Tee-dev

tee-dev@lists.linaro.org

291 discussions

[edk2][PATCH 1/1] ArmPkg/OpteeLib: Add APIs to communicate with OP-TEE

by Sumit Garg

Add following APIs to communicate with OP-TEE static TA: 1. OpteeInit 2. OpteeOpenSession 3. OpteeCloseSession 4. OpteeInvokeFunc Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Leif Lindholm <leif.lindholm(a)linaro.org> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Sumit Garg <sumit.garg(a)linaro.org> --- ArmPkg/Include/Library/OpteeLib.h | 102 ++++++ ArmPkg/Library/OpteeLib/Optee.c | 358 +++++++++++++++++++++ ArmPkg/Library/OpteeLib/OpteeLib.inf | 2 + ArmPkg/Library/OpteeLib/OpteeSmc.h | 43 +++ .../Include/IndustryStandard/GlobalPlatform.h | 60 ++-- 5 files changed, 531 insertions(+), 34 deletions(-) create mode 100644 ArmPkg/Library/OpteeLib/OpteeSmc.h copy ArmPkg/Include/Library/OpteeLib.h => MdePkg/Include/IndustryStandard/GlobalPlatform.h (53%) diff --git a/ArmPkg/Include/Library/OpteeLib.h b/ArmPkg/Include/Library/OpteeLib.h index f65d8674d9b8..c323f49072f8 100644 --- a/ArmPkg/Include/Library/OpteeLib.h +++ b/ArmPkg/Include/Library/OpteeLib.h @@ -25,10 +25,112 @@ #define OPTEE_OS_UID2 0xaf630002 #define OPTEE_OS_UID3 0xa5d5c51b +#define OPTEE_MSG_ATTR_TYPE_NONE 0x0 +#define OPTEE_MSG_ATTR_TYPE_VALUE_INPUT 0x1 +#define OPTEE_MSG_ATTR_TYPE_VALUE_OUTPUT 0x2 +#define OPTEE_MSG_ATTR_TYPE_VALUE_INOUT 0x3 +#define OPTEE_MSG_ATTR_TYPE_MEM_INPUT 0x9 +#define OPTEE_MSG_ATTR_TYPE_MEM_OUTPUT 0xa +#define OPTEE_MSG_ATTR_TYPE_MEM_INOUT 0xb + +#define OPTEE_MSG_ATTR_TYPE_MASK 0xff + +typedef struct { + UINT64 BufPtr; + UINT64 Size; + UINT64 ShmRef; +} OPTEE_MSG_PARAM_MEM; + +typedef struct { + UINT64 A; + UINT64 B; + UINT64 C; +} OPTEE_MSG_PARAM_VALUE; + +typedef struct { + UINT64 Attr; + union { + OPTEE_MSG_PARAM_MEM Mem; + OPTEE_MSG_PARAM_VALUE Value; + } U; +} OPTEE_MSG_PARAM; + +#define MAX_PARAMS 4 + +typedef struct { + UINT32 Cmd; + UINT32 Func; + UINT32 Session; + UINT32 CancelId; + UINT32 Pad; + UINT32 Ret; + UINT32 RetOrigin; + UINT32 NumParams; + + // NumParams tells the actual number of element in Params + OPTEE_MSG_PARAM Params[MAX_PARAMS]; +} OPTEE_MSG_ARG; + +#define OPTEE_UUID_LEN 16 + +// +// struct OPTEE_OPEN_SESSION_ARG - Open session argument +// @Uuid: [in] UUID of the Trusted Application +// @Session: [out] Session id +// @Ret: [out] Return value +// @RetOrigin [out] Origin of the return value +// +typedef struct { + UINT8 Uuid[OPTEE_UUID_LEN]; + UINT32 Session; + UINT32 Ret; + UINT32 RetOrigin; +} OPTEE_OPEN_SESSION_ARG; + +// +// struct OPTEE_INVOKE_FUNC_ARG - Invoke function argument +// @Func: [in] Trusted Application function, specific to the TA +// @Session: [in] Session id +// @Ret: [out] Return value +// @RetOrigin [out] Origin of the return value +// @Params [inout] Parameters for function to be invoked +// +typedef struct { + UINT32 Func; + UINT32 Session; + UINT32 Ret; + UINT32 RetOrigin; + OPTEE_MSG_PARAM Params[MAX_PARAMS]; +} OPTEE_INVOKE_FUNC_ARG; + BOOLEAN EFIAPI IsOpteePresent ( VOID ); +EFI_STATUS +EFIAPI +OpteeInit ( + VOID + ); + +EFI_STATUS +EFIAPI +OpteeOpenSession ( + IN OUT OPTEE_OPEN_SESSION_ARG *OpenSessionArg + ); + +EFI_STATUS +EFIAPI +OpteeCloseSession ( + IN UINT32 Session + ); + +EFI_STATUS +EFIAPI +OpteeInvokeFunc ( + IN OUT OPTEE_INVOKE_FUNC_ARG *InvokeFuncArg + ); + #endif diff --git a/ArmPkg/Library/OpteeLib/Optee.c b/ArmPkg/Library/OpteeLib/Optee.c index 574527f8b5ea..2111022d3662 100644 --- a/ArmPkg/Library/OpteeLib/Optee.c +++ b/ArmPkg/Library/OpteeLib/Optee.c @@ -14,11 +14,19 @@ **/ +#include <Library/ArmMmuLib.h> #include <Library/ArmSmcLib.h> +#include <Library/BaseMemoryLib.h> #include <Library/BaseLib.h> +#include <Library/DebugLib.h> #include <Library/OpteeLib.h> #include <IndustryStandard/ArmStdSmc.h> +#include <IndustryStandard/GlobalPlatform.h> +#include <OpteeSmc.h> +#include <Uefi.h> + +STATIC OPTEE_SHARED_MEMORY_INFO OpteeShmInfo = { 0 }; /** Check for OP-TEE presence. @@ -31,6 +39,7 @@ IsOpteePresent ( { ARM_SMC_ARGS ArmSmcArgs; + ZeroMem (&ArmSmcArgs, sizeof (ARM_SMC_ARGS)); // Send a Trusted OS Calls UID command ArmSmcArgs.Arg0 = ARM_SMC_ID_TOS_UID; ArmCallSmc (&ArmSmcArgs); @@ -44,3 +53,352 @@ IsOpteePresent ( return FALSE; } } + +STATIC +EFI_STATUS +OpteeShmMemRemap ( + VOID + ) +{ + ARM_SMC_ARGS ArmSmcArgs; + EFI_PHYSICAL_ADDRESS Paddr; + EFI_PHYSICAL_ADDRESS Start; + EFI_PHYSICAL_ADDRESS End; + EFI_STATUS Status; + UINTN Size; + + ZeroMem (&ArmSmcArgs, sizeof (ARM_SMC_ARGS)); + ArmSmcArgs.Arg0 = OPTEE_SMC_GET_SHM_CONFIG; + + ArmCallSmc (&ArmSmcArgs); + if (ArmSmcArgs.Arg0 != OPTEE_SMC_RETURN_OK) { + DEBUG ((DEBUG_WARN, "OP-TEE shared memory not supported\n")); + return EFI_UNSUPPORTED; + } + + if (ArmSmcArgs.Arg3 != OPTEE_SMC_SHM_CACHED) { + DEBUG ((DEBUG_WARN, "OP-TEE: Only normal cached shared memory supported\n")); + return EFI_UNSUPPORTED; + } + + Start = (ArmSmcArgs.Arg1 + SIZE_4KB - 1) & ~(SIZE_4KB - 1); + End = (ArmSmcArgs.Arg1 + ArmSmcArgs.Arg2) & ~(SIZE_4KB - 1); + Paddr = Start; + Size = End - Start; + + if (Size < SIZE_4KB) { + DEBUG ((DEBUG_WARN, "OP-TEE shared memory too small\n")); + return EFI_BUFFER_TOO_SMALL; + } + + Status = ArmSetMemoryAttributes (Paddr, Size, EFI_MEMORY_WB); + if (EFI_ERROR (Status)) { + return Status; + } + + OpteeShmInfo.Base = (UINTN)Paddr; + OpteeShmInfo.Size = Size; + + return EFI_SUCCESS; +} + +EFI_STATUS +EFIAPI +OpteeInit ( + VOID + ) +{ + EFI_STATUS Status; + + if (!IsOpteePresent ()) { + DEBUG ((DEBUG_WARN, "OP-TEE not present\n")); + return EFI_UNSUPPORTED; + } + + Status = OpteeShmMemRemap (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_WARN, "OP-TEE shared memory remap failed\n")); + return Status; + } + + return EFI_SUCCESS; +} + +/** + Does Standard SMC to OP-TEE in secure world. + + @param[in] Parg Physical address of message to pass to secure world + + @return 0 on success, secure world return code otherwise + +**/ +STATIC +UINT32 +OpteeCallWithArg ( + IN EFI_PHYSICAL_ADDRESS Parg + ) +{ + ARM_SMC_ARGS ArmSmcArgs; + + ZeroMem (&ArmSmcArgs, sizeof (ARM_SMC_ARGS)); + ArmSmcArgs.Arg0 = OPTEE_SMC_CALL_WITH_ARG; + ArmSmcArgs.Arg1 = (UINT32)(Parg >> 32); + ArmSmcArgs.Arg2 = (UINT32)Parg; + + while (TRUE) { + ArmCallSmc (&ArmSmcArgs); + + if (ArmSmcArgs.Arg0 == OPTEE_SMC_RETURN_RPC_FOREIGN_INTR) { + // + // A foreign interrupt was raised while secure world was + // executing, since they are handled in UEFI a dummy RPC is + // performed to let UEFI take the interrupt through the normal + // vector. + // + ArmSmcArgs.Arg0 = OPTEE_SMC_RETURN_FROM_RPC; + } else { + break; + } + } + + return ArmSmcArgs.Arg0; +} + +EFI_STATUS +EFIAPI +OpteeOpenSession ( + IN OUT OPTEE_OPEN_SESSION_ARG *OpenSessionArg + ) +{ + OPTEE_MSG_ARG *MsgArg; + + MsgArg = NULL; + + if (OpteeShmInfo.Base == 0) { + DEBUG ((DEBUG_WARN, "OP-TEE not initialized\n")); + return EFI_NOT_STARTED; + } + + MsgArg = (OPTEE_MSG_ARG *)OpteeShmInfo.Base; + ZeroMem (MsgArg, sizeof (OPTEE_MSG_ARG)); + + MsgArg->Cmd = OPTEE_MSG_CMD_OPEN_SESSION; + + // + // Initialize and add the meta parameters needed when opening a + // session. + // + MsgArg->Params[0].Attr = OPTEE_MSG_ATTR_TYPE_VALUE_INPUT | + OPTEE_MSG_ATTR_META; + MsgArg->Params[1].Attr = OPTEE_MSG_ATTR_TYPE_VALUE_INPUT | + OPTEE_MSG_ATTR_META; + CopyMem (&MsgArg->Params[0].U.Value, OpenSessionArg->Uuid, OPTEE_UUID_LEN); + ZeroMem (&MsgArg->Params[1].U.Value, OPTEE_UUID_LEN); + MsgArg->Params[1].U.Value.C = TEE_LOGIN_PUBLIC; + + MsgArg->NumParams = 2; + + if (OpteeCallWithArg ((EFI_PHYSICAL_ADDRESS)MsgArg)) { + MsgArg->Ret = TEEC_ERROR_COMMUNICATION; + MsgArg->RetOrigin = TEEC_ORIGIN_COMMS; + } + + OpenSessionArg->Session = MsgArg->Session; + OpenSessionArg->Ret = MsgArg->Ret; + OpenSessionArg->RetOrigin = MsgArg->RetOrigin; + + return EFI_SUCCESS; +} + +EFI_STATUS +EFIAPI +OpteeCloseSession ( + IN UINT32 Session + ) +{ + OPTEE_MSG_ARG *MsgArg; + + MsgArg = NULL; + + if (OpteeShmInfo.Base == 0) { + DEBUG ((DEBUG_WARN, "OP-TEE not initialized\n")); + return EFI_NOT_STARTED; + } + + MsgArg = (OPTEE_MSG_ARG *)OpteeShmInfo.Base; + ZeroMem (MsgArg, sizeof (OPTEE_MSG_ARG)); + + MsgArg->Cmd = OPTEE_MSG_CMD_CLOSE_SESSION; + MsgArg->Session = Session; + + OpteeCallWithArg ((EFI_PHYSICAL_ADDRESS)MsgArg); + + return EFI_SUCCESS; +} + +STATIC +EFI_STATUS +OpteeToMsgParam ( + OUT OPTEE_MSG_PARAM *MsgParams, + IN UINT32 NumParams, + IN OPTEE_MSG_PARAM *InParams + ) +{ + UINT32 Idx; + UINTN ParamShmAddr; + UINTN ShmSize; + UINTN Size; + + Size = (sizeof (OPTEE_MSG_ARG) + sizeof (UINT64) - 1) & ~(sizeof (UINT64) - 1); + ParamShmAddr = OpteeShmInfo.Base + Size; + ShmSize = OpteeShmInfo.Size - Size; + + for (Idx = 0; Idx < NumParams; Idx++) { + CONST OPTEE_MSG_PARAM *Ip; + OPTEE_MSG_PARAM *Mp; + UINT32 Attr; + + Ip = InParams + Idx; + Mp = MsgParams + Idx; + Attr = Ip->Attr & OPTEE_MSG_ATTR_TYPE_MASK; + + switch (Attr) { + case OPTEE_MSG_ATTR_TYPE_NONE: + Mp->Attr = OPTEE_MSG_ATTR_TYPE_NONE; + ZeroMem (&Mp->U, sizeof (Mp->U)); + break; + + case OPTEE_MSG_ATTR_TYPE_VALUE_INPUT: + case OPTEE_MSG_ATTR_TYPE_VALUE_OUTPUT: + case OPTEE_MSG_ATTR_TYPE_VALUE_INOUT: + Mp->Attr = Attr; + Mp->U.Value.A = Ip->U.Value.A; + Mp->U.Value.B = Ip->U.Value.B; + Mp->U.Value.C = Ip->U.Value.C; + break; + + case OPTEE_MSG_ATTR_TYPE_MEM_INPUT: + case OPTEE_MSG_ATTR_TYPE_MEM_OUTPUT: + case OPTEE_MSG_ATTR_TYPE_MEM_INOUT: + Mp->Attr = Attr; + + if (Ip->U.Mem.Size > ShmSize) { + return EFI_OUT_OF_RESOURCES; + } + + CopyMem ((VOID *)ParamShmAddr, (VOID *)Ip->U.Mem.BufPtr, Ip->U.Mem.Size); + Mp->U.Mem.BufPtr = (UINT64)ParamShmAddr; + Mp->U.Mem.Size = Ip->U.Mem.Size; + + Size = (Ip->U.Mem.Size + sizeof (UINT64) - 1) & ~(sizeof (UINT64) - 1); + ParamShmAddr += Size; + ShmSize -= Size; + break; + + default: + return EFI_INVALID_PARAMETER; + } + } + + return EFI_SUCCESS; +} + +STATIC +EFI_STATUS +OpteeFromMsgParam ( + OUT OPTEE_MSG_PARAM *OutParams, + IN UINT32 NumParams, + IN OPTEE_MSG_PARAM *MsgParams + ) +{ + UINT32 Idx; + + for (Idx = 0; Idx < NumParams; Idx++) { + OPTEE_MSG_PARAM *Op; + CONST OPTEE_MSG_PARAM *Mp; + UINT32 Attr; + + Op = OutParams + Idx; + Mp = MsgParams + Idx; + Attr = Mp->Attr & OPTEE_MSG_ATTR_TYPE_MASK; + + switch (Attr) { + case OPTEE_MSG_ATTR_TYPE_NONE: + Op->Attr = OPTEE_MSG_ATTR_TYPE_NONE; + ZeroMem (&Op->U, sizeof (Op->U)); + break; + + case OPTEE_MSG_ATTR_TYPE_VALUE_INPUT: + case OPTEE_MSG_ATTR_TYPE_VALUE_OUTPUT: + case OPTEE_MSG_ATTR_TYPE_VALUE_INOUT: + Op->Attr = Attr; + Op->U.Value.A = Mp->U.Value.A; + Op->U.Value.B = Mp->U.Value.B; + Op->U.Value.C = Mp->U.Value.C; + break; + + case OPTEE_MSG_ATTR_TYPE_MEM_INPUT: + case OPTEE_MSG_ATTR_TYPE_MEM_OUTPUT: + case OPTEE_MSG_ATTR_TYPE_MEM_INOUT: + Op->Attr = Attr; + + if (Mp->U.Mem.Size > Op->U.Mem.Size) { + return EFI_BAD_BUFFER_SIZE; + } + + CopyMem ((VOID *)Op->U.Mem.BufPtr, (VOID *)Mp->U.Mem.BufPtr, Mp->U.Mem.Size); + Op->U.Mem.Size = Mp->U.Mem.Size; + break; + + default: + return EFI_INVALID_PARAMETER; + } + } + + return EFI_SUCCESS; +} + +EFI_STATUS +EFIAPI +OpteeInvokeFunc ( + IN OUT OPTEE_INVOKE_FUNC_ARG *InvokeFuncArg + ) +{ + EFI_STATUS Status; + OPTEE_MSG_ARG *MsgArg; + + MsgArg = NULL; + + if (OpteeShmInfo.Base == 0) { + DEBUG ((DEBUG_WARN, "OP-TEE not initialized\n")); + return EFI_NOT_STARTED; + } + + MsgArg = (OPTEE_MSG_ARG *)OpteeShmInfo.Base; + ZeroMem (MsgArg, sizeof (OPTEE_MSG_ARG)); + + MsgArg->Cmd = OPTEE_MSG_CMD_INVOKE_COMMAND; + MsgArg->Func = InvokeFuncArg->Func; + MsgArg->Session = InvokeFuncArg->Session; + + Status = OpteeToMsgParam (MsgArg->Params, MAX_PARAMS, InvokeFuncArg->Params); + if (Status) + return Status; + + MsgArg->NumParams = MAX_PARAMS; + + if (OpteeCallWithArg ((EFI_PHYSICAL_ADDRESS)MsgArg)) { + MsgArg->Ret = TEEC_ERROR_COMMUNICATION; + MsgArg->RetOrigin = TEEC_ORIGIN_COMMS; + } + + if (OpteeFromMsgParam (InvokeFuncArg->Params, MAX_PARAMS, MsgArg->Params)) { + MsgArg->Ret = TEEC_ERROR_COMMUNICATION; + MsgArg->RetOrigin = TEEC_ORIGIN_COMMS; + } + + InvokeFuncArg->Ret = MsgArg->Ret; + InvokeFuncArg->RetOrigin = MsgArg->RetOrigin; + + return EFI_SUCCESS; +} diff --git a/ArmPkg/Library/OpteeLib/OpteeLib.inf b/ArmPkg/Library/OpteeLib/OpteeLib.inf index 5abd427379cc..e03054a7167d 100644 --- a/ArmPkg/Library/OpteeLib/OpteeLib.inf +++ b/ArmPkg/Library/OpteeLib/OpteeLib.inf @@ -23,11 +23,13 @@ [Defines] [Sources] Optee.c + OpteeSmc.h [Packages] ArmPkg/ArmPkg.dec MdePkg/MdePkg.dec [LibraryClasses] + ArmMmuLib ArmSmcLib BaseLib diff --git a/ArmPkg/Library/OpteeLib/OpteeSmc.h b/ArmPkg/Library/OpteeLib/OpteeSmc.h new file mode 100644 index 000000000000..e2ea35784a0a --- /dev/null +++ b/ArmPkg/Library/OpteeLib/OpteeSmc.h @@ -0,0 +1,43 @@ +/** @file + OP-TEE SMC header file. + + Copyright (c) 2018, Linaro Ltd. All rights reserved.<BR> + + This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef _OPTEE_SMC_H_ +#define _OPTEE_SMC_H_ + +/* Returned in Arg0 only from Trusted OS functions */ +#define OPTEE_SMC_RETURN_OK 0x0 + +#define OPTEE_SMC_RETURN_FROM_RPC 0x32000003 +#define OPTEE_SMC_CALL_WITH_ARG 0x32000004 +#define OPTEE_SMC_GET_SHM_CONFIG 0xb2000007 + +#define OPTEE_SMC_SHM_CACHED 1 + +#define OPTEE_SMC_RETURN_RPC_FOREIGN_INTR 0xffff0004 + +#define OPTEE_MSG_CMD_OPEN_SESSION 0 +#define OPTEE_MSG_CMD_INVOKE_COMMAND 1 +#define OPTEE_MSG_CMD_CLOSE_SESSION 2 + +#define OPTEE_MSG_ATTR_META 0x100 + +#define TEE_LOGIN_PUBLIC 0x0 + +typedef struct { + UINTN Base; + UINTN Size; +} OPTEE_SHARED_MEMORY_INFO; + +#endif diff --git a/ArmPkg/Include/Library/OpteeLib.h b/MdePkg/Include/IndustryStandard/GlobalPlatform.h similarity index 53% copy from ArmPkg/Include/Library/OpteeLib.h copy to MdePkg/Include/IndustryStandard/GlobalPlatform.h index f65d8674d9b8..14c621d89971 100644 --- a/ArmPkg/Include/Library/OpteeLib.h +++ b/MdePkg/Include/IndustryStandard/GlobalPlatform.h @@ -1,34 +1,26 @@ -/** @file - OP-TEE specific header file. - - Copyright (c) 2018, Linaro Ltd. All rights reserved.<BR> - - This program and the accompanying materials - are licensed and made available under the terms and conditions of the BSD License - which accompanies this distribution. The full text of the license may be found at - http://opensource.org/licenses/bsd-license.php - - THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, - WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#ifndef _OPTEE_H_ -#define _OPTEE_H_ - -/* - * The 'Trusted OS Call UID' is supposed to return the following UUID for - * OP-TEE OS. This is a 128-bit value. - */ -#define OPTEE_OS_UID0 0x384fb3e0 -#define OPTEE_OS_UID1 0xe7f811e3 -#define OPTEE_OS_UID2 0xaf630002 -#define OPTEE_OS_UID3 0xa5d5c51b - -BOOLEAN -EFIAPI -IsOpteePresent ( - VOID - ); - -#endif +/** @file + Standardized Global Platform header file. + + Copyright (c) 2018, Linaro Ltd. All rights reserved.<BR> + + This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef _GLOBAL_PLATFORM_H_ +#define _GLOBAL_PLATFORM_H_ + +#define TEEC_ORIGIN_COMMS 0x00000002 + +#define TEEC_SUCCESS 0x00000000 +#define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006 +#define TEEC_ERROR_COMMUNICATION 0xFFFF000E +#define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C + +#endif -- 2.7.4

