- OP-TEE - lists.trustedfirmware.org

[PATCH] tee: clean up tee_core.h kernel-doc

by Randy Dunlap

Use the correct struct member name and function parameter name in kernel-doc comments. Move a macro that was between a struct's documentation and its declaration. These eliminate the following kernel-doc warnings: Warning: include/linux/tee_core.h:73 struct member 'c_no_users' not described in 'tee_device' Warning: include/linux/tee_core.h:132 #define TEE_DESC_PRIVILEGED 0x1; error: Cannot parse struct or union! Warning: include/linux/tee_core.h:257 function parameter 'connection_data' not described in 'tee_session_calc_client_uuid' Warning: include/linux/tee_core.h:320 function parameter 'teedev' not described in 'tee_get_drvdata' Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> --- Cc: Jens Wiklander <jens.wiklander(a)linaro.org> Cc: Sumit Garg <sumit.garg(a)kernel.org> Cc: op-tee(a)lists.trustedfirmware.org include/linux/tee_core.h | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) --- linux-next-20260309.orig/include/linux/tee_core.h +++ linux-next-20260309/include/linux/tee_core.h @@ -50,7 +50,7 @@ enum tee_dma_heap_id { * @dev: embedded basic device structure * @cdev: embedded cdev * @num_users: number of active users of this device - * @c_no_user: completion used when unregistering the device + * @c_no_users: completion used when unregistering the device * @mutex: mutex protecting @num_users and @idr * @idr: register of user space shared memory objects allocated or * registered on this device @@ -132,6 +132,7 @@ struct tee_driver_ops { /* Size for TEE revision string buffer used by get_tee_revision(). */ #define TEE_REVISION_STR_SIZE 128 +#define TEE_DESC_PRIVILEGED 0x1 /** * struct tee_desc - Describes the TEE driver to the subsystem * @name: name of driver @@ -139,7 +140,6 @@ struct tee_driver_ops { * @owner: module providing the driver * @flags: Extra properties of driver, defined by TEE_DESC_* below */ -#define TEE_DESC_PRIVILEGED 0x1 struct tee_desc { const char *name; const struct tee_driver_ops *ops; @@ -187,7 +187,7 @@ struct tee_protmem_pool_ops { * Allocates a new struct tee_device instance. The device is * removed by tee_device_unregister(). * - * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure + * @returns: a pointer to a 'struct tee_device' or an ERR_PTR on failure */ struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, struct device *dev, @@ -201,7 +201,7 @@ struct tee_device *tee_device_alloc(cons * tee_device_unregister() need to be called to remove the @teedev if * this function fails. * - * @returns < 0 on failure + * @returns: < 0 on failure */ int tee_device_register(struct tee_device *teedev); @@ -254,14 +254,14 @@ void tee_device_set_dev_groups(struct te * tee_session_calc_client_uuid() - Calculates client UUID for session * @uuid: Resulting UUID * @connection_method: Connection method for session (TEE_IOCTL_LOGIN_*) - * @connectuon_data: Connection data for opening session + * @connection_data: Connection data for opening session * * Based on connection method calculates UUIDv5 based client UUID. * * For group based logins verifies that calling process has specified * credentials. * - * @return < 0 on failure + * @returns: < 0 on failure */ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, const u8 connection_data[TEE_IOCTL_UUID_LEN]); @@ -295,7 +295,7 @@ struct tee_shm_pool_ops { * @paddr: Physical address of start of pool * @size: Size in bytes of the pool * - * @returns pointer to a 'struct tee_shm_pool' or an ERR_PTR on failure. + * @returns: pointer to a 'struct tee_shm_pool' or an ERR_PTR on failure. */ struct tee_shm_pool *tee_shm_pool_alloc_res_mem(unsigned long vaddr, phys_addr_t paddr, size_t size, @@ -318,14 +318,16 @@ static inline void tee_shm_pool_free(str * @paddr: Physical address of start of pool * @size: Size in bytes of the pool * - * @returns pointer to a 'struct tee_protmem_pool' or an ERR_PTR on failure. + * @returns: pointer to a 'struct tee_protmem_pool' or an ERR_PTR on failure. */ struct tee_protmem_pool *tee_protmem_static_pool_alloc(phys_addr_t paddr, size_t size); /** * tee_get_drvdata() - Return driver_data pointer - * @returns the driver_data pointer supplied to tee_register(). + * @teedev: Pointer to the tee_device + * + * @returns: the driver_data pointer supplied to tee_register(). */ void *tee_get_drvdata(struct tee_device *teedev); @@ -334,7 +336,7 @@ void *tee_get_drvdata(struct tee_device * TEE driver * @ctx: The TEE context for shared memory allocation * @size: Shared memory allocation size - * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure + * @returns: a pointer to 'struct tee_shm' on success or an ERR_PTR on failure */ struct tee_shm *tee_shm_alloc_priv_buf(struct tee_context *ctx, size_t size); @@ -354,7 +356,7 @@ void tee_dyn_shm_free_helper(struct tee_ /** * tee_shm_is_dynamic() - Check if shared memory object is of the dynamic kind * @shm: Shared memory handle - * @returns true if object is dynamic shared memory + * @returns: true if object is dynamic shared memory */ static inline bool tee_shm_is_dynamic(struct tee_shm *shm) { @@ -370,7 +372,7 @@ void tee_shm_put(struct tee_shm *shm); /** * tee_shm_get_id() - Get id of a shared memory object * @shm: Shared memory handle - * @returns id + * @returns: id */ static inline int tee_shm_get_id(struct tee_shm *shm) { @@ -382,7 +384,7 @@ static inline int tee_shm_get_id(struct * count * @ctx: Context owning the shared memory * @id: Id of shared memory object - * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure + * @returns: a pointer to 'struct tee_shm' on success or an ERR_PTR on failure */ struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id); @@ -402,7 +404,7 @@ static inline bool tee_param_is_memref(s * teedev_open() - Open a struct tee_device * @teedev: Device to open * - * @return a pointer to struct tee_context on success or an ERR_PTR on failure. + * @returns: pointer to struct tee_context on success or an ERR_PTR on failure. */ struct tee_context *teedev_open(struct tee_device *teedev);

3 months, 1 week

3
2
0 0

[PATCH v4] arm64: defconfig: Enable QCOMTEE module for QTEE-enabled Qualcomm SoCs

by Harshal Dev

All Qualcomm SoCs starting from SM8650 provide access to the Qualcomm Trusted Execution Environment (QTEE) through the SMCInvoke interface, implemented by the QCOMTEE driver. QTEE runs in the Secure World domain on ARM64 CPUs and exposes secure services to Linux running in the Normal World domain. This change enables the QCOMTEE driver as a module to support communication with QTEE. QCOMTEE has been tested on a Qualcomm RB3Gen2 board by loading and executing a Trusted Application via tests hosted at github.com/qualcomm/minkipc. Signed-off-by: Harshal Dev <harshal.dev(a)oss.qualcomm.com> --- Changes in v4: - Updated the commit message as per discussion to clarify the following: - Why we are enabling QCOMTEE for all arm64 boards. - From which Qualcomm SoC onwards the driver is applicable. - What functionality the driver provides. - How the functionality has been tested and on which board. - Link to v3: https://lore.kernel.org/r/20251208-qcom_qcomtee_defconfig-v3-1-b50dcf8ab45e… Changes in v3: - Updated the commit message to reflect the supported Qualcomm platforms. - Link to v2: https://lore.kernel.org/r/20251205-qcom_qcomtee_defconfig-v2-1-c92560b0346e… Changes in v2: - Updated CONFIG_QCOMTEE flag to 'm' since QCOMTEE can be built as a module. - Link to v1: https://lore.kernel.org/r/20251202-qcom_qcomtee_defconfig-v1-1-11bfe40a8ea4… --- arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index cdb7d69e3b24..e952d24bef77 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -1789,6 +1789,7 @@ CONFIG_FPGA_MGR_ZYNQMP_FPGA=m CONFIG_FPGA_MGR_VERSAL_FPGA=m CONFIG_TEE=y CONFIG_OPTEE=y +CONFIG_QCOMTEE=m CONFIG_MUX_GPIO=m CONFIG_MUX_MMIO=y CONFIG_SLIMBUS=m --- base-commit: 47b7b5e32bb7264b51b89186043e1ada4090b558 change-id: 20251202-qcom_qcomtee_defconfig-8dc0fed1411b Best regards, -- Harshal Dev <harshal.dev(a)oss.qualcomm.com>

3 months, 1 week

6
12
0 0

[RFT PATCH v2] tee: shm: Remove refcounting of kernel pages

by Sumit Garg

From: Matthew Wilcox <willy(a)infradead.org> Earlier TEE subsystem assumed to refcount all the memory pages to be shared with TEE implementation to be refcounted. However, the slab allocations within the kernel don't allow refcounting kernel pages. It is rather better to trust the kernel clients to not free pages while being shared with TEE implementation. Hence, remove refcounting of kernel pages from register_shm_helper() API. Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") Reported-by: Marco Felsch <m.felsch(a)pengutronix.de> Reported-by: Sven Püschel <s.pueschel(a)pengutronix.de> Signed-off-by: Matthew Wilcox <willy(a)infradead.org> Co-developed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> --- Changes in v2: - Attribute Matthew as the author of this patch. - Fix check for user pages. drivers/tee/tee_shm.c | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 4a47de4bb2e5..898707ca21a8 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -23,29 +23,11 @@ struct tee_shm_dma_mem { struct page *page; }; -static void shm_put_kernel_pages(struct page **pages, size_t page_count) -{ - size_t n; - - for (n = 0; n < page_count; n++) - put_page(pages[n]); -} - -static void shm_get_kernel_pages(struct page **pages, size_t page_count) -{ - size_t n; - - for (n = 0; n < page_count; n++) - get_page(pages[n]); -} - static void release_registered_pages(struct tee_shm *shm) { if (shm->pages) { if (shm->flags & TEE_SHM_USER_MAPPED) unpin_user_pages(shm->pages, shm->num_pages); - else - shm_put_kernel_pages(shm->pages, shm->num_pages); kfree(shm->pages); } @@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, goto err_put_shm_pages; } - /* - * iov_iter_extract_kvec_pages does not get reference on the pages, - * get a reference on them. - */ - if (iov_iter_is_kvec(iter)) - shm_get_kernel_pages(shm->pages, num_pages); - shm->offset = off; shm->size = len; shm->num_pages = num_pages; @@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, err_put_shm_pages: if (!iov_iter_is_kvec(iter)) unpin_user_pages(shm->pages, shm->num_pages); - else - shm_put_kernel_pages(shm->pages, shm->num_pages); err_free_shm_pages: kfree(shm->pages); err_free_shm: -- 2.51.0

3 months, 2 weeks

3
2
0 0

[PATCH 0/3] OP-TEE/OP-TEE drivers: simplify context matches

by Rouven Czerwinski via B4 Relay

Both the OP-TEE core and some OP-TEE drivers use an if/else expression to check a boolean which can instead be returned directly. Implement this change. --- Rouven Czerwinski (3): optee: simplify OP-TEE context match hwrng: optee - simplify OP-TEE context match rtc: optee: simplify OP-TEE context match drivers/char/hw_random/optee-rng.c | 5 +---- drivers/rtc/rtc-optee.c | 5 +---- drivers/tee/optee/device.c | 5 +---- 3 files changed, 3 insertions(+), 12 deletions(-) --- base-commit: 63804fed149a6750ffd28610c5c1c98cce6bd377 change-id: 20260126-optee-simplify-context-match-d5b3467bfacc Best regards, -- Rouven Czerwinski <rouven.czerwinski(a)linaro.org>

3 months, 3 weeks

6
8
0 0

Re: [PATCH v5] tee: optee: prevent use-after-free when the client exits before the supplicant

by Yuanjia Yeh

Hi all, We can reproduce the reported use-after-free issue on our platform via an overnight reboot test The verifications are listed as the following - With v2 + Michael Wu's patch: Issue resolved. - With v4: Race condition observation and already report to Amir - With v5: Race fixed. Stable in our tests, including: xtest + reboot loop (300 cycles) continuous reboot test (1000 cycles) No regressions observed with v5. If there are no other concerns, we recommend adopting v5. If needed, please add the following tag: Tested-by: Ox Yeh <ox.yeh(a)mediatek.com> Yuanjia Yeh

3 months, 3 weeks

3
3
0 0

OP-TEE Contributions Forum, monthly meeting February 24

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - Rebased linaro-swg/kernel optee branch on v6.18 Any other topics? Cheers, Jens

