1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 326 uint8_t *key, uint32_t keysize, 327 struct rpmb_data_frame *datafrms, 328 uint16_t blkcnt) 329 { 330 TEE_Result res = TEE_ERROR_GENERIC; 331 int i; 332 void *ctx = NULL; 333 334 if (!mac || !key || !datafrms) 335 return TEE_ERROR_BAD_PARAMETERS; 336 337 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 338 if (res) 339 return res; 340 341 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, key, keysize); 342 if (res != TEE_SUCCESS) 343 goto func_exit; 344 345 for (i = 0; i < blkcnt; i++) { 346 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, 347 datafrms[i].data, 348 RPMB_MAC_PROTECT_DATA_SIZE); 349 if (res != TEE_SUCCESS) 350 goto func_exit; 351 } 352 353 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, mac, macsize); 354 if (res != TEE_SUCCESS) 355 goto func_exit; 356 357 res = TEE_SUCCESS; 358 359 func_exit: 360 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 361 return res; 362 } 363 364 struct tee_rpmb_mem { 365 struct mobj *phreq_mobj; 366 struct mobj *phresp_mobj; 367 size_t req_size; 368 size_t resp_size; 369 }; 370 371 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 372 { 373 if (!mem) 374 return; 375 376 if (mem->phreq_mobj) { 377 thread_rpc_free_payload(mem->phreq_mobj); 378 mem->phreq_mobj = NULL; 379 } 380 if (mem->phresp_mobj) { 381 thread_rpc_free_payload(mem->phresp_mobj); 382 mem->phresp_mobj = NULL; 383 } 384 } 385 386 387 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 388 struct tee_rpmb_mem *mem, void **req, void **resp) 389 { 390 TEE_Result res = TEE_SUCCESS; 391 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 392 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 393 394 if (!mem) 395 return TEE_ERROR_BAD_PARAMETERS; 396 397 memset(mem, 0, sizeof(*mem)); 398 399 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 400 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 401 402 if (!mem->phreq_mobj || !mem->phresp_mobj) { 403 res = TEE_ERROR_OUT_OF_MEMORY; 404 goto out; 405 } 406 407 *req = mobj_get_va(mem->phreq_mobj, 0); 408 *resp = mobj_get_va(mem->phresp_mobj, 0); 409 if (!*req || !*resp) { 410 res = TEE_ERROR_GENERIC; 411 goto out; 412 } 413 414 mem->req_size = req_size; 415 mem->resp_size = resp_size; 416 417 out: 418 if (res != TEE_SUCCESS) 419 tee_rpmb_free(mem); 420 return res; 421 } 422 423 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 424 { 425 struct thread_param params[2] = { 426 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 427 mem->req_size), 428 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 429 mem->resp_size), 430 }; 431 432 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 433 } 434 435 static bool is_zero(const uint8_t *buf, size_t size) 436 { 437 size_t i; 438 439 for (i = 0; i < size; i++) 440 if (buf[i]) 441 return false; 442 return true; 443 } 444 445 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 446 uint16_t blk_idx, const uint8_t *fek, 447 const TEE_UUID *uuid) 448 { 449 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 450 blk_idx, fek, TEE_MODE_ENCRYPT); 451 } 452 453 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 454 uint16_t blk_idx, const uint8_t *fek, 455 const TEE_UUID *uuid) 456 { 457 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 458 blk_idx, fek, TEE_MODE_DECRYPT); 459 } 460 461 /* Decrypt/copy at most one block of data */ 462 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 463 size_t size, size_t offset, 464 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 465 const TEE_UUID *uuid) 466 { 467 uint8_t *tmp __maybe_unused; 468 469 470 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 471 panic("invalid size or offset"); 472 473 if (!fek) { 474 /* Block is not encrypted (not a file data block) */ 475 memcpy(out, frm->data + offset, size); 476 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 477 /* The file was created with encryption disabled */ 478 return TEE_ERROR_SECURITY; 479 } else { 480 /* Block is encrypted */ 481 if (size < RPMB_DATA_SIZE) { 482 /* 483 * Since output buffer is not large enough to hold one 484 * block we must allocate a temporary buffer. 485 */ 486 tmp = malloc(RPMB_DATA_SIZE); 487 if (!tmp) 488 return TEE_ERROR_OUT_OF_MEMORY; 489 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 490 memcpy(out, tmp + offset, size); 491 free(tmp); 492 } else { 493 decrypt_block(out, frm->data, blk_idx, fek, uuid); 494 } 495 } 496 497 return TEE_SUCCESS; 498 } 499 500 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 501 struct rpmb_raw_data *rawdata, 502 uint16_t nbr_frms, uint16_t dev_id, 503 const uint8_t *fek, const TEE_UUID *uuid) 504 { 505 TEE_Result res = TEE_ERROR_GENERIC; 506 int i; 507 struct rpmb_data_frame *datafrm; 508 509 if (!req || !rawdata || !nbr_frms) 510 return TEE_ERROR_BAD_PARAMETERS; 511 512 /* 513 * Check write blockcount is not bigger than reliable write 514 * blockcount. 515 */ 516 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 517 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 518 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 519 rpmb_ctx->rel_wr_blkcnt); 520 return TEE_ERROR_GENERIC; 521 } 522 523 req->cmd = RPMB_CMD_DATA_REQ; 524 req->dev_id = dev_id; 525 526 /* Allocate memory for construct all data packets and calculate MAC. */ 527 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 528 if (!datafrm) 529 return TEE_ERROR_OUT_OF_MEMORY; 530 531 for (i = 0; i < nbr_frms; i++) { 532 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 533 534 if (rawdata->block_count) 535 u16_to_bytes(*rawdata->block_count, 536 datafrm[i].block_count); 537 538 if (rawdata->blk_idx) { 539 /* Check the block index is within range. */ 540 if ((*rawdata->blk_idx + nbr_frms) > 541 rpmb_ctx->max_blk_idx) { 542 res = TEE_ERROR_GENERIC; 543 goto func_exit; 544 } 545 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 546 } 547 548 if (rawdata->write_counter) 549 u32_to_bytes(*rawdata->write_counter, 550 datafrm[i].write_counter); 551 552 if (rawdata->nonce) 553 memcpy(datafrm[i].nonce, rawdata->nonce, 554 RPMB_NONCE_SIZE); 555 556 if (rawdata->data) { 557 if (fek) 558 encrypt_block(datafrm[i].data, 559 rawdata->data + (i * RPMB_DATA_SIZE), 560 *rawdata->blk_idx + i, fek, uuid); 561 else 562 memcpy(datafrm[i].data, 563 rawdata->data + (i * RPMB_DATA_SIZE), 564 RPMB_DATA_SIZE); 565 } 566 } 567 568 if (rawdata->key_mac) { 569 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 570 res = 571 tee_rpmb_mac_calc(rawdata->key_mac, 572 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 573 RPMB_KEY_MAC_SIZE, datafrm, 574 nbr_frms); 575 if (res != TEE_SUCCESS) 576 goto func_exit; 577 } 578 memcpy(datafrm[nbr_frms - 1].key_mac, 579 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 580 } 581 582 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 583 nbr_frms * RPMB_DATA_FRAME_SIZE); 584 585 #ifdef CFG_RPMB_FS_DEBUG_DATA 586 for (i = 0; i < nbr_frms; i++) { 587 DMSG("Dumping data frame %d:", i); 588 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 589 512 - RPMB_STUFF_DATA_SIZE); 590 } 591 #endif 592 593 res = TEE_SUCCESS; 594 func_exit: 595 free(datafrm); 596 return res; 597 } 598 599 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 600 struct rpmb_data_frame *frm, 601 const uint8_t *fek, const TEE_UUID *uuid) 602 { 603 TEE_Result res; 604 uint8_t *data; 605 uint16_t idx; 606 