1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 326 uint8_t *key, uint32_t keysize, 327 struct rpmb_data_frame *datafrms, 328 uint16_t blkcnt) 329 { 330 TEE_Result res = TEE_ERROR_GENERIC; 331 int i; 332 void *ctx = NULL; 333 334 if (!mac || !key || !datafrms) 335 return TEE_ERROR_BAD_PARAMETERS; 336 337 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 338 if (res) 339 return res; 340 341 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, key, keysize); 342 if (res != TEE_SUCCESS) 343 goto func_exit; 344 345 for (i = 0; i < blkcnt; i++) { 346 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, 347 datafrms[i].data, 348 RPMB_MAC_PROTECT_DATA_SIZE); 349 if (res != TEE_SUCCESS) 350 goto func_exit; 351 } 352 353 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, mac, macsize); 354 if (res != TEE_SUCCESS) 355 goto func_exit; 356 357 res = TEE_SUCCESS; 358 359 func_exit: 360 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 361 return res; 362 } 363 364 struct tee_rpmb_mem { 365 struct mobj *phreq_mobj; 366 struct mobj *phresp_mobj; 367 size_t req_size; 368 size_t resp_size; 369 }; 370 371 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 372 { 373 if (!mem) 374 return; 375 376 if (mem->phreq_mobj) { 377 thread_rpc_free_payload(mem->phreq_mobj); 378 mem->phreq_mobj = NULL; 379 } 380 if (mem->phresp_mobj) { 381 thread_rpc_free_payload(mem->phresp_mobj); 382 mem->phresp_mobj = NULL; 383 } 384 } 385 386 387 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 388 struct tee_rpmb_mem *mem, void **req, void **resp) 389 { 390 TEE_Result res = TEE_SUCCESS; 391 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 392 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 393 394 if (!mem) 395 return TEE_ERROR_BAD_PARAMETERS; 396 397 memset(mem, 0, sizeof(*mem)); 398 399 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 400 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 401 402 if (!mem->phreq_mobj || !mem->phresp_mobj) { 403 res = TEE_ERROR_OUT_OF_MEMORY; 404 goto out; 405 } 406 407 *req = mobj_get_va(mem->phreq_mobj, 0); 408 *resp = mobj_get_va(mem->phresp_mobj, 0); 409 if (!*req || !*resp) { 410 res = TEE_ERROR_GENERIC; 411 goto out; 412 } 413 414 mem->req_size = req_size; 415 mem->resp_size = resp_size; 416 417 out: 418 if (res != TEE_SUCCESS) 419 tee_rpmb_free(mem); 420 return res; 421 } 422 423 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 424 { 425 struct thread_param params[2] = { 426 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 427 mem->req_size), 428 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 429 mem->resp_size), 430 }; 431 432 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 433 } 434 435 static bool is_zero(const uint8_t *buf, size_t size) 436 { 437 size_t i; 438 439 for (i = 0; i < size; i++) 440 if (buf[i]) 441 return false; 442 return true; 443 } 444 445 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 446 uint16_t blk_idx, const uint8_t *fek, 447 const TEE_UUID *uuid) 448 { 449 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 450 blk_idx, fek, TEE_MODE_ENCRYPT); 451 } 452 453 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 454 uint16_t blk_idx, const uint8_t *fek, 455 const TEE_UUID *uuid) 456 { 457 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 458 blk_idx, fek, TEE_MODE_DECRYPT); 459 } 460 461 /* Decrypt/copy at most one block of data */ 462 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 463 size_t size, size_t offset, 464 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 465 const TEE_UUID *uuid) 466 { 467 uint8_t *tmp __maybe_unused; 468 469 470 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 471 panic("invalid size or offset"); 472 473 if (!fek) { 474 /* Block is not encrypted (not a file data block) */ 475 memcpy(out, frm->data + offset, size); 476 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 477 /* The file was created with encryption disabled */ 478 return TEE_ERROR_SECURITY; 479 } else { 480 /* Block is encrypted */ 481 if (size < RPMB_DATA_SIZE) { 482 /* 483 * Since output buffer is not large enough to hold one 484 * block we must allocate a temporary buffer. 485 */ 486 tmp = malloc(RPMB_DATA_SIZE); 487 if (!tmp) 488 return TEE_ERROR_OUT_OF_MEMORY; 489 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 490 memcpy(out, tmp + offset, size); 491 free(tmp); 492 } else { 493 decrypt_block(out, frm->data, blk_idx, fek, uuid); 494 } 495 } 496 497 return TEE_SUCCESS; 498 } 499 500 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 501 struct rpmb_raw_data *rawdata, 502 uint16_t nbr_frms, uint16_t dev_id, 503 const uint8_t *fek, const TEE_UUID *uuid) 504 { 505 TEE_Result res = TEE_ERROR_GENERIC; 506 int i; 507 struct rpmb_data_frame *datafrm; 508 509 if (!req || !rawdata || !nbr_frms) 510 return TEE_ERROR_BAD_PARAMETERS; 511 512 /* 513 * Check write blockcount is not bigger than reliable write 514 * blockcount. 515 */ 516 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 517 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 518 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 519 rpmb_ctx->rel_wr_blkcnt); 520 return TEE_ERROR_GENERIC; 521 } 522 523 req->cmd = RPMB_CMD_DATA_REQ; 524 req->dev_id = dev_id; 525 526 /* Allocate memory for construct all data packets and calculate MAC. */ 527 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 528 if (!datafrm) 529 return TEE_ERROR_OUT_OF_MEMORY; 530 531 for (i = 0; i < nbr_frms; i++) { 532 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 533 534 if (rawdata->block_count) 535 u16_to_bytes(*rawdata->block_count, 536 datafrm[i].block_count); 537 538 if (rawdata->blk_idx) { 539 /* Check the block index is within range. */ 540 if ((*rawdata->blk_idx + nbr_frms) > 541 rpmb_ctx->max_blk_idx) { 542 res = TEE_ERROR_GENERIC; 543 goto func_exit; 544 } 545 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 546 } 547 548 if (rawdata->write_counter) 549 u32_to_bytes(*rawdata->write_counter, 550 datafrm[i].write_counter); 551 552 if (rawdata->nonce) 553 memcpy(datafrm[i].nonce, rawdata->nonce, 554 RPMB_NONCE_SIZE); 555 556 if (rawdata->data) { 557 if (fek) 558 encrypt_block(datafrm[i].data, 559 rawdata->data + (i * RPMB_DATA_SIZE), 560 *rawdata->blk_idx + i, fek, uuid); 561 else 562 memcpy(datafrm[i].data, 563 rawdata->data + (i * RPMB_DATA_SIZE), 564 RPMB_DATA_SIZE); 565 } 566 } 567 568 if (rawdata->key_mac) { 569 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 570 res = 571 tee_rpmb_mac_calc(rawdata->key_mac, 572 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 573 RPMB_KEY_MAC_SIZE, datafrm, 574 nbr_frms); 575 if (res != TEE_SUCCESS) 576 goto func_exit; 577 } 578 memcpy(datafrm[nbr_frms - 1].key_mac, 579 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 580 } 581 582 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 583 nbr_frms * RPMB_DATA_FRAME_SIZE); 584 585 #ifdef CFG_RPMB_FS_DEBUG_DATA 586 for (i = 0; i < nbr_frms; i++) { 587 DMSG("Dumping data frame %d:", i); 588 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 589 512 - RPMB_STUFF_DATA_SIZE); 590 } 591 #endif 592 593 res = TEE_SUCCESS; 594 func_exit: 595 free(datafrm); 596 return res; 597 } 598 599 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 600 struct rpmb_data_frame *frm, 601 const uint8_t *fek, const TEE_UUID *uuid) 602 { 603 TEE_Result res; 604 uint8_t *data; 605 uint16_t idx; 606 607 