Hi,
This patch set introduces a new RPMB subsystem, based on patches from [1],
[2], and [3]. The RPMB subsystem aims at providing access to RPMB
partitions to other kernel drivers, in particular the OP-TEE driver. A new
user space ABI isn't needed, we can instead continue using the already
present ABI when writing the RPMB key during production.
I've added and removed things to keep only what is needed by the OP-TEE
driver. Since the posting of [3], there has been major changes in the MMC
subsystem so "mmc: block: register RPMB partition with the RPMB subsystem"
is in practice completely rewritten.
With this OP-TEE can access RPMB during early boot instead of having to
wait for user space to become available as in the current design [4].
This will benefit the efi variables [5] since we wont rely on userspace as
well as some TPM issues [6] that were solved.
The OP-TEE driver finds the correct RPMB device to interact with by
iterating over available devices until one is found with a programmed
authentication matching the one OP-TEE is using. This enables coexisting
users of other RPMBs since the owner can be determined by who knows the
authentication key.
I've put myself as a maintainer for the RPMB subsystem as I have an
interest in the OP-TEE driver to keep this in good shape. However, if you'd
rather see someone else taking the maintainership that's fine too. I'll
help keep the subsystem updated regardless.
[1] https://lore.kernel.org/lkml/[email protected]/
[2] https://lore.kernel.org/lkml/[email protected]/
[3] https://lore.kernel.org/linux-mmc/[email protected]/
[4] https://optee.readthedocs.io/en/latest/architecture/secure_storage.html#rpmb-secure-storage
[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c44b6be62e8dd4ee0a308c36a70620613e6fc55f
[6] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7269cba53d906cf257c139d3b3a53ad272176bca
Thanks,
Jens
Changes since v2:
* "rpmb: add Replay Protected Memory Block (RPMB) subsystem"
- Fixing documentation issues
- Adding a "depends on MMC" in the Kconfig
- Removed the class-device and the embedded device, struct rpmb_dev now
relies on the parent device for reference counting as requested
- Removed the now unneeded rpmb_ops get_resources() and put_resources()
since references are already taken in mmc_blk_alloc_rpmb_part() before
rpmb_dev_register() is called
- Added rpmb_interface_{,un}register() now that
class_interface_{,un}register() can't be used ay longer
* "mmc: block: register RPMB partition with the RPMB subsystem"
- Adding the missing error cleanup in alloc_idata()
- Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
instead of in mmc_rpmb_chrdev_open() and rpmb_op_mmc_get_resources()
* "optee: probe RPMB device using RPMB subsystem"
- Registering to get a notification when an RPMB device comes online
- Probes for RPMB devices each time an RPMB device comes online, until
a usable device is found
- When a usable RPMB device is found, call
optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB)
- Pass type of rpmb in return value from OPTEE_RPC_CMD_RPMB_PROBE_NEXT
Changes since Shyam's RFC:
* Removed the remaining leftover rpmb_cdev_*() function calls
* Refactored the struct rpmb_ops with all the previous ops replaced, in
some sense closer to [3] with the route_frames() op
* Added rpmb_route_frames()
* Added struct rpmb_frame, enum rpmb_op_result, and enum rpmb_type from [3]
* Removed all functions not needed in the OP-TEE use case
* Added "mmc: block: register RPMB partition with the RPMB subsystem", based
on the commit with the same name in [3]
* Added "optee: probe RPMB device using RPMB subsystem" for integration
with OP-TEE
* Moved the RPMB driver into drivers/misc/rpmb-core.c
* Added my name to MODULE_AUTHOR() in rpmb-core.c
* Added an rpmb_mutex to serialize access to the IDA
* Removed the target parameter from all rpmb_*() functions since it's
currently unused
Jens Wiklander (3):
rpmb: add Replay Protected Memory Block (RPMB) subsystem
mmc: block: register RPMB partition with the RPMB subsystem
optee: probe RPMB device using RPMB subsystem
MAINTAINERS | 7 +
drivers/misc/Kconfig | 10 ++
drivers/misc/Makefile | 1 +
drivers/misc/rpmb-core.c | 258 ++++++++++++++++++++++++++++++
drivers/mmc/core/block.c | 153 +++++++++++++++++-
drivers/tee/optee/core.c | 55 +++++++
drivers/tee/optee/ffa_abi.c | 7 +
drivers/tee/optee/optee_private.h | 16 ++
drivers/tee/optee/optee_rpc_cmd.h | 35 ++++
drivers/tee/optee/rpc.c | 233 +++++++++++++++++++++++++++
drivers/tee/optee/smc_abi.c | 6 +
include/linux/rpmb.h | 195 ++++++++++++++++++++++
12 files changed, 974 insertions(+), 2 deletions(-)
create mode 100644 drivers/misc/rpmb-core.c
create mode 100644 include/linux/rpmb.h
base-commit: 41bccc98fb7931d63d03f326a746ac4d429c1dd3
--
2.34.1
Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
use an RPMB device via the RPBM subsystem instead of passing the RPMB
frames via tee-supplicant in user space. A fallback mechanism is kept to
route RPMB frames via tee-supplicant if the RPMB subsystem isn't
available.
The OP-TEE RPC ABI is extended to support iterating over all RPMB
devices until one is found with the expected RPMB key already
programmed.
Signed-off-by: Jens Wiklander <[email protected]>
---
drivers/tee/optee/core.c | 55 +++++++
drivers/tee/optee/ffa_abi.c | 7 +
drivers/tee/optee/optee_private.h | 16 ++
drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
drivers/tee/optee/smc_abi.c | 6 +
6 files changed, 352 insertions(+)
diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
index 3aed554bc8d8..6b32d3e7865b 100644
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -11,6 +11,7 @@
#include <linux/io.h>
#include <linux/mm.h>
#include <linux/module.h>
+#include <linux/rpmb.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/tee_drv.h>
@@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
shm->pages = NULL;
}
+static void optee_rpmb_scan(struct work_struct *work)
+{
+ struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
+ bool scan_done = false;
+ u32 res;
+
+ do {
+ mutex_lock(&optee->rpmb_dev_mutex);
+ /* No need to rescan if we haven't started scanning yet */
+ optee->rpmb_dev_request_rescan = false;
+ mutex_unlock(&optee->rpmb_dev_mutex);
+
+ res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
+ if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
+ pr_info("Scanning for RPMB device: res %#x\n", res);
+
+ mutex_lock(&optee->rpmb_dev_mutex);
+ /*
+ * If another RPMB device came online while scanning, scan one
+ * more time, unless we have already found an RPBM device.
+ */
+ scan_done = (optee->rpmb_dev ||
+ !optee->rpmb_dev_request_rescan);
+ optee->rpmb_dev_request_rescan = false;
+ optee->rpmb_dev_scan_in_progress = !scan_done;
+ mutex_unlock(&optee->rpmb_dev_mutex);
+ } while (!scan_done);
+}
+
+void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
+ struct rpmb_dev *rdev)
+{
+ struct optee *optee = container_of(intf, struct optee, rpmb_intf);
+ bool queue_work = true;
+
+ mutex_lock(&optee->rpmb_dev_mutex);
+ if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
+ queue_work = false;
+ if (optee->rpmb_dev_scan_in_progress)
+ optee->rpmb_dev_request_rescan = true;
+ }
+ if (queue_work)
+ optee->rpmb_dev_scan_in_progress = true;
+ mutex_unlock(&optee->rpmb_dev_mutex);
+
+ if (queue_work) {
+ INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
+ schedule_work(&optee->scan_rpmb_work);
+ }
+}
+
static void optee_bus_scan(struct work_struct *work)
{
WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
@@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
void optee_remove_common(struct optee *optee)
{
+ rpmb_interface_unregister(&optee->rpmb_intf);
/* Unregister OP-TEE specific client devices on TEE bus */
optee_unregister_devices();
@@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
tee_shm_pool_free(optee->pool);
optee_supp_uninit(&optee->supp);
mutex_destroy(&optee->call_queue.mutex);
+ rpmb_dev_put(optee->rpmb_dev);
+ mutex_destroy(&optee->rpmb_dev_mutex);
}
static int smc_abi_rc;
diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
index ecb5eb079408..befe19ecc30a 100644
--- a/drivers/tee/optee/ffa_abi.c
+++ b/drivers/tee/optee/ffa_abi.c
@@ -7,6 +7,7 @@
#include <linux/arm_ffa.h>
#include <linux/errno.h>
+#include <linux/rpmb.h>
#include <linux/scatterlist.h>
#include <linux/sched.h>
#include <linux/slab.h>
@@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
optee_cq_init(&optee->call_queue, 0);
optee_supp_init(&optee->supp);
optee_shm_arg_cache_init(optee, arg_cache_flags);
+ mutex_init(&optee->rpmb_dev_mutex);
ffa_dev_set_drvdata(ffa_dev, optee);
ctx = teedev_open(optee->teedev);
if (IS_ERR(ctx)) {
@@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
if (rc)
goto err_unregister_devices;
+ optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
+ rpmb_interface_register(&optee->rpmb_intf);
pr_info("initialized driver\n");
return 0;
@@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
teedev_close_context(ctx);
err_rhashtable_free:
rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
+ rpmb_dev_put(optee->rpmb_dev);
+ mutex_destroy(&optee->rpmb_dev_mutex);
+ rpmb_interface_unregister(&optee->rpmb_intf);
optee_supp_uninit(&optee->supp);
mutex_destroy(&optee->call_queue.mutex);
mutex_destroy(&optee->ffa.mutex);
diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
index 7a5243c78b55..1e4c33baef43 100644
--- a/drivers/tee/optee/optee_private.h
+++ b/drivers/tee/optee/optee_private.h
@@ -8,6 +8,7 @@
#include <linux/arm-smccc.h>
#include <linux/rhashtable.h>
+#include <linux/rpmb.h>
#include <linux/semaphore.h>
#include <linux/tee_drv.h>
#include <linux/types.h>
@@ -20,11 +21,13 @@
/* Some Global Platform error codes used in this driver */
#define TEEC_SUCCESS 0x00000000
#define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
+#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
#define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
#define TEEC_ERROR_COMMUNICATION 0xFFFF000E
#define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
#define TEEC_ERROR_BUSY 0xFFFF000D
#define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
+#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
#define TEEC_ORIGIN_COMMS 0x00000002
@@ -197,6 +200,8 @@ struct optee_ops {
* @notif: notification synchronization struct
* @supp: supplicant synchronization struct for RPC to supplicant
* @pool: shared memory pool
+ * @mutex: mutex protecting @rpmb_dev
+ * @rpmb_dev: current RPMB device or NULL
* @rpc_param_count: If > 0 number of RPC parameters to make room for
* @scan_bus_done flag if device registation was already done.
* @scan_bus_work workq to scan optee bus and register optee drivers
@@ -215,9 +220,17 @@ struct optee {
struct optee_notif notif;
struct optee_supp supp;
struct tee_shm_pool *pool;
+ /* Protects rpmb_dev pointer and rpmb_dev_* */
+ struct mutex rpmb_dev_mutex;
+ struct rpmb_dev *rpmb_dev;
+ bool rpmb_dev_scan_in_progress;
+ bool rpmb_dev_request_rescan;
+ bool rpmb_dev_scan_done;
+ struct rpmb_interface rpmb_intf;
unsigned int rpc_param_count;
bool scan_bus_done;
struct work_struct scan_bus_work;
+ struct work_struct scan_rpmb_work;
};
struct optee_session {
@@ -280,8 +293,11 @@ int optee_cancel_req(struct tee_context *ctx, u32 cancel_id, u32 session);
#define PTA_CMD_GET_DEVICES 0x0
#define PTA_CMD_GET_DEVICES_SUPP 0x1
+#define PTA_CMD_GET_DEVICES_RPMB 0x2
int optee_enumerate_devices(u32 func);
void optee_unregister_devices(void);
+void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
+ struct rpmb_dev *rdev);
int optee_pool_op_alloc_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
size_t size, size_t align,
diff --git a/drivers/tee/optee/optee_rpc_cmd.h b/drivers/tee/optee/optee_rpc_cmd.h
index f3f06e0994a7..f351a8ac69fc 100644
--- a/drivers/tee/optee/optee_rpc_cmd.h
+++ b/drivers/tee/optee/optee_rpc_cmd.h
@@ -16,6 +16,14 @@
* and sends responses.
*/
+/*
+ * Replay Protected Memory Block access
+ *
+ * [in] memref[0] Frames to device
+ * [out] memref[1] Frames from device
+ */
+#define OPTEE_RPC_CMD_RPMB 1
+
/*
* Get time
*
@@ -103,4 +111,31 @@
/* I2C master control flags */
#define OPTEE_RPC_I2C_FLAGS_TEN_BIT BIT(0)
+/*
+ * Reset RPMB probing
+ *
+ * Releases an eventually already used RPMB devices and starts over searching
+ * for RPMB devices. Returns the kind of shared memory to use in subsequent
+ * OPTEE_RPC_CMD_RPMB_PROBE_NEXT and OPTEE_RPC_CMD_RPMB calls.
+ *
+ * [out] value[0].a OPTEE_RPC_SHM_TYPE_*, the parameter for
+ * OPTEE_RPC_CMD_SHM_ALLOC
+ */
+#define OPTEE_RPC_CMD_RPMB_PROBE_RESET 22
+
+/*
+ * Probe next RPMB device
+ *
+ * [out] value[0].a Type of RPMB device, OPTEE_RPC_RPMB_*
+ * [out] value[0].b EXT CSD-slice 168 "RPMB Size"
+ * [out] value[0].c EXT CSD-slice 222 "Reliable Write Sector Count"
+ * [out] memref[1] Buffer with the raw CID
+ */
+#define OPTEE_RPC_CMD_RPMB_PROBE_NEXT 23
+
+/* Type of RPMB device */
+#define OPTEE_RPC_RPMB_EMMC 0
+#define OPTEE_RPC_RPMB_UFS 1
+#define OPTEE_RPC_RPMB_NVME 2
+
#endif /*__OPTEE_RPC_CMD_H*/
diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c
index e69bc6380683..97f69a108f61 100644
--- a/drivers/tee/optee/rpc.c
+++ b/drivers/tee/optee/rpc.c
@@ -7,6 +7,7 @@
#include <linux/delay.h>
#include <linux/i2c.h>
+#include <linux/rpmb.h>
#include <linux/slab.h>
#include <linux/tee_drv.h>
#include "optee_private.h"
@@ -255,6 +256,229 @@ void optee_rpc_cmd_free_suppl(struct tee_context *ctx, struct tee_shm *shm)
optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_FREE, 1, ¶m);
}
+static void handle_rpc_func_rpmb_probe_reset(struct tee_context *ctx,
+ struct optee *optee,
+ struct optee_msg_arg *arg)
+{
+ struct tee_param params[1];
+
+ if (!IS_ENABLED(CONFIG_RPMB)) {
+ handle_rpc_supp_cmd(ctx, optee, arg);
+ return;
+ }
+
+ if (arg->num_params != ARRAY_SIZE(params) ||
+ optee->ops->from_msg_param(optee, params, arg->num_params,
+ arg->params) ||
+ params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT) {
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+ return;
+ }
+
+ params[0].u.value.a = OPTEE_RPC_SHM_TYPE_KERNEL;
+ params[0].u.value.b = 0;
+ params[0].u.value.c = 0;
+ if (optee->ops->to_msg_param(optee, arg->params,
+ arg->num_params, params)) {
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+ return;
+ }
+
+ mutex_lock(&optee->rpmb_dev_mutex);
+ rpmb_dev_put(optee->rpmb_dev);
+ optee->rpmb_dev = NULL;
+ mutex_unlock(&optee->rpmb_dev_mutex);
+
+ arg->ret = TEEC_SUCCESS;
+}
+
+static int rpmb_type_to_rpc_type(enum rpmb_type rtype)
+{
+ switch (rtype) {
+ case RPMB_TYPE_EMMC:
+ return OPTEE_RPC_RPMB_EMMC;
+ case RPMB_TYPE_UFS:
+ return OPTEE_RPC_RPMB_UFS;
+ case RPMB_TYPE_NVME:
+ return OPTEE_RPC_RPMB_NVME;
+ default:
+ return -1;
+ }
+}
+
+static int rpc_rpmb_match(struct rpmb_dev *rdev, const void *data)
+{
+ return rpmb_type_to_rpc_type(rdev->ops->type) >= 0;
+}
+
+static void handle_rpc_func_rpmb_probe_next(struct tee_context *ctx,
+ struct optee *optee,
+ struct optee_msg_arg *arg)
+{
+ struct rpmb_dev *rdev;
+ struct tee_param params[2];
+ void *buf;
+
+ if (!IS_ENABLED(CONFIG_RPMB)) {
+ handle_rpc_supp_cmd(ctx, optee, arg);
+ return;
+ }
+
+ if (arg->num_params != ARRAY_SIZE(params) ||
+ optee->ops->from_msg_param(optee, params, arg->num_params,
+ arg->params) ||
+ params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT ||
+ params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+ return;
+ }
+ buf = tee_shm_get_va(params[1].u.memref.shm,
+ params[1].u.memref.shm_offs);
+ if (!buf) {
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+ return;
+ }
+
+ mutex_lock(&optee->rpmb_dev_mutex);
+ rdev = rpmb_dev_find_device(NULL, optee->rpmb_dev, rpc_rpmb_match);
+ rpmb_dev_put(optee->rpmb_dev);
+ optee->rpmb_dev = rdev;
+ mutex_unlock(&optee->rpmb_dev_mutex);
+
+ if (!rdev) {
+ arg->ret = TEEC_ERROR_ITEM_NOT_FOUND;
+ return;
+ }
+
+ if (params[1].u.memref.size < rdev->dev_id_len) {
+ arg->ret = TEEC_ERROR_SHORT_BUFFER;
+ return;
+ }
+ memcpy(buf, rdev->dev_id, rdev->dev_id_len);
+ params[1].u.memref.size = rdev->dev_id_len;
+ params[0].u.value.a = rpmb_type_to_rpc_type(rdev->ops->type);
+ params[0].u.value.b = rdev->capacity;
+ params[0].u.value.c = rdev->reliable_wr_count;
+ if (optee->ops->to_msg_param(optee, arg->params,
+ arg->num_params, params)) {
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+ return;
+ }
+
+ arg->ret = TEEC_SUCCESS;
+}
+
+/* Request */
+struct rpmb_req {
+ u16 cmd;
+#define RPMB_CMD_DATA_REQ 0x00
+#define RPMB_CMD_GET_DEV_INFO 0x01
+ u16 dev_id;
+ u16 block_count;
+ /* Optional data frames (rpmb_data_frame) follow */
+};
+
+#define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
+
+#define RPMB_CID_SZ 16
+
+/* Response to device info request */
+struct rpmb_dev_info {
+ u8 cid[RPMB_CID_SZ];
+ u8 rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */
+ u8 rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */
+ /* Count */
+ u8 ret_code;
+#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00
+#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01
+};
+
+static int get_dev_info(struct rpmb_dev *rdev, void *rsp, size_t rsp_size)
+{
+ struct rpmb_dev_info *dev_info;
+
+ if (rsp_size != sizeof(*dev_info))
+ return TEEC_ERROR_BAD_PARAMETERS;
+
+ dev_info = rsp;
+ memcpy(dev_info->cid, rdev->dev_id, sizeof(dev_info->cid));
+ dev_info->rpmb_size_mult = rdev->capacity;
+ dev_info->rel_wr_sec_c = rdev->reliable_wr_count;
+ dev_info->ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK;
+
+ return TEEC_SUCCESS;
+}
+
+/*
+ * req is one struct rpmb_req followed by one or more struct rpmb_data_frame
+ * rsp is either one struct rpmb_dev_info or one or more struct rpmb_data_frame
+ */
+static u32 rpmb_process_request(struct optee *optee, struct rpmb_dev *rdev,
+ void *req, size_t req_size,
+ void *rsp, size_t rsp_size)
+{
+ struct rpmb_req *sreq = req;
+ int rc;
+
+ if (req_size < sizeof(*sreq))
+ return TEEC_ERROR_BAD_PARAMETERS;
+
+ switch (sreq->cmd) {
+ case RPMB_CMD_DATA_REQ:
+ rc = rpmb_route_frames(rdev, RPMB_REQ_DATA(req),
+ req_size - sizeof(struct rpmb_req),
+ rsp, rsp_size);
+ if (rc)
+ return TEEC_ERROR_BAD_PARAMETERS;
+ return TEEC_SUCCESS;
+ case RPMB_CMD_GET_DEV_INFO:
+ return get_dev_info(rdev, rsp, rsp_size);
+ default:
+ return TEEC_ERROR_BAD_PARAMETERS;
+ }
+}
+
+static void handle_rpc_func_rpmb(struct tee_context *ctx, struct optee *optee,
+ struct optee_msg_arg *arg)
+{
+ struct tee_param params[2];
+ struct rpmb_dev *rdev;
+ void *p0, *p1;
+
+ mutex_lock(&optee->rpmb_dev_mutex);
+ rdev = rpmb_dev_get(optee->rpmb_dev);
+ mutex_unlock(&optee->rpmb_dev_mutex);
+ if (!rdev) {
+ handle_rpc_supp_cmd(ctx, optee, arg);
+ return;
+ }
+
+ if (arg->num_params != ARRAY_SIZE(params) ||
+ optee->ops->from_msg_param(optee, params, arg->num_params,
+ arg->params) ||
+ params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT ||
+ params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+ goto out;
+ }
+
+ p0 = tee_shm_get_va(params[0].u.memref.shm,
+ params[0].u.memref.shm_offs);
+ p1 = tee_shm_get_va(params[1].u.memref.shm,
+ params[1].u.memref.shm_offs);
+ arg->ret = rpmb_process_request(optee, rdev, p0,
+ params[0].u.memref.size,
+ p1, params[1].u.memref.size);
+ if (arg->ret)
+ goto out;
+
+ if (optee->ops->to_msg_param(optee, arg->params,
+ arg->num_params, params))
+ arg->ret = TEEC_ERROR_BAD_PARAMETERS;
+out:
+ rpmb_dev_put(rdev);
+}
+
void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
struct optee_msg_arg *arg)
{
@@ -271,6 +495,15 @@ void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
case OPTEE_RPC_CMD_I2C_TRANSFER:
handle_rpc_func_cmd_i2c_transfer(ctx, arg);
break;
+ case OPTEE_RPC_CMD_RPMB_PROBE_RESET:
+ handle_rpc_func_rpmb_probe_reset(ctx, optee, arg);
+ break;
+ case OPTEE_RPC_CMD_RPMB_PROBE_NEXT:
+ handle_rpc_func_rpmb_probe_next(ctx, optee, arg);
+ break;
+ case OPTEE_RPC_CMD_RPMB:
+ handle_rpc_func_rpmb(ctx, optee, arg);
+ break;
default:
handle_rpc_supp_cmd(ctx, optee, arg);
}
diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
index a37f87087e5c..8da53f41b052 100644
--- a/drivers/tee/optee/smc_abi.c
+++ b/drivers/tee/optee/smc_abi.c
@@ -20,6 +20,7 @@
#include <linux/of_irq.h>
#include <linux/of_platform.h>
#include <linux/platform_device.h>
+#include <linux/rpmb.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/string.h>
@@ -1715,6 +1716,7 @@ static int optee_probe(struct platform_device *pdev)
optee->smc.memremaped_shm = memremaped_shm;
optee->pool = pool;
optee_shm_arg_cache_init(optee, arg_cache_flags);
+ mutex_init(&optee->rpmb_dev_mutex);
platform_set_drvdata(pdev, optee);
ctx = teedev_open(optee->teedev);
@@ -1769,6 +1771,8 @@ static int optee_probe(struct platform_device *pdev)
if (rc)
goto err_disable_shm_cache;
+ optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
+ rpmb_interface_register(&optee->rpmb_intf);
pr_info("initialized driver\n");
return 0;
@@ -1782,6 +1786,8 @@ static int optee_probe(struct platform_device *pdev)
err_close_ctx:
teedev_close_context(ctx);
err_supp_uninit:
+ rpmb_dev_put(optee->rpmb_dev);
+ mutex_destroy(&optee->rpmb_dev_mutex);
optee_shm_arg_cache_uninit(optee);
optee_supp_uninit(&optee->supp);
mutex_destroy(&optee->call_queue.mutex);
--
2.34.1
A number of storage technologies support a specialised hardware
partition designed to be resistant to replay attacks. The underlying
HW protocols differ but the operations are common. The RPMB partition
cannot be accessed via standard block layer, but by a set of specific
RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a
partition provides authenticated and replay protected access, hence
suitable as a secure storage.
The initial aim of this patch is to provide a simple RPMB driver
interface which can be accessed by the optee driver to facilitate early
RPMB access to OP-TEE OS (secure OS) during the boot time.
A TEE device driver can claim the RPMB interface, for example, via
rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
provides a callback to route RPMB frames to the RPMB device accessible
via rpmb_route_frames().
The detailed operation of implementing the access is left to the TEE
device driver itself.
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Signed-off-by: Shyam Saini <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
---
MAINTAINERS | 7 ++
drivers/misc/Kconfig | 10 ++
drivers/misc/Makefile | 1 +
drivers/misc/rpmb-core.c | 258 +++++++++++++++++++++++++++++++++++++++
include/linux/rpmb.h | 195 +++++++++++++++++++++++++++++
5 files changed, 471 insertions(+)
create mode 100644 drivers/misc/rpmb-core.c
create mode 100644 include/linux/rpmb.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 8999497011a2..e83152c42499 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -19012,6 +19012,13 @@ T: git git://linuxtv.org/media_tree.git
F: Documentation/devicetree/bindings/media/allwinner,sun8i-a83t-de2-rotate.yaml
F: drivers/media/platform/sunxi/sun8i-rotate/
+RPMB SUBSYSTEM
+M: Jens Wiklander <[email protected]>
+L: [email protected]
+S: Supported
+F: drivers/misc/rpmb-core.c
+F: include/linux/rpmb.h
+
RPMSG TTY DRIVER
M: Arnaud Pouliquen <[email protected]>
L: [email protected]
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index 4fb291f0bf7c..dbff9e8c3a03 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -104,6 +104,16 @@ config PHANTOM
If you choose to build module, its name will be phantom. If unsure,
say N here.