3 months, 4 weeks

1
0
0 0

[RFT PATCH] tee: shm: Remove refcounting of kernel pages

by Sumit Garg

From: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Earlier TEE subsystem assumed to refcount all the memory pages to be shared with TEE implementation to be refcounted. However, the slab allocations within the kernel don't allow refcounting kernel pages. It is rather better to trust the kernel clients to not free pages while being shared with TEE implementation. Hence, remove refcounting of kernel pages from register_shm_helper() API. Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") Reported-by: Marco Felsch <m.felsch(a)pengutronix.de> Reported-by: Sven Püschel <s.pueschel(a)pengutronix.de> Suggested-by: Matthew Wilcox <willy(a)infradead.org> Signed-off-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> --- drivers/tee/tee_shm.c | 29 +---------------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 4a47de4bb2e5..54e2ba3afb25 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -23,29 +23,11 @@ struct tee_shm_dma_mem { struct page *page; }; -static void shm_put_kernel_pages(struct page **pages, size_t page_count) -{ - size_t n; - - for (n = 0; n < page_count; n++) - put_page(pages[n]); -} - -static void shm_get_kernel_pages(struct page **pages, size_t page_count) -{ - size_t n; - - for (n = 0; n < page_count; n++) - get_page(pages[n]); -} - static void release_registered_pages(struct tee_shm *shm) { if (shm->pages) { if (shm->flags & TEE_SHM_USER_MAPPED) unpin_user_pages(shm->pages, shm->num_pages); - else - shm_put_kernel_pages(shm->pages, shm->num_pages); kfree(shm->pages); } @@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, goto err_put_shm_pages; } - /* - * iov_iter_extract_kvec_pages does not get reference on the pages, - * get a reference on them. - */ - if (iov_iter_is_kvec(iter)) - shm_get_kernel_pages(shm->pages, num_pages); - shm->offset = off; shm->size = len; shm->num_pages = num_pages; @@ -497,10 +472,8 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, return shm; err_put_shm_pages: - if (!iov_iter_is_kvec(iter)) + if (iter_is_uvec(iter)) unpin_user_pages(shm->pages, shm->num_pages); - else - shm_put_kernel_pages(shm->pages, shm->num_pages); err_free_shm_pages: kfree(shm->pages); err_free_shm: -- 2.51.0

4 months

4
6
0 0

[PATCH v20 0/6] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V19[3]: -------------------------------- The devicetree is now structured as follows: firmware { optee { compatible = "linaro,optee-tz"; method = "smc"; #address-cells = <1>; #size-cells = <0>; rproc-service@0 { compatible = "rproc-service-80a4c275-0a47-4905-8285-1486a9771a08"; reg = <0>; #address-cells = <1>; #size-cells = <0>; status = "okay"; m4: m4@0 { compatible = "st,stm32mp15-m4-tee"; reg = <0>; mboxes = <&ipcc 0>, <&ipcc 1>, <&ipcc 2>; mbox-names = "vq0", "vq1", "shutdown"; memory-region = <&vdev0vring0>, <&m_ipc_shm>, <&mcuram2>, <&vdev0vring1>, <&vdev0buffer>, <&retram>; interrupt-parent = <&exti>; interrupts = <68 1>; status = "okay"; }; }; }; }; As a consequence, this version: - Introduces a new stm32_rproc_tee.c remoteproc driver. Instead of further complicating the existing stm32_rproc.c driver, a dedicated TEE-based driver is added. Both drivers are intended to also support the STM32MP2x Cortex-M33 remote processor in a next step. - Reworks the bindings: - Drop the st,stm32-rproc.yaml updates that were introduced in previous revisions. - Add remoteproc-tee.yaml for the "rproc-service-80a4c275-0a47-4905-8285-1486a9771a08" compatible. - Add st,stm32-rproc-tee.yaml for the "st,stm32mp15-m4-tee" compatible. - Reworks the probing sequence: The m4@0 device is now probed by the remoteproc-tee driver, which itself is instantiated by the TEE (OP-TEE) bus. Main updates from version V18[2]: -------------------------------- - rework documentation for the release_fw ops - rework function documentation in remoteproc_tee.c - replace spinlock by mutex and generalize usage in remoteproc_tee.c Main updates from version V17[1]: -------------------------------- - Fix: warning: EXPORT_SYMBOL() is used, but #include <linux/export.h> is missing More details are available in each patch commit message. [1] https://lore.kernel.org/linux-remoteproc/20250613091650.2337411-1-arnaud.po… [2] https://lore.kernel.org/linux-remoteproc/20250616075530.4106090-1-arnaud.po… [3] https://lore.kernel.org/linux-devicetree/20250625094028.758016-1-arnaud.pou… Tested-on: --------- commit 7d0a66e4bb90 ("Linux 6.18") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact. The user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (6): dt-bindings: firmware: Add TEE remoteproc service binding dt-bindings: remoteproc: Add STM32 TEE-controlled rproc binding remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Introduce optional release_fw operation remoteproc: Add TEE support remoteproc: stm32: Add TEE-controlled STM32 driver .../arm/firmware/linaro,optee-tz.yaml | 6 + .../bindings/remoteproc/remoteproc-tee.yaml | 47 ++ .../remoteproc/st,stm32-rproc-tee.yaml | 100 +++ drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 3 +- drivers/remoteproc/remoteproc_core.c | 52 ++ drivers/remoteproc/remoteproc_internal.h | 6 + drivers/remoteproc/remoteproc_tee.c | 771 ++++++++++++++++++ drivers/remoteproc/stm32_rproc_tee.c | 526 ++++++++++++ include/linux/remoteproc.h | 6 + include/linux/remoteproc_tee.h | 89 ++ 11 files changed, 1615 insertions(+), 1 deletion(-) create mode 100644 Documentation/devicetree/bindings/remoteproc/remoteproc-tee.yaml create mode 100644 Documentation/devicetree/bindings/remoteproc/st,stm32-rproc-tee.yaml create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 drivers/remoteproc/stm32_rproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 -- 2.43.0

4 months

4
17
0 0

[PATCH v5] tee: optee: prevent use-after-free when the client exits before the supplicant

by Amirreza Zarrabi

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- Changes in v5: - Move idr_alloc() inside the supp->mutex, reported by Yuanjia Yeh. - Link to v4: https://lore.kernel.org/r/20260209-fix-use-after-free-v4-1-7c4c4b02368f@oss… Changes in v4: - Pre-allocate request ID when allocating the request. - Cleanup the loop in optee_supp_recv(). - Update the return value for revoked request from -ENOENT to -EBADF. - Link to v3: https://lore.kernel.org/r/20260128-fix-use-after-free-v3-1-b0786670d927@oss… Changes in v3: - Introduce processed flag instead of -1 for req->id. - Update optee_supp_release() as reported by Michael Wu. - Use mutex instead of guard. - Link to v2: https://lore.kernel.org/r/20250617-fix-use-after-free-v2-1-1fbfafec5917@oss… Changes in v2: - Replace the static variable with a sentinel value. - Fix the issue with returning the popped request to the supplicant. - Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss… --- drivers/tee/optee/supp.c | 107 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 74 insertions(+), 33 deletions(-) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index d0f397c90242..2386bbd38ce7 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -10,7 +10,11 @@ struct optee_supp_req { struct list_head link; + int id; + bool in_queue; + bool processed; + u32 func; u32 ret; size_t num_params; @@ -19,6 +23,9 @@ struct optee_supp_req { struct completion c; }; +/* It is temporary request used for revoked pending request in supp->idr. */ +#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-EBADF)) + void optee_supp_init(struct optee_supp *supp) { memset(supp, 0, sizeof(*supp)); @@ -39,21 +46,23 @@ void optee_supp_release(struct optee_supp *supp) { int id; struct optee_supp_req *req; - struct optee_supp_req *req_tmp; mutex_lock(&supp->mutex); - /* Abort all request retrieved by supplicant */ + /* Abort all request */ idr_for_each_entry(&supp->idr, req, id) { idr_remove(&supp->idr, id); - req->ret = TEEC_ERROR_COMMUNICATION; - complete(&req->c); - } + /* Skip if request was already marked invalid */ + if (IS_ERR(req)) + continue; - /* Abort all queued requests */ - list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) { - list_del(&req->link); - req->in_queue = false; + /* For queued requests where supplicant has not seen it */ + if (req->in_queue) { + list_del(&req->link); + req->in_queue = false; + } + + req->processed = true; req->ret = TEEC_ERROR_COMMUNICATION; complete(&req->c); } @@ -100,8 +109,16 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, /* Insert the request in the request list */ mutex_lock(&supp->mutex); + req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); + if (req->id < 0) { + mutex_unlock(&supp->mutex); + kfree(req); + return TEEC_ERROR_OUT_OF_MEMORY; + } + list_add_tail(&req->link, &supp->reqs); req->in_queue = true; + req->processed = false; mutex_unlock(&supp->mutex); /* Tell an eventual waiter there's a new request */ @@ -117,21 +134,43 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, if (wait_for_completion_killable(&req->c)) { mutex_lock(&supp->mutex); if (req->in_queue) { + /* Supplicant has not seen this request yet. */ + idr_remove(&supp->idr, req->id); list_del(&req->link); req->in_queue = false; + + ret = TEEC_ERROR_COMMUNICATION; + } else if (req->processed) { + /* + * Supplicant has processed this request. Ignore the + * kill signal for now and submit the result. req is not + * in supp->reqs (removed by supp_pop_entry()) nor in + * supp->idr (removed by supp_pop_req()). + */ + ret = req->ret; + } else { + /* + * Supplicant is in the middle of processing this + * request. Replace req with INVALID_REQ_PTR so that + * the ID remains busy, causing optee_supp_send() to + * fail on the next call to supp_pop_req() with this ID. + */ + idr_replace(&supp->idr, INVALID_REQ_PTR, req->id); + ret = TEEC_ERROR_COMMUNICATION; } + mutex_unlock(&supp->mutex); - req->ret = TEEC_ERROR_COMMUNICATION; + } else { + ret = req->ret; } - ret = req->ret; kfree(req); return ret; } static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, - int num_params, int *id) + int num_params) { struct optee_supp_req *req; @@ -153,10 +192,6 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, return ERR_PTR(-EINVAL); } - *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); - if (*id < 0) - return ERR_PTR(-ENOMEM); - list_del(&req->link); req->in_queue = false; @@ -214,7 +249,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, struct optee *optee = tee_get_drvdata(teedev); struct optee_supp *supp = &optee->supp; struct optee_supp_req *req = NULL; - int id; size_t num_meta; int rc; @@ -224,15 +258,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, while (true) { mutex_lock(&supp->mutex); - req = supp_pop_entry(supp, *num_params - num_meta, &id); + req = supp_pop_entry(supp, *num_params - num_meta); + if (req) + break; /* Keep mutex held. */ mutex_unlock(&supp->mutex); - if (req) { - if (IS_ERR(req)) - return PTR_ERR(req); - break; - } - /* * If we didn't get a request we'll block in * wait_for_completion() to avoid needless spinning. @@ -245,6 +275,13 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, return -ERESTARTSYS; } + /* supp->mutex held and req != NULL. */ + + if (IS_ERR(req)) { + mutex_unlock(&supp->mutex); + return PTR_ERR(req); + } + if (num_meta) { /* * tee-supplicant support meta parameters -> requsts can be @@ -252,13 +289,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, */ param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | TEE_IOCTL_PARAM_ATTR_META; - param->u.value.a = id; + param->u.value.a = req->id; param->u.value.b = 0; param->u.value.c = 0; } else { - mutex_lock(&supp->mutex); - supp->req_id = id; - mutex_unlock(&supp->mutex); + supp->req_id = req->id; } *func = req->func; @@ -266,6 +301,7 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, memcpy(param + num_meta, req->param, sizeof(struct tee_param) * req->num_params); + mutex_unlock(&supp->mutex); return 0; } @@ -297,12 +333,17 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp, if (!req) return ERR_PTR(-ENOENT); + /* optee_supp_thrd_req() already returned to optee. */ + if (IS_ERR(req)) + goto failed_req; + if ((num_params - nm) != req->num_params) return ERR_PTR(-EINVAL); + *num_meta = nm; +failed_req: idr_remove(&supp->idr, id); supp->req_id = -1; - *num_meta = nm; return req; } @@ -328,10 +369,9 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, mutex_lock(&supp->mutex); req = supp_pop_req(supp, num_params, param, &num_meta); - mutex_unlock(&supp->mutex); - if (IS_ERR(req)) { - /* Something is wrong, let supplicant restart. */ + mutex_unlock(&supp->mutex); + /* Something is wrong, let supplicant handel it. */ return PTR_ERR(req); } @@ -355,9 +395,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, } } req->ret = ret; - + req->processed = true; /* Let the requesting thread continue */ complete(&req->c); + mutex_unlock(&supp->mutex); return 0; } --- base-commit: 3f24e4edcd1b8981c6b448ea2680726dedd87279 change-id: 20250604-fix-use-after-free-8ff1b5d5d774 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

4 months

1
0
0 0

[PATCH v2] tee: shm: fix slab page refcounting

by Marco Felsch

Skip manipulating the refcount in case of slab pages according commit b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page"). Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") Signed-off-by: Marco Felsch <m.felsch(a)pengutronix.de> --- v2: - Make use of page variable v1: - https://lore.kernel.org/all/20250325195021.3589797-1-m.felsch@pengutronix.d… drivers/tee/tee_shm.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..35f0ac359b12 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -19,16 +19,24 @@ static void shm_put_kernel_pages(struct page **pages, size_t page_count) { size_t n; - for (n = 0; n < page_count; n++) - put_page(pages[n]); + for (n = 0; n < page_count; n++) { + struct page *page = pages[n]; + + if (!PageSlab(page)) + put_page(page); + } } static void shm_get_kernel_pages(struct page **pages, size_t page_count) { size_t n; - for (n = 0; n < page_count; n++) - get_page(pages[n]); + for (n = 0; n < page_count; n++) { + struct page *page = pages[n]; + + if (!PageSlab(page)) + get_page(page); + } } static void release_registered_pages(struct tee_shm *shm) -- 2.39.5

4 months, 1 week

5
17
0 0

[PATCH v4] tee: optee: prevent use-after-free when the client exits before the supplicant

by Amirreza Zarrabi

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- Changes in v4: - Pre-allocate request ID when allocating the request. - Cleanup the loop in optee_supp_recv(). - Update the return value for revoked request from -ENOENT to -EBADF. - Link to v3: https://lore.kernel.org/r/20260128-fix-use-after-free-v3-1-b0786670d927@oss… Changes in v3: - Introduce processed flag instead of -1 for req->id. - Update optee_supp_release() as reported by Michael Wu. - Use mutex instead of guard. - Link to v2: https://lore.kernel.org/r/20250617-fix-use-after-free-v2-1-1fbfafec5917@oss… Changes in v2: - Replace the static variable with a sentinel value. - Fix the issue with returning the popped request to the supplicant. - Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss… --- drivers/tee/optee/supp.c | 106 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 73 insertions(+), 33 deletions(-) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index d0f397c90242..c1ae76df7067 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -10,7 +10,11 @@ struct optee_supp_req { struct list_head link; + int id; + bool in_queue; + bool processed; + u32 func; u32 ret; size_t num_params; @@ -19,6 +23,9 @@ struct optee_supp_req { struct completion c; }; +/* It is temporary request used for revoked pending request in supp->idr. */ +#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-EBADF)) + void optee_supp_init(struct optee_supp *supp) { memset(supp, 0, sizeof(*supp)); @@ -39,21 +46,23 @@ void optee_supp_release(struct optee_supp *supp) { int id; struct optee_supp_req *req; - struct optee_supp_req *req_tmp; mutex_lock(&supp->mutex); - /* Abort all request retrieved by supplicant */ + /* Abort all request */ idr_for_each_entry(&supp->idr, req, id) { idr_remove(&supp->idr, id); - req->ret = TEEC_ERROR_COMMUNICATION; - complete(&req->c); - } + /* Skip if request was already marked invalid */ + if (IS_ERR(req)) + continue; - /* Abort all queued requests */ - list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) { - list_del(&req->link); - req->in_queue = false; + /* For queued requests where supplicant has not seen it */ + if (req->in_queue) { + list_del(&req->link); + req->in_queue = false; + } + + req->processed = true; req->ret = TEEC_ERROR_COMMUNICATION; complete(&req->c); } @@ -93,6 +102,12 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, if (!req) return TEEC_ERROR_OUT_OF_MEMORY; + req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); + if (req->id < 0) { + kfree(req); + return TEEC_ERROR_OUT_OF_MEMORY; + } + init_completion(&req->c); req->func = func; req->num_params = num_params; @@ -102,6 +117,7 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, mutex_lock(&supp->mutex); list_add_tail(&req->link, &supp->reqs); req->in_queue = true; + req->processed = false; mutex_unlock(&supp->mutex); /* Tell an eventual waiter there's a new request */ @@ -117,21 +133,43 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, if (wait_for_completion_killable(&req->c)) { mutex_lock(&supp->mutex); if (req->in_queue) { + /* Supplicant has not seen this request yet. */ + idr_remove(&supp->idr, req->id); list_del(&req->link); req->in_queue = false; + + ret = TEEC_ERROR_COMMUNICATION; + } else if (req->processed) { + /* + * Supplicant has processed this request. Ignore the + * kill signal for now and submit the result. req is not + * in supp->reqs (removed by supp_pop_entry()) nor in + * supp->idr (removed by supp_pop_req()). + */ + ret = req->ret; + } else { + /* + * Supplicant is in the middle of processing this + * request. Replace req with INVALID_REQ_PTR so that + * the ID remains busy, causing optee_supp_send() to + * fail on the next call to supp_pop_req() with this ID. + */ + idr_replace(&supp->idr, INVALID_REQ_PTR, req->id); + ret = TEEC_ERROR_COMMUNICATION; } + mutex_unlock(&supp->mutex); - req->ret = TEEC_ERROR_COMMUNICATION; + } else { + ret = req->ret; } - ret = req->ret; kfree(req); return ret; } static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, - int num_params, int *id) + int num_params) { struct optee_supp_req *req; @@ -153,10 +191,6 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, return ERR_PTR(-EINVAL); } - *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); - if (*id < 0) - return ERR_PTR(-ENOMEM); - list_del(&req->link); req->in_queue = false; @@ -214,7 +248,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, struct optee *optee = tee_get_drvdata(teedev); struct optee_supp *supp = &optee->supp; struct optee_supp_req *req = NULL; - int id; size_t num_meta; int rc; @@ -224,15 +257,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, while (true) { mutex_lock(&supp->mutex); - req = supp_pop_entry(supp, *num_params - num_meta, &id); + req = supp_pop_entry(supp, *num_params - num_meta); + if (req) + break; /* Keep mutex held. */ mutex_unlock(&supp->mutex); - if (req) { - if (IS_ERR(req)) - return PTR_ERR(req); - break; - } - /* * If we didn't get a request we'll block in * wait_for_completion() to avoid needless spinning. @@ -245,6 +274,13 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, return -ERESTARTSYS; } + /* supp->mutex held and req != NULL. */ + + if (IS_ERR(req)) { + mutex_unlock(&supp->mutex); + return PTR_ERR(req); + } + if (num_meta) { /* * tee-supplicant support meta parameters -> requsts can be @@ -252,13 +288,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, */ param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | TEE_IOCTL_PARAM_ATTR_META; - param->u.value.a = id; + param->u.value.a = req->id; param->u.value.b = 0; param->u.value.c = 0; } else { - mutex_lock(&supp->mutex); - supp->req_id = id; - mutex_unlock(&supp->mutex); + supp->req_id = req->id; } *func = req->func; @@ -266,6 +300,7 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, memcpy(param + num_meta, req->param, sizeof(struct tee_param) * req->num_params); + mutex_unlock(&supp->mutex); return 0; } @@ -297,12 +332,17 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp, if (!req) return ERR_PTR(-ENOENT); + /* optee_supp_thrd_req() already returned to optee. */ + if (IS_ERR(req)) + goto failed_req; + if ((num_params - nm) != req->num_params) return ERR_PTR(-EINVAL); + *num_meta = nm; +failed_req: idr_remove(&supp->idr, id); supp->req_id = -1; - *num_meta = nm; return req; } @@ -328,10 +368,9 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, mutex_lock(&supp->mutex); req = supp_pop_req(supp, num_params, param, &num_meta); - mutex_unlock(&supp->mutex); - if (IS_ERR(req)) { - /* Something is wrong, let supplicant restart. */ + mutex_unlock(&supp->mutex); + /* Something is wrong, let supplicant handel it. */ return PTR_ERR(req); } @@ -355,9 +394,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, } } req->ret = ret; - + req->processed = true; /* Let the requesting thread continue */ complete(&req->c); + mutex_unlock(&supp->mutex); return 0; } --- base-commit: 3f24e4edcd1b8981c6b448ea2680726dedd87279 change-id: 20250604-fix-use-after-free-8ff1b5d5d774 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

4 months, 1 week

2
1
0 0

[PATCH v3] tee: optee: prevent use-after-free when the client exits before the supplicant

by Amirreza Zarrabi

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- Changes in v3: - Introduce processed flag instead of -1 for req->id. - Update optee_supp_release() as reported by Michael Wu. - Use mutex instead of guard. - Link to v2: https://lore.kernel.org/r/20250617-fix-use-after-free-v2-1-1fbfafec5917@oss… Changes in v2: - Replace the static variable with a sentinel value. - Fix the issue with returning the popped request to the supplicant. - Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss… --- drivers/tee/optee/supp.c | 122 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 86 insertions(+), 36 deletions(-) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index d0f397c90242..0ec66008df19 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -10,7 +10,11 @@ struct optee_supp_req { struct list_head link; + int id; + bool in_queue; + bool processed; + u32 func; u32 ret; size_t num_params; @@ -19,6 +23,9 @@ struct optee_supp_req { struct completion c; }; +/* It is temporary request used for invalid pending request in supp->idr. */ +#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-ENOENT)) + void optee_supp_init(struct optee_supp *supp) { memset(supp, 0, sizeof(*supp)); @@ -46,6 +53,10 @@ void optee_supp_release(struct optee_supp *supp) /* Abort all request retrieved by supplicant */ idr_for_each_entry(&supp->idr, req, id) { idr_remove(&supp->idr, id); + /* Skip if request was already marked invalid */ + if (IS_ERR(req)) + continue; + req->ret = TEEC_ERROR_COMMUNICATION; complete(&req->c); } @@ -102,6 +113,7 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, mutex_lock(&supp->mutex); list_add_tail(&req->link, &supp->reqs); req->in_queue = true; + req->processed = false; mutex_unlock(&supp->mutex); /* Tell an eventual waiter there's a new request */ @@ -117,21 +129,40 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, if (wait_for_completion_killable(&req->c)) { mutex_lock(&supp->mutex); if (req->in_queue) { + /* Supplicant has not seen this request yet. */ list_del(&req->link); req->in_queue = false; + + ret = TEEC_ERROR_COMMUNICATION; + } else if (req->processed) { + /* + * Supplicant has processed this request. Ignore the + * kill signal for now and submit the result. + */ + ret = req->ret; + } else { + /* + * Supplicant is in the middle of processing this + * request. Replace req with INVALID_REQ_PTR so that + * the ID remains busy, causing optee_supp_send() to + * fail on the next call to supp_pop_req() with this ID. + */ + idr_replace(&supp->idr, INVALID_REQ_PTR, req->id); + ret = TEEC_ERROR_COMMUNICATION; } + mutex_unlock(&supp->mutex); - req->ret = TEEC_ERROR_COMMUNICATION; + } else { + ret = req->ret; } - ret = req->ret; kfree(req); return ret; } static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, - int num_params, int *id) + int num_params) { struct optee_supp_req *req; @@ -153,8 +184,8 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, return ERR_PTR(-EINVAL); } - *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); - if (*id < 0) + req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); + if (req->id < 0) return ERR_PTR(-ENOMEM); list_del(&req->link); @@ -214,7 +245,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, struct optee *optee = tee_get_drvdata(teedev); struct optee_supp *supp = &optee->supp; struct optee_supp_req *req = NULL; - int id; size_t num_meta; int rc; @@ -224,15 +254,48 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, while (true) { mutex_lock(&supp->mutex); - req = supp_pop_entry(supp, *num_params - num_meta, &id); - mutex_unlock(&supp->mutex); - if (req) { - if (IS_ERR(req)) - return PTR_ERR(req); - break; + req = supp_pop_entry(supp, *num_params - num_meta); + if (!req) { + mutex_unlock(&supp->mutex); + goto wait_for_request; + } + + if (IS_ERR(req)) { + rc = PTR_ERR(req); + mutex_unlock(&supp->mutex); + + return rc; } + /* + * Process the request while holding the lock, so that + * optee_supp_thrd_req() doesn't pull the request from under us. + */ + + if (num_meta) { + /* + * tee-supplicant support meta parameters -> + * requests can be processed asynchronously. + */ + param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | + TEE_IOCTL_PARAM_ATTR_META; + param->u.value.a = req->id; + param->u.value.b = 0; + param->u.value.c = 0; + } else { + supp->req_id = req->id; + } + + *func = req->func; + *num_params = req->num_params + num_meta; + memcpy(param + num_meta, req->param, + sizeof(struct tee_param) * req->num_params); + + mutex_unlock(&supp->mutex); + return 0; + +wait_for_request: /* * If we didn't get a request we'll block in * wait_for_completion() to avoid needless spinning. @@ -243,29 +306,10 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, */ if (wait_for_completion_interruptible(&supp->reqs_c)) return -ERESTARTSYS; - } - if (num_meta) { - /* - * tee-supplicant support meta parameters -> requsts can be - * processed asynchronously. - */ - param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | - TEE_IOCTL_PARAM_ATTR_META; - param->u.value.a = id; - param->u.value.b = 0; - param->u.value.c = 0; - } else { - mutex_lock(&supp->mutex); - supp->req_id = id; - mutex_unlock(&supp->mutex); + /* Check for the next request in the queue. */ } - *func = req->func; - *num_params = req->num_params + num_meta; - memcpy(param + num_meta, req->param, - sizeof(struct tee_param) * req->num_params); - return 0; } @@ -297,12 +341,18 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp, if (!req) return ERR_PTR(-ENOENT); + /* optee_supp_thrd_req() already returned to optee. */ + if (IS_ERR(req)) + goto failed_req; + if ((num_params - nm) != req->num_params) return ERR_PTR(-EINVAL); + *num_meta = nm; +failed_req: idr_remove(&supp->idr, id); supp->req_id = -1; - *num_meta = nm; + return req; } @@ -328,9 +378,8 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, mutex_lock(&supp->mutex); req = supp_pop_req(supp, num_params, param, &num_meta); - mutex_unlock(&supp->mutex); - if (IS_ERR(req)) { + mutex_unlock(&supp->mutex); /* Something is wrong, let supplicant restart. */ return PTR_ERR(req); } @@ -355,9 +404,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, } } req->ret = ret; - + req->processed = true; /* Let the requesting thread continue */ complete(&req->c); + mutex_unlock(&supp->mutex); return 0; } --- base-commit: 3f24e4edcd1b8981c6b448ea2680726dedd87279 change-id: 20250604-fix-use-after-free-8ff1b5d5d774 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

