Secstor anti-rollback #1630
Secstor anti-rollback #1630
Conversation
| @@ -56,7 +56,7 @@ struct tee_fs_dirfile_fileh { | |||
| * @commit_writes: commits changes since the file was opened | |||
| */ | |||
| struct tee_fs_dirfile_operations { | |||
| TEE_Result (*open)(bool create, const TEE_UUID *uuid, | |||
| TEE_Result (*open)(bool create, uint8_t *hash, const TEE_UUID *uuid, | |||
There was a problem hiding this comment.
You forgot to update comment above.
There was a problem hiding this comment.
I'm sorry, I don't get it. Which comment?
There was a problem hiding this comment.
Oh, I'm sorry. That was structure description, not function description. Please ignore this.
core/tee/tee_ree_fs.c
Outdated
| if (res) | ||
| return res; | ||
|
|
||
|
|
core/tee/tee_ree_fs.c
Outdated
| @@ -476,7 +476,7 @@ static TEE_Result get_dirh(struct tee_fs_dirfile_dirh **dirh) | |||
| } | |||
| } | |||
| assert(ree_fs_dirh); | |||
| ree_fs_dirh_refcount++; | |||
| assert(ree_fs_dirh_refcount); | |||
There was a problem hiding this comment.
Is there any sense in this assert if you increase refcount in the beginning of the function?
There was a problem hiding this comment.
The assert is in case it has wrapped.
core/tee/tee_ree_fs.c
Outdated
| @@ -462,10 +462,10 @@ static size_t ree_fs_dirh_refcount; | |||
|
|
|||
| static TEE_Result get_dirh(struct tee_fs_dirfile_dirh **dirh) | |||
| { | |||
| if (!ree_fs_dirh_refcount) { | |||
| ree_fs_dirh_refcount++; | |||
There was a problem hiding this comment.
In case of error (at L471), ree_fs_dirh_refcount will not be decreased.
There was a problem hiding this comment.
Yes, you're right. I'll fix.
|
update |
|
You have fixed issue with reference counting, but I'm not sure, if it is right approach. Now you must call Compare this with There are nothing bad with current code, but it can confuse anyone else, who will try to extend it. Actually, it confused me for a moment :) |
|
Yes, I agree it's a bit confusing. I'll rewrite it. |
There was a problem hiding this comment.
I think the secure storage protection level should be set to 100 when this anti-rollback feature is active.
Also, the documentation needs some minor updates in order to properly reflect these changes:
- https://github.com/OP-TEE/optee_os/blame/master/documentation/secure_storage.md#L77-L78
- Delete "Future work": https://github.com/OP-TEE/optee_os/blame/master/documentation/secure_storage.md#L226
- Maybe add a note in https://github.com/OP-TEE/optee_os/blob/master/documentation/secure_storage_rpmb.md stating that the RPMB FS is used to protect the REE fs from rollback when both are enabled?
core/include/tee/fs_dirfile.h
Outdated
| @@ -69,10 +69,14 @@ struct tee_fs_dirfile_operations { | |||
|
|
|||
| /** | |||
| * tee_fs_dirfile_open() - opens a dirfile handle | |||
| * @create: true if a new dirfile is to be created, else the dirfile | |||
| * is read opened and verified | |||
| * @hash: hash of underlaying file | |||
There was a problem hiding this comment.
s/underlaying/underlying/
core/include/tee/fs_dirfile.h
Outdated
| @@ -86,8 +90,10 @@ void tee_fs_dirfile_close(struct tee_fs_dirfile_dirh *dirh); | |||
| /** | |||
| * tee_fs_dirfile_commit_writes() - commit updates of dirfile | |||
| * @dirh: dirfile handle | |||
| * @hash: hash of underlaying file is copied here if not NULL | |||
There was a problem hiding this comment.
s/underlaying/underlying/
|
Update |
|
Revised
|
|
|
|
I'm not so familiar with |
Adds a hash parameter to the dirfile interface. The hash is used in the same way as in the htree interface, that is, used to verify integrity on open and used to get updated hash on writes. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
REE FS closes the dirfile if returning error from a function that may have changed the content of a secure storage object. This effectively undoes previous operation. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Provides tee_rpmb_fs_raw_open() use by OP-TEE OS. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
Squashed, rebased and tags applied. |
core/tee/tee_svc.c
Outdated
| #ifdef CFG_RPMB_FS | ||
| static const uint32_t ts_antiroll_prot_lvl = 1000; | ||
| #else | ||
| static const uint32_t ts_antiroll_prot_lvl |
REE FS uses RPMB (if available) for storage of dirfile hash. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
Sqashed in the missing ";" |
|
Thanks @jenswi-linaro! Now we can tick the "anti-rollback" box on the OP-TEE feature list, that's good. |
No description provided.