Age | Commit message (Collapse) | Author |
|
update_write_helper() is clearing uninitialized parts of blk_buf.
There's an error in the logic calculating how much should be cleared
resulting in a negative size being supplied to memset(). Fix this by
always clearing blk_buf before usage.
Fixes: cd799689cd3d ("core: rpmb: fix initialization of new rpmb data")
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
The logic to deal with the private objects was missing in the
C_Logout() implementation.
PKCS#11 specification states that :
When C_Logout successfully executes, any of the application’s
handles to private objects should become invalid (even if a user
is later logged back into the token, those handles remain invalid).
In addition, all private session objects from sessions belonging
to the application should also be destroyed.
In addition, also release any ongoing cryptographic or
object-finding operations that may be associated with the session
while logging out.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
SoftHSM Unit test suite passes a 4 byte pin while
initializing pin. Since current implementation
restricts the minimum pin length to 10, C_InitPin()
fails resulting in the testcases to be aborted.
Reduce the minimum pin length requirement inorder to
run the SoftHSM test suite.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Private objects of a session/token are accessible only
in a R/O or R/W user session i.e if a user is logged in.
R/O or R/W public session or a R/W SO session cannot
access these private objects. Check for SO session
was missing in the logic when checking for access of
private objects. This has now been added.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Prior to this patch was syscall_storage_next_enum() opening a file
handle with tee_svc_storage_read_head() but never freeing the handle.
Fix this by closing the file handle as part of cleaning up before
returning.
Fixes: 928efd065222 ("core: syscall_storage_next_enum() use live pobj")
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Implement commands
- PKCS11_CMD_GET_OBJECT_SIZE
- PKCS11_CMD_GET_ATTRIBUTE_VALUE
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
Implement commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
Adds commands
- PKCS11_CMD_FIND_OBJECTS_INIT
- PKCS11_CMD_FIND_OBJECTS
- PKCS11_CMD_FIND_OBJECTS_FINAL
in enum pkcs11_ta_cmd.
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Co-developed-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
The code that is supposed to invoke the finalization functions in the
DT_FINI_ARRAY of a TA is broken. It mixes DT_INIT_ARRAY with
DT_FINI_ARRAYSZ. As a result, the finalization functions are never
called and the TA may even crash on exit.
Fix the issue by replacing the erroneous DT_INIT_ARRAY with
DT_FINI_ARRAY.
Fixes: dd655cb9906c ("ldelf, ta: add support for DT_INIT_ARRAY and DT_FINI_ARRAY")
Reported-by: JY Ho <JY.Ho@mediatek.com>
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Commit 00b3b9a25e76 ("core: add generic struct ts_session") has
introduced a regression in the ftrace code by introducing a call to
ts_get_current_session() in ftrace_update_times() in replacement of
tee_ta_get_current_session(). At this point it can happen that no
current session exists, in which case the function should simply return.
Unfortunately ts_get_current_session() will call panic() is such a
situation. The proper function is ts_get_current_session_may_fail().
Fixes: 00b3b9a25e76 ("core: add generic struct ts_session")
Fixes: https://github.com/OP-TEE/optee_os/issues/4313
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
Add memset() calls to ensure added object is extended with byte value 0
as specified in GPD TEE specification.
Fixes: 64c6d2917d12 ("core: rpmb fs uses mempool for temporary transfer buffers")
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
When re-initializing a token the previously created objects need
to be removed.
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
In C_InitToken() if PIN is NULL_PTR then it will activate TEE Identity
based authentication support for token.
Once activated:
- When ever PIN is required client's TEE Identity will be used for
authentication
- PIN failure counters are disabled
- If new PIN is given as input it is in form of PIN ACL string
- It can be disabled with C_InitToken with non-zero PIN
Internally protected authentication path will be used for mode
determination.
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
Use common shortcut variable 'token' as in check_so_pin and check_user_pin.
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
If successful token init has been performed and new PIN is set then reset
all pin change flags.
Call update_persistent_db() only once as a last step during the execution.
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
Do not call TEE_ReadObjectData() when there is no object data to read
because the function panics when reading 0 bytes.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
|
|
The bytes subtracted here were added a few lines ago. Since *db_objs
was used there we should also do this here for readability.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
|
|
When decrypt_block fails (although unlikely) it shouldn't be silently
ignored. In such case the data in the buffer pointed to by *out is
unmodified or bogus while the return code is TEE_SUCCESS.
