1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 326 { 327 *res = *(bytes + 1) & RPMB_RESULT_MASK; 328 } 329 330 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 331 uint8_t *key, uint32_t keysize, 332 struct rpmb_data_frame *datafrms, 333 uint16_t blkcnt) 334 { 335 TEE_Result res = TEE_ERROR_GENERIC; 336 int i; 337 void *ctx = NULL; 338 339 if (!mac || !key || !datafrms) 340 return TEE_ERROR_BAD_PARAMETERS; 341 342 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 343 if (res) 344 return res; 345 346 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, key, keysize); 347 if (res != TEE_SUCCESS) 348 goto func_exit; 349 350 for (i = 0; i < blkcnt; i++) { 351 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, 352 datafrms[i].data, 353 RPMB_MAC_PROTECT_DATA_SIZE); 354 if (res != TEE_SUCCESS) 355 goto func_exit; 356 } 357 358 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, mac, macsize); 359 if (res != TEE_SUCCESS) 360 goto func_exit; 361 362 res = TEE_SUCCESS; 363 364 func_exit: 365 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 366 return res; 367 } 368 369 struct tee_rpmb_mem { 370 struct mobj *phreq_mobj; 371 struct mobj *phresp_mobj; 372 size_t req_size; 373 size_t resp_size; 374 }; 375 376 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 377 { 378 if (!mem) 379 return; 380 381 if (mem->phreq_mobj) { 382 thread_rpc_free_payload(mem->phreq_mobj); 383 mem->phreq_mobj = NULL; 384 } 385 if (mem->phresp_mobj) { 386 thread_rpc_free_payload(mem->phresp_mobj); 387 mem->phresp_mobj = NULL; 388 } 389 } 390 391 392 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 393 struct tee_rpmb_mem *mem, void **req, void **resp) 394 { 395 TEE_Result res = TEE_SUCCESS; 396 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 397 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 398 399 if (!mem) 400 return TEE_ERROR_BAD_PARAMETERS; 401 402 memset(mem, 0, sizeof(*mem)); 403 404 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 405 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 406 407 if (!mem->phreq_mobj || !mem->phresp_mobj) { 408 res = TEE_ERROR_OUT_OF_MEMORY; 409 goto out; 410 } 411 412 *req = mobj_get_va(mem->phreq_mobj, 0); 413 *resp = mobj_get_va(mem->phresp_mobj, 0); 414 if (!*req || !*resp) { 415 res = TEE_ERROR_GENERIC; 416 goto out; 417 } 418 419 mem->req_size = req_size; 420 mem->resp_size = resp_size; 421 422 out: 423 if (res != TEE_SUCCESS) 424 tee_rpmb_free(mem); 425 return res; 426 } 427 428 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 429 { 430 struct thread_param params[2] = { 431 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 432 mem->req_size), 433 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 434 mem->resp_size), 435 }; 436 437 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 438 } 439 440 static bool is_zero(const uint8_t *buf, size_t size) 441 { 442 size_t i; 443 444 for (i = 0; i < size; i++) 445 if (buf[i]) 446 return false; 447 return true; 448 } 449 450 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 451 uint16_t blk_idx, const uint8_t *fek, 452 const TEE_UUID *uuid) 453 { 454 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 455 blk_idx, fek, TEE_MODE_ENCRYPT); 456 } 457 458 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 459 uint16_t blk_idx, const uint8_t *fek, 460 const TEE_UUID *uuid) 461 { 462 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 463 blk_idx, fek, TEE_MODE_DECRYPT); 464 } 465 466 /* Decrypt/copy at most one block of data */ 467 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 468 size_t size, size_t offset, 469 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 470 const TEE_UUID *uuid) 471 { 472 uint8_t *tmp __maybe_unused; 473 474 475 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 476 panic("invalid size or offset"); 477 478 if (!fek) { 479 /* Block is not encrypted (not a file data block) */ 480 memcpy(out, frm->data + offset, size); 481 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 482 /* The file was created with encryption disabled */ 483 return TEE_ERROR_SECURITY; 484 } else { 485 /* Block is encrypted */ 486 if (size < RPMB_DATA_SIZE) { 487 /* 488 * Since output buffer is not large enough to hold one 489 * block we must allocate a temporary buffer. 490 */ 491 tmp = malloc(RPMB_DATA_SIZE); 492 if (!tmp) 493 return TEE_ERROR_OUT_OF_MEMORY; 494 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 495 memcpy(out, tmp + offset, size); 496 free(tmp); 497 } else { 498 decrypt_block(out, frm->data, blk_idx, fek, uuid); 499 } 500 } 501 502 return TEE_SUCCESS; 503 } 504 505 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 506 struct rpmb_raw_data *rawdata, 507 uint16_t nbr_frms, uint16_t dev_id, 508 const uint8_t *fek, const TEE_UUID *uuid) 509 { 510 TEE_Result res = TEE_ERROR_GENERIC; 511 int i; 512 struct rpmb_data_frame *datafrm; 513 514 if (!req || !rawdata || !nbr_frms) 515 return TEE_ERROR_BAD_PARAMETERS; 516 517 /* 518 * Check write blockcount is not bigger than reliable write 519 * blockcount. 520 */ 521 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 522 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 523 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 524 rpmb_ctx->rel_wr_blkcnt); 525 return TEE_ERROR_GENERIC; 526 } 527 528 req->cmd = RPMB_CMD_DATA_REQ; 529 req->dev_id = dev_id; 530 531 /* Allocate memory for construct all data packets and calculate MAC. */ 532 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 533 if (!datafrm) 534 return TEE_ERROR_OUT_OF_MEMORY; 535 536 for (i = 0; i < nbr_frms; i++) { 537 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 538 539 if (rawdata->block_count) 540 u16_to_bytes(*rawdata->block_count, 541 datafrm[i].block_count); 542 543 if (rawdata->blk_idx) { 544 /* Check the block index is within range. */ 545 if ((*rawdata->blk_idx + nbr_frms) > 546 rpmb_ctx->max_blk_idx) { 547 res = TEE_ERROR_GENERIC; 548 goto func_exit; 549 } 550 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 551 } 552 553 if (rawdata->write_counter) 554 u32_to_bytes(*rawdata->write_counter, 555 datafrm[i].write_counter); 556 557 if (rawdata->nonce) 558 memcpy(datafrm[i].nonce, rawdata->nonce, 559 RPMB_NONCE_SIZE); 560 561 if (rawdata->data) { 562 if (fek) 563 encrypt_block(datafrm[i].data, 564 rawdata->data + (i * RPMB_DATA_SIZE), 565 *rawdata->blk_idx + i, fek, uuid); 566 else 567 memcpy(datafrm[i].data, 568 rawdata->data + (i * RPMB_DATA_SIZE), 569 RPMB_DATA_SIZE); 570 } 571 } 572 573 if (rawdata->key_mac) { 574 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 575 res = 576 tee_rpmb_mac_calc(rawdata->key_mac, 577 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 578 RPMB_KEY_MAC_SIZE, datafrm, 579 nbr_frms); 580 if (res != TEE_SUCCESS) 581 goto func_exit; 582 } 583 memcpy(datafrm[nbr_frms - 1].key_mac, 584 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 585 } 586 587 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 588 nbr_frms * RPMB_DATA_FRAME_SIZE); 589 590 #ifdef CFG_RPMB_FS_DEBUG_DATA 591 for (i = 0; i < nbr_frms; i++) { 592 DMSG("Dumping data frame %d:", i); 593 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 594 512 - RPMB_STUFF_DATA_SIZE); 595 } 596 #endif 597 598 res = TEE_SUCCESS; 599 func_exit: 600 free(datafrm); 601 return res; 602 } 603 604 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 605 struct rpmb_data_frame *frm, 606 const uint8_t *fek, const TEE_UUID *uuid) 607 { 608 TEE_Result res; 609 uint8_t *data; 610 uint16_t idx; 611 612 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 613 return TEE_ERROR_BAD_PARAMETERS; 614 615 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 616 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 617 if (res != TEE_SUCCESS) 618 return res; 619 620 data = rawdata->data; 621 bytes_to_u16(frm->address, &idx); 622 623 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 624 uuid); 625 return res; 626 } 627 628 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 629 struct rpmb_raw_data *rawdata, 630 uint16_t nbr_frms, 631 struct rpmb_data_frame *lastfrm, 632 const uint8_t *fek, 633 const TEE_UUID *uuid) 634 { 635 TEE_Result res = TEE_ERROR_GENERIC; 636 int i; 637 void *ctx = NULL; 638 uint16_t offset; 639 uint32_t size; 640 uint8_t *data; 641 uint16_t start_idx; 642 struct rpmb_data_frame localfrm; 643 644 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 645 return TEE_ERROR_BAD_PARAMETERS; 646 647 if (nbr_frms == 1) 648 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 649 650 /* nbr_frms > 1 */ 651 652 data = rawdata->data; 653 654 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 655 if (res) 656 goto func_exit; 657 658 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, rpmb_ctx->key, 659 RPMB_KEY_MAC_SIZE); 660 if (res != TEE_SUCCESS) 661 goto func_exit; 662 663 /* 664 * Note: JEDEC JESD84-B51: "In every packet the address is the start 665 * address of the full access (not address of the individual half a 666 * sector)" 667 */ 668 bytes_to_u16(lastfrm->address, &start_idx); 669 670 for (i = 0; i < (nbr_frms - 1); i++) { 671 672 /* 673 * By working on a local copy of the RPMB frame, we ensure that 674 * the data can not be modified after the MAC is computed but 675 * before the payload is decrypted/copied to the output buffer. 676 */ 677 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 678 679 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, localfrm.data, 680 RPMB_MAC_PROTECT_DATA_SIZE); 681 if (res != TEE_SUCCESS) 682 goto func_exit; 683 684 if (i == 0) { 685 /* First block */ 686 offset = rawdata->byte_offset; 687 size = RPMB_DATA_SIZE - offset; 688 } else { 689 /* Middle blocks */ 690 size = RPMB_DATA_SIZE; 691 offset = 0; 692 } 693 694 res = decrypt(data, &localfrm, size, offset, start_idx + i, 695 fek, uuid); 696 if (res != TEE_SUCCESS) 697 goto func_exit; 698 699 data += size; 700 } 701 702 /* Last block */ 703 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 704 if (size == 0) 705 size = RPMB_DATA_SIZE; 706 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 707 uuid); 708 if (res != TEE_SUCCESS) 709 goto func_exit; 710 711 /* Update MAC against the last block */ 712 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, lastfrm->data, 713 RPMB_MAC_PROTECT_DATA_SIZE); 714 if (res != TEE_SUCCESS) 715 goto func_exit; 716 717 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, rawdata->key_mac, 718 RPMB_KEY_MAC_SIZE); 719 if (res != TEE_SUCCESS) 720 goto func_exit; 721 722 res = TEE_SUCCESS; 723 724 func_exit: 725 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 726 return res; 727 } 728 729 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 730 struct rpmb_raw_data *rawdata, 731 uint16_t nbr_frms, 732 const uint8_t *fek, 733 const TEE_UUID *uuid) 734 { 735 TEE_Result res = TEE_ERROR_GENERIC; 736 uint16_t msg_type; 737 uint32_t wr_cnt; 738 uint16_t blk_idx; 739 uint8_t op_result; 740 struct rpmb_data_frame lastfrm; 741 742 if (!datafrm || !rawdata || !nbr_frms) 743 return TEE_ERROR_BAD_PARAMETERS; 744 745 #ifdef CFG_RPMB_FS_DEBUG_DATA 746 for (uint32_t i = 0; i < nbr_frms; i++) { 747 DMSG("Dumping data frame %d:", i); 748 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 749 512 - RPMB_STUFF_DATA_SIZE); 750 } 751 #endif 752 753 /* Make sure the last data packet can't be modified once verified */ 754 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 755 756 /* Handle operation result and translate to TEEC error code. */ 757 get_op_result_bits(lastfrm.op_result, &op_result); 758 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 759 return TEE_ERROR_ITEM_NOT_FOUND; 760 if (op_result != RPMB_RESULT_OK) 761 return TEE_ERROR_GENERIC; 762 763 /* Check the response msg_type. */ 764 bytes_to_u16(lastfrm.msg_type, &msg_type); 765 if (msg_type != rawdata->msg_type) { 766 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 767 rawdata->msg_type); 768 return TEE_ERROR_GENERIC; 769 } 770 771 if (rawdata->blk_idx) { 772 bytes_to_u16(lastfrm.address, &blk_idx); 773 if (blk_idx != *rawdata->blk_idx) { 774 DMSG("Unexpected block index"); 775 return TEE_ERROR_GENERIC; 776 } 777 } 778 779 if (rawdata->write_counter) { 780 wr_cnt = *rawdata->write_counter; 781 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 782 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 783 /* Verify the write counter is incremented by 1 */ 784 if (*rawdata->write_counter != wr_cnt + 1) { 785 DMSG("Counter mismatched (0x%04x/0x%04x)", 786 *rawdata->write_counter, wr_cnt + 1); 787 return TEE_ERROR_SECURITY; 788 } 789 rpmb_ctx->wr_cnt++; 790 } 791 } 792 793 if (rawdata->nonce) { 794 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 795 RPMB_NONCE_SIZE) != 0) { 796 DMSG("Nonce mismatched"); 797 return TEE_ERROR_SECURITY; 798 } 799 } 800 801 if (rawdata->key_mac) { 802 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 803 if (!rawdata->data) 804 return TEE_ERROR_GENERIC; 805 806 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 807 nbr_frms, &lastfrm, 808 fek, uuid); 809 810 if (res != TEE_SUCCESS) 811 return res; 812 } else { 813 /* 814 * There should be only one data frame for 815 * other msg types. 816 */ 817 if (nbr_frms != 1) 818 return TEE_ERROR_GENERIC; 819 820 res = tee_rpmb_mac_calc(rawdata->key_mac, 821 RPMB_KEY_MAC_SIZE, 822 rpmb_ctx->key, 823 RPMB_KEY_MAC_SIZE, 824 &lastfrm, 1); 825 826 if (res != TEE_SUCCESS) 827 return res; 828 } 829 830 #ifndef CFG_RPMB_FS_NO_MAC 831 if (consttime_memcmp(rawdata->key_mac, 832 (datafrm + nbr_frms - 1)->key_mac, 833 RPMB_KEY_MAC_SIZE) != 0) { 834 DMSG("MAC mismatched:"); 835 #ifdef CFG_RPMB_FS_DEBUG_DATA 836 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 837 #endif 838 return TEE_ERROR_SECURITY; 839 } 840 #endif /* !CFG_RPMB_FS_NO_MAC */ 841 } 842 843 return TEE_SUCCESS; 844 } 845 846 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 847 struct rpmb_dev_info *dev_info) 848 { 849 TEE_Result res = TEE_ERROR_GENERIC; 850 struct tee_rpmb_mem mem; 851 struct rpmb_dev_info *di; 852 struct rpmb_req *req = NULL; 853 uint8_t *resp = NULL; 854 uint32_t req_size; 855 uint32_t resp_size; 856 857 if (!dev_info) 858 return TEE_ERROR_BAD_PARAMETERS; 859 860 req_size = sizeof(struct rpmb_req); 861 resp_size = sizeof(struct rpmb_dev_info); 862 res = tee_rpmb_alloc(req_size, resp_size, &mem, 863 (void *)&req, (void *)&resp); 864 if (res != TEE_SUCCESS) 865 goto func_exit; 866 867 req->cmd = RPMB_CMD_GET_DEV_INFO; 868 req->dev_id = dev_id; 869 870 di = (struct rpmb_dev_info *)resp; 871 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 872 873 res = tee_rpmb_invoke(&mem); 874 if (res != TEE_SUCCESS) 875 goto func_exit; 876 877 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 878 res = TEE_ERROR_GENERIC; 879 goto func_exit; 880 } 881 882 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 883 884 #ifdef CFG_RPMB_FS_DEBUG_DATA 885 DMSG("Dumping dev_info:"); 886 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 887 #endif 888 889 res = TEE_SUCCESS; 890 891 func_exit: 892 tee_rpmb_free(&mem); 893 return res; 894 } 895 896 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 897 uint32_t *wr_cnt, 898 uint16_t *op_result) 899 { 900 TEE_Result res = TEE_ERROR_GENERIC; 901 struct tee_rpmb_mem mem; 902 uint16_t msg_type; 903 uint8_t nonce[RPMB_NONCE_SIZE]; 904 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 905 struct rpmb_req *req = NULL; 906 struct rpmb_data_frame *resp = NULL; 907 struct rpmb_raw_data rawdata; 908 uint32_t req_size; 909 uint32_t resp_size; 910 911 if (!wr_cnt) 912 return TEE_ERROR_BAD_PARAMETERS; 913 914 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 915 resp_size = RPMB_DATA_FRAME_SIZE; 916 res = tee_rpmb_alloc(req_size, resp_size, &mem, 917 (void *)&req, (void *)&resp); 918 if (res != TEE_SUCCESS) 919 goto func_exit; 920 921 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 922 if (res != TEE_SUCCESS) 923 goto func_exit; 924 925 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 926 927 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 928 rawdata.msg_type = msg_type; 929 rawdata.nonce = nonce; 930 931 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 932 if (res != TEE_SUCCESS) 933 goto func_exit; 934 935 res = tee_rpmb_invoke(&mem); 936 if (res != TEE_SUCCESS) 937 goto func_exit; 938 939 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 940 941 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 942 rawdata.msg_type = msg_type; 943 rawdata.op_result = op_result; 944 rawdata.write_counter = wr_cnt; 945 rawdata.nonce = nonce; 946 rawdata.key_mac = hmac; 947 948 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 949 if (res != TEE_SUCCESS) 950 goto func_exit; 951 952 res = TEE_SUCCESS; 953 954 func_exit: 955 tee_rpmb_free(&mem); 956 return res; 957 } 958 959 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 960 { 961 uint16_t op_result = 0; 962 TEE_Result res = TEE_ERROR_GENERIC; 963 964 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 965 &op_result); 966 967 if (res == TEE_SUCCESS) { 968 rpmb_ctx->key_verified = true; 969 rpmb_ctx->wr_cnt_synced = true; 970 } else 971 EMSG("Verify key returning 0x%x", res); 972 return res; 973 } 974 975 #ifdef CFG_RPMB_WRITE_KEY 976 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 977 { 978 TEE_Result res = TEE_ERROR_GENERIC; 979 struct tee_rpmb_mem mem = { 0 }; 980 uint16_t msg_type; 981 struct rpmb_req *req = NULL; 982 struct rpmb_data_frame *resp = NULL; 983 struct rpmb_raw_data rawdata; 984 uint32_t req_size; 985 uint32_t resp_size; 986 987 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 988 resp_size = RPMB_DATA_FRAME_SIZE; 989 res = tee_rpmb_alloc(req_size, resp_size, &mem, 990 (void *)&req, (void *)&resp); 991 if (res != TEE_SUCCESS) 992 goto func_exit; 993 994 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 995 996 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 997 rawdata.msg_type = msg_type; 998 rawdata.key_mac = rpmb_ctx->key; 999 1000 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1001 if (res != TEE_SUCCESS) 1002 goto func_exit; 1003 1004 res = tee_rpmb_invoke(&mem); 1005 if (res != TEE_SUCCESS) 1006 goto func_exit; 1007 1008 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1009 1010 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1011 rawdata.msg_type = msg_type; 1012 1013 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1014 if (res != TEE_SUCCESS) 1015 goto func_exit; 1016 1017 res = TEE_SUCCESS; 1018 1019 func_exit: 1020 tee_rpmb_free(&mem); 1021 return res; 1022 } 1023 1024 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1025 { 1026 TEE_Result res; 1027 1028 DMSG("RPMB INIT: Writing Key value:"); 1029 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1030 1031 res = tee_rpmb_write_key(dev_id); 1032 if (res == TEE_SUCCESS) { 1033 DMSG("RPMB INIT: Verifying Key"); 1034 res = tee_rpmb_verify_key_sync_counter(dev_id); 1035 } 1036 return res; 1037 } 1038 #else 1039 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1040 { 1041 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1042 return TEE_ERROR_BAD_STATE; 1043 } 1044 #endif 1045 1046 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1047 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1048 { 1049 TEE_Result res = TEE_SUCCESS; 1050 struct rpmb_dev_info dev_info; 1051 uint32_t nblocks = 0; 1052 1053 if (!rpmb_ctx) { 1054 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1055 if (!rpmb_ctx) 1056 return TEE_ERROR_OUT_OF_MEMORY; 1057 } else if (rpmb_ctx->dev_id != dev_id) { 1058 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1059 } 1060 1061 rpmb_ctx->dev_id = dev_id; 1062 1063 if (!rpmb_ctx->dev_info_synced) { 1064 DMSG("RPMB: Syncing device information"); 1065 1066 dev_info.rpmb_size_mult = 0; 1067 dev_info.rel_wr_sec_c = 0; 1068 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1069 if (res != TEE_SUCCESS) 1070 goto func_exit; 1071 1072 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1073 DMSG("RPMB: Reliable Write Sector Count is %d", 1074 dev_info.rel_wr_sec_c); 1075 1076 if (dev_info.rpmb_size_mult == 0) { 1077 res = TEE_ERROR_GENERIC; 1078 goto func_exit; 1079 } 1080 1081 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1082 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1083 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1084 res = TEE_ERROR_BAD_PARAMETERS; 1085 goto func_exit; 1086 } 1087 1088 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1089 1090 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1091 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1092 #else 1093 rpmb_ctx->rel_wr_blkcnt = 1; 1094 #endif 1095 1096 rpmb_ctx->dev_info_synced = true; 1097 } 1098 1099 if (!rpmb_ctx->key_derived) { 1100 DMSG("RPMB INIT: Deriving key"); 1101 1102 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1103 RPMB_KEY_MAC_SIZE); 1104 if (res != TEE_SUCCESS) { 1105 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1106 res); 1107 goto func_exit; 1108 } 1109 1110 rpmb_ctx->key_derived = true; 1111 } 1112 1113 /* Perform a write counter read to verify if the key is ok. */ 1114 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1115 DMSG("RPMB INIT: Verifying Key"); 1116 1117 res = tee_rpmb_verify_key_sync_counter(dev_id); 1118 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1119 !rpmb_ctx->key_verified) { 1120 /* 1121 * Need to write the key here and verify it. 1122 */ 1123 DMSG("RPMB INIT: Auth key not yet written"); 1124 res = tee_rpmb_write_and_verify_key(dev_id); 1125 } else if (res != TEE_SUCCESS) { 1126 EMSG("Verify key failed!"); 1127 EMSG("Make sure key here matches device key"); 1128 } 1129 } 1130 1131 func_exit: 1132 return res; 1133 } 1134 1135 /* 1136 * Read RPMB data in bytes. 1137 * 1138 * @dev_id Device ID of the eMMC device. 1139 * @addr Byte address of data. 1140 * @data Pointer to the data. 1141 * @len Size of data in bytes. 