1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2015-2016, Linaro Limited 4 */ 5 6 #define pr_fmt(fmt) "%s: " fmt, __func__ 7 8 #include <linux/cdev.h> 9 #include <linux/cred.h> 10 #include <linux/fs.h> 11 #include <linux/idr.h> 12 #include <linux/module.h> 13 #include <linux/slab.h> 14 #include <linux/tee_drv.h> 15 #include <linux/uaccess.h> 16 #include <crypto/hash.h> 17 #include <crypto/sha1.h> 18 #include "tee_private.h" 19 20 #define TEE_NUM_DEVICES 32 21 22 #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) 23 24 #define TEE_UUID_NS_NAME_SIZE 128 25 26 /* 27 * TEE Client UUID name space identifier (UUIDv4) 28 * 29 * Value here is random UUID that is allocated as name space identifier for 30 * forming Client UUID's for TEE environment using UUIDv5 scheme. 31 */ 32 static const uuid_t tee_client_uuid_ns = UUID_INIT(0x58ac9ca0, 0x2086, 0x4683, 33 0xa1, 0xb8, 0xec, 0x4b, 34 0xc0, 0x8e, 0x01, 0xb6); 35 36 /* 37 * Unprivileged devices in the lower half range and privileged devices in 38 * the upper half range. 39 */ 40 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES); 41 static DEFINE_SPINLOCK(driver_lock); 42 43 static struct class *tee_class; 44 static dev_t tee_devt; 45 46 struct tee_context *teedev_open(struct tee_device *teedev) 47 { 48 int rc; 49 struct tee_context *ctx; 50 51 if (!tee_device_get(teedev)) 52 return ERR_PTR(-EINVAL); 53 54 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 55 if (!ctx) { 56 rc = -ENOMEM; 57 goto err; 58 } 59 60 kref_init(&ctx->refcount); 61 ctx->teedev = teedev; 62 rc = teedev->desc->ops->open(ctx); 63 if (rc) 64 goto err; 65 66 return ctx; 67 err: 68 kfree(ctx); 69 tee_device_put(teedev); 70 return ERR_PTR(rc); 71 72 } 73 EXPORT_SYMBOL_GPL(teedev_open); 74 75 void teedev_ctx_get(struct tee_context *ctx) 76 { 77 if (ctx->releasing) 78 return; 79 80 kref_get(&ctx->refcount); 81 } 82 83 static void teedev_ctx_release(struct kref *ref) 84 { 85 struct tee_context *ctx = container_of(ref, struct tee_context, 86 refcount); 87 ctx->releasing = true; 88 ctx->teedev->desc->ops->release(ctx); 89 kfree(ctx); 90 } 91 92 void teedev_ctx_put(struct tee_context *ctx) 93 { 94 if (ctx->releasing) 95 return; 96 97 kref_put(&ctx->refcount, teedev_ctx_release); 98 } 99 100 void teedev_close_context(struct tee_context *ctx) 101 { 102 struct tee_device *teedev = ctx->teedev; 103 104 teedev_ctx_put(ctx); 105 tee_device_put(teedev); 106 } 107 EXPORT_SYMBOL_GPL(teedev_close_context); 108 109 static int tee_open(struct inode *inode, struct file *filp) 110 { 111 struct tee_context *ctx; 112 113 ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev)); 114 if (IS_ERR(ctx)) 115 return PTR_ERR(ctx); 116 117 /* 118 * Default user-space behaviour is to wait for tee-supplicant 119 * if not present for any requests in this context. 120 */ 121 ctx->supp_nowait = false; 122 filp->private_data = ctx; 123 return 0; 124 } 125 126 static int tee_release(struct inode *inode, struct file *filp) 127 { 128 teedev_close_context(filp->private_data); 129 return 0; 130 } 131 132 /** 133 * uuid_v5() - Calculate UUIDv5 134 * @uuid: Resulting UUID 135 * @ns: Name space ID for UUIDv5 function 136 * @name: Name for UUIDv5 function 137 * @size: Size of name 138 * 139 * UUIDv5 is specific in RFC 4122. 140 * 141 * This implements section (for SHA-1): 142 * 4.3. Algorithm for Creating a Name-Based UUID 143 */ 144 static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name, 145 size_t size) 146 { 147 unsigned char hash[SHA1_DIGEST_SIZE]; 148 struct crypto_shash *shash = NULL; 149 struct shash_desc *desc = NULL; 150 int rc; 151 152 shash = crypto_alloc_shash("sha1", 0, 0); 153 if (IS_ERR(shash)) { 154 rc = PTR_ERR(shash); 155 pr_err("shash(sha1) allocation failed\n"); 156 return rc; 157 } 158 159 desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), 160 GFP_KERNEL); 161 if (!desc) { 162 rc = -ENOMEM; 163 goto out_free_shash; 164 } 165 166 desc->tfm = shash; 167 168 rc = crypto_shash_init(desc); 169 if (rc < 0) 170 goto out_free_desc; 171 172 rc = crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns)); 173 if (rc < 0) 174 goto out_free_desc; 175 176 rc = crypto_shash_update(desc, (const u8 *)name, size); 177 if (rc < 0) 178 goto out_free_desc; 179 180 rc = crypto_shash_final(desc, hash); 181 if (rc < 0) 182 goto out_free_desc; 183 184 memcpy(uuid->b, hash, UUID_SIZE); 185 186 /* Tag for version 5 */ 187 uuid->b[6] = (hash[6] & 0x0F) | 0x50; 188 uuid->b[8] = (hash[8] & 0x3F) | 0x80; 189 190 out_free_desc: 191 kfree(desc); 192 193 out_free_shash: 194 crypto_free_shash(shash); 195 return rc; 196 } 197 198 int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, 199 const u8 connection_data[TEE_IOCTL_UUID_LEN]) 200 { 201 gid_t ns_grp = (gid_t)-1; 202 kgid_t grp = INVALID_GID; 203 char *name = NULL; 204 int name_len; 205 int rc; 206 207 if (connection_method == TEE_IOCTL_LOGIN_PUBLIC || 208 connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) { 209 /* Nil UUID to be passed to TEE environment */ 210 uuid_copy(uuid, &uuid_null); 211 return 0; 212 } 213 214 /* 215 * In Linux environment client UUID is based on UUIDv5. 216 * 217 * Determine client UUID with following semantics for 'name': 218 * 219 * For TEEC_LOGIN_USER: 220 * uid=<uid> 221 * 222 * For TEEC_LOGIN_GROUP: 223 * gid=<gid> 224 * 225 */ 226 227 name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL); 228 if (!name) 229 return -ENOMEM; 230 231 switch (connection_method) { 232 case TEE_IOCTL_LOGIN_USER: 233 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x", 234 current_euid().val); 235 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 236 rc = -E2BIG; 237 goto out_free_name; 238 } 239 break; 240 241 case TEE_IOCTL_LOGIN_GROUP: 242 memcpy(&ns_grp, connection_data, sizeof(gid_t)); 243 grp = make_kgid(current_user_ns(), ns_grp); 244 if (!gid_valid(grp) || !in_egroup_p(grp)) { 245 rc = -EPERM; 246 goto out_free_name; 247 } 248 249 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x", 250 grp.val); 251 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 252 rc = -E2BIG; 253 goto out_free_name; 254 } 255 break; 256 257 default: 258 rc = -EINVAL; 259 goto out_free_name; 260 } 261 262 rc = uuid_v5(uuid, &tee_client_uuid_ns, name, name_len); 263 out_free_name: 264 kfree(name); 265 266 return rc; 267 } 268 EXPORT_SYMBOL_GPL(tee_session_calc_client_uuid); 269 270 static int tee_ioctl_version(struct tee_context *ctx, 271 struct tee_ioctl_version_data __user *uvers) 272 { 273 struct tee_ioctl_version_data vers; 274 275 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers); 276 277 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED) 278 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED; 279 280 if (copy_to_user(uvers, &vers, sizeof(vers))) 281 return -EFAULT; 282 283 return 0; 284 } 285 286 static int tee_ioctl_shm_alloc(struct tee_context *ctx, 287 struct tee_ioctl_shm_alloc_data __user *udata) 288 { 289 long ret; 290 struct tee_ioctl_shm_alloc_data data; 291 struct tee_shm *shm; 292 293 if (copy_from_user(&data, udata, sizeof(data))) 294 return -EFAULT; 295 296 /* Currently no input flags are supported */ 297 if (data.flags) 298 return -EINVAL; 299 300 shm = tee_shm_alloc(ctx, data.size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF); 301 if (IS_ERR(shm)) 302 return PTR_ERR(shm); 303 304 data.id = shm->id; 305 data.flags = shm->flags; 306 data.size = shm->size; 307 308 if (copy_to_user(udata, &data, sizeof(data))) 309 ret = -EFAULT; 310 else 311 ret = tee_shm_get_fd(shm); 312 313 /* 314 * When user space closes the file descriptor the shared memory 315 * should be freed or if tee_shm_get_fd() failed then it will 316 * be freed immediately. 317 */ 318 tee_shm_put(shm); 319 return ret; 320 } 321 322 static int 323 tee_ioctl_shm_register(struct tee_context *ctx, 324 struct tee_ioctl_shm_register_data __user *udata) 325 { 326 long ret; 327 struct tee_ioctl_shm_register_data data; 328 struct tee_shm *shm; 329 330 if (copy_from_user(&data, udata, sizeof(data))) 331 return -EFAULT; 332 333 /* Currently no input flags are supported */ 334 if (data.flags) 335 return -EINVAL; 336 337 shm = tee_shm_register(ctx, data.addr, data.length, 338 TEE_SHM_DMA_BUF | TEE_SHM_USER_MAPPED); 339 if (IS_ERR(shm)) 340 return PTR_ERR(shm); 341 342 data.id = shm->id; 343 data.flags = shm->flags; 344 data.length = shm->size; 345 346 if (copy_to_user(udata, &data, sizeof(data))) 347 ret = -EFAULT; 348 else 349 ret = tee_shm_get_fd(shm); 350 /* 351 * When user space closes the file descriptor the shared memory 352 * should be freed or if tee_shm_get_fd() failed then it will 353 * be freed immediately. 