- OP-TEE - lists.trustedfirmware.org

Possible race during OP-TEE kernel module device probing

by Shf Chen (陳少甫)

Hi, We found a possible race condition issue during OP-TEE kernel driver probing the device. A NULL pointer dereference exception can happen when another kernel driver open OP-TEE context with tee_client_open_context() then do a SMC call to OP-TEE. Below is the exception: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 39-bit VAs, pgdp=00000001026bb000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Workqueue: events_unbound deferred_probe_work_func pstate: 03400005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : optee_cq_wait_init+0x78/0x124 [optee] lr : optee_cq_wait_init+0x60/0x124 [optee] sp : ffffffc081fcb7f0 x29: ffffffc081fcb7f0 x28: 0000000000000000 x27: 0000000000001000 x26: ffffff8080e42c60 x25: ffffff8084d46040 x24: 0000000000000000 x23: 0000000000000000 x22: ffffffc081fcb8c0 x21: ffffffc081fcb8a8 x20: 0000000000000000 x19: ffffff8082741570 x18: ffffffe572f8ca00 x17: 00000000fa28650f x16: 00000000fa28650f x15: ffffff8084d47000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000084d47000 x11: 0000000000000000 x10: 0000000032000012 x9 : 04d4600000000001 x8 : ffffffc081fcb8c8 x7 : 0000000000000000 x6 : 000000000000003f x5 : ffffff83c86649e0 x4 : 0000000000000008 x3 : 0000000000000000 x2 : ffffff80827415a0 x1 : 0000000000000000 x0 : ffffffc081fcb8c0 Call trace: optee_cq_wait_init+0x78/0x124 [optee f6dbc35f8d96acbe1f3c329d72018151d796208d] optee_smc_do_call_with_arg+0x12c/0x95c [optee f6dbc35f8d96acbe1f3c329d72018151d796208d] optee_shm_register+0x284/0x360 [optee f6dbc35f8d96acbe1f3c329d72018151d796208d] register_shm_helper+0x1a4/0x2f4 [tee cdd8a0d077d984bda1f31f9e8903836edbe46603] tee_shm_register_kernel_buf+0x60/0x90 [tee cdd8a0d077d984bda1f31f9e8903836edbe46603] cmdq_sec_allocate_wsm+0x58/0xc4 [mtk_cmdq_sec_mbox ac82dc958e32252a21c6ce55bb8839ebb288387a] cmdq_sec_probe+0x80/0x4a0 [mtk_cmdq_sec_mbox ac82dc958e32252a21c6ce55bb8839ebb288387a] We found the optee->call_queue hasn't been initialized when our driver called OP-TEE, and it might have some issues about the device data structure initialize order in optee_probe()[drivers/tee/optee/smc_abi.c]: --- rc = tee_device_register(optee->teedev); // <----- TEE device register here if (rc) goto err_unreg_supp_teedev; rc = tee_device_register(optee->supp_teedev); if (rc) goto err_unreg_supp_teedev; optee_cq_init(&optee->call_queue, thread_count); // <----- Some data structures are initialized afterwards optee_supp_init(&optee->supp); optee->smc.memremaped_shm = memremaped_shm; optee->pool = pool; optee_shm_arg_cache_init(optee, arg_cache_flags); mutex_init(&optee->rpmb_dev_mutex); --- We want to ask if the data structure initialization should be done before the tee device registration? Best regards, Shao-Fu Chen

1 month, 4 weeks

3
4
0 0

[PATCH v2 00/15] firmware: qcom: Add OP-TEE PAS service support

by Sumit Garg

From: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Qcom platforms has the legacy of using non-standard SCM calls splintered over the various kernel drivers. These SCM calls aren't compliant with the standard SMC calling conventions which is a prerequisite to enable migration to the FF-A specifications from Arm. OP-TEE as an alternative trusted OS to Qualcomm TEE (QTEE) can't support these non-standard SCM calls. And even for newer architectures with S-EL2 and Hafnium support, QTEE won't be able to support SCM calls either with FF-A requirements coming in. And with both OP-TEE and QTEE drivers well integrated in the TEE subsystem, it makes further sense to reuse the TEE bus client drivers infrastructure. The added benefit of TEE bus infrastructure is that there is support for discoverable/enumerable services. With that client drivers don't have to manually invoke a special SCM call to know the service status. So enable the generic Peripheral Authentication Service (PAS) provided by the firmware. It acts as the common layer with different TZ backends plugged in whether it's an SCM implementation or a proper TEE bus based PAS service implementation. The TEE PAS service ABI is designed to be extensible with additional API as PTA_QCOM_PAS_CAPABILITIES. This allows to accommodate any future extensions of the PAS service needed while still maintaining backwards compatibility. Currently OP-TEE support is being added to provide the backend PAS service implementation which can be found as part of this PR [1]. This implementation has been tested on Kodiak/RB3Gen2 board with lemans EVK board being the next target. In addition to that WIN/IPQ targets planning to use OP-TEE will use this service too. Surely the backwards compatibility is maintained and tested for SCM backend. Patch summary: - Patch #1: adds Kodiak EL2 overlay since boot stack with TF-A/OP-TEE only allow UEFI and Linux to boot in EL2. - Patch #2: adds generic PAS service. - Patch #3: migrates SCM backend to generic PAS service. - Patch #4: adds TEE/OP-TEE backend for generic PAS service. - Patch #5-#13: migrates all client drivers to generic PAS service. - Patch #14: drops legacy PAS SCM exported APIs. The patch-set is based on v7.0-rc2 tag and can be found in git tree here [2]. Merge strategy: It is expected due to APIs dependency, the entire patch-set to go via the Qcom tree. All other subsystem maintainers, it will be great if I can get acks for the corresponding subsystem patches. [1] https://github.com/OP-TEE/optee_os/pull/7721 [2] https://git.kernel.org/pub/scm/linux/kernel/git/sumit.garg/linux.git/log/?h… --- Changes in v2: - Fixed kernel doc warnings. - Polish commit message and comments for patch #2. - Pass proper PAS ID in set_remote_state API for media firmware drivers. - Added Maintainer entry and dropped MODULE_AUTHOR. - Picked up ack from Jeff. Mukesh Ojha (1): arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg (14): firmware: qcom: Add a generic PAS service firmware: qcom_scm: Migrate to generic PAS service firmware: qcom: Add a PAS TEE service remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs remoteproc: qcom_q6v5_mss: Switch to generic PAS TZ APIs soc: qcom: mdtloader: Switch to generic PAS TZ APIs remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs remoteproc: qcom: Select QCOM_PAS_TEE service backend drm/msm: Switch to generic PAS TZ APIs media: qcom: Switch to generic PAS TZ APIs net: ipa: Switch to generic PAS TZ APIs wifi: ath12k: Switch to generic PAS TZ APIs firmware: qcom_scm: Remove SCM PAS wrappers MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service MAINTAINERS | 9 + arch/arm64/boot/dts/qcom/Makefile | 2 + arch/arm64/boot/dts/qcom/kodiak-el2.dtso | 35 ++ drivers/firmware/qcom/Kconfig | 18 + drivers/firmware/qcom/Makefile | 2 + drivers/firmware/qcom/qcom_pas.c | 298 +++++++++++ drivers/firmware/qcom/qcom_pas.h | 53 ++ drivers/firmware/qcom/qcom_pas_tee.c | 477 ++++++++++++++++++ drivers/firmware/qcom/qcom_scm.c | 304 ++++------- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 11 +- .../media/platform/qcom/iris/iris_firmware.c | 9 +- drivers/media/platform/qcom/venus/firmware.c | 11 +- drivers/net/ipa/ipa_main.c | 13 +- drivers/net/wireless/ath/ath12k/ahb.c | 8 +- drivers/remoteproc/Kconfig | 1 + drivers/remoteproc/qcom_q6v5_mss.c | 5 +- drivers/remoteproc/qcom_q6v5_pas.c | 51 +- drivers/remoteproc/qcom_wcnss.c | 12 +- drivers/soc/qcom/mdt_loader.c | 12 +- include/linux/firmware/qcom/qcom_pas.h | 41 ++ include/linux/firmware/qcom/qcom_scm.h | 29 -- include/linux/soc/qcom/mdt_loader.h | 6 +- 23 files changed, 1108 insertions(+), 303 deletions(-) create mode 100644 arch/arm64/boot/dts/qcom/kodiak-el2.dtso create mode 100644 drivers/firmware/qcom/qcom_pas.c create mode 100644 drivers/firmware/qcom/qcom_pas.h create mode 100644 drivers/firmware/qcom/qcom_pas_tee.c create mode 100644 include/linux/firmware/qcom/qcom_pas.h -- 2.51.0

