1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <config.h> 8 #include <crypto/crypto.h> 9 #include <kernel/huk_subkey.h> 10 #include <kernel/misc.h> 11 #include <kernel/msg_param.h> 12 #include <kernel/mutex.h> 13 #include <kernel/panic.h> 14 #include <kernel/tee_common.h> 15 #include <kernel/tee_common_otp.h> 16 #include <kernel/tee_misc.h> 17 #include <kernel/thread.h> 18 #include <kernel/user_access.h> 19 #include <mempool.h> 20 #include <mm/core_memprot.h> 21 #include <mm/mobj.h> 22 #include <mm/tee_mm.h> 23 #include <optee_rpc_cmd.h> 24 #include <stdlib.h> 25 #include <string_ext.h> 26 #include <string.h> 27 #include <sys/queue.h> 28 #include <tee/tee_fs.h> 29 #include <tee/tee_fs_key_manager.h> 30 #include <tee/tee_pobj.h> 31 #include <tee/tee_svc_storage.h> 32 #include <trace.h> 33 #include <util.h> 34 35 #define RPMB_STORAGE_START_ADDRESS 0 36 #define RPMB_FS_FAT_START_ADDRESS 512 37 #define RPMB_BLOCK_SIZE_SHIFT 8 38 #define RPMB_CID_PRV_OFFSET 9 39 #define RPMB_CID_CRC_OFFSET 15 40 41 #define RPMB_FS_MAGIC 0x52504D42 42 #define FS_VERSION 2 43 44 #define FILE_IS_ACTIVE (1u << 0) 45 #define FILE_IS_LAST_ENTRY (1u << 1) 46 47 #define TEE_RPMB_FS_FILENAME_LENGTH 224 48 49 #define TMP_BLOCK_SIZE 4096U 50 51 #define RPMB_MAX_RETRIES 10 52 53 /** 54 * Utilized when caching is enabled, i.e., when CFG_RPMB_FS_CACHE_ENTRIES > 0. 55 * Cache size + the number of entries that are repeatedly read in and buffered 56 * once the cache is full. 57 */ 58 #define RPMB_BUF_MAX_ENTRIES (CFG_RPMB_FS_CACHE_ENTRIES + \ 59 CFG_RPMB_FS_RD_ENTRIES) 60 61 /** 62 * FS parameters: Information often used by internal functions. 63 * fat_start_address will be set by rpmb_fs_setup(). 64 * rpmb_fs_parameters can be read by any other function. 65 */ 66 struct rpmb_fs_parameters { 67 uint32_t fat_start_address; 68 uint32_t max_rpmb_address; 69 }; 70 71 /** 72 * File entry for a single file in a RPMB_FS partition. 73 */ 74 struct rpmb_fat_entry { 75 uint32_t start_address; 76 uint32_t data_size; 77 uint32_t flags; 78 uint32_t unused; 79 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 80 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 81 }; 82 83 /** 84 * Structure that describes buffered/cached FAT FS entries in RPMB storage. 85 * This structure is used in functions traversing the FAT FS. 86 */ 87 struct rpmb_fat_entry_dir { 88 /* 89 * Buffer storing the FAT FS entries read in from RPMB storage. It 90 * includes the optional cache entries (CFG_RPMB_FS_CACHE_ENTRIES) 91 * and entries temporary read for current FAT FS traversal 92 * (CFG_RPMB_FS_RD_ENTRIES) when not found from cached entries. 93 */ 94 struct rpmb_fat_entry *rpmb_fat_entry_buf; 95 /* Current index of FAT FS entry to read from buffer. */ 96 uint32_t idx_curr; 97 /* Total number of FAT FS entries in buffer. */ 98 uint32_t num_buffered; 99 /* Total number of FAT FS entries read during traversal. */ 100 uint32_t num_total_read; 101 /* Indicates that last FAT FS entry was read. */ 102 bool last_reached; 103 }; 104 105 /** 106 * FAT entry context with reference to a FAT entry and its 107 * location in RPMB. 108 */ 109 struct rpmb_file_handle { 110 struct rpmb_fat_entry fat_entry; 111 const TEE_UUID *uuid; 112 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 113 /* Address for current entry in RPMB */ 114 uint32_t rpmb_fat_address; 115 }; 116 117 /** 118 * RPMB_FS partition data 119 */ 120 struct rpmb_fs_partition { 121 uint32_t rpmb_fs_magic; 122 uint32_t fs_version; 123 uint32_t write_counter; 124 uint32_t fat_start_address; 125 /* Do not use reserved[] for other purpose than partition data. */ 126 uint8_t reserved[112]; 127 }; 128 129 /** 130 * A node in a list of directory entries. 131 */ 132 struct tee_rpmb_fs_dirent { 133 struct tee_fs_dirent entry; 134 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 135 }; 136 137 /** 138 * The RPMB directory representation. It contains a queue of 139 * RPMB directory entries: 'next'. 140 * The current pointer points to the last directory entry 141 * returned by readdir(). 142 */ 143 struct tee_fs_dir { 144 struct tee_rpmb_fs_dirent *current; 145 /* */ 146 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 147 }; 148 149 static struct rpmb_fs_parameters *fs_par; 150 static struct rpmb_fat_entry_dir *fat_entry_dir; 151 152 /* 153 * Lower interface to RPMB device 154 */ 155 156 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 157 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 158 159 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 160 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 161 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 162 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 163 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 164 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 165 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 166 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 167 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 168 169 #define RPMB_STUFF_DATA_SIZE 196 170 #define RPMB_KEY_MAC_SIZE 32 171 #define RPMB_DATA_SIZE 256 172 #define RPMB_NONCE_SIZE 16 173 #define RPMB_DATA_FRAME_SIZE 512 174 175 #define RPMB_RESULT_OK 0x00 176 #define RPMB_RESULT_GENERAL_FAILURE 0x01 177 #define RPMB_RESULT_AUTH_FAILURE 0x02 178 #define RPMB_RESULT_COUNTER_FAILURE 0x03 179 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 180 #define RPMB_RESULT_WRITE_FAILURE 0x05 181 #define RPMB_RESULT_READ_FAILURE 0x06 182 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 183 #define RPMB_RESULT_MASK 0x3F 184 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 185 186 /* RPMB internal commands */ 187 #define RPMB_CMD_DATA_REQ 0x00 188 #define RPMB_CMD_GET_DEV_INFO 0x01 189 190 #define RPMB_SIZE_SINGLE (128 * 1024) 191 192 /* Error codes for get_dev_info request/response. */ 193 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 194 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 195 196 struct rpmb_data_frame { 197 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 198 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 199 uint8_t data[RPMB_DATA_SIZE]; 200 uint8_t nonce[RPMB_NONCE_SIZE]; 201 uint8_t write_counter[4]; 202 uint8_t address[2]; 203 uint8_t block_count[2]; 204 uint8_t op_result[2]; 205 uint8_t msg_type[2]; 206 }; 207 208 struct rpmb_req { 209 uint16_t cmd; 210 uint16_t dev_id; 211 uint16_t block_count; 212 /* variable length of data */ 213 /* uint8_t data[]; REMOVED! */ 214 }; 215 216 #define TEE_RPMB_REQ_DATA(req) \ 217 ((void *)((struct rpmb_req *)(req) + 1)) 218 219 struct rpmb_raw_data { 220 uint16_t msg_type; 221 uint16_t *op_result; 222 uint16_t *block_count; 223 uint16_t *blk_idx; 224 uint32_t *write_counter; 225 uint8_t *nonce; 226 uint8_t *key_mac; 227 uint8_t *data; 228 /* data length to read or write */ 229 uint32_t len; 230 /* Byte address offset in the first block involved */ 231 uint8_t byte_offset; 232 }; 233 234 #define RPMB_EMMC_CID_SIZE 16 235 struct rpmb_dev_info { 236 uint8_t cid[RPMB_EMMC_CID_SIZE]; 237 /* EXT CSD-slice 168 "RPMB Size" */ 238 uint8_t rpmb_size_mult; 239 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 240 uint8_t rel_wr_sec_c; 241 /* Check the ret code and accept the data only if it is OK. */ 242 uint8_t ret_code; 243 }; 244 245 /* 246 * Struct for rpmb context data. 247 * 248 * @key RPMB key. 249 * @cid eMMC card ID. 250 * @wr_cnt Current write counter. 251 * @max_blk_idx The highest block index supported by current device. 252 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 253 * @dev_id Device ID of the eMMC device. 254 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 255 * @key_derived Flag indicating if key has been generated. 256 * @key_verified Flag indicating the key generated is verified ok. 257 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 258 * @shm_type Indicates type of shared memory to allocate 259 */ 260 struct tee_rpmb_ctx { 261 uint8_t key[RPMB_KEY_MAC_SIZE]; 262 uint8_t cid[RPMB_EMMC_CID_SIZE]; 263 uint32_t wr_cnt; 264 uint16_t max_blk_idx; 265 uint16_t rel_wr_blkcnt; 266 uint16_t dev_id; 267 bool wr_cnt_synced; 268 bool key_derived; 269 bool key_verified; 270 bool dev_info_synced; 271 enum thread_shm_type shm_type; 272 }; 273 274 static struct tee_rpmb_ctx *rpmb_ctx; 275 276 /* If set to true, don't try to access RPMB until rebooted */ 277 static bool rpmb_dead; 278 279 /* 280 * Mutex to serialize the operations exported by this file. 281 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 282 * different IDs. 283 */ 284 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 285 286 #ifdef CFG_RPMB_TESTKEY 287 288 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 289 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 290 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 291 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 292 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 293 }; 294 295 static TEE_Result tee_rpmb_key_gen(uint8_t *key, uint32_t len) 296 { 297 TEE_Result res = TEE_SUCCESS; 298 299 if (!key || RPMB_KEY_MAC_SIZE != len) { 300 res = TEE_ERROR_BAD_PARAMETERS; 301 goto out; 302 } 303 304 DMSG("RPMB: Using test key"); 305 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 306 307 out: 308 return res; 309 } 310 311 #else /* !CFG_RPMB_TESTKEY */ 312 313 static TEE_Result tee_rpmb_key_gen(uint8_t *key, uint32_t len) 314 { 315 uint8_t message[RPMB_EMMC_CID_SIZE]; 316 317 if (!key || RPMB_KEY_MAC_SIZE != len) 318 return TEE_ERROR_BAD_PARAMETERS; 319 320 IMSG("RPMB: Using generated key"); 321 322 /* 323 * PRV/CRC would be changed when doing eMMC FFU 324 * The following fields should be masked off when deriving RPMB key 325 * 326 * CID [55: 48]: PRV (Product revision) 327 * CID [07: 01]: CRC (CRC7 checksum) 328 * CID [00]: not used 329 */ 330 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 331 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 332 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 333 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 334 key, len); 335 } 336 337 #endif /* !CFG_RPMB_TESTKEY */ 338 339 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 340 { 341 *bytes = (uint8_t) (u32 >> 24); 342 *(bytes + 1) = (uint8_t) (u32 >> 16); 343 *(bytes + 2) = (uint8_t) (u32 >> 8); 344 *(bytes + 3) = (uint8_t) u32; 