linaro-swg / linux

Linux kernel source tree

Difference between /dev/tee and /dev/teepriv #96

Closed jingdlu closed 3 years ago

jingdlu commented 3 years ago

I know that /dev/tee is for a normal client to do operations like opening a session, invoking a command and so on. /dev/teepriv is for tee-supplicant to do RPC command receiving and sending. I'm wondering why we don't put these operations in one device file. In the optee_supp_desc structure, the TEE_DESC_PRIVILEGED flag will be set. What's the usage for this flag? Or what's the usage for the TEE_GEN_CAP_PRIVILEGED capability exported by tee_ioctl_version?

Thanks

jenswi-linaro commented 3 years ago

The main reason is that we don't want to allow an unprivileged client to impersonate a tee-supplicant. Then it's also a convenient way of enabling slightly different behaviour in the driver callbacks.

jingdlu commented 3 years ago

But an unprivileged client can also open /dev/teepriv, right? How does it avoid an unprivileged client impersonating tee-supplicant?

jenswi-linaro commented 3 years ago

No, /dev/teepriv is supposed to be protected by file permissions.

jforissier commented 3 years ago

> No, /dev/teepriv is supposed to be protected by file permissions.

...in our QEMU/Buildroot setup for instance we have:

```
$ ls -l /dev/tee*
crw-rw----    1 root     teeclnt   247,   0 Jul  6 06:54 /dev/tee0
crw-rw----    1 root     tee       247,  16 Jul  6 06:54 /dev/teepriv0
```

jingdlu commented 3 years ago

Thanks for your info.
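
The permission layout in the QEMU/Buildroot listing above can be checked mechanically. This is an added example, not part of the original thread or of the OP-TEE project's code; the function name `audit_tee_nodes` and the rule that the client and supplicant nodes must not share a group are assumptions drawn from that listing, and the misconfigured sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit TEE device node permissions.
# Reads `ls -l` lines on stdin and prints one FAIL line per finding.
# Empty output means the listing matches the layout shown in the thread.
# Assumed policy, inferred from that listing:
#   1. /dev/teeprivN grants nothing to "other"
#   2. /dev/teeprivN does not share its group with any /dev/teeN client node
audit_tee_nodes() {
    awk '
    $1 !~ /^c/ { next }                 # only character devices matter here
    {
        mode = $1; group = $4; node = $NF
        other = substr(mode, 8, 3)      # the rwx triplet for "other"
        if (node ~ /^\/dev\/teepriv[0-9]+$/) {
            priv_group[group] = node
            if (other != "---")
                print "FAIL " node ": accessible to other (" other ")"
        } else if (node ~ /^\/dev\/tee[0-9]+$/) {
            client_group[group] = node
        }
    }
    END {
        # A shared group lets every TEE client open the supplicant node.
        for (g in priv_group)
            if (g in client_group)
                print "FAIL " priv_group[g] ": shares group " g " with " client_group[g]
    }'
}

# Constructed sample: teepriv0 left world-accessible and in the client group.
audit_tee_nodes <<'EOF'
crw-rw----    1 root     teeclnt   247,   0 Jul  6 06:54 /dev/tee0
crw-rw-rw-    1 root     teeclnt   247,  16 Jul  6 06:54 /dev/teepriv0
EOF

# On a target system: ls -l /dev/tee* | audit_tee_nodes
```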