Back to home page

OSCL-LXR
 
 

     

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Copyright (c) 2015-2016, Linaro Limited
0004  */
0005 
0006 #define pr_fmt(fmt) "%s: " fmt, __func__
0007 
0008 #include <linux/cdev.h>
0009 #include <linux/cred.h>
0010 #include <linux/fs.h>
0011 #include <linux/idr.h>
0012 #include <linux/module.h>
0013 #include <linux/slab.h>
0014 #include <linux/tee_drv.h>
0015 #include <linux/uaccess.h>
0016 #include <crypto/hash.h>
0017 #include <crypto/sha1.h>
0018 #include "tee_private.h"
0019 
0020 #define TEE_NUM_DEVICES 32
0021 
0022 #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
0023 
0024 #define TEE_UUID_NS_NAME_SIZE   128
0025 
0026 /*
0027  * TEE Client UUID name space identifier (UUIDv4)
0028  *
0029  * Value here is random UUID that is allocated as name space identifier for
0030  * forming Client UUID's for TEE environment using UUIDv5 scheme.
0031  */
0032 static const uuid_t tee_client_uuid_ns = UUID_INIT(0x58ac9ca0, 0x2086, 0x4683,
0033                            0xa1, 0xb8, 0xec, 0x4b,
0034                            0xc0, 0x8e, 0x01, 0xb6);
0035 
0036 /*
0037  * Unprivileged devices in the lower half range and privileged devices in
0038  * the upper half range.
0039  */
0040 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES);
0041 static DEFINE_SPINLOCK(driver_lock);
0042 
0043 static struct class *tee_class;
0044 static dev_t tee_devt;
0045 
0046 struct tee_context *teedev_open(struct tee_device *teedev)
0047 {
0048     int rc;
0049     struct tee_context *ctx;
0050 
0051     if (!tee_device_get(teedev))
0052         return ERR_PTR(-EINVAL);
0053 
0054     ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
0055     if (!ctx) {
0056         rc = -ENOMEM;
0057         goto err;
0058     }
0059 
0060     kref_init(&ctx->refcount);
0061     ctx->teedev = teedev;
0062     rc = teedev->desc->ops->open(ctx);
0063     if (rc)
0064         goto err;
0065 
0066     return ctx;
0067 err:
0068     kfree(ctx);
0069     tee_device_put(teedev);
0070     return ERR_PTR(rc);
0071 
0072 }
0073 EXPORT_SYMBOL_GPL(teedev_open);
0074 
0075 void teedev_ctx_get(struct tee_context *ctx)
0076 {
0077     if (ctx->releasing)
0078         return;
0079 
0080     kref_get(&ctx->refcount);
0081 }
0082 
0083 static void teedev_ctx_release(struct kref *ref)
0084 {
0085     struct tee_context *ctx = container_of(ref, struct tee_context,
0086                            refcount);
0087     ctx->releasing = true;
0088     ctx->teedev->desc->ops->release(ctx);
0089     kfree(ctx);
0090 }
0091 
0092 void teedev_ctx_put(struct tee_context *ctx)
0093 {
0094     if (ctx->releasing)
0095         return;
0096 
0097     kref_put(&ctx->refcount, teedev_ctx_release);
0098 }
0099 
0100 void teedev_close_context(struct tee_context *ctx)
0101 {
0102     struct tee_device *teedev = ctx->teedev;
0103 
0104     teedev_ctx_put(ctx);
0105     tee_device_put(teedev);
0106 }
0107 EXPORT_SYMBOL_GPL(teedev_close_context);
0108 
0109 static int tee_open(struct inode *inode, struct file *filp)
0110 {
0111     struct tee_context *ctx;
0112 
0113     ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev));
0114     if (IS_ERR(ctx))
0115         return PTR_ERR(ctx);
0116 
0117     /*
0118      * Default user-space behaviour is to wait for tee-supplicant
0119      * if not present for any requests in this context.
0120      */
0121     ctx->supp_nowait = false;
0122     filp->private_data = ctx;
0123     return 0;
0124 }
0125 
0126 static int tee_release(struct inode *inode, struct file *filp)
0127 {
0128     teedev_close_context(filp->private_data);
0129     return 0;
0130 }
0131 
0132 /**
0133  * uuid_v5() - Calculate UUIDv5
0134  * @uuid: Resulting UUID
0135  * @ns: Name space ID for UUIDv5 function
0136  * @name: Name for UUIDv5 function
0137  * @size: Size of name
0138  *
0139  * UUIDv5 is specific in RFC 4122.
