1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015-2016, Linaro Limited
4 */
5
6 #define pr_fmt(fmt) "%s: " fmt, __func__
7
8 #include <linux/cdev.h>
9 #include <linux/cred.h>
10 #include <linux/fs.h>
11 #include <linux/idr.h>
12 #include <linux/module.h>
13 #include <linux/slab.h>
14 #include <linux/tee_drv.h>
15 #include <linux/uaccess.h>
16 #include <crypto/hash.h>
17 #include <crypto/sha1.h>
18 #include "tee_private.h"
19
20 #define TEE_NUM_DEVICES 32
21
22 #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
23
24 #define TEE_UUID_NS_NAME_SIZE 128
25
26 /*
27 * TEE Client UUID name space identifier (UUIDv4)
28 *
29 * Value here is random UUID that is allocated as name space identifier for
30 * forming Client UUID's for TEE environment using UUIDv5 scheme.
31 */
32 static const uuid_t tee_client_uuid_ns = UUID_INIT(0x58ac9ca0, 0x2086, 0x4683,
33 0xa1, 0xb8, 0xec, 0x4b,
34 0xc0, 0x8e, 0x01, 0xb6);
35
36 /*
37 * Unprivileged devices in the lower half range and privileged devices in
38 * the upper half range.
39 */
40 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES);
41 static DEFINE_SPINLOCK(driver_lock);
42
43 static struct class *tee_class;
44 static dev_t tee_devt;
45
teedev_open(struct tee_device * teedev)46 struct tee_context *teedev_open(struct tee_device *teedev)
47 {
48 int rc;
49 struct tee_context *ctx;
50
51 if (!tee_device_get(teedev))
52 return ERR_PTR(-EINVAL);
53
54 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
55 if (!ctx) {
56 rc = -ENOMEM;
57 goto err;
58 }
59
60 kref_init(&ctx->refcount);
61 ctx->teedev = teedev;
62 rc = teedev->desc->ops->open(ctx);
63 if (rc)
64 goto err;
65
66 return ctx;
67 err:
68 kfree(ctx);
69 tee_device_put(teedev);
70 return ERR_PTR(rc);
71
72 }
73 EXPORT_SYMBOL_GPL(teedev_open);
74
teedev_ctx_get(struct tee_context * ctx)75 void teedev_ctx_get(struct tee_context *ctx)
76 {
77 if (ctx->releasing)
78 return;
79
80 kref_get(&ctx->refcount);
81 }
82
teedev_ctx_release(struct kref * ref)83 static void teedev_ctx_release(struct kref *ref)
84 {
85 struct tee_context *ctx = container_of(ref, struct tee_context,
86 refcount);
87 ctx->releasing = true;
88 ctx->teedev->desc->ops->release(ctx);
89 kfree(ctx);
90 }
91
teedev_ctx_put(struct tee_context * ctx)92 void teedev_ctx_put(struct tee_context *ctx)
93 {
94 if (ctx->releasing)
95 return;
96
97 kref_put(&ctx->refcount, teedev_ctx_release);
98 }
99
teedev_close_context(struct tee_context * ctx)100 void teedev_close_context(struct tee_context *ctx)
101 {
102 struct tee_device *teedev = ctx->teedev;
103
104 teedev_ctx_put(ctx);
105 tee_device_put(teedev);
106 }
107 EXPORT_SYMBOL_GPL(teedev_close_context);
108
tee_open(struct inode * inode,struct file * filp)109 static int tee_open(struct inode *inode, struct file *filp)
110 {
111 struct tee_context *ctx;
112
113 ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev));
114 if (IS_ERR(ctx))
115 return PTR_ERR(ctx);
116
117 /*
118 * Default user-space behaviour is to wait for tee-supplicant
119 * if not present for any requests in this context.
120 */
121 ctx->supp_nowait = false;
122 filp->private_data = ctx;
123 return 0;
124 }
125
tee_release(struct inode * inode,struct file * filp)126 static int tee_release(struct inode *inode, struct file *filp)
127 {
128 teedev_close_context(filp->private_data);
129 return 0;
130 }
131
132 /**
133 * uuid_v5() - Calculate UUIDv5
134 * @uuid: Resulting UUID
135 * @ns: Name space ID for UUIDv5 function
136 * @name: Name for UUIDv5 function
137 * @size: Size of name
138 *
139 * UUIDv5 is specific in RFC 4122.
140 *
141 * This implements section (for SHA-1):
142 * 4.3. Algorithm for Creating a Name-Based UUID
143 */
uuid_v5(uuid_t * uuid,const uuid_t * ns,const void * name,size_t size)144 static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name,
145 size_t size)
146 {
147 unsigned char hash[SHA1_DIGEST_SIZE];
148 struct crypto_shash *shash = NULL;
149 struct shash_desc *desc = NULL;
150 int rc;
151
152 shash = crypto_alloc_shash("sha1", 0, 0);
153 if (IS_ERR(shash)) {
154 rc = PTR_ERR(shash);
155 pr_err("shash(sha1) allocation failed\n");
156 return rc;
157 }
158
159 desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash),
160 GFP_KERNEL);
161 if (!desc) {
162 rc = -ENOMEM;
163 goto out_free_shash;
164 }
165
166 desc->tfm = shash;
167
168 rc = crypto_shash_init(desc);
169 if (rc < 0)
170 goto out_free_desc;
171
172 rc = crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns));
173 if (rc < 0)
174 goto out_free_desc;
175
176 rc = crypto_shash_update(desc, (const u8 *)name, size);
177 if (rc < 0)
178 goto out_free_desc;
179
180 rc = crypto_shash_final(desc, hash);
181 if (rc < 0)
182 goto out_free_desc;
183
184 memcpy(uuid->b, hash, UUID_SIZE);
185
186 /* Tag for version 5 */
187 uuid->b[6] = (hash[6] & 0x0F) | 0x50;
188 uuid->b[8] = (hash[8] & 0x3F) | 0x80;
189
190 out_free_desc:
191 kfree(desc);
192
193 out_free_shash:
194 crypto_free_shash(shash);
195 return rc;
196 }
197
tee_session_calc_client_uuid(uuid_t * uuid,u32 connection_method,const u8 connection_data[TEE_IOCTL_UUID_LEN])198 int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method,
199 const u8 connection_data[TEE_IOCTL_UUID_LEN])
200 {
201 gid_t ns_grp = (gid_t)-1;
202 kgid_t grp = INVALID_GID;
203 char *name = NULL;
204 int name_len;
205 int rc;
206
207 if (connection_method == TEE_IOCTL_LOGIN_PUBLIC ||
208 connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) {
209 /* Nil UUID to be passed to TEE environment */
210 uuid_copy(uuid, &uuid_null);
211 return 0;
212 }
213
214 /*
215 * In Linux environment client UUID is based on UUIDv5.
216 *
217 * Determine client UUID with following semantics for 'name':
218 *
219 * For TEEC_LOGIN_USER:
220 * uid=<uid>
221 *
222 * For TEEC_LOGIN_GROUP:
223 * gid=<gid>
224 *
225 */
226
227 name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL);
228 if (!name)
229 return -ENOMEM;
230
231 switch (connection_method) {
232 case TEE_IOCTL_LOGIN_USER:
233 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x",
234 current_euid().val);
235 if (name_len >= TEE_UUID_NS_NAME_SIZE) {
236 rc = -E2BIG;
237 goto out_free_name;
238 }
239 break;
240
241 case TEE_IOCTL_LOGIN_GROUP:
242 memcpy(&ns_grp, connection_data, sizeof(gid_t));
243 grp = make_kgid(current_user_ns(), ns_grp);
244 if (!gid_valid(grp) || !in_egroup_p(grp)) {
245 rc = -EPERM;
246 goto out_free_name;
247 }
248
249 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x",
250 grp.val);
251 if (name_len >= TEE_UUID_NS_NAME_SIZE) {
252 rc = -E2BIG;
253 goto out_free_name;
254 }
255 break;
256
257 default:
258 rc = -EINVAL;
259 goto out_free_name;
260 }
261
262 rc = uuid_v5(uuid, &tee_client_uuid_ns, name, name_len);
263 out_free_name:
264 kfree(name);
265
266 return rc;
267 }
268 EXPORT_SYMBOL_GPL(tee_session_calc_client_uuid);
269
tee_ioctl_version(struct tee_context * ctx,struct tee_ioctl_version_data __user * uvers)270 static int tee_ioctl_version(struct tee_context *ctx,
271 struct tee_ioctl_version_data __user *uvers)
272 {
273 struct tee_ioctl_version_data vers;
274
275 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers);
276
277 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED)
278 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED;
279
280 if (copy_to_user(uvers, &vers, sizeof(vers)))
281 return -EFAULT;
282
283 return 0;
284 }
285
tee_ioctl_shm_alloc(struct tee_context * ctx,struct tee_ioctl_shm_alloc_data __user * udata)286 static int tee_ioctl_shm_alloc(struct tee_context *ctx,
287 struct tee_ioctl_shm_alloc_data __user *udata)
288 {
289 long ret;
290 struct tee_ioctl_shm_alloc_data data;
291 struct tee_shm *shm;
292
293 if (copy_from_user(&data, udata, sizeof(data)))
294 return -EFAULT;
295
296 /* Currently no input flags are supported */
297 if (data.flags)
298 return -EINVAL;
299
300 shm = tee_shm_alloc_user_buf(ctx, data.size);
301 if (IS_ERR(shm))
302 return PTR_ERR(shm);
303
304 data.id = shm->id;
305 data.size = shm->size;
306
307 if (copy_to_user(udata, &data, sizeof(data)))
308 ret = -EFAULT;
309 else
310 ret = tee_shm_get_fd(shm);
311
312 /*
313 * When user space closes the file descriptor the shared memory
314 * should be freed or if tee_shm_get_fd() failed then it will
315 * be freed immediately.
316 */
317 tee_shm_put(shm);
318 return ret;
319 }
320
321 static int
tee_ioctl_shm_register(struct tee_context * ctx,struct tee_ioctl_shm_register_data __user * udata)322 tee_ioctl_shm_register(struct tee_context *ctx,
323 struct tee_ioctl_shm_register_data __user *udata)
324 {
325 long ret;
326 struct tee_ioctl_shm_register_data data;
327 struct tee_shm *shm;
328
329 if (copy_from_user(&data, udata, sizeof(data)))
330 return -EFAULT;
331
332 /* Currently no input flags are supported */
333 if (data.flags)
334 return -EINVAL;
335
336 shm = tee_shm_register_user_buf(ctx, data.addr, data.length);
337 if (IS_ERR(shm))
338 return PTR_ERR(shm);
339
340 data.id = shm->id;
341 data.length = shm->size;
342
343 if (copy_to_user(udata, &data, sizeof(data)))
344 ret = -EFAULT;
345 else
346 ret = tee_shm_get_fd(shm);
347 /*
348 * When user space closes the file descriptor the shared memory
349 * should be freed or if tee_shm_get_fd() failed then it will
350 * be freed immediately.
351 */
352 tee_shm_put(shm);
353 return ret;
354 }
355
params_from_user(struct tee_context * ctx,struct tee_param * params,size_t num_params,struct tee_ioctl_param __user * uparams)356 static int params_from_user(struct tee_context *ctx, struct tee_param *params,
357 size_t num_params,
358 struct tee_ioctl_param __user *uparams)
359 {
360 size_t n;
361
362 for (n = 0; n < num_params; n++) {
363 struct tee_shm *shm;
364 struct tee_ioctl_param ip;
365
366 if (copy_from_user(&ip, uparams + n, sizeof(ip)))
367 return -EFAULT;
368
369 /* All unused attribute bits has to be zero */
370 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK)
371 return -EINVAL;
372
373 params[n].attr = ip.attr;
374 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
375 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE:
376 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
377 break;
378 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
379 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
380 params[n].u.value.a = ip.a;
381 params[n].u.value.b = ip.b;
382 params[n].u.value.c = ip.c;
383 break;
384 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
385 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
386 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
387 /*
388 * If a NULL pointer is passed to a TA in the TEE,
389 * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL
390 * indicating a NULL memory reference.
391 */
392 if (ip.c != TEE_MEMREF_NULL) {
393 /*
394 * If we fail to get a pointer to a shared
395 * memory object (and increase the ref count)
396 * from an identifier we return an error. All
397 * pointers that has been added in params have
398 * an increased ref count. It's the callers
399 * responibility to do tee_shm_put() on all
400 * resolved pointers.
401 */
402 shm = tee_shm_get_from_id(ctx, ip.c);
403 if (IS_ERR(shm))
404 return PTR_ERR(shm);
405
406 /*
407 * Ensure offset + size does not overflow
408 * offset and does not overflow the size of
409 * the referred shared memory object.
410 */
411 if ((ip.a + ip.b) < ip.a ||
412 (ip.a + ip.b) > shm->size) {
413 tee_shm_put(shm);
414 return -EINVAL;
415 }
416 } else if (ctx->cap_memref_null) {
417 /* Pass NULL pointer to OP-TEE */
418 shm = NULL;
419 } else {
420 return -EINVAL;
421 }
422
423 params[n].u.memref.shm_offs = ip.a;
424 params[n].u.memref.size = ip.b;
425 params[n].u.memref.shm = shm;
426 break;
427 default:
428 /* Unknown attribute */
429 return -EINVAL;
430 }
431 }
432 return 0;
433 }
434
params_to_user(struct tee_ioctl_param __user * uparams,size_t num_params,struct tee_param * params)435 static int params_to_user(struct tee_ioctl_param __user *uparams,
436 size_t num_params, struct tee_param *params)
437 {
438 size_t n;
439
440 for (n = 0; n < num_params; n++) {
441 struct tee_ioctl_param __user *up = uparams + n;
442 struct tee_param *p = params + n;
443
444 switch (p->attr) {
445 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
446 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
447 if (put_user(p->u.value.a, &up->a) ||
448 put_user(p->u.value.b, &up->b) ||
449 put_user(p->u.value.c, &up->c))
450 return -EFAULT;
451 break;
452 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
453 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
454 if (put_user((u64)p->u.memref.size, &up->b))
455 return -EFAULT;
456 break;
457 default:
458 break;
459 }
460 }
461 return 0;
462 }
463
tee_ioctl_open_session(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)464 static int tee_ioctl_open_session(struct tee_context *ctx,
465 struct tee_ioctl_buf_data __user *ubuf)
466 {
467 int rc;
468 size_t n;
469 struct tee_ioctl_buf_data buf;
470 struct tee_ioctl_open_session_arg __user *uarg;
471 struct tee_ioctl_open_session_arg arg;
472 struct tee_ioctl_param __user *uparams = NULL;
473 struct tee_param *params = NULL;
474 bool have_session = false;
475
476 if (!ctx->teedev->desc->ops->open_session)
477 return -EINVAL;
478
479 if (copy_from_user(&buf, ubuf, sizeof(buf)))
480 return -EFAULT;
481
482 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
483 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg))
484 return -EINVAL;
485
486 uarg = u64_to_user_ptr(buf.buf_ptr);
487 if (copy_from_user(&arg, uarg, sizeof(arg)))
488 return -EFAULT;
489
490 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
491 return -EINVAL;
492
493 if (arg.num_params) {
494 params = kcalloc(arg.num_params, sizeof(struct tee_param),
495 GFP_KERNEL);
496 if (!params)
497 return -ENOMEM;
498 uparams = uarg->params;
499 rc = params_from_user(ctx, params, arg.num_params, uparams);
500 if (rc)
501 goto out;
502 }
503
504 if (arg.clnt_login >= TEE_IOCTL_LOGIN_REE_KERNEL_MIN &&
505 arg.clnt_login <= TEE_IOCTL_LOGIN_REE_KERNEL_MAX) {
506 pr_debug("login method not allowed for user-space client\n");
507 rc = -EPERM;
508 goto out;
509 }
510
511 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
512 if (rc)
513 goto out;
514 have_session = true;
515
516 if (put_user(arg.session, &uarg->session) ||
517 put_user(arg.ret, &uarg->ret) ||
518 put_user(arg.ret_origin, &uarg->ret_origin)) {
519 rc = -EFAULT;
520 goto out;
521 }
522 rc = params_to_user(uparams, arg.num_params, params);
523 out:
524 /*
525 * If we've succeeded to open the session but failed to communicate
526 * it back to user space, close the session again to avoid leakage.
