From: "Jason-JH Lin (林睿祥)" <Jason-JH.Lin@mediatek.com>
To: "CK Hu (胡俊光)" <ck.hu@mediatek.com>,
"jassisinghbrar@gmail.com" <jassisinghbrar@gmail.com>,
"chunkuang.hu@kernel.org" <chunkuang.hu@kernel.org>,
"angelogioacchino.delregno@collabora.com"
<angelogioacchino.delregno@collabora.com>,
"robh+dt@kernel.org" <robh+dt@kernel.org>,
"krzysztof.kozlowski+dt@linaro.org"
<krzysztof.kozlowski+dt@linaro.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mediatek@lists.infradead.org"
<linux-mediatek@lists.infradead.org>,
"Singo Chang (張興國)" <Singo.Chang@mediatek.com>,
"Johnson Wang (王聖鑫)" <Johnson.Wang@mediatek.com>,
"Jason-ch Chen (陳建豪)" <Jason-ch.Chen@mediatek.com>,
"Shawn Sung (宋孝謙)" <Shawn.Sung@mediatek.com>,
"Nancy Lin (林欣螢)" <Nancy.Lin@mediatek.com>,
"jkardatzke@google.com" <jkardatzke@google.com>,
"conor+dt@kernel.org" <conor+dt@kernel.org>,
Project_Global_Chrome_Upstream_Group
<Project_Global_Chrome_Upstream_Group@mediatek.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"matthias.bgg@gmail.com" <matthias.bgg@gmail.com>
Subject: Re: [PATCH v2 8/9] mailbox: mediatek: Add CMDQ secure mailbox driver
Date: Mon, 6 Nov 2023 13:07:03 +0000 [thread overview]
Message-ID: <d905bc920e8a0375bed6a1e2e3fa20dbcb71417c.camel@mediatek.com> (raw)
In-Reply-To: <710408f06752201686f4b3587af1656d36e3654d.camel@mediatek.com>
Hi CK,
On Mon, 2023-11-06 at 06:53 +0000, CK Hu (胡俊光) wrote:
> Hi, Jason:
>
> On Mon, 2023-10-23 at 12:37 +0800, Jason-JH.Lin wrote:
> > To support secure video path feature, GCE have to read/write
> > registgers
> > in the secure world. GCE will enable the secure access permission
> > to
> > the
> > HW who wants to access the secure content buffer.
> >
> > Add CMDQ secure mailbox driver to make CMDQ client user is able to
> > sending their HW settings to the secure world. So that GCE can
> > execute
> > all instructions to configure HW in the secure world.
> >
> > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> > ---
> > drivers/mailbox/Makefile | 2 +-
> > drivers/mailbox/mtk-cmdq-sec-mailbox.c | 1102
> > +++++++++++++++++
> > drivers/mailbox/mtk-cmdq-sec-tee.c | 202 +++
> > include/linux/mailbox/mtk-cmdq-mailbox.h | 2 +
> > .../linux/mailbox/mtk-cmdq-sec-iwc-common.h | 293 +++++
> > include/linux/mailbox/mtk-cmdq-sec-mailbox.h | 83 ++
> > include/linux/mailbox/mtk-cmdq-sec-tee.h | 31 +
> > 7 files changed, 1714 insertions(+), 1 deletion(-)
> > create mode 100644 drivers/mailbox/mtk-cmdq-sec-mailbox.c
> > create mode 100644 drivers/mailbox/mtk-cmdq-sec-tee.c
> > create mode 100644 include/linux/mailbox/mtk-cmdq-sec-iwc-common.h
> > create mode 100644 include/linux/mailbox/mtk-cmdq-sec-mailbox.h
> > create mode 100644 include/linux/mailbox/mtk-cmdq-sec-tee.h
> >
> >
>
> [snip]
>
> > +
> > +int cmdq_sec_insert_backup_cookie(struct cmdq_pkt *pkt)
