[PATCH] KEYS: trusted: tee: use tee_shm_register_alloc_buf()
Jens Wiklander
jens.wiklander at linaro.org
Mon Aug 21 07:45:11 UTC 2023
Hi,
On Tue, Aug 8, 2023 at 11:07 AM Jens Wiklander
<jens.wiklander at linaro.org> wrote:
>
> Hi Sumit,
>
> On Mon, Aug 7, 2023 at 9:58 AM Sumit Garg <sumit.garg at linaro.org> wrote:
> >
> > Hi Jens,
> >
> > On Thu, 3 Aug 2023 at 18:05, Jens Wiklander <jens.wiklander at linaro.org> wrote:
> > >
> > > Prior to this patch was trusted_tee_seal() and trusted_tee_get_random()
> > > relying on tee_shm_register_kernel_buf() to share memory with the TEE.
> > > Depending on the memory allocation pattern the pages holding the
> > > registered buffers overlap with other buffers also shared with the TEE.
> > >
> >
> > The overlap here is due to the fact that we are registering two array
> > members of the same struct. This overlap can be removed by registering
> > the overall structure at once. But that sounds unnecessary data
> > structure type sharing with trusted keys TA.
> >
> > > The OP-TEE driver using the old SMC based ABI permits overlapping shared
> > > buffers, but with the new FF-A based ABI each physical page may only
> > > be registered once.
> >
> > Would it be possible for OP-TEE FF-A ABI to check if a page is already
> > registered?
>
> No, there's no such ABI in the FF-A specification.
>
> > If it is then just return success with appropriate page
> > offset.
>
> It's more complicated than that. What if only there's a partial registration?
>
> > As otherwise this sounds like an unnecessary restriction for
> > users. I don't think the problem is only particular to the trusted
> > keys driver but can be reproduced for user-space clients as well.
>
> Indeed, we're dealing with it by using a temporary buffer in the client lib.
>
> >
> > >
> > > Fix this problem by allocating a temporary page aligned shared memory
> > > buffer to be used as a bounce buffer for the needed data buffers.
> > >
> > > Since TEE trusted keys doesn't depend on registered shared memory
> > > support any longer remove that explicit dependency when opening a
> > > context to the TEE.
> > >
> > > Signed-off-by: Jens Wiklander <jens.wiklander at linaro.org>
> > > ---
> > > security/keys/trusted-keys/trusted_tee.c | 68 +++++++++++++-----------
> > > 1 file changed, 36 insertions(+), 32 deletions(-)
> > >
> > > diff --git a/security/keys/trusted-keys/trusted_tee.c b/security/keys/trusted-keys/trusted_tee.c
> > > index ac3e270ade69..3085343c489a 100644
> > > --- a/security/keys/trusted-keys/trusted_tee.c
> > > +++ b/security/keys/trusted-keys/trusted_tee.c
> > > @@ -8,6 +8,7 @@
> > >
> > > #include <linux/err.h>
> > > #include <linux/key-type.h>
> > > +#include <linux/minmax.h>
> > > #include <linux/module.h>
> > > #include <linux/slab.h>
> > > #include <linux/string.h>
> > > @@ -65,38 +66,37 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
> > > int ret;
> > > struct tee_ioctl_invoke_arg inv_arg;
> > > struct tee_param param[4];
> > > - struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> > > + struct tee_shm *shm;
> > > + uint8_t *buf;
> > >
> > > memset(&inv_arg, 0, sizeof(inv_arg));
> > > memset(¶m, 0, sizeof(param));
> > >
> > > - reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
> > > - p->key_len);
> > > - if (IS_ERR(reg_shm_in)) {
> > > - dev_err(pvt_data.dev, "key shm register failed\n");
> > > - return PTR_ERR(reg_shm_in);
> > > + shm = tee_shm_alloc_kernel_buf(pvt_data.ctx,
> > > + p->key_len + sizeof(p->blob));
> > > + if (IS_ERR(shm)) {
> > > + dev_err(pvt_data.dev, "key shm alloc failed\n");
> > > + return PTR_ERR(shm);
> > > }
> > > -
> > > - reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob,
> > > - sizeof(p->blob));
> > > - if (IS_ERR(reg_shm_out)) {
> > > - dev_err(pvt_data.dev, "blob shm register failed\n");
> > > - ret = PTR_ERR(reg_shm_out);
> > > + buf = tee_shm_get_va(shm, 0);
> > > + if (IS_ERR(buf)) {
> > > + ret = PTR_ERR(buf);
> > > goto out;
> > > }
> > > + memcpy(buf, p->key, p->key_len);
> >
> > These memcpy()'s here and below are undue overheads if we change to
> > tee_shm_alloc_kernel_buf().
