1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015-2016, Linaro Limited 4 */ 5 6 #define pr_fmt(fmt) "%s: " fmt, __func__ 7 8 #include <linux/cdev.h> 9 #include <linux/cred.h> 10 #include <linux/fs.h> 11 #include <linux/idr.h> 12 #include <linux/module.h> 13 #include <linux/overflow.h> 14 #include <linux/slab.h> 15 #include <linux/tee_core.h> 16 #include <linux/uaccess.h> 17 #include <crypto/hash.h> 18 #include <crypto/sha1.h> 19 #include "tee_private.h" 20 21 #define TEE_NUM_DEVICES 32 22 23 #define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x))) 24 25 #define TEE_UUID_NS_NAME_SIZE 128 26 27 /* 28 * TEE Client UUID name space identifier (UUIDv4) 29 * 30 * Value here is random UUID that is allocated as name space identifier for 31 * forming Client UUID's for TEE environment using UUIDv5 scheme. 32 */ 33 static const uuid_t tee_client_uuid_ns = UUID_INIT(0x58ac9ca0, 0x2086, 0x4683, 34 0xa1, 0xb8, 0xec, 0x4b, 35 0xc0, 0x8e, 0x01, 0xb6); 36 37 /* 38 * Unprivileged devices in the lower half range and privileged devices in 39 * the upper half range. 40 */ 41 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES); 42 static DEFINE_SPINLOCK(driver_lock); 43 44 static const struct class tee_class; 45 static dev_t tee_devt; 46 47 struct tee_context *teedev_open(struct tee_device *teedev) 48 { 49 int rc; 50 struct tee_context *ctx; 51 52 if (!tee_device_get(teedev)) 53 return ERR_PTR(-EINVAL); 54 55 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 56 if (!ctx) { 57 rc = -ENOMEM; 58 goto err; 59 } 60 61 kref_init(&ctx->refcount); 62 ctx->teedev = teedev; 63 rc = teedev->desc->ops->open(ctx); 64 if (rc) 65 goto err; 66 67 return ctx; 68 err: 69 kfree(ctx); 70 tee_device_put(teedev); 71 return ERR_PTR(rc); 72 73 } 74 EXPORT_SYMBOL_GPL(teedev_open); 75 76 void teedev_ctx_get(struct tee_context *ctx) 77 { 78 if (ctx->releasing) 79 return; 80 81 kref_get(&ctx->refcount); 82 } 83 84 static void teedev_ctx_release(struct kref *ref) 85 { 86 struct tee_context *ctx = container_of(ref, struct tee_context, 87 refcount); 88 ctx->releasing = true; 89 ctx->teedev->desc->ops->release(ctx); 90 kfree(ctx); 91 } 92 93 void teedev_ctx_put(struct tee_context *ctx) 94 { 95 if (ctx->releasing) 96 return; 97 98 kref_put(&ctx->refcount, teedev_ctx_release); 99 } 100 101 void teedev_close_context(struct tee_context *ctx) 102 { 103 struct tee_device *teedev = ctx->teedev; 104 105 teedev_ctx_put(ctx); 106 tee_device_put(teedev); 107 } 108 EXPORT_SYMBOL_GPL(teedev_close_context); 109 110 static int tee_open(struct inode *inode, struct file *filp) 111 { 112 struct tee_context *ctx; 113 114 ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev)); 115 if (IS_ERR(ctx)) 116 return PTR_ERR(ctx); 117 118 /* 119 * Default user-space behaviour is to wait for tee-supplicant 120 * if not present for any requests in this context. 121 */ 122 ctx->supp_nowait = false; 123 filp->private_data = ctx; 124 return 0; 125 } 126 127 static int tee_release(struct inode *inode, struct file *filp) 128 { 129 teedev_close_context(filp->private_data); 130 return 0; 131 } 132 133 /** 134 * uuid_v5() - Calculate UUIDv5 135 * @uuid: Resulting UUID 136 * @ns: Name space ID for UUIDv5 function 137 * @name: Name for UUIDv5 function 138 * @size: Size of name 139 * 140 * UUIDv5 is specific in RFC 4122. 141 * 142 * This implements section (for SHA-1): 143 * 4.3. Algorithm for Creating a Name-Based UUID 144 */ 145 static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name, 146 size_t size) 147 { 148 unsigned char hash[SHA1_DIGEST_SIZE]; 149 struct crypto_shash *shash = NULL; 150 struct shash_desc *desc = NULL; 151 int rc; 152 153 shash = crypto_alloc_shash("sha1", 0, 0); 154 if (IS_ERR(shash)) { 155 rc = PTR_ERR(shash); 156 pr_err("shash(sha1) allocation failed\n"); 157 return rc; 158 } 159 160 desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), 161 GFP_KERNEL); 162 if (!desc) { 163 rc = -ENOMEM; 164 goto out_free_shash; 165 } 166 167 desc->tfm = shash; 168 169 rc = crypto_shash_init(desc); 170 if (rc < 0) 171 goto out_free_desc; 172 173 rc = crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns)); 174 if (rc < 0) 175 goto out_free_desc; 176 177 rc = crypto_shash_update(desc, (const u8 *)name, size); 178 if (rc < 0) 179 goto out_free_desc; 180 181 rc = crypto_shash_final(desc, hash); 182 if (rc < 0) 183 