4 months, 1 week

3
9
1 0

Linaro OP-TEE Contribution, LOC, monthly meeting January 27

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - OP-TEE version 4.9.0 released - Following our discussion at the last LOC regarding exporting OP-TEE version information via sysfs, the latest version of the patch [1] has been accepted. - Any other topics? [1] https://lore.kernel.org/op-tee/20260112154833.78546-1-aristo.chen@canonical… Cheers, Jens

4 months, 4 weeks

1
0
0 0

Rebase linaro-swg/kernel to v6.18

by Jens Wiklander

Hi, I've just rebased the linaro-swg/kernel optee branch on v6.18 from v6.14. By rebasing, we eliminated a few workarounds on the optee branch and gained FF-A version 1.2 support in the kernel. Cheers, Jens

5 months

1
0
0 0

[PATCH][next] optee: make read-only array attr static const

by Colin Ian King

Don't populate the read-only array attr on the stack at run time, instead make it static const. Signed-off-by: Colin Ian King <coking(a)nvidia.com> --- drivers/tee/optee/rpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c index 97fc5b14db0c..1758eb7e6e8b 100644 --- a/drivers/tee/optee/rpc.c +++ b/drivers/tee/optee/rpc.c @@ -43,7 +43,7 @@ static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx, struct i2c_msg msg = { }; size_t i; int ret = -EOPNOTSUPP; - u8 attr[] = { + static const u8 attr[] = { TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT, TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT, TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT, -- 2.51.0

5 months

7
7
0 0

[GIT PULL] TEE sysfs for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull these two patches adding a generic TEE revision sysfs attribute and implement support for OP-TEE. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-sysfs-for-6.20 for you to fetch changes up to c19faf5a62315d5e0e65dde49b7b59e30330b9c2: tee: optee: store OS revision for TEE core (2026-01-15 10:35:14 +0100) ---------------------------------------------------------------- TEE sysfs for 6.20 - Add an optional generic sysfs attribute for TEE revision - Implement revision reporting for OP-TEE using both SMC and FF-A ABIs ---------------------------------------------------------------- Aristo Chen (2): tee: add revision sysfs attribute tee: optee: store OS revision for TEE core Documentation/ABI/testing/sysfs-class-tee | 10 ++++++ drivers/tee/optee/core.c | 23 +++++++++++++ drivers/tee/optee/ffa_abi.c | 54 +++++++++++++++++++++++-------- drivers/tee/optee/optee_private.h | 19 +++++++++++ drivers/tee/optee/smc_abi.c | 15 +++++++-- drivers/tee/tee_core.c | 51 ++++++++++++++++++++++++++++- include/linux/tee_core.h | 9 ++++++ 7 files changed, 163 insertions(+), 18 deletions(-)

5 months, 1 week

1
0
0 0

[GIT PULL] AMDTEE update for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull this small patch removing unused return variables in a couple of functions in the AMDTEE driver in the TEE subsystem. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/amdtee-update-for-6.20 for you to fetch changes up to a0db08f47c836251fbaccf711e12fe8428235465: tee: amdtee: Remove unused return variables (2026-01-14 10:20:51 +0100) ---------------------------------------------------------------- AMDTEE update for 6.20 Remove unused return variables ---------------------------------------------------------------- Thorsten Blum (1): tee: amdtee: Remove unused return variables drivers/tee/amdtee/call.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)

5 months, 1 week

1
0
0 0

[GIT PULL] TEE bus callbacks for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull these updates adding TEE bus callbacks to let the users of the bus get rid of the struct device_driver callbacks .probe(), .remove() and .shutdown(). The maintainers for the updated drivers using the TEE bus have agreed to take these changes via my tree, with the exception of the maintainer for drivers/firmware/broadcom/tee_bnxt_fw.c, who has remained silent during the review. However, the changes in the drivers are straight forward so it's better to take these patches too rather than excluding them. Further details are in the last patch set: https://lore.kernel.org/op-tee/cover.1765791463.git.u.kleine-koenig@baylibr… Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-bus-callback-for-6.20 for you to fetch changes up to e82d0477fd80707221c3d110f56d05506de2698c: tpm/tpm_ftpm_tee: Fix kdoc after function renames (2026-01-15 10:28:33 +0100) ---------------------------------------------------------------- TEE bus callback for 6.20 - Move from generic device_driver to TEE bus-specific callbacks - Add module_tee_client_driver() and registration helpers to reduce boilerplate - Convert several client drivers (TPM, KEYS, firmware, EFI, hwrng, and RTC) - Update documentation and fix kernel-doc warnings ---------------------------------------------------------------- Uwe Kleine-König (18): tee: Add some helpers to reduce boilerplate for tee client drivers tee: Add probe, remove and shutdown bus callbacks to tee_client_driver tee: Adapt documentation to cover recent additions rtc: optee: Migrate to use tee specific driver registration function rtc: optee: Make use of tee bus methods hwrng: optee - Make use of module_tee_client_driver() hwrng: optee - Make use of tee bus methods efi: stmm: Make use of module_tee_client_driver() efi: stmm: Make use of tee bus methods firmware: arm_scmi: optee: Make use of module_tee_client_driver() firmware: arm_scmi: Make use of tee bus methods firmware: tee_bnxt: Make use of module_tee_client_driver() firmware: tee_bnxt: Make use of tee bus methods KEYS: trusted: Migrate to use tee specific driver registration function KEYS: trusted: Make use of tee bus methods tpm/tpm_ftpm_tee: Make use of tee specific driver registration tpm/tpm_ftpm_tee: Make use of tee bus methods tpm/tpm_ftpm_tee: Fix kdoc after function renames Documentation/driver-api/tee.rst | 18 +----- drivers/char/hw_random/optee-rng.c | 26 ++------- drivers/char/tpm/tpm_ftpm_tee.c | 35 ++++++++---- drivers/firmware/arm_scmi/transports/optee.c | 32 ++++------- drivers/firmware/broadcom/tee_bnxt_fw.c | 30 +++------- drivers/firmware/efi/stmm/tee_stmm_efi.c | 25 ++------- drivers/rtc/rtc-optee.c | 27 +++------ drivers/tee/tee_core.c | 84 ++++++++++++++++++++++++++++ include/linux/tee_drv.h | 12 ++++ security/keys/trusted-keys/trusted_tee.c | 17 +++--- 10 files changed, 166 insertions(+), 140 deletions(-)

5 months, 1 week

1
0
0 0

[GIT PULL] OP-TEE update for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull these three small updates for OP-TEE driver in the TEE subsystem, and for the OP-TEE mailing list. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/optee-update-for-6.20 for you to fetch changes up to 94ea7063fae835e800768d3b0507f0994ef03878: optee: make read-only array attr static const (2026-01-16 10:35:05 +0100) ---------------------------------------------------------------- OP-TEE update for 6.20 - A micro optimization by making a local array static const - Update OP-TEE mailing list as moderated - Update an outdated comment for cmd_alloc_suppl() ---------------------------------------------------------------- Colin Ian King (1): optee: make read-only array attr static const Geert Uytterhoeven (1): MAINTAINERS: Mark the OP-TEE mailing list moderated Julia Lawall (1): optee: update outdated comment MAINTAINERS | 6 +++--- drivers/tee/optee/rpc.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)

5 months, 1 week

1
0
0 0

[GIT PULL] QCOMTEE fixes for 6.20

by Jens Wiklander

Hello arm-soc maintainers, Please pull thes three small fixes for the QCOMTEE driver in the TEE subsystem. Thanks, Jens The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8: Linux 6.19-rc1 (2025-12-14 16:05:07 +1200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/qcomtee-fixes-for-6.20 for you to fetch changes up to 1c05d9a4cab2abfb93ebce5edaa17752126b6d35: tee: qcomtee: user: Fix confusing cleanup.h syntax (2026-01-05 10:21:09 +0100) ---------------------------------------------------------------- QCOMTEE fixes for 6.20 Small cleanups for the qcomtee driver to align with recommended coding practices for the cleanup.h infrastructure. ---------------------------------------------------------------- Krzysztof Kozlowski (3): tee: qcomtee: call: Fix confusing cleanup.h syntax tee: qcomtee: mem: Fix confusing cleanup.h syntax tee: qcomtee: user: Fix confusing cleanup.h syntax drivers/tee/qcomtee/call.c | 17 ++++++++--------- drivers/tee/qcomtee/mem_obj.c | 4 ++-- drivers/tee/qcomtee/user_obj.c | 8 ++++---- 3 files changed, 14 insertions(+), 15 deletions(-)

5 months, 1 week

1
0
0 0

OP-TEE 4.9.0 has been released

by Jens Wiklander

Hi, I'm pleased to announce that OP-TEE version 4.9.0 is now available. The list of changes can be found in the changelog [1]. A big thank you to everyone who participated with contributions and helping out with testing the release [2]. [1] https://github.com/OP-TEE/optee_os/blob/4.9.0/CHANGELOG.md [2] https://github.com/OP-TEE/optee_os/commit/c2b0684fcd89929976a8726e6e3af922b… Regards, Jens

5 months, 1 week

1
0
0 0

[PATCH v2] MAINTAINERS: Mark the OP-TEE mailing list moderated

by Geert Uytterhoeven

After sending a patch to op-tee(a)lists.trustedfirmware.org, I got the typical response for a moderated list: Your mail to 'op-tee(a)lists.trustedfirmware.org' with the subject [...] Is being held until the list moderator can review it for approval. The message is being held because: The message is not from a list member Either the message will get posted to the list, or you will receive notification of the moderator's decision. Mark this mailing list moderated in MAINTAINERS. Signed-off-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Reviewed-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- v2: - Add Reviewed-by. --- MAINTAINERS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 13e2f2fdc248ec65..9c988eb1cc86628f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -19578,14 +19578,14 @@ F: drivers/net/phy/ncn* OP-TEE DRIVER M: Jens Wiklander <jens.wiklander(a)linaro.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: Documentation/ABI/testing/sysfs-bus-optee-devices F: drivers/tee/optee/ OP-TEE RANDOM NUMBER GENERATOR (RNG) DRIVER M: Sumit Garg <sumit.garg(a)kernel.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: drivers/char/hw_random/optee-rng.c @@ -25693,7 +25693,7 @@ F: include/media/i2c/tw9910.h TEE SUBSYSTEM M: Jens Wiklander <jens.wiklander(a)linaro.org> R: Sumit Garg <sumit.garg(a)kernel.org> -L: op-tee(a)lists.trustedfirmware.org +L: op-tee(a)lists.trustedfirmware.org (moderated for non-subscribers) S: Maintained F: Documentation/ABI/testing/sysfs-class-tee F: Documentation/driver-api/tee.rst -- 2.43.0

5 months, 1 week

3
2
0 0

[PATCH v1 1/1] tee: optee: expose OS revision via sysfs

by Wei Ming Chen

From: Aristo Chen <aristo.chen(a)canonical.com> Today the only way to read the OP-TEE OS version is from dmesg/journal logs, which can be lost as buffers roll over. Add a minimal optee_version_info (major/minor/build) and get_optee_revision hook, collect the OS revision in both SMC and FF-A ABIs, and publish /sys/class/tee/tee*/optee_os_revision for a stable userspace readout. Signed-off-by: Aristo Chen <aristo.chen(a)canonical.com> --- drivers/tee/optee/ffa_abi.c | 27 +++++++++++- drivers/tee/optee/optee_private.h | 1 + drivers/tee/optee/smc_abi.c | 27 +++++++++++- drivers/tee/tee_core.c | 73 ++++++++++++++++++++++++++++++- include/linux/tee_core.h | 2 + include/linux/tee_drv.h | 12 +++++ 6 files changed, 137 insertions(+), 5 deletions(-) diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c index bf8390789ecf..291ba3bfde7f 100644 --- a/drivers/tee/optee/ffa_abi.c +++ b/drivers/tee/optee/ffa_abi.c @@ -776,7 +776,8 @@ static int optee_ffa_reclaim_protmem(struct optee *optee, */ static bool optee_ffa_api_is_compatible(struct ffa_device *ffa_dev, - const struct ffa_ops *ops) + const struct ffa_ops *ops, + struct optee_version_info *version_info) { const struct ffa_msg_ops *msg_ops = ops->msg_ops; struct ffa_send_direct_data data = { @@ -806,6 +807,12 @@ static bool optee_ffa_api_is_compatible(struct ffa_device *ffa_dev, pr_err("Unexpected error %d\n", rc); return false; } + if (version_info) { + version_info->os_major = data.data0; + version_info->os_minor = data.data1; + version_info->os_build_id = data.data2; + } + if (data.data2) pr_info("revision %lu.%lu (%08lx)", data.data0, data.data1, data.data2); @@ -893,6 +900,18 @@ static void optee_ffa_get_version(struct tee_device *teedev, *vers = v; } +static int optee_ffa_get_optee_revision(struct tee_device *teedev, + struct optee_version_info *vers) +{ + struct optee *optee = tee_get_drvdata(teedev); + + if (!optee) + return -ENODEV; + + *vers = optee->version_info; + return 0; +} + static int optee_ffa_open(struct tee_context *ctx) { return optee_open(ctx, true); @@ -900,6 +919,7 @@ static int optee_ffa_open(struct tee_context *ctx) static const struct tee_driver_ops optee_ffa_clnt_ops = { .get_version = optee_ffa_get_version, + .get_optee_revision = optee_ffa_get_optee_revision, .open = optee_ffa_open, .release = optee_release, .open_session = optee_open_session, @@ -918,6 +938,7 @@ static const struct tee_desc optee_ffa_clnt_desc = { static const struct tee_driver_ops optee_ffa_supp_ops = { .get_version = optee_ffa_get_version, + .get_optee_revision = optee_ffa_get_optee_revision, .open = optee_ffa_open, .release = optee_release_supp, .supp_recv = optee_supp_recv, @@ -1034,6 +1055,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev) { const struct ffa_notifier_ops *notif_ops; const struct ffa_ops *ffa_ops; + struct optee_version_info version_info = { }; unsigned int max_notif_value; unsigned int rpc_param_count; struct tee_shm_pool *pool; @@ -1047,7 +1069,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev) ffa_ops = ffa_dev->ops; notif_ops = ffa_ops->notifier_ops; - if (!optee_ffa_api_is_compatible(ffa_dev, ffa_ops)) + if (!optee_ffa_api_is_compatible(ffa_dev, ffa_ops, &version_info)) return -EINVAL; if (!optee_ffa_exchange_caps(ffa_dev, ffa_ops, &sec_caps, @@ -1059,6 +1081,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev) optee = kzalloc(sizeof(*optee), GFP_KERNEL); if (!optee) return -ENOMEM; + optee->version_info = version_info; pool = optee_ffa_shm_pool_alloc_pages(); if (IS_ERR(pool)) { diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h index db9ea673fbca..967c015e8ffb 100644 --- a/drivers/tee/optee/optee_private.h +++ b/drivers/tee/optee/optee_private.h @@ -249,6 +249,7 @@ struct optee { bool in_kernel_rpmb_routing; struct work_struct scan_bus_work; struct work_struct rpmb_scan_bus_work; + struct optee_version_info version_info; }; struct optee_session { diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c index 0be663fcd52b..1e412949898f 100644 --- a/drivers/tee/optee/smc_abi.c +++ b/drivers/tee/optee/smc_abi.c @@ -1232,6 +1232,18 @@ static void optee_get_version(struct tee_device *teedev, *vers = v; } +static int optee_get_optee_revision(struct tee_device *teedev, + struct optee_version_info *vers) +{ + struct optee *optee = tee_get_drvdata(teedev); + + if (!optee) + return -ENODEV; + + *vers = optee->version_info; + return 0; +} + static int optee_smc_open(struct tee_context *ctx) { struct optee *optee = tee_get_drvdata(ctx->teedev); @@ -1242,6 +1254,7 @@ static int optee_smc_open(struct tee_context *ctx) static const struct tee_driver_ops optee_clnt_ops = { .get_version = optee_get_version, + .get_optee_revision = optee_get_optee_revision, .open = optee_smc_open, .release = optee_release, .open_session = optee_open_session, @@ -1261,6 +1274,7 @@ static const struct tee_desc optee_clnt_desc = { static const struct tee_driver_ops optee_supp_ops = { .get_version = optee_get_version, + .get_optee_revision = optee_get_optee_revision, .open = optee_smc_open, .release = optee_release_supp, .supp_recv = optee_supp_recv, @@ -1323,7 +1337,8 @@ static bool optee_msg_api_uid_is_optee_image_load(optee_invoke_fn *invoke_fn) } #endif -static void optee_msg_get_os_revision(optee_invoke_fn *invoke_fn) +static void optee_msg_get_os_revision(optee_invoke_fn *invoke_fn, + struct optee_version_info *version_info) { union { struct arm_smccc_res smccc; @@ -1337,6 +1352,12 @@ static void optee_msg_get_os_revision(optee_invoke_fn *invoke_fn) invoke_fn(OPTEE_SMC_CALL_GET_OS_REVISION, 0, 0, 0, 0, 0, 0, 0, &res.smccc); + if (version_info) { + version_info->os_major = res.result.major; + version_info->os_minor = res.result.minor; + version_info->os_build_id = res.result.build_id; + } + if (res.result.build_id) pr_info("revision %lu.%lu (%0*lx)", res.result.major, res.result.minor, (int)sizeof(res.result.build_id) * 2, @@ -1727,6 +1748,7 @@ static int optee_probe(struct platform_device *pdev) unsigned int thread_count; struct tee_device *teedev; struct tee_context *ctx; + struct optee_version_info version_info = { }; u32 max_notif_value; u32 arg_cache_flags; u32 sec_caps; @@ -1745,7 +1767,7 @@ static int optee_probe(struct platform_device *pdev) return -EINVAL; } - optee_msg_get_os_revision(invoke_fn); + optee_msg_get_os_revision(invoke_fn, &version_info); if (!optee_msg_api_revision_is_compatible(invoke_fn)) { pr_warn("api revision mismatch\n"); @@ -1814,6 +1836,7 @@ static int optee_probe(struct platform_device *pdev) rc = -ENOMEM; goto err_free_shm_pool; } + optee->version_info = version_info; optee->ops = &optee_ops; optee->smc.invoke_fn = invoke_fn; diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index d65d47cc154e..dc23058e7be6 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -1141,12 +1141,83 @@ static ssize_t implementation_id_show(struct device *dev, } static DEVICE_ATTR_RO(implementation_id); +static int tee_get_optee_revision(struct tee_device *teedev, + struct optee_version_info *ver_info) +{ + if (!teedev->desc->ops->get_optee_revision) + return -ENODEV; + + return teedev->desc->ops->get_optee_revision(teedev, ver_info); +} + +static bool tee_is_optee(struct tee_device *teedev) +{ + struct tee_ioctl_version_data vers; + + teedev->desc->ops->get_version(teedev, &vers); + + return vers.impl_id == TEE_IMPL_ID_OPTEE; +} + +static ssize_t optee_os_revision_show(struct device *dev, + struct device_attribute *attr, char *buf) +{ + struct tee_device *teedev = container_of(dev, struct tee_device, dev); + struct optee_version_info ver_info; + int ret; + + if (!tee_is_optee(teedev)) + return -ENODEV; + + ret = tee_get_optee_revision(teedev, &ver_info); + if (ret) + return ret; + + if (ver_info.os_build_id) + return sysfs_emit(buf, "%u.%u (%08x)\n", ver_info.os_major, + ver_info.os_minor, ver_info.os_build_id); + + return sysfs_emit(buf, "%u.%u\n", ver_info.os_major, + ver_info.os_minor); +} +static DEVICE_ATTR_RO(optee_os_revision); + static struct attribute *tee_dev_attrs[] = { &dev_attr_implementation_id.attr, NULL }; -ATTRIBUTE_GROUPS(tee_dev); +static struct attribute *tee_optee_attrs[] = { + &dev_attr_optee_os_revision.attr, + NULL +}; + +static umode_t tee_optee_attr_is_visible(struct kobject *kobj, + struct attribute *attr, int n) +{ + struct device *dev = kobj_to_dev(kobj); + struct tee_device *teedev = container_of(dev, struct tee_device, dev); + + if (tee_is_optee(teedev) && teedev->desc->ops->get_optee_revision) + return attr->mode; + + return 0; +} + +static const struct attribute_group tee_dev_group = { + .attrs = tee_dev_attrs, +}; + +static const struct attribute_group tee_optee_group = { + .attrs = tee_optee_attrs, + .is_visible = tee_optee_attr_is_visible, +}; + +static const struct attribute_group *tee_dev_groups[] = { + &tee_dev_group, + &tee_optee_group, + NULL +}; static const struct class tee_class = { .name = "tee", diff --git a/include/linux/tee_core.h b/include/linux/tee_core.h index 1f3e5dad6d0d..4bd9b6b191c9 100644 --- a/include/linux/tee_core.h +++ b/include/linux/tee_core.h @@ -98,6 +98,8 @@ struct tee_device { struct tee_driver_ops { void (*get_version)(struct tee_device *teedev, struct tee_ioctl_version_data *vers); + int (*get_optee_revision)(struct tee_device *teedev, + struct optee_version_info *vers); int (*open)(struct tee_context *ctx); void (*close_context)(struct tee_context *ctx); void (*release)(struct tee_context *ctx); diff --git a/include/linux/tee_drv.h b/include/linux/tee_drv.h index 88a6f9697c89..64a2fea11cb9 100644 --- a/include/linux/tee_drv.h +++ b/include/linux/tee_drv.h @@ -20,6 +20,18 @@ struct tee_device; +/** + * struct optee_version_info - OP-TEE version information + * @os_major: OS major version + * @os_minor: OS minor version + * @os_build_id: OS build identifier (0 if unspecified) + */ +struct optee_version_info { + u32 os_major; + u32 os_minor; + u32 os_build_id; +}; + /** * struct tee_context - driver specific context on file pointer data * @teedev: pointer to this drivers struct tee_device -- 2.43.0

5 months, 1 week

9
43
0 0

[PATCH] tee: amdtee: Remove unused return variables

by Thorsten Blum

In tee_params_to_amd_params() and amd_params_to_tee_params(), return 0 directly and remove the unused return variables. Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- drivers/tee/amdtee/call.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/tee/amdtee/call.c b/drivers/tee/amdtee/call.c index 4c21b02be4af..460b0c9e511f 100644 --- a/drivers/tee/amdtee/call.c +++ b/drivers/tee/amdtee/call.c @@ -15,7 +15,7 @@ static int tee_params_to_amd_params(struct tee_param *tee, u32 count, struct tee_operation *amd) { - int i, ret = 0; + int i; u32 type; if (!count) @@ -66,13 +66,13 @@ static int tee_params_to_amd_params(struct tee_param *tee, u32 count, i, amd->params[i].val.b); } } - return ret; + return 0; } static int amd_params_to_tee_params(struct tee_param *tee, u32 count, struct tee_operation *amd) { - int i, ret = 0; + int i; u32 type; if (!count) @@ -118,7 +118,7 @@ static int amd_params_to_tee_params(struct tee_param *tee, u32 count, i, amd->params[i].val.b); } } - return ret; + return 0; } static DEFINE_MUTEX(ta_refcount_mutex); -- Thorsten Blum <thorsten.blum(a)linux.dev> GPG: 1D60 735E 8AEF 3BE4 73B6 9D84 7336 78FD 8DFE EAD4

5 months, 1 week

2
1
0 0

[PATCH v2 00/17] tee: Use bus callbacks instead of driver callbacks

by Uwe Kleine-König

Hello, the objective of this series is to make tee driver stop using callbacks in struct device_driver. These were superseded by bus methods in 2006 (commit 594c8281f905 ("[PATCH] Add bus_type probe, remove, shutdown methods.")) but nobody cared to convert all subsystems accordingly. Here the tee drivers are converted. The first commit is somewhat unrelated, but simplifies the conversion (and the drivers). It introduces driver registration helpers that care about setting the bus and owner. (The latter is missing in all drivers, so by using these helpers the drivers become more correct.) v1 of this series is available at https://lore.kernel.org/all/cover.1765472125.git.u.kleine-koenig@baylibre.c… Changes since v1: - rebase to v6.19-rc1 (no conflicts) - add tags received so far - fix whitespace issues pointed out by Sumit Garg - fix shutdown callback to shutdown and not remove As already noted in v1's cover letter, this series should go in during a single merge window as there are runtime warnings when the series is only applied partially. Sumit Garg suggested to apply the whole series via Jens Wiklander's tree. If this is done the dependencies in this series are honored, in case the plan changes: Patches #4 - #17 depend on the first two. Note this series is only build tested. Uwe Kleine-König (17): tee: Add some helpers to reduce boilerplate for tee client drivers tee: Add probe, remove and shutdown bus callbacks to tee_client_driver tee: Adapt documentation to cover recent additions hwrng: optee - Make use of module_tee_client_driver() hwrng: optee - Make use of tee bus methods rtc: optee: Migrate to use tee specific driver registration function rtc: optee: Make use of tee bus methods efi: stmm: Make use of module_tee_client_driver() efi: stmm: Make use of tee bus methods firmware: arm_scmi: optee: Make use of module_tee_client_driver() firmware: arm_scmi: Make use of tee bus methods firmware: tee_bnxt: Make use of module_tee_client_driver() firmware: tee_bnxt: Make use of tee bus methods KEYS: trusted: Migrate to use tee specific driver registration function KEYS: trusted: Make use of tee bus methods tpm/tpm_ftpm_tee: Make use of tee specific driver registration tpm/tpm_ftpm_tee: Make use of tee bus methods Documentation/driver-api/tee.rst | 18 +---- drivers/char/hw_random/optee-rng.c | 26 ++---- drivers/char/tpm/tpm_ftpm_tee.c | 31 +++++--- drivers/firmware/arm_scmi/transports/optee.c | 32 +++----- drivers/firmware/broadcom/tee_bnxt_fw.c | 30 ++----- drivers/firmware/efi/stmm/tee_stmm_efi.c | 25 ++---- drivers/rtc/rtc-optee.c | 27 ++----- drivers/tee/tee_core.c | 84 ++++++++++++++++++++ include/linux/tee_drv.h | 12 +++ security/keys/trusted-keys/trusted_tee.c | 17 ++-- 10 files changed, 164 insertions(+), 138 deletions(-) base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 -- 2.47.3

5 months, 2 weeks

9
37
0 0

[PATCH v3] arm64: defconfig: Enable QCOMTEE on Qualcomm SM8650+

by Harshal Dev

Enable QCOMTEE driver on Qualcomm SM8650+ SoCs to facilitate communication with the Qualcomm Trusted Execution Environment (QTEE). (No enablement required in DTS files since QCOMTEE device is dynamically registered by the QCOM_SCM firmware driver) Signed-off-by: Harshal Dev <harshal.dev(a)oss.qualcomm.com> --- Changes in v3: - Updated the commit message to reflect the supported Qualcomm platforms. - Link to v2: https://lore.kernel.org/r/20251205-qcom_qcomtee_defconfig-v2-1-c92560b0346e… Changes in v2: - Updated CONFIG_QCOMTEE flag to 'm' since QCOMTEE can be built as a module. - Link to v1: https://lore.kernel.org/r/20251202-qcom_qcomtee_defconfig-v1-1-11bfe40a8ea4… --- arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index cdb7d69e3b24..e952d24bef77 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -1789,6 +1789,7 @@ CONFIG_FPGA_MGR_ZYNQMP_FPGA=m CONFIG_FPGA_MGR_VERSAL_FPGA=m CONFIG_TEE=y CONFIG_OPTEE=y +CONFIG_QCOMTEE=m CONFIG_MUX_GPIO=m CONFIG_MUX_MMIO=y CONFIG_SLIMBUS=m --- base-commit: 47b7b5e32bb7264b51b89186043e1ada4090b558 change-id: 20251202-qcom_qcomtee_defconfig-8dc0fed1411b Best regards, -- Harshal Dev <harshal.dev(a)oss.qualcomm.com>

5 months, 2 weeks

6
15
0 0

[PATCH] optee: update outdated comment

by Julia Lawall

The function cmd_alloc_suppl() was renamed as optee_rpc_cmd_alloc_suppl() in commit c51a564a5b48 ("optee: isolate smc abi"). Update the comment accordingly. Signed-off-by: Julia Lawall <Julia.Lawall(a)inria.fr> --- drivers/tee/optee/rpc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c index ebbbd42b0e3e..97fc5b14db0c 100644 --- a/drivers/tee/optee/rpc.c +++ b/drivers/tee/optee/rpc.c @@ -247,8 +247,8 @@ void optee_rpc_cmd_free_suppl(struct tee_context *ctx, struct tee_shm *shm) param.u.value.c = 0; /* - * Match the tee_shm_get_from_id() in cmd_alloc_suppl() as secure - * world has released its reference. + * Match the tee_shm_get_from_id() in optee_rpc_cmd_alloc_suppl() + * as secure world has released its reference. * * It's better to do this before sending the request to supplicant * as we'd like to let the process doing the initial allocation to

5 months, 2 weeks

3
2
0 0

[PATCH 1/3] tee: qcomtee: call: Fix confusing cleanup.h syntax

by Krzysztof Kozlowski

Initializing automatic __free variables to NULL without need (e.g. branches with different allocations), followed by actual allocation is in contrary to explicit coding rules guiding cleanup.h: "Given that the "__free(...) = NULL" pattern for variables defined at the top of the function poses this potential interdependency problem the recommendation is to always define and assign variables in one statement and not group variable definitions at the top of the function when __free() is used." Code does not have a bug, but is less readable and uses discouraged coding practice, so fix that by moving declaration to the place of assignment. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)oss.qualcomm.com> --- drivers/tee/qcomtee/call.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index 65f9140d4e1f..8f8830f0df26 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -395,9 +395,7 @@ static int qcomtee_object_invoke(struct tee_context *ctx, struct tee_ioctl_object_invoke_arg *arg, struct tee_param *params) { - struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_context_data *ctxdata = ctx->data; - struct qcomtee_arg *u __free(kfree) = NULL; struct qcomtee_object *object; int i, ret, result; @@ -412,12 +410,14 @@ static int qcomtee_object_invoke(struct tee_context *ctx, } /* Otherwise, invoke a QTEE object: */ - oic = qcomtee_object_invoke_ctx_alloc(ctx); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = + qcomtee_object_invoke_ctx_alloc(ctx); if (!oic) return -ENOMEM; /* +1 for ending QCOMTEE_ARG_TYPE_INV. */ - u = kcalloc(arg->num_params + 1, sizeof(*u), GFP_KERNEL); + struct qcomtee_arg *u __free(kfree) = kcalloc(arg->num_params + 1, sizeof(*u), + GFP_KERNEL); if (!u) return -ENOMEM; @@ -562,9 +562,8 @@ static int qcomtee_supp_send(struct tee_context *ctx, u32 errno, u32 num_params, static int qcomtee_open(struct tee_context *ctx) { - struct qcomtee_context_data *ctxdata __free(kfree) = NULL; - - ctxdata = kzalloc(sizeof(*ctxdata), GFP_KERNEL); + struct qcomtee_context_data *ctxdata __free(kfree) = kzalloc(sizeof(*ctxdata), + GFP_KERNEL); if (!ctxdata) return -ENOMEM; @@ -645,12 +644,12 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result; - oic = qcomtee_object_invoke_ctx_alloc(ctx); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = + qcomtee_object_invoke_ctx_alloc(ctx); if (!oic) return; -- 2.51.0

5 months, 2 weeks

5
14
0 0

Preparing for OP-TEE 4.9.0

by Jens Wiklander

[BCC all OP-TEE maintainers] Hi OP-TEE maintainers & contributors, OP-TEE version 4.9.0 is now scheduled for release on 2026-01-16. So, now is a good time to start testing the master branch across various platforms and report or fix any bugs. The GitHub pull request for collecting Tested-by tags or any other comments is https://github.com/OP-TEE/optee_os/pull/7666. I have now created the 4.9.0-rc1 tags in the various OP-TEE gits. Please proceed with the testing. You can find more information related to releases here: https://optee.readthedocs.io/en/latest/general/releases.html Thanks, Jens

5 months, 3 weeks

1
0
0 0

build breakage with SCMI

by Dan Carpenter

When I try building with `make run WITH_SCMI=y` then the build fails: core/lib/scmi-server/scmi_server.c: In function ‘scmi_server_initialize’: core/lib/scmi-server/scmi_server.c:83:22: error: implicit declaration of function ‘scmi_configure’ [-Wimplicit-function-declaration] 83 | rc = scmi_configure(cfg); | ^~~~~~~~~~~~~~ This was introduced in commit ce6ea4112008 ("scmi-server: configure SCP-firmware from DT"). A grep for scmi_configure() turns up empty. Was part of the commit missing? regards, dan carpenter

6 months, 1 week

3
3
0 0

[PATCH v1 00/17] tee: Use bus callbacks instead of driver callbacks

by Uwe Kleine-König

Hello, the objective of this series is to make tee driver stop using callbacks in struct device_driver. These were superseded by bus methods in 2006 (commit 594c8281f905 ("[PATCH] Add bus_type probe, remove, shutdown methods.")) but nobody cared to convert all subsystems accordingly. Here the tee drivers are converted. The first commit is somewhat unrelated, but simplifies the conversion (and the drivers). It introduces driver registration helpers that care about setting the bus and owner. (The latter is missing in all drivers, so by using these helpers the drivers become more correct.) The patches #4 - #17 depend on the first two, so if they should be applied to their respective subsystem trees these must contain the first two patches first. Note that after patch #2 is applied, unconverted drivers provoke a warning in driver_register(), so it would be good for the user experience if the whole series goes in during a single merge window. So I guess an immutable branch containing the frist three patches that can be merged into the other subsystem trees would be sensible. After all patches are applied, tee_bus_type can be made private to drivers/tee as it's not used in other places any more. Best regards Uwe Uwe Kleine-König (17): tee: Add some helpers to reduce boilerplate for tee client drivers tee: Add probe, remove and shutdown bus callbacks to tee_client_driver tee: Adapt documentation to cover recent additions hwrng: optee - Make use of module_tee_client_driver() hwrng: optee - Make use of tee bus methods rtc: optee: Migrate to use tee specific driver registration function rtc: optee: Make use of tee bus methods efi: stmm: Make use of module_tee_client_driver() efi: stmm: Make use of tee bus methods firmware: arm_scmi: optee: Make use of module_tee_client_driver() firmware: arm_scmi: Make use of tee bus methods firmware: tee_bnxt: Make use of module_tee_client_driver() firmware: tee_bnxt: Make use of tee bus methods KEYS: trusted: Migrate to use tee specific driver registration function KEYS: trusted: Make use of tee bus methods tpm/tpm_ftpm_tee: Make use of tee specific driver registration tpm/tpm_ftpm_tee: Make use of tee bus methods Documentation/driver-api/tee.rst | 18 +---- drivers/char/hw_random/optee-rng.c | 26 ++---- drivers/char/tpm/tpm_ftpm_tee.c | 31 +++++--- drivers/firmware/arm_scmi/transports/optee.c | 32 +++----- drivers/firmware/broadcom/tee_bnxt_fw.c | 30 ++----- drivers/firmware/efi/stmm/tee_stmm_efi.c | 25 ++---- drivers/rtc/rtc-optee.c | 27 ++----- drivers/tee/tee_core.c | 84 ++++++++++++++++++++ include/linux/tee_drv.h | 12 +++ security/keys/trusted-keys/trusted_tee.c | 17 ++-- 10 files changed, 164 insertions(+), 138 deletions(-) base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 -- 2.47.3

6 months, 1 week

6
47
0 0

[PATCH v2] arm64: defconfig: Enable QCOMTEE for Qualcomm SoCs

by Harshal Dev

Enable config 'm' for the QCOMTEE driver to facilitate communication with the Qualcomm Trusted Execution Environment (QTEE) on Qualcomm platforms. Signed-off-by: Harshal Dev <harshal.dev(a)oss.qualcomm.com> --- Changes in v2: - Updated CONFIG_QCOMTEE flag to 'm' since QCOMTEE can be built as a module. - Link to v1: https://lore.kernel.org/r/20251202-qcom_qcomtee_defconfig-v1-1-11bfe40a8ea4… --- arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index cdb7d69e3b24..e952d24bef77 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -1789,6 +1789,7 @@ CONFIG_FPGA_MGR_ZYNQMP_FPGA=m CONFIG_FPGA_MGR_VERSAL_FPGA=m CONFIG_TEE=y CONFIG_OPTEE=y +CONFIG_QCOMTEE=m CONFIG_MUX_GPIO=m CONFIG_MUX_MMIO=y CONFIG_SLIMBUS=m --- base-commit: 47b7b5e32bb7264b51b89186043e1ada4090b558 change-id: 20251202-qcom_qcomtee_defconfig-8dc0fed1411b Best regards, -- Harshal Dev <hdev(a)qti.qualcomm.com>

6 months, 2 weeks

2
4
0 0

[PATCH] arm64: defconfig: Enable QCOMTEE for Qualcomm SoCs

by Harshal Dev

Enable config for the QCOMTEE driver to facilitate communication with the Qualcomm Trusted Execution Environment (QTEE) on Qualcomm platforms. Signed-off-by: Harshal Dev <harshal.dev(a)oss.qualcomm.com> --- arch/arm64/configs/defconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index cdb7d69e3b24..57b2b09d0479 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -1789,6 +1789,7 @@ CONFIG_FPGA_MGR_ZYNQMP_FPGA=m CONFIG_FPGA_MGR_VERSAL_FPGA=m CONFIG_TEE=y CONFIG_OPTEE=y +CONFIG_QCOMTEE=y CONFIG_MUX_GPIO=m CONFIG_MUX_MMIO=y CONFIG_SLIMBUS=m --- base-commit: 47b7b5e32bb7264b51b89186043e1ada4090b558 change-id: 20251202-qcom_qcomtee_defconfig-8dc0fed1411b Best regards, -- Harshal Dev <harshal.dev(a)oss.qualcomm.com>

6 months, 2 weeks

2
4
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting November 25

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ I have a couple of small things for the agenda: - A recent patch [1] on the mailing list proposes to export the OP-TEE version info printed by the driver during boot in sysfs - Do we have any questions or issues with the proposed CFG_* variable improvements from the last LOC? Are there any other topics? Please note that the LOC in December will be cancelled. [1] https://lore.kernel.org/op-tee/20251121141230.489294-1-jj251510319013@gmail… Cheers, Jens

