| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Feb 2023 12:17:16 -0800
From: Jeffrey Kardatzke <jkardatzke@...omium.org>
To: Jens Wiklander <jens.wiklander@...aro.org>
Cc: op-tee@...ts.trustedfirmware.org,
Sumit Garg <sumit.garg@...aro.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tee: optee: Add SMC for loading OP-TEE image
On Fri, Feb 24, 2023 at 12:25 AM Jens Wiklander
<jens.wiklander@...aro.org> wrote:
>
> On Thu, Feb 23, 2023 at 8:09 PM Jeffrey Kardatzke
> <jkardatzke@...omium.org> wrote:
> >
> > On Thu, Feb 23, 2023 at 1:28 AM Jens Wiklander
> > <jens.wiklander@...aro.org> wrote:
> > >
> > > Hi,
> > >
> > > On Wed, Feb 22, 2023 at 6:24 PM Jeffrey Kardatzke
> > > <jkardatzke@...omium.org> wrote:
> > > >
> > > > Adds an SMC call that will pass an OP-TEE binary image to EL3 and
> > > > instruct it to load it as the BL32 payload. This works in conjunction
> > > > with a feature added to Trusted Firmware for ARM that supports this.
> > > >
> > > > Signed-off-by: Jeffrey Kardatzke <jkardatzke@...omium.org>
> > > > Signed-off-by: Jeffrey Kardatzke <jkardatzke@...gle.com>
> > > > ---
> > > >
> > > > drivers/tee/optee/Kconfig | 10 +++++
> > > > drivers/tee/optee/optee_msg.h | 14 +++++++
> > > > drivers/tee/optee/optee_smc.h | 22 ++++++++++
> > > > drivers/tee/optee/smc_abi.c | 77 +++++++++++++++++++++++++++++++++++
> > > > 4 files changed, 123 insertions(+)
> > > >
> > > > diff --git a/drivers/tee/optee/Kconfig b/drivers/tee/optee/Kconfig
> > > > index f121c224e682..5ffbeb3eaac0 100644
> > > > --- a/drivers/tee/optee/Kconfig
> > > > +++ b/drivers/tee/optee/Kconfig
> > > > @@ -7,3 +7,13 @@ config OPTEE
> > > > help
> > > > This implements the OP-TEE Trusted Execution Environment (TEE)
> > > > driver.
> > > > +
> > > > +config OPTEE_LOAD_IMAGE
> > > > + bool "Load Op-Tee image as firmware"
> > >
> > > OP-TEE
> > Done, fixed in next patch set.
> > >
> > > > + default n
> > > > + depends on OPTEE
> > > > + help
> > > > + This loads the BL32 image for OP-TEE as firmware when the driver is probed.
> > > > + This returns -EPROBE_DEFER until the firmware is loadable from the
> > > > + filesystem which is determined by checking the system_state until it is in
> > > > + SYSTEM_RUNNING.
> > > > diff --git a/drivers/tee/optee/optee_msg.h b/drivers/tee/optee/optee_msg.h
> > > > index 70e9cc2ee96b..84c1b15032a9 100644
> > > > --- a/drivers/tee/optee/optee_msg.h
> > > > +++ b/drivers/tee/optee/optee_msg.h
> > > > @@ -284,6 +284,20 @@ struct optee_msg_arg {
> > > > */
> > > > #define OPTEE_MSG_FUNCID_GET_OS_REVISION 0x0001
> > > >
> > > > +/*
> > > > + * Load Trusted OS from optee/tee.bin in the Linux firmware.
> > > > + *
> > > > + * WARNING: Use this cautiously as it could lead to insecure loading of the
> > > > + * Trusted OS.
> > > > + * This SMC instructs EL3 to load a binary and excute it as the Trusted OS.
> > > > + * The first two params are the high and low 32 bits of the size of the payload
> > > > + * and the third and fourth params are the high and low 32 bits of the physical
> > > > + * address of the payload. The payload is in the OP-TEE image format.
> > > > + *
> > > > + * Returns 0 on success and an error code otherwise.
> > > > + */
> > > > +#define OPTEE_MSG_FUNCID_LOAD_IMAGE 0x0002
> > >
> > > There's no need to add anything to this file, you can define
> > > OPTEE_SMC_FUNCID_LOAD_IMAGE to 2 directly in optee_smc.h below.
> > >
> > Done, fixed in next patch set.
> > > > +
> > > > /*
> > > > * Do a secure call with struct optee_msg_arg as argument
> > > > * The OPTEE_MSG_CMD_* below defines what goes in struct optee_msg_arg::cmd
> > > > diff --git a/drivers/tee/optee/optee_smc.h b/drivers/tee/optee/optee_smc.h
> > > > index 73b5e7760d10..908b1005e9db 100644
> > > > --- a/drivers/tee/optee/optee_smc.h
> > > > +++ b/drivers/tee/optee/optee_smc.h
> > > > @@ -104,6 +104,28 @@ struct optee_smc_call_get_os_revision_result {
> > > > unsigned long reserved1;
> > > > };
> > > >
> > > > +/*
> > > > + * Load Trusted OS from optee/tee.bin in the Linux firmware.
> > > > + *
> > > > + * WARNING: Use this cautiously as it could lead to insecure loading of the
> > > > + * Trusted OS.
> > > > + * This SMC instructs EL3 to load a binary and excute it as the Trusted OS.
> > >
> > > execute
> > >
> > Done, fixed in next patch set.
> > > > + *
> > > > + * Call register usage:
> > > > + * a0 SMC Function ID, OPTEE_SMC_CALL_LOAD_IMAGE
> > > > + * a1 Upper 32bit of a 64bit size for the payload
> > > > + * a2 Lower 32bit of a 64bit size for the payload
> > > > + * a3 Upper 32bit of the physical address for the payload
> > > > + * a4 Lower 32bit of the physical address for the payload
> > > > + *
> > > > + * The payload is in the OP-TEE image format.
> > > > + *
> > > > + * Returns result in a0, 0 on success and an error code otherwise.
> > > > + */
> > > > +#define OPTEE_SMC_FUNCID_LOAD_IMAGE OPTEE_MSG_FUNCID_LOAD_IMAGE
> > > > +#define OPTEE_SMC_CALL_LOAD_IMAGE \
> > > > + OPTEE_SMC_FAST_CALL_VAL(OPTEE_SMC_FUNCID_LOAD_IMAGE)
> > > > +
> > > > /*
> > > > * Call with struct optee_msg_arg as argument
> > > > *
> > > > diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
> > > > index a1c1fa1a9c28..c1abbee86b39 100644
> > > > --- a/drivers/tee/optee/smc_abi.c
> > > > +++ b/drivers/tee/optee/smc_abi.c
> > > > @@ -8,9 +8,11 @@
> > > >
> > > > #include <linux/arm-smccc.h>
> > > > #include <linux/errno.h>
> > > > +#include <linux/firmware.h>
> > > > #include <linux/interrupt.h>
> > > > #include <linux/io.h>
> > > > #include <linux/irqdomain.h>
> > > > +#include <linux/kernel.h>
> > > > #include <linux/mm.h>
> > > > #include <linux/module.h>
> > > > #include <linux/of.h>
> > > > @@ -1354,6 +1356,77 @@ static void optee_shutdown(struct platform_device *pdev)
> > > > optee_disable_shm_cache(optee);
> > > > }
> > > >
> > > > +#ifdef CONFIG_OPTEE_LOAD_IMAGE
> > > > +
> > > > +#define OPTEE_FW_IMAGE "optee/tee.bin"
> > > > +
> > > > +static int optee_load_fw(struct platform_device *pdev,
> > > > + optee_invoke_fn *invoke_fn)
> > > > +{
> > > > + const struct firmware *fw = NULL;
> > > > + struct arm_smccc_res res;
> > > > + phys_addr_t data_pa;
> > > > + u8 *data_buf = NULL;
> > > > + u64 data_size;
> > > > + u32 data_pa_high, data_pa_low;
> > > > + u32 data_size_high, data_size_low;
> > > > + int rc;
> > > > +
> > > > + rc = request_firmware(&fw, OPTEE_FW_IMAGE, &pdev->dev);
> > > > + if (rc) {
> > > > + /*
> > > > + * The firmware in the rootfs will not be accessible until we
> > > > + * are in the SYSTEM_RUNNING state, so return EPROBE_DEFER until
> > > > + * that point.
> > > > + */
> > > > + if (system_state < SYSTEM_RUNNING)
> > > > + return -EPROBE_DEFER;
> > > > + goto fw_err;
> > > > + }
> > > > +
> > > > + data_size = fw->size;
> > > > + /*
> > > > + * This uses the GFP_DMA flag to ensure we are allocated memory in the
> > > > + * 32-bit space since TF-A cannot map memory beyond the 32-bit boundary.