354 */ 355 tee_shm_put(shm); 356 return ret; 357 } 358 359 static int params_from_user(struct tee_context *ctx, struct tee_param *params, 360 size_t num_params, 361 struct tee_ioctl_param __user *uparams) 362 { 363 size_t n; 364 365 for (n = 0; n < num_params; n++) { 366 struct tee_shm *shm; 367 struct tee_ioctl_param ip; 368 369 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 370 return -EFAULT; 371 372 /* All unused attribute bits has to be zero */ 373 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 374 return -EINVAL; 375 376 params[n].attr = ip.attr; 377 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 378 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: 379 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 380 break; 381 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 382 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 383 params[n].u.value.a = ip.a; 384 params[n].u.value.b = ip.b; 385 params[n].u.value.c = ip.c; 386 break; 387 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 388 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 389 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 390 /* 391 * If a NULL pointer is passed to a TA in the TEE, 392 * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL 393 * indicating a NULL memory reference. 394 */ 395 if (ip.c != TEE_MEMREF_NULL) { 396 /* 397 * If we fail to get a pointer to a shared 398 * memory object (and increase the ref count) 399 * from an identifier we return an error. All 400 * pointers that has been added in params have 401 * an increased ref count. It's the callers 402 * responibility to do tee_shm_put() on all 403 * resolved pointers. 404 */ 405 shm = tee_shm_get_from_id(ctx, ip.c); 406 if (IS_ERR(shm)) 407 return PTR_ERR(shm); 408 409 /* 410 * Ensure offset + size does not overflow 411 * offset and does not overflow the size of 412 * the referred shared memory object. 413 */ 414 if ((ip.a + ip.b) < ip.a || 415 (ip.a + ip.b) > shm->size) { 416 tee_shm_put(shm); 417 return -EINVAL; 418 } 419 } else if (ctx->cap_memref_null) { 420 /* Pass NULL pointer to OP-TEE */ 421 shm = NULL; 422 } else { 423 return -EINVAL; 424 } 425 426 params[n].u.memref.shm_offs = ip.a; 427 params[n].u.memref.size = ip.b; 428 params[n].u.memref.shm = shm; 429 break; 430 default: 431 /* Unknown attribute */ 432 return -EINVAL; 433 } 434 } 435 return 0; 436 } 437 438 static int params_to_user(struct tee_ioctl_param __user *uparams, 439 size_t num_params, struct tee_param *params) 440 { 441 size_t n; 442 443 for (n = 0; n < num_params; n++) { 444 struct tee_ioctl_param __user *up = uparams + n; 445 struct tee_param *p = params + n; 446 447 switch (p->attr) { 448 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 449 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 450 if (put_user(p->u.value.a, &up->a) || 451 put_user(p->u.value.b, &up->b) || 452 put_user(p->u.value.c, &up->c)) 453 return -EFAULT; 454 break; 455 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 456 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 457 if (put_user((u64)p->u.memref.size, &up->b)) 458 return -EFAULT; 459 break; 460 default: 461 break; 462 } 463 } 464 return 0; 465 } 466 467 static int tee_ioctl_open_session(struct tee_context *ctx, 468 struct tee_ioctl_buf_data __user *ubuf) 469 { 470 int rc; 471 size_t n; 472 struct tee_ioctl_buf_data buf; 473 struct tee_ioctl_open_session_arg __user *uarg; 474 struct tee_ioctl_open_session_arg arg; 475 struct tee_ioctl_param __user *uparams = NULL; 476 struct tee_param *params = NULL; 477 bool have_session = false; 478 479 if (!ctx->teedev->desc->ops->open_session) 480 return -EINVAL; 481 482 if (copy_from_user(&buf, ubuf, sizeof(buf))) 483 return -EFAULT; 484 485 if (buf.buf_len > TEE_MAX_ARG_SIZE || 486 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg)) 487 return -EINVAL; 488 489 uarg = u64_to_user_ptr(buf.buf_ptr); 490 if (copy_from_user(&arg, uarg, sizeof(arg))) 491 return -EFAULT; 492 493 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 494 return -EINVAL; 495 496 if (arg.num_params) { 497 params = kcalloc(arg.num_params, sizeof(struct tee_param), 498 GFP_KERNEL); 499 if (!params) 500 return -ENOMEM; 501 uparams = uarg->params; 502 