1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. 4 */ 5 6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 7 8 #include <linux/firmware/qcom/qcom_scm.h> 9 #include <linux/init.h> 10 #include <linux/module.h> 11 #include <linux/slab.h> 12 #include <linux/uaccess.h> 13 #include <linux/xarray.h> 14 15 #include "qcomtee.h" 16 17 /* QTEE root object. */ 18 struct qcomtee_object qcomtee_object_root = { 19 .name = "root", 20 .object_type = QCOMTEE_OBJECT_TYPE_ROOT, 21 .info.qtee_id = QCOMTEE_MSG_OBJECT_ROOT, 22 }; 23 24 /* Next argument of type @type after index @i. */ 25 int qcomtee_next_arg_type(struct qcomtee_arg *u, int i, 26 enum qcomtee_arg_type type) 27 { 28 while (u[i].type != QCOMTEE_ARG_TYPE_INV && u[i].type != type) 29 i++; 30 return i; 31 } 32 33 /* 34 * QTEE expects IDs with the QCOMTEE_MSG_OBJECT_NS_BIT set for objects 35 * of the QCOMTEE_OBJECT_TYPE_CB type. 36 */ 37 #define QCOMTEE_OBJECT_ID_START (QCOMTEE_MSG_OBJECT_NS_BIT + 1) 38 #define QCOMTEE_OBJECT_ID_END (U32_MAX) 39 40 #define QCOMTEE_OBJECT_SET(p, type, ...) \ 41 __QCOMTEE_OBJECT_SET(p, type, ##__VA_ARGS__, 0UL) 42 #define __QCOMTEE_OBJECT_SET(p, type, optr, ...) \ 43 do { \ 44 (p)->object_type = (type); \ 45 (p)->info.qtee_id = (unsigned long)(optr); \ 46 } while (0) 47 48 static struct qcomtee_object * 49 qcomtee_qtee_object_alloc(struct qcomtee_object_invoke_ctx *oic, 50 unsigned int object_id) 51 { 52 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 53 struct qcomtee_object *object; 54 55 object = kzalloc(sizeof(*object), GFP_KERNEL); 56 if (!object) 57 return NULL_QCOMTEE_OBJECT; 58 59 /* If failed, "no-name". */ 60 object->name = kasprintf(GFP_KERNEL, "qcomtee-%u", object_id); 61 QCOMTEE_OBJECT_SET(object, QCOMTEE_OBJECT_TYPE_TEE, object_id); 62 kref_init(&object->refcount); 63 /* A QTEE object requires a context for async operations. */ 64 object->info.qcomtee_async_ctx = qcomtee->ctx; 65 teedev_ctx_get(object->info.qcomtee_async_ctx); 66 67 return object; 68 } 69 70 static void qcomtee_qtee_object_free(struct qcomtee_object *object) 71 { 72 /* See qcomtee_qtee_object_alloc(). */ 73 teedev_ctx_put(object->info.qcomtee_async_ctx); 74 75 kfree(object->name); 76 kfree(object); 77 } 78 79 static void qcomtee_do_release_qtee_object(struct work_struct *work) 80 { 81 struct qcomtee_object *object; 82 struct qcomtee *qcomtee; 83 int ret, result; 84 85 /* RELEASE does not require any argument. */ 86 struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } }; 87 88 object = container_of(work, struct qcomtee_object, work); 89 qcomtee = tee_get_drvdata(object->info.qcomtee_async_ctx->teedev); 90 /* Get the TEE context used for asynchronous operations. */ 91 qcomtee->oic.ctx = object->info.qcomtee_async_ctx; 92 93 ret = qcomtee_object_do_invoke_internal(&qcomtee->oic, object, 94 QCOMTEE_MSG_OBJECT_OP_RELEASE, 95 args, &result); 96 97 /* Is it safe to retry the release? */ 98 if (ret && ret != -ENODEV) { 99 queue_work(qcomtee->wq, &object->work); 100 } else { 101 if (ret || result) 102 pr_err("%s release failed, ret = %d (%x)\n", 103 qcomtee_object_name(object), ret, result); 104 qcomtee_qtee_object_free(object); 105 } 106 } 107 108 static void qcomtee_release_qtee_object(struct qcomtee_object *object) 109 { 110 struct qcomtee *qcomtee = 111 tee_get_drvdata(object->info.qcomtee_async_ctx->teedev); 112 113 INIT_WORK(&object->work, qcomtee_do_release_qtee_object); 114 queue_work(qcomtee->wq, &object->work); 115 } 116 117 static void qcomtee_object_release(struct kref *refcount) 118 { 119 struct qcomtee_object *object; 120 const char *name; 121 122 object = container_of(refcount, struct qcomtee_object, refcount); 123 124 /* 125 * qcomtee_object_get() is called in a RCU read lock. synchronize_rcu() 126 * to avoid releasing the object while it is being accessed in 127 * qcomtee_object_get(). 128 */ 129 synchronize_rcu(); 130 131 switch (typeof_qcomtee_object(object)) { 132 case QCOMTEE_OBJECT_TYPE_TEE: 133 qcomtee_release_qtee_object(object); 134 135 break; 136 case QCOMTEE_OBJECT_TYPE_CB: 137 name = object->name; 138 139 if (object->ops->release) 140 object->ops->release(object); 141 142 kfree_const(name); 143 144 break; 145 case QCOMTEE_OBJECT_TYPE_ROOT: 146 case QCOMTEE_OBJECT_TYPE_NULL: 147 default: 148 break; 149 } 150 } 151 152 /** 153 * qcomtee_object_get() - Increase the object's reference count. 154 * @object: object to increase the reference count. 155 * 156 * Context: The caller should hold RCU read lock. 157 */ 158 int qcomtee_object_get(struct qcomtee_object *object) 159 { 160 if (object != NULL_QCOMTEE_OBJECT && object != ROOT_QCOMTEE_OBJECT) 161 return kref_get_unless_zero(&object->refcount); 162 163 return 0; 164 } 165 166 /** 167 * qcomtee_object_put() - Decrease the object's reference count. 168 * @object: object to decrease the reference count. 169 */ 170 void qcomtee_object_put(struct qcomtee_object *object) 171 { 172 if (object != NULL_QCOMTEE_OBJECT && object != ROOT_QCOMTEE_OBJECT) 173 kref_put(&object->refcount, qcomtee_object_release); 174 } 175 176 static int qcomtee_idx_alloc(struct qcomtee_object_invoke_ctx *oic, u32 *idx, 177 struct qcomtee_object *object) 178 { 179 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 180 181 /* Every ID allocated here has QCOMTEE_MSG_OBJECT_NS_BIT set. */ 182 return xa_alloc_cyclic(&qcomtee->xa_local_objects, idx, object, 183 XA_LIMIT(QCOMTEE_OBJECT_ID_START, 184 QCOMTEE_OBJECT_ID_END), 185 &qcomtee->xa_last_id, GFP_KERNEL); 186 } 187 188 struct qcomtee_object *qcomtee_idx_erase(struct qcomtee_object_invoke_ctx *oic, 189 u32 idx) 190 { 191 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 192 193 if (idx < QCOMTEE_OBJECT_ID_START || idx > QCOMTEE_OBJECT_ID_END) 194 return NULL_QCOMTEE_OBJECT; 195 196 return xa_erase(&qcomtee->xa_local_objects, idx); 197 } 198 199 /** 200 * qcomtee_object_id_get() - Get an ID for an object to send to QTEE. 201 * @oic: context to use for the invocation. 202 * @object: object to assign an ID. 203 * @object_id: object ID. 204 * 205 * Called on the path to QTEE to construct the message; see 206 * qcomtee_prepare_msg() and qcomtee_update_msg(). 207 * 208 * Return: On success, returns 0; on failure, returns < 0. 209 */ 210 static int qcomtee_object_id_get(struct qcomtee_object_invoke_ctx *oic, 211 struct qcomtee_object *object, 212 unsigned int *object_id) 213 { 214 u32 idx; 215 216 switch (typeof_qcomtee_object(object)) { 217 case QCOMTEE_OBJECT_TYPE_CB: 218 if (qcomtee_idx_alloc(oic, &idx, object) < 0) 219 return -ENOSPC; 220 221 *object_id = idx; 222 223 break; 224 case QCOMTEE_OBJECT_TYPE_ROOT: 225 case QCOMTEE_OBJECT_TYPE_TEE: 226 *object_id = object->info.qtee_id; 227 228 break; 229 case QCOMTEE_OBJECT_TYPE_NULL: 230 *object_id = QCOMTEE_MSG_OBJECT_NULL; 231 232 break; 233 } 234 235 return 0; 236 } 237 238 /* Release object ID assigned in qcomtee_object_id_get. */ 239 static void qcomtee_object_id_put(struct qcomtee_object_invoke_ctx *oic, 240 unsigned int object_id) 241 { 242 qcomtee_idx_erase(oic, object_id); 243 } 244 245 /** 246 * qcomtee_local_object_get() - Get the object referenced by the ID. 247 * @oic: context to use for the invocation. 248 * @object_id: object ID. 249 * 250 * It is called on the path from QTEE. 251 * It is called on behalf of QTEE to obtain an instance of an object 252 * for a given ID. It increases the object's reference count on success. 253 * 254 * Return: On error, returns %NULL_QCOMTEE_OBJECT. 255 * On success, returns the object. 256 */ 257 static struct qcomtee_object * 258 qcomtee_local_object_get(struct qcomtee_object_invoke_ctx *oic, 259 unsigned int object_id) 260 { 261 struct qcomtee *qcomtee = tee_get_drvdata(oic->ctx->teedev); 262 struct qcomtee_object *object; 263 264 guard(rcu)(); 265 object = xa_load(&qcomtee->xa_local_objects, object_id); 266 /* It already checks for %NULL_QCOMTEE_OBJECT. */ 267 qcomtee_object_get(object); 268 269 return object; 270 } 271 272 /** 273 * qcomtee_object_user_init() - Initialize an object for the user. 274 * @object: object to initialize. 275 * @ot: type of object as &enum qcomtee_object_type. 276 * @ops: instance of callbacks. 277 * @fmt: name assigned to the object. 278 * 279 * Return: On success, returns 0; on failure, returns < 0. 280 */ 281 int qcomtee_object_user_init(struct qcomtee_object *object, 282 enum qcomtee_object_type ot, 283 struct qcomtee_object_operations *ops, 284 const char *fmt, ...) 285 { 286 va_list ap; 287 int ret; 288 289 kref_init(&object->refcount); 290 QCOMTEE_OBJECT_SET(object, QCOMTEE_OBJECT_TYPE_NULL); 291 292 va_start(ap, fmt); 293 switch (ot) { 294 case QCOMTEE_OBJECT_TYPE_NULL: 295 ret = 0; 296 297 break; 298 case QCOMTEE_OBJECT_TYPE_CB: 299 object->ops = ops; 300 if (!object->ops->dispatch) 301 return -EINVAL; 302 303 /* If failed, "no-name". */ 304 object->name = kvasprintf_const(GFP_KERNEL, fmt, ap); 305 QCOMTEE_OBJECT_SET(object, QCOMTEE_OBJECT_TYPE_CB); 306 307 ret = 0; 308 break; 309 case QCOMTEE_OBJECT_TYPE_ROOT: 310 case QCOMTEE_OBJECT_TYPE_TEE: 311 default: 312 ret = -EINVAL; 313 } 314 va_end(ap); 315 316 return ret; 317 } 318 319 /** 320 * qcomtee_object_type() - Returns the type of object represented by an ID. 321 * @object_id: object ID for the object. 322 * 323 * Similar to typeof_qcomtee_object(), but instead of receiving an object as 324 * an argument, it receives an object ID. It is used internally on the return 325 * path from QTEE. 326 * 327 * Return: Returns the type of object referenced by @object_id. 328 */ 329 static enum qcomtee_object_type qcomtee_object_type(unsigned int object_id) 330 { 331 if (object_id == QCOMTEE_MSG_OBJECT_NULL) 332 return QCOMTEE_OBJECT_TYPE_NULL; 333 334 if (object_id & QCOMTEE_MSG_OBJECT_NS_BIT) 335 return QCOMTEE_OBJECT_TYPE_CB; 336 337 return QCOMTEE_OBJECT_TYPE_TEE; 338 } 339 340 /** 341 * qcomtee_object_qtee_init() - Initialize an object for QTEE. 342 * @oic: context to use for the invocation. 343 * @object: object returned. 344 * @object_id: object ID received from QTEE. 345 * 346 * Return: On failure, returns < 0 and sets @object to %NULL_QCOMTEE_OBJECT. 347 * On success, returns 0 348 */ 349 static int qcomtee_object_qtee_init(struct qcomtee_object_invoke_ctx *oic, 350 struct qcomtee_object **object, 351 unsigned int object_id) 352 { 353 int ret = 0; 354 355 switch (qcomtee_object_type(object_id)) { 356 case QCOMTEE_OBJECT_TYPE_NULL: 357 *object = NULL_QCOMTEE_OBJECT; 358 359 break; 360 case QCOMTEE_OBJECT_TYPE_CB: 361 *object = qcomtee_local_object_get(oic, object_id); 362 if (*object == NULL_QCOMTEE_OBJECT) 363 ret = -EINVAL; 364 365 break; 366 367 default: /* QCOMTEE_OBJECT_TYPE_TEE */ 368 *object = qcomtee_qtee_object_alloc(oic, object_id); 369 if (*object == NULL_QCOMTEE_OBJECT) 370 ret = -ENOMEM; 371 372 break; 373 } 374 375 return ret; 376 } 377 378 /* 379 * ''Marshaling API'' 380 * qcomtee_prepare_msg - Prepare the inbound buffer for sending to QTEE 381 * qcomtee_update_args - Parse the QTEE response in the inbound buffer 382 * qcomtee_prepare_args - Parse the QTEE request from the outbound buffer 383 * qcomtee_update_msg - Update the outbound buffer with the response for QTEE 384 */ 385 386 static int qcomtee_prepare_msg(struct qcomtee_object_invoke_ctx *oic, 387 struct qcomtee_object *object, u32 op, 388 struct qcomtee_arg *u) 389 { 390 struct qcomtee_msg_object_invoke *msg; 391 unsigned int object_id; 392 int i, ib, ob, io, oo; 393 size_t offset; 394 395 /* Use the input message buffer in 'oic'. */ 396 msg = oic->in_msg.addr; 397 398 /* Start offset in a message for buffer arguments. */ 399 offset = qcomtee_msg_buffer_args(struct qcomtee_msg_object_invoke, 400 qcomtee_args_len(u)); 401 402 /* Get the ID of the object being invoked. */ 403 if (qcomtee_object_id_get(oic, object, &object_id)) 404 return -ENOSPC; 405 406 ib = 0; 407 qcomtee_arg_for_each_input_buffer(i, u) { 408 void *msgptr; /* Address of buffer payload: */ 409 /* Overflow already checked in qcomtee_msg_buffers_alloc(). */ 410 msg->args[ib].b.offset = offset; 411 msg->args[ib].b.size = u[i].b.size; 412 413 msgptr = qcomtee_msg_offset_to_ptr(msg, offset); 414 /* Userspace client or kernel client!? */ 415 if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) 416 memcpy(msgptr, u[i].b.addr, u[i].b.size); 417 else if (copy_from_user(msgptr, u[i].b.uaddr, u[i].b.size)) 418 return -EINVAL; 419 420 offset += qcomtee_msg_offset_align(u[i].b.size); 421 ib++; 422 } 423 424 ob = ib; 425 qcomtee_arg_for_each_output_buffer(i, u) { 426 /* Overflow already checked in qcomtee_msg_buffers_alloc(). */ 427 msg->args[ob].b.offset = offset; 428 msg->args[ob].b.size = u[i].b.size; 429 430 offset += qcomtee_msg_offset_align(u[i].b.size); 431 ob++; 432 } 433 434 io = ob; 435 qcomtee_arg_for_each_input_object(i, u) { 436 if (qcomtee_object_id_get(oic, u[i].o, &msg->args[io].o)) { 437 qcomtee_object_id_put(oic, object_id); 438 for (io--; io >= ob; io--) 439 qcomtee_object_id_put(oic, msg->args[io].o); 440 441 return -ENOSPC; 442 } 443 444 io++; 445 } 446 447 oo = io; 448 qcomtee_arg_for_each_output_object(i, u) 449 oo++; 450 451 /* Set object, operation, and argument counts. */ 452 qcomtee_msg_init(msg, object_id, op, ib, ob, io, oo); 453 454 return 0; 455 } 456 457 /** 458 * qcomtee_update_args() - Parse the QTEE response in the inbound buffer. 459 * @u: array of arguments for the invocation. 460 * @oic: context to use for the invocation. 461 * 462 * @u must be the same as the one used in qcomtee_prepare_msg() when 463 * initializing the inbound buffer. 464 * 465 * On failure, it continues processing the QTEE message. The caller should 466 * do the necessary cleanup, including calling qcomtee_object_put() 467 * on the output objects. 468 * 469 * Return: On success, returns 0; on failure, returns < 0. 470 */ 471 static int qcomtee_update_args(struct qcomtee_arg *u, 472 struct qcomtee_object_invoke_ctx *oic) 473 { 474 struct qcomtee_msg_object_invoke *msg; 475 int i, ib, ob, io, oo; 476 int ret = 0; 477 478 /* Use the input message buffer in 'oic'. */ 479 msg = oic->in_msg.addr; 480 481 ib = 0; 482 qcomtee_arg_for_each_input_buffer(i, u) 483 ib++; 484 485 ob = ib; 486 qcomtee_arg_for_each_output_buffer(i, u) { 487 void *msgptr; /* Address of buffer payload: */ 488 /* QTEE can override the size to a smaller value. */ 489 u[i].b.size = msg->args[ob].b.size; 490 491 msgptr = qcomtee_msg_offset_to_ptr(msg, msg->args[ob].b.offset); 492 /* Userspace client or kernel client!? */ 493 if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) 494 memcpy(u[i].b.addr, msgptr, u[i].b.size); 495 else if (copy_to_user(u[i].b.uaddr, msgptr, u[i].b.size)) 496 ret = -EINVAL; 497 498 ob++; 499 } 500 501 io = ob; 502 qcomtee_arg_for_each_input_object(i, u) 503 io++; 504 505 oo = io; 506 qcomtee_arg_for_each_output_object(i, u) { 507 if (qcomtee_object_qtee_init(oic, &u[i].o, msg->args[oo].o)) 508 ret = -EINVAL; 509 510 oo++; 511 } 512 513 return ret; 514 } 515 516 /** 517 * qcomtee_prepare_args() - Parse the QTEE request from the outbound buffer. 518 * @oic: context to use for the invocation. 519 * 520 * It initializes &qcomtee_object_invoke_ctx->u based on the QTEE request in 521 * the outbound buffer. It sets %QCOMTEE_ARG_TYPE_INV at the end of the array. 522 * 523 * On failure, it continues processing the QTEE message. The caller should 524 * do the necessary cleanup, including calling qcomtee_object_put() 525 * on the input objects. 526 * 527 * Return: On success, returns 0; on failure, returns < 0. 528 */ 529 static int qcomtee_prepare_args(struct qcomtee_object_invoke_ctx *oic) 530 { 531 struct qcomtee_msg_callback *msg; 532 int i, ret = 0; 533 534 /* Use the output message buffer in 'oic'. */ 535 msg = oic->out_msg.addr; 536 537 qcomtee_msg_for_each_input_buffer(i, msg) { 538 oic->u[i].b.addr = 539 qcomtee_msg_offset_to_ptr(msg, msg->args[i].b.offset); 540 oic->u[i].b.size = msg->args[i].b.size; 541 oic->u[i].type = QCOMTEE_ARG_TYPE_IB; 542 } 543 544 qcomtee_msg_for_each_output_buffer(i, msg) { 545 oic->u[i].b.addr = 546 qcomtee_msg_offset_to_ptr(msg, msg->args[i].b.offset); 547 oic->u[i].b.size = msg->args[i].b.size; 548 oic->u[i].type = QCOMTEE_ARG_TYPE_OB; 549 } 550 551 qcomtee_msg_for_each_input_object(i, msg) { 552 if (qcomtee_object_qtee_init(oic, &oic->u[i].o, msg->args[i].o)) 553 ret = -EINVAL; 554 555 oic->u[i].type = QCOMTEE_ARG_TYPE_IO; 556 } 557 558 qcomtee_msg_for_each_output_object(i, msg) 559 oic->u[i].type = QCOMTEE_ARG_TYPE_OO; 560 561 /* End of Arguments. */ 562 oic->u[i].type = QCOMTEE_ARG_TYPE_INV; 563 564 return ret; 565 } 566 567 static int qcomtee_update_msg(struct qcomtee_object_invoke_ctx *oic) 568 { 569 struct qcomtee_msg_callback *msg; 570 int i, ib, ob, io, oo; 571 572 /* Use the output message buffer in 'oic'. */ 573 msg = oic->out_msg.addr; 574 575 ib = 0; 576 qcomtee_arg_for_each_input_buffer(i, oic->u) 577 ib++; 578 579 ob = ib; 580 qcomtee_arg_for_each_output_buffer(i, oic->u) { 581 /* Only reduce size; never increase it. */ 582 if (msg->args[ob].b.size < oic->u[i].b.size) 583 return -EINVAL; 584 585 msg->args[ob].b.size = oic->u[i].b.size; 586 ob++; 587 } 588 589 io = ob; 590 qcomtee_arg_for_each_input_object(i, oic->u) 591 io++; 592 593 oo = io; 594 qcomtee_arg_for_each_output_object(i, oic->u) { 595 if (qcomtee_object_id_get(oic, oic->u[i].o, &msg->args[oo].o)) { 596 for (oo--; oo >= io; oo--) 597 qcomtee_object_id_put(oic, msg->args[oo].o); 598 599 return -ENOSPC; 600 } 601 602 oo++; 603 } 604 605 return 0; 606 } 607 608 /* Invoke a callback object. */ 609 static void qcomtee_cb_object_invoke(struct qcomtee_object_invoke_ctx *oic, 610 struct qcomtee_msg_callback *msg) 611 { 612 int i, errno; 613 u32 op; 614 615 /* Get the object being invoked. */ 616 unsigned int object_id = msg->cxt; 617 struct qcomtee_object *object; 618 619 /* QTEE cannot invoke a NULL object or objects it hosts. */ 620 if (qcomtee_object_type(object_id) == QCOMTEE_OBJECT_TYPE_NULL || 621 qcomtee_object_type(object_id) == QCOMTEE_OBJECT_TYPE_TEE) { 622 errno = -EINVAL; 623 goto out; 624 } 625 626 object = qcomtee_local_object_get(oic, object_id); 627 if (object == NULL_QCOMTEE_OBJECT) { 628 errno = -EINVAL; 629 goto out; 630 } 631 632 oic->object = object; 633 634 /* Filter bits used by transport. */ 635 op = msg->op & QCOMTEE_MSG_OBJECT_OP_MASK; 636 637 switch (op) { 638 case QCOMTEE_MSG_OBJECT_OP_RELEASE: 639 qcomtee_object_id_put(oic, object_id); 640 qcomtee_object_put(object); 641 errno = 0; 642 643 break; 644 case QCOMTEE_MSG_OBJECT_OP_RETAIN: 645 qcomtee_object_get(object); 646 errno = 0; 647 648 break; 649 default: 650 errno = qcomtee_prepare_args(oic); 651 if (errno) { 652 /* Release any object that arrived as input. */ 653 qcomtee_arg_for_each_input_buffer(i, oic->u) 654 qcomtee_object_put(oic->u[i].o); 655 656 break; 657 } 658 659 errno = object->ops->dispatch(oic, object, op, oic->u); 660 if (!errno) { 661 /* On success, notify at the appropriate time. */ 662 oic->flags |= QCOMTEE_OIC_FLAG_NOTIFY; 663 } 664 } 665 666 out: 667 668 oic->errno = errno; 669 } 670 671 static int 672 qcomtee_object_invoke_ctx_invoke(struct qcomtee_object_invoke_ctx *oic, 673 int *result, u64 *res_type) 674 { 675 phys_addr_t out_msg_paddr; 676 phys_addr_t in_msg_paddr; 677 int ret; 678 u64 res; 679 680 tee_shm_get_pa(oic->out_shm, 0, &out_msg_paddr); 681 tee_shm_get_pa(oic->in_shm, 0, &in_msg_paddr); 682 if (!(oic->flags & QCOMTEE_OIC_FLAG_BUSY)) 683 ret = qcom_scm_qtee_invoke_smc(in_msg_paddr, oic->in_msg.size, 684 out_msg_paddr, oic->out_msg.size, 685 &res, res_type); 686 else 687 ret = qcom_scm_qtee_callback_response(out_msg_paddr, 688 oic->out_msg.size, 689 &res, res_type); 690 691 if (ret) 692 pr_err("QTEE returned with %d.\n", ret); 693 else 694 *result = (int)res; 695 696 return ret; 697 } 698 699 /** 700 * qcomtee_qtee_objects_put() - Put the callback objects in the argument array. 701 * @u: array of arguments. 702 * 703 * When qcomtee_object_do_invoke_internal() is successfully invoked, 704 * QTEE takes ownership of the callback objects. If the invocation fails, 705 * qcomtee_object_do_invoke_internal() calls qcomtee_qtee_objects_put() 706 * to mimic the release of callback objects by QTEE. 707 */ 708 static void qcomtee_qtee_objects_put(struct qcomtee_arg *u) 709 { 710 int i; 711 712 qcomtee_arg_for_each_input_object(i, u) { 713 if (typeof_qcomtee_object(u[i].o) == QCOMTEE_OBJECT_TYPE_CB) 714 qcomtee_object_put(u[i].o); 715 } 716 } 717 718 /** 719 * qcomtee_object_do_invoke_internal() - Submit an invocation for an object. 720 * @oic: context to use for the current invocation. 721 * @object: object being invoked. 722 * @op: requested operation on the object. 723 * @u: array of arguments for the current invocation. 724 * @result: result returned from QTEE. 725 * 726 * The caller is responsible for keeping track of the refcount for each 727 * object, including @object. On return, the caller loses ownership of all 728 * input objects of type %QCOMTEE_OBJECT_TYPE_CB. 729 * 730 * Return: On success, returns 0; on failure, returns < 0. 731 */ 732 int qcomtee_object_do_invoke_internal(struct qcomtee_object_invoke_ctx *oic, 733 struct qcomtee_object *object, u32 op, 734 struct qcomtee_arg *u, int *result) 735 { 736 struct qcomtee_msg_callback *cb_msg; 737 struct qcomtee_object *qto; 738 int i, ret, errno; 739 u64 res_type; 740 741 /* Allocate inbound and outbound buffers. */ 742 ret = qcomtee_msg_buffers_alloc(oic, u); 743 if (ret) { 744 qcomtee_qtee_objects_put(u); 745 746 return ret; 747 } 748 749 ret = qcomtee_prepare_msg(oic, object, op, u); 750 if (ret) { 751 qcomtee_qtee_objects_put(u); 752 753 goto out; 754 } 755 756 /* Use input message buffer in 'oic'. */ 757 cb_msg = oic->out_msg.addr; 758 759 while (1) { 760 if (oic->flags & QCOMTEE_OIC_FLAG_BUSY) { 761 errno = oic->errno; 762 if (!errno) 763 errno = qcomtee_update_msg(oic); 764 qcomtee_msg_set_result(cb_msg, errno); 765 } 766 767 /* Invoke the remote object. */ 768 ret = qcomtee_object_invoke_ctx_invoke(oic, result, &res_type); 769 /* Return form callback objects result submission: */ 770 if (oic->flags & QCOMTEE_OIC_FLAG_BUSY) { 771 qto = oic->object; 772 if (qto) { 773 if (oic->flags & QCOMTEE_OIC_FLAG_NOTIFY) { 774 if (qto->ops->notify) 775 qto->ops->notify(oic, qto, 776 errno || ret); 777 } 778 779 /* Get is in qcomtee_cb_object_invoke(). */ 780 qcomtee_object_put(qto); 781 } 782 783 oic->object = NULL_QCOMTEE_OBJECT; 784 oic->flags &= ~(QCOMTEE_OIC_FLAG_BUSY | 785 QCOMTEE_OIC_FLAG_NOTIFY); 786 } 787 788 if (ret) { 789 /* 790 * Unable to finished the invocation. 791 * If QCOMTEE_OIC_FLAG_SHARED is not set, put 792 * QCOMTEE_OBJECT_TYPE_CB input objects. 793 */ 794 if (!(oic->flags & QCOMTEE_OIC_FLAG_SHARED)) 795 qcomtee_qtee_objects_put(u); 796 else 797 ret = -ENODEV; 798 799 goto out; 800 801 } else { 802 /* 803 * QTEE obtained ownership of QCOMTEE_OBJECT_TYPE_CB 804 * input objects in 'u'. On further failure, QTEE is 805 * responsible for releasing them. 806 */ 807 oic->flags |= QCOMTEE_OIC_FLAG_SHARED; 808 } 809 810 /* Is it a callback request? */ 811 if (res_type != QCOMTEE_RESULT_INBOUND_REQ_NEEDED) { 812 /* 813 * Parse results. If failed, assume the service 814 * was unavailable (i.e. QCOMTEE_MSG_ERROR_UNAVAIL) 815 * and put output objects to initiate cleanup. 816 */ 817 if (!*result && qcomtee_update_args(u, oic)) { 818 *result = QCOMTEE_MSG_ERROR_UNAVAIL; 819 qcomtee_arg_for_each_output_object(i, u) 820 qcomtee_object_put(u[i].o); 821 } 822 823 break; 824 825 } else { 826 oic->flags |= QCOMTEE_OIC_FLAG_BUSY; 827 qcomtee_fetch_async_reqs(oic); 828 qcomtee_cb_object_invoke(oic, cb_msg); 829 } 830 } 831 832 qcomtee_fetch_async_reqs(oic); 833 out: 834 qcomtee_msg_buffers_free(oic); 835 836 return ret; 837 } 838 839 int qcomtee_object_do_invoke(struct qcomtee_object_invoke_ctx *oic, 840 struct qcomtee_object *object, u32 op, 841 struct qcomtee_arg *u, int *result) 842 { 843 /* User can not set bits used by transport. */ 844 if (op & ~QCOMTEE_MSG_OBJECT_OP_MASK) 845 return -EINVAL; 846 847 /* User can only invoke QTEE hosted objects. */ 848 if (typeof_qcomtee_object(object) != QCOMTEE_OBJECT_TYPE_TEE && 849 typeof_qcomtee_object(object) != QCOMTEE_OBJECT_TYPE_ROOT) 850 return -EINVAL; 851 852 /* User cannot directly issue these operations to QTEE. */ 853 if (op == QCOMTEE_MSG_OBJECT_OP_RELEASE || 854 op == QCOMTEE_MSG_OBJECT_OP_RETAIN) 855 return -EINVAL; 856 857 return qcomtee_object_do_invoke_internal(oic, object, op, u, result); 858 } 859 860 /** 861 * qcomtee_object_get_client_env() - Get a privileged client env. object. 862 * @oic: context to use for the current invocation. 863 * 864 * The caller should call qcomtee_object_put() on the returned object 865 * to release it. 866 * 867 * Return: On error, returns %NULL_QCOMTEE_OBJECT. 868 * On success, returns the object. 869 */ 870 struct qcomtee_object * 871 qcomtee_object_get_client_env(struct qcomtee_object_invoke_ctx *oic) 872 { 873 struct qcomtee_arg u[3] = { 0 }; 874 int ret, result; 875 876 u[0].o = NULL_QCOMTEE_OBJECT; 877 u[0].type = QCOMTEE_ARG_TYPE_IO; 878 u[1].type = QCOMTEE_ARG_TYPE_OO; 879 ret = qcomtee_object_do_invoke(oic, ROOT_QCOMTEE_OBJECT, 880 QCOMTEE_ROOT_OP_REG_WITH_CREDENTIALS, u, 881 &result); 882 if (ret || result) 883 return NULL_QCOMTEE_OBJECT; 884 885 return u[1].o; 886 } 887 888 struct qcomtee_object * 889 qcomtee_object_get_service(struct qcomtee_object_invoke_ctx *oic, 890 struct qcomtee_object *client_env, u32 uid) 891 { 892 struct qcomtee_arg u[3] = { 0 }; 893 int ret, result; 894 895 u[0].b.addr = &uid; 896 u[0].b.size = sizeof(uid); 897 u[0].type = QCOMTEE_ARG_TYPE_IB; 898 u[1].type = QCOMTEE_ARG_TYPE_OO; 899 ret = qcomtee_object_do_invoke(oic, client_env, QCOMTEE_CLIENT_ENV_OPEN, 900 u, &result); 901 902 if (ret || result) 903 return NULL_QCOMTEE_OBJECT; 904 905 return u[1].o; 906 } 907