OP-TEE · pascal-brand38 · Sep 1, 2014
diff --git a/core/arch/arm32/kernel/tee_ta_manager.c b/core/arch/arm32/kernel/tee_ta_manager.c
@@ -56,6 +56,7 @@
 #include "user_ta_header.h"
 #include <mm/core_memprot.h>
 #include <mm/core_mmu.h>
+#include <mm/tee_mmu_unpg.h>
 #include <kernel/thread.h>
 #include <sm/teesmc.h>
 
@@ -168,8 +169,10 @@ static void jumper_destroyentrypoint(void *voidargs)
 	OUTMSG("%lx", args->res);
 }
 
-/* Stack size is updated to take into account */
-/* the size of the needs of the tee internal libs */
+/*
+ * Stack size is updated to take into account
+ * the size of the needs of the tee internal libs
+ */
 
 static TEE_Result invoke_ta(struct tee_ta_session *sess, uint32_t cmd,
 			    struct tee_ta_param *param, command_t commandtype)
@@ -244,6 +247,7 @@ static struct tee_ta_ctx *tee_ta_context_find(const TEE_UUID *uuid)
 	return NULL;
 }
 
+/* user TA mngt: init got section */
 static void tee_ta_init_got(struct tee_ta_ctx *const ctx)
 {
 	uint32_t *ptr;
@@ -271,6 +275,7 @@ static void tee_ta_init_got(struct tee_ta_ctx *const ctx)
 	}
 }
 
+/* user TA mngt: init bss section */
 static void tee_ta_init_zi(struct tee_ta_ctx *const ctx)
 {
 	/* setup ZI data */
@@ -295,7 +300,7 @@ static void tee_ta_init_reldyn(struct tee_ta_ctx *const ctx)
 		uint32_t *data;
 
 		if (rel_dyn->info != 0x17) {
-			DMSG("Unknown rel_dyn info 0x%x", rel_dyn->info);
+			EMSG("Unknown rel_dyn info 0x%x", rel_dyn->info);
 			TEE_ASSERT(0);
 		}
 
@@ -799,7 +804,7 @@ static TEE_Result tee_user_ta_enter(TEE_ErrorOrigin *err,
 	case USER_TA_FUNC_OPEN_CLIENT_SESSION:
 		res =
 		    tee_svc_enter_user_mode(param->types, params_uaddr,
-					    (uint32_t) session, 0, stack_uaddr,
+					    (uint32_t)session, 0, stack_uaddr,
 					    start_uaddr, &ctx->panicked,
 					    &ctx->panic_code);
 
@@ -811,7 +816,7 @@ static TEE_Result tee_user_ta_enter(TEE_ErrorOrigin *err,
 		break;
 
 	case USER_TA_FUNC_CLOSE_CLIENT_SESSION:
-		res = tee_svc_enter_user_mode((uint32_t) session, 0, 0, 0,
+		res = tee_svc_enter_user_mode((uint32_t)session, 0, 0, 0,
 					      stack_uaddr, start_uaddr,
 					      &ctx->panicked, &ctx->panic_code);
 
@@ -821,7 +826,7 @@ static TEE_Result tee_user_ta_enter(TEE_ErrorOrigin *err,
 	case USER_TA_FUNC_INVOKE_COMMAND:
 		res =
 		    tee_svc_enter_user_mode(cmd, param->types, params_uaddr,
-					    (uint32_t) session, stack_uaddr,
+					    (uint32_t)session, stack_uaddr,
 					    start_uaddr, &ctx->panicked,
 					    &ctx->panic_code);
 
@@ -951,6 +956,11 @@ static TEE_Result tee_ta_rpc_load(const TEE_UUID *uuid,
 	return res;
 }
 
+/*
+ * Free allocated resources in NonSecure world related to TA load.
+ *
+ * This routine runs with the old monitor and secure gate.
+ */
 static TEE_Result tee_ta_rpc_free(struct tee_ta_nwumap *map)
 {
 	TEE_Result res;
@@ -1134,6 +1144,9 @@ TEE_Result tee_ta_close_session(uint32_t id,
 	return TEE_SUCCESS;
 }
 
+/*
+ * tee_ta_verify_param - check that the 4 "params" match security
+ */
 static TEE_Result tee_ta_verify_param(struct tee_ta_session *sess,
 				      struct tee_ta_param *param)
 {
@@ -1281,6 +1294,8 @@ static TEE_Result tee_ta_init_session(TEE_ErrorOrigin *err,
 	kta_signed_header_t *ta = NULL;
 	struct tee_ta_nwumap lp;
 	struct tee_ta_session *s = calloc(1, sizeof(struct tee_ta_session));
+	struct tee_mmu_mapping map;
+	bool uta_mapped;
 
 	*err = TEE_ORIGIN_TEE;
 	if (!s)
@@ -1305,7 +1320,17 @@ static TEE_Result tee_ta_init_session(TEE_ErrorOrigin *err,
 		goto out;
 
 	/* Request TA from tee-supplicant */
+	uta_mapped = !tee_mmu_is_kernel_mapping();
+	if (uta_mapped) {
+		tee_mmu_get_map(&map);
+		tee_mmu_set_map(NULL);
+	}
+
 	res = tee_ta_rpc_load(uuid, &ta, &lp, err);
+
+	if (uta_mapped)
+		tee_mmu_set_map(&map);
+
 	if (res != TEE_SUCCESS)
 		goto out;
 