607 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 608 return TEE_ERROR_BAD_PARAMETERS; 609 610 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 611 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 612 if (res != TEE_SUCCESS) 613 return res; 614 615 data = rawdata->data; 616 bytes_to_u16(frm->address, &idx); 617 618 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 619 uuid); 620 return res; 621 } 622 623 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 624 struct rpmb_raw_data *rawdata, 625 uint16_t nbr_frms, 626 struct rpmb_data_frame *lastfrm, 627 const uint8_t *fek, 628 const TEE_UUID *uuid) 629 { 630 TEE_Result res = TEE_ERROR_GENERIC; 631 int i; 632 void *ctx = NULL; 633 uint16_t offset; 634 uint32_t size; 635 uint8_t *data; 636 uint16_t start_idx; 637 struct rpmb_data_frame localfrm; 638 639 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 640 return TEE_ERROR_BAD_PARAMETERS; 641 642 if (nbr_frms == 1) 643 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 644 645 /* nbr_frms > 1 */ 646 647 data = rawdata->data; 648 649 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 650 if (res) 651 goto func_exit; 652 653 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, rpmb_ctx->key, 654 RPMB_KEY_MAC_SIZE); 655 if (res != TEE_SUCCESS) 656 goto func_exit; 657 658 /* 659 * Note: JEDEC JESD84-B51: "In every packet the address is the start 660 * address of the full access (not address of the individual half a 661 * sector)" 662 */ 663 bytes_to_u16(lastfrm->address, &start_idx); 664 665 for (i = 0; i < (nbr_frms - 1); i++) { 666 667 /* 668 * By working on a local copy of the RPMB frame, we ensure that 669 * the data can not be modified after the MAC is computed but 670 * before the payload is decrypted/copied to the output buffer. 671 */ 672 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 673 674 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, localfrm.data, 675 RPMB_MAC_PROTECT_DATA_SIZE); 676 if (res != TEE_SUCCESS) 677 goto func_exit; 678 679 if (i == 0) { 680 /* First block */ 681 offset = rawdata->byte_offset; 682 size = RPMB_DATA_SIZE - offset; 683 } else { 684 /* Middle blocks */ 685 size = RPMB_DATA_SIZE; 686 offset = 0; 687 } 688 689 res = decrypt(data, &localfrm, size, offset, start_idx + i, 690 fek, uuid); 691 if (res != TEE_SUCCESS) 692 goto func_exit; 693 694 data += size; 695 } 696 697 /* Last block */ 698 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 699 if (size == 0) 700 size = RPMB_DATA_SIZE; 701 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 702 uuid); 703 if (res != TEE_SUCCESS) 704 goto func_exit; 705 706 /* Update MAC against the last block */ 707 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, lastfrm->data, 708 RPMB_MAC_PROTECT_DATA_SIZE); 709 if (res != TEE_SUCCESS) 710 goto func_exit; 711 712 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, rawdata->key_mac, 713 RPMB_KEY_MAC_SIZE); 714 if (res != TEE_SUCCESS) 715 goto func_exit; 716 717 res = TEE_SUCCESS; 718 719 func_exit: 720 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 721 return res; 722 } 723 724 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 725 struct rpmb_raw_data *rawdata, 726 uint16_t nbr_frms, 727 const uint8_t *fek, 728 const TEE_UUID *uuid) 729 { 730 TEE_Result res = TEE_ERROR_GENERIC; 731 uint16_t msg_type; 732 uint32_t wr_cnt; 733 uint16_t blk_idx; 734 uint16_t op_result; 735 struct rpmb_data_frame lastfrm; 736 737 if (!datafrm || !rawdata || !nbr_frms) 738 return TEE_ERROR_BAD_PARAMETERS; 739 740 #ifdef CFG_RPMB_FS_DEBUG_DATA 741 for (uint32_t i = 0; i < nbr_frms; i++) { 742 DMSG("Dumping data frame %d:", i); 743 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 744 512 - RPMB_STUFF_DATA_SIZE); 745 } 746 #endif 747 748 /* Make sure the last data packet can't be modified once verified */ 749 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 750 751 /* Handle operation result and translate to TEEC error code. */ 752 bytes_to_u16(lastfrm.op_result, &op_result); 753 if (rawdata->op_result) 754 *rawdata->op_result = op_result; 755 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 756 return TEE_ERROR_ITEM_NOT_FOUND; 757 if (op_result != RPMB_RESULT_OK) 758 return TEE_ERROR_GENERIC; 759 760 /* Check the response msg_type. */ 761 bytes_to_u16(lastfrm.msg_type, &msg_type); 762 if (msg_type != rawdata->msg_type) { 763 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 764 rawdata->msg_type); 765 return TEE_ERROR_GENERIC; 766 } 767 768 if (rawdata->blk_idx) { 769 bytes_to_u16(lastfrm.address, &blk_idx); 770 if (blk_idx != *rawdata->blk_idx) { 771 DMSG("Unexpected block index"); 772 return TEE_ERROR_GENERIC; 773 } 774 } 775 776 if (rawdata->write_counter) { 777 wr_cnt = *rawdata->write_counter; 778 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 779 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 780 /* Verify the write counter is incremented by 1 */ 781 if (*rawdata->write_counter != wr_cnt + 1) { 782 DMSG("Counter mismatched (0x%04x/0x%04x)", 783 *rawdata->write_counter, wr_cnt + 1); 784 return TEE_ERROR_SECURITY; 785 } 786 rpmb_ctx->wr_cnt++; 787 } 788 } 789 790 if (rawdata->nonce) { 791 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 792 RPMB_NONCE_SIZE) != 0) { 793 DMSG("Nonce mismatched"); 794 return TEE_ERROR_SECURITY; 795 } 796 } 797 798 if (rawdata->key_mac) { 799 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 800 if (!rawdata->data) 801 return TEE_ERROR_GENERIC; 802 803 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 804 nbr_frms, &lastfrm, 805 fek, uuid); 806 807 if (res != TEE_SUCCESS) 808 return res; 809 } else { 810 /* 811 * There should be only one data frame for 812 * other msg types. 813 */ 814 if (nbr_frms != 1) 815 return TEE_ERROR_GENERIC; 816 817 res = tee_rpmb_mac_calc(rawdata->key_mac, 818 RPMB_KEY_MAC_SIZE, 819 rpmb_ctx->key, 820 RPMB_KEY_MAC_SIZE, 821 &lastfrm, 1); 822 823 if (res != TEE_SUCCESS) 824 return res; 825 } 826 827 #ifndef CFG_RPMB_FS_NO_MAC 828 if (consttime_memcmp(rawdata->key_mac, 829 (datafrm + nbr_frms - 1)->key_mac, 830 RPMB_KEY_MAC_SIZE) != 0) { 831 DMSG("MAC mismatched:"); 832 #ifdef CFG_RPMB_FS_DEBUG_DATA 833 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 834 #endif 835 return TEE_ERROR_SECURITY; 836 } 837 #endif /* !CFG_RPMB_FS_NO_MAC */ 838 } 839 840 return TEE_SUCCESS; 841 } 842 843 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 844 struct rpmb_dev_info *dev_info) 845 { 846 TEE_Result res = TEE_ERROR_GENERIC; 847 struct tee_rpmb_mem mem; 848 struct rpmb_dev_info *di; 849 struct rpmb_req *req = NULL; 850 uint8_t *resp = NULL; 851 uint32_t req_size; 852 uint32_t resp_size; 853 854 if (!dev_info) 855 return TEE_ERROR_BAD_PARAMETERS; 856 857 req_size = sizeof(struct rpmb_req); 858 resp_size = sizeof(struct rpmb_dev_info); 859 res = tee_rpmb_alloc(req_size, resp_size, &mem, 860 (void *)&req, (void *)&resp); 861 if (res != TEE_SUCCESS) 862 goto func_exit; 863 864 req->cmd = RPMB_CMD_GET_DEV_INFO; 865 req->dev_id = dev_id; 866 867 di = (struct rpmb_dev_info *)resp; 868 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 869 870 res = tee_rpmb_invoke(&mem); 871 if (res != TEE_SUCCESS) 872 goto func_exit; 873 874 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 875 res = TEE_ERROR_GENERIC; 876 goto func_exit; 877 } 878 879 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 880 881 #ifdef CFG_RPMB_FS_DEBUG_DATA 882 DMSG("Dumping dev_info:"); 883 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 884 #endif 885 886 res = TEE_SUCCESS; 887 888 func_exit: 889 tee_rpmb_free(&mem); 890 return res; 891 } 892 893 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 894 uint32_t *wr_cnt, 895 uint16_t *op_result) 896 { 897 TEE_Result res = TEE_ERROR_GENERIC; 898 struct tee_rpmb_mem mem; 899 uint16_t msg_type; 900 uint8_t nonce[RPMB_NONCE_SIZE]; 901 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 902 struct rpmb_req *req = NULL; 903 struct rpmb_data_frame *resp = NULL; 904 struct rpmb_raw_data rawdata; 905 uint32_t req_size; 906 uint32_t resp_size; 907 908 if (!wr_cnt) 909 return TEE_ERROR_BAD_PARAMETERS; 910 911 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 912 resp_size = RPMB_DATA_FRAME_SIZE; 913 res = tee_rpmb_alloc(req_size, resp_size, &mem, 914 (void *)&req, (void *)&resp); 915 if (res != TEE_SUCCESS) 916 goto func_exit; 917 918 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 919 if (res != TEE_SUCCESS) 920 goto func_exit; 921 922 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 923 924 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 925 rawdata.msg_type = msg_type; 926 rawdata.nonce = nonce; 927 928 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 929 if (res != TEE_SUCCESS) 930 goto func_exit; 931 932 res = tee_rpmb_invoke(&mem); 933 if (res != TEE_SUCCESS) 934 goto func_exit; 935 936 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 937 938 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 939 rawdata.msg_type = msg_type; 940 rawdata.op_result = op_result; 941 rawdata.write_counter = wr_cnt; 942 rawdata.nonce = nonce; 943 rawdata.key_mac = hmac; 944 945 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 946 if (res != TEE_SUCCESS) 947 goto func_exit; 948 949 res = TEE_SUCCESS; 950 951 func_exit: 952 tee_rpmb_free(&mem); 953 return res; 954 } 955 956 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 957 { 958 uint16_t op_result = 0; 959 TEE_Result res = TEE_ERROR_GENERIC; 960 961 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 962 &op_result); 963 964 if (res == TEE_SUCCESS) { 965 rpmb_ctx->key_verified = true; 966 rpmb_ctx->wr_cnt_synced = true; 967 } 968 969 DMSG("Verify key returning 0x%x", res); 970 return res; 971 } 972 973 #ifdef CFG_RPMB_WRITE_KEY 974 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 975 { 976 TEE_Result res = TEE_ERROR_GENERIC; 977 struct tee_rpmb_mem mem = { 0 }; 978 uint16_t msg_type; 979 struct rpmb_req *req = NULL; 980 struct rpmb_data_frame *resp = NULL; 981 struct rpmb_raw_data rawdata; 982 uint32_t req_size; 983 uint32_t resp_size; 984 985 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 986 resp_size = RPMB_DATA_FRAME_SIZE; 987 res = tee_rpmb_alloc(req_size, resp_size, &mem, 988 (void *)&req, (void *)&resp); 989 if (res != TEE_SUCCESS) 990 goto func_exit; 991 992 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 993 994 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 995 rawdata.msg_type = msg_type; 996 rawdata.key_mac = rpmb_ctx->key; 997 998 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 999 if (res != TEE_SUCCESS) 1000 goto func_exit; 1001 1002 res = tee_rpmb_invoke(&mem); 1003 if (res != TEE_SUCCESS) 1004 goto func_exit; 1005 1006 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1007 1008 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1009 rawdata.msg_type = msg_type; 1010 1011 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1012 if (res != TEE_SUCCESS) 1013 goto func_exit; 1014 1015 res = TEE_SUCCESS; 1016 1017 func_exit: 1018 tee_rpmb_free(&mem); 1019 return res; 1020 } 1021 1022 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1023 { 1024 TEE_Result res; 1025 1026 DMSG("RPMB INIT: Writing Key"); 1027 res = tee_rpmb_write_key(dev_id); 1028 if (res == TEE_SUCCESS) { 1029 DMSG("RPMB INIT: Verifying Key"); 1030 res = tee_rpmb_verify_key_sync_counter(dev_id); 1031 } 1032 return res; 1033 } 1034 #else 1035 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1036 { 1037 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1038 return TEE_ERROR_BAD_STATE; 1039 } 1040 #endif 1041 1042 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1043 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1044 { 1045 TEE_Result res = TEE_SUCCESS; 1046 struct rpmb_dev_info dev_info; 1047 uint32_t nblocks = 0; 1048 1049 if (!rpmb_ctx) { 1050 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1051 if (!rpmb_ctx) 1052 return TEE_ERROR_OUT_OF_MEMORY; 1053 } else if (rpmb_ctx->dev_id != dev_id) { 1054 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1055 } 1056 1057 rpmb_ctx->dev_id = dev_id; 1058 1059 if (!rpmb_ctx->dev_info_synced) { 1060 DMSG("RPMB: Syncing device information"); 1061 1062 dev_info.rpmb_size_mult = 0; 1063 dev_info.rel_wr_sec_c = 0; 1064 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1065 if (res != TEE_SUCCESS) 1066 goto func_exit; 1067 1068 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1069 DMSG("RPMB: Reliable Write Sector Count is %d", 1070 dev_info.rel_wr_sec_c); 1071 1072 if (dev_info.rpmb_size_mult == 0) { 1073 res = TEE_ERROR_GENERIC; 1074 goto func_exit; 1075 } 1076 1077 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1078 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1079 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1080 res = TEE_ERROR_BAD_PARAMETERS; 1081 goto func_exit; 1082 } 1083 1084 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1085 1086 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1087 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1088 #else 1089 rpmb_ctx->rel_wr_blkcnt = 1; 1090 #endif 1091 1092 rpmb_ctx->dev_info_synced = true; 1093 } 1094 1095 if (!rpmb_ctx->key_derived) { 1096 DMSG("RPMB INIT: Deriving key"); 1097 1098 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1099 RPMB_KEY_MAC_SIZE); 1100 if (res != TEE_SUCCESS) 1101 goto func_exit; 1102 1103 rpmb_ctx->key_derived = true; 1104 } 1105 1106 /* Perform a write counter read to verify if the key is ok. */ 1107 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1108 DMSG("RPMB INIT: Verifying Key"); 1109 1110 res = tee_rpmb_verify_key_sync_counter(dev_id); 1111 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1112 !rpmb_ctx->key_verified) { 1113 /* 1114 * Need to write the key here and verify it. 1115 */ 1116 DMSG("RPMB INIT: Auth key not yet written"); 1117 res = tee_rpmb_write_and_verify_key(dev_id); 1118 } else if (res != TEE_SUCCESS) { 1119 EMSG("Verify key failed!"); 1120 EMSG("Make sure key here matches device key"); 1121 } 1122 } 1123 1124 func_exit: 1125 return res; 1126 } 1127 1128 /* 1129 * Read RPMB data in bytes. 1130 * 1131 * @dev_id Device ID of the eMMC device. 1132 * @addr Byte address of data. 1133 * @data Pointer to the data. 1134 * @len Size of data in bytes. 1135 * @fek Encrypted File Encryption Key or NULL. 1136 */ 1137 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1138 uint32_t len, const uint8_t *fek, 1139 const TEE_UUID *uuid) 1140 { 1141 TEE_Result res = TEE_ERROR_GENERIC; 1142 struct tee_rpmb_mem mem = { 0 }; 1143 uint16_t msg_type; 1144 uint8_t nonce[RPMB_NONCE_SIZE]; 1145 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1146 struct rpmb_req *req = NULL; 1147 struct rpmb_data_frame *resp = NULL; 1148 struct rpmb_raw_data rawdata; 1149 uint32_t req_size; 1150 uint32_t resp_size; 1151 uint16_t blk_idx; 1152 uint16_t blkcnt; 1153 uint8_t byte_offset; 1154 1155 if (!data || !len) 1156 return TEE_ERROR_BAD_PARAMETERS; 1157 1158 blk_idx = addr / RPMB_DATA_SIZE; 1159 byte_offset = addr % RPMB_DATA_SIZE; 1160 1161 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1162 /* Overflow */ 1163 return TEE_ERROR_BAD_PARAMETERS; 1164 } 1165 blkcnt = 1166 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1167 res = tee_rpmb_init(dev_id); 1168 if (res != TEE_SUCCESS) 1169 goto func_exit; 1170 1171 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1172 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1173 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1174 (void *)&req, (void *)&resp); 1175 if (res != TEE_SUCCESS) 1176 goto func_exit; 1177 1178 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1179 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1180 if (res != TEE_SUCCESS) 1181 goto func_exit; 1182 1183 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1184 rawdata.msg_type = msg_type; 1185 rawdata.nonce = nonce; 1186 rawdata.blk_idx = &blk_idx; 1187 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1188 if (res != TEE_SUCCESS) 1189 goto func_exit; 1190 1191 req->block_count = blkcnt; 1192 1193 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1194 blk_idx); 1195 1196 res = tee_rpmb_invoke(&mem); 1197 if (res != TEE_SUCCESS) 1198 goto func_exit; 1199 1200 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1201 1202 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1203 rawdata.msg_type = msg_type; 1204 rawdata.block_count = &blkcnt; 1205 rawdata.blk_idx = &blk_idx; 1206 rawdata.nonce = nonce; 1207 rawdata.key_mac = hmac; 1208 rawdata.data = data; 1209 1210 rawdata.len = len; 1211 rawdata.byte_offset = byte_offset; 1212 1213 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1214 if (res != TEE_SUCCESS) 1215 goto func_exit; 1216 1217 res = TEE_SUCCESS; 1218 1219 func_exit: 1220 tee_rpmb_free(&mem); 1221 return res; 1222 } 1223 1224 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1225 const uint8_t *data_blks, uint16_t blkcnt, 1226 const uint8_t *fek, const TEE_UUID *uuid) 1227 { 1228 TEE_Result res; 1229 struct tee_rpmb_mem mem; 1230 uint16_t msg_type; 1231 uint32_t wr_cnt; 1232 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1233 struct rpmb_req *req = NULL; 1234 struct rpmb_data_frame *resp = NULL; 1235 struct rpmb_raw_data rawdata; 1236 uint32_t req_size; 1237 uint32_t resp_size; 1238 uint32_t nbr_writes; 1239 uint16_t tmp_blkcnt; 1240 uint16_t tmp_blk_idx; 1241 uint16_t i; 1242 1243 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1244 blk_idx); 1245 1246 if (!data_blks || !blkcnt) 1247 return TEE_ERROR_BAD_PARAMETERS; 1248 1249 res = tee_rpmb_init(dev_id); 1250 if (res != TEE_SUCCESS) 1251 return res; 1252 1253 /* 1254 * We need to split data when block count 1255 * is bigger than reliable block write count. 1256 */ 1257 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1258 req_size = sizeof(struct rpmb_req) + 1259 RPMB_DATA_FRAME_SIZE * blkcnt; 1260 else 1261 req_size = sizeof(struct rpmb_req) + 1262 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1263 1264 resp_size = RPMB_DATA_FRAME_SIZE; 1265 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1266 (void *)&req, (void *)&resp); 1267 if (res != TEE_SUCCESS) 1268 return res; 1269 1270 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1271 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1272 nbr_writes += 1; 1273 1274 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1275 tmp_blk_idx = blk_idx; 1276 for (i = 0; i < nbr_writes; i++) { 1277 /* 1278 * To handle the last write of block count which is 1279 * equal or smaller than reliable write block count. 1280 */ 1281 if (i == nbr_writes - 1) 1282 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1283 (nbr_writes - 1); 1284 1285 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1286 wr_cnt = rpmb_ctx->wr_cnt; 1287 1288 memset(req, 0x00, req_size); 1289 memset(resp, 0x00, resp_size); 1290 1291 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1292 rawdata.msg_type = msg_type; 1293 rawdata.block_count = &tmp_blkcnt; 1294 rawdata.blk_idx = &tmp_blk_idx; 1295 rawdata.write_counter = &wr_cnt; 1296 rawdata.key_mac = hmac; 1297 rawdata.data = (uint8_t *)data_blks + 1298 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1299 1300 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1301 fek, uuid); 1302 if (res != TEE_SUCCESS) 1303 goto out; 1304 1305 res = tee_rpmb_invoke(&mem); 1306 if (res != TEE_SUCCESS) { 1307 /* 1308 * To force wr_cnt sync next time, as it might get 1309 * out of sync due to inconsistent operation result! 1310 */ 1311 rpmb_ctx->wr_cnt_synced = false; 1312 goto out; 1313 } 1314 1315 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1316 1317 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1318 rawdata.msg_type = msg_type; 1319 rawdata.block_count = &tmp_blkcnt; 1320 rawdata.blk_idx = &tmp_blk_idx; 1321 rawdata.write_counter = &wr_cnt; 1322 rawdata.key_mac = hmac; 1323 1324 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1325 NULL); 1326 if (res != TEE_SUCCESS) { 1327 /* 1328 * To force wr_cnt sync next time, as it might get 1329 * out of sync due to inconsistent operation result! 1330 */ 1331 rpmb_ctx->wr_cnt_synced = false; 1332 goto out; 1333 } 1334 1335 tmp_blk_idx += tmp_blkcnt; 1336 } 1337 1338 out: 1339 tee_rpmb_free(&mem); 1340 return res; 1341 } 1342 1343 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1344 uint32_t len) 1345 { 1346 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1347 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1348 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1349 1350 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1351 } 1352 1353 /* 1354 * Write RPMB data in bytes. 1355 * 1356 * @dev_id Device ID of the eMMC device. 1357 * @addr Byte address of data. 1358 * @data Pointer to the data. 1359 * @len Size of data in bytes. 1360 * @fek Encrypted File Encryption Key or NULL. 1361 */ 1362 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1363 const uint8_t *data, uint32_t len, 1364 const uint8_t *fek, const TEE_UUID *uuid) 1365 { 1366 TEE_Result res = TEE_ERROR_GENERIC; 1367 uint8_t *data_tmp = NULL; 1368 uint16_t blk_idx; 1369 uint16_t blkcnt; 1370 uint8_t byte_offset; 1371 1372 blk_idx = addr / RPMB_DATA_SIZE; 1373 byte_offset = addr % RPMB_DATA_SIZE; 1374 1375 blkcnt = 1376 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1377 1378 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1379 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1380 uuid); 1381 if (res != TEE_SUCCESS) 1382 goto func_exit; 1383 } else { 1384 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1385 if (!data_tmp) { 1386 res = TEE_ERROR_OUT_OF_MEMORY; 1387 goto func_exit; 1388 } 1389 1390 /* Read the complete blocks */ 1391 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1392 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1393 if (res != TEE_SUCCESS) 1394 goto func_exit; 1395 1396 /* Partial update of the data blocks */ 1397 memcpy(data_tmp + byte_offset, data, len); 1398 1399 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1400 fek, uuid); 1401 if (res != TEE_SUCCESS) 1402 goto func_exit; 1403 } 1404 1405 res = TEE_SUCCESS; 1406 1407 func_exit: 1408 free(data_tmp); 1409 return res; 1410 } 1411 1412 /* 1413 * Read the RPMB write counter. 1414 * 1415 * @dev_id Device ID of the eMMC device. 1416 * @counter Pointer to the counter. 1417 */ 1418 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1419 uint32_t *counter) 1420 { 1421 TEE_Result res = TEE_SUCCESS; 1422 1423 if (!counter) 1424 return TEE_ERROR_BAD_PARAMETERS; 1425 1426 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1427 res = tee_rpmb_init(dev_id); 1428 if (res != TEE_SUCCESS) 1429 goto func_exit; 1430 } 1431 1432 *counter = rpmb_ctx->wr_cnt; 1433 1434 func_exit: 1435 return res; 1436 } 1437 1438 /* 1439 * Read the RPMB max block. 1440 * 1441 * @dev_id Device ID of the eMMC device. 1442 * @counter Pointer to receive the max block. 1443 */ 1444 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1445 { 1446 TEE_Result res = TEE_SUCCESS; 1447 1448 if (!max_block) 1449 return TEE_ERROR_BAD_PARAMETERS; 1450 1451 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1452 res = tee_rpmb_init(dev_id); 1453 if (res != TEE_SUCCESS) 1454 goto func_exit; 1455 } 1456 1457 *max_block = rpmb_ctx->max_blk_idx; 1458 1459 func_exit: 1460 return res; 1461 } 1462 1463 /* 1464 * End of lower interface to RPMB device 1465 */ 1466 1467 static TEE_Result get_fat_start_address(uint32_t *addr); 1468 1469 static void dump_fat(void) 1470 { 1471 TEE_Result res = TEE_ERROR_GENERIC; 1472 struct rpmb_fat_entry *fat_entries = NULL; 1473 uint32_t fat_address; 1474 size_t size; 1475 int i; 1476 bool last_entry_found = false; 1477 1478 res = get_fat_start_address(&fat_address); 1479 if (res != TEE_SUCCESS) 1480 goto out; 1481 1482 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1483 fat_entries = malloc(size); 1484 if (!fat_entries) { 1485 res = TEE_ERROR_OUT_OF_MEMORY; 1486 goto out; 1487 } 1488 1489 while (!last_entry_found) { 1490 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1491 (uint8_t *)fat_entries, size, NULL, NULL); 1492 if (res != TEE_SUCCESS) 1493 goto out; 1494 1495 for (i = 0; i < N_ENTRIES; i++) { 1496 1497 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1498 fat_entries[i].flags, 1499 fat_entries[i].data_size, 1500 fat_entries[i].start_address, 1501 fat_entries[i].filename); 1502 1503 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1504 last_entry_found = true; 1505 break; 1506 } 1507 1508 /* Move to next fat_entry. */ 1509 fat_address += sizeof(struct rpmb_fat_entry); 1510 } 1511 } 1512 1513 out: 1514 free(fat_entries); 1515 } 1516 1517 #if (TRACE_LEVEL >= TRACE_DEBUG) 1518 static void dump_fh(struct rpmb_file_handle *fh) 1519 { 1520 DMSG("fh->filename=%s", fh->filename); 1521 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1522 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1523 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1524 } 1525 #else 1526 static void dump_fh(struct rpmb_file_handle *fh __unused) 1527 { 1528 } 1529 #endif 1530 1531 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1532 bool temporary) 1533 { 1534 struct rpmb_file_handle *fh = NULL; 1535 1536 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1537 if (!fh) 1538 return NULL; 1539 1540 if (po) 1541 tee_svc_storage_create_filename(fh->filename, 1542 sizeof(fh->filename), po, 1543 temporary); 1544 1545 return fh; 1546 } 1547 1548 /** 1549 * write_fat_entry: Store info in a fat_entry to RPMB. 1550 */ 1551 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1552 bool update_write_counter) 1553 { 1554 TEE_Result res = TEE_ERROR_GENERIC; 1555 1556 /* Protect partition data. */ 1557 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1558 res = TEE_ERROR_ACCESS_CONFLICT; 1559 goto out; 1560 } 1561 1562 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1563 res = TEE_ERROR_BAD_PARAMETERS; 1564 goto out; 1565 } 1566 1567 if (update_write_counter) { 1568 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1569 &fh->fat_entry.write_counter); 1570 if (res != TEE_SUCCESS) 1571 goto out; 1572 } 1573 1574 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1575 (uint8_t *)&fh->fat_entry, 1576 sizeof(struct rpmb_fat_entry), NULL, NULL); 1577 1578 dump_fat(); 1579 1580 out: 1581 return res; 1582 } 1583 1584 /** 1585 * rpmb_fs_setup: Setup rpmb fs. 1586 * Set initial partition and FS values and write to RPMB. 1587 * Store frequently used data in RAM. 1588 */ 1589 static TEE_Result rpmb_fs_setup(void) 1590 { 1591 TEE_Result res = TEE_ERROR_GENERIC; 1592 struct rpmb_fs_partition *partition_data = NULL; 1593 struct rpmb_file_handle *fh = NULL; 1594 uint32_t max_rpmb_block = 0; 1595 1596 if (fs_par) { 1597 res = TEE_SUCCESS; 1598 goto out; 1599 } 1600 1601 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1602 if (res != TEE_SUCCESS) 1603 goto out; 1604 1605 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1606 if (!partition_data) { 1607 res = TEE_ERROR_OUT_OF_MEMORY; 1608 goto out; 1609 } 1610 1611 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1612 (uint8_t *)partition_data, 1613 sizeof(struct rpmb_fs_partition), NULL, NULL); 1614 if (res != TEE_SUCCESS) 1615 goto out; 1616 1617 #ifndef CFG_RPMB_RESET_FAT 1618 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1619 if (partition_data->fs_version == FS_VERSION) { 1620 res = TEE_SUCCESS; 1621 goto store_fs_par; 1622 } else { 1623 /* Wrong software is in use. */ 1624 res = TEE_ERROR_ACCESS_DENIED; 1625 goto out; 1626 } 1627 } 1628 #else 1629 EMSG("**** Clearing Storage ****"); 1630 #endif 1631 1632 /* Setup new partition data. */ 1633 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1634 partition_data->fs_version = FS_VERSION; 1635 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1636 1637 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1638 fh = alloc_file_handle(NULL, false); 1639 if (!fh) { 1640 res = TEE_ERROR_OUT_OF_MEMORY; 1641 goto out; 1642 } 1643 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1644 fh->rpmb_fat_address = partition_data->fat_start_address; 1645 1646 /* Write init FAT entry and partition data to RPMB. */ 1647 res = write_fat_entry(fh, true); 1648 if (res != TEE_SUCCESS) 1649 goto out; 1650 1651 res = 1652 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1653 &partition_data->write_counter); 1654 if (res != TEE_SUCCESS) 1655 goto out; 1656 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1657 (uint8_t *)partition_data, 1658 sizeof(struct rpmb_fs_partition), NULL, NULL); 1659 1660 #ifndef CFG_RPMB_RESET_FAT 1661 store_fs_par: 1662 #endif 1663 1664 /* Store FAT start address. */ 1665 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1666 if (!fs_par) { 1667 res = TEE_ERROR_OUT_OF_MEMORY; 1668 goto out; 1669 } 1670 1671 fs_par->fat_start_address = partition_data->fat_start_address; 1672 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1673 1674 dump_fat(); 1675 1676 out: 1677 free(fh); 1678 free(partition_data); 1679 return res; 1680 } 1681 1682 /** 1683 * get_fat_start_address: 1684 * FAT start_address from fs_par. 1685 */ 1686 static TEE_Result get_fat_start_address(uint32_t *addr) 1687 { 1688 if (!fs_par) 1689 return TEE_ERROR_NO_DATA; 1690 1691 *addr = fs_par->fat_start_address; 1692 1693 return TEE_SUCCESS; 1694 } 1695 1696 /** 1697 * read_fat: Read FAT entries 1698 * Return matching FAT entry for read, rm rename and stat. 1699 * Build up memory pool and return matching entry for write operation. 1700 * "Last FAT entry" can be returned during write. 