7 months

1
0
0 0

[GIT PULL] QCOMTEE fixes2 for v6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull these two small fixes for the QCOMTEE driver in the TEE subsystem. Thanks, Jens The following changes since commit 3a8660878839faadb4f1a6dd72c3179c1df56787: Linux 6.18-rc1 (2025-10-12 13:42:36 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/qcomtee-fixes2-for-6.18 for you to fetch changes up to e19d7f7e92e061707252eab2b71d2c3be09b2e96: tee: qcomtee: initialize result before use in release worker (2025-11-17 10:19:29 +0100) ---------------------------------------------------------------- QCOMTEE fixes2 for v6.18 - initialize result before use in in error path - fix uninitialized pointers with free attribute ---------------------------------------------------------------- Ally Heev (1): tee: qcomtee: fix uninitialized pointers with free attribute Amirreza Zarrabi (1): tee: qcomtee: initialize result before use in release worker drivers/tee/qcomtee/call.c | 2 +- drivers/tee/qcomtee/core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)

7 months, 1 week

1
0
0 0

[PATCH v2] tee: qcomtee: initialize result before use in release worker

by Amirreza Zarrabi

Initialize result to 0 so the error path doesn't read it uninitialized when the invoke fails. Fixes a Smatch warning. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/op-tee/7c1e0de2-7d42-4c6b-92fe-0e4fe5d650b5@oss.qua… Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- Changes in v2: - Update subject to tee: qcomtee:. - Link to v1: https://lore.kernel.org/r/20251110-qcom-tee-fix-warning-v1-1-d962f99f385d@o… --- drivers/tee/qcomtee/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index b6715ada7700..ecd04403591c 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -82,7 +82,7 @@ static void qcomtee_do_release_qtee_object(struct work_struct *work) { struct qcomtee_object *object; struct qcomtee *qcomtee; - int ret, result; + int ret, result = 0; /* RELEASE does not require any argument. */ struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } }; --- base-commit: ab40c92c74c6b0c611c89516794502b3a3173966 change-id: 20251110-qcom-tee-fix-warning-3d58d74a22d8 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

7 months, 1 week

4
3
0 0

[PATCH v2] tee: optee: prevent use-after-free when the client exits before the supplicant

by Amirreza Zarrabi

Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the client wait as killable so it can be interrupted during shutdown or after a supplicant crash. This changes the original lifetime expectations: the client task can now terminate while the supplicant is still processing its request. If the client exits first it removes the request from its queue and kfree()s it, while the request ID remains in supp->idr. A subsequent lookup on the supplicant path then dereferences freed memory, leading to a use-after-free. Serialise access to the request with supp->mutex: * Hold supp->mutex in optee_supp_recv() and optee_supp_send() while looking up and touching the request. * Let optee_supp_thrd_req() notice that the client has terminated and signal optee_supp_send() accordingly. With these changes the request cannot be freed while the supplicant still has a reference, eliminating the race. Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- Changes in v2: - Replace the static variable with a sentinel value. - Fix the issue with returning the popped request to the supplicant. - Link to v1: https://lore.kernel.org/r/20250605-fix-use-after-free-v1-1-a70d23bff248@oss… --- drivers/tee/optee/supp.c | 110 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 75 insertions(+), 35 deletions(-) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index d0f397c90242..fa39f5f226aa 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -9,6 +9,7 @@ struct optee_supp_req { struct list_head link; + int id; bool in_queue; u32 func; @@ -19,6 +20,9 @@ struct optee_supp_req { struct completion c; }; +/* It is temporary request used for invalid pending request in supp->idr. */ +#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-ENOENT)) + void optee_supp_init(struct optee_supp *supp) { memset(supp, 0, sizeof(*supp)); @@ -102,6 +106,7 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, mutex_lock(&supp->mutex); list_add_tail(&req->link, &supp->reqs); req->in_queue = true; + req->id = -1; mutex_unlock(&supp->mutex); /* Tell an eventual waiter there's a new request */ @@ -117,21 +122,40 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, if (wait_for_completion_killable(&req->c)) { mutex_lock(&supp->mutex); if (req->in_queue) { + /* Supplicant has not seen this request yet. */ list_del(&req->link); req->in_queue = false; + + ret = TEEC_ERROR_COMMUNICATION; + } else if (req->id == -1) { + /* + * Supplicant has processed this request. Ignore the + * kill signal for now and submit the result. + */ + ret = req->ret; + } else { + /* + * Supplicant is in the middle of processing this + * request. Replace req with INVALID_REQ_PTR so that + * the ID remains busy, causing optee_supp_send() to + * fail on the next call to supp_pop_req() with this ID. + */ + idr_replace(&supp->idr, INVALID_REQ_PTR, req->id); + ret = TEEC_ERROR_COMMUNICATION; } + mutex_unlock(&supp->mutex); - req->ret = TEEC_ERROR_COMMUNICATION; + } else { + ret = req->ret; } - ret = req->ret; kfree(req); return ret; } static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, - int num_params, int *id) + int num_params) { struct optee_supp_req *req; @@ -153,8 +177,8 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp, return ERR_PTR(-EINVAL); } - *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); - if (*id < 0) + req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL); + if (req->id < 0) return ERR_PTR(-ENOMEM); list_del(&req->link); @@ -214,7 +238,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, struct optee *optee = tee_get_drvdata(teedev); struct optee_supp *supp = &optee->supp; struct optee_supp_req *req = NULL; - int id; size_t num_meta; int rc; @@ -223,16 +246,47 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, return rc; while (true) { - mutex_lock(&supp->mutex); - req = supp_pop_entry(supp, *num_params - num_meta, &id); - mutex_unlock(&supp->mutex); + scoped_guard(mutex, &supp->mutex) { + req = supp_pop_entry(supp, *num_params - num_meta); + if (!req) + goto wait_for_request; - if (req) { if (IS_ERR(req)) return PTR_ERR(req); - break; + + /* + * Process the request while holding the lock, + * so that optee_supp_thrd_req() doesn't pull the + * request out from under us. + */ + + if (num_meta) { + /* + * tee-supplicant support meta parameters -> + * requests can be processed asynchronously. + */ + param->attr = + TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | + TEE_IOCTL_PARAM_ATTR_META; + param->u.value.a = req->id; + param->u.value.b = 0; + param->u.value.c = 0; + } else { + supp->req_id = req->id; + } + + *func = req->func; + *num_params = req->num_params + num_meta; + memcpy(param + num_meta, req->param, + sizeof(struct tee_param) * req->num_params); + + return 0; } + /* Check for the next request in the queue. */ + continue; + +wait_for_request: /* * If we didn't get a request we'll block in * wait_for_completion() to avoid needless spinning. @@ -245,27 +299,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params, return -ERESTARTSYS; } - if (num_meta) { - /* - * tee-supplicant support meta parameters -> requsts can be - * processed asynchronously. - */ - param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT | - TEE_IOCTL_PARAM_ATTR_META; - param->u.value.a = id; - param->u.value.b = 0; - param->u.value.c = 0; - } else { - mutex_lock(&supp->mutex); - supp->req_id = id; - mutex_unlock(&supp->mutex); - } - - *func = req->func; - *num_params = req->num_params + num_meta; - memcpy(param + num_meta, req->param, - sizeof(struct tee_param) * req->num_params); - return 0; } @@ -297,12 +330,19 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp, if (!req) return ERR_PTR(-ENOENT); + /* optee_supp_thrd_req() already returned to optee. */ + if (IS_ERR(req)) + goto failed_req; + if ((num_params - nm) != req->num_params) return ERR_PTR(-EINVAL); + req->id = -1; + *num_meta = nm; +failed_req: idr_remove(&supp->idr, id); supp->req_id = -1; - *num_meta = nm; + return req; } @@ -328,9 +368,8 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, mutex_lock(&supp->mutex); req = supp_pop_req(supp, num_params, param, &num_meta); - mutex_unlock(&supp->mutex); - if (IS_ERR(req)) { + mutex_unlock(&supp->mutex); /* Something is wrong, let supplicant restart. */ return PTR_ERR(req); } @@ -358,6 +397,7 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params, /* Let the requesting thread continue */ complete(&req->c); + mutex_unlock(&supp->mutex); return 0; } --- base-commit: 3be1a7a31fbda82f3604b6c31e4f390110de1b46 change-id: 20250604-fix-use-after-free-8ff1b5d5d774 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

7 months, 1 week

3
2
0 0

AI Policy - Guidance on AI-assisted contributions

by Shaun Longhorn

All, Please be aware that today we have published our AI policy with Guidance on AI-assisted contributions. See the full details here: https://www.trustedfirmware.org/aipolicy/ Should you have any questions feel free to raise them. Thanks, Shaun Community Manager

7 months, 1 week

1
0
0 0

[PATCH v3] tee: qcomtee: fix uninitialized pointers with free attribute

by Ally Heev

Uninitialized pointers with `__free` attribute can cause undefined behavior as the memory assigned randomly to the pointer is freed automatically when the pointer goes out of scope. qcomtee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attribute in one statement to ensure proper scope-based cleanup Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev <allyheev(a)gmail.com> --- Changes in v3: - fixed commit message and description - Link to v2: https://lore.kernel.org/r/20251110-aheev-uninitialized-free-attr-tee-v2-1-0… Changes in v2: - initializing variables to NULL at the declaration - Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2… --- drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result; --- base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2 Best regards, -- Ally Heev <allyheev(a)gmail.com>

7 months, 1 week

3
2
0 0

[GIT PULL] TEE fix for v6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull this small kernel-doc fix for the TEE subsystem. Thanks, Jens The following changes since commit 3a8660878839faadb4f1a6dd72c3179c1df56787: Linux 6.18-rc1 (2025-10-12 13:42:36 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-fix-for-v6.18 for you to fetch changes up to aaf46c6a6df6052881c2e75cba65aeb6f1cfa88a: tee: <uapi/linux/tee.h: fix all kernel-doc issues (2025-11-10 09:47:54 +0100) ---------------------------------------------------------------- TEE kernel-doc fixes for v6.18 ---------------------------------------------------------------- Randy Dunlap (1): tee: <uapi/linux/tee.h: fix all kernel-doc issues include/uapi/linux/tee.h | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-)

7 months, 1 week

1
0
0 0

[PATCH] tee: qcom: initialize result before use in release worker

by Amirreza Zarrabi

Initialize result to 0 so the error path doesn't read it uninitialized when the invoke fails. Fixes a Smatch warning. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/op-tee/7c1e0de2-7d42-4c6b-92fe-0e4fe5d650b5@oss.qua… Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- drivers/tee/qcomtee/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index b6715ada7700..ecd04403591c 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -82,7 +82,7 @@ static void qcomtee_do_release_qtee_object(struct work_struct *work) { struct qcomtee_object *object; struct qcomtee *qcomtee; - int ret, result; + int ret, result = 0; /* RELEASE does not require any argument. */ struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } }; --- base-commit: ab40c92c74c6b0c611c89516794502b3a3173966 change-id: 20251110-qcom-tee-fix-warning-3d58d74a22d8 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

7 months, 1 week

2
4
0 0

[PATCH v2] tee: fix uninitialized pointers with free attribute

by Ally Heev

Uninitialized pointers with `__free` attribute can cause undefined behavior as the memory assigned randomly to the pointer is freed automatically when the pointer goes out of scope. tee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attribute in one statement to ensure proper scope-based cleanup Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev <allyheev(a)gmail.com> --- Changes in v2: - initializing variables to NULL at the declaration - Link to v1: https://lore.kernel.org/r/20251105-aheev-uninitialized-free-attr-tee-v1-1-2… --- drivers/tee/qcomtee/call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..65f9140d4e1f8909d072004fd24730543e320d74 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,7 +645,7 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = NULL; struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result; --- base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2 Best regards, -- Ally Heev <allyheev(a)gmail.com>

7 months, 2 weeks

2
1
0 0

[bug report] tee: add Qualcomm TEE driver

by Dan Carpenter

Hello Amirreza Zarrabi, Commit d6e290837e50 ("tee: add Qualcomm TEE driver") from Sep 11, 2025 (linux-next), leads to the following Smatch static checker warning: drivers/tee/qcomtee/core.c:104 qcomtee_do_release_qtee_object() error: uninitialized symbol 'result'. drivers/tee/qcomtee/core.c 81 static void qcomtee_do_release_qtee_object(struct work_struct *work) 82 { 83 struct qcomtee_object *object; 84 struct qcomtee *qcomtee; 85 int ret, result; 86 87 /* RELEASE does not require any argument. */ 88 struct qcomtee_arg args[] = { { .type = QCOMTEE_ARG_TYPE_INV } }; 89 90 object = container_of(work, struct qcomtee_object, work); 91 qcomtee = tee_get_drvdata(object->info.qcomtee_async_ctx->teedev); 92 /* Get the TEE context used for asynchronous operations. */ 93 qcomtee->oic.ctx = object->info.qcomtee_async_ctx; 94 95 ret = qcomtee_object_do_invoke_internal(&qcomtee->oic, object, 96 QCOMTEE_MSG_OBJECT_OP_RELEASE, 97 args, &result); 98 99 /* Is it safe to retry the release? */ 100 if (ret && ret != -ENODEV) { 101 queue_work(qcomtee->wq, &object->work); 102 } else { 103 if (ret || result) --> 104 pr_err("%s release failed, ret = %d (%x)\n", 105 qcomtee_object_name(object), ret, result); ^^^^^^ result could be uninitialized if ret is non-zero. 106 qcomtee_qtee_object_free(object); 107 } 108 } regards, dan carpenter

7 months, 2 weeks

3
2
0 0

[PATCH] tee: <uapi/linux/tee.h: fix all kernel-doc issues

by Randy Dunlap

Fix kernel-doc warnings so that there no other kernel-doc issues in <uapi/linux/tee.h>: - add ending ':' to some struct members as needed for kernel-doc - change struct name in kernel-doc to match the actual struct name (2x) - add a @params: kernel-doc entry multiple times Warning: tee.h:265 struct member 'ret_origin' not described in 'tee_ioctl_open_session_arg' Warning: tee.h:265 struct member 'num_params' not described in 'tee_ioctl_open_session_arg' Warning: tee.h:265 struct member 'params' not described in 'tee_ioctl_open_session_arg' Warning: tee.h:351 struct member 'num_params' not described in 'tee_iocl_supp_recv_arg' Warning: tee.h:351 struct member 'params' not described in 'tee_iocl_supp_recv_arg' Warning: tee.h:372 struct member 'num_params' not described in 'tee_iocl_supp_send_arg' Warning: tee.h:372 struct member 'params' not described in 'tee_iocl_supp_send_arg' Warning: tee.h:298: expecting prototype for struct tee_ioctl_invoke_func_arg. Prototype was for struct tee_ioctl_invoke_arg instead Warning: tee.h:473: expecting prototype for struct tee_ioctl_invoke_func_arg. Prototype was for struct tee_ioctl_object_invoke_arg instead Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> --- Cc: Jens Wiklander <jens.wiklander(a)linaro.org> Cc: Sumit Garg <sumit.garg(a)kernel.org> Cc: op-tee(a)lists.trustedfirmware.org --- include/uapi/linux/tee.h | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) --- linux-next-20251022.orig/include/uapi/linux/tee.h +++ linux-next-20251022/include/uapi/linux/tee.h @@ -249,8 +249,9 @@ struct tee_ioctl_param { * @cancel_id: [in] Cancellation id, a unique value to identify this request * @session: [out] Session id * @ret: [out] return value - * @ret_origin [out] origin of the return value - * @num_params [in] number of parameters following this struct + * @ret_origin: [out] origin of the return value + * @num_params: [in] number of &struct tee_ioctl_param entries in @params + * @params: array of ioctl parameters */ struct tee_ioctl_open_session_arg { __u8 uuid[TEE_IOCTL_UUID_LEN]; @@ -276,14 +277,14 @@ struct tee_ioctl_open_session_arg { struct tee_ioctl_buf_data) /** - * struct tee_ioctl_invoke_func_arg - Invokes a function in a Trusted - * Application + * struct tee_ioctl_invoke_arg - Invokes a function in a Trusted Application * @func: [in] Trusted Application function, specific to the TA * @session: [in] Session id * @cancel_id: [in] Cancellation id, a unique value to identify this request * @ret: [out] return value - * @ret_origin [out] origin of the return value - * @num_params [in] number of parameters following this struct + * @ret_origin: [out] origin of the return value + * @num_params: [in] number of parameters following this struct + * @params: array of ioctl parameters */ struct tee_ioctl_invoke_arg { __u32 func; @@ -338,7 +339,8 @@ struct tee_ioctl_close_session_arg { /** * struct tee_iocl_supp_recv_arg - Receive a request for a supplicant function * @func: [in] supplicant function - * @num_params [in/out] number of parameters following this struct + * @num_params: [in/out] number of &struct tee_ioctl_param entries in @params + * @params: array of ioctl parameters * * @num_params is the number of params that tee-supplicant has room to * receive when input, @num_params is the number of actual params @@ -363,7 +365,8 @@ struct tee_iocl_supp_recv_arg { /** * struct tee_iocl_supp_send_arg - Send a response to a received request * @ret: [out] return value - * @num_params [in] number of parameters following this struct + * @num_params: [in] number of &struct tee_ioctl_param entries in @params + * @params: array of ioctl parameters */ struct tee_iocl_supp_send_arg { __u32 ret; @@ -454,11 +457,13 @@ struct tee_ioctl_shm_register_fd_data { */ /** - * struct tee_ioctl_invoke_func_arg - Invokes an object in a Trusted Application + * struct tee_ioctl_object_invoke_arg - Invokes an object in a + * Trusted Application * @id: [in] Object id * @op: [in] Object operation, specific to the object * @ret: [out] return value * @num_params: [in] number of parameters following this struct + * @params: array of ioctl parameters */ struct tee_ioctl_object_invoke_arg { __u64 id;

7 months, 2 weeks

3
2
0 0

[PATCH] tee: fix uninitialized pointers with free attr

by Ally Heev

Uninitialized pointers with `__free` attribute can cause undefined behaviour as the memory assigned(randomly) to the pointer is freed automatically when the pointer goes out of scope tee doesn't have any bugs related to this as of now, but it is better to initialize and assign pointers with `__free` attr in one statement to ensure proper scope-based cleanup Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/all/aPiG_F5EBQUjZqsl@stanley.mountain/ Signed-off-by: Ally Heev <allyheev(a)gmail.com> --- drivers/tee/qcomtee/call.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c index ac134452cc9cfd384c28d41547545f2c5748d86c..8b7b4decddd8d1811dc0a7cc46a4a4fbada45526 100644 --- a/drivers/tee/qcomtee/call.c +++ b/drivers/tee/qcomtee/call.c @@ -645,12 +645,13 @@ static void qcomtee_get_version(struct tee_device *teedev, static void qcomtee_get_qtee_feature_list(struct tee_context *ctx, u32 id, u32 *version) { - struct qcomtee_object_invoke_ctx *oic __free(kfree); struct qcomtee_object *client_env, *service; struct qcomtee_arg u[3] = { 0 }; int result; - oic = qcomtee_object_invoke_ctx_alloc(ctx); + struct qcomtee_object_invoke_ctx *oic __free(kfree) = + qcomtee_object_invoke_ctx_alloc(ctx); + if (!oic) return; --- base-commit: c9cfc122f03711a5124b4aafab3211cf4d35a2ac change-id: 20251105-aheev-uninitialized-free-attr-tee-0221e45ec5a2 Best regards, -- Ally Heev <allyheev(a)gmail.com>

7 months, 2 weeks

3
2
0 0

[PATCH] tee: fix illegal pointer dereference in tee_shm_put()

by yangzhao

In tee_shm_put(), there is not only the NULL pointer dereference, but also the illegal pointer dereference. shutdown() ---> __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...); tee_shm_free(shm); --> tee_shm_put(shm); //crash: shm->ctx maybe NULL pointer or illegal pointer Check whether the pointer is NULL and whether the pointer address is valid. This issue occurs when rich world uses the 6.x version of the kernel and optee secure world uses a lower version (such as version 3.2), and it is highly likely to trigger a kernel panic when conducting hibernate tests. Fixes: e4a718a3a47e ("tee: fix NULL pointer dereference in tee_shm_put") Signed-off-by: yangzhao <yangzhao(a)kylinos.cn> --- drivers/tee/tee_shm.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 4a47de4bb2e5..de01d16409c1 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -722,7 +722,14 @@ void tee_shm_put(struct tee_shm *shm) struct tee_device *teedev; bool do_release = false; - if (!shm || !shm->ctx || !shm->ctx->teedev) + /* checking pointer */ + if (IS_ERR_OR_NULL(shm) || !virt_addr_valid(shm)) + return; + + if (IS_ERR_OR_NULL(shm->ctx) || !virt_addr_valid(shm->ctx)) + return; + + if (IS_ERR_OR_NULL(shm->ctx->teedev) || !virt_addr_valid(shm->ctx->teedev)) return; teedev = shm->ctx->teedev; -- 2.25.1

7 months, 2 weeks

2
3
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting October 28

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - OP-TEE version 4.8.0 has been released - We have an op-tee channel at the Trusted Firmware Discord server [1]. Last week, there was a message about improving the order of all the config options we have in OP-TEE, the CFG_* variables. In the long term, we might still aim for Kconfig, but that's quite a large step. However, there are intermediate steps that we can take. I hope we'll see more of this. Are there any other topics? [1] https://www.trustedfirmware.org/faq/ Cheers, Jens

7 months, 4 weeks

1
0
0 0

OP-TEE 4.8.0 has been released

by Jens Wiklander

Hi, I'm pleased to announce that OP-TEE version 4.6.0 is now available. The list of changes can be found in the changelog [1]. A big thank you to everyone who participated with contributions and helping out with testing the release [2]. [1] https://github.com/OP-TEE/optee_os/blob/4.8.0/CHANGELOG.md [2] https://github.com/OP-TEE/optee_os/commit/86660925433a8d4d1b19cfa5fe940081d… Regards, Jens

8 months

1
0
0 0

[PATCH] core: Relax StMM dependency to TEE_STORAGE_PRIVATE

by Jan Kiszka

From: Jan Kiszka <jan.kiszka(a)siemens.com> This allows to run StMM without the userspace supplicant if the in-kernel RPMB service is available. Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com> --- core/pta/device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/pta/device.c b/core/pta/device.c index 39ad3ddda..21c13bd94 100644 --- a/core/pta/device.c +++ b/core/pta/device.c @@ -67,8 +67,8 @@ static TEE_Result get_devices(uint32_t types, add_ta(ta->flags, &ta->uuid, buf, blen, &pos, rflags); if (stmm_get_uuid()) - add_ta(TA_FLAG_DEVICE_ENUM_SUPP, stmm_get_uuid(), buf, blen, - &pos, rflags); + add_ta(TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE, + stmm_get_uuid(), buf, blen, &pos, rflags); if (IS_ENABLED(CFG_EARLY_TA)) for_each_early_ta(eta) -- 2.51.0

8 months

2
2
0 0

Re: [PATCH 0/8] sd: Add RPMB emulation to eMMC model

by Jan Kiszka

FYI: QEMU model is working fine, upstreaming started, feedback welcome. Jan On 24.08.25 09:18, Jan Kiszka wrote: > This closes an old gap in system integration testing for the very > complex ARM firmware stacks by adding fairly advanced Replay Protected > Memory Block (RPMB) emulation to the eMMC device model. Key programming > and message authentication are working, so is the write counter. Known > users are happy with the result. What is missing, but not only for RPMB- > related registers, is state persistence across QEMU restarts. This is OK > at this stage for most test scenarios, though, and could still be added > later on. > > What can already be done with it is demonstrated in the WIP branch of > isar-cip-core at [1]: TF-A + OP-TEE + StandaloneMM TA + fTPM TA, used by > U-Boot and Linux for UEFI variable storage and TPM scenarios. If you > want to try: build qemu-arm64 target for trixie with 6.12-cip *head* > kernel, enable secure boot and disk encryption, then run > > $ QEMU_PATH=/path/to/qemu-build/ ./start-qemu.sh > > Deploy snakeoil keys into PK, KEK and db after first boot to enable > secure booting: > > root@demo:~# cert-to-efi-sig-list PkKek-1-snakeoil.pem PK.esl > root@demo:~# sign-efi-sig-list -k PkKek-1-snakeoil.key -c PkKek-1-snakeoil.pem PK PK.esl PK.auth > root@demo:~# efi-updatevar -f PK.auth db > root@demo:~# efi-updatevar -f PK.auth KEK > root@demo:~# efi-updatevar -f PK.auth PK > > Note that emulation is a bit slow in general, and specifically the > partition encryption on first boot is taking 20 min. - we should > probably reduce its size or understand if there is still something to > optimize. > > Jan > > [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/commits/wip/qemu-rp… > > Cc: "Daniel P. Berrangé" <berrange(a)redhat.com> > > Jan Kiszka (8): > hw/sd/sdcard: Fix size check for backing block image > hw/sd/sdcard: Add validation for boot-partition-size > hw/sd/sdcard: Allow user-instantiated eMMC > hw/sd/sdcard: Refactor sd_bootpart_offset > hw/sd/sdcard: Add basic support for RPMB partition > crypto/hmac: Allow to build hmac over multiple > qcrypto_gnutls_hmac_bytes[v] calls > hw/sd/sdcard: Handle RPMB MAC field > scripts: Add helper script to generate eMMC block device images > > crypto/hmac-gcrypt.c | 4 +- > crypto/hmac-glib.c | 4 +- > crypto/hmac-gnutls.c | 4 +- > crypto/hmac-nettle.c | 4 +- > hw/sd/sd.c | 314 ++++++++++++++++++++++++++++++++++++++--- > hw/sd/sdmmc-internal.h | 24 +++- > hw/sd/trace-events | 2 + > include/crypto/hmac.h | 12 ++ > scripts/mkemmc.sh | 185 ++++++++++++++++++++++++ > 9 files changed, 530 insertions(+), 23 deletions(-) > create mode 100755 scripts/mkemmc.sh > -- Siemens AG, Foundational Technologies Linux Expert Center

8 months

3
4
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE