Installing a key on secure storage #6046

Closed
guagua-m opened this issue May 25, 2023 · 25 comments
@guagua-m

guagua-m commented May 25, 2023

Dear OPTEE group,
When I called someone else's working code from the REE environment to install and store the private key in the TEE, a crash occurred.

This is the command I executed and the error code it returned.

./admin_cli/admin_cli put www.test.com etc/ecdsa_256.key
admin_cli: TEEC_Opensession failed with code 0xffff0000 origin 0x3

The log is as follows:

/TC:? 0 tee_ta_init_pseudo_ta_session:280 Lookup pseudo TA 8aaaf200-2450-11e4-6969-696969696969
D/TC:? 0 load_ldelf:704 ldelf load address 0x40006000
D/LD: ldelf:134 Loading TA 8aaaf200-2450-11e4-6969-696969696969
D/TC:? 0 tee_ta_init_session_with_context:573 Re-open TA 3a2f8978-5dc0-11e8-9c2d-fa7ae01bbebc
D/TC:? 0 system_open_ta_binary:250 Lookup user TA ELF 8aaaf200-2450-11e4-6969-696969696969 (Secure Storage TA)
D/TC:? 0 system_open_ta_binary:253 res=0xffff0008
D/TC:? 0 system_open_ta_binary:250 Lookup user TA ELF 8aaaf200-2450-11e4-6969-696969696969 (REE)
D/TC:? 0 system_open_ta_binary:253 res=0x0
D/TC:1 0 abort_handler:524 [abort] abort in User mode (TA will panic)
E/TC:? 0
E/TC:? 0 User TA data-abort at address 0x4007d5c0 (write permission fault)
E/TC:? 0 esr 0x9200004f ttbr0 0x200000e18a020 ttbr1 0x00000000 cidr 0x0
E/TC:? 0 cpu #1 cpsr 0x60000100
E/TC:? 0 x0 000000004006e000 x1 000000004007e170
E/TC:? 0 x2 000000000000f628 x3 000000000000f5c0
E/TC:? 0 x4 0000000000000403 x5 000000004007d5c0
E/TC:? 0 x6 0000000000000000 x7 0000000040010ef0
E/TC:? 0 x8 0000000000000007 x9 0000000000000011
E/TC:? 0 x10 0000000040005e98 x11 0000000040005e94
E/TC:? 0 x12 0000000000000000 x13 0000000040005ce8
E/TC:? 0 x14 0000000000000000 x15 0000000000000000
E/TC:? 0 x16 000000000e11e44c x17 3107c3c500000000
E/TC:? 0 x18 ab2163cc00000000 x19 0000000040010ef0
E/TC:? 0 x20 000000004007d628 x21 0000000000000003
E/TC:? 0 x22 000000004007d888 x23 000000004007d8d0
E/TC:? 0 x24 0000000000000001 x25 000000004007d778
E/TC:? 0 x26 0000000040010984 x27 0000000000000009
E/TC:? 0 x28 0000000000000018 x29 0000000040005ef0
E/TC:? 0 x30 00000000400063d8 elr 00000000400092b0
E/TC:? 0 sp_el0 0000000040005ef0
E/TC:? 0 region 0: va 0x0000000040000000 pa 0x000000000e102000 size 0x002000 flags ---R-X
E/TC:? 0 region 1: va 0x0000000040002000 pa 0x000000000e17c000 size 0x001000 flags ---RW-
E/TC:? 0 region 2: va 0x0000000040004000 pa 0x000000000e300000 size 0x002000 flags rw-RW-
E/TC:? 0 region 3: va 0x0000000040006000 pa 0x000000000e302000 size 0x007000 flags r-x---
E/TC:? 0 region 4: va 0x000000004000d000 pa 0x000000000e309000 size 0x001000 flags rw-RW-
E/TC:? 0 region 5: va 0x000000004000e000 pa 0x000000000e30a000 size 0x003000 flags rw-RW-
E/TC:? 0 region 6: va 0x0000000040011000 pa 0x000000000e30d000 size 0x001000 flags r--R--
E/TC:? 0 region 7: va 0x0000000040012000 pa 0x000000000e332000 size 0x011000 flags rw-RW-
E/TC:? 0 region 8: va 0x000000004006e000 pa 0x000000000e30e000 size 0x010000 flags r-xR--
E/TC:? 0 region 9: va 0x000000004007e000 pa 0x000000000e31e000 size 0x014000 flags rw-RW-
E/TC:? 0 init_with_ldelf:229 ldelf panicked
D/TC:? 0 tee_ta_close_session:499 csess 0xe178b20 id 1
D/TC:? 0 tee_ta_close_session:518 Destroy session
D/TC:? 0 destroy_context:298 Destroy TA ctx (0xe178ac0)
D/TC:? 0 tee_ta_close_session:499 csess 0xe178320 id 1
D/TC:? 0 tee_ta_close_session:518 Destroy session
E/TC:? 0 tee_ta_open_session:728 Failed. Return error 0xffff0000

Do you have any advice on how I can solve/block the fault?

Thanks,
Guagua

@jforissier
Contributor

E/TC:? 0 init_with_ldelf:229 ldelf panicked

This shows that the error happens before entering the TA. The ELF loader (ldelf) does an invalid access to memory. Adding DMSG() traces in ldelf() (file ldelf/main.c) and in the functions it calls may help.

@guagua-m
Author

guagua-m commented May 31, 2023

E/TC:? 0 init_with_ldelf:229 ldelf panicked

This shows that the error happens before entering the TA. The ELF loader (ldelf) does an invalid access to memory. Adding DMSG() traces in ldelf() (file ldelf/main.c) and in the functions it calls may help.

I followed what you said to find the ldelf panicked error.

  1. First I found the statement that reported the error in optee_os/core/arch/arm/kernel/user_ta.c, and confirmed that the function that reported the error was thread_enter_user_mode.
  2. Then I found the definition of this function in the file optee_os/core/arch/arm/kernel/thread.c, and traced the error to the __thread_enter_user_mode function by adding DMSG().

I couldn't find a definition for this function, and the underscore at the beginning means it's private, but I don't know what that means, so I can't follow this function down to the source of the "ldelf panicked" error.

@guagua-m
Author

guagua-m commented Jun 5, 2023

@jforissier I found question #4386 and I used the script you gave me to find the relocation in my .elf file, but nothing was returned. And I don't know how to calculate my fault address, maybe I can ask you to help me to see what this fault address is?

Here is my terminal log:

E/TC:? 0 User TA data-abort at address 0x4006e5c0 (write permission fault)
E/TC:? 0 esr 0x9200004f ttbr0 0x200000e18a000 ttbr1 0x00000000 cidr 0x0
E/TC:? 0 cpu #0 cpsr 0x60000100
E/TC:? 0 x0 000000004005f000 x1 000000004006f170
E/TC:? 0 x2 000000000000f628 x3 000000000000f5c0
E/TC:? 0 x4 0000000000000403 x5 000000004006e5c0
E/TC:? 0 x6 0000000000000000 x7 0000000040010ef0
E/TC:? 0 x8 0000000000000007 x9 0000000000000011
E/TC:? 0 x10 0000000040005e98 x11 0000000040005e94
E/TC:? 0 x12 0000000000000000 x13 0000000040005ce8
E/TC:? 0 x14 0000000000000000 x15 0000000000000000
E/TC:? 0 x16 000000000e11e520 x17 213e5d4300000000
E/TC:? 0 x18 85f0b4d800000000 x19 0000000040010ef0
E/TC:? 0 x20 000000004006e628 x21 0000000000000003
E/TC:? 0 x22 000000004006e888 x23 000000004006e8d0
E/TC:? 0 x24 0000000000000001 x25 000000004006e778
E/TC:? 0 x26 0000000040010984 x27 0000000000000009
E/TC:? 0 x28 0000000000000018 x29 0000000040005ef0
E/TC:? 0 x30 00000000400063d8 elr 00000000400092b0
E/TC:? 0 sp_el0 0000000040005ef0
E/TC:? 0 region 0: va 0x0000000040000000 pa 0x000000000e102000 size 0x002000 flags ---R-X
E/TC:? 0 region 1: va 0x0000000040002000 pa 0x000000000e17c000 size 0x001000 flags ---RW-
E/TC:? 0 region 2: va 0x0000000040004000 pa 0x000000000e300000 size 0x002000 flags rw-RW-
E/TC:? 0 region 3: va 0x0000000040006000 pa 0x000000000e302000 size 0x007000 flags r-x---
E/TC:? 0 region 4: va 0x000000004000d000 pa 0x000000000e309000 size 0x001000 flags rw-RW-
E/TC:? 0 region 5: va 0x000000004000e000 pa 0x000000000e30a000 size 0x003000 flags rw-RW-
E/TC:? 0 region 6: va 0x0000000040011000 pa 0x000000000e30d000 size 0x001000 flags r--R--
E/TC:? 0 region 7: va 0x0000000040012000 pa 0x000000000e332000 size 0x011000 flags rw-RW-
E/TC:? 0 region 8: va 0x000000004005f000 pa 0x000000000e30e000 size 0x010000 flags r-xR--
E/TC:? 0 region 9: va 0x000000004006f000 pa 0x000000000e31e000 size 0x014000 flags rw-RW-
E/TC:? 0 init_with_ldelf:232 ldelf panicked

Here is my dmp file:

SYMBOL TABLE:
0000000000000000 l d .ta_head 0000000000000000 .ta_head
0000000000000020 l d .text 0000000000000000 .text
000000000000be18 l d .eh_frame 0000000000000000 .eh_frame
000000000000e320 l d .rodata 0000000000000000 .rodata
000000000000f368 l d .gnu.hash 0000000000000000 .gnu.hash
000000000000f388 l d .rela.dyn 0000000000000000 .rela.dyn
000000000000f598 l d .got 0000000000000000 .got
000000000000f628 l d .rela.got 0000000000000000 .rela.got
000000000000f778 l d .dynamic 0000000000000000 .dynamic
000000000000f888 l d .dynsym 0000000000000000 .dynsym
000000000000f8d0 l d .dynstr 0000000000000000 .dynstr
000000000000f8d8 l d .hash 0000000000000000 .hash
0000000000010000 l d .data 0000000000000000 .data
0000000000010178 l d .bss 0000000000000000 .bss
0000000000000000 l d .debug_info 0000000000000000 .debug_info
0000000000000000 l d .debug_abbrev 0000000000000000 .debug_abbrev
0000000000000000 l d .debug_loc 0000000000000000 .debug_loc
etc...

@jforissier
Contributor

What is the output of readelf -a <uuid>.elf | grep TEXTREL? (replace <uuid>.elf with your TA ELF file). Did you build your TA with -fPIC (generate position-independent code)?

@guagua-m
Author

guagua-m commented Jun 7, 2023

What is the output of readelf -a <uuid>.elf | grep TEXTREL? (replace <uuid>.elf with your TA ELF file).

@jforissier I used the readelf command (readelf -a src/ta/8aaaf200-2450-11e4-6969-696969696969.elf | grep TEXTREL), but the terminal returns nothing.

Did you build your TA with -fPIC (generate position-independent code)?

I don't know how to build my TA with -fPIC. What should I add to the Makefile?
Here is my outermost Makefile:

#Configurables
MK_FILE_PATH = $(lastword $(MAKEFILE_LIST))
PRJ_DIR      = $(abspath $(dir $(MK_FILE_PATH))/../..)
#Configurables end

TA_DEV_KIT_DIR 		= $(PRJ_DIR)/optee_os/out/arm/export-ta_arm64
TEEC_EXPORT 		= $(PRJ_DIR)/optee_client/public
HOST_CROSS_COMPILE 	= $(PRJ_DIR)/toolchains/aarch64/bin/aarch64-linux-gnu-
TA_CROSS_COMPILE	= ${HOST_CROSS_COMPILE}

CC 					= $(PRJ_DIR)/toolchains/aarch64/bin/aarch64-linux-gnu-gcc
CXX 				= $(PRJ_DIR)/toolchains/aarch64/bin/aarch64-linux-gnu-c++

BSSL_DIR 			= -I$(PRJ_DIR)/projects/bssl/src/include
BSSL_CRYPTO_DIR		= $(PRJ_DIR)/projects/bssl/src/build/crypto
BSSL_SSL_DIR 		= $(PRJ_DIR)/projects/bssl/src/build/ssl

CXXFLAGS 			= -g -std=c++11 
CXXFLAGS 			+= -I$(PRJ_DIR)/optee_client/public 
CXXFLAGS 			+= -I$(PRJ_DIR)/projects/delegator/src/ta/include
CXXFLAGS 			+= $(BSSL_DIR) -L$(BSSL_SSL_DIR) -L$(BSSL_CRYPTO_DIR) -lssl -lcrypto 
LDFLAGS				+= -lpthread
LDFLAGS 			+= -L$(PRJ_DIR)/out-br/build/optee_client-1.0/libteec -lteec

OUT_DIR				= out
TEE_SHARED_DIR		= /tmp/tee_share

all: server admin_cli ta
	cp -rf etc $(OUT_DIR)/
	cp -rf $(PRJ_DIR)/projects/bssl/src/build/tool/bssl $(OUT_DIR)
	cp -rf $(OUT_DIR) $(TEE_SHARED_DIR)/

admin_cli:
	#$(MAKE) -C admin_cli CROSS_COMPILE="$(HOST_CROSS_COMPILE)" PRJ_DIR="$(PRJ_DIR)" --no-builtin-variables
	mkdir -p $(OUT_DIR)/admin_cli
	$(CC) -o $(OUT_DIR)/admin_cli/main.o -c src/admin_cli/main.c $(CXXFLAGS) 
	$(CC) -o $(OUT_DIR)/admin_cli/admin_cli $(OUT_DIR)/admin_cli/main.o $(CXXFLAGS) $(LDFLAGS)

server:	
	mkdir -p $(OUT_DIR)/server
	$(CXX) -o $(OUT_DIR)/server/server.o -c src/server/server.c $(CXXFLAGS)
	$(CXX) -o $(OUT_DIR)/server/server $(OUT_DIR)/server/server.o $(CXXFLAGS) $(LDFLAGS)

clean:
	rm -rf out
	$(MAKE) -C src/ta clean

ta:
	mkdir -p $(OUT_DIR)/ta
	$(MAKE) -C src/ta CROSS_COMPILE="$(TA_CROSS_COMPILE)" PRJ_DIR="$(PRJ_DIR)"
	cp -rf src/ta/8aaaf200-2450-11e4-6969-696969696969.ta $(OUT_DIR)/ta/

@jforissier
Contributor

Does xtest run properly?

@guagua-m
Author

guagua-m commented Jun 7, 2023

Does xtest run properly?

yes.

@jforissier
Contributor

Can you see -fpic used in the build log of your TA? (make V=1). It is supposed to be added automatically by this line: https://github.com/OP-TEE/optee_os/blob/145953d553269dac8b6d5af998818286a61a965e/core/arch/arm/arm.mk#LL367C6-L367C6

Which version of OP-TEE is that?

For troubleshooting, I can only re-iterate my advice:

Adding DMSG() traces in ldelf() (file ldelf/main.c) and in the functions it calls may help.

@guagua-m
Author

guagua-m commented Jun 7, 2023

Can you see -fpic used in the build log of your TA? (make V=1). It is supposed to be added automatically by this line: https://github.com/OP-TEE/optee_os/blob/145953d553269dac8b6d5af998818286a61a965e/core/arch/arm/arm.mk#LL367C6-L367C6

Yes, I can see it.

Which version of OP-TEE is that?

3.8.0

@guagua-m
Author

guagua-m commented Jun 7, 2023

Can you see -fpic used in the build log of your TA? (make V=1). It is supposed to be added automatically by this line: https://github.com/OP-TEE/optee_os/blob/145953d553269dac8b6d5af998818286a61a965e/core/arch/arm/arm.mk#LL367C6-L367C6

Yes, I can see it.

Sorry, I just misunderstood you. I can see this line in my arm.mk file, but I don't see the -fpic option when I use the make command.

Here are the returns from my terminal (make V=1):
mkdir -p out/server
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-c++ -o out/server/server.o -c src/server/server.c -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-c++ -o out/server/server out/server/server.o -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto -lpthread -L/home/ldl/optee/out-br/build/optee_client-1.0/libteec -lteec
#make -C admin_cli CROSS_COMPILE="/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" PRJ_DIR="/home/ldl/optee" --no-builtin-variables
mkdir -p out/admin_cli
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-gcc -o out/admin_cli/main.o -c src/admin_cli/main.c -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto
cc1: 警告: command line option ‘-std=c++11’ is valid for C++/ObjC++ but not for C
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-gcc -o out/admin_cli/admin_cli out/admin_cli/main.o -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto -lpthread -L/home/ldl/optee/out-br/build/optee_client-1.0/libteec -lteec
mkdir -p out/ta
make -C src/ta CROSS_COMPILE="/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" PRJ_DIR="/home/ldl/optee"
make[1]: 进入目录“/home/ldl/optee/projects/delegator/src/ta”
make[1]: 对“all”无需做任何事。
make[1]: 离开目录“/home/ldl/optee/projects/delegator/src/ta”
cp -rf src/ta/8aaaf200-2450-11e4-6969-696969696969.ta out/ta/
cp -rf etc out/
cp -rf /home/ldl/optee/projects/bssl/src/build/tool/bssl out
cp -rf out /home/ldl/qemu_share/

@jforissier
Contributor

That's not the TA build. Clean and rebuild.

@guagua-m
Author

guagua-m commented Jun 7, 2023

That's not the TA build. Clean and rebuild.

Oh, sorry. After rebuilding I can see this option now.

Here are the returns from my terminal:
mkdir -p out/server
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-c++ -o out/server/server.o -c src/server/server.c -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-c++ -o out/server/server out/server/server.o -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto -lpthread -L/home/ldl/optee/out-br/build/optee_client-1.0/libteec -lteec
#make -C admin_cli CROSS_COMPILE="/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" PRJ_DIR="/home/ldl/optee" --no-builtin-variables
mkdir -p out/admin_cli
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-gcc -o out/admin_cli/main.o -c src/admin_cli/main.c -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto
cc1: 警告: command line option ‘-std=c++11’ is valid for C++/ObjC++ but not for C
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-gcc -o out/admin_cli/admin_cli out/admin_cli/main.o -g -std=c++11 -I/home/ldl/optee/optee_client/public -I/home/ldl/optee/projects/delegator/src/ta/include -I/home/ldl/optee/projects/bssl/src/include -L/home/ldl/optee/projects/bssl/src/build/ssl -L/home/ldl/optee/projects/bssl/src/build/crypto -lssl -lcrypto -lpthread -L/home/ldl/optee/out-br/build/optee_client-1.0/libteec -lteec
mkdir -p out/ta
make -C src/ta CROSS_COMPILE="/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-" PRJ_DIR="/home/ldl/optee"
make[1]: 进入目录“/home/ldl/optee/projects/delegator/src/ta”
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-gcc -std=gnu99 -fdiagnostics-show-option -Wall -Wcast-align -Werror-implicit-function-declaration -Wextra -Wfloat-equal -Wformat-nonliteral -Wformat-security -Wformat=2 -Winit-self -Wmissing-declarations -Wmissing-format-attribute -Wmissing-include-dirs -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wshadow -Wstrict-prototypes -Wswitch-default -Wwrite-strings -Wno-missing-field-initializers -Wno-format-zero-length -Waggregate-return -Wredundant-decls -Wold-style-definition -Wstrict-aliasing=2 -Wundef -Os -g3 -fpic -mstrict-align -MD -MF ./.delegator_tz.o.d -MT delegator_tz.o -nostdinc -isystem /home/ldl/optee/toolchains/aarch64/bin/../lib/gcc/aarch64-linux-gnu/8.3.0/include -DCFG_TEE_TA_LOG_LEVEL=1 -I./include -I./. -DARM64=1 -D__LP64__=1 -DMBEDTLS_SELF_TEST -DTRACE_LEVEL=1 -I. -I/home/ldl/optee/optee_os/out/arm/export-ta_arm64/include -DCFG_ARM64_ta_arm64=1 -DCFG_TA_DYNLINK=1 -DCFG_TEE_TA_LOG_LEVEL=1 -DCFG_SYSTEM_PTA=1 -DCFG_UNWIND=1 -DCFG_TA_MBEDTLS=1 -DCFG_TA_MBEDTLS_SELF_TEST=1 -DCFG_TA_MBEDTLS_MPI=1 -DCFG_TA_FLOAT_SUPPORT=1 -D__FILE_ID__=delegator_tz_c -c delegator_tz.c -o delegator_tz.o
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-objcopy --rename-section .rodata=.rodata.delegator_tz.c --rename-section .rodata.str1.1=.rodata.str1.1.delegator_tz.c ./delegator_tz.o
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-gcc -std=gnu99 -fdiagnostics-show-option -Wall -Wcast-align -Werror-implicit-function-declaration -Wextra -Wfloat-equal -Wformat-nonliteral -Wformat-security -Wformat=2 -Winit-self -Wmissing-declarations -Wmissing-format-attribute -Wmissing-include-dirs -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wshadow -Wstrict-prototypes -Wswitch-default -Wwrite-strings -Wno-missing-field-initializers -Wno-format-zero-length -Waggregate-return -Wredundant-decls -Wold-style-definition -Wstrict-aliasing=2 -Wundef -Os -g3 -fpic -mstrict-align -MD -MF ./.user_ta_header.o.d -MT user_ta_header.o -nostdinc -isystem /home/ldl/optee/toolchains/aarch64/bin/../lib/gcc/aarch64-linux-gnu/8.3.0/include -DCFG_TEE_TA_LOG_LEVEL=1 -I./include -DARM64=1 -D__LP64__=1 -DMBEDTLS_SELF_TEST -DTRACE_LEVEL=1 -I. -I/home/ldl/optee/optee_os/out/arm/export-ta_arm64/include -DCFG_ARM64_ta_arm64=1 -DCFG_TA_DYNLINK=1 -DCFG_TEE_TA_LOG_LEVEL=1 -DCFG_SYSTEM_PTA=1 -DCFG_UNWIND=1 -DCFG_TA_MBEDTLS=1 -DCFG_TA_MBEDTLS_SELF_TEST=1 -DCFG_TA_MBEDTLS_MPI=1 -DCFG_TA_FLOAT_SUPPORT=1 -D__FILE_ID__=user_ta_header_c -c /home/ldl/optee/optee_os/out/arm/export-ta_arm64/src/user_ta_header.c -o user_ta_header.o
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-objcopy --rename-section .rodata=.rodata.user_ta_header.c --rename-section .rodata.str1.1=.rodata.str1.1.user_ta_header.c ./user_ta_header.o
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-ld.bfd -e__ta_entry -pie -T ./ta.lds -Map=./8aaaf200-2450-11e4-6969-696969696969.map --sort-section=alignment -z max-page-size=4096 --as-needed ./delegator_tz.o ./user_ta_header.o -L/home/ldl/optee/optee_os/out/arm/export-ta_arm64/lib --start-group -lutils -lutee -lmbedtls -ldl --end-group -o 8aaaf200-2450-11e4-6969-696969696969.elf
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-objdump -l -x -d 8aaaf200-2450-11e4-6969-696969696969.elf > 8aaaf200-2450-11e4-6969-696969696969.dmp
/home/ldl/optee/toolchains/aarch64/bin/aarch64-linux-gnu-objcopy --strip-unneeded 8aaaf200-2450-11e4-6969-696969696969.elf 8aaaf200-2450-11e4-6969-696969696969.stripped.elf
/home/ldl/optee/optee_os/out/arm/export-ta_arm64/scripts/sign_encrypt.py --key /home/ldl/optee/optee_os/out/arm/export-ta_arm64/keys/default_ta.pem --uuid 8aaaf200-2450-11e4-6969-696969696969 --ta-version 0 --in 8aaaf200-2450-11e4-6969-696969696969.stripped.elf --out 8aaaf200-2450-11e4-6969-696969696969.ta
make[1]: 离开目录“/home/ldl/optee/projects/delegator/src/ta”
cp -rf src/ta/8aaaf200-2450-11e4-6969-696969696969.ta out/ta/
cp -rf etc out/
cp -rf /home/ldl/optee/projects/bssl/src/build/tool/bssl out
cp -rf out /home/ldl/qemu_share/

@jforissier
Contributor

OK so it's not related to PIC. Back to the very first thing I suggested and you did not try.

@guagua-m
Author

guagua-m commented Jun 8, 2023

OK so it's not related to PIC. Back to the very first thing I suggested and you did not try.

@jforissier Thank you. I located the error in the ldelf/ta_elf_rel.c file with DMSG() and found that it occurred while writing, which corresponds to the write permission fault in the error log.

E/TC:? 0 User TA data-abort at address 0x4007d5c0 (write permission fault)

An error occurred when writing to the “where” pointer after looping to a certain address.

Here is the error code segment I located:

	/* ldelf/ta_elf_rel.c */
	for (; rela < rela_end; rela++) {
		Elf64_Addr *where = NULL;
		size_t sym_idx = 0;

		/* Check the address is inside TA memory */
		assert(rela->r_offset < (elf->max_addr - elf->load_addr));
		where = (Elf64_Addr *)(elf->load_addr + rela->r_offset);

		switch (ELF64_R_TYPE(rela->r_info)) {
		case R_AARCH64_ABS64:
			sym_idx = ELF64_R_SYM(rela->r_info);
			assert(sym_idx < num_syms);
			if (sym_tab[sym_idx].st_shndx == SHN_UNDEF) {
				/* Symbol is external */
				e64_process_dyn_rela(sym_tab, num_syms, str_tab,
						     str_tab_size, rela, where);
			} else {
				*where = rela->r_addend + elf->load_addr +
					 sym_tab[sym_idx].st_value;
			}
			break;
		case R_AARCH64_RELATIVE:
			*where = rela->r_addend + elf->load_addr;
			break;
		case R_AARCH64_GLOB_DAT:
		case R_AARCH64_JUMP_SLOT:
			e64_process_dyn_rela(sym_tab, num_syms, str_tab,
					     str_tab_size, rela, where);
			DMSG("R_AARCH64_JUMP_SLOT");
			break;
		default:
			err(TEE_ERROR_BAD_FORMAT, "Unknown relocation type %zd",
			    ELF64_R_TYPE(rela->r_info));
			DMSG("e64_relocate err");
		}
	}

I output the variable values (rela->r_offset = 0xf5c0, elf->load_addr = 0x4003d000, where = 0x4004c5c0). The address of the where variable is the address in the error log.
According to the location of the error you mentioned in your #4385 question, I also understood that I should find the rela->r_offset that is wrong in the code. I output it here and see that the address of the variable is 0xf5c0, then I looked up the address in the TA ELF (in the .dmp). But I can't find the section that corresponds to that address.

Can you please help me to see if this error address is calculated correctly? What should I do after finding the error address in the TA ELF file? I hope you can give me more help, thank you very much.

@jforissier
Contributor

Could you please run this script on your TA ELF file and attach the output here? Rename it to print_relocations.py and make it executable first (I had to use .txt because GitHub doesn't accept .py).
print_relocations.txt

@guagua-m
Author

guagua-m commented Jun 8, 2023

Could you please run this script on your TA ELF file and attach the output here? Rename it to print_relocations.py and make it executable first (I had to use .txt because GitHub doesn't accept .py). print_relocations.txt

Thanks, I tried this script and realized I had used it before.
My command:
./print_relocations.py delegator/src/ta/8aaaf200-2450-11e4-6969-696969696969.elf
My terminal returns:
0xf5b8 in .got <GLOBAL_OFFSET_TABLE + 8>
0xf5c0 in .got <GLOBAL_OFFSET_TABLE + 16>
0xf5c8 in .got <GLOBAL_OFFSET_TABLE + 24>
0xf5d0 in .got <GLOBAL_OFFSET_TABLE + 32>
0xf5d8 in .got <GLOBAL_OFFSET_TABLE + 40>
0xf5e0 in .got <GLOBAL_OFFSET_TABLE + 48>
0xf5e8 in .got <GLOBAL_OFFSET_TABLE + 56>
0xf5f0 in .got <GLOBAL_OFFSET_TABLE + 64>
0xf5f8 in .got <GLOBAL_OFFSET_TABLE + 72>
0xf600 in .got <GLOBAL_OFFSET_TABLE + 80>
0xf608 in .got <GLOBAL_OFFSET_TABLE + 88>
0xf610 in .got <GLOBAL_OFFSET_TABLE + 96>
0xf618 in .got <GLOBAL_OFFSET_TABLE + 104>
0xf620 in .got <GLOBAL_OFFSET_TABLE + 112>
0x10000 in .data <ta_props>
0x10010 in .data <ta_props + 16>
0x10018 in .data <ta_props + 24>
0x10028 in .data <ta_props + 40>
0x10030 in .data <ta_props + 48>
0x10040 in .data <ta_props + 64>
0x10048 in .data <ta_props + 72>
0x10058 in .data <ta_props + 88>
0x10060 in .data <ta_props + 96>
0x10070 in .data <ta_props + 112>
0x10078 in .data <ta_props + 120>
0x10088 in .data <ta_props + 136>
0x10090 in .data <ta_props + 144>
0x100a0 in .data <ta_props + 160>
0x100a8 in .data <ta_props + 168>
0x100b8 in .data <ta_props + 184>
0x100c0 in .data <ta_props + 192>
0x100d0 in .data <ta_props + 208>
0x100e0 in .data <ta_sessions + 8>
0x100e8 in .data <memset_func>
0x10100 in .data <malloc_ctx + 16>
0x10108 in .data <malloc_ctx + 24>

@jforissier
Contributor

So 0xfc50 is a valid offset into the GOT, should be fine for relocation. Can you post the output of readelf -lS delegator/src/ta/8aaaf200-2450-11e4-6969-696969696969.elf ?

@guagua-m
Author

guagua-m commented Jun 8, 2023

readelf -lS delegator/src/ta/8aaaf200-2450-11e4-6969-696969696969.elf

There are 27 section headers, starting at offset 0x84438:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .ta_head          PROGBITS         0000000000000000  00001000
       0000000000000020  0000000000000000   A       0     0     8
  [ 2] .text             PROGBITS         0000000000000020  00001020
       000000000000bdf8  0000000000000000  AX       0     0     4
  [ 3] .eh_frame         PROGBITS         000000000000be18  0000ce18
       0000000000002508  0000000000000000   A       0     0     8
  [ 4] .rodata           PROGBITS         000000000000e320  0000f320
       0000000000001042  0000000000000000   A       0     0     8
  [ 5] .gnu.hash         GNU_HASH         000000000000f368  00010368
       000000000000001c  0000000000000000   A      10     0     8
  [ 6] .rela.dyn         RELA             000000000000f388  00010388
       0000000000000210  0000000000000018   A      10     0     8
  [ 7] .got              PROGBITS         000000000000f598  00010598
       0000000000000090  0000000000000008  WA       0     0     8
  [ 8] .rela.got         RELA             000000000000f628  00010628
       0000000000000150  0000000000000018  AI      10     7     8
  [ 9] .dynamic          DYNAMIC          000000000000f778  00010778
       0000000000000110  0000000000000010  WA      11     0     8
  [10] .dynsym           DYNSYM           000000000000f888  00010888
       0000000000000048  0000000000000018   A      11     3     8
  [11] .dynstr           STRTAB           000000000000f8d0  000108d0
       0000000000000001  0000000000000000   A       0     0     1
  [12] .hash             HASH             000000000000f8d8  000108d8
       0000000000000018  0000000000000004   A      10     0     8
  [13] .data             PROGBITS         0000000000010000  00011000
       0000000000000174  0000000000000000  WA       0     0     8
  [14] .bss              NOBITS           0000000000010178  00011174
       0000000000013068  0000000000000000  WA       0     0     8
  [15] .debug_info       PROGBITS         0000000000000000  00011174
       0000000000016aa1  0000000000000000           0     0     1
  [16] .debug_abbrev     PROGBITS         0000000000000000  00027c15
       0000000000003628  0000000000000000           0     0     1
  [17] .debug_loc        PROGBITS         0000000000000000  0002b23d
       0000000000021a2e  0000000000000000           0     0     1
  [18] .debug_aranges    PROGBITS         0000000000000000  0004cc70
       0000000000000830  0000000000000000           0     0     16
  [19] .debug_ranges     PROGBITS         0000000000000000  0004d4a0
       0000000000001850  0000000000000000           0     0     16
  [20] .debug_macro      PROGBITS         0000000000000000  0004ecf0
       0000000000011738  0000000000000000           0     0     1
  [21] .debug_line       PROGBITS         0000000000000000  00060428
       000000000000c0f3  0000000000000000           0     0     1
  [22] .debug_str        PROGBITS         0000000000000000  0006c51b
       0000000000012f7b  0000000000000001  MS       0     0     1
  [23] .comment          PROGBITS         0000000000000000  0007f496
       0000000000000055  0000000000000001  MS       0     0     1
  [24] .symtab           SYMTAB           0000000000000000  0007f4f0
       0000000000003300  0000000000000018          25   255     8
  [25] .strtab           STRTAB           0000000000000000  000827f0
       0000000000001b54  0000000000000000           0     0     1
  [26] .shstrtab         STRTAB           0000000000000000  00084344
       00000000000000ed  0000000000000000           0     0     1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

Elf file type is DYN (Shared object file)
Entry point 0x678
There are 4 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000001000 0x0000000000000000 0x0000000000000000
                 0x000000000000be18 0x000000000000be18  R E    0x1000
  LOAD           0x000000000000ce18 0x000000000000be18 0x000000000000be18
                 0x0000000000003ad8 0x0000000000003ad8  R      0x1000
  LOAD           0x0000000000011000 0x0000000000010000 0x0000000000010000
                 0x0000000000000174 0x00000000000131e0  RW     0x1000
  DYNAMIC        0x0000000000010778 0x000000000000f778 0x000000000000f778
                 0x0000000000000110 0x0000000000000110  RW     0x8

 Section to Segment mapping:
  Segment Sections...
   00     .ta_head .text 
   01     .eh_frame .rodata .gnu.hash .rela.dyn .got .rela.got .dynamic .dynsym .dynstr .hash 
   02     .data .bss 
   03     .dynamic 

@jforissier
Contributor

Which compiler are you using?

@guagua-m
Author

guagua-m commented Jun 8, 2023

Which compiler are you using?

Is the compiler you are asking about referring to gcc? I'm running my qemu VM on ubuntu 20.04 and OP-TEE is running in qemu.

@jforissier
Contributor

jforissier commented Jun 8, 2023

Yes, please provide the following information:

  • aarch64-linux-gnu-gcc --version
  • Which version of OP-TEE? Have you tried the latest optee_os from the master branch?
  • Are you using a custom linker script for your TA?

@jforissier
Contributor

The problem is that .got is in a read-only segment (the second LOAD segment, number 01). If you look at a typical TA (the crypt TA from xtest that I generated not long ago for QEMUv8), you can see that segment 01 is RW:

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000001000 0x0000000000000000 0x0000000000000000
                 0x0000000000053cd8 0x0000000000053cd8  R E    0x1000
  LOAD           0x0000000000055000 0x0000000000054000 0x0000000000054000
                 0x0000000000002078 0x000000000000fdc8  RW     0x1000
  DYNAMIC        0x0000000000055000 0x0000000000054000 0x0000000000054000
                 0x0000000000000110 0x0000000000000110  RW     0x8
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10

 Section to Segment mapping:
  Segment Sections...
   00     .ta_head .text .eh_frame .rodata .gnu.hash .dynsym .dynstr .hash .rela.dyn
   01     .dynamic .got .rela.data .rela.got .data .bss
   02     .dynamic
   03
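
The diagnosis above can be turned into a mechanical check. The following script is an added example, not part of this thread or of OP-TEE: it parses an ELF64 file's program headers and RELA sections with Python's standard struct module and reports every relocation whose r_offset does not fall inside a writable PT_LOAD segment. That is exactly the case the quoted ldelf loop does not catch, since its assert only checks that r_offset is inside TA memory before storing through `where`, and the MMU then raises the write permission fault. The two sample images are constructed inline by build_elf from the segment layouts quoted in this thread (the faulting TA and the typical crypt TA); build_elf, check_relocations and the other helper names are the example's own.

```python
import struct

# ELF64 constants (ELF and AArch64 psABI specifications)
PT_LOAD = 1
PF_W = 0x2
SHT_RELA = 4
R_AARCH64_RELATIVE = 0x403      # relocation type ldelf was applying (x4 in the register dump)

# Little-endian ELF64 structure layouts
EHDR = "<16sHHIQQQIHHHHHH"      # 64-byte ELF header
PHDR = "<IIQQQQQQ"              # 56-byte program header
SHDR = "<IIQQQQIIQQ"            # 64-byte section header
RELA = "<QQq"                   # 24-byte Elf64_Rela


def read_load_segments(data):
    """Return [(p_vaddr, p_memsz, p_flags)] for every PT_LOAD program header."""
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _pa, _fsz, p_memsz, _al = \
            struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_memsz, p_flags))
    return segments


def read_rela_offsets(data):
    """Return the r_offset of every entry in every SHT_RELA section (.rela.dyn, .rela.got, ...)."""
    hdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    offsets = []
    for i in range(e_shnum):
        sh = struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size, sh_entsize = sh[1], sh[4], sh[5], sh[9]
        if sh_type != SHT_RELA or sh_entsize == 0:
            continue
        for j in range(sh_size // sh_entsize):
            r_offset, _r_info, _r_addend = struct.unpack_from(RELA, data, sh_offset + j * sh_entsize)
            offsets.append(r_offset)
    return offsets


def segment_for(vaddr, segments):
    """Return the PT_LOAD segment covering vaddr (where load_addr + r_offset lands), or None."""
    for base, size, flags in segments:
        if base <= vaddr < base + size:
            return (base, size, flags)
    return None


def check_relocations(data):
    """List (r_offset, reason) for every relocation target that ldelf cannot write to."""
    segments = read_load_segments(data)
    problems = []
    for r_offset in read_rela_offsets(data):
        seg = segment_for(r_offset, segments)
        if seg is None:
            problems.append((r_offset, "outside every PT_LOAD segment"))
        elif not seg[2] & PF_W:
            problems.append((r_offset, "in read-only segment at 0x%x" % seg[0]))
    return problems


def build_elf(segments, rela_offsets):
    """Construct a minimal ET_DYN ELF64 for AArch64 (constructed test input, not a real TA):
    header, PT_LOAD headers, one RELA section of R_AARCH64_RELATIVE entries, and the
    section table (no string table, so the sections carry no names)."""
    phoff = 64
    rela_off = phoff + 56 * len(segments)
    rela = b"".join(struct.pack(RELA, off, R_AARCH64_RELATIVE, 0) for off in rela_offsets)
    shoff = rela_off + len(rela)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, 3, 183, 1, 0, phoff, shoff, 0, 64, 56, len(segments), 64, 2, 0)
    phdrs = b"".join(struct.pack(PHDR, PT_LOAD, flags, 0, vaddr, vaddr, size, size, 0x1000)
                     for vaddr, size, flags in segments)
    shdrs = struct.pack(SHDR, *([0] * 10))  # mandatory null section
    shdrs += struct.pack(SHDR, 0, SHT_RELA, 2, 0, rela_off, len(rela), 0, 0, 8, 24)
    return ehdr + phdrs + rela + shdrs


# Segment layout from the readelf -l output in this thread: .got lies in the second LOAD
# segment, which is R only, and the GOT relocation at 0xf5c0 is the one that faulted.
BROKEN_TA = build_elf([(0x0, 0xbe18, 5), (0xbe18, 0x3ad8, 4), (0x10000, 0x131e0, 6)],
                      [0xf5c0, 0x10000])
# Layout of the typical TA quoted above: every relocatable word lives in an RW segment.
GOOD_TA = build_elf([(0x0, 0x53cd8, 5), (0x54000, 0xfdc8, 6)], [0x54100])

if __name__ == "__main__":
    import sys
    for name, data in [("broken", BROKEN_TA), ("typical", GOOD_TA)]:
        print(name, check_relocations(data) or "all relocations target writable memory")
    for path in sys.argv[1:]:               # optionally check real ELF files given on the command line
        with open(path, "rb") as f:
            print(path, check_relocations(f.read()) or "all relocations target writable memory")
```

Run with a TA ELF as argument to check a real file; on the constructed images it reports the 0xf5c0 GOT slot as sitting in the read-only segment starting at 0xbe18 and finds nothing wrong with the typical layout. The check deliberately mirrors what ldelf does (segment lookup by virtual address, writability from p_flags) rather than what the linker intended, so a linker script or toolchain that places .got in a read-only segment is caught before the TA is ever loaded.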

@guagua-m
Author

guagua-m commented Jun 8, 2023

Yes, please provide the following information: aarch64-linux-gnu-gcc --version; which version of OP-TEE? Have you tried the latest optee_os from the master branch?

OP-TEE 3.8.0. I really haven't tried the latest version of OP-TEE and I don't know how to do the upgrade.
I entered the command and it returned that no compiler was installed, but I found it in the folder, probably because I didn't add it to PATH. This is the return:

Command 'aarch64-linux-gnu-gcc' not found, but can be installed with:

sudo apt install gcc-aarch64-linux-gnu

Then I found the compiler in my folder (~/optee/toolchains/aarch64/bin) and executed the file to get the version information.
My command:

./aarch64-linux-gnu-gcc --version

My return:

aarch64-linux-gnu-gcc (GNU Toolchain for the A-profile Architecture 8.3-2019.03 (arm-rel-8.36)) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

@jforissier
Contributor

I recommend updating the compiler you use to build the TA, because I suspect something is wrong with it. 10.2 and 11.3 have been used successfully. You can download 11.3 from https://snapshots.linaro.org/gnu-toolchain/11.3-2022.06-1/aarch64-linux-gnu/ if you wish.

@github-actions

github-actions bot commented Jul 9, 2023

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
