh(struct rpmb_file_handle *fh) 1956 { 1957 DMSG("fh->filename=%s", fh->filename); 1958 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1959 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1960 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1961 } 1962 #else 1963 static void dump_fh(struct rpmb_file_handle *fh __unused) 1964 { 1965 } 1966 #endif 1967 1968 /* "/TA_uuid/object_id" or "/TA_uuid/.object_id" */ 1969 static TEE_Result create_filename(void *buf, size_t blen, struct tee_pobj *po, 1970 bool transient) 1971 { 1972 uint8_t *file = buf; 1973 uint32_t pos = 0; 1974 uint32_t hslen = 1 /* Leading slash */ 1975 + TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID) + po->obj_id_len) 1976 + 1; /* Intermediate slash */ 1977 1978 /* +1 for the '.' (temporary persistent object) */ 1979 if (transient) 1980 hslen++; 1981 1982 if (blen < hslen) 1983 return TEE_ERROR_SHORT_BUFFER; 1984 1985 file[pos++] = '/'; 1986 pos += tee_b2hs((uint8_t *)&po->uuid, &file[pos], 1987 sizeof(TEE_UUID), hslen); 1988 file[pos++] = '/'; 1989 1990 if (transient) 1991 file[pos++] = '.'; 1992 1993 tee_b2hs(po->obj_id, file + pos, po->obj_id_len, hslen - pos); 1994 1995 return TEE_SUCCESS; 1996 } 1997 1998 /* "/TA_uuid" */ 1999 static TEE_Result create_dirname(void *buf, size_t blen, const TEE_UUID *uuid) 2000 { 2001 uint8_t *dir = buf; 2002 uint32_t hslen = TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID)) + 1; 2003 2004 if (blen < hslen) 2005 return TEE_ERROR_SHORT_BUFFER; 2006 2007 dir[0] = '/'; 2008 tee_b2hs((uint8_t *)uuid, dir + 1, sizeof(TEE_UUID), hslen); 2009 2010 return TEE_SUCCESS; 2011 } 2012 2013 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 2014 bool temporary) 2015 { 2016 struct rpmb_file_handle *fh = NULL; 2017 2018 fh = calloc(1, sizeof(struct rpmb_file_handle)); 2019 if (!fh) 2020 return NULL; 2021 2022 if (po) 2023 create_filename(fh->filename, sizeof(fh->filename), po, 2024 temporary); 2025 2026 return fh; 2027 } 2028 2029 /** 2030 * write_fat_entry: Store info in a fat_entry to RPMB. 2031 */ 2032 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh) 2033 { 2034 TEE_Result res = TEE_ERROR_GENERIC; 2035 2036 /* Protect partition data. */ 2037 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 2038 res = TEE_ERROR_ACCESS_CONFLICT; 2039 goto out; 2040 } 2041 2042 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 2043 res = TEE_ERROR_BAD_PARAMETERS; 2044 goto out; 2045 } 2046 2047 res = tee_rpmb_write(fh->rpmb_fat_address, (uint8_t *)&fh->fat_entry, 2048 sizeof(struct rpmb_fat_entry), NULL, NULL); 2049 2050 dump_fat(); 2051 2052 /* If caching enabled, update a successfully written entry in cache. */ 2053 if (CFG_RPMB_FS_CACHE_ENTRIES && !res) 2054 res = fat_entry_dir_update(&fh->fat_entry, 2055 fh->rpmb_fat_address); 2056 2057 out: 2058 return res; 2059 } 2060 2061 /** 2062 * rpmb_fs_setup: Setup RPMB FS. 2063 * Set initial partition and FS values and write to RPMB. 2064 * Store frequently used data in RAM. 2065 */ 2066 static TEE_Result rpmb_fs_setup(void) 2067 { 2068 TEE_Result res = TEE_ERROR_GENERIC; 2069 struct rpmb_fs_partition *partition_data = NULL; 2070 struct rpmb_file_handle *fh = NULL; 2071 uint32_t max_rpmb_block = 0; 2072 2073 if (fs_par) { 2074 res = TEE_SUCCESS; 2075 goto out; 2076 } 2077 2078 res = tee_rpmb_get_max_block(&max_rpmb_block); 2079 if (res != TEE_SUCCESS) 2080 goto out; 2081 2082 /* 2083 * We're going to read a full block in order to have a full block 2084 * for the dummy write below. 2085 */ 2086 COMPILE_TIME_ASSERT(sizeof(struct rpmb_fs_partition) <= 2087 RPMB_DATA_SIZE); 2088 partition_data = calloc(1, RPMB_DATA_SIZE); 2089 if (!partition_data) { 2090 res = TEE_ERROR_OUT_OF_MEMORY; 2091 goto out; 2092 } 2093 2094 res = tee_rpmb_read(RPMB_STORAGE_START_ADDRESS, 2095 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2096 NULL, NULL); 2097 if (res != TEE_SUCCESS) 2098 goto out; 2099 /* 2100 * Perform a write in order to increase the write counter. This 2101 * prevents late usage (replay attack) of a previously blocked 2102 * request with a valid write counter value. 