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 608 return TEE_ERROR_BAD_PARAMETERS; 609 610 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 611 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 612 if (res != TEE_SUCCESS) 613 return res; 614 615 data = rawdata->data; 616 bytes_to_u16(frm->address, &idx); 617 618 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 619 uuid); 620 return res; 621 } 622 623 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 624 struct rpmb_raw_data *rawdata, 625 uint16_t nbr_frms, 626 struct rpmb_data_frame *lastfrm, 627 const uint8_t *fek, 628 const TEE_UUID *uuid) 629 { 630 TEE_Result res = TEE_ERROR_GENERIC; 631 int i; 632 void *ctx = NULL; 633 uint16_t offset; 634 uint32_t size; 635 uint8_t *data; 636 uint16_t start_idx; 637 struct rpmb_data_frame localfrm; 638 639 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 640 return TEE_ERROR_BAD_PARAMETERS; 641 642 if (nbr_frms == 1) 643 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 644 645 /* nbr_frms > 1 */ 646 647 data = rawdata->data; 648 649 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 650 if (res) 651 goto func_exit; 652 653 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, rpmb_ctx->key, 654 RPMB_KEY_MAC_SIZE); 655 if (res != TEE_SUCCESS) 656 goto func_exit; 657 658 /* 659 * Note: JEDEC JESD84-B51: "In every packet the address is the start 660 * address of the full access (not address of the individual half a 661 * sector)" 662 */ 663 bytes_to_u16(lastfrm->address, &start_idx); 664 665 for (i = 0; i < (nbr_frms - 1); i++) { 666 667 /* 668 * By working on a local copy of the RPMB frame, we ensure that 669 * the data can not be modified after the MAC is computed but 670 * before the payload is decrypted/copied to the output buffer. 671 */ 672 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 673 674 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, localfrm.data, 675 RPMB_MAC_PROTECT_DATA_SIZE); 676 if (res != TEE_SUCCESS) 677 goto func_exit; 678 679 if (i == 0) { 680 /* First block */ 681 offset = rawdata->byte_offset; 682 size = RPMB_DATA_SIZE - offset; 683 } else { 684 /* Middle blocks */ 685 size = RPMB_DATA_SIZE; 686 offset = 0; 687 } 688 689 res = decrypt(data, &localfrm, size, offset, start_idx + i, 690 fek, uuid); 691 if (res != TEE_SUCCESS) 692 goto func_exit; 693 694 data += size; 695 } 696 697 /* Last block */ 698 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 699 if (size == 0) 700 size = RPMB_DATA_SIZE; 701 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 702 uuid); 703 if (res != TEE_SUCCESS) 704 goto func_exit; 705 706 /* Update MAC against the last block */ 707 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, lastfrm->data, 708 RPMB_MAC_PROTECT_DATA_SIZE); 709 if (res != TEE_SUCCESS) 710 goto func_exit; 711 712 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, rawdata->key_mac, 713 RPMB_KEY_MAC_SIZE); 714 if (res != TEE_SUCCESS) 715 goto func_exit; 716 717 res = TEE_SUCCESS; 718 719 func_exit: 720 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 721 return res; 722 } 723 724 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 725 struct rpmb_raw_data *rawdata, 726 uint16_t nbr_frms, 727 const uint8_t *fek, 728 const TEE_UUID *uuid) 729 { 730 TEE_Result res = TEE_ERROR_GENERIC; 731 uint16_t msg_type; 732 uint32_t wr_cnt; 733 uint16_t blk_idx; 734 uint16_t op_result; 735 struct rpmb_data_frame lastfrm; 736 737 if (!datafrm || !rawdata || !nbr_frms) 738 return TEE_ERROR_BAD_PARAMETERS; 739 740 #ifdef CFG_RPMB_FS_DEBUG_DATA 741 for (uint32_t i = 0; i < nbr_frms; i++) { 742 DMSG("Dumping data frame %d:", i); 743 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 744 512 - RPMB_STUFF_DATA_SIZE); 745 } 746 #endif 747 748 /* Make sure the last data packet can't be modified once verified */ 749 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 750 751 /* Handle operation result and translate to TEEC error code. */ 752 bytes_to_u16(lastfrm.op_result, &op_result); 753 if (rawdata->op_result) 754 *rawdata->op_result = op_result; 755 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 756 return TEE_ERROR_ITEM_NOT_FOUND; 757 if (op_result != RPMB_RESULT_OK) 758 return TEE_ERROR_GENERIC; 759 760 /* Check the response msg_type. */ 761 bytes_to_u16(lastfrm.msg_type, &msg_type); 762 if (msg_type != rawdata->msg_type) { 763 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 764 rawdata->msg_type); 765 return TEE_ERROR_GENERIC; 766 } 767 768 if (rawdata->blk_idx) { 769 bytes_to_u16(lastfrm.address, &blk_idx); 770 if (blk_idx != *rawdata->blk_idx) { 771 DMSG("Unexpected block index"); 772 return TEE_ERROR_GENERIC; 773 } 774 } 775 776 if (rawdata->write_counter) { 777 wr_cnt = *rawdata->write_counter; 778 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 779 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 780 /* Verify the write counter is incremented by 1 */ 781 if (*rawdata->write_counter != wr_cnt + 1) { 782 DMSG("Counter mismatched (0x%04x/0x%04x)", 783 *rawdata->write_counter, wr_cnt + 1); 784 return TEE_ERROR_SECURITY; 785 } 786 rpmb_ctx->wr_cnt++; 787 } 788 } 789 790 if (rawdata->nonce) { 791 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 792 RPMB_NONCE_SIZE) != 0) { 793 DMSG("Nonce mismatched"); 794 return TEE_ERROR_SECURITY; 795 } 796 } 797 798 if (rawdata->key_mac) { 799 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 800 if (!rawdata->data) 801 return TEE_ERROR_GENERIC; 802 803 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 804 nbr_frms, &lastfrm, 805 fek, uuid); 806 807 if (res != TEE_SUCCESS) 808 return res; 809 } else { 810 /* 811 * There should be only one data frame for 812 * other msg types. 813 */ 814 if (nbr_frms != 1) 815 return TEE_ERROR_GENERIC; 816 817 res = tee_rpmb_mac_calc(rawdata->key_mac, 818 RPMB_KEY_MAC_SIZE, 819 rpmb_ctx->key, 820 RPMB_KEY_MAC_SIZE, 821 &lastfrm, 1); 822 823 if (res != TEE_SUCCESS) 824 return res; 825 } 826 827 #ifndef CFG_RPMB_FS_NO_MAC 828 if (consttime_memcmp(rawdata->key_mac, 829 (datafrm + nbr_frms - 1)->key_mac, 830 RPMB_KEY_MAC_SIZE) != 0) { 831 DMSG("MAC mismatched:"); 832 #ifdef CFG_RPMB_FS_DEBUG_DATA 833 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 834 #endif 835 return TEE_ERROR_SECURITY; 836 } 837 #endif /* !CFG_RPMB_FS_NO_MAC */ 838 } 839 840 return TEE_SUCCESS; 841 } 842 843 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 844 struct rpmb_dev_info *dev_info) 845 { 846 TEE_Result res = TEE_ERROR_GENERIC; 847 struct tee_rpmb_mem mem; 848 struct rpmb_dev_info *di; 849 struct rpmb_req *req = NULL; 850 uint8_t *resp = NULL; 851 uint32_t req_size; 852 uint32_t resp_size; 853 854 if (!dev_info) 855 return TEE_ERROR_BAD_PARAMETERS; 856 857 req_size = sizeof(struct rpmb_req); 858 resp_size = sizeof(struct rpmb_dev_info); 859 res = tee_rpmb_alloc(req_size, resp_size, &mem, 860 (void *)&req, (void *)&resp); 861 if (res != TEE_SUCCESS) 862 goto func_exit; 863 864 req->cmd = RPMB_CMD_GET_DEV_INFO; 865 req->dev_id = dev_id; 866 867 di = (struct rpmb_dev_info *)resp; 868 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 869 870 res = tee_rpmb_invoke(&mem); 871 if (res != TEE_SUCCESS) 872 goto func_exit; 873 874 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 875 res = TEE_ERROR_GENERIC; 876 goto func_exit; 877 } 878 879 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 880 881 #ifdef CFG_RPMB_FS_DEBUG_DATA 882 DMSG("Dumping