* [PATCH v4 0/1] tpm_crb_ffa: handle tpm busy return code
@ 2025-06-13 23:31 Prachotan Bathi
2025-06-13 23:31 ` [PATCH v4 1/1] " Prachotan Bathi
0 siblings, 1 reply; 4+ messages in thread
From: Prachotan Bathi @ 2025-06-13 23:31 UTC (permalink / raw)
To: Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Stuart Yoder
Cc: linux-integrity, linux-kernel, Prachotan Bathi
Platforms that support FF-A direct message request v2 can implement
Secure Partitions (SPs) that host multiple services. When the TPM
service shares its SP with other services, message requests from the
driver may fail with a BUSY response if another service is currently
active.
To improve robustness in such scenarios, we need to introduce retry
logic in the driver. When a BUSY error is received, the driver will
re-attempt the TPM request until it succeeds or a configurable timeout
(default: 2000 ms) is reached. This ensures reliable TPM access under
shared-SP conditions.
Add a module parameter, `busy_timeout`, which specifies the
maximum amount of time (in milliseconds) to retry on BUSY before giving
up.
This change builds on top of commit a85b55ee64a5, which introduced
support for TPM service communication using the FF-A direct message v2
path, in accordance with section 3.3 of the TPM Service Command
Response Buffer Interface specification.
https://developer.arm.com/documentation/den0138/latest/
Changes in v4:
- Updated commit message to clarify the purpose of the patch.
- Removed comments that state the obvious.
Prachotan Bathi (1):
tpm_crb_ffa: handle tpm busy return code
drivers/char/tpm/tpm_crb_ffa.c | 74 +++++++++++++++++++++++-----------
1 file changed, 50 insertions(+), 24 deletions(-)
--
2.43.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v4 1/1] tpm_crb_ffa: handle tpm busy return code
2025-06-13 23:31 [PATCH v4 0/1] tpm_crb_ffa: handle tpm busy return code Prachotan Bathi
@ 2025-06-13 23:31 ` Prachotan Bathi
2025-06-14 5:22 ` Paul Menzel
2025-06-17 14:40 ` Jarkko Sakkinen
0 siblings, 2 replies; 4+ messages in thread
From: Prachotan Bathi @ 2025-06-13 23:31 UTC (permalink / raw)
To: Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Stuart Yoder
Cc: linux-integrity, linux-kernel, Prachotan Bathi
For CRB over FF-A interface, if the firmwre TPM or TPM service [1] shares
its Secure Partition (SP) with another service, message requests may
fail with a -EBUSY error. Platforms supporting direct message request v2[1]
can support secure partitions that support multiple services.
To handle this, replace the single check and call with a retry loop
that attempts the TPM message send operation until it succeeds or a
configurable timeout is reached. The retry mechanism introduces a
module parameter (`busy_timeout`, default: 2000ms) to control how long
to keep retrying on -EBUSY responses. Between retries, the code waits
briefly (50-100 microseconds) to avoid busy-waiting and handling
TPM BUSY conditions more gracefully.
[1] TPM Service Command Response Buffer Interface Over FF-A
https://developer.arm.com/documentation/den0138/latest/
Signed-off-by: Prachotan Bathi <prachotan.bathi@arm.com>
---
drivers/char/tpm/tpm_crb_ffa.c | 74 +++++++++++++++++++++++-----------
1 file changed, 50 insertions(+), 24 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
index 4ead61f01299..e47e110bac9e 100644
--- a/drivers/char/tpm/tpm_crb_ffa.c
+++ b/drivers/char/tpm/tpm_crb_ffa.c
@@ -10,6 +10,8 @@
#define pr_fmt(fmt) "CRB_FFA: " fmt
#include <linux/arm_ffa.h>
+#include <linux/delay.h>
+#include <linux/moduleparam.h>
#include "tpm_crb_ffa.h"
/* TPM service function status codes */
@@ -178,6 +180,17 @@ int tpm_crb_ffa_init(void)
}
EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
+static unsigned int busy_timeout = 2000;
+/**
+ * busy_timeout - Maximum time to retry before giving up on busy
+ *
+ * This parameter defines the maximum time in milliseconds to retry
+ * sending a message to the TPM service before giving up.
