1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2019, Linaro Limited 4 */ 5 6 #include <assert.h> 7 #include <ctype.h> 8 #include <elf32.h> 9 #include <elf64.h> 10 #include <elf_common.h> 11 #include <ldelf.h> 12 #include <pta_system.h> 13 #include <stdio.h> 14 #include <stdlib.h> 15 #include <string_ext.h> 16 #include <string.h> 17 #include <tee_api_types.h> 18 #include <tee_internal_api_extensions.h> 19 #include <user_ta_header.h> 20 #include <utee_syscalls.h> 21 22 #include "sys.h" 23 #include "ta_elf.h" 24 #include "unwind.h" 25 26 static vaddr_t ta_stack; 27 static vaddr_t ta_stack_size; 28 29 struct ta_elf_queue main_elf_queue = TAILQ_HEAD_INITIALIZER(main_elf_queue); 30 31 static struct ta_elf *queue_elf(const TEE_UUID *uuid) 32 { 33 struct ta_elf *elf = NULL; 34 35 TAILQ_FOREACH(elf, &main_elf_queue, link) 36 if (!memcmp(uuid, &elf->uuid, sizeof(*uuid))) 37 return NULL; 38 39 elf = calloc(1, sizeof(*elf)); 40 if (!elf) 41 err(TEE_ERROR_OUT_OF_MEMORY, "calloc"); 42 43 TAILQ_INIT(&elf->segs); 44 45 elf->uuid = *uuid; 46 TAILQ_INSERT_TAIL(&main_elf_queue, elf, link); 47 return elf; 48 } 49 50 static TEE_Result e32_parse_ehdr(struct ta_elf *elf, Elf32_Ehdr *ehdr) 51 { 52 if (ehdr->e_ident[EI_VERSION] != EV_CURRENT || 53 ehdr->e_ident[EI_CLASS] != ELFCLASS32 || 54 ehdr->e_ident[EI_DATA] != ELFDATA2LSB || 55 ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE || 56 ehdr->e_type != ET_DYN || ehdr->e_machine != EM_ARM || 57 (ehdr->e_flags & EF_ARM_ABIMASK) != EF_ARM_ABI_VERSION || 58 #ifndef CFG_WITH_VFP 59 (ehdr->e_flags & EF_ARM_ABI_FLOAT_HARD) || 60 #endif 61 ehdr->e_phentsize != sizeof(Elf32_Phdr) || 62 ehdr->e_shentsize != sizeof(Elf32_Shdr)) 63 return TEE_ERROR_BAD_FORMAT; 64 65 elf->is_32bit = true; 66 elf->e_entry = ehdr->e_entry; 67 elf->e_phoff = ehdr->e_phoff; 68 elf->e_shoff = ehdr->e_shoff; 69 elf->e_phnum = ehdr->e_phnum; 70 elf->e_shnum = ehdr->e_shnum; 71 elf->e_phentsize = ehdr->e_phentsize; 72 elf->e_shentsize = ehdr->e_shentsize; 73 74 return TEE_SUCCESS; 75 } 76 77 #ifdef ARM64 78 static TEE_Result e64_parse_ehdr(struct ta_elf *elf, Elf64_Ehdr *ehdr) 79 { 80 if (ehdr->e_ident[EI_VERSION] != EV_CURRENT || 81 ehdr->e_ident[EI_CLASS] != ELFCLASS64 || 82 ehdr->e_ident[EI_DATA] != ELFDATA2LSB || 83 ehdr->e_ident[EI_OSABI] != ELFOSABI_NONE || 84 ehdr->e_type != ET_DYN || ehdr->e_machine != EM_AARCH64 || 85 ehdr->e_flags || ehdr->e_phentsize != sizeof(Elf64_Phdr) || 86 ehdr->e_shentsize != sizeof(Elf64_Shdr)) 87 return TEE_ERROR_BAD_FORMAT; 88 89 90 elf->is_32bit = false; 91 elf->e_entry = ehdr->e_entry; 92 elf->e_phoff = ehdr->e_phoff; 93 elf->e_shoff = ehdr->e_shoff; 94 elf->e_phnum = ehdr->e_phnum; 95 elf->e_shnum = ehdr->e_shnum; 96 elf->e_phentsize = ehdr->e_phentsize; 97 elf->e_shentsize = ehdr->e_shentsize; 98 99 return TEE_SUCCESS; 100 } 101 #else /*ARM64*/ 102 static TEE_Result e64_parse_ehdr(struct ta_elf *elf __unused, 103 Elf64_Ehdr *ehdr __unused) 104 { 105 return TEE_ERROR_NOT_SUPPORTED; 106 } 107 #endif /*ARM64*/ 108 109 static void read_dyn(struct ta_elf *elf, vaddr_t addr, 110 size_t idx, unsigned int *tag, size_t *val) 111 { 112 if (elf->is_32bit) { 113 Elf32_Dyn *dyn = (Elf32_Dyn *)(addr + elf->load_addr); 114 115 *tag = dyn[idx].d_tag; 116 *val = dyn[idx].d_un.d_val; 117 } else { 118 Elf64_Dyn *dyn = (Elf64_Dyn *)(addr + elf->load_addr); 119 120 *tag = dyn[idx].d_tag; 121 *val = dyn[idx].d_un.d_val; 122 } 123 } 124 125 static void save_hashtab_from_segment(struct ta_elf *elf, unsigned int type, 126 vaddr_t addr, size_t memsz) 127 { 128 size_t dyn_entsize = 0; 129 size_t num_dyns = 0; 130 size_t n = 0; 131 unsigned int tag = 0; 132 size_t val = 0; 133 134 if (type != PT_DYNAMIC) 135 return; 136 137 if (elf->is_32bit) 138 dyn_entsize = sizeof(Elf32_Dyn); 139 else 140 dyn_entsize = sizeof(Elf64_Dyn); 141 142 assert(!(memsz % dyn_entsize)); 143 num_dyns = memsz / dyn_entsize; 144 145 for (n = 0; n < num_dyns; n++) { 146 read_dyn(elf, addr, n, &tag, &val); 147 if (tag == DT_HASH) { 148 elf->hashtab = (void *)(val + elf->load_addr); 149 break; 150 } 151 } 152 } 153 154 static void save_hashtab(struct ta_elf *elf) 155 { 156 size_t n = 0; 157 158 if (elf->is_32bit) { 159 Elf32_Phdr *phdr = elf->phdr; 160 161 for (n = 0; n < elf->e_phnum; n++) 162 save_hashtab_from_segment(elf, phdr[n].p_type, 163 phdr[n].p_vaddr, 164 phdr[n].p_memsz); 165 } else { 166 Elf64_Phdr *phdr = elf->phdr; 167 168 for (n = 0; n < elf->e_phnum; n++) 169 save_hashtab_from_segment(elf, phdr[n].p_type, 170 phdr[n].p_vaddr, 171 phdr[n].p_memsz); 172 } 173 assert(elf->hashtab); 174 } 175 176 static void e32_save_symtab(struct ta_elf *elf, size_t tab_idx) 177 { 178 Elf32_Shdr *shdr = elf->shdr; 179 size_t str_idx = shdr[tab_idx].sh_link; 180 181 elf->dynsymtab = (void *)(shdr[tab_idx].sh_addr + elf->load_addr); 182 assert(!(shdr[tab_idx].sh_size % sizeof(Elf32_Sym))); 183 elf->num_dynsyms = shdr[tab_idx].sh_size / sizeof(Elf32_Sym); 184 185 elf->dynstr = (void *)(shdr[str_idx].sh_addr + elf->load_addr); 186 elf->dynstr_size = shdr[str_idx].sh_size; 187 } 188 189 static void e64_save_symtab(struct ta_elf *elf, size_t tab_idx) 190 { 191 Elf64_Shdr *shdr = elf->shdr; 192 size_t str_idx = shdr[tab_idx].sh_link; 193 194 elf->dynsymtab = (void *)(vaddr_t)(shdr[tab_idx].sh_addr + 195 elf->load_addr); 196 assert(!(shdr[tab_idx].sh_size % sizeof(Elf64_Sym))); 197 elf->num_dynsyms = shdr[tab_idx].sh_size / sizeof(Elf64_Sym); 198 199 elf->dynstr = (void *)(vaddr_t)(shdr[str_idx].sh_addr + elf->load_addr); 200 elf->dynstr_size = shdr[str_idx].sh_size; 201 } 202 203 static void save_symtab(struct ta_elf *elf) 204 { 205 size_t n = 0; 206 207 if (elf->is_32bit) { 208 Elf32_Shdr *shdr = elf->shdr; 209 210 for (n = 0; n < elf->e_shnum; n++) { 211 if (shdr[n].sh_type == SHT_DYNSYM) { 212 e32_save_symtab(elf, n); 213 break; 214 } 215 } 216 } else { 217 Elf64_Shdr *shdr = elf->shdr; 218 219 for (n = 0; n < elf->e_shnum; n++) { 220 if (shdr[n].sh_type == SHT_DYNSYM) { 221 e64_save_symtab(elf, n); 222 break; 223 } 224 } 225 226 } 227 228 save_hashtab(elf); 229 } 230 231 static void init_elf(struct ta_elf *elf) 232 { 233 TEE_Result res = TEE_SUCCESS; 234 vaddr_t va = 0; 235 uint32_t flags = PTA_SYSTEM_MAP_FLAG_SHAREABLE; 236 237 res = sys_open_ta_bin(&elf->uuid, &elf->handle); 238 if (res) 239 err(res, "sys_open_ta_bin(%pUl)", (void *)&elf->uuid); 240 241 /* 242 * Map it read-only executable when we're loading a library where 243 * the ELF header is included in a load segment. 244 */ 245 if (!elf->is_main) 246 flags |= PTA_SYSTEM_MAP_FLAG_EXECUTABLE; 247 res = sys_map_ta_bin(&va, SMALL_PAGE_SIZE, flags, elf->handle, 0, 0, 0); 248 if (res) 249 err(res, "sys_map_ta_bin"); 250 elf->ehdr_addr = va; 251 if (!elf->is_main) { 252 elf->load_addr = va; 253 elf->max_addr = va + SMALL_PAGE_SIZE; 254 elf->max_offs = SMALL_PAGE_SIZE; 255 } 256 257 if (!IS_ELF(*(Elf32_Ehdr *)va)) 258 err(TEE_ERROR_BAD_FORMAT, "TA is not an ELF"); 259 260 res = e32_parse_ehdr(elf, (void *)va); 261 if (res == TEE_ERROR_BAD_FORMAT) 262 res = e64_parse_ehdr(elf, (void *)va); 263 if (res) 264 err(res, "Cannot parse ELF"); 265 266 if (elf->e_phoff + elf->e_phnum * elf->e_phentsize > SMALL_PAGE_SIZE) 267 err(TEE_ERROR_NOT_SUPPORTED, "Cannot read program headers"); 268 269 elf->phdr = (void *)(va + elf->e_phoff); 270 } 271 272 static size_t roundup(size_t v) 273 { 274 return ROUNDUP(v, SMALL_PAGE_SIZE); 275 } 276 277 static size_t rounddown(size_t v) 278 { 279 return ROUNDDOWN(v, SMALL_PAGE_SIZE); 280 } 281 282 static void add_segment(struct ta_elf *elf, size_t offset, size_t vaddr, 283 size_t filesz, size_t memsz, size_t flags, size_t align) 284 { 285 struct segment *seg = calloc(1, sizeof(*seg)); 286 287 if (!seg) 288 err(TEE_ERROR_OUT_OF_MEMORY, "calloc"); 289 290 seg->offset = offset; 291 seg->vaddr = vaddr; 292 seg->filesz = filesz; 293 seg->memsz = memsz; 294 seg->flags = flags; 295 seg->align = align; 296 297 TAILQ_INSERT_TAIL(&elf->segs, seg, link); 298 } 299 300 static void parse_load_segments(struct ta_elf *elf) 301 { 302 size_t n = 0; 303 304 if (elf->is_32bit) { 305 Elf32_Phdr *phdr = elf->phdr; 306 307 for (n = 0; n < elf->e_phnum; n++) 308 if (phdr[n].p_type == PT_LOAD) { 309 add_segment(elf, phdr[n].p_offset, 310 phdr[n].p_vaddr, phdr[n].p_filesz, 311 phdr[n].p_memsz, phdr[n].p_flags, 312 phdr[n].p_align); 313 } else if (phdr[n].p_type == PT_ARM_EXIDX) { 314 elf->exidx_start = phdr[n].p_vaddr; 315 elf->exidx_size = phdr[n].p_filesz; 316 } 317 } else { 318 Elf64_Phdr *phdr = elf->phdr; 319 320 for (n = 0; n < elf->e_phnum; n++) 321 if (phdr[n].p_type == PT_LOAD) 322 add_segment(elf, phdr[n].p_offset, 323 phdr[n].p_vaddr, phdr[n].p_filesz, 324 phdr[n].p_memsz, phdr[n].p_flags, 325 phdr[n].p_align); 326 } 327 } 328 329 static void copy_remapped_to(struct ta_elf *elf, const struct segment *seg) 330 { 331 uint8_t *dst = (void *)(seg->vaddr + elf->load_addr); 332 size_t n = 0; 333 size_t offs = seg->offset; 334 size_t num_bytes = seg->filesz; 335 336 if (offs < elf->max_offs) { 337 n = MIN(elf->max_offs - offs, num_bytes); 338 memcpy(dst, (void *)(elf->max_addr + offs - elf->max_offs), n); 339 dst += n; 340 offs += n; 341 num_bytes -= n; 342 } 343 344 if (num_bytes) { 345 TEE_Result res = sys_copy_from_ta_bin(dst, num_bytes, 346 elf->handle, offs); 347 348 if (res) 349 err(res, "sys_copy_from_ta_bin"); 350 elf->max_offs += offs; 351 } 352 } 353 354 static void adjust_segments(struct ta_elf *elf) 355 { 356 struct segment *seg = NULL; 357 struct segment *prev_seg = NULL; 358 size_t prev_end_addr = 0; 359 size_t align = 0; 360 size_t mask = 0; 361 362 /* Sanity check */ 363 TAILQ_FOREACH(seg, &elf->segs, link) { 364 size_t dummy __maybe_unused = 0; 365 366 assert(seg->align >= SMALL_PAGE_SIZE); 367 assert(!ADD_OVERFLOW(seg->vaddr, seg->memsz, &dummy)); 368 assert(seg->filesz <= seg->memsz); 369 assert((seg->offset & SMALL_PAGE_MASK) == 370 (seg->vaddr & SMALL_PAGE_MASK)); 371 372 prev_seg = TAILQ_PREV(seg, segment_head, link); 373 if (prev_seg) { 374 assert(seg->vaddr >= prev_seg->vaddr + prev_seg->memsz); 375 assert(seg->offset >= 376 prev_seg->offset + prev_seg->filesz); 377 } 378 if (!align) 379 align = seg->align; 380 assert(align == seg->align); 381 } 382 383 mask = align - 1; 384 385 seg = TAILQ_FIRST(&elf->segs); 386 if (seg) 387 seg = TAILQ_NEXT(seg, link); 388 while (seg) { 389 prev_seg = TAILQ_PREV(seg, segment_head, link); 390 prev_end_addr = prev_seg->vaddr + prev_seg->memsz; 391 392 /* 393 * This segment may overlap with the last "page" in the 394 * previous segment in two different ways: 395 * 1. Virtual address (and offset) overlaps => 396 * Permissions needs to be merged. The offset must have 397 * the SMALL_PAGE_MASK bits set as vaddr and offset must 398 * add up with prevsion segment. 399 * 400 * 2. Only offset overlaps => 401 * The same page in the ELF is mapped at two different 402 * virtual addresses. As a limitation this segment must 403 * be mapped as writeable. 404 */ 405 406 /* Case 1. */ 407 if (rounddown(seg->vaddr) < prev_end_addr) { 408 assert((seg->vaddr & mask) == (seg->offset & mask)); 409 assert(prev_seg->memsz == prev_seg->filesz); 410 411 /* 412 * Merge the segments and their permissions. 413 * Note that the may be a small hole between the 414 * two sections. 415 */ 416 prev_seg->filesz = seg->vaddr + seg->filesz - 417 prev_seg->vaddr; 418 prev_seg->memsz = seg->vaddr + seg->memsz - 419 prev_seg->vaddr; 420 prev_seg->flags |= seg->flags; 421 422 TAILQ_REMOVE(&elf->segs, seg, link); 423 free(seg); 424 seg = TAILQ_NEXT(prev_seg, link); 425 continue; 426 } 427 428 /* Case 2. */ 429 if ((seg->offset & mask) && 430 rounddown(seg->offset) < 431 (prev_seg->offset + prev_seg->filesz)) { 432 433 assert(seg->flags & PF_W); 434 seg->remapped_writeable = true; 435 } 436 437 /* 438 * No overlap, but we may need to align address, offset and 439 * size. 440 */ 441 seg->filesz += seg->vaddr - rounddown(seg->vaddr); 442 seg->memsz += seg->vaddr - rounddown(seg->vaddr); 443 seg->vaddr = rounddown(seg->vaddr); 444 seg->offset = rounddown(seg->offset); 445 seg = TAILQ_NEXT(seg, link); 446 } 447 448 } 449 450 static void populate_segments_legacy(struct ta_elf *elf) 451 { 452 TEE_Result res = TEE_SUCCESS; 453 struct segment *seg = NULL; 454 vaddr_t va = 0; 455 456 assert(elf->is_legacy); 457 TAILQ_FOREACH(seg, &elf->segs, link) { 458 struct segment *last_seg = TAILQ_LAST(&elf->segs, segment_head); 459 size_t pad_end = roundup(last_seg->vaddr + last_seg->memsz - 460 seg->vaddr - seg->memsz); 461 size_t num_bytes = roundup(seg->memsz); 462 463 if (!elf->load_addr) 464 va = 0; 465 else 466 va = seg->vaddr + elf->load_addr; 467 468 469 if (!(seg->flags & PF_R)) 470 err(TEE_ERROR_NOT_SUPPORTED, 471 "Segment must be readable"); 472 473 res = sys_map_zi(num_bytes, 0, &va, 0, pad_end); 474 if (res) 475 err(res, "sys_map_zi"); 476 res = sys_copy_from_ta_bin((void *)va, seg->filesz, 477 elf->handle, seg->offset); 478 if (res) 479 err(res, "sys_copy_from_ta_bin"); 480 481 if (!elf->load_addr) 482 elf->load_addr = va; 483 elf->max_addr = va + num_bytes; 484 elf->max_offs = seg->offset + seg->filesz; 485 } 486 } 487 488 static size_t get_pad_begin(void) 489 { 490 #ifdef CFG_TA_ASLR 491 size_t min = CFG_TA_ASLR_MIN_OFFSET_PAGES; 492 size_t max = CFG_TA_ASLR_MAX_OFFSET_PAGES; 493 TEE_Result res = TEE_SUCCESS; 494 uint32_t rnd32 = 0; 495 size_t rnd = 0; 496 497 COMPILE_TIME_ASSERT(CFG_TA_ASLR_MIN_OFFSET_PAGES < 498 CFG_TA_ASLR_MAX_OFFSET_PAGES); 499 if (max > min) { 500 res = utee_cryp_random_number_generate(&rnd32, sizeof(rnd32)); 501 if (res) { 502 DMSG("Random read failed: %#"PRIx32, res); 503 return min * SMALL_PAGE_SIZE; 504 } 505 rnd = rnd32 % (max - min); 506 } 507 508 return (min + rnd) * SMALL_PAGE_SIZE; 509 #else /*!CFG_TA_ASLR*/ 510 return 0; 511 #endif /*!CFG_TA_ASLR*/ 512 } 513 514 static void populate_segments(struct ta_elf *elf) 515 { 516 TEE_Result res = TEE_SUCCESS; 517 struct segment *seg = NULL; 518 vaddr_t va = 0; 519 size_t pad_begin = 0; 520 521 assert(!elf->is_legacy); 522 TAILQ_FOREACH(seg, &elf->segs, link) { 523 struct segment *last_seg = TAILQ_LAST(&elf->segs, segment_head); 524 size_t pad_end = roundup(last_seg->vaddr + last_seg->memsz - 525 seg->vaddr - seg->memsz); 526 527 if (seg->remapped_writeable) { 528 size_t num_bytes = roundup(seg->vaddr + seg->memsz) - 529 rounddown(seg->vaddr); 530 531 assert(elf->load_addr); 532 va = rounddown(elf->load_addr + seg->vaddr); 533 assert(va >= elf->max_addr); 534 res = sys_map_zi(num_bytes, 0, &va, 0, pad_end); 535 if (res) 536 err(res, "sys_map_zi"); 537 538 copy_remapped_to(elf, seg); 539 elf->max_addr = va + num_bytes; 540 } else { 541 uint32_t flags = 0; 542 size_t filesz = seg->filesz; 543 size_t memsz = seg->memsz; 544 size_t offset = seg->offset; 545 size_t vaddr = seg->vaddr; 546 547 if (offset < elf->max_offs) { 548 /* 549 * We're in a load segment which overlaps 550 * with (or is covered by) the first page 551 * of a shared library. 552 */ 553 if (vaddr + filesz < SMALL_PAGE_SIZE) { 554 size_t num_bytes = 0; 555 556 /* 557 * If this segment is completely 558 * covered, take next. 559 */ 560 if (vaddr + memsz <= SMALL_PAGE_SIZE) 561 continue; 562 563 /* 564 * All data of the segment is 565 * loaded, but we need to zero 566 * extend it. 567 */ 568 va = elf->max_addr; 569 num_bytes = roundup(vaddr + memsz) - 570 roundup(vaddr) - 571 SMALL_PAGE_SIZE; 572 assert(num_bytes); 573 res = sys_map_zi(num_bytes, 0, &va, 0, 574 0); 575 if (res) 576 err(res, "sys_map_zi"); 577 elf->max_addr = roundup(va + num_bytes); 578 continue; 579 } 580 581 /* Partial overlap, remove the first page. */ 582 vaddr += SMALL_PAGE_SIZE; 583 filesz -= SMALL_PAGE_SIZE; 584 memsz -= SMALL_PAGE_SIZE; 585 offset += SMALL_PAGE_SIZE; 586 } 587 588 if (!elf->load_addr) { 589 va = 0; 590 pad_begin = get_pad_begin(); 591 /* 592 * If mapping with pad_begin fails we'll 593 * retry without pad_begin, effectively 594 * disabling ASLR for the current ELF file. 595 */ 596 } else { 597 va = vaddr + elf->load_addr; 598 pad_begin = 0; 599 } 600 601 if (seg->flags & PF_W) 602 flags |= PTA_SYSTEM_MAP_FLAG_WRITEABLE; 603 else 604 flags |= PTA_SYSTEM_MAP_FLAG_SHAREABLE; 605 if (seg->flags & PF_X) 606 flags |= PTA_SYSTEM_MAP_FLAG_EXECUTABLE; 607 if (!(seg->flags & PF_R)) 608 err(TEE_ERROR_NOT_SUPPORTED, 609 "Segment must be readable"); 610 if (flags & PTA_SYSTEM_MAP_FLAG_WRITEABLE) { 611 res = sys_map_zi(memsz, 0, &va, pad_begin, 612 pad_end); 613 if (pad_begin && res == TEE_ERROR_OUT_OF_MEMORY) 614 res = sys_map_zi(memsz, 0, &va, 0, 615 pad_end); 616 if (res) 617 err(res, "sys_map_zi"); 618 res = sys_copy_from_ta_bin((void *)va, filesz, 619 elf->handle, offset); 620 if (res) 621 err(res, "sys_copy_from_ta_bin"); 622 } else { 623 res = sys_map_ta_bin(&va, filesz, flags, 624 elf->handle, offset, 625 pad_begin, pad_end); 626 if (pad_begin && res == TEE_ERROR_OUT_OF_MEMORY) 627 res = sys_map_ta_bin(&va, filesz, flags, 628 elf->handle, 629 offset, 0, 630 pad_end); 631 if (res) 632 err(res, "sys_map_ta_bin"); 633 } 634 635 if (!elf->load_addr) 636 elf->load_addr = va; 637 elf->max_addr = roundup(va + filesz); 638 elf->max_offs += filesz; 639 } 640 } 641 } 642 643 static void map_segments(struct ta_elf *elf) 644 { 645 TEE_Result res = TEE_SUCCESS; 646 647 parse_load_segments(elf); 648 adjust_segments(elf); 649 if (TAILQ_FIRST(&elf->segs)->offset < SMALL_PAGE_SIZE) { 650 vaddr_t va = 0; 651 size_t sz = elf->max_addr - elf->load_addr; 652 struct segment *seg = TAILQ_LAST(&elf->segs, segment_head); 653 size_t pad_begin = get_pad_begin(); 654 655 /* 656 * We're loading a library, if not other parts of the code 657 * need to be updated too. 658 */ 659 assert(!elf->is_main); 660 661 /* 662 * Now that we know how much virtual memory is needed move 663 * the already mapped part to a location which can 664 * accommodate us. 665 */ 666 res = sys_remap(elf->load_addr, &va, sz, pad_begin, 667 roundup(seg->vaddr + seg->memsz)); 668 if (res == TEE_ERROR_OUT_OF_MEMORY) 669 res = sys_remap(elf->load_addr, &va, sz, 0, 670 roundup(seg->vaddr + seg->memsz)); 671 if (res) 672 err(res, "sys_remap"); 673 elf->ehdr_addr = va; 674 elf->load_addr = va; 675 elf->max_addr = va + sz; 676 elf->phdr = (void *)(va + elf->e_phoff); 677 } 678 } 679 680 static void add_deps_from_segment(struct ta_elf *elf, unsigned int type, 681 vaddr_t addr, size_t memsz) 682 { 683 size_t dyn_entsize = 0; 684 size_t num_dyns = 0; 685 size_t n = 0; 686 unsigned int tag = 0; 687 size_t val = 0; 688 TEE_UUID uuid = { }; 689 char *str_tab = NULL; 690 691 if (type != PT_DYNAMIC) 692 return; 693 694 if (elf->is_32bit) 695 dyn_entsize = sizeof(Elf32_Dyn); 696 else 697 dyn_entsize = sizeof(Elf64_Dyn); 698 699 assert(!(memsz % dyn_entsize)); 700 num_dyns = memsz / dyn_entsize; 701 702 for (n = 0; n < num_dyns; n++) { 703 read_dyn(elf, addr, n, &tag, &val); 704 if (tag == DT_STRTAB) { 705 str_tab = (char *)(val + elf->load_addr); 706 break; 707 } 708 } 709 710 for (n = 0; n < num_dyns; n++) { 711 read_dyn(elf, addr, n, &tag, &val); 712 if (tag != DT_NEEDED) 713 continue; 714 tee_uuid_from_str(&uuid, str_tab + val); 715 queue_elf(&uuid); 716 } 717 } 718 719 static void add_dependencies(struct ta_elf *elf) 720 { 721 size_t n = 0; 722 723 if (elf->is_32bit) { 724 Elf32_Phdr *phdr = elf->phdr; 725 726 for (n = 0; n < elf->e_phnum; n++) 727 add_deps_from_segment(elf, phdr[n].p_type, 728 phdr[n].p_vaddr, phdr[n].p_memsz); 729 } else { 730 Elf64_Phdr *phdr = elf->phdr; 731 732 for (n = 0; n < elf->e_phnum; n++) 733 add_deps_from_segment(elf, phdr[n].p_type, 734 phdr[n].p_vaddr, phdr[n].p_memsz); 735 } 736 } 737 738 static void copy_section_headers(struct ta_elf *elf) 739 { 740 TEE_Result res = TEE_SUCCESS; 741 size_t sz = elf->e_shnum * elf->e_shentsize; 742 size_t offs = 0; 743 744 elf->shdr = malloc(sz); 745 if (!elf->shdr) 746 err(TEE_ERROR_OUT_OF_MEMORY, "malloc"); 747 748 /* 749 * We're assuming that section headers comes after the load segments, 750 * but if it's a very small dynamically linked library the section 751 * headers can still end up (partially?) in the first mapped page. 752 */ 753 if (elf->e_shoff < SMALL_PAGE_SIZE) { 754 assert(!elf->is_main); 755 offs = MIN(SMALL_PAGE_SIZE - elf->e_shoff, sz); 756 memcpy(elf->shdr, (void *)(elf->load_addr + elf->e_shoff), 757 offs); 758 } 759 760 if (offs < sz) { 761 res = sys_copy_from_ta_bin((uint8_t *)elf->shdr + offs, 762 sz - offs, elf->handle, 763 elf->e_shoff + offs); 764 if (res) 765 err(res, "sys_copy_from_ta_bin"); 766 } 767 } 768 769 static void close_handle(struct ta_elf *elf) 770 { 771 TEE_Result res = sys_close_ta_bin(elf->handle); 772 773 if (res) 774 err(res, "sys_close_ta_bin"); 775 elf->handle = -1; 776 } 777 778 static void clean_elf_load_main(struct ta_elf *elf) 779 { 780 TEE_Result res = TEE_SUCCESS; 781 782 /* 783 * Clean up from last attempt to load 784 */ 785 res = sys_unmap(elf->ehdr_addr, SMALL_PAGE_SIZE); 786 if (res) 787 err(res, "sys_unmap"); 788 789 while (!TAILQ_EMPTY(&elf->segs)) { 790 struct segment *seg = TAILQ_FIRST(&elf->segs); 791 vaddr_t va = 0; 792 size_t num_bytes = 0; 793 794 va = rounddown(elf->load_addr + seg->vaddr); 795 if (seg->remapped_writeable) 796 num_bytes = roundup(seg->vaddr + seg->memsz) - 797 rounddown(seg->vaddr); 798 else 799 num_bytes = seg->memsz; 800 801 res = sys_unmap(va, num_bytes); 802 if (res) 803 err(res, "sys_unmap"); 804 805 TAILQ_REMOVE(&elf->segs, seg, link); 806 free(seg); 807 } 808 809 free(elf->shdr); 810 memset(&elf->is_32bit, 0, 811 (vaddr_t)&elf->uuid - (vaddr_t)&elf->is_32bit); 812 813 TAILQ_INIT(&elf->segs); 814 } 815 816 static void load_main(struct ta_elf *elf) 817 { 818 init_elf(elf); 819 map_segments(elf); 820 populate_segments(elf); 821 add_dependencies(elf); 822 copy_section_headers(elf); 823 save_symtab(elf); 824 close_handle(elf); 825 826 elf->head = (struct ta_head *)elf->load_addr; 827 if (elf->head->depr_entry != UINT64_MAX) { 828 /* 829 * Legacy TAs sets their entry point in ta_head. For 830 * non-legacy TAs the entry point of the ELF is set instead 831 * and leaving the ta_head entry point set to UINT64_MAX to 832 * indicate that it's not used. 833 * 834 * NB, everything before the commit a73b5878c89d ("Replace 835 * ta_head.entry with elf entry") is considered legacy TAs 836 * for ldelf. 837 * 838 * Legacy TAs cannot be mapped with shared memory segments 839 * so restart the mapping if it turned out we're loading a 840 * legacy TA. 841 */ 842 843 DMSG("Reloading TA %pUl as legacy TA", (void *)&elf->uuid); 844 clean_elf_load_main(elf); 845 elf->is_legacy = true; 846 init_elf(elf); 847 map_segments(elf); 848 populate_segments_legacy(elf); 849 add_dependencies(elf); 850 copy_section_headers(elf); 851 save_symtab(elf); 852 close_handle(elf); 853 elf->head = (struct ta_head *)elf->load_addr; 854 /* 855 * Check that the TA is still a legacy TA, if it isn't give 856 * up now since we're likely under attack. 857 */ 858 if (elf->head->depr_entry == UINT64_MAX) 859 err(TEE_ERROR_GENERIC, 860 "TA %pUl was changed on disk to non-legacy", 861 (void *)&elf->uuid); 862 } 863 864 } 865 866 void ta_elf_load_main(const TEE_UUID *uuid, uint32_t *is_32bit, uint64_t *sp, 867 uint32_t *ta_flags) 868 { 869 struct ta_elf *elf = queue_elf(uuid); 870 vaddr_t va = 0; 871 TEE_Result res = TEE_SUCCESS; 872 873 assert(elf); 874 elf->is_main = true; 875 876 load_main(elf); 877 878 *is_32bit = elf->is_32bit; 879 res = sys_map_zi(elf->head->stack_size, 0, &va, 0, 0); 880 if (res) 881 err(res, "sys_map_zi stack"); 882 883 if (elf->head->flags & ~TA_FLAGS_MASK) 884 err(TEE_ERROR_BAD_FORMAT, "Invalid TA flags(s) %#"PRIx32, 885 elf->head->flags & ~TA_FLAGS_MASK); 886 887 *ta_flags = elf->head->flags; 888 *sp = va + elf->head->stack_size; 889 ta_stack = va; 890 ta_stack_size = elf->head->stack_size; 891 } 892 893 void ta_elf_finalize_load_main(uint64_t *entry) 894 { 895 struct ta_elf *elf = TAILQ_FIRST(&main_elf_queue); 896 897 assert(elf->is_main); 898 899 if (elf->is_legacy) 900 *entry = elf->head->depr_entry; 901 else 902 *entry = elf->e_entry + elf->load_addr; 903 } 904 905 906 void ta_elf_load_dependency(struct ta_elf *elf, bool is_32bit) 907 { 908 if (elf->is_main) 909 return; 910 911 init_elf(elf); 912 if (elf->is_32bit != is_32bit) 913 err(TEE_ERROR_BAD_FORMAT, "ELF %pUl is %sbit (expected %sbit)", 914 (void *)&elf->uuid, elf->is_32bit ? "32" : "64", 915 is_32bit ? "32" : "64"); 916 917 map_segments(elf); 918 populate_segments(elf); 919 add_dependencies(elf); 920 copy_section_headers(elf); 921 save_symtab(elf); 922 close_handle(elf); 923 } 924 925 void ta_elf_finalize_mappings(struct ta_elf *elf) 926 { 927 TEE_Result res = TEE_SUCCESS; 928 struct segment *seg = NULL; 929 930 if (!elf->is_legacy) 931 return; 932 933 TAILQ_FOREACH(seg, &elf->segs, link) { 934 vaddr_t va = elf->load_addr + seg->vaddr; 935 uint32_t flags = 0; 936 937 if (seg->flags & PF_W) 938 flags |= PTA_SYSTEM_MAP_FLAG_WRITEABLE; 939 if (seg->flags & PF_X) 940 flags |= PTA_SYSTEM_MAP_FLAG_EXECUTABLE; 941 942 res = sys_set_prot(va, seg->memsz, flags); 943 if (res) 944 err(res, "sys_set_prot"); 945 } 946 } 947 948 static void __printf(3, 4) print_wrapper(void *pctx, print_func_t print_func, 949 const char *fmt, ...) 950 { 951 va_list ap; 952 953 va_start(ap, fmt); 954 print_func(pctx, fmt, ap); 955 va_end(ap); 956 } 957 958 static void print_seg(void *pctx, print_func_t print_func, 959 size_t idx __maybe_unused, int elf_idx __maybe_unused, 960 vaddr_t va __maybe_unused, paddr_t pa __maybe_unused, 961 size_t sz __maybe_unused, uint32_t flags) 962 { 963 int width __maybe_unused = 8; 964 char desc[14] __maybe_unused = ""; 965 char flags_str[] __maybe_unused = "----"; 966 967 if (elf_idx > -1) { 968 snprintf(desc, sizeof(desc), " [%d]", elf_idx); 969 } else { 970 if (flags & DUMP_MAP_EPHEM) 971 snprintf(desc, sizeof(desc), " (param)"); 972 if (flags & DUMP_MAP_LDELF) 973 snprintf(desc, sizeof(desc), " (ldelf)"); 974 if (va == ta_stack) 975 snprintf(desc, sizeof(desc), " (stack)"); 976 } 977 978 if (flags & DUMP_MAP_READ) 979 flags_str[0] = 'r'; 980 if (flags & DUMP_MAP_WRITE) 981 flags_str[1] = 'w'; 982 if (flags & DUMP_MAP_EXEC) 983 flags_str[2] = 'x'; 984 if (flags & DUMP_MAP_SECURE) 985 flags_str[3] = 's'; 986 987 print_wrapper(pctx, print_func, 988 "region %2zu: va 0x%0*"PRIxVA" pa 0x%0*"PRIxPA" size 0x%06zx flags %s%s\n", 989 idx, width, va, width, pa, sz, flags_str, desc); 990 } 991 992 static bool get_next_in_order(struct ta_elf_queue *elf_queue, 993 struct ta_elf **elf, struct segment **seg, 994 size_t *elf_idx) 995 { 996 struct ta_elf *e = NULL; 997 struct segment *s = NULL; 998 size_t idx = 0; 999 vaddr_t va = 0; 1000 struct ta_elf *e2 = NULL; 1001 size_t i2 = 0; 1002 1003 assert(elf && seg && elf_idx); 1004 e = *elf; 1005 s = *seg; 1006 assert((e == NULL && s == NULL) || (e != NULL && s != NULL)); 1007 1008 if (s) { 1009 s = TAILQ_NEXT(s, link); 1010 if (s) { 1011 *seg = s; 1012 return true; 1013 } 1014 } 1015 1016 if (e) 1017 va = e->load_addr; 1018 1019 /* Find the ELF with next load address */ 1020 e = NULL; 1021 TAILQ_FOREACH(e2, elf_queue, link) { 1022 if (e2->load_addr > va) { 1023 if (!e || e2->load_addr < e->load_addr) { 1024 e = e2; 1025 idx = i2; 1026 } 1027 } 1028 i2++; 1029 } 1030 if (!e) 1031 return false; 1032 1033 *elf = e; 1034 *seg = TAILQ_FIRST(&e->segs); 1035 *elf_idx = idx; 1036 return true; 1037 } 1038 1039 void ta_elf_print_mappings(void *pctx, print_func_t print_func, 1040 struct ta_elf_queue *elf_queue, size_t num_maps, 1041 struct dump_map *maps, vaddr_t mpool_base) 1042 { 1043 struct segment *seg = NULL; 1044 struct ta_elf *elf = NULL; 1045 size_t elf_idx = 0; 1046 size_t idx = 0; 1047 size_t map_idx = 0; 1048 1049 /* 1050 * Loop over all segments and maps, printing virtual address in 1051 * order. Segment has priority if the virtual address is present 1052 * in both map and segment. 1053 */ 1054 get_next_in_order(elf_queue, &elf, &seg, &elf_idx); 1055 while (true) { 1056 vaddr_t va = -1; 1057 size_t sz = 0; 1058 uint32_t flags = DUMP_MAP_SECURE; 1059 size_t offs = 0; 1060 1061 if (seg) { 1062 va = rounddown(seg->vaddr + elf->load_addr); 1063 sz = roundup(seg->vaddr + seg->memsz) - 1064 rounddown(seg->vaddr); 1065 } 1066 1067 while (map_idx < num_maps && maps[map_idx].va <= va) { 1068 uint32_t f = 0; 1069 1070 /* If there's a match, it should be the same map */ 1071 if (maps[map_idx].va == va) { 1072 /* 1073 * In shared libraries the first page is 1074 * mapped separately with the rest of that 1075 * segment following back to back in a 1076 * separate entry. 1077 */ 1078 if (map_idx + 1 < num_maps && 1079 maps[map_idx].sz == SMALL_PAGE_SIZE) { 1080 vaddr_t next_va = maps[map_idx].va + 1081 maps[map_idx].sz; 1082 size_t comb_sz = maps[map_idx].sz + 1083 maps[map_idx + 1].sz; 1084 1085 if (next_va == maps[map_idx + 1].va && 1086 comb_sz == sz && 1087 maps[map_idx].flags == 1088 maps[map_idx + 1].flags) { 1089 /* Skip this and next entry */ 1090 map_idx += 2; 1091 continue; 1092 } 1093 } 1094 assert(maps[map_idx].sz == sz); 1095 } else if (maps[map_idx].va < va) { 1096 if (maps[map_idx].va == mpool_base) 1097 f |= DUMP_MAP_LDELF; 1098 print_seg(pctx, print_func, idx, -1, 1099 maps[map_idx].va, maps[map_idx].pa, 1100 maps[map_idx].sz, 1101 maps[map_idx].flags | f); 1102 idx++; 1103 } 1104 map_idx++; 1105 } 1106 1107 if (!seg) 1108 break; 1109 1110 offs = rounddown(seg->offset); 1111 if (seg->flags & PF_R) 1112 flags |= DUMP_MAP_READ; 1113 if (seg->flags & PF_W) 1114 flags |= DUMP_MAP_WRITE; 1115 if (seg->flags & PF_X) 1116 flags |= DUMP_MAP_EXEC; 1117 1118 print_seg(pctx, print_func, idx, elf_idx, va, offs, sz, flags); 1119 idx++; 1120 1121 if (!get_next_in_order(elf_queue, &elf, &seg, &elf_idx)) 1122 seg = NULL; 1123 } 1124 1125 elf_idx = 0; 1126 TAILQ_FOREACH(elf, elf_queue, link) { 1127 print_wrapper(pctx, print_func, 1128 " [%zu] %pUl @ 0x%0*"PRIxVA"\n", 1129 elf_idx, (void *)&elf->uuid, 8, elf->load_addr); 1130 elf_idx++; 1131 } 1132 } 1133 1134 #ifdef CFG_UNWIND 1135 void ta_elf_stack_trace_a32(uint32_t regs[16]) 1136 { 1137 struct unwind_state_arm32 state = { }; 1138 1139 memcpy(state.registers, regs, sizeof(state.registers)); 1140 print_stack_arm32(&state, ta_stack, ta_stack_size); 1141 } 1142 1143 void ta_elf_stack_trace_a64(uint64_t fp, uint64_t sp, uint64_t pc) 1144 { 1145 struct unwind_state_arm64 state = { .fp = fp, .sp = sp, .pc = pc }; 1146 1147 print_stack_arm64(&state, ta_stack, ta_stack_size); 1148 } 1149 #endif 1150