tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

tee: optee: Add SMC for loading OP-TEE image

Adds an SMC call that will pass an OP-TEE binary image to EL3 and
instruct it to load it as the BL32 payload. This works in conjunction
with a feature added to Trusted Firmware for ARMv8 and above
architectures that supports this.

The main purpose of this change is to facilitate updating the OP-TEE
component on devices via a rootfs change rather than having to do a
firmware update. Further details are linked to in the Kconfig file.

Signed-off-by: Jeffrey Kardatzke <jkardatzke@chromium.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

authored by

Jeffrey Kardatzke and committed by
Jens Wiklander f3040daa eeac8ede

+243
+53
Documentation/staging/tee.rst
··· 214 214 building block for OP-TEE OS in secure world to implement the top half and 215 215 bottom half style of device drivers. 216 216 217 + OPTEE_INSECURE_LOAD_IMAGE Kconfig option 218 + ---------------------------------------- 219 + 220 + The OPTEE_INSECURE_LOAD_IMAGE Kconfig option enables the ability to load the 221 + BL32 OP-TEE image from the kernel after the kernel boots, rather than loading 222 + it from the firmware before the kernel boots. This also requires enabling the 223 + corresponding option in Trusted Firmware for Arm. The Trusted Firmware for Arm 224 + documentation [8] explains the security threat associated with enabling this as 225 + well as mitigations at the firmware and platform level. 226 + 227 + There are additional attack vectors/mitigations for the kernel that should be 228 + addressed when using this option. 229 + 230 + 1. Boot chain security. 231 + 232 + * Attack vector: Replace the OP-TEE OS image in the rootfs to gain control of 233 + the system. 234 + 235 + * Mitigation: There must be boot chain security that verifies the kernel and 236 + rootfs, otherwise an attacker can modify the loaded OP-TEE binary by 237 + modifying it in the rootfs. 238 + 239 + 2. Alternate boot modes. 240 + 241 + * Attack vector: Using an alternate boot mode (i.e. recovery mode), the 242 + OP-TEE driver isn't loaded, leaving the SMC hole open. 243 + 244 + * Mitigation: If there are alternate methods of booting the device, such as a 245 + recovery mode, it should be ensured that the same mitigations are applied 246 + in that mode. 247 + 248 + 3. Attacks prior to SMC invocation. 249 + 250 + * Attack vector: Code that is executed prior to issuing the SMC call to load 251 + OP-TEE can be exploited to then load an alternate OS image. 252 + 253 + * Mitigation: The OP-TEE driver must be loaded before any potential attack 254 + vectors are opened up. This should include mounting of any modifiable 255 + filesystems, opening of network ports or communicating with external 256 + devices (e.g. USB). 257 + 258 + 4. Blocking SMC call to load OP-TEE. 259 + 260 + * Attack vector: Prevent the driver from being probed, so the SMC call to 261 + load OP-TEE isn't executed when desired, leaving it open to being executed 262 + later and loading a modified OS. 263 + 264 + * Mitigation: It is recommended to build the OP-TEE driver as builtin driver 265 + rather than as a module to prevent exploits that may cause the module to 266 + not be loaded. 267 + 217 268 AMD-TEE driver 218 269 ============== 219 270 ··· 360 309 [6] include/linux/psp-tee.h 361 310 362 311 [7] drivers/tee/amdtee/amdtee_if.h 312 + 313 + [8] https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html
+17
drivers/tee/optee/Kconfig
··· 7 7 help 8 8 This implements the OP-TEE Trusted Execution Environment (TEE) 9 9 driver. 10 + 11 + config OPTEE_INSECURE_LOAD_IMAGE 12 + bool "Load OP-TEE image as firmware" 13 + default n 14 + depends on OPTEE && ARM64 15 + help 16 + This loads the BL32 image for OP-TEE as firmware when the driver is 17 + probed. This returns -EPROBE_DEFER until the firmware is loadable from 18 + the filesystem which is determined by checking the system_state until 19 + it is in SYSTEM_RUNNING. This also requires enabling the corresponding 20 + option in Trusted Firmware for Arm. The documentation there explains 21 + the security threat associated with enabling this as well as 22 + mitigations at the firmware and platform level. 23 + https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html 24 + 25 + Additional documentation on kernel security risks are at 26 + Documentation/staging/tee.rst.
