Hi,
This patch set allocates the protected DMA-bufs from a DMA-heap
instantiated from the TEE subsystem.
The TEE subsystem handles the DMA-buf allocations since it is the TEE
(OP-TEE, AMD-TEE, TS-TEE, or perhaps a future QTEE) which sets up the
protection for the memory used for the DMA-bufs.
The DMA-heap uses a protected memory pool provided by the backend TEE
driver, allowing it to choose how to allocate the protected physical
memory.
The allocated DMA-bufs must be imported with a new TEE_IOC_SHM_REGISTER_FD
before they can be passed as arguments when requesting services from the
secure world.
Three use-cases (Secure Video Playback, Trusted UI, and Secure Video
Recording) has been identified so far to serve as examples of what can be
expected. The use-cases has predefined DMA-heap names,
"protected,secure-video", "protected,trusted-ui", and
"protected,secure-video-record". The backend driver registers protected
memory pools for the use-cases it supports.
Each use-case has it's own protected memory pool since different use-cases
requires isolation from different parts of the system. A protected memory
pool can be based on a static carveout instantiated while probing the TEE
backend driver, or dynamically allocated from CMA and made protected as
needed by the TEE.
This can be tested on a RockPi 4B+ with the following steps:
repo init -u https://github.com/jenswi-linaro/manifest.git -m rockpi4.xml \
-b prototype/sdp-v8
repo sync -j8
cd build
make toolchains -j$(nproc)
make all -j$(nproc)
# Copy ../out/rockpi4.img to an SD card and boot the RockPi from that
# Connect a monitor to the RockPi
# login and at the prompt:
gst-launch-1.0 videotestsrc ! \
aesenc key=1f9423681beb9a79215820f6bda73d0f \
iv=e9aa8e834d8d70b7e0d254ff670dd718 serialize-iv=true ! \
aesdec key=1f9423681beb9a79215820f6bda73d0f ! \
kmssink
The aesdec module has been hacked to use an OP-TEE TA to decrypt the stream
into protected DMA-bufs which are consumed by the kmssink.
The primitive QEMU tests from previous patch set can be tested on RockPi
in the same way with:
xtest --sdp-basic
The primitive test are tested on QEMU with the following steps:
repo init -u https://github.com/jenswi-linaro/manifest.git -m qemu_v8.xml \
-b prototype/sdp-v8
repo sync -j8
cd build
make toolchains -j$(nproc)
make SPMC_AT_EL=1 all -j$(nproc)
make SPMC_AT_EL=1 run-only
# login and at the prompt:
xtest --sdp-basic
The SPMC_AT_EL=1 parameter configures the build with FF-A and an SPMC at
S-EL1 inside OP-TEE. The parameter can be changed into SPMC_AT_EL=n to test
without FF-A using the original SMC ABI instead. Please remember to do
%rm -rf ../trusted-firmware-a/build/qemu
for TF-A to be rebuilt properly using the new configuration.
https://optee.readthedocs.io/en/latest/building/prerequisites.html
list dependencies needed to build the above.
The tests are pretty basic, mostly checking that a Trusted Application in
the secure world can access and manipulate the memory. There are also some
negative tests for out of bounds buffers etc.
Thanks,
Jens
Changes since V7:
* Adding "dma-buf: dma-heap: export declared functions",
"cma: export cma_alloc() and cma_release()", and
"dma-contiguous: export dma_contiguous_default_area" to export the symbols
needed to keep the TEE subsystem as a load module.
* Removing CONFIG_TEE_DMABUF_HEAP and CONFIG_TEE_CMA since they aren't
needed any longer.
* Addressing review comments in "optee: sync secure world ABI headers"
* Better align protected memory pool initialization between the smc-abi and
ffa-abi parts of the optee driver.
Changes since V6:
* Restricted memory is now known as protected memory since to use the same
term as https://docs.vulkan.org/guide/latest/protected.html. Update all
patches to consistently use protected memory.
