xref: /linux/drivers/tee/optee/supp.c (revision 1116f0c5ff3385658ceb8ae2c5c4cb05bd7836d7)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2015, Linaro Limited
4  */
5 #include <linux/device.h>
6 #include <linux/slab.h>
7 #include <linux/uaccess.h>
8 #include "optee_private.h"
9 
10 struct optee_supp_req {
11 	struct list_head link;
12 
13 	bool in_queue;
14 	u32 func;
15 	u32 ret;
16 	size_t num_params;
17 	struct tee_param *param;
18 
19 	struct completion c;
20 };
21 
22 void optee_supp_init(struct optee_supp *supp)
23 {
24 	memset(supp, 0, sizeof(*supp));
25 	mutex_init(&supp->mutex);
26 	init_completion(&supp->reqs_c);
27 	idr_init(&supp->idr);
28 	INIT_LIST_HEAD(&supp->reqs);
29 	supp->req_id = -1;
30 }
31 
32 void optee_supp_uninit(struct optee_supp *supp)
33 {
34 	mutex_destroy(&supp->mutex);
35 	idr_destroy(&supp->idr);
36 }
37 
38 void optee_supp_release(struct optee_supp *supp)
39 {
40 	int id;
41 	struct optee_supp_req *req;
42 	struct optee_supp_req *req_tmp;
43 
44 	mutex_lock(&supp->mutex);
45 
46 	/* Abort all request retrieved by supplicant */
47 	idr_for_each_entry(&supp->idr, req, id) {
48 		idr_remove(&supp->idr, id);
49 		req->ret = TEEC_ERROR_COMMUNICATION;
50 		complete(&req->c);
51 	}
52 
53 	/* Abort all queued requests */
54 	list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) {
55 		list_del(&req->link);
56 		req->in_queue = false;
57 		req->ret = TEEC_ERROR_COMMUNICATION;
58 		complete(&req->c);
59 	}
60 
61 	supp->ctx = NULL;
62 	supp->req_id = -1;
63 
64 	mutex_unlock(&supp->mutex);
65 }
66 
67 /**
68  * optee_supp_thrd_req() - request service from supplicant
69  * @ctx:	context doing the request
70  * @func:	function requested
71  * @num_params:	number of elements in @param array
72  * @param:	parameters for function
73  *
74  * Returns result of operation to be passed to secure world
75  */
76 u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
77 			struct tee_param *param)
78 
79 {
80 	struct optee *optee = tee_get_drvdata(ctx->teedev);
81 	struct optee_supp *supp = &optee->supp;
82 	struct optee_supp_req *req;
83 	u32 ret;
84 
85 	/*
86 	 * Return in case there is no supplicant available and
87 	 * non-blocking request.
88 	 */
89 	if (!supp->ctx && ctx->supp_nowait)
90 		return TEEC_ERROR_COMMUNICATION;
91 
92 	req = kzalloc(sizeof(*req), GFP_KERNEL);
93 	if (!req)
94 		return TEEC_ERROR_OUT_OF_MEMORY;
95 
96 	init_completion(&req->c);
97 	req->func = func;
98 	req->num_params = num_params;
99 	req->param = param;
100 
101 	/* Insert the request in the request list */
102 	mutex_lock(&supp->mutex);
103 	list_add_tail(&req->link, &supp->reqs);
104 	req->in_queue = true;
105 	mutex_unlock(&supp->mutex);
106 
107 	/* Tell an eventual waiter there's a new request */
108 	complete(&supp->reqs_c);
109 
110 	/*
111 	 * Wait for supplicant to process and return result, once we've
112 	 * returned from wait_for_completion(&req->c) successfully we have
113 	 * exclusive access again. Allow the wait to be killable such that
114 	 * the wait doesn't turn into an indefinite state if the supplicant
115 	 * gets hung for some reason.
116 	 */
117 	if (wait_for_completion_killable(&req->c)) {
118 		mutex_lock(&supp->mutex);
119 		if (req->in_queue) {
120 			list_del(&req->link);
121 			req->in_queue = false;
122 		}
123 		mutex_unlock(&supp->mutex);
124 		req->ret = TEEC_ERROR_COMMUNICATION;
125 	}
126 
127 	ret = req->ret;
128 	kfree(req);
129 
130 	return ret;
131 }
132 
133 static struct optee_supp_req  *supp_pop_entry(struct optee_supp *supp,
134 					      int num_params, int *id)
135 {
136 	struct optee_supp_req *req;
137 
138 	if (supp->req_id != -1) {
139 		/*
140 		 * Supplicant should not mix synchronous and asnynchronous
141 		 * requests.
142 		 */
143 		return ERR_PTR(-EINVAL);
144 	}
145 
146 	if (list_empty(&supp->reqs))
147 		return NULL;
148 
149 	req = list_first_entry(&supp->reqs, struct optee_supp_req, link);
150 
151 	if (num_params < req->num_params) {
152 		/* Not enough room for parameters */
153 		return ERR_PTR(-EINVAL);
154 	}
155 
156 	*id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
157 	if (*id < 0)
158 		return ERR_PTR(-ENOMEM);
159 
160 	list_del(&req->link);
161 	req->in_queue = false;
162 
163 	return req;
164 }
165 
166 static int supp_check_recv_params(size_t num_params, struct tee_param *params,
167 				  size_t *num_meta)
168 {
169 	size_t n;
170 
171 	if (!num_params)
172 		return -EINVAL;
173 
174 	/*
175 	 * If there's memrefs we need to decrease those as they where
176 	 * increased earlier and we'll even refuse to accept any below.
177 	 */
178 	for (n = 0; n < num_params; n++)
179 		if (tee_param_is_memref(params + n) && params[n].u.memref.shm)
180 			tee_shm_put(params[n].u.memref.shm);
181 
182 	/*
183 	 * We only expect parameters as TEE_IOCTL_PARAM_ATTR_TYPE_NONE with
184 	 * or without the TEE_IOCTL_PARAM_ATTR_META bit set.
185 	 */
186 	for (n = 0; n < num_params; n++)
187 		if (params[n].attr &&
188 		    params[n].attr != TEE_IOCTL_PARAM_ATTR_META)
189 			return -EINVAL;
190 
191 	/* At most we'll need one meta parameter so no need to check for more */
192 	if (params->attr == TEE_IOCTL_PARAM_ATTR_META)
193 		*num_meta = 1;
194 	else
195 		*num_meta = 0;
196 
197 	return 0;
198 }
199 
200 /**
201  * optee_supp_recv() - receive request for supplicant
202  * @ctx:	context receiving the request
203  * @func:	requested function in supplicant
204  * @num_params:	number of elements allocated in @param, updated with number
205  *		used elements
206  * @param:	space for parameters for @func
207  *
208  * Returns 0 on success or <0 on failure
209  */
210 int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
211 		    struct tee_param *param)
212 {
213 	struct tee_device *teedev = ctx->teedev;
214 	struct optee *optee = tee_get_drvdata(teedev);
215 	struct optee_supp *supp = &optee->supp;
216 	struct optee_supp_req *req = NULL;
217 	int id;
218 	size_t num_meta;
219 	int rc;
220 
221 	rc = supp_check_recv_params(*num_params, param, &num_meta);
222 	if (rc)
223 		return rc;
224 
225 	while (true) {
226 		mutex_lock(&supp->mutex);
227 		req = supp_pop_entry(supp, *num_params - num_meta, &id);
228 		mutex_unlock(&supp->mutex);
229 
230 		if (req) {
231 			if (IS_ERR(req))
232 				return PTR_ERR(req);
233 			break;
234 		}
235 
236 		/*
237 		 * If we didn't get a request we'll block in
238 		 * wait_for_completion() to avoid needless spinning.
239 		 *
240 		 * This is where supplicant will be hanging most of
241 		 * the time, let's make this interruptable so we
242 		 * can easily restart supplicant if needed.
243 		 */
244 		if (wait_for_completion_interruptible(&supp->reqs_c))
245 			return -ERESTARTSYS;
246 	}
247 
248 	if (num_meta) {
249 		/*
250 		 * tee-supplicant support meta parameters -> requsts can be
251 		 * processed asynchronously.
252 		 */
253 		param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
254 			      TEE_IOCTL_PARAM_ATTR_META;
255 		param->u.value.a = id;
256 		param->u.value.b = 0;
257 		param->u.value.c = 0;
258 	} else {
259 		mutex_lock(&supp->mutex);
260 		supp->req_id = id;
261 		mutex_unlock(&supp->mutex);
262 	}
263 
264 	*func = req->func;
265 	*num_params = req->num_params + num_meta;
266 	memcpy(param + num_meta, req->param,
267 	       sizeof(struct tee_param) * req->num_params);
268 
269 	return 0;
270 }
271 
272 static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
273 					   size_t num_params,
274 					   struct tee_param *param,
275 					   size_t *num_meta)
276 {
277 	struct optee_supp_req *req;
278 	int id;
279 	size_t nm;
280 	const u32 attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
281 			 TEE_IOCTL_PARAM_ATTR_META;
282 
283 	if (!num_params)
284 		return ERR_PTR(-EINVAL);
285 
286 	if (supp->req_id == -1) {
287 		if (param->attr != attr)
288 			return ERR_PTR(-EINVAL);
289 		id = param->u.value.a;
290 		nm = 1;
291 	} else {
292 		id = supp->req_id;
293 		nm = 0;
294 	}
295 
296 	req = idr_find(&supp->idr, id);
297 	if (!req)
298 		return ERR_PTR(-ENOENT);
299 
300 	if ((num_params - nm) != req->num_params)
301 		return ERR_PTR(-EINVAL);
302 
303 	idr_remove(&supp->idr, id);
304 	supp->req_id = -1;
305 	*num_meta = nm;
306 
307 	return req;
308 }
309 
310 /**
311  * optee_supp_send() - send result of request from supplicant
312  * @ctx:	context sending result
313  * @ret:	return value of request
314  * @num_params:	number of parameters returned
315  * @param:	returned parameters
316  *
317  * Returns 0 on success or <0 on failure.
318  */
319 int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
320 		    struct tee_param *param)
321 {
322 	struct tee_device *teedev = ctx->teedev;
323 	struct optee *optee = tee_get_drvdata(teedev);
324 	struct optee_supp *supp = &optee->supp;
325 	struct optee_supp_req *req;
326 	size_t n;
327 	size_t num_meta;
328 
329 	mutex_lock(&supp->mutex);
330 	req = supp_pop_req(supp, num_params, param, &num_meta);
331 	mutex_unlock(&supp->mutex);
332 
333 	if (IS_ERR(req)) {
334 		/* Something is wrong, let supplicant restart. */
335 		return PTR_ERR(req);
336 	}
337 
338 	/* Update out and in/out parameters */
339 	for (n = 0; n < req->num_params; n++) {
340 		struct tee_param *p = req->param + n;
341 
342 		switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
343 		case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
344 		case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
345 			p->u.value.a = param[n + num_meta].u.value.a;
346 			p->u.value.b = param[n + num_meta].u.value.b;
347 			p->u.value.c = param[n + num_meta].u.value.c;
348 			break;
349 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
350 		case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
351 			p->u.memref.size = param[n + num_meta].u.memref.size;
352 			break;
353 		default:
354 			break;
355 		}
356 	}
357 	req->ret = ret;
358 
359 	/* Let the requesting thread continue */
360 	complete(&req->c);
361 
362 	return 0;
363 }
364