+12
drivers/tee/optee/optee_msg.h
··· 241 241 * 384fb3e0-e7f8-11e3-af63-0002a5d5c51b. 242 242 * Represented in 4 32-bit words in OPTEE_MSG_UID_0, OPTEE_MSG_UID_1, 243 243 * OPTEE_MSG_UID_2, OPTEE_MSG_UID_3. 244 + * 245 + * In the case where the OP-TEE image is loaded by the kernel, this will 246 + * initially return an alternate UID to reflect that we are communicating with 247 + * the TF-A image loading service at that time instead of OP-TEE. That UID is: 248 + * a3fbeab1-1246-315d-c7c4-06b9c03cbea4. 249 + * Represented in 4 32-bit words in OPTEE_MSG_IMAGE_LOAD_UID_0, 250 + * OPTEE_MSG_IMAGE_LOAD_UID_1, OPTEE_MSG_IMAGE_LOAD_UID_2, 251 + * OPTEE_MSG_IMAGE_LOAD_UID_3. 244 252 */ 245 253 #define OPTEE_MSG_UID_0 0x384fb3e0 246 254 #define OPTEE_MSG_UID_1 0xe7f811e3 247 255 #define OPTEE_MSG_UID_2 0xaf630002 248 256 #define OPTEE_MSG_UID_3 0xa5d5c51b 257 + #define OPTEE_MSG_IMAGE_LOAD_UID_0 0xa3fbeab1 258 + #define OPTEE_MSG_IMAGE_LOAD_UID_1 0x1246315d 259 + #define OPTEE_MSG_IMAGE_LOAD_UID_2 0xc7c406b9 260 + #define OPTEE_MSG_IMAGE_LOAD_UID_3 0xc03cbea4 249 261 #define OPTEE_MSG_FUNCID_CALLS_UID 0xFF01 250 262 251 263 /*
+24
drivers/tee/optee/optee_smc.h
··· 105 105 }; 106 106 107 107 /* 108 + * Load Trusted OS from optee/tee.bin in the Linux firmware. 109 + * 110 + * WARNING: Use this cautiously as it could lead to insecure loading of the 111 + * Trusted OS. 112 + * This SMC instructs EL3 to load a binary and execute it as the Trusted OS. 113 + * 114 + * Call register usage: 115 + * a0 SMC Function ID, OPTEE_SMC_CALL_LOAD_IMAGE 116 + * a1 Upper 32bit of a 64bit size for the payload 117 + * a2 Lower 32bit of a 64bit size for the payload 118 + * a3 Upper 32bit of the physical address for the payload 119 + * a4 Lower 32bit of the physical address for the payload 120 + * 121 + * The payload is in the OP-TEE image format. 122 + * 123 + * Returns result in a0, 0 on success and an error code otherwise. 124 + */ 125 + #define OPTEE_SMC_FUNCID_LOAD_IMAGE 2 126 + #define OPTEE_SMC_CALL_LOAD_IMAGE \ 127 + ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, ARM_SMCCC_SMC_32, \ 128 + ARM_SMCCC_OWNER_TRUSTED_OS_END, \ 129 + OPTEE_SMC_FUNCID_LOAD_IMAGE) 130 + 131 + /* 108 132 * Call with struct optee_msg_arg as argument 109 133 * 110 134 * When called with OPTEE_SMC_CALL_WITH_RPC_ARG or
+137
drivers/tee/optee/smc_abi.c
··· 7 7 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 8 8 9 9 #include <linux/arm-smccc.h> 10 + #include <linux/cpuhotplug.h> 10 11 #include <linux/errno.h> 12 + #include <linux/firmware.h> 11 13 #include <linux/interrupt.h> 12 14 #include <linux/io.h> 13 15 #include <linux/irqdomain.h> 16 + #include <linux/kernel.h> 14 17 #include <linux/mm.h> 15 18 #include <linux/module.h> 16 19 #include <linux/of.h> ··· 1152 1149 return false; 1153 1150 } 1154 1151 1152 + #ifdef CONFIG_OPTEE_INSECURE_LOAD_IMAGE 1153 + static bool optee_msg_api_uid_is_optee_image_load(optee_invoke_fn *invoke_fn) 1154 + { 1155 + struct arm_smccc_res res; 1156 + 1157 + invoke_fn(OPTEE_SMC_CALLS_UID, 0, 0, 0, 0, 0, 0, 0, &res); 1158 + 1159 + if (res.a0 == OPTEE_MSG_IMAGE_LOAD_UID_0 && 1160 + res.a1 == OPTEE_MSG_IMAGE_LOAD_UID_1 && 1161 + res.a2 == OPTEE_MSG_IMAGE_LOAD_UID_2 && 1162 + res.a3 == OPTEE_MSG_IMAGE_LOAD_UID_3) 1163 + return true; 1164 + return false; 1165 + } 1166 + #endif 1167 + 1155 1168 static void optee_msg_get_os_revision(optee_invoke_fn *invoke_fn) 1156 1169 { 1157 1170 union { ··· 1373 1354 optee_disable_shm_cache(optee); 1374 1355 } 1375 1356 1357 + #ifdef CONFIG_OPTEE_INSECURE_LOAD_IMAGE 1358 + 1359 + #define OPTEE_FW_IMAGE "optee/tee.bin" 1360 + 1361 + static optee_invoke_fn *cpuhp_invoke_fn; 1362 + 1363 + static int optee_cpuhp_probe(unsigned int cpu) 1364 + { 1365 + /* 1366 + * Invoking a call on a CPU will cause OP-TEE to perform the required 1367 + * setup for that CPU. Just invoke the call to get the UID since that 1368 + * has no side effects. 