Early TAs

[jforissier]

This series implements a feature called "early TAs", which is a way to link Trusted Applications into the TEE binary so that they may be loaded independently of the REE file system and tee-supplicant.

One use case is being able to invoke a TA from a Linux driver during the boot sequence, before user mode has been spawn. Obviously, In this use case, any service depending on tee-supplicant won't be available, but it can be useful anyway.

Another use case is to prevent uncontrolled rollback of user TAs. Since TAs are effectively part of the TEE binary, they follow the same life cycle (authentication by the previous stage of th boot loader, controlled updates...).

Note about compression: commit #.6 imports some files from zlib into core/lib/zlib. I could probably have re-used what we already have in lib/libzlib, but I thought that since we had some discussions about possibly removing our (partial) Trusted UI support, this whole directory would probably go away and we would be better off with zlib code under the core/ folder. I can change that of course.

[igoropaniuk]

EMSG?

[igoropaniuk]

minor: blank line

[etienne-lms]

*size is set twice. Looks like an error: I guess *size = h->early_ta->size; below should be removed.

[jforissier]

Oops! Will fix. I introduced this bug when I addressed @igoropaniuk's comment.

[igoropaniuk]

minor: blank line

[igoropaniuk]

unneeded initialization

[jforissier]

My thoughts exactly, but GCC 6.2.1 doesn't like it:

$ make PLATFORM=hikey CFG_EARLY_TA=y out/arm-plat-hikey/core/arch/arm/kernel/early_ta.o
  CHK     out/arm-plat-hikey/conf.mk
  CHK     out/arm-plat-hikey/include/generated/conf.h
  CC      out/arm-plat-hikey/core/arch/arm/kernel/early_ta.o
core/arch/arm/kernel/early_ta.c: In function ‘early_ta_read’:
core/arch/arm/kernel/early_ta.c:198:3: error: ‘tmpbuf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   free(tmpbuf);
   ^
core/arch/arm/kernel/early_ta.c:148:11: note: ‘tmpbuf’ was declared here
  uint8_t *tmpbuf;
           ^
cc1: all warnings being treated as errors
mk/compile.mk:146: recipe for target 'out/arm-plat-hikey/core/arch/arm/kernel/early_ta.o' failed
make: *** [out/arm-plat-hikey/core/arch/arm/kernel/early_ta.o] Error 1

[igoropaniuk]

Please add comment about priority field, what does it stand for

[jforissier]

Comment added in core/arch/arm/kernel/elf_load.h.

[etienne-lms]

Suggest to define those magic priority values in user_ta.h (i.e EARLY_TA_STORE_PRIORITY and REE_TA_STORE_PRIORITY).

[jforissier]

I think user_ta.h should not need to know about the various TA stores, so I'd rather avoid that.

[etienne-lms]

ok

[igoropaniuk]

Possible holy war, but https://stackoverflow.com/questions/1024049/is-it-pythonic-to-import-inside-functions

[jforissier]

I'll change. I also have a slight preference for imports at the top, probably because I'm essentially developing in C ;)

[igoropaniuk]

I guess when CFG_ZLIB isn't set early_ta.c won't compile?
Is it possible to use early TA feature without compression support?

[jforissier]

Right. Making compression support optional is doable of course, but it would make the code a bit harder to read (several #ifdef's in early_ta.c).

[igoropaniuk]

minor: blank line

[igoropaniuk]

why not to move creation of stub to separate function?

[jforissier]

This would mean moving almost everything from main() to generate_file(), no? So what would be the benefit?

[igoropaniuk]

minor: include order

[igoropaniuk]

minor: blank line

[etienne-lms]

*size is set twice. Looks like an error: I guess *size = h->early_ta->size; below should be removed.

[etienne-lms]

minor: strm->next_out = tmpbuf; seems useless: already set.

[jforissier]

No, that's for the case we're asked to read more than 1K of uncompressed data and throw them away (data == NULL). We read 1K chunks at a time. By resetting the pointer on each loop I try to read as much as possible each time.

[etienne-lms]

You mean we need to reset the output buffer point to the temp buff start address ?
Maybe this deserves a small comment. (maybe not :)

[jforissier]

Exactly. I will add a comment.

[etienne-lms]

Could you elaborate a bit these comments, stating which return values relate excepted successful content read? (the loop implementation is not that obvious)

[jforissier]

I suppose while ((st == Z_OK) && (total != len)) is obvious, right? So it's only the Z_BUF_ERROR case, not being an error here, that deserves some clarification?

[etienne-lms]

Reading again the current comment, I found it clear. Maybe move Z_STREAM_END description next to Z_OK. It would look less like an error case (as right after Z_BUF_ERROR);

Minor: add a terminal dots to each bullet.

[jforissier]

OK

[etienne-lms]

I would expect here (once read loop is done) that st == Z_BUF_ERROR is an error case.

[jforissier]

Right, I'll remove this check.

[etienne-lms]

minor: can call free(tmpbuf) straight since pointer is NULL initialized.

[jforissier]

yes

[etienne-lms]

minor: add terminal dot.

[etienne-lms]

I think EARLY_TA should be rename BUILTIN_TA.

[jforissier]

Indeed, BUILTIN_TA better describes what they really are. If no one objects I'll rename everything once we're done with the review. Otherwise it will bee too complex to follow the changes.

[etienne-lms]

From this description it is not clear whether one should define several EARLY_TA values (sic) each defining the full path of the TA elf file or if EARLY_TA is expected a unique directory path where one can store several TA ELF files to be embedded in the core binary.

As EARLY_TA is a configuration directive, I would suggest to prefix it CFG_EARLY_TA_PATH.

[jforissier]

I'll update the comment. What's expected is one or more paths to TA files separated with spaces, such as:

EARLY_TA="../optee_test/out/ta/crypt/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.stripped.elf ../optee_test/out/ta/aes_perf/e626662e-c0e2-485c-b8c8-09fbce6edf3d.stripped.elf"

Regarding the lack of CFG_ prefix: you're mostly right but there's a trick (that I should document): all CFG_ variables are written to $(out-dir)/conf.mk and any change to the values in this file causes a re-compilation of everything. So, consider the build steps I have given as an example:

$ make CFG_EARLY_TA=y            # (1)
<build some TAs>                 # (2)
$ make ... EARLY_TA=/some/path   # (3)

You can't give CFG_EARLY_TA_PATH during step (1) since we assume the TAs have not been built yet (they need optee_os to be built first so that dev_kit is available). So you can't have CFG_EARLY_TA_PATH set to the same value in steps (1) and (3) thus causing a full rebuilt of optee_os at step (3).

I propose to rename EARLY_TA and use BUILTIN_TA_PATHS instead (will do it at the same time I replace "early" with "builtin").

[etienne-lms]

flags seems useless.

[jforissier]

Leftover from a previous implementation... will remove, thanks

[etienne-lms]

minor: remove empty line (for consistency) ?

[etienne-lms]

minor: remove empty line (for consistency) ?

[etienne-lms]

You mean we need to reset the output buffer point to the temp buff start address ?
Maybe this deserves a small comment. (maybe not :)

[etienne-lms]

. = ALIGN(8);

[jforissier]

Yes!

[etienne-lms]

Finally remove the 8 byte alignment.

[etienne-lms]

Add assert(e->priority != ops->priority); before.

[jforissier]

I thought I would allow equal priorities, but it may be a bad idea (invocation order would depend on registration order which may not be well controlled...). I will add the assert.

[etienne-lms]

. = ALIGN(8);

[jforissier]

Will fix

[etienne-lms]

Reading again the current comment, I found it clear. Maybe move Z_STREAM_END description next to Z_OK. It would look less like an error case (as right after Z_BUF_ERROR);

Minor: add a terminal dots to each bullet.

[etienne-lms]

Few ta to replace with _ta in the macro.

[jforissier]

Yeah, good catch

[etienne-lms]

minor: I think this comment is useless

[jforissier]

OK, it is redundant with /* 0: not compressed */ in early_ta.h. Will remove it.

[etienne-lms]

Suggest to define those magic priority values in user_ta.h (i.e EARLY_TA_STORE_PRIORITY and REE_TA_STORE_PRIORITY).

[etienne-lms]

Must reset msg[0] = '\0' in the loop.

[jforissier]

Will fix

[etienne-lms]

Minor: comment above the field (rather than appended in the same line) ?

[etienne-lms]

Really need to remove the const qualifier ?

[jforissier]

Yes, because link is modified when the structure is put in the TA store list.

[etienne-lms]

right. thanks.

[etienne-lms]

minor: terminal dot.

[etienne-lms]

s/EARLY_TA/EARLY_TA_PATHS/

[etienne-lms]

s/EARLY_TA/EARLY_TA_PATHS/

Could you check that this works ok even if EARLY_TA_PATHS is empty or even not defined ?

[jforissier]

It does work

[etienne-lms]

Here, I wonder if we should try other stores only if ta_load() returns TEE_ERROR_ITEM_NOT_FOUND.
I mean that if the target uuid was found in the early TAs, the TA binary is expected valid. For example, if core lacks of heap was loading an early TA, it should not try the load the TA from the REE.