1701 */ 1702 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1703 { 1704 TEE_Result res = TEE_ERROR_GENERIC; 1705 tee_mm_entry_t *mm = NULL; 1706 struct rpmb_fat_entry *fat_entries = NULL; 1707 uint32_t fat_address; 1708 size_t size; 1709 int i; 1710 bool entry_found = false; 1711 bool last_entry_found = false; 1712 bool expand_fat = false; 1713 struct rpmb_file_handle last_fh; 1714 1715 DMSG("fat_address %d", fh->rpmb_fat_address); 1716 1717 res = rpmb_fs_setup(); 1718 if (res != TEE_SUCCESS) 1719 goto out; 1720 1721 res = get_fat_start_address(&fat_address); 1722 if (res != TEE_SUCCESS) 1723 goto out; 1724 1725 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1726 fat_entries = malloc(size); 1727 if (!fat_entries) { 1728 res = TEE_ERROR_OUT_OF_MEMORY; 1729 goto out; 1730 } 1731 1732 /* 1733 * The pool is used to represent the current RPMB layout. To find 1734 * a slot for the file tee_mm_alloc is called on the pool. Thus 1735 * if it is not NULL the entire FAT must be traversed to fill in 1736 * the pool. 1737 */ 1738 while (!last_entry_found && (!entry_found || p)) { 1739 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1740 (uint8_t *)fat_entries, size, NULL, NULL); 1741 if (res != TEE_SUCCESS) 1742 goto out; 1743 1744 for (i = 0; i < N_ENTRIES; i++) { 1745 /* 1746 * Look for an entry, matching filenames. (read, rm, 1747 * rename and stat.). Only store first filename match. 1748 */ 1749 if (fh->filename && 1750 (strcmp(fh->filename, 1751 fat_entries[i].filename) == 0) && 1752 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1753 (!entry_found)) { 1754 entry_found = true; 1755 fh->rpmb_fat_address = fat_address; 1756 memcpy(&fh->fat_entry, &fat_entries[i], 1757 sizeof(struct rpmb_fat_entry)); 1758 if (!p) 1759 break; 1760 } 1761 1762 /* Add existing files to memory pool. (write) */ 1763 if (p) { 1764 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1765 (fat_entries[i].data_size > 0)) { 1766 1767 mm = tee_mm_alloc2 1768 (p, 1769 fat_entries[i].start_address, 1770 fat_entries[i].data_size); 1771 if (!mm) { 1772 res = TEE_ERROR_OUT_OF_MEMORY; 1773 goto out; 1774 } 1775 } 1776 1777 /* Unused FAT entries can be reused (write) */ 1778 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1779 0) && (fh->rpmb_fat_address == 0)) { 1780 fh->rpmb_fat_address = fat_address; 1781 memcpy(&fh->fat_entry, &fat_entries[i], 1782 sizeof(struct rpmb_fat_entry)); 1783 } 1784 } 1785 1786 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1787 last_entry_found = true; 1788 1789 /* 1790 * If the last entry was reached and was chosen 1791 * by the previous check, then the FAT needs to 1792 * be expanded. 1793 * fh->rpmb_fat_address is the address chosen 1794 * to store the files FAT entry and fat_address 1795 * is the current FAT entry address being 1796 * compared. 1797 */ 1798 if (p && fh->rpmb_fat_address == fat_address) 1799 expand_fat = true; 1800 break; 1801 } 1802 1803 /* Move to next fat_entry. */ 1804 fat_address += sizeof(struct rpmb_fat_entry); 1805 } 1806 } 1807 1808 /* 1809 * Represent the FAT table in the pool. 1810 */ 1811 if (p) { 1812 /* 1813 * Since fat_address is the start of the last entry it needs to 1814 * be moved up by an entry. 1815 */ 1816 fat_address += sizeof(struct rpmb_fat_entry); 1817 1818 /* Make room for yet a FAT entry and add to memory pool. */ 1819 if (expand_fat) 1820 fat_address += sizeof(struct rpmb_fat_entry); 1821 1822 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1823 if (!mm) { 1824 res = TEE_ERROR_OUT_OF_MEMORY; 1825 goto out; 1826 } 1827 1828 if (expand_fat) { 1829 /* 1830 * Point fat_address to the beginning of the new 1831 * entry. 1832 */ 1833 fat_address -= sizeof(struct rpmb_fat_entry); 1834 memset(&last_fh, 0, sizeof(last_fh)); 1835 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1836 last_fh.rpmb_fat_address = fat_address; 1837 res = write_fat_entry(&last_fh, true); 1838 if (res != TEE_SUCCESS) 1839 goto out; 1840 } 1841 } 1842 1843 if (fh->filename && !fh->rpmb_fat_address) 1844 res = TEE_ERROR_ITEM_NOT_FOUND; 1845 1846 out: 1847 free(fat_entries); 1848 return res; 1849 } 1850 1851 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1852 { 1853 TEE_Result res; 1854 1855 again: 1856 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1857 if (res != TEE_SUCCESS) 1858 return res; 1859 1860 if (is_zero(fe->fek, sizeof(fe->fek))) 1861 goto again; 1862 1863 return res; 1864 } 1865 1866 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1867 const TEE_UUID *uuid, bool create) 1868 { 1869 tee_mm_pool_t p; 1870 bool pool_result; 1871 TEE_Result res = TEE_ERROR_GENERIC; 1872 1873 /* We need to do setup in order to make sure fs_par is filled in */ 1874 res = rpmb_fs_setup(); 1875 if (res != TEE_SUCCESS) 1876 goto out; 1877 1878 fh->uuid = uuid; 1879 if (create) { 1880 /* Upper memory allocation must be used for RPMB_FS. */ 1881 pool_result = tee_mm_init(&p, 1882 RPMB_STORAGE_START_ADDRESS, 1883 fs_par->max_rpmb_address, 1884 RPMB_BLOCK_SIZE_SHIFT, 1885 TEE_MM_POOL_HI_ALLOC); 1886 1887 if (!pool_result) { 1888 res = TEE_ERROR_OUT_OF_MEMORY; 1889 goto out; 1890 } 1891 1892 res = read_fat(fh, &p); 1893 tee_mm_final(&p); 1894 if (res != TEE_SUCCESS) 1895 goto out; 1896 } else { 1897 res = read_fat(fh, NULL); 1898 if (res != TEE_SUCCESS) 1899 goto out; 1900 } 1901 1902 /* 1903 * If this is opened with create and the entry found was not active 1904 * then this is a new file and the FAT entry must be written 1905 */ 1906 if (create) { 1907 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1908 memset(&fh->fat_entry, 0, 1909 sizeof(struct rpmb_fat_entry)); 1910 memcpy(fh->fat_entry.filename, fh->filename, 1911 strlen(fh->filename)); 1912 /* Start address and size are 0 */ 1913 fh->fat_entry.flags = FILE_IS_ACTIVE; 1914 1915 res = generate_fek(&fh->fat_entry, uuid); 1916 if (res != TEE_SUCCESS) 1917 goto out; 1918 DMSG("GENERATE FEK key: %p", 1919 (void *)fh->fat_entry.fek); 1920 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1921 1922 res = write_fat_entry(fh, true); 1923 if (res != TEE_SUCCESS) 1924 goto out; 1925 } 1926 } 1927 1928 res = TEE_SUCCESS; 1929 1930 out: 1931 return res; 1932 } 1933 1934 static void rpmb_fs_close(struct tee_file_handle **tfh) 1935 { 1936 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1937 1938 free(fh); 1939 *tfh = NULL; 1940 } 1941 1942 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1943 void *buf, size_t *len) 1944 { 1945 TEE_Result res; 1946 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1947 size_t size = *len; 1948 1949 if (!size) 1950 return TEE_SUCCESS; 1951 1952 mutex_lock(&rpmb_mutex); 1953 1954 dump_fh(fh); 1955 1956 res = read_fat(fh, NULL); 1957 if (res != TEE_SUCCESS) 1958 goto out; 1959 1960 if (pos >= fh->fat_entry.data_size) { 1961 *len = 0; 1962 goto out; 1963 } 1964 1965 size = MIN(size, fh->fat_entry.data_size - pos); 1966 if (size) { 1967 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1968 fh->fat_entry.start_address + pos, buf, 1969 size, fh->fat_entry.fek, fh->uuid); 1970 if (res != TEE_SUCCESS) 1971 goto out; 1972 } 1973 *len = size; 1974 1975 out: 1976 mutex_unlock(&rpmb_mutex); 1977 return res; 1978 } 1979 1980 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1981 size_t pos, const void *buf, 1982 size_t size) 1983 { 1984 TEE_Result res; 1985 tee_mm_pool_t p; 1986 bool pool_result = false; 1987 