author | Jens Wiklander <jens.wiklander@linaro.org> | 2017-04-13 15:01:53 +0200 |
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2017-04-21 14:05:23 +0200 |
commit | 0c4e1284c44fe5700824a3fb47fff82d76025ff8 (patch) | |
tree | 20ebced529581219acc51014492dcab515f06f57 /core/tee | |
parent | 22efbd4a59b28eec98ca02cca5bc4b88f230487f (diff) |
core: FS: key manager takes supplied UUID
The FS key manager takes a supplied UUID instead of extracting it from
the current session, in order to be more flexible.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'core/tee')
-rw-r--r-- | core/tee/fs_htree.c | 8 | ||||
-rw-r--r-- | core/tee/tee_fs_key_manager.c | 47 | ||||
-rw-r--r-- | core/tee/tee_ree_fs.c | 2 | ||||
-rw-r--r-- | core/tee/tee_rpmb_fs.c | 24 | ||||
-rw-r--r-- | core/tee/tee_sql_fs.c | 2 |
5 files changed, 53 insertions, 30 deletions
diff --git a/core/tee/fs_htree.c b/core/tee/fs_htree.c
index 796b18f4..10a8b0e0 100644
--- a/core/tee/fs_htree.c
+++ b/core/tee/fs_htree.c
@@ -116,6 +116,7 @@ struct tee_fs_htree {
 uint8_t fek[TEE_FS_HTREE_FEK_SIZE];
 struct tee_fs_htree_imeta imeta;
 bool dirty;
+ const TEE_UUID *uuid;
 const struct tee_fs_htree_storage *stor;
 void *stor_aux;
 };
@@ -576,7 +577,7 @@ static TEE_Result verify_root(struct tee_fs_htree *ht)
 TEE_Result res;
 void *ctx;
 
- res = tee_fs_fek_crypt(TEE_MODE_DECRYPT, ht->head.enc_fek,
+ res = tee_fs_fek_crypt(ht->uuid, TEE_MODE_DECRYPT, ht->head.enc_fek,
 sizeof(ht->fek), ht->fek);
 if (res != TEE_SUCCESS)
 return res;
@@ -649,7 +650,7 @@ static TEE_Result init_root_node(struct tee_fs_htree *ht)
 return res;
 }
 
-TEE_Result tee_fs_htree_open(bool create, uint8_t *hash,
+TEE_Result tee_fs_htree_open(bool create, uint8_t *hash, const TEE_UUID *uuid,
 const struct tee_fs_htree_storage *stor,
 void *stor_aux, struct tee_fs_htree **ht_ret)
 {
@@ -659,6 +660,7 @@ TEE_Result tee_fs_htree_open(bool create, uint8_t *hash,
 if (!ht)
 return TEE_ERROR_OUT_OF_MEMORY;
 
+ ht->uuid = uuid;
 ht->stor = stor;
 ht->stor_aux = stor_aux;
 
@@ -669,7 +671,7 @@ TEE_Result tee_fs_htree_open(bool create, uint8_t *hash,
 if (res != TEE_SUCCESS)
 goto out;
 
- res = tee_fs_fek_crypt(TEE_MODE_ENCRYPT, ht->fek,
+ res = tee_fs_fek_crypt(ht->uuid, TEE_MODE_ENCRYPT, ht->fek,
 sizeof(ht->fek), ht->head.enc_fek);
 if (res != TEE_SUCCESS)
 goto out;
diff --git a/core/tee/tee_fs_key_manager.c b/core/tee/tee_fs_key_manager.c
index fa579c69..577d515e 100644
--- a/core/tee/tee_fs_key_manager.c
+++ b/core/tee/tee_fs_key_manager.c
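Review bot: `ht->uuid = uuid;` in tee_fs_htree_open stores the caller's pointer rather than a copy, so the htree now depends on the object behind it (the `&po->uuid` of a tee_pobj in the REE and SQL callers) staying alive for as long as `ht->uuid` may be dereferenced. As far as these hunks show the only readers are verify_root and the FEK-encrypt path of tee_fs_htree_open, both reached during open, so nothing dangles today, but the constraint is not written down for a later sync or rekey path that might read it after the pobj is gone. Either document it on the new member, `const TEE_UUID *uuid; /* borrowed from the caller; must outlive this htree */`, or make the member a `TEE_UUID` and copy it on open. tee_fs_htree_open's body continues outside the hunk.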
@@ -59,9 +59,9 @@ static struct tee_fs_ssk tee_fs_ssk;
 
 static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk";
 
-static TEE_Result do_hmac(uint8_t *out_key, uint32_t out_key_size,
- const uint8_t *in_key, uint32_t in_key_size,
- const uint8_t *message, uint32_t message_size)
+static TEE_Result do_hmac(void *out_key, size_t out_key_size,
+ const void *in_key, size_t in_key_size,
+ const void *message, size_t message_size)
 {
 TEE_Result res = TEE_ERROR_GENERIC;
 uint8_t *ctx = NULL;
@@ -99,15 +99,15 @@ exit:
 return res;
 }
 
-TEE_Result tee_fs_fek_crypt(TEE_OperationMode mode, const uint8_t *in_key,
- size_t size, uint8_t *out_key)
+TEE_Result tee_fs_fek_crypt(const TEE_UUID *uuid, TEE_OperationMode mode,
+ const uint8_t *in_key, size_t size,
+ uint8_t *out_key)
 {
 TEE_Result res;
 uint8_t *ctx = NULL;
 size_t ctx_size;
 uint8_t tsk[TEE_FS_KM_TSK_SIZE];
 uint8_t dst_key[size];
- struct tee_ta_session *sess;
 
 if (!in_key || !out_key)
 return TEE_ERROR_BAD_PARAMETERS;
@@ -118,14 +118,23 @@ TEE_Result tee_fs_fek_crypt(TEE_OperationMode mode, const uint8_t *in_key,
 if (tee_fs_ssk.is_init == 0)
 return TEE_ERROR_GENERIC;
 
- res = tee_ta_get_current_session(&sess);
- if (res != TEE_SUCCESS)
- return res;
-
- res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE,
- (uint8_t *)&sess->ctx->uuid, sizeof(TEE_UUID));
- if (res != TEE_SUCCESS)
- return res;
+ if (uuid) {
+ res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key,
+ TEE_FS_KM_SSK_SIZE, uuid, sizeof(*uuid));
+ if (res != TEE_SUCCESS)
+ return res;
+ } else {
+ /*
+ * Pick something of a different size than TEE_UUID to
+ * guarantee that there's never a conflict.
+ */
+ uint8_t dummy[1] = { 0 };
+
+ res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key,
+ TEE_FS_KM_SSK_SIZE, dummy, sizeof(dummy));
+ if (res != TEE_SUCCESS)
+ return res;
+ }
 
 res = crypto_ops.cipher.get_ctx_size(TEE_FS_KM_ENC_FEK_ALG, &ctx_size);
 if (res != TEE_SUCCESS)
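Review bot: The `else` branch in tee_fs_fek_crypt makes a NULL `uuid` a valid input that derives the TSK from a fixed one-byte message, so every caller passing NULL shares one TA-independent wrapping key, and a FEK wrapped under it is unwrappable by any other NULL-uuid caller; the old code refused to proceed without a current session, the new code accepts NULL silently. That contract is not documented anywhere in the hunk, and the definition should state that the NULL case is reserved for objects owned by core itself and must never be used for a TA's objects (a three-line comment above the `if (uuid)` would do). The two branches also duplicate the do_hmac call and its error check and differ only in the message, which is easier to audit as a single call; a sketch follows, with the new locals going next to the existing ones so declarations stay at the top of the function. tee_fs_fek_crypt's body continues outside the hunk.
```c
	/* … unchanged: other locals … */
	/*
	 * Pick something of a different size than TEE_UUID to
	 * guarantee that there's never a conflict.
	 */
	static const uint8_t dummy[1] = { 0 };
	const void *msg = uuid ? (const void *)uuid : dummy;
	size_t msg_size = uuid ? sizeof(*uuid) : sizeof(dummy);

	/* … unchanged: parameter and is_init checks … */
	res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE,
		      msg, msg_size);
	if (res != TEE_SUCCESS)
		return res;
	/* … unchanged: cipher context setup and FEK encrypt/decrypt … */
```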
@@ -189,7 +198,7 @@ static TEE_Result tee_fs_init_key_manager(void)
 return res;
 }
 
-TEE_Result tee_fs_generate_fek(uint8_t *buf, int buf_size)
+TEE_Result tee_fs_generate_fek(const TEE_UUID *uuid, void *buf, size_t buf_size)
 {
 TEE_Result res;
 
@@ -200,7 +209,8 @@ TEE_Result tee_fs_generate_fek(uint8_t *buf, int buf_size)
 if (res != TEE_SUCCESS)
 return res;
 
- return tee_fs_fek_crypt(TEE_MODE_ENCRYPT, buf, TEE_FS_KM_FEK_SIZE, buf);
+ return tee_fs_fek_crypt(uuid, TEE_MODE_ENCRYPT, buf,
+ TEE_FS_KM_FEK_SIZE, buf);
 }
 
 static TEE_Result sha256(uint8_t *out, size_t out_size, const uint8_t *in,
@@ -290,7 +300,8 @@ static TEE_Result essiv(uint8_t iv[TEE_AES_BLOCK_SIZE],
 /*
 * Encryption/decryption of RPMB FS file data. This is AES CBC with ESSIV.
 */
-TEE_Result tee_fs_crypt_block(uint8_t *out, const uint8_t *in, size_t size,
+TEE_Result tee_fs_crypt_block(const TEE_UUID *uuid, uint8_t *out,
+ const uint8_t *in, size_t size,
 uint16_t blk_idx, const uint8_t *encrypted_fek,
 TEE_OperationMode mode)
 {
@@ -305,7 +316,7 @@ TEE_Result tee_fs_crypt_block(uint8_t *out, const uint8_t *in, size_t size,
 blk_idx);
 
 /* Decrypt FEK */
- res = tee_fs_fek_crypt(TEE_MODE_DECRYPT, encrypted_fek,
+ res = tee_fs_fek_crypt(uuid, TEE_MODE_DECRYPT, encrypted_fek,
 TEE_FS_KM_FEK_SIZE, fek);
 if (res != TEE_SUCCESS)
 return res;
diff --git a/core/tee/tee_ree_fs.c b/core/tee/tee_ree_fs.c
index 6a64e2a9..6e771ac2 100644
--- a/core/tee/tee_ree_fs.c
+++ b/core/tee/tee_ree_fs.c
@@ -415,7 +415,7 @@ static TEE_Result open_internal(struct tee_pobj *po, bool create,
 if (res != TEE_SUCCESS)
 goto out;
 
- res = tee_fs_htree_open(create, NULL, &ree_fs_storage_ops,
+ res = tee_fs_htree_open(create, NULL, &po->uuid, &ree_fs_storage_ops,
 fdp, &fdp->ht);
 out:
 if (res == TEE_SUCCESS) {
diff --git a/core/tee/tee_rpmb_fs.c b/core/tee/tee_rpmb_fs.c
index 542c9721..0daff44f 100644
--- a/core/tee/tee_rpmb_fs.c
+++ b/core/tee/tee_rpmb_fs.c
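Review bot: The comment above tee_fs_crypt_block still reads only "Encryption/decryption of RPMB FS file data" and says nothing about the new `uuid` parameter, which has to be the UUID the FEK was generated under: tee_fs_fek_crypt derives the FEK-wrapping key from it, and as far as these hunks show there is no integrity check on the unwrapped FEK, so a mismatched UUID yields a wrong data key rather than an error. Suggested line for that comment: ` * uuid must be the UUID encrypted_fek was created with (see tee_fs_generate_fek); NULL selects the TA-independent key.` The `uuid` added to tee_fs_generate_fek in the hunk above deserves the same one-line note, since the two calls are the two halves of one contract. tee_fs_crypt_block's body continues outside the hunk.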
@@ -511,15 +511,25 @@ static bool is_zero(const uint8_t *buf, size_t size)
 static TEE_Result encrypt_block(uint8_t *out, const uint8_t *in,
 uint16_t blk_idx, const uint8_t *fek)
 {
- return tee_fs_crypt_block(out, in, RPMB_DATA_SIZE, blk_idx, fek,
- TEE_MODE_ENCRYPT);
+ struct tee_ta_session *sess;
+ TEE_Result res = tee_ta_get_current_session(&sess);
+
+ if (res)
+ return res;
+ return tee_fs_crypt_block(&sess->ctx->uuid, out, in, RPMB_DATA_SIZE,
+ blk_idx, fek, TEE_MODE_ENCRYPT);
 }
 
 static TEE_Result decrypt_block(uint8_t *out, const uint8_t *in,
 uint16_t blk_idx, const uint8_t *fek)
 {
- return tee_fs_crypt_block(out, in, RPMB_DATA_SIZE, blk_idx, fek,
- TEE_MODE_DECRYPT);
+ struct tee_ta_session *sess;
+ TEE_Result res = tee_ta_get_current_session(&sess);
+
+ if (res)
+ return res;
+ return tee_fs_crypt_block(&sess->ctx->uuid, out, in, RPMB_DATA_SIZE,
+ blk_idx, fek, TEE_MODE_DECRYPT);
 }
 
 /* Decrypt/copy at most one block of data */
@@ -1908,12 +1918,12 @@ out:
 return res;
 }
 
-static TEE_Result generate_fek(struct rpmb_fat_entry *fe)
+static TEE_Result generate_fek(struct rpmb_fat_entry *fe, const TEE_UUID *uuid)
 {
 TEE_Result res;
 
 again:
- res = tee_fs_generate_fek(fe->fek, sizeof(fe->fek));
+ res = tee_fs_generate_fek(uuid, fe->fek, sizeof(fe->fek));
 if (res != TEE_SUCCESS)
 return res;
 
@@ -1978,7 +1988,7 @@ static TEE_Result rpmb_fs_open_internal(struct tee_pobj *po, bool create,
 /* Start address and size are 0 */
 fh->fat_entry.flags = FILE_IS_ACTIVE;
 
- res = generate_fek(&fh->fat_entry);
+ res = generate_fek(&fh->fat_entry, &po->uuid);
 if (res != TEE_SUCCESS)
 goto out;
 DMSG("GENERATE FEK key: %p",
diff --git a/core/tee/tee_sql_fs.c b/core/tee/tee_sql_fs.c
index a59a20ca..fca56734 100644
--- a/core/tee/tee_sql_fs.c
+++ b/core/tee/tee_sql_fs.c
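Review bot: encrypt_block and decrypt_block take the UUID from tee_ta_get_current_session, while generate_fek in the later hunk binds the new FEK to `&po->uuid` from the pobj, so the FEK is wrapped under one UUID and unwrapped under the other; the two only agree while the current session's UUID equals the pobj's (presumably the owning TA's), which is exactly the coupling the commit message says it wants to remove. A caller with no TA session also now fails in these two helpers where it did not before, which may be intended but is not stated anywhere. Passing the pobj's UUID down to encrypt_block/decrypt_block, as generate_fek already does, would keep both halves keyed identically; that means touching their callers outside this hunk. As a point of style, `if (res)` departs from the `if (res != TEE_SUCCESS)` form used throughout this file and in the neighbouring generate_fek hunk.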
@@ -479,7 +479,7 @@ static TEE_Result open_internal(struct tee_pobj *po, bool create,
 if (res != TEE_SUCCESS)
 goto out;
 
- res = tee_fs_htree_open(create, NULL, &sql_fs_storage_ops,
+ res = tee_fs_htree_open(create, NULL, &po->uuid, &sql_fs_storage_ops,
 fdp, &fdp->ht);
 out:
 if (res == TEE_SUCCESS) {