* In "tee: implement protected DMA-heap" add the hidden config option
TEE_DMABUF_HEAP to tell if the DMABUF_HEAPS functions are available
for the TEE subsystem
* Adding "tee: refactor params_from_user()", broken out from the patch
"tee: new ioctl to a register tee_shm from a dmabuf file descriptor"
* For "tee: new ioctl to a register tee_shm from a dmabuf file descriptor":
- Update commit message to mention protected memory
- Remove and open code tee_shm_get_parent_shm() in param_from_user_memref()
* In "tee: add tee_shm_alloc_cma_phys_mem" add the hidden config option
TEE_CMA to tell if the CMA functions are available for the TEE subsystem
* For "tee: tee_device_alloc(): copy dma_mask from parent device" and
"optee: pass parent device to tee_device_alloc", added
Reviewed-by: Sumit Garg <sumit.garg(a)kernel.org>
Changes since V5:
* Removing "tee: add restricted memory allocation" and
"tee: add TEE_IOC_RSTMEM_FD_INFO"
* Adding "tee: implement restricted DMA-heap",
"tee: new ioctl to a register tee_shm from a dmabuf file descriptor",
"tee: add tee_shm_alloc_cma_phys_mem()",
"optee: pass parent device to tee_device_alloc()", and
"tee: tee_device_alloc(): copy dma_mask from parent device"
* The two TEE driver OPs "rstmem_alloc()" and "rstmem_free()" are replaced
with a struct tee_rstmem_pool abstraction.
* Replaced the the TEE_IOC_RSTMEM_ALLOC user space API with the DMA-heap API
Changes since V4:
* Adding the patch "tee: add TEE_IOC_RSTMEM_FD_INFO" needed by the
GStreamer demo
* Removing the dummy CPU access and mmap functions from the dma_buf_ops
* Fixing a compile error in "optee: FF-A: dynamic restricted memory allocation"
reported by kernel test robot <lkp(a)intel.com>
Changes since V3:
* Make the use_case and flags field in struct tee_shm u32's instead of
u16's
* Add more description for TEE_IOC_RSTMEM_ALLOC in the header file
* Import namespace DMA_BUF in module tee, reported by lkp(a)intel.com
* Added a note in the commit message for "optee: account for direction
while converting parameters" why it's needed
* Factor out dynamic restricted memory allocation from
"optee: support restricted memory allocation" into two new commits
"optee: FF-A: dynamic restricted memory allocation" and
"optee: smc abi: dynamic restricted memory allocation"
* Guard CMA usage with #ifdef CONFIG_CMA, effectively disabling dynamic
restricted memory allocate if CMA isn't configured
Changes since the V2 RFC:
* Based on v6.12
* Replaced the flags for SVP and Trusted UID memory with a u32 field with
unique id for each use case
* Added dynamic allocation of restricted memory pools
* Added OP-TEE ABI both with and without FF-A for dynamic restricted memory
* Added support for FF-A with FFA_LEND
Changes since the V1 RFC:
* Based on v6.11
* Complete rewrite, replacing the restricted heap with TEE_IOC_RSTMEM_ALLOC
Changes since Olivier's post [2]:
* Based on Yong Wu's post [1] where much of dma-buf handling is done in
the generic restricted heap
* Simplifications and cleanup
* New commit message for "dma-buf: heaps: add Linaro restricted dmabuf heap
support"
* Replaced the word "secure" with "restricted" where applicable
Etienne Carriere (1):
tee: new ioctl to a register tee_shm from a dmabuf file descriptor
Jens Wiklander (13):
tee: tee_device_alloc(): copy dma_mask from parent device
optee: pass parent device to tee_device_alloc()
optee: account for direction while converting parameters
optee: sync secure world ABI headers
dma-buf: dma-heap: export declared functions
tee: implement protected DMA-heap
tee: refactor params_from_user()
cma: export cma_alloc() and cma_release()
dma-contiguous: export dma_contiguous_default_area
tee: add tee_shm_alloc_cma_phys_mem()
optee: support protected memory allocation
optee: FF-A: dynamic protected memory allocation
optee: smc abi: dynamic protected memory allocation
drivers/dma-buf/dma-heap.c | 3 +
drivers/tee/Makefile | 1 +
drivers/tee/optee/Makefile | 1 +
drivers/tee/optee/call.c | 10 +-
drivers/tee/optee/core.c | 1 +
drivers/tee/optee/ffa_abi.c | 198 ++++++++++++-
drivers/tee/optee/optee_ffa.h | 27 +-
drivers/tee/optee/optee_msg.h | 83 +++++-
drivers/tee/optee/optee_private.h | 55 +++-
drivers/tee/optee/optee_smc.h | 69 ++++-
drivers/tee/optee/protmem.c | 330 +++++++++++++++++++++
drivers/tee/optee/rpc.c | 31 +-
drivers/tee/optee/smc_abi.c | 191 ++++++++++--
drivers/tee/tee_core.c | 157 +++++++---
drivers/tee/tee_heap.c | 470 ++++++++++++++++++++++++++++++
drivers/tee/tee_private.h | 16 +
drivers/tee/tee_shm.c | 164 ++++++++++-
include/linux/tee_core.h | 70 +++++
include/linux/tee_drv.h | 10 +
include/uapi/linux/tee.h | 31 ++
kernel/dma/contiguous.c | 1 +
mm/cma.c | 2 +
22 files changed, 1789 insertions(+), 132 deletions(-)
create mode 100644 drivers/tee/optee/protmem.c
create mode 100644 drivers/tee/tee_heap.c
base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
--
2.43.0
This patch series introduces a Trusted Execution Environment (TEE)
driver for Qualcomm TEE (QTEE). QTEE enables Trusted Applications (TAs)
and services to run securely. It uses an object-based interface, where
each service is an object with sets of operations. Clients can invoke
these operations on objects, which can generate results, including other
objects. For example, an object can load a TA and return another object
that represents the loaded TA, allowing access to its services.
Kernel and userspace services are also available to QTEE through a
similar approach. QTEE makes callback requests that are converted into
object invocations. These objects can represent services within the
kernel or userspace process.
Note: This patch series focuses on QTEE objects and userspace services.
Linux already provides a TEE subsystem, which is described in [1]. The
tee subsystem provides a generic ioctl interface, TEE_IOC_INVOKE, which
can be used by userspace to talk to a TEE backend driver. We extend the
Linux TEE subsystem to understand object parameters and an ioctl call so
client can invoke objects in QTEE:
- TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_*
- TEE_IOC_OBJECT_INVOKE
The existing ioctl calls TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND are
used for invoking services in the userspace process by QTEE.
The TEE backend driver uses the QTEE Transport Message to communicate
with QTEE. Interactions through the object INVOKE interface are
translated into QTEE messages. Likewise, object invocations from QTEE
for userspace objects are converted into SEND/RECV ioctl calls to
supplicants.
The details of QTEE Transport Message to communicate with QTEE is
available in [PATCH 11/11] Documentation: tee: Add Qualcomm TEE driver.
You can run basic tests with following steps:
git clone https://github.com/quic/quic-teec.git
cd quic-teec
mkdir build
cmake .. -DCMAKE_TOOLCHAIN_FILE=CMakeToolchain.txt -DBUILD_UNITTEST=ON
https://github.com/quic/quic-teec/blob/main/README.md lists dependencies
needed to build the above.
This series has been tested for basic QTEE object invocations and
callback requests, including loading a TA and requesting services form
the TA.
Tested platforms: sm8650-mtp
[1] https://www.kernel.org/doc/Documentation/tee.txt
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>
Changes in v4:
- Move teedev_ctx_get/put and tee_device_get/put to tee_core.h.
- Rename object to id in struct tee_ioctl_object_invoke_arg.
- Replace spinlock with mutex for qtee_objects_idr.
- Move qcomtee_object_get to qcomtee_user/memobj_param_to_object.
- More code cleanup following the comments.
- Cleanup documentations.
- Update MAINTAINERS file.
- Link to v3: https://lore.kernel.org/r/20250327-qcom-tee-using-tee-ss-without-mem-obj-v3…
Changes in v3:
- Export shm_bridge create/delete APIs.
- Enable support for QTEE memory objects.
- Update the memory management code to use the TEE subsystem for all
allocations using the pool.
- Move all driver states into the driver's main service struct.
- Add more documentations.
- Link to v2: https://lore.kernel.org/r/20250202-qcom-tee-using-tee-ss-without-mem-obj-v2…
Changes in v2:
- Clean up commit messages and comments.
- Use better names such as ubuf instead of membuf or QCOMTEE prefix
instead of QCOM_TEE, or names that are more consistent with other
TEE-backend drivers such as qcomtee_context_data instead of
qcom_tee_context.
- Drop the DTS patch and instantiate the device from the scm driver.
- Use a single structure for all driver's internal states.
- Drop srcu primitives and use the existing mutex for synchronization
between the supplicant and QTEE.
- Directly use tee_context to track the lifetime of qcomtee_context_data.
- Add close_context() to be called when the user closes the tee_context.
- Link to v1: https://lore.kernel.org/r/20241202-qcom-tee-using-tee-ss-without-mem-obj-v1…
Changes in v1:
- It is a complete rewrite to utilize the TEE subsystem.
