| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Apr 2020 18:17:01 +0300
From: Vesa Jääskeläinen
<vesa.jaaskelainen@...sala.com>
To: op-tee@...ts.trustedfirmware.org,
Jens Wiklander <jens.wiklander@...aro.org>
Cc: Rijo Thomas <Rijo-john.Thomas@....com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Dan Carpenter <dan.carpenter@...cle.com>,
Devaraj Rangasamy <Devaraj.Rangasamy@....com>,
Hongbo Yao <yaohongbo@...wei.com>,
Colin Ian King <colin.king@...onical.com>,
linux-kernel@...r.kernel.org,
Vesa Jääskeläinen
<vesa.jaaskelainen@...sala.com>
Subject: [PATCH 3/3] [RFC] tee: add support for app id for client UUID generation
Linux kernel does not provide common contex for application identifier,
instead different security frameworks provide own means to define
application identifier for running process. Code includes place holder for
such solutions but is left for later implementation.
Open questions:
1. App ID source
How to specify what source is used for app id?
Does it need to be protected on runtime?
- Should this be Kconfig setting?
- Cnfigure once during runtime thru sysfs or so?
- Configure from device tree?
2. Formatting for App ID
Should there be common format? Or common keyword id?
3. How to handle custom App ID sources
Android has own App ID so does Tizen.
Should there be place holder for this where to make local patch?
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@...sala.com>
---
drivers/tee/tee_core.c | 45 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index 872272bf9dec..df03bd0071da 100644
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -125,6 +125,15 @@ static int tee_release(struct inode *inode, struct file *filp)
return 0;
}
+static const char *tee_session_get_application_id(void)
+{
+ return NULL;
+}
+
+static void tee_session_free_application_id(const char *app_id)
+{
+}
+
/**
* uuid_v5() - Calculate UUIDv5
* @uuid: Resulting UUID
@@ -217,6 +226,14 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method,
* For TEEC_LOGIN_GROUP:
* gid=<gid>
*
+ * For TEEC_LOGIN_APPLICATION:
+ * app=<application id>
+ *
+ * For TEEC_LOGIN_USER_APPLICATION:
+ * uid=<uid>:app=<application id>
+ *
+ * For TEEC_LOGIN_GROUP_APPLICATION:
+ * gid=<gid>:app=<application id>
*/
name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL);
@@ -240,6 +257,34 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method,
scnprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x", grp.val);
break;
+ case TEE_IOCTL_LOGIN_APPLICATION:
+ application_id = tee_session_get_application_id();
+ scnprintf(name, TEE_UUID_NS_NAME_SIZE, "app=%s",
+ application_id);
+ tee_session_free_application_id(application_id);
+ break;
+
+ case TEE_IOCTL_LOGIN_USER_APPLICATION:
+ application_id = tee_session_get_application_id();
+ scnprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x:app=%s",
+ current_euid().val, application_id);
+ tee_session_free_application_id(application_id);
+ break;
+
+ case TEE_IOCTL_LOGIN_GROUP_APPLICATION:
+ memcpy(&ns_grp, connection_data, sizeof(gid_t));
+ grp = make_kgid(current_user_ns(), ns_grp);
+ if (!gid_valid(grp) || !in_egroup_p(grp)) {
+ rc = -EPERM;
+ goto out;
+ }
+
+ application_id = tee_session_get_application_id();
+ scnprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x:app=%s",
+ grp.val, application_id);
+ tee_session_free_application_id(application_id);
+ break;
+
default:
rc = -EINVAL;
goto out;
--
2.17.1
Powered by blists - more mailing lists