- OP-TEE - lists.trustedfirmware.org

[PATCH next] tee: qcom: prevent potential off by one read

by Dan Carpenter

Re-order these checks to check if "i" is a valid array index before using it. This prevents a potential off by one read access. Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index cc17a48d0ab7..ac134452cc9c 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -308,7 +308,7 @@ static int qcomtee_params_from_args(struct tee_param *params, } /* Release any IO and OO objects not processed. */ - for (; u[i].type && i < num_params; i++) { + for (; i < num_params && u[i].type; i++) { if (u[i].type == QCOMTEE_ARG_TYPE_OO || u[i].type == QCOMTEE_ARG_TYPE_IO) qcomtee_object_put(u[i].o); -- 2.51.0

5 hours, 30 minutes

4
9
0 0

[GIT PULL] TEE fix2 for v6.17

by Jens Wiklander

Hello arm-soc maintainers, Please pull this fix in the TEE subsystem. Thanks, Jens The following changes since commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585: Linux 6.17-rc1 (2025-08-10 19:41:16 +0300) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-shm-register-fix-for-v6.17 for you to fetch changes up to d5cf5b37064b1699d946e8b7ab4ac7d7d101814c: tee: fix register_shm_helper() (2025-09-22 08:47:00 +0200) ---------------------------------------------------------------- TEE fix2 for v6.17 Fixing incorrect error handling for a call to iov_iter_extract_pages(). ---------------------------------------------------------------- Jens Wiklander (1): tee: fix register_shm_helper() drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+)

22 hours, 42 minutes

1
0
0 0

[PATCH v2] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Tested-by: Masami Ichikawa <masami256(a)gmail.com> Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- Changes from v1 - Refactor the if statement as requested by Sumit - Adding Tested-by: Masami Ichikawa <masami256(a)gmail.com - Link to v1: https://lore.kernel.org/op-tee/20250919124217.2934718-1-jens.wiklander@lina… --- drivers/tee/tee_shm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..76c54e1dc98c 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -319,6 +319,14 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, if (unlikely(len <= 0)) { ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; + } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + /* + * If we only got a few pages, update to release the + * correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; } /* -- 2.43.0

22 hours, 48 minutes

2
2
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting September 23

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - Pull request for the Secure Data Path patchset [1], accepted by arm-soc [2] - Pull request for the QCOMTEE driver patchset [3] has not been accepted yet. It also has a few error reports or patches pending since it was included in Linux-next Are there any other topics? Cheers, Jens [1] https://lore.kernel.org/op-tee/20250912101752.GA1453408@rayden/ [2] https://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git/commit/?id=8204… [3] https://lore.kernel.org/op-tee/20250915174957.GA2040478@rayden/

2 days, 17 hours

1
0
0 0

[PATCH v19 0/6] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V18[2]: - rework documentation for the release_fw ops - rework function documentation in remoteproc_tee.c - replace spinlock by mutex and generalize usage in remoteproc_tee.c Main updates from version V17[1]: - Fix: warning: EXPORT_SYMBOL() is used, but #include <linux/export.h> is missing More details are available in each patch commit message. [1] https://lore.kernel.org/linux-remoteproc/20250613091650.2337411-1-arnaud.po… [2] https://lore.kernel.org/linux-remoteproc/20250616075530.4106090-1-arnaud.po… Tested-on: commit 19272b37aa4f ("Linux 6.16-rc1") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact. The user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (6): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support remoteproc: Introduce optional release_fw operation dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 +- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 52 ++ drivers/remoteproc/remoteproc_internal.h | 6 + drivers/remoteproc/remoteproc_tee.c | 708 ++++++++++++++++++ drivers/remoteproc/stm32_rproc.c | 139 +++- include/linux/remoteproc.h | 6 + include/linux/remoteproc_tee.h | 87 +++ 9 files changed, 1023 insertions(+), 44 deletions(-) create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 -- 2.25.1

2 days, 22 hours

6
23
0 0

[PATCH] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..6ed7d030f4ed 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off); - if (unlikely(len <= 0)) { + if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + if (len > 0) { + /* + * If we only got a few pages, update to release + * the correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; + } ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; } -- 2.43.0

3 days

3
3
0 0

[PATCH] tee: qcom: return -EFAULT instead of -EINVAL if copy_from_user() fails

by Dan Carpenter

If copy_from_user() fails, the correct error code is -EFAULT, not -EINVAL. Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index 783acc59cfa9..b6715ada7700 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -424,7 +424,7 @@ static int qcomtee_prepare_msg(struct qcomtee_object_invoke_ctx *oic, if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) memcpy(msgptr, u[i].b.addr, u[i].b.size); else if (copy_from_user(msgptr, u[i].b.uaddr, u[i].b.size)) - return -EINVAL; + return -EFAULT; offset += qcomtee_msg_offset_align(u[i].b.size); ib++; -- 2.51.0

5 days, 23 hours

3
2
0 0

[BUG] tee_shm: NULL pointer dereference in unpin_user_pages() on invalid shm pages

by Masami Ichikawa

Hi. While doing my fuzzing work, I found the following kernel crash by NULL pointer dereference in Linux 6.17-rc5. [ 16.143987] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [ 16.144141] Mem abort info: [ 16.144215] ESR = 0x0000000096000004 [ 16.144246] EC = 0x25 ** replaying previous printk message ** [ 16.144246] EC = 0x25: DABT (current EL), IL = 32 bits [ 16.144271] SET = 0, FnV = 0 [ 16.144289] EA = 0, S1PTW = 0 [ 16.144308] FSC = 0x04: level 0 translation fault [ 16.144325] Data abort info: [ 16.144335] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 16.144346] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 16.144358] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 16.144412] user pgtable: 4k pages, 52-bit VAs, pgdp=0000000048b34b00 [ 16.144432] [0000000000000008] pgd=0800000040bb3403, p4d=0000000000000000 [ 16.144876] Internal error: Oops: 0000000096000004 [#1] SMP [ 16.146429] Modules linked in: [ 16.146775] CPU: 0 UID: 0 PID: 148 Comm: xtest Not tainted 6.17.0-rc5 #58 PREEMPT [ 16.146995] Hardware name: linux,dummy-virt (DT) [ 16.147181] pstate: 21402005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 16.147330] pc : unpin_user_pages+0x78/0xd0 [ 16.147763] lr : unpin_user_pages+0xa0/0xd0 [ 16.147842] sp : ffff800084403d20 [ 16.147912] x29: ffff800084403d20 x28: fff00000054aa300 x27: 0000000000000000 [ 16.148089] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 [ 16.148235] x23: fff00000004fb5a8 x22: 0000000000000001 x21: 000000000000000d [ 16.148401] x20: fff0000000b2f9c0 x19: 0000000000000011 x18: 0000000000000001 [ 16.148544] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 16.148659] x14: 0000000000000002 x13: 0000000000000002 x12: 0000000000037d0f [ 16.148786] x11: fff0000001dad708 x10: 000000000000003f x9 : 0000000000000d1b [ 16.148925] x8 : 00000000000007e0 x7 : 0000000000000001 x6 : 000000000000000d [ 16.149039] x5 : ffffffffffffffff x4 : ffffffffffffffff x3 : 000000000000000e [ 16.149167] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffc1ffc0fd68c0 [ 16.149351] Call trace: [ 16.149520] unpin_user_pages+0x78/0xd0 (P) [ 16.149684] tee_shm_put+0x134/0x184 [ 16.149783] tee_shm_fop_release+0x14/0x24 [ 16.149866] __fput+0xcc/0x2dc [ 16.149925] fput_close_sync+0x40/0x108 [ 16.149991] __arm64_sys_close+0x38/0x7c [ 16.150058] invoke_syscall+0x48/0x110 [ 16.150127] el0_svc_common.constprop.0+0x40/0xe8 [ 16.150227] do_el0_svc+0x20/0x2c [ 16.150303] el0_svc+0x34/0xf0 [ 16.150369] el0t_64_sync_handler+0xa0/0xe4 [ 16.150439] el0t_64_sync+0x198/0x19c [ 16.150629] Code: aa0203e3 eb02027f 54000109 f8627a82 (f9400444) [ 16.150940] ---[ end trace 0000000000000000 ]--- [ 16.151230] Kernel panic - not syncing: Oops: Fatal exception [ 16.151466] SMP: stopping secondary CPUs [ 16.151838] Kernel Offset: disabled [ 16.151911] CPU features: 0x000000,0000d180,2bbe33e1,957e7f3f [ 16.152019] Memory Limit: none [ 16.152284] ---[ end Kernel panic - not syncing: Oops: Fatal exception ]--- decode_stacktrace.sh shows the following call sequence. [ 20.554057] unpin_user_pages (./include/linux/page-flags.h:284 mm/gup.c:259 mm/gup.c:420 mm/gup.c:400) (P) [ 20.554204] tee_shm_put (drivers/tee/tee_shm.c:42 drivers/tee/tee_shm.c:57 drivers/tee/tee_shm.c:587) [ 20.554291] tee_shm_fop_release (drivers/tee/tee_shm.c:437) [ 20.554366] __fput (fs/file_table.c:469) [ 20.554429] fput_close_sync (fs/file_table.c:574) [ 20.554496] __arm64_sys_close (fs/open.c:1590 fs/open.c:1572 fs/open.c:1572) [ 20.554565] invoke_syscall (./arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:54) [ 20.554639] el0_svc_common.constprop.0 (./include/linux/thread_info.h:135 arch/arm64/kernel/syscall.c:140) [ 20.554719] do_el0_svc (arch/arm64/kernel/syscall.c:152) [ 20.554782] el0_svc (./arch/arm64/include/asm/irqflags.h:55 ./arch/arm64/include/asm/irqflags.h:76 arch/arm64/kernel/entry-common.c:169 arch/arm64/kernel/entry-common.c:182 arch/arm64/kernel/entry-common.c:880) [ 20.554842] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:899) [ 20.554914] el0t_64_sync (arch/arm64/kernel/entry.S:596) I set up a test environment using qemu_v8.xml in the OP-TEE/manifest repository. ## Test case This test is based on xtest_tee_test_1004 included in xtest in the optee_test repository. For fuzzing, the following data is created using xtest_crypto_test(). It creates parameters like this. op.params[0].tmpref.buffer = crypt_in; // crypt_in = malloc(sizeof(uint8_t) * 0xff); op.params[0].tmpref.size = input_len; // 0xffff op.params[1].tmpref.buffer = crypt_out; // crypt_out = malloc(sizeof(uint8_t) * 0xff); op.params[1].tmpref.size = input_len; // 0xffff When TEEC_InvokeCommand() in libteec was called with above parameters, it printed folloing errorr then, linux kernel was crashed. ERR [152] LT:TEEC_InvokeCommand:730: TEE_IOC_INVOKE failed ## Crash scenario 1. modified version of xtest_crypto_test() creates parameters. 2. xtest_crypto_test() calls TEEC_InvokeCommand() in the libteec. 3. TEEC_InvokeCommand calls ioctl(2). 4. tee_ioctl_invoke() in the tee_core.c is called by ioctl(2). 5. tee_ioctl_invoke() calles params_from_user(). 6. In the params_from_user(), it returned -EINVAL because of following if condition was true. if ((ip.a + ip.b) < ip.a || (ip.a + ip.b) > shm->size) { tee_shm_put(shm); return -EINVAL; } 7. tee_ioctl_invoke() recive an error from params_from_user() so that it run clean up process(in the out label). 8. tee_ioctl_invoke() returns -EINVAL. 9. TEEC_InvokeCommand() prints an error log then calls teec_free_temp_refs() in libteec. 10. teec_free_temp_refs() calls TEEC_ReleaseSharedMemory(). 11. TEEC_ReleaseSharedMemory() calls close(2). 12. tee_shm_put() in the tee_shm.c is called. 13. tee_shm_put() calls tee_shm_release(). 14. tee_shm_release() calls release_registered_pages(). 15. release_registered_pages() calls unpin_user_pages(). 16. Null pointer dereference is happened in unpin_user_pages(). ## Debugging I added following debug logs in the tee_shm_release() } else if (shm->flags & TEE_SHM_DYNAMIC) { int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm); size_t i; if (rc) dev_err(teedev->dev.parent, "unregister shm %p failed: %d", shm, rc); pr_info("%s:%d: shm->num_pages: 0x%lx, shm->size: 0x%lx\n", __func__, __LINE__, shm->num_pages, shm->size); for (i = 0; i < shm->num_pages; i++) { if (!shm->pages[i]) { pr_info("%s:%d: shm->pages[%ld] is NULL", __func__, __LINE__, i); } } release_registered_pages(shm); } It showed the following logs. [ 21.350894] tee_shm_release:57: shm->num_pages: 0x11, shm->size: 0xd690 [ 21.350977] tee_shm_release:60: shm->pages[14] is NULL [ 21.351003] tee_shm_release:60: shm->pages[15] is NULL [ 21.351012] tee_shm_release:60: shm->pages[16] is NULL According to the above logs, shm->num_pages is 17 but the pages array contains NULL pointers so that it causes a NULL pointer dereference bug. I have confirmed that I can prevent NULL pointer dereference by making the following changes. diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 2a7d253d9c55..c5d39a0efbdb 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -34,9 +34,16 @@ static void shm_get_kernel_pages(struct page **pages, size_t page_count) static void release_registered_pages(struct tee_shm *shm) { if (shm->pages) { - if (shm->flags & TEE_SHM_USER_MAPPED) - unpin_user_pages(shm->pages, shm->num_pages); - else + if (shm->flags & TEE_SHM_USER_MAPPED) { + size_t num_pages = 0; + size_t i; + for (i = 0; i < shm->num_pages; i++, num_pages++) { + if (!shm->pages[i]) + break; + } + + unpin_user_pages(shm->pages, num_pages); + } else shm_put_kernel_pages(shm->pages, shm->num_pages); kfree(shm->pages); Regards, -- Masami Ichikawa

