add trusted execution environment (tee) driver

TEE working now for Android, tested ok with COPS!

* Updated according to review comments
- Added ST-Ericsson copyright headers to all tee files.
- Fixed problem with not using readl/writel when using ioremap.
- Fixed problem with forgetting to do iounmap on special case.
- Fixed incorrect usage when doing copy_to_user when writing to the device.
- Added architecture dependent file for the tee service that calls the secure world.
- Added support for more several inputs (sharedmemory buffers) for tee.
- Added dummy macro to map MT_MEMORY device.
- Fixed memory leak in secure world due to not closing a TEE session correctly from the kernel.
- Now we only copies input buffer from user space for tee.
- Documented structures in tee.h.
- Moved SVP implementation into arch/arm/mach-ux500 folder.
- Added new config flags for ux500 and SVP regarding TEE driver.
- Update mach-ux500/Kconfig:
  - Enable TEE_UX500 by default when using target hardware.
  - Enabel TEE_SVP by default when building simulator.
- Fix the cache sync problem: not request ROM code to clean cache
- ioremap for ICN_BASE, remove static mapping in cpu-db8500.c.
- Fix ioremap of ICN_BASE and do iounmap after use.

ST-Ericsson ID: WP269815

Change-Id: Ie861a90ec790e95fb3992e560512661693548a43
Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/4168
Reviewed-by: Shujuan CHEN <shujuan.chen@stericsson.com>
Tested-by: Shujuan CHEN <shujuan.chen@stericsson.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>

11 files changed, 918 insertions, 0 deletions

diff --git a/arch/arm/mach-ux500/include/mach/tee_ta_start_modem.h b/arch/arm/mach-ux500/include/mach/tee_ta_start_modem.h
new file mode 100644
index 00000000000..6978b7314c5
--- /dev/null
+++ b/arch/arm/mach-ux500/include/mach/tee_ta_start_modem.h
@@ -0,0 +1,48 @@
+/*
+ * Data types and interface for TEE application for starting the modem.
+ *
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Shujuan Chen <shujuan.chen@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#ifndef TEE_TA_START_MODEM_H
+#define TEE_TA_START_MODEM_H
+
+#define COMMAND_ID_START_MODEM		0x00000001
+
+#define UUID_TEE_TA_START_MODEM_LOW	0x8AD94107
+#define UUID_TEE_TA_START_MODEM_MID	0x6E50
+#define UUID_TEE_TA_START_MODEM_HIGH	0x418E
+#define UUID_TEE_TA_START_MODEM_CLOCKSEQ \
+	{0xB1, 0x14, 0x75, 0x7D, 0x60, 0x21, 0xBD, 0x36}
+
+struct mcore_segment_descr {
+	void *segment;
+	void *hash;
+	u32 size;
+};
+
+struct access_image_descr {
+	void *elf_hdr;
+	void *pgm_hdr_tbl;
+	void *signature;
+	unsigned long nbr_segment;
+	struct mcore_segment_descr *descr;
+};
+
+/* TODO: To be redefined with only info needed by Secure world. */
+struct tee_ta_start_modem {
+	void *access_mem_start;
+	u32 shared_mem_size;
+	u32 access_private_mem_size;
+	struct access_image_descr access_image_descr;
+};
+
+/**
+ * This is the function to handle the modem release.
+ */
+int tee_ta_start_modem(struct tee_ta_start_modem *data);
+
+#endif
+
diff --git a/arch/arm/mach-ux500/tee_service_svp.c b/arch/arm/mach-ux500/tee_service_svp.c
new file mode 100644
index 00000000000..aa65dd961a0
--- /dev/null
+++ b/arch/arm/mach-ux500/tee_service_svp.c
@@ -0,0 +1,66 @@
+/*
+ * TEE service to handle the calls to trusted applications in SVP.
