diff options
author | Viswanath Kraleti <vkraleti@codeaurora.org> | 2016-03-03 19:28:26 +0530 |
---|---|---|
committer | Viswanath Kraleti <vkraleti@codeaurora.org> | 2016-03-18 22:58:24 +0530 |
commit | 0a278d1a4e6ec235071c80b89ac74f8f39ae3585 (patch) | |
tree | fddb854338a39482a39bf442a40cfc5e6ca3b548 | |
parent | 6be41318afa8d4b316831d961a411b910ee853dd (diff) | |
download | qcom-0a278d1a4e6ec235071c80b89ac74f8f39ae3585.tar.gz |
msm8916: Add HW backed keymaster v1 support
Install HW backed keymaster HAL binaries into dragonboard.
Add selinux rules to run qseecom daemon.
BUG=24675146
Change-Id: I73afdeb0a46540799a594e37f3cd5926e51ae334
Signed-off-by: Sourabh Banerjee <sbanerje@codeaurora.org>
-rw-r--r-- | soc/msm8916/init.msm8916.rc | 4 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/qseecom.rc | 34 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/device.te | 12 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/file_contexts | 9 | ||||
-rw-r--r-- | soc/msm8916/prebuilts/sepolicy/qseecomd.te | 91 | ||||
-rw-r--r-- | soc/msm8916/soc.mk | 29 |
6 files changed, 175 insertions, 4 deletions
diff --git a/soc/msm8916/init.msm8916.rc b/soc/msm8916/init.msm8916.rc index 7c06538..85460d6 100644 --- a/soc/msm8916/init.msm8916.rc +++ b/soc/msm8916/init.msm8916.rc @@ -32,3 +32,7 @@ on fs mount vfat /dev/block/platform/soc.0/7824900.sdhci/by-name/modem /firmware ro context=u:object_r:firmware_file:s0,shortname=lower,uid=1000,gid=1000,dmask=227,fmask=337 chown bluetooth net_bt_stack /dev/smd2 chown bluetooth net_bt_stack /dev/smd3 + chown system system /dev/ion + chown system drmrpc /dev/qseecom + chmod 0664 /dev/ion + chmod 0660 /dev/qseecom diff --git a/soc/msm8916/prebuilts/qseecom.rc b/soc/msm8916/prebuilts/qseecom.rc new file mode 100644 index 0000000..34131ba --- /dev/null +++ b/soc/msm8916/prebuilts/qseecom.rc @@ -0,0 +1,34 @@ +# Copyright (c) 2016, The Linux Foundation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of The Linux Foundation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +on post-fs + symlink /dev/block/mmcblk0p3 /dev/block/bootdevice/by-name/ssd + +service qseecomd /system/bin/qseecomd + class core + user root + group root diff --git a/soc/msm8916/prebuilts/sepolicy/device.te b/soc/msm8916/prebuilts/sepolicy/device.te index 8efe124..4d107f1 100644 --- a/soc/msm8916/prebuilts/sepolicy/device.te +++ b/soc/msm8916/prebuilts/sepolicy/device.te @@ -6,3 +6,15 @@ type modem_efs_partition_device, dev_type; type shared_log_device, dev_type; type smem_log_device, dev_type; type ssd_block_device, dev_type; +type rpmb_device, dev_type; +type sg_device, dev_type; +type data_qsee_file, file_type; +type persist_file, file_type; +type persist_data_file, file_type; +type persist_drm_file, file_type; +type ssd_device, dev_type; +type time_daemon, domain; +type qfp-daemon_data_file, file_type, data_file_type; +type mdtp_device, dev_type; +type dip_device, dev_type; +type qce_device, dev_type; diff --git a/soc/msm8916/prebuilts/sepolicy/file_contexts b/soc/msm8916/prebuilts/sepolicy/file_contexts index 20e8ff4..79c9f0a 100644 --- a/soc/msm8916/prebuilts/sepolicy/file_contexts +++ b/soc/msm8916/prebuilts/sepolicy/file_contexts @@ -1,18 +1,24 @@ -# Qualcomm daemons for audio +# Daemons for audio /system/bin/qmuxd u:object_r:qmux_exec:s0 /system/bin/rmt_storage u:object_r:rmt_exec:s0 +# Daemon for TEE +/system/bin/qseecomd u:object_r:tee_exec:s0 + # Files and symlinks used by qmuxd and rmt_storage. /dev/block/mmcblk0p1 u:object_r:modem_efs_partition_device:s0 /dev/block/mmcblk0p12 u:object_r:modem_efs_partition_device:s0 /dev/block/mmcblk0p13 u:object_r:modem_efs_partition_device:s0 /dev/block/mmcblk0p15 u:object_r:modem_efs_partition_device:s0 /dev/block/mmcblk0p2 u:object_r:modem_efs_partition_device:s0 +/dev/block/mmcblk0p3 u:object_r:modem_efs_partition_device:s0 /dev/block/bootdevice/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 /dev/block/bootdevice/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 /dev/block/bootdevice/by-name/fsg u:object_r:modem_efs_partition_device:s0 /dev/block/bootdevice/by-name/fsc u:object_r:modem_efs_partition_device:s0 +/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0 + /data/misc/modem_config(/.*)? u:object_r:modem_config_file:s0 /dev/block/mmcblk0 u:object_r:mmc_block_device:s0 @@ -27,3 +33,4 @@ /dev/mhi_pipe_.* u:object_r:mhi_device:s0 /dev/diag u:object_r:diag_device:s0 /dev/smem_log u:object_r:smem_log_device:s0 +/dev/qseecom u:object_r:tee_device:s0 diff --git a/soc/msm8916/prebuilts/sepolicy/qseecomd.te b/soc/msm8916/prebuilts/sepolicy/qseecomd.te new file mode 100644 index 0000000..ef10f51 --- /dev/null +++ b/soc/msm8916/prebuilts/sepolicy/qseecomd.te @@ -0,0 +1,91 @@ +# Tee starts as root, and drops privileges +allow tee self:capability { + setuid + setgid + sys_admin + chown + sys_rawio +}; + +# Need to directly manipulate certain block devices +# for anti-rollback feature +allow tee modem_efs_partition_device:blk_file rw_file_perms; + +allow tee block_device:dir r_dir_perms; +allow tee rpmb_device:blk_file rw_file_perms; + +# Need to figure out how many scsi generic devices are preset +# before being able to identify which one is rpmb device +allow tee device:dir r_dir_perms; +allow tee sg_device:chr_file { rw_file_perms setattr }; + +# Allow qseecom to qsee folder so that listeners can create +# respective directories +allow tee data_qsee_file:dir create_dir_perms; +allow tee data_qsee_file:file create_file_perms; +allow tee system_data_file:dir r_dir_perms; + +allow tee persist_file:dir r_dir_perms; +r_dir_file(tee, persist_data_file) + +# Write to drm related pieces of persist partition +allow tee persist_drm_file:dir create_dir_perms; +allow tee persist_drm_file:file create_file_perms; + +# Provide tee access to ssd partition for HW FDE +allow tee ssd_device:blk_file rw_file_perms; + +# Allow tee to operate tee device +allow tee tee_device:chr_file rw_file_perms; + +# Allow tee to load firmware images +r_dir_file(tee, firmware_file) + +# Allow qseecom access to time domain +allow tee time_daemon:unix_stream_socket connectto; + +# Allow tee access for secure UI to work +allow tee graphics_device:dir r_dir_perms; +allow tee graphics_device:chr_file r_file_perms; + +binder_use(tee) + +allow tee system_app:unix_dgram_socket sendto; +unix_socket_connect(tee, property, init) + +# Allow qseecom access to set system property +allow tee system_prop:property_service set; + +userdebug_or_eng(` + allow tee su:unix_dgram_socket sendto; +') + +# Allow qseecom access to set system property +allow tee system_prop:property_service set; + +# Allow access to qfp-daemon +allow tee qfp-daemon_data_file:dir create_dir_perms; +allow tee qfp-daemon_data_file:file create_file_perms; + +# Provide access to block devices for MDTP +allow tee mdtp_device:blk_file rw_file_perms; +allow tee dip_device:blk_file rw_file_perms; +allow tee system_block_device:blk_file r_file_perms; + +# Provide access to QC Crypto driver for MDTP +allow tee qce_device:chr_file rw_file_perms; + +# Provide access to /data/misc/qsee/mdtp for MDTP temp files +allow tee data_qsee_file:dir create_dir_perms; +allow tee data_qsee_file:{ file fifo_file } create_file_perms; + +# Provide read access to all /system files for MDTP file-to-block-mapping +r_dir_file(tee, exec_type) +r_dir_file(tee, system_file) + +# Provide tee ability to access QMUXD/IPCRouter for QMI +qmux_socket(tee) +allow tee self:socket create_socket_perms; + +# Provide tee ability to run executables in rootfs for MDTP +allow tee rootfs:file x_file_perms; diff --git a/soc/msm8916/soc.mk b/soc/msm8916/soc.mk index da282e9..4e4915e 100644 --- a/soc/msm8916/soc.mk +++ b/soc/msm8916/soc.mk @@ -53,7 +53,7 @@ $(call add_kernel_configs, $(realpath $(LOCAL_PATH)/soc.kconf)) DEVICE_PACKAGES += \ keystore.default -# Include Qualcomm Bool Control HAL. +# Include Bool Control HAL. DEVICE_PACKAGES += \ bootctrl.msm8916 @@ -73,11 +73,11 @@ MM_AUDIO_ENABLED_FTM := true MM_AUDIO_ENABLED_SAFX := true TARGET_USES_QCOM_MM_AUDIO := true -# Include Qualcomm Audio HAL implementation. +# Include Audio HAL implementation. DEVICE_PACKAGES += \ audio.primary.msm8916 -# Include Qualcomm Lights HAL implementation. +# Include Lights HAL implementation. DEVICE_PACKAGES += \ lights.msm8916 \ @@ -92,6 +92,10 @@ PRODUCT_COPY_FILES += \ PRODUCT_COPY_FILES += \ $(LOCAL_PATH)/prebuilts/audio.rc:system/etc/init/audio.rc \ +# Include prebuilts to support keymaster. +PRODUCT_COPY_FILES += \ + $(LOCAL_PATH)/prebuilts/qseecom.rc:system/etc/init/qseecom.rc \ + PRODUCT_LIBRARY_PATH := $(TOP)/vendor/bsp/qcom/device/dragonboard/linux_410c_board_support_package_LA.BR.1.2.4_rb1.10 # Audio daemons. @@ -120,3 +124,22 @@ PRODUCT_COPY_FILES += \ $(PRODUCT_LIBRARY_PATH)/lib/libbtnv.so:/system/lib/libbtnv.so \ $(PRODUCT_LIBRARY_PATH)/lib/libbt-vendor.so:/system/lib/libbt-vendor.so \ +# QSEE libs. +PRODUCT_COPY_FILES += \ + $(PRODUCT_LIBRARY_PATH)/lib/libQSEEComAPI.so:/system/lib/libQSEEComAPI.so \ + $(PRODUCT_LIBRARY_PATH)/lib/libQSEEComAPIStaticHelper.so:/system/lib/libQSEEComAPIStaticHelper.so \ + $(PRODUCT_LIBRARY_PATH)/lib/librpmb.so:/system/lib/librpmb.so \ + $(PRODUCT_LIBRARY_PATH)/lib/librpmbStaticHelper.so:/system/lib/librpmbStaticHelper.so \ + $(PRODUCT_LIBRARY_PATH)/lib/libssd.so:/system/lib/libssd.so \ + $(PRODUCT_LIBRARY_PATH)/lib/libssdStaticHelper.so:/system/lib/libssdStaticHelper.so \ + $(PRODUCT_LIBRARY_PATH)/lib/libdrmfs.so:/system/lib/libdrmfs.so \ + $(PRODUCT_LIBRARY_PATH)/lib/libdrmtime.so:/system/lib/libdrmtime.so \ + +# QSEECom daemons. +PRODUCT_COPY_FILES += \ + $(PRODUCT_LIBRARY_PATH)/bin/qseecomd:/system/bin/qseecomd \ + $(PRODUCT_LIBRARY_PATH)/bin/qseecomd_static:/system/bin/qseecomd_static \ + +# Include keystore library. +PRODUCT_COPY_FILES += \ + $(PRODUCT_LIBRARY_PATH)/lib/hw/keystore.msm8916.so:/system/lib/hw/keystore.msm8916.so |