+config RPMB
+ tristate "RPMB partition interface"
+ depends on MMC
+ help
+ Unified RPMB unit interface for RPMB capable devices such as eMMC and
+ UFS. Provides interface for in-kernel security controllers to access
+ RPMB unit.
+
+ If unsure, select N.
+
config TIFM_CORE
tristate "TI Flash Media interface support"
depends on PCI
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index ea6ea5bbbc9c..8af058ad1df4 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -15,6 +15,7 @@ obj-$(CONFIG_LKDTM) += lkdtm/
obj-$(CONFIG_TIFM_CORE) += tifm_core.o
obj-$(CONFIG_TIFM_7XX1) += tifm_7xx1.o
obj-$(CONFIG_PHANTOM) += phantom.o
+obj-$(CONFIG_RPMB) += rpmb-core.o
obj-$(CONFIG_QCOM_COINCELL) += qcom-coincell.o
obj-$(CONFIG_QCOM_FASTRPC) += fastrpc.o
obj-$(CONFIG_SENSORS_BH1770) += bh1770glc.o
diff --git a/drivers/misc/rpmb-core.c b/drivers/misc/rpmb-core.c
new file mode 100644
index 000000000000..e0003b039e9f
--- /dev/null
+++ b/drivers/misc/rpmb-core.c
@@ -0,0 +1,258 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright(c) 2015 - 2019 Intel Corporation. All rights reserved.
+ * Copyright(c) 2021 - 2024 Linaro Ltd.
+ */
+#include <linux/device.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/module.h>
+#include <linux/mutex.h>
+#include <linux/rpmb.h>
+#include <linux/slab.h>
+
+static struct list_head rpmb_dev_list;
+static struct list_head rpmb_intf_list;
+static DEFINE_MUTEX(rpmb_mutex);
+
+/**
+ * rpmb_dev_get() - increase rpmb device ref counter
+ * @rdev: rpmb device
+ */
+struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev)
+{
+ if (rdev)
+ get_device(rdev->parent_dev);
+ return rdev;
+}
+EXPORT_SYMBOL_GPL(rpmb_dev_get);
+
+/**
+ * rpmb_dev_put() - decrease rpmb device ref counter
+ * @rdev: rpmb device
+ */
+void rpmb_dev_put(struct rpmb_dev *rdev)
+{
+ if (rdev)
+ put_device(rdev->parent_dev);
+}
+EXPORT_SYMBOL_GPL(rpmb_dev_put);
+
+/**
+ * rpmb_route_frames() - route rpmb frames to rpmb device
+ * @rdev: rpmb device
+ * @req: rpmb request frames
+ * @req_len: length of rpmb request frames in bytes
+ * @rsp: rpmb response frames
+ * @rsp_len: length of rpmb response frames in bytes
+ *
+ * Returns: < 0 on failure
+ */
+int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
+ unsigned int req_len, u8 *rsp, unsigned int rsp_len)
+{
+ struct rpmb_frame *frm = (struct rpmb_frame *)req;
+ u16 req_type;
+ bool write;
+
+ if (!req || req_len < sizeof(*frm) || !rsp || !rsp_len)
+ return -EINVAL;
+
+ req_type = be16_to_cpu(frm->req_resp);
+ switch (req_type) {
+ case RPMB_PROGRAM_KEY:
+ if (req_len != sizeof(struct rpmb_frame) ||
+ rsp_len != sizeof(struct rpmb_frame))
+ return -EINVAL;
+ write = true;
+ break;
+ case RPMB_GET_WRITE_COUNTER:
+ if (req_len != sizeof(struct rpmb_frame) ||
+ rsp_len != sizeof(struct rpmb_frame))
+ return -EINVAL;
+ write = false;
+ break;
+ case RPMB_WRITE_DATA:
+ if (req_len % sizeof(struct rpmb_frame) ||
+ rsp_len != sizeof(struct rpmb_frame))
+ return -EINVAL;
+ write = true;
+ break;
+ case RPMB_READ_DATA:
+ if (req_len != sizeof(struct rpmb_frame) ||
+ rsp_len % sizeof(struct rpmb_frame))
+ return -EINVAL;
+ write = false;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ return rdev->ops->route_frames(rdev->parent_dev, write,
+ req, req_len, rsp, rsp_len);
+}
+EXPORT_SYMBOL_GPL(rpmb_route_frames);
+
+/**
+ * rpmb_dev_find_device() - return first matching rpmb device
+ * @data: data for the match function
+ * @match: the matching function
+ *
+ * Returns: a matching rpmb device or NULL on failure
+ */
+struct rpmb_dev *rpmb_dev_find_device(const void *data,
+ const struct rpmb_dev *start,
+ int (*match)(struct rpmb_dev *rdev,
+ const void *data))
+{
+ struct rpmb_dev *rdev;
+ struct list_head *pos;
+
+ mutex_lock(&rpmb_mutex);
+ if (start)
+ pos = start->list_node.next;
+ else
+ pos = rpmb_dev_list.next;
+
+ while (pos != &rpmb_dev_list) {
+ rdev = container_of(pos, struct rpmb_dev, list_node);
+ if (match(rdev, data)) {
+ rpmb_dev_get(rdev);
+ goto out;
+ }
+ pos = pos->next;
+ }
+ rdev = NULL;
+
+out:
+ mutex_unlock(&rpmb_mutex);
+
+ return rdev;
+}
+
+/**
+ * rpmb_dev_unregister() - unregister RPMB partition from the RPMB subsystem
+ * @rdev: the rpmb device to unregister
+ *
+ * Returns: < 0 on failure
+ */
+int rpmb_dev_unregister(struct rpmb_dev *rdev)
+{
+ if (!rdev)
+ return -EINVAL;
+
+ mutex_lock(&rpmb_mutex);
+ list_del(&rdev->list_node);
+ mutex_unlock(&rpmb_mutex);
+ kfree(rdev->dev_id);
+ kfree(rdev);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(rpmb_dev_unregister);
+
+/**
+ * rpmb_dev_register - register RPMB partition with the RPMB subsystem
+ * @dev: storage device of the rpmb device
+ * @ops: device specific operations
+ *
+ * While registering the RPMB partition extract needed device information
+ * while needed resources are available.
+ *
+ * Returns: a pointer to a 'struct rpmb_dev' or an ERR_PTR on failure
+ */
+struct rpmb_dev *rpmb_dev_register(struct device *dev,
+ const struct rpmb_ops *ops)
+{
+ struct rpmb_dev *rdev;
+ struct rpmb_interface *intf;
+ int ret;
+
+ if (!dev || !ops || !ops->route_frames || !ops->set_dev_info)
+ return ERR_PTR(-EINVAL);
+
+ rdev = kzalloc(sizeof(*rdev), GFP_KERNEL);
+ if (!rdev)
+ return ERR_PTR(-ENOMEM);
+
+ mutex_lock(&rpmb_mutex);
+ list_add_tail(&rdev->list_node, &rpmb_dev_list);
+ mutex_unlock(&rpmb_mutex);
+
+ rdev->ops = ops;
+
+ rdev->parent_dev = dev;
+
+ ret = ops->set_dev_info(dev, rdev);
+ if (ret)
+ goto exit;
+
+ dev_dbg(rdev->parent_dev, "registered device\n");
+
+ mutex_lock(&rpmb_mutex);
+ list_for_each_entry(intf, &rpmb_intf_list, list_node)
+ if (intf->add_rdev)
+ intf->add_rdev(intf, rdev);
+ mutex_unlock(&rpmb_mutex);
+
+ return rdev;
+
+exit:
+ mutex_lock(&rpmb_mutex);
+ list_del(&rdev->list_node);
+ mutex_unlock(&rpmb_mutex);
+ kfree(rdev);
+ return ERR_PTR(ret);
+}
+EXPORT_SYMBOL_GPL(rpmb_dev_register);
+
+/**
+ * rpmb_interface_register() - register for new device notifications
+ *
+ * @intf : pointer to interface struct with a notification callback
+ */
+void rpmb_interface_register(struct rpmb_interface *intf)
+{
+ struct rpmb_dev *rdev;
+
+ mutex_lock(&rpmb_mutex);
+ list_add_tail(&intf->list_node, &rpmb_intf_list);
+ if (intf->add_rdev)
+ list_for_each_entry(rdev, &rpmb_dev_list, list_node)
+ intf->add_rdev(intf, rdev);
+ mutex_unlock(&rpmb_mutex);
+}
+EXPORT_SYMBOL_GPL(rpmb_interface_register);
+
+/**
+ * rpmb_interface_unregister() - unregister from new device notifications
+ *
+ * @intf : pointer to previously registered interface struct
+ */
+void rpmb_interface_unregister(struct rpmb_interface *intf)
+{
+ mutex_lock(&rpmb_mutex);
+ list_del(&intf->list_node);
+ mutex_unlock(&rpmb_mutex);
+}
+EXPORT_SYMBOL_GPL(rpmb_interface_unregister);
+
+static int __init rpmb_init(void)
+{
+ INIT_LIST_HEAD(&rpmb_dev_list);
+ INIT_LIST_HEAD(&rpmb_intf_list);
+ return 0;
+}
+
+static void __exit rpmb_exit(void)
+{
+ mutex_destroy(&rpmb_mutex);
+}
+
+subsys_initcall(rpmb_init);
+module_exit(rpmb_exit);
+
+MODULE_AUTHOR("Jens Wiklander <[email protected]>");
+MODULE_DESCRIPTION("RPMB class");
+MODULE_LICENSE("GPL");
diff --git a/include/linux/rpmb.h b/include/linux/rpmb.h
new file mode 100644
index 000000000000..c4b13dad10c4
--- /dev/null
+++ b/include/linux/rpmb.h
@@ -0,0 +1,195 @@
+/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0 */
+/*
+ * Copyright (C) 2015-2019 Intel Corp. All rights reserved
+ * Copyright (C) 2021-2022 Linaro Ltd
+ */
+#ifndef __RPMB_H__
+#define __RPMB_H__
+
+#include <linux/types.h>
+#include <linux/device.h>
+
+/**
+ * struct rpmb_frame - rpmb frame as defined by specs
+ *
+ * @stuff : stuff bytes
+ * @key_mac : The authentication key or the message authentication
+ * code (MAC) depending on the request/response type.
+ * The MAC will be delivered in the last (or the only)
+ * block of data.
+ * @data : Data to be written or read by signed access.
+ * @nonce : Random number generated by the host for the requests
+ * and copied to the response by the RPMB engine.
+ * @write_counter: Counter value for the total amount of the successful
+ * authenticated data write requests made by the host.
+ * @addr : Address of the data to be programmed to or read
+ * from the RPMB. Address is the serial number of
+ * the accessed block (half sector 256B).
+ * @block_count : Number of blocks (half sectors, 256B) requested to be
+ * read/programmed.
+ * @result : Includes information about the status of the write counter
+ * (valid, expired) and result of the access made to the RPMB.
+ * @req_resp : Defines the type of request and response to/from the memory.
+ */
+struct rpmb_frame {
+ u8 stuff[196];
+ u8 key_mac[32];
+ u8 data[256];
+ u8 nonce[16];
+ __be32 write_counter;
+ __be16 addr;
+ __be16 block_count;
+ __be16 result;
+ __be16 req_resp;
+} __packed;
+
+#define RPMB_PROGRAM_KEY 0x1 /* Program RPMB Authentication Key */
+#define RPMB_GET_WRITE_COUNTER 0x2 /* Read RPMB write counter */
+#define RPMB_WRITE_DATA 0x3 /* Write data to RPMB partition */
+#define RPMB_READ_DATA 0x4 /* Read data from RPMB partition */
+#define RPMB_RESULT_READ 0x5 /* Read result request (Internal) */
+
+#define RPMB_REQ2RESP(_OP) ((_OP) << 8)
+#define RPMB_RESP2REQ(_OP) ((_OP) >> 8)
+
+/**
+ * enum rpmb_op_result - rpmb operation results
+ *
+ * @RPMB_ERR_OK : operation successful
+ * @RPMB_ERR_GENERAL : general failure
+ * @RPMB_ERR_AUTH : mac doesn't match or ac calculation failure
+ * @RPMB_ERR_COUNTER : counter doesn't match or counter increment failure
+ * @RPMB_ERR_ADDRESS : address out of range or wrong address alignment
+ * @RPMB_ERR_WRITE : data, counter, or result write failure
+ * @RPMB_ERR_READ : data, counter, or result read failure
+ * @RPMB_ERR_NO_KEY : authentication key not yet programmed
+ *
+ * @RPMB_ERR_COUNTER_EXPIRED: counter expired
+ */
+enum rpmb_op_result {
+ RPMB_ERR_OK = 0x0000,
+ RPMB_ERR_GENERAL = 0x0001,
+ RPMB_ERR_AUTH = 0x0002,
+ RPMB_ERR_COUNTER = 0x0003,
+ RPMB_ERR_ADDRESS = 0x0004,
+ RPMB_ERR_WRITE = 0x0005,
+ RPMB_ERR_READ = 0x0006,
+ RPMB_ERR_NO_KEY = 0x0007,
+
+ RPMB_ERR_COUNTER_EXPIRED = 0x0080
+};
+
+/**
+ * enum rpmb_type - type of underlying storage technology
+ *
+ * @RPMB_TYPE_EMMC : emmc (JESD84-B50.1)
+ * @RPMB_TYPE_UFS : UFS (JESD220)
+ * @RPMB_TYPE_NVME : NVM Express
+ */
+enum rpmb_type {
+ RPMB_TYPE_EMMC,
+ RPMB_TYPE_UFS,
+ RPMB_TYPE_NVME,
+};
+
+/**
+ * struct rpmb_dev - device which can support RPMB partition
+ *
+ * @parent_dev : parent device
+ * @list_node : linked list node
+ * @ops : operation exported by rpmb
+ * @dev_id : unique device identifier read from the hardware
+ * @dev_id_len : length of unique device identifier
+ * @reliable_wr_count: number of sectors that can be written in one access
+ * @capacity : capacity of the device in units of 128K
+ */
+struct rpmb_dev {
+ struct device *parent_dev;
+ struct list_head list_node;
+ const struct rpmb_ops *ops;
+ u8 *dev_id;
+ size_t dev_id_len;
+ u16 reliable_wr_count;
+ u16 capacity;
+};
+
+/**
+ * struct rpmb_ops - RPMB ops to be implemented by underlying block device
+ *
+ * @type : block device type
+ * @route_frames : routes frames to and from the RPMB device
+ * @set_dev_info : extracts device info from the RPMB device
+ */
+struct rpmb_ops {
+ enum rpmb_type type;
+ int (*set_dev_info)(struct device *dev, struct rpmb_dev *rdev);
+ int (*route_frames)(struct device *dev, bool write,
+ u8 *req, unsigned int req_len,
+ u8 *resp, unsigned int resp_len);
+};
+
+/**
+ * struct rpmb_interface - subscribe to new RPMB devices
+ *
+ * @list_node : linked list node
+ * @add_rdev : notifies that a new RPMB device has been found
+ */
+struct rpmb_interface {
+ struct list_head list_node;
+ void (*add_rdev)(struct rpmb_interface *intf, struct rpmb_dev *rdev);
+};
+
+#if IS_ENABLED(CONFIG_RPMB)
+struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev);
+void rpmb_dev_put(struct rpmb_dev *rdev);
+struct rpmb_dev *rpmb_dev_find_device(const void *data,
+ const struct rpmb_dev *start,
+ int (*match)(struct rpmb_dev *rdev,
+ const void *data));
+struct rpmb_dev *rpmb_dev_register(struct device *dev,
+ const struct rpmb_ops *ops);
+int rpmb_dev_unregister(struct rpmb_dev *rdev);
+
+int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
+ unsigned int req_len, u8 *resp, unsigned int resp_len);
+
+void rpmb_interface_register(struct rpmb_interface *intf);
+void rpmb_interface_unregister(struct rpmb_interface *intf);
+#else
+static inline struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev)
+{
+ return NULL;
+}
+
+static inline void rpmb_dev_put(struct rpmb_dev *rdev) { }
+
+static inline struct rpmb_dev *
+rpmb_dev_find_device(const void *data, const struct rpmb_dev *start,
+ int (*match)(struct rpmb_dev *rdev, const void *data))
+{
+ return NULL;
+}
+
+static inline struct rpmb_dev *
+rpmb_dev_register(struct device *dev, const struct rpmb_ops *ops)
+{
+ return NULL;
+}
+
+static inline int rpmb_dev_unregister(struct rpmb_dev *dev)
+{
+ return 0;
+}
+
+static inline int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
+ unsigned int req_len, u8 *resp,
+ unsigned int resp_len)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline void rpmb_interface_register(struct rpmb_interface *intf) { }
+static inline void rpmb_interface_unregister(struct rpmb_interface *intf) { }
+#endif /* CONFIG_RPMB */
+
+#endif /* __RPMB_H__ */
--
2.34.1
Register eMMC RPMB partition with the RPMB subsystem and provide
an implementation for the RPMB access operations abstracting
the actual multi step process.
Add a callback to extract the needed device information at registration
to avoid accessing the struct mmc_card at a later stage as we're not
holding a reference counter for this struct.
Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
instead of in mmc_rpmb_chrdev_open(). This is needed by the
route_frames() function pointer in struct rpmb_ops.
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
---
drivers/mmc/core/block.c | 153 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 151 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
index 32d49100dff5..f35c99638eb2 100644
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -33,6 +33,7 @@
#include <linux/cdev.h>
#include <linux/mutex.h>
#include <linux/scatterlist.h>
+#include <linux/string.h>
#include <linux/string_helpers.h>
#include <linux/delay.h>
#include <linux/capability.h>
@@ -40,6 +41,7 @@
#include <linux/pm_runtime.h>
#include <linux/idr.h>
#include <linux/debugfs.h>
+#include <linux/rpmb.h>
#include <linux/mmc/ioctl.h>
#include <linux/mmc/card.h>
@@ -163,6 +165,7 @@ struct mmc_rpmb_data {
int id;
unsigned int part_index;
struct mmc_blk_data *md;
+ struct rpmb_dev *rdev;
struct list_head node;
};
@@ -2672,7 +2675,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
get_device(&rpmb->dev);
filp->private_data = rpmb;
- mmc_blk_get(rpmb->md->disk);
return nonseekable_open(inode, filp);
}
@@ -2682,7 +2684,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
struct mmc_rpmb_data, chrdev);
- mmc_blk_put(rpmb->md);
put_device(&rpmb->dev);
return 0;
@@ -2703,10 +2704,147 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
{
struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
+ rpmb_dev_unregister(rpmb->rdev);
+ mmc_blk_put(rpmb->md);
ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
kfree(rpmb);
}
+static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
+{
+ unsigned int n;
+
+ for (n = 0; n < cmd_count; n++)
+ kfree(idata[n]);
+ kfree(idata);
+}
+
+static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
+ unsigned int cmd_count)
+{
+ struct mmc_blk_ioc_data **idata;
+ unsigned int n;
+
+ idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
+ if (!idata)
+ return NULL;
+
+ for (n = 0; n < cmd_count; n++) {
+ idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
+ if (!idata[n]) {
+ free_idata(idata, n);
+ return NULL;
+ }
+ idata[n]->rpmb = rpmb;
+ }
+
+ return idata;
+}
+
+static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
+ int write_flag, u8 *buf, unsigned int buf_bytes)
+{
+ idata->ic.opcode = opcode;
+ idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
+ idata->ic.write_flag = write_flag;
+ idata->ic.blksz = sizeof(struct rpmb_frame);
+ idata->ic.blocks = buf_bytes / idata->ic.blksz;
+ idata->buf = buf;
+ idata->buf_bytes = buf_bytes;
+}
+
+static int rpmb_op_mmc_route_frames(struct device *dev, bool write, u8 *req,
+ unsigned int req_len, u8 *resp,
+ unsigned int resp_len)
+{
+ struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
+ struct mmc_blk_data *md = rpmb->md;
+ struct mmc_blk_ioc_data **idata;
+ unsigned int cmd_count;
+ struct request *rq;
+ int ret;
+
+ if (write)
+ cmd_count = 3;
+ else
+ cmd_count = 2;
+
+ if (IS_ERR(md->queue.card))
+ return PTR_ERR(md->queue.card);
+
+ idata = alloc_idata(rpmb, cmd_count);
+ if (!idata)
+ return -ENOMEM;
+
+ if (write) {
+ struct rpmb_frame *frm = (struct rpmb_frame *)resp;
+
+ /* Send write request frame(s) */
+ set_idata(idata[0], MMC_WRITE_MULTIPLE_BLOCK,
+ 1 | MMC_CMD23_ARG_REL_WR, req, req_len);
+
+ /* Send result request frame */
+ memset(frm, 0, sizeof(*frm));
+ frm->req_resp = cpu_to_be16(RPMB_RESULT_READ);
+ set_idata(idata[1], MMC_WRITE_MULTIPLE_BLOCK, 1, resp,
+ resp_len);
+
+ /* Read response frame */
+ set_idata(idata[2], MMC_READ_MULTIPLE_BLOCK, 0, resp, resp_len);
+ } else {
+ /* Send write request frame(s) */
+ set_idata(idata[0], MMC_WRITE_MULTIPLE_BLOCK, 1, req, req_len);
+
+ /* Read response frame */
+ set_idata(idata[1], MMC_READ_MULTIPLE_BLOCK, 0, resp, resp_len);
+ }
+
+ rq = blk_mq_alloc_request(md->queue.queue, REQ_OP_DRV_OUT, 0);
+ if (IS_ERR(rq)) {
+ ret = PTR_ERR(rq);
+ goto out;
+ }
+
+ req_to_mmc_queue_req(rq)->drv_op = MMC_DRV_OP_IOCTL_RPMB;
+ req_to_mmc_queue_req(rq)->drv_op_result = -EIO;
+ req_to_mmc_queue_req(rq)->drv_op_data = idata;
+ req_to_mmc_queue_req(rq)->ioc_count = cmd_count;
+ blk_execute_rq(rq, false);
+ ret = req_to_mmc_queue_req(rq)->drv_op_result;
+
+ blk_mq_free_request(rq);
+
+out:
+ free_idata(idata, cmd_count);
+ return ret;
+}
+
+static int rpmb_op_mmc_set_dev_info(struct device *dev, struct rpmb_dev *rdev)
+{
+ struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
+ struct mmc_card *card = rpmb->md->queue.card;
+ unsigned int n;
+ u32 cid[4];
+
+ for (n = 0; n < 4; n++)
+ cid[n] = be32_to_cpu(card->raw_cid[n]);
+
+ rdev->dev_id = kmemdup(cid, sizeof(cid), GFP_KERNEL);
+ if (!rdev->dev_id)
+ return -ENOMEM;
+ rdev->dev_id_len = sizeof(cid);
+ rdev->reliable_wr_count = card->ext_csd.raw_rpmb_size_mult;
+ rdev->capacity = card->ext_csd.rel_sectors;
+
+ return 0;
+}
+
+static struct rpmb_ops rpmb_mmc_ops = {
+ .type = RPMB_TYPE_EMMC,
+ .route_frames = rpmb_op_mmc_route_frames,
+ .set_dev_info = rpmb_op_mmc_set_dev_info,
+};
+
static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
struct mmc_blk_data *md,
unsigned int part_index,
@@ -2741,6 +2879,7 @@ static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
rpmb->dev.release = mmc_blk_rpmb_device_release;
device_initialize(&rpmb->dev);
dev_set_drvdata(&rpmb->dev, rpmb);
+ mmc_blk_get(md->disk);
rpmb->md = md;
cdev_init(&rpmb->chrdev, &mmc_rpmb_fileops);
@@ -2751,6 +2890,14 @@ static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
goto out_put_device;
}
+ rpmb->rdev = rpmb_dev_register(&rpmb->dev, &rpmb_mmc_ops);
+ if (IS_ERR(rpmb->rdev)) {
+ pr_err("%s: could not register RPMB device\n", rpmb_name);
+ ret = PTR_ERR(rpmb->rdev);
+ rpmb->rdev = NULL;
+ goto out_cdev_device_del;
+ }
+
list_add(&rpmb->node, &md->rpmbs);
string_get_size((u64)size, 512, STRING_UNITS_2,
@@ -2762,6 +2909,8 @@ static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
return 0;
+out_cdev_device_del:
+ cdev_device_del(&rpmb->chrdev, &rpmb->dev);
out_put_device:
put_device(&rpmb->dev);
return ret;
--
2.34.1
Hi Jens,
On Tue, 27 Feb 2024 at 21:01, Jens Wiklander <[email protected]> wrote:
>
> Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
> use an RPMB device via the RPBM subsystem instead of passing the RPMB
s/RPBM/RPMB/
Here are other places too in this patch-set.
> frames via tee-supplicant in user space. A fallback mechanism is kept to
> route RPMB frames via tee-supplicant if the RPMB subsystem isn't
> available.
>
> The OP-TEE RPC ABI is extended to support iterating over all RPMB
> devices until one is found with the expected RPMB key already
> programmed.
I would appreciate it if you could add a link to OP-TEE OS changes in
the cover-letter although I have found them here [1].
[1] https://github.com/jenswi-linaro/optee_os/commits/rpmb_probe/
>
> Signed-off-by: Jens Wiklander <[email protected]>
> ---
> drivers/tee/optee/core.c | 55 +++++++
> drivers/tee/optee/ffa_abi.c | 7 +
> drivers/tee/optee/optee_private.h | 16 ++
> drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
> drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
> drivers/tee/optee/smc_abi.c | 6 +
> 6 files changed, 352 insertions(+)
>
> diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> index 3aed554bc8d8..6b32d3e7865b 100644
> --- a/drivers/tee/optee/core.c
> +++ b/drivers/tee/optee/core.c
> @@ -11,6 +11,7 @@
> #include <linux/io.h>
> #include <linux/mm.h>
> #include <linux/module.h>
> +#include <linux/rpmb.h>
> #include <linux/slab.h>
> #include <linux/string.h>
> #include <linux/tee_drv.h>
> @@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> shm->pages = NULL;
> }
>
> +static void optee_rpmb_scan(struct work_struct *work)
> +{
> + struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
> + bool scan_done = false;
> + u32 res;
> +
> + do {
> + mutex_lock(&optee->rpmb_dev_mutex);
> + /* No need to rescan if we haven't started scanning yet */
> + optee->rpmb_dev_request_rescan = false;
> + mutex_unlock(&optee->rpmb_dev_mutex);
> +
> + res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
> + if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
I suppose this hasn't been tested for a negative case since
optee_enumerate_devices() won't return this error code (see [2]).
