OP-TEE / optee_os

Trusted side of the TEE

Inquiry about the OPTEE_MSG_RPC_CMD_FS command execution mechanism. #7038

Open ydonghyuk opened 2 weeks ago

ydonghyuk commented 2 weeks ago

We are reviewing the code by which tee-supplicant creates the secure storage path if it has not been pre-created.

When I tested in a QEMU environment with the following modifications, it seems that /data/tee is not created by tee-supplicant. Can someone explain the mechanism behind this behavior?

--- a/br-ext/package/optee_client_ext/S30optee
+++ b/br-ext/package/optee_client_ext/S30optee
@@ -19,17 +19,17 @@ start() {
                echo "FAIL"
                return "$status"
        fi
-       printf 'Create/set permissions on %s: ' "/data/tee"
-       mkdir -p /data/tee && chown -R tee:tee /data/tee && chmod 0770 /data/tee
-       status=$?
-       if [ "$status" -eq 0 ]; then
-               echo "OK"
-       else
-               echo "FAIL"
-               return "$status"
-       fi
+#      printf 'Create/set permissions on %s: ' "/data/tee"
+#      mkdir -p /data/tee && chown -R tee:tee /data/tee && chmod 0770 /data/tee
+#      status=$?
+#      if [ "$status" -eq 0 ]; then
+#              echo "OK"
+#      else
+#              echo "FAIL"
+#              return "$status"
+#      fi
        printf 'Starting %s: ' "$DAEMON"
-       start-stop-daemon -S -q -p "$PIDFILE" -c tee -x "$DAEMON_PATH/$DAEMON" \
+       start-stop-daemon -S -q -p "$PIDFILE" -c root -x "$DAEMON_PATH/$DAEMON" \
                -- $DAEMON_ARGS
        status=$?
        if [ "$status" -eq 0 ]; then
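
Review bot: switching `-c tee` to `-c root` on the start-stop-daemon line undoes the privilege separation the removed block set up (a dedicated `tee:tee` directory with mode 0770 and the daemon running as the `tee` user), so the test no longer exercises the unprivileged case in which tee-supplicant must create `/data/tee` itself; keep `-c tee` and check whether the daemon can create the directory under `/data` as that user. Also delete the directory-creation block instead of leaving it as `#`-prefixed lines, which keeps dead code in the init script.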

The contents of the modifications are as follows:

  1. Do not create /data/tee by initd script at boot time.
  2. Change tee-supplicant's execution uid to root (without considering permission issues)

etienne-lms commented 2 weeks ago

The directory will be created by tee-supplicant on the first access to the (REE_FS) secure storage. Try for example xtest regression_1004 (which loads a TA and hence uses the secure storage for the TA version rollback protection). You'll see that /data/tee/ is created.

ydonghyuk commented 1 week ago

@etienne-lms Thanks, I verified that it works as you suggested. I also tested the following modification to change the secure storage path, but it didn't work. Did I miss something?

(optee_client)

diff --git a/config.mk b/config.mk
index 24904af..4a5a037 100644
--- a/config.mk
+++ b/config.mk
@@ -23,7 +23,7 @@ CFG_TEE_SUPP_LOG_LEVEL?=1
 #   This folder can be created with the required permission in an init
 #   script during boot, else it will be created by the tee-supplicant on
 #   first REE FS access.
-CFG_TEE_FS_PARENT_PATH ?= /data/tee
+CFG_TEE_FS_PARENT_PATH ?= /my_rw/tee

 # CFG_TEE_CLIENT_LOG_FILE
 #   The location of the client log file when logging to file is enabled.
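
Review bot: the new default `/my_rw/tee` is not matched by anything that creates `/my_rw` with the required ownership; the comment directly above the changed line says the folder is either created in an init script at boot or by tee-supplicant on first REE FS access, and tee-supplicant started as the `tee` user cannot create a directory under `/`. Either add `/my_rw/tee` to the mkdir/chown/chmod step in S30optee or pass the path at run time with `-f/--fs-parent-path` rather than changing the build default.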
diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
index 57a3326..f9c490a 100644
--- a/tee-supplicant/CMakeLists.txt
+++ b/tee-supplicant/CMakeLists.txt
@@ -12,7 +12,7 @@ option (CFG_TEE_SUPP_PLUGINS "Enable tee-supplicant plugin support" ON)
 set (CFG_TEE_SUPP_LOG_LEVEL "1" CACHE STRING "tee-supplicant log level")
 # FIXME: Question is, is this really needed? Should just use defaults from # GNUInstallDirs?
 set (CFG_TEE_CLIENT_LOAD_PATH "/lib" CACHE STRING "Colon-separated list of paths where to look for TAs (see also --ta-dir)")
-set (CFG_TEE_FS_PARENT_PATH "/data/tee" CACHE STRING "Location of TEE filesystem (secure storage)")
+set (CFG_TEE_FS_PARENT_PATH "/my_rw/tee" CACHE STRING "Location of TEE filesystem (secure storage)")
 # FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 in the c-file?
 set (CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API support")
 set (CFG_TEE_PLUGIN_LOAD_PATH "/usr/lib/tee-supplicant/plugins/" CACHE STRING "tee-supplicant's plugins path")
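
Review bot: this CMake cache default and `CFG_TEE_FS_PARENT_PATH ?= /my_rw/tee` in config.mk now hold the same value in two places that must be kept in sync, since the make build reads config.mk and the CMake build reads this file; if only one is changed, the secure storage path depends on which build system produced tee-supplicant. Consider referencing a single source for the value, and extend the description string "Location of TEE filesystem (secure storage)" to say that the directory must be writable by the user tee-supplicant runs as.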
etienne-lms commented 1 week ago

It should work, assuming tee-supplicant has sufficient rights to create this /my_rw directory at the root / path. Tee-supplicant run as root will have them. If run as the tee user, it will not.

Note that if you need to change the init.rd file S30optee, you can set the TEE FS parent path from the tee-supplicant command line option -f/--fs-parent-path. This path defaults to CFG_TEE_FS_PARENT_PATH/TEE_FS_PARENT_PATH when not set from the command line option.

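An added example, not part of this thread or of the OP-TEE project's own scripts: a POSIX sh fragment that prepares the REE FS parent directory the way S30optee does (owner tee:tee, mode 0770), verifies the result, and builds the tee-supplicant start line passing the path with -f so the storage location does not depend on the build-time CFG_TEE_FS_PARENT_PATH default. The daemon location (/usr/sbin/tee-supplicant), the pid file path and the environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the OP-TEE project). Prepares the tee-supplicant
# REE FS parent directory with the ownership and mode S30optee uses and
# starts the daemon with an explicit -f path. Paths and names below are
# assumptions for illustration.

TEE_FS_PARENT_PATH="${TEE_FS_PARENT_PATH:-/data/tee}"
TEE_USER="${TEE_USER:-tee}"
TEE_GROUP="${TEE_GROUP:-tee}"
DAEMON_PATH="${DAEMON_PATH:-/usr/sbin}"   # assumed install location
DAEMON="${DAEMON:-tee-supplicant}"
PIDFILE="${PIDFILE:-/var/run/tee-supplicant.pid}"

# Return 0 when the directory exists and its mode is exactly 0770, i.e. the
# owner and group can use it and 'other' has no access. Uses GNU stat -c and
# falls back to BSD stat -f.
check_tee_fs_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "770" ]
}

# Create the directory as the init script does, so tee-supplicant can run as
# an unprivileged user and never needs to create a directory under / itself.
# chown needs root; when not root (e.g. a dry run) only the mode is set.
prepare_tee_fs_dir() {
    dir="$1"; user="$2"; group="$3"
    mkdir -p "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$group" "$dir" || return 1
    fi
    chmod 0770 "$dir" || return 1
    check_tee_fs_dir "$dir"
}

# Build the daemon start line. The path is passed with -f, which overrides
# the CFG_TEE_FS_PARENT_PATH compiled into tee-supplicant, so the same
# binary works regardless of which build system set the default.
tee_supplicant_cmdline() {
    fs_path="${1:-$TEE_FS_PARENT_PATH}"
    printf '%s' "start-stop-daemon -S -q -p $PIDFILE -c $TEE_USER -x $DAEMON_PATH/$DAEMON -- -f $fs_path"
}

# Usage when sourced from an init script (kept out of the test run):
#   prepare_tee_fs_dir "$TEE_FS_PARENT_PATH" "$TEE_USER" "$TEE_GROUP" || exit 1
#   eval "$(tee_supplicant_cmdline "$TEE_FS_PARENT_PATH")"
```

Running prepare_tee_fs_dir before the daemon keeps the `-c tee` line in S30optee intact; the only reason to run tee-supplicant as root is to let it create the parent directory on first REE FS access, and creating the directory up front removes that reason.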
ydonghyuk commented 6 days ago

@etienne-lms When not set from the command line option, which of the two files below should I set CFG_TEE_FS_PARENT_PATH in? I'm a bit confused, so I'm asking. 1) optee_client/config.mk 2) optee_client/tee-supplicant/CMakeLists.txt

In QEMU v8, if I modify file 2), the secure storage path is changed normally, but I don't quite understand this process.

etienne-lms commented 6 days ago

optee_client/config.mk is used when building optee_client with a make command. optee_client/tee-supplicant/CMakeLists.txt is used when building optee_client with CMake.

Using the OP-TEE distribution (OP-TEE/manifest.git + OP-TEE/build.git), as when building from qemu_armv8, optee_client is built with CMake (see build/br-ext/.../optee_client_ext.mk).