tee_mm_entry_t *mm; 1988 size_t end; 1989 size_t newsize; 1990 uint8_t *newbuf = NULL; 1991 uintptr_t newaddr; 1992 uint32_t start_addr; 1993 1994 if (!size) 1995 return TEE_SUCCESS; 1996 1997 if (!fs_par) { 1998 res = TEE_ERROR_GENERIC; 1999 goto out; 2000 } 2001 2002 dump_fh(fh); 2003 2004 /* Upper memory allocation must be used for RPMB_FS. */ 2005 pool_result = tee_mm_init(&p, 2006 RPMB_STORAGE_START_ADDRESS, 2007 fs_par->max_rpmb_address, 2008 RPMB_BLOCK_SIZE_SHIFT, 2009 TEE_MM_POOL_HI_ALLOC); 2010 if (!pool_result) { 2011 res = TEE_ERROR_OUT_OF_MEMORY; 2012 goto out; 2013 } 2014 2015 res = read_fat(fh, &p); 2016 if (res != TEE_SUCCESS) 2017 goto out; 2018 2019 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2020 panic("invalid last entry flag"); 2021 2022 if (ADD_OVERFLOW(pos, size, &end)) { 2023 res = TEE_ERROR_BAD_PARAMETERS; 2024 goto out; 2025 } 2026 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2027 res = TEE_ERROR_BAD_PARAMETERS; 2028 goto out; 2029 } 2030 2031 if (end <= fh->fat_entry.data_size && 2032 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2033 2034 DMSG("Updating data in-place"); 2035 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2036 size, fh->fat_entry.fek, fh->uuid); 2037 if (res != TEE_SUCCESS) 2038 goto out; 2039 } else { 2040 /* 2041 * File must be extended, or update cannot be atomic: allocate, 2042 * read, update, write. 2043 */ 2044 2045 DMSG("Need to re-allocate"); 2046 newsize = MAX(end, fh->fat_entry.data_size); 2047 mm = tee_mm_alloc(&p, newsize); 2048 newbuf = calloc(1, newsize); 2049 if (!mm || !newbuf) { 2050 res = TEE_ERROR_OUT_OF_MEMORY; 2051 goto out; 2052 } 2053 2054 if (fh->fat_entry.data_size) { 2055 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2056 fh->fat_entry.start_address, 2057 newbuf, fh->fat_entry.data_size, 2058 fh->fat_entry.fek, fh->uuid); 2059 if (res != TEE_SUCCESS) 2060 goto out; 2061 } 2062 2063 memcpy(newbuf + pos, buf, size); 2064 2065 newaddr = tee_mm_get_smem(mm); 2066 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2067 newsize, fh->fat_entry.fek, fh->uuid); 2068 if (res != TEE_SUCCESS) 2069 goto out; 2070 2071 fh->fat_entry.data_size = newsize; 2072 fh->fat_entry.start_address = newaddr; 2073 res = write_fat_entry(fh, true); 2074 if (res != TEE_SUCCESS) 2075 goto out; 2076 } 2077 2078 out: 2079 if (pool_result) 2080 tee_mm_final(&p); 2081 if (newbuf) 2082 free(newbuf); 2083 2084 return res; 2085 } 2086 2087 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2088 const void *buf, size_t size) 2089 { 2090 TEE_Result res; 2091 2092 mutex_lock(&rpmb_mutex); 2093 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2094 buf, size); 2095 mutex_unlock(&rpmb_mutex); 2096 2097 return res; 2098 } 2099 2100 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2101 { 2102 TEE_Result res; 2103 2104 res = read_fat(fh, NULL); 2105 if (res) 2106 return res; 2107 2108 /* Clear this file entry. */ 2109 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2110 return write_fat_entry(fh, false); 2111 } 2112 2113 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2114 { 2115 TEE_Result res; 2116 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2117 2118 if (!fh) 2119 return TEE_ERROR_OUT_OF_MEMORY; 2120 2121 mutex_lock(&rpmb_mutex); 2122 2123 res = rpmb_fs_remove_internal(fh); 2124 2125 mutex_unlock(&rpmb_mutex); 2126 2127 free(fh); 2128 return res; 2129 } 2130 2131 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2132 struct tee_pobj *new, 2133 bool overwrite) 2134 { 2135 TEE_Result res = TEE_ERROR_GENERIC; 2136 struct rpmb_file_handle *fh_old = NULL; 2137 struct rpmb_file_handle *fh_new = NULL; 2138 2139 if (!old) { 2140 res = TEE_ERROR_BAD_PARAMETERS; 2141 goto out; 2142 } 2143 2144 if (new) 2145 fh_old = alloc_file_handle(old, old->temporary); 2146 else 2147 fh_old = alloc_file_handle(old, true); 2148 if (!fh_old) { 2149 res = TEE_ERROR_OUT_OF_MEMORY; 2150 goto out; 2151 } 2152 2153 if (new) 2154 fh_new = alloc_file_handle(new, new->temporary); 2155 else 2156 fh_new = alloc_file_handle(old, false); 2157 if (!fh_new) { 2158 res = TEE_ERROR_OUT_OF_MEMORY; 2159 goto out; 2160 } 2161 2162 res = read_fat(fh_old, NULL); 2163 if (res != TEE_SUCCESS) 2164 goto out; 2165 2166 res = read_fat(fh_new, NULL); 2167 if (res == TEE_SUCCESS) { 2168 if (!overwrite) { 2169 res = TEE_ERROR_ACCESS_CONFLICT; 2170 goto out; 2171 } 2172 2173 /* Clear this file entry. */ 2174 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2175 res = write_fat_entry(fh_new, false); 2176 if (res != TEE_SUCCESS) 2177 goto out; 2178 } 2179 2180 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2181 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2182 strlen(fh_new->filename)); 2183 2184 res = write_fat_entry(fh_old, false); 2185 2186 out: 2187 free(fh_old); 2188 free(fh_new); 2189 2190 return res; 2191 } 2192 2193 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2194 bool overwrite) 2195 { 2196 TEE_Result res; 2197 2198 mutex_lock(&rpmb_mutex); 2199 res = rpmb_fs_rename_internal(old, new, overwrite); 2200 mutex_unlock(&rpmb_mutex); 2201 2202 return res; 2203 } 2204 2205 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2206 { 2207 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2208 tee_mm_pool_t p; 2209 bool pool_result = false; 2210 tee_mm_entry_t *mm; 2211 uint32_t newsize; 2212 uint8_t *newbuf = NULL; 2213 uintptr_t newaddr; 2214 TEE_Result res = TEE_ERROR_GENERIC; 2215 2216 mutex_lock(&rpmb_mutex); 2217 2218 if (length > INT32_MAX) { 2219 res = TEE_ERROR_BAD_PARAMETERS; 2220 goto out; 2221 } 2222 newsize = length; 2223 2224 res = read_fat(fh, NULL); 2225 if (res != TEE_SUCCESS) 2226 goto out; 2227 2228 if (newsize > fh->fat_entry.data_size) { 2229 /* Extend file */ 2230 2231 pool_result = tee_mm_init(&p, 2232 RPMB_STORAGE_START_ADDRESS, 2233 fs_par->max_rpmb_address, 2234 RPMB_BLOCK_SIZE_SHIFT, 2235 TEE_MM_POOL_HI_ALLOC); 2236 if (!pool_result) { 2237 res = TEE_ERROR_OUT_OF_MEMORY; 2238 goto out; 2239 } 2240 res = read_fat(fh, &p); 2241 if (res != TEE_SUCCESS) 2242 goto out; 2243 2244 mm = tee_mm_alloc(&p, newsize); 2245 newbuf = calloc(1, newsize); 2246 if (!mm || !newbuf) { 2247 res = TEE_ERROR_OUT_OF_MEMORY; 2248 goto out; 2249 } 2250 2251 if (fh->fat_entry.data_size) { 2252 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2253 fh->fat_entry.start_address, 2254 newbuf, fh->fat_entry.data_size, 2255 fh->fat_entry.fek, fh->uuid); 2256 if (res != TEE_SUCCESS) 2257 goto out; 2258 } 2259 2260 newaddr = tee_mm_get_smem(mm); 2261 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2262 newsize, fh->fat_entry.fek, fh->uuid); 2263 if (res != TEE_SUCCESS) 2264 goto out; 2265 2266 } else { 2267 /* Don't change file location */ 2268 newaddr = fh->fat_entry.start_address; 2269 } 2270 2271 /* fh->pos is unchanged */ 2272 fh->fat_entry.data_size = newsize; 2273 fh->fat_entry.start_address = newaddr; 2274 res = write_fat_entry(fh, true); 2275 2276 out: 2277 mutex_unlock(&rpmb_mutex); 2278 if (pool_result) 2279 tee_mm_final(&p); 2280 if (newbuf) 2281 free(newbuf); 2282 2283 return res; 2284 } 2285 2286 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2287 { 2288 struct tee_rpmb_fs_dirent *e; 2289 2290 if (!dir) 2291 return; 2292 2293 free(dir->current); 2294 2295 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2296 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2297 free(e); 