1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2014, STMicroelectronics International N.V. 4 */ 5 #include <stdlib.h> 6 #include <string.h> 7 #include <string_ext.h> 8 #include <tee_api.h> 9 #include <tee_internal_api_extensions.h> 10 #include <types_ext.h> 11 #include <user_ta_header.h> 12 #include <utee_syscalls.h> 13 #include "tee_api_private.h" 14 15 /* 16 * return a known non-NULL invalid pointer when the 17 * requested size is zero 18 */ 19 #define TEE_NULL_SIZED_VA ((void *)1) 20 21 static const void *tee_api_instance_data; 22 23 /* System API - Internal Client API */ 24 25 static TEE_Result copy_param(struct utee_params *up, uint32_t param_types, 26 const TEE_Param params[TEE_NUM_PARAMS], 27 void **tmp_buf, size_t *tmp_len, 28 void *tmp_va[TEE_NUM_PARAMS]) 29 { 30 size_t n = 0; 31 uint8_t *tb = NULL; 32 size_t tbl = 0; 33 size_t tmp_align = sizeof(vaddr_t) * 2; 34 bool is_tmp_mem[TEE_NUM_PARAMS] = { false }; 35 void *b = NULL; 36 size_t s = 0; 37 const uint32_t flags = TEE_MEMORY_ACCESS_READ; 38 39 /* 40 * If a memory parameter points to TA private memory we need to 41 * allocate a temporary buffer to avoid exposing the memory 42 * directly to the called TA. 43 */ 44 45 *tmp_buf = NULL; 46 *tmp_len = 0; 47 for (n = 0; n < TEE_NUM_PARAMS; n++) { 48 tmp_va[n] = NULL; 49 switch (TEE_PARAM_TYPE_GET(param_types, n)) { 50 case TEE_PARAM_TYPE_MEMREF_INPUT: 51 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 52 case TEE_PARAM_TYPE_MEMREF_INOUT: 53 b = params[n].memref.buffer; 54 s = params[n].memref.size; 55 /* 56 * We're only allocating temporary memory if the 57 * buffer is completely within TA memory. If it's 58 * NULL, empty, partially outside or completely 59 * outside TA memory there's nothing more we need 60 * to do here. If there's security/permissions 61 * problem we'll get an error in the 62 * invoke_command/open_session below. 63 */ 64 if (b && s && 65 !TEE_CheckMemoryAccessRights(flags, b, s)) { 66 is_tmp_mem[n] = true; 67 tbl += ROUNDUP(s, tmp_align); 68 } 69 break; 70 default: 71 break; 72 } 73 } 74 75 if (tbl) { 76 tb = tee_map_zi(tbl, TEE_MEMORY_ACCESS_ANY_OWNER); 77 if (!tb) 78 return TEE_ERROR_OUT_OF_MEMORY; 79 *tmp_buf = tb; 80 *tmp_len = tbl; 81 } 82 83 up->types = param_types; 84 for (n = 0; n < TEE_NUM_PARAMS; n++) { 85 switch (TEE_PARAM_TYPE_GET(param_types, n)) { 86 case TEE_PARAM_TYPE_VALUE_INPUT: 87 case TEE_PARAM_TYPE_VALUE_INOUT: 88 up->vals[n * 2] = params[n].value.a; 89 up->vals[n * 2 + 1] = params[n].value.b; 90 break; 91 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 92 case TEE_PARAM_TYPE_MEMREF_INOUT: 93 case TEE_PARAM_TYPE_MEMREF_INPUT: 94 s = params[n].memref.size; 95 if (is_tmp_mem[n]) { 96 b = tb; 97 tmp_va[n] = tb; 98 tb += ROUNDUP(s, tmp_align); 99 if (TEE_PARAM_TYPE_GET(param_types, n) != 100 TEE_PARAM_TYPE_MEMREF_OUTPUT) 101 memcpy(b, params[n].memref.buffer, s); 102 } else { 103 b = params[n].memref.buffer; 104 } 105 up->vals[n * 2] = (vaddr_t)b; 106 up->vals[n * 2 + 1] = s; 107 break; 108 default: 109 up->vals[n * 2] = 0; 110 up->vals[n * 2 + 1] = 0; 111 break; 112 } 113 } 114 115 return TEE_SUCCESS; 116 } 117 118 static void update_out_param(TEE_Param params[TEE_NUM_PARAMS], 119 void *tmp_va[TEE_NUM_PARAMS], 120 const struct utee_params *up) 121 { 122 size_t n; 123 uint32_t types = up->types; 124 125 for (n = 0; n < TEE_NUM_PARAMS; n++) { 126 uintptr_t a = up->vals[n * 2]; 127 uintptr_t b = up->vals[n * 2 + 1]; 128 129 switch (TEE_PARAM_TYPE_GET(types, n)) { 130 case TEE_PARAM_TYPE_VALUE_OUTPUT: 131 case TEE_PARAM_TYPE_VALUE_INOUT: 132 params[n].value.a = a; 133 params[n].value.b = b; 134 break; 135 case TEE_PARAM_TYPE_MEMREF_OUTPUT: 136 case TEE_PARAM_TYPE_MEMREF_INOUT: 137 if (tmp_va[n]) 138 memcpy(params[n].memref.buffer, tmp_va[n], 139 MIN(b, params[n].memref.size)); 140 params[n].memref.size = b; 141 break; 142 default: 143 break; 144 } 145 } 146 } 147 148 TEE_Result TEE_OpenTASession(const TEE_UUID *destination, 149 uint32_t cancellationRequestTimeout, 150 uint32_t paramTypes, 151 TEE_Param params[TEE_NUM_PARAMS], 152 TEE_TASessionHandle *session, 153 uint32_t *returnOrigin) 154 { 155 TEE_Result res = TEE_SUCCESS; 156 struct utee_params up; 157 uint32_t s = 0; 158 void *tmp_buf = NULL; 159 size_t tmp_len = 0; 160 void *tmp_va[TEE_NUM_PARAMS] = { NULL }; 161 162 if (paramTypes) 163 __utee_check_inout_annotation(params, 164 sizeof(TEE_Param) * 165 TEE_NUM_PARAMS); 166 __utee_check_out_annotation(session, sizeof(*session)); 167 168 res = copy_param(&up, paramTypes, params, &tmp_buf, &tmp_len, tmp_va); 169 if (res) 170 goto out; 171 res = _utee_open_ta_session(destination, cancellationRequestTimeout, 172 &up, &s, returnOrigin); 173 update_out_param(params, tmp_va, &up); 174 if (tmp_buf) { 175 TEE_Result res2 = tee_unmap(tmp_buf, tmp_len); 176 177 if (res2) 178 TEE_Panic(res2); 179 } 180 181 out: 182 /* 183 * Specification says that *session must hold TEE_HANDLE_NULL is 184 * TEE_SUCCESS isn't returned. Set it here explicitly in case 185 * the syscall fails before out parameters has been updated. 186 */ 187 if (res != TEE_SUCCESS) 188 s = TEE_HANDLE_NULL; 189 190 *session = (TEE_TASessionHandle)(uintptr_t)s; 191 return res; 192 } 193 194 void TEE_CloseTASession(TEE_TASessionHandle session) 195 { 196 if (session != TEE_HANDLE_NULL) { 197 TEE_Result res = _utee_close_ta_session((uintptr_t)session); 198 199 if (res != TEE_SUCCESS) 200 TEE_Panic(res); 201 } 202 } 203 204 TEE_Result TEE_InvokeTACommand(TEE_TASessionHandle session, 205 uint32_t cancellationRequestTimeout, 206 uint32_t commandID, uint32_t paramTypes, 207 TEE_Param params[TEE_NUM_PARAMS], 208 uint32_t *returnOrigin) 209 { 210 TEE_Result res = TEE_SUCCESS; 211 uint32_t ret_origin = TEE_ORIGIN_TEE; 212 struct utee_params up; 213 void *tmp_buf = NULL; 214 size_t tmp_len = 0; 215 void *tmp_va[TEE_NUM_PARAMS] = { NULL }; 216 217 if (paramTypes) 218 __utee_check_inout_annotation(params, 219 sizeof(TEE_Param) * 220 TEE_NUM_PARAMS); 221 if (returnOrigin) 222 __utee_check_out_annotation(returnOrigin, 223 sizeof(*returnOrigin)); 224 225 res = copy_param(&up, paramTypes, params, &tmp_buf, &tmp_len, tmp_va); 226 if (res) 227 goto out; 228 res = _utee_invoke_ta_command((uintptr_t)session, 229 cancellationRequestTimeout, 230 commandID, &up, &ret_origin); 231 update_out_param(params, tmp_va, &up); 232 if (tmp_buf) { 233 TEE_Result res2 = tee_unmap(tmp_buf, tmp_len); 234 235 if (res2) 236 TEE_Panic(res2); 237 } 238 239 out: 240 if (returnOrigin != NULL) 241 *returnOrigin = ret_origin; 242 243 if (ret_origin == TEE_ORIGIN_TRUSTED_APP) 244 return res; 245 246 if (res != TEE_SUCCESS && 247 res != TEE_ERROR_OUT_OF_MEMORY && 248 res != TEE_ERROR_TARGET_DEAD) 249 TEE_Panic(res); 250 251 return res; 252 } 253 254 /* System API - Cancellations */ 255 256 bool TEE_GetCancellationFlag(void) 257 { 258 uint32_t c; 259 TEE_Result res = _utee_get_cancellation_flag(&c); 260 261 if (res != TEE_SUCCESS) 262 c = 0; 263 return !!c; 264 } 265 266 bool TEE_UnmaskCancellation(void) 267 { 268 uint32_t old_mask; 269 TEE_Result res = _utee_unmask_cancellation(&old_mask); 270 271 if (res != TEE_SUCCESS) 272 TEE_Panic(res); 273 return !!old_mask; 274 } 275 276 bool TEE_MaskCancellation(void) 277 { 278 uint32_t old_mask; 279 TEE_Result res = _utee_mask_cancellation(&old_mask); 280 281 if (res != TEE_SUCCESS) 282 TEE_Panic(res); 283 return !!old_mask; 284 } 285 286 /* System API - Memory Management */ 287 288 TEE_Result TEE_CheckMemoryAccessRights(uint32_t accessFlags, void *buffer, 289 uint32_t size) 290 { 291 TEE_Result res; 292 293 if (size == 0) 294 return TEE_SUCCESS; 295 296 /* Check access rights against memory mapping */ 297 res = _utee_check_access_rights(accessFlags, buffer, size); 298 if (res != TEE_SUCCESS) 299 goto out; 300 301 /* 302 * Check access rights against input parameters 303 * Previous legacy code was removed and will need to be restored 304 */ 305 306 res = TEE_SUCCESS; 307 out: 308 return res; 309 } 310 311 void TEE_SetInstanceData(const void *instanceData) 312 { 313 tee_api_instance_data = instanceData; 314 } 315 316 const void *TEE_GetInstanceData(void) 317 { 318 return tee_api_instance_data; 319 } 320 321 void *TEE_MemMove(void *dest, const void *src, uint32_t size) 322 { 323 return memmove(dest, src, size); 324 } 325 326 int32_t TEE_MemCompare(const void *buffer1, const void *buffer2, uint32_t size) 327 { 328 return consttime_memcmp(buffer1, buffer2, size); 329 } 330 331 void TEE_MemFill(void *buff, uint32_t x, uint32_t size) 332 { 333 memset(buff, x, size); 334 } 335 336 /* Date & Time API */ 337 338 void TEE_GetSystemTime(TEE_Time *time) 339 { 340 TEE_Result res = _utee_get_time(UTEE_TIME_CAT_SYSTEM, time); 341 342 if (res != TEE_SUCCESS) 343 TEE_Panic(res); 344 } 345 346 TEE_Result TEE_Wait(uint32_t timeout) 347 { 348 TEE_Result res = _utee_wait(timeout); 349 350 if (res != TEE_SUCCESS && res != TEE_ERROR_CANCEL) 351 TEE_Panic(res); 352 353 return res; 354 } 355 356 TEE_Result TEE_GetTAPersistentTime(TEE_Time *time) 357 { 358 TEE_Result res; 359 360 res = _utee_get_time(UTEE_TIME_CAT_TA_PERSISTENT, time); 361 362 if (res != TEE_SUCCESS && res != TEE_ERROR_OVERFLOW) { 363 time->seconds = 0; 364 time->millis = 0; 365 } 366 367 if (res != TEE_SUCCESS && 368 res != TEE_ERROR_TIME_NOT_SET && 369 res != TEE_ERROR_TIME_NEEDS_RESET && 370 res != TEE_ERROR_OVERFLOW && 371 res != TEE_ERROR_OUT_OF_MEMORY) 372 TEE_Panic(res); 373 374 return res; 375 } 376 377 TEE_Result TEE_SetTAPersistentTime(const TEE_Time *time) 378 { 379 TEE_Result res; 380 381 res = _utee_set_ta_time(time); 382 383 if (res != TEE_SUCCESS && 384 res != TEE_ERROR_OUT_OF_MEMORY && 385 res != TEE_ERROR_STORAGE_NO_SPACE) 386 TEE_Panic(res); 387 388 return res; 389 } 390 391 void TEE_GetREETime(TEE_Time *time) 392 { 393 TEE_Result res = _utee_get_time(UTEE_TIME_CAT_REE, time); 394 395 if (res != TEE_SUCCESS) 396 TEE_Panic(res); 397 } 398 399 void *TEE_Malloc(uint32_t len, uint32_t hint) 400 { 401 if (!len) 402 return TEE_NULL_SIZED_VA; 403 404 if (hint == TEE_MALLOC_FILL_ZERO) 405 return calloc(1, len); 406 else if (hint == TEE_USER_MEM_HINT_NO_FILL_ZERO) 407 return malloc(len); 408 409 EMSG("Invalid hint %#" PRIx32, hint); 410 411 return NULL; 412 } 413 414 void *TEE_Realloc(void *buffer, uint32_t newSize) 415 { 416 if (!newSize) { 417 TEE_Free(buffer); 418 return TEE_NULL_SIZED_VA; 419 } 420 421 if (buffer == TEE_NULL_SIZED_VA) 422 return calloc(1, newSize); 423 424 return realloc(buffer, newSize); 425 } 426 427 void TEE_Free(void *buffer) 428 { 429 if (buffer != TEE_NULL_SIZED_VA) 430 free(buffer); 431 } 432 433 /* Cache maintenance support (TA requires the CACHE_MAINTENANCE property) */ 434 TEE_Result TEE_CacheClean(char *buf, size_t len) 435 { 436 return _utee_cache_operation(buf, len, TEE_CACHECLEAN); 437 } 438 TEE_Result TEE_CacheFlush(char *buf, size_t len) 439 { 440 return _utee_cache_operation(buf, len, TEE_CACHEFLUSH); 441 } 442 443 TEE_Result TEE_CacheInvalidate(char *buf, size_t len) 444 { 445 return _utee_cache_operation(buf, len, TEE_CACHEINVALIDATE); 446 } 447