+ */
+module_param(busy_timeout, uint, 0644);
+MODULE_PARM_DESC(busy_timeout,
+ "Maximum time to retry before giving up on busy");
+
static int __tpm_crb_ffa_send_recieve(unsigned long func_id,
unsigned long a0,
unsigned long a1,
@@ -191,34 +204,47 @@ static int __tpm_crb_ffa_send_recieve(unsigned long func_id,
msg_ops = tpm_crb_ffa->ffa_dev->ops->msg_ops;
- if (ffa_partition_supports_direct_req2_recv(tpm_crb_ffa->ffa_dev)) {
- memset(&tpm_crb_ffa->direct_msg_data2, 0x00,
- sizeof(struct ffa_send_direct_data2));
+ ktime_t start;
+ ktime_t stop;
+
+ start = ktime_get();
+ stop = ktime_add(start, ms_to_ktime(busy_timeout));
+
+ do {
+ if (ffa_partition_supports_direct_req2_recv(tpm_crb_ffa->ffa_dev)) {
+ memset(&tpm_crb_ffa->direct_msg_data2, 0x00,
+ sizeof(struct ffa_send_direct_data2));
- tpm_crb_ffa->direct_msg_data2.data[0] = func_id;
- tpm_crb_ffa->direct_msg_data2.data[1] = a0;
- tpm_crb_ffa->direct_msg_data2.data[2] = a1;
- tpm_crb_ffa->direct_msg_data2.data[3] = a2;
+ tpm_crb_ffa->direct_msg_data2.data[0] = func_id;
+ tpm_crb_ffa->direct_msg_data2.data[1] = a0;
+ tpm_crb_ffa->direct_msg_data2.data[2] = a1;
+ tpm_crb_ffa->direct_msg_data2.data[3] = a2;
- ret = msg_ops->sync_send_receive2(tpm_crb_ffa->ffa_dev,
+ ret = msg_ops->sync_send_receive2(tpm_crb_ffa->ffa_dev,
&tpm_crb_ffa->direct_msg_data2);
- if (!ret)
- ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data2.data[0]);
- } else {
- memset(&tpm_crb_ffa->direct_msg_data, 0x00,
- sizeof(struct ffa_send_direct_data));
-
- tpm_crb_ffa->direct_msg_data.data1 = func_id;
- tpm_crb_ffa->direct_msg_data.data2 = a0;
- tpm_crb_ffa->direct_msg_data.data3 = a1;
- tpm_crb_ffa->direct_msg_data.data4 = a2;
-
- ret = msg_ops->sync_send_receive(tpm_crb_ffa->ffa_dev,
- &tpm_crb_ffa->direct_msg_data);
- if (!ret)
- ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data.data1);
- }
+ if (!ret)
+ ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data2.data[0]);
+ } else {
+ memset(&tpm_crb_ffa->direct_msg_data, 0x00,
+ sizeof(struct ffa_send_direct_data));
+ tpm_crb_ffa->direct_msg_data.data1 = func_id;
+ tpm_crb_ffa->direct_msg_data.data2 = a0;
+ tpm_crb_ffa->direct_msg_data.data3 = a1;
+ tpm_crb_ffa->direct_msg_data.data4 = a2;
+
+ ret = msg_ops->sync_send_receive(tpm_crb_ffa->ffa_dev,
+ &tpm_crb_ffa->direct_msg_data);
+ if (!ret)
+ ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data.data1);
+ }
+ if (ret == -EBUSY)
+ pr_err("TPM says busy, trying again, value, ret: %d\n",
+ ret);
+ else
+ break;
+ usleep_range(50, 100);
+ } while (ktime_before(ktime_get(), stop));
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v4 1/1] tpm_crb_ffa: handle tpm busy return code
2025-06-13 23:31 ` [PATCH v4 1/1] " Prachotan Bathi
@ 2025-06-14 5:22 ` Paul Menzel
2025-06-17 14:40 ` Jarkko Sakkinen
1 sibling, 0 replies; 4+ messages in thread
From: Paul Menzel @ 2025-06-14 5:22 UTC (permalink / raw)
To: Prachotan Bathi
Cc: Peter Huewe, Jarkko Sakkinen, Jason Gunthorpe, Stuart Yoder,
linux-integrity, linux-kernel
Dear Praochotan,
Am 14.06.25 um 01:31 schrieb Prachotan Bathi:
> For CRB over FF-A interface, if the firmwre TPM or TPM service [1] shares
firmw*a*re
> its Secure Partition (SP) with another service, message requests may
> fail with a -EBUSY error. Platforms supporting direct message request v2[1]
> can support secure partitions that support multiple services.
