1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (c) 2015-2016, Linaro Limited 4 */ 5 6#define pr_fmt(fmt) "%s: " fmt, __func__ 7 8#include <linux/cdev.h> 9#include <linux/cred.h> 10#include <linux/fs.h> 11#include <linux/idr.h> 12#include <linux/module.h> 13#include <linux/slab.h> 14#include <linux/tee_drv.h> 15#include <linux/uaccess.h> 16#include <crypto/hash.h> 17#include <crypto/sha1.h> 18#include "tee_private.h" 19 20#define TEE_NUM_DEVICES 32 21 22#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) 23 24#define TEE_UUID_NS_NAME_SIZE 128 25 26/* 27 * TEE Client UUID name space identifier (UUIDv4) 28 * 29 * Value here is random UUID that is allocated as name space identifier for 30 * forming Client UUID's for TEE environment using UUIDv5 scheme. 31 */ 32static const uuid_t tee_client_uuid_ns = UUID_INIT(0x58ac9ca0, 0x2086, 0x4683, 33 0xa1, 0xb8, 0xec, 0x4b, 34 0xc0, 0x8e, 0x01, 0xb6); 35 36/* 37 * Unprivileged devices in the lower half range and privileged devices in 38 * the upper half range. 39 */ 40static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES); 41static DEFINE_SPINLOCK(driver_lock); 42 43static const struct class tee_class = { 44 .name = "tee", 45}; 46 47static dev_t tee_devt; 48 49struct tee_context *teedev_open(struct tee_device *teedev) 50{ 51 int rc; 52 struct tee_context *ctx; 53 54 if (!tee_device_get(teedev)) 55 return ERR_PTR(-EINVAL); 56 57 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 58 if (!ctx) { 59 rc = -ENOMEM; 60 goto err; 61 } 62 63 kref_init(&ctx->refcount); 64 ctx->teedev = teedev; 65 rc = teedev->desc->ops->open(ctx); 66 if (rc) 67 goto err; 68 69 return ctx; 70err: 71 kfree(ctx); 72 tee_device_put(teedev); 73 return ERR_PTR(rc); 74 75} 76EXPORT_SYMBOL_GPL(teedev_open); 77 78void teedev_ctx_get(struct tee_context *ctx) 79{ 80 if (ctx->releasing) 81 return; 82 83 kref_get(&ctx->refcount); 84} 85 86static void teedev_ctx_release(struct kref *ref) 87{ 88 struct tee_context *ctx = container_of(ref, struct tee_context, 89 refcount); 90 ctx->releasing = true; 91 ctx->teedev->desc->ops->release(ctx); 92 kfree(ctx); 93} 94 95void teedev_ctx_put(struct tee_context *ctx) 96{ 97 if (ctx->releasing) 98 return; 99 100 kref_put(&ctx->refcount, teedev_ctx_release); 101} 102 103void teedev_close_context(struct tee_context *ctx) 104{ 105 struct tee_device *teedev = ctx->teedev; 106 107 teedev_ctx_put(ctx); 108 tee_device_put(teedev); 109} 110EXPORT_SYMBOL_GPL(teedev_close_context); 111 112static int tee_open(struct inode *inode, struct file *filp) 113{ 114 struct tee_context *ctx; 115 116 ctx = teedev_open(container_of(inode->i_cdev, struct tee_device, cdev)); 117 if (IS_ERR(ctx)) 118 return PTR_ERR(ctx); 119 120 /* 121 * Default user-space behaviour is to wait for tee-supplicant 122 * if not present for any requests in this context. 123 */ 124 ctx->supp_nowait = false; 125 filp->private_data = ctx; 126 return 0; 127} 128 129static int tee_release(struct inode *inode, struct file *filp) 130{ 131 teedev_close_context(filp->private_data); 132 return 0; 133} 134 135/** 136 * uuid_v5() - Calculate UUIDv5 137 * @uuid: Resulting UUID 138 * @ns: Name space ID for UUIDv5 function 139 * @name: Name for UUIDv5 function 140 * @size: Size of name 141 * 142 * UUIDv5 is specific in RFC 4122. 143 * 144 * This implements section (for SHA-1): 145 * 4.3. Algorithm for Creating a Name-Based UUID 146 */ 147static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name, 148 size_t size) 149{ 150 unsigned char hash[SHA1_DIGEST_SIZE]; 151 struct crypto_shash *shash = NULL; 152 struct shash_desc *desc = NULL; 153 int rc; 154 155 shash = crypto_alloc_shash("sha1", 0, 0); 156 if (IS_ERR(shash)) { 157 rc = PTR_ERR(shash); 158 pr_err("shash(sha1) allocation failed\n"); 159 return rc; 160 } 161 162 desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), 163 GFP_KERNEL); 164 if (!desc) { 165 rc = -ENOMEM; 166 goto out_free_shash; 167 } 168 169 desc->tfm = shash; 170 171 rc = crypto_shash_init(desc); 172 if (rc < 0) 173 goto out_free_desc; 174 175 rc = crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns)); 176 if (rc < 0) 177 goto out_free_desc; 178 179 rc = crypto_shash_update(desc, (const u8 *)name, size); 180 if (rc < 0) 181 goto out_free_desc; 182 183 rc = crypto_shash_final(desc, hash); 