527 */
528 if (rc && have_session && ctx->teedev->desc->ops->close_session)
529 ctx->teedev->desc->ops->close_session(ctx, arg.session);
530
531 if (params) {
532 /* Decrease ref count for all valid shared memory pointers */
533 for (n = 0; n < arg.num_params; n++)
534 if (tee_param_is_memref(params + n) &&
535 params[n].u.memref.shm)
536 tee_shm_put(params[n].u.memref.shm);
537 kfree(params);
538 }
539
540 return rc;
541 }
542
tee_ioctl_invoke(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)543 static int tee_ioctl_invoke(struct tee_context *ctx,
544 struct tee_ioctl_buf_data __user *ubuf)
545 {
546 int rc;
547 size_t n;
548 struct tee_ioctl_buf_data buf;
549 struct tee_ioctl_invoke_arg __user *uarg;
550 struct tee_ioctl_invoke_arg arg;
551 struct tee_ioctl_param __user *uparams = NULL;
552 struct tee_param *params = NULL;
553
554 if (!ctx->teedev->desc->ops->invoke_func)
555 return -EINVAL;
556
557 if (copy_from_user(&buf, ubuf, sizeof(buf)))
558 return -EFAULT;
559
560 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
561 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg))
562 return -EINVAL;
563
564 uarg = u64_to_user_ptr(buf.buf_ptr);
565 if (copy_from_user(&arg, uarg, sizeof(arg)))
566 return -EFAULT;
567
568 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
569 return -EINVAL;
570
571 if (arg.num_params) {
572 params = kcalloc(arg.num_params, sizeof(struct tee_param),
573 GFP_KERNEL);
574 if (!params)
575 return -ENOMEM;
576 uparams = uarg->params;
577 rc = params_from_user(ctx, params, arg.num_params, uparams);
578 if (rc)
579 goto out;
580 }
581
582 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params);
583 if (rc)
584 goto out;
585
586 if (put_user(arg.ret, &uarg->ret) ||
587 put_user(arg.ret_origin, &uarg->ret_origin)) {
588 rc = -EFAULT;
589 goto out;
590 }
591 rc = params_to_user(uparams, arg.num_params, params);
592 out:
593 if (params) {
594 /* Decrease ref count for all valid shared memory pointers */
595 for (n = 0; n < arg.num_params; n++)
596 if (tee_param_is_memref(params + n) &&
597 params[n].u.memref.shm)
598 tee_shm_put(params[n].u.memref.shm);
599 kfree(params);
600 }
601 return rc;
602 }
603
tee_ioctl_cancel(struct tee_context * ctx,struct tee_ioctl_cancel_arg __user * uarg)604 static int tee_ioctl_cancel(struct tee_context *ctx,
605 struct tee_ioctl_cancel_arg __user *uarg)
606 {
607 struct tee_ioctl_cancel_arg arg;
608
609 if (!ctx->teedev->desc->ops->cancel_req)
610 return -EINVAL;
611
612 if (copy_from_user(&arg, uarg, sizeof(arg)))
613 return -EFAULT;
614
615 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id,
616 arg.session);
617 }
618
619 static int
tee_ioctl_close_session(struct tee_context * ctx,struct tee_ioctl_close_session_arg __user * uarg)620 tee_ioctl_close_session(struct tee_context *ctx,
621 struct tee_ioctl_close_session_arg __user *uarg)
622 {
623 struct tee_ioctl_close_session_arg arg;
624
625 if (!ctx->teedev->desc->ops->close_session)
626 return -EINVAL;
627
628 if (copy_from_user(&arg, uarg, sizeof(arg)))
629 return -EFAULT;
630
631 return ctx->teedev->desc->ops->close_session(ctx, arg.session);
632 }
633
params_to_supp(struct tee_context * ctx,struct tee_ioctl_param __user * uparams,size_t num_params,struct tee_param * params)634 static int params_to_supp(struct tee_context *ctx,
635 struct tee_ioctl_param __user *uparams,
636 size_t num_params, struct tee_param *params)
637 {
638 size_t n;
639
640 for (n = 0; n < num_params; n++) {
641 struct tee_ioctl_param ip;
642 struct tee_param *p = params + n;
643
644 ip.attr = p->attr;
645 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
646 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
647 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
648 ip.a = p->u.value.a;
649 ip.b = p->u.value.b;
650 ip.c = p->u.value.c;
651 break;
652 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
653 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
654 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
655 ip.b = p->u.memref.size;
656 if (!p->u.memref.shm) {
657 ip.a = 0;
658 ip.c = (u64)-1; /* invalid shm id */
659 break;
660 }
661 ip.a = p->u.memref.shm_offs;
662 ip.c = p->u.memref.shm->id;
663 break;
664 default:
665 ip.a = 0;
666 ip.b = 0;
667 ip.c = 0;
668 break;
669 }
670
671 if (copy_to_user(uparams + n, &ip, sizeof(ip)))
672 return -EFAULT;
673 }
674
675 return 0;
676 }
677
tee_ioctl_supp_recv(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)678 static int tee_ioctl_supp_recv(struct tee_context *ctx,
679 struct tee_ioctl_buf_data __user *ubuf)
680 {
681 int rc;
682 struct tee_ioctl_buf_data buf;
683 struct tee_iocl_supp_recv_arg __user *uarg;
684 struct tee_param *params;
685 u32 num_params;
686 u32 func;
687
688 if (!ctx->teedev->desc->ops->supp_recv)
689 return -EINVAL;
690
691 if (copy_from_user(&buf, ubuf, sizeof(buf)))
692 return -EFAULT;
693
694 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
695 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg))
696 return -EINVAL;
697
698 uarg = u64_to_user_ptr(buf.buf_ptr);
699 if (get_user(num_params, &uarg->num_params))
700 return -EFAULT;
701
702 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
703 return -EINVAL;
704
705 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
706 if (!params)
707 return -ENOMEM;
708
709 rc = params_from_user(ctx, params, num_params, uarg->params);
710 if (rc)
711 goto out;
712
713 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params);
714 if (rc)
715 goto out;
716
717 if (put_user(func, &uarg->func) ||
718 put_user(num_params, &uarg->num_params)) {
719 rc = -EFAULT;
720 goto out;
721 }
722
723 rc = params_to_supp(ctx, uarg->params, num_params, params);
724 out:
725 kfree(params);
726 return rc;
727 }
728
params_from_supp(struct tee_param * params,size_t num_params,struct tee_ioctl_param __user * uparams)729 static int params_from_supp(struct tee_param *params, size_t num_params,
730 struct tee_ioctl_param __user *uparams)
731 {
732 size_t n;
733
734 for (n = 0; n < num_params; n++) {
735 struct tee_param *p = params + n;
736 struct tee_ioctl_param ip;
737
738 if (copy_from_user(&ip, uparams + n, sizeof(ip)))
739 return -EFAULT;
740
741 /* All unused attribute bits has to be zero */
742 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK)
743 return -EINVAL;
744
745 p->attr = ip.attr;
746 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
747 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
748 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
749 /* Only out and in/out values can be updated */
750 p->u.value.a = ip.a;
751 p->u.value.b = ip.b;
752 p->u.value.c = ip.c;
753 break;
754 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
755 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
756 /*
757 * Only the size of the memref can be updated.
758 * Since we don't have access to the original
759 * parameters here, only store the supplied size.
760 * The driver will copy the updated size into the
761 * original parameters.
762 */
763 p->u.memref.shm = NULL;
764 p->u.memref.shm_offs = 0;
765 p->u.memref.size = ip.b;
766 break;
767 default:
768 memset(&p->u, 0, sizeof(p->u));
769 break;
770 }
771 }
772 return 0;
773 }
774
tee_ioctl_supp_send(struct tee_context * ctx,struct tee_ioctl_buf_data __user * ubuf)775 static int tee_ioctl_supp_send(struct tee_context *ctx,
776 struct tee_ioctl_buf_data __user *ubuf)
777 {
778 long rc;
779 struct tee_ioctl_buf_data buf;
780 struct tee_iocl_supp_send_arg __user *uarg;
781 struct tee_param *params;
782 u32 num_params;
783 u32 ret;
784
785 /* Not valid for this driver */
786 if (!ctx->teedev->desc->ops->supp_send)
787 return -EINVAL;
788
789 if (copy_from_user(&buf, ubuf, sizeof(buf)))
790 return -EFAULT;
791
792 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
793 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg))
794 return -EINVAL;
795
796 uarg = u64_to_user_ptr(buf.buf_ptr);
797 if (get_user(ret, &uarg->ret) ||
798 get_user(num_params, &uarg->num_params))
799 return -EFAULT;
800
801 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
802 return -EINVAL;
803
804 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
805 if (!params)
806 return -ENOMEM;
807
808 rc = params_from_supp(params, num_params, uarg->params);
809 if (rc)
810 goto out;
811
812 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params);
813 out:
814 kfree(params);
815 return rc;
816 }
817
tee_ioctl(struct file * filp,unsigned int cmd,unsigned long arg)818 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
819 {
820 struct tee_context *ctx = filp->private_data;
821 void __user *uarg = (void __user *)arg;
822
823 switch (cmd) {
824 case TEE_IOC_VERSION:
825 return tee_ioctl_version(ctx, uarg);
826 case TEE_IOC_SHM_ALLOC:
827 return tee_ioctl_shm_alloc(ctx, uarg);
828 case TEE_IOC_SHM_REGISTER:
829 return tee_ioctl_shm_register(ctx, uarg);
830 case TEE_IOC_OPEN_SESSION:
831 return tee_ioctl_open_session(ctx, uarg);
832 case TEE_IOC_INVOKE:
833 return tee_ioctl_invoke(ctx, uarg);
834 case TEE_IOC_CANCEL:
835 return tee_ioctl_cancel(ctx, uarg);
836 case TEE_IOC_CLOSE_SESSION:
837 return tee_ioctl_close_session(ctx, uarg);
838 case TEE_IOC_SUPPL_RECV:
839 return tee_ioctl_supp_recv(ctx, uarg);
840 case TEE_IOC_SUPPL_SEND:
841 return tee_ioctl_supp_send(ctx, uarg);
842 default:
843 return -EINVAL;
844 }
845 }
846
847 static const struct file_operations tee_fops = {
848 .owner = THIS_MODULE,
849 .open = tee_open,
850 .release = tee_release,
851 .unlocked_ioctl = tee_ioctl,
852 .compat_ioctl = compat_ptr_ioctl,
853 };
854
tee_release_device(struct device * dev)855 static void tee_release_device(struct device *dev)
856 {
857 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
858
859 spin_lock(&driver_lock);
860 clear_bit(teedev->id, dev_mask);
861 spin_unlock(&driver_lock);
862 mutex_destroy(&teedev->mutex);
863 idr_destroy(&teedev->idr);
864 kfree(teedev);
865 }
866
867 /**
868 * tee_device_alloc() - Allocate a new struct tee_device instance
869 * @teedesc: Descriptor for this driver
870 * @dev: Parent device for this device
871 * @pool: Shared memory pool, NULL if not used
872 * @driver_data: Private driver data for this device
873 *
874 * Allocates a new struct tee_device instance. The device is
875 * removed by tee_device_unregister().
876 *
877 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure
878 */
tee_device_alloc(const struct tee_desc * teedesc,struct device * dev,struct tee_shm_pool * pool,void * driver_data)879 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc,
880 struct device *dev,
881 struct tee_shm_pool *pool,
882 void *driver_data)
883 {
884 struct tee_device *teedev;
885 void *ret;
886 int rc, max_id;
887 int offs = 0;
888
889 if (!teedesc || !teedesc->name || !teedesc->ops ||
890 !teedesc->ops->get_version || !teedesc->ops->open ||
891 !teedesc->ops->release || !pool)
892 return ERR_PTR(-EINVAL);
893
894 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL);
895 if (!teedev) {
896 ret = ERR_PTR(-ENOMEM);
897 goto err;
898 }
899
900 max_id = TEE_NUM_DEVICES / 2;
901
902 if (teedesc->flags & TEE_DESC_PRIVILEGED) {
903 offs = TEE_NUM_DEVICES / 2;
904 max_id = TEE_NUM_DEVICES;
905 }
906
907 spin_lock(&driver_lock);
908 teedev->id = find_next_zero_bit(dev_mask, max_id, offs);
909 if (teedev->id < max_id)
910 set_bit(teedev->id, dev_mask);
911 spin_unlock(&driver_lock);
912
913 if (teedev->id >= max_id) {
914 ret = ERR_PTR(-ENOMEM);
915 goto err;
916 }
917
918 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d",
919 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "",
920 teedev->id - offs);
921
922 teedev->dev.class = tee_class;
923 teedev->dev.release = tee_release_device;
924 teedev->dev.parent = dev;
925
926 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id);
927
928 rc = dev_set_name(&teedev->dev, "%s", teedev->name);
929 if (rc) {
930 ret = ERR_PTR(rc);
931 goto err_devt;
932 }
933
934 cdev_init(&teedev->cdev, &tee_fops);
935 teedev->cdev.owner = teedesc->owner;
936
937 dev_set_drvdata(&teedev->dev, driver_data);
938 device_initialize(&teedev->dev);
939
940 /* 1 as tee_device_unregister() does one final tee_device_put() */
941 teedev->num_users = 1;
942 init_completion(&teedev->c_no_users);
943 mutex_init(&teedev->mutex);
944 idr_init(&teedev->idr);
945
946 teedev->desc = teedesc;
947 teedev->pool = pool;
948
949 return teedev;
950 err_devt:
951 unregister_chrdev_region(teedev->dev.devt, 1);
952 err:
953 pr_err("could not register %s driver\n",
954 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client");
955 if (teedev && teedev->id < TEE_NUM_DEVICES) {
956 spin_lock(&driver_lock);
957 clear_bit(teedev->id, dev_mask);
958 spin_unlock(&driver_lock);
959 }
960 kfree(teedev);
961 return ret;
962 }
963 EXPORT_SYMBOL_GPL(tee_device_alloc);
964
implementation_id_show(struct device * dev,struct device_attribute * attr,char * buf)965 static ssize_t implementation_id_show(struct device *dev,
966 struct device_attribute *attr, char *buf)
967 {
968 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
969 struct tee_ioctl_version_data vers;
970
971 teedev->desc->ops->get_version(teedev, &vers);
972 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id);
973 }
974 static DEVICE_ATTR_RO(implementation_id);
975
976 static struct attribute *tee_dev_attrs[] = {
977 &dev_attr_implementation_id.attr,
978 NULL
979 };
980
981 ATTRIBUTE_GROUPS(tee_dev);
982
983 /**
984 * tee_device_register() - Registers a TEE device
985 * @teedev: Device to register
986 *
987 * tee_device_unregister() need to be called to remove the @teedev if
988 * this function fails.