345 } 346 347 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 348 { 349 *u32 = (uint32_t) ((*(bytes) << 24) + 350 (*(bytes + 1) << 16) + 351 (*(bytes + 2) << 8) + (*(bytes + 3))); 352 } 353 354 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 355 { 356 *bytes = (uint8_t) (u16 >> 8); 357 *(bytes + 1) = (uint8_t) u16; 358 } 359 360 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 361 { 362 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 363 } 364 365 static void get_op_result_bits(uint8_t *bytes, uint8_t *res) 366 { 367 *res = *(bytes + 1) & RPMB_RESULT_MASK; 368 } 369 370 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 371 uint8_t *key, uint32_t keysize, 372 struct rpmb_data_frame *datafrms, 373 uint16_t blkcnt) 374 { 375 TEE_Result res = TEE_ERROR_GENERIC; 376 int i; 377 void *ctx = NULL; 378 379 if (!mac || !key || !datafrms) 380 return TEE_ERROR_BAD_PARAMETERS; 381 382 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 383 if (res) 384 return res; 385 386 res = crypto_mac_init(ctx, key, keysize); 387 if (res != TEE_SUCCESS) 388 goto func_exit; 389 390 for (i = 0; i < blkcnt; i++) { 391 res = crypto_mac_update(ctx, datafrms[i].data, 392 RPMB_MAC_PROTECT_DATA_SIZE); 393 if (res != TEE_SUCCESS) 394 goto func_exit; 395 } 396 397 res = crypto_mac_final(ctx, mac, macsize); 398 if (res != TEE_SUCCESS) 399 goto func_exit; 400 401 res = TEE_SUCCESS; 402 403 func_exit: 404 crypto_mac_free_ctx(ctx); 405 return res; 406 } 407 408 struct tee_rpmb_mem { 409 struct mobj *mobj; 410 size_t req_size; 411 size_t resp_size; 412 }; 413 414 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 415 struct tee_rpmb_mem *mem, void **req, void **resp) 416 { 417 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 418 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 419 struct mobj *mobj = NULL; 420 void *va = NULL; 421 422 if (!mem) 423 return TEE_ERROR_BAD_PARAMETERS; 424 425 va = thread_rpc_shm_cache_alloc(THREAD_SHM_CACHE_USER_RPMB, 426 rpmb_ctx->shm_type, req_s + resp_s, 427 &mobj); 428 if (!va) 429 return TEE_ERROR_OUT_OF_MEMORY; 430 431 *mem = (struct tee_rpmb_mem){ 432 .mobj = mobj, 433 .req_size = req_size, 434 .resp_size = resp_size, 435 }; 436 437 *req = mobj_get_va(mem->mobj, 0, req_s); 438 *resp = mobj_get_va(mem->mobj, req_s, resp_s); 439 if (!*req || !*resp) 440 return TEE_ERROR_GENERIC; 441 442 return TEE_SUCCESS; 443 } 444 445 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 446 { 447 struct thread_param params[2] = { 448 [0] = THREAD_PARAM_MEMREF(IN, mem->mobj, 0, mem->req_size), 449 [1] = THREAD_PARAM_MEMREF(OUT, mem->mobj, 450 ROUNDUP(mem->req_size, 451 sizeof(uint32_t)), 452 mem->resp_size), 453 }; 454 455 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 456 } 457 458 static bool is_zero(const uint8_t *buf, size_t size) 459 { 460 size_t i; 461 462 for (i = 0; i < size; i++) 463 if (buf[i]) 464 return false; 465 return true; 466 } 467 468 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 469 uint16_t blk_idx, const uint8_t *fek, 470 const TEE_UUID *uuid) 471 { 472 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 473 blk_idx, fek, TEE_MODE_ENCRYPT); 474 } 475 476 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 477 uint16_t blk_idx, const uint8_t *fek, 478 const TEE_UUID *uuid) 479 { 480 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 481 blk_idx, fek, TEE_MODE_DECRYPT); 482 } 483 484 /* Decrypt/copy at most one block of data */ 485 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 486 size_t size, size_t offset, 487 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 488 const TEE_UUID *uuid) 489 { 490 uint8_t *tmp __maybe_unused; 491 TEE_Result res = TEE_SUCCESS; 492 493 494 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 495 panic("invalid size or offset"); 496 497 if (!fek) { 498 /* Block is not encrypted (not a file data block) */ 499 memcpy(out, frm->data + offset, size); 500 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 501 /* The file was created with encryption disabled */ 502 return TEE_ERROR_SECURITY; 503 } else { 504 /* Block is encrypted */ 505 if (size < RPMB_DATA_SIZE) { 506 /* 507 * Since output buffer is not large enough to hold one 508 * block we must allocate a temporary buffer. 509 */ 510 tmp = malloc(RPMB_DATA_SIZE); 511 if (!tmp) 512 return TEE_ERROR_OUT_OF_MEMORY; 513 res = decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 514 if (res == TEE_SUCCESS) 515 memcpy(out, tmp + offset, size); 516 free(tmp); 517 } else { 518 res = decrypt_block(out, frm->data, blk_idx, fek, uuid); 519 } 520 } 521 522 return res; 523 } 524 525 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 526 struct rpmb_raw_data *rawdata, 527 uint16_t nbr_frms, 528 const uint8_t *fek, const TEE_UUID *uuid) 529 { 530 TEE_Result res = TEE_ERROR_GENERIC; 531 int i; 532 struct rpmb_data_frame *datafrm; 533 534 if (!req || !rawdata || !nbr_frms) 535 return TEE_ERROR_BAD_PARAMETERS; 536 537 /* 538 * Check write blockcount is not bigger than reliable write 539 * blockcount. 540 */ 541 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 542 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 543 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 544 rpmb_ctx->rel_wr_blkcnt); 545 return TEE_ERROR_GENERIC; 546 } 547 548 req->cmd = RPMB_CMD_DATA_REQ; 549 req->dev_id = rpmb_ctx->dev_id; 550 551 /* Allocate memory for construct all data packets and calculate MAC. */ 552 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 553 if (!datafrm) 554 return TEE_ERROR_OUT_OF_MEMORY; 555 556 for (i = 0; i < nbr_frms; i++) { 557 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 558 559 if (rawdata->block_count) 560 u16_to_bytes(*rawdata->block_count, 561 datafrm[i].block_count); 562 563 if (rawdata->blk_idx) { 564 /* Check the block index is within range. */ 565 if ((*rawdata->blk_idx + nbr_frms - 1) > 566 rpmb_ctx->max_blk_idx) { 567 res = TEE_ERROR_GENERIC; 568 goto func_exit; 569 } 570 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 571 } 572 573 if (rawdata->write_counter) 574 u32_to_bytes(*rawdata->write_counter, 575 datafrm[i].write_counter); 576 577 if (rawdata->nonce) 578 memcpy(datafrm[i].nonce, rawdata->nonce, 579 RPMB_NONCE_SIZE); 580 581 if (rawdata->data) { 582 if (fek) { 583 res = encrypt_block(datafrm[i].data, 584 rawdata->data + 585 (i * RPMB_DATA_SIZE), 586 *rawdata->blk_idx + i, 587 fek, uuid); 588 if (res != TEE_SUCCESS) 589 goto func_exit; 590 } else { 591 memcpy(datafrm[i].data, 592 rawdata->data + (i * RPMB_DATA_SIZE), 593 RPMB_DATA_SIZE); 594 } 595 } 596 } 597 598 if (rawdata->key_mac) { 599 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 600 res = 601 tee_rpmb_mac_calc(rawdata->key_mac, 602 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 603 RPMB_KEY_MAC_SIZE, datafrm, 604 nbr_frms); 605 if (res != TEE_SUCCESS) 606 goto func_exit; 607 } 608 memcpy(datafrm[nbr_frms - 1].key_mac, 609 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 610 } 611 612 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 613 nbr_frms * RPMB_DATA_FRAME_SIZE); 614 615 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 616 for (i = 0; i < nbr_frms; i++) { 617 DMSG("Dumping data frame %d:", i); 618 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 619 512 - RPMB_STUFF_DATA_SIZE); 620 } 621 } 622 623 res = TEE_SUCCESS; 624 func_exit: 625 free(datafrm); 626 return res; 627 } 628 629 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 630 struct rpmb_data_frame *frm, 631 const uint8_t *fek, const TEE_UUID *uuid) 632 { 633 TEE_Result res; 634 uint8_t *data; 635 uint16_t idx; 636 637 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 638 return TEE_ERROR_BAD_PARAMETERS; 639 640 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 641 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 642 if (res != TEE_SUCCESS) 643 return res; 644 645 data = rawdata->data; 646 bytes_to_u16(frm->address, &idx); 647 648 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 649 uuid); 650 return res; 651 } 652 653 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 654 struct rpmb_raw_data *rawdata, 655 uint16_t nbr_frms, 656 struct rpmb_data_frame *lastfrm, 657 const uint8_t *fek, 658 const TEE_UUID *uuid) 659 { 660 TEE_Result res = TEE_ERROR_GENERIC; 661 int i; 662 void *ctx = NULL; 663 uint16_t offset; 664 uint32_t size; 665 uint8_t *data; 666 uint16_t start_idx; 667 struct rpmb_data_frame localfrm; 668 669 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 670 return TEE_ERROR_BAD_PARAMETERS; 671 672 if (nbr_frms == 1) 673 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 674 675 /* nbr_frms > 1 */ 676 677 data = rawdata->data; 678 679 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 680 if (res) 681 goto func_exit; 682 683 res = crypto_mac_init(ctx, rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 684 if (res != TEE_SUCCESS) 685 goto func_exit; 686 687 /* 688 * Note: JEDEC JESD84-B51: "In every packet the address is the start 689 * address of the full access (not address of the individual half a 690 * sector)" 691 */ 692 bytes_to_u16(lastfrm->address, &start_idx); 693 694 for (i = 0; i < (nbr_frms - 1); i++) { 695 696 /* 697 * By working on a local copy of the RPMB frame, we ensure that 698 * the data can not be modified after the MAC is computed but 699 * before the payload is decrypted/copied to the output buffer. 