1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015-2021, Linaro Limited 4 */ 5 #include <linux/device.h> 6 #include <linux/err.h> 7 #include <linux/errno.h> 8 #include <linux/mm.h> 9 #include <linux/slab.h> 10 #include <linux/tee_drv.h> 11 #include <linux/types.h> 12 #include "optee_private.h" 13 14 #define MAX_ARG_PARAM_COUNT 6 15 16 /* 17 * How much memory we allocate for each entry. This doesn't have to be a 18 * single page, but it makes sense to keep at least keep it as multiples of 19 * the page size. 20 */ 21 #define SHM_ENTRY_SIZE PAGE_SIZE 22 23 /* 24 * We need to have a compile time constant to be able to determine the 25 * maximum needed size of the bit field. 26 */ 27 #define MIN_ARG_SIZE OPTEE_MSG_GET_ARG_SIZE(MAX_ARG_PARAM_COUNT) 28 #define MAX_ARG_COUNT_PER_ENTRY (SHM_ENTRY_SIZE / MIN_ARG_SIZE) 29 30 /* 31 * Shared memory for argument structs are cached here. The number of 32 * arguments structs that can fit is determined at runtime depending on the 33 * needed RPC parameter count reported by secure world 34 * (optee->rpc_param_count). 35 */ 36 struct optee_shm_arg_entry { 37 struct list_head list_node; 38 struct tee_shm *shm; 39 DECLARE_BITMAP(map, MAX_ARG_COUNT_PER_ENTRY); 40 }; 41 42 void optee_cq_wait_init(struct optee_call_queue *cq, 43 struct optee_call_waiter *w) 44 { 45 /* 46 * We're preparing to make a call to secure world. In case we can't 47 * allocate a thread in secure world we'll end up waiting in 48 * optee_cq_wait_for_completion(). 49 * 50 * Normally if there's no contention in secure world the call will 51 * complete and we can cleanup directly with optee_cq_wait_final(). 52 */ 53 mutex_lock(&cq->mutex); 54 55 /* 56 * We add ourselves to the queue, but we don't wait. This 57 * guarantees that we don't lose a completion if secure world 58 * returns busy and another thread just exited and try to complete 59 * someone. 60 */ 61 init_completion(&w->c); 62 list_add_tail(&w->list_node, &cq->waiters); 63 64 mutex_unlock(&cq->mutex); 65 } 66 67 void optee_cq_wait_for_completion(struct optee_call_queue *cq, 68 struct optee_call_waiter *w) 69 { 70 wait_for_completion(&w->c); 71 72 mutex_lock(&cq->mutex); 73 74 /* Move to end of list to get out of the way for other waiters */ 75 list_del(&w->list_node); 76 reinit_completion(&w->c); 77 list_add_tail(&w->list_node, &cq->waiters); 78 79 mutex_unlock(&cq->mutex); 80 } 81 82 static void optee_cq_complete_one(struct optee_call_queue *cq) 83 { 84 struct optee_call_waiter *w; 85 86 list_for_each_entry(w, &cq->waiters, list_node) { 87 if (!completion_done(&w->c)) { 88 complete(&w->c); 89 break; 90 } 91 } 92 } 93 94 void optee_cq_wait_final(struct optee_call_queue *cq, 95 struct optee_call_waiter *w) 96 { 97 /* 98 * We're done with the call to secure world. The thread in secure 99 * world that was used for this call is now available for some 100 * other task to use. 101 */ 102 mutex_lock(&cq->mutex); 103 104 /* Get out of the list */ 105 list_del(&w->list_node); 106 107 /* Wake up one eventual