- OP-TEE - lists.trustedfirmware.org

by Amirreza Zarrabi

Hi Jens, Recently protected heap support has been added for the TEE subsystem. This allows dma-heaps to be managed by the TEE subsystem itself. For standard, non-protected heaps such as the system heap or CMA heap, I am trying to understand the expected usage model. One possible workaround appears to be to mmap the dma-buf fd in userspace, then register the resulting userspace VA with the TEE subsystem to obtain a TEE shared-memory object, for example: fd = dma_heap_alloc(...); va = mmap(fd, ...); shm_fd = tee_shm_register(va, size); tee_invoke(shm_fd); close(shm_fd); munmap(va, size); close(fd); This seems reasonable when the lifetime of the registered shared memory is limited to a single invocation or callback. However, I am concerned about cases (multiple exits in qcomtee) where the TEE side needs to retain access to the memory after the ioctl/invocation returns. In that case, registering only the userspace VA does not appear to keep the underlying dma-buf object alive. The TEE core pins the pages, but it does not hold a dma-buf reference or attachment. If userspace later closes the dma-buf fd and unmaps the VA, the dma-buf exporter may consider the buffer released, while the TEE side may still have the memory registered. Is there a recommended way to use standard heaps, such as the system or CMA dma-buf heaps, when the sharing lifetime is longer than a single TEE call? Would it make sense to extend tee_shm_register_fd() so that it can handle dma-buf fds from regular dma-heaps as well, not only dma-bufs managed by the TEE subsystem? That would allow the TEE core or backend driver to keep the dma-buf reference for the lifetime of the TEE shared-memory object. Best regards, Amir

3 weeks, 5 days

3
4
0 0

[GIT PULL] QCOMTEE fix for v7.1

by Jens Wiklander

Hello soc maintainers, Please pull this small fix for the QCOMTEE driver. Thanks, Jens The following changes since commit 028ef9c96e96197026887c0f092424679298aae8: Linux 7.0 (2026-04-12 13:48:06 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/qcomtee-fix-for-v7.1 for you to fetch changes up to 471c18323dfdfe7844e193b896a9267ae23a1026: tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() (2026-05-20 09:22:52 +0200) ---------------------------------------------------------------- QCOMTEE fix for v7.1 Adding a missing va_end in early return qcomtee_object_user_init() ---------------------------------------------------------------- Robertus Diawan Chris (1): tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() drivers/tee/qcomtee/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)

3 weeks, 5 days

1
0
0 0

[GIT PULL] OP-TEE fix for v7.1

by Jens Wiklander

Hello soc maintainers, Please pull this patch fixing a use-after-free race in the OP-TEE driver where a client exiting prematurely could free a request still being processed by the supplicant. This is basically a resend of https://lore.kernel.org/op-tee/20260316071210.GA2470832@rayden/ Thanks, Jens The following changes since commit 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f: Linux 7.0-rc1 (2026-02-22 13:18:59 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/optee-fix-for-v7.1 for you to fetch changes up to 387a926ee166814611acecb960207fe2f3c4fd3e: tee: optee: prevent use-after-free when the client exits before the supplicant (2026-03-02 14:36:50 +0100) ---------------------------------------------------------------- OP-TEE fix for v7.1 Prevent possible use after free in supplicant communication. ---------------------------------------------------------------- Amirreza Zarrabi (1): tee: optee: prevent use-after-free when the client exits before the supplicant drivers/tee/optee/supp.c | 107 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 74 insertions(+), 33 deletions(-)

3 weeks, 5 days

1
0
0 0

[GIT PULL] TEE fixes for v7.1

by Jens Wiklander

Hello soc maintainers, Please pull these small fixes for the TEE subsystem. Thanks, Jens The following changes since commit 028ef9c96e96197026887c0f092424679298aae8: Linux 7.0 (2026-04-12 13:48:06 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-fixes-for-v7.1 for you to fetch changes up to 6fa9b543f6b4ed15ff72af266b29f316643de289: tee: fix params_from_user() error path in tee_ioctl_supp_recv (2026-05-20 08:49:09 +0200) ---------------------------------------------------------------- TEE fixes for v7.1 Fixing: - params_from_user() cleanup in error path in tee_ioctl_supp_recv() - possible tee_shm leak in error path in register_shm_helper() - padding in struct tee_ioctl_object_invoke_arg ---------------------------------------------------------------- Arnd Bergmann (1): tee: fix tee_ioctl_object_invoke_arg padding Georgiy Osokin (1): tee: shm: fix shm leak in register_shm_helper() Qihang (1): tee: fix params_from_user() error path in tee_ioctl_supp_recv drivers/tee/tee_core.c | 56 +++++++++++++++++++++--------------------------- drivers/tee/tee_shm.c | 2 +- include/uapi/linux/tee.h | 1 + 3 files changed, 27 insertions(+), 32 deletions(-)

3 weeks, 5 days

1
0
0 0

[PATCH v4 0/5] arm_ffa, KVM: Fix FF-A emad offset calculations

by Mostafa Saleh

Hi all, This series fixes the Endpoint Memory Access Descriptor (EMAD) offset calculations and adds the necessary bounds checks for both the core FF-A driver and the pKVM hypervisor. Prior to FF-A version 1.1, the memory region header didn't specify an explicit offset for the EMADs, leading to the assumption that they immediately follow the header. However, from v1.1 onwards, the specification dictates using the ep_mem_offset` field to determine the start of the memory access array. The patches in this series address this by: 1. Updating the core `arm_ffa` firmware driver to correctly calculate the descriptor offset using `ep_mem_offset` rather than defaulting to `sizeof(struct ffa_mem_region)`. It also introduces bounds checking against `max_fragsize`. 2. Enhancing the pKVM hypervisor validation logic to no longer strictly enforce that the descriptor strictly follows the header, aligning it with the driver behavior and the FF-A specification, while also ensuring the offset falls within the mailbox buffer bounds. While addressing these bugs, Sashiko uncovered other issues that were fixed in the same series. Changelog ######### v3 -> v4: - Address review comments and fix Sashiko bugs v2 -> v3: - Fixed typo in nvhe/ffa.c (missing sizeof) v1 -> v2: - For pKVM, removed the strict placement enforcement for `ep_mem_offset` as it is not compliant with the spec, and avoids making assumptions about the driver's memory layout. Link to: ######## v3: https://lore.kernel.org/all/20260512124442.1899107-1-sebastianene@google.co… v2: https://lore.kernel.org/all/20260430160241.1934777-1-sebastianene@google.co… v1: https://lore.kernel.org/all/ae9KN9nkOgDYJcGP@google.com/T/#t Mostafa Saleh (3): optee: ffa: Add NULL check in optee_ffa_lend_protmem firmware: arm_ffa: Fix out-of-bound writes in ffa_setup_and_transmit() KVM: arm64: Fix bounds checking in do_ffa_mem_reclaim() Sebastian Ene (2): firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation KVM: arm64: Validate the offset to the mem access descriptor arch/arm64/kvm/hyp/nvhe/ffa.c | 30 +++++++++++++++++++++++------- drivers/firmware/arm_ffa/driver.c | 21 +++++++++++++-------- drivers/tee/optee/ffa_abi.c | 3 +++ include/linux/arm_ffa.h | 2 +- 4 files changed, 40 insertions(+), 16 deletions(-) -- 2.54.0.669.g59709faab0-goog

3 weeks, 5 days

3
11
0 0

[PATCH v2] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init()

by Robertus Diawan Chris

qcomtee_object_user_init() is a variadic function and when the function return because there's no dispatch callback in QCOMTEE_OBJECT_TYPE_CB case, there's no va_end to cleanup "ap" object initialized by va_start and that can cause undefined behavior. So make sure to use va_end before returning the error code when there's no dispatch callback. This is reported by Coverity Scan as "Missing varargs init or cleanup". Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Robertus Diawan Chris <robertusdchris(a)gmail.com> Reviewed-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> --- v1 -> v2: - Use "break" statement instead of "goto" statement. There's va_end outside of switch-case, so we only need to go out from switch-case instead of using a label (suggested by Amirreza Zarrabi). - Add "Reviewed-by" tag from Amirreza Zarrabi. v1: https://lore.kernel.org/all/20260513091031.145826-1-robertusdchris@gmail.co… I don't have the device, so I am not sure how to test this change. Thank you. drivers/tee/qcomtee/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index b1cb50e434f0..60fe3b5776e3 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -306,8 +306,10 @@ int qcomtee_object_user_init(struct qcomtee_object *object, break; case QCOMTEE_OBJECT_TYPE_CB: object->ops = ops; - if (!object->ops->dispatch) - return -EINVAL; + if (!object->ops->dispatch) { + ret = -EINVAL; + break; + } /* If failed, "no-name". */ object->name = kvasprintf_const(GFP_KERNEL, fmt, ap); base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8 -- 2.54.0

3 weeks, 6 days

2
1
0 0

[PATCH] tee: qcomtee: add missing va_end in early return qcomtee_object_user_init()

by Robertus Diawan Chris

qcomtee_object_user_init() is a variadic function and when the function return because there's no dispatch callback in QCOMTEE_OBJECT_TYPE_CB case, there's no va_end to cleanup "ap" object initialized by va_start and that can cause undefined behavior. So make sure to use va_end before returning the error code when there's no dispatch callback. This is reported by Coverity Scan as "Missing varargs init or cleanup". Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver") Signed-off-by: Robertus Diawan Chris <robertusdchris(a)gmail.com> --- I don't have the device, so I am not sure how to test this change. Thank you. drivers/tee/qcomtee/core.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index b1cb50e434f0..901a31e8201f 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -306,8 +306,10 @@ int qcomtee_object_user_init(struct qcomtee_object *object, break; case QCOMTEE_OBJECT_TYPE_CB: object->ops = ops; - if (!object->ops->dispatch) - return -EINVAL; + if (!object->ops->dispatch) { + ret = -EINVAL; + goto out; + } /* If failed, "no-name". */ object->name = kvasprintf_const(GFP_KERNEL, fmt, ap); @@ -320,6 +322,8 @@ int qcomtee_object_user_init(struct qcomtee_object *object, default: ret = -EINVAL; } + +out: va_end(ap); return ret; base-commit: 5d6919055dec134de3c40167a490f33c74c12581 -- 2.54.0

4 weeks, 1 day

2
5
0 0

[PATCH v5 00/16] firmware: qcom: Add OP-TEE PAS service support

by Sumit Garg

From: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Qcom platforms has the legacy of using non-standard SCM calls splintered over the various kernel drivers. These SCM calls aren't compliant with the standard SMC calling conventions which is a prerequisite to enable migration to the FF-A specifications from Arm. OP-TEE as an alternative trusted OS to Qualcomm TEE (QTEE) can't support these non-standard SCM calls. And even for newer architectures using S-EL2 with Hafnium support, QTEE won't be able to support SCM calls either with FF-A requirements coming in. And with both OP-TEE and QTEE drivers well integrated in the TEE subsystem, it makes further sense to reuse the TEE bus client drivers infrastructure. The added benefit of TEE bus infrastructure is that there is support for discoverable/enumerable services. With that client drivers don't have to manually invoke a special SCM call to know the service status. So enable the generic Peripheral Authentication Service (PAS) provided by the firmware. It acts as the common layer with different TZ backends plugged in whether it's an SCM implementation or a proper TEE bus based PAS service implementation. The TEE PAS service ABI is designed to be extensible with additional API as PTA_QCOM_PAS_CAPABILITIES. This allows to accommodate any future extensions of the PAS service needed while still maintaining backwards compatibility. Currently OP-TEE support is being added to provide the backend PAS service implementation which can be found as part of this PR [1]. This implementation has been tested on Kodiak/RB3Gen2 board with lemans EVK board being the next target. In addition to that WIN/IPQ targets planning to use OP-TEE will use this service too. Surely the backwards compatibility is maintained and tested for SCM backend. Note that kernel PAS service support while running in EL2 is at parity among OP-TEE vs QTEE. Especially the media (venus/iris) support depends on proper IOMMU support being worked out on the PAS client end. Patch summary: - Patch #1: adds Kodiak EL2 overlay since boot stack with TF-A/OP-TEE only allow UEFI and Linux to boot in EL2. - Patch #2: adds generic PAS service. - Patch #3: migrates SCM backend to generic PAS service. - Patch #4: adds TEE/OP-TEE backend for generic PAS service. - Patch #5-#14: migrates all client drivers to generic PAS service. - Patch #15: drops legacy PAS SCM exported APIs. The patch-set is based on v7.1-rc1 tag and can be found in git tree here [2]. Merge strategy: It is expected due to APIs dependency, the entire patch-set to go via the Qcom tree. All other subsystem maintainers, it will be great if I can get acks for the corresponding subsystem patches. [1] https://github.com/OP-TEE/optee_os/pull/7721 (already merged) [2] https://git.kernel.org/pub/scm/linux/kernel/git/sumit.garg/linux.git/log/?h… --- Changes in v5: - Incorporated misc. comments from Mukesh. - Split up patch #11 into 2 to add an independent commit for passing proper PAS ID to set_remote_state API. - Picked up tags. Changes in v4: - Incorporate misc. comments on patch #4. - Picked up an ack for patch #10. - Clarify in cover letter about state of media support. Changes in v3: - Incorporated some style and misc. comments for patch #2, #3 and #4. - Add QCOM_PAS Kconfig dependency for various subsystems. - Switch from pseudo TA to proper TA invoke commands. Changes in v2: - Fixed kernel doc warnings. - Polish commit message and comments for patch #2. - Pass proper PAS ID in set_remote_state API for media firmware drivers. - Added Maintainer entry and dropped MODULE_AUTHOR. Mukesh Ojha (1): arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg (15): firmware: qcom: Add a generic PAS service firmware: qcom_scm: Migrate to generic PAS service firmware: qcom: Add a PAS TEE service remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs remoteproc: qcom_q6v5_mss: Switch to generic PAS TZ APIs soc: qcom: mdtloader: Switch to generic PAS TZ APIs remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs remoteproc: qcom: Select QCOM_PAS generic service drm/msm: Switch to generic PAS TZ APIs media: qcom: Switch to generic PAS TZ APIs media: qcom: Pass proper PAS ID to set_remote_state API net: ipa: Switch to generic PAS TZ APIs wifi: ath12k: Switch to generic PAS TZ APIs firmware: qcom_scm: Remove SCM PAS wrappers MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service MAINTAINERS | 9 + arch/arm64/boot/dts/qcom/Makefile | 2 + arch/arm64/boot/dts/qcom/kodiak-el2.dtso | 35 ++ drivers/firmware/qcom/Kconfig | 19 + drivers/firmware/qcom/Makefile | 2 + drivers/firmware/qcom/qcom_pas.c | 291 +++++++++++ drivers/firmware/qcom/qcom_pas.h | 50 ++ drivers/firmware/qcom/qcom_pas_tee.c | 476 ++++++++++++++++++ drivers/firmware/qcom/qcom_scm.c | 302 ++++------- drivers/gpu/drm/msm/Kconfig | 1 + drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 11 +- drivers/media/platform/qcom/iris/Kconfig | 25 +- .../media/platform/qcom/iris/iris_firmware.c | 9 +- drivers/media/platform/qcom/venus/Kconfig | 1 + drivers/media/platform/qcom/venus/firmware.c | 11 +- drivers/net/ipa/Kconfig | 2 +- drivers/net/ipa/ipa_main.c | 13 +- drivers/net/wireless/ath/ath12k/Kconfig | 2 +- drivers/net/wireless/ath/ath12k/ahb.c | 8 +- drivers/remoteproc/Kconfig | 4 +- drivers/remoteproc/qcom_q6v5_mss.c | 5 +- drivers/remoteproc/qcom_q6v5_pas.c | 51 +- drivers/remoteproc/qcom_wcnss.c | 12 +- drivers/soc/qcom/mdt_loader.c | 12 +- include/linux/firmware/qcom/qcom_pas.h | 43 ++ include/linux/firmware/qcom/qcom_scm.h | 29 -- include/linux/soc/qcom/mdt_loader.h | 6 +- 28 files changed, 1117 insertions(+), 318 deletions(-) create mode 100644 arch/arm64/boot/dts/qcom/kodiak-el2.dtso create mode 100644 drivers/firmware/qcom/qcom_pas.c create mode 100644 drivers/firmware/qcom/qcom_pas.h create mode 100644 drivers/firmware/qcom/qcom_pas_tee.c create mode 100644 include/linux/firmware/qcom/qcom_pas.h -- 2.51.0