2103 */ 2104 res = tee_rpmb_write(RPMB_STORAGE_START_ADDRESS, 2105 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2106 NULL, NULL); 2107 if (res != TEE_SUCCESS) 2108 goto out; 2109 /* 2110 * We're reading again in case a stale request was committed 2111 * instead of the one issued above. If this succeeds we're in sync 2112 * with the RPMB block since there are no other possible stale 2113 * blocks with valid write counters available. 2114 */ 2115 res = tee_rpmb_read(RPMB_STORAGE_START_ADDRESS, 2116 (uint8_t *)partition_data, 2117 sizeof(struct rpmb_fs_partition), NULL, NULL); 2118 if (res != TEE_SUCCESS) 2119 goto out; 2120 2121 #ifndef CFG_RPMB_RESET_FAT 2122 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 2123 if (partition_data->fs_version == FS_VERSION) { 2124 res = TEE_SUCCESS; 2125 goto store_fs_par; 2126 } else { 2127 EMSG("Wrong software is in use."); 2128 res = TEE_ERROR_ACCESS_DENIED; 2129 goto out; 2130 } 2131 } 2132 #else 2133 EMSG("**** Clearing Storage ****"); 2134 #endif 2135 2136 /* Setup new partition data. */ 2137 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 2138 partition_data->fs_version = FS_VERSION; 2139 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 2140 2141 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 2142 fh = alloc_file_handle(NULL, false); 2143 if (!fh) { 2144 res = TEE_ERROR_OUT_OF_MEMORY; 2145 goto out; 2146 } 2147 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 2148 fh->rpmb_fat_address = partition_data->fat_start_address; 2149 2150 /* Write init FAT entry and partition data to RPMB. */ 2151 res = write_fat_entry(fh); 2152 if (res != TEE_SUCCESS) 2153 goto out; 2154 2155 res = tee_rpmb_write(RPMB_STORAGE_START_ADDRESS, 2156 (uint8_t *)partition_data, 2157 sizeof(struct rpmb_fs_partition), NULL, NULL); 2158 2159 #ifndef CFG_RPMB_RESET_FAT 2160 store_fs_par: 2161 #endif 2162 2163 /* Store FAT start address. */ 2164 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 2165 if (!fs_par) { 2166 res = TEE_ERROR_OUT_OF_MEMORY; 2167 goto out; 2168 } 2169 2170 fs_par->fat_start_address = partition_data->fat_start_address; 2171 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 2172 2173 dump_fat(); 2174 2175 out: 2176 free(fh); 2177 free(partition_data); 2178 return res; 2179 } 2180 2181 /** 2182 * get_fat_start_address: 2183 * FAT start_address from fs_par. 2184 */ 2185 static TEE_Result get_fat_start_address(uint32_t *addr) 2186 { 2187 if (!fs_par) 2188 return TEE_ERROR_NO_DATA; 2189 2190 *addr = fs_par->fat_start_address; 2191 2192 return TEE_SUCCESS; 2193 } 2194 2195 /** 2196 * read_fat: Read FAT entries 2197 * Return matching FAT entry for read, rm rename and stat. 2198 * Build up memory pool and return matching entry for write operation. 2199 * "Last FAT entry" can be returned during write. 2200 */ 2201 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 2202 { 2203 TEE_Result res = TEE_ERROR_GENERIC; 2204 tee_mm_entry_t *mm = NULL; 2205 struct rpmb_fat_entry *fe = NULL; 2206 uint32_t fat_address; 2207 bool entry_found = false; 2208 bool expand_fat = false; 2209 struct rpmb_file_handle last_fh; 2210 2211 DMSG("fat_address %d", fh->rpmb_fat_address); 2212 2213 res = fat_entry_dir_init(); 2214 if (res) 2215 goto out; 2216 2217 /* 2218 * The pool is used to represent the current RPMB layout. To find 2219 * a slot for the file tee_mm_alloc is called on the pool. Thus 2220 * if it is not NULL the entire FAT must be traversed to fill in 2221 * the pool. 2222 */ 2223 while (true) { 2224 res = fat_entry_dir_get_next(&fe, &fat_address); 2225 if (res || !fe) 2226 break; 2227 2228 /* 2229 * Look for an entry, matching filenames. (read, rm, 2230 * rename and stat.). Only store first filename match. 