+ *
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Shujuan Chen <shujuan.chen@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/tee.h>
+#include <linux/err.h>
+#include "mach/tee_ta_start_modem.h"
+
+static int cmp_uuid_start_modem(struct tee_uuid *uuid)
+{
+	int ret = -EINVAL;
+
+	if (uuid == NULL)
+		return -EINVAL;
+
+	/* This handles the calls to TA for start the modem */
+	if ((uuid->timeLow == UUID_TEE_TA_START_MODEM_LOW) &&
+	    (uuid->timeMid == UUID_TEE_TA_START_MODEM_MID) &&
+	    (uuid->timeHiAndVersion == UUID_TEE_TA_START_MODEM_HIGH)) {
+
+		u8 clockSeqAndNode[TEE_UUID_CLOCK_SIZE] =
+			UUID_TEE_TA_START_MODEM_CLOCKSEQ;
+
+		ret = memcmp(uuid->clockSeqAndNode, clockSeqAndNode,
+			     TEE_UUID_CLOCK_SIZE);
+	}
+
+	return ret;
+}
+
+int call_sec_world(struct tee_session *ts, int sec_cmd)
+{
+	int ret = 0;
+
+	if (ts == NULL)
+		return -EINVAL;
+
+	if (cmp_uuid_start_modem(ts->uuid))
+		return -EINVAL;
+
+	switch (ts->cmd) {
+	case COMMAND_ID_START_MODEM:
+		ret = tee_ta_start_modem((struct tee_ta_start_modem *)
+					 ts->op);
+		if (ret) {
+			ts->err = TEED_ERROR_GENERIC;
+			ts->origin = TEED_ORIGIN_TEE_APPLICATION;
+			pr_err("tee_ta_start_modem() failed!\n");
+			return ret;
+		}
+		break;
+
+	default:
+		break;
+	}
+
+	/* TODO: to handle more trusted applications. */
+
+	return ret;
+}
diff --git a/arch/arm/mach-ux500/tee_ta_start_modem_svp.c b/arch/arm/mach-ux500/tee_ta_start_modem_svp.c
new file mode 100644
index 00000000000..12337b93154
--- /dev/null
+++ b/arch/arm/mach-ux500/tee_ta_start_modem_svp.c
@@ -0,0 +1,56 @@
+/*
+ * Trusted application for starting the modem.
+ *
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Shujuan Chen <shujuan.chen@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#include <linux/err.h>
+#include <linux/io.h>
+#include <linux/kernel.h>
+#include <linux/elf.h>
+#include <mach/hardware.h>
+
+#include "mach/tee_ta_start_modem.h"
+
+static int reset_modem(unsigned long modem_start_addr)
+{
+	void __iomem *base = ioremap(U5500_ACCCON_BASE_SEC, 0x2FF);
+	if (!base)
+		return -ENOMEM;
+
+	pr_info("[%s] Setting modem start address!\n", __func__);
+	writel(base + (U5500_ACCCON_CPUVEC_RESET_ADDR_OFFSET/sizeof(uint32_t)),
+	       modem_start_addr);
+
+	pr_info("[%s] resetting the modem!\n", __func__);
+	writel(base + (U5500_ACCCON_ACC_CPU_CTRL_OFFSET/sizeof(uint32_t)), 1);
+
+	iounmap(base);
+
+	return 0;
+}
+
+int tee_ta_start_modem(struct tee_ta_start_modem *data)
+{
+	int ret = 0;
+	struct elfhdr *elfhdr;
+	void __iomem *vaddr;
+
+	vaddr = ioremap((unsigned long)data->access_image_descr.elf_hdr,
+			sizeof(struct elfhdr));
+	if (!vaddr)
+		return -ENOMEM;
+
+	elfhdr = (struct elfhdr *)readl(vaddr);
+	pr_info("Reading in kernel:elfhdr 0x%x:elfhdr->entry=0x%x\n",
+			(uint32_t)elfhdr, (uint32_t)elfhdr->e_entry);
+
+	pr_info("[%s] reset modem()...\n", __func__);
+	ret = reset_modem(elfhdr->e_entry);
+
+	iounmap(vaddr);
+
+	return ret;
+}
diff --git a/arch/arm/mach-ux500/tee_ux500.c b/arch/arm/mach-ux500/tee_ux500.c
new file mode 100644
index 00000000000..ab3782a323c
--- /dev/null
+++ b/arch/arm/mach-ux500/tee_ux500.c
@@ -0,0 +1,79 @@
+/*
+ * TEE service to handle the calls to trusted applications.
+ *
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Joakim Bech <joakim.xx.bech@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+#include <linux/kernel.h>
+#include <linux/tee.h>
+#include <linux/io.h>
+
+#include <mach/hardware.h>
+
+#define BOOT_BRIDGE_FUNC (U8500_BOOT_ROM_BASE + 0x18300)
+
+#define ISSWAPI_EXECUTE_TA 0x11000001
+#define ISSWAPI_CLOSE_TA   0x11000002
+
+#define SEC_ROM_NO_FLAG_MASK    0x0000
+
+static u32 call_sec_rom_bridge(u32 service_id, u32 cfg, ...)