However, I would prefer to use GP Client error code:
TEEC_ERROR_ITEM_NOT_FOUND here instead.
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tee/optee/device.c#n43
> + pr_info("Scanning for RPMB device: res %#x\n", res);
> +
> + mutex_lock(&optee->rpmb_dev_mutex);
> + /*
> + * If another RPMB device came online while scanning, scan one
> + * more time, unless we have already found an RPBM device.
> + */
> + scan_done = (optee->rpmb_dev ||
I suppose we don't need to check for optee->rpmb_dev here since a
successful return from
optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) would ensure that
the RPMB device has been found.
> + !optee->rpmb_dev_request_rescan);
> + optee->rpmb_dev_request_rescan = false;
> + optee->rpmb_dev_scan_in_progress = !scan_done;
> + mutex_unlock(&optee->rpmb_dev_mutex);
> + } while (!scan_done);
> +}
> +
> +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> + struct rpmb_dev *rdev)
> +{
> + struct optee *optee = container_of(intf, struct optee, rpmb_intf);
> + bool queue_work = true;
> +
> + mutex_lock(&optee->rpmb_dev_mutex);
> + if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
Can we use work_pending() instead of our custom
optee->rpmb_dev_scan_in_progress flag?
> + queue_work = false;
> + if (optee->rpmb_dev_scan_in_progress)
> + optee->rpmb_dev_request_rescan = true;
> + }
> + if (queue_work)
> + optee->rpmb_dev_scan_in_progress = true;
> + mutex_unlock(&optee->rpmb_dev_mutex);
> +
> + if (queue_work) {
> + INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
> + schedule_work(&optee->scan_rpmb_work);
Can we reuse optee->scan_bus_work rather than introducing a new one here?
> + }
> +}
> +
> static void optee_bus_scan(struct work_struct *work)
> {
> WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
> @@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
>
> void optee_remove_common(struct optee *optee)
> {
> + rpmb_interface_unregister(&optee->rpmb_intf);
> /* Unregister OP-TEE specific client devices on TEE bus */
> optee_unregister_devices();
>
> @@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
> tee_shm_pool_free(optee->pool);
> optee_supp_uninit(&optee->supp);
> mutex_destroy(&optee->call_queue.mutex);
> + rpmb_dev_put(optee->rpmb_dev);
> + mutex_destroy(&optee->rpmb_dev_mutex);
> }
>
> static int smc_abi_rc;
> diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> index ecb5eb079408..befe19ecc30a 100644
> --- a/drivers/tee/optee/ffa_abi.c
> +++ b/drivers/tee/optee/ffa_abi.c
> @@ -7,6 +7,7 @@
>
> #include <linux/arm_ffa.h>
> #include <linux/errno.h>
> +#include <linux/rpmb.h>
> #include <linux/scatterlist.h>
> #include <linux/sched.h>
> #include <linux/slab.h>
> @@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> optee_cq_init(&optee->call_queue, 0);
> optee_supp_init(&optee->supp);
> optee_shm_arg_cache_init(optee, arg_cache_flags);
> + mutex_init(&optee->rpmb_dev_mutex);
> ffa_dev_set_drvdata(ffa_dev, optee);
> ctx = teedev_open(optee->teedev);
> if (IS_ERR(ctx)) {
> @@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> if (rc)
> goto err_unregister_devices;
>
> + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> + rpmb_interface_register(&optee->rpmb_intf);
> pr_info("initialized driver\n");
> return 0;
>
> @@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> teedev_close_context(ctx);
> err_rhashtable_free:
> rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
> + rpmb_dev_put(optee->rpmb_dev);
> + mutex_destroy(&optee->rpmb_dev_mutex);
> + rpmb_interface_unregister(&optee->rpmb_intf);
> optee_supp_uninit(&optee->supp);
> mutex_destroy(&optee->call_queue.mutex);
> mutex_destroy(&optee->ffa.mutex);
> diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
> index 7a5243c78b55..1e4c33baef43 100644
> --- a/drivers/tee/optee/optee_private.h
> +++ b/drivers/tee/optee/optee_private.h
> @@ -8,6 +8,7 @@
>
> #include <linux/arm-smccc.h>
> #include <linux/rhashtable.h>
> +#include <linux/rpmb.h>
> #include <linux/semaphore.h>
> #include <linux/tee_drv.h>
> #include <linux/types.h>
> @@ -20,11 +21,13 @@
> /* Some Global Platform error codes used in this driver */
> #define TEEC_SUCCESS 0x00000000
> #define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
> +#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
> #define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
> #define TEEC_ERROR_COMMUNICATION 0xFFFF000E
> #define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
> #define TEEC_ERROR_BUSY 0xFFFF000D
> #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
> +#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
>
> #define TEEC_ORIGIN_COMMS 0x00000002
>
> @@ -197,6 +200,8 @@ struct optee_ops {
> * @notif: notification synchronization struct
> * @supp: supplicant synchronization struct for RPC to supplicant
> * @pool: shared memory pool
> + * @mutex: mutex protecting @rpmb_dev
> + * @rpmb_dev: current RPMB device or NULL
> * @rpc_param_count: If > 0 number of RPC parameters to make room for
> * @scan_bus_done flag if device registation was already done.
> * @scan_bus_work workq to scan optee bus and register optee drivers
> @@ -215,9 +220,17 @@ struct optee {
> struct optee_notif notif;
> struct optee_supp supp;
> struct tee_shm_pool *pool;
> + /* Protects rpmb_dev pointer and rpmb_dev_* */
> + struct mutex rpmb_dev_mutex;
Given my comments above, do we really need this mutex?
> + struct rpmb_dev *rpmb_dev;
> + bool rpmb_dev_scan_in_progress;
> + bool rpmb_dev_request_rescan;
> + bool rpmb_dev_scan_done;
Left over, should it be dropped?
> + struct rpmb_interface rpmb_intf;
> unsigned int rpc_param_count;
> bool scan_bus_done;
> struct work_struct scan_bus_work;
> + struct work_struct scan_rpmb_work;
> };
>
> struct optee_session {
> @@ -280,8 +293,11 @@ int optee_cancel_req(struct tee_context *ctx, u32 cancel_id, u32 session);
>
> #define PTA_CMD_GET_DEVICES 0x0
> #define PTA_CMD_GET_DEVICES_SUPP 0x1
> +#define PTA_CMD_GET_DEVICES_RPMB 0x2
> int optee_enumerate_devices(u32 func);
> void optee_unregister_devices(void);
> +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> + struct rpmb_dev *rdev);
>
> int optee_pool_op_alloc_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> size_t size, size_t align,
> diff --git a/drivers/tee/optee/optee_rpc_cmd.h b/drivers/tee/optee/optee_rpc_cmd.h
> index f3f06e0994a7..f351a8ac69fc 100644
> --- a/drivers/tee/optee/optee_rpc_cmd.h
> +++ b/drivers/tee/optee/optee_rpc_cmd.h
> @@ -16,6 +16,14 @@
> * and sends responses.
> */
>
> +/*
> + * Replay Protected Memory Block access
> + *
> + * [in] memref[0] Frames to device
> + * [out] memref[1] Frames from device
> + */
> +#define OPTEE_RPC_CMD_RPMB 1
> +
> /*
> * Get time
> *
> @@ -103,4 +111,31 @@
> /* I2C master control flags */
> #define OPTEE_RPC_I2C_FLAGS_TEN_BIT BIT(0)
>
> +/*
> + * Reset RPMB probing
> + *
> + * Releases an eventually already used RPMB devices and starts over searching
> + * for RPMB devices. Returns the kind of shared memory to use in subsequent
> + * OPTEE_RPC_CMD_RPMB_PROBE_NEXT and OPTEE_RPC_CMD_RPMB calls.
> + *
> + * [out] value[0].a OPTEE_RPC_SHM_TYPE_*, the parameter for
> + * OPTEE_RPC_CMD_SHM_ALLOC
> + */
> +#define OPTEE_RPC_CMD_RPMB_PROBE_RESET 22
> +
> +/*
> + * Probe next RPMB device
> + *
> + * [out] value[0].a Type of RPMB device, OPTEE_RPC_RPMB_*
> + * [out] value[0].b EXT CSD-slice 168 "RPMB Size"
> + * [out] value[0].c EXT CSD-slice 222 "Reliable Write Sector Count"
> + * [out] memref[1] Buffer with the raw CID
> + */
> +#define OPTEE_RPC_CMD_RPMB_PROBE_NEXT 23
> +
> +/* Type of RPMB device */
> +#define OPTEE_RPC_RPMB_EMMC 0
> +#define OPTEE_RPC_RPMB_UFS 1
> +#define OPTEE_RPC_RPMB_NVME 2
> +
> #endif /*__OPTEE_RPC_CMD_H*/
> diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c
> index e69bc6380683..97f69a108f61 100644
> --- a/drivers/tee/optee/rpc.c
> +++ b/drivers/tee/optee/rpc.c
> @@ -7,6 +7,7 @@
>
> #include <linux/delay.h>
> #include <linux/i2c.h>
> +#include <linux/rpmb.h>
> #include <linux/slab.h>
> #include <linux/tee_drv.h>
> #include "optee_private.h"
> @@ -255,6 +256,229 @@ void optee_rpc_cmd_free_suppl(struct tee_context *ctx, struct tee_shm *shm)
> optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_FREE, 1, ¶m);
> }
>
> +static void handle_rpc_func_rpmb_probe_reset(struct tee_context *ctx,
> + struct optee *optee,
> + struct optee_msg_arg *arg)
> +{
> + struct tee_param params[1];
> +
> + if (!IS_ENABLED(CONFIG_RPMB)) {
> + handle_rpc_supp_cmd(ctx, optee, arg);
> + return;
> + }
> +
> + if (arg->num_params != ARRAY_SIZE(params) ||
> + optee->ops->from_msg_param(optee, params, arg->num_params,
> + arg->params) ||
> + params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT) {
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> + return;
> + }
> +
> + params[0].u.value.a = OPTEE_RPC_SHM_TYPE_KERNEL;
> + params[0].u.value.b = 0;
> + params[0].u.value.c = 0;
> + if (optee->ops->to_msg_param(optee, arg->params,
> + arg->num_params, params)) {
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> + return;
> + }
> +
> + mutex_lock(&optee->rpmb_dev_mutex);
> + rpmb_dev_put(optee->rpmb_dev);
> + optee->rpmb_dev = NULL;
> + mutex_unlock(&optee->rpmb_dev_mutex);
> +
> + arg->ret = TEEC_SUCCESS;
> +}
> +
> +static int rpmb_type_to_rpc_type(enum rpmb_type rtype)
> +{
> + switch (rtype) {
> + case RPMB_TYPE_EMMC:
> + return OPTEE_RPC_RPMB_EMMC;
> + case RPMB_TYPE_UFS:
> + return OPTEE_RPC_RPMB_UFS;
> + case RPMB_TYPE_NVME:
> + return OPTEE_RPC_RPMB_NVME;
> + default:
> + return -1;
> + }
> +}
> +
> +static int rpc_rpmb_match(struct rpmb_dev *rdev, const void *data)
> +{
> + return rpmb_type_to_rpc_type(rdev->ops->type) >= 0;
> +}
> +
> +static void handle_rpc_func_rpmb_probe_next(struct tee_context *ctx,
> + struct optee *optee,
> + struct optee_msg_arg *arg)
> +{
> + struct rpmb_dev *rdev;
> + struct tee_param params[2];
> + void *buf;
> +
> + if (!IS_ENABLED(CONFIG_RPMB)) {
What if the RPMB driver is built as a module? IS_REACHABLE() instead?
-Sumit
> + handle_rpc_supp_cmd(ctx, optee, arg);
> + return;
> + }
> +
> + if (arg->num_params != ARRAY_SIZE(params) ||
> + optee->ops->from_msg_param(optee, params, arg->num_params,
> + arg->params) ||
> + params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT ||
> + params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> + return;
> + }
> + buf = tee_shm_get_va(params[1].u.memref.shm,
> + params[1].u.memref.shm_offs);
> + if (!buf) {
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> + return;
> + }
> +
> + mutex_lock(&optee->rpmb_dev_mutex);
> + rdev = rpmb_dev_find_device(NULL, optee->rpmb_dev, rpc_rpmb_match);
> + rpmb_dev_put(optee->rpmb_dev);
> + optee->rpmb_dev = rdev;
> + mutex_unlock(&optee->rpmb_dev_mutex);
> +
> + if (!rdev) {
> + arg->ret = TEEC_ERROR_ITEM_NOT_FOUND;
> + return;
> + }
> +
> + if (params[1].u.memref.size < rdev->dev_id_len) {
> + arg->ret = TEEC_ERROR_SHORT_BUFFER;
> + return;
> + }
> + memcpy(buf, rdev->dev_id, rdev->dev_id_len);
> + params[1].u.memref.size = rdev->dev_id_len;
> + params[0].u.value.a = rpmb_type_to_rpc_type(rdev->ops->type);
> + params[0].u.value.b = rdev->capacity;
> + params[0].u.value.c = rdev->reliable_wr_count;
> + if (optee->ops->to_msg_param(optee, arg->params,
> + arg->num_params, params)) {
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> + return;
> + }
> +
> + arg->ret = TEEC_SUCCESS;
> +}
> +
> +/* Request */
> +struct rpmb_req {
> + u16 cmd;
> +#define RPMB_CMD_DATA_REQ 0x00
> +#define RPMB_CMD_GET_DEV_INFO 0x01
> + u16 dev_id;
> + u16 block_count;
> + /* Optional data frames (rpmb_data_frame) follow */
> +};
> +
> +#define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
> +
> +#define RPMB_CID_SZ 16
> +
> +/* Response to device info request */
> +struct rpmb_dev_info {
> + u8 cid[RPMB_CID_SZ];
> + u8 rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */
> + u8 rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */
> + /* Count */
> + u8 ret_code;
> +#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00
> +#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01
> +};
> +
> +static int get_dev_info(struct rpmb_dev *rdev, void *rsp, size_t rsp_size)
> +{
> + struct rpmb_dev_info *dev_info;
> +
> + if (rsp_size != sizeof(*dev_info))
> + return TEEC_ERROR_BAD_PARAMETERS;
> +
> + dev_info = rsp;
> + memcpy(dev_info->cid, rdev->dev_id, sizeof(dev_info->cid));
> + dev_info->rpmb_size_mult = rdev->capacity;
> + dev_info->rel_wr_sec_c = rdev->reliable_wr_count;
> + dev_info->ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK;
> +
> + return TEEC_SUCCESS;
> +}
> +
> +/*
> + * req is one struct rpmb_req followed by one or more struct rpmb_data_frame
> + * rsp is either one struct rpmb_dev_info or one or more struct rpmb_data_frame
> + */
> +static u32 rpmb_process_request(struct optee *optee, struct rpmb_dev *rdev,
> + void *req, size_t req_size,
> + void *rsp, size_t rsp_size)
> +{
> + struct rpmb_req *sreq = req;
> + int rc;
> +
> + if (req_size < sizeof(*sreq))
> + return TEEC_ERROR_BAD_PARAMETERS;
> +
> + switch (sreq->cmd) {
> + case RPMB_CMD_DATA_REQ:
> + rc = rpmb_route_frames(rdev, RPMB_REQ_DATA(req),
> + req_size - sizeof(struct rpmb_req),
> + rsp, rsp_size);
> + if (rc)
> + return TEEC_ERROR_BAD_PARAMETERS;
> + return TEEC_SUCCESS;
> + case RPMB_CMD_GET_DEV_INFO:
> + return get_dev_info(rdev, rsp, rsp_size);
> + default:
> + return TEEC_ERROR_BAD_PARAMETERS;
> + }
> +}
> +
> +static void handle_rpc_func_rpmb(struct tee_context *ctx, struct optee *optee,
> + struct optee_msg_arg *arg)
> +{
> + struct tee_param params[2];
> + struct rpmb_dev *rdev;
> + void *p0, *p1;
> +
> + mutex_lock(&optee->rpmb_dev_mutex);
> + rdev = rpmb_dev_get(optee->rpmb_dev);
> + mutex_unlock(&optee->rpmb_dev_mutex);
> + if (!rdev) {
> + handle_rpc_supp_cmd(ctx, optee, arg);
> + return;
> + }
> +
> + if (arg->num_params != ARRAY_SIZE(params) ||
> + optee->ops->from_msg_param(optee, params, arg->num_params,
> + arg->params) ||
> + params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT ||
> + params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> + goto out;
> + }
> +
> + p0 = tee_shm_get_va(params[0].u.memref.shm,
> + params[0].u.memref.shm_offs);
> + p1 = tee_shm_get_va(params[1].u.memref.shm,
> + params[1].u.memref.shm_offs);
> + arg->ret = rpmb_process_request(optee, rdev, p0,
> + params[0].u.memref.size,
> + p1, params[1].u.memref.size);
> + if (arg->ret)
> + goto out;
> +
> + if (optee->ops->to_msg_param(optee, arg->params,
> + arg->num_params, params))
> + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> +out:
> + rpmb_dev_put(rdev);
> +}
> +
> void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
> struct optee_msg_arg *arg)
> {
> @@ -271,6 +495,15 @@ void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
> case OPTEE_RPC_CMD_I2C_TRANSFER:
> handle_rpc_func_cmd_i2c_transfer(ctx, arg);
> break;
> + case OPTEE_RPC_CMD_RPMB_PROBE_RESET:
> + handle_rpc_func_rpmb_probe_reset(ctx, optee, arg);
> + break;
> + case OPTEE_RPC_CMD_RPMB_PROBE_NEXT:
> + handle_rpc_func_rpmb_probe_next(ctx, optee, arg);
> + break;
> + case OPTEE_RPC_CMD_RPMB:
> + handle_rpc_func_rpmb(ctx, optee, arg);
> + break;
> default:
> handle_rpc_supp_cmd(ctx, optee, arg);
> }
> diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
> index a37f87087e5c..8da53f41b052 100644
> --- a/drivers/tee/optee/smc_abi.c
> +++ b/drivers/tee/optee/smc_abi.c
> @@ -20,6 +20,7 @@
> #include <linux/of_irq.h>
> #include <linux/of_platform.h>
> #include <linux/platform_device.h>
> +#include <linux/rpmb.h>
> #include <linux/sched.h>
> #include <linux/slab.h>
> #include <linux/string.h>
> @@ -1715,6 +1716,7 @@ static int optee_probe(struct platform_device *pdev)
> optee->smc.memremaped_shm = memremaped_shm;
> optee->pool = pool;
> optee_shm_arg_cache_init(optee, arg_cache_flags);
> + mutex_init(&optee->rpmb_dev_mutex);
>
> platform_set_drvdata(pdev, optee);
> ctx = teedev_open(optee->teedev);
> @@ -1769,6 +1771,8 @@ static int optee_probe(struct platform_device *pdev)
> if (rc)
> goto err_disable_shm_cache;
>
> + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> + rpmb_interface_register(&optee->rpmb_intf);
> pr_info("initialized driver\n");
> return 0;
>
> @@ -1782,6 +1786,8 @@ static int optee_probe(struct platform_device *pdev)
> err_close_ctx:
> teedev_close_context(ctx);
> err_supp_uninit:
> + rpmb_dev_put(optee->rpmb_dev);
> + mutex_destroy(&optee->rpmb_dev_mutex);
> optee_shm_arg_cache_uninit(optee);
> optee_supp_uninit(&optee->supp);
> mutex_destroy(&optee->call_queue.mutex);
> --
> 2.34.1
>
Hi Jens,
thanks for your patch!
On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander
<[email protected]> wrote:
> A number of storage technologies support a specialised hardware
> partition designed to be resistant to replay attacks. The underlying
> HW protocols differ but the operations are common. The RPMB partition
> cannot be accessed via standard block layer, but by a set of specific
> RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a
> partition provides authenticated and replay protected access, hence
> suitable as a secure storage.
>
> The initial aim of this patch is to provide a simple RPMB driver
> interface which can be accessed by the optee driver to facilitate early
> RPMB access to OP-TEE OS (secure OS) during the boot time.
>
> A TEE device driver can claim the RPMB interface, for example, via
> rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> provides a callback to route RPMB frames to the RPMB device accessible
> via rpmb_route_frames().
>
> The detailed operation of implementing the access is left to the TEE
> device driver itself.
>
> Signed-off-by: Tomas Winkler <[email protected]>
> Signed-off-by: Alex Bennée <[email protected]>
> Signed-off-by: Shyam Saini <[email protected]>
> Signed-off-by: Jens Wiklander <[email protected]>
I would mention in the commit that the subsystem is currently
only used with eMMC but is designed to be used also by UFS
and NVME. Nevertheless, no big deal so:
Reviewed-by: Linus Walleij <[email protected]>
> +config RPMB
> + tristate "RPMB partition interface"
> + depends on MMC
depends on MMC || SCSI_UFSHCD || NVME_CORE
?
Or do we want to hold it off until we implement the backends?
Yours,
Linus Walleij
Hi Jens,
I realized there is one thing I wonder about:
On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander
<[email protected]> wrote:
> +struct rpmb_frame {
> + u8 stuff[196];
> + u8 key_mac[32];
> + u8 data[256];
> + u8 nonce[16];
> + __be32 write_counter;
> + __be16 addr;
> + __be16 block_count;
> + __be16 result;
> + __be16 req_resp;
> +} __packed;
I didn't quite get why these things are encoded big-endian?
As on the producer side (the eMMC backend) it seems we are anyway
calling cpu_to_be* to convert them into this format.
If this is a requirement on the consumer side (such as TEE) I think
the consumer should swap the bytes rather than the producer,
but I guess that kind of assumes that we foresee there will be other
consumers in the first place.
Yours,
Linus Walleij
> Hi Jens,
>
> thanks for your patch!
>
> On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander <[email protected]>
> wrote:
>
> > A number of storage technologies support a specialised hardware
> > partition designed to be resistant to replay attacks. The underlying
> > HW protocols differ but the operations are common. The RPMB partition
> > cannot be accessed via standard block layer, but by a set of specific
> > RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and
> PROGRAM_KEY. Such a
> > partition provides authenticated and replay protected access, hence
> > suitable as a secure storage.
> >
> > The initial aim of this patch is to provide a simple RPMB driver
> > interface which can be accessed by the optee driver to facilitate
> > early RPMB access to OP-TEE OS (secure OS) during the boot time.
> >
> > A TEE device driver can claim the RPMB interface, for example, via
> > rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> > provides a callback to route RPMB frames to the RPMB device accessible
> > via rpmb_route_frames().
> >
> > The detailed operation of implementing the access is left to the TEE
> > device driver itself.
> >
> > Signed-off-by: Tomas Winkler <[email protected]>
> > Signed-off-by: Alex Bennée <[email protected]>
> > Signed-off-by: Shyam Saini <[email protected]>
> > Signed-off-by: Jens Wiklander <[email protected]>
>
> I would mention in the commit that the subsystem is currently only used with
> eMMC but is designed to be used also by UFS and NVME. Nevertheless, no
> big deal so:
> Reviewed-by: Linus Walleij <[email protected]>
>
> > +config RPMB
> > + tristate "RPMB partition interface"
> > + depends on MMC
>
> depends on MMC || SCSI_UFSHCD || NVME_CORE ?
>
> Or do we want to hold it off until we implement the backends?
I believe I've sent the implementation for all the backends, need to search the mailing list.
>
> Hi Jens,
>
> I realized there is one thing I wonder about:
>
> On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander <[email protected]>
> wrote:
>
> > +struct rpmb_frame {
> > + u8 stuff[196];
> > + u8 key_mac[32];
> > + u8 data[256];
> > + u8 nonce[16];
> > + __be32 write_counter;
> > + __be16 addr;
> > + __be16 block_count;
> > + __be16 result;
> > + __be16 req_resp;
> > +} __packed;
>
> I didn't quite get why these things are encoded big-endian?
By the spec.
>
> As on the producer side (the eMMC backend) it seems we are anyway calling
> cpu_to_be* to convert them into this format.
>
> If this is a requirement on the consumer side (such as TEE) I think the
> consumer should swap the bytes rather than the producer, but I guess that
> kind of assumes that we foresee there will be other consumers in the first
> place.
>
This is end 2 end.
> Yours,
> Linus Walleij
On Tue, Mar 5, 2024 at 1:54 PM Winkler, Tomas <[email protected]> wrote:
> > On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander <[email protected]>
> > wrote:
> >
> > > +struct rpmb_frame {
> > > + u8 stuff[196];
> > > + u8 key_mac[32];
> > > + u8 data[256];
> > > + u8 nonce[16];
> > > + __be32 write_counter;
> > > + __be16 addr;
> > > + __be16 block_count;
> > > + __be16 result;
> > > + __be16 req_resp;
> > > +} __packed;
> >
> > I didn't quite get why these things are encoded big-endian?
>
> By the spec.
So a kerneldoc comment above the struct with a reference to the spec
it is mirroring should be appropriate?
As it stands now it will be misunderstood by people like me as "just some
other Linux struct".
Yours,
Linus Walleij
On Tue, Mar 5, 2024 at 1:55 PM Winkler, Tomas <[email protected]> wrote:
>
>
> > Hi Jens,
> >
> > thanks for your patch!
> >
> > On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander <[email protected]>
> > wrote:
> >
> > > A number of storage technologies support a specialised hardware
> > > partition designed to be resistant to replay attacks. The underlying
> > > HW protocols differ but the operations are common. The RPMB partition
> > > cannot be accessed via standard block layer, but by a set of specific
> > > RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and
> > PROGRAM_KEY. Such a
> > > partition provides authenticated and replay protected access, hence
> > > suitable as a secure storage.
> > >
> > > The initial aim of this patch is to provide a simple RPMB driver
> > > interface which can be accessed by the optee driver to facilitate
> > > early RPMB access to OP-TEE OS (secure OS) during the boot time.
> > >
> > > A TEE device driver can claim the RPMB interface, for example, via
> > > rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> > > provides a callback to route RPMB frames to the RPMB device accessible
> > > via rpmb_route_frames().
> > >
> > > The detailed operation of implementing the access is left to the TEE
> > > device driver itself.
> > >
> > > Signed-off-by: Tomas Winkler <[email protected]>
> > > Signed-off-by: Alex Bennée <[email protected]>
> > > Signed-off-by: Shyam Saini <[email protected]>
> > > Signed-off-by: Jens Wiklander <[email protected]>
> >
> > I would mention in the commit that the subsystem is currently only used with
> > eMMC but is designed to be used also by UFS and NVME. Nevertheless, no
> > big deal so:
> > Reviewed-by: Linus Walleij <[email protected]>
Thanks, I'll update the commit for the next version.
> >
> > > +config RPMB
> > > + tristate "RPMB partition interface"
> > > + depends on MMC
> >
> > depends on MMC || SCSI_UFSHCD || NVME_CORE ?
> >
> > Or do we want to hold it off until we implement the backends?
>
> I believe I've sent the implementation for all the backends, need to search the mailing list.
I would prefer to only add the MMC backend now. I'm afraid that adding
more backends will risk stalling this patch set, besides I don't have
the code for it either. Eventual older patches will need to be rebased
and possibly redesigned to take the previous comments into account.
Thanks,
Jens
> Hi Jens,
>
> thanks for your patch!
>
> On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander <[email protected]>
> wrote:
>
> > A number of storage technologies support a specialised hardware
> > partition designed to be resistant to replay attacks. The underlying
> > HW protocols differ but the operations are common. The RPMB partition
> > cannot be accessed via standard block layer, but by a set of specific
> > RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY.
> Such a
> > partition provides authenticated and replay protected access, hence
> > suitable as a secure storage.
> >
> > The initial aim of this patch is to provide a simple RPMB driver
> > interface which can be accessed by the optee driver to facilitate
> > early RPMB access to OP-TEE OS (secure OS) during the boot time.
> >
> > A TEE device driver can claim the RPMB interface, for example, via
> > rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> > provides a callback to route RPMB frames to the RPMB device accessible
> > via rpmb_route_frames().
> >
> > The detailed operation of implementing the access is left to the TEE
> > device driver itself.
> >
> > Signed-off-by: Tomas Winkler <[email protected]>
> > Signed-off-by: Alex Bennée <[email protected]>
> > Signed-off-by: Shyam Saini <[email protected]>
> > Signed-off-by: Jens Wiklander <[email protected]>
>
> I would mention in the commit that the subsystem is currently only used with
> eMMC but is designed to be used also by UFS and NVME. Nevertheless, no big
> deal so:
Moreover, as the years went by, the differences between mmc and ufs grew:
In mmc there are 7 rpmb operations, in ufs 9.
In mmc the rpmb frame is 512Bytes, also in legacy ufs (up to including ufs3.1), but in ufs4.0 onward it can be 4k with extended header.
See e.g. https://patchwork.kernel.org/project/linux-scsi/patch/[email protected]/
In mmc the rpmb sequence is atomic, in ufs not.
In ufs rpmb is a wlun in mmc a partition.
Both protocols support in multi-region rpmb, but there are some differences there.
Etc.
Thanks,
Avri
> Reviewed-by: Linus Walleij <[email protected]>
>
> > +config RPMB
> > + tristate "RPMB partition interface"
> > + depends on MMC
>
> depends on MMC || SCSI_UFSHCD || NVME_CORE ?
>
> Or do we want to hold it off until we implement the backends?
>
> Yours,
> Linus Walleij
On Tue, Mar 5, 2024, at 17:33, Avri Altman wrote:
>> On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander <[email protected]> wrote:
>>
>> I would mention in the commit that the subsystem is currently only used with
>> eMMC but is designed to be used also by UFS and NVME. Nevertheless, no big
>> deal so:
> Moreover, as the years went by, the differences between mmc and ufs
> grew:
> In mmc there are 7 rpmb operations, in ufs 9.
> In mmc the rpmb frame is 512Bytes, also in legacy ufs (up to including
> ufs3.1), but in ufs4.0 onward it can be 4k with extended header.
> See e.g.
> https://patchwork.kernel.org/project/linux-scsi/patch/[email protected]/
> In mmc the rpmb sequence is atomic, in ufs not.
> In ufs rpmb is a wlun in mmc a partition.
> Both protocols support in multi-region rpmb, but there are some
> differences there.
How sure are we then that the user-visible ABI is sufficiently
abstract to cover all the hardware implementations? Are any of the
changes you mention going to be noticed by userspace or are they
only visible to the kernel driver?
Arnd
> On Tue, Mar 5, 2024, at 17:33, Avri Altman wrote:
> >> On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander
> <[email protected]> wrote:
> >>
> >> I would mention in the commit that the subsystem is currently only
> >> used with eMMC but is designed to be used also by UFS and NVME.
> >> Nevertheless, no big deal so:
> > Moreover, as the years went by, the differences between mmc and ufs
> > grew:
> > In mmc there are 7 rpmb operations, in ufs 9.
> > In mmc the rpmb frame is 512Bytes, also in legacy ufs (up to including
> > ufs3.1), but in ufs4.0 onward it can be 4k with extended header.
> > See e.g.
> > https://patchwork.kernel.org/project/linux-scsi/patch/20221107131038.2
> > [email protected]/ In mmc the rpmb sequence is atomic, in ufs
> > not.
> > In ufs rpmb is a wlun in mmc a partition.
> > Both protocols support in multi-region rpmb, but there are some
> > differences there.
>
> How sure are we then that the user-visible ABI is sufficiently abstract to cover
> all the hardware implementations? Are any of the changes you mention going to
> be noticed by userspace or are they only visible to the kernel driver?
Both in ufs & mmc rpmb today is accessed via user-space utils:
In mmc via mmc-utils (ioctl) , and in ufs via ufs-utils using its bsg interface.
No ABI changes are needed.
Thanks,
Avri
>
> Arnd
On Tue, 27 Feb 2024 at 16:31, Jens Wiklander <[email protected]> wrote:
>
> A number of storage technologies support a specialised hardware
> partition designed to be resistant to replay attacks. The underlying
> HW protocols differ but the operations are common. The RPMB partition
> cannot be accessed via standard block layer, but by a set of specific
> RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a
> partition provides authenticated and replay protected access, hence
> suitable as a secure storage.
>
> The initial aim of this patch is to provide a simple RPMB driver
> interface which can be accessed by the optee driver to facilitate early
> RPMB access to OP-TEE OS (secure OS) during the boot time.
>
> A TEE device driver can claim the RPMB interface, for example, via
> rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> provides a callback to route RPMB frames to the RPMB device accessible
> via rpmb_route_frames().
>
> The detailed operation of implementing the access is left to the TEE
> device driver itself.
>
> Signed-off-by: Tomas Winkler <[email protected]>
> Signed-off-by: Alex Bennée <[email protected]>
> Signed-off-by: Shyam Saini <[email protected]>
> Signed-off-by: Jens Wiklander <[email protected]>
> ---
> MAINTAINERS | 7 ++
> drivers/misc/Kconfig | 10 ++
> drivers/misc/Makefile | 1 +
> drivers/misc/rpmb-core.c | 258 +++++++++++++++++++++++++++++++++++++++
> include/linux/rpmb.h | 195 +++++++++++++++++++++++++++++
> 5 files changed, 471 insertions(+)
> create mode 100644 drivers/misc/rpmb-core.c
> create mode 100644 include/linux/rpmb.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 8999497011a2..e83152c42499 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -19012,6 +19012,13 @@ T: git git://linuxtv.org/media_tree.git
> F: Documentation/devicetree/bindings/media/allwinner,sun8i-a83t-de2-rotate.yaml
> F: drivers/media/platform/sunxi/sun8i-rotate/
>
> +RPMB SUBSYSTEM
> +M: Jens Wiklander <[email protected]>
> +L: [email protected]
> +S: Supported
> +F: drivers/misc/rpmb-core.c
> +F: include/linux/rpmb.h
> +
> RPMSG TTY DRIVER
> M: Arnaud Pouliquen <[email protected]>
> L: [email protected]
> diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
> index 4fb291f0bf7c..dbff9e8c3a03 100644
> --- a/drivers/misc/Kconfig
> +++ b/drivers/misc/Kconfig
> @@ -104,6 +104,16 @@ config PHANTOM
> If you choose to build module, its name will be phantom. If unsure,
> say N here.
>
> +config RPMB
> + tristate "RPMB partition interface"
> + depends on MMC
> + help
> + Unified RPMB unit interface for RPMB capable devices such as eMMC and
> + UFS. Provides interface for in-kernel security controllers to access
> + RPMB unit.
> +
> + If unsure, select N.
> +
> config TIFM_CORE
> tristate "TI Flash Media interface support"
> depends on PCI
> diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
> index ea6ea5bbbc9c..8af058ad1df4 100644
> --- a/drivers/misc/Makefile
> +++ b/drivers/misc/Makefile
> @@ -15,6 +15,7 @@ obj-$(CONFIG_LKDTM) += lkdtm/
> obj-$(CONFIG_TIFM_CORE) += tifm_core.o
> obj-$(CONFIG_TIFM_7XX1) += tifm_7xx1.o
> obj-$(CONFIG_PHANTOM) += phantom.o
> +obj-$(CONFIG_RPMB) += rpmb-core.o
> obj-$(CONFIG_QCOM_COINCELL) += qcom-coincell.o
> obj-$(CONFIG_QCOM_FASTRPC) += fastrpc.o
> obj-$(CONFIG_SENSORS_BH1770) += bh1770glc.o
> diff --git a/drivers/misc/rpmb-core.c b/drivers/misc/rpmb-core.c
> new file mode 100644
> index 000000000000..e0003b039e9f
> --- /dev/null
> +++ b/drivers/misc/rpmb-core.c
> @@ -0,0 +1,258 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright(c) 2015 - 2019 Intel Corporation. All rights reserved.
> + * Copyright(c) 2021 - 2024 Linaro Ltd.
> + */
> +#include <linux/device.h>
> +#include <linux/init.h>
> +#include <linux/kernel.h>
> +#include <linux/list.h>
> +#include <linux/module.h>
> +#include <linux/mutex.h>
> +#include <linux/rpmb.h>
> +#include <linux/slab.h>
> +
> +static struct list_head rpmb_dev_list;
> +static struct list_head rpmb_intf_list;
> +static DEFINE_MUTEX(rpmb_mutex);
> +
> +/**
> + * rpmb_dev_get() - increase rpmb device ref counter
> + * @rdev: rpmb device
> + */
> +struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev)
> +{
> + if (rdev)
> + get_device(rdev->parent_dev);
> + return rdev;
> +}
> +EXPORT_SYMBOL_GPL(rpmb_dev_get);
As rpmb_dev_find_device() already bumps the reference count by calling
rpmb_dev_get(), why does this need to be exported and called by the
tee driver in patch3, too?
Would it not be sufficient to export only rpmb_dev_put()?
Ahh, I realized now that when calling ->add_rdev() callback, the mutex
is being held without first increasing the reference count. Hmm, I
don't know what makes the best sense here.
> +
> +/**
> + * rpmb_dev_put() - decrease rpmb device ref counter
> + * @rdev: rpmb device
> + */
> +void rpmb_dev_put(struct rpmb_dev *rdev)
> +{
> + if (rdev)
> + put_device(rdev->parent_dev);
> +}
> +EXPORT_SYMBOL_GPL(rpmb_dev_put);
> +
> +/**
> + * rpmb_route_frames() - route rpmb frames to rpmb device
> + * @rdev: rpmb device
> + * @req: rpmb request frames
> + * @req_len: length of rpmb request frames in bytes
> + * @rsp: rpmb response frames
> + * @rsp_len: length of rpmb response frames in bytes
> + *
> + * Returns: < 0 on failure
> + */
> +int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
> + unsigned int req_len, u8 *rsp, unsigned int rsp_len)
> +{
> + struct rpmb_frame *frm = (struct rpmb_frame *)req;
> + u16 req_type;
> + bool write;
> +
> + if (!req || req_len < sizeof(*frm) || !rsp || !rsp_len)
> + return -EINVAL;
> +
> + req_type = be16_to_cpu(frm->req_resp);
> + switch (req_type) {
> + case RPMB_PROGRAM_KEY:
> + if (req_len != sizeof(struct rpmb_frame) ||
> + rsp_len != sizeof(struct rpmb_frame))
> + return -EINVAL;
> + write = true;
> + break;
> + case RPMB_GET_WRITE_COUNTER:
> + if (req_len != sizeof(struct rpmb_frame) ||
> + rsp_len != sizeof(struct rpmb_frame))
> + return -EINVAL;
> + write = false;
> + break;
> + case RPMB_WRITE_DATA:
> + if (req_len % sizeof(struct rpmb_frame) ||
> + rsp_len != sizeof(struct rpmb_frame))
> + return -EINVAL;
> + write = true;
> + break;
> + case RPMB_READ_DATA:
> + if (req_len != sizeof(struct rpmb_frame) ||
> + rsp_len % sizeof(struct rpmb_frame))
> + return -EINVAL;
> + write = false;
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + return rdev->ops->route_frames(rdev->parent_dev, write,
> + req, req_len, rsp, rsp_len);
> +}
> +EXPORT_SYMBOL_GPL(rpmb_route_frames);
> +
> +/**
> + * rpmb_dev_find_device() - return first matching rpmb device
> + * @data: data for the match function
> + * @match: the matching function
There are a couple of missing parameters that should be described here.
Moreover, I think it's important to clarify that it's the caller's
responsibility to call rpmb_dev_put() on the returned rpmb_dev, when
it's ready with it.
> + *
> + * Returns: a matching rpmb device or NULL on failure
> + */
> +struct rpmb_dev *rpmb_dev_find_device(const void *data,
> + const struct rpmb_dev *start,
> + int (*match)(struct rpmb_dev *rdev,
> + const void *data))
> +{
> + struct rpmb_dev *rdev;
> + struct list_head *pos;
> +
> + mutex_lock(&rpmb_mutex);
> + if (start)
> + pos = start->list_node.next;
> + else
> + pos = rpmb_dev_list.next;
> +
> + while (pos != &rpmb_dev_list) {
> + rdev = container_of(pos, struct rpmb_dev, list_node);
> + if (match(rdev, data)) {
> + rpmb_dev_get(rdev);
> + goto out;
> + }
> + pos = pos->next;
> + }
> + rdev = NULL;
> +
> +out:
> + mutex_unlock(&rpmb_mutex);
> +
> + return rdev;
> +}
> +
> +/**
> + * rpmb_dev_unregister() - unregister RPMB partition from the RPMB subsystem
> + * @rdev: the rpmb device to unregister
It would be nice to clarify in the function description for when this
should be called. Especially from the data-lifecycle point of view.
> + *
> + * Returns: < 0 on failure
> + */
> +int rpmb_dev_unregister(struct rpmb_dev *rdev)
> +{
> + if (!rdev)
> + return -EINVAL;
> +
> + mutex_lock(&rpmb_mutex);
> + list_del(&rdev->list_node);
> + mutex_unlock(&rpmb_mutex);
> + kfree(rdev->dev_id);
> + kfree(rdev);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(rpmb_dev_unregister);
> +
> +/**
> + * rpmb_dev_register - register RPMB partition with the RPMB subsystem
> + * @dev: storage device of the rpmb device
> + * @ops: device specific operations
> + *
> + * While registering the RPMB partition extract needed device information
> + * while needed resources are available.
> + *
> + * Returns: a pointer to a 'struct rpmb_dev' or an ERR_PTR on failure
> + */
> +struct rpmb_dev *rpmb_dev_register(struct device *dev,
> + const struct rpmb_ops *ops)
> +{
> + struct rpmb_dev *rdev;
> + struct rpmb_interface *intf;
> + int ret;
> +
> + if (!dev || !ops || !ops->route_frames || !ops->set_dev_info)
> + return ERR_PTR(-EINVAL);
> +
> + rdev = kzalloc(sizeof(*rdev), GFP_KERNEL);
> + if (!rdev)
> + return ERR_PTR(-ENOMEM);
> +
> + mutex_lock(&rpmb_mutex);
> + list_add_tail(&rdev->list_node, &rpmb_dev_list);
> + mutex_unlock(&rpmb_mutex);
It does not look safe to add an rpmb_dev to the rpmb_dev_list, before
it has been completely initialized. The consumer of it may fetch it
and try use it before it's initialized.
> +
> + rdev->ops = ops;
> +
> + rdev->parent_dev = dev;
> +
> + ret = ops->set_dev_info(dev, rdev);
Rather than using a callback to initialize the rpmb_dev, I would
suggest (and prefer) to let the corresponding data be provided as an
in-parameter to rpmb_dev_register() instead.
> + if (ret)
> + goto exit;
> +
> + dev_dbg(rdev->parent_dev, "registered device\n");
> +
> + mutex_lock(&rpmb_mutex);
> + list_for_each_entry(intf, &rpmb_intf_list, list_node)
> + if (intf->add_rdev)
> + intf->add_rdev(intf, rdev);
Rather than implementing our own specific notification mechanism, we
could make use of a "blocking_notifier" (include/linux/notifier.h)
instead.
Moreover, it looks like we are lacking a way to inform the consumer
driver that an rpmb_dev is being removed. Or maybe that isn't needed,
as the reference counting manages that for us?
> + mutex_unlock(&rpmb_mutex);
> +
> + return rdev;
> +
> +exit:
> + mutex_lock(&rpmb_mutex);
> + list_del(&rdev->list_node);
> + mutex_unlock(&rpmb_mutex);
> + kfree(rdev);
> + return ERR_PTR(ret);
> +}
> +EXPORT_SYMBOL_GPL(rpmb_dev_register);
> +
> +/**
> + * rpmb_interface_register() - register for new device notifications
> + *
> + * @intf : pointer to interface struct with a notification callback
> + */
> +void rpmb_interface_register(struct rpmb_interface *intf)
> +{
> + struct rpmb_dev *rdev;
> +
> + mutex_lock(&rpmb_mutex);
> + list_add_tail(&intf->list_node, &rpmb_intf_list);
> + if (intf->add_rdev)
Is there any reason to allow the ->add_rdev() callback to be optional?
> + list_for_each_entry(rdev, &rpmb_dev_list, list_node)
> + intf->add_rdev(intf, rdev);
What if ->add_rdev() are happy to use one of the rpmb_dev, then we
will still continue to iterate over the list. Should we use a return
code to indicate if we should continue or not?
> + mutex_unlock(&rpmb_mutex);
> +}
> +EXPORT_SYMBOL_GPL(rpmb_interface_register);
> +
> +/**
> + * rpmb_interface_unregister() - unregister from new device notifications
> + *
> + * @intf : pointer to previously registered interface struct
> + */
> +void rpmb_interface_unregister(struct rpmb_interface *intf)
> +{
> + mutex_lock(&rpmb_mutex);
> + list_del(&intf->list_node);
> + mutex_unlock(&rpmb_mutex);
> +}
> +EXPORT_SYMBOL_GPL(rpmb_interface_unregister);
> +
> +static int __init rpmb_init(void)
> +{
> + INIT_LIST_HEAD(&rpmb_dev_list);
> + INIT_LIST_HEAD(&rpmb_intf_list);
> + return 0;
> +}
> +
> +static void __exit rpmb_exit(void)
> +{
> + mutex_destroy(&rpmb_mutex);
> +}
> +
> +subsys_initcall(rpmb_init);
> +module_exit(rpmb_exit);
> +
> +MODULE_AUTHOR("Jens Wiklander <[email protected]>");
> +MODULE_DESCRIPTION("RPMB class");
> +MODULE_LICENSE("GPL");
> diff --git a/include/linux/rpmb.h b/include/linux/rpmb.h
> new file mode 100644
> index 000000000000..c4b13dad10c4
> --- /dev/null
> +++ b/include/linux/rpmb.h
> @@ -0,0 +1,195 @@
> +/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0 */
> +/*
> + * Copyright (C) 2015-2019 Intel Corp. All rights reserved
> + * Copyright (C) 2021-2022 Linaro Ltd
> + */
> +#ifndef __RPMB_H__
> +#define __RPMB_H__
> +
> +#include <linux/types.h>
> +#include <linux/device.h>
> +
> +/**
> + * struct rpmb_frame - rpmb frame as defined by specs
> + *
> + * @stuff : stuff bytes
> + * @key_mac : The authentication key or the message authentication
> + * code (MAC) depending on the request/response type.
> + * The MAC will be delivered in the last (or the only)
> + * block of data.
> + * @data : Data to be written or read by signed access.
> + * @nonce : Random number generated by the host for the requests
> + * and copied to the response by the RPMB engine.
> + * @write_counter: Counter value for the total amount of the successful
> + * authenticated data write requests made by the host.
> + * @addr : Address of the data to be programmed to or read
> + * from the RPMB. Address is the serial number of
> + * the accessed block (half sector 256B).
> + * @block_count : Number of blocks (half sectors, 256B) requested to be
> + * read/programmed.
> + * @result : Includes information about the status of the write counter
> + * (valid, expired) and result of the access made to the RPMB.
> + * @req_resp : Defines the type of request and response to/from the memory.
> + */
> +struct rpmb_frame {
> + u8 stuff[196];
> + u8 key_mac[32];
> + u8 data[256];
> + u8 nonce[16];
> + __be32 write_counter;
> + __be16 addr;
> + __be16 block_count;
> + __be16 result;
> + __be16 req_resp;
> +} __packed;
I haven't looked at the NVME or the UFS spec in detail. Although, I
assume the above frame makes sense for those types of
interfaces/protocols too?
> +
> +#define RPMB_PROGRAM_KEY 0x1 /* Program RPMB Authentication Key */
> +#define RPMB_GET_WRITE_COUNTER 0x2 /* Read RPMB write counter */
> +#define RPMB_WRITE_DATA 0x3 /* Write data to RPMB partition */
> +#define RPMB_READ_DATA 0x4 /* Read data from RPMB partition */
> +#define RPMB_RESULT_READ 0x5 /* Read result request (Internal) */
> +
> +#define RPMB_REQ2RESP(_OP) ((_OP) << 8)
> +#define RPMB_RESP2REQ(_OP) ((_OP) >> 8)
> +
> +/**
> + * enum rpmb_op_result - rpmb operation results
> + *
> + * @RPMB_ERR_OK : operation successful
> + * @RPMB_ERR_GENERAL : general failure
> + * @RPMB_ERR_AUTH : mac doesn't match or ac calculation failure
> + * @RPMB_ERR_COUNTER : counter doesn't match or counter increment failure
> + * @RPMB_ERR_ADDRESS : address out of range or wrong address alignment
> + * @RPMB_ERR_WRITE : data, counter, or result write failure
> + * @RPMB_ERR_READ : data, counter, or result read failure
> + * @RPMB_ERR_NO_KEY : authentication key not yet programmed
> + *
> + * @RPMB_ERR_COUNTER_EXPIRED: counter expired
> + */
> +enum rpmb_op_result {
> + RPMB_ERR_OK = 0x0000,
> + RPMB_ERR_GENERAL = 0x0001,
> + RPMB_ERR_AUTH = 0x0002,
> + RPMB_ERR_COUNTER = 0x0003,
> + RPMB_ERR_ADDRESS = 0x0004,
> + RPMB_ERR_WRITE = 0x0005,
> + RPMB_ERR_READ = 0x0006,
> + RPMB_ERR_NO_KEY = 0x0007,
> +
> + RPMB_ERR_COUNTER_EXPIRED = 0x0080
> +};
> +
> +/**
> + * enum rpmb_type - type of underlying storage technology
> + *
> + * @RPMB_TYPE_EMMC : emmc (JESD84-B50.1)
> + * @RPMB_TYPE_UFS : UFS (JESD220)
> + * @RPMB_TYPE_NVME : NVM Express
> + */
> +enum rpmb_type {
> + RPMB_TYPE_EMMC,
> + RPMB_TYPE_UFS,
> + RPMB_TYPE_NVME,
> +};
> +
> +/**
> + * struct rpmb_dev - device which can support RPMB partition
> + *
> + * @parent_dev : parent device
> + * @list_node : linked list node
> + * @ops : operation exported by rpmb
> + * @dev_id : unique device identifier read from the hardware
This part puzzled me a bit, when I realized that they are used as an
input to derive the authentication-data.
For eMMC (as shown in patch2), we have chosen to use the CID register
data, which makes perfect sense to me. However, I think it's important
to clarify what this field is being used for, here in the description
too.
> + * @dev_id_len : length of unique device identifier
> + * @reliable_wr_count: number of sectors that can be written in one access
> + * @capacity : capacity of the device in units of 128K
> + */
> +struct rpmb_dev {
> + struct device *parent_dev;
> + struct list_head list_node;
> + const struct rpmb_ops *ops;
> + u8 *dev_id;
> + size_t dev_id_len;
> + u16 reliable_wr_count;
> + u16 capacity;
> +};
> +
> +/**
> + * struct rpmb_ops - RPMB ops to be implemented by underlying block device
> + *
> + * @type : block device type
> + * @route_frames : routes frames to and from the RPMB device
> + * @set_dev_info : extracts device info from the RPMB device
> + */
> +struct rpmb_ops {
> + enum rpmb_type type;
I would keep this in the rpmb_dev instead, as it's not really a callback (ops).
> + int (*set_dev_info)(struct device *dev, struct rpmb_dev *rdev);
As I suggested earlier, we should be able to drop the above callback.
That said, it looks like we end up with only one callback left, so
maybe just put that in the struct rpmb_dev instead?
