xtest: fix against new "TA private memory definition"
The TA private memory definition has changed. Memory references received
as parameters by a TA when it is invoked are never "private TA memory";
they are at least shared with the client(s) in some way.
As a side effect, when a TA invokes a TA relaying a memref parameter,
the invoked TA sees the memory as ANY_OWNER: it is non-secure shared memory.
When a TA invokes a TA with its private memory (stack, heap, code/data)
as a memref parameter, the invoked TA sees ANY_OWNER memory, mapped secure,
inside TEE reserved memory (TA RAM).
Since this change, xtest 1006 is broken.
Rename the PRIVATE_PARAMS tests to PARAM_ACCESS.
Run TEE_CheckMemoryAccessRights() on several areas of the memory space.
Fix TAs that see memref parameters as ANY_OWNER-only memory.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu, GP tests)
diff --git a/ta/os_test/include/os_test.h b/ta/os_test/include/os_test.h
index 7c014b8..e3f827e 100644
--- a/ta/os_test/include/os_test.h
+++ b/ta/os_test/include/os_test.h
@@ -35,7 +35,7 @@
TEE_Param params[4]);
TEE_Result ta_entry_panic(uint32_t param_types, TEE_Param params[4]);
TEE_Result ta_entry_client(uint32_t param_types, TEE_Param params[4]);
-TEE_Result ta_entry_private_params(uint32_t param_types, TEE_Param params[4]);
+TEE_Result ta_entry_params_access_rights(uint32_t p_types, TEE_Param params[4]);
TEE_Result ta_entry_wait(uint32_t param_types, TEE_Param params[4]);
TEE_Result ta_entry_bad_mem_access(uint32_t param_types, TEE_Param params[4]);
TEE_Result ta_entry_mfw_apply_ddr_rules(uint32_t param_types,
diff --git a/ta/os_test/include/ta_os_test.h b/ta/os_test/include/ta_os_test.h
index be84e4e..3ee5a70 100644
--- a/ta/os_test/include/ta_os_test.h
+++ b/ta/os_test/include/ta_os_test.h
@@ -38,7 +38,7 @@
#define TA_OS_TEST_CMD_BASIC 5
#define TA_OS_TEST_CMD_PANIC 6
#define TA_OS_TEST_CMD_CLIENT 7
-#define TA_OS_TEST_CMD_PRIVATE_PARAMS 8
+#define TA_OS_TEST_CMD_PARAMS_ACCESS 8
#define TA_OS_TEST_CMD_WAIT 9
#define TA_OS_TEST_CMD_BAD_MEM_ACCESS 10
diff --git a/ta/os_test/os_test.c b/ta/os_test/os_test.c
index 1a87320..56ddabe 100644
--- a/ta/os_test/os_test.c
+++ b/ta/os_test/os_test.c
@@ -409,23 +409,65 @@
TEE_Param l_params[4] = { { {0} } };
uint8_t buf[32];
TEE_TASessionHandle sess = TEE_HANDLE_NULL;
+ TEE_UUID *uuid;
if (param_types !=
TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, 0, 0, 0))
return TEE_ERROR_GENERIC;
- res =
- TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ |
- TEE_MEMORY_ACCESS_ANY_OWNER,
- params[0].memref.buffer,
- params[0].memref.size);
+
+ /* test access rights on memref parameter */
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ |
+ TEE_MEMORY_ACCESS_ANY_OWNER,
+ params[0].memref.buffer,
+ params[0].memref.size);
if (res != TEE_SUCCESS)
return res;
+
res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ,
params[0].memref.buffer,
params[0].memref.size);
if (res != TEE_ERROR_ACCESS_DENIED)
return TEE_ERROR_GENERIC;
+ /* test access rights on private read-only and read-write memory */
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ,
+ (void *)&test_uuid, sizeof(test_uuid));
+ if (res != TEE_SUCCESS)
+ return res;
+
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_WRITE,
+ (void *)&test_uuid, sizeof(test_uuid));
+ if (res == TEE_SUCCESS)
+ return TEE_ERROR_GENERIC;
+
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ |
+ TEE_MEMORY_ACCESS_WRITE,
+ &ret_orig, sizeof(ret_orig));
+ if (res != TEE_SUCCESS)
+ return res;
+
+ uuid = TEE_Malloc(sizeof(*uuid), 0);
+ if (!uuid)
+ return TEE_ERROR_OUT_OF_MEMORY;
+
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ |
+ TEE_MEMORY_ACCESS_WRITE,
+ uuid, sizeof(*uuid));
+ TEE_Free(uuid);
+ if (res != TEE_SUCCESS)
+ return res;
+
+ /* test access rights on invalid memory (at least lower 256kB) */
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ,
+ NULL, 1);
+ if (res == TEE_SUCCESS)
+ return TEE_ERROR_GENERIC;
+
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ,
+ (void*)(256 * 1024), 1);
+ if (res == TEE_SUCCESS)
+ return TEE_ERROR_GENERIC;
+
res = TEE_OpenTASession(&test_uuid, 0, 0, NULL, &sess, &ret_orig);
if (res != TEE_SUCCESS) {
EMSG("test_mem_access_right: TEE_OpenTASession failed\n");
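Review bot: The invalid-memory probes at the end of the hunk (`NULL` with size 1 and `(void*)(256 * 1024)`) encode a platform-specific assumption that nothing the TA may touch is mapped in the low 256 KiB, and the `TEE_MEMORY_ACCESS_WRITE` probe on `&test_uuid` assumes that object lives in read-only data; neither assumption is stated beyond the short comment on the 256 kB line, so on another memory layout the checks could pass for the wrong reason. A comment such as `/* assumes nothing is mapped below 256 KiB in the TA address space and that test_uuid is placed in read-only data */` ahead of those probes would make the expectation explicit. The cast on the 256 kB line should also be written `(void *)(256 * 1024)` to match the `(void *)&test_uuid` casts a few lines above. A complementary probe that `TEE_MEMORY_ACCESS_WRITE | TEE_MEMORY_ACCESS_ANY_OWNER` is refused on the MEMREF_INPUT parameter would round out the memref checks, if the implementation maps input memrefs read-only (not visible here). test_mem_access_right starts before this hunk and continues after it.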
@@ -435,7 +477,7 @@
l_pts = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, 0, 0, 0);
l_params[0].memref.buffer = buf;
l_params[0].memref.size = sizeof(buf);
- res = TEE_InvokeTACommand(sess, 0, TA_OS_TEST_CMD_PRIVATE_PARAMS,
+ res = TEE_InvokeTACommand(sess, 0, TA_OS_TEST_CMD_PARAMS_ACCESS,
l_pts, l_params, &ret_orig);
if (res != TEE_SUCCESS) {
EMSG("test_mem_access_right: TEE_InvokeTACommand failed\n");
@@ -798,26 +840,28 @@
return res;
}
-TEE_Result ta_entry_private_params(uint32_t param_types, TEE_Param params[4])
+TEE_Result ta_entry_params_access_rights(uint32_t param_types, TEE_Param params[4])
{
TEE_Result res;
if (param_types !=
TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT, 0, 0, 0))
return TEE_ERROR_GENERIC;
- res =
- TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ |
- TEE_MEMORY_ACCESS_ANY_OWNER,
- params[0].memref.buffer,
- params[0].memref.size);
+
+ res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ |
+ TEE_MEMORY_ACCESS_ANY_OWNER,
+ params[0].memref.buffer,
+ params[0].memref.size);
if (res != TEE_SUCCESS)
return res;
res = TEE_CheckMemoryAccessRights(TEE_MEMORY_ACCESS_READ,
params[0].memref.buffer,
params[0].memref.size);
+ if (res != TEE_ERROR_ACCESS_DENIED)
+ return TEE_ERROR_GENERIC;
- return res;
+ return TEE_SUCCESS;
}
TEE_Result ta_entry_wait(uint32_t param_types, TEE_Param params[4])
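Review bot: The parameter name in the new definition, `ta_entry_params_access_rights(uint32_t param_types, ...)`, does not match the prototype added to os_test.h in this commit, which names it `p_types`; the compiler does not care, but it reads as two different contracts, and every other ta_entry_* prototype in that header uses `param_types`, so the header line should become `TEE_Result ta_entry_params_access_rights(uint32_t param_types, TEE_Param params[4]);` (wrapped as the header's other long prototypes are). The function also has no header comment; `/* Verify a memref received from a TA caller is reachable only as ANY_OWNER memory: readable with ANY_OWNER, refused as TA-private memory. */` would state what the returned TEE_SUCCESS certifies. Returning TEE_ERROR_GENERIC on any result other than TEE_ERROR_ACCESS_DENIED makes this stricter than the previous `return res`, which looks intentional and matches the caller-side check in the first hunk of this file.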
diff --git a/ta/os_test/ta_entry.c b/ta/os_test/ta_entry.c
index fdae658..fec849f 100644
--- a/ta/os_test/ta_entry.c
+++ b/ta/os_test/ta_entry.c
@@ -91,8 +91,8 @@
case TA_OS_TEST_CMD_CLIENT:
return ta_entry_client(nParamTypes, pParams);
- case TA_OS_TEST_CMD_PRIVATE_PARAMS:
- return ta_entry_private_params(nParamTypes, pParams);
+ case TA_OS_TEST_CMD_PARAMS_ACCESS:
+ return ta_entry_params_access_rights(nParamTypes, pParams);
case TA_OS_TEST_CMD_WAIT:
return ta_entry_wait(nParamTypes, pParams);