1 month, 4 weeks

6
40
0 0

[GIT PULL] OP-TEE update for 7.1

by Jens Wiklander

Hello soc maintainers, Please pull this small patch simlifying the OP-TEE context matching logic. Thanks, Jens The following changes since commit 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f: Linux 7.0-rc1 (2026-02-22 13:18:59 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/optee-for-v7.1 for you to fetch changes up to 8c6e843f1c26a0b12720cab02f785c46450b6adc: optee: simplify OP-TEE context match (2026-03-04 08:33:31 +0100) ---------------------------------------------------------------- OP-TEE update for 7.1 Simplify TEE implementor ID match logic ---------------------------------------------------------------- Rouven Czerwinski (1): optee: simplify OP-TEE context match drivers/tee/optee/device.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)

2 months

1
0
0 0

[GIT PULL] TEE update for 7.1

by Jens Wiklander

Hello soc maintainers, Please pull this small patch cleaning up kernel-doc comments in tee_core.h. Thanks, Jens The following changes since commit 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f: Linux 7.0-rc1 (2026-02-22 13:18:59 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-for-v7.1 for you to fetch changes up to e416e7fa417b2d2604c1526a2f9cc38da7ced166: tee: clean up tee_core.h kernel-doc (2026-03-13 08:22:54 +0100) ---------------------------------------------------------------- TEE update for 7.1 Clean up tee_core.h kernel-doc to eliminate build warnings ---------------------------------------------------------------- Randy Dunlap (1): tee: clean up tee_core.h kernel-doc include/linux/tee_core.h | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-)

2 months

1
0
0 0

[PATCH 00/14] firmware: qcom: Add OP-TEE PAS service support

by Sumit Garg

From: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Qcom platforms has the legacy of using non-standard SCM calls splintered over the various kernel drivers. These SCM calls aren't compliant with the standard SMC calling conventions which is a prerequisite to enable migration to the FF-A specifications from Arm. OP-TEE as an alternative trusted OS to QTEE can't support these non- standard SCM calls. And even for newer architectures QTEE won't be able to support SCM calls either with FF-A requirements coming in. And with both OP-TEE and QTEE drivers well integrated in the TEE subsystem, it makes further sense to reuse the TEE bus client drivers infrastructure. The added benefit of TEE bus infrastructure is that there is support for discoverable/enumerable services. With that client drivers don't have to manually invoke a special SCM call to know the service status. So enable the generic Peripheral Authentication Service (PAS) provided by the firmware. It acts as the common layer with different TZ backends plugged in whether it's an SCM implementation or a proper TEE bus based PAS service implementation. The TEE PAS service ABI is designed to be extensible with additional API as PTA_QCOM_PAS_CAPABILITIES. This allows to accommodate any future extensions of the PAS service needed while still maintaining backwards compatibility. Currently OP-TEE support is being added to provide the backend PAS service implementation which can be found as part of this PR [1]. This implementation has been tested on Kodiak/RB3Gen2 board with lemans EVK board being the next target. In addition to that WIN/IPQ targets planning to use OP-TEE will use this service too. Patch summary: - Patch #1: adds Kodiak EL2 overlay since boot stack with TF-A/OP-TEE only allow UEFI and Linux to boot in EL2. - Patch #2: adds generic PAS service. - Patch #3: migrates SCM backend to generic PAS service. - Patch #4: adds TEE/OP-TEE backend for generic PAS service. - Patch #5-#13: migrates all client drivers to generic PAS service. - Patch #14: drops legacy PAS SCM exported APIs. The patch-set is based on v7.0-rc2 tag and can be found in git tree here [2]. Merge strategy: ---------------- It is expected due to APIs dependency, the entire patch-set to go via the Qcom tree. All other subsystem maintainers, it will be great if I can get acks for the corresponding subsystem patches. [1] https://github.com/OP-TEE/optee_os/pull/7721 [2] https://git.kernel.org/pub/scm/linux/kernel/git/sumit.garg/linux.git/log/?h… Mukesh Ojha (1): arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg (13): firmware: qcom: Add a generic PAS service firmware: qcom_scm: Migrate to generic PAS service firmware: qcom: Add a PAS TEE service remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs remoteproc: qcom_q6v5_mss: Switch to generic PAS TZ APIs soc: qcom: mdtloader: Switch to generic PAS TZ APIs remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs remoteproc: qcom: Select QCOM_PAS_TEE service backend drm/msm: Switch to generic PAS TZ APIs media: qcom: Switch to generic PAS TZ APIs net: ipa: Switch to generic PAS TZ APIs wifi: ath12k: Switch to generic PAS TZ APIs firmware: qcom_scm: Remove SCM PAS wrappers arch/arm64/boot/dts/qcom/Makefile | 2 + arch/arm64/boot/dts/qcom/kodiak-el2.dtso | 35 ++ drivers/firmware/qcom/Kconfig | 18 + drivers/firmware/qcom/Makefile | 2 + drivers/firmware/qcom/qcom_pas.c | 295 +++++++++++ drivers/firmware/qcom/qcom_pas.h | 53 ++ drivers/firmware/qcom/qcom_pas_tee.c | 478 ++++++++++++++++++ drivers/firmware/qcom/qcom_scm.c | 304 ++++------- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 11 +- .../media/platform/qcom/iris/iris_firmware.c | 9 +- drivers/media/platform/qcom/venus/firmware.c | 11 +- drivers/net/ipa/ipa_main.c | 13 +- drivers/net/wireless/ath/ath12k/ahb.c | 8 +- drivers/remoteproc/Kconfig | 1 + drivers/remoteproc/qcom_q6v5_mss.c | 5 +- drivers/remoteproc/qcom_q6v5_pas.c | 51 +- drivers/remoteproc/qcom_wcnss.c | 12 +- drivers/soc/qcom/mdt_loader.c | 12 +- include/linux/firmware/qcom/qcom_pas.h | 41 ++ include/linux/firmware/qcom/qcom_scm.h | 29 -- include/linux/soc/qcom/mdt_loader.h | 6 +- 22 files changed, 1097 insertions(+), 303 deletions(-) create mode 100644 arch/arm64/boot/dts/qcom/kodiak-el2.dtso create mode 100644 drivers/firmware/qcom/qcom_pas.c create mode 100644 drivers/firmware/qcom/qcom_pas.h create mode 100644 drivers/firmware/qcom/qcom_pas_tee.c create mode 100644 include/linux/firmware/qcom/qcom_pas.h -- 2.51.0

2 months

9
38
0 0

[GIT PULL] TEE shared memory fix for 7.0

by Jens Wiklander

Hello arm-soc maintainers, Please pull this patch removing the refcounting of kernel pages within the TEE shared memory helper. Thanks, Jens The following changes since commit 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f: Linux 7.0-rc1 (2026-02-22 13:18:59 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-fix-for-v7.0 for you to fetch changes up to 08d9a4580f71120be3c5b221af32dca00a48ceb0: tee: shm: Remove refcounting of kernel pages (2026-03-03 09:03:04 +0100) ---------------------------------------------------------------- TEE shared memory update for 7.0 Remove refcounting of kernel pages in register_shm_helper() to support slab allocations. ---------------------------------------------------------------- Matthew Wilcox (1): tee: shm: Remove refcounting of kernel pages drivers/tee/tee_shm.c | 27 --------------------------- 1 file changed, 27 deletions(-)

2 months

5
5
0 0

OP-TEE Contributions Forum, monthly meeting March 24

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - OP-TEE version 4.10.0 to be released April 17 - Marco Felsch is working on initial Kconfig support: https://github.com/OP-TEE/optee_os/pull/7714 + How to configure? Vanilla "make defconfig" and friends? Should we support passing "CFG_XXX=y" on the command line for convenience? In a one-step or two-step operation? + Integration with the build git: Do we need a way to ensure the active configuration matches what the build git expects? + Is it possible to make a seamless transition (with no visible external changes) when building OP-TEE? If so, do we want it? Any other topics? Cheers, Jens

2 months

1
0
0 0

[PATCH v21 0/6] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V20[4]: -------------------------------- To address Rob’s concern on v20concerning resource declaration under the tee node, the device tree is now structured as follows,replacing the child-parent hierarchy with a phandle: firmware { tee_rproc: optee-rproc { compatible = "80a4c275-0a47-4905-8285-1486a9771a08"; }; }; m4: m4@0 { compatible = "st,stm32mp1-m4-tee"; reg = <0 0>; mboxes = <&ipcc 0>, <&ipcc 1>, <&ipcc 2>; mbox-names = "vq0", "vq1", "shutdown"; memory-region = <&vdev0vring0>, <&m_ipc_shm>, <&mcuram2>, <&vdev0vring1>, <&vdev0buffer>, <&retram>; interrupt-parent = <&exti>; interrupts = <68 1>; rproc-tee-phandle = <&tee_rproc 0>; st,auto-boot; wakeup-source; status = "okay"; }; As a consequence, this version: - Updates the device tree and bindings to: - Change the compatible property from "rproc-service-80a4c275-0a47-4905-8285-1486a9771a08" to "80a4c275-0a47-4905-8285-1486a9771a08". - Use the rproc-tee-phandle to avoid the parent-child hierarchy. - Updates stm32_rproc_tee.c and remoteproc_tee.c to adapt to the new bindings. - Updates remoteproc_tee.c to compute the device tree compatible string from the TEE UUID. Main updates from version V19[3]: -------------------------------- The devicetree is now structured as follows: firmware { optee { compatible = "linaro,optee-tz"; method = "smc"; #address-cells = <1>; #size-cells = <0>; rproc-service@0 { compatible = "rproc-service-80a4c275-0a47-4905-8285-1486a9771a08"; reg = <0>; #address-cells = <1>; #size-cells = <0>; status = "okay"; m4: m4@0 { compatible = "st,stm32mp15-m4-tee"; reg = <0>; mboxes = <&ipcc 0>, <&ipcc 1>, <&ipcc 2>; mbox-names = "vq0", "vq1", "shutdown"; memory-region = <&vdev0vring0>, <&m_ipc_shm>, <&mcuram2>, <&vdev0vring1>, <&vdev0buffer>, <&retram>; interrupt-parent = <&exti>; interrupts = <68 1>; status = "okay"; }; }; }; }; As a consequence, this version: - Introduces a new stm32_rproc_tee.c remoteproc driver. Instead of further complicating the existing stm32_rproc.c driver, a dedicated TEE-based driver is added. Both drivers are intended to also support the STM32MP2x Cortex-M33 remote processor in a next step. - Reworks the bindings: - Drop the st,stm32-rproc.yaml updates that were introduced in previous revisions. - Add remoteproc-tee.yaml for the "rproc-service-80a4c275-0a47-4905-8285-1486a9771a08" compatible. - Add st,stm32-rproc-tee.yaml for the "st,stm32mp15-m4-tee" compatible. - Reworks the probing sequence: The m4@0 device is now probed by the remoteproc-tee driver, which itself is instantiated by the TEE (OP-TEE) bus. Main updates from version V18[2]: -------------------------------- - rework documentation for the release_fw ops - rework function documentation in remoteproc_tee.c - replace spinlock by mutex and generalize usage in remoteproc_tee.c Main updates from version V17[1]: -------------------------------- - Fix: warning: EXPORT_SYMBOL() is used, but #include <linux/export.h> is missing More details are available in each patch commit message. [1] https://lore.kernel.org/linux-remoteproc/20250613091650.2337411-1-arnaud.po… [2] https://lore.kernel.org/linux-remoteproc/20250616075530.4106090-1-arnaud.po… [3] https://lore.kernel.org/linux-devicetree/20250625094028.758016-1-arnaud.pou… [3] https://lore.kernel.org/linux-remoteproc/20251217153917.3998544-1-arnaud.po… Tested-on: --------- commit 1f318b96cc84 ("Linux 7.0-rc3") Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact. The user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (6): dt-bindings: firmware: Add TEE remoteproc service binding dt-bindings: remoteproc: Add STM32 TEE-controlled rproc binding remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Introduce optional release_fw operation remoteproc: Add TEE support remoteproc: stm32: Add TEE-controlled STM32 driver .../bindings/remoteproc/remoteproc-tee.yaml | 36 + .../remoteproc/st,stm32-rproc-tee.yaml | 108 +++ drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 3 +- drivers/remoteproc/remoteproc_core.c | 52 ++ drivers/remoteproc/remoteproc_internal.h | 6 + drivers/remoteproc/remoteproc_tee.c | 810 ++++++++++++++++++ drivers/remoteproc/stm32_rproc_tee.c | 537 ++++++++++++ include/linux/remoteproc.h | 6 + include/linux/remoteproc_tee.h | 91 ++ 10 files changed, 1658 insertions(+), 1 deletion(-) create mode 100644 Documentation/devicetree/bindings/remoteproc/remoteproc-tee.yaml create mode 100644 Documentation/devicetree/bindings/remoteproc/st,stm32-rproc-tee.yaml create mode 100644 drivers/remoteproc/remoteproc_tee.c create mode 100644 drivers/remoteproc/stm32_rproc_tee.c create mode 100644 include/linux/remoteproc_tee.h base-commit: 1f318b96cc84d7c2ab792fcc0bfd42a7ca890681 -- 2.43.0

2 months, 1 week

3
12
0 0

[PATCH] optee: Check return value of tee_shm_get_va()

by Chen Ni

The function tee_shm_get_va() can return an error pointer if the shared memory is not properly mapped or if the offset is invalid. Without this check, passing the error pointer to subsequent memory operations could lead to a kernel panic. Add a check for IS_ERR() on the return value of tee_shm_get_va(). Fixes: f0c8431568ee ("optee: probe RPMB device using RPMB subsystem") Signed-off-by: Chen Ni <nichen(a)iscas.ac.cn> --- drivers/tee/optee/rpc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c index b0ed4cb49452..32f7742c094c 100644 --- a/drivers/tee/optee/rpc.c +++ b/drivers/tee/optee/rpc.c @@ -393,6 +393,11 @@ static void handle_rpc_func_rpmb_frames(struct tee_context *ctx, params[0].u.memref.shm_offs); p1 = tee_shm_get_va(params[1].u.memref.shm, params[1].u.memref.shm_offs); + if (IS_ERR(p0) || IS_ERR(p1)) { + arg->ret = TEEC_ERROR_BAD_PARAMETERS; + goto out; + } + if (rpmb_route_frames(rdev, p0, params[0].u.memref.size, p1, params[1].u.memref.size)) { arg->ret = TEEC_ERROR_BAD_PARAMETERS; -- 2.25.1

2 months, 1 week

4
4
0 0

[PATCH] tee: clean up tee_core.h kernel-doc

by Randy Dunlap

Use the correct struct member name and function parameter name in kernel-doc comments. Move a macro that was between a struct's documentation and its declaration. These eliminate the following kernel-doc warnings: Warning: include/linux/tee_core.h:73 struct member 'c_no_users' not described in 'tee_device' Warning: include/linux/tee_core.h:132 #define TEE_DESC_PRIVILEGED 0x1; error: Cannot parse struct or union! Warning: include/linux/tee_core.h:257 function parameter 'connection_data' not described in 'tee_session_calc_client_uuid' Warning: include/linux/tee_core.h:320 function parameter 'teedev' not described in 'tee_get_drvdata' Signed-off-by: Randy Dunlap <rdunlap(a)infradead.org> --- Cc: Jens Wiklander <jens.wiklander(a)linaro.org> Cc: Sumit Garg <sumit.garg(a)kernel.org> Cc: op-tee(a)lists.trustedfirmware.org include/linux/tee_core.h | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) --- linux-next-20260309.orig/include/linux/tee_core.h +++ linux-next-20260309/include/linux/tee_core.h @@ -50,7 +50,7 @@ enum tee_dma_heap_id { * @dev: embedded basic device structure * @cdev: embedded cdev * @num_users: number of active users of this device - * @c_no_user: completion used when unregistering the device + * @c_no_users: completion used when unregistering the device * @mutex: mutex protecting @num_users and @idr * @idr: register of user space shared memory objects allocated or * registered on this device @@ -132,6 +132,7 @@ struct tee_driver_ops { /* Size for TEE revision string buffer used by get_tee_revision(). */ #define TEE_REVISION_STR_SIZE 128 +#define TEE_DESC_PRIVILEGED 0x1 /** * struct tee_desc - Describes the TEE driver to the subsystem * @name: name of driver @@ -139,7 +140,6 @@ struct tee_driver_ops { * @owner: module providing the driver * @flags: Extra properties of driver, defined by TEE_DESC_* below */ -#define TEE_DESC_PRIVILEGED 0x1 struct tee_desc { const char *name; const struct tee_driver_ops *ops; @@ -187,7 +187,7 @@ struct tee_protmem_pool_ops { * Allocates a new struct tee_device instance. The device is * removed by tee_device_unregister(). * - * @returns a pointer to a 'struct tee_device' or an ERR_PTR on failure + * @returns: a pointer to a 'struct tee_device' or an ERR_PTR on failure */ struct tee_device *tee_device_alloc(const struct tee_desc *teedesc, struct device *dev, @@ -201,7 +201,7 @@ struct tee_device *tee_device_alloc(cons * tee_device_unregister() need to be called to remove the @teedev if * this function fails. * - * @returns < 0 on failure + * @returns: < 0 on failure */ int tee_device_register(struct tee_device *teedev); @@ -254,14 +254,14 @@ void tee_device_set_dev_groups(struct te * tee_session_calc_client_uuid() - Calculates client UUID for session * @uuid: Resulting UUID * @connection_method: Connection method for session (TEE_IOCTL_LOGIN_*) - * @connectuon_data: Connection data for opening session + * @connection_data: Connection data for opening session * * Based on connection method calculates UUIDv5 based client UUID. * * For group based logins verifies that calling process has specified * credentials. * - * @return < 0 on failure + * @returns: < 0 on failure */ int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, const u8 connection_data[TEE_IOCTL_UUID_LEN]); @@ -295,7 +295,7 @@ struct tee_shm_pool_ops { * @paddr: Physical address of start of pool * @size: Size in bytes of the pool * - * @returns pointer to a 'struct tee_shm_pool' or an ERR_PTR on failure. + * @returns: pointer to a 'struct tee_shm_pool' or an ERR_PTR on failure. */ struct tee_shm_pool *tee_shm_pool_alloc_res_mem(unsigned long vaddr, phys_addr_t paddr, size_t size, @@ -318,14 +318,16 @@ static inline void tee_shm_pool_free(str * @paddr: Physical address of start of pool * @size: Size in bytes of the pool * - * @returns pointer to a 'struct tee_protmem_pool' or an ERR_PTR on failure. + * @returns: pointer to a 'struct tee_protmem_pool' or an ERR_PTR on failure. */ struct tee_protmem_pool *tee_protmem_static_pool_alloc(phys_addr_t paddr, size_t size); /** * tee_get_drvdata() - Return driver_data pointer - * @returns the driver_data pointer supplied to tee_register(). + * @teedev: Pointer to the tee_device + * + * @returns: the driver_data pointer supplied to tee_register(). */ void *tee_get_drvdata(struct tee_device *teedev); @@ -334,7 +336,7 @@ void *tee_get_drvdata(struct tee_device * TEE driver * @ctx: The TEE context for shared memory allocation * @size: Shared memory allocation size - * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure + * @returns: a pointer to 'struct tee_shm' on success or an ERR_PTR on failure */ struct tee_shm *tee_shm_alloc_priv_buf(struct tee_context *ctx, size_t size); @@ -354,7 +356,7 @@ void tee_dyn_shm_free_helper(struct tee_ /** * tee_shm_is_dynamic() - Check if shared memory object is of the dynamic kind * @shm: Shared memory handle - * @returns true if object is dynamic shared memory + * @returns: true if object is dynamic shared memory */ static inline bool tee_shm_is_dynamic(struct tee_shm *shm) { @@ -370,7 +372,7 @@ void tee_shm_put(struct tee_shm *shm); /** * tee_shm_get_id() - Get id of a shared memory object * @shm: Shared memory handle - * @returns id + * @returns: id */ static inline int tee_shm_get_id(struct tee_shm *shm) { @@ -382,7 +384,7 @@ static inline int tee_shm_get_id(struct * count * @ctx: Context owning the shared memory * @id: Id of shared memory object - * @returns a pointer to 'struct tee_shm' on success or an ERR_PTR on failure + * @returns: a pointer to 'struct tee_shm' on success or an ERR_PTR on failure */ struct tee_shm *tee_shm_get_from_id(struct tee_context *ctx, int id); @@ -402,7 +404,7 @@ static inline bool tee_param_is_memref(s * teedev_open() - Open a struct tee_device * @teedev: Device to open * - * @return a pointer to struct tee_context on success or an ERR_PTR on failure. + * @returns: pointer to struct tee_context on success or an ERR_PTR on failure. */ struct tee_context *teedev_open(struct tee_device *teedev);

2 months, 2 weeks

3
2
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE