OP-TEE TEE侧存储实现深度分析
本文档深入分析OP-TEE在TEE侧的存储实现,包括系统调用接口、对象管理、状态机、安全机制和性能优化等核心技术。存储服务架构概览
层次化架构设计
Copy
┌─────────────────────────────────────────────────────────────┐
│ GP Internal API Layer │ ← TA应用层接口
│ TEE_CreatePersistentObject, TEE_ReadObjectData, etc. │
├─────────────────────────────────────────────────────────────┤
│ Storage Service Syscalls │ ← 系统调用层
│ syscall_storage_obj_*, syscall_storage_enum_* │
├─────────────────────────────────────────────────────────────┤
│ Object Management Layer │ ← 对象管理层
│ tee_obj (handles), tee_pobj (persistent objects) │
├─────────────────────────────────────────────────────────────┤
│ File System Abstraction │ ← 文件系统抽象
│ tee_file_operations (策略模式实现) │
├─────────────────────────────────────────────────────────────┤
│ Storage Backend Layer │ ← 具体后端实现
│ REE FS (tee_ree_fs.c), RPMB FS (tee_rpmb_fs.c) │
└─────────────────────────────────────────────────────────────┘
核心数据结构深度分析
1. 存储系统调用接口实现 (tee_svc_storage.c)
系统调用状态机设计
存储系统调用实现了复杂的状态管理机制,确保操作的原子性和一致性:Copy
// 对象状态枚举
enum obj_state {
OBJ_STATE_UNINITIALIZED, // 未初始化状态
OBJ_STATE_OPEN_READ, // 只读打开状态
OBJ_STATE_OPEN_WRITE, // 读写打开状态
OBJ_STATE_CREATING, // 创建中状态
OBJ_STATE_CORRUPT, // 损坏状态
OBJ_STATE_CLOSED, // 已关闭状态
};
// 状态转换验证
static bool is_valid_state_transition(enum obj_state from, enum obj_state to)
{
switch (from) {
case OBJ_STATE_UNINITIALIZED:
return (to == OBJ_STATE_OPEN_READ || to == OBJ_STATE_OPEN_WRITE ||
to == OBJ_STATE_CREATING);
case OBJ_STATE_CREATING:
return (to == OBJ_STATE_OPEN_WRITE || to == OBJ_STATE_CORRUPT);
case OBJ_STATE_OPEN_READ:
case OBJ_STATE_OPEN_WRITE:
return (to == OBJ_STATE_CLOSED || to == OBJ_STATE_CORRUPT);
default:
return false;
}
}
高级对象操作系统调用实现
Copy
// 复杂的对象创建系统调用实现
static TEE_Result syscall_storage_obj_create(unsigned long storage_id,
void *object_id, size_t object_id_len,
unsigned long flags, unsigned long attr,
void *data, size_t len, uint32_t *obj)
{
TEE_Result res;
struct tee_ta_session *sess;
struct tee_obj *o = NULL;
struct tee_pobj *po = NULL;
void *attr_ptr = NULL;
const struct tee_file_operations *fops;
struct tee_file_handle *fh = NULL;
struct tee_svc_storage_head head;
char *obj_id_str = NULL;
// 1. 参数验证阶段
res = tee_ta_get_current_session(&sess);
if (res != TEE_SUCCESS)
return res;
if (!object_id || !object_id_len || object_id_len > TEE_OBJECT_ID_MAX_LEN)
return TEE_ERROR_BAD_PARAMETERS;
// 2. 存储后端选择
fops = tee_svc_storage_file_ops(storage_id);
if (!fops)
return TEE_ERROR_ITEM_NOT_FOUND;
// 3. 对象ID安全检查和字符串化
res = tee_svc_copy_from_user(&obj_id_str, object_id, object_id_len);
if (res != TEE_SUCCESS)
return res;
// 4. 持久化对象获取或创建
res = tee_pobj_get(&sess->ctx->uuid, obj_id_str, object_id_len,
TEE_POBJ_USAGE_CREATE, fops, &po);
if (res != TEE_SUCCESS)
goto exit;
// 5. 并发创建检查
if (po->creating) {
res = TEE_ERROR_ACCESS_CONFLICT;
goto exit;
}
po->creating = true;
// 6. 瞬态对象创建和初始化
res = tee_obj_alloc(&sess->ctx->uuid, &o);
if (res != TEE_SUCCESS)
goto exit;
// 7. GP文件头构建
init_store_head(&head, attr, len, 0);
// 8. 属性序列化处理
if (attr) {
res = tee_svc_cryp_obj_populate_type(o, attr, obj_id_str, object_id_len);
if (res != TEE_SUCCESS)
goto exit;
res = pack_attrs(o, &attr_ptr, &head.attr_size);
if (res != TEE_SUCCESS)
goto exit;
}
// 9. 后端文件创建调用
res = fops->create(po, true, &head, sizeof(head),