dev_info:"); 883 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 884 #endif 885 886 res = TEE_SUCCESS; 887 888 func_exit: 889 tee_rpmb_free(&mem); 890 return res; 891 } 892 893 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 894 uint32_t *wr_cnt, 895 uint16_t *op_result) 896 { 897 TEE_Result res = TEE_ERROR_GENERIC; 898 struct tee_rpmb_mem mem; 899 uint16_t msg_type; 900 uint8_t nonce[RPMB_NONCE_SIZE]; 901 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 902 struct rpmb_req *req = NULL; 903 struct rpmb_data_frame *resp = NULL; 904 struct rpmb_raw_data rawdata; 905 uint32_t req_size; 906 uint32_t resp_size; 907 908 if (!wr_cnt) 909 return TEE_ERROR_BAD_PARAMETERS; 910 911 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 912 resp_size = RPMB_DATA_FRAME_SIZE; 913 res = tee_rpmb_alloc(req_size, resp_size, &mem, 914 (void *)&req, (void *)&resp); 915 if (res != TEE_SUCCESS) 916 goto func_exit; 917 918 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 919 if (res != TEE_SUCCESS) 920 goto func_exit; 921 922 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 923 924 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 925 rawdata.msg_type = msg_type; 926 rawdata.nonce = nonce; 927 928 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 929 if (res != TEE_SUCCESS) 930 goto func_exit; 931 932 res = tee_rpmb_invoke(&mem); 933 if (res != TEE_SUCCESS) 934 goto func_exit; 935 936 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 937 938 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 939 rawdata.msg_type = msg_type; 940 rawdata.op_result = op_result; 941 rawdata.write_counter = wr_cnt; 942 rawdata.nonce = nonce; 943 rawdata.key_mac = hmac; 944 945 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 946 if (res != TEE_SUCCESS) 947 goto func_exit; 948 949 res = TEE_SUCCESS; 950 951 func_exit: 952 tee_rpmb_free(&mem); 953 return res; 954 } 955 956 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 957 { 958 uint16_t op_result = 0; 959 TEE_Result res = TEE_ERROR_GENERIC; 960 961 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 962 &op_result); 963 964 if (res == TEE_SUCCESS) { 965 rpmb_ctx->key_verified = true; 966 rpmb_ctx->wr_cnt_synced = true; 967 } 968 969 DMSG("Verify key returning 0x%x", res); 970 return res; 971 } 972 973 #ifdef CFG_RPMB_WRITE_KEY 974 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 975 { 976 TEE_Result res = TEE_ERROR_GENERIC; 977 struct tee_rpmb_mem mem = { 0 }; 978 uint16_t msg_type; 979 struct rpmb_req *req = NULL; 980 struct rpmb_data_frame *resp = NULL; 981 struct rpmb_raw_data rawdata; 982 uint32_t req_size; 983 uint32_t resp_size; 984 985 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 986 resp_size = RPMB_DATA_FRAME_SIZE; 987 res = tee_rpmb_alloc(req_size, resp_size, &mem, 988 (void *)&req, (void *)&resp); 989 if (res != TEE_SUCCESS) 990 goto func_exit; 991 992 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 993 994 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 995 rawdata.msg_type = msg_type; 996 rawdata.key_mac = rpmb_ctx->key; 997 998 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 999 if (res != TEE_SUCCESS) 1000 goto func_exit; 1001 1002 res = tee_rpmb_invoke(&mem); 1003 if (res != TEE_SUCCESS) 1004 goto func_exit; 1005 1006 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1007 1008 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1009 rawdata.msg_type = msg_type; 1010 1011 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1012 if (res != TEE_SUCCESS) 1013 goto func_exit; 1014 1015 res = TEE_SUCCESS; 1016 1017 func_exit: 1018 tee_rpmb_free(&mem); 1019 return res; 1020 } 1021 1022 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1023 { 1024 TEE_Result res; 1025 1026 DMSG("RPMB INIT: Writing Key value:"); 1027 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1028 1029 res = tee_rpmb_write_key(dev_id); 1030 if (res == TEE_SUCCESS) { 1031 DMSG("RPMB INIT: Verifying Key"); 1032 res = tee_rpmb_verify_key_sync_counter(dev_id); 1033 } 1034 return res; 1035 } 1036 #else 1037 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1038 { 1039 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1040 return TEE_ERROR_BAD_STATE; 1041 } 1042 #endif 1043 1044 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1045 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1046 { 1047 TEE_Result res = TEE_SUCCESS; 1048 struct rpmb_dev_info dev_info; 1049 uint32_t nblocks = 0; 1050 1051 if (!rpmb_ctx) { 1052 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1053 if (!rpmb_ctx) 1054 return TEE_ERROR_OUT_OF_MEMORY; 1055 } else if (rpmb_ctx->dev_id != dev_id) { 1056 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1057 } 1058 1059 rpmb_ctx->dev_id = dev_id; 1060 1061 if (!rpmb_ctx->dev_info_synced) { 1062 DMSG("RPMB: Syncing device information"); 1063 1064 dev_info.rpmb_size_mult = 0; 1065 dev_info.rel_wr_sec_c = 0; 1066 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1067 if (res != TEE_SUCCESS) 1068 goto func_exit; 1069 1070 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1071 DMSG("RPMB: Reliable Write Sector Count is %d", 1072 dev_info.rel_wr_sec_c); 1073 1074 if (dev_info.rpmb_size_mult == 0) { 1075 res = TEE_ERROR_GENERIC; 1076 goto func_exit; 1077 } 1078 1079 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1080 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1081 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1082 res = TEE_ERROR_BAD_PARAMETERS; 1083 goto func_exit; 1084 } 1085 1086 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1087 1088 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1089 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1090 #else 1091 rpmb_ctx->rel_wr_blkcnt = 1; 1092 #endif 1093 1094 rpmb_ctx->dev_info_synced = true; 1095 } 1096 1097 if (!rpmb_ctx->key_derived) { 1098 DMSG("RPMB INIT: Deriving key"); 1099 1100 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1101 RPMB_KEY_MAC_SIZE); 1102 if (res != TEE_SUCCESS) { 1103 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1104 res); 1105 goto func_exit; 1106 } 1107 1108 rpmb_ctx->key_derived = true; 1109 } 1110 1111 /* Perform a write counter read to verify if the key is ok. */ 1112 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1113 DMSG("RPMB INIT: Verifying Key"); 1114 1115 res = tee_rpmb_verify_key_sync_counter(dev_id); 1116 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1117 !rpmb_ctx->key_verified) { 1118 /* 1119 * Need to write the key here and verify it. 1120 */ 1121 DMSG("RPMB INIT: Auth key not yet written"); 1122 res = tee_rpmb_write_and_verify_key(dev_id); 1123 } else if (res != TEE_SUCCESS) { 1124 EMSG("Verify key failed!"); 1125 EMSG("Make sure key here matches device key"); 1126 } 1127 } 1128 1129 func_exit: 1130 return res; 1131 } 1132 1133 /* 1134 * Read RPMB data in bytes. 1135 * 1136 * @dev_id Device ID of the eMMC device. 1137 * @addr Byte address of data. 1138 * @data Pointer to the data. 1139 * @len Size of data in bytes. 