Squashed commit upgrading to mbedtls-3.6.2

Squash merging branch import/mbedtls-3.6.2.

85df256c4a67 ("libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MEBDTLS_UNSAFE_MODEXP")
1e9c6f15ef0f ("libm

Squashed commit upgrading to mbedtls-3.6.2

Squash merging branch import/mbedtls-3.6.2.

85df256c4a67 ("libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MEBDTLS_UNSAFE_MODEXP")
1e9c6f15ef0f ("libmbedtls: allow inclusion of arm_neon.h")
fab5313d7598 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
58c8b24bac04 ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
50e013c6c306 ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
c363a3c7e7e1 ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
91d9fe4fad38 ("libmbedtls: add SM2 curve")
b03fbd7006aa ("libmbedtls: fix no CRT issue")
bed9eb0c5209 ("libmbedtls: add interfaces in mbedtls for context memory operation")
65e7ec82d894 ("libmedtls: mpi_miller_rabin: increase count limit")
5e0191a043cb ("libmbedtls: add mbedtls_mpi_init_mempool()")
bf7ce25bb90f ("libmbedtls: make mbedtls_mpi_mont*() available")
04a9845a09b4 ("mbedtls: configure mbedtls to reach for config")
3f98104bba82 ("mbedtls: remove default include/mbedtls/config.h")
4d211f365152 ("Import mbedtls-3.6.2")

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: build with CFG_VERAISON_ATTESTATION_PTA=y

Add a build configuration CFG_VERAISON_ATTESTATION_PTA=y.

Signed-off-by: Yuichi Sugiyama <yuichis@ricsec.co.jp>
Reviewed-by: Jerome Forissier <jerome.f

ci: build with CFG_VERAISON_ATTESTATION_PTA=y

Add a build configuration CFG_VERAISON_ATTESTATION_PTA=y.

Signed-off-by: Yuichi Sugiyama <yuichis@ricsec.co.jp>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: qemuv8: add configurations with CFG_ULIBS_SHARED=y

Add configurations to the QEMUv8 job to test shared library support with
GCC as well as Clang. Shared libraries are somewhat already tested by

ci: qemuv8: add configurations with CFG_ULIBS_SHARED=y

Add configurations to the QEMUv8 job to test shared library support with
GCC as well as Clang. Shared libraries are somewhat already tested by
xtest 1022 which performs dlopen()/dlsym() on a custom library, but
CFG_ULIBS_SHARED=y will thoroughly test the loading and symbol resolution
at TA load time.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: bump scp-firmware to release tag v2.15.0

Sync CI test SCP-firmware source tree with latest release tag v2.15.0
instead of the previously selected commit SHA1 that we synced on before
a release t

ci: bump scp-firmware to release tag v2.15.0

Sync CI test SCP-firmware source tree with latest release tag v2.15.0
instead of the previously selected commit SHA1 that we synced on before
a release tag integrating OP-TEE support latest changes was available
in that repository.

By the way, clone the repo with a depth of 1 since it is enough for CI
tests needs.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: add a QEMUv8 check job built with Clang

The CI image on the Docker Hub has been updated to contain Clang 18.1.7
in /usr/bin [1] [2]. Let's add a job to build OP-TEE with this compiler
and run th

ci: add a QEMUv8 check job built with Clang

The CI image on the Docker Hub has been updated to contain Clang 18.1.7
in /usr/bin [1] [2]. Let's add a job to build OP-TEE with this compiler
and run the test suite for arm64 (QEMUv8).

Link: https://github.com/jforissier/docker_optee_os_ci/commit/fdb34bcf25f1 [1]
Link: https://hub.docker.com/r/jforissier/optee_os_ci/tags?name=qemu_check [2]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: qemuv7: exclude xtest pkcs11_1007

Exclude xtest case pkcs11_1007 from qemuv7 CI tests since we're facing
sporadic failures on this test on PKCS#11 sessions opening and release.
Occurrences of th

ci: qemuv7: exclude xtest pkcs11_1007

Exclude xtest case pkcs11_1007 from qemuv7 CI tests since we're facing
sporadic failures on this test on PKCS#11 sessions opening and release.
Occurrences of this issue have been found only on this Armv7-A platform.
Once the issue is solved, we be able to restore this test.

Link: https://github.com/OP-TEE/optee_os/issues/6952
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ci: build with CFG_RPMB_WRITE_KEY=y

Add a build configuration CFG_RPMB_WRITE_KEY=y.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.

ci: build with CFG_RPMB_WRITE_KEY=y

Add a build configuration CFG_RPMB_WRITE_KEY=y.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci: add build with Mbed TLS and crypto extensions

Build for QEMUv8 with Mbed TLS as the core crypto library and
cryptographic extensions enabled. This would have caught the issue fixed
in commit 021

ci: add build with Mbed TLS and crypto extensions

Build for QEMUv8 with Mbed TLS as the core crypto library and
cryptographic extensions enabled. This would have caught the issue fixed
in commit 021fee0affe5 ("core: mbedtls: Fix build").

