| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <591289e2-a5e3-4941-b8d4-85edac281013@kernel.org>
Date: Sun, 21 Sep 2025 23:23:41 +0100
From: Bryan O'Donoghue <bod@...nel.org>
To: Mukesh Ojha <mukesh.ojha@....qualcomm.com>,
Bjorn Andersson <andersson@...nel.org>,
Mathieu Poirier <mathieu.poirier@...aro.org>, Rob Herring <robh@...nel.org>,
Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor Dooley
<conor+dt@...nel.org>, Manivannan Sadhasivam <mani@...nel.org>,
Konrad Dybcio <konradybcio@...nel.org>
Cc: linux-arm-msm@...r.kernel.org, linux-remoteproc@...r.kernel.org,
devicetree@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 06/12] firmware: qcom_scm: Add a prep version of
auth_and_reset function
On 20/09/2025 20:41, Mukesh Ojha wrote:
> Qualcomm SoCs running with QHEE (Qualcomm Hypervisor Execution
> Environment—a library present in the Gunyah hypervisor) utilize the
> Peripheral Authentication Service (PAS) from TrustZone (TZ) firmware to
> securely authenticate and reset remote processors via a sequence of SMC
> calls such as qcom_scm_pas_init_image(), qcom_scm_pas_mem_setup(), and
> qcom_scm_pas_auth_and_reset().
>
> For memory passed to Qualcomm TrustZone, it must either be part of a
> pool registered with TZ or be directly registered via SHMbridge SMC
> calls. When QHEE is present, PAS SMC calls from Linux running at EL1 are
> trapped by QHEE (running at EL2), which then creates or retrieves memory
> from the SHMbridge for both metadata and remoteproc carveout memory
> before passing them to TZ. However, when the SoC runs with a
> non-QHEE-based hypervisor, Linux must create the SHM bridge for both
> metadata (before it is passed to TZ in qcom_scm_pas_init_image()) and
> for remoteproc memory (before the call is made to TZ in
> qcom_scm_pas_auth_and_reset()).
>
> For auth_and_reset() call, first it need to register remoteproc carveout
> memory with TZ via SHMbridge SMC call and then it can trigger
> auth_and_reset SMC call and once the call returns, remoteproc carveout
> memory can be deregisterd with TZ.
>
> Add qcom_scm_pas_prepare_and_auth_reset() function which does prepare
> the SHMbridge over carveout memory and call auth_and_reset SMC call.
>
> Signed-off-by: Mukesh Ojha <mukesh.ojha@....qualcomm.com>
> ---
> drivers/firmware/qcom/qcom_scm.c | 46 ++++++++++++++++++++++++++++++++++
> include/linux/firmware/qcom/qcom_scm.h | 2 ++
> 2 files changed, 48 insertions(+)
>
> diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
> index 917341308873..7a86b27ea666 100644
> --- a/drivers/firmware/qcom/qcom_scm.c
> +++ b/drivers/firmware/qcom/qcom_scm.c
> @@ -790,6 +790,52 @@ int qcom_scm_pas_auth_and_reset(u32 pas_id)
> }
> EXPORT_SYMBOL_GPL(qcom_scm_pas_auth_and_reset);
>
> +/**
> + * qcom_scm_pas_prepare_and_auth_reset() - Prepare, authenticate, and reset the remote processor
> + *
> + * @ctx: Context saved during call to qcom_scm_pas_ctx_init()
> + *
> + * This function performs the necessary steps to prepare a PAS subsystem,
> + * authenticate it using the provided metadata, and initiate a reset sequence.
> + *
> + * It should be used when Linux is in control setting up the IOMMU hardware
> + * for remote subsystem during secure firmware loading processes. The preparation
> + * step sets up a shmbridge over the firmware memory before TrustZone accesses the
> + * firmware memory region for authentication. The authentication step verifies
> + * the integrity and authenticity of the firmware or configuration using secure
> + * metadata. Finally, the reset step ensures the subsystem starts in a clean and
> + * sane state.
> + *
> + * Return: 0 on success, negative errno on failure.
> + */
> +int qcom_scm_pas_prepare_and_auth_reset(struct qcom_scm_pas_ctx *ctx)
> +{
> + u64 handle;
> + int ret;
> +
> + if (!ctx->has_iommu)
> + return qcom_scm_pas_auth_and_reset(ctx->pas_id);
> +
> + /*
> + * When Linux running at EL1, Gunyah(EL2) traps auth_and_reset call and creates
> + * shmbridge on remote subsystem memory region before it passes the call to
> + * TrustZone to authenticate it while when Linux runs at EL2, it needs to create
> + * shmbridge before this call goes to TrustZone.
> + */
"When Linux runs @ EL1 the Hypervision Gunyah running @ EL2 traps the
auth_and_reset call(). Gunyah create an shmbridge on the remote
subsystem memory and then invokes a call to TrustZone to authenticate.
When Linux runs @ EL2 Linux must create the shmbridge itself and then
subsequently invoke TrustZone itself."
Please fix the commit log too.
> + ret = qcom_tzmem_shm_bridge_create(ctx->mem_phys, ctx->mem_size, &handle);
> + if (ret) {
> + dev_err(__scm->dev, "Failed to create shmbridge ret=%d %u\n",
> + ret, ctx->pas_id);
> + return ret;
> + }
> +
> + ret = qcom_scm_pas_auth_and_reset(ctx->pas_id);
> + qcom_tzmem_shm_bridge_delete(handle);
> +
> + return ret;
> +}
> +EXPORT_SYMBOL_GPL(qcom_scm_pas_prepare_and_auth_reset);
> +
> /**
> * qcom_scm_pas_shutdown() - Shut down the remote processor
> * @pas_id: peripheral authentication service id
> diff --git a/include/linux/firmware/qcom/qcom_scm.h b/include/linux/firmware/qcom/qcom_scm.h
> index 9ca3218f0948..1774584ff5e3 100644
> --- a/include/linux/firmware/qcom/qcom_scm.h
> +++ b/include/linux/firmware/qcom/qcom_scm.h
> @@ -78,6 +78,7 @@ struct qcom_scm_pas_ctx {
> phys_addr_t mem_phys;
> size_t mem_size;
> struct qcom_scm_pas_metadata *metadata;
> + bool has_iommu;
> };
>
> void *qcom_scm_pas_ctx_init(struct device *dev, u32 pas_id, phys_addr_t mem_phys,
> @@ -90,6 +91,7 @@ int qcom_scm_pas_mem_setup(u32 pas_id, phys_addr_t addr, phys_addr_t size);
> int qcom_scm_pas_auth_and_reset(u32 pas_id);
> int qcom_scm_pas_shutdown(u32 pas_id);
> bool qcom_scm_pas_supported(u32 pas_id);
> +int qcom_scm_pas_prepare_and_auth_reset(struct qcom_scm_pas_ctx *ctx);
>
> int qcom_scm_io_readl(phys_addr_t addr, unsigned int *val);
> int qcom_scm_io_writel(phys_addr_t addr, unsigned int val);
>
> --
> 2.50.1
>
>
---
bod
Powered by blists - more mailing lists