1// SPDX-License-Identifier: MIT
2/*
3 * AMD Trusted Execution Environment (TEE) interface
4 *
5 * Author: Rijo Thomas <Rijo-john.Thomas@amd.com>
6 * Author: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
7 *
8 * Copyright (C) 2019,2021 Advanced Micro Devices, Inc.
9 */
10
11#include <linux/bitfield.h>
12#include <linux/types.h>
13#include <linux/mutex.h>
14#include <linux/delay.h>
15#include <linux/slab.h>
16#include <linux/gfp.h>
17#include <linux/psp.h>
18#include <linux/psp-tee.h>
19
20#include "psp-dev.h"
21#include "tee-dev.h"
22
23static bool psp_dead;
24
25static int tee_alloc_ring(struct psp_tee_device *tee, int ring_size)
26{
27	struct ring_buf_manager *rb_mgr = &tee->rb_mgr;
28	void *start_addr;
29
30	if (!ring_size)
31		return -EINVAL;
32
33	/* We need actual physical address instead of DMA address, since
34	 * Trusted OS running on AMD Secure Processor will map this region
35	 */
36	start_addr = (void *)__get_free_pages(GFP_KERNEL, get_order(ring_size));
37	if (!start_addr)
38		return -ENOMEM;
39
40	memset(start_addr, 0x0, ring_size);
41	rb_mgr->ring_start = start_addr;
42	rb_mgr->ring_size = ring_size;
43	rb_mgr->ring_pa = __psp_pa(start_addr);
44	mutex_init(&rb_mgr->mutex);
45
46	return 0;
47}
48
49static void tee_free_ring(struct psp_tee_device *tee)
50{
51	struct ring_buf_manager *rb_mgr = &tee->rb_mgr;
52
53	if (!rb_mgr->ring_start)
54		return;
55
56	free_pages((unsigned long)rb_mgr->ring_start,
57		   get_order(rb_mgr->ring_size));
58
59	rb_mgr->ring_start = NULL;
60	rb_mgr->ring_size = 0;
61	rb_mgr->ring_pa = 0;
62	mutex_destroy(&rb_mgr->mutex);
63}
64
65static int tee_wait_cmd_poll(struct psp_tee_device *tee, unsigned int timeout,
66			     unsigned int *reg)
67{
68	/* ~10ms sleep per loop => nloop = timeout * 100 */
69	int nloop = timeout * 100;
70
71	while (--nloop) {
72		*reg = ioread32(tee->io_regs + tee->vdata->cmdresp_reg);
73		if (FIELD_GET(PSP_CMDRESP_RESP, *reg))
74			return 0;
75
76		usleep_range(10000, 10100);
77	}
78
79	dev_err(tee->dev, "tee: command timed out, disabling PSP\n");
80	psp_dead = true;
81
82	return -ETIMEDOUT;
83}
84
85static
86struct tee_init_ring_cmd *tee_alloc_cmd_buffer(struct psp_tee_device *tee)
87{
88	struct tee_init_ring_cmd *cmd;
89
90	cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
91	if (!cmd)
92		return NULL;
93
94	cmd->hi_addr = upper_32_bits(tee->rb_mgr.ring_pa);
95	cmd->low_addr = lower_32_bits(tee->rb_mgr.ring_pa);
96	cmd->size = tee->rb_mgr.ring_size;
97
98	dev_dbg(tee->dev, "tee: ring address: high = 0x%x low = 0x%x size = %u\n",
99		cmd->hi_addr, cmd->low_addr, cmd->size);
100
101	return cmd;
102}
103
104static inline void tee_free_cmd_buffer(struct tee_init_ring_cmd *cmd)
105{
106	kfree(cmd);
107}
108
109static int tee_init_ring(struct psp_tee_device *tee)
110{
111	int ring_size = MAX_RING_BUFFER_ENTRIES * sizeof(struct tee_ring_cmd);
112	struct tee_init_ring_cmd *cmd;
113	phys_addr_t cmd_buffer;
114	unsigned int reg;
115	int ret;
116
117	BUILD_BUG_ON(sizeof(struct tee_ring_cmd) != 1024);
118
119	ret = tee_alloc_ring(tee, ring_size);
120	if (ret) {
121		dev_err(tee->dev, "tee: ring allocation failed %d\n", ret);
122		return ret;
123	}
124
125	tee->rb_mgr.wptr = 0;
126
127	cmd = tee_alloc_cmd_buffer(tee);
128	if (!cmd) {
129		tee_free_ring(tee);
130		return -ENOMEM;
131	}
132
133	cmd_buffer = __psp_pa((void *)cmd);
134
135	/* Send command buffer details to Trusted OS by writing to
136	 * CPU-PSP message registers
137	 */
138
139	iowrite32(lower_32_bits(cmd_buffer),
140		  tee->io_regs + tee->vdata->cmdbuff_addr_lo_reg);
141	iowrite32(upper_32_bits(cmd_buffer),
142		  tee->io_regs + tee->vdata->cmdbuff_addr_hi_reg);
143	iowrite32(TEE_RING_INIT_CMD,
144		  tee->io_regs + tee->vdata->cmdresp_reg);
145
146	ret = tee_wait_cmd_poll(tee, TEE_DEFAULT_TIMEOUT, &reg);
147	if (ret) {
148		dev_err(tee->dev, "tee: ring init command timed out\n");
149		tee_free_ring(tee);
150		goto free_buf;
151	}
152
153	if (FIELD_GET(PSP_CMDRESP_STS, reg)) {
154		dev_err(tee->dev, "tee: ring init command failed (%#010lx)\n",
155			FIELD_GET(PSP_CMDRESP_STS, reg));
156		tee_free_ring(tee);
157		ret = -EIO;
158	}
159
160free_buf:
161	tee_free_cmd_buffer(cmd);
162
163	return ret;
164}
165
166static void tee_destroy_ring(struct psp_tee_device *tee)
167{
168	unsigned int reg;
169	int ret;
170
171	if (!tee->rb_mgr.ring_start)
172		return;
173
174	if (psp_dead)
175		goto free_ring;
176
177	iowrite32(TEE_RING_DESTROY_CMD,
178		  tee->io_regs + tee->vdata->cmdresp_reg);
179
180	ret = tee_wait_cmd_poll(tee, TEE_DEFAULT_TIMEOUT, &reg);
181	if (ret) {
182		dev_err(tee->dev, "tee: ring destroy command timed out\n");
183	} else if (FIELD_GET(PSP_CMDRESP_STS, reg)) {
184		dev_err(tee->dev, "tee: ring destroy command failed (%#010lx)\n",
185			FIELD_GET(PSP_CMDRESP_STS, reg));
186	}
187
188free_ring:
189	tee_free_ring(tee);
190}
191
192int tee_dev_init(struct psp_device *psp)
193{
194	struct device *dev = psp->dev;
195	struct psp_tee_device *tee;
196	int ret;
197
198	ret = -ENOMEM;
199	tee = devm_kzalloc(dev, sizeof(*tee), GFP_KERNEL);
200	if (!tee)
201		goto e_err;
202
203	psp->tee_data = tee;
204
205	tee->dev = dev;
206	tee->psp = psp;
207
208	tee->io_regs = psp->io_regs;
209
210	tee->vdata = (struct tee_vdata *)psp->vdata->tee;
211	if (!tee->vdata) {
212		ret = -ENODEV;
213		dev_err(dev, "tee: missing driver data\n");
214		goto e_err;
215	}
216
217	ret = tee_init_ring(tee);
218	if (ret) {
219		dev_err(dev, "tee: failed to init ring buffer\n");
220		goto e_err;
221	}
222
223	dev_notice(dev, "tee enabled\n");
224
225	return 0;
226
227e_err:
228	psp->tee_data = NULL;
229
230	dev_notice(dev, "tee initialization failed\n");
231
232	return ret;
233}
234
235void tee_dev_destroy(struct psp_device *psp)
236{
237	struct psp_tee_device *tee = psp->tee_data;
238
239	if (!tee)
240		return;
241
242	tee_destroy_ring(tee);
243}
244
245static int tee_submit_cmd(struct psp_tee_device *tee, enum tee_cmd_id cmd_id,
246			  void *buf, size_t len, struct tee_ring_cmd **resp)
247{
248	struct tee_ring_cmd *cmd;
249	int nloop = 1000, ret = 0;
250	u32 rptr;
251
252	*resp = NULL;
253
254	mutex_lock(&tee->rb_mgr.mutex);
255
256	/* Loop until empty entry found in ring buffer */
257	do {
258		/* Get pointer to ring buffer command entry */
259		cmd = (struct tee_ring_cmd *)
260			(tee->rb_mgr.ring_start + tee->rb_mgr.wptr);
261
262		rptr = ioread32(tee->io_regs + tee->vdata->ring_rptr_reg);
263
264		/* Check if ring buffer is full or command entry is waiting
265		 * for response from TEE
266		 */
267		if (!(tee->rb_mgr.wptr + sizeof(struct tee_ring_cmd) == rptr ||