>
> There's a bit of overhead when entering and exiting the secure world
> too, just to save and restore registers. Anyway, trusted_tee_seal()
> doesn't together with FF-A without this patch.
By the way, without this patch the kernel fails with:
[ 12.642071] trusted-key-tee
optee-ta-f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c: blob shm register
failed
[ 12.642576] Unable to handle kernel paging request at virtual
address fffffffffffffff3
[ 12.642668] Mem abort info:
[ 12.642701] ESR = 0x0000000096000004
[ 12.642764] EC = 0x25: DABT (current EL), IL = 32 bits
[ 12.642821] SET = 0, FnV = 0
[ 12.642864] EA = 0, S1PTW = 0
[ 12.642910] FSC = 0x04: level 0 translation fault
[ 12.642960] Data abort info:
[ 12.643006] ISV = 0, ISS = 0x00000004
[ 12.643049] CM = 0, WnR = 0
[ 12.643104] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000043bfb000
[ 12.643197] [fffffffffffffff3] pgd=0000000000000000, p4d=0000000000000000
[ 12.643654] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 12.643821] Modules linked in:
[ 12.647781] CPU: 0 PID: 134 Comm: keyctl Not tainted 6.4.0 #1
[ 12.647990] Hardware name: linux,dummy-virt (DT)
[ 12.648146] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 12.648280] pc : tee_shm_put+0x1c/0x180
[ 12.648715] lr : tee_shm_free+0x10/0x1c
[ 12.648773] sp : ffff80000aa33aa0
[ 12.648822] x29: ffff80000aa33aa0 x28: ffff0000002b7900 x27: ffff80000a2f7750
[ 12.648980] x26: ffff80000aa33cf8 x25: ffff80000a2f76f0 x24: 0000000000000020
[ 12.649088] x23: ffff80000a6b2000 x22: 00000000fffffff3 x21: fffffffffffffff3
[ 12.649199] x20: fffffffffffffff3 x19: fffffffffffffff3 x18: ffffffffffffffff
[ 12.649307] x17: 62203a6338656334 x16: 623538623931362d x15: 376662612d623962
[ 12.649414] x14: 342d643566312d37 x13: ffff80000a271ac8 x12: 0000000000000363
[ 12.649523] x11: 0000000000000121 x10: ffff80000a2c9ac8 x9 : ffff80000a271ac8
[ 12.649667] x8 : 00000000ffffefff x7 : ffff80000a2c9ac8 x6 : 0000000000000000
[ 12.649797] x5 : ffff000041ea0c48 x4 : 0000000000000000 x3 : 0000000000000000
[ 12.649912] x2 : 0000000000000000 x1 : 0000000000000000 x0 : fffffffffffffff3
[ 12.650074] Call trace:
[ 12.650212] tee_shm_put+0x1c/0x180
[ 12.650361] tee_shm_free+0x10/0x1c
[ 12.650437] trusted_tee_seal+0xf4/0x17c
[ 12.650503] trusted_instantiate+0x16c/0x1fc
[ 12.650564] __key_instantiate_and_link+0x60/0x1f8
[ 12.650629] __key_create_or_update+0x2a4/0x460
[ 12.650691] key_create_or_update+0x14/0x20
[ 12.650757] __arm64_sys_add_key+0xe4/0x244
[ 12.650822] invoke_syscall+0x48/0x114
[ 12.650886] el0_svc_common.constprop.0+0x44/0xf4
[ 12.650958] do_el0_svc+0x3c/0xa8
[ 12.651015] el0_svc+0x2c/0x84
[ 12.651074] el0t_64_sync_handler+0xbc/0x138
[ 12.651144] el0t_64_sync+0x190/0x194
[ 12.651341] Code: a90153f3 aa0003f4 aa0003f3 a9025bf5 (f8438680)
[ 12.651654] ---[ end trace 0000000000000000 ]---
Segmentation fault
So clearly something needs to be done since there's a bug in the error path.
I'm not overly concerned about the overhead with memcpy(), since we're
using relatively small buffers. Kernel clients using large buffers
will need a different approach, for example by using page-aligned
buffers.
Thanks,
Jens
>
> Thanks,
> Jens
>
> >
> > -Sumit
> >
> > >
> > > inv_arg.func = TA_CMD_SEAL;
> > > inv_arg.session = pvt_data.session_id;
> > > inv_arg.num_params = 4;
> > >
> > > param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> > > - param[0].u.memref.shm = reg_shm_in;
> > > + param[0].u.memref.shm = shm;
> > > param[0].u.memref.size = p->key_len;
> > > param[0].u.memref.shm_offs = 0;
> > > param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> > > - param[1].u.memref.shm = reg_shm_out;
> > > + param[1].u.memref.shm = shm;
> > > param[1].u.memref.size = sizeof(p->blob);
> > > - param[1].u.memref.shm_offs = 0;
> > > + param[1].u.memref.shm_offs = p->key_len;
> > >
> > > ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> > > if ((ret < 0) || (inv_arg.ret != 0)) {
> > > @@ -104,14 +104,13 @@ static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
> > > inv_arg.ret);
> > > ret = -EFAULT;
> > > } else {
> > > + memcpy(p->blob, buf + p->key_len,
> > > + min(param[1].u.memref.size, sizeof(p->blob)));
> > > p->blob_len = param[1].u.memref.size;
> > > }
> > >
> > > out:
> > > - if (reg_shm_out)
> > > - tee_shm_free(reg_shm_out);
> > > - if (reg_shm_in)
> > > - tee_shm_free(reg_shm_in);
> > > + tee_shm_free(shm);
> > >
> > > return ret;
> > > }
> > > @@ -166,11 +165,9 @@ static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
> > > p->key_len = param[1].u.memref.size;
> > > }
> > >
> > > + tee_shm_free(reg_shm_out);
> > > out:
> > > - if (reg_shm_out)
> > > - tee_shm_free(reg_shm_out);
> > > - if (reg_shm_in)
> > > - tee_shm_free(reg_shm_in);
> > > + tee_shm_free(reg_shm_in);
> > >
> > > return ret;
> > > }
> > > @@ -183,15 +180,21 @@ static int trusted_tee_get_random(unsigned char *key, size_t key_len)
> > > int ret;
> > > struct tee_ioctl_invoke_arg inv_arg;
> > > struct tee_param param[4];
> > > - struct tee_shm *reg_shm = NULL;
> > > + struct tee_shm *shm;
> > > + void *buf;
> > >
> > > memset(&inv_arg, 0, sizeof(inv_arg));
> > > memset(¶m, 0, sizeof(param));
> > >
> > > - reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, key, key_len);
> > > - if (IS_ERR(reg_shm)) {
> > > - dev_err(pvt_data.dev, "key shm register failed\n");
> > > - return PTR_ERR(reg_shm);
> > > + shm = tee_shm_alloc_kernel_buf(pvt_data.ctx, key_len);
> > > + if (IS_ERR(shm)) {
> > > + dev_err(pvt_data.dev, "key shm alloc failed\n");
> > > + return PTR_ERR(shm);
> > > + }
> > > + buf = tee_shm_get_va(shm, 0);
> > > + if (IS_ERR(buf)) {
> > > + ret = PTR_ERR(buf);
> > > + goto out;
> > > }
> > >
> > > inv_arg.func = TA_CMD_GET_RANDOM;
> > > @@ -199,7 +202,7 @@ static int trusted_tee_get_random(unsigned char *key, size_t key_len)
> > > inv_arg.num_params = 4;
> > >
> > > param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> > > - param[0].u.memref.shm = reg_shm;
> > > + param[0].u.memref.shm = shm;
> > > param[0].u.memref.size = key_len;
> > > param[0].u.memref.shm_offs = 0;
> > >
> > > @@ -209,18 +212,19 @@ static int trusted_tee_get_random(unsigned char *key, size_t key_len)
> > > inv_arg.ret);
> > > ret = -EFAULT;
> > > } else {
> > > + memcpy(key, buf, min(param[0].u.memref.size, key_len));
> > > ret = param[0].u.memref.size;
> > > }
> > >
> > > - tee_shm_free(reg_shm);
> > > +out:
> > > + tee_shm_free(shm);
> > >
> > > return ret;
> > > }
> > >
> > > static int optee_ctx_match(struct tee_ioctl_version_data *ver, const void *data)
> > > {
> > > - if (ver->impl_id == TEE_IMPL_ID_OPTEE &&
> > > - ver->gen_caps & TEE_GEN_CAP_REG_MEM)
> > > + if (ver->impl_id == TEE_IMPL_ID_OPTEE)
> > > return 1;
> > > else
> > > return 0;
> > > --
> > > 2.34.1
> > >
More information about the Linux-security-module-archive
mailing list