waiting task */ 108 optee_cq_complete_one(cq); 109 110 /* 111 * If we're completed we've got a completion from another task that 112 * was just done with its call to secure world. Since yet another 113 * thread now is available in secure world wake up another eventual 114 * waiting task. 115 */ 116 if (completion_done(&w->c)) 117 optee_cq_complete_one(cq); 118 119 mutex_unlock(&cq->mutex); 120 } 121 122 /* Requires the filpstate mutex to be held */ 123 static struct optee_session *find_session(struct optee_context_data *ctxdata, 124 u32 session_id) 125 { 126 struct optee_session *sess; 127 128 list_for_each_entry(sess, &ctxdata->sess_list, list_node) 129 if (sess->session_id == session_id) 130 return sess; 131 132 return NULL; 133 } 134 135 void optee_shm_arg_cache_init(struct optee *optee, u32 flags) 136 { 137 INIT_LIST_HEAD(&optee->shm_arg_cache.shm_args); 138 mutex_init(&optee->shm_arg_cache.mutex); 139 optee->shm_arg_cache.flags = flags; 140 } 141 142 void optee_shm_arg_cache_uninit(struct optee *optee) 143 { 144 struct list_head *head = &optee->shm_arg_cache.shm_args; 145 struct optee_shm_arg_entry *entry; 146 147 mutex_destroy(&optee->shm_arg_cache.mutex); 148 while (!list_empty(head)) { 149 entry = list_first_entry(head, struct optee_shm_arg_entry, 150 list_node); 151 list_del(&entry->list_node); 152 if (find_first_bit(entry->map, MAX_ARG_COUNT_PER_ENTRY) != 153 MAX_ARG_COUNT_PER_ENTRY) { 154 pr_err("Freeing non-free entry\n"); 155 } 156 tee_shm_free(entry->shm); 157 kfree(entry); 158 } 159 } 160 161 size_t optee_msg_arg_size(size_t rpc_param_count) 162 { 163 size_t sz = OPTEE_MSG_GET_ARG_SIZE(MAX_ARG_PARAM_COUNT); 164 165 if (rpc_param_count) 166 sz += OPTEE_MSG_GET_ARG_SIZE(rpc_param_count); 167 168 return sz; 169 } 170 171 /** 172 * optee_get_msg_arg() - Provide shared memory for argument struct 173 * @ctx: Caller TEE context 174 * @num_params: Number of parameter to store 175 * @entry_ret: Entry pointer, needed when freeing the buffer 176 * @shm_ret: Shared memory buffer 177 * @offs_ret: Offset of argument strut in shared memory buffer 178 * 179 * @returns a pointer to the argument struct in memory, else an ERR_PTR 180 */ 181 struct optee_msg_arg *optee_get_msg_arg(struct tee_context *ctx, 182 size_t num_params, 183 struct optee_shm_arg_entry **entry_ret, 184 struct tee_shm **shm_ret, 185 u_int *offs_ret) 186 { 187 struct optee *optee = tee_get_drvdata(ctx->teedev); 188 size_t sz = optee_msg_arg_size(optee->rpc_param_count); 189 struct optee_shm_arg_entry *entry; 190 struct optee_msg_arg *ma; 191 size_t args_per_entry; 192 u_long bit; 193 u_int offs; 194 void *res; 195 196 if (num_params > MAX_ARG_PARAM_COUNT) 197 return ERR_PTR(-EINVAL); 198 199 if (optee->shm_arg_cache.flags & OPTEE_SHM_ARG_SHARED) 200 args_per_entry = SHM_ENTRY_SIZE / sz; 201 else 202 args_per_entry = 1; 203 204 mutex_lock(&optee->shm_arg_cache.mutex); 205 list_for_each_entry(entry, &optee->shm_arg_cache.shm_args, list_node) { 206 bit = find_first_zero_bit(entry->map, MAX_ARG_COUNT_PER_ENTRY); 207 if (bit < args_per_entry) 208 goto have_entry; 209 } 210 211 /* 212 * No entry was found, let's allocate a new. 213 */ 214 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 215 if (!entry) { 216 res = ERR_PTR(-ENOMEM); 217 goto out; 218 } 219 220 if (optee->shm_arg_cache.flags & OPTEE_SHM_ARG_ALLOC_PRIV) 221 res = tee_shm_alloc_priv_buf(ctx, SHM_ENTRY_SIZE); 222 else 223 res = tee_shm_alloc_kernel_buf(ctx, SHM_ENTRY_SIZE); 224 225 if (IS_ERR(res)) { 226 kfree(entry); 227 goto out; 228 } 229 entry->shm = res; 230 list_add(&entry->list_node, &optee->shm_arg_cache.shm_args); 231 bit = 0; 232 233 have_entry: 234 offs = bit * sz; 235 res = tee_shm_get_va(entry->shm, offs); 236 if (IS_ERR(res)) 237 goto out; 238 ma = res; 239 set_bit(bit, entry->map); 240 memset(ma, 0, sz); 241 ma->num_params = num_params; 242 *entry_ret = entry; 243 *shm_ret = entry->shm; 244 *offs_ret = offs; 245 out: 246 mutex_unlock(&optee->shm_arg_cache.mutex); 247 return res; 248 } 249 250 /** 251 * optee_free_msg_arg() - Free previsouly obtained shared memory 252 * @ctx: Caller TEE context 253 * @entry: Pointer returned when the shared memory was obtained 254 * @offs: Offset of shared memory buffer to free 255 * 256 * This function frees the shared memory obtained with optee_get_msg_arg(). 257 */ 258 void optee_free_msg_arg(struct tee_context *ctx, 259 struct optee_shm_arg_entry *entry, u_int offs) 260 { 261 struct optee *optee = tee_get_drvdata(ctx->teedev); 262 size_t sz = optee_msg_arg_size(optee->rpc_param_count); 263 u_long bit; 264 265 if (offs > SHM_ENTRY_SIZE || offs % sz) { 266 pr_err("Invalid offs %u\n", offs); 267 return; 268 } 269 bit = offs / sz; 270 271 mutex_lock(&optee->shm_arg_cache.mutex); 272 273 if (!test_bit(bit, entry->map)) 274 pr_err("Bit pos %lu is already free\n", bit); 275 clear_bit(bit, entry->map); 276 277 mutex_unlock(&optee->shm_arg_cache.mutex); 278 } 279 280 int optee_open_session(struct tee_context *ctx, 281 struct tee_ioctl_open_session_arg *arg, 282 struct tee_param *param) 283 { 284 struct optee *optee = tee_get_drvdata(ctx->teedev); 285 struct optee_context_data *ctxdata = ctx->data; 286 struct optee_shm_arg_entry *entry; 287 struct tee_shm *shm; 288 struct optee_msg_arg *msg_arg; 289 struct optee_session *sess = NULL; 290 uuid_t client_uuid; 291 u_int offs; 292 int rc; 293 294 /* +2 for the meta parameters added below */ 295 msg_arg = optee_get_msg_arg(ctx, arg->num_params + 2, 296 &entry, &shm, &offs); 297 if (IS_ERR(msg_arg)) 298 return PTR_ERR(msg_arg); 299 300 msg_arg->cmd = OPTEE_MSG_CMD_OPEN_SESSION; 301 msg_arg->cancel_id = arg->cancel_id; 302 303 /* 304 * Initialize and add the meta parameters needed when opening a 305 * session. 