Merge "fix(optee): address late comments and fix bad rc" into integration

2025-04-16 09:34:18 +00:00 · 2023-02-10 11:26:48 +01:00 · 2023-02-10 11:26:48 +01:00 · a13b4cd78b
commit a13b4cd78b
parent 7db8d3cb39 8d7c80fa4c
2 changed files with 20 additions and 13 deletions
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@ -921,16 +921,16 @@ These are highlighted in the ``Mitigations implemented?`` box.
 +------------------------+-----------------------------------------------------+
 | ID                     | 14                                                  |
 +========================+=====================================================+
-| Threat                 | | **Security vulnerabilities in the Non-secure OS   |
-|                        |   can lead to secure world compromise if the option |
-|                        |   OPTEE_ALLOW_SMC_LOAD is enabled.**                |
+| Threat                 | | **Attacker wants to execute an arbitrary or       |
+|                        |   untrusted binary as the secure OS.**              |
 |                        |                                                     |
-|                        | | This option trusts the non-secure world up until  |
-|                        |   the point it issues the SMC call to load the      |
-|                        |   Secure BL32 payload. If a compromise occurs       |
-|                        |   before the SMC call is invoked, then arbitrary    |
-|                        |   code execution in S-EL1 can occur or arbitrary    |
-|                        |   memory in EL3 can be overwritten.                 |
+|                        | | When the option OPTEE_ALLOW_SMC_LOAD is enabled,  |
+|                        |   this trusts the non-secure world up until the     |
+|                        |   point it issues the SMC call to load the Secure   |
+|                        |   BL32 payload. If a compromise occurs before the   |
+|                        |   SMC call is invoked, then arbitrary code execution|
+|                        |   in S-EL1 can occur or arbitrary memory in EL3 can |
+|                        |   be overwritten.                                   |
 +------------------------+-----------------------------------------------------+
 | Diagram Elements       | DF5                                                 |
 +------------------------+-----------------------------------------------------+
@ -948,9 +948,9 @@ These are highlighted in the ``Mitigations implemented?`` box.
 +------------------------+-----------------+-----------------+-----------------+
 | Impact                 | Critical (5)    | Critical (5)    | Critical (5)    |
 +------------------------+-----------------+-----------------+-----------------+
-| Likelihood             | Low (2)         | Low (2)         | Low (2)         |
+| Likelihood             | High (4)        | High (4)        | High (4)        |
 +------------------------+-----------------+-----------------+-----------------+
-| Total Risk Rating      | Medium (10)     | Medium (10)     | Medium (10)     |
+| Total Risk Rating      | Critical (20)   | Critical (20)   | Critical (20)   |
 +------------------------+-----------------+-----------------+-----------------+
 | Mitigations            | When enabling the option OPTEE_ALLOW_SMC_LOAD,      |
 |                        | the non-secure OS must be considered a closed       |
--- a/services/spd/opteed/opteed_main.c
+++ b/services/spd/opteed/opteed_main.c
@ -168,7 +168,8 @@ static int32_t opteed_setup(void)
 * used.  It also assumes that a valid non-secure context has been
 * initialised by PSCI so it does not need to save and restore any
 * non-secure state. This function performs a synchronous entry into
- * OPTEE. OPTEE passes control back to this routine through a SMC.
+ * OPTEE. OPTEE passes control back to this routine through a SMC. This returns
+ * a non-zero value on success and zero on failure.
 ******************************************************************************/
 static int32_t
 opteed_init_with_entry_point(entry_point_info_t *optee_entry_point)
@ -232,6 +233,10 @@ static int32_t opteed_handle_smc_load(uint64_t data_size, uint32_t data_pa)
 	mapped_data_va = mapped_data_pa;
 	data_map_size = page_align(data_size + (mapped_data_pa - data_pa), UP);

+	/*
+	 * We do not validate the passed in address because we are trusting the
+	 * non-secure world at this point still.
+	 */
 	rc = mmap_add_dynamic_region(mapped_data_pa, mapped_data_va,
 				     data_map_size, MT_MEMORY | MT_RO | MT_NS);
 	if (rc != 0) {
@ -290,7 +295,9 @@ static int32_t opteed_handle_smc_load(uint64_t data_size, uint32_t data_pa)
 				   0,
 				   0,
 				   &opteed_sp_context[linear_id]);
-	rc = opteed_init_with_entry_point(&optee_ep_info);
+	if (opteed_init_with_entry_point(&optee_ep_info) == 0) {
+		rc = -EFAULT;
+	}

 	/* Restore non-secure state */
 	cm_el1_sysregs_context_restore(NON_SECURE);