700 */ 701 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 702 703 res = crypto_mac_update(ctx, localfrm.data, 704 RPMB_MAC_PROTECT_DATA_SIZE); 705 if (res != TEE_SUCCESS) 706 goto func_exit; 707 708 if (i == 0) { 709 /* First block */ 710 offset = rawdata->byte_offset; 711 size = RPMB_DATA_SIZE - offset; 712 } else { 713 /* Middle blocks */ 714 size = RPMB_DATA_SIZE; 715 offset = 0; 716 } 717 718 res = decrypt(data, &localfrm, size, offset, start_idx + i, 719 fek, uuid); 720 if (res != TEE_SUCCESS) 721 goto func_exit; 722 723 data += size; 724 } 725 726 /* Last block */ 727 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 728 if (size == 0) 729 size = RPMB_DATA_SIZE; 730 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 731 uuid); 732 if (res != TEE_SUCCESS) 733 goto func_exit; 734 735 /* Update MAC against the last block */ 736 res = crypto_mac_update(ctx, lastfrm->data, RPMB_MAC_PROTECT_DATA_SIZE); 737 if (res != TEE_SUCCESS) 738 goto func_exit; 739 740 res = crypto_mac_final(ctx, rawdata->key_mac, RPMB_KEY_MAC_SIZE); 741 if (res != TEE_SUCCESS) 742 goto func_exit; 743 744 res = TEE_SUCCESS; 745 746 func_exit: 747 crypto_mac_free_ctx(ctx); 748 return res; 749 } 750 751 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 752 struct rpmb_raw_data *rawdata, 753 uint16_t nbr_frms, 754 const uint8_t *fek, 755 const TEE_UUID *uuid) 756 { 757 TEE_Result res = TEE_ERROR_GENERIC; 758 uint16_t msg_type; 759 uint32_t wr_cnt; 760 uint16_t blk_idx; 761 uint8_t op_result; 762 struct rpmb_data_frame lastfrm; 763 764 if (!datafrm || !rawdata || !nbr_frms) 765 return TEE_ERROR_BAD_PARAMETERS; 766 767 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 768 size_t i = 0; 769 770 for (i = 0; i < nbr_frms; i++) { 771 DMSG("Dumping data frame %zu:", i); 772 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 773 512 - RPMB_STUFF_DATA_SIZE); 774 } 775 } 776 777 /* Make sure the last data packet can't be modified once verified */ 778 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 779 780 /* Handle operation result and translate to TEEC error code. */ 781 get_op_result_bits(lastfrm.op_result, &op_result); 782 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 783 return TEE_ERROR_ITEM_NOT_FOUND; 784 if (op_result != RPMB_RESULT_OK) 785 return TEE_ERROR_GENERIC; 786 787 /* Check the response msg_type. */ 788 bytes_to_u16(lastfrm.msg_type, &msg_type); 789 if (msg_type != rawdata->msg_type) { 790 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 791 rawdata->msg_type); 792 return TEE_ERROR_GENERIC; 793 } 794 795 if (rawdata->blk_idx) { 796 bytes_to_u16(lastfrm.address, &blk_idx); 797 if (blk_idx != *rawdata->blk_idx) { 798 DMSG("Unexpected block index"); 799 return TEE_ERROR_GENERIC; 800 } 801 } 802 803 if (rawdata->write_counter) { 804 wr_cnt = *rawdata->write_counter; 805 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 806 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 807 /* Verify the write counter is incremented by 1 */ 808 if (*rawdata->write_counter != wr_cnt + 1) { 809 DMSG("Counter mismatched (0x%04x/0x%04x)", 810 *rawdata->write_counter, wr_cnt + 1); 811 return TEE_ERROR_SECURITY; 812 } 813 rpmb_ctx->wr_cnt++; 814 } 815 } 816 817 if (rawdata->nonce) { 818 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 819 RPMB_NONCE_SIZE) != 0) { 820 DMSG("Nonce mismatched"); 821 return TEE_ERROR_SECURITY; 822 } 823 } 824 825 if (rawdata->key_mac) { 826 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 827 if (!rawdata->data) 828 return TEE_ERROR_GENERIC; 829 830 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 831 nbr_frms, &lastfrm, 832 fek, uuid); 833 834 if (res != TEE_SUCCESS) 835 return res; 836 } else { 837 /* 838 * There should be only one data frame for 839 * other msg types. 840 */ 841 if (nbr_frms != 1) 842 return TEE_ERROR_GENERIC; 843 844 res = tee_rpmb_mac_calc(rawdata->key_mac, 845 RPMB_KEY_MAC_SIZE, 846 rpmb_ctx->key, 847 RPMB_KEY_MAC_SIZE, 848 &lastfrm, 1); 849 850 if (res != TEE_SUCCESS) 851 return res; 852 } 853 854 if (consttime_memcmp(rawdata->key_mac, 855 (datafrm + nbr_frms - 1)->key_mac, 856 RPMB_KEY_MAC_SIZE) != 0) { 857 DMSG("MAC mismatched:"); 858 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) 859 DHEXDUMP(rawdata->key_mac, RPMB_KEY_MAC_SIZE); 860 861 return TEE_ERROR_SECURITY; 862 } 863 } 864 865 return TEE_SUCCESS; 866 } 867 868 static TEE_Result tee_rpmb_get_dev_info(struct rpmb_dev_info *dev_info) 869 { 870 TEE_Result res = TEE_ERROR_GENERIC; 871 struct tee_rpmb_mem mem; 872 struct rpmb_dev_info *di; 873 struct rpmb_req *req = NULL; 874 uint8_t *resp = NULL; 875 uint32_t req_size; 876 uint32_t resp_size; 877 878 if (!dev_info) 879 return TEE_ERROR_BAD_PARAMETERS; 880 881 req_size = sizeof(struct rpmb_req); 882 resp_size = sizeof(struct rpmb_dev_info); 883 res = tee_rpmb_alloc(req_size, resp_size, &mem, 884 (void *)&req, (void *)&resp); 885 if (res != TEE_SUCCESS) 886 return res; 887 888 req->cmd = RPMB_CMD_GET_DEV_INFO; 889 mem.req_hdr->dev_id = rpmb_ctx->dev_id; 890 891 di = (struct rpmb_dev_info *)resp; 892 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 893 894 res = tee_rpmb_invoke(&mem); 895 if (res != TEE_SUCCESS) 896 return res; 897 898 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) 899 return TEE_ERROR_GENERIC; 900 901 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 902 903 if (IS_ENABLED(CFG_RPMB_FS_DEBUG_DATA)) { 904 DMSG("Dumping dev_info:"); 905 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 906 } 907 908 return TEE_SUCCESS; 909 } 910 911 static TEE_Result tee_rpmb_init_read_wr_cnt(uint32_t *wr_cnt, 912 uint16_t *op_result) 913 { 914 TEE_Result res = TEE_ERROR_GENERIC; 915 struct tee_rpmb_mem mem; 916 uint16_t msg_type; 917 uint8_t nonce[RPMB_NONCE_SIZE]; 918 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 919 struct rpmb_req *req = NULL; 920 struct rpmb_data_frame *resp = NULL; 921 struct rpmb_raw_data rawdata; 922 uint32_t req_size; 923 uint32_t resp_size; 924 925 if (!wr_cnt) 926 return TEE_ERROR_BAD_PARAMETERS; 927 928 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 929 resp_size = RPMB_DATA_FRAME_SIZE; 930 res = tee_rpmb_alloc(req_size, resp_size, &mem, 931 (void *)&req, (void *)&resp); 932 if (res != TEE_SUCCESS) 933 return res; 934 935 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 936 if (res != TEE_SUCCESS) 937 return res; 938 939 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 940 941 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 942 rawdata.msg_type = msg_type; 943 rawdata.nonce = nonce; 944 945 res = tee_rpmb_req_pack(req, &rawdata, 1, NULL, NULL); 946 if (res != TEE_SUCCESS) 947 return res; 948 949 res = tee_rpmb_invoke(&mem); 950 if (res != TEE_SUCCESS) 951 return res; 952 953 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 954 955 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 956 rawdata.msg_type = msg_type; 957 rawdata.op_result = op_result; 958 rawdata.write_counter = wr_cnt; 959 rawdata.nonce = nonce; 960 rawdata.key_mac = hmac; 961 962 return tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 963 } 964 965 static TEE_Result tee_rpmb_verify_key_sync_counter(void) 966 { 967 uint16_t op_result = 0; 968 TEE_Result res = TEE_ERROR_GENERIC; 969 970 res = tee_rpmb_init_read_wr_cnt(&rpmb_ctx->wr_cnt, &op_result); 971 972 if (res == TEE_SUCCESS) { 973 rpmb_ctx->key_verified = true; 974 rpmb_ctx->wr_cnt_synced = true; 975 } else 976 EMSG("Verify key returning 0x%x", res); 977 return res; 978 } 979 980 #ifdef CFG_RPMB_WRITE_KEY 981 static TEE_Result tee_rpmb_write_key(void) 982 { 983 TEE_Result res = TEE_ERROR_GENERIC; 984 struct tee_rpmb_mem mem = { 0 }; 985 uint16_t msg_type; 986 struct rpmb_req *req = NULL; 987 struct rpmb_data_frame *resp = NULL; 988 struct rpmb_raw_data rawdata; 989 uint32_t req_size; 990 uint32_t resp_size; 991 992 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 993 resp_size = RPMB_DATA_FRAME_SIZE; 994 res = tee_rpmb_alloc(req_size, resp_size, &mem, 995 (void *)&req, (void *)&resp); 996 if (res != TEE_SUCCESS) 997 return res; 998 999 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 1000 1001 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1002 rawdata.msg_type = msg_type; 1003 rawdata.key_mac = rpmb_ctx->key; 1004 1005 res = tee_rpmb_req_pack(req, &rawdata, 1, NULL, NULL); 1006 if (res != TEE_SUCCESS) 1007 return res; 1008 1009 res = tee_rpmb_invoke(&mem); 1010 if (res != TEE_SUCCESS) 1011 return res; 1012 1013 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1014 1015 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1016 rawdata.msg_type = msg_type; 1017 1018 return tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1019 } 1020 1021 static TEE_Result tee_rpmb_write_and_verify_key(void) 1022 { 1023 TEE_Result res; 1024 1025 if (!plat_rpmb_key_is_ready()) { 1026 DMSG("RPMB INIT: platform indicates RPMB key is not ready"); 1027 return TEE_ERROR_BAD_STATE; 1028 } 1029 1030 DMSG("RPMB INIT: Writing Key value:"); 1031 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1032 1033 res = tee_rpmb_write_key(); 1034 if (res == TEE_SUCCESS) { 1035 DMSG("RPMB INIT: Verifying Key"); 1036 res = tee_rpmb_verify_key_sync_counter(); 1037 } 1038 return res; 1039 } 1040 #else 1041 static TEE_Result tee_rpmb_write_and_verify_key(void) 1042 { 1043 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1044 return TEE_ERROR_STORAGE_NOT_AVAILABLE; 1045 } 1046 #endif 1047 1048 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1049 static TEE_Result tee_rpmb_init(void) 1050 { 1051 TEE_Result res = TEE_SUCCESS; 1052 struct rpmb_dev_info dev_info = { }; 1053 uint32_t nblocks = 0; 1054 1055 if (rpmb_dead) 1056 return TEE_ERROR_COMMUNICATION; 1057 1058 if (!rpmb_ctx) { 1059 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1060 if (!rpmb_ctx) 1061 return TEE_ERROR_OUT_OF_MEMORY; 1062 rpmb_ctx->dev_id = CFG_RPMB_FS_DEV_ID; 1063 rpmb_ctx->shm_type = THREAD_SHM_TYPE_APPLICATION; 1064 } 1065 1066 1067 if (!rpmb_ctx->dev_info_synced) { 1068 DMSG("RPMB: Syncing device information"); 1069 1070 dev_info.rpmb_size_mult = 0; 1071 dev_info.rel_wr_sec_c = 0; 1072 res = tee_rpmb_get_dev_info(&dev_info); 1073 if (res != TEE_SUCCESS) 1074 goto func_exit; 1075 1076 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1077 DMSG("RPMB: Reliable Write Sector Count is %d", 1078 dev_info.rel_wr_sec_c); 1079 1080 if (dev_info.rpmb_size_mult == 0) { 1081 res = TEE_ERROR_GENERIC; 1082 goto func_exit; 1083 } 1084 1085 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1086 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1087 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1088 res = TEE_ERROR_BAD_PARAMETERS; 1089 goto func_exit; 1090 } 1091 1092 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1093 1094 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1095 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1096 #else 1097 rpmb_ctx->rel_wr_blkcnt = 1; 1098 #endif 1099 1100 rpmb_ctx->dev_info_synced = true; 1101 } 1102 1103 if (!rpmb_ctx->key_derived) { 1104 DMSG("RPMB INIT: Deriving key"); 1105 1106 res = tee_rpmb_key_gen(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1107 if (res != TEE_SUCCESS) { 1108 EMSG("RPMB INIT: Deriving key failed with error 0x%x", 1109 res); 1110 goto func_exit; 1111 } 1112 1113 rpmb_ctx->key_derived = true; 1114 } 1115 1116 /* Perform a write counter read to verify if the key is ok. */ 1117 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1118 DMSG("RPMB INIT: Verifying Key"); 1119 1120 res = tee_rpmb_verify_key_sync_counter(); 1121 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1122 !rpmb_ctx->key_verified) { 1123 /* 1124 * Need to write the key here and verify it. 1125 */ 1126 DMSG("RPMB INIT: Auth key not yet written"); 1127 res = tee_rpmb_write_and_verify_key(); 1128 } else if (res != TEE_SUCCESS) { 1129 EMSG("Verify key failed!"); 1130 EMSG("Make sure key here matches device key"); 1131 } 1132 } 1133 1134 func_exit: 1135 return res; 1136 } 1137 1138 /* 1139 * Read RPMB data in bytes. 1140 * 1141 * @addr Byte address of data. 1142 * @data Pointer to the data. 1143 * @len Size of data in bytes. 1144 * @fek Encrypted File Encryption Key or NULL. 1145 */ 1146 static TEE_Result tee_rpmb_read(uint32_t addr, uint8_t *data, 1147 uint32_t len, const uint8_t *fek, 1148 const TEE_UUID *uuid) 1149 { 1150 TEE_Result res = TEE_ERROR_GENERIC; 1151 struct tee_rpmb_mem mem = { 0 }; 1152 uint16_t msg_type; 1153 uint8_t nonce[RPMB_NONCE_SIZE]; 1154 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1155 struct rpmb_req *req = NULL; 1156 struct rpmb_data_frame *resp = NULL; 1157 struct rpmb_raw_data rawdata; 1158 uint32_t req_size; 1159 uint32_t resp_size; 1160 uint16_t blk_idx; 1161 uint16_t blkcnt; 1162 uint8_t byte_offset; 1163 1164 if (!data || !len) 1165 return TEE_ERROR_BAD_PARAMETERS; 1166 1167 blk_idx = addr / RPMB_DATA_SIZE; 1168 byte_offset = addr % RPMB_DATA_SIZE; 1169 1170 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1171 /* Overflow */ 1172 return TEE_ERROR_BAD_PARAMETERS; 1173 } 1174 blkcnt = 1175 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1176 res = tee_rpmb_init(); 1177 if (res != TEE_SUCCESS) 1178 return res; 1179 1180 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1181 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1182 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1183 (void *)&req, (void *)&resp); 1184 if (res != TEE_SUCCESS) 1185 return res; 1186 1187 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1188 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1189 if (res != TEE_SUCCESS) 1190 return res; 1191 1192 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1193 rawdata.msg_type = msg_type; 1194 rawdata.nonce = nonce; 1195 rawdata.blk_idx = &blk_idx; 1196 res = tee_rpmb_req_pack(req, &rawdata, 1, NULL, NULL); 1197 if (res != TEE_SUCCESS) 1198 return res; 1199 1200 req->block_count = blkcnt; 1201 1202 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1203 blk_idx); 1204 1205 res = tee_rpmb_invoke(&mem); 1206 if (res != TEE_SUCCESS) 1207 return res; 1208 1209 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1210 1211 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1212 rawdata.msg_type = msg_type; 1213 rawdata.block_count = &blkcnt; 1214 rawdata.blk_idx = &blk_idx; 1215 rawdata.nonce = nonce; 1216 rawdata.key_mac = hmac; 1217 rawdata.data = data; 1218 1219 rawdata.len = len; 1220 rawdata.byte_offset = byte_offset; 1221 1222 return tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1223 } 1224 1225 static TEE_Result write_req(uint16_t blk_idx, 1226 const void *data_blks, uint16_t blkcnt, 1227 const uint8_t *fek, const TEE_UUID *uuid, 1228 struct tee_rpmb_mem *mem, void *req, void *resp) 1229 { 1230 TEE_Result res = TEE_SUCCESS; 1231 uint8_t hmac[RPMB_KEY_MAC_SIZE] = { }; 1232 uint32_t wr_cnt = rpmb_ctx->wr_cnt; 1233 struct rpmb_raw_data rawdata = { }; 1234 size_t retry_count = 0; 1235 1236 assert(mem->req_size <= 1237 sizeof(struct rpmb_req) + blkcnt * RPMB_DATA_FRAME_SIZE); 1238 assert(mem->resp_size <= RPMB_DATA_FRAME_SIZE); 1239 1240 while (true) { 1241 memset(req, 0, mem->req_size); 1242 memset(resp, 0, mem->resp_size); 1243 1244 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1245 rawdata.msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1246 rawdata.block_count = &blkcnt; 1247 rawdata.blk_idx = &blk_idx; 1248 rawdata.write_counter = &wr_cnt; 1249 rawdata.key_mac = hmac; 1250 rawdata.data = (uint8_t *)data_blks; 1251 1252 res = tee_rpmb_req_pack(req, &rawdata, blkcnt, fek, uuid); 1253 if (res) { 1254 /* 1255 * If we haven't tried to send a request yet we can 1256 * allow a failure here since there's no chance of 1257 * an intercepted request with a valid write 1258 * counter. 1259 */ 1260 if (!retry_count) 1261 return res; 1262 1263 retry_count++; 1264 if (retry_count >= RPMB_MAX_RETRIES) 1265 goto out_of_retries; 1266 1267 DMSG("Request pack failed, retrying %zu", retry_count); 1268 continue; 1269 } 1270 1271 res = tee_rpmb_invoke(mem); 1272 if (res != TEE_SUCCESS) { 1273 retry_count++; 1274 if (retry_count >= RPMB_MAX_RETRIES) 1275 goto out_of_retries; 1276 /* 1277 * To force wr_cnt sync next time, as it might get 1278 * out of sync due to inconsistent operation result! 1279 */ 1280 rpmb_ctx->wr_cnt_synced = false; 1281 DMSG("Write invoke failed, retrying %zu", retry_count); 1282 continue; 1283 } 1284 1285 memset(&rawdata, 0, sizeof(struct rpmb_raw_data)); 1286 rawdata.msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1287 rawdata.block_count = &blkcnt; 1288 rawdata.blk_idx = &blk_idx; 1289 rawdata.write_counter = &wr_cnt; 1290 rawdata.key_mac = hmac; 1291 1292 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1293 NULL); 1294 if (res != TEE_SUCCESS) { 1295 retry_count++; 1296 if (retry_count >= RPMB_MAX_RETRIES) 1297 goto out_of_retries; 1298 /* 1299 * To force wr_cnt sync next time, as it might get 1300 * out of sync due to inconsistent operation result! 1301 */ 1302 rpmb_ctx->wr_cnt_synced = false; 1303 DMSG("Write resp unpack verify failed, retrying %zu", 1304 retry_count); 1305 continue; 1306 } 1307 1308 return TEE_SUCCESS; 1309 } 1310 1311 out_of_retries: 1312 rpmb_dead = true; 1313 /* 1314 * We're using this error code to cause an eventuall calling TA to 1315 * panic since we don't know if the data to be written has been 1316 * committed to storage or not. 1317 */ 1318 return TEE_ERROR_COMMUNICATION; 1319 } 1320 1321 static TEE_Result tee_rpmb_write_blk(uint16_t blk_idx, 1322 const uint8_t *data_blks, uint16_t blkcnt, 1323 const uint8_t *fek, const TEE_UUID *uuid) 1324 { 1325 TEE_Result res; 1326 struct tee_rpmb_mem mem; 1327 struct rpmb_req *req = NULL; 1328 struct rpmb_data_frame *resp = NULL; 1329 uint32_t req_size; 1330 uint32_t resp_size; 1331 uint32_t nbr_writes; 1332 uint16_t tmp_blkcnt; 1333 uint16_t tmp_blk_idx; 1334 uint16_t i; 1335 1336 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1337 blk_idx); 1338 1339 if (!data_blks || !blkcnt) 1340 return TEE_ERROR_BAD_PARAMETERS; 1341 1342 res = tee_rpmb_init(); 1343 if (res != TEE_SUCCESS) 1344 return res; 1345 1346 /* 1347 * We need to split data when block count 1348 * is bigger than reliable block write count. 1349 */ 1350 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1351 req_size = sizeof(struct rpmb_req) + 1352 RPMB_DATA_FRAME_SIZE * blkcnt; 1353 else 1354 req_size = sizeof(struct rpmb_req) + 1355 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1356 1357 resp_size = RPMB_DATA_FRAME_SIZE; 1358 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1359 (void *)&req, (void *)&resp); 1360 if (res != TEE_SUCCESS) 1361 return res; 1362 1363 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1364 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1365 nbr_writes += 1; 1366 1367 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1368 tmp_blk_idx = blk_idx; 1369 for (i = 0; i < nbr_writes; i++) { 1370 size_t offs = i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1371 1372 /* 1373 * To handle the last write of block count which is 1374 * equal or smaller than reliable write block count. 1375 */ 1376 if (i == nbr_writes - 1) 1377 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1378 (nbr_writes - 1); 1379 1380 res = write_req(tmp_blk_idx, data_blks + offs, 1381 tmp_blkcnt, fek, uuid, &mem, req, resp); 1382 if (res) 1383 return res; 1384 1385 1386 tmp_blk_idx += tmp_blkcnt; 1387 } 1388 1389 return TEE_SUCCESS; 1390 } 1391 1392 static bool tee_rpmb_write_is_atomic(uint32_t addr, uint32_t len) 1393 { 1394 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1395 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1396 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1397 1398 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1399 } 1400 1401 /* 1402 * Write RPMB data in bytes. 1403 * 1404 * @addr Byte address of data. 1405 * @data Pointer to the data. 1406 * @len Size of data in bytes. 1407 * @fek Encrypted File Encryption Key or NULL. 1408 */ 1409 static TEE_Result tee_rpmb_write(uint32_t addr, 1410 const uint8_t *data, uint32_t len, 1411 const uint8_t *fek, const TEE_UUID *uuid) 1412 { 1413 TEE_Result res = TEE_ERROR_GENERIC; 1414 uint8_t *data_tmp = NULL; 1415 uint16_t blk_idx; 1416 uint16_t blkcnt; 1417 uint8_t byte_offset; 1418 1419 blk_idx = addr / RPMB_DATA_SIZE; 1420 byte_offset = addr % RPMB_DATA_SIZE; 1421 1422 blkcnt = 1423 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1424 1425 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1426 res = tee_rpmb_write_blk(blk_idx, data, blkcnt, fek, uuid); 1427 if (res != TEE_SUCCESS) 1428 goto func_exit; 1429 } else { 1430 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1431 if (!data_tmp) { 1432 res = TEE_ERROR_OUT_OF_MEMORY; 1433 goto func_exit; 1434 } 1435 1436 /* Read the complete blocks */ 1437 res = tee_rpmb_read(blk_idx * RPMB_DATA_SIZE, data_tmp, 1438 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1439 if (res != TEE_SUCCESS) 1440 goto func_exit; 1441 1442 /* Partial update of the data blocks */ 1443 memcpy(data_tmp + byte_offset, data, len); 1444 1445 res = tee_rpmb_write_blk(blk_idx, data_tmp, blkcnt, fek, uuid); 1446 if (res != TEE_SUCCESS) 1447 goto func_exit; 1448 } 1449 1450 res = TEE_SUCCESS; 1451 1452 func_exit: 1453 free(data_tmp); 1454 return res; 1455 } 1456 1457 /* 1458 * Read the RPMB max block. 1459 * 1460 * @counter Pointer to receive the max block. 1461 */ 1462 static TEE_Result tee_rpmb_get_max_block(uint32_t *max_block) 1463 { 1464 TEE_Result res = TEE_SUCCESS; 1465 1466 if (!max_block) 1467 return TEE_ERROR_BAD_PARAMETERS; 1468 1469 if (rpmb_dead) 1470 return TEE_ERROR_COMMUNICATION; 1471 1472 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1473 res = tee_rpmb_init(); 1474 if (res != TEE_SUCCESS) 1475 goto func_exit; 1476 } 1477 1478 *max_block = rpmb_ctx->max_blk_idx; 1479 1480 func_exit: 1481 return res; 1482 } 1483 1484 /* 1485 * End of lower interface to RPMB device 1486 */ 1487 1488 static TEE_Result get_fat_start_address(uint32_t *addr); 1489 static TEE_Result rpmb_fs_setup(void); 1490 1491 /** 1492 * fat_entry_dir_free: Free the FAT entry dir. 1493 */ 1494 static void fat_entry_dir_free(void) 1495 { 1496 if (fat_entry_dir) { 1497 free(fat_entry_dir->rpmb_fat_entry_buf); 1498 free(fat_entry_dir); 1499 fat_entry_dir = NULL; 1500 } 1501 } 1502 1503 /** 1504 * fat_entry_dir_init: Initialize the FAT FS entry buffer/cache 1505 * This function must be called before reading FAT FS entries using the 1506 * function fat_entry_dir_get_next. This initializes the buffer/cache with the 1507 * first FAT FS entries. 1508 */ 1509 static TEE_Result fat_entry_dir_init(void) 1510 { 1511 TEE_Result res = TEE_ERROR_GENERIC; 1512 struct rpmb_fat_entry *fe = NULL; 1513 uint32_t fat_address = 0; 1514 uint32_t num_elems_read = 0; 1515 1516 if (fat_entry_dir) 1517 return TEE_SUCCESS; 1518 1519 res = rpmb_fs_setup(); 1520 if (res) 1521 return res; 1522 1523 res = get_fat_start_address(&fat_address); 1524 if (res) 1525 return res; 1526 1527 fat_entry_dir = calloc(1, sizeof(struct rpmb_fat_entry_dir)); 1528 if (!fat_entry_dir) 1529 return TEE_ERROR_OUT_OF_MEMORY; 1530 1531 /* 1532 * If caching is enabled, read in up to the maximum cache size, but 1533 * never more than the single read in size. Otherwise, read in as many 1534 * entries fit into the temporary buffer. 1535 */ 1536 if (CFG_RPMB_FS_CACHE_ENTRIES) 1537 num_elems_read = MIN(CFG_RPMB_FS_CACHE_ENTRIES, 1538 CFG_RPMB_FS_RD_ENTRIES); 1539 else 1540 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1541 1542 /* 1543 * Allocate memory for the FAT FS entries to read in. 1544 */ 1545 fe = calloc(num_elems_read, sizeof(struct rpmb_fat_entry)); 1546 if (!fe) { 1547 res = TEE_ERROR_OUT_OF_MEMORY; 1548 goto out; 1549 } 1550 1551 res = tee_rpmb_read(fat_address, (uint8_t *)fe, 1552 num_elems_read * sizeof(*fe), NULL, NULL); 1553 if (res) 1554 goto out; 1555 1556 fat_entry_dir->rpmb_fat_entry_buf = fe; 1557 1558 /* 1559 * We use this variable when getting next entries from the buffer/cache 1560 * to see whether we have to read in more entries from storage. 1561 */ 1562 fat_entry_dir->num_buffered = num_elems_read; 1563 1564 return TEE_SUCCESS; 1565 out: 1566 fat_entry_dir_free(); 1567 free(fe); 1568 return res; 1569 } 1570 1571 /** 1572 * fat_entry_dir_deinit: If caching is enabled, free the temporary buffer for 1573 * FAT FS entries in case the cache was too small. Keep the elements in the 1574 * cache. Reset the counter variables to start the next traversal from fresh 1575 * from the first cached entry. If caching is disabled, just free the 1576 * temporary buffer by calling fat_entry_dir_free and return. 1577 */ 1578 static void fat_entry_dir_deinit(void) 1579 { 1580 struct rpmb_fat_entry *fe = NULL; 1581 1582 if (!fat_entry_dir) 1583 return; 1584 1585 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1586 fat_entry_dir_free(); 1587 return; 1588 } 1589 1590 fe = fat_entry_dir->rpmb_fat_entry_buf; 1591 fat_entry_dir->idx_curr = 0; 1592 fat_entry_dir->num_total_read = 0; 1593 fat_entry_dir->last_reached = false; 1594 1595 if (fat_entry_dir->num_buffered > CFG_RPMB_FS_CACHE_ENTRIES) { 1596 fat_entry_dir->num_buffered = CFG_RPMB_FS_CACHE_ENTRIES; 1597 1598 fe = realloc(fe, fat_entry_dir->num_buffered * sizeof(*fe)); 1599 1600 /* 1601 * In case realloc fails, we are on the safe side if we destroy 1602 * the whole structure. Upon the next init, the cache has to be 1603 * re-established, but this case should not happen in practice. 1604 */ 1605 if (!fe) 1606 fat_entry_dir_free(); 1607 else 1608 fat_entry_dir->rpmb_fat_entry_buf = fe; 1609 } 1610 } 1611 1612 /** 1613 * fat_entry_dir_update: Updates a persisted FAT FS entry in the cache. 1614 * This function updates the FAT entry fat_entry that was written to address 1615 * fat_address onto RPMB storage in the cache. 1616 */ 1617 static TEE_Result __maybe_unused fat_entry_dir_update 1618 (struct rpmb_fat_entry *fat_entry, 1619 uint32_t fat_address) 1620 { 1621 uint32_t fat_entry_buf_idx = 0; 1622 /* Use a temp var to avoid compiler warning if caching disabled. */ 1623 uint32_t max_cache_entries = CFG_RPMB_FS_CACHE_ENTRIES; 1624 1625 assert(!((fat_address - RPMB_FS_FAT_START_ADDRESS) % 1626 sizeof(struct rpmb_fat_entry))); 1627 1628 /* Nothing to update if the cache is not initialized. */ 1629 if (!fat_entry_dir) 1630 return TEE_SUCCESS; 1631 1632 fat_entry_buf_idx = (fat_address - RPMB_FS_FAT_START_ADDRESS) / 1633 sizeof(struct rpmb_fat_entry); 1634 1635 /* Only need to write if index points to an entry in cache. */ 1636 if (fat_entry_buf_idx < fat_entry_dir->num_buffered && 1637 fat_entry_buf_idx < max_cache_entries) { 1638 memcpy(fat_entry_dir->rpmb_fat_entry_buf + fat_entry_buf_idx, 1639 fat_entry, sizeof(struct rpmb_fat_entry)); 1640 } 1641 1642 return TEE_SUCCESS; 1643 } 1644 1645 /** 1646 * fat_entry_dir_get_next: Get next FAT FS entry. 1647 * Read either from cache/buffer, or by reading from RPMB storage if the 1648 * elements in the buffer/cache are fully read. When reading in from RPMB 1649 * storage, the buffer is overwritten in case caching is disabled. 1650 * In case caching is enabled, the cache is either further filled, or a 1651 * temporary buffer populated if the cache is already full. 1652 * The FAT FS entry is written to fat_entry. The respective address in RPMB 1653 * storage is written to fat_address, if not NULL. When the last FAT FS entry 1654 * was previously read, the function indicates this case by writing a NULL 1655 * pointer to fat_entry. 1656 * Returns a value different TEE_SUCCESS if the next FAT FS entry could not be 1657 * retrieved. 1658 */ 1659 static TEE_Result fat_entry_dir_get_next(struct rpmb_fat_entry **fat_entry, 1660 uint32_t *fat_address) 1661 { 1662 TEE_Result res = TEE_ERROR_GENERIC; 1663 struct rpmb_fat_entry *fe = NULL; 1664 uint32_t num_elems_read = 0; 1665 uint32_t fat_address_local = 0; 1666 1667 assert(fat_entry_dir && fat_entry); 1668 1669 /* Don't read further if we previously read the last FAT FS entry. */ 1670 if (fat_entry_dir->last_reached) { 1671 *fat_entry = NULL; 1672 return TEE_SUCCESS; 1673 } 1674 1675 fe = fat_entry_dir->rpmb_fat_entry_buf; 1676 1677 /* Determine address of FAT FS entry in RPMB storage. */ 1678 fat_address_local = RPMB_FS_FAT_START_ADDRESS + 1679 (fat_entry_dir->num_total_read * 1680 sizeof(struct rpmb_fat_entry)); 1681 1682 /* 1683 * We've read all so-far buffered elements, so we need to 1684 * read in more entries from RPMB storage. 1685 */ 1686 if (fat_entry_dir->idx_curr >= fat_entry_dir->num_buffered) { 1687 /* 1688 * This is the case where we do not cache entries, so just read 1689 * in next set of FAT FS entries into the buffer. 1690 * Goto the end of the when statement if that is done. 1691 */ 1692 if (!CFG_RPMB_FS_CACHE_ENTRIES) { 1693 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1694 fat_entry_dir->idx_curr = 0; 1695 1696 res = tee_rpmb_read(fat_address_local, (uint8_t *)fe, 1697 num_elems_read * sizeof(*fe), NULL, 1698 NULL); 1699 if (res) 1700 return res; 1701 goto post_read_in; 1702 } 1703 1704 /* 1705 * We cache FAT FS entries, and the buffer is not completely 1706 * filled. Further keep on extending the buffer up to its max 1707 * size by reading in from RPMB. 1708 */ 1709 if (fat_entry_dir->num_total_read < RPMB_BUF_MAX_ENTRIES) { 1710 /* 1711 * Read at most as many elements as fit in the buffer 1712 * and no more than the defined number of entries to 1713 * read in at once. 1714 */ 1715 num_elems_read = MIN(RPMB_BUF_MAX_ENTRIES - 1716 fat_entry_dir->num_total_read, 1717 (uint32_t)CFG_RPMB_FS_RD_ENTRIES); 1718 1719 /* 1720 * Expand the buffer to fit in the additional entries. 1721 */ 1722 fe = realloc(fe, 1723 (fat_entry_dir->num_buffered + 1724 num_elems_read) * sizeof(*fe)); 1725 if (!fe) 1726 return TEE_ERROR_OUT_OF_MEMORY; 1727 1728 fat_entry_dir->rpmb_fat_entry_buf = fe; 1729 1730 /* Read in to the next free slot in the buffer/cache. */ 1731 res = tee_rpmb_read(fat_address_local, 1732 (uint8_t *)(fe + 1733 fat_entry_dir->num_total_read), 1734 num_elems_read * sizeof(*fe), 1735 NULL, NULL); 1736 if (res) 1737 return res; 1738 1739 fat_entry_dir->num_buffered += num_elems_read; 1740 } else { 1741 /* 1742 * This happens when we have read as many elements as 1743 * can possibly fit into the buffer. 1744 * As the first part of the buffer serves as our cache, 1745 * we only overwrite the last part that serves as our 1746 * temporary buffer used to iteratively read in entries 1747 * when the cache is full. Read in the temporary buffer 1748 * maximum size. 1749 */ 1750 num_elems_read = CFG_RPMB_FS_RD_ENTRIES; 1751 /* Reset index to beginning of the temporary buffer. */ 1752 fat_entry_dir->idx_curr = CFG_RPMB_FS_CACHE_ENTRIES; 1753 1754 /* Read in elements after the end of the cache. */ 1755 res = tee_rpmb_read(fat_address_local, 1756 (uint8_t *)(fe + 1757 fat_entry_dir->idx_curr), 1758 num_elems_read * sizeof(*fe), 1759 NULL, NULL); 1760 if (res) 1761 return res; 1762 } 1763 } 1764 1765 post_read_in: 1766 if (fat_address) 1767 *fat_address = fat_address_local; 1768 1769 *fat_entry = fe + fat_entry_dir->idx_curr; 1770 1771 fat_entry_dir->idx_curr++; 1772 fat_entry_dir->num_total_read++; 1773 1774 /* 1775 * Indicate last entry was read. 1776 * Ensures we return a zero value for fat_entry on next invocation. 1777 */ 1778 if ((*fat_entry)->flags & FILE_IS_LAST_ENTRY) 1779 fat_entry_dir->last_reached = true; 1780 1781 return TEE_SUCCESS; 1782 } 1783 1784 #if (TRACE_LEVEL >= TRACE_FLOW) 1785 static void dump_fat(void) 1786 { 1787 TEE_Result res = TEE_ERROR_SECURITY; 1788 struct rpmb_fat_entry *fe = NULL; 1789 1790 if (!fs_par) 1791 return; 1792 1793 if (fat_entry_dir_init()) 1794 return; 1795 1796 while (true) { 1797 res = fat_entry_dir_get_next(&fe, NULL); 1798 if (res || !fe) 1799 break; 1800 1801 FMSG("flags %#"PRIx32", size %"PRIu32", address %#"PRIx32 1802 ", filename '%s'", 1803 fe->flags, fe->data_size, fe->start_address, fe->filename); 1804 } 1805 1806 fat_entry_dir_deinit(); 1807 } 1808 #else 1809 static void dump_fat(void) 1810 { 1811 } 1812 #endif 1813 1814 #if (TRACE_LEVEL >= TRACE_DEBUG) 1815 static void dump_fh(struct rpmb_file_handle *fh) 1816 { 1817 DMSG("fh->filename=%s", fh->filename); 1818 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1819 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1820 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1821 } 1822 #else 1823 static void dump_fh(struct rpmb_file_handle *fh __unused) 1824 { 1825 } 1826 #endif 1827 1828 /* "/TA_uuid/object_id" or "/TA_uuid/.object_id" */ 1829 static TEE_Result create_filename(void *buf, size_t blen, struct tee_pobj *po, 1830 bool transient) 1831 { 1832 uint8_t *file = buf; 1833 uint32_t pos = 0; 1834 uint32_t hslen = 1 /* Leading slash */ 1835 + TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID) + po->obj_id_len) 1836 + 1; /* Intermediate slash */ 1837 1838 /* +1 for the '.' (temporary persistent object) */ 1839 if (transient) 1840 hslen++; 1841 1842 if (blen < hslen) 1843 return TEE_ERROR_SHORT_BUFFER; 1844 1845 file[pos++] = '/'; 1846 pos += tee_b2hs((uint8_t *)&po->uuid, &file[pos], 1847 sizeof(TEE_UUID), hslen); 1848 file[pos++] = '/'; 1849 1850 if (transient) 1851 file[pos++] = '.'; 1852 1853 tee_b2hs(po->obj_id, file + pos, po->obj_id_len, hslen - pos); 1854 1855 return TEE_SUCCESS; 1856 } 1857 1858 /* "/TA_uuid" */ 1859 static TEE_Result create_dirname(void *buf, size_t blen, const TEE_UUID *uuid) 1860 { 1861 uint8_t *dir = buf; 1862 uint32_t hslen = TEE_B2HS_HSBUF_SIZE(sizeof(TEE_UUID)) + 1; 1863 1864 if (blen < hslen) 1865 return TEE_ERROR_SHORT_BUFFER; 1866 1867 dir[0] = '/'; 1868 tee_b2hs((uint8_t *)uuid, dir + 1, sizeof(TEE_UUID), hslen); 1869 1870 return TEE_SUCCESS; 1871 } 1872 1873 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1874 bool temporary) 1875 { 1876 struct rpmb_file_handle *fh = NULL; 1877 1878 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1879 if (!fh) 1880 return NULL; 1881 1882 if (po) 1883 create_filename(fh->filename, sizeof(fh->filename), po, 1884 temporary); 1885 1886 return fh; 1887 } 1888 1889 /** 1890 * write_fat_entry: Store info in a fat_entry to RPMB. 1891 */ 1892 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh) 1893 { 1894 TEE_Result res = TEE_ERROR_GENERIC; 1895 1896 /* Protect partition data. */ 1897 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1898 res = TEE_ERROR_ACCESS_CONFLICT; 1899 goto out; 1900 } 1901 1902 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1903 res = TEE_ERROR_BAD_PARAMETERS; 1904 goto out; 1905 } 1906 1907 res = tee_rpmb_write(fh->rpmb_fat_address, (uint8_t *)&fh->fat_entry, 1908 sizeof(struct rpmb_fat_entry), NULL, NULL); 1909 1910 dump_fat(); 1911 1912 /* If caching enabled, update a successfully written entry in cache. */ 1913 if (CFG_RPMB_FS_CACHE_ENTRIES && !res) 1914 res = fat_entry_dir_update(&fh->fat_entry, 1915 fh->rpmb_fat_address); 1916 1917 out: 1918 return res; 1919 } 1920 1921 /** 1922 * rpmb_fs_setup: Setup RPMB FS. 1923 * Set initial partition and FS values and write to RPMB. 1924 * Store frequently used data in RAM. 1925 */ 1926 static TEE_Result rpmb_fs_setup(void) 1927 { 1928 TEE_Result res = TEE_ERROR_GENERIC; 1929 struct rpmb_fs_partition *partition_data = NULL; 1930 struct rpmb_file_handle *fh = NULL; 1931 uint32_t max_rpmb_block = 0; 1932 1933 if (fs_par) { 1934 res = TEE_SUCCESS; 1935 goto out; 1936 } 1937 1938 res = tee_rpmb_get_max_block(&max_rpmb_block); 1939 if (res != TEE_SUCCESS) 1940 goto out; 1941 1942 /* 1943 * We're going to read a full block in order to have a full block 1944 * for the dummy write below. 1945 */ 1946 COMPILE_TIME_ASSERT(sizeof(struct rpmb_fs_partition) <= 1947 RPMB_DATA_SIZE); 1948 partition_data = calloc(1, RPMB_DATA_SIZE); 1949 if (!partition_data) { 1950 res = TEE_ERROR_OUT_OF_MEMORY; 1951 goto out; 1952 } 1953 1954 res = tee_rpmb_read(RPMB_STORAGE_START_ADDRESS, 1955 (uint8_t *)partition_data, RPMB_DATA_SIZE, 1956 NULL, NULL); 1957 if (res != TEE_SUCCESS) 1958 goto out; 1959 /* 1960 * Perform a write in order to increase the write counter. This 1961 * prevents late usage (replay attack) of a previously blocked 1962 * request with a valid write counter value. 1963 */ 1964 res = tee_rpmb_write(RPMB_STORAGE_START_ADDRESS, 1965 (uint8_t *)partition_data, RPMB_DATA_SIZE, 1966 NULL, NULL); 1967 if (res != TEE_SUCCESS) 1968 goto out; 1969 /* 1970 * We're reading again in case a stale request was committed 1971 * instead of the one issued above. If this succeeds we're in sync 1972 * with the RPMB block since there are no other possible stale 1973 * blocks with valid write counters available. 1974 */ 1975 res = tee_rpmb_read(RPMB_STORAGE_START_ADDRESS, 1976 (uint8_t *)partition_data, 1977 sizeof(struct rpmb_fs_partition), NULL, NULL); 1978 if (res != TEE_SUCCESS) 1979 goto out; 1980 1981 #ifndef CFG_RPMB_RESET_FAT 1982 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1983 if (partition_data->fs_version == FS_VERSION) { 1984 res = TEE_SUCCESS; 1985 goto store_fs_par; 1986 } else { 1987 EMSG("Wrong software is in use."); 1988 res = TEE_ERROR_ACCESS_DENIED; 1989 goto out; 1990 } 1991 } 1992 #else 1993 EMSG("**** Clearing Storage ****"); 1994 #endif 1995 1996 /* Setup new partition data. */ 1997 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1998 partition_data->fs_version = FS_VERSION; 1999 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 2000 2001 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 2002 fh = alloc_file_handle(NULL, false); 2003 if (!fh) { 2004 res = TEE_ERROR_OUT_OF_MEMORY; 2005 goto out; 2006 } 2007 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 2008 fh->rpmb_fat_address = partition_data->fat_start_address; 2009 2010 /* Write init FAT entry and partition data to RPMB. */ 2011 res = write_fat_entry(fh); 2012 if (res != TEE_SUCCESS) 2013 goto out; 2014 2015 res = tee_rpmb_write(RPMB_STORAGE_START_ADDRESS, 2016 (uint8_t *)partition_data, 2017 sizeof(struct rpmb_fs_partition), NULL, NULL); 2018 2019 #ifndef CFG_RPMB_RESET_FAT 2020 store_fs_par: 2021 #endif 2022 2023 /* Store FAT start address. */ 2024 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 2025 if (!fs_par) { 2026 res = TEE_ERROR_OUT_OF_MEMORY; 2027 goto out; 2028 } 2029 2030 fs_par->fat_start_address = partition_data->fat_start_address; 2031 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 2032 2033 dump_fat(); 2034 2035 out: 2036 free(fh); 2037 free(partition_data); 2038 return res; 2039 } 2040 2041 /** 2042 * get_fat_start_address: 2043 * FAT start_address from fs_par. 2044 */ 2045 static TEE_Result get_fat_start_address(uint32_t *addr) 2046 { 2047 if (!fs_par) 2048 return TEE_ERROR_NO_DATA; 2049 2050 *addr = fs_par->fat_start_address; 2051 2052 return TEE_SUCCESS; 2053 } 2054 2055 /** 2056 * read_fat: Read FAT entries 2057 * Return matching FAT entry for read, rm rename and stat. 2058 * Build up memory pool and return matching entry for write operation. 2059 * "Last FAT entry" can be returned during write. 2060 */ 2061 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 2062 { 2063 TEE_Result res = TEE_ERROR_GENERIC; 2064 tee_mm_entry_t *mm = NULL; 2065 struct rpmb_fat_entry *fe = NULL; 2066 uint32_t fat_address; 2067 bool entry_found = false; 2068 bool expand_fat = false; 2069 struct rpmb_file_handle last_fh; 2070 2071 DMSG("fat_address %d", fh->rpmb_fat_address); 2072 2073 res = fat_entry_dir_init(); 2074 if (res) 2075 goto out; 2076 2077 /* 2078 * The pool is used to represent the current RPMB layout. To find 2079 * a slot for the file tee_mm_alloc is called on the pool. Thus 2080 * if it is not NULL the entire FAT must be traversed to fill in 2081 * the pool. 2082 */ 2083 while (true) { 2084 res = fat_entry_dir_get_next(&fe, &fat_address); 2085 if (res || !fe) 2086 break; 2087 2088 /* 2089 * Look for an entry, matching filenames. (read, rm, 2090 * rename and stat.). Only store first filename match. 2091 */ 2092 if ((!strcmp(fh->filename, fe->filename)) && 2093 (fe->flags & FILE_IS_ACTIVE) && !entry_found) { 2094 entry_found = true; 2095 fh->rpmb_fat_address = fat_address; 2096 memcpy(&fh->fat_entry, fe, sizeof(*fe)); 2097 if (!p) 2098 break; 2099 } 2100 2101 /* Add existing files to memory pool. (write) */ 2102 if (p) { 2103 if ((fe->flags & FILE_IS_ACTIVE) && fe->data_size > 0) { 2104 2105 mm = tee_mm_alloc2(p, fe->start_address, 2106 fe->data_size); 2107 if (!mm) { 2108 res = TEE_ERROR_OUT_OF_MEMORY; 2109 goto out; 2110 } 2111 } 2112 2113 /* Unused FAT entries can be reused (write) */ 2114 if (((fe->flags & FILE_IS_ACTIVE) == 0) && 2115 fh->rpmb_fat_address == 0) { 2116 fh->rpmb_fat_address = fat_address; 2117 memcpy(&fh->fat_entry, fe, 2118 sizeof(struct rpmb_fat_entry)); 2119 } 2120 2121 if (((fe->flags & FILE_IS_LAST_ENTRY) != 0) && 2122 fh->rpmb_fat_address == fat_address) { 2123 2124 /* 2125 * If the last entry was reached and was chosen 2126 * by the previous check, then the FAT needs to 2127 * be expanded. 2128 * fh->rpmb_fat_address is the address chosen 2129 * to store the files FAT entry and fat_address 2130 * is the current FAT entry address being 2131 * compared. 2132 */ 2133 expand_fat = true; 2134 } 2135 } 2136 } 2137 2138 if (res) 2139 goto out; 2140 /* 2141 * Represent the FAT table in the pool. 2142 */ 2143 if (p) { 2144 /* 2145 * Since fat_address is the start of the last entry it needs to 2146 * be moved up by an entry. 2147 */ 2148 fat_address += sizeof(struct rpmb_fat_entry); 2149 2150 /* Make room for yet a FAT entry and add to memory pool. */ 2151 if (expand_fat) 2152 fat_address += sizeof(struct rpmb_fat_entry); 2153 2154 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 2155 if (!mm) { 2156 res = TEE_ERROR_OUT_OF_MEMORY; 2157 goto out; 2158 } 2159 2160 if (expand_fat) { 2161 /* 2162 * Point fat_address to the beginning of the new 2163 * entry. 2164 */ 2165 fat_address -= sizeof(struct rpmb_fat_entry); 2166 memset(&last_fh, 0, sizeof(last_fh)); 2167 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 2168 last_fh.rpmb_fat_address = fat_address; 2169 res = write_fat_entry(&last_fh); 2170 if (res != TEE_SUCCESS) 2171 goto out; 2172 } 2173 } 2174 2175 if (!fh->rpmb_fat_address) 2176 res = TEE_ERROR_ITEM_NOT_FOUND; 2177 2178 out: 2179 fat_entry_dir_deinit(); 2180 return res; 2181 } 2182 2183 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 2184 { 2185 TEE_Result res; 2186 2187 again: 2188 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 2189 if (res != TEE_SUCCESS) 2190 return res; 2191 2192 if (is_zero(fe->fek, sizeof(fe->fek))) 2193 goto again; 2194 2195 return res; 2196 } 2197 2198 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 2199 const TEE_UUID *uuid, bool create) 2200 { 2201 tee_mm_pool_t p; 2202 bool pool_result; 2203 paddr_size_t pool_sz = 0; 2204 TEE_Result res = TEE_ERROR_GENERIC; 2205 2206 /* We need to do setup in order to make sure fs_par is filled in */ 2207 res = rpmb_fs_setup(); 2208 if (res != TEE_SUCCESS) 2209 goto out; 2210 2211 fh->uuid = uuid; 2212 if (create) { 2213 /* Upper memory allocation must be used for RPMB_FS. */ 2214 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2215 pool_result = tee_mm_init(&p, 2216 RPMB_STORAGE_START_ADDRESS, 2217 pool_sz, 2218 RPMB_BLOCK_SIZE_SHIFT, 2219 TEE_MM_POOL_HI_ALLOC); 2220 2221 if (!pool_result) { 2222 res = TEE_ERROR_OUT_OF_MEMORY; 2223 goto out; 2224 } 2225 2226 res = read_fat(fh, &p); 2227 tee_mm_final(&p); 2228 if (res != TEE_SUCCESS) 2229 goto out; 2230 } else { 2231 res = read_fat(fh, NULL); 2232 if (res != TEE_SUCCESS) 2233 goto out; 2234 } 2235 2236 /* 2237 * If this is opened with create and the entry found was not active 2238 * then this is a new file and the FAT entry must be written 2239 */ 2240 if (create) { 2241 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 2242 memset(&fh->fat_entry, 0, 2243 sizeof(struct rpmb_fat_entry)); 2244 memcpy(fh->fat_entry.filename, fh->filename, 2245 strlen(fh->filename)); 2246 /* Start address and size are 0 */ 2247 fh->fat_entry.flags = FILE_IS_ACTIVE; 2248 2249 res = generate_fek(&fh->fat_entry, uuid); 2250 if (res != TEE_SUCCESS) 2251 goto out; 2252 DMSG("GENERATE FEK key: %p", 2253 (void *)fh->fat_entry.fek); 2254 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 2255 2256 res = write_fat_entry(fh); 2257 if (res != TEE_SUCCESS) 2258 goto out; 2259 } 2260 } 2261 2262 res = TEE_SUCCESS; 2263 2264 out: 2265 return res; 2266 } 2267 2268 static void rpmb_fs_close(struct tee_file_handle **tfh) 2269 { 2270 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 2271 2272 free(fh); 2273 *tfh = NULL; 2274 } 2275 2276 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 2277 void *buf_core, void *buf_user, size_t *len) 2278 { 2279 TEE_Result res; 2280 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2281 size_t size = *len; 2282 2283 /* One of buf_core and buf_user must be NULL */ 2284 assert(!buf_core || !buf_user); 2285 2286 if (!size) 2287 return TEE_SUCCESS; 2288 2289 mutex_lock(&rpmb_mutex); 2290 2291 dump_fh(fh); 2292 2293 res = read_fat(fh, NULL); 2294 if (res != TEE_SUCCESS) 2295 goto out; 2296 2297 if (pos >= fh->fat_entry.data_size) { 2298 *len = 0; 2299 goto out; 2300 } 2301 2302 size = MIN(size, fh->fat_entry.data_size - pos); 2303 if (size) { 2304 if (buf_core) { 2305 res = tee_rpmb_read(fh->fat_entry.start_address + pos, 2306 buf_core, size, fh->fat_entry.fek, 2307 fh->uuid); 2308 if (res != TEE_SUCCESS) 2309 goto out; 2310 } else if (buf_user) { 2311 uint32_t f = TEE_MEMORY_ACCESS_WRITE; 2312 2313 res = check_user_access(f, buf_user, size); 2314 if (res) 2315 goto out; 2316 enter_user_access(); 2317 res = tee_rpmb_read(fh->fat_entry.start_address + pos, 2318 buf_user, size, fh->fat_entry.fek, 2319 fh->uuid); 2320 exit_user_access(); 2321 if (res) 2322 goto out; 2323 } 2324 } 2325 *len = size; 2326 2327 out: 2328 mutex_unlock(&rpmb_mutex); 2329 return res; 2330 } 2331 2332 static TEE_Result update_write_helper(struct rpmb_file_handle *fh, 2333 size_t pos, const void *buf, 2334 size_t size, uintptr_t new_fat, 2335 size_t new_size) 2336 { 2337 uintptr_t old_fat = fh->fat_entry.start_address; 2338 size_t old_size = fh->fat_entry.data_size; 2339 const uint8_t *rem_buf = buf; 2340 size_t rem_size = size; 2341 uint8_t *blk_buf = NULL; 2342 size_t blk_offset = 0; 2343 size_t blk_size = 0; 2344 TEE_Result res = TEE_SUCCESS; 2345 2346 blk_buf = mempool_alloc(mempool_default, TMP_BLOCK_SIZE); 2347 if (!blk_buf) 2348 return TEE_ERROR_OUT_OF_MEMORY; 2349 2350 while (blk_offset < new_size) { 2351 uint8_t *copy_dst = blk_buf; 2352 size_t copy_size = 0; 2353 size_t rd_size = 0; 2354 2355 blk_size = MIN(TMP_BLOCK_SIZE, new_size - blk_offset); 2356 memset(blk_buf, 0, blk_size); 2357 2358 /* Possibly read old RPMB data in temporary buffer */ 2359 if (blk_offset < pos && blk_offset < old_size) { 2360 rd_size = MIN(blk_size, old_size - blk_offset); 2361 2362 res = tee_rpmb_read(old_fat + blk_offset, blk_buf, 2363 rd_size, fh->fat_entry.fek, 2364 fh->uuid); 2365 if (res != TEE_SUCCESS) 2366 break; 2367 } 2368 2369 /* Possibly update data in temporary buffer */ 2370 if ((blk_offset + TMP_BLOCK_SIZE > pos) && 2371 (blk_offset < pos + size)) { 2372 size_t offset = 0; 2373 2374 copy_dst = blk_buf; 2375 copy_size = TMP_BLOCK_SIZE; 2376 2377 if (blk_offset < pos) { 2378 offset = pos - blk_offset; 2379 2380 copy_dst += offset; 2381 copy_size -= offset; 2382 } 2383 copy_size = MIN(copy_size, rem_size); 2384 2385 memcpy(copy_dst, rem_buf, copy_size); 2386 rem_buf += copy_size; 2387 rem_size -= copy_size; 2388 } 2389 2390 /* Write temporary buffer to new RPMB destination */ 2391 res = tee_rpmb_write(new_fat + blk_offset, blk_buf, blk_size, 2392 fh->fat_entry.fek, fh->uuid); 2393 if (res != TEE_SUCCESS) 2394 break; 2395 2396 blk_offset += blk_size; 2397 } 2398 2399 mempool_free(mempool_default, blk_buf); 2400 2401 return res; 2402 } 2403 2404 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 2405 size_t pos, const void *buf, 2406 size_t size) 2407 { 2408 TEE_Result res = TEE_ERROR_GENERIC; 2409 tee_mm_pool_t p = { }; 2410 bool pool_result = false; 2411 size_t end = 0; 2412 uint32_t start_addr = 0; 2413 paddr_size_t pool_sz = 0; 2414 2415 if (!size) 2416 return TEE_SUCCESS; 2417 2418 if (!fs_par) { 2419 res = TEE_ERROR_GENERIC; 2420 goto out; 2421 } 2422 2423 dump_fh(fh); 2424 2425 /* Upper memory allocation must be used for RPMB_FS. */ 2426 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2427 pool_result = tee_mm_init(&p, 2428 RPMB_STORAGE_START_ADDRESS, 2429 pool_sz, 2430 RPMB_BLOCK_SIZE_SHIFT, 2431 TEE_MM_POOL_HI_ALLOC); 2432 if (!pool_result) { 2433 res = TEE_ERROR_OUT_OF_MEMORY; 2434 goto out; 2435 } 2436 2437 res = read_fat(fh, &p); 2438 if (res != TEE_SUCCESS) 2439 goto out; 2440 2441 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2442 panic("invalid last entry flag"); 2443 2444 if (ADD_OVERFLOW(pos, size, &end)) { 2445 res = TEE_ERROR_BAD_PARAMETERS; 2446 goto out; 2447 } 2448 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2449 res = TEE_ERROR_BAD_PARAMETERS; 2450 goto out; 2451 } 2452 2453 if (end <= fh->fat_entry.data_size && 2454 tee_rpmb_write_is_atomic(start_addr, size)) { 2455 2456 DMSG("Updating data in-place"); 2457 res = tee_rpmb_write(start_addr, buf, 2458 size, fh->fat_entry.fek, fh->uuid); 2459 } else { 2460 /* 2461 * File must be extended, or update cannot be atomic: allocate, 2462 * read, update, write. 2463 */ 2464 size_t new_size = MAX(end, fh->fat_entry.data_size); 2465 tee_mm_entry_t *mm = tee_mm_alloc(&p, new_size); 2466 uintptr_t new_fat_entry = 0; 2467 2468 DMSG("Need to re-allocate"); 2469 if (!mm) { 2470 DMSG("RPMB: No space left"); 2471 res = TEE_ERROR_STORAGE_NO_SPACE; 2472 goto out; 2473 } 2474 2475 new_fat_entry = tee_mm_get_smem(mm); 2476 2477 res = update_write_helper(fh, pos, buf, size, 2478 new_fat_entry, new_size); 2479 if (res == TEE_SUCCESS) { 2480 fh->fat_entry.data_size = new_size; 2481 fh->fat_entry.start_address = new_fat_entry; 2482 2483 res = write_fat_entry(fh); 2484 } 2485 } 2486 2487 out: 2488 if (pool_result) 2489 tee_mm_final(&p); 2490 2491 return res; 2492 } 2493 2494 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2495 const void *buf_core, const void *buf_user, 2496 size_t size) 2497 { 2498 TEE_Result res = TEE_SUCCESS; 2499 2500 /* One of buf_core and buf_user must be NULL */ 2501 assert(!buf_core || !buf_user); 2502 2503 if (!size) 2504 return TEE_SUCCESS; 2505 2506 mutex_lock(&rpmb_mutex); 2507 if (buf_core) { 2508 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2509 pos, buf_core, size); 2510 } else if (buf_user) { 2511 uint32_t f = TEE_MEMORY_ACCESS_READ; 2512 2513 res = check_user_access(f, buf_user, size); 2514 if (res) 2515 goto out; 2516 enter_user_access(); 2517 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, 2518 pos, buf_user, size); 2519 exit_user_access(); 2520 } 2521 out: 2522 mutex_unlock(&rpmb_mutex); 2523 2524 return res; 2525 } 2526 2527 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2528 { 2529 TEE_Result res; 2530 2531 res = read_fat(fh, NULL); 2532 if (res) 2533 return res; 2534 2535 /* Clear this file entry. */ 2536 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2537 return write_fat_entry(fh); 2538 } 2539 2540 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2541 { 2542 TEE_Result res; 2543 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2544 2545 if (!fh) 2546 return TEE_ERROR_OUT_OF_MEMORY; 2547 2548 mutex_lock(&rpmb_mutex); 2549 2550 res = rpmb_fs_remove_internal(fh); 2551 2552 mutex_unlock(&rpmb_mutex); 2553 2554 free(fh); 2555 return res; 2556 } 2557 2558 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2559 struct tee_pobj *new, 2560 bool overwrite) 2561 { 2562 TEE_Result res = TEE_ERROR_GENERIC; 2563 struct rpmb_file_handle *fh_old = NULL; 2564 struct rpmb_file_handle *fh_new = NULL; 2565 2566 if (!old) { 2567 res = TEE_ERROR_BAD_PARAMETERS; 2568 goto out; 2569 } 2570 2571 if (new) 2572 fh_old = alloc_file_handle(old, old->temporary); 2573 else 2574 fh_old = alloc_file_handle(old, true); 2575 if (!fh_old) { 2576 res = TEE_ERROR_OUT_OF_MEMORY; 2577 goto out; 2578 } 2579 2580 if (new) 2581 fh_new = alloc_file_handle(new, new->temporary); 2582 else 2583 fh_new = alloc_file_handle(old, false); 2584 if (!fh_new) { 2585 res = TEE_ERROR_OUT_OF_MEMORY; 2586 goto out; 2587 } 2588 2589 res = read_fat(fh_old, NULL); 2590 if (res != TEE_SUCCESS) 2591 goto out; 2592 2593 res = read_fat(fh_new, NULL); 2594 if (res == TEE_SUCCESS) { 2595 if (!overwrite) { 