- OP-TEE - lists.trustedfirmware.org

[PATCH v2] optee: Do not send requests to supplicant during shutdown

by Lars Persson

The addition of a shutdown hook by commit f25889f93184 ("optee: fix tee out of memory failure seen during kexec reboot") introduced a kernel shutdown regression that can be triggered after running the xtest suites. Once the shutdown hook is called it is not possible to communicate any more with the supplicant process because the system is not scheduling task any longer. Thus if the optee driver shutdown path receives a supplicant RPC request from the OP-TEE we will deadlock the kernel's shutdown. This unexpected event will in fact occur after the xtest suite has been run. It seems some cached SHM kept alive a context object which in turn kept alive a session towards a PTA or TA. Closing the session results in a socket RPC command being sent back from OP-TEE. This sequence of events is captured by a 5.15 kernel annotated with extra prints: Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8001079380 Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8001CC5580 Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8006308A80 Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8006308B00 optee: optee_handle_rpc: a0=0XFFFF0000 a1=0XA0 a2=0X0 optee: optee_handle_rpc: a0=0XFFFF0005 a1=0XFFFFFF80 a2=0X61E6500 optee: handle_rpc_func_cmd: cmd = 0XA optee_supp_thrd_req: func=0XA Introduce a shutdown state in the optee device object to return an immediate error to all RPC requests in the shutdown path. Fixes: f25889f93184 ("optee: fix tee out of memory failure seen during kexec reboot") Signed-off-by: Lars Persson <larper(a)axis.com> --- drivers/tee/optee/optee_private.h | 1 + drivers/tee/optee/smc_abi.c | 5 ++++- drivers/tee/optee/supp.c | 8 ++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h index 46f74ab07c7e..9eb72931e11f 100644 --- a/drivers/tee/optee/optee_private.h +++ b/drivers/tee/optee/optee_private.h @@ -162,6 +162,7 @@ struct optee { struct tee_shm_pool *pool; unsigned int rpc_arg_count; bool scan_bus_done; + bool shutting_down; struct workqueue_struct *scan_bus_wq; struct work_struct scan_bus_work; }; diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c index 449d6a72d289..10af747da816 100644 --- a/drivers/tee/optee/smc_abi.c +++ b/drivers/tee/optee/smc_abi.c @@ -1356,7 +1356,10 @@ static int optee_smc_remove(struct platform_device *pdev) */ static void optee_shutdown(struct platform_device *pdev) { - optee_disable_shm_cache(platform_get_drvdata(pdev)); + struct optee *optee = platform_get_drvdata(pdev); + + optee->shutting_down = true; + optee_disable_shm_cache(optee); } static int optee_probe(struct platform_device *pdev) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index 322a543b8c27..801b4ec659e8 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -83,6 +83,14 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, bool interruptable; u32 ret; + /* + * When the system is shutting down we cannot talk + * to the supplicant anymore even if we seem to have + * an open session to it. + */ + if (optee->shutting_down) + return TEEC_ERROR_COMMUNICATION; + /* * Return in case there is no supplicant available and * non-blocking request. -- 2.30.2

4 years

4
7
0 0

Linaro OP-TEE Contribution (LOC) monthly meeting January 2022

by Ruchika Gupta

Hi, OP-TEE Contributions (LOC) monthly meeting is planned for Thursday Jan 27 @16.00 (UTC). If you have any topics you'd like to discuss, please let us know and we can schedule them. Meeting details: --------------- Date/time: January 27(a)16.00 (UTC) https://everytimezone.com/s/c3460919 Connection details: https://www.trustedfirmware.org/meetings/ Meeting notes: http://bit.ly/loc-notes Regards, Ruchika on behalf of the Linaro OP-TEE team

4 years

1
1
0 0

[GIT PULL] OP-TEE fixes for v5.17

by Jens Wiklander

Hello arm-soc maintainers, Please pull these OP-TEE driver fixes all concerning the recent changes regarding FF-A and asynchronous notifications. Thanks, Jens The following changes since commit e783362eb54cd99b2cac8b3a9aeac942e6f6ac07: Linux 5.17-rc1 (2022-01-23 10:12:53 +0200) are available in the Git repository at: git://git.linaro.org/people/jens.wiklander/linux-tee.git tags/optee-fixes-for-v5.17 for you to fetch changes up to 4064c461148ab129dfe5eaeea129b4af6cf4b9b7: optee: add error checks in optee_ffa_do_call_with_arg() (2022-01-24 13:00:59 +0100) ---------------------------------------------------------------- OP-TE fixes for v5.17 - Adds error checking in optee_ffa_do_call_with_arg() - Reintroduces an accidentally lost fix for a memref size check - Uses bitmap_free() to free memory obtained with bitmap_zalloc() ---------------------------------------------------------------- Christophe JAILLET (1): optee: Use bitmap_free() to free bitmap Jens Wiklander (1): optee: add error checks in optee_ffa_do_call_with_arg() Jerome Forissier (1): tee: optee: do not check memref size on return from Secure World drivers/tee/optee/ffa_abi.c | 15 ++++++++++++--- drivers/tee/optee/notif.c | 2 +- drivers/tee/optee/smc_abi.c | 10 ---------- 3 files changed, 13 insertions(+), 14 deletions(-)

4 years

1
0
0 0

[PATCH v2 00/12] tee: shared memory updates

by Jens Wiklander

Hi all, This patchset is a general cleanup of shared memory handling in the TEE subsystem. Until now has the in-kernel tee clients used tee_shm_alloc() and tee_shm_register() to share memory with secure world. These two function exposes via a flags parameter a bit more of the internals of the TEE subsystem than one would like. So in order to make things easier are those two functions replaced by few functions which should provide better abstraction. Two in-kernel tee clients are updated to use these new functions. The shared memory pool handling is simplified, an internal matter for the two TEE drivers OP-TEE and AMDTEE. An OP-TEE driver internal tee_context is added to handle shared memory allocations received via RPC, for instance the argument structure needed to make more complex RPC requests. The tee_context used when doing such a memory allocation must be kept until the memory is freed. With this we can avoid keeping a tee_context of a client around for longer than necessary. In the v1 review it was suggested [1] to allow physically non-contiguous memory allocations by the drivers. It turned out to be harder than anticipated so I'll save that for a separate patch. This patchset is also available at [2] and is based on the asynchronous notification patches [3] which was just merged during this merge window. Thanks, Jens [1] https://lore.kernel.org/linux-arm-kernel/20210609145811.GJ4910@sequoia/ [2] https://git.linaro.org/people/jens.wiklander/linux-tee.git/log/?h=tee_shm_v2 [3] https://git.linaro.org/people/jens.wiklander/linux-tee.git/log/?h=async_not… v1->v2: * The commits three "tee: add tee_shm_alloc_kernel_buf()", "tpm_ftpm_tee: use tee_shm_alloc_kernel_buf()" and "firmware: tee_bnxt: use tee_shm_alloc_kernel_buf()" has been merged some time ago as part of another patchset. * Another in-kernel tee client is updated with the commit "KEYS: trusted: tee: use tee_shm_register_kernel_buf()" * tee_shm_alloc_anon_kernel_buf() is replaced with an easier to use function tee_shm_alloc_priv_kernel_buf() and tee_shm_free_anon_kernel_buf() has been dropped. * A driver internal struct tee_context is used to when doing driver internal calls to secure world. * Adds patches to replace tee_shm_register() in a similar way as how tee_shm_alloc() is replaced. * A patch is added to clean up the TEE_SHM_* flags * Fixed a warning reported by kernel test robot <lkp(a)intel.com> Jens Wiklander (12): hwrng: optee-rng: use tee_shm_alloc_kernel_buf() tee: remove unused tee_shm_pool_alloc_res_mem() tee: add tee_shm_alloc_user_buf() tee: simplify shm pool handling tee: replace tee_shm_alloc() optee: add driver private tee_context optee: use driver internal tee_contex for some rpc optee: add optee_pool_op_free_helper() tee: add tee_shm_register_{user,kernel}_buf() KEYS: trusted: tee: use tee_shm_register_kernel_buf() tee: replace tee_shm_register() tee: refactor TEE_SHM_* flags drivers/char/hw_random/optee-rng.c | 6 +- drivers/tee/amdtee/shm_pool.c | 55 ++-- drivers/tee/optee/Kconfig | 8 - drivers/tee/optee/call.c | 2 +- drivers/tee/optee/core.c | 22 +- drivers/tee/optee/device.c | 5 +- drivers/tee/optee/ffa_abi.c | 136 ++++------ drivers/tee/optee/optee_private.h | 12 +- drivers/tee/optee/smc_abi.c | 155 +++-------- drivers/tee/tee_core.c | 5 +- drivers/tee/tee_private.h | 11 - drivers/tee/tee_shm.c | 322 +++++++++++++++-------- drivers/tee/tee_shm_pool.c | 162 +++--------- include/linux/tee_drv.h | 133 +++------- security/keys/trusted-keys/trusted_tee.c | 23 +- 15 files changed, 434 insertions(+), 623 deletions(-) -- 2.31.1

4 years

3
37
0 0

[PATCH v2] optee: add error checks in optee_ffa_do_call_with_arg()

by Jens Wiklander

Adds error checking in optee_ffa_do_call_with_arg() for correctness. Fixes: 4615e5a34b95 ("optee: add FF-A support") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/optee/ffa_abi.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c index 20a1b1a3d965..0775759a29c0 100644 --- a/drivers/tee/optee/ffa_abi.c +++ b/drivers/tee/optee/ffa_abi.c @@ -619,9 +619,18 @@ static int optee_ffa_do_call_with_arg(struct tee_context *ctx, .data2 = (u32)(shm->sec_world_id >> 32), .data3 = shm->offset, }; - struct optee_msg_arg *arg = tee_shm_get_va(shm, 0); - unsigned int rpc_arg_offs = OPTEE_MSG_GET_ARG_SIZE(arg->num_params); - struct optee_msg_arg *rpc_arg = tee_shm_get_va(shm, rpc_arg_offs); + struct optee_msg_arg *arg; + unsigned int rpc_arg_offs; + struct optee_msg_arg *rpc_arg; + + arg = tee_shm_get_va(shm, 0); + if (IS_ERR(arg)) + return PTR_ERR(arg); + + rpc_arg_offs = OPTEE_MSG_GET_ARG_SIZE(arg->num_params); + rpc_arg = tee_shm_get_va(shm, rpc_arg_offs); + if (IS_ERR(rpc_arg)) + return PTR_ERR(rpc_arg); return optee_ffa_yielding_call(ctx, &data, rpc_arg); } -- 2.31.1

4 years

2
2
0 0

Preparing for OP-TEE 3.16.0

by Jens Wiklander

[BCC all OP-TEE maintainers] Hi OP-TEE maintainers & contributors, OP-TEE v3.16.0 is scheduled to be released on 2022-01-28. So, now is a good time to start testing the master branch on the various platforms and report/fix any bugs. The GitHub pull request for collecting Tested-by tags or any other comments is https://github.com/OP-TEE/optee_os/pull/5094 As usual, we will create a release candidate tag one week before the release date for final testing. In addition to that you can find some additional information related to releases here: https://optee.readthedocs.io/en/latest/general/releases.html Thanks, Jens

4 years

1
1
0 0

[PATCH] optee: Do not send requests to supplicant during shutdown

by Lars Persson

The addition of a shutdown hook by commit f25889f93184 ("optee: fix tee out of memory failure seen during kexec reboot") introduced a kernel shutdown regression that can be triggered after running the xtest suites. Once the shutdown hook is called it is not possible to communicate any more with the supplicant process because the system is not scheduling task any longer. Thus if the optee driver shutdown path receives a supplicant RPC request from the OP-TEE we will deadlock the kernel's shutdown. This unexpected event will in fact occur after the xtest suite has been run. It seems some cached SHM kept alive a context object which in turn kept alive a session towards a PTA or TA. Closing the session results in a socket RPC command being sent back from OP-TEE. This sequence of events is captured by a 5.15 kernel annotated with extra prints: Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8001079380 Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8001CC5580 Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8006308A80 Calling OPTEE_SMC_DISABLE_SHM_CACHE OPTEE_SMC_DISABLE_SHM_CACHE returned 0 freeing SHM ptr 0xFFFFFF8006308B00 optee: optee_handle_rpc: a0=0XFFFF0000 a1=0XA0 a2=0X0 optee: optee_handle_rpc: a0=0XFFFF0005 a1=0XFFFFFF80 a2=0X61E6500 optee: handle_rpc_func_cmd: cmd = 0XA optee_supp_thrd_req: func=0XA Introduce a shutdown state in the optee device object to return an immediate error to all RPC requests in the shutdown path. Fixes: f25889f93184 ("optee: fix tee out of memory failure seen during kexec reboot Signed-off-by: Lars Persson <larper(a)axis.com> --- drivers/tee/optee/optee_private.h | 1 + drivers/tee/optee/smc_abi.c | 5 ++++- drivers/tee/optee/supp.c | 8 ++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h index 46f74ab07c7e..83380974ff44 100644 --- a/drivers/tee/optee/optee_private.h +++ b/drivers/tee/optee/optee_private.h @@ -164,6 +164,7 @@ struct optee { bool scan_bus_done; struct workqueue_struct *scan_bus_wq; struct work_struct scan_bus_work; + bool shutting_down; }; struct optee_session { diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c index 449d6a72d289..10af747da816 100644 --- a/drivers/tee/optee/smc_abi.c +++ b/drivers/tee/optee/smc_abi.c @@ -1356,7 +1356,10 @@ static int optee_smc_remove(struct platform_device *pdev) */ static void optee_shutdown(struct platform_device *pdev) { - optee_disable_shm_cache(platform_get_drvdata(pdev)); + struct optee *optee = platform_get_drvdata(pdev); + + optee->shutting_down = true; + optee_disable_shm_cache(optee); } static int optee_probe(struct platform_device *pdev) diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c index 322a543b8c27..801b4ec659e8 100644 --- a/drivers/tee/optee/supp.c +++ b/drivers/tee/optee/supp.c @@ -83,6 +83,14 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params, bool interruptable; u32 ret; + /* + * When the system is shutting down we cannot talk + * to the supplicant anymore even if we seem to have + * an open session to it. + */ + if (optee->shutting_down) + return TEEC_ERROR_COMMUNICATION; + /* * Return in case there is no supplicant available and * non-blocking request. -- 2.30.2

4 years

3
3
0 0

[PATCH] optee: add error checks in optee_ffa_do_call_with_arg()

by Jens Wiklander

Adds error checking in optee_ffa_do_call_with_arg() for correctness. Fixes: 4615e5a34b95 ("optee: add FF-A support") Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> --- drivers/tee/optee/ffa_abi.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c index d8c8683863aa..d88bd2e41572 100644 --- a/drivers/tee/optee/ffa_abi.c +++ b/drivers/tee/optee/ffa_abi.c @@ -619,9 +619,18 @@ static int optee_ffa_do_call_with_arg(struct tee_context *ctx, .data2 = (u32)(shm->sec_world_id >> 32), .data3 = shm->offset, }; - struct optee_msg_arg *arg = tee_shm_get_va(shm, 0); - unsigned int rpc_arg_offs = OPTEE_MSG_GET_ARG_SIZE(arg->num_params); - struct optee_msg_arg *rpc_arg = tee_shm_get_va(shm, rpc_arg_offs); + struct optee_msg_arg *arg; + unsigned int rpc_arg_offs; + struct optee_msg_arg *rpc_arg; + + arg = tee_shm_get_va(shm, 0); + if (IS_ERR(arg)) + return PTR_ERR(arg); + + rpc_arg_offs = OPTEE_MSG_GET_ARG_SIZE(arg->num_params); + rpc_arg = tee_shm_get_va(shm, rpc_arg_offs); + if (IS_ERR(arg)) + return PTR_ERR(arg); return optee_ffa_yielding_call(ctx, &data, rpc_arg); } -- 2.31.1

4 years

2
2
0 0

[PATCH] tee: optee: do not check memref size on return from Secure World

by Jerome Forissier

Commit c650b8dc7a79 ("tee: optee: do not check memref size on return from Secure World") was mistakenly lost in commit 4602c5842f64 ("optee: refactor driver with internal callbacks"). Remove the unwanted code again. Fixes: 4602c5842f64 ("optee: refactor driver with internal callbacks") Signed-off-by: Jerome Forissier <jerome(a)forissier.org> --- drivers/tee/optee/smc_abi.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c index cf2e3293567d..09e7ec673bb6 100644 --- a/drivers/tee/optee/smc_abi.c +++ b/drivers/tee/optee/smc_abi.c @@ -71,16 +71,6 @@ static int from_msg_param_tmp_mem(struct tee_param *p, u32 attr, p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa; p->u.memref.shm = shm; - /* Check that the memref is covered by the shm object */ - if (p->u.memref.size) { - size_t o = p->u.memref.shm_offs + - p->u.memref.size - 1; - - rc = tee_shm_get_pa(shm, o, NULL); - if (rc) - return rc; - } - return 0; } -- 2.32.0

4 years

3
3
0 0

[PATCH] docs: staging/tee.rst: fix two typos found while reading

by Wang Cheng

Signed-off-by: Wang Cheng <wanngchenng(a)gmail.com> --- Documentation/staging/tee.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/staging/tee.rst b/Documentation/staging/tee.rst index 3c63d8dcd61e..498343c7ab08 100644 --- a/Documentation/staging/tee.rst +++ b/Documentation/staging/tee.rst @@ -255,7 +255,7 @@ The following picture shows a high level overview of AMD-TEE:: +--------------------------+ +---------+--------------------+ At the lowest level (in x86), the AMD Secure Processor (ASP) driver uses the -CPU to PSP mailbox regsister to submit commands to the PSP. The format of the +CPU to PSP mailbox register to submit commands to the PSP. The format of the command buffer is opaque to the ASP driver. It's role is to submit commands to the secure processor and return results to AMD-TEE driver. The interface between AMD-TEE driver and AMD Secure Processor driver can be found in [6]. @@ -290,7 +290,7 @@ cancel_req driver callback is not supported by AMD-TEE. The GlobalPlatform TEE Client API [5] can be used by the user space (client) to talk to AMD's TEE. AMD's TEE provides a secure environment for loading, opening -a session, invoking commands and clossing session with TA. +a session, invoking commands and closing session with TA. References ========== -- 2.33.1

4 years

4
3
0 0

2026

2025

2024

2023

2022

2021

2020

OP-TEE