1 // SPDX-License-Identifier: MIT 2 /* 3 * AMD Trusted Execution Environment (TEE) interface 4 * 5 * Author: Rijo Thomas <Rijo-john.Thomas@amd.com> 6 * Author: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com> 7 * 8 * Copyright (C) 2019,2021 Advanced Micro Devices, Inc. 9 */ 10 11 #include <linux/bitfield.h> 12 #include <linux/types.h> 13 #include <linux/mutex.h> 14 #include <linux/delay.h> 15 #include <linux/slab.h> 16 #include <linux/gfp.h> 17 #include <linux/psp.h> 18 #include <linux/psp-tee.h> 19 20 #include "psp-dev.h" 21 #include "tee-dev.h" 22 23 static bool psp_dead; 24 25 static int tee_alloc_ring(struct psp_tee_device *tee, int ring_size) 26 { 27 struct ring_buf_manager *rb_mgr = &tee->rb_mgr; 28 void *start_addr; 29 30 if (!ring_size) 31 return -EINVAL; 32 33 /* We need actual physical address instead of DMA address, since 34 * Trusted OS running on AMD Secure Processor will map this region 35 */ 36 start_addr = (void *)__get_free_pages(GFP_KERNEL, get_order(ring_size)); 37 if (!start_addr) 38 return -ENOMEM; 39 40 memset(start_addr, 0x0, ring_size); 41 rb_mgr->ring_start = start_addr; 42 rb_mgr->ring_size = ring_size; 43 rb_mgr->ring_pa = __psp_pa(start_addr); 44 mutex_init(&rb_mgr->mutex); 45 46 return 0; 47 } 48 49 static void tee_free_ring(struct psp_tee_device *tee) 50 { 51 struct ring_buf_manager *rb_mgr = &tee->rb_mgr; 52 53 if (!rb_mgr->ring_start) 54 return; 55 56 free_pages((unsigned long)rb_mgr->ring_start, 57 get_order(rb_mgr->ring_size)); 58 59 rb_mgr->ring_start = NULL; 60 rb_mgr->ring_size = 0; 61 rb_mgr->ring_pa = 0; 62 mutex_destroy(&rb_mgr->mutex); 63 } 64 65 static int tee_wait_cmd_poll(struct psp_tee_device *tee, unsigned int timeout, 66 unsigned int *reg) 67 { 68 /* ~10ms sleep per loop => nloop = timeout * 100 */ 69 int nloop = timeout * 100; 70 71 while (--nloop) { 72 *reg = ioread32(tee->io_regs + tee->vdata->cmdresp_reg); 73 if (FIELD_GET(PSP_CMDRESP_RESP, *reg)) 74 return 0; 75 76 usleep_range(10000, 10100); 77 } 78 79 dev_err(tee->dev, "tee: command timed out, disabling PSP\n"); 80 psp_dead = true; 81 82 return -ETIMEDOUT; 83 } 84 85 static 86 struct tee_init_ring_cmd *tee_alloc_cmd_buffer(struct psp_tee_device *tee) 87 { 88 struct tee_init_ring_cmd *cmd; 89 90 cmd = kzalloc(sizeof(*cmd), GFP_KERNEL); 91 if (!cmd) 92 return NULL; 93 94 cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_pa); 95 cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_pa); 96 cmd->size = tee->rb_mgr.ring_size; 97 98 dev_dbg(tee->dev, "tee: ring address: high = 0x%x low = 0x%x size = %u\n", 99 cmd->hi_addr, cmd->low_addr, cmd->size); 100 101 return cmd; 102 } 103 104 static inline void tee_free_cmd_buffer(struct tee_init_ring_cmd *cmd) 105 { 106 kfree(cmd); 107 } 108 109 static int tee_init_ring(struct psp_tee_device *tee) 110 { 111 int ring_size = MAX_RING_BUFFER_ENTRIES * sizeof(struct tee_ring_cmd); 112 struct tee_init_ring_cmd *cmd; 113 phys_addr_t cmd_buffer; 114 unsigned int reg; 115 int ret; 116 117 BUILD_BUG_ON(sizeof(struct tee_ring_cmd) != 1024); 118 119 ret = tee_alloc_ring(tee, ring_size); 120 if (ret) { 121 dev_err(tee->dev, "tee: ring allocation failed %d\n", ret); 122 return ret; 123 } 124 125 tee->rb_mgr.wptr = 0; 126 127 cmd = tee_alloc_cmd_buffer(tee); 128 if (!cmd) { 129 tee_free_ring(tee); 130 return -ENOMEM; 131 } 132 133 cmd_buffer = __psp_pa((void *)cmd); 134 135 /* Send command buffer details to Trusted OS by writing to 136 * CPU-PSP message registers 137 */ 138 139 iowrite32(lower_32_bits(cmd_buffer), 140 tee->io_regs + tee->vdata->cmdbuff_addr_lo_reg); 141 iowrite32(upper_32_bits(cmd_buffer), 142 tee->io_regs + tee->vdata->cmdbuff_addr_hi_reg); 143 iowrite32(TEE_RING_INIT_CMD, 144 tee->io_regs + tee->vdata->cmdresp_reg); 145 146 ret = tee_wait_cmd_poll(tee, TEE_DEFAULT_TIMEOUT, ®); 147 if (ret) { 148 dev_err(tee->dev, "tee: ring init command timed out\n"); 149 tee_free_ring(tee); 150 goto free_buf; 151 } 152 153 if (FIELD_GET(PSP_CMDRESP_STS, reg)) { 154 dev_err(tee->dev, "tee: ring init command failed (%#010lx)\n", 155 FIELD_GET(PSP_CMDRESP_STS, reg)); 156 tee_free_ring(tee); 157 ret = -EIO; 158 } 159 160 free_buf: 161 tee_free_cmd_buffer(cmd); 162 163 return ret; 164 } 165 166 static void tee_destroy_ring(struct psp_tee_device *tee) 167 { 168 unsigned int reg; 169 int ret; 170 171 if (!tee->rb_mgr.ring_start) 172 return; 173 174 if (psp_dead) 175 goto free_ring; 176 177 iowrite32(TEE_RING_DESTROY_CMD, 178 tee->io_regs + tee->vdata->cmdresp_reg); 179 180 ret = tee_wait_cmd_poll(tee, TEE_DEFAULT_TIMEOUT, ®); 181 if (ret) { 182 dev_err(tee->dev, "tee: ring destroy command timed out\n"); 183 } else if (FIELD_GET(PSP_CMDRESP_STS, reg)) { 184 dev_err(tee->dev, "tee: ring destroy command failed (%#010lx)\n", 185 FIELD_GET(PSP_CMDRESP_STS, reg)); 186 } 187 188 free_ring: 189 tee_free_ring(tee); 190 } 191 192 int tee_dev_init(struct psp_device *psp) 193 { 194 struct device *dev = psp->dev; 195 struct psp_tee_device *tee; 196 int ret; 197 198 ret = -ENOMEM; 199 tee = devm_kzalloc(dev, sizeof(*tee), GFP_KERNEL); 200 if (!tee) 201 goto e_err; 202 203 psp->tee_data = tee; 204 205 tee->dev = dev; 206 tee->psp = psp; 207 208 tee->io_regs = psp->io_regs; 209 210 tee->vdata = (struct tee_vdata *)psp->vdata->tee; 211 if (!tee->vdata) { 212 ret = -ENODEV; 213 dev_err(dev, "tee: missing driver data\n"); 214 goto e_err; 215 } 216 217 ret = tee_init_ring(tee); 218 if (ret) { 219 dev_err(dev, "tee: failed to init ring buffer\n"); 220 goto e_err; 221 } 222 223 dev_notice(dev, "tee enabled\n"); 224 225 return 0; 226 227 e_err: 228 psp->tee_data = NULL; 229 230 dev_notice(dev, "tee initialization failed\n"); 231 232 return ret; 233 } 234 235 void tee_dev_destroy(struct psp_device *psp) 236 { 237 struct psp_tee_device *tee = psp->tee_data; 238 239 if (!tee) 240 return; 241 242 tee_destroy_ring(tee); 243 } 244 245 static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id, 246 void *buf, size_t len, struct tee_ring_cmd **resp) 247 { 248 struct tee_ring_cmd *cmd; 249 int nloop = 1000, ret = 0; 250 u32 rptr; 251 252 *resp = NULL; 253 254 mutex_lock(&tee->rb_mgr.mutex); 255 256 /* Loop until empty entry found in ring buffer */ 257 do { 258 /* Get pointer to ring buffer command entry */ 259 cmd = (struct tee_ring_cmd *) 260 (tee->rb_mgr.ring_start + tee->rb_mgr.wptr); 261 262 rptr = ioread32(tee->io_regs + tee->vdata->ring_rptr_reg); 263 264 /* Check if ring buffer is full or command entry is waiting 265 * for response from TEE 266 */ 267 if (!(tee->rb_mgr.wptr + sizeof(struct tee_ring_cmd) == rptr || 268 cmd->flag == CMD_WAITING_FOR_RESPONSE)) 269 break; 270 271 dev_dbg(tee->dev, "tee: ring buffer full. rptr = %u wptr = %u\n", 272 rptr, tee->rb_mgr.wptr); 273 274 /* Wait if ring buffer is full or TEE is processing data */ 275 mutex_unlock(&tee->rb_mgr.mutex); 276 schedule_timeout_interruptible(msecs_to_jiffies(10)); 277 mutex_lock(&tee->rb_mgr.mutex); 278 279 } while (--nloop); 280 281 if (!nloop && 282 (tee->rb_mgr.wptr + sizeof(struct tee_ring_cmd) == rptr || 283 cmd->flag == CMD_WAITING_FOR_RESPONSE)) { 284 dev_err(tee->dev, "tee: ring buffer full. rptr = %u wptr = %u response flag %u\n", 285 rptr, tee->rb_mgr.wptr, cmd->flag); 286 ret = -EBUSY; 287 goto unlock; 288 } 289 290 /* Do not submit command if PSP got disabled while processing any 291 * command in another thread 292 */ 293 if (psp_dead) { 294 ret = -EBUSY; 295 goto unlock; 296 } 297 298 /* Write command data into ring buffer */ 299 cmd->cmd_id = cmd_id; 300 cmd->cmd_state = TEE_CMD_STATE_INIT; 301 memset(&cmd->buf[0], 0, sizeof(cmd->buf)); 302 memcpy(&cmd->buf[0], buf, len); 303 304 /* Indicate driver is waiting for response */ 305 cmd->flag = CMD_WAITING_FOR_RESPONSE; 306 307 /* Update local copy of write pointer */ 308 tee->rb_mgr.wptr += sizeof(struct tee_ring_cmd); 309 if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_size) 310 tee->rb_mgr.wptr = 0; 311 312 /* Trigger interrupt to Trusted OS */ 313 iowrite32(tee->rb_mgr.wptr, tee->io_regs + tee->vdata->ring_wptr_reg); 314 315 /* The response is provided by Trusted OS in same 316 * location as submitted data entry within ring buffer. 317 */ 318 *resp = cmd; 319 320 unlock: 321 mutex_unlock(&tee->rb_mgr.mutex); 322 323 return ret; 324 } 325 326 static int tee_wait_cmd_completion(struct psp_tee_device *tee, 327 struct tee_ring_cmd *resp, 328 unsigned int timeout) 329 { 330 /* ~1ms sleep per loop => nloop = timeout * 1000 */ 331 int nloop = timeout * 1000; 332 333 while (--nloop) { 334 if (resp->cmd_state == TEE_CMD_STATE_COMPLETED) 335 return 0; 336 337 usleep_range(1000, 1100); 338 } 339 340 dev_err(tee->dev, "tee: command 0x%x timed out, disabling PSP\n", 341 resp->cmd_id); 342 343 psp_dead = true; 344 345 return -ETIMEDOUT; 346 } 347 348 int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, size_t len, 349 u32 *status) 350 { 351 struct psp_device *psp = psp_get_master_device(); 352 struct psp_tee_device *tee; 353 struct tee_ring_cmd *resp; 354 int ret; 355 356 if (!buf || !status || !len || len > sizeof(resp->buf)) 357 return -EINVAL; 358 359 *status = 0; 360 361 if (!psp || !psp->tee_data) 362 return -ENODEV; 363 364 if (psp_dead) 365 return -EBUSY; 366 367 tee = psp->tee_data; 368 369 ret = tee_submit_cmd(tee, cmd_id, buf, len, &resp); 370 if (ret) 371 return ret; 372 373 ret = tee_wait_cmd_completion(tee, resp, TEE_DEFAULT_TIMEOUT); 374 if (ret) { 375 resp->flag = CMD_RESPONSE_TIMEDOUT; 376 return ret; 377 } 378 379 memcpy(buf, &resp->buf[0], len); 380 *status = resp->status; 381 382 resp->flag = CMD_RESPONSE_COPIED; 383 384 return 0; 385 } 386 EXPORT_SYMBOL(psp_tee_process_cmd); 387 388 int psp_check_tee_status(void) 389 { 390 struct psp_device *psp = psp_get_master_device(); 391 392 if (!psp || !psp->tee_data) 393 return -ENODEV; 394 395 return 0; 396 } 397 EXPORT_SYMBOL(psp_check_tee_status); 398