1140 * @fek Encrypted File Encryption Key or NULL. 1141 */ 1142 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1143 uint32_t len, const uint8_t *fek, 1144 const TEE_UUID *uuid) 1145 { 1146 TEE_Result res = TEE_ERROR_GENERIC; 1147 struct tee_rpmb_mem mem = { 0 }; 1148 uint16_t msg_type; 1149 uint8_t nonce[RPMB_NONCE_SIZE]; 1150 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1151 struct rpmb_req *req = NULL; 1152 struct rpmb_data_frame *resp = NULL; 1153 struct rpmb_raw_data rawdata; 1154 uint32_t req_size; 1155 uint32_t resp_size; 1156 uint16_t blk_idx; 1157 uint16_t blkcnt; 1158 uint8_t byte_offset; 1159 1160 if (!data || !len) 1161 return TEE_ERROR_BAD_PARAMETERS; 1162 1163 blk_idx = addr / RPMB_DATA_SIZE; 1164 byte_offset = addr % RPMB_DATA_SIZE; 1165 1166 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1167 /* Overflow */ 1168 return TEE_ERROR_BAD_PARAMETERS; 1169 } 1170 blkcnt = 1171 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1172 res = tee_rpmb_init(dev_id); 1173 if (res != TEE_SUCCESS) 1174 goto func_exit; 1175 1176 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1177 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1178 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1179 (void *)&req, (void *)&resp); 1180 if (res != TEE_SUCCESS) 1181 goto func_exit; 1182 1183 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1184 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1185 if (res != TEE_SUCCESS) 1186 goto func_exit; 1187 1188 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1189 rawdata.msg_type = msg_type; 1190 rawdata.nonce = nonce; 1191 rawdata.blk_idx = &blk_idx; 1192 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1193 if (res != TEE_SUCCESS) 1194 goto func_exit; 1195 1196 req->block_count = blkcnt; 1197 1198 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1199 blk_idx); 1200 1201 res = tee_rpmb_invoke(&mem); 1202 if (res != TEE_SUCCESS) 1203 goto func_exit; 1204 1205 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1206 1207 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1208 rawdata.msg_type = msg_type; 1209 rawdata.block_count = &blkcnt; 1210 rawdata.blk_idx = &blk_idx; 1211 rawdata.nonce = nonce; 1212 rawdata.key_mac = hmac; 1213 rawdata.data = data; 1214 1215 rawdata.len = len; 1216 rawdata.byte_offset = byte_offset; 1217 1218 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1219 if (res != TEE_SUCCESS) 1220 goto func_exit; 1221 1222 res = TEE_SUCCESS; 1223 1224 func_exit: 1225 tee_rpmb_free(&mem); 1226 return res; 1227 } 1228 1229 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1230 const uint8_t *data_blks, uint16_t blkcnt, 1231 const uint8_t *fek, const TEE_UUID *uuid) 1232 { 1233 TEE_Result res; 1234 struct tee_rpmb_mem mem; 1235 uint16_t msg_type; 1236 uint32_t wr_cnt; 1237 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1238 struct rpmb_req *req = NULL; 1239 struct rpmb_data_frame *resp = NULL; 1240 struct rpmb_raw_data rawdata; 1241 uint32_t req_size; 1242 uint32_t resp_size; 1243 uint32_t nbr_writes; 1244 uint16_t tmp_blkcnt; 1245 uint16_t tmp_blk_idx; 1246 uint16_t i; 1247 1248 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1249 blk_idx); 1250 1251 if (!data_blks || !blkcnt) 1252 return TEE_ERROR_BAD_PARAMETERS; 1253 1254 res = tee_rpmb_init(dev_id); 1255 if (res != TEE_SUCCESS) 1256 return res; 1257 1258 /* 1259 * We need to split data when block count 1260 * is bigger than reliable block write count. 1261 */ 1262 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1263 req_size = sizeof(struct rpmb_req) + 1264 RPMB_DATA_FRAME_SIZE * blkcnt; 1265 else 1266 req_size = sizeof(struct rpmb_req) + 1267 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1268 1269 resp_size = RPMB_DATA_FRAME_SIZE; 1270 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1271 (void *)&req, (void *)&resp); 1272 if (res != TEE_SUCCESS) 1273 return res; 1274 1275 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1276 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1277 nbr_writes += 1; 1278 1279 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1280 tmp_blk_idx = blk_idx; 1281 for (i = 0; i < nbr_writes; i++) { 1282 /* 1283 * To handle the last write of block count which is 1284 * equal or smaller than reliable write block count. 1285 */ 1286 if (i == nbr_writes - 1) 1287 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1288 (nbr_writes - 1); 1289 1290 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1291 wr_cnt = rpmb_ctx->wr_cnt; 1292 1293 memset(req, 0x00, req_size); 1294 memset(resp, 0x00, resp_size); 1295 1296 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1297 rawdata.msg_type = msg_type; 1298 rawdata.block_count = &tmp_blkcnt; 1299 rawdata.blk_idx = &tmp_blk_idx; 1300 rawdata.write_counter = &wr_cnt; 1301 rawdata.key_mac = hmac; 1302 rawdata.data = (uint8_t *)data_blks + 1303 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1304 1305 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1306 fek, uuid); 1307 if (res != TEE_SUCCESS) 1308 goto out; 1309 1310 res = tee_rpmb_invoke(&mem); 1311 if (res != TEE_SUCCESS) { 1312 /* 1313 * To force wr_cnt sync next time, as it might get 1314 * out of sync due to inconsistent operation result! 1315 */ 1316 rpmb_ctx->wr_cnt_synced = false; 1317 goto out; 1318 } 1319 1320 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1321 1322 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1323 rawdata.msg_type = msg_type; 1324 rawdata.block_count = &tmp_blkcnt; 1325 rawdata.blk_idx = &tmp_blk_idx; 1326 rawdata.write_counter = &wr_cnt; 1327 rawdata.key_mac = hmac; 1328 1329 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1330 NULL); 1331 if (res != TEE_SUCCESS) { 1332 /* 1333 * To force wr_cnt sync next time, as it might get 1334 * out of sync due to inconsistent operation result! 1335 */ 1336 rpmb_ctx->wr_cnt_synced = false; 1337 goto out; 1338 } 1339 1340 tmp_blk_idx += tmp_blkcnt; 1341 } 1342 1343 out: 1344 tee_rpmb_free(&mem); 1345 return res; 1346 } 1347 1348 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1349 uint32_t len) 1350 { 1351 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1352 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1353 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1354 1355 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1356 } 1357 1358 /* 1359 * Write RPMB data in bytes. 1360 * 1361 * @dev_id Device ID of the eMMC device. 1362 * @addr Byte address of data. 1363 * @data Pointer to the data. 1364 * @len Size of data in bytes. 1365 * @fek Encrypted File Encryption Key or NULL. 1366 */ 1367 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1368 const uint8_t *data, uint32_t len, 1369 const uint8_t *fek, const TEE_UUID *uuid) 1370 { 1371 TEE_Result res = TEE_ERROR_GENERIC; 1372 uint8_t *data_tmp = NULL; 1373 uint16_t blk_idx; 1374 uint16_t blkcnt; 1375 uint8_t byte_offset; 1376 1377 blk_idx = addr / RPMB_DATA_SIZE; 1378 byte_offset = addr % RPMB_DATA_SIZE; 1379 1380 blkcnt = 1381 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1382 1383 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1384 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1385 uuid); 1386 if (res != TEE_SUCCESS) 1387 goto func_exit; 1388 } else { 1389 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1390 if (!data_tmp) { 1391 res = TEE_ERROR_OUT_OF_MEMORY; 1392 goto func_exit; 1393 } 1394 1395 /* Read the complete blocks */ 1396 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1397 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1398 if (res != TEE_SUCCESS) 1399 goto func_exit; 1400 1401 /* Partial update of the data blocks */ 1402 memcpy(data_tmp + byte_offset, data, len); 1403 1404 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1405 fek, uuid); 1406 if (res != TEE_SUCCESS) 1407 goto func_exit; 1408 } 1409 1410 res = TEE_SUCCESS; 1411 1412 func_exit: 1413 free(data_tmp); 1414 return res; 1415 } 1416 1417 /* 1418 * Read the RPMB write counter. 