1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 #include <stdlib.h> 6 #include <string.h> 7 #include <string_ext.h> 8 #include <tee_api.h> 9 #include <tee_internal_api_extensions.h> 10 #include <types_ext.h> 11 #include <user_ta_header.h> 12 #include <utee_syscalls.h> 13 #include "tee_api_private.h" 14 15 static const void *tee_api_instance_data; 16 17 /* System API - Internal Client API */ 18 19 static TEE_Result copy_param(struct utee_params *up, uint32_t param_types, 20 const TEE_Param params[TEE_NUM_PARAMS], 21 void **tmp_buf, size_t *tmp_len, 22 void *tmp_va[TEE_NUM_PARAMS]) 23 { 24 size_t n = 0; 25 uint8_t *tb = NULL; 26 size_t tbl = 0; 27 size_t tmp_align = sizeof(vaddr_t) * 2; 28 bool is_tmp_mem[TEE_NUM_PARAMS] = { false }; 29 void *b = NULL; 30 size_t s = 0; 31 const uint32_t flags = TEE_MEMORY_ACCESS_READ; 32 33 /* 34 * If a memory parameter points to TA private memory we need to 35 * allocate a temporary buffer to avoid exposing the memory 36 * directly to the called TA. 37 */ 38 39 *tmp_buf = NULL; 40 *tmp_len = 0; 41 for (n = 0; n < TEE_NUM_PARAMS; n++) { 42 tmp_va[n] = NULL; 43 switch (TEE_PARAM_TYPE_GET(param_types, n)) { 44 case TEE_PARAM_TYPE_MEMREF_INPUT: 45 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 46 case TEE_PARAM_TYPE_MEMREF_INOUT: 47 b = params[n].memref.buffer; 48 s = params[n].memref.size; 49 /* 50 * We're only allocating temporary memory if the 51 * buffer is completely within TA memory. If it's 52 * NULL, empty, partially outside or completely 53 * outside TA memory there's nothing more we need 54 * to do here. If there's security/permissions 55 * problem we'll get an error in the 56 * invoke_command/open_session below. 57 */ 58 if (b && s && 59 !TEE_CheckMemoryAccessRights(flags, b, s)) { 60 is_tmp_mem[n] = true; 61 tbl += ROUNDUP(s, tmp_align); 62 } 63 break; 64 default: 65 break; 66 } 67 } 68 69 if (tbl) { 70 tb = tee_map_zi(tbl, TEE_MEMORY_ACCESS_ANY_OWNER); 71 if (!tb) 72 return TEE_ERROR_OUT_OF_MEMORY; 73 *tmp_buf = tb; 74 *tmp_len = tbl; 75 } 76 77 up->types = param_types; 78 for (n = 0; n < TEE_NUM_PARAMS; n++) { 79 switch (TEE_PARAM_TYPE_GET(param_types, n)) { 80 case TEE_PARAM_TYPE_VALUE_INPUT: 81 case TEE_PARAM_TYPE_VALUE_INOUT: 82 up->vals[n * 2] = params[n].value.a; 83 up->vals[n * 2 + 1] = params[n].value.b; 84 break; 85 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 86 case TEE_PARAM_TYPE_MEMREF_INOUT: 87 case TEE_PARAM_TYPE_MEMREF_INPUT: 88 s = params[n].memref.size; 89 if (is_tmp_mem[n]) { 90 b = tb; 91 tmp_va[n] = tb; 92 tb += ROUNDUP(s, tmp_align); 93 if (TEE_PARAM_TYPE_GET(param_types, n) != 94 TEE_PARAM_TYPE_MEMREF_OUTPUT) 95 memcpy(b, params[n].memref.buffer, s); 96 } else { 97 b = params[n].memref.buffer; 98 } 99 up->vals[n * 2] = (vaddr_t)b; 100 up->vals[n * 2 + 1] = s; 101 break; 102 default: 103 up->vals[n * 2] = 0; 104 up->vals[n * 2 + 1] = 0; 105 break; 106 } 107 } 108 109 return TEE_SUCCESS; 110 } 111 112 static void update_out_param(TEE_Param params[TEE_NUM_PARAMS], 113 void *tmp_va[TEE_NUM_PARAMS], 114 const struct utee_params *up) 115 { 116 size_t n; 117 uint32_t types = up->types; 118 119 for (n = 0; n < TEE_NUM_PARAMS; n++) { 120 uintptr_t a = up->vals[n * 2]; 121 uintptr_t b = up->vals[n * 2 + 1]; 122 123 switch (TEE_PARAM_TYPE_GET(types, n)) { 124 case TEE_PARAM_TYPE_VALUE_OUTPUT: 125 case TEE_PARAM_TYPE_VALUE_INOUT: 126 params[n].value.a = a; 127 params[n].value.b = b; 128 break; 129 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 130 case TEE_PARAM_TYPE_MEMREF_INOUT: 131 if (tmp_va[n]) 132 memcpy(params[n].memref.buffer, tmp_va[n], 133 MIN(b, params[n].memref.size)); 134 params[n].memref.size = b; 135 break; 136 default: 137 break; 138 } 139 } 140 } 141 142 TEE_Result TEE_OpenTASession(const TEE_UUID *destination, 143 uint32_t cancellationRequestTimeout, 144 uint32_t paramTypes, 145 TEE_Param params[TEE_NUM_PARAMS], 146 TEE_TASessionHandle *session, 147 uint32_t *returnOrigin) 148 { 149 TEE_Result res = TEE_SUCCESS; 150 struct utee_params up; 151 uint32_t s = 0; 152 void *tmp_buf = NULL; 153 size_t tmp_len = 0; 154 void *tmp_va[TEE_NUM_PARAMS] = { NULL }; 155 156 res = copy_param(&up, paramTypes, params, &tmp_buf, &tmp_len, tmp_va); 157 if (res) 158 goto out; 159 res = utee_open_ta_session(destination, cancellationRequestTimeout, 160 &up, &s, returnOrigin); 161 update_out_param(params, tmp_va, &up); 162 if (tmp_buf) { 163 TEE_Result res2 = tee_unmap(tmp_buf, tmp_len); 164 165 if (res2) 166 TEE_Panic(res2); 167 } 168 169 out: 170 /* 171 * Specification says that *session must hold TEE_HANDLE_NULL is 172 * TEE_SUCCESS isn't returned. Set it here explicitly in case 173 * the syscall fails before out parameters has been updated. 174 */ 175 if (res != TEE_SUCCESS) 176 s = TEE_HANDLE_NULL; 177 178 *session = (TEE_TASessionHandle)(uintptr_t)s; 179 return res; 180 } 181 182 void TEE_CloseTASession(TEE_TASessionHandle session) 183 { 184 if (session != TEE_HANDLE_NULL) { 185 TEE_Result res = utee_close_ta_session((uintptr_t)session); 186 187 if (res != TEE_SUCCESS) 188 TEE_Panic(res); 189 } 190 } 191 192 TEE_Result TEE_InvokeTACommand(TEE_TASessionHandle session, 193 uint32_t cancellationRequestTimeout, 194 uint32_t commandID, uint32_t paramTypes, 195 TEE_Param params[TEE_NUM_PARAMS], 196 uint32_t *returnOrigin) 197 { 198 TEE_Result res = TEE_SUCCESS; 199 uint32_t ret_origin = TEE_ORIGIN_TEE; 200 struct utee_params up; 201 void *tmp_buf = NULL; 202 size_t tmp_len = 0; 203 void *tmp_va[TEE_NUM_PARAMS] = { NULL }; 204 205 res = copy_param(&up, paramTypes, params, &tmp_buf, &tmp_len, tmp_va); 206 if (res) 207 goto out; 208 res = utee_invoke_ta_command((uintptr_t)session, 209 cancellationRequestTimeout, 210 commandID, &up, &ret_origin); 211 update_out_param(params, tmp_va, &up); 212 if (tmp_buf) { 213 TEE_Result res2 = tee_unmap(tmp_buf, tmp_len); 214 215 if (res2) 216 TEE_Panic(res2); 217 } 218 219 out: 220 if (returnOrigin != NULL) 221 *returnOrigin = ret_origin; 222 223 if (ret_origin == TEE_ORIGIN_TRUSTED_APP) 224 return res; 225 226 if (res != TEE_SUCCESS && 227 res != TEE_ERROR_OUT_OF_MEMORY && 228 res != TEE_ERROR_TARGET_DEAD) 229 TEE_Panic(res); 230 231 return res; 232 } 233 234 /* System API - Cancellations */ 235 236 bool TEE_GetCancellationFlag(void) 237 { 238 uint32_t c; 239 TEE_Result res = utee_get_cancellation_flag(&c); 240 241 if (res != TEE_SUCCESS) 242 c = 0; 243 return !!c; 244 } 245 246 bool TEE_UnmaskCancellation(void) 247 { 248 uint32_t old_mask; 249 TEE_Result res = utee_unmask_cancellation(&old_mask); 250 251 if (res != TEE_SUCCESS) 252 TEE_Panic(res); 253 return !!old_mask; 254 } 255 256 bool TEE_MaskCancellation(void) 257 { 258 uint32_t old_mask; 259 TEE_Result res = utee_mask_cancellation(&old_mask); 260 261 if (res != TEE_SUCCESS) 262 TEE_Panic(res); 263 return !!old_mask; 264 } 265 266 /* System API - Memory Management */ 267 268 TEE_Result TEE_CheckMemoryAccessRights(uint32_t accessFlags, void *buffer, 269 uint32_t size) 270 { 271 TEE_Result res; 272 273 if (size == 0) 274 return TEE_SUCCESS; 275 276 /* Check access rights against memory mapping */ 277 res = utee_check_access_rights(accessFlags, buffer, size); 278 if (res != TEE_SUCCESS) 279 goto out; 280 281 /* 282 * Check access rights against input parameters 283 * Previous legacy code was removed and will need to be restored 284 */ 285 286 res = TEE_SUCCESS; 287 out: 288 return res; 289 } 290 291 void TEE_SetInstanceData(const void *instanceData) 292 { 293 tee_api_instance_data = instanceData; 294 } 295 296 const void *TEE_GetInstanceData(void) 297 { 298 return tee_api_instance_data; 299 } 300 301 void *TEE_MemMove(void *dest, const void *src, uint32_t size) 302 { 303 return memmove(dest, src, size); 304 } 305 306 int32_t TEE_MemCompare(const void *buffer1, const void *buffer2, uint32_t size) 307 { 308 return consttime_memcmp(buffer1, buffer2, size); 309 } 310 311 void *TEE_MemFill(void *buff, uint32_t x, uint32_t size) 312 { 313 return memset(buff, x, size); 314 } 315 316 /* Date & Time API */ 317 318 void TEE_GetSystemTime(TEE_Time *time) 319 { 320 TEE_Result res = utee_get_time(UTEE_TIME_CAT_SYSTEM, time); 321 322 if (res != TEE_SUCCESS) 323 TEE_Panic(res); 324 } 325 326 TEE_Result TEE_Wait(uint32_t timeout) 327 { 328 TEE_Result res = utee_wait(timeout); 329 330 if (res != TEE_SUCCESS && res != TEE_ERROR_CANCEL) 331 TEE_Panic(res); 332 333 return res; 334 } 335 336 TEE_Result TEE_GetTAPersistentTime(TEE_Time *time) 337 { 338 TEE_Result res; 339 340 res = utee_get_time(UTEE_TIME_CAT_TA_PERSISTENT, time); 341 342 if (res != TEE_SUCCESS && res != TEE_ERROR_OVERFLOW) { 343 time->seconds = 0; 344 time->millis = 0; 345 } 346 347 if (res != TEE_SUCCESS && 348 res != TEE_ERROR_TIME_NOT_SET && 349 res != TEE_ERROR_TIME_NEEDS_RESET && 350 res != TEE_ERROR_OVERFLOW && 351 res != TEE_ERROR_OUT_OF_MEMORY) 352 TEE_Panic(res); 353 354 return res; 355 } 356 357 TEE_Result TEE_SetTAPersistentTime(const TEE_Time *time) 358 { 359 TEE_Result res; 360 361 res = utee_set_ta_time(time); 362 363 if (res != TEE_SUCCESS && 364 res != TEE_ERROR_OUT_OF_MEMORY && 365 res != TEE_ERROR_STORAGE_NO_SPACE) 366 TEE_Panic(res); 367 368 return res; 369 } 370 371 void TEE_GetREETime(TEE_Time *time) 372 { 373 TEE_Result res = utee_get_time(UTEE_TIME_CAT_REE, time); 374 375 if (res != TEE_SUCCESS) 376 TEE_Panic(res); 377 } 378 379 void *TEE_Malloc(uint32_t len, uint32_t hint) 380 { 381 if (hint == TEE_MALLOC_FILL_ZERO) 382 return calloc(1, len); 383 else if (hint == TEE_USER_MEM_HINT_NO_FILL_ZERO) 384 return malloc(len); 385 386 EMSG("Invalid hint %#" PRIx32, hint); 387 388 return NULL; 389 } 390 391 void *TEE_Realloc(void *buffer, uint32_t newSize) 392 { 393 return realloc(buffer, newSize); 394 } 395 396 void TEE_Free(void *buffer) 397 { 398 free(buffer); 399 } 400 401 /* Cache maintenance support (TA requires the CACHE_MAINTENANCE property) */ 402 TEE_Result TEE_CacheClean(char *buf, size_t len) 403 { 404 return utee_cache_operation(buf, len, TEE_CACHECLEAN); 405 } 406 TEE_Result TEE_CacheFlush(char *buf, size_t len) 407 { 408 return utee_cache_operation(buf, len, TEE_CACHEFLUSH); 409 } 410 411 TEE_Result TEE_CacheInvalidate(char *buf, size_t len) 412 { 413 return utee_cache_operation(buf, len, TEE_CACHEINVALIDATE); 414 } 415