JIRA: https://issues.redhat.com/browse/RHEL-40642
commit 0439fcff304acdedfc493dbf900dce86922fd31f
Author: Sumit Garg <sumit.garg@linaro.org>
Date: Mon Mar 25 16:11:01 2024 +0100
tee: Refactor TEE subsystem header files
Since commit 25559c22ce ("tee: add kernel internal client interface"),
it has been a common include/linux/tee_drv.h header file which is shared
to hold TEE subsystem internal bits along with the APIs exposed to the
TEE client drivers. However, this practice is prone to TEE subsystem
internal APIs abuse and especially so with the new TEE implementation
drivers being added to reuse existing functionality.
In order to address this, split TEE subsystem internal bits into a separate
header file, include/linux/tee_core.h, which should be the one used by
TEE implementation drivers. With that, include/linux/tee_drv.h lists only
APIs exposed by the TEE subsystem to the TEE client drivers.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
(cherry picked from commit 0439fcff304acdedfc493dbf900dce86922fd31f)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-40642
commit 469f6acd9a538ea963e2d4d13ba721a7ad1c1813
Author: Ricardo B. Marliere <ricardo@marliere.net>
Date: Tue Feb 13 11:46:25 2024 -0300
tee: make tee_bus_type const
Since commit d492cc2573a0 ("driver core: device.h: make struct
bus_type a const *"), the driver core can properly handle constant
struct bus_type, move the tee_bus_type variable to be a constant
structure as well, placing it into read-only memory which can not be
modified at runtime.
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
(cherry picked from commit 469f6acd9a538ea963e2d4d13ba721a7ad1c1813)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-40642
commit a9214a8883ceb82df55aa90d1c49ddb85fc1e3d5
Author: Etienne Carriere <etienne.carriere@foss.st.com>
Date: Mon Oct 30 09:48:10 2023 +0100
tee: system session
Adds kernel client API function tee_client_system_session() for a client
to request a system service entry in TEE context.
This feature is needed to prevent a system deadlock when several TEE
client applications invoke TEE, consuming all TEE thread contexts
available in the secure world. The deadlock can happen in the OP-TEE
driver for example if all these TEE threads issue an RPC call from TEE
to Linux OS to access an eMMC RPMB partition (TEE secure storage) whose
device clock or regulator controller is accessed through OP-TEE SCMI
services. In that case, the Linux SCMI driver must reach the OP-TEE SCMI
service without waiting until one of the consumed TEE threads is freed.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Co-developed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
(cherry picked from commit a9214a8883ceb82df55aa90d1c49ddb85fc1e3d5)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-40642
commit 6dea6352bec3ab9f8f71d1694ca91002844a5067
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Thu Sep 7 12:55:58 2023 +0200
optee: provide optee_do_bottom_half() as a common function
Provides optee_do_bottom_half() and optee_stop_async_notif() as common
functions callable from the FF-A ABI part of the driver too.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
(cherry picked from commit 6dea6352bec3ab9f8f71d1694ca91002844a5067)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-40642
commit 45bc2c9b5b230b95cad10f44204d7b28f52b74c0
Author: Etienne Carriere <etienne.carriere@foss.st.com>
Date: Mon Oct 30 09:48:11 2023 +0100
tee: optee: support tracking system threads
Adds support in the OP-TEE driver to keep track of reserved system
threads. The logic allows one OP-TEE thread to be reserved to TEE system
sessions.
The optee_cq_*() functions are updated to handle this if enabled,
that is when TEE describes how many thread contexts it supports
and when at least 1 session has registered as a system session
(using tee_client_system_session()).
For the sake of simplicity, initialization of call queue management
is factorized into new helper function optee_cq_init().
The SMC ABI part of the driver enables this tracking, but the
FF-A ABI part does not.
Co-developed-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
(cherry picked from commit 45bc2c9b5b230b95cad10f44204d7b28f52b74c0)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
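The two commits above (tee: system session, and tee: optee: support tracking system threads) describe a reservation scheme rather than show it. The following is an added model of that scheme written for this page; it is not the OP-TEE driver's code, and the call-queue fields, function names, the two-thread TEE and the way a system session is registered are all assumptions made for the example. It shows the deadlock the commit message describes: normal clients consume every TEE thread, and the system call that those threads' RPCs depend on can no longer enter. With one thread held back once a system session exists, the system call is admitted.

```c
/*
 * Added model (not the OP-TEE driver's code) of the thread reservation the
 * commits describe: when at least one session has registered as a system
 * session and the TEE has reported how many thread contexts it has, one of
 * them is kept back from normal calls so a system call can always proceed.
 * Field and function names are assumptions made for this example.
 */
#include <stdbool.h>
#include <stdio.h>

struct call_queue {
	unsigned int total_thread_count;	/* reported by the TEE; 0 means unknown, tracking off */
	unsigned int busy_thread_count;		/* threads currently consumed by calls in flight */
	unsigned int sys_session_count;		/* sessions opened via tee_client_system_session() */
};

static void cq_init(struct call_queue *cq, unsigned int total_threads)
{
	cq->total_thread_count = total_threads;
	cq->busy_thread_count = 0;
	cq->sys_session_count = 0;
}

/* A client requested a system session: reserve capacity from now on. */
static void cq_register_system_session(struct call_queue *cq)
{
	cq->sys_session_count++;
}

/*
 * Try to claim a TEE thread. Normal calls may not take the last free thread
 * while a system session exists; system calls may take any free thread.
 * Returns false when the caller would have to wait.
 */
static bool cq_try_enter(struct call_queue *cq, bool sys_call)
{
	unsigned int reserved;

	if (!cq->total_thread_count)	/* TEE did not report a thread count: no tracking */
		return true;

	reserved = (!sys_call && cq->sys_session_count) ? 1 : 0;
	if (cq->busy_thread_count + reserved >= cq->total_thread_count)
		return false;

	cq->busy_thread_count++;
	return true;
}

static void cq_leave(struct call_queue *cq)
{
	if (cq->busy_thread_count)
		cq->busy_thread_count--;
}

/*
 * Scenario from the commit message: normal clients occupy every TEE thread
 * they can get, then a system call (the SCMI path those blocked threads
 * depend on) needs a thread. Returns 1 if it is admitted, 0 if it would
 * wait forever behind callers that are themselves waiting for it.
 */
static int sys_call_admitted(bool system_session_registered)
{
	struct call_queue cq;
	int normal_calls = 0;

	cq_init(&cq, 2);	/* constructed: a TEE with two thread contexts */
	if (system_session_registered)
		cq_register_system_session(&cq);

	while (normal_calls < 8 && cq_try_enter(&cq, false))
		normal_calls++;

	if (!cq_try_enter(&cq, true))
		return 0;
	cq_leave(&cq);
	return 1;
}

int main(void)
{
	printf("no system session: system call admitted = %d\n", sys_call_admitted(false));
	printf("system session:    system call admitted = %d\n", sys_call_admitted(true));
	return 0;
}
```

The model matches the commit's caveat that tracking is only active when the TEE describes its thread count: with total_thread_count left at 0, cq_try_enter() never refuses anyone, which is the FF-A ABI situation the second commit describes.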
JIRA: https://issues.redhat.com/browse/RHEL-40642
commit 077798da028e81ada39a256969207c91db66ebaf
Author: Etienne Carriere <etienne.carriere@foss.st.com>
Date: Mon Oct 30 09:48:09 2023 +0100
tee: optee: system thread call property
Adds an argument to do_call_with_arg() handler to tell whether the call
is a system thread call or not. This change always sets this info to false,
hence no functional change.
This change prepares management of system invocation proposed in a later
change.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Co-developed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
[jw: clarified that it's system thread calls]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
(cherry picked from commit 077798da028e81ada39a256969207c91db66ebaf)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-40642
commit df724cedcfd7ce6638f40903144902a3e29fcec7
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date: Tue Sep 6 19:48:55 2022 +0000
optee: remove vma linked list walk
Use the VMA iterator instead. Change the calling convention of
__check_mem_type() to pass in the mm instead of the first vma in the
range.
Link: https://lkml.kernel.org/r/20220906194824.2110408-39-Liam.Howlett@oracle.com
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
Tested-by: Yu Zhao <yuzhao@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: David Howells <dhowells@redhat.com>
Cc: SeongJae Park <sj@kernel.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit df724cedcfd7ce6638f40903144902a3e29fcec7)
Signed-off-by: Steve Dunnagan <sdunnaga@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-24997
commit f4384b3e54ea813868bb81a861bf5b2406e15d8f
Author: Rijo Thomas <Rijo-john.Thomas@amd.com>
Date: Fri Sep 29 12:30:24 2023 +0530
tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
There is a potential race condition in amdtee_close_session that may
cause use-after-free in amdtee_open_session. For instance, if a session
has refcount == 1, and one thread tries to free this session via:
kref_put(&sess->refcount, destroy_session);
the reference count will get decremented, and the next step would be to
call destroy_session(). However, if in another thread,
amdtee_open_session() is called before destroy_session() has completed
execution, alloc_session() may return 'sess' that will be freed up
later in destroy_session() leading to use-after-free in
amdtee_open_session.
To fix this issue, treat decrement of sess->refcount and removal of
'sess' from session list in destroy_session() as a critical section, so
that it is executed atomically.
Fixes: 757cc3e9ff ("tee: add AMD-TEE driver")
Cc: stable@vger.kernel.org
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: David Arcari <darcari@redhat.com>
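The race in the commit message above is a general pattern: a lookup that can find an object whose reference count has already reached zero. The following is an added single-threaded model written for this page, not the AMD-TEE driver's code; the session structure, the list, the TA handle and the function names are assumptions made for the example, and the mutex is modelled by running the racing open only where a real lock would let it run. It returns 1 when the racing open is handed the dying session and 0 when the decrement and the list removal form one critical section.

```c
/*
 * Added model (not the AMD-TEE driver's code) of the race described above: a
 * session's last reference drop and its removal from the session list must be
 * one critical section, or a concurrent open_session() can look up and take a
 * reference on a session that destroy_session() is about to free. Names and
 * the list are assumptions made for this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct session {
	struct session *next;
	unsigned int refcount;
	unsigned int ta_handle;
};

static struct session *session_list;	/* constructed stand-in for the driver's list */

/* open_session() path: reuse the session already loaded for this TA, else allocate. */
static struct session *alloc_session(unsigned int ta_handle)
{
	struct session *s;

	for (s = session_list; s; s = s->next) {
		if (s->ta_handle == ta_handle) {
			s->refcount++;
			return s;
		}
	}
	s = calloc(1, sizeof(*s));
	if (!s)
		return NULL;
	s->refcount = 1;
	s->ta_handle = ta_handle;
	s->next = session_list;
	session_list = s;
	return s;
}

static void unlink_session(struct session *s)
{
	struct session **pp = &session_list;

	while (*pp && *pp != s)
		pp = &(*pp)->next;
	if (*pp)
		*pp = s->next;
}

/*
 * Close 's' while another thread opens the same TA. In the racy variant the
 * racing open runs between the reference drop and the list removal; in the
 * fixed variant both steps sit in one critical section (mutex_lock/unlock in
 * the driver), so the open can only run once the session is already unlinked.
 * Returns 1 if the racing open was handed the dying session (the UAF).
 */
static int close_session(struct session *s, unsigned int racing_ta, bool fixed)
{
	uintptr_t dying = (uintptr_t)s;
	struct session *other = NULL;
	bool destroy;

	/* mutex_lock(&session_list_mutex) in the fixed variant */
	destroy = (--s->refcount == 0);
	if (destroy && !fixed)
		other = alloc_session(racing_ta);	/* window: s still listed, refcount 0 -> 1 */
	if (destroy)
		unlink_session(s);			/* destroy_session() removes it */
	/* mutex_unlock(&session_list_mutex) in the fixed variant */
	if (fixed)
		other = alloc_session(racing_ta);	/* finds nothing, allocates a fresh session */
	if (destroy)
		free(s);

	if (other && (uintptr_t)other == dying)
		return 1;
	if (other && --other->refcount == 0) {	/* release the example's own reference */
		unlink_session(other);
		free(other);
	}
	return 0;
}

/* One session with refcount == 1, closed while another thread opens the same TA. */
static int run_scenario(bool fixed)
{
	struct session *s;
	int stale;

	session_list = NULL;
	s = alloc_session(0x42);	/* constructed TA handle */
	if (!s)
		return -1;
	stale = close_session(s, 0x42, fixed);
	session_list = NULL;
	return stale;
}
```

The point to check in any refcounted object that is also reachable from a list or table: the step that makes the object unreachable must happen under the same lock, and before, the point at which a lookup could otherwise hand out a new reference to it.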
JIRA: https://issues.redhat.com/browse/RHEL-24997
commit 436eeae0411acdfc54521ddea80ee76d4ae8a7ea
Author: Rijo Thomas <Rijo-john.Thomas@amd.com>
Date: Tue May 9 13:02:40 2023 +0530
tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'
After TEE has completed processing of TEE_CMD_ID_LOAD_TA, set proper
value in 'return_origin' argument passed by open_session() call. To do
so, add 'return_origin' field to the structure tee_cmd_load_ta. The
Trusted OS shall update return_origin as part of TEE processing.
This change to 'struct tee_cmd_load_ta' interface requires a similar update
in AMD-TEE Trusted OS's TEE_CMD_ID_LOAD_TA interface.
This patch has been verified on Phoenix Birman setup. On older APUs,
return_origin value will be 0.
Cc: stable@vger.kernel.org
Fixes: 757cc3e9ff ("tee: add AMD-TEE driver")
Tested-by: Sourabh Das <sourabh.das@amd.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: David Arcari <darcari@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-27740
Tested: by me
commit 0249a75b365911f91b87935bc08a4795a6fa7dd0
Author: Ira Weiny <ira.weiny@intel.com>
Date: Fri Feb 3 20:06:34 2023 -0800
tee: Remove call to get_kernel_pages()
The kernel pages used by shm_get_kernel_pages() are allocated using
GFP_KERNEL through the following call stack:
trusted_instantiate()
    trusted_payload_alloc() -> GFP_KERNEL
    <trusted key op>
        tee_shm_register_kernel_buf()
            register_shm_helper()
                shm_get_kernel_pages()
Where <trusted key op> is one of:
trusted_key_unseal()
trusted_key_get_random()
trusted_key_seal()
Because the pages can't be from highmem get_kernel_pages() boils down to
a get_page() call.
Remove the get_kernel_pages() call and open code the get_page().
In case a highmem page does slip through warn on once for a kmap'ed
address.
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Fabio M. De Francesco" <fmdefrancesco@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-27740
Tested: by me
commit c83900393aa133d5fefdbf2ab3377c7fbeec0c07
Author: Ira Weiny <ira.weiny@intel.com>
Date: Fri Feb 3 20:06:33 2023 -0800
tee: Remove vmalloc page support
The kernel pages used by shm_get_kernel_pages() are allocated using
GFP_KERNEL through the following call stack:
trusted_instantiate()
    trusted_payload_alloc() -> GFP_KERNEL
    <trusted key op>
        tee_shm_register_kernel_buf()
            register_shm_helper()
                shm_get_kernel_pages()
Where <trusted key op> is one of:
trusted_key_unseal()
trusted_key_get_random()
trusted_key_seal()
Remove the vmalloc page support from shm_get_kernel_pages(). Replace
with a warn on once.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Fabio M. De Francesco" <fmdefrancesco@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 654d0310007146fae87b0c1a68f81e53ad519b14
Author: Etienne Carriere <etienne.carriere@linaro.org>
Date: Thu, 20 Apr 2023 09:49:23 +0200
Fixes an uninitialized variable in irq_handler() that could lead to
unpredictable behavior in case OP-TEE fails to handle SMC function ID
OPTEE_SMC_GET_ASYNC_NOTIF_VALUE. This change ensures that in that case
get_async_notif_value() properly reports there are no notification
events.
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/r/202304200755.OoiuclDZ-lkp@intel.com/
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/all/d9b7f69b-c737-4cb3-8e74-79fe00c934f9@kili.mountain/
Fixes: 6749e69c4dad ("optee: add asynchronous notifications")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
Conflicts:
Documentation/staging/tee.rst
Drop doc hunk.
commit f3040daab8104ac68e2b241bc93288f63b88a3c7
Author: Jeffrey Kardatzke <jkardatzke@chromium.org>
Date: Fri, 31 Mar 2023 11:35:47 -0700
Adds an SMC call that will pass an OP-TEE binary image to EL3 and
instruct it to load it as the BL32 payload. This works in conjunction
with a feature added to Trusted Firmware for ARMv8 and above
architectures that supports this.
The main purpose of this change is to facilitate updating the OP-TEE
component on devices via a rootfs change rather than having to do a
firmware update. Further details are linked to in the Kconfig file.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@chromium.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit b3b4ced12c1bc829888803ce07fff317e590ec1c
Author: Etienne Carriere <etienne.carriere@linaro.org>
Date: Wed, 22 Mar 2023 14:22:12 +0100
Implements use of per-cpu irq for optee asynchronous notification.
Existing optee async notif implementation allows OP-TEE world to
raise an interrupt on which Linux optee driver will query some pending
events. This change allows the signaling interrupt to be a per-cpu
interrupt as with Arm GIC PPIs. Using a PPI instead of an SPI is useful
when no GIC lines are provisioned in the chip design and there are spare
PPI lines.
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Cc: Sumit Garg <sumit.garg@linaro.org>
Cc: Marc Zyngier <maz@kernel.org>
Co-developed-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
[JW: fixing a spell error in @notif_pcpu_wq description]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit f8502fba45bd30e1a6a354d9d898bc99d1a11e6d
Author: Rijo Thomas <Rijo-john.Thomas@amd.com>
Date: Tue, 28 Feb 2023 15:11:20 +0530
There is a potential race condition in amdtee_open_session that may
lead to use-after-free. For instance, in amdtee_open_session() after
sess->sess_mask is set, and before setting:
sess->session_info[i] = session_info;
if amdtee_close_session() closes this same session, then 'sess' data
structure will be released, causing kernel panic when 'sess' is
accessed within amdtee_open_session().
The solution is to set the bit sess->sess_mask as the last step in
amdtee_open_session().
Fixes: 757cc3e9ff ("tee: add AMD-TEE driver")
Cc: stable@vger.kernel.org
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit cce616e012c215d65c15e5d1afa73182dea49389
Author: Yang Yingliang <yangyingliang@huawei.com>
Date: Wed, 9 Nov 2022 22:01:24 +0800
If device_register() returns an error in optee_register_device(),
the name allocated by dev_set_name() needs to be freed. As the comment
of device_register() says, it should use put_device() to give
up the reference in the error path. So fix this by calling
put_device(); then the name can be freed in kobject_cleanup(),
and optee_device is freed in optee_release_device().
Fixes: c3fa24af92 ("tee: optee: add TEE bus device enumeration support")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 5b0c6328e47dccf552996ca711005ca3f44034e9
Author: Sudeep Holla <sudeep.holla@arm.com>
Date: Wed, 7 Sep 2022 15:52:40 +0100
In preparation to make memory operations accessible for a non
ffa_driver/device, it is better to split the ffa_ops into different
categories of operations: info, message and memory. The info and memory
are ffa_device independent and can be used without any associated
ffa_device from a non ffa_driver.
However, we don't export these info and memory APIs yet without the user.
The first users of these APIs can export them.
Link: https://lore.kernel.org/r/20220907145240.1683088-11-sudeep.holla@arm.com
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 7aa7a97989557011f762a4b7c2e4e3b061b638e4
Author: Sudeep Holla <sudeep.holla@arm.com>
Date: Wed, 7 Sep 2022 15:52:37 +0100
Except the message APIs, all other APIs are ffa_device independent and can
be used without any associated ffa_device from a non ffa_driver.
In order to reflect the same, just rename ffa_dev_ops as ffa_ops to
avoid any confusion or to keep it simple.
Link: https://lore.kernel.org/r/20220907145240.1683088-8-sudeep.holla@arm.com
Suggested-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 8c3812c8f74f050278d734ec4b90149d84bdbefb
Author: Sudeep Holla <sudeep.holla@arm.com>
Date: Wed, 7 Sep 2022 15:52:36 +0100
There is a requirement to make memory APIs independent of the ffa_device.
One of the use-cases is to have a common memory driver that manages the
memory for all the ffa_devices. That common memory driver won't be a
ffa_driver or won't have any ffa_device associated with it. So having
these memory APIs accessible without a ffa_device is needed and should
be possible as most of these are handled by the partition manager(SPM
or hypervisor).
Drop the ffa_device argument to the memory APIs and make them ffa_device
independent.
Link: https://lore.kernel.org/r/20220907145240.1683088-7-sudeep.holla@arm.com
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 320c3fa38c514eb71aa188da3495e13da9a30542
Author: Sudeep Holla <sudeep.holla@arm.com>
Date: Wed, 7 Sep 2022 15:52:32 +0100
Now that the ffa_device structure holds the pointer to ffa_dev_ops,
there is no need to obtain the same through ffa_dev_ops_get().
Just use the ffa_dev->ops directly. Since the ffa_device itself carries
ffa_dev_ops now, there is no need to keep a copy in optee_ffa structure.
Drop ffa_ops in the optee_ffa structure as it is not needed anymore.
Link: https://lore.kernel.org/r/20220907145240.1683088-3-sudeep.holla@arm.com
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit eccd7439709810127563e7e3e49b8b44c7b2791d
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Mon, 22 Aug 2022 07:43:35 +0200
Include <linux/uaccess.h> to avoid the warning:
drivers/tee/tee_shm.c: In function 'tee_shm_register':
>> drivers/tee/tee_shm.c:242:14: error: implicit declaration of function 'access_ok' [-Werror=implicit-function-declaration]
242 | if (!access_ok((void __user *)addr, length))
| ^~~~~~~~~
cc1: some warnings being treated as errors
Fixes: 573ae4f13f63 ("tee: add overflow check in register_shm_helper()")
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 573ae4f13f630d6660008f1974c0a8a29c30e18a
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Thu, 18 Aug 2022 13:08:59 +0200
With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.
This causes internal_get_user_pages_fast(), a helper function of
pin_user_pages_fast(), to do a NULL pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Modules linked in:
CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
pc : internal_get_user_pages_fast+0x474/0xa80
Call trace:
internal_get_user_pages_fast+0x474/0xa80
pin_user_pages_fast+0x24/0x4c
register_shm_helper+0x194/0x330
tee_shm_register_user_buf+0x78/0x120
tee_ioctl+0xd0/0x11a0
__arm64_sys_ioctl+0xa8/0xec
invoke_syscall+0x48/0x114
Fix this by adding an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.
Fixes: 033ddf12bc ("tee: add register user memory")
Cc: stable@vger.kernel.org
Reported-by: Nimish Mishra <neelam.nimish@gmail.com>
Reported-by: Anirban Chakraborty <ch.anirban00727@gmail.com>
Reported-by: Debdeep Mukhopadhyay <debdeep.mukhopadhyay@gmail.com>
Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
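The commit message above names the bug (an integer overflow when computing the number of pages from a user-supplied address and length) and the fix (an early access_ok() check), but the arithmetic is easier to see in isolation. The following is an added illustration written for this page, not the kernel's code: it shows the pre-fix shape of the page-count computation, a user-space stand-in for access_ok(), and the post-fix ordering where the range is validated before any arithmetic is done on it. PAGE_SIZE, TASK_SIZE and the function names are assumptions made for the example; the kernel's own helper for the wrap check is check_add_overflow() from linux/overflow.h, emulated here with the compiler builtin.

```c
/*
 * Added illustration (not the kernel's code) of the overflow the commit fixes:
 * deriving a page count from a user-supplied (addr, length) pair without first
 * checking that the range is valid. PAGE_SIZE, TASK_SIZE and the function names
 * are assumptions made for this example; in the kernel the range check is
 * access_ok() in tee_shm_register_user_buf().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uintptr_t)1 << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define TASK_SIZE  ((uintptr_t)1 << 48)	/* assumed: 48-bit user VA, as on arm64 */

/*
 * Pre-fix shape of the computation: round the end up, the start down, and
 * count the pages between them. With a length close to SIZE_MAX, addr + length
 * wraps around, the rounded end lands near the start, and the count bears no
 * relation to the range the caller asked for before it reaches
 * pin_user_pages_fast().
 */
static size_t pages_unchecked(uintptr_t addr, size_t length)
{
	uintptr_t start = addr & PAGE_MASK;
	uintptr_t end = (addr + length + PAGE_SIZE - 1) & PAGE_MASK;

	return (size_t)((end - start) >> PAGE_SHIFT);
}

/*
 * Stand-in for access_ok(): the range must not wrap around and must end
 * inside the user address space. Rejecting this early makes every later
 * arithmetic step on (addr, length) safe.
 */
static bool range_ok(uintptr_t addr, size_t length)
{
	uintptr_t end;

	if (__builtin_add_overflow(addr, length, &end))
		return false;
	return end <= TASK_SIZE;
}

/* Post-fix ordering: validate first, then compute. Returns -1 (EFAULT) on rejection. */
static long pages_checked(uintptr_t addr, size_t length)
{
	if (!range_ok(addr, length))
		return -1;
	return (long)pages_unchecked(addr, length);
}

int main(void)
{
	uintptr_t addr = 0x1000;
	size_t huge = SIZE_MAX - 0x500;		/* constructed: a length that wraps addr + length */

	printf("unchecked: %zu pages for length %#zx\n", pages_unchecked(addr, huge), huge);
	printf("checked:   %ld (rejected)\n", pages_checked(addr, huge));
	printf("checked:   %ld pages for a sane 2-page range\n", pages_checked(0x1800, 0x1000));
	return 0;
}
```

The same shape applies to any ioctl that takes a (pointer, size) pair from user space: check the pair as a range, not the pointer alone, and do it before the size feeds into rounding, division or allocation.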
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit e5ce073c8a1e01b215a5eb32ba48f8d17ded3bd5
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Mon, 6 Jun 2022 13:43:53 +0200
This patch fixes the description of tee_get_drvdata()'s return value.
It actually returns the driver_data pointer supplied to
tee_device_alloc() since the TEE subsystem was added to the kernel.
Fixes: 967c9cca2c ("tee: generic TEE subsystem")
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit d4fac258d971bead9a6b5c5ebe2f0e415d05d110
Author: Yang Yingliang <yangyingliang@huawei.com>
Date: Tue, 28 Jun 2022 14:52:16 +0800
In optee_smc_do_call_with_arg() there is a code path when the argument
struct for RPC is passed appended to the primary argument struct. When
the address of the RPC struct is retrieved there's an invalid check for
success. It should be 'rpc_arg' passed to IS_ERR/PTR_ERR().
Fixes: ed8faf6c8f8c ("optee: add OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
[jw: added background to the problem]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit a3b9ecc805e9131476c719111fe347c7dbc0d1d1
Author: Linus Walleij <linus.walleij@linaro.org>
Date: Thu, 19 May 2022 23:46:35 +0200
A pointer into virtual memory is represented by a (void *)
not an u32, so the compiler warns:
drivers/tee/optee/call.c:365:29: warning: passing argument 1
of 'virt_to_pfn' makes pointer from integer without a
cast [-Wint-conversion]
Fix this with an explicit cast.
Cc: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
[jw: fixed merge conflict]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit f3f3bdbd58cea4fdd088075fdc8864fc47ecd419
Author: Sudeep Holla <sudeep.holla@arm.com>
Date: Fri, 29 Apr 2022 12:39:46 +0100
Due to lack of a helper like ffa_dev_get_drvdata, this driver was
fetching driver_data directly accessing the structure member. Now that
we have added a helper, just use the same instead.
Link: https://lore.kernel.org/r/20220429113946.2087145-4-sudeep.holla@arm.com
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit d8fc1c7c4c9b705ce5f5bba772ad66a0137c685d
Author: Andrew Davis <afd@ti.com>
Date: Mon, 25 Apr 2022 09:16:17 -0500
These look to be leftover from an early edition of this driver. Userspace
does not need this information. Checking all users of this that I have
access to I have verified no one is using them.
They leak internal use flags out to userspace. Even more they are not
correct anymore after a45ea4efa358. Let's drop these flags before
someone does try to use them for something and they become ABI.
Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 66eb6df79aefd6b3f7d2e749da7104e90cedc0ff
Author: Andrew Davis <afd@ti.com>
Date: Mon, 25 Apr 2022 09:16:16 -0500
We should not need to index into SHMs based on absolute VA/PA.
These functions are not used and this kind of usage should not be
encouraged anyway. Remove these functions.
Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 5b4018b959149eb5b5f3004fc0339674af67516b
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Tue, 25 Jan 2022 21:26:42 +0100
Implements a cache to handle shared memory used to pass the argument
struct needed when doing a normal yielding call into secure world.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit a639b2b18a240d497109631d48016b620fb354f9
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Wed, 12 Jan 2022 17:06:32 +0100
Adds the secure capability OPTEE_FFA_SEC_CAP_ARG_OFFSET to indicate that
OP-TEE with FF-A can support an argument struct at a non-zero offset into
a passed shared memory object.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit ed8faf6c8f8c1f7e9ee88342a915ce5f09ca9736
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Wed, 3 Nov 2021 11:42:30 +0100
Adds OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG where
the struct optee_msg_arg to be used for RPC is appended in the memory
following the normal argument struct optee_msg_arg. This is an
optimization to avoid caching the RPC argument struct while still
maintaining similar performance as if it was cached.
OPTEE_SMC_CALL_WITH_REGD_ARG is optimized one step further by using a
registered shared memory object instead. It's in other aspects identical
to OPTEE_SMC_CALL_WITH_RPC_ARG.
The presence of OPTEE_SMC_CALL_WITH_RPC_ARG and
OPTEE_SMC_CALL_WITH_REGD_ARG is indicated by the new
OPTEE_SMC_SEC_CAP_RPC_ARG bit returned by
OPTEE_SMC_EXCHANGE_CAPABILITIES. OPTEE_SMC_EXCHANGE_CAPABILITIES also
reports the number of arguments that the RPC argument struct must have
room for.
OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_ARG can be used
interleaved with the difference that when OPTEE_SMC_CALL_WITH_RPC_ARG is
used the RPC argument struct to be used is the one appended to the
normal argument struct. The same is true for
OPTEE_SMC_CALL_WITH_REGD_ARG.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 30c375a7f6bd2b65243b58cf0aa39791978f2b0b
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Wed, 16 Mar 2022 13:28:31 +0100
Renames the field rpc_arg_count in struct optee to rpc_param_count.
Function parameter names and local variables are also renamed to match.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 3e47235eaee09488c7e467b9aaccb7c93c862c6b
Author: Phil Chang <phil.chang@mediatek.com>
Date: Fri, 25 Feb 2022 23:20:40 +0800
In some low-memory devices, it's hard to acquire large-order pages;
this patch allows users to use scatter pages to register shm.
Signed-off-by: Phil Chang <phil.chang@mediatek.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit a4b75fe8e1c15c96c4eb083e211ccbbfd56599f9
Author: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 28 Dec 2021 20:57:37 +0100
Don't let TEE occupy two lines in menuconfig when practically no
other (sub)menu does either.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit b5e22886839ae466fcf03295150094516c0fd8eb
Author: Dongliang Mu <mudongliangabcd@gmail.com>
Date: Wed, 16 Mar 2022 21:50:47 +0800
The error handling code of optee_ffa_probe misses the mutex_destroy of
ffa.mutex when mutex_init succeeds.
Fix this by adding mutex_destroy of ffa.mutex at the error handling part.
Fixes: aceeafefff73 ("optee: use driver internal tee_context for some rpc")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit a45ea4efa358577c623d7353a6ba9af3c17f6ca0
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:59 +0100
Removes the redundant TEE_SHM_DMA_BUF, TEE_SHM_EXT_DMA_BUF,
TEE_SHM_MAPPED and TEE_SHM_KERNEL_MAPPED flags.
TEE_SHM_REGISTER is renamed to TEE_SHM_DYNAMIC in order to better
match its usage.
Assigns new values to the remaining flags to avoid gaps.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 53e16519c2eccdb2e1b123405466a29aaea1132e
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:58 +0100
tee_shm_register() is replaced by the previously introduced functions
tee_shm_register_user_buf() and tee_shm_register_kernel_buf().
Since there are no external callers left we can remove tee_shm_register()
and refactor the remains.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 056d3fed3d1ff3f5d699be337f048f9eed2befaf
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:56 +0100
Adds the two new functions tee_shm_register_user_buf() and
tee_shm_register_kernel_buf() which should be used instead of the old
tee_shm_register().
This avoids having the caller supplying the flags parameter which
exposes a bit more than desired of the internals of the TEE subsystem.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 924e32269228a4e2575e50e6fd6ed83cb57aa52a
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:55 +0100
Adds a common helper function to free a tee_shm allocated using the
helper function optee_pool_op_alloc_helper().
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 5d41f1b3e3282909b6bbceacb9aebe1d3c849a49
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:54 +0100
tee_shm_alloc() is replaced by three new functions,
tee_shm_alloc_user_buf() - for user mode allocations, replacing passing
the flags TEE_SHM_MAPPED | TEE_SHM_DMA_BUF
tee_shm_alloc_kernel_buf() - for kernel mode allocations, slightly
optimized compared to using the flags TEE_SHM_MAPPED | TEE_SHM_DMA_BUF.
tee_shm_alloc_priv_buf() - primarily for TEE driver internal use.
This also makes the interface easier to use as we can get rid of the
somewhat hard to use flags parameter.
The TEE subsystem and the TEE drivers are updated to use the new
functions instead.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit d88e0493a054c9fe72ade41a42d42e958ee6503d
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:53 +0100
Replaces the shared memory pool based on two pools with a single pool.
The alloc() function pointer in struct tee_shm_pool_ops gets another
parameter, align. This makes it possible to make less than page aligned
allocations from the optional reserved shared memory pool while still
making user space allocations page aligned. In practice the behaviour is
unchanged, with only a single pool used for bookkeeping.
The allocation algorithm in the static OP-TEE shared memory pool is
changed from best-fit to first-fit since only the latter supports an
alignment parameter. The best-fit algorithm was previously the default
choice and not a conscious one.
The optee and amdtee drivers are updated as needed to work with this
changed pool handling.
This also removes OPTEE_SHM_NUM_PRIV_PAGES which becomes obsolete with
this change as the private pages can be mixed with the payload pages.
The OP-TEE driver changes minimum alignment for argument struct from 8
bytes to 512 bytes. A typical OP-TEE private shm allocation is 224 bytes
(argument struct with 6 parameters, needed for open session). So with an
alignment of 512 we'll waste a bit more than 50%. Before this we had a
single page reserved for this so worst case usage compared to that would
be 3 pages instead of 1 page. However, this worst case only occurs if
there is a high pressure from multiple threads on secure world. All in
all this should scale up and down better than fixed boundaries.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
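As an added illustration of the first-fit, alignment-aware pool described in the commit message above (this is a constructed toy model, not the kernel's tee_shm_pool code): allocations are kept sorted by offset, each request takes the first gap that can hold it at the requested alignment, and a helper counts how many 224-byte argument structs fit in one page at 8-byte versus 512-byte alignment.

```c
#include <stddef.h>

/* Constructed toy pool: one reserved page, bookkeeping in a sorted array. */
#define POOL_SIZE   4096
#define MAX_ALLOCS  64

struct alloc { size_t start, size; };

struct pool {
    struct alloc allocs[MAX_ALLOCS];  /* sorted by start offset */
    int n;
};

static size_t align_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/* First-fit: walk the gaps between existing allocations in offset order and
 * take the first one that holds `size` bytes at `align`. The gap after the
 * last allocation extends to POOL_SIZE. Returns the offset or (size_t)-1. */
static size_t pool_alloc(struct pool *p, size_t size, size_t align)
{
    size_t cursor = 0;                      /* end of the previous allocation */
    for (int i = 0; i <= p->n; i++) {
        size_t gap_end = (i < p->n) ? p->allocs[i].start : POOL_SIZE;
        size_t start = align_up(cursor, align);
        if (start + size <= gap_end) {
            if (p->n == MAX_ALLOCS) return (size_t)-1;
            for (int j = p->n; j > i; j--)  /* keep the array sorted */
                p->allocs[j] = p->allocs[j - 1];
            p->allocs[i].start = start;
            p->allocs[i].size = size;
            p->n++;
            return start;
        }
        if (i < p->n) cursor = p->allocs[i].start + p->allocs[i].size;
    }
    return (size_t)-1;
}

/* Release the allocation that starts at `start`; the gap becomes reusable. */
static void pool_free(struct pool *p, size_t start)
{
    for (int i = 0; i < p->n; i++) {
        if (p->allocs[i].start != start) continue;
        for (int j = i; j < p->n - 1; j++) p->allocs[j] = p->allocs[j + 1];
        p->n--;
        return;
    }
}

/* How many `size`-byte objects at `align` fit in one empty page. */
static int fit_per_page(size_t size, size_t align)
{
    struct pool p = { .n = 0 };
    int count = 0;
    while (pool_alloc(&p, size, align) != (size_t)-1) count++;
    return count;
}
```

With 512-byte alignment only 8 argument structs fit per page where 18 fit at 8-byte alignment, which is the "a bit more than 50%" waste and the 3-pages-instead-of-1 worst case the message describes.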
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 71cc47d4cc1f7a333584e0f2f7c863c71a6d3ced
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:52 +0100
Adds a new function tee_shm_alloc_user_buf() for user mode allocations,
replacing passing the flags TEE_SHM_MAPPED | TEE_SHM_DMA_BUF to
tee_shm_alloc().
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit f41b6be1ebdae452819551ed35a46e6fd32bf467
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Fri, 4 Feb 2022 10:33:51 +0100
None of the drivers in the TEE subsystem uses
tee_shm_pool_alloc_res_mem() so remove the function.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit f7b67642dd98617dc569836cdcba041c7ff00cbb
Author: Cai Huoqing <cai.huoqing@linux.dev>
Date: Wed, 9 Feb 2022 11:27:43 +0800
Replace "struct list_head head = LIST_HEAD_INIT(head)" with
"LIST_HEAD(head)" to simplify the code.
Signed-off-by: Cai Huoqing <cai.huoqing@linux.dev>
Reviewed-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit 40eb0dcf4114cbfff4d207890fa5a19e82da9fdc
Author: Yang Yingliang <yangyingliang@huawei.com>
Date: Thu, 10 Feb 2022 17:10:53 +0800
If teedev_open() fails, the probe function needs to return an
error code.
Fixes: aceeafefff73 ("optee: use driver internal tee_context for some rpc")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-16037
commit aceeafefff736057e8f93f19bbfbef26abd94604
Author: Jens Wiklander <jens.wiklander@linaro.org>
Date: Thu, 27 Jan 2022 15:29:39 +0100
Adds a driver private tee_context by moving the tee_context in struct
optee_notif to struct optee. This tee_context was previously used when
doing internal calls to secure world to deliver notification.
The new driver internal tee_context is now also used when allocating driver
private shared memory. This decouples the shared memory object from its
original tee_context. This is needed when the lifetime of such a memory
allocation outlives the client tee_context.
This patch fixes the problem described below:
The addition of a shutdown hook by commit f25889f931 ("optee: fix tee out
of memory failure seen during kexec reboot") introduced a kernel shutdown
regression that can be triggered after running the OP-TEE xtest suites.
Once the shutdown hook is called it is not possible to communicate any more
with the supplicant process because the system is not scheduling tasks any
longer. Thus if the optee driver shutdown path receives a supplicant RPC
request from the OP-TEE we will deadlock the kernel's shutdown.
Fixes: f25889f931 ("optee: fix tee out of memory failure seen during kexec reboot")
Fixes: 217e0250cc ("tee: use reference counting for tee_context")
Reported-by: Lars Persson <larper@axis.com>
Cc: stable@vger.kernel.org
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Mark Salter <msalter@redhat.com>