Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp1730758imi; Sat, 23 Jul 2022 15:51:26 -0700 (PDT) X-Google-Smtp-Source: AGRyM1tSLXfQFqxLYCR0Ejy+XF5XGILC3+1GM/+Ixx3hmr60euWakCa9ZgdfLzcW5S4BwLLumO3z X-Received: by 2002:a62:6545:0:b0:52b:6daa:1540 with SMTP id z66-20020a626545000000b0052b6daa1540mr6303120pfb.29.1658616685930; Sat, 23 Jul 2022 15:51:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658616685; cv=none; d=google.com; s=arc-20160816; b=KqagZ5A/AphRLzyb9WZfqjf2vFn6x/QTxT4tNgmsrMdl9LnyOJIoKSzLro12wjKGHq jsgumQDlcyBwHhoT60c/rWAviYeTdrRtkt7b7STjj7DRFpDbo19sxC7OMt6pjMlo9FVN M8UhF8fMvmuUACofeLLUr0ViMc4PvTHUdezZD4TFnpHSRpbpW4/itkPbgflggEgCHHks 89G+5fUQ9Hh6jyaEQjfKEqj4eD/8Qd8wshhtsgW3IpM6+73v2/eLqoP+MSvD/RNyURV8 CuPZDCNR1DMFXRKIQn5iJFx5DTVtqudrbnNN43rtDWnrmjCnJ+9YOSidNSj4PwcVC6cm GiQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=9+SGmh+zQFQNeqS1nDQMpNKAHLBf8ILAcQLa/iYZ68w=; b=tC/Ia827EMbBz6Fzgn0CZxO6Q20pSm/WK9Pm7r++tXXY1WVSl41Z9/H44TbFI9bG5Z GEarFsMQVaJa2AXvdNJezEd7VFyGjYEphOSnMACI2gqs5VIn5j73fi6Eymo6+dcrPgyV 3zsGeIDfa+vcm6F55nbtEOAdbQOtZEckEhHhgcj0CUWr75r8PbsibQom2w1/SVA5/h+d lYVFDnvnaD+eBMFWPJ+X46/d2O3ULbCAw8FWxNm/pRGsZ9/nnjejJa9xvgPzyJL+D8KZ qzA0Us71JNVfCJlWH9JvDO0hbAaplGUjcNJSKsfTUCn3oZYK5rDVTtxCHAqM4nJ09ujy rGwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=I6zZngK3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bi4-20020a170902bf0400b0016ca4b6f18fsi9111311plb.63.2022.07.23.15.51.09; Sat, 23 Jul 2022 15:51:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=I6zZngK3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229473AbiGWWuU (ORCPT + 99 others); Sat, 23 Jul 2022 18:50:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42502 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229875AbiGWWuS (ORCPT ); Sat, 23 Jul 2022 18:50:18 -0400 Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34D605FF7; Sat, 23 Jul 2022 15:50:16 -0700 (PDT) Received: by mail-wm1-x329.google.com with SMTP id v67-20020a1cac46000000b003a1888b9d36so7195278wme.0; Sat, 23 Jul 2022 15:50:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=9+SGmh+zQFQNeqS1nDQMpNKAHLBf8ILAcQLa/iYZ68w=; b=I6zZngK3VVgtj67O2D5LjmT+jF8X+BMMukA7BCYamHgUJ8AvTIMrz53CKg0wpvK/3a sNl6U/bDUcqN6z8l+3d4MK/ARRO8iM/DYSLuss7o7T0hfx3aYB6zR18ZbrCd/83KntJA 0donLFzZHADhxPKFgsdpejxV1A5M1efs/UHpMy78nmCP3oHPh9BqeWwkomtjxkWLG0/U XV4o2NsxozeZDe7t+E5Z0cMhvVtgN67lxFfLrzHO3KPM/wbVUeWseGEnMSxPU16psKVZ 2VvpPX/nVJ8CZ5MlwjdAbRm2/FsY5cU+7y+46XS5pSFSckGNIIp42bmZsISm6xBdXkJN svyg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=9+SGmh+zQFQNeqS1nDQMpNKAHLBf8ILAcQLa/iYZ68w=; b=tiCKd21Or54cCFq6bE6EvU7y4CzukRmCLgSViNqOkSsa8U0qNKCLsXiYgvXNywwXlf r98agPfOd9N2kVn8tJKYx/d3piyLHg9s1aH/7n70G7MDTKyACdtZJoGaIzC7DP+msunl vo9qLvJ5hN58vatBoJ0P3K/xCND+7r/UCL9k6mXGQv0aKrdinYWuOkWHPp/ja6IHi8zA ZlBqetx6ea5XjcfZPtfOBS/zX4xcQI3NsPIWS198V3ZJ1cB6UZOqsnufCvy4qEoH77IK 2NCUxS4sPb4rs1WY8/bXX65VT0h9A+Ao5/oDlxb9oW1RIqm8GhRrGGYryVOvS7RPOiub 56JA== X-Gm-Message-State: AJIora8GvR5Flnhfb2bdPNswVvjNxtEXqrfKnGxXk+tcFTdcCvv5ngiG 1fl0xNXWKi0EYSyv7bJUf2kBs2tHIdQ= X-Received: by 2002:a7b:cd15:0:b0:3a3:1d69:5201 with SMTP id f21-20020a7bcd15000000b003a31d695201mr3909731wmj.10.1658616614468; Sat, 23 Jul 2022 15:50:14 -0700 (PDT) Received: from xws.localdomain (pd9ea3743.dip0.t-ipconnect.de. [217.234.55.67]) by smtp.gmail.com with ESMTPSA id x3-20020adff0c3000000b0021deba99142sm7799284wro.40.2022.07.23.15.50.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 23 Jul 2022 15:50:14 -0700 (PDT) From: Maximilian Luz To: Andy Gross , Bjorn Andersson , Ard Biesheuvel Cc: Konrad Dybcio , Rob Herring , Krzysztof Kozlowski , Steev Klimaszewski , Shawn Guo , Sudeep Holla , Cristian Marussi , Greg Kroah-Hartman , linux-arm-msm@vger.kernel.org, linux-efi@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, Maximilian Luz Subject: [PATCH 0/4] firmware: Add support for Qualcomm UEFI Secure Application Date: Sun, 24 Jul 2022 00:49:45 +0200 Message-Id: <20220723224949.1089973-1-luzmaximilian@gmail.com> X-Mailer: git-send-email 2.37.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On modern Qualcomm platforms, access to EFI variables is restricted to the secure world / TrustZone, i.e. the Trusted Execution Environment (TrEE or TEE) as Qualcomm seems to call it. To access EFI variables, we therefore need to talk to the UEFI Secure Application (uefisecapp), residing in the TrEE. This series adds support for accessing EFI variables on those platforms. To do this, we first need to add some SCM call functions used to manage and talk to Secure Applications. A very small subset of this interface is added in the second patch (whereas the first one exports the required functions for that). Interface specifications are extracted from [1]. While this does not (yet) support re-entrant SCM calls (including callbacks and listeners), this is enough to talk to the aforementioned uefisecapp on a couple of platforms (I've tested this on a Surface Pro X and heard reports from Lenovo Flex 5G, Lenovo Thinkpad x13s, and Lenovo Yoga C630 devices). The third patch adds a client driver for uefisecapp, installing the respective efivar operations. The application interface has been reverse engineered from the Windows QcTrEE8180.sys driver. Apart from uefisecapp, there are more Secure Applications running that we might want to support in the future. For example, on the Surface Pro X (sc8180x-based), the TPM is also managed via one. I'm not sure whether this should go to drivers/firmware or to drivers/soc/qcom. I've put this into firmware as all of this is essentially an interface to the secure firmware running in the TrustZone (and SCM stuff is handled here already), but please let me know if I should move this. Regards, Max [1]: https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/blob/auto-kernel.lnx.4.14.c34/drivers/misc/qseecom.c Maximilian Luz (4): firmware: qcom_scm: Export SCM call functions firmware: Add support for Qualcomm Trusted Execution Environment SCM calls firmware: Add support for Qualcomm UEFI Secure Application dt-bindings: firmware: Add Qualcomm UEFI Secure Application client .../firmware/qcom,tee-uefisecapp.yaml | 38 + MAINTAINERS | 14 + drivers/firmware/Kconfig | 20 + drivers/firmware/Makefile | 2 + drivers/firmware/qcom_scm.c | 118 ++- drivers/firmware/qcom_scm.h | 47 -- drivers/firmware/qcom_tee.c | 213 +++++ drivers/firmware/qcom_tee_uefisecapp.c | 761 ++++++++++++++++++ include/linux/qcom_scm.h | 49 ++ include/linux/qcom_tee.h | 179 ++++ 10 files changed, 1355 insertions(+), 86 deletions(-) create mode 100644 Documentation/devicetree/bindings/firmware/qcom,tee-uefisecapp.yaml create mode 100644 drivers/firmware/qcom_tee.c create mode 100644 drivers/firmware/qcom_tee_uefisecapp.c create mode 100644 include/linux/qcom_tee.h -- 2.37.1