1419 * 1420 * @dev_id Device ID of the eMMC device. 1421 * @counter Pointer to the counter. 1422 */ 1423 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1424 uint32_t *counter) 1425 { 1426 TEE_Result res = TEE_SUCCESS; 1427 1428 if (!counter) 1429 return TEE_ERROR_BAD_PARAMETERS; 1430 1431 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1432 res = tee_rpmb_init(dev_id); 1433 if (res != TEE_SUCCESS) 1434 goto func_exit; 1435 } 1436 1437 *counter = rpmb_ctx->wr_cnt; 1438 1439 func_exit: 1440 return res; 1441 } 1442 1443 /* 1444 * Read the RPMB max block. 1445 * 1446 * @dev_id Device ID of the eMMC device. 1447 * @counter Pointer to receive the max block. 1448 */ 1449 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1450 { 1451 TEE_Result res = TEE_SUCCESS; 1452 1453 if (!max_block) 1454 return TEE_ERROR_BAD_PARAMETERS; 1455 1456 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1457 res = tee_rpmb_init(dev_id); 1458 if (res != TEE_SUCCESS) 1459 goto func_exit; 1460 } 1461 1462 *max_block = rpmb_ctx->max_blk_idx; 1463 1464 func_exit: 1465 return res; 1466 } 1467 1468 /* 1469 * End of lower interface to RPMB device 1470 */ 1471 1472 static TEE_Result get_fat_start_address(uint32_t *addr); 1473 1474 static void dump_fat(void) 1475 { 1476 TEE_Result res = TEE_ERROR_GENERIC; 1477 struct rpmb_fat_entry *fat_entries = NULL; 1478 uint32_t fat_address; 1479 size_t size; 1480 int i; 1481 bool last_entry_found = false; 1482 1483 res = get_fat_start_address(&fat_address); 1484 if (res != TEE_SUCCESS) 1485 goto out; 1486 1487 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1488 fat_entries = malloc(size); 1489 if (!fat_entries) { 1490 res = TEE_ERROR_OUT_OF_MEMORY; 1491 goto out; 1492 } 1493 1494 while (!last_entry_found) { 1495 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1496 (uint8_t *)fat_entries, size, NULL, NULL); 1497 if (res != TEE_SUCCESS) 1498 goto out; 1499 1500 for (i = 0; i < N_ENTRIES; i++) { 1501 1502 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1503 fat_entries[i].flags, 1504 fat_entries[i].data_size, 1505 fat_entries[i].start_address, 1506 fat_entries[i].filename); 1507 1508 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1509 last_entry_found = true; 1510 break; 1511 } 1512 1513 /* Move to next fat_entry. */ 1514 fat_address += sizeof(struct rpmb_fat_entry); 1515 } 1516 } 1517 1518 out: 1519 free(fat_entries); 1520 } 1521 1522 #if (TRACE_LEVEL >= TRACE_DEBUG) 1523 static void dump_fh(struct rpmb_file_handle *fh) 1524 { 1525 DMSG("fh->filename=%s", fh->filename); 1526 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1527 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1528 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1529 } 1530 #else 1531 static void dump_fh(struct rpmb_file_handle *fh __unused) 1532 { 1533 } 1534 #endif 1535 1536 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1537 bool temporary) 1538 { 1539 struct rpmb_file_handle *fh = NULL; 1540 1541 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1542 if (!fh) 1543 return NULL; 1544 1545 if (po) 1546 tee_svc_storage_create_filename(fh->filename, 1547 sizeof(fh->filename), po, 1548 temporary); 1549 1550 return fh; 1551 } 1552 1553 /** 1554 * write_fat_entry: Store info in a fat_entry to RPMB. 1555 */ 1556 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1557 bool update_write_counter) 1558 { 1559 TEE_Result res = TEE_ERROR_GENERIC; 1560 1561 /* Protect partition data. */ 1562 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1563 res = TEE_ERROR_ACCESS_CONFLICT; 1564 goto out; 1565 } 1566 1567 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1568 res = TEE_ERROR_BAD_PARAMETERS; 1569 goto out; 1570 } 1571 1572 if (update_write_counter) { 1573 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1574 &fh->fat_entry.write_counter); 1575 if (res != TEE_SUCCESS) 1576 goto out; 1577 } 1578 1579 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1580 (uint8_t *)&fh->fat_entry, 1581 sizeof(struct rpmb_fat_entry), NULL, NULL); 1582 1583 dump_fat(); 1584 1585 out: 1586 return res; 1587 } 1588 1589 /** 1590 * rpmb_fs_setup: Setup rpmb fs. 1591 * Set initial partition and FS values and write to RPMB. 1592 * Store frequently used data in RAM. 1593 */ 1594 static TEE_Result rpmb_fs_setup(void) 1595 { 1596 TEE_Result res = TEE_ERROR_GENERIC; 1597 struct rpmb_fs_partition *partition_data = NULL; 1598 struct rpmb_file_handle *fh = NULL; 1599 uint32_t max_rpmb_block = 0; 1600 1601 if (fs_par) { 1602 res = TEE_SUCCESS; 1603 goto out; 1604 } 1605 1606 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1607 if (res != TEE_SUCCESS) 1608 goto out; 1609 1610 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1611 if (!partition_data) { 1612 res = TEE_ERROR_OUT_OF_MEMORY; 1613 goto out; 1614 } 1615 1616 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1617 (uint8_t *)partition_data, 1618 sizeof(struct rpmb_fs_partition), NULL, NULL); 1619 if (res != TEE_SUCCESS) 1620 goto out; 1621 1622 #ifndef CFG_RPMB_RESET_FAT 1623 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1624 if (partition_data->fs_version == FS_VERSION) { 1625 res = TEE_SUCCESS; 1626 goto store_fs_par; 1627 } else { 1628 /* Wrong software is in use. */ 1629 res = TEE_ERROR_ACCESS_DENIED; 1630 goto out; 1631 } 1632 } 1633 #else 1634 EMSG("**** Clearing Storage ****"); 1635 #endif 1636 1637 /* Setup new partition data. */ 1638 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1639 partition_data->fs_version = FS_VERSION; 1640 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1641 1642 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1643 fh = alloc_file_handle(NULL, false); 1644 if (!fh) { 1645 res = TEE_ERROR_OUT_OF_MEMORY; 1646 goto out; 1647 } 1648 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1649 fh->rpmb_fat_address = partition_data->fat_start_address; 1650 1651 /* Write init FAT entry and partition data to RPMB. */ 1652 res = write_fat_entry(fh, true); 1653 if (res != TEE_SUCCESS) 1654 goto out; 1655 1656 res = 1657 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1658 &partition_data->write_counter); 1659 if (res != TEE_SUCCESS) 1660 goto out; 1661 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1662 (uint8_t *)partition_data, 1663 sizeof(struct rpmb_fs_partition), NULL, NULL); 1664 1665 #ifndef CFG_RPMB_RESET_FAT 1666 store_fs_par: 1667 #endif 1668 1669 /* Store FAT start address. */ 1670 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1671 if (!fs_par) { 1672 res = TEE_ERROR_OUT_OF_MEMORY; 1673 goto out; 1674 } 1675 1676 fs_par->fat_start_address = partition_data->fat_start_address; 1677 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1678 1679 dump_fat(); 1680 1681 out: 1682 free(fh); 1683 free(partition_data); 1684 return res; 1685 } 1686 1687 /** 1688 * get_fat_start_address: 1689 * FAT start_address from fs_par. 1690 */ 1691 static TEE_Result get_fat_start_address(uint32_t *addr) 1692 { 1693 if (!fs_par) 1694 return TEE_ERROR_NO_DATA; 1695 1696 *addr = fs_par->fat_start_address; 1697 1698 return TEE_SUCCESS; 1699 } 1700 1701 /** 1702 * read_fat: Read FAT entries 1703 * Return matching FAT entry for read, rm rename and stat. 1704 * Build up memory pool and return matching entry for write operation. 