1*8d741a5dSApple OSS Distributions /*
2*8d741a5dSApple OSS Distributions * Copyright (c) 2022 Apple Computer, Inc. All rights reserved.
3*8d741a5dSApple OSS Distributions *
4*8d741a5dSApple OSS Distributions * @APPLE_LICENSE_HEADER_START@
5*8d741a5dSApple OSS Distributions *
6*8d741a5dSApple OSS Distributions * The contents of this file constitute Original Code as defined in and
7*8d741a5dSApple OSS Distributions * are subject to the Apple Public Source License Version 1.1 (the
8*8d741a5dSApple OSS Distributions * "License"). You may not use this file except in compliance with the
9*8d741a5dSApple OSS Distributions * License. Please obtain a copy of the License at
10*8d741a5dSApple OSS Distributions * http://www.apple.com/publicsource and read it before using this file.
11*8d741a5dSApple OSS Distributions *
12*8d741a5dSApple OSS Distributions * This Original Code and all software distributed under the License are
13*8d741a5dSApple OSS Distributions * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14*8d741a5dSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15*8d741a5dSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16*8d741a5dSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17*8d741a5dSApple OSS Distributions * License for the specific language governing rights and limitations
18*8d741a5dSApple OSS Distributions * under the License.
19*8d741a5dSApple OSS Distributions *
20*8d741a5dSApple OSS Distributions * @APPLE_LICENSE_HEADER_END@
21*8d741a5dSApple OSS Distributions */
22*8d741a5dSApple OSS Distributions
23*8d741a5dSApple OSS Distributions #include <stdarg.h>
24*8d741a5dSApple OSS Distributions #include <stdatomic.h>
25*8d741a5dSApple OSS Distributions #include <os/overflow.h>
26*8d741a5dSApple OSS Distributions #include <machine/atomic.h>
27*8d741a5dSApple OSS Distributions #include <mach/vm_param.h>
28*8d741a5dSApple OSS Distributions #include <mach/vm_map.h>
29*8d741a5dSApple OSS Distributions #include <mach/shared_region.h>
30*8d741a5dSApple OSS Distributions #include <vm/vm_kern_xnu.h>
31*8d741a5dSApple OSS Distributions #include <kern/zalloc.h>
32*8d741a5dSApple OSS Distributions #include <kern/kalloc.h>
33*8d741a5dSApple OSS Distributions #include <kern/assert.h>
34*8d741a5dSApple OSS Distributions #include <kern/locks.h>
35*8d741a5dSApple OSS Distributions #include <kern/recount.h>
36*8d741a5dSApple OSS Distributions #include <kern/sched_prim.h>
37*8d741a5dSApple OSS Distributions #include <kern/lock_rw.h>
38*8d741a5dSApple OSS Distributions #include <libkern/libkern.h>
39*8d741a5dSApple OSS Distributions #include <libkern/section_keywords.h>
40*8d741a5dSApple OSS Distributions #include <libkern/coretrust/coretrust.h>
41*8d741a5dSApple OSS Distributions #include <libkern/amfi/amfi.h>
42*8d741a5dSApple OSS Distributions #include <pexpert/pexpert.h>
43*8d741a5dSApple OSS Distributions #include <sys/vm.h>
44*8d741a5dSApple OSS Distributions #include <sys/proc.h>
45*8d741a5dSApple OSS Distributions #include <sys/codesign.h>
46*8d741a5dSApple OSS Distributions #include <sys/code_signing.h>
47*8d741a5dSApple OSS Distributions #include <sys/sysctl.h>
48*8d741a5dSApple OSS Distributions #include <uuid/uuid.h>
49*8d741a5dSApple OSS Distributions #include <IOKit/IOLib.h>
50*8d741a5dSApple OSS Distributions #include <IOKit/IOBSD.h>
51*8d741a5dSApple OSS Distributions
52*8d741a5dSApple OSS Distributions #if CONFIG_SPTM
/*
 * The TrustedExecutionMonitor environment works in tandem with the SPTM to provide code
 * signing and memory isolation enforcement for data structures critical to ensuring that
 * all code executed on the system is authorized to do so.
 *
 * Unless the data is managed by TXM itself, XNU needs to page-align everything, make the
 * relevant type transfer, and then reference the memory as read-only.
 *
 * TXM enforces concurrency on its side, but through the use of try-locks. Upon a failure
 * in acquiring the lock, TXM will panic. As a result, in order to ensure single-threaded
 * behavior, the kernel also has to take some locks on its side before calling into TXM.
 */
65*8d741a5dSApple OSS Distributions #include <sys/trusted_execution_monitor.h>
66*8d741a5dSApple OSS Distributions #include <pexpert/arm64/board_config.h>
67*8d741a5dSApple OSS Distributions
/* Lock group used for all locks within the kernel for TXM */
LCK_GRP_DECLARE(txm_lck_grp, "txm_code_signing_lck_grp");

#pragma mark Utilities

/*
 * Number of thread stacks is known at build-time: one slot per possible CPU
 * (MAX_CPUS). The backing array is statically allocated and zero-initialized.
 */
#define NUM_TXM_THREAD_STACKS (MAX_CPUS)
txm_thread_stack_t thread_stacks[NUM_TXM_THREAD_STACKS] = {0};

/*
 * Singly-linked-list head for thread stacks. Entries on this list are the
 * stacks currently available; acquire_thread_stack() removes the head entry
 * and release_thread_stack() pushes it back.
 */
SLIST_HEAD(thread_stack_head, _txm_thread_stack) thread_stacks_head =
    SLIST_HEAD_INITIALIZER(thread_stacks_head);

/* Mutex held around every acquire/release manipulation of thread_stacks_head */
static decl_lck_mtx_data(, thread_stacks_lock);

/*
 * Only the address of this variable is used: it is the wait event that
 * acquire_thread_stack() sleeps on and release_thread_stack() wakes.
 */
static void *thread_stack_event = NULL;
83*8d741a5dSApple OSS Distributions
/*
 * Build the pool of TXM thread stacks.
 *
 * Each of the NUM_TXM_THREAD_STACKS slots is filled in from the mapping that
 * the SPTM bootstrap arguments provide in SPTMArgs->txm_thread_stacks[], and
 * is then pushed onto the free list. The mutex protecting the list is
 * initialized last.
 *
 * NOTE(review): the list is modified here before thread_stacks_lock exists, so
 * this presumably runs exactly once while no other thread can call into TXM --
 * confirm against the caller.
 */
static void
setup_thread_stacks(void)
{
	extern const sptm_bootstrap_args_xnu_t *SPTMArgs;

	for (uint32_t idx = 0; idx < NUM_TXM_THREAD_STACKS; idx++) {
		txm_thread_stack_t *stack = &thread_stacks[idx];

		/* Mapping of the stack page, taken verbatim from the SPTM arguments */
		stack->thread_stack_papt = SPTMArgs->txm_thread_stacks[idx];

		/* Physical address behind that mapping (the lookup cannot fail) */
		stack->thread_stack_phys =
		    (uintptr_t)kvtophys_nofail(stack->thread_stack_papt);

		/*
		 * The TXMThreadStack_t is read at offset (PAGE_SIZE - 1024) from the
		 * mapping.
		 * NOTE(review): the 1024 is a layout constant that has to agree with
		 * TXM's own view of the page -- confirm, and consider naming it.
		 */
		stack->thread_stack_data =
		    (TXMThreadStack_t*)(stack->thread_stack_papt + (PAGE_SIZE - 1024));

		/* Make the stack available to acquire_thread_stack() */
		SLIST_INSERT_HEAD(&thread_stacks_head, stack, link);
	}

	/* The pool is complete; set up the mutex that guards it from now on */
	lck_mtx_init(&thread_stacks_lock, &txm_lck_grp, 0);
}
112*8d741a5dSApple OSS Distributions
/*
 * Take a TXM thread stack out of the pool and bind it to the current thread.
 *
 * Blocks (uninterruptibly) while the pool is empty. The returned stack must be
 * handed back with release_thread_stack() once the TXM call has finished.
 */
static txm_thread_stack_t*
acquire_thread_stack(void)
{
	txm_thread_stack_t *stack = NULL;

	lck_mtx_lock(&thread_stacks_lock);

	/*
	 * Wait for release_thread_stack() to post thread_stack_event. The emptiness
	 * test is repeated after every wakeup because another waiter may have taken
	 * the stack first. THREAD_UNINT means the wait cannot be aborted.
	 */
	while (SLIST_EMPTY(&thread_stacks_head)) {
		lck_mtx_sleep(
			&thread_stacks_lock,
			LCK_SLEEP_DEFAULT,
			&thread_stack_event,
			THREAD_UNINT);
	}

	/*
	 * Invariant check: the loop above only exits with a non-empty list, so this
	 * fires only if that invariant is broken. Panicking is preferred over
	 * dereferencing an empty list head below.
	 */
	if (SLIST_EMPTY(&thread_stacks_head)) {
		panic("unable to acquire a thread stack for TXM");
	}

	/* Pop the head entry while the list is still locked */
	stack = SLIST_FIRST(&thread_stacks_head);
	SLIST_REMOVE_HEAD(&thread_stacks_head, link);

	lck_mtx_unlock(&thread_stacks_lock);

	/* Record on the current thread which TXM stack it now owns */
	thread_associate_txm_thread_stack(stack->thread_stack_phys);

	return stack;
}
147*8d741a5dSApple OSS Distributions
/*
 * Return a TXM thread stack obtained from acquire_thread_stack() to the pool.
 *
 * The association with the current thread is dropped first, so the stack is
 * never on the free list while still bound to a thread. Waiters are woken only
 * after the list lock has been released.
 */
static void
release_thread_stack(
	txm_thread_stack_t* thread_stack)
{
	/* Unbind the stack from the calling thread before anyone else can take it */
	thread_disassociate_txm_thread_stack(thread_stack->thread_stack_phys);

	/* Push it back on the free list under the list lock */
	lck_mtx_lock(&thread_stacks_lock);
	SLIST_INSERT_HEAD(&thread_stacks_head, thread_stack, link);
	lck_mtx_unlock(&thread_stacks_lock);

	/* Let threads sleeping in acquire_thread_stack() re-check the list */
	thread_wakeup(&thread_stack_event);
}
167*8d741a5dSApple OSS Distributions
/*
 * Translate a TXM return value into a kern_return_t.
 *
 * Only the return code is inspected. Every code without an explicit mapping
 * below collapses to KERN_FAILURE, so a caller that needs the detailed reason
 * has to look at the TXMReturn_t itself rather than at the value returned
 * here.
 */
static kern_return_t
txm_parse_return(
	TXMReturn_t txm_ret)
{
	kern_return_t kr = KERN_FAILURE;

	switch (txm_ret.returnCode) {
	case kTXMSuccess:
		kr = KERN_SUCCESS;
		break;

	case kTXMReturnOutOfMemory:
		kr = KERN_RESOURCE_SHORTAGE;
		break;

	case kTXMReturnNotFound:
		kr = KERN_NOT_FOUND;
		break;

	case kTXMReturnNotSupported:
		kr = KERN_NOT_SUPPORTED;
		break;

#if kTXMKernelAPIVersion >= 6
	/* This code only exists from kernel API version 6 onwards */
	case kTXMReturnTryAgain:
		kr = KERN_OPERATION_TIMED_OUT;
		break;
#endif

	default:
		/* Anything unrecognized is treated as a failure, never as success */
		kr = KERN_FAILURE;
		break;
	}

	return kr;
}
194*8d741a5dSApple OSS Distributions
/*
 * Log a TXM error return for the given selector. Nothing is printed when the
 * call succeeded.
 *
 * IOLog is used on purpose instead of printf: printf is compiled out on
 * RELEASE kernels, and TXM errors need to show up in sysdiagnoses collected
 * from the field.
 */
static void
txm_print_return(
	TXMKernelSelector_t selector,
	TXMReturn_t txm_ret)
{
	switch (txm_ret.returnCode) {
	case kTXMSuccess:
		/* Not an error -- stay silent */
		break;

	case kTXMReturnTrustCache:
		/* Trust cache failures carry a component / error / unique-error triple */
		IOLog("TXM [Error]: TrustCache: selector: %u | 0x%02X | 0x%02X | %u\n",
		    selector, txm_ret.tcRet.component, txm_ret.tcRet.error, txm_ret.tcRet.uniqueError);
		break;

	case kTXMReturnCodeSignature:
		/* Code signature failures use the same triple layout */
		IOLog("TXM [Error]: CodeSignature: selector: %u | 0x%02X | 0x%02X | %u\n",
		    selector, txm_ret.csRet.component, txm_ret.csRet.error, txm_ret.csRet.uniqueError);
		break;

	case kTXMReturnCodeErrno:
		IOLog("TXM [Error]: Errno: selector: %u | %d\n",
		    selector, txm_ret.errnoRet);
		break;

	default:
		/* No structured payload known for this code; print the code itself */
		IOLog("TXM [Error]: selector: %u | %u\n",
		    selector, txm_ret.returnCode);
		break;
	}
}
222*8d741a5dSApple OSS Distributions
223*8d741a5dSApple OSS Distributions #pragma mark Page Allocation
224*8d741a5dSApple OSS Distributions
/*
 * Donate one more page to TXM's free list.
 *
 * Called from txm_kernel_call() when TXM reports that it ran out of memory.
 * The call is marked failure_fatal, so txm_kernel_call() panics instead of
 * returning an error; that is why its return value is not examined here.
 */
static void
txm_add_page(void)
{
	/* Allocate a page from the VM -- the pmap layer hands it over to TXM */
	vm_map_address_t page_phys = pmap_txm_allocate_page();

	txm_call_t add_page_call = {
		.selector = kTXMKernelSelectorAddFreeListPage,
		.failure_fatal = true,
		.num_input_args = 1
	};

	/* Tell TXM about the new page so it can place it on its free list */
	txm_kernel_call(&add_page_call, page_phys);
}
240*8d741a5dSApple OSS Distributions
241*8d741a5dSApple OSS Distributions #pragma mark Calls
242*8d741a5dSApple OSS Distributions
/*
 * Load the variadic call arguments into the register block for a TXM call.
 *
 * At most 7 arguments are allowed: the SPTM dispatch only sets up registers
 * x0-x7, and x0 is always reserved for the thread stack TXM operates on, which
 * leaves x1-x7. Any other count panics.
 *
 * Every argument is fetched as a uintptr_t, so call sites must pass
 * pointer-width values; a narrower argument would be a type mismatch for
 * va_arg. parameters->num_input_args must also match the number of arguments
 * actually passed, since nothing here can detect a short argument list.
 * Registers beyond the requested count are left as the caller initialized
 * them.
 */
static void
txm_kernel_call_registers_setup(
	txm_call_t *parameters,
	sptm_call_regs_t *registers,
	va_list args)
{
	/* Reject any count outside 0..7 before touching the argument list */
	switch (parameters->num_input_args) {
	case 0:
	case 1:
	case 2:
	case 3:
	case 4:
	case 5:
	case 6:
	case 7:
		break;

	default:
		panic("invalid number of arguments to TXM: selector: %u | %u",
		    parameters->selector, parameters->num_input_args);
	}

	/* Arguments are consumed strictly in order: first one into x1, and so on */
	if (parameters->num_input_args >= 1) {
		registers->x1 = va_arg(args, uintptr_t);
	}
	if (parameters->num_input_args >= 2) {
		registers->x2 = va_arg(args, uintptr_t);
	}
	if (parameters->num_input_args >= 3) {
		registers->x3 = va_arg(args, uintptr_t);
	}
	if (parameters->num_input_args >= 4) {
		registers->x4 = va_arg(args, uintptr_t);
	}
	if (parameters->num_input_args >= 5) {
		registers->x5 = va_arg(args, uintptr_t);
	}
	if (parameters->num_input_args >= 6) {
		registers->x6 = va_arg(args, uintptr_t);
	}
	if (parameters->num_input_args >= 7) {
		registers->x7 = va_arg(args, uintptr_t);
	}
}
314*8d741a5dSApple OSS Distributions
/*
 * Perform a single call into TXM and collect its results.
 *
 * A thread stack is acquired for the duration of the call; its physical
 * address goes into x0 and the caller's arguments into the following
 * registers. On return, the raw return value is read from the stack's shared
 * context and stored in parameters->txm_ret. On success the return words are
 * copied into parameters->return_words as well.
 *
 * All results are copied out BEFORE the stack is released: once it is back in
 * the pool another thread may start a call on it.
 *
 * Returns the TXM return value (also stored in parameters->txm_ret).
 */
static TXMReturn_t
txm_kernel_call_internal(
	txm_call_t *parameters,
	va_list args)
{
	TXMReturn_t txm_ret = (TXMReturn_t){.returnCode = kTXMReturnGeneric};
	sptm_call_regs_t call_regs = {0};
	txm_thread_stack_t *stack = NULL;
	const TXMThreadStack_t *stack_data = NULL;
	const TXMSharedContextData_t *shared = NULL;

	/* Obtain a stack for this call (may block until one is free) */
	stack = acquire_thread_stack();
	stack_data = stack->thread_stack_data;
	shared = &stack_data->sharedData;

	/* x0 carries the stack; the remaining registers carry the arguments */
	call_regs.x0 = stack->thread_stack_phys;
	txm_kernel_call_registers_setup(parameters, &call_regs, args);

	/* Track resource usage for the time spent inside TXM */
	recount_enter_secure();

	/* Call into TXM */
	txm_enter(parameters->selector, &call_regs);

	recount_leave_secure();

	/* Snapshot the return value from the shared context */
	txm_ret = (TXMReturn_t){.rawValue = shared->txmReturnCode};
	parameters->txm_ret = txm_ret;

	if (parameters->txm_ret.returnCode == kTXMSuccess) {
		/*
		 * The word count is read once into the kernel-side structure and that
		 * copy is what gets validated and used as the loop bound, so the check
		 * and the copy cannot disagree.
		 */
		parameters->num_return_words = shared->txmNumReturnWords;
		if (parameters->num_return_words > kTXMStackReturnWords) {
			panic("received excessive return words from TXM: selector: %u | %llu",
			    parameters->selector, parameters->num_return_words);
		}

		/*
		 * NOTE(review): this assumes parameters->return_words holds at least
		 * kTXMStackReturnWords entries -- confirm against the txm_call_t
		 * definition.
		 */
		for (uint64_t word = 0; word < parameters->num_return_words; word++) {
			parameters->return_words[word] = shared->txmReturnWords[word];
		}
	}

	/* Release the thread stack as it is no longer needed */
	release_thread_stack(stack);

	/* The shared data belongs to the pool again; drop the local references */
	stack_data = NULL;
	shared = NULL;

	return txm_ret;
}
365*8d741a5dSApple OSS Distributions
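/*
 * Call into TXM with the selector and options described by `parameters`,
 * passing parameters->num_input_args variadic arguments (each pointer-width).
 *
 * If TXM reports that it is out of memory, a page is donated through
 * txm_add_page() and the call is retried until it no longer fails that way.
 * An out-of-memory result for the page-donation selector itself panics, which
 * also bounds the recursion through txm_add_page().
 *
 * Options honoured from `parameters`:
 *   - skip_logs:           do not drain the TXM log buffer after the call.
 *   - failure_silent:      do not print the TXM error return.
 *   - failure_code_silent: do not print the error if it equals this code.
 *   - failure_fatal:       panic on any result other than KERN_SUCCESS.
 *   - num_output_args:     minimum number of return words expected on success;
 *                          fewer panics.
 *
 * Returns the kern_return_t mapping of the TXM return code; the full
 * TXMReturn_t and any return words are left in `parameters`.
 */
kern_return_t
txm_kernel_call(
	txm_call_t *parameters, ...)
{
	TXMReturn_t txm_ret = (TXMReturn_t){.returnCode = kTXMReturnGeneric};
	kern_return_t ret = KERN_DENIED;
	va_list args;

	/* Start the variadic arguments list */
	va_start(args, parameters);

	do {
		va_list attempt_args;

		/*
		 * Each attempt consumes the arguments with va_arg in a callee. After
		 * that, the C standard leaves the passed va_list indeterminate in the
		 * caller, so every attempt gets its own copy and a retry always starts
		 * again from the first argument.
		 */
		va_copy(attempt_args, args);
		txm_ret = txm_kernel_call_internal(parameters, attempt_args);
		va_end(attempt_args);

		if (txm_ret.returnCode == kTXMReturnOutOfMemory) {
			/* Donating a page must not itself require more memory */
			if (parameters->selector == kTXMKernelSelectorAddFreeListPage) {
				panic("received out-of-memory error when adding a free page to TXM");
			}
			txm_add_page();
		}
	} while (txm_ret.returnCode == kTXMReturnOutOfMemory);

	/* Clean up the variadic arguments list */
	va_end(args);

	/* Print all TXM logs from the log buffer */
	if (parameters->skip_logs == false) {
		txm_print_logs();
	}

	/* Print the return code from TXM -- only prints for an error */
	if (parameters->failure_silent != true) {
		if (parameters->failure_code_silent != txm_ret.returnCode) {
			txm_print_return(parameters->selector, txm_ret);
		}
	}

	/*
	 * To ease the process of calling into TXM, and to also reduce the number of
	 * lines of code for each call site, the txm_call_t offers some properties
	 * we can enforce over here. Go through these, and panic in case they aren't
	 * honored.
	 *
	 * NOTE: We check for "<" instead of "!=" for the number of return words we
	 * get back from TXM since this helps in forward development. If the kernel
	 * and TXM are proceeding at different project cadences, we do not want to
	 * gate adding more return words from TXM on the kernel first adopting the
	 * new number of return words.
	 */
	ret = txm_parse_return(txm_ret);

	if (parameters->failure_fatal && (ret != KERN_SUCCESS)) {
		panic("received fatal error for a selector from TXM: selector: %u | 0x%0llX",
		    parameters->selector, txm_ret.rawValue);
	} else if (parameters->num_return_words < parameters->num_output_args) {
		/*
		 * Only panic if return was a success: on failure num_return_words is
		 * not updated by the call, so the comparison is meaningless then.
		 */
		if (ret == KERN_SUCCESS) {
			panic("received fewer than expected return words from TXM: selector: %u | %llu",
			    parameters->selector, parameters->num_return_words);
		}
	}

	return ret;
}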
429*8d741a5dSApple OSS Distributions
/*
 * Hand a range of kernel memory over to TXM.
 *
 * `addr` must be page-aligned; `size` is rounded up to whole pages. The range
 * is first made read-only in the kernel map and then each page is transferred
 * through the pmap layer. A misaligned address or a range that overflows the
 * address space panics.
 */
void
txm_transfer_region(
	vm_address_t addr,
	vm_size_t size)
{
	/*
	 * NOTE(review): the rounding happens before the overflow check below, and
	 * that check only covers addr + size_aligned. Confirm that round_page()
	 * cannot itself wrap for a size close to the maximum.
	 */
	vm_size_t size_aligned = round_page(size);
	vm_address_t addr_end = 0;

	if ((addr & PAGE_MASK) != 0) {
		panic("attempted to transfer non-page-aligned memory to TXM: %p", (void*)addr);
	}
	if (os_add_overflow(addr, size_aligned, &addr_end)) {
		panic("overflow on range to be transferred to TXM: %p | %lu",
		    (void*)addr, size);
	}

	/*
	 * Make the memory read-only first (transfer will panic otherwise).
	 * NOTE(review): the vm_protect() result is not checked; a failure here is
	 * only caught indirectly by the transfer below.
	 */
	vm_protect(kernel_map, addr, size_aligned, false, VM_PROT_READ);

	/* Transfer each physical page to be TXM_DEFAULT */
	vm_address_t page = addr;
	while (page < addr_end) {
		pmap_txm_transfer_page(page);
		page += PAGE_SIZE;
	}
}
453*8d741a5dSApple OSS Distributions
/*
 * Take back a range of memory that was previously given to TXM.
 *
 * `addr` must be page-aligned; `size` is rounded up to whole pages. A
 * misaligned address or a range that overflows the address space panics. No
 * per-page work is done here: the range is only switched back to read-write.
 */
void
txm_reclaim_region(
	vm_address_t addr,
	vm_size_t size)
{
	vm_size_t size_aligned = round_page(size);

	/* Only written by the overflow check; the end address is not used further */
	vm_address_t addr_end = 0;

	if ((addr & PAGE_MASK) != 0) {
		panic("attempted to reclaim non-page-aligned memory from TXM: %p", (void*)addr);
	}
	if (os_add_overflow(addr, size_aligned, &addr_end)) {
		panic("overflow on range to be reclaimed from TXM: %p | %lu",
		    (void*)addr, size);
	}

	/*
	 * We can only reclaim once TXM has transferred the memory range back to the
	 * kernel. Hence, we simply try and switch permissions to read-write. If TXM
	 * hasn't transferred pages, this then should panic.
	 *
	 * NOTE(review): the vm_protect() result is discarded, so the only signal of
	 * a premature reclaim is that expected panic. Confirm that no path returns
	 * an error here and leaves the range read-only without panicking.
	 */
	vm_protect(kernel_map, addr, size_aligned, false, VM_PROT_READ | VM_PROT_WRITE);
}
476*8d741a5dSApple OSS Distributions
/*
 * Pointers into the TXM log state, all declared const so the kernel only ever
 * reads through them. They start out NULL; where they get assigned is not
 * visible in this part of the file.
 * NOTE(review): SECURITY_READ_ONLY_LATE is expected to make the pointers
 * themselves immutable once early boot has finished -- confirm they are set
 * before that point.
 */
static SECURITY_READ_ONLY_LATE(const char*) txm_log_page = NULL;
static SECURITY_READ_ONLY_LATE(const uint32_t*) txm_log_head = NULL;
static SECURITY_READ_ONLY_LATE(const uint32_t*) txm_log_sync = NULL;

/* presumably serializes txm_print_logs() -- its use is outside this view */
static decl_lck_mtx_data(, log_lock);

/* The kernel's own read position in the log, kept separately from TXM's head */
static uint32_t log_head = 0;
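/*
 * Print every TXM log slot between the kernel's head and TXM's current head.
 *
 * Returns without doing anything until get_logging_info() has populated the
 * log pointers. Only the index calculation runs under log_lock; the printing
 * itself happens after the lock is released.
 */
void
txm_print_logs(void)
{
	uint32_t start_index = 0;
	uint32_t end_index = 0;

	/*
	 * The design here is very simple. TXM keeps adding slots to its circular
	 * buffer and the kernel attempts to read each one and print it, keeping
	 * its own head for the log.
	 *
	 * The design is lazy by nature. TXM doesn't know or care whether the
	 * kernel has printed any of the logs, so it keeps writing into its buffer
	 * and circles around once the buffer is full.
	 *
	 * This is fine most of the time since the buffer has a decent number of
	 * slots. The problem case is TXM logging so quickly that it wraps around
	 * and overwrites slots the kernel hasn't seen yet. TXM's head may then
	 * pass the kernel's head, and many logs are missed, because the kernel
	 * only prints the slots in between the two heads.
	 *
	 * The fix for that is complicated, and until there is an actual impact,
	 * the simpler design stays in place.
	 */

	/* Nothing to do if logging hasn't been set up yet */
	if (txm_log_sync == NULL) {
		return;
	}

	/*
	 * Printing can be slow, and some actions (such as loading trust caches)
	 * are very chatty, so the lock must not be held while printing. The
	 * critical section only computes the first and last slot index and moves
	 * the kernel's head forward.
	 */
	lck_mtx_lock(&log_lock);
	start_index = log_head;
	end_index = os_atomic_load(txm_log_head, relaxed) % kTXMLogSlots;
	log_head = end_index;
	lck_mtx_unlock(&log_lock);

	if (start_index == end_index) {
		return;
	}

	/* Load-acquire to sync up with all of TXM's writes to the buffer */
	os_atomic_load(txm_log_sync, acquire);

	while (start_index != end_index) {
		const char *slot = txm_log_page + (start_index * kTXMLogSlotSize);

		/*
		 * TXM does not terminate log statements with a newline, so add one.
		 * The read is bounded to a single slot: TXM may be rewriting a slot
		 * while it is printed (see the wrap-around case above), and a slot
		 * without a terminator must not carry the read into the next slot
		 * or past the end of the log page.
		 */
		printf("%.*s\n", (int)kTXMLogSlotSize, slot);

		start_index = (start_index + 1) % kTXMLogSlots;
	}
}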
550*8d741a5dSApple OSS Distributions
551*8d741a5dSApple OSS Distributions #pragma mark Initialization
552*8d741a5dSApple OSS Distributions
/*
 * TXM-provided state. txm_ro_data and txm_stats come straight from the words
 * returned to get_code_signing_info(); txm_cs_config points into txm_ro_data.
 */
SECURITY_READ_ONLY_LATE(const TXMReadOnlyData_t*) txm_ro_data = NULL;
SECURITY_READ_ONLY_LATE(const TXMStatistics_t*) txm_stats = NULL;
SECURITY_READ_ONLY_LATE(const CSConfig_t*) txm_cs_config = NULL;

/* Left NULL unless the system policy's feature set reports restricted execution mode */
SECURITY_READ_ONLY_LATE(CSRestrictedModeState_t*) txm_restricted_mode_state = NULL;

/* Pointer returned by TXM; the flag itself is not stored in this file */
SECURITY_READ_ONLY_LATE(bool*) developer_mode_enabled = NULL;

/* Defaults to enabled; overwritten from txm_ro_data->codeSigningDisabled during init */
static SECURITY_READ_ONLY_LATE(bool) code_signing_enabled = true;

/* Value reported through txm_managed_code_signature_size() */
static SECURITY_READ_ONLY_LATE(uint32_t) managed_signature_size = 0;

/* Held around the compilation service cdhash calls into TXM */
static decl_lck_mtx_data(, compilation_service_lock);

/* Taken while a profile is disassociated from a signature */
static decl_lck_mtx_data(, unregister_sync_lock);
564*8d741a5dSApple OSS Distributions
/*
 * Ask TXM for its logging state and record the three returned words as the
 * log page, log head and log sync pointers used by txm_print_logs().
 *
 * The call is marked failure_fatal, so no return value is checked here
 * (presumably txm_kernel_call() panics on failure -- confirm).
 */
static void
get_logging_info(void)
{
	txm_call_t call = {
		.num_output_args = 3,
		.failure_fatal = true,
		.selector = kTXMKernelSelectorGetLogInfo
	};

	txm_kernel_call(&call);

	/* The returned words are taken as addresses without further validation */
	txm_log_sync = (const uint32_t*)call.return_words[2];
	txm_log_head = (const uint32_t*)call.return_words[1];
	txm_log_page = (const char*)call.return_words[0];
}
579*8d741a5dSApple OSS Distributions
/*
 * Fetch the code signing configuration from TXM and cache it in the
 * file-level read-only-late variables.
 *
 * Six output words are requested; words 0 and 4 are ignored (see below).
 */
static void
get_code_signing_info(void)
{
	txm_call_t call = {
		.num_output_args = 6,
		.failure_fatal = true,
		.selector = kTXMKernelSelectorGetCodeSigningInfo
	};

	txm_kernel_call(&call);

	/*
	 * return_words[0] is unused for now. It used to carry the
	 * code_signing_enabled field, which is now taken from TXM's read-only
	 * data instead.
	 *
	 * return_words[4] is unused for now. It used to carry the txm_cs_config
	 * field, which is now taken from TXM's read-only data as well.
	 */

	/* The read-only data goes first since the derived values below need it */
	txm_ro_data = (TXMReadOnlyData_t*)call.return_words[5];
	managed_signature_size = (uint32_t)call.return_words[3];
	txm_stats = (TXMStatistics_t*)call.return_words[2];
	developer_mode_enabled = (bool*)call.return_words[1];

	/* code_signing_enabled is the inverse of the read-only "disabled" flag */
	code_signing_enabled = !txm_ro_data->codeSigningDisabled;

	/* txm_cs_config points into the read-only data */
	txm_cs_config = &txm_ro_data->CSConfiguration;

	/* The REM state is only picked up when the platform supports REM */
	if (txm_cs_config->systemPolicy->featureSet.restrictedExecutionMode == true) {
		txm_restricted_mode_state = txm_ro_data->restrictedModeState;
	}
}
616*8d741a5dSApple OSS Distributions
/*
 * Pass SHARED_REGION_BASE and SHARED_REGION_SIZE to TXM as the two input
 * arguments of the set-shared-region-base-address selector.
 */
static void
set_shared_region_base_address(void)
{
	txm_call_t call = {
		.num_input_args = 2,
		.failure_fatal = true,
		.selector = kTXMKernelSelectorSetSharedRegionBaseAddress,
	};

	txm_kernel_call(&call, SHARED_REGION_BASE, SHARED_REGION_SIZE);
}
630*8d741a5dSApple OSS Distributions
/*
 * Initialize the kernel side of the TXM interface: thread stacks, locks,
 * logging state, code signing configuration and the shared region base.
 *
 * The steps run in a fixed order; the logging lock is initialized before the
 * logging info is fetched.
 */
void
code_signing_init(void)
{
#if kTXMKernelAPIVersion >= 6
	printf("libTXM_KernelVersion: %u\n", libTrustedExecutionMonitor_KernelVersion);
	printf("libTXM_Image4Version: %u\n", libTrustedExecutionMonitor_Image4Version);
#endif

	/* Thread stacks used by TXM */
	setup_thread_stacks();

	/* Logging: the lock first, then the buffer locations from TXM */
	lck_mtx_init(&log_lock, &txm_lck_grp, 0);
	get_logging_info();

	/* Code signing configuration */
	get_code_signing_info();

	/* Remaining locks used by this file */
	lck_mtx_init(&compilation_service_lock, &txm_lck_grp, 0);
	lck_mtx_init(&unregister_sync_lock, &txm_lck_grp, 0);

	/* TXM has to be told the shared region base address for this boot */
	set_shared_region_base_address();

	/* With the monitor enforcing code signing, unsigned code must fail */
	if (code_signing_enabled) {
		cs_debug_fail_on_unsigned_code = 1;
	}
}
666*8d741a5dSApple OSS Distributions
/*
 * Issue the enter-lockdown-mode selector to TXM. The call takes no arguments
 * and is marked failure_fatal, so nothing is returned to the caller.
 */
void
txm_enter_lockdown_mode(void)
{
	txm_call_t call = {
		.failure_fatal = true,
		.selector = kTXMKernelSelectorEnterLockdownMode,
	};

	txm_kernel_call(&call);
}
676*8d741a5dSApple OSS Distributions
/*
 * Query TXM for the secure channel shared page.
 *
 * secure_channel_phys: optional out-parameter, receives return word 0
 *                      (the physical address).
 * secure_channel_size: optional out-parameter, receives return word 1
 *                      (the size).
 *
 * Returns KERN_SUCCESS on success and KERN_NOT_SUPPORTED when TXM reports the
 * selector as unsupported or the kernel API version is below 5. Any other
 * failure from TXM panics.
 */
kern_return_t
txm_secure_channel_shared_page(
	uint64_t *secure_channel_phys,
	size_t *secure_channel_size)
{
#if kTXMKernelAPIVersion >= 5
	txm_call_t call = {
		.num_output_args = 2,
		.selector = kTXMKernelSelectorGetSecureChannelAddr
	};
	kern_return_t status = txm_kernel_call(&call);

	switch (status) {
	case KERN_SUCCESS:
		break;
	case KERN_NOT_SUPPORTED:
		/* The only failure the caller is allowed to see */
		return status;
	default:
		panic("unexpected failure for TXM secure channel: %d", status);
	}

	/* Either out-parameter may be NULL when the caller doesn't need it */
	if (secure_channel_phys != NULL) {
		*secure_channel_phys = call.return_words[0];
	}
	if (secure_channel_size != NULL) {
		*secure_channel_size = call.return_words[1];
	}

	return KERN_SUCCESS;
#else
	(void)secure_channel_phys;
	(void)secure_channel_size;
	return KERN_NOT_SUPPORTED;
#endif
}
712*8d741a5dSApple OSS Distributions
713*8d741a5dSApple OSS Distributions #pragma mark Developer Mode
714*8d741a5dSApple OSS Distributions
/*
 * Forward the requested developer mode state to TXM as the single input
 * argument of the developer-mode-toggle selector. The call is marked
 * failure_fatal and nothing is returned.
 *
 * NOTE(review): no authorization check is visible in this function; whatever
 * gates a developer mode change has to happen in the callers or inside TXM.
 */
void
txm_toggle_developer_mode(bool state)
{
	txm_call_t call = {
		.num_input_args = 1,
		.failure_fatal = true,
		.selector = kTXMKernelSelectorDeveloperModeToggle
	};

	txm_kernel_call(&call, state);
}
726*8d741a5dSApple OSS Distributions
727*8d741a5dSApple OSS Distributions #pragma mark Restricted Execution Mode
728*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to enable restricted execution mode and hand TXM's result back to
 * the caller unchanged. The call is not marked failure_fatal, so the caller
 * has to act on the return value.
 */
kern_return_t
txm_rem_enable(void)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorEnableRestrictedMode
	};
	kern_return_t status = txm_kernel_call(&call);

	return status;
}
737*8d741a5dSApple OSS Distributions
/*
 * Report the restricted execution mode status.
 *
 * Returns KERN_NOT_SUPPORTED when no restricted mode state was set up during
 * init, KERN_SUCCESS when restrictedModeStatus() reports kCSReturnSuccess,
 * and KERN_DENIED for every other result.
 */
kern_return_t
txm_rem_state(void)
{
	if (txm_restricted_mode_state == NULL) {
		return KERN_NOT_SUPPORTED;
	}

	CSReturn_t status = restrictedModeStatus(txm_restricted_mode_state);

	return (status.error == kCSReturnSuccess) ? KERN_SUCCESS : KERN_DENIED;
}
751*8d741a5dSApple OSS Distributions
752*8d741a5dSApple OSS Distributions #pragma mark Device State
753*8d741a5dSApple OSS Distributions
/*
 * Issue the update-device-state selector to TXM. Compiles to an empty
 * function when the kernel API version is below 6.
 */
void
txm_update_device_state(void)
{
#if kTXMKernelAPIVersion >= 6
	txm_call_t call = {
		.failure_fatal = true,
		.selector = kTXMSelectorUpdateDeviceState
	};

	txm_kernel_call(&call);
#endif
}
765*8d741a5dSApple OSS Distributions
/*
 * Pass security_boot_mode to TXM as the single input argument of the
 * complete-security-boot-mode selector. The call is marked failure_fatal.
 *
 * When the kernel API version is below 6 the function does nothing, which is
 * why the parameter carries __unused.
 */
void
txm_complete_security_boot_mode(
	__unused uint32_t security_boot_mode)
{
#if kTXMKernelAPIVersion >= 6
	txm_call_t call = {
		.failure_fatal = true,
		.num_input_args = 1,
		.selector = kTXMSelectorCompleteSecurityBootMode
	};

	txm_kernel_call(&call, security_boot_mode);
#endif
}
779*8d741a5dSApple OSS Distributions
780*8d741a5dSApple OSS Distributions #pragma mark Code Signing and Provisioning Profiles
781*8d741a5dSApple OSS Distributions
/*
 * Return the cached code signing state, which init derives from the
 * codeSigningDisabled flag in TXM's read-only data.
 */
bool
txm_code_signing_enabled(void)
{
	const bool enabled = code_signing_enabled;

	return enabled;
}
787*8d741a5dSApple OSS Distributions
/*
 * Return the managed signature size that TXM reported during init, widened
 * from the stored uint32_t to vm_size_t.
 */
vm_size_t
txm_managed_code_signature_size(void)
{
	return (vm_size_t)managed_signature_size;
}
793*8d741a5dSApple OSS Distributions
/*
 * Copy a provisioning profile into a fresh kernel allocation, transfer that
 * allocation to TXM and register the profile with it.
 *
 * profile_blob:      source bytes of the profile.
 * profile_blob_size: number of bytes to copy and register.
 * profile_obj:       receives return word 0 from TXM on success; it is
 *                    dereferenced without a NULL check, so callers must pass
 *                    a valid pointer.
 *
 * Returns the kmem_alloc() error if the allocation fails, otherwise the
 * result of the TXM call. On a failed TXM call the range is reclaimed and
 * freed again; on success the allocation stays with TXM.
 */
kern_return_t
txm_register_provisioning_profile(
	const void *profile_blob,
	const size_t profile_blob_size,
	void **profile_obj)
{
	txm_call_t call = {
		.num_output_args = 1,
		.num_input_args = 2,
		.selector = kTXMKernelSelectorRegisterProvisioningProfile
	};
	kern_return_t ret = KERN_DENIED;
	vm_address_t payload_addr = 0;

	/* The range is handed to TXM, so it has to be allocated page-wise */
	ret = kmem_alloc(kernel_map, &payload_addr, profile_blob_size,
	    KMA_KOBJECT | KMA_DATA, VM_KERN_MEMORY_SECURITY);

	if (ret == KERN_SUCCESS) {
		/*
		 * NOTE(review): only profile_blob_size bytes are written. If the
		 * allocation is rounded up to whole pages, confirm what the tail
		 * of the last page holds when the range is transferred.
		 */
		memcpy((void*)payload_addr, profile_blob, profile_blob_size);

		/* From here on the range belongs to TXM */
		txm_transfer_region(payload_addr, profile_blob_size);

		ret = txm_kernel_call(&call, payload_addr, profile_blob_size);
		if (ret == KERN_SUCCESS) {
			*profile_obj = (void*)call.return_words[0];
		}
	} else {
		printf("unable to allocate memory for profile payload: %d\n", ret);
	}

	if ((ret != KERN_SUCCESS) && (payload_addr != 0)) {
		/*
		 * Failure after the allocation: take the range back and free it.
		 * This relies on TXM having released the range when its call
		 * fails; txm_reclaim_region() documents that it should panic
		 * otherwise.
		 */
		txm_reclaim_region(payload_addr, profile_blob_size);
		kmem_free(kernel_map, payload_addr, profile_blob_size);
		payload_addr = 0;
	}

	return ret;
}
839*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to trust a registered provisioning profile, passing the profile
 * object, the signature data and the signature size as the three inputs.
 *
 * Returns TXM's result when the kernel API version is at least 7.
 *
 * NOTE(review): on older API versions this returns KERN_SUCCESS without
 * consulting TXM at all, so callers cannot tell "trusted" from "not checked".
 * Confirm that no shipping configuration builds with an API version below 7,
 * or that callers do not treat this result as a trust decision there.
 */
kern_return_t
txm_trust_provisioning_profile(
	__unused void *profile_obj,
	__unused const void *sig_data,
	__unused size_t sig_size)
{
#if kTXMKernelAPIVersion >= 7
	txm_call_t call = {
		.num_input_args = 3,
		.selector = kTXMKernelSelectorTrustProvisioningProfile
	};
	kern_return_t status = txm_kernel_call(&call, profile_obj, sig_data, sig_size);

	return status;
#else
	/* The TXM selector hasn't landed yet */
	return KERN_SUCCESS;
#endif
}
858*8d741a5dSApple OSS Distributions
/*
 * Unregister a provisioning profile from TXM and release the memory that
 * backed it.
 *
 * On success TXM returns the address and size of the profile's range in
 * return words 0 and 1; that range is reclaimed and then freed. A failed TXM
 * call is returned to the caller unchanged and nothing is freed.
 *
 * The address and size are used exactly as TXM reports them; the only checks
 * applied are the alignment and overflow checks in txm_reclaim_region().
 */
kern_return_t
txm_unregister_provisioning_profile(
	void *profile_obj)
{
	txm_call_t call = {
		.num_output_args = 2,
		.num_input_args = 1,
		.selector = kTXMKernelSelectorUnregisterProvisioningProfile
	};
	kern_return_t ret = txm_kernel_call(&call, profile_obj);

	if (ret != KERN_SUCCESS) {
		return ret;
	}

	vm_address_t profile_addr = call.return_words[0];
	vm_size_t profile_size = call.return_words[1];

	/* Take the range back from TXM, then return it to the kernel map */
	txm_reclaim_region(profile_addr, profile_size);
	kmem_free(kernel_map, profile_addr, profile_size);

	return KERN_SUCCESS;
}
888*8d741a5dSApple OSS Distributions
/*
 * Associate a provisioning profile object with a signature object in TXM.
 * Both objects are passed through as opaque pointers and TXM's result is
 * returned unchanged.
 */
kern_return_t
txm_associate_provisioning_profile(
	void *sig_obj,
	void *profile_obj)
{
	txm_call_t call = {
		.num_input_args = 2,
		.selector = kTXMKernelSelectorAssociateProvisioningProfile,
	};
	kern_return_t status = txm_kernel_call(&call, sig_obj, profile_obj);

	return status;
}
901*8d741a5dSApple OSS Distributions
/*
 * Disassociate the provisioning profile from a signature object in TXM.
 *
 * The TXM call is made with unregister_sync_lock held, and TXM's result is
 * returned unchanged once the lock has been dropped.
 */
kern_return_t
txm_disassociate_provisioning_profile(
	void *sig_obj)
{
	txm_call_t call = {
		.num_input_args = 1,
		.selector = kTXMKernelSelectorDisassociateProvisioningProfile,
	};
	kern_return_t status = KERN_DENIED;

	/*
	 * The unregistration sync lock covers the whole TXM call.
	 * For more information: rdar://99205627.
	 */
	lck_mtx_lock(&unregister_sync_lock);
	status = txm_kernel_call(&call, sig_obj);
	lck_mtx_unlock(&unregister_sync_lock);

	return status;
}
925*8d741a5dSApple OSS Distributions
/*
 * Authorize a compilation service cdhash with TXM. The cdhash pointer is the
 * single input argument and the call is made under compilation_service_lock.
 *
 * NOTE(review): the call is not marked failure_fatal and its return value is
 * discarded, so a rejected authorization is invisible to the caller.
 */
void
txm_set_compilation_service_cdhash(
	const uint8_t cdhash[CS_CDHASH_LEN])
{
	txm_call_t call = {
		.num_input_args = 1,
		.selector = kTXMKernelSelectorAuthorizeCompilationServiceCDHash,
	};

	lck_mtx_lock(&compilation_service_lock);
	txm_kernel_call(&call, cdhash);
	lck_mtx_unlock(&compilation_service_lock);
}
939*8d741a5dSApple OSS Distributions
/*
 * Ask TXM whether a cdhash matches the authorized compilation service cdhash.
 *
 * Returns true only when the TXM call returns KERN_SUCCESS; every other
 * result, whatever its cause, is reported as "no match". The call sets
 * failure_silent (presumably to keep a mismatch out of the log -- confirm
 * against txm_kernel_call()).
 */
bool
txm_match_compilation_service_cdhash(
	const uint8_t cdhash[CS_CDHASH_LEN])
{
	txm_call_t call = {
		.num_output_args = 1,
		.num_input_args = 1,
		.failure_silent = true,
		.selector = kTXMKernelSelectorMatchCompilationServiceCDHash,
	};
	kern_return_t status = KERN_DENIED;

	/* Take the lock to be safe and avoid thread collisions */
	lck_mtx_lock(&compilation_service_lock);
	status = txm_kernel_call(&call, cdhash);
	lck_mtx_unlock(&compilation_service_lock);

	return status == KERN_SUCCESS;
}
962*8d741a5dSApple OSS Distributions
/*
 * Hand the local signing public key to TXM; the key pointer is the single
 * input argument.
 *
 * NOTE(review): the call is not marked failure_fatal and its return value is
 * discarded, so the caller cannot tell whether TXM accepted the key.
 */
void
txm_set_local_signing_public_key(
	const uint8_t public_key[XNU_LOCAL_SIGNING_KEY_SIZE])
{
	txm_call_t call = {
		.num_input_args = 1,
		.selector = kTXMKernelSelectorSetLocalSigningPublicKey,
	};

	txm_kernel_call(&call, public_key);
}
974*8d741a5dSApple OSS Distributions
/*
 * Fetch the local signing public key from TXM.
 *
 * Returns return word 0 from TXM cast to a byte pointer, or NULL when the TXM
 * call fails. Who owns the returned memory is not visible in this function.
 */
uint8_t*
txm_get_local_signing_public_key(void)
{
	txm_call_t call = {
		.num_output_args = 1,
		.selector = kTXMKernelSelectorGetLocalSigningPublicKey,
	};
	kern_return_t status = txm_kernel_call(&call);

	return (status == KERN_SUCCESS) ? (uint8_t*)call.return_words[0] : NULL;
}
991*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to authorize a locally signed CDHash
 * (selector kTXMKernelSelectorAuthorizeLocalSigningCDHash).
 *
 * cdhash: buffer declared as CS_CDHASH_LEN bytes; passed to TXM as the single
 *         input argument.
 *
 * NOTE(review): the result of txm_kernel_call() is discarded and the call is
 * not marked failure_fatal, so the caller cannot tell whether the CDHash was
 * actually authorized. Confirm that this is intended.
 */
void
txm_unrestrict_local_signing_cdhash(
	const uint8_t cdhash[CS_CDHASH_LEN])
{
	txm_call_t authorize_call = {
		.selector = kTXMKernelSelectorAuthorizeLocalSigningCDHash,
		.num_input_args = 1,
	};

	txm_kernel_call(&authorize_call, cdhash);
}
1003*8d741a5dSApple OSS Distributions
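/*
 * Register a code signature blob with TXM.
 *
 * signature_addr:        address of the signature blob.
 * signature_size:        size of the signature blob.
 * code_directory_offset: unused; TXM selects the code directory itself.
 * signature_path:        path string forwarded to TXM as the third input.
 * sig_obj:               on success, receives the TXM signature object
 *                        (first return word).
 * txm_signature_addr:    on success, receives the signature address reported
 *                        by TXM (second return word).
 *
 * Returns the kern_return_t of the TXM call. On failure neither output
 * pointer is written, and a region that was transferred to TXM up front is
 * reclaimed.
 *
 * NOTE(review): sig_obj and txm_signature_addr are dereferenced without a
 * NULL check on the success path; callers must pass valid pointers.
 */
kern_return_t
txm_register_code_signature(
	const vm_address_t signature_addr,
	const vm_size_t signature_size,
	const vm_offset_t code_directory_offset,
	const char *signature_path,
	void **sig_obj,
	vm_address_t *txm_signature_addr)
{
	txm_call_t txm_call = {
		.selector = kTXMKernelSelectorRegisterCodeSignature,
		.num_input_args = 3,
		.num_output_args = 2,
	};
	kern_return_t ret = KERN_DENIED;
	bool region_transferred = false;

	/*
	 * TXM performs more exhaustive validation of the code signature and figures
	 * out the best code directory to use on its own. As a result, this offset here
	 * is not used.
	 */
	(void)code_directory_offset;

	/*
	 * If the signature is large enough to not fit within TXM's managed signature
	 * size, then we need to transfer it over so it is owned by TXM. Remember the
	 * decision so that the failure path below reclaims exactly when a transfer
	 * happened, rather than re-evaluating the size threshold a second time.
	 */
	if (signature_size > txm_managed_code_signature_size()) {
		txm_transfer_region(signature_addr, signature_size);
		region_transferred = true;
	}

	ret = txm_kernel_call(
		&txm_call,
		signature_addr,
		signature_size,
		signature_path);

	if (ret != KERN_SUCCESS) {
		goto exit;
	}

	*sig_obj = (void*)txm_call.return_words[0];
	*txm_signature_addr = txm_call.return_words[1];

exit:
	/* Undo the ownership transfer when registration did not succeed */
	if ((ret != KERN_SUCCESS) && region_transferred) {
		txm_reclaim_region(signature_addr, signature_size);
	}

	return ret;
}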
1055*8d741a5dSApple OSS Distributions
/*
 * Unregister a code signature object from TXM and, when its memory was not
 * TXM managed, reclaim the backing region.
 *
 * sig_obj: TXM signature object; it is read as a TXMCodeSignature_t before
 *          the call and then passed to TXM as the single input argument.
 *
 * Always returns KERN_SUCCESS; the TXM call is marked failure_fatal.
 *
 * NOTE(review): sig_obj is dereferenced without a NULL check.
 */
kern_return_t
txm_unregister_code_signature(
	void *sig_obj)
{
	txm_call_t unregister_call = {
		.selector = kTXMKernelSelectorUnregisterCodeSignature,
		.failure_fatal = true,
		.num_input_args = 1,
		.num_output_args = 2,
	};
	TXMCodeSignature_t *cs_obj = sig_obj;

	/*
	 * Sample the memory type before the unregister call.
	 * NOTE(review): presumably the object must not be read once TXM has
	 * unregistered it -- confirm before moving this read.
	 */
	const bool is_bulk_data = (cs_obj->sptmType == TXM_BULK_DATA);

	/*
	 * Take the unregistration sync lock.
	 * For more information: rdar://99205627.
	 */
	lck_mtx_lock(&unregister_sync_lock);

	/* Unregister the signature from TXM -- cannot fail */
	txm_kernel_call(&unregister_call, sig_obj);

	/* Release the unregistration sync lock */
	lck_mtx_unlock(&unregister_sync_lock);

	/* TXM reports the signature's address and size in the two return words */
	vm_address_t reclaim_addr = unregister_call.return_words[0];
	vm_size_t reclaim_size = unregister_call.return_words[1];

	/* Only memory which is not TXM managed needs to be reclaimed */
	if (is_bulk_data) {
		txm_reclaim_region(reclaim_addr, reclaim_size);
	}

	return KERN_SUCCESS;
}
1096*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to validate a previously registered code signature.
 *
 * sig_obj: TXM signature object, passed as the single input argument.
 *
 * Returns the kern_return_t of the TXM call unchanged; callers must treat
 * anything other than KERN_SUCCESS as a failed validation.
 */
kern_return_t
txm_verify_code_signature(
	void *sig_obj)
{
	txm_call_t validate_call = {
		.selector = kTXMKernelSelectorValidateCodeSignature,
		.num_input_args = 1,
	};
	kern_return_t result = KERN_DENIED;

	/*
	 * Validation may look up the trust cache. Hold the trust cache runtime
	 * lock as a reader for the duration of the call so that it does not
	 * collide with a thread which is loading a trust cache.
	 */
	lck_rw_lock_shared(&txm_trust_cache_lck);
	result = txm_kernel_call(&validate_call, sig_obj);
	lck_rw_unlock_shared(&txm_trust_cache_lck);

	return result;
}
1119*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to reconstitute a code signature and reclaim whatever region TXM
 * reports back in its return words.
 *
 * sig_obj:       TXM signature object, passed as the single input argument.
 * unneeded_addr: receives the address returned by TXM (may be 0).
 * unneeded_size: receives the size returned by TXM (may be 0).
 *
 * Always returns KERN_SUCCESS; the TXM call is marked failure_fatal.
 *
 * NOTE(review): both output pointers are written unconditionally, so callers
 * must pass valid pointers.
 */
kern_return_t
txm_reconstitute_code_signature(
	void *sig_obj,
	vm_address_t *unneeded_addr,
	vm_size_t *unneeded_size)
{
	txm_call_t reconstitute_call = {
		.selector = kTXMKernelSelectorReconstituteCodeSignature,
		.failure_fatal = true,
		.num_input_args = 1,
		.num_output_args = 2,
	};

	/* Reconstitute the code signature -- cannot fail */
	txm_kernel_call(&reconstitute_call, sig_obj);

	vm_address_t freed_addr = reconstitute_call.return_words[0];
	vm_size_t freed_size = reconstitute_call.return_words[1];

	/* A zero address or a zero size means there is nothing to reclaim */
	if ((freed_addr != 0) && (freed_size != 0)) {
		txm_reclaim_region(freed_addr, freed_size);
	}

	/* The values are reported to the caller whether or not a reclaim happened */
	*unneeded_addr = freed_addr;
	*unneeded_size = freed_size;

	return KERN_SUCCESS;
}
1151*8d741a5dSApple OSS Distributions
1152*8d741a5dSApple OSS Distributions #pragma mark Address Spaces
1153*8d741a5dSApple OSS Distributions
/*
 * Register a new address space with TXM and attach the resulting TXM address
 * space object to the pmap.
 *
 * pmap:          pmap which receives the TXM address space object.
 * addr_space_id: identifier forwarded to TXM as the first input argument.
 * flags:         flags forwarded to TXM as the second input argument.
 *
 * Always returns KERN_SUCCESS; the TXM call is marked failure_fatal.
 */
kern_return_t
txm_register_address_space(
	pmap_t pmap,
	uint16_t addr_space_id,
	TXMAddressSpaceFlags_t flags)
{
	txm_call_t register_call = {
		.selector = kTXMKernelSelectorRegisterAddressSpace,
		.failure_fatal = true,
		.num_input_args = 2,
		.num_output_args = 1,
	};

	/* Register the address space -- cannot fail */
	txm_kernel_call(&register_call, addr_space_id, flags);

	/* The single return word is the address space object; store it in the PMAP */
	pmap_txm_set_addr_space(
		pmap,
		(TXMAddressSpace_t*)register_call.return_words[0]);

	return KERN_SUCCESS;
}
1177*8d741a5dSApple OSS Distributions
/*
 * Unregister the pmap's address space from TXM and clear the pmap's
 * reference to the TXM address space object.
 *
 * pmap: pmap whose TXM address space object is unregistered.
 *
 * Always returns KERN_SUCCESS; the TXM call is marked failure_fatal.
 */
kern_return_t
txm_unregister_address_space(
	pmap_t pmap)
{
	txm_call_t unregister_call = {
		.selector = kTXMKernelSelectorUnregisterAddressSpace,
		.failure_fatal = true,
		.num_input_args = 1,
	};

	/* Fetched before the lock is taken and before the pmap reference is cleared */
	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);

	/*
	 * Take the unregistration sync lock.
	 * For more information: rdar://99205627.
	 */
	lck_mtx_lock(&unregister_sync_lock);

	/* Unregister the address space -- cannot fail */
	txm_kernel_call(&unregister_call, addr_space);

	/* Release the unregistration sync lock */
	lck_mtx_unlock(&unregister_sync_lock);

	/* Drop the now unregistered object from the pmap so it cannot be reused */
	pmap_txm_set_addr_space(pmap, NULL);

	return KERN_SUCCESS;
}
1206*8d741a5dSApple OSS Distributions
/*
 * Associate a registered code signature with a region of the pmap's TXM
 * address space, and set the pmap trust level when this association is the
 * one which establishes the address space's main region.
 *
 * pmap:          pmap whose TXM address space receives the association.
 * sig_obj:       TXM signature object.
 * region_addr:   start of the region; SHARED_REGION_BASE is added for shared
 *                region address spaces.
 * region_size:   size of the region.
 * region_offset: offset forwarded to TXM as the fifth input argument.
 *
 * Returns the kern_return_t of the final TXM call. Calls which come back
 * with KERN_OPERATION_TIMED_OUT are retried until a different result is seen.
 *
 * NOTE(review): the TXM address space object and sig_obj are dereferenced
 * without NULL checks, and the trust level is read from sig_obj after the
 * address space lock has been released.
 */
kern_return_t
txm_associate_code_signature(
	pmap_t pmap,
	void *sig_obj,
	const vm_address_t region_addr,
	const vm_size_t region_size,
	const vm_offset_t region_offset)
{
	txm_call_t txm_call = {
		.selector = kTXMKernelSelectorAssociateCodeSignature,
		.num_input_args = 5,
	};
	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);
	kern_return_t ret = KERN_DENIED;
	vm_address_t target_addr = region_addr;
	bool had_main_region = false;
	bool has_main_region = false;

	/*
	 * Associating a code signature may require exclusive access to the TXM address
	 * space lock within TXM.
	 */
	pmap_txm_acquire_exclusive_lock(pmap);

	/*
	 * For a nested (shared region) address space, every association has to land
	 * in the shared region base range. The VM layer makes its associations with
	 * TXM without the base range, yet enters mappings into the shared region with
	 * the base range applied. Adding the base address here normalizes the two.
	 */
	if (addr_space->addrSpaceID.type == kTXMAddressSpaceIDTypeSharedRegion) {
		target_addr += SHARED_REGION_BASE;
	}

	/*
	 * The VM attempts some non-contiguous mappings of platform code within
	 * launchd which TXM rejects. Those failures are harmless but produce a
	 * series of logs, so that particular failure code is silenced.
	 *
	 * TXMTODO: Scope this to launchd better. As written, the failure code is
	 * silenced for every address space of this ID type, not only launchd.
	 */
	if (addr_space->addrSpaceID.type == kTXMAddressSpaceIDTypeAddressSpace) {
		txm_call.failure_code_silent = kTXMReturnPlatformCodeMapping;
	}

	/* Record whether the main region was already set before calling into TXM */
	had_main_region = (addr_space->mainRegion != NULL);

	/*
	 * There is no easy method to sleep in the kernel, so a timed out call is
	 * simply reissued. This can burn CPU cycles, but the timeout case is not
	 * expected on legitimately operating systems.
	 */
	do {
		ret = txm_kernel_call(
			&txm_call,
			addr_space,
			sig_obj,
			target_addr,
			region_size,
			region_offset);
	} while (ret == KERN_OPERATION_TIMED_OUT);

	/*
	 * Only a successful call is allowed to count as having set the main region;
	 * the field is re-read while the exclusive lock is still held.
	 */
	if (ret == KERN_SUCCESS) {
		has_main_region = (addr_space->mainRegion != NULL);
	}

	/* Unlock the TXM address space lock */
	pmap_txm_release_exclusive_lock(pmap);

	/*
	 * The main region went from unset to set during this call, which means this
	 * signature object is the one associated with the main region. Its trust
	 * level becomes the trust level of the PMAP.
	 */
	if (!had_main_region && has_main_region) {
		const TXMCodeSignature_t *cs_obj = sig_obj;

		/*
		 * This is gross, as we're dereferencing into a private data structure type.
		 * There are 2 ways to clean this up in the future:
		 * 1. Import libCodeSignature, so we can use "codeSignatureGetTrustLevel".
		 * 2. Cache the trust level on the address space within TXM and then use it.
		 */
		pmap_txm_set_trust_level(pmap, cs_obj->sig.trustLevel);
	}

	return ret;
}
1310*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to allow a JIT region on the pmap's address space.
 *
 * pmap: pmap whose TXM address space is passed as the single input argument.
 *
 * Returns the kern_return_t of the TXM call unchanged. The call is made with
 * the pmap's TXM lock held shared.
 */
kern_return_t
txm_allow_jit_region(
	pmap_t pmap)
{
	txm_call_t allow_jit_call = {
		.selector = kTXMKernelSelectorAllowJITRegion,
		.num_input_args = 1,
	};
	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);
	kern_return_t result = KERN_DENIED;

	pmap_txm_acquire_shared_lock(pmap);
	result = txm_kernel_call(&allow_jit_call, addr_space);
	pmap_txm_release_shared_lock(pmap);

	return result;
}
1328*8d741a5dSApple OSS Distributions
/*
 * Associate a JIT region with the pmap's TXM address space.
 *
 * pmap:        pmap whose TXM address space receives the association.
 * region_addr: start of the JIT region.
 * region_size: size of the JIT region.
 *
 * Returns the kern_return_t of the TXM call unchanged.
 */
kern_return_t
txm_associate_jit_region(
	pmap_t pmap,
	const vm_address_t region_addr,
	const vm_size_t region_size)
{
	txm_call_t associate_call = {
		.selector = kTXMKernelSelectorAssociateJITRegion,
		.num_input_args = 3,
	};
	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);
	kern_return_t result = KERN_DENIED;

	/*
	 * Associating a JIT region may require exclusive access to the TXM address
	 * space lock within TXM, so the call is bracketed by the exclusive lock.
	 */
	pmap_txm_acquire_exclusive_lock(pmap);
	result = txm_kernel_call(
		&associate_call,
		addr_space,
		region_addr,
		region_size);
	pmap_txm_release_exclusive_lock(pmap);

	return result;
}
1359*8d741a5dSApple OSS Distributions
/*
 * Report whether the pmap's TXM address space allows invalid code.
 *
 * pmap: pmap whose TXM address space object is inspected.
 *
 * Returns KERN_SUCCESS when the allowsInvalidCode field of the address space
 * object is set, KERN_DENIED otherwise.
 *
 * NOTE(review): the address space object is dereferenced without a NULL
 * check.
 */
kern_return_t
txm_address_space_debugged(
	pmap_t pmap)
{
	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);
	bool invalid_code_allowed = false;

	/*
	 * No trap into the monitor is made here. Trapping would implicitly verify
	 * our pointers, which might be slightly more secure, but this is only a
	 * state check against the address space and the real policy around it
	 * still lives in the kernel, so entering the monitor would not add much.
	 */

	/* Relaxed atomic load of the field, taken under the shared lock */
	pmap_txm_acquire_shared_lock(pmap);
	invalid_code_allowed = os_atomic_load(&addr_space->allowsInvalidCode, relaxed);
	pmap_txm_release_shared_lock(pmap);

	return invalid_code_allowed ? KERN_SUCCESS : KERN_DENIED;
}
1385*8d741a5dSApple OSS Distributions
/*
 * Decide whether a debug region may be created in the pmap's address space.
 *
 * pmap:        pmap whose address space is checked.
 * region_addr: unused.
 * region_size: unused.
 *
 * Returns the result of txm_address_space_debugged(); a message is printed
 * when that result is not KERN_SUCCESS.
 */
kern_return_t
txm_associate_debug_region(
	pmap_t pmap,
	const vm_address_t region_addr,
	const vm_size_t region_size)
{
	/*
	 * No call into TXM is needed for this operation. All that has to be
	 * established is whether the TXM address space allows debug regions to be
	 * mapped in, so the region itself is never looked at.
	 */
	(void)region_addr;
	(void)region_size;

	const kern_return_t result = txm_address_space_debugged(pmap);

	if (result == KERN_SUCCESS) {
		return result;
	}

	printf("address space does not allow creating debug regions\n");
	return result;
}
1408*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to allow invalid code on the pmap's address space.
 *
 * pmap: pmap whose TXM address space is passed as the single input argument.
 *
 * Returns the kern_return_t of the TXM call unchanged; the decision to allow
 * or deny is made by TXM, and callers must honour a non-success result.
 */
kern_return_t
txm_allow_invalid_code(
	pmap_t pmap)
{
	txm_call_t allow_call = {
		.selector = kTXMKernelSelectorAllowInvalidCode,
		.num_input_args = 1,
	};
	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);
	kern_return_t result = KERN_DENIED;

	/*
	 * Allowing invalid code may require exclusive access to the TXM address
	 * space lock within TXM, so the call is bracketed by the exclusive lock.
	 */
	pmap_txm_acquire_exclusive_lock(pmap);
	result = txm_kernel_call(&allow_call, addr_space);
	pmap_txm_release_exclusive_lock(pmap);

	return result;
}
1431*8d741a5dSApple OSS Distributions
/*
 * Fetch the trust level recorded for a pmap through
 * pmap_txm_get_trust_level_kdp().
 *
 * pmap:        pmap to query.
 * trust_level: optional; when non-NULL it receives the trust level on
 *              success. It is left untouched on failure.
 *
 * Returns the error from pmap_txm_get_trust_level_kdp() when that call
 * fails, KERN_SUCCESS otherwise.
 */
kern_return_t
txm_get_trust_level_kdp(
	pmap_t pmap,
	uint32_t *trust_level)
{
	/* Start from the untrusted level so the local is never left unset */
	CSTrust_t level = kCSTrustUntrusted;
	const kern_return_t result = pmap_txm_get_trust_level_kdp(pmap, &level);

	if (result == KERN_SUCCESS) {
		if (trust_level != NULL) {
			*trust_level = level;
		}
		return KERN_SUCCESS;
	}

	return result;
}
1449*8d741a5dSApple OSS Distributions
/*
 * Fetch the JIT address range of a pmap.
 *
 * pmap:             pmap to query.
 * jit_region_start: forwarded unchanged to the pmap layer.
 * jit_region_end:   forwarded unchanged to the pmap layer.
 *
 * Returns whatever pmap_txm_get_jit_address_range_kdp() returns; no argument
 * validation is performed at this level.
 */
kern_return_t
txm_get_jit_address_range_kdp(
	pmap_t pmap,
	uintptr_t *jit_region_start,
	uintptr_t *jit_region_end)
{
	const kern_return_t result =
	    pmap_txm_get_jit_address_range_kdp(pmap, jit_region_start, jit_region_end);

	return result;
}
1458*8d741a5dSApple OSS Distributions
/*
 * Report whether a pmap's address space is exempt.
 *
 * pmap: pmap to check.
 *
 * Returns KERN_SUCCESS when pmap_performs_stage2_translations() reports true
 * for the pmap, KERN_DENIED otherwise.
 *
 * NOTE(review): what the exemption covers is not visible in this function;
 * presumably code signing enforcement for such pmaps -- confirm at callers.
 */
kern_return_t
txm_address_space_exempt(
	const pmap_t pmap)
{
	return (pmap_performs_stage2_translations(pmap) == true)
	       ? KERN_SUCCESS
	       : KERN_DENIED;
}
1469*8d741a5dSApple OSS Distributions
/*
 * Placeholder for fork preparation between two pmaps.
 *
 * old_pmap: unused.
 * new_pmap: unused.
 *
 * Always returns KERN_SUCCESS without touching either pmap or calling into
 * TXM.
 *
 * NOTE(review): callers receive success even though no state is prepared;
 * confirm that nothing depends on TXM state having been set up here.
 */
kern_return_t
txm_fork_prepare(
	pmap_t old_pmap,
	pmap_t new_pmap)
{
	/*
	 * Support will be added as the need for it becomes more important.
	 * TXMTODO: Complete this implementation.
	 */
	(void)new_pmap;
	(void)old_pmap;

	return KERN_SUCCESS;
}
1484*8d741a5dSApple OSS Distributions
/*
 * Ask TXM for the signing identifier of a signature object.
 *
 * sig_obj is passed to TXM as the single input argument. When signing_id is
 * non-NULL it receives the first TXM return word reinterpreted as a
 * const char pointer; this function neither copies nor validates that
 * pointer. Always returns KERN_SUCCESS: the result of txm_kernel_call() is
 * not inspected here.
 *
 * NOTE(review): failure_fatal is set, so txm_kernel_call() presumably
 * panics instead of returning on failure -- confirm. The string presumably
 * lives in TXM-owned memory; confirm its lifetime before caching it.
 */
kern_return_t
txm_acquire_signing_identifier(
	const void *sig_obj,
	const char **signing_id)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorAcquireSigningIdentifier,
		.num_input_args = 1,
		.num_output_args = 1,
		.failure_fatal = true,
	};

	/* Fetch the signing ID -- this is not expected to fail */
	txm_kernel_call(&call, sig_obj);

	/* The caller may only want the side effect of the call */
	if (signing_id == NULL) {
		return KERN_SUCCESS;
	}

	*signing_id = (const char*)call.return_words[0];
	return KERN_SUCCESS;
}
1505*8d741a5dSApple OSS Distributions
1506*8d741a5dSApple OSS Distributions #pragma mark Entitlements
1507*8d741a5dSApple OSS Distributions
/*
 * Associate a kernel entitlements object with a signature object in TXM.
 *
 * Both pointers are passed to TXM as the two input arguments; nothing is
 * read back. Always returns KERN_SUCCESS because the result of
 * txm_kernel_call() is discarded.
 *
 * NOTE(review): failure_fatal is set, so a TXM-side rejection presumably
 * panics rather than returning -- confirm in txm_kernel_call().
 */
kern_return_t
txm_associate_kernel_entitlements(
	void *sig_obj,
	const void *kernel_entitlements)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorAssociateKernelEntitlements,
		.num_input_args = 2,
		.failure_fatal = true,
	};

	/* Bind the entitlements to the signature -- not expected to fail */
	txm_kernel_call(&call, sig_obj, kernel_entitlements);

	return KERN_SUCCESS;
}
1524*8d741a5dSApple OSS Distributions
/*
 * Look up the kernel entitlements object for an address space.
 *
 * Returns KERN_NOT_FOUND for the TXM kernel pmap without calling TXM. For
 * any other pmap, the TXM address space is passed to TXM while the pmap's
 * shared lock is held, and the result of txm_kernel_call() is returned.
 * On KERN_SUCCESS, a non-NULL kernel_entitlements receives the first TXM
 * return word as a pointer; on failure it is left untouched.
 *
 * The call is configured with skip_logs and failure_silent, so a failed
 * lookup is an ordinary outcome that callers must check for.
 *
 * NOTE(review): the pointer is handed to the caller after the shared lock
 * has been released -- confirm what keeps the entitlements object alive.
 */
kern_return_t
txm_resolve_kernel_entitlements(
	pmap_t pmap,
	const void **kernel_entitlements)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorResolveKernelEntitlementsAddressSpace,
		.skip_logs = true,
		.num_input_args = 1,
		.num_output_args = 1,
		.failure_silent = true,
	};

	/* The kernel pmap is never resolved through TXM */
	if (pmap == pmap_txm_kernel_pmap()) {
		return KERN_NOT_FOUND;
	}

	TXMAddressSpace_t *addr_space = pmap_txm_addr_space(pmap);

	/* Hold the shared lock only for the duration of the TXM call */
	pmap_txm_acquire_shared_lock(pmap);
	const kern_return_t kr = txm_kernel_call(&call, addr_space);
	pmap_txm_release_shared_lock(pmap);

	if (kr != KERN_SUCCESS) {
		return kr;
	}

	if (kernel_entitlements != NULL) {
		*kernel_entitlements = (const void*)call.return_words[0];
	}
	return kr;
}
1554*8d741a5dSApple OSS Distributions
/*
 * Ask TXM to accelerate the entitlements of a signature object.
 *
 * sig_obj is the single input argument. The result of txm_kernel_call() is
 * returned unchanged; unlike the failure_fatal wrappers in this file, this
 * call can return an error, so callers must check it. On KERN_SUCCESS, a
 * non-NULL ce_ctx receives the first TXM return word cast to
 * CEQueryContext_t; on failure it is not written.
 */
kern_return_t
txm_accelerate_entitlements(
	void *sig_obj,
	CEQueryContext_t *ce_ctx)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorAccelerateEntitlements,
		.num_input_args = 1,
		.num_output_args = 1,
	};

	const kern_return_t kr = txm_kernel_call(&call, sig_obj);

	if (kr != KERN_SUCCESS) {
		return kr;
	}

	if (ce_ctx != NULL) {
		*ce_ctx = (CEQueryContext_t)call.return_words[0];
	}
	return kr;
}
1574*8d741a5dSApple OSS Distributions
1575*8d741a5dSApple OSS Distributions #pragma mark Image4
1576*8d741a5dSApple OSS Distributions
/*
 * Unsupported AppleImage4 storage interface.
 *
 * This entry point never returns: it panics unconditionally and ignores
 * allocated_size.
 */
void*
txm_image4_storage_data(
	__unused size_t *allocated_size)
{
	/*
	 * Under TXM the AppleImage4 variant is meant to be linked statically
	 * into TXM, so the kernel has no need to allocate data on behalf of the
	 * kernel extension. Reaching this function is treated as fatal.
	 */
	panic("unsupported AppleImage4 interface");
}
1588*8d741a5dSApple OSS Distributions
/*
 * Set the nonce for an Image4 nonce domain through TXM.
 *
 * The domain index and the nonce pointer are passed to TXM as the two
 * input arguments. Nothing is returned to the caller and the result of
 * txm_kernel_call() is discarded.
 *
 * NOTE(review): failure_fatal is set, so a rejected nonce presumably ends
 * in a panic rather than an error -- confirm in txm_kernel_call().
 */
void
txm_image4_set_nonce(
	const img4_nonce_domain_index_t ndi,
	const img4_nonce_t *nonce)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorImage4SetNonce,
		.failure_fatal = true,
		.num_input_args = 2,
	};

	(void)txm_kernel_call(&call, ndi, nonce);
}
1602*8d741a5dSApple OSS Distributions
/*
 * Roll the nonce of an Image4 nonce domain through TXM.
 *
 * The domain index is the only input argument. Nothing is returned to the
 * caller and the result of txm_kernel_call() is discarded.
 *
 * NOTE(review): failure_fatal is set, so failure presumably panics rather
 * than returning -- confirm in txm_kernel_call().
 */
void
txm_image4_roll_nonce(
	const img4_nonce_domain_index_t ndi)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorImage4RollNonce,
		.failure_fatal = true,
		.num_input_args = 1,
	};

	(void)txm_kernel_call(&call, ndi);
}
1615*8d741a5dSApple OSS Distributions
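/*
 * Copy the current nonce of an Image4 nonce domain out of TXM.
 *
 * ndi is passed to TXM as the single input argument. On success the first
 * TXM return word is treated as a pointer to the nonce, which is copied by
 * value into *nonce_out when nonce_out is non-NULL, and 0 is returned.
 *
 * On failure *nonce_out is never written and a non-zero errno_t is
 * returned: the errno supplied by TXM when the return code is
 * kTXMReturnCodeErrno, otherwise EPERM.
 *
 * NOTE(review): the pointer taken from return_words[0] is dereferenced
 * without a NULL check; this relies on TXM always returning a valid nonce
 * pointer on success -- confirm.
 */
errno_t
txm_image4_copy_nonce(
	const img4_nonce_domain_index_t ndi,
	img4_nonce_t *nonce_out)
{
	txm_call_t txm_call = {
		.selector = kTXMKernelSelectorImage4GetNonce,
		.num_input_args = 1,
		.num_output_args = 1,
	};
	const img4_nonce_t *nonce = NULL;
	TXMReturn_t txm_ret = {0};
	kern_return_t ret = KERN_DENIED;

	ret = txm_kernel_call(&txm_call, ndi);
	if (ret != KERN_SUCCESS) {
		txm_ret = txm_call.txm_ret;

		/*
		 * Fail closed. A failed call that carries an errno of 0 would
		 * otherwise be reported as success while *nonce_out is left
		 * unwritten, so the caller would go on to use a nonce it never
		 * received. txm_image4_monitor_trap() treats the same condition
		 * as unexpected; here it is mapped to the generic error.
		 */
		if ((txm_ret.returnCode != kTXMReturnCodeErrno) || (txm_ret.errnoRet == 0)) {
			return EPERM;
		}
		return txm_ret.errnoRet;
	}

	/* Acquire a pointer to the nonce from TXM */
	nonce = (const img4_nonce_t*)txm_call.return_words[0];

	/* Copy by value so the caller does not keep a pointer into TXM data */
	if (nonce_out != NULL) {
		*nonce_out = *nonce;
	}
	return 0;
}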
1647*8d741a5dSApple OSS Distributions
/*
 * Image4 object execution -- not implemented for TXM.
 *
 * All three arguments are ignored. The function logs one line and returns
 * ENOSYS, so nothing is executed and callers must handle the error.
 */
errno_t
txm_image4_execute_object(
	img4_runtime_object_spec_index_t obj_spec_index,
	const img4_buff_t *payload,
	const img4_buff_t *manifest)
{
	/* TXM does not support this yet; silence unused-parameter warnings */
	(void)manifest;
	(void)payload;
	(void)obj_spec_index;

	printf("image4 object execution isn't supported by TXM\n");

	return ENOSYS;
}
1662*8d741a5dSApple OSS Distributions
/*
 * Image4 object copy-out -- not implemented for TXM.
 *
 * All three arguments are ignored: object_out is not written and
 * *object_length is not updated. The function logs one line and returns
 * ENOSYS, so callers must not consume the output buffer on this path.
 */
errno_t
txm_image4_copy_object(
	img4_runtime_object_spec_index_t obj_spec_index,
	vm_address_t object_out,
	size_t *object_length)
{
	/* TXM does not support this yet; silence unused-parameter warnings */
	(void)object_length;
	(void)object_out;
	(void)obj_spec_index;

	printf("image4 object copying isn't supported by TXM\n");

	return ENOSYS;
}
1677*8d741a5dSApple OSS Distributions
/*
 * Fetch the Image4 exports pointer from TXM.
 *
 * Takes no input arguments and returns the first TXM return word
 * reinterpreted as a const void pointer. The result of txm_kernel_call()
 * is not inspected.
 *
 * NOTE(review): failure_fatal is set, so failure presumably panics rather
 * than yielding a stale return word -- confirm in txm_kernel_call().
 */
const void*
txm_image4_get_monitor_exports(void)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorImage4GetExports,
		.failure_fatal = true,
		.num_output_args = 1,
	};
	const void *exports = NULL;

	txm_kernel_call(&call);
	exports = (const void*)call.return_words[0];

	return exports;
}
1690*8d741a5dSApple OSS Distributions
/*
 * Set the Image4 release type in TXM.
 *
 * release_type is passed to TXM as the single input argument. Always
 * returns 0: the result of txm_kernel_call() is discarded.
 *
 * NOTE(review): failure_fatal is set, so a rejected value presumably
 * panics rather than returning an error -- confirm in txm_kernel_call().
 */
errno_t
txm_image4_set_release_type(
	const char *release_type)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorImage4SetReleaseType,
		.failure_fatal = true,
		.num_input_args = 1,
	};

	/* Hand the release type to TXM -- no error is reported back from here */
	(void)txm_kernel_call(&call, release_type);

	return 0;
}
1706*8d741a5dSApple OSS Distributions
/*
 * Set the boot nonce shadow for an Image4 nonce domain in TXM.
 *
 * ndi is passed to TXM as the single input argument. Always returns 0: the
 * result of txm_kernel_call() is discarded.
 *
 * NOTE(review): failure_fatal is set, so failure presumably panics rather
 * than returning an error -- confirm in txm_kernel_call().
 */
errno_t
txm_image4_set_bnch_shadow(
	const img4_nonce_domain_index_t ndi)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorImage4SetBootNonceShadow,
		.failure_fatal = true,
		.num_input_args = 1,
	};

	/* Set the boot nonce shadow -- no error is reported back from here */
	(void)txm_kernel_call(&call, ndi);

	return 0;
}
1722*8d741a5dSApple OSS Distributions
1723*8d741a5dSApple OSS Distributions #pragma mark Image4 - New
1724*8d741a5dSApple OSS Distributions
/*
 * Report whether an Image4 trap selector is on this file's allow-list.
 *
 * With kTXMImage4APIVersion >= 1 the listed selectors are release-type
 * set, nonce set, nonce roll and image activate. Every other selector, and
 * every selector when the API version is below 1, yields false.
 */
static inline bool
_txm_image4_monitor_trap_supported(
	image4_cs_trap_t selector)
{
	bool supported = false;

	switch (selector) {
#if kTXMImage4APIVersion >= 1
	case IMAGE4_CS_TRAP_KMOD_SET_RELEASE_TYPE:
	case IMAGE4_CS_TRAP_NONCE_SET:
	case IMAGE4_CS_TRAP_NONCE_ROLL:
	case IMAGE4_CS_TRAP_IMAGE_ACTIVATE:
		supported = true;
		break;
#endif

	default:
		/* Anything not explicitly listed stays unsupported */
		break;
	}

	return supported;
}
1742*8d741a5dSApple OSS Distributions
/*
 * Transfer a memory region for an Image4 trap, if the trap is supported.
 *
 * txm_transfer_region(region_addr, region_size) is called only when
 * _txm_image4_monitor_trap_supported(selector) is true. KERN_SUCCESS is
 * returned in both cases, so the return value does not tell the caller
 * whether the region was actually transferred.
 *
 * NOTE(review): region_addr and region_size are forwarded without any
 * check here -- confirm that txm_transfer_region() validates them.
 */
kern_return_t
txm_image4_transfer_region(
	image4_cs_trap_t selector,
	vm_address_t region_addr,
	vm_size_t region_size)
{
	/* Unsupported selectors leave the region where it is */
	if (_txm_image4_monitor_trap_supported(selector) != true) {
		return KERN_SUCCESS;
	}

	txm_transfer_region(region_addr, region_size);
	return KERN_SUCCESS;
}
1754*8d741a5dSApple OSS Distributions
/*
 * Reclaim a memory region after an Image4 trap, if the trap is supported.
 *
 * txm_reclaim_region(region_addr, region_size) is called only when
 * _txm_image4_monitor_trap_supported(selector) is true. KERN_SUCCESS is
 * returned in both cases, so the return value does not tell the caller
 * whether the region was actually reclaimed.
 *
 * NOTE(review): this uses the same selector test as
 * txm_image4_transfer_region(); callers presumably pass the same selector
 * and region to both so that every transfer is undone -- confirm.
 */
kern_return_t
txm_image4_reclaim_region(
	image4_cs_trap_t selector,
	vm_address_t region_addr,
	vm_size_t region_size)
{
	/* Unsupported selectors never had their region transferred */
	if (_txm_image4_monitor_trap_supported(selector) != true) {
		return KERN_SUCCESS;
	}

	txm_reclaim_region(region_addr, region_size);
	return KERN_SUCCESS;
}
1766*8d741a5dSApple OSS Distributions
/*
 * Dispatch an Image4 trap to TXM and translate the outcome to an errno_t.
 *
 * Five input arguments are passed: selector, input_data, input_size and
 * two NULLs. Returns 0 when txm_kernel_call() reports KERN_SUCCESS. On
 * failure, returns the errno supplied by TXM when the return code is
 * kTXMReturnCodeErrno, and EPERM for any other return code. A failed call
 * that carries an errno of 0 panics, so a failure is never reported as
 * success.
 *
 * NOTE(review): the selector is not checked against
 * _txm_image4_monitor_trap_supported() here -- confirm the caller does so.
 * The two NULL arguments are presumably the unused output buffer and size.
 * The panic format uses %llu for selector; confirm image4_cs_trap_t is a
 * 64-bit unsigned type.
 */
errno_t
txm_image4_monitor_trap(
	image4_cs_trap_t selector,
	const void *input_data,
	size_t input_size)
{
	txm_call_t call = {
		.selector = kTXMKernelSelectorImage4Dispatch,
		.num_input_args = 5,
	};

	const kern_return_t kr = txm_kernel_call(
		&call, selector,
		input_data, input_size,
		NULL, NULL);

	/* Success maps to 0 */
	if (kr == KERN_SUCCESS) {
		return 0;
	}

	/* Anything other than an errno_t return becomes a generic error */
	if (call.txm_ret.returnCode != kTXMReturnCodeErrno) {
		return EPERM;
	}

	/* A failure must not carry a "success" errno */
	if (call.txm_ret.errnoRet == 0) {
		panic("image4 dispatch: unexpected success errno_t: %llu", selector);
	}
	return call.txm_ret.errnoRet;
}
1799*8d741a5dSApple OSS Distributions
1800*8d741a5dSApple OSS Distributions
1801*8d741a5dSApple OSS Distributions #endif /* CONFIG_SPTM */