Most Qualcomm platforms feature a proprietary hypervisor (such as Gunyah
or QHEE), which typically handles IOMMU configuration. This includes
mapping memory regions and device memory resources for remote processors
by intercepting qcom_scm_pas_auth_and_reset() calls. These mappings are
later removed during teardown. Additionally, SHM bridge setup is
required to enable memory protection for both remoteproc metadata and
its memory regions.
When the aforementioned hypervisor is absent, the operating system must
perform these configurations instead.
When Linux runs as the hypervisor (at EL2) on a SoC, it will have its
own device tree overlay file that specifies the firmware stream ID now
managed by Linux for a particular remote processor. If the iommus
property is specified in the remoteproc device tree node, it indicates
that IOMMU configuration must be handled by Linux. In this case, the
has_iommu flag is set for the remote processor, which ensures that the
resource table, carveouts, and SHM bridge are properly configured before
memory is passed to TrustZone for authentication. Otherwise, the
has_iommu flag remains unset, which is the default behavior.
Enables Secure PAS support for remote processors when IOMMU configuration
is managed by Linux.
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
drivers/remoteproc/qcom_q6v5_pas.c | 63 +++++++++++++++++++++++++++---
1 file changed, 57 insertions(+), 6 deletions(-)
diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
index 1e0f09bf1ef2..180528bcd57c 100644
--- a/drivers/remoteproc/qcom_q6v5_pas.c
+++ b/drivers/remoteproc/qcom_q6v5_pas.c
@@ -11,6 +11,7 @@
#include <linux/delay.h>
#include <linux/firmware.h>
#include <linux/interrupt.h>
+#include <linux/iommu.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/of.h>
@@ -250,6 +251,22 @@ static int qcom_pas_load(struct rproc *rproc, const struct firmware *fw)
return ret;
}
+static void qcom_pas_unmap_carveout(struct rproc *rproc, phys_addr_t mem_phys, size_t size)
+{
+ if (rproc->has_iommu)
+ iommu_unmap(rproc->domain, mem_phys, size);
+}
+
+static int qcom_pas_map_carveout(struct rproc *rproc, phys_addr_t mem_phys, size_t size)
+{
+ int ret = 0;
+
+ if (rproc->has_iommu)
+ ret = iommu_map(rproc->domain, mem_phys, mem_phys, size,
+ IOMMU_READ | IOMMU_WRITE, GFP_KERNEL);
+ return ret;
+}
+
static int qcom_pas_start(struct rproc *rproc)
{
struct qcom_pas *pas = rproc->priv;
@@ -284,11 +301,15 @@ static int qcom_pas_start(struct rproc *rproc)
}
if (pas->dtb_pas_id) {
- ret = qcom_scm_pas_auth_and_reset(pas->dtb_pas_id);
+ ret = qcom_pas_map_carveout(rproc, pas->dtb_mem_phys, pas->dtb_mem_size);
+ if (ret)
+ goto disable_px_supply;
+
+ ret = qcom_scm_pas_prepare_and_auth_reset(pas->dtb_pas_ctx);
if (ret) {
dev_err(pas->dev,
"failed to authenticate dtb image and release reset\n");
- goto disable_px_supply;
+ goto unmap_dtb_carveout;
}
}
@@ -299,18 +320,22 @@ static int qcom_pas_start(struct rproc *rproc)
qcom_pil_info_store(pas->info_name, pas->mem_phys, pas->mem_size);
- ret = qcom_scm_pas_auth_and_reset(pas->pas_id);
+ ret = qcom_pas_map_carveout(rproc, pas->mem_phys, pas->mem_size);
+ if (ret)
+ goto release_pas_metadata;
+
+ ret = qcom_scm_pas_prepare_and_auth_reset(pas->pas_ctx);
if (ret) {
dev_err(pas->dev,
"failed to authenticate image and release reset\n");
- goto release_pas_metadata;
+ goto unmap_carveout;
}
ret = qcom_q6v5_wait_for_start(&pas->q6v5, msecs_to_jiffies(5000));
if (ret == -ETIMEDOUT) {
dev_err(pas->dev, "start timed out\n");
qcom_scm_pas_shutdown(pas->pas_id);
- goto release_pas_metadata;
+ goto unmap_carveout;
}
qcom_scm_pas_metadata_release(pas->pas_ctx);
@@ -322,10 +347,16 @@ static int qcom_pas_start(struct rproc *rproc)
return 0;
+unmap_carveout:
+ qcom_pas_unmap_carveout(rproc, pas->mem_phys, pas->mem_size);
release_pas_metadata:
qcom_scm_pas_metadata_release(pas->pas_ctx);
if (pas->dtb_pas_id)
qcom_scm_pas_metadata_release(pas->dtb_pas_ctx);
+
+unmap_dtb_carveout:
+ if (pas->dtb_pas_id)
+ qcom_pas_unmap_carveout(rproc, pas->dtb_mem_phys, pas->dtb_mem_size);
disable_px_supply:
if (pas->px_supply)
regulator_disable(pas->px_supply);
@@ -381,8 +412,12 @@ static int qcom_pas_stop(struct rproc *rproc)
ret = qcom_scm_pas_shutdown(pas->dtb_pas_id);
if (ret)
dev_err(pas->dev, "failed to shutdown dtb: %d\n", ret);
+
+ qcom_pas_unmap_carveout(rproc, pas->dtb_mem_phys, pas->dtb_mem_size);
}
+ qcom_pas_unmap_carveout(rproc, pas->mem_phys, pas->mem_size);
+
handover = qcom_q6v5_unprepare(&pas->q6v5);
if (handover)
qcom_pas_handover(&pas->q6v5);
@@ -424,7 +459,8 @@ static int qcom_pas_parse_firmware(struct rproc *rproc, const struct firmware *f
if (!rproc->has_iommu)
return ret;
- ret = qcom_scm_pas_get_rsc_table(pas->pas_id, NULL, 0, &output_rt, &output_rt_size);
+ ret = qcom_scm_pas_get_rsc_table(pas->pas_ctx, NULL, 0,
+ &output_rt, &output_rt_size);
if (ret) {
dev_err(pas->dev, "error %d getting resource_table\n", ret);
return ret;
@@ -726,6 +762,20 @@ static int qcom_pas_probe(struct platform_device *pdev)
return -ENOMEM;
}
+ if (of_property_present(pdev->dev.of_node, "iommus")) {
+ struct of_phandle_args args;
+
+ ret = of_parse_phandle_with_args(pdev->dev.of_node, "iommus",
+ "#iommu-cells", 0, &args);
+ if (ret < 0)
+ return ret;
+
+ rproc->has_iommu = true;
+ of_node_put(args.np);
+ } else {
+ rproc->has_iommu = false;
+ }
+
rproc->auto_boot = desc->auto_boot;
rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
@@ -800,6 +850,7 @@ static int qcom_pas_probe(struct platform_device *pdev)
if (!pas->dtb_pas_ctx)
goto remove_ssr_sysmon;
+ pas->pas_ctx->has_iommu = pas->dtb_pas_ctx->has_iommu = rproc->has_iommu;
ret = rproc_add(rproc);
if (ret)
goto remove_ssr_sysmon;
--
2.50.1On Tue, Aug 19, 2025 at 10:24:45PM +0530, Mukesh Ojha wrote:
> Most Qualcomm platforms feature a proprietary hypervisor (such as Gunyah
> or QHEE), which typically handles IOMMU configuration. This includes
> mapping memory regions and device memory resources for remote processors
> by intercepting qcom_scm_pas_auth_and_reset() calls. These mappings are
> later removed during teardown. Additionally, SHM bridge setup is
> required to enable memory protection for both remoteproc metadata and
> its memory regions.
>
> When the aforementioned hypervisor is absent, the operating system must
> perform these configurations instead.
>
> When Linux runs as the hypervisor (at EL2) on a SoC, it will have its
> own device tree overlay file that specifies the firmware stream ID now
> managed by Linux for a particular remote processor. If the iommus
> property is specified in the remoteproc device tree node, it indicates
> that IOMMU configuration must be handled by Linux. In this case, the
> has_iommu flag is set for the remote processor, which ensures that the
> resource table, carveouts, and SHM bridge are properly configured before
> memory is passed to TrustZone for authentication. Otherwise, the
> has_iommu flag remains unset, which is the default behavior.
>
> Enables Secure PAS support for remote processors when IOMMU configuration
> is managed by Linux.
>
> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
> ---
> drivers/remoteproc/qcom_q6v5_pas.c | 63 +++++++++++++++++++++++++++---
> 1 file changed, 57 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
> index 1e0f09bf1ef2..180528bcd57c 100644
> --- a/drivers/remoteproc/qcom_q6v5_pas.c
> +++ b/drivers/remoteproc/qcom_q6v5_pas.c
> [...]
> @@ -424,7 +459,8 @@ static int qcom_pas_parse_firmware(struct rproc *rproc, const struct firmware *f
> if (!rproc->has_iommu)
> return ret;
>
> - ret = qcom_scm_pas_get_rsc_table(pas->pas_id, NULL, 0, &output_rt, &output_rt_size);
> + ret = qcom_scm_pas_get_rsc_table(pas->pas_ctx, NULL, 0,
> + &output_rt, &output_rt_size);
Unrelated formatting change, should be in previous commit.
> if (ret) {
> dev_err(pas->dev, "error %d getting resource_table\n", ret);
> return ret;
> @@ -726,6 +762,20 @@ static int qcom_pas_probe(struct platform_device *pdev)
> return -ENOMEM;
> }
>
> + if (of_property_present(pdev->dev.of_node, "iommus")) {
I think you need a dt-bindings change for this? You had one in v1, but
dropped it entirely for some reason.
> + struct of_phandle_args args;
> +
> + ret = of_parse_phandle_with_args(pdev->dev.of_node, "iommus",
> + "#iommu-cells", 0, &args);
> + if (ret < 0)
> + return ret;
> +
> + rproc->has_iommu = true;
> + of_node_put(args.np);
> + } else {
> + rproc->has_iommu = false;
> + }
> +
> rproc->auto_boot = desc->auto_boot;
> rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
>
> @@ -800,6 +850,7 @@ static int qcom_pas_probe(struct platform_device *pdev)
> if (!pas->dtb_pas_ctx)
> goto remove_ssr_sysmon;
>
> + pas->pas_ctx->has_iommu = pas->dtb_pas_ctx->has_iommu = rproc->has_iommu;
Nitpick: I think this would look cleaner if you separate it into two
lines (only one assignment on each line).
Thanks,
Stephan
On Wed, Aug 20, 2025 at 10:40:25AM +0200, Stephan Gerhold wrote:
> On Tue, Aug 19, 2025 at 10:24:45PM +0530, Mukesh Ojha wrote:
> > Most Qualcomm platforms feature a proprietary hypervisor (such as Gunyah
> > or QHEE), which typically handles IOMMU configuration. This includes
> > mapping memory regions and device memory resources for remote processors
> > by intercepting qcom_scm_pas_auth_and_reset() calls. These mappings are
> > later removed during teardown. Additionally, SHM bridge setup is
> > required to enable memory protection for both remoteproc metadata and
> > its memory regions.
> >
> > When the aforementioned hypervisor is absent, the operating system must
> > perform these configurations instead.
> >
> > When Linux runs as the hypervisor (at EL2) on a SoC, it will have its
> > own device tree overlay file that specifies the firmware stream ID now
> > managed by Linux for a particular remote processor. If the iommus
> > property is specified in the remoteproc device tree node, it indicates
> > that IOMMU configuration must be handled by Linux. In this case, the
> > has_iommu flag is set for the remote processor, which ensures that the
> > resource table, carveouts, and SHM bridge are properly configured before
> > memory is passed to TrustZone for authentication. Otherwise, the
> > has_iommu flag remains unset, which is the default behavior.
> >
> > Enables Secure PAS support for remote processors when IOMMU configuration
> > is managed by Linux.
> >
> > Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
> > ---
> > drivers/remoteproc/qcom_q6v5_pas.c | 63 +++++++++++++++++++++++++++---
> > 1 file changed, 57 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
> > index 1e0f09bf1ef2..180528bcd57c 100644
> > --- a/drivers/remoteproc/qcom_q6v5_pas.c
> > +++ b/drivers/remoteproc/qcom_q6v5_pas.c
> > [...]
> > @@ -424,7 +459,8 @@ static int qcom_pas_parse_firmware(struct rproc *rproc, const struct firmware *f
> > if (!rproc->has_iommu)
> > return ret;
> >
> > - ret = qcom_scm_pas_get_rsc_table(pas->pas_id, NULL, 0, &output_rt, &output_rt_size);
> > + ret = qcom_scm_pas_get_rsc_table(pas->pas_ctx, NULL, 0,
> > + &output_rt, &output_rt_size);
>
> Unrelated formatting change, should be in previous commit.
Ack, will fix.
>
> > if (ret) {
> > dev_err(pas->dev, "error %d getting resource_table\n", ret);
> > return ret;
> > @@ -726,6 +762,20 @@ static int qcom_pas_probe(struct platform_device *pdev)
> > return -ENOMEM;
> > }
> >
> > + if (of_property_present(pdev->dev.of_node, "iommus")) {
>
> I think you need a dt-bindings change for this? You had one in v1, but
> dropped it entirely for some reason.
I missed to mentioned it in changelog.
As I said in another patch, I intended to send it separately however,
will send it along with this series in the next version.
>
> > + struct of_phandle_args args;
> > +
> > + ret = of_parse_phandle_with_args(pdev->dev.of_node, "iommus",
> > + "#iommu-cells", 0, &args);
> > + if (ret < 0)
> > + return ret;
> > +
> > + rproc->has_iommu = true;
> > + of_node_put(args.np);
> > + } else {
> > + rproc->has_iommu = false;
> > + }
> > +
> > rproc->auto_boot = desc->auto_boot;
> > rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
> >
> > @@ -800,6 +850,7 @@ static int qcom_pas_probe(struct platform_device *pdev)
> > if (!pas->dtb_pas_ctx)
> > goto remove_ssr_sysmon;
> >
> > + pas->pas_ctx->has_iommu = pas->dtb_pas_ctx->has_iommu = rproc->has_iommu;
>
> Nitpick: I think this would look cleaner if you separate it into two
> lines (only one assignment on each line).
>
Sure.
Thanks for the review.
> Thanks,
> Stephan
--
-Mukesh Ojha
© 2016 - 2025 Red Hat, Inc.