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: add i.MX91 EVK build

Add PLATFORM=imx-mx91evk build.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

ci: add i.MX95 EVK build

Add PLATFORM=imx-mx95evk build.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

ci: upgrade actions/cache@v3 to v4

Upgrade the "cache" action to address the CI warning:

"""
The following actions uses Node.js version which is deprecated and
will be forced to run on node20: acti

ci: upgrade actions/cache@v3 to v4

Upgrade the "cache" action to address the CI warning:

"""
The following actions uses Node.js version which is deprecated and
will be forced to run on node20: actions/cache@v3. For more info: [1]
"""

Link: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/ [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core/scmi: export sub.mk files in SCP-firmware

In order to ease the update of makefile when C or Header files of
SCP-firmware project changes, we integrate them in the optee subdirectory
of SCP-firm

core/scmi: export sub.mk files in SCP-firmware

In order to ease the update of makefile when C or Header files of
SCP-firmware project changes, we integrate them in the optee subdirectory
of SCP-firmware.

sub-optee-fvp.mk and sub-optee-stm32mp1.mk are moved unchanged in their
product directories of SCP-repository.

scmi-server/sub.mk is split:
- macro and compilation flags stay in optee-os
- srcs and incdirs are moved in product/optee directory

All modules and products related to optee are located in the
product/optee directory in the SCP-firmware repository, adding an "optee-"
prefix in the product name is useless. Remove it.

the ci will temporary point to the sha1 of the merged MR branch of
SCP-firmware. This will be replaced with next SCP-firmware tag v2.15.0
once released.

Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ci: set FORCE_UNSAFE_CONFIGURE=1

The newer version of Buildroot recently selected in the OP-TEE manifest
[1] does not allow building as root by default (apparently this is not
a Buildroot policy but

ci: set FORCE_UNSAFE_CONFIGURE=1

The newer version of Buildroot recently selected in the OP-TEE manifest
[1] does not allow building as root by default (apparently this is not
a Buildroot policy but rather defined in some packages included in
Buildroot). While this makes sense in general, we could not care less in
a CI container. Therefore set the appropriate environment variable to
bypass this check. We could as well change the Docker image to build as
a non-root user but let's just pick the easiest way for now.

Link: https://github.com/OP-TEE/manifest/pull/281 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: xen: test FF-A mediator with SPMC_AT_EL=1

Add a test for Xen FF-A mediator with SPMC_AT_EL=1.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Volodymyr Babchuk <volodymyr_ba

ci: xen: test FF-A mediator with SPMC_AT_EL=1

Add a test for Xen FF-A mediator with SPMC_AT_EL=1.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: make sure tee_entry_get_os_revision() uses a proper TEE_IMPL_GIT_SHA1

tee_entry_get_os_revision() stores TEE_IMPL_GIT_SHA1 into a 32 or
64-bit register, depending on the platform. Unfortunatel

core: make sure tee_entry_get_os_revision() uses a proper TEE_IMPL_GIT_SHA1

tee_entry_get_os_revision() stores TEE_IMPL_GIT_SHA1 into a 32 or
64-bit register, depending on the platform. Unfortunately the command
that creates TEE_IMPL_GIT_SHA1 does not provide any guarantee that the
value will fit. For instance it can happen that 8 characters are not
enough to disambiguate two commits in the repository, in which case
git rev-parse --short=8 will happily return 9 or more characters. In
this case a 32-bit build would display a warning and TEE_IMPL_GIT_SHA1
would be truncated in a way we don't want (discarding the most
significant bits).

Therefore, make sure TEE_IMPL_GIT_SHA1 is exactly 8 or 16 hexadecimal
characters (plus the leading 0x).

The OPTEE_FFA_GET_OS_VERSION operation in handle_blocking_call() has to
be modified since the output is a 32-bit register, and SPMC being a 64-bit
TEE core, TEE_IMPL_GIT_SHA1 is a 64-bit value too.

CI needs updating to avoid the following error:

fatal: detected dubious ownership in repository at
'/__w/optee_os/optee_os'

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Closes: https://github.com/OP-TEE/optee_os/issues/6783
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci: add QEMUv7 job

Add a job to build and run tests with QEMU for Arm v7 (32-bit). The
build flags are imported from the IBART job definition [1] since
IBART is being deprecated. CFG_ENABLE_EMBEDDED

ci: add QEMUv7 job

Add a job to build and run tests with QEMU for Arm v7 (32-bit). The
build flags are imported from the IBART job definition [1] since
IBART is being deprecated. CFG_ENABLE_EMBEDDED_TESTS=n is dropped
however.

