Re: [PATCHv7] drivers: optee: allow op-tee to access devices on the i2c bus

["Jorge Ramirez-Ortiz, Foundries" <jorge@foundries.io>]

On 12/08/20, Jens Wiklander wrote:
> On Tue, Aug 11, 2020 at 07:55:31PM +0200, Jorge Ramirez-Ortiz wrote:
> > Some secure elements like NXP's SE050 sit on I2C buses. For OP-TEE to
> > control this type of cryptographic devices it needs coordinated access
> > to the bus, so collisions and RUNTIME_PM dont get in the way.
> > 
> > This trampoline driver allow OP-TEE to access them.
> > 
> > Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
> > ---
> >  v7: add support for ten bit i2c slave addressing
> >  v6: compile out if CONFIG_I2C not enabled
> >  v5: alphabetic order of includes
> >  v4: remove unnecessary extra line in optee_msg.h
> >  v3: use from/to msg param to support all types of memory
> >      modify OPTEE_MSG_RPC_CMD_I2C_TRANSFER message id
> >      
> >  drivers/tee/optee/optee_msg.h | 21 ++++++++
> >  drivers/tee/optee/rpc.c       | 95 +++++++++++++++++++++++++++++++++++
> >  2 files changed, 116 insertions(+)
> > 
> > diff --git a/drivers/tee/optee/optee_msg.h b/drivers/tee/optee/optee_msg.h
> > index 795bc19ae17a..7b2d919da2ac 100644
> > --- a/drivers/tee/optee/optee_msg.h
> > +++ b/drivers/tee/optee/optee_msg.h
> > @@ -419,4 +419,25 @@ struct optee_msg_arg {
> >   */
> >  #define OPTEE_MSG_RPC_CMD_SHM_FREE	7
> >  
> > +/*
> > + * Access a device on an i2c bus
> > + *
> > + * [in]  param[0].u.value.a		mode: RD(0), WR(1)
> > + * [in]  param[0].u.value.b		i2c adapter
> > + * [in]  param[0].u.value.c		i2c chip
> > + *
> > + * [in]  param[1].u.value.a		i2c control flags
> > + *
> > + * [in/out] memref[2]			buffer to exchange the transfer data
> > + *					with the secure world
> > + *
> > + * [out]  param[3].u.value.a		bytes transferred by the driver
> > + */
> > +#define OPTEE_MSG_RPC_CMD_I2C_TRANSFER 21
> > +/* I2C master transfer modes */
> > +#define OPTEE_MSG_RPC_CMD_I2C_TRANSFER_RD 0
> > +#define OPTEE_MSG_RPC_CMD_I2C_TRANSFER_WR 1
> > +/* I2C master control flags */
> > +#define OPTEE_MSG_RPC_CMD_I2C_FLAGS_TEN_BIT  BIT(0)
> > +
> >  #endif /* _OPTEE_MSG_H */
> > diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c
> > index b4ade54d1f28..b6178761d79f 100644
> > --- a/drivers/tee/optee/rpc.c
> > +++ b/drivers/tee/optee/rpc.c
> > @@ -7,6 +7,7 @@
> >  
> >  #include <linux/delay.h>
> >  #include <linux/device.h>
> > +#include <linux/i2c.h>
> >  #include <linux/slab.h>
> >  #include <linux/tee_drv.h>
> >  #include "optee_private.h"
> > @@ -49,6 +50,97 @@ static void handle_rpc_func_cmd_get_time(struct optee_msg_arg *arg)
> >  	arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> >  }
> >  
> > +#if IS_ENABLED(CONFIG_I2C)
> > +static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx,
> > +					     struct optee_msg_arg *arg)
> > +{
> > +	struct i2c_client client = { 0 };
> > +	struct tee_param *params;
> > +	int i, ret = -EOPNOTSUPP;
> > +	uint32_t attr[] = {
> uint32_t seems a randomly chosen type here. The
> TEE_IOCTL_PARAM_ATTR_TYPE_* defines fit in a u8.
> Consider u8 attr[] = { instead.

