1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015-2016, Linaro Limited 4 */ 5 6 #define pr_fmt(fmt) "%s: " fmt, __func__ 7 8 #include <linux/cdev.h> 9 #include <linux/fs.h> 10 #include <linux/idr.h> 11 #include <linux/module.h> 12 #include <linux/slab.h> 13 #include <linux/tee_drv.h> 14 #include <linux/uaccess.h> 15 #include "tee_private.h" 16 17 #define TEE_NUM_DEVICES 32 18 19 #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) 20 21 /* 22 * Unprivileged devices in the lower half range and privileged devices in 23 * the upper half range. 24 */ 25 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES); 26 static DEFINE_SPINLOCK(driver_lock); 27 28 static struct class *tee_class; 29 static dev_t tee_devt; 30 31 static struct tee_context *teedev_open(struct tee_device *teedev) 32 { 33 int rc; 34 struct tee_context *ctx; 35 36 if (!tee_device_get(teedev)) 37 return ERR_PTR(-EINVAL); 38 39 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 40 if (!ctx) { 41 rc = -ENOMEM; 42 goto err; 43 } 44 45 kref_init(&ctx->refcount); 46 ctx->teedev = teedev; 47 INIT_LIST_HEAD(&ctx->list_shm); 48 rc = teedev->desc->ops->open(ctx); 49 if (rc) 50 goto err; 51 52 return ctx; 53 err: 54 kfree(ctx); 55 tee_device_put(teedev); 56 return ERR_PTR(rc); 57 58 } 59 60 void teedev_ctx_get(struct tee_context *ctx) 61 { 62 if (ctx->releasing) 63 return; 64 65 kref_get(&ctx->refcount); 66 } 67 68 static void teedev_ctx_release(struct kref *ref) 69 { 70 struct tee_context *ctx = container_of(ref, struct tee_context, 71 refcount); 72 ctx->releasing = true; 73 ctx->teedev->desc->ops->release(ctx); 74 kfree(ctx); 75 } 76 77 void teedev_ctx_put(struct tee_context *ctx) 78 { 79 if (ctx->releasing) 80 return; 81 82 kref_put(&ctx->refcount, teedev_ctx_release); 83 } 84 85 static void teedev_close_context(struct tee_context *ctx) 86 { 87 tee_device_put(ctx->teedev); 88 teedev_ctx_put(ctx); 89 } 90 91 static int tee_open(struct inode *inode, struct file *filp) 92 { 93 struct tee_context *ctx; 94 95 ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev)); 96 if (IS_ERR(ctx)) 97 return PTR_ERR(ctx); 98 99 /* 100 * Default user-space behaviour is to wait for tee-supplicant 101 * if not present for any requests in this context. 102 */ 103 ctx->supp_nowait = false; 104 filp->private_data = ctx; 105 return 0; 106 } 107 108 static int tee_release(struct inode *inode, struct file *filp) 109 { 110 teedev_close_context(filp->private_data); 111 return 0; 112 } 113 114 static int tee_ioctl_version(struct tee_context *ctx, 115 struct tee_ioctl_version_data __user *uvers) 116 { 117 struct tee_ioctl_version_data vers; 118 119 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers); 120 121 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED) 122 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED; 123 124 if (copy_to_user(uvers, &vers, sizeof(vers))) 125 return -EFAULT; 126 127 return 0; 128 } 129 130 static int tee_ioctl_shm_alloc(struct tee_context *ctx, 131 struct tee_ioctl_shm_alloc_data __user *udata) 132 { 133 long ret; 134 struct tee_ioctl_shm_alloc_data data; 135 struct tee_shm *shm; 136 137 if (copy_from_user(&data, udata, sizeof(data))) 138 return -EFAULT; 139 140 /* Currently no input flags are supported */ 141 if (data.flags) 142 return -EINVAL; 143 144 shm = tee_shm_alloc(ctx, data.size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF); 145 if (IS_ERR(shm)) 146 return PTR_ERR(shm); 147 148 data.id = shm->id; 149 data.flags = shm->flags; 150 data.size = shm->size; 151 152 if (copy_to_user(udata, &data, sizeof(data))) 153 ret = -EFAULT; 154 else 155 ret = tee_shm_get_fd(shm); 156 157 /* 158 * When user space closes the file descriptor the shared memory 159 * should be freed or if tee_shm_get_fd() failed then it will 160 * be freed immediately. 