> + int (*route_frames)(struct device *dev, bool write,
> + u8 *req, unsigned int req_len,
> + u8 *resp, unsigned int resp_len);
> +};
> +
> +/**
> + * struct rpmb_interface - subscribe to new RPMB devices
> + *
> + * @list_node : linked list node
> + * @add_rdev : notifies that a new RPMB device has been found
> + */
> +struct rpmb_interface {
> + struct list_head list_node;
> + void (*add_rdev)(struct rpmb_interface *intf, struct rpmb_dev *rdev);
> +};
> +
> +#if IS_ENABLED(CONFIG_RPMB)
> +struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev);
> +void rpmb_dev_put(struct rpmb_dev *rdev);
> +struct rpmb_dev *rpmb_dev_find_device(const void *data,
> + const struct rpmb_dev *start,
> + int (*match)(struct rpmb_dev *rdev,
> + const void *data));
> +struct rpmb_dev *rpmb_dev_register(struct device *dev,
> + const struct rpmb_ops *ops);
> +int rpmb_dev_unregister(struct rpmb_dev *rdev);
> +
> +int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
> + unsigned int req_len, u8 *resp, unsigned int resp_len);
> +
> +void rpmb_interface_register(struct rpmb_interface *intf);
> +void rpmb_interface_unregister(struct rpmb_interface *intf);
> +#else
> +static inline struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev)
> +{
> + return NULL;
> +}
> +
> +static inline void rpmb_dev_put(struct rpmb_dev *rdev) { }
> +
> +static inline struct rpmb_dev *
> +rpmb_dev_find_device(const void *data, const struct rpmb_dev *start,
> + int (*match)(struct rpmb_dev *rdev, const void *data))
> +{
> + return NULL;
> +}
> +
> +static inline struct rpmb_dev *
> +rpmb_dev_register(struct device *dev, const struct rpmb_ops *ops)
> +{
> + return NULL;
> +}
> +
> +static inline int rpmb_dev_unregister(struct rpmb_dev *dev)
> +{
> + return 0;
> +}
> +
> +static inline int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
> + unsigned int req_len, u8 *resp,
> + unsigned int resp_len)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +static inline void rpmb_interface_register(struct rpmb_interface *intf) { }
> +static inline void rpmb_interface_unregister(struct rpmb_interface *intf) { }
> +#endif /* CONFIG_RPMB */
> +
> +#endif /* __RPMB_H__ */
> --
> 2.34.1
>
Kind regards
Uffe
> > +struct rpmb_frame {
> > + u8 stuff[196];
> > + u8 key_mac[32];
> > + u8 data[256];
> > + u8 nonce[16];
> > + __be32 write_counter;
> > + __be16 addr;
> > + __be16 block_count;
> > + __be16 result;
> > + __be16 req_resp;
> > +} __packed;
>
> I haven't looked at the NVME or the UFS spec in detail. Although, I assume the
> above frame makes sense for those types of interfaces/protocols too?
The rpmb implementation in ufs, has drifted apart from eMMC. E.g. in UFS4.0:
- the frame is different - see struct ufs_arpmb_meta in include/uapi/scsi/scsi_bsg_ufs.h,
- Additional extended header was added,
- the frame size is no longer 512Bytes (256Bytes meta info + 256Bytes data) but 4k,
- there are 9 rpmb operations instead of 7,
- The atomicity requirement of the command sequence was waved,
And probably more differences that I forgot.
This is why it is better to designated this as an eMMC-only implementation?
Thanks,
Avri
> > > +struct rpmb_frame {
> > > + u8 stuff[196];
> > > + u8 key_mac[32];
> > > + u8 data[256];
> > > + u8 nonce[16];
> > > + __be32 write_counter;
> > > + __be16 addr;
> > > + __be16 block_count;
> > > + __be16 result;
> > > + __be16 req_resp;
> > > +} __packed;
> >
> > I haven't looked at the NVME or the UFS spec in detail. Although, I
> > assume the above frame makes sense for those types of
> interfaces/protocols too?
> The rpmb implementation in ufs, has drifted apart from eMMC. E.g. in
> UFS4.0:
> - the frame is different - see struct ufs_arpmb_meta in
> include/uapi/scsi/scsi_bsg_ufs.h,
> - Additional extended header was added,
> - the frame size is no longer 512Bytes (256Bytes meta info + 256Bytes data)
> but 4k,
> - there are 9 rpmb operations instead of 7,
> - The atomicity requirement of the command sequence was waved, And
> probably more differences that I forgot.
> This is why it is better to designated this as an eMMC-only implementation?
As I wrote previously the original implementation has already resolved protocol differences
(NVMe have also different byte ordering) for closed usecase of storing data (not the configuration)
I believe the whole point here is to let TEE driver to store the data, regardless of the technology.
In addition I might be wrong but I don't see much value in eMMC as the UFS and NVMe are currently leading technologies.
Thanks
Tomas
On Mon, 25 Mar 2024 at 09:23, Winkler, Tomas <[email protected]> wrote:
>
>
> > > > +struct rpmb_frame {
> > > > + u8 stuff[196];
> > > > + u8 key_mac[32];
> > > > + u8 data[256];
> > > > + u8 nonce[16];
> > > > + __be32 write_counter;
> > > > + __be16 addr;
> > > > + __be16 block_count;
> > > > + __be16 result;
> > > > + __be16 req_resp;
> > > > +} __packed;
> > >
> > > I haven't looked at the NVME or the UFS spec in detail. Although, I
> > > assume the above frame makes sense for those types of
> > interfaces/protocols too?
> > The rpmb implementation in ufs, has drifted apart from eMMC. E.g. in
> > UFS4.0:
> > - the frame is different - see struct ufs_arpmb_meta in
> > include/uapi/scsi/scsi_bsg_ufs.h,
> > - Additional extended header was added,
> > - the frame size is no longer 512Bytes (256Bytes meta info + 256Bytes data)
> > but 4k,
> > - there are 9 rpmb operations instead of 7,
> > - The atomicity requirement of the command sequence was waved, And
> > probably more differences that I forgot.
> > This is why it is better to designated this as an eMMC-only implementation?
>
> As I wrote previously the original implementation has already resolved protocol differences
> (NVMe have also different byte ordering) for closed usecase of storing data (not the configuration)
> I believe the whole point here is to let TEE driver to store the data, regardless of the technology.
Yes, I also agree. It makes sense to have a generic way to manage RPMB
partitions, even if there are some specific parts that must be managed
differently based on the underlying technology.
That said, I tend to think that we actually want the UFS and NVMe
implementation being included in the $subject series too. To get the
complete picture. Otherwise, we may just end up having to redesign a
lot of things, if we just start with eMMC.
> In addition I might be wrong but I don't see much value in eMMC as the UFS and NVMe are currently leading technologies.
Even if UFS and NVMe have been taking over some of the earlier eMMC
product segments, I think it's too soon to declare eMMC dead. :-)
Moreover, we also have older platforms that we want to get supported
upstream and allowing them to move away from downstream-hacks, is also
a very good reason to add eMMC support.
> Thanks
> Tomas
>
Kind regards
Uffe
On Mon, Mar 25, 2024 at 9:23 AM Winkler, Tomas <tomas.winkler@intelcom> wrote:
>
>
> > > > +struct rpmb_frame {
> > > > + u8 stuff[196];
> > > > + u8 key_mac[32];
> > > > + u8 data[256];
> > > > + u8 nonce[16];
> > > > + __be32 write_counter;
> > > > + __be16 addr;
> > > > + __be16 block_count;
> > > > + __be16 result;
> > > > + __be16 req_resp;
> > > > +} __packed;
> > >
> > > I haven't looked at the NVME or the UFS spec in detail. Although, I
> > > assume the above frame makes sense for those types of
> > interfaces/protocols too?
> > The rpmb implementation in ufs, has drifted apart from eMMC. E.g. in
> > UFS4.0:
> > - the frame is different - see struct ufs_arpmb_meta in
> > include/uapi/scsi/scsi_bsg_ufs.h,
> > - Additional extended header was added,
> > - the frame size is no longer 512Bytes (256Bytes meta info + 256Bytes data)
> > but 4k,
> > - there are 9 rpmb operations instead of 7,
> > - The atomicity requirement of the command sequence was waved, And
> > probably more differences that I forgot.
> > This is why it is better to designated this as an eMMC-only implementation?
Thanks for the update.
To move forward here we can either
1. as you suggest make this an eMMC-only implementation,
or
2. we could remove struct rpmb_frame from include/linux/rpmb.h to make
the shuffled data more opaque.
Is it possible to find and route RPMB data to NVME and UFS devices
without a common meeting point like the RPMB subsystem proposed here?
If the answer is yes option 1 makes more sense since we'll add a
missing capability to eMMC. If the answer is no option 2 makes sense
for NVME and UFS even if we save the implementation for later.
>
> As I wrote previously the original implementation has already resolved protocol differences
> (NVMe have also different byte ordering) for closed usecase of storing data (not the configuration)
> I believe the whole point here is to let TEE driver to store the data, regardless of the technology.
Agreed.
> In addition I might be wrong but I don't see much value in eMMC as the UFS and NVMe are currently leading technologies.
This patchset addresses a problem on present platforms so it's not irrelevant.
Thanks,
Jens
On Fri, Mar 22, 2024 at 5:26 PM Ulf Hansson <[email protected]> wrote:
>
> On Tue, 27 Feb 2024 at 16:31, Jens Wiklander <[email protected]> wrote:
> >
> > A number of storage technologies support a specialised hardware
> > partition designed to be resistant to replay attacks. The underlying
> > HW protocols differ but the operations are common. The RPMB partition
> > cannot be accessed via standard block layer, but by a set of specific
> > RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a
> > partition provides authenticated and replay protected access, hence
> > suitable as a secure storage.
> >
> > The initial aim of this patch is to provide a simple RPMB driver
> > interface which can be accessed by the optee driver to facilitate early
> > RPMB access to OP-TEE OS (secure OS) during the boot time.
> >
> > A TEE device driver can claim the RPMB interface, for example, via
> > rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> > provides a callback to route RPMB frames to the RPMB device accessible
> > via rpmb_route_frames().
> >
> > The detailed operation of implementing the access is left to the TEE
> > device driver itself.
> >
> > Signed-off-by: Tomas Winkler <[email protected]>
> > Signed-off-by: Alex Bennée <[email protected]>
> > Signed-off-by: Shyam Saini <[email protected]>
> > Signed-off-by: Jens Wiklander <[email protected]>
> > ---
> > MAINTAINERS | 7 ++
> > drivers/misc/Kconfig | 10 ++
> > drivers/misc/Makefile | 1 +
> > drivers/misc/rpmb-core.c | 258 +++++++++++++++++++++++++++++++++++++++
> > include/linux/rpmb.h | 195 +++++++++++++++++++++++++++++
> > 5 files changed, 471 insertions(+)
> > create mode 100644 drivers/misc/rpmb-core.c
> > create mode 100644 include/linux/rpmb.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 8999497011a2..e83152c42499 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -19012,6 +19012,13 @@ T: git git://linuxtv.org/media_tree.git
> > F: Documentation/devicetree/bindings/media/allwinner,sun8i-a83t-de2-rotate.yaml
> > F: drivers/media/platform/sunxi/sun8i-rotate/
> >
> > +RPMB SUBSYSTEM
> > +M: Jens Wiklander <[email protected]>
> > +L: [email protected]
> > +S: Supported
> > +F: drivers/misc/rpmb-core.c
> > +F: include/linux/rpmb.h
> > +
> > RPMSG TTY DRIVER
> > M: Arnaud Pouliquen <[email protected]>
> > L: [email protected]
> > diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
> > index 4fb291f0bf7c..dbff9e8c3a03 100644
> > --- a/drivers/misc/Kconfig
> > +++ b/drivers/misc/Kconfig
> > @@ -104,6 +104,16 @@ config PHANTOM
> > If you choose to build module, its name will be phantom. If unsure,
> > say N here.
> >
> > +config RPMB
> > + tristate "RPMB partition interface"
> > + depends on MMC
> > + help
> > + Unified RPMB unit interface for RPMB capable devices such as eMMC and
> > + UFS. Provides interface for in-kernel security controllers to access
> > + RPMB unit.
> > +
> > + If unsure, select N.
> > +
> > config TIFM_CORE
> > tristate "TI Flash Media interface support"
> > depends on PCI
> > diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
> > index ea6ea5bbbc9c..8af058ad1df4 100644
> > --- a/drivers/misc/Makefile
> > +++ b/drivers/misc/Makefile
> > @@ -15,6 +15,7 @@ obj-$(CONFIG_LKDTM) += lkdtm/
> > obj-$(CONFIG_TIFM_CORE) += tifm_core.o
> > obj-$(CONFIG_TIFM_7XX1) += tifm_7xx1.o
> > obj-$(CONFIG_PHANTOM) += phantom.o
> > +obj-$(CONFIG_RPMB) += rpmb-core.o
> > obj-$(CONFIG_QCOM_COINCELL) += qcom-coincell.o
> > obj-$(CONFIG_QCOM_FASTRPC) += fastrpc.o
> > obj-$(CONFIG_SENSORS_BH1770) += bh1770glc.o
> > diff --git a/drivers/misc/rpmb-core.c b/drivers/misc/rpmb-core.c
> > new file mode 100644
> > index 000000000000..e0003b039e9f
> > --- /dev/null
> > +++ b/drivers/misc/rpmb-core.c
> > @@ -0,0 +1,258 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Copyright(c) 2015 - 2019 Intel Corporation. All rights reserved.
> > + * Copyright(c) 2021 - 2024 Linaro Ltd.
> > + */
> > +#include <linux/device.h>
> > +#include <linux/init.h>
> > +#include <linux/kernel.h>
> > +#include <linux/list.h>
> > +#include <linux/module.h>
> > +#include <linux/mutex.h>
> > +#include <linux/rpmb.h>
> > +#include <linux/slab.h>
> > +
> > +static struct list_head rpmb_dev_list;
> > +static struct list_head rpmb_intf_list;
> > +static DEFINE_MUTEX(rpmb_mutex);
> > +
> > +/**
> > + * rpmb_dev_get() - increase rpmb device ref counter
> > + * @rdev: rpmb device
> > + */
> > +struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev)
> > +{
> > + if (rdev)
> > + get_device(rdev->parent_dev);
> > + return rdev;
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_dev_get);
>
> As rpmb_dev_find_device() already bumps the reference count by calling
> rpmb_dev_get(), why does this need to be exported and called by the
> tee driver in patch3, too?
>
> Would it not be sufficient to export only rpmb_dev_put()?
>
> Ahh, I realized now that when calling ->add_rdev() callback, the mutex
> is being held without first increasing the reference count. Hmm, I
> don't know what makes the best sense here.
rpmb_dev_get() is needed in another place in the OP-TEE driver too,
I'll get to that below.
>
> > +
> > +/**
> > + * rpmb_dev_put() - decrease rpmb device ref counter
> > + * @rdev: rpmb device
> > + */
> > +void rpmb_dev_put(struct rpmb_dev *rdev)
> > +{
> > + if (rdev)
> > + put_device(rdev->parent_dev);
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_dev_put);
> > +
> > +/**
> > + * rpmb_route_frames() - route rpmb frames to rpmb device
> > + * @rdev: rpmb device
> > + * @req: rpmb request frames
> > + * @req_len: length of rpmb request frames in bytes
> > + * @rsp: rpmb response frames
> > + * @rsp_len: length of rpmb response frames in bytes
> > + *
> > + * Returns: < 0 on failure
> > + */
> > +int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
> > + unsigned int req_len, u8 *rsp, unsigned int rsp_len)
> > +{
> > + struct rpmb_frame *frm = (struct rpmb_frame *)req;
> > + u16 req_type;
> > + bool write;
> > +
> > + if (!req || req_len < sizeof(*frm) || !rsp || !rsp_len)
> > + return -EINVAL;
> > +
> > + req_type = be16_to_cpu(frm->req_resp);
> > + switch (req_type) {
> > + case RPMB_PROGRAM_KEY:
> > + if (req_len != sizeof(struct rpmb_frame) ||
> > + rsp_len != sizeof(struct rpmb_frame))
> > + return -EINVAL;
> > + write = true;
> > + break;
> > + case RPMB_GET_WRITE_COUNTER:
> > + if (req_len != sizeof(struct rpmb_frame) ||
> > + rsp_len != sizeof(struct rpmb_frame))
> > + return -EINVAL;
> > + write = false;
> > + break;
> > + case RPMB_WRITE_DATA:
> > + if (req_len % sizeof(struct rpmb_frame) ||
> > + rsp_len != sizeof(struct rpmb_frame))
> > + return -EINVAL;
> > + write = true;
> > + break;
> > + case RPMB_READ_DATA:
> > + if (req_len != sizeof(struct rpmb_frame) ||
> > + rsp_len % sizeof(struct rpmb_frame))
> > + return -EINVAL;
> > + write = false;
> > + break;
> > + default:
> > + return -EINVAL;
> > + }
> > +
> > + return rdev->ops->route_frames(rdev->parent_dev, write,
> > + req, req_len, rsp, rsp_len);
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_route_frames);
> > +
> > +/**
> > + * rpmb_dev_find_device() - return first matching rpmb device
> > + * @data: data for the match function
> > + * @match: the matching function
>
> There are a couple of missing parameters that should be described here.
>
> Moreover, I think it's important to clarify that it's the caller's
> responsibility to call rpmb_dev_put() on the returned rpmb_dev, when
> it's ready with it.
I'll update.
>
> > + *
> > + * Returns: a matching rpmb device or NULL on failure
> > + */
> > +struct rpmb_dev *rpmb_dev_find_device(const void *data,
> > + const struct rpmb_dev *start,
> > + int (*match)(struct rpmb_dev *rdev,
> > + const void *data))
> > +{
> > + struct rpmb_dev *rdev;
> > + struct list_head *pos;
> > +
> > + mutex_lock(&rpmb_mutex);
> > + if (start)
> > + pos = start->list_node.next;
> > + else
> > + pos = rpmb_dev_list.next;
> > +
> > + while (pos != &rpmb_dev_list) {
> > + rdev = container_of(pos, struct rpmb_dev, list_node);
> > + if (match(rdev, data)) {
> > + rpmb_dev_get(rdev);
> > + goto out;
> > + }
> > + pos = pos->next;
> > + }
> > + rdev = NULL;
> > +
> > +out:
> > + mutex_unlock(&rpmb_mutex);
> > +
> > + return rdev;
> > +}
> > +
> > +/**
> > + * rpmb_dev_unregister() - unregister RPMB partition from the RPMB subsystem
> > + * @rdev: the rpmb device to unregister
>
> It would be nice to clarify in the function description for when this
> should be called. Especially from the data-lifecycle point of view.
OK, I'll update.
>
> > + *
> > + * Returns: < 0 on failure
> > + */
> > +int rpmb_dev_unregister(struct rpmb_dev *rdev)
> > +{
> > + if (!rdev)
> > + return -EINVAL;
> > +
> > + mutex_lock(&rpmb_mutex);
> > + list_del(&rdev->list_node);
> > + mutex_unlock(&rpmb_mutex);
> > + kfree(rdev->dev_id);
> > + kfree(rdev);
> > +
> > + return 0;
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_dev_unregister);
> > +
> > +/**
> > + * rpmb_dev_register - register RPMB partition with the RPMB subsystem
> > + * @dev: storage device of the rpmb device
> > + * @ops: device specific operations
> > + *
> > + * While registering the RPMB partition extract needed device information
> > + * while needed resources are available.
> > + *
> > + * Returns: a pointer to a 'struct rpmb_dev' or an ERR_PTR on failure
> > + */
> > +struct rpmb_dev *rpmb_dev_register(struct device *dev,
> > + const struct rpmb_ops *ops)
> > +{
> > + struct rpmb_dev *rdev;
> > + struct rpmb_interface *intf;
> > + int ret;
> > +
> > + if (!dev || !ops || !ops->route_frames || !ops->set_dev_info)
> > + return ERR_PTR(-EINVAL);
> > +
> > + rdev = kzalloc(sizeof(*rdev), GFP_KERNEL);
> > + if (!rdev)
> > + return ERR_PTR(-ENOMEM);
> > +
> > + mutex_lock(&rpmb_mutex);
> > + list_add_tail(&rdev->list_node, &rpmb_dev_list);
> > + mutex_unlock(&rpmb_mutex);
>
> It does not look safe to add an rpmb_dev to the rpmb_dev_list, before
> it has been completely initialized. The consumer of it may fetch it
> and try use it before it's initialized.
You're right, I'll move the registration to the end of mmc_blk_probe().
>
> > +
> > + rdev->ops = ops;
> > +
> > + rdev->parent_dev = dev;
> > +
> > + ret = ops->set_dev_info(dev, rdev);
>
> Rather than using a callback to initialize the rpmb_dev, I would
> suggest (and prefer) to let the corresponding data be provided as an
> in-parameter to rpmb_dev_register() instead.
OK
>
> > + if (ret)
> > + goto exit;
> > +
> > + dev_dbg(rdev->parent_dev, "registered device\n");
> > +
> > + mutex_lock(&rpmb_mutex);
> > + list_for_each_entry(intf, &rpmb_intf_list, list_node)
> > + if (intf->add_rdev)
> > + intf->add_rdev(intf, rdev);
>
> Rather than implementing our own specific notification mechanism, we
> could make use of a "blocking_notifier" (include/linux/notifier.h)
> instead.
Good idea, I'll use that.
>
> Moreover, it looks like we are lacking a way to inform the consumer
> driver that an rpmb_dev is being removed. Or maybe that isn't needed,
> as the reference counting manages that for us?
Yes, the reference counting is managing this.
>
> > + mutex_unlock(&rpmb_mutex);
> > +
> > + return rdev;
> > +
> > +exit:
> > + mutex_lock(&rpmb_mutex);
> > + list_del(&rdev->list_node);
> > + mutex_unlock(&rpmb_mutex);
> > + kfree(rdev);
> > + return ERR_PTR(ret);
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_dev_register);
> > +
> > +/**
> > + * rpmb_interface_register() - register for new device notifications
> > + *
> > + * @intf : pointer to interface struct with a notification callback
> > + */
> > +void rpmb_interface_register(struct rpmb_interface *intf)
> > +{
> > + struct rpmb_dev *rdev;
> > +
> > + mutex_lock(&rpmb_mutex);
> > + list_add_tail(&intf->list_node, &rpmb_intf_list);
> > + if (intf->add_rdev)
>
> Is there any reason to allow the ->add_rdev() callback to be optional?
No, I'll fix.
>
> > + list_for_each_entry(rdev, &rpmb_dev_list, list_node)
> > + intf->add_rdev(intf, rdev);
>
> What if ->add_rdev() are happy to use one of the rpmb_dev, then we
> will still continue to iterate over the list. Should we use a return
> code to indicate if we should continue or not?
I'm switching to "blocking_notifier".
>
> > + mutex_unlock(&rpmb_mutex);
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_interface_register);
> > +
> > +/**
> > + * rpmb_interface_unregister() - unregister from new device notifications
> > + *
> > + * @intf : pointer to previously registered interface struct
> > + */
> > +void rpmb_interface_unregister(struct rpmb_interface *intf)
> > +{
> > + mutex_lock(&rpmb_mutex);
> > + list_del(&intf->list_node);
> > + mutex_unlock(&rpmb_mutex);
> > +}
> > +EXPORT_SYMBOL_GPL(rpmb_interface_unregister);
> > +
> > +static int __init rpmb_init(void)
> > +{
> > + INIT_LIST_HEAD(&rpmb_dev_list);
> > + INIT_LIST_HEAD(&rpmb_intf_list);
> > + return 0;
> > +}
> > +
> > +static void __exit rpmb_exit(void)
> > +{
> > + mutex_destroy(&rpmb_mutex);
> > +}
> > +
> > +subsys_initcall(rpmb_init);
> > +module_exit(rpmb_exit);
> > +
> > +MODULE_AUTHOR("Jens Wiklander <[email protected]>");
> > +MODULE_DESCRIPTION("RPMB class");
> > +MODULE_LICENSE("GPL");
> > diff --git a/include/linux/rpmb.h b/include/linux/rpmb.h
> > new file mode 100644
> > index 000000000000..c4b13dad10c4
> > --- /dev/null
> > +++ b/include/linux/rpmb.h
> > @@ -0,0 +1,195 @@
> > +/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0 */
> > +/*
> > + * Copyright (C) 2015-2019 Intel Corp. All rights reserved
> > + * Copyright (C) 2021-2022 Linaro Ltd
> > + */
> > +#ifndef __RPMB_H__
> > +#define __RPMB_H__
> > +
> > +#include <linux/types.h>
> > +#include <linux/device.h>
> > +
> > +/**
> > + * struct rpmb_frame - rpmb frame as defined by specs
> > + *
> > + * @stuff : stuff bytes
> > + * @key_mac : The authentication key or the message authentication
> > + * code (MAC) depending on the request/response type.
> > + * The MAC will be delivered in the last (or the only)
> > + * block of data.
> > + * @data : Data to be written or read by signed access.
> > + * @nonce : Random number generated by the host for the requests
> > + * and copied to the response by the RPMB engine.
> > + * @write_counter: Counter value for the total amount of the successful
> > + * authenticated data write requests made by the host.
> > + * @addr : Address of the data to be programmed to or read
> > + * from the RPMB. Address is the serial number of
> > + * the accessed block (half sector 256B).
> > + * @block_count : Number of blocks (half sectors, 256B) requested to be
> > + * read/programmed.
> > + * @result : Includes information about the status of the write counter
> > + * (valid, expired) and result of the access made to the RPMB.
> > + * @req_resp : Defines the type of request and response to/from the memory.
> > + */
> > +struct rpmb_frame {
> > + u8 stuff[196];
> > + u8 key_mac[32];
> > + u8 data[256];
> > + u8 nonce[16];
> > + __be32 write_counter;
> > + __be16 addr;
> > + __be16 block_count;
> > + __be16 result;
> > + __be16 req_resp;
> > +} __packed;
>
> I haven't looked at the NVME or the UFS spec in detail. Although, I
> assume the above frame makes sense for those types of
> interfaces/protocols too?
This is MMC-specific as we learned in the mail thread. I'll move this
into the MMC-specific code.
