QSEE SECURITY TEST APP ====================== This application is used to repeatedly test the QSEECom interface, ensuring that buffer protections are applied and proper security precautions taken. Each run of the security app performs, at a minimum, the following: 1. A number of client threads are spawned, each starting the Security QSApp. 2. Each client spawns a number of listener threads, each registering with the QSApp. 3. The client threads perform a simple send command to ensure the QSApp is working. 4. Each client then sends a command to the QSApp, which in turn wakes up each of the listener threads originally spawned by the invoking client. 5. Listener threads, when woken, attempt to modify their parent client's send and receive buffers (to ensure the buffers have been locked), as well as modify the other listener's buffers (to ensure all non-secure memory to be used by the QSApp is secured). 6. Once the tests are complete, the listeners unregister and exit, followed by the clients shutting down the QSApp and exiting. 7. Application returns 0 on success. The number of clients, listeners, and test runs are compile-time defines. In addition to the above, some extra tests are available to be enabled via commandline arguments. These tests are not included in the regular suite due to the inability for further tests to be run afterwards, or non-deterministic inputs. The tests include: 1. Secure PIL Test: replace part of the QSApp image with randomly generated data to verify that it is checked for tampering before being allowed to execute: ./qseecom_security_test r 2. Protected Memory Access: attempts to access protected memory regions as a HLOS application, besides the clients' send/receive buffers; some of these memory accesses will cause the device to hang. The index of g_protected_memory to test is supplied as an argument: ./qseecom_security_test p <0...sizeof(g_protected_memory)> The following address areas are included for testing: TZ IMEM Multi-media sub-system Modem sub-system, firmware Modem sub-system, software Riva sub-system LPASS sub-system Secure Application in DDR 3. Secure Memory as Input Parameter: The ION buffer address used for the send/receive buffers is modified to, after the user virtual to kernel physical address conversion, point to a secure memory address. This ensures that TZ will not allow a secure application to overwrite secure memory. The caveat to this test is that the conversion factor is not deterministic, because it depends on the address space provided by Android to the test application at runtime. ./qseecom_security_test b