1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 326 uint8_t *key, uint32_t keysize, 327 struct rpmb_data_frame *datafrms, 328 uint16_t blkcnt) 329 { 330 TEE_Result res = TEE_ERROR_GENERIC; 331 int i; 332 void *ctx = NULL; 333 334 if (!mac || !key || !datafrms) 335 return TEE_ERROR_BAD_PARAMETERS; 336 337 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 338 if (res) 339 return res; 340 341 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, key, keysize); 342 if (res != TEE_SUCCESS) 343 goto func_exit; 344 345 for (i = 0; i < blkcnt; i++) { 346 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, 347 datafrms[i].data, 348 RPMB_MAC_PROTECT_DATA_SIZE); 349 if (res != TEE_SUCCESS) 350 goto func_exit; 351 } 352 353 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, mac, macsize); 354 if (res != TEE_SUCCESS) 355 goto func_exit; 356 357 res = TEE_SUCCESS; 358 359 func_exit: 360 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 361 return res; 362 } 363 364 struct tee_rpmb_mem { 365 struct mobj *phreq_mobj; 366 struct mobj *phresp_mobj; 367 size_t req_size; 368 size_t resp_size; 369 }; 370 371 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 372 { 373 if (!mem) 374 return; 375 376 if (mem->phreq_mobj) { 377 thread_rpc_free_payload(mem->phreq_mobj); 378 mem->phreq_mobj = NULL; 379 } 380 if (mem->phresp_mobj) { 381 thread_rpc_free_payload(mem->phresp_mobj); 382 mem->phresp_mobj = NULL; 383 } 384 } 385 386 387 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 388 struct tee_rpmb_mem *mem, void **req, void **resp) 389 { 390 TEE_Result res = TEE_SUCCESS; 391 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 392 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 393 394 if (!mem) 395 return TEE_ERROR_BAD_PARAMETERS; 396 397 memset(mem, 0, sizeof(*mem)); 398 399 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 400 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 401 402 if (!mem->phreq_mobj || !mem->phresp_mobj) { 403 res = TEE_ERROR_OUT_OF_MEMORY; 404 goto out; 405 } 406 407 *req = mobj_get_va(mem->phreq_mobj, 0); 408 *resp = mobj_get_va(mem->phresp_mobj, 0); 409 if (!*req || !*resp) { 410 res = TEE_ERROR_GENERIC; 411 goto out; 412 } 413 414 mem->req_size = req_size; 415 mem->resp_size = resp_size; 416 417 out: 418 if (res != TEE_SUCCESS) 419 tee_rpmb_free(mem); 420 return res; 421 } 422 423 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 424 { 425 struct thread_param params[2] = { 426 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 427 mem->req_size), 428 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 429 mem->resp_size), 430 }; 431 432 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 433 } 434 435 static bool is_zero(const uint8_t *buf, size_t size) 436 { 437 size_t i; 438 439 for (i = 0; i < size; i++) 440 if (buf[i]) 441 return false; 442 return true; 443 } 444 445 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 446 uint16_t blk_idx, const uint8_t *fek, 447 const TEE_UUID *uuid) 448 { 449 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 450 blk_idx, fek, TEE_MODE_ENCRYPT); 451 } 452 453 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 454 uint16_t blk_idx, const uint8_t *fek, 455 const TEE_UUID *uuid) 456 { 457 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 458 blk_idx, fek, TEE_MODE_DECRYPT); 459 } 460 461 /* Decrypt/copy at most one block of data */ 462 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 463 size_t size, size_t offset, 464 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 465 const TEE_UUID *uuid) 466 { 467 uint8_t *tmp __maybe_unused; 468 469 470 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 471 panic("invalid size or offset"); 472 473 if (!fek) { 474 /* Block is not encrypted (not a file data block) */ 475 memcpy(out, frm->data + offset, size); 476 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 477 /* The file was created with encryption disabled */ 478 return TEE_ERROR_SECURITY; 479 } else { 480 /* Block is encrypted */ 481 if (size < RPMB_DATA_SIZE) { 482 /* 483 * Since output buffer is not large enough to hold one 484 * block we must allocate a temporary buffer. 485 */ 486 tmp = malloc(RPMB_DATA_SIZE); 487 if (!tmp) 488 return TEE_ERROR_OUT_OF_MEMORY; 489 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 490 memcpy(out, tmp + offset, size); 491 free(tmp); 492 } else { 493 decrypt_block(out, frm->data, blk_idx, fek, uuid); 494 } 495 } 496 497 return TEE_SUCCESS; 498 } 499 500 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 501 struct rpmb_raw_data *rawdata, 502 uint16_t nbr_frms, uint16_t dev_id, 503 const uint8_t *fek, const TEE_UUID *uuid) 504 { 505 TEE_Result res = TEE_ERROR_GENERIC; 506 int i; 507 struct rpmb_data_frame *datafrm; 508 509 if (!req || !rawdata || !nbr_frms) 510 return TEE_ERROR_BAD_PARAMETERS; 511 512 /* 513 * Check write blockcount is not bigger than reliable write 514 * blockcount. 515 */ 516 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 517 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 518 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 519 rpmb_ctx->rel_wr_blkcnt); 520 return TEE_ERROR_GENERIC; 521 } 522 523 req->cmd = RPMB_CMD_DATA_REQ; 524 req->dev_id = dev_id; 525 526 /* Allocate memory for construct all data packets and calculate MAC. */ 527 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 528 if (!datafrm) 529 return TEE_ERROR_OUT_OF_MEMORY; 530 531 for (i = 0; i < nbr_frms; i++) { 532 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 533 534 if (rawdata->block_count) 535 u16_to_bytes(*rawdata->block_count, 536 datafrm[i].block_count); 537 538 if (rawdata->blk_idx) { 539 /* Check the block index is within range. */ 540 if ((*rawdata->blk_idx + nbr_frms) > 541 rpmb_ctx->max_blk_idx) { 542 res = TEE_ERROR_GENERIC; 543 goto func_exit; 544 } 545 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 546 } 547 548 if (rawdata->write_counter) 549 u32_to_bytes(*rawdata->write_counter, 550 datafrm[i].write_counter); 551 552 if (rawdata->nonce) 553 memcpy(datafrm[i].nonce, rawdata->nonce, 554 RPMB_NONCE_SIZE); 555 556 if (rawdata->data) { 557 if (fek) 558 encrypt_block(datafrm[i].data, 559 rawdata->data + (i * RPMB_DATA_SIZE), 560 *rawdata->blk_idx + i, fek, uuid); 561 else 562 memcpy(datafrm[i].data, 563 rawdata->data + (i * RPMB_DATA_SIZE), 564 RPMB_DATA_SIZE); 565 } 566 } 567 568 if (rawdata->key_mac) { 569 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 570 res = 571 tee_rpmb_mac_calc(rawdata->key_mac, 572 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 573 RPMB_KEY_MAC_SIZE, datafrm, 574 nbr_frms); 575 if (res != TEE_SUCCESS) 576 goto func_exit; 577 } 578 memcpy(datafrm[nbr_frms - 1].key_mac, 579 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 580 } 581 582 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 583 nbr_frms * RPMB_DATA_FRAME_SIZE); 584 585 #ifdef CFG_RPMB_FS_DEBUG_DATA 586 for (i = 0; i < nbr_frms; i++) { 587 DMSG("Dumping data frame %d:", i); 588 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 589 512 - RPMB_STUFF_DATA_SIZE); 590 } 591 #endif 592 593 res = TEE_SUCCESS; 594 func_exit: 595 free(datafrm); 596 return res; 597 } 598 599 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 600 struct rpmb_data_frame *frm, 601 const uint8_t *fek, const TEE_UUID *uuid) 602 { 603 TEE_Result res; 604 uint8_t *data; 605 uint16_t idx; 606 607 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 608 return TEE_ERROR_BAD_PARAMETERS; 609 610 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 611 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 612 if (res != TEE_SUCCESS) 613 return res; 614 615 data = rawdata->data; 616 bytes_to_u16(frm->address, &idx); 617 618 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 619 uuid); 620 return res; 621 } 622 623 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 624 struct rpmb_raw_data *rawdata, 625 uint16_t nbr_frms, 626 struct rpmb_data_frame *lastfrm, 627 const uint8_t *fek, 628 const TEE_UUID *uuid) 629 { 630 TEE_Result res = TEE_ERROR_GENERIC; 631 int i; 632 void *ctx = NULL; 633 uint16_t offset; 634 uint32_t size; 635 uint8_t *data; 636 uint16_t start_idx; 637 struct rpmb_data_frame localfrm; 638 639 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 640 return TEE_ERROR_BAD_PARAMETERS; 641 642 if (nbr_frms == 1) 643 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 644 645 /* nbr_frms > 1 */ 646 647 data = rawdata->data; 648 649 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 650 if (res) 651 goto func_exit; 652 653 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, rpmb_ctx->key, 654 RPMB_KEY_MAC_SIZE); 655 if (res != TEE_SUCCESS) 656 goto func_exit; 657 658 /* 659 * Note: JEDEC JESD84-B51: "In every packet the address is the start 660 * address of the full access (not address of the individual half a 661 * sector)" 662 */ 663 bytes_to_u16(lastfrm->address, &start_idx); 664 665 for (i = 0; i < (nbr_frms - 1); i++) { 666 667 /* 668 * By working on a local copy of the RPMB frame, we ensure that 669 * the data can not be modified after the MAC is computed but 670 * before the payload is decrypted/copied to the output buffer. 671 */ 672 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 673 674 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, localfrm.data, 675 RPMB_MAC_PROTECT_DATA_SIZE); 676 if (res != TEE_SUCCESS) 677 goto func_exit; 678 679 if (i == 0) { 680 /* First block */ 681 offset = rawdata->byte_offset; 682 size = RPMB_DATA_SIZE - offset; 683 } else { 684 /* Middle blocks */ 685 size = RPMB_DATA_SIZE; 686 offset = 0; 687 } 688 689 res = decrypt(data, &localfrm, size, offset, start_idx + i, 690 fek, uuid); 691 if (res != TEE_SUCCESS) 692 goto func_exit; 693 694 data += size; 695 } 696 697 /* Last block */ 698 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 699 if (size == 0) 700 size = RPMB_DATA_SIZE; 701 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 702 uuid); 703 if (res != TEE_SUCCESS) 704 goto func_exit; 705 706 /* Update MAC against the last block */ 707 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, lastfrm->data, 708 RPMB_MAC_PROTECT_DATA_SIZE); 709 if (res != TEE_SUCCESS) 710 goto func_exit; 711 712 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, rawdata->key_mac, 713 RPMB_KEY_MAC_SIZE); 714 if (res != TEE_SUCCESS) 715 goto func_exit; 716 717 res = TEE_SUCCESS; 718 719 func_exit: 720 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 721 return res; 722 } 723 724 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 725 struct rpmb_raw_data *rawdata, 726 uint16_t nbr_frms, 727 const uint8_t *fek, 728 const TEE_UUID *uuid) 729 { 730 TEE_Result res = TEE_ERROR_GENERIC; 731 uint16_t msg_type; 732 uint32_t wr_cnt; 733 uint16_t blk_idx; 734 uint16_t op_result; 735 struct rpmb_data_frame lastfrm; 736 737 if (!datafrm || !rawdata || !nbr_frms) 738 return TEE_ERROR_BAD_PARAMETERS; 739 740 #ifdef CFG_RPMB_FS_DEBUG_DATA 741 for (uint32_t i = 0; i < nbr_frms; i++) { 742 DMSG("Dumping data frame %d:", i); 743 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 744 512 - RPMB_STUFF_DATA_SIZE); 745 } 746 #endif 747 748 /* Make sure the last data packet can't be modified once verified */ 749 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 750 751 /* Handle operation result and translate to TEEC error code. */ 752 bytes_to_u16(lastfrm.op_result, &op_result); 753 if (rawdata->op_result) 754 *rawdata->op_result = op_result; 755 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 756 return TEE_ERROR_ITEM_NOT_FOUND; 757 if (op_result != RPMB_RESULT_OK) 758 return TEE_ERROR_GENERIC; 759 760 /* Check the response msg_type. */ 761 bytes_to_u16(lastfrm.msg_type, &msg_type); 762 if (msg_type != rawdata->msg_type) { 763 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 764 rawdata->msg_type); 765 return TEE_ERROR_GENERIC; 766 } 767 768 if (rawdata->blk_idx) { 769 bytes_to_u16(lastfrm.address, &blk_idx); 770 if (blk_idx != *rawdata->blk_idx) { 771 DMSG("Unexpected block index"); 772 return TEE_ERROR_GENERIC; 773 } 774 } 775 776 if (rawdata->write_counter) { 777 wr_cnt = *rawdata->write_counter; 778 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 779 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 780 /* Verify the write counter is incremented by 1 */ 781 if (*rawdata->write_counter != wr_cnt + 1) { 782 DMSG("Counter mismatched (0x%04x/0x%04x)", 783 *rawdata->write_counter, wr_cnt + 1); 784 return TEE_ERROR_SECURITY; 785 } 786 rpmb_ctx->wr_cnt++; 787 } 788 } 789 790 if (rawdata->nonce) { 791 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 792 RPMB_NONCE_SIZE) != 0) { 793 DMSG("Nonce mismatched"); 794 return TEE_ERROR_SECURITY; 795 } 796 } 797 798 if (rawdata->key_mac) { 799 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 800 if (!rawdata->data) 801 return TEE_ERROR_GENERIC; 802 803 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 804 nbr_frms, &lastfrm, 805 fek, uuid); 806 807 if (res != TEE_SUCCESS) 808 return res; 809 } else { 810 /* 811 * There should be only one data frame for 812 * other msg types. 813 */ 814 if (nbr_frms != 1) 815 return TEE_ERROR_GENERIC; 816 817 res = tee_rpmb_mac_calc(rawdata->key_mac, 818 RPMB_KEY_MAC_SIZE, 819 rpmb_ctx->key, 820 RPMB_KEY_MAC_SIZE, 821 &lastfrm, 1); 822 823 if (res != TEE_SUCCESS) 824 return res; 825 } 826 827 #ifndef CFG_RPMB_FS_NO_MAC 828 if (consttime_memcmp(rawdata->key_mac, 829 (datafrm + nbr_frms - 1)->key_mac, 830 RPMB_KEY_MAC_SIZE) != 0) { 831 DMSG("MAC mismatched:"); 832 #ifdef CFG_RPMB_FS_DEBUG_DATA 833 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 834 #endif 835 return TEE_ERROR_SECURITY; 836 } 837 #endif /* !CFG_RPMB_FS_NO_MAC */ 838 } 839 840 return TEE_SUCCESS; 841 } 842 843 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 844 struct rpmb_dev_info *dev_info) 845 { 846 TEE_Result res = TEE_ERROR_GENERIC; 847 struct tee_rpmb_mem mem; 848 struct rpmb_dev_info *di; 849 struct rpmb_req *req = NULL; 850 uint8_t *resp = NULL; 851 uint32_t req_size; 852 uint32_t resp_size; 853 854 if (!dev_info) 855 return TEE_ERROR_BAD_PARAMETERS; 856 857 req_size = sizeof(struct rpmb_req); 858 resp_size = sizeof(struct rpmb_dev_info); 859 res = tee_rpmb_alloc(req_size, resp_size, &mem, 860 (void *)&req, (void *)&resp); 861 if (res != TEE_SUCCESS) 862 goto func_exit; 863 864 req->cmd = RPMB_CMD_GET_DEV_INFO; 865 req->dev_id = dev_id; 866 867 di = (struct rpmb_dev_info *)resp; 868 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 869 870 res = tee_rpmb_invoke(&mem); 871 if (res != TEE_SUCCESS) 872 goto func_exit; 873 874 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 875 res = TEE_ERROR_GENERIC; 876 goto func_exit; 877 } 878 879 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 880 881 #ifdef CFG_RPMB_FS_DEBUG_DATA 882 DMSG("Dumping dev_info:"); 883 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 884 #endif 885 886 res = TEE_SUCCESS; 887 888 func_exit: 889 tee_rpmb_free(&mem); 890 return res; 891 } 892 893 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 894 uint32_t *wr_cnt, 895 uint16_t *op_result) 896 { 897 TEE_Result res = TEE_ERROR_GENERIC; 898 struct tee_rpmb_mem mem; 899 uint16_t msg_type; 900 uint8_t nonce[RPMB_NONCE_SIZE]; 901 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 902 struct rpmb_req *req = NULL; 903 struct rpmb_data_frame *resp = NULL; 904 struct rpmb_raw_data rawdata; 905 uint32_t req_size; 906 uint32_t resp_size; 907 908 if (!wr_cnt) 909 return TEE_ERROR_BAD_PARAMETERS; 910 911 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 912 resp_size = RPMB_DATA_FRAME_SIZE; 913 res = tee_rpmb_alloc(req_size, resp_size, &mem, 914 (void *)&req, (void *)&resp); 915 if (res != TEE_SUCCESS) 916 goto func_exit; 917 918 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 919 if (res != TEE_SUCCESS) 920 goto func_exit; 921 922 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 923 924 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 925 rawdata.msg_type = msg_type; 926 rawdata.nonce = nonce; 927 928 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 929 if (res != TEE_SUCCESS) 930 goto func_exit; 931 932 res = tee_rpmb_invoke(&mem); 933 if (res != TEE_SUCCESS) 934 goto func_exit; 935 936 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 937 938 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 939 rawdata.msg_type = msg_type; 940 rawdata.op_result = op_result; 941 rawdata.write_counter = wr_cnt; 942 rawdata.nonce = nonce; 943 rawdata.key_mac = hmac; 944 945 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 946 if (res != TEE_SUCCESS) 947 goto func_exit; 948 949 res = TEE_SUCCESS; 950 951 func_exit: 952 tee_rpmb_free(&mem); 953 return res; 954 } 955 956 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 957 { 958 uint16_t op_result = 0; 959 TEE_Result res = TEE_ERROR_GENERIC; 960 961 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 962 &op_result); 963 964 if (res == TEE_SUCCESS) { 965 rpmb_ctx->key_verified = true; 966 rpmb_ctx->wr_cnt_synced = true; 967 } else 968 EMSG("Verify key returning 0x%x", res); 969 return res; 970 } 971 972 #ifdef CFG_RPMB_WRITE_KEY 973 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 974 { 975 TEE_Result res = TEE_ERROR_GENERIC; 976 struct tee_rpmb_mem mem = { 0 }; 977 uint16_t msg_type; 978 struct rpmb_req *req = NULL; 979 struct rpmb_data_frame *resp = NULL; 980 struct rpmb_raw_data rawdata; 981 uint32_t req_size; 982 uint32_t resp_size; 983 984 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 985 resp_size = RPMB_DATA_FRAME_SIZE; 986 res = tee_rpmb_alloc(req_size, resp_size, &mem, 987 (void *)&req, (void *)&resp); 988 if (res != TEE_SUCCESS) 989 goto func_exit; 990 991 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 992 993 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 994 rawdata.msg_type = msg_type; 995 rawdata.key_mac = rpmb_ctx->key; 996 997 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 998 if (res != TEE_SUCCESS) 999 goto func_exit; 1000 1001 res = tee_rpmb_invoke(&mem); 1002 if (res != TEE_SUCCESS) 1003 goto func_exit; 1004 1005 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1006 1007 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1008 rawdata.msg_type = msg_type; 1009 1010 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1011 if (res != TEE_SUCCESS) 1012 goto func_exit; 1013 1014 res = TEE_SUCCESS; 1015 1016 func_exit: 1017 tee_rpmb_free(&mem); 1018 return res; 1019 } 1020 1021 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1022 { 1023 TEE_Result res; 1024 1025 DMSG("RPMB INIT: Writing Key value:"); 1026 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1027 1028 res = tee_rpmb_write_key(dev_id); 1029 if (res == TEE_SUCCESS) { 1030 DMSG("RPMB INIT: Verifying Key"); 1031 res = tee_rpmb_verify_key_sync_counter(dev_id); 1032 } 1033 return res; 1034 } 1035 #else 1036 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1037 { 1038 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1039 return TEE_ERROR_BAD_STATE; 1040 } 1041 #endif 1042 1043 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1044 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1045 { 1046 TEE_Result res = TEE_SUCCESS; 1047 struct rpmb_dev_info dev_info; 1048 uint32_t nblocks = 0; 1049 1050 if (!rpmb_ctx) { 1051 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1052 if (!rpmb_ctx) 1053 return TEE_ERROR_OUT_OF_MEMORY; 1054 } else if (rpmb_ctx->dev_id != dev_id) { 1055 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1056 } 1057 1058 rpmb_ctx->dev_id = dev_id; 1059 1060 if (!rpmb_ctx->dev_info_synced) { 1061 DMSG("RPMB: Syncing device information"); 1062 1063 dev_info.rpmb_size_mult = 0; 1064 dev_info.rel_wr_sec_c = 0; 1065 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1066 if (res != TEE_SUCCESS) 1067 goto func_exit; 1068 1069 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1070 DMSG("RPMB: Reliable Write Sector Count is %d", 1071 dev_info.rel_wr_sec_c); 1072 1073 if (dev_info.rpmb_size_mult == 0) { 1074 res = TEE_ERROR_GENERIC; 1075 goto func_exit; 1076 } 1077 1078 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1079 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1080 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1081 res = TEE_ERROR_BAD_PARAMETERS; 1082 goto func_exit; 1083 } 1084 1085 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1086 1087 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1088 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1089 #else 1090 rpmb_ctx->rel_wr_blkcnt = 1; 1091 #endif 1092 1093 rpmb_ctx->dev_info_synced = true; 1094 } 1095 1096 if (!rpmb_ctx->key_derived) { 1097 DMSG("RPMB INIT: Deriving key"); 1098 1099 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1100 RPMB_KEY_MAC_SIZE); 1101 if (res != TEE_SUCCESS) { 1102 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1103 res); 1104 goto func_exit; 1105 } 1106 1107 rpmb_ctx->key_derived = true; 1108 } 1109 1110 /* Perform a write counter read to verify if the key is ok. */ 1111 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1112 DMSG("RPMB INIT: Verifying Key"); 1113 1114 res = tee_rpmb_verify_key_sync_counter(dev_id); 1115 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1116 !rpmb_ctx->key_verified) { 1117 /* 1118 * Need to write the key here and verify it. 1119 */ 1120 DMSG("RPMB INIT: Auth key not yet written"); 1121 res = tee_rpmb_write_and_verify_key(dev_id); 1122 } else if (res != TEE_SUCCESS) { 1123 EMSG("Verify key failed!"); 1124 EMSG("Make sure key here matches device key"); 1125 } 1126 } 1127 1128 func_exit: 1129 return res; 1130 } 1131 1132 /* 1133 * Read RPMB data in bytes. 1134 * 1135 * @dev_id Device ID of the eMMC device. 1136 * @addr Byte address of data. 1137 * @data Pointer to the data. 1138 * @len Size of data in bytes. 1139 * @fek Encrypted File Encryption Key or NULL. 1140 */ 1141 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1142 uint32_t len, const uint8_t *fek, 1143 const TEE_UUID *uuid) 1144 { 1145 TEE_Result res = TEE_ERROR_GENERIC; 1146 struct tee_rpmb_mem mem = { 0 }; 1147 uint16_t msg_type; 1148 uint8_t nonce[RPMB_NONCE_SIZE]; 1149 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1150 struct rpmb_req *req = NULL; 1151 struct rpmb_data_frame *resp = NULL; 1152 struct rpmb_raw_data rawdata; 1153 uint32_t req_size; 1154 uint32_t resp_size; 1155 uint16_t blk_idx; 1156 uint16_t blkcnt; 1157 uint8_t byte_offset; 1158 1159 if (!data || !len) 1160 return TEE_ERROR_BAD_PARAMETERS; 1161 1162 blk_idx = addr / RPMB_DATA_SIZE; 1163 byte_offset = addr % RPMB_DATA_SIZE; 1164 1165 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1166 /* Overflow */ 1167 return TEE_ERROR_BAD_PARAMETERS; 1168 } 1169 blkcnt = 1170 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1171 res = tee_rpmb_init(dev_id); 1172 if (res != TEE_SUCCESS) 1173 goto func_exit; 1174 1175 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1176 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1177 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1178 (void *)&req, (void *)&resp); 1179 if (res != TEE_SUCCESS) 1180 goto func_exit; 1181 1182 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1183 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1184 if (res != TEE_SUCCESS) 1185 goto func_exit; 1186 1187 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1188 rawdata.msg_type = msg_type; 1189 rawdata.nonce = nonce; 1190 rawdata.blk_idx = &blk_idx; 1191 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1192 if (res != TEE_SUCCESS) 1193 goto func_exit; 1194 1195 req->block_count = blkcnt; 1196 1197 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1198 blk_idx); 1199 1200 res = tee_rpmb_invoke(&mem); 1201 if (res != TEE_SUCCESS) 1202 goto func_exit; 1203 1204 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1205 1206 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1207 rawdata.msg_type = msg_type; 1208 rawdata.block_count = &blkcnt; 1209 rawdata.blk_idx = &blk_idx; 1210 rawdata.nonce = nonce; 1211 rawdata.key_mac = hmac; 1212 rawdata.data = data; 1213 1214 rawdata.len = len; 1215 rawdata.byte_offset = byte_offset; 1216 1217 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1218 if (res != TEE_SUCCESS) 1219 goto func_exit; 1220 1221 res = TEE_SUCCESS; 1222 1223 func_exit: 1224 tee_rpmb_free(&mem); 1225 return res; 1226 } 1227 1228 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1229 const uint8_t *data_blks, uint16_t blkcnt, 1230 const uint8_t *fek, const TEE_UUID *uuid) 1231 { 1232 TEE_Result res; 1233 struct tee_rpmb_mem mem; 1234 uint16_t msg_type; 1235 uint32_t wr_cnt; 1236 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1237 struct rpmb_req *req = NULL; 1238 struct rpmb_data_frame *resp = NULL; 1239 struct rpmb_raw_data rawdata; 1240 uint32_t req_size; 1241 uint32_t resp_size; 1242 uint32_t nbr_writes; 1243 uint16_t tmp_blkcnt; 1244 uint16_t tmp_blk_idx; 1245 uint16_t i; 1246 1247 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1248 blk_idx); 1249 1250 if (!data_blks || !blkcnt) 1251 return TEE_ERROR_BAD_PARAMETERS; 1252 1253 res = tee_rpmb_init(dev_id); 1254 if (res != TEE_SUCCESS) 1255 return res; 1256 1257 /* 1258 * We need to split data when block count 1259 * is bigger than reliable block write count. 1260 */ 1261 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1262 req_size = sizeof(struct rpmb_req) + 1263 RPMB_DATA_FRAME_SIZE * blkcnt; 1264 else 1265 req_size = sizeof(struct rpmb_req) + 1266 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1267 1268 resp_size = RPMB_DATA_FRAME_SIZE; 1269 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1270 (void *)&req, (void *)&resp); 1271 if (res != TEE_SUCCESS) 1272 return res; 1273 1274 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1275 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1276 nbr_writes += 1; 1277 1278 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1279 tmp_blk_idx = blk_idx; 1280 for (i = 0; i < nbr_writes; i++) { 1281 /* 1282 * To handle the last write of block count which is 1283 * equal or smaller than reliable write block count. 1284 */ 1285 if (i == nbr_writes - 1) 1286 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1287 (nbr_writes - 1); 1288 1289 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1290 wr_cnt = rpmb_ctx->wr_cnt; 1291 1292 memset(req, 0x00, req_size); 1293 memset(resp, 0x00, resp_size); 1294 1295 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1296 rawdata.msg_type = msg_type; 1297 rawdata.block_count = &tmp_blkcnt; 1298 rawdata.blk_idx = &tmp_blk_idx; 1299 rawdata.write_counter = &wr_cnt; 1300 rawdata.key_mac = hmac; 1301 rawdata.data = (uint8_t *)data_blks + 1302 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1303 1304 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1305 fek, uuid); 1306 if (res != TEE_SUCCESS) 1307 goto out; 1308 1309 res = tee_rpmb_invoke(&mem); 1310 if (res != TEE_SUCCESS) { 1311 /* 1312 * To force wr_cnt sync next time, as it might get 1313 * out of sync due to inconsistent operation result! 1314 */ 1315 rpmb_ctx->wr_cnt_synced = false; 1316 goto out; 1317 } 1318 1319 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1320 1321 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1322 rawdata.msg_type = msg_type; 1323 rawdata.block_count = &tmp_blkcnt; 1324 rawdata.blk_idx = &tmp_blk_idx; 1325 rawdata.write_counter = &wr_cnt; 1326 rawdata.key_mac = hmac; 1327 1328 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1329 NULL); 1330 if (res != TEE_SUCCESS) { 1331 /* 1332 * To force wr_cnt sync next time, as it might get 1333 * out of sync due to inconsistent operation result! 1334 */ 1335 rpmb_ctx->wr_cnt_synced = false; 1336 goto out; 1337 } 1338 1339 tmp_blk_idx += tmp_blkcnt; 1340 } 1341 1342 out: 1343 tee_rpmb_free(&mem); 1344 return res; 1345 } 1346 1347 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1348 uint32_t len) 1349 { 1350 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1351 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1352 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1353 1354 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1355 } 1356 1357 /* 1358 * Write RPMB data in bytes. 1359 * 1360 * @dev_id Device ID of the eMMC device. 1361 * @addr Byte address of data. 1362 * @data Pointer to the data. 1363 * @len Size of data in bytes. 1364 * @fek Encrypted File Encryption Key or NULL. 1365 */ 1366 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1367 const uint8_t *data, uint32_t len, 1368 const uint8_t *fek, const TEE_UUID *uuid) 1369 { 1370 TEE_Result res = TEE_ERROR_GENERIC; 1371 uint8_t *data_tmp = NULL; 1372 uint16_t blk_idx; 1373 uint16_t blkcnt; 1374 uint8_t byte_offset; 1375 1376 blk_idx = addr / RPMB_DATA_SIZE; 1377 byte_offset = addr % RPMB_DATA_SIZE; 1378 1379 blkcnt = 1380 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1381 1382 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1383 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1384 uuid); 1385 if (res != TEE_SUCCESS) 1386 goto func_exit; 1387 } else { 1388 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1389 if (!data_tmp) { 1390 res = TEE_ERROR_OUT_OF_MEMORY; 1391 goto func_exit; 1392 } 1393 1394 /* Read the complete blocks */ 1395 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1396 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1397 if (res != TEE_SUCCESS) 1398 goto func_exit; 1399 1400 /* Partial update of the data blocks */ 1401 memcpy(data_tmp + byte_offset, data, len); 1402 1403 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1404 fek, uuid); 1405 if (res != TEE_SUCCESS) 1406 goto func_exit; 1407 } 1408 1409 res = TEE_SUCCESS; 1410 1411 func_exit: 1412 free(data_tmp); 1413 return res; 1414 } 1415 1416 /* 1417 * Read the RPMB write counter. 1418 * 1419 * @dev_id Device ID of the eMMC device. 1420 * @counter Pointer to the counter. 1421 */ 1422 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1423 uint32_t *counter) 1424 { 1425 TEE_Result res = TEE_SUCCESS; 1426 1427 if (!counter) 1428 return TEE_ERROR_BAD_PARAMETERS; 1429 1430 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1431 res = tee_rpmb_init(dev_id); 1432 if (res != TEE_SUCCESS) 1433 goto func_exit; 1434 } 1435 1436 *counter = rpmb_ctx->wr_cnt; 1437 1438 func_exit: 1439 return res; 1440 } 1441 1442 /* 1443 * Read the RPMB max block. 1444 * 1445 * @dev_id Device ID of the eMMC device. 1446 * @counter Pointer to receive the max block. 1447 */ 1448 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1449 { 1450 TEE_Result res = TEE_SUCCESS; 1451 1452 if (!max_block) 1453 return TEE_ERROR_BAD_PARAMETERS; 1454 1455 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1456 res = tee_rpmb_init(dev_id); 1457 if (res != TEE_SUCCESS) 1458 goto func_exit; 1459 } 1460 1461 *max_block = rpmb_ctx->max_blk_idx; 1462 1463 func_exit: 1464 return res; 1465 } 1466 1467 /* 1468 * End of lower interface to RPMB device 1469 */ 1470 1471 static TEE_Result get_fat_start_address(uint32_t *addr); 1472 1473 static void dump_fat(void) 1474 { 1475 TEE_Result res = TEE_ERROR_GENERIC; 1476 struct rpmb_fat_entry *fat_entries = NULL; 1477 uint32_t fat_address; 1478 size_t size; 1479 int i; 1480 bool last_entry_found = false; 1481 1482 res = get_fat_start_address(&fat_address); 1483 if (res != TEE_SUCCESS) 1484 goto out; 1485 1486 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1487 fat_entries = malloc(size); 1488 if (!fat_entries) { 1489 res = TEE_ERROR_OUT_OF_MEMORY; 1490 goto out; 1491 } 1492 1493 while (!last_entry_found) { 1494 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1495 (uint8_t *)fat_entries, size, NULL, NULL); 1496 if (res != TEE_SUCCESS) 1497 goto out; 1498 1499 for (i = 0; i < N_ENTRIES; i++) { 1500 1501 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1502 fat_entries[i].flags, 1503 fat_entries[i].data_size, 1504 fat_entries[i].start_address, 1505 fat_entries[i].filename); 1506 1507 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1508 last_entry_found = true; 1509 break; 1510 } 1511 1512 /* Move to next fat_entry. */ 1513 fat_address += sizeof(struct rpmb_fat_entry); 1514 } 1515 } 1516 1517 out: 1518 free(fat_entries); 1519 } 1520 1521 #if (TRACE_LEVEL >= TRACE_DEBUG) 1522 static void dump_fh(struct rpmb_file_handle *fh) 1523 { 1524 DMSG("fh->filename=%s", fh->filename); 1525 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1526 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1527 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1528 } 1529 #else 1530 static void dump_fh(struct rpmb_file_handle *fh __unused) 1531 { 1532 } 1533 #endif 1534 1535 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1536 bool temporary) 1537 { 1538 struct rpmb_file_handle *fh = NULL; 1539 1540 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1541 if (!fh) 1542 return NULL; 1543 1544 if (po) 1545 tee_svc_storage_create_filename(fh->filename, 1546 sizeof(fh->filename), po, 1547 temporary); 1548 1549 return fh; 1550 } 1551 1552 /** 1553 * write_fat_entry: Store info in a fat_entry to RPMB. 1554 */ 1555 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1556 bool update_write_counter) 1557 { 1558 TEE_Result res = TEE_ERROR_GENERIC; 1559 1560 /* Protect partition data. */ 1561 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1562 res = TEE_ERROR_ACCESS_CONFLICT; 1563 goto out; 1564 } 1565 1566 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1567 res = TEE_ERROR_BAD_PARAMETERS; 1568 goto out; 1569 } 1570 1571 if (update_write_counter) { 1572 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1573 &fh->fat_entry.write_counter); 1574 if (res != TEE_SUCCESS) 1575 goto out; 1576 } 1577 1578 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1579 (uint8_t *)&fh->fat_entry, 1580 sizeof(struct rpmb_fat_entry), NULL, NULL); 1581 1582 dump_fat(); 1583 1584 out: 1585 return res; 1586 } 1587 1588 /** 1589 * rpmb_fs_setup: Setup rpmb fs. 1590 * Set initial partition and FS values and write to RPMB. 1591 * Store frequently used data in RAM. 1592 */ 1593 static TEE_Result rpmb_fs_setup(void) 1594 { 1595 TEE_Result res = TEE_ERROR_GENERIC; 1596 struct rpmb_fs_partition *partition_data = NULL; 1597 struct rpmb_file_handle *fh = NULL; 1598 uint32_t max_rpmb_block = 0; 1599 1600 if (fs_par) { 1601 res = TEE_SUCCESS; 1602 goto out; 1603 } 1604 1605 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1606 if (res != TEE_SUCCESS) 1607 goto out; 1608 1609 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1610 if (!partition_data) { 1611 res = TEE_ERROR_OUT_OF_MEMORY; 1612 goto out; 1613 } 1614 1615 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1616 (uint8_t *)partition_data, 1617 sizeof(struct rpmb_fs_partition), NULL, NULL); 1618 if (res != TEE_SUCCESS) 1619 goto out; 1620 1621 #ifndef CFG_RPMB_RESET_FAT 1622 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1623 if (partition_data->fs_version == FS_VERSION) { 1624 res = TEE_SUCCESS; 1625 goto store_fs_par; 1626 } else { 1627 EMSG("Wrong software is in use."); 1628 res = TEE_ERROR_ACCESS_DENIED; 1629 goto out; 1630 } 1631 } 1632 #else 1633 EMSG("**** Clearing Storage ****"); 1634 #endif 1635 1636 /* Setup new partition data. */ 1637 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1638 partition_data->fs_version = FS_VERSION; 1639 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1640 1641 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1642 fh = alloc_file_handle(NULL, false); 1643 if (!fh) { 1644 res = TEE_ERROR_OUT_OF_MEMORY; 1645 goto out; 1646 } 1647 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1648 fh->rpmb_fat_address = partition_data->fat_start_address; 1649 1650 /* Write init FAT entry and partition data to RPMB. */ 1651 res = write_fat_entry(fh, true); 1652 if (res != TEE_SUCCESS) 1653 goto out; 1654 1655 res = 1656 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1657 &partition_data->write_counter); 1658 if (res != TEE_SUCCESS) 1659 goto out; 1660 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1661 (uint8_t *)partition_data, 1662 sizeof(struct rpmb_fs_partition), NULL, NULL); 1663 1664 #ifndef CFG_RPMB_RESET_FAT 1665 store_fs_par: 1666 #endif 1667 1668 /* Store FAT start address. */ 1669 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1670 if (!fs_par) { 1671 res = TEE_ERROR_OUT_OF_MEMORY; 1672 goto out; 1673 } 1674 1675 fs_par->fat_start_address = partition_data->fat_start_address; 1676 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1677 1678 dump_fat(); 1679 1680 out: 1681 free(fh); 1682 free(partition_data); 1683 return res; 1684 } 1685 1686 /** 1687 * get_fat_start_address: 1688 * FAT start_address from fs_par. 1689 */ 1690 static TEE_Result get_fat_start_address(uint32_t *addr) 1691 { 1692 if (!fs_par) 1693 return TEE_ERROR_NO_DATA; 1694 1695 *addr = fs_par->fat_start_address; 1696 1697 return TEE_SUCCESS; 1698 } 1699 1700 /** 1701 * read_fat: Read FAT entries 1702 * Return matching FAT entry for read, rm rename and stat. 1703 * Build up memory pool and return matching entry for write operation. 1704 * "Last FAT entry" can be returned during write. 1705 */ 1706 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1707 { 1708 TEE_Result res = TEE_ERROR_GENERIC; 1709 tee_mm_entry_t *mm = NULL; 1710 struct rpmb_fat_entry *fat_entries = NULL; 1711 uint32_t fat_address; 1712 size_t size; 1713 int i; 1714 bool entry_found = false; 1715 bool last_entry_found = false; 1716 bool expand_fat = false; 1717 struct rpmb_file_handle last_fh; 1718 1719 DMSG("fat_address %d", fh->rpmb_fat_address); 1720 1721 res = rpmb_fs_setup(); 1722 if (res != TEE_SUCCESS) 1723 goto out; 1724 1725 res = get_fat_start_address(&fat_address); 1726 if (res != TEE_SUCCESS) 1727 goto out; 1728 1729 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1730 fat_entries = malloc(size); 1731 if (!fat_entries) { 1732 res = TEE_ERROR_OUT_OF_MEMORY; 1733 goto out; 1734 } 1735 1736 /* 1737 * The pool is used to represent the current RPMB layout. To find 1738 * a slot for the file tee_mm_alloc is called on the pool. Thus 1739 * if it is not NULL the entire FAT must be traversed to fill in 1740 * the pool. 1741 */ 1742 while (!last_entry_found && (!entry_found || p)) { 1743 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1744 (uint8_t *)fat_entries, size, NULL, NULL); 1745 if (res != TEE_SUCCESS) 1746 goto out; 1747 1748 for (i = 0; i < N_ENTRIES; i++) { 1749 /* 1750 * Look for an entry, matching filenames. (read, rm, 1751 * rename and stat.). Only store first filename match. 1752 */ 1753 if (fh->filename && 1754 (strcmp(fh->filename, 1755 fat_entries[i].filename) == 0) && 1756 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1757 (!entry_found)) { 1758 entry_found = true; 1759 fh->rpmb_fat_address = fat_address; 1760 memcpy(&fh->fat_entry, &fat_entries[i], 1761 sizeof(struct rpmb_fat_entry)); 1762 if (!p) 1763 break; 1764 } 1765 1766 /* Add existing files to memory pool. (write) */ 1767 if (p) { 1768 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1769 (fat_entries[i].data_size > 0)) { 1770 1771 mm = tee_mm_alloc2 1772 (p, 1773 fat_entries[i].start_address, 1774 fat_entries[i].data_size); 1775 if (!mm) { 1776 res = TEE_ERROR_OUT_OF_MEMORY; 1777 goto out; 1778 } 1779 } 1780 1781 /* Unused FAT entries can be reused (write) */ 1782 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1783 0) && (fh->rpmb_fat_address == 0)) { 1784 fh->rpmb_fat_address = fat_address; 1785 memcpy(&fh->fat_entry, &fat_entries[i], 1786 sizeof(struct rpmb_fat_entry)); 1787 } 1788 } 1789 1790 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1791 last_entry_found = true; 1792 1793 /* 1794 * If the last entry was reached and was chosen 1795 * by the previous check, then the FAT needs to 1796 * be expanded. 1797 * fh->rpmb_fat_address is the address chosen 1798 * to store the files FAT entry and fat_address 1799 * is the current FAT entry address being 1800 * compared. 1801 */ 1802 if (p && fh->rpmb_fat_address == fat_address) 1803 expand_fat = true; 1804 break; 1805 } 1806 1807 /* Move to next fat_entry. */ 1808 fat_address += sizeof(struct rpmb_fat_entry); 1809 } 1810 } 1811 1812 /* 1813 * Represent the FAT table in the pool. 1814 */ 1815 if (p) { 1816 /* 1817 * Since fat_address is the start of the last entry it needs to 1818 * be moved up by an entry. 1819 */ 1820 fat_address += sizeof(struct rpmb_fat_entry); 1821 1822 /* Make room for yet a FAT entry and add to memory pool. */ 1823 if (expand_fat) 1824 fat_address += sizeof(struct rpmb_fat_entry); 1825 1826 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1827 if (!mm) { 1828 res = TEE_ERROR_OUT_OF_MEMORY; 1829 goto out; 1830 } 1831 1832 if (expand_fat) { 1833 /* 1834 * Point fat_address to the beginning of the new 1835 * entry. 1836 */ 1837 fat_address -= sizeof(struct rpmb_fat_entry); 1838 memset(&last_fh, 0, sizeof(last_fh)); 1839 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1840 last_fh.rpmb_fat_address = fat_address; 1841 res = write_fat_entry(&last_fh, true); 1842 if (res != TEE_SUCCESS) 1843 goto out; 1844 } 1845 } 1846 1847 if (fh->filename && !fh->rpmb_fat_address) 1848 res = TEE_ERROR_ITEM_NOT_FOUND; 1849 1850 out: 1851 free(fat_entries); 1852 return res; 1853 } 1854 1855 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1856 { 1857 TEE_Result res; 1858 1859 again: 1860 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1861 if (res != TEE_SUCCESS) 1862 return res; 1863 1864 if (is_zero(fe->fek, sizeof(fe->fek))) 1865 goto again; 1866 1867 return res; 1868 } 1869 1870 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1871 const TEE_UUID *uuid, bool create) 1872 { 1873 tee_mm_pool_t p; 1874 bool pool_result; 1875 TEE_Result res = TEE_ERROR_GENERIC; 1876 1877 /* We need to do setup in order to make sure fs_par is filled in */ 1878 res = rpmb_fs_setup(); 1879 if (res != TEE_SUCCESS) 1880 goto out; 1881 1882 fh->uuid = uuid; 1883 if (create) { 1884 /* Upper memory allocation must be used for RPMB_FS. */ 1885 pool_result = tee_mm_init(&p, 1886 RPMB_STORAGE_START_ADDRESS, 1887 fs_par->max_rpmb_address, 1888 RPMB_BLOCK_SIZE_SHIFT, 1889 TEE_MM_POOL_HI_ALLOC); 1890 1891 if (!pool_result) { 1892 res = TEE_ERROR_OUT_OF_MEMORY; 1893 goto out; 1894 } 1895 1896 res = read_fat(fh, &p); 1897 tee_mm_final(&p); 1898 if (res != TEE_SUCCESS) 1899 goto out; 1900 } else { 1901 res = read_fat(fh, NULL); 1902 if (res != TEE_SUCCESS) 1903 goto out; 1904 } 1905 1906 /* 1907 * If this is opened with create and the entry found was not active 1908 * then this is a new file and the FAT entry must be written 1909 */ 1910 if (create) { 1911 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1912 memset(&fh->fat_entry, 0, 1913 sizeof(struct rpmb_fat_entry)); 1914 memcpy(fh->fat_entry.filename, fh->filename, 1915 strlen(fh->filename)); 1916 /* Start address and size are 0 */ 1917 fh->fat_entry.flags = FILE_IS_ACTIVE; 1918 1919 res = generate_fek(&fh->fat_entry, uuid); 1920 if (res != TEE_SUCCESS) 1921 goto out; 1922 DMSG("GENERATE FEK key: %p", 1923 (void *)fh->fat_entry.fek); 1924 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1925 1926 res = write_fat_entry(fh, true); 1927 if (res != TEE_SUCCESS) 1928 goto out; 1929 } 1930 } 1931 1932 res = TEE_SUCCESS; 1933 1934 out: 1935 return res; 1936 } 1937 1938 static void rpmb_fs_close(struct tee_file_handle **tfh) 1939 { 1940 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1941 1942 free(fh); 1943 *tfh = NULL; 1944 } 1945 1946 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1947 void *buf, size_t *len) 1948 { 1949 TEE_Result res; 1950 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1951 size_t size = *len; 1952 1953 if (!size) 1954 return TEE_SUCCESS; 1955 1956 mutex_lock(&rpmb_mutex); 1957 1958 dump_fh(fh); 1959 1960 res = read_fat(fh, NULL); 1961 if (res != TEE_SUCCESS) 1962 goto out; 1963 1964 if (pos >= fh->fat_entry.data_size) { 1965 *len = 0; 1966 goto out; 1967 } 1968 1969 size = MIN(size, fh->fat_entry.data_size - pos); 1970 if (size) { 1971 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1972 fh->fat_entry.start_address + pos, buf, 1973 size, fh->fat_entry.fek, fh->uuid); 1974 if (res != TEE_SUCCESS) 1975 goto out; 1976 } 1977 *len = size; 1978 1979 out: 1980 mutex_unlock(&rpmb_mutex); 1981 return res; 1982 } 1983 1984 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1985 size_t pos, const void *buf, 1986 size_t size) 1987 { 1988 TEE_Result res; 1989 tee_mm_pool_t p; 1990 bool pool_result = false; 1991 tee_mm_entry_t *mm; 1992 size_t end; 1993 size_t newsize; 1994 uint8_t *newbuf = NULL; 1995 uintptr_t newaddr; 1996 uint32_t start_addr; 1997 1998 if (!size) 1999 return TEE_SUCCESS; 2000 2001 if (!fs_par) { 2002 res = TEE_ERROR_GENERIC; 2003 goto out; 2004 } 2005 2006 dump_fh(fh); 2007 2008 /* Upper memory allocation must be used for RPMB_FS. */ 2009 pool_result = tee_mm_init(&p, 2010 RPMB_STORAGE_START_ADDRESS, 2011 fs_par->max_rpmb_address, 2012 RPMB_BLOCK_SIZE_SHIFT, 2013 TEE_MM_POOL_HI_ALLOC); 2014 if (!pool_result) { 2015 res = TEE_ERROR_OUT_OF_MEMORY; 2016 goto out; 2017 } 2018 2019 res = read_fat(fh, &p); 2020 if (res != TEE_SUCCESS) 2021 goto out; 2022 2023 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2024 panic("invalid last entry flag"); 2025 2026 if (ADD_OVERFLOW(pos, size, &end)) { 2027 res = TEE_ERROR_BAD_PARAMETERS; 2028 goto out; 2029 } 2030 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2031 res = TEE_ERROR_BAD_PARAMETERS; 2032 goto out; 2033 } 2034 2035 if (end <= fh->fat_entry.data_size && 2036 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2037 2038 DMSG("Updating data in-place"); 2039 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2040 size, fh->fat_entry.fek, fh->uuid); 2041 if (res != TEE_SUCCESS) 2042 goto out; 2043 } else { 2044 /* 2045 * File must be extended, or update cannot be atomic: allocate, 2046 * read, update, write. 2047 */ 2048 2049 DMSG("Need to re-allocate"); 2050 newsize = MAX(end, fh->fat_entry.data_size); 2051 mm = tee_mm_alloc(&p, newsize); 2052 newbuf = calloc(1, newsize); 2053 if (!mm || !newbuf) { 2054 res = TEE_ERROR_OUT_OF_MEMORY; 2055 goto out; 2056 } 2057 2058 if (fh->fat_entry.data_size) { 2059 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2060 fh->fat_entry.start_address, 2061 newbuf, fh->fat_entry.data_size, 2062 fh->fat_entry.fek, fh->uuid); 2063 if (res != TEE_SUCCESS) 2064 goto out; 2065 } 2066 2067 memcpy(newbuf + pos, buf, size); 2068 2069 newaddr = tee_mm_get_smem(mm); 2070 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2071 newsize, fh->fat_entry.fek, fh->uuid); 2072 if (res != TEE_SUCCESS) 2073 goto out; 2074 2075 fh->fat_entry.data_size = newsize; 2076 fh->fat_entry.start_address = newaddr; 2077 res = write_fat_entry(fh, true); 2078 if (res != TEE_SUCCESS) 2079 goto out; 2080 } 2081 2082 out: 2083 if (pool_result) 2084 tee_mm_final(&p); 2085 if (newbuf) 2086 free(newbuf); 2087 2088 return res; 2089 } 2090 2091 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2092 const void *buf, size_t size) 2093 { 2094 TEE_Result res; 2095 2096 mutex_lock(&rpmb_mutex); 2097 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2098 buf, size); 2099 mutex_unlock(&rpmb_mutex); 2100 2101 return res; 2102 } 2103 2104 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2105 { 2106 TEE_Result res; 2107 2108 res = read_fat(fh, NULL); 2109 if (res) 2110 return res; 2111 2112 /* Clear this file entry. */ 2113 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2114 return write_fat_entry(fh, false); 2115 } 2116 2117 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2118 { 2119 TEE_Result res; 2120 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2121 2122 if (!fh) 2123 return TEE_ERROR_OUT_OF_MEMORY; 2124 2125 mutex_lock(&rpmb_mutex); 2126 2127 res = rpmb_fs_remove_internal(fh); 2128 2129 mutex_unlock(&rpmb_mutex); 2130 2131 free(fh); 2132 return res; 2133 } 2134 2135 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2136 struct tee_pobj *new, 2137 bool overwrite) 2138 { 2139 TEE_Result res = TEE_ERROR_GENERIC; 2140 struct rpmb_file_handle *fh_old = NULL; 2141 struct rpmb_file_handle *fh_new = NULL; 2142 2143 if (!old) { 2144 res = TEE_ERROR_BAD_PARAMETERS; 2145 goto out; 2146 } 2147 2148 if (new) 2149 fh_old = alloc_file_handle(old, old->temporary); 2150 else 2151 fh_old = alloc_file_handle(old, true); 2152 if (!fh_old) { 2153 res = TEE_ERROR_OUT_OF_MEMORY; 2154 goto out; 2155 } 2156 2157 if (new) 2158 fh_new = alloc_file_handle(new, new->temporary); 2159 else 2160 fh_new = alloc_file_handle(old, false); 2161 if (!fh_new) { 2162 res = TEE_ERROR_OUT_OF_MEMORY; 2163 goto out; 2164 } 2165 2166 res = read_fat(fh_old, NULL); 2167 if (res != TEE_SUCCESS) 2168 goto out; 2169 2170 res = read_fat(fh_new, NULL); 2171 if (res == TEE_SUCCESS) { 2172 if (!overwrite) { 2173 res = TEE_ERROR_ACCESS_CONFLICT; 2174 goto out; 2175 } 2176 2177 /* Clear this file entry. */ 2178 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2179 res = write_fat_entry(fh_new, false); 2180 if (res != TEE_SUCCESS) 2181 goto out; 2182 } 2183 2184 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2185 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2186 strlen(fh_new->filename)); 2187 2188 res = write_fat_entry(fh_old, false); 2189 2190 out: 2191 free(fh_old); 2192 free(fh_new); 2193 2194 return res; 2195 } 2196 2197 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2198 bool overwrite) 2199 { 2200 TEE_Result res; 2201 2202 mutex_lock(&rpmb_mutex); 2203 res = rpmb_fs_rename_internal(old, new, overwrite); 2204 mutex_unlock(&rpmb_mutex); 2205 2206 return res; 2207 } 2208 2209 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2210 { 2211 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2212 tee_mm_pool_t p; 2213 bool pool_result = false; 2214 tee_mm_entry_t *mm; 2215 uint32_t newsize; 2216 uint8_t *newbuf = NULL; 2217 uintptr_t newaddr; 2218 TEE_Result res = TEE_ERROR_GENERIC; 2219 2220 mutex_lock(&rpmb_mutex); 2221 2222 if (length > INT32_MAX) { 2223 res = TEE_ERROR_BAD_PARAMETERS; 2224 goto out; 2225 } 2226 newsize = length; 2227 2228 res = read_fat(fh, NULL); 2229 if (res != TEE_SUCCESS) 2230 goto out; 2231 2232 if (newsize > fh->fat_entry.data_size) { 2233 /* Extend file */ 2234 2235 pool_result = tee_mm_init(&p, 2236 RPMB_STORAGE_START_ADDRESS, 2237 fs_par->max_rpmb_address, 2238 RPMB_BLOCK_SIZE_SHIFT, 2239 TEE_MM_POOL_HI_ALLOC); 2240 if (!pool_result) { 2241 res = TEE_ERROR_OUT_OF_MEMORY; 2242 goto out; 2243 } 2244 res = read_fat(fh, &p); 2245 if (res != TEE_SUCCESS) 2246 goto out; 2247 2248 mm = tee_mm_alloc(&p, newsize); 2249 newbuf = calloc(1, newsize); 2250 if (!mm || !newbuf) { 2251 res = TEE_ERROR_OUT_OF_MEMORY; 2252 goto out; 2253 } 2254 2255 if (fh->fat_entry.data_size) { 2256 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2257 fh->fat_entry.start_address, 2258 newbuf, fh->fat_entry.data_size, 2259 fh->fat_entry.fek, fh->uuid); 2260 if (res != TEE_SUCCESS) 2261 goto out; 2262 } 2263 2264 newaddr = tee_mm_get_smem(mm); 2265 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2266 newsize, fh->fat_entry.fek, fh->uuid); 2267 if (res != TEE_SUCCESS) 2268 goto out; 2269 2270 } else { 2271 /* Don't change file location */ 2272 newaddr = fh->fat_entry.start_address; 2273 } 2274 2275 /* fh->pos is unchanged */ 2276 fh->fat_entry.data_size = newsize; 2277 fh->fat_entry.start_address = newaddr; 2278 res = write_fat_entry(fh, true); 2279 2280 out: 2281 mutex_unlock(&rpmb_mutex); 2282 if (pool_result) 2283 tee_mm_final(&p); 2284 if (newbuf) 2285 free(newbuf); 2286 2287 return res; 2288 } 2289 2290 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2291 { 2292 struct tee_rpmb_fs_dirent *e; 2293 2294 if (!dir) 2295 return; 2296 2297 free(dir->current); 2298 2299 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2300 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2301 free(e); 2302 } 2303 } 2304 2305 static TEE_Result rpmb_fs_dir_populate(const char *path, 2306 struct tee_fs_dir *dir) 2307 { 2308 struct tee_rpmb_fs_dirent *current = NULL; 2309 struct rpmb_fat_entry *fat_entries = NULL; 2310 uint32_t fat_address; 2311 uint32_t filelen; 2312 char *filename; 2313 int i; 2314 bool last_entry_found = false; 2315 bool matched; 2316 struct tee_rpmb_fs_dirent *next = NULL; 2317 uint32_t pathlen; 2318 TEE_Result res = TEE_ERROR_GENERIC; 2319 uint32_t size; 2320 char temp; 2321 2322 mutex_lock(&rpmb_mutex); 2323 2324 res = rpmb_fs_setup(); 2325 if (res != TEE_SUCCESS) 2326 goto out; 2327 2328 res = get_fat_start_address(&fat_address); 2329 if (res != TEE_SUCCESS) 2330 goto out; 2331 2332 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2333 fat_entries = malloc(size); 2334 if (!fat_entries) { 2335 res = TEE_ERROR_OUT_OF_MEMORY; 2336 goto out; 2337 } 2338 2339 pathlen = strlen(path); 2340 while (!last_entry_found) { 2341 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2342 (uint8_t *)fat_entries, size, NULL, NULL); 2343 if (res != TEE_SUCCESS) 2344 goto out; 2345 2346 for (i = 0; i < N_ENTRIES; i++) { 2347 filename = fat_entries[i].filename; 2348 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2349 matched = false; 2350 filelen = strlen(filename); 2351 if (filelen > pathlen) { 2352 temp = filename[pathlen]; 2353 filename[pathlen] = '\0'; 2354 if (strcmp(filename, path) == 0) 2355 matched = true; 2356 2357 filename[pathlen] = temp; 2358 } 2359 2360 if (matched) { 2361 next = malloc(sizeof(*next)); 2362 if (!next) { 2363 res = TEE_ERROR_OUT_OF_MEMORY; 2364 goto out; 2365 } 2366 2367 next->entry.oidlen = tee_hs2b( 2368 (uint8_t *)&filename[pathlen], 2369 next->entry.oid, 2370 filelen - pathlen, 2371 sizeof(next->entry.oid)); 2372 if (next->entry.oidlen) { 2373 SIMPLEQ_INSERT_TAIL(&dir->next, 2374 next, link); 2375 current = next; 2376 } else { 2377 free(next); 2378 next = NULL; 2379 } 2380 2381 } 2382 } 2383 2384 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2385 last_entry_found = true; 2386 break; 2387 } 2388 2389 /* Move to next fat_entry. */ 2390 fat_address += sizeof(struct rpmb_fat_entry); 2391 } 2392 } 2393 2394 if (current) 2395 res = TEE_SUCCESS; 2396 else 2397 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2398 2399 out: 2400 mutex_unlock(&rpmb_mutex); 2401 if (res != TEE_SUCCESS) 2402 rpmb_fs_dir_free(dir); 2403 if (fat_entries) 2404 free(fat_entries); 2405 2406 return res; 2407 } 2408 2409 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2410 { 2411 uint32_t len; 2412 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2413 TEE_Result res = TEE_ERROR_GENERIC; 2414 struct tee_fs_dir *rpmb_dir = NULL; 2415 2416 if (!uuid || !dir) { 2417 res = TEE_ERROR_BAD_PARAMETERS; 2418 goto out; 2419 } 2420 2421 memset(path_local, 0, sizeof(path_local)); 2422 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2423 uuid) != TEE_SUCCESS) { 2424 res = TEE_ERROR_BAD_PARAMETERS; 2425 goto out; 2426 } 2427 len = strlen(path_local); 2428 2429 /* Add a slash to correctly match the full directory name. */ 2430 if (path_local[len - 1] != '/') 2431 path_local[len] = '/'; 2432 2433 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2434 if (!rpmb_dir) { 2435 res = TEE_ERROR_OUT_OF_MEMORY; 2436 goto out; 2437 } 2438 SIMPLEQ_INIT(&rpmb_dir->next); 2439 2440 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2441 if (res != TEE_SUCCESS) { 2442 free(rpmb_dir); 2443 rpmb_dir = NULL; 2444 goto out; 2445 } 2446 2447 *dir = rpmb_dir; 2448 2449 out: 2450 return res; 2451 } 2452 2453 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2454 struct tee_fs_dirent **ent) 2455 { 2456 if (!dir) 2457 return TEE_ERROR_GENERIC; 2458 2459 free(dir->current); 2460 2461 dir->current = SIMPLEQ_FIRST(&dir->next); 2462 if (!dir->current) 2463 return TEE_ERROR_ITEM_NOT_FOUND; 2464 2465 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2466 2467 *ent = &dir->current->entry; 2468 return TEE_SUCCESS; 2469 } 2470 2471 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2472 { 2473 if (dir) { 2474 rpmb_fs_dir_free(dir); 2475 free(dir); 2476 } 2477 } 2478 2479 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2480 struct tee_file_handle **ret_fh) 2481 { 2482 TEE_Result res; 2483 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2484 2485 if (!fh) 2486 return TEE_ERROR_OUT_OF_MEMORY; 2487 2488 mutex_lock(&rpmb_mutex); 2489 2490 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2491 if (!res && size) 2492 *size = fh->fat_entry.data_size; 2493 2494 mutex_unlock(&rpmb_mutex); 2495 2496 if (res) 2497 free(fh); 2498 else 2499 *ret_fh = (struct tee_file_handle *)fh; 2500 2501 return res; 2502 } 2503 2504 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2505 const void *head, size_t head_size, 2506 const void *attr, size_t attr_size, 2507 const void *data, size_t data_size, 2508 struct tee_file_handle **ret_fh) 2509 { 2510 TEE_Result res; 2511 size_t pos = 0; 2512 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2513 2514 if (!fh) 2515 return TEE_ERROR_OUT_OF_MEMORY; 2516 2517 mutex_lock(&rpmb_mutex); 2518 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2519 if (res) 2520 goto out; 2521 2522 if (head && head_size) { 2523 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2524 if (res) 2525 goto out; 2526 pos += head_size; 2527 } 2528 2529 if (attr && attr_size) { 2530 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2531 if (res) 2532 goto out; 2533 pos += attr_size; 2534 } 2535 2536 if (data && data_size) { 2537 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2538 if (res) 2539 goto out; 2540 } 2541 2542 if (po->temporary) { 2543 /* 2544 * If it's a temporary filename (which it normally is) 2545 * rename into the final filename now that the file is 2546 * fully initialized. 2547 */ 2548 po->temporary = false; 2549 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2550 if (res) { 2551 po->temporary = true; 2552 goto out; 2553 } 2554 /* Update file handle after rename. */ 2555 tee_svc_storage_create_filename(fh->filename, 2556 sizeof(fh->filename), 2557 po, false); 2558 } 2559 2560 out: 2561 if (res) { 2562 rpmb_fs_remove_internal(fh); 2563 free(fh); 2564 } else { 2565 *ret_fh = (struct tee_file_handle *)fh; 2566 } 2567 mutex_unlock(&rpmb_mutex); 2568 2569 return res; 2570 } 2571 2572 const struct tee_file_operations rpmb_fs_ops = { 2573 .open = rpmb_fs_open, 2574 .create = rpmb_fs_create, 2575 .close = rpmb_fs_close, 2576 .read = rpmb_fs_read, 2577 .write = rpmb_fs_write, 2578 .truncate = rpmb_fs_truncate, 2579 .rename = rpmb_fs_rename, 2580 .remove = rpmb_fs_remove, 2581 .opendir = rpmb_fs_opendir, 2582 .closedir = rpmb_fs_closedir, 2583 .readdir = rpmb_fs_readdir, 2584 }; 2585 2586 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2587 struct tee_file_handle **ret_fh) 2588 { 2589 TEE_Result res; 2590 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2591 static const TEE_UUID uuid = { 0 }; 2592 2593 if (!fh) 2594 return TEE_ERROR_OUT_OF_MEMORY; 2595 2596 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2597 2598 mutex_lock(&rpmb_mutex); 2599 2600 res = rpmb_fs_open_internal(fh, &uuid, create); 2601 2602 mutex_unlock(&rpmb_mutex); 2603 2604 if (res) { 2605 if (create) 2606 rpmb_fs_remove_internal(fh); 2607 free(fh); 2608 } else { 2609 *ret_fh = (struct tee_file_handle *)fh; 2610 } 2611 2612 return res; 2613 } 2614