lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20211209151123.3759999-3-dbrazdil@google.com>
Date:   Thu,  9 Dec 2021 15:11:23 +0000
From:   David Brazdil <dbrazdil@...gle.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Rob Herring <robh+dt@...nel.org>, Jonathan Corbet <corbet@....net>,
        Derek Kiernan <derek.kiernan@...inx.com>,
        Dragan Cvetic <dragan.cvetic@...inx.com>,
        Arnd Bergmann <arnd@...db.de>,
        David Brazdil <dbrazdil@...gle.com>,
        Hans de Goede <hdegoede@...hat.com>,
        devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-doc@...r.kernel.org, Andrew Scull <ascull@...gle.com>,
        Will Deacon <will@...nel.org>
Subject: [PATCH v2 2/2] misc: dice: Add driver to forward secrets to userspace

Open Profile for DICE is a protocol for deriving unique secrets at boot
used by some Android devices. The firmware/bootloader hands over secrets
in a reserved memory region, which this driver takes ownership of and
exposes it to userspace via a misc device.

Userspace obtains the region's size using an ioctl and mmaps the memory
to its address space. This mapping cannot be write+shared, giving
userspace a guarantee that the secrets have not been overwritten by
another process.

Userspace can also issue an ioctl requesting that the memory be wiped by
the driver. Because both the kernel and userspace mappings use
write-combine semantics, all clients will observe the memory as zeroed
after the ioctl has returned.

Cc: Andrew Scull <ascull@...gle.com>
Cc: Will Deacon <will@...nel.org>
Signed-off-by: David Brazdil <dbrazdil@...gle.com>
---
 .../userspace-api/ioctl/ioctl-number.rst      |   1 +
 drivers/misc/Kconfig                          |   8 +
 drivers/misc/Makefile                         |   1 +
 drivers/misc/dice.c                           | 161 ++++++++++++++++++
 include/uapi/linux/dice.h                     |  14 ++
 5 files changed, 185 insertions(+)
 create mode 100644 drivers/misc/dice.c
 create mode 100644 include/uapi/linux/dice.h

diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst b/Documentation/userspace-api/ioctl/ioctl-number.rst
index cfe6cccf0f44..4b8bee2ffd1e 100644
--- a/Documentation/userspace-api/ioctl/ioctl-number.rst
+++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
@@ -341,6 +341,7 @@ Code  Seq#    Include File                                           Comments
 0xAE  40-FF  linux/kvm.h                                             Kernel-based Virtual Machine
                                                                      <mailto:kvm@...r.kernel.org>
 0xAE  20-3F  linux/nitro_enclaves.h                                  Nitro Enclaves
+0xAE  40-5F  uapi/linux/dice.h                                       Open Profile for DICE driver
 0xAF  00-1F  linux/fsl_hypervisor.h                                  Freescale hypervisor
 0xB0  all                                                            RATIO devices in development:
                                                                      <mailto:vgo@...io.de>
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index 0f5a49fc7c9e..7165f4b6c41b 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -470,6 +470,14 @@ config HISI_HIKEY_USB
 	  switching between the dual-role USB-C port and the USB-A host ports
 	  using only one USB controller.

