From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.3 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D53CDC606B0 for ; Tue, 9 Jul 2019 07:04:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A4B5A21537 for ; Tue, 9 Jul 2019 07:04:00 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="FqERsOeK" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726010AbfGIHEA (ORCPT ); Tue, 9 Jul 2019 03:04:00 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:36023 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725975AbfGIHEA (ORCPT ); Tue, 9 Jul 2019 03:04:00 -0400 Received: by mail-lf1-f66.google.com with SMTP id q26so12630518lfc.3 for ; Tue, 09 Jul 2019 00:03:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=8chQ+xCDfWyHiMLd66byg5KO/gfXH9gGO2RNNVTCalM=; b=FqERsOeKsbYL1hDU92erKcsqSB1n/vAR7oF6mwlHmjMymElPV/dSjJn/XSlHSfZEwl FiJa2Qy+MbE0ZcRhYzxULeOxF+5amdUoNaUDvzBiG1ygbeOoXtJt4r+y4dSA6n3rKTtX ahxZEns92uGy9H/iigIR/zg4sIsdA3LKqGbPUloh86uxiIRheCYx1r9BDkztOgbK6+j1 drSe44wrIRt1WYt5yoAQLhVI2ZpPP58F+Mf5uIrl/Ie3prj3FyR9nsR4qHG+KzjLnak1 Ts4jHuNI5+q0idxZC1kHvKIXskrUQe/brL4cELfjcUGeJU9GsDJ47tE9mooBwA32FKaG 0b7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=8chQ+xCDfWyHiMLd66byg5KO/gfXH9gGO2RNNVTCalM=; b=IH/3tUDeke2SewyqaJZnmvItfT2NtWj2c0TyLXDl8SDJp/txkVaq62IvkcmD9h7Hfg EnZEMPAJ9zzvQePQ+hj/semdm2wtjOAzEm1i42wpEXoH2CKCS+6j+u5CoTGDs+QoxPRy QWyJ3dm0iMfTVNdtobb9XMI+csdwDOZO/M89m+qpCaSKO0lmIJzERhKBgkq0AZ5LzAoq mFwn9eKT9Yb7y02lcmQGyTlzVWdJ+rY/nmmmYGHRyC4Pvn9YSvHQ8W7aXk+kh8Qni6jD AUp94Daq8PVZbUxe6sX0H2H0GLNXh+A0Y0BceR7GudyvAkQ1emTaKZwSqhKa5UinToG8 ZGJQ== X-Gm-Message-State: APjAAAX2cGq1wbiaOVCHfqeSI6jyUn7AUKoKHmMxUKAKaCiSWQU+fXQo X8nsD9IWa0eh45aUgsSAAprVYA== X-Google-Smtp-Source: APXvYqzgNmzW9LCOXb+v0waZuOzOFRSv6192P+bRM1wg2dgVLC7ByJM1yDax+2RlKtrpd1p4VkFDMA== X-Received: by 2002:ac2:5609:: with SMTP id v9mr10278057lfd.27.1562655838100; Tue, 09 Jul 2019 00:03:58 -0700 (PDT) Received: from jax (h-84-105.A175.priv.bahnhof.se. [79.136.84.105]) by smtp.gmail.com with ESMTPSA id t23sm4092662ljd.98.2019.07.09.00.03.56 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 09 Jul 2019 00:03:57 -0700 (PDT) Date: Tue, 9 Jul 2019 09:03:55 +0200 From: Jens Wiklander To: Sumit Garg Cc: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, corbet@lwn.net, dhowells@redhat.com, jejb@linux.ibm.com, Jarkko Sakkinen , Mimi Zohar , jmorris@namei.org, serge@hallyn.com, Ard Biesheuvel , Daniel Thompson , linux-doc@vger.kernel.org, Linux Kernel Mailing List , tee-dev@lists.linaro.org Subject: Re: [RFC 3/7] tee: add private login method for kernel clients Message-ID: <20190709070354.GA5791@jax> References: <1560421833-27414-1-git-send-email-sumit.garg@linaro.org> <1560421833-27414-4-git-send-email-sumit.garg@linaro.org> <20190708153908.GA28253@jax> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On Tue, Jul 09, 2019 at 11:26:19AM +0530, Sumit Garg wrote: > Thanks Jens for your comments. > > On Mon, 8 Jul 2019 at 21:09, Jens Wiklander wrote: > > > > Hi Sumit, > > > > On Thu, Jun 13, 2019 at 04:00:29PM +0530, Sumit Garg wrote: > > > There are use-cases where user-space shouldn't be allowed to communicate > > > directly with a TEE device which is dedicated to provide a specific > > > service for a kernel client. So add a private login method for kernel > > > clients and disallow user-space to open-session using this login method. > > > > > > Signed-off-by: Sumit Garg > > > --- > > > drivers/tee/tee_core.c | 6 ++++++ > > > include/uapi/linux/tee.h | 2 ++ > > > 2 files changed, 8 insertions(+) > > > > > > diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c > > > index 0f16d9f..4581bd1 100644 > > > --- a/drivers/tee/tee_core.c > > > +++ b/drivers/tee/tee_core.c > > > @@ -334,6 +334,12 @@ static int tee_ioctl_open_session(struct tee_context *ctx, > > > goto out; > > > } > > > > > > + if (arg.clnt_login == TEE_IOCTL_LOGIN_REE_KERNEL) { > > TEE_IOCTL_LOGIN_REE_KERNEL is defined as 0x80000000 which is in the > > range specified and implementation defined by the GP spec. I wonder if > > we shouldn't filter the entire implementation defined range instead of > > just this value. > > Agree. Will rather check for entire implementation defined range: > 0x80000000 - 0xFFFFFFFF. > > > > > > + pr_err("login method not allowed for user-space client\n"); > > pr_debug(), if it's needed at all. > > > > Ok will use pr_debug() instead. > > > > + rc = -EPERM; > > > + goto out; > > > + } > > > + > > > rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); > > > if (rc) > > > goto out; > > > diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h > > > index 4b9eb06..f33c69c 100644 > > > --- a/include/uapi/linux/tee.h > > > +++ b/include/uapi/linux/tee.h > > > @@ -172,6 +172,8 @@ struct tee_ioctl_buf_data { > > > #define TEE_IOCTL_LOGIN_APPLICATION 4 > > > #define TEE_IOCTL_LOGIN_USER_APPLICATION 5 > > > #define TEE_IOCTL_LOGIN_GROUP_APPLICATION 6 > > > +/* Private login method for REE kernel clients */ > > It's worth noting that this is filtered by the TEE framework, compared > > to everything else which is treated opaquely. > > > > IIUC, you are referring to login filter in optee_os. Change to prevent > filter for this login method is part of this PR [1]. > > [1] https://github.com/OP-TEE/optee_os/pull/3082 No, I was referring to the changes in tee_ioctl_open_session() above. It's relevant for user space to know since it will be prevented from using that range of login identifiers. This will restrict the user space API, but I think the risk of breakage is minimal as OP-TEE is the only in-tree driver registering in the TEE framework. I'm not aware of any out-of-tree drivers registering. Thanks, Jens > > -Sumit > > > > +#define TEE_IOCTL_LOGIN_REE_KERNEL 0x80000000 > > > > > > /** > > > * struct tee_ioctl_param - parameter > > > -- > > > 2.7.4 > > > > > > > Thanks, > > Jens