- OP-TEE - lists.trustedfirmware.org

Linaro OP-TEE Contribution, LOC, monthly meeting September 23

by Jens Wiklander

Hi, Tomorrow, Tuesday, it's time for another LOC monthly meeting. For time and connection details, see the calendar at https://www.trustedfirmware.org/meetings/ - Pull request for the Secure Data Path patchset [1], accepted by arm-soc [2] - Pull request for the QCOMTEE driver patchset [3] has not been accepted yet. It also has a few error reports or patches pending since it was included in Linux-next Are there any other topics? Cheers, Jens [1] https://lore.kernel.org/op-tee/20250912101752.GA1453408@rayden/ [2] https://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git/commit/?id=8204… [3] https://lore.kernel.org/op-tee/20250915174957.GA2040478@rayden/

3 months

1
0
0 0

[PATCH] tee: fix register_shm_helper()

by Jens Wiklander

In register_shm_helper(), fix incorrect error handling for a call to iov_iter_extract_pages(). A case is missing for when iov_iter_extract_pages() only got some pages and return a number larger than 0, but not the requested amount. This fixes a possible NULL pointer dereference following a bad input from ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer isn't mapped. Cc: stable(a)vger.kernel.org Reported-by: Masami Ichikawa <masami256(a)gmail.com> Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq… Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/tee_shm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index daf6e5cfd59a..6ed7d030f4ed 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -316,7 +316,16 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, len = iov_iter_extract_pages(iter, &shm->pages, LONG_MAX, num_pages, 0, &off); - if (unlikely(len <= 0)) { + if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) { + if (len > 0) { + /* + * If we only got a few pages, update to release + * the correct amount below. + */ + shm->num_pages = len / PAGE_SIZE; + ret = ERR_PTR(-ENOMEM); + goto err_put_shm_pages; + } ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM); goto err_free_shm_pages; } -- 2.43.0

3 months

3
3
0 0

[PATCH] tee: qcom: return -EFAULT instead of -EINVAL if copy_from_user() fails

by Dan Carpenter

If copy_from_user() fails, the correct error code is -EFAULT, not -EINVAL. Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- drivers/tee/qcomtee/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tee/qcomtee/core.c b/drivers/tee/qcomtee/core.c index 783acc59cfa9..b6715ada7700 100644 --- a/drivers/tee/qcomtee/core.c +++ b/drivers/tee/qcomtee/core.c @@ -424,7 +424,7 @@ static int qcomtee_prepare_msg(struct qcomtee_object_invoke_ctx *oic, if (!(u[i].flags & QCOMTEE_ARG_FLAGS_UADDR)) memcpy(msgptr, u[i].b.addr, u[i].b.size); else if (copy_from_user(msgptr, u[i].b.uaddr, u[i].b.size)) - return -EINVAL; + return -EFAULT; offset += qcomtee_msg_offset_align(u[i].b.size); ib++; -- 2.51.0

3 months

3
2
0 0

[BUG] tee_shm: NULL pointer dereference in unpin_user_pages() on invalid shm pages

by Masami Ichikawa

Hi. While doing my fuzzing work, I found the following kernel crash by NULL pointer dereference in Linux 6.17-rc5. [ 16.143987] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [ 16.144141] Mem abort info: [ 16.144215] ESR = 0x0000000096000004 [ 16.144246] EC = 0x25 ** replaying previous printk message ** [ 16.144246] EC = 0x25: DABT (current EL), IL = 32 bits [ 16.144271] SET = 0, FnV = 0 [ 16.144289] EA = 0, S1PTW = 0 [ 16.144308] FSC = 0x04: level 0 translation fault [ 16.144325] Data abort info: [ 16.144335] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 16.144346] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 16.144358] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 16.144412] user pgtable: 4k pages, 52-bit VAs, pgdp=0000000048b34b00 [ 16.144432] [0000000000000008] pgd=0800000040bb3403, p4d=0000000000000000 [ 16.144876] Internal error: Oops: 0000000096000004 [#1] SMP [ 16.146429] Modules linked in: [ 16.146775] CPU: 0 UID: 0 PID: 148 Comm: xtest Not tainted 6.17.0-rc5 #58 PREEMPT [ 16.146995] Hardware name: linux,dummy-virt (DT) [ 16.147181] pstate: 21402005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 16.147330] pc : unpin_user_pages+0x78/0xd0 [ 16.147763] lr : unpin_user_pages+0xa0/0xd0 [ 16.147842] sp : ffff800084403d20 [ 16.147912] x29: ffff800084403d20 x28: fff00000054aa300 x27: 0000000000000000 [ 16.148089] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 [ 16.148235] x23: fff00000004fb5a8 x22: 0000000000000001 x21: 000000000000000d [ 16.148401] x20: fff0000000b2f9c0 x19: 0000000000000011 x18: 0000000000000001 [ 16.148544] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 16.148659] x14: 0000000000000002 x13: 0000000000000002 x12: 0000000000037d0f [ 16.148786] x11: fff0000001dad708 x10: 000000000000003f x9 : 0000000000000d1b [ 16.148925] x8 : 00000000000007e0 x7 : 0000000000000001 x6 : 000000000000000d [ 16.149039] x5 : ffffffffffffffff x4 : ffffffffffffffff x3 : 000000000000000e [ 16.149167] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffc1ffc0fd68c0 [ 16.149351] Call trace: [ 16.149520] unpin_user_pages+0x78/0xd0 (P) [ 16.149684] tee_shm_put+0x134/0x184 [ 16.149783] tee_shm_fop_release+0x14/0x24 [ 16.149866] __fput+0xcc/0x2dc [ 16.149925] fput_close_sync+0x40/0x108 [ 16.149991] __arm64_sys_close+0x38/0x7c [ 16.150058] invoke_syscall+0x48/0x110 [ 16.150127] el0_svc_common.constprop.0+0x40/0xe8 [ 16.150227] do_el0_svc+0x20/0x2c [ 16.150303] el0_svc+0x34/0xf0 [ 16.150369] el0t_64_sync_handler+0xa0/0xe4 [ 16.150439] el0t_64_sync+0x198/0x19c [ 16.150629] Code: aa0203e3 eb02027f 54000109 f8627a82 (f9400444) [ 16.150940] ---[ end trace 0000000000000000 ]--- [ 16.151230] Kernel panic - not syncing: Oops: Fatal exception [ 16.151466] SMP: stopping secondary CPUs [ 16.151838] Kernel Offset: disabled [ 16.151911] CPU features: 0x000000,0000d180,2bbe33e1,957e7f3f [ 16.152019] Memory Limit: none [ 16.152284] ---[ end Kernel panic - not syncing: Oops: Fatal exception ]--- decode_stacktrace.sh shows the following call sequence. [ 20.554057] unpin_user_pages (./include/linux/page-flags.h:284 mm/gup.c:259 mm/gup.c:420 mm/gup.c:400) (P) [ 20.554204] tee_shm_put (drivers/tee/tee_shm.c:42 drivers/tee/tee_shm.c:57 drivers/tee/tee_shm.c:587) [ 20.554291] tee_shm_fop_release (drivers/tee/tee_shm.c:437) [ 20.554366] __fput (fs/file_table.c:469) [ 20.554429] fput_close_sync (fs/file_table.c:574) [ 20.554496] __arm64_sys_close (fs/open.c:1590 fs/open.c:1572 fs/open.c:1572) [ 20.554565] invoke_syscall (./arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:54) [ 20.554639] el0_svc_common.constprop.0 (./include/linux/thread_info.h:135 arch/arm64/kernel/syscall.c:140) [ 20.554719] do_el0_svc (arch/arm64/kernel/syscall.c:152) [ 20.554782] el0_svc (./arch/arm64/include/asm/irqflags.h:55 ./arch/arm64/include/asm/irqflags.h:76 arch/arm64/kernel/entry-common.c:169 arch/arm64/kernel/entry-common.c:182 arch/arm64/kernel/entry-common.c:880) [ 20.554842] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:899) [ 20.554914] el0t_64_sync (arch/arm64/kernel/entry.S:596) I set up a test environment using qemu_v8.xml in the OP-TEE/manifest repository. ## Test case This test is based on xtest_tee_test_1004 included in xtest in the optee_test repository. For fuzzing, the following data is created using xtest_crypto_test(). It creates parameters like this. op.params[0].tmpref.buffer = crypt_in; // crypt_in = malloc(sizeof(uint8_t) * 0xff); op.params[0].tmpref.size = input_len; // 0xffff op.params[1].tmpref.buffer = crypt_out; // crypt_out = malloc(sizeof(uint8_t) * 0xff); op.params[1].tmpref.size = input_len; // 0xffff When TEEC_InvokeCommand() in libteec was called with above parameters, it printed folloing errorr then, linux kernel was crashed. ERR [152] LT:TEEC_InvokeCommand:730: TEE_IOC_INVOKE failed ## Crash scenario 1. modified version of xtest_crypto_test() creates parameters. 2. xtest_crypto_test() calls TEEC_InvokeCommand() in the libteec. 3. TEEC_InvokeCommand calls ioctl(2). 4. tee_ioctl_invoke() in the tee_core.c is called by ioctl(2). 5. tee_ioctl_invoke() calles params_from_user(). 6. In the params_from_user(), it returned -EINVAL because of following if condition was true. if ((ip.a + ip.b) < ip.a || (ip.a + ip.b) > shm->size) { tee_shm_put(shm); return -EINVAL; } 7. tee_ioctl_invoke() recive an error from params_from_user() so that it run clean up process(in the out label). 8. tee_ioctl_invoke() returns -EINVAL. 9. TEEC_InvokeCommand() prints an error log then calls teec_free_temp_refs() in libteec. 10. teec_free_temp_refs() calls TEEC_ReleaseSharedMemory(). 11. TEEC_ReleaseSharedMemory() calls close(2). 12. tee_shm_put() in the tee_shm.c is called. 13. tee_shm_put() calls tee_shm_release(). 14. tee_shm_release() calls release_registered_pages(). 15. release_registered_pages() calls unpin_user_pages(). 16. Null pointer dereference is happened in unpin_user_pages(). ## Debugging I added following debug logs in the tee_shm_release() } else if (shm->flags & TEE_SHM_DYNAMIC) { int rc = teedev->desc->ops->shm_unregister(shm->ctx, shm); size_t i; if (rc) dev_err(teedev->dev.parent, "unregister shm %p failed: %d", shm, rc); pr_info("%s:%d: shm->num_pages: 0x%lx, shm->size: 0x%lx\n", __func__, __LINE__, shm->num_pages, shm->size); for (i = 0; i < shm->num_pages; i++) { if (!shm->pages[i]) { pr_info("%s:%d: shm->pages[%ld] is NULL", __func__, __LINE__, i); } } release_registered_pages(shm); } It showed the following logs. [ 21.350894] tee_shm_release:57: shm->num_pages: 0x11, shm->size: 0xd690 [ 21.350977] tee_shm_release:60: shm->pages[14] is NULL [ 21.351003] tee_shm_release:60: shm->pages[15] is NULL [ 21.351012] tee_shm_release:60: shm->pages[16] is NULL According to the above logs, shm->num_pages is 17 but the pages array contains NULL pointers so that it causes a NULL pointer dereference bug. I have confirmed that I can prevent NULL pointer dereference by making the following changes. diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 2a7d253d9c55..c5d39a0efbdb 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -34,9 +34,16 @@ static void shm_get_kernel_pages(struct page **pages, size_t page_count) static void release_registered_pages(struct tee_shm *shm) { if (shm->pages) { - if (shm->flags & TEE_SHM_USER_MAPPED) - unpin_user_pages(shm->pages, shm->num_pages); - else + if (shm->flags & TEE_SHM_USER_MAPPED) { + size_t num_pages = 0; + size_t i; + for (i = 0; i < shm->num_pages; i++, num_pages++) { + if (!shm->pages[i]) + break; + } + + unpin_user_pages(shm->pages, num_pages); + } else shm_put_kernel_pages(shm->pages, shm->num_pages); kfree(shm->pages); Regards, -- Masami Ichikawa

3 months

3
5
0 0

[GIT PULL] TEE add QCOMTEE driver for v6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull this set of patches [1] adding a Qualcomm TEE (QTEE) driver to the TEE subsystem as described below. The QTEE patches depend on two patches from branch '20250911-qcom-tee-using-tee-ss-without-mem-obj-v12-2-17f07a942b8d(a)oss.qualcomm.com' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux Björn asked me [2] to pull them from his tree. This pull request is based on my previous pull request with tee-prot-dma-buf-for-v6.18 to avoid a few conflicts when merging. [1] https://lore.kernel.org/op-tee/20250911-qcom-tee-using-tee-ss-without-mem-o… [2] https://lore.kernel.org/op-tee/mir6lhkj456ra3i6w7def4rrtzw663f66l66cz4s3gxx… Thanks, Jens The following changes since commit dbc2868b7b57fb4caa8e44a69e882dcf8e8d59bf: optee: smc abi: dynamic protected memory allocation (2025-09-11 11:22:43 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-qcomtee-for-v6.18 for you to fetch changes up to dcc7a571a3665a16581b5b18ca6b113f60a9a41a: Documentation: tee: Add Qualcomm TEE driver (2025-09-15 17:34:06 +0200) ---------------------------------------------------------------- Add Qualcomm TEE driver (QTEE) This introduces a Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE). QTEE enables Trusted Applications (TAs) and services to run securely. It uses an object-based interface, where each service is an object with sets of operations. Kernel and userspace services are also available to QTEE through a similar approach. QTEE makes callback requests that are converted into object invocations. These objects can represent services within the kernel or userspace process. We extend the TEE subsystem to understand object parameters and an ioctl call so client can invoke objects in QTEE: - TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_* - TEE_IOC_OBJECT_INVOKE The existing ioctl calls TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND are used for invoking services in the userspace process by QTEE. The TEE backend driver uses the QTEE Transport Message to communicate with QTEE. Interactions through the object INVOKE interface are translated into QTEE messages. Likewise, object invocations from QTEE for userspace objects are converted into SEND/RECV ioctl calls to supplicants. ---------------------------------------------------------------- Amirreza Zarrabi (11): firmware: qcom: tzmem: export shm_bridge create/delete firmware: qcom: scm: add support for object invocation tee: allow a driver to allocate a tee_device without a pool tee: add close_context to TEE driver operation tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF tee: increase TEE_MAX_ARG_SIZE to 4096 tee: add Qualcomm TEE driver tee: qcom: add primordial object tee: qcom: enable TEE_IOC_SHM_ALLOC ioctl Documentation: tee: Add Qualcomm TEE driver Jens Wiklander (1): Merge branch '20250911-qcom-tee-using-tee-ss-without-mem-obj-v12-2-17f07a942b8d(a)oss.qualcomm.com' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux Documentation/tee/index.rst | 1 + Documentation/tee/qtee.rst | 96 ++++ MAINTAINERS | 7 + drivers/firmware/qcom/qcom_scm.c | 119 ++++ drivers/firmware/qcom/qcom_scm.h | 7 + drivers/firmware/qcom/qcom_tzmem.c | 63 ++- drivers/tee/Kconfig | 1 + drivers/tee/Makefile | 1 + drivers/tee/qcomtee/Kconfig | 12 + drivers/tee/qcomtee/Makefile | 9 + drivers/tee/qcomtee/async.c | 182 ++++++ drivers/tee/qcomtee/call.c | 820 +++++++++++++++++++++++++++ drivers/tee/qcomtee/core.c | 915 +++++++++++++++++++++++++++++++ drivers/tee/qcomtee/mem_obj.c | 169 ++++++ drivers/tee/qcomtee/primordial_obj.c | 113 ++++ drivers/tee/qcomtee/qcomtee.h | 185 +++++++ drivers/tee/qcomtee/qcomtee_msg.h | 304 ++++++++++ drivers/tee/qcomtee/qcomtee_object.h | 316 +++++++++++ drivers/tee/qcomtee/shm.c | 150 +++++ drivers/tee/qcomtee/user_obj.c | 692 +++++++++++++++++++++++ drivers/tee/tee_core.c | 127 ++++- drivers/tee/tee_private.h | 6 - include/linux/firmware/qcom/qcom_scm.h | 6 + include/linux/firmware/qcom/qcom_tzmem.h | 15 + include/linux/tee_core.h | 54 +- include/linux/tee_drv.h | 12 + include/uapi/linux/tee.h | 56 +- 27 files changed, 4410 insertions(+), 28 deletions(-) create mode 100644 Documentation/tee/qtee.rst create mode 100644 drivers/tee/qcomtee/Kconfig create mode 100644 drivers/tee/qcomtee/Makefile create mode 100644 drivers/tee/qcomtee/async.c create mode 100644 drivers/tee/qcomtee/call.c create mode 100644 drivers/tee/qcomtee/core.c create mode 100644 drivers/tee/qcomtee/mem_obj.c create mode 100644 drivers/tee/qcomtee/primordial_obj.c create mode 100644 drivers/tee/qcomtee/qcomtee.h create mode 100644 drivers/tee/qcomtee/qcomtee_msg.h create mode 100644 drivers/tee/qcomtee/qcomtee_object.h create mode 100644 drivers/tee/qcomtee/shm.c create mode 100644 drivers/tee/qcomtee/user_obj.c

3 months, 1 week

1
0
0 0

[PATCH v12 00/11] Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE)

by Amirreza Zarrabi

This patch series introduces a Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE). QTEE enables Trusted Applications (TAs) and services to run securely. It uses an object-based interface, where each service is an object with sets of operations. Clients can invoke these operations on objects, which can generate results, including other objects. For example, an object can load a TA and return another object that represents the loaded TA, allowing access to its services. Kernel and userspace services are also available to QTEE through a similar approach. QTEE makes callback requests that are converted into object invocations. These objects can represent services within the kernel or userspace process. Note: This patch series focuses on QTEE objects and userspace services. Linux already provides a TEE subsystem, which is described in [1]. The tee subsystem provides a generic ioctl interface, TEE_IOC_INVOKE, which can be used by userspace to talk to a TEE backend driver. We extend the Linux TEE subsystem to understand object parameters and an ioctl call so client can invoke objects in QTEE: - TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_* - TEE_IOC_OBJECT_INVOKE The existing ioctl calls TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND are used for invoking services in the userspace process by QTEE. The TEE backend driver uses the QTEE Transport Message to communicate with QTEE. Interactions through the object INVOKE interface are translated into QTEE messages. Likewise, object invocations from QTEE for userspace objects are converted into SEND/RECV ioctl calls to supplicants. The details of QTEE Transport Message to communicate with QTEE is available in [PATCH 12/12] Documentation: tee: Add Qualcomm TEE driver. You can run basic tests with following steps: git clone https://github.com/quic/quic-teec.git cd quic-teec mkdir build cmake .. -DCMAKE_TOOLCHAIN_FILE=CMakeToolchain.txt -DBUILD_UNITTEST=ON https://github.com/quic/quic-teec/blob/main/README.md lists dependencies needed to build the above. More comprehensive tests are availabe at https://github.com/qualcomm/minkipc. root@qcom-armv8a:~# qtee_supplicant & root@qcom-armv8a:~# qtee_supplicant: process entry PPID = 378 Total listener services to start = 4 Opening CRequestTABuffer_open Path /data/ register_service ::Opening CRegisterTABufCBO_UID Calling TAbufCBO Register QTEE_SUPPLICANT RUNNING root@qcom-armv8a:~# smcinvoke_client -c /data 1 Run callback obj test... Load /data/tzecotestapp.mbn, size 52192, buf 0x1e44ba0. System Time: 2024-02-27 17:26:31 PASSED - Callback tests with Buffer inputs. PASSED - Callback tests with Remote and Callback object inputs. PASSED - Callback tests with Memory Object inputs. TEST PASSED! root@qcom-armv8a:~# root@qcom-armv8a:~# smcinvoke_client -m /data 1 Run memory obj test... Load /data/tzecotestapp.mbn, size 52192, buf 0x26cafba0. System Time: 2024-02-27 17:26:39 PASSED - Single Memory Object access Test. PASSED - Two Memory Object access Test. TEST PASSED! This series has been tested for QTEE object invocations, including loading a TA, requesting services from the TA, memory sharing, and handling callback requests to a supplicant. Tested platforms: sm8650-mtp, sm8550-qrd, sm8650-qrd, sm8650-hdk [1] https://www.kernel.org/doc/Documentation/tee.txt Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> Changes in v12: - Fixed kernel bot warnings. - Link to v11: https://lore.kernel.org/r/20250910-qcom-tee-using-tee-ss-without-mem-obj-v1… Changes in v11: - Rebased on next. - Link to v10: https://lore.kernel.org/r/20250909-qcom-tee-using-tee-ss-without-mem-obj-v1… Changes in v10: - Remove all loggings in qcom_scm_qtee_init(). - Reorder patches. - Link to v9: https://lore.kernel.org/r/20250901-qcom-tee-using-tee-ss-without-mem-obj-v9… Changes in v9: - Remove unnecessary logging in qcom_scm_probe(). - Replace the platform_device_alloc()/add() sequence with platform_device_register_data(). - Fixed sparse warning. - Fixed documentation typo. - Link to v8: https://lore.kernel.org/r/20250820-qcom-tee-using-tee-ss-without-mem-obj-v8… Changes in v8: - Check if arguments to qcom_scm_qtee_invoke_smc() and qcom_scm_qtee_callback_response() are NULL. - Add CPU_BIG_ENDIAN as a dependency to Kconfig. - Fixed kernel bot errors. - Link to v7: https://lore.kernel.org/r/20250812-qcom-tee-using-tee-ss-without-mem-obj-v7… Changes in v7: - Updated copyrights. - Updated Acked-by: tags. - Fixed kernel bot errors. - Link to v6: https://lore.kernel.org/r/20250713-qcom-tee-using-tee-ss-without-mem-obj-v6… Changes in v6: - Relocate QTEE version into the driver's main service structure. - Simplfies qcomtee_objref_to_arg() and qcomtee_objref_from_arg(). - Enhanced the return logic of qcomtee_object_do_invoke_internal(). - Improve comments and remove redundant checks. - Improve helpers in qcomtee_msh.h to use GENMASK() and FIELD_GET(). - updated Tested-by:, Acked-by:, and Reviewed-by: tags - Link to v5: https://lore.kernel.org/r/20250526-qcom-tee-using-tee-ss-without-mem-obj-v5… Changes in v5: - Remove references to kernel services and public APIs. - Support auto detection for failing devices (e.g., RB1, RB4). - Add helpers for obtaining client environment and service objects. - Query the QTEE version and print it. - Move remaining static variables, including the object table, to struct qcomtee. - Update TEE_MAX_ARG_SIZE to 4096. - Add a dependancy to QCOM_TZMEM_MODE_SHMBRIDGE in Kconfig - Reorganize code by removing release.c and qcom_scm.c. - Add more error messages and improve comments. - updated Tested-by:, Acked-by:, and Reviewed-by: tags - Link to v4: https://lore.kernel.org/r/20250428-qcom-tee-using-tee-ss-without-mem-obj-v4… Changes in v4: - Move teedev_ctx_get/put and tee_device_get/put to tee_core.h. - Rename object to id in struct tee_ioctl_object_invoke_arg. - Replace spinlock with mutex for qtee_objects_idr. - Move qcomtee_object_get to qcomtee_user/memobj_param_to_object. - More code cleanup following the comments. - Cleanup documentations. - Update MAINTAINERS file. - Link to v3: https://lore.kernel.org/r/20250327-qcom-tee-using-tee-ss-without-mem-obj-v3… Changes in v3: - Export shm_bridge create/delete APIs. - Enable support for QTEE memory objects. - Update the memory management code to use the TEE subsystem for all allocations using the pool. - Move all driver states into the driver's main service struct. - Add more documentations. - Link to v2: https://lore.kernel.org/r/20250202-qcom-tee-using-tee-ss-without-mem-obj-v2… Changes in v2: - Clean up commit messages and comments. - Use better names such as ubuf instead of membuf or QCOMTEE prefix instead of QCOM_TEE, or names that are more consistent with other TEE-backend drivers such as qcomtee_context_data instead of qcom_tee_context. - Drop the DTS patch and instantiate the device from the scm driver. - Use a single structure for all driver's internal states. - Drop srcu primitives and use the existing mutex for synchronization between the supplicant and QTEE. - Directly use tee_context to track the lifetime of qcomtee_context_data. - Add close_context() to be called when the user closes the tee_context. - Link to v1: https://lore.kernel.org/r/20241202-qcom-tee-using-tee-ss-without-mem-obj-v1… Changes in v1: - It is a complete rewrite to utilize the TEE subsystem. - Link to RFC: https://lore.kernel.org/all/20240702-qcom-tee-object-and-ioctls-v1-0-633c3d… --- Amirreza Zarrabi (11): firmware: qcom: tzmem: export shm_bridge create/delete firmware: qcom: scm: add support for object invocation tee: allow a driver to allocate a tee_device without a pool tee: add close_context to TEE driver operation tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF tee: increase TEE_MAX_ARG_SIZE to 4096 tee: add Qualcomm TEE driver tee: qcom: add primordial object tee: qcom: enable TEE_IOC_SHM_ALLOC ioctl Documentation: tee: Add Qualcomm TEE driver Documentation/tee/index.rst | 1 + Documentation/tee/qtee.rst | 96 ++++ MAINTAINERS | 7 + drivers/firmware/qcom/qcom_scm.c | 119 ++++ drivers/firmware/qcom/qcom_scm.h | 7 + drivers/firmware/qcom/qcom_tzmem.c | 63 ++- drivers/tee/Kconfig | 1 + drivers/tee/Makefile | 1 + drivers/tee/qcomtee/Kconfig | 12 + drivers/tee/qcomtee/Makefile | 9 + drivers/tee/qcomtee/async.c | 182 ++++++ drivers/tee/qcomtee/call.c | 820 +++++++++++++++++++++++++++ drivers/tee/qcomtee/core.c | 915 +++++++++++++++++++++++++++++++ drivers/tee/qcomtee/mem_obj.c | 169 ++++++ drivers/tee/qcomtee/primordial_obj.c | 113 ++++ drivers/tee/qcomtee/qcomtee.h | 185 +++++++ drivers/tee/qcomtee/qcomtee_msg.h | 304 ++++++++++ drivers/tee/qcomtee/qcomtee_object.h | 316 +++++++++++ drivers/tee/qcomtee/shm.c | 150 +++++ drivers/tee/qcomtee/user_obj.c | 692 +++++++++++++++++++++++ drivers/tee/tee_core.c | 127 ++++- drivers/tee/tee_private.h | 6 - include/linux/firmware/qcom/qcom_scm.h | 6 + include/linux/firmware/qcom/qcom_tzmem.h | 15 + include/linux/tee_core.h | 54 +- include/linux/tee_drv.h | 12 + include/uapi/linux/tee.h | 56 +- 27 files changed, 4410 insertions(+), 28 deletions(-) --- base-commit: 8b8aefa5a5c7d4a65883e5653cf12f94c0b68dbf change-id: 20241202-qcom-tee-using-tee-ss-without-mem-obj-362c66340527 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

3 months, 1 week

4
16
0 0

[GIT PULL] TEE protected DMA-bufs for v6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull this set of patches enabling protected DMA-bufs in the TEE subsystem. There's a brief desciption in the tag below. All patches but "dma-buf: dma-heap: export declared functions" are withing the TEE subsystem. The dma-heap maintainer, Sumit Semwal, has acked the dma-heap patch to be merged via my tree. I believe I've addressed all comments from the reviews including providing a demo as described in [1]. [1] https://lore.kernel.org/op-tee/20250911135007.1275833-1-jens.wiklander@lina… Thanks, Jens The following changes since commit c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9: Linux 6.17-rc2 (2025-08-17 15:22:10 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-prot-dma-buf-for-v6.18 for you to fetch changes up to dbc2868b7b57fb4caa8e44a69e882dcf8e8d59bf: optee: smc abi: dynamic protected memory allocation (2025-09-11 11:22:43 +0200) ---------------------------------------------------------------- TEE protected DMA-bufs for v6.18 - Allocates protected DMA-bufs from a DMA-heap instantiated from the TEE subsystem. - The DMA-heap uses a protected memory pool provided by the backend TEE driver, allowing it to choose how to allocate the protected physical memory. - Three use-cases (Secure Video Playback, Trusted UI, and Secure Video Recording) have been identified so far to serve as examples of what can be expected. - The use-cases have predefined DMA-heap names, "protected,secure-video", "protected,trusted-ui", and "protected,secure-video-record". The backend driver registers protected memory pools for the use-cases it supports. ---------------------------------------------------------------- Etienne Carriere (1): tee: new ioctl to a register tee_shm from a dmabuf file descriptor Jens Wiklander (8): optee: sync secure world ABI headers dma-buf: dma-heap: export declared functions tee: implement protected DMA-heap tee: refactor params_from_user() tee: add tee_shm_alloc_dma_mem() optee: support protected memory allocation optee: FF-A: dynamic protected memory allocation optee: smc abi: dynamic protected memory allocation drivers/dma-buf/dma-heap.c | 4 + drivers/tee/Kconfig | 5 + drivers/tee/Makefile | 1 + drivers/tee/optee/Kconfig | 5 + drivers/tee/optee/Makefile | 1 + drivers/tee/optee/core.c | 7 + drivers/tee/optee/ffa_abi.c | 146 ++++++++++- drivers/tee/optee/optee_ffa.h | 27 +- drivers/tee/optee/optee_msg.h | 84 ++++++- drivers/tee/optee/optee_private.h | 15 +- drivers/tee/optee/optee_smc.h | 37 ++- drivers/tee/optee/protmem.c | 335 +++++++++++++++++++++++++ drivers/tee/optee/smc_abi.c | 141 ++++++++++- drivers/tee/tee_core.c | 158 +++++++++--- drivers/tee/tee_heap.c | 500 ++++++++++++++++++++++++++++++++++++++ drivers/tee/tee_private.h | 14 ++ drivers/tee/tee_shm.c | 157 +++++++++++- include/linux/tee_core.h | 59 +++++ include/linux/tee_drv.h | 10 + include/uapi/linux/tee.h | 31 +++ 20 files changed, 1670 insertions(+), 67 deletions(-) create mode 100644 drivers/tee/optee/protmem.c create mode 100644 drivers/tee/tee_heap.c

3 months, 1 week

1
0
0 0

[GIT PULL] TEE use SHA-1 library for v6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull this small patch for the TEE subssytem. It simplifies the code by using the SHA-1 library instead of crypto_shash. Thanks, Jens The following changes since commit 8f5ae30d69d7543eee0d70083daf4de8fe15d585: Linux 6.17-rc1 (2025-08-10 19:41:16 +0300) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-sha1-lib-for-v6.18 for you to fetch changes up to dfb2a4f76ff7f60d6e2a55b6a973dd42930adf50: tee: Use SHA-1 library instead of crypto_shash (2025-08-13 14:29:49 +0200) ---------------------------------------------------------------- Use SHA-1 library instead of crypto_shash ---------------------------------------------------------------- Eric Biggers (1): tee: Use SHA-1 library instead of crypto_shash drivers/tee/Kconfig | 3 +-- drivers/tee/tee_core.c | 55 +++++++++----------------------------------------- 2 files changed, 10 insertions(+), 48 deletions(-)

