
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
  4. */
  5. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  6. #include <linux/firmware/qcom/qcom_scm.h>
  7. #include <linux/mm.h>
  8. #include "qcomtee.h"
  9. /**
  10. * DOC: Memory and Mapping Objects
  11. *
  12. * QTEE uses memory objects for memory sharing with Linux.
  13. * A memory object can be a standard dma_buf or a contiguous memory range,
  14. * e.g., tee_shm. A memory object should support one operation: map. When
  15. * invoked by QTEE, a mapping object is generated. A mapping object supports
  16. * one operation: unmap.
  17. *
  18. * (1) To map a memory object, QTEE invokes the primordial object with
  19. * %QCOMTEE_OBJECT_OP_MAP_REGION operation; see
  20. * qcomtee_primordial_obj_dispatch().
  21. * (2) To unmap a memory object, QTEE releases the mapping object which
  22. * calls qcomtee_mem_object_release().
  23. *
  24. * The map operation is implemented in the primordial object as a privileged
  25. * operation instead of qcomtee_mem_object_dispatch(). Otherwise, on
  26. * platforms without shm_bridge, a user can trick QTEE into writing to the
  27. * kernel memory by passing a user object as a memory object and returning a
  28. * random physical address as the result of the mapping request.
  29. */
/*
 * A memory object: a tee_shm wrapped in a &struct qcomtee_object so that
 * QTEE can refer to it. Created by qcomtee_memobj_param_to_object() and
 * freed by qcomtee_mem_object_release().
 */
struct qcomtee_mem_object {
	struct qcomtee_object object;
	struct tee_shm *shm; /* Referenced; put in the release callback. */
	/* QTEE requires these fields to be page aligned. */
	phys_addr_t paddr; /* Physical address of range. */
	size_t size; /* Size of the range. */
};
/* Get the enclosing &struct qcomtee_mem_object from its embedded object. */
#define to_qcomtee_mem_object(o) \
	container_of((o), struct qcomtee_mem_object, object)

/* Defined below; is_qcomtee_memobj_object() needs its address earlier. */
static struct qcomtee_object_operations qcomtee_mem_object_ops;
/*
 * Is it a memory object using tee_shm?
 *
 * Only a non-NULL callback object whose ops table is our own qualifies;
 * the ops comparison is what distinguishes it from other CB objects.
 */
int is_qcomtee_memobj_object(struct qcomtee_object *object)
{
	if (object == NULL_QCOMTEE_OBJECT)
		return 0;

	if (typeof_qcomtee_object(object) != QCOMTEE_OBJECT_TYPE_CB)
		return 0;

	return object->ops == &qcomtee_mem_object_ops;
}
/*
 * Memory objects accept no direct invocations. The only operation QTEE
 * performs on them (map) is handled by the primordial object instead; see
 * the DOC comment at the top of this file. Anything reaching here is
 * rejected.
 */
static int qcomtee_mem_object_dispatch(struct qcomtee_object_invoke_ctx *oic,
				       struct qcomtee_object *object, u32 op,
				       struct qcomtee_arg *args)
{
	return -EINVAL;
}
/*
 * Release callback for a memory object: drops the tee_shm reference taken
 * in qcomtee_memobj_param_to_object() and frees the wrapper.
 */
static void qcomtee_mem_object_release(struct qcomtee_object *object)
{
	struct qcomtee_mem_object *mo = to_qcomtee_mem_object(object);
	struct tee_shm *shm = mo->shm;

	/* Matching get is in qcomtee_memobj_param_to_object(). */
	tee_shm_put(shm);
	kfree(mo);
}
/* Operations of a memory object; also used to recognize one, see is_qcomtee_memobj_object(). */
static struct qcomtee_object_operations qcomtee_mem_object_ops = {
	.release = qcomtee_mem_object_release,
	.dispatch = qcomtee_mem_object_dispatch,
};
/**
 * qcomtee_memobj_param_to_object() - OBJREF parameter to &struct qcomtee_object.
 * @object: object returned.
 * @param: TEE parameter.
 * @ctx: context in which the conversion should happen.
 *
 * @param is an OBJREF with %QCOMTEE_OBJREF_FLAG_MEM flags. The shm is looked
 * up by id in @ctx only, so an id from another context is not resolvable
 * here. The reference obtained from tee_shm_get_from_id() is kept by the
 * memory object and dropped in qcomtee_mem_object_release().
 *
 * NOTE(review): shm->paddr and shm->size are copied as-is; this relies on
 * the shm having been allocated as a physically contiguous range that is
 * safe to expose to QTEE -- confirm against the driver's shm pool.
 *
 * Return: On success return 0 or <0 on failure.
 */
int qcomtee_memobj_param_to_object(struct qcomtee_object **object,
				   struct tee_param *param,
				   struct tee_context *ctx)
{
	struct qcomtee_mem_object *mo __free(kfree) = kzalloc_obj(*mo);
	struct tee_shm *shm;
	int ret;

	if (!mo)
		return -ENOMEM;

	shm = tee_shm_get_from_id(ctx, param->u.objref.id);
	if (IS_ERR(shm))
		return PTR_ERR(shm);

	/* mem-object wrapping the memref. */
	ret = qcomtee_object_user_init(&mo->object, QCOMTEE_OBJECT_TYPE_CB,
				       &qcomtee_mem_object_ops, "tee-shm-%d",
				       shm->id);
	if (ret) {
		tee_shm_put(shm);
		return ret;
	}

	mo->shm = shm;
	mo->paddr = shm->paddr;
	mo->size = shm->size;

	/* Ownership moves to the caller; cancel the scope-based kfree. */
	*object = &no_free_ptr(mo)->object;

	return 0;
}
/**
 * qcomtee_memobj_param_from_object() - Reverse what qcomtee_memobj_param_to_object() does.
 * @param: TEE parameter to fill.
 * @object: memory object; the caller must already know it is one, the
 *          container_of() below is unchecked.
 * @ctx: context the parameter is handed to.
 *
 * The shm id is only handed back to the context the shm was created in.
 * On success the reference held on @object is dropped; on -EINVAL it is
 * not, so the caller presumably still owns it -- verify at the call sites.
 *
 * Return: On success return 0 or <0 on failure.
 */
int qcomtee_memobj_param_from_object(struct tee_param *param,
				     struct qcomtee_object *object,
				     struct tee_context *ctx)
{
	struct qcomtee_mem_object *mo = to_qcomtee_mem_object(object);
	struct tee_shm *shm = mo->shm;

	/* Ensure the memobj belongs to the context it originated from. */
	if (shm->ctx != ctx)
		return -EINVAL;

	param->u.objref.id = shm->id;
	param->u.objref.flags = QCOMTEE_OBJREF_FLAG_MEM;

	/* The id now goes to userspace; drop our reference. */
	qcomtee_object_put(object);

	return 0;
}
/**
 * qcomtee_mem_object_map() - Map a memory object.
 * @object: memory object.
 * @map_object: created mapping object.
 * @mem_paddr: physical address of the memory.
 * @mem_size: size of the memory.
 * @perms: QTEE access permissions.
 *
 * There is no separate mapping object: the memory object itself is handed
 * back with an extra reference, which QTEE releases to unmap. Permissions
 * are always %QCOM_SCM_PERM_RW; read-only sharing is not expressed here.
 *
 * Return: On success return 0 or <0 on failure.
 */
int qcomtee_mem_object_map(struct qcomtee_object *object,
			   struct qcomtee_object **map_object, u64 *mem_paddr,
			   u64 *mem_size, u32 *perms)
{
	struct qcomtee_mem_object *mo = to_qcomtee_mem_object(object);

	*mem_paddr = mo->paddr;
	*mem_size = mo->size;
	*perms = QCOM_SCM_PERM_RW;

	/* Reuse the memory object as the mapping object by re-sharing it. */
	qcomtee_object_get(&mo->object);
	*map_object = &mo->object;

	return 0;
}