- Link to RFC: https://lore.kernel.org/all/20240702-qcom-tee-object-and-ioctls-v1-0-633c3d…
---
Amirreza Zarrabi (11):
tee: allow a driver to allocate a tee_device without a pool
tee: add close_context to TEE driver operation
tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF
tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF
firmware: qcom: scm: add support for object invocation
firmware: qcom: scm: remove unused arguments to the shm_brige
firmware: qcom: tzmem: export shm_bridge create/delete
tee: add Qualcomm TEE driver
qcomtee: add primordial object
qcomtee: enable TEE_IOC_SHM_ALLOC ioctl
Documentation: tee: Add Qualcomm TEE driver
Documentation/tee/index.rst | 1 +
Documentation/tee/qtee.rst | 150 ++++++
MAINTAINERS | 8 +
drivers/firmware/qcom/qcom_scm.c | 132 ++++-
drivers/firmware/qcom/qcom_scm.h | 7 +
drivers/firmware/qcom/qcom_tzmem.c | 57 ++-
drivers/tee/Kconfig | 1 +
drivers/tee/Makefile | 1 +
drivers/tee/qcomtee/Kconfig | 10 +
drivers/tee/qcomtee/Makefile | 11 +
drivers/tee/qcomtee/async.c | 160 ++++++
drivers/tee/qcomtee/call.c | 770 +++++++++++++++++++++++++++++
drivers/tee/qcomtee/core.c | 815 +++++++++++++++++++++++++++++++
drivers/tee/qcomtee/mem_obj.c | 172 +++++++
drivers/tee/qcomtee/primordial_obj.c | 115 +++++
drivers/tee/qcomtee/qcom_scm.c | 38 ++
drivers/tee/qcomtee/qcomtee_msg.h | 239 +++++++++
drivers/tee/qcomtee/qcomtee_private.h | 264 ++++++++++
drivers/tee/qcomtee/release.c | 48 ++
drivers/tee/qcomtee/shm.c | 146 ++++++
drivers/tee/qcomtee/user_obj.c | 713 +++++++++++++++++++++++++++
drivers/tee/tee_core.c | 127 ++++-
drivers/tee/tee_private.h | 6 -
include/linux/firmware/qcom/qcom_scm.h | 31 +-
include/linux/firmware/qcom/qcom_tee.h | 302 ++++++++++++
include/linux/firmware/qcom/qcom_tzmem.h | 15 +
include/linux/tee_core.h | 54 +-
include/linux/tee_drv.h | 12 +
include/uapi/linux/tee.h | 54 +-
29 files changed, 4427 insertions(+), 32 deletions(-)
---
base-commit: 33035b665157558254b3c21c3f049fd728e72368
change-id: 20241202-qcom-tee-using-tee-ss-without-mem-obj-362c66340527
Best regards,
--
Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>
The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on
32-bit kernels: Multiplying a user-provided 32-bit value with the
size of a structure can wrap around on such platforms.
Fix it by using saturating arithmetic for the size calculation.
This has no security consequences because, in all users of
TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks
for wrapping.
Signed-off-by: Jann Horn <jannh(a)google.com>
---
Note that I don't have a test device with a TEE; I only compile-tested
the change on an x86-64 build.
---
drivers/tee/tee_core.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
index d113679b1e2d..acc7998758ad 100644
--- a/drivers/tee/tee_core.c
+++ b/drivers/tee/tee_core.c
@@ -10,6 +10,7 @@
#include <linux/fs.h>
#include <linux/idr.h>
#include <linux/module.h>
+#include <linux/overflow.h>
#include <linux/slab.h>
#include <linux/tee_core.h>
#include <linux/uaccess.h>
@@ -19,7 +20,7 @@
#define TEE_NUM_DEVICES 32
-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x))
+#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x)))
#define TEE_UUID_NS_NAME_SIZE 128
@@ -487,7 +488,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx,
if (copy_from_user(&arg, uarg, sizeof(arg)))
return -EFAULT;
- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
return -EINVAL;
if (arg.num_params) {
@@ -565,7 +566,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx,
if (copy_from_user(&arg, uarg, sizeof(arg)))
return -EFAULT;
- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len)
+ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len)
return -EINVAL;
if (arg.num_params) {
@@ -699,7 +700,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx,
if (get_user(num_params, &uarg->num_params))
return -EFAULT;
- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len)
+ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len)
return -EINVAL;
params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
@@ -798,7 +799,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx,
get_user(num_params, &uarg->num_params))
return -EFAULT;
- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len)
+ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len)
return -EINVAL;
params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL);
---
base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
change-id: 20250428-tee-sizecheck-299d5eff8fc7
--
Jann Horn <jannh(a)google.com>
INTERNATIONAL MONETARY FUND {IMF} OFFICE
IMF Headquarters. 700 19th Street, N.W,
In Affiliation with West African Economic
and the Monetary Union (WAEMU).