6 days, 1 hour

3
5
0 0

[bug report] tee: add Qualcomm TEE driver

by Dan Carpenter

Hello Amirreza Zarrabi, Commit d6e290837e50 ("tee: add Qualcomm TEE driver") from Sep 11, 2025 (linux-next), leads to the following Smatch static checker warning: drivers/tee/qcomtee/core.c:104 qcomtee_do_release_qtee_object() error: uninitialized symbol 'result'. drivers/tee/qcomtee/core.c 81 static void qcomtee_do_release_qtee_object(struct work_struct *work) 82 { 83 struct qcomtee_object *object; 84 struct qcomtee *qcomtee; 85 int ret, result; 86 87 /* RELEASE does not require any argument. */ 88 struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } }; 89 90 object = container_of(work, struct qcomtee_object, work); 91 qcomtee = tee_get_drvdata(object->info.qcomtee_async_ctx->teedev); 92 /* Get the TEE context used for asynchronous operations. */ 93 qcomtee->oic.ctx = object->info.qcomtee_async_ctx; 94 95 ret = qcomtee_object_do_invoke_internal(&qcomtee->oic, object, 96 QCOMTEE_MSG_OBJECT_OP_RELEASE, 97 args, &result); 98 99 /* Is it safe to retry the release? */ 100 if (ret && ret != -ENODEV) { 101 queue_work(qcomtee->wq, &object->work); 102 } else { 103 if (ret || result) --> 104 pr_err("%s release failed, ret = %d (%x)\n", 105 qcomtee_object_name(object), ret, result); ^^^^^^ result could be uninitialized if ret is non-zero. 106 qcomtee_qtee_object_free(object); 107 } 108 } regards, dan carpenter

