-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC] Bootstrap ta #1928
[RFC] Bootstrap ta #1928
Conversation
Uses OP-TEE/optee_test#240 to install bootstrap TAs Note that the 9000 tests will fail if bootstrap TAs are installed. |
Hi @jenswi-linaro, just a quick question: what do you mean when you say "security domain"? |
Hi @lorc, this for instance: https://tools.ietf.org/html/draft-pei-opentrustprotocol-04#section-5.3 Note that Security Domains doesn't to have provide isolation between TAs in different Security Domains. A Security Domain is just a TA management domain. |
scripts/sign_bsta.py
Outdated
@@ -0,0 +1,77 @@ | |||
#!/usr/bin/env python |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you tested this script in both python2 and python3?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have now, and it seems to work. :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay then :-)
scripts/sign_bsta.py
Outdated
@@ -0,0 +1,77 @@ | |||
#!/usr/bin/env python | |||
# | |||
# Copyright (c) 2015, Linaro Limited |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2017, I think :)
scripts/sign_bsta.py
Outdated
# | ||
|
||
def uuid_parse(s): | ||
from uuid import UUID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please check this script with pycodestyle
(or with pip8.py
). There will be a lot of warnings.
core/tee/tadb.c
Outdated
|
||
if (db->files) | ||
return TEE_SUCCESS; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove extra empty line.
core/tee/tadb.c
Outdated
|
||
assert(db->refc); | ||
db->refc--; | ||
if (db->refc) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How you can guarantee thread safety in tadb manipulation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These functions are supposed to be called from a static TA which will guarantee thread safety.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just realized that these functions are used from core/arch/arm/kernel/tadb_store.c
which is outside the pseudo TA context. Ideally I should have a read/write lock to allow concurrent loading of TAs.
core/tee/tadb.c
Outdated
tadb_put(db); | ||
} | ||
|
||
static TEE_Result populate_files(struct tee_tadb_dir *db) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Purpose of this function is bit unclear to me...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I thought this function was going to be used by several functions when doing the initial design. Now it's clear it's only needed in tee_tadb_ta_create()
. I'll move the implementation into tee_tadb_ta_create()
instead.
core/tee/tadb.c
Outdated
size_t idx; | ||
const TEE_UUID null_uuid = { 0 }; | ||
|
||
if (db->files) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There you return if db->files != NULL
...
core/tee/tadb.c
Outdated
if (!memcmp(&entry.prop.uuid, &null_uuid, sizeof(null_uuid))) | ||
continue; | ||
|
||
if (test_file(db, entry.file_number)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... and there you use db->files
to check if file_number
is stored. But at L265 you ensured that db->files
is NULL
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this is called in a loop, db->files
could have been allocated at this point. test_file()
and set_file()
deals with that.
core/tee/tadb.c
Outdated
int i = 0; | ||
|
||
if (!ta) | ||
res = TEE_ERROR_OUT_OF_MEMORY; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like you missed return
there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
core/tee/tadb.c
Outdated
size_t num_bytes = 0; | ||
|
||
while (num_bytes < l) { | ||
uint8_t b[1024 * 4]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you really sure, you want to allocate 4kb on stack?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, it's a bit excessive. I'll replace it with malloc()
.
core/arch/arm/pta/management.c
Outdated
res = tee_hash_get_digest_size(TEE_DIGEST_HASH_TO_ALGO(shdr->algo), | ||
&hash_size); | ||
if (res != TEE_SUCCESS) | ||
return res; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return TEE_ERROR_SECURITY
?
core/arch/arm/pta/management.c
Outdated
|
||
res = crypto_ops.acipher.alloc_rsa_public_key(&key, shdr->sig_size); | ||
if (res != TEE_SUCCESS) | ||
return res; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return TEE_ERROR_SECURITY
?
core/arch/arm/pta/management.c
Outdated
sizeof(*shdr)); | ||
if (res) | ||
goto err_free_hash_ctx; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove extra empty line.
Addressed comments, except then one with mutex (waiting for the outcome of #1942) |
core/tee/tadb.c
Outdated
continue; | ||
|
||
if (test_file(db, entry.file_number)) { | ||
DMSG("Clearing duplicate file number %" PRIu32, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If that is not going to happen, then EMSG
or at least IMSG
will fit much better.
|
||
res = read_ent(db, idx, &entry); | ||
if (res) { | ||
if (res == TEE_ERROR_ITEM_NOT_FOUND) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is confusing, that only one successful (apart from L336) return from this function resides in the middle of it.
Now, when I grasped idea of this function, this seems obvious. But it was hard to understand from a first try.
This is just a note. I don't ask you to perform any actions.
core/tee/tadb.c
Outdated
@@ -670,17 +694,25 @@ TEE_Result tee_tadb_ta_read(struct tee_tadb_ta *ta, void *buf, size_t *len) | |||
return res; | |||
} else { | |||
size_t num_bytes = 0; | |||
size_t b_size = MIN(SIZE_4K, l - num_bytes); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You zero out num_bytes
at the line above. Better to leave only MIN(SIZE_4k, l)
. It is easier to read.
scripts/sign_bsta.py
Outdated
@@ -0,0 +1,77 @@ | |||
#!/usr/bin/env python |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay then :-)
core/include/tee/tee_svc_storage.h
Outdated
*/ | ||
const struct tee_file_operations *tee_svc_storage_file_ops(uint32_t storage_id); | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: extra empty line.
core/include/signed_hdr.h
Outdated
@@ -71,5 +72,10 @@ struct shdr { | |||
#define SHDR_GET_HASH(x) (uint8_t *)(((struct shdr *)(x)) + 1) | |||
#define SHDR_GET_SIG(x) (SHDR_GET_HASH(x) + (x)->hash_size) | |||
|
|||
struct shdr_bootstrap_ta { | |||
uint8_t uuid[16]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: uuid[sizeof(TEE_UUID)]
?
core/include/tee/tadb.h
Outdated
|
||
struct tee_tadb_ta; | ||
|
||
struct tee_tadb_property { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe add a comment to describe the structure fields.
core/arch/arm/kernel/tadb_store.c
Outdated
static void secstor_ta_close(struct user_ta_store_handle *h) | ||
{ | ||
struct tee_tadb_ta *ta = (struct tee_tadb_ta *)h; | ||
tee_tadb_ta_close(ta); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: add an empty line.
8549015
to
f4a4b84
Compare
Rebased and squashed on top of master to be able to use the read lock. It turned out atomic reference counting routines where needed too, added that to the beginning of the PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
few comments on the refcount part.
looking at the ta mngt services...
core/include/kernel/refcount.h
Outdated
unsigned int val; | ||
}; | ||
|
||
/* Increases refcount by 1, return true if val != 0 else false */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand the Api. I read this as "Return true if incremented refcount is not 0.", in which caserefcount_inc()
must be changed. If not, maybe clarify the Api.
Same kind of comments on refcount_dec()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right. I'll update the description.
unsigned int oval = atomic_load_uint(&r->val); | ||
|
||
while (true) { | ||
nval = oval + 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should read back in oval
an updated value of recount val
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's actually taken care of by atomic_cas_uint()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, right, sorry.
core/tee/tadb.c
Outdated
* grow the bitfield as needed. | ||
* | ||
* At the same time clean out duplicate file numbers, the first | ||
* entry with the file number has precedence. Duplicate entries is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: double space beforeDuplicate
and before supposed
at next line.
#include <tee/tee_svc_storage.h> | ||
#include <utee_defines.h> | ||
|
||
#define TADB_MAX_BUFFER_SIZE (64U * 1024) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where does this comes from?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do need some value, 64KiB is nothing for normal world to allocate as shared memory.
core/tee/tadb.c
Outdated
#define TADB_TAG_SIZE TEE_AES_BLOCK_SIZE | ||
#define TADB_KEY_SIZE TEE_AES_MAX_KEY_SIZE | ||
|
||
struct user_ta_store_handle; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: unused
core/include/tee/tadb.h
Outdated
* TA binary | ||
* @bin_size: Size of the binary TA | ||
* @is_ta: True if this is a TA | ||
* @is_root: True if this is a root SD or a TA without an SD |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/an/a/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It depends on how you pronounce it, I pronounce it ess-dee
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok :)
unsigned int oval = atomic_load_uint(&r->val); | ||
|
||
while (true) { | ||
nval = oval + 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, right, sorry.
core/include/tee/tadb.h
Outdated
*/ | ||
struct tee_tadb_property { | ||
TEE_UUID uuid; | ||
TEE_UUID parent;/* parent security domain, zeroes if nonexistent */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor: tab before comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't fit on the line then. I'll remove it now that there's a description of the struct above.
minor: could you rename the pTA "management" into sometihng like "TA management"? For example management.c being a bit too generic, even in pta/ subdir. Something like ta_management.c? |
Update |
In order to give an opinion on this RFC, I need to understand the big picture. How does it work (high-level)? What problem are you trying to address? What is different from what we are currently doing? What is a bootstrap TA? Why does it have a different extension as mentioned in the Sorry I don't feel like trying to figure this out from code only :( |
Some description available here: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see my comments but overall I like this proposal.
The documentation will need updating, too (optee_design.md
, section "12. Trusted Applications", and BTW this section also lacks some description of the "early TA" feature I merged some time ago...)
core/arch/arm/pta/ta_management.c
Outdated
offs += sizeof(bs_ta); | ||
|
||
memset(&property, 0, sizeof(property)); | ||
COMPILE_TIME_ASSERT(sizeof(property.uuid) == sizeof(property.uuid)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sizeof(bs_ta.uuid)
ta/arch/arm/link.mk
Outdated
|
||
$(link-out-dir)/$(binary).bsta: $(link-out-dir)/$(binary).stripped.elf \ | ||
$(TA_SIGN_KEY) | ||
@echo ' SIGN $@' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@$(cmd-echo-silent)
(and fix above)
ta/arch/arm/link.mk
Outdated
$(link-out-dir)/$(binary).bsta: $(link-out-dir)/$(binary).stripped.elf \ | ||
$(TA_SIGN_KEY) | ||
@echo ' SIGN $@' | ||
$(q)$(SIGN_BSTA) --key $(TA_SIGN_KEY) --uuid $(binary) --version 0 \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/TA_SIGN_KEY/BSTA_SIGN_KEY/? (default BSTA_SIGN_KEY ?= $(TA_SIGN_KEY)
)
ta/arch/arm/link.mk
Outdated
TA_SIGN_KEY ?= $(TA_DEV_KIT_DIR)/keys/default_ta.pem | ||
|
||
all: $(link-out-dir)/$(binary).elf $(link-out-dir)/$(binary).dmp \ | ||
$(link-out-dir)/$(binary).stripped.elf $(link-out-dir)/$(binary).ta | ||
$(link-out-dir)/$(binary).stripped.elf $(link-out-dir)/$(binary).ta \ | ||
$(link-out-dir)/$(binary).bsta |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really want to always generate a .bsta
? Of course it is convenient for testing, but normally only one format will be used. So we should make this optional. For instance, only if Update: following your email and your proposal to have only one TA header (the new bsta one), the last part of this comment is not really relevant. I agree one header format would be more convenient.$(BOOTSTRAP_TA)=y
. This variable would be set or not by the Makefile for each TA. And, it could also be set globally for instance when building xtest (make BOOSTRAP_TA=y
).
core/arch/arm/kernel/sub.mk
Outdated
@@ -2,6 +2,9 @@ ifeq ($(CFG_WITH_USER_TA),y) | |||
srcs-y += user_ta.c | |||
srcs-$(CFG_REE_FS_TA) += ree_fs_ta.c | |||
srcs-$(CFG_EARLY_TA) += early_ta.c | |||
|
|||
$(call force,CFG_SECURE_STORAGE_TA,y,required by CFG_MANAGEMENT_PTA) | |||
srcs-$(CFG_SECURE_STORAGE_TA) += tadb_store.c |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency with ree_fs_ta.c
and early_ta.c
, tadb_store.c
, how about secure_storage_ta.c
?
core/include/kernel/refcount.h
Outdated
* When val becomes 0 refcount_inc() refuses to change the value any longer | ||
* and returns false. | ||
* | ||
* refcount_dec() returns true becuase this call caused the value to become |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sp
May also be good to say that the function decrements the vallue: "refcount_dec()
decrements the value and returns true when the call caused the value to become 0, false otherwise", or something like that.
core/kernel/refcount.c
Outdated
while (true) { | ||
nval = oval + 1; | ||
|
||
/* r->val is 0, we can't doing anything more. */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/doing/do/
core/include/kernel/refcount.h
Outdated
|
||
/* Increases refcount by 1, return true if val > 0 else false */ | ||
bool refcount_inc(struct refcount *r); | ||
/* Decreases refcount by 1, return true if val > 0 else false */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return true if val == 0
core/include/kernel/refcount.h
Outdated
* Reference conter | ||
* | ||
* When val becomes 0 refcount_inc() refuses to change the value any longer | ||
* and returns false. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I find the wording a bit weird, a more neutral tone may be better: "When val is 0, refcount_inc()
does not change the value and returns false.". You may add "Otherwise, it increments the value and returns true".
core/tee/sub.mk
Outdated
@@ -40,6 +40,9 @@ srcs-y += tee_obj.c | |||
srcs-y += tee_pobj.c | |||
srcs-y += tee_time_generic.c | |||
|
|||
$(call force,CFG_SECURE_STORAGE_TA,y,required by CFG_MANAGEMENT_PTA) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not needed here
deecfc3
to
87b4bff
Compare
Squashed and inserted some extra commit but not rebased to make it easier to compare with the old a2aa4a0 state. History is reordered to instead of adding a new sign script, the old one is replaced/updated and there's no .bsta file any longer. The REE FS TA storage now supports the new TA format as well as the old format. I missed addressing the refcount comments, will make an update commit later. Documentation will also follow later. |
Fixes problem with old filenumbers not being reused. |
Addresses the refcount comments |
Added documentation in #1986 |
core/tee/tadb.c
Outdated
size_t rl = len; | ||
struct tee_fs_rpc_operation op; | ||
|
||
assert(tadb_check_state(ta, TEE_MODE_ENCRYPT)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should return an error instead, I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an API usage error (programmers error). In the case of tee_tadb_ta_write()
, tee_tadb_ta_read()
and tee_tadb_ta_close_and_commit()
it's possible to return an error, but the two functions tee_tadb_ta_close_and_delete()
, tee_tadb_ta_close()
are void functions.
In all of the cases there's no good cleanup action that the caller can perform.There's obviously some confusion regarding what the handle is to be used for. Initially I was using two different structs for the "read" class and "write" class of functions. Perhaps I should reintroduce that instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there's no cleanup possible, then indeed a return code is useless.
Initially I was using two different structs for the "read" class and "write" class of functions. Perhaps I should reintroduce that instead?
Yes, I think I would like it better.
core/tee/tadb.c
Outdated
|
||
void tee_tadb_ta_close_and_delete(struct tee_tadb_ta *ta) | ||
{ | ||
assert(tadb_check_state(ta, TEE_MODE_ENCRYPT)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
core/tee/tadb.c
Outdated
size_t sz = sizeof(ta->entry.tag); | ||
size_t idx; | ||
|
||
assert(tadb_check_state(ta, TEE_MODE_ENCRYPT)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
core/tee/tadb.c
Outdated
const size_t sz = ta->entry.prop.custom_size + ta->entry.prop.bin_size; | ||
size_t l = MIN(*len, sz - ta->pos); | ||
|
||
assert(tadb_check_state(ta, TEE_MODE_DECRYPT)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
core/tee/tadb.c
Outdated
|
||
void tee_tadb_ta_close(struct tee_tadb_ta *ta) | ||
{ | ||
assert(tadb_check_state(ta, TEE_MODE_DECRYPT)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
mk/config.mk
Outdated
@@ -262,6 +262,12 @@ CFG_GP_SOCKETS ?= y | |||
# invocation parameters referring to specific secure memories). | |||
CFG_SECURE_DATA_PATH ?= n | |||
|
|||
# Enable storage for TAs in secure storage | |||
CFG_SECSTOR_TA ?= y |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depends on CFG_REE_FS=y
.
I find the comment slightly misleading, since the bulk of the TA is actually not in secure storage but directly stored in the REE FS. How about adding: "TA binaries are stored in the REE FS and are protected by metadata in secure storage." or something like that. Will make the dependancy on CFG_REE_FS=y
obvious.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated comment is fine. About the dependency I meant:
CFG_SECSTOR_TA ?= $(CFG_REE_FS)
$(call cfg-depends-all,CFG_SECSTOR_TA,CFG_REE_FS)
from argparse import ArgumentParser | ||
|
||
parser = ArgumentParser() | ||
parser.add_argument('--uuid', required=True, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could be optional (default: parse --in file name).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the other hand, the name of the TA file doesn't have to be an UUID. Sounds like complicated usage to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True
@@ -58,4 +58,5 @@ $(link-out-dir)/$(binary).stripped.elf: $(link-out-dir)/$(binary).elf | |||
$(link-out-dir)/$(binary).ta: $(link-out-dir)/$(binary).stripped.elf \ | |||
$(TA_SIGN_KEY) | |||
@echo ' SIGN $@' | |||
$(q)$(SIGN) --key $(TA_SIGN_KEY) --in $< --out $@ | |||
$(q)$(SIGN) --key $(TA_SIGN_KEY) --uuid $(binary) --version 0 \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming --uuid
is optional, the command could remain unchanged
How about s/bootstrap/secure storage/g? My reasoning is: bootstrapping another TA management method (OTrP, etc.) is only one way this "secure storage TA" feature may be used. It is also perfectly valid to install all TAs in secure storage. So it would be more neutral and more general to use "secure storage TA", |
core/include/tee/tadb.h
Outdated
uint32_t custom_size; | ||
uint32_t bin_size; | ||
bool is_ta; | ||
bool is_root; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since parent
, handler
, is_ta
and is_root
are currently not used, I'd rather introduce them later. It is fine to mention in the commit log that this may be a first step towards supporting SDs, but it should not show in the code yet. The "secure storage TA" feature is useful on its own.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK
I don't agree with s/bootstrap/secure storage/g. I don't expect this to be used for anything but bootstrapping in a product. Test usage is another story, there we'll bootstrap a lot :-) I'm expecting this flow in a product:
As you see bootstrap signed TAs are only supposed to be used for just that, that they happen to be stored in secure storage has nothing to do with what they are. The main reason why a new format was needed is to be able to protect against downgrade attack of the bootstrap TA. |
@lorc, sorry, addressed the comments now. |
bef845d
to
6f8cc0f
Compare
Squashed and rebased, for reference the old state was bef845d |
Fixed checkpatch error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is xtest _9
failing in CI?
A few more comments here and there. Note that the SPDX/copyright stuff applies to a number of files. So, with my comments addressed:
- For commit b70515f ("libutils: add atomic load, store and cas"):
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 648d206 ("core: add refcount routines"), with or without my comment addressed:
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 95e5e7a ("core: fs_htree: bugfix creating empty file"):
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 9c11ac0 ("core: provide tee_svc_storage_file_ops()"):
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 1ffb3c8 ("core: add shdr type SHDR_BOOTSTRAP_TA"): s/bootstram/bootstrap/ in the commit log, with that:
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 712ae81 ("core: crypto: add struct shdr helper functions")
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 6f59c74 ("core: ree fs ta store: use new shdr_*() helpers"):
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit cf8a284 ("core: ree fs ta store: support bootstrap TA format"):
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 7e18023 ("Sign TAs as bootstrap TAs"):
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 4447470 ("core: add tadb"):
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit b7659f9 ("core: add ta storage based on tadb"):
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
- For commit 6f8cc0f ("core: add management pseudo TA"): I recommend appending "for secstor TAs" to the commit subject, anyway:
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
core/kernel/refcount.c
Outdated
/* | ||
* Note that atomic_cas_uint() updates oval to the current | ||
* r->val read, regardless of return value. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor:
I was a bit disturbed by this comment, because:
- We're only interested in what happens with
oval
when the function returns false. - When the function returns true,
oval
already has the value ofr->val
, so it is not really updated anyway
I'd suggest: /* At this point atomic_cas_uint() has updated oval to the current r->val */
after the if()
.
Same below.
lib/libutils/ext/include/atomic.h
Outdated
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
* POSSIBILITY OF SUCH DAMAGE. | ||
* SPDX-License-Identifier: BSD-2-Clause |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keep the license text and add the SPDX ID before.
core/include/kernel/refcount.h
Outdated
@@ -0,0 +1,71 @@ | |||
/* | |||
* Copyright (c) 2017, Linaro Limited | |||
* All rights reserved. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"All rights reserved" is cargo cult and IMO should better be omitted in new files (Wikipedia).
return NULL; | ||
memcpy(shdr, img, shdr_size); | ||
|
||
/* Check that the data wasn't modified before the copy was completed */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this add any security? I fail to imagine a case where continuing would be a problem, since the TA is signed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If shdr->hash_size
or shdr->sig_size
is increased we may access data outside the allocated buffer later on.
scripts/sign.py
Outdated
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
# POSSIBILITY OF SUCH DAMAGE. | ||
# SPDX-License-Identifier: BSD-2-Clause |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keep the license text
# TA binaries are stored encrypted in the REE FS and are protected by | ||
# metadata in secure storage. | ||
CFG_SECSTOR_TA ?= $(call cfg-all-enabled,CFG_REE_FS CFG_WITH_USER_TA) | ||
$(eval $(call cfg-depends-all,CFG_SECSTOR_TA,CFG_REE_FS CFG_WITH_USER_TA)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These two lines should go into commit "core: add ta storage based on tadb", not in "core: add management pseudo TA".
|
59f4fa9
to
2ff58f2
Compare
Comments, addressed, squashed and tags applied. |
|
* Adds atomic_load_uint() and atomic_load_u32() * Adds atomic_store_uint() and atomic_store_u32() * Adds atomic_cas_uint() and atomic_cas_u32(), compare and store Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds refcount_inc() and refcount_dec() Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Fixes problem with creating an empty htree file. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds a signed header type for bootstrap TA. This type is used when there isn't any security domains installed yet. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds struct shdr helper functions to allocate and verify a struct shdr. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Uses the new shdr_*() helper functions to verify a signed header. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds support for the new bootstrap TA format to the REE FS TA storage. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Changes to TA sign script to sign TAs as Bootstrap TAs (img_type == SHDR_BOOTSTRAP_TA) instead of the legacy TA format (img_type == SHDR_TA). Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds tadb which is a database in which TAs can be stored leveraging secure storage for anti-rollback, key storage and list of TAs. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds ta storage based on tadb. The TAs has to be installed in tadb before they can be loaded. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Adds a pseudo TA for management of Trusted Applications and Security Domains. The pseudo TA only provides a minimal interface, a more advanced interface is supposed to be provided by a user TA using this pseudo TA. Such a TA could for instance implement Global Platforms TEE Management Framework or OTrP. The management TA currently only supports installing bootstrap packaged TAs in secure storage. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960) Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2ff58f2
to
ff305df
Compare
Tag applied |
What's next step here? |
Since this breaks the |
All good now. Thanks. |
This pull request introduces bootstrap TAs which can completely replace the current TAs depending on how we'd like to progress.
I see some ways forward:
Doing 2 (or 3) doesn't mean that we have to remove the old code, we could just make it optional. But we'd change our current test setup to only install TAs via bootstrap TAs (or via a security domain).
Bootstrap TA are basically only the solution to the chicken and egg problem for security domains. Next step would be to introduce a security domain.