1369 + */ 1370 + if (optee_msg_api_uid_is_optee_api(cpuhp_invoke_fn)) 1371 + return 0; 1372 + else 1373 + return -EINVAL; 1374 + } 1375 + 1376 + static int optee_load_fw(struct platform_device *pdev, 1377 + optee_invoke_fn *invoke_fn) 1378 + { 1379 + const struct firmware *fw = NULL; 1380 + struct arm_smccc_res res; 1381 + phys_addr_t data_pa; 1382 + u8 *data_buf = NULL; 1383 + u64 data_size; 1384 + u32 data_pa_high, data_pa_low; 1385 + u32 data_size_high, data_size_low; 1386 + int rc; 1387 + int hp_state; 1388 + 1389 + if (!optee_msg_api_uid_is_optee_image_load(invoke_fn)) 1390 + return 0; 1391 + 1392 + rc = request_firmware(&fw, OPTEE_FW_IMAGE, &pdev->dev); 1393 + if (rc) { 1394 + /* 1395 + * The firmware in the rootfs will not be accessible until we 1396 + * are in the SYSTEM_RUNNING state, so return EPROBE_DEFER until 1397 + * that point. 1398 + */ 1399 + if (system_state < SYSTEM_RUNNING) 1400 + return -EPROBE_DEFER; 1401 + goto fw_err; 1402 + } 1403 + 1404 + data_size = fw->size; 1405 + /* 1406 + * This uses the GFP_DMA flag to ensure we are allocated memory in the 1407 + * 32-bit space since TF-A cannot map memory beyond the 32-bit boundary. 1408 + */ 1409 + data_buf = kmalloc(fw->size, GFP_KERNEL | GFP_DMA); 1410 + if (!data_buf) { 1411 + rc = -ENOMEM; 1412 + goto fw_err; 1413 + } 1414 + memcpy(data_buf, fw->data, fw->size); 1415 + data_pa = virt_to_phys(data_buf); 1416 + reg_pair_from_64(&data_pa_high, &data_pa_low, data_pa); 1417 + reg_pair_from_64(&data_size_high, &data_size_low, data_size); 1418 + goto fw_load; 1419 + 1420 + fw_err: 1421 + pr_warn("image loading failed\n"); 1422 + data_pa_high = 0; 1423 + data_pa_low = 0; 1424 + data_size_high = 0; 1425 + data_size_low = 0; 1426 + 1427 + fw_load: 1428 + /* 1429 + * Always invoke the SMC, even if loading the image fails, to indicate 1430 + * to EL3 that we have passed the point where it should allow invoking 1431 + * this SMC. 1432 + */ 1433 + pr_warn("OP-TEE image loaded from kernel, this can be insecure"); 1434 + invoke_fn(OPTEE_SMC_CALL_LOAD_IMAGE, data_size_high, data_size_low, 1435 + data_pa_high, data_pa_low, 0, 0, 0, &res); 1436 + if (!rc) 1437 + rc = res.a0; 1438 + if (fw) 1439 + release_firmware(fw); 1440 + kfree(data_buf); 1441 + 1442 + if (!rc) { 1443 + /* 1444 + * We need to initialize OP-TEE on all other running cores as 1445 + * well. Any cores that aren't running yet will get initialized 1446 + * when they are brought up by the power management functions in 1447 + * TF-A which are registered by the OP-TEE SPD. Due to that we 1448 + * can un-register the callback right after registering it. 1449 + */ 1450 + cpuhp_invoke_fn = invoke_fn; 1451 + hp_state = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "optee:probe", 1452 + optee_cpuhp_probe, NULL); 1453 + if (hp_state < 0) { 1454 + pr_warn("Failed with CPU hotplug setup for OP-TEE"); 1455 + return -EINVAL; 1456 + } 1457 + cpuhp_remove_state(hp_state); 1458 + cpuhp_invoke_fn = NULL; 1459 + } 1460 + 1461 + return rc; 1462 + } 1463 + #else 1464 + static inline int optee_load_fw(struct platform_device *pdev, 1465 + optee_invoke_fn *invoke_fn) 1466 + { 1467 + return 0; 1468 + } 1469 + #endif 1470 + 1376 1471 static int optee_probe(struct platform_device *pdev) 1377 1472 { 1378 1473 optee_invoke_fn *invoke_fn; ··· 1504 1371 invoke_fn = get_invoke_func(&pdev->dev); 1505 1372 if (IS_ERR(invoke_fn)) 1506 1373 return PTR_ERR(invoke_fn); 1374 + 1375 + rc = optee_load_fw(pdev, invoke_fn); 1376 + if (rc) 1377 + return rc; 1507 1378 1508 1379 if (!optee_msg_api_uid_is_optee_api(invoke_fn)) { 1509 1380 pr_warn("api uid mismatch\n");