2231 */ 2232 if ((!strcmp(fh->filename, fe->filename)) && 2233 (fe->flags & FILE_IS_ACTIVE) && !entry_found) { 2234 entry_found = true; 2235 fh->rpmb_fat_address = fat_address; 2236 memcpy(&fh->fat_entry, fe, sizeof(*fe)); 2237 if (!p) 2238 break; 2239 } 2240 2241 /* Add existing files to memory pool. (write) */ 2242 if (p) { 2243 if ((fe->flags & FILE_IS_ACTIVE) && fe->data_size > 0) { 2244 2245 mm = tee_mm_alloc2(p, fe->start_address, 2246 fe->data_size); 2247 if (!mm) { 2248 res = TEE_ERROR_OUT_OF_MEMORY; 2249 goto out; 2250 } 2251 } 2252 2253 /* Unused FAT entries can be reused (write) */ 2254 if (((fe->flags & FILE_IS_ACTIVE) == 0) && 2255 fh->rpmb_fat_address == 0) { 2256 fh->rpmb_fat_address = fat_address; 2257 memcpy(&fh->fat_entry, fe, 2258 sizeof(struct rpmb_fat_entry)); 2259 } 2260 2261 if (((fe->flags & FILE_IS_LAST_ENTRY) != 0) && 2262 fh->rpmb_fat_address == fat_address) { 2263 2264 /* 2265 * If the last entry was reached and was chosen 2266 * by the previous check, then the FAT needs to 2267 * be expanded. 2268 * fh->rpmb_fat_address is the address chosen 2269 * to store the files FAT entry and fat_address 2270 * is the current FAT entry address being 2271 * compared. 2272 */ 2273 expand_fat = true; 2274 } 2275 } 2276 } 2277 2278 if (res) 2279 goto out; 2280 /* 2281 * Represent the FAT table in the pool. 2282 */ 2283 if (p) { 2284 /* 2285 * Since fat_address is the start of the last entry it needs to 2286 * be moved up by an entry. 2287 */ 2288 fat_address += sizeof(struct rpmb_fat_entry); 2289 2290 /* Make room for yet a FAT entry and add to memory pool. */ 2291 if (expand_fat) 2292 fat_address += sizeof(struct rpmb_fat_entry); 2293 2294 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 2295 if (!mm) { 2296 res = TEE_ERROR_OUT_OF_MEMORY; 2297 goto out; 2298 } 2299 2300 if (expand_fat) { 2301 /* 2302 * Point fat_address to the beginning of the new 2303 * entry. 2304 */ 2305 fat_address -= sizeof(struct rpmb_fat_entry); 2306 memset(&last_fh, 0, sizeof(last_fh)); 2307 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 2308 last_fh.rpmb_fat_address = fat_address; 2309 res = write_fat_entry(&last_fh); 2310 if (res != TEE_SUCCESS) 2311 goto out; 2312 } 2313 } 2314 2315 if (!fh->rpmb_fat_address) 2316 res = TEE_ERROR_ITEM_NOT_FOUND; 2317 2318 out: 2319 fat_entry_dir_deinit(); 2320 return res; 2321 } 2322 2323 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 2324 { 2325 TEE_Result res; 2326 2327 again: 2328 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 2329 if (res != TEE_SUCCESS) 2330 return res; 2331 2332 if (is_zero(fe->fek, sizeof(fe->fek))) 2333 goto again; 2334 2335 return res; 2336 } 2337 2338 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 2339 const TEE_UUID *uuid, bool create) 2340 { 2341 tee_mm_pool_t p; 2342 bool pool_result; 2343 paddr_size_t pool_sz = 0; 2344 TEE_Result res = TEE_ERROR_GENERIC; 2345 2346 /* We need to do setup in order to make sure fs_par is filled in */ 2347 res = rpmb_fs_setup(); 2348 if (res != TEE_SUCCESS) 2349 goto out; 2350 2351 fh->uuid = uuid; 2352 if (create) { 2353 /* Upper memory allocation must be used for RPMB_FS. */ 2354 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2355 pool_result = tee_mm_init(&p, 2356 RPMB_STORAGE_START_ADDRESS, 2357 pool_sz, 2358 RPMB_BLOCK_SIZE_SHIFT, 2359 TEE_MM_POOL_HI_ALLOC); 2360 2361 if (!pool_result) { 2362 res = TEE_ERROR_OUT_OF_MEMORY; 2363 goto out; 2364 } 2365 2366 res = read_fat(fh, &p); 2367 tee_mm_final(&p); 2368 if (res != TEE_SUCCESS) 2369 goto out; 2370 } else { 2371 res = read_fat(fh, NULL); 2372 if (res != TEE_SUCCESS) 2373 goto out; 2374 } 2375 2376 /* 2377 * If this is opened with create and the