> > +{
> > + struct cmdq_client *cl = (struct cmdq_client *)pkt->cl;
> > + struct cmdq_sec_thread *thread = ((struct mbox_chan *)(cl-
> > > chan))->con_priv;
> >
> > + struct cmdq_sec *cmdq = container_of(thread->chan->mbox, struct
> > cmdq_sec, mbox);
> > + struct cmdq_operand left, right;
> > + dma_addr_t addr;
> > +
> > + if (!thread->occupied || !cmdq->shared_mem)
> > + return -EFAULT;
> > +
> > + pr_debug("%s %d: pkt:%p thread:%u gce:%#lx",
> > + __func__, __LINE__, pkt, thread->idx, (unsigned
> > long)cmdq->base_pa);
> > +
> > + addr = (u32)(cmdq->base_pa + CMDQ_THR_BASE +
> > + CMDQ_THR_SIZE * thread->idx + CMDQ_THR_EXEC_CNT_PA);
> > +
> > + cmdq_pkt_assign(pkt, CMDQ_THR_SPR_IDX1, CMDQ_ADDR_HIGH(addr));
> > + cmdq_pkt_read_s(pkt, CMDQ_THR_SPR_IDX1, CMDQ_ADDR_LOW(addr),
> > CMDQ_THR_SPR_IDX1);
> > +
> > + left.reg = true;
> > + left.idx = CMDQ_THR_SPR_IDX1;
> > + right.reg = false;
> > + right.value = 1;
> > + cmdq_pkt_logic_command(pkt, CMDQ_LOGIC_ADD, CMDQ_THR_SPR_IDX1,
> > &left, &right);
> > +
> > + addr = cmdq->shared_mem->pa + CMDQ_SEC_SHARED_THR_CNT_OFFSET +
> > + thread->idx * sizeof(u32);
> > +
> > + cmdq_pkt_assign(pkt, CMDQ_THR_SPR_IDX2, CMDQ_ADDR_HIGH(addr));
> > + cmdq_pkt_write_s(pkt, CMDQ_THR_SPR_IDX2, CMDQ_ADDR_LOW(addr),
> > CMDQ_THR_SPR_IDX1);
>
> This is a sample code of reading secure data and writing to normal
> world. I think you have already check address of cmdq_pkt_read_s() in
> TEE. This is a sample code that hacker may try to read any secure
> address:
>
> cmdq_pkt_assign(pkt, CMDQ_THR_SPR_IDX1,
> CMDQ_ADDR_HIGH(hack_address));
> cmdq_pkt_jump(pkt, read);
> cmdq_pkt_assign(pkt, CMDQ_THR_SPR_IDX1, CMDQ_ADDR_HIGH(addr));
> read:
> cmdq_pkt_read_s(pkt, CMDQ_THR_SPR_IDX1, CMDQ_ADDR_LOW(addr),
> CMDQ_THR_SPR_IDX1);
>
> Please explain how you protect this hacker attack.
>
Yes, hackers can use this sample code to read the HW register to the
shared memory, but they still can't get the secure content or other
useful information to get the secure content.
There are some protections we made for this action:
1. All the physical address of HW register in the read/write
instruction in secure command buffer need to be defined at whitelist.
2. Reading DRAM address instruction in secure command buffer are
forbidden.
3. The shared memory is used to store the value of cookie which is used
for secure cmdq packet scheduling. So secure GCE thread executing state
will crash by modifying it unexpectedly.
Although hackers could get the value store in the HW register by this
sample code, they still don't know what the HW register stand for and
what is the meaning of the value they read. Additionally, if they read
unexpectedly values into shared memory, they will corrupt the secure
GCE thread state.
