1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <kernel/huk_subkey.h> 9 #include <kernel/misc.h> 10 #include <kernel/msg_param.h> 11 #include <kernel/mutex.h> 12 #include <kernel/panic.h> 13 #include <kernel/tee_common.h> 14 #include <kernel/tee_common_otp.h> 15 #include <kernel/tee_misc.h> 16 #include <kernel/thread.h> 17 #include <mm/core_memprot.h> 18 #include <mm/mobj.h> 19 #include <mm/tee_mm.h> 20 #include <optee_rpc_cmd.h> 21 #include <stdlib.h> 22 #include <string_ext.h> 23 #include <string.h> 24 #include <sys/queue.h> 25 #include <tee/tee_fs.h> 26 #include <tee/tee_fs_key_manager.h> 27 #include <tee/tee_pobj.h> 28 #include <tee/tee_svc_storage.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #define RPMB_STORAGE_START_ADDRESS 0 33 #define RPMB_FS_FAT_START_ADDRESS 512 34 #define RPMB_BLOCK_SIZE_SHIFT 8 35 #define RPMB_CID_PRV_OFFSET 9 36 #define RPMB_CID_CRC_OFFSET 15 37 38 #define RPMB_FS_MAGIC 0x52504D42 39 #define FS_VERSION 2 40 #define N_ENTRIES 8 41 42 #define FILE_IS_ACTIVE (1u << 0) 43 #define FILE_IS_LAST_ENTRY (1u << 1) 44 45 #define TEE_RPMB_FS_FILENAME_LENGTH 224 46 47 /** 48 * FS parameters: Information often used by internal functions. 49 * fat_start_address will be set by rpmb_fs_setup(). 50 * rpmb_fs_parameters can be read by any other function. 51 */ 52 struct rpmb_fs_parameters { 53 uint32_t fat_start_address; 54 uint32_t max_rpmb_address; 55 }; 56 57 /** 58 * File entry for a single file in a RPMB_FS partition. 59 */ 60 struct rpmb_fat_entry { 61 uint32_t start_address; 62 uint32_t data_size; 63 uint32_t flags; 64 uint32_t write_counter; 65 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 66 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 67 }; 68 69 /** 70 * FAT entry context with reference to a FAT entry and its 71 * location in RPMB. 72 */ 73 struct rpmb_file_handle { 74 struct rpmb_fat_entry fat_entry; 75 const TEE_UUID *uuid; 76 char filename[TEE_RPMB_FS_FILENAME_LENGTH]; 77 /* Address for current entry in RPMB */ 78 uint32_t rpmb_fat_address; 79 }; 80 81 /** 82 * RPMB_FS partition data 83 */ 84 struct rpmb_fs_partition { 85 uint32_t rpmb_fs_magic; 86 uint32_t fs_version; 87 uint32_t write_counter; 88 uint32_t fat_start_address; 89 /* Do not use reserved[] for other purpose than partition data. */ 90 uint8_t reserved[112]; 91 }; 92 93 /** 94 * A node in a list of directory entries. 95 */ 96 struct tee_rpmb_fs_dirent { 97 struct tee_fs_dirent entry; 98 SIMPLEQ_ENTRY(tee_rpmb_fs_dirent) link; 99 }; 100 101 /** 102 * The RPMB directory representation. It contains a queue of 103 * RPMB directory entries: 'next'. 104 * The current pointer points to the last directory entry 105 * returned by readdir(). 106 */ 107 struct tee_fs_dir { 108 struct tee_rpmb_fs_dirent *current; 109 /* */ 110 SIMPLEQ_HEAD(next_head, tee_rpmb_fs_dirent) next; 111 }; 112 113 static struct rpmb_fs_parameters *fs_par; 114 115 /* 116 * Lower interface to RPMB device 117 */ 118 119 #define RPMB_DATA_OFFSET (RPMB_STUFF_DATA_SIZE + RPMB_KEY_MAC_SIZE) 120 #define RPMB_MAC_PROTECT_DATA_SIZE (RPMB_DATA_FRAME_SIZE - RPMB_DATA_OFFSET) 121 122 #define RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM 0x0001 123 #define RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ 0x0002 124 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE 0x0003 125 #define RPMB_MSG_TYPE_REQ_AUTH_DATA_READ 0x0004 126 #define RPMB_MSG_TYPE_REQ_RESULT_READ 0x0005 127 #define RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM 0x0100 128 #define RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ 0x0200 129 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE 0x0300 130 #define RPMB_MSG_TYPE_RESP_AUTH_DATA_READ 0x0400 131 132 #define RPMB_STUFF_DATA_SIZE 196 133 #define RPMB_KEY_MAC_SIZE 32 134 #define RPMB_DATA_SIZE 256 135 #define RPMB_NONCE_SIZE 16 136 #define RPMB_DATA_FRAME_SIZE 512 137 138 #define RPMB_RESULT_OK 0x00 139 #define RPMB_RESULT_GENERAL_FAILURE 0x01 140 #define RPMB_RESULT_AUTH_FAILURE 0x02 141 #define RPMB_RESULT_COUNTER_FAILURE 0x03 142 #define RPMB_RESULT_ADDRESS_FAILURE 0x04 143 #define RPMB_RESULT_WRITE_FAILURE 0x05 144 #define RPMB_RESULT_READ_FAILURE 0x06 145 #define RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED 0x07 146 #define RPMB_RESULT_MASK 0x3F 147 #define RPMB_RESULT_WR_CNT_EXPIRED 0x80 148 149 /* RPMB internal commands */ 150 #define RPMB_CMD_DATA_REQ 0x00 151 #define RPMB_CMD_GET_DEV_INFO 0x01 152 153 #define RPMB_SIZE_SINGLE (128 * 1024) 154 155 /* Error codes for get_dev_info request/response. */ 156 #define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00 157 #define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01 158 159 struct rpmb_data_frame { 160 uint8_t stuff_bytes[RPMB_STUFF_DATA_SIZE]; 161 uint8_t key_mac[RPMB_KEY_MAC_SIZE]; 162 uint8_t data[RPMB_DATA_SIZE]; 163 uint8_t nonce[RPMB_NONCE_SIZE]; 164 uint8_t write_counter[4]; 165 uint8_t address[2]; 166 uint8_t block_count[2]; 167 uint8_t op_result[2]; 168 uint8_t msg_type[2]; 169 }; 170 171 struct rpmb_req { 172 uint16_t cmd; 173 uint16_t dev_id; 174 uint16_t block_count; 175 /* variable length of data */ 176 /* uint8_t data[]; REMOVED! */ 177 }; 178 179 #define TEE_RPMB_REQ_DATA(req) \ 180 ((void *)((struct rpmb_req *)(req) + 1)) 181 182 struct rpmb_raw_data { 183 uint16_t msg_type; 184 uint16_t *op_result; 185 uint16_t *block_count; 186 uint16_t *blk_idx; 187 uint32_t *write_counter; 188 uint8_t *nonce; 189 uint8_t *key_mac; 190 uint8_t *data; 191 /* data length to read or write */ 192 uint32_t len; 193 /* Byte address offset in the first block involved */ 194 uint8_t byte_offset; 195 }; 196 197 #define RPMB_EMMC_CID_SIZE 16 198 struct rpmb_dev_info { 199 uint8_t cid[RPMB_EMMC_CID_SIZE]; 200 /* EXT CSD-slice 168 "RPMB Size" */ 201 uint8_t rpmb_size_mult; 202 /* EXT CSD-slice 222 "Reliable Write Sector Count" */ 203 uint8_t rel_wr_sec_c; 204 /* Check the ret code and accept the data only if it is OK. */ 205 uint8_t ret_code; 206 }; 207 208 /* 209 * Struct for rpmb context data. 210 * 211 * @key RPMB key. 212 * @cid eMMC card ID. 213 * @wr_cnt Current write counter. 214 * @max_blk_idx The highest block index supported by current device. 215 * @rel_wr_blkcnt Max number of data blocks for each reliable write. 216 * @dev_id Device ID of the eMMC device. 217 * @wr_cnt_synced Flag indicating if write counter is synced to RPMB. 218 * @key_derived Flag indicating if key has been generated. 219 * @key_verified Flag indicating the key generated is verified ok. 220 * @dev_info_synced Flag indicating if dev info has been retrieved from RPMB. 221 */ 222 struct tee_rpmb_ctx { 223 uint8_t key[RPMB_KEY_MAC_SIZE]; 224 uint8_t cid[RPMB_EMMC_CID_SIZE]; 225 uint32_t wr_cnt; 226 uint16_t max_blk_idx; 227 uint16_t rel_wr_blkcnt; 228 uint16_t dev_id; 229 bool wr_cnt_synced; 230 bool key_derived; 231 bool key_verified; 232 bool dev_info_synced; 233 }; 234 235 static struct tee_rpmb_ctx *rpmb_ctx; 236 237 /* 238 * Mutex to serialize the operations exported by this file. 239 * It protects rpmb_ctx and prevents overlapping operations on eMMC devices with 240 * different IDs. 241 */ 242 static struct mutex rpmb_mutex = MUTEX_INITIALIZER; 243 244 #ifdef CFG_RPMB_TESTKEY 245 246 static const uint8_t rpmb_test_key[RPMB_KEY_MAC_SIZE] = { 247 0xD3, 0xEB, 0x3E, 0xC3, 0x6E, 0x33, 0x4C, 0x9F, 248 0x98, 0x8C, 0xE2, 0xC0, 0xB8, 0x59, 0x54, 0x61, 249 0x0D, 0x2B, 0xCF, 0x86, 0x64, 0x84, 0x4D, 0xF2, 250 0xAB, 0x56, 0xE6, 0xC6, 0x1B, 0xB7, 0x01, 0xE4 251 }; 252 253 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 254 uint8_t *key, uint32_t len) 255 { 256 TEE_Result res = TEE_SUCCESS; 257 258 if (!key || RPMB_KEY_MAC_SIZE != len) { 259 res = TEE_ERROR_BAD_PARAMETERS; 260 goto out; 261 } 262 263 DMSG("RPMB: Using test key"); 264 memcpy(key, rpmb_test_key, RPMB_KEY_MAC_SIZE); 265 266 out: 267 return res; 268 } 269 270 #else /* !CFG_RPMB_TESTKEY */ 271 272 static TEE_Result tee_rpmb_key_gen(uint16_t dev_id __unused, 273 uint8_t *key, uint32_t len) 274 { 275 uint8_t message[RPMB_EMMC_CID_SIZE]; 276 277 if (!key || RPMB_KEY_MAC_SIZE != len) 278 return TEE_ERROR_BAD_PARAMETERS; 279 280 IMSG("RPMB: Using generated key"); 281 282 /* 283 * PRV/CRC would be changed when doing eMMC FFU 284 * The following fields should be masked off when deriving RPMB key 285 * 286 * CID [55: 48]: PRV (Product revision) 287 * CID [07: 01]: CRC (CRC7 checksum) 288 * CID [00]: not used 289 */ 290 memcpy(message, rpmb_ctx->cid, RPMB_EMMC_CID_SIZE); 291 memset(message + RPMB_CID_PRV_OFFSET, 0, 1); 292 memset(message + RPMB_CID_CRC_OFFSET, 0, 1); 293 return huk_subkey_derive(HUK_SUBKEY_RPMB, message, sizeof(message), 294 key, len); 295 } 296 297 #endif /* !CFG_RPMB_TESTKEY */ 298 299 static void u32_to_bytes(uint32_t u32, uint8_t *bytes) 300 { 301 *bytes = (uint8_t) (u32 >> 24); 302 *(bytes + 1) = (uint8_t) (u32 >> 16); 303 *(bytes + 2) = (uint8_t) (u32 >> 8); 304 *(bytes + 3) = (uint8_t) u32; 305 } 306 307 static void bytes_to_u32(uint8_t *bytes, uint32_t *u32) 308 { 309 *u32 = (uint32_t) ((*(bytes) << 24) + 310 (*(bytes + 1) << 16) + 311 (*(bytes + 2) << 8) + (*(bytes + 3))); 312 } 313 314 static void u16_to_bytes(uint16_t u16, uint8_t *bytes) 315 { 316 *bytes = (uint8_t) (u16 >> 8); 317 *(bytes + 1) = (uint8_t) u16; 318 } 319 320 static void bytes_to_u16(uint8_t *bytes, uint16_t *u16) 321 { 322 *u16 = (uint16_t) ((*bytes << 8) + *(bytes + 1)); 323 } 324 325 static TEE_Result tee_rpmb_mac_calc(uint8_t *mac, uint32_t macsize, 326 uint8_t *key, uint32_t keysize, 327 struct rpmb_data_frame *datafrms, 328 uint16_t blkcnt) 329 { 330 TEE_Result res = TEE_ERROR_GENERIC; 331 int i; 332 void *ctx = NULL; 333 334 if (!mac || !key || !datafrms) 335 return TEE_ERROR_BAD_PARAMETERS; 336 337 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 338 if (res) 339 return res; 340 341 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, key, keysize); 342 if (res != TEE_SUCCESS) 343 goto func_exit; 344 345 for (i = 0; i < blkcnt; i++) { 346 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, 347 datafrms[i].data, 348 RPMB_MAC_PROTECT_DATA_SIZE); 349 if (res != TEE_SUCCESS) 350 goto func_exit; 351 } 352 353 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, mac, macsize); 354 if (res != TEE_SUCCESS) 355 goto func_exit; 356 357 res = TEE_SUCCESS; 358 359 func_exit: 360 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 361 return res; 362 } 363 364 struct tee_rpmb_mem { 365 struct mobj *phreq_mobj; 366 struct mobj *phresp_mobj; 367 size_t req_size; 368 size_t resp_size; 369 }; 370 371 static void tee_rpmb_free(struct tee_rpmb_mem *mem) 372 { 373 if (!mem) 374 return; 375 376 if (mem->phreq_mobj) { 377 thread_rpc_free_payload(mem->phreq_mobj); 378 mem->phreq_mobj = NULL; 379 } 380 if (mem->phresp_mobj) { 381 thread_rpc_free_payload(mem->phresp_mobj); 382 mem->phresp_mobj = NULL; 383 } 384 } 385 386 387 static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size, 388 struct tee_rpmb_mem *mem, void **req, void **resp) 389 { 390 TEE_Result res = TEE_SUCCESS; 391 size_t req_s = ROUNDUP(req_size, sizeof(uint32_t)); 392 size_t resp_s = ROUNDUP(resp_size, sizeof(uint32_t)); 393 394 if (!mem) 395 return TEE_ERROR_BAD_PARAMETERS; 396 397 memset(mem, 0, sizeof(*mem)); 398 399 mem->phreq_mobj = thread_rpc_alloc_payload(req_s); 400 mem->phresp_mobj = thread_rpc_alloc_payload(resp_s); 401 402 if (!mem->phreq_mobj || !mem->phresp_mobj) { 403 res = TEE_ERROR_OUT_OF_MEMORY; 404 goto out; 405 } 406 407 *req = mobj_get_va(mem->phreq_mobj, 0); 408 *resp = mobj_get_va(mem->phresp_mobj, 0); 409 if (!*req || !*resp) { 410 res = TEE_ERROR_GENERIC; 411 goto out; 412 } 413 414 mem->req_size = req_size; 415 mem->resp_size = resp_size; 416 417 out: 418 if (res != TEE_SUCCESS) 419 tee_rpmb_free(mem); 420 return res; 421 } 422 423 static TEE_Result tee_rpmb_invoke(struct tee_rpmb_mem *mem) 424 { 425 struct thread_param params[2] = { 426 [0] = THREAD_PARAM_MEMREF(IN, mem->phreq_mobj, 0, 427 mem->req_size), 428 [1] = THREAD_PARAM_MEMREF(OUT, mem->phresp_mobj, 0, 429 mem->resp_size), 430 }; 431 432 return thread_rpc_cmd(OPTEE_RPC_CMD_RPMB, 2, params); 433 } 434 435 static bool is_zero(const uint8_t *buf, size_t size) 436 { 437 size_t i; 438 439 for (i = 0; i < size; i++) 440 if (buf[i]) 441 return false; 442 return true; 443 } 444 445 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in, 446 uint16_t blk_idx, const uint8_t *fek, 447 const TEE_UUID *uuid) 448 { 449 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 450 blk_idx, fek, TEE_MODE_ENCRYPT); 451 } 452 453 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in, 454 uint16_t blk_idx, const uint8_t *fek, 455 const TEE_UUID *uuid) 456 { 457 return tee_fs_crypt_block(uuid, out, in, RPMB_DATA_SIZE, 458 blk_idx, fek, TEE_MODE_DECRYPT); 459 } 460 461 /* Decrypt/copy at most one block of data */ 462 static TEE_Result decrypt(uint8_t *out, const struct rpmb_data_frame *frm, 463 size_t size, size_t offset, 464 uint16_t blk_idx __maybe_unused, const uint8_t *fek, 465 const TEE_UUID *uuid) 466 { 467 uint8_t *tmp __maybe_unused; 468 469 470 if ((size + offset < size) || (size + offset > RPMB_DATA_SIZE)) 471 panic("invalid size or offset"); 472 473 if (!fek) { 474 /* Block is not encrypted (not a file data block) */ 475 memcpy(out, frm->data + offset, size); 476 } else if (is_zero(fek, TEE_FS_KM_FEK_SIZE)) { 477 /* The file was created with encryption disabled */ 478 return TEE_ERROR_SECURITY; 479 } else { 480 /* Block is encrypted */ 481 if (size < RPMB_DATA_SIZE) { 482 /* 483 * Since output buffer is not large enough to hold one 484 * block we must allocate a temporary buffer. 485 */ 486 tmp = malloc(RPMB_DATA_SIZE); 487 if (!tmp) 488 return TEE_ERROR_OUT_OF_MEMORY; 489 decrypt_block(tmp, frm->data, blk_idx, fek, uuid); 490 memcpy(out, tmp + offset, size); 491 free(tmp); 492 } else { 493 decrypt_block(out, frm->data, blk_idx, fek, uuid); 494 } 495 } 496 497 return TEE_SUCCESS; 498 } 499 500 static TEE_Result tee_rpmb_req_pack(struct rpmb_req *req, 501 struct rpmb_raw_data *rawdata, 502 uint16_t nbr_frms, uint16_t dev_id, 503 const uint8_t *fek, const TEE_UUID *uuid) 504 { 505 TEE_Result res = TEE_ERROR_GENERIC; 506 int i; 507 struct rpmb_data_frame *datafrm; 508 509 if (!req || !rawdata || !nbr_frms) 510 return TEE_ERROR_BAD_PARAMETERS; 511 512 /* 513 * Check write blockcount is not bigger than reliable write 514 * blockcount. 515 */ 516 if ((rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) && 517 (nbr_frms > rpmb_ctx->rel_wr_blkcnt)) { 518 DMSG("wr_blkcnt(%d) > rel_wr_blkcnt(%d)", nbr_frms, 519 rpmb_ctx->rel_wr_blkcnt); 520 return TEE_ERROR_GENERIC; 521 } 522 523 req->cmd = RPMB_CMD_DATA_REQ; 524 req->dev_id = dev_id; 525 526 /* Allocate memory for construct all data packets and calculate MAC. */ 527 datafrm = calloc(nbr_frms, RPMB_DATA_FRAME_SIZE); 528 if (!datafrm) 529 return TEE_ERROR_OUT_OF_MEMORY; 530 531 for (i = 0; i < nbr_frms; i++) { 532 u16_to_bytes(rawdata->msg_type, datafrm[i].msg_type); 533 534 if (rawdata->block_count) 535 u16_to_bytes(*rawdata->block_count, 536 datafrm[i].block_count); 537 538 if (rawdata->blk_idx) { 539 /* Check the block index is within range. */ 540 if ((*rawdata->blk_idx + nbr_frms) > 541 rpmb_ctx->max_blk_idx) { 542 res = TEE_ERROR_GENERIC; 543 goto func_exit; 544 } 545 u16_to_bytes(*rawdata->blk_idx, datafrm[i].address); 546 } 547 548 if (rawdata->write_counter) 549 u32_to_bytes(*rawdata->write_counter, 550 datafrm[i].write_counter); 551 552 if (rawdata->nonce) 553 memcpy(datafrm[i].nonce, rawdata->nonce, 554 RPMB_NONCE_SIZE); 555 556 if (rawdata->data) { 557 if (fek) 558 encrypt_block(datafrm[i].data, 559 rawdata->data + (i * RPMB_DATA_SIZE), 560 *rawdata->blk_idx + i, fek, uuid); 561 else 562 memcpy(datafrm[i].data, 563 rawdata->data + (i * RPMB_DATA_SIZE), 564 RPMB_DATA_SIZE); 565 } 566 } 567 568 if (rawdata->key_mac) { 569 if (rawdata->msg_type == RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE) { 570 res = 571 tee_rpmb_mac_calc(rawdata->key_mac, 572 RPMB_KEY_MAC_SIZE, rpmb_ctx->key, 573 RPMB_KEY_MAC_SIZE, datafrm, 574 nbr_frms); 575 if (res != TEE_SUCCESS) 576 goto func_exit; 577 } 578 memcpy(datafrm[nbr_frms - 1].key_mac, 579 rawdata->key_mac, RPMB_KEY_MAC_SIZE); 580 } 581 582 memcpy(TEE_RPMB_REQ_DATA(req), datafrm, 583 nbr_frms * RPMB_DATA_FRAME_SIZE); 584 585 #ifdef CFG_RPMB_FS_DEBUG_DATA 586 for (i = 0; i < nbr_frms; i++) { 587 DMSG("Dumping data frame %d:", i); 588 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 589 512 - RPMB_STUFF_DATA_SIZE); 590 } 591 #endif 592 593 res = TEE_SUCCESS; 594 func_exit: 595 free(datafrm); 596 return res; 597 } 598 599 static TEE_Result data_cpy_mac_calc_1b(struct rpmb_raw_data *rawdata, 600 struct rpmb_data_frame *frm, 601 const uint8_t *fek, const TEE_UUID *uuid) 602 { 603 TEE_Result res; 604 uint8_t *data; 605 uint16_t idx; 606 607 if (rawdata->len + rawdata->byte_offset > RPMB_DATA_SIZE) 608 return TEE_ERROR_BAD_PARAMETERS; 609 610 res = tee_rpmb_mac_calc(rawdata->key_mac, RPMB_KEY_MAC_SIZE, 611 rpmb_ctx->key, RPMB_KEY_MAC_SIZE, frm, 1); 612 if (res != TEE_SUCCESS) 613 return res; 614 615 data = rawdata->data; 616 bytes_to_u16(frm->address, &idx); 617 618 res = decrypt(data, frm, rawdata->len, rawdata->byte_offset, idx, fek, 619 uuid); 620 return res; 621 } 622 623 static TEE_Result tee_rpmb_data_cpy_mac_calc(struct rpmb_data_frame *datafrm, 624 struct rpmb_raw_data *rawdata, 625 uint16_t nbr_frms, 626 struct rpmb_data_frame *lastfrm, 627 const uint8_t *fek, 628 const TEE_UUID *uuid) 629 { 630 TEE_Result res = TEE_ERROR_GENERIC; 631 int i; 632 void *ctx = NULL; 633 uint16_t offset; 634 uint32_t size; 635 uint8_t *data; 636 uint16_t start_idx; 637 struct rpmb_data_frame localfrm; 638 639 if (!datafrm || !rawdata || !nbr_frms || !lastfrm) 640 return TEE_ERROR_BAD_PARAMETERS; 641 642 if (nbr_frms == 1) 643 return data_cpy_mac_calc_1b(rawdata, lastfrm, fek, uuid); 644 645 /* nbr_frms > 1 */ 646 647 data = rawdata->data; 648 649 res = crypto_mac_alloc_ctx(&ctx, TEE_ALG_HMAC_SHA256); 650 if (res) 651 goto func_exit; 652 653 res = crypto_mac_init(ctx, TEE_ALG_HMAC_SHA256, rpmb_ctx->key, 654 RPMB_KEY_MAC_SIZE); 655 if (res != TEE_SUCCESS) 656 goto func_exit; 657 658 /* 659 * Note: JEDEC JESD84-B51: "In every packet the address is the start 660 * address of the full access (not address of the individual half a 661 * sector)" 662 */ 663 bytes_to_u16(lastfrm->address, &start_idx); 664 665 for (i = 0; i < (nbr_frms - 1); i++) { 666 667 /* 668 * By working on a local copy of the RPMB frame, we ensure that 669 * the data can not be modified after the MAC is computed but 670 * before the payload is decrypted/copied to the output buffer. 