On Sun, Sep 21, 2025 at 11:23:41PM +0100, Bryan O'Donoghue wrote:
> On 20/09/2025 20:41, Mukesh Ojha wrote:
> > Qualcomm SoCs running with QHEE (Qualcomm Hypervisor Execution
> > Environment—a library present in the Gunyah hypervisor) utilize the
> > Peripheral Authentication Service (PAS) from TrustZone (TZ) firmware to
> > securely authenticate and reset remote processors via a sequence of SMC
> > calls such as qcom_scm_pas_init_image(), qcom_scm_pas_mem_setup(), and
> > qcom_scm_pas_auth_and_reset().
> >
> > For memory passed to Qualcomm TrustZone, it must either be part of a
> > pool registered with TZ or be directly registered via SHMbridge SMC
> > calls. When QHEE is present, PAS SMC calls from Linux running at EL1 are
> > trapped by QHEE (running at EL2), which then creates or retrieves memory
> > from the SHMbridge for both metadata and remoteproc carveout memory
> > before passing them to TZ. However, when the SoC runs with a
> > non-QHEE-based hypervisor, Linux must create the SHM bridge for both
> > metadata (before it is passed to TZ in qcom_scm_pas_init_image()) and
> > for remoteproc memory (before the call is made to TZ in
> > qcom_scm_pas_auth_and_reset()).
> >
> > For auth_and_reset() call, first it need to register remoteproc carveout
> > memory with TZ via SHMbridge SMC call and then it can trigger
> > auth_and_reset SMC call and once the call returns, remoteproc carveout
> > memory can be deregisterd with TZ.
> >
> > Add qcom_scm_pas_prepare_and_auth_reset() function which does prepare
> > the SHMbridge over carveout memory and call auth_and_reset SMC call.
> >
> > Signed-off-by: Mukesh Ojha <mukesh.o...@oss.qualcomm.com>
> > ---
> > drivers/firmware/qcom/qcom_scm.c | 46
> > ++++++++++++++++++++++++++++++++++
> > include/linux/firmware/qcom/qcom_scm.h | 2 ++
> > 2 files changed, 48 insertions(+)
> >
> > diff --git a/drivers/firmware/qcom/qcom_scm.c
> > b/drivers/firmware/qcom/qcom_scm.c
> > index 917341308873..7a86b27ea666 100644
> > --- a/drivers/firmware/qcom/qcom_scm.c
> > +++ b/drivers/firmware/qcom/qcom_scm.c
> > @@ -790,6 +790,52 @@ int qcom_scm_pas_auth_and_reset(u32 pas_id)
> > }
> > EXPORT_SYMBOL_GPL(qcom_scm_pas_auth_and_reset);
> >
> > +/**
> > + * qcom_scm_pas_prepare_and_auth_reset() - Prepare, authenticate, and
> > reset the remote processor
> > + *
> > + * @ctx: Context saved during call to qcom_scm_pas_ctx_init()
> > + *
> > + * This function performs the necessary steps to prepare a PAS subsystem,
> > + * authenticate it using the provided metadata, and initiate a reset
> > sequence.
> > + *
> > + * It should be used when Linux is in control setting up the IOMMU hardware
> > + * for remote subsystem during secure firmware loading processes. The
> > preparation
> > + * step sets up a shmbridge over the firmware memory before TrustZone
> > accesses the
> > + * firmware memory region for authentication. The authentication step
> > verifies
> > + * the integrity and authenticity of the firmware or configuration using
> > secure
> > + * metadata. Finally, the reset step ensures the subsystem starts in a
> > clean and
> > + * sane state.
> > + *
> > + * Return: 0 on success, negative errno on failure.
> > + */
> > +int qcom_scm_pas_prepare_and_auth_reset(struct qcom_scm_pas_ctx *ctx)
> > +{
> > + u64 handle;
> > + int ret;
> > +
> > + if (!ctx->has_iommu)
> > + return qcom_scm_pas_auth_and_reset(ctx->pas_id);
> > +
> > + /*
> > + * When Linux running at EL1, Gunyah(EL2) traps auth_and_reset call and
> > creates
> > + * shmbridge on remote subsystem memory region before it passes the
> > call to
> > + * TrustZone to authenticate it while when Linux runs at EL2, it needs
> > to create
> > + * shmbridge before this call goes to TrustZone.
> > + */
>
> "When Linux runs @ EL1 the Hypervision Gunyah running @ EL2 traps the
> auth_and_reset call(). Gunyah create an shmbridge on the remote subsystem
> memory and then invokes a call to TrustZone to authenticate. When Linux runs
> @ EL2 Linux must create the shmbridge itself and then subsequently invoke
> TrustZone itself."
>
> Please fix the commit log too.
Thanks.,
Will fix the typo Hypervision and fix the commit log.
>
> > + ret = qcom_tzmem_shm_bridge_create(ctx->mem_phys, ctx->mem_size,
> > &handle);
> > + if (ret) {
> > + dev_err(__scm->dev, "Failed to create shmbridge ret=%d %u\n",
> > + ret, ctx->pas_id);
> > + return ret;
> > + }
> > +
> > + ret = qcom_scm_pas_auth_and_reset(ctx->pas_id);
> > + qcom_tzmem_shm_bridge_delete(handle);
> > +
> > + return ret;
> > +}
> > +EXPORT_SYMBOL_GPL(qcom_scm_pas_prepare_and_auth_reset);
> > +
> > /**
> > * qcom_scm_pas_shutdown() - Shut down the remote processor
> > * @pas_id: peripheral authentication service id
> > diff --git a/include/linux/firmware/qcom/qcom_scm.h
> > b/include/linux/firmware/qcom/qcom_scm.h
> > index 9ca3218f0948..1774584ff5e3 100644
> > --- a/include/linux/firmware/qcom/qcom_scm.h
> > +++ b/include/linux/firmware/qcom/qcom_scm.h
> > @@ -78,6 +78,7 @@ struct qcom_scm_pas_ctx {
> > phys_addr_t mem_phys;
> > size_t mem_size;
> > struct qcom_scm_pas_metadata *metadata;
> > + bool has_iommu;
> > };
> >
> > void *qcom_scm_pas_ctx_init(struct device *dev, u32 pas_id, phys_addr_t
> > mem_phys,
> > @@ -90,6 +91,7 @@ int qcom_scm_pas_mem_setup(u32 pas_id, phys_addr_t addr,
> > phys_addr_t size);
> > int qcom_scm_pas_auth_and_reset(u32 pas_id);
> > int qcom_scm_pas_shutdown(u32 pas_id);
> > bool qcom_scm_pas_supported(u32 pas_id);
> > +int qcom_scm_pas_prepare_and_auth_reset(struct qcom_scm_pas_ctx *ctx);
> >
> > int qcom_scm_io_readl(phys_addr_t addr, unsigned int *val);
> > int qcom_scm_io_writel(phys_addr_t addr, unsigned int val);
> >
> > --
> > 2.50.1
> >
> >
>
> ---
> bod
--
-Mukesh Ojha