161 */ 162 tee_shm_put(shm); 163 return ret; 164 } 165 166 static int 167 tee_ioctl_shm_register(struct tee_context *ctx, 168 struct tee_ioctl_shm_register_data __user *udata) 169 { 170 long ret; 171 struct tee_ioctl_shm_register_data data; 172 struct tee_shm *shm; 173 174 if (copy_from_user(&data, udata, sizeof(data))) 175 return -EFAULT; 176 177 /* Currently no input flags are supported */ 178 if (data.flags) 179 return -EINVAL; 180 181 shm = tee_shm_register(ctx, data.addr, data.length, 182 TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); 183 if (IS_ERR(shm)) 184 return PTR_ERR(shm); 185 186 data.id = shm->id; 187 data.flags = shm->flags; 188 data.length = shm->size; 189 190 if (copy_to_user(udata, &data, sizeof(data))) 191 ret = -EFAULT; 192 else 193 ret = tee_shm_get_fd(shm); 194 /* 195 * When user space closes the file descriptor the shared memory 196 * should be freed or if tee_shm_get_fd() failed then it will 197 * be freed immediately. 198 */ 199 tee_shm_put(shm); 200 return ret; 201 } 202 203 static int params_from_user(struct tee_context *ctx, struct tee_param *params, 204 size_t num_params, 205 struct tee_ioctl_param __user *uparams) 206 { 207 size_t n; 208 209 for (n = 0; n < num_params; n++) { 210 struct tee_shm *shm; 211 struct tee_ioctl_param ip; 212 213 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 214 return -EFAULT; 215 216 /* All unused attribute bits has to be zero */ 217 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 218 return -EINVAL; 219 220 params[n].attr = ip.attr; 221 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 222 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: 223 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 224 break; 225 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 226 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 227 params[n].u.value.a = ip.a; 228 params[n].u.value.b = ip.b; 229 params[n].u.value.c = ip.c; 230 break; 231 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 232 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 233 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 234 /* 235 * If we fail to get a pointer to a shared memory 236 * object (and increase the ref count) from an 237 * identifier we return an error. All pointers that 238 * has been added in params have an increased ref 239 * count. It's the callers responibility to do 240 * tee_shm_put() on all resolved pointers. 241 */ 242 shm = tee_shm_get_from_id(ctx, ip.c); 243 if (IS_ERR(shm)) 244 return PTR_ERR(shm); 245 246 /* 247 * Ensure offset + size does not overflow offset 248 * and does not overflow the size of the referred 249 * shared memory object. 250 */ 251 if ((ip.a + ip.b) < ip.a || 252 (ip.a + ip.b) > shm->size) { 253 tee_shm_put(shm); 254 return -EINVAL; 255 } 256 257 params[n].u.memref.shm_offs = ip.a; 258 params[n].u.memref.size = ip.b; 259 params[n].u.memref.shm = shm; 260 break; 261 default: 262 /* Unknown attribute */ 263 return -EINVAL; 264 } 265 } 266 return 0; 267 } 268 269 static int params_to_user(struct tee_ioctl_param __user *uparams, 270 size_t num_params, struct tee_param *params) 271 { 272 size_t n; 273 274 for (n = 0; n < num_params; n++) { 275 struct tee_ioctl_param __user *up = uparams + n; 276 struct tee_param *p = params + n; 277 278 switch (p->attr) { 279 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 280 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 281 if (put_user(p->u.value.a, &up->a) || 282 put_user(p->u.value.b, &up->b) || 283 put_user(p->u.value.c, &up->c)) 284 return -EFAULT; 285 break; 286 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 287 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 288 if (put_user((u64)p->u.memref.size, &up->b)) 289 return -EFAULT; 290 default: 291 break; 292 } 293 } 294 return 0; 295 } 296 297 static int tee_ioctl_open_session(struct tee_context *ctx, 298 struct tee_ioctl_buf_data __user *ubuf) 299 { 300 int rc; 301 size_t n; 302 struct tee_ioctl_buf_data buf; 303 struct tee_ioctl_open_session_arg __user *uarg; 304 struct tee_ioctl_open_session_arg arg; 305 struct tee_ioctl_param __user *uparams = NULL; 306 struct tee_param *params = NULL; 307 bool have_session = false; 308 309 if (!ctx->teedev->desc->ops->open_session) 310 return -EINVAL; 311 312 if (copy_from_user(&buf, ubuf, sizeof(buf))) 313 return -EFAULT; 314 315 if (buf.buf_len > TEE_MAX_ARG_SIZE || 316 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg)) 317 return -EINVAL; 318 319 uarg = u64_to_user_ptr(buf.buf_ptr); 320 if (copy_from_user(&arg, uarg, sizeof(arg))) 321 return -EFAULT; 322 323 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 324 return -EINVAL; 325 326 if (arg.num_params) { 327 params = kcalloc(arg.num_params, sizeof(struct tee_param), 328 GFP_KERNEL); 329 if (!params) 330 return -ENOMEM; 331 uparams = uarg->params; 332 rc = params_from_user(ctx, params, arg.num_params, uparams); 333 if (rc) 334 goto out; 335 } 336 337 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); 338 if (rc) 339 goto out; 340 have_session = true; 341 342 if (put_user(arg.session, &uarg->session) || 343 put_user(arg.ret, &uarg->ret) || 344 put_user(arg.ret_origin, &uarg->ret_origin)) { 345 rc = -EFAULT; 346 goto out; 347 } 348 rc = params_to_user(uparams, arg.num_params, params); 349 out: 350 /* 351 * If we've succeeded to open the session but failed to communicate 352 * it back to user space, close the session again to avoid leakage. 353 */ 354 if (rc && have_session && ctx->teedev->desc->ops->close_session) 355 ctx->teedev->desc->ops->close_session(ctx, arg.session); 356 357 if (params) { 358 /* Decrease ref count for all valid shared memory pointers */ 359 for (n = 0; n < arg.num_params; n++) 360 if (tee_param_is_memref(params + n) && 361 params[n].u.memref.shm) 362 tee_shm_put(params[n].u.memref.shm); 363 kfree(params); 364 } 365 366 return rc; 367 } 368 369 static int tee_ioctl_invoke(struct tee_context *ctx, 370 struct tee_ioctl_buf_data __user *ubuf) 371 { 372 int rc; 373 size_t n; 374 struct tee_ioctl_buf_data buf; 375 struct tee_ioctl_invoke_arg __user *uarg; 376 struct tee_ioctl_invoke_arg arg; 377 struct tee_ioctl_param __user *uparams = NULL; 378 struct tee_param *params = NULL; 379 380 if (!ctx->teedev->desc->ops->invoke_func) 381 return -EINVAL; 382 383 if (copy_from_user(&buf, ubuf, sizeof(buf))) 384 return -EFAULT; 385 386 if (buf.buf_len > TEE_MAX_ARG_SIZE || 387 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg)) 388 return -EINVAL; 389 390 uarg = u64_to_user_ptr(buf.buf_ptr); 391 if (copy_from_user(&arg, uarg, sizeof(arg))) 392 return -EFAULT; 393 394 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 395 return -EINVAL; 396 397 if (arg.num_params) { 398 params = kcalloc(arg.num_params, sizeof(struct tee_param), 399 GFP_KERNEL); 400 if (!params) 401 return -ENOMEM; 402 uparams = uarg->params; 403 rc = params_from_user(ctx, params, arg.num_params, uparams); 404 if (rc) 405 goto out; 406 } 407 408 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params); 409 if (rc) 410 goto out; 411 412 if (put_user(arg.ret, &uarg->ret) || 413 put_user(arg.ret_origin, &uarg->ret_origin)) { 414 rc = -EFAULT; 415 goto out; 416 } 417 rc = params_to_user(uparams, arg.num_params, params); 418 out: 419 if (params) { 420 /* Decrease ref count for all valid shared memory pointers */ 421 for (n = 0; n < arg.num_params; n++) 422 if (tee_param_is_memref(params + n) && 423 params[n].u.memref.shm) 424 tee_shm_put(params[n].u.memref.shm); 425 kfree(params); 426 } 427 return rc; 428 } 429 430 static int tee_ioctl_cancel(struct tee_context *ctx, 431 struct tee_ioctl_cancel_arg __user *uarg) 432 { 433 struct tee_ioctl_cancel_arg arg; 434 435 if (!ctx->teedev->desc->ops->cancel_req) 436 return -EINVAL; 437 438 if (copy_from_user(&arg, uarg, sizeof(arg))) 439 return -EFAULT; 440 441 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id, 442 arg.session); 443 } 444 445 static int 446 tee_ioctl_close_session(struct tee_context *ctx, 447 struct tee_ioctl_close_session_arg __user *uarg) 448 { 449 struct tee_ioctl_close_session_arg arg; 450 451 if (!ctx->teedev->desc->ops->close_session) 452 return -EINVAL; 453 454 if (copy_from_user(&arg, uarg, sizeof(arg))) 455 return -EFAULT; 456 457 return ctx->teedev->desc->ops->close_session(ctx, arg.session); 458 } 459 460 static int params_to_supp(struct tee_context *ctx, 461 struct tee_ioctl_param __user *uparams, 462 size_t num_params, struct tee_param *params) 463 { 464 size_t n; 465 466 for (n = 0; n < num_params; n++) { 467 struct tee_ioctl_param ip; 468 struct tee_param *p = params + n; 469 470 ip.attr = p->attr; 471 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 472 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 473 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 474 ip.a = p->u.value.a; 475 ip.b = p->u.value.b; 476 ip.c = p->u.value.c; 477 break; 478 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 479 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 480 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 481 ip.b = p->u.memref.size; 482 if (!p->u.memref.shm) { 483 ip.a = 0; 484 ip.c = (u64)-1; /* invalid shm id */ 485 break; 486 } 487 ip.a = p->u.memref.shm_offs; 488 ip.c = p->u.memref.shm->id; 489 break; 490 default: 491 ip.a = 0; 492 ip.b = 0; 493 ip.c = 0; 494 break; 495 } 496 497 if (copy_to_user(uparams + n, &ip, sizeof(ip))) 498 return -EFAULT; 499 } 500 501 return 0; 502 } 503 504 static int tee_ioctl_supp_recv(struct tee_context *ctx, 505 struct tee_ioctl_buf_data __user *ubuf) 506 { 507 int rc; 508 struct tee_ioctl_buf_data buf; 509 struct tee_iocl_supp_recv_arg __user *uarg; 510 struct tee_param *params; 511 u32 num_params; 512 u32 func; 513 514 if (!ctx->teedev->desc->ops->supp_recv) 515 return -EINVAL; 516 517 if (copy_from_user(&buf, ubuf, sizeof(buf))) 518 return -EFAULT; 519 520 if (buf.buf_len > TEE_MAX_ARG_SIZE || 521 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg)) 522 return -EINVAL; 523 524 uarg = u64_to_user_ptr(buf.buf_ptr); 525 if (get_user(num_params, &uarg->num_params)) 526 return -EFAULT; 527 528 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) 529 return -EINVAL; 530 531 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 532 if (!params) 533 return -ENOMEM; 534 535 rc = params_from_user(ctx, params, num_params, uarg->params); 536 if (rc) 537 goto out; 538 539 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); 540 if (rc) 541 goto out; 542 543 if (put_user(func, &uarg->func) || 544 put_user(num_params, &uarg->num_params)) { 545 rc = -EFAULT; 546 goto out; 547 } 548 549 rc = params_to_supp(ctx, uarg->params, num_params, params); 550 out: 551 kfree(params); 552 return rc; 553 } 554 555 static int params_from_supp(struct tee_param *params, size_t num_params, 556 struct tee_ioctl_param __user *uparams) 557 { 558 size_t n; 559 560 for (n = 0; n < num_params; n++) { 561 struct tee_param *p = params + n; 562 struct tee_ioctl_param ip; 563 564 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 565 return -EFAULT; 566 567 /* All unused attribute bits has to be zero */ 568 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 569 return -EINVAL; 570 571 p->attr = ip.attr; 572 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 573 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 574 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 575 /* Only out and in/out values can be updated */ 576 p->u.value.a = ip.a; 577 p->u.value.b = ip.b; 578 p->u.value.c = ip.c; 579 break; 580 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 581 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 582 /* 583 * Only the size of the memref can be updated. 584 * Since we don't have access to the original 585 * parameters here, only store the supplied size. 586 * The driver will copy the updated size into the 587 * original parameters. 588 */ 589 p->u.memref.shm = NULL; 590 p->u.memref.shm_offs = 0; 591 p->u.memref.size = ip.b; 592 break; 593 default: 594 memset(&p->u, 0, sizeof(p->u)); 595 break; 596 } 597 } 598 return 0; 599 } 600 601 static int tee_ioctl_supp_send(struct tee_context *ctx, 602 struct tee_ioctl_buf_data __user *ubuf) 603 { 604 long rc; 605 struct tee_ioctl_buf_data buf; 606 struct tee_iocl_supp_send_arg __user *uarg; 607 struct tee_param *params; 608 u32 num_params; 609 u32 ret; 610 611 /* Not valid for this driver */ 612 if (!ctx->teedev->desc->ops->supp_send) 613 return -EINVAL; 614 615 if (copy_from_user(&buf, ubuf, sizeof(buf))) 616 return -EFAULT; 617 618 if (buf.buf_len > TEE_MAX_ARG_SIZE || 619 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg)) 620 return -EINVAL; 621 622 uarg = u64_to_user_ptr(buf.buf_ptr); 623 if (get_user(ret, &uarg->ret) || 624 get_user(num_params, &uarg->num_params)) 625 return -EFAULT; 626 627 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) 628 return -EINVAL; 629 630 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 631 if (!params) 632 return -ENOMEM; 633 634 rc = params_from_supp(params, num_params, uarg->params); 635 if (rc) 636 goto out; 637 638 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params); 639 out: 640 kfree(params); 641 return rc; 642 } 643 644 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 645 { 646 struct tee_context *ctx = filp->private_data; 647 void __user *uarg = (void __user *)arg; 648 649 switch (cmd) { 650 case TEE_IOC_VERSION: 651 return tee_ioctl_version(ctx, uarg); 652 case TEE_IOC_SHM_ALLOC: 653 return tee_ioctl_shm_alloc(ctx, uarg); 654 case TEE_IOC_SHM_REGISTER: 655 return tee_ioctl_shm_register(ctx, uarg); 656 case TEE_IOC_OPEN_SESSION: 657 return tee_ioctl_open_session(ctx, uarg); 658 case TEE_IOC_INVOKE: 659 return tee_ioctl_invoke(ctx, uarg); 660 case TEE_IOC_CANCEL: 661 return tee_ioctl_cancel(ctx, uarg); 662 case TEE_IOC_CLOSE_SESSION: 663 return tee_ioctl_close_session(ctx, uarg); 664 case TEE_IOC_SUPPL_RECV: 665 return tee_ioctl_supp_recv(ctx, uarg); 666 case TEE_IOC_SUPPL_SEND: 667 return tee_ioctl_supp_send(ctx, uarg); 668 default: 669 return -EINVAL; 670 } 671 } 672 673 static const struct file_operations tee_fops = { 674 .owner = THIS_MODULE, 675 .open = tee_open, 676 .release = tee_release, 677 .unlocked_ioctl = tee_ioctl, 678 .compat_ioctl = tee_ioctl, 679 }; 680 681 static void tee_release_device(struct device *dev) 682 { 683 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 684 685 spin_lock(&driver_lock); 686 clear_bit(teedev->id, dev_mask); 687 spin_unlock(&driver_lock); 688 mutex_destroy(&teedev->mutex); 689 idr_destroy(&teedev->idr); 690 kfree(teedev); 691 } 692 693 /** 694 * tee_device_alloc() - Allocate a new struct tee_device instance 695 * @teedesc: Descriptor for this driver 696 * @dev: Parent device for this device 697 * @pool: Shared memory pool, NULL if not used 698 * @driver_data: Private driver data for this device 699 * 700 * Allocates a new struct tee_device instance. The device is 701 * removed by tee_device_unregister(). 702 * 703 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure 704 */ 705 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, 706 struct device *dev, 707 struct tee_shm_pool *pool, 708 void *driver_data) 709 { 710 struct tee_device *teedev; 711 void *ret; 712 int rc, max_id; 713 int offs = 0; 714 715 if (!teedesc || !teedesc->name || !teedesc->ops || 716 !teedesc->ops->get_version || !teedesc->ops->open || 717 !teedesc->ops->release || !pool) 718 return ERR_PTR(-EINVAL); 719 720 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); 721 if (!teedev) { 722 ret = ERR_PTR(-ENOMEM); 723 goto err; 724 } 725 726 max_id = TEE_NUM_DEVICES / 2; 727 728 if (teedesc->flags & TEE_DESC_PRIVILEGED) { 729 offs = TEE_NUM_DEVICES / 2; 730 max_id = TEE_NUM_DEVICES; 731 } 732 733 spin_lock(&driver_lock); 734 teedev->id = find_next_zero_bit(dev_mask, max_id, offs); 735 if (teedev->id < max_id) 736 set_bit(teedev->id, dev_mask); 737 spin_unlock(&driver_lock); 738 739 if (teedev->id >= max_id) { 740 ret = ERR_PTR(-ENOMEM); 741 goto err; 742 } 743 744 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d", 745 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "", 746 teedev->id - offs); 747 748 teedev->dev.class = tee_class; 749 teedev->dev.release = tee_release_device; 750 teedev->dev.parent = dev; 751 752 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id); 753 754 rc = dev_set_name(&teedev->dev, "%s", teedev->name); 755 if (rc) { 756 ret = ERR_PTR(rc); 757 goto err_devt; 758 } 759 760 cdev_init(&teedev->cdev, &tee_fops); 761 teedev->cdev.owner = teedesc->owner; 762 teedev->cdev.kobj.parent = &teedev->dev.kobj; 763 764 dev_set_drvdata(&teedev->dev, driver_data); 765 device_initialize(&teedev->dev); 766 767 /* 1 as tee_device_unregister() does one final tee_device_put() */ 768 teedev->num_users = 1; 769 init_completion(&teedev->c_no_users); 770 mutex_init(&teedev->mutex); 771 idr_init(&teedev->idr); 772 773 teedev->desc = teedesc; 774 teedev->pool = pool; 775 776 return teedev; 777 err_devt: 778 unregister_chrdev_region(teedev->dev.devt, 1); 779 err: 780 pr_err("could not register %s driver\n", 781 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client"); 782 if (teedev && teedev->id < TEE_NUM_DEVICES) { 783 spin_lock(&driver_lock); 784 clear_bit(teedev->id, dev_mask); 785 spin_unlock(&driver_lock); 786 } 787 kfree(teedev); 788 return ret; 789 } 790 EXPORT_SYMBOL_GPL(tee_device_alloc); 791 792 static ssize_t implementation_id_show(struct device *dev, 793 struct device_attribute *attr, char *buf) 794 { 795 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 796 struct tee_ioctl_version_data vers; 797 798 teedev->desc->ops->get_version(teedev, &vers); 799 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id); 800 } 801 static DEVICE_ATTR_RO(implementation_id); 802 803 static struct attribute *tee_dev_attrs[] = { 804 &dev_attr_implementation_id.attr, 805 NULL 806 }; 807 808 static const struct attribute_group tee_dev_group = { 809 .attrs = tee_dev_attrs, 810 }; 811 812 /** 813 * tee_device_register() - Registers a TEE device 814 * @teedev: Device to register 815 * 816 * tee_device_unregister() need to be called to remove the @teedev if 817 * this function fails. 818 * 819 * @returns < 0 on failure 820 */ 821 int tee_device_register(struct tee_device *teedev) 822 { 823 int rc; 824 825 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { 826 dev_err(&teedev->dev, "attempt to register twice\n"); 827 return -EINVAL; 828 } 829 830 rc = cdev_add(&teedev->cdev, teedev->dev.devt, 1); 831 if (rc) { 832 dev_err(&teedev->dev, 833 "unable to cdev_add() %s, major %d, minor %d, err=%d\n", 834 teedev->name, MAJOR(teedev->dev.devt), 835 MINOR(teedev->dev.devt), rc); 836 return rc; 837 } 838 839 rc = device_add(&teedev->dev); 840 if (rc) { 841 dev_err(&teedev->dev, 842 "unable to device_add() %s, major %d, minor %d, err=%d\n", 843 teedev->name, MAJOR(teedev->dev.devt), 844 MINOR(teedev->dev.devt), rc); 845 goto err_device_add; 846 } 847 848 rc = sysfs_create_group(&teedev->dev.kobj, &tee_dev_group); 849 if (rc) { 850 dev_err(&teedev->dev, 851 "failed to create sysfs attributes, err=%d\n", rc); 852 goto err_sysfs_create_group; 853 } 854 855 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED; 856 return 0; 857 858 err_sysfs_create_group: 859 device_del(&teedev->dev); 860 err_device_add: 861 cdev_del(&teedev->cdev); 862 return rc; 863 } 864 EXPORT_SYMBOL_GPL(tee_device_register); 865 866 void tee_device_put(struct tee_device *teedev) 867 { 868 mutex_lock(&teedev->mutex); 869 /* Shouldn't put in this state */ 870 if (!WARN_ON(!teedev->desc)) { 871 teedev->num_users--; 872 if (!teedev->num_users) { 873 teedev->desc = NULL; 874 complete(&teedev->c_no_users); 875 } 876 } 877 mutex_unlock(&teedev->mutex); 878 } 879 880 bool tee_device_get(struct tee_device *teedev) 881 { 882 mutex_lock(&teedev->mutex); 883 if (!teedev->desc) { 884 mutex_unlock(&teedev->mutex); 885 return false; 886 } 887 teedev->num_users++; 888 mutex_unlock(&teedev->mutex); 889 return true; 890 } 891 892 /** 893 * tee_device_unregister() - Removes a TEE device 894 * @teedev: Device to unregister 895 * 896 * This function should be called to remove the @teedev even if 897 * tee_device_register() hasn't been called yet. Does nothing if 898 * @teedev is NULL. 899 */ 900 void tee_device_unregister(struct tee_device *teedev) 901 { 902 if (!teedev) 903 return; 904 905 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { 906 sysfs_remove_group(&teedev->dev.kobj, &tee_dev_group); 907 cdev_del(&teedev->cdev); 908 device_del(&teedev->dev); 909 } 910 911 tee_device_put(teedev); 912 wait_for_completion(&teedev->c_no_users); 913 914 /* 915 * No need to take a mutex any longer now since teedev->desc was 916 * set to NULL before teedev->c_no_users was completed. 917 */ 918 919 teedev->pool = NULL; 920 921 put_device(&teedev->dev); 922 } 923 EXPORT_SYMBOL_GPL(tee_device_unregister); 924 925 /** 926 * tee_get_drvdata() - Return driver_data pointer 927 * @teedev: Device containing the driver_data pointer 928 * @returns the driver_data pointer supplied to tee_register(). 929 */ 930 void *tee_get_drvdata(struct tee_device *teedev) 931 { 932 return dev_get_drvdata(&teedev->dev); 933 } 934 EXPORT_SYMBOL_GPL(tee_get_drvdata); 935 936 struct match_dev_data { 937 struct tee_ioctl_version_data *vers; 938 const void *data; 939 int (*match)(struct tee_ioctl_version_data *, const void *); 940 }; 941 942 static int match_dev(struct device *dev, const void *data) 943 { 944 const struct match_dev_data *match_data = data; 945 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 946 947 teedev->desc->ops->get_version(teedev, match_data->vers); 948 return match_data->match(match_data->vers, match_data->data); 949 } 950 951 struct tee_context * 952 tee_client_open_context(struct tee_context *start, 953 int (*match)(struct tee_ioctl_version_data *, 954 const void *), 955 const void *data, struct tee_ioctl_version_data *vers) 956 { 957 struct device *dev = NULL; 958 struct device *put_dev = NULL; 959 struct tee_context *ctx = NULL; 960 struct tee_ioctl_version_data v; 961 struct match_dev_data match_data = { vers ? vers : &v, data, match }; 962 963 if (start) 964 dev = &start->teedev->dev; 965 966 do { 967 dev = class_find_device(tee_class, dev, &match_data, match_dev); 968 if (!dev) { 969 ctx = ERR_PTR(-ENOENT); 970 break; 971 } 972 973 put_device(put_dev); 974 put_dev = dev; 975 976 ctx = teedev_open(container_of(dev, struct tee_device, dev)); 977 } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM); 978 979 put_device(put_dev); 980 /* 981 * Default behaviour for in kernel client is to not wait for 982 * tee-supplicant if not present for any requests in this context. 983 * Also this flag could be configured again before call to 984 * tee_client_open_session() if any in kernel client requires 985 * different behaviour. 986 */ 987 if (!IS_ERR(ctx)) 988 ctx->supp_nowait = true; 989 990 return ctx; 991 } 992 EXPORT_SYMBOL_GPL(tee_client_open_context); 993 994 void tee_client_close_context(struct tee_context *ctx) 995 { 996 teedev_close_context(ctx); 997 } 998 EXPORT_SYMBOL_GPL(tee_client_close_context); 999 1000 void tee_client_get_version(struct tee_context *ctx, 1001 struct tee_ioctl_version_data *vers) 1002 { 1003 ctx->teedev->desc->ops->get_version(ctx->teedev, vers); 1004 } 1005 EXPORT_SYMBOL_GPL(tee_client_get_version); 1006 1007 int tee_client_open_session(struct tee_context *ctx, 1008 struct tee_ioctl_open_session_arg *arg, 1009 struct tee_param *param) 1010 { 1011 if (!ctx->teedev->desc->ops->open_session) 1012 return -EINVAL; 1013 return ctx->teedev->desc->ops->open_session(ctx, arg, param); 1014 } 1015 EXPORT_SYMBOL_GPL(tee_client_open_session); 1016 1017 int tee_client_close_session(struct tee_context *ctx, u32 session) 1018 { 1019 if (!ctx->teedev->desc->ops->close_session) 1020 return -EINVAL; 1021 return ctx->teedev->desc->ops->close_session(ctx, session); 1022 } 1023 EXPORT_SYMBOL_GPL(tee_client_close_session); 1024 1025 int tee_client_invoke_func(struct tee_context *ctx, 1026 struct tee_ioctl_invoke_arg *arg, 1027 struct tee_param *param) 1028 { 1029 if (!ctx->teedev->desc->ops->invoke_func) 1030 return -EINVAL; 1031 return ctx->teedev->desc->ops->invoke_func(ctx, arg, param); 1032 } 1033 EXPORT_SYMBOL_GPL(tee_client_invoke_func); 1034 1035 int tee_client_cancel_req(struct tee_context *ctx, 1036 struct tee_ioctl_cancel_arg *arg) 1037 { 1038 if (!ctx->teedev->desc->ops->cancel_req) 1039 return -EINVAL; 1040 return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id, 1041 arg->session); 1042 } 1043 1044 static int tee_client_device_match(struct device *dev, 1045 struct device_driver *drv) 1046 { 1047 const struct tee_client_device_id *id_table; 1048 struct tee_client_device *tee_device; 1049 1050 id_table = to_tee_client_driver(drv)->id_table; 1051 tee_device = to_tee_client_device(dev); 1052 1053 while (!uuid_is_null(&id_table->uuid)) { 1054 if (uuid_equal(&tee_device->id.uuid, &id_table->uuid)) 1055 return 1; 1056 id_table++; 1057 } 1058 1059 return 0; 1060 } 1061 1062 static int tee_client_device_uevent(struct device *dev, 1063 struct kobj_uevent_env *env) 1064 { 1065 uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid; 1066 1067 return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id); 1068 } 1069 1070 struct bus_type tee_bus_type = { 1071 .name = "tee", 1072 .match = tee_client_device_match, 1073 .uevent = tee_client_device_uevent, 1074 }; 1075 EXPORT_SYMBOL_GPL(tee_bus_type); 1076 1077 static int __init tee_init(void) 1078 { 1079 int rc; 1080 1081 tee_class = class_create(THIS_MODULE, "tee"); 1082 if (IS_ERR(tee_class)) { 1083 pr_err("couldn't create class\n"); 1084 return PTR_ERR(tee_class); 1085 } 1086 1087 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee"); 1088 if (rc) { 1089 pr_err("failed to allocate char dev region\n"); 1090 goto out_unreg_class; 1091 } 1092 1093 rc = bus_register(&tee_bus_type); 1094 if (rc) { 1095 pr_err("failed to register tee bus\n"); 1096 goto out_unreg_chrdev; 1097 } 1098 1099 return 0; 1100 1101 out_unreg_chrdev: 1102 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1103 out_unreg_class: 1104 class_destroy(tee_class); 1105 tee_class = NULL; 1106 1107 return rc; 1108 } 1109 1110 static void __exit tee_exit(void) 1111 { 1112 bus_unregister(&tee_bus_type); 1113 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1114 class_destroy(tee_class); 1115 tee_class = NULL; 1116 } 1117 1118 subsys_initcall(tee_init); 1119 module_exit(tee_exit); 1120 1121 MODULE_AUTHOR("Linaro"); 1122 MODULE_DESCRIPTION("TEE Driver"); 1123 MODULE_VERSION("1.0"); 1124 MODULE_LICENSE("GPL v2"); 1125