On 7/8/24 17:43, Mathieu Poirier wrote:
> On Fri, Jul 05, 2024 at 09:33:55AM +0200, Arnaud POULIQUEN wrote:
>>
>>
>> On 7/4/24 17:32, Mathieu Poirier wrote:
>>> On Thu, Jul 04, 2024 at 10:05:24AM +0200, Arnaud POULIQUEN wrote:
>>>>
>>>>
>>>> On 7/3/24 17:14, Mathieu Poirier wrote:
>>>>> On Wed, Jul 03, 2024 at 09:19:44AM +0200, Arnaud POULIQUEN wrote:
>>>>>> Hello Mathieu
>>>>>>
>>>>>> On 7/2/24 18:44, Mathieu Poirier wrote:
>>>>>>> Good morning,
>>>>>>>
>>>>>>> On Fri, Jun 21, 2024 at 04:37:56PM +0200, Arnaud Pouliquen wrote:
>>>>>>>> Add a remoteproc TEE (Trusted Execution Environment) driver
>>>>>>>> that will be probed by the TEE bus. If the associated Trusted
>>>>>>>> application is supported on secure part this driver offers a client
>>>>>>>> interface to load a firmware by the secure part.
>>>>>>>> This firmware could be authenticated by the secure trusted application.
>>>>>>>>
>>>>>>>> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@xxxxxxxxxxx>
>>>>>>>> ---
>>>>>>>> Updates vs previous version:
>>>>>>>> - rename tee_remoteproc.* file to rmeoteproc_tee.*,
>>>>>>>> - rename TEE_REMOTEPROC config to REMOTEPROC_TEE,
>>>>>>>> - remove "stm32" in some variable declarations,
>>>>>>>> - remove useless "remoteproc_internal.h" include,
>>>>>>>> - fix tee_rproc_ctx devm_kzalloc.
>>>>>>>> - rework module description
>>>>>>>> ---
>>>>>>>> drivers/remoteproc/Kconfig | 10 +
>>>>>>>> drivers/remoteproc/Makefile | 1 +
>>>>>>>> drivers/remoteproc/remoteproc_tee.c | 446 ++++++++++++++++++++++++++++
>>>>>>>> include/linux/remoteproc.h | 4 +
>>>>>>>> include/linux/remoteproc_tee.h | 100 +++++++
>>>>>>>> 5 files changed, 561 insertions(+)
>>>>>>>> create mode 100644 drivers/remoteproc/remoteproc_tee.c
>>>>>>>> create mode 100644 include/linux/remoteproc_tee.h
>>>>>>>>
>>>>>>>> diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
>>>>>>>> index 48845dc8fa85..278f197acb90 100644
>>>>>>>> --- a/drivers/remoteproc/Kconfig
>>>>>>>> +++ b/drivers/remoteproc/Kconfig
>>>>>>>> @@ -365,6 +365,16 @@ config XLNX_R5_REMOTEPROC
>>>>>>>>
>>>>>>>> It's safe to say N if not interested in using RPU r5f cores.
>>>>>>>>
>>>>>>>> +
>>>>>>>> +config REMOTEPROC_TEE
>>>>>>>> + tristate "Remoteproc support by a TEE application"
>>>>>>>> + depends on OPTEE
>>>>>>>> + help
>>>>>>>> + Support a remote processor with a TEE application. The Trusted
>>>>>>>> + Execution Context is responsible for loading the trusted firmware
>>>>>>>> + image and managing the remote processor's lifecycle.
>>>>>>>> + This can be either built-in or a loadable module.
>>>>>>>> +
>>>>>>>> endif # REMOTEPROC
>>>>>>>>
>>>>>>>> endmenu
>>>>>>>> diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
>>>>>>>> index 91314a9b43ce..b4eb37177005 100644
>>>>>>>> --- a/drivers/remoteproc/Makefile
>>>>>>>> +++ b/drivers/remoteproc/Makefile
>>>>>>>> @@ -36,6 +36,7 @@ obj-$(CONFIG_RCAR_REMOTEPROC) += rcar_rproc.o
>>>>>>>> obj-$(CONFIG_ST_REMOTEPROC) += st_remoteproc.o
>>>>>>>> obj-$(CONFIG_ST_SLIM_REMOTEPROC) += st_slim_rproc.o
>>>>>>>> obj-$(CONFIG_STM32_RPROC) += stm32_rproc.o
>>>>>>>> +obj-$(CONFIG_REMOTEPROC_TEE) += remoteproc_tee.o
>>>>>>>> obj-$(CONFIG_TI_K3_DSP_REMOTEPROC) += ti_k3_dsp_remoteproc.o
>>>>>>>> obj-$(CONFIG_TI_K3_R5_REMOTEPROC) += ti_k3_r5_remoteproc.o
>>>>>>>> obj-$(CONFIG_XLNX_R5_REMOTEPROC) += xlnx_r5_remoteproc.o
>>>>>>>> diff --git a/drivers/remoteproc/remoteproc_tee.c b/drivers/remoteproc/remoteproc_tee.c
>>>>>>>> new file mode 100644
>>>>>>>> index 000000000000..70cb67451767
>>>>>>>> --- /dev/null
>>>>>>>> +++ b/drivers/remoteproc/remoteproc_tee.c
>>>>>>>> @@ -0,0 +1,446 @@
>>>>>>>> +// SPDX-License-Identifier: GPL-2.0-or-later
>>>>>>>> +/*
>>>>>>>> + * Copyright (C) STMicroelectronics 2024
>>>>>>>> + * Author: Arnaud Pouliquen <arnaud.pouliquen@xxxxxxxxxxx>
>>>>>>>> + */
>>>>>>>> +
>>>>>>>> +#include <linux/firmware.h>
>>>>>>>> +#include <linux/io.h>
>>>>>>>> +#include <linux/module.h>
>>>>>>>> +#include <linux/remoteproc.h>
>>>>>>>> +#include <linux/remoteproc_tee.h>
>>>>>>>> +#include <linux/slab.h>
>>>>>>>> +#include <linux/tee_drv.h>
>>>>>>>> +
>>>>>>>> +#define MAX_TEE_PARAM_ARRY_MEMBER 4
>>>>>>>> +
>>>>>>>> +/*
>>>>>>>> + * Authentication of the firmware and load in the remote processor memory
>>>>>>>> + *
>>>>>>>> + * [in] params[0].value.a: unique 32bit identifier of the remote processor
>>>>>>>> + * [in] params[1].memref: buffer containing the image of the buffer
>>>>>>>> + */
>>>>>>>> +#define TA_RPROC_FW_CMD_LOAD_FW 1
>>>>>>>> +
>>>>>>>> +/*
>>>>>>>> + * Start the remote processor
>>>>>>>> + *
>>>>>>>> + * [in] params[0].value.a: unique 32bit identifier of the remote processor
>>>>>>>> + */
>>>>>>>> +#define TA_RPROC_FW_CMD_START_FW 2
>>>>>>>> +
>>>>>>>> +/*
>>>>>>>> + * Stop the remote processor
>>>>>>>> + *
>>>>>>>> + * [in] params[0].value.a: unique 32bit identifier of the remote processor
>>>>>>>> + */
>>>>>>>> +#define TA_RPROC_FW_CMD_STOP_FW 3
>>>>>>>> +
>>>>>>>> +/*
>>>>>>>> + * Return the address of the resource table, or 0 if not found
>>>>>>>> + * No check is done to verify that the address returned is accessible by
>>>>>>>> + * the non secure context. If the resource table is loaded in a protected
>>>>>>>> + * memory the access by the non secure context will lead to a data abort.
>>>>>>>> + *
>>>>>>>> + * [in] params[0].value.a: unique 32bit identifier of the remote processor
>>>>>>>> + * [out] params[1].value.a: 32bit LSB resource table memory address
>>>>>>>> + * [out] params[1].value.b: 32bit MSB resource table memory address
>>>>>>>> + * [out] params[2].value.a: 32bit LSB resource table memory size
>>>>>>>> + * [out] params[2].value.b: 32bit MSB resource table memory size
>>>>>>>> + */
>>>>>>>> +#define TA_RPROC_FW_CMD_GET_RSC_TABLE 4
>>>>>>>> +
>>>>>>>> +/*
>>>>>>>> + * Return the address of the core dump
>>>>>>>> + *
>>>>>>>> + * [in] params[0].value.a: unique 32bit identifier of the remote processor
>>>>>>>> + * [out] params[1].memref: address of the core dump image if exist,
>>>>>>>> + * else return Null
>>>>>>>> + */
>>>>>>>> +#define TA_RPROC_FW_CMD_GET_COREDUMP 5
>>>>>>>> +
>>>>>>>> +struct tee_rproc_context {
>>>>>>>> + struct list_head sessions;
>>>>>>>> + struct tee_context *tee_ctx;
>>>>>>>> + struct device *dev;
>>>>>>>> +};
>>>>>>>> +
>>>>>>>> +static struct tee_rproc_context *tee_rproc_ctx;
>>>>>>>> +
>>>>>>>> +static void tee_rproc_prepare_args(struct tee_rproc *trproc, int cmd,
>>>>>>>> + struct tee_ioctl_invoke_arg *arg,
>>>>>>>> + struct tee_param *param,
>>>>>>>> + unsigned int num_params)
>>>>>>>> +{
>>>>>>>> + memset(arg, 0, sizeof(*arg));
>>>>>>>> + memset(param, 0, MAX_TEE_PARAM_ARRY_MEMBER * sizeof(*param));
>>>>>>>> +
>>>>>>>> + arg->func = cmd;
>>>>>>>> + arg->session = trproc->session_id;
>>>>>>>> + arg->num_params = num_params + 1;
>>>>>>>> +
>>>>>>>> + param[0] = (struct tee_param) {
>>>>>>>> + .attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT,
>>>>>>>> + .u.value.a = trproc->rproc_id,
>>>>>>>> + };
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +int tee_rproc_load_fw(struct rproc *rproc, const struct firmware *fw)
>>>>>>>> +{
>>>>>>>> + struct tee_param param[MAX_TEE_PARAM_ARRY_MEMBER];
>>>>>>>> + struct tee_rproc *trproc = rproc->tee_interface;
>>>>>>>> + struct tee_ioctl_invoke_arg arg;
>>>>>>>> + struct tee_shm *fw_shm;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + if (!trproc)
>>>>>>>> + return -EINVAL;
>>>>>>>> +
>>>>>>>> + fw_shm = tee_shm_register_kernel_buf(tee_rproc_ctx->tee_ctx, (void *)fw->data, fw->size);
>>>>>>>> + if (IS_ERR(fw_shm))
>>>>>>>> + return PTR_ERR(fw_shm);
>>>>>>>> +
>>>>>>>> + tee_rproc_prepare_args(trproc, TA_RPROC_FW_CMD_LOAD_FW, &arg, param, 1);
>>>>>>>> +
>>>>>>>> + /* Provide the address of the firmware image */
>>>>>>>> + param[1] = (struct tee_param) {
>>>>>>>> + .attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT,
>>>>>>>> + .u.memref = {
>>>>>>>> + .shm = fw_shm,
>>>>>>>> + .size = fw->size,
>>>>>>>> + .shm_offs = 0,
>>>>>>>> + },
>>>>>>>> + };
>>>>>>>> +
>>>>>>>> + ret = tee_client_invoke_func(tee_rproc_ctx->tee_ctx, &arg, param);
>>>>>>>> + if (ret < 0 || arg.ret != 0) {
>>>>>>>> + dev_err(tee_rproc_ctx->dev,
>>>>>>>> + "TA_RPROC_FW_CMD_LOAD_FW invoke failed TEE err: %x, ret:%x\n",
>>>>>>>> + arg.ret, ret);
>>>>>>>> + if (!ret)
>>>>>>>> + ret = -EIO;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + tee_shm_free(fw_shm);
>>>>>>>> +
>>>>>>>> + return ret;
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_load_fw);
>>>>>>>> +
>>>>>>>> +static int tee_rproc_get_loaded_rsc_table(struct rproc *rproc, phys_addr_t *rsc_pa,
>>>>>>>> + size_t *table_sz)
>>>>>>>> +{
>>>>>>>> + struct tee_param param[MAX_TEE_PARAM_ARRY_MEMBER];
>>>>>>>> + struct tee_rproc *trproc = rproc->tee_interface;
>>>>>>>> + struct tee_ioctl_invoke_arg arg;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + tee_rproc_prepare_args(trproc, TA_RPROC_FW_CMD_GET_RSC_TABLE, &arg, param, 2);
>>>>>>>> +
>>>>>>>> + param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT;
>>>>>>>> + param[2].attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT;
>>>>>>>> +
>>>>>>>> + ret = tee_client_invoke_func(tee_rproc_ctx->tee_ctx, &arg, param);
>>>>>>>> + if (ret < 0 || arg.ret != 0) {
>>>>>>>> + dev_err(tee_rproc_ctx->dev,
>>>>>>>> + "TA_RPROC_FW_CMD_GET_RSC_TABLE invoke failed TEE err: %x, ret:%x\n",
>>>>>>>> + arg.ret, ret);
>>>>>>>> + return -EIO;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + *table_sz = param[2].u.value.a;
>>>>>>>> +
>>>>>>>> + if (*table_sz)
>>>>>>>> + *rsc_pa = param[1].u.value.a;
>>>>>>>> + else
>>>>>>>> + *rsc_pa = 0;
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +int tee_rproc_parse_fw(struct rproc *rproc, const struct firmware *fw)
>>>>>>>> +{
>>>>>>>> + phys_addr_t rsc_table;
>>>>>>>> + void __iomem *rsc_va;
>>>>>>>> + size_t table_sz;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + ret = tee_rproc_load_fw(rproc, fw);
>>>>>>>> + if (ret)
>>>>>>>> + return ret;
>>>>>>>> +
>>>>>>>> + ret = tee_rproc_get_loaded_rsc_table(rproc, &rsc_table, &table_sz);
>>>>>>>> + if (ret)
>>>>>>>> + return ret;
>>>>>>>
>>>>>>> Do we need an API to unload the firware from memory too? If anything fails we
>>>>>>> still have firmware loaded into memory.
>>>>>>
>>>>>> For the time being, the clean-up of the memory is not implemented in OP-TEE.
>>>>>
>>>>> In my opinion cleaning up the firmware image loaded to memory when something
>>>>> fails is important and should be part of this patchset. Looking at the error
>>>>> path in this function, it is clear something is missing.
>>>>
>>>>
>>>> Please, could you detail what risks you see in not implementing the memory
>>>> clean-up at this first step?
>>>>
>>>
>>> Almost everything in the Linux kernel is about allocation and release of
>>> resources, the pattern is ubiquitous. Reading function tee_rproc_parse_fw(),
>>> the firmware is loaded by tee_rproc_load_fw() but never released - people
>>> reading this driver will wonder about that. There is also the possibility that
>>> other implementations will use the free'd memory for other purposes. This
>>> interface driver is meant to be generic and as such needs to take care of those
>>> corner cases.
>>
>> Thank you for the clarification.
>> If we want to support this, handling the error here would not be sufficient. For
>> instance, many things can go wrong in rproc_start().
>>
>
> I agree.
>
>> So either we do nothing, as with the ELF support, and we put a comment in the
>> remoteproc tee; or we may need to introduce new rproc ops to clean up/free
>> resources in case of errors in the remoteproc core.
>>
>
> Doing nothing is not an option. The ELF case is easy because the cleanup only
> involves rproc->cached_table - for the TEE it also involves freeing the FW
> image.
>
> I suggest introducting a new core function, i.e rproc_release_fw(), to
> counterbalance rproc_parse_fw():
>
> rproc_release_fw()
> {
> if (rproc->tee_interface)
> tee_rproc_unload_fw();
> kfree(rproc->cached_table);
> rproc->cached_table = NULL;
> rproc->table_ptr = NULL;
> }
>
> Function rproc_release_fw() would be called in rproc_fw_boot()'s error path and
> in rproc_shutdown().
I will implement this for the next version. This will also impact OP-TEE to
implement the associated service, so it could take some time before the next
version.
Thanks,
Arnaud
>
>> Or perhaps do you have another alternative to propose?
>>
>> Thanks,
>> Arnaud
>>
>>>
>>>> Currently, OP-TEE upstream does not clean the memory. Upon the next load, it
>>>> will either be overwritten or left unused by the newly authenticated firmware.
>>>>
>>>> If your concern is about the ability to read the code, the code is already
>>>> accessible in the binary firmware image on the Linux filesystem.
>>>>
>>>> As a next step a platform-dependent strategy has to be implemented to enhance
>>>> firmware protection:
>>>> - Ensure the integrity of the code.
>>>> - Preserve secrets.
>>>>
>>>> However, OP-TEE cannot trust the Non-secure context for this. Expecting Linux to
>>>> call a clean-up service does not seem reliable to me.
>>>>
>>>> In the downstream stm32mp platform, we have implemented the clean-up but above
>>>> all, ensured that Linux never has access to the remote processor firmware code
>>>> and data by using firewall configurations.
>>>> For time being we print a warning message on OP-TEE upstream[1]
>>>>
>>>> [1]https://elixir.bootlin.com/op-tee/latest/source/core/drivers/remoteproc/stm32_remoteproc.c#L361
>>>>
>>>>
>>>> Thanks,
>>>> Arnaud
>>>>
>>>>>
>>>>>> I plan to upstream this part in a second step, associated with a memory protection
>>>>>> strategy. This should be directly implemented in the OP-TEE service to avoid
>>>>>> reliance on Linux error management.
>>>>>> Nonetheless, an API could be added to clean the memory if needed.
>>>>>>
>>>>>> Thanks,
>>>>>> Arnaud
>>>>>>
>>>>>>>
>>>>>>> More comments to come later.
>>>>>>>
>>>>>>> Mathieu
>>>>>>>
>>>>>>>> +
>>>>>>>> + /*
>>>>>>>> + * We assume here that the memory mapping is the same between the TEE and Linux kernel
>>>>>>>> + * contexts. Else a new TEE remoteproc service could be needed to get a copy of the
>>>>>>>> + * resource table
>>>>>>>> + */
>>>>>>>> + rsc_va = ioremap_wc(rsc_table, table_sz);
>>>>>>>> + if (IS_ERR_OR_NULL(rsc_va)) {
>>>>>>>> + dev_err(tee_rproc_ctx->dev, "Unable to map memory region: %pa+%zx\n",
>>>>>>>> + &rsc_table, table_sz);
>>>>>>>> + return -ENOMEM;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + /*
>>>>>>>> + * Create a copy of the resource table to have the same behavior as the elf loader.
>>>>>>>> + * This cached table will be used after the remoteproc stops to free resources, and for
>>>>>>>> + * crash recovery to reapply the settings.
>>>>>>>> + */
>>>>>>>> + rproc->cached_table = kmemdup((__force void *)rsc_va, table_sz, GFP_KERNEL);
>>>>>>>> + if (!rproc->cached_table) {
>>>>>>>> + ret = -ENOMEM;
>>>>>>>> + goto out;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + rproc->table_ptr = rproc->cached_table;
>>>>>>>> + rproc->table_sz = table_sz;
>>>>>>>> +
>>>>>>>> +out:
>>>>>>>> + iounmap(rsc_va);
>>>>>>>> + return ret;
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_parse_fw);
>>>>>>>> +
>>>>>>>> +struct resource_table *tee_rproc_find_loaded_rsc_table(struct rproc *rproc,
>>>>>>>> + const struct firmware *fw)
>>>>>>>> +{
>>>>>>>> + struct tee_rproc *trproc = rproc->tee_interface;
>>>>>>>> + phys_addr_t rsc_table;
>>>>>>>> + size_t table_sz;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + if (!trproc)
>>>>>>>> + return ERR_PTR(-EINVAL);
>>>>>>>> +
>>>>>>>> + ret = tee_rproc_get_loaded_rsc_table(rproc, &rsc_table, &table_sz);
>>>>>>>> + if (ret)
>>>>>>>> + return ERR_PTR(ret);
>>>>>>>> +
>>>>>>>> + rproc->table_sz = table_sz;
>>>>>>>> + if (!table_sz)
>>>>>>>> + return NULL;
>>>>>>>> +
>>>>>>>> + /*
>>>>>>>> + * At this step the memory area that contains the resource table should have be declared
>>>>>>>> + * in the remote proc platform driver and allocated by rproc_alloc_registered_carveouts().
>>>>>>>> + */
>>>>>>>> + return (struct resource_table *)rproc_pa_to_va(rproc, rsc_table, table_sz, NULL);
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_find_loaded_rsc_table);
>>>>>>>> +
>>>>>>>> +int tee_rproc_start(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + struct tee_param param[MAX_TEE_PARAM_ARRY_MEMBER];
>>>>>>>> + struct tee_rproc *trproc = rproc->tee_interface;
>>>>>>>> + struct tee_ioctl_invoke_arg arg;
>>>>>>>> + int ret = 0;
>>>>>>>> +
>>>>>>>> + if (!trproc)
>>>>>>>> + return -EINVAL;
>>>>>>>> +
>>>>>>>> + tee_rproc_prepare_args(trproc, TA_RPROC_FW_CMD_START_FW, &arg, param, 0);
>>>>>>>> +
>>>>>>>> + ret = tee_client_invoke_func(tee_rproc_ctx->tee_ctx, &arg, param);
>>>>>>>> + if (ret < 0 || arg.ret != 0) {
>>>>>>>> + dev_err(tee_rproc_ctx->dev,
>>>>>>>> + "TA_RPROC_FW_CMD_START_FW invoke failed TEE err: %x, ret:%x\n",
>>>>>>>> + arg.ret, ret);
>>>>>>>> + if (!ret)
>>>>>>>> + return -EIO;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_start);
>>>>>>>> +
>>>>>>>> +int tee_rproc_stop(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + struct tee_param param[MAX_TEE_PARAM_ARRY_MEMBER];
>>>>>>>> + struct tee_rproc *trproc = rproc->tee_interface;
>>>>>>>> + struct tee_ioctl_invoke_arg arg;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + if (!trproc)
>>>>>>>> + return -EINVAL;
>>>>>>>> +
>>>>>>>> + tee_rproc_prepare_args(trproc, TA_RPROC_FW_CMD_STOP_FW, &arg, param, 0);
>>>>>>>> +
>>>>>>>> + ret = tee_client_invoke_func(tee_rproc_ctx->tee_ctx, &arg, param);
>>>>>>>> + if (ret < 0 || arg.ret != 0) {
>>>>>>>> + dev_err(tee_rproc_ctx->dev,
>>>>>>>> + "TA_RPROC_FW_CMD_STOP_FW invoke failed TEE err: %x, ret:%x\n",
>>>>>>>> + arg.ret, ret);
>>>>>>>> + if (!ret)
>>>>>>>> + ret = -EIO;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + return ret;
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_stop);
>>>>>>>> +
>>>>>>>> +static const struct tee_client_device_id tee_rproc_id_table[] = {
>>>>>>>> + {UUID_INIT(0x80a4c275, 0x0a47, 0x4905, 0x82, 0x85, 0x14, 0x86, 0xa9, 0x77, 0x1a, 0x08)},
>>>>>>>> + {}
>>>>>>>> +};
>>>>>>>> +
>>>>>>>> +struct tee_rproc *tee_rproc_register(struct device *dev, struct rproc *rproc, unsigned int rproc_id)
>>>>>>>> +{
>>>>>>>> + struct tee_param param[MAX_TEE_PARAM_ARRY_MEMBER];
>>>>>>>> + struct tee_ioctl_open_session_arg sess_arg;
>>>>>>>> + struct tee_client_device *tee_device;
>>>>>>>> + struct tee_rproc *trproc, *p_err;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + /*
>>>>>>>> + * Test if the device has been probed by the TEE bus. In case of failure, we ignore the
>>>>>>>> + * reason. The bus could be not yet probed or the service not available in the secure
>>>>>>>> + * firmware.The assumption in such a case is that the TEE remoteproc is not probed.
>>>>>>>> + */
>>>>>>>> + if (!tee_rproc_ctx)
>>>>>>>> + return ERR_PTR(-EPROBE_DEFER);
>>>>>>>> +
>>>>>>>> + /* Prevent tee rproc module from being removed */
>>>>>>>> + if (!try_module_get(THIS_MODULE)) {
>>>>>>>> + dev_err(tee_rproc_ctx->dev, "can't get owner\n");
>>>>>>>> + return ERR_PTR(-ENODEV);
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + trproc = devm_kzalloc(dev, sizeof(*trproc), GFP_KERNEL);
>>>>>>>> + if (!trproc) {
>>>>>>>> + p_err = ERR_PTR(-ENOMEM);
>>>>>>>> + goto module_put;
>>>>>>>> + }
>>>>>>>> + tee_device = to_tee_client_device(tee_rproc_ctx->dev);
>>>>>>>> + memset(&sess_arg, 0, sizeof(sess_arg));
>>>>>>>> +
>>>>>>>> + memcpy(sess_arg.uuid, tee_device->id.uuid.b, TEE_IOCTL_UUID_LEN);
>>>>>>>> +
>>>>>>>> + sess_arg.clnt_login = TEE_IOCTL_LOGIN_REE_KERNEL;
>>>>>>>> + sess_arg.num_params = 1;
>>>>>>>> +
>>>>>>>> + param[0] = (struct tee_param) {
>>>>>>>> + .attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT,
>>>>>>>> + .u.value.a = rproc_id,
>>>>>>>> + };
>>>>>>>> +
>>>>>>>> + ret = tee_client_open_session(tee_rproc_ctx->tee_ctx, &sess_arg, param);
>>>>>>>> + if (ret < 0 || sess_arg.ret != 0) {
>>>>>>>> + dev_err(dev, "tee_client_open_session failed, err: %x\n", sess_arg.ret);
>>>>>>>> + p_err = ERR_PTR(-EINVAL);
>>>>>>>> + goto module_put;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + trproc->parent = dev;
>>>>>>>> + trproc->rproc_id = rproc_id;
>>>>>>>> + trproc->session_id = sess_arg.session;
>>>>>>>> +
>>>>>>>> + trproc->rproc = rproc;
>>>>>>>> + rproc->tee_interface = trproc;
>>>>>>>> +
>>>>>>>> + list_add_tail(&trproc->node, &tee_rproc_ctx->sessions);
>>>>>>>> +
>>>>>>>> + return trproc;
>>>>>>>> +
>>>>>>>> +module_put:
>>>>>>>> + module_put(THIS_MODULE);
>>>>>>>> + return p_err;
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_register);
>>>>>>>> +
>>>>>>>> +int tee_rproc_unregister(struct tee_rproc *trproc)
>>>>>>>> +{
>>>>>>>> + struct rproc *rproc = trproc->rproc;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + ret = tee_client_close_session(tee_rproc_ctx->tee_ctx, trproc->session_id);
>>>>>>>> + if (ret < 0)
>>>>>>>> + dev_err(trproc->parent, "tee_client_close_session failed, err: %x\n", ret);
>>>>>>>> +
>>>>>>>> + list_del(&trproc->node);
>>>>>>>> + rproc->tee_interface = NULL;
>>>>>>>> +
>>>>>>>> + module_put(THIS_MODULE);
>>>>>>>> +
>>>>>>>> + return ret;
>>>>>>>> +}
>>>>>>>> +EXPORT_SYMBOL_GPL(tee_rproc_unregister);
>>>>>>>> +
>>>>>>>> +static int tee_rproc_ctx_match(struct tee_ioctl_version_data *ver, const void *data)
>>>>>>>> +{
>>>>>>>> + /* Today we support only the OP-TEE, could be extend to other tees */
>>>>>>>> + return (ver->impl_id == TEE_IMPL_ID_OPTEE);
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static int tee_rproc_probe(struct device *dev)
>>>>>>>> +{
>>>>>>>> + struct tee_context *tee_ctx;
>>>>>>>> + int ret;
>>>>>>>> +
>>>>>>>> + /* Open context with TEE driver */
>>>>>>>> + tee_ctx = tee_client_open_context(NULL, tee_rproc_ctx_match, NULL, NULL);
>>>>>>>> + if (IS_ERR(tee_ctx))
>>>>>>>> + return PTR_ERR(tee_ctx);
>>>>>>>> +
>>>>>>>> + tee_rproc_ctx = devm_kzalloc(dev, sizeof(*tee_rproc_ctx), GFP_KERNEL);
>>>>>>>> + if (!tee_rproc_ctx) {
>>>>>>>> + ret = -ENOMEM;
>>>>>>>> + goto err;
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + tee_rproc_ctx->dev = dev;
>>>>>>>> + tee_rproc_ctx->tee_ctx = tee_ctx;
>>>>>>>> + INIT_LIST_HEAD(&tee_rproc_ctx->sessions);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +err:
>>>>>>>> + tee_client_close_context(tee_ctx);
>>>>>>>> +
>>>>>>>> + return ret;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static int tee_rproc_remove(struct device *dev)
>>>>>>>> +{
>>>>>>>> + struct tee_rproc *entry, *tmp;
>>>>>>>> +
>>>>>>>> + list_for_each_entry_safe(entry, tmp, &tee_rproc_ctx->sessions, node) {
>>>>>>>> + tee_client_close_session(tee_rproc_ctx->tee_ctx, entry->session_id);
>>>>>>>> + list_del(&entry->node);
>>>>>>>> + kfree(entry);
>>>>>>>> + }
>>>>>>>> +
>>>>>>>> + tee_client_close_context(tee_rproc_ctx->tee_ctx);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +MODULE_DEVICE_TABLE(tee, tee_rproc_id_table);
>>>>>>>> +
>>>>>>>> +static struct tee_client_driver tee_rproc_fw_driver = {
>>>>>>>> + .id_table = tee_rproc_id_table,
>>>>>>>> + .driver = {
>>>>>>>> + .name = KBUILD_MODNAME,
>>>>>>>> + .bus = &tee_bus_type,
>>>>>>>> + .probe = tee_rproc_probe,
>>>>>>>> + .remove = tee_rproc_remove,
>>>>>>>> + },
>>>>>>>> +};
>>>>>>>> +
>>>>>>>> +static int __init tee_rproc_fw_mod_init(void)
>>>>>>>> +{
>>>>>>>> + return driver_register(&tee_rproc_fw_driver.driver);
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static void __exit tee_rproc_fw_mod_exit(void)
>>>>>>>> +{
>>>>>>>> + driver_unregister(&tee_rproc_fw_driver.driver);
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +module_init(tee_rproc_fw_mod_init);
>>>>>>>> +module_exit(tee_rproc_fw_mod_exit);
>>>>>>>> +
>>>>>>>> +MODULE_DESCRIPTION(" remote processor support with a TEE application");
>>>>>>>> +MODULE_LICENSE("GPL");
>>>>>>>> diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
>>>>>>>> index 8fd0d7f63c8e..fbe1d6793709 100644
>>>>>>>> --- a/include/linux/remoteproc.h
>>>>>>>> +++ b/include/linux/remoteproc.h
>>>>>>>> @@ -503,6 +503,8 @@ enum rproc_features {
>>>>>>>> RPROC_MAX_FEATURES,
>>>>>>>> };
>>>>>>>>
>>>>>>>> +struct tee_rproc;
>>>>>>>> +
>>>>>>>> /**
>>>>>>>> * struct rproc - represents a physical remote processor device
>>>>>>>> * @node: list node of this rproc object
>>>>>>>> @@ -545,6 +547,7 @@ enum rproc_features {
>>>>>>>> * @cdev: character device of the rproc
>>>>>>>> * @cdev_put_on_release: flag to indicate if remoteproc should be shutdown on @char_dev release
>>>>>>>> * @features: indicate remoteproc features
>>>>>>>> + * @tee_interface: pointer to the remoteproc tee context
>>>>>>>> */
>>>>>>>> struct rproc {
>>>>>>>> struct list_head node;
>>>>>>>> @@ -586,6 +589,7 @@ struct rproc {
>>>>>>>> struct cdev cdev;
>>>>>>>> bool cdev_put_on_release;
>>>>>>>> DECLARE_BITMAP(features, RPROC_MAX_FEATURES);
>>>>>>>> + struct tee_rproc *tee_interface;
>>>>>>>> };
>>>>>>>>
>>>>>>>> /**
>>>>>>>> diff --git a/include/linux/remoteproc_tee.h b/include/linux/remoteproc_tee.h
>>>>>>>> new file mode 100644
>>>>>>>> index 000000000000..ccf34a218d54
>>>>>>>> --- /dev/null
>>>>>>>> +++ b/include/linux/remoteproc_tee.h
>>>>>>>> @@ -0,0 +1,100 @@
>>>>>>>> +/* SPDX-License-Identifier: GPL-2.0-or-later */
>>>>>>>> +/*
>>>>>>>> + * Copyright(c) 2024 STMicroelectronics
>>>>>>>> + */
>>>>>>>> +
>>>>>>>> +#ifndef REMOTEPROC_TEE_H
>>>>>>>> +#define REMOTEPROC_TEE_H
>>>>>>>> +
>>>>>>>> +#include <linux/tee_drv.h>
>>>>>>>> +#include <linux/firmware.h>
>>>>>>>> +#include <linux/remoteproc.h>
>>>>>>>> +
>>>>>>>> +struct rproc;
>>>>>>>> +
>>>>>>>> +/**
>>>>>>>> + * struct tee_rproc - TEE remoteproc structure
>>>>>>>> + * @node: Reference in list
>>>>>>>> + * @rproc: Remoteproc reference
>>>>>>>> + * @parent: Parent device
>>>>>>>> + * @rproc_id: Identifier of the target firmware
>>>>>>>> + * @session_id: TEE session identifier
>>>>>>>> + */
>>>>>>>> +struct tee_rproc {
>>>>>>>> + struct list_head node;
>>>>>>>> + struct rproc *rproc;
>>>>>>>> + struct device *parent;
>>>>>>>> + u32 rproc_id;
>>>>>>>> + u32 session_id;
>>>>>>>> +};
>>>>>>>> +
>>>>>>>> +#if IS_REACHABLE(CONFIG_REMOTEPROC_TEE)
>>>>>>>> +
>>>>>>>> +struct tee_rproc *tee_rproc_register(struct device *dev, struct rproc *rproc,
>>>>>>>> + unsigned int rproc_id);
>>>>>>>> +int tee_rproc_unregister(struct tee_rproc *trproc);
>>>>>>>> +int tee_rproc_parse_fw(struct rproc *rproc, const struct firmware *fw);
>>>>>>>> +int tee_rproc_load_fw(struct rproc *rproc, const struct firmware *fw);
>>>>>>>> +struct resource_table *tee_rproc_find_loaded_rsc_table(struct rproc *rproc,
>>>>>>>> + const struct firmware *fw);
>>>>>>>> +int tee_rproc_start(struct rproc *rproc);
>>>>>>>> +int tee_rproc_stop(struct rproc *rproc);
>>>>>>>> +
>>>>>>>> +#else
>>>>>>>> +
>>>>>>>> +static inline struct tee_rproc *tee_rproc_register(struct device *dev, struct rproc *rproc,
>>>>>>>> + unsigned int rproc_id)
>>>>>>>> +{
>>>>>>>> + return ERR_PTR(-ENODEV);
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static int tee_rproc_parse_fw(struct rproc *rproc, const struct firmware *fw)
>>>>>>>> +{
>>>>>>>> + /* This shouldn't be possible */
>>>>>>>> + WARN_ON(1);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static inline int tee_rproc_unregister(struct tee_rproc *trproc)
>>>>>>>> +{
>>>>>>>> + /* This shouldn't be possible */
>>>>>>>> + WARN_ON(1);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static inline int tee_rproc_load_fw(struct rproc *rproc, const struct firmware *fw)
>>>>>>>> +{
>>>>>>>> + /* This shouldn't be possible */
>>>>>>>> + WARN_ON(1);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static inline int tee_rproc_start(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + /* This shouldn't be possible */
>>>>>>>> + WARN_ON(1);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static inline int tee_rproc_stop(struct rproc *rproc)
>>>>>>>> +{
>>>>>>>> + /* This shouldn't be possible */
>>>>>>>> + WARN_ON(1);
>>>>>>>> +
>>>>>>>> + return 0;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static inline struct resource_table *
>>>>>>>> +tee_rproc_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *fw)
>>>>>>>> +{
>>>>>>>> + /* This shouldn't be possible */
>>>>>>>> + WARN_ON(1);
>>>>>>>> +
>>>>>>>> + return NULL;
>>>>>>>> +}
>>>>>>>> +#endif /* CONFIG_REMOTEPROC_TEE */
>>>>>>>> +#endif /* REMOTEPROC_TEE_H */
>>>>>>>> --
>>>>>>>> 2.25.1
>>>>>>>>
