2 * Copyright (c) 2015-2016, Linaro Limited
4 * This software is licensed under the terms of the GNU General Public
5 * License version 2, as published by the Free Software Foundation, and
6 * may be copied, distributed, and modified under those terms.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
15 #define pr_fmt(fmt) "%s: " fmt, __func__
17 #include <linux/cdev.h>
18 #include <linux/device.h>
20 #include <linux/idr.h>
21 #include <linux/module.h>
22 #include <linux/slab.h>
23 #include <linux/tee_drv.h>
24 #include <linux/uaccess.h>
25 #include "tee_private.h"
27 #define TEE_NUM_DEVICES 32
29 #define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
32 * Unprivileged devices in the lower half range and privileged devices in
33 * the upper half range.
35 static DECLARE_BITMAP(dev_mask, TEE_NUM_DEVICES);
36 static DEFINE_SPINLOCK(driver_lock);
38 static struct class *tee_class;
39 static dev_t tee_devt;
41 static int tee_open(struct inode *inode, struct file *filp)
44 struct tee_device *teedev;
45 struct tee_context *ctx;
47 teedev = container_of(inode->i_cdev, struct tee_device, cdev);
48 if (!tee_device_get(teedev))
51 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
58 INIT_LIST_HEAD(&ctx->list_shm);
59 filp->private_data = ctx;
60 rc = teedev->desc->ops->open(ctx);
67 tee_device_put(teedev);
71 static int tee_release(struct inode *inode, struct file *filp)
73 struct tee_context *ctx = filp->private_data;
74 struct tee_device *teedev = ctx->teedev;
77 ctx->teedev->desc->ops->release(ctx);
78 mutex_lock(&ctx->teedev->mutex);
79 list_for_each_entry(shm, &ctx->list_shm, link)
81 mutex_unlock(&ctx->teedev->mutex);
83 tee_device_put(teedev);
87 static int tee_ioctl_version(struct tee_context *ctx,
88 struct tee_ioctl_version_data __user *uvers)
90 struct tee_ioctl_version_data vers;
92 ctx->teedev->desc->ops->get_version(ctx->teedev, &vers);
93 if (copy_to_user(uvers, &vers, sizeof(vers)))
98 static int tee_ioctl_shm_alloc(struct tee_context *ctx,
99 struct tee_ioctl_shm_alloc_data __user *udata)
102 struct tee_ioctl_shm_alloc_data data;
105 if (copy_from_user(&data, udata, sizeof(data)))
108 /* Currently no input flags are supported */
114 shm = tee_shm_alloc(ctx, data.size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
119 data.flags = shm->flags;
120 data.size = shm->size;
122 if (copy_to_user(udata, &data, sizeof(data)))
125 ret = tee_shm_get_fd(shm);
128 * When user space closes the file descriptor the shared memory
129 * should be freed or if tee_shm_get_fd() failed then it will
130 * be freed immediately.
136 static int params_from_user(struct tee_context *ctx, struct tee_param *params,
138 struct tee_ioctl_param __user *uparams)
142 for (n = 0; n < num_params; n++) {
144 struct tee_ioctl_param ip;
146 if (copy_from_user(&ip, uparams + n, sizeof(ip)))
149 /* All unused attribute bits has to be zero */
150 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_TYPE_MASK)
153 params[n].attr = ip.attr;
155 case TEE_IOCTL_PARAM_ATTR_TYPE_NONE:
156 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
158 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
159 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
160 params[n].u.value.a = ip.a;
161 params[n].u.value.b = ip.b;
162 params[n].u.value.c = ip.c;
164 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
165 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
166 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
168 * If we fail to get a pointer to a shared memory
169 * object (and increase the ref count) from an
170 * identifier we return an error. All pointers that
171 * has been added in params have an increased ref
172 * count. It's the callers responibility to do
173 * tee_shm_put() on all resolved pointers.
175 shm = tee_shm_get_from_id(ctx, ip.c);
179 params[n].u.memref.shm_offs = ip.a;
180 params[n].u.memref.size = ip.b;
181 params[n].u.memref.shm = shm;
184 /* Unknown attribute */
191 static int params_to_user(struct tee_ioctl_param __user *uparams,
192 size_t num_params, struct tee_param *params)
196 for (n = 0; n < num_params; n++) {
197 struct tee_ioctl_param __user *up = uparams + n;
198 struct tee_param *p = params + n;
201 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
202 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
203 if (put_user(p->u.value.a, &up->a) ||
204 put_user(p->u.value.b, &up->b) ||
205 put_user(p->u.value.c, &up->c))
208 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
209 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
210 if (put_user((u64)p->u.memref.size, &up->b))
219 static bool param_is_memref(struct tee_param *param)
221 switch (param->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK) {
222 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
223 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
224 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
231 static int tee_ioctl_open_session(struct tee_context *ctx,
232 struct tee_ioctl_buf_data __user *ubuf)
236 struct tee_ioctl_buf_data buf;
237 struct tee_ioctl_open_session_arg __user *uarg;
238 struct tee_ioctl_open_session_arg arg;
239 struct tee_ioctl_param __user *uparams = NULL;
240 struct tee_param *params = NULL;
241 bool have_session = false;
243 if (!ctx->teedev->desc->ops->open_session)
246 if (copy_from_user(&buf, ubuf, sizeof(buf)))
249 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
250 buf.buf_len < sizeof(struct tee_ioctl_open_session_arg))
253 uarg = u64_to_user_ptr(buf.buf_ptr);
254 if (copy_from_user(&arg, uarg, sizeof(arg)))
257 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
260 if (arg.num_params) {
261 params = kcalloc(arg.num_params, sizeof(struct tee_param),
265 uparams = uarg->params;
266 rc = params_from_user(ctx, params, arg.num_params, uparams);
271 rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params);
276 if (put_user(arg.session, &uarg->session) ||
277 put_user(arg.ret, &uarg->ret) ||
278 put_user(arg.ret_origin, &uarg->ret_origin)) {
282 rc = params_to_user(uparams, arg.num_params, params);
285 * If we've succeeded to open the session but failed to communicate
286 * it back to user space, close the session again to avoid leakage.
288 if (rc && have_session && ctx->teedev->desc->ops->close_session)
289 ctx->teedev->desc->ops->close_session(ctx, arg.session);
292 /* Decrease ref count for all valid shared memory pointers */
293 for (n = 0; n < arg.num_params; n++)
294 if (param_is_memref(params + n) &&
295 params[n].u.memref.shm)
296 tee_shm_put(params[n].u.memref.shm);
303 static int tee_ioctl_invoke(struct tee_context *ctx,
304 struct tee_ioctl_buf_data __user *ubuf)
308 struct tee_ioctl_buf_data buf;
309 struct tee_ioctl_invoke_arg __user *uarg;
310 struct tee_ioctl_invoke_arg arg;
311 struct tee_ioctl_param __user *uparams = NULL;
312 struct tee_param *params = NULL;
314 if (!ctx->teedev->desc->ops->invoke_func)
317 if (copy_from_user(&buf, ubuf, sizeof(buf)))
320 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
321 buf.buf_len < sizeof(struct tee_ioctl_invoke_arg))
324 uarg = u64_to_user_ptr(buf.buf_ptr);
325 if (copy_from_user(&arg, uarg, sizeof(arg)))
328 if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
331 if (arg.num_params) {
332 params = kcalloc(arg.num_params, sizeof(struct tee_param),
336 uparams = uarg->params;
337 rc = params_from_user(ctx, params, arg.num_params, uparams);
342 rc = ctx->teedev->desc->ops->invoke_func(ctx, &arg, params);
346 if (put_user(arg.ret, &uarg->ret) ||
347 put_user(arg.ret_origin, &uarg->ret_origin)) {
351 rc = params_to_user(uparams, arg.num_params, params);
354 /* Decrease ref count for all valid shared memory pointers */
355 for (n = 0; n < arg.num_params; n++)
356 if (param_is_memref(params + n) &&
357 params[n].u.memref.shm)
358 tee_shm_put(params[n].u.memref.shm);
364 static int tee_ioctl_cancel(struct tee_context *ctx,
365 struct tee_ioctl_cancel_arg __user *uarg)
367 struct tee_ioctl_cancel_arg arg;
369 if (!ctx->teedev->desc->ops->cancel_req)
372 if (copy_from_user(&arg, uarg, sizeof(arg)))
375 return ctx->teedev->desc->ops->cancel_req(ctx, arg.cancel_id,
380 tee_ioctl_close_session(struct tee_context *ctx,
381 struct tee_ioctl_close_session_arg __user *uarg)
383 struct tee_ioctl_close_session_arg arg;
385 if (!ctx->teedev->desc->ops->close_session)
388 if (copy_from_user(&arg, uarg, sizeof(arg)))
391 return ctx->teedev->desc->ops->close_session(ctx, arg.session);
394 static int params_to_supp(struct tee_context *ctx,
395 struct tee_ioctl_param __user *uparams,
396 size_t num_params, struct tee_param *params)
400 for (n = 0; n < num_params; n++) {