ok


> 
> > +		TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT,
> > +		TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INPUT,
> > +		TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INOUT,
> > +		TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_OUTPUT,
> > +	};
> > +
> > +	if (arg->num_params != ARRAY_SIZE(attr)) {
> > +		arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > +		return;
> > +	}
> > +
> > +	params = kmalloc_array(arg->num_params, sizeof(struct tee_param),
> > +			       GFP_KERNEL);
> > +	if (!params) {
> > +		arg->ret = TEEC_ERROR_OUT_OF_MEMORY;
> > +		return;
> > +	}
> > +
> > +	if (optee_from_msg_param(params, arg->num_params, arg->params))
> > +		goto bad;
> > +
> > +	for (i = 0; i < arg->num_params; i++) {
> arg->num_params has an unsigned type. Consider giving i an unsigned type
> too.

ok

> 
> > +		if ((params[i].attr & TEE_IOCTL_PARAM_ATTR_TYPE_MASK)
> > +		    != attr[i])
> It looks a bit funny with the comparison at the beginning of the line,
> normally we try to leave those at the end of the line. But
> optee_from_msg_param() doesn't set any higher bits in params[i].attr so
> you could also simplify the expression as:
> 		if (params[i].attr != attr[i])

ok will do the above


> 
> > +			goto bad;
> > +	}
> > +
> > +	client.adapter = i2c_get_adapter(params[0].u.value.b);
> > +	if (!client.adapter)
> > +		goto bad;
> > +
> > +	if (params[1].u.value.a & OPTEE_MSG_RPC_CMD_I2C_FLAGS_TEN_BIT) {
> > +		if (!i2c_check_functionality(client.adapter,
> > +					     I2C_FUNC_10BIT_ADDR)) {
> > +			i2c_put_adapter(client.adapter);
> > +			goto bad;
> > +		}
> > +
> > +		client.flags = I2C_CLIENT_TEN;
> > +	}
> > +
> > +	client.addr = params[0].u.value.c;
> > +	snprintf(client.name, I2C_NAME_SIZE, "i2c%d", client.adapter->nr);
> > +
> > +	switch (params[0].u.value.a) {
> > +	case OPTEE_MSG_RPC_CMD_I2C_TRANSFER_RD:
> > +		ret = i2c_master_recv(&client, params[2].u.memref.shm->kaddr,
> > +				      params[2].u.memref.size);
> > +		break;
> > +	case OPTEE_MSG_RPC_CMD_I2C_TRANSFER_WR:
> > +		ret = i2c_master_send(&client, params[2].u.memref.shm->kaddr,
> > +				      params[2].u.memref.size);
> > +		break;
> > +	default:
> > +		i2c_put_adapter(client.adapter);
> > +		goto bad;
> > +	}
> > +
> > +	if (ret < 0) {
> > +		arg->ret = TEEC_ERROR_COMMUNICATION;
> > +	} else {
> > +		params[3].u.value.a = ret;
> > +		arg->ret = TEEC_SUCCESS;
> > +
> > +		if (optee_to_msg_param(arg->params, arg->num_params, params))
> > +			arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> Need
> arg->ret = TEEC_SUCCESS;
> when everything is OK.


it is already there.
but will do an else so it is more evident

> 
> > +	}
> > +
> > +	i2c_put_adapter(client.adapter);
> > +	kfree(params);
> > +	return;
> > +bad:
> > +	kfree(params);
> > +	arg->ret = TEEC_ERROR_BAD_PARAMETERS;
> > +}
> > +#else
> > +static void handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx,
> > +					     struct optee_msg_arg *arg)
> > +{
> > +	arg->ret = TEEC_ERROR_COMMUNICATION;
> I'd prefer TEEC_ERROR_NOT_SUPPORTED here.
> TEEC_ERROR_NOT_SUPPORTED would need to be defined as:
> #define TEEC_ERROR_NOT_SUPPORTED        0xFFFF000A
> in optee_private.h

ok

thanks for the quick review on this

> 
> Cheers,
> Jens
> 
> > +}
> > +#endif
> > +
> >  static struct wq_entry *wq_entry_get(struct optee_wait_queue *wq, u32 key)
> >  {
> >  	struct wq_entry *w;
> > @@ -382,6 +474,9 @@ static void handle_rpc_func_cmd(struct tee_context *ctx, struct optee *optee,
> >  	case OPTEE_MSG_RPC_CMD_SHM_FREE:
> >  		handle_rpc_func_cmd_shm_free(ctx, arg);
> >  		break;
> > +	case OPTEE_MSG_RPC_CMD_I2C_TRANSFER:
> > +		handle_rpc_func_cmd_i2c_transfer(ctx, arg);
> > +		break;
> >  	default:
> >  		handle_rpc_supp_cmd(ctx, arg);
> >  	}
> > -- 
> > 2.17.1
> >