msm8916: Add HW backed keymaster v1 support

Install HW backed keymaster HAL binaries into dragonboard.
Add selinux rules to run qseecom daemon.

BUG=24675146

Change-Id: I73afdeb0a46540799a594e37f3cd5926e51ae334
Signed-off-by: Sourabh Banerjee <sbanerje@codeaurora.org>

6 files changed, 175 insertions, 4 deletions

diff --git a/soc/msm8916/init.msm8916.rc b/soc/msm8916/init.msm8916.rc
index 7c06538..85460d6 100644
--- a/soc/msm8916/init.msm8916.rc
+++ b/soc/msm8916/init.msm8916.rc
@@ -32,3 +32,7 @@ on fs
     mount vfat /dev/block/platform/soc.0/7824900.sdhci/by-name/modem /firmware ro context=u:object_r:firmware_file:s0,shortname=lower,uid=1000,gid=1000,dmask=227,fmask=337
     chown bluetooth net_bt_stack /dev/smd2
     chown bluetooth net_bt_stack /dev/smd3
+    chown system system /dev/ion
+    chown system drmrpc /dev/qseecom
+    chmod 0664 /dev/ion
+    chmod 0660 /dev/qseecom
diff --git a/soc/msm8916/prebuilts/qseecom.rc b/soc/msm8916/prebuilts/qseecom.rc
new file mode 100644
index 0000000..34131ba
--- /dev/null
+++ b/soc/msm8916/prebuilts/qseecom.rc
@@ -0,0 +1,34 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+on post-fs
+    symlink /dev/block/mmcblk0p3 /dev/block/bootdevice/by-name/ssd
+
+service qseecomd /system/bin/qseecomd
+    class core
+    user root
+    group root
diff --git a/soc/msm8916/prebuilts/sepolicy/device.te b/soc/msm8916/prebuilts/sepolicy/device.te
index 8efe124..4d107f1 100644
--- a/soc/msm8916/prebuilts/sepolicy/device.te
+++ b/soc/msm8916/prebuilts/sepolicy/device.te
@@ -6,3 +6,15 @@ type modem_efs_partition_device, dev_type;
 type shared_log_device, dev_type;
 type smem_log_device, dev_type;
 type ssd_block_device, dev_type;
+type rpmb_device, dev_type;
+type sg_device, dev_type;
+type data_qsee_file, file_type;
+type persist_file, file_type;
+type persist_data_file, file_type;
+type persist_drm_file, file_type;
+type ssd_device, dev_type;
+type time_daemon, domain;
+type qfp-daemon_data_file, file_type, data_file_type;
+type mdtp_device, dev_type;
+type dip_device, dev_type;
+type qce_device, dev_type;
diff --git a/soc/msm8916/prebuilts/sepolicy/file_contexts b/soc/msm8916/prebuilts/sepolicy/file_contexts
index 20e8ff4..79c9f0a 100644
--- a/soc/msm8916/prebuilts/sepolicy/file_contexts
+++ b/soc/msm8916/prebuilts/sepolicy/file_contexts
@@ -1,18 +1,24 @@
-# Qualcomm daemons for audio
+# Daemons for audio
 /system/bin/qmuxd                                      u:object_r:qmux_exec:s0
 /system/bin/rmt_storage                                u:object_r:rmt_exec:s0
 
+# Daemon for TEE
+/system/bin/qseecomd                                   u:object_r:tee_exec:s0
+
 # Files and symlinks used by qmuxd and rmt_storage.
 /dev/block/mmcblk0p1                                   u:object_r:modem_efs_partition_device:s0
 /dev/block/mmcblk0p12                                  u:object_r:modem_efs_partition_device:s0
 /dev/block/mmcblk0p13                                  u:object_r:modem_efs_partition_device:s0
 /dev/block/mmcblk0p15                                  u:object_r:modem_efs_partition_device:s0
 /dev/block/mmcblk0p2                                   u:object_r:modem_efs_partition_device:s0
+/dev/block/mmcblk0p3                                   u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/modemst1                 u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/modemst2                 u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/fsg                      u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/fsc                      u:object_r:modem_efs_partition_device:s0
 
+/dev/block/mmcblk0rpmb                                 u:object_r:rpmb_device:s0
+
 /data/misc/modem_config(/.*)?                          u:object_r:modem_config_file:s0
 
 /dev/block/mmcblk0                                     u:object_r:mmc_block_device:s0
@@ -27,3 +33,4 @@
 /dev/mhi_pipe_.*                                       u:object_r:mhi_device:s0
 /dev/diag                                              u:object_r:diag_device:s0
 /dev/smem_log                                          u:object_r:smem_log_device:s0
+/dev/qseecom                                           u:object_r:tee_device:s0
diff --git a/soc/msm8916/prebuilts/sepolicy/qseecomd.te b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
new file mode 100644
index 0000000..ef10f51
--- /dev/null
+++ b/soc/msm8916/prebuilts/sepolicy/qseecomd.te
@@ -0,0 +1,91 @@
+# Tee starts as root, and drops privileges
+allow tee self:capability {
+    setuid
+    setgid
+    sys_admin
+    chown
+    sys_rawio
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback feature
+allow tee modem_efs_partition_device:blk_file rw_file_perms;
+
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+# Need to figure out how many scsi generic devices are preset
+# before being able to identify which one is rpmb device
+allow tee device:dir r_dir_perms;
+allow tee sg_device:chr_file { rw_file_perms setattr };
+
+# Allow qseecom to qsee folder so that listeners can create
+# respective directories
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+allow tee persist_file:dir r_dir_perms;
+r_dir_file(tee, persist_data_file)
+
+# Write to drm related pieces of persist partition
+allow tee persist_drm_file:dir create_dir_perms;
+allow tee persist_drm_file:file create_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# Allow tee to operate tee device
+allow tee tee_device:chr_file rw_file_perms;
+
+# Allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+# Allow qseecom access to time domain
+allow tee time_daemon:unix_stream_socket connectto;
+
+# Allow tee access for secure UI to work
+allow tee graphics_device:dir r_dir_perms;
+allow tee graphics_device:chr_file r_file_perms;
+
+binder_use(tee)
+
+allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+# Allow qseecom access to set system property
+allow tee system_prop:property_service set;
+
+userdebug_or_eng(`
+  allow tee su:unix_dgram_socket sendto;
+')
+
+# Allow qseecom access to set system property
+allow tee system_prop:property_service set;
+
+# Allow access to qfp-daemon
+allow tee qfp-daemon_data_file:dir create_dir_perms;
+allow tee qfp-daemon_data_file:file create_file_perms;
+
+# Provide access to block devices for MDTP
+allow tee mdtp_device:blk_file rw_file_perms;
+allow tee dip_device:blk_file rw_file_perms;
+allow tee system_block_device:blk_file r_file_perms;
+
+# Provide access to QC Crypto driver for MDTP
+allow tee qce_device:chr_file rw_file_perms;
+
+# Provide access to /data/misc/qsee/mdtp for MDTP temp files
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:{ file fifo_file } create_file_perms;
+
+# Provide read access to all /system files for MDTP file-to-block-mapping
+r_dir_file(tee, exec_type)
+r_dir_file(tee, system_file)
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee)
+allow tee self:socket create_socket_perms;
+
+# Provide tee ability to run executables in rootfs for MDTP
+allow tee rootfs:file x_file_perms;
diff --git a/soc/msm8916/soc.mk b/soc/msm8916/soc.mk
index da282e9..4e4915e 100644
--- a/soc/msm8916/soc.mk
+++ b/soc/msm8916/soc.mk
@@ -53,7 +53,7 @@ $(call add_kernel_configs, $(realpath $(LOCAL_PATH)/soc.kconf))
 DEVICE_PACKAGES += \
 	keystore.default
 
-# Include Qualcomm Bool Control HAL.
+# Include Bool Control HAL.
 DEVICE_PACKAGES += \
 	bootctrl.msm8916
 
@@ -73,11 +73,11 @@ MM_AUDIO_ENABLED_FTM := true
 MM_AUDIO_ENABLED_SAFX := true
 TARGET_USES_QCOM_MM_AUDIO := true
 
-# Include Qualcomm Audio HAL implementation.
+# Include Audio HAL implementation.
 DEVICE_PACKAGES += \
 	audio.primary.msm8916
 
-# Include Qualcomm Lights HAL implementation.
+# Include Lights HAL implementation.
 DEVICE_PACKAGES += \
 	lights.msm8916 \
 
@@ -92,6 +92,10 @@ PRODUCT_COPY_FILES += \
 PRODUCT_COPY_FILES += \
 	$(LOCAL_PATH)/prebuilts/audio.rc:system/etc/init/audio.rc \
 
+# Include prebuilts to support keymaster.
+PRODUCT_COPY_FILES += \
+	$(LOCAL_PATH)/prebuilts/qseecom.rc:system/etc/init/qseecom.rc \
+
 PRODUCT_LIBRARY_PATH := $(TOP)/vendor/bsp/qcom/device/dragonboard/linux_410c_board_support_package_LA.BR.1.2.4_rb1.10
 
 # Audio daemons.
@@ -120,3 +124,22 @@ PRODUCT_COPY_FILES += \
 	$(PRODUCT_LIBRARY_PATH)/lib/libbtnv.so:/system/lib/libbtnv.so \
 	$(PRODUCT_LIBRARY_PATH)/lib/libbt-vendor.so:/system/lib/libbt-vendor.so \
 
+# QSEE libs.
+PRODUCT_COPY_FILES += \
+	$(PRODUCT_LIBRARY_PATH)/lib/libQSEEComAPI.so:/system/lib/libQSEEComAPI.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/libQSEEComAPIStaticHelper.so:/system/lib/libQSEEComAPIStaticHelper.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/librpmb.so:/system/lib/librpmb.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/librpmbStaticHelper.so:/system/lib/librpmbStaticHelper.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/libssd.so:/system/lib/libssd.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/libssdStaticHelper.so:/system/lib/libssdStaticHelper.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/libdrmfs.so:/system/lib/libdrmfs.so \
+	$(PRODUCT_LIBRARY_PATH)/lib/libdrmtime.so:/system/lib/libdrmtime.so \
+
+# QSEECom daemons.
+PRODUCT_COPY_FILES += \
+	$(PRODUCT_LIBRARY_PATH)/bin/qseecomd:/system/bin/qseecomd \
+	$(PRODUCT_LIBRARY_PATH)/bin/qseecomd_static:/system/bin/qseecomd_static \
+
+# Include keystore library.
+PRODUCT_COPY_FILES += \
+	$(PRODUCT_LIBRARY_PATH)/lib/hw/keystore.msm8916.so:/system/lib/hw/keystore.msm8916.so