The job uses a new container image from the Docker Hub:
jforissier/optee_os_ci:qemu_check [2]. The source code (Dockerfile)
is at [3]. It is almost the same as the one used for QEMUv8
(jforissier/optee_os_ci:qemuv8_check2) except that
it contains a more generic "get_optee.sh [<platform>] [<destination>]"
script (which can clone any patform) and also includes two missing
packages that are required for QEMUv7 build (libgmp-dev and libmpc-dev).
The QEMUv8 jobs will be updated to switch to the newer image in a
subsequent commit.

Link: https://github.com/jbech-linaro/ibart/blob/b585163626341864790398df6489c9556e0b20f1/jobdefs/examples/optee_qemu.yaml#L40C26-L40C176 [1]
Link: https://hub.docker.com/r/jforissier/optee_os_ci/tags?page=1&name=qemu_check [2]
Link: https://github.com/jforissier/docker_optee_os_ci/tree/qemu_check [3]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

ci.yml: add a make command to build HPRE code

Add a make command of CFG_HISILICON_ACC_V3=y

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

ci.yml: add a make command to build HPRE code

Add a make command of CFG_HISILICON_ACC_V3=y

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: remame WD to OPTEE_OS_TO_TEST

WD is not a very good variable name, it stands for "working directory"
but does not express what this directory contains. Use OPTEE_OS_TO_TEST
instead, since it is

ci: remame WD to OPTEE_OS_TO_TEST

WD is not a very good variable name, it stands for "working directory"
but does not express what this directory contains. Use OPTEE_OS_TO_TEST
instead, since it is actually the optee_os directory checked out by CI
(i.e., the current branch or PR to test).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

ci: update QEMUv8 jobs to use newer Docker image

Update the QEMUv8 jobs to use the newer Docker image:
jforissier/optee_os_ci:qemu_check, which has a more generic script to
clone the OP-TEE environm

ci: update QEMUv8 jobs to use newer Docker image

Update the QEMUv8 jobs to use the newer Docker image:
jforissier/optee_os_ci:qemu_check, which has a more generic script to
clone the OP-TEE environment [1].

Link: https://github.com/jforissier/docker_optee_os_ci/blob/qemu_check/get_optee.sh [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

ci: qemuv8: add test case with CFG_WITH_PAGER=y

Add a "make check" test with pager enabled on QEMUv8.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.

ci: qemuv8: add test case with CFG_WITH_PAGER=y

Add a "make check" test with pager enabled on QEMUv8.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

ci: add RISC-V build (rv64, PLATFORM=virt)

Add a 64-bit build of OP-TEE for the RISC-V architecture.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienn

ci: add RISC-V build (rv64, PLATFORM=virt)

Add a 64-bit build of OP-TEE for the RISC-V architecture.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: qemuv8: preventively avoid "no space left on device" errors

During my testing of build.git PR 731 ("optee_rust_examples_ext: Fix Rust
toolchain conflicts"), I noticed that the "no space left on

ci: qemuv8: preventively avoid "no space left on device" errors

During my testing of build.git PR 731 ("optee_rust_examples_ext: Fix Rust
toolchain conflicts"), I noticed that the "no space left on device"
error was triggered yet again (obviously due to more size being taken on
the disk by the Rust toolchain and the OP-TEE Rust examples).

Therefore, preventively apply the same fix as for other jobs. This way
the CI should pass when 731 is merged.

Link: https://github.com/OP-TEE/build
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

ci: update actions/checkout@v3 to v4

Updatate the "checkout" action to fix the following warning:

Node.js 16 actions are deprecated. Please update the following
actions to use Node.js 20: actions

ci: update actions/checkout@v3 to v4

Updatate the "checkout" action to fix the following warning:

Node.js 16 actions are deprecated. Please update the following
actions to use Node.js 20: actions/checkout@v3. [...]

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci: xen: fix "no space left in device" error"

We recently hit a "No space left on device" error with the
QEMUv8_Xen_check job. Apply the same workaround than in commit
a03aafed30c2 ("ci: hafnium: fi

ci: xen: fix "no space left in device" error"

We recently hit a "No space left on device" error with the
QEMUv8_Xen_check job. Apply the same workaround than in commit
a03aafed30c2 ("ci: hafnium: fix "no space left on device" error") and
commit 788069fa88ed ("ci: rust: fix "no space left in device" error").

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: do not add $HOME/.cargo/bin to $PATH

Since [1] there is no need to add $HOME/.cargo/bin to the user's PATH
anymore. Therefore remove the corresponding lines from the CI scripts.

Link: https://g

ci: do not add $HOME/.cargo/bin to $PATH

Since [1] there is no need to add $HOME/.cargo/bin to the user's PATH
anymore. Therefore remove the corresponding lines from the CI scripts.

Link: https://github.com/OP-TEE/build/commit/xxxx [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...