1142 * @fek Encrypted File Encryption Key or NULL. 1143 */ 1144 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1145 uint32_t len, const uint8_t *fek, 1146 const TEE_UUID *uuid) 1147 { 1148 TEE_Result res = TEE_ERROR_GENERIC; 1149 struct tee_rpmb_mem mem = { 0 }; 1150 uint16_t msg_type; 1151 uint8_t nonce[RPMB_NONCE_SIZE]; 1152 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1153 struct rpmb_req *req = NULL; 1154 struct rpmb_data_frame *resp = NULL; 1155 struct rpmb_raw_data rawdata; 1156 uint32_t req_size; 1157 uint32_t resp_size; 1158 uint16_t blk_idx; 1159 uint16_t blkcnt; 1160 uint8_t byte_offset; 1161 1162 if (!data || !len) 1163 return TEE_ERROR_BAD_PARAMETERS; 1164 1165 blk_idx = addr / RPMB_DATA_SIZE; 1166 byte_offset = addr % RPMB_DATA_SIZE; 1167 1168 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1169 /* Overflow */ 1170 return TEE_ERROR_BAD_PARAMETERS; 1171 } 1172 blkcnt = 1173 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1174 res = tee_rpmb_init(dev_id); 1175 if (res != TEE_SUCCESS) 1176 goto func_exit; 1177 1178 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1179 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1180 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1181 (void *)&req, (void *)&resp); 1182 if (res != TEE_SUCCESS) 1183 goto func_exit; 1184 1185 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1186 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1187 if (res != TEE_SUCCESS) 1188 goto func_exit; 1189 1190 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1191 rawdata.msg_type = msg_type; 1192 rawdata.nonce = nonce; 1193 rawdata.blk_idx = &blk_idx; 1194 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1195 if (res != TEE_SUCCESS) 1196 goto func_exit; 1197 1198 req->block_count = blkcnt; 1199 1200 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1201 blk_idx); 1202 1203 res = tee_rpmb_invoke(&mem); 1204 if (res != TEE_SUCCESS) 1205 goto func_exit; 1206 1207 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1208 1209 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1210 rawdata.msg_type = msg_type; 1211 rawdata.block_count = &blkcnt; 1212 rawdata.blk_idx = &blk_idx; 1213 rawdata.nonce = nonce; 1214 rawdata.key_mac = hmac; 1215 rawdata.data = data; 1216 1217 rawdata.len = len; 1218 rawdata.byte_offset = byte_offset; 1219 1220 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1221 if (res != TEE_SUCCESS) 1222 goto func_exit; 1223 1224 res = TEE_SUCCESS; 1225 1226 func_exit: 1227 tee_rpmb_free(&mem); 1228 return res; 1229 } 1230 1231 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1232 const uint8_t *data_blks, uint16_t blkcnt, 1233 const uint8_t *fek, const TEE_UUID *uuid) 1234 { 1235 TEE_Result res; 1236 struct tee_rpmb_mem mem; 1237 uint16_t msg_type; 1238 uint32_t wr_cnt; 1239 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1240 struct rpmb_req *req = NULL; 1241 struct rpmb_data_frame *resp = NULL; 1242 struct rpmb_raw_data rawdata; 1243 uint32_t req_size; 1244 uint32_t resp_size; 1245 uint32_t nbr_writes; 1246 uint16_t tmp_blkcnt; 1247 uint16_t tmp_blk_idx; 1248 uint16_t i; 1249 1250 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1251 blk_idx); 1252 1253 if (!data_blks || !blkcnt) 1254 return TEE_ERROR_BAD_PARAMETERS; 1255 1256 res = tee_rpmb_init(dev_id); 1257 if (res != TEE_SUCCESS) 1258 return res; 1259 1260 /* 1261 * We need to split data when block count 1262 * is bigger than reliable block write count. 1263 */ 1264 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1265 req_size = sizeof(struct rpmb_req) + 1266 RPMB_DATA_FRAME_SIZE * blkcnt; 1267 else 1268 req_size = sizeof(struct rpmb_req) + 1269 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1270 1271 resp_size = RPMB_DATA_FRAME_SIZE; 1272 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1273 (void *)&req, (void *)&resp); 1274 if (res != TEE_SUCCESS) 1275 return res; 1276 1277 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1278 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1279 nbr_writes += 1; 1280 1281 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1282 tmp_blk_idx = blk_idx; 1283 for (i = 0; i < nbr_writes; i++) { 1284 /* 1285 * To handle the last write of block count which is 1286 * equal or smaller than reliable write block count. 1287 */ 1288 if (i == nbr_writes - 1) 1289 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1290 (nbr_writes - 1); 1291 1292 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1293 wr_cnt = rpmb_ctx->wr_cnt; 1294 1295 memset(req, 0x00, req_size); 1296 memset(resp, 0x00, resp_size); 1297 1298 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1299 rawdata.msg_type = msg_type; 1300 rawdata.block_count = &tmp_blkcnt; 1301 rawdata.blk_idx = &tmp_blk_idx; 1302 rawdata.write_counter = &wr_cnt; 1303 rawdata.key_mac = hmac; 1304 rawdata.data = (uint8_t *)data_blks + 1305 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1306 1307 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1308 fek, uuid); 1309 if (res != TEE_SUCCESS) 1310 goto out; 1311 1312 res = tee_rpmb_invoke(&mem); 1313 if (res != TEE_SUCCESS) { 1314 /* 1315 * To force wr_cnt sync next time, as it might get 1316 * out of sync due to inconsistent operation result! 1317 */ 1318 rpmb_ctx->wr_cnt_synced = false; 1319 goto out; 1320 } 1321 1322 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1323 1324 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1325 rawdata.msg_type = msg_type; 1326 rawdata.block_count = &tmp_blkcnt; 1327 rawdata.blk_idx = &tmp_blk_idx; 1328 rawdata.write_counter = &wr_cnt; 1329 rawdata.key_mac = hmac; 1330 1331 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1332 NULL); 1333 if (res != TEE_SUCCESS) { 1334 /* 1335 * To force wr_cnt sync next time, as it might get 1336 * out of sync due to inconsistent operation result! 1337 */ 1338 rpmb_ctx->wr_cnt_synced = false; 1339 goto out; 1340 } 1341 1342 tmp_blk_idx += tmp_blkcnt; 1343 } 1344 1345 out: 1346 tee_rpmb_free(&mem); 1347 return res; 1348 } 1349 1350 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1351 uint32_t len) 1352 { 1353 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1354 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1355 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1356 1357 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1358 } 1359 1360 /* 1361 * Write RPMB data in bytes. 1362 * 1363 * @dev_id Device ID of the eMMC device. 1364 * @addr Byte address of data. 1365 * @data Pointer to the data. 1366 * @len Size of data in bytes. 1367 * @fek Encrypted File Encryption Key or NULL. 1368 */ 1369 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1370 const uint8_t *data, uint32_t len, 1371 const uint8_t *fek, const TEE_UUID *uuid) 1372 { 1373 TEE_Result res = TEE_ERROR_GENERIC; 1374 uint8_t *data_tmp = NULL; 1375 uint16_t blk_idx; 1376 uint16_t blkcnt; 1377 uint8_t byte_offset; 1378 1379 blk_idx = addr / RPMB_DATA_SIZE; 1380 byte_offset = addr % RPMB_DATA_SIZE; 1381 1382 blkcnt = 1383 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1384 1385 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1386 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1387 uuid); 1388 if (res != TEE_SUCCESS) 1389 goto func_exit; 1390 } else { 1391 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1392 if (!data_tmp) { 1393 res = TEE_ERROR_OUT_OF_MEMORY; 1394 goto func_exit; 1395 } 1396 1397 /* Read the complete blocks */ 1398 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1399 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1400 if (res != TEE_SUCCESS) 1401 goto func_exit; 1402 1403 /* Partial update of the data blocks */ 1404 memcpy(data_tmp + byte_offset, data, len); 1405 1406 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1407 fek, uuid); 1408 if (res != TEE_SUCCESS) 1409 goto func_exit; 1410 } 1411 1412 res = TEE_SUCCESS; 1413 1414 func_exit: 1415 free(data_tmp); 1416 return res; 1417 } 1418 1419 /* 1420 * Read the RPMB write counter. 1421 * 1422 * @dev_id Device ID of the eMMC device. 1423 * @counter Pointer to the counter. 1424 */ 1425 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1426 uint32_t *counter) 1427 { 1428 TEE_Result res = TEE_SUCCESS; 1429 1430 if (!counter) 1431 return TEE_ERROR_BAD_PARAMETERS; 1432 1433 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1434 res = tee_rpmb_init(dev_id); 1435 if (res != TEE_SUCCESS) 1436 goto func_exit; 1437 } 1438 1439 *counter = rpmb_ctx->wr_cnt; 1440 1441 func_exit: 1442 return res; 1443 } 1444 1445 /* 1446 * Read the RPMB max block. 1447 * 1448 * @dev_id Device ID of the eMMC device. 1449 * @counter Pointer to receive the max block. 1450 */ 1451 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1452 { 1453 TEE_Result res = TEE_SUCCESS; 1454 1455 if (!max_block) 1456 return TEE_ERROR_BAD_PARAMETERS; 1457 1458 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1459 res = tee_rpmb_init(dev_id); 1460 if (res != TEE_SUCCESS) 1461 goto func_exit; 1462 } 1463 1464 *max_block = rpmb_ctx->max_blk_idx; 1465 1466 func_exit: 1467 return res; 1468 } 1469 1470 /* 1471 * End of lower interface to RPMB device 1472 */ 1473 1474 static TEE_Result get_fat_start_address(uint32_t *addr); 1475 1476 static void dump_fat(void) 1477 { 1478 TEE_Result res = TEE_ERROR_GENERIC; 1479 struct rpmb_fat_entry *fat_entries = NULL; 1480 uint32_t fat_address; 1481 size_t size; 1482 int i; 1483 bool last_entry_found = false; 1484 1485 res = get_fat_start_address(&fat_address); 1486 if (res != TEE_SUCCESS) 1487 goto out; 1488 1489 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1490 fat_entries = malloc(size); 1491 if (!fat_entries) { 1492 res = TEE_ERROR_OUT_OF_MEMORY; 1493 goto out; 1494 } 1495 1496 while (!last_entry_found) { 1497 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1498 (uint8_t *)fat_entries, size, NULL, NULL); 1499 if (res != TEE_SUCCESS) 1500 goto out; 1501 1502 for (i = 0; i < N_ENTRIES; i++) { 1503 1504 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1505 fat_entries[i].flags, 1506 fat_entries[i].data_size, 1507 fat_entries[i].start_address, 1508 fat_entries[i].filename); 1509 1510 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1511 last_entry_found = true; 1512 break; 1513 } 1514 1515 /* Move to next fat_entry. */ 1516 fat_address += sizeof(struct rpmb_fat_entry); 1517 } 1518 } 1519 1520 out: 1521 free(fat_entries); 1522 } 1523 1524 #if (TRACE_LEVEL >= TRACE_DEBUG) 1525 static void dump_fh(struct rpmb_file_handle *fh) 1526 { 1527 DMSG("fh->filename=%s", fh->filename); 1528 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1529 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1530 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1531 } 1532 #else 1533 static void dump_fh(struct rpmb_file_handle *fh __unused) 1534 { 1535 } 1536 #endif 1537 1538 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1539 bool temporary) 1540 { 1541 struct rpmb_file_handle *fh = NULL; 1542 1543 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1544 if (!fh) 1545 return NULL; 1546 1547 if (po) 1548 tee_svc_storage_create_filename(fh->filename, 1549 sizeof(fh->filename), po, 1550 temporary); 1551 1552 return fh; 1553 } 1554 1555 /** 1556 * write_fat_entry: Store info in a fat_entry to RPMB. 1557 */ 1558 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1559 bool update_write_counter) 1560 { 1561 TEE_Result res = TEE_ERROR_GENERIC; 1562 1563 /* Protect partition data. */ 1564 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1565 res = TEE_ERROR_ACCESS_CONFLICT; 1566 goto out; 1567 } 1568 1569 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1570 res = TEE_ERROR_BAD_PARAMETERS; 1571 goto out; 1572 } 1573 1574 if (update_write_counter) { 1575 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1576 &fh->fat_entry.write_counter); 1577 if (res != TEE_SUCCESS) 1578 goto out; 1579 } 1580 1581 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1582 (uint8_t *)&fh->fat_entry, 1583 sizeof(struct rpmb_fat_entry), NULL, NULL); 1584 1585 dump_fat(); 1586 1587 out: 1588 return res; 1589 } 1590 1591 /** 1592 * rpmb_fs_setup: Setup rpmb fs. 1593 * Set initial partition and FS values and write to RPMB. 1594 * Store frequently used data in RAM. 1595 */ 1596 static TEE_Result rpmb_fs_setup(void) 1597 { 1598 TEE_Result res = TEE_ERROR_GENERIC; 1599 struct rpmb_fs_partition *partition_data = NULL; 1600 struct rpmb_file_handle *fh = NULL; 1601 uint32_t max_rpmb_block = 0; 1602 1603 if (fs_par) { 1604 res = TEE_SUCCESS; 1605 goto out; 1606 } 1607 1608 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1609 if (res != TEE_SUCCESS) 1610 goto out; 1611 1612 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1613 if (!partition_data) { 1614 res = TEE_ERROR_OUT_OF_MEMORY; 1615 goto out; 1616 } 1617 1618 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1619 (uint8_t *)partition_data, 1620 sizeof(struct rpmb_fs_partition), NULL, NULL); 1621 if (res != TEE_SUCCESS) 1622 goto out; 1623 1624 #ifndef CFG_RPMB_RESET_FAT 1625 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1626 if (partition_data->fs_version == FS_VERSION) { 1627 res = TEE_SUCCESS; 1628 goto store_fs_par; 1629 } else { 1630 EMSG("Wrong software is in use."); 1631 res = TEE_ERROR_ACCESS_DENIED; 1632 goto out; 1633 } 1634 } 1635 #else 1636 EMSG("**** Clearing Storage ****"); 1637 #endif 1638 1639 /* Setup new partition data. */ 1640 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1641 partition_data->fs_version = FS_VERSION; 1642 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1643 1644 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1645 fh = alloc_file_handle(NULL, false); 1646 if (!fh) { 1647 res = TEE_ERROR_OUT_OF_MEMORY; 1648 goto out; 1649 } 1650 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1651 fh->rpmb_fat_address = partition_data->fat_start_address; 1652 1653 /* Write init FAT entry and partition data to RPMB. */ 1654 res = write_fat_entry(fh, true); 1655 if (res != TEE_SUCCESS) 1656 goto out; 1657 1658 res = 1659 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1660 &partition_data->write_counter); 1661 if (res != TEE_SUCCESS) 1662 goto out; 1663 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1664 (uint8_t *)partition_data, 1665 sizeof(struct rpmb_fs_partition), NULL, NULL); 1666 1667 #ifndef CFG_RPMB_RESET_FAT 1668 store_fs_par: 1669 #endif 1670 1671 /* Store FAT start address. */ 1672 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1673 if (!fs_par) { 1674 res = TEE_ERROR_OUT_OF_MEMORY; 1675 goto out; 1676 } 1677 1678 fs_par->fat_start_address = partition_data->fat_start_address; 1679 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1680 1681 dump_fat(); 1682 1683 out: 1684 free(fh); 1685 free(partition_data); 1686 return res; 1687 } 1688 1689 /** 1690 * get_fat_start_address: 1691 * FAT start_address from fs_par. 1692 */ 1693 static TEE_Result get_fat_start_address(uint32_t *addr) 1694 { 1695 if (!fs_par) 1696 return TEE_ERROR_NO_DATA; 1697 1698 *addr = fs_par->fat_start_address; 1699 1700 return TEE_SUCCESS; 1701 } 1702 1703 /** 1704 * read_fat: Read FAT entries 1705 * Return matching FAT entry for read, rm rename and stat. 1706 * Build up memory pool and return matching entry for write operation. 