1 /* 2 * Copyright (c) 2015, Linaro Limited 3 * 4 * This software is licensed under the terms of the GNU General Public 5 * License version 2, as published by the Free Software Foundation, and 6 * may be copied, distributed, and modified under those terms. 7 * 8 * This program is distributed in the hope that it will be useful, 9 * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 * GNU General Public License for more details. 12 * 13 */ 14 15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 17 #include <linux/arm-smccc.h> 18 #include <linux/errno.h> 19 #include <linux/io.h> 20 #include <linux/module.h> 21 #include <linux/of.h> 22 #include <linux/of_platform.h> 23 #include <linux/platform_device.h> 24 #include <linux/slab.h> 25 #include <linux/string.h> 26 #include <linux/tee_drv.h> 27 #include <linux/types.h> 28 #include <linux/uaccess.h> 29 #include "optee_private.h" 30 #include "optee_smc.h" 31 32 #define DRIVER_NAME "optee" 33 34 #define OPTEE_SHM_NUM_PRIV_PAGES 1 35 36 /** 37 * optee_from_msg_param() - convert from OPTEE_MSG parameters to 38 * struct tee_param 39 * @params: subsystem internal parameter representation 40 * @num_params: number of elements in the parameter arrays 41 * @msg_params: OPTEE_MSG parameters 42 * Returns 0 on success or <0 on failure 43 */ 44 int optee_from_msg_param(struct tee_param *params, size_t num_params, 45 const struct optee_msg_param *msg_params) 46 { 47 int rc; 48 size_t n; 49 struct tee_shm *shm; 50 phys_addr_t pa; 51 52 for (n = 0; n < num_params; n++) { 53 struct tee_param *p = params + n; 54 const struct optee_msg_param *mp = msg_params + n; 55 u32 attr = mp->attr & OPTEE_MSG_ATTR_TYPE_MASK; 56 57 switch (attr) { 58 case OPTEE_MSG_ATTR_TYPE_NONE: 59 p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_NONE; 60 memset(&p->u, 0, sizeof(p->u)); 61 break; 62 case OPTEE_MSG_ATTR_TYPE_VALUE_INPUT: 63 case OPTEE_MSG_ATTR_TYPE_VALUE_OUTPUT: 64 case OPTEE_MSG_ATTR_TYPE_VALUE_INOUT: 65 p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT + 66 attr - OPTEE_MSG_ATTR_TYPE_VALUE_INPUT; 67 p->u.value.a = mp->u.value.a; 68 p->u.value.b = mp->u.value.b; 69 p->u.value.c = mp->u.value.c; 70 break; 71 case OPTEE_MSG_ATTR_TYPE_TMEM_INPUT: 72 case OPTEE_MSG_ATTR_TYPE_TMEM_OUTPUT: 73 case OPTEE_MSG_ATTR_TYPE_TMEM_INOUT: 74 p->attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT + 75 attr - OPTEE_MSG_ATTR_TYPE_TMEM_INPUT; 76 p->u.memref.size = mp->u.tmem.size; 77 shm = (struct tee_shm *)(unsigned long) 78 mp->u.tmem.shm_ref; 79 if (!shm) { 80 p->u.memref.shm_offs = 0; 81 p->u.memref.shm = NULL; 82 break; 83 } 84 rc = tee_shm_get_pa(shm, 0, &pa); 85 if (rc) 86 return rc; 87 p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa; 88 p->u.memref.shm = shm; 89 90 /* Check that the memref is covered by the shm object */ 91 if (p->u.memref.size) { 92 size_t o = p->u.memref.shm_offs + 93 p->u.memref.size - 1; 94 95 rc = tee_shm_get_pa(shm, o, NULL); 96 if (rc) 97 return rc; 98 } 99 break; 100 default: 101 return -EINVAL; 102 } 103 } 104 return 0; 105 } 106 107 /** 108 * optee_to_msg_param() - convert from struct tee_params to OPTEE_MSG parameters 109 * @msg_params: OPTEE_MSG parameters 110 * @num_params: number of elements in the parameter arrays 111 * @params: subsystem itnernal parameter representation 112 * Returns 0 on success or <0 on failure 113 */ 114 int optee_to_msg_param(struct optee_msg_param *msg_params, size_t num_params, 115 const struct tee_param *params) 116 { 117 int rc; 118 size_t n; 119 phys_addr_t pa; 120 121 for (n = 0; n < num_params; n++) { 122 const struct tee_param *p = params + n; 123 struct optee_msg_param *mp = msg_params + n; 124 125 switch (p->attr) { 126 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: 127 mp->attr = TEE_IOCTL_PARAM_ATTR_TYPE_NONE; 128 memset(&mp->u, 0, sizeof(mp->u)); 129 break; 130 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 131 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 132 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 133 mp->attr = OPTEE_MSG_ATTR_TYPE_VALUE_INPUT + p->attr - 134 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT; 135 mp->u.value.a = p->u.value.a; 136 mp->u.value.b = p->u.value.b; 137 mp->u.value.c = p->u.value.c; 138 break; 139 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 140 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 141 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 142 mp->attr = OPTEE_MSG_ATTR_TYPE_TMEM_INPUT + 143 p->attr - 144 TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT; 145 mp->u.tmem.shm_ref = (unsigned long)p->u.memref.shm; 146 mp->u.tmem.size = p->u.memref.size; 147 if (!p->u.memref.shm) { 148 mp->u.tmem.buf_ptr = 0; 149 break; 150 } 151 rc = tee_shm_get_pa(p->u.memref.shm, 152 p->u.memref.shm_offs, &pa); 153 if (rc) 154 return rc; 155 mp->u.tmem.buf_ptr = pa; 156 mp->attr |= OPTEE_MSG_ATTR_CACHE_PREDEFINED << 157 OPTEE_MSG_ATTR_CACHE_SHIFT; 158 break; 159 default: 160 return -EINVAL; 161 } 162 } 163 return 0; 164 } 165 166 static void optee_get_version(struct tee_device *teedev, 167 struct tee_ioctl_version_data *vers) 168 { 169 struct tee_ioctl_version_data v = { 170 .impl_id = TEE_IMPL_ID_OPTEE, 171 .impl_caps = TEE_OPTEE_CAP_TZ, 172 .gen_caps = TEE_GEN_CAP_GP, 173 }; 174 *vers = v; 175 } 176 177 static int optee_open(struct tee_context *ctx) 178 { 179 struct optee_context_data *ctxdata; 180 struct tee_device *teedev = ctx->teedev; 181 struct optee *optee = tee_get_drvdata(teedev); 182 183 ctxdata = kzalloc(sizeof(*ctxdata), GFP_KERNEL); 184 if (!ctxdata) 185 return -ENOMEM; 186 187 if (teedev == optee->supp_teedev) { 188 bool busy = true; 189 190 mutex_lock(&optee->supp.ctx_mutex); 191 if (!optee->supp.ctx) { 192 busy = false; 193 optee->supp.ctx = ctx; 194 } 195 mutex_unlock(&optee->supp.ctx_mutex); 196 if (busy) { 197 kfree(ctxdata); 198 return -EBUSY; 199 } 200 } 201 202 mutex_init(&ctxdata->mutex); 203 INIT_LIST_HEAD(&ctxdata->sess_list); 204 205 ctx->data = ctxdata; 206 return 0; 207 } 208 209 static void optee_release(struct tee_context *ctx) 210 { 211 struct optee_context_data *ctxdata = ctx->data; 212 struct tee_device *teedev = ctx->teedev; 213 struct optee *optee = tee_get_drvdata(teedev); 214 struct tee_shm *shm; 215 struct optee_msg_arg *arg = NULL; 216 phys_addr_t parg; 217 struct optee_session *sess; 218 struct optee_session *sess_tmp; 219 220 if (!ctxdata) 221 return; 222 223 shm = tee_shm_alloc(ctx, sizeof(struct optee_msg_arg), TEE_SHM_MAPPED); 224 if (!IS_ERR(shm)) { 225 arg = tee_shm_get_va(shm, 0); 226 /* 227 * If va2pa fails for some reason, we can't call 228 * optee_close_session(), only free the memory. Secure OS 229 * will leak sessions and finally refuse more sessions, but 230 * we will at least let normal world reclaim its memory. 