HiKey tee-suplicant: not found

[FlynnMa]

Dear Sir,

I am using following https://github.com/linaro-swg/optee_android_manifest to setup my AOSP+OPTEE, I met this issue like tee-suplicant not found, I also tried xtext with following errors

Run test suite with level=0

TEE test application started with device [(null)]
######################################################
#
# XTEST_TEE_TEST
#
######################################################

* XTEST_TEE_1001 Core self tests
ERR [2841] TEEC:TEEC_OpenSession:484: TEE_IOC_OPEN_SESSION failed
  XTEST_TEE_1001 OK

* XTEST_TEE_1004 Test User Crypt TA
ERR [2841] TEEC:TEEC_OpenSession:484: TEE_IOC_OPEN_SESSION failed
external/optee_test/host/xtest/xtest_1000.c:392: xtest_teec_open_session( &session, &crypt_user_ta_uuid, ((void*)0), &ret_orig) has an unexpected value: 0xffff0007 = TEEC_ERROR_BAD_STATE, expected 0x0 = TEEC_SUCCESS
  XTEST_TEE_1004 FAILED

* XTEST_TEE_1005 Many sessions
ERR [2841] TEEC:TEEC_OpenSession:484: TEE_IOC_OPEN_SESSION failed
external/optee_test/host/xtest/xtest_1000.c:445: xtest_teec_open_session(&sessions[i], &os_test_ta_uuid, ((void*)0), &ret_orig) has an unexpected value: 0xffff0007 = TEEC_ERROR_BAD_STATE, expected 0x0 = TEEC_SUCCESS
  XTEST_TEE_1005 FAILED

* XTEST_TEE_1006 Test Basic OS features
ERR [2841] TEEC:TEEC_OpenSession:484: TEE_IOC_OPEN_SESSION failed
external/optee_test/host/xtest/xtest_1000.c:462: xtest_teec_open_session(&session, &os_test_ta_uuid, ((void*)0), &ret_orig) has an unexpected value: 0xffff0007 = TEEC_ERROR_BAD_STATE, expected 0x0 = TEEC_SUCCESS
  XTEST_TEE_1006 FAILED

* XTEST_TEE_1007 Test Panic
ERR [2841] TEEC:TEEC_OpenSession:484: TEE_IOC_OPEN_SESSION failed
external/optee_test/host/xtest/xtest_1000.c:484: xtest_teec_open_session(&session, &os_test_ta_uuid, ((void*)0), &ret_orig) has an unexpected value: 0xffff0007 = TEEC_ERROR_BAD_STATE, expected 0x0 = TEEC_SUCCESS
Segmentation fault

I see this #884, but didnot see there is solution.

Bellow are my OPTEE logs:

NOTICE:  BL3-1: Built : 14:00:04, Jul 14 DEBUG:   TEE-CORE:add_phys_mem:258: 0 8 0x00000000 size 0x01400000
DEBUG:   TEE-CORE:add_phys_mem:258: CFG_SHMEM_START 4 0x3ee00000 size 0x00200000
DEBUG:   TEE-CORE:add_phys_mem:258: CFG_TA_RAM_START 3 0x3f200000 size 0x00e00000
DEBUG:   TEE-CORE:add_phys_mem:258: CFG_TEE_RAM_START 1 0x3f000000 size 0x00100000
DEBUG:   TEE-CORE:add_phys_mem:258: CONSOLE_UART_BASE 6 0xf7000000 size 0x00200000
DEBUG:   TEE-CORE:init_mem_map:392: type va 8 0x3ca00000..0x3ddfffff pa 0x00000000..0x013fffff size 0x1400000
DEBUG:   TEE-CORE:init_mem_map:392: type va 6 0x3de00000..0x3dffffff pa 0xf7000000..0xf71fffff size 0x200000
DEBUG:   TEE-CORE:init_mem_map:392: type va 4 0x3e000000..0x3e1fffff pa 0x3ee00000..0x3effffff size 0x200000
DEBUG:   TEE-CORE:init_mem_map:392: type va 3 0x3e200000..0x3effffff pa 0x3f200000..0x3fffffff size 0xe00000
DEBUG:   TEE-CORE:init_mem_map:392: type va 1 0x3f000000..0x3f0fffff pa 0x3f000000..0x3f0fffff size 0x100000
INFO:    TEE-CORE: Initializing (2.1.0-29-g367040b #1 2016年 07月 14日 星期四 05:59:01 UTC aarch64)
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[0] with top at 0x3f071838
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f07183c
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[1] with top at 0x3f072078
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f07207c
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[2] with top at 0x3f0728b8
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f0728bc
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[3] with top at 0x3f0730f8
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f0730fc
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[4] with top at 0x3f073938
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f07393c
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[5] with top at 0x3f074178
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f07417c
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[6] with top at 0x3f0749b8
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f0749bc
DEBUG:   [0x0] TEE-CORE:init_canaries:153: #Stack canaries for stack_tmp[7] with top at 0x3f0751f8
DEBUG:   [0x0] TEE-CORE:init_canaries:153: watch *0x3f0751fc
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[0] with top at 0x3f075e38
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f075e3c
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[1] with top at 0x3f076a78
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f076a7c
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[2] with top at 0x3f0776b8
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f0776bc
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[3] with top at 0x3f0782f8
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f0782fc
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[4] with top at 0x3f078f38
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f078f3c
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[5] with top at 0x3f079b78
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f079b7c
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[6] with top at 0x3f07a7b8
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f07a7bc
DEBUG:   [0x0] TEE-CORE:init_canaries:154: #Stack canaries for stack_abt[7] with top at 0x3f07b3f8
DEBUG:   [0x0] TEE-CORE:init_canaries:154: watch *0x3f07b3fc
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[0] with top at 0x3f07d438
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f07d43c
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[1] with top at 0x3f07f478
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f07f47c
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[2] with top at 0x3f0814b8
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f0814bc
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[3] with top at 0x3f0834f8
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f0834fc
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[4] with top at 0x3f085538
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f08553c
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[5] with top at 0x3f087578
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f08757c
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[6] with top at 0x3f0895b8
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f0895bc
DEBUG:   [0x0] TEE-CORE:init_canaries:159: #Stack canaries for stack_thread[7] with top at 0x3f08b5f8
DEBUG:   [0x0] TEE-CORE:init_canaries:159: watch *0x3f08b5fc
INFO:    TEE-CORE: Initialized

[FlynnMa]

Currently I am using boot_fat.uefi.imggenerated by AOSP, if I use boot-fat.uefi.img which is generated by https://github.com/OP-TEE/optee_os for HiKey, xtest can run for very long time, with lots of success results. But still have the tee-suplicant: not found issue.

The problem is if I use boot-fat.uefi.img which is generated by https://github.com/OP-TEE/optee_os, android can not be lunched.

[FlynnMa]

According with jbech-linaro from #865
Following test looks like my OPTEE kenel driver has not been loaded

hikey:/ $ dmesg | grep optee
dmesg | grep optee
[    4.302930] optee firmware:optee: probing for conduit method from DT.
[    4.309735] optee firmware:optee: initialized driver
hikey:/ $ tee-supplicant&
tee-supplicant&
[1] 3714
hikey:/ $ ERR [3714] TEES:main:380: failed to find an OP-TEE supplicant device

Then my xtest starts run with su;tee-supplicant &

hikey:/ $ su
su
hikey:/ # tee-supplicant &
tee-supplicant &
[1] 4065
hikey:/ #

hikey:/ # xtest
xtest
Run test suite with level=0

TEE test application started with device [(null)]
######################################################
#
# XTEST_TEE_TEST
#
######################################################

* XTEST_TEE_1001 Core self tests
ERR [4065] TEES:load_ta:199:   TA not found
  XTEST_TEE_1001 OK

