plugins: example of using the tee-supplicant plugin framework

TEE clients can add to the tee-supplicant own plugins.
This feature makes the supplicant a bit more flexible
in terms of providing services. Any external TEE services
can be designed as a tee-supplicant plugin.

User TAs can interact with the plugins using libutee
and the OP-TEE kernel code can use a special plugin PRC for it.

This patch adds example of using the plugin framework.
'syslog' plugin is used as an example.
It can write log messages from OP-TEE (TAs or kernel)
to system log.

Also patch adds a new TA, which interacts with the
'syslog' plugin with the help of 'tee_invoke_supp_plugin()'.
This TA increments a value and prints some strings
to the syslog. Also patch adds a host CA, which
calls the TA 'TA_PING_CNT' times.

If the example works successfully, we can find the following
strings in the log file (for qemu it's '/var/log/messages' file):
```
21:18:05 buildroot daemon.info tee-supplicant[92]: Hello, plugin! value = 0x0
21:18:07 buildroot daemon.info tee-supplicant[92]: Hello, plugin! value = 0x1
21:18:09 buildroot daemon.info tee-supplicant[92]: Hello, plugin! value = 0x2
21:18:11 buildroot daemon.info tee-supplicant[92]: Hello, plugin! value = 0x3
21:18:13 buildroot daemon.info tee-supplicant[92]: Hello, plugin! value = 0x4
```

Signed-off-by: Aleksandr Anisimov <[email protected]>
Reviewed-by: Jens Wiklander <[email protected]>

Author: Aleksandr Anisimov

.gitignore

@@ -18,3 +18,4 @@ random/host/optee_example_random
 aes/host/optee_example_aes
 hotp/host/optee_example_hotp
 secure_storage/host/optee_example_secure_storage
+plugins/host/optee_example_plugins

plugins/Android.mk

@@ -0,0 +1,21 @@
+###################### optee-plugins ######################
+LOCAL_PATH := $(call my-dir)
+
+OPTEE_CLIENT_EXPORT = $(LOCAL_PATH)/../../optee_client/out/export
+
+include $(CLEAR_VARS)
+LOCAL_CFLAGS += -DANDROID_BUILD
+LOCAL_CFLAGS += -Wall
+
+LOCAL_SRC_FILES += host/main.c
+
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/ta/include \
+		$(OPTEE_CLIENT_EXPORT)/include \
+
+LOCAL_SHARED_LIBRARIES := libteec
+LOCAL_MODULE := optee_example_plugins
+LOCAL_VENDOR_MODULE := true
+LOCAL_MODULE_TAGS := optional
+include $(BUILD_EXECUTABLE)
+
+include $(LOCAL_PATH)/ta/Android.mk

plugins/CMakeLists.txt

@@ -0,0 +1,20 @@
+project (optee_example_plugins C)
+
+set (SRC host/main.c)
+
+add_executable (${PROJECT_NAME} ${SRC})
+
+target_include_directories(${PROJECT_NAME}
+			   PRIVATE ta/include
+			   PRIVATE include)
+
+target_compile_definitions (${PROJECT_NAME}
+	PRIVATE -DBINARY_PREFIX="TEE-EXMPL"
+)
+
+target_link_libraries (${PROJECT_NAME}
+			   PRIVATE teec)
+
+install (TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_BINDIR})
+
+add_subdirectory (syslog)

plugins/Makefile

@@ -0,0 +1,17 @@
+export V?=0
+
+# If _HOST or _TA specific compilers are not specified, then use CROSS_COMPILE
+HOST_CROSS_COMPILE ?= $(CROSS_COMPILE)
+TA_CROSS_COMPILE ?= $(CROSS_COMPILE)
+
+.PHONY: all
+all:
+	$(MAKE) -C host CROSS_COMPILE="$(HOST_CROSS_COMPILE)" --no-builtin-variables
+	$(MAKE) -C ta CROSS_COMPILE="$(TA_CROSS_COMPILE)" LDFLAGS=""
+	$(MAKE) -C syslog CROSS_COMPILE="$(HOST_CROSS_COMPILE)"
+
+.PHONY: clean
+clean:
+	$(MAKE) -C host clean
+	$(MAKE) -C ta clean
+	$(MAKE) -C syslog clean