184 if (rc < 0) 185 goto out_free_desc; 186 187 memcpy(uuid->b, hash, UUID_SIZE); 188 189 /* Tag for version 5 */ 190 uuid->b[6] = (hash[6] & 0x0F) | 0x50; 191 uuid->b[8] = (hash[8] & 0x3F) | 0x80; 192 193out_free_desc: 194 kfree(desc); 195 196out_free_shash: 197 crypto_free_shash(shash); 198 return rc; 199} 200 201int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, 202 const u8 connection_data[TEE_IOCTL_UUID_LEN]) 203{ 204 gid_t ns_grp = (gid_t)-1; 205 kgid_t grp = INVALID_GID; 206 char *name = NULL; 207 int name_len; 208 int rc; 209 210 if (connection_method == TEE_IOCTL_LOGIN_PUBLIC || 211 connection_method == TEE_IOCTL_LOGIN_REE_KERNEL) { 212 /* Nil UUID to be passed to TEE environment */ 213 uuid_copy(uuid, &uuid_null); 214 return 0; 215 } 216 217 /* 218 * In Linux environment client UUID is based on UUIDv5. 219 * 220 * Determine client UUID with following semantics for 'name': 221 * 222 * For TEEC_LOGIN_USER: 223 * uid=<uid> 224 * 225 * For TEEC_LOGIN_GROUP: 226 * gid=<gid> 227 * 228 */ 229 230 name = kzalloc(TEE_UUID_NS_NAME_SIZE, GFP_KERNEL); 231 if (!name) 232 return -ENOMEM; 233 234 switch (connection_method) { 235 case TEE_IOCTL_LOGIN_USER: 236 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "uid=%x", 237 current_euid().val); 238 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 239 rc = -E2BIG; 240 goto out_free_name; 241 } 242 break; 243 244 case TEE_IOCTL_LOGIN_GROUP: 245 memcpy(&ns_grp, connection_data, sizeof(gid_t)); 246 grp = make_kgid(current_user_ns(), ns_grp); 247 if (!gid_valid(grp) || !in_egroup_p(grp)) { 248 rc = -EPERM; 249 goto out_free_name; 250 } 251 252 name_len = snprintf(name, TEE_UUID_NS_NAME_SIZE, "gid=%x", 253 grp.val); 254 if (name_len >= TEE_UUID_NS_NAME_SIZE) { 255 rc = -E2BIG; 256 goto out_free_name; 257 } 258 break; 259 260 default: 261 rc = -EINVAL; 262 goto out_free_name; 263 } 264 265 rc = uuid_v5(uuid, &tee_client_uuid_ns, name, name_len); 266out_free_name: 267 kfree(name); 268 269 return rc; 270} 271EXPORT_SYMBOL_GPL(tee_session_calc_client_uuid); 272 273static int tee_ioctl_version(struct tee_context *ctx, 274 struct tee_ioctl_version_data __user *uvers) 275{ 276 struct tee_ioctl_version_data vers; 277 278 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers); 279 280 if (ctx->teedev->desc->flags & TEE_DESC_PRIVILEGED) 281 vers.gen_caps |= TEE_GEN_CAP_PRIVILEGED; 282 283 if (copy_to_user(uvers, &vers, sizeof(vers))) 284 return -EFAULT; 285 286 return 0; 287} 288 289static int tee_ioctl_shm_alloc(struct tee_context *ctx, 290 struct tee_ioctl_shm_alloc_data __user *udata) 291{ 292 long ret; 293 struct tee_ioctl_shm_alloc_data data; 294 struct tee_shm *shm; 295 296 if (copy_from_user(&data, udata, sizeof(data))) 297 return -EFAULT; 298 299 /* Currently no input flags are supported */ 300 if (data.flags) 301 return -EINVAL; 302 303 shm = tee_shm_alloc_user_buf(ctx, data.size); 304 if (IS_ERR(shm)) 305 return PTR_ERR(shm); 306 307 data.id = shm->id; 308 data.size = shm->size; 309 310 if (copy_to_user(udata, &data, sizeof(data))) 311 ret = -EFAULT; 312 else 313 ret = tee_shm_get_fd(shm); 314 315 /* 316 * When user space closes the file descriptor the shared memory 317 * should be freed or if tee_shm_get_fd() failed then it will 318 * be freed immediately. 319 */ 320 tee_shm_put(shm); 321 return ret; 322} 323 324static int 325tee_ioctl_shm_register(struct tee_context *ctx, 326 struct tee_ioctl_shm_register_data __user *udata) 327{ 328 long ret; 329 struct tee_ioctl_shm_register_data data; 330 struct tee_shm *shm; 331 332 if (copy_from_user(&data, udata, sizeof(data))) 333 return -EFAULT; 334 335 /* Currently no input flags are supported */ 336 if (data.flags) 337 return -EINVAL; 338 339 shm = tee_shm_register_user_buf(ctx, data.addr, data.length); 340 if (IS_ERR(shm)) 341 return PTR_ERR(shm); 342 343 data.id = shm->id; 344 data.length = shm->size; 345 346 if (copy_to_user(udata, &data, sizeof(data))) 347 ret = -EFAULT; 348 else 349 ret = tee_shm_get_fd(shm); 350 /* 351 * When user space closes the file descriptor the shared memory 352 * should be freed or if tee_shm_get_fd() failed then it will 353 * be freed immediately. 