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
|
During boot the external DT is mapped while processing the DT. Once
OP-TEE is done with the DT it should be unmapped to avoid stale mappings
that might cause problems later. Fix this by calling
core_mmu_rem_mapping() from release_external_dt() just before jumping to
normal world.
Fixes: https://github.com/OP-TEE/optee_os/issues/4278
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
The frag_id member in struct dt_descriptor is only used if
CFG_EXTERNAL_DTB_OVERLAY is defined, so make it conditional.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds core_mmu_remove_mapping() which removes mappings earlier added with
core_mmu_add_mapping().
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Since commit 87372da451d4 ("Enable ASLR by default"), most platforms
have ASLR turned on and do not need to explicitly set CFG_CORE_ASLR=y
at build time. Remove the redundant settings in .shippable.yml.
Note that CFG_CORE_ASLR=n is still build-tested by a few platforms
such as rcar, rzg and zynqmp.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
The i.MX6SDL SoCs do not expose the security configuration in the HPSR
registers correctly, they always return SNVS_SECURITY_CFG_FAB (000),
however the SSM information is still exposed correctly.
Remove the check for the security configuration, since the bits all read
zero on these SoCs, even if they are securely booted.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
|
Since commit 5ae0290f7f3b ("core: kernel: link.mk: Move rules to generate
tee-raw.bin and tee.srec from rcar platform"), the recipe to produce
tee-raw.bin is in the common makefile core/arch/arm/kernel/link.mk.
Therefore the recipes in core/arch/arm/plat-imx/link.mk and
core/arch/arm/plat-rzn1/link.mk are redundant and need to be removed.
Fixes the following build warning:
$ make -s PLATFORM=imx-mx6ullevk
core/arch/arm/plat-imx/link.mk:7: warning: overriding recipe for target 'out/arm-plat-imx/core/tee-raw.bin'
core/arch/arm/kernel/link.mk:230: warning: ignoring old recipe for target 'out/arm-plat-imx/core/tee-raw.bin'
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
|
|
RPMB FS driver may allocates a temporary buffer of size the one provided
by userland caller. These may be big buffer of dozens of kbytes and may
exhaust the heap capacities. Change the implementation to use a 4kByte
temporary buffer to update RPMB data instead of an allocated buffer of
the object target size. RPMB FAT entry data is updated by chunks of the
temporary buffer size, and RPMB FAT meta data is updated afterwards as
prior this change.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Enabling CAAM no longer enables CRYPTO_DRIVER. Maintain shippable code
coverage by explicitly enabling the CRYPTO_DRIVER on CAAM supported
platforms (except when the SE050 is a preferred CRYPTO_DRIVER
provider).
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
|
Improve readability by using expressions
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
|
Select a more standard configuration using the HUK and RNG from the
CAAM device.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
|
Some IMX users might choose a different crypto driver (like the SE050)
but still require CAAM to provide the hardware unique key and perhaps
the RNG - since reading the RNG over I2C can impact performance on
some platforms.
This commit allows for such configuration.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
|
Implements a separate syscall handler for ldelf to decouple it from user
TAs and enable using it for all TSs. The calling convention is the same
as for utee_* syscalls. To distinguish between the different SVCs, the
syscall handler pointer is updated before entering ldelf and restored
after returning. The step of opening a system PTA session and invoking
the commands there is eliminated, the necessary functionality is
implemented in the ldelf syscall functions.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
|
Implements a function that checks if a handle database is empty, i.e.
all pointers stored in the database are NULL.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
|
Store the current SVC handler function pointer in struct ts_session, and
invoke the handler through this. Enables changing the SVC handler for a
session without modifying the ts_ops defined in the session context.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
|
Various functions in the system PTA are only used in conjunction with
ldelf. They either implement a system service needed only by ldelf
(system_open_ta_binary(), etc.) or they provide an interface for TAs to
invoke services implemented in user space by ldelf (call_ldelf_dlopen(),
call_ldelf_dlsym()). Extract these to a separate file as a first step
towards converting the PTA system_*() calls into proper ldelf-specific
syscalls.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
|
The user_ctx field in struct tee_ta_session is used by PTAs to keep
track of session specific information. Move it to struct ts_session to
make it generic and reachable for all sessions, not just TAs. This
enables extracting ldelf related code from system PTA.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
|
Most functions in system PTA have struct ts_session as parameter, but
only use it for getting the pointer to user_mode_ctx. This commit
simplifies the code by doing the casting in a single place and passing
user_mode_ctx as an argument instead.