* XTEST_TEE_1004 Test User Crypt TA
o XTEST_TEE_1004.1 AES encrypt
  XTEST_TEE_1004.1 OK
o XTEST_TEE_1004.2 AES decrypt
  XTEST_TEE_1004.2 OK
o XTEST_TEE_1004.3 SHA-256 test, 3 bytes input
  XTEST_TEE_1004.3 OK
o XTEST_TEE_1004.4 AES-256 ECB encrypt test, 32 bytes input, with fixed key
  XTEST_TEE_1004.4 OK
o XTEST_TEE_1004.5 AES-256 ECB decrypt test, 32 bytes input, with fixed key
  XTEST_TEE_1004.5 

[FlynnMa]

I just closed it, I am still intrested in how to load tee-supplicant automatically on system startup, please kindly give me your comments if you know.

[vchong]

Currently I am using boot_fat.uefi.imggenerated by AOSP, if I use boot-fat.uefi.img which is generated by https://github.com/OP-TEE/optee_os for HiKey, xtest can run for very long time, with lots of success results. But still have the tee-suplicant: not found issue.

The supplicant is automatically loaded on boot for the regular HiKey build. If not loaded, then there shouldn't be lots of success results. The not found issue is probably due to you trying to start it a second time.

I am still interested in how to load tee-supplicant automatically on system startup

Based on https://github.com/linaro-swg/device-linaro-hikey/blob/master/init.hikey.rc#L93, it should have been automatically loaded for the Android HiKey build as well, but not sure why it's not. On your board, if you run ps -ef | grep tee-supplicant as soon as Android boots up, do you see tee-supplicant already running?

Additionally, see #903 for discussion regarding Android permission issue.

[FlynnMa]

Hi vchong,

Thanks for reply, regarding the auto launch of "tee-supplicant", I have checked other services defined by init.hikey.rc, applications auto launched includes: uim, tee-supplicant, wpa_supplicant, dhcpcd_wlan0, dhcpcd_eth0, dpcpcd_usb0, dhcpcd_bt-pan. So I checked background daemon with ps command, it shows nothing running:

$ adb shell
hikey:/ # ps
ps
USER       PID  PPID    VSZ   RSS WCHAN              PC S NAME
root      2182  1967   7756  2604 sigsuspend 7fb7e829e0 S sh
root      2212  2182   9440  2512 0          7fb7ce7340 R ps

So I tried with su;tee-supplicant & and then do psagain, tee-supplicant runs background, looks my init.hikey.rc does not work at all, I guess this is the root cause.

hikey:/ # su;tee-supplicant&
su;tee-supplicant&
hikey:/ # ps
ps
USER       PID  PPID    VSZ   RSS WCHAN              PC S NAME                  
root      3324  1967   7756  2616 sigsuspend 7fb7d5a9e0 S sh
root      3335  3324   7512  1720 _supp_recv 7fb7d4f908 S tee-supplicant
root     15888  3324   7756  1748 sigsuspend 7fb7d5a9e0 S sh
root     15895 15888   9440  2452 0          7fb7ddc340 R ps

[vchong]

Hi @Marduino,

Thanks! Can you run su before running ps, just to see if it makes a difference? It might be an issue but not sure right now if there are resources available to look into it.

[FlynnMa]

hi @vchong,

I guess I am close to the root cause now. Following are su and ps

hikey:/ $ su
su
hikey:/ # ps
ps
USER       PID  PPID    VSZ   RSS WCHAN              PC S NAME                  
shell     2020  1781   7756  2596 sigsuspend 7fb7d949e0 S sh
root      2114  2020   7756  1820 sigsuspend 7fb7e829e0 S sh
root      2156  2114   9440  2548 0          7fb7d53340 R ps

I tested with the repo manifest provided by https://github.com/OP-TEE/optee_os for hikey, it shows services as bellow:

root@HiKey:/ ps
PID   USER     TIME   COMMAND
    1 root       0:01 init
    2 root       0:00 [kthreadd]
    3 root       0:00 [ksoftirqd/0]
    4 root       0:00 [kworker/0:0]
    5 root       0:00 [kworker/0:0H]
    6 root       0:00 [kworker/u16:0]
    7 root       0:00 [rcu_preempt]
    8 root       0:00 [rcu_sched]
    9 root       0:00 [rcu_bh]
   10 root       0:00 [migration/0]
   11 root       0:00 [watchdog/0]
   12 root       0:00 [watchdog/1]
   13 root       0:00 [migration/1]
   14 root       0:00 [ksoftirqd/1]
   15 root       0:00 [kworker/1:0]
   16 root       0:00 [kworker/1:0H]
   17 root       0:00 [watchdog/2]
   18 root       0:00 [migration/2]
   19 root       0:00 [ksoftirqd/2]
   20 root       0:00 [kworker/2:0]
   21 root       0:00 [kworker/2:0H]
   22 root       0:00 [watchdog/3]
   23 root       0:00 [migration/3]
   24 root       0:00 [ksoftirqd/3]
   25 root       0:00 [kworker/3:0]
   26 root       0:00 [kworker/3:0H]
   27 root       0:00 [watchdog/4]
   28 root       0:00 [migration/4]
   29 root       0:00 [ksoftirqd/4]
   30 root       0:00 [kworker/4:0]
   31 root       0:00 [kworker/4:0H]
   32 root       0:00 [watchdog/5]
   33 root       0:00 [migration/5]
   34 root       0:00 [ksoftirqd/5]
   35 root       0:00 [kworker/5:0]
   36 root       0:00 [kworker/5:0H]
   37 root       0:00 [watchdog/6]
   38 root       0:00 [migration/6]
   39 root       0:00 [ksoftirqd/6]
   40 root       0:00 [kworker/6:0]
   41 root       0:00 [kworker/6:0H]
   42 root       0:00 [watchdog/7]
   43 root       0:00 [migration/7]
   44 root       0:00 [ksoftirqd/7]
   45 root       0:00 [kworker/7:0]
   46 root       0:00 [kworker/7:0H]
   47 root       0:00 [kdevtmpfs]
   48 root       0:00 [kworker/u16:1]
   52 root       0:00 [kworker/u16:2]
  118 root       0:00 [kworker/u16:3]
  320 root       0:00 [khungtaskd]
  321 root       0:00 [writeback]
  323 root       0:00 [ksmd]
  324 root       0:00 [khugepaged]
  325 root       0:00 [crypto]
  326 root       0:00 [bioset]
  328 root       0:00 [kblockd]
  340 root       0:00 [ata_sff]
  453 root       0:00 [kworker/1:1]
  454 root       0:00 [rpciod]
  455 root       0:00 [kworker/2:1]
  457 root       0:00 [kvm_arch_timer]
  458 root       0:00 [kvm-irqfd-clean]
  502 root       0:00 [kswapd0]
  503 root       0:00 [vmstat]
  588 root       0:00 [nfsiod]
  718 root       0:00 [bioset]
  721 root       0:00 [bioset]
  724 root       0:00 [bioset]
  727 root       0:00 [bioset]
  730 root       0:00 [bioset]
  733 root       0:00 [bioset]
  736 root       0:00 [bioset]
  739 root       0:00 [bioset]
  789 root       0:00 [vfio-irqfd-clea]
  803 root       0:00 [kpsmoused]
  856 root       0:00 [deferwq]
  878 root       0:00 /sbin/telnetd
  884 root       0:00 tee-supplicant
  886 root       0:00 init
  887 root       0:00 /bin/sh -sc . /etc/profile
  888 root       0:00 ps

[FlynnMa]

I think the root cause is due to init failed, but not sure how to fix:

