1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <config.h> 8 #include <crypto/crypto.h> 9 #include <kernel/huk_subkey.h> 10 #include <kernel/misc.h> 11 #include <kernel/msg_param.h> 12 #include <kernel/mutex.h> 13 #include <kernel/panic.h> 14 #include <kernel/tee_common.h> 15 #include <kernel/tee_common_otp.h> 16 #include <kernel/tee_misc.h> 17 #include <kernel/thread.h> 18 #include <kernel/user_access.h> 19 #include <mempool.h> 20 #include <mm/core_memprot.h> 21 #include <mm/mobj.h> 22 #include <mm/tee_mm.h> 23 #include <optee_rpc_cmd.h> 24 #include <stdlib.h> 25 #include <string_ext.h> 26 #include <string.h> 27 #include <sys/queue.h> 28 #include <tee/tee_fs.h> 29 #include <tee/tee_fs_key_manager.h> 30 #include <tee/tee_pobj.h> 31 #include <tee/tee_svc_storage.h> 32 #include <trace.h> 33 #include <util.h> 34 35 #define RPMB_STORAGE_START_ADDRESS 0 36 #define RPMB_FS_FAT_START_ADDRESS 512 37 #define RPMB_BLOCK_SIZE_SHIFT 8 38 #define RPMB_CID_PRV_OFFSET 9 39 #define RPMB_CID_CRC_OFFSET 15 40 41 #define RPMB_FS_MAGIC 0x52504D42 42 #define FS_VERSION 2 43 44 #define FILE_IS_ACTIVE (1u << 0) 45 #define FILE_IS_LAST_ENTRY (1u << 1) 46 47 #define TEE_RPMB_FS_FILENAME_LENGTH 224 48 49 #define TMP_BLOCK_SIZE 4096U 50 51 #define RPMB_MAX_RETRIES 10 52 53 /** 54 * Utilized when caching is enabled, i.e., when CFG_RPMB_FS_CACHE_ENTRIES > 0. 55 * Cache size + the number of entries that are repeatedly read in and buffered 56 * once the cache is full. 57 */ 58 #define RPMB_BUF_MAX_ENTRIES (CFG_RPMB_FS_CACHE_ENTRIES + \ 59 CFG_RPMB_FS_RD_ENTRIES) 60 61 /** 62 * FS parameters: Information often used by internal functions. 63 * fat_start_address will be set by rpmb_fs_setup(). 64 * rpmb_fs_parameters can be read by any other function. 65 */ 66 struct rpmb_fs_parameters { 67 uint32_t fat_start_address; 68 uint32_t max_rpmb_address; 69 }; 70 71 /** 72 * File entry for a single file in a RPMB_FS partition. 73 */ 74 struct rpmb_fat_entry { 75 uint32_t start_address; 76 uint32_t data_size; 77 uint32_t flags; 78 uint32_t write_counter; 79 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 80 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 81 }; 82 83 /** 84 * Structure that describes buffered/cached FAT FS entries in RPMB storage. 85 * This structure is used in functions traversing the FAT FS. 86 */ 87 struct rpmb_fat_entry_dir { 88 /* 89 * Buffer storing the FAT FS entries read in from RPMB storage. It 90 * includes the optional cache entries (CFG_RPMB_FS_CACHE_ENTRIES) 91 * and entries temporary read for current FAT FS traversal 92 * (CFG_RPMB_FS_RD_ENTRIES) when not found from cached entries. 93 */ 94 struct rpmb_fat_entry *rpmb_fat_entry_buf; 95 /* Current index of FAT FS entry to read from buffer. */ 96 uint32_t idx_curr; 97 /* Total number of FAT FS entries in buffer. */ 98 uint32_t num_buffered; 99 /* Total number of FAT FS entries read during traversal. */ 100 uint32_t num_total_read; 101 /* Indicates that last FAT FS entry was read. */ 102 bool last_reached; 103 }; 104 105 /** 106 * FAT entry context with reference to a FAT entry and its 107 * location in RPMB. 108 */ 109 struct rpmb_file_handle { 110 struct rpmb_fat_entry fat_entry; 111 const TEE_UUID *uuid; 112 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 113 /* Address for current entry in RPMB */ 114 uint32_t rpmb_fat_address; 115 }; 116 117 /** 118 * RPMB_FS partition data 119 */ 120 struct rpmb_fs_partition { 121 uint32_t rpmb_fs_magic; 122 uint32_t fs_version; 123 uint32_t write_counter; 124 uint32_t fat_start_address; 125 /* Do not use reserved[] for other purpose than partition data. */ 126 uint8_t reserved[112]; 127 }; 128 129 /** 130 * A node in a list of directory entries. 131 */ 132 struct tee_rpmb_fs_dirent { 133 struct tee_fs_dirent entry; 134 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 135 }; 136 137 /** 138 * The RPMB directory representation. It contains a queue of 139 * RPMB directory entries: 'next'. 140 * The current pointer points to the last directory entry 141 * returned by readdir(). 142 */ 143 struct tee_fs_dir { 144 struct tee_rpmb_fs_dirent *current; 145 /* */ 146 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 147 }; 148 149 static struct rpmb_fs_parameters *fs_par; 150 static struct rpmb_fat_entry_dir *fat_entry_dir; 151 152 /* 153 * Lower interface to RPMB device 154 */ 155 156 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 157 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 158 159 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 160 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 161 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 162 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 163 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 164 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 165 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 166 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 167 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 168 169 #define RPMB_STUFF_DATA_SIZE 196 170 #define RPMB_KEY_MAC_SIZE 32 171 #define RPMB_DATA_SIZE 256 172 #define RPMB_NONCE_SIZE 16 173 #define RPMB_DATA_FRAME_SIZE 512 174 175 #define RPMB_RESULT_OK 0x00 176 #define RPMB_RESULT_GENERAL_FAILURE 0x01 177 #define RPMB_RESULT_AUTH_FAILURE 0x02 178 #define RPMB_RESULT_COUNTER_FAILURE 0x03 179 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 180 #define RPMB_RESULT_WRITE_FAILURE 0x05 181 #define RPMB_RESULT_READ_FAILURE 0x06 182 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 183 #define RPMB_RESULT_MASK 0x3F 184 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 185 186 /* RPMB internal commands */ 187 #define RPMB_CMD_DATA_REQ 0x00 188 #define RPMB_CMD_GET_DEV_INFO 0x01 189 190 #define RPMB_SIZE_SINGLE (128 * 1024) 191 192 /* Error codes for get_dev_info request/response. */ 193 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 194 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 195 196 struct rpmb_data_frame { 197 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 198 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 199 uint8_t data[RPMB_DATA_SIZE]; 200 uint8_t nonce[RPMB_NONCE_SIZE]; 201 uint8_t write_counter[4]; 202 uint8_t address[2]; 203 uint8_t block_count[2]; 204 uint8_t op_result[2]; 205 uint8_t msg_type[2]; 206 }; 207 208 struct rpmb_req { 209 uint16_t cmd; 210 uint16_t dev_id; 211 uint16_t block_count; 212 /* variable length of data */ 213 /* uint8_t data[]; REMOVED! */ 214 }; 215 216 #define TEE_RPMB_REQ_DATA(req) \ 217 ((void *)((struct rpmb_req *)(req) + 1)) 218 219 struct rpmb_raw_data { 220 uint16_t msg_type; 221 uint16_t *op_result; 222 uint16_t *block_count; 223 uint16_t *blk_idx; 224 uint32_t *write_counter; 225 uint8_t *nonce; 226 uint8_t *key_mac; 227 uint8_t *data; 228 /* data length to read or write */ 229 uint32_t len; 230 /* Byte address offset in the first block involved */ 231 uint8_t byte_offset; 232 }; 233 234 #define RPMB_EMMC_CID_SIZE 16 235 struct rpmb_dev_info { 236 uint8_t cid[RPMB_EMMC_CID_SIZE]; 237 /* EXT CSD-slice 168 "RPMB Size" */ 238 uint8_t rpmb_size_mult; 239 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 240 uint8_t rel_wr_sec_c; 241 /* Check the ret code and accept the data only if it is OK. */ 242 uint8_t ret_code; 243 }; 244 245 /* 246 * Struct for rpmb context data. 247 * 248 * @key RPMB key. 249 * @cid eMMC card ID. 250 * @wr_cnt Current write counter. 251 * @max_blk_idx The highest block index supported by current device. 252 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 253 * @dev_id Device ID of the eMMC device. 254 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 255 * @key_derived Flag indicating if key has been generated. 256 * @key_verified Flag indicating the key generated is verified ok. 257 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 258 */ 259 struct tee_rpmb_ctx { 260 uint8_t key[RPMB_KEY_MAC_SIZE]; 261 uint8_t cid[RPMB_EMMC_CID_SIZE]; 262 uint32_t wr_cnt; 263 uint16_t max_blk_idx; 264 uint16_t rel_wr_blkcnt; 265 uint16_t dev_id; 266 bool wr_cnt_synced; 267 bool key_derived; 268 bool key_verified; 269 bool dev_info_synced; 270 }; 271 272 static struct tee_rpmb_ctx *rpmb_ctx; 273 274 /* If set to true, don't try to access RPMB until rebooted */ 275 static bool rpmb_dead; 276 277 /* 278 * Mutex to serialize the operations exported by this file. 279 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 280 * different IDs. 281 */ 282 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 283 284 #ifdef CFG_RPMB_TESTKEY 285 286 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 287 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 288 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 289 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 290 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 291 }; 292 293 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 294 uint8_t *key, uint32_t len) 295 { 296 TEE_Result res = TEE_SUCCESS; 297 298 if (!key || RPMB_KEY_MAC_SIZE != len) { 299 res = TEE_ERROR_BAD_PARAMETERS; 300 goto out; 301 } 302 303 DMSG("RPMB: Using test key"); 304 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 305 306 out: 307 return res; 308 } 309 310 #else /* !CFG_RPMB_TESTKEY */ 311 312 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 313 uint8_t *key, uint32_t len) 314 { 315 uint8_t message[RPMB_EMMC_CID_SIZE]; 316 317 if (!key || RPMB_KEY_MAC_SIZE != len) 318 return TEE_ERROR_BAD_PARAMETERS; 319 320 IMSG("RPMB: Using generated key"); 321 322 /* 323 * PRV/CRC would be changed when doing eMMC FFU 324 * The following fields should be masked off when deriving RPMB key 325 * 326 * CID [55: 48]: PRV (Product revision) 327 * CID [07: 01]: CRC (CRC7 checksum) 328 * CID [00]: not used 329 */ 330 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 331 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 332 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 333 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 334 key, len); 335 } 336 337 #endif /* !CFG_RPMB_TESTKEY */ 338 339 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 340 { 341 *bytes = (uint8_t) (u32 >> 24); 342 *(bytes + 1) = (uint8_t) (u32 >> 16); 343 *(bytes + 2) = (uint8_t) (u32 >> 8); 344 *(bytes + 3) = (uint8_t) u32; 345 } 346 347 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 348 { 349 *u32 = (uint32_t) ((*(bytes) << 24) + 350 (*(bytes + 1) << 16) + 351 (*(bytes + 2) << 8) + (*(bytes + 3))); 352 } 353 354 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 355 { 356 *bytes = (uint8_t) (u16 >> 8); 357 *(bytes + 1) = (uint8_t) u16; 358 } 359 360 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 361 { 362 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 363 } 364 365 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 366 { 367 *res = *(bytes + 1) & RPMB_RESULT_MASK; 368 } 369 370 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 371 uint8_t *key, uint32_t keysize, 372 struct rpmb_data_frame *datafrms, 373 uint16_t blkcnt) 374 { 375 TEE_Result res = TEE_ERROR_GENERIC; 376 int i; 377 void *ctx = NULL; 378 379 if (!mac || !key || !datafrms) 380 return TEE_ERROR_BAD_PARAMETERS; 381 382 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 383 if (res) 384 return res; 385 386 res = crypto_mac_init(ctx, key, keysize); 387 if (res != TEE_SUCCESS) 388 goto func_exit; 389 390 for (i = 0; i < blkcnt; i++) { 391 res = crypto_mac_update(ctx, datafrms[i].data, 392 RPMB_MAC_PROTECT_DATA_SIZE); 393 if (res != TEE_SUCCESS) 394 goto func_exit; 395 } 396 397 res = crypto_mac_final(ctx, mac, macsize); 398 if (res != TEE_SUCCESS) 399 goto func_exit; 400 401 res = TEE_SUCCESS; 402 403 func_exit: 404 crypto_mac_free_ctx(ctx); 405 return res; 406 } 407 408 struct tee_rpmb_mem { 409 struct mobj *phreq_mobj; 410 struct mobj *phresp_mobj; 411 size_t req_size; 412 size_t resp_size; 413 }; 414 415 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 416 { 417 if (!mem) 418 return; 419 420 if (mem->phreq_mobj) { 421 thread_rpc_free_payload(mem->phreq_mobj); 422 mem->phreq_mobj = NULL; 423 } 424 if (mem->phresp_mobj) { 425 thread_rpc_free_payload(mem->phresp_mobj); 426 mem->phresp_mobj = NULL; 427 } 428 } 429 430 431 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 432 struct tee_rpmb_mem *mem, void **req, void **resp) 433 { 434 TEE_Result res = TEE_SUCCESS; 435 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 436 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 437 438 if (!mem) 439 return TEE_ERROR_BAD_PARAMETERS; 440 441 memset(mem, 0, sizeof(*mem)); 442 443 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 444 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 445 446 if (!mem->phreq_mobj || !mem->phresp_mobj) { 447 res = TEE_ERROR_OUT_OF_MEMORY; 448 goto out; 449 } 450 451 *req = mobj_get_va(mem->phreq_mobj, 0, req_s); 452 *resp = mobj_get_va(mem->phresp_mobj, 0, resp_s); 453 if (!*req || !*resp) { 454 res = TEE_ERROR_GENERIC; 455 goto out; 456 } 457 458 mem->req_size = req_size; 459 mem->resp_size = resp_size; 460 461 out: 462 if (res != TEE_SUCCESS) 463 tee_rpmb_free(mem); 464 return res; 465 } 466 467 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 468 { 469 struct thread_param params[2] = { 470 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 471 mem->req_size), 472 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 473 mem->resp_size), 474 }; 475 476 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 477 } 478 479 static bool is_zero(const uint8_t *buf, size_t size) 480 { 481 size_t i; 482 483 for (i = 0; i < size; i++) 484 if (buf[i]) 485 return false; 486 return true; 487 } 488 489 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 490 uint16_t blk_idx, const uint8_t *fek, 491 const TEE_UUID *uuid) 492 { 493 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 494 blk_idx, fek, TEE_MODE_ENCRYPT); 495 } 496 497 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 498 uint16_t blk_idx, const uint8_t *fek, 499 const TEE_UUID *uuid) 500 { 501 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 502 blk_idx, fek, TEE_MODE_DECRYPT); 503 } 504 505 /* Decrypt/copy at most one block of data */ 506 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 507 size_t size, size_t offset, 508 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 509 const TEE_UUID *uuid) 510 { 511 uint8_t *tmp __maybe_unused; 512 TEE_Result res = TEE_SUCCESS; 513 514 515 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 516 panic("invalid size or offset"); 517 518 if (!fek) { 519 /* Block is not encrypted (not a file data block) */ 520 memcpy(out, frm->data + offset, size); 521 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 522 /* The file was created with encryption disabled */ 523 return TEE_ERROR_SECURITY; 524 } else { 525 /* Block is encrypted */ 526 if (size < RPMB_DATA_SIZE) { 527 /* 528 * Since output buffer is not large enough to hold one 529 * block we must allocate a temporary buffer. 530 */ 531 tmp = malloc(RPMB_DATA_SIZE); 532 if (!tmp) 533 return TEE_ERROR_OUT_OF_MEMORY; 534 res = decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 535 if (res == TEE_SUCCESS) 536 memcpy(out, tmp + offset, size); 537 free(tmp); 538 } else { 539 res = decrypt_block(out, frm->data, blk_idx, fek, uuid); 540 } 541 } 542 543 return res; 544 } 545 546 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 547 struct rpmb_raw_data *rawdata, 548 uint16_t nbr_frms, uint16_t dev_id, 549 const uint8_t *fek, const TEE_UUID *uuid) 550 { 551 TEE_Result res = TEE_ERROR_GENERIC; 552 int i; 553 struct rpmb_data_frame *datafrm; 554 555 if (!req || !rawdata || !nbr_frms) 556 return TEE_ERROR_BAD_PARAMETERS; 557 558 /* 559 * Check write blockcount is not bigger than reliable write 560 * blockcount. 561 */ 562 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 563 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 564 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 565 rpmb_ctx->rel_wr_blkcnt); 566 return TEE_ERROR_GENERIC; 567 } 568 569 req->cmd = RPMB_CMD_DATA_REQ; 570 req->dev_id = dev_id; 571 572 /* Allocate memory for construct all data packets and calculate MAC. */ 573 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 574 if (!datafrm) 575 return TEE_ERROR_OUT_OF_MEMORY; 576 577 for (i = 0; i < nbr_frms; i++) { 578 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 579 580 if (rawdata->block_count) 581 u16_to_bytes(*rawdata->block_count, 582 datafrm[i].block_count); 583 584 if (rawdata->blk_idx) { 585 /* Check the block index is within range. */ 586 if ((*rawdata->blk_idx + nbr_frms - 1) > 587 rpmb_ctx->max_blk_idx) { 588 res = TEE_ERROR_GENERIC; 589 goto func_exit; 590 } 591 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 592 } 593 594 if (rawdata->write_counter) 595 u32_to_bytes(*rawdata->write_counter, 596 datafrm[i].write_counter); 597 598 if (rawdata->nonce) 599 memcpy(datafrm[i].nonce, rawdata->nonce, 600 RPMB_NONCE_SIZE); 601 602 if (rawdata->data) { 603 if (fek) { 604 res = encrypt_block(datafrm[i].data, 605 rawdata->data + 606 (i * RPMB_DATA_SIZE), 607 *rawdata->blk_idx + i, 608 fek, uuid); 609 if (res != TEE_SUCCESS) 610 goto func_exit; 611 } else { 612 memcpy(datafrm[i].data, 613 rawdata->data + (i * RPMB_DATA_SIZE), 614 RPMB_DATA_SIZE); 615 } 616 } 617 } 618 619 if (rawdata->key_mac) { 620 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 621 res = 622 tee_rpmb_mac_calc(rawdata->key_mac, 623 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 624 RPMB_KEY_MAC_SIZE, datafrm, 625 nbr_frms); 626 if (res != TEE_SUCCESS) 627 goto func_exit; 628 } 629 memcpy(datafrm[nbr_frms - 1].key_mac, 630 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 631 } 632 633 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 634 nbr_frms * RPMB_DATA_FRAME_SIZE); 635 636 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 637 for (i = 0; i < nbr_frms; i++) { 638 DMSG("Dumping data frame %d:", i); 639 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 640 512 - RPMB_STUFF_DATA_SIZE); 641 } 642 } 643 644 res = TEE_SUCCESS; 645 func_exit: 646 free(datafrm); 647 return res; 648 } 649 650 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 651 struct rpmb_data_frame *frm, 652 const uint8_t *fek, const TEE_UUID *uuid) 653 { 654 TEE_Result res; 655 uint8_t *data; 656 uint16_t idx; 657 658 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 659 return TEE_ERROR_BAD_PARAMETERS; 660 661 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 662 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 663 if (res != TEE_SUCCESS) 664 return res; 665 666 data = rawdata->data; 667 bytes_to_u16(frm->address, &idx); 668 669 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 670 uuid); 671 return res; 672 } 673 674 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 675 struct rpmb_raw_data *rawdata, 676 uint16_t nbr_frms, 677 struct rpmb_data_frame *lastfrm, 678 const uint8_t *fek, 679 const TEE_UUID *uuid) 680 { 681 TEE_Result res = TEE_ERROR_GENERIC; 682 int i; 683 void *ctx = NULL; 684 uint16_t offset; 685 uint32_t size; 686 uint8_t *data; 687 uint16_t start_idx; 688 struct rpmb_data_frame localfrm; 689 690 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 691 return TEE_ERROR_BAD_PARAMETERS; 692 693 if (nbr_frms == 1) 694 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 695 696 /* nbr_frms > 1 */ 697 698 data = rawdata->data; 699 700 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 701 if (res) 702 goto func_exit; 703 704 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 705 if (res != TEE_SUCCESS) 706 goto func_exit; 707 708 /* 709 * Note: JEDEC JESD84-B51: "In every packet the address is the start 710 * address of the full access (not address of the individual half a 711 * sector)" 712 */ 713 bytes_to_u16(lastfrm->address, &start_idx); 714 715 for (i = 0; i < (nbr_frms - 1); i++) { 716 717 /* 718 * By working on a local copy of the RPMB frame, we ensure that 719 * the data can not be modified after the MAC is computed but 720 * before the payload is decrypted/copied to the output buffer. 721 */ 722 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 723 724 res = crypto_mac_update(ctx, localfrm.data, 725 RPMB_MAC_PROTECT_DATA_SIZE); 726 if (res != TEE_SUCCESS) 727 goto func_exit; 728 729 if (i == 0) { 730 /* First block */ 731 offset = rawdata->byte_offset; 732 size = RPMB_DATA_SIZE - offset; 733 } else { 734 /* Middle blocks */ 735 size = RPMB_DATA_SIZE; 736 offset = 0; 737 } 738 739 res = decrypt(data, &localfrm, size, offset, start_idx + i, 740 fek, uuid); 741 if (res != TEE_SUCCESS) 742 goto func_exit; 743 744 data += size; 745 } 746 747 /* Last block */ 748 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 749 if (size == 0) 750 size = RPMB_DATA_SIZE; 751 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 752 uuid); 753 if (res != TEE_SUCCESS) 754 goto func_exit; 755 756 /* Update MAC against the last block */ 757 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 758 if (res != TEE_SUCCESS) 759 goto func_exit; 760 761 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 762 if (res != TEE_SUCCESS) 763 goto func_exit; 764 765 res = TEE_SUCCESS; 766 767 func_exit: 768 crypto_mac_free_ctx(ctx); 769 return res; 770 } 771 772 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 773 struct rpmb_raw_data *rawdata, 774 uint16_t nbr_frms, 775 const uint8_t *fek, 776 const TEE_UUID *uuid) 777 { 778 TEE_Result res = TEE_ERROR_GENERIC; 779 uint16_t msg_type; 780 uint32_t wr_cnt; 781 uint16_t blk_idx; 782 uint8_t op_result; 783 struct rpmb_data_frame lastfrm; 784 785 if (!datafrm || !rawdata || !nbr_frms) 786 return TEE_ERROR_BAD_PARAMETERS; 787 788 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 789 size_t i = 0; 790 791 for (i = 0; i < nbr_frms; i++) { 792 DMSG("Dumping data frame %zu:", i); 793 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 794 512 - RPMB_STUFF_DATA_SIZE); 795 } 796 } 797 798 /* Make sure the last data packet can't be modified once verified */ 799 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 800 801 /* Handle operation result and translate to TEEC error code. */ 802 get_op_result_bits(lastfrm.op_result, &op_result); 803 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 804 return TEE_ERROR_ITEM_NOT_FOUND; 805 if (op_result != RPMB_RESULT_OK) 806 return TEE_ERROR_GENERIC; 807 808 /* Check the response msg_type. */ 809 bytes_to_u16(lastfrm.msg_type, &msg_type); 810 if (msg_type != rawdata->msg_type) { 811 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 812 rawdata->msg_type); 813 return TEE_ERROR_GENERIC; 814 } 815 816 if (rawdata->blk_idx) { 817 bytes_to_u16(lastfrm.address, &blk_idx); 818 if (blk_idx != *rawdata->blk_idx) { 819 DMSG("Unexpected block index"); 820 return TEE_ERROR_GENERIC; 821 } 822 } 823 824 if (rawdata->write_counter) { 825 wr_cnt = *rawdata->write_counter; 826 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 827 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 828 /* Verify the write counter is incremented by 1 */ 829 if (*rawdata->write_counter != wr_cnt + 1) { 830 DMSG("Counter mismatched (0x%04x/0x%04x)", 831 *rawdata->write_counter, wr_cnt + 1); 832 return TEE_ERROR_SECURITY; 833 } 834 rpmb_ctx->wr_cnt++; 835 } 836 } 837 838 if (rawdata->nonce) { 839 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 840 RPMB_NONCE_SIZE) != 0) { 841 DMSG("Nonce mismatched"); 842 return TEE_ERROR_SECURITY; 843 } 844 } 845 846 if (rawdata->key_mac) { 847 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 848 if (!rawdata->data) 849 return TEE_ERROR_GENERIC; 850 851 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 852 nbr_frms, &lastfrm, 853 fek, uuid); 854 855 if (res != TEE_SUCCESS) 856 return res; 857 } else { 858 /* 859 * There should be only one data frame for 860 * other msg types. 861 */ 862 if (nbr_frms != 1) 863 return TEE_ERROR_GENERIC; 864 865 res = tee_rpmb_mac_calc(rawdata->key_mac, 866 RPMB_KEY_MAC_SIZE, 867 rpmb_ctx->key, 868 RPMB_KEY_MAC_SIZE, 869 &lastfrm, 1); 870 871 if (res != TEE_SUCCESS) 872 return res; 873 } 874 875 if (consttime_memcmp(rawdata->key_mac, 876 (datafrm + nbr_frms - 1)->key_mac, 877 RPMB_KEY_MAC_SIZE) != 0) { 878 DMSG("MAC mismatched:"); 879 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) 880 DHEXDUMP(rawdata->key_mac, RPMB_KEY_MAC_SIZE); 881 882 return TEE_ERROR_SECURITY; 883 } 884 } 885 886 return TEE_SUCCESS; 887 } 888 889 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 890 struct rpmb_dev_info *dev_info) 891 { 892 TEE_Result res = TEE_ERROR_GENERIC; 893 struct tee_rpmb_mem mem; 894 struct rpmb_dev_info *di; 895 struct rpmb_req *req = NULL; 896 uint8_t *resp = NULL; 897 uint32_t req_size; 898 uint32_t resp_size; 899 900 if (!dev_info) 901 return TEE_ERROR_BAD_PARAMETERS; 902 903 req_size = sizeof(struct rpmb_req); 904 resp_size = sizeof(struct rpmb_dev_info); 905 res = tee_rpmb_alloc(req_size, resp_size, &mem, 906 (void *)&req, (void *)&resp); 907 if (res != TEE_SUCCESS) 908 goto func_exit; 909 910 req->cmd = RPMB_CMD_GET_DEV_INFO; 911 req->dev_id = dev_id; 912 913 di = (struct rpmb_dev_info *)resp; 914 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 915 916 res = tee_rpmb_invoke(&mem); 917 if (res != TEE_SUCCESS) 918 goto func_exit; 919 920 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 921 res = TEE_ERROR_GENERIC; 922 goto func_exit; 923 } 924 925 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 926 927 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 928 DMSG("Dumping dev_info:"); 929 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 930 } 931 932 res = TEE_SUCCESS; 933 934 func_exit: 935 tee_rpmb_free(&mem); 936 return res; 937 } 938 939 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 940 uint32_t *wr_cnt, 941 uint16_t *op_result) 942 { 943 TEE_Result res = TEE_ERROR_GENERIC; 944 struct tee_rpmb_mem mem; 945 uint16_t msg_type; 946 uint8_t nonce[RPMB_NONCE_SIZE]; 947 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 948 struct rpmb_req *req = NULL; 949 struct rpmb_data_frame *resp = NULL; 950 struct rpmb_raw_data rawdata; 951 uint32_t req_size; 952 uint32_t resp_size; 953 954 if (!wr_cnt) 955 return TEE_ERROR_BAD_PARAMETERS; 956 957 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 958 resp_size = RPMB_DATA_FRAME_SIZE; 959 res = tee_rpmb_alloc(req_size, resp_size, &mem, 960 (void *)&req, (void *)&resp); 961 if (res != TEE_SUCCESS) 962 goto func_exit; 963 964 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 965 if (res != TEE_SUCCESS) 966 goto func_exit; 967 968 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 969 970 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 971 rawdata.msg_type = msg_type; 972 rawdata.nonce = nonce; 973 974 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 975 if (res != TEE_SUCCESS) 976 goto func_exit; 977 978 res = tee_rpmb_invoke(&mem); 979 if (res != TEE_SUCCESS) 980 goto func_exit; 981 982 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 983 984 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 985 rawdata.msg_type = msg_type; 986 rawdata.op_result = op_result; 987 rawdata.write_counter = wr_cnt; 988 rawdata.nonce = nonce; 989 rawdata.key_mac = hmac; 990 991 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 992 if (res != TEE_SUCCESS) 993 goto func_exit; 994 995 res = TEE_SUCCESS; 996 997 func_exit: 998 tee_rpmb_free(&mem); 999 return res; 1000 } 1001 1002 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 1003 { 1004 uint16_t op_result = 0; 1005 TEE_Result res = TEE_ERROR_GENERIC; 1006 1007 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 1008 &op_result); 1009 1010 if (res == TEE_SUCCESS) { 1011 rpmb_ctx->key_verified = true; 1012 rpmb_ctx->wr_cnt_synced = true; 1013 } else 1014 EMSG("Verify key returning 0x%x", res); 1015 return res; 1016 } 1017 1018 #ifdef CFG_RPMB_WRITE_KEY 1019 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 1020 { 1021 TEE_Result res = TEE_ERROR_GENERIC; 1022 struct tee_rpmb_mem mem = { 0 }; 1023 uint16_t msg_type; 1024 struct rpmb_req *req = NULL; 1025 struct rpmb_data_frame *resp = NULL; 1026 struct rpmb_raw_data rawdata; 1027 uint32_t req_size; 1028 uint32_t resp_size; 1029 1030 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1031 resp_size = RPMB_DATA_FRAME_SIZE; 1032 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1033 (void *)&req, (void *)&resp); 1034 if (res != TEE_SUCCESS) 1035 goto func_exit; 1036 1037 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 1038 1039 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1040 rawdata.msg_type = msg_type; 1041 rawdata.key_mac = rpmb_ctx->key; 1042 1043 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1044 if (res != TEE_SUCCESS) 1045 goto func_exit; 1046 1047 res = tee_rpmb_invoke(&mem); 1048 if (res != TEE_SUCCESS) 1049 goto func_exit; 1050 1051 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1052 1053 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1054 rawdata.msg_type = msg_type; 1055 1056 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1057 if (res != TEE_SUCCESS) 1058 goto func_exit; 1059 1060 res = TEE_SUCCESS; 1061 1062 func_exit: 1063 tee_rpmb_free(&mem); 1064 return res; 1065 } 1066 1067 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1068 { 1069 TEE_Result res; 1070 1071 if (!plat_rpmb_key_is_ready()) { 1072 DMSG("RPMB INIT: platform indicates RPMB key is not ready"); 1073 return TEE_ERROR_BAD_STATE; 1074 } 1075 1076 DMSG("RPMB INIT: Writing Key value:"); 1077 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1078 1079 res = tee_rpmb_write_key(dev_id); 1080 if (res == TEE_SUCCESS) { 1081 DMSG("RPMB INIT: Verifying Key"); 1082 res = tee_rpmb_verify_key_sync_counter(dev_id); 1083 } 1084 return res; 1085 } 1086 #else 1087 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1088 { 1089 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1090 return TEE_ERROR_STORAGE_NOT_AVAILABLE; 1091 } 1092 #endif 1093 1094 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1095 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1096 { 1097 TEE_Result res = TEE_SUCCESS; 1098 struct rpmb_dev_info dev_info = { }; 1099 uint32_t nblocks = 0; 1100 1101 if (rpmb_dead) 1102 return TEE_ERROR_COMMUNICATION; 1103 1104 if (!rpmb_ctx) { 1105 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1106 if (!rpmb_ctx) 1107 return TEE_ERROR_OUT_OF_MEMORY; 1108 } else if (rpmb_ctx->dev_id != dev_id) { 1109 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1110 } 1111 1112 rpmb_ctx->dev_id = dev_id; 1113 1114 if (!rpmb_ctx->dev_info_synced) { 1115 DMSG("RPMB: Syncing device information"); 1116 1117 dev_info.rpmb_size_mult = 0; 1118 dev_info.rel_wr_sec_c = 0; 1119 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1120 if (res != TEE_SUCCESS) 1121 goto func_exit; 1122 1123 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1124 DMSG("RPMB: Reliable Write Sector Count is %d", 1125 dev_info.rel_wr_sec_c); 1126 1127 if (dev_info.rpmb_size_mult == 0) { 1128 res = TEE_ERROR_GENERIC; 1129 goto func_exit; 1130 } 1131 1132 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1133 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1134 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1135 res = TEE_ERROR_BAD_PARAMETERS; 1136 goto func_exit; 1137 } 1138 1139 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1140 1141 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1142 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1143 #else 1144 rpmb_ctx->rel_wr_blkcnt = 1; 1145 #endif 1146 1147 rpmb_ctx->dev_info_synced = true; 1148 } 1149 1150 if (!rpmb_ctx->key_derived) { 1151 DMSG("RPMB INIT: Deriving key"); 1152 1153 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1154 RPMB_KEY_MAC_SIZE); 1155 if (res != TEE_SUCCESS) { 1156 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1157 res); 1158 goto func_exit; 1159 } 1160 1161 rpmb_ctx->key_derived = true; 1162 } 1163 1164 /* Perform a write counter read to verify if the key is ok. */ 1165 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1166 DMSG("RPMB INIT: Verifying Key"); 1167 1168 res = tee_rpmb_verify_key_sync_counter(dev_id); 1169 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1170 !rpmb_ctx->key_verified) { 1171 /* 1172 * Need to write the key here and verify it. 1173 */ 1174 DMSG("RPMB INIT: Auth key not yet written"); 1175 res = tee_rpmb_write_and_verify_key(dev_id); 1176 } else if (res != TEE_SUCCESS) { 1177 EMSG("Verify key failed!"); 1178 EMSG("Make sure key here matches device key"); 1179 } 1180 } 1181 1182 func_exit: 1183 return res; 1184 } 1185 1186 /* 1187 * Read RPMB data in bytes. 1188 * 1189 * @dev_id Device ID of the eMMC device. 1190 * @addr Byte address of data. 1191 * @data Pointer to the data. 1192 * @len Size of data in bytes. 1193 * @fek Encrypted File Encryption Key or NULL. 1194 */ 1195 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1196 uint32_t len, const uint8_t *fek, 1197 const TEE_UUID *uuid) 1198 { 1199 TEE_Result res = TEE_ERROR_GENERIC; 1200 struct tee_rpmb_mem mem = { 0 }; 1201 uint16_t msg_type; 1202 uint8_t nonce[RPMB_NONCE_SIZE]; 1203 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1204 struct rpmb_req *req = NULL; 1205 struct rpmb_data_frame *resp = NULL; 1206 struct rpmb_raw_data rawdata; 1207 uint32_t req_size; 1208 uint32_t resp_size; 1209 uint16_t blk_idx; 1210 uint16_t blkcnt; 1211 uint8_t byte_offset; 1212 1213 if (!data || !len) 1214 return TEE_ERROR_BAD_PARAMETERS; 1215 1216 blk_idx = addr / RPMB_DATA_SIZE; 1217 byte_offset = addr % RPMB_DATA_SIZE; 1218 1219 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1220 /* Overflow */ 1221 return TEE_ERROR_BAD_PARAMETERS; 1222 } 1223 blkcnt = 1224 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1225 res = tee_rpmb_init(dev_id); 1226 if (res != TEE_SUCCESS) 1227 goto func_exit; 1228 1229 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1230 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1231 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1232 (void *)&req, (void *)&resp); 1233 if (res != TEE_SUCCESS) 1234 goto func_exit; 1235 1236 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1237 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1238 if (res != TEE_SUCCESS) 1239 goto func_exit; 1240 1241 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1242 rawdata.msg_type = msg_type; 1243 rawdata.nonce = nonce; 1244 rawdata.blk_idx = &blk_idx; 1245 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1246 if (res != TEE_SUCCESS) 1247 goto func_exit; 1248 1249 req->block_count = blkcnt; 1250 1251 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1252 blk_idx); 1253 1254 res = tee_rpmb_invoke(&mem); 1255 if (res != TEE_SUCCESS) 1256 goto func_exit; 1257 1258 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1259 1260 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1261 rawdata.msg_type = msg_type; 1262 rawdata.block_count = &blkcnt; 1263 rawdata.blk_idx = &blk_idx; 1264 rawdata.nonce = nonce; 1265 rawdata.key_mac = hmac; 1266 rawdata.data = data; 1267 1268 rawdata.len = len; 1269 rawdata.byte_offset = byte_offset; 1270 1271 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1272 if (res != TEE_SUCCESS) 1273 goto func_exit; 1274 1275 res = TEE_SUCCESS; 1276 1277 func_exit: 1278 tee_rpmb_free(&mem); 1279 return res; 1280 } 1281 1282 static TEE_Result write_req(uint16_t dev_id, uint16_t blk_idx, 1283 const void *data_blks, uint16_t blkcnt, 1284 const uint8_t *fek, const TEE_UUID *uuid, 1285 struct tee_rpmb_mem *mem, void *req, void *resp) 1286 { 1287 TEE_Result res = TEE_SUCCESS; 1288 uint8_t hmac[RPMB_KEY_MAC_SIZE] = { }; 1289 uint32_t wr_cnt = rpmb_ctx->wr_cnt; 1290 struct rpmb_raw_data rawdata = { }; 1291 size_t retry_count = 0; 1292 1293 assert(mem->req_size <= 1294 sizeof(struct rpmb_req) + blkcnt * RPMB_DATA_FRAME_SIZE); 1295 assert(mem->resp_size <= RPMB_DATA_FRAME_SIZE); 1296 1297 while (true) { 1298 memset(req, 0, mem->req_size); 1299 memset(resp, 0, mem->resp_size); 1300 1301 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1302 rawdata.msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1303 rawdata.block_count = &blkcnt; 1304 rawdata.blk_idx = &blk_idx; 1305 rawdata.write_counter = &wr_cnt; 1306 rawdata.key_mac = hmac; 1307 rawdata.data = (uint8_t *)data_blks; 1308 1309 res = tee_rpmb_req_pack(req, &rawdata, blkcnt, dev_id, fek, 1310 uuid); 1311 if (res) { 1312 /* 1313 * If we haven't tried to send a request yet we can 1314 * allow a failure here since there's no chance of 1315 * an intercepted request with a valid write 1316 * counter. 1317 */ 1318 if (!retry_count) 1319 return res; 1320 1321 retry_count++; 1322 if (retry_count >= RPMB_MAX_RETRIES) 1323 goto out_of_retries; 1324 1325 DMSG("Request pack failed, retrying %zu", retry_count); 1326 continue; 1327 } 1328 1329 res = tee_rpmb_invoke(mem); 1330 if (res != TEE_SUCCESS) { 1331 retry_count++; 1332 if (retry_count >= RPMB_MAX_RETRIES) 1333 goto out_of_retries; 1334 /* 1335 * To force wr_cnt sync next time, as it might get 1336 * out of sync due to inconsistent operation result! 1337 */ 1338 rpmb_ctx->wr_cnt_synced = false; 1339 DMSG("Write invoke failed, retrying %zu", retry_count); 1340 continue; 1341 } 1342 1343 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1344 rawdata.msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1345 rawdata.block_count = &blkcnt; 1346 rawdata.blk_idx = &blk_idx; 1347 rawdata.write_counter = &wr_cnt; 1348 rawdata.key_mac = hmac; 1349 1350 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1351 NULL); 1352 if (res != TEE_SUCCESS) { 1353 retry_count++; 1354 if (retry_count >= RPMB_MAX_RETRIES) 1355 goto out_of_retries; 1356 /* 1357 * To force wr_cnt sync next time, as it might get 1358 * out of sync due to inconsistent operation result! 1359 */ 1360 rpmb_ctx->wr_cnt_synced = false; 1361 DMSG("Write resp unpack verify failed, retrying %zu", 1362 retry_count); 1363 continue; 1364 } 1365 1366 return TEE_SUCCESS; 1367 } 1368 1369 out_of_retries: 1370 rpmb_dead = true; 1371 /* 1372 * We're using this error code to cause an eventuall calling TA to 1373 * panic since we don't know if the data to be written has been 1374 * committed to storage or not. 1375 */ 1376 return TEE_ERROR_COMMUNICATION; 1377 } 1378 1379 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1380 const uint8_t *data_blks, uint16_t blkcnt, 1381 const uint8_t *fek, const TEE_UUID *uuid) 1382 { 1383 TEE_Result res; 1384 struct tee_rpmb_mem mem; 1385 struct rpmb_req *req = NULL; 1386 struct rpmb_data_frame *resp = NULL; 1387 uint32_t req_size; 1388 uint32_t resp_size; 1389 uint32_t nbr_writes; 1390 uint16_t tmp_blkcnt; 1391 uint16_t tmp_blk_idx; 1392 uint16_t i; 1393 1394 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1395 blk_idx); 1396 1397 if (!data_blks || !blkcnt) 1398 return TEE_ERROR_BAD_PARAMETERS; 1399 1400 res = tee_rpmb_init(dev_id); 1401 if (res != TEE_SUCCESS) 1402 return res; 1403 1404 /* 1405 * We need to split data when block count 1406 * is bigger than reliable block write count. 1407 */ 1408 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1409 req_size = sizeof(struct rpmb_req) + 1410 RPMB_DATA_FRAME_SIZE * blkcnt; 1411 else 1412 req_size = sizeof(struct rpmb_req) + 1413 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1414 1415 resp_size = RPMB_DATA_FRAME_SIZE; 1416 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1417 (void *)&req, (void *)&resp); 1418 if (res != TEE_SUCCESS) 1419 return res; 1420 1421 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1422 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1423 nbr_writes += 1; 1424 1425 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1426 tmp_blk_idx = blk_idx; 1427 for (i = 0; i < nbr_writes; i++) { 1428 size_t offs = i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1429 1430 /* 1431 * To handle the last write of block count which is 1432 * equal or smaller than reliable write block count. 1433 */ 1434 if (i == nbr_writes - 1) 1435 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1436 (nbr_writes - 1); 1437 1438 res = write_req(dev_id, tmp_blk_idx, data_blks + offs, 1439 tmp_blkcnt, fek, uuid, &mem, req, resp); 1440 if (res) 1441 goto out; 1442 1443 1444 tmp_blk_idx += tmp_blkcnt; 1445 } 1446 1447 out: 1448 tee_rpmb_free(&mem); 1449 return res; 1450 } 1451 1452 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1453 uint32_t len) 1454 { 1455 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1456 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1457 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1458 1459 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1460 } 1461 1462 /* 1463 * Write RPMB data in bytes. 1464 * 1465 * @dev_id Device ID of the eMMC device. 1466 * @addr Byte address of data. 1467 * @data Pointer to the data. 1468 * @len Size of data in bytes. 1469 * @fek Encrypted File Encryption Key or NULL. 1470 */ 1471 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1472 const uint8_t *data, uint32_t len, 1473 const uint8_t *fek, const TEE_UUID *uuid) 1474 { 1475 TEE_Result res = TEE_ERROR_GENERIC; 1476 uint8_t *data_tmp = NULL; 1477 uint16_t blk_idx; 1478 uint16_t blkcnt; 1479 uint8_t byte_offset; 1480 1481 blk_idx = addr / RPMB_DATA_SIZE; 1482 byte_offset = addr % RPMB_DATA_SIZE; 1483 1484 blkcnt = 1485 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1486 1487 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1488 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1489 uuid); 1490 if (res != TEE_SUCCESS) 1491 goto func_exit; 1492 } else { 1493 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1494 if (!data_tmp) { 1495 res = TEE_ERROR_OUT_OF_MEMORY; 1496 goto func_exit; 1497 } 1498 1499 /* Read the complete blocks */ 1500 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1501 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1502 if (res != TEE_SUCCESS) 1503 goto func_exit; 1504 1505 /* Partial update of the data blocks */ 1506 memcpy(data_tmp + byte_offset, data, len); 1507 1508 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1509 fek, uuid); 1510 if (res != TEE_SUCCESS) 1511 goto func_exit; 1512 } 1513 1514 res = TEE_SUCCESS; 1515 1516 func_exit: 1517 free(data_tmp); 1518 return res; 1519 } 1520 1521 /* 1522 * Read the RPMB write counter. 1523 * 1524 * @dev_id Device ID of the eMMC device. 1525 * @counter Pointer to the counter. 1526 */ 1527 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1528 uint32_t *counter) 1529 { 1530 TEE_Result res = TEE_SUCCESS; 1531 1532 if (!counter) 1533 return TEE_ERROR_BAD_PARAMETERS; 1534 1535 if (rpmb_dead) 1536 return TEE_ERROR_COMMUNICATION; 1537 1538 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1539 res = tee_rpmb_init(dev_id); 1540 if (res != TEE_SUCCESS) 1541 goto func_exit; 1542 } 1543 1544 *counter = rpmb_ctx->wr_cnt; 1545 1546 func_exit: 1547 return res; 1548 } 1549 1550 /* 1551 * Read the RPMB max block. 1552 * 1553 * @dev_id Device ID of the eMMC device. 1554 * @counter Pointer to receive the max block. 1555 */ 1556 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1557 { 1558 TEE_Result res = TEE_SUCCESS; 1559 1560 if (!max_block) 1561 return TEE_ERROR_BAD_PARAMETERS; 1562 1563 if (rpmb_dead) 1564 return TEE_ERROR_COMMUNICATION; 1565 1566 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1567 res = tee_rpmb_init(dev_id); 1568 if (res != TEE_SUCCESS) 1569 goto func_exit; 1570 } 1571 1572 *max_block = rpmb_ctx->max_blk_idx; 1573 1574 func_exit: 1575 return res; 1576 } 1577 1578 /* 1579 * End of lower interface to RPMB device 1580 */ 1581 1582 static TEE_Result get_fat_start_address(uint32_t *addr); 1583 static TEE_Result rpmb_fs_setup(void); 1584 1585 /** 1586 * fat_entry_dir_free: Free the FAT entry dir. 1587 */ 1588 static void fat_entry_dir_free(void) 1589 { 1590 if (fat_entry_dir) { 1591 free(fat_entry_dir->rpmb_fat_entry_buf); 1592 free(fat_entry_dir); 1593 fat_entry_dir = NULL; 1594 } 1595 } 1596 1597 /** 1598 * fat_entry_dir_init: Initialize the FAT FS entry buffer/cache 1599 * This function must be called before reading FAT FS entries using the 1600 * function fat_entry_dir_get_next. This initializes the buffer/cache with the 1601 * first FAT FS entries. 1602 */ 1603 static TEE_Result fat_entry_dir_init(void) 1604 { 1605 TEE_Result res = TEE_ERROR_GENERIC; 1606 struct rpmb_fat_entry *fe = NULL; 1607 uint32_t fat_address = 0; 1608 uint32_t num_elems_read = 0; 1609 1610 if (fat_entry_dir) 1611 return TEE_SUCCESS; 1612 1613 res = rpmb_fs_setup(); 1614 if (res) 1615 return res; 1616 1617 res = get_fat_start_address(&fat_address); 1618 if (res) 1619 return res; 1620 1621 fat_entry_dir = calloc(1, sizeof(struct rpmb_fat_entry_dir)); 1622 if (!fat_entry_dir) 1623 return TEE_ERROR_OUT_OF_MEMORY; 1624 1625 /* 1626 * If caching is enabled, read in up to the maximum cache size, but 1627 * never more than the single read in size. Otherwise, read in as many 1628 * entries fit into the temporary buffer. 1629 */ 1630 if (CFG_RPMB_FS_CACHE_ENTRIES) 1631 num_elems_read = MIN(CFG_RPMB_FS_CACHE_ENTRIES, 1632 CFG_RPMB_FS_RD_ENTRIES); 1633 else 1634 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1635 1636 /* 1637 * Allocate memory for the FAT FS entries to read in. 1638 */ 1639 fe = calloc(num_elems_read, sizeof(struct rpmb_fat_entry)); 1640 if (!fe) { 1641 res = TEE_ERROR_OUT_OF_MEMORY; 1642 goto out; 1643 } 1644 1645 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, (uint8_t *)fe, 1646 num_elems_read * sizeof(*fe), NULL, NULL); 1647 if (res) 1648 goto out; 1649 1650 fat_entry_dir->rpmb_fat_entry_buf = fe; 1651 1652 /* 1653 * We use this variable when getting next entries from the buffer/cache 1654 * to see whether we have to read in more entries from storage. 1655 */ 1656 fat_entry_dir->num_buffered = num_elems_read; 1657 1658 return TEE_SUCCESS; 1659 out: 1660 fat_entry_dir_free(); 1661 free(fe); 1662 return res; 1663 } 1664 1665 /** 1666 * fat_entry_dir_deinit: If caching is enabled, free the temporary buffer for 1667 * FAT FS entries in case the cache was too small. Keep the elements in the 1668 * cache. Reset the counter variables to start the next traversal from fresh 1669 * from the first cached entry. If caching is disabled, just free the 1670 * temporary buffer by calling fat_entry_dir_free and return. 1671 */ 1672 static void fat_entry_dir_deinit(void) 1673 { 1674 struct rpmb_fat_entry *fe = NULL; 1675 1676 if (!fat_entry_dir) 1677 return; 1678 1679 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1680 fat_entry_dir_free(); 1681 return; 1682 } 1683 1684 fe = fat_entry_dir->rpmb_fat_entry_buf; 1685 fat_entry_dir->idx_curr = 0; 1686 fat_entry_dir->num_total_read = 0; 1687 fat_entry_dir->last_reached = false; 1688 1689 if (fat_entry_dir->num_buffered > CFG_RPMB_FS_CACHE_ENTRIES) { 1690 fat_entry_dir->num_buffered = CFG_RPMB_FS_CACHE_ENTRIES; 1691 1692 fe = realloc(fe, fat_entry_dir->num_buffered * sizeof(*fe)); 1693 1694 /* 1695 * In case realloc fails, we are on the safe side if we destroy 1696 * the whole structure. Upon the next init, the cache has to be 1697 * re-established, but this case should not happen in practice. 1698 */ 1699 if (!fe) 1700 fat_entry_dir_free(); 1701 else 1702 fat_entry_dir->rpmb_fat_entry_buf = fe; 1703 } 1704 } 1705 1706 /** 1707 * fat_entry_dir_update: Updates a persisted FAT FS entry in the cache. 1708 * This function updates the FAT entry fat_entry that was written to address 1709 * fat_address onto RPMB storage in the cache. 1710 */ 1711 static TEE_Result __maybe_unused fat_entry_dir_update 1712 (struct rpmb_fat_entry *fat_entry, 1713 uint32_t fat_address) 1714 { 1715 uint32_t fat_entry_buf_idx = 0; 1716 /* Use a temp var to avoid compiler warning if caching disabled. */ 1717 uint32_t max_cache_entries = CFG_RPMB_FS_CACHE_ENTRIES; 1718 1719 assert(!((fat_address - RPMB_FS_FAT_START_ADDRESS) % 1720 sizeof(struct rpmb_fat_entry))); 1721 1722 /* Nothing to update if the cache is not initialized. */ 1723 if (!fat_entry_dir) 1724 return TEE_SUCCESS; 1725 1726 fat_entry_buf_idx = (fat_address - RPMB_FS_FAT_START_ADDRESS) / 1727 sizeof(struct rpmb_fat_entry); 1728 1729 /* Only need to write if index points to an entry in cache. */ 1730 if (fat_entry_buf_idx < fat_entry_dir->num_buffered && 1731 fat_entry_buf_idx < max_cache_entries) { 1732 memcpy(fat_entry_dir->rpmb_fat_entry_buf + fat_entry_buf_idx, 1733 fat_entry, sizeof(struct rpmb_fat_entry)); 1734 } 1735 1736 return TEE_SUCCESS; 1737 } 1738 1739 /** 1740 * fat_entry_dir_get_next: Get next FAT FS entry. 1741 * Read either from cache/buffer, or by reading from RPMB storage if the 1742 * elements in the buffer/cache are fully read. When reading in from RPMB 1743 * storage, the buffer is overwritten in case caching is disabled. 1744 * In case caching is enabled, the cache is either further filled, or a 1745 * temporary buffer populated if the cache is already full. 1746 * The FAT FS entry is written to fat_entry. The respective address in RPMB 1747 * storage is written to fat_address, if not NULL. When the last FAT FS entry 1748 * was previously read, the function indicates this case by writing a NULL 1749 * pointer to fat_entry. 1750 * Returns a value different TEE_SUCCESS if the next FAT FS entry could not be 1751 * retrieved. 1752 */ 1753 static TEE_Result fat_entry_dir_get_next(struct rpmb_fat_entry **fat_entry, 1754 uint32_t *fat_address) 1755 { 1756 TEE_Result res = TEE_ERROR_GENERIC; 1757 struct rpmb_fat_entry *fe = NULL; 1758 uint32_t num_elems_read = 0; 1759 uint32_t fat_address_local = 0; 1760 1761 assert(fat_entry_dir && fat_entry); 1762 1763 /* Don't read further if we previously read the last FAT FS entry. */ 1764 if (fat_entry_dir->last_reached) { 1765 *fat_entry = NULL; 1766 return TEE_SUCCESS; 1767 } 1768 1769 fe = fat_entry_dir->rpmb_fat_entry_buf; 1770 1771 /* Determine address of FAT FS entry in RPMB storage. */ 1772 fat_address_local = RPMB_FS_FAT_START_ADDRESS + 1773 (fat_entry_dir->num_total_read * 1774 sizeof(struct rpmb_fat_entry)); 1775 1776 /* 1777 * We've read all so-far buffered elements, so we need to 1778 * read in more entries from RPMB storage. 1779 */ 1780 if (fat_entry_dir->idx_curr >= fat_entry_dir->num_buffered) { 1781 /* 1782 * This is the case where we do not cache entries, so just read 1783 * in next set of FAT FS entries into the buffer. 1784 * Goto the end of the when statement if that is done. 1785 */ 1786 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1787 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1788 fat_entry_dir->idx_curr = 0; 1789 1790 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1791 fat_address_local, (uint8_t *)fe, 1792 num_elems_read * sizeof(*fe), NULL, 1793 NULL); 1794 if (res) 1795 return res; 1796 goto post_read_in; 1797 } 1798 1799 /* 1800 * We cache FAT FS entries, and the buffer is not completely 1801 * filled. Further keep on extending the buffer up to its max 1802 * size by reading in from RPMB. 1803 */ 1804 if (fat_entry_dir->num_total_read < RPMB_BUF_MAX_ENTRIES) { 1805 /* 1806 * Read at most as many elements as fit in the buffer 1807 * and no more than the defined number of entries to 1808 * read in at once. 1809 */ 1810 num_elems_read = MIN(RPMB_BUF_MAX_ENTRIES - 1811 fat_entry_dir->num_total_read, 1812 (uint32_t)CFG_RPMB_FS_RD_ENTRIES); 1813 1814 /* 1815 * Expand the buffer to fit in the additional entries. 1816 */ 1817 fe = realloc(fe, 1818 (fat_entry_dir->num_buffered + 1819 num_elems_read) * sizeof(*fe)); 1820 if (!fe) 1821 return TEE_ERROR_OUT_OF_MEMORY; 1822 1823 fat_entry_dir->rpmb_fat_entry_buf = fe; 1824 1825 /* Read in to the next free slot in the buffer/cache. */ 1826 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1827 fat_address_local, 1828 (uint8_t *)(fe + 1829 fat_entry_dir->num_total_read), 1830 num_elems_read * sizeof(*fe), 1831 NULL, NULL); 1832 if (res) 1833 return res; 1834 1835 fat_entry_dir->num_buffered += num_elems_read; 1836 } else { 1837 /* 1838 * This happens when we have read as many elements as 1839 * can possibly fit into the buffer. 1840 * As the first part of the buffer serves as our cache, 1841 * we only overwrite the last part that serves as our 1842 * temporary buffer used to iteratively read in entries 1843 * when the cache is full. Read in the temporary buffer 1844 * maximum size. 1845 */ 1846 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1847 /* Reset index to beginning of the temporary buffer. */ 1848 fat_entry_dir->idx_curr = CFG_RPMB_FS_CACHE_ENTRIES; 1849 1850 /* Read in elements after the end of the cache. */ 1851 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1852 fat_address_local, 1853 (uint8_t *)(fe + 1854 fat_entry_dir->idx_curr), 1855 num_elems_read * sizeof(*fe), 1856 NULL, NULL); 1857 if (res) 1858 return res; 1859 } 1860 } 1861 1862 post_read_in: 1863 if (fat_address) 1864 *fat_address = fat_address_local; 1865 1866 *fat_entry = fe + fat_entry_dir->idx_curr; 1867 1868 fat_entry_dir->idx_curr++; 1869 fat_entry_dir->num_total_read++; 1870 1871 /* 1872 * Indicate last entry was read. 1873 * Ensures we return a zero value for fat_entry on next invocation. 1874 */ 1875 if ((*fat_entry)->flags & FILE_IS_LAST_ENTRY) 1876 fat_entry_dir->last_reached = true; 1877 1878 return TEE_SUCCESS; 1879 } 1880 1881 #if (TRACE_LEVEL >= TRACE_FLOW) 1882 static void dump_fat(void) 1883 { 1884 TEE_Result res = TEE_ERROR_SECURITY; 1885 struct rpmb_fat_entry *fe = NULL; 1886 1887 if (!fs_par) 1888 return; 1889 1890 if (fat_entry_dir_init()) 1891 return; 1892 1893 while (true) { 1894 res = fat_entry_dir_get_next(&fe, NULL); 1895 if (res || !fe) 1896 break; 1897 1898 FMSG("flags %#"PRIx32", size %"PRIu32", address %#"PRIx32 1899 ", filename '%s'", 1900 fe->flags, fe->data_size, fe->start_address, fe->filename); 1901 } 1902 1903 fat_entry_dir_deinit(); 1904 } 1905 #else 1906 static void dump_fat(void) 1907 { 1908 } 1909 #endif 1910 1911 #if (TRACE_LEVEL >= TRACE_DEBUG) 1912 static void dump_fh(struct rpmb_file_handle *fh) 1913 { 1914 DMSG("fh->filename=%s", fh->filename); 1915 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1916 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1917 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1918 } 1919 #else 1920 static void dump_fh(struct rpmb_file_handle *fh __unused) 1921 { 1922 } 1923 #endif 1924 1925 /* "/TA_uuid/object_id" or "/TA_uuid/.object_id" */ 1926 static TEE_Result create_filename(void *buf, size_t blen, struct tee_pobj *po, 1927 bool transient) 1928 { 1929 uint8_t *file = buf; 1930 uint32_t pos = 0; 1931 uint32_t hslen = 1 /* Leading slash */ 1932 + TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID) + po->obj_id_len) 1933 + 1; /* Intermediate slash */ 1934 1935 /* +1 for the '.' (temporary persistent object) */ 1936 if (transient) 1937 hslen++; 1938 1939 if (blen < hslen) 1940 return TEE_ERROR_SHORT_BUFFER; 1941 1942 file[pos++] = '/'; 1943 pos += tee_b2hs((uint8_t *)&po->uuid, &file[pos], 1944 sizeof(TEE_UUID), hslen); 1945 file[pos++] = '/'; 1946 1947 if (transient) 1948 file[pos++] = '.'; 1949 1950 tee_b2hs(po->obj_id, file + pos, po->obj_id_len, hslen - pos); 1951 1952 return TEE_SUCCESS; 1953 } 1954 1955 /* "/TA_uuid" */ 1956 static TEE_Result create_dirname(void *buf, size_t blen, const TEE_UUID *uuid) 1957 { 1958 uint8_t *dir = buf; 1959 uint32_t hslen = TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID)) + 1; 1960 1961 if (blen < hslen) 1962 return TEE_ERROR_SHORT_BUFFER; 1963 1964 dir[0] = '/'; 1965 tee_b2hs((uint8_t *)uuid, dir + 1, sizeof(TEE_UUID), hslen); 1966 1967 return TEE_SUCCESS; 1968 } 1969 1970 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1971 bool temporary) 1972 { 1973 struct rpmb_file_handle *fh = NULL; 1974 1975 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1976 if (!fh) 1977 return NULL; 1978 1979 if (po) 1980 create_filename(fh->filename, sizeof(fh->filename), po, 1981 temporary); 1982 1983 return fh; 1984 } 1985 1986 /** 1987 * write_fat_entry: Store info in a fat_entry to RPMB. 1988 */ 1989 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1990 bool update_write_counter) 1991 { 1992 TEE_Result res = TEE_ERROR_GENERIC; 1993 1994 /* Protect partition data. */ 1995 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1996 res = TEE_ERROR_ACCESS_CONFLICT; 1997 goto out; 1998 } 1999 2000 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 2001 res = TEE_ERROR_BAD_PARAMETERS; 2002 goto out; 2003 } 2004 2005 if (update_write_counter) { 2006 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 2007 &fh->fat_entry.write_counter); 2008 if (res) 2009 goto out; 2010 } 2011 2012 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 2013 (uint8_t *)&fh->fat_entry, 2014 sizeof(struct rpmb_fat_entry), NULL, NULL); 2015 2016 dump_fat(); 2017 2018 /* If caching enabled, update a successfully written entry in cache. */ 2019 if (CFG_RPMB_FS_CACHE_ENTRIES && !res) 2020 res = fat_entry_dir_update(&fh->fat_entry, 2021 fh->rpmb_fat_address); 2022 2023 out: 2024 return res; 2025 } 2026 2027 /** 2028 * rpmb_fs_setup: Setup RPMB FS. 2029 * Set initial partition and FS values and write to RPMB. 2030 * Store frequently used data in RAM. 2031 */ 2032 static TEE_Result rpmb_fs_setup(void) 2033 { 2034 TEE_Result res = TEE_ERROR_GENERIC; 2035 struct rpmb_fs_partition *partition_data = NULL; 2036 struct rpmb_file_handle *fh = NULL; 2037 uint32_t max_rpmb_block = 0; 2038 2039 if (fs_par) { 2040 res = TEE_SUCCESS; 2041 goto out; 2042 } 2043 2044 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 2045 if (res != TEE_SUCCESS) 2046 goto out; 2047 2048 /* 2049 * We're going to read a full block in order to have a full block 2050 * for the dummy write below. 2051 */ 2052 COMPILE_TIME_ASSERT(sizeof(struct rpmb_fs_partition) <= 2053 RPMB_DATA_SIZE); 2054 partition_data = calloc(1, RPMB_DATA_SIZE); 2055 if (!partition_data) { 2056 res = TEE_ERROR_OUT_OF_MEMORY; 2057 goto out; 2058 } 2059 2060 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2061 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2062 NULL, NULL); 2063 if (res != TEE_SUCCESS) 2064 goto out; 2065 /* 2066 * Perform a write in order to increase the write counter. This 2067 * prevents late usage (replay attack) of a previously blocked 2068 * request with a valid write counter value. 2069 */ 2070 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2071 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2072 NULL, NULL); 2073 if (res != TEE_SUCCESS) 2074 goto out; 2075 /* 2076 * We're reading again in case a stale request was committed 2077 * instead of the one issued above. If this succeeds we're in sync 2078 * with the RPMB block since there are no other possible stale 2079 * blocks with valid write counters available. 2080 */ 2081 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2082 (uint8_t *)partition_data, 2083 sizeof(struct rpmb_fs_partition), NULL, NULL); 2084 if (res != TEE_SUCCESS) 2085 goto out; 2086 2087 #ifndef CFG_RPMB_RESET_FAT 2088 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 2089 if (partition_data->fs_version == FS_VERSION) { 2090 res = TEE_SUCCESS; 2091 goto store_fs_par; 2092 } else { 2093 EMSG("Wrong software is in use."); 2094 res = TEE_ERROR_ACCESS_DENIED; 2095 goto out; 2096 } 2097 } 2098 #else 2099 EMSG("**** Clearing Storage ****"); 2100 #endif 2101 2102 /* Setup new partition data. */ 2103 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 2104 partition_data->fs_version = FS_VERSION; 2105 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 2106 2107 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 2108 fh = alloc_file_handle(NULL, false); 2109 if (!fh) { 2110 res = TEE_ERROR_OUT_OF_MEMORY; 2111 goto out; 2112 } 2113 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 2114 fh->rpmb_fat_address = partition_data->fat_start_address; 2115 2116 /* Write init FAT entry and partition data to RPMB. */ 2117 res = write_fat_entry(fh, true); 2118 if (res != TEE_SUCCESS) 2119 goto out; 2120 2121 res = 2122 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 2123 &partition_data->write_counter); 2124 if (res != TEE_SUCCESS) 2125 goto out; 2126 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 2127 (uint8_t *)partition_data, 2128 sizeof(struct rpmb_fs_partition), NULL, NULL); 2129 2130 #ifndef CFG_RPMB_RESET_FAT 2131 store_fs_par: 2132 #endif 2133 2134 /* Store FAT start address. */ 2135 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 2136 if (!fs_par) { 2137 res = TEE_ERROR_OUT_OF_MEMORY; 2138 goto out; 2139 } 2140 2141 fs_par->fat_start_address = partition_data->fat_start_address; 2142 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 2143 2144 dump_fat(); 2145 2146 out: 2147 free(fh); 2148 free(partition_data); 2149 return res; 2150 } 2151 2152 /** 2153 * get_fat_start_address: 2154 * FAT start_address from fs_par. 2155 */ 2156 static TEE_Result get_fat_start_address(uint32_t *addr) 2157 { 2158 if (!fs_par) 2159 return TEE_ERROR_NO_DATA; 2160 2161 *addr = fs_par->fat_start_address; 2162 2163 return TEE_SUCCESS; 2164 } 2165 2166 /** 2167 * read_fat: Read FAT entries 2168 * Return matching FAT entry for read, rm rename and stat. 2169 * Build up memory pool and return matching entry for write operation. 2170 * "Last FAT entry" can be returned during write. 2171 */ 2172 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 2173 { 2174 TEE_Result res = TEE_ERROR_GENERIC; 2175 tee_mm_entry_t *mm = NULL; 2176 struct rpmb_fat_entry *fe = NULL; 2177 uint32_t fat_address; 2178 bool entry_found = false; 2179 bool expand_fat = false; 2180 struct rpmb_file_handle last_fh; 2181 2182 DMSG("fat_address %d", fh->rpmb_fat_address); 2183 2184 res = fat_entry_dir_init(); 2185 if (res) 2186 goto out; 2187 2188 /* 2189 * The pool is used to represent the current RPMB layout. To find 2190 * a slot for the file tee_mm_alloc is called on the pool. Thus 2191 * if it is not NULL the entire FAT must be traversed to fill in 2192 * the pool. 2193 */ 2194 while (true) { 2195 res = fat_entry_dir_get_next(&fe, &fat_address); 2196 if (res || !fe) 2197 break; 2198 2199 /* 2200 * Look for an entry, matching filenames. (read, rm, 2201 * rename and stat.). Only store first filename match. 2202 */ 2203 if ((!strcmp(fh->filename, fe->filename)) && 2204 (fe->flags & FILE_IS_ACTIVE) && !entry_found) { 2205 entry_found = true; 2206 fh->rpmb_fat_address = fat_address; 2207 memcpy(&fh->fat_entry, fe, sizeof(*fe)); 2208 if (!p) 2209 break; 2210 } 2211 2212 /* Add existing files to memory pool. (write) */ 2213 if (p) { 2214 if ((fe->flags & FILE_IS_ACTIVE) && fe->data_size > 0) { 2215 2216 mm = tee_mm_alloc2(p, fe->start_address, 2217 fe->data_size); 2218 if (!mm) { 2219 res = TEE_ERROR_OUT_OF_MEMORY; 2220 goto out; 2221 } 2222 } 2223 2224 /* Unused FAT entries can be reused (write) */ 2225 if (((fe->flags & FILE_IS_ACTIVE) == 0) && 2226 fh->rpmb_fat_address == 0) { 2227 fh->rpmb_fat_address = fat_address; 2228 memcpy(&fh->fat_entry, fe, 2229 sizeof(struct rpmb_fat_entry)); 2230 } 2231 2232 if (((fe->flags & FILE_IS_LAST_ENTRY) != 0) && 2233 fh->rpmb_fat_address == fat_address) { 2234 2235 /* 2236 * If the last entry was reached and was chosen 2237 * by the previous check, then the FAT needs to 2238 * be expanded. 2239 * fh->rpmb_fat_address is the address chosen 2240 * to store the files FAT entry and fat_address 2241 * is the current FAT entry address being 2242 * compared. 2243 */ 2244 expand_fat = true; 2245 } 2246 } 2247 } 2248 2249 if (res) 2250 goto out; 2251 /* 2252 * Represent the FAT table in the pool. 2253 */ 2254 if (p) { 2255 /* 2256 * Since fat_address is the start of the last entry it needs to 2257 * be moved up by an entry. 2258 */ 2259 fat_address += sizeof(struct rpmb_fat_entry); 2260 2261 /* Make room for yet a FAT entry and add to memory pool. */ 2262 if (expand_fat) 2263 fat_address += sizeof(struct rpmb_fat_entry); 2264 2265 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 2266 if (!mm) { 2267 res = TEE_ERROR_OUT_OF_MEMORY; 2268 goto out; 2269 } 2270 2271 if (expand_fat) { 2272 /* 2273 * Point fat_address to the beginning of the new 2274 * entry. 2275 */ 2276 fat_address -= sizeof(struct rpmb_fat_entry); 2277 memset(&last_fh, 0, sizeof(last_fh)); 2278 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 2279 last_fh.rpmb_fat_address = fat_address; 2280 res = write_fat_entry(&last_fh, true); 2281 if (res != TEE_SUCCESS) 2282 goto out; 2283 } 2284 } 2285 2286 if (!fh->rpmb_fat_address) 2287 res = TEE_ERROR_ITEM_NOT_FOUND; 2288 2289 out: 2290 fat_entry_dir_deinit(); 2291 return res; 2292 } 2293 2294 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 2295 { 2296 TEE_Result res; 2297 2298 again: 2299 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 2300 if (res != TEE_SUCCESS) 2301 return res; 2302 2303 if (is_zero(fe->fek, sizeof(fe->fek))) 2304 goto again; 2305 2306 return res; 2307 } 2308 2309 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 2310 const TEE_UUID *uuid, bool create) 2311 { 2312 tee_mm_pool_t p; 2313 bool pool_result; 2314 paddr_size_t pool_sz = 0; 2315 TEE_Result res = TEE_ERROR_GENERIC; 2316 2317 /* We need to do setup in order to make sure fs_par is filled in */ 2318 res = rpmb_fs_setup(); 2319 if (res != TEE_SUCCESS) 2320 goto out; 2321 2322 fh->uuid = uuid; 2323 if (create) { 2324 /* Upper memory allocation must be used for RPMB_FS. */ 2325 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2326 pool_result = tee_mm_init(&p, 2327 RPMB_STORAGE_START_ADDRESS, 2328 pool_sz, 2329 RPMB_BLOCK_SIZE_SHIFT, 2330 TEE_MM_POOL_HI_ALLOC); 2331 2332 if (!pool_result) { 2333 res = TEE_ERROR_OUT_OF_MEMORY; 2334 goto out; 2335 } 2336 2337 res = read_fat(fh, &p); 2338 tee_mm_final(&p); 2339 if (res != TEE_SUCCESS) 2340 goto out; 2341 } else { 2342 res = read_fat(fh, NULL); 2343 if (res != TEE_SUCCESS) 2344 goto out; 2345 } 2346 2347 /* 2348 * If this is opened with create and the entry found was not active 2349 * then this is a new file and the FAT entry must be written 2350 */ 2351 if (create) { 2352 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 2353 memset(&fh->fat_entry, 0, 2354 sizeof(struct rpmb_fat_entry)); 2355 memcpy(fh->fat_entry.filename, fh->filename, 2356 strlen(fh->filename)); 2357 /* Start address and size are 0 */ 2358 fh->fat_entry.flags = FILE_IS_ACTIVE; 2359 2360 res = generate_fek(&fh->fat_entry, uuid); 2361 if (res != TEE_SUCCESS) 2362 goto out; 2363 DMSG("GENERATE FEK key: %p", 2364 (void *)fh->fat_entry.fek); 2365 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 2366 2367 res = write_fat_entry(fh, true); 2368 if (res != TEE_SUCCESS) 2369 goto out; 2370 } 2371 } 2372 2373 res = TEE_SUCCESS; 2374 2375 out: 2376 return res; 2377 } 2378 2379 static void rpmb_fs_close(struct tee_file_handle **tfh) 2380 { 2381 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 2382 2383 free(fh); 2384 *tfh = NULL; 2385 } 2386 2387 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 2388 void *buf_core, void *buf_user, size_t *len) 2389 { 2390 TEE_Result res; 2391 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2392 size_t size = *len; 2393 2394 /* One of buf_core and buf_user must be NULL */ 2395 assert(!buf_core || !buf_user); 2396 2397 if (!size) 2398 return TEE_SUCCESS; 2399 2400 mutex_lock(&rpmb_mutex); 2401 2402 dump_fh(fh); 2403 2404 res = read_fat(fh, NULL); 2405 if (res != TEE_SUCCESS) 2406 goto out; 2407 2408 if (pos >= fh->fat_entry.data_size) { 2409 *len = 0; 2410 goto out; 2411 } 2412 2413 size = MIN(size, fh->fat_entry.data_size - pos); 2414 if (size) { 2415 if (buf_core) { 2416 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2417 fh->fat_entry.start_address + pos, 2418 buf_core, size, fh->fat_entry.fek, 2419 fh->uuid); 2420 if (res != TEE_SUCCESS) 2421 goto out; 2422 } else if (buf_user) { 2423 uint32_t f = TEE_MEMORY_ACCESS_WRITE; 2424 2425 res = check_user_access(f, buf_user, size); 2426 if (res) 2427 goto out; 2428 enter_user_access(); 2429 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2430 fh->fat_entry.start_address + pos, 2431 buf_user, size, fh->fat_entry.fek, 2432 fh->uuid); 2433 exit_user_access(); 2434 if (res) 2435 goto out; 2436 } 2437 } 2438 *len = size; 2439 2440 out: 2441 mutex_unlock(&rpmb_mutex); 2442 return res; 2443 } 2444 2445 static TEE_Result update_write_helper(struct rpmb_file_handle *fh, 2446 size_t pos, const void *buf, 2447 size_t size, uintptr_t new_fat, 2448 size_t new_size) 2449 { 2450 uintptr_t old_fat = fh->fat_entry.start_address; 2451 size_t old_size = fh->fat_entry.data_size; 2452 const uint8_t *rem_buf = buf; 2453 size_t rem_size = size; 2454 uint8_t *blk_buf = NULL; 2455 size_t blk_offset = 0; 2456 size_t blk_size = 0; 2457 TEE_Result res = TEE_SUCCESS; 2458 2459 blk_buf = mempool_alloc(mempool_default, TMP_BLOCK_SIZE); 2460 if (!blk_buf) 2461 return TEE_ERROR_OUT_OF_MEMORY; 2462 2463 while (blk_offset < new_size) { 2464 uint8_t *copy_dst = blk_buf; 2465 size_t copy_size = 0; 2466 size_t rd_size = 0; 2467 2468 blk_size = MIN(TMP_BLOCK_SIZE, new_size - blk_offset); 2469 memset(blk_buf, 0, blk_size); 2470 2471 /* Possibly read old RPMB data in temporary buffer */ 2472 if (blk_offset < pos && blk_offset < old_size) { 2473 rd_size = MIN(blk_size, old_size - blk_offset); 2474 2475 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2476 old_fat + blk_offset, blk_buf, 2477 rd_size, fh->fat_entry.fek, 2478 fh->uuid); 2479 if (res != TEE_SUCCESS) 2480 break; 2481 } 2482 2483 /* Possibly update data in temporary buffer */ 2484 if ((blk_offset + TMP_BLOCK_SIZE > pos) && 2485 (blk_offset < pos + size)) { 2486 size_t offset = 0; 2487 2488 copy_dst = blk_buf; 2489 copy_size = TMP_BLOCK_SIZE; 2490 2491 if (blk_offset < pos) { 2492 offset = pos - blk_offset; 2493 2494 copy_dst += offset; 2495 copy_size -= offset; 2496 } 2497 copy_size = MIN(copy_size, rem_size); 2498 2499 memcpy(copy_dst, rem_buf, copy_size); 2500 rem_buf += copy_size; 2501 rem_size -= copy_size; 2502 } 2503 2504 /* Write temporary buffer to new RPMB destination */ 2505 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, new_fat + blk_offset, 2506 blk_buf, blk_size, 2507 fh->fat_entry.fek, fh->uuid); 2508 if (res != TEE_SUCCESS) 2509 break; 2510 2511 blk_offset += blk_size; 2512 } 2513 2514 mempool_free(mempool_default, blk_buf); 2515 2516 return res; 2517 } 2518 2519 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 2520 size_t pos, const void *buf, 2521 size_t size) 2522 { 2523 TEE_Result res = TEE_ERROR_GENERIC; 2524 tee_mm_pool_t p = { }; 2525 bool pool_result = false; 2526 size_t end = 0; 2527 uint32_t start_addr = 0; 2528 paddr_size_t pool_sz = 0; 2529 2530 if (!size) 2531 return TEE_SUCCESS; 2532 2533 if (!fs_par) { 2534 res = TEE_ERROR_GENERIC; 2535 goto out; 2536 } 2537 2538 dump_fh(fh); 2539 2540 /* Upper memory allocation must be used for RPMB_FS. */ 2541 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2542 pool_result = tee_mm_init(&p, 2543 RPMB_STORAGE_START_ADDRESS, 2544 pool_sz, 2545 RPMB_BLOCK_SIZE_SHIFT, 2546 TEE_MM_POOL_HI_ALLOC); 2547 if (!pool_result) { 2548 res = TEE_ERROR_OUT_OF_MEMORY; 2549 goto out; 2550 } 2551 2552 res = read_fat(fh, &p); 2553 if (res != TEE_SUCCESS) 2554 goto out; 2555 2556 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2557 panic("invalid last entry flag"); 2558 2559 if (ADD_OVERFLOW(pos, size, &end)) { 2560 res = TEE_ERROR_BAD_PARAMETERS; 2561 goto out; 2562 } 2563 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2564 res = TEE_ERROR_BAD_PARAMETERS; 2565 goto out; 2566 } 2567 2568 if (end <= fh->fat_entry.data_size && 2569 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2570 2571 DMSG("Updating data in-place"); 2572 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2573 size, fh->fat_entry.fek, fh->uuid); 2574 } else { 2575 /* 2576 * File must be extended, or update cannot be atomic: allocate, 2577 * read, update, write. 2578 */ 2579 size_t new_size = MAX(end, fh->fat_entry.data_size); 2580 tee_mm_entry_t *mm = tee_mm_alloc(&p, new_size); 2581 uintptr_t new_fat_entry = 0; 2582 2583 DMSG("Need to re-allocate"); 2584 if (!mm) { 2585 DMSG("RPMB: No space left"); 2586 res = TEE_ERROR_STORAGE_NO_SPACE; 2587 goto out; 2588 } 2589 2590 new_fat_entry = tee_mm_get_smem(mm); 2591 2592 res = update_write_helper(fh, pos, buf, size, 2593 new_fat_entry, new_size); 2594 if (res == TEE_SUCCESS) { 2595 fh->fat_entry.data_size = new_size; 2596 fh->fat_entry.start_address = new_fat_entry; 2597 2598 res = write_fat_entry(fh, true); 2599 } 2600 } 2601 2602 out: 2603 if (pool_result) 2604 tee_mm_final(&p); 2605 2606 return res; 2607 } 2608 2609 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2610 const void *buf_core, const void *buf_user, 2611 size_t size) 2612 { 2613 TEE_Result res = TEE_SUCCESS; 2614 2615 /* One of buf_core and buf_user must be NULL */ 2616 assert(!buf_core || !buf_user); 2617 2618 if (!size) 2619 return TEE_SUCCESS; 2620 2621 mutex_lock(&rpmb_mutex); 2622 if (buf_core) { 2623 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2624 pos, buf_core, size); 2625 } else if (buf_user) { 2626 uint32_t f = TEE_MEMORY_ACCESS_READ; 2627 2628 res = check_user_access(f, buf_user, size); 2629 if (res) 2630 goto out; 2631 enter_user_access(); 2632 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2633 pos, buf_user, size); 2634 exit_user_access(); 2635 } 2636 out: 2637 mutex_unlock(&rpmb_mutex); 2638 2639 return res; 2640 } 2641 2642 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2643 { 2644 TEE_Result res; 2645 2646 res = read_fat(fh, NULL); 2647 if (res) 2648 return res; 2649 2650 /* Clear this file entry. */ 2651 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2652 return write_fat_entry(fh, false); 2653 } 2654 2655 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2656 { 2657 TEE_Result res; 2658 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2659 2660 if (!fh) 2661 return TEE_ERROR_OUT_OF_MEMORY; 2662 2663 mutex_lock(&rpmb_mutex); 2664 2665 res = rpmb_fs_remove_internal(fh); 2666 2667 mutex_unlock(&rpmb_mutex); 2668 2669 free(fh); 2670 return res; 2671 } 2672 2673 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2674 struct tee_pobj *new, 2675 bool overwrite) 2676 { 2677 TEE_Result res = TEE_ERROR_GENERIC; 2678 struct rpmb_file_handle *fh_old = NULL; 2679 struct rpmb_file_handle *fh_new = NULL; 2680 2681 if (!old) { 2682 res = TEE_ERROR_BAD_PARAMETERS; 2683 goto out; 2684 } 2685 2686 if (new) 2687 fh_old = alloc_file_handle(old, old->temporary); 2688 else 2689 fh_old = alloc_file_handle(old, true); 2690 if (!fh_old) { 2691 res = TEE_ERROR_OUT_OF_MEMORY; 2692 goto out; 2693 } 2694 2695 if (new) 2696 fh_new = alloc_file_handle(new, new->temporary); 2697 else 2698 fh_new = alloc_file_handle(old, false); 2699 if (!fh_new) { 2700 res = TEE_ERROR_OUT_OF_MEMORY; 2701 goto out; 2702 } 2703 2704 res = read_fat(fh_old, NULL); 2705 if (res != TEE_SUCCESS) 2706 goto out; 2707 2708 res = read_fat(fh_new, NULL); 2709 if (res == TEE_SUCCESS) { 2710 if (!overwrite) { 2711 res = TEE_ERROR_ACCESS_CONFLICT; 2712 goto out; 2713 } 2714 2715 /* Clear this file entry. */ 2716 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2717 res = write_fat_entry(fh_new, false); 2718 if (res != TEE_SUCCESS) 2719 goto out; 2720 } 2721 2722 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2723 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2724 strlen(fh_new->filename)); 2725 2726 res = write_fat_entry(fh_old, false); 2727 2728 out: 2729 free(fh_old); 2730 free(fh_new); 2731 2732 return res; 2733 } 2734 2735 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2736 bool overwrite) 2737 { 2738 TEE_Result res; 2739 2740 mutex_lock(&rpmb_mutex); 2741 res = rpmb_fs_rename_internal(old, new, overwrite); 2742 mutex_unlock(&rpmb_mutex); 2743 2744 return res; 2745 } 2746 2747 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2748 { 2749 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2750 tee_mm_pool_t p; 2751 bool pool_result = false; 2752 tee_mm_entry_t *mm; 2753 uint32_t newsize; 2754 uint8_t *newbuf = NULL; 2755 uintptr_t newaddr; 2756 TEE_Result res = TEE_ERROR_GENERIC; 2757 paddr_size_t pool_sz = 0; 2758 2759 mutex_lock(&rpmb_mutex); 2760 2761 if (length > INT32_MAX) { 2762 res = TEE_ERROR_BAD_PARAMETERS; 2763 goto out; 2764 } 2765 newsize = length; 2766 2767 res = read_fat(fh, NULL); 2768 if (res != TEE_SUCCESS) 2769 goto out; 2770 2771 if (newsize > fh->fat_entry.data_size) { 2772 /* Extend file */ 2773 2774 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2775 pool_result = tee_mm_init(&p, 2776 RPMB_STORAGE_START_ADDRESS, 2777 pool_sz, 2778 RPMB_BLOCK_SIZE_SHIFT, 2779 TEE_MM_POOL_HI_ALLOC); 2780 if (!pool_result) { 2781 res = TEE_ERROR_OUT_OF_MEMORY; 2782 goto out; 2783 } 2784 res = read_fat(fh, &p); 2785 if (res != TEE_SUCCESS) 2786 goto out; 2787 2788 mm = tee_mm_alloc(&p, newsize); 2789 newbuf = calloc(1, newsize); 2790 if (!mm || !newbuf) { 2791 res = TEE_ERROR_OUT_OF_MEMORY; 2792 goto out; 2793 } 2794 2795 if (fh->fat_entry.data_size) { 2796 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2797 fh->fat_entry.start_address, 2798 newbuf, fh->fat_entry.data_size, 2799 fh->fat_entry.fek, fh->uuid); 2800 if (res != TEE_SUCCESS) 2801 goto out; 2802 } 2803 2804 newaddr = tee_mm_get_smem(mm); 2805 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2806 newsize, fh->fat_entry.fek, fh->uuid); 2807 if (res != TEE_SUCCESS) 2808 goto out; 2809 2810 } else { 2811 /* Don't change file location */ 2812 newaddr = fh->fat_entry.start_address; 2813 } 2814 2815 /* fh->pos is unchanged */ 2816 fh->fat_entry.data_size = newsize; 2817 fh->fat_entry.start_address = newaddr; 2818 res = write_fat_entry(fh, true); 2819 2820 out: 2821 mutex_unlock(&rpmb_mutex); 2822 if (pool_result) 2823 tee_mm_final(&p); 2824 if (newbuf) 2825 free(newbuf); 2826 2827 return res; 2828 } 2829 2830 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2831 { 2832 struct tee_rpmb_fs_dirent *e; 2833 2834 if (!dir) 2835 return; 2836 2837 free(dir->current); 2838 2839 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2840 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2841 free(e); 2842 } 2843 } 2844 2845 static TEE_Result rpmb_fs_dir_populate(const char *path, 2846 struct tee_fs_dir *dir) 2847 { 2848 struct tee_rpmb_fs_dirent *current = NULL; 2849 struct rpmb_fat_entry *fe = NULL; 2850 uint32_t fat_address; 2851 uint32_t filelen; 2852 char *filename; 2853 bool matched; 2854 struct tee_rpmb_fs_dirent *next = NULL; 2855 uint32_t pathlen; 2856 TEE_Result res = TEE_ERROR_GENERIC; 2857 char temp; 2858 2859 mutex_lock(&rpmb_mutex); 2860 2861 res = fat_entry_dir_init(); 2862 if (res) 2863 goto out; 2864 2865 pathlen = strlen(path); 2866 2867 while (true) { 2868 res = fat_entry_dir_get_next(&fe, &fat_address); 2869 if (res || !fe) 2870 break; 2871 2872 filename = fe->filename; 2873 if (fe->flags & FILE_IS_ACTIVE) { 2874 matched = false; 2875 filelen = strlen(filename); 2876 if (filelen > pathlen) { 2877 temp = filename[pathlen]; 2878 filename[pathlen] = '\0'; 2879 if (strcmp(filename, path) == 0) 2880 matched = true; 2881 2882 filename[pathlen] = temp; 2883 } 2884 2885 if (matched) { 2886 next = malloc(sizeof(*next)); 2887 if (!next) { 2888 res = TEE_ERROR_OUT_OF_MEMORY; 2889 goto out; 2890 } 2891 2892 next->entry.oidlen = tee_hs2b((uint8_t *) 2893 &filename[pathlen], 2894 next->entry.oid, 2895 filelen - pathlen, 2896 sizeof(next->entry.oid)); 2897 if (next->entry.oidlen) { 2898 SIMPLEQ_INSERT_TAIL(&dir->next, 2899 next, link); 2900 current = next; 2901 } else { 2902 free(next); 2903 next = NULL; 2904 } 2905 } 2906 } 2907 } 2908 2909 if (res) 2910 goto out; 2911 2912 if (current) 2913 res = TEE_SUCCESS; 2914 else 2915 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2916 2917 out: 2918 mutex_unlock(&rpmb_mutex); 2919 fat_entry_dir_deinit(); 2920 if (res) 2921 rpmb_fs_dir_free(dir); 2922 2923 return res; 2924 } 2925 2926 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2927 { 2928 uint32_t len; 2929 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2930 TEE_Result res = TEE_ERROR_GENERIC; 2931 struct tee_fs_dir *rpmb_dir = NULL; 2932 2933 if (!uuid || !dir) { 2934 res = TEE_ERROR_BAD_PARAMETERS; 2935 goto out; 2936 } 2937 2938 memset(path_local, 0, sizeof(path_local)); 2939 if (create_dirname(path_local, sizeof(path_local) - 1, uuid)) { 2940 res = TEE_ERROR_BAD_PARAMETERS; 2941 goto out; 2942 } 2943 len = strlen(path_local); 2944 2945 /* Add a slash to correctly match the full directory name. */ 2946 if (path_local[len - 1] != '/') 2947 path_local[len] = '/'; 2948 2949 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2950 if (!rpmb_dir) { 2951 res = TEE_ERROR_OUT_OF_MEMORY; 2952 goto out; 2953 } 2954 SIMPLEQ_INIT(&rpmb_dir->next); 2955 2956 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2957 if (res != TEE_SUCCESS) { 2958 free(rpmb_dir); 2959 rpmb_dir = NULL; 2960 goto out; 2961 } 2962 2963 *dir = rpmb_dir; 2964 2965 out: 2966 return res; 2967 } 2968 2969 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2970 struct tee_fs_dirent **ent) 2971 { 2972 if (!dir) 2973 return TEE_ERROR_GENERIC; 2974 2975 free(dir->current); 2976 2977 dir->current = SIMPLEQ_FIRST(&dir->next); 2978 if (!dir->current) 2979 return TEE_ERROR_ITEM_NOT_FOUND; 2980 2981 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2982 2983 *ent = &dir->current->entry; 2984 return TEE_SUCCESS; 2985 } 2986 2987 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2988 { 2989 if (dir) { 2990 rpmb_fs_dir_free(dir); 2991 free(dir); 2992 } 2993 } 2994 2995 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2996 struct tee_file_handle **ret_fh) 2997 { 2998 TEE_Result res; 2999 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 3000 3001 if (!fh) 3002 return TEE_ERROR_OUT_OF_MEMORY; 3003 3004 mutex_lock(&rpmb_mutex); 3005 3006 res = rpmb_fs_open_internal(fh, &po->uuid, false); 3007 if (!res && size) 3008 *size = fh->fat_entry.data_size; 3009 3010 mutex_unlock(&rpmb_mutex); 3011 3012 if (res) 3013 free(fh); 3014 else 3015 *ret_fh = (struct tee_file_handle *)fh; 3016 3017 return res; 3018 } 3019 3020 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 3021 const void *head, size_t head_size, 3022 const void *attr, size_t attr_size, 3023 const void *data_core, const void *data_user, 3024 size_t data_size, 3025 struct tee_file_handle **ret_fh) 3026 { 3027 TEE_Result res; 3028 size_t pos = 0; 3029 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 3030 3031 /* One of data_core and data_user must be NULL */ 3032 assert(!data_core || !data_user); 3033 3034 if (!fh) 3035 return TEE_ERROR_OUT_OF_MEMORY; 3036 3037 mutex_lock(&rpmb_mutex); 3038 res = rpmb_fs_open_internal(fh, &po->uuid, true); 3039 if (res) 3040 goto out; 3041 3042 if (head && head_size) { 3043 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 3044 if (res) 3045 goto out; 3046 pos += head_size; 3047 } 3048 3049 if (attr && attr_size) { 3050 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 3051 if (res) 3052 goto out; 3053 pos += attr_size; 3054 } 3055 3056 if (data_size) { 3057 if (data_core) { 3058 res = rpmb_fs_write_primitive(fh, pos, data_core, 3059 data_size); 3060 if (res) 3061 goto out; 3062 } else if (data_user) { 3063 uint32_t f = TEE_MEMORY_ACCESS_READ | 3064 TEE_MEMORY_ACCESS_ANY_OWNER; 3065 3066 res = check_user_access(f, data_user, data_size); 3067 if (res) 3068 goto out; 3069 enter_user_access(); 3070 res = rpmb_fs_write_primitive(fh, pos, data_user, 3071 data_size); 3072 exit_user_access(); 3073 if (res) 3074 goto out; 3075 } 3076 } 3077 3078 if (po->temporary) { 3079 /* 3080 * If it's a temporary filename (which it normally is) 3081 * rename into the final filename now that the file is 3082 * fully initialized. 3083 */ 3084 po->temporary = false; 3085 res = rpmb_fs_rename_internal(po, NULL, overwrite); 3086 if (res) { 3087 po->temporary = true; 3088 goto out; 3089 } 3090 /* Update file handle after rename. */ 3091 create_filename(fh->filename, sizeof(fh->filename), po, false); 3092 } 3093 3094 out: 3095 if (res) { 3096 rpmb_fs_remove_internal(fh); 3097 free(fh); 3098 } else { 3099 *ret_fh = (struct tee_file_handle *)fh; 3100 } 3101 mutex_unlock(&rpmb_mutex); 3102 3103 return res; 3104 } 3105 3106 const struct tee_file_operations rpmb_fs_ops = { 3107 .open = rpmb_fs_open, 3108 .create = rpmb_fs_create, 3109 .close = rpmb_fs_close, 3110 .read = rpmb_fs_read, 3111 .write = rpmb_fs_write, 3112 .truncate = rpmb_fs_truncate, 3113 .rename = rpmb_fs_rename, 3114 .remove = rpmb_fs_remove, 3115 .opendir = rpmb_fs_opendir, 3116 .closedir = rpmb_fs_closedir, 3117 .readdir = rpmb_fs_readdir, 3118 }; 3119 3120 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 3121 struct tee_file_handle **ret_fh) 3122 { 3123 TEE_Result res; 3124 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 3125 static const TEE_UUID uuid = { 0 }; 3126 3127 if (!fh) 3128 return TEE_ERROR_OUT_OF_MEMORY; 3129 3130 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 3131 3132 mutex_lock(&rpmb_mutex); 3133 3134 res = rpmb_fs_open_internal(fh, &uuid, create); 3135 3136 mutex_unlock(&rpmb_mutex); 3137 3138 if (res) { 3139 if (create) 3140 rpmb_fs_remove_internal(fh); 3141 free(fh); 3142 } else { 3143 *ret_fh = (struct tee_file_handle *)fh; 3144 } 3145 3146 return res; 3147 } 3148 3149 bool __weak plat_rpmb_key_is_ready(void) 3150 { 3151 return true; 3152 } 3153