From: Jarkko Sakkinen <jarkko@kernel.org>
To: Sumit Garg <sumit.garg@linaro.org>
Cc: jarkko.sakkinen@linux.intel.com, zohar@linux.ibm.com,
jejb@linux.ibm.com, dhowells@redhat.com,
jens.wiklander@linaro.org, corbet@lwn.net, jmorris@namei.org,
serge@hallyn.com, casey@schaufler-ca.com,
janne.karhunen@gmail.com, daniel.thompson@linaro.org,
Markus.Wamser@mixed-mode.de, lhinds@redhat.com,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
op-tee@lists.trustedfirmware.org
Subject: Re: [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys
Date: Tue, 24 Nov 2020 05:46:01 +0200 [thread overview]
Message-ID: <20201124034601.GB40379@kernel.org> (raw)
In-Reply-To: <1604419306-26105-3-git-send-email-sumit.garg@linaro.org>
On Tue, Nov 03, 2020 at 09:31:44PM +0530, Sumit Garg wrote:
> Add support for TEE based trusted keys where TEE provides the functionality
> to seal and unseal trusted keys using hardware unique key.
>
> Refer to Documentation/tee.txt for detailed information about TEE.
>
> Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
> ---
> include/keys/trusted_tee.h | 55 ++++++
> security/keys/trusted-keys/Makefile | 1 +
> security/keys/trusted-keys/trusted_core.c | 4 +
> security/keys/trusted-keys/trusted_tee.c | 278 ++++++++++++++++++++++++++++++
> 4 files changed, 338 insertions(+)
> create mode 100644 include/keys/trusted_tee.h
> create mode 100644 security/keys/trusted-keys/trusted_tee.c
>
> diff --git a/include/keys/trusted_tee.h b/include/keys/trusted_tee.h
> new file mode 100644
> index 0000000..2e2bb15
> --- /dev/null
> +++ b/include/keys/trusted_tee.h
> @@ -0,0 +1,55 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2019-2020 Linaro Ltd.
> + *
> + * Author:
> + * Sumit Garg <sumit.garg@linaro.org>
> + */
> +
> +#ifndef __TEE_TRUSTED_KEY_H
> +#define __TEE_TRUSTED_KEY_H
> +
> +#include <linux/tee_drv.h>
> +
> +#define DRIVER_NAME "tee-trusted-key"
> +
> +/*
> + * Get random data for symmetric key
> + *
> + * [out] memref[0] Random data
> + */
> +#define TA_CMD_GET_RANDOM 0x0
> +
> +/*
> + * Seal trusted key using hardware unique key
> + *
> + * [in] memref[0] Plain key
> + * [out] memref[1] Sealed key datablob
> + */
> +#define TA_CMD_SEAL 0x1
> +
> +/*
> + * Unseal trusted key using hardware unique key
> + *
> + * [in] memref[0] Sealed key datablob
> + * [out] memref[1] Plain key
> + */
> +#define TA_CMD_UNSEAL 0x2
> +
> +/**
> + * struct trusted_key_private - TEE Trusted key private data
> + * @dev: TEE based Trusted key device.
> + * @ctx: TEE context handler.
> + * @session_id: Trusted key TA session identifier.
> + * @shm_pool: Memory pool shared with TEE device.
> + */
> +struct trusted_key_private {
> + struct device *dev;
> + struct tee_context *ctx;
> + u32 session_id;
> + struct tee_shm *shm_pool;
> +};
> +
> +extern struct trusted_key_ops tee_trusted_key_ops;
> +
> +#endif
> diff --git a/security/keys/trusted-keys/Makefile b/security/keys/trusted-keys/Makefile
> index 49e3bcf..012dd78 100644
> --- a/security/keys/trusted-keys/Makefile
> +++ b/security/keys/trusted-keys/Makefile
> @@ -7,3 +7,4 @@ obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
> trusted-y += trusted_core.o
> trusted-y += trusted_tpm1.o
> trusted-y += trusted_tpm2.o
> +trusted-y += trusted_tee.o
> diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
> index aa4f2a0..15b1b0f3 100644
> --- a/security/keys/trusted-keys/trusted_core.c
> +++ b/security/keys/trusted-keys/trusted_core.c
> @@ -8,6 +8,7 @@
>
> #include <keys/user-type.h>
> #include <keys/trusted-type.h>
> +#include <keys/trusted_tee.h>
> #include <keys/trusted_tpm.h>
> #include <linux/capability.h>
> #include <linux/err.h>
> @@ -29,6 +30,9 @@ static const struct trusted_key_source trusted_key_sources[] = {
> #if defined(CONFIG_TCG_TPM)
> { "tpm", &tpm_trusted_key_ops },
> #endif
> +#if defined(CONFIG_TEE)
> + { "tee", &tee_trusted_key_ops },
> +#endif
> };
>
> DEFINE_STATIC_CALL_NULL(trusted_key_init, *trusted_key_sources[0].ops->init);
> diff --git a/security/keys/trusted-keys/trusted_tee.c b/security/keys/trusted-keys/trusted_tee.c
> new file mode 100644
> index 0000000..da8785a
> --- /dev/null
> +++ b/security/keys/trusted-keys/trusted_tee.c
> @@ -0,0 +1,278 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019-2020 Linaro Ltd.
> + *
> + * Author:
> + * Sumit Garg <sumit.garg@linaro.org>
> + */
> +
> +#include <linux/err.h>
> +#include <linux/key-type.h>
> +#include <linux/slab.h>
> +#include <linux/string.h>
> +#include <linux/uuid.h>
> +
> +#include <keys/trusted-type.h>
> +#include <keys/trusted_tee.h>
> +
> +static struct trusted_key_private pvt_data;
> +
> +/*
> + * Have the TEE seal(encrypt) the symmetric key
> + */
> +static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
> +{
> + int ret;
> + struct tee_ioctl_invoke_arg inv_arg;
> + struct tee_param param[4];
> + struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +
> + memset(&inv_arg, 0, sizeof(inv_arg));
> + memset(¶m, 0, sizeof(param));
> +
> + reg_shm_in = tee_shm_register(pvt_data.ctx, (unsigned long)p->key,
> + p->key_len, TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_in)) {
> + dev_err(pvt_data.dev, "key shm register failed\n");
> + return PTR_ERR(reg_shm_in);
> + }
> +
> + reg_shm_out = tee_shm_register(pvt_data.ctx, (unsigned long)p->blob,
> + sizeof(p->blob), TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_out)) {
> + dev_err(pvt_data.dev, "blob shm register failed\n");
> + ret = PTR_ERR(reg_shm_out);
> + goto out;
> + }
> +
> + inv_arg.func = TA_CMD_SEAL;
> + inv_arg.session = pvt_data.session_id;
> + inv_arg.num_params = 4;
> +
> + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> + param[0].u.memref.shm = reg_shm_in;
> + param[0].u.memref.size = p->key_len;
> + param[0].u.memref.shm_offs = 0;
> + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> + param[1].u.memref.shm = reg_shm_out;
> + param[1].u.memref.size = sizeof(p->blob);
> + param[1].u.memref.shm_offs = 0;
> +
> + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> + if ((ret < 0) || (inv_arg.ret != 0)) {
> + dev_err(pvt_data.dev, "TA_CMD_SEAL invoke err: %x\n",
> + inv_arg.ret);
> + ret = -EFAULT;
> + } else {
> + p->blob_len = param[1].u.memref.size;
> + }
> +
> +out:
> + if (reg_shm_out)
> + tee_shm_free(reg_shm_out);
> + if (reg_shm_in)
> + tee_shm_free(reg_shm_in);
> +
> + return ret;
> +}
> +
> +/*
> + * Have the TEE unseal(decrypt) the symmetric key
> + */
> +static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
> +{
> + int ret;
> + struct tee_ioctl_invoke_arg inv_arg;
> + struct tee_param param[4];
> + struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +
> + memset(&inv_arg, 0, sizeof(inv_arg));
> + memset(¶m, 0, sizeof(param));
> +
> + reg_shm_in = tee_shm_register(pvt_data.ctx, (unsigned long)p->blob,
> + p->blob_len, TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_in)) {
> + dev_err(pvt_data.dev, "blob shm register failed\n");
> + return PTR_ERR(reg_shm_in);
> + }
> +
> + reg_shm_out = tee_shm_register(pvt_data.ctx, (unsigned long)p->key,
> + sizeof(p->key), TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_out)) {
> + dev_err(pvt_data.dev, "key shm register failed\n");
> + ret = PTR_ERR(reg_shm_out);
> + goto out;
> + }
> +
> + inv_arg.func = TA_CMD_UNSEAL;
> + inv_arg.session = pvt_data.session_id;
> + inv_arg.num_params = 4;
> +
> + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> + param[0].u.memref.shm = reg_shm_in;
> + param[0].u.memref.size = p->blob_len;
> + param[0].u.memref.shm_offs = 0;
> + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> + param[1].u.memref.shm = reg_shm_out;
> + param[1].u.memref.size = sizeof(p->key);
> + param[1].u.memref.shm_offs = 0;
> +
> + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> + if ((ret < 0) || (inv_arg.ret != 0)) {
> + dev_err(pvt_data.dev, "TA_CMD_UNSEAL invoke err: %x\n",
> + inv_arg.ret);
> + ret = -EFAULT;
> + } else {
> + p->key_len = param[1].u.memref.size;
> + }
> +
> +out:
> + if (reg_shm_out)
> + tee_shm_free(reg_shm_out);
> + if (reg_shm_in)
> + tee_shm_free(reg_shm_in);
> +
> + return ret;
> +}
> +
> +/*
> + * Have the TEE generate random symmetric key
> + */
> +static int trusted_tee_get_random(unsigned char *key, size_t key_len)
> +{
> + int ret;
> + struct tee_ioctl_invoke_arg inv_arg;
> + struct tee_param param[4];
> + struct tee_shm *reg_shm = NULL;
> +
> + memset(&inv_arg, 0, sizeof(inv_arg));
> + memset(¶m, 0, sizeof(param));
> +
> + reg_shm = tee_shm_register(pvt_data.ctx, (unsigned long)key, key_len,
> + TEE_SHM_DMA_BUF | TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm)) {
> + dev_err(pvt_data.dev, "key shm register failed\n");
> + return PTR_ERR(reg_shm);
> + }
> +
> + inv_arg.func = TA_CMD_GET_RANDOM;
> + inv_arg.session = pvt_data.session_id;
> + inv_arg.num_params = 4;
> +
> + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> + param[0].u.memref.shm = reg_shm;
> + param[0].u.memref.size = key_len;
> + param[0].u.memref.shm_offs = 0;
> +
> + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> + if ((ret < 0) || (inv_arg.ret != 0)) {
> + dev_err(pvt_data.dev, "TA_CMD_GET_RANDOM invoke err: %x\n",
> + inv_arg.ret);
> + ret = -EFAULT;
> + } else {
> + ret = param[0].u.memref.size;
> + }
> +
> + tee_shm_free(reg_shm);
> +
> + return ret;
> +}
> +
> +static int optee_ctx_match(struct tee_ioctl_version_data *ver, const void *data)
> +{
> + if (ver->impl_id == TEE_IMPL_ID_OPTEE)
> + return 1;
> + else
> + return 0;
> +}
> +
> +static int trusted_key_probe(struct device *dev)
> +{
> + struct tee_client_device *rng_device = to_tee_client_device(dev);
> + int ret;
> + struct tee_ioctl_open_session_arg sess_arg;
> +
> + memset(&sess_arg, 0, sizeof(sess_arg));
> +
> + pvt_data.ctx = tee_client_open_context(NULL, optee_ctx_match, NULL,
> + NULL);
> + if (IS_ERR(pvt_data.ctx))
> + return -ENODEV;
> +
> + memcpy(sess_arg.uuid, rng_device->id.uuid.b, TEE_IOCTL_UUID_LEN);
> + sess_arg.clnt_login = TEE_IOCTL_LOGIN_REE_KERNEL;
> + sess_arg.num_params = 0;
> +
> + ret = tee_client_open_session(pvt_data.ctx, &sess_arg, NULL);
> + if ((ret < 0) || (sess_arg.ret != 0)) {
> + dev_err(dev, "tee_client_open_session failed, err: %x\n",
> + sess_arg.ret);
> + ret = -EINVAL;
> + goto out_ctx;
> + }
> + pvt_data.session_id = sess_arg.session;
> +
> + ret = register_key_type(&key_type_trusted);
> + if (ret < 0)
> + goto out_sess;
> +
> + pvt_data.dev = dev;
> +
> + return 0;
> +
> +out_sess:
> + tee_client_close_session(pvt_data.ctx, pvt_data.session_id);
> +out_ctx:
> + tee_client_close_context(pvt_data.ctx);
> +
> + return ret;
> +}
> +
> +static int trusted_key_remove(struct device *dev)
> +{
> + unregister_key_type(&key_type_trusted);
> + tee_client_close_session(pvt_data.ctx, pvt_data.session_id);
> + tee_client_close_context(pvt_data.ctx);
> +
> + return 0;
> +}
> +
> +static const struct tee_client_device_id trusted_key_id_table[] = {
> + {UUID_INIT(0xf04a0fe7, 0x1f5d, 0x4b9b,
> + 0xab, 0xf7, 0x61, 0x9b, 0x85, 0xb4, 0xce, 0x8c)},
> + {}
> +};
> +MODULE_DEVICE_TABLE(tee, trusted_key_id_table);
> +
> +static struct tee_client_driver trusted_key_driver = {
> + .id_table = trusted_key_id_table,
> + .driver = {
> + .name = DRIVER_NAME,
> + .bus = &tee_bus_type,
> + .probe = trusted_key_probe,
> + .remove = trusted_key_remove,
> + },
> +};
> +
> +static int trusted_tee_init(void)
> +{
> + return driver_register(&trusted_key_driver.driver);
> +}
> +
> +static void trusted_tee_exit(void)
> +{
> + driver_unregister(&trusted_key_driver.driver);
> +}
> +
> +struct trusted_key_ops tee_trusted_key_ops = {
Nit: trusted_key_tee_ops
> + .migratable = 0, /* non-migratable */
> + .init = trusted_tee_init,
> + .seal = trusted_tee_seal,
> + .unseal = trusted_tee_unseal,
> + .get_random = trusted_tee_get_random,
> + .exit = trusted_tee_exit,
> +};
> --
> 2.7.4
>
>
/Jarkko
WARNING: multiple messages have this Message-ID (diff)
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Sumit Garg <sumit.garg@linaro.org>
Cc: linux-security-module@vger.kernel.org,
daniel.thompson@linaro.org, op-tee@lists.trustedfirmware.org,
corbet@lwn.net, jejb@linux.ibm.com, janne.karhunen@gmail.com,
linux-doc@vger.kernel.org, jmorris@namei.org,
zohar@linux.ibm.com, linux-kernel@vger.kernel.org,
dhowells@redhat.com, lhinds@redhat.com, keyrings@vger.kernel.org,
jarkko.sakkinen@linux.intel.com, Markus.Wamser@mixed-mode.de,
casey@schaufler-ca.com, linux-integrity@vger.kernel.org,
jens.wiklander@linaro.org, linux-arm-kernel@lists.infradead.org,
serge@hallyn.com
Subject: Re: [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys
Date: Tue, 24 Nov 2020 05:46:01 +0200 [thread overview]
Message-ID: <20201124034601.GB40379@kernel.org> (raw)
In-Reply-To: <1604419306-26105-3-git-send-email-sumit.garg@linaro.org>
On Tue, Nov 03, 2020 at 09:31:44PM +0530, Sumit Garg wrote:
> Add support for TEE based trusted keys where TEE provides the functionality
> to seal and unseal trusted keys using hardware unique key.
>
> Refer to Documentation/tee.txt for detailed information about TEE.
>
> Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
> ---
> include/keys/trusted_tee.h | 55 ++++++
> security/keys/trusted-keys/Makefile | 1 +
> security/keys/trusted-keys/trusted_core.c | 4 +
> security/keys/trusted-keys/trusted_tee.c | 278 ++++++++++++++++++++++++++++++
> 4 files changed, 338 insertions(+)
> create mode 100644 include/keys/trusted_tee.h
> create mode 100644 security/keys/trusted-keys/trusted_tee.c
>
> diff --git a/include/keys/trusted_tee.h b/include/keys/trusted_tee.h
> new file mode 100644
> index 0000000..2e2bb15
> --- /dev/null
> +++ b/include/keys/trusted_tee.h
> @@ -0,0 +1,55 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2019-2020 Linaro Ltd.
> + *
> + * Author:
> + * Sumit Garg <sumit.garg@linaro.org>
> + */
> +
> +#ifndef __TEE_TRUSTED_KEY_H
> +#define __TEE_TRUSTED_KEY_H
> +
> +#include <linux/tee_drv.h>
> +
> +#define DRIVER_NAME "tee-trusted-key"
> +
> +/*
> + * Get random data for symmetric key
> + *
> + * [out] memref[0] Random data
> + */
> +#define TA_CMD_GET_RANDOM 0x0
> +
> +/*
> + * Seal trusted key using hardware unique key
> + *
> + * [in] memref[0] Plain key
> + * [out] memref[1] Sealed key datablob
> + */
> +#define TA_CMD_SEAL 0x1
> +
> +/*
> + * Unseal trusted key using hardware unique key
> + *
> + * [in] memref[0] Sealed key datablob
> + * [out] memref[1] Plain key
> + */
> +#define TA_CMD_UNSEAL 0x2
> +
> +/**
> + * struct trusted_key_private - TEE Trusted key private data
> + * @dev: TEE based Trusted key device.
> + * @ctx: TEE context handler.
> + * @session_id: Trusted key TA session identifier.
> + * @shm_pool: Memory pool shared with TEE device.
> + */
> +struct trusted_key_private {
> + struct device *dev;
> + struct tee_context *ctx;
> + u32 session_id;
> + struct tee_shm *shm_pool;
> +};
> +
> +extern struct trusted_key_ops tee_trusted_key_ops;
> +
> +#endif
> diff --git a/security/keys/trusted-keys/Makefile b/security/keys/trusted-keys/Makefile
> index 49e3bcf..012dd78 100644
> --- a/security/keys/trusted-keys/Makefile
> +++ b/security/keys/trusted-keys/Makefile
> @@ -7,3 +7,4 @@ obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
> trusted-y += trusted_core.o
> trusted-y += trusted_tpm1.o
> trusted-y += trusted_tpm2.o
> +trusted-y += trusted_tee.o
> diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
> index aa4f2a0..15b1b0f3 100644
> --- a/security/keys/trusted-keys/trusted_core.c
> +++ b/security/keys/trusted-keys/trusted_core.c
> @@ -8,6 +8,7 @@
>
> #include <keys/user-type.h>
> #include <keys/trusted-type.h>
> +#include <keys/trusted_tee.h>
> #include <keys/trusted_tpm.h>
> #include <linux/capability.h>
> #include <linux/err.h>
> @@ -29,6 +30,9 @@ static const struct trusted_key_source trusted_key_sources[] = {
> #if defined(CONFIG_TCG_TPM)
> { "tpm", &tpm_trusted_key_ops },
> #endif
> +#if defined(CONFIG_TEE)
> + { "tee", &tee_trusted_key_ops },
> +#endif
> };
>
> DEFINE_STATIC_CALL_NULL(trusted_key_init, *trusted_key_sources[0].ops->init);
> diff --git a/security/keys/trusted-keys/trusted_tee.c b/security/keys/trusted-keys/trusted_tee.c
> new file mode 100644
> index 0000000..da8785a
> --- /dev/null
> +++ b/security/keys/trusted-keys/trusted_tee.c
> @@ -0,0 +1,278 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019-2020 Linaro Ltd.
> + *
> + * Author:
> + * Sumit Garg <sumit.garg@linaro.org>
> + */
> +
> +#include <linux/err.h>
> +#include <linux/key-type.h>
> +#include <linux/slab.h>
> +#include <linux/string.h>
> +#include <linux/uuid.h>
> +
> +#include <keys/trusted-type.h>
> +#include <keys/trusted_tee.h>
> +
> +static struct trusted_key_private pvt_data;
> +
> +/*
> + * Have the TEE seal(encrypt) the symmetric key
> + */
> +static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
> +{
> + int ret;
> + struct tee_ioctl_invoke_arg inv_arg;
> + struct tee_param param[4];
> + struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +
> + memset(&inv_arg, 0, sizeof(inv_arg));
> + memset(¶m, 0, sizeof(param));
> +
> + reg_shm_in = tee_shm_register(pvt_data.ctx, (unsigned long)p->key,
> + p->key_len, TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_in)) {
> + dev_err(pvt_data.dev, "key shm register failed\n");
> + return PTR_ERR(reg_shm_in);
> + }
> +
> + reg_shm_out = tee_shm_register(pvt_data.ctx, (unsigned long)p->blob,
> + sizeof(p->blob), TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_out)) {
> + dev_err(pvt_data.dev, "blob shm register failed\n");
> + ret = PTR_ERR(reg_shm_out);
> + goto out;
> + }
> +
> + inv_arg.func = TA_CMD_SEAL;
> + inv_arg.session = pvt_data.session_id;
> + inv_arg.num_params = 4;
> +
> + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> + param[0].u.memref.shm = reg_shm_in;
> + param[0].u.memref.size = p->key_len;
> + param[0].u.memref.shm_offs = 0;
> + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> + param[1].u.memref.shm = reg_shm_out;
> + param[1].u.memref.size = sizeof(p->blob);
> + param[1].u.memref.shm_offs = 0;
> +
> + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> + if ((ret < 0) || (inv_arg.ret != 0)) {
> + dev_err(pvt_data.dev, "TA_CMD_SEAL invoke err: %x\n",
> + inv_arg.ret);
> + ret = -EFAULT;
> + } else {
> + p->blob_len = param[1].u.memref.size;
> + }
> +
> +out:
> + if (reg_shm_out)
> + tee_shm_free(reg_shm_out);
> + if (reg_shm_in)
> + tee_shm_free(reg_shm_in);
> +
> + return ret;
> +}
> +
> +/*
> + * Have the TEE unseal(decrypt) the symmetric key
> + */
> +static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
> +{
> + int ret;
> + struct tee_ioctl_invoke_arg inv_arg;
> + struct tee_param param[4];
> + struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
> +
> + memset(&inv_arg, 0, sizeof(inv_arg));
> + memset(¶m, 0, sizeof(param));
> +
> + reg_shm_in = tee_shm_register(pvt_data.ctx, (unsigned long)p->blob,
> + p->blob_len, TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_in)) {
> + dev_err(pvt_data.dev, "blob shm register failed\n");
> + return PTR_ERR(reg_shm_in);
> + }
> +
> + reg_shm_out = tee_shm_register(pvt_data.ctx, (unsigned long)p->key,
> + sizeof(p->key), TEE_SHM_DMA_BUF |
> + TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm_out)) {
> + dev_err(pvt_data.dev, "key shm register failed\n");
> + ret = PTR_ERR(reg_shm_out);
> + goto out;
> + }
> +
> + inv_arg.func = TA_CMD_UNSEAL;
> + inv_arg.session = pvt_data.session_id;
> + inv_arg.num_params = 4;
> +
> + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
> + param[0].u.memref.shm = reg_shm_in;
> + param[0].u.memref.size = p->blob_len;
> + param[0].u.memref.shm_offs = 0;
> + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> + param[1].u.memref.shm = reg_shm_out;
> + param[1].u.memref.size = sizeof(p->key);
> + param[1].u.memref.shm_offs = 0;
> +
> + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> + if ((ret < 0) || (inv_arg.ret != 0)) {
> + dev_err(pvt_data.dev, "TA_CMD_UNSEAL invoke err: %x\n",
> + inv_arg.ret);
> + ret = -EFAULT;
> + } else {
> + p->key_len = param[1].u.memref.size;
> + }
> +
> +out:
> + if (reg_shm_out)
> + tee_shm_free(reg_shm_out);
> + if (reg_shm_in)
> + tee_shm_free(reg_shm_in);
> +
> + return ret;
> +}
> +
> +/*
> + * Have the TEE generate random symmetric key
> + */
> +static int trusted_tee_get_random(unsigned char *key, size_t key_len)
> +{
> + int ret;
> + struct tee_ioctl_invoke_arg inv_arg;
> + struct tee_param param[4];
> + struct tee_shm *reg_shm = NULL;
> +
> + memset(&inv_arg, 0, sizeof(inv_arg));
> + memset(¶m, 0, sizeof(param));
> +
> + reg_shm = tee_shm_register(pvt_data.ctx, (unsigned long)key, key_len,
> + TEE_SHM_DMA_BUF | TEE_SHM_KERNEL_MAPPED);
> + if (IS_ERR(reg_shm)) {
> + dev_err(pvt_data.dev, "key shm register failed\n");
> + return PTR_ERR(reg_shm);
> + }
> +
> + inv_arg.func = TA_CMD_GET_RANDOM;
> + inv_arg.session = pvt_data.session_id;
> + inv_arg.num_params = 4;
> +
> + param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
> + param[0].u.memref.shm = reg_shm;
> + param[0].u.memref.size = key_len;
> + param[0].u.memref.shm_offs = 0;
> +
> + ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
> + if ((ret < 0) || (inv_arg.ret != 0)) {
> + dev_err(pvt_data.dev, "TA_CMD_GET_RANDOM invoke err: %x\n",
> + inv_arg.ret);
> + ret = -EFAULT;
> + } else {
> + ret = param[0].u.memref.size;
> + }
> +
> + tee_shm_free(reg_shm);
> +
> + return ret;
> +}
> +
> +static int optee_ctx_match(struct tee_ioctl_version_data *ver, const void *data)
> +{
> + if (ver->impl_id == TEE_IMPL_ID_OPTEE)
> + return 1;
> + else
> + return 0;
> +}
> +
> +static int trusted_key_probe(struct device *dev)
> +{
> + struct tee_client_device *rng_device = to_tee_client_device(dev);
> + int ret;
> + struct tee_ioctl_open_session_arg sess_arg;
> +
> + memset(&sess_arg, 0, sizeof(sess_arg));
> +
> + pvt_data.ctx = tee_client_open_context(NULL, optee_ctx_match, NULL,
> + NULL);
> + if (IS_ERR(pvt_data.ctx))
> + return -ENODEV;
> +
> + memcpy(sess_arg.uuid, rng_device->id.uuid.b, TEE_IOCTL_UUID_LEN);
> + sess_arg.clnt_login = TEE_IOCTL_LOGIN_REE_KERNEL;
> + sess_arg.num_params = 0;
> +
> + ret = tee_client_open_session(pvt_data.ctx, &sess_arg, NULL);
> + if ((ret < 0) || (sess_arg.ret != 0)) {
> + dev_err(dev, "tee_client_open_session failed, err: %x\n",
> + sess_arg.ret);
> + ret = -EINVAL;
> + goto out_ctx;
> + }
> + pvt_data.session_id = sess_arg.session;
> +
> + ret = register_key_type(&key_type_trusted);
> + if (ret < 0)
> + goto out_sess;
> +
> + pvt_data.dev = dev;
> +
> + return 0;
> +
> +out_sess:
> + tee_client_close_session(pvt_data.ctx, pvt_data.session_id);
> +out_ctx:
> + tee_client_close_context(pvt_data.ctx);
> +
> + return ret;
> +}
> +
> +static int trusted_key_remove(struct device *dev)
> +{
> + unregister_key_type(&key_type_trusted);
> + tee_client_close_session(pvt_data.ctx, pvt_data.session_id);
> + tee_client_close_context(pvt_data.ctx);
> +
> + return 0;
> +}
> +
> +static const struct tee_client_device_id trusted_key_id_table[] = {
> + {UUID_INIT(0xf04a0fe7, 0x1f5d, 0x4b9b,
> + 0xab, 0xf7, 0x61, 0x9b, 0x85, 0xb4, 0xce, 0x8c)},
> + {}
> +};
> +MODULE_DEVICE_TABLE(tee, trusted_key_id_table);
> +
> +static struct tee_client_driver trusted_key_driver = {
> + .id_table = trusted_key_id_table,
> + .driver = {
> + .name = DRIVER_NAME,
> + .bus = &tee_bus_type,
> + .probe = trusted_key_probe,
> + .remove = trusted_key_remove,
> + },
> +};
> +
> +static int trusted_tee_init(void)
> +{
> + return driver_register(&trusted_key_driver.driver);
> +}
> +
> +static void trusted_tee_exit(void)
> +{
> + driver_unregister(&trusted_key_driver.driver);
> +}
> +
> +struct trusted_key_ops tee_trusted_key_ops = {
Nit: trusted_key_tee_ops
> + .migratable = 0, /* non-migratable */
> + .init = trusted_tee_init,
> + .seal = trusted_tee_seal,
> + .unseal = trusted_tee_unseal,
> + .get_random = trusted_tee_get_random,
> + .exit = trusted_tee_exit,
> +};
> --
> 2.7.4
>
>
/Jarkko
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-11-24 3:46 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-03 16:01 [PATCH v8 0/4] Introduce TEE based Trusted Keys support Sumit Garg
2020-11-03 16:01 ` Sumit Garg
2020-11-03 16:01 ` [PATCH v8 1/4] KEYS: trusted: Add generic trusted keys framework Sumit Garg
2020-11-03 16:01 ` Sumit Garg
2020-11-24 3:42 ` Jarkko Sakkinen
2020-11-24 3:42 ` Jarkko Sakkinen
2021-02-15 13:13 ` Sumit Garg
2021-02-15 13:13 ` Sumit Garg
2021-02-10 17:00 ` Jarkko Sakkinen
2021-02-10 17:00 ` Jarkko Sakkinen
2021-02-11 10:34 ` Ahmad Fatoum
2021-02-11 10:34 ` Ahmad Fatoum
2021-02-12 12:22 ` Jarkko Sakkinen
2021-02-12 12:22 ` Jarkko Sakkinen
2021-02-15 13:15 ` Sumit Garg
2021-02-15 13:15 ` Sumit Garg
2020-11-03 16:01 ` [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys Sumit Garg
2020-11-03 16:01 ` Sumit Garg
2020-11-04 3:19 ` kernel test robot
2020-11-04 7:56 ` Sumit Garg
2020-11-24 3:46 ` Jarkko Sakkinen [this message]
2020-11-24 3:46 ` Jarkko Sakkinen
2021-01-11 16:35 ` Jarkko Sakkinen
2021-01-11 16:35 ` Jarkko Sakkinen
2021-01-13 11:17 ` Sumit Garg
2021-01-13 11:17 ` Sumit Garg
2021-01-14 2:05 ` Jarkko Sakkinen
2021-01-14 2:05 ` Jarkko Sakkinen
2021-01-15 6:02 ` Sumit Garg
2021-01-15 6:02 ` Sumit Garg
2021-01-19 10:30 ` Jarkko Sakkinen
2021-01-19 10:30 ` Jarkko Sakkinen
2021-01-20 1:31 ` Jarkko Sakkinen
2021-01-20 1:31 ` Jarkko Sakkinen
2021-01-20 7:23 ` Sumit Garg
2021-01-20 7:23 ` Sumit Garg
2021-01-21 0:01 ` Jarkko Sakkinen
2021-01-21 0:01 ` Jarkko Sakkinen
[not found] ` <01000177223f74d3-1eef7685-4a19-40d2-ace6-d4cd7f35579d-000000@email.amazonses.com>
2021-01-21 8:44 ` Jerome Forissier
2021-01-21 8:44 ` Jerome Forissier
2021-01-21 15:07 ` Jarkko Sakkinen
2021-01-21 15:07 ` Jarkko Sakkinen
2021-01-21 15:24 ` Jarkko Sakkinen
2021-01-21 15:24 ` Jarkko Sakkinen
2021-01-21 16:23 ` Jerome Forissier
2021-01-21 16:23 ` Jerome Forissier
2021-01-22 18:12 ` Jarkko Sakkinen
2021-01-22 18:12 ` Jarkko Sakkinen
2021-01-25 9:17 ` Sumit Garg
2021-01-27 17:14 ` Jarkko Sakkinen
2021-01-27 17:14 ` Jarkko Sakkinen
2021-01-27 17:19 ` Jarkko Sakkinen
2021-01-27 17:19 ` Jarkko Sakkinen
2021-02-04 0:05 ` Jarkko Sakkinen
2021-02-04 0:05 ` Jarkko Sakkinen
2021-02-11 23:34 ` Jarkko Sakkinen
2021-02-11 23:34 ` Jarkko Sakkinen
2021-02-11 23:35 ` Jarkko Sakkinen
2021-02-11 23:35 ` Jarkko Sakkinen
2021-02-15 13:07 ` Sumit Garg
2021-02-15 13:07 ` Sumit Garg
2021-02-16 7:29 ` Jarkko Sakkinen
2021-02-16 7:29 ` Jarkko Sakkinen
2021-02-22 7:15 ` Sumit Garg
2021-02-22 7:15 ` Sumit Garg
2021-02-24 16:58 ` Jarkko Sakkinen
2021-02-24 16:58 ` Jarkko Sakkinen
2021-01-20 13:36 ` Ahmad Fatoum
2021-01-20 13:36 ` Ahmad Fatoum
2020-11-03 16:01 ` [PATCH v8 3/4] doc: trusted-encrypted: updates with TEE as a new trust source Sumit Garg
2020-11-03 16:01 ` Sumit Garg
2020-12-02 19:34 ` gmail Elaine Palmer
2020-12-02 19:34 ` gmail Elaine Palmer
2020-12-04 15:30 ` Jarkko Sakkinen
2020-12-04 15:30 ` Jarkko Sakkinen
2020-12-08 15:02 ` Mimi Zohar
2020-12-08 15:02 ` Mimi Zohar
2020-12-08 17:49 ` Jarkko Sakkinen
2020-12-08 17:49 ` Jarkko Sakkinen
2020-12-09 16:50 ` Mimi Zohar
2020-12-09 16:50 ` Mimi Zohar
2020-12-11 10:36 ` Jarkko Sakkinen
2020-12-11 10:36 ` Jarkko Sakkinen
2020-12-11 15:29 ` Mimi Zohar
2020-12-11 15:29 ` Mimi Zohar
2020-12-06 18:51 ` Randy Dunlap
2020-12-06 18:51 ` Randy Dunlap
2020-12-08 15:55 ` Mimi Zohar
2020-12-08 15:55 ` Mimi Zohar
2020-12-08 17:07 ` Mimi Zohar
2020-12-08 17:07 ` Mimi Zohar
2020-11-03 16:01 ` [PATCH v8 4/4] MAINTAINERS: Add myself as Trusted Keys co-maintainer Sumit Garg
2020-11-03 16:01 ` Sumit Garg
2020-11-24 3:46 ` Jarkko Sakkinen
2020-11-24 3:46 ` Jarkko Sakkinen
2020-11-05 5:07 ` [PATCH v8 0/4] Introduce TEE based Trusted Keys support Jarkko Sakkinen
2020-11-05 5:07 ` Jarkko Sakkinen
2020-11-06 9:32 ` Sumit Garg
2020-11-06 9:32 ` Sumit Garg
2020-11-06 14:52 ` Jarkko Sakkinen
2020-11-06 14:52 ` Jarkko Sakkinen
2020-12-04 5:16 ` Jarkko Sakkinen
2020-12-04 5:16 ` Jarkko Sakkinen
2020-12-08 11:51 ` Sumit Garg
2020-12-08 11:51 ` Sumit Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201124034601.GB40379@kernel.org \
--to=jarkko@kernel.org \
--cc=Markus.Wamser@mixed-mode.de \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=daniel.thompson@linaro.org \
--cc=dhowells@redhat.com \
--cc=janne.karhunen@gmail.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jejb@linux.ibm.com \
--cc=jens.wiklander@linaro.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=lhinds@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=op-tee@lists.trustedfirmware.org \
--cc=serge@hallyn.com \
--cc=sumit.garg@linaro.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.