Merge branch 'OP-TEE:master' into master

OP-TEE · Nov 22, 2023 · 402038b · 402038b
2 parents e046138 + 4f91b9a
commit 402038b
Show file tree

Hide file tree

Showing 15 changed files with 404 additions and 109 deletions.
diff --git a/host/xtest/gp/patches/0016-TEE_Crypto_API.xml.patch b/host/xtest/gp/patches/0016-TEE_Crypto_API.xml.patch
@@ -0,0 +1,134 @@
+From e1e4ae13b9c5fb9928c94e05f0fa5c17769fd5bd Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <[email protected]>
+Date: Fri, 3 Nov 2023 10:41:57 +0100
+Subject: [PATCH] TEE_Crypto_API.xml
+
+Disabling cases:
+
+- Invoke_Crypto_AllocateOperation_TEE_ALG_MD5_size_not_appropriate (3b-4d-15)
+- Invoke_Crypto_AllocateOperation_TEE_ALG_SHA1_size_not_appropriate (3b-86-3d)
+- Invoke_Crypto_AllocateOperation_TEE_ALG_SHA224_size_not_appropriate (3b-91-91)
+- Invoke_Crypto_AllocateOperation_TEE_ALG_SHA256_size_not_appropriate (3b-c6-3c)
+- Invoke_Crypto_AllocateOperation_TEE_ALG_SHA384_size_not_appropriate (3b-b0-94)
+- Invoke_Crypto_AllocateOperation_TEE_ALG_SHA512_size_not_appropriate (3b-f6-b8)
+
+These tests assume that TEE_AllocateOperation() must reject non-zero
+values for maxKeySize when the algorithm is MD5 or SHA (since the
+parameter is not applicable). But The GlobalPlatform TEE Internal Core
+API v1.1.2 has clarified the requirement, see:
+
+ 6.2.1 TEE_AllocateOperation
+
+ [...] The parameter maxKeySize MUST be a valid value as defined in Table
+ 5-9 for the algorithm, for algorithms referenced in Table 5-9. For all
+ other algorithms, the maxKeySize parameter may have any value.
+
+Link: https://github.com/OP-TEE/optee_os/pull/6416
+Signed-off-by: Jerome Forissier <[email protected]>
+---
+ packages/Crypto/xmlstable/TEE_Crypto_API.xml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/packages/Crypto/xmlstable/TEE_Crypto_API.xml b/packages/Crypto/xmlstable/TEE_Crypto_API.xml
+index b824637..b1cd7b0 100644
+--- a/packages/Crypto/xmlstable/TEE_Crypto_API.xml
++++ b/packages/Crypto/xmlstable/TEE_Crypto_API.xml
+@@ -149178,6 +149178,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++<!-- AllocateOperation
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_MD5_size_not_appropriate (3b-4d-15)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -149367,6 +149368,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++-->
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1_mode_not_allowed (3b-8b-3e)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -156360,6 +156362,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++<!-- AllocateOperation
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA1_size_not_appropriate (3b-86-3d)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -156549,6 +156552,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++-->
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA224_mode_not_allowed (3b-91-90)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -156738,6 +156742,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++<!-- AllocateOperation
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA224_size_not_appropriate (3b-91-91)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -156927,6 +156932,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++-->
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA256_mode_not_allowed (3b-c6-3b)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -157116,6 +157122,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++<!-- AllocateOperation
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA256_size_not_appropriate (3b-c6-3c)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -157305,6 +157312,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++-->
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA384_mode_not_allowed (3b-b0-93)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -157494,6 +157502,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++<!-- AllocateOperation
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA384_size_not_appropriate (3b-b0-94)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -157683,6 +157692,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++-->
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA512_mode_not_allowed (3b-f6-b7)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -157872,6 +157882,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++<!-- AllocateOperation
+         <scenario name="Invoke_Crypto_AllocateOperation_TEE_ALG_SHA512_size_not_appropriate (3b-f6-b8)" destructive="no">
+             <req name="ALLOCATE_OPERATION_ERROR_NOT_SUPPORTED">
+                 <description><![CDATA[If the mode is not compatible with the algorithm or key size or if the algorithm is not one of the listed algorithms or if maxKeySize is not appropriate for the algorithm.]]></description>
+@@ -158061,6 +158072,7 @@
+                 </call>
+             </postamble>
+         </scenario>
++-->
+     </initial-state>
+     <initial-state name="TEE_Internal_API_Crypto_FreeOperation">
+         <scenario name="Invoke_Crypto_FreeAllKeysAndOperations_Success (30-74-50)" destructive="no">
+-- 
+2.34.1
+
diff --git a/host/xtest/pkcs11_1000.c b/host/xtest/pkcs11_1000.c
@@ -684,6 +684,7 @@ static CK_RV init_user_test_token_pin_auth(CK_SLOT_ID slot)
 	return rv;
 }
 
+#ifdef OPENSSL_FOUND
 static CK_RV test_already_initialized_token(ADBG_Case_t *c, CK_SLOT_ID slot)
 {
 	CK_RV rv = CKR_GENERAL_ERROR;
@@ -1079,9 +1080,11 @@ static CK_RV test_set_pin(ADBG_Case_t *c, CK_SLOT_ID slot,
 
 	return rv;
 }
+#endif /*OPENSSL_FOUND*/
 
 static void xtest_pkcs11_test_1003(ADBG_Case_t *c)
 {
+#ifdef OPENSSL_FOUND
 	CK_RV rv = CKR_GENERAL_ERROR;
 	CK_FUNCTION_LIST_PTR ckfunc_list = NULL;
 	CK_SLOT_ID slot = 0;
@@ -1138,6 +1141,11 @@ static void xtest_pkcs11_test_1003(ADBG_Case_t *c)
 out:
 	rv = close_lib();
 	ADBG_EXPECT_CK_OK(c, rv);
+#else /*!OPENSSL_FOUND*/
+	UNUSED(c);
+	/* xtest_uuid_v5() depends on OpenSSL */
+	Do_ADBG_Log("OpenSSL not available, skipping test 1003");
+#endif /*OPENSSL_FOUND*/
 }
 ADBG_CASE_DEFINE(pkcs11, 1003, xtest_pkcs11_test_1003,
 		 "PKCS11: Login to PKCS#11 token with PIN based authentication");
@@ -2209,7 +2217,7 @@ static void xtest_pkcs11_test_1009(ADBG_Case_t *c)
 		}
 
 		/*
-		 * Test 4 verification 
+		 * Test 4 verification
 		 * Error - Signature Length Range with C_VerifyFinal
 		 */
 		if (test->in != NULL) {
@@ -8625,6 +8633,7 @@ static void xtest_pkcs11_test_1026(ADBG_Case_t *c)
 ADBG_CASE_DEFINE(pkcs11, 1026, xtest_pkcs11_test_1026,
 		 "PKCS11: RSA AES Key Wrap/Unwrap tests");
 
+#ifdef OPENSSL_FOUND
 static CK_RV test_login_logout_acl_auth(ADBG_Case_t *c, CK_SLOT_ID slot)
 {
 	CK_FLAGS session_flags = CKF_SERIAL_SESSION | CKF_RW_SESSION;
@@ -8658,11 +8667,13 @@ static CK_RV test_login_logout_acl_auth(ADBG_Case_t *c, CK_SLOT_ID slot)
 	Do_ADBG_EndSubCase(c, "Test C_Login()/C_Logout() with ACL based authentication");
 	return rv;
 }
+#endif /*OPENSSL_FOUND*/
 
 #define GID_STR_LEN  13
 
 static void xtest_pkcs11_test_1027(ADBG_Case_t *c)
 {
+#ifdef OPENSSL_FOUND
 	CK_RV rv = CKR_GENERAL_ERROR;
 	CK_FUNCTION_LIST_PTR ckfunc_list = NULL;
 	CK_SLOT_ID slot = 0;
@@ -8734,6 +8745,11 @@ static void xtest_pkcs11_test_1027(ADBG_Case_t *c)
 out_unsetenv:
 	ADBG_EXPECT_TRUE(c, !unsetenv("CKTEEC_LOGIN_TYPE"));
 	ADBG_EXPECT_TRUE(c, !unsetenv("CKTEEC_LOGIN_GID"));
+#else /*!OPENSSL_FOUND*/
+	UNUSED(c);
+	/* xtest_uuid_v5() depends on OpenSSL */
+	Do_ADBG_Log("OpenSSL not available, skipping test 1027");
+#endif /*OPENSSL_FOUND*/
 }
 ADBG_CASE_DEFINE(pkcs11, 1027, xtest_pkcs11_test_1027,
 		 "PKCS11: Login to PKCS#11 token with ACL based authentication");