Please remove the two leading spaces. Also I’d swap the sentences.
> To handle this, replace the single check and call with a retry loop
> that attempts the TPM message send operation until it succeeds or a
> configurable timeout is reached. The retry mechanism introduces a
> module parameter (`busy_timeout`, default: 2000ms) to control how long
Please append the unit to the name.
> to keep retrying on -EBUSY responses. Between retries, the code waits
> briefly (50-100 microseconds) to avoid busy-waiting and handling
> TPM BUSY conditions more gracefully.
It’d be great if you documented your test setup and how to test this.
Out of curiosity: Can the parameter be changed during runtime?
> [1] TPM Service Command Response Buffer Interface Over FF-A
> https://developer.arm.com/documentation/den0138/latest/
>
> Signed-off-by: Prachotan Bathi <prachotan.bathi@arm.com>
> ---
> drivers/char/tpm/tpm_crb_ffa.c | 74 +++++++++++++++++++++++-----------
> 1 file changed, 50 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
> index 4ead61f01299..e47e110bac9e 100644
> --- a/drivers/char/tpm/tpm_crb_ffa.c
> +++ b/drivers/char/tpm/tpm_crb_ffa.c
> @@ -10,6 +10,8 @@
> #define pr_fmt(fmt) "CRB_FFA: " fmt
>
> #include <linux/arm_ffa.h>
> +#include <linux/delay.h>
> +#include <linux/moduleparam.h>
> #include "tpm_crb_ffa.h"
>
> /* TPM service function status codes */
> @@ -178,6 +180,17 @@ int tpm_crb_ffa_init(void)
> }
> EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
>
> +static unsigned int busy_timeout = 2000;
Please append _ms to the variable name.
> +/**
> + * busy_timeout - Maximum time to retry before giving up on busy
> + *
> + * This parameter defines the maximum time in milliseconds to retry
> + * sending a message to the TPM service before giving up.
> + */
> +module_param(busy_timeout, uint, 0644);
> +MODULE_PARM_DESC(busy_timeout,
> + "Maximum time to retry before giving up on busy");
Please name the unit.
> +
> static int __tpm_crb_ffa_send_recieve(unsigned long func_id,
> unsigned long a0,
> unsigned long a1,
> @@ -191,34 +204,47 @@ static int __tpm_crb_ffa_send_recieve(unsigned long func_id,
>
> msg_ops = tpm_crb_ffa->ffa_dev->ops->msg_ops;
>
> - if (ffa_partition_supports_direct_req2_recv(tpm_crb_ffa->ffa_dev)) {
> - memset(&tpm_crb_ffa->direct_msg_data2, 0x00,
> - sizeof(struct ffa_send_direct_data2));
> + ktime_t start;
> + ktime_t stop;
> +
> + start = ktime_get();
> + stop = ktime_add(start, ms_to_ktime(busy_timeout));
> +
> + do {
> + if (ffa_partition_supports_direct_req2_recv(tpm_crb_ffa->ffa_dev)) {
> + memset(&tpm_crb_ffa->direct_msg_data2, 0x00,
> + sizeof(struct ffa_send_direct_data2));
>
> - tpm_crb_ffa->direct_msg_data2.data[0] = func_id;
> - tpm_crb_ffa->direct_msg_data2.data[1] = a0;
> - tpm_crb_ffa->direct_msg_data2.data[2] = a1;
> - tpm_crb_ffa->direct_msg_data2.data[3] = a2;
> + tpm_crb_ffa->direct_msg_data2.data[0] = func_id;
> + tpm_crb_ffa->direct_msg_data2.data[1] = a0;
> + tpm_crb_ffa->direct_msg_data2.data[2] = a1;
> + tpm_crb_ffa->direct_msg_data2.data[3] = a2;
>
> - ret = msg_ops->sync_send_receive2(tpm_crb_ffa->ffa_dev,
> + ret = msg_ops->sync_send_receive2(tpm_crb_ffa->ffa_dev,
> &tpm_crb_ffa->direct_msg_data2);
> - if (!ret)
> - ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data2.data[0]);
> - } else {
> - memset(&tpm_crb_ffa->direct_msg_data, 0x00,
> - sizeof(struct ffa_send_direct_data));
> -
> - tpm_crb_ffa->direct_msg_data.data1 = func_id;
> - tpm_crb_ffa->direct_msg_data.data2 = a0;
> - tpm_crb_ffa->direct_msg_data.data3 = a1;
> - tpm_crb_ffa->direct_msg_data.data4 = a2;
> -
> - ret = msg_ops->sync_send_receive(tpm_crb_ffa->ffa_dev,
> - &tpm_crb_ffa->direct_msg_data);
> - if (!ret)
> - ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data.data1);
> - }
> + if (!ret)
> + ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data2.data[0]);
> + } else {
> + memset(&tpm_crb_ffa->direct_msg_data, 0x00,
> + sizeof(struct ffa_send_direct_data));
>
> + tpm_crb_ffa->direct_msg_data.data1 = func_id;
> + tpm_crb_ffa->direct_msg_data.data2 = a0;
> + tpm_crb_ffa->direct_msg_data.data3 = a1;
> + tpm_crb_ffa->direct_msg_data.data4 = a2;
> +
> + ret = msg_ops->sync_send_receive(tpm_crb_ffa->ffa_dev,
> + &tpm_crb_ffa->direct_msg_data);
> + if (!ret)
> + ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data.data1);
> + }
> + if (ret == -EBUSY)
> + pr_err("TPM says busy, trying again, value, ret: %d\n",
> + ret);
> + else
> + break;
> + usleep_range(50, 100);
> + } while (ktime_before(ktime_get(), stop));
Log a message with the timeout in case the timeout is reached?
>
> return ret;
> }
Kind regards,
Paul
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v4 1/1] tpm_crb_ffa: handle tpm busy return code
2025-06-13 23:31 ` [PATCH v4 1/1] " Prachotan Bathi
2025-06-14 5:22 ` Paul Menzel
@ 2025-06-17 14:40 ` Jarkko Sakkinen
1 sibling, 0 replies; 4+ messages in thread
From: Jarkko Sakkinen @ 2025-06-17 14:40 UTC (permalink / raw)
To: Prachotan Bathi
Cc: Peter Huewe, Jason Gunthorpe, Stuart Yoder, linux-integrity,
linux-kernel
On Fri, Jun 13, 2025 at 06:31:32PM -0500, Prachotan Bathi wrote:
> For CRB over FF-A interface, if the firmwre TPM or TPM service [1] shares
> its Secure Partition (SP) with another service, message requests may
> fail with a -EBUSY error. Platforms supporting direct message request v2[1]
> can support secure partitions that support multiple services.
>
> To handle this, replace the single check and call with a retry loop
> that attempts the TPM message send operation until it succeeds or a
> configurable timeout is reached. The retry mechanism introduces a
> module parameter (`busy_timeout`, default: 2000ms) to control how long
> to keep retrying on -EBUSY responses. Between retries, the code waits
> briefly (50-100 microseconds) to avoid busy-waiting and handling
> TPM BUSY conditions more gracefully.
>
> [1] TPM Service Command Response Buffer Interface Over FF-A
> https://developer.arm.com/documentation/den0138/latest/
>
> Signed-off-by: Prachotan Bathi <prachotan.bathi@arm.com>
> ---
> drivers/char/tpm/tpm_crb_ffa.c | 74 +++++++++++++++++++++++-----------
> 1 file changed, 50 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
> index 4ead61f01299..e47e110bac9e 100644
> --- a/drivers/char/tpm/tpm_crb_ffa.c
> +++ b/drivers/char/tpm/tpm_crb_ffa.c
> @@ -10,6 +10,8 @@
> #define pr_fmt(fmt) "CRB_FFA: " fmt
>
> #include <linux/arm_ffa.h>
> +#include <linux/delay.h>
> +#include <linux/moduleparam.h>
> #include "tpm_crb_ffa.h"
>
> /* TPM service function status codes */
> @@ -178,6 +180,17 @@ int tpm_crb_ffa_init(void)
> }
> EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
>
> +static unsigned int busy_timeout = 2000;
> +/**
> + * busy_timeout - Maximum time to retry before giving up on busy
> + *
> + * This parameter defines the maximum time in milliseconds to retry
> + * sending a message to the TPM service before giving up.
> + */
> +module_param(busy_timeout, uint, 0644);
> +MODULE_PARM_DESC(busy_timeout,
> + "Maximum time to retry before giving up on busy");
> +
> static int __tpm_crb_ffa_send_recieve(unsigned long func_id,
there's BTW a typo ;-) s/recieve/receive
Not your fault but maybe it would make sense to correct that anyhow...
> unsigned long a0,
> unsigned long a1,
> @@ -191,34 +204,47 @@ static int __tpm_crb_ffa_send_recieve(unsigned long func_id,
Maybe this would be less exhausting if you instead would work out the
existing function something like __tpm_crb_ffa_try_send_receive() and
call that in a loop? It would be then similar organization as with
tpm_transmit().
>
> msg_ops = tpm_crb_ffa->ffa_dev->ops->msg_ops;
>
> - if (ffa_partition_supports_direct_req2_recv(tpm_crb_ffa->ffa_dev)) {
> - memset(&tpm_crb_ffa->direct_msg_data2, 0x00,
> - sizeof(struct ffa_send_direct_data2));
> + ktime_t start;
> + ktime_t stop;
> +
> + start = ktime_get();
> + stop = ktime_add(start, ms_to_ktime(busy_timeout));
> +
> + do {
> + if (ffa_partition_supports_direct_req2_recv(tpm_crb_ffa->ffa_dev)) {
> + memset(&tpm_crb_ffa->direct_msg_data2, 0x00,
> + sizeof(struct ffa_send_direct_data2));
nit: could use memzero() instead.
>
> - tpm_crb_ffa->direct_msg_data2.data[0] = func_id;
> - tpm_crb_ffa->direct_msg_data2.data[1] = a0;
> - tpm_crb_ffa->direct_msg_data2.data[2] = a1;
> - tpm_crb_ffa->direct_msg_data2.data[3] = a2;
> + tpm_crb_ffa->direct_msg_data2.data[0] = func_id;
> + tpm_crb_ffa->direct_msg_data2.data[1] = a0;
> + tpm_crb_ffa->direct_msg_data2.data[2] = a1;
> + tpm_crb_ffa->direct_msg_data2.data[3] = a2;
>
> - ret = msg_ops->sync_send_receive2(tpm_crb_ffa->ffa_dev,
> + ret = msg_ops->sync_send_receive2(tpm_crb_ffa->ffa_dev,
> &tpm_crb_ffa->direct_msg_data2);
> - if (!ret)
> - ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data2.data[0]);
> - } else {
> - memset(&tpm_crb_ffa->direct_msg_data, 0x00,
> - sizeof(struct ffa_send_direct_data));
> -
> - tpm_crb_ffa->direct_msg_data.data1 = func_id;
> - tpm_crb_ffa->direct_msg_data.data2 = a0;
> - tpm_crb_ffa->direct_msg_data.data3 = a1;
> - tpm_crb_ffa->direct_msg_data.data4 = a2;
> -
> - ret = msg_ops->sync_send_receive(tpm_crb_ffa->ffa_dev,
> - &tpm_crb_ffa->direct_msg_data);
> - if (!ret)
> - ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data.data1);
> - }
> + if (!ret)
> + ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data2.data[0]);
> + } else {
> + memset(&tpm_crb_ffa->direct_msg_data, 0x00,
> + sizeof(struct ffa_send_direct_data));
>
> + tpm_crb_ffa->direct_msg_data.data1 = func_id;
> + tpm_crb_ffa->direct_msg_data.data2 = a0;
> + tpm_crb_ffa->direct_msg_data.data3 = a1;
> + tpm_crb_ffa->direct_msg_data.data4 = a2;
> +
> + ret = msg_ops->sync_send_receive(tpm_crb_ffa->ffa_dev,
> + &tpm_crb_ffa->direct_msg_data);
> + if (!ret)
> + ret = tpm_crb_ffa_to_linux_errno(tpm_crb_ffa->direct_msg_data.data1);
> + }
> + if (ret == -EBUSY)
> + pr_err("TPM says busy, trying again, value, ret: %d\n",
> + ret);
This is not an error condition but instead a legit condition, as far as
kernel is considered. Please, remove pr_err().
> + else
> + break;
> + usleep_range(50, 100);
> + } while (ktime_before(ktime_get(), stop));
>
> return ret;
> }
> --
> 2.43.0
>
BR, Jarkko
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-06-17 14:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-13 23:31 [PATCH v4 0/1] tpm_crb_ffa: handle tpm busy return code Prachotan Bathi
2025-06-13 23:31 ` [PATCH v4 1/1] " Prachotan Bathi
2025-06-14 5:22 ` Paul Menzel
2025-06-17 14:40 ` Jarkko Sakkinen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).