1705 * "Last FAT entry" can be returned during write. 1706 */ 1707 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1708 { 1709 TEE_Result res = TEE_ERROR_GENERIC; 1710 tee_mm_entry_t *mm = NULL; 1711 struct rpmb_fat_entry *fat_entries = NULL; 1712 uint32_t fat_address; 1713 size_t size; 1714 int i; 1715 bool entry_found = false; 1716 bool last_entry_found = false; 1717 bool expand_fat = false; 1718 struct rpmb_file_handle last_fh; 1719 1720 DMSG("fat_address %d", fh->rpmb_fat_address); 1721 1722 res = rpmb_fs_setup(); 1723 if (res != TEE_SUCCESS) 1724 goto out; 1725 1726 res = get_fat_start_address(&fat_address); 1727 if (res != TEE_SUCCESS) 1728 goto out; 1729 1730 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1731 fat_entries = malloc(size); 1732 if (!fat_entries) { 1733 res = TEE_ERROR_OUT_OF_MEMORY; 1734 goto out; 1735 } 1736 1737 /* 1738 * The pool is used to represent the current RPMB layout. To find 1739 * a slot for the file tee_mm_alloc is called on the pool. Thus 1740 * if it is not NULL the entire FAT must be traversed to fill in 1741 * the pool. 1742 */ 1743 while (!last_entry_found && (!entry_found || p)) { 1744 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1745 (uint8_t *)fat_entries, size, NULL, NULL); 1746 if (res != TEE_SUCCESS) 1747 goto out; 1748 1749 for (i = 0; i < N_ENTRIES; i++) { 1750 /* 1751 * Look for an entry, matching filenames. (read, rm, 1752 * rename and stat.). Only store first filename match. 1753 */ 1754 if (fh->filename && 1755 (strcmp(fh->filename, 1756 fat_entries[i].filename) == 0) && 1757 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1758 (!entry_found)) { 1759 entry_found = true; 1760 fh->rpmb_fat_address = fat_address; 1761 memcpy(&fh->fat_entry, &fat_entries[i], 1762 sizeof(struct rpmb_fat_entry)); 1763 if (!p) 1764 break; 1765 } 1766 1767 /* Add existing files to memory pool. (write) */ 1768 if (p) { 1769 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1770 (fat_entries[i].data_size > 0)) { 1771 1772 mm = tee_mm_alloc2 1773 (p, 1774 fat_entries[i].start_address, 1775 fat_entries[i].data_size); 1776 if (!mm) { 1777 res = TEE_ERROR_OUT_OF_MEMORY; 1778 goto out; 1779 } 1780 } 1781 1782 /* Unused FAT entries can be reused (write) */ 1783 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1784 0) && (fh->rpmb_fat_address == 0)) { 1785 fh->rpmb_fat_address = fat_address; 1786 memcpy(&fh->fat_entry, &fat_entries[i], 1787 sizeof(struct rpmb_fat_entry)); 1788 } 1789 } 1790 1791 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1792 last_entry_found = true; 1793 1794 /* 1795 * If the last entry was reached and was chosen 1796 * by the previous check, then the FAT needs to 1797 * be expanded. 1798 * fh->rpmb_fat_address is the address chosen 1799 * to store the files FAT entry and fat_address 1800 * is the current FAT entry address being 1801 * compared. 1802 */ 1803 if (p && fh->rpmb_fat_address == fat_address) 1804 expand_fat = true; 1805 break; 1806 } 1807 1808 /* Move to next fat_entry. */ 1809 fat_address += sizeof(struct rpmb_fat_entry); 1810 } 1811 } 1812 1813 /* 1814 * Represent the FAT table in the pool. 1815 */ 1816 if (p) { 1817 /* 1818 * Since fat_address is the start of the last entry it needs to 1819 * be moved up by an entry. 1820 */ 1821 fat_address += sizeof(struct rpmb_fat_entry); 1822 1823 /* Make room for yet a FAT entry and add to memory pool. */ 1824 if (expand_fat) 1825 fat_address += sizeof(struct rpmb_fat_entry); 1826 1827 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1828 if (!mm) { 1829 res = TEE_ERROR_OUT_OF_MEMORY; 1830 goto out; 1831 } 1832 1833 if (expand_fat) { 1834 /* 1835 * Point fat_address to the beginning of the new 1836 * entry. 1837 */ 1838 fat_address -= sizeof(struct rpmb_fat_entry); 1839 memset(&last_fh, 0, sizeof(last_fh)); 1840 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1841 last_fh.rpmb_fat_address = fat_address; 1842 res = write_fat_entry(&last_fh, true); 1843 if (res != TEE_SUCCESS) 1844 goto out; 1845 } 1846 } 1847 1848 if (fh->filename && !fh->rpmb_fat_address) 1849 res = TEE_ERROR_ITEM_NOT_FOUND; 1850 1851 out: 1852 free(fat_entries); 1853 return res; 1854 } 1855 1856 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1857 { 1858 TEE_Result res; 1859 1860 again: 1861 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1862 if (res != TEE_SUCCESS) 1863 return res; 1864 1865 if (is_zero(fe->fek, sizeof(fe->fek))) 1866 goto again; 1867 1868 return res; 1869 } 1870 1871 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1872 const TEE_UUID *uuid, bool create) 1873 { 1874 tee_mm_pool_t p; 1875 bool pool_result; 1876 TEE_Result res = TEE_ERROR_GENERIC; 1877 1878 /* We need to do setup in order to make sure fs_par is filled in */ 1879 res = rpmb_fs_setup(); 1880 if (res != TEE_SUCCESS) 1881 goto out; 1882 1883 fh->uuid = uuid; 1884 if (create) { 1885 /* Upper memory allocation must be used for RPMB_FS. */ 1886 pool_result = tee_mm_init(&p, 1887 RPMB_STORAGE_START_ADDRESS, 1888 fs_par->max_rpmb_address, 1889 RPMB_BLOCK_SIZE_SHIFT, 1890 TEE_MM_POOL_HI_ALLOC); 1891 1892 if (!pool_result) { 1893 res = TEE_ERROR_OUT_OF_MEMORY; 1894 goto out; 1895 } 1896 1897 res = read_fat(fh, &p); 1898 tee_mm_final(&p); 1899 if (res != TEE_SUCCESS) 1900 goto out; 1901 } else { 1902 res = read_fat(fh, NULL); 1903 if (res != TEE_SUCCESS) 1904 goto out; 1905 } 1906 1907 /* 1908 * If this is opened with create and the entry found was not active 1909 * then this is a new file and the FAT entry must be written 1910 */ 1911 if (create) { 1912 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1913 memset(&fh->fat_entry, 0, 1914 sizeof(struct rpmb_fat_entry)); 1915 memcpy(fh->fat_entry.filename, fh->filename, 1916 strlen(fh->filename)); 1917 /* Start address and size are 0 */ 1918 fh->fat_entry.flags = FILE_IS_ACTIVE; 1919 1920 res = generate_fek(&fh->fat_entry, uuid); 1921 if (res != TEE_SUCCESS) 1922 goto out; 1923 DMSG("GENERATE FEK key: %p", 1924 (void *)fh->fat_entry.fek); 1925 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1926 1927 res = write_fat_entry(fh, true); 1928 if (res != TEE_SUCCESS) 1929 goto out; 1930 } 1931 } 1932 1933 res = TEE_SUCCESS; 1934 1935 out: 1936 return res; 1937 } 1938 1939 static void rpmb_fs_close(struct tee_file_handle **tfh) 1940 { 1941 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1942 1943 free(fh); 1944 *tfh = NULL; 1945 } 1946 1947 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1948 void *buf, size_t *len) 1949 { 1950 TEE_Result res; 1951 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1952 size_t size = *len; 1953 1954 if (!size) 1955 return TEE_SUCCESS; 1956 1957 mutex_lock(&rpmb_mutex); 1958 1959 dump_fh(fh); 1960 1961 res = read_fat(fh, NULL); 1962 if (res != TEE_SUCCESS) 1963 goto out; 1964 1965 if (pos >= fh->fat_entry.data_size) { 1966 *len = 0; 1967 goto out; 1968 } 1969 1970 size = MIN(size, fh->fat_entry.data_size - pos); 1971 if (size) { 1972 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1973 fh->fat_entry.start_address + pos, buf, 1974 size, fh->fat_entry.fek, fh->uuid); 1975 if (res != TEE_SUCCESS) 1976 goto out; 1977 } 1978 *len = size; 1979 1980 out: 1981 mutex_unlock(&rpmb_mutex); 1982 return res; 1983 } 1984 1985 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1986 size_t pos, const void *buf, 1987 size_t size) 1988 { 1989 TEE_Result res; 1990 tee_mm_pool_t