[PATCH v2 3/3] [RFC] tee: add support for app id for client UUID generation

From: Vesa Jääskeläinen
Date: Thu Apr 30 2020 - 08:37:32 EST


Linux kernel does not provide common context for application identifier,
instead different security frameworks provide own means to define
application identifier for running process. Code includes place holder for
such solutions but is left for later implementation.

Open questions:

1. App ID source

How to specify what source is used for app id?

Does it need to be protected on runtime?
- Should this be Kconfig setting?
- Configure once during runtime through sysfs or so?
- Configure from device tree?

2. Formatting for App ID

Should there be common format? Or common keyword id?

3. How to handle custom App ID sources

Android has own App ID so does Tizen.

Should there be place holder for this where to make local patch?

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@xxxxxxxxxxx>
---
drivers/tee/tee_core.c | 58 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)

diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index d5db206d6af2..35ea20a99b9e 100644
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -125,6 +125,15 @@ static int tee_release(struct inode *inode, struct file *filp)
return 0;
}

+static const char *tee_session_get_application_id(void)
+{
+ return NULL;
+}
+
+static void tee_session_free_application_id(const char *app_id)
+{
+}
+
/**
* uuid_v5() - Calculate UUIDv5
* @uuid: Resulting UUID
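
Review bot: tee_session_get_application_id() can only signal "no id" by returning NULL, and neither helper documents who owns the returned string. Since the placeholder always returns NULL, consider returning an ERR_PTR() value such as ERR_PTR(-EOPNOTSUPP) so callers can tell "not implemented" apart from a real id. A short comment above both helpers should also state that the result must be released with tee_session_free_application_id() and whether that function accepts NULL.
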
@@ -218,6 +227,14 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method,
* For TEEC_LOGIN_GROUP:
* gid=<gid>
*
+ * For TEEC_LOGIN_APPLICATION:
+ * app=<application id>
+ *
+ * For TEEC_LOGIN_USER_APPLICATION:
+ * uid=<uid>:app=<application id>
+ *
+ * For TEEC_LOGIN_GROUP_APPLICATION:
+ * gid=<gid>:app=<application id>
*/

name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL);
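
Review bot: the new comment lines for TEEC_LOGIN_APPLICATION, TEEC_LOGIN_USER_APPLICATION and TEEC_LOGIN_GROUP_APPLICATION leave the encoding of <application id> undefined. This string is the name the client UUID is calculated from, so any later change to its format changes the UUID a client presents. The comment should specify the allowed character set, whether ':' may appear inside the id, and the maximum length that still fits in TEE_UUID_NS_NAME_SIZE. It would also help to say that <uid> and <gid> are written in hexadecimal, since the code formats them with %x.
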
@@ -250,6 +267,47 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method,
}
break;

+ case TEE_IOCTL_LOGIN_APPLICATION:
+ application_id = tee_session_get_application_id();
+ name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "app=%s",
+ application_id);
+ tee_session_free_application_id(application_id);
+ if (name_len >= TEE_UUID_NS_NAME_SIZE) {
+ rc = -E2BIG;
+ goto out_free_name;
+ }
+ break;
+
+ case TEE_IOCTL_LOGIN_USER_APPLICATION:
+ application_id = tee_session_get_application_id();
+ name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE,
+ "uid=%x:app=%s", current_euid().val,
+ application_id);
+ tee_session_free_application_id(application_id);
+ if (name_len >= TEE_UUID_NS_NAME_SIZE) {
+ rc = -E2BIG;
+ goto out_free_name;
+ }
+ break;
+
+ case TEE_IOCTL_LOGIN_GROUP_APPLICATION:
+ memcpy(&ns_grp, connection_data, sizeof(gid_t));
+ grp = make_kgid(current_user_ns(), ns_grp);
+ if (!gid_valid(grp) || !in_egroup_p(grp)) {
+ rc = -EPERM;
+ goto out_free_name;
+ }
+
+ application_id = tee_session_get_application_id();
+ name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE,
+ "gid=%x:app=%s", grp.val, application_id);
+ tee_session_free_application_id(application_id);
+ if (name_len >= TEE_UUID_NS_NAME_SIZE) {
+ rc = -E2BIG;
+ goto out_free_name;
+ }
+ break;
+
default:
rc = -EINVAL;
goto out_free_name;
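
Review bot: in all three new cases application_id is passed to snprintf() with "%s" without a NULL check, and with the placeholder returning NULL the kernel formats it as "(null)". Every caller of TEE_IOCTL_LOGIN_APPLICATION would then get the name "app=(null)" and so the same client UUID, which removes the per-application separation these login methods are meant to provide. Suggest failing before the snprintf(), for example with if (!application_id) { rc = -EPERM; goto out_free_name; }, until a real id source exists. Separately, no hunk in this patch declares application_id, so unless an earlier patch in the series adds it, a declaration is needed at the top of tee_session_calc_client_uuid(). The get/format/free/length-check sequence is repeated three times and could move into one helper that takes the prefix.
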
--
2.17.1