1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <config.h> 8 #include <crypto/crypto.h> 9 #include <kernel/huk_subkey.h> 10 #include <kernel/misc.h> 11 #include <kernel/msg_param.h> 12 #include <kernel/mutex.h> 13 #include <kernel/panic.h> 14 #include <kernel/tee_common.h> 15 #include <kernel/tee_common_otp.h> 16 #include <kernel/tee_misc.h> 17 #include <kernel/thread.h> 18 #include <kernel/user_access.h> 19 #include <mempool.h> 20 #include <mm/core_memprot.h> 21 #include <mm/mobj.h> 22 #include <mm/tee_mm.h> 23 #include <optee_rpc_cmd.h> 24 #include <stdlib.h> 25 #include <string_ext.h> 26 #include <string.h> 27 #include <sys/queue.h> 28 #include <tee/tee_fs.h> 29 #include <tee/tee_fs_key_manager.h> 30 #include <tee/tee_pobj.h> 31 #include <tee/tee_svc_storage.h> 32 #include <trace.h> 33 #include <util.h> 34 35 #define RPMB_STORAGE_START_ADDRESS 0 36 #define RPMB_FS_FAT_START_ADDRESS 512 37 #define RPMB_BLOCK_SIZE_SHIFT 8 38 #define RPMB_CID_PRV_OFFSET 9 39 #define RPMB_CID_CRC_OFFSET 15 40 41 #define RPMB_FS_MAGIC 0x52504D42 42 #define FS_VERSION 2 43 44 #define FILE_IS_ACTIVE (1u << 0) 45 #define FILE_IS_LAST_ENTRY (1u << 1) 46 47 #define TEE_RPMB_FS_FILENAME_LENGTH 224 48 49 #define TMP_BLOCK_SIZE 4096U 50 51 #define RPMB_MAX_RETRIES 10 52 53 /** 54 * Utilized when caching is enabled, i.e., when CFG_RPMB_FS_CACHE_ENTRIES > 0. 55 * Cache size + the number of entries that are repeatedly read in and buffered 56 * once the cache is full. 57 */ 58 #define RPMB_BUF_MAX_ENTRIES (CFG_RPMB_FS_CACHE_ENTRIES + \ 59 CFG_RPMB_FS_RD_ENTRIES) 60 61 /** 62 * FS parameters: Information often used by internal functions. 63 * fat_start_address will be set by rpmb_fs_setup(). 64 * rpmb_fs_parameters can be read by any other function. 65 */ 66 struct rpmb_fs_parameters { 67 uint32_t fat_start_address; 68 uint32_t max_rpmb_address; 69 }; 70 71 /** 72 * File entry for a single file in a RPMB_FS partition. 73 */ 74 struct rpmb_fat_entry { 75 uint32_t start_address; 76 uint32_t data_size; 77 uint32_t flags; 78 uint32_t unused; 79 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 80 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 81 }; 82 83 /** 84 * Structure that describes buffered/cached FAT FS entries in RPMB storage. 85 * This structure is used in functions traversing the FAT FS. 86 */ 87 struct rpmb_fat_entry_dir { 88 /* 89 * Buffer storing the FAT FS entries read in from RPMB storage. It 90 * includes the optional cache entries (CFG_RPMB_FS_CACHE_ENTRIES) 91 * and entries temporary read for current FAT FS traversal 92 * (CFG_RPMB_FS_RD_ENTRIES) when not found from cached entries. 93 */ 94 struct rpmb_fat_entry *rpmb_fat_entry_buf; 95 /* Current index of FAT FS entry to read from buffer. */ 96 uint32_t idx_curr; 97 /* Total number of FAT FS entries in buffer. */ 98 uint32_t num_buffered; 99 /* Total number of FAT FS entries read during traversal. */ 100 uint32_t num_total_read; 101 /* Indicates that last FAT FS entry was read. */ 102 bool last_reached; 103 }; 104 105 /** 106 * FAT entry context with reference to a FAT entry and its 107 * location in RPMB. 108 */ 109 struct rpmb_file_handle { 110 struct rpmb_fat_entry fat_entry; 111 const TEE_UUID *uuid; 112 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 113 /* Address for current entry in RPMB */ 114 uint32_t rpmb_fat_address; 115 }; 116 117 /** 118 * RPMB_FS partition data 119 */ 120 struct rpmb_fs_partition { 121 uint32_t rpmb_fs_magic; 122 uint32_t fs_version; 123 uint32_t write_counter; 124 uint32_t fat_start_address; 125 /* Do not use reserved[] for other purpose than partition data. */ 126 uint8_t reserved[112]; 127 }; 128 129 /** 130 * A node in a list of directory entries. 131 */ 132 struct tee_rpmb_fs_dirent { 133 struct tee_fs_dirent entry; 134 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 135 }; 136 137 /** 138 * The RPMB directory representation. It contains a queue of 139 * RPMB directory entries: 'next'. 140 * The current pointer points to the last directory entry 141 * returned by readdir(). 142 */ 143 struct tee_fs_dir { 144 struct tee_rpmb_fs_dirent *current; 145 /* */ 146 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 147 }; 148 149 static struct rpmb_fs_parameters *fs_par; 150 static struct rpmb_fat_entry_dir *fat_entry_dir; 151 152 /* 153 * Lower interface to RPMB device 154 */ 155 156 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 157 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 158 159 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 160 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 161 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 162 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 163 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 164 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 165 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 166 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 167 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 168 169 #define RPMB_STUFF_DATA_SIZE 196 170 #define RPMB_KEY_MAC_SIZE 32 171 #define RPMB_DATA_SIZE 256 172 #define RPMB_NONCE_SIZE 16 173 #define RPMB_DATA_FRAME_SIZE 512 174 175 #define RPMB_RESULT_OK 0x00 176 #define RPMB_RESULT_GENERAL_FAILURE 0x01 177 #define RPMB_RESULT_AUTH_FAILURE 0x02 178 #define RPMB_RESULT_COUNTER_FAILURE 0x03 179 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 180 #define RPMB_RESULT_WRITE_FAILURE 0x05 181 #define RPMB_RESULT_READ_FAILURE 0x06 182 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 183 #define RPMB_RESULT_MASK 0x3F 184 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 185 186 /* RPMB internal commands */ 187 #define RPMB_CMD_DATA_REQ 0x00 188 #define RPMB_CMD_GET_DEV_INFO 0x01 189 190 #define RPMB_SIZE_SINGLE (128 * 1024) 191 192 /* Error codes for get_dev_info request/response. */ 193 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 194 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 195 196 struct rpmb_data_frame { 197 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 198 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 199 uint8_t data[RPMB_DATA_SIZE]; 200 uint8_t nonce[RPMB_NONCE_SIZE]; 201 uint8_t write_counter[4]; 202 uint8_t address[2]; 203 uint8_t block_count[2]; 204 uint8_t op_result[2]; 205 uint8_t msg_type[2]; 206 }; 207 208 struct rpmb_req { 209 uint16_t cmd; 210 uint16_t dev_id; 211 uint16_t block_count; 212 /* variable length of data */ 213 /* uint8_t data[]; REMOVED! */ 214 }; 215 216 #define TEE_RPMB_REQ_DATA(req) \ 217 ((void *)((struct rpmb_req *)(req) + 1)) 218 219 struct rpmb_raw_data { 220 uint16_t msg_type; 221 uint16_t *op_result; 222 uint16_t *block_count; 223 uint16_t *blk_idx; 224 uint32_t *write_counter; 225 uint8_t *nonce; 226 uint8_t *key_mac; 227 uint8_t *data; 228 /* data length to read or write */ 229 uint32_t len; 230 /* Byte address offset in the first block involved */ 231 uint8_t byte_offset; 232 }; 233 234 #define RPMB_EMMC_CID_SIZE 16 235 struct rpmb_dev_info { 236 uint8_t cid[RPMB_EMMC_CID_SIZE]; 237 /* EXT CSD-slice 168 "RPMB Size" */ 238 uint8_t rpmb_size_mult; 239 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 240 uint8_t rel_wr_sec_c; 241 /* Check the ret code and accept the data only if it is OK. */ 242 uint8_t ret_code; 243 }; 244 245 /* 246 * Struct for rpmb context data. 247 * 248 * @key RPMB key. 249 * @cid eMMC card ID. 250 * @wr_cnt Current write counter. 251 * @max_blk_idx The highest block index supported by current device. 252 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 253 * @dev_id Device ID of the eMMC device. 254 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 255 * @key_derived Flag indicating if key has been generated. 256 * @key_verified Flag indicating the key generated is verified ok. 257 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 258 * @legacy_operation Flag indicating if the legacy interface is used. 259 * @reinit Flag indicating if the device needs to be found again 260 * @shm_type Indicates type of shared memory to allocate 261 */ 262 struct tee_rpmb_ctx { 263 uint8_t key[RPMB_KEY_MAC_SIZE]; 264 uint8_t cid[RPMB_EMMC_CID_SIZE]; 265 uint32_t wr_cnt; 266 uint16_t max_blk_idx; 267 uint16_t rel_wr_blkcnt; 268 uint16_t dev_id; 269 bool wr_cnt_synced; 270 bool key_derived; 271 bool key_verified; 272 bool dev_info_synced; 273 bool legacy_operation; 274 bool reinit; 275 enum thread_shm_type shm_type; 276 }; 277 278 static struct tee_rpmb_ctx *rpmb_ctx; 279 280 /* If set to true, don't try to access RPMB until rebooted */ 281 static bool rpmb_dead; 282 283 /* 284 * Mutex to serialize the operations exported by this file. 285 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 286 * different IDs. 287 */ 288 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 289 290 #ifdef CFG_RPMB_TESTKEY 291 292 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 293 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 294 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 295 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 296 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 297 }; 298 299 static TEE_Result tee_rpmb_key_gen(uint8_t *key, uint32_t len) 300 { 301 TEE_Result res = TEE_SUCCESS; 302 303 if (!key || RPMB_KEY_MAC_SIZE != len) { 304 res = TEE_ERROR_BAD_PARAMETERS; 305 goto out; 306 } 307 308 DMSG("RPMB: Using test key"); 309 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 310 311 out: 312 return res; 313 } 314 315 #else /* !CFG_RPMB_TESTKEY */ 316 317 static TEE_Result tee_rpmb_key_gen(uint8_t *key, uint32_t len) 318 { 319 uint8_t message[RPMB_EMMC_CID_SIZE]; 320 321 if (!key || RPMB_KEY_MAC_SIZE != len) 322 return TEE_ERROR_BAD_PARAMETERS; 323 324 IMSG("RPMB: Using generated key"); 325 326 /* 327 * PRV/CRC would be changed when doing eMMC FFU 328 * The following fields should be masked off when deriving RPMB key 329 * 330 * CID [55: 48]: PRV (Product revision) 331 * CID [07: 01]: CRC (CRC7 checksum) 332 * CID [00]: not used 333 */ 334 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 335 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 336 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 337 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 338 key, len); 339 } 340 341 #endif /* !CFG_RPMB_TESTKEY */ 342 343 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 344 { 345 *bytes = (uint8_t) (u32 >> 24); 346 *(bytes + 1) = (uint8_t) (u32 >> 16); 347 *(bytes + 2) = (uint8_t) (u32 >> 8); 348 *(bytes + 3) = (uint8_t) u32; 349 } 350 351 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 352 { 353 *u32 = (uint32_t) ((*(bytes) << 24) + 354 (*(bytes + 1) << 16) + 355 (*(bytes + 2) << 8) + (*(bytes + 3))); 356 } 357 358 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 359 { 360 *bytes = (uint8_t) (u16 >> 8); 361 *(bytes + 1) = (uint8_t) u16; 362 } 363 364 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 365 { 366 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 367 } 368 369 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 370 { 371 *res = *(bytes + 1) & RPMB_RESULT_MASK; 372 } 373 374 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 375 uint8_t *key, uint32_t keysize, 376 struct rpmb_data_frame *datafrms, 377 uint16_t blkcnt) 378 { 379 TEE_Result res = TEE_ERROR_GENERIC; 380 int i; 381 void *ctx = NULL; 382 383 if (!mac || !key || !datafrms) 384 return TEE_ERROR_BAD_PARAMETERS; 385 386 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 387 if (res) 388 return res; 389 390 res = crypto_mac_init(ctx, key, keysize); 391 if (res != TEE_SUCCESS) 392 goto func_exit; 393 394 for (i = 0; i < blkcnt; i++) { 395 res = crypto_mac_update(ctx, datafrms[i].data, 396 RPMB_MAC_PROTECT_DATA_SIZE); 397 if (res != TEE_SUCCESS) 398 goto func_exit; 399 } 400 401 res = crypto_mac_final(ctx, mac, macsize); 402 if (res != TEE_SUCCESS) 403 goto func_exit; 404 405 res = TEE_SUCCESS; 406 407 func_exit: 408 crypto_mac_free_ctx(ctx); 409 return res; 410 } 411 412 struct tee_rpmb_mem { 413 struct mobj *mobj; 414 size_t req_size; 415 size_t resp_offs; 416 size_t resp_size; 417 struct rpmb_req *req_hdr; 418 struct rpmb_data_frame *req_data; 419 struct rpmb_data_frame *resp_data; 420 }; 421 422 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 423 struct tee_rpmb_mem *mem) 424 { 425 size_t req_s = 0; 426 size_t resp_s = 0; 427 struct mobj *mobj = NULL; 428 void *va = NULL; 429 430 if (!mem) 431 return TEE_ERROR_BAD_PARAMETERS; 432 433 if (rpmb_ctx->legacy_operation) 434 req_size += sizeof(struct rpmb_req); 435 req_s = ROUNDUP(req_size, SMALL_PAGE_SIZE); 436 resp_s = ROUNDUP(resp_size, SMALL_PAGE_SIZE); 437 va = thread_rpc_shm_cache_alloc(THREAD_SHM_CACHE_USER_RPMB, 438 rpmb_ctx->shm_type, req_s + resp_s, 439 &mobj); 440 if (!va) 441 return TEE_ERROR_OUT_OF_MEMORY; 442 443 *mem = (struct tee_rpmb_mem){ 444 .mobj = mobj, 445 .req_size = req_size, 446 .resp_offs = req_s, 447 .resp_size = resp_size, 448 }; 449 450 if (rpmb_ctx->legacy_operation) { 451 mem->req_hdr = mobj_get_va(mem->mobj, 0, req_s); 452 if (!mem->req_hdr) 453 return TEE_ERROR_GENERIC; 454 mem->req_data = (void *)(mem->req_hdr + 1); 455 } else { 456 mem->req_data = mobj_get_va(mem->mobj, 0, req_s); 457 if (!mem->req_data) 458 return TEE_ERROR_GENERIC; 459 } 460 mem->resp_data = mobj_get_va(mem->mobj, req_s, resp_s); 461 if (!mem->resp_data) 462 return TEE_ERROR_GENERIC; 463 464 return TEE_SUCCESS; 465 } 466 467 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 468 { 469 struct thread_param params[2] = { 470 [0] = THREAD_PARAM_MEMREF(IN, mem->mobj, 0, mem->req_size), 471 [1] = THREAD_PARAM_MEMREF(OUT, mem->mobj, mem->resp_offs, 472 mem->resp_size), 473 }; 474 uint32_t cmd = OPTEE_RPC_CMD_RPMB_FRAMES; 475 476 if (rpmb_ctx->legacy_operation) 477 cmd = OPTEE_RPC_CMD_RPMB; 478 479 return thread_rpc_cmd(cmd, 2, params); 480 } 481 482 static TEE_Result rpmb_probe_reset(void) 483 { 484 struct thread_param params[1] = { 485 [0] = THREAD_PARAM_VALUE(OUT, 0, 0, 0), 486 }; 487 TEE_Result res = TEE_SUCCESS; 488 489 res = thread_rpc_cmd(OPTEE_RPC_CMD_RPMB_PROBE_RESET, 1, params); 490 if (res) 491 return res; 492 493 rpmb_ctx->legacy_operation = false; 494 rpmb_ctx->dev_id = 0; 495 496 switch (params[0].u.value.a) { 497 case OPTEE_RPC_SHM_TYPE_APPL: 498 rpmb_ctx->shm_type = THREAD_SHM_TYPE_APPLICATION; 499 return TEE_SUCCESS; 500 case OPTEE_RPC_SHM_TYPE_KERNEL: 501 rpmb_ctx->shm_type = THREAD_SHM_TYPE_KERNEL_PRIVATE; 502 return TEE_SUCCESS; 503 default: 504 return TEE_ERROR_GENERIC; 505 } 506 } 507 508 static TEE_Result rpmb_probe_next(struct rpmb_dev_info *dev_info) 509 { 510 struct thread_param params[2] = { }; 511 TEE_Result res = TEE_SUCCESS; 512 struct mobj *mobj = NULL; 513 void *va = NULL; 514 515 va = thread_rpc_shm_cache_alloc(THREAD_SHM_CACHE_USER_RPMB, 516 THREAD_SHM_TYPE_KERNEL_PRIVATE, 517 sizeof(dev_info->cid), &mobj); 518 if (!va) 519 return TEE_ERROR_OUT_OF_MEMORY; 520 521 do { 522 params[0] = THREAD_PARAM_VALUE(OUT, 0, 0, 0); 523 params[1] = THREAD_PARAM_MEMREF(OUT, mobj, 0, 524 sizeof(dev_info->cid)); 525 res = thread_rpc_cmd(OPTEE_RPC_CMD_RPMB_PROBE_NEXT, 2, params); 526 /* 527 * If the ID buffer is too small, perhaps it's a new kind 528 * of RPMB device that we don't know how to communicate 529 * with, let's ignore it for now. 530 */ 531 } while (res == TEE_ERROR_SHORT_BUFFER); 532 if (res) 533 return res; 534 535 if (params[0].u.value.a != OPTEE_RPC_RPMB_EMMC) 536 return TEE_ERROR_NOT_SUPPORTED; 537 538 *dev_info = (struct rpmb_dev_info){ 539 .rpmb_size_mult = params[0].u.value.b, 540 .rel_wr_sec_c = params[0].u.value.c, 541 .ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK, 542 }; 543 memcpy(dev_info->cid, va, sizeof(dev_info->cid)); 544 545 return TEE_SUCCESS; 546 } 547 548 static bool is_zero(const uint8_t *buf, size_t size) 549 { 550 size_t i; 551 552 for (i = 0; i < size; i++) 553 if (buf[i]) 554 return false; 555 return true; 556 } 557 558 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 559 uint16_t blk_idx, const uint8_t *fek, 560 const TEE_UUID *uuid) 561 { 562 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 563 blk_idx, fek, TEE_MODE_ENCRYPT); 564 } 565 566 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 567 uint16_t blk_idx, const uint8_t *fek, 568 const TEE_UUID *uuid) 569 { 570 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 571 blk_idx, fek, TEE_MODE_DECRYPT); 572 } 573 574 /* Decrypt/copy at most one block of data */ 575 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 576 size_t size, size_t offset, 577 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 578 const TEE_UUID *uuid) 579 { 580 uint8_t *tmp __maybe_unused; 581 TEE_Result res = TEE_SUCCESS; 582 583 584 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 585 panic("invalid size or offset"); 586 587 if (!fek) { 588 /* Block is not encrypted (not a file data block) */ 589 memcpy(out, frm->data + offset, size); 590 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 591 /* The file was created with encryption disabled */ 592 return TEE_ERROR_SECURITY; 593 } else { 594 /* Block is encrypted */ 595 if (size < RPMB_DATA_SIZE) { 596 /* 597 * Since output buffer is not large enough to hold one 598 * block we must allocate a temporary buffer. 599 */ 600 tmp = malloc(RPMB_DATA_SIZE); 601 if (!tmp) 602 return TEE_ERROR_OUT_OF_MEMORY; 603 res = decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 604 if (res == TEE_SUCCESS) 605 memcpy(out, tmp + offset, size); 606 free(tmp); 607 } else { 608 res = decrypt_block(out, frm->data, blk_idx, fek, uuid); 609 } 610 } 611 612 return res; 613 } 614 615 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req_hdr, 616 struct rpmb_data_frame *req_data, 617 struct rpmb_raw_data *rawdata, 618 uint16_t nbr_frms, 619 const uint8_t *fek, const TEE_UUID *uuid) 620 { 621 TEE_Result res = TEE_ERROR_GENERIC; 622 int i; 623 struct rpmb_data_frame *datafrm; 624 625 if (!req_data || !rawdata || !nbr_frms) 626 return TEE_ERROR_BAD_PARAMETERS; 627 628 /* 629 * Check write blockcount is not bigger than reliable write 630 * blockcount. 631 */ 632 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 633 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 634 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 635 rpmb_ctx->rel_wr_blkcnt); 636 return TEE_ERROR_GENERIC; 637 } 638 639 if (req_hdr) { 640 req_hdr->cmd = RPMB_CMD_DATA_REQ; 641 req_hdr->dev_id = rpmb_ctx->dev_id; 642 } 643 644 /* Allocate memory for construct all data packets and calculate MAC. */ 645 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 646 if (!datafrm) 647 return TEE_ERROR_OUT_OF_MEMORY; 648 649 for (i = 0; i < nbr_frms; i++) { 650 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 651 652 if (rawdata->block_count) 653 u16_to_bytes(*rawdata->block_count, 654 datafrm[i].block_count); 655 656 if (rawdata->blk_idx) { 657 /* Check the block index is within range. */ 658 if ((*rawdata->blk_idx + nbr_frms - 1) > 659 rpmb_ctx->max_blk_idx) { 660 res = TEE_ERROR_GENERIC; 661 goto func_exit; 662 } 663 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 664 } 665 666 if (rawdata->write_counter) 667 u32_to_bytes(*rawdata->write_counter, 668 datafrm[i].write_counter); 669 670 if (rawdata->nonce) 671 memcpy(datafrm[i].nonce, rawdata->nonce, 672 RPMB_NONCE_SIZE); 673 674 if (rawdata->data) { 675 if (fek) { 676 res = encrypt_block(datafrm[i].data, 677 rawdata->data + 678 (i * RPMB_DATA_SIZE), 679 *rawdata->blk_idx + i, 680 fek, uuid); 681 if (res != TEE_SUCCESS) 682 goto func_exit; 683 } else { 684 memcpy(datafrm[i].data, 685 rawdata->data + (i * RPMB_DATA_SIZE), 686 RPMB_DATA_SIZE); 687 } 688 } 689 } 690 691 if (rawdata->key_mac) { 692 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 693 res = 694 tee_rpmb_mac_calc(rawdata->key_mac, 695 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 696 RPMB_KEY_MAC_SIZE, datafrm, 697 nbr_frms); 698 if (res != TEE_SUCCESS) 699 goto func_exit; 700 } 701 memcpy(datafrm[nbr_frms - 1].key_mac, 702 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 703 } 704 705 memcpy(req_data, datafrm, nbr_frms * RPMB_DATA_FRAME_SIZE); 706 707 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 708 for (i = 0; i < nbr_frms; i++) { 709 DMSG("Dumping data frame %d:", i); 710 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 711 512 - RPMB_STUFF_DATA_SIZE); 712 } 713 } 714 715 res = TEE_SUCCESS; 716 func_exit: 717 free(datafrm); 718 return res; 719 } 720 721 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 722 struct rpmb_data_frame *frm, 723 const uint8_t *fek, const TEE_UUID *uuid) 724 { 725 TEE_Result res; 726 uint8_t *data; 727 uint16_t idx; 728 729 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 730 return TEE_ERROR_BAD_PARAMETERS; 731 732 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 733 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 734 if (res != TEE_SUCCESS) 735 return res; 736 737 data = rawdata->data; 738 bytes_to_u16(frm->address, &idx); 739 740 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 741 uuid); 742 return res; 743 } 744 745 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 746 struct rpmb_raw_data *rawdata, 747 uint16_t nbr_frms, 748 struct rpmb_data_frame *lastfrm, 749 const uint8_t *fek, 750 const TEE_UUID *uuid) 751 { 752 TEE_Result res = TEE_ERROR_GENERIC; 753 int i; 754 void *ctx = NULL; 755 uint16_t offset; 756 uint32_t size; 757 uint8_t *data; 758 uint16_t start_idx; 759 struct rpmb_data_frame localfrm; 760 761 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 762 return TEE_ERROR_BAD_PARAMETERS; 763 764 if (nbr_frms == 1) 765 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 766 767 /* nbr_frms > 1 */ 768 769 data = rawdata->data; 770 771 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 772 if (res) 773 goto func_exit; 774 775 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 776 if (res != TEE_SUCCESS) 777 goto func_exit; 778 779 /* 780 * Note: JEDEC JESD84-B51: "In every packet the address is the start 781 * address of the full access (not address of the individual half a 782 * sector)" 783 */ 784 bytes_to_u16(lastfrm->address, &start_idx); 785 786 for (i = 0; i < (nbr_frms - 1); i++) { 787 788 /* 789 * By working on a local copy of the RPMB frame, we ensure that 790 * the data can not be modified after the MAC is computed but 791 * before the payload is decrypted/copied to the output buffer. 792 */ 793 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 794 795 res = crypto_mac_update(ctx, localfrm.data, 796 RPMB_MAC_PROTECT_DATA_SIZE); 797 if (res != TEE_SUCCESS) 798 goto func_exit; 799 800 if (i == 0) { 801 /* First block */ 802 offset = rawdata->byte_offset; 803 size = RPMB_DATA_SIZE - offset; 804 } else { 805 /* Middle blocks */ 806 size = RPMB_DATA_SIZE; 807 offset = 0; 808 } 809 810 res = decrypt(data, &localfrm, size, offset, start_idx + i, 811 fek, uuid); 812 if (res != TEE_SUCCESS) 813 goto func_exit; 814 815 data += size; 816 } 817 818 /* Last block */ 819 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 820 if (size == 0) 821 size = RPMB_DATA_SIZE; 822 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 823 uuid); 824 if (res != TEE_SUCCESS) 825 goto func_exit; 826 827 /* Update MAC against the last block */ 828 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 829 if (res != TEE_SUCCESS) 830 goto func_exit; 831 832 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 833 if (res != TEE_SUCCESS) 834 goto func_exit; 835 836 res = TEE_SUCCESS; 837 838 func_exit: 839 crypto_mac_free_ctx(ctx); 840 return res; 841 } 842 843 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 844 struct rpmb_raw_data *rawdata, 845 uint16_t nbr_frms, 846 const uint8_t *fek, 847 const TEE_UUID *uuid) 848 { 849 TEE_Result res = TEE_ERROR_GENERIC; 850 uint16_t msg_type; 851 uint32_t wr_cnt; 852 uint16_t blk_idx; 853 uint8_t op_result; 854 struct rpmb_data_frame lastfrm; 855 856 if (!datafrm || !rawdata || !nbr_frms) 857 return TEE_ERROR_BAD_PARAMETERS; 858 859 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 860 size_t i = 0; 861 862 for (i = 0; i < nbr_frms; i++) { 863 DMSG("Dumping data frame %zu:", i); 864 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 865 512 - RPMB_STUFF_DATA_SIZE); 866 } 867 } 868 869 /* Make sure the last data packet can't be modified once verified */ 870 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 871 872 /* Handle operation result and translate to TEEC error code. */ 873 get_op_result_bits(lastfrm.op_result, &op_result); 874 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 875 return TEE_ERROR_ITEM_NOT_FOUND; 876 if (op_result != RPMB_RESULT_OK) 877 return TEE_ERROR_GENERIC; 878 879 /* Check the response msg_type. */ 880 bytes_to_u16(lastfrm.msg_type, &msg_type); 881 if (msg_type != rawdata->msg_type) { 882 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 883 rawdata->msg_type); 884 return TEE_ERROR_GENERIC; 885 } 886 887 if (rawdata->blk_idx) { 888 bytes_to_u16(lastfrm.address, &blk_idx); 889 if (blk_idx != *rawdata->blk_idx) { 890 DMSG("Unexpected block index"); 891 return TEE_ERROR_GENERIC; 892 } 893 } 894 895 if (rawdata->write_counter) { 896 wr_cnt = *rawdata->write_counter; 897 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 898 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 899 /* Verify the write counter is incremented by 1 */ 900 if (*rawdata->write_counter != wr_cnt + 1) { 901 DMSG("Counter mismatched (0x%04x/0x%04x)", 902 *rawdata->write_counter, wr_cnt + 1); 903 return TEE_ERROR_SECURITY; 904 } 905 rpmb_ctx->wr_cnt++; 906 } 907 } 908 909 if (rawdata->nonce) { 910 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 911 RPMB_NONCE_SIZE) != 0) { 912 DMSG("Nonce mismatched"); 913 return TEE_ERROR_SECURITY; 914 } 915 } 916 917 if (rawdata->key_mac) { 918 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 919 if (!rawdata->data) 920 return TEE_ERROR_GENERIC; 921 922 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 923 nbr_frms, &lastfrm, 924 fek, uuid); 925 926 if (res != TEE_SUCCESS) 927 return res; 928 } else { 929 /* 930 * There should be only one data frame for 931 * other msg types. 932 */ 933 if (nbr_frms != 1) 934 return TEE_ERROR_GENERIC; 935 936 res = tee_rpmb_mac_calc(rawdata->key_mac, 937 RPMB_KEY_MAC_SIZE, 938 rpmb_ctx->key, 939 RPMB_KEY_MAC_SIZE, 940 &lastfrm, 1); 941 942 if (res != TEE_SUCCESS) 943 return res; 944 } 945 946 if (consttime_memcmp(rawdata->key_mac, 947 (datafrm + nbr_frms - 1)->key_mac, 948 RPMB_KEY_MAC_SIZE) != 0) { 949 DMSG("MAC mismatched:"); 950 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) 951 DHEXDUMP(rawdata->key_mac, RPMB_KEY_MAC_SIZE); 952 953 return TEE_ERROR_SECURITY; 954 } 955 } 956 957 return TEE_SUCCESS; 958 } 959 960 static TEE_Result tee_rpmb_get_dev_info(struct rpmb_dev_info *dev_info) 961 { 962 TEE_Result res = TEE_ERROR_GENERIC; 963 struct tee_rpmb_mem mem; 964 struct rpmb_dev_info *di; 965 966 if (!dev_info || !rpmb_ctx->legacy_operation) 967 return TEE_ERROR_BAD_PARAMETERS; 968 969 res = tee_rpmb_alloc(0, sizeof(struct rpmb_dev_info), &mem); 970 if (res != TEE_SUCCESS) 971 return res; 972 973 mem.req_hdr->cmd = RPMB_CMD_GET_DEV_INFO; 974 mem.req_hdr->dev_id = rpmb_ctx->dev_id; 975 976 di = (struct rpmb_dev_info *)mem.resp_data; 977 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 978 979 res = tee_rpmb_invoke(&mem); 980 if (res != TEE_SUCCESS) 981 return res; 982 983 *dev_info = *di; 984 if (dev_info->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) 985 return TEE_ERROR_GENERIC; 986 987 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 988 DMSG("Dumping dev_info:"); 989 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 990 } 991 992 return TEE_SUCCESS; 993 } 994 995 static TEE_Result tee_rpmb_init_read_wr_cnt(uint32_t *wr_cnt) 996 { 997 TEE_Result res = TEE_ERROR_GENERIC; 998 struct tee_rpmb_mem mem; 999 uint16_t msg_type; 1000 uint8_t nonce[RPMB_NONCE_SIZE]; 1001 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1002 struct rpmb_raw_data rawdata; 1003 uint16_t op_result = 0; 1004 1005 if (!wr_cnt) 1006 return TEE_ERROR_BAD_PARAMETERS; 1007 1008 res = tee_rpmb_alloc(RPMB_DATA_FRAME_SIZE, RPMB_DATA_FRAME_SIZE, &mem); 1009 if (res != TEE_SUCCESS) 1010 return res; 1011 1012 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1013 if (res != TEE_SUCCESS) 1014 return res; 1015 1016 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 1017 1018 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1019 rawdata.msg_type = msg_type; 1020 rawdata.nonce = nonce; 1021 1022 res = tee_rpmb_req_pack(mem.req_hdr, mem.req_data, &rawdata, 1, NULL, 1023 NULL); 1024 if (res != TEE_SUCCESS) 1025 return res; 1026 1027 res = tee_rpmb_invoke(&mem); 1028 if (res != TEE_SUCCESS) 1029 return res; 1030 1031 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 1032 1033 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1034 rawdata.msg_type = msg_type; 1035 rawdata.op_result = &op_result; 1036 rawdata.write_counter = wr_cnt; 1037 rawdata.nonce = nonce; 1038 rawdata.key_mac = hmac; 1039 1040 return tee_rpmb_resp_unpack_verify(mem.resp_data, &rawdata, 1, NULL, 1041 NULL); 1042 } 1043 1044 #ifdef CFG_RPMB_WRITE_KEY 1045 static TEE_Result tee_rpmb_write_key(void) 1046 { 1047 TEE_Result res = TEE_ERROR_GENERIC; 1048 struct tee_rpmb_mem mem = { 0 }; 1049 uint16_t msg_type; 1050 struct rpmb_raw_data rawdata; 1051 1052 res = tee_rpmb_alloc(RPMB_DATA_FRAME_SIZE, RPMB_DATA_FRAME_SIZE, &mem); 1053 if (res != TEE_SUCCESS) 1054 return res; 1055 1056 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 1057 1058 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1059 rawdata.msg_type = msg_type; 1060 rawdata.key_mac = rpmb_ctx->key; 1061 1062 res = tee_rpmb_req_pack(mem.req_hdr, mem.req_data, &rawdata, 1, NULL, 1063 NULL); 1064 if (res != TEE_SUCCESS) 1065 return res; 1066 1067 res = tee_rpmb_invoke(&mem); 1068 if (res != TEE_SUCCESS) 1069 return res; 1070 1071 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1072 1073 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1074 rawdata.msg_type = msg_type; 1075 1076 return tee_rpmb_resp_unpack_verify(mem.resp_data, &rawdata, 1, NULL, 1077 NULL); 1078 } 1079 1080 static TEE_Result tee_rpmb_write_and_verify_key(void) 1081 { 1082 TEE_Result res; 1083 1084 if (!plat_rpmb_key_is_ready()) { 1085 DMSG("RPMB INIT: platform indicates RPMB key is not ready"); 1086 return TEE_ERROR_BAD_STATE; 1087 } 1088 1089 DMSG("RPMB INIT: Writing Key value:"); 1090 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1091 1092 res = tee_rpmb_write_key(); 1093 if (res == TEE_SUCCESS) { 1094 DMSG("RPMB INIT: Verifying Key"); 1095 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt); 1096 } 1097 return res; 1098 } 1099 #else 1100 static TEE_Result tee_rpmb_write_and_verify_key(void) 1101 { 1102 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1103 return TEE_ERROR_STORAGE_NOT_AVAILABLE; 1104 } 1105 #endif 1106 1107 static TEE_Result rpmb_set_dev_info(const struct rpmb_dev_info *dev_info) 1108 { 1109 uint32_t nblocks = 0; 1110 1111 DMSG("RPMB: Syncing device information"); 1112 1113 DMSG("RPMB: RPMB size is %"PRIu8"*128 KB", dev_info->rpmb_size_mult); 1114 DMSG("RPMB: Reliable Write Sector Count is %"PRIu8, 1115 dev_info->rel_wr_sec_c); 1116 DMSG("RPMB: CID"); 1117 DHEXDUMP(dev_info->cid, sizeof(dev_info->cid)); 1118 1119 if (!dev_info->rpmb_size_mult) 1120 return TEE_ERROR_GENERIC; 1121 1122 if (MUL_OVERFLOW(dev_info->rpmb_size_mult, 1123 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1124 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) 1125 return TEE_ERROR_BAD_PARAMETERS; 1126 1127 memcpy(rpmb_ctx->cid, dev_info->cid, RPMB_EMMC_CID_SIZE); 1128 1129 if (IS_ENABLED(RPMB_DRIVER_MULTIPLE_WRITE_FIXED)) 1130 rpmb_ctx->rel_wr_blkcnt = dev_info->rel_wr_sec_c * 2; 1131 else 1132 rpmb_ctx->rel_wr_blkcnt = 1; 1133 1134 return TEE_SUCCESS; 1135 } 1136 1137 static TEE_Result legacy_rpmb_init(void) 1138 { 1139 TEE_Result res = TEE_SUCCESS; 1140 struct rpmb_dev_info dev_info = { }; 1141 1142 DMSG("Trying legacy RPMB init"); 1143 rpmb_ctx->legacy_operation = true; 1144 rpmb_ctx->dev_id = CFG_RPMB_FS_DEV_ID; 1145 rpmb_ctx->shm_type = THREAD_SHM_TYPE_APPLICATION; 1146 1147 if (!rpmb_ctx->dev_info_synced) { 1148 dev_info.rpmb_size_mult = 0; 1149 dev_info.rel_wr_sec_c = 0; 1150 res = tee_rpmb_get_dev_info(&dev_info); 1151 if (res != TEE_SUCCESS) 1152 return res; 1153 1154 res = rpmb_set_dev_info(&dev_info); 1155 if (res) 1156 return res; 1157 1158 rpmb_ctx->dev_info_synced = true; 1159 } 1160 1161 if (!rpmb_ctx->key_derived) { 1162 DMSG("RPMB INIT: Deriving key"); 1163 1164 res = tee_rpmb_key_gen(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1165 if (res != TEE_SUCCESS) { 1166 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1167 res); 1168 return res; 1169 } 1170 1171 rpmb_ctx->key_derived = true; 1172 } 1173 1174 /* Perform a write counter read to verify if the key is ok. */ 1175 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1176 DMSG("RPMB INIT: Verifying Key"); 1177 1178 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt); 1179 if (res == TEE_SUCCESS) { 1180 DMSG("Found working RPMB device"); 1181 rpmb_ctx->key_verified = true; 1182 rpmb_ctx->wr_cnt_synced = true; 1183 } else if (res == TEE_ERROR_ITEM_NOT_FOUND && 1184 !rpmb_ctx->key_verified) { 1185 /* 1186 * Need to write the key here and verify it. 1187 */ 1188 DMSG("RPMB INIT: Auth key not yet written"); 1189 res = tee_rpmb_write_and_verify_key(); 1190 } else { 1191 EMSG("Verify key failed! %#"PRIx32, res); 1192 EMSG("Make sure key here matches device key"); 1193 } 1194 } 1195 1196 return res; 1197 } 1198 1199 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1200 static TEE_Result tee_rpmb_init(void) 1201 { 1202 TEE_Result res = TEE_SUCCESS; 1203 struct rpmb_dev_info dev_info = { }; 1204 1205 if (rpmb_dead) 1206 return TEE_ERROR_COMMUNICATION; 1207 1208 if (!rpmb_ctx) { 1209 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1210 if (!rpmb_ctx) 1211 return TEE_ERROR_OUT_OF_MEMORY; 1212 } 1213 1214 if (rpmb_ctx->reinit) { 1215 if (!rpmb_ctx->key_verified) { 1216 rpmb_ctx->wr_cnt_synced = false; 1217 rpmb_ctx->key_derived = false; 1218 rpmb_ctx->dev_info_synced = false; 1219 rpmb_ctx->reinit = false; 1220 goto next; 1221 } 1222 res = rpmb_probe_reset(); 1223 if (res) { 1224 if (res != TEE_ERROR_NOT_SUPPORTED && 1225 res != TEE_ERROR_NOT_IMPLEMENTED) 1226 return res; 1227 return legacy_rpmb_init(); 1228 } 1229 while (true) { 1230 res = rpmb_probe_next(&dev_info); 1231 if (res) { 1232 DMSG("rpmb_probe_next error %#"PRIx32, res); 1233 return res; 1234 } 1235 if (!memcmp(rpmb_ctx->cid, dev_info.cid, 1236 RPMB_EMMC_CID_SIZE)) { 1237 rpmb_ctx->reinit = false; 1238 return TEE_SUCCESS; 1239 } 1240 } 1241 } 1242 1243 if (rpmb_ctx->key_verified) 1244 return TEE_SUCCESS; 1245 1246 next: 1247 if (IS_ENABLED(CFG_RPMB_WRITE_KEY)) 1248 return legacy_rpmb_init(); 1249 1250 res = rpmb_probe_reset(); 1251 if (res) { 1252 if (res != TEE_ERROR_NOT_SUPPORTED && 1253 res != TEE_ERROR_NOT_IMPLEMENTED) 1254 return res; 1255 return legacy_rpmb_init(); 1256 } 1257 1258 while (true) { 1259 res = rpmb_probe_next(&dev_info); 1260 if (res) { 1261 DMSG("rpmb_probe_next error %#"PRIx32, res); 1262 return res; 1263 } 1264 res = rpmb_set_dev_info(&dev_info); 1265 if (res) { 1266 DMSG("Invalid device info, looking for another device"); 1267 continue; 1268 } 1269 1270 res = tee_rpmb_key_gen(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1271 if (res) 1272 return res; 1273 1274 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt); 1275 if (res) 1276 continue; 1277 break; 1278 } 1279 1280 DMSG("Found working RPMB device"); 1281 rpmb_ctx->key_verified = true; 1282 rpmb_ctx->wr_cnt_synced = true; 1283 1284 return TEE_SUCCESS; 1285 } 1286 1287 TEE_Result tee_rpmb_reinit(void) 1288 { 1289 if (rpmb_ctx) 1290 rpmb_ctx->reinit = true; 1291 return tee_rpmb_init(); 1292 } 1293 1294 /* 1295 * Read RPMB data in bytes. 1296 * 1297 * @addr Byte address of data. 1298 * @data Pointer to the data. 1299 * @len Size of data in bytes. 1300 * @fek Encrypted File Encryption Key or NULL. 1301 */ 1302 static TEE_Result tee_rpmb_read(uint32_t addr, uint8_t *data, 1303 uint32_t len, const uint8_t *fek, 1304 const TEE_UUID *uuid) 1305 { 1306 TEE_Result res = TEE_ERROR_GENERIC; 1307 struct tee_rpmb_mem mem = { 0 }; 1308 uint16_t msg_type; 1309 uint8_t nonce[RPMB_NONCE_SIZE]; 1310 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1311 struct rpmb_raw_data rawdata; 1312 uint16_t blk_idx; 1313 uint16_t blkcnt; 1314 uint8_t byte_offset; 1315 1316 if (!data || !len) 1317 return TEE_ERROR_BAD_PARAMETERS; 1318 1319 blk_idx = addr / RPMB_DATA_SIZE; 1320 byte_offset = addr % RPMB_DATA_SIZE; 1321 1322 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1323 /* Overflow */ 1324 return TEE_ERROR_BAD_PARAMETERS; 1325 } 1326 blkcnt = ROUNDUP_DIV(len + byte_offset, RPMB_DATA_SIZE); 1327 res = tee_rpmb_init(); 1328 if (res != TEE_SUCCESS) 1329 return res; 1330 1331 res = tee_rpmb_alloc(RPMB_DATA_FRAME_SIZE, 1332 RPMB_DATA_FRAME_SIZE * blkcnt, &mem); 1333 if (res != TEE_SUCCESS) 1334 return res; 1335 1336 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1337 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1338 if (res != TEE_SUCCESS) 1339 return res; 1340 1341 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1342 rawdata.msg_type = msg_type; 1343 rawdata.nonce = nonce; 1344 rawdata.blk_idx = &blk_idx; 1345 res = tee_rpmb_req_pack(mem.req_hdr, mem.req_data, &rawdata, 1, NULL, 1346 NULL); 1347 if (res != TEE_SUCCESS) 1348 return res; 1349 1350 if (mem.req_hdr) 1351 mem.req_hdr->block_count = blkcnt; 1352 1353 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1354 blk_idx); 1355 1356 res = tee_rpmb_invoke(&mem); 1357 if (res != TEE_SUCCESS) 1358 return res; 1359 1360 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1361 1362 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1363 rawdata.msg_type = msg_type; 1364 rawdata.block_count = &blkcnt; 1365 rawdata.blk_idx = &blk_idx; 1366 rawdata.nonce = nonce; 1367 rawdata.key_mac = hmac; 1368 rawdata.data = data; 1369 1370 rawdata.len = len; 1371 rawdata.byte_offset = byte_offset; 1372 1373 return tee_rpmb_resp_unpack_verify(mem.resp_data, &rawdata, blkcnt, 1374 fek, uuid); 1375 } 1376 1377 static TEE_Result write_req(uint16_t blk_idx, 1378 const void *data_blks, uint16_t blkcnt, 1379 const uint8_t *fek, const TEE_UUID *uuid, 1380 struct tee_rpmb_mem *mem) 1381 { 1382 TEE_Result res = TEE_SUCCESS; 1383 uint8_t hmac[RPMB_KEY_MAC_SIZE] = { }; 1384 uint32_t wr_cnt = rpmb_ctx->wr_cnt; 1385 struct rpmb_raw_data rawdata = { }; 1386 size_t retry_count = 0; 1387 1388 while (true) { 1389 if (mem->req_hdr) 1390 memset(mem->req_hdr, 0, mem->req_size); 1391 else 1392 memset(mem->req_data, 0, mem->req_size); 1393 memset(mem->resp_data, 0, mem->resp_size); 1394 1395 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1396 rawdata.msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1397 rawdata.block_count = &blkcnt; 1398 rawdata.blk_idx = &blk_idx; 1399 rawdata.write_counter = &wr_cnt; 1400 rawdata.key_mac = hmac; 1401 rawdata.data = (uint8_t *)data_blks; 1402 1403 res = tee_rpmb_req_pack(mem->req_hdr, mem->req_data, &rawdata, 1404 blkcnt, fek, uuid); 1405 if (res) { 1406 /* 1407 * If we haven't tried to send a request yet we can 1408 * allow a failure here since there's no chance of 1409 * an intercepted request with a valid write 1410 * counter. 1411 */ 1412 if (!retry_count) 1413 return res; 1414 1415 retry_count++; 1416 if (retry_count >= RPMB_MAX_RETRIES) 1417 goto out_of_retries; 1418 1419 DMSG("Request pack failed, retrying %zu", retry_count); 1420 continue; 1421 } 1422 1423 res = tee_rpmb_invoke(mem); 1424 if (res != TEE_SUCCESS) { 1425 retry_count++; 1426 if (retry_count >= RPMB_MAX_RETRIES) 1427 goto out_of_retries; 1428 /* 1429 * To force wr_cnt sync next time, as it might get 1430 * out of sync due to inconsistent operation result! 1431 */ 1432 rpmb_ctx->wr_cnt_synced = false; 1433 DMSG("Write invoke failed, retrying %zu", retry_count); 1434 continue; 1435 } 1436 1437 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1438 rawdata.msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1439 rawdata.block_count = &blkcnt; 1440 rawdata.blk_idx = &blk_idx; 1441 rawdata.write_counter = &wr_cnt; 1442 rawdata.key_mac = hmac; 1443 1444 res = tee_rpmb_resp_unpack_verify(mem->resp_data, &rawdata, 1, 1445 NULL, NULL); 1446 if (res != TEE_SUCCESS) { 1447 retry_count++; 1448 if (retry_count >= RPMB_MAX_RETRIES) 1449 goto out_of_retries; 1450 /* 1451 * To force wr_cnt sync next time, as it might get 1452 * out of sync due to inconsistent operation result! 1453 */ 1454 rpmb_ctx->wr_cnt_synced = false; 1455 DMSG("Write resp unpack verify failed, retrying %zu", 1456 retry_count); 1457 continue; 1458 } 1459 1460 return TEE_SUCCESS; 1461 } 1462 1463 out_of_retries: 1464 rpmb_dead = true; 1465 /* 1466 * We're using this error code to cause an eventuall calling TA to 1467 * panic since we don't know if the data to be written has been 1468 * committed to storage or not. 1469 */ 1470 return TEE_ERROR_COMMUNICATION; 1471 } 1472 1473 static TEE_Result tee_rpmb_write_blk(uint16_t blk_idx, 1474 const uint8_t *data_blks, uint16_t blkcnt, 1475 const uint8_t *fek, const TEE_UUID *uuid) 1476 { 1477 TEE_Result res; 1478 struct tee_rpmb_mem mem; 1479 uint32_t req_size; 1480 uint32_t nbr_writes; 1481 uint16_t tmp_blkcnt; 1482 uint16_t tmp_blk_idx; 1483 uint16_t i; 1484 1485 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1486 blk_idx); 1487 1488 if (!data_blks || !blkcnt) 1489 return TEE_ERROR_BAD_PARAMETERS; 1490 1491 res = tee_rpmb_init(); 1492 if (res != TEE_SUCCESS) 1493 return res; 1494 1495 /* 1496 * We need to split data when block count 1497 * is bigger than reliable block write count. 1498 */ 1499 req_size = RPMB_DATA_FRAME_SIZE * MIN(blkcnt, rpmb_ctx->rel_wr_blkcnt); 1500 res = tee_rpmb_alloc(req_size, RPMB_DATA_FRAME_SIZE, &mem); 1501 if (res != TEE_SUCCESS) 1502 return res; 1503 1504 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1505 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1506 nbr_writes += 1; 1507 1508 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1509 tmp_blk_idx = blk_idx; 1510 for (i = 0; i < nbr_writes; i++) { 1511 size_t offs = i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1512 1513 /* 1514 * To handle the last write of block count which is 1515 * equal or smaller than reliable write block count. 1516 */ 1517 if (i == nbr_writes - 1) 1518 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1519 (nbr_writes - 1); 1520 1521 res = write_req(tmp_blk_idx, data_blks + offs, 1522 tmp_blkcnt, fek, uuid, &mem); 1523 if (res) 1524 return res; 1525 1526 1527 tmp_blk_idx += tmp_blkcnt; 1528 } 1529 1530 return TEE_SUCCESS; 1531 } 1532 1533 static bool tee_rpmb_write_is_atomic(uint32_t addr, uint32_t len) 1534 { 1535 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1536 uint16_t blkcnt = ROUNDUP_DIV(len + byte_offset, RPMB_DATA_SIZE); 1537 1538 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1539 } 1540 1541 /* 1542 * Write RPMB data in bytes. 1543 * 1544 * @addr Byte address of data. 1545 * @data Pointer to the data. 1546 * @len Size of data in bytes. 1547 * @fek Encrypted File Encryption Key or NULL. 1548 */ 1549 static TEE_Result tee_rpmb_write(uint32_t addr, 1550 const uint8_t *data, uint32_t len, 1551 const uint8_t *fek, const TEE_UUID *uuid) 1552 { 1553 TEE_Result res = TEE_ERROR_GENERIC; 1554 uint8_t *data_tmp = NULL; 1555 uint16_t blk_idx; 1556 uint16_t blkcnt; 1557 uint8_t byte_offset; 1558 1559 blk_idx = addr / RPMB_DATA_SIZE; 1560 byte_offset = addr % RPMB_DATA_SIZE; 1561 1562 blkcnt = ROUNDUP_DIV(len + byte_offset, RPMB_DATA_SIZE); 1563 1564 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1565 res = tee_rpmb_write_blk(blk_idx, data, blkcnt, fek, uuid); 1566 if (res != TEE_SUCCESS) 1567 goto func_exit; 1568 } else { 1569 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1570 if (!data_tmp) { 1571 res = TEE_ERROR_OUT_OF_MEMORY; 1572 goto func_exit; 1573 } 1574 1575 /* Read the complete blocks */ 1576 res = tee_rpmb_read(blk_idx * RPMB_DATA_SIZE, data_tmp, 1577 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1578 if (res != TEE_SUCCESS) 1579 goto func_exit; 1580 1581 /* Partial update of the data blocks */ 1582 memcpy(data_tmp + byte_offset, data, len); 1583 1584 res = tee_rpmb_write_blk(blk_idx, data_tmp, blkcnt, fek, uuid); 1585 if (res != TEE_SUCCESS) 1586 goto func_exit; 1587 } 1588 1589 res = TEE_SUCCESS; 1590 1591 func_exit: 1592 free(data_tmp); 1593 return res; 1594 } 1595 1596 /* 1597 * Read the RPMB max block. 1598 * 1599 * @counter Pointer to receive the max block. 1600 */ 1601 static TEE_Result tee_rpmb_get_max_block(uint32_t *max_block) 1602 { 1603 TEE_Result res = TEE_SUCCESS; 1604 1605 if (!max_block) 1606 return TEE_ERROR_BAD_PARAMETERS; 1607 1608 if (rpmb_dead) 1609 return TEE_ERROR_COMMUNICATION; 1610 1611 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1612 res = tee_rpmb_init(); 1613 if (res != TEE_SUCCESS) 1614 goto func_exit; 1615 } 1616 1617 *max_block = rpmb_ctx->max_blk_idx; 1618 1619 func_exit: 1620 return res; 1621 } 1622 1623 /* 1624 * End of lower interface to RPMB device 1625 */ 1626 1627 static TEE_Result get_fat_start_address(uint32_t *addr); 1628 static TEE_Result rpmb_fs_setup(void); 1629 1630 /** 1631 * fat_entry_dir_free: Free the FAT entry dir. 1632 */ 1633 static void fat_entry_dir_free(void) 1634 { 1635 if (fat_entry_dir) { 1636 free(fat_entry_dir->rpmb_fat_entry_buf); 1637 free(fat_entry_dir); 1638 fat_entry_dir = NULL; 1639 } 1640 } 1641 1642 /** 1643 * fat_entry_dir_init: Initialize the FAT FS entry buffer/cache 1644 * This function must be called before reading FAT FS entries using the 1645 * function fat_entry_dir_get_next. This initializes the buffer/cache with the 1646 * first FAT FS entries. 1647 */ 1648 static TEE_Result fat_entry_dir_init(void) 1649 { 1650 TEE_Result res = TEE_ERROR_GENERIC; 1651 struct rpmb_fat_entry *fe = NULL; 1652 uint32_t fat_address = 0; 1653 uint32_t num_elems_read = 0; 1654 1655 if (fat_entry_dir) 1656 return TEE_SUCCESS; 1657 1658 res = rpmb_fs_setup(); 1659 if (res) 1660 return res; 1661 1662 res = get_fat_start_address(&fat_address); 1663 if (res) 1664 return res; 1665 1666 fat_entry_dir = calloc(1, sizeof(struct rpmb_fat_entry_dir)); 1667 if (!fat_entry_dir) 1668 return TEE_ERROR_OUT_OF_MEMORY; 1669 1670 /* 1671 * If caching is enabled, read in up to the maximum cache size, but 1672 * never more than the single read in size. Otherwise, read in as many 1673 * entries fit into the temporary buffer. 1674 */ 1675 if (CFG_RPMB_FS_CACHE_ENTRIES) 1676 num_elems_read = MIN(CFG_RPMB_FS_CACHE_ENTRIES, 1677 CFG_RPMB_FS_RD_ENTRIES); 1678 else 1679 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1680 1681 /* 1682 * Allocate memory for the FAT FS entries to read in. 1683 */ 1684 fe = calloc(num_elems_read, sizeof(struct rpmb_fat_entry)); 1685 if (!fe) { 1686 res = TEE_ERROR_OUT_OF_MEMORY; 1687 goto out; 1688 } 1689 1690 res = tee_rpmb_read(fat_address, (uint8_t *)fe, 1691 num_elems_read * sizeof(*fe), NULL, NULL); 1692 if (res) 1693 goto out; 1694 1695 fat_entry_dir->rpmb_fat_entry_buf = fe; 1696 1697 /* 1698 * We use this variable when getting next entries from the buffer/cache 1699 * to see whether we have to read in more entries from storage. 1700 */ 1701 fat_entry_dir->num_buffered = num_elems_read; 1702 1703 return TEE_SUCCESS; 1704 out: 1705 fat_entry_dir_free(); 1706 free(fe); 1707 return res; 1708 } 1709 1710 /** 1711 * fat_entry_dir_deinit: If caching is enabled, free the temporary buffer for 1712 * FAT FS entries in case the cache was too small. Keep the elements in the 1713 * cache. Reset the counter variables to start the next traversal from fresh 1714 * from the first cached entry. If caching is disabled, just free the 1715 * temporary buffer by calling fat_entry_dir_free and return. 1716 */ 1717 static void fat_entry_dir_deinit(void) 1718 { 1719 struct rpmb_fat_entry *fe = NULL; 1720 1721 if (!fat_entry_dir) 1722 return; 1723 1724 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1725 fat_entry_dir_free(); 1726 return; 1727 } 1728 1729 fe = fat_entry_dir->rpmb_fat_entry_buf; 1730 fat_entry_dir->idx_curr = 0; 1731 fat_entry_dir->num_total_read = 0; 1732 fat_entry_dir->last_reached = false; 1733 1734 if (fat_entry_dir->num_buffered > CFG_RPMB_FS_CACHE_ENTRIES) { 1735 fat_entry_dir->num_buffered = CFG_RPMB_FS_CACHE_ENTRIES; 1736 1737 fe = realloc(fe, fat_entry_dir->num_buffered * sizeof(*fe)); 1738 1739 /* 1740 * In case realloc fails, we are on the safe side if we destroy 1741 * the whole structure. Upon the next init, the cache has to be 1742 * re-established, but this case should not happen in practice. 1743 */ 1744 if (!fe) 1745 fat_entry_dir_free(); 1746 else 1747 fat_entry_dir->rpmb_fat_entry_buf = fe; 1748 } 1749 } 1750 1751 /** 1752 * fat_entry_dir_update: Updates a persisted FAT FS entry in the cache. 1753 * This function updates the FAT entry fat_entry that was written to address 1754 * fat_address onto RPMB storage in the cache. 1755 */ 1756 static TEE_Result __maybe_unused fat_entry_dir_update 1757 (struct rpmb_fat_entry *fat_entry, 1758 uint32_t fat_address) 1759 { 1760 uint32_t fat_entry_buf_idx = 0; 1761 /* Use a temp var to avoid compiler warning if caching disabled. */ 1762 uint32_t max_cache_entries = CFG_RPMB_FS_CACHE_ENTRIES; 1763 1764 assert(!((fat_address - RPMB_FS_FAT_START_ADDRESS) % 1765 sizeof(struct rpmb_fat_entry))); 1766 1767 /* Nothing to update if the cache is not initialized. */ 1768 if (!fat_entry_dir) 1769 return TEE_SUCCESS; 1770 1771 fat_entry_buf_idx = (fat_address - RPMB_FS_FAT_START_ADDRESS) / 1772 sizeof(struct rpmb_fat_entry); 1773 1774 /* Only need to write if index points to an entry in cache. */ 1775 if (fat_entry_buf_idx < fat_entry_dir->num_buffered && 1776 fat_entry_buf_idx < max_cache_entries) { 1777 memcpy(fat_entry_dir->rpmb_fat_entry_buf + fat_entry_buf_idx, 1778 fat_entry, sizeof(struct rpmb_fat_entry)); 1779 } 1780 1781 return TEE_SUCCESS; 1782 } 1783 1784 /** 1785 * fat_entry_dir_get_next: Get next FAT FS entry. 1786 * Read either from cache/buffer, or by reading from RPMB storage if the 1787 * elements in the buffer/cache are fully read. When reading in from RPMB 1788 * storage, the buffer is overwritten in case caching is disabled. 1789 * In case caching is enabled, the cache is either further filled, or a 1790 * temporary buffer populated if the cache is already full. 1791 * The FAT FS entry is written to fat_entry. The respective address in RPMB 1792 * storage is written to fat_address, if not NULL. When the last FAT FS entry 1793 * was previously read, the function indicates this case by writing a NULL 1794 * pointer to fat_entry. 1795 * Returns a value different TEE_SUCCESS if the next FAT FS entry could not be 1796 * retrieved. 1797 */ 1798 static TEE_Result fat_entry_dir_get_next(struct rpmb_fat_entry **fat_entry, 1799 uint32_t *fat_address) 1800 { 1801 TEE_Result res = TEE_ERROR_GENERIC; 1802 struct rpmb_fat_entry *fe = NULL; 1803 uint32_t num_elems_read = 0; 1804 uint32_t fat_address_local = 0; 1805 1806 assert(fat_entry_dir && fat_entry); 1807 1808 /* Don't read further if we previously read the last FAT FS entry. */ 1809 if (fat_entry_dir->last_reached) { 1810 *fat_entry = NULL; 1811 return TEE_SUCCESS; 1812 } 1813 1814 fe = fat_entry_dir->rpmb_fat_entry_buf; 1815 1816 /* Determine address of FAT FS entry in RPMB storage. */ 1817 fat_address_local = RPMB_FS_FAT_START_ADDRESS + 1818 (fat_entry_dir->num_total_read * 1819 sizeof(struct rpmb_fat_entry)); 1820 1821 /* 1822 * We've read all so-far buffered elements, so we need to 1823 * read in more entries from RPMB storage. 1824 */ 1825 if (fat_entry_dir->idx_curr >= fat_entry_dir->num_buffered) { 1826 /* 1827 * This is the case where we do not cache entries, so just read 1828 * in next set of FAT FS entries into the buffer. 1829 * Goto the end of the when statement if that is done. 1830 */ 1831 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1832 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1833 fat_entry_dir->idx_curr = 0; 1834 1835 res = tee_rpmb_read(fat_address_local, (uint8_t *)fe, 1836 num_elems_read * sizeof(*fe), NULL, 1837 NULL); 1838 if (res) 1839 return res; 1840 goto post_read_in; 1841 } 1842 1843 /* 1844 * We cache FAT FS entries, and the buffer is not completely 1845 * filled. Further keep on extending the buffer up to its max 1846 * size by reading in from RPMB. 1847 */ 1848 if (fat_entry_dir->num_total_read < RPMB_BUF_MAX_ENTRIES) { 1849 /* 1850 * Read at most as many elements as fit in the buffer 1851 * and no more than the defined number of entries to 1852 * read in at once. 1853 */ 1854 num_elems_read = MIN(RPMB_BUF_MAX_ENTRIES - 1855 fat_entry_dir->num_total_read, 1856 (uint32_t)CFG_RPMB_FS_RD_ENTRIES); 1857 1858 /* 1859 * Expand the buffer to fit in the additional entries. 1860 */ 1861 fe = realloc(fe, 1862 (fat_entry_dir->num_buffered + 1863 num_elems_read) * sizeof(*fe)); 1864 if (!fe) 1865 return TEE_ERROR_OUT_OF_MEMORY; 1866 1867 fat_entry_dir->rpmb_fat_entry_buf = fe; 1868 1869 /* Read in to the next free slot in the buffer/cache. */ 1870 res = tee_rpmb_read(fat_address_local, 1871 (uint8_t *)(fe + 1872 fat_entry_dir->num_total_read), 1873 num_elems_read * sizeof(*fe), 1874 NULL, NULL); 1875 if (res) 1876 return res; 1877 1878 fat_entry_dir->num_buffered += num_elems_read; 1879 } else { 1880 /* 1881 * This happens when we have read as many elements as 1882 * can possibly fit into the buffer. 1883 * As the first part of the buffer serves as our cache, 1884 * we only overwrite the last part that serves as our 1885 * temporary buffer used to iteratively read in entries 1886 * when the cache is full. Read in the temporary buffer 1887 * maximum size. 1888 */ 1889 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1890 /* Reset index to beginning of the temporary buffer. */ 1891 fat_entry_dir->idx_curr = CFG_RPMB_FS_CACHE_ENTRIES; 1892 1893 /* Read in elements after the end of the cache. */ 1894 res = tee_rpmb_read(fat_address_local, 1895 (uint8_t *)(fe + 1896 fat_entry_dir->idx_curr), 1897 num_elems_read * sizeof(*fe), 1898 NULL, NULL); 1899 if (res) 1900 return res; 1901 } 1902 } 1903 1904 post_read_in: 1905 if (fat_address) 1906 *fat_address = fat_address_local; 1907 1908 *fat_entry = fe + fat_entry_dir->idx_curr; 1909 1910 fat_entry_dir->idx_curr++; 1911 fat_entry_dir->num_total_read++; 1912 1913 /* 1914 * Indicate last entry was read. 1915 * Ensures we return a zero value for fat_entry on next invocation. 1916 */ 1917 if ((*fat_entry)->flags & FILE_IS_LAST_ENTRY) 1918 fat_entry_dir->last_reached = true; 1919 1920 return TEE_SUCCESS; 1921 } 1922 1923 #if (TRACE_LEVEL >= TRACE_FLOW) 1924 static void dump_fat(void) 1925 { 1926 TEE_Result res = TEE_ERROR_SECURITY; 1927 struct rpmb_fat_entry *fe = NULL; 1928 1929 if (!fs_par) 1930 return; 1931 1932 if (fat_entry_dir_init()) 1933 return; 1934 1935 while (true) { 1936 res = fat_entry_dir_get_next(&fe, NULL); 1937 if (res || !fe) 1938 break; 1939 1940 FMSG("flags %#"PRIx32", size %"PRIu32", address %#"PRIx32 1941 ", filename '%s'", 1942 fe->flags, fe->data_size, fe->start_address, fe->filename); 1943 } 1944 1945 fat_entry_dir_deinit(); 1946 } 1947 #else 1948 static void dump_fat(void) 1949 { 1950 } 1951 #endif 1952 1953 #if (TRACE_LEVEL >= TRACE_DEBUG) 1954 static void dump_fh(struct rpmb_file_handle *fh) 1955 { 1956 DMSG("fh->filename=%s", fh->filename); 1957 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1958 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1959 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1960 } 1961 #else 1962 static void dump_fh(struct rpmb_file_handle *fh __unused) 1963 { 1964 } 1965 #endif 1966 1967 /* "/TA_uuid/object_id" or "/TA_uuid/.object_id" */ 1968 static TEE_Result create_filename(void *buf, size_t blen, struct tee_pobj *po, 1969 bool transient) 1970 { 1971 uint8_t *file = buf; 1972 uint32_t pos = 0; 1973 uint32_t hslen = 1 /* Leading slash */ 1974 + TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID) + po->obj_id_len) 1975 + 1; /* Intermediate slash */ 1976 1977 /* +1 for the '.' (temporary persistent object) */ 1978 if (transient) 1979 hslen++; 1980 1981 if (blen < hslen) 1982 return TEE_ERROR_SHORT_BUFFER; 1983 1984 file[pos++] = '/'; 1985 pos += tee_b2hs((uint8_t *)&po->uuid, &file[pos], 1986 sizeof(TEE_UUID), hslen); 1987 file[pos++] = '/'; 1988 1989 if (transient) 1990 file[pos++] = '.'; 1991 1992 tee_b2hs(po->obj_id, file + pos, po->obj_id_len, hslen - pos); 1993 1994 return TEE_SUCCESS; 1995 } 1996 1997 /* "/TA_uuid" */ 1998 static TEE_Result create_dirname(void *buf, size_t blen, const TEE_UUID *uuid) 1999 { 2000 uint8_t *dir = buf; 2001 uint32_t hslen = TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID)) + 1; 2002 2003 if (blen < hslen) 2004 return TEE_ERROR_SHORT_BUFFER; 2005 2006 dir[0] = '/'; 2007 tee_b2hs((uint8_t *)uuid, dir + 1, sizeof(TEE_UUID), hslen); 2008 2009 return TEE_SUCCESS; 2010 } 2011 2012 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 2013 bool temporary) 2014 { 2015 struct rpmb_file_handle *fh = NULL; 2016 2017 fh = calloc(1, sizeof(struct rpmb_file_handle)); 2018 if (!fh) 2019 return NULL; 2020 2021 if (po) 2022 create_filename(fh->filename, sizeof(fh->filename), po, 2023 temporary); 2024 2025 return fh; 2026 } 2027 2028 /** 2029 * write_fat_entry: Store info in a fat_entry to RPMB. 2030 */ 2031 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh) 2032 { 2033 TEE_Result res = TEE_ERROR_GENERIC; 2034 2035 /* Protect partition data. */ 2036 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 2037 res = TEE_ERROR_ACCESS_CONFLICT; 2038 goto out; 2039 } 2040 2041 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 2042 res = TEE_ERROR_BAD_PARAMETERS; 2043 goto out; 2044 } 2045 2046 res = tee_rpmb_write(fh->rpmb_fat_address, (uint8_t *)&fh->fat_entry, 2047 sizeof(struct rpmb_fat_entry), NULL, NULL); 2048 2049 dump_fat(); 2050 2051 /* If caching enabled, update a successfully written entry in cache. */ 2052 if (CFG_RPMB_FS_CACHE_ENTRIES && !res) 2053 res = fat_entry_dir_update(&fh->fat_entry, 2054 fh->rpmb_fat_address); 2055 2056 out: 2057 return res; 2058 } 2059 2060 /** 2061 * rpmb_fs_setup: Setup RPMB FS. 2062 * Set initial partition and FS values and write to RPMB. 2063 * Store frequently used data in RAM. 2064 */ 2065 static TEE_Result rpmb_fs_setup(void) 2066 { 2067 TEE_Result res = TEE_ERROR_GENERIC; 2068 struct rpmb_fs_partition *partition_data = NULL; 2069 struct rpmb_file_handle *fh = NULL; 2070 uint32_t max_rpmb_block = 0; 2071 2072 if (fs_par) { 2073 res = TEE_SUCCESS; 2074 goto out; 2075 } 2076 2077 res = tee_rpmb_get_max_block(&max_rpmb_block); 2078 if (res != TEE_SUCCESS) 2079 goto out; 2080 2081 /* 2082 * We're going to read a full block in order to have a full block 2083 * for the dummy write below. 2084 */ 2085 COMPILE_TIME_ASSERT(sizeof(struct rpmb_fs_partition) <= 2086 RPMB_DATA_SIZE); 2087 partition_data = calloc(1, RPMB_DATA_SIZE); 2088 if (!partition_data) { 2089 res = TEE_ERROR_OUT_OF_MEMORY; 2090 goto out; 2091 } 2092 2093 res = tee_rpmb_read(RPMB_STORAGE_START_ADDRESS, 2094 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2095 NULL, NULL); 2096 if (res != TEE_SUCCESS) 2097 goto out; 2098 /* 2099 * Perform a write in order to increase the write counter. This 2100 * prevents late usage (replay attack) of a previously blocked 2101 * request with a valid write counter value. 2102 */ 2103 res = tee_rpmb_write(RPMB_STORAGE_START_ADDRESS, 2104 (uint8_t *)partition_data, RPMB_DATA_SIZE, 2105 NULL, NULL); 2106 if (res != TEE_SUCCESS) 2107 goto out; 2108 /* 2109 * We're reading again in case a stale request was committed 2110 * instead of the one issued above. If this succeeds we're in sync 2111 * with the RPMB block since there are no other possible stale 2112 * blocks with valid write counters available. 2113 */ 2114 res = tee_rpmb_read(RPMB_STORAGE_START_ADDRESS, 2115 (uint8_t *)partition_data, 2116 sizeof(struct rpmb_fs_partition), NULL, NULL); 2117 if (res != TEE_SUCCESS) 2118 goto out; 2119 2120 #ifndef CFG_RPMB_RESET_FAT 2121 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 2122 if (partition_data->fs_version == FS_VERSION) { 2123 res = TEE_SUCCESS; 2124 goto store_fs_par; 2125 } else { 2126 EMSG("Wrong software is in use."); 2127 res = TEE_ERROR_ACCESS_DENIED; 2128 goto out; 2129 } 2130 } 2131 #else 2132 EMSG("**** Clearing Storage ****"); 2133 #endif 2134 2135 /* Setup new partition data. */ 2136 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 2137 partition_data->fs_version = FS_VERSION; 2138 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 2139 2140 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 2141 fh = alloc_file_handle(NULL, false); 2142 if (!fh) { 2143 res = TEE_ERROR_OUT_OF_MEMORY; 2144 goto out; 2145 } 2146 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 2147 fh->rpmb_fat_address = partition_data->fat_start_address; 2148 2149 /* Write init FAT entry and partition data to RPMB. */ 2150 res = write_fat_entry(fh); 2151 if (res != TEE_SUCCESS) 2152 goto out; 2153 2154 res = tee_rpmb_write(RPMB_STORAGE_START_ADDRESS, 2155 (uint8_t *)partition_data, 2156 sizeof(struct rpmb_fs_partition), NULL, NULL); 2157 2158 #ifndef CFG_RPMB_RESET_FAT 2159 store_fs_par: 2160 #endif 2161 2162 /* Store FAT start address. */ 2163 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 2164 if (!fs_par) { 2165 res = TEE_ERROR_OUT_OF_MEMORY; 2166 goto out; 2167 } 2168 2169 fs_par->fat_start_address = partition_data->fat_start_address; 2170 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 2171 2172 dump_fat(); 2173 2174 out: 2175 free(fh); 2176 free(partition_data); 2177 return res; 2178 } 2179 2180 /** 2181 * get_fat_start_address: 2182 * FAT start_address from fs_par. 2183 */ 2184 static TEE_Result get_fat_start_address(uint32_t *addr) 2185 { 2186 if (!fs_par) 2187 return TEE_ERROR_NO_DATA; 2188 2189 *addr = fs_par->fat_start_address; 2190 2191 return TEE_SUCCESS; 2192 } 2193 2194 /** 2195 * read_fat: Read FAT entries 2196 * Return matching FAT entry for read, rm rename and stat. 2197 * Build up memory pool and return matching entry for write operation. 2198 * "Last FAT entry" can be returned during write. 2199 */ 2200 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 2201 { 2202 TEE_Result res = TEE_ERROR_GENERIC; 2203 tee_mm_entry_t *mm = NULL; 2204 struct rpmb_fat_entry *fe = NULL; 2205 uint32_t fat_address; 2206 bool entry_found = false; 2207 bool expand_fat = false; 2208 struct rpmb_file_handle last_fh; 2209 2210 DMSG("fat_address %d", fh->rpmb_fat_address); 2211 2212 res = fat_entry_dir_init(); 2213 if (res) 2214 goto out; 2215 2216 /* 2217 * The pool is used to represent the current RPMB layout. To find 2218 * a slot for the file tee_mm_alloc is called on the pool. Thus 2219 * if it is not NULL the entire FAT must be traversed to fill in 2220 * the pool. 2221 */ 2222 while (true) { 2223 res = fat_entry_dir_get_next(&fe, &fat_address); 2224 if (res || !fe) 2225 break; 2226 2227 /* 2228 * Look for an entry, matching filenames. (read, rm, 2229 * rename and stat.). Only store first filename match. 2230 */ 2231 if ((!strcmp(fh->filename, fe->filename)) && 2232 (fe->flags & FILE_IS_ACTIVE) && !entry_found) { 2233 entry_found = true; 2234 fh->rpmb_fat_address = fat_address; 2235 memcpy(&fh->fat_entry, fe, sizeof(*fe)); 2236 if (!p) 2237 break; 2238 } 2239 2240 /* Add existing files to memory pool. (write) */ 2241 if (p) { 2242 if ((fe->flags & FILE_IS_ACTIVE) && fe->data_size > 0) { 2243 2244 mm = tee_mm_alloc2(p, fe->start_address, 2245 fe->data_size); 2246 if (!mm) { 2247 res = TEE_ERROR_OUT_OF_MEMORY; 2248 goto out; 2249 } 2250 } 2251 2252 /* Unused FAT entries can be reused (write) */ 2253 if (((fe->flags & FILE_IS_ACTIVE) == 0) && 2254 fh->rpmb_fat_address == 0) { 2255 fh->rpmb_fat_address = fat_address; 2256 memcpy(&fh->fat_entry, fe, 2257 sizeof(struct rpmb_fat_entry)); 2258 } 2259 2260 if (((fe->flags & FILE_IS_LAST_ENTRY) != 0) && 2261 fh->rpmb_fat_address == fat_address) { 2262 2263 /* 2264 * If the last entry was reached and was chosen 2265 * by the previous check, then the FAT needs to 2266 * be expanded. 2267 * fh->rpmb_fat_address is the address chosen 2268 * to store the files FAT entry and fat_address 2269 * is the current FAT entry address being 2270 * compared. 2271 */ 2272 expand_fat = true; 2273 } 2274 } 2275 } 2276 2277 if (res) 2278 goto out; 2279 /* 2280 * Represent the FAT table in the pool. 2281 */ 2282 if (p) { 2283 /* 2284 * Since fat_address is the start of the last entry it needs to 2285 * be moved up by an entry. 2286 */ 2287 fat_address += sizeof(struct rpmb_fat_entry); 2288 2289 /* Make room for yet a FAT entry and add to memory pool. */ 2290 if (expand_fat) 2291 fat_address += sizeof(struct rpmb_fat_entry); 2292 2293 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 2294 if (!mm) { 2295 res = TEE_ERROR_OUT_OF_MEMORY; 2296 goto out; 2297 } 2298 2299 if (expand_fat) { 2300 /* 2301 * Point fat_address to the beginning of the new 2302 * entry. 2303 */ 2304 fat_address -= sizeof(struct rpmb_fat_entry); 2305 memset(&last_fh, 0, sizeof(last_fh)); 2306 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 2307 last_fh.rpmb_fat_address = fat_address; 2308 res = write_fat_entry(&last_fh); 2309 if (res != TEE_SUCCESS) 2310 goto out; 2311 } 2312 } 2313 2314 if (!fh->rpmb_fat_address) 2315 res = TEE_ERROR_ITEM_NOT_FOUND; 2316 2317 out: 2318 fat_entry_dir_deinit(); 2319 return res; 2320 } 2321 2322 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 2323 { 2324 TEE_Result res; 2325 2326 again: 2327 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 2328 if (res != TEE_SUCCESS) 2329 return res; 2330 2331 if (is_zero(fe->fek, sizeof(fe->fek))) 2332 goto again; 2333 2334 return res; 2335 } 2336 2337 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 2338 const TEE_UUID *uuid, bool create) 2339 { 2340 tee_mm_pool_t p; 2341 bool pool_result; 2342 paddr_size_t pool_sz = 0; 2343 TEE_Result res = TEE_ERROR_GENERIC; 2344 2345 /* We need to do setup in order to make sure fs_par is filled in */ 2346 res = rpmb_fs_setup(); 2347 if (res != TEE_SUCCESS) 2348 goto out; 2349 2350 fh->uuid = uuid; 2351 if (create) { 2352 /* Upper memory allocation must be used for RPMB_FS. */ 2353 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2354 pool_result = tee_mm_init(&p, 2355 RPMB_STORAGE_START_ADDRESS, 2356 pool_sz, 2357 RPMB_BLOCK_SIZE_SHIFT, 2358 TEE_MM_POOL_HI_ALLOC); 2359 2360 if (!pool_result) { 2361 res = TEE_ERROR_OUT_OF_MEMORY; 2362 goto out; 2363 } 2364 2365 res = read_fat(fh, &p); 2366 tee_mm_final(&p); 2367 if (res != TEE_SUCCESS) 2368 goto out; 2369 } else { 2370 res = read_fat(fh, NULL); 2371 if (res != TEE_SUCCESS) 2372 goto out; 2373 } 2374 2375 /* 2376 * If this is opened with create and the entry found was not active 2377 * then this is a new file and the FAT entry must be written 2378 */ 2379 if (create) { 2380 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 2381 memset(&fh->fat_entry, 0, 2382 sizeof(struct rpmb_fat_entry)); 2383 memcpy(fh->fat_entry.filename, fh->filename, 2384 strlen(fh->filename)); 2385 /* Start address and size are 0 */ 2386 fh->fat_entry.flags = FILE_IS_ACTIVE; 2387 2388 res = generate_fek(&fh->fat_entry, uuid); 2389 if (res != TEE_SUCCESS) 2390 goto out; 2391 DMSG("GENERATE FEK key: %p", 2392 (void *)fh->fat_entry.fek); 2393 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 2394 2395 res = write_fat_entry(fh); 2396 if (res != TEE_SUCCESS) 2397 goto out; 2398 } 2399 } 2400 2401 res = TEE_SUCCESS; 2402 2403 out: 2404 return res; 2405 } 2406 2407 static void rpmb_fs_close(struct tee_file_handle **tfh) 2408 { 2409 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 2410 2411 free(fh); 2412 *tfh = NULL; 2413 } 2414 2415 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 2416 void *buf_core, void *buf_user, size_t *len) 2417 { 2418 TEE_Result res; 2419 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2420 size_t size = *len; 2421 2422 /* One of buf_core and buf_user must be NULL */ 2423 assert(!buf_core || !buf_user); 2424 2425 if (!size) 2426 return TEE_SUCCESS; 2427 2428 mutex_lock(&rpmb_mutex); 2429 2430 dump_fh(fh); 2431 2432 res = read_fat(fh, NULL); 2433 if (res != TEE_SUCCESS) 2434 goto out; 2435 2436 if (pos >= fh->fat_entry.data_size) { 2437 *len = 0; 2438 goto out; 2439 } 2440 2441 size = MIN(size, fh->fat_entry.data_size - pos); 2442 if (size) { 2443 if (buf_core) { 2444 res = tee_rpmb_read(fh->fat_entry.start_address + pos, 2445 buf_core, size, fh->fat_entry.fek, 2446 fh->uuid); 2447 if (res != TEE_SUCCESS) 2448 goto out; 2449 } else if (buf_user) { 2450 uint32_t f = TEE_MEMORY_ACCESS_WRITE; 2451 2452 res = check_user_access(f, buf_user, size); 2453 if (res) 2454 goto out; 2455 enter_user_access(); 2456 res = tee_rpmb_read(fh->fat_entry.start_address + pos, 2457 buf_user, size, fh->fat_entry.fek, 2458 fh->uuid); 2459 exit_user_access(); 2460 if (res) 2461 goto out; 2462 } 2463 } 2464 *len = size; 2465 2466 out: 2467 mutex_unlock(&rpmb_mutex); 2468 return res; 2469 } 2470 2471 static TEE_Result update_write_helper(struct rpmb_file_handle *fh, 2472 size_t pos, const void *buf, 2473 size_t size, uintptr_t new_fat, 2474 size_t new_size) 2475 { 2476 uintptr_t old_fat = fh->fat_entry.start_address; 2477 size_t old_size = fh->fat_entry.data_size; 2478 const uint8_t *rem_buf = buf; 2479 size_t rem_size = size; 2480 uint8_t *blk_buf = NULL; 2481 size_t blk_offset = 0; 2482 size_t blk_size = 0; 2483 TEE_Result res = TEE_SUCCESS; 2484 2485 blk_buf = mempool_alloc(mempool_default, TMP_BLOCK_SIZE); 2486 if (!blk_buf) 2487 return TEE_ERROR_OUT_OF_MEMORY; 2488 2489 while (blk_offset < new_size) { 2490 uint8_t *copy_dst = blk_buf; 2491 size_t copy_size = 0; 2492 size_t rd_size = 0; 2493 2494 blk_size = MIN(TMP_BLOCK_SIZE, new_size - blk_offset); 2495 memset(blk_buf, 0, blk_size); 2496 2497 /* Possibly read old RPMB data in temporary buffer */ 2498 if (blk_offset < pos && blk_offset < old_size) { 2499 rd_size = MIN(blk_size, old_size - blk_offset); 2500 2501 res = tee_rpmb_read(old_fat + blk_offset, blk_buf, 2502 rd_size, fh->fat_entry.fek, 2503 fh->uuid); 2504 if (res != TEE_SUCCESS) 2505 break; 2506 } 2507 2508 /* Possibly update data in temporary buffer */ 2509 if ((blk_offset + TMP_BLOCK_SIZE > pos) && 2510 (blk_offset < pos + size)) { 2511 size_t offset = 0; 2512 2513 copy_dst = blk_buf; 2514 copy_size = TMP_BLOCK_SIZE; 2515 2516 if (blk_offset < pos) { 2517 offset = pos - blk_offset; 2518 2519 copy_dst += offset; 2520 copy_size -= offset; 2521 } 2522 copy_size = MIN(copy_size, rem_size); 2523 2524 memcpy(copy_dst, rem_buf, copy_size); 2525 rem_buf += copy_size; 2526 rem_size -= copy_size; 2527 } 2528 2529 /* Write temporary buffer to new RPMB destination */ 2530 res = tee_rpmb_write(new_fat + blk_offset, blk_buf, blk_size, 2531 fh->fat_entry.fek, fh->uuid); 2532 if (res != TEE_SUCCESS) 2533 break; 2534 2535 blk_offset += blk_size; 2536 } 2537 2538 mempool_free(mempool_default, blk_buf); 2539 2540 return res; 2541 } 2542 2543 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 2544 size_t pos, const void *buf, 2545 size_t size) 2546 { 2547 TEE_Result res = TEE_ERROR_GENERIC; 2548 tee_mm_pool_t p = { }; 2549 bool pool_result = false; 2550 size_t end = 0; 2551 uint32_t start_addr = 0; 2552 paddr_size_t pool_sz = 0; 2553 2554 if (!size) 2555 return TEE_SUCCESS; 2556 2557 if (!fs_par) { 2558 res = TEE_ERROR_GENERIC; 2559 goto out; 2560 } 2561 2562 dump_fh(fh); 2563 2564 /* Upper memory allocation must be used for RPMB_FS. */ 2565 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2566 pool_result = tee_mm_init(&p, 2567 RPMB_STORAGE_START_ADDRESS, 2568 pool_sz, 2569 RPMB_BLOCK_SIZE_SHIFT, 2570 TEE_MM_POOL_HI_ALLOC); 2571 if (!pool_result) { 2572 res = TEE_ERROR_OUT_OF_MEMORY; 2573 goto out; 2574 } 2575 2576 res = read_fat(fh, &p); 2577 if (res != TEE_SUCCESS) 2578 goto out; 2579 2580 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2581 panic("invalid last entry flag"); 2582 2583 if (ADD_OVERFLOW(pos, size, &end)) { 2584 res = TEE_ERROR_BAD_PARAMETERS; 2585 goto out; 2586 } 2587 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2588 res = TEE_ERROR_BAD_PARAMETERS; 2589 goto out; 2590 } 2591 2592 if (end <= fh->fat_entry.data_size && 2593 tee_rpmb_write_is_atomic(start_addr, size)) { 2594 2595 DMSG("Updating data in-place"); 2596 res = tee_rpmb_write(start_addr, buf, 2597 size, fh->fat_entry.fek, fh->uuid); 2598 } else { 2599 /* 2600 * File must be extended, or update cannot be atomic: allocate, 2601 * read, update, write. 2602 */ 2603 size_t new_size = MAX(end, fh->fat_entry.data_size); 2604 tee_mm_entry_t *mm = tee_mm_alloc(&p, new_size); 2605 uintptr_t new_fat_entry = 0; 2606 2607 DMSG("Need to re-allocate"); 2608 if (!mm) { 2609 DMSG("RPMB: No space left"); 2610 res = TEE_ERROR_STORAGE_NO_SPACE; 2611 goto out; 2612 } 2613 2614 new_fat_entry = tee_mm_get_smem(mm); 2615 2616 res = update_write_helper(fh, pos, buf, size, 2617 new_fat_entry, new_size); 2618 if (res == TEE_SUCCESS) { 2619 fh->fat_entry.data_size = new_size; 2620 fh->fat_entry.start_address = new_fat_entry; 2621 2622 res = write_fat_entry(fh); 2623 } 2624 } 2625 2626 out: 2627 if (pool_result) 2628 tee_mm_final(&p); 2629 2630 return res; 2631 } 2632 2633 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2634 const void *buf_core, const void *buf_user, 2635 size_t size) 2636 { 2637 TEE_Result res = TEE_SUCCESS; 2638 2639 /* One of buf_core and buf_user must be NULL */ 2640 assert(!buf_core || !buf_user); 2641 2642 if (!size) 2643 return TEE_SUCCESS; 2644 2645 mutex_lock(&rpmb_mutex); 2646 if (buf_core) { 2647 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2648 pos, buf_core, size); 2649 } else if (buf_user) { 2650 uint32_t f = TEE_MEMORY_ACCESS_READ; 2651 2652 res = check_user_access(f, buf_user, size); 2653 if (res) 2654 goto out; 2655 enter_user_access(); 2656 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2657 pos, buf_user, size); 2658 exit_user_access(); 2659 } 2660 out: 2661 mutex_unlock(&rpmb_mutex); 2662 2663 return res; 2664 } 2665 2666 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2667 { 2668 TEE_Result res; 2669 2670 res = read_fat(fh, NULL); 2671 if (res) 2672 return res; 2673 2674 /* Clear this file entry. */ 2675 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2676 return write_fat_entry(fh); 2677 } 2678 2679 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2680 { 2681 TEE_Result res; 2682 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2683 2684 if (!fh) 2685 return TEE_ERROR_OUT_OF_MEMORY; 2686 2687 mutex_lock(&rpmb_mutex); 2688 2689 res = rpmb_fs_remove_internal(fh); 2690 2691 mutex_unlock(&rpmb_mutex); 2692 2693 free(fh); 2694 return res; 2695 } 2696 2697 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2698 struct tee_pobj *new, 2699 bool overwrite) 2700 { 2701 TEE_Result res = TEE_ERROR_GENERIC; 2702 struct rpmb_file_handle *fh_old = NULL; 2703 struct rpmb_file_handle *fh_new = NULL; 2704 2705 if (!old) { 2706 res = TEE_ERROR_BAD_PARAMETERS; 2707 goto out; 2708 } 2709 2710 if (new) 2711 fh_old = alloc_file_handle(old, old->temporary); 2712 else 2713 fh_old = alloc_file_handle(old, true); 2714 if (!fh_old) { 2715 res = TEE_ERROR_OUT_OF_MEMORY; 2716 goto out; 2717 } 2718 2719 if (new) 2720 fh_new = alloc_file_handle(new, new->temporary); 2721 else 2722 fh_new = alloc_file_handle(old, false); 2723 if (!fh_new) { 2724 res = TEE_ERROR_OUT_OF_MEMORY; 2725 goto out; 2726 } 2727 2728 res = read_fat(fh_old, NULL); 2729 if (res != TEE_SUCCESS) 2730 goto out; 2731 2732 res = read_fat(fh_new, NULL); 2733 if (res == TEE_SUCCESS) { 2734 if (!overwrite) { 2735 res = TEE_ERROR_ACCESS_CONFLICT; 2736 goto out; 2737 } 2738 2739 /* Clear this file entry. */ 2740 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2741 res = write_fat_entry(fh_new); 2742 if (res != TEE_SUCCESS) 2743 goto out; 2744 } 2745 2746 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2747 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2748 strlen(fh_new->filename)); 2749 2750 res = write_fat_entry(fh_old); 2751 2752 out: 2753 free(fh_old); 2754 free(fh_new); 2755 2756 return res; 2757 } 2758 2759 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2760 bool overwrite) 2761 { 2762 TEE_Result res; 2763 2764 mutex_lock(&rpmb_mutex); 2765 res = rpmb_fs_rename_internal(old, new, overwrite); 2766 mutex_unlock(&rpmb_mutex); 2767 2768 return res; 2769 } 2770 2771 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2772 { 2773 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2774 tee_mm_pool_t p; 2775 bool pool_result = false; 2776 tee_mm_entry_t *mm; 2777 uint32_t newsize; 2778 uint8_t *newbuf = NULL; 2779 uintptr_t newaddr; 2780 TEE_Result res = TEE_ERROR_GENERIC; 2781 paddr_size_t pool_sz = 0; 2782 2783 mutex_lock(&rpmb_mutex); 2784 2785 if (length > INT32_MAX) { 2786 res = TEE_ERROR_BAD_PARAMETERS; 2787 goto out; 2788 } 2789 newsize = length; 2790 2791 res = read_fat(fh, NULL); 2792 if (res != TEE_SUCCESS) 2793 goto out; 2794 2795 if (newsize > fh->fat_entry.data_size) { 2796 /* Extend file */ 2797 2798 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2799 pool_result = tee_mm_init(&p, 2800 RPMB_STORAGE_START_ADDRESS, 2801 pool_sz, 2802 RPMB_BLOCK_SIZE_SHIFT, 2803 TEE_MM_POOL_HI_ALLOC); 2804 if (!pool_result) { 2805 res = TEE_ERROR_OUT_OF_MEMORY; 2806 goto out; 2807 } 2808 res = read_fat(fh, &p); 2809 if (res != TEE_SUCCESS) 2810 goto out; 2811 2812 mm = tee_mm_alloc(&p, newsize); 2813 newbuf = calloc(1, newsize); 2814 if (!mm || !newbuf) { 2815 res = TEE_ERROR_OUT_OF_MEMORY; 2816 goto out; 2817 } 2818 2819 if (fh->fat_entry.data_size) { 2820 res = tee_rpmb_read(fh->fat_entry.start_address, 2821 newbuf, fh->fat_entry.data_size, 2822 fh->fat_entry.fek, fh->uuid); 2823 if (res != TEE_SUCCESS) 2824 goto out; 2825 } 2826 2827 newaddr = tee_mm_get_smem(mm); 2828 res = tee_rpmb_write(newaddr, newbuf, 2829 newsize, fh->fat_entry.fek, fh->uuid); 2830 if (res != TEE_SUCCESS) 2831 goto out; 2832 2833 } else { 2834 /* Don't change file location */ 2835 newaddr = fh->fat_entry.start_address; 2836 } 2837 2838 /* fh->pos is unchanged */ 2839 fh->fat_entry.data_size = newsize; 2840 fh->fat_entry.start_address = newaddr; 2841 res = write_fat_entry(fh); 2842 2843 out: 2844 mutex_unlock(&rpmb_mutex); 2845 if (pool_result) 2846 tee_mm_final(&p); 2847 if (newbuf) 2848 free(newbuf); 2849 2850 return res; 2851 } 2852 2853 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2854 { 2855 struct tee_rpmb_fs_dirent *e; 2856 2857 if (!dir) 2858 return; 2859 2860 free(dir->current); 2861 2862 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2863 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2864 free(e); 2865 } 2866 } 2867 2868 static TEE_Result rpmb_fs_dir_populate(const char *path, 2869 struct tee_fs_dir *dir) 2870 { 2871 struct tee_rpmb_fs_dirent *current = NULL; 2872 struct rpmb_fat_entry *fe = NULL; 2873 uint32_t fat_address; 2874 uint32_t filelen; 2875 char *filename; 2876 bool matched; 2877 struct tee_rpmb_fs_dirent *next = NULL; 2878 uint32_t pathlen; 2879 TEE_Result res = TEE_ERROR_GENERIC; 2880 char temp; 2881 2882 mutex_lock(&rpmb_mutex); 2883 2884 res = fat_entry_dir_init(); 2885 if (res) 2886 goto out; 2887 2888 pathlen = strlen(path); 2889 2890 while (true) { 2891 res = fat_entry_dir_get_next(&fe, &fat_address); 2892 if (res || !fe) 2893 break; 2894 2895 filename = fe->filename; 2896 if (fe->flags & FILE_IS_ACTIVE) { 2897 matched = false; 2898 filelen = strlen(filename); 2899 if (filelen > pathlen) { 2900 temp = filename[pathlen]; 2901 filename[pathlen] = '\0'; 2902 if (strcmp(filename, path) == 0) 2903 matched = true; 2904 2905 filename[pathlen] = temp; 2906 } 2907 2908 if (matched) { 2909 next = malloc(sizeof(*next)); 2910 if (!next) { 2911 res = TEE_ERROR_OUT_OF_MEMORY; 2912 goto out; 2913 } 2914 2915 next->entry.oidlen = tee_hs2b((uint8_t *) 2916 &filename[pathlen], 2917 next->entry.oid, 2918 filelen - pathlen, 2919 sizeof(next->entry.oid)); 2920 if (next->entry.oidlen) { 2921 SIMPLEQ_INSERT_TAIL(&dir->next, 2922 next, link); 2923 current = next; 2924 } else { 2925 free(next); 2926 next = NULL; 2927 } 2928 } 2929 } 2930 } 2931 2932 if (res) 2933 goto out; 2934 2935 if (current) 2936 res = TEE_SUCCESS; 2937 else 2938 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2939 2940 out: 2941 mutex_unlock(&rpmb_mutex); 2942 fat_entry_dir_deinit(); 2943 if (res) 2944 rpmb_fs_dir_free(dir); 2945 2946 return res; 2947 } 2948 2949 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2950 { 2951 uint32_t len; 2952 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2953 TEE_Result res = TEE_ERROR_GENERIC; 2954 struct tee_fs_dir *rpmb_dir = NULL; 2955 2956 if (!uuid || !dir) { 2957 res = TEE_ERROR_BAD_PARAMETERS; 2958 goto out; 2959 } 2960 2961 memset(path_local, 0, sizeof(path_local)); 2962 if (create_dirname(path_local, sizeof(path_local) - 1, uuid)) { 2963 res = TEE_ERROR_BAD_PARAMETERS; 2964 goto out; 2965 } 2966 len = strlen(path_local); 2967 2968 /* Add a slash to correctly match the full directory name. */ 2969 if (path_local[len - 1] != '/') 2970 path_local[len] = '/'; 2971 2972 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2973 if (!rpmb_dir) { 2974 res = TEE_ERROR_OUT_OF_MEMORY; 2975 goto out; 2976 } 2977 SIMPLEQ_INIT(&rpmb_dir->next); 2978 2979 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2980 if (res != TEE_SUCCESS) { 2981 free(rpmb_dir); 2982 rpmb_dir = NULL; 2983 goto out; 2984 } 2985 2986 *dir = rpmb_dir; 2987 2988 out: 2989 return res; 2990 } 2991 2992 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2993 struct tee_fs_dirent **ent) 2994 { 2995 if (!dir) 2996 return TEE_ERROR_GENERIC; 2997 2998 free(dir->current); 2999 3000 dir->current = SIMPLEQ_FIRST(&dir->next); 3001 if (!dir->current) 3002 return TEE_ERROR_ITEM_NOT_FOUND; 3003 3004 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 3005 3006 *ent = &dir->current->entry; 3007 return TEE_SUCCESS; 3008 } 3009 3010 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 3011 { 3012 if (dir) { 3013 rpmb_fs_dir_free(dir); 3014 free(dir); 3015 } 3016 } 3017 3018 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 3019 struct tee_file_handle **ret_fh) 3020 { 3021 TEE_Result res; 3022 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 3023 3024 if (!fh) 3025 return TEE_ERROR_OUT_OF_MEMORY; 3026 3027 mutex_lock(&rpmb_mutex); 3028 3029 res = rpmb_fs_open_internal(fh, &po->uuid, false); 3030 if (!res && size) 3031 *size = fh->fat_entry.data_size; 3032 3033 mutex_unlock(&rpmb_mutex); 3034 3035 if (res) 3036 free(fh); 3037 else 3038 *ret_fh = (struct tee_file_handle *)fh; 3039 3040 return res; 3041 } 3042 3043 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 3044 const void *head, size_t head_size, 3045 const void *attr, size_t attr_size, 3046 const void *data_core, const void *data_user, 3047 size_t data_size, 3048 struct tee_file_handle **ret_fh) 3049 { 3050 TEE_Result res; 3051 size_t pos = 0; 3052 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 3053 3054 /* One of data_core and data_user must be NULL */ 3055 assert(!data_core || !data_user); 3056 3057 if (!fh) 3058 return TEE_ERROR_OUT_OF_MEMORY; 3059 3060 mutex_lock(&rpmb_mutex); 3061 res = rpmb_fs_open_internal(fh, &po->uuid, true); 3062 if (res) 3063 goto out; 3064 3065 if (head && head_size) { 3066 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 3067 if (res) 3068 goto out; 3069 pos += head_size; 3070 } 3071 3072 if (attr && attr_size) { 3073 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 3074 if (res) 3075 goto out; 3076 pos += attr_size; 3077 } 3078 3079 if (data_size) { 3080 if (data_core) { 3081 res = rpmb_fs_write_primitive(fh, pos, data_core, 3082 data_size); 3083 if (res) 3084 goto out; 3085 } else if (data_user) { 3086 uint32_t f = TEE_MEMORY_ACCESS_READ | 3087 TEE_MEMORY_ACCESS_ANY_OWNER; 3088 3089 res = check_user_access(f, data_user, data_size); 3090 if (res) 3091 goto out; 3092 enter_user_access(); 3093 res = rpmb_fs_write_primitive(fh, pos, data_user, 3094 data_size); 3095 exit_user_access(); 3096 if (res) 3097 goto out; 3098 } 3099 } 3100 3101 if (po->temporary) { 3102 /* 3103 * If it's a temporary filename (which it normally is) 3104 * rename into the final filename now that the file is 3105 * fully initialized. 3106 */ 3107 po->temporary = false; 3108 res = rpmb_fs_rename_internal(po, NULL, overwrite); 3109 if (res) { 3110 po->temporary = true; 3111 goto out; 3112 } 3113 /* Update file handle after rename. */ 3114 create_filename(fh->filename, sizeof(fh->filename), po, false); 3115 } 3116 3117 out: 3118 if (res) { 3119 rpmb_fs_remove_internal(fh); 3120 free(fh); 3121 } else { 3122 *ret_fh = (struct tee_file_handle *)fh; 3123 } 3124 mutex_unlock(&rpmb_mutex); 3125 3126 return res; 3127 } 3128 3129 const struct tee_file_operations rpmb_fs_ops = { 3130 .open = rpmb_fs_open, 3131 .create = rpmb_fs_create, 3132 .close = rpmb_fs_close, 3133 .read = rpmb_fs_read, 3134 .write = rpmb_fs_write, 3135 .truncate = rpmb_fs_truncate, 3136 .rename = rpmb_fs_rename, 3137 .remove = rpmb_fs_remove, 3138 .opendir = rpmb_fs_opendir, 3139 .closedir = rpmb_fs_closedir, 3140 .readdir = rpmb_fs_readdir, 3141 }; 3142 3143 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 3144 struct tee_file_handle **ret_fh) 3145 { 3146 TEE_Result res; 3147 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 3148 static const TEE_UUID uuid = { 0 }; 3149 3150 if (!fh) 3151 return TEE_ERROR_OUT_OF_MEMORY; 3152 3153 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 3154 3155 mutex_lock(&rpmb_mutex); 3156 3157 res = rpmb_fs_open_internal(fh, &uuid, create); 3158 3159 mutex_unlock(&rpmb_mutex); 3160 3161 if (res) { 3162 if (create) 3163 rpmb_fs_remove_internal(fh); 3164 free(fh); 3165 } else { 3166 *ret_fh = (struct tee_file_handle *)fh; 3167 } 3168 3169 return res; 3170 } 3171 3172 bool __weak plat_rpmb_key_is_ready(void) 3173 { 3174 return true; 3175 } 3176