attr_ptr, head.attr_size, data, NULL, len, &fh);
if (res != TEE_SUCCESS)
goto exit;
// 10. 对象关联和状态设置
o->pobj = po;
po->refcnt++;
o->info.objectType = head.objectType;
o->info.objectSize = head.objectSize;
o->info.objectUsage = head.objectUsage;
o->fh = fh;
o->obj_state = OBJ_STATE_OPEN_WRITE;
// 11. 创建完成标记
tee_pobj_create_final(po);
// 12. 返回对象句柄
*obj = tee_svc_obj_to_handle(o);
exit:
if (res != TEE_SUCCESS) {
if (po) {
po->creating = false;
tee_pobj_release(po);
}
if (o)
tee_obj_free(o);
if (fh)
fops->close(&fh);
}
free(attr_ptr);
free(obj_id_str);
return res;
}
高效对象枚举系统实现
Copy
// 枚举器状态结构
struct tee_obj_enum {
struct tee_fs_dir *dir; // 目录句柄
const struct tee_file_operations *fops; // 文件操作接口
TEE_UUID uuid; // TA UUID
uint32_t storage_id; // 存储ID
size_t index; // 当前索引
bool started; // 是否已开始
};
// 高性能枚举实现
static TEE_Result syscall_storage_next_enum(unsigned long obj_enum_id,
struct utee_object_info *info,
void *obj_id, uint64_t *len)
{
TEE_Result res;
struct tee_obj_enum *oe;
struct tee_fs_dirent *dirent;
struct tee_file_handle *fh = NULL;
struct tee_svc_storage_head head;
struct tee_pobj *po = NULL;
size_t head_size = sizeof(head);
// 1. 枚举器验证
res = tee_svc_storage_get_enum(obj_enum_id, &oe);
if (res != TEE_SUCCESS)
return res;
if (!oe->started)
return TEE_ERROR_GENERIC;
// 2. 读取下一个目录项
res = oe->fops->readdir(oe->dir, &dirent);
if (res != TEE_SUCCESS) {
if (res == TEE_ERROR_ITEM_NOT_FOUND)
return TEE_ERROR_ITEM_NOT_FOUND; // 枚举结束
return res;
}
// 3. 构建临时持久化对象
res = tee_pobj_get(&oe->uuid, dirent->d_name, strlen(dirent->d_name),
TEE_POBJ_USAGE_ENUM, oe->fops, &po);
if (res != TEE_SUCCESS)
return res;
// 4. 打开文件并读取头部
res = oe->fops->open(po, NULL, &fh);
if (res != TEE_SUCCESS)
goto exit;
res = oe->fops->read(fh, 0, &head, NULL, &head_size);
if (res != TEE_SUCCESS || head_size != sizeof(head))
goto exit;
// 5. 验证头部格式
if (head.magic != TEE_SVC_STORAGE_MAGIC) {
res = TEE_ERROR_CORRUPT_OBJECT;
goto exit;
}
// 6. 填充对象信息
if (info) {
info->objectType = head.objectType;
info->objectSize = head.objectSize;
info->objectUsage = head.objectUsage;
info->dataSize = head.objectSize;
info->dataPosition = 0;
info->handleFlags = 0;
}
// 7. 返回对象ID
if (obj_id && len) {
size_t obj_id_len = strlen(dirent->d_name);
if (*len < obj_id_len) {
*len = obj_id_len;
res = TEE_ERROR_SHORT_BUFFER;
goto exit;
}
res = copy_to_user(obj_id, dirent->d_name, obj_id_len);
if (res != TEE_SUCCESS)
goto exit;
*len = obj_id_len;
}
exit:
if (fh)
oe->fops->close(&fh);
if (po)
tee_pobj_release(po);
return res;
}
数据流操作
Copy
// I/O系统调用
TEE_Result syscall_storage_obj_read(unsigned long obj, void *data, size_t len,
uint64_t *count);
TEE_Result syscall_storage_obj_write(unsigned long obj, void *data, size_t len);
TEE_Result syscall_storage_obj_trunc(unsigned long obj, size_t len);
TEE_Result syscall_storage_obj_seek(unsigned long obj, int32_t offset,
unsigned long whence);
2. 高级文件系统抽象层设计 (tee_fs.h)
文件操作接口的策略模式实现
Copy
// 完整的文件操作接口定义
struct tee_file_operations {
// === 对象生命周期管理 ===
// 打开现有对象,返回文件大小和句柄
TEE_Result (*open)(struct tee_pobj *po, size_t *size,
struct tee_file_handle **fh);
// 复杂的对象创建操作,支持原子写入
TEE_Result (*create)(struct tee_pobj *po, bool overwrite,
const void *head, size_t head_size, // GP文件头
const void *attr, size_t attr_size, // 序列化属性
