
Syscall verifiers #4229

Open: wants to merge 6 commits into main

Conversation

@cepetr cepetr (Contributor) commented Sep 30, 2024

This PR implements syscall argument verification, ensuring passed buffers are within memory accessible to unprivileged code. It also copies data when needed to prevent TOC/TOU attacks.

Additional changes:

  1. Unified and improved argument parsing in the syscall dispatch routine.
  2. Adjusted several APIs (display, system) to support argument verification.
  3. Removed the hash_processor API.

This resolves issue #4203.
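The two mechanisms the description names, buffer range verification against unprivileged-accessible memory and copying arguments before use to close the TOC/TOU window, as an added example in C. This is not trezor-firmware code and not the verification routine this PR adds: the memory map in `DEMO_REGIONS`, the `sign_args_t` layout, `syscall_sign`, `fake_sign` and the error codes are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not trezor-firmware code. A privileged syscall handler
 * (1) checks that each caller-supplied buffer lies inside memory the
 *     unprivileged app may access, with the access the handler needs, and
 * (2) snapshots the argument struct and the input data into privileged
 *     storage before checking and using them, so the caller cannot change
 *     them between the check and the use (TOC/TOU).
 * The region table, sign_args_t and the syscall itself are constructed. */

typedef struct {
    uintptr_t start, end;   /* end is exclusive */
    bool writable;
} mem_region_t;

/* Constructed stand-in for the app's memory map, not a real device map. */
const mem_region_t DEMO_REGIONS[] = {
    { 0x20000000u, 0x20010000u, true  },   /* app SRAM window, read/write */
    { 0x08100000u, 0x08180000u, false },   /* app code in flash, read-only */
};

/* True iff [start, start+len) lies inside one region with the needed
 * access. Address wraparound is rejected; an empty range is accepted. */
bool range_accessible(const mem_region_t *regions, size_t nregions,
                      uintptr_t start, size_t len, bool need_write) {
    if (len == 0) return true;
    if (len > UINTPTR_MAX - start) return false;   /* start + len would wrap */
    uintptr_t end = start + len;
    for (size_t i = 0; i < nregions; i++) {
        if (start >= regions[i].start && end <= regions[i].end) {
            return need_write ? regions[i].writable : true;
        }
    }
    return false;   /* not fully inside any single region */
}

#define DIGEST_LEN 32
#define SIG_LEN 64
enum { SYSCALL_OK = 0, SYSCALL_EFAULT = -1, SYSCALL_EINVAL = -2 };

typedef struct {
    const uint8_t *digest;   /* input, DIGEST_LEN bytes */
    size_t digest_len;
    uint8_t *signature;      /* output, SIG_LEN bytes */
} sign_args_t;

/* Placeholder for the signing primitive: a byte fold, not a signature. */
static void fake_sign(const uint8_t *digest, uint8_t *sig) {
    for (size_t i = 0; i < SIG_LEN; i++) sig[i] = digest[i % DIGEST_LEN] ^ (uint8_t)i;
}

int syscall_sign(const sign_args_t *user_args,
                 const mem_region_t *regions, size_t nregions) {
    /* The argument struct lives in caller memory: verify it, then copy it. */
    if (!range_accessible(regions, nregions, (uintptr_t)user_args,
                          sizeof(*user_args), false)) return SYSCALL_EFAULT;
    sign_args_t args;
    memcpy(&args, user_args, sizeof(args));   /* every later check uses this copy */
    if (args.digest_len != DIGEST_LEN) return SYSCALL_EINVAL;
    if (!range_accessible(regions, nregions, (uintptr_t)args.digest,
                          DIGEST_LEN, false)) return SYSCALL_EFAULT;
    if (!range_accessible(regions, nregions, (uintptr_t)args.signature,
                          SIG_LEN, true)) return SYSCALL_EFAULT;
    uint8_t digest[DIGEST_LEN], sig[SIG_LEN];
    memcpy(digest, args.digest, DIGEST_LEN);  /* input snapshot: no re-read later */
    fake_sign(digest, sig);
    memcpy(args.signature, sig, SIG_LEN);     /* write out only after all checks */
    return SYSCALL_OK;
}

/* Self-check: the argument struct and both buffers share one arena that is
 * registered as the app's only region; exercises the good path and three
 * rejected ones. Returns 0 when every case behaves as expected. */
int demo(void) {
    static union { sign_args_t args; uint8_t raw[512]; } arena;
    static uint8_t privileged_secret[DIGEST_LEN];   /* outside the app's region */
    const mem_region_t regions[] = {
        { (uintptr_t)arena.raw, (uintptr_t)arena.raw + sizeof(arena.raw), true } };
    uint8_t *digest = arena.raw + 64, *sig = arena.raw + 128;
    for (size_t i = 0; i < DIGEST_LEN; i++) digest[i] = (uint8_t)(0xA0 + i);
    arena.args.digest = digest; arena.args.digest_len = DIGEST_LEN; arena.args.signature = sig;

    if (syscall_sign(&arena.args, regions, 1) != SYSCALL_OK) return 1;
    if (sig[0] != 0xA0 || sig[33] != ((0xA0 + 1) ^ 33)) return 2;
    arena.args.digest = privileged_secret;                 /* input outside region */
    if (syscall_sign(&arena.args, regions, 1) != SYSCALL_EFAULT) return 3;
    arena.args.digest = digest;
    arena.args.signature = arena.raw + sizeof(arena.raw) - 10; /* output runs off end */
    if (syscall_sign(&arena.args, regions, 1) != SYSCALL_EFAULT) return 4;
    arena.args.signature = sig;
    arena.args.digest_len = 20;                            /* wrong input length */
    if (syscall_sign(&arena.args, regions, 1) != SYSCALL_EINVAL) return 5;
    return 0;
}
```

The ordering inside `syscall_sign` is the point: the pointer to the argument struct is range-checked before it is dereferenced, the struct is copied before any field is inspected, the input digest is copied before the primitive runs, and the output is written only after every check has passed. A handler that validated `user_args->digest` and then read `user_args->digest` again would let a concurrent or interrupt-driven caller swap the pointer in between; the private copies remove that window.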

@cepetr cepetr self-assigned this Sep 30, 2024
@cepetr cepetr added T2B1 Trezor Safe 3 T2T1 Trezor Model T T3T1 T3B1 core Trezor Core firmware. Runs on Trezor Model T and T2B1. labels Sep 30, 2024
@TychoVrahe TychoVrahe linked an issue Sep 30, 2024 that may be closed by this pull request
@cepetr cepetr force-pushed the cepetr/syscall-verify branch 2 times, most recently from 419af94 to d58001f Compare September 30, 2024 11:28
@cepetr cepetr marked this pull request as ready for review September 30, 2024 11:28
@TychoVrahe TychoVrahe removed the request for review from prusnak September 30, 2024 12:04
} break;
#endif

#ifdef USE_OPTIGA
/*optiga_sign_result optiga_sign(uint8_t index, const uint8_t *digest,
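Review bot: the `optiga_sign` prototype under `#ifdef USE_OPTIGA` is left commented out, so this block shows no dispatch case for Optiga signing; if the call is meant to be reachable from unprivileged code it needs a syscall entry whose `digest` argument goes through the same buffer verification as the other cases, and if it is not, the commented-out declaration should be removed rather than kept as dead code.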
Contributor:

Shouldn't we have a SYSCALL_OPTIGA_SIGN though?

Contributor Author:

Yes, thanks for catching that. I've fixed it, see 2cff1e5.

Status: 🔎 Needs review
Successfully merging this pull request may close these issues: Syscall validation
2 participants