1.. SPDX-License-Identifier: GPL-2.0 2 3============================================= 4QTEE (Qualcomm Trusted Execution Environment) 5============================================= 6 7The QTEE driver handles communication with Qualcomm TEE [1]. 8 9The lowest level of communication with QTEE builds on the ARM SMC Calling 10Convention (SMCCC) [2], which is the foundation for QTEE's Secure Channel 11Manager (SCM) [3] used internally by the driver. 12 13In a QTEE-based system, services are represented as objects with a series of 14operations that can be called to produce results, including other objects. 15 16When an object is hosted within QTEE, executing its operations is referred 17to as "direct invocation". QTEE can also invoke objects hosted in the non-secure 18world using a method known as "callback request". 19 20The SCM provides two functions to support direct invocation and callback requests: 21 22- QCOM_SCM_SMCINVOKE_INVOKE: Used for direct invocation. It can return either 23 a result or initiate a callback request. 24- QCOM_SCM_SMCINVOKE_CB_RSP: Used to submit a response to a callback request 25 triggered by a previous direct invocation. 26 27The QTEE Transport Message [4] is stacked on top of the SCM driver functions. 28 29A message consists of two buffers shared with QTEE: inbound and outbound 30buffers. The inbound buffer is used for direct invocation, and the outbound 31buffer is used to make callback requests. This picture shows the contents of 32a QTEE transport message:: 33 34 +---------------------+ 35 | v 36 +-----------------+-------+-------+------+--------------------------+ 37 | qcomtee_msg_ |object | buffer | | 38 | object_invoke | id | offset, size | | (inbound buffer) 39 +-----------------+-------+--------------+--------------------------+ 40 <---- header -----><---- arguments ------><- in/out buffer payload -> 41 42 +-----------+ 43 | v 44 +-----------------+-------+-------+------+----------------------+ 45 | qcomtee_msg_ |object | buffer | | 46 | callback | id | offset, size | | (outbound buffer) 47 +-----------------+-------+--------------+----------------------+ 48 49Each buffer is started with a header and array of arguments. 50 51QTEE Transport Message supports four types of arguments: 52 53- Input Object (IO) is an object parameter to the current invocation 54 or callback request. 55- Output Object (OO) is an object parameter from the current invocation 56 or callback request. 57- Input Buffer (IB) is (offset, size) pair to the inbound or outbound region 58 to store parameter to the current invocation or callback request. 59- Output Buffer (OB) is (offset, size) pair to the inbound or outbound region 60 to store parameter from the current invocation or callback request. 61 62Picture of the relationship between the different components in the QTEE 63architecture:: 64 65 User space Kernel Secure world 66 ~~~~~~~~~~ ~~~~~~ ~~~~~~~~~~~~ 67 +--------+ +----------+ +--------------+ 68 | Client | |callback | | Trusted | 69 +--------+ |server | | Application | 70 /\ +----------+ +--------------+ 71 || +----------+ /\ /\ 72 || |callback | || || 73 || |server | || \/ 74 || +----------+ || +--------------+ 75 || /\ || | TEE Internal | 76 || || || | API | 77 \/ \/ \/ +--------+--------+ +--------------+ 78 +---------------------+ | TEE | QTEE | | QTEE | 79 | libqcomtee [5] | | subsys | driver | | Trusted OS | 80 +-------+-------------+--+----+-------+----+-------------+--------------+ 81 | Generic TEE API | | QTEE MSG | 82 | IOCTL (TEE_IOC_*) | | SMCCC (QCOM_SCM_SMCINVOKE_*) | 83 +-----------------------------+ +---------------------------------+ 84 85References 86========== 87 88[1] https://docs.qualcomm.com/bundle/publicresource/topics/80-70015-11/qualcomm-trusted-execution-environment.html 89 90[2] http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html 91 92[3] drivers/firmware/qcom/qcom_scm.c 93 94[4] drivers/tee/qcomtee/qcomtee_msg.h 95 96[5] https://github.com/quic/quic-teec 97