OP-TEE / optee_os

Trusted side of the TEE

i.MX6ULL: Kernel crash on SMC call #6835

Closed parthitce closed 2 months ago

parthitce commented 4 months ago

Problem:

Toolchain:

arm-none-linux-gnueabihf-gcc --version
arm-none-linux-gnueabihf-gcc (Arm GNU Toolchain 12.2.Rel1 (Build arm-12.24)) 12.2.1 20221205
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Linux Kernel : Mainline 6.9 with patch.

# uname  -a
Linux buildroot 6.9.0-g5fd74e5f29e4-dirty #27 SMP Tue May 14 13:35:12 IST 2024 armv7l GNU/Linux

Devicetree changes:

+
+       firmware {
+               optee: optee {
+                       compatible = "linaro,optee-tz";
+                       method = "smc";
+                       status = "okay";
+               };
+       };
+
+       reserved-memory {
+               #address-cells = <1>;
+               #size-cells = <1>;
+               ranges;
+               /*
+                * 32 MiB reserved for OP-TEE (BL32)
+                * +-----------------------+ 0x8600_0000
+                * |      SHMEM 2MiB       |
+                * +-----------------------+ 0x85e0_0000
+                * |                       |
+                * +      TZDRAM 28MiB     |
+                * |                       |
+                * +-----------------------+ 0x8400_0000
+                */
+
+               optee_reserved: optee@84000000 {
+                       no-map;
+                       /* 32 MB */
+                       reg = <0x84000000 0x2000000>;
+                       status = "okay";
+               };
+       };
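Review bot: `status = "okay"` on the `optee@84000000` child is not a property of the reserved-memory binding (that binding knows `reg`, `size`, `alignment`, `alloc-ranges`, `compatible`, `no-map` and `reusable`); it is ignored, but drop it, and it is also redundant on `firmware/optee`, where `okay` is already the default. Separately, the OP-TEE build line further down passes `CFG_DT_ADDR=0x82000000`, and with that set OP-TEE normally patches the DTB at that address with its own `firmware/optee` node and reserved-memory entries for TZDRAM and the static SHMEM before jumping to the kernel; if that is the DTB Linux receives, these hand-written nodes duplicate what OP-TEE adds, so confirm which DTB actually reaches the kernel and keep only one source of truth for these nodes. The 32 MiB `no-map` window itself (0x84000000 to 0x86000000) does match `CFG_TZDRAM_START`/`CFG_TZDRAM_SIZE` plus `CFG_SHMEM_START`/`CFG_SHMEM_SIZE` in the build flags and the layout sketched in the comment.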

U-Boot : Mainline 2024.07

U-Boot SPL 2024.07-rc2-01436-g5c5565cfec9 (May 08 2024 - 19:49:42 +0530)
U-Boot 2024.07-rc2-01436-g5c5565cfec9 (May 08 2024 - 19:49:42 +0530)

OP-TEE OS : Mainline

I/TC: OP-TEE version: 4.2.0-42-g9b1d1cf0d (gcc version 12.2.1 20221205 (Arm GNU Toolchain 12.2.Rel1 (Build arm-12.24))) #7 Tue May 14 09:22:19 UTC 2024 arm

Compiled with:

make CFG_TEE_BENCHMARK=n CROSS_COMPILE=arm-none-linux-gnueabihf- CROSS_COMPILE_core=arm-none-linux-gnueabihf- CROSS_COMPILE_ta_arm32=arm-none-linux-gnueabihf- CROSS_COMPILE_ta_arm64=aarch64-none-linux-gnu- DEBUG=1 O=out/arm PLATFORM=imx PLATFORM_FLAVOR=mx6ullevk ARCH=arm CFG_NS_ENTRY_ADDR=0x80800000 CFG_DT_ADDR=0x82000000 DEBUG=y EARLY_TA_PATHS=out/arm/ta/trusted_keys/f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c.stripped.elf CFG_TZDRAM_START=0x84000000 CFG_TZDRAM_SIZE=0x01e00000 CFG_SHMEM_START=0x85e00000 CFG_SHMEM_SIZE=0x00200000 CFG_TEE_TA_LOG_LEVEL=4 CFG_TEE_CORE_LOG_LEVEL=4 uTee -j32

  MKIMAGE out/arm/core/uTee
Image Name:   
Created:      Tue May 14 14:52:20 2024
Image Type:   ARM Linux Kernel Image (uncompressed)
Data Size:    474552 Bytes = 463.43 KiB = 0.45 MiB
Load Address: 84000000
Entry Point:  84000000

Boot flow: Boot ROM -> SPL -> U-Boot -> OP-TEE -> Linux Kernel -> RFS

Additional information:

Related issues:

Thanks in advance for the pointers and help.

Note: Full console is attached. optee.txt

jenswi-linaro commented 4 months ago

It's interesting to note that lr is still intact, so it's not the bx lr at the end of __arm_smccc_smc() that goes wrong. Instead, it looks like the return from secure world goes wrong. Instead of returning to the instruction after the smc instruction it has returned to 0x4000228. This is an Arm v7-A system so the secure monitor (responsible for enter and exit of secure world) in OP-TEE is used. However, it looks like you have a few patches on top of upstream so that's as far as I can track it. If you have the source code of your downstream OP-TEE fork available look for code updating mon_lr in struct sm_nsec_ctx.

The log line "note: keyctl[136] exited with irqs disabled" suggests that mon_spsr in struct sm_nsec_ctx might be corrupt too.

The 0x4000228 address looks like it could be a secure world address.
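The two symptoms in the comment above (a non-secure return address that is not where the kernel executed the `smc`, and a kernel that finds IRQs masked after the call) are both things the saved non-secure context must preserve across a monitor round trip. The following is an added illustration, not OP-TEE code and not anything from this issue's fork: it models the two fields named above (`mon_lr`, `mon_spsr`) as plain integers captured at monitor entry and again just before exit, and reports which invariants the exit values break. The CPSR bit positions and mode encodings are architectural for Arm v7-A; the kernel virtual address range (`KERNEL_VA_START = 0xc0000000`, the default 3G/1G split) and all sample values, including the entry-side address 0xc0a01234, are assumptions constructed for the example. The return address is compared as a virtual address because the `lr` left behind by the kernel's `smc` is a kernel VA, not a physical one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Arm v7-A CPSR/SPSR layout (architectural). The monitor restores the saved
 * non-secure SPSR into CPSR on exit, so a corrupted saved value shows up as a
 * wrong mode or as masked interrupts in the kernel. */
#define CPSR_MODE_MASK 0x1fu
#define CPSR_MODE_FIQ  0x11u
#define CPSR_MODE_IRQ  0x12u
#define CPSR_MODE_SVC  0x13u
#define CPSR_MODE_MON  0x16u
#define CPSR_MODE_ABT  0x17u
#define CPSR_MODE_HYP  0x1au
#define CPSR_MODE_UND  0x1bu
#define CPSR_MODE_SYS  0x1fu
#define CPSR_T_BIT     (1u << 5)
#define CPSR_F_BIT     (1u << 6)
#define CPSR_I_BIT     (1u << 7)
#define CPSR_A_BIT     (1u << 8)

/* Assumption: kernel VAs start at PAGE_OFFSET for the default 3G/1G split. */
#define KERNEL_VA_START 0xc0000000u

/* Fault bits returned by check_ns_return(); they are OR-ed together. */
enum ctx_fault {
	CTX_OK               = 0,
	CTX_LR_NOT_KERNEL_VA = 1 << 0, /* return target is not a kernel address */
	CTX_LR_MISALIGNED    = 1 << 1, /* return target not aligned for A32/T32 */
	CTX_LR_CHANGED       = 1 << 2, /* saved return address differs from entry */
	CTX_SPSR_MODE_BAD    = 1 << 3, /* mode is Monitor, User or a reserved code */
	CTX_SPSR_CHANGED     = 1 << 4, /* mode or I/F/A/T bits differ from entry */
};

/* Modes the kernel can legitimately be in when it executes smc. SMC is
 * UNDEFINED in User mode, so USR is excluded; Monitor is secure-only. */
static bool ns_return_mode_ok(uint32_t spsr)
{
	switch (spsr & CPSR_MODE_MASK) {
	case CPSR_MODE_FIQ: case CPSR_MODE_IRQ: case CPSR_MODE_SVC:
	case CPSR_MODE_ABT: case CPSR_MODE_HYP: case CPSR_MODE_UND:
	case CPSR_MODE_SYS:
		return true;
	default:
		return false;
	}
}

/* True when the restored CPSR would re-enter the kernel with IRQs masked,
 * which is what "exited with irqs disabled" reports. */
bool irqs_masked_in_spsr(uint32_t spsr)
{
	return (spsr & CPSR_I_BIT) != 0;
}

/* Compare the non-secure context captured at monitor entry with the one the
 * monitor is about to restore. For a plain SMC round trip the return address
 * and the CPSR mode plus I/F/A/T bits must come back unchanged. */
unsigned check_ns_return(uint32_t lr_entry, uint32_t spsr_entry,
			 uint32_t lr_exit, uint32_t spsr_exit)
{
	const uint32_t keep = CPSR_MODE_MASK | CPSR_T_BIT | CPSR_F_BIT |
			      CPSR_I_BIT | CPSR_A_BIT;
	/* A32 return targets are 4-byte aligned, T32 ones 2-byte aligned. */
	const uint32_t align = (spsr_exit & CPSR_T_BIT) ? 1u : 3u;
	unsigned f = CTX_OK;

	if (lr_exit < KERNEL_VA_START)
		f |= CTX_LR_NOT_KERNEL_VA;
	if (lr_exit & align)
		f |= CTX_LR_MISALIGNED;
	if (lr_exit != lr_entry)
		f |= CTX_LR_CHANGED;
	if (!ns_return_mode_ok(spsr_exit))
		f |= CTX_SPSR_MODE_BAD;
	if ((spsr_exit ^ spsr_entry) & keep)
		f |= CTX_SPSR_CHANGED;
	return f;
}

int main(void)
{
	/* Constructed entry state: kernel in SVC mode with IRQs enabled, lr just
	 * past the smc (the address itself is made up). */
	uint32_t lr_in = 0xc0a01234u, spsr_in = 0x60000013u;
	/* Constructed exit state resembling the report: lr = 0x4000228 and an
	 * SPSR whose I (and F) bits have been set. */
	uint32_t lr_out = 0x04000228u, spsr_out = 0x600000d3u;
	unsigned f = check_ns_return(lr_in, spsr_in, lr_out, spsr_out);

	printf("faults = 0x%x, irqs masked on return: %s\n", f,
	       irqs_masked_in_spsr(spsr_out) ? "yes" : "no");
	return 0;
}
```

The useful property of comparing entry against exit, rather than checking the exit values in isolation, is that it catches a corrupted `mon_spsr` even when the corrupted value is still a legal CPSR: an I bit that was clear on entry and set on exit is exactly the case the "exited with irqs disabled" message points at.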

parthitce commented 4 months ago

> It's interesting to note that lr is still intact, so it's not the bx lr at the end of __arm_smccc_smc() that goes wrong. Instead, it looks like the return from secure world goes wrong. Instead of returning to the instruction after the smc instruction it has returned to 0x4000228. This is an Arm v7-A system so the secure monitor (responsible for enter and exit of secure world) in OP-TEE is used. However, it looks like you have a few patches on top of upstream so that's as far as I can track it. If you have the source code of your downstream OP-TEE fork available look for code updating mon_lr in struct sm_nsec_ctx.
>
> The log line "note: keyctl[136] exited with irqs disabled" suggests that mon_spsr in struct sm_nsec_ctx might be corrupt too.
>
> The 0x4000228 address looks like it could be a secure world address.

Thanks for the response. I will check the code path on the OP-TEE side. Also, to add a blind thought: I did try using mainline OP-TEE with the i.MX vendor kernel tree and it worked fine.

github-actions[bot] commented 3 months ago

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.