>
> > +
> > +#define RPMB_PROGRAM_KEY 0x1 /* Program RPMB Authentication Key */
> > +#define RPMB_GET_WRITE_COUNTER 0x2 /* Read RPMB write counter */
> > +#define RPMB_WRITE_DATA 0x3 /* Write data to RPMB partition */
> > +#define RPMB_READ_DATA 0x4 /* Read data from RPMB partition */
> > +#define RPMB_RESULT_READ 0x5 /* Read result request (Internal) */
> > +
> > +#define RPMB_REQ2RESP(_OP) ((_OP) << 8)
> > +#define RPMB_RESP2REQ(_OP) ((_OP) >> 8)
> > +
> > +/**
> > + * enum rpmb_op_result - rpmb operation results
> > + *
> > + * @RPMB_ERR_OK : operation successful
> > + * @RPMB_ERR_GENERAL : general failure
> > + * @RPMB_ERR_AUTH : mac doesn't match or ac calculation failure
> > + * @RPMB_ERR_COUNTER : counter doesn't match or counter increment failure
> > + * @RPMB_ERR_ADDRESS : address out of range or wrong address alignment
> > + * @RPMB_ERR_WRITE : data, counter, or result write failure
> > + * @RPMB_ERR_READ : data, counter, or result read failure
> > + * @RPMB_ERR_NO_KEY : authentication key not yet programmed
> > + *
> > + * @RPMB_ERR_COUNTER_EXPIRED: counter expired
> > + */
> > +enum rpmb_op_result {
> > + RPMB_ERR_OK = 0x0000,
> > + RPMB_ERR_GENERAL = 0x0001,
> > + RPMB_ERR_AUTH = 0x0002,
> > + RPMB_ERR_COUNTER = 0x0003,
> > + RPMB_ERR_ADDRESS = 0x0004,
> > + RPMB_ERR_WRITE = 0x0005,
> > + RPMB_ERR_READ = 0x0006,
> > + RPMB_ERR_NO_KEY = 0x0007,
> > +
> > + RPMB_ERR_COUNTER_EXPIRED = 0x0080
> > +};
> > +
> > +/**
> > + * enum rpmb_type - type of underlying storage technology
> > + *
> > + * @RPMB_TYPE_EMMC : emmc (JESD84-B50.1)
> > + * @RPMB_TYPE_UFS : UFS (JESD220)
> > + * @RPMB_TYPE_NVME : NVM Express
> > + */
> > +enum rpmb_type {
> > + RPMB_TYPE_EMMC,
> > + RPMB_TYPE_UFS,
> > + RPMB_TYPE_NVME,
> > +};
> > +
> > +/**
> > + * struct rpmb_dev - device which can support RPMB partition
> > + *
> > + * @parent_dev : parent device
> > + * @list_node : linked list node
> > + * @ops : operation exported by rpmb
> > + * @dev_id : unique device identifier read from the hardware
>
> This part puzzled me a bit, when I realized that they are used as an
> input to derive the authentication-data.
>
> For eMMC (as shown in patch2), we have chosen to use the CID register
> data, which makes perfect sense to me. However, I think it's important
> to clarify what this field is being used for, here in the description
> too.
Good point, I'll add that.
>
> > + * @dev_id_len : length of unique device identifier
> > + * @reliable_wr_count: number of sectors that can be written in one access
> > + * @capacity : capacity of the device in units of 128K
> > + */
> > +struct rpmb_dev {
> > + struct device *parent_dev;
> > + struct list_head list_node;
> > + const struct rpmb_ops *ops;
> > + u8 *dev_id;
> > + size_t dev_id_len;
> > + u16 reliable_wr_count;
> > + u16 capacity;
> > +};
> > +
> > +/**
> > + * struct rpmb_ops - RPMB ops to be implemented by underlying block device
> > + *
> > + * @type : block device type
> > + * @route_frames : routes frames to and from the RPMB device
> > + * @set_dev_info : extracts device info from the RPMB device
> > + */
> > +struct rpmb_ops {
> > + enum rpmb_type type;
>
> I would keep this in the rpmb_dev instead, as it's not really a callback (ops).
>
> > + int (*set_dev_info)(struct device *dev, struct rpmb_dev *rdev);
>
> As I suggested earlier, we should be able to drop the above callback.
> That said, it looks like we end up with only one callback left, so
> maybe just put that in the struct rpmb_dev instead?
OK
Thanks,
Jens
>
> > + int (*route_frames)(struct device *dev, bool write,
> > + u8 *req, unsigned int req_len,
> > + u8 *resp, unsigned int resp_len);
> > +};
> > +
> > +/**
> > + * struct rpmb_interface - subscribe to new RPMB devices
> > + *
> > + * @list_node : linked list node
> > + * @add_rdev : notifies that a new RPMB device has been found
> > + */
> > +struct rpmb_interface {
> > + struct list_head list_node;
> > + void (*add_rdev)(struct rpmb_interface *intf, struct rpmb_dev *rdev);
> > +};
> > +
> > +#if IS_ENABLED(CONFIG_RPMB)
> > +struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev);
> > +void rpmb_dev_put(struct rpmb_dev *rdev);
> > +struct rpmb_dev *rpmb_dev_find_device(const void *data,
> > + const struct rpmb_dev *start,
> > + int (*match)(struct rpmb_dev *rdev,
> > + const void *data));
> > +struct rpmb_dev *rpmb_dev_register(struct device *dev,
> > + const struct rpmb_ops *ops);
> > +int rpmb_dev_unregister(struct rpmb_dev *rdev);
> > +
> > +int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
> > + unsigned int req_len, u8 *resp, unsigned int resp_len);
> > +
> > +void rpmb_interface_register(struct rpmb_interface *intf);
> > +void rpmb_interface_unregister(struct rpmb_interface *intf);
> > +#else
> > +static inline struct rpmb_dev *rpmb_dev_get(struct rpmb_dev *rdev)
> > +{
> > + return NULL;
> > +}
> > +
> > +static inline void rpmb_dev_put(struct rpmb_dev *rdev) { }
> > +
> > +static inline struct rpmb_dev *
> > +rpmb_dev_find_device(const void *data, const struct rpmb_dev *start,
> > + int (*match)(struct rpmb_dev *rdev, const void *data))
> > +{
> > + return NULL;
> > +}
> > +
> > +static inline struct rpmb_dev *
> > +rpmb_dev_register(struct device *dev, const struct rpmb_ops *ops)
> > +{
> > + return NULL;
> > +}
> > +
> > +static inline int rpmb_dev_unregister(struct rpmb_dev *dev)
> > +{
> > + return 0;
> > +}
> > +
> > +static inline int rpmb_route_frames(struct rpmb_dev *rdev, u8 *req,
> > + unsigned int req_len, u8 *resp,
> > + unsigned int resp_len)
> > +{
> > + return -EOPNOTSUPP;
> > +}
> > +
> > +static inline void rpmb_interface_register(struct rpmb_interface *intf) { }
> > +static inline void rpmb_interface_unregister(struct rpmb_interface *intf) { }
> > +#endif /* CONFIG_RPMB */
> > +
> > +#endif /* __RPMB_H__ */
> > --
> > 2.34.1
> >
>
> Kind regards
> Uffe
On Fri, Mar 1, 2024 at 11:28 AM Sumit Garg <[email protected]> wrote:
>
> Hi Jens,
>
> On Tue, 27 Feb 2024 at 21:01, Jens Wiklander <[email protected]> wrote:
> >
> > Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
> > use an RPMB device via the RPBM subsystem instead of passing the RPMB
>
> s/RPBM/RPMB/
>
> Here are other places too in this patch-set.
>
> > frames via tee-supplicant in user space. A fallback mechanism is kept to
> > route RPMB frames via tee-supplicant if the RPMB subsystem isn't
> > available.
> >
> > The OP-TEE RPC ABI is extended to support iterating over all RPMB
> > devices until one is found with the expected RPMB key already
> > programmed.
>
> I would appreciate it if you could add a link to OP-TEE OS changes in
> the cover-letter although I have found them here [1].
>
> [1] https://github.com/jenswi-linaro/optee_os/commits/rpmb_probe/
OK, I'll add a link in the coverletter of the next patch set.
>
> >
> > Signed-off-by: Jens Wiklander <[email protected]>
> > ---
> > drivers/tee/optee/core.c | 55 +++++++
> > drivers/tee/optee/ffa_abi.c | 7 +
> > drivers/tee/optee/optee_private.h | 16 ++
> > drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
> > drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
> > drivers/tee/optee/smc_abi.c | 6 +
> > 6 files changed, 352 insertions(+)
> >
> > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> > index 3aed554bc8d8..6b32d3e7865b 100644
> > --- a/drivers/tee/optee/core.c
> > +++ b/drivers/tee/optee/core.c
> > @@ -11,6 +11,7 @@
> > #include <linux/io.h>
> > #include <linux/mm.h>
> > #include <linux/module.h>
> > +#include <linux/rpmb.h>
> > #include <linux/slab.h>
> > #include <linux/string.h>
> > #include <linux/tee_drv.h>
> > @@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> > shm->pages = NULL;
> > }
> >
> > +static void optee_rpmb_scan(struct work_struct *work)
> > +{
> > + struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
> > + bool scan_done = false;
> > + u32 res;
> > +
> > + do {
> > + mutex_lock(&optee->rpmb_dev_mutex);
> > + /* No need to rescan if we haven't started scanning yet */
> > + optee->rpmb_dev_request_rescan = false;
> > + mutex_unlock(&optee->rpmb_dev_mutex);
> > +
> > + res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
> > + if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
>
> I suppose this hasn't been tested for a negative case since
> optee_enumerate_devices() won't return this error code (see [2]).
> However, I would prefer to use GP Client error code:
> TEEC_ERROR_ITEM_NOT_FOUND here instead.
>
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tee/optee/device.c#n43
I prefer TEE_ERROR_STORAGE_NOT_AVAILABLE since that's the code GP says
a TA should get when storage is unavailable.
TEEC_ERROR_ITEM_NOT_FOUND is less specific. Anyway, I'll need to
translate the code in get_devices().
>
> > + pr_info("Scanning for RPMB device: res %#x\n", res);
> > +
> > + mutex_lock(&optee->rpmb_dev_mutex);
> > + /*
> > + * If another RPMB device came online while scanning, scan one
> > + * more time, unless we have already found an RPBM device.
> > + */
> > + scan_done = (optee->rpmb_dev ||
>
> I suppose we don't need to check for optee->rpmb_dev here since a
> successful return from
> optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) would ensure that
> the RPMB device has been found.
That makes sense, I'll check the return value instead.
>
> > + !optee->rpmb_dev_request_rescan);
> > + optee->rpmb_dev_request_rescan = false;
> > + optee->rpmb_dev_scan_in_progress = !scan_done;
> > + mutex_unlock(&optee->rpmb_dev_mutex);
> > + } while (!scan_done);
> > +}
> > +
> > +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> > + struct rpmb_dev *rdev)
> > +{
> > + struct optee *optee = container_of(intf, struct optee, rpmb_intf);
> > + bool queue_work = true;
> > +
> > + mutex_lock(&optee->rpmb_dev_mutex);
> > + if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
>
> Can we use work_pending() instead of our custom
> optee->rpmb_dev_scan_in_progress flag?
That seems racy, or am I missing something?
>
> > + queue_work = false;
> > + if (optee->rpmb_dev_scan_in_progress)
> > + optee->rpmb_dev_request_rescan = true;
> > + }
> > + if (queue_work)
> > + optee->rpmb_dev_scan_in_progress = true;
> > + mutex_unlock(&optee->rpmb_dev_mutex);
> > +
> > + if (queue_work) {
> > + INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
> > + schedule_work(&optee->scan_rpmb_work);
>
> Can we reuse optee->scan_bus_work rather than introducing a new one here?
No, both may be active at the same time. We'd have to merge
optee_rpmb_scan() and optee_bus_scan(), but I'm not sure it's worth
it.
>
> > + }
> > +}
> > +
> > static void optee_bus_scan(struct work_struct *work)
> > {
> > WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
> > @@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
> >
> > void optee_remove_common(struct optee *optee)
> > {
> > + rpmb_interface_unregister(&optee->rpmb_intf);
> > /* Unregister OP-TEE specific client devices on TEE bus */
> > optee_unregister_devices();
> >
> > @@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
> > tee_shm_pool_free(optee->pool);
> > optee_supp_uninit(&optee->supp);
> > mutex_destroy(&optee->call_queue.mutex);
> > + rpmb_dev_put(optee->rpmb_dev);
> > + mutex_destroy(&optee->rpmb_dev_mutex);
> > }
> >
> > static int smc_abi_rc;
> > diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> > index ecb5eb079408..befe19ecc30a 100644
> > --- a/drivers/tee/optee/ffa_abi.c
> > +++ b/drivers/tee/optee/ffa_abi.c
> > @@ -7,6 +7,7 @@
> >
> > #include <linux/arm_ffa.h>
> > #include <linux/errno.h>
> > +#include <linux/rpmb.h>
> > #include <linux/scatterlist.h>
> > #include <linux/sched.h>
> > #include <linux/slab.h>
> > @@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > optee_cq_init(&optee->call_queue, 0);
> > optee_supp_init(&optee->supp);
> > optee_shm_arg_cache_init(optee, arg_cache_flags);
> > + mutex_init(&optee->rpmb_dev_mutex);
> > ffa_dev_set_drvdata(ffa_dev, optee);
> > ctx = teedev_open(optee->teedev);
> > if (IS_ERR(ctx)) {
> > @@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > if (rc)
> > goto err_unregister_devices;
> >
> > + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> > + rpmb_interface_register(&optee->rpmb_intf);
> > pr_info("initialized driver\n");
> > return 0;
> >
> > @@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > teedev_close_context(ctx);
> > err_rhashtable_free:
> > rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
> > + rpmb_dev_put(optee->rpmb_dev);
> > + mutex_destroy(&optee->rpmb_dev_mutex);
> > + rpmb_interface_unregister(&optee->rpmb_intf);
> > optee_supp_uninit(&optee->supp);
> > mutex_destroy(&optee->call_queue.mutex);
> > mutex_destroy(&optee->ffa.mutex);
> > diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
> > index 7a5243c78b55..1e4c33baef43 100644
> > --- a/drivers/tee/optee/optee_private.h
> > +++ b/drivers/tee/optee/optee_private.h
> > @@ -8,6 +8,7 @@
> >
> > #include <linux/arm-smccc.h>
> > #include <linux/rhashtable.h>
> > +#include <linux/rpmb.h>
> > #include <linux/semaphore.h>
> > #include <linux/tee_drv.h>
> > #include <linux/types.h>
> > @@ -20,11 +21,13 @@
> > /* Some Global Platform error codes used in this driver */
> > #define TEEC_SUCCESS 0x00000000
> > #define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
> > +#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
> > #define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
> > #define TEEC_ERROR_COMMUNICATION 0xFFFF000E
> > #define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
> > #define TEEC_ERROR_BUSY 0xFFFF000D
> > #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
> > +#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
> >
> > #define TEEC_ORIGIN_COMMS 0x00000002
> >
> > @@ -197,6 +200,8 @@ struct optee_ops {
> > * @notif: notification synchronization struct
> > * @supp: supplicant synchronization struct for RPC to supplicant
> > * @pool: shared memory pool
> > + * @mutex: mutex protecting @rpmb_dev
> > + * @rpmb_dev: current RPMB device or NULL
> > * @rpc_param_count: If > 0 number of RPC parameters to make room for
> > * @scan_bus_done flag if device registation was already done.
> > * @scan_bus_work workq to scan optee bus and register optee drivers
> > @@ -215,9 +220,17 @@ struct optee {
> > struct optee_notif notif;
> > struct optee_supp supp;
> > struct tee_shm_pool *pool;
> > + /* Protects rpmb_dev pointer and rpmb_dev_* */
> > + struct mutex rpmb_dev_mutex;
>
> Given my comments above, do we really need this mutex?
I don't see how we can do without the mutex.
>
> > + struct rpmb_dev *rpmb_dev;
> > + bool rpmb_dev_scan_in_progress;
> > + bool rpmb_dev_request_rescan;
> > + bool rpmb_dev_scan_done;
>
> Left over, should it be dropped?
Thanks, I'll remove it.
>
> > + struct rpmb_interface rpmb_intf;
> > unsigned int rpc_param_count;
> > bool scan_bus_done;
> > struct work_struct scan_bus_work;
> > + struct work_struct scan_rpmb_work;
> > };
> >
> > struct optee_session {
> > @@ -280,8 +293,11 @@ int optee_cancel_req(struct tee_context *ctx, u32 cancel_id, u32 session);
> >
> > #define PTA_CMD_GET_DEVICES 0x0
> > #define PTA_CMD_GET_DEVICES_SUPP 0x1
> > +#define PTA_CMD_GET_DEVICES_RPMB 0x2
> > int optee_enumerate_devices(u32 func);
> > void optee_unregister_devices(void);
> > +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> > + struct rpmb_dev *rdev);
> >
> > int optee_pool_op_alloc_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> > size_t size, size_t align,
> > diff --git a/drivers/tee/optee/optee_rpc_cmd.h b/drivers/tee/optee/optee_rpc_cmd.h
> > index f3f06e0994a7..f351a8ac69fc 100644
> > --- a/drivers/tee/optee/optee_rpc_cmd.h
> > +++ b/drivers/tee/optee/optee_rpc_cmd.h
> > @@ -16,6 +16,14 @@
> > * and sends responses.
> > */
> >
> > +/*
> > + * Replay Protected Memory Block access
> > + *
> > + * [in] memref[0] Frames to device
> > + * [out] memref[1] Frames from device
> > + */
> > +#define OPTEE_RPC_CMD_RPMB 1
> > +
> > /*
> > * Get time
> > *
> > @@ -103,4 +111,31 @@
> > /* I2C master control flags */
> > #define OPTEE_RPC_I2C_FLAGS_TEN_BIT BIT(0)
> >
> > +/*
> > + * Reset RPMB probing
> > + *
> > + * Releases an eventually already used RPMB devices and starts over searching
> > + * for RPMB devices. Returns the kind of shared memory to use in subsequent
> > + * OPTEE_RPC_CMD_RPMB_PROBE_NEXT and OPTEE_RPC_CMD_RPMB calls.
> > + *
> > + * [out] value[0].a OPTEE_RPC_SHM_TYPE_*, the parameter for
> > + * OPTEE_RPC_CMD_SHM_ALLOC
> > + */
> > +#define OPTEE_RPC_CMD_RPMB_PROBE_RESET 22
> > +
> > +/*
> > + * Probe next RPMB device
> > + *
> > + * [out] value[0].a Type of RPMB device, OPTEE_RPC_RPMB_*
> > + * [out] value[0].b EXT CSD-slice 168 "RPMB Size"
> > + * [out] value[0].c EXT CSD-slice 222 "Reliable Write Sector Count"
> > + * [out] memref[1] Buffer with the raw CID
> > + */
> > +#define OPTEE_RPC_CMD_RPMB_PROBE_NEXT 23
> > +
> > +/* Type of RPMB device */
> > +#define OPTEE_RPC_RPMB_EMMC 0
> > +#define OPTEE_RPC_RPMB_UFS 1
> > +#define OPTEE_RPC_RPMB_NVME 2
> > +
> > #endif /*__OPTEE_RPC_CMD_H*/
> > diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c
> > index e69bc6380683..97f69a108f61 100644
> > --- a/drivers/tee/optee/rpc.c
> > +++ b/drivers/tee/optee/rpc.c
> > @@ -7,6 +7,7 @@
> >
> > #include <linux/delay.h>
> > #include <linux/i2c.h>
> > +#include <linux/rpmb.h>
> > #include <linux/slab.h>
> > #include <linux/tee_drv.h>
> > #include "optee_private.h"
> > @@ -255,6 +256,229 @@ void optee_rpc_cmd_free_suppl(struct tee_context *ctx, struct tee_shm *shm)
> > optee_supp_thrd_req(ctx, OPTEE_RPC_CMD_SHM_FREE, 1, ¶m);
> > }
> >
> > +static void handle_rpc_func_rpmb_probe_reset(struct tee_context *ctx,
> > + struct optee *optee,
> > + struct optee_msg_arg *arg)
> > +{
> > + struct tee_param params[1];
> > +
> > + if (!IS_ENABLED(CONFIG_RPMB)) {
> > + handle_rpc_supp_cmd(ctx, optee, arg);
> > + return;
> > + }
> > +
> > + if (arg->num_params != ARRAY_SIZE(params) ||
> > + optee->ops->from_msg_param(optee, params, arg->num_params,
> > + arg->params) ||
> > + params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT) {
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > + return;
> > + }
> > +
> > + params[0].u.value.a = OPTEE_RPC_SHM_TYPE_KERNEL;
> > + params[0].u.value.b = 0;
> > + params[0].u.value.c = 0;
> > + if (optee->ops->to_msg_param(optee, arg->params,
> > + arg->num_params, params)) {
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > + return;
> > + }
> > +
> > + mutex_lock(&optee->rpmb_dev_mutex);
> > + rpmb_dev_put(optee->rpmb_dev);
> > + optee->rpmb_dev = NULL;
> > + mutex_unlock(&optee->rpmb_dev_mutex);
> > +
> > + arg->ret = TEEC_SUCCESS;
> > +}
> > +
> > +static int rpmb_type_to_rpc_type(enum rpmb_type rtype)
> > +{
> > + switch (rtype) {
> > + case RPMB_TYPE_EMMC:
> > + return OPTEE_RPC_RPMB_EMMC;
> > + case RPMB_TYPE_UFS:
> > + return OPTEE_RPC_RPMB_UFS;
> > + case RPMB_TYPE_NVME:
> > + return OPTEE_RPC_RPMB_NVME;
> > + default:
> > + return -1;
> > + }
> > +}
> > +
> > +static int rpc_rpmb_match(struct rpmb_dev *rdev, const void *data)
> > +{
> > + return rpmb_type_to_rpc_type(rdev->ops->type) >= 0;
> > +}
> > +
> > +static void handle_rpc_func_rpmb_probe_next(struct tee_context *ctx,
> > + struct optee *optee,
> > + struct optee_msg_arg *arg)
> > +{
> > + struct rpmb_dev *rdev;
> > + struct tee_param params[2];
> > + void *buf;
> > +
> > + if (!IS_ENABLED(CONFIG_RPMB)) {
>
> What if the RPMB driver is built as a module? IS_REACHABLE() instead?
OK, I'll update.
Thanks,
Jens
>
> -Sumit
>
> > + handle_rpc_supp_cmd(ctx, optee, arg);
> > + return;
> > + }
> > +
> > + if (arg->num_params != ARRAY_SIZE(params) ||
> > + optee->ops->from_msg_param(optee, params, arg->num_params,
> > + arg->params) ||
> > + params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT ||
> > + params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > + return;
> > + }
> > + buf = tee_shm_get_va(params[1].u.memref.shm,
> > + params[1].u.memref.shm_offs);
> > + if (!buf) {
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > + return;
> > + }
> > +
> > + mutex_lock(&optee->rpmb_dev_mutex);
> > + rdev = rpmb_dev_find_device(NULL, optee->rpmb_dev, rpc_rpmb_match);
> > + rpmb_dev_put(optee->rpmb_dev);
> > + optee->rpmb_dev = rdev;
> > + mutex_unlock(&optee->rpmb_dev_mutex);
> > +
> > + if (!rdev) {
> > + arg->ret = TEEC_ERROR_ITEM_NOT_FOUND;
> > + return;
> > + }
> > +
> > + if (params[1].u.memref.size < rdev->dev_id_len) {
> > + arg->ret = TEEC_ERROR_SHORT_BUFFER;
> > + return;
> > + }
> > + memcpy(buf, rdev->dev_id, rdev->dev_id_len);
> > + params[1].u.memref.size = rdev->dev_id_len;
> > + params[0].u.value.a = rpmb_type_to_rpc_type(rdev->ops->type);
> > + params[0].u.value.b = rdev->capacity;
> > + params[0].u.value.c = rdev->reliable_wr_count;
> > + if (optee->ops->to_msg_param(optee, arg->params,
> > + arg->num_params, params)) {
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > + return;
> > + }
> > +
> > + arg->ret = TEEC_SUCCESS;
> > +}
> > +
> > +/* Request */
> > +struct rpmb_req {
> > + u16 cmd;
> > +#define RPMB_CMD_DATA_REQ 0x00
> > +#define RPMB_CMD_GET_DEV_INFO 0x01
> > + u16 dev_id;
> > + u16 block_count;
> > + /* Optional data frames (rpmb_data_frame) follow */
> > +};
> > +
> > +#define RPMB_REQ_DATA(req) ((void *)((struct rpmb_req *)(req) + 1))
> > +
> > +#define RPMB_CID_SZ 16
> > +
> > +/* Response to device info request */
> > +struct rpmb_dev_info {
> > + u8 cid[RPMB_CID_SZ];
> > + u8 rpmb_size_mult; /* EXT CSD-slice 168: RPMB Size */
> > + u8 rel_wr_sec_c; /* EXT CSD-slice 222: Reliable Write Sector */
> > + /* Count */
> > + u8 ret_code;
> > +#define RPMB_CMD_GET_DEV_INFO_RET_OK 0x00
> > +#define RPMB_CMD_GET_DEV_INFO_RET_ERROR 0x01
> > +};
> > +
> > +static int get_dev_info(struct rpmb_dev *rdev, void *rsp, size_t rsp_size)
> > +{
> > + struct rpmb_dev_info *dev_info;
> > +
> > + if (rsp_size != sizeof(*dev_info))
> > + return TEEC_ERROR_BAD_PARAMETERS;
> > +
> > + dev_info = rsp;
> > + memcpy(dev_info->cid, rdev->dev_id, sizeof(dev_info->cid));
> > + dev_info->rpmb_size_mult = rdev->capacity;
> > + dev_info->rel_wr_sec_c = rdev->reliable_wr_count;
> > + dev_info->ret_code = RPMB_CMD_GET_DEV_INFO_RET_OK;
> > +
> > + return TEEC_SUCCESS;
> > +}
> > +
> > +/*
> > + * req is one struct rpmb_req followed by one or more struct rpmb_data_frame
> > + * rsp is either one struct rpmb_dev_info or one or more struct rpmb_data_frame
> > + */
> > +static u32 rpmb_process_request(struct optee *optee, struct rpmb_dev *rdev,
> > + void *req, size_t req_size,
> > + void *rsp, size_t rsp_size)
> > +{
> > + struct rpmb_req *sreq = req;
> > + int rc;
> > +
> > + if (req_size < sizeof(*sreq))
> > + return TEEC_ERROR_BAD_PARAMETERS;
> > +
> > + switch (sreq->cmd) {
> > + case RPMB_CMD_DATA_REQ:
> > + rc = rpmb_route_frames(rdev, RPMB_REQ_DATA(req),
> > + req_size - sizeof(struct rpmb_req),
> > + rsp, rsp_size);
> > + if (rc)
> > + return TEEC_ERROR_BAD_PARAMETERS;
> > + return TEEC_SUCCESS;
> > + case RPMB_CMD_GET_DEV_INFO:
> > + return get_dev_info(rdev, rsp, rsp_size);
> > + default:
> > + return TEEC_ERROR_BAD_PARAMETERS;
> > + }
> > +}
> > +
> > +static void handle_rpc_func_rpmb(struct tee_context *ctx, struct optee *optee,
> > + struct optee_msg_arg *arg)
> > +{
> > + struct tee_param params[2];
> > + struct rpmb_dev *rdev;
> > + void *p0, *p1;
> > +
> > + mutex_lock(&optee->rpmb_dev_mutex);
> > + rdev = rpmb_dev_get(optee->rpmb_dev);
> > + mutex_unlock(&optee->rpmb_dev_mutex);
> > + if (!rdev) {
> > + handle_rpc_supp_cmd(ctx, optee, arg);
> > + return;
> > + }
> > +
> > + if (arg->num_params != ARRAY_SIZE(params) ||
> > + optee->ops->from_msg_param(optee, params, arg->num_params,
> > + arg->params) ||
> > + params[0].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT ||
> > + params[1].attr != TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT) {
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > + goto out;
> > + }
> > +
> > + p0 = tee_shm_get_va(params[0].u.memref.shm,
> > + params[0].u.memref.shm_offs);
> > + p1 = tee_shm_get_va(params[1].u.memref.shm,
> > + params[1].u.memref.shm_offs);
> > + arg->ret = rpmb_process_request(optee, rdev, p0,
> > + params[0].u.memref.size,
> > + p1, params[1].u.memref.size);
> > + if (arg->ret)
> > + goto out;
> > +
> > + if (optee->ops->to_msg_param(optee, arg->params,
> > + arg->num_params, params))
> > + arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > +out:
> > + rpmb_dev_put(rdev);
> > +}
> > +
> > void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
> > struct optee_msg_arg *arg)
> > {
> > @@ -271,6 +495,15 @@ void optee_rpc_cmd(struct tee_context *ctx, struct optee *optee,
> > case OPTEE_RPC_CMD_I2C_TRANSFER:
> > handle_rpc_func_cmd_i2c_transfer(ctx, arg);
> > break;
> > + case OPTEE_RPC_CMD_RPMB_PROBE_RESET:
> > + handle_rpc_func_rpmb_probe_reset(ctx, optee, arg);
> > + break;
> > + case OPTEE_RPC_CMD_RPMB_PROBE_NEXT:
> > + handle_rpc_func_rpmb_probe_next(ctx, optee, arg);
> > + break;
> > + case OPTEE_RPC_CMD_RPMB:
> > + handle_rpc_func_rpmb(ctx, optee, arg);
> > + break;
> > default:
> > handle_rpc_supp_cmd(ctx, optee, arg);
> > }
> > diff --git a/drivers/tee/optee/smc_abi.c b/drivers/tee/optee/smc_abi.c
> > index a37f87087e5c..8da53f41b052 100644
> > --- a/drivers/tee/optee/smc_abi.c
> > +++ b/drivers/tee/optee/smc_abi.c
> > @@ -20,6 +20,7 @@
> > #include <linux/of_irq.h>
> > #include <linux/of_platform.h>
> > #include <linux/platform_device.h>
> > +#include <linux/rpmb.h>
> > #include <linux/sched.h>
> > #include <linux/slab.h>
> > #include <linux/string.h>
> > @@ -1715,6 +1716,7 @@ static int optee_probe(struct platform_device *pdev)
> > optee->smc.memremaped_shm = memremaped_shm;
> > optee->pool = pool;
> > optee_shm_arg_cache_init(optee, arg_cache_flags);
> > + mutex_init(&optee->rpmb_dev_mutex);
> >
> > platform_set_drvdata(pdev, optee);
> > ctx = teedev_open(optee->teedev);
> > @@ -1769,6 +1771,8 @@ static int optee_probe(struct platform_device *pdev)
> > if (rc)
> > goto err_disable_shm_cache;
> >
> > + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> > + rpmb_interface_register(&optee->rpmb_intf);
> > pr_info("initialized driver\n");
> > return 0;
> >
> > @@ -1782,6 +1786,8 @@ static int optee_probe(struct platform_device *pdev)
> > err_close_ctx:
> > teedev_close_context(ctx);
> > err_supp_uninit:
> > + rpmb_dev_put(optee->rpmb_dev);
> > + mutex_destroy(&optee->rpmb_dev_mutex);
> > optee_shm_arg_cache_uninit(optee);
> > optee_supp_uninit(&optee->supp);
> > mutex_destroy(&optee->call_queue.mutex);
> > --
> > 2.34.1
> >
On Tue, Mar 5, 2024 at 1:24 PM Linus Walleij <[email protected]> wrote:
>
> Hi Jens,
>
> thanks for your patch!
>
> On Tue, Feb 27, 2024 at 4:31 PM Jens Wiklander
> <[email protected]> wrote:
>
> > A number of storage technologies support a specialised hardware
> > partition designed to be resistant to replay attacks. The underlying
> > HW protocols differ but the operations are common. The RPMB partition
> > cannot be accessed via standard block layer, but by a set of specific
> > RPMB commands: WRITE, READ, GET_WRITE_COUNTER, and PROGRAM_KEY. Such a
> > partition provides authenticated and replay protected access, hence
> > suitable as a secure storage.
> >
> > The initial aim of this patch is to provide a simple RPMB driver
> > interface which can be accessed by the optee driver to facilitate early
> > RPMB access to OP-TEE OS (secure OS) during the boot time.
> >
> > A TEE device driver can claim the RPMB interface, for example, via
> > rpmb_interface_register() or rpmb_dev_find_device(). The RPMB driver
> > provides a callback to route RPMB frames to the RPMB device accessible
> > via rpmb_route_frames().
> >
> > The detailed operation of implementing the access is left to the TEE
> > device driver itself.
> >
> > Signed-off-by: Tomas Winkler <[email protected]>
> > Signed-off-by: Alex Bennée <[email protected]>
> > Signed-off-by: Shyam Saini <[email protected]>
> > Signed-off-by: Jens Wiklander <[email protected]>
>
> I would mention in the commit that the subsystem is currently
> only used with eMMC but is designed to be used also by UFS
> and NVME. Nevertheless, no big deal so:
> Reviewed-by: Linus Walleij <[email protected]>
>
> > +config RPMB
> > + tristate "RPMB partition interface"
> > + depends on MMC
>
> depends on MMC || SCSI_UFSHCD || NVME_CORE
> ?
>
> Or do we want to hold it off until we implement the backends?
Correct, I think we should hold it off until then.
Thanks,
Jens
>
> Yours,
> Linus Walleij
On Thu, 28 Mar 2024 at 21:39, Jens Wiklander <[email protected]> wrote:
>
> On Fri, Mar 1, 2024 at 11:28 AM Sumit Garg <[email protected]> wrote:
> >
> > Hi Jens,
> >
> > On Tue, 27 Feb 2024 at 21:01, Jens Wiklander <[email protected]> wrote:
> > >
> > > Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
> > > use an RPMB device via the RPBM subsystem instead of passing the RPMB
> >
> > s/RPBM/RPMB/
> >
> > Here are other places too in this patch-set.
> >
> > > frames via tee-supplicant in user space. A fallback mechanism is kept to
> > > route RPMB frames via tee-supplicant if the RPMB subsystem isn't
> > > available.
> > >
> > > The OP-TEE RPC ABI is extended to support iterating over all RPMB
> > > devices until one is found with the expected RPMB key already
> > > programmed.
> >
> > I would appreciate it if you could add a link to OP-TEE OS changes in
> > the cover-letter although I have found them here [1].
> >
> > [1] https://github.com/jenswi-linaro/optee_os/commits/rpmb_probe/
>
> OK, I'll add a link in the coverletter of the next patch set.
>
> >
> > >
> > > Signed-off-by: Jens Wiklander <[email protected]>
> > > ---
> > > drivers/tee/optee/core.c | 55 +++++++
> > > drivers/tee/optee/ffa_abi.c | 7 +
> > > drivers/tee/optee/optee_private.h | 16 ++
> > > drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
> > > drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
> > > drivers/tee/optee/smc_abi.c | 6 +
> > > 6 files changed, 352 insertions(+)
> > >
> > > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> > > index 3aed554bc8d8..6b32d3e7865b 100644
> > > --- a/drivers/tee/optee/core.c
> > > +++ b/drivers/tee/optee/core.c
> > > @@ -11,6 +11,7 @@
> > > #include <linux/io.h>
> > > #include <linux/mm.h>
> > > #include <linux/module.h>
> > > +#include <linux/rpmb.h>
> > > #include <linux/slab.h>
> > > #include <linux/string.h>
> > > #include <linux/tee_drv.h>
> > > @@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> > > shm->pages = NULL;
> > > }
> > >
> > > +static void optee_rpmb_scan(struct work_struct *work)
> > > +{
> > > + struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
> > > + bool scan_done = false;
> > > + u32 res;
> > > +
> > > + do {
> > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > + /* No need to rescan if we haven't started scanning yet */
> > > + optee->rpmb_dev_request_rescan = false;
> > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > +
> > > + res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
> > > + if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
> >
> > I suppose this hasn't been tested for a negative case since
> > optee_enumerate_devices() won't return this error code (see [2]).
> > However, I would prefer to use GP Client error code:
> > TEEC_ERROR_ITEM_NOT_FOUND here instead.
> >
> > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tee/optee/device.c#n43
>
> I prefer TEE_ERROR_STORAGE_NOT_AVAILABLE since that's the code GP says
> a TA should get when storage is unavailable.
> TEEC_ERROR_ITEM_NOT_FOUND is less specific. Anyway, I'll need to
> translate the code in get_devices().
Okay, that's fair.
>
>
> >
> > > + pr_info("Scanning for RPMB device: res %#x\n", res);
> > > +
> > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > + /*
> > > + * If another RPMB device came online while scanning, scan one
> > > + * more time, unless we have already found an RPBM device.
> > > + */
> > > + scan_done = (optee->rpmb_dev ||
> >
> > I suppose we don't need to check for optee->rpmb_dev here since a
> > successful return from
> > optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) would ensure that
> > the RPMB device has been found.
>
> That makes sense, I'll check the return value instead.
>
> >
> > > + !optee->rpmb_dev_request_rescan);
> > > + optee->rpmb_dev_request_rescan = false;
> > > + optee->rpmb_dev_scan_in_progress = !scan_done;
> > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > + } while (!scan_done);
> > > +}
> > > +
> > > +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> > > + struct rpmb_dev *rdev)
> > > +{
> > > + struct optee *optee = container_of(intf, struct optee, rpmb_intf);
> > > + bool queue_work = true;
> > > +
> > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > + if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
> >
> > Can we use work_pending() instead of our custom
> > optee->rpmb_dev_scan_in_progress flag?
>
> That seems racy, or am I missing something?
>
You are right and even work_busy() is documented to provide unreliable
results. So I am rather thinking about just queuing the work and
thereby scanning for devices unconditionally. I suppose the extra
logic to check if we don't try to register duplicate devices can go
under optee_enumerate_devices().
> >
> > > + queue_work = false;
> > > + if (optee->rpmb_dev_scan_in_progress)
> > > + optee->rpmb_dev_request_rescan = true;
> > > + }
> > > + if (queue_work)
> > > + optee->rpmb_dev_scan_in_progress = true;
> > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > +
> > > + if (queue_work) {
> > > + INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
> > > + schedule_work(&optee->scan_rpmb_work);
> >
> > Can we reuse optee->scan_bus_work rather than introducing a new one here?
>
> No, both may be active at the same time.
Actually both of them are using system_wq underneath, so it shouldn't
be a problem if both are active at the same time as they can be queued
simultaneously, right?
> We'd have to merge
> optee_rpmb_scan() and optee_bus_scan(), but I'm not sure it's worth
> it.
>
> >
> > > + }
> > > +}
> > > +
> > > static void optee_bus_scan(struct work_struct *work)
> > > {
> > > WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
> > > @@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
> > >
> > > void optee_remove_common(struct optee *optee)
> > > {
> > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > /* Unregister OP-TEE specific client devices on TEE bus */
> > > optee_unregister_devices();
> > >
> > > @@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
> > > tee_shm_pool_free(optee->pool);
> > > optee_supp_uninit(&optee->supp);
> > > mutex_destroy(&optee->call_queue.mutex);
> > > + rpmb_dev_put(optee->rpmb_dev);
> > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > }
> > >
> > > static int smc_abi_rc;
> > > diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> > > index ecb5eb079408..befe19ecc30a 100644
> > > --- a/drivers/tee/optee/ffa_abi.c
> > > +++ b/drivers/tee/optee/ffa_abi.c
> > > @@ -7,6 +7,7 @@
> > >
> > > #include <linux/arm_ffa.h>
> > > #include <linux/errno.h>
> > > +#include <linux/rpmb.h>
> > > #include <linux/scatterlist.h>
> > > #include <linux/sched.h>
> > > #include <linux/slab.h>
> > > @@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > optee_cq_init(&optee->call_queue, 0);
> > > optee_supp_init(&optee->supp);
> > > optee_shm_arg_cache_init(optee, arg_cache_flags);
> > > + mutex_init(&optee->rpmb_dev_mutex);
> > > ffa_dev_set_drvdata(ffa_dev, optee);
> > > ctx = teedev_open(optee->teedev);
> > > if (IS_ERR(ctx)) {
> > > @@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > if (rc)
> > > goto err_unregister_devices;
> > >
> > > + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> > > + rpmb_interface_register(&optee->rpmb_intf);
> > > pr_info("initialized driver\n");
> > > return 0;
> > >
> > > @@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > teedev_close_context(ctx);
> > > err_rhashtable_free:
> > > rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
> > > + rpmb_dev_put(optee->rpmb_dev);
> > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > optee_supp_uninit(&optee->supp);
> > > mutex_destroy(&optee->call_queue.mutex);
> > > mutex_destroy(&optee->ffa.mutex);
> > > diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
> > > index 7a5243c78b55..1e4c33baef43 100644
> > > --- a/drivers/tee/optee/optee_private.h
> > > +++ b/drivers/tee/optee/optee_private.h
> > > @@ -8,6 +8,7 @@
> > >
> > > #include <linux/arm-smccc.h>
> > > #include <linux/rhashtable.h>
> > > +#include <linux/rpmb.h>
> > > #include <linux/semaphore.h>
> > > #include <linux/tee_drv.h>
> > > #include <linux/types.h>
> > > @@ -20,11 +21,13 @@
> > > /* Some Global Platform error codes used in this driver */
> > > #define TEEC_SUCCESS 0x00000000
> > > #define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
> > > +#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
> > > #define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
> > > #define TEEC_ERROR_COMMUNICATION 0xFFFF000E
> > > #define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
> > > #define TEEC_ERROR_BUSY 0xFFFF000D
> > > #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
> > > +#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
> > >
> > > #define TEEC_ORIGIN_COMMS 0x00000002
> > >
> > > @@ -197,6 +200,8 @@ struct optee_ops {
> > > * @notif: notification synchronization struct
> > > * @supp: supplicant synchronization struct for RPC to supplicant
> > > * @pool: shared memory pool
> > > + * @mutex: mutex protecting @rpmb_dev
> > > + * @rpmb_dev: current RPMB device or NULL
> > > * @rpc_param_count: If > 0 number of RPC parameters to make room for
> > > * @scan_bus_done flag if device registation was already done.
> > > * @scan_bus_work workq to scan optee bus and register optee drivers
> > > @@ -215,9 +220,17 @@ struct optee {
> > > struct optee_notif notif;
> > > struct optee_supp supp;
> > > struct tee_shm_pool *pool;
> > > + /* Protects rpmb_dev pointer and rpmb_dev_* */
> > > + struct mutex rpmb_dev_mutex;
> >
> > Given my comments above, do we really need this mutex?
>
> I don't see how we can do without the mutex.
See if it is possible with the above mentioned approach.
-Sumit
On Wed, Apr 3, 2024 at 2:58 PM Sumit Garg <[email protected]> wrote:
>
> On Thu, 28 Mar 2024 at 21:39, Jens Wiklander <[email protected]> wrote:
> >
> > On Fri, Mar 1, 2024 at 11:28 AM Sumit Garg <[email protected]> wrote:
> > >
> > > Hi Jens,
> > >
> > > On Tue, 27 Feb 2024 at 21:01, Jens Wiklander <[email protected]> wrote:
> > > >
> > > > Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
> > > > use an RPMB device via the RPBM subsystem instead of passing the RPMB
> > >
> > > s/RPBM/RPMB/
> > >
> > > Here are other places too in this patch-set.
> > >
> > > > frames via tee-supplicant in user space. A fallback mechanism is kept to
> > > > route RPMB frames via tee-supplicant if the RPMB subsystem isn't
> > > > available.
> > > >
> > > > The OP-TEE RPC ABI is extended to support iterating over all RPMB
> > > > devices until one is found with the expected RPMB key already
> > > > programmed.
> > >
> > > I would appreciate it if you could add a link to OP-TEE OS changes in
> > > the cover-letter although I have found them here [1].
> > >
> > > [1] https://github.com/jenswi-linaro/optee_os/commits/rpmb_probe/
> >
> > OK, I'll add a link in the coverletter of the next patch set.
> >
> > >
> > > >
> > > > Signed-off-by: Jens Wiklander <[email protected]>
> > > > ---
> > > > drivers/tee/optee/core.c | 55 +++++++
> > > > drivers/tee/optee/ffa_abi.c | 7 +
> > > > drivers/tee/optee/optee_private.h | 16 ++
> > > > drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
> > > > drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
> > > > drivers/tee/optee/smc_abi.c | 6 +
> > > > 6 files changed, 352 insertions(+)
> > > >
> > > > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> > > > index 3aed554bc8d8..6b32d3e7865b 100644
> > > > --- a/drivers/tee/optee/core.c
> > > > +++ b/drivers/tee/optee/core.c
> > > > @@ -11,6 +11,7 @@
> > > > #include <linux/io.h>
> > > > #include <linux/mm.h>
> > > > #include <linux/module.h>
> > > > +#include <linux/rpmb.h>
> > > > #include <linux/slab.h>
> > > > #include <linux/string.h>
> > > > #include <linux/tee_drv.h>
> > > > @@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> > > > shm->pages = NULL;
> > > > }
> > > >
> > > > +static void optee_rpmb_scan(struct work_struct *work)
> > > > +{
> > > > + struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
> > > > + bool scan_done = false;
> > > > + u32 res;
> > > > +
> > > > + do {
> > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > + /* No need to rescan if we haven't started scanning yet */
> > > > + optee->rpmb_dev_request_rescan = false;
> > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > +
> > > > + res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
> > > > + if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
> > >
> > > I suppose this hasn't been tested for a negative case since
> > > optee_enumerate_devices() won't return this error code (see [2]).
> > > However, I would prefer to use GP Client error code:
> > > TEEC_ERROR_ITEM_NOT_FOUND here instead.
> > >
> > > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tee/optee/device.c#n43
> >
> > I prefer TEE_ERROR_STORAGE_NOT_AVAILABLE since that's the code GP says
> > a TA should get when storage is unavailable.
> > TEEC_ERROR_ITEM_NOT_FOUND is less specific. Anyway, I'll need to
> > translate the code in get_devices().
>
> Okay, that's fair.
>
> >
> >
> > >
> > > > + pr_info("Scanning for RPMB device: res %#x\n", res);
> > > > +
> > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > + /*
> > > > + * If another RPMB device came online while scanning, scan one
> > > > + * more time, unless we have already found an RPBM device.
> > > > + */
> > > > + scan_done = (optee->rpmb_dev ||
> > >
> > > I suppose we don't need to check for optee->rpmb_dev here since a
> > > successful return from
> > > optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) would ensure that
> > > the RPMB device has been found.
> >
> > That makes sense, I'll check the return value instead.
> >
> > >
> > > > + !optee->rpmb_dev_request_rescan);
> > > > + optee->rpmb_dev_request_rescan = false;
> > > > + optee->rpmb_dev_scan_in_progress = !scan_done;
> > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > + } while (!scan_done);
> > > > +}
> > > > +
> > > > +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> > > > + struct rpmb_dev *rdev)
> > > > +{
> > > > + struct optee *optee = container_of(intf, struct optee, rpmb_intf);
> > > > + bool queue_work = true;
> > > > +
> > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > + if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
> > >
> > > Can we use work_pending() instead of our custom
> > > optee->rpmb_dev_scan_in_progress flag?
> >
> > That seems racy, or am I missing something?
> >
>
> You are right and even work_busy() is documented to provide unreliable
> results. So I am rather thinking about just queuing the work and
> thereby scanning for devices unconditionally. I suppose the extra
> logic to check if we don't try to register duplicate devices can go
> under optee_enumerate_devices().
>
> > >
> > > > + queue_work = false;
> > > > + if (optee->rpmb_dev_scan_in_progress)
> > > > + optee->rpmb_dev_request_rescan = true;
> > > > + }
> > > > + if (queue_work)
> > > > + optee->rpmb_dev_scan_in_progress = true;
> > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > +
> > > > + if (queue_work) {
> > > > + INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
> > > > + schedule_work(&optee->scan_rpmb_work);
> > >
> > > Can we reuse optee->scan_bus_work rather than introducing a new one here?
> >
> > No, both may be active at the same time.
>
> Actually both of them are using system_wq underneath, so it shouldn't
> be a problem if both are active at the same time as they can be queued
> simultaneously, right?
I'm sorry, I don't get it.
Are you suggesting to merge optee_rpmb_scan() and optee_bus_scan()?
If so, how to tell what to do, that is, if tee-supplicant has become
available or of we should scan for RPMB devices?
If not, you can only have one callback at a time in a work_struct.
>
> > We'd have to merge
> > optee_rpmb_scan() and optee_bus_scan(), but I'm not sure it's worth
> > it.
> >
> > >
> > > > + }
> > > > +}
> > > > +
> > > > static void optee_bus_scan(struct work_struct *work)
> > > > {
> > > > WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
> > > > @@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
> > > >
> > > > void optee_remove_common(struct optee *optee)
> > > > {
> > > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > > /* Unregister OP-TEE specific client devices on TEE bus */
> > > > optee_unregister_devices();
> > > >
> > > > @@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
> > > > tee_shm_pool_free(optee->pool);
> > > > optee_supp_uninit(&optee->supp);
> > > > mutex_destroy(&optee->call_queue.mutex);
> > > > + rpmb_dev_put(optee->rpmb_dev);
> > > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > > }
> > > >
> > > > static int smc_abi_rc;
> > > > diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> > > > index ecb5eb079408..befe19ecc30a 100644
> > > > --- a/drivers/tee/optee/ffa_abi.c
> > > > +++ b/drivers/tee/optee/ffa_abi.c
> > > > @@ -7,6 +7,7 @@
> > > >
> > > > #include <linux/arm_ffa.h>
> > > > #include <linux/errno.h>
> > > > +#include <linux/rpmb.h>
> > > > #include <linux/scatterlist.h>
> > > > #include <linux/sched.h>
> > > > #include <linux/slab.h>
> > > > @@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > optee_cq_init(&optee->call_queue, 0);
> > > > optee_supp_init(&optee->supp);
> > > > optee_shm_arg_cache_init(optee, arg_cache_flags);
> > > > + mutex_init(&optee->rpmb_dev_mutex);
> > > > ffa_dev_set_drvdata(ffa_dev, optee);
> > > > ctx = teedev_open(optee->teedev);
> > > > if (IS_ERR(ctx)) {
> > > > @@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > if (rc)
> > > > goto err_unregister_devices;
> > > >
> > > > + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> > > > + rpmb_interface_register(&optee->rpmb_intf);
> > > > pr_info("initialized driver\n");
> > > > return 0;
> > > >
> > > > @@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > teedev_close_context(ctx);
> > > > err_rhashtable_free:
> > > > rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
> > > > + rpmb_dev_put(optee->rpmb_dev);
> > > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > > optee_supp_uninit(&optee->supp);
> > > > mutex_destroy(&optee->call_queue.mutex);
> > > > mutex_destroy(&optee->ffa.mutex);
> > > > diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
> > > > index 7a5243c78b55..1e4c33baef43 100644
> > > > --- a/drivers/tee/optee/optee_private.h
> > > > +++ b/drivers/tee/optee/optee_private.h
> > > > @@ -8,6 +8,7 @@
> > > >
> > > > #include <linux/arm-smccc.h>
> > > > #include <linux/rhashtable.h>
> > > > +#include <linux/rpmb.h>
> > > > #include <linux/semaphore.h>
> > > > #include <linux/tee_drv.h>
> > > > #include <linux/types.h>
> > > > @@ -20,11 +21,13 @@
> > > > /* Some Global Platform error codes used in this driver */
> > > > #define TEEC_SUCCESS 0x00000000
> > > > #define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
> > > > +#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
> > > > #define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
> > > > #define TEEC_ERROR_COMMUNICATION 0xFFFF000E
> > > > #define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
> > > > #define TEEC_ERROR_BUSY 0xFFFF000D
> > > > #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
> > > > +#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
> > > >
> > > > #define TEEC_ORIGIN_COMMS 0x00000002
> > > >
> > > > @@ -197,6 +200,8 @@ struct optee_ops {
> > > > * @notif: notification synchronization struct
> > > > * @supp: supplicant synchronization struct for RPC to supplicant
> > > > * @pool: shared memory pool
> > > > + * @mutex: mutex protecting @rpmb_dev
> > > > + * @rpmb_dev: current RPMB device or NULL
> > > > * @rpc_param_count: If > 0 number of RPC parameters to make room for
> > > > * @scan_bus_done flag if device registation was already done.
> > > > * @scan_bus_work workq to scan optee bus and register optee drivers
> > > > @@ -215,9 +220,17 @@ struct optee {
> > > > struct optee_notif notif;
> > > > struct optee_supp supp;
> > > > struct tee_shm_pool *pool;
> > > > + /* Protects rpmb_dev pointer and rpmb_dev_* */
> > > > + struct mutex rpmb_dev_mutex;
> > >
> > > Given my comments above, do we really need this mutex?
> >
> > I don't see how we can do without the mutex.
>
> See if it is possible with the above mentioned approach.
I don't follow.
Thanks,
Jens
>
> -Sumit
On Wed, 3 Apr 2024 at 20:11, Jens Wiklander <[email protected]> wrote:
>
> On Wed, Apr 3, 2024 at 2:58 PM Sumit Garg <[email protected]> wrote:
> >
> > On Thu, 28 Mar 2024 at 21:39, Jens Wiklander <[email protected]> wrote:
> > >
> > > On Fri, Mar 1, 2024 at 11:28 AM Sumit Garg <sumit.garg@linaroorg> wrote:
> > > >
> > > > Hi Jens,
> > > >
> > > > On Tue, 27 Feb 2024 at 21:01, Jens Wiklander <jens.wiklander@linaroorg> wrote:
> > > > >
> > > > > Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
> > > > > use an RPMB device via the RPBM subsystem instead of passing the RPMB
> > > >
> > > > s/RPBM/RPMB/
> > > >
> > > > Here are other places too in this patch-set.
> > > >
> > > > > frames via tee-supplicant in user space. A fallback mechanism is kept to
> > > > > route RPMB frames via tee-supplicant if the RPMB subsystem isn't
> > > > > available.
> > > > >
> > > > > The OP-TEE RPC ABI is extended to support iterating over all RPMB
> > > > > devices until one is found with the expected RPMB key already
> > > > > programmed.
> > > >
> > > > I would appreciate it if you could add a link to OP-TEE OS changes in
> > > > the cover-letter although I have found them here [1].
> > > >
> > > > [1] https://github.com/jenswi-linaro/optee_os/commits/rpmb_probe/
> > >
> > > OK, I'll add a link in the coverletter of the next patch set.
> > >
> > > >
> > > > >
> > > > > Signed-off-by: Jens Wiklander <[email protected]>
> > > > > ---
> > > > > drivers/tee/optee/core.c | 55 +++++++
> > > > > drivers/tee/optee/ffa_abi.c | 7 +
> > > > > drivers/tee/optee/optee_private.h | 16 ++
> > > > > drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
> > > > > drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
> > > > > drivers/tee/optee/smc_abi.c | 6 +
> > > > > 6 files changed, 352 insertions(+)
> > > > >
> > > > > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> > > > > index 3aed554bc8d8..6b32d3e7865b 100644
> > > > > --- a/drivers/tee/optee/core.c
> > > > > +++ b/drivers/tee/optee/core.c
> > > > > @@ -11,6 +11,7 @@
> > > > > #include <linux/io.h>
> > > > > #include <linux/mm.h>
> > > > > #include <linux/module.h>
> > > > > +#include <linux/rpmb.h>
> > > > > #include <linux/slab.h>
> > > > > #include <linux/string.h>
> > > > > #include <linux/tee_drv.h>
> > > > > @@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> > > > > shm->pages = NULL;
> > > > > }
> > > > >
> > > > > +static void optee_rpmb_scan(struct work_struct *work)
> > > > > +{
> > > > > + struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
> > > > > + bool scan_done = false;
> > > > > + u32 res;
> > > > > +
> > > > > + do {
> > > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > > + /* No need to rescan if we haven't started scanning yet */
> > > > > + optee->rpmb_dev_request_rescan = false;
> > > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > > +
> > > > > + res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
> > > > > + if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
> > > >
> > > > I suppose this hasn't been tested for a negative case since
> > > > optee_enumerate_devices() won't return this error code (see [2]).
> > > > However, I would prefer to use GP Client error code:
> > > > TEEC_ERROR_ITEM_NOT_FOUND here instead.
> > > >
> > > > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tee/optee/device.c#n43
> > >
> > > I prefer TEE_ERROR_STORAGE_NOT_AVAILABLE since that's the code GP says
> > > a TA should get when storage is unavailable.
> > > TEEC_ERROR_ITEM_NOT_FOUND is less specific. Anyway, I'll need to
> > > translate the code in get_devices().
> >
> > Okay, that's fair.
> >
> > >
> > >
> > > >
> > > > > + pr_info("Scanning for RPMB device: res %#x\n", res);
> > > > > +
> > > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > > + /*
> > > > > + * If another RPMB device came online while scanning, scan one
> > > > > + * more time, unless we have already found an RPBM device.
> > > > > + */
> > > > > + scan_done = (optee->rpmb_dev ||
> > > >
> > > > I suppose we don't need to check for optee->rpmb_dev here since a
> > > > successful return from
> > > > optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) would ensure that
> > > > the RPMB device has been found.
> > >
> > > That makes sense, I'll check the return value instead.
> > >
> > > >
> > > > > + !optee->rpmb_dev_request_rescan);
> > > > > + optee->rpmb_dev_request_rescan = false;
> > > > > + optee->rpmb_dev_scan_in_progress = !scan_done;
> > > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > > + } while (!scan_done);
> > > > > +}
> > > > > +
> > > > > +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> > > > > + struct rpmb_dev *rdev)
> > > > > +{
> > > > > + struct optee *optee = container_of(intf, struct optee, rpmb_intf);
> > > > > + bool queue_work = true;
> > > > > +
> > > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > > + if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
> > > >
> > > > Can we use work_pending() instead of our custom
> > > > optee->rpmb_dev_scan_in_progress flag?
> > >
> > > That seems racy, or am I missing something?
> > >
> >
> > You are right and even work_busy() is documented to provide unreliable
> > results. So I am rather thinking about just queuing the work and
> > thereby scanning for devices unconditionally. I suppose the extra
> > logic to check if we don't try to register duplicate devices can go
> > under optee_enumerate_devices().
> >
> > > >
> > > > > + queue_work = false;
> > > > > + if (optee->rpmb_dev_scan_in_progress)
> > > > > + optee->rpmb_dev_request_rescan = true;
> > > > > + }
> > > > > + if (queue_work)
> > > > > + optee->rpmb_dev_scan_in_progress = true;
> > > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > > +
> > > > > + if (queue_work) {
> > > > > + INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
> > > > > + schedule_work(&optee->scan_rpmb_work);
> > > >
> > > > Can we reuse optee->scan_bus_work rather than introducing a new one here?
> > >
> > > No, both may be active at the same time.
> >
> > Actually both of them are using system_wq underneath, so it shouldn't
> > be a problem if both are active at the same time as they can be queued
> > simultaneously, right?
>
> I'm sorry, I don't get it.
> Are you suggesting to merge optee_rpmb_scan() and optee_bus_scan()?
> If so, how to tell what to do, that is, if tee-supplicant has become
> available or of we should scan for RPMB devices?
> If not, you can only have one callback at a time in a work_struct.
You are right, keep it as it is.
>
> >
> > > We'd have to merge
> > > optee_rpmb_scan() and optee_bus_scan(), but I'm not sure it's worth
> > > it.
> > >
> > > >
> > > > > + }
> > > > > +}
> > > > > +
> > > > > static void optee_bus_scan(struct work_struct *work)
> > > > > {
> > > > > WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
> > > > > @@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
> > > > >
> > > > > void optee_remove_common(struct optee *optee)
> > > > > {
> > > > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > > > /* Unregister OP-TEE specific client devices on TEE bus */
> > > > > optee_unregister_devices();
> > > > >
> > > > > @@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
> > > > > tee_shm_pool_free(optee->pool);
> > > > > optee_supp_uninit(&optee->supp);
> > > > > mutex_destroy(&optee->call_queue.mutex);
> > > > > + rpmb_dev_put(optee->rpmb_dev);
> > > > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > > > }
> > > > >
> > > > > static int smc_abi_rc;
> > > > > diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> > > > > index ecb5eb079408..befe19ecc30a 100644
> > > > > --- a/drivers/tee/optee/ffa_abi.c
> > > > > +++ b/drivers/tee/optee/ffa_abi.c
> > > > > @@ -7,6 +7,7 @@
> > > > >
> > > > > #include <linux/arm_ffa.h>
> > > > > #include <linux/errno.h>
> > > > > +#include <linux/rpmb.h>
> > > > > #include <linux/scatterlist.h>
> > > > > #include <linux/sched.h>
> > > > > #include <linux/slab.h>
> > > > > @@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > > optee_cq_init(&optee->call_queue, 0);
> > > > > optee_supp_init(&optee->supp);
> > > > > optee_shm_arg_cache_init(optee, arg_cache_flags);
> > > > > + mutex_init(&optee->rpmb_dev_mutex);
> > > > > ffa_dev_set_drvdata(ffa_dev, optee);
> > > > > ctx = teedev_open(optee->teedev);
> > > > > if (IS_ERR(ctx)) {
> > > > > @@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > > if (rc)
> > > > > goto err_unregister_devices;
> > > > >
> > > > > + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> > > > > + rpmb_interface_register(&optee->rpmb_intf);
> > > > > pr_info("initialized driver\n");
> > > > > return 0;
> > > > >
> > > > > @@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > > teedev_close_context(ctx);
> > > > > err_rhashtable_free:
> > > > > rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
> > > > > + rpmb_dev_put(optee->rpmb_dev);
> > > > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > > > optee_supp_uninit(&optee->supp);
> > > > > mutex_destroy(&optee->call_queue.mutex);
> > > > > mutex_destroy(&optee->ffa.mutex);
> > > > > diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
> > > > > index 7a5243c78b55..1e4c33baef43 100644
> > > > > --- a/drivers/tee/optee/optee_private.h
> > > > > +++ b/drivers/tee/optee/optee_private.h
> > > > > @@ -8,6 +8,7 @@
> > > > >
> > > > > #include <linux/arm-smccc.h>
> > > > > #include <linux/rhashtable.h>
> > > > > +#include <linux/rpmb.h>
> > > > > #include <linux/semaphore.h>
> > > > > #include <linux/tee_drv.h>
> > > > > #include <linux/types.h>
> > > > > @@ -20,11 +21,13 @@
> > > > > /* Some Global Platform error codes used in this driver */
> > > > > #define TEEC_SUCCESS 0x00000000
> > > > > #define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
> > > > > +#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
> > > > > #define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
> > > > > #define TEEC_ERROR_COMMUNICATION 0xFFFF000E
> > > > > #define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
> > > > > #define TEEC_ERROR_BUSY 0xFFFF000D
> > > > > #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
> > > > > +#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
> > > > >
> > > > > #define TEEC_ORIGIN_COMMS 0x00000002
> > > > >
> > > > > @@ -197,6 +200,8 @@ struct optee_ops {
> > > > > * @notif: notification synchronization struct
> > > > > * @supp: supplicant synchronization struct for RPC to supplicant
> > > > > * @pool: shared memory pool
> > > > > + * @mutex: mutex protecting @rpmb_dev
> > > > > + * @rpmb_dev: current RPMB device or NULL
> > > > > * @rpc_param_count: If > 0 number of RPC parameters to make room for
> > > > > * @scan_bus_done flag if device registation was already done.
> > > > > * @scan_bus_work workq to scan optee bus and register optee drivers
> > > > > @@ -215,9 +220,17 @@ struct optee {
> > > > > struct optee_notif notif;
> > > > > struct optee_supp supp;
> > > > > struct tee_shm_pool *pool;
> > > > > + /* Protects rpmb_dev pointer and rpmb_dev_* */
> > > > > + struct mutex rpmb_dev_mutex;
> > > >
> > > > Given my comments above, do we really need this mutex?
> > >
> > > I don't see how we can do without the mutex.
> >
> > See if it is possible with the above mentioned approach.
>
> I don't follow.
Probably my explanation above to handle complexity within
optee_enumerate_devices() wasn't clear. Let me try again:
- Schedule optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB)
unconditionally whenever a new RPMB device is registered.
- While registering OP-TEE devices (TA UUIDs), don't register
duplicate devices or better make the device pseudo TA to return the
UUID list only once when RPMB has been discovered successfully.
This would allow us to drop the fragile handling via
rpmb_dev_scan_in_progress under mutex, right?
-Sumit
On Fri, Apr 5, 2024 at 9:15 AM Sumit Garg <[email protected]> wrote:
>
> On Wed, 3 Apr 2024 at 20:11, Jens Wiklander <[email protected]> wrote:
> >
> > On Wed, Apr 3, 2024 at 2:58 PM Sumit Garg <[email protected]> wrote:
> > >
> > > On Thu, 28 Mar 2024 at 21:39, Jens Wiklander <[email protected]> wrote:
> > > >
> > > > On Fri, Mar 1, 2024 at 11:28 AM Sumit Garg <[email protected]> wrote:
> > > > >
> > > > > Hi Jens,
> > > > >
> > > > > On Tue, 27 Feb 2024 at 21:01, Jens Wiklander <[email protected]> wrote:
> > > > > >
> > > > > > Adds support in the OP-TEE drivers (both SMC and FF-A ABIs) to probe and
> > > > > > use an RPMB device via the RPBM subsystem instead of passing the RPMB
> > > > >
> > > > > s/RPBM/RPMB/
> > > > >
> > > > > Here are other places too in this patch-set.
> > > > >
> > > > > > frames via tee-supplicant in user space. A fallback mechanism is kept to
> > > > > > route RPMB frames via tee-supplicant if the RPMB subsystem isn't
> > > > > > available.
> > > > > >
> > > > > > The OP-TEE RPC ABI is extended to support iterating over all RPMB
> > > > > > devices until one is found with the expected RPMB key already
> > > > > > programmed.
> > > > >
> > > > > I would appreciate it if you could add a link to OP-TEE OS changes in
> > > > > the cover-letter although I have found them here [1].
> > > > >
> > > > > [1] https://github.com/jenswi-linaro/optee_os/commits/rpmb_probe/
> > > >
> > > > OK, I'll add a link in the coverletter of the next patch set.
> > > >
> > > > >
> > > > > >
> > > > > > Signed-off-by: Jens Wiklander <[email protected]>
> > > > > > ---
> > > > > > drivers/tee/optee/core.c | 55 +++++++
> > > > > > drivers/tee/optee/ffa_abi.c | 7 +
> > > > > > drivers/tee/optee/optee_private.h | 16 ++
> > > > > > drivers/tee/optee/optee_rpc_cmd.h | 35 +++++
> > > > > > drivers/tee/optee/rpc.c | 233 ++++++++++++++++++++++++++++++
> > > > > > drivers/tee/optee/smc_abi.c | 6 +
> > > > > > 6 files changed, 352 insertions(+)
> > > > > >
> > > > > > diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
> > > > > > index 3aed554bc8d8..6b32d3e7865b 100644
> > > > > > --- a/drivers/tee/optee/core.c
> > > > > > +++ b/drivers/tee/optee/core.c
> > > > > > @@ -11,6 +11,7 @@
> > > > > > #include <linux/io.h>
> > > > > > #include <linux/mm.h>
> > > > > > #include <linux/module.h>
> > > > > > +#include <linux/rpmb.h>
> > > > > > #include <linux/slab.h>
> > > > > > #include <linux/string.h>
> > > > > > #include <linux/tee_drv.h>
> > > > > > @@ -80,6 +81,57 @@ void optee_pool_op_free_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
> > > > > > shm->pages = NULL;
> > > > > > }
> > > > > >
> > > > > > +static void optee_rpmb_scan(struct work_struct *work)
> > > > > > +{
> > > > > > + struct optee *optee = container_of(work, struct optee, scan_rpmb_work);
> > > > > > + bool scan_done = false;
> > > > > > + u32 res;
> > > > > > +
> > > > > > + do {
> > > > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > > > + /* No need to rescan if we haven't started scanning yet */
> > > > > > + optee->rpmb_dev_request_rescan = false;
> > > > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > > > +
> > > > > > + res = optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB);
> > > > > > + if (res && res != TEE_ERROR_STORAGE_NOT_AVAILABLE)
> > > > >
> > > > > I suppose this hasn't been tested for a negative case since
> > > > > optee_enumerate_devices() won't return this error code (see [2]).
> > > > > However, I would prefer to use GP Client error code:
> > > > > TEEC_ERROR_ITEM_NOT_FOUND here instead.
> > > > >
> > > > > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/tee/optee/device.c#n43
> > > >
> > > > I prefer TEE_ERROR_STORAGE_NOT_AVAILABLE since that's the code GP says
> > > > a TA should get when storage is unavailable.
> > > > TEEC_ERROR_ITEM_NOT_FOUND is less specific. Anyway, I'll need to
> > > > translate the code in get_devices().
> > >
> > > Okay, that's fair.
> > >
> > > >
> > > >
> > > > >
> > > > > > + pr_info("Scanning for RPMB device: res %#x\n", res);
> > > > > > +
> > > > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > > > + /*
> > > > > > + * If another RPMB device came online while scanning, scan one
> > > > > > + * more time, unless we have already found an RPBM device.
> > > > > > + */
> > > > > > + scan_done = (optee->rpmb_dev ||
> > > > >
> > > > > I suppose we don't need to check for optee->rpmb_dev here since a
> > > > > successful return from
> > > > > optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) would ensure that
> > > > > the RPMB device has been found.
> > > >
> > > > That makes sense, I'll check the return value instead.
> > > >
> > > > >
> > > > > > + !optee->rpmb_dev_request_rescan);
> > > > > > + optee->rpmb_dev_request_rescan = false;
> > > > > > + optee->rpmb_dev_scan_in_progress = !scan_done;
> > > > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > > > + } while (!scan_done);
> > > > > > +}
> > > > > > +
> > > > > > +void optee_rpmb_intf_add_rdev(struct rpmb_interface *intf,
> > > > > > + struct rpmb_dev *rdev)
> > > > > > +{
> > > > > > + struct optee *optee = container_of(intf, struct optee, rpmb_intf);
> > > > > > + bool queue_work = true;
> > > > > > +
> > > > > > + mutex_lock(&optee->rpmb_dev_mutex);
> > > > > > + if (optee->rpmb_dev || optee->rpmb_dev_scan_in_progress) {
> > > > >
> > > > > Can we use work_pending() instead of our custom
> > > > > optee->rpmb_dev_scan_in_progress flag?
> > > >
> > > > That seems racy, or am I missing something?
> > > >
> > >
> > > You are right and even work_busy() is documented to provide unreliable
> > > results. So I am rather thinking about just queuing the work and
> > > thereby scanning for devices unconditionally. I suppose the extra
> > > logic to check if we don't try to register duplicate devices can go
> > > under optee_enumerate_devices().
> > >
> > > > >
> > > > > > + queue_work = false;
> > > > > > + if (optee->rpmb_dev_scan_in_progress)
> > > > > > + optee->rpmb_dev_request_rescan = true;
> > > > > > + }
> > > > > > + if (queue_work)
> > > > > > + optee->rpmb_dev_scan_in_progress = true;
> > > > > > + mutex_unlock(&optee->rpmb_dev_mutex);
> > > > > > +
> > > > > > + if (queue_work) {
> > > > > > + INIT_WORK(&optee->scan_rpmb_work, optee_rpmb_scan);
> > > > > > + schedule_work(&optee->scan_rpmb_work);
> > > > >
> > > > > Can we reuse optee->scan_bus_work rather than introducing a new one here?
> > > >
> > > > No, both may be active at the same time.
> > >
> > > Actually both of them are using system_wq underneath, so it shouldn't
> > > be a problem if both are active at the same time as they can be queued
> > > simultaneously, right?
> >
> > I'm sorry, I don't get it.
> > Are you suggesting to merge optee_rpmb_scan() and optee_bus_scan()?
> > If so, how to tell what to do, that is, if tee-supplicant has become
> > available or of we should scan for RPMB devices?
> > If not, you can only have one callback at a time in a work_struct.
>
> You are right, keep it as it is.
>
> >
> > >
> > > > We'd have to merge
> > > > optee_rpmb_scan() and optee_bus_scan(), but I'm not sure it's worth
> > > > it.
> > > >
> > > > >
> > > > > > + }
> > > > > > +}
> > > > > > +
> > > > > > static void optee_bus_scan(struct work_struct *work)
> > > > > > {
> > > > > > WARN_ON(optee_enumerate_devices(PTA_CMD_GET_DEVICES_SUPP));
> > > > > > @@ -161,6 +213,7 @@ void optee_release_supp(struct tee_context *ctx)
> > > > > >
> > > > > > void optee_remove_common(struct optee *optee)
> > > > > > {
> > > > > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > > > > /* Unregister OP-TEE specific client devices on TEE bus */
> > > > > > optee_unregister_devices();
> > > > > >
> > > > > > @@ -177,6 +230,8 @@ void optee_remove_common(struct optee *optee)
> > > > > > tee_shm_pool_free(optee->pool);
> > > > > > optee_supp_uninit(&optee->supp);
> > > > > > mutex_destroy(&optee->call_queue.mutex);
> > > > > > + rpmb_dev_put(optee->rpmb_dev);
> > > > > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > > > > }
> > > > > >
> > > > > > static int smc_abi_rc;
> > > > > > diff --git a/drivers/tee/optee/ffa_abi.c b/drivers/tee/optee/ffa_abi.c
> > > > > > index ecb5eb079408..befe19ecc30a 100644
> > > > > > --- a/drivers/tee/optee/ffa_abi.c
> > > > > > +++ b/drivers/tee/optee/ffa_abi.c
> > > > > > @@ -7,6 +7,7 @@
> > > > > >
> > > > > > #include <linux/arm_ffa.h>
> > > > > > #include <linux/errno.h>
> > > > > > +#include <linux/rpmb.h>
> > > > > > #include <linux/scatterlist.h>
> > > > > > #include <linux/sched.h>
> > > > > > #include <linux/slab.h>
> > > > > > @@ -934,6 +935,7 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > > > optee_cq_init(&optee->call_queue, 0);
> > > > > > optee_supp_init(&optee->supp);
> > > > > > optee_shm_arg_cache_init(optee, arg_cache_flags);
> > > > > > + mutex_init(&optee->rpmb_dev_mutex);
> > > > > > ffa_dev_set_drvdata(ffa_dev, optee);
> > > > > > ctx = teedev_open(optee->teedev);
> > > > > > if (IS_ERR(ctx)) {
> > > > > > @@ -955,6 +957,8 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > > > if (rc)
> > > > > > goto err_unregister_devices;
> > > > > >
> > > > > > + optee->rpmb_intf.add_rdev = optee_rpmb_intf_add_rdev;
> > > > > > + rpmb_interface_register(&optee->rpmb_intf);
> > > > > > pr_info("initialized driver\n");
> > > > > > return 0;
> > > > > >
> > > > > > @@ -968,6 +972,9 @@ static int optee_ffa_probe(struct ffa_device *ffa_dev)
> > > > > > teedev_close_context(ctx);
> > > > > > err_rhashtable_free:
> > > > > > rhashtable_free_and_destroy(&optee->ffa.global_ids, rh_free_fn, NULL);
> > > > > > + rpmb_dev_put(optee->rpmb_dev);
> > > > > > + mutex_destroy(&optee->rpmb_dev_mutex);
> > > > > > + rpmb_interface_unregister(&optee->rpmb_intf);
> > > > > > optee_supp_uninit(&optee->supp);
> > > > > > mutex_destroy(&optee->call_queue.mutex);
> > > > > > mutex_destroy(&optee->ffa.mutex);
> > > > > > diff --git a/drivers/tee/optee/optee_private.h b/drivers/tee/optee/optee_private.h
> > > > > > index 7a5243c78b55..1e4c33baef43 100644
> > > > > > --- a/drivers/tee/optee/optee_private.h
> > > > > > +++ b/drivers/tee/optee/optee_private.h
> > > > > > @@ -8,6 +8,7 @@
> > > > > >
> > > > > > #include <linux/arm-smccc.h>
> > > > > > #include <linux/rhashtable.h>
> > > > > > +#include <linux/rpmb.h>
> > > > > > #include <linux/semaphore.h>
> > > > > > #include <linux/tee_drv.h>
> > > > > > #include <linux/types.h>
> > > > > > @@ -20,11 +21,13 @@
> > > > > > /* Some Global Platform error codes used in this driver */
> > > > > > #define TEEC_SUCCESS 0x00000000
> > > > > > #define TEEC_ERROR_BAD_PARAMETERS 0xFFFF0006
> > > > > > +#define TEEC_ERROR_ITEM_NOT_FOUND 0xFFFF0008
> > > > > > #define TEEC_ERROR_NOT_SUPPORTED 0xFFFF000A
> > > > > > #define TEEC_ERROR_COMMUNICATION 0xFFFF000E
> > > > > > #define TEEC_ERROR_OUT_OF_MEMORY 0xFFFF000C
> > > > > > #define TEEC_ERROR_BUSY 0xFFFF000D
> > > > > > #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010
> > > > > > +#define TEE_ERROR_STORAGE_NOT_AVAILABLE 0xF0100003
> > > > > >
> > > > > > #define TEEC_ORIGIN_COMMS 0x00000002
> > > > > >
> > > > > > @@ -197,6 +200,8 @@ struct optee_ops {
> > > > > > * @notif: notification synchronization struct
> > > > > > * @supp: supplicant synchronization struct for RPC to supplicant
> > > > > > * @pool: shared memory pool
> > > > > > + * @mutex: mutex protecting @rpmb_dev
> > > > > > + * @rpmb_dev: current RPMB device or NULL
> > > > > > * @rpc_param_count: If > 0 number of RPC parameters to make room for
> > > > > > * @scan_bus_done flag if device registation was already done.
> > > > > > * @scan_bus_work workq to scan optee bus and register optee drivers
> > > > > > @@ -215,9 +220,17 @@ struct optee {
> > > > > > struct optee_notif notif;
> > > > > > struct optee_supp supp;
> > > > > > struct tee_shm_pool *pool;
> > > > > > + /* Protects rpmb_dev pointer and rpmb_dev_* */
> > > > > > + struct mutex rpmb_dev_mutex;
> > > > >
> > > > > Given my comments above, do we really need this mutex?
> > > >
> > > > I don't see how we can do without the mutex.
> > >
> > > See if it is possible with the above mentioned approach.
> >
> > I don't follow.
>
> Probably my explanation above to handle complexity within
> optee_enumerate_devices() wasn't clear. Let me try again:
>
> - Schedule optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB)
> unconditionally whenever a new RPMB device is registered.
> - While registering OP-TEE devices (TA UUIDs), don't register
> duplicate devices or better make the device pseudo TA to return the
> UUID list only once when RPMB has been discovered successfully.
>
> This would allow us to drop the fragile handling via
> rpmb_dev_scan_in_progress under mutex, right?
I got it now. I'll do that in the v4. Thanks for your patience. :-)
Cheers,
Jens