SET(TARGET_TEF_SIMULATOR_OSAL ${TARGET_TEF_SIMULATOR}-osal)
SET(TARGET_TEF_SIMULATOR_DAEMON ${TARGET_TEF_SIMULATOR}-daemon)
SET(TARGET_TEF_SIMULATOR_DAEMONCTL ${TARGET_TEF_SIMULATOR}-daemonctl)
+SET(TARGET_TEF_SIMULATOR_DEBUGPROXY ${TARGET_TEF_SIMULATOR}-debugproxy)
SET(TARGET_TEF_SIMULATOR_SSFLIB ${TARGET_TEF_SIMULATOR}-ssflib)
# below targets need different names due to linking with CAs and TAs (libteec for client)
%manifest tef-simulator.manifest
%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-daemon
%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-daemonctl
+%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-debugproxy
%{lib_dir}/libtef-simulator-ssflib.so
%{lib_dir}/libtef-simulator-log.so
%{lib_dir}/libTEEStubEx.so
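Review bot: The added `%attr(111,security_fw,security_fw)` entry for `tef-simulator-debugproxy` sets only ownership and mode, and nothing in the visible lines gives the binary the `System` label or the service unit that the README added in this commit says it needs. If `tef-simulator.manifest` assigns one label to every packaged file, the proxy would presumably start with the daemon's label and bridge nothing; confirm this against the manifest, which is not shown here. Mode 111 also lets any local user execute a helper whose purpose is to relax MAC for debugging, so `110` may be the safer default unless other users must start it. The %files section continues outside the visible lines.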
#
SET(DAEMONCTL_PATH ${DAEMON_PATH}/daemonctl)
+SET(DEBUGPROXY_PATH ${DAEMON_PATH}/debugproxy)
PKG_CHECK_MODULES(DAEMON_DEPS REQUIRED
libsystemd-daemon
FIND_PACKAGE(Threads REQUIRED)
-SET(DAEMONCTL_PATH ${DAEMON_PATH}/daemonctl)
-
SET(DAEMON_SOURCES
${DAEMON_PATH}/src/ConnectionSession.cpp
${DAEMON_PATH}/src/ControlConnectionHandler.cpp
INSTALL(DIRECTORY DESTINATION ${BUILD_ROOT}${STORAGE_DIR})
ADD_SUBDIRECTORY(daemonctl)
+ADD_SUBDIRECTORY(debugproxy)
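Review bot: `ADD_SUBDIRECTORY(debugproxy)` is unconditional, so a helper that the README in this commit describes as punching a hole in MAC for TA debugging is built and installed in every build of the package. If this package can end up on images where debugging is not wanted, gate it behind an option that defaults to off, for example `OPTION(TEF_SIMULATOR_DEBUGPROXY "Build the TA debug proxy" OFF)` with `IF(TEF_SIMULATOR_DEBUGPROXY)` and `ENDIF()` around this line (the option name is only a suggestion). The matching `%files` entry in the spec would need the same condition.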
--- /dev/null
+# Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file
+# @author Igor Kotrasinski (i.kotrasinsk@partner.samsung.com)
+# @brief CMakeLists for tef-simulator daemon debugproxy
+#
+
+SET(DEBUGPROXY_SOURCES
+ ${DEBUGPROXY_PATH}/src/main.cpp
+ )
+
+ADD_EXECUTABLE(${TARGET_TEF_SIMULATOR_DEBUGPROXY}
+ ${DEBUGPROXY_SOURCES}
+ )
+
+INCLUDE_DIRECTORIES(
+ ${DEBUGPROXY_PATH}/inc
+ )
+
+INSTALL(TARGETS ${TARGET_TEF_SIMULATOR_DEBUGPROXY} DESTINATION ${BIN_DIR})
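Review bot: `INCLUDE_DIRECTORIES(${DEBUGPROXY_PATH}/inc)` is directory-scoped, so it applies to every target defined in this directory rather than to the proxy alone; `TARGET_INCLUDE_DIRECTORIES(${TARGET_TEF_SIMULATOR_DEBUGPROXY} PRIVATE ${DEBUGPROXY_PATH}/inc)` states the intent. No `inc` directory is added in the visible part of the commit, so the line may be premature. The file also sets no hardening options (PIE, stack protector, RELRO) on the target; if the parent CMakeLists does not already apply them globally, they belong here, since the proxy will accept connections on behalf of gdbserver.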
--- /dev/null
+This binary is intended to help tef-simulator punch a hole in MAC for TA
+debugging. Details follow below.
+
+
+Problem
+=======
+- tef-simulator runs with the `System::TEF` label, and so does everything that
+ needs to access TAs
+- This includes instances of gdbserver that the simulator launches when a TA is
+ run with debug mode
+- Currently debugging works as follows:
+ - A mapping between UUIDs and ports can be set up using
+ tef-simulator-daemonctl
+ - When launching a TA, if a mapping is set, gdbserver is launched listening
+ on a provided localhost port
+ - The host can use `sdb forward` to communicate with the gdbserver instance
+ on the device
+ - Under the hood, sdb daemons on host and device communicate on remote
+ ports, serving as proxies between local ports on host and device
+ - sdbd on device runs as `sdk` user with `System` label
+- This causes a problem when gdbserver is run with `System::TEF` label, as a
+ process with a `System` label is denied connection to its port!
+
+
+Solution
+==================
+- Make a new daemon - tef-simulator-debugproxy
+- Runs with `System` label, as `security_fw` user, exposes a
+ `/var/run/tef-simulator-debugproxy` socket
+- The socket has a `security_fw` owner and group, `0660` permissions
+- When launching a TA in debug mode, tef-simulator opens the debugproxy socket
+ and tells the debugproxy which port it should listen to
+- After that, tef-simulator forks, makes the socket its stdin/stdout and runs
+ gdbserver in stdin/out mode
+- The debugproxy listens for connections, gets the port it should listen to,
+ then listens on it forwarding all communications to and from the gdbserver
--- /dev/null
+int main() {
+ return 0;
+}
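Review bot: `main()` returns 0 without doing anything, yet the same commit installs and packages the binary, so a started proxy exits successfully and a caller cannot tell it is a stub. Add a comment such as `// Placeholder: proxy logic is not implemented yet.` and consider returning a non-zero status until it is. When the logic lands, the properties the README relies on need to be enforced in code: the socket owned by `security_fw` with `0660`, and forwarding only on the port tef-simulator requested. The forwarded port should ideally be bound to loopback only, as the README describes gdbserver doing today.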