[    6.135353] init: waitpid failed: No child processes
[    6.149422] init: createProcessGroup(0, 1304) failed for service 'ueventd': N     o such file or directory
[    6.485034] init: /dev/hw_random not found
[    6.498999] init: write_file: Unable to open '/proc/cpu/alignment': No such f     ile or directory
[    6.507714] init: write_file: Unable to open '/proc/sys/kernel/sched_tunable_     scaling': No such file or directory
[    6.518059] init: write_file: Unable to open '/proc/sys/kernel/sched_latency_     ns': No such file or directory
[    6.527981] init: write_file: Unable to open '/proc/sys/kernel/sched_wakeup_g     ranularity_ns': No such file or directory
[    6.556289] init: /dev/hw_random not found
[    6.775202] audit: type=1400 audit(12.495:5): avc:  denied  { create } for  p     id=1 comm="init" name="sdcard" scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0      tclass=lnk_file permissive=1
[    6.792315] init: write_file: Unable to open '/sys/devices/leds/leds/bt_activ     e/trigger': No such file or directory
[    6.805241] init: /recovery not specified in fstab
[    7.086114] init: write_file: Unable to open '/proc/sys/vm/min_free_order_shi     ft': No such file or directory
[    7.099947] logd.daemon: reinit
[    7.108138] type=1400 audit(12.827:7): avc: denied { add_name } for pid=1 com     m="init" name="g1" scontext=u:r:init:s0 tcontext=u:object_r:configfs:s0 tclass=d     ir permissive=1
[    7.110603] init: write_file: Unable to open '/config/usb_gadget/g1/functions     /rndis.gs4/wceis': Permission denied
[    7.119223] init: cannot find '/system/bin/update_verifier', disabling 'exec      2 (/system/bin/update_verifier)': No such file or directory
[    7.119285] init: cannot find '/system/bin/install-recovery.sh', disabling 'f     lash_recovery': No such file or directory
[    7.121311] init: service tee-supplicant does not have a SELinux domain defin     ed
[    7.294695] init: write_file: Unable to open '/sys/class/android_usb/android0     /enable': Permission denied
[    7.294778] init: write_file: Unable to open '/sys/class/android_usb/android0     /idVendor': Permission denied
[    7.294784] type=1400 audit(13.015:16): avc: denied { write } for pid=1 comm=     "init" name="android0" dev="sysfs" ino=13270 scontext=u:r:init:s0 tcontext=u:obj     ect_r:sysfs:s0 tclass=dir permissive=1
[    7.294840] init: write_file: Unable to open '/sys/class/android_usb/android0     /idProduct': Permission denied
[    7.294906] init: write_file: Unable to open '/sys/class/android_usb/android0     /functions': Permission denied
[    7.294966] init: write_file: Unable to open '/sys/class/android_usb/android0     /enable': Permission denied

[vchong]

Thanks @Marduino!

So there's the problem there:

[    7.121311] init: service tee-supplicant does not have a SELinux domain defined

Not sure why there are so many other errors as well for the other stuffs.

@kuscsik fyi above

[FlynnMa]

@kuscsik I am lost in this, no clue, would you please help me?

[vchong]

@Marduino He (@kuscsik) might look into this, but there's no time frame or schedule for it. It depends on other priorities. Just fyi.

[d3zd3z]

For a non-development build, the supplicant will need a SELinux domain defined for it to even be able to run it from the command line. Likewise, apps will also need to have domains modified to be able to open the tee device (once we solve the permissions issues as well).

[zoltan-ongithub]

I'm working on a fix to put the supplicant into the SELinux domain of the mediaplayer service. Testing the image right now. I'm also setting tee devices to the media permission group.

[d3zd3z]

@kuscsik this does seem like it will solve the short term issue of permissions. I wonder if it is going to preclude using OP-TEE for something other than media playback, though?

[zoltan-ongithub]

@d3zd3z Good point. I started to add a new tee_supplicant selinux domain for optee. I got the device files now with the new SELinux domain working, but I still need to ensure the tee-supplicant is started with the right permissions. Update coming soon...

[zoltan-ongithub]

Fix submitted for review:

linaro-swg/device-linaro-hikey#4

[ghost]

We're closing this issue since the question has been answered. If you however feel that you have additional questions or still thinks this is an issue, please feel free to re-open the issue again.