tee_core.c (30802B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (c) 2015-2016, Linaro Limited 4 */ 5 6#define pr_fmt(fmt) "%s: " fmt, __func__ 7 8#include <linux/cdev.h> 9#include <linux/cred.h> 10#include <linux/fs.h> 11#include <linux/idr.h> 12#include <linux/module.h> 13#include <linux/slab.h> 14#include <linux/tee_drv.h> 15#include <linux/uaccess.h> 16#include <crypto/hash.h> 17#include <crypto/sha1.h> 18#include "tee_private.h" 19 20#define TEE_NUM_DEVICES 32 21 22#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) 23 24#define TEE_UUID_NS_NAME_SIZE 128 25 26/* 27 * TEE Client UUID name space identifier (UUIDv4) 28 * 29 * Value here is random UUID that is allocated as name space identifier for 30 * forming Client UUID's for TEE environment using UUIDv5 scheme. 31 */ 32static const uuid_t tee_client_uuid_ns = UUID_INIT(0x58ac9ca0, 0x2086, 0x4683, 33 0xa1, 0xb8, 0xec, 0x4b, 34 0xc0, 0x8e, 0x01, 0xb6); 35 36/* 37 * Unprivileged devices in the lower half range and privileged devices in 38 * the upper half range. 39 */ 40static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES); 41static DEFINE_SPINLOCK(driver_lock); 42 43static struct class *tee_class; 44static dev_t tee_devt; 45 46struct tee_context *teedev_open(struct tee_device *teedev) 47{ 48 int rc; 49 struct tee_context *ctx; 50 51 if (!tee_device_get(teedev)) 52 return ERR_PTR(-EINVAL); 53 54 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 55 if (!ctx) { 56 rc = -ENOMEM; 57 goto err; 58 } 59 60 kref_init(&ctx->refcount); 61 ctx->teedev = teedev; 62 rc = teedev->desc->ops->open(ctx); 63 if (rc) 64 goto err; 65 66 return ctx; 67err: 68 kfree(ctx); 69 tee_device_put(teedev); 70 return ERR_PTR(rc); 71 72} 73EXPORT_SYMBOL_GPL(teedev_open); 74 75void teedev_ctx_get(struct tee_context *ctx) 76{ 77 if (ctx->releasing) 78 return; 79 80 kref_get(&ctx->refcount); 81} 82 83static void teedev_ctx_release(struct kref *ref) 84{ 85 struct tee_context *ctx = container_of(ref, struct tee_context, 86 refcount); 87 ctx->releasing = true; 88 ctx->teedev->desc->ops->release(ctx); 89 kfree(ctx); 90} 91 92void teedev_ctx_put(struct tee_context *ctx) 93{ 94 if (ctx->releasing) 95 return; 96 97 kref_put(&ctx->refcount, teedev_ctx_release); 98} 99 100void teedev_close_context(struct tee_context *ctx) 101{ 102 struct tee_device *teedev = ctx->teedev; 103 104 teedev_ctx_put(ctx); 105 tee_device_put(teedev); 106} 107EXPORT_SYMBOL_GPL(teedev_close_context); 108 109static int tee_open(struct inode *inode, struct file *filp) 110{ 111 struct tee_context *ctx; 112 113 ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev)); 114 if (IS_ERR(ctx)) 115 return PTR_ERR(ctx); 116 117 /* 118 * Default user-space behaviour is to wait for tee-supplicant 119 * if not present for any requests in this context. 120 */ 121 ctx->supp_nowait = false; 122 filp->private_data = ctx; 123 return 0; 124} 125 126static int tee_release(struct inode *inode, struct file *filp) 127{ 128 teedev_close_context(filp->private_data); 129 return 0; 130} 131 132/** 133 * uuid_v5() - Calculate UUIDv5 134 * @uuid: Resulting UUID 135 * @ns: Name space ID for UUIDv5 function 136 * @name: Name for UUIDv5 function 137 * @size: Size of name 138 * 139 * UUIDv5 is specific in RFC 4122. 140 * 141 * This implements section (for SHA-1): 142 * 4.3. Algorithm for Creating a Name-Based UUID 143 */ 144static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name, 145 size_t size) 146{ 147 unsigned char hash[SHA1_DIGEST_SIZE]; 148 struct crypto_shash *shash = NULL; 149 struct shash_desc *desc = NULL; 150 int rc; 151 152 shash = crypto_alloc_shash("sha1", 0, 0); 153 if (IS_ERR(shash)) { 154 rc = PTR_ERR(shash); 155 pr_err("shash(sha1) allocation failed\n"); 156 return rc; 157 } 158 159 desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), 160 GFP_KERNEL); 161 if (!desc) { 162 rc = -ENOMEM; 163 goto out_free_shash; 164 } 165 166 desc->tfm = shash; 167 168 rc = crypto_shash_init(desc); 169 if (rc < 0) 170 goto out_free_desc; 171 172 rc = crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns)); 173 if (rc < 0) 174 goto out_free_desc; 175 176 rc = crypto_shash_update(desc, (const u8 *)name, size); 177 if (rc < 0) 178 goto out_free_desc; 179 180 rc = crypto_shash_final(desc, hash); 