rc = params_from_user(ctx, params, arg.num_params, uparams); 503 if (rc) 504 goto out; 505 } 506 507 if (arg.clnt_login >= TEE_IOCTL_LOGIN_REE_KERNEL_MIN && 508 arg.clnt_login <= TEE_IOCTL_LOGIN_REE_KERNEL_MAX) { 509 pr_debug("login method not allowed for user-space client\n"); 510 rc = -EPERM; 511 goto out; 512 } 513 514 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); 515 if (rc) 516 goto out; 517 have_session = true; 518 519 if (put_user(arg.session, &uarg->session) || 520 put_user(arg.ret, &uarg->ret) || 521 put_user(arg.ret_origin, &uarg->ret_origin)) { 522 rc = -EFAULT; 523 goto out; 524 } 525 rc = params_to_user(uparams, arg.num_params, params); 526 out: 527 /* 528 * If we've succeeded to open the session but failed to communicate 529 * it back to user space, close the session again to avoid leakage. 530 */ 531 if (rc && have_session && ctx->teedev->desc->ops->close_session) 532 ctx->teedev->desc->ops->close_session(ctx, arg.session); 533 534 if (params) { 535 /* Decrease ref count for all valid shared memory pointers */ 536 for (n = 0; n < arg.num_params; n++) 537 if (tee_param_is_memref(params + n) && 538 params[n].u.memref.shm) 539 tee_shm_put(params[n].u.memref.shm); 540 kfree(params); 541 } 542 543 return rc; 544 } 545 546 static int tee_ioctl_invoke(struct tee_context *ctx, 547 struct tee_ioctl_buf_data __user *ubuf) 548 { 549 int rc; 550 size_t n; 551 struct tee_ioctl_buf_data buf; 552 struct tee_ioctl_invoke_arg __user *uarg; 553 struct tee_ioctl_invoke_arg arg; 554 struct tee_ioctl_param __user *uparams = NULL; 555 struct tee_param *params = NULL; 556 557 if (!ctx->teedev->desc->ops->invoke_func) 558 return -EINVAL; 559 560 if (copy_from_user(&buf, ubuf, sizeof(buf))) 561 return -EFAULT; 562 563 if (buf.buf_len > TEE_MAX_ARG_SIZE || 564 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg)) 565 return -EINVAL; 566 567 uarg = u64_to_user_ptr(buf.buf_ptr); 568 if (copy_from_user(&arg, uarg, sizeof(arg))) 569 return -EFAULT; 570 571 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 572 return -EINVAL; 573 574 if (arg.num_params) { 575 params = kcalloc(arg.num_params, sizeof(struct tee_param), 576 GFP_KERNEL); 577 if (!params) 578 return -ENOMEM; 579 uparams = uarg->params; 580 rc = params_from_user(ctx, params, arg.num_params, uparams); 581 if (rc) 582 goto out; 583 } 584 585 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params); 586 if (rc) 587 goto out; 588 589 if (put_user(arg.ret, &uarg->ret) || 590 put_user(arg.ret_origin, &uarg->ret_origin)) { 591 rc = -EFAULT; 592 goto out; 593 } 594 rc = params_to_user(uparams, arg.num_params, params); 595 out: 596 if (params) { 597 /* Decrease ref count for all valid shared memory pointers */ 598 for (n = 0; n < arg.num_params; n++) 599 if (tee_param_is_memref(params + n) && 600 params[n].u.memref.shm) 601 tee_shm_put(params[n].u.memref.shm); 602 kfree(params); 603 } 604 return rc; 605 } 606 607 static int tee_ioctl_cancel(struct tee_context *ctx, 608 struct tee_ioctl_cancel_arg __user *uarg) 609 { 610 struct tee_ioctl_cancel_arg arg; 611 612 if (!ctx->teedev->desc->ops->cancel_req) 613 return -EINVAL; 614 615 if (copy_from_user(&arg, uarg, sizeof(arg))) 616 return -EFAULT; 617 618 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id, 619 arg.session); 620 } 621 622 static int 623 tee_ioctl_close_session(struct tee_context *ctx, 624 struct tee_ioctl_close_session_arg __user *uarg) 625 { 626 struct tee_ioctl_close_session_arg arg; 627 628 if (!ctx->teedev->desc->ops->close_session) 629 return -EINVAL; 630 631 if (copy_from_user(&arg, uarg, sizeof(arg))) 632 return -EFAULT; 633 634 return ctx->teedev->desc->ops->close_session(ctx, arg.session); 635 } 636 637 static int params_to_supp(struct tee_context *ctx, 638 struct tee_ioctl_param __user *uparams, 639 size_t num_params, struct tee_param *params) 640 { 641 size_t n; 642 643 for (n = 0; n < num_params; n++) { 644 struct tee_ioctl_param ip; 645 struct tee_param *p = params + n; 646 647 ip.attr = p->attr; 648 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 649 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 650 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 651 ip.a = p->u.value.a; 652 ip.b = p->u.value.b; 653 ip.c = p->u.value.c; 654 break; 655 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 656 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 657 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 658 ip.b = p->u.memref.size; 659 if (!p->u.memref.shm) { 660 ip.a = 0; 661 ip.c = (u64)-1; /* invalid shm id */ 662 break; 663 } 664 ip.a = p->u.memref.shm_offs; 665 ip.c = p->u.memref.shm->id; 666 break; 667 default: 668 ip.a = 0; 669 ip.b = 0; 670 ip.c = 0; 671 break; 672 } 673 674 if (copy_to_user(uparams + n, &ip, sizeof(ip))) 675 return -EFAULT; 676 } 677 678 return 0; 679 } 680 681 static int tee_ioctl_supp_recv(struct tee_context *ctx, 682 struct tee_ioctl_buf_data __user *ubuf) 683 { 684 int rc; 685 struct tee_ioctl_buf_data buf; 686 struct tee_iocl_supp_recv_arg __user *uarg; 687 struct tee_param *params; 688 u32 num_params; 689 u32 func; 690 691 if (!ctx->teedev->desc->ops->supp_recv) 692 return -EINVAL; 693 694 if (copy_from_user(&buf, ubuf, sizeof(buf))) 695 return -EFAULT; 696 697 if (buf.buf_len > TEE_MAX_ARG_SIZE || 698 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg)) 699 return -EINVAL; 700 701 uarg = u64_to_user_ptr(buf.buf_ptr); 702 if (get_user(num_params, &uarg->num_params)) 703 return -EFAULT; 704 705 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) 706 return -EINVAL; 707 708 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 709 if (!params) 710 return -ENOMEM; 711 712 rc = params_from_user(ctx, params, num_params, uarg->params); 713 if (rc) 714 goto out; 715 716 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); 717 if (rc) 718 goto out; 719 720 if (put_user(func, &uarg->func) || 721 put_user(num_params, &uarg->num_params)) { 722 rc = -EFAULT; 723 goto out; 724 } 725 726 rc = params_to_supp(ctx, uarg->params, num_params, params); 727 out: 728 kfree(params); 729 return rc; 730 } 731 732 static int params_from_supp(struct tee_param *params, size_t num_params, 733 struct tee_ioctl_param __user *uparams) 734 { 735 size_t n; 736 737 for (n = 0; n < num_params; n++) { 738 struct tee_param *p = params + n; 739 struct tee_ioctl_param ip; 740 741 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 742 return -EFAULT; 743 744 /* All unused attribute bits has to be zero */ 745 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 746 return -EINVAL; 747 748 p->attr = ip.attr; 749 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 750 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 751 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 752 /* Only out and in/out values can be updated */ 753 p->u.value.a = ip.a; 754 p->u.value.b = ip.b; 755 p->u.value.c = ip.c; 756 break; 757 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 758 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 759 /* 760 * Only the size of the memref can be updated. 761 * Since we don't have access to the original 762 * parameters here, only store the supplied size. 763 * The driver will copy the updated size into the 764 * original parameters. 765 */ 766 p->u.memref.shm = NULL; 767 p->u.memref.shm_offs = 0; 768 p->u.memref.size = ip.b; 769 break; 770 default: 771 memset(&p->u, 0, sizeof(p->u)); 772 break; 773 } 774 } 775 return 0; 776 } 777 778 static int tee_ioctl_supp_send(struct tee_context *ctx, 779 struct tee_ioctl_buf_data __user *ubuf) 780 { 781 long rc; 782 struct tee_ioctl_buf_data buf; 783 struct tee_iocl_supp_send_arg __user *uarg; 784 struct tee_param *params; 785 u32 num_params; 786 u32 ret; 787 788 /* Not valid for this driver */ 789 if (!ctx->teedev->desc->ops->supp_send) 790 return -EINVAL; 791 792 if (copy_from_user(&buf, ubuf, sizeof(buf))) 793 return -EFAULT; 794 795 if (buf.buf_len > TEE_MAX_ARG_SIZE || 796 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg)) 797 return -EINVAL; 798 799 uarg = u64_to_user_ptr(buf.buf_ptr); 800 if (get_user(ret, &uarg->ret) || 801 get_user(num_params, &uarg->num_params)) 802 return -EFAULT; 803 804 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) 805 return -EINVAL; 806 807 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 808 if (!params) 809 return -ENOMEM; 810 811 rc = params_from_supp(params, num_params, uarg->params); 812 if (rc) 813 goto out; 814 815 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params); 816 out: 817 kfree(params); 818 return rc; 819 } 820 821 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 822 { 823 struct tee_context *ctx = filp->private_data; 824 void __user *uarg = (void __user *)arg; 825 826 switch (cmd) { 827 case TEE_IOC_VERSION: 828 return tee_ioctl_version(ctx, uarg); 829 case TEE_IOC_SHM_ALLOC: 830 return tee_ioctl_shm_alloc(ctx, uarg); 831 case TEE_IOC_SHM_REGISTER: 832 return tee_ioctl_shm_register(ctx, uarg); 833 case TEE_IOC_OPEN_SESSION: 834 return tee_ioctl_open_session(ctx, uarg); 835 case TEE_IOC_INVOKE: 836 return tee_ioctl_invoke(ctx, uarg); 837 case TEE_IOC_CANCEL: 838 return tee_ioctl_cancel(ctx, uarg); 839 case TEE_IOC_CLOSE_SESSION: 840 return tee_ioctl_close_session(ctx, uarg); 841 case TEE_IOC_SUPPL_RECV: 842 return tee_ioctl_supp_recv(ctx, uarg); 843 case TEE_IOC_SUPPL_SEND: 844 return tee_ioctl_supp_send(ctx, uarg); 845 default: 846 return -EINVAL; 847 } 848 } 849 850 static const struct file_operations tee_fops = { 851 .owner = THIS_MODULE, 852 .open = tee_open, 853 .release = tee_release, 854 .unlocked_ioctl = tee_ioctl, 855 .compat_ioctl = compat_ptr_ioctl, 856 }; 857 858 static void tee_release_device(struct device *dev) 859 { 860 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 861 862 spin_lock(&driver_lock); 863 clear_bit(teedev->id, dev_mask); 864 spin_unlock(&driver_lock); 865 mutex_destroy(&teedev->mutex); 866 idr_destroy(&teedev->idr); 867 kfree(teedev); 868 } 869 870 /** 871 * tee_device_alloc() - Allocate a new struct tee_device instance 872 * @teedesc: Descriptor for this driver 873 * @dev: Parent device for this device 874 * @pool: Shared memory pool, NULL if not used 875 * @driver_data: Private driver data for this device 876 * 877 * Allocates a new struct tee_device instance. The device is 878 * removed by tee_device_unregister(). 879 * 880 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure 881 */ 882 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, 883 struct device *dev, 884 struct tee_shm_pool *pool, 885 void *driver_data) 886 { 887 struct tee_device *teedev; 888 void *ret; 889 int rc, max_id; 890 int offs = 0; 891 892 if (!teedesc || !teedesc->name || !teedesc->ops || 893 !teedesc->ops->get_version || !teedesc->ops->open || 894 !teedesc->ops->release || !pool) 895 return ERR_PTR(-EINVAL); 896 897 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); 898 if (!teedev) { 899 ret = ERR_PTR(-ENOMEM); 900 goto err; 901 } 902 903 max_id = TEE_NUM_DEVICES / 2; 904 905 if (teedesc->flags & TEE_DESC_PRIVILEGED) { 906 offs = TEE_NUM_DEVICES / 2; 907 max_id = TEE_NUM_DEVICES; 908 } 909 910 spin_lock(&driver_lock); 911 teedev->id = find_next_zero_bit(dev_mask, max_id, offs); 912 if (teedev->id < max_id) 913 set_bit(teedev->id, dev_mask); 914 spin_unlock(&driver_lock); 915 916 if (teedev->id >= max_id) { 917 ret = ERR_PTR(-ENOMEM); 918 goto err; 919 } 920 921 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d", 922 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "", 923 teedev->id - offs); 924 925 teedev->dev.class = tee_class; 926 teedev->dev.release = tee_release_device; 927 teedev->dev.parent = dev; 928 929 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id); 930 931 rc = dev_set_name(&teedev->dev, "%s", teedev->name); 932 if (rc) { 933 ret = ERR_PTR(rc); 934 goto err_devt; 935 } 936 937 cdev_init(&teedev->cdev, &tee_fops); 938 teedev->cdev.owner = teedesc->owner; 939 940 dev_set_drvdata(&teedev->dev, driver_data); 941 device_initialize(&teedev->dev); 942 943 /* 1 as tee_device_unregister() does one final tee_device_put() */ 944 teedev->num_users = 1; 945 init_completion(&teedev->c_no_users); 946 mutex_init(&teedev->mutex); 947 idr_init(&teedev->idr); 948 949 teedev->desc = teedesc; 950 teedev->pool = pool; 951 952 return teedev; 953 err_devt: 954 unregister_chrdev_region(teedev->dev.devt, 1); 955 err: 956 pr_err("could not register %s driver\n", 957 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client"); 958 if (teedev && teedev->id < TEE_NUM_DEVICES) { 959 spin_lock(&driver_lock); 960 clear_bit(teedev->id, dev_mask); 961 spin_unlock(&driver_lock); 962 } 963 kfree(teedev); 964 return ret; 965 } 966 EXPORT_SYMBOL_GPL(tee_device_alloc); 967 968 static ssize_t implementation_id_show(struct device *dev, 969 struct device_attribute *attr, char *buf) 970 { 971 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 972 struct tee_ioctl_version_data vers; 973 974 teedev->desc->ops->get_version(teedev, &vers); 975 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id); 976 } 977 static DEVICE_ATTR_RO(implementation_id); 978 979 static struct attribute *tee_dev_attrs[] = { 980 &dev_attr_implementation_id.attr, 981 NULL 982 }; 983 984 ATTRIBUTE_GROUPS(tee_dev); 985 986 /** 987 * tee_device_register() - Registers a TEE device 988 * @teedev: Device to register 989 * 990 * tee_device_unregister() need to be called to remove the @teedev if 991 * this function fails. 