When unloading the app, reset all client members to NULL
to protect from accessing the memory after being freed.
Change-Id: I573b9c6fde03539522d2b04724a2246660c62518
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
Check if the handle data_type received from userspace is valid
for the app loaded query request, to avoid the offset boundary check
for qseecom_send_modfd_resp being bypassed.
Change-Id: I5f3611a8f830d6904213781c5ba70cfc0ba3e2e0
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to validate that there exists enough space to write a
uint64 instead of a uint32 value, in __qseecom_update_cmd_buf_64.
Change-Id: Iabf61dea240f16108e1765585aae3a12d2d651c9
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
To avoid accessing a variable after it has been freed, use the
list_first_entry_safe function to iterate over a list of the
given type, safe against removal of list entries.
Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: Monika Singh <monising@codeaurora.org>
Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.
Bug: 65468973
Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
A new smc cmd is added to check RPMB key provision status.
Change-Id: I50411bf9ae7f31589be34d7b5aaf48f2c12f0018
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Reset app_crash flag to make sure app entry is not freed when
there is another client still being blocked on the same app.
Change-Id: I25d236abc97e60fe8a4abbbc8c086291c764a9c1
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change in __qseecom_load_fw() and qseecom_load_commonlib_image()
to check buffer size before copying img to buffer.
CRs-fixed: 1080290
Change-Id: I0f48666ac948a9571e249598ae7cc19df9036b1d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Add a mutex around qseecom_set_client_mem_param to prevent an
ioctl thread from modifying and corrupting data which is being
processed by another ioctl in another thread.
Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Variables "load_img_req.img_len" and "load_img_req.mdt_len" come
from user land, so check their values against the ion buf length
to avoid a buffer overread on the QSEE side.
Change-Id: I9e8bfe32d3b0cd5b441ad724543c56467fa5e4da
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
__qseecom_update_cmd_buf_64() called __qseecom_allocate_sg_list_buffer()
to allocate memory from within a for loop. Should it fail on any pass other
than the first time through the loop, the prior allocations will not be
deallocated; make change to deallocate memory in this error case.
Change-Id: I8cb71a3b141249d8266aec4890632f200d147405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Release the app list entry when __qseecom_get_fw_size() returns an error.
Change-Id: I82406c39a2def87395811f442f39b57201766091
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Perform a complete or adequate check of return codes for several
functions, including __qseecom_enable_clk, ion_do_cache_op and
ion_sg_table(), used by qseecom.
Change-Id: Ib1682bdc6d3034a22586af62a3d8986c54d369d5
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to improve input validation on request and response
buffers' address and length for qseecom_send_service_cmd.
Change-Id: I047e3264333d767541e43b7dadd1727232fd48ef
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change in qseecom_probe() to improve the error return value
checks on some subfunctions, and free memory allocated within
qseecom_retrieve_ce_data.
CRs-fixed: 1075082
Change-Id: I971e555ec8d02ccf4382e83132a696b065a8ff12
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
This change fixes issues regarding the ioctl
QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ uncovered by fuzz tests.
Modified the handler of the above ioctl not to allow input/output
buffer sizes greater than a fixed defined size.
Change-Id: I69f94a29d939341564f6f3ebfda48fceaa934542
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
Add whitelist support for listener to send modified resp to TZ;
also add whitelist support for kernel client; and change the method
to check whitelist feature.
Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
ion_map_kernel() is called without checking for or acting upon the
possible error conditions this function may return; make change to
check its error return value.
CRs-fixed: 1081637
Change-Id: I0a34f0bbc9f2049b826777a31e14d2cf62cdc211
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Export a new ioctl to user space to query the qsee version,
which is required for QSEECOM listener services.
Change-Id: Idd80ce0a3153d669d5f6fb748f73f7aaedefb3a5
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl
freed the entry for the new TA, but didn't remove it from
qseecom_registered_app_list. Make change to remove it.
Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
The whitelist status is set to true by default even though the TZ check failed,
which in turn causes send_command to fail by passing the whitelist command id.
So update the support status flag to false when the TZ check fails.
Change-Id: I78a7600506b4d2457bb1c38f8a39888a9cf9467c
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
To support the whitelist feature, the sglistinfo table should also
be allocated from the qseecom kernel APIs used by kernel clients.
Besides, initialize sg in __qseecom_update_cmd_buf_64 to
address a static analysis warning.
Change-Id: I1f1967fd9e95444cca728f09e3e8f4914b2abb95
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
qseecom_send_modfd_cmd converts the ION buffer's virtual address to a
scatter-gather (SG) list and then sends it to the TA by populating the
SG list into the message buffer. As the physical memory address in the
SG list is used directly by the TA, this allows a malicious TA to
access/corrupt arbitrary physical memory and may lead to the
process gaining kernel/root privileges. Thus, make changes to
have the QSEEComm driver pass a list of whitelist buffers
that are allowed to be mapped by the TA, and the QSEE kernel, in turn,
should add checks to the register_shared_buffer syscall to make
sure the shared buffers an application is mapping fall within
one of these whitelist buffers.
CRs-fixed: 1021945
Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
qseecom_send_modfd_cmd_64 converts a non-contiguous ION memory fd to a
scatter-gather physical address list, and supports up to 512 SG list
entries. Now, 512 is not enough if a client wants to send large data
in a fragmented system. In this change, if the SG list entry number is
larger than 512, we will allocate a new contiguous kernel buffer,
then save all SG entries into this new buffer.
Change-Id: Id90eefb98b63bf16db755dae8e1482e448090f47
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
The resp_len and resp_buf_ptr of qseecom_send_modfd_listener_resp
are not checked, so a userspace application that manipulates
resp_len can corrupt kernel memory. Thus make changes to
validate these parameters.
CRs-fixed: 1036418
Change-Id: Id43ec6b55b332d0dac09a9abb998a410f49b44f7
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Multiple clients are accessing the crypto clock at the same instant, which
drives the clock reference count to an unexpected value. Ioctls are mutex
protected to maintain a proper clock reference count.
Change-Id: I2509e0e78a4eedd78cf2f37fb7efdf741ac3d50c
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Format specifier %p can leak kernel addresses while not honoring the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with 0's,
so that %pK will not leak kernel pointers to unprivileged users.
So change the format specifier from %p to %pK.
Debugging Note: %pK prints only zeros as the address. If you need the actual
address information, please echo 0 to kptr_restrict.
$ echo 0 > /proc/sys/kernel/kptr_restrict
Change-Id: I0baf2be2d5a476e2e4267f20b99d0ddf5492469e
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
QSEE OS level scm_call operations will fail if there is any TZ app
blocked waiting on a listener. The driver needs to first check that
no app is blocked before sending a QSEE OS level scm call; if there
are any, then wait until all apps are unblocked.
Change-Id: Ie7fb4a9fb78adedcb223308cd11335bf6a48296e
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
For kernel clients, some flags are maintained which are not required,
as those are specific to userspace clients. So remove the code which is
not required.
Change-Id: If7fb51cc17e9a8c0f3c2632e9c42d84489bda4f6
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
App region notification has to be sent only once; if appsbl
has already done it, then the kernel should not send it.
Change-Id: Ie1c7bb78be30c723fef6d9b89d488fdac36bc07f
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Enable CE clocks before calling SCM. This is required to
check if MDTP is activated during recovery and to update the DIP
as required in case it is.
Change-Id: I01907d7cebae007c7f6a33d4bf29b3e4fc6e493c
Signed-off-by: Reut Zysman <rzysman@codeaurora.org>
Key id strings for certain use cases are not updated, which
uses a garbage value as key id while generating the keys.
From a functional point of view these strings should be
common between builds, which needs a kernel update when
full disk encryption is enabled.
Change-Id: I29617ed26892dffc70edb86daa4556a2614d0ad0
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
LK is loading the 32-bit commonlib for keymaster usage and not loading
the 64-bit commonlib, which creates a problem in loading 64-bit secure
applications. This patch adds the support.
Change-Id: If10aea373e83bcf81acefa217776dbbd0168cd67
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
For key management operations for HW FDE that take a long processing time
in the secure environment, the secure environment will send a pending-operation
response so that the non-secure side can request further processing at a
later time. This prevents non-secure components from starving for
secure processing time. It also prevents the non-secure WDT from barking.
Change-Id: I823c06b712fcdcecac30d886c6d1aa01ada56bd0
Signed-off-by: Dinesh K Garg <dineshg@codeaurora.org>
Remove the loading of commonlib when it is already loaded by lk.
Change-Id: Id8fcce391fc313fa6f2cbfa483358a0e73704895
Acked-by: Baranidharan Muthukumaran <bmuthuku@qti.qualcomm.com>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Enable crypto clocks while servicing the SSD listener. Also protect
the FDE key creation, update and wipe functions with a mutex lock to
avoid other users intervening before the operation completes.
Change-Id: I088829743eb4c7a9c3e887bbcc2030d4c51a80fb
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>