lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHUa44Fd3ujQY8ev9sZOMya7wrTmHnvda_05XhQA7X3knB3auA@mail.gmail.com>
Date:   Wed, 25 Mar 2020 09:33:45 +0100
From:   Jens Wiklander <jens.wiklander@...aro.org>
To:     Sumit Garg <sumit.garg@...aro.org>
Cc:     "tee-dev @ lists . linaro . org" <tee-dev@...ts.linaro.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Stuart Yoder <stuart.yoder@....com>,
        Daniel Thompson <daniel.thompson@...aro.org>
Subject: Re: [PATCH v4 2/2] tee: add private login method for kernel clients

On Mon, Mar 23, 2020 at 1:19 PM Sumit Garg <sumit.garg@...aro.org> wrote:
>
> There are use-cases where user-space shouldn't be allowed to communicate
> directly with a TEE device which is dedicated to provide a specific
> service for a kernel client. So add a private login method for kernel
> clients and disallow user-space to open-session using GP implementation
> defined login method range: (0x80000000 - 0xFFFFFFFF).
>
> Signed-off-by: Sumit Garg <sumit.garg@...aro.org>
> ---
>  drivers/tee/tee_core.c   | 6 ++++++
>  include/uapi/linux/tee.h | 8 ++++++++
>  2 files changed, 14 insertions(+)

Looks good.

Thanks,
Jens

>
> diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> index 37d22e3..533e7a8 100644
> --- a/drivers/tee/tee_core.c
> +++ b/drivers/tee/tee_core.c
> @@ -334,6 +334,12 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
>                         goto out;
>         }
>
> +       if (arg.clnt_login & TEE_IOCTL_LOGIN_MASK) {
> +               pr_debug("login method not allowed for user-space client\n");
> +               rc = -EPERM;
> +               goto out;
> +       }
> +
>         rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
>         if (rc)
>                 goto out;
> diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
> index 6596f3a..19172a2 100644
> --- a/include/uapi/linux/tee.h
> +++ b/include/uapi/linux/tee.h
> @@ -173,6 +173,14 @@ struct tee_ioctl_buf_data {
>  #define TEE_IOCTL_LOGIN_APPLICATION            4
>  #define TEE_IOCTL_LOGIN_USER_APPLICATION       5
>  #define TEE_IOCTL_LOGIN_GROUP_APPLICATION      6
> +/*
> + * Disallow user-space to use GP implementation specific login
> + * method range (0x80000000 - 0xFFFFFFFF). This range is rather
> + * being reserved for REE kernel clients or TEE implementation.
> + */
> +#define TEE_IOCTL_LOGIN_MASK                   0x80000000
> +/* Private login method for REE kernel clients */
> +#define TEE_IOCTL_LOGIN_REE_KERNEL             0x80000000
>
>  /**
>   * struct tee_ioctl_param - parameter
> --
> 2.7.4
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