1/* 2 * rpmb_driver.c 3 * 4 * rpmb driver function, such as ioctl 5 * 6 * Copyright (C) 2022 Huawei Technologies Co., Ltd. 7 * 8 * This software is licensed under the terms of the GNU General Public 9 * License version 2, as published by the Free Software Foundation, and 10 * may be copied, distributed, and modified under those terms. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 */ 17#include "rpmb_driver.h" 18#include <securec.h> 19 20#include <linux/mmc/card.h> /* for struct mmc_card */ 21#include <linux/rpmb.h> 22#include <linux/mmc/sd.h> 23 24#ifdef CONFIG_MTK_UFS_SUPPORT 25#include "ufs-mtk.h" 26#endif 27#include <mt-plat/mtk_boot.h> 28#include "core.h" 29#include "card.h" 30#include "mmc_ops.h" 31#include "mtk_sd.h" 32#include "tc_ns_log.h" 33#include "queue.h" 34 35#define IOC_CMD_0 0 36#define IOC_CMD_1 1 37#define IOC_CMD_2 2 38#define STORAGE_IOC_MAX_RPMB_CMD 3 39#define RPMB_EMMC_CID_SIZE 32 40#define RPMB_CTRL_MAGIC 0x5A5A5A5A 41#define RPMB_REQ 1 /* RPMB request mark */ 42#define RPMB_RESP (1 << 1) /* RPMB response mark*/ 43#define RPMB_PROGRAM_KEY 0x1 /* Program RPMB Authentication Key */ 44#define RPMB_GET_WRITE_COUNTER 0x2 /* Read RPMB write counter */ 45#define RPMB_WRITE_DATA 0x3 /* Write data to RPMB partition */ 46#define RPMB_READ_DATA 0x4 /* Read data from RPMB partition */ 47#define RPMB_RESULT_READ 0x5 /* Read result request (Internal) */ 48 49struct emmc_rpmb_blk_data { 50 spinlock_t lock; 51 struct device *parent; 52 struct gendisk *disk; 53 struct mmc_queue queue; 54 struct list_head part; 55 uint32_t flags; 56 uint32_t usage; 57 uint32_t read_only; 58 uint32_t part_type; 59 uint32_t reset_done; 60 uint32_t part_curr; // keep curr partition 61 struct device_attribute force_ro; 62 struct device_attribute power_ro_lock; 63 int32_t area_type; 64}; 65 66static int32_t emmc_rpmb_switch(struct mmc_card *card, 67 struct emmc_rpmb_blk_data *md) 68{ 69 int32_t ret; 70 struct emmc_rpmb_blk_data *main_md = NULL; 71 72 if (card == NULL) 73 return -1; 74 75 main_md = dev_get_drvdata(&card->dev); 76 if (main_md == NULL) 77 return -1; 78 79 if (main_md->part_curr == md->part_type) 80 return 0; 81 82#if defined(CONFIG_MTK_EMMC_CQ_SUPPORT) || defined(CONFIG_MTK_EMMC_HW_CQ) 83 if (mmc_card_cmdq(card)) { 84 ret = mmc_cmdq_disable(card); 85 if (ret) { 86 tloge("CQ disabled failed!!! ret: 0x%x\n", ret); 87 return ret; 88 } 89 } 90#endif 91 92 if (mmc_card_mmc(card) != 0) { 93 uint8_t cfg = card->ext_csd.part_config; 94 95 cfg &= ~EXT_CSD_PART_CONFIG_ACC_MASK; 96 cfg |= md->part_type; 97 98 ret = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, 99 EXT_CSD_PART_CONFIG, 100 cfg, card->ext_csd.part_time); 101 if (ret) 102 return ret; 103 104 card->ext_csd.part_config = cfg; 105 } 106 107#if defined(CONFIG_MTK_EMMC_CQ_SUPPORT) || defined(CONFIG_MTK_EMMC_HW_CQ) 108 /* enable cmdq at user partition */ 109 if (!mmc_card_cmdq(card) && (md->part_type <= 0)) { 110 ret = mmc_cmdq_enable(card); 111 if (ret) 112 tloge("%s enable CMDQ error %d, so just work without\n", 113 mmc_hostname(card->host), ret); 114 } 115#endif 116 117#if defined(CONFIG_MTK_EMMC_HW_CQ) 118 card->part_curr = md->part_type; 119#endif 120 main_md->part_curr = md->part_type; 121 return 0; 122} 123 124#define RPMB_BLOCK_SIZE 512 125static void set_sbc(__u16 blks, __u16 type, u8 req_type, 126 struct mmc_command *sbc) 127{ 128 sbc->opcode = MMC_SET_BLOCK_COUNT; 129 sbc->arg = blks; 130 if ((req_type == RPMB_REQ && type == RPMB_WRITE_DATA) || 131 type == RPMB_PROGRAM_KEY) 132 sbc->arg |= 1 << 31; 133 sbc->flags = MMC_RSP_R1 | MMC_CMD_AC; 134} 135 136static void rpmb_send_req_cmd(struct mmc_card *card, 137 struct storage_blk_ioc_rpmb_data *storage_data, 138 __u16 blks, __u16 type, struct mmc_request *request) 139{ 140 request->cmd->opcode = MMC_WRITE_MULTIPLE_BLOCK; 141 request->data->flags |= MMC_DATA_WRITE; 142 if (type == RPMB_RESULT_READ) { 143 /* this is the step2 for write data cmd and write key cmd */ 144 sg_copy_from_buffer(request->data->sg, 1, 145 storage_data->data[IOC_CMD_1].buf, RPMB_BLOCK_SIZE * blks); 146 } else { 147 /* this is step 1 for read data and read counter */ 148 sg_copy_from_buffer(request->data->sg, 1, 149 storage_data->data[IOC_CMD_0].buf, RPMB_BLOCK_SIZE * blks); 150 } 151 mmc_set_data_timeout(request->data, card); 152 mmc_wait_for_req(card->host, request); 153} 154 155static void resp_get_sg(struct storage_blk_ioc_rpmb_data *storage_data, 156 __u16 blks, __u16 type, struct scatterlist *sg) 157{ 158 bool read_type = (type == RPMB_READ_DATA) || 159 (type == RPMB_GET_WRITE_COUNTER); 160 bool write_type = (type == RPMB_WRITE_DATA) || 161 (type == RPMB_PROGRAM_KEY); 162 if (read_type) { 163 if (storage_data->data[IOC_CMD_1].buf != NULL) 164 sg_copy_to_buffer(sg, 1, storage_data->data[IOC_CMD_1].buf, 165 RPMB_BLOCK_SIZE * blks); 166 else 167 tloge("invalid data1buff, is null\n"); 168 } else if (write_type) { 169 if (storage_data->data[IOC_CMD_2].buf != NULL) 170 sg_copy_to_buffer(sg, 1, storage_data->data[IOC_CMD_2].buf, 171 RPMB_BLOCK_SIZE * blks); 172 else 173 tloge("invalid data1buff, is null\n"); 174 } else { 175 /* do nothing */ 176 tloge("invalid reqtype %d\n", type); 177 } 178} 179 180static void rpmb_send_resp_cmd(struct mmc_card *card, 181 struct storage_blk_ioc_rpmb_data *storage_data, 182 __u16 blks, __u16 type, struct mmc_request *request) 183{ 184 request->cmd->opcode = MMC_READ_MULTIPLE_BLOCK; 185 request->data->flags |= MMC_DATA_READ; 186 mmc_set_data_timeout(request->data, card); 187 mmc_wait_for_req(card->host, request); 188 resp_get_sg(storage_data, blks, type, request->data->sg); 189} 190 191static int emmc_rpmb_send_command(struct mmc_card *card, 192 struct