989 *
990 * @returns < 0 on failure
991 */
tee_device_register(struct tee_device * teedev)992 int tee_device_register(struct tee_device *teedev)
993 {
994 int rc;
995
996 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) {
997 dev_err(&teedev->dev, "attempt to register twice\n");
998 return -EINVAL;
999 }
1000
1001 teedev->dev.groups = tee_dev_groups;
1002
1003 rc = cdev_device_add(&teedev->cdev, &teedev->dev);
1004 if (rc) {
1005 dev_err(&teedev->dev,
1006 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n",
1007 teedev->name, MAJOR(teedev->dev.devt),
1008 MINOR(teedev->dev.devt), rc);
1009 return rc;
1010 }
1011
1012 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED;
1013 return 0;
1014 }
1015 EXPORT_SYMBOL_GPL(tee_device_register);
1016
tee_device_put(struct tee_device * teedev)1017 void tee_device_put(struct tee_device *teedev)
1018 {
1019 mutex_lock(&teedev->mutex);
1020 /* Shouldn't put in this state */
1021 if (!WARN_ON(!teedev->desc)) {
1022 teedev->num_users--;
1023 if (!teedev->num_users) {
1024 teedev->desc = NULL;
1025 complete(&teedev->c_no_users);
1026 }
1027 }
1028 mutex_unlock(&teedev->mutex);
1029 }
1030
tee_device_get(struct tee_device * teedev)1031 bool tee_device_get(struct tee_device *teedev)
1032 {
1033 mutex_lock(&teedev->mutex);
1034 if (!teedev->desc) {
1035 mutex_unlock(&teedev->mutex);
1036 return false;
1037 }
1038 teedev->num_users++;
1039 mutex_unlock(&teedev->mutex);
1040 return true;
1041 }
1042
1043 /**
1044 * tee_device_unregister() - Removes a TEE device
1045 * @teedev: Device to unregister
1046 *
1047 * This function should be called to remove the @teedev even if
1048 * tee_device_register() hasn't been called yet. Does nothing if
1049 * @teedev is NULL.
1050 */
tee_device_unregister(struct tee_device * teedev)1051 void tee_device_unregister(struct tee_device *teedev)
1052 {
1053 if (!teedev)
1054 return;
1055
1056 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED)
1057 cdev_device_del(&teedev->cdev, &teedev->dev);
1058
1059 tee_device_put(teedev);
1060 wait_for_completion(&teedev->c_no_users);
1061
1062 /*
1063 * No need to take a mutex any longer now since teedev->desc was
1064 * set to NULL before teedev->c_no_users was completed.
1065 */
1066
1067 teedev->pool = NULL;
1068
1069 put_device(&teedev->dev);
1070 }
1071 EXPORT_SYMBOL_GPL(tee_device_unregister);
1072
1073 /**
1074 * tee_get_drvdata() - Return driver_data pointer
1075 * @teedev: Device containing the driver_data pointer
1076 * @returns the driver_data pointer supplied to tee_device_alloc().
1077 */
tee_get_drvdata(struct tee_device * teedev)1078 void *tee_get_drvdata(struct tee_device *teedev)
1079 {
1080 return dev_get_drvdata(&teedev->dev);
1081 }
1082 EXPORT_SYMBOL_GPL(tee_get_drvdata);
1083
1084 struct match_dev_data {
1085 struct tee_ioctl_version_data *vers;
1086 const void *data;
1087 int (*match)(struct tee_ioctl_version_data *, const void *);
1088 };
1089
match_dev(struct device * dev,const void * data)1090 static int match_dev(struct device *dev, const void *data)
1091 {
1092 const struct match_dev_data *match_data = data;
1093 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
1094
1095 teedev->desc->ops->get_version(teedev, match_data->vers);
1096 return match_data->match(match_data->vers, match_data->data);
1097 }
1098
1099 struct tee_context *
tee_client_open_context(struct tee_context * start,int (* match)(struct tee_ioctl_version_data *,const void *),const void * data,struct tee_ioctl_version_data * vers)1100 tee_client_open_context(struct tee_context *start,
1101 int (*match)(struct tee_ioctl_version_data *,
1102 const void *),
1103 const void *data, struct tee_ioctl_version_data *vers)
1104 {
1105 struct device *dev = NULL;
1106 struct device *put_dev = NULL;
1107 struct tee_context *ctx = NULL;
1108 struct tee_ioctl_version_data v;
1109 struct match_dev_data match_data = { vers ? vers : &v, data, match };
1110
1111 if (start)
1112 dev = &start->teedev->dev;
1113
1114 do {
1115 dev = class_find_device(tee_class, dev, &match_data, match_dev);
1116 if (!dev) {
1117 ctx = ERR_PTR(-ENOENT);
1118 break;
1119 }
1120
1121 put_device(put_dev);
1122 put_dev = dev;
1123
1124 ctx = teedev_open(container_of(dev, struct tee_device, dev));
1125 } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM);
1126
1127 put_device(put_dev);
1128 /*
1129 * Default behaviour for in kernel client is to not wait for
1130 * tee-supplicant if not present for any requests in this context.
1131 * Also this flag could be configured again before call to
1132 * tee_client_open_session() if any in kernel client requires
1133 * different behaviour.
1134 */
1135 if (!IS_ERR(ctx))
1136 ctx->supp_nowait = true;
1137
1138 return ctx;
1139 }
1140 EXPORT_SYMBOL_GPL(tee_client_open_context);
1141
tee_client_close_context(struct tee_context * ctx)1142 void tee_client_close_context(struct tee_context *ctx)
1143 {
1144 teedev_close_context(ctx);
1145 }
1146 EXPORT_SYMBOL_GPL(tee_client_close_context);
1147
tee_client_get_version(struct tee_context * ctx,struct tee_ioctl_version_data * vers)1148 void tee_client_get_version(struct tee_context *ctx,
1149 struct tee_ioctl_version_data *vers)
1150 {
1151 ctx->teedev->desc->ops->get_version(ctx->teedev, vers);
1152 }
1153 EXPORT_SYMBOL_GPL(tee_client_get_version);
1154
tee_client_open_session(struct tee_context * ctx,struct tee_ioctl_open_session_arg * arg,struct tee_param * param)1155 int tee_client_open_session(struct tee_context *ctx,
1156 struct tee_ioctl_open_session_arg *arg,
1157 struct tee_param *param)
1158 {
1159 if (!ctx->teedev->desc->ops->open_session)
1160 return -EINVAL;
1161 return ctx->teedev->desc->ops->open_session(ctx, arg, param);
1162 }
1163 EXPORT_SYMBOL_GPL(tee_client_open_session);
1164
tee_client_close_session(struct tee_context * ctx,u32 session)1165 int tee_client_close_session(struct tee_context *ctx, u32 session)
1166 {
1167 if (!ctx->teedev->desc->ops->close_session)
1168 return -EINVAL;
1169 return ctx->teedev->desc->ops->close_session(ctx, session);
1170 }
1171 EXPORT_SYMBOL_GPL(tee_client_close_session);
1172
tee_client_invoke_func(struct tee_context * ctx,struct tee_ioctl_invoke_arg * arg,struct tee_param * param)1173 int tee_client_invoke_func(struct tee_context *ctx,
1174 struct tee_ioctl_invoke_arg *arg,
1175 struct tee_param *param)
1176 {
1177 if (!ctx->teedev->desc->ops->invoke_func)
1178 return -EINVAL;
1179 return ctx->teedev->desc->ops->invoke_func(ctx, arg, param);
1180 }
1181 EXPORT_SYMBOL_GPL(tee_client_invoke_func);
1182
tee_client_cancel_req(struct tee_context * ctx,struct tee_ioctl_cancel_arg * arg)1183 int tee_client_cancel_req(struct tee_context *ctx,
1184 struct tee_ioctl_cancel_arg *arg)
1185 {
1186 if (!ctx->teedev->desc->ops->cancel_req)
1187 return -EINVAL;
1188 return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id,
1189 arg->session);
1190 }
1191
tee_client_device_match(struct device * dev,struct device_driver * drv)1192 static int tee_client_device_match(struct device *dev,
1193 struct device_driver *drv)
1194 {
1195 const struct tee_client_device_id *id_table;
1196 struct tee_client_device *tee_device;
1197
1198 id_table = to_tee_client_driver(drv)->id_table;
1199 tee_device = to_tee_client_device(dev);
1200
1201 while (!uuid_is_null(&id_table->uuid)) {
1202 if (uuid_equal(&tee_device->id.uuid, &id_table->uuid))
1203 return 1;
1204 id_table++;
1205 }
1206
1207 return 0;
1208 }
1209
tee_client_device_uevent(const struct device * dev,struct kobj_uevent_env * env)1210 static int tee_client_device_uevent(const struct device *dev,
1211 struct kobj_uevent_env *env)
1212 {
1213 uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid;
1214
1215 return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id);
1216 }
1217
1218 struct bus_type tee_bus_type = {
1219 .name = "tee",
1220 .match = tee_client_device_match,
1221 .uevent = tee_client_device_uevent,
1222 };
1223 EXPORT_SYMBOL_GPL(tee_bus_type);
1224
tee_init(void)1225 static int __init tee_init(void)
1226 {
1227 int rc;
1228
1229 tee_class = class_create("tee");
1230 if (IS_ERR(tee_class)) {
1231 pr_err("couldn't create class\n");
1232 return PTR_ERR(tee_class);
1233 }
1234
1235 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee");
1236 if (rc) {
1237 pr_err("failed to allocate char dev region\n");
1238 goto out_unreg_class;
1239 }
1240
1241 rc = bus_register(&tee_bus_type);
1242 if (rc) {
1243 pr_err("failed to register tee bus\n");
1244 goto out_unreg_chrdev;
1245 }
1246
1247 return 0;
1248
1249 out_unreg_chrdev:
1250 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES);
1251 out_unreg_class:
1252 class_destroy(tee_class);
1253 tee_class = NULL;
1254
1255 return rc;
1256 }
1257
tee_exit(void)1258 static void __exit tee_exit(void)
1259 {
1260 bus_unregister(&tee_bus_type);
1261 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES);
1262 class_destroy(tee_class);
1263 tee_class = NULL;
1264 }
1265
1266 subsys_initcall(tee_init);
1267 module_exit(tee_exit);
1268
1269 MODULE_AUTHOR("Linaro");
1270 MODULE_DESCRIPTION("TEE Driver");
1271 MODULE_VERSION("1.0");
1272 MODULE_LICENSE("GPL v2");
1273