0140  *
0141  * This implements section (for SHA-1):
0142  * 4.3.  Algorithm for Creating a Name-Based UUID
0143  */
0144 static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name,
0145            size_t size)
0146 {
0147     unsigned char hash[SHA1_DIGEST_SIZE];
0148     struct crypto_shash *shash = NULL;
0149     struct shash_desc *desc = NULL;
0150     int rc;
0151 
0152     shash = crypto_alloc_shash("sha1", 0, 0);
0153     if (IS_ERR(shash)) {
0154         rc = PTR_ERR(shash);
0155         pr_err("shash(sha1) allocation failed\n");
0156         return rc;
0157     }
0158 
0159     desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash),
0160                GFP_KERNEL);
0161     if (!desc) {
0162         rc = -ENOMEM;
0163         goto out_free_shash;
0164     }
0165 
0166     desc->tfm = shash;
0167 
0168     rc = crypto_shash_init(desc);
0169     if (rc < 0)
0170         goto out_free_desc;
0171 
0172     rc = crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns));
0173     if (rc < 0)
0174         goto out_free_desc;
0175 
0176     rc = crypto_shash_update(desc, (const u8 *)name, size);
0177     if (rc < 0)
0178         goto out_free_desc;
0179 
0180     rc = crypto_shash_final(desc, hash);
0181     if (rc < 0)
0182         goto out_free_desc;
0183 
0184     memcpy(uuid->b, hash, UUID_SIZE);
0185 
0186     /* Tag for version 5 */
0187     uuid->b[6] = (hash[6] & 0x0F) | 0x50;
0188     uuid->b[8] = (hash[8] & 0x3F) | 0x80;
0189 
0190 out_free_desc:
0191     kfree(desc);
0192 
0193 out_free_shash:
0194     crypto_free_shash(shash);
0195     return rc;
0196 }
0197 
0198 int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method,
0199                  const u8 connection_data[TEE_IOCTL_UUID_LEN])
0200 {
0201     gid_t ns_grp = (gid_t)-1;
0202     kgid_t grp = INVALID_GID;
0203     char *name = NULL;
0204     int name_len;
0205     int rc;
0206 
0207     if (connection_method == TEE_IOCTL_LOGIN_PUBLIC ||
0208         connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) {
0209         /* Nil UUID to be passed to TEE environment */
0210         uuid_copy(uuid, &uuid_null);
0211         return 0;
0212     }
0213 
0214     /*
0215      * In Linux environment client UUID is based on UUIDv5.
0216      *
0217      * Determine client UUID with following semantics for 'name':
0218      *
0219      * For TEEC_LOGIN_USER:
0220      * uid=<uid>
0221      *
0222      * For TEEC_LOGIN_GROUP:
0223      * gid=<gid>
0224      *
0225      */
0226 
0227     name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL);
0228     if (!name)
0229         return -ENOMEM;
0230 
0231     switch (connection_method) {
0232     case TEE_IOCTL_LOGIN_USER:
0233         name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x",
0234                     current_euid().val);
0235         if (name_len >= TEE_UUID_NS_NAME_SIZE) {
0236             rc = -E2BIG;
0237             goto out_free_name;
0238         }
0239         break;
0240 
0241     case TEE_IOCTL_LOGIN_GROUP:
0242         memcpy(&ns_grp, connection_data, sizeof(gid_t));
0243         grp = make_kgid(current_user_ns(), ns_grp);
0244         if (!gid_valid(grp) || !in_egroup_p(grp)) {
0245             rc = -EPERM;
0246             goto out_free_name;
0247         }
0248 
0249         name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x",
0250                     grp.val);
0251         if (name_len >= TEE_UUID_NS_NAME_SIZE) {
0252             rc = -E2BIG;
0253             goto out_free_name;
0254         }
0255         break;
0256 
0257     default:
0258         rc = -EINVAL;
0259         goto out_free_name;
0260     }
0261 
0262     rc = uuid_v5(uuid, &tee_client_uuid_ns, name, name_len);
0263 out_free_name:
0264     kfree(name);
0265 
0266     return rc;
0267 }
0268 EXPORT_SYMBOL_GPL(tee_session_calc_client_uuid);
0269 
0270 static int tee_ioctl_version(struct tee_context *ctx,
0271                  struct tee_ioctl_version_data __user *uvers)
0272 {
0273     struct tee_ioctl_version_data vers;
0274 
0275     ctx->teedev->desc->ops->get_version(ctx->teedev, &vers);
0276 
0277     if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED)
0278         vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED;
0279 
0280     if (copy_to_user(uvers, &vers, sizeof(vers)))
0281         return -EFAULT;
0282 
0283     return 0;
0284 }
0285 
0286 static int tee_ioctl_shm_alloc(struct tee_context *ctx,
0287                    struct tee_ioctl_shm_alloc_data __user *udata)
0288 {
0289     long ret;
0290     struct tee_ioctl_shm_alloc_data data;
0291     struct tee_shm *shm;
0292 
0293     if (copy_from_user(&data, udata, sizeof(data)))
0294         return -EFAULT;
0295 
0296     /* Currently no input flags are supported */
0297     if (data.flags)
0298         return -EINVAL;
0299 
0300     shm = tee_shm_alloc_user_buf(ctx, data.size);
0301     if (IS_ERR(shm))
0302         return PTR_ERR(shm);
0303 
0304     data.id = shm->id;
0305     data.size = shm->size;
0306 
0307     if (copy_to_user(udata, &data, sizeof(data)))
0308         ret = -EFAULT;
0309     else
0310         ret = tee_shm_get_fd(shm);
0311 
0312     /*
0313      * When user space closes the file descriptor the shared memory
0314      * should be freed or if tee_shm_get_fd() failed then it will
0315      * be freed immediately.
