drivers/misc/open-dice.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright (C) 2021 - Google LLC
   4  * Author: David Brazdil <dbrazdil@google.com>
   5  *
   6  * Driver for Open Profile for DICE.
   7  *
   8  * This driver takes ownership of a reserved memory region containing data
   9  * generated by the Open Profile for DICE measured boot protocol. The memory
  10  * contents are not interpreted by the kernel but can be mapped into a userspace
  11  * process via a misc device. Userspace can also request a wipe of the memory.
  12  *
  13  * Userspace can access the data with (w/o error handling):
  14  *
  15  *     fd = open("/dev/open-dice0", O_RDWR);
  16  *     read(fd, &size, sizeof(unsigned long));
  17  *     data = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
  18  *     write(fd, NULL, 0); // wipe
  19  *     close(fd);
  20  */
  21
  22 #include <linux/io.h>
  23 #include <linux/miscdevice.h>
  24 #include <linux/mm.h>
  25 #include <linux/module.h>
  26 #include <linux/of_reserved_mem.h>
  27 #include <linux/platform_device.h>
  28
  29 #define DRIVER_NAME "open-dice"
  30
  31 struct open_dice_drvdata {
  32         struct mutex lock;
  33         char name[16];
  34         struct reserved_mem *rmem;
  35         struct miscdevice misc;
  36 };
  37
  38 static inline struct open_dice_drvdata *to_open_dice_drvdata(struct file *filp)
  39 {
  40         return container_of(filp->private_data, struct open_dice_drvdata, misc);
  41 }
  42
  43 static int open_dice_wipe(struct open_dice_drvdata *drvdata)
  44 {
  45         void *kaddr;
  46
  47         mutex_lock(&drvdata->lock);
  48         kaddr = devm_memremap(drvdata->misc.this_device, drvdata->rmem->base,
  49                               drvdata->rmem->size, MEMREMAP_WC);
  50         if (IS_ERR(kaddr)) {
  51                 mutex_unlock(&drvdata->lock);
  52                 return PTR_ERR(kaddr);
  53         }
  54
  55         memset(kaddr, 0, drvdata->rmem->size);
  56         devm_memunmap(drvdata->misc.this_device, kaddr);
  57         mutex_unlock(&drvdata->lock);
  58         return 0;
  59 }
  60
  61 /*
  62  * Copies the size of the reserved memory region to the user-provided buffer.
  63  */
  64 static ssize_t open_dice_read(struct file *filp, char __user *ptr, size_t len,
  65                               loff_t *off)
  66 {
  67         unsigned long val = to_open_dice_drvdata(filp)->rmem->size;
  68
  69         return simple_read_from_buffer(ptr, len, off, &val, sizeof(val));
  70 }
  71
  72 /*
  73  * Triggers a wipe of the reserved memory region. The user-provided pointer
  74  * is never dereferenced.
  75  */
  76 static ssize_t open_dice_write(struct file *filp, const char __user *ptr,
  77                                size_t len, loff_t *off)
  78 {
  79         if (open_dice_wipe(to_open_dice_drvdata(filp)))
  80                 return -EIO;
  81
  82         /* Consume the input buffer. */
  83         return len;
  84 }
  85
  86 /*
  87  * Creates a mapping of the reserved memory region in user address space.
  88  */
  89 static int open_dice_mmap(struct file *filp, struct vm_area_struct *vma)
  90 {
  91         struct open_dice_drvdata *drvdata = to_open_dice_drvdata(filp);
  92
  93         /* Do not allow userspace to modify the underlying data. */
  94         if ((vma->vm_flags & VM_WRITE) && (vma->vm_flags & VM_SHARED))
  95                 return -EPERM;
  96
  97         /* Ensure userspace cannot acquire VM_WRITE + VM_SHARED later. */
  98         if (vma->vm_flags & VM_WRITE)
  99                 vma->vm_flags &= ~VM_MAYSHARE;
 100         else if (vma->vm_flags & VM_SHARED)
 101                 vma->vm_flags &= ~VM_MAYWRITE;
 102
 103         /* Create write-combine mapping so all clients observe a wipe. */
 104         vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
 105         vma->vm_flags |= VM_DONTCOPY | VM_DONTDUMP;
 106         return vm_iomap_memory(vma, drvdata->rmem->base, drvdata->rmem->size);
 107 }
 108
 109 static const struct file_operations open_dice_fops = {
 110         .owner = THIS_MODULE,
 111         .read = open_dice_read,
 112         .write = open_dice_write,
 113         .mmap = open_dice_mmap,
 114 };
 115
 116 static int __init open_dice_probe(struct platform_device *pdev)
 117 {
 118         static unsigned int dev_idx;
 119         struct device *dev = &pdev->dev;
 120         struct reserved_mem *rmem;
 121         struct open_dice_drvdata *drvdata;
 122         int ret;
 123
 124         rmem = of_reserved_mem_lookup(dev->of_node);
 125         if (!rmem) {
 126                 dev_err(dev, "failed to lookup reserved memory\n");
 127                 return -EINVAL;
 128         }
 129
 130         if (!rmem->size || (rmem->size > ULONG_MAX)) {
 131                 dev_err(dev, "invalid memory region size\n");
 132                 return -EINVAL;
 133         }
 134
 135         if (!PAGE_ALIGNED(rmem->base) || !PAGE_ALIGNED(rmem->size)) {
 136                 dev_err(dev, "memory region must be page-aligned\n");
 137                 return -EINVAL;
 138         }
 139
 140         drvdata = devm_kmalloc(dev, sizeof(*drvdata), GFP_KERNEL);
 141         if (!drvdata)
 142                 return -ENOMEM;
 143
 144         *drvdata = (struct open_dice_drvdata){
 145                 .lock = __MUTEX_INITIALIZER(drvdata->lock),
 146                 .rmem = rmem,
 147                 .misc = (struct miscdevice){
 148                         .parent = dev,
 149                         .name   = drvdata->name,
 150                         .minor  = MISC_DYNAMIC_MINOR,
 151                         .fops   = &open_dice_fops,
 152                         .mode   = 0600,
 153                 },
 154         };
 155
 156         /* Index overflow check not needed, misc_register() will fail. */
 157         snprintf(drvdata->name, sizeof(drvdata->name), DRIVER_NAME"%u", dev_idx++);
 158
 159         ret = misc_register(&drvdata->misc);
 160         if (ret) {
 161                 dev_err(dev, "failed to register misc device '%s': %d\n",
 162                         drvdata->name, ret);
 163                 return ret;
 164         }
 165
 166         platform_set_drvdata(pdev, drvdata);
 167         return 0;
 168 }
 169
 170 static int open_dice_remove(struct platform_device *pdev)
 171 {
 172         struct open_dice_drvdata *drvdata = platform_get_drvdata(pdev);
 173
 174         misc_deregister(&drvdata->misc);
 175         return 0;
 176 }
 177
 178 static const struct of_device_id open_dice_of_match[] = {
 179         { .compatible = "google,open-dice" },
 180         {},
 181 };
 182
 183 static struct platform_driver open_dice_driver = {
 184         .remove = open_dice_remove,
 185         .driver = {
 186                 .name = DRIVER_NAME,
 187                 .of_match_table = open_dice_of_match,
 188         },
 189 };
 190
 191 static int __init open_dice_init(void)
 192 {
 193         int ret = platform_driver_probe(&open_dice_driver, open_dice_probe);
 194
 195         /* DICE regions are optional. Succeed even with zero instances. */
 196         return (ret == -ENODEV) ? 0 : ret;
 197 }
 198
 199 static void __exit open_dice_exit(void)
 200 {
 201         platform_driver_unregister(&open_dice_driver);
 202 }
 203
 204 module_init(open_dice_init);
 205 module_exit(open_dice_exit);
 206
 207 MODULE_LICENSE("GPL v2");
 208 MODULE_AUTHOR("David Brazdil <dbrazdil@google.com>");