Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp7545391ybi;
        Tue, 9 Jul 2019 00:04:37 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzk0gUS2lHwuBqmRltbSn2zDuy0lU4uozPClX6sBNOQsGV296S4dLv6BKT+JuczoNACAU20
X-Received: by 2002:a17:90a:974b:: with SMTP id i11mr23766580pjw.21.1562655877265;
        Tue, 09 Jul 2019 00:04:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562655877; cv=none;
        d=google.com; s=arc-20160816;
        b=hY2nB+CF1Ciud4yi8vG+f3QYmtUjWeqsWSZXINy0l1kELG9ScwUBQTFPc3VxyNnjGF
         /ywsVvZal6HAe0Bgvj/exIVsQlz+PmKDAgqhi3u+aMUI9bc1625wpzvPlbIlgpD9szMG
         bV3Gv+IxF17Hgo2I5aF/JolBeX9YniORDvXHo8fullVcGThPhrnEBySu8TQHfcFDQWmv
         Xkgw3RG8AbXEA3X0BgUxZbc8HjoMJLDEmdm8wECyMexafJum25FAYPkEI9aMCfWgCvUa
         MGzRxiek2U8xErbjDITMidUX5H7CAwzIIXkS3muniUMuKzMSIt6uYFl2dtN1jXxlj0dN
         dTlA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=8chQ+xCDfWyHiMLd66byg5KO/gfXH9gGO2RNNVTCalM=;
        b=eRlDIhV/r0eHQpaBE55OOwinqjaYj+o2/r7Sg0ts0yfF06RbuMvKzRXGtyJTWzNjry
         hNCQYeK7y+HtdKAIusrJu+2kjWl4YvfxDxl0Zapq6lV5sDRrs5ZCHrHIzuH1bdgdD5Um
         crtuFhVC0GCvK2L78WXzWyd81lcjjzGqjaoV3ihdSEzwrMwWqMO++KOOgzX31nxCo0y4
         xFcHxtpnuMjRgafjHeLcj9d8mwFT2SH+IYTANgSLAbWMMsACLjmjU7ZssQqCQFW5vDL+
         UYUKYlMvau8p5OyU4lhPIja6Gf1EMZspGE8RF9hQ9PGTDdTKvvTfNrM/RMnzjLKSJ9Xt
         hJxQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=FqERsOeK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 188si24194006pgd.404.2019.07.09.00.04.21;
        Tue, 09 Jul 2019 00:04:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=FqERsOeK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726241AbfGIHEA (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Tue, 9 Jul 2019 03:04:00 -0400
Received: from mail-lf1-f68.google.com ([209.85.167.68]:43034 "EHLO
        mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725818AbfGIHEA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Jul 2019 03:04:00 -0400
Received: by mail-lf1-f68.google.com with SMTP id c19so7001362lfm.10
        for <linux-kernel@vger.kernel.org>; Tue, 09 Jul 2019 00:03:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=8chQ+xCDfWyHiMLd66byg5KO/gfXH9gGO2RNNVTCalM=;
        b=FqERsOeKsbYL1hDU92erKcsqSB1n/vAR7oF6mwlHmjMymElPV/dSjJn/XSlHSfZEwl
         FiJa2Qy+MbE0ZcRhYzxULeOxF+5amdUoNaUDvzBiG1ygbeOoXtJt4r+y4dSA6n3rKTtX
         ahxZEns92uGy9H/iigIR/zg4sIsdA3LKqGbPUloh86uxiIRheCYx1r9BDkztOgbK6+j1
         drSe44wrIRt1WYt5yoAQLhVI2ZpPP58F+Mf5uIrl/Ie3prj3FyR9nsR4qHG+KzjLnak1
         Ts4jHuNI5+q0idxZC1kHvKIXskrUQe/brL4cELfjcUGeJU9GsDJ47tE9mooBwA32FKaG
         0b7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=8chQ+xCDfWyHiMLd66byg5KO/gfXH9gGO2RNNVTCalM=;
        b=VcZF6klJJppK3PJcnsjo3ljMz2eW9b63vnq3NRaEdMpR13NKjFb9Wns2V4otPHab8Z
         B/IdjaKbdGT6WryXAIgfK2JtyFdxdYiJqdef5u1AvLMvfud+upTpSgLBaV4FJfsIKJuE
         XuShO0FhKFxNXwty0HuV1np+x1Xxvvgm0Rq/0FVP0nkV6iQHpPWmCFD7gUxurN3iTF7z
         wmEBP8bcOeI3o09x6Ccfq61eV32+4PXWr/xsQmuZn6vYhHKcgajGVfACmkT6yxd4mzze
         ln/i/vvMREIzdvs7ODlUYJRYmWOj7rruCJjy2PJ5stYeVcnpx2IwMMi50TnjEmclOXfN
         eBtA==
X-Gm-Message-State: APjAAAXoTjuwTTqY5U1p9cG/b4xXXb+0vO2DPAQ3JTV4i+mbCNj9LX5o
        wBgZXrKK2JSn/STc2KOGUILFhA==
X-Received: by 2002:ac2:5609:: with SMTP id v9mr10278057lfd.27.1562655838100;
        Tue, 09 Jul 2019 00:03:58 -0700 (PDT)
Received: from jax (h-84-105.A175.priv.bahnhof.se. [79.136.84.105])
        by smtp.gmail.com with ESMTPSA id t23sm4092662ljd.98.2019.07.09.00.03.56
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 09 Jul 2019 00:03:57 -0700 (PDT)
Date:   Tue, 9 Jul 2019 09:03:55 +0200
From:   Jens Wiklander <jens.wiklander@linaro.org>
To:     Sumit Garg <sumit.garg@linaro.org>
Cc:     keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org, corbet@lwn.net,
        dhowells@redhat.com, jejb@linux.ibm.com,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
