# Copyright 2016 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Open Trusted Execution driver for /dev/tlk_device
# Reference source code:
# https://android.googlesource.com/kernel/tegra/+/android-tegra-dragon-3.18-marshmallow-dr-dragon/security/tlk_driver/ote_protocol.h

include <linux/ioctl.h>
include <linux/types.h>
include <security/tlk_driver/ote_protocol.h>

# fd_tlk is the descriptor returned by syz_open_dev$tlk_device; every ioctl below requires one.
# te_session_id is a 32-bit session handle. It is written back through te_answer and
# consumed by te_closesession and te_launchop, so calls that use a session can be
# chained after the call that produced it.
resource fd_tlk[fd]
resource te_session_id[int32]

# Opens the fixed path /dev/tlk_device; id is pinned to 0, only the open flags vary.
syz_open_dev$tlk_device(dev ptr[in, string["/dev/tlk_device"]], id const[0], flags flags[open_flags]) fd_tlk

# The three session ioctls pass a user pointer to a request struct marked inout,
# i.e. the description allows the driver to both read and write the struct.
# TE_IOCTL_SS_CMD differs: its argument is a scalar taken from te_ss_cmd_flags, not a pointer.
ioctl$TE_IOCTL_OPEN_CLIENT_SESSION(fd fd_tlk, cmd const[TE_IOCTL_OPEN_CLIENT_SESSION], arg ptr[inout, te_opensession])
ioctl$TE_IOCTL_CLOSE_CLIENT_SESSION(fd fd_tlk, cmd const[TE_IOCTL_CLOSE_CLIENT_SESSION], arg ptr[inout, te_closesession])
ioctl$TE_IOCTL_LAUNCH_OPERATION(fd fd_tlk, cmd const[TE_IOCTL_LAUNCH_OPERATION], arg ptr[inout, te_launchop])
ioctl$TE_IOCTL_SS_CMD(fd fd_tlk, cmd const[TE_IOCTL_SS_CMD], arg flags[te_ss_cmd_flags])

# Flag sets; the constant values are resolved from the included ote_protocol.h.
# te_oper_param_type_flags feeds te_oper_param.type.
te_ss_cmd_flags = TE_IOCTL_SS_CMD_GET_NEW_REQ, TE_IOCTL_SS_CMD_REQ_COMPLETE
te_oper_param_type_flags = TE_PARAM_TYPE_NONE, TE_PARAM_TYPE_INT_RO, TE_PARAM_TYPE_INT_RW, TE_PARAM_TYPE_MEM_RO, TE_PARAM_TYPE_MEM_RW, TE_PARAM_TYPE_PERSIST_MEM_RO, TE_PARAM_TYPE_PERSIST_MEM_RW, TE_PARAM_TYPE_FLAGS_PHYS_LIST

# Values of time_low, time_mid, time_hi_and_version, clock_seq_and_node don't seem to mean anything.
# 16-byte service identifier (4 + 2 + 2 + 8 bytes), used as dest_uuid in te_opensession.
# NOTE(review): the unused_ prefix presumably marks fields the driver was found not to
# interpret; confirm against ote_protocol.h before relying on it.
te_service_id {
	unused_time_low	int32
	unused_time_mid	int16
	unused_time_hi_and_version	int16
	unused_clock_seq_and_node	array[int8, 8]
}

# Argument of TE_IOCTL_OPEN_CLIENT_SESSION. answer points to an output te_answer,
# which is where a new te_session_id is produced.
te_opensession {
	dest_uuid	te_service_id
	operation	te_operation
	answer	ptr[out, te_answer]
}

# Argument of TE_IOCTL_CLOSE_CLIENT_SESSION; consumes a previously produced session_id.
te_closesession {
	session_id	te_session_id
	answer	ptr[out, te_answer]
}

# Result record written through the answer pointers above.
te_answer {
	result	int32
	session_id	te_session_id
	result_origin	int32
}

# Argument of TE_IOCTL_LAUNCH_OPERATION.
te_launchop {
	session_id	te_session_id
	operation	te_operation
	# NOTE(review): answer is a plain int64 here but ptr[out, te_answer] in te_opensession
	# and te_closesession. If the driver treats this field as a user pointer, the fuzzer
	# only ever supplies arbitrary integers for it and never a mapped output buffer.
	# Confirm against ote_protocol.h.
	answer	int64
}

# Operation descriptor embedded in open-session and launch requests.
# list_head and unused_list_tail are independent user pointers to te_oper_param, and
# list_count is a free int32 that is not tied to the length of the chain reachable
# through next_ptr_user. The description can therefore produce a count that disagrees
# with the actual list, which exercises the driver's bounds handling.
te_operation {
	unused_command	int32
	status	int32
	list_head	ptr[in, te_oper_param]
	unused_list_tail	ptr[in, te_oper_param]
	list_count	int32
	unused_interface_side	int32
}

# Payload of one parameter: either an integer or a memory reference.
# Nothing here links the chosen arm to te_oper_param.type, so type and payload can mismatch.
te_int_mem_union [
	int	int32
	Mem	te_mem
]

# User memory reference: base is a mapped address (vma), len is an unconstrained int32
# that is not derived from the size of the mapping at base.
te_mem {
	base	vma
	len	int32
}

# One node of the parameter list. next_ptr_user is optional (may be NULL) and otherwise
# points to another te_oper_param, forming a singly linked list in user memory.
te_oper_param {
	index	int32
	type	flags[te_oper_param_type_flags, int32]
	u	te_int_mem_union
	next_ptr_user	ptr[in, te_oper_param, opt]
}