What is a sync_exception?

Can anyone explain what a sync_exception is, and whether it’s something that a misbehaving secure application should be able to provoke?

I have one that reproducibly occurs during a call to HMAC_Init_ex.

Thanks,

Edmund

[   37.782470] [TRUSTY] sync_exception
[   37.782556] [TRUSTY] -----------------------------------------------
[   37.782702] [TRUSTY]  [Stack Trace]
[   37.782783] [TRUSTY] 
[   37.782844] [TRUSTY] [ 00 ] => pc: 0x0000000000064DCC  sp: 0xFFFFFFFFEA90F010
[   37.782989] [TRUSTY] [ 01 ] => pc: 0xFFFFFFFFEA802DA0  sp: 0xFFFFFFFFEA90F030
[   37.783165] [TRUSTY] -----------------------------------------------
[   37.784974] [TRUSTY] iframe 0xffffffffea90ef20:
[   37.789741] [TRUSTY] x0  0x           6608c x1  0x               2 x2  0x           64dcc x3  0x           64dcc
[   37.799779] [TRUSTY] x4  0x           6608c x5  0x           6608c x6  0x               0 x7  0x           66088
[   37.809493] [TRUSTY] x8  0x           59558 x9  0x           660a4 x10 0x           59558 x11 0x          fffffc
[   37.819465] [TRUSTY] x12 0x        446ed2d4 x13 0x          fff768 x14 0x           3f3c4 x15 0xffffffffea8dc3d8
[   37.829627] [TRUSTY] x16 0x               1 x17 0x               0 x18 0x               0 x19 0xffffffffea8fb748
[   37.839332] [TRUSTY] x20 0x               0 x21 0x               0 x22 0x               0 x23 0x               0
[   37.849646] [TRUSTY] x24 0x               0 x25 0x               0 x26 0x               0 x27 0x               0
[   37.859533] [TRUSTY] x28 0x               0 x29 0xffffffffea90f030 lr  0xffffffffea802dcc sp  0xffffffffea90f010
[   37.869516] [TRUSTY] elr 0x           64dcc
[   37.873710] [TRUSTY] spsr 0x        60000010
[   37.878172] [TRUSTY] ESR 0x8200000f: ec 0x20, il 0x1, iss 0xf
[   37.883958] [TRUSTY] panic (caller 0xffffffffea80165c): die
[   37.889721] [TRUSTY] HALT: (reason = 9)
[   37.894384] trusty-irq trusty:irq: trusty_panic_notify: trusty crashed, disabling trusty irqs
[   37.918143] trusty crashed
[   37.918349] ------------[ cut here ]------------
[   37.918550] WARNING: CPU: 0 PID: 808 at /.../build/tmp/work-shared/jetson-xavier/kernel-source/nvidia/drivers/trusty/trusty.c:264 trusty_std_call32+0x238/0x248
[   37.927288] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack br_netfilter overlay bnep nvgpu bluedroid_pm
[   37.953853] 
[   37.955445] CPU: 0 PID: 808 Comm: kworker/0:1 Not tainted 4.9.140-l4t-r32.3.1+g47e7e1cb0b49 #1
[   37.963831] Hardware name: Jetson-AGX (DT)
[   37.968051] Workqueue: trusty-nop-wq nop_work_func
[   37.972612] task: ffffffc3ec457000 task.stack: ffffffc3eb930000
[   37.978799] PC is at trusty_std_call32+0x238/0x248
[   37.983779] LR is at trusty_std_call32+0x238/0x248
[   37.988522] pc : [<ffffff8008ca2000>] lr : [<ffffff8008ca2000>] pstate: 60c00045
[   37.996035] sp : ffffffc3eb933cb0
[   37.999705] x29: ffffffc3eb933cc0 x28: 00000000fffffff5 
[   38.005221] x27: 0000000000000000 x26: ffffffc3eb8a5100 
[   38.010986] x25: 0000000000000000 x24: ffffffc3ec457000 
[   38.015888] x23: 0000000000000002 x22: 0000000000000000 
[   38.020895] x21: 0000000032000019 x20: 000000003c000003 
[   38.026667] x19: ffffffc3ecbefc10 x18: 00000000fffffffe 
[   38.032697] x17: 0000000000000001 x16: 0000000000000003 
[   38.037971] x15: 0000000000000000 x14: ffffffffffffffff 
[   38.043895] x13: ffffffc46b93360f x12: ffffffc3eb933611 
[   38.049497] x11: 000000000000000b x10: 00000000000003d3 
[   38.055098] x9 : 00000000ffffffd0 x8 : 7263207974737572 
[   38.060650] x7 : 74205d3334313831 x6 : ffffff80083cab08 
[   38.066385] x5 : 0000000000000000 x4 : 0000000000000000 
[   38.071477] x3 : ffffffffffffffff x2 : 00000043f615d000 
[   38.077059] x1 : ffffffc3ec457000 x0 : 000000000000000e 
[   38.082151] 
[   38.083795] ---[ end trace f9a148013b6c5928 ]---
[   38.088254] Call trace:
[   38.090724] [<ffffff8008ca2000>] trusty_std_call32+0x238/0x248
[   38.096138] [<ffffff8008ca2348>] nop_work_func+0x68/0x158
[   38.101146] [<ffffff80080d41fc>] process_one_work+0x1bc/0x458
[   38.106728] [<ffffff80080d44ec>] worker_thread+0x54/0x488
[   38.111542] [<ffffff80080daf1c>] kthread+0xec/0xf0
[   38.116359] [<ffffff8008083850>] ret_from_fork+0x10/0x40
[   38.121370] trusty trusty: nop_work_func: SMC_SC_NOP failed -11
[   38.127119] trusty trusty: nop_work_func: SMC_SC_NOP failed -11

I can also get a sync_exception by adding these lines (marked with #if 1) to hwkey_agent.c:

#include <trusty_std.h>
#if 1 //xx
#include <openssl/hmac.h>
#endif

	TLOGI("hwkey-agent is running!!\n");
#if 1 //xx
        {
            const unsigned char key[32] = { 0 };
            HMAC_CTX *ctx = 0;
            const EVP_MD *md = EVP_sha256();
            HMAC_Init_ex(ctx, key, sizeof(key), md, 0);
        }
	TLOGI("hwkey-agent is still running!!\n");
#endif

The output to the console includes:

hwkey-agent: 43: hwkey-agent is running!!
sync_exception
-----------------------------------------------
 [Stack Trace]

[ 00 ] => pc: 0x000000000001B310  sp: 0xFFFFFFFFEA8C1FF0
[ 01 ] => pc: 0xFFFFFFFFEA802DA0  sp: 0xFFFFFFFFEA8C2010
-----------------------------------------------
iframe 0xffffffffea8c1f00:
x0  0x               0 x1  0x          ffffa8 x2  0x              20 x3  0x           28e1c
x4  0x              20 x5  0x          ffffa8 x6  0x            800c x7  0x               0
x8  0x           28e1c x9  0x              10 x10 0x           10004 x11 0x          fffffc
x12 0x          ffffc8 x13 0x          ffff00 x14 0x            8060 x15 0xffffffffea8953d8
x16 0x               1 x17 0x               0 x18 0x               0 x19 0xffffffffea8b3d58
x20 0x               0 x21 0x               0 x22 0x               0 x23 0x               0
x24 0x               0 x25 0x               0 x26 0x               0 x27 0x               0
x28 0x               0 x29 0xffffffffea8c2010 lr  0xffffffffea802dcc sp  0xffffffffea8c1ff0
elr 0x           1b310
spsr 0x        20000010
ESR 0x92000007: ec 0x24, il 0x1, iss 0x7
panic (caller 0xffffffffea80165c): die
HALT: (reason = 9)

Can anyone reproduce this?

hello edmund.grimley-evans,

please download L4T sources package and review the sources for reference,
for example,
$L4T_Sources/r32.5/Linux_for_Tegra/source/public/atf_and_trusty/trusty/lk/common/arch/arm64/exceptions_c.c

the default sample code should work normally,
did you exclude key management from the sample code?
thanks

It turns out that the sync_exception isn’t anything very exciting: it can be caused by dereferencing an invalid address so it’s just a segfault, really. And the patch for hwkey_agent.c above omits calling HMAC_CTX_init, so the crash is not surprising. (I get confused writing code for different versions of OpenSSL.)

Trusty’s OpenSSL now seems to be working for me, apart from the problem described in another thread: Problem with OpenSSL: undefined reference to CRYPTO_gcm128_init

Edmund
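
The two ESR values in the panic logs above can be decoded further than the ec/il/iss split that Trusty prints. The following is an added example, not part of the original thread or of the Trusty sources; the function and struct names are hypothetical, and the field layout and fault codes are the standard AArch64 ESR_ELx encoding.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an AArch64 ESR_ELx value (names here are illustrative). */
struct esr { unsigned ec, il, iss, fsc, level, wnr; };

static struct esr esr_decode(uint32_t v)
{
    struct esr e;
    e.ec    = (v >> 26) & 0x3f;   /* exception class, bits [31:26] */
    e.il    = (v >> 25) & 1;      /* instruction length flag, bit 25 */
    e.iss   = v & 0x1ffffff;      /* instruction-specific syndrome */
    e.fsc   = e.iss & 0x3f;       /* fault status code (aborts only) */
    e.level = e.fsc & 3;          /* translation table level of the fault */
    e.wnr   = (e.iss >> 6) & 1;   /* data aborts: 1 = write, 0 = read */
    return e;
}

static const char *esr_class(unsigned ec)
{
    switch (ec) {
    case 0x20: return "instruction abort from lower EL";
    case 0x21: return "instruction abort, same EL";
    case 0x24: return "data abort from lower EL";
    case 0x25: return "data abort, same EL";
    default:   return "other exception class";
    }
}

/* Only meaningful when the exception class is one of the aborts above. */
static const char *esr_fault(unsigned fsc)
{
    switch (fsc >> 2) {
    case 0:  return "address size fault";
    case 1:  return "translation fault";
    case 2:  return "access flag fault";
    case 3:  return "permission fault";
    default: return "other fault";
    }
}

int main(void)
{
    /* ESR values copied from the two panic logs in this thread. */
    const uint32_t samples[] = { 0x8200000f, 0x92000007 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct esr e = esr_decode(samples[i]);
        printf("%#x: %s, %s level %u%s\n", (unsigned)samples[i],
               esr_class(e.ec), esr_fault(e.fsc), e.level,
               e.ec == 0x24 ? (e.wnr ? ", write" : ", read") : "");
    }
    return 0;
}
```

The first log decodes to an instruction abort with a level 3 permission fault (a fetch from a mapped page that is not executable); the second, from the hwkey_agent.c test, decodes to a data abort with a level 3 translation fault on a read, i.e. a load from an unmapped address.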