0316      */
0317     tee_shm_put(shm);
0318     return ret;
0319 }
0320 
0321 static int
0322 tee_ioctl_shm_register(struct tee_context *ctx,
0323                struct tee_ioctl_shm_register_data __user *udata)
0324 {
0325     long ret;
0326     struct tee_ioctl_shm_register_data data;
0327     struct tee_shm *shm;
0328 
0329     if (copy_from_user(&data, udata, sizeof(data)))
0330         return -EFAULT;
0331 
0332     /* Currently no input flags are supported */
0333     if (data.flags)
0334         return -EINVAL;
0335 
0336     shm = tee_shm_register_user_buf(ctx, data.addr, data.length);
0337     if (IS_ERR(shm))
0338         return PTR_ERR(shm);
0339 
0340     data.id = shm->id;
0341     data.length = shm->size;
0342 
0343     if (copy_to_user(udata, &data, sizeof(data)))
0344         ret = -EFAULT;
0345     else
0346         ret = tee_shm_get_fd(shm);
0347     /*
0348      * When user space closes the file descriptor the shared memory
0349      * should be freed or if tee_shm_get_fd() failed then it will
0350      * be freed immediately.
0351      */
0352     tee_shm_put(shm);
0353     return ret;
0354 }
0355 
0356 static int params_from_user(struct tee_context *ctx, struct tee_param *params,
0357                 size_t num_params,
0358                 struct tee_ioctl_param __user *uparams)
0359 {
0360     size_t n;
0361 
0362     for (n = 0; n < num_params; n++) {
0363         struct tee_shm *shm;
0364         struct tee_ioctl_param ip;
0365 
0366         if (copy_from_user(&ip, uparams + n, sizeof(ip)))
0367             return -EFAULT;
0368 
0369         /* All unused attribute bits has to be zero */
0370         if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK)
0371             return -EINVAL;
0372 
0373         params[n].attr = ip.attr;
0374         switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
0375         case TEE_IOCTL_PARAM_ATTR_TYPE_NONE:
0376         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
0377             break;
0378         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
0379         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
0380             params[n].u.value.a = ip.a;
0381             params[n].u.value.b = ip.b;
0382             params[n].u.value.c = ip.c;
0383             break;
0384         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
0385         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
0386         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
0387             /*
0388              * If a NULL pointer is passed to a TA in the TEE,
0389              * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL
0390              * indicating a NULL memory reference.
0391              */
0392             if (ip.c != TEE_MEMREF_NULL) {
0393                 /*
0394                  * If we fail to get a pointer to a shared
0395                  * memory object (and increase the ref count)
0396                  * from an identifier we return an error. All
0397                  * pointers that has been added in params have
0398                  * an increased ref count. It's the callers
0399                  * responibility to do tee_shm_put() on all
0400                  * resolved pointers.
0401                  */
0402                 shm = tee_shm_get_from_id(ctx, ip.c);
0403                 if (IS_ERR(shm))
0404                     return PTR_ERR(shm);
0405 
0406                 /*
0407                  * Ensure offset + size does not overflow
0408                  * offset and does not overflow the size of
0409                  * the referred shared memory object.
0410                  */
0411                 if ((ip.a + ip.b) < ip.a ||
0412                     (ip.a + ip.b) > shm->size) {
0413                     tee_shm_put(shm);
0414                     return -EINVAL;
0415                 }
0416             } else if (ctx->cap_memref_null) {
0417                 /* Pass NULL pointer to OP-TEE */
0418                 shm = NULL;
0419             } else {
0420                 return -EINVAL;
0421             }
0422 
0423             params[n].u.memref.shm_offs = ip.a;
0424             params[n].u.memref.size = ip.b;
0425             params[n].u.memref.shm = shm;
0426             break;
0427         default:
0428             /* Unknown attribute */
0429             return -EINVAL;
0430         }
0431     }
0432     return 0;
0433 }
0434 
0435 static int params_to_user(struct tee_ioctl_param __user *uparams,
0436               size_t num_params, struct tee_param *params)
0437 {
0438     size_t n;
0439 
0440     for (n = 0; n < num_params; n++) {
0441         struct tee_ioctl_param __user *up = uparams + n;
0442         struct tee_param *p = params + n;
0443 
0444         switch (p->attr) {
0445         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
0446         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
0447             if (put_user(p->u.value.a, &up->a) ||
0448                 put_user(p->u.value.b, &up->b) ||
0449                 put_user(p->u.value.c, &up->c))
0450                 return -EFAULT;
0451             break;
0452         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
0453         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
0454             if (put_user((u64)p->u.memref.size, &up->b))
0455                 return -EFAULT;
0456             break;
0457         default:
0458             break;
0459         }
0460     }
0461     return 0;
0462 }
0463 
0464 static int tee_ioctl_open_session(struct tee_context *ctx,
0465                   struct tee_ioctl_buf_data __user *ubuf)
0466 {
0467     int rc;
0468     size_t n;
0469     struct tee_ioctl_buf_data buf;
0470     struct tee_ioctl_open_session_arg __user *uarg;
0471     struct tee_ioctl_open_session_arg arg;
0472     struct tee_ioctl_param __user *uparams = NULL;
0473     struct tee_param *params = NULL;
0474     bool have_session = false;
0475 
0476     if (!ctx->teedev->desc->ops->open_session)
0477         return -EINVAL;
0478 
0479     if (copy_from_user(&buf, ubuf, sizeof(buf)))
0480         return -EFAULT;
0481 
0482     if (buf.buf_len > TEE_MAX_ARG_SIZE ||
0483         buf.buf_len < sizeof(struct tee_ioctl_open_session_arg))
0484         return -EINVAL;
0485 
0486     uarg = u64_to_user_ptr(buf.buf_ptr);
0487     if (copy_from_user(&arg, uarg, sizeof(arg)))
0488         return -EFAULT;
0489 
0490     if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
0491         return -EINVAL;
0492 
0493     if (arg.num_params) {
0494         params = kcalloc(arg.num_params, sizeof(struct tee_param),
0495                  GFP_KERNEL);
0496         if (!params)
0497             return -ENOMEM;
0498         uparams = uarg->params;
0499         rc = params_from_user(ctx, params, arg.num_params, uparams);
0500         if (rc)
0501             goto out;
0502     }
0503 
0504     if (arg.clnt_login >= TEE_IOCTL_LOGIN_REE_KERNEL_MIN &&
0505         arg.clnt_login <= TEE_IOCTL_LOGIN_REE_KERNEL_MAX) {
0506         pr_debug("login method not allowed for user-space client\n");
0507         rc = -EPERM;
0508         goto out;
0509     }
0510 
0511     rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
0512     if (rc)
0513         goto out;
0514     have_session = true;
0515 
0516     if (put_user(arg.session, &uarg->session) ||
0517         put_user(arg.ret, &uarg->ret) ||
0518         put_user(arg.ret_origin, &uarg->ret_origin)) {
0519         rc = -EFAULT;
0520         goto out;
0521     }
0522     rc = params_to_user(uparams, arg.num_params, params);
0523 out:
0524     /*
0525      * If we've succeeded to open the session but failed to communicate
0526      * it back to user space, close the session again to avoid leakage.
