diff mbox series

[v5,2/3] mmc: block: register RPMB partition with the RPMB subsystem

Message ID 20240422091936.3714381-3-jens.wiklander@linaro.org
State Superseded
Headers show
Series Replay Protected Memory Block (RPMB) subsystem | expand

Commit Message

Jens Wiklander April 22, 2024, 9:19 a.m. UTC
Register eMMC RPMB partition with the RPMB subsystem and provide
an implementation for the RPMB access operations abstracting
the actual multi step process.

Add a callback to extract the needed device information at registration
to avoid accessing the struct mmc_card at a later stage as we're not
holding a reference counter for this struct.

Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
instead of in mmc_rpmb_chrdev_open(). This is needed by the
route_frames() function pointer in struct rpmb_ops.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
---
 drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 239 insertions(+), 2 deletions(-)

Comments

Manuel Traut April 25, 2024, 8:42 a.m. UTC | #1
On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> Register eMMC RPMB partition with the RPMB subsystem and provide
> an implementation for the RPMB access operations abstracting
> the actual multi step process.
> 
> Add a callback to extract the needed device information at registration
> to avoid accessing the struct mmc_card at a later stage as we're not
> holding a reference counter for this struct.
> 
> Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> instead of in mmc_rpmb_chrdev_open(). This is needed by the
> route_frames() function pointer in struct rpmb_ops.
> 
> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> ---
>  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 239 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> index 32d49100dff5..a7f126fbc605 100644
> --- a/drivers/mmc/core/block.c
> +++ b/drivers/mmc/core/block.c
> @@ -33,6 +33,7 @@
>  #include <linux/cdev.h>
>  #include <linux/mutex.h>
>  #include <linux/scatterlist.h>
> +#include <linux/string.h>
>  #include <linux/string_helpers.h>
>  #include <linux/delay.h>
>  #include <linux/capability.h>
> @@ -40,6 +41,7 @@
>  #include <linux/pm_runtime.h>
>  #include <linux/idr.h>
>  #include <linux/debugfs.h>
> +#include <linux/rpmb.h>
>  
>  #include <linux/mmc/ioctl.h>
>  #include <linux/mmc/card.h>
> @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
>  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
>  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
>  
> +/**
> + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> + *
> + * @stuff        : stuff bytes
> + * @key_mac      : The authentication key or the message authentication
> + *                 code (MAC) depending on the request/response type.
> + *                 The MAC will be delivered in the last (or the only)
> + *                 block of data.
> + * @data         : Data to be written or read by signed access.
> + * @nonce        : Random number generated by the host for the requests
> + *                 and copied to the response by the RPMB engine.
> + * @write_counter: Counter value for the total amount of the successful
> + *                 authenticated data write requests made by the host.
> + * @addr         : Address of the data to be programmed to or read
> + *                 from the RPMB. Address is the serial number of
> + *                 the accessed block (half sector 256B).
> + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> + *                 read/programmed.
> + * @result       : Includes information about the status of the write counter
> + *                 (valid, expired) and result of the access made to the RPMB.
> + * @req_resp     : Defines the type of request and response to/from the memory.
> + *
> + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> + */
> +struct rpmb_frame {
> +	u8     stuff[196];
> +	u8     key_mac[32];
> +	u8     data[256];
> +	u8     nonce[16];
> +	__be32 write_counter;
> +	__be16 addr;
> +	__be16 block_count;
> +	__be16 result;
> +	__be16 req_resp;
> +} __packed;
> +
> +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> +
>  static DEFINE_MUTEX(block_mutex);
>  
>  /*
> @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
>  	int id;
>  	unsigned int part_index;
>  	struct mmc_blk_data *md;
> +	struct rpmb_dev *rdev;
>  	struct list_head node;
>  };
>  
> @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
>  
>  	get_device(&rpmb->dev);
>  	filp->private_data = rpmb;
> -	mmc_blk_get(rpmb->md->disk);
>  
>  	return nonseekable_open(inode, filp);
>  }
> @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
>  	struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
>  						  struct mmc_rpmb_data, chrdev);
>  
> -	mmc_blk_put(rpmb->md);
>  	put_device(&rpmb->dev);
>  
>  	return 0;
> @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
>  {
>  	struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
>  
> +	rpmb_dev_unregister(rpmb->rdev);
> +	mmc_blk_put(rpmb->md);
>  	ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
>  	kfree(rpmb);
>  }
>  
> +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> +{
> +	unsigned int n;
> +
> +	for (n = 0; n < cmd_count; n++)
> +		kfree(idata[n]);
> +	kfree(idata);
> +}
> +
> +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> +					     unsigned int cmd_count)
> +{
> +	struct mmc_blk_ioc_data **idata;
> +	unsigned int n;
> +
> +	idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> +	if (!idata)
> +		return NULL;
> +
> +	for (n = 0; n < cmd_count; n++) {
> +		idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> +		if (!idata[n]) {
> +			free_idata(idata, n);
> +			return NULL;
> +		}
> +		idata[n]->rpmb = rpmb;
> +	}
> +
> +	return idata;
> +}
> +
> +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> +		      int write_flag, u8 *buf, unsigned int buf_bytes)
> +{
> +	/*
> +	 * The size of an RPMB frame must match what's expected by the
> +	 * hardware.
> +	 */
> +	BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> +
> +	idata->ic.opcode = opcode;
> +	idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> +	idata->ic.write_flag = write_flag;
> +	idata->ic.blksz = sizeof(struct rpmb_frame);
> +	idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> +	idata->buf = buf;

I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
controller. Reading from RPMB does not work. It ends in timeouts due to
no response from the SDHCI controller.

If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
the content of buf is copied to the new allocated area, transfers succeed.

Is it possible that idata->buf is not DMA capable? Any other ideas?

> +	idata->buf_bytes = buf_bytes;
> +}
> +
> +static int mmc_route_rpmb_frames(struct device *dev, u8 *req,
> +				 unsigned int req_len, u8 *resp,
> +				 unsigned int resp_len)
> +{
> +	struct rpmb_frame *frm = (struct rpmb_frame *)req;
> +	struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> +	struct mmc_blk_data *md = rpmb->md;
> +	struct mmc_blk_ioc_data **idata;
> +	struct mmc_queue_req *mq_rq;
> +	unsigned int cmd_count;
> +	struct request *rq;
> +	u16 req_type;
> +	bool write;
> +	int ret;
> +
> +	if (IS_ERR(md->queue.card))
> +		return PTR_ERR(md->queue.card);
> +
> +	if (req_len < sizeof(*frm))
> +		return -EINVAL;
> +
> +	req_type = be16_to_cpu(frm->req_resp);
> +	switch (req_type) {
> +	case RPMB_PROGRAM_KEY:
> +		if (req_len != sizeof(struct rpmb_frame) ||
> +		    resp_len != sizeof(struct rpmb_frame))
> +			return -EINVAL;
> +		write = true;
> +		break;
> +	case RPMB_GET_WRITE_COUNTER:
> +		if (req_len != sizeof(struct rpmb_frame) ||
> +		    resp_len != sizeof(struct rpmb_frame))
> +			return -EINVAL;
> +		write = false;
> +		break;
> +	case RPMB_WRITE_DATA:
> +		if (req_len % sizeof(struct rpmb_frame) ||
> +		    resp_len != sizeof(struct rpmb_frame))
> +			return -EINVAL;
> +		write = true;
> +		break;
> +	case RPMB_READ_DATA:
> +		if (req_len != sizeof(struct rpmb_frame) ||
> +		    resp_len % sizeof(struct rpmb_frame))
> +			return -EINVAL;
> +		write = false;
> +		break;
> +	default:
> +		return -EINVAL;
> +	}
> +
> +	if (write)
> +		cmd_count = 3;
> +	else
> +		cmd_count = 2;
> +
> +	idata = alloc_idata(rpmb, cmd_count);
> +	if (!idata)
> +		return -ENOMEM;
> +
> +	if (write) {
> +		struct rpmb_frame *frm = (struct rpmb_frame *)resp;
> +
> +		/* Send write request frame(s) */
> +		set_idata(idata[0], MMC_WRITE_MULTIPLE_BLOCK,
> +			  1 | MMC_CMD23_ARG_REL_WR, req, req_len);
> +
> +		/* Send result request frame */
> +		memset(frm, 0, sizeof(*frm));
> +		frm->req_resp = cpu_to_be16(RPMB_RESULT_READ);
> +		set_idata(idata[1], MMC_WRITE_MULTIPLE_BLOCK, 1, resp,
> +			  resp_len);
> +
> +		/* Read response frame */
> +		set_idata(idata[2], MMC_READ_MULTIPLE_BLOCK, 0, resp, resp_len);
> +	} else {
> +		/* Send write request frame(s) */
> +		set_idata(idata[0], MMC_WRITE_MULTIPLE_BLOCK, 1, req, req_len);
> +
> +		/* Read response frame */
> +		set_idata(idata[1], MMC_READ_MULTIPLE_BLOCK, 0, resp, resp_len);
> +	}
> +
> +	rq = blk_mq_alloc_request(md->queue.queue, REQ_OP_DRV_OUT, 0);
> +	if (IS_ERR(rq)) {
> +		ret = PTR_ERR(rq);
> +		goto out;
> +	}
> +
> +	mq_rq = req_to_mmc_queue_req(rq);
> +	mq_rq->drv_op = MMC_DRV_OP_IOCTL_RPMB;
> +	mq_rq->drv_op_result = -EIO;
> +	mq_rq->drv_op_data = idata;
> +	mq_rq->ioc_count = cmd_count;
> +	blk_execute_rq(rq, false);
> +	ret = req_to_mmc_queue_req(rq)->drv_op_result;
> +
> +	blk_mq_free_request(rq);
> +
> +out:
> +	free_idata(idata, cmd_count);
> +	return ret;
> +}
> +
>  static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
>  				   struct mmc_blk_data *md,
>  				   unsigned int part_index,
> @@ -2741,6 +2939,7 @@ static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
>  	rpmb->dev.release = mmc_blk_rpmb_device_release;
>  	device_initialize(&rpmb->dev);
>  	dev_set_drvdata(&rpmb->dev, rpmb);
> +	mmc_blk_get(md->disk);
>  	rpmb->md = md;
>  
>  	cdev_init(&rpmb->chrdev, &mmc_rpmb_fileops);
> @@ -3002,6 +3201,42 @@ static void mmc_blk_remove_debugfs(struct mmc_card *card,
>  
>  #endif /* CONFIG_DEBUG_FS */
>  
> +static void mmc_blk_rpmb_add(struct mmc_card *card)
> +{
> +	struct mmc_blk_data *md = dev_get_drvdata(&card->dev);
> +	struct mmc_rpmb_data *rpmb;
> +	struct rpmb_dev *rdev;
> +	unsigned int n;
> +	u32 cid[4];
> +	struct rpmb_descr descr = {
> +		.type = RPMB_TYPE_EMMC,
> +		.route_frames = mmc_route_rpmb_frames,
> +		.reliable_wr_count = card->ext_csd.enhanced_rpmb_supported ?
> +				     2 : 32,
> +		.capacity = card->ext_csd.raw_rpmb_size_mult,
> +		.dev_id = (void *)cid,
> +		.dev_id_len = sizeof(cid),
> +	};
> +
> +	/*
> +	 * Provice CID as an octet array. The CID needs to be interpreted
> +	 * when used as input to derive the RPMB key since some fields
> +	 * will change due to firmware updates.
> +	 */
> +	for (n = 0; n < 4; n++)
> +		cid[n] = be32_to_cpu(card->raw_cid[n]);
> +
> +	list_for_each_entry(rpmb, &md->rpmbs, node) {
> +		rdev = rpmb_dev_register(&rpmb->dev, &descr);
> +		if (IS_ERR(rdev)) {
> +			pr_warn("%s: could not register RPMB device\n",
> +				dev_name(&rpmb->dev));
> +			continue;
> +		}
> +		rpmb->rdev = rdev;
> +	}
> +}
> +
>  static int mmc_blk_probe(struct mmc_card *card)
>  {
>  	struct mmc_blk_data *md;
> @@ -3047,6 +3282,8 @@ static int mmc_blk_probe(struct mmc_card *card)
>  		pm_runtime_enable(&card->dev);
>  	}
>  
> +	mmc_blk_rpmb_add(card);
> +
>  	return 0;
>  
>  out:
> -- 
> 2.34.1
>
Jens Wiklander April 26, 2024, 1:24 p.m. UTC | #2
On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
>
> On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > Register eMMC RPMB partition with the RPMB subsystem and provide
> > an implementation for the RPMB access operations abstracting
> > the actual multi step process.
> >
> > Add a callback to extract the needed device information at registration
> > to avoid accessing the struct mmc_card at a later stage as we're not
> > holding a reference counter for this struct.
> >
> > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > route_frames() function pointer in struct rpmb_ops.
> >
> > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > ---
> >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 239 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > index 32d49100dff5..a7f126fbc605 100644
> > --- a/drivers/mmc/core/block.c
> > +++ b/drivers/mmc/core/block.c
> > @@ -33,6 +33,7 @@
> >  #include <linux/cdev.h>
> >  #include <linux/mutex.h>
> >  #include <linux/scatterlist.h>
> > +#include <linux/string.h>
> >  #include <linux/string_helpers.h>
> >  #include <linux/delay.h>
> >  #include <linux/capability.h>
> > @@ -40,6 +41,7 @@
> >  #include <linux/pm_runtime.h>
> >  #include <linux/idr.h>
> >  #include <linux/debugfs.h>
> > +#include <linux/rpmb.h>
> >
> >  #include <linux/mmc/ioctl.h>
> >  #include <linux/mmc/card.h>
> > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> >
> > +/**
> > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > + *
> > + * @stuff        : stuff bytes
> > + * @key_mac      : The authentication key or the message authentication
> > + *                 code (MAC) depending on the request/response type.
> > + *                 The MAC will be delivered in the last (or the only)
> > + *                 block of data.
> > + * @data         : Data to be written or read by signed access.
> > + * @nonce        : Random number generated by the host for the requests
> > + *                 and copied to the response by the RPMB engine.
> > + * @write_counter: Counter value for the total amount of the successful
> > + *                 authenticated data write requests made by the host.
> > + * @addr         : Address of the data to be programmed to or read
> > + *                 from the RPMB. Address is the serial number of
> > + *                 the accessed block (half sector 256B).
> > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > + *                 read/programmed.
> > + * @result       : Includes information about the status of the write counter
> > + *                 (valid, expired) and result of the access made to the RPMB.
> > + * @req_resp     : Defines the type of request and response to/from the memory.
> > + *
> > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > + */
> > +struct rpmb_frame {
> > +     u8     stuff[196];
> > +     u8     key_mac[32];
> > +     u8     data[256];
> > +     u8     nonce[16];
> > +     __be32 write_counter;
> > +     __be16 addr;
> > +     __be16 block_count;
> > +     __be16 result;
> > +     __be16 req_resp;
> > +} __packed;
> > +
> > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > +
> >  static DEFINE_MUTEX(block_mutex);
> >
> >  /*
> > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> >       int id;
> >       unsigned int part_index;
> >       struct mmc_blk_data *md;
> > +     struct rpmb_dev *rdev;
> >       struct list_head node;
> >  };
> >
> > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> >
> >       get_device(&rpmb->dev);
> >       filp->private_data = rpmb;
> > -     mmc_blk_get(rpmb->md->disk);
> >
> >       return nonseekable_open(inode, filp);
> >  }
> > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> >                                                 struct mmc_rpmb_data, chrdev);
> >
> > -     mmc_blk_put(rpmb->md);
> >       put_device(&rpmb->dev);
> >
> >       return 0;
> > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> >  {
> >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> >
> > +     rpmb_dev_unregister(rpmb->rdev);
> > +     mmc_blk_put(rpmb->md);
> >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> >       kfree(rpmb);
> >  }
> >
> > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > +{
> > +     unsigned int n;
> > +
> > +     for (n = 0; n < cmd_count; n++)
> > +             kfree(idata[n]);
> > +     kfree(idata);
> > +}
> > +
> > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > +                                          unsigned int cmd_count)
> > +{
> > +     struct mmc_blk_ioc_data **idata;
> > +     unsigned int n;
> > +
> > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > +     if (!idata)
> > +             return NULL;
> > +
> > +     for (n = 0; n < cmd_count; n++) {
> > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > +             if (!idata[n]) {
> > +                     free_idata(idata, n);
> > +                     return NULL;
> > +             }
> > +             idata[n]->rpmb = rpmb;
> > +     }
> > +
> > +     return idata;
> > +}
> > +
> > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > +{
> > +     /*
> > +      * The size of an RPMB frame must match what's expected by the
> > +      * hardware.
> > +      */
> > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > +
> > +     idata->ic.opcode = opcode;
> > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > +     idata->ic.write_flag = write_flag;
> > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > +     idata->buf = buf;
>
> I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> controller. Reading from RPMB does not work. It ends in timeouts due to
> no response from the SDHCI controller.
>
> If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> the content of buf is copied to the new allocated area, transfers succeed.
>
> Is it possible that idata->buf is not DMA capable? Any other ideas?