354 */ 355 tee_shm_put(shm); 356 return ret; 357} 358 359static int params_from_user(struct tee_context *ctx, struct tee_param *params, 360 size_t num_params, 361 struct tee_ioctl_param __user *uparams) 362{ 363 size_t n; 364 365 for (n = 0; n < num_params; n++) { 366 struct tee_shm *shm; 367 struct tee_ioctl_param ip; 368 369 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 370 return -EFAULT; 371 372 /* All unused attribute bits has to be zero */ 373 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 374 return -EINVAL; 375 376 params[n].attr = ip.attr; 377 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 378 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE: 379 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 380 break; 381 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 382 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 383 params[n].u.value.a = ip.a; 384 params[n].u.value.b = ip.b; 385 params[n].u.value.c = ip.c; 386 break; 387 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 388 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 389 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 390 /* 391 * If a NULL pointer is passed to a TA in the TEE, 392 * the ip.c IOCTL parameters is set to TEE_MEMREF_NULL 393 * indicating a NULL memory reference. 394 */ 395 if (ip.c != TEE_MEMREF_NULL) { 396 /* 397 * If we fail to get a pointer to a shared 398 * memory object (and increase the ref count) 399 * from an identifier we return an error. All 400 * pointers that has been added in params have 401 * an increased ref count. It's the callers 402 * responibility to do tee_shm_put() on all 403 * resolved pointers. 404 */ 405 shm = tee_shm_get_from_id(ctx, ip.c); 406 if (IS_ERR(shm)) 407 return PTR_ERR(shm); 408 409 /* 410 * Ensure offset + size does not overflow 411 * offset and does not overflow the size of 412 * the referred shared memory object. 413 */ 414 if ((ip.a + ip.b) < ip.a || 415 (ip.a + ip.b) > shm->size) { 416 tee_shm_put(shm); 417 return -EINVAL; 418 } 419 } else if (ctx->cap_memref_null) { 420 /* Pass NULL pointer to OP-TEE */ 421 shm = NULL; 422 } else { 423 return -EINVAL; 424 } 425 426 params[n].u.memref.shm_offs = ip.a; 427 params[n].u.memref.size = ip.b; 428 params[n].u.memref.shm = shm; 429 break; 430 default: 431 /* Unknown attribute */ 432 return -EINVAL; 433 } 434 } 435 return 0; 436} 437 438static int params_to_user(struct tee_ioctl_param __user *uparams, 439 size_t num_params, struct tee_param *params) 440{ 441 size_t n; 442 443 for (n = 0; n < num_params; n++) { 444 struct tee_ioctl_param __user *up = uparams + n; 445 struct tee_param *p = params + n; 446 447 switch (p->attr) { 448 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 449 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 450 if (put_user(p->u.value.a, &up->a) || 451 put_user(p->u.value.b, &up->b) || 452 put_user(p->u.value.c, &up->c)) 453 return -EFAULT; 454 break; 455 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 456 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 457 if (put_user((u64)p->u.memref.size, &up->b)) 458 return -EFAULT; 459 break; 460 default: 461 break; 462 } 463 } 464 return 0; 465} 466 467static int tee_ioctl_open_session(struct tee_context *ctx, 468 struct tee_ioctl_buf_data __user *ubuf) 469{ 470 int rc; 471 size_t n; 472 struct tee_ioctl_buf_data buf; 473 struct tee_ioctl_open_session_arg __user *uarg; 474 struct tee_ioctl_open_session_arg arg; 475 struct tee_ioctl_param __user *uparams = NULL; 476 struct tee_param *params = NULL; 477 bool have_session = false; 478 479 if (!ctx->teedev->desc->ops->open_session) 480 return -EINVAL; 481 482 if (copy_from_user(&buf, ubuf, sizeof(buf))) 483 return -EFAULT; 484 485 if (buf.buf_len > TEE_MAX_ARG_SIZE || 486 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg)) 487 return -EINVAL; 488 489 uarg = u64_to_user_ptr(buf.buf_ptr); 490 if (copy_from_user(&arg, uarg, sizeof(arg))) 491 return -EFAULT; 492 493 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 494 return -EINVAL; 495 496 if (arg.num_params) { 497 params = kcalloc(arg.num_params, sizeof(struct tee_param), 498 GFP_KERNEL); 499 if (!params) 500 return -ENOMEM; 501 uparams = uarg->params; 502 rc = params_from_user(ctx, params, arg.num_params, uparams); 503 if (rc) 504 goto out; 505 } 506 507 if (arg.clnt_login >= TEE_IOCTL_LOGIN_REE_KERNEL_MIN && 508 arg.clnt_login <= TEE_IOCTL_LOGIN_REE_KERNEL_MAX) { 509 pr_debug("login method not allowed for user-space client\n"); 510 rc = -EPERM; 511 goto out; 512 } 513 514 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); 515 if (rc) 516 goto out; 517 have_session = true; 518 519 if (put_user(arg.session, &uarg->session) || 520 put_user(arg.ret, &uarg->ret) || 521 put_user(arg.ret_origin, &uarg->ret_origin)) { 522 rc = -EFAULT; 523 goto out; 524 } 525 rc = params_to_user(uparams, arg.num_params, params); 526out: 527 /* 528 * If we've succeeded to open the session but failed to communicate 529 * it back to user space, close the session again to avoid leakage. 530 */ 531 if (rc && have_session && ctx->teedev->desc->ops->close_session) 532 ctx->teedev->desc->ops->close_session(ctx, arg.session); 533 534 if (params) { 535 /* Decrease ref count for all valid shared memory pointers */ 536 for (n = 0; n < arg.num_params; n++) 537 if (tee_param_is_memref(params + n) && 538 params[n].u.memref.shm) 539 tee_shm_put(params[n].u.memref.shm); 540 kfree(params); 541 } 542 543 return rc; 544} 545 546static int tee_ioctl_invoke(struct tee_context *ctx, 547 struct tee_ioctl_buf_data __user *ubuf) 548{ 549 int rc; 550 size_t n; 551 struct tee_ioctl_buf_data buf; 552 struct tee_ioctl_invoke_arg __user *uarg; 553 struct tee_ioctl_invoke_arg arg; 554 struct tee_ioctl_param __user *uparams = NULL; 555 struct tee_param *params = NULL; 556 557 if (!ctx->teedev->desc->ops->invoke_func) 558 return -EINVAL; 559 560 if (copy_from_user(&buf, ubuf, sizeof(buf))) 561 return -EFAULT; 562 563 if (buf.buf_len > TEE_MAX_ARG_SIZE || 564 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg)) 565 return -EINVAL; 566 567 uarg = u64_to_user_ptr(buf.buf_ptr); 568 if (copy_from_user(&arg, uarg, sizeof(arg))) 569 return -EFAULT; 570 571 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) 572 return -EINVAL; 573 574 if (arg.num_params) { 575 params = kcalloc(arg.num_params, sizeof(struct tee_param), 576 GFP_KERNEL); 577 if (!params) 578 return -ENOMEM; 579 uparams = uarg->params; 580 rc = params_from_user(ctx, params, arg.num_params, uparams); 581 if (rc) 582 goto out; 583 } 584 585 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params); 586 if (rc) 587 goto out; 588 589 if (put_user(arg.ret, &uarg->ret) || 590 put_user(arg.ret_origin, &uarg->ret_origin)) { 591 rc = -EFAULT; 592 goto out; 593 } 594 rc = params_to_user(uparams, arg.num_params, params); 595out: 596 if (params) { 597 /* Decrease ref count for all valid shared memory pointers */ 598 for (n = 0; n < arg.num_params; n++) 599 if (tee_param_is_memref(params + n) && 600 params[n].u.memref.shm) 601 tee_shm_put(params[n].u.memref.shm); 602 kfree(params); 603 } 604 return rc; 605} 606 607static int tee_ioctl_cancel(struct tee_context *ctx, 608 struct tee_ioctl_cancel_arg __user *uarg) 609{ 610 struct tee_ioctl_cancel_arg arg; 611 612 if (!ctx->teedev->desc->ops->cancel_req) 613 return -EINVAL; 614 615 if (copy_from_user(&arg, uarg, sizeof(arg))) 616 return -EFAULT; 617 618 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id, 619 arg.session); 620} 621 622static int 623tee_ioctl_close_session(struct tee_context *ctx, 624 struct tee_ioctl_close_session_arg __user *uarg) 625{ 626 struct tee_ioctl_close_session_arg arg; 627 628 if (!ctx->teedev->desc->ops->close_session) 629 return -EINVAL; 630 631 if (copy_from_user(&arg, uarg, sizeof(arg))) 632 return -EFAULT; 633 634 return ctx->teedev->desc->ops->close_session(ctx, arg.session); 635} 636 637static int params_to_supp(struct tee_context *ctx, 638 struct tee_ioctl_param __user *uparams, 639 size_t num_params, struct tee_param *params) 640{ 641 size_t n; 642 643 for (n = 0; n < num_params; n++) { 644 struct tee_ioctl_param ip; 645 struct tee_param *p = params + n; 646 647 ip.attr = p->attr; 648 switch (p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 649 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT: 650 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 651 ip.a = p->u.value.a; 652 ip.b = p->u.value.b; 653 ip.c = p->u.value.c; 654 break; 655 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT: 656 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 657 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 658 ip.b = p->u.memref.size; 659 if (!p->u.memref.shm) { 660 ip.a = 0; 661 ip.c = (u64)-1; /* invalid shm id */ 662 break; 663 } 664 ip.a = p->u.memref.shm_offs; 665 ip.c = p->u.memref.shm->id; 666 break; 667 default: 668 ip.a = 0; 669 ip.b = 0; 670 ip.c = 0; 671 break; 672 } 673 674 if (copy_to_user(uparams + n, &ip, sizeof(ip))) 675 return -EFAULT; 676 } 677 678 return 0; 679} 680 681static int tee_ioctl_supp_recv(struct tee_context *ctx, 682 struct tee_ioctl_buf_data __user *ubuf) 683{ 684 int rc; 685 struct tee_ioctl_buf_data buf; 686 struct tee_iocl_supp_recv_arg __user *uarg; 687 struct tee_param *params; 688 u32 num_params; 689 u32 func; 690 691 if (!ctx->teedev->desc->ops->supp_recv) 692 return -EINVAL; 693 694 if (copy_from_user(&buf, ubuf, sizeof(buf))) 695 return -EFAULT; 696 697 if (buf.buf_len > TEE_MAX_ARG_SIZE || 698 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg)) 699 return -EINVAL; 700 701 uarg = u64_to_user_ptr(buf.buf_ptr); 702 if (get_user(num_params, &uarg->num_params)) 703 return -EFAULT; 704 705 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) 706 return -EINVAL; 707 708 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 709 if (!params) 710 return -ENOMEM; 711 712 rc = params_from_user(ctx, params, num_params, uarg->params); 713 if (rc) 714 goto out; 715 716 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); 717 if (rc) 718 goto out; 719 720 if (put_user(func, &uarg->func) || 721 put_user(num_params, &uarg->num_params)) { 722 rc = -EFAULT; 723 goto out; 724 } 725 726 rc = params_to_supp(ctx, uarg->params, num_params, params); 727out: 728 kfree(params); 729 return rc; 730} 731 732static int params_from_supp(struct tee_param *params, size_t num_params, 733 struct tee_ioctl_param __user *uparams) 734{ 735 size_t n; 736 737 for (n = 0; n < num_params; n++) { 738 struct tee_param *p = params + n; 739 struct tee_ioctl_param ip; 740 741 if (copy_from_user(&ip, uparams + n, sizeof(ip))) 742 return -EFAULT; 743 744 /* All unused attribute bits has to be zero */ 745 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_MASK) 746 return -EINVAL; 747 748 p->attr = ip.attr; 749 switch (ip.attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) { 750 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT: 751 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT: 752 /* Only out and in/out values can be updated */ 753 p->u.value.a = ip.a; 754 p->u.value.b = ip.b; 755 p->u.value.c = ip.c; 756 break; 757 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT: 758 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT: 759 /* 760 * Only the size of the memref can be updated. 761 * Since we don't have access to the original 762 * parameters here, only store the supplied size. 763 * The driver will copy the updated size into the 764 * original parameters. 765 */ 766 p->u.memref.shm = NULL; 767 p->u.memref.shm_offs = 0; 768 p->u.memref.size = ip.b; 769 break; 770 default: 771 memset(&p->u, 0, sizeof(p->u)); 772 break; 773 } 774 } 775 return 0; 776} 777 778static int tee_ioctl_supp_send(struct tee_context *ctx, 779 struct tee_ioctl_buf_data __user *ubuf) 780{ 781 long rc; 782 struct tee_ioctl_buf_data buf; 783 struct tee_iocl_supp_send_arg __user *uarg; 784 struct tee_param *params; 785 u32 num_params; 786 u32 ret; 787 788 /* Not valid for this driver */ 789 if (!ctx->teedev->desc->ops->supp_send) 790 return -EINVAL; 791 792 if (copy_from_user(&buf, ubuf, sizeof(buf))) 793 return -EFAULT; 794 795 if (buf.buf_len > TEE_MAX_ARG_SIZE || 796 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg)) 797 return -EINVAL; 798 799 uarg = u64_to_user_ptr(buf.buf_ptr); 800 if (get_user(ret, &uarg->ret) || 801 get_user(num_params, &uarg->num_params)) 802 return -EFAULT; 803 804 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) 805 return -EINVAL; 806 807 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); 808 if (!params) 809 return -ENOMEM; 810 811 rc = params_from_supp(params, num_params, uarg->params); 812 if (rc) 813 goto out; 814 815 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params); 816out: 817 kfree(params); 818 return rc; 819} 820 821static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 822{ 823 struct tee_context *ctx = filp->private_data; 824 void __user *uarg = (void __user *)arg; 825 826 