0527      */
0528     if (rc && have_session && ctx->teedev->desc->ops->close_session)
0529         ctx->teedev->desc->ops->close_session(ctx, arg.session);
0530 
0531     if (params) {
0532         /* Decrease ref count for all valid shared memory pointers */
0533         for (n = 0; n < arg.num_params; n++)
0534             if (tee_param_is_memref(params + n) &&
0535                 params[n].u.memref.shm)
0536                 tee_shm_put(params[n].u.memref.shm);
0537         kfree(params);
0538     }
0539 
0540     return rc;
0541 }
0542 
0543 static int tee_ioctl_invoke(struct tee_context *ctx,
0544                 struct tee_ioctl_buf_data __user *ubuf)
0545 {
0546     int rc;
0547     size_t n;
0548     struct tee_ioctl_buf_data buf;
0549     struct tee_ioctl_invoke_arg __user *uarg;
0550     struct tee_ioctl_invoke_arg arg;
0551     struct tee_ioctl_param __user *uparams = NULL;
0552     struct tee_param *params = NULL;
0553 
0554     if (!ctx->teedev->desc->ops->invoke_func)
0555         return -EINVAL;
0556 
0557     if (copy_from_user(&buf, ubuf, sizeof(buf)))
0558         return -EFAULT;
0559 
0560     if (buf.buf_len > TEE_MAX_ARG_SIZE ||
0561         buf.buf_len < sizeof(struct tee_ioctl_invoke_arg))
0562         return -EINVAL;
0563 
0564     uarg = u64_to_user_ptr(buf.buf_ptr);
0565     if (copy_from_user(&arg, uarg, sizeof(arg)))
0566         return -EFAULT;
0567 
0568     if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
0569         return -EINVAL;
0570 
0571     if (arg.num_params) {
0572         params = kcalloc(arg.num_params, sizeof(struct tee_param),
0573                  GFP_KERNEL);
0574         if (!params)
0575             return -ENOMEM;
0576         uparams = uarg->params;
0577         rc = params_from_user(ctx, params, arg.num_params, uparams);
0578         if (rc)
0579             goto out;
0580     }
0581 
0582     rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params);
0583     if (rc)
0584         goto out;
0585 
0586     if (put_user(arg.ret, &uarg->ret) ||
0587         put_user(arg.ret_origin, &uarg->ret_origin)) {
0588         rc = -EFAULT;
0589         goto out;
0590     }
0591     rc = params_to_user(uparams, arg.num_params, params);
0592 out:
0593     if (params) {
0594         /* Decrease ref count for all valid shared memory pointers */
0595         for (n = 0; n < arg.num_params; n++)
0596             if (tee_param_is_memref(params + n) &&
0597                 params[n].u.memref.shm)
0598                 tee_shm_put(params[n].u.memref.shm);
0599         kfree(params);
0600     }
0601     return rc;
0602 }
0603 
0604 static int tee_ioctl_cancel(struct tee_context *ctx,
0605                 struct tee_ioctl_cancel_arg __user *uarg)
0606 {
0607     struct tee_ioctl_cancel_arg arg;
0608 
0609     if (!ctx->teedev->desc->ops->cancel_req)
0610         return -EINVAL;
0611 
0612     if (copy_from_user(&arg, uarg, sizeof(arg)))
0613         return -EFAULT;
0614 
0615     return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id,
0616                           arg.session);
0617 }
0618 
0619 static int
0620 tee_ioctl_close_session(struct tee_context *ctx,
0621             struct tee_ioctl_close_session_arg __user *uarg)
0622 {
0623     struct tee_ioctl_close_session_arg arg;
0624 
0625     if (!ctx->teedev->desc->ops->close_session)
0626         return -EINVAL;
0627 
0628     if (copy_from_user(&arg, uarg, sizeof(arg)))
0629         return -EFAULT;
0630 
0631     return ctx->teedev->desc->ops->close_session(ctx, arg.session);
0632 }
0633 
0634 static int params_to_supp(struct tee_context *ctx,
0635               struct tee_ioctl_param __user *uparams,
0636               size_t num_params, struct tee_param *params)
0637 {
0638     size_t n;
0639 
0640     for (n = 0; n < num_params; n++) {
0641         struct tee_ioctl_param ip;
0642         struct tee_param *p = params + n;
0643 
0644         ip.attr = p->attr;
0645         switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
0646         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
0647         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
0648             ip.a = p->u.value.a;
0649             ip.b = p->u.value.b;
0650             ip.c = p->u.value.c;
0651             break;
0652         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
0653         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
0654         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
0655             ip.b = p->u.memref.size;
0656             if (!p->u.memref.shm) {
0657                 ip.a = 0;
0658                 ip.c = (u64)-1; /* invalid shm id */
0659                 break;
0660             }
0661             ip.a = p->u.memref.shm_offs;
0662             ip.c = p->u.memref.shm->id;
0663             break;
0664         default:
0665             ip.a = 0;
0666             ip.b = 0;
0667             ip.c = 0;
0668             break;
0669         }
0670 
0671         if (copy_to_user(uparams + n, &ip, sizeof(ip)))
0672             return -EFAULT;
0673     }
0674 
0675     return 0;
0676 }
0677 
0678 static int tee_ioctl_supp_recv(struct tee_context *ctx,
0679                    struct tee_ioctl_buf_data __user *ubuf)
0680 {
0681     int rc;
0682     struct tee_ioctl_buf_data buf;
0683     struct tee_iocl_supp_recv_arg __user *uarg;
0684     struct tee_param *params;
0685     u32 num_params;
0686     u32 func;
0687 
0688     if (!ctx->teedev->desc->ops->supp_recv)
0689         return -EINVAL;
0690 
0691     if (copy_from_user(&buf, ubuf, sizeof(buf)))
0692         return -EFAULT;
0693 
0694     if (buf.buf_len > TEE_MAX_ARG_SIZE ||
0695         buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg))
0696         return -EINVAL;
0697 
0698     uarg = u64_to_user_ptr(buf.buf_ptr);
0699     if (get_user(num_params, &uarg->num_params))
0700         return -EFAULT;
0701 
0702     if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
0703         return -EINVAL;
0704 
0705     params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
0706     if (!params)
0707         return -ENOMEM;
0708 
0709     rc = params_from_user(ctx, params, num_params, uarg->params);
0710     if (rc)
0711         goto out;
0712 
0713     rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params);
0714     if (rc)
0715         goto out;
0716 
0717     if (put_user(func, &uarg->func) ||
0718         put_user(num_params, &uarg->num_params)) {
0719         rc = -EFAULT;
0720         goto out;
0721     }
0722 
0723     rc = params_to_supp(ctx, uarg->params, num_params, params);
0724 out:
0725     kfree(params);
0726     return rc;
0727 }
0728 
0729 static int params_from_supp(struct tee_param *params, size_t num_params,
0730                 struct tee_ioctl_param __user *uparams)
0731 {
0732     size_t n;
0733 
0734     for (n = 0; n < num_params; n++) {
0735         struct tee_param *p = params + n;
0736         struct tee_ioctl_param ip;
0737 
0738         if (copy_from_user(&ip, uparams + n, sizeof(ip)))
0739             return -EFAULT;
0740 
0741         /* All unused attribute bits has to be zero */
0742         if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK)
0743             return -EINVAL;
0744 
0745         p->attr = ip.attr;
0746         switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
0747         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
0748         case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
0749             /* Only out and in/out values can be updated */
0750             p->u.value.a = ip.a;
0751             p->u.value.b = ip.b;
0752             p->u.value.c = ip.c;
0753             break;
0754         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
0755         case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
0756             /*
0757              * Only the size of the memref can be updated.
0758              * Since we don't have access to the original
0759              * parameters here, only store the supplied size.
0760              * The driver will copy the updated size into the
0761              * original parameters.
0762              */
0763             p->u.memref.shm = NULL;
0764             p->u.memref.shm_offs = 0;
0765             p->u.memref.size = ip.b;
0766             break;
0767         default:
0768             memset(&p->u, 0, sizeof(p->u));
0769             break;
0770         }
0771     }
0772     return 0;
0773 }
0774 
0775 static int tee_ioctl_supp_send(struct tee_context *ctx,
0776                    struct tee_ioctl_buf_data __user *ubuf)
0777 {
0778     long rc;
0779     struct tee_ioctl_buf_data buf;
0780     struct tee_iocl_supp_send_arg __user *uarg;
0781     struct tee_param *params;
0782     u32 num_params;
0783     u32 ret;
0784 
0785     /* Not valid for this driver */
0786     if (!ctx->teedev->desc->ops->supp_send)
0787         return -EINVAL;
0788 
0789     if (copy_from_user(&buf, ubuf, sizeof(buf)))
0790         return -EFAULT;
0791 
0792     if (buf.buf_len > TEE_MAX_ARG_SIZE ||
0793         buf.buf_len < sizeof(struct tee_iocl_supp_send_arg))
0794         return -EINVAL;
0795 
0796     uarg = u64_to_user_ptr(buf.buf_ptr);
0797     if (get_user(ret, &uarg->ret) ||
0798         get_user(num_params, &uarg->num_params))
0799         return -EFAULT;
0800 
0801     if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
0802         return -EINVAL;
0803 
0804     params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
0805     if (!params)
0806         return -ENOMEM;
0807 
0808     rc = params_from_supp(params, num_params, uarg->params);
0809     if (rc)
0810         goto out;
0811 
0812     rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params);
0813 out:
0814     kfree(params);
0815     return rc;
0816 }
0817 
0818 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
0819 {
0820     struct tee_context *ctx = filp->private_data;
0821     void __user *uarg = (void __user *)arg;
0822 
0823     switch (cmd) {
0824     case TEE_IOC_VERSION:
0825         return tee_ioctl_version(ctx, uarg);
0826     case TEE_IOC_SHM_ALLOC:
0827         return tee_ioctl_shm_alloc(ctx, uarg);
0828     case TEE_IOC_SHM_REGISTER:
0829         return tee_ioctl_shm_register(ctx, uarg);
0830     case TEE_IOC_OPEN_SESSION:
0831         return tee_ioctl_open_session(ctx, uarg);
0832     case TEE_IOC_INVOKE:
