Skip to content

drivers/misc/optee: expand RPC suppport for IMX9 #16734

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
xiaoxiang781216 merged 4 commits into from
Aug 5, 2025
Merged

drivers/misc/optee: expand RPC suppport for IMX9 #16734

xiaoxiang781216 merged 4 commits into from
Aug 5, 2025

Conversation

@tkaratapanis
Copy link
Contributor

@tkaratapanis tkaratapanis commented Jul 16, 2025

Summary

Currently the OP-TEE driver has bare minimum support of RPCs (Invokations of nuttx from OP-TEE), just enough to establish sessions. This PR aims to handle a group of RPCs OPTEE_SMC_RPC_FUNC_CMD, presently ignored.

The newly supported RPCs can be handled either directly by the kernel and the code in ./drivers/misc/optee_rpc.c or they might be delegated to userspace through ./drivers/misc/optee_supplicant.c.
The userspace support requires 2 extra commands to be handled by the ioctl handler, TEE_IOC_SUPPL_RECV and TEE_IOC_SUPPL_SEND. These commands must be invoked only by the TEE supplicant and not a regular nuttx Client Application (CA). A system can have multiple CAs (opens /dev/tee0) but only one TEE supplicant (opens /dev/teepriv0).

The newly supported RPCs provide:

  1. Shared memory allocation, either by the kernel or the userspace (TEE supplicant).
  2. Freeing of shared memory.
  3. Wall clock time to OP-TEE.
  4. Suspension of a CA for a time specified by OP-TEE.
  5. Supplicant RPCs. These result to higher-level services (e.g. secure storage) executed in user land through the TEE supplicant.

To support the supplicant, a new device (/dev/teepriv0) is registered by the OP-TEE driver if CONFIG_DEV_OPTEE_SUPPLICANT is enabled. This device can be opened only by one user or it returns -EBUSY, it maintains a separate shared memory list and its entries can be queried by other CAs.

The introduction of the supplicant logic, also requires to maintain in the struct optee_shm both the virtual address .vaddr and physical .paddr. The translation happens by the process who allocates that memory, since a CA and the supplicant have different memory mappings (different processes).

Impact

If CONFIG_DEV_OPTEE_SUPPLICANT is disabled (default) the code should work as it works now with the addition of kernel handled RPCs by ./driver/misc/optee_rpc.c (1-4 as listed in the summary section).

If CONFIG_DEV_OPTEE_SUPPLICANT is enabled and nuttx can run a TEE supplicant then services like secure storage can be provided to OP-TEE.

Testing

The tests happened in a custom imx9 board that runs TF-A (bl31) and OP-TEE (bl32) together with nuttx (bl33).

Since there is minimal support for OP-TEE interacting applications, the existing functionality was tested by running the optee_gp example:

nsh> optee_gp                                                                                                                                       
INF [11] TEEC:main:164: Available devices:                                                                                                             
INF [11] TEEC:main:174:   d96a5b40-c3e5-21e3-8794-1002a5d5c61b                                                                                         
INF [11] TEEC:main:174:   145f361e-40f3-11ee-be56-0242ac120002                                                                                         
INF [11] TEEC:main:174:   f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c

To test the supplicant functionality the code from https://github.com/OP-TEE/optee_client/tree/master/tee-supplicant was integrated with nuttx in a private fork. Also a testing CA (nuttx) and TA (OP-TEE) were developed that worked in unison to test secure storage. The test scenario is as follows:

  1. CA -> sends a request to the TA with uuid 145f361e-40f3-11ee-be56-0242ac120002 to create a file and write a known payload to it ("Secure OP-TEE data").
  2. The TA sends a bunch of RPC requests that are delegated to the TEE supplicant.
  3. The result of the operation is printed in the shell.
  4. CA -> sends a request to the same TA to open the file and print its contents.
  5. The TA sends a bunch of RPC requests that are delegated to the TEE supplicant.
  6. The result of the operation is printed in the shell
nsh> optee_supplicant -f /data/tee > /dev/null &          # Run the supplicant in the background   with /data/tee as the root fs for OP-TEE                                                                                                
optee_supplicant [0:100]
                                                                                                                               
nsh> optee_client 145f361e-40f3-11ee-be56-0242ac120002 2  # Request from the TA to create a secure file.                                                                                           
I/TA: File created! closing handle!                                                                                                                    
                                                                                                                                                                                                                                                                 
nsh> optee_client 145f361e-40f3-11ee-be56-0242ac120002 3  # Request from the TA to open that file and print its contents.                                                                                           
I/TA: file found!!                                                                                                                                     
I/TA: Object content (19 bytes): "Secure OP-TEE data"

The files created by OP-TEE are encrypted (with a key only known to OP-TEE) under the directory we provided the TEE supplicant: /data/tee. We can however list the created files (besides dirf.db other OP-TEE filenames are not really known to nuttx):

nsh> ls -l /data/tee                                                                                                                                 
/data/tee:                                                                                                                                              
 -rwxrwxrwx       16384 0                                                                                                                              
 -rwxrwxrwx       16384 dirf.db

@github-actions github-actions bot added Area: Documentation Improvements or additions to documentation Area: Drivers Drivers issues Area: OS Components OS Components issues Size: XL The size of the change in this PR is very large. Consider breaking down the PR into smaller pieces. labels Jul 16, 2025
@xiaoxiang781216 xiaoxiang781216 mentioned this pull request Jul 17, 2025
Merged
@xiaoxiang781216
Copy link
Contributor

xiaoxiang781216 commented Jul 17, 2025

@tkaratapanis have you run nuttx on Cortex-A55 on i.MX95 EVB successfully?

xiaoxiang781216
xiaoxiang781216 reviewed Jul 17, 2025
View reviewed changes
@tkaratapanis
Copy link
Contributor Author

tkaratapanis commented Jul 17, 2025

@tkaratapanis have you run nuttx on Cortex-A55 on i.MX95 EVB successfully?

No, currently I am working only on i.MX93

@tkaratapanis tkaratapanis force-pushed the imx9-optee-rpc branch 2 times, most recently from d7521a6 to 556c844 Compare July 17, 2025 10:50
@jerpelea jerpelea changed the title Imx9 optee rpc drivers/misc/optee: expand RPC suppport for IMX9 Jul 17, 2025
jerpelea
jerpelea previously approved these changes Jul 17, 2025
View reviewed changes
Copy link
Contributor

@jerpelea jerpelea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a commit message on the
"drivers/misc/optee: Add virtual and physical address to sturct optee_shm " patch

@github-actions github-actions bot added the Area: File System File System issues label Jul 17, 2025
acassis
acassis previously approved these changes Jul 17, 2025
View reviewed changes
@tkaratapanis tkaratapanis force-pushed the imx9-optee-rpc branch 2 times, most recently from e4adaf4 to b3caa99 Compare July 18, 2025 18:45
gpoulios
gpoulios reviewed Jul 18, 2025
View reviewed changes
xiaoxiang781216
xiaoxiang781216 reviewed Jul 19, 2025
View reviewed changes
jerpelea
jerpelea previously approved these changes Jul 21, 2025
View reviewed changes
xiaoxiang781216
xiaoxiang781216 reviewed Jul 21, 2025
View reviewed changes
@tkaratapanis tkaratapanis dismissed stale reviews from jerpelea and acassis via b2d0492 July 21, 2025 13:08
@tkaratapanis tkaratapanis force-pushed the imx9-optee-rpc branch 3 times, most recently from de9d22a to 46c9da8 Compare July 21, 2025 13:57
@tkaratapanis tkaratapanis force-pushed the imx9-optee-rpc branch 4 times, most recently from 9e9d0e9 to cb36095 Compare July 22, 2025 09:06
@tkaratapanis
drivers/misc/optee: Add virtual and physical address to sturct optee_shm
84c28e8 
The VA -> PA translation must be performed once, at allocation time,
while the caller's virtual address space is known. If a second process
later tries to translate the same VA from a different mapping, the
calculated physical address can be wrong.

Signed-off-by: Theodore Karatapanis <tkaratapanis@census-labs.com>
xiaoxiang781216
xiaoxiang781216 reviewed Jul 24, 2025
View reviewed changes
acassis
acassis previously approved these changes Jul 25, 2025
View reviewed changes
xiaoxiang781216
xiaoxiang781216 reviewed Jul 27, 2025
View reviewed changes
@tkaratapanis
drivers/misc/optee: Add mmap shm op + remove memfd
9e1f99e 
The previous approach with memfd has 3 problems:
1) The close operation on the memfd isn't tied with optee_shm_close,
   therefore close(fd) doesn't free the optee_shm struct allocated
   by the kernel.

2) The kernel unnecessarily maps the file descriptor to its memory,
   however only userspace should need to do that.

3) Since the kernel doesn't need to map the file descriptor we
   don't need to unmap it.

To use anonymous mapping, the prototype of map_anonymous() was
moved from fs/mmap/fs_anonmap.h to include/nuttx/fs/fs.h. Since
fs_anonmap.h didn't contain any other information it is deleted.

A type from fs/mmap/fs_rammap.h was moved to the public :
include/nuttx/fs/fs.h as well.

Signed-off-by: Theodore Karatapanis <tkaratapanis@census-labs.com>
@tkaratapanis tkaratapanis force-pushed the imx9-optee-rpc branch 2 times, most recently from 9183ece to 53c043b Compare August 4, 2025 09:37
@tkaratapanis
drivers/misc/optee: Expanded RPC support.
c9514b3 
This commit expands RPC support for the OP-TEE driver using 2 files:
1) drivers/misc/optee_rpc.c
   * Add support for RPCs that can be handled directly by the kernel.
   * Can delegate RPC handling to optee_supplicant.c for RPCs that
     need userspace interaction.
2) drivers/misc/optee_supplicant.c
   * Enable communication between the userspace TEE supplicant and the
     kernel driver.

Additional changes were needed to the following files:
1) drivers/misc/optee.c
   * Add ioctls used SOLELY by the userspace TEE supplicant.
   * Register /dev/teepriv0 if the supplicant is enabled in Kconfig
   * Add OPTEE_ROLE_CA and OPTEE_ROLE_SUPPLICANT conditionals to
     differentiate paths, between a normal Client Application (CA)
     and the TEE supplicant.
   * Change some functions from static to "public" to reuse them
     in other C files.
   * Adjust optee_to/from_msg_param() to work with RPCs.

2) drivers/misc/optee_smc.c
   * Call the RPC handler from optee_rpc.c

3) drivers/misc/optee_msg.h
   * Add definition needed for RPCs

4) drivers/misc/tee.h
   * Add ioctl definitions
   * Add TEE_SHM_SUPP flag, checked when unregistering supplicant
     memory.

5) Documentation/guides/optee.rs
   * Add documentation for RPCs and the supplicant.

6) drivers/misc/{CMakeLists.txt, Make.defs}
   * Account for the new files.

7) drivers/misc/Kconfig
   * Add DEV_OPTEE_SUPPLICANT option to enable/disable the supplicant
     driver.

Signed-off-by: Theodore Karatapanis <tkaratapanis@census-labs.com>
@tkaratapanis
drivers/misc/optee: Add error conversion from errno to TEE errors
dab4af3 
This commit simplifies sending errors back to OP-TEE and avoids
code duplication when handling errno values.

Signed-off-by: Theodore Karatapanis <tkaratapanis@census-labs.com>
@xiaoxiang781216 xiaoxiang781216 merged commit 9970e6a into apache:master Aug 5, 2025
40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 approved these changes

@jerpelea jerpelea jerpelea approved these changes

@acassis acassis acassis left review comments

+1 more reviewer

@gpoulios gpoulios gpoulios left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Area: Documentation Improvements or additions to documentation Area: Drivers Drivers issues Area: File System File System issues Area: OS Components OS Components issues Size: XL The size of the change in this PR is very large. Consider breaking down the PR into smaller pieces.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tkaratapanis @xiaoxiang781216 @acassis @jerpelea @gpoulios