FYI: QEMU model is working fine, upstreaming started, feedback welcome.
Jan
On 24.08.25 09:18, Jan Kiszka wrote:
> This closes an old gap in system integration testing for the very
> complex ARM firmware stacks by adding fairly advanced Replay Protected
> Memory Block (RPMB) emulation to the eMMC device model. Key programming
> and message authentication are working, so is the write counter. Known
> users are happy with the result. What is missing, but not only for RPMB-
> related registers, is state persistence across QEMU restarts. This is OK
> at this stage for most test scenarios, though, and could still be added
> later on.
>
> What can already be done with it is demonstrated in the WIP branch of
> isar-cip-core at [1]: TF-A + OP-TEE + StandaloneMM TA + fTPM TA, used by
> U-Boot and Linux for UEFI variable storage and TPM scenarios. If you
> want to try: build qemu-arm64 target for trixie with 6.12-cip *head*
> kernel, enable secure boot and disk encryption, then run
>
> $ QEMU_PATH=/path/to/qemu-build/ ./start-qemu.sh
>
> Deploy snakeoil keys into PK, KEK and db after first boot to enable
> secure booting:
>
> root@demo:~# cert-to-efi-sig-list PkKek-1-snakeoil.pem PK.esl
> root@demo:~# sign-efi-sig-list -k PkKek-1-snakeoil.key -c PkKek-1-snakeoil.pem PK PK.esl PK.auth
> root@demo:~# efi-updatevar -f PK.auth db
> root@demo:~# efi-updatevar -f PK.auth KEK
> root@demo:~# efi-updatevar -f PK.auth PK
>
> Note that emulation is a bit slow in general, and specifically the
> partition encryption on first boot is taking 20 min. - we should
> probably reduce its size or understand if there is still something to
> optimize.
>
> Jan
>
> [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commits/wip/qemu-rp…
>
> Cc: "Daniel P. Berrangé" <berrange(a)redhat.com>
>
> Jan Kiszka (8):
> hw/sd/sdcard: Fix size check for backing block image
> hw/sd/sdcard: Add validation for boot-partition-size
> hw/sd/sdcard: Allow user-instantiated eMMC
> hw/sd/sdcard: Refactor sd_bootpart_offset
> hw/sd/sdcard: Add basic support for RPMB partition
> crypto/hmac: Allow to build hmac over multiple
> qcrypto_gnutls_hmac_bytes[v] calls
> hw/sd/sdcard: Handle RPMB MAC field
> scripts: Add helper script to generate eMMC block device images
>
> crypto/hmac-gcrypt.c | 4 +-
> crypto/hmac-glib.c | 4 +-
> crypto/hmac-gnutls.c | 4 +-
> crypto/hmac-nettle.c | 4 +-
> hw/sd/sd.c | 314 ++++++++++++++++++++++++++++++++++++++---
> hw/sd/sdmmc-internal.h | 24 +++-
> hw/sd/trace-events | 2 +
> include/crypto/hmac.h | 12 ++
> scripts/mkemmc.sh | 185 ++++++++++++++++++++++++
> 9 files changed, 530 insertions(+), 23 deletions(-)
> create mode 100755 scripts/mkemmc.sh
>
--
Siemens AG, Foundational Technologies
Linux Expert Center
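Jan's message above says the eMMC model now does RPMB key programming, per-frame message authentication and the write counter. The Python model below is added here as an illustration and is not code from the QEMU patches: it uses the standard JEDEC 512-byte frame layout and result codes, models single-block authenticated writes only, and the key is a constructed test value.

```python
import hashlib
import hmac
import struct

# Byte offsets inside a 512-byte RPMB frame (JEDEC eMMC layout, big-endian
# fields). The MAC is HMAC-SHA256 over bytes [228:512]: data, nonce, write
# counter, address, block count, result and request/response type.
OFF_KEY_MAC, OFF_DATA, OFF_NONCE = 196, 228, 484
OFF_COUNTER, OFF_ADDR, OFF_BLKCNT, OFF_RESULT, OFF_REQ = 500, 504, 506, 508, 510
FRAME_SIZE = 512

REQ_KEY_PROGRAM, REQ_AUTH_WRITE = 0x0001, 0x0003
RES_OK, RES_GENERAL_FAIL, RES_AUTH_FAIL = 0x0000, 0x0001, 0x0002
RES_COUNTER_FAIL, RES_NO_KEY = 0x0003, 0x0007


def rpmb_mac(key: bytes, frame: bytes) -> bytes:
    """HMAC-SHA256 over the authenticated tail of one frame."""
    return hmac.new(key, frame[OFF_DATA:FRAME_SIZE], hashlib.sha256).digest()


def build_frame(req, data=b"", counter=0, addr=0, blkcnt=1, key_mac=bytes(32)):
    """Assemble a host-side request frame; the key/MAC field is set by the caller."""
    assert len(data) <= 256 and len(key_mac) == 32
    f = bytearray(FRAME_SIZE)
    f[OFF_KEY_MAC:OFF_KEY_MAC + 32] = key_mac
    f[OFF_DATA:OFF_DATA + len(data)] = data
    struct.pack_into(">IHHHH", f, OFF_COUNTER, counter, addr, blkcnt, 0, req)
    return bytes(f)


def sign_frame(key: bytes, frame: bytes) -> bytes:
    """Return a copy of frame with the key/MAC field replaced by its HMAC."""
    f = bytearray(frame)
    f[OFF_KEY_MAC:OFF_KEY_MAC + 32] = rpmb_mac(key, frame)
    return bytes(f)


class RpmbDevice:
    """Device-side model: one-shot key programming, MAC check, monotonic counter."""

    def __init__(self):
        self.key = None          # None until REQ_KEY_PROGRAM succeeds
        self.write_counter = 0   # incremented on every successful write
        self.blocks = {}         # addr -> 256-byte data block

    def handle(self, frame: bytes) -> int:
        req = struct.unpack_from(">H", frame, OFF_REQ)[0]
        if req == REQ_KEY_PROGRAM:
            if self.key is not None:      # the key can be programmed only once
                return RES_GENERAL_FAIL
            self.key = frame[OFF_KEY_MAC:OFF_KEY_MAC + 32]
            return RES_OK
        if req == REQ_AUTH_WRITE:
            if self.key is None:
                return RES_NO_KEY
            mac = frame[OFF_KEY_MAC:OFF_KEY_MAC + 32]
            if not hmac.compare_digest(mac, rpmb_mac(self.key, frame)):
                return RES_AUTH_FAIL      # forged or tampered frame
            counter, addr = struct.unpack_from(">IH", frame, OFF_COUNTER)
            if counter != self.write_counter:
                return RES_COUNTER_FAIL   # stale counter: a replayed frame
            self.blocks[addr] = frame[OFF_DATA:OFF_DATA + 256]
            self.write_counter += 1
            return RES_OK
        return RES_GENERAL_FAIL           # reads and other requests not modelled


if __name__ == "__main__":
    dev, key = RpmbDevice(), b"\x11" * 32       # constructed test key
    print(dev.handle(build_frame(REQ_KEY_PROGRAM, key_mac=key)))   # 0 (RES_OK)
    write = sign_frame(key, build_frame(REQ_AUTH_WRITE, data=b"hi", addr=1))
    print(dev.handle(write), dev.handle(write))  # 0 then 3 (counter failure)
```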
Main updates from version V18[2]:
- rework documentation for the release_fw ops
- rework function documentation in remoteproc_tee.c
- replace spinlock by mutex and generalize usage in remoteproc_tee.c
Main updates from version V17[1]:
- Fix: warning: EXPORT_SYMBOL() is used, but #include <linux/export.h>
is missing
More details are available in each patch commit message.
[1] https://lore.kernel.org/linux-remoteproc/20250613091650.2337411-1-arnaud.po…
[2] https://lore.kernel.org/linux-remoteproc/20250616075530.4106090-1-arnaud.po…
Tested-on: commit 19272b37aa4f ("Linux 6.16-rc1")
Description of the feature:
--------------------------
This series proposes the implementation of a remoteproc tee driver to
communicate with a TEE trusted application responsible for authenticating
and loading the remoteproc firmware image in an Arm secure context.
1) Principle:
The remoteproc tee driver provides services to communicate with the OP-TEE
trusted application running on the Trusted Execution Context (TEE).
The trusted application in TEE manages the remote processor lifecycle:
- authenticating and loading firmware images,
- isolating and securing the remote processor memories,
- supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33),
- managing the start and stop of the firmware by the TEE.
2) Format of the signed image:
Refer to:
https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc…
3) OP-TEE trusted application API:
Refer to:
https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem…
4) OP-TEE signature script
Refer to:
https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py
Example of usage:
sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem
5) Impact on User space Application
No sysfs impact. The user only needs to provide the signed firmware image
instead of the ELF image.
For more information about the implementation, a presentation is available here
(note that the format of the signed image has evolved between the presentation
and the integration in OP-TEE).
https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds
Arnaud Pouliquen (6):
remoteproc: core: Introduce rproc_pa_to_va helper
remoteproc: Add TEE support
remoteproc: Introduce optional release_fw operation
dt-bindings: remoteproc: Add compatibility for TEE support
remoteproc: stm32: Create sub-functions to request shutdown and
release
remoteproc: stm32: Add support of an OP-TEE TA to load the firmware
.../bindings/remoteproc/st,stm32-rproc.yaml | 58 +-
drivers/remoteproc/Kconfig | 10 +
drivers/remoteproc/Makefile | 1 +
drivers/remoteproc/remoteproc_core.c | 52 ++
drivers/remoteproc/remoteproc_internal.h | 6 +
drivers/remoteproc/remoteproc_tee.c | 708 ++++++++++++++++++
drivers/remoteproc/stm32_rproc.c | 139 +++-
include/linux/remoteproc.h | 6 +
include/linux/remoteproc_tee.h | 87 +++
9 files changed, 1023 insertions(+), 44 deletions(-)
create mode 100644 drivers/remoteproc/remoteproc_tee.c
create mode 100644 include/linux/remoteproc_tee.h
base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494
--
2.25.1
Hi,
This patch set allocates the protected DMA-bufs from a DMA-heap
instantiated from the TEE subsystem.
The TEE subsystem handles the DMA-buf allocations since it is the TEE
(OP-TEE, AMD-TEE, TS-TEE, or perhaps a future QTEE) which sets up the
protection for the memory used for the DMA-bufs.
The DMA-heap uses a protected memory pool provided by the backend TEE
driver, allowing it to choose how to allocate the protected physical
memory.
The allocated DMA-bufs must be imported with a new TEE_IOC_SHM_REGISTER_FD
before they can be passed as arguments when requesting services from the
secure world.
Three use-cases (Secure Video Playback, Trusted UI, and Secure Video
Recording) have been identified so far to serve as examples of what can be
expected. The use-cases have predefined DMA-heap names,
"protected,secure-video", "protected,trusted-ui", and
"protected,secure-video-record". The backend driver registers protected
memory pools for the use-cases it supports.
Each use-case has its own protected memory pool since different use-cases
require isolation from different parts of the system. A protected memory
pool can be based on a static carveout instantiated while probing the TEE
backend driver, or dynamically allocated from CMA (dma_alloc_pages()) and
made protected as needed by the TEE.
This can be tested on a RockPi 4B+ with the following steps:
repo init -u https://github.com/jenswi-linaro/manifest.git -m rockpi4.xml \
-b prototype/sdp-v12
repo sync -j8
cd build
make toolchains -j$(nproc)
make all -j$(nproc)
# Copy ../out/rockpi4.img to an SD card and boot the RockPi from that
# Connect a monitor to the RockPi
# login and at the prompt:
gst-launch-1.0 videotestsrc ! \
aesenc key=1f9423681beb9a79215820f6bda73d0f \
iv=e9aa8e834d8d70b7e0d254ff670dd718 serialize-iv=true ! \
aesdec key=1f9423681beb9a79215820f6bda73d0f ! \
kmssink
The aesdec module has been hacked to use an OP-TEE TA to decrypt the stream
into protected DMA-bufs which are consumed by the kmssink.
The primitive QEMU tests from previous patch sets can be tested on RockPi
in the same way using:
xtest --sdp-basic
The primitive tests are tested on QEMU with the following steps:
repo init -u https://github.com/jenswi-linaro/manifest.git -m qemu_v8.xml \
-b prototype/sdp-v12
repo sync -j8
cd build
make toolchains -j$(nproc)
make SPMC_AT_EL=1 all -j$(nproc)
make SPMC_AT_EL=1 run-only
# login and at the prompt:
xtest --sdp-basic
The SPMC_AT_EL=1 parameter configures the build with FF-A and an SPMC at
S-EL1 inside OP-TEE. The parameter can be changed to SPMC_AT_EL=n to test
without FF-A using the original SMC ABI instead. Please remember to do
%make arm-tf-clean
for TF-A to be rebuilt properly using the new configuration.
https://optee.readthedocs.io/en/latest/building/prerequisites.html
lists the dependencies required to build the above.
The primitive tests are pretty basic, mostly checking that a Trusted
Application in the secure world can access and manipulate the memory. There
are also some negative tests for out of bounds buffers, etc.
Thanks,
Jens
Changes since V11:
* In "dma-buf: dma-heap: export declared functions":
- use EXPORT_SYMBOL_NS_GPL()
- Added TJ's R-B and Sumit's Ack
* In "tee: implement protected DMA-heap", import the namespaces "DMA_BUF"
and "DMA_BUF_HEAP" as needed.
Changes since V10:
* Changed the new ABI OPTEE_MSG_CMD_GET_PROTMEM_CONFIG to report a list
of u32 memory attributes instead of u16 endpoints to make room for both
endpoint and access permissions in each entry.
* In "tee: new ioctl to a register tee_shm from a dmabuf file descriptor",
remove the unused path for DMA-bufs allocated by other means than the one
in the TEE SS.
* In "tee: implement protected DMA-heap", handle unloading of the
backend driver module implementing the heap. The heap is reference
counted and also calls tee_device_get() to guarantee that the module
remains available while the heap is instantiated.
* In "optee: support protected memory allocation", use
dma_coerce_mask_and_coherent() instead of open-coding the function.
* Added Sumit's R-B to
- "optee: smc abi: dynamic protected memory allocation"
- "optee: FF-A: dynamic protected memory allocation"
- "optee: support protected memory allocation"
- "tee: implement protected DMA-heap"
- "dma-buf: dma-heap: export declared functions"
Changes since V9:
* Adding Sumit's R-B to "optee: sync secure world ABI headers"
* Update commit message as requested for "dma-buf: dma-heap: export
declared functions".
* In "tee: implement protected DMA-heap":
- add the hidden config option TEE_DMABUF_HEAPS to tell if the TEE
subsystem can support DMA heaps
- add a pfn_valid() to check that the passed physical address can be
used by __pfn_to_page() and friends
- remove the memremap() call, the caller should do that instead if
needed
* In "tee: add tee_shm_alloc_dma_mem()" guard the calls to
dma_alloc_pages() and dma_free_pages() with TEE_DMABUF_HEAPS to avoid
linking errors in some configurations
* In "optee: support protected memory allocation":
- add the hidden config option OPTEE_STATIC_PROTMEM_POOL to tell if the
driver can support a static protected memory pool
- optee_protmem_pool_init() is slightly refactored to make the patches
that follow easier
- Call devm_memremap() before calling tee_protmem_static_pool_alloc()
Changes since V8:
* Using dma_alloc_pages() instead of cma_alloc() so the direct dependency on
CMA can be removed together with the patches
"cma: export cma_alloc() and cma_release()" and
"dma-contiguous: export dma_contiguous_default_area". The patch
* Renaming the patch "tee: add tee_shm_alloc_cma_phys_mem()" to
"tee: add tee_shm_alloc_dma_mem()"
* Setting DMA mask for the OP-TEE TEE device based on input from the secure
world instead of relying on the parent device so following patches are
removed: "tee: tee_device_alloc(): copy dma_mask from parent device" and
"optee: pass parent device to tee_device_alloc()".
* Adding Sumit Garg's R-B to "tee: refactor params_from_user()"
* In the patch "tee: implement protected DMA-heap", map the physical memory
passed to tee_protmem_static_pool_alloc().
Changes since V7:
* Adding "dma-buf: dma-heap: export declared functions",
"cma: export cma_alloc() and cma_release()", and
"dma-contiguous: export dma_contiguous_default_area" to export the symbols
needed to keep the TEE subsystem as a load module.
* Removing CONFIG_TEE_DMABUF_HEAP and CONFIG_TEE_CMA since they aren't
needed any longer.
* Addressing review comments in "optee: sync secure world ABI headers"
* Better align protected memory pool initialization between the smc-abi and
ffa-abi parts of the optee driver.
* Removing the patch "optee: account for direction while converting parameters"
Changes since V6:
* Restricted memory is now known as protected memory in order to use the same
term as https://docs.vulkan.org/guide/latest/protected.html. Update all
patches to consistently use protected memory.
* In "tee: implement protected DMA-heap" add the hidden config option
TEE_DMABUF_HEAP to tell if the DMABUF_HEAPS functions are available
for the TEE subsystem
* Adding "tee: refactor params_from_user()", broken out from the patch
"tee: new ioctl to a register tee_shm from a dmabuf file descriptor"
* For "tee: new ioctl to a register tee_shm from a dmabuf file descriptor":
- Update commit message to mention protected memory
- Remove and open code tee_shm_get_parent_shm() in param_from_user_memref()
* In "tee: add tee_shm_alloc_cma_phys_mem" add the hidden config option
TEE_CMA to tell if the CMA functions are available for the TEE subsystem
* For "tee: tee_device_alloc(): copy dma_mask from parent device" and
"optee: pass parent device to tee_device_alloc", added
Reviewed-by: Sumit Garg <sumit.garg(a)kernel.org>
Changes since V5:
* Removing "tee: add restricted memory allocation" and
"tee: add TEE_IOC_RSTMEM_FD_INFO"
* Adding "tee: implement restricted DMA-heap",
"tee: new ioctl to a register tee_shm from a dmabuf file descriptor",
"tee: add tee_shm_alloc_cma_phys_mem()",
"optee: pass parent device to tee_device_alloc()", and
"tee: tee_device_alloc(): copy dma_mask from parent device"
* The two TEE driver OPs "rstmem_alloc()" and "rstmem_free()" are replaced
with a struct tee_rstmem_pool abstraction.
* Replaced the TEE_IOC_RSTMEM_ALLOC user space API with the DMA-heap API
Changes since V4:
* Adding the patch "tee: add TEE_IOC_RSTMEM_FD_INFO" needed by the
GStreamer demo
* Removing the dummy CPU access and mmap functions from the dma_buf_ops
* Fixing a compile error in "optee: FF-A: dynamic restricted memory allocation"
reported by kernel test robot <lkp(a)intel.com>
Changes since V3:
* Make the use_case and flags field in struct tee_shm u32's instead of
u16's
* Add more description for TEE_IOC_RSTMEM_ALLOC in the header file
* Import namespace DMA_BUF in module tee, reported by lkp(a)intel.com
* Added a note in the commit message for "optee: account for direction
while converting parameters" why it's needed
* Factor out dynamic restricted memory allocation from
"optee: support restricted memory allocation" into two new commits
"optee: FF-A: dynamic restricted memory allocation" and
"optee: smc abi: dynamic restricted memory allocation"
* Guard CMA usage with #ifdef CONFIG_CMA, effectively disabling dynamic
restricted memory allocate if CMA isn't configured
Changes since the V2 RFC:
* Based on v6.12
* Replaced the flags for SVP and Trusted UID memory with a u32 field with
unique id for each use case
* Added dynamic allocation of restricted memory pools
* Added OP-TEE ABI both with and without FF-A for dynamic restricted memory
* Added support for FF-A with FFA_LEND
Changes since the V1 RFC:
* Based on v6.11
* Complete rewrite, replacing the restricted heap with TEE_IOC_RSTMEM_ALLOC
Changes since Olivier's post [2]:
* Based on Yong Wu's post [1] where much of dma-buf handling is done in
the generic restricted heap
* Simplifications and cleanup
* New commit message for "dma-buf: heaps: add Linaro restricted dmabuf heap
support"
* Replaced the word "secure" with "restricted" where applicable
Etienne Carriere (1):
tee: new ioctl to a register tee_shm from a dmabuf file descriptor
Jens Wiklander (8):
optee: sync secure world ABI headers
dma-buf: dma-heap: export declared functions
tee: implement protected DMA-heap
tee: refactor params_from_user()
tee: add tee_shm_alloc_dma_mem()
optee: support protected memory allocation
optee: FF-A: dynamic protected memory allocation
optee: smc abi: dynamic protected memory allocation
drivers/dma-buf/dma-heap.c | 4 +
drivers/tee/Kconfig | 5 +
drivers/tee/Makefile | 1 +
drivers/tee/optee/Kconfig | 5 +
drivers/tee/optee/Makefile | 1 +
drivers/tee/optee/core.c | 7 +
drivers/tee/optee/ffa_abi.c | 146 ++++++++-
drivers/tee/optee/optee_ffa.h | 27 +-
drivers/tee/optee/optee_msg.h | 84 ++++-
drivers/tee/optee/optee_private.h | 15 +-
drivers/tee/optee/optee_smc.h | 37 ++-
drivers/tee/optee/protmem.c | 335 ++++++++++++++++++++
drivers/tee/optee/smc_abi.c | 141 ++++++++-
drivers/tee/tee_core.c | 158 +++++++---
drivers/tee/tee_heap.c | 500 ++++++++++++++++++++++++++++++
drivers/tee/tee_private.h | 14 +
drivers/tee/tee_shm.c | 157 +++++++++-
include/linux/tee_core.h | 59 ++++
include/linux/tee_drv.h | 10 +
include/uapi/linux/tee.h | 31 ++
20 files changed, 1670 insertions(+), 67 deletions(-)
create mode 100644 drivers/tee/optee/protmem.c
create mode 100644 drivers/tee/tee_heap.c
base-commit: c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9
--
2.43.0
The Qualcomm Trusted Execution Environment (QTEE) is only available on
Qualcomm SoCs. Hence add a dependency on ARCH_QCOM, to prevent asking
the user about this driver when configuring a kernel without Qualcomm
platform support.
Fixes: d6e290837e50f73f ("tee: add Qualcomm TEE driver")
Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be>
---
drivers/tee/qcomtee/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tee/qcomtee/Kconfig b/drivers/tee/qcomtee/Kconfig
index 927686abceb1536e..9f19dee08db491c3 100644
--- a/drivers/tee/qcomtee/Kconfig
+++ b/drivers/tee/qcomtee/Kconfig
@@ -2,6 +2,7 @@
# Qualcomm Trusted Execution Environment Configuration
config QCOMTEE
tristate "Qualcomm TEE Support"
+ depends on ARCH_QCOM || COMPILE_TEST
depends on !CPU_BIG_ENDIAN
select QCOM_SCM
select QCOM_TZMEM_MODE_SHMBRIDGE
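Review bot: the new `depends on ARCH_QCOM || COMPILE_TEST` line is placed ahead of the existing `depends on !CPU_BIG_ENDIAN`, which follows the usual Kconfig ordering of platform dependency first. Since the entry keeps `select QCOM_SCM` and `select QCOM_TZMEM_MODE_SHMBRIDGE`, it is worth confirming that both selected symbols build on non-Qualcomm COMPILE_TEST configurations; otherwise the `|| COMPILE_TEST` alternative adds no build coverage and only produces unmet-dependency noise.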
--
2.43.0
After sending a patch to op-tee(a)lists.trustedfirmware.org, I got the
typical response for a moderated list:
Your mail to 'op-tee(a)lists.trustedfirmware.org' with the subject
[...]
Is being held until the list moderator can review it for approval.
The message is being held because:
The message is not from a list member
Either the message will get posted to the list, or you will receive
notification of the moderator's decision.
Mark this mailing list moderated in MAINTAINERS.
Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be>
---
MAINTAINERS | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index fc755a50fb150498..5aa2e501231f2aa6 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -19115,14 +19115,14 @@ F: drivers/net/phy/ncn*
OP-TEE DRIVER
M: Jens Wiklander <jens.wiklander(a)linaro.org>
-L: op-tee(a)lists.trustedfirmware.org
+L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers)
S: Maintained
F: Documentation/ABI/testing/sysfs-bus-optee-devices
F: drivers/tee/optee/
OP-TEE RANDOM NUMBER GENERATOR (RNG) DRIVER
M: Sumit Garg <sumit.garg(a)kernel.org>
-L: op-tee(a)lists.trustedfirmware.org
+L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers)
S: Maintained
F: drivers/char/hw_random/optee-rng.c
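Review bot: both L: lines in this hunk get the identical `(moderated for non-subscribers)` suffix, which is the exact wording MAINTAINERS already uses for other moderated lists, so scripts that parse the file keep recognising the address. The F: entries of the OP-TEE DRIVER and OP-TEE RNG sections are untouched, so the change is limited to the list annotation as the commit message states.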
@@ -25116,7 +25116,7 @@ F: include/media/i2c/tw9910.h
TEE SUBSYSTEM
M: Jens Wiklander <jens.wiklander(a)linaro.org>
R: Sumit Garg <sumit.garg(a)kernel.org>
-L: op-tee(a)lists.trustedfirmware.org
+L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers)
S: Maintained
F: Documentation/ABI/testing/sysfs-class-tee
F: Documentation/driver-api/tee.rst
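Review bot: this is the third occurrence of `op-tee(a)lists.trustedfirmware.org` changed by the patch; the commit message could state that a grep for the bare address shows no remaining unannotated entry, which makes the completeness of the change easy to verify for the reviewer applying it.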
--
2.43.0
Re-order these checks to check if "i" is a valid array index before using
it. This prevents a potential off by one read access.
Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org>
---
drivers/tee/qcomtee/call.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
index cc17a48d0ab7..ac134452cc9c 100644
--- a/drivers/tee/qcomtee/call.c
+++ b/drivers/tee/qcomtee/call.c
@@ -308,7 +308,7 @@ static int qcomtee_params_from_args(struct tee_param *params,
}
/* Release any IO and OO objects not processed. */
- for (; u[i].type && i < num_params; i++) {
+ for (; i < num_params && u[i].type; i++) {
if (u[i].type == QCOMTEE_ARG_TYPE_OO ||
u[i].type == QCOMTEE_ARG_TYPE_IO)
qcomtee_object_put(u[i].o);
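Review bot: the operand swap is the right fix: with `u[i].type && i < num_params`, the loop read `u[num_params].type` once `i` reached `num_params`, one element past the array, before the bounds test could reject it, which is the "off by one read access" the commit message names. A short note that `u[i].type == 0` acts as a terminator (entries after a zero-typed slot are intentionally not released) would make the loop's intent clear to the next reader.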
--
2.51.0
Hello arm-soc maintainers,
Please pull this fix in the TEE subsystem.
Thanks,
Jens
The following changes since commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585:
Linux 6.17-rc1 (2025-08-10 19:41:16 +0300)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-shm-register-fix-for-v6.17
for you to fetch changes up to d5cf5b37064b1699d946e8b7ab4ac7d7d101814c:
tee: fix register_shm_helper() (2025-09-22 08:47:00 +0200)
----------------------------------------------------------------
TEE fix2 for v6.17
Fixing incorrect error handling for a call to iov_iter_extract_pages().
----------------------------------------------------------------
Jens Wiklander (1):
tee: fix register_shm_helper()
drivers/tee/tee_shm.c | 8 ++++++++
1 file changed, 8 insertions(+)
In register_shm_helper(), fix incorrect error handling for a call to
iov_iter_extract_pages(). A case is missing for when
iov_iter_extract_pages() only got some pages and returned a number larger
than 0, but not the requested amount.
This fixes a possible NULL pointer dereference following a bad input from
ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer aren't mapped.
Cc: stable(a)vger.kernel.org
Reported-by: Masami Ichikawa <masami256(a)gmail.com>
Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq…
Tested-by: Masami Ichikawa <masami256(a)gmail.com>
Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org>
---
Changes from v1
- Refactor the if statement as requested by Sumit
- Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com>
- Link to v1:
https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina…
---
drivers/tee/tee_shm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index daf6e5cfd59a..76c54e1dc98c 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
if (unlikely(len <= 0)) {
ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM);
goto err_free_shm_pages;
+ } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) {
+ /*
+ * If we only got a few pages, update to release the
+ * correct amount below.
+ */
+ shm->num_pages = len / PAGE_SIZE;
+ ret = ERR_PTR(-ENOMEM);
+ goto err_put_shm_pages;
}
/*
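Review bot: the partial-extraction branch sets `shm->num_pages = len / PAGE_SIZE;`, but the number of pages iov_iter_extract_pages() actually pinned is `DIV_ROUND_UP(len + off, PAGE_SIZE)`, the same expression the new `else if` tests. Whenever `off` is non-zero (or `len` is not a multiple of PAGE_SIZE) the plain division rounds down by one, so the release path reached through `err_put_shm_pages` would leave the last pinned page unreleased. Suggest `shm->num_pages = DIV_ROUND_UP(len + off, PAGE_SIZE);` so the count matches the condition.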
--
2.43.0
In register_shm_helper(), fix incorrect error handling for a call to
iov_iter_extract_pages(). A case is missing for when
iov_iter_extract_pages() only got some pages and returned a number larger
than 0, but not the requested amount.
This fixes a possible NULL pointer dereference following a bad input from
ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer aren't mapped.
Cc: stable(a)vger.kernel.org
Reported-by: Masami Ichikawa <masami256(a)gmail.com>
Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq…
Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org>
---
drivers/tee/tee_shm.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c
index daf6e5cfd59a..6ed7d030f4ed 100644
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags,
len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0,
&off);
- if (unlikely(len <= 0)) {
+ if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) {
+ if (len > 0) {
+ /*
+ * If we only got a few pages, update to release
+ * the correct amount below.
+ */
+ shm->num_pages = len / PAGE_SIZE;
+ ret = ERR_PTR(-ENOMEM);
+ goto err_put_shm_pages;
+ }
ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM);
goto err_free_shm_pages;
}
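Review bot: folding the `len <= 0` test into the page-count comparison makes the error case hard to follow: a negative `len` (an error code from iov_iter_extract_pages()) only reaches the `!= num_pages` branch because `off`, passed as the function's `size_t *offset0` argument, makes `len + off` an unsigned sum that wraps. Keeping an explicit `if (unlikely(len <= 0))` ahead of the partial-extraction check states the intent directly. The inner `shm->num_pages = len / PAGE_SIZE;` also rounds down relative to the `DIV_ROUND_UP(len + off, PAGE_SIZE)` count when `off` is non-zero, so the two expressions should agree.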
--
2.43.0