2298 } 2299 } 2300 2301 static TEE_Result rpmb_fs_dir_populate(const char *path, 2302 struct tee_fs_dir *dir) 2303 { 2304 struct tee_rpmb_fs_dirent *current = NULL; 2305 struct rpmb_fat_entry *fat_entries = NULL; 2306 uint32_t fat_address; 2307 uint32_t filelen; 2308 char *filename; 2309 int i; 2310 bool last_entry_found = false; 2311 bool matched; 2312 struct tee_rpmb_fs_dirent *next = NULL; 2313 uint32_t pathlen; 2314 TEE_Result res = TEE_ERROR_GENERIC; 2315 uint32_t size; 2316 char temp; 2317 2318 mutex_lock(&rpmb_mutex); 2319 2320 res = rpmb_fs_setup(); 2321 if (res != TEE_SUCCESS) 2322 goto out; 2323 2324 res = get_fat_start_address(&fat_address); 2325 if (res != TEE_SUCCESS) 2326 goto out; 2327 2328 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2329 fat_entries = malloc(size); 2330 if (!fat_entries) { 2331 res = TEE_ERROR_OUT_OF_MEMORY; 2332 goto out; 2333 } 2334 2335 pathlen = strlen(path); 2336 while (!last_entry_found) { 2337 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2338 (uint8_t *)fat_entries, size, NULL, NULL); 2339 if (res != TEE_SUCCESS) 2340 goto out; 2341 2342 for (i = 0; i < N_ENTRIES; i++) { 2343 filename = fat_entries[i].filename; 2344 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2345 matched = false; 2346 filelen = strlen(filename); 2347 if (filelen > pathlen) { 2348 temp = filename[pathlen]; 2349 filename[pathlen] = '\0'; 2350 if (strcmp(filename, path) == 0) 2351 matched = true; 2352 2353 filename[pathlen] = temp; 2354 } 2355 2356 if (matched) { 2357 next = malloc(sizeof(*next)); 2358 if (!next) { 2359 res = TEE_ERROR_OUT_OF_MEMORY; 2360 goto out; 2361 } 2362 2363 next->entry.oidlen = tee_hs2b( 2364 (uint8_t *)&filename[pathlen], 2365 next->entry.oid, 2366 filelen - pathlen, 2367 sizeof(next->entry.oid)); 2368 if (next->entry.oidlen) { 2369 SIMPLEQ_INSERT_TAIL(&dir->next, 2370 next, link); 2371 current = next; 2372 } else { 2373 free(next); 2374 next = NULL; 2375 } 2376 2377 } 2378 } 2379 2380 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2381 last_entry_found = true; 2382 break; 2383 } 2384 2385 /* Move to next fat_entry. */ 2386 fat_address += sizeof(struct rpmb_fat_entry); 2387 } 2388 } 2389 2390 if (current) 2391 res = TEE_SUCCESS; 2392 else 2393 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2394 2395 out: 2396 mutex_unlock(&rpmb_mutex); 2397 if (res != TEE_SUCCESS) 2398 rpmb_fs_dir_free(dir); 2399 if (fat_entries) 2400 free(fat_entries); 2401 2402 return res; 2403 } 2404 2405 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2406 { 2407 uint32_t len; 2408 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2409 TEE_Result res = TEE_ERROR_GENERIC; 2410 struct tee_fs_dir *rpmb_dir = NULL; 2411 2412 if (!uuid || !dir) { 2413 res = TEE_ERROR_BAD_PARAMETERS; 2414 goto out; 2415 } 2416 2417 memset(path_local, 0, sizeof(path_local)); 2418 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2419 uuid) != TEE_SUCCESS) { 2420 res = TEE_ERROR_BAD_PARAMETERS; 2421 goto out; 2422 } 2423 len = strlen(path_local); 2424 2425 /* Add a slash to correctly match the full directory name. */ 2426 if (path_local[len - 1] != '/') 2427 path_local[len] = '/'; 2428 2429 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2430 if (!rpmb_dir) { 2431 res = TEE_ERROR_OUT_OF_MEMORY; 2432 goto out; 2433 } 2434 SIMPLEQ_INIT(&rpmb_dir->next); 2435 2436 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2437 if (res != TEE_SUCCESS) { 2438 free(rpmb_dir); 2439 rpmb_dir = NULL; 2440 goto out; 2441 } 2442 2443 *dir = rpmb_dir; 2444 2445 out: 2446 return res; 2447 } 2448 2449 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2450 struct tee_fs_dirent **ent) 2451 { 2452 if (!dir) 2453 return TEE_ERROR_GENERIC; 2454 2455 free(dir->current); 2456 2457 dir->current = SIMPLEQ_FIRST(&dir->next); 2458 if (!dir->current) 2459 return TEE_ERROR_ITEM_NOT_FOUND; 2460 2461 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2462 2463 *ent = &dir->current->entry; 2464 return TEE_SUCCESS; 2465 } 2466 2467 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2468 { 2469 if (dir) { 2470 rpmb_fs_dir_free(dir); 2471 free(dir); 2472 } 2473 } 2474 2475 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2476 struct tee_file_handle **ret_fh) 2477 { 2478 TEE_Result res; 2479 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2480 2481 if (!fh) 2482 return TEE_ERROR_OUT_OF_MEMORY; 2483 2484 mutex_lock(&rpmb_mutex); 2485 2486 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2487 if (!res && size) 2488 *size = fh->fat_entry.data_size; 2489 2490 mutex_unlock(&rpmb_mutex); 2491 2492 if (res) 2493 free(fh); 2494 else 2495 *ret_fh = (struct tee_file_handle *)fh; 2496 2497 return res; 2498 } 2499 2500 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2501 const void *head, size_t head_size, 2502 const void *attr, size_t attr_size, 2503 const void *data, size_t data_size, 2504 struct tee_file_handle **ret_fh) 2505 { 2506 TEE_Result res; 2507 size_t pos = 0; 2508 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2509 2510 if (!fh) 2511 return TEE_ERROR_OUT_OF_MEMORY; 2512 2513 mutex_lock(&rpmb_mutex); 2514 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2515 if (res) 2516 goto out; 2517 2518 if (head && head_size) { 2519 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2520 if (res) 2521 goto out; 2522 pos += head_size; 2523 } 2524 2525 if (attr && attr_size) { 2526 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2527 if (res) 2528 goto out; 2529 pos += attr_size; 2530 } 2531 2532 if (data && data_size) { 2533 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2534 if (res) 2535 goto out; 2536 } 2537 2538 if (po->temporary) { 2539 /* 2540 * If it's a temporary filename (which it normally is) 2541 * rename into the final filename now that the file is 2542 * fully initialized. 2543 */ 2544 po->temporary = false; 2545 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2546 if (res) { 2547 po->temporary = true; 2548 goto out; 2549 } 2550 /* Update file handle after rename. */ 2551 tee_svc_storage_create_filename(fh->filename, 2552 sizeof(fh->filename), 2553 po, false); 2554 } 2555 2556 out: 2557 if (res) { 2558 rpmb_fs_remove_internal(fh); 2559 free(fh); 2560 } else { 2561 *ret_fh = (struct tee_file_handle *)fh; 2562 } 2563 mutex_unlock(&rpmb_mutex); 2564 2565 return res; 2566 } 2567 2568 const struct tee_file_operations rpmb_fs_ops = { 2569 .open = rpmb_fs_open, 2570 .create = rpmb_fs_create, 2571 .close = rpmb_fs_close, 2572 .read = rpmb_fs_read, 2573 .write = rpmb_fs_write, 2574 .truncate = rpmb_fs_truncate, 2575 .rename = rpmb_fs_rename, 2576 .remove = rpmb_fs_remove, 2577 .opendir = rpmb_fs_opendir, 2578 .closedir = rpmb_fs_closedir, 2579 .readdir = rpmb_fs_readdir, 2580 }; 2581 2582 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2583 struct tee_file_handle **ret_fh) 2584 { 2585 TEE_Result res; 2586 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2587 static const TEE_UUID uuid = { 0 }; 2588 2589 if (!fh) 2590 return TEE_ERROR_OUT_OF_MEMORY; 2591 2592 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2593 2594 mutex_lock(&rpmb_mutex); 2595 2596 res = rpmb_fs_open_internal(fh, &uuid, create); 2597 2598 mutex_unlock(&rpmb_mutex); 2599 2600 if (res) { 2601 if (create) 2602 rpmb_fs_remove_internal(fh); 2603 free(fh); 2604 } else { 2605 *ret_fh = (struct tee_file_handle *)fh; 2606 } 2607 2608 return res; 2609 } 2610