181 if (rc < 0) 182 goto out_free_desc; 183 184 memcpy(uuid->b, hash, UUID_SIZE); 185 186 /* Tag for version 5 */ 187 uuid->b[6] = (hash[6] & 0x0F) | 0x50; 188 uuid->b[8] = (hash[8] & 0x3F) | 0x80; 189 190out_free_desc: 191 kfree(desc); 192 193out_free_shash: 194 crypto_free_shash(shash); 195 return rc; 196} 197 198int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, 199 const u8 connection_data[TEE_IOCTL_UUID_LEN]) 200{ 201 gid_t ns_grp = (gid_t)-1; 202 kgid_t grp = INVALID_GID; 203 char *name = NULL; 204 int name_len; 205 int rc; 206 207 if (connection_method == TEE_IOCTL_LOGIN_PUBLIC || 208 connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) { 209 /* Nil UUID to be passed to TEE environment */ 210 uuid_copy(uuid, &uuid_null); 211 return 0; 212 } 213 214 /* 215 * In Linux environment client UUID is based on UUIDv5. 216 * 217 * Determine client UUID with following semantics for 'name': 218 * 219 * For TEEC_LOGIN_USER: 220 * uid=<uid> 221 * 222 * For TEEC_LOGIN_GROUP: 223 * gid=<gid> 224 * 225 */ 226 227 name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL); 228 if (!name) 229 return -ENOMEM; 230 231 switch (connection_method) { 232 case TEE_IOCTL_LOGIN_USER: 233 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x", 234 current_euid().val); 235 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 236 rc = -E2BIG; 237 goto out_free_name; 238 } 239 break; 240 241 case TEE_IOCTL_LOGIN_GROUP: 242 memcpy(&ns_grp, connection_data, sizeof(gid_t)); 243 grp = make_kgid(current_user_ns(), ns_grp); 244 if (!gid_valid(grp) || !in_egroup_p(grp)) { 245 rc = -EPERM; 246 goto out_free_name; 247 } 248 249 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x", 250 grp.val); 251 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 252 rc = -E2BIG; 253 goto out_free_name; 254 } 255 break; 256 257 default: 258 rc = -EINVAL; 259 goto out_free_name; 260 } 261 262 rc = uuid_v5(uuid, &tee_client_uuid_ns, name, name_len); 263out_free_name: 264 kfree(name); 265 266 return rc; 267} 268EXPORT_SYMBOL_GPL(tee_session_calc_client_uuid); 269 270static int tee_ioctl_version(struct tee_context *ctx, 271 struct tee_ioctl_version_data __user *uvers) 272{ 273 struct tee_ioctl_version_data vers; 274 275 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers); 276 277 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED) 278 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED; 279 280 if (copy_to_user(uvers, &vers, sizeof(vers))) 281 return -EFAULT; 282 283 return 0; 284} 285 286static int tee_ioctl_shm_alloc(struct tee_context *ctx, 287 struct tee_ioctl_shm_alloc_data __user *udata) 288{ 289 long ret; 290 struct tee_ioctl_shm_alloc_data data; 291 struct tee_shm *shm; 292 293 if (copy_from_user(&data, udata, sizeof(data))) 294 return -EFAULT; 295 296 /* Currently no input flags are supported */ 297 if (data.flags) 298 return -EINVAL; 299 300 shm = tee_shm_alloc_user_buf(ctx, data.size); 301 if (IS_ERR(shm)) 302 return PTR_ERR(shm); 303 304 data.id = shm->id; 305 data.size = shm->size; 306 307 if (copy_to_user(udata, &data, sizeof(data))) 308 ret = -EFAULT; 309 else 310 ret = tee_shm_get_fd(shm); 311 312 /* 313 * When user space closes the file descriptor the shared memory 314 * should be freed or if tee_shm_get_fd() failed then it will 315 * be freed immediately. 316 */ 317 tee_shm_put(shm); 318 return ret; 319} 320 321static int 322tee_ioctl_shm_register(struct tee_context *ctx, 323 struct tee_ioctl_shm_register_data __user *udata) 324{ 325 long ret; 326 struct tee_ioctl_shm_register_data data; 327 struct tee_shm *shm; 328 329 if (copy_from_user(&data, udata, sizeof(data))) 330 return -EFAULT; 331 332 /* Currently no input flags are supported */ 333 if (data.flags) 334 return -EINVAL; 335 336 shm = tee_shm_register_user_buf(ctx, data.addr, data.length); 337 if (IS_ERR(shm)) 338 return PTR_ERR(shm); 339 340 data.id = shm->id; 341 data.length = shm->size; 342 343 if (copy_to_user(udata, &data, sizeof(data))) 344 ret = -EFAULT; 345 else 346 ret = tee_shm_get_fd(shm); 347 /* 348 * When user space closes the file descriptor the shared memory 349 * should be freed or if tee_shm_get_fd() failed then it will 350 * be freed immediately. 