1707 * "Last FAT entry" can be returned during write. 1708 */ 1709 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1710 { 1711 TEE_Result res = TEE_ERROR_GENERIC; 1712 tee_mm_entry_t *mm = NULL; 1713 struct rpmb_fat_entry *fat_entries = NULL; 1714 uint32_t fat_address; 1715 size_t size; 1716 int i; 1717 bool entry_found = false; 1718 bool last_entry_found = false; 1719 bool expand_fat = false; 1720 struct rpmb_file_handle last_fh; 1721 1722 DMSG("fat_address %d", fh->rpmb_fat_address); 1723 1724 res = rpmb_fs_setup(); 1725 if (res != TEE_SUCCESS) 1726 goto out; 1727 1728 res = get_fat_start_address(&fat_address); 1729 if (res != TEE_SUCCESS) 1730 goto out; 1731 1732 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1733 fat_entries = malloc(size); 1734 if (!fat_entries) { 1735 res = TEE_ERROR_OUT_OF_MEMORY; 1736 goto out; 1737 } 1738 1739 /* 1740 * The pool is used to represent the current RPMB layout. To find 1741 * a slot for the file tee_mm_alloc is called on the pool. Thus 1742 * if it is not NULL the entire FAT must be traversed to fill in 1743 * the pool. 1744 */ 1745 while (!last_entry_found && (!entry_found || p)) { 1746 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1747 (uint8_t *)fat_entries, size, NULL, NULL); 1748 if (res != TEE_SUCCESS) 1749 goto out; 1750 1751 for (i = 0; i < N_ENTRIES; i++) { 1752 /* 1753 * Look for an entry, matching filenames. (read, rm, 1754 * rename and stat.). Only store first filename match. 1755 */ 1756 if (fh->filename && 1757 (strcmp(fh->filename, 1758 fat_entries[i].filename) == 0) && 1759 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1760 (!entry_found)) { 1761 entry_found = true; 1762 fh->rpmb_fat_address = fat_address; 1763 memcpy(&fh->fat_entry, &fat_entries[i], 1764 sizeof(struct rpmb_fat_entry)); 1765 if (!p) 1766 break; 1767 } 1768 1769 /* Add existing files to memory pool. (write) */ 1770 if (p) { 1771 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1772 (fat_entries[i].data_size > 0)) { 1773 1774 mm = tee_mm_alloc2 1775 (p, 1776 fat_entries[i].start_address, 1777 fat_entries[i].data_size); 1778 if (!mm) { 1779 res = TEE_ERROR_OUT_OF_MEMORY; 1780 goto out; 1781 } 1782 } 1783 1784 /* Unused FAT entries can be reused (write) */ 1785 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1786 0) && (fh->rpmb_fat_address == 0)) { 1787 fh->rpmb_fat_address = fat_address; 1788 memcpy(&fh->fat_entry, &fat_entries[i], 1789 sizeof(struct rpmb_fat_entry)); 1790 } 1791 } 1792 1793 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1794 last_entry_found = true; 1795 1796 /* 1797 * If the last entry was reached and was chosen 1798 * by the previous check, then the FAT needs to 1799 * be expanded. 1800 * fh->rpmb_fat_address is the address chosen 1801 * to store the files FAT entry and fat_address 1802 * is the current FAT entry address being 1803 * compared. 1804 */ 1805 if (p && fh->rpmb_fat_address == fat_address) 1806 expand_fat = true; 1807 break; 1808 } 1809 1810 /* Move to next fat_entry. */ 1811 fat_address += sizeof(struct rpmb_fat_entry); 1812 } 1813 } 1814 1815 /* 1816 * Represent the FAT table in the pool. 1817 */ 1818 if (p) { 1819 /* 1820 * Since fat_address is the start of the last entry it needs to 1821 * be moved up by an entry. 1822 */ 1823 fat_address += sizeof(struct rpmb_fat_entry); 1824 1825 /* Make room for yet a FAT entry and add to memory pool. */ 1826 if (expand_fat) 1827 fat_address += sizeof(struct rpmb_fat_entry); 1828 1829 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1830 if (!mm) { 1831 res = TEE_ERROR_OUT_OF_MEMORY; 1832 goto out; 1833 } 1834 1835 if (expand_fat) { 1836 /* 1837 * Point fat_address to the beginning of the new 1838 * entry. 1839 */ 1840 fat_address -= sizeof(struct rpmb_fat_entry); 1841 memset(&last_fh, 0, sizeof(last_fh)); 1842 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1843 last_fh.rpmb_fat_address = fat_address; 1844 res = write_fat_entry(&last_fh, true); 1845 if (res != TEE_SUCCESS) 1846 goto out; 1847 } 1848 } 1849 1850 if (fh->filename && !fh->rpmb_fat_address) 1851 res = TEE_ERROR_ITEM_NOT_FOUND; 1852 1853 out: 1854 free(fat_entries); 1855 return res; 1856 } 1857 1858 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1859 { 1860 TEE_Result res; 1861 1862 again: 1863 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1864 if (res != TEE_SUCCESS) 1865 return res; 1866 1867 if (is_zero(fe->fek, sizeof(fe->fek))) 1868 goto again; 1869 1870 return res; 1871 } 1872 1873 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1874 const TEE_UUID *uuid, bool create) 1875 { 1876 tee_mm_pool_t p; 1877 bool pool_result; 1878 TEE_Result res = TEE_ERROR_GENERIC; 1879 1880 /* We need to do setup in order to make sure fs_par is filled in */ 1881 res = rpmb_fs_setup(); 1882 if (res != TEE_SUCCESS) 1883 goto out; 1884 1885 fh->uuid = uuid; 1886 if (create) { 1887 /* Upper memory allocation must be used for RPMB_FS. */ 1888 pool_result = tee_mm_init(&p, 1889 RPMB_STORAGE_START_ADDRESS, 1890 fs_par->max_rpmb_address, 1891 RPMB_BLOCK_SIZE_SHIFT, 1892 TEE_MM_POOL_HI_ALLOC); 1893 1894 if (!pool_result) { 1895 res = TEE_ERROR_OUT_OF_MEMORY; 1896 goto out; 1897 } 1898 1899 res = read_fat(fh, &p); 1900 tee_mm_final(&p); 1901 if (res != TEE_SUCCESS) 1902 goto out; 1903 } else { 1904 res = read_fat(fh, NULL); 1905 if (res != TEE_SUCCESS) 1906 goto out; 1907 } 1908 1909 /* 1910 * If this is opened with create and the entry found was not active 1911 * then this is a new file and the FAT entry must be written 1912 */ 1913 if (create) { 1914 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1915 memset(&fh->fat_entry, 0, 1916 sizeof(struct rpmb_fat_entry)); 1917 memcpy(fh->fat_entry.filename, fh->filename, 1918 strlen(fh->filename)); 1919 /* Start address and size are 0 */ 1920 fh->fat_entry.flags = FILE_IS_ACTIVE; 1921 1922 res = generate_fek(&fh->fat_entry, uuid); 1923 if (res != TEE_SUCCESS) 1924 goto out; 1925 DMSG("GENERATE FEK key: %p", 1926 (void *)fh->fat_entry.fek); 1927 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1928 1929 res = write_fat_entry(fh, true); 1930 if (res != TEE_SUCCESS) 1931 goto out; 1932 } 1933 } 1934 1935 res = TEE_SUCCESS; 1936 1937 out: 1938 return res; 1939 } 1940 1941 static void rpmb_fs_close(struct tee_file_handle **tfh) 1942 { 1943 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1944 1945 free(fh); 1946 *tfh = NULL; 1947 } 1948 1949 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1950 void *buf, size_t *len) 1951 { 1952 TEE_Result res; 1953 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1954 size_t size = *len; 1955 1956 if (!size) 1957 return TEE_SUCCESS; 1958 1959 mutex_lock(&rpmb_mutex); 1960 1961 dump_fh(fh); 1962 1963 res = read_fat(fh, NULL); 1964 if (res != TEE_SUCCESS) 1965 goto out; 1966 1967 if (pos >= fh->fat_entry.data_size) { 1968 *len = 0; 1969 goto out; 1970 } 1971 1972 size = MIN(size, fh->fat_entry.data_size - pos); 1973 if (size) { 1974 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1975 fh->fat_entry.start_address + pos, buf, 1976 size, fh->fat_entry.fek, fh->uuid); 1977 if (res != TEE_SUCCESS) 1978 goto out; 1979 } 1980 *len = size; 1981 1982 out: 1983 mutex_unlock(&rpmb_mutex); 1984 return res; 1985 } 1986 1987 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1988 size_t pos, const void *buf, 1989 size_t size) 1990 { 1991 TEE_Result res; 1992 