3 months, 1 week

1
0
0 0

[GIT PULL] TEE improve sysfs for 6.18

by Jens Wiklander

Hello arm-soc maintainers, Please pull this small patch for the TEE sysbsystem. It updates to use sysfs_emit() instead of scnprintf() for buffers passed to userspace. Thanks, Jens The following changes since commit 038d61fd642278bab63ee8ef722c50d10ab01e8f: Linux 6.16 (2025-07-27 14:26:38 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jenswi/linux-tee.git tags/tee-improve-sysfs-for-v6.18 for you to fetch changes up to 1faa0d62a19bb8a4b9022b603472e7127974cb55: drivers: tee: improve sysfs interface by using sysfs_emit() (2025-08-04 11:05:23 +0200) ---------------------------------------------------------------- Use sysfs_emit() for sysfs buffers to userspace ---------------------------------------------------------------- Akhilesh Patil (1): drivers: tee: improve sysfs interface by using sysfs_emit() drivers/tee/optee/core.c | 2 +- drivers/tee/tee_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)

3 months, 1 week

1
0
0 0

[PATCH v11 00/11] Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE)

by Amirreza Zarrabi

This patch series introduces a Trusted Execution Environment (TEE) driver for Qualcomm TEE (QTEE). QTEE enables Trusted Applications (TAs) and services to run securely. It uses an object-based interface, where each service is an object with sets of operations. Clients can invoke these operations on objects, which can generate results, including other objects. For example, an object can load a TA and return another object that represents the loaded TA, allowing access to its services. Kernel and userspace services are also available to QTEE through a similar approach. QTEE makes callback requests that are converted into object invocations. These objects can represent services within the kernel or userspace process. Note: This patch series focuses on QTEE objects and userspace services. Linux already provides a TEE subsystem, which is described in [1]. The tee subsystem provides a generic ioctl interface, TEE_IOC_INVOKE, which can be used by userspace to talk to a TEE backend driver. We extend the Linux TEE subsystem to understand object parameters and an ioctl call so client can invoke objects in QTEE: - TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF_* - TEE_IOC_OBJECT_INVOKE The existing ioctl calls TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND are used for invoking services in the userspace process by QTEE. The TEE backend driver uses the QTEE Transport Message to communicate with QTEE. Interactions through the object INVOKE interface are translated into QTEE messages. Likewise, object invocations from QTEE for userspace objects are converted into SEND/RECV ioctl calls to supplicants. The details of QTEE Transport Message to communicate with QTEE is available in [PATCH 12/12] Documentation: tee: Add Qualcomm TEE driver. You can run basic tests with following steps: git clone https://github.com/quic/quic-teec.git cd quic-teec mkdir build cmake .. -DCMAKE_TOOLCHAIN_FILE=CMakeToolchain.txt -DBUILD_UNITTEST=ON https://github.com/quic/quic-teec/blob/main/README.md lists dependencies needed to build the above. More comprehensive tests are availabe at https://github.com/qualcomm/minkipc. root@qcom-armv8a:~# qtee_supplicant & root@qcom-armv8a:~# qtee_supplicant: process entry PPID = 378 Total listener services to start = 4 Opening CRequestTABuffer_open Path /data/ register_service ::Opening CRegisterTABufCBO_UID Calling TAbufCBO Register QTEE_SUPPLICANT RUNNING root@qcom-armv8a:~# smcinvoke_client -c /data 1 Run callback obj test... Load /data/tzecotestapp.mbn, size 52192, buf 0x1e44ba0. System Time: 2024-02-27 17:26:31 PASSED - Callback tests with Buffer inputs. PASSED - Callback tests with Remote and Callback object inputs. PASSED - Callback tests with Memory Object inputs. TEST PASSED! root@qcom-armv8a:~# root@qcom-armv8a:~# smcinvoke_client -m /data 1 Run memory obj test... Load /data/tzecotestapp.mbn, size 52192, buf 0x26cafba0. System Time: 2024-02-27 17:26:39 PASSED - Single Memory Object access Test. PASSED - Two Memory Object access Test. TEST PASSED! This series has been tested for QTEE object invocations, including loading a TA, requesting services from the TA, memory sharing, and handling callback requests to a supplicant. Tested platforms: sm8650-mtp, sm8550-qrd, sm8650-qrd, sm8650-hdk [1] https://www.kernel.org/doc/Documentation/tee.txt Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> Changes in v11: - Rebased on next. - Link to v10: https://lore.kernel.org/r/20250909-qcom-tee-using-tee-ss-without-mem-obj-v1… Changes in v10: - Remove all loggings in qcom_scm_qtee_init(). - Reorder patches. - Link to v9: https://lore.kernel.org/r/20250901-qcom-tee-using-tee-ss-without-mem-obj-v9… Changes in v9: - Remove unnecessary logging in qcom_scm_probe(). - Replace the platform_device_alloc()/add() sequence with platform_device_register_data(). - Fixed sparse warning. - Fixed documentation typo. - Link to v8: https://lore.kernel.org/r/20250820-qcom-tee-using-tee-ss-without-mem-obj-v8… Changes in v8: - Check if arguments to qcom_scm_qtee_invoke_smc() and qcom_scm_qtee_callback_response() are NULL. - Add CPU_BIG_ENDIAN as a dependency to Kconfig. - Fixed kernel bot errors. - Link to v7: https://lore.kernel.org/r/20250812-qcom-tee-using-tee-ss-without-mem-obj-v7… Changes in v7: - Updated copyrights. - Updated Acked-by: tags. - Fixed kernel bot errors. - Link to v6: https://lore.kernel.org/r/20250713-qcom-tee-using-tee-ss-without-mem-obj-v6… Changes in v6: - Relocate QTEE version into the driver's main service structure. - Simplfies qcomtee_objref_to_arg() and qcomtee_objref_from_arg(). - Enhanced the return logic of qcomtee_object_do_invoke_internal(). - Improve comments and remove redundant checks. - Improve helpers in qcomtee_msh.h to use GENMASK() and FIELD_GET(). - updated Tested-by:, Acked-by:, and Reviewed-by: tags - Link to v5: https://lore.kernel.org/r/20250526-qcom-tee-using-tee-ss-without-mem-obj-v5… Changes in v5: - Remove references to kernel services and public APIs. - Support auto detection for failing devices (e.g., RB1, RB4). - Add helpers for obtaining client environment and service objects. - Query the QTEE version and print it. - Move remaining static variables, including the object table, to struct qcomtee. - Update TEE_MAX_ARG_SIZE to 4096. - Add a dependancy to QCOM_TZMEM_MODE_SHMBRIDGE in Kconfig - Reorganize code by removing release.c and qcom_scm.c. - Add more error messages and improve comments. - updated Tested-by:, Acked-by:, and Reviewed-by: tags - Link to v4: https://lore.kernel.org/r/20250428-qcom-tee-using-tee-ss-without-mem-obj-v4… Changes in v4: - Move teedev_ctx_get/put and tee_device_get/put to tee_core.h. - Rename object to id in struct tee_ioctl_object_invoke_arg. - Replace spinlock with mutex for qtee_objects_idr. - Move qcomtee_object_get to qcomtee_user/memobj_param_to_object. - More code cleanup following the comments. - Cleanup documentations. - Update MAINTAINERS file. - Link to v3: https://lore.kernel.org/r/20250327-qcom-tee-using-tee-ss-without-mem-obj-v3… Changes in v3: - Export shm_bridge create/delete APIs. - Enable support for QTEE memory objects. - Update the memory management code to use the TEE subsystem for all allocations using the pool. - Move all driver states into the driver's main service struct. - Add more documentations. - Link to v2: https://lore.kernel.org/r/20250202-qcom-tee-using-tee-ss-without-mem-obj-v2… Changes in v2: - Clean up commit messages and comments. - Use better names such as ubuf instead of membuf or QCOMTEE prefix instead of QCOM_TEE, or names that are more consistent with other TEE-backend drivers such as qcomtee_context_data instead of qcom_tee_context. - Drop the DTS patch and instantiate the device from the scm driver. - Use a single structure for all driver's internal states. - Drop srcu primitives and use the existing mutex for synchronization between the supplicant and QTEE. - Directly use tee_context to track the lifetime of qcomtee_context_data. - Add close_context() to be called when the user closes the tee_context. - Link to v1: https://lore.kernel.org/r/20241202-qcom-tee-using-tee-ss-without-mem-obj-v1… Changes in v1: - It is a complete rewrite to utilize the TEE subsystem. - Link to RFC: https://lore.kernel.org/all/20240702-qcom-tee-object-and-ioctls-v1-0-633c3d… --- Amirreza Zarrabi (11): firmware: qcom: tzmem: export shm_bridge create/delete firmware: qcom: scm: add support for object invocation tee: allow a driver to allocate a tee_device without a pool tee: add close_context to TEE driver operation tee: add TEE_IOCTL_PARAM_ATTR_TYPE_UBUF tee: add TEE_IOCTL_PARAM_ATTR_TYPE_OBJREF tee: increase TEE_MAX_ARG_SIZE to 4096 tee: add Qualcomm TEE driver tee: qcom: add primordial object tee: qcom: enable TEE_IOC_SHM_ALLOC ioctl Documentation: tee: Add Qualcomm TEE driver Documentation/tee/index.rst | 1 + Documentation/tee/qtee.rst | 96 ++++ MAINTAINERS | 7 + drivers/firmware/qcom/qcom_scm.c | 119 ++++ drivers/firmware/qcom/qcom_scm.h | 7 + drivers/firmware/qcom/qcom_tzmem.c | 63 ++- drivers/tee/Kconfig | 1 + drivers/tee/Makefile | 1 + drivers/tee/qcomtee/Kconfig | 12 + drivers/tee/qcomtee/Makefile | 9 + drivers/tee/qcomtee/async.c | 182 ++++++ drivers/tee/qcomtee/call.c | 820 +++++++++++++++++++++++++++ drivers/tee/qcomtee/core.c | 915 +++++++++++++++++++++++++++++++ drivers/tee/qcomtee/mem_obj.c | 169 ++++++ drivers/tee/qcomtee/primordial_obj.c | 113 ++++ drivers/tee/qcomtee/qcomtee.h | 185 +++++++ drivers/tee/qcomtee/qcomtee_msg.h | 304 ++++++++++ drivers/tee/qcomtee/qcomtee_object.h | 316 +++++++++++ drivers/tee/qcomtee/shm.c | 150 +++++ drivers/tee/qcomtee/user_obj.c | 692 +++++++++++++++++++++++ drivers/tee/tee_core.c | 127 ++++- drivers/tee/tee_private.h | 6 - include/linux/firmware/qcom/qcom_scm.h | 6 + include/linux/firmware/qcom/qcom_tzmem.h | 15 + include/linux/tee_core.h | 54 +- include/linux/tee_drv.h | 12 + include/uapi/linux/tee.h | 56 +- 27 files changed, 4410 insertions(+), 28 deletions(-) --- base-commit: 8b8aefa5a5c7d4a65883e5653cf12f94c0b68dbf change-id: 20241202-qcom-tee-using-tee-ss-without-mem-obj-362c66340527 Best regards, -- Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com>

3 months, 1 week

2
13
0 0

2025

2024

2023

2022

2021

2020

OP-TEE