+{
+	typedef u32 (*bridge_func)(u32, u32, va_list);
+	static bridge_func hw_sec_rom_pub_bridge;
+	va_list ap;
+	u32 ret;
+
+	hw_sec_rom_pub_bridge =
+		(bridge_func)((u32)IO_ADDRESS(BOOT_BRIDGE_FUNC));
+
+	va_start(ap, cfg);
+	ret = hw_sec_rom_pub_bridge(service_id, cfg, ap);
+	va_end(ap);
+
+	return ret;
+}
+
+int call_sec_world(struct tee_session *ts, int sec_cmd)
+{
+	/*
+	 * ts->ta and ts->uuid is set to NULL when opening the device,
+	 * hence it should be safe to just do the call here.
+	 */
+
+	switch (sec_cmd) {
+	case TEED_INVOKE:
+	if (!ts->uuid) {
+		call_sec_rom_bridge(ISSWAPI_EXECUTE_TA,
+				SEC_ROM_NO_FLAG_MASK,
+				virt_to_phys(&ts->id),
+				NULL,
+				virt_to_phys(ts->ta),
+				ts->cmd,
+				virt_to_phys((void *)(ts->op)),
+				virt_to_phys((void *)(&ts->origin)));
+	} else {
+		call_sec_rom_bridge(ISSWAPI_EXECUTE_TA,
+				SEC_ROM_NO_FLAG_MASK,
+				virt_to_phys(&ts->id),
+				virt_to_phys(ts->uuid),
+				virt_to_phys(ts->ta),
+				ts->cmd,
+				virt_to_phys((void *)(ts->op)),
+				virt_to_phys((void *)(&ts->origin)));
+	}
+	break;
+
+	case TEED_CLOSE_SESSION:
+		call_sec_rom_bridge(ISSWAPI_CLOSE_TA,
+				SEC_ROM_NO_FLAG_MASK,
+				ts->id,
+				NULL,
+				virt_to_phys(ts->ta),
+				virt_to_phys((void *)(&ts->origin)));
+	break;
+	}
+
+	return 0;
+}
diff --git a/drivers/Kconfig b/drivers/Kconfig
index d236aef7e59..68e36aed05b 100644
--- a/drivers/Kconfig
+++ b/drivers/Kconfig
@@ -126,6 +126,8 @@ source "drivers/platform/Kconfig"
 
 source "drivers/clk/Kconfig"
 
+source "drivers/tee/Kconfig"
+
 source "drivers/hwspinlock/Kconfig"
 
 source "drivers/clocksource/Kconfig"
@@ -141,3 +143,4 @@ source "drivers/virt/Kconfig"
 source "drivers/devfreq/Kconfig"
 
 endmenu
+
diff --git a/drivers/Makefile b/drivers/Makefile
index 95952c82bf1..4ca756c31be 100644
--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -122,6 +122,7 @@ obj-y				+= platform/
 obj-y				+= ieee802154/
 #common clk code
 obj-y				+= clk/
+obj-$(CONFIG_TEE_SUPPORT)	+= tee/
 
 obj-$(CONFIG_HWSPINLOCK)	+= hwspinlock/
 obj-$(CONFIG_NFC)		+= nfc/
diff --git a/drivers/tee/Kconfig b/drivers/tee/Kconfig
new file mode 100644
index 00000000000..a452e888d77
--- /dev/null
+++ b/drivers/tee/Kconfig
@@ -0,0 +1,13 @@
+#
+# Copyright (C) ST-Ericsson SA 2010
+# Author: Martin Hovang (martin.xm.hovang@stericsson.com)
+# License terms: GNU General Public License (GPL) version 2
+#
+
+# Trursted Execution Environment Configuration
+config TEE_SUPPORT
+	bool "Trusted Execution Environment Support"
+	default y
+	---help---
+	  This implements the Trusted Execution Environment (TEE) Client
+	  API Specification from GlobalPlatform Device Technology.
