security/keys/trusted-keys/trusted_tee.c
Source file repositories/reference/linux-study-clean/security/keys/trusted-keys/trusted_tee.c
File Facts
- System
- Linux kernel
- Corpus path
security/keys/trusted-keys/trusted_tee.c- Extension
.c- Size
- 7079 bytes
- Lines
- 288
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/err.hlinux/key-type.hlinux/module.hlinux/slab.hlinux/string.hlinux/tee_drv.hlinux/uuid.hkeys/trusted_tee.h
Detected Declarations
struct trusted_key_tee_privatefunction sealfunction unsealfunction trusted_tee_get_randomfunction optee_ctx_matchfunction trusted_key_probefunction trusted_key_removefunction trusted_tee_initfunction trusted_tee_exit
Annotated Snippet
struct trusted_key_tee_private {
struct device *dev;
struct tee_context *ctx;
u32 session_id;
struct tee_shm *shm_pool;
};
static struct trusted_key_tee_private pvt_data;
/*
* Have the TEE seal(encrypt) the symmetric key
*/
static int trusted_tee_seal(struct trusted_key_payload *p, char *datablob)
{
int ret;
struct tee_ioctl_invoke_arg inv_arg;
struct tee_param param[4];
struct tee_shm *reg_shm = NULL;
memset(&inv_arg, 0, sizeof(inv_arg));
memset(¶m, 0, sizeof(param));
reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
sizeof(p->key) + sizeof(p->blob));
if (IS_ERR(reg_shm)) {
dev_err(pvt_data.dev, "shm register failed\n");
return PTR_ERR(reg_shm);
}
inv_arg.func = TA_CMD_SEAL;
inv_arg.session = pvt_data.session_id;
inv_arg.num_params = 4;
param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
param[0].u.memref.shm = reg_shm;
param[0].u.memref.size = p->key_len;
param[0].u.memref.shm_offs = 0;
param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
param[1].u.memref.shm = reg_shm;
param[1].u.memref.size = sizeof(p->blob);
param[1].u.memref.shm_offs = sizeof(p->key);
ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
if ((ret < 0) || (inv_arg.ret != 0)) {
dev_err(pvt_data.dev, "TA_CMD_SEAL invoke err: %x\n",
inv_arg.ret);
ret = -EFAULT;
} else {
p->blob_len = param[1].u.memref.size;
}
tee_shm_free(reg_shm);
return ret;
}
/*
* Have the TEE unseal(decrypt) the symmetric key
*/
static int trusted_tee_unseal(struct trusted_key_payload *p, char *datablob)
{
int ret;
struct tee_ioctl_invoke_arg inv_arg;
struct tee_param param[4];
struct tee_shm *reg_shm = NULL;
memset(&inv_arg, 0, sizeof(inv_arg));
memset(¶m, 0, sizeof(param));
reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
sizeof(p->key) + sizeof(p->blob));
if (IS_ERR(reg_shm)) {
dev_err(pvt_data.dev, "shm register failed\n");
return PTR_ERR(reg_shm);
}
inv_arg.func = TA_CMD_UNSEAL;
inv_arg.session = pvt_data.session_id;
inv_arg.num_params = 4;
param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
param[0].u.memref.shm = reg_shm;
param[0].u.memref.size = p->blob_len;
param[0].u.memref.shm_offs = sizeof(p->key);
param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
param[1].u.memref.shm = reg_shm;
param[1].u.memref.size = sizeof(p->key);
param[1].u.memref.shm_offs = 0;
ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
Annotation
- Immediate include surface: `linux/err.h`, `linux/key-type.h`, `linux/module.h`, `linux/slab.h`, `linux/string.h`, `linux/tee_drv.h`, `linux/uuid.h`, `keys/trusted_tee.h`.
- Detected declarations: `struct trusted_key_tee_private`, `function seal`, `function unseal`, `function trusted_tee_get_random`, `function optee_ctx_match`, `function trusted_key_probe`, `function trusted_key_remove`, `function trusted_tee_init`, `function trusted_tee_exit`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.