401 struct tee_ioctl_param ip;
402 struct tee_param *p = params + n;
404 ip.attr = p->attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK;
406 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT:
407 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
412 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT:
413 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
414 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
415 ip.b = p->u.memref.size;
416 if (!p->u.memref.shm) {
418 ip.c = (u64)-1; /* invalid shm id */
421 ip.a = p->u.memref.shm_offs;
422 ip.c = p->u.memref.shm->id;
431 if (copy_to_user(uparams + n, &ip, sizeof(ip)))
438 static int tee_ioctl_supp_recv(struct tee_context *ctx,
439 struct tee_ioctl_buf_data __user *ubuf)
442 struct tee_ioctl_buf_data buf;
443 struct tee_iocl_supp_recv_arg __user *uarg;
444 struct tee_param *params;
448 if (!ctx->teedev->desc->ops->supp_recv)
451 if (copy_from_user(&buf, ubuf, sizeof(buf)))
454 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
455 buf.buf_len < sizeof(struct tee_iocl_supp_recv_arg))
458 uarg = u64_to_user_ptr(buf.buf_ptr);
459 if (get_user(num_params, &uarg->num_params))
462 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
465 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
469 rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params);
473 if (put_user(func, &uarg->func) ||
474 put_user(num_params, &uarg->num_params)) {
479 rc = params_to_supp(ctx, uarg->params, num_params, params);
485 static int params_from_supp(struct tee_param *params, size_t num_params,
486 struct tee_ioctl_param __user *uparams)
490 for (n = 0; n < num_params; n++) {
491 struct tee_param *p = params + n;
492 struct tee_ioctl_param ip;
494 if (copy_from_user(&ip, uparams + n, sizeof(ip)))
497 /* All unused attribute bits has to be zero */
498 if (ip.attr & ~TEE_IOCTL_PARAM_ATTR_TYPE_MASK)
503 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT:
504 case TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT:
505 /* Only out and in/out values can be updated */
510 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT:
511 case TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT:
513 * Only the size of the memref can be updated.
514 * Since we don't have access to the original
515 * parameters here, only store the supplied size.
516 * The driver will copy the updated size into the
517 * original parameters.
519 p->u.memref.shm = NULL;
520 p->u.memref.shm_offs = 0;
521 p->u.memref.size = ip.b;
524 memset(&p->u, 0, sizeof(p->u));
531 static int tee_ioctl_supp_send(struct tee_context *ctx,
532 struct tee_ioctl_buf_data __user *ubuf)
535 struct tee_ioctl_buf_data buf;
536 struct tee_iocl_supp_send_arg __user *uarg;
537 struct tee_param *params;
541 /* Not valid for this driver */
542 if (!ctx->teedev->desc->ops->supp_send)
545 if (copy_from_user(&buf, ubuf, sizeof(buf)))
548 if (buf.buf_len > TEE_MAX_ARG_SIZE ||
549 buf.buf_len < sizeof(struct tee_iocl_supp_send_arg))
552 uarg = u64_to_user_ptr(buf.buf_ptr);
553 if (get_user(ret, &uarg->ret) ||
554 get_user(num_params, &uarg->num_params))
557 if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
560 params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
564 rc = params_from_supp(params, num_params, uarg->params);
568 rc = ctx->teedev->desc->ops->supp_send(ctx, ret, num_params, params);
574 static long tee_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
576 struct tee_context *ctx = filp->private_data;
577 void __user *uarg = (void __user *)arg;
580 case TEE_IOC_VERSION:
581 return tee_ioctl_version(ctx, uarg);
582 case TEE_IOC_SHM_ALLOC:
583 return tee_ioctl_shm_alloc(ctx, uarg);
584 case TEE_IOC_OPEN_SESSION:
585 return tee_ioctl_open_session(ctx, uarg);
587 return tee_ioctl_invoke(ctx, uarg);
589 return tee_ioctl_cancel(ctx, uarg);
590 case TEE_IOC_CLOSE_SESSION:
591 return tee_ioctl_close_session(ctx, uarg);
592 case TEE_IOC_SUPPL_RECV:
593 return tee_ioctl_supp_recv(ctx, uarg);
594 case TEE_IOC_SUPPL_SEND:
595 return tee_ioctl_supp_send(ctx, uarg);
601 static const struct file_operations tee_fops = {
602 .owner = THIS_MODULE,
604 .release = tee_release,
605 .unlocked_ioctl = tee_ioctl,
606 .compat_ioctl = tee_ioctl,
609 static void tee_release_device(struct device *dev)
611 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
613 spin_lock(&driver_lock);
614 clear_bit(teedev->id, dev_mask);
615 spin_unlock(&driver_lock);
616 mutex_destroy(&teedev->mutex);
617 idr_destroy(&teedev->idr);
622 * tee_device_alloc() - Allocate a new struct tee_device instance
623 * @teedesc: Descriptor for this driver
624 * @dev: Parent device for this device
625 * @pool: Shared memory pool, NULL if not used
626 * @driver_data: Private driver data for this device
628 * Allocates a new struct tee_device instance. The device is
629 * removed by tee_device_unregister().
631 * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure
633 struct tee_device *tee_device_alloc(const struct tee_desc *teedesc,
635 struct tee_shm_pool *pool,
638 struct tee_device *teedev;
643 if (!teedesc || !teedesc->name || !teedesc->ops ||
644 !teedesc->ops->get_version || !teedesc->ops->open ||
645 !teedesc->ops->release || !pool)
646 return ERR_PTR(-EINVAL);
648 teedev = kzalloc(sizeof(*teedev), GFP_KERNEL);
650 ret = ERR_PTR(-ENOMEM);
654 if (teedesc->flags & TEE_DESC_PRIVILEGED)
655 offs = TEE_NUM_DEVICES / 2;
657 spin_lock(&driver_lock);
658 teedev->id = find_next_zero_bit(dev_mask, TEE_NUM_DEVICES, offs);
659 if (teedev->id < TEE_NUM_DEVICES)
660 set_bit(teedev->id, dev_mask);
661 spin_unlock(&driver_lock);
663 if (teedev->id >= TEE_NUM_DEVICES) {
664 ret = ERR_PTR(-ENOMEM);
668 snprintf(teedev->name, sizeof(teedev->name), "tee%s%d",
669 teedesc->flags & TEE_DESC_PRIVILEGED ? "priv" : "",
672 teedev->dev.class = tee_class;
673 teedev->dev.release = tee_release_device;
674 teedev->dev.parent = dev;
676 teedev->dev.devt = MKDEV(MAJOR(tee_devt), teedev->id);
678 rc = dev_set_name(&teedev->dev, "%s", teedev->name);
684 cdev_init(&teedev->cdev, &tee_fops);
685 teedev->cdev.owner = teedesc->owner;
686 teedev->cdev.kobj.parent = &teedev->dev.kobj;
688 dev_set_drvdata(&teedev->dev, driver_data);
689 device_initialize(&teedev->dev);
691 /* 1 as tee_device_unregister() does one final tee_device_put() */
692 teedev->num_users = 1;
693 init_completion(&teedev->c_no_users);
694 mutex_init(&teedev->mutex);
695 idr_init(&teedev->idr);
697 teedev->desc = teedesc;
702 unregister_chrdev_region(teedev->dev.devt, 1);
704 pr_err("could not register %s driver\n",
705 teedesc->flags & TEE_DESC_PRIVILEGED ? "privileged" : "client");
706 if (teedev && teedev->id < TEE_NUM_DEVICES) {
707 spin_lock(&driver_lock);
708 clear_bit(teedev->id, dev_mask);
709 spin_unlock(&driver_lock);
714 EXPORT_SYMBOL_GPL(tee_device_alloc);
716 static ssize_t implementation_id_show(struct device *dev,
717 struct device_attribute *attr, char *buf)
719 struct tee_device *teedev = container_of(dev, struct tee_device, dev);
720 struct tee_ioctl_version_data vers;
722 teedev->desc->ops->get_version(teedev, &vers);
723 return scnprintf(buf, PAGE_SIZE, "%d\n", vers.impl_id);
725 static DEVICE_ATTR_RO(implementation_id);
727 static struct attribute *tee_dev_attrs[] = {
728 &dev_attr_implementation_id.attr,
732 static const struct attribute_group tee_dev_group = {
733 .attrs = tee_dev_attrs,
737 * tee_device_register() - Registers a TEE device
738 * @teedev: Device to register
740 * tee_device_unregister() need to be called to remove the @teedev if
741 * this function fails.
743 * @returns < 0 on failure
745 int tee_device_register(struct tee_device *teedev)
749 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) {
750 dev_err(&teedev->dev, "attempt to register twice\n");
754 rc = cdev_add(&teedev->cdev, teedev->dev.devt, 1);
756 dev_err(&teedev->dev,
757 "unable to cdev_add() %s, major %d, minor %d, err=%d\n",
758 teedev->name, MAJOR(teedev->dev.devt),
759 MINOR(teedev->dev.devt), rc);
763 rc = device_add(&teedev->dev);
765 dev_err(&teedev->dev,
766 "unable to device_add() %s, major %d, minor %d, err=%d\n",
767 teedev->name, MAJOR(teedev->dev.devt),
768 MINOR(teedev->dev.devt), rc);
772 rc = sysfs_create_group(&teedev->dev.kobj, &tee_dev_group);
774 dev_err(&teedev->dev,
775 "failed to create sysfs attributes, err=%d\n", rc);
776 goto err_sysfs_create_group;
779 teedev->flags |= TEE_DEVICE_FLAG_REGISTERED;
782 err_sysfs_create_group:
783 device_del(&teedev->dev);
785 cdev_del(&teedev->cdev);
788 EXPORT_SYMBOL_GPL(tee_device_register);
790 void tee_device_put(struct tee_device *teedev)
792 mutex_lock(&teedev->mutex);
793 /* Shouldn't put in this state */
794 if (!WARN_ON(!teedev->desc)) {
796 if (!teedev->num_users) {
798 complete(&teedev->c_no_users);
801 mutex_unlock(&teedev->mutex);
804 bool tee_device_get(struct tee_device *teedev)
806 mutex_lock(&teedev->mutex);
808 mutex_unlock(&teedev->mutex);
812 mutex_unlock(&teedev->mutex);
817 * tee_device_unregister() - Removes a TEE device
818 * @teedev: Device to unregister
820 * This function should be called to remove the @teedev even if
821 * tee_device_register() hasn't been called yet. Does nothing if
824 void tee_device_unregister(struct tee_device *teedev)
829 if (teedev->flags & TEE_DEVICE_FLAG_REGISTERED) {
830 sysfs_remove_group(&teedev->dev.kobj, &tee_dev_group);
831 cdev_del(&teedev->cdev);
832 device_del(&teedev->dev);
835 tee_device_put(teedev);
836 wait_for_completion(&teedev->c_no_users);
839 * No need to take a mutex any longer now since teedev->desc was
840 * set to NULL before teedev->c_no_users was completed.
845 put_device(&teedev->dev);
847 EXPORT_SYMBOL_GPL(tee_device_unregister);
850 * tee_get_drvdata() - Return driver_data pointer
851 * @teedev: Device containing the driver_data pointer
852 * @returns the driver_data pointer supplied to tee_register().
854 void *tee_get_drvdata(struct tee_device *teedev)
856 return dev_get_drvdata(&teedev->dev);
858 EXPORT_SYMBOL_GPL(tee_get_drvdata);
860 static int __init tee_init(void)
864 tee_class = class_create(THIS_MODULE, "tee");
865 if (IS_ERR(tee_class)) {
866 pr_err("couldn't create class\n");
867 return PTR_ERR(tee_class);
870 rc = alloc_chrdev_region(&tee_devt, 0, TEE_NUM_DEVICES, "tee");
872 pr_err("failed to allocate char dev region\n");
873 class_destroy(tee_class);
880 static void __exit tee_exit(void)
882 class_destroy(tee_class);
884 unregister_chrdev_region(tee_devt, TEE_NUM_DEVICES);
887 subsys_initcall(tee_init);
888 module_exit(tee_exit);
890 MODULE_AUTHOR("Linaro");
891 MODULE_DESCRIPTION("TEE Driver");
892 MODULE_VERSION("1.0");
893 MODULE_LICENSE("GPL v2");