p; 1991 bool pool_result = false; 1992 tee_mm_entry_t *mm; 1993 size_t end; 1994 size_t newsize; 1995 uint8_t *newbuf = NULL; 1996 uintptr_t newaddr; 1997 uint32_t start_addr; 1998 1999 if (!size) 2000 return TEE_SUCCESS; 2001 2002 if (!fs_par) { 2003 res = TEE_ERROR_GENERIC; 2004 goto out; 2005 } 2006 2007 dump_fh(fh); 2008 2009 /* Upper memory allocation must be used for RPMB_FS. */ 2010 pool_result = tee_mm_init(&p, 2011 RPMB_STORAGE_START_ADDRESS, 2012 fs_par->max_rpmb_address, 2013 RPMB_BLOCK_SIZE_SHIFT, 2014 TEE_MM_POOL_HI_ALLOC); 2015 if (!pool_result) { 2016 res = TEE_ERROR_OUT_OF_MEMORY; 2017 goto out; 2018 } 2019 2020 res = read_fat(fh, &p); 2021 if (res != TEE_SUCCESS) 2022 goto out; 2023 2024 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2025 panic("invalid last entry flag"); 2026 2027 if (ADD_OVERFLOW(pos, size, &end)) { 2028 res = TEE_ERROR_BAD_PARAMETERS; 2029 goto out; 2030 } 2031 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2032 res = TEE_ERROR_BAD_PARAMETERS; 2033 goto out; 2034 } 2035 2036 if (end <= fh->fat_entry.data_size && 2037 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2038 2039 DMSG("Updating data in-place"); 2040 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2041 size, fh->fat_entry.fek, fh->uuid); 2042 if (res != TEE_SUCCESS) 2043 goto out; 2044 } else { 2045 /* 2046 * File must be extended, or update cannot be atomic: allocate, 2047 * read, update, write. 2048 */ 2049 2050 DMSG("Need to re-allocate"); 2051 newsize = MAX(end, fh->fat_entry.data_size); 2052 mm = tee_mm_alloc(&p, newsize); 2053 newbuf = calloc(1, newsize); 2054 if (!mm || !newbuf) { 2055 res = TEE_ERROR_OUT_OF_MEMORY; 2056 goto out; 2057 } 2058 2059 if (fh->fat_entry.data_size) { 2060 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2061 fh->fat_entry.start_address, 2062 newbuf, fh->fat_entry.data_size, 2063 fh->fat_entry.fek, fh->uuid); 2064 if (res != TEE_SUCCESS) 2065 goto out; 2066 } 2067 2068 memcpy(newbuf + pos, buf, size); 2069 2070 newaddr = tee_mm_get_smem(mm); 2071 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2072 newsize, fh->fat_entry.fek, fh->uuid); 2073 if (res != TEE_SUCCESS) 2074 goto out; 2075 2076 fh->fat_entry.data_size = newsize; 2077 fh->fat_entry.start_address = newaddr; 2078 res = write_fat_entry(fh, true); 2079 if (res != TEE_SUCCESS) 2080 goto out; 2081 } 2082 2083 out: 2084 if (pool_result) 2085 tee_mm_final(&p); 2086 if (newbuf) 2087 free(newbuf); 2088 2089 return res; 2090 } 2091 2092 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2093 const void *buf, size_t size) 2094 { 2095 TEE_Result res; 2096 2097 mutex_lock(&rpmb_mutex); 2098 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2099 buf, size); 2100 mutex_unlock(&rpmb_mutex); 2101 2102 return res; 2103 } 2104 2105 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2106 { 2107 TEE_Result res; 2108 2109 res = read_fat(fh, NULL); 2110 if (res) 2111 return res; 2112 2113 /* Clear this file entry. */ 2114 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2115 return write_fat_entry(fh, false); 2116 } 2117 2118 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2119 { 2120 TEE_Result res; 2121 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2122 2123 if (!fh) 2124 return TEE_ERROR_OUT_OF_MEMORY; 2125 2126 mutex_lock(&rpmb_mutex); 2127 2128 res = rpmb_fs_remove_internal(fh); 2129 2130 mutex_unlock(&rpmb_mutex); 2131 2132 free(fh); 2133 return res; 2134 } 2135 2136 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2137 struct tee_pobj *new, 2138 bool overwrite) 2139 { 2140 TEE_Result res = TEE_ERROR_GENERIC; 2141 struct rpmb_file_handle *fh_old = NULL; 2142 struct rpmb_file_handle *fh_new = NULL; 2143 2144 if (!old) { 2145 res = TEE_ERROR_BAD_PARAMETERS; 2146 goto out; 2147 } 2148 2149 if (new) 2150 fh_old = alloc_file_handle(old, old->temporary); 2151 else 2152 fh_old = alloc_file_handle(old, true); 2153 if (!fh_old) { 2154 res = TEE_ERROR_OUT_OF_MEMORY; 2155 goto out; 2156 } 2157 2158 if (new) 2159 fh_new = alloc_file_handle(new, new->temporary); 2160 else 2161 fh_new = alloc_file_handle(old, false); 2162 if (!fh_new) { 2163 res = TEE_ERROR_OUT_OF_MEMORY; 2164 goto out; 2165 } 2166 2167 res = read_fat(fh_old, NULL); 2168 if (res != TEE_SUCCESS) 2169 goto out; 2170 2171 res = read_fat(fh_new, NULL); 2172 if (res == TEE_SUCCESS) { 2173 if (!overwrite) { 2174 res = TEE_ERROR_ACCESS_CONFLICT; 2175 goto out; 2176 } 2177 2178 /* Clear this file entry. */ 2179 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2180 res = write_fat_entry(fh_new, false); 2181 if (res != TEE_SUCCESS) 2182 goto out; 2183 } 2184 2185 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2186 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2187 strlen(fh_new->filename)); 2188 2189 res = write_fat_entry(fh_old, false); 2190 2191 out: 2192 free(fh_old); 2193 free(fh_new); 2194 2195 return res; 2196 } 2197 2198 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2199 bool overwrite) 2200 { 2201 TEE_Result res; 2202 2203 mutex_lock(&rpmb_mutex); 2204 res = rpmb_fs_rename_internal(old, new, overwrite); 2205 mutex_unlock(&rpmb_mutex); 2206 2207 return res; 2208 } 2209 2210 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2211 { 2212 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2213 tee_mm_pool_t p; 2214 bool pool_result = false; 2215 tee_mm_entry_t *mm; 2216 uint32_t newsize; 2217 uint8_t *newbuf = NULL; 2218 uintptr_t newaddr; 2219 TEE_Result res = TEE_ERROR_GENERIC; 2220 2221 mutex_lock(&rpmb_mutex); 2222 2223 if (length > INT32_MAX) { 2224 res = TEE_ERROR_BAD_PARAMETERS; 2225 goto out; 2226 } 2227 newsize = length; 2228 2229 res = read_fat(fh, NULL); 2230 if (res != TEE_SUCCESS) 2231 goto out; 2232 2233 if (newsize > fh->fat_entry.data_size) { 2234 /* Extend file */ 2235 2236 pool_result = tee_mm_init(&p, 2237 RPMB_STORAGE_START_ADDRESS, 2238 fs_par->max_rpmb_address, 2239 RPMB_BLOCK_SIZE_SHIFT, 2240 TEE_MM_POOL_HI_ALLOC); 2241 if (!pool_result) { 2242 res = TEE_ERROR_OUT_OF_MEMORY; 2243 goto out; 2244 } 2245 res = read_fat(fh, &p); 2246 if (res != TEE_SUCCESS) 2247 goto out; 2248 2249 mm = tee_mm_alloc(&p, newsize); 2250 newbuf = calloc(1, newsize); 2251 if (!mm || !newbuf) { 2252 res = TEE_ERROR_OUT_OF_MEMORY; 2253 goto out; 2254 } 2255 2256 if (fh->fat_entry.data_size) { 2257 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2258 fh->fat_entry.start_address, 2259 newbuf, fh->fat_entry.data_size, 2260 fh->fat_entry.fek, fh->uuid); 2261 if (res != TEE_SUCCESS) 2262 goto out; 2263 } 2264 2265 newaddr = tee_mm_get_smem(mm); 2266 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2267 newsize, fh->fat_entry.fek, fh->uuid); 2268 if (res != TEE_SUCCESS) 2269 goto out; 2270 2271 } else { 2272 /* Don't change file location */ 2273 newaddr = fh->fat_entry.start_address; 2274 } 2275 2276 /* fh->pos is unchanged */ 2277 fh->fat_entry.data_size = newsize; 2278 fh->fat_entry.start_address = newaddr; 2279 res = write_fat_entry(fh, true); 2280 2281 out: 2282 mutex_unlock(&rpmb_mutex); 2283 if (pool_result) 2284 tee_mm_final(&p); 2285 if (newbuf) 2286 free(newbuf); 2287 2288 return res; 2289 } 2290 2291 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2292 { 2293 struct tee_rpmb_fs_dirent *e; 2294 2295 if (!dir) 2296 return; 2297 2298 free(dir->current); 2299 2300 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2301 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2302 