671 */ 672 memcpy(&localfrm, &datafrm[i], RPMB_DATA_FRAME_SIZE); 673 674 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, localfrm.data, 675 RPMB_MAC_PROTECT_DATA_SIZE); 676 if (res != TEE_SUCCESS) 677 goto func_exit; 678 679 if (i == 0) { 680 /* First block */ 681 offset = rawdata->byte_offset; 682 size = RPMB_DATA_SIZE - offset; 683 } else { 684 /* Middle blocks */ 685 size = RPMB_DATA_SIZE; 686 offset = 0; 687 } 688 689 res = decrypt(data, &localfrm, size, offset, start_idx + i, 690 fek, uuid); 691 if (res != TEE_SUCCESS) 692 goto func_exit; 693 694 data += size; 695 } 696 697 /* Last block */ 698 size = (rawdata->len + rawdata->byte_offset) % RPMB_DATA_SIZE; 699 if (size == 0) 700 size = RPMB_DATA_SIZE; 701 res = decrypt(data, lastfrm, size, 0, start_idx + nbr_frms - 1, fek, 702 uuid); 703 if (res != TEE_SUCCESS) 704 goto func_exit; 705 706 /* Update MAC against the last block */ 707 res = crypto_mac_update(ctx, TEE_ALG_HMAC_SHA256, lastfrm->data, 708 RPMB_MAC_PROTECT_DATA_SIZE); 709 if (res != TEE_SUCCESS) 710 goto func_exit; 711 712 res = crypto_mac_final(ctx, TEE_ALG_HMAC_SHA256, rawdata->key_mac, 713 RPMB_KEY_MAC_SIZE); 714 if (res != TEE_SUCCESS) 715 goto func_exit; 716 717 res = TEE_SUCCESS; 718 719 func_exit: 720 crypto_mac_free_ctx(ctx, TEE_ALG_HMAC_SHA256); 721 return res; 722 } 723 724 static TEE_Result tee_rpmb_resp_unpack_verify(struct rpmb_data_frame *datafrm, 725 struct rpmb_raw_data *rawdata, 726 uint16_t nbr_frms, 727 const uint8_t *fek, 728 const TEE_UUID *uuid) 729 { 730 TEE_Result res = TEE_ERROR_GENERIC; 731 uint16_t msg_type; 732 uint32_t wr_cnt; 733 uint16_t blk_idx; 734 uint16_t op_result; 735 struct rpmb_data_frame lastfrm; 736 737 if (!datafrm || !rawdata || !nbr_frms) 738 return TEE_ERROR_BAD_PARAMETERS; 739 740 #ifdef CFG_RPMB_FS_DEBUG_DATA 741 for (uint32_t i = 0; i < nbr_frms; i++) { 742 DMSG("Dumping data frame %d:", i); 743 DHEXDUMP((uint8_t *)&datafrm[i] + RPMB_STUFF_DATA_SIZE, 744 512 - RPMB_STUFF_DATA_SIZE); 745 } 746 #endif 747 748 /* Make sure the last data packet can't be modified once verified */ 749 memcpy(&lastfrm, &datafrm[nbr_frms - 1], RPMB_DATA_FRAME_SIZE); 750 751 /* Handle operation result and translate to TEEC error code. */ 752 bytes_to_u16(lastfrm.op_result, &op_result); 753 if (rawdata->op_result) 754 *rawdata->op_result = op_result; 755 if (op_result == RPMB_RESULT_AUTH_KEY_NOT_PROGRAMMED) 756 return TEE_ERROR_ITEM_NOT_FOUND; 757 if (op_result != RPMB_RESULT_OK) 758 return TEE_ERROR_GENERIC; 759 760 /* Check the response msg_type. */ 761 bytes_to_u16(lastfrm.msg_type, &msg_type); 762 if (msg_type != rawdata->msg_type) { 763 DMSG("Unexpected msg_type (0x%04x != 0x%04x)", msg_type, 764 rawdata->msg_type); 765 return TEE_ERROR_GENERIC; 766 } 767 768 if (rawdata->blk_idx) { 769 bytes_to_u16(lastfrm.address, &blk_idx); 770 if (blk_idx != *rawdata->blk_idx) { 771 DMSG("Unexpected block index"); 772 return TEE_ERROR_GENERIC; 773 } 774 } 775 776 if (rawdata->write_counter) { 777 wr_cnt = *rawdata->write_counter; 778 bytes_to_u32(lastfrm.write_counter, rawdata->write_counter); 779 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE) { 780 /* Verify the write counter is incremented by 1 */ 781 if (*rawdata->write_counter != wr_cnt + 1) { 782 DMSG("Counter mismatched (0x%04x/0x%04x)", 783 *rawdata->write_counter, wr_cnt + 1); 784 return TEE_ERROR_SECURITY; 785 } 786 rpmb_ctx->wr_cnt++; 787 } 788 } 789 790 if (rawdata->nonce) { 791 if (buf_compare_ct(rawdata->nonce, lastfrm.nonce, 792 RPMB_NONCE_SIZE) != 0) { 793 DMSG("Nonce mismatched"); 794 return TEE_ERROR_SECURITY; 795 } 796 } 797 798 if (rawdata->key_mac) { 799 if (msg_type == RPMB_MSG_TYPE_RESP_AUTH_DATA_READ) { 800 if (!rawdata->data) 801 return TEE_ERROR_GENERIC; 802 803 res = tee_rpmb_data_cpy_mac_calc(datafrm, rawdata, 804 nbr_frms, &lastfrm, 805 fek, uuid); 806 807 if (res != TEE_SUCCESS) 808 return res; 809 } else { 810 /* 811 * There should be only one data frame for 812 * other msg types. 813 */ 814 if (nbr_frms != 1) 815 return TEE_ERROR_GENERIC; 816 817 res = tee_rpmb_mac_calc(rawdata->key_mac, 818 RPMB_KEY_MAC_SIZE, 819 rpmb_ctx->key, 820 RPMB_KEY_MAC_SIZE, 821 &lastfrm, 1); 822 823 if (res != TEE_SUCCESS) 824 return res; 825 } 826 827 #ifndef CFG_RPMB_FS_NO_MAC 828 if (consttime_memcmp(rawdata->key_mac, 829 (datafrm + nbr_frms - 1)->key_mac, 830 RPMB_KEY_MAC_SIZE) != 0) { 831 DMSG("MAC mismatched:"); 832 #ifdef CFG_RPMB_FS_DEBUG_DATA 833 DHEXDUMP((uint8_t *)rawdata->key_mac, 32); 834 #endif 835 return TEE_ERROR_SECURITY; 836 } 837 #endif /* !CFG_RPMB_FS_NO_MAC */ 838 } 839 840 return TEE_SUCCESS; 841 } 842 843 static TEE_Result tee_rpmb_get_dev_info(uint16_t dev_id, 844 struct rpmb_dev_info *dev_info) 845 { 846 TEE_Result res = TEE_ERROR_GENERIC; 847 struct tee_rpmb_mem mem; 848 struct rpmb_dev_info *di; 849 struct rpmb_req *req = NULL; 850 uint8_t *resp = NULL; 851 uint32_t req_size; 852 uint32_t resp_size; 853 854 if (!dev_info) 855 return TEE_ERROR_BAD_PARAMETERS; 856 857 req_size = sizeof(struct rpmb_req); 858 resp_size = sizeof(struct rpmb_dev_info); 859 res = tee_rpmb_alloc(req_size, resp_size, &mem, 860 (void *)&req, (void *)&resp); 861 if (res != TEE_SUCCESS) 862 goto func_exit; 863 864 req->cmd = RPMB_CMD_GET_DEV_INFO; 865 req->dev_id = dev_id; 866 867 di = (struct rpmb_dev_info *)resp; 868 di->ret_code = RPMB_CMD_GET_DEV_INFO_RET_ERROR; 869 870 res = tee_rpmb_invoke(&mem); 871 if (res != TEE_SUCCESS) 872 goto func_exit; 873 874 if (di->ret_code != RPMB_CMD_GET_DEV_INFO_RET_OK) { 875 res = TEE_ERROR_GENERIC; 876 goto func_exit; 877 } 878 879 memcpy((uint8_t *)dev_info, resp, sizeof(struct rpmb_dev_info)); 880 881 #ifdef CFG_RPMB_FS_DEBUG_DATA 882 DMSG("Dumping dev_info:"); 883 DHEXDUMP((uint8_t *)dev_info, sizeof(struct rpmb_dev_info)); 884 #endif 885 886 res = TEE_SUCCESS; 887 888 func_exit: 889 tee_rpmb_free(&mem); 890 return res; 891 } 892 893 static TEE_Result tee_rpmb_init_read_wr_cnt(uint16_t dev_id, 894 uint32_t *wr_cnt, 895 uint16_t *op_result) 896 { 897 TEE_Result res = TEE_ERROR_GENERIC; 898 struct tee_rpmb_mem mem; 899 uint16_t msg_type; 900 uint8_t nonce[RPMB_NONCE_SIZE]; 901 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 902 struct rpmb_req *req = NULL; 903 struct rpmb_data_frame *resp = NULL; 904 struct rpmb_raw_data rawdata; 905 uint32_t req_size; 906 uint32_t resp_size; 907 908 if (!wr_cnt) 909 return TEE_ERROR_BAD_PARAMETERS; 910 911 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 912 resp_size = RPMB_DATA_FRAME_SIZE; 913 res = tee_rpmb_alloc(req_size, resp_size, &mem, 914 (void *)&req, (void *)&resp); 915 if (res != TEE_SUCCESS) 916 goto func_exit; 917 918 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 919 if (res != TEE_SUCCESS) 920 goto func_exit; 921 922 msg_type = RPMB_MSG_TYPE_REQ_WRITE_COUNTER_VAL_READ; 923 924 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 925 rawdata.msg_type = msg_type; 926 rawdata.nonce = nonce; 927 928 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 929 if (res != TEE_SUCCESS) 930 goto func_exit; 931 932 res = tee_rpmb_invoke(&mem); 933 if (res != TEE_SUCCESS) 934 goto func_exit; 935 936 msg_type = RPMB_MSG_TYPE_RESP_WRITE_COUNTER_VAL_READ; 937 938 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 939 rawdata.msg_type = msg_type; 940 rawdata.op_result = op_result; 941 rawdata.write_counter = wr_cnt; 942 rawdata.nonce = nonce; 943 