@@ -1339,7 +1364,7 @@ TEE_Result tee_ta_open_session(TEE_ErrorOrigin *err,
 			       struct tee_ta_param *param)
 {
 	TEE_Result res;
-	struct tee_ta_session *s;
+	struct tee_ta_session *s = NULL;
 	struct tee_ta_ctx *ctx;
 	bool panicked;
 

diff --git a/core/arch/arm32/mm/core_mmu.c b/core/arch/arm32/mm/core_mmu.c
@@ -401,15 +401,21 @@ bool core_pbuf_is(uint32_t attr, tee_paddr_t pbuf, size_t len)
 bool core_vbuf_is(uint32_t attr, const void *vbuf, size_t len)
 {
 	uint32_t p;
+	TEE_Result res;
 
 	/* Empty buffers complies with anything */
 	if (len == 0)
 		return true;
 
-	if (core_va2pa((uint32_t) vbuf, &p))
+	if (!tee_mmu_is_kernel_mapping()) {
+		res = tee_mmu_kmap_va2pa_helper((void *)vbuf, (void **)&p);
+		if (res != TEE_SUCCESS)
+			return false;
+	} else if (core_va2pa((uint32_t)vbuf, &p)) {
 		return false;
+	}
 
-	return core_pbuf_is(attr, (tee_paddr_t) p, len);
+	return core_pbuf_is(attr, (tee_paddr_t)p, len);
 }
 
 /*

diff --git a/core/arch/arm32/mm/tee_mmu.c b/core/arch/arm32/mm/tee_mmu.c
@@ -655,7 +655,7 @@ void tee_mmu_kmap_init(void)
 	tee_vaddr_t e = s + (TEE_MMU_UL1_NUM_KERN_ENTRIES << SECTION_SHIFT);
 
 	if ((TEE_MMU_UL1_PA_BASE % TEE_MMU_UL1_SIZE) != 0) {
-		DMSG("Bad MMU addr va 0x%x pa 0x%x 0x%x\n",
+		EMSG("Bad MMU addr va 0x%x pa 0x%x 0x%x\n",
 		     TEE_MMU_UL1_BASE, TEE_MMU_UL1_PA_BASE,
 		     TEE_MMU_UL1_PA_BASE % TEE_MMU_UL1_SIZE);
 		assert(0);
@@ -671,12 +671,13 @@ void tee_mmu_kmap_init(void)
 	}
 }
 
+/* dynamic map in teecore (TODO: check if this is required) */
 TEE_Result tee_mmu_kmap_helper(tee_paddr_t pa, size_t len, void **va)
 {
 	tee_mm_entry_t *mm;
 	size_t n;
 	uint32_t *l1 = (uint32_t *)TEE_MMU_UL1_KERN_BASE;
-	uint32_t py_offset = (uint32_t) pa >> SECTION_SHIFT;
+	uint32_t py_offset = (uint32_t)pa >> SECTION_SHIFT;
 	uint32_t pa_s = ROUNDDOWN(pa, SECTION_SIZE);
 	uint32_t pa_e = ROUNDUP(pa + len, SECTION_SIZE);
 	uint32_t flags;
@@ -713,6 +714,7 @@ TEE_Result tee_mmu_kmap_helper(tee_paddr_t pa, size_t len, void **va)
 	return TEE_SUCCESS;
 }
 
+/* dynamic unmap in teecore (TODO: check if this is required) */
 void tee_mmu_kunmap(void *va, size_t len)
 {
 	size_t n;
@@ -731,6 +733,7 @@ void tee_mmu_kunmap(void *va, size_t len)
 	tee_mm_free(mm);
 }
 
+/* pa/va conversion on dynamic map in teecore */
 TEE_Result tee_mmu_kmap_pa2va_helper(void *pa, void **va)
 {
 	size_t n;
@@ -750,18 +753,26 @@ TEE_Result tee_mmu_kmap_pa2va_helper(void *pa, void **va)
 	return TEE_ERROR_ACCESS_DENIED;
 }
 
+/* va/pa conversion on dynamic map in teecore */
 TEE_Result tee_mmu_kmap_va2pa_helper(void *va, void **pa)
 {
 	uint32_t n = (uint32_t)va >> SECTION_SHIFT;
 
-	if (n < TEE_MMU_UL1_NUM_USER_ENTRIES && n >= TEE_MMU_UL1_NUM_ENTRIES)
+	/* lower sections are user TA stuff */
+	if (n < TEE_MMU_UL1_NUM_USER_ENTRIES)
 		return TEE_ERROR_ACCESS_DENIED;
+
+	if ((TEE_MMU_UL1_ENTRY(n) & 0x3) == 0)
+		return TEE_ERROR_ACCESS_DENIED;
+
+	/* teecore is currently fully maped by section (core map or kmap) */
 	*pa = (void *)((TEE_MMU_UL1_ENTRY(n) & ~SECTION_MASK) |
 		       ((uint32_t)va & SECTION_MASK));
 
 	return TEE_SUCCESS;
 }
 
+/* dynamic map in teecore */
 bool tee_mmu_kmap_is_mapped(void *va, size_t len)
 {
 	tee_vaddr_t a = (tee_vaddr_t)va;
@@ -776,6 +787,7 @@ bool tee_mmu_kmap_is_mapped(void *va, size_t len)
 	return true;
 }
 
+/* return true is not TA currently mapped */
 bool tee_mmu_is_kernel_mapping(void)
 {
 	return (tee_mmu_get_ttbr0() == core_mmu_get_ttbr0());