storage_blk_ioc_rpmb_data *storage_data, 193 __u16 blks, __u16 type, u8 req_type) 194{ 195 struct mmc_command cmd = {0}; 196 struct mmc_command sbc = {0}; 197 struct mmc_data data = {0}; 198 struct mmc_request request = {NULL}; 199 struct scatterlist sg; 200 u8 *transfer_buf = NULL; 201 202 if (blks == 0) { 203 tloge("Invalid blks: 0\n"); 204 return -EINVAL; 205 } 206 207 set_sbc(blks, type, req_type, &sbc); 208 request.sbc = &sbc; 209 210 cmd.arg = 0; 211 cmd.flags = MMC_RSP_R1 | MMC_CMD_ADTC; 212 request.cmd = &cmd; 213 214 data.blksz = RPMB_BLOCK_SIZE; 215 data.blocks = blks; 216 data.sg = &sg; 217 data.sg_len = 1; 218 request.data = &data; 219 220 request.stop = NULL; 221 222 transfer_buf = kzalloc(RPMB_BLOCK_SIZE * blks, GFP_KERNEL); 223 if (transfer_buf == NULL) 224 return -ENOMEM; 225 226 sg_init_one(&sg, transfer_buf, RPMB_BLOCK_SIZE * blks); 227 228 if (req_type == RPMB_REQ) 229 rpmb_send_req_cmd(card, storage_data, blks, type, &request); 230 else 231 rpmb_send_resp_cmd(card, storage_data, blks, type, &request); 232 233 kfree(transfer_buf); 234 235 if (cmd.error) 236 return cmd.error; 237 else if (data.error) 238 return data.error; 239 else 240 return 0; 241} 242 243static int emmc_rpmb_cmd_proc(struct mmc_card *card, unsigned short type, 244 struct storage_blk_ioc_rpmb_data *storage_data) 245{ 246 int err = 0; 247 248 /* STEP 1: send request to RPMB partition */ 249 if (type == RPMB_WRITE_DATA) { 250 err = emmc_rpmb_send_command(card, storage_data, 251 storage_data->data[IOC_CMD_0].blocks, type, RPMB_REQ); 252 } else { 253 /* assemble the frame */ 254 storage_data->data[IOC_CMD_0].blocks = storage_data->data[IOC_CMD_1].blocks; 255 err = emmc_rpmb_send_command(card, storage_data, 256 1, type, RPMB_REQ); 257 } 258 if (err != 0) { 259 tloge("step 1, request failed err-%d\n", err); 260 goto out; 261 } 262 263 /* STEP 2: check write result. Only for WRITE_DATA or Program key */ 264 if (type == RPMB_WRITE_DATA || type == RPMB_PROGRAM_KEY) { 265 err = emmc_rpmb_send_command(card, storage_data, 266 1, RPMB_RESULT_READ, RPMB_REQ); 267 if (err != 0) { 268 tloge("step 2, request result failed err-%d\n", err); 269 goto out; 270 } 271 } 272 273 /* STEP 3: get response from RPMB partition */ 274 if (type == RPMB_READ_DATA) 275 err = emmc_rpmb_send_command(card, storage_data, 276 storage_data->data[IOC_CMD_0].blocks, type, RPMB_RESP); 277 else 278 err = emmc_rpmb_send_command(card, storage_data, 1, 279 type, RPMB_RESP); 280 if (err != 0) 281 tloge("step 3, response failed err-%d\n", err); 282 283out: 284 return err; 285} 286 287static int rpmb_operation_emmc(enum rpmb_op_type operation, 288 struct storage_blk_ioc_rpmb_data *storage_data) 289{ 290 struct emmc_rpmb_blk_data *part_md = NULL; 291 int ret; 292 struct emmc_rpmb_blk_data *md = NULL; 293 294 struct mmc_card *card = get_card_from_mtk_msdc_host(); 295 if (card == NULL) 296 return -1; 297 298 md = dev_get_drvdata(&card->dev); 299 if (md == NULL) 300 return -1; 301 302 list_for_each_entry(part_md, &md->part, part) { 303 if (part_md->part_type == EXT_CSD_PART_CONFIG_ACC_RPMB) 304 break; 305 } 306 307 if (part_md->part_type != EXT_CSD_PART_CONFIG_ACC_RPMB) 308 return -1; 309 310 mmc_get_card(card); 311 ret = emmc_rpmb_switch(card, part_md); 312 if (ret != 0) { 313 tloge("emmc switch to rpmb failed ret-%x\n", ret); 314 goto error; 315 } 316 317 switch (operation) { 318 case RPMB_OP_RD: 319 ret = emmc_rpmb_cmd_proc(card, RPMB_READ_DATA, storage_data); 320 break; 321 case RPMB_OP_WR_CNT: 322 ret = emmc_rpmb_cmd_proc(card, RPMB_GET_WRITE_COUNTER, 323 storage_data); 324 break; 325 case RPMB_OP_WR_DATA: 326 ret = emmc_rpmb_cmd_proc(card, RPMB_WRITE_DATA, storage_data); 327 break; 328 default: 329 tloge("receive an unknown operation %d\n", operation); 330 goto error; 331 } 332 if (ret != 0) 333 tloge("emmc rpmb cmd proc failed ret-%x\n", ret); 334 335error: 336 ret = emmc_rpmb_switch(card, dev_get_drvdata(&card->dev)); 337 if (ret != 0) 338 tloge("emmc switch to main failed ret-%x\n", ret); 339 340 mmc_put_card(card); 341 342 return ret; 343} 344 345static int rpmb_req_read_data_ufs( 346 struct storage_blk_ioc_rpmb_data *storage_data) 347{ 348 struct rpmb_data data; 349 struct rpmb_dev *rawdev_ufs_rpmb = NULL; 350 int ret; 351 uint16_t blk_cnt; 352 353 rawdev_ufs_rpmb = ufs_mtk_rpmb_get_raw_dev(); 354 355 blk_cnt = storage_data->data[1].blocks; 356 tlogd("rpmb read data ufs, blk_cnt: %u\n", blk_cnt); 357 358 data.req_type = RPMB_READ_DATA; 359 data.icmd.nframes = 1; 360 data.icmd.frames = (struct rpmb_frame *)storage_data->data[IOC_CMD_0].buf; 361 362 /* 363 * We need to fill-in block_count by ourselves for UFS case. 364 */ 365 data.icmd.frames->block_count = cpu_to_be16(blk_cnt); 366 367 data.ocmd.nframes = blk_cnt; 368 data.ocmd.frames = (struct rpmb_frame *)storage_data->data[IOC_CMD_1].buf; 369 370 ret = rpmb_cmd_req(rawdev_ufs_rpmb, &data); 371 if (ret != 0) 372 tloge("rpmb req ufs error, ret:0x%x\n", ret); 373 374 tlogd("result 0x%x\n", cpu_to_be16(data.ocmd.frames->result)); 375 376 return ret; 377} 378 379static int rpmb_req_write_data_ufs( 380 struct storage_blk_ioc_rpmb_data *storage_data) 381{ 382 struct rpmb_data data; 383 struct rpmb_dev *rawdev_ufs_rpmb = NULL; 384 int ret; 385 uint16_t blk_cnt; 386 387 rawdev_ufs_rpmb = ufs_mtk_rpmb_get_raw_dev(); 388 389 blk_cnt = storage_data->data[IOC_CMD_0].blocks; 390 391 tlogd("blk_cnt: %d\n", blk_cnt); 392 393 /* 394 * Alloc output frame to avoid overwriting input frame 395 * buffer provided by TEE 396 */ 397 data.ocmd.frames = kzalloc(sizeof(struct rpmb_frame), 0); 398 if (data.ocmd.frames == NULL) 399 return RPMB_ALLOC_ERROR; 400 401 data.ocmd.nframes = 1; 402 403 data.req_type = RPMB_WRITE_DATA; 404 data.icmd.nframes = blk_cnt; 405 data.icmd.frames = (struct rpmb_frame *)storage_data->data[IOC_CMD_0].buf; 406 407 ret = rpmb_cmd_req(rawdev_ufs_rpmb, &data); 408 if (ret != 0) 409 tloge("rpmb_req write_data_ufs error, ret:0x%x\n", ret); 410 411 /* 412 * Microtrust TEE will check write counter in the first frame, 413 * thus we copy response frame to the first frame. 414 */ 415 if (storage_data->data[IOC_CMD_2].buf == NULL) { 416 ret = -1; 417 goto free; 418 } 419 420 ret = memcpy_s(storage_data->data[IOC_CMD_2].buf, 421 storage_data->data[IOC_CMD_2].buf_bytes, 422 data.ocmd.frames, sizeof(*(data.ocmd.frames))); 423 if (ret != EOK) 424 tloge("frames copy fail, ret:0x%x\n", ret); 425 426 tlogd("result 0x%x\n", cpu_to_be16(data.ocmd.frames->result)); 427 428free: 429 kfree(data.ocmd.frames); 430 431 return ret; 432} 433 434static int rpmb_req_get_wc_ufs(u8 *key, u32 *wc, 435 struct storage_blk_ioc_rpmb_data *storage_data) 436{ 437 struct rpmb_data data; 438 struct rpmb_dev *rawdev_ufs_rpmb = NULL; 439 int ret; 440 441 tlogd("rpmb_req_get_wc_ufs start!!!\n"); 442 443 rawdev_ufs_rpmb = ufs_mtk_rpmb_get_raw_dev(); 444 445 /* 446 * Initial frame buffers 447 */ 448 data.icmd.frames = (struct rpmb_frame *)storage_data->data[IOC_CMD_0].buf; 449 data.ocmd.frames = (struct rpmb_frame *)storage_data->data[IOC_CMD_1].buf; 450 451 /* 452 * Prepare frame contents. 453 * Input frame (in view of device) only needs nonce 454 */ 455 data.req_type = RPMB_GET_WRITE_COUNTER; 456 data.icmd.nframes = 1; 457 458 /* Output frame (in view of device) */ 459 data.ocmd.nframes = 1; 460 ret = rpmb_cmd_req(rawdev_ufs_rpmb, &data); 461 if (ret != 0) 462 tloge("rpmb_req_get_wc_ufs error!!! ret:0x%x\n", ret); 463 464 tlogd("end\n"); 465 466 return ret; 467} 468 469#ifdef CONFIG_MTK_UFS_SUPPORT 470static int rpmb_operation_ufs(enum rpmb_op_type operation, 471 struct storage_blk_ioc_rpmb_data *storage_data) 472{ 473 int ret = -1; 474 475 switch (operation) { 476 case RPMB_OP_RD: 477 ret = rpmb_req_read_data_ufs(storage_data); 478 break; 479 case RPMB_OP_WR_CNT: 480 ret = rpmb_req_get_wc_ufs(NULL, NULL, storage_data); 481 break; 482 case RPMB_OP_WR_DATA: 483 ret = rpmb_req_write_data_ufs(storage_data); 484 break; 485 default: 486 tloge("receive an unknown command id %d.\n", operation); 487 break; 488 } 489 490 return ret; 491} 492#endif 493 494int rpmb_ioctl_cmd(enum func_id id, enum rpmb_op_type operation, 495 struct storage_blk_ioc_rpmb_data *storage_data) 496{ 497 int ret = 0; 498 int boot_type; 499 500 if (storage_data == NULL) 501 return -1; 502 503 boot_type = get_boot_type(); 504 if (boot_type == BOOTDEV_SDMMC) 505 ret = rpmb_operation_emmc(operation, storage_data); 506#ifdef CONFIG_MTK_UFS_SUPPORT 507 else if (boot_type == BOOTDEV_UFS) 508 ret = rpmb_operation_ufs(operation, storage_data); 509#endif 510 return ret; 511}