Closed jbech-linaro closed 2 weeks ago
Note to self, when looking at our recommendation, we should update the docs to use this way of checking instead,
uint32_t exp_param_types = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_MEMREF_INPUT,
TEE_PARAM_TYPE_VALUE_INPUT);
if (param_types != exp_param_types)
return TEE_ERROR_BAD_PARAMETERS;
which is a lot cleaner, compared to the current recommendation in the docs, that looks like this:
if ((TEE_PARAM_TYPE_GET(param_types, 0) != TEE_PARAM_TYPE_VALUE_IN) ||
(TEE_PARAM_TYPE_GET(param_types, 1) != TEE_PARAM_TYPE_VALUE_OUT) ||
(TEE_PARAM_TYPE_GET(param_types, 2) != TEE_PARAM_TYPE_MEMREF_INOUT) ||
(TEE_PARAM_TYPE_GET(param_types, 3) != TEE_PARAM_TYPE_NONE)) {
return TEE_ERROR_BAD_PARAMETERS
}
Others, do you agree?
I've added another commit to this PR that fixes the example as well.
Fixes potential future security vulnerabilites by highlighting the importance of verifying expected parameter types in Trusted Applications, as discussed in the GlobalConfusion paper [1] by Marcel Busch et al.
Note that a proposed fix (and a proof of concept using OP-TEE) is suggested in the same paper, which involves requiring TA writers to register expected function parameters. However, this change has not yet been added to any GlobalPlatform specifications (there is a discussion ongoing).
Link: [1] https://hexhive.epfl.ch/publications/files/24SEC4.pdf