1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright (C) 2021 - Google LLC
4 * Author: David Brazdil <dbrazdil@google.com>
5 *
6 * Driver for Open Profile for DICE.
7 *
8 * This driver takes ownership of a reserved memory region containing data
9 * generated by the Open Profile for DICE measured boot protocol. The memory
10 * contents are not interpreted by the kernel but can be mapped into a userspace
11 * process via a misc device. Userspace can also request a wipe of the memory.
12 *
13 * Userspace can access the data with (w/o error handling):
14 *
15 * fd = open("/dev/open-dice0", O_RDWR);
16 * read(fd, &size, sizeof(unsigned long));
17 * data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
18 * write(fd, NULL, 0); // wipe
19 * close(fd);
20 */
21
22#include <linux/io.h>
23#include <linux/miscdevice.h>
24#include <linux/mm.h>
25#include <linux/module.h>
26#include <linux/of_reserved_mem.h>
27#include <linux/platform_device.h>
28
29#define DRIVER_NAME "open-dice"
30
31struct open_dice_drvdata {
32 struct mutex lock;
33 char name[16];
34 struct reserved_mem *rmem;
35 struct miscdevice misc;
36};
37
38static inline struct open_dice_drvdata *to_open_dice_drvdata(struct file *filp)
39{
40 return container_of(filp->private_data, struct open_dice_drvdata, misc);
41}
42
43static int open_dice_wipe(struct open_dice_drvdata *drvdata)
44{
45 void *kaddr;
46
47 mutex_lock(&drvdata->lock);
48 kaddr = devm_memremap(dev: drvdata->misc.this_device, offset: drvdata->rmem->base,
49 size: drvdata->rmem->size, flags: MEMREMAP_WC);
50 if (IS_ERR(ptr: kaddr)) {
51 mutex_unlock(lock: &drvdata->lock);
52 return PTR_ERR(ptr: kaddr);
53 }
54
55 memset(kaddr, 0, drvdata->rmem->size);
56 devm_memunmap(dev: drvdata->misc.this_device, addr: kaddr);
57 mutex_unlock(lock: &drvdata->lock);
58 return 0;
59}
60
61/*
62 * Copies the size of the reserved memory region to the user-provided buffer.
63 */
64static ssize_t open_dice_read(struct file *filp, char __user *ptr, size_t len,
65 loff_t *off)
66{
67 unsigned long val = to_open_dice_drvdata(filp)->rmem->size;
68
69 return simple_read_from_buffer(to: ptr, count: len, ppos: off, from: &val, available: sizeof(val));
70}
71
72/*
73 * Triggers a wipe of the reserved memory region. The user-provided pointer
74 * is never dereferenced.
75 */
76static ssize_t open_dice_write(struct file *filp, const char __user *ptr,
77 size_t len, loff_t *off)
78{
79 if (open_dice_wipe(drvdata: to_open_dice_drvdata(filp)))
80 return -EIO;
81
82 /* Consume the input buffer. */
83 return len;
84}
85
86/*
87 * Creates a mapping of the reserved memory region in user address space.
88 */
89static int open_dice_mmap(struct file *filp, struct vm_area_struct *vma)
90{
91 struct open_dice_drvdata *drvdata = to_open_dice_drvdata(filp);
92
93 if (vma->vm_flags & VM_MAYSHARE) {
94 /* Do not allow userspace to modify the underlying data. */
95 if (vma->vm_flags & VM_WRITE)
96 return -EPERM;
97 /* Ensure userspace cannot acquire VM_WRITE later. */
98 vm_flags_clear(vma, VM_MAYWRITE);
99 }
100
101 /* Create write-combine mapping so all clients observe a wipe. */
102 vma->vm_page_prot = pgprot_writecombine(prot: vma->vm_page_prot);
103 vm_flags_set(vma, VM_DONTCOPY | VM_DONTDUMP);
104 return vm_iomap_memory(vma, start: drvdata->rmem->base, len: drvdata->rmem->size);
105}
106
107static const struct file_operations open_dice_fops = {
108 .owner = THIS_MODULE,
109 .read = open_dice_read,
110 .write = open_dice_write,
111 .mmap = open_dice_mmap,
112};
113
114static int __init open_dice_probe(struct platform_device *pdev)
115{
116 static unsigned int dev_idx;
117 struct device *dev = &pdev->dev;
118 struct reserved_mem *rmem;
119 struct open_dice_drvdata *drvdata;
120 int ret;
121
122 rmem = of_reserved_mem_lookup(np: dev->of_node);
123 if (!rmem) {
124 dev_err(dev, "failed to lookup reserved memory\n");
125 return -EINVAL;
126 }
127
128 if (!rmem->size || (rmem->size > ULONG_MAX)) {
129 dev_err(dev, "invalid memory region size\n");
130 return -EINVAL;
131 }
132
133 if (!PAGE_ALIGNED(rmem->base) || !PAGE_ALIGNED(rmem->size)) {
134 dev_err(dev, "memory region must be page-aligned\n");
135 return -EINVAL;
136 }
137
138 drvdata = devm_kmalloc(dev, size: sizeof(*drvdata), GFP_KERNEL);
139 if (!drvdata)
140 return -ENOMEM;
141
142 *drvdata = (struct open_dice_drvdata){
143 .rmem = rmem,
144 .misc = (struct miscdevice){
145 .parent = dev,
146 .name = drvdata->name,
147 .minor = MISC_DYNAMIC_MINOR,
148 .fops = &open_dice_fops,
149 .mode = 0600,
150 },
151 };
152 mutex_init(&drvdata->lock);
153
154 /* Index overflow check not needed, misc_register() will fail. */
155 snprintf(buf: drvdata->name, size: sizeof(drvdata->name), DRIVER_NAME"%u", dev_idx++);
156
157 ret = misc_register(misc: &drvdata->misc);
158 if (ret) {
159 dev_err(dev, "failed to register misc device '%s': %d\n",
160 drvdata->name, ret);
161 return ret;
162 }
163
164 platform_set_drvdata(pdev, data: drvdata);
165 return 0;
166}
167
168static void open_dice_remove(struct platform_device *pdev)
169{
170 struct open_dice_drvdata *drvdata = platform_get_drvdata(pdev);
171
172 misc_deregister(misc: &drvdata->misc);
173}
174
175static const struct of_device_id open_dice_of_match[] = {
176 { .compatible = "google,open-dice" },
177 {},
178};
179
180static struct platform_driver open_dice_driver = {
181 .remove_new = open_dice_remove,
182 .driver = {
183 .name = DRIVER_NAME,
184 .of_match_table = open_dice_of_match,
185 },
186};
187
188static int __init open_dice_init(void)
189{
190 int ret = platform_driver_probe(&open_dice_driver, open_dice_probe);
191
192 /* DICE regions are optional. Succeed even with zero instances. */
193 return (ret == -ENODEV) ? 0 : ret;
194}
195
196static void __exit open_dice_exit(void)
197{
198 platform_driver_unregister(&open_dice_driver);
199}
200
201module_init(open_dice_init);
202module_exit(open_dice_exit);
203
204MODULE_LICENSE("GPL v2");
205MODULE_AUTHOR("David Brazdil <dbrazdil@google.com>");
206

source code of linux/drivers/misc/open-dice.c