+config DICE
+	tristate "Open Profile for DICE driver"
+	depends on OF_RESERVED_MEM
+	help
+	  This driver allows to ownership of a reserved memory region
+	  containing DICE secrets and expose them to userspace via
+	  a character device.
+
 source "drivers/misc/c2port/Kconfig"
 source "drivers/misc/eeprom/Kconfig"
 source "drivers/misc/cb710/Kconfig"
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index a086197af544..f73c6bb23ccd 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -59,3 +59,4 @@ obj-$(CONFIG_UACCE)		+= uacce/
 obj-$(CONFIG_XILINX_SDFEC)	+= xilinx_sdfec.o
 obj-$(CONFIG_HISI_HIKEY_USB)	+= hisi_hikey_usb.o
 obj-$(CONFIG_HI6421V600_IRQ)	+= hi6421v600-irq.o
+obj-$(CONFIG_DICE)		+= dice.o
diff --git a/drivers/misc/dice.c b/drivers/misc/dice.c
new file mode 100644
index 000000000000..06f3754feb71
--- /dev/null
+++ b/drivers/misc/dice.c
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2021 - Google LLC
+ * Author: David Brazdil <dbrazdil@...gle.com>
+ *
+ * Driver for Open Profile for DICE.
+ *
+ * This driver takes ownership of a reserved memory region containing secrets
+ * derived following the Open Profile for DICE. The contents of the memory
+ * region are not interpreted by the kernel but can be mapped into a userspace
+ * process via a misc device. The memory region can also be wiped, removing
+ * the secrets from memory.
+ *
+ * Userspace can access the data by (w/o error handling):
+ *
+ *     int fd = open("/dev/dice", O_RDONLY | O_CLOEXEC);
+ *     size_t size = ioctl(fd, DICE_GET_SIZE);
+ *     void *data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ *     ioctl(fd, DICE_WIPE);
+ *     close(fd);
+ */
+
+#include <linux/dice.h>
+#include <linux/io.h>
+#include <linux/miscdevice.h>
+#include <linux/mm.h>
+#include <linux/module.h>
+#include <linux/of_reserved_mem.h>
+#include <linux/platform_device.h>
+
+static int dice_mmap(struct file *filp, struct vm_area_struct *vma);
+static long dice_ioctl(struct file *filp, unsigned int cmd, unsigned long arg);
+
+static const struct file_operations dice_fops = {
+	.mmap = dice_mmap,
+	.unlocked_ioctl = dice_ioctl,
+};
+
+static struct miscdevice dice_misc = {
+	.name	= "dice",
+	.minor	= MISC_DYNAMIC_MINOR,
+	.fops	= &dice_fops,
+	.mode	= 0400,
+};
+
+static struct reserved_mem *dice_rmem;
+static DEFINE_SPINLOCK(dice_lock);
+
+static int dice_mmap(struct file *filp, struct vm_area_struct *vma)
+{
+	/* Do not allow userspace to modify the underlying data. */
+	if ((vma->vm_flags & VM_WRITE) && (vma->vm_flags & VM_SHARED))
+		return -EPERM;
+
+	/* Create write-combine mapping so all clients observe a wipe. */
+	vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
+	vma->vm_flags |= VM_DONTCOPY | VM_DONTDUMP;
+	return vm_iomap_memory(vma, dice_rmem->base, dice_rmem->size);
+}
+
+static int dice_wipe(void)
+{
+	void *kaddr;
+
+	spin_lock(&dice_lock);
+	kaddr = devm_memremap(dice_misc.this_device, dice_rmem->base,
+			      dice_rmem->size, MEMREMAP_WC);
+	if (IS_ERR(kaddr)) {
+		spin_unlock(&dice_lock);
+		return PTR_ERR(kaddr);
+	}
+
+	memzero_explicit(kaddr, dice_rmem->size);
+	devm_memunmap(dice_misc.this_device, kaddr);
+	spin_unlock(&dice_lock);
+	return 0;
+}
+
+static long dice_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+{
+	switch (cmd) {
+	case DICE_GET_SIZE:
+		/* Checked against INT_MAX in dice_probe(). */
+		return dice_rmem->size;
+	case DICE_WIPE:
+		return dice_wipe();
+	}
+
+	return -ENOIOCTLCMD;
+}
+
+static int __init dice_probe(struct platform_device *pdev)
+{
+	struct device *dev = &pdev->dev;
+	struct device_node *rmem_np;
+	struct reserved_mem *rmem;
+	int ret;
+
+	if (dice_rmem) {
+		dev_err(dev, "only one instance of device allowed\n");
+		return -EBUSY;
+	}
+
+	rmem_np = of_parse_phandle(dev->of_node, "memory-region", 0);
+	if (!rmem_np) {
+		dev_err(dev, "missing 'memory-region' property\n");
+		return -EINVAL;
+	}
+
+	rmem = of_reserved_mem_lookup(rmem_np);
+	of_node_put(rmem_np);
+	if (!rmem) {
+		dev_err(dev, "failed to lookup reserved memory\n");
+		return -EINVAL;
+	}
+
+	if (!PAGE_ALIGNED(rmem->base) || !PAGE_ALIGNED(rmem->size)) {
+		dev_err(dev, "memory region must be page-aligned\n");
+		return -EINVAL;
+	}
+
+	if (!rmem->size || (rmem->size > INT_MAX)) {
+		dev_err(dev, "invalid memory region size\n");
+		return -EINVAL;
+	}
+
+	dice_misc.parent = dev;
+	ret = misc_register(&dice_misc);
+	if (ret) {
+		dev_err(dev, "failed to register misc device: %d\n", ret);
+		return ret;
+	}
+
+	dice_rmem = rmem;
+	return 0;
+}
+
+static int dice_remove(struct platform_device *pdev)
+{
+	misc_deregister(&dice_misc);
+	dice_rmem = NULL;
+	return 0;
+}
+
+static const struct of_device_id dice_of_match[] = {
+	{ .compatible = "google,dice" },
+	{},
+};
+
+static struct platform_driver dice_driver = {
+	.remove = dice_remove,
+	.driver = {
+		.name = "dice",
+		.of_match_table = dice_of_match,
+	},
+};
+
+module_platform_driver_probe(dice_driver, dice_probe);
+
+MODULE_LICENSE("GPL v2");
+MODULE_AUTHOR("David Brazdil <dbrazdil@...gle.com>");
diff --git a/include/uapi/linux/dice.h b/include/uapi/linux/dice.h
new file mode 100644
index 000000000000..68f7304408ed
--- /dev/null
+++ b/include/uapi/linux/dice.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/*
+ * IOCTLs for Open Profile for DICE character device
+ */
+
+#ifndef _UAPI_DICE_H_
+#define _UAPI_DICE_H_
+
+#include <linux/ioctl.h>
+
+#define DICE_GET_SIZE	_IO(0xAE, 0x40)
+#define DICE_WIPE	_IO(0xAE, 0x41)
+
+#endif
--
2.34.1.400.ga245620fadb-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