1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015-2021, Linaro Limited
4 */
5
6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
7
8 #include <linux/delay.h>
9 #include <linux/i2c.h>
10 #include <linux/rpmb.h>
11 #include <linux/slab.h>
12 #include <linux/tee_core.h>
13 #include "optee_private.h"
14 #include "optee_rpc_cmd.h"
15
handle_rpc_func_cmd_get_time(struct optee_msg_arg * arg)16 static void handle_rpc_func_cmd_get_time(struct optee_msg_arg *arg)
17 {
18 struct timespec64 ts;
19
20 if (arg->num_params != 1)
21 goto bad;
22 if ((arg->params[0].attr & OPTEE_MSG_ATTR_TYPE_MASK) !=
23 OPTEE_MSG_ATTR_TYPE_VALUE_OUTPUT)
24 goto bad;
25
26 ktime_get_real_ts64(&ts);
27 arg->params[0].u.value.a = ts.tv_sec;
28 arg->params[0].u.value.b = ts.tv_nsec;
29
30 arg->ret = TEEC_SUCCESS;
31 return;
32 bad:
33 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
34 }
35
36 #if IS_REACHABLE(CONFIG_I2C)
handle_rpc_func_cmd_i2c_transfer(struct tee_context * ctx,struct optee_msg_arg * arg)37 static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx,
38 struct optee_msg_arg *arg)
39 {
40 struct optee *optee = tee_get_drvdata(ctx->teedev);
41 struct tee_param *params;
42 struct i2c_adapter *adapter;
43 struct i2c_msg msg = { };
44 size_t i;
45 int ret = -EOPNOTSUPP;
46 static const u8 attr[] = {
47 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT,
48 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT,
49 TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT,
50 TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT,
51 };
52
53 if (arg->num_params != ARRAY_SIZE(attr)) {
54 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
55 return;
56 }
57
58 params = kmalloc_objs(struct tee_param, arg->num_params);
59 if (!params) {
60 arg->ret = TEEC_ERROR_OUT_OF_MEMORY;
61 return;
62 }
63
64 if (optee->ops->from_msg_param(optee, params, arg->num_params,
65 arg->params))
66 goto bad;
67
68 for (i = 0; i < arg->num_params; i++) {
69 if (params[i].attr != attr[i])
70 goto bad;
71 }
72
73 adapter = i2c_get_adapter(params[0].u.value.b);
74 if (!adapter)
75 goto bad;
76
77 if (params[1].u.value.a & OPTEE_RPC_I2C_FLAGS_TEN_BIT) {
78 if (!i2c_check_functionality(adapter,
79 I2C_FUNC_10BIT_ADDR)) {
80 i2c_put_adapter(adapter);
81 goto bad;
82 }
83
84 msg.flags = I2C_M_TEN;
85 }
86
87 msg.addr = params[0].u.value.c;
88 msg.buf = params[2].u.memref.shm->kaddr;
89 msg.len = params[2].u.memref.size;
90
91 switch (params[0].u.value.a) {
92 case OPTEE_RPC_I2C_TRANSFER_RD:
93 msg.flags |= I2C_M_RD;
94 break;
95 case OPTEE_RPC_I2C_TRANSFER_WR:
96 break;
97 default:
98 i2c_put_adapter(adapter);
99 goto bad;
100 }
101
102 ret = i2c_transfer(adapter, &msg, 1);
103
104 if (ret < 0) {
105 arg->ret = TEEC_ERROR_COMMUNICATION;
106 } else {
107 params[3].u.value.a = msg.len;
108 if (optee->ops->to_msg_param(optee, arg->params,
109 arg->num_params, params))
110 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
111 else
112 arg->ret = TEEC_SUCCESS;
113 }
114
115 i2c_put_adapter(adapter);
116 kfree(params);
117 return;
118 bad:
119 kfree(params);
120 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
121 }
122 #else
handle_rpc_func_cmd_i2c_transfer(struct tee_context * ctx,struct optee_msg_arg * arg)123 static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx,
124 struct optee_msg_arg *arg)
125 {
126 arg->ret = TEEC_ERROR_NOT_SUPPORTED;
127 }
128 #endif
129
handle_rpc_func_cmd_wq(struct optee * optee,struct optee_msg_arg * arg)130 static void handle_rpc_func_cmd_wq(struct optee *optee,
131 struct optee_msg_arg *arg)
132 {
133 int rc = 0;
134
135 if (arg->num_params != 1)
136 goto bad;
137
138 if ((arg->params[0].attr & OPTEE_MSG_ATTR_TYPE_MASK) !=
139 OPTEE_MSG_ATTR_TYPE_VALUE_INPUT)
140 goto bad;
141
142 switch (arg->params[0].u.value.a) {
143 case OPTEE_RPC_NOTIFICATION_WAIT:
144 rc = optee_notif_wait(optee, arg->params[0].u.value.b, arg->params[0].u.value.c);
145 if (rc)
146 goto bad;
147 break;
148 case OPTEE_RPC_NOTIFICATION_SEND:
149 if (optee_notif_send(optee, arg->params[0].u.value.b))
150 goto bad;
151 break;
152 default:
153 goto bad;
154 }
155
156 arg->ret = TEEC_SUCCESS;
157 return;
158 bad:
159 if (rc == -ETIMEDOUT)
160 arg->ret = TEE_ERROR_TIMEOUT;
161 else
162 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
163 }
164
handle_rpc_func_cmd_wait(struct optee_msg_arg * arg)165 static void handle_rpc_func_cmd_wait(struct optee_msg_arg *arg)
166 {
167 u32 msec_to_wait;
168
169 if (arg->num_params != 1)
170 goto bad;
171
172 if ((arg->params[0].attr & OPTEE_MSG_ATTR_TYPE_MASK) !=
173 OPTEE_MSG_ATTR_TYPE_VALUE_INPUT)
174 goto bad;
175
176 msec_to_wait = arg->params[0].u.value.a;
177
178 /* Go to interruptible sleep */
179 msleep_interruptible(msec_to_wait);
180
181 arg->ret = TEEC_SUCCESS;
182 return;
183 bad:
184 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
185 }
186
handle_rpc_supp_cmd(struct tee_context * ctx,struct optee * optee,struct optee_msg_arg * arg)187 static void handle_rpc_supp_cmd(struct tee_context *ctx, struct optee *optee,
188 struct optee_msg_arg *arg)
189 {
190 struct tee_param *params;
191
192 arg->ret_origin = TEEC_ORIGIN_COMMS;
193
194 params = kmalloc_objs(struct tee_param, arg->num_params);
195 if (!params) {
196 arg->ret = TEEC_ERROR_OUT_OF_MEMORY;
197 return;
198 }
199
200 if (optee->ops->from_msg_param(optee, params, arg->num_params,
201 arg->params)) {
202 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
203 goto out;
204 }
205
206 arg->ret = optee_supp_thrd_req(ctx, arg->cmd, arg->num_params, params);
207
208 if (optee->ops->to_msg_param(optee, arg->params, arg->num_params,
209 params))
210 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
211 out:
212 kfree(params);
213 }
214
optee_rpc_cmd_alloc_suppl(struct tee_context * ctx,size_t sz)215 struct tee_shm *optee_rpc_cmd_alloc_suppl(struct tee_context *ctx, size_t sz)
216 {
217 u32 ret;
218 struct tee_param param;
219 struct optee *optee = tee_get_drvdata(ctx->teedev);
220 struct tee_shm *shm;
221
222 param.attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT;
223 param.u.value.a = OPTEE_RPC_SHM_TYPE_APPL;
224 param.u.value.b = sz;
225 param.u.value.c = 0;
226
227 ret = optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_ALLOC, 1, ¶m);
228 if (ret)
229 return ERR_PTR(-ENOMEM);
230
231 mutex_lock(&optee->supp.mutex);
232 /* Increases count as secure world doesn't have a reference */
233 shm = tee_shm_get_from_id(optee->supp.ctx, param.u.value.c);
234 mutex_unlock(&optee->supp.mutex);
235 return shm;
236 }
237
optee_rpc_cmd_free_suppl(struct tee_context * ctx,struct tee_shm * shm)238 void optee_rpc_cmd_free_suppl(struct tee_context *ctx, struct tee_shm *shm)
239 {
240 struct tee_param param;
241
242 param.attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT;
243 param.u.value.a = OPTEE_RPC_SHM_TYPE_APPL;
244 param.u.value.b = tee_shm_get_id(shm);
245 param.u.value.c = 0;
246
247 /*
248 * Match the tee_shm_get_from_id() in optee_rpc_cmd_alloc_suppl()
249 * as secure world has released its reference.
250 *
251 * It's better to do this before sending the request to supplicant
252 * as we'd like to let the process doing the initial allocation to
253 * do release the last reference too in order to avoid stacking
254 * many pending fput() on the client process. This could otherwise
255 * happen if secure world does many allocate and free in a single
256 * invoke.
257 */
258 tee_shm_put(shm);
259
260 optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_FREE, 1, ¶m);
261 }
262
handle_rpc_func_rpmb_probe_reset(struct tee_context * ctx,struct optee * optee,struct optee_msg_arg * arg)263 static void handle_rpc_func_rpmb_probe_reset(struct tee_context *ctx,
264 struct optee *optee,
265 struct optee_msg_arg *arg)
266 {
267 struct tee_param params[1];
268
269 if (arg->num_params != ARRAY_SIZE(params) ||
270 optee->ops->from_msg_param(optee, params, arg->num_params,
271 arg->params) ||
272 params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT) {
273 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
274 return;
275 }
276
277 params[0].u.value.a = OPTEE_RPC_SHM_TYPE_KERNEL;
278 params[0].u.value.b = 0;
279 params[0].u.value.c = 0;
280 if (optee->ops->to_msg_param(optee, arg->params,
281 arg->num_params, params)) {
282 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
283 return;
284 }
285
286 mutex_lock(&optee->rpmb_dev_mutex);
287 rpmb_dev_put(optee->rpmb_dev);
288 optee->rpmb_dev = NULL;
289 mutex_unlock(&optee->rpmb_dev_mutex);
290
291 arg->ret = TEEC_SUCCESS;
292 }
293
rpmb_type_to_rpc_type(enum rpmb_type rtype)294 static int rpmb_type_to_rpc_type(enum rpmb_type rtype)
295 {
296 switch (rtype) {
297 case RPMB_TYPE_EMMC:
298 return OPTEE_RPC_RPMB_EMMC;
299 case RPMB_TYPE_UFS:
300 return OPTEE_RPC_RPMB_UFS;
301 case RPMB_TYPE_NVME:
302 return OPTEE_RPC_RPMB_NVME;
303 default:
304 return -1;
305 }
306 }
307
rpc_rpmb_match(struct device * dev,const void * data)308 static int rpc_rpmb_match(struct device *dev, const void *data)
309 {
310 struct rpmb_dev *rdev = to_rpmb_dev(dev);
311
312 return rpmb_type_to_rpc_type(rdev->descr.type) >= 0;
313 }
314
handle_rpc_func_rpmb_probe_next(struct tee_context * ctx,struct optee * optee,struct optee_msg_arg * arg)315 static void handle_rpc_func_rpmb_probe_next(struct tee_context *ctx,
316 struct optee *optee,
317 struct optee_msg_arg *arg)
318 {
319 struct rpmb_dev *rdev;
320 struct tee_param params[2];
321 void *buf;
322
323 if (arg->num_params != ARRAY_SIZE(params) ||
324 optee->ops->from_msg_param(optee, params, arg->num_params,
325 arg->params) ||
326 params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT ||
327 params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
328 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
329 return;
330 }
331 buf = tee_shm_get_va(params[1].u.memref.shm,
332 params[1].u.memref.shm_offs);
333 if (IS_ERR(buf)) {
334 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
335 return;
336 }
337
338 mutex_lock(&optee->rpmb_dev_mutex);
339 rdev = rpmb_dev_find_device(NULL, optee->rpmb_dev, rpc_rpmb_match);
340 rpmb_dev_put(optee->rpmb_dev);
341 optee->rpmb_dev = rdev;
342 mutex_unlock(&optee->rpmb_dev_mutex);
343
344 if (!rdev) {
345 arg->ret = TEEC_ERROR_ITEM_NOT_FOUND;
346 return;
347 }
348
349 if (params[1].u.memref.size < rdev->descr.dev_id_len) {
350 arg->ret = TEEC_ERROR_SHORT_BUFFER;
351 return;
352 }
353 memcpy(buf, rdev->descr.dev_id, rdev->descr.dev_id_len);
354 params[1].u.memref.size = rdev->descr.dev_id_len;
355 params[0].u.value.a = rpmb_type_to_rpc_type(rdev->descr.type);
356 params[0].u.value.b = rdev->descr.capacity;
357 params[0].u.value.c = rdev->descr.reliable_wr_count;
358 if (optee->ops->to_msg_param(optee, arg->params,
359 arg->num_params, params)) {
360 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
361 return;
362 }
363
364 arg->ret = TEEC_SUCCESS;
365 }
366
handle_rpc_func_rpmb_frames(struct tee_context * ctx,struct optee * optee,struct optee_msg_arg * arg)367 static void handle_rpc_func_rpmb_frames(struct tee_context *ctx,
368 struct optee *optee,
369 struct optee_msg_arg *arg)
370 {
371 struct tee_param params[2];
372 struct rpmb_dev *rdev;
373 void *p0, *p1;
374
375 mutex_lock(&optee->rpmb_dev_mutex);
376 rdev = rpmb_dev_get(optee->rpmb_dev);
377 mutex_unlock(&optee->rpmb_dev_mutex);
378 if (!rdev) {
379 arg->ret = TEEC_ERROR_ITEM_NOT_FOUND;
380 return;
381 }
382
383 if (arg->num_params != ARRAY_SIZE(params) ||
384 optee->ops->from_msg_param(optee, params, arg->num_params,
385 arg->params) ||
386 params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT ||
387 params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
388 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
389 goto out;
390 }
391
392 p0 = tee_shm_get_va(params[0].u.memref.shm,
393 params[0].u.memref.shm_offs);
394 p1 = tee_shm_get_va(params[1].u.memref.shm,
395 params[1].u.memref.shm_offs);
396 if (rpmb_route_frames(rdev, p0, params[0].u.memref.size, p1,
397 params[1].u.memref.size)) {
398 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
399 goto out;
400 }
401 if (optee->ops->to_msg_param(optee, arg->params,
402 arg->num_params, params)) {
403 arg->ret = TEEC_ERROR_BAD_PARAMETERS;
404 goto out;
405 }
406 arg->ret = TEEC_SUCCESS;
407 out:
408 rpmb_dev_put(rdev);
409 }
410
optee_rpc_cmd(struct tee_context * ctx,struct optee * optee,struct optee_msg_arg * arg)411 void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
412 struct optee_msg_arg *arg)
413 {
414 switch (arg->cmd) {
415 case OPTEE_RPC_CMD_GET_TIME:
416 handle_rpc_func_cmd_get_time(arg);
417 break;
418 case OPTEE_RPC_CMD_NOTIFICATION:
419 handle_rpc_func_cmd_wq(optee, arg);
420 break;
421 case OPTEE_RPC_CMD_SUSPEND:
422 handle_rpc_func_cmd_wait(arg);
423 break;
424 case OPTEE_RPC_CMD_I2C_TRANSFER:
425 handle_rpc_func_cmd_i2c_transfer(ctx, arg);
426 break;
427 /*
428 * optee->in_kernel_rpmb_routing true means that OP-TEE supports
429 * in-kernel RPMB routing _and_ that the RPMB subsystem is
430 * reachable. This is reported to user space with
431 * rpmb_routing_model=kernel in sysfs.
432 *
433 * rpmb_routing_model=kernel is also a promise to user space that
434 * RPMB access will not require supplicant support, hence the
435 * checks below.
436 */
437 case OPTEE_RPC_CMD_RPMB_PROBE_RESET:
438 if (optee->in_kernel_rpmb_routing)
439 handle_rpc_func_rpmb_probe_reset(ctx, optee, arg);
440 else
441 handle_rpc_supp_cmd(ctx, optee, arg);
442 break;
443 case OPTEE_RPC_CMD_RPMB_PROBE_NEXT:
444 if (optee->in_kernel_rpmb_routing)
445 handle_rpc_func_rpmb_probe_next(ctx, optee, arg);
446 else
447 handle_rpc_supp_cmd(ctx, optee, arg);
448 break;
449 case OPTEE_RPC_CMD_RPMB_FRAMES:
450 if (optee->in_kernel_rpmb_routing)
451 handle_rpc_func_rpmb_frames(ctx, optee, arg);
452 else
453 handle_rpc_supp_cmd(ctx, optee, arg);
454 break;
455 default:
456 handle_rpc_supp_cmd(ctx, optee, arg);
457 }
458 }
459
460
461