From: Vesa Jääskeläinen
To: op-tee@lists.trustedfirmware.org, Jens Wiklander
Cc: Rijo Thomas, Herbert Xu, Dan Carpenter, Devaraj Rangasamy, Hongbo Yao, Colin Ian King, linux-kernel@vger.kernel.org, Vesa Jääskeläinen
Subject: [PATCH v2 3/3] [RFC] tee: add support for app id for client UUID generation
Date: Thu, 30 Apr 2020 15:37:11 +0300
Message-Id: <20200430123711.20083-4-vesa.jaaskelainen@vaisala.com>
In-Reply-To: <20200430123711.20083-1-vesa.jaaskelainen@vaisala.com>

Linux kernel does not provide common context for application identifier, instead different security frameworks provide own means to define application identifier for running process.

Code includes place holder for such solutions but is left for later implementation.

Open questions:

1. App ID source

   How to specify what source is used for app id? Does it need to be protected on runtime?

   - Should this be Kconfig setting?
   - Configure once during runtime thru sysfs or so?
   - Configure from device tree?

2. Formatting for App ID

   Should there be common format? Or common keyword id?

3. How to handle custom App ID sources

   Android has own App ID so does Tizen. Should there be place holder for this where to make local patch?

Signed-off-by: Vesa Jääskeläinen
--- drivers/tee/tee_core.c | 58 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index d5db206d6af2..35ea20a99b9e 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c
@@ -125,6 +125,15 @@ static int tee_release(struct inode *inode, struct file *filp) return 0; } +static const char *tee_session_get_application_id(void) +{ + return NULL; +} + +static void tee_session_free_application_id(const char *app_id) +{ +} + /** * uuid_v5() - Calculate UUIDv5 * @uuid: Resulting UUID @@ -218,6 +227,14 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, * For TEEC_LOGIN_GROUP: * gid= * + * For TEEC_LOGIN_APPLICATION: + * app= + * + * For TEEC_LOGIN_USER_APPLICATION: + * uid=:app= + * + * For TEEC_LOGIN_GROUP_APPLICATION: + * gid=:app= */ name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL); @@ -250,6 +267,47 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, } break; + case TEE_IOCTL_LOGIN_APPLICATION: + application_id = tee_session_get_application_id(); + name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "app=%s", + application_id); + tee_session_free_application_id(application_id); + if (name_len >= TEE_UUID_NS_NAME_SIZE) { + rc = -E2BIG; + goto out_free_name; + } + break; + + case TEE_IOCTL_LOGIN_USER_APPLICATION: + application_id = tee_session_get_application_id(); + name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, + "uid=%x:app=%s", current_euid().val, + application_id); + tee_session_free_application_id(application_id); + if (name_len >= TEE_UUID_NS_NAME_SIZE) { + rc = -E2BIG; + goto out_free_name; + } + break; + + case TEE_IOCTL_LOGIN_GROUP_APPLICATION: + memcpy(&ns_grp, connection_data, sizeof(gid_t)); + grp = make_kgid(current_user_ns(), ns_grp); + if (!gid_valid(grp) || !in_egroup_p(grp)) { + rc = -EPERM; + goto out_free_name; + } + + application_id = tee_session_get_application_id(); + name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, + "gid=%x:app=%s", grp.val, application_id); + tee_session_free_application_id(application_id); + if (name_len >= TEE_UUID_NS_NAME_SIZE) { + rc = -E2BIG; + goto out_free_name; + } + break; + default: rc = -EINVAL; goto out_free_name; -- 2.17.1
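
Review bot: In the first hunk (@@ -125,6 +125,15 @@), tee_session_get_application_id() returns NULL unconditionally and gives callers no way to tell "no app ID source configured" apart from a real failure. Consider returning ERR_PTR(-EOPNOTSUPP) from the placeholder so the new login methods fail cleanly until a source exists. The pair also needs kernel-doc stating who owns the returned string and how long it stays valid. Note that tee_session_free_application_id() takes a const char *, which suggests the buffer may or may not be heap-allocated depending on the source; spell that contract out before out-of-tree sources (Android, Tizen) start filling it in.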
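
Review bot: In the second hunk (@@ -218,6 +227,14 @@), the new format lines in the tee_session_calc_client_uuid() comment do not say how the application id is encoded or bounded. The cases added below return -E2BIG when the formatted name reaches TEE_UUID_NS_NAME_SIZE, and ':' is used as the field separator, so the comment should state the maximum usable id length and which characters an app ID source may emit. Otherwise two sources can produce different names, and therefore different client UUIDs, for the same application.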
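
Review bot: In the third hunk (@@ -250,6 +267,47 @@), all three new cases pass application_id straight to snprintf() with "%s" without checking it. With the placeholder from the first hunk that pointer is always NULL, the kernel formatter prints "(null)", and every process ends up with the same name ("app=(null)", "uid=%x:app=(null)", ...) and hence the same client UUID, so TEE_IOCTL_LOGIN_APPLICATION would not distinguish applications at all. Check the result right after tee_session_get_application_id() and bail out through out_free_name with an error (for example rc = -EOPNOTSUPP or PTR_ERR() if the getter returns an ERR_PTR) before formatting. Also, application_id is not declared in any hunk of this patch; unless an earlier patch in the series adds it, a "const char *application_id;" local is missing. The get/format/free/length-check sequence is repeated three times and could be a small helper taking the prefix.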