
Syscall verifiers #4229

Merged: 6 commits merged into main from cepetr/syscall-verify on Oct 22, 2024

Conversation

@cepetr (Contributor) commented Sep 30, 2024

This PR implements syscall argument verification, ensuring passed buffers are within memory accessible to unprivileged code. It also copies data when needed to prevent TOC/TOU attacks.

Additional changes:

  1. Unified and improved argument parsing in the syscall dispatch routine.
  2. Adjusted several APIs (display, system) to support argument verification.
  3. Removed the hash_processor API.

This resolves issue #4203.
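The description above names the two properties a syscall verifier has to deliver: every buffer an unprivileged caller passes must lie inside memory that unprivileged code is allowed to touch, and anything the kernel validates must be copied into privileged memory before it is used, otherwise the caller can change it between the check and the use (a TOC/TOU race). The block below is an added illustration written for this page; it is not code from this PR or from the Trezor firmware, and the names `probe_read_access`, `syscall_checksum`, `io_desc_t` and the static `unpriv_ram` region are all assumptions made so the example runs on a host. It goes a little beyond the description by placing a racy handler next to the hardened one and driving both through a simulated preemption, so the difference is visible in the returned value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor an unprivileged caller hands to the hypothetical syscall. */
typedef struct {
  const uint8_t *data;  /* buffer that should live in unprivileged memory */
  uint32_t len;
} io_desc_t;

/* Constructed stand-in for the unprivileged SRAM region: on hardware the bounds
 * come from the linker script and MPU setup; here one static object plays it. */
static struct {
  uint8_t   buf[64];   /* caller's input buffer */
  io_desc_t desc;      /* descriptor the caller passes to the syscall */
  uint32_t  out;       /* where the caller wants the result written */
} unpriv_ram;

/* Memory unprivileged code must never be able to read. */
static uint8_t kernel_ram[64];

/* True iff [ptr, ptr + len) lies inside unprivileged memory. The length is
 * compared by subtraction so that ptr + len cannot wrap around. */
bool probe_read_access(const void *ptr, size_t len) {
  uintptr_t start = (uintptr_t)&unpriv_ram;
  uintptr_t end = start + sizeof(unpriv_ram);
  uintptr_t a = (uintptr_t)ptr;
  if (a < start || a > end) return false;
  return len <= end - a;
}

static uint32_t checksum(const uint8_t *p, size_t n) {
  uint32_t sum = 0;
  for (size_t i = 0; i < n; i++) sum = sum * 31 + p[i];
  return sum;
}

/* Stand-in for a context switch between check and use; the scenario below
 * installs a callback that plays the unprivileged attacker. */
static void (*preempt_hook)(void);
static void preempt_point(void) { if (preempt_hook) preempt_hook(); }

/* VULNERABLE: fields are validated and then re-read through the caller's
 * pointer, so a change between the check and the use goes unnoticed. */
int syscall_checksum_racy(const io_desc_t *desc, uint32_t *out) {
  if (!probe_read_access(desc, sizeof(*desc))) return -1;
  if (!probe_read_access(desc->data, desc->len)) return -1;
  if (!probe_read_access(out, sizeof(*out))) return -1;  /* toy model: one RW region */
  preempt_point();
  *out = checksum(desc->data, desc->len);  /* uses whatever desc holds now */
  return 0;
}

/* HARDENED: copy the descriptor into privileged memory first, then validate
 * and use only the copy; the caller can no longer alter what was checked. */
int syscall_checksum(const io_desc_t *desc, uint32_t *out) {
  if (!probe_read_access(desc, sizeof(*desc))) return -1;
  io_desc_t d; memcpy(&d, desc, sizeof(d));
  if (!probe_read_access(d.data, d.len)) return -1;
  if (!probe_read_access(out, sizeof(*out))) return -1;
  preempt_point();
  *out = checksum(d.data, d.len);  /* bounds fixed by the private copy */
  return 0;
}

/* ---- constructed scenario: a race between check and use ---------------- */
static const uint8_t USER_DATA[4]   = { 1, 2, 3, 4 };
static const uint8_t KERNEL_DATA[4] = { 0xde, 0xad, 0xbe, 0xef };

/* The attacker's move: retarget the already-checked descriptor at kernel RAM. */
static void attacker_retarget(void) {
  unpriv_ram.desc.data = kernel_ram;
  unpriv_ram.desc.len = sizeof(KERNEL_DATA);
}

static uint32_t run_scenario(int (*sc)(const io_desc_t *, uint32_t *)) {
  memcpy(unpriv_ram.buf, USER_DATA, sizeof(USER_DATA));
  memcpy(kernel_ram, KERNEL_DATA, sizeof(KERNEL_DATA));
  unpriv_ram.desc.data = unpriv_ram.buf;
  unpriv_ram.desc.len = sizeof(USER_DATA);
  unpriv_ram.out = 0;
  preempt_hook = attacker_retarget;
  int rc = sc(&unpriv_ram.desc, &unpriv_ram.out);
  preempt_hook = NULL;
  return rc == 0 ? unpriv_ram.out : 0xffffffffu;
}

uint32_t run_racy_scenario(void) { return run_scenario(syscall_checksum_racy); }
uint32_t run_safe_scenario(void) { return run_scenario(syscall_checksum); }
uint32_t user_data_checksum(void) { return checksum(USER_DATA, sizeof(USER_DATA)); }
uint32_t kernel_data_checksum(void) { return checksum(KERNEL_DATA, sizeof(KERNEL_DATA)); }

int main(void) {
  printf("racy: %u  (kernel data checksum %u)\n", (unsigned)run_racy_scenario(), (unsigned)kernel_data_checksum());
  printf("safe: %u  (user data checksum %u)\n", (unsigned)run_safe_scenario(), (unsigned)user_data_checksum());
  return 0;
}
```

Two details matter in practice. The range check compares `len <= end - a` rather than `a + len <= end`, because a caller can pass a pointer near the top of the address space with a length that wraps the sum back into the allowed region. And the copy-in only fixes what was copied: the descriptor here, so its bounds cannot move, but if the payload behind `data` carries fields the kernel will interpret (lengths, offsets, nested pointers), that payload has to be copied into privileged memory as well before any of it is trusted, which is what the description means by copying data "when needed".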

@cepetr self-assigned this Sep 30, 2024
@cepetr added labels Sep 30, 2024: T2B1 (Trezor Safe 3), T2T1 (Trezor Model T), T3T1, T3B1, core (Trezor Core firmware. Runs on Trezor Model T and T2B1.)
@TychoVrahe linked an issue Sep 30, 2024 that may be closed by this pull request
@cepetr force-pushed the cepetr/syscall-verify branch 2 times, most recently from 419af94 to d58001f, September 30, 2024 11:28
@cepetr marked this pull request as ready for review September 30, 2024 11:28
@TychoVrahe removed the request for review from prusnak September 30, 2024 12:04
@cepetr force-pushed the cepetr/syscall-verify branch 2 times, most recently from 48272d1 to b283313, October 2, 2024 05:49
Inline review comment on this diff context:

```c
} break;
#endif

#ifdef USE_OPTIGA
/*optiga_sign_result optiga_sign(uint8_t index, const uint8_t *digest,
```
Reviewer (Contributor):

Shouldn't we have a SYSCALL_OPTIGA_SIGN though?

@cepetr (Contributor, Author):

Yes, thanks for catching that. I've fixed it, see 2cff1e5

@TychoVrahe (Contributor) left a review:

A few comments below

Files with review comments (outdated, resolved):
core/embed/trezorhal/stm32f4/syscall_verifiers.c
core/embed/trezorhal/stm32f4/syscall_dispatch.c
@cepetr merged commit 976867d into main Oct 22, 2024 (93 checks passed)
@cepetr deleted the cepetr/syscall-verify branch October 22, 2024 05:41
Project status: Approved
Linked issue that may be closed by this pull request: Syscall validation
3 participants