OP-TEE March 2026

op-tee@lists.trustedfirmware.org

19 participants
14 discussions

[RFT PATCH v2] tee: shm: Remove refcounting of kernel pages

by Sumit Garg

From: Matthew Wilcox <willy(a)infradead.org> Earlier TEE subsystem assumed to refcount all the memory pages to be shared with TEE implementation to be refcounted. However, the slab allocations within the kernel don't allow refcounting kernel pages. It is rather better to trust the kernel clients to not free pages while being shared with TEE implementation. Hence, remove refcounting of kernel pages from register_shm_helper() API. Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page") Reported-by: Marco Felsch <m.felsch(a)pengutronix.de> Reported-by: Sven Püschel <s.pueschel(a)pengutronix.de> Signed-off-by: Matthew Wilcox <willy(a)infradead.org> Co-developed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> --- Changes in v2: - Attribute Matthew as the author of this patch. - Fix check for user pages. drivers/tee/tee_shm.c | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 4a47de4bb2e5..898707ca21a8 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -23,29 +23,11 @@ struct tee_shm_dma_mem { struct page *page; }; -static void shm_put_kernel_pages(struct page **pages, size_t page_count) -{ - size_t n; - - for (n = 0; n < page_count; n++) - put_page(pages[n]); -} - -static void shm_get_kernel_pages(struct page **pages, size_t page_count) -{ - size_t n; - - for (n = 0; n < page_count; n++) - get_page(pages[n]); -} - static void release_registered_pages(struct tee_shm *shm) { if (shm->pages) { if (shm->flags & TEE_SHM_USER_MAPPED) unpin_user_pages(shm->pages, shm->num_pages); - else - shm_put_kernel_pages(shm->pages, shm->num_pages); kfree(shm->pages); } @@ -477,13 +459,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, goto err_put_shm_pages; } - /* - * iov_iter_extract_kvec_pages does not get reference on the pages, - * get a reference on them. - */ - if (iov_iter_is_kvec(iter)) - shm_get_kernel_pages(shm->pages, num_pages); - shm->offset = off; shm->size = len; shm->num_pages = num_pages; @@ -499,8 +474,6 @@ register_shm_helper(struct tee_context *ctx, struct iov_iter *iter, u32 flags, err_put_shm_pages: if (!iov_iter_is_kvec(iter)) unpin_user_pages(shm->pages, shm->num_pages); - else - shm_put_kernel_pages(shm->pages, shm->num_pages); err_free_shm_pages: kfree(shm->pages); err_free_shm: -- 2.51.0