This also eliminates casting to user_ta_ctx as an intermediate step. It
is a preparation step for extracting ldelf related functions from system
PTA to an ldelf specific syscall handler.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
|
So far the error TEE_ERROR_OUT_OF_MEMORY was returned if no
free memory could be allocated in the RPMB to store new data.
According to TEE Internal Core API Specification the error
TEE_ERROR_STORAGE_NO_SPACE shall be returned if insufficient
space is available to create the persistent object.
Signed-off-by: Stefan Schmidt <snst@meek.de>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
memalign() and friends where removed with the
commit 8cd8a6296974 ("Remove memalign()").
At the time memalign() was unused and a bit buggy. This new memalign()
is believed to work correctly due to extensive testing. Recently
memalign() has been needed by certain drivers so it makes sense to add
it again.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds a hdr_size parameter to bget(), bgetz() and bgetr(). hdr_size must
be a multiple of BGET_HDR_QUANTUM. If hdr_size is larger than 0 the
buffer will be allocated so that the alignment constraints are fulfilled
after advancing hdr_size bytes into the returned buffer.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds alignment parameter to bget(), bgetz() and bgetr(). If alignment is
larger then 0 the returned buffer is guaranteed to have an address which
is a multiple of this value.
The algorithm is basically unchanged, in the way that the memory is
still allocated from the end of a free memory block. The difference is
in the core implementation in bget() where now alignment of the returned
memory is taken into account. If only allocating with the minimum
alignment the memory blocks are expected to be allocated in the same
pattern.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Introduces CFG_TA_BGET_TEST which compiles the integrated bget test
suite together with the rest of bget. When enabled, the test entry point
is bget_main_test() in libutils.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Introduces CFG_ENABLE_EMBEDDED_TESTS disabled by default. This flag
is used to control the default value of all other embedded tests.
This changes the default value of CFG_TEE_CORE_EMBED_INTERNAL_TESTS to
'n' since CFG_ENABLE_EMBEDDED_TESTS defaults to 'n'.
A Shippable target is updated with CFG_ENABLE_EMBEDDED_TESTS=y to have
these tests compiled in some configuration.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Configures GIC and enable reception of interrupts from the secure uart.
This enables testing of secure interrupts on the QEMU v8 platform by
typing in the secure log.
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Makefile changes to compile-in and enable elliptic curve support.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Elliptic curve driver.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
APDU and utility functions required to support elliptic curve
cryptography.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Few checks were missing in the implementaion of C_DestroyObject()
as per PKCS#11 Specification. These have been added now.
These checks are
- only session objects can be destroyed during a read only session
- only public objects can be destroyed unless the normal user is
logged in
- Certain objects may not be destroyed. Calling C_DestroyObject on
such objects will result in the CKR_ACTION_PROHIBITED error code.
An application can consult the object's CKA_DESTROYABLE
attribute to determine if an object may be destroyed or not.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must be
returned.
Specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.6 Session management functions
C_OpenSession
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
The supported algorithms for encryption/decryption are:
PKCS1_OAEP
PKCS1_V1_5
When using PKCS1_PSS_MGF1 the se050 also has some restrictions on the
hash algorithms that can be used depending on the RSA key size.
Source: Plug And Trust MW documentation, Release v02,14,00 (Apr 03,
2020)
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
|
PKCS#11 Specification[1] states that Private session/token objects
cannot be created in Public sessions. So, add a check for access
type when creating objects.
[1] PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40
(Table 3 - ACCESS TO DIFFERENT TYPES OBJECTS BY DIFFERENT TYPES
OF SESSIONS)
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
|
When trying to access an object of type CKA_PRIVATE without
logging in, the error returned should be
PKCS11_CKR_USER_NOT_LOGGED_IN.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|