1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 326 { 327 *res = *(bytes + 1) & RPMB_RESULT_MASK; 328 } 329 330 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 331 uint8_t *key, uint32_t keysize, 332 struct rpmb_data_frame *datafrms, 333 uint16_t blkcnt) 334 { 335 TEE_Result res = TEE_ERROR_GENERIC; 336 int i; 337 void *ctx = NULL; 338 339 if (!mac || !key || !datafrms) 340 return TEE_ERROR_BAD_PARAMETERS; 341 342 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 343 if (res) 344 return res; 345 346 res = crypto_mac_init(ctx, key, keysize); 347 if (res != TEE_SUCCESS) 348 goto func_exit; 349 350 for (i = 0; i < blkcnt; i++) { 351 res = crypto_mac_update(ctx, datafrms[i].data, 352 RPMB_MAC_PROTECT_DATA_SIZE); 353 if (res != TEE_SUCCESS) 354 goto func_exit; 355 } 356 357 res = crypto_mac_final(ctx, mac, macsize); 358 if (res != TEE_SUCCESS) 359 goto func_exit; 360 361 res = TEE_SUCCESS; 362 363 func_exit: 364 crypto_mac_free_ctx(ctx); 365 return res; 366 } 367 368 struct tee_rpmb_mem { 369 struct mobj *phreq_mobj; 370 struct mobj *phresp_mobj; 371 size_t req_size; 372 size_t resp_size; 373 }; 374 375 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 376 { 377 if (!mem) 378 return; 379 380 if (mem->phreq_mobj) { 381 thread_rpc_free_payload(mem->phreq_mobj); 382 mem->phreq_mobj = NULL; 383 } 384 if (mem->phresp_mobj) { 385 thread_rpc_free_payload(mem->phresp_mobj); 386 mem->phresp_mobj = NULL; 387 } 388 } 389 390 391 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 392 struct tee_rpmb_mem *mem, void **req, void **resp) 393 { 394 TEE_Result res = TEE_SUCCESS; 395 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 396 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 397 398 if (!mem) 399 return TEE_ERROR_BAD_PARAMETERS; 400 401 memset(mem, 0, sizeof(*mem)); 402 403 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 404 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 405 406 if (!mem->phreq_mobj || !mem->phresp_mobj) { 407 res = TEE_ERROR_OUT_OF_MEMORY; 408 goto out; 409 } 410 411 *req = mobj_get_va(mem->phreq_mobj, 0); 412 *resp = mobj_get_va(mem->phresp_mobj, 0); 413 if (!*req || !*resp) { 414 res = TEE_ERROR_GENERIC; 415 goto out; 416 } 417 418 mem->req_size = req_size; 419 mem->resp_size = resp_size; 420 421 out: 422 if (res != TEE_SUCCESS) 423 tee_rpmb_free(mem); 424 return res; 425 } 426 427 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 428 { 429 struct thread_param params[2] = { 430 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 431 mem->req_size), 432 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 433 mem->resp_size), 434 }; 435 436 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 437 } 438 439 static bool is_zero(const uint8_t *buf, size_t size) 440 { 441 size_t i; 442 443 for (i = 0; i < size; i++) 444 if (buf[i]) 445 return false; 446 return true; 447 } 448 449 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 450 uint16_t blk_idx, const uint8_t *fek, 451 const TEE_UUID *uuid) 452 { 453 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 454 blk_idx, fek, TEE_MODE_ENCRYPT); 455 } 456 457 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 458 uint16_t blk_idx, const uint8_t *fek, 459 const TEE_UUID *uuid) 460 { 461 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 462 blk_idx, fek, TEE_MODE_DECRYPT); 463 } 464 465 /* Decrypt/copy at most one block of data */ 466 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 467 size_t size, size_t offset, 468 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 469 const TEE_UUID *uuid) 470 { 471 uint8_t *tmp __maybe_unused; 472 473 474 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 475 panic("invalid size or offset"); 476 477 if (!fek) { 478 /* Block is not encrypted (not a file data block) */ 479 memcpy(out, frm->data + offset, size); 480 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 481 /* The file was created with encryption disabled */ 482 return TEE_ERROR_SECURITY; 483 } else { 484 /* Block is encrypted */ 485 if (size < RPMB_DATA_SIZE) { 486 /* 487 * Since output buffer is not large enough to hold one 488 * block we must allocate a temporary buffer. 489 */ 490 tmp = malloc(RPMB_DATA_SIZE); 491 if (!tmp) 492 return TEE_ERROR_OUT_OF_MEMORY; 493 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 494 memcpy(out, tmp + offset, size); 495 free(tmp); 496 } else { 497 decrypt_block(out, frm->data, blk_idx, fek, uuid); 498 } 499 } 500 501 return TEE_SUCCESS; 502 } 503 504 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 505 struct rpmb_raw_data *rawdata, 506 uint16_t nbr_frms, uint16_t dev_id, 507 const uint8_t *fek, const TEE_UUID *uuid) 508 { 509 TEE_Result res = TEE_ERROR_GENERIC; 510 int i; 511 struct rpmb_data_frame *datafrm; 512 513 if (!req || !rawdata || !nbr_frms) 514 return TEE_ERROR_BAD_PARAMETERS; 515 516 /* 517 * Check write blockcount is not bigger than reliable write 518 * blockcount. 519 */ 520 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 521 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 522 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 523 rpmb_ctx->rel_wr_blkcnt); 524 return TEE_ERROR_GENERIC; 525 } 526 527 req->cmd = RPMB_CMD_DATA_REQ; 528 req->dev_id = dev_id; 529 530 /* Allocate memory for construct all data packets and calculate MAC. */ 531 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 532 if (!datafrm) 533 return TEE_ERROR_OUT_OF_MEMORY; 534 535 for (i = 0; i < nbr_frms; i++) { 536 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 537 538 if (rawdata->block_count) 539 u16_to_bytes(*rawdata->block_count, 540 datafrm[i].block_count); 541 542 if (rawdata->blk_idx) { 543 /* Check the block index is within range. */ 544 if ((*rawdata->blk_idx + nbr_frms) > 545 rpmb_ctx->max_blk_idx) { 546 res = TEE_ERROR_GENERIC; 547 goto func_exit; 548 } 549 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 550 } 551 552 if (rawdata->write_counter) 553 u32_to_bytes(*rawdata->write_counter, 554 datafrm[i].write_counter); 555 556 if (rawdata->nonce) 557 memcpy(datafrm[i].nonce, rawdata->nonce, 558 RPMB_NONCE_SIZE); 559 560 if (rawdata->data) { 561 if (fek) 562 encrypt_block(datafrm[i].data, 563 rawdata->data + (i * RPMB_DATA_SIZE), 564 *rawdata->blk_idx + i, fek, uuid); 565 else 566 memcpy(datafrm[i].data, 567 rawdata->data + (i * RPMB_DATA_SIZE), 568 RPMB_DATA_SIZE); 569 } 570 } 571 572 if (rawdata->key_mac) { 573 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 574 res = 575 tee_rpmb_mac_calc(rawdata->key_mac, 576 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 577 RPMB_KEY_MAC_SIZE, datafrm, 578 nbr_frms); 579 if (res != TEE_SUCCESS) 580 goto func_exit; 581 } 582 memcpy(datafrm[nbr_frms - 1].key_mac, 583 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 584 } 585 586 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 587 nbr_frms * RPMB_DATA_FRAME_SIZE); 588 589 #ifdef CFG_RPMB_FS_DEBUG_DATA 590 for (i = 0; i < nbr_frms; i++) { 591 DMSG("Dumping data frame %d:", i); 592 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 593 512 - RPMB_STUFF_DATA_SIZE); 594 } 595 #endif 596 597 res = TEE_SUCCESS; 598 func_exit: 599 free(datafrm); 600 return res; 601 } 602 603 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 604 struct rpmb_data_frame *frm, 605 const uint8_t *fek, const TEE_UUID *uuid) 606 { 607 TEE_Result res; 608 uint8_t *data; 609 uint16_t idx; 610 611 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 612 return TEE_ERROR_BAD_PARAMETERS; 613 614 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 615 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 616 if (res != TEE_SUCCESS) 617 return res; 618 619 data = rawdata->data; 620 bytes_to_u16(frm->address, &idx); 621 622 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 623 uuid); 624 return res; 625 } 626 627 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 628 struct rpmb_raw_data *rawdata, 629 uint16_t nbr_frms, 630 struct rpmb_data_frame *lastfrm, 631 const uint8_t *fek, 632 const TEE_UUID *uuid) 633 { 634 TEE_Result res = TEE_ERROR_GENERIC; 635 int i; 636 void *ctx = NULL; 637 uint16_t offset; 638 uint32_t size; 639 uint8_t *data; 640 uint16_t start_idx; 641 struct rpmb_data_frame localfrm; 642 643 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 644 return TEE_ERROR_BAD_PARAMETERS; 645 646 if (nbr_frms == 1) 647 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 648 649 /* nbr_frms > 1 */ 650 651 data = rawdata->data; 652 653 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 654 if (res) 655 goto func_exit; 656 657 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 658 if (res != TEE_SUCCESS) 659 goto func_exit; 660 661 /* 662 * Note: JEDEC JESD84-B51: "In every packet the address is the start 663 * address of the full access (not address of the individual half a 664 * sector)" 665 */ 666 bytes_to_u16(lastfrm->address, &start_idx); 667 668 for (i = 0; i < (nbr_frms - 1); i++) { 669 670 /* 671 * By working on a local copy of the RPMB frame, we ensure that 672 * the data can not be modified after the MAC is computed but 673 * before the payload is decrypted/copied to the output buffer. 674 */ 675 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 676 677 res = crypto_mac_update(ctx, localfrm.data, 678 RPMB_MAC_PROTECT_DATA_SIZE); 679 if (res != TEE_SUCCESS) 680 goto func_exit; 681 682 if (i == 0) { 683 /* First block */ 684 offset = rawdata->byte_offset; 685 size = RPMB_DATA_SIZE - offset; 686 } else { 687 /* Middle blocks */ 688 size = RPMB_DATA_SIZE; 689 offset = 0; 690 } 691 692 res = decrypt(data, &localfrm, size, offset, start_idx + i, 693 fek, uuid); 694 if (res != TEE_SUCCESS) 695 goto func_exit; 696 697 data += size; 698 } 699 700 /* Last block */ 701 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 702 if (size == 0) 703 size = RPMB_DATA_SIZE; 704 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 705 uuid); 706 if (res != TEE_SUCCESS) 707 goto func_exit; 708 709 /* Update MAC against the last block */ 710 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 711 if (res != TEE_SUCCESS) 712 goto func_exit; 713 714 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 715 if (res != TEE_SUCCESS) 716 goto func_exit; 717 718 res = TEE_SUCCESS; 719 720 func_exit: 721 crypto_mac_free_ctx(ctx); 722 return res; 723 } 724 725 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 726 struct rpmb_raw_data *rawdata, 727 uint16_t nbr_frms, 728 const uint8_t *fek, 729 const TEE_UUID *uuid) 730 { 731 TEE_Result res = TEE_ERROR_GENERIC; 732 uint16_t msg_type; 733 uint32_t wr_cnt; 734 uint16_t blk_idx; 735 uint8_t op_result; 736 struct rpmb_data_frame lastfrm; 737 738 if (!datafrm || !rawdata || !nbr_frms) 739 return TEE_ERROR_BAD_PARAMETERS; 740 741 #ifdef CFG_RPMB_FS_DEBUG_DATA 742 for (uint32_t i = 0; i < nbr_frms; i++) { 743 DMSG("Dumping data frame %d:", i); 744 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 745 512 - RPMB_STUFF_DATA_SIZE); 746 } 747 #endif 748 749 /* Make sure the last data packet can't be modified once verified */ 750 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 751 752 /* Handle operation result and translate to TEEC error code. */ 753 get_op_result_bits(lastfrm.op_result, &op_result); 754 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 755 return TEE_ERROR_ITEM_NOT_FOUND; 756 if (op_result != RPMB_RESULT_OK) 757 return TEE_ERROR_GENERIC; 758 759 /* Check the response msg_type. */ 760 bytes_to_u16(lastfrm.msg_type, &msg_type); 761 if (msg_type != rawdata->msg_type) { 762 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 763 rawdata->msg_type); 764 return TEE_ERROR_GENERIC; 765 } 766 767 if (rawdata->blk_idx) { 768 bytes_to_u16(lastfrm.address, &blk_idx); 769 if (blk_idx != *rawdata->blk_idx) { 770 DMSG("Unexpected block index"); 771 return TEE_ERROR_GENERIC; 772 } 773 } 774 775 if (rawdata->write_counter) { 776 wr_cnt = *rawdata->write_counter; 777 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 778 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 779 /* Verify the write counter is incremented by 1 */ 780 if (*rawdata->write_counter != wr_cnt + 1) { 781 DMSG("Counter mismatched (0x%04x/0x%04x)", 782 *rawdata->write_counter, wr_cnt + 1); 783 return TEE_ERROR_SECURITY; 784 } 785 rpmb_ctx->wr_cnt++; 786 } 787 } 788 789 if (rawdata->nonce) { 790 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 791 RPMB_NONCE_SIZE) != 0) { 792 DMSG("Nonce mismatched"); 793 return TEE_ERROR_SECURITY; 794 } 795 } 796 797 if (rawdata->key_mac) { 798 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 799 if (!rawdata->data) 800 return TEE_ERROR_GENERIC; 801 802 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 803 nbr_frms, &lastfrm, 804 fek, uuid); 805 806 if (res != TEE_SUCCESS) 807 return res; 808 } else { 809 /* 810 * There should be only one data frame for 811 * other msg types. 812 */ 813 if (nbr_frms != 1) 814 return TEE_ERROR_GENERIC; 815 816 res = tee_rpmb_mac_calc(rawdata->key_mac, 817 RPMB_KEY_MAC_SIZE, 818 rpmb_ctx->key, 819 RPMB_KEY_MAC_SIZE, 820 &lastfrm, 1); 821 822 if (res != TEE_SUCCESS) 823 return res; 824 } 825 826 #ifndef CFG_RPMB_FS_NO_MAC 827 if (consttime_memcmp(rawdata->key_mac, 828 (datafrm + nbr_frms - 1)->key_mac, 829 RPMB_KEY_MAC_SIZE) != 0) { 830 DMSG("MAC mismatched:"); 831 #ifdef CFG_RPMB_FS_DEBUG_DATA 832 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 833 #endif 834 return TEE_ERROR_SECURITY; 835 } 836 #endif /* !CFG_RPMB_FS_NO_MAC */ 837 } 838 839 return TEE_SUCCESS; 840 } 841 842 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 843 struct rpmb_dev_info *dev_info) 844 { 845 TEE_Result res = TEE_ERROR_GENERIC; 846 struct tee_rpmb_mem mem; 847 struct rpmb_dev_info *di; 848 struct rpmb_req *req = NULL; 849 uint8_t *resp = NULL; 850 uint32_t req_size; 851 uint32_t resp_size; 852 853 if (!dev_info) 854 return TEE_ERROR_BAD_PARAMETERS; 855 856 req_size = sizeof(struct rpmb_req); 857 resp_size = sizeof(struct rpmb_dev_info); 858 res = tee_rpmb_alloc(req_size, resp_size, &mem, 859 (void *)&req, (void *)&resp); 860 if (res != TEE_SUCCESS) 861 goto func_exit; 862 863 req->cmd = RPMB_CMD_GET_DEV_INFO; 864 req->dev_id = dev_id; 865 866 di = (struct rpmb_dev_info *)resp; 867 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 868 869 res = tee_rpmb_invoke(&mem); 870 if (res != TEE_SUCCESS) 871 goto func_exit; 872 873 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 874 res = TEE_ERROR_GENERIC; 875 goto func_exit; 876 } 877 878 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 879 880 #ifdef CFG_RPMB_FS_DEBUG_DATA 881 DMSG("Dumping dev_info:"); 882 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 883 #endif 884 885 res = TEE_SUCCESS; 886 887 func_exit: 888 tee_rpmb_free(&mem); 889 return res; 890 } 891 892 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 893 uint32_t *wr_cnt, 894 uint16_t *op_result) 895 { 896 TEE_Result res = TEE_ERROR_GENERIC; 897 struct tee_rpmb_mem mem; 898 uint16_t msg_type; 899 uint8_t nonce[RPMB_NONCE_SIZE]; 900 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 901 struct rpmb_req *req = NULL; 902 struct rpmb_data_frame *resp = NULL; 903 struct rpmb_raw_data rawdata; 904 uint32_t req_size; 905 uint32_t resp_size; 906 907 if (!wr_cnt) 908 return TEE_ERROR_BAD_PARAMETERS; 909 910 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 911 resp_size = RPMB_DATA_FRAME_SIZE; 912 res = tee_rpmb_alloc(req_size, resp_size, &mem, 913 (void *)&req, (void *)&resp); 914 if (res != TEE_SUCCESS) 915 goto func_exit; 916 917 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 918 if (res != TEE_SUCCESS) 919 goto func_exit; 920 921 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 922 923 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 924 rawdata.msg_type = msg_type; 925 rawdata.nonce = nonce; 926 927 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 928 if (res != TEE_SUCCESS) 929 goto func_exit; 930 931 res = tee_rpmb_invoke(&mem); 932 if (res != TEE_SUCCESS) 933 goto func_exit; 934 935 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 936 937 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 938 rawdata.msg_type = msg_type; 939 rawdata.op_result = op_result; 940 rawdata.write_counter = wr_cnt; 941 rawdata.nonce = nonce; 942 rawdata.key_mac = hmac; 943 944 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 945 if (res != TEE_SUCCESS) 946 goto func_exit; 947 948 res = TEE_SUCCESS; 949 950 func_exit: 951 tee_rpmb_free(&mem); 952 return res; 953 } 954 955 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 956 { 957 uint16_t op_result = 0; 958 TEE_Result res = TEE_ERROR_GENERIC; 959 960 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 961 &op_result); 962 963 if (res == TEE_SUCCESS) { 964 rpmb_ctx->key_verified = true; 965 rpmb_ctx->wr_cnt_synced = true; 966 } else 967 EMSG("Verify key returning 0x%x", res); 968 return res; 969 } 970 971 #ifdef CFG_RPMB_WRITE_KEY 972 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 973 { 974 TEE_Result res = TEE_ERROR_GENERIC; 975 struct tee_rpmb_mem mem = { 0 }; 976 uint16_t msg_type; 977 struct rpmb_req *req = NULL; 978 struct rpmb_data_frame *resp = NULL; 979 struct rpmb_raw_data rawdata; 980 uint32_t req_size; 981 uint32_t resp_size; 982 983 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 984 resp_size = RPMB_DATA_FRAME_SIZE; 985 res = tee_rpmb_alloc(req_size, resp_size, &mem, 986 (void *)&req, (void *)&resp); 987 if (res != TEE_SUCCESS) 988 goto func_exit; 989 990 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 991 992 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 993 rawdata.msg_type = msg_type; 994 rawdata.key_mac = rpmb_ctx->key; 995 996 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 997 if (res != TEE_SUCCESS) 998 goto func_exit; 999 1000 res = tee_rpmb_invoke(&mem); 1001 if (res != TEE_SUCCESS) 1002 goto func_exit; 1003 1004 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1005 1006 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1007 rawdata.msg_type = msg_type; 1008 1009 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1010 if (res != TEE_SUCCESS) 1011 goto func_exit; 1012 1013 res = TEE_SUCCESS; 1014 1015 func_exit: 1016 tee_rpmb_free(&mem); 1017 return res; 1018 } 1019 1020 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1021 { 1022 TEE_Result res; 1023 1024 DMSG("RPMB INIT: Writing Key value:"); 1025 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1026 1027 res = tee_rpmb_write_key(dev_id); 1028 if (res == TEE_SUCCESS) { 1029 DMSG("RPMB INIT: Verifying Key"); 1030 res = tee_rpmb_verify_key_sync_counter(dev_id); 1031 } 1032 return res; 1033 } 1034 #else 1035 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1036 { 1037 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1038 return TEE_ERROR_BAD_STATE; 1039 } 1040 #endif 1041 1042 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1043 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1044 { 1045 TEE_Result res = TEE_SUCCESS; 1046 struct rpmb_dev_info dev_info; 1047 uint32_t nblocks = 0; 1048 1049 if (!rpmb_ctx) { 1050 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1051 if (!rpmb_ctx) 1052 return TEE_ERROR_OUT_OF_MEMORY; 1053 } else if (rpmb_ctx->dev_id != dev_id) { 1054 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1055 } 1056 1057 rpmb_ctx->dev_id = dev_id; 1058 1059 if (!rpmb_ctx->dev_info_synced) { 1060 DMSG("RPMB: Syncing device information"); 1061 1062 dev_info.rpmb_size_mult = 0; 1063 dev_info.rel_wr_sec_c = 0; 1064 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1065 if (res != TEE_SUCCESS) 1066 goto func_exit; 1067 1068 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1069 DMSG("RPMB: Reliable Write Sector Count is %d", 1070 dev_info.rel_wr_sec_c); 1071 1072 if (dev_info.rpmb_size_mult == 0) { 1073 res = TEE_ERROR_GENERIC; 1074 goto func_exit; 1075 } 1076 1077 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1078 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1079 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1080 res = TEE_ERROR_BAD_PARAMETERS; 1081 goto func_exit; 1082 } 1083 1084 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1085 1086 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1087 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1088 #else 1089 rpmb_ctx->rel_wr_blkcnt = 1; 1090 #endif 1091 1092 rpmb_ctx->dev_info_synced = true; 1093 } 1094 1095 if (!rpmb_ctx->key_derived) { 1096 DMSG("RPMB INIT: Deriving key"); 1097 1098 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1099 RPMB_KEY_MAC_SIZE); 1100 if (res != TEE_SUCCESS) { 1101 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1102 res); 1103 goto func_exit; 1104 } 1105 1106 rpmb_ctx->key_derived = true; 1107 } 1108 1109 /* Perform a write counter read to verify if the key is ok. */ 1110 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1111 DMSG("RPMB INIT: Verifying Key"); 1112 1113 res = tee_rpmb_verify_key_sync_counter(dev_id); 1114 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1115 !rpmb_ctx->key_verified) { 1116 /* 1117 * Need to write the key here and verify it. 1118 */ 1119 DMSG("RPMB INIT: Auth key not yet written"); 1120 res = tee_rpmb_write_and_verify_key(dev_id); 1121 } else if (res != TEE_SUCCESS) { 1122 EMSG("Verify key failed!"); 1123 EMSG("Make sure key here matches device key"); 1124 } 1125 } 1126 1127 func_exit: 1128 return res; 1129 } 1130 1131 /* 1132 * Read RPMB data in bytes. 1133 * 1134 * @dev_id Device ID of the eMMC device. 1135 * @addr Byte address of data. 1136 * @data Pointer to the data. 1137 * @len Size of data in bytes. 1138 * @fek Encrypted File Encryption Key or NULL. 1139 */ 1140 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1141 uint32_t len, const uint8_t *fek, 1142 const TEE_UUID *uuid) 1143 { 1144 TEE_Result res = TEE_ERROR_GENERIC; 1145 struct tee_rpmb_mem mem = { 0 }; 1146 uint16_t msg_type; 1147 uint8_t nonce[RPMB_NONCE_SIZE]; 1148 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1149 struct rpmb_req *req = NULL; 1150 struct rpmb_data_frame *resp = NULL; 1151 struct rpmb_raw_data rawdata; 1152 uint32_t req_size; 1153 uint32_t resp_size; 1154 uint16_t blk_idx; 1155 uint16_t blkcnt; 1156 uint8_t byte_offset; 1157 1158 if (!data || !len) 1159 return TEE_ERROR_BAD_PARAMETERS; 1160 1161 blk_idx = addr / RPMB_DATA_SIZE; 1162 byte_offset = addr % RPMB_DATA_SIZE; 1163 1164 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1165 /* Overflow */ 1166 return TEE_ERROR_BAD_PARAMETERS; 1167 } 1168 blkcnt = 1169 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1170 res = tee_rpmb_init(dev_id); 1171 if (res != TEE_SUCCESS) 1172 goto func_exit; 1173 1174 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1175 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1176 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1177 (void *)&req, (void *)&resp); 1178 if (res != TEE_SUCCESS) 1179 goto func_exit; 1180 1181 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1182 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1183 if (res != TEE_SUCCESS) 1184 goto func_exit; 1185 1186 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1187 rawdata.msg_type = msg_type; 1188 rawdata.nonce = nonce; 1189 rawdata.blk_idx = &blk_idx; 1190 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1191 if (res != TEE_SUCCESS) 1192 goto func_exit; 1193 1194 req->block_count = blkcnt; 1195 1196 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1197 blk_idx); 1198 1199 res = tee_rpmb_invoke(&mem); 1200 if (res != TEE_SUCCESS) 1201 goto func_exit; 1202 1203 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1204 1205 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1206 rawdata.msg_type = msg_type; 1207 rawdata.block_count = &blkcnt; 1208 rawdata.blk_idx = &blk_idx; 1209 rawdata.nonce = nonce; 1210 rawdata.key_mac = hmac; 1211 rawdata.data = data; 1212 1213 rawdata.len = len; 1214 rawdata.byte_offset = byte_offset; 1215 1216 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1217 if (res != TEE_SUCCESS) 1218 goto func_exit; 1219 1220 res = TEE_SUCCESS; 1221 1222 func_exit: 1223 tee_rpmb_free(&mem); 1224 return res; 1225 } 1226 1227 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1228 const uint8_t *data_blks, uint16_t blkcnt, 1229 const uint8_t *fek, const TEE_UUID *uuid) 1230 { 1231 TEE_Result res; 1232 struct tee_rpmb_mem mem; 1233 uint16_t msg_type; 1234 uint32_t wr_cnt; 1235 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1236 struct rpmb_req *req = NULL; 1237 struct rpmb_data_frame *resp = NULL; 1238 struct rpmb_raw_data rawdata; 1239 uint32_t req_size; 1240 uint32_t resp_size; 1241 uint32_t nbr_writes; 1242 uint16_t tmp_blkcnt; 1243 uint16_t tmp_blk_idx; 1244 uint16_t i; 1245 1246 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1247 blk_idx); 1248 1249 if (!data_blks || !blkcnt) 1250 return TEE_ERROR_BAD_PARAMETERS; 1251 1252 res = tee_rpmb_init(dev_id); 1253 if (res != TEE_SUCCESS) 1254 return res; 1255 1256 /* 1257 * We need to split data when block count 1258 * is bigger than reliable block write count. 1259 */ 1260 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1261 req_size = sizeof(struct rpmb_req) + 1262 RPMB_DATA_FRAME_SIZE * blkcnt; 1263 else 1264 req_size = sizeof(struct rpmb_req) + 1265 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1266 1267 resp_size = RPMB_DATA_FRAME_SIZE; 1268 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1269 (void *)&req, (void *)&resp); 1270 if (res != TEE_SUCCESS) 1271 return res; 1272 1273 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1274 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1275 nbr_writes += 1; 1276 1277 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1278 tmp_blk_idx = blk_idx; 1279 for (i = 0; i < nbr_writes; i++) { 1280 /* 1281 * To handle the last write of block count which is 1282 * equal or smaller than reliable write block count. 1283 */ 1284 if (i == nbr_writes - 1) 1285 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1286 (nbr_writes - 1); 1287 1288 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1289 wr_cnt = rpmb_ctx->wr_cnt; 1290 1291 memset(req, 0x00, req_size); 1292 memset(resp, 0x00, resp_size); 1293 1294 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1295 rawdata.msg_type = msg_type; 1296 rawdata.block_count = &tmp_blkcnt; 1297 rawdata.blk_idx = &tmp_blk_idx; 1298 rawdata.write_counter = &wr_cnt; 1299 rawdata.key_mac = hmac; 1300 rawdata.data = (uint8_t *)data_blks + 1301 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1302 1303 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1304 fek, uuid); 1305 if (res != TEE_SUCCESS) 1306 goto out; 1307 1308 res = tee_rpmb_invoke(&mem); 1309 if (res != TEE_SUCCESS) { 1310 /* 1311 * To force wr_cnt sync next time, as it might get 1312 * out of sync due to inconsistent operation result! 1313 */ 1314 rpmb_ctx->wr_cnt_synced = false; 1315 goto out; 1316 } 1317 1318 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1319 1320 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1321 rawdata.msg_type = msg_type; 1322 rawdata.block_count = &tmp_blkcnt; 1323 rawdata.blk_idx = &tmp_blk_idx; 1324 rawdata.write_counter = &wr_cnt; 1325 rawdata.key_mac = hmac; 1326 1327 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1328 NULL); 1329 if (res != TEE_SUCCESS) { 1330 /* 1331 * To force wr_cnt sync next time, as it might get 1332 * out of sync due to inconsistent operation result! 1333 */ 1334 rpmb_ctx->wr_cnt_synced = false; 1335 goto out; 1336 } 1337 1338 tmp_blk_idx += tmp_blkcnt; 1339 } 1340 1341 out: 1342 tee_rpmb_free(&mem); 1343 return res; 1344 } 1345 1346 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1347 uint32_t len) 1348 { 1349 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1350 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1351 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1352 1353 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1354 } 1355 1356 /* 1357 * Write RPMB data in bytes. 1358 * 1359 * @dev_id Device ID of the eMMC device. 1360 * @addr Byte address of data. 1361 * @data Pointer to the data. 1362 * @len Size of data in bytes. 1363 * @fek Encrypted File Encryption Key or NULL. 1364 */ 1365 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1366 const uint8_t *data, uint32_t len, 1367 const uint8_t *fek, const TEE_UUID *uuid) 1368 { 1369 TEE_Result res = TEE_ERROR_GENERIC; 1370 uint8_t *data_tmp = NULL; 1371 uint16_t blk_idx; 1372 uint16_t blkcnt; 1373 uint8_t byte_offset; 1374 1375 blk_idx = addr / RPMB_DATA_SIZE; 1376 byte_offset = addr % RPMB_DATA_SIZE; 1377 1378 blkcnt = 1379 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1380 1381 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1382 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1383 uuid); 1384 if (res != TEE_SUCCESS) 1385 goto func_exit; 1386 } else { 1387 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1388 if (!data_tmp) { 1389 res = TEE_ERROR_OUT_OF_MEMORY; 1390 goto func_exit; 1391 } 1392 1393 /* Read the complete blocks */ 1394 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1395 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1396 if (res != TEE_SUCCESS) 1397 goto func_exit; 1398 1399 /* Partial update of the data blocks */ 1400 memcpy(data_tmp + byte_offset, data, len); 1401 1402 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1403 fek, uuid); 1404 if (res != TEE_SUCCESS) 1405 goto func_exit; 1406 } 1407 1408 res = TEE_SUCCESS; 1409 1410 func_exit: 1411 free(data_tmp); 1412 return res; 1413 } 1414 1415 /* 1416 * Read the RPMB write counter. 1417 * 1418 * @dev_id Device ID of the eMMC device. 1419 * @counter Pointer to the counter. 1420 */ 1421 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1422 uint32_t *counter) 1423 { 1424 TEE_Result res = TEE_SUCCESS; 1425 1426 if (!counter) 1427 return TEE_ERROR_BAD_PARAMETERS; 1428 1429 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1430 res = tee_rpmb_init(dev_id); 1431 if (res != TEE_SUCCESS) 1432 goto func_exit; 1433 } 1434 1435 *counter = rpmb_ctx->wr_cnt; 1436 1437 func_exit: 1438 return res; 1439 } 1440 1441 /* 1442 * Read the RPMB max block. 1443 * 1444 * @dev_id Device ID of the eMMC device. 1445 * @counter Pointer to receive the max block. 1446 */ 1447 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1448 { 1449 TEE_Result res = TEE_SUCCESS; 1450 1451 if (!max_block) 1452 return TEE_ERROR_BAD_PARAMETERS; 1453 1454 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1455 res = tee_rpmb_init(dev_id); 1456 if (res != TEE_SUCCESS) 1457 goto func_exit; 1458 } 1459 1460 *max_block = rpmb_ctx->max_blk_idx; 1461 1462 func_exit: 1463 return res; 1464 } 1465 1466 /* 1467 * End of lower interface to RPMB device 1468 */ 1469 1470 static TEE_Result get_fat_start_address(uint32_t *addr); 1471 1472 static void dump_fat(void) 1473 { 1474 TEE_Result res = TEE_ERROR_GENERIC; 1475 struct rpmb_fat_entry *fat_entries = NULL; 1476 uint32_t fat_address; 1477 size_t size; 1478 int i; 1479 bool last_entry_found = false; 1480 1481 res = get_fat_start_address(&fat_address); 1482 if (res != TEE_SUCCESS) 1483 goto out; 1484 1485 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1486 fat_entries = malloc(size); 1487 if (!fat_entries) { 1488 res = TEE_ERROR_OUT_OF_MEMORY; 1489 goto out; 1490 } 1491 1492 while (!last_entry_found) { 1493 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1494 (uint8_t *)fat_entries, size, NULL, NULL); 1495 if (res != TEE_SUCCESS) 1496 goto out; 1497 1498 for (i = 0; i < N_ENTRIES; i++) { 1499 1500 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1501 fat_entries[i].flags, 1502 fat_entries[i].data_size, 1503 fat_entries[i].start_address, 1504 fat_entries[i].filename); 1505 1506 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1507 last_entry_found = true; 1508 break; 1509 } 1510 1511 /* Move to next fat_entry. */ 1512 fat_address += sizeof(struct rpmb_fat_entry); 1513 } 1514 } 1515 1516 out: 1517 free(fat_entries); 1518 } 1519 1520 #if (TRACE_LEVEL >= TRACE_DEBUG) 1521 static void dump_fh(struct rpmb_file_handle *fh) 1522 { 1523 DMSG("fh->filename=%s", fh->filename); 1524 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1525 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1526 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1527 } 1528 #else 1529 static void dump_fh(struct rpmb_file_handle *fh __unused) 1530 { 1531 } 1532 #endif 1533 1534 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1535 bool temporary) 1536 { 1537 struct rpmb_file_handle *fh = NULL; 1538 1539 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1540 if (!fh) 1541 return NULL; 1542 1543 if (po) 1544 tee_svc_storage_create_filename(fh->filename, 1545 sizeof(fh->filename), po, 1546 temporary); 1547 1548 return fh; 1549 } 1550 1551 /** 1552 * write_fat_entry: Store info in a fat_entry to RPMB. 1553 */ 1554 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1555 bool update_write_counter) 1556 { 1557 TEE_Result res = TEE_ERROR_GENERIC; 1558 1559 /* Protect partition data. */ 1560 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1561 res = TEE_ERROR_ACCESS_CONFLICT; 1562 goto out; 1563 } 1564 1565 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1566 res = TEE_ERROR_BAD_PARAMETERS; 1567 goto out; 1568 } 1569 1570 if (update_write_counter) { 1571 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1572 &fh->fat_entry.write_counter); 1573 if (res != TEE_SUCCESS) 1574 goto out; 1575 } 1576 1577 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1578 (uint8_t *)&fh->fat_entry, 1579 sizeof(struct rpmb_fat_entry), NULL, NULL); 1580 1581 dump_fat(); 1582 1583 out: 1584 return res; 1585 } 1586 1587 /** 1588 * rpmb_fs_setup: Setup rpmb fs. 1589 * Set initial partition and FS values and write to RPMB. 1590 * Store frequently used data in RAM. 1591 */ 1592 static TEE_Result rpmb_fs_setup(void) 1593 { 1594 TEE_Result res = TEE_ERROR_GENERIC; 1595 struct rpmb_fs_partition *partition_data = NULL; 1596 struct rpmb_file_handle *fh = NULL; 1597 uint32_t max_rpmb_block = 0; 1598 1599 if (fs_par) { 1600 res = TEE_SUCCESS; 1601 goto out; 1602 } 1603 1604 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1605 if (res != TEE_SUCCESS) 1606 goto out; 1607 1608 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1609 if (!partition_data) { 1610 res = TEE_ERROR_OUT_OF_MEMORY; 1611 goto out; 1612 } 1613 1614 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1615 (uint8_t *)partition_data, 1616 sizeof(struct rpmb_fs_partition), NULL, NULL); 1617 if (res != TEE_SUCCESS) 1618 goto out; 1619 1620 #ifndef CFG_RPMB_RESET_FAT 1621 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1622 if (partition_data->fs_version == FS_VERSION) { 1623 res = TEE_SUCCESS; 1624 goto store_fs_par; 1625 } else { 1626 EMSG("Wrong software is in use."); 1627 res = TEE_ERROR_ACCESS_DENIED; 1628 goto out; 1629 } 1630 } 1631 #else 1632 EMSG("**** Clearing Storage ****"); 1633 #endif 1634 1635 /* Setup new partition data. */ 1636 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1637 partition_data->fs_version = FS_VERSION; 1638 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1639 1640 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1641 fh = alloc_file_handle(NULL, false); 1642 if (!fh) { 1643 res = TEE_ERROR_OUT_OF_MEMORY; 1644 goto out; 1645 } 1646 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1647 fh->rpmb_fat_address = partition_data->fat_start_address; 1648 1649 /* Write init FAT entry and partition data to RPMB. */ 1650 res = write_fat_entry(fh, true); 1651 if (res != TEE_SUCCESS) 1652 goto out; 1653 1654 res = 1655 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1656 &partition_data->write_counter); 1657 if (res != TEE_SUCCESS) 1658 goto out; 1659 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1660 (uint8_t *)partition_data, 1661 sizeof(struct rpmb_fs_partition), NULL, NULL); 1662 1663 #ifndef CFG_RPMB_RESET_FAT 1664 store_fs_par: 1665 #endif 1666 1667 /* Store FAT start address. */ 1668 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1669 if (!fs_par) { 1670 res = TEE_ERROR_OUT_OF_MEMORY; 1671 goto out; 1672 } 1673 1674 fs_par->fat_start_address = partition_data->fat_start_address; 1675 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1676 1677 dump_fat(); 1678 1679 out: 1680 free(fh); 1681 free(partition_data); 1682 return res; 1683 } 1684 1685 /** 1686 * get_fat_start_address: 1687 * FAT start_address from fs_par. 1688 */ 1689 static TEE_Result get_fat_start_address(uint32_t *addr) 1690 { 1691 if (!fs_par) 1692 return TEE_ERROR_NO_DATA; 1693 1694 *addr = fs_par->fat_start_address; 1695 1696 return TEE_SUCCESS; 1697 } 1698 1699 /** 1700 * read_fat: Read FAT entries 1701 * Return matching FAT entry for read, rm rename and stat. 1702 * Build up memory pool and return matching entry for write operation. 1703 * "Last FAT entry" can be returned during write. 