1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 326 { 327 *res = *(bytes + 1) & RPMB_RESULT_MASK; 328 } 329 330 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 331 uint8_t *key, uint32_t keysize, 332 struct rpmb_data_frame *datafrms, 333 uint16_t blkcnt) 334 { 335 TEE_Result res = TEE_ERROR_GENERIC; 336 int i; 337 void *ctx = NULL; 338 339 if (!mac || !key || !datafrms) 340 return TEE_ERROR_BAD_PARAMETERS; 341 342 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 343 if (res) 344 return res; 345 346 res = crypto_mac_init(ctx, key, keysize); 347 if (res != TEE_SUCCESS) 348 goto func_exit; 349 350 for (i = 0; i < blkcnt; i++) { 351 res = crypto_mac_update(ctx, datafrms[i].data, 352 RPMB_MAC_PROTECT_DATA_SIZE); 353 if (res != TEE_SUCCESS) 354 goto func_exit; 355 } 356 357 res = crypto_mac_final(ctx, mac, macsize); 358 if (res != TEE_SUCCESS) 359 goto func_exit; 360 361 res = TEE_SUCCESS; 362 363 func_exit: 364 crypto_mac_free_ctx(ctx); 365 return res; 366 } 367 368 struct tee_rpmb_mem { 369 struct mobj *phreq_mobj; 370 struct mobj *phresp_mobj; 371 size_t req_size; 372 size_t resp_size; 373 }; 374 375 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 376 { 377 if (!mem) 378 return; 379 380 if (mem->phreq_mobj) { 381 thread_rpc_free_payload(mem->phreq_mobj); 382 mem->phreq_mobj = NULL; 383 } 384 if (mem->phresp_mobj) { 385 thread_rpc_free_payload(mem->phresp_mobj); 386 mem->phresp_mobj = NULL; 387 } 388 } 389 390 391 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 392 struct tee_rpmb_mem *mem, void **req, void **resp) 393 { 394 TEE_Result res = TEE_SUCCESS; 395 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 396 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 397 398 if (!mem) 399 return TEE_ERROR_BAD_PARAMETERS; 400 401 memset(mem, 0, sizeof(*mem)); 402 403 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 404 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 405 406 if (!mem->phreq_mobj || !mem->phresp_mobj) { 407 res = TEE_ERROR_OUT_OF_MEMORY; 408 goto out; 409 } 410 411 *req = mobj_get_va(mem->phreq_mobj, 0); 412 *resp = mobj_get_va(mem->phresp_mobj, 0); 413 if (!*req || !*resp) { 414 res = TEE_ERROR_GENERIC; 415 goto out; 416 } 417 418 mem->req_size = req_size; 419 mem->resp_size = resp_size; 420 421 out: 422 if (res != TEE_SUCCESS) 423 tee_rpmb_free(mem); 424 return res; 425 } 426 427 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 428 { 429 struct thread_param params[2] = { 430 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 431 mem->req_size), 432 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 433 mem->resp_size), 434 }; 435 436 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 437 } 438 439 static bool is_zero(const uint8_t *buf, size_t size) 440 { 441 size_t i; 442 443 for (i = 0; i < size; i++) 444 if (buf[i]) 445 return false; 446 return true; 447 } 448 449 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 450 uint16_t blk_idx, const uint8_t *fek, 451 const TEE_UUID *uuid) 452 { 453 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 454 blk_idx, fek, TEE_MODE_ENCRYPT); 455 } 456 457 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 458 uint16_t blk_idx, const uint8_t *fek, 459 const TEE_UUID *uuid) 460 { 461 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 462 blk_idx, fek, TEE_MODE_DECRYPT); 463 } 464 465 /* Decrypt/copy at most one block of data */ 466 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 467 size_t size, size_t offset, 468 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 469 const TEE_UUID *uuid) 470 { 471 uint8_t *tmp __maybe_unused; 472 473 474 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 475 panic("invalid size or offset"); 476 477 if (!fek) { 478 /* Block is not encrypted (not a file data block) */ 479 memcpy(out, frm->data + offset, size); 480 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 481 /* The file was created with encryption disabled */ 482 return TEE_ERROR_SECURITY; 483 } else { 484 /* Block is encrypted */ 485 if (size < RPMB_DATA_SIZE) { 486 /* 487 * Since output buffer is not large enough to hold one 488 * block we must allocate a temporary buffer. 489 */ 490 tmp = malloc(RPMB_DATA_SIZE); 491 if (!tmp) 492 return TEE_ERROR_OUT_OF_MEMORY; 493 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 494 memcpy(out, tmp + offset, size); 495 free(tmp); 496 } else { 497 decrypt_block(out, frm->data, blk_idx, fek, uuid); 498 } 499 } 500 501 return TEE_SUCCESS; 502 } 503 504 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 505 struct rpmb_raw_data *rawdata, 506 uint16_t nbr_frms, uint16_t dev_id, 507 const uint8_t *fek, const TEE_UUID *uuid) 508 { 509 TEE_Result res = TEE_ERROR_GENERIC; 510 int i; 511 struct rpmb_data_frame *datafrm; 512 513 if (!req || !rawdata || !nbr_frms) 514 return TEE_ERROR_BAD_PARAMETERS; 515 516 /* 517 * Check write blockcount is not bigger than reliable write 518 * blockcount. 519 */ 520 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 521 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 522 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 523 rpmb_ctx->rel_wr_blkcnt); 524 return TEE_ERROR_GENERIC; 525 } 526 527 req->cmd = RPMB_CMD_DATA_REQ; 528 req->dev_id = dev_id; 529 530 /* Allocate memory for construct all data packets and calculate MAC. */ 531 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 532 if (!datafrm) 533 return TEE_ERROR_OUT_OF_MEMORY; 534 535 for (i = 0; i < nbr_frms; i++) { 536 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 537 538 if (rawdata->block_count) 539 u16_to_bytes(*rawdata->block_count, 540 datafrm[i].block_count); 541 542 if (rawdata->blk_idx) { 543 /* Check the block index is within range. */ 544 if ((*rawdata->blk_idx + nbr_frms) > 545 rpmb_ctx->max_blk_idx) { 546 res = TEE_ERROR_GENERIC; 547 goto func_exit; 548 } 549 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 550 } 551 552 if (rawdata->write_counter) 553 u32_to_bytes(*rawdata->write_counter, 554 datafrm[i].write_counter); 555 556 if (rawdata->nonce) 557 memcpy(datafrm[i].nonce, rawdata->nonce, 558 RPMB_NONCE_SIZE); 559 560 if (rawdata->data) { 561 if (fek) 562 encrypt_block(datafrm[i].data, 563 rawdata->data + (i * RPMB_DATA_SIZE), 564 *rawdata->blk_idx + i, fek, uuid); 565 else 566 memcpy(datafrm[i].data, 567 rawdata->data + (i * RPMB_DATA_SIZE), 568 RPMB_DATA_SIZE); 569 } 570 } 571 572 if (rawdata->key_mac) { 573 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 574 res = 575 tee_rpmb_mac_calc(rawdata->key_mac, 576 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 577 RPMB_KEY_MAC_SIZE, datafrm, 578 nbr_frms); 579 if (res != TEE_SUCCESS) 580 goto func_exit; 581 } 582 memcpy(datafrm[nbr_frms - 1].key_mac, 583 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 584 } 585 586 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 587 nbr_frms * RPMB_DATA_FRAME_SIZE); 588 589 #ifdef CFG_RPMB_FS_DEBUG_DATA 590 for (i = 0; i < nbr_frms; i++) { 591 DMSG("Dumping data frame %d:", i); 592 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 593 512 - RPMB_STUFF_DATA_SIZE); 594 } 595 #endif 596 597 res = TEE_SUCCESS; 598 func_exit: 599 free(datafrm); 600 return res; 601 } 602 603 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 604 struct rpmb_data_frame *frm, 605 const uint8_t *fek, const TEE_UUID *uuid) 606 { 607 TEE_Result res; 608 uint8_t *data; 609 uint16_t idx; 610 