entry found was not active 2378 * then this is a new file and the FAT entry must be written 2379 */ 2380 if (create) { 2381 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 2382 memset(&fh->fat_entry, 0, 2383 sizeof(struct rpmb_fat_entry)); 2384 memcpy(fh->fat_entry.filename, fh->filename, 2385 strlen(fh->filename)); 2386 /* Start address and size are 0 */ 2387 fh->fat_entry.flags = FILE_IS_ACTIVE; 2388 2389 res = generate_fek(&fh->fat_entry, uuid); 2390 if (res != TEE_SUCCESS) 2391 goto out; 2392 DMSG("GENERATE FEK key: %p", 2393 (void *)fh->fat_entry.fek); 2394 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 2395 2396 res = write_fat_entry(fh); 2397 if (res != TEE_SUCCESS) 2398 goto out; 2399 } 2400 } 2401 2402 res = TEE_SUCCESS; 2403 2404 out: 2405 return res; 2406 } 2407 2408 static void rpmb_fs_close(struct tee_file_handle **tfh) 2409 { 2410 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 2411 2412 free(fh); 2413 *tfh = NULL; 2414 } 2415 2416 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 2417 void *buf_core, void *buf_user, size_t *len) 2418 { 2419 TEE_Result res; 2420 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2421 size_t size = *len; 2422 2423 /* One of buf_core and buf_user must be NULL */ 2424 assert(!buf_core || !buf_user); 2425 2426 if (!size) 2427 return TEE_SUCCESS; 2428 2429 mutex_lock(&rpmb_mutex); 2430 2431 dump_fh(fh); 2432 2433 res = read_fat(fh, NULL); 2434 if (res != TEE_SUCCESS) 2435 goto out; 2436 2437 if (pos >= fh->fat_entry.data_size) { 2438 *len = 0; 2439 goto out; 2440 } 2441 2442 size = MIN(size, fh->fat_entry.data_size - pos); 2443 if (size) { 2444 if (buf_core) { 2445 res = tee_rpmb_read(fh->fat_entry.start_address + pos, 2446 buf_core, size, fh->fat_entry.fek, 2447 fh->uuid); 2448 if (res != TEE_SUCCESS) 2449 goto out; 2450 } else if (buf_user) { 2451 uint32_t f = TEE_MEMORY_ACCESS_WRITE; 2452 2453 res = check_user_access(f, buf_user, size); 2454 if (res) 2455 goto out; 2456 enter_user_access(); 2457 res = tee_rpmb_read(fh->fat_entry.start_address + pos, 2458 buf_user, size, fh->fat_entry.fek, 2459 fh->uuid); 2460 exit_user_access(); 2461 if (res) 2462 goto out; 2463 } 2464 } 2465 *len = size; 2466 2467 out: 2468 mutex_unlock(&rpmb_mutex); 2469 return res; 2470 } 2471 2472 static TEE_Result update_write_helper(struct rpmb_file_handle *fh, 2473 size_t pos, const void *buf, 2474 size_t size, uintptr_t new_fat, 2475 size_t new_size) 2476 { 2477 uintptr_t old_fat = fh->fat_entry.start_address; 2478 size_t old_size = fh->fat_entry.data_size; 2479 const uint8_t *rem_buf = buf; 2480 size_t rem_size = size; 2481 uint8_t *blk_buf = NULL; 2482 size_t blk_offset = 0; 2483 size_t blk_size = 0; 2484 TEE_Result res = TEE_SUCCESS; 2485 2486 blk_buf = mempool_alloc(mempool_default, TMP_BLOCK_SIZE); 2487 if (!blk_buf) 2488 return TEE_ERROR_OUT_OF_MEMORY; 2489 2490 while (blk_offset < new_size) { 2491 uint8_t *copy_dst = blk_buf; 2492 size_t copy_size = 0; 2493 size_t rd_size = 0; 2494 2495 blk_size = MIN(TMP_BLOCK_SIZE, new_size - blk_offset); 2496 memset(blk_buf, 0, blk_size); 2497 2498 /* Possibly read old RPMB data in temporary buffer */ 2499 if (blk_offset < pos && blk_offset < old_size) { 2500 rd_size = MIN(blk_size, old_size - blk_offset); 2501 2502 res = tee_rpmb_read(old_fat + blk_offset, blk_buf, 2503 rd_size, fh->fat_entry.fek, 2504 fh->uuid); 2505 if (res != TEE_SUCCESS) 2506 break; 2507 } 2508 2509 /* Possibly update data in temporary buffer */ 2510 if ((blk_offset + TMP_BLOCK_SIZE > pos) && 2511 (blk_offset < pos + size)) { 2512 size_t offset = 0; 2513 2514 copy_dst = blk_buf; 2515 copy_size = TMP_BLOCK_SIZE; 2516 2517 if (blk_offset < pos) { 2518 offset = pos - blk_offset; 2519 2520 copy_dst += offset; 2521 copy_size -= offset; 2522 } 2523 copy_size = MIN(copy_size, rem_size); 2524 2525 memcpy(copy_dst, rem_buf, copy_size); 2526 rem_buf += copy_size; 2527 rem_size -= copy_size; 2528 } 2529 2530 /* Write temporary buffer to new RPMB destination */ 2531 res = tee_rpmb_write(new_fat + blk_offset, blk_buf, blk_size, 2532 fh->fat_entry.fek, fh->uuid); 2533 if (res != TEE_SUCCESS) 2534 break; 2535 2536 blk_offset += blk_size; 2537 } 2538 2539 mempool_free(mempool_default, blk_buf); 2540 2541 return res; 2542 } 2543 2544 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 2545 size_t pos, const void *buf, 2546 size_t size) 2547 { 2548 TEE_Result res = TEE_ERROR_GENERIC; 2549 tee_mm_pool_t p = { }; 2550 bool pool_result = false; 2551 size_t end = 0; 2552 uint32_t start_addr = 0; 2553 paddr_size_t pool_sz = 0; 2554 2555 if (!size) 2556 return TEE_SUCCESS; 2557 2558 if (!fs_par) { 2559 res = TEE_ERROR_GENERIC; 2560 goto out; 2561 } 2562 2563 dump_fh(fh); 2564 2565 /* Upper memory allocation must be used for RPMB_FS. */ 2566 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2567 pool_result = tee_mm_init(&p, 2568 RPMB_STORAGE_START_ADDRESS, 2569 pool_sz, 2570 RPMB_BLOCK_SIZE_SHIFT, 2571 TEE_MM_POOL_HI_ALLOC); 2572 if (!pool_result) { 2573 res = TEE_ERROR_OUT_OF_MEMORY; 2574 goto out; 2575 } 2576 2577 res = read_fat(fh, &p); 2578 if (res != TEE_SUCCESS) 2579 goto out; 2580 2581 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2582 panic("invalid last entry flag"); 2583 2584 if (ADD_OVERFLOW(pos, size, &end)) { 2585 res = TEE_ERROR_BAD_PARAMETERS; 2586 goto out; 2587 } 2588 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2589 res = TEE_ERROR_BAD_PARAMETERS; 2590 goto out; 2591 } 2592 2593 if (end <= fh->fat_entry.data_size && 2594 tee_rpmb_write_is_atomic(start_addr, size)) { 2595 2596 DMSG("Updating data in-place"); 2597 res = tee_rpmb_write(start_addr, buf, 2598 size, fh->fat_entry.fek, fh->uuid); 2599 } else { 2600 /* 2601 * File must be extended, or update cannot be atomic: allocate, 2602 * read, update, write. 2603 */ 2604 size_t new_size = MAX(end, fh->fat_entry.data_size); 2605 tee_mm_entry_t *mm = tee_mm_alloc(&p, new_size); 2606 uintptr_t new_fat_entry = 0; 2607 2608 DMSG("Need to re-allocate"); 2609 if (!mm) { 2610 DMSG("RPMB: No space left"); 2611 res = TEE_ERROR_STORAGE_NO_SPACE; 2612 goto out; 2613 } 2614 2615 new_fat_entry = tee_mm_get_smem(mm); 2616 2617 res = update_write_helper(fh, pos, buf, size, 2618 new_fat_entry, new_size); 2619 if (res == TEE_SUCCESS) { 2620 fh->fat_entry.data_size = new_size; 2621 fh->fat_entry.start_address = new_fat_entry; 2622 2623 res = write_fat_entry(fh); 2624 } 2625 } 2626 2627 out: 2628 if (pool_result) 2629 tee_mm_final(&p); 2630 2631 return res; 2632 } 2633 2634 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2635 const void *buf_core, const void *buf_user, 2636 size_t size) 2637 { 2638 TEE_Result res = TEE_SUCCESS; 2639 2640 /* One of buf_core and buf_user must be NULL */ 2641 assert(!buf_core || !buf_user); 2642 2643 if (!size) 2644 return TEE_SUCCESS; 2645 2646 mutex_lock(&rpmb_mutex); 2647 if (buf_core) { 2648 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2649 pos, buf_core, size); 2650 } else if (buf_user) { 2651 uint32_t f = TEE_MEMORY_ACCESS_READ; 2652 2653 res = check_user_access(f, buf_user, size); 2654 if (res) 2655 goto out; 2656 enter_user_access(); 2657 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2658 pos, buf_user, size); 2659 exit_user_access(); 2660 } 2661 out: 2662 mutex_unlock(&rpmb_mutex); 2663 2664 return res; 2665 } 2666 2667 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2668 { 2669 TEE_Result res; 2670 2671 res = read_fat(fh, NULL); 2672 if (res) 2673 return res; 2674 2675 /* Clear this file entry. */ 2676 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2677 return write_fat_entry(fh); 2678 } 2679 2680 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2681 { 2682 TEE_Result res; 2683 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2684 2685 if (!fh) 2686 return TEE_ERROR_OUT_OF_MEMORY; 2687 2688 mutex_lock(&rpmb_mutex); 2689 2690 res = rpmb_fs_remove_internal(fh); 2691 2692 mutex_unlock(&rpmb_mutex); 2693 2694 free(fh); 2695 return res; 2696 } 2697 2698 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2699 struct tee_pobj *new, 2700 bool overwrite) 2701 { 2702 TEE_Result res = TEE_ERROR_GENERIC; 2703 struct rpmb_file_handle *fh_old = NULL; 2704 struct rpmb_file_handle *fh_new = NULL; 2705 2706 if (!old) { 2707 res = TEE_ERROR_BAD_PARAMETERS; 2708 goto out; 2709 } 2710 2711 if (new) 2712 fh_old = alloc_file_handle(old, old->temporary); 2713 else 2714 fh_old = alloc_file_handle(old, true); 2715 if (!fh_old) { 2716 res = TEE_ERROR_OUT_OF_MEMORY; 2717 goto out; 2718 } 2719 2720 if (new) 2721 fh_new = alloc_file_handle(new, new->temporary); 2722 else 2723 fh_new = alloc_file_handle(old, false); 2724 if (!fh_new) { 2725 res = TEE_ERROR_OUT_OF_MEMORY; 2726 goto out; 2727 } 2728 2729 res = read_fat(fh_old, NULL); 2730 if (res != TEE_SUCCESS) 2731 goto out; 2732 2733 res = read_fat(fh_new, NULL); 2734 if (res == TEE_SUCCESS) { 2735 if (!overwrite) { 2736 res = TEE_ERROR_ACCESS_CONFLICT; 2737 goto out; 2738 } 2739 2740 /* Clear this file entry. */ 2741 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2742 res = write_fat_entry(fh_new); 2743 if (res != TEE_SUCCESS) 2744 goto out; 2745 } 2746 2747 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2748 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2749 strlen(fh_new->filename)); 2750 2751 res = write_fat_entry(fh_old); 2752 2753 out: 2754 free(fh_old); 2755 free(fh_new); 2756 2757 return res; 2758 } 2759 2760 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2761 bool overwrite) 2762 { 2763 TEE_Result res; 2764 2765 mutex_lock(&rpmb_mutex); 2766 res = rpmb_fs_rename_internal(old, new, overwrite); 2767 mutex_unlock(&rpmb_mutex); 2768 2769 return res; 2770 } 2771 2772 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2773 { 2774 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2775 tee_mm_pool_t p; 2776 bool pool_result = false; 2777 tee_mm_entry_t *mm; 2778 uint32_t newsize; 2779 uint8_t *newbuf = NULL; 2780 uintptr_t newaddr; 2781 TEE_Result res = TEE_ERROR_GENERIC; 2782 paddr_size_t pool_sz = 0; 2783 2784 mutex_lock(&rpmb_mutex); 2785 2786 if (length > INT32_MAX) { 2787 res = TEE_ERROR_BAD_PARAMETERS; 2788 goto out; 2789 } 2790 newsize = length; 2791 2792 res = read_fat(fh, NULL); 2793 if (res != TEE_SUCCESS) 2794 goto out; 2795 2796 if (newsize > fh->fat_entry.data_size) { 2797 /* Extend file */ 2798 2799 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2800 pool_result = tee_mm_init(&p, 2801 RPMB_STORAGE_START_ADDRESS, 2802 pool_sz, 2803 RPMB_BLOCK_SIZE_SHIFT, 2804 TEE_MM_POOL_HI_ALLOC); 2805 if (!pool_result) { 2806 res = TEE_ERROR_OUT_OF_MEMORY; 2807 goto out; 2808 } 2809 res = read_fat(fh, &p); 2810 if (res != TEE_SUCCESS) 2811 goto out; 2812 2813 mm = tee_mm_alloc(&p, newsize); 2814 newbuf = calloc(1, newsize); 2815 if (!mm || !newbuf) { 2816 res = TEE_ERROR_OUT_OF_MEMORY; 2817 goto out; 2818 } 2819 2820 if (fh->fat_entry.data_size) { 2821 res = tee_rpmb_read(fh->fat_entry.start_address, 2822 newbuf, fh->fat_entry.data_size, 2823 fh->fat_entry.fek, fh->uuid); 2824 if (res != TEE_SUCCESS) 2825 goto out; 2826 } 2827 2828 newaddr = tee_mm_get_smem(mm); 2829 res = tee_rpmb_write(newaddr, newbuf, 2830 newsize, fh->fat_entry.fek, fh->uuid); 2831 if (res != TEE_SUCCESS) 2832 goto out; 2833 2834 } else { 2835 /* Don't change file location */ 2836 newaddr = fh->fat_entry.start_address; 2837 } 2838 2839 /* fh->pos is unchanged */ 2840 fh->fat_entry.data_size = newsize; 2841 fh->fat_entry.start_address = newaddr; 2842 res = write_fat_entry(fh); 2843 2844 out: 2845 