268		      cmd->flag == CMD_WAITING_FOR_RESPONSE))
269			break;
270
271		dev_dbg(tee->dev, "tee: ring buffer full. rptr = %u wptr = %u\n",
272			rptr, tee->rb_mgr.wptr);
273
274		/* Wait if ring buffer is full or TEE is processing data */
275		mutex_unlock(&tee->rb_mgr.mutex);
276		schedule_timeout_interruptible(msecs_to_jiffies(10));
277		mutex_lock(&tee->rb_mgr.mutex);
278
279	} while (--nloop);
280
281	if (!nloop &&
282	    (tee->rb_mgr.wptr + sizeof(struct tee_ring_cmd) == rptr ||
283	     cmd->flag == CMD_WAITING_FOR_RESPONSE)) {
284		dev_err(tee->dev, "tee: ring buffer full. rptr = %u wptr = %u response flag %u\n",
285			rptr, tee->rb_mgr.wptr, cmd->flag);
286		ret = -EBUSY;
287		goto unlock;
288	}
289
290	/* Do not submit command if PSP got disabled while processing any
291	 * command in another thread
292	 */
293	if (psp_dead) {
294		ret = -EBUSY;
295		goto unlock;
296	}
297
298	/* Write command data into ring buffer */
299	cmd->cmd_id = cmd_id;
300	cmd->cmd_state = TEE_CMD_STATE_INIT;
301	memset(&cmd->buf[0], 0, sizeof(cmd->buf));
302	memcpy(&cmd->buf[0], buf, len);
303
304	/* Indicate driver is waiting for response */
305	cmd->flag = CMD_WAITING_FOR_RESPONSE;
306
307	/* Update local copy of write pointer */
308	tee->rb_mgr.wptr += sizeof(struct tee_ring_cmd);
309	if (tee->rb_mgr.wptr >= tee->rb_mgr.ring_size)
310		tee->rb_mgr.wptr = 0;
311
312	/* Trigger interrupt to Trusted OS */
313	iowrite32(tee->rb_mgr.wptr, tee->io_regs + tee->vdata->ring_wptr_reg);
314
315	/* The response is provided by Trusted OS in same
316	 * location as submitted data entry within ring buffer.
317	 */
318	*resp = cmd;
319
320unlock:
321	mutex_unlock(&tee->rb_mgr.mutex);
322
323	return ret;
324}
325
326static int tee_wait_cmd_completion(struct psp_tee_device *tee,
327				   struct tee_ring_cmd *resp,
328				   unsigned int timeout)
329{
330	/* ~1ms sleep per loop => nloop = timeout * 1000 */
331	int nloop = timeout * 1000;
332
333	while (--nloop) {
334		if (resp->cmd_state == TEE_CMD_STATE_COMPLETED)
335			return 0;
336
337		usleep_range(1000, 1100);
338	}
339
340	dev_err(tee->dev, "tee: command 0x%x timed out, disabling PSP\n",
341		resp->cmd_id);
342
343	psp_dead = true;
344
345	return -ETIMEDOUT;
346}
347
348int psp_tee_process_cmd(enum tee_cmd_id cmd_id, void *buf, size_t len,
349			u32 *status)
350{
351	struct psp_device *psp = psp_get_master_device();
352	struct psp_tee_device *tee;
353	struct tee_ring_cmd *resp;
354	int ret;
355
356	if (!buf || !status || !len || len > sizeof(resp->buf))
357		return -EINVAL;
358
359	*status = 0;
360
361	if (!psp || !psp->tee_data)
362		return -ENODEV;
363
364	if (psp_dead)
365		return -EBUSY;
366
367	tee = psp->tee_data;
368
369	ret = tee_submit_cmd(tee, cmd_id, buf, len, &resp);
370	if (ret)
371		return ret;
372
373	ret = tee_wait_cmd_completion(tee, resp, TEE_DEFAULT_TIMEOUT);
374	if (ret) {
375		resp->flag = CMD_RESPONSE_TIMEDOUT;
376		return ret;
377	}
378
379	memcpy(buf, &resp->buf[0], len);
380	*status = resp->status;
381
382	resp->flag = CMD_RESPONSE_COPIED;
383
384	return 0;
385}
386EXPORT_SYMBOL(psp_tee_process_cmd);
387
388int psp_check_tee_status(void)
389{
390	struct psp_device *psp = psp_get_master_device();
391
392	if (!psp || !psp->tee_data)
393		return -ENODEV;
394
395	return 0;
396}
397EXPORT_SYMBOL(psp_check_tee_status);
398