351 */ 352 tee_shm_put(shm); 353 return ret; 354} 355 356static int params_from_user(struct tee_context *ctx, struct tee_param *params, 357 size_t num_params, 358 struct tee_ioctl_param __user *uparams) 359{ 360 size_t n; 361 362 for (n = 0; n < num_params; n++) { 363 struct tee_shm *shm; 364 struct tee_ioctl_param ip; 365 366 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 367 return -EFAULT; 368 369 /* All unused attribute bits has to be zero */ 370 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 371 return -EINVAL; 372 373 params[n].attr = ip.attr; 374 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 375 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: 376 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 377 break; 378 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 379 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 380 params[n].u.value.a = ip.a; 381 params[n].u.value.b = ip.b; 382 params[n].u.value.c = ip.c; 383 break; 384 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 385 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 386 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 387 /* 388 * If a NULL pointer is passed to a TA in the TEE, 389 * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL 390 * indicating a NULL memory reference. 391 */ 392 if (ip.c != TEE_MEMREF_NULL) { 393 /* 394 * If we fail to get a pointer to a shared 395 * memory object (and increase the ref count) 396 * from an identifier we return an error. All 397 * pointers that has been added in params have 398 * an increased ref count. It's the callers 399 * responibility to do tee_shm_put() on all 400 * resolved pointers. 401 */ 402 shm = tee_shm_get_from_id(ctx, ip.c); 403 if (IS_ERR(shm)) 404 return PTR_ERR(shm); 405 406 /* 407 * Ensure offset + size does not overflow 408 * offset and does not overflow the size of 409 * the referred shared memory object. 410 */ 411 if ((ip.a + ip.b) < ip.a || 412 (ip.a + ip.b) > shm->size) { 413 tee_shm_put(shm); 414 return -EINVAL; 415 } 416 } else if (ctx->cap_memref_null) { 417 /* Pass NULL pointer to OP-TEE */ 418 shm = NULL; 419 } else { 420 return -EINVAL; 421 } 422 423 params[n].u.memref.shm_offs = ip.a; 424 params[n].u.memref.size = ip.b; 425 params[n].u.memref.shm = shm; 426 break; 427 default: 428 /* Unknown attribute */ 429 return -EINVAL; 430 } 431 } 432 return 0; 433} 434 435static int params_to_user(struct tee_ioctl_param __user *uparams, 436 size_t num_params, struct tee_param *params) 437{ 438 size_t n; 439 440 for (n = 0; n < num_params; n++) { 441 struct tee_ioctl_param __user *up = uparams + n; 442 struct tee_param *p = params + n; 443 444 switch (p->attr) { 445 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 446 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 447 if (put_user(p->u.value.a, &up->a) || 448 put_user(p->u.value.b, &up->b) || 449 put_user(p->u.value.c, &up->c)) 450 return -EFAULT; 451 break; 452 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 453 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 454 if (put_user((u64)p->u.memref.size, &up->b)) 455 return -EFAULT; 456 break; 457 default: 458 break; 459 } 460 } 461 return 0; 462} 463 464static int tee_ioctl_open_session(struct tee_context *ctx, 465 struct tee_ioctl_buf_data __user *ubuf) 466{ 467 int rc; 468 size_t n; 469 struct tee_ioctl_buf_data buf; 470 struct tee_ioctl_open_session_arg __user *uarg; 471 struct tee_ioctl_open_session_arg arg; 472 struct tee_ioctl_param __user *uparams = NULL; 473 struct tee_param *params = NULL; 474 bool have_session = false; 475 476 if (!ctx->teedev->desc->ops->open_session) 477 return -EINVAL; 478 479 if (copy_from_user(&buf, ubuf, sizeof(buf))) 480 return -EFAULT; 481 482 if (buf.buf_len > TEE_MAX_ARG_SIZE || 483 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg)) 484 return -EINVAL; 485 486 uarg = u64_to_user_ptr(buf.buf_ptr); 487 if (copy_from_user(&arg, uarg, sizeof(arg))) 488 return -EFAULT; 489 490 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 491 return -EINVAL; 492 493 if (arg.num_params) { 494 params = kcalloc(arg.num_params, sizeof(struct tee_param), 495 GFP_KERNEL); 496 if (!params) 497 return -ENOMEM; 498 uparams = uarg->params; 499 rc = params_from_user(ctx, params, arg.num_params, uparams); 500 if (rc) 501 goto out; 502 } 503 504 if (arg.clnt_login >= TEE_IOCTL_LOGIN_REE_KERNEL_MIN && 505 arg.clnt_login <= TEE_IOCTL_LOGIN_REE_KERNEL_MAX) { 506 pr_debug("login method not allowed for user-space client\n"); 507 rc = -EPERM; 508 goto out; 509 } 510 511 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); 512 if (rc) 513 goto out; 514 have_session = true; 515 516 if (put_user(arg.session, &uarg->session) || 517 put_user(arg.ret, &uarg->ret) || 518 put_user(arg.ret_origin, &uarg->ret_origin)) { 519 rc = -EFAULT; 520 goto out; 521 } 522 rc = params_to_user(uparams, arg.num_params, params); 523out: 524 /* 525 * If we've succeeded to open the session but failed to communicate 526 * it back to user space, close the session again to avoid leakage. 527 */ 528 if (rc && have_session && ctx->teedev->desc->ops->close_session) 529 ctx->teedev->desc->ops->close_session(ctx, arg.session); 530 531 if (params) { 532 /* Decrease ref count for all valid shared memory pointers */ 533 for (n = 0; n < arg.num_params; n++) 534 if (tee_param_is_memref(params + n) && 535 params[n].u.memref.shm) 536 tee_shm_put(params[n].u.memref.shm); 537 kfree(params); 538 } 539 540 return rc; 541} 542 543static int tee_ioctl_invoke(struct tee_context *ctx, 544 struct tee_ioctl_buf_data __user *ubuf) 545{ 546 int rc; 547 size_t n; 548 struct tee_ioctl_buf_data buf; 549 struct tee_ioctl_invoke_arg __user *uarg; 550 struct tee_ioctl_invoke_arg arg; 551 struct tee_ioctl_param __user *uparams = NULL; 552 struct tee_param *params = NULL; 553 554 if (!ctx->teedev->desc->ops->invoke_func) 555 return -EINVAL; 556 557 if (copy_from_user(&buf, ubuf, sizeof(buf))) 558 return -EFAULT; 559 560 if (buf.buf_len > TEE_MAX_ARG_SIZE || 561 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg)) 562 return -EINVAL; 563 564 uarg = u64_to_user_ptr(buf.buf_ptr); 565 if (copy_from_user(&arg, uarg, sizeof(arg))) 566 return -EFAULT; 567 568 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 569 return -EINVAL; 570 571 if (arg.num_params) { 572 params = kcalloc(arg.num_params, sizeof(struct tee_param), 573 GFP_KERNEL); 574 if (!params) 575 return -ENOMEM; 576 uparams = uarg->params; 577 rc = params_from_user(ctx, params, arg.num_params, uparams); 578 if (rc) 579 goto out; 580 } 581 582 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params); 583 if (rc) 584 goto out; 585 586 if (put_user(arg.ret, &uarg->ret) || 587 put_user(arg.ret_origin, &uarg->ret_origin)) { 588 rc = -EFAULT; 589 goto out; 590 } 591 rc = params_to_user(uparams, arg.num_params, params); 592out: 593 if (params) { 594 /* Decrease ref count for all valid shared memory pointers */ 595 for (n = 0; n < arg.num_params; n++) 596 if (tee_param_is_memref(params + n) && 597 params[n].u.memref.shm) 598 tee_shm_put(params[n].u.memref.shm); 599 kfree(params); 600 } 601 return rc; 602} 603 604static int tee_ioctl_cancel(struct tee_context *ctx, 605 struct tee_ioctl_cancel_arg __user *uarg) 606{ 607 struct tee_ioctl_cancel_arg arg; 608 609 if (!ctx->teedev->desc->ops->cancel_req) 610 return -EINVAL; 611 612 if (copy_from_user(&arg, uarg, sizeof(arg))) 613 return -EFAULT; 614 615 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id, 616 arg.session); 617} 618 619static int 620tee_ioctl_close_session(struct tee_context *ctx, 621 struct tee_ioctl_close_session_arg __user *uarg) 622{ 623 struct tee_ioctl_close_session_arg arg; 624 625 if (!ctx->teedev->desc->ops->close_session) 626 return -EINVAL; 627 628 if (copy_from_user(&arg, uarg, sizeof(arg))) 629 return -EFAULT; 630 631 return ctx->teedev->desc->ops->close_session(ctx, arg.session); 632} 633 634static int params_to_supp(struct tee_context *ctx, 635 struct tee_ioctl_param __user *uparams, 636 size_t num_params, struct tee_param *params) 637{ 638 size_t n; 639 640 for (n = 0; n < num_params; n++) { 641 struct tee_ioctl_param ip; 642 struct tee_param *p = params + n; 643 644 ip.attr = p->attr; 645 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 646 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 647 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 648 ip.a = p->u.value.a; 649 ip.b = p->u.value.b; 650 ip.c = p->u.value.c; 651 break; 652 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 653 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 654 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 655 ip.b = p->u.memref.size; 656 if (!p->u.memref.shm) { 657 ip.a = 0; 658 ip.c = (u64)-1; /* invalid shm id */ 659 break; 660 } 661 ip.a = p->u.memref.shm_offs; 662 ip.c = p->u.memref.shm->id; 663 break; 664 default: 665 ip.a = 0; 666 ip.b = 0; 667 ip.c = 0; 668 break; 669 } 670 671 if (copy_to_user(uparams + n, &ip, sizeof(ip))) 672 return -EFAULT; 673 } 674 675 return 0; 676} 677 678static int tee_ioctl_supp_recv(struct tee_context *ctx, 679 struct tee_ioctl_buf_data __user *ubuf) 680{ 681 int rc; 682 struct tee_ioctl_buf_data buf; 683 struct tee_iocl_supp_recv_arg __user *uarg; 684 struct tee_param *params; 685 u32 num_params; 686 u32 func; 687 688 if (!ctx->teedev->desc->ops->supp_recv) 689 return -EINVAL; 690 691 if (copy_from_user(&buf, ubuf, sizeof(buf))) 692 return -EFAULT; 693 694 if (buf.buf_len > TEE_MAX_ARG_SIZE || 695 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg)) 696 return -EINVAL; 697 698 uarg = u64_to_user_ptr(buf.buf_ptr); 699 if (get_user(num_params, &uarg->num_params)) 700 return -EFAULT; 701 702 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) 703 return -EINVAL; 704 705 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 706 if (!params) 707 return -ENOMEM; 708 709 rc = params_from_user(ctx, params, num_params, uarg->params); 710 if (rc) 711 goto out; 712 713 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); 714 if (rc) 715 goto out; 716 717 if (put_user(func, &uarg->func) || 718 put_user(num_params, &uarg->num_params)) { 719 rc = -EFAULT; 720 goto out; 721 } 722 723 rc = params_to_supp(ctx, uarg->params, num_params, params); 724out: 725 kfree(params); 726 return rc; 727} 728 729static int params_from_supp(struct tee_param *params, size_t num_params, 730 struct tee_ioctl_param __user *uparams) 731{ 732 size_t n; 733 734 for (n = 0; n < num_params; n++) { 735 struct tee_param *p = params + n; 736 struct tee_ioctl_param ip; 737 738 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 739 return -EFAULT; 740 741 /* All unused attribute bits has to be zero */ 742 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 743 return -EINVAL; 744 745 p->attr = ip.attr; 746 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 747 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 748 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 749 /* Only out and in/out values can be updated */ 750 p->u.value.a = ip.a; 751 p->u.value.b = ip.b; 752 p->u.value.c = ip.c; 753 break; 754 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 755 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 756 /* 757 * Only the size of the memref can be updated. 758 * Since we don't have access to the original 759 * parameters here, only store the supplied size. 760 * The driver will copy the updated size into the 761 * original parameters. 762 */ 763 p->u.memref.shm = NULL; 764 p->u.memref.shm_offs = 0; 765 p->u.memref.size = ip.b; 766 break; 767 default: 768 memset(&p->u, 0, sizeof(p->u)); 769 break; 770 } 771 } 772 return 0; 773} 774 775static int tee_ioctl_supp_send(struct tee_context *ctx, 776 struct tee_ioctl_buf_data __user *ubuf) 777{ 778 long rc; 779 struct tee_ioctl_buf_data buf; 780 struct tee_iocl_supp_send_arg __user *uarg; 781 struct tee_param *params; 782 u32 num_params; 783 u32 ret; 784 785 /* Not valid for this driver */ 786 if (!ctx->teedev->desc->ops->supp_send) 787 return -EINVAL; 788 789 if (copy_from_user(&buf, ubuf, sizeof(buf))) 790 return -EFAULT; 791 792 if (buf.buf_len > TEE_MAX_ARG_SIZE || 793 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg)) 794 return -EINVAL; 795 796 uarg = u64_to_user_ptr(buf.buf_ptr); 797 if (get_user(ret, &uarg->ret) || 798 get_user(num_params, &uarg->num_params)) 799 return -EFAULT; 800 801 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) 802 return -EINVAL; 803 804 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 805 if (!params) 806 return -ENOMEM; 807 808 rc = params_from_supp(params, num_params, uarg->params); 809 if (rc) 810 goto out; 811 812 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params); 813out: 814 kfree(params); 815 return rc; 816} 817 818static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 819{ 820 struct tee_context *ctx = filp->private_data; 821 void __user *uarg = (void __user *)arg; 822 823 switch (cmd) { 824 case TEE_IOC_VERSION: 825 return tee_ioctl_version(ctx, uarg); 826 case TEE_IOC_SHM_ALLOC: 827 return tee_ioctl_shm_alloc(ctx, uarg); 828 case TEE_IOC_SHM_REGISTER: 829 return tee_ioctl_shm_register(ctx, uarg); 830 case TEE_IOC_OPEN_SESSION: 831 return tee_ioctl_open_session(ctx, uarg); 832 case TEE_IOC_INVOKE: 833 return tee_ioctl_invoke(ctx, uarg); 834 case TEE_IOC_CANCEL: 835 return tee_ioctl_cancel(ctx, uarg); 836 case TEE_IOC_CLOSE_SESSION: 837 return tee_ioctl_close_session(ctx, uarg); 838 case TEE_IOC_SUPPL_RECV: 839 return tee_ioctl_supp_recv(ctx, uarg); 840 case TEE_IOC_SUPPL_SEND: 841 return tee_ioctl_supp_send(ctx, uarg); 842 default: 843 return -EINVAL; 844 } 845} 846 847static const struct file_operations tee_fops = { 848 .owner = THIS_MODULE, 849 .open = tee_open, 850 .release = tee_release, 851 .unlocked_ioctl = tee_ioctl, 852 .compat_ioctl = compat_ptr_ioctl, 853}; 854 855static void tee_release_device(struct device *dev) 856{ 857 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 858 859 spin_lock(&driver_lock); 860 clear_bit(teedev->id, dev_mask); 861 spin_unlock(&driver_lock); 862 mutex_destroy(&teedev->mutex); 863 idr_destroy(&teedev->idr); 864 kfree(teedev); 865} 866 867/** 868 * tee_device_alloc() - Allocate a new struct tee_device instance 869 * @teedesc: Descriptor for this driver 870 * @dev: Parent device for this device 871 * @pool: Shared memory pool, NULL if not used 872 * @driver_data: Private driver data for this device 873 * 874 * Allocates a new struct tee_device instance. The device is 875 * removed by tee_device_unregister(). 876 * 877 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure 878 */ 879struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, 880 struct device *dev, 881 struct tee_shm_pool *pool, 882 void *driver_data) 883{ 884 struct tee_device *teedev; 885 void *ret; 886 int rc, max_id; 887 int offs = 0; 888 889 if (!teedesc || !teedesc->name || !teedesc->ops || 890 !teedesc->ops->get_version || !teedesc->ops->open || 891 !teedesc->ops->release || !pool) 892 return ERR_PTR(-EINVAL); 893 894 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); 895 if (!teedev) { 896 ret = ERR_PTR(-ENOMEM); 897 goto err; 898 } 899 900 max_id = TEE_NUM_DEVICES / 2; 901 902 if (teedesc->flags & TEE_DESC_PRIVILEGED) { 903 offs = TEE_NUM_DEVICES / 2; 904 max_id = TEE_NUM_DEVICES; 905 } 906 907 spin_lock(&driver_lock); 908 teedev->id = find_next_zero_bit(dev_mask, max_id, offs); 909 if (teedev->id < max_id) 910 set_bit(teedev->id, dev_mask); 911 spin_unlock(&driver_lock); 912 913 if (teedev->id >= max_id) { 914 ret = ERR_PTR(-ENOMEM); 915 goto err; 916 } 917 918 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d", 919 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "", 920 teedev->id - offs); 921 922 teedev->dev.class = tee_class; 923 teedev->dev.release = tee_release_device; 924 teedev->dev.parent = dev; 925 926 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id); 927 928 rc = dev_set_name(&teedev->dev, "%s", teedev->name); 929 if (rc) { 930 ret = ERR_PTR(rc); 931 goto err_devt; 932 } 933 934 cdev_init(&teedev->cdev, &tee_fops); 935 teedev->cdev.owner = teedesc->owner; 936 937 dev_set_drvdata(&teedev->dev, driver_data); 938 device_initialize(&teedev->dev); 939 940 /* 1 as tee_device_unregister() does one final tee_device_put() */ 941 teedev->num_users = 1; 942 init_completion(&teedev->c_no_users); 943 mutex_init(&teedev->mutex); 944 idr_init(&teedev->idr); 945 946 teedev->desc = teedesc; 947 teedev->pool = pool; 948 949 return teedev; 950err_devt: 951 unregister_chrdev_region(teedev->dev.devt, 1); 952err: 953 pr_err("could not register %s driver\n", 954 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client"); 955 if (teedev && teedev->id < TEE_NUM_DEVICES) { 956 spin_lock(&driver_lock); 957 clear_bit(teedev->id, dev_mask); 958 spin_unlock(&driver_lock); 959 } 960 kfree(teedev); 961 return ret; 962} 963EXPORT_SYMBOL_GPL(tee_device_alloc); 964 965static ssize_t implementation_id_show(struct device *dev, 966 struct device_attribute *attr, char *buf) 967{ 968 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 969 struct tee_ioctl_version_data vers; 970 971 teedev->desc->ops->get_version(teedev, &vers); 972 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id); 973} 974static DEVICE_ATTR_RO(implementation_id); 975 976static struct attribute *tee_dev_attrs[] = { 977 &dev_attr_implementation_id.attr, 978 NULL 979}; 980 981ATTRIBUTE_GROUPS(tee_dev); 982 983/** 984 * tee_device_register() - Registers a TEE device 985 * @teedev: Device to register 986 * 987 * tee_device_unregister() need to be called to remove the @teedev if 988 * this function fails. 989 * 990 * @returns < 0 on failure 991 */ 992int tee_device_register(struct tee_device *teedev) 993{ 994 int rc; 995 996 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { 997 dev_err(&teedev->dev, "attempt to register twice\n"); 998 return -EINVAL; 999 } 1000 1001 teedev->dev.groups = tee_dev_groups; 1002 1003 rc = cdev_device_add(&teedev->cdev, &teedev->dev); 1004 if (rc) { 1005 dev_err(&teedev->dev, 1006 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n", 1007 teedev->name, MAJOR(teedev->dev.devt), 1008 MINOR(teedev->dev.devt), rc); 1009 return rc; 1010 } 1011 1012 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED; 1013 return 0; 1014} 1015EXPORT_SYMBOL_GPL(tee_device_register); 1016 1017void tee_device_put(struct tee_device *teedev) 1018{ 1019 mutex_lock(&teedev->mutex); 1020 /* Shouldn't put in this state */ 1021 if (!WARN_ON(!teedev->desc)) { 1022 teedev->num_users--; 1023 if (!teedev->num_users) { 1024 teedev->desc = NULL; 1025 complete(&teedev->c_no_users); 1026 } 1027 } 1028 mutex_unlock(&teedev->mutex); 1029} 1030 1031bool tee_device_get(struct tee_device *teedev) 1032{ 1033 mutex_lock(&teedev->mutex); 1034 if (!teedev->desc) { 1035 mutex_unlock(&teedev->mutex); 1036 return false; 1037 } 1038 teedev->num_users++; 1039 mutex_unlock(&teedev->mutex); 1040 return true; 1041} 1042 1043/** 1044 * tee_device_unregister() - Removes a TEE device 1045 * @teedev: Device to unregister 1046 * 1047 * This function should be called to remove the @teedev even if 1048 * tee_device_register() hasn't been called yet. Does nothing if 1049 * @teedev is NULL. 1050 */ 1051void tee_device_unregister(struct tee_device *teedev) 1052{ 1053 if (!teedev) 1054 return; 1055 1056 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) 1057 cdev_device_del(&teedev->cdev, &teedev->dev); 1058 1059 tee_device_put(teedev); 1060 wait_for_completion(&teedev->c_no_users); 1061 1062 /* 1063 * No need to take a mutex any longer now since teedev->desc was 1064 * set to NULL before teedev->c_no_users was completed. 1065 */ 1066 1067 teedev->pool = NULL; 1068 1069 put_device(&teedev->dev); 1070} 1071EXPORT_SYMBOL_GPL(tee_device_unregister); 1072 1073/** 1074 * tee_get_drvdata() - Return driver_data pointer 1075 * @teedev: Device containing the driver_data pointer 1076 * @returns the driver_data pointer supplied to tee_register(). 1077 */ 1078void *tee_get_drvdata(struct tee_device *teedev) 1079{ 1080 return dev_get_drvdata(&teedev->dev); 1081} 1082EXPORT_SYMBOL_GPL(tee_get_drvdata); 1083 1084struct match_dev_data { 1085 struct tee_ioctl_version_data *vers; 1086 const void *data; 1087 int (*match)(struct tee_ioctl_version_data *, const void *); 1088}; 1089 1090static int match_dev(struct device *dev, const void *data) 1091{ 1092 const struct match_dev_data *match_data = data; 1093 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 1094 1095 teedev->desc->ops->get_version(teedev, match_data->vers); 1096 return match_data->match(match_data->vers, match_data->data); 1097} 1098 1099struct tee_context * 1100tee_client_open_context(struct tee_context *start, 1101 int (*match)(struct tee_ioctl_version_data *, 1102 const void *), 1103 const void *data, struct tee_ioctl_version_data *vers) 1104{ 1105 struct device *dev = NULL; 1106 struct device *put_dev = NULL; 1107 struct tee_context *ctx = NULL; 1108 struct tee_ioctl_version_data v; 1109 struct match_dev_data match_data = { vers ? vers : &v, data, match }; 1110 1111 if (start) 1112 dev = &start->teedev->dev; 1113 1114 do { 1115 dev = class_find_device(tee_class, dev, &match_data, match_dev); 1116 if (!dev) { 1117 ctx = ERR_PTR(-ENOENT); 1118 break; 1119 } 1120 1121 put_device(put_dev); 1122 put_dev = dev; 1123 1124 ctx = teedev_open(container_of(dev, struct tee_device, dev)); 1125 } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM); 1126 1127 put_device(put_dev); 1128 /* 1129 * Default behaviour for in kernel client is to not wait for 1130 * tee-supplicant if not present for any requests in this context. 1131 * Also this flag could be configured again before call to 1132 * tee_client_open_session() if any in kernel client requires 1133 * different behaviour. 1134 */ 1135 if (!IS_ERR(ctx)) 1136 ctx->supp_nowait = true; 1137 1138 return ctx; 1139} 1140EXPORT_SYMBOL_GPL(tee_client_open_context); 1141 1142void tee_client_close_context(struct tee_context *ctx) 1143{ 1144 teedev_close_context(ctx); 1145} 1146EXPORT_SYMBOL_GPL(tee_client_close_context); 1147 1148void tee_client_get_version(struct tee_context *ctx, 1149 struct tee_ioctl_version_data *vers) 1150{ 1151 ctx->teedev->desc->ops->get_version(ctx->teedev, vers); 1152} 1153EXPORT_SYMBOL_GPL(tee_client_get_version); 1154 1155int tee_client_open_session(struct tee_context *ctx, 1156 struct tee_ioctl_open_session_arg *arg, 1157 struct tee_param *param) 1158{ 1159 if (!ctx->teedev->desc->ops->open_session) 1160 return -EINVAL; 1161 return ctx->teedev->desc->ops->open_session(ctx, arg, param); 1162} 1163EXPORT_SYMBOL_GPL(tee_client_open_session); 1164 1165int tee_client_close_session(struct tee_context *ctx, u32 session) 1166{ 1167 if (!ctx->teedev->desc->ops->close_session) 1168 return -EINVAL; 1169 return ctx->teedev->desc->ops->close_session(ctx, session); 1170} 1171EXPORT_SYMBOL_GPL(tee_client_close_session); 1172 1173int tee_client_invoke_func(struct tee_context *ctx, 1174 struct tee_ioctl_invoke_arg *arg, 1175 struct tee_param *param) 1176{ 1177 if (!ctx->teedev->desc->ops->invoke_func) 1178 return -EINVAL; 1179 return ctx->teedev->desc->ops->invoke_func(ctx, arg, param); 1180} 1181EXPORT_SYMBOL_GPL(tee_client_invoke_func); 1182 1183int tee_client_cancel_req(struct tee_context *ctx, 1184 struct tee_ioctl_cancel_arg *arg) 1185{ 1186 if (!ctx->teedev->desc->ops->cancel_req) 1187 return -EINVAL; 1188 return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id, 1189 arg->session); 1190} 1191 1192static int tee_client_device_match(struct device *dev, 1193 struct device_driver *drv) 1194{ 1195 const struct tee_client_device_id *id_table; 1196 struct tee_client_device *tee_device; 1197 1198 id_table = to_tee_client_driver(drv)->id_table; 1199 tee_device = to_tee_client_device(dev); 1200 1201 while (!uuid_is_null(&id_table->uuid)) { 1202 if (uuid_equal(&tee_device->id.uuid, &id_table->uuid)) 1203 return 1; 1204 id_table++; 1205 } 1206 1207 return 0; 1208} 1209 1210static int tee_client_device_uevent(struct device *dev, 1211 struct kobj_uevent_env *env) 1212{ 1213 uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid; 1214 1215 return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id); 1216} 1217 1218struct bus_type tee_bus_type = { 1219 .name = "tee", 1220 .match = tee_client_device_match, 1221 .uevent = tee_client_device_uevent, 1222}; 1223EXPORT_SYMBOL_GPL(tee_bus_type); 1224 1225static int __init tee_init(void) 1226{ 1227 int rc; 1228 1229 tee_class = class_create(THIS_MODULE, "tee"); 1230 if (IS_ERR(tee_class)) { 1231 pr_err("couldn't create class\n"); 1232 return PTR_ERR(tee_class); 1233 } 1234 1235 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee"); 1236 if (rc) { 1237 pr_err("failed to allocate char dev region\n"); 1238 goto out_unreg_class; 1239 } 1240 1241 rc = bus_register(&tee_bus_type); 1242 if (rc) { 1243 pr_err("failed to register tee bus\n"); 1244 goto out_unreg_chrdev; 1245 } 1246 1247 return 0; 1248 1249out_unreg_chrdev: 1250 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1251out_unreg_class: 1252 class_destroy(tee_class); 1253 tee_class = NULL; 1254 1255 return rc; 1256} 1257 1258static void __exit tee_exit(void) 1259{ 1260 bus_unregister(&tee_bus_type); 1261 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1262 class_destroy(tee_class); 1263 tee_class = NULL; 1264} 1265 1266subsys_initcall(tee_init); 1267module_exit(tee_exit); 1268 1269MODULE_AUTHOR("Linaro"); 1270MODULE_DESCRIPTION("TEE Driver"); 1271MODULE_VERSION("1.0"); 1272MODULE_LICENSE("GPL v2");