306 */ 307 msg_arg->params[0].attr = OPTEE_MSG_ATTR_TYPE_VALUE_INPUT | 308 OPTEE_MSG_ATTR_META; 309 msg_arg->params[1].attr = OPTEE_MSG_ATTR_TYPE_VALUE_INPUT | 310 OPTEE_MSG_ATTR_META; 311 memcpy(&msg_arg->params[0].u.value, arg->uuid, sizeof(arg->uuid)); 312 msg_arg->params[1].u.value.c = arg->clnt_login; 313 314 rc = tee_session_calc_client_uuid(&client_uuid, arg->clnt_login, 315 arg->clnt_uuid); 316 if (rc) 317 goto out; 318 export_uuid(msg_arg->params[1].u.octets, &client_uuid); 319 320 rc = optee->ops->to_msg_param(optee, msg_arg->params + 2, 321 arg->num_params, param); 322 if (rc) 323 goto out; 324 325 sess = kzalloc(sizeof(*sess), GFP_KERNEL); 326 if (!sess) { 327 rc = -ENOMEM; 328 goto out; 329 } 330 331 if (optee->ops->do_call_with_arg(ctx, shm, offs)) { 332 msg_arg->ret = TEEC_ERROR_COMMUNICATION; 333 msg_arg->ret_origin = TEEC_ORIGIN_COMMS; 334 } 335 336 if (msg_arg->ret == TEEC_SUCCESS) { 337 /* A new session has been created, add it to the list. */ 338 sess->session_id = msg_arg->session; 339 mutex_lock(&ctxdata->mutex); 340 list_add(&sess->list_node, &ctxdata->sess_list); 341 mutex_unlock(&ctxdata->mutex); 342 } else { 343 kfree(sess); 344 } 345 346 if (optee->ops->from_msg_param(optee, param, arg->num_params, 347 msg_arg->params + 2)) { 348 arg->ret = TEEC_ERROR_COMMUNICATION; 349 arg->ret_origin = TEEC_ORIGIN_COMMS; 350 /* Close session again to avoid leakage */ 351 optee_close_session(ctx, msg_arg->session); 352 } else { 353 arg->session = msg_arg->session; 354 arg->ret = msg_arg->ret; 355 arg->ret_origin = msg_arg->ret_origin; 356 } 357 out: 358 optee_free_msg_arg(ctx, entry, offs); 359 360 return rc; 361 } 362 363 int optee_close_session_helper(struct tee_context *ctx, u32 session) 364 { 365 struct optee *optee = tee_get_drvdata(ctx->teedev); 366 struct optee_shm_arg_entry *entry; 367 struct optee_msg_arg *msg_arg; 368 struct tee_shm *shm; 369 u_int offs; 370 371 msg_arg = optee_get_msg_arg(ctx, 0, &entry, &shm, &offs); 372 if (IS_ERR(msg_arg)) 373 return PTR_ERR(msg_arg); 374 375 msg_arg->cmd = OPTEE_MSG_CMD_CLOSE_SESSION; 376 msg_arg->session = session; 377 optee->ops->do_call_with_arg(ctx, shm, offs); 378 379 optee_free_msg_arg(ctx, entry, offs); 380 381 return 0; 382 } 383 384 int optee_close_session(struct tee_context *ctx, u32 session) 385 { 386 struct optee_context_data *ctxdata = ctx->data; 387 struct optee_session *sess; 388 389 /* Check that the session is valid and remove it from the list */ 390 mutex_lock(&ctxdata->mutex); 391 sess = find_session(ctxdata, session); 392 if (sess) 393 list_del(&sess->list_node); 394 mutex_unlock(&ctxdata->mutex); 395 if (!sess) 396 return -EINVAL; 397 kfree(sess); 398 399 return optee_close_session_helper(ctx, session); 400 } 401 402 int optee_invoke_func(struct tee_context *ctx, struct tee_ioctl_invoke_arg *arg, 403 struct tee_param *param) 404 { 405 struct optee *optee = tee_get_drvdata(ctx->teedev); 406 struct optee_context_data *ctxdata = ctx->data; 407 struct optee_shm_arg_entry *entry; 408 struct optee_msg_arg *msg_arg; 409 struct optee_session *sess; 410 struct tee_shm *shm; 411 u_int offs; 412 int rc; 413 414 /* Check that the session is valid */ 415 mutex_lock(&ctxdata->mutex); 416 sess = find_session(ctxdata, arg->session); 417 mutex_unlock(&ctxdata->mutex); 418 if (!sess) 419 return -EINVAL; 420 421 msg_arg = optee_get_msg_arg(ctx, arg->num_params, 422 &entry, &shm, &offs); 423 if (IS_ERR(msg_arg)) 424 return PTR_ERR(msg_arg); 425 msg_arg->cmd = OPTEE_MSG_CMD_INVOKE_COMMAND; 426 msg_arg->func = arg->func; 427 msg_arg->session = arg->session; 428 msg_arg->cancel_id = arg->cancel_id; 429 430 rc = optee->ops->to_msg_param(optee, msg_arg->params, arg->num_params, 431 param); 432 if (rc) 433 goto out; 434 435 if (optee->ops->do_call_with_arg(ctx, shm, offs)) { 436 msg_arg->ret = TEEC_ERROR_COMMUNICATION; 437 msg_arg->ret_origin = TEEC_ORIGIN_COMMS; 438 } 439 440 if (optee->ops->from_msg_param(optee, param, arg->num_params, 441 msg_arg->params)) { 442 msg_arg->ret = TEEC_ERROR_COMMUNICATION; 443 msg_arg->ret_origin = TEEC_ORIGIN_COMMS; 444 } 445 446 arg->ret = msg_arg->ret; 447 arg->ret_origin = msg_arg->ret_origin; 448 out: 449 optee_free_msg_arg(ctx, entry, offs); 450 return rc; 451 } 452 453 int optee_cancel_req(struct tee_context *ctx, u32 cancel_id, u32 session) 454 { 455 struct optee *optee = tee_get_drvdata(ctx->teedev); 456 struct optee_context_data *ctxdata = ctx->data; 457 struct optee_shm_arg_entry *entry; 458 struct optee_msg_arg *msg_arg; 459 struct optee_session *sess; 460 struct tee_shm *shm; 461 u_int offs; 462 463 /* Check that the session is valid */ 464 mutex_lock(&ctxdata->mutex); 465 sess = find_session(ctxdata, session); 466 mutex_unlock(&ctxdata->mutex); 467 if (!sess) 468 return -EINVAL; 469 470 msg_arg = optee_get_msg_arg(ctx, 0, &entry, &shm, &offs); 471 if (IS_ERR(msg_arg)) 472 return PTR_ERR(msg_arg); 473 474 msg_arg->cmd = OPTEE_MSG_CMD_CANCEL; 475 msg_arg->session = session; 476 msg_arg->cancel_id = cancel_id; 477 optee->ops->do_call_with_arg(ctx, shm, offs); 478 479 optee_free_msg_arg(ctx, entry, offs); 480 return 0; 481 } 482 483 static bool is_normal_memory(pgprot_t p) 484 { 485 #if defined(CONFIG_ARM) 486 return (((pgprot_val(p) & L_PTE_MT_MASK) == L_PTE_MT_WRITEALLOC) || 487 ((pgprot_val(p) & L_PTE_MT_MASK) == L_PTE_MT_WRITEBACK)); 488 #elif defined(CONFIG_ARM64) 489 return (pgprot_val(p) & PTE_ATTRINDX_MASK) == PTE_ATTRINDX(MT_NORMAL); 490 #else 491 #error "Unuspported architecture" 492 #endif 493 } 494 495 static int __check_mem_type(struct mm_struct *mm, unsigned long start, 496 unsigned long end) 497 { 498 struct vm_area_struct *vma; 499 VMA_ITERATOR(vmi, mm, start); 500 501 for_each_vma_range(vmi, vma, end) { 502 if (!is_normal_memory(vma->vm_page_prot)) 503 return -EINVAL; 504 } 505 506 return 0; 507 } 508 509 int optee_check_mem_type(unsigned long start, size_t num_pages) 510 { 511 struct mm_struct *mm = current->mm; 512 int rc; 513 514 /* 515 * Allow kernel address to register with OP-TEE as kernel 516 * pages are configured as normal memory only. 517 */ 518 if (virt_addr_valid((void *)start) || is_vmalloc_addr((void *)start)) 519 return 0; 520 521 mmap_read_lock(mm); 522 rc = __check_mem_type(mm, start, start + num_pages * PAGE_SIZE); 523 mmap_read_unlock(mm); 524 525 return rc; 526 } 527