Thanks for testing. I don't know, the idata->buf is allocated using
alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
optee_pool_op_alloc_helper(). Alternatively, it's from the memory
range mapped using memremap() in optee_config_shm_memremap(), but
that's only if you don't have "dynamic shared memory is enabled" in
the boot log.

Thanks,
Jens
Manuel Traut April 29, 2024, 9:40 a.m. UTC | #3
On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> >
> > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > an implementation for the RPMB access operations abstracting
> > > the actual multi step process.
> > >
> > > Add a callback to extract the needed device information at registration
> > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > holding a reference counter for this struct.
> > >
> > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > route_frames() function pointer in struct rpmb_ops.
> > >
> > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > ---
> > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > index 32d49100dff5..a7f126fbc605 100644
> > > --- a/drivers/mmc/core/block.c
> > > +++ b/drivers/mmc/core/block.c
> > > @@ -33,6 +33,7 @@
> > >  #include <linux/cdev.h>
> > >  #include <linux/mutex.h>
> > >  #include <linux/scatterlist.h>
> > > +#include <linux/string.h>
> > >  #include <linux/string_helpers.h>
> > >  #include <linux/delay.h>
> > >  #include <linux/capability.h>
> > > @@ -40,6 +41,7 @@
> > >  #include <linux/pm_runtime.h>
> > >  #include <linux/idr.h>
> > >  #include <linux/debugfs.h>
> > > +#include <linux/rpmb.h>
> > >
> > >  #include <linux/mmc/ioctl.h>
> > >  #include <linux/mmc/card.h>
> > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > >
> > > +/**
> > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > + *
> > > + * @stuff        : stuff bytes
> > > + * @key_mac      : The authentication key or the message authentication
> > > + *                 code (MAC) depending on the request/response type.
> > > + *                 The MAC will be delivered in the last (or the only)
> > > + *                 block of data.
> > > + * @data         : Data to be written or read by signed access.
> > > + * @nonce        : Random number generated by the host for the requests
> > > + *                 and copied to the response by the RPMB engine.
> > > + * @write_counter: Counter value for the total amount of the successful
> > > + *                 authenticated data write requests made by the host.
> > > + * @addr         : Address of the data to be programmed to or read
> > > + *                 from the RPMB. Address is the serial number of
> > > + *                 the accessed block (half sector 256B).
> > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > + *                 read/programmed.
> > > + * @result       : Includes information about the status of the write counter
> > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > + *
> > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > + */
> > > +struct rpmb_frame {
> > > +     u8     stuff[196];
> > > +     u8     key_mac[32];
> > > +     u8     data[256];
> > > +     u8     nonce[16];
> > > +     __be32 write_counter;
> > > +     __be16 addr;
> > > +     __be16 block_count;
> > > +     __be16 result;
> > > +     __be16 req_resp;
> > > +} __packed;
> > > +
> > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > +
> > >  static DEFINE_MUTEX(block_mutex);
> > >
> > >  /*
> > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > >       int id;
> > >       unsigned int part_index;
> > >       struct mmc_blk_data *md;
> > > +     struct rpmb_dev *rdev;
> > >       struct list_head node;
> > >  };
> > >
> > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > >
> > >       get_device(&rpmb->dev);
> > >       filp->private_data = rpmb;
> > > -     mmc_blk_get(rpmb->md->disk);
> > >
> > >       return nonseekable_open(inode, filp);
> > >  }
> > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > >                                                 struct mmc_rpmb_data, chrdev);
> > >
> > > -     mmc_blk_put(rpmb->md);
> > >       put_device(&rpmb->dev);
> > >
> > >       return 0;
> > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > >  {
> > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > >
> > > +     rpmb_dev_unregister(rpmb->rdev);
> > > +     mmc_blk_put(rpmb->md);
> > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > >       kfree(rpmb);
> > >  }
> > >
> > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > +{
> > > +     unsigned int n;
> > > +
> > > +     for (n = 0; n < cmd_count; n++)
> > > +             kfree(idata[n]);
> > > +     kfree(idata);
> > > +}
> > > +
> > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > +                                          unsigned int cmd_count)
> > > +{
> > > +     struct mmc_blk_ioc_data **idata;
> > > +     unsigned int n;
> > > +
> > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > +     if (!idata)
> > > +             return NULL;
> > > +     for (n = 0; n < cmd_count; n++) {
> > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > +             if (!idata[n]) {
> > > +                     free_idata(idata, n);
> > > +                     return NULL;
> > > +             }
> > > +             idata[n]->rpmb = rpmb;
> > > +     }
> > > +
> > > +     return idata;
> > > +}
> > > +
> > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > +{
> > > +     /*
> > > +      * The size of an RPMB frame must match what's expected by the
> > > +      * hardware.
> > > +      */
> > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > +
> > > +     idata->ic.opcode = opcode;
> > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > +     idata->ic.write_flag = write_flag;
> > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > +     idata->buf = buf;
> >
> > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > controller. Reading from RPMB does not work. It ends in timeouts due to
> > no response from the SDHCI controller.
> >
> > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > the content of buf is copied to the new allocated area, transfers succeed.
> >
> > Is it possible that idata->buf is not DMA capable? Any other ideas?
> 
> Thanks for testing. I don't know, the idata->buf is allocated using
> alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> optee_pool_op_alloc_helper().

Is this really true for idata->buf or isnt the complete RPMB frame memory
allocated like this and therefore idata->buf not page aligned?

For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
and therefore page aligned.

> Alternatively, it's from the memory
> range mapped using memremap() in optee_config_shm_memremap(), but
> that's only if you don't have "dynamic shared memory is enabled" in
> the boot log.

"dynamic shared memory is enabled" is in the bootlog, ..

Thanks for your comments,
Manuel
Jens Wiklander April 29, 2024, 10:08 a.m. UTC | #4
On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
>
> On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > >
> > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > an implementation for the RPMB access operations abstracting
> > > > the actual multi step process.
> > > >
> > > > Add a callback to extract the needed device information at registration
> > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > holding a reference counter for this struct.
> > > >
> > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > route_frames() function pointer in struct rpmb_ops.
> > > >
> > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > ---
> > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > index 32d49100dff5..a7f126fbc605 100644
> > > > --- a/drivers/mmc/core/block.c
> > > > +++ b/drivers/mmc/core/block.c
> > > > @@ -33,6 +33,7 @@
> > > >  #include <linux/cdev.h>
> > > >  #include <linux/mutex.h>
> > > >  #include <linux/scatterlist.h>
> > > > +#include <linux/string.h>
> > > >  #include <linux/string_helpers.h>
> > > >  #include <linux/delay.h>
> > > >  #include <linux/capability.h>
> > > > @@ -40,6 +41,7 @@
> > > >  #include <linux/pm_runtime.h>
> > > >  #include <linux/idr.h>
> > > >  #include <linux/debugfs.h>
> > > > +#include <linux/rpmb.h>
> > > >
> > > >  #include <linux/mmc/ioctl.h>
> > > >  #include <linux/mmc/card.h>
> > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > >
> > > > +/**
> > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > + *
> > > > + * @stuff        : stuff bytes
> > > > + * @key_mac      : The authentication key or the message authentication
> > > > + *                 code (MAC) depending on the request/response type.
> > > > + *                 The MAC will be delivered in the last (or the only)
> > > > + *                 block of data.
> > > > + * @data         : Data to be written or read by signed access.
> > > > + * @nonce        : Random number generated by the host for the requests
> > > > + *                 and copied to the response by the RPMB engine.
> > > > + * @write_counter: Counter value for the total amount of the successful
> > > > + *                 authenticated data write requests made by the host.
> > > > + * @addr         : Address of the data to be programmed to or read
> > > > + *                 from the RPMB. Address is the serial number of
> > > > + *                 the accessed block (half sector 256B).
> > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > + *                 read/programmed.
> > > > + * @result       : Includes information about the status of the write counter
> > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > + *
> > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > + */
> > > > +struct rpmb_frame {
> > > > +     u8     stuff[196];
> > > > +     u8     key_mac[32];
> > > > +     u8     data[256];
> > > > +     u8     nonce[16];
> > > > +     __be32 write_counter;
> > > > +     __be16 addr;
> > > > +     __be16 block_count;
> > > > +     __be16 result;
> > > > +     __be16 req_resp;
> > > > +} __packed;
> > > > +
> > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > +
> > > >  static DEFINE_MUTEX(block_mutex);
> > > >
> > > >  /*
> > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > >       int id;
> > > >       unsigned int part_index;
> > > >       struct mmc_blk_data *md;
> > > > +     struct rpmb_dev *rdev;
> > > >       struct list_head node;
> > > >  };
> > > >
> > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > >
> > > >       get_device(&rpmb->dev);
> > > >       filp->private_data = rpmb;
> > > > -     mmc_blk_get(rpmb->md->disk);
> > > >
> > > >       return nonseekable_open(inode, filp);
> > > >  }
> > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > >                                                 struct mmc_rpmb_data, chrdev);
> > > >
> > > > -     mmc_blk_put(rpmb->md);
> > > >       put_device(&rpmb->dev);
> > > >
> > > >       return 0;
> > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > >  {
> > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > >
> > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > +     mmc_blk_put(rpmb->md);
> > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > >       kfree(rpmb);
> > > >  }
> > > >
> > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > +{
> > > > +     unsigned int n;
> > > > +
> > > > +     for (n = 0; n < cmd_count; n++)
> > > > +             kfree(idata[n]);
> > > > +     kfree(idata);
> > > > +}
> > > > +
> > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > +                                          unsigned int cmd_count)
> > > > +{
> > > > +     struct mmc_blk_ioc_data **idata;
> > > > +     unsigned int n;
> > > > +
> > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > +     if (!idata)
> > > > +             return NULL;
> > > > +     for (n = 0; n < cmd_count; n++) {
> > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > +             if (!idata[n]) {
> > > > +                     free_idata(idata, n);
> > > > +                     return NULL;
> > > > +             }
> > > > +             idata[n]->rpmb = rpmb;
> > > > +     }
> > > > +
> > > > +     return idata;
> > > > +}
> > > > +
> > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > +{
> > > > +     /*
> > > > +      * The size of an RPMB frame must match what's expected by the
> > > > +      * hardware.
> > > > +      */
> > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > +
> > > > +     idata->ic.opcode = opcode;
> > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > +     idata->ic.write_flag = write_flag;
> > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > +     idata->buf = buf;
> > >
> > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > no response from the SDHCI controller.
> > >
> > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > the content of buf is copied to the new allocated area, transfers succeed.
> > >
> > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> >
> > Thanks for testing. I don't know, the idata->buf is allocated using
> > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > optee_pool_op_alloc_helper().
>
> Is this really true for idata->buf or isnt the complete RPMB frame memory
> allocated like this and therefore idata->buf not page aligned?

You're right.

>
> For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> and therefore page aligned.

Yes, that's a difference. Have you tested with page-aligned buffers to
see if it helps?

>
> > Alternatively, it's from the memory
> > range mapped using memremap() in optee_config_shm_memremap(), but
> > that's only if you don't have "dynamic shared memory is enabled" in
> > the boot log.
>
> "dynamic shared memory is enabled" is in the bootlog, ..

Great.