free(e); 2303 } 2304 } 2305 2306 static TEE_Result rpmb_fs_dir_populate(const char *path, 2307 struct tee_fs_dir *dir) 2308 { 2309 struct tee_rpmb_fs_dirent *current = NULL; 2310 struct rpmb_fat_entry *fat_entries = NULL; 2311 uint32_t fat_address; 2312 uint32_t filelen; 2313 char *filename; 2314 int i; 2315 bool last_entry_found = false; 2316 bool matched; 2317 struct tee_rpmb_fs_dirent *next = NULL; 2318 uint32_t pathlen; 2319 TEE_Result res = TEE_ERROR_GENERIC; 2320 uint32_t size; 2321 char temp; 2322 2323 mutex_lock(&rpmb_mutex); 2324 2325 res = rpmb_fs_setup(); 2326 if (res != TEE_SUCCESS) 2327 goto out; 2328 2329 res = get_fat_start_address(&fat_address); 2330 if (res != TEE_SUCCESS) 2331 goto out; 2332 2333 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2334 fat_entries = malloc(size); 2335 if (!fat_entries) { 2336 res = TEE_ERROR_OUT_OF_MEMORY; 2337 goto out; 2338 } 2339 2340 pathlen = strlen(path); 2341 while (!last_entry_found) { 2342 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2343 (uint8_t *)fat_entries, size, NULL, NULL); 2344 if (res != TEE_SUCCESS) 2345 goto out; 2346 2347 for (i = 0; i < N_ENTRIES; i++) { 2348 filename = fat_entries[i].filename; 2349 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2350 matched = false; 2351 filelen = strlen(filename); 2352 if (filelen > pathlen) { 2353 temp = filename[pathlen]; 2354 filename[pathlen] = '\0'; 2355 if (strcmp(filename, path) == 0) 2356 matched = true; 2357 2358 filename[pathlen] = temp; 2359 } 2360 2361 if (matched) { 2362 next = malloc(sizeof(*next)); 2363 if (!next) { 2364 res = TEE_ERROR_OUT_OF_MEMORY; 2365 goto out; 2366 } 2367 2368 next->entry.oidlen = tee_hs2b( 2369 (uint8_t *)&filename[pathlen], 2370 next->entry.oid, 2371 filelen - pathlen, 2372 sizeof(next->entry.oid)); 2373 if (next->entry.oidlen) { 2374 SIMPLEQ_INSERT_TAIL(&dir->next, 2375 next, link); 2376 current = next; 2377 } else { 2378 free(next); 2379 next = NULL; 2380 } 2381 2382 } 2383 } 2384 2385 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2386 last_entry_found = true; 2387 break; 2388 } 2389 2390 /* Move to next fat_entry. */ 2391 fat_address += sizeof(struct rpmb_fat_entry); 2392 } 2393 } 2394 2395 if (current) 2396 res = TEE_SUCCESS; 2397 else 2398 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2399 2400 out: 2401 mutex_unlock(&rpmb_mutex); 2402 if (res != TEE_SUCCESS) 2403 rpmb_fs_dir_free(dir); 2404 if (fat_entries) 2405 free(fat_entries); 2406 2407 return res; 2408 } 2409 2410 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2411 { 2412 uint32_t len; 2413 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2414 TEE_Result res = TEE_ERROR_GENERIC; 2415 struct tee_fs_dir *rpmb_dir = NULL; 2416 2417 if (!uuid || !dir) { 2418 res = TEE_ERROR_BAD_PARAMETERS; 2419 goto out; 2420 } 2421 2422 memset(path_local, 0, sizeof(path_local)); 2423 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2424 uuid) != TEE_SUCCESS) { 2425 res = TEE_ERROR_BAD_PARAMETERS; 2426 goto out; 2427 } 2428 len = strlen(path_local); 2429 2430 /* Add a slash to correctly match the full directory name. */ 2431 if (path_local[len - 1] != '/') 2432 path_local[len] = '/'; 2433 2434 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2435 if (!rpmb_dir) { 2436 res = TEE_ERROR_OUT_OF_MEMORY; 2437 goto out; 2438 } 2439 SIMPLEQ_INIT(&rpmb_dir->next); 2440 2441 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2442 if (res != TEE_SUCCESS) { 2443 free(rpmb_dir); 2444 rpmb_dir = NULL; 2445 goto out; 2446 } 2447 2448 *dir = rpmb_dir; 2449 2450 out: 2451 return res; 2452 } 2453 2454 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2455 struct tee_fs_dirent **ent) 2456 { 2457 if (!dir) 2458 return TEE_ERROR_GENERIC; 2459 2460 free(dir->current); 2461 2462 dir->current = SIMPLEQ_FIRST(&dir->next); 2463 if (!dir->current) 2464 return TEE_ERROR_ITEM_NOT_FOUND; 2465 2466 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2467 2468 *ent = &dir->current->entry; 2469 return TEE_SUCCESS; 2470 } 2471 2472 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2473 { 2474 if (dir) { 2475 rpmb_fs_dir_free(dir); 2476 free(dir); 2477 } 2478 } 2479 2480 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2481 struct tee_file_handle **ret_fh) 2482 { 2483 TEE_Result res; 2484 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2485 2486 if (!fh) 2487 return TEE_ERROR_OUT_OF_MEMORY; 2488 2489 mutex_lock(&rpmb_mutex); 2490 2491 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2492 if (!res && size) 2493 *size = fh->fat_entry.data_size; 2494 2495 mutex_unlock(&rpmb_mutex); 2496 2497 if (res) 2498 free(fh); 2499 else 2500 *ret_fh = (struct tee_file_handle *)fh; 2501 2502 return res; 2503 } 2504 2505 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2506 const void *head, size_t head_size, 2507 const void *attr, size_t attr_size, 2508 const void *data, size_t data_size, 2509 struct tee_file_handle **ret_fh) 2510 { 2511 TEE_Result res; 2512 size_t pos = 0; 2513 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2514 2515 if (!fh) 2516 return TEE_ERROR_OUT_OF_MEMORY; 2517 2518 mutex_lock(&rpmb_mutex); 2519 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2520 if (res) 2521 goto out; 2522 2523 if (head && head_size) { 2524 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2525 if (res) 2526 goto out; 2527 pos += head_size; 2528 } 2529 2530 if (attr && attr_size) { 2531 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2532 if (res) 2533 goto out; 2534 pos += attr_size; 2535 } 2536 2537 if (data && data_size) { 2538 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2539 if (res) 2540 goto out; 2541 } 2542 2543 if (po->temporary) { 2544 /* 2545 * If it's a temporary filename (which it normally is) 2546 * rename into the final filename now that the file is 2547 * fully initialized. 2548 */ 2549 po->temporary = false; 2550 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2551 if (res) { 2552 po->temporary = true; 2553 goto out; 2554 } 2555 /* Update file handle after rename. */ 2556 tee_svc_storage_create_filename(fh->filename, 2557 sizeof(fh->filename), 2558 po, false); 2559 } 2560 2561 out: 2562 if (res) { 2563 rpmb_fs_remove_internal(fh); 2564 free(fh); 2565 } else { 2566 *ret_fh = (struct tee_file_handle *)fh; 2567 } 2568 mutex_unlock(&rpmb_mutex); 2569 2570 return res; 2571 } 2572 2573 const struct tee_file_operations rpmb_fs_ops = { 2574 .open = rpmb_fs_open, 2575 .create = rpmb_fs_create, 2576 .close = rpmb_fs_close, 2577 .read = rpmb_fs_read, 2578 .write = rpmb_fs_write, 2579 .truncate = rpmb_fs_truncate, 2580 .rename = rpmb_fs_rename, 2581 .remove = rpmb_fs_remove, 2582 .opendir = rpmb_fs_opendir, 2583 .closedir = rpmb_fs_closedir, 2584 .readdir = rpmb_fs_readdir, 2585 }; 2586 2587 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2588 struct tee_file_handle **ret_fh) 2589 { 2590 TEE_Result res; 2591 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2592 static const TEE_UUID uuid = { 0 }; 2593 2594 if (!fh) 2595 return TEE_ERROR_OUT_OF_MEMORY; 2596 2597 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2598 2599 mutex_lock(&rpmb_mutex); 2600 2601 res = rpmb_fs_open_internal(fh, &uuid, create); 2602 2603 mutex_unlock(&rpmb_mutex); 2604 2605 if (res) { 2606 if (create) 2607 rpmb_fs_remove_internal(fh); 2608 free(fh); 2609 } else { 2610 *ret_fh = (struct tee_file_handle *)fh; 2611 } 2612 2613 return res; 2614 } 2615