[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHUa44GBt-8Z8ZniTraJYHgFVEUgMTjTJLEden3m2jhhY9qc-w@mail.gmail.com>
Date: Mon, 29 Jul 2019 09:08:58 +0200
From: Jens Wiklander <jens.wiklander@...aro.org>
To: Sumit Garg <sumit.garg@...aro.org>
Cc: keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
Jonathan Corbet <corbet@....net>, dhowells@...hat.com,
jejb@...ux.ibm.com,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
Mimi Zohar <zohar@...ux.ibm.com>, jmorris@...ei.org,
serge@...lyn.com, Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Daniel Thompson <daniel.thompson@...aro.org>,
Linux Doc Mailing List <linux-doc@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
"tee-dev @ lists . linaro . org" <tee-dev@...ts.linaro.org>
Subject: Re: [RFC 3/7] tee: add private login method for kernel clients
Hi Sumit,
On Tue, Jul 9, 2019 at 11:36 AM Sumit Garg <sumit.garg@...aro.org> wrote:
>
> On Tue, 9 Jul 2019 at 12:33, Jens Wiklander <jens.wiklander@...aro.org> wrote:
> >
> > On Tue, Jul 09, 2019 at 11:26:19AM +0530, Sumit Garg wrote:
> > > Thanks Jens for your comments.
> > >
> > > On Mon, 8 Jul 2019 at 21:09, Jens Wiklander <jens.wiklander@...aro.org> wrote:
> > > >
> > > > Hi Sumit,
> > > >
> > > > On Thu, Jun 13, 2019 at 04:00:29PM +0530, Sumit Garg wrote:
> > > > > There are use-cases where user-space shouldn't be allowed to communicate
> > > > > directly with a TEE device which is dedicated to provide a specific
> > > > > service for a kernel client. So add a private login method for kernel
> > > > > clients and disallow user-space to open-session using this login method.
> > > > >
> > > > > Signed-off-by: Sumit Garg <sumit.garg@...aro.org>
> > > > > ---
> > > > > drivers/tee/tee_core.c | 6 ++++++
> > > > > include/uapi/linux/tee.h | 2 ++
> > > > > 2 files changed, 8 insertions(+)
> > > > >
> > > > > diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> > > > > index 0f16d9f..4581bd1 100644
> > > > > --- a/drivers/tee/tee_core.c
> > > > > +++ b/drivers/tee/tee_core.c
> > > > > @@ -334,6 +334,12 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
> > > > > goto out;
> > > > > }
> > > > >
> > > > > + if (arg.clnt_login == TEE_IOCTL_LOGIN_REE_KERNEL) {
> > > > TEE_IOCTL_LOGIN_REE_KERNEL is defined as 0x80000000 which is in the
> > > > range specified and implementation defined by the GP spec. I wonder if
> > > > we shouldn't filter the entire implementation defined range instead of
> > > > just this value.
> > >
> > > Agree. Will rather check for entire implementation defined range:
> > > 0x80000000 - 0xFFFFFFFF.
> > >
>
> I had a second thought on this. It would be more restrictive for
> user-space TEE client library which may need to use implementation
> defined login method. So either we could define specific ranges for
> kernel and user-space or we can start with single login method
> reserved for kernel.
I think we should reserve a range for kernel internal use. Only
reserving a single single login for kernel could force us to restrict
the API once more later, better to take a chunk now and be done with
it. Half of 0x80000000 - 0xFFFFFFFF is probably more than enough too
to leave a range for user space too.
>
> > > >
> > > > > + pr_err("login method not allowed for user-space client\n");
> > > > pr_debug(), if it's needed at all.
> > > >
> > >
> > > Ok will use pr_debug() instead.
> > >
> > > > > + rc = -EPERM;
> > > > > + goto out;
> > > > > + }
> > > > > +
> > > > > rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
> > > > > if (rc)
> > > > > goto out;
> > > > > diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
> > > > > index 4b9eb06..f33c69c 100644
> > > > > --- a/include/uapi/linux/tee.h
> > > > > +++ b/include/uapi/linux/tee.h
> > > > > @@ -172,6 +172,8 @@ struct tee_ioctl_buf_data {
> > > > > #define TEE_IOCTL_LOGIN_APPLICATION 4
> > > > > #define TEE_IOCTL_LOGIN_USER_APPLICATION 5
> > > > > #define TEE_IOCTL_LOGIN_GROUP_APPLICATION 6
> > > > > +/* Private login method for REE kernel clients */
> > > > It's worth noting that this is filtered by the TEE framework, compared
> > > > to everything else which is treated opaquely.
> > > >
> > >
> > > IIUC, you are referring to login filter in optee_os. Change to prevent
> > > filter for this login method is part of this PR [1].
> > >
> > > [1] https://github.com/OP-TEE/optee_os/pull/3082
> >
> > No, I was referring to the changes in tee_ioctl_open_session() above.
> > It's relevant for user space to know since it will be prevented from
> > using that range of login identifiers.
>
> Ok, so you mean to extend the comment here for user-space to know that
> this login method/range is filtered by the TEE framework. Will do
> that.
>
> > This will restrict the user space
> > API, but I think the risk of breakage is minimal as OP-TEE is the only
> > in-tree driver registering in the TEE framework. I'm not aware of any
> > out-of-tree drivers registering.
>
> I am not sure if I follow you here. How do you expect this change to
> break out-of-tree TEE driver registration?
It's a change in common code that put restrictions on the API.
Thanks,
Jens
>
> -Sumit
>
> >
> > Thanks,
> > Jens
> >
> > >
> > > -Sumit
> > >
> > > > > +#define TEE_IOCTL_LOGIN_REE_KERNEL 0x80000000
> > > > >
> > > > > /**
> > > > > * struct tee_ioctl_param - parameter
> > > > > --
> > > > > 2.7.4
> > > > >
> > > >
> > > > Thanks,
> > > > Jens
Powered by blists - more mailing lists