1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include <linux/firmware/qcom/qcom_scm.h> 9 #include <linux/init.h> 10 #include <linux/module.h> 11 #include <linux/slab.h> 12 #include <linux/uaccess.h> 13 #include <linux/xarray.h> 14 15 #include "qcomtee.h" 16 17 /* QTEE root object. */ 18 struct qcomtee_object qcomtee_object_root = { 19 .name = "root", 20 .object_type = QCOMTEE_OBJECT_TYPE_ROOT, 21 .info.qtee_id = QCOMTEE_MSG_OBJECT_ROOT, 22 }; 23 24 /* Next argument of type @type after index @i. */ 25 int qcomtee_next_arg_type(struct qcomtee_arg *u, int i, 26 enum qcomtee_arg_type type) 27 { 28 while (u[i].type != QCOMTEE_ARG_TYPE_INV && u[i].type != type) 29 i++; 30 return i; 31 } 32 33 /* 34 * QTEE expects IDs with QCOMTEE_MSG_OBJECT_NS_BIT set for objects of 35 * QCOMTEE_OBJECT_TYPE_CB type. The first ID with QCOMTEE_MSG_OBJECT_NS_BIT 36 * set is reserved for the primordial object. 37 */ 38 #define QCOMTEE_OBJECT_PRIMORDIAL (QCOMTEE_MSG_OBJECT_NS_BIT) 39 #define QCOMTEE_OBJECT_ID_START (QCOMTEE_OBJECT_PRIMORDIAL + 1) 40 #define QCOMTEE_OBJECT_ID_END (U32_MAX) 41 42 #define QCOMTEE_OBJECT_SET(p, type, ...) \ 43 __QCOMTEE_OBJECT_SET(p, type, ##__VA_ARGS__, 0UL) 44 #define __QCOMTEE_OBJECT_SET(p, type, optr, ...) \ 45 do { \ 46 (p)->object_type = (type); \ 47 (p)->info.qtee_id = (unsigned long)(optr); \ 48 } while (0) 49 50 static struct qcomtee_object * 51 qcomtee_qtee_object_alloc(struct qcomtee_object_invoke_ctx *oic, 52 unsigned int object_id) 53 { 54 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 55 struct qcomtee_object *object; 56 57 object = kzalloc(sizeof(*object), GFP_KERNEL); 58 if (!object) 59 return NULL_QCOMTEE_OBJECT; 60 61 /* If failed, "no-name". */ 62 object->name = kasprintf(GFP_KERNEL, "qcomtee-%u", object_id); 63 QCOMTEE_OBJECT_SET(object, QCOMTEE_OBJECT_TYPE_TEE, object_id); 64 kref_init(&object->refcount); 65 /* A QTEE object requires a context for async operations. */ 66 object->info.qcomtee_async_ctx = qcomtee->ctx; 67 teedev_ctx_get(object->info.qcomtee_async_ctx); 68 69 return object; 70 } 71 72 static void qcomtee_qtee_object_free(struct qcomtee_object *object) 73 { 74 /* See qcomtee_qtee_object_alloc(). */ 75 teedev_ctx_put(object->info.qcomtee_async_ctx); 76 77 kfree(object->name); 78 kfree(object); 79 } 80 81 static void qcomtee_do_release_qtee_object(struct work_struct *work) 82 { 83 struct qcomtee_object *object; 84 struct qcomtee *qcomtee; 85 int ret, result; 86 87 /* RELEASE does not require any argument. */ 88 struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } }; 89 90 object = container_of(work, struct qcomtee_object, work); 91 qcomtee = tee_get_drvdata(object->info.qcomtee_async_ctx->teedev); 92 /* Get the TEE context used for asynchronous operations. */ 93 qcomtee->oic.ctx = object->info.qcomtee_async_ctx; 94 95 ret = qcomtee_object_do_invoke_internal(&qcomtee->oic, object, 96 QCOMTEE_MSG_OBJECT_OP_RELEASE, 97 args, &result); 98 99 /* Is it safe to retry the release? */ 100 if (ret && ret != -ENODEV) { 101 queue_work(qcomtee->wq, &object->work); 102 } else { 103 if (ret || result) 104 pr_err("%s release failed, ret = %d (%x)\n", 105 qcomtee_object_name(object), ret, result); 106 qcomtee_qtee_object_free(object); 107 } 108 } 109 110 static void qcomtee_release_qtee_object(struct qcomtee_object *object) 111 { 112 struct qcomtee *qcomtee = 113 tee_get_drvdata(object->info.qcomtee_async_ctx->teedev); 114 115 INIT_WORK(&object->work, qcomtee_do_release_qtee_object); 116 queue_work(qcomtee->wq, &object->work); 117 } 118 119 static void qcomtee_object_release(struct kref *refcount) 120 { 121 struct qcomtee_object *object; 122 const char *name; 123 124 object = container_of(refcount, struct qcomtee_object, refcount); 125 126 /* 127 * qcomtee_object_get() is called in a RCU read lock. synchronize_rcu() 128 * to avoid releasing the object while it is being accessed in 129 * qcomtee_object_get(). 130 */ 131 synchronize_rcu(); 132 133 switch (typeof_qcomtee_object(object)) { 134 case QCOMTEE_OBJECT_TYPE_TEE: 135 qcomtee_release_qtee_object(object); 136 137 break; 138 case QCOMTEE_OBJECT_TYPE_CB: 139 name = object->name; 140 141 if (object->ops->release) 142 object->ops->release(object); 143 144 kfree_const(name); 145 146 break; 147 case QCOMTEE_OBJECT_TYPE_ROOT: 148 case QCOMTEE_OBJECT_TYPE_NULL: 149 default: 150 break; 151 } 152 } 153 154 /** 155 * qcomtee_object_get() - Increase the object's reference count. 156 * @object: object to increase the reference count. 157 * 158 * Context: The caller should hold RCU read lock. 159 */ 160 int qcomtee_object_get(struct qcomtee_object *object) 161 { 162 if (object != &qcomtee_primordial_object && 163 object != NULL_QCOMTEE_OBJECT && 164 object != ROOT_QCOMTEE_OBJECT) 165 return kref_get_unless_zero(&object->refcount); 166 167 return 0; 168 } 169 170 /** 171 * qcomtee_object_put() - Decrease the object's reference count. 172 * @object: object to decrease the reference count. 173 */ 174 void qcomtee_object_put(struct qcomtee_object *object) 175 { 176 if (object != &qcomtee_primordial_object && 177 object != NULL_QCOMTEE_OBJECT && 178 object != ROOT_QCOMTEE_OBJECT) 179 kref_put(&object->refcount, qcomtee_object_release); 180 } 181 182 static int qcomtee_idx_alloc(struct qcomtee_object_invoke_ctx *oic, u32 *idx, 183 struct qcomtee_object *object) 184 { 185 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 186 187 /* Every ID allocated here has QCOMTEE_MSG_OBJECT_NS_BIT set. */ 188 return xa_alloc_cyclic(&qcomtee->xa_local_objects, idx, object, 189 XA_LIMIT(QCOMTEE_OBJECT_ID_START, 190 QCOMTEE_OBJECT_ID_END), 191 &qcomtee->xa_last_id, GFP_KERNEL); 192 } 193 194 struct qcomtee_object *qcomtee_idx_erase(struct qcomtee_object_invoke_ctx *oic, 195 u32 idx) 196 { 197 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 198 199 if (idx < QCOMTEE_OBJECT_ID_START || idx > QCOMTEE_OBJECT_ID_END) 200 return NULL_QCOMTEE_OBJECT; 201 202 return xa_erase(&qcomtee->xa_local_objects, idx); 203 } 204 205 /** 206 * qcomtee_object_id_get() - Get an ID for an object to send to QTEE. 207 * @oic: context to use for the invocation. 208 * @object: object to assign an ID. 209 * @object_id: object ID. 210 * 211 * Called on the path to QTEE to construct the message; see 212 * qcomtee_prepare_msg() and qcomtee_update_msg(). 213 * 214 * Return: On success, returns 0; on failure, returns < 0. 215 */ 216 static int qcomtee_object_id_get(struct qcomtee_object_invoke_ctx *oic, 217 struct qcomtee_object *object, 218 unsigned int *object_id) 219 { 220 u32 idx; 221 222 switch (typeof_qcomtee_object(object)) { 223 case QCOMTEE_OBJECT_TYPE_CB: 224 if (qcomtee_idx_alloc(oic, &idx, object) < 0) 225 return -ENOSPC; 226 227 *object_id = idx; 228 229 break; 230 case QCOMTEE_OBJECT_TYPE_ROOT: 231 case QCOMTEE_OBJECT_TYPE_TEE: 232 *object_id = object->info.qtee_id; 233 234 break; 235 case QCOMTEE_OBJECT_TYPE_NULL: 236 *object_id = QCOMTEE_MSG_OBJECT_NULL; 237 238 break; 239 } 240 241 return 0; 242 } 243 244 /* Release object ID assigned in qcomtee_object_id_get. */ 245 static void qcomtee_object_id_put(struct qcomtee_object_invoke_ctx *oic, 246 unsigned int object_id) 247 { 248 qcomtee_idx_erase(oic, object_id); 249 } 250 251 /** 252 * qcomtee_local_object_get() - Get the object referenced by the ID. 253 * @oic: context to use for the invocation. 254 * @object_id: object ID. 255 * 256 * It is called on the path from QTEE. 257 * It is called on behalf of QTEE to obtain an instance of an object 258 * for a given ID. It increases the object's reference count on success. 259 * 260 * Return: On error, returns %NULL_QCOMTEE_OBJECT. 261 * On success, returns the object. 262 */ 263 static struct qcomtee_object * 264 qcomtee_local_object_get(struct qcomtee_object_invoke_ctx *oic, 265 unsigned int object_id) 266 { 267 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 268 struct qcomtee_object *object; 269 270 if (object_id == QCOMTEE_OBJECT_PRIMORDIAL) 271 return &qcomtee_primordial_object; 272 273 guard(rcu)(); 274 object = xa_load(&qcomtee->xa_local_objects, object_id); 275 /* It already checks for %NULL_QCOMTEE_OBJECT. */ 276 qcomtee_object_get(object); 277 278 return object; 279 } 280 281 /** 282 * qcomtee_object_user_init() - Initialize an object for the user. 283 * @object: object to initialize. 284 * @ot: type of object as &enum qcomtee_object_type. 285 * @ops: instance of callbacks. 286 * @fmt: name assigned to the object. 287 * 288 * Return: On success, returns 0; on failure, returns < 0. 289 */ 290 int qcomtee_object_user_init(struct qcomtee_object *object, 291 enum qcomtee_object_type ot, 292 struct qcomtee_object_operations *ops, 293 const char *fmt, ...) 294 { 295 va_list ap; 296 int ret; 297 298 kref_init(&object->refcount); 299 QCOMTEE_OBJECT_SET(object, QCOMTEE_OBJECT_TYPE_NULL); 300 301 va_start(ap, fmt); 302 switch (ot) { 303 case QCOMTEE_OBJECT_TYPE_NULL: 304 ret = 0; 305 306 break; 307 case QCOMTEE_OBJECT_TYPE_CB: 308 object->ops = ops; 309 if (!object->ops->dispatch) 310 return -EINVAL; 311 312 /* If failed, "no-name". */ 313 object->name = kvasprintf_const(GFP_KERNEL, fmt, ap); 314 QCOMTEE_OBJECT_SET(object, QCOMTEE_OBJECT_TYPE_CB); 315 316 ret = 0; 317 break; 318 case QCOMTEE_OBJECT_TYPE_ROOT: 319 case QCOMTEE_OBJECT_TYPE_TEE: 320 default: 321 ret = -EINVAL; 322 } 323 va_end(ap); 324 325 return ret; 326 } 327 328 /** 329 * qcomtee_object_type() - Returns the type of object represented by an ID. 330 * @object_id: object ID for the object. 331 * 332 * Similar to typeof_qcomtee_object(), but instead of receiving an object as 333 * an argument, it receives an object ID. It is used internally on the return 334 * path from QTEE. 335 * 336 * Return: Returns the type of object referenced by @object_id. 337 */ 338 static enum qcomtee_object_type qcomtee_object_type(unsigned int object_id) 339 { 340 if (object_id == QCOMTEE_MSG_OBJECT_NULL) 341 return QCOMTEE_OBJECT_TYPE_NULL; 342 343 if (object_id & QCOMTEE_MSG_OBJECT_NS_BIT) 344 return QCOMTEE_OBJECT_TYPE_CB; 345 346 return QCOMTEE_OBJECT_TYPE_TEE; 347 } 348 349 /** 350 * qcomtee_object_qtee_init() - Initialize an object for QTEE. 351 * @oic: context to use for the invocation. 352 * @object: object returned. 353 * @object_id: object ID received from QTEE. 354 * 355 * Return: On failure, returns < 0 and sets @object to %NULL_QCOMTEE_OBJECT. 356 * On success, returns 0 357 */ 358 static int qcomtee_object_qtee_init(struct qcomtee_object_invoke_ctx *oic, 359 struct qcomtee_object **object, 360 unsigned int object_id) 361 { 362 int ret = 0; 363 364 switch (qcomtee_object_type(object_id)) { 365 case QCOMTEE_OBJECT_TYPE_NULL: 366 *object = NULL_QCOMTEE_OBJECT; 367 368 break; 369 case QCOMTEE_OBJECT_TYPE_CB: 370 *object = qcomtee_local_object_get(oic, object_id); 371 if (*object == NULL_QCOMTEE_OBJECT) 372 ret = -EINVAL; 373 374 break; 375 376 default: /* QCOMTEE_OBJECT_TYPE_TEE */ 377 *object = qcomtee_qtee_object_alloc(oic, object_id); 378 if (*object == NULL_QCOMTEE_OBJECT) 379 ret = -ENOMEM; 380 381 break; 382 } 383 384 return ret; 385 } 386 387 /* 388 * ''Marshaling API'' 389 * qcomtee_prepare_msg - Prepare the inbound buffer for sending to QTEE 390 * qcomtee_update_args - Parse the QTEE response in the inbound buffer 391 * qcomtee_prepare_args - Parse the QTEE request from the outbound buffer 392 * qcomtee_update_msg - Update the outbound buffer with the response for QTEE 393 */ 394 395 static int qcomtee_prepare_msg(struct qcomtee_object_invoke_ctx *oic, 396 struct qcomtee_object *object, u32 op, 397 struct qcomtee_arg *u) 398 { 399 struct qcomtee_msg_object_invoke *msg; 400 unsigned int object_id; 401 int i, ib, ob, io, oo; 402 size_t offset; 403 404 /* Use the input message buffer in 'oic'. */ 405 msg = oic->in_msg.addr; 406 407 /* Start offset in a message for buffer arguments. */ 408 offset = qcomtee_msg_buffer_args(struct qcomtee_msg_object_invoke, 409 qcomtee_args_len(u)); 410 411 /* Get the ID of the object being invoked. */ 412 if (qcomtee_object_id_get(oic, object, &object_id)) 413 return -ENOSPC; 414 415 ib = 0; 416 qcomtee_arg_for_each_input_buffer(i, u) { 417 void *msgptr; /* Address of buffer payload: */ 418 /* Overflow already checked in qcomtee_msg_buffers_alloc(). */ 419 msg->args[ib].b.offset = offset; 420 msg->args[ib].b.size = u[i].b.size; 421 422 msgptr = qcomtee_msg_offset_to_ptr(msg, offset); 423 /* Userspace client or kernel client!? */ 424 if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) 425 memcpy(msgptr, u[i].b.addr, u[i].b.size); 426 else if (copy_from_user(msgptr, u[i].b.uaddr, u[i].b.size)) 427 return -EINVAL; 428 429 offset += qcomtee_msg_offset_align(u[i].b.size); 430 ib++; 431 } 432 433 ob = ib; 434 qcomtee_arg_for_each_output_buffer(i, u) { 435 /* Overflow already checked in qcomtee_msg_buffers_alloc(). */ 436 msg->args[ob].b.offset = offset; 437 msg->args[ob].b.size = u[i].b.size; 438 439 offset += qcomtee_msg_offset_align(u[i].b.size); 440 ob++; 441 } 442 443 io = ob; 444 qcomtee_arg_for_each_input_object(i, u) { 445 if (qcomtee_object_id_get(oic, u[i].o, &msg->args[io].o)) { 446 qcomtee_object_id_put(oic, object_id); 447 for (io--; io >= ob; io--) 448 qcomtee_object_id_put(oic, msg->args[io].o); 449 450 return -ENOSPC; 451 } 452 453 io++; 454 } 455 456 oo = io; 457 qcomtee_arg_for_each_output_object(i, u) 458 oo++; 459 460 /* Set object, operation, and argument counts. */ 461 qcomtee_msg_init(msg, object_id, op, ib, ob, io, oo); 462 463 return 0; 464 } 465 466 /** 467 * qcomtee_update_args() - Parse the QTEE response in the inbound buffer. 468 * @u: array of arguments for the invocation. 469 * @oic: context to use for the invocation. 470 * 471 * @u must be the same as the one used in qcomtee_prepare_msg() when 472 * initializing the inbound buffer. 473 * 474 * On failure, it continues processing the QTEE message. The caller should 475 * do the necessary cleanup, including calling qcomtee_object_put() 476 * on the output objects. 477 * 478 * Return: On success, returns 0; on failure, returns < 0. 479 */ 480 static int qcomtee_update_args(struct qcomtee_arg *u, 481 struct qcomtee_object_invoke_ctx *oic) 482 { 483 struct qcomtee_msg_object_invoke *msg; 484 int i, ib, ob, io, oo; 485 int ret = 0; 486 487 /* Use the input message buffer in 'oic'. */ 488 msg = oic->in_msg.addr; 489 490 ib = 0; 491 qcomtee_arg_for_each_input_buffer(i, u) 492 ib++; 493 494 ob = ib; 495 qcomtee_arg_for_each_output_buffer(i, u) { 496 void *msgptr; /* Address of buffer payload: */ 497 /* QTEE can override the size to a smaller value. */ 498 u[i].b.size = msg->args[ob].b.size; 499 500 msgptr = qcomtee_msg_offset_to_ptr(msg, msg->args[ob].b.offset); 501 /* Userspace client or kernel client!? */ 502 if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) 503 memcpy(u[i].b.addr, msgptr, u[i].b.size); 504 else if (copy_to_user(u[i].b.uaddr, msgptr, u[i].b.size)) 505 ret = -EINVAL; 506 507 ob++; 508 } 509 510 io = ob; 511 qcomtee_arg_for_each_input_object(i, u) 512 io++; 513 514 oo = io; 515 qcomtee_arg_for_each_output_object(i, u) { 516 if (qcomtee_object_qtee_init(oic, &u[i].o, msg->args[oo].o)) 517 ret = -EINVAL; 518 519 oo++; 520 } 521 522 return ret; 523 } 524 525 /** 526 * qcomtee_prepare_args() - Parse the QTEE request from the outbound buffer. 527 * @oic: context to use for the invocation. 528 * 529 * It initializes &qcomtee_object_invoke_ctx->u based on the QTEE request in 530 * the outbound buffer. It sets %QCOMTEE_ARG_TYPE_INV at the end of the array. 531 * 532 * On failure, it continues processing the QTEE message. The caller should 533 * do the necessary cleanup, including calling qcomtee_object_put() 534 * on the input objects. 535 * 536 * Return: On success, returns 0; on failure, returns < 0. 537 */ 538 static int qcomtee_prepare_args(struct qcomtee_object_invoke_ctx *oic) 539 { 540 struct qcomtee_msg_callback *msg; 541 int i, ret = 0; 542 543 /* Use the output message buffer in 'oic'. */ 544 msg = oic->out_msg.addr; 545 546 qcomtee_msg_for_each_input_buffer(i, msg) { 547 oic->u[i].b.addr = 548 qcomtee_msg_offset_to_ptr(msg, msg->args[i].b.offset); 549 oic->u[i].b.size = msg->args[i].b.size; 550 oic->u[i].type = QCOMTEE_ARG_TYPE_IB; 551 } 552 553 qcomtee_msg_for_each_output_buffer(i, msg) { 554 oic->u[i].b.addr = 555 qcomtee_msg_offset_to_ptr(msg, msg->args[i].b.offset); 556 oic->u[i].b.size = msg->args[i].b.size; 557 oic->u[i].type = QCOMTEE_ARG_TYPE_OB; 558 } 559 560 qcomtee_msg_for_each_input_object(i, msg) { 561 if (qcomtee_object_qtee_init(oic, &oic->u[i].o, msg->args[i].o)) 562 ret = -EINVAL; 563 564 oic->u[i].type = QCOMTEE_ARG_TYPE_IO; 565 } 566 567 qcomtee_msg_for_each_output_object(i, msg) 568 oic->u[i].type = QCOMTEE_ARG_TYPE_OO; 569 570 /* End of Arguments. */ 571 oic->u[i].type = QCOMTEE_ARG_TYPE_INV; 572 573 return ret; 574 } 575 576 static int qcomtee_update_msg(struct qcomtee_object_invoke_ctx *oic) 577 { 578 struct qcomtee_msg_callback *msg; 579 int i, ib, ob, io, oo; 580 581 /* Use the output message buffer in 'oic'. */ 582 msg = oic->out_msg.addr; 583 584 ib = 0; 585 qcomtee_arg_for_each_input_buffer(i, oic->u) 586 ib++; 587 588 ob = ib; 589 qcomtee_arg_for_each_output_buffer(i, oic->u) { 590 /* Only reduce size; never increase it. */ 591 if (msg->args[ob].b.size < oic->u[i].b.size) 592 return -EINVAL; 593 594 msg->args[ob].b.size = oic->u[i].b.size; 595 ob++; 596 } 597 598 io = ob; 599 qcomtee_arg_for_each_input_object(i, oic->u) 600 io++; 601 602 oo = io; 603 qcomtee_arg_for_each_output_object(i, oic->u) { 604 if (qcomtee_object_id_get(oic, oic->u[i].o, &msg->args[oo].o)) { 605 for (oo--; oo >= io; oo--) 606 qcomtee_object_id_put(oic, msg->args[oo].o); 607 608 return -ENOSPC; 609 } 610 611 oo++; 612 } 613 614 return 0; 615 } 616 617 /* Invoke a callback object. */ 618 static void qcomtee_cb_object_invoke(struct qcomtee_object_invoke_ctx *oic, 619 struct qcomtee_msg_callback *msg) 620 { 621 int i, errno; 622 u32 op; 623 624 /* Get the object being invoked. */ 625 unsigned int object_id = msg->cxt; 626 struct qcomtee_object *object; 627 628 /* QTEE cannot invoke a NULL object or objects it hosts. */ 629 if (qcomtee_object_type(object_id) == QCOMTEE_OBJECT_TYPE_NULL || 630 qcomtee_object_type(object_id) == QCOMTEE_OBJECT_TYPE_TEE) { 631 errno = -EINVAL; 632 goto out; 633 } 634 635 object = qcomtee_local_object_get(oic, object_id); 636 if (object == NULL_QCOMTEE_OBJECT) { 637 errno = -EINVAL; 638 goto out; 639 } 640 641 oic->object = object; 642 643 /* Filter bits used by transport. */ 644 op = msg->op & QCOMTEE_MSG_OBJECT_OP_MASK; 645 646 switch (op) { 647 case QCOMTEE_MSG_OBJECT_OP_RELEASE: 648 qcomtee_object_id_put(oic, object_id); 649 qcomtee_object_put(object); 650 errno = 0; 651 652 break; 653 case QCOMTEE_MSG_OBJECT_OP_RETAIN: 654 qcomtee_object_get(object); 655 errno = 0; 656 657 break; 658 default: 659 errno = qcomtee_prepare_args(oic); 660 if (errno) { 661 /* Release any object that arrived as input. */ 662 qcomtee_arg_for_each_input_buffer(i, oic->u) 663 qcomtee_object_put(oic->u[i].o); 664 665 break; 666 } 667 668 errno = object->ops->dispatch(oic, object, op, oic->u); 669 if (!errno) { 670 /* On success, notify at the appropriate time. */ 671 oic->flags |= QCOMTEE_OIC_FLAG_NOTIFY; 672 } 673 } 674 675 out: 676 677 oic->errno = errno; 678 } 679 680 static int 681 qcomtee_object_invoke_ctx_invoke(struct qcomtee_object_invoke_ctx *oic, 682 int *result, u64 *res_type) 683 { 684 phys_addr_t out_msg_paddr; 685 phys_addr_t in_msg_paddr; 686 int ret; 687 u64 res; 688 689 tee_shm_get_pa(oic->out_shm, 0, &out_msg_paddr); 690 tee_shm_get_pa(oic->in_shm, 0, &in_msg_paddr); 691 if (!(oic->flags & QCOMTEE_OIC_FLAG_BUSY)) 692 ret = qcom_scm_qtee_invoke_smc(in_msg_paddr, oic->in_msg.size, 693 out_msg_paddr, oic->out_msg.size, 694 &res, res_type); 695 else 696 ret = qcom_scm_qtee_callback_response(out_msg_paddr, 697 oic->out_msg.size, 698 &res, res_type); 699 700 if (ret) 701 pr_err("QTEE returned with %d.\n", ret); 702 else 703 *result = (int)res; 704 705 return ret; 706 } 707 708 /** 709 * qcomtee_qtee_objects_put() - Put the callback objects in the argument array. 710 * @u: array of arguments. 711 * 712 * When qcomtee_object_do_invoke_internal() is successfully invoked, 713 * QTEE takes ownership of the callback objects. If the invocation fails, 714 * qcomtee_object_do_invoke_internal() calls qcomtee_qtee_objects_put() 715 * to mimic the release of callback objects by QTEE. 716 */ 717 static void qcomtee_qtee_objects_put(struct qcomtee_arg *u) 718 { 719 int i; 720 721 qcomtee_arg_for_each_input_object(i, u) { 722 if (typeof_qcomtee_object(u[i].o) == QCOMTEE_OBJECT_TYPE_CB) 723 qcomtee_object_put(u[i].o); 724 } 725 } 726 727 /** 728 * qcomtee_object_do_invoke_internal() - Submit an invocation for an object. 729 * @oic: context to use for the current invocation. 730 * @object: object being invoked. 731 * @op: requested operation on the object. 732 * @u: array of arguments for the current invocation. 733 * @result: result returned from QTEE. 734 * 735 * The caller is responsible for keeping track of the refcount for each 736 * object, including @object. On return, the caller loses ownership of all 737 * input objects of type %QCOMTEE_OBJECT_TYPE_CB. 738 * 739 * Return: On success, returns 0; on failure, returns < 0. 740 */ 741 int qcomtee_object_do_invoke_internal(struct qcomtee_object_invoke_ctx *oic, 742 struct qcomtee_object *object, u32 op, 743 struct qcomtee_arg *u, int *result) 744 { 745 struct qcomtee_msg_callback *cb_msg; 746 struct qcomtee_object *qto; 747 int i, ret, errno; 748 u64 res_type; 749 750 /* Allocate inbound and outbound buffers. */ 751 ret = qcomtee_msg_buffers_alloc(oic, u); 752 if (ret) { 753 qcomtee_qtee_objects_put(u); 754 755 return ret; 756 } 757 758 ret = qcomtee_prepare_msg(oic, object, op, u); 759 if (ret) { 760 qcomtee_qtee_objects_put(u); 761 762 goto out; 763 } 764 765 /* Use input message buffer in 'oic'. */ 766 cb_msg = oic->out_msg.addr; 767 768 while (1) { 769 if (oic->flags & QCOMTEE_OIC_FLAG_BUSY) { 770 errno = oic->errno; 771 if (!errno) 772 errno = qcomtee_update_msg(oic); 773 qcomtee_msg_set_result(cb_msg, errno); 774 } 775 776 /* Invoke the remote object. */ 777 ret = qcomtee_object_invoke_ctx_invoke(oic, result, &res_type); 778 /* Return form callback objects result submission: */ 779 if (oic->flags & QCOMTEE_OIC_FLAG_BUSY) { 780 qto = oic->object; 781 if (qto) { 782 if (oic->flags & QCOMTEE_OIC_FLAG_NOTIFY) { 783 if (qto->ops->notify) 784 qto->ops->notify(oic, qto, 785 errno || ret); 786 } 787 788 /* Get is in qcomtee_cb_object_invoke(). */ 789 qcomtee_object_put(qto); 790 } 791 792 oic->object = NULL_QCOMTEE_OBJECT; 793 oic->flags &= ~(QCOMTEE_OIC_FLAG_BUSY | 794 QCOMTEE_OIC_FLAG_NOTIFY); 795 } 796 797 if (ret) { 798 /* 799 * Unable to finished the invocation. 800 * If QCOMTEE_OIC_FLAG_SHARED is not set, put 801 * QCOMTEE_OBJECT_TYPE_CB input objects. 802 */ 803 if (!(oic->flags & QCOMTEE_OIC_FLAG_SHARED)) 804 qcomtee_qtee_objects_put(u); 805 else 806 ret = -ENODEV; 807 808 goto out; 809 810 } else { 811 /* 812 * QTEE obtained ownership of QCOMTEE_OBJECT_TYPE_CB 813 * input objects in 'u'. On further failure, QTEE is 814 * responsible for releasing them. 815 */ 816 oic->flags |= QCOMTEE_OIC_FLAG_SHARED; 817 } 818 819 /* Is it a callback request? */ 820 if (res_type != QCOMTEE_RESULT_INBOUND_REQ_NEEDED) { 821 /* 822 * Parse results. If failed, assume the service 823 * was unavailable (i.e. QCOMTEE_MSG_ERROR_UNAVAIL) 824 * and put output objects to initiate cleanup. 825 */ 826 if (!*result && qcomtee_update_args(u, oic)) { 827 *result = QCOMTEE_MSG_ERROR_UNAVAIL; 828 qcomtee_arg_for_each_output_object(i, u) 829 qcomtee_object_put(u[i].o); 830 } 831 832 break; 833 834 } else { 835 oic->flags |= QCOMTEE_OIC_FLAG_BUSY; 836 qcomtee_fetch_async_reqs(oic); 837 qcomtee_cb_object_invoke(oic, cb_msg); 838 } 839 } 840 841 qcomtee_fetch_async_reqs(oic); 842 out: 843 qcomtee_msg_buffers_free(oic); 844 845 return ret; 846 } 847 848 int qcomtee_object_do_invoke(struct qcomtee_object_invoke_ctx *oic, 849 struct qcomtee_object *object, u32 op, 850 struct qcomtee_arg *u, int *result) 851 { 852 /* User can not set bits used by transport. */ 853 if (op & ~QCOMTEE_MSG_OBJECT_OP_MASK) 854 return -EINVAL; 855 856 /* User can only invoke QTEE hosted objects. */ 857 if (typeof_qcomtee_object(object) != QCOMTEE_OBJECT_TYPE_TEE && 858 typeof_qcomtee_object(object) != QCOMTEE_OBJECT_TYPE_ROOT) 859 return -EINVAL; 860 861 /* User cannot directly issue these operations to QTEE. */ 862 if (op == QCOMTEE_MSG_OBJECT_OP_RELEASE || 863 op == QCOMTEE_MSG_OBJECT_OP_RETAIN) 864 return -EINVAL; 865 866 return qcomtee_object_do_invoke_internal(oic, object, op, u, result); 867 } 868 869 /** 870 * qcomtee_object_get_client_env() - Get a privileged client env. object. 871 * @oic: context to use for the current invocation. 872 * 873 * The caller should call qcomtee_object_put() on the returned object 874 * to release it. 875 * 876 * Return: On error, returns %NULL_QCOMTEE_OBJECT. 877 * On success, returns the object. 878 */ 879 struct qcomtee_object * 880 qcomtee_object_get_client_env(struct qcomtee_object_invoke_ctx *oic) 881 { 882 struct qcomtee_arg u[3] = { 0 }; 883 int ret, result; 884 885 u[0].o = NULL_QCOMTEE_OBJECT; 886 u[0].type = QCOMTEE_ARG_TYPE_IO; 887 u[1].type = QCOMTEE_ARG_TYPE_OO; 888 ret = qcomtee_object_do_invoke(oic, ROOT_QCOMTEE_OBJECT, 889 QCOMTEE_ROOT_OP_REG_WITH_CREDENTIALS, u, 890 &result); 891 if (ret || result) 892 return NULL_QCOMTEE_OBJECT; 893 894 return u[1].o; 895 } 896 897 struct qcomtee_object * 898 qcomtee_object_get_service(struct qcomtee_object_invoke_ctx *oic, 899 struct qcomtee_object *client_env, u32 uid) 900 { 901 struct qcomtee_arg u[3] = { 0 }; 902 int ret, result; 903 904 u[0].b.addr = &uid; 905 u[0].b.size = sizeof(uid); 906 u[0].type = QCOMTEE_ARG_TYPE_IB; 907 u[1].type = QCOMTEE_ARG_TYPE_OO; 908 ret = qcomtee_object_do_invoke(oic, client_env, QCOMTEE_CLIENT_ENV_OPEN, 909 u, &result); 910 911 if (ret || result) 912 return NULL_QCOMTEE_OBJECT; 913 914 return u[1].o; 915 } 916