There are use-cases where user-space shouldn't be allowed to communicate directly with a TEE device which is dedicated to provide a specific service for a kernel client. So add a private login method for kernel clients and disallow user-space to open-session using this login method. Signed-off-by: Sumit Garg <sumit.garg@xxxxxxxxxx> --- drivers/tee/tee_core.c | 6 ++++++ include/uapi/linux/tee.h | 2 ++ 2 files changed, 8 insertions(+) diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index 0f16d9f..4581bd1 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -334,6 +334,12 @@ static int tee_ioctl_open_session(struct tee_context *ctx, goto out; } + if (arg.clnt_login == TEE_IOCTL_LOGIN_REE_KERNEL) { + pr_err("login method not allowed for user-space client\n"); + rc = -EPERM; + goto out; + } + rc = ctx->teedev->desc->ops->open_session(ctx, &arg, params); if (rc) goto out; diff --git a/include/uapi/linux/tee.h b/include/uapi/linux/tee.h index 4b9eb06..f33c69c 100644 --- a/include/uapi/linux/tee.h +++ b/include/uapi/linux/tee.h @@ -172,6 +172,8 @@ struct tee_ioctl_buf_data { #define TEE_IOCTL_LOGIN_APPLICATION 4 #define TEE_IOCTL_LOGIN_USER_APPLICATION 5 #define TEE_IOCTL_LOGIN_GROUP_APPLICATION 6 +/* Private login method for REE kernel clients */ +#define TEE_IOCTL_LOGIN_REE_KERNEL 0x80000000 /** * struct tee_ioctl_param - parameter -- 2.7.4