lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230822125555.GA82256@rayden>
Date:   Tue, 22 Aug 2023 14:55:55 +0200
From:   Jens Wiklander <jens.wiklander@...aro.org>
To:     Sumit Garg <sumit.garg@...aro.org>
Cc:     linux-integrity@...r.kernel.org, keyrings@...r.kernel.org,
        jarkko@...nel.org, jejb@...ux.ibm.com, zohar@...ux.ibm.com,
        sudeep.holla@....com, achin.gupta@....com,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KEYS: trusted: tee: Refactor register SHM usage

On Tue, Aug 22, 2023 at 04:59:33PM +0530, Sumit Garg wrote:
> The OP-TEE driver using the old SMC based ABI permits overlapping shared
> buffers, but with the new FF-A based ABI each physical page may only
> be registered once.
> 
> As the key and blob buffer are allocated adjancently, there is no need
> for redundant register shared memory invocation. Also, it is incompatibile
> with FF-A based ABI limitation. So refactor register shared memory
> implementation to use only single invocation to register both key and blob
> buffers.
> 
> Fixes: 4615e5a34b95 ("optee: add FF-A support")
> Reported-by: Jens Wiklander <jens.wiklander@...aro.org>
> Signed-off-by: Sumit Garg <sumit.garg@...aro.org>
> ---
>  security/keys/trusted-keys/trusted_tee.c | 64 ++++++++----------------
>  1 file changed, 20 insertions(+), 44 deletions(-)
> 
> diff --git a/security/keys/trusted-keys/trusted_tee.c b/security/keys/trusted-keys/trusted_tee.c
> index ac3e270ade69..aa3d477de6db 100644
> --- a/security/keys/trusted-keys/trusted_tee.c
> +++ b/security/keys/trusted-keys/trusted_tee.c
> @@ -65,24 +65,16 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
>  	int ret;
>  	struct tee_ioctl_invoke_arg inv_arg;
>  	struct tee_param param[4];
> -	struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +	struct tee_shm *reg_shm = NULL;
>  
>  	memset(&inv_arg, 0, sizeof(inv_arg));
>  	memset(&param, 0, sizeof(param));
>  
> -	reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
> -						 p->key_len);
> -	if (IS_ERR(reg_shm_in)) {
> -		dev_err(pvt_data.dev, "key shm register failed\n");
> -		return PTR_ERR(reg_shm_in);
> -	}
> -
> -	reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob,
> -						  sizeof(p->blob));
> -	if (IS_ERR(reg_shm_out)) {
> -		dev_err(pvt_data.dev, "blob shm register failed\n");
> -		ret = PTR_ERR(reg_shm_out);
> -		goto out;
> +	reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
> +					      sizeof(p->key) + sizeof(p->blob));

This is somewhat fragile. What if struct trusted_key_payload has a small
unexpected change in layout?

Thanks,
Jens

> +	if (IS_ERR(reg_shm)) {
> +		dev_err(pvt_data.dev, "shm register failed\n");
> +		return PTR_ERR(reg_shm);
>  	}
>  
>  	inv_arg.func = TA_CMD_SEAL;
> @@ -90,13 +82,13 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
>  	inv_arg.num_params = 4;
>  
>  	param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> -	param[0].u.memref.shm = reg_shm_in;
> +	param[0].u.memref.shm = reg_shm;
>  	param[0].u.memref.size = p->key_len;
>  	param[0].u.memref.shm_offs = 0;
>  	param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> -	param[1].u.memref.shm = reg_shm_out;
> +	param[1].u.memref.shm = reg_shm;
>  	param[1].u.memref.size = sizeof(p->blob);
> -	param[1].u.memref.shm_offs = 0;
> +	param[1].u.memref.shm_offs = sizeof(p->key);
>  
>  	ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
>  	if ((ret < 0) || (inv_arg.ret != 0)) {
> @@ -107,11 +99,7 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
>  		p->blob_len = param[1].u.memref.size;
>  	}
>  
> -out:
> -	if (reg_shm_out)
> -		tee_shm_free(reg_shm_out);
> -	if (reg_shm_in)
> -		tee_shm_free(reg_shm_in);
> +	tee_shm_free(reg_shm);
>  
>  	return ret;
>  }
> @@ -124,24 +112,16 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
>  	int ret;
>  	struct tee_ioctl_invoke_arg inv_arg;
>  	struct tee_param param[4];
> -	struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +	struct tee_shm *reg_shm = NULL;
>  
>  	memset(&inv_arg, 0, sizeof(inv_arg));
>  	memset(&param, 0, sizeof(param));
>  
> -	reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob,
> -						 p->blob_len);
> -	if (IS_ERR(reg_shm_in)) {
> -		dev_err(pvt_data.dev, "blob shm register failed\n");
> -		return PTR_ERR(reg_shm_in);
> -	}
> -
> -	reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
> -						  sizeof(p->key));
> -	if (IS_ERR(reg_shm_out)) {
> -		dev_err(pvt_data.dev, "key shm register failed\n");
> -		ret = PTR_ERR(reg_shm_out);
> -		goto out;
> +	reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
> +					      sizeof(p->key) + sizeof(p->blob));
> +	if (IS_ERR(reg_shm)) {
> +		dev_err(pvt_data.dev, "shm register failed\n");
> +		return PTR_ERR(reg_shm);
>  	}
>  
>  	inv_arg.func = TA_CMD_UNSEAL;
> @@ -149,11 +129,11 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
>  	inv_arg.num_params = 4;
>  
>  	param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> -	param[0].u.memref.shm = reg_shm_in;
> +	param[0].u.memref.shm = reg_shm;
>  	param[0].u.memref.size = p->blob_len;
> -	param[0].u.memref.shm_offs = 0;
> +	param[0].u.memref.shm_offs = sizeof(p->key);
>  	param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> -	param[1].u.memref.shm = reg_shm_out;
> +	param[1].u.memref.shm = reg_shm;
>  	param[1].u.memref.size = sizeof(p->key);
>  	param[1].u.memref.shm_offs = 0;
>  
> @@ -166,11 +146,7 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
>  		p->key_len = param[1].u.memref.size;
>  	}
>  
> -out:
> -	if (reg_shm_out)
> -		tee_shm_free(reg_shm_out);
> -	if (reg_shm_in)
> -		tee_shm_free(reg_shm_in);
> +	tee_shm_free(reg_shm);
>  
>  	return ret;
>  }
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