4 weeks, 1 day

3
22
0 0

[PATCH] hwrng: tpm: Do not enable by default

by Jan Kiszka

From: Jan Kiszka <jan.kiszka(a)siemens.com> As seen with optee_ftpm, which uses ms-tpm-20-ref [1], a TPM may write the current time epoch to its NV storage every 4 seconds if there are commands sent to it. The 60 seconds periodic update of the entropy pool that the hwrng kthread does triggers this, causing about 4 writes per requests. Makes 2 millions per year for a 24/7 device, and that is a lot for its backing NV storage. It is therefore better to make the user intentionally enable this, providing a chance to read the warning. [1] https://github.com/Microsoft/ms-tpm-20-ref Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com> --- drivers/char/tpm/Kconfig | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig index 8a8f692b6088..d64c929cacbe 100644 --- a/drivers/char/tpm/Kconfig +++ b/drivers/char/tpm/Kconfig @@ -45,13 +45,17 @@ config TCG_TPM2_HMAC config HW_RANDOM_TPM bool "TPM HW Random Number Generator support" depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m) - default y help This setting exposes the TPM's Random Number Generator as a hwrng device. This allows the kernel to collect randomness from the TPM at boot, and provides the TPM randomines in /dev/hwrng. - If unsure, say Y. + WARNING: Specifically firmware-based TPMs, possibly also hardware + variants, can wear-out from the frequent requests issued by the + Hardware Random Number Generator Core when filling the kernel's + entropy pool. These requests are sent once every minute by default, + and the TPM may write the current time to its NV storage for each of + them. config TCG_TIS_CORE tristate -- 2.51.0

1 month

4
11
0 0

[REPORT] tee: tee_ioctl_supp_recv() missing tee_shm_put() cleanup for memref params

by Qihang

Hi, I would like to report a likely shared-memory reference leak in drivers/tee/tee_core.c, in tee_ioctl_supp_recv(). The issue is that tee_ioctl_supp_recv() calls params_from_user(), which acquires references for MEMREF-type parameters via tee_shm_get_from_id(), but the cleanup path only frees the params array and does not drop the acquired shm references. Relevant code in tee_ioctl_supp_recv(): rc = params_from_user(ctx, params, num_params, uarg->params); if (rc) goto out; rc = ctx->teedev->desc->ops->supp_recv(ctx, &func, &num_params, params); if (rc) goto out; ... out: kfree(params); return rc; By contrast, other callers of params_from_user() in tee_core.c do release MEMREF references on cleanup, for example: - tee_ioctl_open_session() - tee_ioctl_invoke() - tee_ioctl_object_invoke() The helper comment in param_from_user_memref() also states that the caller is responsible for calling tee_shm_put() on all resolved pointers. Reachability / trigger paths: 1. qcomtee backend: qcomtee registers .supp_recv = qcomtee_supp_recv on a non-privileged tee device path. qcomtee_supp_recv() rejects any non-meta parameter after the first one: for (i = 1; i < *num_params; i++) if (params[i].attr) return -EINVAL; This allows a path where params_from_user() has already acquired a shm reference for a MEMREF parameter, then qcomtee_supp_recv() returns an error, and tee_ioctl_supp_recv() exits without tee_shm_put(). 2. Partial failure before backend callback: if params_from_user() successfully resolves an earlier MEMREF parameter and then fails on a later parameter, tee_ioctl_supp_recv() still goes to the same cleanup path without dropping already acquired shm refs. This means the issue is not just a backend-specific quirk: the core ioctl cleanup path itself is missing tee_shm_put() handling. Impact: - leaked shared-memory references - shared-memory objects may remain pinned and never reach final release - repeated triggering can cause resource exhaustion / DoS This does not appear to be a UAF, since refcount_t saturation prevents wraparound. The impact looks limited to resource leakage and availability. If useful, I can also prepare a patch. Thanks, Qihang

1 month

3
12
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE