1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * Copyright (C) 2021 - Google LLC
  4 * Author: David Brazdil <dbrazdil@google.com>
  5 *
  6 * Driver for Open Profile for DICE.
  7 *
  8 * This driver takes ownership of a reserved memory region containing data
  9 * generated by the Open Profile for DICE measured boot protocol. The memory
 10 * contents are not interpreted by the kernel but can be mapped into a userspace
 11 * process via a misc device. Userspace can also request a wipe of the memory.
 12 *
 13 * Userspace can access the data with (w/o error handling):
 14 *
 15 *     fd = open("/dev/open-dice0", O_RDWR);
 16 *     read(fd, &size, sizeof(unsigned long));
 17 *     data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
 18 *     write(fd, NULL, 0); // wipe
 19 *     close(fd);
 20 */
 21
 22#include <linux/io.h>
 23#include <linux/miscdevice.h>
 24#include <linux/mm.h>
 25#include <linux/module.h>
 26#include <linux/of_reserved_mem.h>
 27#include <linux/platform_device.h>
 28
 29#define DRIVER_NAME "open-dice"
 30
 31struct open_dice_drvdata {
 32	struct mutex lock;
 33	char name[16];
 34	struct reserved_mem *rmem;
 35	struct miscdevice misc;
 36};
 37
 38static inline struct open_dice_drvdata *to_open_dice_drvdata(struct file *filp)
 39{
 40	return container_of(filp->private_data, struct open_dice_drvdata, misc);
 41}
 42
 43static int open_dice_wipe(struct open_dice_drvdata *drvdata)
 44{
 45	void *kaddr;
 46
 47	mutex_lock(&drvdata->lock);
 48	kaddr = devm_memremap(drvdata->misc.this_device, drvdata->rmem->base,
 49			      drvdata->rmem->size, MEMREMAP_WC);
 50	if (IS_ERR(kaddr)) {
 51		mutex_unlock(&drvdata->lock);
 52		return PTR_ERR(kaddr);
 53	}
 54
 55	memset(kaddr, 0, drvdata->rmem->size);
 56	devm_memunmap(drvdata->misc.this_device, kaddr);
 57	mutex_unlock(&drvdata->lock);
 58	return 0;
 59}
 60
 61/*
 62 * Copies the size of the reserved memory region to the user-provided buffer.
 63 */
 64static ssize_t open_dice_read(struct file *filp, char __user *ptr, size_t len,
 65			      loff_t *off)
 66{
 67	unsigned long val = to_open_dice_drvdata(filp)->rmem->size;
 68
 69	return simple_read_from_buffer(ptr, len, off, &val, sizeof(val));
 70}
 71
 72/*
 73 * Triggers a wipe of the reserved memory region. The user-provided pointer
 74 * is never dereferenced.
 75 */
 76static ssize_t open_dice_write(struct file *filp, const char __user *ptr,
 77			       size_t len, loff_t *off)
 78{
 79	if (open_dice_wipe(to_open_dice_drvdata(filp)))
 80		return -EIO;
 81
 82	/* Consume the input buffer. */
 83	return len;
 84}
 85
 86/*
 87 * Creates a mapping of the reserved memory region in user address space.
 88 */
 89static int open_dice_mmap(struct file *filp, struct vm_area_struct *vma)
 90{
 91	struct open_dice_drvdata *drvdata = to_open_dice_drvdata(filp);
 92
 93	if (vma->vm_flags & VM_MAYSHARE) {
 94		/* Do not allow userspace to modify the underlying data. */
 95		if (vma->vm_flags & VM_WRITE)
 96			return -EPERM;
 97		/* Ensure userspace cannot acquire VM_WRITE later. */
 98		vm_flags_clear(vma, VM_MAYWRITE);
 99	}
100
101	/* Create write-combine mapping so all clients observe a wipe. */
102	vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
103	vm_flags_set(vma, VM_DONTCOPY | VM_DONTDUMP);
104	return vm_iomap_memory(vma, drvdata->rmem->base, drvdata->rmem->size);
105}
106
107static const struct file_operations open_dice_fops = {
108	.owner = THIS_MODULE,
109	.read = open_dice_read,
110	.write = open_dice_write,
111	.mmap = open_dice_mmap,
112};
113
114static int __init open_dice_probe(struct platform_device *pdev)
115{
116	static unsigned int dev_idx;
117	struct device *dev = &pdev->dev;
118	struct reserved_mem *rmem;
119	struct open_dice_drvdata *drvdata;
120	int ret;
121
122	rmem = of_reserved_mem_lookup(dev->of_node);
123	if (!rmem) {
124		dev_err(dev, "failed to lookup reserved memory\n");
125		return -EINVAL;
126	}
127
128	if (!rmem->size || (rmem->size > ULONG_MAX)) {
129		dev_err(dev, "invalid memory region size\n");
130		return -EINVAL;
131	}
132
133	if (!PAGE_ALIGNED(rmem->base) || !PAGE_ALIGNED(rmem->size)) {
134		dev_err(dev, "memory region must be page-aligned\n");
135		return -EINVAL;
136	}
137
138	drvdata = devm_kmalloc(dev, sizeof(*drvdata), GFP_KERNEL);
139	if (!drvdata)
140		return -ENOMEM;
141
142	*drvdata = (struct open_dice_drvdata){
143		.rmem = rmem,
144		.misc = (struct miscdevice){
145			.parent	= dev,
146			.name	= drvdata->name,
147			.minor	= MISC_DYNAMIC_MINOR,
148			.fops	= &open_dice_fops,
149			.mode	= 0600,
150		},
151	};
152	mutex_init(&drvdata->lock);
153
154	/* Index overflow check not needed, misc_register() will fail. */
155	snprintf(drvdata->name, sizeof(drvdata->name), DRIVER_NAME"%u", dev_idx++);
156
157	ret = misc_register(&drvdata->misc);
158	if (ret) {
159		dev_err(dev, "failed to register misc device '%s': %d\n",
160			drvdata->name, ret);
161		return ret;
162	}
163
164	platform_set_drvdata(pdev, drvdata);
165	return 0;
166}
167
168static int open_dice_remove(struct platform_device *pdev)
169{
170	struct open_dice_drvdata *drvdata = platform_get_drvdata(pdev);
171
172	misc_deregister(&drvdata->misc);
173	return 0;
174}
175
176static const struct of_device_id open_dice_of_match[] = {
177	{ .compatible = "google,open-dice" },
178	{},
179};
180
181static struct platform_driver open_dice_driver = {
182	.remove = open_dice_remove,
183	.driver = {
184		.name = DRIVER_NAME,
185		.of_match_table = open_dice_of_match,
186	},
187};
188
189static int __init open_dice_init(void)
190{
191	int ret = platform_driver_probe(&open_dice_driver, open_dice_probe);
192
193	/* DICE regions are optional. Succeed even with zero instances. */
194	return (ret == -ENODEV) ? 0 : ret;
195}
196
197static void __exit open_dice_exit(void)
198{
199	platform_driver_unregister(&open_dice_driver);
200}
201
202module_init(open_dice_init);
203module_exit(open_dice_exit);
204
205MODULE_LICENSE("GPL v2");
206MODULE_AUTHOR("David Brazdil <dbrazdil@google.com>");