diff --git a/drivers/tee/Makefile b/drivers/tee/Makefile
new file mode 100644
index 00000000000..b937eb19d72
--- /dev/null
+++ b/drivers/tee/Makefile
@@ -0,0 +1,8 @@
+#
+# Copyright (C) ST-Ericsson SA 2010
+# Author: Martin Hovang (martin.xm.hovang@stericsson.com)
+# License terms: GNU General Public License (GPL) version 2
+#
+
+obj-$(CONFIG_TEE_SUPPORT) += tee_service.o
+obj-$(CONFIG_TEE_SUPPORT) += tee_driver.o
diff --git a/drivers/tee/tee_driver.c b/drivers/tee/tee_driver.c
new file mode 100644
index 00000000000..551c92cc054
--- /dev/null
+++ b/drivers/tee/tee_driver.c
@@ -0,0 +1,484 @@
+/*
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Martin Hovang <martin.xm.hovang@stericsson.com>
+ * Author: Joakim Bech <joakim.xx.bech@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/cdev.h>
+#include <linux/mutex.h>
+#include <linux/miscdevice.h>
+#include <linux/uaccess.h>
+#include <linux/tee.h>
+#include <linux/slab.h>
+
+#define TEED_NAME "tee"
+
+#define TEED_STATE_OPEN_DEV 0
+#define TEED_STATE_OPEN_SESSION 1
+
+#define TEEC_MEM_INPUT  0x00000001
+#define TEEC_MEM_OUTPUT 0x00000002
+
+static int tee_open(struct inode *inode, struct file *file);
+static int tee_release(struct inode *inode, struct file *file);
+static int tee_read(struct file *filp, char __user *buffer,
+		    size_t length, loff_t *offset);
+static int tee_write(struct file *filp, const char __user *buffer,
+		     size_t length, loff_t *offset);
+
+static inline void set_emsg(struct tee_session *ts, u32 msg)
+{
+	ts->err = msg;
+	ts->origin = TEED_ORIGIN_DRIVER;
+}
+
+static void reset_session(struct tee_session *ts)
+{
+	ts->state = TEED_STATE_OPEN_DEV;
+	ts->err = TEED_SUCCESS;
+	ts->origin = TEED_ORIGIN_DRIVER;
+	ts->id = 0;
+	ts->ta = NULL;
+	ts->uuid = NULL;
+	ts->cmd = 0;
+	ts->driver_cmd = TEED_OPEN_SESSION;
+	ts->ta_size = 0;
+	ts->op = NULL;
+}
+
+static int copy_ta(struct tee_session *ts,
+		   struct tee_session *ku_buffer)
+{
+	ts->ta = kmalloc(ku_buffer->ta_size, GFP_KERNEL);
+	if (ts->ta == NULL) {
+		pr_err("[%s] error, out of memory (ta)\n",
+		       __func__);
+		set_emsg(ts, TEED_ERROR_OUT_OF_MEMORY);
+		return -ENOMEM;
+	}
+
+	ts->ta_size = ku_buffer->ta_size;
+
+	memcpy(ts->ta, ku_buffer->ta, ku_buffer->ta_size);
+	return 0;
+}
+
+static int copy_uuid(struct tee_session *ts,
+		     struct tee_session *ku_buffer)
+{
+	ts->uuid = kmalloc(sizeof(struct tee_uuid), GFP_KERNEL);
+
+	if (ts->uuid == NULL) {
+		pr_err("[%s] error, out of memory (uuid)\n",
+		       __func__);
+		set_emsg(ts, TEED_ERROR_OUT_OF_MEMORY);
+		return -ENOMEM;
+	}
+
+	memcpy(ts->uuid, ku_buffer->uuid, sizeof(struct tee_uuid));
+
+	return 0;
+}
+
+static inline void free_operation(struct tee_session *ts)
+{
+	int i;
+
+	for (i = 0; i < 4; ++i) {
+		kfree(ts->op->shm[i].buffer);
+		ts->op->shm[i].buffer = NULL;
+	}
+
+	kfree(ts->op);
+	ts->op = NULL;
+}
+
+static inline void memrefs_phys_to_virt(struct tee_session *ts)
+{
+	int i;
+
+	for (i = 0; i < 4; ++i) {
+		if (ts->op->flags & (1 << i)) {
+			ts->op->shm[i].buffer =
+				phys_to_virt((unsigned long)
+					     ts->op->shm[i].buffer);
+		}
+	}
+}
+
+static int copy_memref_to_user(struct tee_operation *op,
+			       struct tee_operation *ubuf_op,
+			       int memref)
+{
+	unsigned long bytes_left;
+
+	bytes_left = copy_to_user(ubuf_op->shm[memref].buffer,
+				  op->shm[memref].buffer,
+				  op->shm[memref].size);
+
+	if (bytes_left != 0) {
+		pr_err("[%s] Failed to copy result to user space (%lu "
+		       "bytes left of buffer).\n", __func__, bytes_left);
+		return bytes_left;
+	}
+
+	bytes_left = put_user(op->shm[memref].size, &ubuf_op->shm[memref].size);
+
+	if (bytes_left != 0) {
+		pr_err("[%s] Failed to copy result to user space (%lu "
+		       "bytes left of size).\n", __func__, bytes_left);
+		return -EINVAL;
+	}
+
+	bytes_left = put_user(op->shm[memref].flags,
+			      &ubuf_op->shm[memref].flags);
+	if (bytes_left != 0) {
+		pr_err("[%s] Failed to copy result to user space (%lu "
+		       "bytes left of flags).\n", __func__, bytes_left);
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
+static int copy_memref_to_kernel(struct tee_operation *op,
+				 struct tee_operation *kbuf_op,
+				 int memref)
+{
+	/* Buffer freed in invoke_command if this function fails */
+	op->shm[memref].buffer = kmalloc(kbuf_op->shm[memref].size, GFP_KERNEL);
+
+	if (!op->shm[memref].buffer) {
+		pr_err("[%s] out of memory\n", __func__);
+		return -ENOMEM;
+	}
+
+	/*
+	 * Copy shared memory operations to a local kernel
+	 * buffer if they are of type input.
+	 */
+	if (kbuf_op->shm[memref].flags & TEEC_MEM_INPUT) {
+		memcpy(op->shm[memref].buffer,
+		       kbuf_op->shm[memref].buffer,
+		       kbuf_op->shm[memref].size);
+	}
+
+	op->shm[memref].size = kbuf_op->shm[memref].size;
+	op->shm[memref].flags = kbuf_op->shm[memref].flags;
+
+	/* Secure world expects physical addresses. */
+	op->shm[memref].buffer = (void *)virt_to_phys(op->shm[memref].buffer);
+
+	return 0;
+}
+
+static int open_tee_device(struct tee_session *ts,
+			   struct tee_session *ku_buffer)
+{
+	int ret;
+
+	if (ku_buffer->driver_cmd != TEED_OPEN_SESSION) {
+		set_emsg(ts, TEED_ERROR_BAD_STATE);
+		return -EINVAL;
+	}
+
+	if (ku_buffer->ta) {
+		ret = copy_ta(ts, ku_buffer);
+	} else if (ku_buffer->uuid) {
+		ret = copy_uuid(ts, ku_buffer);
+	} else {
+		set_emsg(ts, TEED_ERROR_COMMUNICATION);
+		return -EINVAL;
+	}
+
+	ts->id = 0;
+	ts->state = TEED_STATE_OPEN_SESSION;
+	return ret;
+}
+
+static int invoke_command(struct tee_session *ts,
+			  struct tee_session *ku_buffer,
+			  struct tee_session __user *u_buffer)
+{
+	int i;
+	int ret = 0;
+	struct tee_operation *kbuf_op =
+		(struct tee_operation *)ku_buffer->op;
+
+	ts->op = kmalloc(sizeof(struct tee_operation), GFP_KERNEL);
+
+	if (!ts->op) {
+		if (ts->op == NULL) {
+			pr_err("[%s] error, out of memory "
+			       "(op)\n", __func__);
+			set_emsg(ts, TEED_ERROR_OUT_OF_MEMORY);
+			ret = -ENOMEM;
+			goto err;
+		}
+	}
+
+	/* Copy memrefs to kernel space. */
+	ts->op->flags = kbuf_op->flags;
+	ts->cmd = ku_buffer->cmd;
+
+	for (i = 0; i < 4; ++i) {
+		/* We only want to copy memrefs in use. */
+		if (kbuf_op->flags & (1 << i)) {
+			ret = copy_memref_to_kernel(ts->op, kbuf_op, i);
+
+			if (ret)
+				goto err;
+		} else {
+			ts->op->shm[i].buffer = NULL;
+			ts->op->shm[i].size = 0;
+			ts->op->shm[i].flags = 0;
+		}
+	}
+
+	/* To call secure world */
+	if (call_sec_world(ts, TEED_INVOKE)) {
+		ret = -EINVAL;
+		goto err;
+	}
+
+	/*
+	 * Convert physical addresses back to virtual address so the
+	 * kernel can free the buffers when closing the session.
+	 */
+	memrefs_phys_to_virt(ts);
+
+	for (i = 0; i < 4; ++i) {
+		if ((kbuf_op->flags & (1 << i)) &&
+		    (kbuf_op->shm[i].flags & TEEC_MEM_OUTPUT)) {
+			struct tee_operation *ubuf_op =
+				(struct tee_operation *)u_buffer->op;
+
+			ret = copy_memref_to_user(ts->op, ubuf_op, i);
+		}
+	}
+err:
+	free_operation(ts);
+
+	return ret;
+}
+
+static int tee_open(struct inode *inode, struct file *filp)
+{
+	struct tee_session *ts;
+
+	filp->private_data = kmalloc(sizeof(struct tee_session),
+				     GFP_KERNEL);
+
+	if (filp->private_data == NULL)
+		return -ENOMEM;
+
+	ts = (struct tee_session *) (filp->private_data);
+
+	reset_session(ts);
+
+	ts->sync = kmalloc(sizeof(struct mutex), GFP_KERNEL);
+
+	if (!ts->sync)
+		return -ENOMEM;
+
+	mutex_init(ts->sync);
+
+	return 0;
+}
+
+static int tee_release(struct inode *inode, struct file *filp)
+{
+	struct tee_session *ts;
+	int i;
+
+	ts = (struct tee_session *) (filp->private_data);
+
+	if (ts == NULL)
+			goto no_ts;
+
+	if (ts->op) {
+		for (i = 0; i < 4; ++i) {
+			kfree(ts->op->shm[i].buffer);
+			ts->op->shm[i].buffer = NULL;
+		}
+	}
+
+	kfree(ts->op);
+	ts->op = NULL;
+
+	kfree(ts->sync);
+	ts->sync = NULL;
+
+	kfree(ts->ta);
+	ts->ta = NULL;
+
+no_ts:
+	kfree(filp->private_data);
+	filp->private_data = NULL;
+
+	return 0;
+}
+
+/*
+ * Called when a process, which already opened the dev file, attempts
+ * to read from it. This function gets the current status of the session.
+ */
+static int tee_read(struct file *filp, char __user *buffer,
+		    size_t length, loff_t *offset)
+{
+	struct tee_read buf;
+	struct tee_session *ts;
+
+	if (length != sizeof(struct tee_read)) {
+		pr_err("[%s] error, incorrect input length\n",
+		       __func__);
+		return -EINVAL;
+	}
+
+	ts = (struct tee_session *) (filp->private_data);
+
+	if (ts == NULL || ts->sync == NULL) {
+		pr_err("[%s] error, private_data not "
+		       "initialized\n", __func__);
+		return -EINVAL;
+	}
+
+	mutex_lock(ts->sync);
+
+	buf.err = ts->err;
+	buf.origin = ts->origin;
+
+	mutex_unlock(ts->sync);
+
+	if (copy_to_user(buffer, &buf, length)) {
+		pr_err("[%s] error, copy_to_user failed!\n",
+		       __func__);
+		return -EINVAL;
+	}
+
+	return length;
+}
+
+/*
+ * Called when a process writes to a dev file
+ */
+static int tee_write(struct file *filp, const char __user *buffer,
+		     size_t length, loff_t *offset)
+{
+	struct tee_session ku_buffer;
+	struct tee_session *ts;
+	int ret = length;
+
+	if (length != sizeof(struct tee_session)) {
+		pr_err("[%s] error, incorrect input length\n",
+		       __func__);
+		return -EINVAL;
+	}
+
+	if (copy_from_user(&ku_buffer, buffer, length)) {
+		pr_err("[%s] error, tee_session "
+		       "copy_from_user failed\n", __func__);
+		return -EINVAL;
+	}
+
+	ts = (struct tee_session *) (filp->private_data);
+
+	if (ts == NULL || ts->sync == NULL) {
+		pr_err("[%s] error, private_data not "
+		       "initialized\n", __func__);
+		return -EINVAL;
+	}
+
+	mutex_lock(ts->sync);
+
+	switch (ts->state) {
+	case TEED_STATE_OPEN_DEV:
+		ret = open_tee_device(ts, &ku_buffer);
+		break;
+
+	case TEED_STATE_OPEN_SESSION:
+		switch (ku_buffer.driver_cmd) {
+		case TEED_INVOKE:
+			ret = invoke_command(ts, &ku_buffer,
+					     (struct tee_session *)buffer);
+			break;
+
+		case TEED_CLOSE_SESSION:
+			/* no caching implemented yet... */
+			if (call_sec_world(ts, TEED_CLOSE_SESSION))
+				ret = -EINVAL;
+
+			kfree(ts->ta);
+			ts->ta = NULL;
+
+			reset_session(ts);
+			break;
+
+		default:
+			set_emsg(ts, TEED_ERROR_BAD_PARAMETERS);
+			ret = -EINVAL;
+		}
+		break;
+	default:
+		pr_err("[%s] unknown state\n", __func__);
+		set_emsg(ts, TEED_ERROR_BAD_STATE);
+		ret = -EINVAL;
+	}
+
+	/*
+	 * We expect that ret has value zero when reaching the end here.