Thanks,
Jens
Manuel Traut April 29, 2024, 10:35 a.m. UTC | #5
On Mon, Apr 29, 2024 at 12:08:45PM +0200, Jens Wiklander wrote:
> On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
> >
> > On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > > >
> > > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > > an implementation for the RPMB access operations abstracting
> > > > > the actual multi step process.
> > > > >
> > > > > Add a callback to extract the needed device information at registration
> > > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > > holding a reference counter for this struct.
> > > > >
> > > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > > route_frames() function pointer in struct rpmb_ops.
> > > > >
> > > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > > ---
> > > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > > index 32d49100dff5..a7f126fbc605 100644
> > > > > --- a/drivers/mmc/core/block.c
> > > > > +++ b/drivers/mmc/core/block.c
> > > > > @@ -33,6 +33,7 @@
> > > > >  #include <linux/cdev.h>
> > > > >  #include <linux/mutex.h>
> > > > >  #include <linux/scatterlist.h>
> > > > > +#include <linux/string.h>
> > > > >  #include <linux/string_helpers.h>
> > > > >  #include <linux/delay.h>
> > > > >  #include <linux/capability.h>
> > > > > @@ -40,6 +41,7 @@
> > > > >  #include <linux/pm_runtime.h>
> > > > >  #include <linux/idr.h>
> > > > >  #include <linux/debugfs.h>
> > > > > +#include <linux/rpmb.h>
> > > > >
> > > > >  #include <linux/mmc/ioctl.h>
> > > > >  #include <linux/mmc/card.h>
> > > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > > >
> > > > > +/**
> > > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > > + *
> > > > > + * @stuff        : stuff bytes
> > > > > + * @key_mac      : The authentication key or the message authentication
> > > > > + *                 code (MAC) depending on the request/response type.
> > > > > + *                 The MAC will be delivered in the last (or the only)
> > > > > + *                 block of data.
> > > > > + * @data         : Data to be written or read by signed access.
> > > > > + * @nonce        : Random number generated by the host for the requests
> > > > > + *                 and copied to the response by the RPMB engine.
> > > > > + * @write_counter: Counter value for the total amount of the successful
> > > > > + *                 authenticated data write requests made by the host.
> > > > > + * @addr         : Address of the data to be programmed to or read
> > > > > + *                 from the RPMB. Address is the serial number of
> > > > > + *                 the accessed block (half sector 256B).
> > > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > > + *                 read/programmed.
> > > > > + * @result       : Includes information about the status of the write counter
> > > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > > + *
> > > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > > + */
> > > > > +struct rpmb_frame {
> > > > > +     u8     stuff[196];
> > > > > +     u8     key_mac[32];
> > > > > +     u8     data[256];
> > > > > +     u8     nonce[16];
> > > > > +     __be32 write_counter;
> > > > > +     __be16 addr;
> > > > > +     __be16 block_count;
> > > > > +     __be16 result;
> > > > > +     __be16 req_resp;
> > > > > +} __packed;
> > > > > +
> > > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > > +
> > > > >  static DEFINE_MUTEX(block_mutex);
> > > > >
> > > > >  /*
> > > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > > >       int id;
> > > > >       unsigned int part_index;
> > > > >       struct mmc_blk_data *md;
> > > > > +     struct rpmb_dev *rdev;
> > > > >       struct list_head node;
> > > > >  };
> > > > >
> > > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > > >
> > > > >       get_device(&rpmb->dev);
> > > > >       filp->private_data = rpmb;
> > > > > -     mmc_blk_get(rpmb->md->disk);
> > > > >
> > > > >       return nonseekable_open(inode, filp);
> > > > >  }
> > > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > > >                                                 struct mmc_rpmb_data, chrdev);
> > > > >
> > > > > -     mmc_blk_put(rpmb->md);
> > > > >       put_device(&rpmb->dev);
> > > > >
> > > > >       return 0;
> > > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > > >  {
> > > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > > >
> > > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > > +     mmc_blk_put(rpmb->md);
> > > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > > >       kfree(rpmb);
> > > > >  }
> > > > >
> > > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > > +{
> > > > > +     unsigned int n;
> > > > > +
> > > > > +     for (n = 0; n < cmd_count; n++)
> > > > > +             kfree(idata[n]);
> > > > > +     kfree(idata);
> > > > > +}
> > > > > +
> > > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > > +                                          unsigned int cmd_count)
> > > > > +{
> > > > > +     struct mmc_blk_ioc_data **idata;
> > > > > +     unsigned int n;
> > > > > +
> > > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > > +     if (!idata)
> > > > > +             return NULL;
> > > > > +     for (n = 0; n < cmd_count; n++) {
> > > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > > +             if (!idata[n]) {
> > > > > +                     free_idata(idata, n);
> > > > > +                     return NULL;
> > > > > +             }
> > > > > +             idata[n]->rpmb = rpmb;
> > > > > +     }
> > > > > +
> > > > > +     return idata;
> > > > > +}
> > > > > +
> > > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > > +{
> > > > > +     /*
> > > > > +      * The size of an RPMB frame must match what's expected by the
> > > > > +      * hardware.
> > > > > +      */
> > > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > > +
> > > > > +     idata->ic.opcode = opcode;
> > > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > > +     idata->ic.write_flag = write_flag;
> > > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > > +     idata->buf = buf;
> > > >
> > > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > > no response from the SDHCI controller.
> > > >
> > > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > > the content of buf is copied to the new allocated area, transfers succeed.
> > > >
> > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > >
> > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > optee_pool_op_alloc_helper().
> >
> > Is this really true for idata->buf or isnt the complete RPMB frame memory
> > allocated like this and therefore idata->buf not page aligned?
> 
> You're right.
> 
> >
> > For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> > and therefore page aligned.
> 
> Yes, that's a difference. Have you tested with page-aligned buffers to
> see if it helps?

Yes, this helps. I tested with the following patch, but probably it can also
be solved during frame allocation in optee?


commit b84a56c15abdcd07f4dacf0b7f482802f8ce752b
Author: Manuel Traut <manut@mecka.net>
Date:   Tue Apr 23 13:22:27 2024 +0200

    mmc: core: block: rpmb: Allocate page aligned memory
    
    "Random" position in optee shared memory cannot be used for blk
    IO on an eMMC with the i.MX8 SDHCI.
    
    This is for sure not the best possible solution, but works
    for the moment.

diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
index 30da8fd03..f123a6c96 100644
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -2786,6 +2786,8 @@ static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
 	return idata;
 }
 
+#define DYNALLOC 1
+
 static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
 		      int write_flag, u8 *buf, unsigned int buf_bytes)
 {
@@ -2800,10 +2802,23 @@ static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
 	idata->ic.write_flag = write_flag;
 	idata->ic.blksz = sizeof(struct rpmb_frame);
 	idata->ic.blocks = buf_bytes /  idata->ic.blksz;
+#ifdef DYNALLOC
+	idata->buf = kmalloc(buf_bytes, GFP_KERNEL);
+	memcpy(idata->buf, buf, buf_bytes);
+#else
 	idata->buf = buf;
+#endif
 	idata->buf_bytes = buf_bytes;
 }
 
+#ifdef DYNALLOC
+static void free_idata_buf(struct mmc_blk_ioc_data *idata, u8 *buf, unsigned int buf_bytes)
+{
+    memcpy(buf, idata->buf, buf_bytes);
+    kfree(idata->buf);
+}
+#endif
+
 static int mmc_route_rpmb_frames(struct device *dev, u8 *req,
 				 unsigned int req_len, u8 *resp,
 				 unsigned int resp_len)
@@ -2901,6 +2916,13 @@ static int mmc_route_rpmb_frames(struct device *dev, u8 *req,
 	blk_execute_rq(rq, false);
 	ret = req_to_mmc_queue_req(rq)->drv_op_result;
 
+#ifdef DYNALLOC
+	free_idata_buf(idata[0], req, req_len);
+	free_idata_buf(idata[1], resp, resp_len);
+	if (write)
+		free_idata_buf(idata[2], resp, resp_len);
+#endif
+
 	blk_mq_free_request(rq);
 
 out:

> > > Alternatively, it's from the memory
> > > range mapped using memremap() in optee_config_shm_memremap(), but
> > > that's only if you don't have "dynamic shared memory is enabled" in
> > > the boot log.
> >
> > "dynamic shared memory is enabled" is in the bootlog, ..
> 
> Great.

Thanks
Manuel
Jens Wiklander April 29, 2024, 10:45 a.m. UTC | #6
On Mon, Apr 29, 2024 at 12:35 PM Manuel Traut <manut@mecka.net> wrote:
>
> On Mon, Apr 29, 2024 at 12:08:45PM +0200, Jens Wiklander wrote:
> > On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
> > >
> > > On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > > > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > > > >
> > > > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > > > an implementation for the RPMB access operations abstracting
> > > > > > the actual multi step process.
> > > > > >
> > > > > > Add a callback to extract the needed device information at registration
> > > > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > > > holding a reference counter for this struct.
> > > > > >
> > > > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > > > route_frames() function pointer in struct rpmb_ops.
> > > > > >
> > > > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > > > ---
> > > > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > > > >
> > > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > > > index 32d49100dff5..a7f126fbc605 100644
> > > > > > --- a/drivers/mmc/core/block.c
> > > > > > +++ b/drivers/mmc/core/block.c
> > > > > > @@ -33,6 +33,7 @@
> > > > > >  #include <linux/cdev.h>
> > > > > >  #include <linux/mutex.h>
> > > > > >  #include <linux/scatterlist.h>
> > > > > > +#include <linux/string.h>
> > > > > >  #include <linux/string_helpers.h>
> > > > > >  #include <linux/delay.h>
> > > > > >  #include <linux/capability.h>
> > > > > > @@ -40,6 +41,7 @@
> > > > > >  #include <linux/pm_runtime.h>
> > > > > >  #include <linux/idr.h>
> > > > > >  #include <linux/debugfs.h>
> > > > > > +#include <linux/rpmb.h>
> > > > > >
> > > > > >  #include <linux/mmc/ioctl.h>
> > > > > >  #include <linux/mmc/card.h>
> > > > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > > > >
> > > > > > +/**
> > > > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > > > + *
> > > > > > + * @stuff        : stuff bytes
> > > > > > + * @key_mac      : The authentication key or the message authentication
> > > > > > + *                 code (MAC) depending on the request/response type.
> > > > > > + *                 The MAC will be delivered in the last (or the only)
> > > > > > + *                 block of data.
> > > > > > + * @data         : Data to be written or read by signed access.
> > > > > > + * @nonce        : Random number generated by the host for the requests
> > > > > > + *                 and copied to the response by the RPMB engine.
> > > > > > + * @write_counter: Counter value for the total amount of the successful
> > > > > > + *                 authenticated data write requests made by the host.
> > > > > > + * @addr         : Address of the data to be programmed to or read
> > > > > > + *                 from the RPMB. Address is the serial number of
> > > > > > + *                 the accessed block (half sector 256B).
> > > > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > > > + *                 read/programmed.
> > > > > > + * @result       : Includes information about the status of the write counter
> > > > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > > > + *
> > > > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > > > + */
> > > > > > +struct rpmb_frame {
> > > > > > +     u8     stuff[196];
> > > > > > +     u8     key_mac[32];
> > > > > > +     u8     data[256];
> > > > > > +     u8     nonce[16];
> > > > > > +     __be32 write_counter;
> > > > > > +     __be16 addr;
> > > > > > +     __be16 block_count;
> > > > > > +     __be16 result;
> > > > > > +     __be16 req_resp;
> > > > > > +} __packed;
> > > > > > +
> > > > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > > > +
> > > > > >  static DEFINE_MUTEX(block_mutex);
> > > > > >
> > > > > >  /*
> > > > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > > > >       int id;
> > > > > >       unsigned int part_index;
> > > > > >       struct mmc_blk_data *md;
> > > > > > +     struct rpmb_dev *rdev;
> > > > > >       struct list_head node;
> > > > > >  };
> > > > > >
> > > > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > > > >
> > > > > >       get_device(&rpmb->dev);
> > > > > >       filp->private_data = rpmb;
> > > > > > -     mmc_blk_get(rpmb->md->disk);
> > > > > >
> > > > > >       return nonseekable_open(inode, filp);
> > > > > >  }
> > > > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > > > >                                                 struct mmc_rpmb_data, chrdev);
> > > > > >
> > > > > > -     mmc_blk_put(rpmb->md);
> > > > > >       put_device(&rpmb->dev);
> > > > > >
> > > > > >       return 0;
> > > > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > > > >  {
> > > > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > > > >
> > > > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > > > +     mmc_blk_put(rpmb->md);
> > > > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > > > >       kfree(rpmb);
> > > > > >  }
> > > > > >
> > > > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > > > +{
> > > > > > +     unsigned int n;
> > > > > > +
> > > > > > +     for (n = 0; n < cmd_count; n++)
> > > > > > +             kfree(idata[n]);
> > > > > > +     kfree(idata);
> > > > > > +}
> > > > > > +
> > > > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > > > +                                          unsigned int cmd_count)
> > > > > > +{
> > > > > > +     struct mmc_blk_ioc_data **idata;
> > > > > > +     unsigned int n;
> > > > > > +
> > > > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > > > +     if (!idata)
> > > > > > +             return NULL;
> > > > > > +     for (n = 0; n < cmd_count; n++) {
> > > > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > > > +             if (!idata[n]) {
> > > > > > +                     free_idata(idata, n);
> > > > > > +                     return NULL;
> > > > > > +             }
> > > > > > +             idata[n]->rpmb = rpmb;
> > > > > > +     }
> > > > > > +
> > > > > > +     return idata;
> > > > > > +}
> > > > > > +
> > > > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > > > +{
> > > > > > +     /*
> > > > > > +      * The size of an RPMB frame must match what's expected by the
> > > > > > +      * hardware.
> > > > > > +      */
> > > > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > > > +
> > > > > > +     idata->ic.opcode = opcode;
> > > > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > > > +     idata->ic.write_flag = write_flag;
> > > > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > > > +     idata->buf = buf;
> > > > >
> > > > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > > > no response from the SDHCI controller.
> > > > >
> > > > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > > > the content of buf is copied to the new allocated area, transfers succeed.
> > > > >
> > > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > > >
> > > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > > optee_pool_op_alloc_helper().
> > >
> > > Is this really true for idata->buf or isnt the complete RPMB frame memory
> > > allocated like this and therefore idata->buf not page aligned?
> >
> > You're right.
> >
> > >
> > > For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> > > and therefore page aligned.
> >
> > Yes, that's a difference. Have you tested with page-aligned buffers to
> > see if it helps?
>
> Yes, this helps. I tested with the following patch, but probably it can also
> be solved during frame allocation in optee?

