Re: [PATCH 05/11] media: iris: Enable Secure PAS support with IOMMU managed by Linux
From: Mukesh Ojha
Date: Wed Apr 15 2026 - 03:36:28 EST
On Tue, Apr 14, 2026 at 12:01:28PM +0530, Mukesh Ojha wrote:
> On Tue, Apr 14, 2026 at 10:30:01AM +0530, Vishnu Reddy wrote:
> > From: Mukesh Ojha <mukesh.ojha@xxxxxxxxxxxxxxxx>
> >
> > Most Qualcomm platforms feature a proprietary hypervisor (such as Gunyah
> > or QHEE), which typically handles IOMMU configuration. This includes
> > mapping memory regions and device memory resources for remote processors
> > by intercepting qcom_scm_pas_auth_and_reset() calls. These mappings are
> > later removed during teardown. Additionally, SHM bridge setup is required
> > to enable memory protection for both remoteproc metadata and its memory
> > regions.
> >
> > When the hypervisor is absent, the operating system must perform these
> > configurations instead.
> >
> > Support for handling IOMMU and SHM setup in the absence of a hypervisor
> > is now in place. Extend the Iris driver to enable this functionality on
> > platforms where IOMMU is managed by Linux (i.e., non-Gunyah, non-QHEE).
> >
> > Additionally, the Iris driver must map the firmware and its required
> > resources to the firmware SID, which is now specified via iommu-map in
> > the device tree.
> >
> > Co-developed-by: Vikash Garodia <vikash.garodia@xxxxxxxxxxxxxxxx>
> > Signed-off-by: Vikash Garodia <vikash.garodia@xxxxxxxxxxxxxxxx>
> > Signed-off-by: Mukesh Ojha <mukesh.ojha@xxxxxxxxxxxxxxxx>
> > Signed-off-by: Vishnu Reddy <busanna.reddy@xxxxxxxxxxxxxxxx>
> > ---
> > drivers/media/platform/qcom/iris/iris_core.h | 4 ++
> > drivers/media/platform/qcom/iris/iris_firmware.c | 71 +++++++++++++++++++++---
> > 2 files changed, 66 insertions(+), 9 deletions(-)
> >
> > diff --git a/drivers/media/platform/qcom/iris/iris_core.h b/drivers/media/platform/qcom/iris/iris_core.h
> > index fb194c967ad4..aa7abef6f0e0 100644
> > --- a/drivers/media/platform/qcom/iris/iris_core.h
> > +++ b/drivers/media/platform/qcom/iris/iris_core.h
> > @@ -34,6 +34,8 @@ enum domain_type {
> > * struct iris_core - holds core parameters valid for all instances
> > *
> > * @dev: reference to device structure
> > + * @dev_fw: reference to the context bank device used for firmware load
> > + * @ctx_fw: SCM PAS context for authenticated firmware load and shutdown
> > * @reg_base: IO memory base address
> > * @irq: iris irq
> > * @v4l2_dev: a holder for v4l2 device structure
> > @@ -77,6 +79,8 @@ enum domain_type {
> >
> > struct iris_core {
> > struct device *dev;
> > + struct device *dev_fw;
> > + struct qcom_scm_pas_context *ctx_fw;
>
> fw_dev suits better and ctx_fw is always for firmware, maybe pas_ctx is
> better.
>
> > void __iomem *reg_base;
> > int irq;
> > struct v4l2_device v4l2_dev;
> > diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c
> > index 5f408024e967..93d77996c83f 100644
> > --- a/drivers/media/platform/qcom/iris/iris_firmware.c
> > +++ b/drivers/media/platform/qcom/iris/iris_firmware.c
> > @@ -5,6 +5,7 @@
> >
> > #include <linux/firmware.h>
> > #include <linux/firmware/qcom/qcom_scm.h>
> > +#include <linux/iommu.h>
> > #include <linux/of_address.h>
> > #include <linux/of_reserved_mem.h>
> > #include <linux/soc/qcom/mdt_loader.h>
> > @@ -13,12 +14,15 @@
> > #include "iris_firmware.h"
> >
> > #define MAX_FIRMWARE_NAME_SIZE 128
> > +#define IRIS_FW_START_ADDR 0
> >
> > static int iris_load_fw_to_memory(struct iris_core *core, const char *fw_name)
> > {
> > + struct device *dev = core->dev_fw ? core->dev_fw : core->dev;
> > u32 pas_id = core->iris_platform_data->pas_id;
> > const struct firmware *firmware = NULL;
> > - struct device *dev = core->dev;
> > + struct qcom_scm_pas_context *ctx_fw;
> > + struct iommu_domain *domain;
> > struct resource res;
> > phys_addr_t mem_phys;
> > size_t res_size;
> > @@ -29,13 +33,17 @@ static int iris_load_fw_to_memory(struct iris_core *core, const char *fw_name)
> > if (strlen(fw_name) >= MAX_FIRMWARE_NAME_SIZE - 4)
> > return -EINVAL;
> >
> > - ret = of_reserved_mem_region_to_resource(dev->of_node, 0, &res);
> > + ret = of_reserved_mem_region_to_resource(core->dev->of_node, 0, &res);
> > if (ret)
> > return ret;
> >
> > mem_phys = res.start;
> > res_size = resource_size(&res);
> >
> > + ctx_fw = devm_qcom_scm_pas_context_alloc(dev, pas_id, mem_phys, res_size);
> > + if (IS_ERR(ctx_fw))
> > + return PTR_ERR(ctx_fw);
> > +
> > ret = request_firmware(&firmware, fw_name, dev);
> > if (ret)
> > return ret;
> > @@ -52,9 +60,27 @@ static int iris_load_fw_to_memory(struct iris_core *core, const char *fw_name)
> > goto err_release_fw;
> > }
> >
> > - ret = qcom_mdt_load(dev, firmware, fw_name,
> > - pas_id, mem_virt, mem_phys, res_size, NULL);
> > + ctx_fw->use_tzmem = !!core->dev_fw;
> > + ret = qcom_mdt_pas_load(ctx_fw, firmware, fw_name, mem_virt, NULL);
We need to release the metadata because this is the change compared to
the previous qcom_mdt_load() API, which silently released DMA memory for
metadata in the pas_init SCM call for clients that passed metadata ctx
as NULL. Since with this new API every new client must pass the new pas
ctx, it cannot be NULL anymore. I intended to document this clearly when
introducing qcom_mdt_pas_load() API, but I did not do so. but thinking
it over again, we should not be asking client to release the memory
which they not allocated, so let me write a patch for this where I
client like remoteproc explicitly ask or set it if they do not want to
release this memory as their XPU locked and can only released after auth
and reset successful.
> > + if (ret)
> > +
> > + if (ctx_fw->use_tzmem) {
> > + domain = iommu_get_domain_for_dev(core->dev_fw);
> > + if (!domain) {
> > + ret = -ENODEV;
> > + goto err_mem_unmap;
> > + }
> > +
> > + ret = iommu_map(domain, IRIS_FW_START_ADDR, mem_phys, res_size,
> > + IOMMU_READ | IOMMU_WRITE | IOMMU_PRIV, GFP_KERNEL);
> > + if (ret)
> > + goto err_mem_unmap;
> > + }
> >
> > + core->ctx_fw = ctx_fw;
> > +
> > +err_mem_unmap:
> > memunmap(mem_virt);
> > err_release_fw:
> > release_firmware(firmware);
> > @@ -62,6 +88,19 @@ static int iris_load_fw_to_memory(struct iris_core *core, const char *fw_name)
> > return ret;
> > }
> >
> > +static void iris_fw_iommu_unmap(struct iris_core *core)
> > +{
> > + bool use_tzmem = core->ctx_fw->use_tzmem;
> > + struct iommu_domain *domain;
> > +
> > + if (!use_tzmem)
> > + return;
> > +
> > + domain = iommu_get_domain_for_dev(core->dev_fw);
> > + if (domain)
> > + iommu_unmap(domain, IRIS_FW_START_ADDR, core->ctx_fw->mem_size);
> > +}
> > +
> > int iris_fw_load(struct iris_core *core)
> > {
> > const struct tz_cp_config *cp_config;
> > @@ -79,10 +118,10 @@ int iris_fw_load(struct iris_core *core)
> > return -ENOMEM;
> > }
> >
> > - ret = qcom_scm_pas_auth_and_reset(core->iris_platform_data->pas_id);
> > + ret = qcom_scm_pas_prepare_and_auth_reset(core->ctx_fw);
> > if (ret) {
> > dev_err(core->dev, "auth and reset failed: %d\n", ret);
> > - return ret;
> > + goto err_unmap;
> > }
> >
> > for (i = 0; i < core->iris_platform_data->tz_cp_config_data_size; i++) {
> > @@ -93,17 +132,31 @@ int iris_fw_load(struct iris_core *core)
> > cp_config->cp_nonpixel_size);
> > if (ret) {
> > dev_err(core->dev, "qcom_scm_mem_protect_video_var failed: %d\n", ret);
> > - qcom_scm_pas_shutdown(core->iris_platform_data->pas_id);
> > - return ret;
> > + goto err_pas_shutdown;
> > }
> > }
> >
> > + return 0;
> > +
> > +err_pas_shutdown:
> > + qcom_scm_pas_shutdown(core->ctx_fw->pas_id);
> > +err_unmap:
> > + iris_fw_iommu_unmap(core);
> > +
> > return ret;
> > }
> >
> > int iris_fw_unload(struct iris_core *core)
> > {
> > - return qcom_scm_pas_shutdown(core->iris_platform_data->pas_id);
> > + int ret;
> > +
> > + ret = qcom_scm_pas_shutdown(core->ctx_fw->pas_id);
> > + if (ret)
> > + return ret;
> > +
> > + iris_fw_iommu_unmap(core);
> > +
> > + return ret;
> > }
> >
> > int iris_set_hw_state(struct iris_core *core, bool resume)
> >
> > --
> > 2.34.1
> >
>
> --
> -Mukesh Ojha
--
-Mukesh Ojha