tee_mm_pool_t p; 1993 bool pool_result = false; 1994 tee_mm_entry_t *mm; 1995 size_t end; 1996 size_t newsize; 1997 uint8_t *newbuf = NULL; 1998 uintptr_t newaddr; 1999 uint32_t start_addr; 2000 2001 if (!size) 2002 return TEE_SUCCESS; 2003 2004 if (!fs_par) { 2005 res = TEE_ERROR_GENERIC; 2006 goto out; 2007 } 2008 2009 dump_fh(fh); 2010 2011 /* Upper memory allocation must be used for RPMB_FS. */ 2012 pool_result = tee_mm_init(&p, 2013 RPMB_STORAGE_START_ADDRESS, 2014 fs_par->max_rpmb_address, 2015 RPMB_BLOCK_SIZE_SHIFT, 2016 TEE_MM_POOL_HI_ALLOC); 2017 if (!pool_result) { 2018 res = TEE_ERROR_OUT_OF_MEMORY; 2019 goto out; 2020 } 2021 2022 res = read_fat(fh, &p); 2023 if (res != TEE_SUCCESS) 2024 goto out; 2025 2026 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2027 panic("invalid last entry flag"); 2028 2029 if (ADD_OVERFLOW(pos, size, &end)) { 2030 res = TEE_ERROR_BAD_PARAMETERS; 2031 goto out; 2032 } 2033 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2034 res = TEE_ERROR_BAD_PARAMETERS; 2035 goto out; 2036 } 2037 2038 if (end <= fh->fat_entry.data_size && 2039 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2040 2041 DMSG("Updating data in-place"); 2042 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2043 size, fh->fat_entry.fek, fh->uuid); 2044 if (res != TEE_SUCCESS) 2045 goto out; 2046 } else { 2047 /* 2048 * File must be extended, or update cannot be atomic: allocate, 2049 * read, update, write. 2050 */ 2051 2052 DMSG("Need to re-allocate"); 2053 newsize = MAX(end, fh->fat_entry.data_size); 2054 mm = tee_mm_alloc(&p, newsize); 2055 newbuf = calloc(1, newsize); 2056 if (!mm || !newbuf) { 2057 res = TEE_ERROR_OUT_OF_MEMORY; 2058 goto out; 2059 } 2060 2061 if (fh->fat_entry.data_size) { 2062 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2063 fh->fat_entry.start_address, 2064 newbuf, fh->fat_entry.data_size, 2065 fh->fat_entry.fek, fh->uuid); 2066 if (res != TEE_SUCCESS) 2067 goto out; 2068 } 2069 2070 memcpy(newbuf + pos, buf, size); 2071 2072 newaddr = tee_mm_get_smem(mm); 2073 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2074 newsize, fh->fat_entry.fek, fh->uuid); 2075 if (res != TEE_SUCCESS) 2076 goto out; 2077 2078 fh->fat_entry.data_size = newsize; 2079 fh->fat_entry.start_address = newaddr; 2080 res = write_fat_entry(fh, true); 2081 if (res != TEE_SUCCESS) 2082 goto out; 2083 } 2084 2085 out: 2086 if (pool_result) 2087 tee_mm_final(&p); 2088 if (newbuf) 2089 free(newbuf); 2090 2091 return res; 2092 } 2093 2094 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2095 const void *buf, size_t size) 2096 { 2097 TEE_Result res; 2098 2099 mutex_lock(&rpmb_mutex); 2100 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2101 buf, size); 2102 mutex_unlock(&rpmb_mutex); 2103 2104 return res; 2105 } 2106 2107 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2108 { 2109 TEE_Result res; 2110 2111 res = read_fat(fh, NULL); 2112 if (res) 2113 return res; 2114 2115 /* Clear this file entry. */ 2116 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2117 return write_fat_entry(fh, false); 2118 } 2119 2120 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2121 { 2122 TEE_Result res; 2123 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2124 2125 if (!fh) 2126 return TEE_ERROR_OUT_OF_MEMORY; 2127 2128 mutex_lock(&rpmb_mutex); 2129 2130 res = rpmb_fs_remove_internal(fh); 2131 2132 mutex_unlock(&rpmb_mutex); 2133 2134 free(fh); 2135 return res; 2136 } 2137 2138 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2139 struct tee_pobj *new, 2140 bool overwrite) 2141 { 2142 TEE_Result res = TEE_ERROR_GENERIC; 2143 struct rpmb_file_handle *fh_old = NULL; 2144 struct rpmb_file_handle *fh_new = NULL; 2145 2146 if (!old) { 2147 res = TEE_ERROR_BAD_PARAMETERS; 2148 goto out; 2149 } 2150 2151 if (new) 2152 fh_old = alloc_file_handle(old, old->temporary); 2153 else 2154 fh_old = alloc_file_handle(old, true); 2155 if (!fh_old) { 2156 res = TEE_ERROR_OUT_OF_MEMORY; 2157 goto out; 2158 } 2159 2160 if (new) 2161 fh_new = alloc_file_handle(new, new->temporary); 2162 else 2163 fh_new = alloc_file_handle(old, false); 2164 if (!fh_new) { 2165 res = TEE_ERROR_OUT_OF_MEMORY; 2166 goto out; 2167 } 2168 2169 res = read_fat(fh_old, NULL); 2170 if (res != TEE_SUCCESS) 2171 goto out; 2172 2173 res = read_fat(fh_new, NULL); 2174 if (res == TEE_SUCCESS) { 2175 if (!overwrite) { 2176 res = TEE_ERROR_ACCESS_CONFLICT; 2177 goto out; 2178 } 2179 2180 /* Clear this file entry. */ 2181 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2182 res = write_fat_entry(fh_new, false); 2183 if (res != TEE_SUCCESS) 2184 goto out; 2185 } 2186 2187 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2188 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2189 strlen(fh_new->filename)); 2190 2191 res = write_fat_entry(fh_old, false); 2192 2193 out: 2194 free(fh_old); 2195 free(fh_new); 2196 2197 return res; 2198 } 2199 2200 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2201 bool overwrite) 2202 { 2203 TEE_Result res; 2204 2205 mutex_lock(&rpmb_mutex); 2206 res = rpmb_fs_rename_internal(old, new, overwrite); 2207 mutex_unlock(&rpmb_mutex); 2208 2209 return res; 2210 } 2211 2212 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2213 { 2214 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2215 tee_mm_pool_t p; 2216 bool pool_result = false; 2217 tee_mm_entry_t *mm; 2218 uint32_t newsize; 2219 uint8_t *newbuf = NULL; 2220 uintptr_t newaddr; 2221 TEE_Result res = TEE_ERROR_GENERIC; 2222 2223 mutex_lock(&rpmb_mutex); 2224 2225 if (length > INT32_MAX) { 2226 res = TEE_ERROR_BAD_PARAMETERS; 2227 goto out; 2228 } 2229 newsize = length; 2230 2231 res = read_fat(fh, NULL); 2232 if (res != TEE_SUCCESS) 2233 goto out; 2234 2235 if (newsize > fh->fat_entry.data_size) { 2236 /* Extend file */ 2237 2238 pool_result = tee_mm_init(&p, 2239 RPMB_STORAGE_START_ADDRESS, 2240 fs_par->max_rpmb_address, 2241 RPMB_BLOCK_SIZE_SHIFT, 2242 TEE_MM_POOL_HI_ALLOC); 2243 if (!pool_result) { 2244 res = TEE_ERROR_OUT_OF_MEMORY; 2245 goto out; 2246 } 2247 res = read_fat(fh, &p); 2248 if (res != TEE_SUCCESS) 2249 goto out; 2250 2251 mm = tee_mm_alloc(&p, newsize); 2252 newbuf = calloc(1, newsize); 2253 if (!mm || !newbuf) { 2254 res = TEE_ERROR_OUT_OF_MEMORY; 2255 goto out; 2256 } 2257 2258 if (fh->fat_entry.data_size) { 2259 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2260 fh->fat_entry.start_address, 2261 newbuf, fh->fat_entry.data_size, 2262 fh->fat_entry.fek, fh->uuid); 2263 if (res != TEE_SUCCESS) 2264 goto out; 2265 } 2266 2267 newaddr = tee_mm_get_smem(mm); 2268 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2269 newsize, fh->fat_entry.fek, fh->uuid); 2270 if (res != TEE_SUCCESS) 2271 goto out; 2272 2273 } else { 2274 /* Don't change file location */ 2275 newaddr = fh->fat_entry.start_address; 2276 } 2277 2278 /* fh->pos is unchanged */ 2279 fh->fat_entry.data_size = newsize; 2280 fh->fat_entry.start_address = newaddr; 2281 res = write_fat_entry(fh, true); 2282 2283 out: 2284 mutex_unlock(&rpmb_mutex); 2285 if (pool_result) 2286 tee_mm_final(&p); 2287 if (newbuf) 2288 free(newbuf); 2289 2290 return res; 2291 } 2292 2293 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2294 { 2295 struct tee_rpmb_fs_dirent *e; 2296 2297 if (!dir) 2298 return; 2299 2300 free(dir->current); 2301 2302 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2303 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2304 free(e); 2305 } 2306 } 2307 2308 static TEE_Result rpmb_fs_dir_populate(const char *path, 2309 struct tee_fs_dir *dir) 2310 { 2311 struct tee_rpmb_fs_dirent *current = NULL; 2312 struct rpmb_fat_entry *fat_entries = NULL; 2313 uint32_t fat_address; 2314 uint32_t filelen; 2315 char *filename; 2316 int i; 2317 bool last_entry_found = false; 2318 bool matched; 2319 struct tee_rpmb_fs_dirent *next = NULL; 2320 uint32_t pathlen; 2321 TEE_Result res = TEE_ERROR_GENERIC; 2322 uint32_t size; 2323 char temp; 2324 2325 mutex_lock(&rpmb_mutex); 2326 2327 res = rpmb_fs_setup(); 2328 if (res != TEE_SUCCESS) 2329 goto out; 2330 2331 res = get_fat_start_address(&fat_address); 2332 if (res != TEE_SUCCESS) 2333 goto out; 2334 2335 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2336 fat_entries = malloc(size); 2337 if (!fat_entries) { 2338 res = TEE_ERROR_OUT_OF_MEMORY; 2339 goto out; 2340 } 2341 2342 pathlen = strlen(path); 2343 while (!last_entry_found) { 2344 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2345 (uint8_t *)fat_entries, size, NULL, NULL); 2346 if (res != TEE_SUCCESS) 2347 goto out; 2348 2349 for (i = 0; i < N_ENTRIES; i++) { 2350 filename = fat_entries[i].filename; 2351 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2352 matched = false; 2353 filelen = strlen(filename); 2354 if (filelen > pathlen) { 2355 temp = filename[pathlen]; 2356 filename[pathlen] = '\0'; 2357 if (strcmp(filename, path) == 0) 2358 matched = true; 2359 2360 filename[pathlen] = temp; 2361 } 2362 2363 if (matched) { 2364 next = malloc(sizeof(*next)); 2365 if (!next) { 2366 res = TEE_ERROR_OUT_OF_MEMORY; 2367 goto out; 2368 } 2369 2370 next->entry.oidlen = tee_hs2b( 2371 (uint8_t *)&filename[pathlen], 2372 next->entry.oid, 2373 filelen - pathlen, 2374 sizeof(next->entry.oid)); 2375 if (next->entry.oidlen) { 2376 SIMPLEQ_INSERT_TAIL(&dir->next, 2377 next, link); 2378 current = next; 2379 } else { 2380 free(next); 2381 next = NULL; 2382 } 2383 2384 } 2385 } 2386 2387 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2388 last_entry_found = true; 2389 break; 2390 } 2391 2392 /* Move to next fat_entry. */ 2393 fat_address += sizeof(struct rpmb_fat_entry); 2394 } 2395 } 2396 2397 if (current) 2398 res = TEE_SUCCESS; 2399 else 2400 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2401 2402 out: 2403 mutex_unlock(&rpmb_mutex); 2404 if (res != TEE_SUCCESS) 2405 rpmb_fs_dir_free(dir); 2406 if (fat_entries) 2407 free(fat_entries); 2408 2409 return res; 2410 } 2411 2412 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2413 { 2414 uint32_t len; 2415 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2416 TEE_Result res = TEE_ERROR_GENERIC; 2417 struct tee_fs_dir *rpmb_dir = NULL; 2418 2419 if (!uuid || !dir) { 2420 res = TEE_ERROR_BAD_PARAMETERS; 2421 goto out; 2422 } 2423 2424 memset(path_local, 0, sizeof(path_local)); 2425 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2426 uuid) != TEE_SUCCESS) { 2427 res = TEE_ERROR_BAD_PARAMETERS; 2428 goto out; 2429 } 2430 len = strlen(path_local); 2431 2432 /* Add a slash to correctly match the full directory name. */ 2433 if (path_local[len - 1] != '/') 2434 path_local[len] = '/'; 2435 2436 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2437 if (!rpmb_dir) { 2438 res = TEE_ERROR_OUT_OF_MEMORY; 2439 goto out; 2440 } 2441 SIMPLEQ_INIT(&rpmb_dir->next); 2442 2443 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2444 if (res != TEE_SUCCESS) { 2445 free(rpmb_dir); 2446 rpmb_dir = NULL; 2447 goto out; 2448 } 2449 2450 *dir = rpmb_dir; 2451 2452 out: 2453 return res; 2454 } 2455 2456 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2457 struct tee_fs_dirent **ent) 2458 { 2459 if (!dir) 2460 return TEE_ERROR_GENERIC; 2461 2462 free(dir->current); 2463 2464 dir->current = SIMPLEQ_FIRST(&dir->next); 2465 if (!dir->current) 2466 return TEE_ERROR_ITEM_NOT_FOUND; 2467 2468 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2469 2470 *ent = &dir->current->entry; 2471 return TEE_SUCCESS; 2472 } 2473 2474 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2475 { 2476 if (dir) { 2477 rpmb_fs_dir_free(dir); 2478 free(dir); 2479 } 2480 } 2481 2482 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2483 struct tee_file_handle **ret_fh) 2484 { 2485 TEE_Result res; 2486 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2487 2488 if (!fh) 2489 return TEE_ERROR_OUT_OF_MEMORY; 2490 2491 mutex_lock(&rpmb_mutex); 2492 2493 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2494 if (!res && size) 2495 *size = fh->fat_entry.data_size; 2496 2497 mutex_unlock(&rpmb_mutex); 2498 2499 if (res) 2500 free(fh); 2501 else 2502 *ret_fh = (struct tee_file_handle *)fh; 2503 2504 return res; 2505 } 2506 2507 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2508 const void *head, size_t head_size, 2509 const void *attr, size_t attr_size, 2510 const void *data, size_t data_size, 2511 struct tee_file_handle **ret_fh) 2512 { 2513 TEE_Result res; 2514 size_t pos = 0; 2515 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2516 2517 if (!fh) 2518 return TEE_ERROR_OUT_OF_MEMORY; 2519 2520 mutex_lock(&rpmb_mutex); 2521 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2522 if (res) 2523 goto out; 2524 2525 if (head && head_size) { 2526 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2527 if (res) 2528 goto out; 2529 pos += head_size; 2530 } 2531 2532 if (attr && attr_size) { 2533 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2534 if (res) 2535 goto out; 2536 pos += attr_size; 2537 } 2538 2539 if (data && data_size) { 2540 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2541 if (res) 2542 goto out; 2543 } 2544 2545 if (po->temporary) { 2546 /* 2547 * If it's a temporary filename (which it normally is) 2548 * rename into the final filename now that the file is 2549 * fully initialized. 2550 */ 2551 po->temporary = false; 2552 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2553 if (res) { 2554 po->temporary = true; 2555 goto out; 2556 } 2557 /* Update file handle after rename. */ 2558 tee_svc_storage_create_filename(fh->filename, 2559 sizeof(fh->filename), 2560 po, false); 2561 } 2562 2563 out: 2564 if (res) { 2565 rpmb_fs_remove_internal(fh); 2566 free(fh); 2567 } else { 2568 *ret_fh = (struct tee_file_handle *)fh; 2569 } 2570 mutex_unlock(&rpmb_mutex); 2571 2572 return res; 2573 } 2574 2575 const struct tee_file_operations rpmb_fs_ops = { 2576 .open = rpmb_fs_open, 2577 .create = rpmb_fs_create, 2578 .close = rpmb_fs_close, 2579 .read = rpmb_fs_read, 2580 .write = rpmb_fs_write, 2581 .truncate = rpmb_fs_truncate, 2582 .rename = rpmb_fs_rename, 2583 .remove = rpmb_fs_remove, 2584 .opendir = rpmb_fs_opendir, 2585 .closedir = rpmb_fs_closedir, 2586 .readdir = rpmb_fs_readdir, 2587 }; 2588 2589 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2590 struct tee_file_handle **ret_fh) 2591 { 2592 TEE_Result res; 2593 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2594 static const TEE_UUID uuid = { 0 }; 2595 2596 if (!fh) 2597 return TEE_ERROR_OUT_OF_MEMORY; 2598 2599 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2600 2601 mutex_lock(&rpmb_mutex); 2602 2603 res = rpmb_fs_open_internal(fh, &uuid, create); 2604 2605 mutex_unlock(&rpmb_mutex); 2606 2607 if (res) { 2608 if (create) 2609 rpmb_fs_remove_internal(fh); 2610 free(fh); 2611 } else { 2612 *ret_fh = (struct tee_file_handle *)fh; 2613 } 2614 2615 return res; 2616 } 2617