OP-TEE session login checks for client UUID generation#406
OP-TEE session login checks for client UUID generation#406jforissier merged 6 commits intoOP-TEE:masterfrom
Conversation
vesajaaskelainen
changed the title
vesajaaskelainen
changed the title
vesajaaskelainen
force-pushed
the
optee-login-checks
branch
from
a66181b to
7ee0d32
Compare
jforissier
left a comment
jforissier
left a comment
There was a problem hiding this comment.
Minor comments below. Other than that this looks pretty good to me :)
- For commit "xtest: add helper to convert UUID string to TEEC_UUID":
Acked-by: Jerome Forissier <jerome@forissier.org> - All other commits:
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
One more thing: I think it would be good to accept UID 1001 and GID 1001, too. Those are created by our buildroot environment: I rarely run Note, in this case perhaps we should also update |
I can change it to use uid and gid dynamically aka. calculate UUIDv5 on the fly. |
Sounds good! |
vesajaaskelainen
force-pushed
the
optee-login-checks
branch
from
7ee0d32 to
bcec8ab
Compare
|
@jforissier I have now updated the PR with UUIDv5 calculation. There was this endianess thing that took a while. It would have been nice if big endian format (byte array) would have been used for UUID structure like what it was in Linux kernel. I added your ack/reviews for older commits and for those that were changed afterwards don't have those. I have also now updated uid/gid scheme in Linux kernel driver PR. |
|
@vesajaaskelainen thanks for the update, this looks pretty good to me -- I will review more closely tomorrow. I realize the code introduced in "xtest: add UUIDv5 calculation helper" is non-trivial and has to be done on the client side in any application that wants to use the user- or group-based login methods. Could we make things easier by adding a function to |
Now there is a confusion here. Kernel is expected to form the Client UUID so that it has any trustworthiness. The code for that is in Linaro's Linux PR: So there is no need to do this operation in user space at all. Only in group based login user space is expected to provide group ID otherwise the connection data is NULL. The test here is so that we query the Client ID from TA, eg we want to see that the kernel generated the right thing. And in order to verify it in case where test executor can change the logic is copied from kernel code so that verification can be done. So there is no need to have SHA-1 in client library at all. At least for this operation. It is only needed for running xtest. Earlier version was expecting that the xtest was executed as root and this now makes it as dynamic. |
Ah, I see. Makes sense now. I should have waited until properly reading the code before commenting ;-). Sorry for the confusion.
|
etienne-lms
left a comment
etienne-lms
left a comment
There was a problem hiding this comment.
Looks good. Some requested changes and some suggestions.
| if (p[8] != '-' || p[13] != '-' || p[18] != '-' || p[23] != '-') | ||
| return TEEC_ERROR_BAD_FORMAT; | ||
|
|
||
| u.timeLow = parse_hex(p, 8, &res); |
There was a problem hiding this comment.
suggest:
static TEEC_Result advance_dash(const char **s)
{
if (**s != '-')
return TEEC_ERROR_BAD_FORMAT;
(**s)++;
return TEEC_SUCCESS;
}
static TEEC_Result parse_hex32_and_adance(const char **s, size_t nchars, uint32_t *dst)
{
uint32_t v = 0;
size_t n = 0;
int c = 0;
for (n = 0; n < nchars; n++) {
c = hex((*s)[n]);
if (c == -1)
return TEE_ERROR_BAD_FORMAT;
v = (v << 4) + c;
}
*dest = v;
*s += nchars;
return TEE_SUCCESS;
}
TEEC_Result xtest_uuid_from_str(TEEC_UUID *uuid, const char *s)
{ TEEC_UUID u = { };
const char *p = s;
size_t i = 0;
if (get_hex32_and_advance(&p, 8, &u.timeLow)
advance_dash(&p) ||
get_hex32_and_advance(&p, 8, &u.timeMid)
advance_dash(&p) ||
get_hex32_and_advance(&p, 4, &u.timeHiAndVersion)
advance_dash(&p))
return TEEC_ERROR_BAD_FORMAT;
for (i = 0; i < 8; i++) {
if (get_hex32_and_advance(&p, 2, u.clockSeqAndNode + i))
return TEEC_ERROR_BAD_FORMAT;
if (i < 7 && advance_dash(&p))
return TEEC_ERROR_BAD_FORMAT;
}
*uuid = u;
return TEE_SUCCESS;
}
There was a problem hiding this comment.
Is it easier to read? I don't think so. And, the commit simply imports existing code, there is no reason to change it IMO.
There was a problem hiding this comment.
Left as is.
| @@ -0,0 +1,23 @@ | |||
| /* SPDX-License-Identifier: BSD-2-Clause */ | |||
| /* | |||
| * Copyright (c) 2014, STMicroelectronics International N.V. | |||
There was a problem hiding this comment.
Maybe * Copyright (c) 2019, Linaro Limited as per new source file xtest_uuid_helpers.c.
There was a problem hiding this comment.
As this is a copy from same project other git tree I would not like to change it. But in here I can put what ever is recommended action from project team. Probably should be own commit after the copy or so.
There was a problem hiding this comment.
When copying an existing file I don't change the copyrights, I simply add mine if I modify the code.
There was a problem hiding this comment.
Left as is.
|
I'm restarting IBART. It should pass now that OP-TEE/optee_client#195 is merged. |
vesajaaskelainen
force-pushed
the
optee-login-checks
branch
2 times, most recently
from
ecb76e2 to
0ecc4ee
Compare
|
@jforissier updated the PR based on feedback. |
|
For the two commits: "xtest: regression_1000: add test for session login as user" and "xtest: regression_1000: add test for session login as group":
|
vesajaaskelainen
force-pushed
the
optee-login-checks
branch
from
0ecc4ee to
e6db8ab
Compare
Thanks for the review! Updated the PR with those included. |
|
I have now tested this with PATCH v2 for kernel changes that is on mailing list. Note: What is in Linaro tree there is no practical change in the code. I do not have access to full test suite so cannot say if there are any effects for that. Hopefully not. Only issue might be that if application based logins are tested and they do not pass as kernel says not supported. |
I have run it on QEMU, all is good. In fact there are no tests with login methods other than |
Thanks for testing it out! |
|
@etienne-lms @jenswi-linaro gentle reminder in case you'd like to ack before I merge this, thanks. |
jenswi-linaro
left a comment
jenswi-linaro
left a comment
There was a problem hiding this comment.
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
etienne-lms
left a comment
etienne-lms
left a comment
There was a problem hiding this comment.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> with a minor header file inclusion ordering issue.
I can fix @etienne-lms's comment later today and will include those acks and update the PR. |
Add helper method to query current client identity for session login testing. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Verifies that Linux REE kernel authentication and authorization works for public session login. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
This is copied and adapted from optee-os repository: lib/libutee/tee_uuid_from_str.c Renamed as xtest_uuid_helpers.c|h Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
UUIDv5 is specific in RFC 4122. This implements section (for SHA-1): 4.3. Algorithm for Creating a Name-Based UUID Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Verifies that Linux REE kernel authentication and authorization works for session login for user. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Verifies that Linux REE kernel authentication and authorization works for session login with specified group. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
vesajaaskelainen
force-pushed
the
optee-login-checks
branch
from
e6db8ab to
14e3f38
Compare
|
@jforissier updated the PR with acks and #include reordering. |
|
@vesajaaskelainen cool, I'm merging this, thanks. Edit: I just wanted to add it was a nice contribution, several people asked about this login feature in the past, but no one really had a clue how to implement it 😉 |
|
Now that this is merged... I am wondering if we won't face the same issue as for #415: one testing latest OP-TEE (os/client/test) with latest mainline Linux kernel will get its xtest regression tests to fail on these new tests since mainline Linux kernel does not integrate linaro-swg/linux#74. |
Yes, but it is just a matter of time until the code lands upstream, and it is one of the reasons we have linaro-swg/linux branch optee.
=> The commits to cherry-pick from https://github.com/linaro-swg/linux/commits/optee are:
|
|
PATCH v2 has been sent for those Linux kernel patches in the mailing list about a week ago. Now kernel is in rc4 and in weekend that would be rc5. So probably the earliest we have code in the kernel is 3-4 weeks (for 5.8-rc1) assuming that there are no blocking issues found. Best would be if we could cherry-pick changes from upstream kernel for those vendor trees. But I suppose you were planning to make op-tee release in about 3 week timeline which is kinda problematic. |
4 participants
These changes adds testing for handling of open session client UUID generation within Linux kernel.
This is related to: OP-TEE/optee_os#3642