linaro-swg / optee_android_manifest

Android manifest for building OP-TEE in AOSP

Android application to call CA shell command #15

Closed nikoskoutr closed 7 years ago

nikoskoutr commented 7 years ago

Hello, I have installed a CA/TA alongside Android on the HiKey board. When I call the CA from the shell everything works fine (as root). But when I call the CA command from within an application I get an error from the context initialization. The error code is 0xffff0008 TEE_ERROR_ITEM_NOT_FOUND. I made the application a system app but it did not work. I also called other commands, such as ls, and they work.

Thank you for your help, Nick

vchong commented 7 years ago

Can you show some logs? Is it possible to run the app as root? Also, in device/linaro/hikey/sepolicy/file_contexts, try adding below and rebuild:

/path/to/your/CA u:object_r:tee_exec:s0

/path/to/your/CA is probably /system/bin/your_CA_name

nikoskoutr commented 7 years ago

Thank you for your response, I have applied your suggestion and now I get the following error from the adb log:

java.io.IOException: Cannot run program "tee_idemix": error=13, Permission denied

tee_idemix is the command I am trying to run. I also tried to run tee_helloworld and I get the same 0xffff0008 TEE_ERROR_ITEM_NOT_FOUND error from within the app, although when I adb shell into the device as root, everything runs normally. I am currently investigating how to run an app as root. Unfortunately I could not find any logs; the app does not crash and the only log retrieved by the app is the line that gives me the error.

Any other suggestions are welcome, I will try to run the app as root and post if there is a solution. Thank you again.

vchong commented 7 years ago

What are the file permissions of tee_idemix and tee_helloworld? Just for testing, try changing the file permission to 777 and see if that helps.

nikoskoutr commented 7 years ago

The permissions are 755 root:shell; I tried 777 and I get the same permission error. The permissions of ls, which runs correctly within the app, are 755 root:shell as well.

vchong commented 7 years ago

@liuyq @vishalbhoj any ideas?

vchong commented 7 years ago

When you call the CA from the shell (NOT as root), do you get the same error?

liuyq commented 7 years ago

From what I know, it's not possible to execute a native command as root from an app. It's better to call the function from the app via a service or native code, I think.

nikoskoutr commented 7 years ago

Hello, when not running as root, I get the same error. I have found this: https://github.com/OP-TEE/optee_os/issues/903. Using the info from this issue, I set the permissions of /dev/tee0 and /dev/teepriv0 to 666 and I use the command setenforce 0. After that everything works correctly. I am using https://github.com/linaro-swg/optee_android_manifest/tree/hikey-n-4.9-240. Is there a way to continue using SELinux and call the TA? Also, is there a way to change the permissions of /dev/tee* and run setenforce 0 at boot time? Thank you for your time.

jenswi-linaro commented 7 years ago

With setenforce 0 you disable SELinux if I understand it correctly. If you intend to use SELinux you will probably need to configure it to allow certain applications to use /dev/tee[0-9] and /dev/teepriv[0-9].

With rules under /dev/udev you can change permissions etc. of the device when it's created.

nikoskoutr commented 7 years ago

Thank you for the help; I will not use SELinux for the time being. My issue is resolved, so I am closing it. Thank you again.

vchong commented 7 years ago

@nikoskoutr Great job getting it to work! :)

Is there a way to continue using SELinux and call the TA?

/system/bin/tee_idemix u:object_r:tee_exec:s0 in file_contexts should have worked. Not sure why not.

Also, is there a way to change the permissions of /dev/tee* and run setenforce 0 at boot time?

In device/linaro/hikey/ueventd.common.rc, change 0660 to 0666. In device/linaro/hikey/bootloader/EFI/BOOT/grub.cfg, add androidboot.selinux=permissive to the end of lines that start with linux /kernel. Then rebuild and the system should boot with what you want.

nikoskoutr commented 7 years ago

@vchong Thank you very much for your kind words and your help! I have applied what you suggested and the /dev/tee* devices have the correct permissions. I still do not have SELinux disabled on boot, though; I will try to rebuild it. Is there a way to compile just the submodule that is required for this operation?

vchong commented 7 years ago

How did you get the /dev/tee* permissions correct if you haven't rebuilt it? Did you just change corresponding files on the board itself?

For grub.cfg, I think it will require a rebuild and reflash. The full line should look something like: linux /kernel console=ttyFIQ0 androidboot.console=ttyFIQ0 androidboot.hardware=hikey firmware_class.path=/system/etc/firmware efi=noruntime androidboot.selinux=permissive

I think you can try just make <options> bootimage and reflash boot.img. Not 100% sure though.

liuyq commented 7 years ago


You need to export TARGET_BOOTIMAGE_USE_FAT=true before running the "make droidcore" command to generate the boot_fat.uefi.img file that uses the grub.cfg settings. The boot.img does not use grub.cfg for boot on HiKey.

To set androidboot.selinux=permissive with the boot.img, please update the BOARD_KERNEL_CMDLINE defined in device/linaro/hikey/hikey/BoardConfig.mk

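As an added check (example code, not from this thread or the project): a POSIX sh audit over constructed `ls -lZ` output and a constructed kernel cmdline that flags each of the workarounds discussed above (world-accessible /dev/tee*, a CA not labelled tee_exec, SELinux permissive), so a build that still carries them is caught before it ships. The file paths and field order mirror what `adb shell ls -lZ` prints on the board; the sample values are made up.

```shell
#!/bin/sh
# Added example, not from the thread: audit the TEE access surface that the
# 0666 + androidboot.selinux=permissive workaround opens up. It parses
# `ls -lZ` style lines plus the kernel cmdline and prints one finding per line.

# Constructed sample of `adb shell ls -lZ /dev/tee* /system/bin/tee_idemix`
# after the workaround (field order: mode links owner group label path).
SAMPLE_LS='crw-rw-rw- 1 root root u:object_r:tee_device:s0 /dev/tee0
crw-rw-rw- 1 root root u:object_r:tee_device:s0 /dev/teepriv0
-rwxr-xr-x 1 root shell u:object_r:system_file:s0 /system/bin/tee_idemix'

# Constructed /proc/cmdline as produced by the BOARD_KERNEL_CMDLINE change.
SAMPLE_CMDLINE='console=ttyFIQ0 androidboot.hardware=hikey androidboot.selinux=permissive'

# audit_tee_access LS_OUTPUT CMDLINE: prints one line per finding, nothing when clean.
audit_tee_access() {
    printf '%s\n' "$1" | while read -r mode _links _owner _group label path; do
        others=${mode#???????}          # last three chars: permissions for "other"
        case $path in
            /dev/tee[0-9]*|/dev/teepriv[0-9]*)
                # 0666 lets every process, app domains included, open the TEE driver.
                case $others in *[rw]*) echo "$path: world-accessible ($mode)";; esac
                [ "$label" = "u:object_r:tee_device:s0" ] || echo "$path: unexpected label $label"
                ;;
            *)
                # The CA should carry tee_exec, as suggested for file_contexts above.
                [ "$label" = "u:object_r:tee_exec:s0" ] || echo "$path: not labelled tee_exec ($label)"
                ;;
        esac
    done
    # Permissive mode turns every SELinux denial into a log line instead of a block.
    case " $2 " in *" androidboot.selinux=permissive "*) echo "cmdline: SELinux permissive";; esac
}

# count_findings LS_OUTPUT CMDLINE: number of findings, for pass/fail use in scripts.
count_findings() {
    audit_tee_access "$1" "$2" | wc -l | tr -d ' '
}

audit_tee_access "$SAMPLE_LS" "$SAMPLE_CMDLINE"
```

On a real board, feed it `adb shell ls -lZ /dev/tee* /system/bin/<your_CA>` and `adb shell cat /proc/cmdline`; zero findings means the device still enforces the labelling jenswi-linaro and vchong describe.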

nikoskoutr commented 7 years ago

@vchong I rebuilt the whole thing following what you said and I still did not get a permissive SELinux. So I thought I had made a mistake and wanted to rebuild it again to see if that made a difference. On a side note, whenever I change the corresponding files on the board, they reset to the default configuration on every restart. I have followed what you suggested @liuyq and it worked fine! Thank you all for your great help!

nikoskoutr commented 7 years ago

Hello,

Everything is working fine and the development of my TA/CA is going great. I have a question, though: after rebuilding with the edited device/linaro/hikey/hikey/BoardConfig.mk, my device on adb has no serial number. Does anyone know why this is happening? Is there a way to fix it?

Thank you in advance, Nick

vchong commented 7 years ago

Try adding androidboot.serialno=0123456789 to BOARD_KERNEL_CMDLINE.

vchong commented 7 years ago

For posterity's sake, one of the following fastboot commands should also work:

fastboot oem serialno

fastboot getvar nve:SN@16_DIGIT_NUMBER