const void *data_core, const void *data_user, // 数据
size_t data_size, struct tee_file_handle **fh);
// 关闭文件并释放资源
void (*close)(struct tee_file_handle **fh);
// 安全删除对象(支持原子性)
TEE_Result (*remove)(struct tee_pobj *po);
// === 高效数据操作 ===
// 支持内核和用户空间的零拷贝读取
TEE_Result (*read)(struct tee_file_handle *fh, size_t pos,
void *buf_core, void *buf_user, size_t *len);
// 支持写时复制的高效写入
TEE_Result (*write)(struct tee_file_handle *fh, size_t pos,
const void *buf_core, const void *buf_user, size_t len);
// 原子性的文件截断操作
TEE_Result (*truncate)(struct tee_file_handle *fh, size_t size);
// === 对象管理操作 ===
// 原子性的对象重命名
TEE_Result (*rename)(struct tee_pobj *old_po, struct tee_pobj *new_po,
bool overwrite);
// === 目录枚举操作 ===
// 打开TA的存储目录
TEE_Result (*opendir)(const TEE_UUID *uuid, struct tee_fs_dir **d);
// 高效的目录项读取
TEE_Result (*readdir)(struct tee_fs_dir *d, struct tee_fs_dirent **ent);
// 关闭目录并清理资源
void (*closedir)(struct tee_fs_dir *d);
// === 扩展功能 ===
// 对象存在性检查(可选)
TEE_Result (*exists)(struct tee_pobj *po, bool *exists);
// 获取对象的元数据信息(可选)
TEE_Result (*get_info)(struct tee_pobj *po, struct tee_fs_file_info *info);
};
// 文件句柄结构
struct tee_file_handle {
const struct tee_file_operations *ops; // 操作接口指针
void *private_data; // 后端私有数据
struct mutex lock; // 文件级锁
uint32_t flags; // 文件标志
size_t pos; // 当前文件位置
struct tee_pobj *pobj; // 关联的持久化对象
};
智能存储后端选择算法
Copy
// 存储后端能力描述
struct storage_backend_caps {
bool available; // 后端是否可用
size_t max_file_size; // 最大文件大小
size_t total_capacity; // 总容量
size_t free_space; // 可用空间
uint32_t security_level; // 安全级别 (1-5)
uint32_t performance_rating; // 性能评级 (1-5)
bool supports_atomic_ops; // 是否支持原子操作
bool supports_encryption; // 是否支持加密
};
// 运行时后端能力检测
static TEE_Result probe_backend_capabilities(uint32_t storage_id,
struct storage_backend_caps *caps)
{
const struct tee_file_operations *ops;
memset(caps, 0, sizeof(*caps));
switch (storage_id) {
case TEE_STORAGE_PRIVATE_REE:
#ifdef CFG_REE_FS
ops = &ree_fs_ops;
caps->available = true;
caps->max_file_size = REE_FS_MAX_FILE_SIZE;
caps->total_capacity = get_ree_fs_total_space();
caps->free_space = get_ree_fs_free_space();
caps->security_level = 3; // 软件加密
caps->performance_rating = 5; // 高性能
caps->supports_atomic_ops = true;
caps->supports_encryption = true;
#endif
break;
case TEE_STORAGE_PRIVATE_RPMB:
#ifdef CFG_RPMB_FS
ops = &rpmb_fs_ops;
caps->available = is_rpmb_available();
caps->max_file_size = RPMB_FS_MAX_FILE_SIZE;
caps->total_capacity = get_rpmb_total_size();
caps->free_space = get_rpmb_free_space();
caps->security_level = 5; // 硬件保护
caps->performance_rating = 2; // 较低性能
caps->supports_atomic_ops = true;
caps->supports_encryption = true;
#endif
break;
default:
return TEE_ERROR_NOT_SUPPORTED;
}
return caps->available ? TEE_SUCCESS : TEE_ERROR_ITEM_NOT_FOUND;
}
// 高级后端选择算法
static const struct tee_file_operations *
tee_svc_storage_file_ops(uint32_t storage_id)
{
struct storage_backend_caps caps;
TEE_Result res;
// 显式指定后端的情况
if (storage_id == TEE_STORAGE_PRIVATE_REE) {
#ifdef CFG_REE_FS
res = probe_backend_capabilities(storage_id, &caps);
return (res == TEE_SUCCESS) ? &ree_fs_ops : NULL;
#else
return NULL;
#endif
}
if (storage_id == TEE_STORAGE_PRIVATE_RPMB) {
#ifdef CFG_RPMB_FS
res = probe_backend_capabilities(storage_id, &caps);
return (res == TEE_SUCCESS) ? &rpmb_fs_ops : NULL;
#else
return NULL;
#endif
}
// TEE_STORAGE_PRIVATE - 智能选择最佳后端
if (storage_id == TEE_STORAGE_PRIVATE) {
struct storage_backend_caps ree_caps, rpmb_caps;
bool ree_ok = false, rpmb_ok = false;
#ifdef CFG_REE_FS
ree_ok = (probe_backend_capabilities(TEE_STORAGE_PRIVATE_REE, &ree_caps) == TEE_SUCCESS);
#endif
#ifdef CFG_RPMB_FS
rpmb_ok = (probe_backend_capabilities(TEE_STORAGE_PRIVATE_RPMB, &rpmb_caps) == TEE_SUCCESS);
#endif
// 选择策略:优先考虑可用性,其次考虑性能
if (ree_ok && (!rpmb_ok || ree_caps.performance_rating >= rpmb_caps.performance_rating)) {
return &ree_fs_ops;
} else if (rpmb_ok) {
return &rpmb_fs_ops;
}
}
return NULL;
}
3. 高级持久化对象管理系统 (tee_pobj.h)
复杂的对象结构和生命周期管理
Copy
// 持久化对象的完整结构定义
struct tee_pobj {
// === 链表管理 ===
TAILQ_ENTRY(tee_pobj) link; // 全局对象链表节点
// === 引用计数和生命周期 ===
uint32_t refcnt; // 原子引用计数
struct mutex refcnt_mutex; // 引用计数保护锁
// === 身份标识 ===
TEE_UUID uuid; // 所属TA的UUID
void *obj_id; // 对象唯一标识符
uint32_t obj_id_len; // 标识符长度
uint32_t obj_id_hash; // 标识符的哈希值(加速查找)
// === 访问控制 ===
uint32_t flags; // 访问权限标志位图
uint32_t obj_info_usage; // 当前使用状态
struct mutex access_mutex; // 访问控制互斥锁
// === 状态管理 ===
bool temporary; // 是否为临时对象
volatile bool creating; // 原子创建状态标志
volatile bool deleting; // 原子删除状态标志
uint64_t creation_time; // 创建时间戳
uint64_t last_access_time; // 最后访问时间
// === 后端接口 ===
const struct tee_file_operations *fops; // 文件操作接口指针
// === 统计信息 ===
uint64_t read_count; // 读取次数
uint64_t write_count; // 写入次数
uint64_t total_bytes_read; // 总读取字节数
uint64_t total_bytes_written; // 总写入字节数
};
// 对象状态转换函数
static inline bool tee_pobj_is_creating(const struct tee_pobj *po)
{
return po->creating;
}
static inline bool tee_pobj_is_deleting(const struct tee_pobj *po)
{
return po->deleting;
}
static inline bool tee_pobj_is_busy(const struct tee_pobj *po)
{
return po->creating || po->deleting;
}
高级对象使用状态管理
Copy
// 扩展的对象使用类型定义
enum tee_pobj_usage {
TEE_POBJ_USAGE_OPEN = BIT(0), // 打开操作
TEE_POBJ_USAGE_RENAME = BIT(1), // 重命名操作
TEE_POBJ_USAGE_CREATE = BIT(2), // 创建操作
TEE_POBJ_USAGE_ENUM = BIT(3), // 枚举操作
TEE_POBJ_USAGE_DELETE = BIT(4), // 删除操作
TEE_POBJ_USAGE_TRUNCATE = BIT(5), // 截断操作
TEE_POBJ_USAGE_READ_META = BIT(6), // 读取元数据
TEE_POBJ_USAGE_WRITE_META = BIT(7), // 写入元数据
};
// 使用状态冲突检测矩阵
static const bool usage_conflict_matrix[8][8] = {
// OPEN REN CRT ENUM DEL TRUNC META_R META_W
/* OPEN */ {0, 0, 1, 0, 1, 0, 0, 1 },
/* RENAME */ {0, 1, 1, 0, 1, 1, 0, 1 },
/* CREATE */ {1, 1, 1, 0, 1, 1, 1, 1 },
/* ENUM */ {0, 0, 0, 0, 0, 0, 0, 0 },
/* DELETE */ {1, 1, 1, 0, 1, 1, 1, 1 },
/* TRUNC */ {0, 1, 1, 0, 1, 1, 0, 1 },
/* META_R */ {0, 0, 1, 0, 1, 0, 0, 1 },
/* META_W */ {1, 1, 1, 0, 1, 1, 1, 1 },
};
// 高级使用冲突检测算法
static TEE_Result check_usage_conflict(uint32_t current_usage, uint32_t new_usage)
{
for (int i = 0; i < 8; i++) {
if (!(current_usage & BIT(i)))
continue;
for (int j = 0; j < 8; j++) {
if ((new_usage & BIT(j)) && usage_conflict_matrix[i][j]) {
EMSG("Usage conflict: current=0x%x, new=0x%x", current_usage, new_usage);
return TEE_ERROR_ACCESS_CONFLICT;
}
}
}
return TEE_SUCCESS;
}
// 原子性使用状态更新
static TEE_Result tee_pobj_set_usage(struct tee_pobj *po, uint32_t usage)
{
TEE_Result res;
mutex_lock(&po->access_mutex);
// 检查冲突
res = check_usage_conflict(po->obj_info_usage, usage);
if (res != TEE_SUCCESS)
goto exit;
// 更新使用状态
po->obj_info_usage |= usage;
po->last_access_time = get_current_time();
exit:
mutex_unlock(&po->access_mutex);
return res;
}
static void tee_pobj_clear_usage(struct tee_pobj *po, uint32_t usage)
{
mutex_lock(&po->access_mutex);
po->obj_info_usage &= ~usage;
mutex_unlock(&po->access_mutex);
}
GP标准存储文件格式深度分析
详细的GP标准文件头结构
Copy
// 完整的GP存储文件头定义
struct tee_svc_storage_head {
// === 文件头基本信息 ===
uint32_t magic; // 魔数: 0x53544F52 ("STOR")
uint32_t head_size; // 文件头大小(版本对应)
uint32_t version; // 文件格式版本
uint32_t flags; // 文件级标志
// === 对象属性信息 ===
uint32_t objectType; // 对象类型 (TEE_TYPE_*)
uint32_t objectSize; // 当前对象数据大小
uint32_t maxObjectSize; // 最大允许的对象大小
uint32_t objectUsage; // 对象用途标志 (TEE_USAGE_*)
uint32_t keySize; // 密钥大小(仅密钥对象)
uint32_t maxKeySize; // 最大密钥大小
// === 属性管理 ===
uint32_t have_attrs; // 属性存在位图
uint32_t attr_size; // 序列化属性的总大小
uint32_t num_attrs; // 属性数量
// === 安全信息 ===
uint8_t encrypted_fek[TEE_FS_KM_FEK_SIZE]; // 加密的文件加密密钥
uint8_t file_iv[TEE_AES_BLOCK_SIZE]; // 文件初始化向量
uint8_t integrity_hash[TEE_SHA256_HASH_SIZE]; // 整体完整性哈希
// === 时间戳和版本信息 ===
uint64_t creation_time; // 创建时间戳
uint64_t modification_time; // 最后修改时间
uint32_t version_counter; // 版本计数器(防重放)
// === 填充和校验 ===
uint32_t checksum; // 文件头校验和
uint8_t reserved[16]; // 保留空间(用于未来扩展)
};
#define TEE_SVC_STORAGE_MAGIC 0x53544F52 // "STOR"
#define TEE_SVC_STORAGE_VERSION 2 // 当前版本
// 文件头校验和计算
static uint32_t calculate_head_checksum(const struct tee_svc_storage_head *head)
{
uint32_t checksum = 0;
const uint32_t *words = (const uint32_t *)head;
size_t num_words = (sizeof(*head) - sizeof(head->checksum)) / sizeof(uint32_t);
for (size_t i = 0; i < num_words; i++) {
checksum ^= words[i];
}
return checksum;
}
// 文件头验证函数
static TEE_Result validate_storage_head(const struct tee_svc_storage_head *head)
{
// 1. 魔数验证
if (head->magic != TEE_SVC_STORAGE_MAGIC) {
EMSG("Invalid magic: 0x%x", head->magic);
return TEE_ERROR_CORRUPT_OBJECT;
}
// 2. 版本兼容性检查
if (head->version > TEE_SVC_STORAGE_VERSION) {
EMSG("Unsupported version: %u", head->version);
return TEE_ERROR_NOT_SUPPORTED;
}
// 3. 头部大小验证
if (head->head_size < sizeof(*head) || head->head_size > MAX_HEAD_SIZE) {
EMSG("Invalid head size: %u", head->head_size);
return TEE_ERROR_CORRUPT_OBJECT;
}
// 4. 校验和验证
uint32_t calculated_checksum = calculate_head_checksum(head);
if (calculated_checksum != head->checksum) {
EMSG("Checksum mismatch: calc=0x%x, stored=0x%x",
calculated_checksum, head->checksum);
return TEE_ERROR_CORRUPT_OBJECT;
}
// 5. 对象大小合理性检查
if (head->objectSize > head->maxObjectSize) {
EMSG("Object size %u exceeds max %u", head->objectSize, head->maxObjectSize);
return TEE_ERROR_CORRUPT_OBJECT;
}
return TEE_SUCCESS;
}
详细的文件结构布局分析
Copy
┌───────────────────────────────────────────────────────────┐
│ Storage Head (~192 bytes) │ ← 扩展的GP文件头
│ 魔数 | 版本 | 标志 | 对象类型 | 大小 | 用途 | 加密信息 │
├───────────────────────────────────────────────────────────┤
│ Serialized Attributes │ ← 序列化属性数据
│ 属性ID | 类型 | 长度 | 数据 | 属性ID | 类型 | 长度 | 数据 │ (可变长度)
├───────────────────────────────────────────────────────────┤
│ Object Data Payload │ ← 实际对象数据
│ 加密后的用户数据,按块管理,支持随机访问 │ (可变长度)
│ 块大小: 4KB, AES-GCM加密, ESSIV模式 │
├───────────────────────────────────────────────────────────┤
│ Hash Tree Metadata │ ← 完整性保护
│ 树结构元数据,用于快速完整性验证和损坏检测 │ (可选)
└───────────────────────────────────────────────────────────┘
属性序列化格式详解
Copy
// 属性序列化头部
struct attr_section_header {
uint32_t magic; // 属性段魔数: 0x41545452 ("ATTR")
uint32_t total_size; // 整个属性段大小
uint32_t num_attrs; // 属性数量
uint32_t checksum; // 属性段数据校验和
};
// 单个属性序列化格式
struct tee_obj_attr_packed {
uint32_t attr_id; // GP属性ID (TEE_ATTR_*)
uint32_t attr_type; // 属性类型 (ATTR_TYPE_*)
union {
// 缓冲区类型属性
struct {
uint32_t len; // 数据长度
uint8_t data[]; // 实际数据
} buffer;
// 数值类型属性
struct {
uint32_t value_a; // 值 A
uint32_t value_b; // 值 B
} value;
// 大整数类型属性
struct {
uint32_t sign; // 符号位
uint32_t len; // 数据长度
uint8_t data[]; // 大数据
} bigint;
};
};
// 属性序列化函数
static TEE_Result pack_attributes(const struct tee_obj *obj,
uint8_t **packed_attrs, size_t *packed_size)
{
size_t total_size = sizeof(struct attr_section_header);
uint8_t *buffer = NULL;
size_t offset = 0;
// 1. 计算总大小
for (size_t i = 0; i < obj->attr_count; i++) {
total_size += calculate_attr_packed_size(&obj->attrs[i]);
}
// 2. 分配缓冲区
buffer = malloc(total_size);
if (!buffer)
return TEE_ERROR_OUT_OF_MEMORY;
// 3. 序列化头部
struct attr_section_header *header = (struct attr_section_header *)buffer;
header->magic = 0x41545452; // "ATTR"
header->total_size = total_size;
header->num_attrs = obj->attr_count;
offset += sizeof(*header);
// 4. 序列化每个属性
for (size_t i = 0; i < obj->attr_count; i++) {
TEE_Result res = pack_single_attribute(&obj->attrs[i],
buffer + offset,
total_size - offset);
if (res != TEE_SUCCESS) {
free(buffer);
return res;
}
offset += get_packed_attr_size(&obj->attrs[i]);
}
// 5. 计算校验和
header->checksum = calculate_checksum(buffer + sizeof(header->checksum),
total_size - sizeof(header->checksum));
*packed_attrs = buffer;
*packed_size = total_size;
return TEE_SUCCESS;
}
## 高级安全机制和攻击防护
### 1. 多层次对象隔离与访问控制
#### TA级别安全隔离
```c
// TA UUID的安全验证和隔离机制
static TEE_Result validate_ta_access(const TEE_UUID *requesting_uuid,
const TEE_UUID *object_uuid)
{
// 1. UUID有效性检查
if (!requesting_uuid || !object_uuid) {
EMSG("Invalid UUID pointers");
return TEE_ERROR_BAD_PARAMETERS;
}
// 2. 空 UUID检查(安全威胁)
if (is_uuid_nil(requesting_uuid) || is_uuid_nil(object_uuid)) {
EMSG("Nil UUID access attempt detected");
return TEE_ERROR_SECURITY;
}
// 3. 严格的UUID匹配
if (memcmp(requesting_uuid, object_uuid, sizeof(TEE_UUID)) != 0) {
EMSG("Cross-TA access attempt: req=%pUb, obj=%pUb",
requesting_uuid, object_uuid);
return TEE_ERROR_ACCESS_DENIED;
}
// 4. TA签名验证(高级安全梡式)
#ifdef CFG_TA_SIGNATURE_VERIFICATION
return verify_ta_signature(requesting_uuid);
#endif
return TEE_SUCCESS;
}
// 对象ID的安全验证
static TEE_Result validate_object_id(const void *obj_id, size_t obj_id_len)
{
// 1. 参数基本校验
if (!obj_id || obj_id_len == 0) {
return TEE_ERROR_BAD_PARAMETERS;
}
// 2. 长度限制检查
if (obj_id_len > TEE_OBJECT_ID_MAX_LEN) {
EMSG("Object ID too long: %zu > %d", obj_id_len, TEE_OBJECT_ID_MAX_LEN);
return TEE_ERROR_BAD_PARAMETERS;
}
// 3. 字符合法性检查
const uint8_t *id_bytes = (const uint8_t *)obj_id;
for (size_t i = 0; i < obj_id_len; i++) {
// 禁止控制字符和不可打印字符
if (id_bytes[i] < 0x20 || id_bytes[i] > 0x7E) {
EMSG("Invalid character in object ID at position %zu: 0x%02x", i, id_bytes[i]);
return TEE_ERROR_BAD_PARAMETERS;
}
}
// 4. 路径遍历攻击防护
if (strstr((const char *)obj_id, "..") ||
strstr((const char *)obj_id, "/") ||
strstr((const char *)obj_id, "\\")) {
EMSG("Path traversal attempt detected in object ID");
return TEE_ERROR_SECURITY;
}
return TEE_SUCCESS;
}
### 2. 高级并发控制和死锁预防
#### 参考计数和生命周期管理
```c
// 原子性参考计数操作
static inline void tee_pobj_get_ref(struct tee_pobj *po)
{
assert(po != NULL);
mutex_lock(&po->refcnt_mutex);
// 检查对象状态
if (po->deleting) {
EMSG("Attempting to get reference to deleting object");
mutex_unlock(&po->refcnt_mutex);
return;
}
// 防止溢出
if (po->refcnt == UINT32_MAX) {
EMSG("Reference count overflow for object %p", po);
mutex_unlock(&po->refcnt_mutex);
return;
}
po->refcnt++;
DMSG("Object %p refcnt increased to %u", po, po->refcnt);
mutex_unlock(&po->refcnt_mutex);
}
static inline void tee_pobj_put_ref(struct tee_pobj *po)
{
bool should_delete = false;
assert(po != NULL);
mutex_lock(&po->refcnt_mutex);
// 防止下溢
if (po->refcnt == 0) {
EMSG("Reference count underflow for object %p", po);
mutex_unlock(&po->refcnt_mutex);
return;
}
po->refcnt--;
DMSG("Object %p refcnt decreased to %u", po, po->refcnt);
// 检查是否需要删除
if (po->refcnt == 0 && po->deleting) {
should_delete = true;
}
mutex_unlock(&po->refcnt_mutex);
// 在锁外进行删除操作防止死锁
if (should_delete) {
tee_pobj_final_cleanup(po);
}
}
// 防止死锁的锁获取顺序
// 规则:总是先获取全局锁,再获取对象锁
static TEE_Result acquire_ordered_locks(struct tee_pobj *po1,
struct tee_pobj *po2)
{
// 按地址顺序获取锁防止死锁
struct tee_pobj *first = (po1 < po2) ? po1 : po2;
struct tee_pobj *second = (po1 < po2) ? po2 : po1;
mutex_lock(&first->access_mutex);
if (second != first) {
mutex_lock(&second->access_mutex);
}
return TEE_SUCCESS;
}
static void release_ordered_locks(struct tee_pobj *po1, struct tee_pobj *po2)
{
struct tee_pobj *first = (po1 < po2) ? po1 : po2;
struct tee_pobj *second = (po1 < po2) ? po2 : po1;
if (second != first) {
mutex_unlock(&second->access_mutex);
}
mutex_unlock(&first->access_mutex);
}
### 3. 弹性错误处理和自动恢复
#### 智能损坏对象检测和恢复
```c
// 多层次损坏检测系统
enum corruption_level {
CORRUPTION_NONE, // 无损坏
CORRUPTION_HEADER_CHECKSUM, // 文件头校验和错误
CORRUPTION_ATTR_INVALID, // 属性数据损坏
CORRUPTION_DATA_INTEGRITY, // 数据完整性损坏
CORRUPTION_SEVERE, // 严重损坏,不可恢复
};
static enum corruption_level detect_object_corruption(struct tee_pobj *po)
{
TEE_Result res;
struct tee_file_handle *fh = NULL;
struct tee_svc_storage_head head;
size_t head_size = sizeof(head);
// 1. 尝试打开文件
res = po->fops->open(po, NULL, &fh);
if (res != TEE_SUCCESS) {
DMSG("Cannot open file for corruption check: %x", res);
return CORRUPTION_SEVERE;
}
// 2. 读取和验证文件头
res = po->fops->read(fh, 0, &head, NULL, &head_size);
if (res != TEE_SUCCESS || head_size != sizeof(head)) {
DMSG("Cannot read file header: %x", res);
po->fops->close(&fh);
return CORRUPTION_SEVERE;
}
// 3. 验证文件头
res = validate_storage_head(&head);
if (res != TEE_SUCCESS) {
DMSG("File header validation failed: %x", res);
po->fops->close(&fh);
return CORRUPTION_HEADER_CHECKSUM;
}
// 4. 验证属性数据
if (head.attr_size > 0) {
res = validate_attributes(fh, &head);
if (res != TEE_SUCCESS) {
DMSG("Attribute validation failed: %x", res);
po->fops->close(&fh);
return CORRUPTION_ATTR_INVALID;
}
}
// 5. 验证数据完整性(样本检查)
res = validate_data_integrity_sample(fh, &head);
if (res != TEE_SUCCESS) {
DMSG("Data integrity check failed: %x", res);
po->fops->close(&fh);
return CORRUPTION_DATA_INTEGRITY;
}
po->fops->close(&fh);
return CORRUPTION_NONE;
}
// 智能恢复策略
static TEE_Result attempt_object_recovery(struct tee_pobj *po,
enum corruption_level level)
{
switch (level) {
case CORRUPTION_HEADER_CHECKSUM:
// 尝试使用备份文件头恢复
return recover_from_backup_header(po);
case CORRUPTION_ATTR_INVALID:
// 重建属性数据
return rebuild_attributes(po);
case CORRUPTION_DATA_INTEGRITY:
// 使用哈希树进行部分恢复
return recover_using_hash_tree(po);
case CORRUPTION_SEVERE:
// 严重损坏,无法恢复
EMSG("Object severely corrupted, marking for deletion");
return TEE_ERROR_CORRUPT_OBJECT_2;
default:
return TEE_SUCCESS;
}
}
// 自动清理损坏对象
static void remove_corrupt_obj(struct user_ta_ctx *utc, struct tee_obj *o)
{
assert(o && o->pobj);
EMSG("Removing corrupted object: TA=%pUb, obj_id=%.*s",
&o->pobj->uuid, (int)o->pobj->obj_id_len,
(char *)o->pobj->obj_id);
// 1. 记录安全事件
log_security_event(SECURITY_EVENT_CORRUPTION_DETECTED,
&o->pobj->uuid, o->pobj->obj_id);
// 2. 删除损坏的文件
TEE_Result res = o->pobj->fops->remove(o->pobj);
if (res != TEE_SUCCESS) {
EMSG("Failed to remove corrupted file: %x", res);
}
// 3. 根据配置关闭句柄
if (!(utc->ta_ctx.flags & TA_FLAG_DONT_CLOSE_HANDLE_ON_CORRUPT_OBJECT)) {
tee_obj_close(utc, o);
}
// 4. 通知其他组件
notify_corruption_event(&o->pobj->uuid, o->pobj->obj_id);
}
// 资源清理和泄漏防护
static void cleanup_storage_resources(struct tee_ta_session *sess)
{
struct tee_obj *obj, *next_obj;
struct tee_obj_enum *oe, *next_oe;
// 1. 清理所有打开的对象
TAILQ_FOREACH_SAFE(obj, &sess->ctx->objects, link, next_obj) {
DMSG("Force closing object %p", obj);
tee_obj_close(sess->ctx, obj);
}
// 2. 清理所有枚举器
TAILQ_FOREACH_SAFE(oe, &sess->ctx->obj_enums, link, next_oe) {
DMSG("Force closing enumerator %p", oe);
tee_svc_storage_close_enum(sess->ctx, oe);
}
// 3. 检查是否有泄漏
if (!TAILQ_EMPTY(&sess->ctx->objects) ||
!TAILQ_EMPTY(&sess->ctx->obj_enums)) {
EMSG("Resource leak detected in TA %pUb", &sess->ctx->uuid);
}
}
## 核心实现文件深度分析
### `/core/tee/tee_svc_storage.c`
- **功能**: 存储系统调用的核心实现
- **关键函数**:
- `syscall_storage_obj_create()` - 创建持久化对象
- `syscall_storage_obj_open()` - 打开持久化对象
- `tee_svc_storage_read_head()` - 读取GP文件头
- `remove_corrupt_obj()` - 移除损坏的对象
### `/core/include/tee/tee_fs.h`
- **功能**: 文件系统抽象层定义
- **关键结构**:
- `tee_file_operations` - 统一的文件操作接口
- `tee_fs_dirent` - 目录项结构
- 存储后端选择逻辑
### `/core/include/tee/tee_pobj.h`
- **功能**: 持久化对象管理
- **关键函数**:
- `tee_pobj_get()` - 获取对象引用
- `tee_pobj_create_final()` - 完成对象创建
- `tee_pobj_release()` - 释放对象引用
## 存储流程
### 对象创建流程
1. **系统调用**: `syscall_storage_obj_create()`
2. **后端选择**: 根据storage_id选择文件操作接口
3. **对象获取**: `tee_pobj_get()` 创建对象结构
4. **文件创建**: 调用后端的`create()`操作
5. **头部写入**: 写入GP格式文件头
6. **数据写入**: 写入对象数据和属性
7. **创建完成**: `tee_pobj_create_final()` 标记完成
### 对象打开流程
1. **系统调用**: `syscall_storage_obj_open()`
2. **对象获取**: `tee_pobj_get()` 获取已存在对象
3. **文件打开**: 调用后端的`open()`操作
4. **头部读取**: `tee_svc_storage_read_head()` 验证文件格式
5. **权限检查**: 验证访问权限
6. **句柄返回**: 返回对象句柄给TA
### 数据访问流程
1. **I/O系统调用**: `syscall_storage_obj_read/write()`
2. **对象验证**: 检查对象状态和权限
3. **后端调用**: 调用具体后端的读写操作
4. **安全处理**: 由后端处理加密/解密和完整性验证
5. **结果返回**: 返回操作结果
## 配置选项
### 编译时配置
- `CFG_REE_FS`: 启用REE文件系统后端
- `CFG_RPMB_FS`: 启用RPMB文件系统后端
- `TEE_FS_NAME_MAX`: 文件名最大长度(350字节)
- `TEE_OBJECT_ID_MAX_LEN`: 对象ID最大长度
### 运行时行为
- 优先使用REE FS(如果可用)
- REE FS不可用时回退到RPMB
- 支持同时使用多种后端
- TA可明确指定后端类型