Open r4ndd00d opened 1 day ago
Hello @r4ndd00d,
There is a section about this in the GlobalPlatform TEE Internal Core API documentation (v1.3.1, section 4.11.1 TEE_CheckMemoryAccessRights) which states:
Note that when true memory sharing is implemented between Clients and the Trusted Application, the Memory Reference Parameters passed to the TA entry points will typically not satisfy these requirements [read-after-read/read-after-write consistency and non-observability]. In this case, the function TEE_CheckMemoryAccessRights SHALL return TEE_ERROR_ACCESS_DENIED. The code handling such buffers has to be especially careful to avoid security issues brought by this lack of guarantees. For example, it can read each byte in the buffer only once and refrain from writing temporary data in the buffer.
So, users of the API are supposed to be aware of this kind of issue. That being said, I agree it would be nice to explain this in the OP-TEE documentation and mention TEE_CheckMemoryAccessRights(). Would you mind creating a pull request in the documentation project? Thanks!
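The GlobalPlatform paragraph quoted above boils down to a check-then-use race on a buffer the client can rewrite at any time. The following is an added example written for this thread, not code from OP-TEE or from the GP specification: it models a shared Memory Reference Parameter as a plain byte array with a constructed record layout (byte 0 = payload length, bytes 1..n = payload, both assumptions), uses a `tamper_fn` hook as a stand-in for the racing client thread, and contrasts the double-read pattern with a snapshot-into-private-memory pattern that reads each shared byte exactly once and never writes temporary data back, which is what the spec text recommends for buffers on which TEE_CheckMemoryAccessRights() returns TEE_ERROR_ACCESS_DENIED.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a Memory Reference Parameter that is truly shared
 * with the client. Assumed record layout (not from OP-TEE or the GP spec):
 *   byte 0     = payload length n, valid when n <= MAX_PAYLOAD
 *   bytes 1..n = payload
 * The buffer is BUF_SIZE bytes so that any 8-bit length stays inside it
 * and the demonstration itself remains memory-safe. */
#define MAX_PAYLOAD 16
#define BUF_SIZE 256

/* Stands in for the client thread that can rewrite the shared buffer at any
 * moment; the TA calls it at the point where it sits between two reads. */
typedef void (*tamper_fn)(uint8_t *shared);

/* Vulnerable pattern: the length is validated on one read and then read
 * AGAIN from shared memory to drive the copy, so check and use can differ. */
int copy_double_read(uint8_t *shared, tamper_fn tamper, uint8_t out[BUF_SIZE])
{
    uint8_t n = shared[0];               /* check: first read */
    if (n > MAX_PAYLOAD)
        return -1;
    if (tamper)
        tamper(shared);                  /* client races here */
    size_t len = shared[0];              /* use: second read, never re-checked */
    memcpy(out, &shared[1], len);        /* may copy up to 255 bytes, not 16 */
    return (int)len;
}

/* Hardened pattern: snapshot the shared region ONCE into TA-private memory
 * (each shared byte is read exactly once), then validate and consume only
 * the private copy. Nothing is ever written back to the shared buffer. */
int copy_snapshot(uint8_t *shared, tamper_fn tamper, uint8_t out[BUF_SIZE])
{
    uint8_t priv[1 + MAX_PAYLOAD];       /* TA-private; the client cannot touch it */
    memcpy(priv, shared, sizeof(priv));  /* single pass over shared memory */
    if (tamper)
        tamper(shared);                  /* the race no longer affects priv */
    uint8_t n = priv[0];                 /* check on the private copy */
    if (n > MAX_PAYLOAD)
        return -1;
    memcpy(out, &priv[1], n);            /* use exactly the value that was checked */
    return (int)n;
}

/* Constructed client behaviour: flip the length to its maximum after the TA
 * has already accepted the original value. */
void grow_length(uint8_t *shared) { shared[0] = 0xff; }

/* Builds a constructed well-formed record: length 4, payload "abcd". */
void make_record(uint8_t *shared)
{
    memset(shared, 0, BUF_SIZE);
    shared[0] = 4;
    memcpy(&shared[1], "abcd", 4);
}

/* Runs one handler against a fresh record, with or without interference, and
 * returns the number of payload bytes the TA ended up copying. */
int run_scenario(int (*handler)(uint8_t *, tamper_fn, uint8_t *), tamper_fn tamper)
{
    uint8_t shared[BUF_SIZE], out[BUF_SIZE];
    make_record(shared);
    return handler(shared, tamper, out);
}

int main(void)
{
    printf("double read, no race : %d bytes\n", run_scenario(copy_double_read, NULL));
    printf("double read, raced   : %d bytes\n", run_scenario(copy_double_read, grow_length));
    printf("snapshot,    no race : %d bytes\n", run_scenario(copy_snapshot, NULL));
    printf("snapshot,    raced   : %d bytes\n", run_scenario(copy_snapshot, grow_length));
    return 0;
}
```

In a real TA the same split applies to every field a handler reads twice, not only a length: any value that drives a bounds decision, an index or a state transition must come from the private copy. The snapshot copy costs one extra pass over the parameter, which is usually acceptable; where it is not, the alternative the spec names (read each byte exactly once and keep all intermediate state in TA memory) has to be applied by hand on every access path.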
Here it is https://github.com/OP-TEE/optee_docs/pull/255
Not sure about the formulation though...
Thanks for your answer!
Hello,
I was wondering if the buffer passed in TEE_PARAM could be subjected to TOCTOU attacks, and after some time I stumbled on this issue.
Maybe I missed it, but I did not find this information anywhere in the documentation.
IMHO, this kind of behaviour should be clearly stated in the documentation, instead of just being mentioned in a closed issue, as this might be critical for the security of the platform.
Especially, the documentation should state that buffers passed using this mechanism:
Thanks, Best regards