From fb6f59caba884f748223c6ba7481bd996a0307d0 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Tue, 30 Aug 2016 13:20:30 +0200
Subject: Add the /dev/tlk_device (Open Trusted Execution device driver) description
---
sys/tlk_device.txt | 83 ++++++++++++++++++++++++++++++++++++++++++++++
sys/tlk_device_amd64.const | 16 +++++++++
sys/tlk_device_arm64.const | 16 +++++++++
3 files changed, 115 insertions(+)
create mode 100644 sys/tlk_device.txt
create mode 100644 sys/tlk_device_amd64.const
create mode 100644 sys/tlk_device_arm64.const
(limited to 'sys')
diff --git a/sys/tlk_device.txt b/sys/tlk_device.txt
new file mode 100644
index 000000000..d8092fd1a
--- /dev/null
+++ b/sys/tlk_device.txt
@@ -0,0 +1,83 @@
+# Copyright 2016 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+# Open Trusted Execution driver for /dev/tlk_device
+# Reference source code:
+# https://android.googlesource.com/kernel/tegra/+/android-tegra-dragon-3.18-marshmallow-dr-dragon/security/tlk_driver/ote_protocol.h
+
+include
+include
+include
+
+resource fd_tlk[fd]
+resource te_session_id[int32]
+
+syz_open_dev$tlk_device(dev strconst["/dev/tlk_device"], id const[0], flags flags[open_flags]) fd_tlk
+
+ioctl$TE_IOCTL_OPEN_CLIENT_SESSION(fd fd_tlk, cmd const[TE_IOCTL_OPEN_CLIENT_SESSION], arg ptr[inout, te_opensession])
+ioctl$TE_IOCTL_CLOSE_CLIENT_SESSION(fd fd_tlk, cmd const[TE_IOCTL_CLOSE_CLIENT_SESSION], arg ptr[inout, te_closesession])
+ioctl$TE_IOCTL_LAUNCH_OPERATION(fd fd_tlk, cmd const[TE_IOCTL_LAUNCH_OPERATION], arg ptr[inout, te_launchop])
+ioctl$TE_IOCTL_SS_CMD(fd fd_tlk, cmd const[TE_IOCTL_SS_CMD], arg flags[te_ss_cmd_flags])
+
+te_ss_cmd_flags = TE_IOCTL_SS_CMD_GET_NEW_REQ, TE_IOCTL_SS_CMD_REQ_COMPLETE
+te_oper_param_type_flags = TE_PARAM_TYPE_NONE, TE_PARAM_TYPE_INT_RO, TE_PARAM_TYPE_INT_RW, TE_PARAM_TYPE_MEM_RO, TE_PARAM_TYPE_MEM_RW, TE_PARAM_TYPE_PERSIST_MEM_RO, TE_PARAM_TYPE_PERSIST_MEM_RW, TE_PARAM_TYPE_FLAGS_PHYS_LIST
+
+
+# Values of time_low, time_mid, time_hi_and_version, clock_seq_and_node don't seem to mean anything.
+te_service_id {
+ unused_time_low int32
+ unused_time_mid int16
+ unused_time_hi_and_version int16
+ unused_clock_seq_and_node array[int8, 8]
+}
+
+te_opensession {
+ dest_uuid te_service_id
+ operation te_operation
+ answer ptr[out, te_answer]
+}
+
+te_closesession {
+ session_id te_session_id
+ answer ptr[out, te_answer]
+}
+
+te_answer {
+ result int32
+ session_id te_session_id
+ result_origin int32
+}
+
+te_launchop {
+ session_id te_session_id
+ operation te_operation
+ answer int64
+}
+
+te_operation {
+ unused_command int32
+ status int32
+ list_head ptr[in, te_oper_param]
+ unused_list_tail ptr[in, te_oper_param]
+ list_count int32
+ unused_interface_side int32
+}
+
+te_int_mem_union [
+ int int32
+ Mem te_mem
+]
+
+te_mem {
+ base vma
+ len int32
+}
+
+# TODO(glider): self-referencing overflows the stack in sysgen.go
+te_oper_param {
+ index int32
+ type flags[te_oper_param_type_flags, int32]
+ u te_int_mem_union
+# next_ptr_user ptr[in, te_oper_param, opt]
+ next_ptr_user const[0, intptr]
+}
diff --git a/sys/tlk_device_amd64.const b/sys/tlk_device_amd64.const
new file mode 100644
index 000000000..6866a48c3
--- /dev/null
+++ b/sys/tlk_device_amd64.const
@@ -0,0 +1,16 @@
+# AUTOGENERATED FILE
+TE_IOCTL_CLOSE_CLIENT_SESSION = 3224925201
+TE_IOCTL_LAUNCH_OPERATION = 3224925204
+TE_IOCTL_OPEN_CLIENT_SESSION = 3224925200
+TE_IOCTL_SS_CMD = 2147775536
+TE_IOCTL_SS_CMD_GET_NEW_REQ = 1
+TE_IOCTL_SS_CMD_REQ_COMPLETE = 2
+TE_PARAM_TYPE_FLAGS_PHYS_LIST = 2147483648
+TE_PARAM_TYPE_INT_RO = 1
+TE_PARAM_TYPE_INT_RW = 2
+TE_PARAM_TYPE_MEM_RO = 3
+TE_PARAM_TYPE_MEM_RW = 4
+TE_PARAM_TYPE_NONE = 0
+TE_PARAM_TYPE_PERSIST_MEM_RO = 256
+TE_PARAM_TYPE_PERSIST_MEM_RW = 257
+__NR_ioctl = 16
diff --git a/sys/tlk_device_arm64.const b/sys/tlk_device_arm64.const
new file mode 100644
index 000000000..8b8dce95a
--- /dev/null
+++ b/sys/tlk_device_arm64.const
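Review bot: In the sys/tlk_device.txt hunk, `te_launchop.answer` is declared `int64`, while `te_opensession` and `te_closesession` declare the same field as `ptr[out, te_answer]`. With a plain integer the fuzzer will almost never pass a writable address for the launch-operation result, so the code that writes the answer back is probably only exercised on its fault path. Unless the reference header gives the field a different meaning for launch, I would use `answer ptr[out, te_answer]` here as well. Separately, `TE_IOCTL_SS_CMD = 2147775536` in the generated constants is 0x80047430, an _IOR encoding with a 4-byte payload. That suggests (the handler is not visible here) that `arg` is a pointer to an int rather than the value itself; if so, `arg ptr[in, flags[te_ss_cmd_flags, int32]]` would describe it more faithfully than `arg flags[te_ss_cmd_flags]`.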
@@ -0,0 +1,16 @@
+# AUTOGENERATED FILE
+TE_IOCTL_CLOSE_CLIENT_SESSION = 3224925201
+TE_IOCTL_LAUNCH_OPERATION = 3224925204
+TE_IOCTL_OPEN_CLIENT_SESSION = 3224925200
+TE_IOCTL_SS_CMD = 2147775536
+TE_IOCTL_SS_CMD_GET_NEW_REQ = 1
+TE_IOCTL_SS_CMD_REQ_COMPLETE = 2
+TE_PARAM_TYPE_FLAGS_PHYS_LIST = 2147483648
+TE_PARAM_TYPE_INT_RO = 1
+TE_PARAM_TYPE_INT_RW = 2
+TE_PARAM_TYPE_MEM_RO = 3
+TE_PARAM_TYPE_MEM_RW = 4
+TE_PARAM_TYPE_NONE = 0
+TE_PARAM_TYPE_PERSIST_MEM_RO = 256
+TE_PARAM_TYPE_PERSIST_MEM_RW = 257
+__NR_ioctl = 29
-- cgit mrf-deployment