switch (cmd) { 827 case TEE_IOC_VERSION: 828 return tee_ioctl_version(ctx, uarg); 829 case TEE_IOC_SHM_ALLOC: 830 return tee_ioctl_shm_alloc(ctx, uarg); 831 case TEE_IOC_SHM_REGISTER: 832 return tee_ioctl_shm_register(ctx, uarg); 833 case TEE_IOC_OPEN_SESSION: 834 return tee_ioctl_open_session(ctx, uarg); 835 case TEE_IOC_INVOKE: 836 return tee_ioctl_invoke(ctx, uarg); 837 case TEE_IOC_CANCEL: 838 return tee_ioctl_cancel(ctx, uarg); 839 case TEE_IOC_CLOSE_SESSION: 840 return tee_ioctl_close_session(ctx, uarg); 841 case TEE_IOC_SUPPL_RECV: 842 return tee_ioctl_supp_recv(ctx, uarg); 843 case TEE_IOC_SUPPL_SEND: 844 return tee_ioctl_supp_send(ctx, uarg); 845 default: 846 return -EINVAL; 847 } 848} 849 850static const struct file_operations tee_fops = { 851 .owner = THIS_MODULE, 852 .open = tee_open, 853 .release = tee_release, 854 .unlocked_ioctl = tee_ioctl, 855 .compat_ioctl = compat_ptr_ioctl, 856}; 857 858static void tee_release_device(struct device *dev) 859{ 860 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 861 862 spin_lock(&driver_lock); 863 clear_bit(teedev->id, dev_mask); 864 spin_unlock(&driver_lock); 865 mutex_destroy(&teedev->mutex); 866 idr_destroy(&teedev->idr); 867 kfree(teedev); 868} 869 870/** 871 * tee_device_alloc() - Allocate a new struct tee_device instance 872 * @teedesc: Descriptor for this driver 873 * @dev: Parent device for this device 874 * @pool: Shared memory pool, NULL if not used 875 * @driver_data: Private driver data for this device 876 * 877 * Allocates a new struct tee_device instance. The device is 878 * removed by tee_device_unregister(). 879 * 880 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure 881 */ 882struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, 883 struct device *dev, 884 struct tee_shm_pool *pool, 885 void *driver_data) 886{ 887 struct tee_device *teedev; 888 void *ret; 889 int rc, max_id; 890 int offs = 0; 891 892 if (!teedesc || !teedesc->name || !teedesc->ops || 893 !teedesc->ops->get_version || !teedesc->ops->open || 894 !teedesc->ops->release || !pool) 895 return ERR_PTR(-EINVAL); 896 897 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL); 898 if (!teedev) { 899 ret = ERR_PTR(-ENOMEM); 900 goto err; 901 } 902 903 max_id = TEE_NUM_DEVICES / 2; 904 905 if (teedesc->flags & TEE_DESC_PRIVILEGED) { 906 offs = TEE_NUM_DEVICES / 2; 907 max_id = TEE_NUM_DEVICES; 908 } 909 910 spin_lock(&driver_lock); 911 teedev->id = find_next_zero_bit(dev_mask, max_id, offs); 912 if (teedev->id < max_id) 913 set_bit(teedev->id, dev_mask); 914 spin_unlock(&driver_lock); 915 916 if (teedev->id >= max_id) { 917 ret = ERR_PTR(-ENOMEM); 918 goto err; 919 } 920 921 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d", 922 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "", 923 teedev->id - offs); 924 925 teedev->dev.class = &tee_class; 926 teedev->dev.release = tee_release_device; 927 teedev->dev.parent = dev; 928 929 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id); 930 931 rc = dev_set_name(&teedev->dev, "%s", teedev->name); 932 if (rc) { 933 ret = ERR_PTR(rc); 934 goto err_devt; 935 } 936 937 cdev_init(&teedev->cdev, &tee_fops); 938 teedev->cdev.owner = teedesc->owner; 939 940 dev_set_drvdata(&teedev->dev, driver_data); 941 device_initialize(&teedev->dev); 942 943 /* 1 as tee_device_unregister() does one final tee_device_put() */ 944 teedev->num_users = 1; 945 init_completion(&teedev->c_no_users); 946 mutex_init(&teedev->mutex); 947 idr_init(&teedev->idr); 948 949 teedev->desc = teedesc; 950 teedev->pool = pool; 951 952 return teedev; 953err_devt: 954 unregister_chrdev_region(teedev->dev.devt, 1); 955err: 956 pr_err("could not register %s driver\n", 957 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client"); 958 if (teedev && teedev->id < TEE_NUM_DEVICES) { 959 spin_lock(&driver_lock); 960 clear_bit(teedev->id, dev_mask); 961 spin_unlock(&driver_lock); 962 } 963 kfree(teedev); 964 return ret; 965} 966EXPORT_SYMBOL_GPL(tee_device_alloc); 967 968static ssize_t implementation_id_show(struct device *dev, 969 struct device_attribute *attr, char *buf) 970{ 971 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 972 struct tee_ioctl_version_data vers; 973 974 teedev->desc->ops->get_version(teedev, &vers); 975 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id); 976} 977static DEVICE_ATTR_RO(implementation_id); 978 979static struct attribute *tee_dev_attrs[] = { 980 &dev_attr_implementation_id.attr, 981 NULL 982}; 983 984ATTRIBUTE_GROUPS(tee_dev); 985 986/** 987 * tee_device_register() - Registers a TEE device 988 * @teedev: Device to register 989 * 990 * tee_device_unregister() need to be called to remove the @teedev if 991 * this function fails. 992 * 993 * @returns < 0 on failure 994 */ 995int tee_device_register(struct tee_device *teedev) 996{ 997 int rc; 998 999 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) { 1000 dev_err(&teedev->dev, "attempt to register twice\n"); 1001 return -EINVAL; 1002 } 1003 1004 teedev->dev.groups = tee_dev_groups; 1005 1006 rc = cdev_device_add(&teedev->cdev, &teedev->dev); 1007 if (rc) { 1008 dev_err(&teedev->dev, 1009 "unable to cdev_device_add() %s, major %d, minor %d, err=%d\n", 1010 teedev->name, MAJOR(teedev->dev.devt), 1011 MINOR(teedev->dev.devt), rc); 1012 return rc; 1013 } 1014 1015 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED; 1016 return 0; 1017} 1018EXPORT_SYMBOL_GPL(tee_device_register); 1019 1020void tee_device_put(struct tee_device *teedev) 1021{ 1022 mutex_lock(&teedev->mutex); 1023 /* Shouldn't put in this state */ 1024 if (!WARN_ON(!teedev->desc)) { 1025 teedev->num_users--; 1026 if (!teedev->num_users) { 1027 teedev->desc = NULL; 1028 complete(&teedev->c_no_users); 1029 } 1030 } 1031 mutex_unlock(&teedev->mutex); 1032} 1033 1034bool tee_device_get(struct tee_device *teedev) 1035{ 1036 mutex_lock(&teedev->mutex); 1037 if (!teedev->desc) { 1038 mutex_unlock(&teedev->mutex); 1039 return false; 1040 } 1041 teedev->num_users++; 1042 mutex_unlock(&teedev->mutex); 1043 return true; 1044} 1045 1046/** 1047 * tee_device_unregister() - Removes a TEE device 1048 * @teedev: Device to unregister 1049 * 1050 * This function should be called to remove the @teedev even if 1051 * tee_device_register() hasn't been called yet. Does nothing if 1052 * @teedev is NULL. 1053 */ 1054void tee_device_unregister(struct tee_device *teedev) 1055{ 1056 if (!teedev) 1057 return; 1058 1059 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) 1060 cdev_device_del(&teedev->cdev, &teedev->dev); 1061 1062 tee_device_put(teedev); 1063 wait_for_completion(&teedev->c_no_users); 1064 1065 /* 1066 * No need to take a mutex any longer now since teedev->desc was 1067 * set to NULL before teedev->c_no_users was completed. 1068 */ 1069 1070 teedev->pool = NULL; 1071 1072 put_device(&teedev->dev); 1073} 1074EXPORT_SYMBOL_GPL(tee_device_unregister); 1075 1076/** 1077 * tee_get_drvdata() - Return driver_data pointer 1078 * @teedev: Device containing the driver_data pointer 1079 * @returns the driver_data pointer supplied to tee_device_alloc(). 1080 */ 1081void *tee_get_drvdata(struct tee_device *teedev) 1082{ 1083 return dev_get_drvdata(&teedev->dev); 1084} 1085EXPORT_SYMBOL_GPL(tee_get_drvdata); 1086 1087struct match_dev_data { 1088 struct tee_ioctl_version_data *vers; 1089 const void *data; 1090 int (*match)(struct tee_ioctl_version_data *, const void *); 1091}; 1092 1093static int match_dev(struct device *dev, const void *data) 1094{ 1095 const struct match_dev_data *match_data = data; 1096 struct tee_device *teedev = container_of(dev, struct tee_device, dev); 1097 1098 teedev->desc->ops->get_version(teedev, match_data->vers); 1099 return match_data->match(match_data->vers, match_data->data); 1100} 1101 1102struct tee_context * 1103tee_client_open_context(struct tee_context *start, 1104 int (*match)(struct tee_ioctl_version_data *, 1105 const void *), 1106 const void *data, struct tee_ioctl_version_data *vers) 1107{ 1108 struct device *dev = NULL; 1109 struct device *put_dev = NULL; 1110 struct tee_context *ctx = NULL; 1111 struct tee_ioctl_version_data v; 1112 struct match_dev_data match_data = { vers ? vers : &v, data, match }; 1113 1114 if (start) 1115 dev = &start->teedev->dev; 1116 1117 do { 1118 dev = class_find_device(&tee_class, dev, &match_data, match_dev); 1119 if (!dev) { 1120 ctx = ERR_PTR(-ENOENT); 1121 break; 1122 } 1123 1124 put_device(put_dev); 1125 put_dev = dev; 1126 1127 ctx = teedev_open(container_of(dev, struct tee_device, dev)); 1128 } while (IS_ERR(ctx) && PTR_ERR(ctx) != -ENOMEM); 1129 1130 put_device(put_dev); 1131 /* 1132 * Default behaviour for in kernel client is to not wait for 1133 * tee-supplicant if not present for any requests in this context. 