6 years, 2 months

[PATCH v1 0/6] TEE mediator (and OP-TEE) support in XEN

by Volodymyr Babchuk

Hello all, This is follow for patch series [1]. There was lots of discussions for that series and I tried to address all of them in this new patchset. Currently, I had a working solution for OP-TEE virtualization and it is being upstreamed right now ([2]). So, I think it is a good time to introduce support in XEN as well. This series include generic TEE mediator framework and full-scale OP-TEE mediator which is working with mentioned chages in OP-TEE. So, multiple domains can work simultaneously with OP-TEE. I added XSM support, so now it is possible to control which domains can work with TEEs. Also I changed way how TEE discovery is done. Now it is very generic and should support any platform. [1] https://lists.xenproject.org/archives/html/xen-devel/2017-10/msg01451.html [2] https://github.com/OP-TEE/optee_os/pull/2370 Volodymyr Babchuk (6): arm: add SMC wrapper that is compatible with SMCCC arm: add generic TEE mediator framework arm: tee: add OP-TEE header files optee: add OP-TEE mediator libxl: create DTS node for OP-TEE if it is enabled xsm: add tee access policy support MAINTAINERS | 5 + tools/flask/policy/modules/dom0.te | 3 + tools/flask/policy/modules/domU_with_tee.te | 23 + tools/flask/policy/modules/modules.conf | 1 + tools/flask/policy/modules/xen.if | 12 + tools/libxl/libxl_arm.c | 29 + tools/libxl/libxl_create.c | 1 + tools/libxl/libxl_types.idl | 1 + tools/xl/xl_parse.c | 1 + xen/arch/arm/Kconfig | 10 + xen/arch/arm/Makefile | 1 + xen/arch/arm/arm32/Makefile | 1 + xen/arch/arm/arm32/smc.S | 39 ++ xen/arch/arm/arm64/Makefile | 1 + xen/arch/arm/arm64/asm-offsets.c | 4 + xen/arch/arm/arm64/smc.S | 30 + xen/arch/arm/domain.c | 7 + xen/arch/arm/setup.c | 4 + xen/arch/arm/shutdown.c | 2 + xen/arch/arm/tee/Kconfig | 4 + xen/arch/arm/tee/Makefile | 2 + xen/arch/arm/tee/optee.c | 972 ++++++++++++++++++++++++++++ xen/arch/arm/tee/tee.c | 89 +++ xen/arch/arm/vsmc.c | 5 + xen/arch/arm/xen.lds.S | 7 + xen/include/asm-arm/processor.h | 11 + xen/include/asm-arm/tee/optee_msg.h | 444 +++++++++++++ xen/include/asm-arm/tee/optee_smc.h | 507 +++++++++++++++ xen/include/asm-arm/tee/tee.h | 103 +++ xen/include/xsm/dummy.h | 10 + xen/include/xsm/xsm.h | 13 + xen/xsm/dummy.c | 4 + xen/xsm/flask/hooks.c | 15 + xen/xsm/flask/policy/access_vectors | 7 + xen/xsm/flask/policy/security_classes | 1 + 35 files changed, 2369 insertions(+) create mode 100644 tools/flask/policy/modules/domU_with_tee.te create mode 100644 xen/arch/arm/arm32/smc.S create mode 100644 xen/arch/arm/arm64/smc.S create mode 100644 xen/arch/arm/tee/Kconfig create mode 100644 xen/arch/arm/tee/Makefile create mode 100644 xen/arch/arm/tee/optee.c create mode 100644 xen/arch/arm/tee/tee.c create mode 100644 xen/include/asm-arm/tee/optee_msg.h create mode 100644 xen/include/asm-arm/tee/optee_smc.h create mode 100644 xen/include/asm-arm/tee/tee.h -- 2.7.4

6 years, 2 months

hikey 970

by Kris Kwiatkowski

Hello, Does OP-TEE support HiKey 970? Kris

6 years, 3 months

[RESEND PATCH] tee: add kernel internal client interface

by Jens Wiklander

Adds a kernel internal TEE client interface to be used by other drivers. Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_core.c | 113 +++++++++++++++++++++++++++++++++++++--- include/linux/tee_drv.h | 73 ++++++++++++++++++++++++++ 2 files changed, 179 insertions(+), 7 deletions(-) diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index dd46b758852a..7b2bb4c50058 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -38,15 +38,13 @@ static DEFINE_SPINLOCK(driver_lock); static struct class *tee_class; static dev_t tee_devt; -static int tee_open(struct inode *inode, struct file *filp) +static struct tee_context *teedev_open(struct tee_device *teedev) { int rc; - struct tee_device *teedev; struct tee_context *ctx; - teedev = container_of(inode->i_cdev, struct tee_device, cdev); if (!tee_device_get(teedev)) - return -EINVAL; + return ERR_PTR(-EINVAL); ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); if (!ctx) { @@ -57,16 +55,16 @@ static int tee_open(struct inode *inode, struct file *filp) kref_init(&ctx->refcount); ctx->teedev = teedev; INIT_LIST_HEAD(&ctx->list_shm); - filp->private_data = ctx; rc = teedev->desc->ops->open(ctx); if (rc) goto err; - return 0; + return ctx; err: kfree(ctx); tee_device_put(teedev); - return rc; + return ERR_PTR(rc); + } void teedev_ctx_get(struct tee_context *ctx) @@ -100,6 +98,18 @@ static void teedev_close_context(struct tee_context *ctx) teedev_ctx_put(ctx); } +static int tee_open(struct inode *inode, struct file *filp) +{ + struct tee_context *ctx; + + ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev)); + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + + filp->private_data = ctx; + return 0; +} + static int tee_release(struct inode *inode, struct file *filp) { teedev_close_context(filp->private_data); @@ -928,6 +938,95 @@ void *tee_get_drvdata(struct tee_device *teedev) } EXPORT_SYMBOL_GPL(tee_get_drvdata); +struct match_dev_data { + struct tee_ioctl_version_data *vers; + const void *data; + int (*match)(struct tee_ioctl_version_data *, const void *); +}; + +static int match_dev(struct device *dev, const void *data) +{ + const struct match_dev_data *match_data = data; + struct tee_device *teedev = container_of(dev, struct tee_device, dev); + + teedev->desc->ops->get_version(teedev, match_data->vers); + return match_data->match(match_data->vers, match_data->data); +} + +struct tee_context * +tee_client_open_context(struct tee_context *start, + int (*match)(struct tee_ioctl_version_data *, + const void *), + const void *data, struct tee_ioctl_version_data *vers) +{ + struct device *dev = NULL; + struct device *put_dev = NULL; + struct tee_context *ctx = NULL; + struct tee_ioctl_version_data v; + struct match_dev_data match_data = { vers ? vers : &v, data, match }; + + if (start) + dev = &start->teedev->dev; + + do { + dev = class_find_device(tee_class, dev, &match_data, match_dev); + if (!dev) { + ctx = ERR_PTR(-ENOENT); + break; + } + + put_device(put_dev); + put_dev = dev; + + ctx = teedev_open(container_of(dev, struct tee_device, dev)); + } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM); + + put_device(put_dev); + return ctx; +} +EXPORT_SYMBOL_GPL(tee_client_open_context); + +void tee_client_close_context(struct tee_context *ctx) +{ + teedev_close_context(ctx); +} +EXPORT_SYMBOL_GPL(tee_client_close_context); + +void tee_client_get_version(struct tee_context *ctx, + struct tee_ioctl_version_data *vers) +{ + ctx->teedev->desc->ops->get_version(ctx->teedev, vers); +} +EXPORT_SYMBOL_GPL(tee_client_get_version); + +int tee_client_open_session(struct tee_context *ctx, + struct tee_ioctl_open_session_arg *arg, + struct tee_param *param) +{ + if (!ctx->teedev->desc->ops->open_session) + return -EINVAL; + return ctx->teedev->desc->ops->open_session(ctx, arg, param); +} +EXPORT_SYMBOL_GPL(tee_client_open_session); + +int tee_client_close_session(struct tee_context *ctx, u32 session) +{ + if (!ctx->teedev->desc->ops->close_session) + return -EINVAL; + return ctx->teedev->desc->ops->close_session(ctx, session); +} +EXPORT_SYMBOL_GPL(tee_client_close_session); + +int tee_client_invoke_func(struct tee_context *ctx, + struct tee_ioctl_invoke_arg *arg, + struct tee_param *param) +{ + if (!ctx->teedev->desc->ops->invoke_func) + return -EINVAL; + return ctx->teedev->desc->ops->invoke_func(ctx, arg, param); +} +EXPORT_SYMBOL_GPL(tee_client_invoke_func); + static int __init tee_init(void) { int rc; diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h index a2b3dfcee0b5..6cfe05893a76 100644 --- a/include/linux/tee_drv.h +++ b/include/linux/tee_drv.h @@ -453,6 +453,79 @@ static inline int tee_shm_get_id(struct tee_shm *shm) */ struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id); +/** + * tee_client_open_context() - Open a TEE context + * @start: if not NULL, continue search after this context + * @match: function to check TEE device + * @data: data for match function + * @vers: if not NULL, version data of TEE device of the context returned + * + * This function does an operation similar to open("/dev/teeX") in user space. + * A returned context must be released with tee_client_close_context(). + * + * Returns a TEE context of the first TEE device matched by the match() + * callback or an ERR_PTR. + */ +struct tee_context * +tee_client_open_context(struct tee_context *start, + int (*match)(struct tee_ioctl_version_data *, + const void *), + const void *data, struct tee_ioctl_version_data *vers); + +/** + * tee_client_close_context() - Close a TEE context + * @ctx: TEE context to close + * + * Note that all sessions previously opened with this context will be + * closed when this function is called. + */ +void tee_client_close_context(struct tee_context *ctx); + +/** + * tee_client_get_version() - Query version of TEE + * @ctx: TEE context to TEE to query + * @vers: Pointer to version data + */ +void tee_client_get_version(struct tee_context *ctx, + struct tee_ioctl_version_data *vers); + +/** + * tee_client_open_session() - Open a session to a Trusted Application + * @ctx: TEE context + * @arg: Open session arguments, see description of + * struct tee_ioctl_open_session_arg + * @param: Parameters passed to the Trusted Application + * + * Returns < 0 on error else see @arg->ret for result. If @arg->ret + * is TEEC_SUCCESS the session identifier is available in @arg->session. + */ +int tee_client_open_session(struct tee_context *ctx, + struct tee_ioctl_open_session_arg *arg, + struct tee_param *param); + +/** + * tee_client_close_session() - Close a session to a Trusted Application + * @ctx: TEE Context + * @session: Session id + * + * Return < 0 on error else 0, regardless the session will not be + * valid after this function has returned. + */ +int tee_client_close_session(struct tee_context *ctx, u32 session); + +/** + * tee_client_invoke_func() - Invoke a function in a Trusted Application + * @ctx: TEE Context + * @arg: Invoke arguments, see description of + * struct tee_ioctl_invoke_arg + * @param: Parameters passed to the Trusted Application + * + * Returns < 0 on error else see @arg->ret for result. + */ +int tee_client_invoke_func(struct tee_context *ctx, + struct tee_ioctl_invoke_arg *arg, + struct tee_param *param); + static inline bool tee_param_is_memref(struct tee_param *param) { switch (param->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { -- 2.17.1

6 years, 3 months

Help me in understanding OP-TEE boot flow on ARMv7

by Hoa Nguyen Duc

Dear All, My name is Nguyen Duc Hoa, come from Vietnam. I am working on Zynq Zybo-Z7 for porting optee to secure world. I just had a trouble when Op-TEE OS is loading the kernel image(zImage). Below image is my flow. I refered from below topic and build up my system. https://github.com/OP-TEE/optee_os/issues/1887 "U-Boot will load TEE and zImage, so need to verify the two images in U-Boot. `kernel_entry` will run into the address passed to bootm. When optee returns back, it will directly runs into the load address of zImage and continue booting kernel. " But on my side, in stage of booting kernel, I got an "kernel panic". (full log is attached) Following is how I did it: 1. Build OP-TEE with: make PLATFORM=zynq7k CROSS_COMPILE="ccache arm-linux-gnueabihf-" ARCH=arm CFG_TEE_CORE_LOG_LEVEL=4 CFG_DT_ADDR=0x02A00000 CFG_DT=y CFG_TEE_TA_MALLOC_DEBUG=y CFG_TEE_CORE_MALLOC_DEBUG=y CFG_TEE_CORE_USER_MEM_DEBUG=4 CFG_TEE_TA_LOG_LEVEL=4 CFG_NS_ENTRY_ADDR=0x03000000 arm-linux-gnueabihf-objcopy -O binary tee.elf tee.bin 2. Use mkimage to produce the uTee image. Make it looks like uImage so the bootm command can boot it. ./mkimage -A arm -O linux -C none -a 0x3E000000 -e 0x3E000000 -d tee.bin uTee 3. Make the linux kernel use xilinx_zynq_defconfig Enable OpTee and EARLYCON # OPTEE stuff CONFIG_TEE=y CONFIG_OPTEE=y CONFIG_ARM_PSCI_FW=y CONFIG_HAVE_ARM_SMCCC=y CONFIG_SERIAL_EARLYCON=y + DTS file is attached + Make kernel by below command make ARCH=arm xilinx_zynq_defconfig CROSS_COMPILE=arm-linux-gnueabihf- make ARCH=arm 4. In u-boot kernel, load everything in place and use bootm to enter OP-TEE mmcinfo ; fatload mmc 0 0x03000000 zImage ; fatload mmc 0 0x02A00000 zImage-zynq-zybo-z7.dtb ; fatload mmc 0:1 0x3E000000 uTee; setenv bootargs earlyprintk console=ttyPS0,115200 root=/dev/mmcblk0p2 rw rootwait ; bootm 0x3E000000 - 0x02A00000 ; *** QUESTIONS *** 1. Is this flow correct? 2. I refer to this thread mail https://lists.linaro.org/pipermail/tee-dev/2015-September/000176.html and I saw that in my side, after back to non secure world, it seem to be u-boot's environment variables was changed. For purpose of booting kernel, I must keep the u-boot's context and OpTEE OS switch to non-secure world this context will be restore, do I? So anyone have better understanding about this flow, it will be helpful for my further development. Thank you very much in advance.

6 years, 4 months

About the initialization vector (IV) of AES-GCM used in pager

by shijun zhao

Hi, everyone, I find that pager uses AES-GCM to protect data sections. I see that the initialization vectors (IVs) used in AES-GCM for every page is initialized to be zero. However, according to the NIST 800 specification [1]: IV should not repeat, otherwise AES-GCM may be vulnerable to the forgery attacks [2]. So I suggest concatenating the physical address of each page (DRAM address) and the IV, then the concatenated IVs will be different for each page. I also see that pager is removed from many devices, such as i.mx and Hikey. Doesn't OP-TEE support pager any more? Best Regards, Shijun Zhao 1. Dworkin M. NIST special publication 800-38B[J]. NIST special publication, 2005, 800(38B): 38B. 2. A. Joux, Authentication Failures in NIST version of GCM, Natl. Inst. Stand. Technol. [Web page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Se….

6 years, 4 months

OP-TEE 3.2.0-rc1 [Re: OP-TEE 3.2.0-rc1 next week]

by Jerome Forissier

Hi, I have tagged 3.2.0-rc1 yesterday, please help test it. I will collect Tested-bys on https://github.com/OP-TEE/optee_os/pull/2404. Of course, feel free to use the GitHub issues/pull request pages in case something is wrong. Thanks, -- Jerome On 14 June 2018 at 10:30, Jerome Forissier <jerome.forissier(a)linaro.org> wrote: > Hello OP-TEE contributors and maintainers, > > It is time to prepare for release 3.2.0. I will create the -rc1 tag next > Wednesday (June 20), and hopefully the final release will follow one week > later. > > So, if there are things you would like included in 3.2.0, please push them > now. Please update your pending pull requests, help review patches, run > some tests on master, etc. After -rc1 and until the release, we will take > only bug fixes into master, as usual. > > I will let you know when the -rc1 tag is ready for testing. > > Thanks for your continued help and support! > -- > Jerome >

6 years, 5 months

Bug 3906 - meta-linaro/meta-optee/recipe-security/optee/optee-client.bb build failure due to openembedded-core changes (edit)

by Simon Hughes

Hi Can only help with resolving the following issue with building optee? This is a bug I filed recently in the linaro bug database: Simon Hughes<mailto:simon.hughes@arm.com> 2018-06-13 16:36:50 UTC Changes committed to openembedded-core master within the last 24hrs have broken the mbed Linux build which uses meta-linaro: =================================================================== 02:48:15 ERROR: Logfile of failure stored in: /work/machine-imx7s-warp-mbl/mbl-manifest/build-mbl/tmp-mbl-glibc/work/cortexa7hf-neon-oe-linux-gnueabi/optee-client/2.6.0+gitAUTOINC+73b4e490a8-r0/temp/log.do_compile.12265 02:48:15 Log data follows: 02:48:15 | DEBUG: Executing shell function do_compile 02:48:15 | NOTE: make -j 24 02:48:15 | Building libteec.so 02:48:15 | CC src/tee_client_api.c 02:48:15 | CC src/teec_trace.c 02:48:15 | src/teec_trace.c: In function '_dprintf': 02:48:15 | src/teec_trace.c:110:24: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 246 [-Werror=format-truncation=] 02:48:15 | "%s [%d] %s:%s:%d: %s", 02:48:15 | ^~ 02:48:15 | src/teec_trace.c:112:11: 02:48:15 | line, raw); 02:48:15 | ~~~ 02:48:15 | src/teec_trace.c:109:3: note: 'snprintf' output 11 or more bytes (assuming 266) into a destination of size 256 02:48:15 | snprintf(prefixed, MAX_PRINT_SIZE, 02:48:15 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 02:48:15 | "%s [%d] %s:%s:%d: %s", 02:48:15 | ~~~~~~~~~~~~~~~~~~~~~~~ 02:48:15 | trace_level_strings[level], thread_id, prefix, func, 02:48:15 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 02:48:15 | line, raw); 02:48:15 | ~~~~~~~~~~ 02:48:15 | cc1: all warnings being treated as errors 02:48:15 | Makefile:52: recipe for target '/work/machine-imx7s-warp-mbl/mbl-manifest/build-mbl/tmp-mbl-glibc/work/cortexa7hf-neon-oe-linux-gnueabi/optee-client/2.6.0+gitAUTOINC+73b4e490a8-r0/git/libteec/../out/libteec/teec_trace.o' failed 02:48:15 | make[1]: *** [/work/machine-imx7s-warp-mbl/mbl-manifest/build-mbl/tmp-mbl-glibc/work/cortexa7hf-neon-oe-linux-gnueabi/optee-client/2.6.0+gitAUTOINC+73b4e490a8-r0/git/libteec/../out/libteec/teec_trace.o] Error 1 02:48:15 | make[1]: *** Waiting for unfinished jobs.... 02:48:15 | Makefile:31: recipe for target 'build-libteec' failed 02:48:15 | make: *** [build-libteec] Error 2 02:48:15 | ERROR: oe_runmake failed 02:48:15 | WARNING: exit code 1 from a shell command. 02:48:15 | ERROR: Function failed: do_compile (log file is located at /work/machine-imx7s-warp-mbl/mbl-manifest/build-mbl/tmp-mbl-glibc/work/cortexa7hf-neon-oe-linux-gnueabi/optee-client/2.6.0+gitAUTOINC+73b4e490a8-r0/temp/log.do_compile.12265) 02:48:15 NOTE: recipe optee-client-2.6.0+gitAUTOINC+73b4e490a8-r0: task do_compile: Failed 02:48:15 NOTE: recipe alsa-state-0.2.0-r5: task do_install: Succeeded 02:48:15 ERROR: Task (/work/machine-imx7s-warp-mbl/mbl-manifest/build-mbl/conf/../../layers/meta-linaro/meta-optee/recipes-security/optee/optee-client.bb:do_compile) failed with exit code '1' 02:48:15 NOTE: recipe modutils-initscripts-1.0-r7: task do_install: Started =================================================================== between openembedded-core master commit bad: 8ab5b439ea82ac775494a0ce7a6f3615b61c94be openembedded-core master commit good:23f15c63777020f5d43b070a1eb2bcf246c19ff8 Here is the diff between mbl-manifest pinned-manifest.xml's between <bad build nad >good build simhug01@mbed-linux-test:/mnt/data/default_20180613_122141/mbl-manifest$ cat ../manifest_xml_changes.txt 20,21c20,21 < <project name="openembedded/meta-openembedded" path="layers/meta-openembedded" remote="github" revision="d9e257abbe16b9d30171493fa8f1d7e2d24cefe5" upstream="master"/> < <project name="openembedded/openembedded-core" path="layers/openembedded-core" remote="github" revision="8ab5b439ea82ac775494a0ce7a6f3615b61c94be" upstream="master"/> --- > <project name="openembedded/meta-openembedded" path="layers/meta-openembedded" remote="github" revision="bb57bac845f3cd1634862fa9868bc8e294ba74a9" upstream="master"/> > <project name="openembedded/openembedded-core" path="layers/openembedded-core" remote="github" revision="23f15c63777020f5d43b070a1eb2bcf246c19ff8" upstream="master"/> Other triage information: triage: ◾This build succeeded: http://xxxxx/job/mbl-master/559/ ◾This build failed: http://xxxxx//job/mbl-master/560/<http://xxxxx/job/mbl-master/560/> ◾The only projects that added changes between these to versions are openembedded-core and meta-openembedded (not meta-linaro containing meta-optee which holds the breaking optee-client.bb recipe). ◾Pinning oe-core in default.xml manifest to build 559 pin builds successfully (leaving meta-oe at head of master). ◾Pinning meta-oe in default manifest to build 559 pin doesn't build successfully (leaving oe-core at head of master). ◾Numerous oe-core changes have been added wrt gcc compiler recipes. Likely that a compiler option has been added to treat certain warnings as errors causing the latest break. ◾Should notify linaro project of the break and see if they fix it, or whether oe-core changes accommodate (less likely). Approach Linaro staff member Ryan Harkin as a Linaro interface to bug logger. Thanks Simon IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 5 months

Question About Trusted Application (.ta)

by Yin Liu

Hello, I'm learning the Trusted application that can be run in the TEE. I was wondering whether there are some ways to check the .ta file's instructions, just like using objdump or readelf on ELF. I'm also interested how does the .ta be protected? What's the difference between the .ta and normal executable? Would it be possible to give me some information about that? Thanks in advance! Brs, YL

6 years, 5 months

OP-TEE 3.2.0-rc1 next week

by Jerome Forissier

Hello OP-TEE contributors and maintainers, It is time to prepare for release 3.2.0. I will create the -rc1 tag next Wednesday (June 20), and hopefully the final release will follow one week later. So, if there are things you would like included in 3.2.0, please push them now. Please update your pending pull requests, help review patches, run some tests on master, etc. After -rc1 and until the release, we will take only bug fixes into master, as usual. I will let you know when the -rc1 tag is ready for testing. Thanks for your continued help and support! -- Jerome

6 years, 5 months

← Newer
1
...
17
18
19
20
21
22
23
...
30
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Tee-dev