Great, thanks for confirming. Yes, we should fix that in the secure world.

Cheers,
Jens

>
>
> commit b84a56c15abdcd07f4dacf0b7f482802f8ce752b
> Author: Manuel Traut <manut@mecka.net>
> Date:   Tue Apr 23 13:22:27 2024 +0200
>
>     mmc: core: block: rpmb: Allocate page aligned memory
>
>     "Random" position in optee shared memory cannot be used for blk
>     IO on an eMMC with the i.MX8 SDHCI.
>
>     This is for sure not the best possible solution, but works
>     for the moment.
>
> diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> index 30da8fd03..f123a6c96 100644
> --- a/drivers/mmc/core/block.c
> +++ b/drivers/mmc/core/block.c
> @@ -2786,6 +2786,8 @@ static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
>         return idata;
>  }
>
> +#define DYNALLOC 1
> +
>  static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
>                       int write_flag, u8 *buf, unsigned int buf_bytes)
>  {
> @@ -2800,10 +2802,23 @@ static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
>         idata->ic.write_flag = write_flag;
>         idata->ic.blksz = sizeof(struct rpmb_frame);
>         idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> +#ifdef DYNALLOC
> +       idata->buf = kmalloc(buf_bytes, GFP_KERNEL);
> +       memcpy(idata->buf, buf, buf_bytes);
> +#else
>         idata->buf = buf;
> +#endif
>         idata->buf_bytes = buf_bytes;
>  }
>
> +#ifdef DYNALLOC
> +static void free_idata_buf(struct mmc_blk_ioc_data *idata, u8 *buf, unsigned int buf_bytes)
> +{
> +    memcpy(buf, idata->buf, buf_bytes);
> +    kfree(idata->buf);
> +}
> +#endif
> +
>  static int mmc_route_rpmb_frames(struct device *dev, u8 *req,
>                                  unsigned int req_len, u8 *resp,
>                                  unsigned int resp_len)
> @@ -2901,6 +2916,13 @@ static int mmc_route_rpmb_frames(struct device *dev, u8 *req,
>         blk_execute_rq(rq, false);
>         ret = req_to_mmc_queue_req(rq)->drv_op_result;
>
> +#ifdef DYNALLOC
> +       free_idata_buf(idata[0], req, req_len);
> +       free_idata_buf(idata[1], resp, resp_len);
> +       if (write)
> +               free_idata_buf(idata[2], resp, resp_len);
> +#endif
> +
>         blk_mq_free_request(rq);
>
>  out:
>
> > > > Alternatively, it's from the memory
> > > > range mapped using memremap() in optee_config_shm_memremap(), but
> > > > that's only if you don't have "dynamic shared memory is enabled" in
> > > > the boot log.
> > >
> > > "dynamic shared memory is enabled" is in the bootlog, ..
> >
> > Great.
>
> Thanks
> Manuel
Jens Wiklander April 29, 2024, 11:13 a.m. UTC | #7
On Mon, Apr 29, 2024 at 12:45 PM Jens Wiklander
<jens.wiklander@linaro.org> wrote:
>
> On Mon, Apr 29, 2024 at 12:35 PM Manuel Traut <manut@mecka.net> wrote:
> >
> > On Mon, Apr 29, 2024 at 12:08:45PM +0200, Jens Wiklander wrote:
> > > On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
> > > >
> > > > On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > > > > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > > > > >
> > > > > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > > > > an implementation for the RPMB access operations abstracting
> > > > > > > the actual multi step process.
> > > > > > >
> > > > > > > Add a callback to extract the needed device information at registration
> > > > > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > > > > holding a reference counter for this struct.
> > > > > > >
> > > > > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > > > > route_frames() function pointer in struct rpmb_ops.
> > > > > > >
> > > > > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > > > > ---
> > > > > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > > > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > > > > >
> > > > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > > > > index 32d49100dff5..a7f126fbc605 100644
> > > > > > > --- a/drivers/mmc/core/block.c
> > > > > > > +++ b/drivers/mmc/core/block.c
> > > > > > > @@ -33,6 +33,7 @@
> > > > > > >  #include <linux/cdev.h>
> > > > > > >  #include <linux/mutex.h>
> > > > > > >  #include <linux/scatterlist.h>
> > > > > > > +#include <linux/string.h>
> > > > > > >  #include <linux/string_helpers.h>
> > > > > > >  #include <linux/delay.h>
> > > > > > >  #include <linux/capability.h>
> > > > > > > @@ -40,6 +41,7 @@
> > > > > > >  #include <linux/pm_runtime.h>
> > > > > > >  #include <linux/idr.h>
> > > > > > >  #include <linux/debugfs.h>
> > > > > > > +#include <linux/rpmb.h>
> > > > > > >
> > > > > > >  #include <linux/mmc/ioctl.h>
> > > > > > >  #include <linux/mmc/card.h>
> > > > > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > > > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > > > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > > > > >
> > > > > > > +/**
> > > > > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > > > > + *
> > > > > > > + * @stuff        : stuff bytes
> > > > > > > + * @key_mac      : The authentication key or the message authentication
> > > > > > > + *                 code (MAC) depending on the request/response type.
> > > > > > > + *                 The MAC will be delivered in the last (or the only)
> > > > > > > + *                 block of data.
> > > > > > > + * @data         : Data to be written or read by signed access.
> > > > > > > + * @nonce        : Random number generated by the host for the requests
> > > > > > > + *                 and copied to the response by the RPMB engine.
> > > > > > > + * @write_counter: Counter value for the total amount of the successful
> > > > > > > + *                 authenticated data write requests made by the host.
> > > > > > > + * @addr         : Address of the data to be programmed to or read
> > > > > > > + *                 from the RPMB. Address is the serial number of
> > > > > > > + *                 the accessed block (half sector 256B).
> > > > > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > > > > + *                 read/programmed.
> > > > > > > + * @result       : Includes information about the status of the write counter
> > > > > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > > > > + *
> > > > > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > > > > + */
> > > > > > > +struct rpmb_frame {
> > > > > > > +     u8     stuff[196];
> > > > > > > +     u8     key_mac[32];
> > > > > > > +     u8     data[256];
> > > > > > > +     u8     nonce[16];
> > > > > > > +     __be32 write_counter;
> > > > > > > +     __be16 addr;
> > > > > > > +     __be16 block_count;
> > > > > > > +     __be16 result;
> > > > > > > +     __be16 req_resp;
> > > > > > > +} __packed;
> > > > > > > +
> > > > > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > > > > +
> > > > > > >  static DEFINE_MUTEX(block_mutex);
> > > > > > >
> > > > > > >  /*
> > > > > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > > > > >       int id;
> > > > > > >       unsigned int part_index;
> > > > > > >       struct mmc_blk_data *md;
> > > > > > > +     struct rpmb_dev *rdev;
> > > > > > >       struct list_head node;
> > > > > > >  };
> > > > > > >
> > > > > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > > > > >
> > > > > > >       get_device(&rpmb->dev);
> > > > > > >       filp->private_data = rpmb;
> > > > > > > -     mmc_blk_get(rpmb->md->disk);
> > > > > > >
> > > > > > >       return nonseekable_open(inode, filp);
> > > > > > >  }
> > > > > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > > > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > > > > >                                                 struct mmc_rpmb_data, chrdev);
> > > > > > >
> > > > > > > -     mmc_blk_put(rpmb->md);
> > > > > > >       put_device(&rpmb->dev);
> > > > > > >
> > > > > > >       return 0;
> > > > > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > > > > >  {
> > > > > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > > > > >
> > > > > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > > > > +     mmc_blk_put(rpmb->md);
> > > > > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > > > > >       kfree(rpmb);
> > > > > > >  }
> > > > > > >
> > > > > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > > > > +{
> > > > > > > +     unsigned int n;
> > > > > > > +
> > > > > > > +     for (n = 0; n < cmd_count; n++)
> > > > > > > +             kfree(idata[n]);
> > > > > > > +     kfree(idata);
> > > > > > > +}
> > > > > > > +
> > > > > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > > > > +                                          unsigned int cmd_count)
> > > > > > > +{
> > > > > > > +     struct mmc_blk_ioc_data **idata;
> > > > > > > +     unsigned int n;
> > > > > > > +
> > > > > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > > > > +     if (!idata)
> > > > > > > +             return NULL;
> > > > > > > +     for (n = 0; n < cmd_count; n++) {
> > > > > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > > > > +             if (!idata[n]) {
> > > > > > > +                     free_idata(idata, n);
> > > > > > > +                     return NULL;
> > > > > > > +             }
> > > > > > > +             idata[n]->rpmb = rpmb;
> > > > > > > +     }
> > > > > > > +
> > > > > > > +     return idata;
> > > > > > > +}
> > > > > > > +
> > > > > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > > > > +{
> > > > > > > +     /*
> > > > > > > +      * The size of an RPMB frame must match what's expected by the
> > > > > > > +      * hardware.
> > > > > > > +      */
> > > > > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > > > > +
> > > > > > > +     idata->ic.opcode = opcode;
> > > > > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > > > > +     idata->ic.write_flag = write_flag;
> > > > > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > > > > +     idata->buf = buf;
> > > > > >
> > > > > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > > > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > > > > no response from the SDHCI controller.
> > > > > >
> > > > > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > > > > the content of buf is copied to the new allocated area, transfers succeed.
> > > > > >
> > > > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > > > >
> > > > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > > > optee_pool_op_alloc_helper().
> > > >
> > > > Is this really true for idata->buf or isnt the complete RPMB frame memory
> > > > allocated like this and therefore idata->buf not page aligned?
> > >
> > > You're right.
> > >
> > > >
> > > > For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> > > > and therefore page aligned.
> > >
> > > Yes, that's a difference. Have you tested with page-aligned buffers to
> > > see if it helps?
> >
> > Yes, this helps. I tested with the following patch, but probably it can also
> > be solved during frame allocation in optee?
>
> Great, thanks for confirming. Yes, we should fix that in the secure world.

I've pushed an update to
https://github.com/jenswi-linaro/optee_os/tree/rpmb_probe