+	 * If it has any other value some error must have occured.
+	 */
+	if (!ret)
+		ret = length;
+	else
+		ret = -EINVAL;
+
+	mutex_unlock(ts->sync);
+
+	return ret;
+}
+
+static const struct file_operations tee_fops = {
+	.owner = THIS_MODULE,
+	.read = tee_read,
+	.write = tee_write,
+	.open = tee_open,
+	.release = tee_release,
+};
+
+static struct miscdevice tee_dev = {
+	MISC_DYNAMIC_MINOR,
+	TEED_NAME,
+	&tee_fops
+};
+
+static int __init tee_init(void)
+{
+	int err = 0;
+
+	err = misc_register(&tee_dev);
+
+	if (err) {
+		pr_err("[%s] error %d adding character device "
+		       "TEE\n", __func__, err);
+	}
+
+	return err;
+}
+
+static void __exit tee_exit(void)
+{
+	misc_deregister(&tee_dev);
+}
+
+module_init(tee_init);
+module_exit(tee_exit);
+
+MODULE_LICENSE("Dual BSD/GPL");
+MODULE_DESCRIPTION("Trusted Execution Enviroment driver");
diff --git a/drivers/tee/tee_service.c b/drivers/tee/tee_service.c
new file mode 100644
index 00000000000..b01e9d0ac39
--- /dev/null
+++ b/drivers/tee/tee_service.c
@@ -0,0 +1,17 @@
+/*
+ * TEE service to handle the calls to trusted applications.
+ *
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Joakim Bech <joakim.xx.bech@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+#include <linux/kernel.h>
+#include <linux/tee.h>
+#include <linux/device.h>
+
+int __weak call_sec_world(struct tee_session *ts, int sec_cmd)
+{
+	pr_info("[%s] Generic call_sec_world called!\n", __func__);
+
+	return 0;
+}
diff --git a/include/linux/tee.h b/include/linux/tee.h
new file mode 100644
index 00000000000..0cdec2d254a
--- /dev/null
+++ b/include/linux/tee.h
@@ -0,0 +1,143 @@
+/*
+ * Trusted Execution Environment (TEE) interface for TrustZone enabled ARM CPUs.
+ *
+ * Copyright (C) ST-Ericsson SA 2010
+ * Author: Shujuan Chen <shujuan.chen@stericsson.com>
+ * Author: Martin Hovang <martin.xm.hovang@stericsson.com
+ * Author: Joakim Bech <joakim.xx.bech@stericsson.com>
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#ifndef TEE_H
+#define TEE_H
+
+/* tee_cmd id values */
+#define TEED_OPEN_SESSION    0x00000000U
+#define TEED_CLOSE_SESSION   0x00000001U
+#define TEED_INVOKE          0x00000002U
+
+/* tee_retval id values */
+#define TEED_SUCCESS                0x00000000U
+#define TEED_ERROR_GENERIC          0xFFFF0000U
+#define TEED_ERROR_ACCESS_DENIED    0xFFFF0001U
+#define TEED_ERROR_CANCEL           0xFFFF0002U
+#define TEED_ERROR_ACCESS_CONFLICT  0xFFFF0003U
+#define TEED_ERROR_EXCESS_DATA      0xFFFF0004U
+#define TEED_ERROR_BAD_FORMAT       0xFFFF0005U
+#define TEED_ERROR_BAD_PARAMETERS   0xFFFF0006U
+#define TEED_ERROR_BAD_STATE        0xFFFF0007U
+#define TEED_ERROR_ITEM_NOT_FOUND   0xFFFF0008U
+#define TEED_ERROR_NOT_IMPLEMENTED  0xFFFF0009U
+#define TEED_ERROR_NOT_SUPPORTED    0xFFFF000AU
+#define TEED_ERROR_NO_DATA          0xFFFF000BU
+#define TEED_ERROR_OUT_OF_MEMORY    0xFFFF000CU
+#define TEED_ERROR_BUSY             0xFFFF000DU
+#define TEED_ERROR_COMMUNICATION    0xFFFF000EU
+#define TEED_ERROR_SECURITY         0xFFFF000FU
+#define TEED_ERROR_SHORT_BUFFER     0xFFFF0010U
+
+/* TEE origin codes */
+#define TEED_ORIGIN_DRIVER          0x00000002U
+#define TEED_ORIGIN_TEE             0x00000003U
+#define TEED_ORIGIN_TEE_APPLICATION 0x00000004U
+
+#define TEE_UUID_CLOCK_SIZE 8
+
+#define TEEC_CONFIG_PAYLOAD_REF_COUNT 4
+
+/**
+ * struct tee_uuid - Structure that represent an uuid.
+ * @timeLow: The low field of the time stamp.
+ * @timeMid: The middle field of the time stamp.
+ * @timeHiAndVersion: The high field of the timestamp multiplexed
+ *                    with the version number.
+ * @clockSeqAndNode: The clock sequence and the node.
+ *
+ * This structure have different naming (camel case) to comply with Global
+ * Platforms TEE Client API spec. This type is defined in RFC4122.
+ */
+struct tee_uuid {
+	uint32_t timeLow;
+	uint16_t timeMid;
+	uint16_t timeHiAndVersion;
+	uint8_t clockSeqAndNode[TEE_UUID_CLOCK_SIZE];
+};
+
+/**
+ * struct tee_sharedmemory - Shared memory block for TEE.
+ * @buffer: The in/out data to TEE.
+ * @size: The size of the data.
+ * @flags: Variable telling whether it is a in, out or in/out parameter.
+ */
+struct tee_sharedmemory {
+	void *buffer;
+	size_t size;
+	uint32_t flags;
+};
+
+/**
+ * struct tee_operation - Payload for sessions or invoke operation.
+ * @shm: Array containing the shared memory buffers.
+ * @flags: Tells which if memory buffers that are in use.
+ */
+struct tee_operation {
+	struct tee_sharedmemory shm[TEEC_CONFIG_PAYLOAD_REF_COUNT];
+	uint32_t flags;
+};
+
+/**
+ * struct tee_session - The session of an open tee device.
+ * @state: The current state in the linux kernel.
+ * @err: Error code (as in Global Platform TEE Client API spec)
+ * @origin: Origin for the error code (also from spec).
+ * @id: Implementation defined type, 0 if not used.
+ * @ta: The trusted application.
+ * @uuid: The uuid for the trusted application.
+ * @cmd: The command to be executed in the trusted application.
+ * @driver_cmd: The command type in the driver. This is used from a client (user
+ *              space to tell the Linux kernel whether it's a open-,
+ *              close-session or if it is an invoke command.
+ * @ta_size: The size of the trusted application.
+ * @op: The payload for the trusted application.
+ * @sync: Mutex to handle multiple use of clients.
+ *
+ * This structure is mainly used in the Linux kernel as a session context for
+ * ongoing operations. Other than that it is also used in the communication with
+ * the user space.
+ */
+struct tee_session {
+	uint32_t state;
+	uint32_t err;
+	uint32_t origin;
+	uint32_t id;
+	void *ta;
+	struct tee_uuid *uuid;
+	unsigned int cmd;
+	unsigned int driver_cmd;
+	unsigned int ta_size;
+	struct tee_operation *op;
+	struct mutex *sync;
+};
+
+/**
+ * struct tee_read - Contains the error message and the origin.
+ * @err: Error code (as in Global Platform TEE Client API spec)
+ * @origin: Origin for the error code (also from spec).
+ *
+ * This is used by user space when a user space application wants to get more
+ * information about an error.
+ */
+struct tee_read {
+	unsigned int err; /* return value */
+	unsigned int origin; /* error origin */
+};
+
+/**
+ * Function that handles the function calls to trusted applications.
+ * @param ts: The session of a operation to be executed.
+ * @param sec_cmd: The type of command to be executed, open-, close-session,
+ *                 invoke command.
+ */
+int call_sec_world(struct tee_session *ts, int sec_cmd);
+
+#endif