6 days, 21 hours

1
0
0 0

[GIT PULL] TEE add QCOMTEE driver for v6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull this set of patches [1] adding a Qualcomm TEE (QTEE) driver to the TEE subsystem as described below. The QTEE patches depend on two patches from branch '20250911-qcom-tee-using-tee-ss-without-mem-obj-v12-2-17f07a942b8d(a)oss.qualcomm.com' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux Björn asked me [2] to pull them from his tree. This pull request is based on my previous pull request with tee-prot-dma-buf-for-v6.18 to avoid a few conflicts when merging. [1] https://lore.kernel.org/op-tee/20250911-qcom-tee-using-tee-ss-without-mem-o… [2] https://lore.kernel.org/op-tee/mir6lhkj456ra3i6w7def4rrtzw663f66l66cz4s3gxx… Thanks, Jens The following changes since commit dbc2868b7b57fb4caa8e44a69e882dcf8e8d59bf: optee: smc abi: dynamic protected memory allocation (2025-09-11 11:22:43 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-qcomtee-for-v6.18 for you to fetch changes up to dcc7a571a3665a16581b5b18ca6b113f60a9a41a: Documentation: tee: Add Qualcomm TEE driver (2025-09-15 17:34:06 +0200) ---------------------------------------------------------------- Add Qualcomm TEE driver (QTEE) This introduces a Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE). QTEE enables Trusted Applications (TAs) and services to run securely. It uses an object-based interface, where each service is an object with sets of operations. Kernel and userspace services are also available to QTEE through a similar approach. QTEE makes callback requests that are converted into object invocations. These objects can represent services within the kernel or userspace process. We extend the TEE subsystem to understand object parameters and an ioctl call so client can invoke objects in QTEE: - TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_* - TEE_IOC_OBJECT_INVOKE The existing ioctl calls TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND are used for invoking services in the userspace process by QTEE. The TEE backend driver uses the QTEE Transport Message to communicate with QTEE. Interactions through the object INVOKE interface are translated into QTEE messages. Likewise, object invocations from QTEE for userspace objects are converted into SEND/RECV ioctl calls to supplicants. ---------------------------------------------------------------- Amirreza Zarrabi (11): firmware: qcom: tzmem: export shm_bridge create/delete firmware: qcom: scm: add support for object invocation tee: allow a driver to allocate a tee_device without a pool tee: add close_context to TEE driver operation tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF tee: increase TEE_MAX_ARG_SIZE to 4096 tee: add Qualcomm TEE driver tee: qcom: add primordial object tee: qcom: enable TEE_IOC_SHM_ALLOC ioctl Documentation: tee: Add Qualcomm TEE driver Jens Wiklander (1): Merge branch '20250911-qcom-tee-using-tee-ss-without-mem-obj-v12-2-17f07a942b8d(a)oss.qualcomm.com' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux Documentation/tee/index.rst | 1 + Documentation/tee/qtee.rst | 96 ++++ MAINTAINERS | 7 + drivers/firmware/qcom/qcom_scm.c | 119 ++++ drivers/firmware/qcom/qcom_scm.h | 7 + drivers/firmware/qcom/qcom_tzmem.c | 63 ++- drivers/tee/Kconfig | 1 + drivers/tee/Makefile | 1 + drivers/tee/qcomtee/Kconfig | 12 + drivers/tee/qcomtee/Makefile | 9 + drivers/tee/qcomtee/async.c | 182 ++++++ drivers/tee/qcomtee/call.c | 820 +++++++++++++++++++++++++++ drivers/tee/qcomtee/core.c | 915 +++++++++++++++++++++++++++++++ drivers/tee/qcomtee/mem_obj.c | 169 ++++++ drivers/tee/qcomtee/primordial_obj.c | 113 ++++ drivers/tee/qcomtee/qcomtee.h | 185 +++++++ drivers/tee/qcomtee/qcomtee_msg.h | 304 ++++++++++ drivers/tee/qcomtee/qcomtee_object.h | 316 +++++++++++ drivers/tee/qcomtee/shm.c | 150 +++++ drivers/tee/qcomtee/user_obj.c | 692 +++++++++++++++++++++++ drivers/tee/tee_core.c | 127 ++++- drivers/tee/tee_private.h | 6 - include/linux/firmware/qcom/qcom_scm.h | 6 + include/linux/firmware/qcom/qcom_tzmem.h | 15 + include/linux/tee_core.h | 54 +- include/linux/tee_drv.h | 12 + include/uapi/linux/tee.h | 56 +- 27 files changed, 4410 insertions(+), 28 deletions(-) create mode 100644 Documentation/tee/qtee.rst create mode 100644 drivers/tee/qcomtee/Kconfig create mode 100644 drivers/tee/qcomtee/Makefile create mode 100644 drivers/tee/qcomtee/async.c create mode 100644 drivers/tee/qcomtee/call.c create mode 100644 drivers/tee/qcomtee/core.c create mode 100644 drivers/tee/qcomtee/mem_obj.c create mode 100644 drivers/tee/qcomtee/primordial_obj.c create mode 100644 drivers/tee/qcomtee/qcomtee.h create mode 100644 drivers/tee/qcomtee/qcomtee_msg.h create mode 100644 drivers/tee/qcomtee/qcomtee_object.h create mode 100644 drivers/tee/qcomtee/shm.c create mode 100644 drivers/tee/qcomtee/user_obj.c

1 week, 2 days

1
0
0 0

2025

2024

2023

2022

2021

2020

OP-TEE