1 week, 6 days

[PATCH 00/14] firmware: qcom: Add OP-TEE PAS service support

by Sumit Garg

From: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Qcom platforms has the legacy of using non-standard SCM calls splintered over the various kernel drivers. These SCM calls aren't compliant with the standard SMC calling conventions which is a prerequisite to enable migration to the FF-A specifications from Arm. OP-TEE as an alternative trusted OS to QTEE can't support these non- standard SCM calls. And even for newer architectures QTEE won't be able to support SCM calls either with FF-A requirements coming in. And with both OP-TEE and QTEE drivers well integrated in the TEE subsystem, it makes further sense to reuse the TEE bus client drivers infrastructure. The added benefit of TEE bus infrastructure is that there is support for discoverable/enumerable services. With that client drivers don't have to manually invoke a special SCM call to know the service status. So enable the generic Peripheral Authentication Service (PAS) provided by the firmware. It acts as the common layer with different TZ backends plugged in whether it's an SCM implementation or a proper TEE bus based PAS service implementation. The TEE PAS service ABI is designed to be extensible with additional API as PTA_QCOM_PAS_CAPABILITIES. This allows to accommodate any future extensions of the PAS service needed while still maintaining backwards compatibility. Currently OP-TEE support is being added to provide the backend PAS service implementation which can be found as part of this PR [1]. This implementation has been tested on Kodiak/RB3Gen2 board with lemans EVK board being the next target. In addition to that WIN/IPQ targets planning to use OP-TEE will use this service too. Patch summary: - Patch #1: adds Kodiak EL2 overlay since boot stack with TF-A/OP-TEE only allow UEFI and Linux to boot in EL2. - Patch #2: adds generic PAS service. - Patch #3: migrates SCM backend to generic PAS service. - Patch #4: adds TEE/OP-TEE backend for generic PAS service. - Patch #5-#13: migrates all client drivers to generic PAS service. - Patch #14: drops legacy PAS SCM exported APIs. The patch-set is based on v7.0-rc2 tag and can be found in git tree here [2]. Merge strategy: ---------------- It is expected due to APIs dependency, the entire patch-set to go via the Qcom tree. All other subsystem maintainers, it will be great if I can get acks for the corresponding subsystem patches. [1] https://github.com/OP-TEE/optee_os/pull/7721 [2] https://git.kernel.org/pub/scm/linux/kernel/git/sumit.garg/linux.git/log/?h… Mukesh Ojha (1): arm64: dts: qcom: kodiak: Add EL2 overlay Sumit Garg (13): firmware: qcom: Add a generic PAS service firmware: qcom_scm: Migrate to generic PAS service firmware: qcom: Add a PAS TEE service remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs remoteproc: qcom_q6v5_mss: Switch to generic PAS TZ APIs soc: qcom: mdtloader: Switch to generic PAS TZ APIs remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs remoteproc: qcom: Select QCOM_PAS_TEE service backend drm/msm: Switch to generic PAS TZ APIs media: qcom: Switch to generic PAS TZ APIs net: ipa: Switch to generic PAS TZ APIs wifi: ath12k: Switch to generic PAS TZ APIs firmware: qcom_scm: Remove SCM PAS wrappers arch/arm64/boot/dts/qcom/Makefile | 2 + arch/arm64/boot/dts/qcom/kodiak-el2.dtso | 35 ++ drivers/firmware/qcom/Kconfig | 18 + drivers/firmware/qcom/Makefile | 2 + drivers/firmware/qcom/qcom_pas.c | 295 +++++++++++ drivers/firmware/qcom/qcom_pas.h | 53 ++ drivers/firmware/qcom/qcom_pas_tee.c | 478 ++++++++++++++++++ drivers/firmware/qcom/qcom_scm.c | 304 ++++------- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 11 +- .../media/platform/qcom/iris/iris_firmware.c | 9 +- drivers/media/platform/qcom/venus/firmware.c | 11 +- drivers/net/ipa/ipa_main.c | 13 +- drivers/net/wireless/ath/ath12k/ahb.c | 8 +- drivers/remoteproc/Kconfig | 1 + drivers/remoteproc/qcom_q6v5_mss.c | 5 +- drivers/remoteproc/qcom_q6v5_pas.c | 51 +- drivers/remoteproc/qcom_wcnss.c | 12 +- drivers/soc/qcom/mdt_loader.c | 12 +- include/linux/firmware/qcom/qcom_pas.h | 41 ++ include/linux/firmware/qcom/qcom_scm.h | 29 -- include/linux/soc/qcom/mdt_loader.h | 6 +- 22 files changed, 1097 insertions(+), 303 deletions(-) create mode 100644 arch/arm64/boot/dts/qcom/kodiak-el2.dtso create mode 100644 drivers/firmware/qcom/qcom_pas.c create mode 100644 drivers/firmware/qcom/qcom_pas.h create mode 100644 drivers/firmware/qcom/qcom_pas_tee.c create mode 100644 include/linux/firmware/qcom/qcom_pas.h -- 2.51.0

1 week, 6 days

[PATCH 0/3] OP-TEE/OP-TEE drivers: simplify context matches

by Rouven Czerwinski via B4 Relay

Both the OP-TEE core and some OP-TEE drivers use an if/else expression to check a boolean which can instead be returned directly. Implement this change. --- Rouven Czerwinski (3): optee: simplify OP-TEE context match hwrng: optee - simplify OP-TEE context match rtc: optee: simplify OP-TEE context match drivers/char/hw_random/optee-rng.c | 5 +---- drivers/rtc/rtc-optee.c | 5 +---- drivers/tee/optee/device.c | 5 +---- 3 files changed, 3 insertions(+), 12 deletions(-) --- base-commit: 63804fed149a6750ffd28610c5c1c98cce6bd377 change-id: 20260126-optee-simplify-context-match-d5b3467bfacc Best regards, -- Rouven Czerwinski <rouven.czerwinski(a)linaro.org>

2 weeks, 6 days

Re: [PATCH v5] tee: optee: prevent use-after-free when the client exits before the supplicant

by Yuanjia Yeh

Hi all, We can reproduce the reported use-after-free issue on our platform via an overnight reboot test The verifications are listed as the following - With v2 + Michael Wu's patch: Issue resolved. - With v4: Race condition observation and already report to Amir - With v5: Race fixed. Stable in our tests, including: xtest + reboot loop (300 cycles) continuous reboot test (1000 cycles) No regressions observed with v5. If there are no other concerns, we recommend adopting v5. If needed, please add the following tag: Tested-by: Ox Yeh <ox.yeh(a)mediatek.com> Yuanjia Yeh

3 weeks, 1 day

2026

2025

2024

2023

2022

2021

2020

OP-TEE March 2026