231 */ 232 if (!IS_ERR(arg)) 233 tee_shm_va2pa(shm, arg, &parg); 234 } 235 236 list_for_each_entry_safe(sess, sess_tmp, &ctxdata->sess_list, 237 list_node) { 238 list_del(&sess->list_node); 239 if (!IS_ERR_OR_NULL(arg)) { 240 memset(arg, 0, sizeof(*arg)); 241 arg->cmd = OPTEE_MSG_CMD_CLOSE_SESSION; 242 arg->session = sess->session_id; 243 optee_do_call_with_arg(ctx, parg); 244 } 245 kfree(sess); 246 } 247 kfree(ctxdata); 248 249 if (!IS_ERR(shm)) 250 tee_shm_free(shm); 251 252 ctx->data = NULL; 253 254 if (teedev == optee->supp_teedev) { 255 mutex_lock(&optee->supp.ctx_mutex); 256 optee->supp.ctx = NULL; 257 mutex_unlock(&optee->supp.ctx_mutex); 258 } 259 } 260 261 static struct tee_driver_ops optee_ops = { 262 .get_version = optee_get_version, 263 .open = optee_open, 264 .release = optee_release, 265 .open_session = optee_open_session, 266 .close_session = optee_close_session, 267 .invoke_func = optee_invoke_func, 268 .cancel_req = optee_cancel_req, 269 }; 270 271 static struct tee_desc optee_desc = { 272 .name = DRIVER_NAME "-clnt", 273 .ops = &optee_ops, 274 .owner = THIS_MODULE, 275 }; 276 277 static struct tee_driver_ops optee_supp_ops = { 278 .get_version = optee_get_version, 279 .open = optee_open, 280 .release = optee_release, 281 .supp_recv = optee_supp_recv, 282 .supp_send = optee_supp_send, 283 }; 284 285 static struct tee_desc optee_supp_desc = { 286 .name = DRIVER_NAME "-supp", 287 .ops = &optee_supp_ops, 288 .owner = THIS_MODULE, 289 .flags = TEE_DESC_PRIVILEGED, 290 }; 291 292 static bool optee_msg_api_uid_is_optee_api(optee_invoke_fn *invoke_fn) 293 { 294 struct arm_smccc_res res; 295 296 invoke_fn(OPTEE_SMC_CALLS_UID, 0, 0, 0, 0, 0, 0, 0, &res); 297 298 if (res.a0 == OPTEE_MSG_UID_0 && res.a1 == OPTEE_MSG_UID_1 && 299 res.a2 == OPTEE_MSG_UID_2 && res.a3 == OPTEE_MSG_UID_3) 300 return true; 301 return false; 302 } 303 304 static bool optee_msg_api_revision_is_compatible(optee_invoke_fn *invoke_fn) 305 { 306 union { 307 struct arm_smccc_res smccc; 308 struct optee_smc_calls_revision_result result; 309 } res; 310 311 invoke_fn(OPTEE_SMC_CALLS_REVISION, 0, 0, 0, 0, 0, 0, 0, &res.smccc); 312 313 if (res.result.major == OPTEE_MSG_REVISION_MAJOR && 314 (int)res.result.minor >= OPTEE_MSG_REVISION_MINOR) 315 return true; 316 return false; 317 } 318 319 static bool optee_msg_exchange_capabilities(optee_invoke_fn *invoke_fn, 320 u32 *sec_caps) 321 { 322 union { 323 struct arm_smccc_res smccc; 324 struct optee_smc_exchange_capabilities_result result; 325 } res; 326 u32 a1 = 0; 327 328 /* 329 * TODO This isn't enough to tell if it's UP system (from kernel 330 * point of view) or not, is_smp() returns the the information 331 * needed, but can't be called directly from here. 332 */ 333 if (!IS_ENABLED(CONFIG_SMP) || nr_cpu_ids == 1) 334 a1 |= OPTEE_SMC_NSEC_CAP_UNIPROCESSOR; 335 336 invoke_fn(OPTEE_SMC_EXCHANGE_CAPABILITIES, a1, 0, 0, 0, 0, 0, 0, 337 &res.smccc); 338 339 if (res.result.status != OPTEE_SMC_RETURN_OK) 340 return false; 341 342 *sec_caps = res.result.capabilities; 343 return true; 344 } 345 346 static struct tee_shm_pool * 347 optee_config_shm_memremap(optee_invoke_fn *invoke_fn, void **memremaped_shm) 348 { 349 union { 350 struct arm_smccc_res smccc; 351 struct optee_smc_get_shm_config_result result; 352 } res; 353 struct tee_shm_pool *pool; 354 unsigned long vaddr; 355 phys_addr_t paddr; 356 size_t size; 357 phys_addr_t begin; 358 phys_addr_t end; 359 void *va; 360 struct tee_shm_pool_mem_info priv_info; 361 struct tee_shm_pool_mem_info dmabuf_info; 362 363 invoke_fn(OPTEE_SMC_GET_SHM_CONFIG, 0, 0, 0, 0, 0, 0, 0, &res.smccc); 364 if (res.result.status != OPTEE_SMC_RETURN_OK) { 365 pr_info("shm service not available\n"); 366 return ERR_PTR(-ENOENT); 367 } 368 369 if (res.result.settings != OPTEE_SMC_SHM_CACHED) { 370 pr_err("only normal cached shared memory supported\n"); 371 return ERR_PTR(-EINVAL); 372 } 373 374 begin = roundup(res.result.start, PAGE_SIZE); 375 end = rounddown(res.result.start + res.result.size, PAGE_SIZE); 376 paddr = begin; 377 size = end - begin; 378 379 if (size < 2 * OPTEE_SHM_NUM_PRIV_PAGES * PAGE_SIZE) { 380 pr_err("too small shared memory area\n"); 381 return ERR_PTR(-EINVAL); 382 } 383 384 va = memremap(paddr, size, MEMREMAP_WB); 385 if (!va) { 386 pr_err("shared memory ioremap failed\n"); 387 return ERR_PTR(-EINVAL); 388 } 389 vaddr = (unsigned long)va; 390 391 priv_info.vaddr = vaddr; 392 priv_info.paddr = paddr; 393 priv_info.size = OPTEE_SHM_NUM_PRIV_PAGES * PAGE_SIZE; 394 dmabuf_info.vaddr = vaddr + OPTEE_SHM_NUM_PRIV_PAGES * PAGE_SIZE; 395 dmabuf_info.paddr = paddr + OPTEE_SHM_NUM_PRIV_PAGES * PAGE_SIZE; 396 dmabuf_info.size = size - OPTEE_SHM_NUM_PRIV_PAGES * PAGE_SIZE; 397 398 pool = tee_shm_pool_alloc_res_mem(&priv_info, &dmabuf_info); 399 if (IS_ERR(pool)) { 400 memunmap(va); 401 goto out; 402 } 403 404 *memremaped_shm = va; 405 out: 406 return pool; 407 } 408 409 /* Simple wrapper functions to be able to use a function pointer */ 410 static void optee_smccc_smc(unsigned long a0, unsigned long a1, 411 unsigned long a2, unsigned long a3, 412 unsigned long a4, unsigned long a5, 413 unsigned long a6, unsigned long a7, 414 struct arm_smccc_res *res) 415 { 416 arm_smccc_smc(a0, a1, a2, a3, a4, a5, a6, a7, res); 417 } 418 419 static void optee_smccc_hvc(unsigned long a0, unsigned long a1, 420 unsigned long a2, unsigned long a3, 421 unsigned long a4, unsigned long a5, 422 unsigned long a6, unsigned long a7, 423 struct arm_smccc_res *res) 424 { 425 arm_smccc_hvc(a0, a1, a2, a3, a4, a5, a6, a7, res); 426 } 427 428 static optee_invoke_fn *get_invoke_func(struct device_node *np) 429 { 430 const char *method; 431 432 pr_info("probing for conduit method from DT.\n"); 433 434 if (of_property_read_string(np, "method", &method)) { 435 pr_warn("missing \"method\" property\n"); 436 return ERR_PTR(-ENXIO); 437 } 438 439 if (!strcmp("hvc", method)) 440 return optee_smccc_hvc; 441 else if (!strcmp("smc", method)) 442 return optee_smccc_smc; 443 444 pr_warn("invalid \"method\" property: %s\n", method); 445 return ERR_PTR(-EINVAL); 446 } 447 448 static struct optee *optee_probe(struct device_node *np) 449 { 450 optee_invoke_fn *invoke_fn; 451 struct tee_shm_pool *pool; 452 struct optee *optee = NULL; 453 void *memremaped_shm = NULL; 454 struct tee_device *teedev; 455 u32 sec_caps; 456 int rc; 457 458 invoke_fn = get_invoke_func(np); 459 if (IS_ERR(invoke_fn)) 460 return (void *)invoke_fn; 461 462 if (!optee_msg_api_uid_is_optee_api(invoke_fn)) { 463 pr_warn("api uid mismatch\n"); 464 return ERR_PTR(-EINVAL); 465 } 466 467 if (!optee_msg_api_revision_is_compatible(invoke_fn)) { 468 pr_warn("api revision mismatch\n"); 469 return ERR_PTR(-EINVAL); 470 } 471 472 if (!optee_msg_exchange_capabilities(invoke_fn, &sec_caps)) { 473 pr_warn("capabilities mismatch\n"); 474 return ERR_PTR(-EINVAL); 475 } 476 477 /* 478 * We have no other option for shared memory, if secure world 479 * doesn't have any reserved memory we can use we can't continue. 480 */ 481 if (!(sec_caps & OPTEE_SMC_SEC_CAP_HAVE_RESERVED_SHM)) 482 return ERR_PTR(-EINVAL); 483 484 pool = optee_config_shm_memremap(invoke_fn, &memremaped_shm); 485 if (IS_ERR(pool)) 486 return (void *)pool; 487 488 optee = kzalloc(sizeof(*optee), GFP_KERNEL); 489 if (!optee) { 490 rc = -ENOMEM; 491 goto err; 492 } 493 494 optee->invoke_fn = invoke_fn; 495 496 teedev = tee_device_alloc(&optee_desc, NULL, pool, optee); 497 if (IS_ERR(teedev)) { 498 rc = PTR_ERR(teedev); 499 goto err; 500 } 501 optee->teedev = teedev; 502 503 teedev = tee_device_alloc(&optee_supp_desc, NULL, pool, optee); 504 if (IS_ERR(teedev)) { 505 rc = PTR_ERR(teedev); 506 goto err; 507 } 508 optee->supp_teedev = teedev; 509 510 rc = tee_device_register(optee->teedev); 511 if (rc) 512 goto err; 513 514 rc = tee_device_register(optee->supp_teedev); 515 if (rc) 516 goto err; 517 518 mutex_init(&optee->call_queue.mutex); 519 INIT_LIST_HEAD(&optee->call_queue.waiters); 520 optee_wait_queue_init(&optee->wait_queue); 521 optee_supp_init(&optee->supp); 522 optee->memremaped_shm = memremaped_shm; 523 optee->pool = pool; 524 525 optee_enable_shm_cache(optee); 526 527 pr_info("initialized driver\n"); 528 return optee; 529 err: 530 if (optee) { 531 /* 532 * tee_device_unregister() is safe to call even if the 533 * devices hasn't been registered with 534 * tee_device_register() yet. 535 */ 536 tee_device_unregister(optee->supp_teedev); 537 tee_device_unregister(optee->teedev); 538 kfree(optee); 539 } 540 if (pool) 541 tee_shm_pool_free(pool); 542 if (memremaped_shm) 543 memunmap(memremaped_shm); 544 return ERR_PTR(rc); 545 } 546 547 static void optee_remove(struct optee *optee) 548 { 549 /* 550 * Ask OP-TEE to free all cached shared memory objects to decrease 551 * reference counters and also avoid wild pointers in secure world 552 * into the old shared memory range. 553 */ 554 optee_disable_shm_cache(optee); 555 556 /* 557 * The two devices has to be unregistered before we can free the 558 * other resources. 559 */ 560 tee_device_unregister(optee->supp_teedev); 561 tee_device_unregister(optee->teedev); 562 563 tee_shm_pool_free(optee->pool); 564 if (optee->memremaped_shm) 565 memunmap(optee->memremaped_shm); 566 optee_wait_queue_exit(&optee->wait_queue); 567 optee_supp_uninit(&optee->supp); 568 mutex_destroy(&optee->call_queue.mutex); 569 570 kfree(optee); 571 } 572 573 static const struct of_device_id optee_match[] = { 574 { .compatible = "linaro,optee-tz" }, 575 {}, 576 }; 577 578 static struct optee *optee_svc; 579 580 static int __init optee_driver_init(void) 581 { 582 struct device_node *fw_np; 583 struct device_node *np; 584 struct optee *optee; 585 586 /* Node is supposed to be below /firmware */ 587 fw_np = of_find_node_by_name(NULL, "firmware"); 588 if (!fw_np) 589 return -ENODEV; 590 591 np = of_find_matching_node(fw_np, optee_match); 592 of_node_put(fw_np); 593 if (!np) 594 return -ENODEV; 595 596 optee = optee_probe(np); 597 of_node_put(np); 598 599 if (IS_ERR(optee)) 600 return PTR_ERR(optee); 601 602 optee_svc = optee; 603 604 return 0; 605 } 606 module_init(optee_driver_init); 607 608 static void __exit optee_driver_exit(void) 609 { 610 struct optee *optee = optee_svc; 611 612 optee_svc = NULL; 613 if (optee) 614 optee_remove(optee); 615 } 616 module_exit(optee_driver_exit); 617 618 MODULE_AUTHOR("Linaro"); 619 MODULE_DESCRIPTION("OP-TEE driver"); 620 MODULE_SUPPORTED_DEVICE(""); 621 MODULE_VERSION("1.0"); 622 MODULE_LICENSE("GPL v2"); 623