In the same scope, how should core behave of an early TA shows formatting issues. I think it should panic if in debug mode, and simply refuse to load REE TA instead.

[jforissier]

Not trying the next store in case of error other than TEE_ERROR_ITEM_NOT_FOUND is also a valid option I think, but why would it be better? I'd rather keep the current code for the moment. If we later find out that some use cases require a different behavior, we'll change the logic.

[jenswi-linaro]

With this code if an early TA has formatting issues and there isn't a backup version in REE it would return TEE_ERROR_ITEM_NOT_FOUND instead of the actual error code.

[jforissier]

OK, how about this?

        SLIST_FOREACH(store, &uta_store_list, link) {
                DMSG("Lookup user TA %pUl (%s)", (void *)uuid,
                     store->description);
                res = ta_load(uuid, store, &s->ctx);
                if (res == TEE_ERROR_ITEM_NOT_FOUND)
                        continue;
                if (res == TEE_SUCCESS)
                        s->ctx->ops = &user_ta_ops;
                else
                        DMSG("res=0x%x", res);
                return res;
        }
        return TEE_ERROR_ITEM_NOT_FOUND;

[jenswi-linaro]

Looks good.

[etienne-lms]

ok

[etienne-lms]

I think this change is pretty nice as it is. See my last comment regarding load error cases.

I have not reviewed the zlib implementation :) and will only ack the python scripting.

[jforissier]

Update: fixed issue that tee.elf would not always be re-linked when TAs are added or removed.

[etienne-lms]

I fear this will not force relink if one updates an already existing TA ELF file.
Maybe it could be more simple to simple force relink if EARLY_TA_PATH is defined.

[jforissier]

If a TA is modified, the C file will become outdated and will be generated again. It's not something that is handled by this. This only takes care of the situation when no files are modified (because they are already all present and up-to-date from a previous build), but tee.elf should still be re-linked to add/remove files.

[airbak]

Compile error with gcc version 4.9.2 20140904:
cc1: error: unrecognized command line option "-Wno-discarded-qualifiers" [-Werror]

[jforissier]

Will fix

[airbak]

core/arch/arm/kernel/early_ta.c:77:16: error: assignment discards 'const' qualifier from pointer target type [-Werror]
ZLIB_CONST defined in ./lib/libzlib/include/zconf.h, but not defined in ./core/lib/zlib/zconf.h.

[jforissier]

Thanks for the hint, I'll fix this whole const handling issue by defining ZLIB_CONST and removing -Wno-discarded-qualifiers.

[airbak]

As CFG_EARLY_TA=y, EARLY_TA_PATHS=test_ta_uuid.
When test_ta and optee_os are both modified, need to make twice optee_os.
May it add "make headers_install"? Build headers for TA first, then build TA, finally build optee_os.

[jforissier]

Please note that, if you build optee_os with CFG_EARLY_TA=y first, and EARLY_TA_PATHS not set as explained in the comment, then optee_os will not be built twice. Only the link step will occur again when you run make EARLY_TA_PATHS=test_ta_uuid.elf.

That being said, I will see if I can do what you propose (add make headers_install). Shouldn't be that hard.

[jforissier]

All review comments addressed (or replied to), I think.

We have lots of review fix-ups so I will probably squash the commits together properly before asking for a last round of reviews.

When doing so, should I rename "early" to "built-in" as suggested previously (that is, CFG_BUILTIN_TA, BUILTIN_TA_PATHS, struct builtin_ta etc.)?

[jenswi-linaro]

Why this alignment?

[jforissier]

It helps iterate on the early_ta structs in the .rodata section. Without this, the compiler tends to align the structure on either 4 or 8 bytes and it depends on the arch.

[jenswi-linaro]

What's the problem with different alignment depending on the arch?

[jforissier]

At first I used __alignof__(struct early_ta) (instead of hard-coding 8) for rounding up the size of structs when iterating (here). It was OK on QEMU but I was 4 bytes off on D02 (64-bits). So I forced 8-byte alignement as an easy fix ;)
I'll take a closer look and see if I can get rid of it.

[jforissier]

Fixed by applying __aligned(__alignof__(struct early_ta)) to each variable of this type (see the Python script). Results in all variables being 4-bytes aligned on 32-bit as well as 64-bit platforms with no unwanted padding. I noticed that applying the same align attribute to the type or the variable is not equivalent, but could not figure out if it's expected or not...

[jenswi-linaro]

With this code if an early TA has formatting issues and there isn't a backup version in REE it would return TEE_ERROR_ITEM_NOT_FOUND instead of the actual error code.

[etienne-lms]

minor comment. looks good to me.

[etienne-lms]

alignment to remove

[jforissier]

Will do

[etienne-lms]

Finally remove the 8 byte alignment.

[etienne-lms]

As EARLY_TA_PATHS is a configuration directive that affects the core embedded content, i would rather have it prefixed CFG_. Your feeling ?

[jforissier]

No CFG_ to avoid re-building: #1733 (comment)

[etienne-lms]

ok, I see the point (I had forgotten that). However it looks rather like a workaround on the config to suite the current build process.

I wonder if we could split the optee_os build in 2:

• build core only (libs + core): i.e make core
• build user land only (libs + devkit): i.e make ta_devkit

In most cases (no early TA), one could run make all to get everything in place.
For early TAs support: first build the user libs, then build the (early) TAs, then build core with the early TAs. This would help generating a conf.mk that would reflect the real configuration used to build the core binary. This is change is related to that some platform could allow the TAs to build their own 'static' libraries independently from the core configuration: enabling some debug, profiling,traces for some TAs but not for all. But maybe that should be discussed later on...

[jforissier]

I have already added make ta_dev_kit, after @airbak's suggestion above. So indeed, we could very well use CFG_EARLY_TA_PATHS as you suggest and still avoid re-compilation.
Let me give it a try and update ;-)

[jforissier]

@etienne-lms ultimately I think CFG_ is not very convenient. During testing I have changed several times the list of applications (adding one or two, changing them), and with CFG_ the tee.bin is fully recompiled each time and it's a bit painful.
So I'm not changing the prefix. We can change later depending on the use cases.

[etienne-lms]

This P-R went to a good point (at least to my appraisal). You would like some review/ack tags or do we change early_ta into builtin_ta or whatever before tagging?

[jforissier]

@etienne-lms I have cleaned up and reordered the series, let's gather the review tags now.
GitHub shows the commits in a peculiar order (sorted by date it seems, when parent/child relationship would make more sense IMO). Here is the logical order for reviewing:

git log --oneline --reverse 5d0d5ac..HEAD

19e34cf Remove leading spaces and dots in DMSG() messages
f997070 Add target ta_dev_kit
1cc2bde Add description string to user_ta_store_ops
6ae578d Add support for several user TA stores
748fbdb Add support for early Trusted Applications
386f211 core: link.mk: force link of tee.elf when object list has changed
b40d654 Import zlib v1.2.11
22469c5 Add support for compressed early TAs

[jenswi-linaro]

I though these changes where to go into 6ae578d "Add support for several user TA stores"

[jforissier]

My mistake, will fix.

[jenswi-linaro]

Is __rodata_dtdrv_end guaranteed to end on a well aligned address?

[jforissier]

Good catch. Strictly speaking we should have . = ALIGN(__alignof__(struct early_ta)) but that can't be understood by the linker. Our options are:

1. Hard-code 4, which I expect to be the value of __alignof__(struct early_ta) for pretty much all platforms currently.
2. Use 8 for greater safety (?)
3. Add a definition to asm-defines.c.

I am tempted to do (3) although it may look weird to use this "asm" file for that purpose. Thoughts?

[jenswi-linaro]

We're usually doing 2. in the link script.

[jforissier]

ok

[jenswi-linaro]

Why can't -pedantic be used?

[jforissier]

out/arm/core/early_ta_8aaaf200-2450-11e4-abe2-0002a5d5c51b.c:17:8: error: initialization of a flexible array member [-Werror=pedantic]
  .ta = {
        ^

[jenswi-linaro]

Putting a __extension__ in front of the const struct early_ta ... would eliminate the need of removing the -pedantic flag. It relies on a compiler extension after all.

[jforissier]

Ha! I didn't know about this one. Fixed, thanks.

[jforissier]

Updated.

[jenswi-linaro]

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

[jforissier]

Jens' comments addressed and R-b applied.

git log --oneline --reverse master..HEAD
d1d4669 core/sub.mk: add missing dependency on the TA key processing script
0a7f5cf Remove leading spaces and dots in DMSG() messages
99af84e Add target ta_dev_kit
fcf98f3 Add description string to user_ta_store_ops
66b786d Add support for several user TA stores
afc3560 Add support for early Trusted Applications
08940b4 core: link.mk: force link of tee.elf when object list has changed
cf9108e Import zlib v1.2.11
0f96189 Add support for compressed early TAs

[etienne-lms]

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

Note: jens' r-b tag is missing on some commits.

[jforissier]

@etienne-lms thanks, I'll take care of adding the missing R-b before merging.