Qualcomm TEE (QTEE) hosts Trusted Applications (TAs) and services in
the secure world, accessed via objects. A QTEE client can invoke these
objects to request services. Similarly, QTEE can request services from
the nonsecure world using objects exported to the secure world.
Add low-level primitives to facilitate the invocation of objects hosted
in QTEE, as well as those hosted in the nonsecure world.
If support for object invocation is available, the qcom_scm allocates
a dedicated child platform device. The driver for this device communicates
with QTEE using low-level primitives.
Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
Tested-by: Harshal Dev <quic_hdev@quicinc.com>
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
---
drivers/firmware/qcom/qcom_scm.c | 134 +++++++++++++++++++++++++++++++++
drivers/firmware/qcom/qcom_scm.h | 7 ++
include/linux/firmware/qcom/qcom_scm.h | 6 ++
3 files changed, 147 insertions(+)
diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
index edeae6cdcf31..65142fd31118 100644
--- a/drivers/firmware/qcom/qcom_scm.c
+++ b/drivers/firmware/qcom/qcom_scm.c
@@ -2094,6 +2094,130 @@ static int qcom_scm_qseecom_init(struct qcom_scm *scm)
#endif /* CONFIG_QCOM_QSEECOM */
+/**
+ * qcom_scm_qtee_invoke_smc() - Invoke a QTEE object.
+ * @inbuf: start address of memory area used for inbound buffer.
+ * @inbuf_size: size of the memory area used for inbound buffer.
+ * @outbuf: start address of memory area used for outbound buffer.
+ * @outbuf_size: size of the memory area used for outbound buffer.
+ * @result: result of QTEE object invocation.
+ * @response_type: response type returned by QTEE.
+ *
+ * @response_type determines how the contents of @inbuf and @outbuf
+ * should be processed.
+ *
+ * Return: On success, return 0 or <0 on failure.
+ */
+int qcom_scm_qtee_invoke_smc(phys_addr_t inbuf, size_t inbuf_size,
+ phys_addr_t outbuf, size_t outbuf_size,
+ u64 *result, u64 *response_type)
+{
+ struct qcom_scm_desc desc = {
+ .svc = QCOM_SCM_SVC_SMCINVOKE,
+ .cmd = QCOM_SCM_SMCINVOKE_INVOKE,
+ .owner = ARM_SMCCC_OWNER_TRUSTED_OS,
+ .args[0] = inbuf,
+ .args[1] = inbuf_size,
+ .args[2] = outbuf,
+ .args[3] = outbuf_size,
+ .arginfo = QCOM_SCM_ARGS(4, QCOM_SCM_RW, QCOM_SCM_VAL,
+ QCOM_SCM_RW, QCOM_SCM_VAL),
+ };
+ struct qcom_scm_res res;
+ int ret;
+
+ ret = qcom_scm_call(__scm->dev, &desc, &res);
+ if (ret)
+ return ret;
+
+ if (response_type)
+ *response_type = res.result[0];
+
+ if (result)
+ *result = res.result[1];
+
+ return 0;
+}
+EXPORT_SYMBOL(qcom_scm_qtee_invoke_smc);
+
+/**
+ * qcom_scm_qtee_callback_response() - Submit response for callback request.
+ * @buf: start address of memory area used for outbound buffer.
+ * @buf_size: size of the memory area used for outbound buffer.
+ * @result: Result of QTEE object invocation.
+ * @response_type: Response type returned by QTEE.
+ *
+ * @response_type determines how the contents of @buf should be processed.
+ *
+ * Return: On success, return 0 or <0 on failure.
+ */
+int qcom_scm_qtee_callback_response(phys_addr_t buf, size_t buf_size,
+ u64 *result, u64 *response_type)
+{
+ struct qcom_scm_desc desc = {
+ .svc = QCOM_SCM_SVC_SMCINVOKE,
+ .cmd = QCOM_SCM_SMCINVOKE_CB_RSP,
+ .owner = ARM_SMCCC_OWNER_TRUSTED_OS,
+ .args[0] = buf,
+ .args[1] = buf_size,
+ .arginfo = QCOM_SCM_ARGS(2, QCOM_SCM_RW, QCOM_SCM_VAL),
+ };
+ struct qcom_scm_res res;
+ int ret;
+
+ ret = qcom_scm_call(__scm->dev, &desc, &res);
+ if (ret)
+ return ret;
+
+ if (response_type)
+ *response_type = res.result[0];
+
+ if (result)
+ *result = res.result[1];
+
+ return 0;
+}
+EXPORT_SYMBOL(qcom_scm_qtee_callback_response);
+
+static void qcom_scm_qtee_free(void *data)
+{
+ struct platform_device *qtee_dev = data;
+
+ platform_device_unregister(qtee_dev);
+}
+
+static int qcom_scm_qtee_init(struct qcom_scm *scm)
+{
+ struct platform_device *qtee_dev;
+ u64 result, response_type;
+ int ret;
+
+ /*
+ * Check if QTEE supports smcinvoke:
+ * This will fail due to invalid buffers, but first, it checks whether
+ * the call is supported in QTEE syscall handler.
+ * If not supported, -EIO is returned.
+ */
+ ret = qcom_scm_qtee_invoke_smc(0, 0, 0, 0, &result, &response_type);
+ if (ret == -EIO)
+ return -EIO;
+
+ /* Setup QTEE interface device. */
+ qtee_dev = platform_device_alloc("qcomtee", -1);
+ if (!qtee_dev)
+ return -ENOMEM;
+
+ qtee_dev->dev.parent = scm->dev;
+
+ ret = platform_device_add(qtee_dev);
+ if (ret) {
+ platform_device_put(qtee_dev);
+ return ret;
+ }
+
+ return devm_add_action_or_reset(scm->dev, qcom_scm_qtee_free, qtee_dev);
+}
+
/**
* qcom_scm_is_available() - Checks if SCM is available
*/
@@ -2326,6 +2450,16 @@ static int qcom_scm_probe(struct platform_device *pdev)
ret = qcom_scm_qseecom_init(scm);
WARN(ret < 0, "failed to initialize qseecom: %d\n", ret);
+ /*
+ * Initialize the QTEE object interface.
+ *
+ * This only represents the availability for QTEE object invocation
+ * and callback support. On failure, ignore the result. Any subsystem
+ * depending on it may fail if it tries to access this interface.
+ */
+ ret = qcom_scm_qtee_init(scm);
+ dev_warn_probe(scm->dev, ret, "Failed to initialize qcomtee\n");
+
return 0;
}
diff --git a/drivers/firmware/qcom/qcom_scm.h b/drivers/firmware/qcom/qcom_scm.h
index 0e8dd838099e..a56c8212cc0c 100644
--- a/drivers/firmware/qcom/qcom_scm.h
+++ b/drivers/firmware/qcom/qcom_scm.h
@@ -156,6 +156,13 @@ int qcom_scm_shm_bridge_enable(struct device *scm_dev);
#define QCOM_SCM_SVC_GPU 0x28
#define QCOM_SCM_SVC_GPU_INIT_REGS 0x01
+/* ARM_SMCCC_OWNER_TRUSTED_OS calls */
+
+#define QCOM_SCM_SVC_SMCINVOKE 0x06
+#define QCOM_SCM_SMCINVOKE_INVOKE_LEGACY 0x00
+#define QCOM_SCM_SMCINVOKE_CB_RSP 0x01
+#define QCOM_SCM_SMCINVOKE_INVOKE 0x02
+
/* common error codes */
#define QCOM_SCM_V2_EBUSY -12
#define QCOM_SCM_ENOMEM -5
diff --git a/include/linux/firmware/qcom/qcom_scm.h b/include/linux/firmware/qcom/qcom_scm.h
index 0f667bf1d4d9..a55ca771286b 100644
--- a/include/linux/firmware/qcom/qcom_scm.h
+++ b/include/linux/firmware/qcom/qcom_scm.h
@@ -175,4 +175,10 @@ static inline int qcom_scm_qseecom_app_send(u32 app_id,
#endif /* CONFIG_QCOM_QSEECOM */
+int qcom_scm_qtee_invoke_smc(phys_addr_t inbuf, size_t inbuf_size,
+ phys_addr_t outbuf, size_t outbuf_size,
+ u64 *result, u64 *response_type);
+int qcom_scm_qtee_callback_response(phys_addr_t buf, size_t buf_size,
+ u64 *result, u64 *response_type);
+
#endif
--
2.34.1On Wed, Aug 20, 2025 at 04:38:53PM -0700, Amirreza Zarrabi wrote:
> diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
[..]
> +static void qcom_scm_qtee_free(void *data)
> +{
> + struct platform_device *qtee_dev = data;
> +
> + platform_device_unregister(qtee_dev);
> +}
> +
> +static int qcom_scm_qtee_init(struct qcom_scm *scm)
> +{
> + struct platform_device *qtee_dev;
> + u64 result, response_type;
> + int ret;
> +
> + /*
> + * Check if QTEE supports smcinvoke:
> + * This will fail due to invalid buffers, but first, it checks whether
> + * the call is supported in QTEE syscall handler.
> + * If not supported, -EIO is returned.
> + */
> + ret = qcom_scm_qtee_invoke_smc(0, 0, 0, 0, &result, &response_type);
> + if (ret == -EIO)
> + return -EIO;
> +
> + /* Setup QTEE interface device. */
> + qtee_dev = platform_device_alloc("qcomtee", -1);
> + if (!qtee_dev)
> + return -ENOMEM;
> +
> + qtee_dev->dev.parent = scm->dev;
> +
> + ret = platform_device_add(qtee_dev);
> + if (ret) {
> + platform_device_put(qtee_dev);
> + return ret;
> + }
Wouldn't this work instead of the alloc + parent + add?
qtee_dev = platform_device_alloc_data(scm->dev, "qcomtee", -1, NULL, 0);
if (IS_ERR(qtee_dev))
return PTR_ERR(qtee_dev);
> +
> + return devm_add_action_or_reset(scm->dev, qcom_scm_qtee_free, qtee_dev);
> +}
> +
> /**
> * qcom_scm_is_available() - Checks if SCM is available
> */
> @@ -2326,6 +2450,16 @@ static int qcom_scm_probe(struct platform_device *pdev)
> ret = qcom_scm_qseecom_init(scm);
> WARN(ret < 0, "failed to initialize qseecom: %d\n", ret);
>
> + /*
> + * Initialize the QTEE object interface.
> + *
> + * This only represents the availability for QTEE object invocation
> + * and callback support. On failure, ignore the result. Any subsystem
> + * depending on it may fail if it tries to access this interface.
> + */
> + ret = qcom_scm_qtee_init(scm);
> + dev_warn_probe(scm->dev, ret, "Failed to initialize qcomtee\n");
A successful boot of db410c (APQ8016) now has the following in the log:
[ 0.161437] qcom_scm firmware:scm: error -EIO: Failed to initialize qcomtee
If the target doesn't implement qtee, I'd expect that you tell me that -
or preferably stay silent.
Looking at the other error conditions, we find -ENOMEM, for which you
should also avoid printing. In fact, I believe all other error paths of
qcom_scm_qtee_init() will have printed an error already (if not, please
move the error print to the place(s) where it's needed).
As you're ignoring the return value, please then also change the return
type of the function to void.
Regards,
Bjorn
> +
> return 0;
> }
Hi Bjorn,
On 8/27/2025 1:52 AM, Bjorn Andersson wrote:
> On Wed, Aug 20, 2025 at 04:38:53PM -0700, Amirreza Zarrabi wrote:
>> diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
> [..]
>> +static void qcom_scm_qtee_free(void *data)
>> +{
>> + struct platform_device *qtee_dev = data;
>> +
>> + platform_device_unregister(qtee_dev);
>> +}
>> +
>> +static int qcom_scm_qtee_init(struct qcom_scm *scm)
>> +{
>> + struct platform_device *qtee_dev;
>> + u64 result, response_type;
>> + int ret;
>> +
>> + /*
>> + * Check if QTEE supports smcinvoke:
>> + * This will fail due to invalid buffers, but first, it checks whether
>> + * the call is supported in QTEE syscall handler.
>> + * If not supported, -EIO is returned.
>> + */
>> + ret = qcom_scm_qtee_invoke_smc(0, 0, 0, 0, &result, &response_type);
>> + if (ret == -EIO)
>> + return -EIO;
>> +
>> + /* Setup QTEE interface device. */
>> + qtee_dev = platform_device_alloc("qcomtee", -1);
>> + if (!qtee_dev)
>> + return -ENOMEM;
>> +
>> + qtee_dev->dev.parent = scm->dev;
>> +
>> + ret = platform_device_add(qtee_dev);
>> + if (ret) {
>> + platform_device_put(qtee_dev);
>> + return ret;
>> + }
>
> Wouldn't this work instead of the alloc + parent + add?
>
> qtee_dev = platform_device_alloc_data(scm->dev, "qcomtee", -1, NULL, 0);
> if (IS_ERR(qtee_dev))
> return PTR_ERR(qtee_dev);
>
You are right, I'll replace it with platform_device_register_data().
>> +
>> + return devm_add_action_or_reset(scm->dev, qcom_scm_qtee_free, qtee_dev);
>> +}
>> +
>> /**
>> * qcom_scm_is_available() - Checks if SCM is available
>> */
>> @@ -2326,6 +2450,16 @@ static int qcom_scm_probe(struct platform_device *pdev)
>> ret = qcom_scm_qseecom_init(scm);
>> WARN(ret < 0, "failed to initialize qseecom: %d\n", ret);
>>
>> + /*
>> + * Initialize the QTEE object interface.
>> + *
>> + * This only represents the availability for QTEE object invocation
>> + * and callback support. On failure, ignore the result. Any subsystem
>> + * depending on it may fail if it tries to access this interface.
>> + */
>> + ret = qcom_scm_qtee_init(scm);
>> + dev_warn_probe(scm->dev, ret, "Failed to initialize qcomtee\n");
>
> A successful boot of db410c (APQ8016) now has the following in the log:
>
> [ 0.161437] qcom_scm firmware:scm: error -EIO: Failed to initialize qcomtee
>
> If the target doesn't implement qtee, I'd expect that you tell me that -
> or preferably stay silent.
>
> Looking at the other error conditions, we find -ENOMEM, for which you
> should also avoid printing. In fact, I believe all other error paths of
> qcom_scm_qtee_init() will have printed an error already (if not, please
> move the error print to the place(s) where it's needed).
>
> As you're ignoring the return value, please then also change the return
> type of the function to void.
>
> Regards,
> Bjorn
>
Sure, a successful QTEE boot already logs its version from TEE SS,
along with any internal error messages. Based on those logs,
it's quite clear whether this function failed or succeeded at the
beginning. I'll remove the print statements.
Regards,
Amir
>> +
>> return 0;
>> }
© 2016 - 2025 Red Hat, Inc.