2596 res = TEE_ERROR_ACCESS_CONFLICT; 2597 goto out; 2598 } 2599 2600 /* Clear this file entry. */ 2601 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2602 res = write_fat_entry(fh_new); 2603 if (res != TEE_SUCCESS) 2604 goto out; 2605 } 2606 2607 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2608 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2609 strlen(fh_new->filename)); 2610 2611 res = write_fat_entry(fh_old); 2612 2613 out: 2614 free(fh_old); 2615 free(fh_new); 2616 2617 return res; 2618 } 2619 2620 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2621 bool overwrite) 2622 { 2623 TEE_Result res; 2624 2625 mutex_lock(&rpmb_mutex); 2626 res = rpmb_fs_rename_internal(old, new, overwrite); 2627 mutex_unlock(&rpmb_mutex); 2628 2629 return res; 2630 } 2631 2632 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2633 { 2634 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2635 tee_mm_pool_t p; 2636 bool pool_result = false; 2637 tee_mm_entry_t *mm; 2638 uint32_t newsize; 2639 uint8_t *newbuf = NULL; 2640 uintptr_t newaddr; 2641 TEE_Result res = TEE_ERROR_GENERIC; 2642 paddr_size_t pool_sz = 0; 2643 2644 mutex_lock(&rpmb_mutex); 2645 2646 if (length > INT32_MAX) { 2647 res = TEE_ERROR_BAD_PARAMETERS; 2648 goto out; 2649 } 2650 newsize = length; 2651 2652 res = read_fat(fh, NULL); 2653 if (res != TEE_SUCCESS) 2654 goto out; 2655 2656 if (newsize > fh->fat_entry.data_size) { 2657 /* Extend file */ 2658 2659 pool_sz = fs_par->max_rpmb_address - RPMB_STORAGE_START_ADDRESS; 2660 pool_result = tee_mm_init(&p, 2661 RPMB_STORAGE_START_ADDRESS, 2662 pool_sz, 2663 RPMB_BLOCK_SIZE_SHIFT, 2664 TEE_MM_POOL_HI_ALLOC); 2665 if (!pool_result) { 2666 res = TEE_ERROR_OUT_OF_MEMORY; 2667 goto out; 2668 } 2669 res = read_fat(fh, &p); 2670 if (res != TEE_SUCCESS) 2671 goto out; 2672 2673 mm = tee_mm_alloc(&p, newsize); 2674 newbuf = calloc(1, newsize); 2675 if (!mm || !newbuf) { 2676 res = TEE_ERROR_OUT_OF_MEMORY; 2677 goto out; 2678 } 2679 2680 if (fh->fat_entry.data_size) { 2681 res = tee_rpmb_read(fh->fat_entry.start_address, 2682 newbuf, fh->fat_entry.data_size, 2683 fh->fat_entry.fek, fh->uuid); 2684 if (res != TEE_SUCCESS) 2685 goto out; 2686 } 2687 2688 newaddr = tee_mm_get_smem(mm); 2689 res = tee_rpmb_write(newaddr, newbuf, 2690 newsize, fh->fat_entry.fek, fh->uuid); 2691 if (res != TEE_SUCCESS) 2692 goto out; 2693 2694 } else { 2695 /* Don't change file location */ 2696 newaddr = fh->fat_entry.start_address; 2697 } 2698 2699 /* fh->pos is unchanged */ 2700 fh->fat_entry.data_size = newsize; 2701 fh->fat_entry.start_address = newaddr; 2702 res = write_fat_entry(fh); 2703 2704 out: 2705 mutex_unlock(&rpmb_mutex); 2706 if (pool_result) 2707 tee_mm_final(&p); 2708 if (newbuf) 2709 free(newbuf); 2710 2711 return res; 2712 } 2713 2714 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2715 { 2716 struct tee_rpmb_fs_dirent *e; 2717 2718 if (!dir) 2719 return; 2720 2721 free(dir->current); 2722 2723 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2724 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2725 free(e); 2726 } 2727 } 2728 2729 static TEE_Result rpmb_fs_dir_populate(const char *path, 2730 struct tee_fs_dir *dir) 2731 { 2732 struct tee_rpmb_fs_dirent *current = NULL; 2733 struct rpmb_fat_entry *fe = NULL; 2734 uint32_t fat_address; 2735 uint32_t filelen; 2736 char *filename; 2737 bool matched; 2738 struct tee_rpmb_fs_dirent *next = NULL; 2739 uint32_t pathlen; 2740 TEE_Result res = TEE_ERROR_GENERIC; 2741 char temp; 2742 2743 mutex_lock(&rpmb_mutex); 2744 2745 res = fat_entry_dir_init(); 2746 if (res) 2747 goto out; 2748 2749 pathlen = strlen(path); 2750 2751 while (true) { 2752 res = fat_entry_dir_get_next(&fe, &fat_address); 2753 if (res || !fe) 2754 break; 2755 2756 filename = fe->filename; 2757 if (fe->flags & FILE_IS_ACTIVE) { 2758 matched = false; 2759 filelen = strlen(filename); 2760 if (filelen > pathlen) { 2761 temp = filename[pathlen]; 2762 filename[pathlen] = '\0'; 2763 if (strcmp(filename, path) == 0) 2764 matched = true; 2765 2766 filename[pathlen] = temp; 2767 } 2768 2769 if (matched) { 2770 next = malloc(sizeof(*next)); 2771 if (!next) { 2772 res = TEE_ERROR_OUT_OF_MEMORY; 2773 goto out; 2774 } 2775 2776 next->entry.oidlen = tee_hs2b((uint8_t *) 2777 &filename[pathlen], 2778 next->entry.oid, 2779 filelen - pathlen, 2780 sizeof(next->entry.oid)); 2781 if (next->entry.oidlen) { 2782 SIMPLEQ_INSERT_TAIL(&dir->next, 2783 next, link); 2784 current = next; 2785 } else { 2786 free(next); 2787 next = NULL; 2788 } 2789 } 2790 } 2791 } 2792 2793 if (res) 2794 goto out; 2795 2796 if (current) 2797 res = TEE_SUCCESS; 2798 else 2799 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2800 2801 out: 2802 mutex_unlock(&rpmb_mutex); 2803 fat_entry_dir_deinit(); 2804 if (res) 2805 rpmb_fs_dir_free(dir); 2806 2807 return res; 2808 } 2809 2810 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2811 { 2812 uint32_t len; 2813 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2814 TEE_Result res = TEE_ERROR_GENERIC; 2815 struct tee_fs_dir *rpmb_dir = NULL; 2816 2817 if (!uuid || !dir) { 2818 res = TEE_ERROR_BAD_PARAMETERS; 2819 goto out; 2820 } 2821 2822 memset(path_local, 0, sizeof(path_local)); 2823 if (create_dirname(path_local, sizeof(path_local) - 1, uuid)) { 2824 res = TEE_ERROR_BAD_PARAMETERS; 2825 goto out; 2826 } 2827 len = strlen(path_local); 2828 2829 /* Add a slash to correctly match the full directory name. */ 2830 if (path_local[len - 1] != '/') 2831 path_local[len] = '/'; 2832 2833 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2834 if (!rpmb_dir) { 2835 res = TEE_ERROR_OUT_OF_MEMORY; 2836 goto out; 2837 } 2838 SIMPLEQ_INIT(&rpmb_dir->next); 2839 2840 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2841 if (res != TEE_SUCCESS) { 2842 free(rpmb_dir); 2843 rpmb_dir = NULL; 2844 goto out; 2845 } 2846 2847 *dir = rpmb_dir; 2848 2849 out: 2850 return res; 2851 } 2852 2853 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2854 struct tee_fs_dirent **ent) 2855 { 2856 if (!dir) 2857 return TEE_ERROR_GENERIC; 2858 2859 free(dir->current); 2860 2861 dir->current = SIMPLEQ_FIRST(&dir->next); 2862 if (!dir->current) 2863 return TEE_ERROR_ITEM_NOT_FOUND; 2864 2865 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2866 2867 *ent = &dir->current->entry; 2868 return TEE_SUCCESS; 2869 } 2870 2871 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2872 { 2873 if (dir) { 2874 rpmb_fs_dir_free(dir); 2875 free(dir); 2876 } 2877 } 2878 2879 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2880 struct tee_file_handle **ret_fh) 2881 { 2882 TEE_Result res; 2883 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2884 2885 if (!fh) 2886 return TEE_ERROR_OUT_OF_MEMORY; 2887 2888 mutex_lock(&rpmb_mutex); 2889 2890 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2891 if (!res && size) 2892 *size = fh->fat_entry.data_size; 2893 2894 mutex_unlock(&rpmb_mutex); 2895 2896 if (res) 2897 free(fh); 2898 else 2899 *ret_fh = (struct tee_file_handle *)fh; 2900 2901 return res; 2902 } 2903 2904 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2905 const void *head, size_t head_size, 2906 const void *attr, size_t attr_size, 2907 const void *data_core, const void *data_user, 2908 size_t data_size, 2909 struct tee_file_handle **ret_fh) 2910 { 2911 TEE_Result res; 2912 size_t pos = 0; 2913 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2914 2915 /* One of data_core and data_user must be NULL */ 2916 assert(!data_core || !data_user); 2917 2918 if (!fh) 2919 return TEE_ERROR_OUT_OF_MEMORY; 2920 2921 mutex_lock(&rpmb_mutex); 2922 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2923 if (res) 2924 goto out; 2925 2926 if (head && head_size) { 2927 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2928 if (res) 2929 goto out; 2930 pos += head_size; 2931 } 2932 2933 if (attr && attr_size) { 2934 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2935 if (res) 2936 goto out; 2937 pos += attr_size; 2938 } 2939 2940 if (data_size) { 2941 if (data_core) { 2942 res = rpmb_fs_write_primitive(fh, pos, data_core, 2943 data_size); 2944 if (res) 2945 goto out; 2946 } else if (data_user) { 2947 uint32_t f = TEE_MEMORY_ACCESS_READ | 2948 TEE_MEMORY_ACCESS_ANY_OWNER; 2949 2950 res = check_user_access(f, data_user, data_size); 2951 if (res) 2952 goto out; 2953 enter_user_access(); 2954 res = rpmb_fs_write_primitive(fh, pos, data_user, 2955 data_size); 2956 exit_user_access(); 2957 if (res) 2958 goto out; 2959 } 2960 } 2961 2962 if (po->temporary) { 2963 /* 2964 * If it's a temporary filename (which it normally is) 2965 * rename into the final filename now that the file is 2966 * fully initialized. 2967 */ 2968 po->temporary = false; 2969 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2970 if (res) { 2971 po->temporary = true; 2972 goto out; 2973 } 2974 /* Update file handle after rename. */ 2975 create_filename(fh->filename, sizeof(fh->filename), po, false); 2976 } 2977 2978 out: 2979 if (res) { 2980 rpmb_fs_remove_internal(fh); 2981 free(fh); 2982 } else { 2983 *ret_fh = (struct tee_file_handle *)fh; 2984 } 2985 mutex_unlock(&rpmb_mutex); 2986 2987 return res; 2988 } 2989 2990 const struct tee_file_operations rpmb_fs_ops = { 2991 .open = rpmb_fs_open, 2992 .create = rpmb_fs_create, 2993 .close = rpmb_fs_close, 2994 .read = rpmb_fs_read, 2995 .write = rpmb_fs_write, 2996 .truncate = rpmb_fs_truncate, 2997 .rename = rpmb_fs_rename, 2998 .remove = rpmb_fs_remove, 2999 .opendir = rpmb_fs_opendir, 3000 .closedir = rpmb_fs_closedir, 3001 .readdir = rpmb_fs_readdir, 3002 }; 3003 3004 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 3005 struct tee_file_handle **ret_fh) 3006 { 3007 TEE_Result res; 3008 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 3009 static const TEE_UUID uuid = { 0 }; 3010 3011 if (!fh) 3012 return TEE_ERROR_OUT_OF_MEMORY; 3013 3014 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 3015 3016 mutex_lock(&rpmb_mutex); 3017 3018 res = rpmb_fs_open_internal(fh, &uuid, create); 3019 3020 mutex_unlock(&rpmb_mutex); 3021 3022 if (res) { 3023 if (create) 3024 rpmb_fs_remove_internal(fh); 3025 free(fh); 3026 } else { 3027 *ret_fh = (struct tee_file_handle *)fh; 3028 } 3029 3030 return res; 3031 } 3032 3033 bool __weak plat_rpmb_key_is_ready(void) 3034 { 3035 return true; 3036 } 3037