1134 * Also this flag could be configured again before call to 1135 * tee_client_open_session() if any in kernel client requires 1136 * different behaviour. 1137 */ 1138 if (!IS_ERR(ctx)) 1139 ctx->supp_nowait = true; 1140 1141 return ctx; 1142} 1143EXPORT_SYMBOL_GPL(tee_client_open_context); 1144 1145void tee_client_close_context(struct tee_context *ctx) 1146{ 1147 teedev_close_context(ctx); 1148} 1149EXPORT_SYMBOL_GPL(tee_client_close_context); 1150 1151void tee_client_get_version(struct tee_context *ctx, 1152 struct tee_ioctl_version_data *vers) 1153{ 1154 ctx->teedev->desc->ops->get_version(ctx->teedev, vers); 1155} 1156EXPORT_SYMBOL_GPL(tee_client_get_version); 1157 1158int tee_client_open_session(struct tee_context *ctx, 1159 struct tee_ioctl_open_session_arg *arg, 1160 struct tee_param *param) 1161{ 1162 if (!ctx->teedev->desc->ops->open_session) 1163 return -EINVAL; 1164 return ctx->teedev->desc->ops->open_session(ctx, arg, param); 1165} 1166EXPORT_SYMBOL_GPL(tee_client_open_session); 1167 1168int tee_client_close_session(struct tee_context *ctx, u32 session) 1169{ 1170 if (!ctx->teedev->desc->ops->close_session) 1171 return -EINVAL; 1172 return ctx->teedev->desc->ops->close_session(ctx, session); 1173} 1174EXPORT_SYMBOL_GPL(tee_client_close_session); 1175 1176int tee_client_system_session(struct tee_context *ctx, u32 session) 1177{ 1178 if (!ctx->teedev->desc->ops->system_session) 1179 return -EINVAL; 1180 return ctx->teedev->desc->ops->system_session(ctx, session); 1181} 1182EXPORT_SYMBOL_GPL(tee_client_system_session); 1183 1184int tee_client_invoke_func(struct tee_context *ctx, 1185 struct tee_ioctl_invoke_arg *arg, 1186 struct tee_param *param) 1187{ 1188 if (!ctx->teedev->desc->ops->invoke_func) 1189 return -EINVAL; 1190 return ctx->teedev->desc->ops->invoke_func(ctx, arg, param); 1191} 1192EXPORT_SYMBOL_GPL(tee_client_invoke_func); 1193 1194int tee_client_cancel_req(struct tee_context *ctx, 1195 struct tee_ioctl_cancel_arg *arg) 1196{ 1197 if (!ctx->teedev->desc->ops->cancel_req) 1198 return -EINVAL; 1199 return ctx->teedev->desc->ops->cancel_req(ctx, arg->cancel_id, 1200 arg->session); 1201} 1202 1203static int tee_client_device_match(struct device *dev, 1204 struct device_driver *drv) 1205{ 1206 const struct tee_client_device_id *id_table; 1207 struct tee_client_device *tee_device; 1208 1209 id_table = to_tee_client_driver(drv)->id_table; 1210 tee_device = to_tee_client_device(dev); 1211 1212 while (!uuid_is_null(&id_table->uuid)) { 1213 if (uuid_equal(&tee_device->id.uuid, &id_table->uuid)) 1214 return 1; 1215 id_table++; 1216 } 1217 1218 return 0; 1219} 1220 1221static int tee_client_device_uevent(const struct device *dev, 1222 struct kobj_uevent_env *env) 1223{ 1224 uuid_t *dev_id = &to_tee_client_device(dev)->id.uuid; 1225 1226 return add_uevent_var(env, "MODALIAS=tee:%pUb", dev_id); 1227} 1228 1229const struct bus_type tee_bus_type = { 1230 .name = "tee", 1231 .match = tee_client_device_match, 1232 .uevent = tee_client_device_uevent, 1233}; 1234EXPORT_SYMBOL_GPL(tee_bus_type); 1235 1236static int __init tee_init(void) 1237{ 1238 int rc; 1239 1240 rc = class_register(&tee_class); 1241 if (rc) { 1242 pr_err("couldn't create class\n"); 1243 return rc; 1244 } 1245 1246 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee"); 1247 if (rc) { 1248 pr_err("failed to allocate char dev region\n"); 1249 goto out_unreg_class; 1250 } 1251 1252 rc = bus_register(&tee_bus_type); 1253 if (rc) { 1254 pr_err("failed to register tee bus\n"); 1255 goto out_unreg_chrdev; 1256 } 1257 1258 return 0; 1259 1260out_unreg_chrdev: 1261 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1262out_unreg_class: 1263 class_unregister(&tee_class); 1264 1265 return rc; 1266} 1267 1268static void __exit tee_exit(void) 1269{ 1270 bus_unregister(&tee_bus_type); 1271 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES); 1272 class_unregister(&tee_class); 1273} 1274 1275subsys_initcall(tee_init); 1276module_exit(tee_exit); 1277 1278MODULE_AUTHOR("Linaro"); 1279MODULE_DESCRIPTION("TEE Driver"); 1280MODULE_VERSION("1.0"); 1281MODULE_LICENSE("GPL v2"); 1282