diff --git a/host/xtest/regression_1000.c b/host/xtest/regression_1000.c
@@ -24,7 +24,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/stat.h>
 #include <sys/types.h>
 #include <ta_arm_bti.h>
 #include <ta_concurrent.h>
@@ -1378,6 +1377,7 @@ static void xtest_tee_test_1016(ADBG_Case_t *c)
 	TEEC_Session session = { };
 	TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
 	uint32_t ret_orig = 0;
+	int dummy = 0;
 
 	if (!ADBG_EXPECT_TEEC_SUCCESS(c,
 		xtest_teec_open_session(&session, &os_test_ta_uuid, NULL,
@@ -1391,6 +1391,24 @@ static void xtest_tee_test_1016(ADBG_Case_t *c)
 		TEEC_InvokeCommand(&session, TA_OS_TEST_CMD_TA2TA_MEMREF, &op,
 				   &ret_orig));
 
+	op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
+					 TEEC_MEMREF_TEMP_INOUT,
+					 TEEC_MEMREF_TEMP_OUTPUT,
+					 TEEC_NONE);
+
+	op.params[0].tmpref.buffer = &dummy;
+	op.params[0].tmpref.size = 0;
+
+	op.params[1].tmpref.buffer = &dummy;
+	op.params[1].tmpref.size = 0;
+
+	op.params[2].tmpref.buffer = &dummy;
+	op.params[2].tmpref.size = 0;
+
+	(void)ADBG_EXPECT_TEEC_SUCCESS(c,
+		TEEC_InvokeCommand(&session, TA_OS_TEST_CMD_TA2TA_MEMREF_SIZE0,
+				   &op, &ret_orig));
+
 	TEEC_CloseSession(&session);
 }
 ADBG_CASE_DEFINE(regression, 1016, xtest_tee_test_1016,
@@ -2549,7 +2567,7 @@ static void xtest_tee_test_1033(ADBG_Case_t *c)
 		TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
 
 		op.paramTypes = TEEC_PARAM_TYPES(TEEC_NONE, TEEC_NONE,
-						 TEEC_NONE, TEEC_NONE);	
+						 TEEC_NONE, TEEC_NONE);
 		ADBG_EXPECT_TEEC_RESULT(c, TEEC_ERROR_ITEM_NOT_FOUND,
 			TEEC_InvokeCommand(&session,
 					   TA_SUPP_PLUGIN_CMD_UNKNOWN_UUID,
@@ -3271,7 +3289,75 @@ static void xtest_tee_test_1039(ADBG_Case_t *c)
 	Do_ADBG_EndSubCase(c, "Load TA with identity subkey");
 
 }
-
-
 ADBG_CASE_DEFINE(regression, 1039, xtest_tee_test_1039,
 		 "Test subkey verification");
+
+struct test_1040_thread_arg {
+	TEEC_Result res;
+	pthread_t thr;
+};
+
+static void *test_1040_thread(void *arg)
+{
+	TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
+	struct test_1040_thread_arg *a = arg;
+	TEEC_Result res = TEEC_SUCCESS;
+	uint32_t err_orig = 0;
+	TEEC_Session session = { };
+	size_t loop_count = 100;
+	size_t n = 0;
+
+	if (level == 0)
+		loop_count /= 2;
+
+	while (n < loop_count) {
+		res = xtest_teec_open_session(&session, &sims_test_ta_uuid,
+					      NULL, &err_orig);
+		if (res) {
+			if (res == TEEC_ERROR_TARGET_DEAD)
+				continue;
+			a->res = res;
+			return NULL;
+		}
+
+		memset(&op, 0, sizeof(op));
+		op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
+						 TEEC_NONE, TEEC_NONE,
+						 TEEC_NONE);
+		res = TEEC_InvokeCommand(&session, TA_SIMS_CMD_PANIC, &op,
+					 &err_orig);
+		TEEC_CloseSession(&session);
+		if (res != TEEC_ERROR_TARGET_DEAD) {
+			if (res)
+				a->res = res;
+			else
+				a->res = TEEC_ERROR_GENERIC;
+			return NULL;
+		}
+		n++;
+	}
+	a->res = TEEC_SUCCESS;
+	return NULL;
+}
+
+static void xtest_tee_test_1040(ADBG_Case_t *c)
+{
+	struct test_1040_thread_arg arg[NUM_THREADS] = { };
+	size_t nt = NUM_THREADS;
+	size_t n = 0;
+
+	Do_ADBG_BeginSubCase(c, "Concurent invoke with panic in TA");
+	for (n = 0; n < nt; n++) {
+		if (!ADBG_EXPECT(c, 0, pthread_create(&arg[n].thr, NULL,
+						      test_1040_thread,
+						      arg + n)))
+			nt = n; /* break loop and start cleanup */
+	}
+	for (n = 0; n < nt; n++) {
+		ADBG_EXPECT(c, 0, pthread_join(arg[n].thr, NULL));
+		ADBG_EXPECT_TEEC_SUCCESS(c, arg[n].res);
+	}
+	Do_ADBG_EndSubCase(c, "Concurent invoke with panic in TA");
+}
+ADBG_CASE_DEFINE(regression, 1040, xtest_tee_test_1040,
+		 "Test panic in concurrent open/invoke/close session");
diff --git a/host/xtest/stats.c b/host/xtest/stats.c
@@ -28,6 +28,7 @@
 #define STATS_CMD_ALLOC_STATS	1
 #define STATS_CMD_MEMLEAK_STATS	2
 #define STATS_CMD_TA_STATS	3
+#define STATS_CMD_GET_TIME	4
 
 #define TEE_ALLOCATOR_DESC_LENGTH 32
 struct malloc_stats {
@@ -57,6 +58,7 @@ static int usage(void)
 	fprintf(stderr, " --alloc        Print allocation statistics\n");
 	fprintf(stderr, " --memleak      Dump memory leak data on secure console\n");
 	fprintf(stderr, " --ta           Print loaded TAs context\n");
+	fprintf(stderr, " --time         Print REE and TEE time\n");
 
 	return EXIT_FAILURE;
 }
@@ -312,6 +314,36 @@ static int stat_loaded_ta(int argc, char *argv[])
 	return close_sess(&ctx, &sess);
 }
 
+static int stat_system_time(int argc, char *argv[])
+{
+	TEEC_Context ctx = { };
+	TEEC_Session sess = { };
+	TEEC_Result res = TEEC_ERROR_GENERIC;
+	uint32_t eo = 0;
+	TEEC_Operation op = { };
+
+	UNUSED(argv);
+	if (argc != 1)
+		return usage();
+
+	open_sess(&ctx, &sess);
+	op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_OUTPUT,
+					 TEEC_VALUE_OUTPUT,
+					 TEEC_NONE, TEEC_NONE);
+	res = TEEC_InvokeCommand(&sess, STATS_CMD_GET_TIME, &op, &eo);
+	if (res != TEEC_SUCCESS)
+		errx(EXIT_FAILURE,
+		     "TEEC_InvokeCommand: res %#"PRIx32" err_orig %#"PRIx32,
+		     res, eo);
+
+	printf("REE time: %"PRId32" seconds, %"PRId32" milliseconds\n",
+			op.params[0].value.a, op.params[0].value.b);
+	printf("TEE time: %"PRId32" seconds, %"PRId32" milliseconds\n",
+			op.params[1].value.a, op.params[1].value.b);
+
+	return close_sess(&ctx, &sess);
+}
+
 int stats_runner_cmd_parser(int argc, char *argv[])
 {
 	if (argc > 1) {
@@ -323,6 +355,8 @@ int stats_runner_cmd_parser(int argc, char *argv[])
 			return stat_memleak(argc - 1, argv + 1);
 		if (!strcmp(argv[1], "--ta"))
 			return stat_loaded_ta(argc - 1, argv + 1);
+		if (!strcmp(argv[1], "--time"))
+			return stat_system_time(argc - 1, argv + 1);
 	}
 
 	return usage();