1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015-2021, Linaro Limited 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include <linux/delay.h> 9 #include <linux/i2c.h> 10 #include <linux/rpmb.h> 11 #include <linux/slab.h> 12 #include <linux/tee_core.h> 13 #include "optee_private.h" 14 #include "optee_rpc_cmd.h" 15 16 static void handle_rpc_func_cmd_get_time(struct optee_msg_arg *arg) 17 { 18 struct timespec64 ts; 19 20 if (arg->num_params != 1) 21 goto bad; 22 if ((arg->params[0].attr & OPTEE_MSG_ATTR_TYPE_MASK) != 23 OPTEE_MSG_ATTR_TYPE_VALUE_OUTPUT) 24 goto bad; 25 26 ktime_get_real_ts64(&ts); 27 arg->params[0].u.value.a = ts.tv_sec; 28 arg->params[0].u.value.b = ts.tv_nsec; 29 30 arg->ret = TEEC_SUCCESS; 31 return; 32 bad: 33 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 34 } 35 36 #if IS_REACHABLE(CONFIG_I2C) 37 static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx, 38 struct optee_msg_arg *arg) 39 { 40 struct optee *optee = tee_get_drvdata(ctx->teedev); 41 struct tee_param *params; 42 struct i2c_adapter *adapter; 43 struct i2c_msg msg = { }; 44 size_t i; 45 int ret = -EOPNOTSUPP; 46 static const u8 attr[] = { 47 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT, 48 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT, 49 TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT, 50 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT, 51 }; 52 53 if (arg->num_params != ARRAY_SIZE(attr)) { 54 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 55 return; 56 } 57 58 params = kmalloc_objs(struct tee_param, arg->num_params, GFP_KERNEL); 59 if (!params) { 60 arg->ret = TEEC_ERROR_OUT_OF_MEMORY; 61 return; 62 } 63 64 if (optee->ops->from_msg_param(optee, params, arg->num_params, 65 arg->params)) 66 goto bad; 67 68 for (i = 0; i < arg->num_params; i++) { 69 if (params[i].attr != attr[i]) 70 goto bad; 71 } 72 73 adapter = i2c_get_adapter(params[0].u.value.b); 74 if (!adapter) 75 goto bad; 76 77 if (params[1].u.value.a & OPTEE_RPC_I2C_FLAGS_TEN_BIT) { 78 if (!i2c_check_functionality(adapter, 79 I2C_FUNC_10BIT_ADDR)) { 80 i2c_put_adapter(adapter); 81 goto bad; 82 } 83 84 msg.flags = I2C_M_TEN; 85 } 86 87 msg.addr = params[0].u.value.c; 88 msg.buf = params[2].u.memref.shm->kaddr; 89 msg.len = params[2].u.memref.size; 90 91 switch (params[0].u.value.a) { 92 case OPTEE_RPC_I2C_TRANSFER_RD: 93 msg.flags |= I2C_M_RD; 94 break; 95 case OPTEE_RPC_I2C_TRANSFER_WR: 96 break; 97 default: 98 i2c_put_adapter(adapter); 99 goto bad; 100 } 101 102 ret = i2c_transfer(adapter, &msg, 1); 103 104 if (ret < 0) { 105 arg->ret = TEEC_ERROR_COMMUNICATION; 106 } else { 107 params[3].u.value.a = msg.len; 108 if (optee->ops->to_msg_param(optee, arg->params, 109 arg->num_params, params)) 110 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 111 else 112 arg->ret = TEEC_SUCCESS; 113 } 114 115 i2c_put_adapter(adapter); 116 kfree(params); 117 return; 118 bad: 119 kfree(params); 120 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 121 } 122 #else 123 static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx, 124 struct optee_msg_arg *arg) 125 { 126 arg->ret = TEEC_ERROR_NOT_SUPPORTED; 127 } 128 #endif 129 130 static void handle_rpc_func_cmd_wq(struct optee *optee, 131 struct optee_msg_arg *arg) 132 { 133 int rc = 0; 134 135 if (arg->num_params != 1) 136 goto bad; 137 138 if ((arg->params[0].attr & OPTEE_MSG_ATTR_TYPE_MASK) != 139 OPTEE_MSG_ATTR_TYPE_VALUE_INPUT) 140 goto bad; 141 142 switch (arg->params[0].u.value.a) { 143 case OPTEE_RPC_NOTIFICATION_WAIT: 144 rc = optee_notif_wait(optee, arg->params[0].u.value.b, arg->params[0].u.value.c); 145 if (rc) 146 goto bad; 147 break; 148 case OPTEE_RPC_NOTIFICATION_SEND: 149 if (optee_notif_send(optee, arg->params[0].u.value.b)) 150 goto bad; 151 break; 152 default: 153 goto bad; 154 } 155 156 arg->ret = TEEC_SUCCESS; 157 return; 158 bad: 159 if (rc == -ETIMEDOUT) 160 arg->ret = TEE_ERROR_TIMEOUT; 161 else 162 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 163 } 164 165 static void handle_rpc_func_cmd_wait(struct optee_msg_arg *arg) 166 { 167 u32 msec_to_wait; 168 169 if (arg->num_params != 1) 170 goto bad; 171 172 if ((arg->params[0].attr & OPTEE_MSG_ATTR_TYPE_MASK) != 173 OPTEE_MSG_ATTR_TYPE_VALUE_INPUT) 174 goto bad; 175 176 msec_to_wait = arg->params[0].u.value.a; 177 178 /* Go to interruptible sleep */ 179 msleep_interruptible(msec_to_wait); 180 181 arg->ret = TEEC_SUCCESS; 182 return; 183 bad: 184 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 185 } 186 187 static void handle_rpc_supp_cmd(struct tee_context *ctx, struct optee *optee, 188 struct optee_msg_arg *arg) 189 { 190 struct tee_param *params; 191 192 arg->ret_origin = TEEC_ORIGIN_COMMS; 193 194 params = kmalloc_objs(struct tee_param, arg->num_params, GFP_KERNEL); 195 if (!params) { 196 arg->ret = TEEC_ERROR_OUT_OF_MEMORY; 197 return; 198 } 199 200 if (optee->ops->from_msg_param(optee, params, arg->num_params, 201 arg->params)) { 202 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 203 goto out; 204 } 205 206 arg->ret = optee_supp_thrd_req(ctx, arg->cmd, arg->num_params, params); 207 208 if (optee->ops->to_msg_param(optee, arg->params, arg->num_params, 209 params)) 210 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 211 out: 212 kfree(params); 213 } 214 215 struct tee_shm *optee_rpc_cmd_alloc_suppl(struct tee_context *ctx, size_t sz) 216 { 217 u32 ret; 218 struct tee_param param; 219 struct optee *optee = tee_get_drvdata(ctx->teedev); 220 struct tee_shm *shm; 221 222 param.attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT; 223 param.u.value.a = OPTEE_RPC_SHM_TYPE_APPL; 224 param.u.value.b = sz; 225 param.u.value.c = 0; 226 227 ret = optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_ALLOC, 1, ¶m); 228 if (ret) 229 return ERR_PTR(-ENOMEM); 230 231 mutex_lock(&optee->supp.mutex); 232 /* Increases count as secure world doesn't have a reference */ 233 shm = tee_shm_get_from_id(optee->supp.ctx, param.u.value.c); 234 mutex_unlock(&optee->supp.mutex); 235 return shm; 236 } 237 238 void optee_rpc_cmd_free_suppl(struct tee_context *ctx, struct tee_shm *shm) 239 { 240 struct tee_param param; 241 242 param.attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT; 243 param.u.value.a = OPTEE_RPC_SHM_TYPE_APPL; 244 param.u.value.b = tee_shm_get_id(shm); 245 param.u.value.c = 0; 246 247 /* 248 * Match the tee_shm_get_from_id() in optee_rpc_cmd_alloc_suppl() 249 * as secure world has released its reference. 250 * 251 * It's better to do this before sending the request to supplicant 252 * as we'd like to let the process doing the initial allocation to 253 * do release the last reference too in order to avoid stacking 254 * many pending fput() on the client process. This could otherwise 255 * happen if secure world does many allocate and free in a single 256 * invoke. 257 */ 258 tee_shm_put(shm); 259 260 optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_FREE, 1, ¶m); 261 } 262 263 static void handle_rpc_func_rpmb_probe_reset(struct tee_context *ctx, 264 struct optee *optee, 265 struct optee_msg_arg *arg) 266 { 267 struct tee_param params[1]; 268 269 if (arg->num_params != ARRAY_SIZE(params) || 270 optee->ops->from_msg_param(optee, params, arg->num_params, 271 arg->params) || 272 params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT) { 273 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 274 return; 275 } 276 277 params[0].u.value.a = OPTEE_RPC_SHM_TYPE_KERNEL; 278 params[0].u.value.b = 0; 279 params[0].u.value.c = 0; 280 if (optee->ops->to_msg_param(optee, arg->params, 281 arg->num_params, params)) { 282 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 283 return; 284 } 285 286 mutex_lock(&optee->rpmb_dev_mutex); 287 rpmb_dev_put(optee->rpmb_dev); 288 optee->rpmb_dev = NULL; 289 mutex_unlock(&optee->rpmb_dev_mutex); 290 291 arg->ret = TEEC_SUCCESS; 292 } 293 294 static int rpmb_type_to_rpc_type(enum rpmb_type rtype) 295 { 296 switch (rtype) { 297 case RPMB_TYPE_EMMC: 298 return OPTEE_RPC_RPMB_EMMC; 299 case RPMB_TYPE_UFS: 300 return OPTEE_RPC_RPMB_UFS; 301 case RPMB_TYPE_NVME: 302 return OPTEE_RPC_RPMB_NVME; 303 default: 304 return -1; 305 } 306 } 307 308 static int rpc_rpmb_match(struct device *dev, const void *data) 309 { 310 struct rpmb_dev *rdev = to_rpmb_dev(dev); 311 312 return rpmb_type_to_rpc_type(rdev->descr.type) >= 0; 313 } 314 315 static void handle_rpc_func_rpmb_probe_next(struct tee_context *ctx, 316 struct optee *optee, 317 struct optee_msg_arg *arg) 318 { 319 struct rpmb_dev *rdev; 320 struct tee_param params[2]; 321 void *buf; 322 323 if (arg->num_params != ARRAY_SIZE(params) || 324 optee->ops->from_msg_param(optee, params, arg->num_params, 325 arg->params) || 326 params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT || 327 params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) { 328 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 329 return; 330 } 331 buf = tee_shm_get_va(params[1].u.memref.shm, 332 params[1].u.memref.shm_offs); 333 if (IS_ERR(buf)) { 334 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 335 return; 336 } 337 338 mutex_lock(&optee->rpmb_dev_mutex); 339 rdev = rpmb_dev_find_device(NULL, optee->rpmb_dev, rpc_rpmb_match); 340 rpmb_dev_put(optee->rpmb_dev); 341 optee->rpmb_dev = rdev; 342 mutex_unlock(&optee->rpmb_dev_mutex); 343 344 if (!rdev) { 345 arg->ret = TEEC_ERROR_ITEM_NOT_FOUND; 346 return; 347 } 348 349 if (params[1].u.memref.size < rdev->descr.dev_id_len) { 350 arg->ret = TEEC_ERROR_SHORT_BUFFER; 351 return; 352 } 353 memcpy(buf, rdev->descr.dev_id, rdev->descr.dev_id_len); 354 params[1].u.memref.size = rdev->descr.dev_id_len; 355 params[0].u.value.a = rpmb_type_to_rpc_type(rdev->descr.type); 356 params[0].u.value.b = rdev->descr.capacity; 357 params[0].u.value.c = rdev->descr.reliable_wr_count; 358 if (optee->ops->to_msg_param(optee, arg->params, 359 arg->num_params, params)) { 360 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 361 return; 362 } 363 364 arg->ret = TEEC_SUCCESS; 365 } 366 367 static void handle_rpc_func_rpmb_frames(struct tee_context *ctx, 368 struct optee *optee, 369 struct optee_msg_arg *arg) 370 { 371 struct tee_param params[2]; 372 struct rpmb_dev *rdev; 373 void *p0, *p1; 374 375 mutex_lock(&optee->rpmb_dev_mutex); 376 rdev = rpmb_dev_get(optee->rpmb_dev); 377 mutex_unlock(&optee->rpmb_dev_mutex); 378 if (!rdev) { 379 arg->ret = TEEC_ERROR_ITEM_NOT_FOUND; 380 return; 381 } 382 383 if (arg->num_params != ARRAY_SIZE(params) || 384 optee->ops->from_msg_param(optee, params, arg->num_params, 385 arg->params) || 386 params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT || 387 params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) { 388 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 389 goto out; 390 } 391 392 p0 = tee_shm_get_va(params[0].u.memref.shm, 393 params[0].u.memref.shm_offs); 394 p1 = tee_shm_get_va(params[1].u.memref.shm, 395 params[1].u.memref.shm_offs); 396 if (rpmb_route_frames(rdev, p0, params[0].u.memref.size, p1, 397 params[1].u.memref.size)) { 398 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 399 goto out; 400 } 401 if (optee->ops->to_msg_param(optee, arg->params, 402 arg->num_params, params)) { 403 arg->ret = TEEC_ERROR_BAD_PARAMETERS; 404 goto out; 405 } 406 arg->ret = TEEC_SUCCESS; 407 out: 408 rpmb_dev_put(rdev); 409 } 410 411 void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee, 412 struct optee_msg_arg *arg) 413 { 414 switch (arg->cmd) { 415 case OPTEE_RPC_CMD_GET_TIME: 416 handle_rpc_func_cmd_get_time(arg); 417 break; 418 case OPTEE_RPC_CMD_NOTIFICATION: 419 handle_rpc_func_cmd_wq(optee, arg); 420 break; 421 case OPTEE_RPC_CMD_SUSPEND: 422 handle_rpc_func_cmd_wait(arg); 423 break; 424 case OPTEE_RPC_CMD_I2C_TRANSFER: 425 handle_rpc_func_cmd_i2c_transfer(ctx, arg); 426 break; 427 /* 428 * optee->in_kernel_rpmb_routing true means that OP-TEE supports 429 * in-kernel RPMB routing _and_ that the RPMB subsystem is 430 * reachable. This is reported to user space with 431 * rpmb_routing_model=kernel in sysfs. 432 * 433 * rpmb_routing_model=kernel is also a promise to user space that 434 * RPMB access will not require supplicant support, hence the 435 * checks below. 436 */ 437 case OPTEE_RPC_CMD_RPMB_PROBE_RESET: 438 if (optee->in_kernel_rpmb_routing) 439 handle_rpc_func_rpmb_probe_reset(ctx, optee, arg); 440 else 441 handle_rpc_supp_cmd(ctx, optee, arg); 442 break; 443 case OPTEE_RPC_CMD_RPMB_PROBE_NEXT: 444 if (optee->in_kernel_rpmb_routing) 445 handle_rpc_func_rpmb_probe_next(ctx, optee, arg); 446 else 447 handle_rpc_supp_cmd(ctx, optee, arg); 448 break; 449 case OPTEE_RPC_CMD_RPMB_FRAMES: 450 if (optee->in_kernel_rpmb_routing) 451 handle_rpc_func_rpmb_frames(ctx, optee, arg); 452 else 453 handle_rpc_supp_cmd(ctx, optee, arg); 454 break; 455 default: 456 handle_rpc_supp_cmd(ctx, optee, arg); 457 } 458 } 459 460 461