992 * 993 * @returns < 0 on failure 994 */ 995 int tee_device_register(struct tee_device *teedev) 996 { 997 int rc; 998 999 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { 1000 dev_err(&teedev->dev, "attempt to register twice\n"); 1001 return -EINVAL; 1002 } 1003 1004 teedev->dev.groups = tee_dev_groups; 1005 1006 rc = cdev_device_add(&teedev->cdev, &teedev->dev); 1007 if (rc) { 1008 dev_err(&teedev->dev, 1009 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n", 1010 teedev->name, MAJOR(teedev->dev.devt), 1011 MINOR(teedev->dev.devt), rc); 1012 return rc; 1013 } 1014 1015 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED; 1016 return 0; 1017 } 1018 EXPORT_SYMBOL_GPL(tee_device_register); 1019 1020 void tee_device_put(struct tee_device *teedev) 1021 { 1022 mutex_lock(&teedev->mutex); 1023 /* Shouldn't put in this state */ 1024 if (!WARN_ON(!teedev->desc)) { 1025 teedev->num_users--; 1026 if (!teedev->num_users) { 1027 teedev->desc = NULL; 1028 complete(&teedev->c_no_users); 1029 } 1030 } 1031 mutex_unlock(&teedev->mutex); 1032 } 1033 1034 bool tee_device_get(struct tee_device *teedev) 1035 { 1036 mutex_lock(&teedev->mutex); 1037 if (!teedev->desc) { 1038 mutex_unlock(&teedev->mutex); 1039 return false; 1040 } 1041 teedev->num_users++; 1042 mutex_unlock(&teedev->mutex); 1043 return true; 1044 } 1045 1046 /** 1047 * tee_device_unregister() - Removes a TEE device 1048 * @teedev: Device to unregister 1049 * 1050 * This function should be called to remove the @teedev even if 1051 * tee_device_register() hasn't been called yet. Does nothing if 1052 * @teedev is NULL. 1053 */ 1054 void tee_device_unregister(struct tee_device *teedev) 1055 { 1056 if (!teedev) 1057 return; 1058 1059 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) 1060 cdev_device_del(&teedev->cdev, &teedev->dev); 1061 1062 tee_device_put(teedev); 1063 wait_for_completion(&teedev->c_no_users); 1064 1065 /* 1066 * No need to take a mutex any longer now since teedev->desc was 1067 * set to NULL before teedev->c_no_users was completed. 1068 */ 1069 1070 teedev->pool = NULL; 1071 1072 put_device(&teedev->dev); 1073 } 1074 EXPORT_SYMBOL_GPL(tee_device_unregister); 1075 1076 /** 1077 * tee_get_drvdata() - Return driver_data pointer 1078 * @teedev: Device containing the driver_data pointer 1079 * @returns the driver_data pointer supplied to tee_register(). 1080 */ 1081 void *tee_get_drvdata(struct tee_device *teedev) 1082 { 1083 return dev_get_drvdata(&teedev->dev); 1084 } 1085 EXPORT_SYMBOL_GPL(tee_get_drvdata); 1086 1087 struct match_dev_data { 1088 struct tee_ioctl_version_data *vers; 1089 const void *data; 1090 int (*match)(struct tee_ioctl_version_data *, const void *); 1091 }; 1092 1093 static int match_dev(struct device *dev, const void *data) 1094 { 1095 const struct match_dev_data *match_data = data; 1096 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 1097 1098 teedev->desc->ops->get_version(teedev, match_data->vers); 1099 return match_data->match(match_data->vers, match_data->data); 1100 } 1101 1102 struct tee_context * 1103 tee_client_open_context(struct tee_context *start, 1104 int (*match)(struct tee_ioctl_version_data *, 1105 const void *), 1106 const void *data, struct tee_ioctl_version_data *vers) 1107 { 1108 struct device *dev = NULL; 1109 struct device *put_dev = NULL; 1110 struct tee_context *ctx = NULL; 1111 struct tee_ioctl_version_data v; 1112 struct match_dev_data match_data = { vers ? vers : &v, data, match }; 1113 1114 if (start) 1115 dev = &start->teedev->dev; 1116 1117 do { 1118 dev = class_find_device(tee_class, dev, &match_data, match_dev); 1119 if (!dev) { 1120 ctx = ERR_PTR(-ENOENT); 1121 break; 1122 } 1123 1124 put_device(put_dev); 1125 put_dev = dev; 1126 1127 ctx = teedev_open(container_of(dev, struct tee_device, dev)); 1128 } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM); 1129 1130 put_device(put_dev); 1131 /* 1132 * Default behaviour for in kernel client is to not wait for 1133 * tee-supplicant if not present for any requests in this context. 