rawdata.key_mac = hmac; 944 945 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 946 if (res != TEE_SUCCESS) 947 goto func_exit; 948 949 res = TEE_SUCCESS; 950 951 func_exit: 952 tee_rpmb_free(&mem); 953 return res; 954 } 955 956 static TEE_Result tee_rpmb_verify_key_sync_counter(uint16_t dev_id) 957 { 958 uint16_t op_result = 0; 959 TEE_Result res = TEE_ERROR_GENERIC; 960 961 res = tee_rpmb_init_read_wr_cnt(dev_id, &rpmb_ctx->wr_cnt, 962 &op_result); 963 964 if (res == TEE_SUCCESS) { 965 rpmb_ctx->key_verified = true; 966 rpmb_ctx->wr_cnt_synced = true; 967 } 968 969 DMSG("Verify key returning 0x%x", res); 970 return res; 971 } 972 973 #ifdef CFG_RPMB_WRITE_KEY 974 static TEE_Result tee_rpmb_write_key(uint16_t dev_id) 975 { 976 TEE_Result res = TEE_ERROR_GENERIC; 977 struct tee_rpmb_mem mem = { 0 }; 978 uint16_t msg_type; 979 struct rpmb_req *req = NULL; 980 struct rpmb_data_frame *resp = NULL; 981 struct rpmb_raw_data rawdata; 982 uint32_t req_size; 983 uint32_t resp_size; 984 985 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 986 resp_size = RPMB_DATA_FRAME_SIZE; 987 res = tee_rpmb_alloc(req_size, resp_size, &mem, 988 (void *)&req, (void *)&resp); 989 if (res != TEE_SUCCESS) 990 goto func_exit; 991 992 msg_type = RPMB_MSG_TYPE_REQ_AUTH_KEY_PROGRAM; 993 994 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 995 rawdata.msg_type = msg_type; 996 rawdata.key_mac = rpmb_ctx->key; 997 998 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 999 if (res != TEE_SUCCESS) 1000 goto func_exit; 1001 1002 res = tee_rpmb_invoke(&mem); 1003 if (res != TEE_SUCCESS) 1004 goto func_exit; 1005 1006 msg_type = RPMB_MSG_TYPE_RESP_AUTH_KEY_PROGRAM; 1007 1008 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1009 rawdata.msg_type = msg_type; 1010 1011 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, NULL); 1012 if (res != TEE_SUCCESS) 1013 goto func_exit; 1014 1015 res = TEE_SUCCESS; 1016 1017 func_exit: 1018 tee_rpmb_free(&mem); 1019 return res; 1020 } 1021 1022 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id) 1023 { 1024 TEE_Result res; 1025 1026 DMSG("RPMB INIT: Writing Key value:"); 1027 DHEXDUMP(rpmb_ctx->key, RPMB_KEY_MAC_SIZE); 1028 1029 res = tee_rpmb_write_key(dev_id); 1030 if (res == TEE_SUCCESS) { 1031 DMSG("RPMB INIT: Verifying Key"); 1032 res = tee_rpmb_verify_key_sync_counter(dev_id); 1033 } 1034 return res; 1035 } 1036 #else 1037 static TEE_Result tee_rpmb_write_and_verify_key(uint16_t dev_id __unused) 1038 { 1039 DMSG("RPMB INIT: CFG_RPMB_WRITE_KEY is not set"); 1040 return TEE_ERROR_BAD_STATE; 1041 } 1042 #endif 1043 1044 /* This function must never return TEE_SUCCESS if rpmb_ctx == NULL */ 1045 static TEE_Result tee_rpmb_init(uint16_t dev_id) 1046 { 1047 TEE_Result res = TEE_SUCCESS; 1048 struct rpmb_dev_info dev_info; 1049 uint32_t nblocks = 0; 1050 1051 if (!rpmb_ctx) { 1052 rpmb_ctx = calloc(1, sizeof(struct tee_rpmb_ctx)); 1053 if (!rpmb_ctx) 1054 return TEE_ERROR_OUT_OF_MEMORY; 1055 } else if (rpmb_ctx->dev_id != dev_id) { 1056 memset(rpmb_ctx, 0x00, sizeof(struct tee_rpmb_ctx)); 1057 } 1058 1059 rpmb_ctx->dev_id = dev_id; 1060 1061 if (!rpmb_ctx->dev_info_synced) { 1062 DMSG("RPMB: Syncing device information"); 1063 1064 dev_info.rpmb_size_mult = 0; 1065 dev_info.rel_wr_sec_c = 0; 1066 res = tee_rpmb_get_dev_info(dev_id, &dev_info); 1067 if (res != TEE_SUCCESS) 1068 goto func_exit; 1069 1070 DMSG("RPMB: RPMB size is %d*128 KB", dev_info.rpmb_size_mult); 1071 DMSG("RPMB: Reliable Write Sector Count is %d", 1072 dev_info.rel_wr_sec_c); 1073 1074 if (dev_info.rpmb_size_mult == 0) { 1075 res = TEE_ERROR_GENERIC; 1076 goto func_exit; 1077 } 1078 1079 if (MUL_OVERFLOW(dev_info.rpmb_size_mult, 1080 RPMB_SIZE_SINGLE / RPMB_DATA_SIZE, &nblocks) || 1081 SUB_OVERFLOW(nblocks, 1, &rpmb_ctx->max_blk_idx)) { 1082 res = TEE_ERROR_BAD_PARAMETERS; 1083 goto func_exit; 1084 } 1085 1086 memcpy(rpmb_ctx->cid, dev_info.cid, RPMB_EMMC_CID_SIZE); 1087 1088 #ifdef RPMB_DRIVER_MULTIPLE_WRITE_FIXED 1089 rpmb_ctx->rel_wr_blkcnt = dev_info.rel_wr_sec_c * 2; 1090 #else 1091 rpmb_ctx->rel_wr_blkcnt = 1; 1092 #endif 1093 1094 rpmb_ctx->dev_info_synced = true; 1095 } 1096 1097 if (!rpmb_ctx->key_derived) { 1098 DMSG("RPMB INIT: Deriving key"); 1099 1100 res = tee_rpmb_key_gen(dev_id, rpmb_ctx->key, 1101 RPMB_KEY_MAC_SIZE); 1102 if (res != TEE_SUCCESS) 1103 goto func_exit; 1104 1105 rpmb_ctx->key_derived = true; 1106 } 1107 1108 /* Perform a write counter read to verify if the key is ok. */ 1109 if (!rpmb_ctx->wr_cnt_synced || !rpmb_ctx->key_verified) { 1110 DMSG("RPMB INIT: Verifying Key"); 1111 1112 res = tee_rpmb_verify_key_sync_counter(dev_id); 1113 if (res == TEE_ERROR_ITEM_NOT_FOUND && 1114 !rpmb_ctx->key_verified) { 1115 /* 1116 * Need to write the key here and verify it. 1117 */ 1118 DMSG("RPMB INIT: Auth key not yet written"); 1119 res = tee_rpmb_write_and_verify_key(dev_id); 1120 } else if (res != TEE_SUCCESS) { 1121 EMSG("Verify key failed!"); 1122 EMSG("Make sure key here matches device key"); 1123 } 1124 } 1125 1126 func_exit: 1127 return res; 1128 } 1129 1130 /* 1131 * Read RPMB data in bytes. 1132 * 1133 * @dev_id Device ID of the eMMC device. 1134 * @addr Byte address of data. 1135 * @data Pointer to the data. 1136 * @len Size of data in bytes. 1137 * @fek Encrypted File Encryption Key or NULL. 1138 */ 1139 static TEE_Result tee_rpmb_read(uint16_t dev_id, uint32_t addr, uint8_t *data, 1140 uint32_t len, const uint8_t *fek, 1141 const TEE_UUID *uuid) 1142 { 1143 TEE_Result res = TEE_ERROR_GENERIC; 1144 struct tee_rpmb_mem mem = { 0 }; 1145 uint16_t msg_type; 1146 uint8_t nonce[RPMB_NONCE_SIZE]; 1147 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1148 struct rpmb_req *req = NULL; 1149 struct rpmb_data_frame *resp = NULL; 1150 struct rpmb_raw_data rawdata; 1151 uint32_t req_size; 1152 uint32_t resp_size; 1153 uint16_t blk_idx; 1154 uint16_t blkcnt; 1155 uint8_t byte_offset; 1156 1157 if (!data || !len) 1158 return TEE_ERROR_BAD_PARAMETERS; 1159 1160 blk_idx = addr / RPMB_DATA_SIZE; 1161 byte_offset = addr % RPMB_DATA_SIZE; 1162 1163 if (len + byte_offset + RPMB_DATA_SIZE < RPMB_DATA_SIZE) { 1164 /* Overflow */ 1165 return TEE_ERROR_BAD_PARAMETERS; 1166 } 1167 blkcnt = 1168 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1169 res = tee_rpmb_init(dev_id); 1170 if (res != TEE_SUCCESS) 1171 goto func_exit; 1172 1173 req_size = sizeof(struct rpmb_req) + RPMB_DATA_FRAME_SIZE; 1174 resp_size = RPMB_DATA_FRAME_SIZE * blkcnt; 1175 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1176 (void *)&req, (void *)&resp); 1177 if (res != TEE_SUCCESS) 1178 goto func_exit; 1179 1180 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_READ; 1181 res = crypto_rng_read(nonce, RPMB_NONCE_SIZE); 1182 if (res != TEE_SUCCESS) 1183 goto func_exit; 1184 1185 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1186 rawdata.msg_type = msg_type; 1187 rawdata.nonce = nonce; 1188 rawdata.blk_idx = &blk_idx; 1189 res = tee_rpmb_req_pack(req, &rawdata, 1, dev_id, NULL, NULL); 1190 if (res != TEE_SUCCESS) 1191 goto func_exit; 1192 1193 req->block_count = blkcnt; 1194 1195 DMSG("Read %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1196 blk_idx); 1197 1198 res = tee_rpmb_invoke(&mem); 1199 if (res != TEE_SUCCESS) 1200 goto func_exit; 1201 1202 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_READ; 1203 1204 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1205 rawdata.msg_type = msg_type; 1206 rawdata.block_count = &blkcnt; 1207 rawdata.blk_idx = &blk_idx; 1208 rawdata.nonce = nonce; 1209 rawdata.key_mac = hmac; 1210 rawdata.data = data; 1211 1212 rawdata.len = len; 1213 rawdata.byte_offset = byte_offset; 1214 1215 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, blkcnt, fek, uuid); 1216 if (res != TEE_SUCCESS) 1217 goto func_exit; 1218 1219 res = TEE_SUCCESS; 1220 1221 func_exit: 1222 tee_rpmb_free(&mem); 1223 return res; 1224 } 1225 1226 static TEE_Result tee_rpmb_write_blk(uint16_t dev_id, uint16_t blk_idx, 1227 const uint8_t *data_blks, uint16_t blkcnt, 1228 const uint8_t *fek, const TEE_UUID *uuid) 1229 { 1230 TEE_Result res; 1231 struct tee_rpmb_mem mem; 1232 uint16_t msg_type; 1233 uint32_t wr_cnt; 1234 uint8_t hmac[RPMB_KEY_MAC_SIZE]; 1235 struct rpmb_req *req = NULL; 1236 struct rpmb_data_frame *resp = NULL; 1237 struct rpmb_raw_data rawdata; 1238 uint32_t req_size; 1239 uint32_t resp_size; 1240 uint32_t nbr_writes; 1241 uint16_t tmp_blkcnt; 1242 uint16_t tmp_blk_idx; 1243 uint16_t i; 1244 1245 DMSG("Write %u block%s at index %u", blkcnt, ((blkcnt > 1) ? "s" : ""), 1246 blk_idx); 1247 1248 if (!data_blks || !blkcnt) 1249 return TEE_ERROR_BAD_PARAMETERS; 1250 1251 res = tee_rpmb_init(dev_id); 1252 if (res != TEE_SUCCESS) 1253 return res; 1254 1255 /* 1256 * We need to split data when block count 1257 * is bigger than reliable block write count. 1258 */ 1259 if (blkcnt < rpmb_ctx->rel_wr_blkcnt) 1260 req_size = sizeof(struct rpmb_req) + 1261 RPMB_DATA_FRAME_SIZE * blkcnt; 1262 else 1263 req_size = sizeof(struct rpmb_req) + 1264 RPMB_DATA_FRAME_SIZE * rpmb_ctx->rel_wr_blkcnt; 1265 1266 resp_size = RPMB_DATA_FRAME_SIZE; 1267 res = tee_rpmb_alloc(req_size, resp_size, &mem, 1268 (void *)&req, (void *)&resp); 1269 if (res != TEE_SUCCESS) 1270 return res; 1271 1272 nbr_writes = blkcnt / rpmb_ctx->rel_wr_blkcnt; 1273 if (blkcnt % rpmb_ctx->rel_wr_blkcnt > 0) 1274 nbr_writes += 1; 1275 1276 tmp_blkcnt = rpmb_ctx->rel_wr_blkcnt; 1277 tmp_blk_idx = blk_idx; 1278 for (i = 0; i < nbr_writes; i++) { 1279 /* 1280 * To handle the last write of block count which is 1281 * equal or smaller than reliable write block count. 1282 */ 1283 if (i == nbr_writes - 1) 1284 tmp_blkcnt = blkcnt - rpmb_ctx->rel_wr_blkcnt * 1285 (nbr_writes - 1); 1286 1287 msg_type = RPMB_MSG_TYPE_REQ_AUTH_DATA_WRITE; 1288 wr_cnt = rpmb_ctx->wr_cnt; 1289 1290 memset(req, 0x00, req_size); 1291 memset(resp, 0x00, resp_size); 1292 1293 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1294 rawdata.msg_type = msg_type; 1295 rawdata.block_count = &tmp_blkcnt; 1296 rawdata.blk_idx = &tmp_blk_idx; 1297 rawdata.write_counter = &wr_cnt; 1298 rawdata.key_mac = hmac; 1299 rawdata.data = (uint8_t *)data_blks + 1300 i * rpmb_ctx->rel_wr_blkcnt * RPMB_DATA_SIZE; 1301 1302 res = tee_rpmb_req_pack(req, &rawdata, tmp_blkcnt, dev_id, 1303 fek, uuid); 1304 if (res != TEE_SUCCESS) 1305 goto out; 1306 1307 res = tee_rpmb_invoke(&mem); 1308 if (res != TEE_SUCCESS) { 1309 /* 1310 * To force wr_cnt sync next time, as it might get 1311 * out of sync due to inconsistent operation result! 1312 */ 1313 rpmb_ctx->wr_cnt_synced = false; 1314 goto out; 1315 } 1316 1317 msg_type = RPMB_MSG_TYPE_RESP_AUTH_DATA_WRITE; 1318 1319 memset(&rawdata, 0x00, sizeof(struct rpmb_raw_data)); 1320 rawdata.msg_type = msg_type; 1321 rawdata.block_count = &tmp_blkcnt; 1322 rawdata.blk_idx = &tmp_blk_idx; 1323 rawdata.write_counter = &wr_cnt; 1324 rawdata.key_mac = hmac; 1325 1326 res = tee_rpmb_resp_unpack_verify(resp, &rawdata, 1, NULL, 1327 NULL); 1328 if (res != TEE_SUCCESS) { 1329 /* 1330 * To force wr_cnt sync next time, as it might get 1331 * out of sync due to inconsistent operation result! 1332 */ 1333 rpmb_ctx->wr_cnt_synced = false; 1334 goto out; 1335 } 1336 1337 tmp_blk_idx += tmp_blkcnt; 1338 } 1339 1340 out: 1341 tee_rpmb_free(&mem); 1342 return res; 1343 } 1344 1345 static bool tee_rpmb_write_is_atomic(uint16_t dev_id __unused, uint32_t addr, 1346 uint32_t len) 1347 { 1348 uint8_t byte_offset = addr % RPMB_DATA_SIZE; 1349 uint16_t blkcnt = ROUNDUP(len + byte_offset, 1350 RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1351 1352 return (blkcnt <= rpmb_ctx->rel_wr_blkcnt); 1353 } 1354 1355 /* 1356 * Write RPMB data in bytes. 1357 * 1358 * @dev_id Device ID of the eMMC device. 1359 * @addr Byte address of data. 1360 * @data Pointer to the data. 1361 * @len Size of data in bytes. 1362 * @fek Encrypted File Encryption Key or NULL. 1363 */ 1364 static TEE_Result tee_rpmb_write(uint16_t dev_id, uint32_t addr, 1365 const uint8_t *data, uint32_t len, 1366 const uint8_t *fek, const TEE_UUID *uuid) 1367 { 1368 TEE_Result res = TEE_ERROR_GENERIC; 1369 uint8_t *data_tmp = NULL; 1370 uint16_t blk_idx; 1371 uint16_t blkcnt; 1372 uint8_t byte_offset; 1373 1374 blk_idx = addr / RPMB_DATA_SIZE; 1375 byte_offset = addr % RPMB_DATA_SIZE; 1376 1377 blkcnt = 1378 ROUNDUP(len + byte_offset, RPMB_DATA_SIZE) / RPMB_DATA_SIZE; 1379 1380 if (byte_offset == 0 && (len % RPMB_DATA_SIZE) == 0) { 1381 res = tee_rpmb_write_blk(dev_id, blk_idx, data, blkcnt, fek, 1382 uuid); 1383 if (res != TEE_SUCCESS) 1384 goto func_exit; 1385 } else { 1386 data_tmp = calloc(blkcnt, RPMB_DATA_SIZE); 1387 if (!data_tmp) { 1388 res = TEE_ERROR_OUT_OF_MEMORY; 1389 goto func_exit; 1390 } 1391 1392 /* Read the complete blocks */ 1393 res = tee_rpmb_read(dev_id, blk_idx * RPMB_DATA_SIZE, data_tmp, 1394 blkcnt * RPMB_DATA_SIZE, fek, uuid); 1395 if (res != TEE_SUCCESS) 1396 goto func_exit; 1397 1398 /* Partial update of the data blocks */ 1399 memcpy(data_tmp + byte_offset, data, len); 1400 1401 res = tee_rpmb_write_blk(dev_id, blk_idx, data_tmp, blkcnt, 1402 fek, uuid); 1403 if (res != TEE_SUCCESS) 1404 goto func_exit; 1405 } 1406 1407 res = TEE_SUCCESS; 1408 1409 func_exit: 1410 free(data_tmp); 1411 return res; 1412 } 1413 1414 /* 1415 * Read the RPMB write counter. 1416 * 1417 * @dev_id Device ID of the eMMC device. 1418 * @counter Pointer to the counter. 1419 */ 1420 static TEE_Result tee_rpmb_get_write_counter(uint16_t dev_id, 1421 uint32_t *counter) 1422 { 1423 TEE_Result res = TEE_SUCCESS; 1424 1425 if (!counter) 1426 return TEE_ERROR_BAD_PARAMETERS; 1427 1428 if (!rpmb_ctx || !rpmb_ctx->wr_cnt_synced) { 1429 res = tee_rpmb_init(dev_id); 1430 if (res != TEE_SUCCESS) 1431 goto func_exit; 1432 } 1433 1434 *counter = rpmb_ctx->wr_cnt; 1435 1436 func_exit: 1437 return res; 1438 } 1439 1440 /* 1441 * Read the RPMB max block. 1442 * 1443 * @dev_id Device ID of the eMMC device. 1444 * @counter Pointer to receive the max block. 1445 */ 1446 static TEE_Result tee_rpmb_get_max_block(uint16_t dev_id, uint32_t *max_block) 1447 { 1448 TEE_Result res = TEE_SUCCESS; 1449 1450 if (!max_block) 1451 return TEE_ERROR_BAD_PARAMETERS; 1452 1453 if (!rpmb_ctx || !rpmb_ctx->dev_info_synced) { 1454 res = tee_rpmb_init(dev_id); 1455 if (res != TEE_SUCCESS) 1456 goto func_exit; 1457 } 1458 1459 *max_block = rpmb_ctx->max_blk_idx; 1460 1461 func_exit: 1462 return res; 1463 } 1464 1465 /* 1466 * End of lower interface to RPMB device 1467 */ 1468 1469 static TEE_Result get_fat_start_address(uint32_t *addr); 1470 1471 static void dump_fat(void) 1472 { 1473 TEE_Result res = TEE_ERROR_GENERIC; 1474 struct rpmb_fat_entry *fat_entries = NULL; 1475 uint32_t fat_address; 1476 size_t size; 1477 int i; 1478 bool last_entry_found = false; 1479 1480 res = get_fat_start_address(&fat_address); 1481 if (res != TEE_SUCCESS) 1482 goto out; 1483 1484 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1485 fat_entries = malloc(size); 1486 if (!fat_entries) { 1487 res = TEE_ERROR_OUT_OF_MEMORY; 1488 goto out; 1489 } 1490 1491 while (!last_entry_found) { 1492 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1493 (uint8_t *)fat_entries, size, NULL, NULL); 1494 if (res != TEE_SUCCESS) 1495 goto out; 1496 1497 for (i = 0; i < N_ENTRIES; i++) { 1498 1499 FMSG("flags 0x%x, size %d, address 0x%x, filename '%s'", 1500 fat_entries[i].flags, 1501 fat_entries[i].data_size, 1502 fat_entries[i].start_address, 1503 fat_entries[i].filename); 1504 1505 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1506 last_entry_found = true; 1507 break; 1508 } 1509 1510 /* Move to next fat_entry. */ 1511 fat_address += sizeof(struct rpmb_fat_entry); 1512 } 1513 } 1514 1515 out: 1516 free(fat_entries); 1517 } 1518 1519 #if (TRACE_LEVEL >= TRACE_DEBUG) 1520 static void dump_fh(struct rpmb_file_handle *fh) 1521 { 1522 DMSG("fh->filename=%s", fh->filename); 1523 DMSG("fh->rpmb_fat_address=%u", fh->rpmb_fat_address); 1524 DMSG("fh->fat_entry.start_address=%u", fh->fat_entry.start_address); 1525 DMSG("fh->fat_entry.data_size=%u", fh->fat_entry.data_size); 1526 } 1527 #else 1528 static void dump_fh(struct rpmb_file_handle *fh __unused) 1529 { 1530 } 1531 #endif 1532 1533 static struct rpmb_file_handle *alloc_file_handle(struct tee_pobj *po, 1534 bool temporary) 1535 { 1536 struct rpmb_file_handle *fh = NULL; 1537 1538 fh = calloc(1, sizeof(struct rpmb_file_handle)); 1539 if (!fh) 1540 return NULL; 1541 1542 if (po) 1543 tee_svc_storage_create_filename(fh->filename, 1544 sizeof(fh->filename), po, 1545 temporary); 1546 1547 return fh; 1548 } 1549 1550 /** 1551 * write_fat_entry: Store info in a fat_entry to RPMB. 1552 */ 1553 static TEE_Result write_fat_entry(struct rpmb_file_handle *fh, 1554 bool update_write_counter) 1555 { 1556 TEE_Result res = TEE_ERROR_GENERIC; 1557 1558 /* Protect partition data. */ 1559 if (fh->rpmb_fat_address < sizeof(struct rpmb_fs_partition)) { 1560 res = TEE_ERROR_ACCESS_CONFLICT; 1561 goto out; 1562 } 1563 1564 if (fh->rpmb_fat_address % sizeof(struct rpmb_fat_entry) != 0) { 1565 res = TEE_ERROR_BAD_PARAMETERS; 1566 goto out; 1567 } 1568 1569 if (update_write_counter) { 1570 res = tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1571 &fh->fat_entry.write_counter); 1572 if (res != TEE_SUCCESS) 1573 goto out; 1574 } 1575 1576 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, fh->rpmb_fat_address, 1577 (uint8_t *)&fh->fat_entry, 1578 sizeof(struct rpmb_fat_entry), NULL, NULL); 1579 1580 dump_fat(); 1581 1582 out: 1583 return res; 1584 } 1585 1586 /** 1587 * rpmb_fs_setup: Setup rpmb fs. 1588 * Set initial partition and FS values and write to RPMB. 1589 * Store frequently used data in RAM. 1590 */ 1591 static TEE_Result rpmb_fs_setup(void) 1592 { 1593 TEE_Result res = TEE_ERROR_GENERIC; 1594 struct rpmb_fs_partition *partition_data = NULL; 1595 struct rpmb_file_handle *fh = NULL; 1596 uint32_t max_rpmb_block = 0; 1597 1598 if (fs_par) { 1599 res = TEE_SUCCESS; 1600 goto out; 1601 } 1602 1603 res = tee_rpmb_get_max_block(CFG_RPMB_FS_DEV_ID, &max_rpmb_block); 1604 if (res != TEE_SUCCESS) 1605 goto out; 1606 1607 partition_data = calloc(1, sizeof(struct rpmb_fs_partition)); 1608 if (!partition_data) { 1609 res = TEE_ERROR_OUT_OF_MEMORY; 1610 goto out; 1611 } 1612 1613 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1614 (uint8_t *)partition_data, 1615 sizeof(struct rpmb_fs_partition), NULL, NULL); 1616 if (res != TEE_SUCCESS) 1617 goto out; 1618 1619 #ifndef CFG_RPMB_RESET_FAT 1620 if (partition_data->rpmb_fs_magic == RPMB_FS_MAGIC) { 1621 if (partition_data->fs_version == FS_VERSION) { 1622 res = TEE_SUCCESS; 1623 goto store_fs_par; 1624 } else { 1625 /* Wrong software is in use. */ 1626 res = TEE_ERROR_ACCESS_DENIED; 1627 goto out; 1628 } 1629 } 1630 #else 1631 EMSG("**** Clearing Storage ****"); 1632 #endif 1633 1634 /* Setup new partition data. */ 1635 partition_data->rpmb_fs_magic = RPMB_FS_MAGIC; 1636 partition_data->fs_version = FS_VERSION; 1637 partition_data->fat_start_address = RPMB_FS_FAT_START_ADDRESS; 1638 1639 /* Initial FAT entry with FILE_IS_LAST_ENTRY flag set. */ 1640 fh = alloc_file_handle(NULL, false); 1641 if (!fh) { 1642 res = TEE_ERROR_OUT_OF_MEMORY; 1643 goto out; 1644 } 1645 fh->fat_entry.flags = FILE_IS_LAST_ENTRY; 1646 fh->rpmb_fat_address = partition_data->fat_start_address; 1647 1648 /* Write init FAT entry and partition data to RPMB. */ 1649 res = write_fat_entry(fh, true); 1650 if (res != TEE_SUCCESS) 1651 goto out; 1652 1653 res = 1654 tee_rpmb_get_write_counter(CFG_RPMB_FS_DEV_ID, 1655 &partition_data->write_counter); 1656 if (res != TEE_SUCCESS) 1657 goto out; 1658 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, RPMB_STORAGE_START_ADDRESS, 1659 (uint8_t *)partition_data, 1660 sizeof(struct rpmb_fs_partition), NULL, NULL); 1661 1662 #ifndef CFG_RPMB_RESET_FAT 1663 store_fs_par: 1664 #endif 1665 1666 /* Store FAT start address. */ 1667 fs_par = calloc(1, sizeof(struct rpmb_fs_parameters)); 1668 if (!fs_par) { 1669 res = TEE_ERROR_OUT_OF_MEMORY; 1670 goto out; 1671 } 1672 1673 fs_par->fat_start_address = partition_data->fat_start_address; 1674 fs_par->max_rpmb_address = max_rpmb_block << RPMB_BLOCK_SIZE_SHIFT; 1675 1676 dump_fat(); 1677 1678 out: 1679 free(fh); 1680 free(partition_data); 1681 return res; 1682 } 1683 1684 /** 1685 * get_fat_start_address: 1686 * FAT start_address from fs_par. 1687 */ 1688 static TEE_Result get_fat_start_address(uint32_t *addr) 1689 { 1690 if (!fs_par) 1691 return TEE_ERROR_NO_DATA; 1692 1693 *addr = fs_par->fat_start_address; 1694 1695 return TEE_SUCCESS; 1696 } 1697 1698 /** 1699 * read_fat: Read FAT entries 1700 * Return matching FAT entry for read, rm rename and stat. 1701 * Build up memory pool and return matching entry for write operation. 1702 * "Last FAT entry" can be returned during write. 1703 */ 1704 static TEE_Result read_fat(struct rpmb_file_handle *fh, tee_mm_pool_t *p) 1705 { 1706 TEE_Result res = TEE_ERROR_GENERIC; 1707 tee_mm_entry_t *mm = NULL; 1708 struct rpmb_fat_entry *fat_entries = NULL; 1709 uint32_t fat_address; 1710 size_t size; 1711 int i; 1712 bool entry_found = false; 1713 bool last_entry_found = false; 1714 bool expand_fat = false; 1715 struct rpmb_file_handle last_fh; 1716 1717 DMSG("fat_address %d", fh->rpmb_fat_address); 1718 1719 res = rpmb_fs_setup(); 1720 if (res != TEE_SUCCESS) 1721 goto out; 1722 1723 res = get_fat_start_address(&fat_address); 1724 if (res != TEE_SUCCESS) 1725 goto out; 1726 1727 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 1728 fat_entries = malloc(size); 1729 if (!fat_entries) { 1730 res = TEE_ERROR_OUT_OF_MEMORY; 1731 goto out; 1732 } 1733 1734 /* 1735 * The pool is used to represent the current RPMB layout. To find 1736 * a slot for the file tee_mm_alloc is called on the pool. Thus 1737 * if it is not NULL the entire FAT must be traversed to fill in 1738 * the pool. 1739 */ 1740 while (!last_entry_found && (!entry_found || p)) { 1741 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 1742 (uint8_t *)fat_entries, size, NULL, NULL); 1743 if (res != TEE_SUCCESS) 1744 goto out; 1745 1746 for (i = 0; i < N_ENTRIES; i++) { 1747 /* 1748 * Look for an entry, matching filenames. (read, rm, 1749 * rename and stat.). Only store first filename match. 1750 */ 1751 if (fh->filename && 1752 (strcmp(fh->filename, 1753 fat_entries[i].filename) == 0) && 1754 (fat_entries[i].flags & FILE_IS_ACTIVE) && 1755 (!entry_found)) { 1756 entry_found = true; 1757 fh->rpmb_fat_address = fat_address; 1758 memcpy(&fh->fat_entry, &fat_entries[i], 1759 sizeof(struct rpmb_fat_entry)); 1760 if (!p) 1761 break; 1762 } 1763 1764 /* Add existing files to memory pool. (write) */ 1765 if (p) { 1766 if ((fat_entries[i].flags & FILE_IS_ACTIVE) && 1767 (fat_entries[i].data_size > 0)) { 1768 1769 mm = tee_mm_alloc2 1770 (p, 1771 fat_entries[i].start_address, 1772 fat_entries[i].data_size); 1773 if (!mm) { 1774 res = TEE_ERROR_OUT_OF_MEMORY; 1775 goto out; 1776 } 1777 } 1778 1779 /* Unused FAT entries can be reused (write) */ 1780 if (((fat_entries[i].flags & FILE_IS_ACTIVE) == 1781 0) && (fh->rpmb_fat_address == 0)) { 1782 fh->rpmb_fat_address = fat_address; 1783 memcpy(&fh->fat_entry, &fat_entries[i], 1784 sizeof(struct rpmb_fat_entry)); 1785 } 1786 } 1787 1788 if ((fat_entries[i].flags & FILE_IS_LAST_ENTRY) != 0) { 1789 last_entry_found = true; 1790 1791 /* 1792 * If the last entry was reached and was chosen 1793 * by the previous check, then the FAT needs to 1794 * be expanded. 1795 * fh->rpmb_fat_address is the address chosen 1796 * to store the files FAT entry and fat_address 1797 * is the current FAT entry address being 1798 * compared. 1799 */ 1800 if (p && fh->rpmb_fat_address == fat_address) 1801 expand_fat = true; 1802 break; 1803 } 1804 1805 /* Move to next fat_entry. */ 1806 fat_address += sizeof(struct rpmb_fat_entry); 1807 } 1808 } 1809 1810 /* 1811 * Represent the FAT table in the pool. 1812 */ 1813 if (p) { 1814 /* 1815 * Since fat_address is the start of the last entry it needs to 1816 * be moved up by an entry. 1817 */ 1818 fat_address += sizeof(struct rpmb_fat_entry); 1819 1820 /* Make room for yet a FAT entry and add to memory pool. */ 1821 if (expand_fat) 1822 fat_address += sizeof(struct rpmb_fat_entry); 1823 1824 mm = tee_mm_alloc2(p, RPMB_STORAGE_START_ADDRESS, fat_address); 1825 if (!mm) { 1826 res = TEE_ERROR_OUT_OF_MEMORY; 1827 goto out; 1828 } 1829 1830 if (expand_fat) { 1831 /* 1832 * Point fat_address to the beginning of the new 1833 * entry. 1834 */ 1835 fat_address -= sizeof(struct rpmb_fat_entry); 1836 memset(&last_fh, 0, sizeof(last_fh)); 1837 last_fh.fat_entry.flags = FILE_IS_LAST_ENTRY; 1838 last_fh.rpmb_fat_address = fat_address; 1839 res = write_fat_entry(&last_fh, true); 1840 if (res != TEE_SUCCESS) 1841 goto out; 1842 } 1843 } 1844 1845 if (fh->filename && !fh->rpmb_fat_address) 1846 res = TEE_ERROR_ITEM_NOT_FOUND; 1847 1848 out: 1849 free(fat_entries); 1850 return res; 1851 } 1852 1853 static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid) 1854 { 1855 TEE_Result res; 1856 1857 again: 1858 res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek)); 1859 if (res != TEE_SUCCESS) 1860 return res; 1861 1862 if (is_zero(fe->fek, sizeof(fe->fek))) 1863 goto again; 1864 1865 return res; 1866 } 1867 1868 static TEE_Result rpmb_fs_open_internal(struct rpmb_file_handle *fh, 1869 const TEE_UUID *uuid, bool create) 1870 { 1871 tee_mm_pool_t p; 1872 bool pool_result; 1873 TEE_Result res = TEE_ERROR_GENERIC; 1874 1875 /* We need to do setup in order to make sure fs_par is filled in */ 1876 res = rpmb_fs_setup(); 1877 if (res != TEE_SUCCESS) 1878 goto out; 1879 1880 fh->uuid = uuid; 1881 if (create) { 1882 /* Upper memory allocation must be used for RPMB_FS. */ 1883 pool_result = tee_mm_init(&p, 1884 RPMB_STORAGE_START_ADDRESS, 1885 fs_par->max_rpmb_address, 1886 RPMB_BLOCK_SIZE_SHIFT, 1887 TEE_MM_POOL_HI_ALLOC); 1888 1889 if (!pool_result) { 1890 res = TEE_ERROR_OUT_OF_MEMORY; 1891 goto out; 1892 } 1893 1894 res = read_fat(fh, &p); 1895 tee_mm_final(&p); 1896 if (res != TEE_SUCCESS) 1897 goto out; 1898 } else { 1899 res = read_fat(fh, NULL); 1900 if (res != TEE_SUCCESS) 1901 goto out; 1902 } 1903 1904 /* 1905 * If this is opened with create and the entry found was not active 1906 * then this is a new file and the FAT entry must be written 1907 */ 1908 if (create) { 1909 if ((fh->fat_entry.flags & FILE_IS_ACTIVE) == 0) { 1910 memset(&fh->fat_entry, 0, 1911 sizeof(struct rpmb_fat_entry)); 1912 memcpy(fh->fat_entry.filename, fh->filename, 1913 strlen(fh->filename)); 1914 /* Start address and size are 0 */ 1915 fh->fat_entry.flags = FILE_IS_ACTIVE; 1916 1917 res = generate_fek(&fh->fat_entry, uuid); 1918 if (res != TEE_SUCCESS) 1919 goto out; 1920 DMSG("GENERATE FEK key: %p", 1921 (void *)fh->fat_entry.fek); 1922 DHEXDUMP(fh->fat_entry.fek, sizeof(fh->fat_entry.fek)); 1923 1924 res = write_fat_entry(fh, true); 1925 if (res != TEE_SUCCESS) 1926 goto out; 1927 } 1928 } 1929 1930 res = TEE_SUCCESS; 1931 1932 out: 1933 return res; 1934 } 1935 1936 static void rpmb_fs_close(struct tee_file_handle **tfh) 1937 { 1938 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)*tfh; 1939 1940 free(fh); 1941 *tfh = NULL; 1942 } 1943 1944 static TEE_Result rpmb_fs_read(struct tee_file_handle *tfh, size_t pos, 1945 void *buf, size_t *len) 1946 { 1947 TEE_Result res; 1948 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 1949 size_t size = *len; 1950 1951 if (!size) 1952 return TEE_SUCCESS; 1953 1954 mutex_lock(&rpmb_mutex); 1955 1956 dump_fh(fh); 1957 1958 res = read_fat(fh, NULL); 1959 if (res != TEE_SUCCESS) 1960 goto out; 1961 1962 if (pos >= fh->fat_entry.data_size) { 1963 *len = 0; 1964 goto out; 1965 } 1966 1967 size = MIN(size, fh->fat_entry.data_size - pos); 1968 if (size) { 1969 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 1970 fh->fat_entry.start_address + pos, buf, 1971 size, fh->fat_entry.fek, fh->uuid); 1972 if (res != TEE_SUCCESS) 1973 goto out; 1974 } 1975 *len = size; 1976 1977 out: 1978 mutex_unlock(&rpmb_mutex); 1979 return res; 1980 } 1981 1982 static TEE_Result rpmb_fs_write_primitive(struct rpmb_file_handle *fh, 1983 size_t pos, const void *buf, 1984 size_t size) 1985 { 1986 TEE_Result res; 1987 tee_mm_pool_t p; 1988 bool pool_result = false; 1989 tee_mm_entry_t *mm; 1990 size_t end; 1991 size_t newsize; 1992 uint8_t *newbuf = NULL; 1993 uintptr_t newaddr; 1994 uint32_t start_addr; 1995 1996 if (!size) 1997 return TEE_SUCCESS; 1998 1999 if (!fs_par) { 2000 res = TEE_ERROR_GENERIC; 2001 goto out; 2002 } 2003 2004 dump_fh(fh); 2005 2006 /* Upper memory allocation must be used for RPMB_FS. */ 2007 pool_result = tee_mm_init(&p, 2008 RPMB_STORAGE_START_ADDRESS, 2009 fs_par->max_rpmb_address, 2010 RPMB_BLOCK_SIZE_SHIFT, 2011 TEE_MM_POOL_HI_ALLOC); 2012 if (!pool_result) { 2013 res = TEE_ERROR_OUT_OF_MEMORY; 2014 goto out; 2015 } 2016 2017 res = read_fat(fh, &p); 2018 if (res != TEE_SUCCESS) 2019 goto out; 2020 2021 if (fh->fat_entry.flags & FILE_IS_LAST_ENTRY) 2022 panic("invalid last entry flag"); 2023 2024 if (ADD_OVERFLOW(pos, size, &end)) { 2025 res = TEE_ERROR_BAD_PARAMETERS; 2026 goto out; 2027 } 2028 if (ADD_OVERFLOW(fh->fat_entry.start_address, pos, &start_addr)) { 2029 res = TEE_ERROR_BAD_PARAMETERS; 2030 goto out; 2031 } 2032 2033 if (end <= fh->fat_entry.data_size && 2034 tee_rpmb_write_is_atomic(CFG_RPMB_FS_DEV_ID, start_addr, size)) { 2035 2036 DMSG("Updating data in-place"); 2037 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, start_addr, buf, 2038 size, fh->fat_entry.fek, fh->uuid); 2039 if (res != TEE_SUCCESS) 2040 goto out; 2041 } else { 2042 /* 2043 * File must be extended, or update cannot be atomic: allocate, 2044 * read, update, write. 2045 */ 2046 2047 DMSG("Need to re-allocate"); 2048 newsize = MAX(end, fh->fat_entry.data_size); 2049 mm = tee_mm_alloc(&p, newsize); 2050 newbuf = calloc(1, newsize); 2051 if (!mm || !newbuf) { 2052 res = TEE_ERROR_OUT_OF_MEMORY; 2053 goto out; 2054 } 2055 2056 if (fh->fat_entry.data_size) { 2057 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2058 fh->fat_entry.start_address, 2059 newbuf, fh->fat_entry.data_size, 2060 fh->fat_entry.fek, fh->uuid); 2061 if (res != TEE_SUCCESS) 2062 goto out; 2063 } 2064 2065 memcpy(newbuf + pos, buf, size); 2066 2067 newaddr = tee_mm_get_smem(mm); 2068 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2069 newsize, fh->fat_entry.fek, fh->uuid); 2070 if (res != TEE_SUCCESS) 2071 goto out; 2072 2073 fh->fat_entry.data_size = newsize; 2074 fh->fat_entry.start_address = newaddr; 2075 res = write_fat_entry(fh, true); 2076 if (res != TEE_SUCCESS) 2077 goto out; 2078 } 2079 2080 out: 2081 if (pool_result) 2082 tee_mm_final(&p); 2083 if (newbuf) 2084 free(newbuf); 2085 2086 return res; 2087 } 2088 2089 static TEE_Result rpmb_fs_write(struct tee_file_handle *tfh, size_t pos, 2090 const void *buf, size_t size) 2091 { 2092 TEE_Result res; 2093 2094 mutex_lock(&rpmb_mutex); 2095 res = rpmb_fs_write_primitive((struct rpmb_file_handle *)tfh, pos, 2096 buf, size); 2097 mutex_unlock(&rpmb_mutex); 2098 2099 return res; 2100 } 2101 2102 static TEE_Result rpmb_fs_remove_internal(struct rpmb_file_handle *fh) 2103 { 2104 TEE_Result res; 2105 2106 res = read_fat(fh, NULL); 2107 if (res) 2108 return res; 2109 2110 /* Clear this file entry. */ 2111 memset(&fh->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2112 return write_fat_entry(fh, false); 2113 } 2114 2115 static TEE_Result rpmb_fs_remove(struct tee_pobj *po) 2116 { 2117 TEE_Result res; 2118 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2119 2120 if (!fh) 2121 return TEE_ERROR_OUT_OF_MEMORY; 2122 2123 mutex_lock(&rpmb_mutex); 2124 2125 res = rpmb_fs_remove_internal(fh); 2126 2127 mutex_unlock(&rpmb_mutex); 2128 2129 free(fh); 2130 return res; 2131 } 2132 2133 static TEE_Result rpmb_fs_rename_internal(struct tee_pobj *old, 2134 struct tee_pobj *new, 2135 bool overwrite) 2136 { 2137 TEE_Result res = TEE_ERROR_GENERIC; 2138 struct rpmb_file_handle *fh_old = NULL; 2139 struct rpmb_file_handle *fh_new = NULL; 2140 2141 if (!old) { 2142 res = TEE_ERROR_BAD_PARAMETERS; 2143 goto out; 2144 } 2145 2146 if (new) 2147 fh_old = alloc_file_handle(old, old->temporary); 2148 else 2149 fh_old = alloc_file_handle(old, true); 2150 if (!fh_old) { 2151 res = TEE_ERROR_OUT_OF_MEMORY; 2152 goto out; 2153 } 2154 2155 if (new) 2156 fh_new = alloc_file_handle(new, new->temporary); 2157 else 2158 fh_new = alloc_file_handle(old, false); 2159 if (!fh_new) { 2160 res = TEE_ERROR_OUT_OF_MEMORY; 2161 goto out; 2162 } 2163 2164 res = read_fat(fh_old, NULL); 2165 if (res != TEE_SUCCESS) 2166 goto out; 2167 2168 res = read_fat(fh_new, NULL); 2169 if (res == TEE_SUCCESS) { 2170 if (!overwrite) { 2171 res = TEE_ERROR_ACCESS_CONFLICT; 2172 goto out; 2173 } 2174 2175 /* Clear this file entry. */ 2176 memset(&fh_new->fat_entry, 0, sizeof(struct rpmb_fat_entry)); 2177 res = write_fat_entry(fh_new, false); 2178 if (res != TEE_SUCCESS) 2179 goto out; 2180 } 2181 2182 memset(fh_old->fat_entry.filename, 0, TEE_RPMB_FS_FILENAME_LENGTH); 2183 memcpy(fh_old->fat_entry.filename, fh_new->filename, 2184 strlen(fh_new->filename)); 2185 2186 res = write_fat_entry(fh_old, false); 2187 2188 out: 2189 free(fh_old); 2190 free(fh_new); 2191 2192 return res; 2193 } 2194 2195 static TEE_Result rpmb_fs_rename(struct tee_pobj *old, struct tee_pobj *new, 2196 bool overwrite) 2197 { 2198 TEE_Result res; 2199 2200 mutex_lock(&rpmb_mutex); 2201 res = rpmb_fs_rename_internal(old, new, overwrite); 2202 mutex_unlock(&rpmb_mutex); 2203 2204 return res; 2205 } 2206 2207 static TEE_Result rpmb_fs_truncate(struct tee_file_handle *tfh, size_t length) 2208 { 2209 struct rpmb_file_handle *fh = (struct rpmb_file_handle *)tfh; 2210 tee_mm_pool_t p; 2211 bool pool_result = false; 2212 tee_mm_entry_t *mm; 2213 uint32_t newsize; 2214 uint8_t *newbuf = NULL; 2215 uintptr_t newaddr; 2216 TEE_Result res = TEE_ERROR_GENERIC; 2217 2218 mutex_lock(&rpmb_mutex); 2219 2220 if (length > INT32_MAX) { 2221 res = TEE_ERROR_BAD_PARAMETERS; 2222 goto out; 2223 } 2224 newsize = length; 2225 2226 res = read_fat(fh, NULL); 2227 if (res != TEE_SUCCESS) 2228 goto out; 2229 2230 if (newsize > fh->fat_entry.data_size) { 2231 /* Extend file */ 2232 2233 pool_result = tee_mm_init(&p, 2234 RPMB_STORAGE_START_ADDRESS, 2235 fs_par->max_rpmb_address, 2236 RPMB_BLOCK_SIZE_SHIFT, 2237 TEE_MM_POOL_HI_ALLOC); 2238 if (!pool_result) { 2239 res = TEE_ERROR_OUT_OF_MEMORY; 2240 goto out; 2241 } 2242 res = read_fat(fh, &p); 2243 if (res != TEE_SUCCESS) 2244 goto out; 2245 2246 mm = tee_mm_alloc(&p, newsize); 2247 newbuf = calloc(1, newsize); 2248 if (!mm || !newbuf) { 2249 res = TEE_ERROR_OUT_OF_MEMORY; 2250 goto out; 2251 } 2252 2253 if (fh->fat_entry.data_size) { 2254 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, 2255 fh->fat_entry.start_address, 2256 newbuf, fh->fat_entry.data_size, 2257 fh->fat_entry.fek, fh->uuid); 2258 if (res != TEE_SUCCESS) 2259 goto out; 2260 } 2261 2262 newaddr = tee_mm_get_smem(mm); 2263 res = tee_rpmb_write(CFG_RPMB_FS_DEV_ID, newaddr, newbuf, 2264 newsize, fh->fat_entry.fek, fh->uuid); 2265 if (res != TEE_SUCCESS) 2266 goto out; 2267 2268 } else { 2269 /* Don't change file location */ 2270 newaddr = fh->fat_entry.start_address; 2271 } 2272 2273 /* fh->pos is unchanged */ 2274 fh->fat_entry.data_size = newsize; 2275 fh->fat_entry.start_address = newaddr; 2276 res = write_fat_entry(fh, true); 2277 2278 out: 2279 mutex_unlock(&rpmb_mutex); 2280 if (pool_result) 2281 tee_mm_final(&p); 2282 if (newbuf) 2283 free(newbuf); 2284 2285 return res; 2286 } 2287 2288 static void rpmb_fs_dir_free(struct tee_fs_dir *dir) 2289 { 2290 struct tee_rpmb_fs_dirent *e; 2291 2292 if (!dir) 2293 return; 2294 2295 free(dir->current); 2296 2297 while ((e = SIMPLEQ_FIRST(&dir->next))) { 2298 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2299 free(e); 2300 } 2301 } 2302 2303 static TEE_Result rpmb_fs_dir_populate(const char *path, 2304 struct tee_fs_dir *dir) 2305 { 2306 struct tee_rpmb_fs_dirent *current = NULL; 2307 struct rpmb_fat_entry *fat_entries = NULL; 2308 uint32_t fat_address; 2309 uint32_t filelen; 2310 char *filename; 2311 int i; 2312 bool last_entry_found = false; 2313 bool matched; 2314 struct tee_rpmb_fs_dirent *next = NULL; 2315 uint32_t pathlen; 2316 TEE_Result res = TEE_ERROR_GENERIC; 2317 uint32_t size; 2318 char temp; 2319 2320 mutex_lock(&rpmb_mutex); 2321 2322 res = rpmb_fs_setup(); 2323 if (res != TEE_SUCCESS) 2324 goto out; 2325 2326 res = get_fat_start_address(&fat_address); 2327 if (res != TEE_SUCCESS) 2328 goto out; 2329 2330 size = N_ENTRIES * sizeof(struct rpmb_fat_entry); 2331 fat_entries = malloc(size); 2332 if (!fat_entries) { 2333 res = TEE_ERROR_OUT_OF_MEMORY; 2334 goto out; 2335 } 2336 2337 pathlen = strlen(path); 2338 while (!last_entry_found) { 2339 res = tee_rpmb_read(CFG_RPMB_FS_DEV_ID, fat_address, 2340 (uint8_t *)fat_entries, size, NULL, NULL); 2341 if (res != TEE_SUCCESS) 2342 goto out; 2343 2344 for (i = 0; i < N_ENTRIES; i++) { 2345 filename = fat_entries[i].filename; 2346 if (fat_entries[i].flags & FILE_IS_ACTIVE) { 2347 matched = false; 2348 filelen = strlen(filename); 2349 if (filelen > pathlen) { 2350 temp = filename[pathlen]; 2351 filename[pathlen] = '\0'; 2352 if (strcmp(filename, path) == 0) 2353 matched = true; 2354 2355 filename[pathlen] = temp; 2356 } 2357 2358 if (matched) { 2359 next = malloc(sizeof(*next)); 2360 if (!next) { 2361 res = TEE_ERROR_OUT_OF_MEMORY; 2362 goto out; 2363 } 2364 2365 next->entry.oidlen = tee_hs2b( 2366 (uint8_t *)&filename[pathlen], 2367 next->entry.oid, 2368 filelen - pathlen, 2369 sizeof(next->entry.oid)); 2370 if (next->entry.oidlen) { 2371 SIMPLEQ_INSERT_TAIL(&dir->next, 2372 next, link); 2373 current = next; 2374 } else { 2375 free(next); 2376 next = NULL; 2377 } 2378 2379 } 2380 } 2381 2382 if (fat_entries[i].flags & FILE_IS_LAST_ENTRY) { 2383 last_entry_found = true; 2384 break; 2385 } 2386 2387 /* Move to next fat_entry. */ 2388 fat_address += sizeof(struct rpmb_fat_entry); 2389 } 2390 } 2391 2392 if (current) 2393 res = TEE_SUCCESS; 2394 else 2395 res = TEE_ERROR_ITEM_NOT_FOUND; /* No directories were found. */ 2396 2397 out: 2398 mutex_unlock(&rpmb_mutex); 2399 if (res != TEE_SUCCESS) 2400 rpmb_fs_dir_free(dir); 2401 if (fat_entries) 2402 free(fat_entries); 2403 2404 return res; 2405 } 2406 2407 static TEE_Result rpmb_fs_opendir(const TEE_UUID *uuid, struct tee_fs_dir **dir) 2408 { 2409 uint32_t len; 2410 char path_local[TEE_RPMB_FS_FILENAME_LENGTH]; 2411 TEE_Result res = TEE_ERROR_GENERIC; 2412 struct tee_fs_dir *rpmb_dir = NULL; 2413 2414 if (!uuid || !dir) { 2415 res = TEE_ERROR_BAD_PARAMETERS; 2416 goto out; 2417 } 2418 2419 memset(path_local, 0, sizeof(path_local)); 2420 if (tee_svc_storage_create_dirname(path_local, sizeof(path_local) - 1, 2421 uuid) != TEE_SUCCESS) { 2422 res = TEE_ERROR_BAD_PARAMETERS; 2423 goto out; 2424 } 2425 len = strlen(path_local); 2426 2427 /* Add a slash to correctly match the full directory name. */ 2428 if (path_local[len - 1] != '/') 2429 path_local[len] = '/'; 2430 2431 rpmb_dir = calloc(1, sizeof(*rpmb_dir)); 2432 if (!rpmb_dir) { 2433 res = TEE_ERROR_OUT_OF_MEMORY; 2434 goto out; 2435 } 2436 SIMPLEQ_INIT(&rpmb_dir->next); 2437 2438 res = rpmb_fs_dir_populate(path_local, rpmb_dir); 2439 if (res != TEE_SUCCESS) { 2440 free(rpmb_dir); 2441 rpmb_dir = NULL; 2442 goto out; 2443 } 2444 2445 *dir = rpmb_dir; 2446 2447 out: 2448 return res; 2449 } 2450 2451 static TEE_Result rpmb_fs_readdir(struct tee_fs_dir *dir, 2452 struct tee_fs_dirent **ent) 2453 { 2454 if (!dir) 2455 return TEE_ERROR_GENERIC; 2456 2457 free(dir->current); 2458 2459 dir->current = SIMPLEQ_FIRST(&dir->next); 2460 if (!dir->current) 2461 return TEE_ERROR_ITEM_NOT_FOUND; 2462 2463 SIMPLEQ_REMOVE_HEAD(&dir->next, link); 2464 2465 *ent = &dir->current->entry; 2466 return TEE_SUCCESS; 2467 } 2468 2469 static void rpmb_fs_closedir(struct tee_fs_dir *dir) 2470 { 2471 if (dir) { 2472 rpmb_fs_dir_free(dir); 2473 free(dir); 2474 } 2475 } 2476 2477 static TEE_Result rpmb_fs_open(struct tee_pobj *po, size_t *size, 2478 struct tee_file_handle **ret_fh) 2479 { 2480 TEE_Result res; 2481 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2482 2483 if (!fh) 2484 return TEE_ERROR_OUT_OF_MEMORY; 2485 2486 mutex_lock(&rpmb_mutex); 2487 2488 res = rpmb_fs_open_internal(fh, &po->uuid, false); 2489 if (!res && size) 2490 *size = fh->fat_entry.data_size; 2491 2492 mutex_unlock(&rpmb_mutex); 2493 2494 if (res) 2495 free(fh); 2496 else 2497 *ret_fh = (struct tee_file_handle *)fh; 2498 2499 return res; 2500 } 2501 2502 static TEE_Result rpmb_fs_create(struct tee_pobj *po, bool overwrite, 2503 const void *head, size_t head_size, 2504 const void *attr, size_t attr_size, 2505 const void *data, size_t data_size, 2506 struct tee_file_handle **ret_fh) 2507 { 2508 TEE_Result res; 2509 size_t pos = 0; 2510 struct rpmb_file_handle *fh = alloc_file_handle(po, po->temporary); 2511 2512 if (!fh) 2513 return TEE_ERROR_OUT_OF_MEMORY; 2514 2515 mutex_lock(&rpmb_mutex); 2516 res = rpmb_fs_open_internal(fh, &po->uuid, true); 2517 if (res) 2518 goto out; 2519 2520 if (head && head_size) { 2521 res = rpmb_fs_write_primitive(fh, pos, head, head_size); 2522 if (res) 2523 goto out; 2524 pos += head_size; 2525 } 2526 2527 if (attr && attr_size) { 2528 res = rpmb_fs_write_primitive(fh, pos, attr, attr_size); 2529 if (res) 2530 goto out; 2531 pos += attr_size; 2532 } 2533 2534 if (data && data_size) { 2535 res = rpmb_fs_write_primitive(fh, pos, data, data_size); 2536 if (res) 2537 goto out; 2538 } 2539 2540 if (po->temporary) { 2541 /* 2542 * If it's a temporary filename (which it normally is) 2543 * rename into the final filename now that the file is 2544 * fully initialized. 2545 */ 2546 po->temporary = false; 2547 res = rpmb_fs_rename_internal(po, NULL, overwrite); 2548 if (res) { 2549 po->temporary = true; 2550 goto out; 2551 } 2552 /* Update file handle after rename. */ 2553 tee_svc_storage_create_filename(fh->filename, 2554 sizeof(fh->filename), 2555 po, false); 2556 } 2557 2558 out: 2559 if (res) { 2560 rpmb_fs_remove_internal(fh); 2561 free(fh); 2562 } else { 2563 *ret_fh = (struct tee_file_handle *)fh; 2564 } 2565 mutex_unlock(&rpmb_mutex); 2566 2567 return res; 2568 } 2569 2570 const struct tee_file_operations rpmb_fs_ops = { 2571 .open = rpmb_fs_open, 2572 .create = rpmb_fs_create, 2573 .close = rpmb_fs_close, 2574 .read = rpmb_fs_read, 2575 .write = rpmb_fs_write, 2576 .truncate = rpmb_fs_truncate, 2577 .rename = rpmb_fs_rename, 2578 .remove = rpmb_fs_remove, 2579 .opendir = rpmb_fs_opendir, 2580 .closedir = rpmb_fs_closedir, 2581 .readdir = rpmb_fs_readdir, 2582 }; 2583 2584 TEE_Result tee_rpmb_fs_raw_open(const char *fname, bool create, 2585 struct tee_file_handle **ret_fh) 2586 { 2587 TEE_Result res; 2588 struct rpmb_file_handle *fh = calloc(1, sizeof(*fh)); 2589 static const TEE_UUID uuid = { 0 }; 2590 2591 if (!fh) 2592 return TEE_ERROR_OUT_OF_MEMORY; 2593 2594 snprintf(fh->filename, sizeof(fh->filename), "/%s", fname); 2595 2596 mutex_lock(&rpmb_mutex); 2597 2598 res = rpmb_fs_open_internal(fh, &uuid, create); 2599 2600 mutex_unlock(&rpmb_mutex); 2601 2602 if (res) { 2603 if (create) 2604 rpmb_fs_remove_internal(fh); 2605 free(fh); 2606 } else { 2607 *ret_fh = (struct tee_file_handle *)fh; 2608 } 2609 2610 return res; 2611 } 2612