summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorZhen Kong <zkong@codeaurora.org>2016-07-08 14:40:45 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2016-08-23 14:08:27 -0700
commit5baaa9beb02a2f46fbd4d11cd97aa531fd527f9e (patch)
tree5a2bfa1283412681a101e1113d8681d54dd00960 /include
parente97b6a0e0217f7c072fdad6c50673cd7a64348e1 (diff)
qseecom: support whitelist memory for qseecom_send_modfd_cmd
qseecom_send_modfd_cmd converts ION buffer's virtual address to scatter gather(SG) list and then sends them to TA by populating SG list into message buffer. As the physical memory address in SG list is used directly by TA, this allows a malicious TA to access/corrupt arbitrary physical memory and may lead to the process gaining kernel/root privileges. Thus, make changes to have the QSEEComm driver passing a list of whitelist buffers that is allowed to be mapped by TA, and the QSEE kernel, in turn, should add checks to the register_shared_buffer syscall to make sure the shared buffers an application is mapping falls within one of these whitelist buffers. CRs-fixed: 1021945 Change-Id: I776ead0030cad167afcf41ab985db7151a42d126 Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Diffstat (limited to 'include')
-rw-r--r--include/soc/qcom/qseecomi.h47
1 files changed, 46 insertions, 1 deletions
diff --git a/include/soc/qcom/qseecomi.h b/include/soc/qcom/qseecomi.h
index 1349a3440e22..b0a8d67f50fa 100644
--- a/include/soc/qcom/qseecomi.h
+++ b/include/soc/qcom/qseecomi.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -18,6 +18,7 @@
#define QSEECOM_KEY_ID_SIZE 32
+#define QSEOS_RESULT_FAIL_SEND_CMD_NO_THREAD -19 /*0xFFFFFFED*/
#define QSEOS_RESULT_FAIL_UNSUPPORTED_CE_PIPE -63
#define QSEOS_RESULT_FAIL_KS_OP -64
#define QSEOS_RESULT_FAIL_KEY_ID_EXISTS -65
@@ -64,6 +65,9 @@ enum qseecom_qceos_cmd_id {
QSEOS_TEE_REQUEST_CANCELLATION,
QSEOS_CONTINUE_BLOCKED_REQ_COMMAND,
QSEOS_RPMB_CHECK_PROV_STATUS_COMMAND = 0x1B,
+ QSEOS_CLIENT_SEND_DATA_COMMAND_WHITELIST = 0x1C,
+ QSEOS_TEE_OPEN_SESSION_WHITELIST = 0x1D,
+ QSEOS_TEE_INVOKE_COMMAND_WHITELIST = 0x1E,
QSEOS_FSM_LTEOTA_REQ_CMD = 0x109,
QSEOS_FSM_LTEOTA_REQ_RSP_CMD = 0x110,
QSEOS_FSM_IKE_REQ_CMD = 0x203,
@@ -181,6 +185,8 @@ __packed struct qseecom_client_send_data_ireq {
uint32_t req_len;
uint32_t rsp_ptr;/* First 4 bytes should be the return status */
uint32_t rsp_len;
+ uint32_t sglistinfo_ptr;
+ uint32_t sglistinfo_len;
};
__packed struct qseecom_client_send_data_64bit_ireq {
@@ -190,6 +196,8 @@ __packed struct qseecom_client_send_data_64bit_ireq {
uint32_t req_len;
uint64_t rsp_ptr;
uint32_t rsp_len;
+ uint64_t sglistinfo_ptr;
+ uint32_t sglistinfo_len;
};
__packed struct qseecom_reg_log_buf_ireq {
@@ -292,6 +300,8 @@ __packed struct qseecom_qteec_ireq {
uint32_t req_len;
uint32_t resp_ptr;
uint32_t resp_len;
+ uint32_t sglistinfo_ptr;
+ uint32_t sglistinfo_len;
};
__packed struct qseecom_qteec_64bit_ireq {
@@ -301,6 +311,8 @@ __packed struct qseecom_qteec_64bit_ireq {
uint32_t req_len;
uint64_t resp_ptr;
uint32_t resp_len;
+ uint64_t sglistinfo_ptr;
+ uint32_t sglistinfo_len;
};
__packed struct qseecom_client_send_fsm_key_req {
@@ -658,4 +670,37 @@ __packed struct qseecom_continue_blocked_request_ireq {
#define TZ_OS_CONTINUE_BLOCKED_REQUEST_ID_PARAM_ID \
TZ_SYSCALL_CREATE_PARAM_ID_1(TZ_SYSCALL_PARAM_TYPE_VAL)
+#define TZ_APP_QSAPP_SEND_DATA_WITH_WHITELIST_ID \
+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_TZ_APPS, \
+ TZ_SVC_APP_ID_PLACEHOLDER, 0x06)
+
+#define TZ_APP_QSAPP_SEND_DATA_WITH_WHITELIST_ID_PARAM_ID \
+ TZ_SYSCALL_CREATE_PARAM_ID_7( \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL)
+
+#define TZ_APP_GPAPP_OPEN_SESSION_WITH_WHITELIST_ID \
+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_TZ_APPS, \
+ TZ_SVC_APP_ID_PLACEHOLDER, 0x07)
+
+#define TZ_APP_GPAPP_OPEN_SESSION_WITH_WHITELIST_ID_PARAM_ID \
+ TZ_SYSCALL_CREATE_PARAM_ID_7( \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL)
+
+#define TZ_APP_GPAPP_INVOKE_COMMAND_WITH_WHITELIST_ID \
+ TZ_SYSCALL_CREATE_SMC_ID(TZ_OWNER_TZ_APPS, \
+ TZ_SVC_APP_ID_PLACEHOLDER, 0x09)
+
+#define TZ_APP_GPAPP_INVOKE_COMMAND_WITH_WHITELIST_ID_PARAM_ID \
+ TZ_SYSCALL_CREATE_PARAM_ID_7( \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL, TZ_SYSCALL_PARAM_TYPE_BUF_RW, \
+ TZ_SYSCALL_PARAM_TYPE_VAL)
+
#endif /* __QSEECOMI_H_ */
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-02 05:11:03 +0000