mutex_unlock(&rpmb_mutex); 2846 if (pool_result) 2847 tee_mm_final(&p); 2848 if (newbuf) 2849 free(newbuf); 2850 2851 return res; 2852 } 2853 2854 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2855 { 2856 struct tee_rpmb_fs_dirent *e; 2857 2858 if (!dir) 2859 return; 2860 2861 free(dir->current); 2862 2863 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2864 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2865 free(e); 2866 } 2867 } 2868 2869 static TEE_Result rpmb_fs_dir_populate(const char *path, 2870 struct tee_fs_dir *dir) 2871 { 2872 struct tee_rpmb_fs_dirent *current = NULL; 2873 struct rpmb_fat_entry *fe = NULL; 2874 uint32_t fat_address; 2875 uint32_t filelen; 2876 char *filename; 2877 bool matched; 2878 struct tee_rpmb_fs_dirent *next = NULL; 2879 uint32_t pathlen; 2880 TEE_Result res = TEE_ERROR_GENERIC; 2881 char temp; 2882 2883 mutex_lock(&rpmb_mutex); 2884 2885 res = fat_entry_dir_init(); 2886 if (res) 2887 goto out; 2888 2889 pathlen = strlen(path); 2890 2891 while (true) { 2892 res = fat_entry_dir_get_next(&fe, &fat_address); 2893 if (res || !fe) 2894 break; 2895 2896 filename = fe->filename; 2897 if (fe->flags & FILE_IS_ACTIVE) { 2898 matched = false; 2899 filelen = strlen(filename); 2900 if (filelen > pathlen) { 2901 temp = filename[pathlen]; 2902 filename[pathlen] = '\0'; 2903 if (strcmp(filename, path) == 0) 2904 matched = true; 2905 2906 filename[pathlen] = temp; 2907 } 2908 2909 if (matched) { 2910 next = malloc(sizeof(*next)); 2911 if (!next) { 2912 res = TEE_ERROR_OUT_OF_MEMORY; 2913 goto out; 2914 } 2915 2916 next->entry.oidlen = tee_hs2b((uint8_t *) 2917 &filename[pathlen], 2918 next->entry.oid, 2919 filelen - pathlen, 2920 sizeof(next->entry.oid)); 2921 if (next->entry.oidlen) { 2922 SIMPLEQ_INSERT_TAIL(&dir->next, 2923 next, link); 2924 current = next; 2925 } else { 2926 free(next); 2927 next = NULL; 2928 } 2929 } 2930 } 2931 } 2932 2933 if (res) 2934 goto out; 2935 2936 if (current) 2937 res = TEE_SUCCESS; 2938 else 2939 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2940 2941 out: 2942 mutex_unlock(&rpmb_mutex); 2943 fat_entry_dir_deinit(); 2944 if (res) 2945 rpmb_fs_dir_free(dir); 2946 2947 return res; 2948 } 2949 2950 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2951 { 2952 uint32_t len; 2953 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2954 TEE_Result res = TEE_ERROR_GENERIC; 2955 struct tee_fs_dir *rpmb_dir = NULL; 2956 2957 if (!uuid || !dir) { 2958 res = TEE_ERROR_BAD_PARAMETERS; 2959 goto out; 2960 } 2961 2962 memset(path_local, 0, sizeof(path_local)); 2963 if (create_dirname(path_local, sizeof(path_local) - 1, uuid)) { 2964 res = TEE_ERROR_BAD_PARAMETERS; 2965 goto out; 2966 } 2967 len = strlen(path_local); 2968 2969 /* Add a slash to correctly match the full directory name. */ 2970 if (path_local[len - 1] != '/') 2971 path_local[len] = '/'; 2972 2973 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2974 if (!rpmb_dir) { 2975 res = TEE_ERROR_OUT_OF_MEMORY; 2976 goto out; 2977 } 2978 SIMPLEQ_INIT(&rpmb_dir->next); 2979 2980 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2981 if (res != TEE_SUCCESS) { 2982 free(rpmb_dir); 2983 rpmb_dir = NULL; 2984 goto out; 2985 } 2986 2987 *dir = rpmb_dir; 2988 2989 out: 2990 return res; 2991 } 2992 2993 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2994 struct tee_fs_dirent **ent) 2995 { 2996 if (!dir) 2997 return TEE_ERROR_GENERIC; 2998 2999 free(dir->current); 3000 3001 dir->current = SIMPLEQ_FIRST(&dir->next); 3002 if (!dir->current) 3003 return TEE_ERROR_ITEM_NOT_FOUND; 3004 3005 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 3006 3007 *ent = &dir->current->entry; 3008 return TEE_SUCCESS; 3009 } 3010 3011 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 3012 { 3013 if (dir) { 3014 rpmb_fs_dir_free(dir); 3015 free(dir); 3016 } 3017 } 3018 3019 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 3020 struct tee_file_handle **ret_fh) 3021 { 3022 TEE_Result res; 3023 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 3024 3025 if (!fh) 3026 return TEE_ERROR_OUT_OF_MEMORY; 3027 3028 mutex_lock(&rpmb_mutex); 3029 3030 res = rpmb_fs_open_internal(fh, &po->uuid, false); 3031 if (!res && size) 3032 *size = fh->fat_entry.data_size; 3033 3034 mutex_unlock(&rpmb_mutex); 3035 3036 if (res) 3037 free(fh); 3038 else 3039 *ret_fh = (struct tee_file_handle *)fh; 3040 3041 return res; 3042 } 3043 3044 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 3045 const void *head, size_t head_size, 3046 const void *attr, size_t attr_size, 3047 const void *data_core, const void *data_user, 3048 size_t data_size, 3049 struct tee_file_handle **ret_fh) 3050 { 3051 TEE_Result res; 3052 size_t pos = 0; 3053 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 3054 3055 /* One of data_core and data_user must be NULL */ 3056 assert(!data_core || !data_user); 3057 3058 if (!fh) 3059 return TEE_ERROR_OUT_OF_MEMORY; 3060 3061 mutex_lock(&rpmb_mutex); 3062 res = rpmb_fs_open_internal(fh, &po->uuid, true); 3063 if (res) 3064 goto out; 3065 3066 if (head && head_size) { 3067 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 3068 if (res) 3069 goto out; 3070 pos += head_size; 3071 } 3072 3073 if (attr && attr_size) { 3074 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 3075 if (res) 3076 goto out; 3077 pos += attr_size; 3078 } 3079 3080 if (data_size) { 3081 if (data_core) { 3082 res = rpmb_fs_write_primitive(fh, pos, data_core, 3083 data_size); 3084 if (res) 3085 goto out; 3086 } else if (data_user) { 3087 uint32_t f = TEE_MEMORY_ACCESS_READ | 3088 TEE_MEMORY_ACCESS_ANY_OWNER; 3089 3090 res = check_user_access(f, data_user, data_size); 3091 if (res) 3092 goto out; 3093 enter_user_access(); 3094 res = rpmb_fs_write_primitive(fh, pos, data_user, 3095 data_size); 3096 exit_user_access(); 3097 if (res) 3098 goto out; 3099 } 3100 } 3101 3102 if (po->temporary) { 3103 /* 3104 * If it's a temporary filename (which it normally is) 3105 * rename into the final filename now that the file is 3106 * fully initialized. 3107 */ 3108 po->temporary = false; 3109 res = rpmb_fs_rename_internal(po, NULL, overwrite); 3110 if (res) { 3111 po->temporary = true; 3112 goto out; 3113 } 3114 /* Update file handle after rename. */ 3115 create_filename(fh->filename, sizeof(fh->filename), po, false); 3116 } 3117 3118 out: 3119 if (res) { 3120 rpmb_fs_remove_internal(fh); 3121 free(fh); 3122 } else { 3123 *ret_fh = (struct tee_file_handle *)fh; 3124 } 3125 mutex_unlock(&rpmb_mutex); 3126 3127 return res; 3128 } 3129 3130 const struct tee_file_operations rpmb_fs_ops = { 3131 .open = rpmb_fs_open, 3132 .create = rpmb_fs_create, 3133 .close = rpmb_fs_close, 3134 .read = rpmb_fs_read, 3135 .write = rpmb_fs_write, 3136 .truncate = rpmb_fs_truncate, 3137 .rename = rpmb_fs_rename, 3138 .remove = rpmb_fs_remove, 3139 .opendir = rpmb_fs_opendir, 3140 .closedir = rpmb_fs_closedir, 3141 .readdir = rpmb_fs_readdir, 3142 }; 3143 3144 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 3145 struct tee_file_handle **ret_fh) 3146 { 3147 TEE_Result res; 3148 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 3149 static const TEE_UUID uuid = { 0 }; 3150 3151 if (!fh) 3152 return TEE_ERROR_OUT_OF_MEMORY; 3153 3154 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 3155 3156 mutex_lock(&rpmb_mutex); 3157 3158 res = rpmb_fs_open_internal(fh, &uuid, create); 3159 3160 mutex_unlock(&rpmb_mutex); 3161 3162 if (res) { 3163 if (create) 3164 rpmb_fs_remove_internal(fh); 3165 free(fh); 3166 } else { 3167 *ret_fh = (struct tee_file_handle *)fh; 3168 } 3169 3170 return res; 3171 } 3172 3173 bool __weak plat_rpmb_key_is_ready(void) 3174 { 3175 return true; 3176 } 3177