0833         return tee_ioctl_invoke(ctx, uarg);
0834     case TEE_IOC_CANCEL:
0835         return tee_ioctl_cancel(ctx, uarg);
0836     case TEE_IOC_CLOSE_SESSION:
0837         return tee_ioctl_close_session(ctx, uarg);
0838     case TEE_IOC_SUPPL_RECV:
0839         return tee_ioctl_supp_recv(ctx, uarg);
0840     case TEE_IOC_SUPPL_SEND:
0841         return tee_ioctl_supp_send(ctx, uarg);
0842     default:
0843         return -EINVAL;
0844     }
0845 }
0846 
0847 static const struct file_operations tee_fops = {
0848     .owner = THIS_MODULE,
0849     .open = tee_open,
0850     .release = tee_release,
0851     .unlocked_ioctl = tee_ioctl,
0852     .compat_ioctl = compat_ptr_ioctl,
0853 };
0854 
0855 static void tee_release_device(struct device *dev)
0856 {
0857     struct tee_device *teedev = container_of(dev, struct tee_device, dev);
0858 
0859     spin_lock(&driver_lock);
0860     clear_bit(teedev->id, dev_mask);
0861     spin_unlock(&driver_lock);
0862     mutex_destroy(&teedev->mutex);
0863     idr_destroy(&teedev->idr);
0864     kfree(teedev);
0865 }
0866 
0867 /**
0868  * tee_device_alloc() - Allocate a new struct tee_device instance
0869  * @teedesc:    Descriptor for this driver
0870  * @dev:    Parent device for this device
0871  * @pool:   Shared memory pool, NULL if not used
0872  * @driver_data: Private driver data for this device
0873  *
0874  * Allocates a new struct tee_device instance. The device is
0875  * removed by tee_device_unregister().
0876  *
0877  * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure
0878  */
0879 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc,
0880                     struct device *dev,
0881                     struct tee_shm_pool *pool,
0882                     void *driver_data)
0883 {
0884     struct tee_device *teedev;
0885     void *ret;
0886     int rc, max_id;
0887     int offs = 0;
0888 
0889     if (!teedesc || !teedesc->name || !teedesc->ops ||
0890         !teedesc->ops->get_version || !teedesc->ops->open ||
0891         !teedesc->ops->release || !pool)
0892         return ERR_PTR(-EINVAL);
0893 
0894     teedev = kzalloc(sizeof(*teedev), GFP_KERNEL);
0895     if (!teedev) {
0896         ret = ERR_PTR(-ENOMEM);
0897         goto err;
0898     }
0899 
0900     max_id = TEE_NUM_DEVICES / 2;
0901 
0902     if (teedesc->flags & TEE_DESC_PRIVILEGED) {
0903         offs = TEE_NUM_DEVICES / 2;
0904         max_id = TEE_NUM_DEVICES;
0905     }
0906 
0907     spin_lock(&driver_lock);
0908     teedev->id = find_next_zero_bit(dev_mask, max_id, offs);
0909     if (teedev->id < max_id)
0910         set_bit(teedev->id, dev_mask);
0911     spin_unlock(&driver_lock);
0912 
0913     if (teedev->id >= max_id) {
0914         ret = ERR_PTR(-ENOMEM);
0915         goto err;
0916     }
0917 
0918     snprintf(teedev->name, sizeof(teedev->name), "tee%s%d",
0919          teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "",
0920          teedev->id - offs);
0921 
0922     teedev->dev.class = tee_class;
0923     teedev->dev.release = tee_release_device;
0924     teedev->dev.parent = dev;
0925 
0926     teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id);
0927 
0928     rc = dev_set_name(&teedev->dev, "%s", teedev->name);
0929     if (rc) {
0930         ret = ERR_PTR(rc);
0931         goto err_devt;
0932     }
0933 
0934     cdev_init(&teedev->cdev, &tee_fops);
0935     teedev->cdev.owner = teedesc->owner;
0936 
0937     dev_set_drvdata(&teedev->dev, driver_data);
0938     device_initialize(&teedev->dev);
0939 
0940     /* 1 as tee_device_unregister() does one final tee_device_put() */
0941     teedev->num_users = 1;
0942     init_completion(&teedev->c_no_users);
0943     mutex_init(&teedev->mutex);
0944     idr_init(&teedev->idr);
0945 
0946     teedev->desc = teedesc;
0947     teedev->pool = pool;
0948 
0949     return teedev;
0950 err_devt:
0951     unregister_chrdev_region(teedev->dev.devt, 1);
0952 err:
0953     pr_err("could not register %s driver\n",
0954            teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client");
0955     if (teedev && teedev->id < TEE_NUM_DEVICES) {
0956         spin_lock(&driver_lock);
0957         clear_bit(teedev->id, dev_mask);
0958         spin_unlock(&driver_lock);
0959     }
0960     kfree(teedev);
0961     return ret;
0962 }
0963 EXPORT_SYMBOL_GPL(tee_device_alloc);
0964 
0965 static ssize_t implementation_id_show(struct device *dev,
0966                       struct device_attribute *attr, char *buf)
0967 {
0968     struct tee_device *teedev = container_of(dev, struct tee_device, dev);
0969     struct tee_ioctl_version_data vers;
0970 
0971     teedev->desc->ops->get_version(teedev, &vers);
0972     return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id);
0973 }
0974 static DEVICE_ATTR_RO(implementation_id);
0975 
0976 static struct attribute *tee_dev_attrs[] = {
0977     &dev_attr_implementation_id.attr,
0978     NULL
0979 };
0980 
0981 ATTRIBUTE_GROUPS(tee_dev);
0982 
0983 /**
0984  * tee_device_register() - Registers a TEE device
0985  * @teedev: Device to register
0986  *
0987  * tee_device_unregister() need to be called to remove the @teedev if
0988  * this function fails.