Cheers,
Jens
Manuel Traut April 29, 2024, 1:13 p.m. UTC | #8
On Mon, Apr 29, 2024 at 01:13:58PM +0200, Jens Wiklander wrote:
> On Mon, Apr 29, 2024 at 12:45 PM Jens Wiklander
> <jens.wiklander@linaro.org> wrote:
> >
> > On Mon, Apr 29, 2024 at 12:35 PM Manuel Traut <manut@mecka.net> wrote:
> > >
> > > On Mon, Apr 29, 2024 at 12:08:45PM +0200, Jens Wiklander wrote:
> > > > On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
> > > > >
> > > > > On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > > > > > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > > > > > >
> > > > > > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > > > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > > > > > an implementation for the RPMB access operations abstracting
> > > > > > > > the actual multi step process.
> > > > > > > >
> > > > > > > > Add a callback to extract the needed device information at registration
> > > > > > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > > > > > holding a reference counter for this struct.
> > > > > > > >
> > > > > > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > > > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > > > > > route_frames() function pointer in struct rpmb_ops.
> > > > > > > >
> > > > > > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > > > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > > > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > > > > > ---
> > > > > > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > > > > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > > > > > >
> > > > > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > > > > > index 32d49100dff5..a7f126fbc605 100644
> > > > > > > > --- a/drivers/mmc/core/block.c
> > > > > > > > +++ b/drivers/mmc/core/block.c
> > > > > > > > @@ -33,6 +33,7 @@
> > > > > > > >  #include <linux/cdev.h>
> > > > > > > >  #include <linux/mutex.h>
> > > > > > > >  #include <linux/scatterlist.h>
> > > > > > > > +#include <linux/string.h>
> > > > > > > >  #include <linux/string_helpers.h>
> > > > > > > >  #include <linux/delay.h>
> > > > > > > >  #include <linux/capability.h>
> > > > > > > > @@ -40,6 +41,7 @@
> > > > > > > >  #include <linux/pm_runtime.h>
> > > > > > > >  #include <linux/idr.h>
> > > > > > > >  #include <linux/debugfs.h>
> > > > > > > > +#include <linux/rpmb.h>
> > > > > > > >
> > > > > > > >  #include <linux/mmc/ioctl.h>
> > > > > > > >  #include <linux/mmc/card.h>
> > > > > > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > > > > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > > > > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > > > > > >
> > > > > > > > +/**
> > > > > > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > > > > > + *
> > > > > > > > + * @stuff        : stuff bytes
> > > > > > > > + * @key_mac      : The authentication key or the message authentication
> > > > > > > > + *                 code (MAC) depending on the request/response type.
> > > > > > > > + *                 The MAC will be delivered in the last (or the only)
> > > > > > > > + *                 block of data.
> > > > > > > > + * @data         : Data to be written or read by signed access.
> > > > > > > > + * @nonce        : Random number generated by the host for the requests
> > > > > > > > + *                 and copied to the response by the RPMB engine.
> > > > > > > > + * @write_counter: Counter value for the total amount of the successful
> > > > > > > > + *                 authenticated data write requests made by the host.
> > > > > > > > + * @addr         : Address of the data to be programmed to or read
> > > > > > > > + *                 from the RPMB. Address is the serial number of
> > > > > > > > + *                 the accessed block (half sector 256B).
> > > > > > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > > > > > + *                 read/programmed.
> > > > > > > > + * @result       : Includes information about the status of the write counter
> > > > > > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > > > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > > > > > + *
> > > > > > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > > > > > + */
> > > > > > > > +struct rpmb_frame {
> > > > > > > > +     u8     stuff[196];
> > > > > > > > +     u8     key_mac[32];
> > > > > > > > +     u8     data[256];
> > > > > > > > +     u8     nonce[16];
> > > > > > > > +     __be32 write_counter;
> > > > > > > > +     __be16 addr;
> > > > > > > > +     __be16 block_count;
> > > > > > > > +     __be16 result;
> > > > > > > > +     __be16 req_resp;
> > > > > > > > +} __packed;
> > > > > > > > +
> > > > > > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > > > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > > > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > > > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > > > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > > > > > +
> > > > > > > >  static DEFINE_MUTEX(block_mutex);
> > > > > > > >
> > > > > > > >  /*
> > > > > > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > > > > > >       int id;
> > > > > > > >       unsigned int part_index;
> > > > > > > >       struct mmc_blk_data *md;
> > > > > > > > +     struct rpmb_dev *rdev;
> > > > > > > >       struct list_head node;
> > > > > > > >  };
> > > > > > > >
> > > > > > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > > > > > >
> > > > > > > >       get_device(&rpmb->dev);
> > > > > > > >       filp->private_data = rpmb;
> > > > > > > > -     mmc_blk_get(rpmb->md->disk);
> > > > > > > >
> > > > > > > >       return nonseekable_open(inode, filp);
> > > > > > > >  }
> > > > > > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > > > > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > > > > > >                                                 struct mmc_rpmb_data, chrdev);
> > > > > > > >
> > > > > > > > -     mmc_blk_put(rpmb->md);
> > > > > > > >       put_device(&rpmb->dev);
> > > > > > > >
> > > > > > > >       return 0;
> > > > > > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > > > > > >  {
> > > > > > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > > > > > >
> > > > > > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > > > > > +     mmc_blk_put(rpmb->md);
> > > > > > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > > > > > >       kfree(rpmb);
> > > > > > > >  }
> > > > > > > >
> > > > > > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > > > > > +{
> > > > > > > > +     unsigned int n;
> > > > > > > > +
> > > > > > > > +     for (n = 0; n < cmd_count; n++)
> > > > > > > > +             kfree(idata[n]);
> > > > > > > > +     kfree(idata);
> > > > > > > > +}
> > > > > > > > +
> > > > > > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > > > > > +                                          unsigned int cmd_count)
> > > > > > > > +{
> > > > > > > > +     struct mmc_blk_ioc_data **idata;
> > > > > > > > +     unsigned int n;
> > > > > > > > +
> > > > > > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > > > > > +     if (!idata)
> > > > > > > > +             return NULL;
> > > > > > > > +     for (n = 0; n < cmd_count; n++) {
> > > > > > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > > > > > +             if (!idata[n]) {
> > > > > > > > +                     free_idata(idata, n);
> > > > > > > > +                     return NULL;
> > > > > > > > +             }
> > > > > > > > +             idata[n]->rpmb = rpmb;
> > > > > > > > +     }
> > > > > > > > +
> > > > > > > > +     return idata;
> > > > > > > > +}
> > > > > > > > +
> > > > > > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > > > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > > > > > +{
> > > > > > > > +     /*
> > > > > > > > +      * The size of an RPMB frame must match what's expected by the
> > > > > > > > +      * hardware.
> > > > > > > > +      */
> > > > > > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > > > > > +
> > > > > > > > +     idata->ic.opcode = opcode;
> > > > > > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > > > > > +     idata->ic.write_flag = write_flag;
> > > > > > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > > > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > > > > > +     idata->buf = buf;
> > > > > > >
> > > > > > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > > > > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > > > > > no response from the SDHCI controller.
> > > > > > >
> > > > > > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > > > > > the content of buf is copied to the new allocated area, transfers succeed.
> > > > > > >
> > > > > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > > > > >
> > > > > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > > > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > > > > optee_pool_op_alloc_helper().
> > > > >
> > > > > Is this really true for idata->buf or isnt the complete RPMB frame memory
> > > > > allocated like this and therefore idata->buf not page aligned?
> > > >
> > > > You're right.
> > > >
> > > > >
> > > > > For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> > > > > and therefore page aligned.
> > > >
> > > > Yes, that's a difference. Have you tested with page-aligned buffers to
> > > > see if it helps?
> > >
> > > Yes, this helps. I tested with the following patch, but probably it can also
> > > be solved during frame allocation in optee?
> >
> > Great, thanks for confirming. Yes, we should fix that in the secure world.
> 
> I've pushed an update to
> https://github.com/jenswi-linaro/optee_os/tree/rpmb_probe

Thanks for taking care. I applied the additional patch

https://github.com/OP-TEE/optee_os/commit/cdbe8d149f1eed62bc8ef9137d208858bb7691d8.patch

to optee_os and removed the kmalloc dynalloc hack mentioned before from the
kernel.

The issue persists, please see below.

Thanks for your support
Manuel

E/TC:? 0
E/TC:? 0 TA panicked with code 0xffff0006
[   18.661761] mmc0: Timeout waiting for hardware interrupt.
[   18.661776] mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
E/LD:   arch: arm
E/LD:  region  0: va 0x40005000 pa 0xbe81b000 size 0x002000 flags rw-s (ldelf)
E/LD:  region  1: va 0x40007000 pa 0xbe81d000 size 0x008000 flags r-xs (ldelf)
E/LD:  region  2: va 0x4000f000 pa 0xbe825000 size 0x001000 flags rw-s (ldelf)
E/LD:  region  3: va 0x40010000 pa 0xbe826000 size 0x004000 flags rw-s (ldelf)
E/LD:  region  4: va 0x40014000 pa 0xbe82a000 size 0x001000 flags r--s
E/LD:  region  5: va 0x40015000 pa 0xbe88b000 size 0x011000 flags rw-s (stack)
E/LD:  region  6: va 0x40026000 pa 0x534f8000 size 0x002000 flags rw-- (param)
E/LD:  region  7: va 0x40035000 pa 0x00001000 size 0x042000 flags r-xs [0]
E/LD:  region  8: va 0x40077000 pa 0x00043000 size 0x01e000 flags rw-s [0]
E/LD:   [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x40035000
E/LD:  Call stack:
E/LD:   0x40064d48
E/LD:   0x40060c17
E/LD:   0x40037d81
E/LD:   0x40038223
E/LD:   0x4004d343
E/LD:   0x4005d52d
E/LD:   0x4003885f
E/LD:   0x40064cd9
E/LD:   0x4006a8a3
E/LD:   0x4005d68c
[   18.661782] mmc0: sdhci: Sys addr:  0x00000008 | Version:  0x00000002
[   18.661790] mmc0: sdhci: Blk size:  0x00000200 | Blk cnt:  0x00000006
[   18.661796] mmc0: sdhci: Argument:  0x00000000 | Trn mode: 0x0000003b
[   18.661802] mmc0: sdhci: Present:   0x01088a8e | Host ctl: 0x00000031
[   18.661808] mmc0: sdhci: Power:     0x00000002 | Blk gap:  0x00000080
[   18.661814] mmc0: sdhci: Wake-up:   0x00000008 | Clock:    0x0000000f
[   18.661820] mmc0: sdhci: Timeout:   0x0000008f | Int stat: 0x00000000
[   18.661825] mmc0: sdhci: Int enab:  0x117f100b | Sig enab: 0x117f100b
[   18.661831] mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000502
[   18.661837] mmc0: sdhci: Caps:      0x07eb0000 | Caps_1:   0x0000b407
[   18.661842] mmc0: sdhci: Cmd:       0x0000123a | Max curr: 0x00ffffff
[   18.661848] mmc0: sdhci: Resp[0]:   0x00000900 | Resp[1]:  0xffffffff
[   18.661856] mmc0: sdhci: Resp[2]:   0x328f5903 | Resp[3]:  0x00000900
[   18.661862] mmc0: sdhci: Host ctl2: 0x00000008
[   18.661868] mmc0: sdhci: ADMA Err:  0x00000007 | ADMA Ptr: 0x412c0200
[   18.661874] mmc0: sdhci-esdhc-imx: ========= ESDHC IMX DEBUG STATUS DUMP =========
[   18.661879] mmc0: sdhci-esdhc-imx: cmd debug status:  0x2120
[   18.661885] mmc0: sdhci-esdhc-imx: data debug status:  0x22d0
[   18.661893] mmc0: sdhci-esdhc-imx: trans debug status:  0x23c0
[   18.661900] mmc0: sdhci-esdhc-imx: dma debug status:  0x2400
[   18.661907] mmc0: sdhci-esdhc-imx: adma debug status:  0x25b4
[   18.661915] mmc0: sdhci-esdhc-imx: fifo debug status:  0x2650
[   18.661922] mmc0: sdhci-esdhc-imx: async fifo debug status:  0x2760
[   18.661929] mmc0: sdhci: ============================================
[   18.662615] sdhci-esdhc-imx 30b40000.mmc: __mmc_blk_ioctl_cmd: data error -110
[   18.772374] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
[   18.772393] tpm tpm0: tpm_try_transmit: send(): error -53212
[   18.772447] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
[   18.772455] tpm tpm0: tpm_try_transmit: send(): error -53212
[   18.772465] ftpm-tee tpm: ftpm_tee_probe: tpm_chip_register failed with rc=-53212
[   18.772545] ftpm-tee: probe of tpm failed with error -53212
[   19.430011] caam_jr 30902000.jr: 20000254: CCB: desc idx 2: RNG: Not instantiated
[   28.901794] mmc0: Timeout waiting for hardware interrupt.
[  *** ] (1 of 2) Job dev-tpmrm0.device/start running (37s / 1min 30s)
[ ***  ] (2 of 2) Job dev-tpm0.device/start running (47s / 1min 30s)
[ ***  ] (2 of 2) Job dev-tpm0.device/start
Avri Altman April 29, 2024, 7:36 p.m. UTC | #9
> > > >
> > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > >
> > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > optee_pool_op_alloc_helper().
> >
> > Is this really true for idata->buf or isnt the complete RPMB frame
> > memory allocated like this and therefore idata->buf not page aligned?
> 
> You're right.
Maybe add an assert of PAGE_ALIGNED(idata->buf)?