plugins/host/Makefile

@@ -0,0 +1,30 @@
+CC      ?= $(CROSS_COMPILE)gcc
+LD      ?= $(CROSS_COMPILE)ld
+AR      ?= $(CROSS_COMPILE)ar
+NM      ?= $(CROSS_COMPILE)nm
+OBJCOPY ?= $(CROSS_COMPILE)objcopy
+OBJDUMP ?= $(CROSS_COMPILE)objdump
+READELF ?= $(CROSS_COMPILE)readelf
+
+OBJS = main.o
+
+CFLAGS += -Wall -I../ta/include -I$(TEEC_EXPORT)/include -I./include
+CFLAGS += -DBINARY_PREFIX=\"TEE-EXMPL\"
+
+#Add/link other required libraries here
+LDADD += -lteec -L$(TEEC_EXPORT)/lib
+
+BINARY = optee_example_plugins
+
+.PHONY: all
+all: $(BINARY)
+
+$(BINARY): $(OBJS)
+	$(CC) -o $@ $< $(LDADD)
+
+.PHONY: clean
+clean:
+	rm -f $(OBJS) $(BINARY)
+
+%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@

plugins/host/main.c

@@ -0,0 +1,80 @@
+// SPDX-License-Identifier: BSD-2-Clause
+/*
+ * Copyright (c) 2020, Open Mobile Platform LLC
+ */
+
+#include <err.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+/* OP-TEE TEE client API (built by optee_client) */
+#include <tee_client_api.h>
+
+/* For the UUID (found in the TA's h-file(s)) */
+#include <plugin_ta.h>
+
+#define SLEEP_SEC 2
+#define TA_PING_CNT 5
+
+int main(void)
+{
+	int i = 0;
+	TEEC_Result res = TEEC_SUCCESS;
+	TEEC_Context ctx = { };
+	TEEC_Session sess = { };
+	TEEC_Operation op = { };
+	TEEC_UUID uuid = PLUGIN_TA_UUID;
+	uint32_t err_origin = 0;
+
+	/* Initialize a context connecting us to the TEE */
+	res = TEEC_InitializeContext(NULL, &ctx);
+	if (res != TEEC_SUCCESS)
+		errx(1, "TEEC_InitializeContext failed with code %#" PRIx32,
+		     res);
+
+	/* Open a session to the "plugin" TA */
+	res = TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL,
+			       NULL, &err_origin);
+	if (res != TEEC_SUCCESS)
+		errx(1, "TEEC_Opensession failed with code %#" PRIx32 "origin %#" PRIx32,
+		     res, err_origin);
+
+	/* Clear the TEEC_Operation struct */
+	memset(&op, 0, sizeof(op));
+	op.paramTypes =
+		TEEC_PARAM_TYPES(TEEC_NONE, TEEC_NONE, TEEC_NONE, TEEC_NONE);
+
+	/*
+	 * TA will refer to the syslog plugin to print some log messages to REE.
+	 *
+	 * See the plugin code in the optee-client.
+	 * See the log through 'journalctl'.
+	 */
+
+	printf("Work logic: REE --> plugin TA --> syslog plugin in REE --> syslog\n");
+	printf("See the log from TEE through 'journalctl'\n\n");
+
+	for (i = 0; i < TA_PING_CNT; ++i) {
+		res = TEEC_InvokeCommand(&sess, PLUGIN_TA_PING, &op,
+					 &err_origin);
+
+		printf("Attempt #%d: TEEC_InvokeCommand() %s; res=%#" PRIx32 " orig=%#" PRIx32 "\n",
+		       i + 1, (res == TEEC_SUCCESS) ? "success" : "failed",
+		       res, err_origin);
+
+		sleep(SLEEP_SEC);
+	}
+
+	/*
+	 * We're done with the TA, close the session and
+	 * destroy the context.
+	 */
+
+	TEEC_CloseSession(&sess);
+	TEEC_FinalizeContext(&ctx);
+
+	return 0;
+}

