open-dice.c (5513B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (C) 2021 - Google LLC 4 * Author: David Brazdil <dbrazdil@google.com> 5 * 6 * Driver for Open Profile for DICE. 7 * 8 * This driver takes ownership of a reserved memory region containing data 9 * generated by the Open Profile for DICE measured boot protocol. The memory 10 * contents are not interpreted by the kernel but can be mapped into a userspace 11 * process via a misc device. Userspace can also request a wipe of the memory. 12 * 13 * Userspace can access the data with (w/o error handling): 14 * 15 * fd = open("/dev/open-dice0", O_RDWR); 16 * read(fd, &size, sizeof(unsigned long)); 17 * data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); 18 * write(fd, NULL, 0); // wipe 19 * close(fd); 20 */ 21 22#include <linux/io.h> 23#include <linux/miscdevice.h> 24#include <linux/mm.h> 25#include <linux/module.h> 26#include <linux/of_reserved_mem.h> 27#include <linux/platform_device.h> 28 29#define DRIVER_NAME "open-dice" 30 31struct open_dice_drvdata { 32 struct mutex lock; 33 char name[16]; 34 struct reserved_mem *rmem; 35 struct miscdevice misc; 36}; 37 38static inline struct open_dice_drvdata *to_open_dice_drvdata(struct file *filp) 39{ 40 return container_of(filp->private_data, struct open_dice_drvdata, misc); 41} 42 43static int open_dice_wipe(struct open_dice_drvdata *drvdata) 44{ 45 void *kaddr; 46 47 mutex_lock(&drvdata->lock); 48 kaddr = devm_memremap(drvdata->misc.this_device, drvdata->rmem->base, 49 drvdata->rmem->size, MEMREMAP_WC); 50 if (IS_ERR(kaddr)) { 51 mutex_unlock(&drvdata->lock); 52 return PTR_ERR(kaddr); 53 } 54 55 memset(kaddr, 0, drvdata->rmem->size); 56 devm_memunmap(drvdata->misc.this_device, kaddr); 57 mutex_unlock(&drvdata->lock); 58 return 0; 59} 60 61/* 62 * Copies the size of the reserved memory region to the user-provided buffer. 63 */ 64static ssize_t open_dice_read(struct file *filp, char __user *ptr, size_t len, 65 loff_t *off) 66{ 67 unsigned long val = to_open_dice_drvdata(filp)->rmem->size; 68 69 return simple_read_from_buffer(ptr, len, off, &val, sizeof(val)); 70} 71 72/* 73 * Triggers a wipe of the reserved memory region. The user-provided pointer 74 * is never dereferenced. 75 */ 76static ssize_t open_dice_write(struct file *filp, const char __user *ptr, 77 size_t len, loff_t *off) 78{ 79 if (open_dice_wipe(to_open_dice_drvdata(filp))) 80 return -EIO; 81 82 /* Consume the input buffer. */ 83 return len; 84} 85 86/* 87 * Creates a mapping of the reserved memory region in user address space. 88 */ 89static int open_dice_mmap(struct file *filp, struct vm_area_struct *vma) 90{ 91 struct open_dice_drvdata *drvdata = to_open_dice_drvdata(filp); 92 93 /* Do not allow userspace to modify the underlying data. */ 94 if ((vma->vm_flags & VM_WRITE) && (vma->vm_flags & VM_SHARED)) 95 return -EPERM; 96 97 /* Ensure userspace cannot acquire VM_WRITE + VM_SHARED later. */ 98 if (vma->vm_flags & VM_WRITE) 99 vma->vm_flags &= ~VM_MAYSHARE; 100 else if (vma->vm_flags & VM_SHARED) 101 vma->vm_flags &= ~VM_MAYWRITE; 102 103 /* Create write-combine mapping so all clients observe a wipe. */ 104 vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot); 105 vma->vm_flags |= VM_DONTCOPY | VM_DONTDUMP; 106 return vm_iomap_memory(vma, drvdata->rmem->base, drvdata->rmem->size); 107} 108 109static const struct file_operations open_dice_fops = { 110 .owner = THIS_MODULE, 111 .read = open_dice_read, 112 .write = open_dice_write, 113 .mmap = open_dice_mmap, 114}; 115 116static int __init open_dice_probe(struct platform_device *pdev) 117{ 118 static unsigned int dev_idx; 119 struct device *dev = &pdev->dev; 120 struct reserved_mem *rmem; 121 struct open_dice_drvdata *drvdata; 122 int ret; 123 124 rmem = of_reserved_mem_lookup(dev->of_node); 125 if (!rmem) { 126 dev_err(dev, "failed to lookup reserved memory\n"); 127 return -EINVAL; 128 } 129 130 if (!rmem->size || (rmem->size > ULONG_MAX)) { 131 dev_err(dev, "invalid memory region size\n"); 132 return -EINVAL; 133 } 134 135 if (!PAGE_ALIGNED(rmem->base) || !PAGE_ALIGNED(rmem->size)) { 136 dev_err(dev, "memory region must be page-aligned\n"); 137 return -EINVAL; 138 } 139 140 drvdata = devm_kmalloc(dev, sizeof(*drvdata), GFP_KERNEL); 141 if (!drvdata) 142 return -ENOMEM; 143 144 *drvdata = (struct open_dice_drvdata){ 145 .lock = __MUTEX_INITIALIZER(drvdata->lock), 146 .rmem = rmem, 147 .misc = (struct miscdevice){ 148 .parent = dev, 149 .name = drvdata->name, 150 .minor = MISC_DYNAMIC_MINOR, 151 .fops = &open_dice_fops, 152 .mode = 0600, 153 }, 154 }; 155 156 /* Index overflow check not needed, misc_register() will fail. */ 157 snprintf(drvdata->name, sizeof(drvdata->name), DRIVER_NAME"%u", dev_idx++); 158 159 ret = misc_register(&drvdata->misc); 160 if (ret) { 161 dev_err(dev, "failed to register misc device '%s': %d\n", 162 drvdata->name, ret); 163 return ret; 164 } 165 166 platform_set_drvdata(pdev, drvdata); 167 return 0; 168} 169 170static int open_dice_remove(struct platform_device *pdev) 171{ 172 struct open_dice_drvdata *drvdata = platform_get_drvdata(pdev); 173 174 misc_deregister(&drvdata->misc); 175 return 0; 176} 177 178static const struct of_device_id open_dice_of_match[] = { 179 { .compatible = "google,open-dice" }, 180 {}, 181}; 182 183static struct platform_driver open_dice_driver = { 184 .remove = open_dice_remove, 185 .driver = { 186 .name = DRIVER_NAME, 187 .of_match_table = open_dice_of_match, 188 }, 189}; 190 191static int __init open_dice_init(void) 192{ 193 int ret = platform_driver_probe(&open_dice_driver, open_dice_probe); 194 195 /* DICE regions are optional. Succeed even with zero instances. */ 196 return (ret == -ENODEV) ? 0 : ret; 197} 198 199static void __exit open_dice_exit(void) 200{ 201 platform_driver_unregister(&open_dice_driver); 202} 203 204module_init(open_dice_init); 205module_exit(open_dice_exit); 206 207MODULE_LICENSE("GPL v2"); 208MODULE_AUTHOR("David Brazdil <dbrazdil@google.com>");