Thanks,
Avri

> 
> >
> > For RPMB via tee-supplicant the idata->buf is allocated within
> > memdup_user and therefore page aligned.
> 
> Yes, that's a difference. Have you tested with page-aligned buffers to see if it
> helps?
Jens Wiklander May 2, 2024, 9:53 a.m. UTC | #10
On Mon, Apr 29, 2024 at 3:13 PM Manuel Traut <manut@mecka.net> wrote:
>
> On Mon, Apr 29, 2024 at 01:13:58PM +0200, Jens Wiklander wrote:
> > On Mon, Apr 29, 2024 at 12:45 PM Jens Wiklander
> > <jens.wiklander@linaro.org> wrote:
> > >
> > > On Mon, Apr 29, 2024 at 12:35 PM Manuel Traut <manut@mecka.net> wrote:
> > > >
> > > > On Mon, Apr 29, 2024 at 12:08:45PM +0200, Jens Wiklander wrote:
> > > > > On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
> > > > > >
> > > > > > On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > > > > > > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > > > > > > >
> > > > > > > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > > > > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > > > > > > an implementation for the RPMB access operations abstracting
> > > > > > > > > the actual multi step process.
> > > > > > > > >
> > > > > > > > > Add a callback to extract the needed device information at registration
> > > > > > > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > > > > > > holding a reference counter for this struct.
> > > > > > > > >
> > > > > > > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > > > > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > > > > > > route_frames() function pointer in struct rpmb_ops.
> > > > > > > > >
> > > > > > > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > > > > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > > > > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > > > > > > ---
> > > > > > > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > > > > > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > > > > > > >
> > > > > > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > > > > > > index 32d49100dff5..a7f126fbc605 100644
> > > > > > > > > --- a/drivers/mmc/core/block.c
> > > > > > > > > +++ b/drivers/mmc/core/block.c
> > > > > > > > > @@ -33,6 +33,7 @@
> > > > > > > > >  #include <linux/cdev.h>
> > > > > > > > >  #include <linux/mutex.h>
> > > > > > > > >  #include <linux/scatterlist.h>
> > > > > > > > > +#include <linux/string.h>
> > > > > > > > >  #include <linux/string_helpers.h>
> > > > > > > > >  #include <linux/delay.h>
> > > > > > > > >  #include <linux/capability.h>
> > > > > > > > > @@ -40,6 +41,7 @@
> > > > > > > > >  #include <linux/pm_runtime.h>
> > > > > > > > >  #include <linux/idr.h>
> > > > > > > > >  #include <linux/debugfs.h>
> > > > > > > > > +#include <linux/rpmb.h>
> > > > > > > > >
> > > > > > > > >  #include <linux/mmc/ioctl.h>
> > > > > > > > >  #include <linux/mmc/card.h>
> > > > > > > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > > > > > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > > > > > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > > > > > > >
> > > > > > > > > +/**
> > > > > > > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > > > > > > + *
> > > > > > > > > + * @stuff        : stuff bytes
> > > > > > > > > + * @key_mac      : The authentication key or the message authentication
> > > > > > > > > + *                 code (MAC) depending on the request/response type.
> > > > > > > > > + *                 The MAC will be delivered in the last (or the only)
> > > > > > > > > + *                 block of data.
> > > > > > > > > + * @data         : Data to be written or read by signed access.
> > > > > > > > > + * @nonce        : Random number generated by the host for the requests
> > > > > > > > > + *                 and copied to the response by the RPMB engine.
> > > > > > > > > + * @write_counter: Counter value for the total amount of the successful
> > > > > > > > > + *                 authenticated data write requests made by the host.
> > > > > > > > > + * @addr         : Address of the data to be programmed to or read
> > > > > > > > > + *                 from the RPMB. Address is the serial number of
> > > > > > > > > + *                 the accessed block (half sector 256B).
> > > > > > > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > > > > > > + *                 read/programmed.
> > > > > > > > > + * @result       : Includes information about the status of the write counter
> > > > > > > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > > > > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > > > > > > + *
> > > > > > > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > > > > > > + */
> > > > > > > > > +struct rpmb_frame {
> > > > > > > > > +     u8     stuff[196];
> > > > > > > > > +     u8     key_mac[32];
> > > > > > > > > +     u8     data[256];
> > > > > > > > > +     u8     nonce[16];
> > > > > > > > > +     __be32 write_counter;
> > > > > > > > > +     __be16 addr;
> > > > > > > > > +     __be16 block_count;
> > > > > > > > > +     __be16 result;
> > > > > > > > > +     __be16 req_resp;
> > > > > > > > > +} __packed;
> > > > > > > > > +
> > > > > > > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > > > > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > > > > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > > > > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > > > > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > > > > > > +
> > > > > > > > >  static DEFINE_MUTEX(block_mutex);
> > > > > > > > >
> > > > > > > > >  /*
> > > > > > > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > > > > > > >       int id;
> > > > > > > > >       unsigned int part_index;
> > > > > > > > >       struct mmc_blk_data *md;
> > > > > > > > > +     struct rpmb_dev *rdev;
> > > > > > > > >       struct list_head node;
> > > > > > > > >  };
> > > > > > > > >
> > > > > > > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > > > > > > >
> > > > > > > > >       get_device(&rpmb->dev);
> > > > > > > > >       filp->private_data = rpmb;
> > > > > > > > > -     mmc_blk_get(rpmb->md->disk);
> > > > > > > > >
> > > > > > > > >       return nonseekable_open(inode, filp);
> > > > > > > > >  }
> > > > > > > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > > > > > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > > > > > > >                                                 struct mmc_rpmb_data, chrdev);
> > > > > > > > >
> > > > > > > > > -     mmc_blk_put(rpmb->md);
> > > > > > > > >       put_device(&rpmb->dev);
> > > > > > > > >
> > > > > > > > >       return 0;
> > > > > > > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > > > > > > >  {
> > > > > > > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > > > > > > >
> > > > > > > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > > > > > > +     mmc_blk_put(rpmb->md);
> > > > > > > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > > > > > > >       kfree(rpmb);
> > > > > > > > >  }
> > > > > > > > >
> > > > > > > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > > > > > > +{
> > > > > > > > > +     unsigned int n;
> > > > > > > > > +
> > > > > > > > > +     for (n = 0; n < cmd_count; n++)
> > > > > > > > > +             kfree(idata[n]);
> > > > > > > > > +     kfree(idata);
> > > > > > > > > +}
> > > > > > > > > +
> > > > > > > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > > > > > > +                                          unsigned int cmd_count)
> > > > > > > > > +{
> > > > > > > > > +     struct mmc_blk_ioc_data **idata;
> > > > > > > > > +     unsigned int n;
> > > > > > > > > +
> > > > > > > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > > > > > > +     if (!idata)
> > > > > > > > > +             return NULL;
> > > > > > > > > +     for (n = 0; n < cmd_count; n++) {
> > > > > > > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > > > > > > +             if (!idata[n]) {
> > > > > > > > > +                     free_idata(idata, n);
> > > > > > > > > +                     return NULL;
> > > > > > > > > +             }
> > > > > > > > > +             idata[n]->rpmb = rpmb;
> > > > > > > > > +     }
> > > > > > > > > +
> > > > > > > > > +     return idata;
> > > > > > > > > +}
> > > > > > > > > +
> > > > > > > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > > > > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > > > > > > +{
> > > > > > > > > +     /*
> > > > > > > > > +      * The size of an RPMB frame must match what's expected by the
> > > > > > > > > +      * hardware.
> > > > > > > > > +      */
> > > > > > > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > > > > > > +
> > > > > > > > > +     idata->ic.opcode = opcode;
> > > > > > > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > > > > > > +     idata->ic.write_flag = write_flag;
> > > > > > > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > > > > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > > > > > > +     idata->buf = buf;
> > > > > > > >
> > > > > > > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > > > > > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > > > > > > no response from the SDHCI controller.
> > > > > > > >
> > > > > > > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > > > > > > the content of buf is copied to the new allocated area, transfers succeed.
> > > > > > > >
> > > > > > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > > > > > >
> > > > > > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > > > > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > > > > > optee_pool_op_alloc_helper().
> > > > > >
> > > > > > Is this really true for idata->buf or isnt the complete RPMB frame memory
> > > > > > allocated like this and therefore idata->buf not page aligned?
> > > > >
> > > > > You're right.
> > > > >
> > > > > >
> > > > > > For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> > > > > > and therefore page aligned.
> > > > >
> > > > > Yes, that's a difference. Have you tested with page-aligned buffers to
> > > > > see if it helps?
> > > >
> > > > Yes, this helps. I tested with the following patch, but probably it can also
> > > > be solved during frame allocation in optee?
> > >
> > > Great, thanks for confirming. Yes, we should fix that in the secure world.
> >
> > I've pushed an update to
> > https://github.com/jenswi-linaro/optee_os/tree/rpmb_probe
>
> Thanks for taking care. I applied the additional patch
>
> https://github.com/OP-TEE/optee_os/commit/cdbe8d149f1eed62bc8ef9137d208858bb7691d8.patch
>
> to optee_os and removed the kmalloc dynalloc hack mentioned before from the
> kernel.
>
> The issue persists, please see below.

So it's not the alignment that is the problem. We need to understand
this problem better before adding workarounds. If I'm not mistaken,
alloc_pages_exact () and kmalloc() are supposed to provide DMAable
memory. Could this be a symptom of some other error in your system?

Thanks,
Jens

>
> Thanks for your support
> Manuel
>
> E/TC:? 0
> E/TC:? 0 TA panicked with code 0xffff0006
> [   18.661761] mmc0: Timeout waiting for hardware interrupt.
> [   18.661776] mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
> E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
> E/LD:   arch: arm
> E/LD:  region  0: va 0x40005000 pa 0xbe81b000 size 0x002000 flags rw-s (ldelf)
> E/LD:  region  1: va 0x40007000 pa 0xbe81d000 size 0x008000 flags r-xs (ldelf)
> E/LD:  region  2: va 0x4000f000 pa 0xbe825000 size 0x001000 flags rw-s (ldelf)
> E/LD:  region  3: va 0x40010000 pa 0xbe826000 size 0x004000 flags rw-s (ldelf)
> E/LD:  region  4: va 0x40014000 pa 0xbe82a000 size 0x001000 flags r--s
> E/LD:  region  5: va 0x40015000 pa 0xbe88b000 size 0x011000 flags rw-s (stack)
> E/LD:  region  6: va 0x40026000 pa 0x534f8000 size 0x002000 flags rw-- (param)
> E/LD:  region  7: va 0x40035000 pa 0x00001000 size 0x042000 flags r-xs [0]
> E/LD:  region  8: va 0x40077000 pa 0x00043000 size 0x01e000 flags rw-s [0]
> E/LD:   [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x40035000
> E/LD:  Call stack:
> E/LD:   0x40064d48
> E/LD:   0x40060c17
> E/LD:   0x40037d81
> E/LD:   0x40038223
> E/LD:   0x4004d343
> E/LD:   0x4005d52d
> E/LD:   0x4003885f
> E/LD:   0x40064cd9
> E/LD:   0x4006a8a3
> E/LD:   0x4005d68c
> [   18.661782] mmc0: sdhci: Sys addr:  0x00000008 | Version:  0x00000002
> [   18.661790] mmc0: sdhci: Blk size:  0x00000200 | Blk cnt:  0x00000006
> [   18.661796] mmc0: sdhci: Argument:  0x00000000 | Trn mode: 0x0000003b
> [   18.661802] mmc0: sdhci: Present:   0x01088a8e | Host ctl: 0x00000031
> [   18.661808] mmc0: sdhci: Power:     0x00000002 | Blk gap:  0x00000080
> [   18.661814] mmc0: sdhci: Wake-up:   0x00000008 | Clock:    0x0000000f
> [   18.661820] mmc0: sdhci: Timeout:   0x0000008f | Int stat: 0x00000000
> [   18.661825] mmc0: sdhci: Int enab:  0x117f100b | Sig enab: 0x117f100b
> [   18.661831] mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000502
> [   18.661837] mmc0: sdhci: Caps:      0x07eb0000 | Caps_1:   0x0000b407
> [   18.661842] mmc0: sdhci: Cmd:       0x0000123a | Max curr: 0x00ffffff
> [   18.661848] mmc0: sdhci: Resp[0]:   0x00000900 | Resp[1]:  0xffffffff
> [   18.661856] mmc0: sdhci: Resp[2]:   0x328f5903 | Resp[3]:  0x00000900
> [   18.661862] mmc0: sdhci: Host ctl2: 0x00000008
> [   18.661868] mmc0: sdhci: ADMA Err:  0x00000007 | ADMA Ptr: 0x412c0200
> [   18.661874] mmc0: sdhci-esdhc-imx: ========= ESDHC IMX DEBUG STATUS DUMP =========
> [   18.661879] mmc0: sdhci-esdhc-imx: cmd debug status:  0x2120
> [   18.661885] mmc0: sdhci-esdhc-imx: data debug status:  0x22d0
> [   18.661893] mmc0: sdhci-esdhc-imx: trans debug status:  0x23c0
> [   18.661900] mmc0: sdhci-esdhc-imx: dma debug status:  0x2400
> [   18.661907] mmc0: sdhci-esdhc-imx: adma debug status:  0x25b4
> [   18.661915] mmc0: sdhci-esdhc-imx: fifo debug status:  0x2650
> [   18.661922] mmc0: sdhci-esdhc-imx: async fifo debug status:  0x2760
> [   18.661929] mmc0: sdhci: ============================================
> [   18.662615] sdhci-esdhc-imx 30b40000.mmc: __mmc_blk_ioctl_cmd: data error -110
> [   18.772374] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> [   18.772393] tpm tpm0: tpm_try_transmit: send(): error -53212
> [   18.772447] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> [   18.772455] tpm tpm0: tpm_try_transmit: send(): error -53212
> [   18.772465] ftpm-tee tpm: ftpm_tee_probe: tpm_chip_register failed with rc=-53212
> [   18.772545] ftpm-tee: probe of tpm failed with error -53212
> [   19.430011] caam_jr 30902000.jr: 20000254: CCB: desc idx 2: RNG: Not instantiated
> [   28.901794] mmc0: Timeout waiting for hardware interrupt.
> [  *** ] (1 of 2) Job dev-tpmrm0.device/start running (37s / 1min 30s)
> [ ***  ] (2 of 2) Job dev-tpm0.device/start running (47s / 1min 30s)
> [ ***  ] (2 of 2) Job dev-tpm0.device/start
>
Manuel Traut May 3, 2024, 9:16 a.m. UTC | #11
On Thu, May 02, 2024 at 11:53:40AM +0200, Jens Wiklander wrote:
> On Mon, Apr 29, 2024 at 3:13 PM Manuel Traut <manut@mecka.net> wrote:
> >
> > On Mon, Apr 29, 2024 at 01:13:58PM +0200, Jens Wiklander wrote:
> > > On Mon, Apr 29, 2024 at 12:45 PM Jens Wiklander
> > > <jens.wiklander@linaro.org> wrote:
> > > >
> > > > On Mon, Apr 29, 2024 at 12:35 PM Manuel Traut <manut@mecka.net> wrote:
> > > > >
> > > > > On Mon, Apr 29, 2024 at 12:08:45PM +0200, Jens Wiklander wrote:
> > > > > > On Mon, Apr 29, 2024 at 11:41 AM Manuel Traut <manut@mecka.net> wrote:
> > > > > > >
> > > > > > > On Fri, Apr 26, 2024 at 03:24:21PM +0200, Jens Wiklander wrote:
> > > > > > > > On Thu, Apr 25, 2024 at 10:43 AM Manuel Traut <manut@mecka.net> wrote:
> > > > > > > > >
> > > > > > > > > On Mon, Apr 22, 2024 at 11:19:35AM +0200, Jens Wiklander wrote:
> > > > > > > > > > Register eMMC RPMB partition with the RPMB subsystem and provide
> > > > > > > > > > an implementation for the RPMB access operations abstracting
> > > > > > > > > > the actual multi step process.
> > > > > > > > > >
> > > > > > > > > > Add a callback to extract the needed device information at registration
> > > > > > > > > > to avoid accessing the struct mmc_card at a later stage as we're not
> > > > > > > > > > holding a reference counter for this struct.
> > > > > > > > > >
> > > > > > > > > > Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part()
> > > > > > > > > > instead of in mmc_rpmb_chrdev_open(). This is needed by the
> > > > > > > > > > route_frames() function pointer in struct rpmb_ops.
> > > > > > > > > >
> > > > > > > > > > Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> > > > > > > > > > Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
> > > > > > > > > > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > > > > > > > > > ---
> > > > > > > > > >  drivers/mmc/core/block.c | 241 ++++++++++++++++++++++++++++++++++++++-
> > > > > > > > > >  1 file changed, 239 insertions(+), 2 deletions(-)
> > > > > > > > > >
> > > > > > > > > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
> > > > > > > > > > index 32d49100dff5..a7f126fbc605 100644
> > > > > > > > > > --- a/drivers/mmc/core/block.c
> > > > > > > > > > +++ b/drivers/mmc/core/block.c
> > > > > > > > > > @@ -33,6 +33,7 @@
> > > > > > > > > >  #include <linux/cdev.h>
> > > > > > > > > >  #include <linux/mutex.h>
> > > > > > > > > >  #include <linux/scatterlist.h>
> > > > > > > > > > +#include <linux/string.h>
> > > > > > > > > >  #include <linux/string_helpers.h>
> > > > > > > > > >  #include <linux/delay.h>
> > > > > > > > > >  #include <linux/capability.h>
> > > > > > > > > > @@ -40,6 +41,7 @@
> > > > > > > > > >  #include <linux/pm_runtime.h>
> > > > > > > > > >  #include <linux/idr.h>
> > > > > > > > > >  #include <linux/debugfs.h>
> > > > > > > > > > +#include <linux/rpmb.h>
> > > > > > > > > >
> > > > > > > > > >  #include <linux/mmc/ioctl.h>
> > > > > > > > > >  #include <linux/mmc/card.h>
> > > > > > > > > > @@ -76,6 +78,48 @@ MODULE_ALIAS("mmc:block");
> > > > > > > > > >  #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
> > > > > > > > > >  #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
> > > > > > > > > >
> > > > > > > > > > +/**
> > > > > > > > > > + * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
> > > > > > > > > > + *
> > > > > > > > > > + * @stuff        : stuff bytes
> > > > > > > > > > + * @key_mac      : The authentication key or the message authentication
> > > > > > > > > > + *                 code (MAC) depending on the request/response type.
> > > > > > > > > > + *                 The MAC will be delivered in the last (or the only)
> > > > > > > > > > + *                 block of data.
> > > > > > > > > > + * @data         : Data to be written or read by signed access.
> > > > > > > > > > + * @nonce        : Random number generated by the host for the requests
> > > > > > > > > > + *                 and copied to the response by the RPMB engine.
> > > > > > > > > > + * @write_counter: Counter value for the total amount of the successful
> > > > > > > > > > + *                 authenticated data write requests made by the host.
> > > > > > > > > > + * @addr         : Address of the data to be programmed to or read
> > > > > > > > > > + *                 from the RPMB. Address is the serial number of
> > > > > > > > > > + *                 the accessed block (half sector 256B).
> > > > > > > > > > + * @block_count  : Number of blocks (half sectors, 256B) requested to be
> > > > > > > > > > + *                 read/programmed.
> > > > > > > > > > + * @result       : Includes information about the status of the write counter
> > > > > > > > > > + *                 (valid, expired) and result of the access made to the RPMB.
> > > > > > > > > > + * @req_resp     : Defines the type of request and response to/from the memory.
> > > > > > > > > > + *
> > > > > > > > > > + * The stuff bytes and big-endian properties are modeled to fit to the spec.
> > > > > > > > > > + */
> > > > > > > > > > +struct rpmb_frame {
> > > > > > > > > > +     u8     stuff[196];
> > > > > > > > > > +     u8     key_mac[32];
> > > > > > > > > > +     u8     data[256];
> > > > > > > > > > +     u8     nonce[16];
> > > > > > > > > > +     __be32 write_counter;
> > > > > > > > > > +     __be16 addr;
> > > > > > > > > > +     __be16 block_count;
> > > > > > > > > > +     __be16 result;
> > > > > > > > > > +     __be16 req_resp;
> > > > > > > > > > +} __packed;
> > > > > > > > > > +
> > > > > > > > > > +#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
> > > > > > > > > > +#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
> > > > > > > > > > +#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
> > > > > > > > > > +#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
> > > > > > > > > > +#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
> > > > > > > > > > +
> > > > > > > > > >  static DEFINE_MUTEX(block_mutex);
> > > > > > > > > >
> > > > > > > > > >  /*
> > > > > > > > > > @@ -163,6 +207,7 @@ struct mmc_rpmb_data {
> > > > > > > > > >       int id;
> > > > > > > > > >       unsigned int part_index;
> > > > > > > > > >       struct mmc_blk_data *md;
> > > > > > > > > > +     struct rpmb_dev *rdev;
> > > > > > > > > >       struct list_head node;
> > > > > > > > > >  };
> > > > > > > > > >
> > > > > > > > > > @@ -2672,7 +2717,6 @@ static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
> > > > > > > > > >
> > > > > > > > > >       get_device(&rpmb->dev);
> > > > > > > > > >       filp->private_data = rpmb;
> > > > > > > > > > -     mmc_blk_get(rpmb->md->disk);
> > > > > > > > > >
> > > > > > > > > >       return nonseekable_open(inode, filp);
> > > > > > > > > >  }
> > > > > > > > > > @@ -2682,7 +2726,6 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
> > > > > > > > > >       struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
> > > > > > > > > >                                                 struct mmc_rpmb_data, chrdev);
> > > > > > > > > >
> > > > > > > > > > -     mmc_blk_put(rpmb->md);
> > > > > > > > > >       put_device(&rpmb->dev);
> > > > > > > > > >
> > > > > > > > > >       return 0;
> > > > > > > > > > @@ -2703,10 +2746,165 @@ static void mmc_blk_rpmb_device_release(struct device *dev)
> > > > > > > > > >  {
> > > > > > > > > >       struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
> > > > > > > > > >
> > > > > > > > > > +     rpmb_dev_unregister(rpmb->rdev);
> > > > > > > > > > +     mmc_blk_put(rpmb->md);
> > > > > > > > > >       ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
> > > > > > > > > >       kfree(rpmb);
> > > > > > > > > >  }
> > > > > > > > > >
> > > > > > > > > > +static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
> > > > > > > > > > +{
> > > > > > > > > > +     unsigned int n;
> > > > > > > > > > +
> > > > > > > > > > +     for (n = 0; n < cmd_count; n++)
> > > > > > > > > > +             kfree(idata[n]);
> > > > > > > > > > +     kfree(idata);
> > > > > > > > > > +}
> > > > > > > > > > +
> > > > > > > > > > +static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
> > > > > > > > > > +                                          unsigned int cmd_count)
> > > > > > > > > > +{
> > > > > > > > > > +     struct mmc_blk_ioc_data **idata;
> > > > > > > > > > +     unsigned int n;
> > > > > > > > > > +
> > > > > > > > > > +     idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
> > > > > > > > > > +     if (!idata)
> > > > > > > > > > +             return NULL;
> > > > > > > > > > +     for (n = 0; n < cmd_count; n++) {
> > > > > > > > > > +             idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
> > > > > > > > > > +             if (!idata[n]) {
> > > > > > > > > > +                     free_idata(idata, n);
> > > > > > > > > > +                     return NULL;
> > > > > > > > > > +             }
> > > > > > > > > > +             idata[n]->rpmb = rpmb;
> > > > > > > > > > +     }
> > > > > > > > > > +
> > > > > > > > > > +     return idata;
> > > > > > > > > > +}
> > > > > > > > > > +
> > > > > > > > > > +static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
> > > > > > > > > > +                   int write_flag, u8 *buf, unsigned int buf_bytes)
> > > > > > > > > > +{
> > > > > > > > > > +     /*
> > > > > > > > > > +      * The size of an RPMB frame must match what's expected by the
> > > > > > > > > > +      * hardware.
> > > > > > > > > > +      */
> > > > > > > > > > +     BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
> > > > > > > > > > +
> > > > > > > > > > +     idata->ic.opcode = opcode;
> > > > > > > > > > +     idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
> > > > > > > > > > +     idata->ic.write_flag = write_flag;
> > > > > > > > > > +     idata->ic.blksz = sizeof(struct rpmb_frame);
> > > > > > > > > > +     idata->ic.blocks = buf_bytes /  idata->ic.blksz;
> > > > > > > > > > +     idata->buf = buf;
> > > > > > > > >
> > > > > > > > > I tested the series on a i.MX8MM with a eMMC connected via the imx-sdhci
> > > > > > > > > controller. Reading from RPMB does not work. It ends in timeouts due to
> > > > > > > > > no response from the SDHCI controller.
> > > > > > > > >
> > > > > > > > > If idata->buf is allocated here with kmalloc(buf_bytes, GFP_KERNEL) and
> > > > > > > > > the content of buf is copied to the new allocated area, transfers succeed.
> > > > > > > > >
> > > > > > > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > > > > > > >
> > > > > > > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > > > > > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > > > > > > optee_pool_op_alloc_helper().
> > > > > > >
> > > > > > > Is this really true for idata->buf or isnt the complete RPMB frame memory
> > > > > > > allocated like this and therefore idata->buf not page aligned?
> > > > > >
> > > > > > You're right.
> > > > > >
> > > > > > >
> > > > > > > For RPMB via tee-supplicant the idata->buf is allocated within memdup_user
> > > > > > > and therefore page aligned.
> > > > > >
> > > > > > Yes, that's a difference. Have you tested with page-aligned buffers to
> > > > > > see if it helps?
> > > > >
> > > > > Yes, this helps. I tested with the following patch, but probably it can also
> > > > > be solved during frame allocation in optee?
> > > >
> > > > Great, thanks for confirming. Yes, we should fix that in the secure world.
> > >
> > > I've pushed an update to
> > > https://github.com/jenswi-linaro/optee_os/tree/rpmb_probe
> >
> > Thanks for taking care. I applied the additional patch
> >
> > https://github.com/OP-TEE/optee_os/commit/cdbe8d149f1eed62bc8ef9137d208858bb7691d8.patch
> >
> > to optee_os and removed the kmalloc dynalloc hack mentioned before from the
> > kernel.
> >
> > The issue persists, please see below.
> 
> So it's not the alignment that is the problem. We need to understand
> this problem better before adding workarounds. If I'm not mistaken,
> alloc_pages_exact () and kmalloc() are supposed to provide DMAable
> memory. Could this be a symptom of some other error in your system?

It seems to be still the alignment problem. With a debug print
to print the address in the linux kernel alloc_helper:

+++ b/drivers/tee/optee/core.c
@@ -42,6 +42,7 @@ int optee_pool_op_alloc_helper(struct tee_shm_pool *pool, struct tee_shm *shm,
                return -ENOMEM;

        shm->paddr = virt_to_phys(shm->kaddr);
+       printk(KERN_ERR "%s: phys: %p virt: %p", __func__, shm->paddr, shm->kaddr);
        shm->size = nr_pages * PAGE_SIZE;

in optee_os:

--- a/core/tee/tee_rpmb_fs.c
+++ b/core/tee/tee_rpmb_fs.c
@@ -438,6 +438,7 @@ static TEE_Result tee_rpmb_alloc(size_t req_size, size_t resp_size,

        *req = mobj_get_va(mem->mobj, 0, req_s);
        *resp = mobj_get_va(mem->mobj, req_s, resp_s);
+       EMSG("RPMB req: %p resp: %p", *req, *resp);


and in the kernel if PAGE_ALIGNED is not true in mmc frame routing:


@@ -2801,9 +2803,24 @@ static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
        idata->ic.blksz = sizeof(struct rpmb_frame);
        idata->ic.blocks = buf_bytes /  idata->ic.blksz;
        idata->buf = buf;
+       if (!PAGE_ALIGNED(idata->buf)) {
+           printk(KERN_ERR "RPMB FRAME IS NOT PAGE ALIGNED: %p", idata->buf);
+       }


it looks strange to me:

[   20.976798] optee_pool_op_alloc_helper: phys: 000000006e87bb2a virt: 00000000c90be80d
E/TC:? 0 tee_rpmb_alloc:441 RPMB req: 0xbbe01000 resp: 0xbbe02000
[   20.983028] RPMB FRAME IS NOT PAGE ALIGNED: 000000000160f4bd

I will try to understand what is going on..

Thanks,
Manuel

> > E/TC:? 0
> > E/TC:? 0 TA panicked with code 0xffff0006
> > [   18.661761] mmc0: Timeout waiting for hardware interrupt.
> > [   18.661776] mmc0: sdhci: ============ SDHCI REGISTER DUMP ===========
> > E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
> > E/LD:   arch: arm
> > E/LD:  region  0: va 0x40005000 pa 0xbe81b000 size 0x002000 flags rw-s (ldelf)
> > E/LD:  region  1: va 0x40007000 pa 0xbe81d000 size 0x008000 flags r-xs (ldelf)
> > E/LD:  region  2: va 0x4000f000 pa 0xbe825000 size 0x001000 flags rw-s (ldelf)
> > E/LD:  region  3: va 0x40010000 pa 0xbe826000 size 0x004000 flags rw-s (ldelf)
> > E/LD:  region  4: va 0x40014000 pa 0xbe82a000 size 0x001000 flags r--s
> > E/LD:  region  5: va 0x40015000 pa 0xbe88b000 size 0x011000 flags rw-s (stack)
> > E/LD:  region  6: va 0x40026000 pa 0x534f8000 size 0x002000 flags rw-- (param)
> > E/LD:  region  7: va 0x40035000 pa 0x00001000 size 0x042000 flags r-xs [0]
> > E/LD:  region  8: va 0x40077000 pa 0x00043000 size 0x01e000 flags rw-s [0]
> > E/LD:   [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x40035000
> > E/LD:  Call stack:
> > E/LD:   0x40064d48
> > E/LD:   0x40060c17
> > E/LD:   0x40037d81
> > E/LD:   0x40038223
> > E/LD:   0x4004d343
> > E/LD:   0x4005d52d
> > E/LD:   0x4003885f
> > E/LD:   0x40064cd9
> > E/LD:   0x4006a8a3
> > E/LD:   0x4005d68c
> > [   18.661782] mmc0: sdhci: Sys addr:  0x00000008 | Version:  0x00000002
> > [   18.661790] mmc0: sdhci: Blk size:  0x00000200 | Blk cnt:  0x00000006
> > [   18.661796] mmc0: sdhci: Argument:  0x00000000 | Trn mode: 0x0000003b
> > [   18.661802] mmc0: sdhci: Present:   0x01088a8e | Host ctl: 0x00000031
> > [   18.661808] mmc0: sdhci: Power:     0x00000002 | Blk gap:  0x00000080
> > [   18.661814] mmc0: sdhci: Wake-up:   0x00000008 | Clock:    0x0000000f
> > [   18.661820] mmc0: sdhci: Timeout:   0x0000008f | Int stat: 0x00000000
> > [   18.661825] mmc0: sdhci: Int enab:  0x117f100b | Sig enab: 0x117f100b
> > [   18.661831] mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000502
> > [   18.661837] mmc0: sdhci: Caps:      0x07eb0000 | Caps_1:   0x0000b407
> > [   18.661842] mmc0: sdhci: Cmd:       0x0000123a | Max curr: 0x00ffffff
> > [   18.661848] mmc0: sdhci: Resp[0]:   0x00000900 | Resp[1]:  0xffffffff
> > [   18.661856] mmc0: sdhci: Resp[2]:   0x328f5903 | Resp[3]:  0x00000900
> > [   18.661862] mmc0: sdhci: Host ctl2: 0x00000008
> > [   18.661868] mmc0: sdhci: ADMA Err:  0x00000007 | ADMA Ptr: 0x412c0200
> > [   18.661874] mmc0: sdhci-esdhc-imx: ========= ESDHC IMX DEBUG STATUS DUMP =========
> > [   18.661879] mmc0: sdhci-esdhc-imx: cmd debug status:  0x2120
> > [   18.661885] mmc0: sdhci-esdhc-imx: data debug status:  0x22d0
> > [   18.661893] mmc0: sdhci-esdhc-imx: trans debug status:  0x23c0
> > [   18.661900] mmc0: sdhci-esdhc-imx: dma debug status:  0x2400
> > [   18.661907] mmc0: sdhci-esdhc-imx: adma debug status:  0x25b4
> > [   18.661915] mmc0: sdhci-esdhc-imx: fifo debug status:  0x2650
> > [   18.661922] mmc0: sdhci-esdhc-imx: async fifo debug status:  0x2760
> > [   18.661929] mmc0: sdhci: ============================================
> > [   18.662615] sdhci-esdhc-imx 30b40000.mmc: __mmc_blk_ioctl_cmd: data error -110
> > [   18.772374] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> > [   18.772393] tpm tpm0: tpm_try_transmit: send(): error -53212
> > [   18.772447] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
> > [   18.772455] tpm tpm0: tpm_try_transmit: send(): error -53212
> > [   18.772465] ftpm-tee tpm: ftpm_tee_probe: tpm_chip_register failed with rc=-53212
> > [   18.772545] ftpm-tee: probe of tpm failed with error -53212
> > [   19.430011] caam_jr 30902000.jr: 20000254: CCB: desc idx 2: RNG: Not instantiated
> > [   28.901794] mmc0: Timeout waiting for hardware interrupt.
> > [  *** ] (1 of 2) Job dev-tpmrm0.device/start running (37s / 1min 30s)
> > [ ***  ] (2 of 2) Job dev-tpm0.device/start running (47s / 1min 30s)
> > [ ***  ] (2 of 2) Job dev-tpm0.device/start
> >
>
Jens Wiklander May 7, 2024, 9:21 a.m. UTC | #12
On Mon, Apr 29, 2024 at 9:36 PM Avri Altman <Avri.Altman@wdc.com> wrote:
>
> > > > >
> > > > > Is it possible that idata->buf is not DMA capable? Any other ideas?
> > > >
> > > > Thanks for testing. I don't know, the idata->buf is allocated using
> > > > alloc_pages_exact(nr_pages * PAGE_SIZE, GFP_KERNEL | __GFP_ZERO); in
> > > > optee_pool_op_alloc_helper().
> > >
> > > Is this really true for idata->buf or isnt the complete RPMB frame
> > > memory allocated like this and therefore idata->buf not page aligned?
> >
> > You're right.
> Maybe add an assert of PAGE_ALIGNED(idata->buf)?

That might be a bit much. It turned out that there was a 2-byte
alignment causing the trouble. I don't know exactly what's needed, but
the amount used by kmalloc() by default is good.

Cheers,
Jens

>
> Thanks,
> Avri
>
> >
> > >
> > > For RPMB via tee-supplicant the idata->buf is allocated within
> > > memdup_user and therefore page aligned.
> >
> > Yes, that's a difference. Have you tested with page-aligned buffers to see if it
> > helps?
diff mbox series

Patch

diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
index 32d49100dff5..a7f126fbc605 100644
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -33,6 +33,7 @@ 
 #include <linux/cdev.h>
 #include <linux/mutex.h>
 #include <linux/scatterlist.h>
+#include <linux/string.h>
 #include <linux/string_helpers.h>
 #include <linux/delay.h>
 #include <linux/capability.h>
@@ -40,6 +41,7 @@ 
 #include <linux/pm_runtime.h>
 #include <linux/idr.h>
 #include <linux/debugfs.h>
+#include <linux/rpmb.h>
 
 #include <linux/mmc/ioctl.h>
 #include <linux/mmc/card.h>
@@ -76,6 +78,48 @@  MODULE_ALIAS("mmc:block");
 #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
 #define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
 
+/**
+ * struct rpmb_frame - rpmb frame as defined by eMMC 5.1 (JESD84-B51)
+ *
+ * @stuff        : stuff bytes
+ * @key_mac      : The authentication key or the message authentication
+ *                 code (MAC) depending on the request/response type.
+ *                 The MAC will be delivered in the last (or the only)
+ *                 block of data.
+ * @data         : Data to be written or read by signed access.
+ * @nonce        : Random number generated by the host for the requests
+ *                 and copied to the response by the RPMB engine.
+ * @write_counter: Counter value for the total amount of the successful
+ *                 authenticated data write requests made by the host.
+ * @addr         : Address of the data to be programmed to or read
+ *                 from the RPMB. Address is the serial number of
+ *                 the accessed block (half sector 256B).
+ * @block_count  : Number of blocks (half sectors, 256B) requested to be
+ *                 read/programmed.
+ * @result       : Includes information about the status of the write counter
+ *                 (valid, expired) and result of the access made to the RPMB.
+ * @req_resp     : Defines the type of request and response to/from the memory.
+ *
+ * The stuff bytes and big-endian properties are modeled to fit to the spec.
+ */
+struct rpmb_frame {
+	u8     stuff[196];
+	u8     key_mac[32];
+	u8     data[256];
+	u8     nonce[16];
+	__be32 write_counter;
+	__be16 addr;
+	__be16 block_count;
+	__be16 result;
+	__be16 req_resp;
+} __packed;
+
+#define RPMB_PROGRAM_KEY       0x1    /* Program RPMB Authentication Key */
+#define RPMB_GET_WRITE_COUNTER 0x2    /* Read RPMB write counter */
+#define RPMB_WRITE_DATA        0x3    /* Write data to RPMB partition */
+#define RPMB_READ_DATA         0x4    /* Read data from RPMB partition */
+#define RPMB_RESULT_READ       0x5    /* Read result request  (Internal) */
+
 static DEFINE_MUTEX(block_mutex);
 
 /*
@@ -163,6 +207,7 @@  struct mmc_rpmb_data {
 	int id;
 	unsigned int part_index;
 	struct mmc_blk_data *md;
+	struct rpmb_dev *rdev;
 	struct list_head node;
 };
 
@@ -2672,7 +2717,6 @@  static int mmc_rpmb_chrdev_open(struct inode *inode, struct file *filp)
 
 	get_device(&rpmb->dev);
 	filp->private_data = rpmb;
-	mmc_blk_get(rpmb->md->disk);
 
 	return nonseekable_open(inode, filp);
 }
@@ -2682,7 +2726,6 @@  static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
 	struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
 						  struct mmc_rpmb_data, chrdev);
 
-	mmc_blk_put(rpmb->md);
 	put_device(&rpmb->dev);
 
 	return 0;
@@ -2703,10 +2746,165 @@  static void mmc_blk_rpmb_device_release(struct device *dev)
 {
 	struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
 
+	rpmb_dev_unregister(rpmb->rdev);
+	mmc_blk_put(rpmb->md);
 	ida_simple_remove(&mmc_rpmb_ida, rpmb->id);
 	kfree(rpmb);
 }
 
+static void free_idata(struct mmc_blk_ioc_data **idata, unsigned int cmd_count)
+{
+	unsigned int n;
+
+	for (n = 0; n < cmd_count; n++)
+		kfree(idata[n]);
+	kfree(idata);
+}
+
+static struct mmc_blk_ioc_data **alloc_idata(struct mmc_rpmb_data *rpmb,
+					     unsigned int cmd_count)
+{
+	struct mmc_blk_ioc_data **idata;
+	unsigned int n;
+
+	idata = kcalloc(cmd_count, sizeof(*idata), GFP_KERNEL);
+	if (!idata)
+		return NULL;
+
+	for (n = 0; n < cmd_count; n++) {
+		idata[n] = kcalloc(1, sizeof(**idata), GFP_KERNEL);
+		if (!idata[n]) {
+			free_idata(idata, n);
+			return NULL;
+		}
+		idata[n]->rpmb = rpmb;
+	}
+
+	return idata;
+}
+
+static void set_idata(struct mmc_blk_ioc_data *idata, u32 opcode,
+		      int write_flag, u8 *buf, unsigned int buf_bytes)
+{
+	/*
+	 * The size of an RPMB frame must match what's expected by the
+	 * hardware.
+	 */
+	BUILD_BUG_ON(sizeof(struct rpmb_frame) != 512);
+
+	idata->ic.opcode = opcode;
+	idata->ic.flags = MMC_RSP_R1 | MMC_CMD_ADTC;
+	idata->ic.write_flag = write_flag;
+	idata->ic.blksz = sizeof(struct rpmb_frame);
+	idata->ic.blocks = buf_bytes /  idata->ic.blksz;
+	idata->buf = buf;
+	idata->buf_bytes = buf_bytes;
+}
+
+static int mmc_route_rpmb_frames(struct device *dev, u8 *req,
+				 unsigned int req_len, u8 *resp,
+				 unsigned int resp_len)
+{
+	struct rpmb_frame *frm = (struct rpmb_frame *)req;
+	struct mmc_rpmb_data *rpmb = dev_get_drvdata(dev);
+	struct mmc_blk_data *md = rpmb->md;
+	struct mmc_blk_ioc_data **idata;
+	struct mmc_queue_req *mq_rq;
+	unsigned int cmd_count;
+	struct request *rq;
+	u16 req_type;
+	bool write;
+	int ret;
+
+	if (IS_ERR(md->queue.card))
+		return PTR_ERR(md->queue.card);
+
+	if (req_len < sizeof(*frm))
+		return -EINVAL;
+
+	req_type = be16_to_cpu(frm->req_resp);
+	switch (req_type) {
+	case RPMB_PROGRAM_KEY:
+		if (req_len != sizeof(struct rpmb_frame) ||
+		    resp_len != sizeof(struct rpmb_frame))
+			return -EINVAL;
+		write = true;
+		break;
+	case RPMB_GET_WRITE_COUNTER:
+		if (req_len != sizeof(struct rpmb_frame) ||
+		    resp_len != sizeof(struct rpmb_frame))
+			return -EINVAL;
+		write = false;
+		break;
+	case RPMB_WRITE_DATA:
+		if (req_len % sizeof(struct rpmb_frame) ||
+		    resp_len != sizeof(struct rpmb_frame))
+			return -EINVAL;
+		write = true;
+		break;
+	case RPMB_READ_DATA:
+		if (req_len != sizeof(struct rpmb_frame) ||
+		    resp_len % sizeof(struct rpmb_frame))
+			return -EINVAL;
+		write = false;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	if (write)
+		cmd_count = 3;
+	else
+		cmd_count = 2;
+
+	idata = alloc_idata(rpmb, cmd_count);
+	if (!idata)
+		return -ENOMEM;
+
+	if (write) {
+		struct rpmb_frame *frm = (struct rpmb_frame *)resp;
+
+		/* Send write request frame(s) */
+		set_idata(idata[0], MMC_WRITE_MULTIPLE_BLOCK,
+			  1 | MMC_CMD23_ARG_REL_WR, req, req_len);
+
+		/* Send result request frame */
+		memset(frm, 0, sizeof(*frm));
+		frm->req_resp = cpu_to_be16(RPMB_RESULT_READ);
+		set_idata(idata[1], MMC_WRITE_MULTIPLE_BLOCK, 1, resp,
+			  resp_len);
+
+		/* Read response frame */
+		set_idata(idata[2], MMC_READ_MULTIPLE_BLOCK, 0, resp, resp_len);
+	} else {
+		/* Send write request frame(s) */
+		set_idata(idata[0], MMC_WRITE_MULTIPLE_BLOCK, 1, req, req_len);
+
+		/* Read response frame */
+		set_idata(idata[1], MMC_READ_MULTIPLE_BLOCK, 0, resp, resp_len);
+	}
+
+	rq = blk_mq_alloc_request(md->queue.queue, REQ_OP_DRV_OUT, 0);
+	if (IS_ERR(rq)) {
+		ret = PTR_ERR(rq);
+		goto out;
+	}
+
+	mq_rq = req_to_mmc_queue_req(rq);
+	mq_rq->drv_op = MMC_DRV_OP_IOCTL_RPMB;
+	mq_rq->drv_op_result = -EIO;
+	mq_rq->drv_op_data = idata;
+	mq_rq->ioc_count = cmd_count;
+	blk_execute_rq(rq, false);
+	ret = req_to_mmc_queue_req(rq)->drv_op_result;
+
+	blk_mq_free_request(rq);
+
+out:
+	free_idata(idata, cmd_count);
+	return ret;
+}
+
 static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
 				   struct mmc_blk_data *md,
 				   unsigned int part_index,
@@ -2741,6 +2939,7 @@  static int mmc_blk_alloc_rpmb_part(struct mmc_card *card,
 	rpmb->dev.release = mmc_blk_rpmb_device_release;
 	device_initialize(&rpmb->dev);
 	dev_set_drvdata(&rpmb->dev, rpmb);
+	mmc_blk_get(md->disk);
 	rpmb->md = md;
 
 	cdev_init(&rpmb->chrdev, &mmc_rpmb_fileops);
@@ -3002,6 +3201,42 @@  static void mmc_blk_remove_debugfs(struct mmc_card *card,
 
 #endif /* CONFIG_DEBUG_FS */
 
+static void mmc_blk_rpmb_add(struct mmc_card *card)
+{
+	struct mmc_blk_data *md = dev_get_drvdata(&card->dev);
+	struct mmc_rpmb_data *rpmb;
+	struct rpmb_dev *rdev;
+	unsigned int n;
+	u32 cid[4];
+	struct rpmb_descr descr = {
+		.type = RPMB_TYPE_EMMC,
+		.route_frames = mmc_route_rpmb_frames,
+		.reliable_wr_count = card->ext_csd.enhanced_rpmb_supported ?
+				     2 : 32,
+		.capacity = card->ext_csd.raw_rpmb_size_mult,
+		.dev_id = (void *)cid,
+		.dev_id_len = sizeof(cid),
+	};
+
+	/*
+	 * Provice CID as an octet array. The CID needs to be interpreted
+	 * when used as input to derive the RPMB key since some fields
+	 * will change due to firmware updates.
+	 */
+	for (n = 0; n < 4; n++)
+		cid[n] = be32_to_cpu(card->raw_cid[n]);
+
+	list_for_each_entry(rpmb, &md->rpmbs, node) {
+		rdev = rpmb_dev_register(&rpmb->dev, &descr);
+		if (IS_ERR(rdev)) {
+			pr_warn("%s: could not register RPMB device\n",
+				dev_name(&rpmb->dev));
+			continue;
+		}
+		rpmb->rdev = rdev;
+	}
+}
+
 static int mmc_blk_probe(struct mmc_card *card)
 {
 	struct mmc_blk_data *md;
@@ -3047,6 +3282,8 @@  static int mmc_blk_probe(struct mmc_card *card)
 		pm_runtime_enable(&card->dev);
 	}
 
+	mmc_blk_rpmb_add(card);
+
 	return 0;
 
 out: