Tee-dev

tee-dev@lists.linaro.org

291 discussions

[PATCH] optee: Fix multi page dynamic shm pool alloc

by Sumit Garg

optee_shm_register() expected pages to be passed as an array of page pointers rather than as an array of contiguous pages. So fix that via correctly passing pages as per expectation. Fixes: a249dd200d03 ("tee: optee: Fix dynamic shm pool allocations") Reported-by: Vincent Cao <vincent.t.cao(a)intel.com> Signed-off-by: Sumit Garg <sumit.garg(a)linaro.org> Tested-by: Vincent Cao <vincent.t.cao(a)intel.com> --- drivers/tee/optee/shm_pool.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/tee/optee/shm_pool.c b/drivers/tee/optee/shm_pool.c index 0332a53..85aa5bb 100644 --- a/drivers/tee/optee/shm_pool.c +++ b/drivers/tee/optee/shm_pool.c @@ -28,8 +28,20 @@ static int pool_op_alloc(struct tee_shm_pool_mgr *poolm, shm->size = PAGE_SIZE << order; if (shm->flags & TEE_SHM_DMA_BUF) { + unsigned int nr_pages = 1 << order, i; + struct page **pages; + + pages = kcalloc(nr_pages, sizeof(pages), GFP_KERNEL); + if (!pages) + return -ENOMEM; + + for (i = 0; i < nr_pages; i++) { + pages[i] = page; + page++; + } + shm->flags |= TEE_SHM_REGISTER; - rc = optee_shm_register(shm->ctx, shm, &page, 1 << order, + rc = optee_shm_register(shm->ctx, shm, pages, nr_pages, (unsigned long)shm->kaddr); } -- 2.7.4

5 years, 4 months

[RFC PATCH v3 0/4] TEE driver for AMD APUs

by Rijo Thomas

This patch series introduces Trusted Execution Environment (TEE) driver for AMD APU enabled systems. The TEE is a secure area of a processor which ensures that sensitive data is stored, processed and protected in an isolated and trusted environment. The AMD Secure Processor is a dedicated processor which provides TEE to enable HW platform security. It offers protection against software attacks generated in Rich Operating System (Rich OS) such as Linux running on x86. The AMD-TEE Trusted OS running on AMD Secure Processor allows loading and execution of security sensitive applications called Trusted Applications (TAs). An example of a TA would be a DRM (Digital Rights Management) TA written to enforce content protection. Linux already provides a tee subsystem, which is described in [1]. The tee subsystem provides a generic TEE ioctl interface which can be used by user space to talk to a TEE driver. AMD-TEE driver registers with tee subsystem and implements tee function callbacks in an AMD platform specific manner. The following TEE commands are recognized by AMD-TEE Trusted OS: 1. TEE_CMD_ID_LOAD_TA : Load Trusted Application (TA) binary into TEE environment 2. TEE_CMD_ID_UNLOAD_TA : Unload TA binary from TEE environment 3. TEE_CMD_ID_OPEN_SESSION : Open session with loaded TA 4. TEE_CMD_ID_CLOSE_SESSION : Close session with loaded TA 5. TEE_CMD_ID_INVOKE_CMD : Invoke a command with loaded TA 6. TEE_CMD_ID_MAP_SHARED_MEM : Map shared memory 7. TEE_CMD_ID_UNMAP_SHARED_MEM : Unmap shared memory Each command has its own payload format. The AMD-TEE driver creates a command buffer payload for submission to AMD-TEE Trusted OS. This patch series has a dependency on another patch set titled - Add TEE interface support to AMD Secure Processor driver. Link: https://lkml.org/lkml/2019/12/4/42 v3: * Updated [1] with driver details v2: * Added a helper API in AMD Secure Processor driver, which can be called by AMD-TEE driver during module init to check if TEE is present on the device * Added proper checks for parameter attribute variable * Used tee_shm_pool_alloc() to allocate struct tee_shm_pool data structure * Removed all references to tee_private.h header file in driver code, except for the file drivers/tee/amdtee/core.c. The driver loads TA binary by calling request_firmware(), which takes struct device* as one of its arguments. The device 'dev' field is part of struct tee_device, defined in tee_private.h [1] https://www.kernel.org/doc/Documentation/tee.txt Rijo Thomas (4): tee: allow compilation of tee subsystem for AMD CPUs tee: add AMD-TEE driver tee: amdtee: check TEE status during driver initialization Documentation: tee: add AMD-TEE driver details Documentation/tee.txt | 81 ++++++ drivers/crypto/ccp/tee-dev.c | 11 + drivers/tee/Kconfig | 4 +- drivers/tee/Makefile | 1 + drivers/tee/amdtee/Kconfig | 8 + drivers/tee/amdtee/Makefile | 5 + drivers/tee/amdtee/amdtee_if.h | 183 +++++++++++++ drivers/tee/amdtee/amdtee_private.h | 159 +++++++++++ drivers/tee/amdtee/call.c | 373 ++++++++++++++++++++++++++ drivers/tee/amdtee/core.c | 516 ++++++++++++++++++++++++++++++++++++ drivers/tee/amdtee/shm_pool.c | 93 +++++++ include/linux/psp-tee.h | 18 ++ include/uapi/linux/tee.h | 1 + 13 files changed, 1451 insertions(+), 2 deletions(-) create mode 100644 drivers/tee/amdtee/Kconfig create mode 100644 drivers/tee/amdtee/Makefile create mode 100644 drivers/tee/amdtee/amdtee_if.h create mode 100644 drivers/tee/amdtee/amdtee_private.h create mode 100644 drivers/tee/amdtee/call.c create mode 100644 drivers/tee/amdtee/core.c create mode 100644 drivers/tee/amdtee/shm_pool.c -- 1.9.1

5 years, 4 months

[PATCH v3] optee: model OP-TEE as a platform device/driver

by Ard Biesheuvel

To simplify adding ACPI support to the OP-TEE driver, model it as a platform driver. This will permit us to use the generic device property layer for parsing additional properties, regardless of whether DT or ACPI is being used. Note that this change will result in the OP-TEE driver to be loaded automatically on systems that advertise the presence of OP-TEE via the device tree. Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- v3: Reshuffle the code a bit to make it apply to v5.5-rc1. Note that this puts the call to optee_enumerate_devices() back into the .probe() routine, as the init routine is being removed. drivers/tee/optee/core.c | 153 ++++++++------------ 1 file changed, 64 insertions(+), 89 deletions(-) diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c index b830e0a87fba..9bda2f466f39 100644 --- a/drivers/tee/optee/core.c +++ b/drivers/tee/optee/core.c @@ -534,13 +534,13 @@ static void optee_smccc_hvc(unsigned long a0, unsigned long a1, arm_smccc_hvc(a0, a1, a2, a3, a4, a5, a6, a7, res); } -static optee_invoke_fn *get_invoke_func(struct device_node *np) +static optee_invoke_fn *get_invoke_func(struct device *dev) { const char *method; - pr_info("probing for conduit method from DT.\n"); + pr_info("probing for conduit method.\n"); - if (of_property_read_string(np, "method", &method)) { + if (device_property_read_string(dev, "method", &method)) { pr_warn("missing \"method\" property\n"); return ERR_PTR(-ENXIO); } @@ -554,7 +554,37 @@ static optee_invoke_fn *get_invoke_func(struct device_node *np) return ERR_PTR(-EINVAL); } -static struct optee *optee_probe(struct device_node *np) +static int optee_remove(struct platform_device *pdev) +{ + struct optee *optee = platform_get_drvdata(pdev); + + /* + * Ask OP-TEE to free all cached shared memory objects to decrease + * reference counters and also avoid wild pointers in secure world + * into the old shared memory range. + */ + optee_disable_shm_cache(optee); + + /* + * The two devices have to be unregistered before we can free the + * other resources. + */ + tee_device_unregister(optee->supp_teedev); + tee_device_unregister(optee->teedev); + + tee_shm_pool_free(optee->pool); + if (optee->memremaped_shm) + memunmap(optee->memremaped_shm); + optee_wait_queue_exit(&optee->wait_queue); + optee_supp_uninit(&optee->supp); + mutex_destroy(&optee->call_queue.mutex); + + kfree(optee); + + return 0; +} + +static int optee_probe(struct platform_device *pdev) { optee_invoke_fn *invoke_fn; struct tee_shm_pool *pool = ERR_PTR(-EINVAL); @@ -564,25 +594,25 @@ static struct optee *optee_probe(struct device_node *np) u32 sec_caps; int rc; - invoke_fn = get_invoke_func(np); + invoke_fn = get_invoke_func(&pdev->dev); if (IS_ERR(invoke_fn)) - return (void *)invoke_fn; + return PTR_ERR(invoke_fn); if (!optee_msg_api_uid_is_optee_api(invoke_fn)) { pr_warn("api uid mismatch\n"); - return ERR_PTR(-EINVAL); + return -EINVAL; } optee_msg_get_os_revision(invoke_fn); if (!optee_msg_api_revision_is_compatible(invoke_fn)) { pr_warn("api revision mismatch\n"); - return ERR_PTR(-EINVAL); + return -EINVAL; } if (!optee_msg_exchange_capabilities(invoke_fn, &sec_caps)) { pr_warn("capabilities mismatch\n"); - return ERR_PTR(-EINVAL); + return -EINVAL; } /* @@ -598,7 +628,7 @@ static struct optee *optee_probe(struct device_node *np) pool = optee_config_shm_memremap(invoke_fn, &memremaped_shm); if (IS_ERR(pool)) - return (void *)pool; + return PTR_ERR(pool); optee = kzalloc(sizeof(*optee), GFP_KERNEL); if (!optee) { @@ -643,7 +673,16 @@ static struct optee *optee_probe(struct device_node *np) if (optee->sec_caps & OPTEE_SMC_SEC_CAP_DYNAMIC_SHM) pr_info("dynamic shared memory is enabled\n"); - return optee; + platform_set_drvdata(pdev, optee); + + rc = optee_enumerate_devices(); + if (rc) { + optee_remove(pdev); + return rc; + } + + pr_info("initialized driver\n"); + return 0; err: if (optee) { /* @@ -659,92 +698,28 @@ static struct optee *optee_probe(struct device_node *np) tee_shm_pool_free(pool); if (memremaped_shm) memunmap(memremaped_shm); - return ERR_PTR(rc); -} - -static void optee_remove(struct optee *optee) -{ - /* - * Ask OP-TEE to free all cached shared memory objects to decrease - * reference counters and also avoid wild pointers in secure world - * into the old shared memory range. - */ - optee_disable_shm_cache(optee); - - /* - * The two devices has to be unregistered before we can free the - * other resources. - */ - tee_device_unregister(optee->supp_teedev); - tee_device_unregister(optee->teedev); - - tee_shm_pool_free(optee->pool); - if (optee->memremaped_shm) - memunmap(optee->memremaped_shm); - optee_wait_queue_exit(&optee->wait_queue); - optee_supp_uninit(&optee->supp); - mutex_destroy(&optee->call_queue.mutex); - - kfree(optee); + return rc; } -static const struct of_device_id optee_match[] = { +static const struct of_device_id optee_dt_match[] = { { .compatible = "linaro,optee-tz" }, {}, }; - -static struct optee *optee_svc; - -static int __init optee_driver_init(void) -{ - struct device_node *fw_np = NULL; - struct device_node *np = NULL; - struct optee *optee = NULL; - int rc = 0; - - /* Node is supposed to be below /firmware */ - fw_np = of_find_node_by_name(NULL, "firmware"); - if (!fw_np) - return -ENODEV; - - np = of_find_matching_node(fw_np, optee_match); - if (!np || !of_device_is_available(np)) { - of_node_put(np); - return -ENODEV; - } - - optee = optee_probe(np); - of_node_put(np); - - if (IS_ERR(optee)) - return PTR_ERR(optee); - - rc = optee_enumerate_devices(); - if (rc) { - optee_remove(optee); - return rc; - } - - pr_info("initialized driver\n"); - - optee_svc = optee; - - return 0; -} -module_init(optee_driver_init); - -static void __exit optee_driver_exit(void) -{ - struct optee *optee = optee_svc; - - optee_svc = NULL; - if (optee) - optee_remove(optee); -} -module_exit(optee_driver_exit); +MODULE_DEVICE_TABLE(of, optee_dt_match); + +static struct platform_driver optee_driver = { + .probe = optee_probe, + .remove = optee_remove, + .driver = { + .name = "optee", + .of_match_table = optee_dt_match, + }, +}; +module_platform_driver(optee_driver); MODULE_AUTHOR("Linaro"); MODULE_DESCRIPTION("OP-TEE driver"); MODULE_SUPPORTED_DEVICE(""); MODULE_VERSION("1.0"); MODULE_LICENSE("GPL v2"); +MODULE_ALIAS("platform:optee"); -- 2.17.1

5 years, 4 months

[PATCH v4 0/1] tpm/tpm_ftpm_tee: add shutdown call back

by Pavel Tatashin

Changes from v3: - Synced with mainline - Added Tested-by Sasha Levin, and Reviewed-by: Jarkko Sakkinen. Previous versions: v3: https://lore.kernel.org/lkml/20191016163114.985542-1-pasha.tatashin@soleen.… v2: https://lore.kernel.org/lkml/20191014202135.429009-1-pasha.tatashin@soleen.… v1: https://lore.kernel.org/lkml/20191011145721.59257-1-pasha.tatashin@soleen.c… Pavel Tatashin (1): tpm/tpm_ftpm_tee: add shutdown call back drivers/char/tpm/tpm_ftpm_tee.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) -- 2.24.0

5 years, 4 months

[PATCH v2] optee: model OP-TEE as a platform device/driver

by Ard Biesheuvel

To simplify adding ACPI support to the OP-TEE driver, model it as a platform driver. This will permit us to use the generic device property layer for parsing additional properties, regardless of whether DT or ACPI is being used. Note that this change will result in the OP-TEE driver to be loaded automatically on systems that advertise the presence of OP-TEE via the device tree. Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- This is a follow-up to https://lore.kernel.org/lkml/20181227190122.23149-1-ard.biesheuvel@linaro.o… but with the second patch dropped. On ACPI systems, adding a device node to the DSDT like below is sufficient to trigger loading of the OP-TEE driver at boot. Tested on SynQuacer. Device (TOS0) { Name (_HID, "PRP0001") Name (_UID, 0x0) Name (_DSD, Package () { ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"), Package () { Package (2) { "compatible", "linaro,optee-tz" }, Package (2) { "method", "smc" }, } }) } v2: - rebased onto latest v5.4 - add platform: module alias drivers/tee/optee/core.c | 87 +++++++------------- 1 file changed, 32 insertions(+), 55 deletions(-) diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c index 1854a3db7345..eea601acf63f 100644 --- a/drivers/tee/optee/core.c +++ b/drivers/tee/optee/core.c @@ -534,13 +534,13 @@ static void optee_smccc_hvc(unsigned long a0, unsigned long a1, arm_smccc_hvc(a0, a1, a2, a3, a4, a5, a6, a7, res); } -static optee_invoke_fn *get_invoke_func(struct device_node *np) +static optee_invoke_fn *get_invoke_func(struct device *dev) { const char *method; - pr_info("probing for conduit method from DT.\n"); + pr_info("probing for conduit method.\n"); - if (of_property_read_string(np, "method", &method)) { + if (device_property_read_string(dev, "method", &method)) { pr_warn("missing \"method\" property\n"); return ERR_PTR(-ENXIO); } @@ -554,7 +554,7 @@ static optee_invoke_fn *get_invoke_func(struct device_node *np) return ERR_PTR(-EINVAL); } -static struct optee *optee_probe(struct device_node *np) +static int optee_probe(struct platform_device *pdev) { optee_invoke_fn *invoke_fn; struct tee_shm_pool *pool = ERR_PTR(-EINVAL); @@ -564,25 +564,25 @@ static struct optee *optee_probe(struct device_node *np) u32 sec_caps; int rc; - invoke_fn = get_invoke_func(np); + invoke_fn = get_invoke_func(&pdev->dev); if (IS_ERR(invoke_fn)) - return (void *)invoke_fn; + return PTR_ERR(invoke_fn); if (!optee_msg_api_uid_is_optee_api(invoke_fn)) { pr_warn("api uid mismatch\n"); - return ERR_PTR(-EINVAL); + return -EINVAL; } optee_msg_get_os_revision(invoke_fn); if (!optee_msg_api_revision_is_compatible(invoke_fn)) { pr_warn("api revision mismatch\n"); - return ERR_PTR(-EINVAL); + return -EINVAL; } if (!optee_msg_exchange_capabilities(invoke_fn, &sec_caps)) { pr_warn("capabilities mismatch\n"); - return ERR_PTR(-EINVAL); + return -EINVAL; } /* @@ -598,7 +598,7 @@ static struct optee *optee_probe(struct device_node *np) pool = optee_config_shm_memremap(invoke_fn, &memremaped_shm); if (IS_ERR(pool)) - return (void *)pool; + return PTR_ERR(pool); optee = kzalloc(sizeof(*optee), GFP_KERNEL); if (!optee) { @@ -609,6 +609,8 @@ static struct optee *optee_probe(struct device_node *np) optee->invoke_fn = invoke_fn; optee->sec_caps = sec_caps; + platform_set_drvdata(pdev, optee); + teedev = tee_device_alloc(&optee_desc, NULL, pool, optee); if (IS_ERR(teedev)) { rc = PTR_ERR(teedev); @@ -648,7 +650,7 @@ static struct optee *optee_probe(struct device_node *np) goto err; pr_info("initialized driver\n"); - return optee; + return 0; err: if (optee) { /* @@ -664,11 +666,13 @@ static struct optee *optee_probe(struct device_node *np) tee_shm_pool_free(pool); if (memremaped_shm) memunmap(memremaped_shm); - return ERR_PTR(rc); + return rc; } -static void optee_remove(struct optee *optee) +static int optee_remove(struct platform_device *pdev) { + struct optee *optee = platform_get_drvdata(pdev); + /* * Ask OP-TEE to free all cached shared memory objects to decrease * reference counters and also avoid wild pointers in secure world @@ -691,56 +695,29 @@ static void optee_remove(struct optee *optee) mutex_destroy(&optee->call_queue.mutex); kfree(optee); + + return 0; } -static const struct of_device_id optee_match[] = { +static const struct of_device_id optee_dt_match[] = { { .compatible = "linaro,optee-tz" }, {}, }; - -static struct optee *optee_svc; - -static int __init optee_driver_init(void) -{ - struct device_node *fw_np; - struct device_node *np; - struct optee *optee; - - /* Node is supposed to be below /firmware */ - fw_np = of_find_node_by_name(NULL, "firmware"); - if (!fw_np) - return -ENODEV; - - np = of_find_matching_node(fw_np, optee_match); - if (!np || !of_device_is_available(np)) { - of_node_put(np); - return -ENODEV; - } - - optee = optee_probe(np); - of_node_put(np); - - if (IS_ERR(optee)) - return PTR_ERR(optee); - - optee_svc = optee; - - return 0; -} -module_init(optee_driver_init); - -static void __exit optee_driver_exit(void) -{ - struct optee *optee = optee_svc; - - optee_svc = NULL; - if (optee) - optee_remove(optee); -} -module_exit(optee_driver_exit); +MODULE_DEVICE_TABLE(of, optee_dt_match); + +static struct platform_driver optee_driver = { + .probe = optee_probe, + .remove = optee_remove, + .driver = { + .name = "optee", + .of_match_table = optee_dt_match, + }, +}; +module_platform_driver(optee_driver); MODULE_AUTHOR("Linaro"); MODULE_DESCRIPTION("OP-TEE driver"); MODULE_SUPPORTED_DEVICE(""); MODULE_VERSION("1.0"); MODULE_LICENSE("GPL v2"); +MODULE_ALIAS("platform:optee"); -- 2.17.1

5 years, 4 months

[RFC PATCH v2 0/3] TEE driver for AMD APUs

by Rijo Thomas

This patch series introduces Trusted Execution Environment (TEE) driver for AMD APU enabled systems. The TEE is a secure area of a processor which ensures that sensitive data is stored, processed and protected in an isolated and trusted environment. The AMD Secure Processor is a dedicated processor which provides TEE to enable HW platform security. It offers protection against software attacks generated in Rich Operating System (Rich OS) such as Linux running on x86. The AMD-TEE Trusted OS running on AMD Secure Processor allows loading and execution of security sensitive applications called Trusted Applications (TAs). An example of a TA would be a DRM (Digital Rights Management) TA written to enforce content protection. Linux already provides a tee subsystem, which is described in [1]. The tee subsystem provides a generic TEE ioctl interface which can be used by user space to talk to a TEE driver. AMD-TEE driver registers with tee subsystem and implements tee function callbacks in an AMD platform specific manner. The following TEE commands are recognized by AMD-TEE Trusted OS: 1. TEE_CMD_ID_LOAD_TA : Load Trusted Application (TA) binary into TEE environment 2. TEE_CMD_ID_UNLOAD_TA : Unload TA binary from TEE environment 3. TEE_CMD_ID_OPEN_SESSION : Open session with loaded TA 4. TEE_CMD_ID_CLOSE_SESSION : Close session with loaded TA 5. TEE_CMD_ID_INVOKE_CMD : Invoke a command with loaded TA 6. TEE_CMD_ID_MAP_SHARED_MEM : Map shared memory 7. TEE_CMD_ID_UNMAP_SHARED_MEM : Unmap shared memory Each command has its own payload format. The AMD-TEE driver creates a command buffer payload for submission to AMD-TEE Trusted OS. I shall update [1] with AMD-TEE driver details shortly. This patch series has a dependency on another patch set titled - Add TEE interface support to AMD Secure Processor driver. Link: https://patchwork.kernel.org/project/linux-crypto/list/?submitter=188843 v2: * Added a helper API in AMD Secure Processor driver, which can be called by AMD-TEE driver during module init to check if TEE is present on the device * Added proper checks for parameter attribute variable * Used tee_shm_pool_alloc() to allocate struct tee_shm_pool data structure * Removed all references to tee_private.h header file in driver code, except for the file drivers/tee/amdtee/core.c. The driver loads TA binary by calling request_firmware(), which takes struct device* as one of its arguments. The device 'dev' field is part of struct tee_device, defined in tee_private.h [1] https://www.kernel.org/doc/Documentation/tee.txt Rijo Thomas (3): tee: allow compilation of tee subsystem for AMD CPUs tee: add AMD-TEE driver tee: amdtee: check TEE status during driver initialization drivers/crypto/ccp/tee-dev.c | 11 + drivers/tee/Kconfig | 4 +- drivers/tee/Makefile | 1 + drivers/tee/amdtee/Kconfig | 8 + drivers/tee/amdtee/Makefile | 5 + drivers/tee/amdtee/amdtee_if.h | 183 +++++++++++++ drivers/tee/amdtee/amdtee_private.h | 159 +++++++++++ drivers/tee/amdtee/call.c | 373 ++++++++++++++++++++++++++ drivers/tee/amdtee/core.c | 516 ++++++++++++++++++++++++++++++++++++ drivers/tee/amdtee/shm_pool.c | 93 +++++++ include/linux/psp-tee.h | 18 ++ include/uapi/linux/tee.h | 1 + 12 files changed, 1370 insertions(+), 2 deletions(-) create mode 100644 drivers/tee/amdtee/Kconfig create mode 100644 drivers/tee/amdtee/Makefile create mode 100644 drivers/tee/amdtee/amdtee_if.h create mode 100644 drivers/tee/amdtee/amdtee_private.h create mode 100644 drivers/tee/amdtee/call.c create mode 100644 drivers/tee/amdtee/core.c create mode 100644 drivers/tee/amdtee/shm_pool.c -- 1.9.1

5 years, 4 months

Webinar: Running a fuzzing tool in OP-TEE

by Joakim Bech

Hi all, We usually avoid using tee-dev for non-technical discussions, but I do think this is highly relevant to the subscribers of this list and therefore I wanted to share this with you. Webinar: Running a fuzzing tool in OP-TEE Date: Tuesday 3 December 2019 Time: 18:00 GMT Presenter: Martijn Bogaard, Senior Security Analyst, Riscure Moderator: Joakim Bech, Principal Engineer, Security Working Group, Linaro Duration: 60 minutes (including Q&A) Link to register: http://bit.ly/2NU5POk You can read the complete abstract here: https://www.linaro.org/events/webinar-running-a-fuzzing-tool-in-op-tee/ The webinar will be 60 minutes long including time for Q&A at the end. Anyone is welcome to attend so please feel free to share these details. Any questions do let me know - we hope to see you there! Thanks, Joakim

5 years, 5 months

[RFC PATCH 0/2] TEE driver for AMD APUs

by Thomas, Rijo-john

This patch series introduces Trusted Execution Environment (TEE) driver for AMD APU enabled systems. The TEE is a secure area of a processor which ensures that sensitive data is stored, processed and protected in an isolated and trusted environment. The AMD Secure Processor is a dedicated processor which provides TEE to enable HW platform security. It offers protection against software attacks generated in Rich Operating System (Rich OS) such as Linux running on x86. The AMD-TEE Trusted OS running on AMD Secure Processor allows loading and execution of security sensitive applications called Trusted Applications (TAs). An example of a TA would be a DRM (Digital Rights Management) TA written to enforce content protection. Linux already provides a tee subsystem, which is described in [1]. The tee subsystem provides a generic TEE ioctl interface which can be used by user space to talk to a TEE driver. AMD-TEE driver registers with tee subsystem and implements tee function callbacks in an AMD platform specific manner. The following TEE commands are recognized by AMD-TEE Trusted OS: 1. TEE_CMD_ID_LOAD_TA : Load Trusted Application (TA) binary into TEE environment 2. TEE_CMD_ID_UNLOAD_TA : Unload TA binary from TEE environment 3. TEE_CMD_ID_OPEN_SESSION : Open session with loaded TA 4. TEE_CMD_ID_CLOSE_SESSION : Close session with loaded TA 5. TEE_CMD_ID_INVOKE_CMD : Invoke a command with loaded TA 6. TEE_CMD_ID_MAP_SHARED_MEM : Map shared memory 7. TEE_CMD_ID_UNMAP_SHARED_MEM : Unmap shared memory Each command has its own payload format. The AMD-TEE driver creates a command buffer payload for submission to AMD-TEE Trusted OS. This patch series has a dependency on another patch set titled - Add TEE interface support to AMD Secure Processor driver. [1] https://www.kernel.org/doc/Documentation/tee.txt Rijo Thomas (2): tee: allow compilation of tee subsystem for AMD CPUs tee: add AMD-TEE driver drivers/tee/Kconfig | 4 +- drivers/tee/Makefile | 1 + drivers/tee/amdtee/Kconfig | 8 + drivers/tee/amdtee/Makefile | 5 + drivers/tee/amdtee/amdtee_if.h | 183 +++++++++++++ drivers/tee/amdtee/amdtee_private.h | 159 +++++++++++ drivers/tee/amdtee/call.c | 370 ++++++++++++++++++++++++++ drivers/tee/amdtee/core.c | 510 ++++++++++++++++++++++++++++++++++++ drivers/tee/amdtee/shm_pool.c | 130 +++++++++ include/uapi/linux/tee.h | 1 + 10 files changed, 1369 insertions(+), 2 deletions(-) create mode 100644 drivers/tee/amdtee/Kconfig create mode 100644 drivers/tee/amdtee/Makefile create mode 100644 drivers/tee/amdtee/amdtee_if.h create mode 100644 drivers/tee/amdtee/amdtee_private.h create mode 100644 drivers/tee/amdtee/call.c create mode 100644 drivers/tee/amdtee/core.c create mode 100644 drivers/tee/amdtee/shm_pool.c -- 1.9.1

5 years, 5 months

[PATCH 0/2] tee: optee: compatibility of natively running OS with virt-enabled OP-TEE

by Michalis Pappas

There are cases in a virtualized environment where a privileged guest needs to communicate with OP-TEE OS without the presence of a hypervisor (eg system recovery). As OP-TEE OS with virtualization support requires all guests to be announced and requests to be tagged with vm id, the above task would require reflashing OP-TEE OS with a build that disables virtualization support. The following patches introduce compatibilty between a natively running OS (ie without a hypervisor) and OP-TEE OS configured with virtualization support. This is achieved by the driver announcing itself to OP-TEE, and tagging subsequent requests with a predetermined vm id. For this change to be interoperable with virtualized environments, a hypervisor has the following options: 1. Filter out the OPTEE_SMC_SEC_CAP_VIRTUALIZATION capability, so that the driver is not aware of executing in a virtualized setup. In that case, the driver will not announce itself or update the vm id parameter. 2. Gracefully handle the announcement of addition / removal of guests from the driver (OPTEE_SMC_VM_CREATED / OPTEE_SMC_VM_DESTROYED), and overwrite the vm id parameter as normal. Enabling this option does not have an impact on OP-TEE OS configured without virtualization support. Please notice that this patch depends on 9733b072a12a from mainline Linux, which is not available in Linaro's tree. Michalis Pappas (2): tee: optee: Add protocol definitions for virtualization tee: optee: Allow native systems to interact with virtualization-enabled OP-TEE drivers/tee/optee/Kconfig | 23 +++++++++++++++ drivers/tee/optee/core.c | 43 ++++++++++++++++++++++++++++ drivers/tee/optee/optee_smc.h | 54 +++++++++++++++++++++++++++++++++++ 3 files changed, 120 insertions(+) -- 2.17.1 Please mind our privacy notice<https://www.opensynergy.com/datenschutzerklaerung/privacy-notice-for-busine…> pursuant to Art. 13 GDPR. // Unsere Hinweise zum Datenschutz gem. Art. 13 DSGVO finden Sie hier.<https://www.opensynergy.com/de/datenschutzerklaerung/datenschutzhinweise-fu…>

5 years, 5 months

[PATCH 12/15] drm/tee_shm: Drop dma_buf_k(unmap) support

by Daniel Vetter

There's no in-tree users anymore. Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Jens Wiklander <jens.wiklander(a)linaro.org> Cc: tee-dev(a)lists.linaro.org -- Ack for merging this through drm trees very much appreciated. -Daniel --- drivers/misc/fastrpc.c | 8 -------- drivers/tee/tee_shm.c | 6 ------ 2 files changed, 14 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1b1a794d639d..d0cbef9ec28a 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -555,13 +555,6 @@ static void fastrpc_dma_buf_detatch(struct dma_buf *dmabuf, kfree(a); } -static void *fastrpc_kmap(struct dma_buf *dmabuf, unsigned long pgnum) -{ - struct fastrpc_buf *buf = dmabuf->priv; - - return buf->virt ? buf->virt + pgnum * PAGE_SIZE : NULL; -} - static void *fastrpc_vmap(struct dma_buf *dmabuf) { struct fastrpc_buf *buf = dmabuf->priv; @@ -585,7 +578,6 @@ static const struct dma_buf_ops fastrpc_dma_buf_ops = { .map_dma_buf = fastrpc_map_dma_buf, .unmap_dma_buf = fastrpc_unmap_dma_buf, .mmap = fastrpc_mmap, - .map = fastrpc_kmap, .vmap = fastrpc_vmap, .release = fastrpc_release, }; diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 09ddcd06c715..937ac5aaa6d8 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -71,11 +71,6 @@ static void tee_shm_op_release(struct dma_buf *dmabuf) tee_shm_release(shm); } -static void *tee_shm_op_map(struct dma_buf *dmabuf, unsigned long pgnum) -{ - return NULL; -} - static int tee_shm_op_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma) { struct tee_shm *shm = dmabuf->priv; @@ -93,7 +88,6 @@ static const struct dma_buf_ops tee_shm_dma_buf_ops = { .map_dma_buf = tee_shm_op_map_dma_buf, .unmap_dma_buf = tee_shm_op_unmap_dma_buf, .release = tee_shm_op_release, - .map = tee_shm_op_map, .mmap = tee_shm_op_mmap, }; -- 2.24.0

5 years, 5 months

← Newer
1
...
8
9
10
11
12
13
14
...
30
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Tee-dev