goto out_free_desc; 184 185 memcpy(uuid->b, hash, UUID_SIZE); 186 187 /* Tag for version 5 */ 188 uuid->b[6] = (hash[6] & 0x0F) | 0x50; 189 uuid->b[8] = (hash[8] & 0x3F) | 0x80; 190 191 out_free_desc: 192 kfree(desc); 193 194 out_free_shash: 195 crypto_free_shash(shash); 196 return rc; 197 } 198 199 int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, 200 const u8 connection_data[TEE_IOCTL_UUID_LEN]) 201 { 202 gid_t ns_grp = (gid_t)-1; 203 kgid_t grp = INVALID_GID; 204 char *name = NULL; 205 int name_len; 206 int rc; 207 208 if (connection_method == TEE_IOCTL_LOGIN_PUBLIC || 209 connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) { 210 /* Nil UUID to be passed to TEE environment */ 211 uuid_copy(uuid, &uuid_null); 212 return 0; 213 } 214 215 /* 216 * In Linux environment client UUID is based on UUIDv5. 217 * 218 * Determine client UUID with following semantics for 'name': 219 * 220 * For TEEC_LOGIN_USER: 221 * uid=<uid> 222 * 223 * For TEEC_LOGIN_GROUP: 224 * gid=<gid> 225 * 226 */ 227 228 name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL); 229 if (!name) 230 return -ENOMEM; 231 232 switch (connection_method) { 233 case TEE_IOCTL_LOGIN_USER: 234 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x", 235 current_euid().val); 236 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 237 rc = -E2BIG; 238 goto out_free_name; 239 } 240 break; 241 242 case TEE_IOCTL_LOGIN_GROUP: 243 memcpy(&ns_grp, connection_data, sizeof(gid_t)); 244 grp = make_kgid(current_user_ns(), ns_grp); 245 if (!gid_valid(grp) || !in_egroup_p(grp)) { 246 rc = -EPERM; 247 goto out_free_name; 248 } 249 250 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x", 251 grp.val); 252 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 253 rc = -E2BIG; 254 goto out_free_name; 255 } 256 break; 257 258 default: 259 rc = -EINVAL; 260 goto out_free_name; 261 } 262 263 rc = uuid_v5(uuid, &tee_client_uuid_ns, name, name_len); 264 out_free_name: 265 kfree(name); 266 267 return rc; 268 } 269 EXPORT_SYMBOL_GPL(tee_session_calc_client_uuid); 270 271 static int tee_ioctl_version(struct tee_context *ctx, 272 struct tee_ioctl_version_data __user *uvers) 273 { 274 struct tee_ioctl_version_data vers; 275 276 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers); 277 278 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED) 279 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED; 280 281 if (copy_to_user(uvers, &vers, sizeof(vers))) 282 return -EFAULT; 283 284 return 0; 285 } 286 287 static int tee_ioctl_shm_alloc(struct tee_context *ctx, 288 struct tee_ioctl_shm_alloc_data __user *udata) 289 { 290 long ret; 291 struct tee_ioctl_shm_alloc_data data; 292 struct tee_shm *shm; 293 294 if (copy_from_user(&data, udata, sizeof(data))) 295 return -EFAULT; 296 297 /* Currently no input flags are supported */ 298 if (data.flags) 299 return -EINVAL; 300 301 shm = tee_shm_alloc_user_buf(ctx, data.size); 302 if (IS_ERR(shm)) 303 return PTR_ERR(shm); 304 305 data.id = shm->id; 306 data.size = shm->size; 307 308 if (copy_to_user(udata, &data, sizeof(data))) 309 ret = -EFAULT; 310 else 311 ret = tee_shm_get_fd(shm); 312 313 /* 314 * When user space closes the file descriptor the shared memory 315 * should be freed or if tee_shm_get_fd() failed then it will 316 * be freed immediately. 317 */ 318 tee_shm_put(shm); 319 return ret; 320 } 321 322 static int 323 tee_ioctl_shm_register(struct tee_context *ctx, 324 struct tee_ioctl_shm_register_data __user *udata) 325 { 326 long ret; 327 struct tee_ioctl_shm_register_data data; 328 struct tee_shm *shm; 329 330 if (copy_from_user(&data, udata, sizeof(data))) 331 return -EFAULT; 332 333 /* Currently no input flags are supported */ 334 if (data.flags) 335 return -EINVAL; 336 337 shm = tee_shm_register_user_buf(ctx, data.addr, data.length); 338 if (IS_ERR(shm)) 339 return PTR_ERR(shm); 340 341 data.id = shm->id; 342 data.length = shm->size; 343 344 if (copy_to_user(udata, &data, sizeof(data))) 345 ret = -EFAULT; 346 else 347 ret = tee_shm_get_fd(shm); 348 /* 349 * When user space closes the file descriptor the shared memory 350 * should be freed or if tee_shm_get_fd() failed then it will 351 * be freed immediately. 352 */ 353 tee_shm_put(shm); 354 return ret; 355 } 356 357 static int params_from_user(struct tee_context *ctx, struct tee_param *params, 358 size_t num_params, 359 struct tee_ioctl_param __user *uparams) 360 { 361 size_t n; 362 363 for (n = 0; n < num_params; n++) { 364 struct tee_shm *shm; 365 struct tee_ioctl_param ip; 366 367 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 368 return -EFAULT; 369 370 /* All unused attribute bits has to be zero */ 371 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 372 return -EINVAL; 373 374 params[n].attr = ip.attr; 375 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 376 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: 377 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 378 break; 379 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 380 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 381 params[n].u.value.a = ip.a; 382 params[n].u.value.b = ip.b; 383 params[n].u.value.c = ip.c; 384 break; 385 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 386 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 387 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 388 /* 389 * If a NULL pointer is passed to a TA in the TEE, 390 * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL 391 * indicating a NULL memory reference. 392 */ 393 if (ip.c != TEE_MEMREF_NULL) { 394 /* 395 * If we fail to get a pointer to a shared 396 * memory object (and increase the ref count) 397 * from an identifier we return an error. All 398 * pointers that has been added in params have 399 * an increased ref count. It's the callers 400 * responibility to do tee_shm_put() on all 401 * resolved pointers. 402 */ 403 shm = tee_shm_get_from_id(ctx, ip.c); 404 if (IS_ERR(shm)) 405 return PTR_ERR(shm); 406 407 /* 408 * Ensure offset + size does not overflow 409 * offset and does not overflow the size of 410 * the referred shared memory object. 411 */ 412 if ((ip.a + ip.b) < ip.a || 413 (ip.a + ip.b) > shm->size) { 414 tee_shm_put(shm); 415 return -EINVAL; 416 } 417 } else if (ctx->cap_memref_null) { 418 /* Pass NULL pointer to OP-TEE */ 419 shm = NULL; 420 } else { 421 return -EINVAL; 422 } 423 424 params[n].u.memref.shm_offs = ip.a; 425 params[n].u.memref.size = ip.b; 426 params[n].u.memref.shm = shm; 427 break; 428 default: 429 /* Unknown attribute */ 430 return -EINVAL; 431 } 432 } 433 return 0; 434 } 435 436 static int params_to_user(struct tee_ioctl_param __user *uparams, 437 size_t num_params, struct tee_param *params) 438 { 439 size_t n; 440 441 for (n = 0; n < num_params; n++) { 442 struct tee_ioctl_param __user *up = uparams + n; 443 struct tee_param *p = params + n; 444 445 switch (p->attr) { 446 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 447 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 448 if (put_user(p->u.value.a, &up->a) || 449 put_user(p->u.value.b, &up->b) || 450 put_user(p->u.value.c, &up->c)) 451 return -EFAULT; 452 break; 453 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 454 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 455 if (put_user((u64)p->u.memref.size, &up->b)) 456 return -EFAULT; 457 break; 458 default: 459 break; 460 } 461 } 462 return 0; 463 } 464 465 static int tee_ioctl_open_session(struct tee_context *ctx, 466 struct tee_ioctl_buf_data __user *ubuf) 467 { 468 int rc; 469 size_t n; 470 struct tee_ioctl_buf_data buf; 471 struct tee_ioctl_open_session_arg __user *uarg; 472 struct tee_ioctl_open_session_arg arg; 473 struct tee_ioctl_param __user *uparams = NULL; 474 struct tee_param *params = NULL; 475 bool have_session = false; 476 477 if (!ctx->teedev->desc->ops->open_session) 478 return -EINVAL; 479 480 if (copy_from_user(&buf, ubuf, sizeof(buf))) 481 return -EFAULT; 482 483 if (buf.buf_len > TEE_MAX_ARG_SIZE || 484 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg)) 485 return -EINVAL; 486 487 uarg = u64_to_user_ptr(buf.buf_ptr); 488 if (copy_from_user(&arg, uarg, sizeof(arg))) 489 return -EFAULT; 490 491 if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) 492 return -EINVAL; 493 494 if (arg.num_params) { 495 params = kcalloc(arg.num_params, sizeof(struct tee_param), 496 GFP_KERNEL); 497 if (!params) 498 return -ENOMEM; 499 uparams = uarg->params; 500 rc = params_from_user(ctx, params, arg.num_params, uparams); 501 if (rc) 502 goto out; 503 } 504 505 if (arg.clnt_login >= TEE_IOCTL_LOGIN_REE_KERNEL_MIN && 506 arg.clnt_login <= TEE_IOCTL_LOGIN_REE_KERNEL_MAX) { 507 pr_debug("login method not allowed for user-space client\n"); 508 rc = -EPERM; 509 goto out; 510 } 511 512 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); 513 if (rc) 514 goto out; 515 have_session = true; 516 517 if (put_user(arg.session, &uarg->session) || 518 put_user(arg.ret, &uarg->ret) || 519 put_user(arg.ret_origin, &uarg->ret_origin)) { 520 rc = -EFAULT; 521 goto out; 522 } 523 rc = params_to_user(uparams, arg.num_params, params); 524 out: 525 /* 526 * If we've succeeded to open the session but failed to communicate 527 * it back to user space, close the session again to avoid leakage. 528 */ 529 if (rc && have_session && ctx->teedev->desc->ops->close_session) 530 ctx->teedev->desc->ops->close_session(ctx, arg.session); 531 532 if (params) { 533 /* Decrease ref count for all valid shared memory pointers */ 534 for (n = 0; n < arg.num_params; n++) 535 if (tee_param_is_memref(params + n) && 536 params[n].u.memref.shm) 537 tee_shm_put(params[n].u.memref.shm); 538 kfree(params); 539 } 540 541 return rc; 542 } 543 544 static int tee_ioctl_invoke(struct tee_context *ctx, 545 struct tee_ioctl_buf_data __user *ubuf) 546 { 547 int rc; 548 size_t n; 549 struct tee_ioctl_buf_data buf; 550 struct tee_ioctl_invoke_arg __user *uarg; 551 struct tee_ioctl_invoke_arg arg; 552 struct tee_ioctl_param __user *uparams = NULL; 553 struct tee_param *params = NULL; 554 555 if (!ctx->teedev->desc->ops->invoke_func) 556 return -EINVAL; 557 558 if (copy_from_user(&buf, ubuf, sizeof(buf))) 559 return -EFAULT; 560 561 if (buf.buf_len > TEE_MAX_ARG_SIZE || 562 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg)) 563 return -EINVAL; 564 565 uarg = u64_to_user_ptr(buf.buf_ptr); 566 if (copy_from_user(&arg, uarg, sizeof(arg))) 567 return -EFAULT; 568 569 if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) 570 return -EINVAL; 571 572 if (arg.num_params) { 573 params = kcalloc(arg.num_params, sizeof(struct tee_param), 574 GFP_KERNEL); 575 if (!params) 576 return -ENOMEM; 577 uparams = uarg->params; 578 rc = params_from_user(ctx, params, arg.num_params, uparams); 579 if (rc) 580 goto out; 581 } 582 583 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params); 584 if (rc) 585 goto out; 586 587 if (put_user(arg.ret, &uarg->ret) || 588 put_user(arg.ret_origin, &uarg->ret_origin)) { 589 rc = -EFAULT; 590 goto out; 591 } 592 rc = params_to_user(uparams, arg.num_params, params); 593 out: 594 if (params) { 595 /* Decrease ref count for all valid shared memory pointers */ 596 for (n = 0; n < arg.num_params; n++) 597 if (tee_param_is_memref(params + n) && 598 params[n].u.memref.shm) 599 tee_shm_put(params[n].u.memref.shm); 600 kfree(params); 601 } 602 return rc; 603 } 604 605 static int tee_ioctl_cancel(struct tee_context *ctx, 606 struct tee_ioctl_cancel_arg __user *uarg) 607 { 608 struct tee_ioctl_cancel_arg arg; 609 610 if (!ctx->teedev->desc->ops->cancel_req) 611 return -EINVAL; 612 613 if (copy_from_user(&arg, uarg, sizeof(arg))) 614 return -EFAULT; 615 616 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id, 617 arg.session); 618 } 619 620 static int 621 tee_ioctl_close_session(struct tee_context *ctx, 622 struct tee_ioctl_close_session_arg __user *uarg) 623 { 624 struct tee_ioctl_close_session_arg arg; 625 626 if (!ctx->teedev->desc->ops->close_session) 627 return -EINVAL; 628 629 if (copy_from_user(&arg, uarg, sizeof(arg))) 630 return -EFAULT; 631 632 return ctx->teedev->desc->ops->close_session(ctx, arg.session); 633 } 634 635 static int params_to_supp(struct tee_context *ctx, 636 struct tee_ioctl_param __user *uparams, 637 size_t num_params, struct tee_param *params) 638 { 639 size_t n; 640 641 for (n = 0; n < num_params; n++) { 642 struct tee_ioctl_param ip; 643 struct tee_param *p = params + n; 644 645 ip.attr = p->attr; 646 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 647 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 648 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 649 ip.a = p->u.value.a; 650 ip.b = p->u.value.b; 651 ip.c = p->u.value.c; 652 break; 653 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 654 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 655 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 656 ip.b = p->u.memref.size; 657 if (!p->u.memref.shm) { 658 ip.a = 0; 659 ip.c = (u64)-1; /* invalid shm id */ 660 break; 661 } 662 ip.a = p->u.memref.shm_offs; 663 ip.c = p->u.memref.shm->id; 664 break; 665 default: 666 ip.a = 0; 667 ip.b = 0; 668 ip.c = 0; 669 break; 670 } 671 672 if (copy_to_user(uparams + n, &ip, sizeof(ip))) 673 return -EFAULT; 674 } 675 676 return 0; 677 } 678 679 static int tee_ioctl_supp_recv(struct tee_context *ctx, 680 struct tee_ioctl_buf_data __user *ubuf) 681 { 682 int rc; 683 struct tee_ioctl_buf_data buf; 684 struct tee_iocl_supp_recv_arg __user *uarg; 685 struct tee_param *params; 686 u32 num_params; 687 u32 func; 688 689 if (!ctx->teedev->desc->ops->supp_recv) 690 return -EINVAL; 691 692 if (copy_from_user(&buf, ubuf, sizeof(buf))) 693 return -EFAULT; 694 695 if (buf.buf_len > TEE_MAX_ARG_SIZE || 696 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg)) 697 return -EINVAL; 698 699 uarg = u64_to_user_ptr(buf.buf_ptr); 700 if (get_user(num_params, &uarg->num_params)) 701 return -EFAULT; 702 703 if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len) 704 return -EINVAL; 705 706 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 707 if (!params) 708 return -ENOMEM; 709 710 rc = params_from_user(ctx, params, num_params, uarg->params); 711 if (rc) 712 goto out; 713 714 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); 715 if (rc) 716 goto out; 717 718 if (put_user(func, &uarg->func) || 719 put_user(num_params, &uarg->num_params)) { 720 rc = -EFAULT; 721 goto out; 722 } 723 724 rc = params_to_supp(ctx, uarg->params, num_params, params); 725 out: 726 kfree(params); 727 return rc; 728 } 729 730 static int params_from_supp(struct tee_param *params, size_t num_params, 731 struct tee_ioctl_param __user *uparams) 732 { 733 size_t n; 734 735 for (n = 0; n < num_params; n++) { 736 struct tee_param *p = params + n; 737 struct tee_ioctl_param ip; 738 739 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 740 return -EFAULT; 741 742 /* All unused attribute bits has to be zero */ 743 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 744 return -EINVAL; 745 746 p->attr = ip.attr; 747 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 748 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 749 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 750 /* Only out and in/out values can be updated */ 751 p->u.value.a = ip.a; 752 p->u.value.b = ip.b; 753 p->u.value.c = ip.c; 754 break; 755 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 756 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 757 /* 758 * Only the size of the memref can be updated. 759 * Since we don't have access to the original 760 * parameters here, only store the supplied size. 761 * The driver will copy the updated size into the 762 * original parameters. 763 */ 764 p->u.memref.shm = NULL; 765 p->u.memref.shm_offs = 0; 766 p->u.memref.size = ip.b; 767 break; 768 default: 769 memset(&p->u, 0, sizeof(p->u)); 770 break; 771 } 772 } 773 return 0; 774 } 775 776 static int tee_ioctl_supp_send(struct tee_context *ctx, 777 struct tee_ioctl_buf_data __user *ubuf) 778 { 779 long rc; 780 struct tee_ioctl_buf_data buf; 781 struct tee_iocl_supp_send_arg __user *uarg; 782 struct tee_param *params; 783 u32 num_params; 784 u32 ret; 785 786 /* Not valid for this driver */ 787 if (!ctx->teedev->desc->ops->supp_send) 788 return -EINVAL; 789 790 if (copy_from_user(&buf, ubuf, sizeof(buf))) 791 return -EFAULT; 792 793 if (buf.buf_len > TEE_MAX_ARG_SIZE || 794 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg)) 795 return -EINVAL; 796 797 uarg = u64_to_user_ptr(buf.buf_ptr); 798 if (get_user(ret, &uarg->ret) || 799 get_user(num_params, &uarg->num_params)) 800 return -EFAULT; 801 802 if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len) 803 return -EINVAL; 804 805 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 806 if (!params) 807 return -ENOMEM; 808 809 rc = params_from_supp(params, num_params, uarg->params); 810 if (rc) 811 goto out; 812 813 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params); 814 out: 815 kfree(params); 816 return rc; 817 } 818 819 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 820 { 821 struct tee_context *ctx = filp->private_data; 822 void __user *uarg = (void __user *)arg; 823 824 switch (cmd) { 825 case TEE_IOC_VERSION: 826 return tee_ioctl_version(ctx, uarg); 827 case TEE_IOC_SHM_ALLOC: 828 return tee_ioctl_shm_alloc(ctx, uarg); 829 case TEE_IOC_SHM_REGISTER: 830 return tee_ioctl_shm_register(ctx, uarg); 831 case TEE_IOC_OPEN_SESSION: 832 return tee_ioctl_open_session(ctx, uarg); 833 case TEE_IOC_INVOKE: 834 return tee_ioctl_invoke(ctx, uarg); 835 case TEE_IOC_CANCEL: 836 return tee_ioctl_cancel(ctx, uarg); 837 case TEE_IOC_CLOSE_SESSION: 838 return tee_ioctl_close_session(ctx, uarg); 839 case TEE_IOC_SUPPL_RECV: 840 return tee_ioctl_supp_recv(ctx, uarg); 841 case TEE_IOC_SUPPL_SEND: 842 return tee_ioctl_supp_send(ctx, uarg); 843 default: 844 return -EINVAL; 845 } 846 } 847 848 static const struct file_operations tee_fops = { 849 .owner = THIS_MODULE, 850 .open = tee_open, 851 .release = tee_release, 852 .unlocked_ioctl = tee_ioctl, 853 .compat_ioctl = compat_ptr_ioctl, 854 }; 855 856 static void tee_release_device(struct device *dev) 857 { 858 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 859 860 spin_lock(&driver_lock); 861 clear_bit(teedev->id, dev_mask); 862 spin_unlock(&driver_lock); 863 mutex_destroy(&teedev->mutex); 864 idr_destroy(&teedev->idr); 865 kfree(teedev); 866 } 867 868 /** 869 * tee_device_alloc() - Allocate a new struct tee_device instance 870 * @teedesc: Descriptor for this driver 871 * @dev: Parent device for this device 872 * @pool: Shared memory pool, NULL if not used 873 * @driver_data: Private driver data for this device 874 * 875 * Allocates a new struct tee_device instance. The device is 876 * removed by tee_device_unregister(). 877 * 878 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure 879 */ 880 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, 881 struct device *dev, 882 struct tee_shm_pool *pool, 883 void *driver_data) 884 { 885 struct tee_device *teedev; 886 void *ret; 887 int rc, max_id; 888 int offs = 0; 889 890 if (!teedesc || !teedesc->name || !teedesc->ops || 891 !teedesc->ops->get_version || !teedesc->ops->open || 892 !teedesc->ops->release || !pool) 893 return ERR_PTR(-EINVAL); 894 895 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); 896 if (!teedev) { 897 ret = ERR_PTR(-ENOMEM); 898 goto err; 899 } 900 901 max_id = TEE_NUM_DEVICES / 2; 902 903 if (teedesc->flags & TEE_DESC_PRIVILEGED) { 904 offs = TEE_NUM_DEVICES / 2; 905 max_id = TEE_NUM_DEVICES; 906 } 907 908 spin_lock(&driver_lock); 909 teedev->id = find_next_zero_bit(dev_mask, max_id, offs); 910 if (teedev->id < max_id) 911 set_bit(teedev->id, dev_mask); 912 spin_unlock(&driver_lock); 913 914 if (teedev->id >= max_id) { 915 ret = ERR_PTR(-ENOMEM); 916 goto err; 917 } 918 919 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d", 920 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "", 921 teedev->id - offs); 922 923 teedev->dev.class = &tee_class; 924 teedev->dev.release = tee_release_device; 925 teedev->dev.parent = dev; 926 927 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id); 928 929 rc = dev_set_name(&teedev->dev, "%s", teedev->name); 930 if (rc) { 931 ret = ERR_PTR(rc); 932 goto err_devt; 933 } 934 935 cdev_init(&teedev->cdev, &tee_fops); 936 teedev->cdev.owner = teedesc->owner; 937 938 dev_set_drvdata(&teedev->dev, driver_data); 939 device_initialize(&teedev->dev); 940 941 /* 1 as tee_device_unregister() does one final tee_device_put() */ 942 teedev->num_users = 1; 943 init_completion(&teedev->c_no_users); 944 mutex_init(&teedev->mutex); 945 idr_init(&teedev->idr); 946 947 teedev->desc = teedesc; 948 teedev->pool = pool; 949 950 return teedev; 951 err_devt: 952 unregister_chrdev_region(teedev->dev.devt, 1); 953 err: 954 pr_err("could not register %s driver\n", 955 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client"); 956 if (teedev && teedev->id < TEE_NUM_DEVICES) { 957 spin_lock(&driver_lock); 958 clear_bit(teedev->id, dev_mask); 959 spin_unlock(&driver_lock); 960 } 961 kfree(teedev); 962 return ret; 963 } 964 EXPORT_SYMBOL_GPL(tee_device_alloc); 965 966 void tee_device_set_dev_groups(struct tee_device *teedev, 967 const struct attribute_group **dev_groups) 968 { 969 teedev->dev.groups = dev_groups; 970 } 971 EXPORT_SYMBOL_GPL(tee_device_set_dev_groups); 972 973 static ssize_t implementation_id_show(struct device *dev, 974 struct device_attribute *attr, char *buf) 975 { 976 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 977 struct tee_ioctl_version_data vers; 978 979 teedev->desc->ops->get_version(teedev, &vers); 980 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id); 981 } 982 static DEVICE_ATTR_RO(implementation_id); 983 984 static struct attribute *tee_dev_attrs[] = { 985 &dev_attr_implementation_id.attr, 986 NULL 987 }; 988 989 ATTRIBUTE_GROUPS(tee_dev); 990 991 static const struct class tee_class = { 992 .name = "tee", 993 .dev_groups = tee_dev_groups, 994 }; 995 996 /** 997 * tee_device_register() - Registers a TEE device 998 * @teedev: Device to register 999 * 1000 * tee_device_unregister() need to be called to remove the @teedev if 1001 * this function fails. 1002 * 1003 * @returns < 0 on failure 1004 */ 1005 int tee_device_register(struct tee_device *teedev) 1006 { 1007 int rc; 1008 1009 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { 1010 dev_err(&teedev->dev, "attempt to register twice\n"); 1011 return -EINVAL; 1012 } 1013 1014 rc = cdev_device_add(&teedev->cdev, &teedev->dev); 1015 if (rc) { 1016 dev_err(&teedev->dev, 1017 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n", 1018 teedev->name, MAJOR(teedev->dev.devt), 1019 MINOR(teedev->dev.devt), rc); 1020 return rc; 1021 } 1022 1023 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED; 1024 return 0; 1025 } 1026 EXPORT_SYMBOL_GPL(tee_device_register); 1027 1028 void tee_device_put(struct tee_device *teedev) 1029 { 1030 mutex_lock(&teedev->mutex); 1031 /* Shouldn't put in this state */ 1032 if (!WARN_ON(!teedev->desc)) { 1033 teedev->num_users--; 1034 if (!teedev->num_users) { 1035 teedev->desc = NULL; 1036 complete(&teedev->c_no_users); 1037 } 1038 } 1039 mutex_unlock(&teedev->mutex); 1040 } 1041 1042 bool tee_device_get(struct tee_device *teedev) 1043 { 1044 mutex_lock(&teedev->mutex); 1045 if (!teedev->desc) { 1046 mutex_unlock(&teedev->mutex); 1047 return false; 1048 } 1049 teedev->num_users++; 1050 mutex_unlock(&teedev->mutex); 1051 return true; 1052 } 1053 1054 /** 1055 * tee_device_unregister() - Removes a TEE device 1056 * @teedev: Device to unregister 1057 * 1058 * This function should be called to remove the @teedev even if 1059 * tee_device_register() hasn't been called yet. Does nothing if 1060 * @teedev is NULL. 1061 */ 1062 void tee_device_unregister(struct tee_device *teedev) 1063 { 1064 if (!teedev) 1065 return; 1066 1067 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) 1068 cdev_device_del(&teedev->cdev, &teedev->dev); 1069 1070 tee_device_put(teedev); 1071 wait_for_completion(&teedev->c_no_users); 1072 1073 /* 1074 * No need to take a mutex any longer now since teedev->desc was 1075 * set to NULL before teedev->c_no_users was completed. 1076 */ 1077 1078 teedev->pool = NULL; 1079 1080 put_device(&teedev->dev); 1081 } 1082 EXPORT_SYMBOL_GPL(tee_device_unregister); 1083 1084 /** 1085 * tee_get_drvdata() - Return driver_data pointer 1086 * @teedev: Device containing the driver_data pointer 1087 * @returns the driver_data pointer supplied to tee_device_alloc(). 1088 */ 1089 void *tee_get_drvdata(struct tee_device *teedev) 1090 { 1091 return dev_get_drvdata(&teedev->dev); 1092 } 1093 EXPORT_SYMBOL_GPL(tee_get_drvdata); 1094 1095 struct match_dev_data { 1096 struct tee_ioctl_version_data *vers; 1097 const void *data; 1098 int (*match)(struct tee_ioctl_version_data *, const void *); 1099 }; 1100 1101 static int match_dev(struct device *dev, const void *data) 1102 { 1103 const struct match_dev_data *match_data = data; 1104 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 1105 1106 teedev->desc->ops->get_version(teedev, match_data->vers); 1107 return match_data->match(match_data->vers, match_data->data); 1108 } 1109 1110 struct tee_context * 1111 tee_client_open_context(struct tee_context *start, 1112 int (*match)(struct tee_ioctl_version_data *, 1113 const void *), 1114 const void *data, struct tee_ioctl_version_data *vers) 1115 { 1116 struct device *dev = NULL; 1117 struct device *put_dev = NULL; 1118 struct tee_context *ctx = NULL; 1119 struct tee_ioctl_version_data v; 1120 struct match_dev_data match_data = { vers ? vers : &v, data, match }; 1121 1122 if (start) 1123 dev = &start->teedev->dev; 1124 1125 do { 1126 dev = class_find_device(&tee_class, dev, &match_data, match_dev); 1127 if (!dev) { 1128 ctx = ERR_PTR(-ENOENT); 1129 break; 1130 } 1131 1132 put_device(put_dev); 1133 put_dev = dev; 1134 1135 ctx = teedev_open(container_of(dev, struct tee_device, dev)); 1136 } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM); 1137 1138 put_device(put_dev); 1139 /* 1140 * Default behaviour for in kernel client is to not wait for 1141 * tee-supplicant if not present for any requests in this context. 1142 * Also this flag could be configured again before call to 1143 * tee_client_open_session() if any in kernel client requires 1144 * different behaviour. 1145 */ 1146 if (!IS_ERR(ctx)) 1147 ctx->supp_nowait = true; 1148 1149 return ctx; 1150 } 1151 EXPORT_SYMBOL_GPL(tee_client_open_context); 1152 1153 void tee_client_close_context(struct tee_context *ctx) 1154 { 1155 teedev_close_context(ctx); 1156 } 1157 EXPORT_SYMBOL_GPL(tee_client_close_context); 1158 1159 void tee_client_get_version(struct tee_context *ctx, 1160 struct tee_ioctl_version_data *vers) 1161 { 1162 ctx->teedev->desc->ops->get_version(ctx->teedev, vers); 1163 } 1164 EXPORT_SYMBOL_GPL(tee_client_get_version); 1165 1166 int tee_client_open_session(struct tee_context *ctx, 1167 struct tee_ioctl_open_session_arg *arg, 1168 struct tee_param *param) 1169 { 1170 if (!ctx->teedev->desc->ops->open_session) 1171 return -EINVAL; 1172 return ctx->teedev->desc->ops->open_session(ctx, arg, param); 1173 } 1174 EXPORT_SYMBOL_GPL(tee_client_open_session); 1175 1176 int tee_client_close_session(struct tee_context *ctx, u32 session) 1177 { 1178 if (!ctx->teedev->desc->ops->close_session) 1179 return -EINVAL; 1180 return ctx->teedev->desc->ops->close_session(ctx, session); 1181 } 1182 EXPORT_SYMBOL_GPL(tee_client_close_session); 1183 1184 int tee_client_system_session(struct tee_context *ctx, u32 session) 1185 { 1186 if (!ctx->teedev->desc->ops->system_session) 1187 return -EINVAL; 1188 return ctx->teedev->desc->ops->system_session(ctx, session); 1189 } 1190 EXPORT_SYMBOL_GPL(tee_client_system_session); 1191 1192 int tee_client_invoke_func(struct tee_context *ctx, 1193 struct tee_ioctl_invoke_arg *arg, 1194 struct tee_param *param) 1195 { 1196 if (!ctx->teedev->desc->ops->invoke_func) 1197 return -EINVAL; 1198 return ctx->teedev->desc->ops->invoke_func(ctx, arg, param); 1199 } 1200 EXPORT_SYMBOL_GPL(tee_client_invoke_func); 1201 1202 int tee_client_cancel_req(struct tee_context *ctx, 1203 struct tee_ioctl_cancel_arg *arg) 1204 { 1205 if (!ctx->teedev->desc->ops->cancel_req) 1206 return -EINVAL; 1207 return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id, 1208 arg->session); 1209 } 1210 1211 static int tee_client_device_match(struct device *dev, 1212 const struct device_driver *drv) 1213 { 1214 const struct tee_client_device_id *id_table; 1215 struct tee_client_device *tee_device; 1216 1217 id_table = to_tee_client_driver(drv)->id_table; 1218 tee_device = to_tee_client_device(dev); 1219 1220 while (!uuid_is_null(&id_table->uuid)) { 1221 if (uuid_equal(&tee_device->id.uuid, &id_table->uuid)) 1222 return 1; 1223 id_table++; 1224 } 1225 1226 return 0; 1227 } 1228 1229 static int tee_client_device_uevent(const struct device *dev, 1230 struct kobj_uevent_env *env) 1231 { 1232 uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid; 1233 1234 return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id); 1235 } 1236 1237 const struct bus_type tee_bus_type = { 1238 .name = "tee", 1239 .match = tee_client_device_match, 1240 .uevent = tee_client_device_uevent, 1241 }; 1242 EXPORT_SYMBOL_GPL(tee_bus_type); 1243 1244 static int __init tee_init(void) 1245 { 1246 int rc; 1247 1248 rc = class_register(&tee_class); 1249 if (rc) { 1250 pr_err("couldn't create class\n"); 1251 return rc; 1252 } 1253 1254 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee"); 1255 if (rc) { 1256 pr_err("failed to allocate char dev region\n"); 1257 goto out_unreg_class; 1258 } 1259 1260 rc = bus_register(&tee_bus_type); 1261 if (rc) { 1262 pr_err("failed to register tee bus\n"); 1263 goto out_unreg_chrdev; 1264 } 1265 1266 return 0; 1267 1268 out_unreg_chrdev: 1269 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1270 out_unreg_class: 1271 class_unregister(&tee_class); 1272 1273 return rc; 1274 } 1275 1276 static void __exit tee_exit(void) 1277 { 1278 bus_unregister(&tee_bus_type); 1279 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1280 class_unregister(&tee_class); 1281 } 1282 1283 subsys_initcall(tee_init); 1284 module_exit(tee_exit); 1285 1286 MODULE_AUTHOR("Linaro"); 1287 MODULE_DESCRIPTION("TEE Driver"); 1288 MODULE_VERSION("1.0"); 1289 MODULE_LICENSE("GPL v2"); 1290