Regards,
Jason-JH.Lin
> Regards,
> CK
>
> > +
> > + return 0;
> > +}
> > +EXPORT_SYMBOL(cmdq_sec_insert_backup_cookie);
> > +
next prev parent reply other threads:[~2023-11-06 13:07 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-23 4:37 [PATCH v2 0/9] Add CMDQ secure driver for SVP Jason-JH.Lin
2023-10-23 4:37 ` [PATCH v2 1/9] dt-bindings: gce: mt8195: Add CMDQ_SYNC_TOKEN_SECURE_THR_EOF event id Jason-JH.Lin
2023-10-23 7:47 ` Krzysztof Kozlowski
2023-10-23 7:49 ` Krzysztof Kozlowski
2023-10-24 16:21 ` Jason-JH Lin (林睿祥)
2023-10-25 6:26 ` Jason-JH Lin (林睿祥)
2023-10-25 7:03 ` Krzysztof Kozlowski
2023-10-25 7:36 ` Jason-JH Lin (林睿祥)
2023-10-23 8:08 ` Krzysztof Kozlowski
2023-10-25 6:28 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 2/9] dt-bindings: mailbox: Add property for CMDQ secure driver Jason-JH.Lin
2023-10-23 7:49 ` Krzysztof Kozlowski
2023-10-24 16:37 ` Jason-JH Lin (林睿祥)
2023-10-28 9:10 ` Krzysztof Kozlowski
2023-10-31 2:34 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 3/9] soc: mailbox: Add cmdq_pkt_logic_command to support math operation Jason-JH.Lin
2023-10-23 8:26 ` Fei Shao
2023-10-23 9:14 ` Fei Shao
2023-10-24 16:59 ` Jason-JH Lin (林睿祥)
2023-10-23 9:50 ` AngeloGioacchino Del Regno
2023-10-24 17:11 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 4/9] soc: mailbox: Add cmdq_pkt_write_s_reg_value to support write value to reg Jason-JH.Lin
2023-10-23 9:50 ` AngeloGioacchino Del Regno
2023-10-25 0:45 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 5/9] soc: mailbox: Add cmdq_pkt_finalize_loop to support looping cmd with irq Jason-JH.Lin
2023-10-23 9:50 ` AngeloGioacchino Del Regno
2023-10-25 0:55 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 6/9] mailbox: mediatek: Add CMDQ driver support for mt8188 Jason-JH.Lin
2023-10-23 9:41 ` Fei Shao
2023-10-25 6:33 ` Jason-JH Lin (林睿祥)
2023-10-23 9:50 ` AngeloGioacchino Del Regno
2023-10-23 10:14 ` AngeloGioacchino Del Regno
2023-10-25 0:58 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 7/9] mailbox: mediatek: Add secure CMDQ driver support for CMDQ driver Jason-JH.Lin
2023-10-23 10:47 ` Fei Shao
2023-10-25 2:08 ` Jason-JH Lin (林睿祥)
2023-10-23 4:37 ` [PATCH v2 8/9] mailbox: mediatek: Add CMDQ secure mailbox driver Jason-JH.Lin
2023-10-23 10:48 ` AngeloGioacchino Del Regno
2023-10-25 6:20 ` Jason-JH Lin (林睿祥)
2023-11-06 6:53 ` CK Hu (胡俊光)
2023-11-06 13:07 ` Jason-JH Lin (林睿祥) [this message]
2023-10-23 4:37 ` [PATCH v2 9/9] arm64: dts: mediatek: mt8195: Add CMDQ secure driver support for gce0 Jason-JH.Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d905bc920e8a0375bed6a1e2e3fa20dbcb71417c.camel@mediatek.com \
--to=jason-jh.lin@mediatek.com \
--cc=Jason-ch.Chen@mediatek.com \
--cc=Johnson.Wang@mediatek.com \
--cc=Nancy.Lin@mediatek.com \
--cc=Project_Global_Chrome_Upstream_Group@mediatek.com \
--cc=Shawn.Sung@mediatek.com \
--cc=Singo.Chang@mediatek.com \
--cc=angelogioacchino.delregno@collabora.com \
--cc=chunkuang.hu@kernel.org \
--cc=ck.hu@mediatek.com \
--cc=conor+dt@kernel.org \
--cc=jassisinghbrar@gmail.com \
--cc=jkardatzke@google.com \
--cc=krzysztof.kozlowski+dt@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=matthias.bgg@gmail.com \
--cc=robh+dt@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox