tee_client_api: register user memory

[lorc]

This patch is the userspace part of dynamic shared memory in OP-TEE (refer to OP-TEE/optee_os#1232). This patch is authred by @jenswi-linaro, I just tidied it a bit and rebased on current master.

This patch utilizes new ioctl that allows client application to share any buffer with OP-TEE.

[etienne-lms]

why registering the shared memory to the optee secure world ?

[lorc]

@etienne-lms, Idea is not to use preshared pool. There are many reasons:

• Current carveout have size of 1M on some platforms. This can be not enough in some use cases.
• TEEC_RegisterSharedMemory() uses shadow buffer and copies data on every command invocation back and forth.
• Preshared pool is not compatible with virtualization, because there are no easy way to split pool between VMs.

If client can use part of own memory for shared buffers, than all issues above can be solved easily.
I'm proposing this changes mainly because I want to use OP-TEE in virtualized environment.

[etienne-lms]

ok, i see your idea. And it is true that many buffer parameters can be provided to TAs without copies to the current single physically contiguous 'non secure shared memory area'.

I wonder why nonsecure should register shared buffers to the secure side.

If non-secure wishes to check if a buffer is ok to be used as shared mem, then it's fine, but this is not mandatory and waste cpu cycles. Non-secure could simply invoke the secure side with the memref parameters.

On secure side, we don't care if non-secure presents a shared memory area as "non-secure". Secure side will simply verify the shared memory area conformance against TA memref permissions. And maps it accordingly.

As far a nonsecure handle shared memory allocation, it is nonsecure world responsibility to track these memref, not the secure side.

[jenswi-linaro]

For a one shot invocation it's more efficient to do as you say @etienne-lms, but then for a single invocation performance isn't as critical as there's so much else that eats CPU time, checking the RSA signature of the TA for instance.

If we make multiple invocations it quickly pays off to have the shared memory registered in advance as it's represented by a single handle instead of a long list of physical pages.

Another advantage with always using registered memory is that we then can get rid of yet another way of describing a chunk of memory.

[igoropaniuk]

@etienne-lms
As I understand (based on @lorc comments and code) it's just some way of extending of existing preshared pool, which used for bypassing GP params, but with ability to work with this shared memory in more generic way (comparing wth GP params). Purposes are almost the same + we can avoid some restrictions of GP specification(amount of params, param size restrictions), and, as @lorc mentioned, unnesessary copying back & forth.

And, speaking about my benchmarking task it's kind of a life saver. I can easily, with minimum amount of code changes, move to this SHM API instead of using GP params :)

[igoropaniuk]

Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>

[etienne-lms]

late feedback... nice indeed.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

[jbech-linaro]

Same here, late reply, all good. But I'd be nice to have our https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md#7-shared-memory updated to reflect the changes (and the current implementation).

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

[jforissier]

Hi @lorc, would you please rebase this patch on top of the current master branch and add the R-b tags so that I can pick it up?

[lorc]

@jforissier I planed to wait till corresponding patches to OP-TEE kernel and OP-TEE driver will be ready for merge. But, actually you are right. This patch can be merged at any time. It is rebased on current master now. Thanks.

[jforissier]

@lorc thanks for rebasing. Actually, I'm not sure I want to merge this immediately since it depends on PRs that are still pending in optee_os and the linux driver. I'd rather wait until all 3 PRs are reviewed. Sorry I didn't realize this when I wrote the above ;)

[lorc]

Hello. I have rebased it again. Also I have added new patch that makes supplicant to register own memory instead of allocating it thru SHM pool.

[etienne-lms]

1 main potential issue to crosscheck: closing a fd on a

minor: typo in the commit message of the 2nd commit:
-If OP-TEE and kernel supports registereted shared memory
+If OP-TEE and kernel support registered shared memory

[etienne-lms]

this should also close(shm->fd);

[etienne-lms]

minor: useless init

[jenswi-linaro]

Wouldn't it be possible to rely on ctx->reg_mem instead?

[lorc]

@jenswi-linaro I'm not sure that I understood you. ctx->reg_mem is a kernel thing, isn't it?

[jenswi-linaro]

Sorry is was confusing this with how we use TEEC_Context in libteec.

Using global variables should in general be avoided, this gen_caps should be stored together with the file descriptor as gen_caps is holds information specific for this file descriptor.

[lorc]

@jenswi-linaro, I want ask you about interface between optee client and kernel driver.
Currently we have TEE_IOC_SHM_ALLOC, then I have added TEE_IOC_SHM_REGISTER. Now I want to share tmem buffers. And there are two ways. I can add TEE_IOC_SHM_ADD_TMEM_BUF or:
I can rename TEE_IOC_SHM_REGISTER to TEE_IOC_SHM_ADD and use flags to select desired operation: either register shared buffer in OP-TEE core, or register it in tee framework as a temporary buffer. Which way do you prefer?

[jenswi-linaro]

So the difference between TEE_IOC_SHM_REGISTER and TEE_IOC_SHM_ADD_TMEM_BUF is that the latter is not registered in secure world and has to be represented as tmem when invoking for instance?

Why would we need TEE_IOC_SHM_ADD_TMEM_BUF? To me it seems like something user space shouldn't need to worry about.

[lorc]

So the difference between TEE_IOC_SHM_REGISTER and TEE_IOC_SHM_ADD_TMEM_BUF is that the latter is not registered in secure world and has to be represented as tmem when invoking for instance?

Exactly.

Why would we need TEE_IOC_SHM_ADD_TMEM_BUF? To me it seems like something user space shouldn't need to worry about.

Because current userspace<->kernelspace interface for TA parameter passing uses shm_id for memory references. My idea is to call TEE_IOC_SHM_ADD_TMEM_BUF to obtain shm_id. Another approach is to add new type for struct tee_ioctl_param.attr. Something like TEE_IOCTL_PARAM_ATTR_TYPE_TMPMEMREF_*

[jenswi-linaro]

Why do we need a way for userspace to control if buffers passed to secure world are registered in secure world or not?

[lorc]

A Shared Memory block can be registered or allocated once and then used in multiple Commands, and even in multiple Sessions, provided they exist within the scope of the TEE Context in which the Shared Memory was created. This pre-registration is typically more efficient than registering a block of memory using temporary registration if that memory buffer is used in more than one Command invocation.

I thought that TEEC_RegisterSharedMemory() and TEEC_AllocateSharedMemory() will register buffers in secure world (by using OPTEE_MSG_CMD_REGISTER_SHM SMC), while temporary memory buffers will not be registered and will be passed as list of pages every time TA function is invoked.

[jenswi-linaro]

OK, if I understand it correctly it's something that doesn't need to be done now.

It sounds like some optimization that could be useful but we need to know that it's actually is needed before we do something about it as it complicates things further a tiny bit. But we should right now make sure that if we choose to implement this later that the current ABI can be easily extended to deal with it. The flags field in struct tee_ioctl_shm_register_data seems suitable for this.

[lorc]

Ah, I see. Yes. You can think about this as an optimization. It needs extensions in tee core and in client library, but it is not necessary right now. So yes, we actually can postpone this for now.

I have tested ABI between NW and SW and it supports this use-case. I can share my patches for client library, kernel driver and xtest if you also want to test it.

[jenswi-linaro]

Right now I'd like to focus on getting the current stuff in place.
Once that's in place I'd be very interested in taking a look and test it.

[etienne-lms]

2 minor comments

[etienne-lms]

s/tee_shm_register_data/tee_ioctl_shm_register_data/

[etienne-lms]

minor: move after stdbool.h. Can you fix order of these #include <stXXX.h>.

[lorc]

Hello.

I rebased this PR onto current master. There was conflicts in #include part of the files. So I have moved #include <stdbool.h> into public header during conflict resolving. You might want to review this. I can't make this change as [review] patch, because it is product of conflict resolution during rebase.

Also I have addressed @jenswi-linaro's comment regarding global gen_caps variable in supplicant code. It is in the separate patch.

[jenswi-linaro]

With or without my comment addressed
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

[jenswi-linaro]

No need to normalize the bool explicitly as the compiler already is required to do that.

[lorc]

Pushed fix for !!(), also added Jens's R-b tag.

[etienne-lms]

some more...
r-b applies anyway...

[etienne-lms]

as you are so patient, would you mind adding a tabulation before these comments.

[lorc]

I'll do this in a separate patch, okay?

[etienne-lms]

as you like. (sorry to ask you to :)

[etienne-lms]

minor: remove argument

[etienne-lms]

minor: remove {/} ?

[lorc]

Addressed @etienne-lms's comments. Added separate patch that fixes comments in tee.h

BTW, I'm sorry that my English is far from perfect. Feel free to correct me, especially if my mistakes are terrible :)

[etienne-lms]

Same with me, so do not hesitate to contradict/correct me.

[etienne-lms]

r-b on the whole.

[lorc]

Thanks, @etienne-lms. I have squashed all fixes and added your r-b tag.
@jenswi-linaro, there is a new patch. It changes only comments/formatting. Probably, you want take a look. Or I can put it in a separate PR, to finish this faster :)

[jenswi-linaro]

Later is fine with me a least.

[lorc]

Okay, so I dropped this patch for now. Will push it as a separate PR after this one will be merged.