0989  *
0990  * @returns < 0 on failure
0991  */
0992 int tee_device_register(struct tee_device *teedev)
0993 {
0994     int rc;
0995 
0996     if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) {
0997         dev_err(&teedev->dev, "attempt to register twice\n");
0998         return -EINVAL;
0999     }
1000 
1001     teedev->dev.groups = tee_dev_groups;
1002 
1003     rc = cdev_device_add(&teedev->cdev, &teedev->dev);
1004     if (rc) {
1005         dev_err(&teedev->dev,
1006             "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n",
1007             teedev->name, MAJOR(teedev->dev.devt),
1008             MINOR(teedev->dev.devt), rc);
1009         return rc;
1010     }
1011 
1012     teedev->flags |= TEE_DEVICE_FLAG_REGISTERED;
1013     return 0;
1014 }
1015 EXPORT_SYMBOL_GPL(tee_device_register);
1016 
1017 void tee_device_put(struct tee_device *teedev)
1018 {
1019     mutex_lock(&teedev->mutex);
1020     /* Shouldn't put in this state */
1021     if (!WARN_ON(!teedev->desc)) {
1022         teedev->num_users--;
1023         if (!teedev->num_users) {
1024             teedev->desc = NULL;
1025             complete(&teedev->c_no_users);
1026         }
1027     }
1028     mutex_unlock(&teedev->mutex);
1029 }
1030 
1031 bool tee_device_get(struct tee_device *teedev)
1032 {
1033     mutex_lock(&teedev->mutex);
1034     if (!teedev->desc) {
1035         mutex_unlock(&teedev->mutex);
1036         return false;
1037     }
1038     teedev->num_users++;
1039     mutex_unlock(&teedev->mutex);
1040     return true;
1041 }
1042 
1043 /**
1044  * tee_device_unregister() - Removes a TEE device
1045  * @teedev: Device to unregister
1046  *
1047  * This function should be called to remove the @teedev even if
1048  * tee_device_register() hasn't been called yet. Does nothing if
1049  * @teedev is NULL.
1050  */
1051 void tee_device_unregister(struct tee_device *teedev)
1052 {
1053     if (!teedev)
1054         return;
1055 
1056     if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED)
1057         cdev_device_del(&teedev->cdev, &teedev->dev);
1058 
1059     tee_device_put(teedev);
1060     wait_for_completion(&teedev->c_no_users);
1061 
1062     /*
1063      * No need to take a mutex any longer now since teedev->desc was
1064      * set to NULL before teedev->c_no_users was completed.
1065      */
1066 
1067     teedev->pool = NULL;
1068 
1069     put_device(&teedev->dev);
1070 }
1071 EXPORT_SYMBOL_GPL(tee_device_unregister);
1072 
1073 /**
1074  * tee_get_drvdata() - Return driver_data pointer
1075  * @teedev: Device containing the driver_data pointer
1076  * @returns the driver_data pointer supplied to tee_device_alloc().
1077  */
1078 void *tee_get_drvdata(struct tee_device *teedev)
1079 {
1080     return dev_get_drvdata(&teedev->dev);
1081 }
1082 EXPORT_SYMBOL_GPL(tee_get_drvdata);
1083 
1084 struct match_dev_data {
1085     struct tee_ioctl_version_data *vers;
1086     const void *data;
1087     int (*match)(struct tee_ioctl_version_data *, const void *);
1088 };
1089 
1090 static int match_dev(struct device *dev, const void *data)
1091 {
1092     const struct match_dev_data *match_data = data;
1093     struct tee_device *teedev = container_of(dev, struct tee_device, dev);
1094 
1095     teedev->desc->ops->get_version(teedev, match_data->vers);
1096     return match_data->match(match_data->vers, match_data->data);
1097 }
1098 
1099 struct tee_context *
1100 tee_client_open_context(struct tee_context *start,
1101             int (*match)(struct tee_ioctl_version_data *,
1102                      const void *),
1103             const void *data, struct tee_ioctl_version_data *vers)
1104 {
1105     struct device *dev = NULL;
1106     struct device *put_dev = NULL;
1107     struct tee_context *ctx = NULL;
1108     struct tee_ioctl_version_data v;
1109     struct match_dev_data match_data = { vers ? vers : &v, data, match };
1110 
1111     if (start)
1112         dev = &start->teedev->dev;
1113 
1114     do {
1115         dev = class_find_device(tee_class, dev, &match_data, match_dev);
1116         if (!dev) {
1117             ctx = ERR_PTR(-ENOENT);
1118             break;
1119         }
1120 
1121         put_device(put_dev);
1122         put_dev = dev;
1123 
1124         ctx = teedev_open(container_of(dev, struct tee_device, dev));
1125     } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM);
1126 
1127     put_device(put_dev);
1128     /*
1129      * Default behaviour for in kernel client is to not wait for
1130      * tee-supplicant if not present for any requests in this context.
1131      * Also this flag could be configured again before call to
1132      * tee_client_open_session() if any in kernel client requires
1133      * different behaviour.
1134      */
1135     if (!IS_ERR(ctx))
1136         ctx->supp_nowait = true;
1137 
1138     return ctx;
1139 }
1140 EXPORT_SYMBOL_GPL(tee_client_open_context);
1141 
1142 void tee_client_close_context(struct tee_context *ctx)
1143 {
1144     teedev_close_context(ctx);
1145 }
1146 EXPORT_SYMBOL_GPL(tee_client_close_context);
1147 
1148 void tee_client_get_version(struct tee_context *ctx,
1149                 struct tee_ioctl_version_data *vers)
1150 {
1151     ctx->teedev->desc->ops->get_version(ctx->teedev, vers);
1152 }
1153 EXPORT_SYMBOL_GPL(tee_client_get_version);
1154 
1155 int tee_client_open_session(struct tee_context *ctx,
1156                 struct tee_ioctl_open_session_arg *arg,
1157                 struct tee_param *param)
1158 {
1159     if (!ctx->teedev->desc->ops->open_session)
1160         return -EINVAL;
1161     return ctx->teedev->desc->ops->open_session(ctx, arg, param);
1162 }
1163 EXPORT_SYMBOL_GPL(tee_client_open_session);
1164 
1165 int tee_client_close_session(struct tee_context *ctx, u32 session)
1166 {
1167     if (!ctx->teedev->desc->ops->close_session)
1168         return -EINVAL;
1169     return ctx->teedev->desc->ops->close_session(ctx, session);
1170 }
1171 EXPORT_SYMBOL_GPL(tee_client_close_session);
1172 
1173 int tee_client_invoke_func(struct tee_context *ctx,
1174                struct tee_ioctl_invoke_arg *arg,
1175                struct tee_param *param)
1176 {
1177     if (!ctx->teedev->desc->ops->invoke_func)
1178         return -EINVAL;
1179     return ctx->teedev->desc->ops->invoke_func(ctx, arg, param);
1180 }
1181 EXPORT_SYMBOL_GPL(tee_client_invoke_func);
1182 
1183 int tee_client_cancel_req(struct tee_context *ctx,
1184               struct tee_ioctl_cancel_arg *arg)
1185 {
1186     if (!ctx->teedev->desc->ops->cancel_req)
1187         return -EINVAL;
1188     return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id,
1189                           arg->session);
1190 }
1191 
1192 static int tee_client_device_match(struct device *dev,
1193                    struct device_driver *drv)
1194 {
1195     const struct tee_client_device_id *id_table;
1196     struct tee_client_device *tee_device;
1197 
1198     id_table = to_tee_client_driver(drv)->id_table;
1199     tee_device = to_tee_client_device(dev);
1200 
1201     while (!uuid_is_null(&id_table->uuid)) {
1202         if (uuid_equal(&tee_device->id.uuid, &id_table->uuid))
1203             return 1;
1204         id_table++;
1205     }
1206 
1207     return 0;
1208 }
1209 
1210 static int tee_client_device_uevent(struct device *dev,
1211                     struct kobj_uevent_env *env)
1212 {
1213     uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid;
1214 
1215     return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id);
1216 }
1217 
1218 struct bus_type tee_bus_type = {
1219     .name       = "tee",
1220     .match      = tee_client_device_match,
1221     .uevent     = tee_client_device_uevent,
1222 };
1223 EXPORT_SYMBOL_GPL(tee_bus_type);
1224 
1225 static int __init tee_init(void)
1226 {
1227     int rc;
1228 
1229     tee_class = class_create(THIS_MODULE, "tee");
1230     if (IS_ERR(tee_class)) {
1231         pr_err("couldn't create class\n");
1232         return PTR_ERR(tee_class);
1233     }
1234 
1235     rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee");
1236     if (rc) {
1237         pr_err("failed to allocate char dev region\n");
1238         goto out_unreg_class;
1239     }
1240 
1241     rc = bus_register(&tee_bus_type);
1242     if (rc) {
1243         pr_err("failed to register tee bus\n");
1244         goto out_unreg_chrdev;
1245     }
1246 
1247     return 0;
1248 
1249 out_unreg_chrdev:
1250     unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES);
1251 out_unreg_class:
1252     class_destroy(tee_class);
1253     tee_class = NULL;
1254 
1255     return rc;
1256 }
1257 
1258 static void __exit tee_exit(void)
1259 {
1260     bus_unregister(&tee_bus_type);
1261     unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES);
1262     class_destroy(tee_class);
1263     tee_class = NULL;
1264 }
1265 
1266 subsys_initcall(tee_init);
1267 module_exit(tee_exit);
1268 
1269 MODULE_AUTHOR("Linaro");
1270 MODULE_DESCRIPTION("TEE Driver");
1271 MODULE_VERSION("1.0");
1272 MODULE_LICENSE("GPL v2");
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!