> > > > + */
> > > > + data_buf = kmalloc(fw->size, GFP_KERNEL | GFP_DMA);
> > > > + if (!data_buf) {
> > > > + rc = -ENOMEM;
> > > > + goto fw_err;
> > > > + }
> > > > + memcpy(data_buf, fw->data, fw->size);
> > > > + data_pa = virt_to_phys(data_buf);
> > > > + reg_pair_from_64(&data_pa_high, &data_pa_low, data_pa);
> > > > + reg_pair_from_64(&data_size_high, &data_size_low, data_size);
> > > > + goto fw_load;
> > > > +
> > > > +fw_err:
> > > > + pr_warn("image loading failed\n");
> > > > + data_pa_high = data_pa_low = data_size_high = data_size_low = 0;
> > > > +
> > > > +fw_load:
> > > > + /*
> > > > + * Always invoke the SMC, even if loading the image fails, to indicate
> > > > + * to EL3 that we have passed the point where it should allow invoking
> > > > + * this SMC.
> > > > + */
> > > > + invoke_fn(OPTEE_SMC_CALL_LOAD_IMAGE, data_size_high, data_size_low,
> > > > + data_pa_high, data_pa_low, 0, 0, 0, &res);
> > >
> > > Prior to this, you've done nothing to check that the firmware might do
> > > what you're expecting. optee_msg_api_uid_is_optee_api() does this
> > > under normal circumstances as that SMC function is defined in the SMC
> > > Calling Convention. I'm not sure what is the best approach here
> > > though.
> > >
> > The way I think about it is that we have to issue this SMC call once
> > we are in the SYSTEM_RUNNING state no matter what. We need to close
> > the security hole this would leave open otherwise. Any other checks we
> > would do that would prevent us from making that call could be other
> > attack vectors.
>
> This is clearly a weakness in the design. If the kernel config doesn't
> match exactly, we either have an open security hole in the secure
> world or fail to initialize the driver.
Yes, that's correct where if TF-A was built to enable the SMC call,
but then the kernel wasn't built to include the OP-TEE driver, or with
the image loading SMC config or the driver doesn't get loaded; that's
leaving an open security hole. It's understood as part of this design
that there's a big open security hole if the system isn't configured
properly.
> The former can only happen in
> systems designed like yours where the kernel up to this point has the
> same level of security as the secure world. There's no need for me to
> repeat my concerns over that, but this is now going to have an impact
> on platforms that don't use your security model too. So far we've
> managed to avoid configuration options in the OP-TEE driver that
> breaks everything for a class of devices.
I could change TF-A and the kernel driver so that if it somebody does
enable the kernel option but not the TF-A option, that TF-A returns a
specific error code (rather than passing the non-secure originating
call to OP-TEE) and the kernel driver can recognize that and then
continue as if OP-TEE was loaded. Then enabling this option won't
break anything if the TF-A config doesn't match.
>
> Given how important this call is for your platform and at the same
> time harmful for all others perhaps this call should be done in a
> separate driver.
I'm not a kernel driver expert...but if I moved this into its own
driver, then I think I'd need to have the OP-TEE driver defer loading
until the image loading driver succeeds if it's enabled. So somebody
enabling that other driver would hit the same issues as somebody
enabling this config option for OP-TEE. (I have no problem moving this
into a new driver if that's what you really want, but I want to be
sure the same concerns don't come up if I do that).
If your main concern is somebody enabling this option and breaking
their use of OP-TEE...then what I mentioned above should resolve that.
If not, let me know more specifically what issue you're trying to
avoid here.
Thanks,
Jeff
>
> Thanks,
> Jens
>
> > > > + if (!rc)
> > > > + rc = res.a0;
> > > > + if (fw)
> > > > + release_firmware(fw);
> > > > + kfree(data_buf);
> > > > +
> > > > + return rc;
> > > > +}
> > > > +#else
> > > > +static inline int optee_load_fw(struct platform_device *__unused,
> > > > + optee_invoke_fn *__unused) {
> > > > + return 0;
> > > > +}
> > > > +#endif
> > > > +
> > > > static int optee_probe(struct platform_device *pdev)
> > > > {
> > > > optee_invoke_fn *invoke_fn;
> > > > @@ -1372,6 +1445,10 @@ static int optee_probe(struct platform_device *pdev)
> > > > if (IS_ERR(invoke_fn))
> > > > return PTR_ERR(invoke_fn);
> > > >
> > > > + rc = optee_load_fw(pdev, invoke_fn);
> > > > + if (rc)
> > > > + return rc;
> > >
> > > What if OP-TEE already was loaded?
> > > This also causes trouble if unloading and loading the driver again.
> > > I think we need a way of telling if OP-TEE must be loaded first or not.
> > >
> > OK, I added some state tracking in the driver code to return the prior
> > loading result if it was already loaded.
> > > Thanks,
> > > Jens
> > >
> > > > +
> > > > if (!optee_msg_api_uid_is_optee_api(invoke_fn)) {
> > > > pr_warn("api uid mismatch\n");
> > > > return -EINVAL;
> > > > --
> > > > 2.39.2.637.g21b0678d19-goog
> > > >
Powered by blists - more mailing lists