        Mimi Zohar <zohar@linux.ibm.com>, jmorris@namei.org,
        serge@hallyn.com, Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Daniel Thompson <daniel.thompson@linaro.org>,
        linux-doc@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        tee-dev@lists.linaro.org
Subject: Re: [RFC 3/7] tee: add private login method for kernel clients
Message-ID: <20190709070354.GA5791@jax>
References: <1560421833-27414-1-git-send-email-sumit.garg@linaro.org>
 <1560421833-27414-4-git-send-email-sumit.garg@linaro.org>
 <20190708153908.GA28253@jax>
 <CAFA6WYNzs=RErreWaa5BmF-P03Vf9nzQjvY_JpMckw87k9z12w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CAFA6WYNzs=RErreWaa5BmF-P03Vf9nzQjvY_JpMckw87k9z12w@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 09, 2019 at 11:26:19AM +0530, Sumit Garg wrote:
> Thanks Jens for your comments.
> 
> On Mon, 8 Jul 2019 at 21:09, Jens Wiklander <jens.wiklander@linaro.org> wrote:
> >
> > Hi Sumit,
> >
> > On Thu, Jun 13, 2019 at 04:00:29PM +0530, Sumit Garg wrote:
> > > There are use-cases where user-space shouldn't be allowed to communicate
> > > directly with a TEE device which is dedicated to provide a specific
> > > service for a kernel client. So add a private login method for kernel
> > > clients and disallow user-space to open-session using this login method.
> > >
> > > Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
> > > ---
> > >  drivers/tee/tee_core.c   | 6 ++++++
> > >  include/uapi/linux/tee.h | 2 ++
> > >  2 files changed, 8 insertions(+)
> > >
> > > diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
> > > index 0f16d9f..4581bd1 100644
> > > --- a/drivers/tee/tee_core.c
> > > +++ b/drivers/tee/tee_core.c
> > > @@ -334,6 +334,12 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
> > >                       goto out;
> > >       }
> > >
> > > +     if (arg.clnt_login == TEE_IOCTL_LOGIN_REE_KERNEL) {
> > TEE_IOCTL_LOGIN_REE_KERNEL is defined as 0x80000000 which is in the
> > range specified and implementation defined by the GP spec. I wonder if
> > we shouldn't filter the entire implementation defined range instead of
> > just this value.
> 
> Agree. Will rather check for entire implementation defined range:
> 0x80000000 - 0xFFFFFFFF.
> 
> >
> > > +             pr_err("login method not allowed for user-space client\n");
> > pr_debug(), if it's needed at all.
> >
> 
> Ok will use pr_debug() instead.
> 
> > > +             rc = -EPERM;
> > > +             goto out;
> > > +     }
> > > +
> > >       rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
> > >       if (rc)
> > >               goto out;
> > > diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h
> > > index 4b9eb06..f33c69c 100644
> > > --- a/include/uapi/linux/tee.h
> > > +++ b/include/uapi/linux/tee.h
> > > @@ -172,6 +172,8 @@ struct tee_ioctl_buf_data {
> > >  #define TEE_IOCTL_LOGIN_APPLICATION          4
> > >  #define TEE_IOCTL_LOGIN_USER_APPLICATION     5
> > >  #define TEE_IOCTL_LOGIN_GROUP_APPLICATION    6
> > > +/* Private login method for REE kernel clients */
> > It's worth noting that this is filtered by the TEE framework, compared
> > to everything else which is treated opaquely.
> >
> 
> IIUC, you are referring to login filter in optee_os. Change to prevent
> filter for this login method is part of this PR [1].
> 
> [1] https://github.com/OP-TEE/optee_os/pull/3082

No, I was referring to the changes in tee_ioctl_open_session() above.
It's relevant for user space to know since it will be prevented from
using that range of login identifiers. This will restrict the user space
API, but I think the risk of breakage is minimal as OP-TEE is the only
in-tree driver registering in the TEE framework. I'm not aware of any
out-of-tree drivers registering.

Thanks,
Jens

> 
> -Sumit
> 
> > > +#define TEE_IOCTL_LOGIN_REE_KERNEL           0x80000000
> > >
> > >  /**
> > >   * struct tee_ioctl_param - parameter
> > > --
> > > 2.7.4
> > >
> >
> > Thanks,
> > Jens