[PATCH v4 4/7] dma-buf: heaps: restricted_heap: Add dma_ops
Daniel Vetter
daniel at ffwll.ch
Fri Jan 12 01:41:14 PST 2024
On Fri, Jan 12, 2024 at 05:20:11PM +0800, Yong Wu wrote:
> Add the dma_ops for this restricted heap. For restricted buffer,
> cache_ops/mmap are not allowed, thus return EPERM for them.
>
> Signed-off-by: Yong Wu <yong.wu at mediatek.com>
> ---
> drivers/dma-buf/heaps/restricted_heap.c | 103 ++++++++++++++++++++++++
> 1 file changed, 103 insertions(+)
>
> diff --git a/drivers/dma-buf/heaps/restricted_heap.c b/drivers/dma-buf/heaps/restricted_heap.c
> index 8c266a0f6192..ec4c63d2112d 100644
> --- a/drivers/dma-buf/heaps/restricted_heap.c
> +++ b/drivers/dma-buf/heaps/restricted_heap.c
> @@ -12,6 +12,10 @@
>
> #include "restricted_heap.h"
>
> +struct restricted_heap_attachment {
> + struct sg_table *table;
> +};
> +
> static int
> restricted_heap_memory_allocate(struct restricted_heap *heap, struct restricted_buffer *buf)
> {
> @@ -45,6 +49,104 @@ restricted_heap_memory_free(struct restricted_heap *heap, struct restricted_buff
> ops->memory_free(heap, buf);
> }
>
> +static int restricted_heap_attach(struct dma_buf *dmabuf, struct dma_buf_attachment *attachment)
> +{
> + struct restricted_buffer *restricted_buf = dmabuf->priv;
> + struct restricted_heap_attachment *a;
> + struct sg_table *table;
> + int ret;
> +
> + a = kzalloc(sizeof(*a), GFP_KERNEL);
> + if (!a)
> + return -ENOMEM;
> +
> + table = kzalloc(sizeof(*table), GFP_KERNEL);
> + if (!table) {
> + ret = -ENOMEM;
> + goto err_free_attach;
> + }
> +
> + ret = sg_alloc_table(table, 1, GFP_KERNEL);
> + if (ret)
> + goto err_free_sgt;
> + sg_set_page(table->sgl, NULL, restricted_buf->size, 0);
So this is definitely broken and violating the dma-buf api rules. You
cannot let attach succed and supply a dummy/invalid sg table.
Two options:
- Reject ->attach for all this buffers with -EBUSY and provide instead a
private api for these secure buffers, similar to how virtio_dma_buf has
private virto-specific apis. This interface would need to be
standardized across all arm TEE users, so that we don't have a
disastrous proliferation of apis.
- Allow ->attach, but _only_ for drivers/devices which can access the
secure buffer correctly, and only if you can put the right secure buffer
address into the sg table directly. If dma to a secure buffer for a
given struct device * will not work correctly (i.e. without data
corruption), you _must_ reject the attach attempt with -EBUSY.
The 2nd approach would be my preferred one, if it's technically possible.
Also my understanding is that arm TEE is standardized, so I think we'll at
least want some acks from other soc people whether this will work for them
too.
Finally the usual drill:
- this also needs the driver side support, if there's any changes needed.
Just the new heap isn't enough.
- and for drm you need open userspace for this. Doesn't have to be the
full content protection decode pipeline, the drivers in drm that landed
secure buffer support thus far enabled it using the
EGL_EXT_protected_content extension using gl, which side steps all the
complications around content decryption keys and support
Cheers, Sima
> +
> + a->table = table;
> + attachment->priv = a;
> +
> + return 0;
> +
> +err_free_sgt:
> + kfree(table);
> +err_free_attach:
> + kfree(a);
> + return ret;
> +}
> +
> +static void restricted_heap_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attachment)
> +{
> + struct restricted_heap_attachment *a = attachment->priv;
> +
> + sg_free_table(a->table);
> + kfree(a->table);
> + kfree(a);
> +}
> +
> +static struct sg_table *
> +restricted_heap_map_dma_buf(struct dma_buf_attachment *attachment, enum dma_data_direction direct)
> +{
> + struct restricted_heap_attachment *a = attachment->priv;
> + struct sg_table *table = a->table;
> +
> + return table;
> +}
> +
> +static void
> +restricted_heap_unmap_dma_buf(struct dma_buf_attachment *attachment, struct sg_table *table,
> + enum dma_data_direction direction)
> +{
> + struct restricted_heap_attachment *a = attachment->priv;
> +
> + WARN_ON(a->table != table);
> +}
> +
> +static int
> +restricted_heap_dma_buf_begin_cpu_access(struct dma_buf *dmabuf, enum dma_data_direction direction)
> +{
> + return -EPERM;
> +}
> +
> +static int
> +restricted_heap_dma_buf_end_cpu_access(struct dma_buf *dmabuf, enum dma_data_direction direction)
> +{
> + return -EPERM;
> +}
> +
> +static int restricted_heap_dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma)
> +{
> + return -EPERM;
> +}
> +
> +static void restricted_heap_free(struct dma_buf *dmabuf)
> +{
> + struct restricted_buffer *restricted_buf = dmabuf->priv;
> + struct restricted_heap *heap = dma_heap_get_drvdata(restricted_buf->heap);
> +
> + restricted_heap_memory_free(heap, restricted_buf);
> + kfree(restricted_buf);
> +}
> +
> +static const struct dma_buf_ops restricted_heap_buf_ops = {
> + .attach = restricted_heap_attach,
> + .detach = restricted_heap_detach,
> + .map_dma_buf = restricted_heap_map_dma_buf,
> + .unmap_dma_buf = restricted_heap_unmap_dma_buf,
> + .begin_cpu_access = restricted_heap_dma_buf_begin_cpu_access,
> + .end_cpu_access = restricted_heap_dma_buf_end_cpu_access,
> + .mmap = restricted_heap_dma_buf_mmap,
> + .release = restricted_heap_free,
> +};
> +
> static struct dma_buf *
> restricted_heap_allocate(struct dma_heap *heap, unsigned long size,
> unsigned long fd_flags, unsigned long heap_flags)
> @@ -66,6 +168,7 @@ restricted_heap_allocate(struct dma_heap *heap, unsigned long size,
> if (ret)
> goto err_free_buf;
> exp_info.exp_name = dma_heap_get_name(heap);
> + exp_info.ops = &restricted_heap_buf_ops;
> exp_info.size = restricted_buf->size;
> exp_info.flags = fd_flags;
> exp_info.priv = restricted_buf;
> --
> 2.25.1
>
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
More information about the linux-arm-kernel
mailing list