1134 * Also this flag could be configured again before call to 1135 * tee_client_open_session() if any in kernel client requires 1136 * different behaviour. 1137 */ 1138 if (!IS_ERR(ctx)) 1139 ctx->supp_nowait = true; 1140 1141 return ctx; 1142 } 1143 EXPORT_SYMBOL_GPL(tee_client_open_context); 1144 1145 void tee_client_close_context(struct tee_context *ctx) 1146 { 1147 teedev_close_context(ctx); 1148 } 1149 EXPORT_SYMBOL_GPL(tee_client_close_context); 1150 1151 void tee_client_get_version(struct tee_context *ctx, 1152 struct tee_ioctl_version_data *vers) 1153 { 1154 ctx->teedev->desc->ops->get_version(ctx->teedev, vers); 1155 } 1156 EXPORT_SYMBOL_GPL(tee_client_get_version); 1157 1158 int tee_client_open_session(struct tee_context *ctx, 1159 struct tee_ioctl_open_session_arg *arg, 1160 struct tee_param *param) 1161 { 1162 if (!ctx->teedev->desc->ops->open_session) 1163 return -EINVAL; 1164 return ctx->teedev->desc->ops->open_session(ctx, arg, param); 1165 } 1166 EXPORT_SYMBOL_GPL(tee_client_open_session); 1167 1168 int tee_client_close_session(struct tee_context *ctx, u32 session) 1169 { 1170 if (!ctx->teedev->desc->ops->close_session) 1171 return -EINVAL; 1172 return ctx->teedev->desc->ops->close_session(ctx, session); 1173 } 1174 EXPORT_SYMBOL_GPL(tee_client_close_session); 1175 1176 int tee_client_invoke_func(struct tee_context *ctx, 1177 struct tee_ioctl_invoke_arg *arg, 1178 struct tee_param *param) 1179 { 1180 if (!ctx->teedev->desc->ops->invoke_func) 1181 return -EINVAL; 1182 return ctx->teedev->desc->ops->invoke_func(ctx, arg, param); 1183 } 1184 EXPORT_SYMBOL_GPL(tee_client_invoke_func); 1185 1186 int tee_client_cancel_req(struct tee_context *ctx, 1187 struct tee_ioctl_cancel_arg *arg) 1188 { 1189 if (!ctx->teedev->desc->ops->cancel_req) 1190 return -EINVAL; 1191 return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id, 1192 arg->session); 1193 } 1194 1195 static int tee_client_device_match(struct device *dev, 1196 struct device_driver *drv) 1197 { 1198 const struct tee_client_device_id *id_table; 1199 struct tee_client_device *tee_device; 1200 1201 id_table = to_tee_client_driver(drv)->id_table; 1202 tee_device = to_tee_client_device(dev); 1203 1204 while (!uuid_is_null(&id_table->uuid)) { 1205 if (uuid_equal(&tee_device->id.uuid, &id_table->uuid)) 1206 return 1; 1207 id_table++; 1208 } 1209 1210 return 0; 1211 } 1212 1213 static int tee_client_device_uevent(struct device *dev, 1214 struct kobj_uevent_env *env) 1215 { 1216 uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid; 1217 1218 return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id); 1219 } 1220 1221 struct bus_type tee_bus_type = { 1222 .name = "tee", 1223 .match = tee_client_device_match, 1224 .uevent = tee_client_device_uevent, 1225 }; 1226 EXPORT_SYMBOL_GPL(tee_bus_type); 1227 1228 static int __init tee_init(void) 1229 { 1230 int rc; 1231 1232 tee_class = class_create(THIS_MODULE, "tee"); 1233 if (IS_ERR(tee_class)) { 1234 pr_err("couldn't create class\n"); 1235 return PTR_ERR(tee_class); 1236 } 1237 1238 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee"); 1239 if (rc) { 1240 pr_err("failed to allocate char dev region\n"); 1241 goto out_unreg_class; 1242 } 1243 1244 rc = bus_register(&tee_bus_type); 1245 if (rc) { 1246 pr_err("failed to register tee bus\n"); 1247 goto out_unreg_chrdev; 1248 } 1249 1250 return 0; 1251 1252 out_unreg_chrdev: 1253 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1254 out_unreg_class: 1255 class_destroy(tee_class); 1256 tee_class = NULL; 1257 1258 return rc; 1259 } 1260 1261 static void __exit tee_exit(void) 1262 { 1263 bus_unregister(&tee_bus_type); 1264 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1265 class_destroy(tee_class); 1266 tee_class = NULL; 1267 } 1268 1269 subsys_initcall(tee_init); 1270 module_exit(tee_exit); 1271 1272 MODULE_AUTHOR("Linaro"); 1273 MODULE_DESCRIPTION("TEE Driver"); 1274 MODULE_VERSION("1.0"); 1275 MODULE_LICENSE("GPL v2"); 1276