lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150421055932.GA7760@ermac>
Date:	Tue, 21 Apr 2015 07:59:32 +0200
From:	Jens Wiklander <jens.wiklander@...aro.org>
To:	Jason Gunthorpe <jgunthorpe@...idianresearch.com>
Cc:	Russell King - ARM Linux <linux@....linux.org.uk>,
	valentin.manea@...wei.com, devicetree@...r.kernel.org,
	javier@...igon.com, emmanuel.michel@...com,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Arnd Bergmann <arnd@...db.de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org, jean-michel.delorme@...com,
	tpmdd-devel@...ts.sourceforge.net,
	linux-arm-kernel@...ts.infradead.org
Subject: Re: [tpmdd-devel] [RFC PATCH 1/2] tee: generic TEE subsystem

On Mon, Apr 20, 2015 at 11:55:15AM -0600, Jason Gunthorpe wrote:
> On Mon, Apr 20, 2015 at 03:02:03PM +0200, Jens Wiklander wrote:
> > > It appeared to me this driver was copying TPM's old architecture,
> > > which is very much known to be broken.
> > 
> > The struct tee_device holds a shared memory pool from which shared
> > memory objects are allocated. These shared memory objects can be mapped
> > both by user space and secure world. 
> 
> So this is a whole other set of problems besides what was already
> brought up.
> 
> You need to figure out a lifetime model for this shared memory that
> works.
> 
> > To come around the problem with what should happen when the driver
> > is removed I'm increasing the refcount on the driver for each
> > allocated shared memory object and created file pointers. As long as
> > any resource is in use by either user space or secure world the
> > driver can't be unloaded.
> 
> This isn't how the kernel works. The module refcount effects module
> unload (it protects the .text) - it does not interact with driver
> detatch. Userspace can trigger driver detatch (which results in
> tee_unregister being called) at any time via sysfs.
> 
> If you properly design for that case then module unload sequencing
> works properly for free.
> 
> Based on what I gather, I would suggest the following sequence in
> tee_unregister
>  - unregister all sysfs and char dev registrations.
>  - Write lock ops and set to null. This will error future cdev ioctls,
>    and guarentees no driver ops callbacks are in progress, or will be
>    started in future.
>  - Wait until all client accesses to shared memory are
>    released.
>  - Command the driver to release it's side of the
>    shared memory and wait for that to complete
>  - Free the shared memory
>  - deref the tee_device's struct device (match ref in tee_register)
> 
> Then in your struct tee_device's release function free the tee_device
> memory.
> 
> Replace all the module locking code with an active count in struct
> tee_device (see something like kernfs_drain for an example).
> 
> > * Change to use the pattern (with a struct device etc) as described
> >   above.
> 
> Yes, I think Greg confirmed you need to use a struct device, and purge
> misc_device from the mid layer.
> 
> >   I can't protect the ops with just a mutex since tee_ioctl_cmd() needs to
> >   be multithreaded.
> 
> Then use a sleeping read/write lock - aka an active count.

Thanks for the clarification, I got it now.

Regards,
Jens
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