611 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 612 return TEE_ERROR_BAD_PARAMETERS; 613 614 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 615 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 616 if (res != TEE_SUCCESS) 617 return res; 618 619 data = rawdata->data; 620 bytes_to_u16(frm->address, &idx); 621 622 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 623 uuid); 624 return res; 625 } 626 627 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 628 struct rpmb_raw_data *rawdata, 629 uint16_t nbr_frms, 630 struct rpmb_data_frame *lastfrm, 631 const uint8_t *fek, 632 const TEE_UUID *uuid) 633 { 634 TEE_Result res = TEE_ERROR_GENERIC; 635 int i; 636 void *ctx = NULL; 637 uint16_t offset; 638 uint32_t size; 639 uint8_t *data; 640 uint16_t start_idx; 641 struct rpmb_data_frame localfrm; 642 643 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 644 return TEE_ERROR_BAD_PARAMETERS; 645 646 if (nbr_frms == 1) 647 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 648 649 /* nbr_frms > 1 */ 650 651 data = rawdata->data; 652 653 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 654 if (res) 655 goto func_exit; 656 657 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 658 if (res != TEE_SUCCESS) 659 goto func_exit; 660 661 /* 662 * Note: JEDEC JESD84-B51: "In every packet the address is the start 663 * address of the full access (not address of the individual half a 664 * sector)" 665 */ 666 bytes_to_u16(lastfrm->address, &start_idx); 667 668 for (i = 0; i < (nbr_frms - 1); i++) { 669 670 /* 671 * By working on a local copy of the RPMB frame, we ensure that 672 * the data can not be modified after the MAC is computed but 673 * before the payload is decrypted/copied to the output buffer. 674 */ 675 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 676 677 res = crypto_mac_update(ctx, localfrm.data, 678 RPMB_MAC_PROTECT_DATA_SIZE); 679 if (res != TEE_SUCCESS) 680 goto func_exit; 681 682 if (i == 0) { 683 /* First block */ 684 offset = rawdata->byte_offset; 685 size = RPMB_DATA_SIZE - offset; 686 } else { 687 /* Middle blocks */ 688 size = RPMB_DATA_SIZE; 689 offset = 0; 690 } 691 692 res = decrypt(data, &localfrm, size, offset, start_idx + i, 693 fek, uuid); 694 if (res != TEE_SUCCESS) 695 goto func_exit; 696 697 data += size; 698 } 699 700 /* Last block */ 701 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 702 if (size == 0) 703 size = RPMB_DATA_SIZE; 704 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 705 uuid); 706 if (res != TEE_SUCCESS) 707 goto func_exit; 708 709 /* Update MAC against the last block */ 710 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 711 if (res != TEE_SUCCESS) 712 goto func_exit; 713 714 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 715 if (res != TEE_SUCCESS) 716 goto func_exit; 717 718 res = TEE_SUCCESS; 719 720 func_exit: 721 crypto_mac_free_ctx(ctx); 722 return res; 723 } 724 725 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 726 struct rpmb_raw_data *rawdata, 727 uint16_t nbr_frms, 728 const uint8_t *fek, 729 const TEE_UUID *uuid) 730 { 731 TEE_Result res = TEE_ERROR_GENERIC; 732 uint16_t msg_type; 733 uint32_t wr_cnt; 734 uint16_t blk_idx; 735 uint8_t op_result; 736 struct rpmb_data_frame lastfrm; 737 738 if (!datafrm || !rawdata || !nbr_frms) 739 return TEE_ERROR_BAD_PARAMETERS; 740 741 #ifdef CFG_RPMB_FS_DEBUG_DATA 742 for (uint32_t i = 0; i < nbr_frms; i++) { 743 DMSG("Dumping data frame %d:", i); 744 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 745 512 - RPMB_STUFF_DATA_SIZE); 746 } 747 #endif 748 749 /* Make sure the last data packet can't be modified once verified */ 750 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 751 752 /* Handle operation result and translate to TEEC error code. */ 753 get_op_result_bits(lastfrm.op_result, &op_result); 754 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 755 return TEE_ERROR_ITEM_NOT_FOUND; 756 if (op_result != RPMB_RESULT_OK) 757 return TEE_ERROR_GENERIC; 758 759 /* Check the response msg_type. */ 760 bytes_to_u16(lastfrm.msg_type, &msg_type); 761 if (msg_type != rawdata->msg_type) { 762 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 763 rawdata->msg_type); 764 return TEE_ERROR_GENERIC; 765 } 766 767 if (rawdata->blk_idx) { 768 bytes_to_u16(lastfrm.address, &blk_idx); 769 if (blk_idx != *rawdata->blk_idx) { 770 DMSG("Unexpected block index"); 771 return TEE_ERROR_GENERIC; 772 } 773 } 774 775 if (rawdata->write_counter) { 776 wr_cnt = *rawdata->write_counter; 777 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 778 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 779 /* Verify the write counter is incremented by 1 */ 780 if (*rawdata->write_counter != wr_cnt + 1) { 781 DMSG("Counter mismatched (0x%04x/0x%04x)", 782 *rawdata->write_counter, wr_cnt + 1); 783 return TEE_ERROR_SECURITY; 784 } 785 rpmb_ctx->wr_cnt++; 786 } 787 } 788 789 if (rawdata->nonce) { 790 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 791 RPMB_NONCE_SIZE) != 0) { 792 DMSG("Nonce mismatched"); 793 return TEE_ERROR_SECURITY; 794 } 795 } 796 797 if (rawdata->key_mac) { 798 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 799 if (!rawdata->data) 800 return TEE_ERROR_GENERIC; 801 802 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 803 nbr_frms, &lastfrm, 804 fek, uuid); 805 806 if (res != TEE_SUCCESS) 807 return res; 808 } else { 809 /* 810 * There should be only one data frame for 811 * other msg types. 812 */ 813 if (nbr_frms != 1) 814 return TEE_ERROR_GENERIC; 815 816 res = tee_rpmb_mac_calc(rawdata->key_mac, 817 RPMB_KEY_MAC_SIZE, 818 rpmb_ctx->key, 819 RPMB_KEY_MAC_SIZE, 820 &lastfrm, 1); 821 822 if (res != TEE_SUCCESS) 823 return res; 824 } 825 826 #ifndef CFG_RPMB_FS_NO_MAC 827 if (consttime_memcmp(rawdata->key_mac, 828 (datafrm + nbr_frms - 1)->key_mac, 829 RPMB_KEY_MAC_SIZE) != 0) { 830 DMSG("MAC mismatched:"); 831 #ifdef CFG_RPMB_FS_DEBUG_DATA 832 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 833 #endif 834 return TEE_ERROR_SECURITY; 835 } 836 #endif /* !CFG_RPMB_FS_NO_MAC */ 837 } 838 839 return TEE_SUCCESS; 840 } 841 842 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 843 struct rpmb_dev_info *dev_info) 844 { 845 TEE_Result res = TEE_ERROR_GENERIC; 846 struct tee_rpmb_mem mem; 847 struct rpmb_dev_info *di; 848 struct rpmb_req *req = NULL; 849 uint8_t *resp = NULL; 850 uint32_t req_size; 851 uint32_t resp_size; 852 853 if (!dev_info) 854 return TEE_ERROR_BAD_PARAMETERS; 855 856 req_size = sizeof(struct rpmb_req); 857 resp_size = sizeof(struct rpmb_dev_info); 858 res = tee_rpmb_alloc(req_size, resp_size, &mem, 859 (void *)&req, (void *)&resp); 860 if (res != TEE_SUCCESS) 861 goto func_exit; 862 863 req->cmd = RPMB_CMD_GET_DEV_INFO; 864 req->dev_id = dev_id; 865 866 di = (struct rpmb_dev_info *)resp; 867 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 868 869 res = tee_rpmb_invoke(&mem); 870 if (res != TEE_SUCCESS) 871 goto func_exit; 872 873 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 874 res = TEE_ERROR_GENERIC; 875 goto func_exit; 876 } 877 878 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 879 880 #ifdef CFG_RPMB_FS_DEBUG_DATA 881 DMSG("Dumping dev_info:"); 882 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 883 #endif 884 885 res = TEE_SUCCESS; 886 887 func_exit: 888 tee_rpmb_free(&mem); 889 return res; 890 } 891 892 