plugins/syslog/CMakeLists.txt

@@ -0,0 +1,8 @@
+project (96bcf744-4f72-4866-bf1d-8634fd9c65e5.plugin C)
+
+set (CFG_TEE_PLUGIN_LOAD_PATH "/usr/lib/tee-supplicant/plugins/")
+set (CMAKE_SHARED_LIBRARY_PREFIX "")
+
+add_library(${PROJECT_NAME} SHARED syslog_plugin.c)
+
+install (TARGETS ${PROJECT_NAME} DESTINATION ${CFG_TEE_PLUGIN_LOAD_PATH})

plugins/syslog/Makefile

@@ -0,0 +1,24 @@
+PLUGIN_UUID = 96bcf744-4f72-4866-bf1d-8634fd9c65e5
+
+PLUGIN			= $(PLUGIN_UUID).plugin
+PLUGIN_SRS		= $(wildcard ./*.c)
+PLUGIN_OBJ		= $(patsubst %.c, %.o, $(PLUGIN_SRS))
+PLUGIN_INCLUDES_DIR	= $(CURDIR) $(TEEC_EXPORT)/include
+
+PLUGIN_INCLUDES		= $(addprefix -I, $(PLUGIN_INCLUDES_DIR))
+PLUGIN_CCFLAGS		= -Wall -fPIC
+PLUGIN_LDFLAGS		= -shared
+
+.PHONY: all
+all: $(PLUGIN)
+
+$(PLUGIN): $(PLUGIN_OBJ)
+	$(CROSS_COMPILE)gcc $(PLUGIN_LDFLAGS) $(PLUGIN_OBJ) -o $@
+
+%.o: %.c
+	$(CROSS_COMPILE)gcc $(PLUGIN_CCFLAGS) $(PLUGIN_INCLUDES) -c $*.c -o $*.o
+
+.PHONY: clean
+clean:
+	$(RM) $(PLUGIN_OBJ) $(PLUGIN_UUID).plugin
+

plugins/syslog/syslog_plugin.c

@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: BSD-2-Clause
+/*
+ * Copyright (c) 2020, Open Mobile Platform LLC
+ */
+
+#include <stddef.h>
+#include <syslog.h>
+#include <tee_plugin_method.h>
+
+/*
+ * OPTEE has access to the plugin by the UUID
+ */
+#define SYSLOG_PLUGIN_UUID { 0x96bcf744, 0x4f72, 0x4866, \
+		{ 0xbf, 0x1d, 0x86, 0x34, 0xfd, 0x9c, 0x65, 0xe5 } }
+
+/* plugin cmd */
+#define TO_SYSLOG 0
+
+static TEEC_Result syslog_plugin_init(void)
+{
+	return TEEC_SUCCESS;
+}
+
+static TEEC_Result write_syslog(unsigned int sub_cmd, void *data, size_t data_len)
+{
+	/* 'sub_cmd' in this case means priority according syslog.h */
+	openlog(NULL, LOG_CONS | LOG_PID, LOG_DAEMON);
+	syslog(sub_cmd, "%*s", (int)data_len, (const char *)data);
+	closelog();
+
+	return TEEC_SUCCESS;
+}
+
+static TEEC_Result syslog_plugin_invoke(unsigned int cmd, unsigned int sub_cmd,
+					void *data, size_t data_len,
+					size_t *out_len)
+{
+	/*
+	 * The pointer 'out_len' is used to save length of
+	 * output data from the plugin for TEE, when TEE will be needed
+	 * by the data.
+	 *
+	 * Buffer 'data' is used like input and output.
+	 */
+	(void)out_len;
+
+	switch (cmd) {
+	case TO_SYSLOG:
+		return write_syslog(sub_cmd, data, data_len);
+	default:
+		break;
+	}
+
+	return TEEC_ERROR_NOT_SUPPORTED;
+}
+
+struct plugin_method plugin_method = {
+	"syslog",
+	SYSLOG_PLUGIN_UUID,
+	syslog_plugin_init, /* can be NULL */
+	syslog_plugin_invoke,
+};

plugins/ta/Android.mk

@@ -0,0 +1,4 @@
+LOCAL_PATH := $(call my-dir)
+
+local_module := 2a287631-de1b-4fdd-a55c-b9312e40769a.ta
+include $(BUILD_OPTEE_MK)