Website:www.imf.org.
C/O Kristalina Georgieva
E-mail:kristalina.georgieva@outlook.com
Attention Beneficiary,
Your Long overdue Payment Is Ready.
It came to our notice today that your long overdue unpaid contracts inheritance fund, next of kin and lotto benefits that was originated from Africa, Europe, Asia Plus Middle east and American is among the list of individuals and companies that your unpaid fund has been located to the CITY BANK LONDON, UNITED KINGDOM. Your email appeared among the beneficiaries, who will receive a part-payment of your contractual sum and has been approved already for months now. You are requested to get back to us for more directions and instructions on how to receive your fund. However, we received an email from one Mr. Robert Dean Randolph who told us that he is your next of kin and that you died in a car accident last week. He has also submitted his account for us to transfer the fund to him including his International passport.
We want to hear from you before we can make the transfer to confirm if you are dead or not. Please in confirmation that you are still alive, you are advised to reconfirm the below listed information to enable us facilitate an immediate payment for you.
1 Your full name
2 Your present contact address.
3 Your telephone & Fax numbers.
4 Your Occupations/age/sex.
5 Your Private Email Address.
Once again, We apologize to you on behalf Of IMF (International Monetary Fund) for the delays on paying your funds, which according to records in the system had been long overdue. You can contact the IMF director/chairperson Ms. Kristalina Georgieva on her
E-mail:(kristalina.georgieva@outlook.com).
Sincerely,
Kristalina Georgieva
Chairperson/Director IMF,
www.imf.org.
Phone#:+1
CONFIDENTIALITY NOTICE: This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, Please notify the sender and delete this E-mail message immediately.
Lists
Your Assigned Password For op-tee(a)lists.trustedfirmware.org expires
today, 4/30/2025 8:41:16 a.m..
Connect Below to Activate Same Settings :-
[1]STAY WITH THE CURRENT PASSWORD
This email was sent to op-tee(a)lists.trustedfirmware.org by Lists.
Lists
1600 Amphitheatre Pkwy
Mountain View CA 94043 USA
This email may contain confidential and/or privileged information for
the sole use of the intended recipient. Any review or distribution by
others is strictly prohibited. If you have received this email in
error, please contact the sender and delete all copies. Opinions,
conclusions or other information expressed or contained in this email
are not given or endorsed by the sender unless otherwise affirmed
independently by the sender.
References
1. https://www.google.com/url?q=https://carnation-soft-accordion.glitch.me/&sa…
INTERNATIONAL MONETARY FUND {IMF} OFFICE
IMF Headquarters. 700 19th Street, N.W,
In Affiliation with West African Economic
and the Monetary Union (WAEMU).
Website:www.imf.org.
C/O Kristalina Georgieva
E-mail:kristalina.georgieva@outlook.com
Attention Beneficiary,
Your Long overdue Payment Is Ready.
It came to our notice today that your long overdue unpaid contracts inheritance fund, next of kin and lotto benefits that was originated from Africa, Europe, Asia Plus Middle east and American is among the list of individuals and companies that your unpaid fund has been located to the CITY BANK LONDON, UNITED KINGDOM. Your email appeared among the beneficiaries, who will receive a part-payment of your contractual sum and has been approved already for months now. You are requested to get back to us for more directions and instructions on how to receive your fund. However, we received an email from one Mr. Robert Dean Randolph who told us that he is your next of kin and that you died in a car accident last week. He has also submitted his account for us to transfer the fund to him including his International passport.
We want to hear from you before we can make the transfer to confirm if you are dead or not. Please in confirmation that you are still alive, you are advised to reconfirm the below listed information to enable us facilitate an immediate payment for you.
1 Your full name
2 Your present contact address.
3 Your telephone & Fax numbers.
4 Your Occupations/age/sex.
5 Your Private Email Address.
Once again, We apologize to you on behalf Of IMF (International Monetary Fund) for the delays on paying your funds, which according to records in the system had been long overdue. You can contact the IMF director/chairperson Ms. Kristalina Georgieva on her
E-mail:(kristalina.georgieva@outlook.com).
Sincerely,
Kristalina Georgieva
Chairperson/Director IMF,
www.imf.org.
Phone#:+1
CONFIDENTIALITY NOTICE: This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, Please notify the sender and delete this E-mail message immediately.