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 893 uint32_t *wr_cnt, 894 uint16_t *op_result) 895 { 896 TEE_Result res = TEE_ERROR_GENERIC; 897 struct tee_rpmb_mem mem; 898 uint16_t msg_type; 899 uint8_t nonce[RPMB_NONCE_SIZE]; 900 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 901 struct rpmb_req *req = NULL; 902 struct rpmb_data_frame *resp = NULL; 903 struct rpmb_raw_data rawdata; 904 uint32_t req_size; 905 uint32_t resp_size; 906 907 if (!wr_cnt) 908 return TEE_ERROR_BAD_PARAMETERS; 909 910 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 911 resp_size = RPMB_DATA_FRAME_SIZE; 912 res = tee_rpmb_alloc(req_size, resp_size, &mem, 913 (void *)&req, (void *)&resp); 914 if (res != TEE_SUCCESS) 915 goto func_exit; 916 917 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 918 if (res != TEE_SUCCESS) 919 goto func_exit; 920 921 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 922 923 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 924 rawdata.msg_type = msg_type; 925 rawdata.nonce = nonce; 926 927 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 928 if (res != TEE_SUCCESS) 929 goto func_exit; 930 931 res = tee_rpmb_invoke(&mem); 932 if (res != TEE_SUCCESS) 933 goto func_exit; 934 935 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 936 937 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 938 rawdata.msg_type = msg_type; 939 rawdata.op_result = op_result; 940 rawdata.write_counter = wr_cnt; 941 rawdata.nonce = nonce; 942 rawdata.key_mac = hmac; 943 944 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 945 if (res != TEE_SUCCESS) 946 goto func_exit; 947 948 res = TEE_SUCCESS; 949 950 func_exit: 951 tee_rpmb_free(&mem); 952 return res; 953 } 954 955 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 956 { 957 uint16_t op_result = 0; 958 TEE_Result res = TEE_ERROR_GENERIC; 959 960 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 961 &op_result); 962 963 if (res == TEE_SUCCESS) { 964 rpmb_ctx->key_verified = true; 965 rpmb_ctx->wr_cnt_synced = true; 966 } else 967 EMSG("Verify key returning 0x%x", res); 968 return res; 969 } 970 971 #ifdef CFG_RPMB_WRITE_KEY 972 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 973 { 974 TEE_Result res = TEE_ERROR_GENERIC; 975 struct tee_rpmb_mem mem = { 0 }; 976 uint16_t msg_type; 977 struct rpmb_req *req = NULL; 978 struct rpmb_data_frame *resp = NULL; 979 struct rpmb_raw_data rawdata; 980 uint32_t req_size; 981 uint32_t resp_size; 982 983 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 984 resp_size = RPMB_DATA_FRAME_SIZE; 985 res = tee_rpmb_alloc(req_size, resp_size, &mem, 986 (void *)&req, (void *)&resp); 987 if (res != TEE_SUCCESS) 988 goto func_exit; 989 990 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 991 992 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 993 rawdata.msg_type = msg_type; 994 rawdata.key_mac = rpmb_ctx->key; 995 996 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 997 if (res != TEE_SUCCESS) 998 goto func_exit; 999 1000 res = tee_rpmb_invoke(&mem); 1001 if (res != TEE_SUCCESS) 1002 goto func_exit; 1003 1004 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1005 1006 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1007 rawdata.msg_type = msg_type; 1008 1009 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1010 if (res != TEE_SUCCESS) 1011 goto func_exit; 1012 1013 res = TEE_SUCCESS; 1014 1015 func_exit: 1016 tee_rpmb_free(&mem); 1017 return res; 1018 } 1019 1020 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1021 { 1022 TEE_Result res; 1023 1024 DMSG("RPMB INIT: Writing Key value:"); 1025 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1026 1027 res = tee_rpmb_write_key(dev_id); 1028 if (res == TEE_SUCCESS) { 1029 DMSG("RPMB INIT: Verifying Key"); 1030 res = tee_rpmb_verify_key_sync_counter(dev_id); 1031 } 1032 return res; 1033 } 1034 #else 1035 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1036 { 1037 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1038 return TEE_ERROR_BAD_STATE; 1039 } 1040 #endif 1041 1042 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1043 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1044 { 1045 TEE_Result res = TEE_SUCCESS; 1046 struct rpmb_dev_info dev_info; 1047 uint32_t nblocks = 0; 1048 1049 if (!rpmb_ctx) { 1050 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1051 if (!rpmb_ctx) 1052 return TEE_ERROR_OUT_OF_MEMORY; 1053 } else if (rpmb_ctx->dev_id != dev_id) { 1054 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1055 } 1056 1057 rpmb_ctx->dev_id = dev_id; 1058 1059 if (!rpmb_ctx->dev_info_synced) { 1060 DMSG("RPMB: Syncing device information"); 1061 1062 dev_info.rpmb_size_mult = 0; 1063 dev_info.rel_wr_sec_c = 0; 1064 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1065 if (res != TEE_SUCCESS) 1066 goto func_exit; 1067 1068 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1069 DMSG("RPMB: Reliable Write Sector Count is %d", 1070 dev_info.rel_wr_sec_c); 1071 1072 if (dev_info.rpmb_size_mult == 0) { 1073 res = TEE_ERROR_GENERIC; 1074 goto func_exit; 1075 } 1076 1077 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1078 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1079 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1080 res = TEE_ERROR_BAD_PARAMETERS; 1081 goto func_exit; 1082 } 1083 1084 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1085 1086 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1087 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1088 #else 1089 rpmb_ctx->rel_wr_blkcnt = 1; 1090 #endif 1091 1092 rpmb_ctx->dev_info_synced = true; 1093 } 1094 1095 if (!rpmb_ctx->key_derived) { 1096 DMSG("RPMB INIT: Deriving key"); 1097 1098 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1099 RPMB_KEY_MAC_SIZE); 1100 if (res != TEE_SUCCESS) { 1101 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1102 res); 1103 goto func_exit; 1104 } 1105 1106 rpmb_ctx->key_derived = true; 1107 } 1108 1109 /* Perform a write counter read to verify if the key is ok. */ 1110 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1111 DMSG("RPMB INIT: Verifying Key"); 1112 1113 res = tee_rpmb_verify_key_sync_counter(dev_id); 1114 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1115 !rpmb_ctx->key_verified) { 1116 /* 1117 * Need to write the key here and verify it. 1118 */ 1119 DMSG("RPMB INIT: Auth key not yet written"); 1120 res = tee_rpmb_write_and_verify_key(dev_id); 1121 } else if (res != TEE_SUCCESS) { 1122 EMSG("Verify key failed!"); 1123 EMSG("Make sure key here matches device key"); 1124 } 1125 } 1126 1127 func_exit: 1128 return res; 1129 } 1130 1131 /* 1132 * Read RPMB data in bytes. 1133 * 1134 * @dev_id Device ID of the eMMC device. 1135 * @addr Byte address of data. 1136 * @data Pointer to the data. 1137 * @len Size of data in bytes. 1138 * @fek Encrypted File Encryption Key or NULL. 1139 */ 1140 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1141 uint32_t len, const uint8_t *fek, 1142 const TEE_UUID *uuid) 1143 { 1144 TEE_Result res = TEE_ERROR_GENERIC; 1145 struct tee_rpmb_mem mem = { 0 }; 1146 uint16_t msg_type; 1147 uint8_t nonce[RPMB_NONCE_SIZE]; 1148 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1149 struct rpmb_req *req = NULL; 1150 struct rpmb_data_frame *resp = NULL; 1151 struct rpmb_raw_data rawdata; 1152 uint32_t req_size; 1153 uint32_t resp_size; 1154 uint16_t blk_idx; 1155 uint16_t blkcnt; 1156 uint8_t byte_offset; 1157 1158 if (!data || !len) 1159 return TEE_ERROR_BAD_PARAMETERS; 1160 1161 blk_idx = addr / RPMB_DATA_SIZE; 1162 byte_offset = addr % RPMB_DATA_SIZE; 1163 1164 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1165 /* Overflow */ 1166 return TEE_ERROR_BAD_PARAMETERS; 1167 } 1168 blkcnt = 1169 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1170 res = tee_rpmb_init(dev_id); 1171 if (res != TEE_SUCCESS) 1172 goto func_exit; 1173 1174 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1175 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1176 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1177 (void *)&req, (void *)&resp); 1178 if (res != TEE_SUCCESS) 1179 goto func_exit; 1180 1181 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1182 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1183 if (res != TEE_SUCCESS) 1184 goto func_exit; 1185 1186 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1187 rawdata.msg_type = msg_type; 1188 rawdata.nonce = nonce; 1189 rawdata.blk_idx = &blk_idx; 1190 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1191 if (res != TEE_SUCCESS) 1192 goto func_exit; 1193 1194 req->block_count = blkcnt; 1195 1196 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1197 blk_idx); 1198 1199 res = tee_rpmb_invoke(&mem); 1200 if (res != TEE_SUCCESS) 1201 goto func_exit; 1202 1203 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1204 1205 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1206 rawdata.msg_type = msg_type; 1207 rawdata.block_count = &blkcnt; 1208 rawdata.blk_idx = &blk_idx; 1209 rawdata.nonce = nonce; 1210 rawdata.key_mac = hmac; 1211 rawdata.data = data; 1212 1213 rawdata.len = len; 1214 rawdata.byte_offset = byte_offset; 1215 1216 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1217 if (res != TEE_SUCCESS) 1218 goto func_exit; 1219 1220 res = TEE_SUCCESS; 1221 1222 func_exit: 1223 tee_rpmb_free(&mem); 1224 return res; 1225 } 1226 1227 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1228 const uint8_t *data_blks, uint16_t blkcnt, 1229 const uint8_t *fek, const TEE_UUID *uuid) 1230 { 1231 TEE_Result res; 1232 struct tee_rpmb_mem mem; 1233 uint16_t msg_type; 1234 uint32_t wr_cnt; 1235 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1236 struct rpmb_req *req = NULL; 1237 struct rpmb_data_frame *resp = NULL; 1238 struct rpmb_raw_data rawdata; 1239 uint32_t req_size; 1240 uint32_t resp_size; 1241 uint32_t nbr_writes; 1242 uint16_t tmp_blkcnt; 1243 uint16_t tmp_blk_idx; 1244 uint16_t i; 1245 1246 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1247 blk_idx); 1248 1249 if (!data_blks || !blkcnt) 1250 return TEE_ERROR_BAD_PARAMETERS; 1251 1252 res = tee_rpmb_init(dev_id); 1253 if (res != TEE_SUCCESS) 1254 return res; 1255 1256 /* 1257 * We need to split data when block count 1258 * is bigger than reliable block write count. 1259 */ 1260 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1261 req_size = sizeof(struct rpmb_req) + 1262 RPMB_DATA_FRAME_SIZE * blkcnt; 1263 else 1264 req_size = sizeof(struct rpmb_req) + 1265 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1266 1267 resp_size = RPMB_DATA_FRAME_SIZE; 1268 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1269 (void *)&req, (void *)&resp); 1270 if (res != TEE_SUCCESS) 1271 return res; 1272 1273 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1274 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1275 nbr_writes += 1; 1276 1277 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1278 tmp_blk_idx = blk_idx; 1279 for (i = 0; i < nbr_writes; i++) { 1280 /* 1281 * To handle the last write of block count which is 1282 * equal or smaller than reliable write block count. 1283 */ 1284 if (i == nbr_writes - 1) 1285 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1286 (nbr_writes - 1); 1287 1288 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1289 wr_cnt = rpmb_ctx->wr_cnt; 1290 1291 memset(req, 0x00, req_size); 1292 memset(resp, 0x00, resp_size); 1293 1294 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1295 rawdata.msg_type = msg_type; 1296 rawdata.block_count = &tmp_blkcnt; 1297 rawdata.blk_idx = &tmp_blk_idx; 1298 rawdata.write_counter = &wr_cnt; 1299 rawdata.key_mac = hmac; 1300 rawdata.data = (uint8_t *)data_blks + 1301 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1302 1303 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1304 fek, uuid); 1305 if (res != TEE_SUCCESS) 1306 goto out; 1307 1308 res = tee_rpmb_invoke(&mem); 1309 if (res != TEE_SUCCESS) { 1310 /* 1311 * To force wr_cnt sync next time, as it might get 1312 * out of sync due to inconsistent operation result! 1313 */ 1314 rpmb_ctx->wr_cnt_synced = false; 1315 goto out; 1316 } 1317 1318 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1319 1320 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1321 rawdata.msg_type = msg_type; 1322 rawdata.block_count = &tmp_blkcnt; 1323 rawdata.blk_idx = &tmp_blk_idx; 1324 rawdata.write_counter = &wr_cnt; 1325 rawdata.key_mac = hmac; 1326 1327 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1328 NULL); 1329 if (res != TEE_SUCCESS) { 1330 /* 1331 * To force wr_cnt sync next time, as it might get 1332 * out of sync due to inconsistent operation result! 1333 */ 1334 rpmb_ctx->wr_cnt_synced = false; 1335 goto out; 1336 } 1337 1338 tmp_blk_idx += tmp_blkcnt; 1339 } 1340 1341 out: 1342 tee_rpmb_free(&mem); 1343 return res; 1344 } 1345 1346 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1347 uint32_t len) 1348 { 1349 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1350 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1351 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1352 1353 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1354 } 1355 1356 /* 1357 * Write RPMB data in bytes. 1358 * 1359 * @dev_id Device ID of the eMMC device. 1360 * @addr Byte address of data. 1361 * @data Pointer to the data. 1362 * @len Size of data in bytes. 1363 * @fek Encrypted File Encryption Key or NULL. 1364 */ 1365 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1366 const uint8_t *data, uint32_t len, 1367 const uint8_t *fek, const TEE_UUID *uuid) 1368 { 1369 TEE_Result res = TEE_ERROR_GENERIC; 1370 uint8_t *data_tmp = NULL; 1371 uint16_t blk_idx; 1372 uint16_t blkcnt; 1373 uint8_t byte_offset; 1374 1375 blk_idx = addr / RPMB_DATA_SIZE; 1376 byte_offset = addr % RPMB_DATA_SIZE; 1377 1378 blkcnt = 1379 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1380 1381 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1382 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1383 uuid); 1384 if (res != TEE_SUCCESS) 1385 goto func_exit; 1386 } else { 1387 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1388 if (!data_tmp) { 1389 res = TEE_ERROR_OUT_OF_MEMORY; 1390 goto func_exit; 1391 } 1392 1393 /* Read the complete blocks */ 1394 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1395 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1396 if (res != TEE_SUCCESS) 1397 goto func_exit; 1398 1399 /* Partial update of the data blocks */ 1400 memcpy(data_tmp + byte_offset, data, len); 1401 1402 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1403 fek, uuid); 1404 if (res != TEE_SUCCESS) 1405 goto func_exit; 1406 } 1407 1408 res = TEE_SUCCESS; 1409 1410 func_exit: 1411 free(data_tmp); 1412 return res; 1413 } 1414 1415 /* 1416 * Read the RPMB write counter. 1417 * 1418 * @dev_id Device ID of the eMMC device. 1419 * @counter Pointer to the counter. 1420 */ 1421 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1422 uint32_t *counter) 1423 { 1424 TEE_Result res = TEE_SUCCESS; 1425 1426 if (!counter) 1427 return TEE_ERROR_BAD_PARAMETERS; 1428 1429 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1430 res = tee_rpmb_init(dev_id); 1431 if (res != TEE_SUCCESS) 1432 goto func_exit; 1433 } 1434 1435 *counter = rpmb_ctx->wr_cnt; 1436 1437 func_exit: 1438 return res; 1439 } 1440 1441 /* 1442 * Read the RPMB max block. 1443 * 1444 * @dev_id Device ID of the eMMC device. 1445 * @counter Pointer to receive the max block. 1446 */ 1447 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1448 { 1449 TEE_Result res = TEE_SUCCESS; 1450 1451 if (!max_block) 1452 return TEE_ERROR_BAD_PARAMETERS; 1453 1454 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1455 res = tee_rpmb_init(dev_id); 1456 if (res != TEE_SUCCESS) 1457 goto func_exit; 1458 } 1459 1460 *max_block = rpmb_ctx->max_blk_idx; 1461 1462 func_exit: 1463 return res; 1464 } 1465 1466 /* 1467 * End of lower interface to RPMB device 1468 */ 1469 1470 static TEE_Result get_fat_start_address(uint32_t *addr); 1471 1472 #if (TRACE_LEVEL >= TRACE_FLOW) 1473 static void dump_fat(void) 1474 { 1475 TEE_Result res = TEE_ERROR_GENERIC; 1476 struct rpmb_fat_entry *fat_entries = NULL; 1477 uint32_t fat_address; 1478 size_t size; 1479 int i; 1480 bool last_entry_found = false; 1481 1482 res = get_fat_start_address(&fat_address); 1483 if (res != TEE_SUCCESS) 1484 goto out; 1485 1486 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1487 fat_entries = malloc(size); 1488 if (!fat_entries) { 1489 res = TEE_ERROR_OUT_OF_MEMORY; 1490 goto out; 1491 } 1492 1493 while (!last_entry_found) { 1494 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1495 (uint8_t *)fat_entries, size, NULL, NULL); 1496 if (res != TEE_SUCCESS) 1497 goto out; 1498 1499 for (i = 0; i < N_ENTRIES; i++) { 1500 1501 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1502 fat_entries[i].flags, 1503 fat_entries[i].data_size, 1504 fat_entries[i].start_address, 1505 fat_entries[i].filename); 1506 1507 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1508 last_entry_found = true; 1509 break; 1510 } 1511 1512 /* Move to next fat_entry. */ 1513 fat_address += sizeof(struct rpmb_fat_entry); 1514 } 1515 } 1516 1517 out: 1518 free(fat_entries); 1519 } 1520 #else 1521 static void dump_fat(void) 1522 { 1523 } 1524 #endif 1525 1526 #if (TRACE_LEVEL >= TRACE_DEBUG) 1527 static void dump_fh(struct rpmb_file_handle *fh) 1528 { 1529 DMSG("fh->filename=%s", fh->filename); 1530 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1531 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1532 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1533 } 1534 #else 1535 static void dump_fh(struct rpmb_file_handle *fh __unused) 1536 { 1537 } 1538 #endif 1539 1540 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1541 bool temporary) 1542 { 1543 struct rpmb_file_handle *fh = NULL; 1544 1545 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1546 if (!fh) 1547 return NULL; 1548 1549 if (po) 1550 tee_svc_storage_create_filename(fh->filename, 1551 sizeof(fh->filename), po, 1552 temporary); 1553 1554 return fh; 1555 } 1556 1557 /** 1558 * write_fat_entry: Store info in a fat_entry to RPMB. 1559 */ 1560 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1561 bool update_write_counter) 1562 { 1563 TEE_Result res = TEE_ERROR_GENERIC; 1564 1565 /* Protect partition data. */ 1566 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1567 res = TEE_ERROR_ACCESS_CONFLICT; 1568 goto out; 1569 } 1570 1571 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1572 res = TEE_ERROR_BAD_PARAMETERS; 1573 goto out; 1574 } 1575 1576 if (update_write_counter) { 1577 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1578 &fh->fat_entry.write_counter); 1579 if (res != TEE_SUCCESS) 1580 goto out; 1581 } 1582 1583 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1584 (uint8_t *)&fh->fat_entry, 1585 sizeof(struct rpmb_fat_entry), NULL, NULL); 1586 1587 dump_fat(); 1588 1589 out: 1590 return res; 1591 } 1592 1593 /** 1594 * rpmb_fs_setup: Setup rpmb fs. 1595 * Set initial partition and FS values and write to RPMB. 1596 * Store frequently used data in RAM. 1597 */ 1598 static TEE_Result rpmb_fs_setup(void) 1599 { 1600 TEE_Result res = TEE_ERROR_GENERIC; 1601 struct rpmb_fs_partition *partition_data = NULL; 1602 struct rpmb_file_handle *fh = NULL; 1603 uint32_t max_rpmb_block = 0; 1604 1605 if (fs_par) { 1606 res = TEE_SUCCESS; 1607 goto out; 1608 } 1609 1610 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1611 if (res != TEE_SUCCESS) 1612 goto out; 1613 1614 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1615 if (!partition_data) { 1616 res = TEE_ERROR_OUT_OF_MEMORY; 1617 goto out; 1618 } 1619 1620 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1621 (uint8_t *)partition_data, 1622 sizeof(struct rpmb_fs_partition), NULL, NULL); 1623 if (res != TEE_SUCCESS) 1624 goto out; 1625 1626 #ifndef CFG_RPMB_RESET_FAT 1627 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1628 if (partition_data->fs_version == FS_VERSION) { 1629 res = TEE_SUCCESS; 1630 goto store_fs_par; 1631 } else { 1632 EMSG("Wrong software is in use."); 1633 res = TEE_ERROR_ACCESS_DENIED; 1634 goto out; 1635 } 1636 } 1637 #else 1638 EMSG("**** Clearing Storage ****"); 1639 #endif 1640 1641 /* Setup new partition data. */ 1642 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1643 partition_data->fs_version = FS_VERSION; 1644 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1645 1646 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1647 fh = alloc_file_handle(NULL, false); 1648 if (!fh) { 1649 res = TEE_ERROR_OUT_OF_MEMORY; 1650 goto out; 1651 } 1652 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1653 fh->rpmb_fat_address = partition_data->fat_start_address; 1654 1655 /* Write init FAT entry and partition data to RPMB. */ 1656 res = write_fat_entry(fh, true); 1657 if (res != TEE_SUCCESS) 1658 goto out; 1659 1660 res = 1661 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1662 &partition_data->write_counter); 1663 if (res != TEE_SUCCESS) 1664 goto out; 1665 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1666 (uint8_t *)partition_data, 1667 sizeof(struct rpmb_fs_partition), NULL, NULL); 1668 1669 #ifndef CFG_RPMB_RESET_FAT 1670 store_fs_par: 1671 #endif 1672 1673 /* Store FAT start address. */ 1674 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1675 if (!fs_par) { 1676 res = TEE_ERROR_OUT_OF_MEMORY; 1677 goto out; 1678 } 1679 1680 fs_par->fat_start_address = partition_data->fat_start_address; 1681 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1682 1683 dump_fat(); 1684 1685 out: 1686 free(fh); 1687 free(partition_data); 1688 return res; 1689 } 1690 1691 /** 1692 * get_fat_start_address: 1693 * FAT start_address from fs_par. 1694 */ 1695 static TEE_Result get_fat_start_address(uint32_t *addr) 1696 { 1697 if (!fs_par) 1698 return TEE_ERROR_NO_DATA; 1699 1700 *addr = fs_par->fat_start_address; 1701 1702 return TEE_SUCCESS; 1703 } 1704 1705 /** 1706 * read_fat: Read FAT entries 1707 * Return matching FAT entry for read, rm rename and stat. 1708 * Build up memory pool and return matching entry for write operation. 