1704 */ 1705 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1706 { 1707 TEE_Result res = TEE_ERROR_GENERIC; 1708 tee_mm_entry_t *mm = NULL; 1709 struct rpmb_fat_entry *fat_entries = NULL; 1710 uint32_t fat_address; 1711 size_t size; 1712 int i; 1713 bool entry_found = false; 1714 bool last_entry_found = false; 1715 bool expand_fat = false; 1716 struct rpmb_file_handle last_fh; 1717 1718 DMSG("fat_address %d", fh->rpmb_fat_address); 1719 1720 res = rpmb_fs_setup(); 1721 if (res != TEE_SUCCESS) 1722 goto out; 1723 1724 res = get_fat_start_address(&fat_address); 1725 if (res != TEE_SUCCESS) 1726 goto out; 1727 1728 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1729 fat_entries = malloc(size); 1730 if (!fat_entries) { 1731 res = TEE_ERROR_OUT_OF_MEMORY; 1732 goto out; 1733 } 1734 1735 /* 1736 * The pool is used to represent the current RPMB layout. To find 1737 * a slot for the file tee_mm_alloc is called on the pool. Thus 1738 * if it is not NULL the entire FAT must be traversed to fill in 1739 * the pool. 1740 */ 1741 while (!last_entry_found && (!entry_found || p)) { 1742 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1743 (uint8_t *)fat_entries, size, NULL, NULL); 1744 if (res != TEE_SUCCESS) 1745 goto out; 1746 1747 for (i = 0; i < N_ENTRIES; i++) { 1748 /* 1749 * Look for an entry, matching filenames. (read, rm, 1750 * rename and stat.). Only store first filename match. 1751 */ 1752 if (fh->filename && 1753 (strcmp(fh->filename, 1754 fat_entries[i].filename) == 0) && 1755 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1756 (!entry_found)) { 1757 entry_found = true; 1758 fh->rpmb_fat_address = fat_address; 1759 memcpy(&fh->fat_entry, &fat_entries[i], 1760 sizeof(struct rpmb_fat_entry)); 1761 if (!p) 1762 break; 1763 } 1764 1765 /* Add existing files to memory pool. (write) */ 1766 if (p) { 1767 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1768 (fat_entries[i].data_size > 0)) { 1769 1770 mm = tee_mm_alloc2 1771 (p, 1772 fat_entries[i].start_address, 1773 fat_entries[i].data_size); 1774 if (!mm) { 1775 res = TEE_ERROR_OUT_OF_MEMORY; 1776 goto out; 1777 } 1778 } 1779 1780 /* Unused FAT entries can be reused (write) */ 1781 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1782 0) && (fh->rpmb_fat_address == 0)) { 1783 fh->rpmb_fat_address = fat_address; 1784 memcpy(&fh->fat_entry, &fat_entries[i], 1785 sizeof(struct rpmb_fat_entry)); 1786 } 1787 } 1788 1789 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1790 last_entry_found = true; 1791 1792 /* 1793 * If the last entry was reached and was chosen 1794 * by the previous check, then the FAT needs to 1795 * be expanded. 1796 * fh->rpmb_fat_address is the address chosen 1797 * to store the files FAT entry and fat_address 1798 * is the current FAT entry address being 1799 * compared. 1800 */ 1801 if (p && fh->rpmb_fat_address == fat_address) 1802 expand_fat = true; 1803 break; 1804 } 1805 1806 /* Move to next fat_entry. */ 1807 fat_address += sizeof(struct rpmb_fat_entry); 1808 } 1809 } 1810 1811 /* 1812 * Represent the FAT table in the pool. 1813 */ 1814 if (p) { 1815 /* 1816 * Since fat_address is the start of the last entry it needs to 1817 * be moved up by an entry. 1818 */ 1819 fat_address += sizeof(struct rpmb_fat_entry); 1820 1821 /* Make room for yet a FAT entry and add to memory pool. */ 1822 if (expand_fat) 1823 fat_address += sizeof(struct rpmb_fat_entry); 1824 1825 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1826 if (!mm) { 1827 res = TEE_ERROR_OUT_OF_MEMORY; 1828 goto out; 1829 } 1830 1831 if (expand_fat) { 1832 /* 1833 * Point fat_address to the beginning of the new 1834 * entry. 1835 */ 1836 fat_address -= sizeof(struct rpmb_fat_entry); 1837 memset(&last_fh, 0, sizeof(last_fh)); 1838 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1839 last_fh.rpmb_fat_address = fat_address; 1840 res = write_fat_entry(&last_fh, true); 1841 if (res != TEE_SUCCESS) 1842 goto out; 1843 } 1844 } 1845 1846 if (fh->filename && !fh->rpmb_fat_address) 1847 res = TEE_ERROR_ITEM_NOT_FOUND; 1848 1849 out: 1850 free(fat_entries); 1851 return res; 1852 } 1853 1854 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1855 { 1856 TEE_Result res; 1857 1858 again: 1859 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1860 if (res != TEE_SUCCESS) 1861 return res; 1862 1863 if (is_zero(fe->fek, sizeof(fe->fek))) 1864 goto again; 1865 1866 return res; 1867 } 1868 1869 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1870 const TEE_UUID *uuid, bool create) 1871 { 1872 tee_mm_pool_t p; 1873 bool pool_result; 1874 TEE_Result res = TEE_ERROR_GENERIC; 1875 1876 /* We need to do setup in order to make sure fs_par is filled in */ 1877 res = rpmb_fs_setup(); 1878 if (res != TEE_SUCCESS) 1879 goto out; 1880 1881 fh->uuid = uuid; 1882 if (create) { 1883 /* Upper memory allocation must be used for RPMB_FS. */ 1884 pool_result = tee_mm_init(&p, 1885 RPMB_STORAGE_START_ADDRESS, 1886 fs_par->max_rpmb_address, 1887 RPMB_BLOCK_SIZE_SHIFT, 1888 TEE_MM_POOL_HI_ALLOC); 1889 1890 if (!pool_result) { 1891 res = TEE_ERROR_OUT_OF_MEMORY; 1892 goto out; 1893 } 1894 1895 res = read_fat(fh, &p); 1896 tee_mm_final(&p); 1897 if (res != TEE_SUCCESS) 1898 goto out; 1899 } else { 1900 res = read_fat(fh, NULL); 1901 if (res != TEE_SUCCESS) 1902 goto out; 1903 } 1904 1905 /* 1906 * If this is opened with create and the entry found was not active 1907 * then this is a new file and the FAT entry must be written 1908 */ 1909 if (create) { 1910 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1911 memset(&fh->fat_entry, 0, 1912 sizeof(struct rpmb_fat_entry)); 1913 memcpy(fh->fat_entry.filename, fh->filename, 1914 strlen(fh->filename)); 1915 /* Start address and size are 0 */ 1916 fh->fat_entry.flags = FILE_IS_ACTIVE; 1917 1918 res = generate_fek(&fh->fat_entry, uuid); 1919 if (res != TEE_SUCCESS) 1920 goto out; 1921 DMSG("GENERATE FEK key: %p", 1922 (void *)fh->fat_entry.fek); 1923 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1924 1925 res = write_fat_entry(fh, true); 1926 if (res != TEE_SUCCESS) 1927 goto out; 1928 } 1929 } 1930 1931 res = TEE_SUCCESS; 1932 1933 out: 1934 return res; 1935 } 1936 1937 static void rpmb_fs_close(struct tee_file_handle **tfh) 1938 { 1939 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1940 1941 free(fh); 1942 *tfh = NULL; 1943 } 1944 1945 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1946 void *buf, size_t *len) 1947 { 1948 TEE_Result res; 1949 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1950 size_t size = *len; 1951 1952 if (!size) 1953 return TEE_SUCCESS; 1954 1955 mutex_lock(&rpmb_mutex); 1956 1957 dump_fh(fh); 1958 1959 res = read_fat(fh, NULL); 1960 if (res != TEE_SUCCESS) 1961 goto out; 1962 1963 if (pos >= fh->fat_entry.data_size) { 1964 *len = 0; 1965 goto out; 1966 } 1967 1968 size = MIN(size, fh->fat_entry.data_size - pos); 1969 if (size) { 1970 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1971 fh->fat_entry.start_address + pos, buf, 1972 size, fh->fat_entry.fek, fh->uuid); 1973 if (res != TEE_SUCCESS) 1974 goto out; 1975 } 1976 *len = size; 1977 1978 out: 1979 mutex_unlock(&rpmb_mutex); 1980 return res; 1981 } 1982 1983 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1984 size_t pos, const void *buf, 1985 size_t size) 1986 { 1987 TEE_Result res; 1988 tee_mm_pool_t p; 1989 bool pool_result = false; 1990 tee_mm_entry_t *mm; 1991 size_t end; 1992 size_t newsize; 1993 uint8_t *newbuf = NULL; 1994 uintptr_t newaddr; 1995 uint32_t start_addr; 1996 1997 if (!size) 1998 return TEE_SUCCESS; 1999 2000 if (!fs_par) { 2001 res = TEE_ERROR_GENERIC; 2002 goto out; 2003 } 2004 2005 dump_fh(fh); 2006 2007 /* Upper memory allocation must be used for RPMB_FS. */ 2008 pool_result = tee_mm_init(&p, 2009 RPMB_STORAGE_START_ADDRESS, 2010 fs_par->max_rpmb_address, 2011 RPMB_BLOCK_SIZE_SHIFT, 2012 TEE_MM_POOL_HI_ALLOC); 2013 if (!pool_result) { 2014 res = TEE_ERROR_OUT_OF_MEMORY; 2015 goto out; 2016 } 2017 2018 res = read_fat(fh, &p); 2019 if (res != TEE_SUCCESS) 2020 goto out; 2021 2022 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2023 panic("invalid last entry flag"); 2024 2025 if (ADD_OVERFLOW(pos, size, &end)) { 2026 res = TEE_ERROR_BAD_PARAMETERS; 2027 goto out; 2028 } 2029 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2030 res = TEE_ERROR_BAD_PARAMETERS; 2031 goto out; 2032 } 2033 2034 if (end <= fh->fat_entry.data_size && 2035 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2036 2037 DMSG("Updating data in-place"); 2038 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2039 size, fh->fat_entry.fek, fh->uuid); 2040 if (res != TEE_SUCCESS) 2041 goto out; 2042 } else { 2043 /* 2044 * File must be extended, or update cannot be atomic: allocate, 2045 * read, update, write. 2046 */ 2047 2048 DMSG("Need to re-allocate"); 2049 newsize = MAX(end, fh->fat_entry.data_size); 2050 mm = tee_mm_alloc(&p, newsize); 2051 newbuf = calloc(1, newsize); 2052 if (!mm || !newbuf) { 2053 res = TEE_ERROR_OUT_OF_MEMORY; 2054 goto out; 2055 } 2056 2057 if (fh->fat_entry.data_size) { 2058 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2059 fh->fat_entry.start_address, 2060 newbuf, fh->fat_entry.data_size, 2061 fh->fat_entry.fek, fh->uuid); 2062 if (res != TEE_SUCCESS) 2063 goto out; 2064 } 2065 2066 memcpy(newbuf + pos, buf, size); 2067 2068 newaddr = tee_mm_get_smem(mm); 2069 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2070 newsize, fh->fat_entry.fek, fh->uuid); 2071 if (res != TEE_SUCCESS) 2072 goto out; 2073 2074 fh->fat_entry.data_size = newsize; 2075 fh->fat_entry.start_address = newaddr; 2076 res = write_fat_entry(fh, true); 2077 if (res != TEE_SUCCESS) 2078 goto out; 2079 } 2080 2081 out: 2082 if (pool_result) 2083 tee_mm_final(&p); 2084 if (newbuf) 2085 free(newbuf); 2086 2087 return res; 2088 } 2089 2090 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2091 const void *buf, size_t size) 2092 { 2093 TEE_Result res; 2094 2095 mutex_lock(&rpmb_mutex); 2096 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2097 buf, size); 2098 mutex_unlock(&rpmb_mutex); 2099 2100 return res; 2101 } 2102 2103 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2104 { 2105 TEE_Result res; 2106 2107 res = read_fat(fh, NULL); 2108 if (res) 2109 return res; 2110 2111 /* Clear this file entry. */ 2112 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2113 return write_fat_entry(fh, false); 2114 } 2115 2116 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2117 { 2118 TEE_Result res; 2119 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2120 2121 if (!fh) 2122 return TEE_ERROR_OUT_OF_MEMORY; 2123 2124 mutex_lock(&rpmb_mutex); 2125 2126 res = rpmb_fs_remove_internal(fh); 2127 2128 mutex_unlock(&rpmb_mutex); 2129 2130 free(fh); 2131 return res; 2132 } 2133 2134 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2135 struct tee_pobj *new, 2136 bool overwrite) 2137 { 2138 TEE_Result res = TEE_ERROR_GENERIC; 2139 struct rpmb_file_handle *fh_old = NULL; 2140 struct rpmb_file_handle *fh_new = NULL; 2141 2142 if (!old) { 2143 res = TEE_ERROR_BAD_PARAMETERS; 2144 goto out; 2145 } 2146 2147 if (new) 2148 fh_old = alloc_file_handle(old, old->temporary); 2149 else 2150 fh_old = alloc_file_handle(old, true); 2151 if (!fh_old) { 2152 res = TEE_ERROR_OUT_OF_MEMORY; 2153 goto out; 2154 } 2155 2156 if (new) 2157 fh_new = alloc_file_handle(new, new->temporary); 2158 else 2159 fh_new = alloc_file_handle(old, false); 2160 if (!fh_new) { 2161 res = TEE_ERROR_OUT_OF_MEMORY; 2162 goto out; 2163 } 2164 2165 res = read_fat(fh_old, NULL); 2166 if (res != TEE_SUCCESS) 2167 goto out; 2168 2169 res = read_fat(fh_new, NULL); 2170 if (res == TEE_SUCCESS) { 2171 if (!overwrite) { 2172 res = TEE_ERROR_ACCESS_CONFLICT; 2173 goto out; 2174 } 2175 2176 /* Clear this file entry. */ 2177 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2178 res = write_fat_entry(fh_new, false); 2179 if (res != TEE_SUCCESS) 2180 goto out; 2181 } 2182 2183 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2184 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2185 strlen(fh_new->filename)); 2186 2187 res = write_fat_entry(fh_old, false); 2188 2189 out: 2190 free(fh_old); 2191 free(fh_new); 2192 2193 return res; 2194 } 2195 2196 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2197 bool overwrite) 2198 { 2199 TEE_Result res; 2200 2201 mutex_lock(&rpmb_mutex); 2202 res = rpmb_fs_rename_internal(old, new, overwrite); 2203 mutex_unlock(&rpmb_mutex); 2204 2205 return res; 2206 } 2207 2208 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2209 { 2210 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2211 tee_mm_pool_t p; 2212 bool pool_result = false; 2213 tee_mm_entry_t *mm; 2214 uint32_t newsize; 2215 uint8_t *newbuf = NULL; 2216 uintptr_t newaddr; 2217 TEE_Result res = TEE_ERROR_GENERIC; 2218 2219 mutex_lock(&rpmb_mutex); 2220 2221 if (length > INT32_MAX) { 2222 res = TEE_ERROR_BAD_PARAMETERS; 2223 goto out; 2224 } 2225 newsize = length; 2226 2227 res = read_fat(fh, NULL); 2228 if (res != TEE_SUCCESS) 2229 goto out; 2230 2231 if (newsize > fh->fat_entry.data_size) { 2232 /* Extend file */ 2233 2234 pool_result = tee_mm_init(&p, 2235 RPMB_STORAGE_START_ADDRESS, 2236 fs_par->max_rpmb_address, 2237 RPMB_BLOCK_SIZE_SHIFT, 2238 TEE_MM_POOL_HI_ALLOC); 2239 if (!pool_result) { 2240 res = TEE_ERROR_OUT_OF_MEMORY; 2241 goto out; 2242 } 2243 res = read_fat(fh, &p); 2244 if (res != TEE_SUCCESS) 2245 goto out; 2246 2247 mm = tee_mm_alloc(&p, newsize); 2248 newbuf = calloc(1, newsize); 2249 if (!mm || !newbuf) { 2250 res = TEE_ERROR_OUT_OF_MEMORY; 2251 goto out; 2252 } 2253 2254 if (fh->fat_entry.data_size) { 2255 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2256 fh->fat_entry.start_address, 2257 newbuf, fh->fat_entry.data_size, 2258 fh->fat_entry.fek, fh->uuid); 2259 if (res != TEE_SUCCESS) 2260 goto out; 2261 } 2262 2263 newaddr = tee_mm_get_smem(mm); 2264 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2265 newsize, fh->fat_entry.fek, fh->uuid); 2266 if (res != TEE_SUCCESS) 2267 goto out; 2268 2269 } else { 2270 /* Don't change file location */ 2271 newaddr = fh->fat_entry.start_address; 2272 } 2273 2274 /* fh->pos is unchanged */ 2275 fh->fat_entry.data_size = newsize; 2276 fh->fat_entry.start_address = newaddr; 2277 res = write_fat_entry(fh, true); 2278 2279 out: 2280 mutex_unlock(&rpmb_mutex); 2281 if (pool_result) 2282 tee_mm_final(&p); 2283 if (newbuf) 2284 free(newbuf); 2285 2286 return res; 2287 } 2288 2289 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2290 { 2291 struct tee_rpmb_fs_dirent *e; 2292 2293 if (!dir) 2294 return; 2295 2296 free(dir->current); 2297 2298 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2299 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2300 free(e); 2301 } 2302 } 2303 2304 static TEE_Result rpmb_fs_dir_populate(const char *path, 2305 struct tee_fs_dir *dir) 2306 { 2307 struct tee_rpmb_fs_dirent *current = NULL; 2308 struct rpmb_fat_entry *fat_entries = NULL; 2309 uint32_t fat_address; 2310 uint32_t filelen; 2311 char *filename; 2312 int i; 2313 bool last_entry_found = false; 2314 bool matched; 2315 struct tee_rpmb_fs_dirent *next = NULL; 2316 uint32_t pathlen; 2317 TEE_Result res = TEE_ERROR_GENERIC; 2318 uint32_t size; 2319 char temp; 2320 2321 mutex_lock(&rpmb_mutex); 2322 2323 res = rpmb_fs_setup(); 2324 if (res != TEE_SUCCESS) 2325 goto out; 2326 2327 res = get_fat_start_address(&fat_address); 2328 if (res != TEE_SUCCESS) 2329 goto out; 2330 2331 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2332 fat_entries = malloc(size); 2333 if (!fat_entries) { 2334 res = TEE_ERROR_OUT_OF_MEMORY; 2335 goto out; 2336 } 2337 2338 pathlen = strlen(path); 2339 while (!last_entry_found) { 2340 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2341 (uint8_t *)fat_entries, size, NULL, NULL); 2342 if (res != TEE_SUCCESS) 2343 goto out; 2344 2345 for (i = 0; i < N_ENTRIES; i++) { 2346 filename = fat_entries[i].filename; 2347 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2348 matched = false; 2349 filelen = strlen(filename); 2350 if (filelen > pathlen) { 2351 temp = filename[pathlen]; 2352 filename[pathlen] = '\0'; 2353 if (strcmp(filename, path) == 0) 2354 matched = true; 2355 2356 filename[pathlen] = temp; 2357 } 2358 2359 if (matched) { 2360 next = malloc(sizeof(*next)); 2361 if (!next) { 2362 res = TEE_ERROR_OUT_OF_MEMORY; 2363 goto out; 2364 } 2365 2366 next->entry.oidlen = tee_hs2b( 2367 (uint8_t *)&filename[pathlen], 2368 next->entry.oid, 2369 filelen - pathlen, 2370 sizeof(next->entry.oid)); 2371 if (next->entry.oidlen) { 2372 SIMPLEQ_INSERT_TAIL(&dir->next, 2373 next, link); 2374 current = next; 2375 } else { 2376 free(next); 2377 next = NULL; 2378 } 2379 2380 } 2381 } 2382 2383 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2384 last_entry_found = true; 2385 break; 2386 } 2387 2388 /* Move to next fat_entry. */ 2389 fat_address += sizeof(struct rpmb_fat_entry); 2390 } 2391 } 2392 2393 if (current) 2394 res = TEE_SUCCESS; 2395 else 2396 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2397 2398 out: 2399 mutex_unlock(&rpmb_mutex); 2400 if (res != TEE_SUCCESS) 2401 rpmb_fs_dir_free(dir); 2402 if (fat_entries) 2403 free(fat_entries); 2404 2405 return res; 2406 } 2407 2408 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2409 { 2410 uint32_t len; 2411 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2412 TEE_Result res = TEE_ERROR_GENERIC; 2413 struct tee_fs_dir *rpmb_dir = NULL; 2414 2415 if (!uuid || !dir) { 2416 res = TEE_ERROR_BAD_PARAMETERS; 2417 goto out; 2418 } 2419 2420 memset(path_local, 0, sizeof(path_local)); 2421 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2422 uuid) != TEE_SUCCESS) { 2423 res = TEE_ERROR_BAD_PARAMETERS; 2424 goto out; 2425 } 2426 len = strlen(path_local); 2427 2428 /* Add a slash to correctly match the full directory name. */ 2429 if (path_local[len - 1] != '/') 2430 path_local[len] = '/'; 2431 2432 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2433 if (!rpmb_dir) { 2434 res = TEE_ERROR_OUT_OF_MEMORY; 2435 goto out; 2436 } 2437 SIMPLEQ_INIT(&rpmb_dir->next); 2438 2439 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2440 if (res != TEE_SUCCESS) { 2441 free(rpmb_dir); 2442 rpmb_dir = NULL; 2443 goto out; 2444 } 2445 2446 *dir = rpmb_dir; 2447 2448 out: 2449 return res; 2450 } 2451 2452 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2453 struct tee_fs_dirent **ent) 2454 { 2455 if (!dir) 2456 return TEE_ERROR_GENERIC; 2457 2458 free(dir->current); 2459 2460 dir->current = SIMPLEQ_FIRST(&dir->next); 2461 if (!dir->current) 2462 return TEE_ERROR_ITEM_NOT_FOUND; 2463 2464 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2465 2466 *ent = &dir->current->entry; 2467 return TEE_SUCCESS; 2468 } 2469 2470 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2471 { 2472 if (dir) { 2473 rpmb_fs_dir_free(dir); 2474 free(dir); 2475 } 2476 } 2477 2478 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2479 struct tee_file_handle **ret_fh) 2480 { 2481 TEE_Result res; 2482 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2483 2484 if (!fh) 2485 return TEE_ERROR_OUT_OF_MEMORY; 2486 2487 mutex_lock(&rpmb_mutex); 2488 2489 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2490 if (!res && size) 2491 *size = fh->fat_entry.data_size; 2492 2493 mutex_unlock(&rpmb_mutex); 2494 2495 if (res) 2496 free(fh); 2497 else 2498 *ret_fh = (struct tee_file_handle *)fh; 2499 2500 return res; 2501 } 2502 2503 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2504 const void *head, size_t head_size, 2505 const void *attr, size_t attr_size, 2506 const void *data, size_t data_size, 2507 struct tee_file_handle **ret_fh) 2508 { 2509 TEE_Result res; 2510 size_t pos = 0; 2511 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2512 2513 if (!fh) 2514 return TEE_ERROR_OUT_OF_MEMORY; 2515 2516 mutex_lock(&rpmb_mutex); 2517 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2518 if (res) 2519 goto out; 2520 2521 if (head && head_size) { 2522 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2523 if (res) 2524 goto out; 2525 pos += head_size; 2526 } 2527 2528 if (attr && attr_size) { 2529 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2530 if (res) 2531 goto out; 2532 pos += attr_size; 2533 } 2534 2535 if (data && data_size) { 2536 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2537 if (res) 2538 goto out; 2539 } 2540 2541 if (po->temporary) { 2542 /* 2543 * If it's a temporary filename (which it normally is) 2544 * rename into the final filename now that the file is 2545 * fully initialized. 2546 */ 2547 po->temporary = false; 2548 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2549 if (res) { 2550 po->temporary = true; 2551 goto out; 2552 } 2553 /* Update file handle after rename. */ 2554 tee_svc_storage_create_filename(fh->filename, 2555 sizeof(fh->filename), 2556 po, false); 2557 } 2558 2559 out: 2560 if (res) { 2561 rpmb_fs_remove_internal(fh); 2562 free(fh); 2563 } else { 2564 *ret_fh = (struct tee_file_handle *)fh; 2565 } 2566 mutex_unlock(&rpmb_mutex); 2567 2568 return res; 2569 } 2570 2571 const struct tee_file_operations rpmb_fs_ops = { 2572 .open = rpmb_fs_open, 2573 .create = rpmb_fs_create, 2574 .close = rpmb_fs_close, 2575 .read = rpmb_fs_read, 2576 .write = rpmb_fs_write, 2577 .truncate = rpmb_fs_truncate, 2578 .rename = rpmb_fs_rename, 2579 .remove = rpmb_fs_remove, 2580 .opendir = rpmb_fs_opendir, 2581 .closedir = rpmb_fs_closedir, 2582 .readdir = rpmb_fs_readdir, 2583 }; 2584 2585 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2586 struct tee_file_handle **ret_fh) 2587 { 2588 TEE_Result res; 2589 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2590 static const TEE_UUID uuid = { 0 }; 2591 2592 if (!fh) 2593 return TEE_ERROR_OUT_OF_MEMORY; 2594 2595 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2596 2597 mutex_lock(&rpmb_mutex); 2598 2599 res = rpmb_fs_open_internal(fh, &uuid, create); 2600 2601 mutex_unlock(&rpmb_mutex); 2602 2603 if (res) { 2604 if (create) 2605 rpmb_fs_remove_internal(fh); 2606 free(fh); 2607 } else { 2608 *ret_fh = (struct tee_file_handle *)fh; 2609 } 2610 2611 return res; 2612 } 2613