Open karthikbhata97 opened 2 weeks ago
TPM event log can be visible from the non-secure world, it's not an issue (the TPM framework takes care of the information integrity for when this information has to be used), whereas TAs derived HUK are expected only for the related TA, not non-secure entities, hence this specific sanity test in system_derive_ta_unique_key()
and the related inline comment.
Feel free to raise Issues if you have questions. That said, if you believe you have found a security issue, please report them according to what is mentioned here: https://optee.readthedocs.io/en/latest/general/contact.html#vulnerability-reporting
I analyzed the system PTA and found that the following permission check is performed for the member input/outputs. (system pta -> system_derive_ta_unique_key) https://github.com/OP-TEE/optee_os/blob/030b3574a26ccd981da0b04d73f23e540e00aed5/core/pta/system.c#L84-L96
But, on another code path, no such checks are being performed (system pta -> system_get_tpm_event_log) https://github.com/OP-TEE/optee_os/blob/030b3574a26ccd981da0b04d73f23e540e00aed5/core/pta/system.c#L310
Is this a security concern? If so, I have found a couple more instances of such inconsistencies and I can report and create patches for them.