1709 * "Last FAT entry" can be returned during write. 1710 */ 1711 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1712 { 1713 TEE_Result res = TEE_ERROR_GENERIC; 1714 tee_mm_entry_t *mm = NULL; 1715 struct rpmb_fat_entry *fat_entries = NULL; 1716 uint32_t fat_address; 1717 size_t size; 1718 int i; 1719 bool entry_found = false; 1720 bool last_entry_found = false; 1721 bool expand_fat = false; 1722 struct rpmb_file_handle last_fh; 1723 1724 DMSG("fat_address %d", fh->rpmb_fat_address); 1725 1726 res = rpmb_fs_setup(); 1727 if (res != TEE_SUCCESS) 1728 goto out; 1729 1730 res = get_fat_start_address(&fat_address); 1731 if (res != TEE_SUCCESS) 1732 goto out; 1733 1734 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1735 fat_entries = malloc(size); 1736 if (!fat_entries) { 1737 res = TEE_ERROR_OUT_OF_MEMORY; 1738 goto out; 1739 } 1740 1741 /* 1742 * The pool is used to represent the current RPMB layout. To find 1743 * a slot for the file tee_mm_alloc is called on the pool. Thus 1744 * if it is not NULL the entire FAT must be traversed to fill in 1745 * the pool. 1746 */ 1747 while (!last_entry_found && (!entry_found || p)) { 1748 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1749 (uint8_t *)fat_entries, size, NULL, NULL); 1750 if (res != TEE_SUCCESS) 1751 goto out; 1752 1753 for (i = 0; i < N_ENTRIES; i++) { 1754 /* 1755 * Look for an entry, matching filenames. (read, rm, 1756 * rename and stat.). Only store first filename match. 1757 */ 1758 if (fh->filename && 1759 (strcmp(fh->filename, 1760 fat_entries[i].filename) == 0) && 1761 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1762 (!entry_found)) { 1763 entry_found = true; 1764 fh->rpmb_fat_address = fat_address; 1765 memcpy(&fh->fat_entry, &fat_entries[i], 1766 sizeof(struct rpmb_fat_entry)); 1767 if (!p) 1768 break; 1769 } 1770 1771 /* Add existing files to memory pool. (write) */ 1772 if (p) { 1773 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1774 (fat_entries[i].data_size > 0)) { 1775 1776 mm = tee_mm_alloc2 1777 (p, 1778 fat_entries[i].start_address, 1779 fat_entries[i].data_size); 1780 if (!mm) { 1781 res = TEE_ERROR_OUT_OF_MEMORY; 1782 goto out; 1783 } 1784 } 1785 1786 /* Unused FAT entries can be reused (write) */ 1787 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1788 0) && (fh->rpmb_fat_address == 0)) { 1789 fh->rpmb_fat_address = fat_address; 1790 memcpy(&fh->fat_entry, &fat_entries[i], 1791 sizeof(struct rpmb_fat_entry)); 1792 } 1793 } 1794 1795 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1796 last_entry_found = true; 1797 1798 /* 1799 * If the last entry was reached and was chosen 1800 * by the previous check, then the FAT needs to 1801 * be expanded. 1802 * fh->rpmb_fat_address is the address chosen 1803 * to store the files FAT entry and fat_address 1804 * is the current FAT entry address being 1805 * compared. 1806 */ 1807 if (p && fh->rpmb_fat_address == fat_address) 1808 expand_fat = true; 1809 break; 1810 } 1811 1812 /* Move to next fat_entry. */ 1813 fat_address += sizeof(struct rpmb_fat_entry); 1814 } 1815 } 1816 1817 /* 1818 * Represent the FAT table in the pool. 1819 */ 1820 if (p) { 1821 /* 1822 * Since fat_address is the start of the last entry it needs to 1823 * be moved up by an entry. 1824 */ 1825 fat_address += sizeof(struct rpmb_fat_entry); 1826 1827 /* Make room for yet a FAT entry and add to memory pool. */ 1828 if (expand_fat) 1829 fat_address += sizeof(struct rpmb_fat_entry); 1830 1831 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1832 if (!mm) { 1833 res = TEE_ERROR_OUT_OF_MEMORY; 1834 goto out; 1835 } 1836 1837 if (expand_fat) { 1838 /* 1839 * Point fat_address to the beginning of the new 1840 * entry. 1841 */ 1842 fat_address -= sizeof(struct rpmb_fat_entry); 1843 memset(&last_fh, 0, sizeof(last_fh)); 1844 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1845 last_fh.rpmb_fat_address = fat_address; 1846 res = write_fat_entry(&last_fh, true); 1847 if (res != TEE_SUCCESS) 1848 goto out; 1849 } 1850 } 1851 1852 if (fh->filename && !fh->rpmb_fat_address) 1853 res = TEE_ERROR_ITEM_NOT_FOUND; 1854 1855 out: 1856 free(fat_entries); 1857 return res; 1858 } 1859 1860 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1861 { 1862 TEE_Result res; 1863 1864 again: 1865 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1866 if (res != TEE_SUCCESS) 1867 return res; 1868 1869 if (is_zero(fe->fek, sizeof(fe->fek))) 1870 goto again; 1871 1872 return res; 1873 } 1874 1875 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1876 const TEE_UUID *uuid, bool create) 1877 { 1878 tee_mm_pool_t p; 1879 bool pool_result; 1880 TEE_Result res = TEE_ERROR_GENERIC; 1881 1882 /* We need to do setup in order to make sure fs_par is filled in */ 1883 res = rpmb_fs_setup(); 1884 if (res != TEE_SUCCESS) 1885 goto out; 1886 1887 fh->uuid = uuid; 1888 if (create) { 1889 /* Upper memory allocation must be used for RPMB_FS. */ 1890 pool_result = tee_mm_init(&p, 1891 RPMB_STORAGE_START_ADDRESS, 1892 fs_par->max_rpmb_address, 1893 RPMB_BLOCK_SIZE_SHIFT, 1894 TEE_MM_POOL_HI_ALLOC); 1895 1896 if (!pool_result) { 1897 res = TEE_ERROR_OUT_OF_MEMORY; 1898 goto out; 1899 } 1900 1901 res = read_fat(fh, &p); 1902 tee_mm_final(&p); 1903 if (res != TEE_SUCCESS) 1904 goto out; 1905 } else { 1906 res = read_fat(fh, NULL); 1907 if (res != TEE_SUCCESS) 1908 goto out; 1909 } 1910 1911 /* 1912 * If this is opened with create and the entry found was not active 1913 * then this is a new file and the FAT entry must be written 1914 */ 1915 if (create) { 1916 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1917 memset(&fh->fat_entry, 0, 1918 sizeof(struct rpmb_fat_entry)); 1919 memcpy(fh->fat_entry.filename, fh->filename, 1920 strlen(fh->filename)); 1921 /* Start address and size are 0 */ 1922 fh->fat_entry.flags = FILE_IS_ACTIVE; 1923 1924 res = generate_fek(&fh->fat_entry, uuid); 1925 if (res != TEE_SUCCESS) 1926 goto out; 1927 DMSG("GENERATE FEK key: %p", 1928 (void *)fh->fat_entry.fek); 1929 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1930 1931 res = write_fat_entry(fh, true); 1932 if (res != TEE_SUCCESS) 1933 goto out; 1934 } 1935 } 1936 1937 res = TEE_SUCCESS; 1938 1939 out: 1940 return res; 1941 } 1942 1943 static void rpmb_fs_close(struct tee_file_handle **tfh) 1944 { 1945 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1946 1947 free(fh); 1948 *tfh = NULL; 1949 } 1950 1951 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1952 void *buf, size_t *len) 1953 { 1954 TEE_Result res; 1955 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1956 size_t size = *len; 1957 1958 if (!size) 1959 return TEE_SUCCESS; 1960 1961 mutex_lock(&rpmb_mutex); 1962 1963 dump_fh(fh); 1964 1965 res = read_fat(fh, NULL); 1966 if (res != TEE_SUCCESS) 1967 goto out; 1968 1969 if (pos >= fh->fat_entry.data_size) { 1970 *len = 0; 1971 goto out; 1972 } 1973 1974 size = MIN(size, fh->fat_entry.data_size - pos); 1975 if (size) { 1976 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1977 fh->fat_entry.start_address + pos, buf, 1978 size, fh->fat_entry.fek, fh->uuid); 1979 if (res != TEE_SUCCESS) 1980 goto out; 1981 } 1982 *len = size; 1983 1984 out: 1985 mutex_unlock(&rpmb_mutex); 1986 return res; 1987 } 1988 1989 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1990 size_t pos, const void *buf, 1991 size_t size) 1992 { 1993 TEE_Result res; 1994 tee_mm_pool_t p; 1995 bool pool_result = false; 1996 tee_mm_entry_t *mm; 1997 size_t end; 1998 size_t newsize; 1999 uint8_t *newbuf = NULL; 2000 uintptr_t newaddr; 2001 uint32_t start_addr; 2002 2003 if (!size) 2004 return TEE_SUCCESS; 2005 2006 if (!fs_par) { 2007 res = TEE_ERROR_GENERIC; 2008 goto out; 2009 } 2010 2011 dump_fh(fh); 2012 2013 /* Upper memory allocation must be used for RPMB_FS. */ 2014 pool_result = tee_mm_init(&p, 2015 RPMB_STORAGE_START_ADDRESS, 2016 fs_par->max_rpmb_address, 2017 RPMB_BLOCK_SIZE_SHIFT, 2018 TEE_MM_POOL_HI_ALLOC); 2019 if (!pool_result) { 2020 res = TEE_ERROR_OUT_OF_MEMORY; 2021 goto out; 2022 } 2023 2024 res = read_fat(fh, &p); 2025 if (res != TEE_SUCCESS) 2026 goto out; 2027 2028 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2029 panic("invalid last entry flag"); 2030 2031 if (ADD_OVERFLOW(pos, size, &end)) { 2032 res = TEE_ERROR_BAD_PARAMETERS; 2033 goto out; 2034 } 2035 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2036 res = TEE_ERROR_BAD_PARAMETERS; 2037 goto out; 2038 } 2039 2040 if (end <= fh->fat_entry.data_size && 2041 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2042 2043 DMSG("Updating data in-place"); 2044 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2045 size, fh->fat_entry.fek, fh->uuid); 2046 if (res != TEE_SUCCESS) 2047 goto out; 2048 } else { 2049 /* 2050 * File must be extended, or update cannot be atomic: allocate, 2051 * read, update, write. 2052 */ 2053 2054 DMSG("Need to re-allocate"); 2055 newsize = MAX(end, fh->fat_entry.data_size); 2056 mm = tee_mm_alloc(&p, newsize); 2057 newbuf = calloc(1, newsize); 2058 if (!mm || !newbuf) { 2059 res = TEE_ERROR_OUT_OF_MEMORY; 2060 goto out; 2061 } 2062 2063 if (fh->fat_entry.data_size) { 2064 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2065 fh->fat_entry.start_address, 2066 newbuf, fh->fat_entry.data_size, 2067 fh->fat_entry.fek, fh->uuid); 2068 if (res != TEE_SUCCESS) 2069 goto out; 2070 } 2071 2072 memcpy(newbuf + pos, buf, size); 2073 2074 newaddr = tee_mm_get_smem(mm); 2075 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2076 newsize, fh->fat_entry.fek, fh->uuid); 2077 if (res != TEE_SUCCESS) 2078 goto out; 2079 2080 fh->fat_entry.data_size = newsize; 2081 fh->fat_entry.start_address = newaddr; 2082 res = write_fat_entry(fh, true); 2083 if (res != TEE_SUCCESS) 2084 goto out; 2085 } 2086 2087 out: 2088 if (pool_result) 2089 tee_mm_final(&p); 2090 if (newbuf) 2091 free(newbuf); 2092 2093 return res; 2094 } 2095 2096 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2097 const void *buf, size_t size) 2098 { 2099 TEE_Result res; 2100 2101 mutex_lock(&rpmb_mutex); 2102 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2103 buf, size); 2104 mutex_unlock(&rpmb_mutex); 2105 2106 return res; 2107 } 2108 2109 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2110 { 2111 TEE_Result res; 2112 2113 res = read_fat(fh, NULL); 2114 if (res) 2115 return res; 2116 2117 /* Clear this file entry. */ 2118 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2119 return write_fat_entry(fh, false); 2120 } 2121 2122 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2123 { 2124 TEE_Result res; 2125 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2126 2127 if (!fh) 2128 return TEE_ERROR_OUT_OF_MEMORY; 2129 2130 mutex_lock(&rpmb_mutex); 2131 2132 res = rpmb_fs_remove_internal(fh); 2133 2134 mutex_unlock(&rpmb_mutex); 2135 2136 free(fh); 2137 return res; 2138 } 2139 2140 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2141 struct tee_pobj *new, 2142 bool overwrite) 2143 { 2144 TEE_Result res = TEE_ERROR_GENERIC; 2145 struct rpmb_file_handle *fh_old = NULL; 2146 struct rpmb_file_handle *fh_new = NULL; 2147 2148 if (!old) { 2149 res = TEE_ERROR_BAD_PARAMETERS; 2150 goto out; 2151 } 2152 2153 if (new) 2154 fh_old = alloc_file_handle(old, old->temporary); 2155 else 2156 fh_old = alloc_file_handle(old, true); 2157 if (!fh_old) { 2158 res = TEE_ERROR_OUT_OF_MEMORY; 2159 goto out; 2160 } 2161 2162 if (new) 2163 fh_new = alloc_file_handle(new, new->temporary); 2164 else 2165 fh_new = alloc_file_handle(old, false); 2166 if (!fh_new) { 2167 res = TEE_ERROR_OUT_OF_MEMORY; 2168 goto out; 2169 } 2170 2171 res = read_fat(fh_old, NULL); 2172 if (res != TEE_SUCCESS) 2173 goto out; 2174 2175 res = read_fat(fh_new, NULL); 2176 if (res == TEE_SUCCESS) { 2177 if (!overwrite) { 2178 res = TEE_ERROR_ACCESS_CONFLICT; 2179 goto out; 2180 } 2181 2182 /* Clear this file entry. */ 2183 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2184 res = write_fat_entry(fh_new, false); 2185 if (res != TEE_SUCCESS) 2186 goto out; 2187 } 2188 2189 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2190 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2191 strlen(fh_new->filename)); 2192 2193 res = write_fat_entry(fh_old, false); 2194 2195 out: 2196 free(fh_old); 2197 free(fh_new); 2198 2199 return res; 2200 } 2201 2202 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2203 bool overwrite) 2204 { 2205 TEE_Result res; 2206 2207 mutex_lock(&rpmb_mutex); 2208 res = rpmb_fs_rename_internal(old, new, overwrite); 2209 mutex_unlock(&rpmb_mutex); 2210 2211 return res; 2212 } 2213 2214 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2215 { 2216 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2217 tee_mm_pool_t p; 2218 bool pool_result = false; 2219 tee_mm_entry_t *mm; 2220 uint32_t newsize; 2221 uint8_t *newbuf = NULL; 2222 uintptr_t newaddr; 2223 TEE_Result res = TEE_ERROR_GENERIC; 2224 2225 mutex_lock(&rpmb_mutex); 2226 2227 if (length > INT32_MAX) { 2228 res = TEE_ERROR_BAD_PARAMETERS; 2229 goto out; 2230 } 2231 newsize = length; 2232 2233 res = read_fat(fh, NULL); 2234 if (res != TEE_SUCCESS) 2235 goto out; 2236 2237 if (newsize > fh->fat_entry.data_size) { 2238 /* Extend file */ 2239 2240 pool_result = tee_mm_init(&p, 2241 RPMB_STORAGE_START_ADDRESS, 2242 fs_par->max_rpmb_address, 2243 RPMB_BLOCK_SIZE_SHIFT, 2244 TEE_MM_POOL_HI_ALLOC); 2245 if (!pool_result) { 2246 res = TEE_ERROR_OUT_OF_MEMORY; 2247 goto out; 2248 } 2249 res = read_fat(fh, &p); 2250 if (res != TEE_SUCCESS) 2251 goto out; 2252 2253 mm = tee_mm_alloc(&p, newsize); 2254 newbuf = calloc(1, newsize); 2255 if (!mm || !newbuf) { 2256 res = TEE_ERROR_OUT_OF_MEMORY; 2257 goto out; 2258 } 2259 2260 if (fh->fat_entry.data_size) { 2261 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2262 fh->fat_entry.start_address, 2263 newbuf, fh->fat_entry.data_size, 2264 fh->fat_entry.fek, fh->uuid); 2265 if (res != TEE_SUCCESS) 2266 goto out; 2267 } 2268 2269 newaddr = tee_mm_get_smem(mm); 2270 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2271 newsize, fh->fat_entry.fek, fh->uuid); 2272 if (res != TEE_SUCCESS) 2273 goto out; 2274 2275 } else { 2276 /* Don't change file location */ 2277 newaddr = fh->fat_entry.start_address; 2278 } 2279 2280 /* fh->pos is unchanged */ 2281 fh->fat_entry.data_size = newsize; 2282 fh->fat_entry.start_address = newaddr; 2283 res = write_fat_entry(fh, true); 2284 2285 out: 2286 mutex_unlock(&rpmb_mutex); 2287 if (pool_result) 2288 tee_mm_final(&p); 2289 if (newbuf) 2290 free(newbuf); 2291 2292 return res; 2293 } 2294 2295 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2296 { 2297 struct tee_rpmb_fs_dirent *e; 2298 2299 if (!dir) 2300 return; 2301 2302 free(dir->current); 2303 2304 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2305 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2306 free(e); 2307 } 2308 } 2309 2310 static TEE_Result rpmb_fs_dir_populate(const char *path, 2311 struct tee_fs_dir *dir) 2312 { 2313 struct tee_rpmb_fs_dirent *current = NULL; 2314 struct rpmb_fat_entry *fat_entries = NULL; 2315 uint32_t fat_address; 2316 uint32_t filelen; 2317 char *filename; 2318 int i; 2319 bool last_entry_found = false; 2320 bool matched; 2321 struct tee_rpmb_fs_dirent *next = NULL; 2322 uint32_t pathlen; 2323 TEE_Result res = TEE_ERROR_GENERIC; 2324 uint32_t size; 2325 char temp; 2326 2327 mutex_lock(&rpmb_mutex); 2328 2329 res = rpmb_fs_setup(); 2330 if (res != TEE_SUCCESS) 2331 goto out; 2332 2333 res = get_fat_start_address(&fat_address); 2334 if (res != TEE_SUCCESS) 2335 goto out; 2336 2337 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2338 fat_entries = malloc(size); 2339 if (!fat_entries) { 2340 res = TEE_ERROR_OUT_OF_MEMORY; 2341 goto out; 2342 } 2343 2344 pathlen = strlen(path); 2345 while (!last_entry_found) { 2346 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2347 (uint8_t *)fat_entries, size, NULL, NULL); 2348 if (res != TEE_SUCCESS) 2349 goto out; 2350 2351 for (i = 0; i < N_ENTRIES; i++) { 2352 filename = fat_entries[i].filename; 2353 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2354 matched = false; 2355 filelen = strlen(filename); 2356 if (filelen > pathlen) { 2357 temp = filename[pathlen]; 2358 filename[pathlen] = '\0'; 2359 if (strcmp(filename, path) == 0) 2360 matched = true; 2361 2362 filename[pathlen] = temp; 2363 } 2364 2365 if (matched) { 2366 next = malloc(sizeof(*next)); 2367 if (!next) { 2368 res = TEE_ERROR_OUT_OF_MEMORY; 2369 goto out; 2370 } 2371 2372 next->entry.oidlen = tee_hs2b( 2373 (uint8_t *)&filename[pathlen], 2374 next->entry.oid, 2375 filelen - pathlen, 2376 sizeof(next->entry.oid)); 2377 if (next->entry.oidlen) { 2378 SIMPLEQ_INSERT_TAIL(&dir->next, 2379 next, link); 2380 current = next; 2381 } else { 2382 free(next); 2383 next = NULL; 2384 } 2385 2386 } 2387 } 2388 2389 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2390 last_entry_found = true; 2391 break; 2392 } 2393 2394 /* Move to next fat_entry. */ 2395 fat_address += sizeof(struct rpmb_fat_entry); 2396 } 2397 } 2398 2399 if (current) 2400 res = TEE_SUCCESS; 2401 else 2402 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2403 2404 out: 2405 mutex_unlock(&rpmb_mutex); 2406 if (res != TEE_SUCCESS) 2407 rpmb_fs_dir_free(dir); 2408 if (fat_entries) 2409 free(fat_entries); 2410 2411 return res; 2412 } 2413 2414 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2415 { 2416 uint32_t len; 2417 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2418 TEE_Result res = TEE_ERROR_GENERIC; 2419 struct tee_fs_dir *rpmb_dir = NULL; 2420 2421 if (!uuid || !dir) { 2422 res = TEE_ERROR_BAD_PARAMETERS; 2423 goto out; 2424 } 2425 2426 memset(path_local, 0, sizeof(path_local)); 2427 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2428 uuid) != TEE_SUCCESS) { 2429 res = TEE_ERROR_BAD_PARAMETERS; 2430 goto out; 2431 } 2432 len = strlen(path_local); 2433 2434 /* Add a slash to correctly match the full directory name. */ 2435 if (path_local[len - 1] != '/') 2436 path_local[len] = '/'; 2437 2438 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2439 if (!rpmb_dir) { 2440 res = TEE_ERROR_OUT_OF_MEMORY; 2441 goto out; 2442 } 2443 SIMPLEQ_INIT(&rpmb_dir->next); 2444 2445 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2446 if (res != TEE_SUCCESS) { 2447 free(rpmb_dir); 2448 rpmb_dir = NULL; 2449 goto out; 2450 } 2451 2452 *dir = rpmb_dir; 2453 2454 out: 2455 return res; 2456 } 2457 2458 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2459 struct tee_fs_dirent **ent) 2460 { 2461 if (!dir) 2462 return TEE_ERROR_GENERIC; 2463 2464 free(dir->current); 2465 2466 dir->current = SIMPLEQ_FIRST(&dir->next); 2467 if (!dir->current) 2468 return TEE_ERROR_ITEM_NOT_FOUND; 2469 2470 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2471 2472 *ent = &dir->current->entry; 2473 return TEE_SUCCESS; 2474 } 2475 2476 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2477 { 2478 if (dir) { 2479 rpmb_fs_dir_free(dir); 2480 free(dir); 2481 } 2482 } 2483 2484 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2485 struct tee_file_handle **ret_fh) 2486 { 2487 TEE_Result res; 2488 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2489 2490 if (!fh) 2491 return TEE_ERROR_OUT_OF_MEMORY; 2492 2493 mutex_lock(&rpmb_mutex); 2494 2495 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2496 if (!res && size) 2497 *size = fh->fat_entry.data_size; 2498 2499 mutex_unlock(&rpmb_mutex); 2500 2501 if (res) 2502 free(fh); 2503 else 2504 *ret_fh = (struct tee_file_handle *)fh; 2505 2506 return res; 2507 } 2508 2509 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2510 const void *head, size_t head_size, 2511 const void *attr, size_t attr_size, 2512 const void *data, size_t data_size, 2513 struct tee_file_handle **ret_fh) 2514 { 2515 TEE_Result res; 2516 size_t pos = 0; 2517 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2518 2519 if (!fh) 2520 return TEE_ERROR_OUT_OF_MEMORY; 2521 2522 mutex_lock(&rpmb_mutex); 2523 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2524 if (res) 2525 goto out; 2526 2527 if (head && head_size) { 2528 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2529 if (res) 2530 goto out; 2531 pos += head_size; 2532 } 2533 2534 if (attr && attr_size) { 2535 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2536 if (res) 2537 goto out; 2538 pos += attr_size; 2539 } 2540 2541 if (data && data_size) { 2542 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2543 if (res) 2544 goto out; 2545 } 2546 2547 if (po->temporary) { 2548 /* 2549 * If it's a temporary filename (which it normally is) 2550 * rename into the final filename now that the file is 2551 * fully initialized. 2552 */ 2553 po->temporary = false; 2554 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2555 if (res) { 2556 po->temporary = true; 2557 goto out; 2558 } 2559 /* Update file handle after rename. */ 2560 tee_svc_storage_create_filename(fh->filename, 2561 sizeof(fh->filename), 2562 po, false); 2563 } 2564 2565 out: 2566 if (res) { 2567 rpmb_fs_remove_internal(fh); 2568 free(fh); 2569 } else { 2570 *ret_fh = (struct tee_file_handle *)fh; 2571 } 2572 mutex_unlock(&rpmb_mutex); 2573 2574 return res; 2575 } 2576 2577 const struct tee_file_operations rpmb_fs_ops = { 2578 .open = rpmb_fs_open, 2579 .create = rpmb_fs_create, 2580 .close = rpmb_fs_close, 2581 .read = rpmb_fs_read, 2582 .write = rpmb_fs_write, 2583 .truncate = rpmb_fs_truncate, 2584 .rename = rpmb_fs_rename, 2585 .remove = rpmb_fs_remove, 2586 .opendir = rpmb_fs_opendir, 2587 .closedir = rpmb_fs_closedir, 2588 .readdir = rpmb_fs_readdir, 2589 }; 2590 2591 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2592 struct tee_file_handle **ret_fh) 2593 { 2594 TEE_Result res; 2595 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2596 static const TEE_UUID uuid = { 0 }; 2597 2598 if (!fh) 2599 return TEE_ERROR_OUT_OF_MEMORY; 2600 2601 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2602 2603 mutex_lock(&rpmb_mutex); 2604 2605 res = rpmb_fs_open_internal(fh, &uuid, create); 2606 2607 mutex_unlock(&rpmb_mutex); 2608 2609 if (res) { 2610 if (create) 2611 rpmb_fs_remove_internal(fh); 2612 free(fh); 2613 } else { 2614 *ret_fh = (struct tee_file_handle *)fh; 2615 } 2616 2617 return res; 2618 } 2619