From acb62de3a7792105e7533686a40f47a73da4b1a6 Mon Sep 17 00:00:00 2001 From: Mariam Elshakfy Date: Mon, 14 Jul 2025 12:07:14 +0000 Subject: [PATCH] arm/optee: Backport fix for CVE-2025-46733 This CVE is fixed in optee 4.7, so backport for 4.6 For optee-ftpm, the change is submitted right after the 4.6 tag, so update the SHA instead of holding an out-of-tree patch. Signed-off-by: Mariam Elshakfy Signed-off-by: Jon Mason --- .../optee-ftpm/optee-ftpm_4.6.0.bb | 4 +- ... => 0001-optee-enable-clang-support.patch} | 0 ...002-Add-optee-ta-instanceKeepCrashed.patch | 89 +++++++++++++++++++ .../recipes-security/optee/optee-os_4.6.0.bb | 3 +- 4 files changed, 93 insertions(+), 3 deletions(-) rename meta-arm/recipes-security/optee/optee-os/{0003-optee-enable-clang-support.patch => 0001-optee-enable-clang-support.patch} (100%) create mode 100644 meta-arm/recipes-security/optee/optee-os/0002-Add-optee-ta-instanceKeepCrashed.patch diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb index f611a451..9f328c25 100644 --- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.6.0.bb @@ -35,8 +35,8 @@ SRC_URI = "\ # As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference SRCREV_ms-tpm ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a" -# v4.6.0 -SRCREV_optee-ta ?= "6f99e783eb9bb57c314a881433d4ec970de87959" +# v4.6.0 + fix for CVE-2025-46733 +SRCREV_optee-ta ?= "ce33372ab772e879826361a1ca91126260bd9be1" SRCREV_FORMAT = "ms-tpm_optee-ta" diff --git a/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch b/meta-arm/recipes-security/optee/optee-os/0001-optee-enable-clang-support.patch similarity index 100% rename from meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch rename to meta-arm/recipes-security/optee/optee-os/0001-optee-enable-clang-support.patch diff --git a/meta-arm/recipes-security/optee/optee-os/0002-Add-optee-ta-instanceKeepCrashed.patch b/meta-arm/recipes-security/optee/optee-os/0002-Add-optee-ta-instanceKeepCrashed.patch new file mode 100644 index 00000000..6ba379aa --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os/0002-Add-optee-ta-instanceKeepCrashed.patch @@ -0,0 +1,89 @@ +From 941a58d78c99c4754fbd4ec3079ec9e1d596af8f Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Fri, 4 Apr 2025 10:24:34 +0200 +Subject: [PATCH] Add optee.ta.instanceKeepCrashed property + +Add the optee.ta.instanceKeepCrashed property to prevent a TA with +gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected +resetting of the state of the TA. + +Upstream-Status: Backport +CVE: CVE-2025-46733 +Signed-off-by: Jens Wiklander +Reviewed-by: Jerome Forissier +Reviewed-by: Alex Lewontin +Reviewed-by: Etienne Carriere +--- + core/kernel/tee_ta_manager.c | 10 +++++++--- + lib/libutee/include/user_ta_header.h | 8 +++++++- + ta/user_ta_header.c | 3 +++ + 3 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/core/kernel/tee_ta_manager.c b/core/kernel/tee_ta_manager.c +index e4740468873..75e55a8e475 100644 +--- a/core/kernel/tee_ta_manager.c ++++ b/core/kernel/tee_ta_manager.c +@@ -455,6 +455,7 @@ TEE_Result tee_ta_close_session(struct tee_ta_session *csess, + struct tee_ta_session *sess = NULL; + struct tee_ta_ctx *ctx = NULL; + struct ts_ctx *ts_ctx = NULL; ++ bool keep_crashed = false; + bool keep_alive = false; + + DMSG("csess 0x%" PRIxVA " id %u", +@@ -501,9 +502,12 @@ TEE_Result tee_ta_close_session(struct tee_ta_session *csess, + panic(); + + ctx->ref_count--; +- keep_alive = (ctx->flags & TA_FLAG_INSTANCE_KEEP_ALIVE) && +- (ctx->flags & TA_FLAG_SINGLE_INSTANCE); +- if (!ctx->ref_count && (ctx->panicked || !keep_alive)) { ++ if (ctx->flags & TA_FLAG_SINGLE_INSTANCE) ++ keep_alive = ctx->flags & TA_FLAG_INSTANCE_KEEP_ALIVE; ++ if (keep_alive) ++ keep_crashed = ctx->flags & TA_FLAG_INSTANCE_KEEP_CRASHED; ++ if (!ctx->ref_count && ++ ((ctx->panicked && !keep_crashed) || !keep_alive)) { + if (!ctx->is_releasing) { + TAILQ_REMOVE(&tee_ctxes, ctx, link); + ctx->is_releasing = true; +diff --git a/lib/libutee/include/user_ta_header.h b/lib/libutee/include/user_ta_header.h +index 0336c64b2f7..c5622982f2e 100644 +--- a/lib/libutee/include/user_ta_header.h ++++ b/lib/libutee/include/user_ta_header.h +@@ -52,8 +52,13 @@ + BIT32(11) + #define TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE \ + BIT32(12) /* with TEE_STORAGE_PRIVATE */ ++/* ++ * Don't restart a TA with TA_FLAG_INSTANCE_KEEP_ALIVE set if it has ++ * crashed. ++ */ ++#define TA_FLAG_INSTANCE_KEEP_CRASHED BIT32(13) + +-#define TA_FLAGS_MASK GENMASK_32(12, 0) ++#define TA_FLAGS_MASK GENMASK_32(13, 0) + + struct ta_head { + TEE_UUID uuid; +@@ -133,6 +138,7 @@ extern struct __elf_phdr_info __elf_phdr_info; + #define TA_PROP_STR_SINGLE_INSTANCE "gpd.ta.singleInstance" + #define TA_PROP_STR_MULTI_SESSION "gpd.ta.multiSession" + #define TA_PROP_STR_KEEP_ALIVE "gpd.ta.instanceKeepAlive" ++#define TA_PROP_STR_KEEP_CRASHED "optee.ta.instanceKeepCrashed" + #define TA_PROP_STR_DATA_SIZE "gpd.ta.dataSize" + #define TA_PROP_STR_STACK_SIZE "gpd.ta.stackSize" + #define TA_PROP_STR_VERSION "gpd.ta.version" +diff --git a/ta/user_ta_header.c b/ta/user_ta_header.c +index 3125af55c44..aa804c1efaa 100644 +--- a/ta/user_ta_header.c ++++ b/ta/user_ta_header.c +@@ -142,6 +142,9 @@ const struct user_ta_property ta_props[] = { + {TA_PROP_STR_KEEP_ALIVE, USER_TA_PROP_TYPE_BOOL, + &(const bool){(TA_FLAGS & TA_FLAG_INSTANCE_KEEP_ALIVE) != 0}}, + ++ {TA_PROP_STR_KEEP_CRASHED, USER_TA_PROP_TYPE_BOOL, ++ &(const bool){(TA_FLAGS & TA_FLAG_INSTANCE_KEEP_CRASHED) != 0}}, ++ + {TA_PROP_STR_DATA_SIZE, USER_TA_PROP_TYPE_U32, + &(const uint32_t){TA_DATA_SIZE}}, diff --git a/meta-arm/recipes-security/optee/optee-os_4.6.0.bb b/meta-arm/recipes-security/optee/optee-os_4.6.0.bb index c9a6b261..3e0eea20 100644 --- a/meta-arm/recipes-security/optee/optee-os_4.6.0.bb +++ b/meta-arm/recipes-security/optee/optee-os_4.6.0.bb @@ -7,5 +7,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" # v4.6.0 SRCREV = "71785645fa6ce42db40dbf5a54e0eaedc4f61591" SRC_URI += " \ - file://0003-optee-enable-clang-support.patch \ + file://0001-optee-enable-clang-support.patch \ + file://0002-Add-optee-ta-instanceKeepCrashed.patch \ "