core: riscv: spinlock.S: use REGOFF for stack push and pop

In __cpu_spin_lock(), using STR/LDR and RISCV_XLEN_BYTES, it seems
that it wants to adopt the RV64 or RV32 environment, but missing the
shi

core: riscv: spinlock.S: use REGOFF for stack push and pop

In __cpu_spin_lock(), using STR/LDR and RISCV_XLEN_BYTES, it seems
that it wants to adopt the RV64 or RV32 environment, but missing the
shift byte for differ environmnt. therefore remove the const value and
using REGOFF() macro to fit the RV32/RV64 environment.

Signed-off-by: Randolph Lin <randolph@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: arm64: increase thread stack size with KASAN/check-stacks

Increase STACK_THREAD_SIZE from 10 KiB to 12 KiB when
CFG_CORE_SANITIZE_KADDRESS is enabled.

With the previous size, some regression

core: arm64: increase thread stack size with KASAN/check-stacks

Increase STACK_THREAD_SIZE from 10 KiB to 12 KiB when
CFG_CORE_SANITIZE_KADDRESS is enabled.

With the previous size, some regression tests (for example
regression_1006 "Test Basic OS features") may fail due to stack
canary corruption caused by the additional stack usage from
instrumentation.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp2: conf: default enable CFG_STM32_I2C for stm32mp2 family

Default enable STM32 I2C driver on STM32MP2 platforms.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by

plat-stm32mp2: conf: default enable CFG_STM32_I2C for stm32mp2 family

Default enable STM32 I2C driver on STM32MP2 platforms.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

dts: stm32: add i2c1 to i2c3 nodes in stm32mp211.dtsi

The STM32MP23x has a total of 3 instances of I2C.
Add all of them in stm32mp231.dtsi.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.c

dts: stm32: add i2c1 to i2c3 nodes in stm32mp211.dtsi

The STM32MP23x has a total of 3 instances of I2C.
Add all of them in stm32mp231.dtsi.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

dts: stm32: add i2c1, i2c2, i2c7 and i2c8 nodes in stm32mp231.dtsi

The STM32MP23x has a total of 4 instances of I2C.
Add all of them in stm32mp231.dtsi.

Signed-off-by: Thomas Bourgoin <thomas.bourg

dts: stm32: add i2c1, i2c2, i2c7 and i2c8 nodes in stm32mp231.dtsi

The STM32MP23x has a total of 4 instances of I2C.
Add all of them in stm32mp231.dtsi.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

dts: stm32: add i2c1 to i2c8 nodes in stm32mp251.dtsi

The STM32MP25x has a total of 8 instances of I2C hence add all
of them in stm32mp251.dtsi.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss

dts: stm32: add i2c1 to i2c8 nodes in stm32mp251.dtsi

The STM32MP25x has a total of 8 instances of I2C hence add all
of them in stm32mp251.dtsi.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_i2c: fallback to interrupt access when no bottom half

Change stm32_i2c driver to allow I2C transfers in interrupt context
before bottom half thread is initialized and after it's relea

drivers: stm32_i2c: fallback to interrupt access when no bottom half

Change stm32_i2c driver to allow I2C transfers in interrupt context
before bottom half thread is initialized and after it's released.

This can be needed by PMIC driver to handle PMCI interrupt events
when bottom half thread is not supported by normal wold.
In that case, PMIC driver would need to register its interrupt to
stm32_i2c driver.

Thread accesses to the bus still start by locking the I2C bus mutex.
Before using the bus, the sequence now masks the PMIC interrupt and
polls (with timeout) on I2C bus access atomic lock. This lock
may be held by an I2C transfer currently executing in an interrupt
context. A 100ms timeout is short enough to also allow
debug console traces in the interrupt sequence. Masking the interrupt
before polling the lock ensures no new pending interrupt will interrupt
us (and execute a I2C transfer) while the thread context accesses the
I2C bus.

Interrupt accesses to the bus atomically set/clear the I2C bus access
lock while executing the interrupt sequence.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_i2c: add support of stm32mp2 family

Add compatible st,stm32mp25-i2c to support stm32mp2x SoCs.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carri

drivers: stm32_i2c: add support of stm32mp2 family

Add compatible st,stm32mp25-i2c to support stm32mp2x SoCs.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

core: fs_htree: fix incorrect data type in create_and_sync

Fixes an incorrect data type used in the create_and_sync function.
When this function calls tee_fs_htree_sync_to_storage, it may invoke
tee

core: fs_htree: fix incorrect data type in create_and_sync

Fixes an incorrect data type used in the create_and_sync function.
When this function calls tee_fs_htree_sync_to_storage, it may invoke
tee_fs_htree_close to free the input hash tree in error cases.
Therefore, the input type should be struct tee_fs_htree **ht_arg
to handle these scenarios correctly.

Link: https://github.com/OP-TEE/optee_os/issues/7512
Fixes: 5a9d570a8d7f ("core: fs_htree: re-init hash tree when both tag and counter are zero")

Signed-off-by: Ox Yeh <ox.yeh@mediatek.com>
Reviewed-by: Menson Chen <menson.chen@mediatek.com>
Reviewed-by: Rayan Hu <rayan.hu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-ti: Fix initialisation order

Since commit 358cdcd2b079 ("core: arm32: initialize secure monitor
late") TI platforms have been broken due to only initialising the
HUK in `init_sec_mon` after the

plat-ti: Fix initialisation order

Since commit 358cdcd2b079 ("core: arm32: initialize secure monitor
late") TI platforms have been broken due to only initialising the
HUK in `init_sec_mon` after the SSK has been derived/generated from
it in the `tee_fs_init_key_manager` service init.

Move initialisation of HUK into an `early_init` registration to
restore the correct order of operations.

Secure monitor initialisation cannot be moved into the
`early_init()` as the secure monitor stack is not yet initialised.

Link: https://github.com/OP-TEE/optee_os/issues/7587

Signed-off-by: Alistair Higgins <Alistair_Higgins@trimble.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make boot_arg_nsec_entry globally accessible

Required on TI platforms that need access to access the boot
arguments in an `early_init()` call.
Need the boot args to memory-map and initialise t

core: make boot_arg_nsec_entry globally accessible

Required on TI platforms that need access to access the boot
arguments in an `early_init()` call.
Need the boot args to memory-map and initialise the HUK before
it is used in the `tee_fs_init_key_manager` service init.

Signed-off-by: Alistair Higgins <Alistair_Higgins@trimble.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-telechips: fix spelling mistake

Fix a spelling mistake in the tcmktool.py script.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@lina

plat-telechips: fix spelling mistake

Fix a spelling mistake in the tcmktool.py script.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: rsa_verify_hash: fix panic on hash length difference

Fixing coupled conditions in rsa_verify_hash_ex():
inc1 was set to 1 in situations when ftmn_set_check_res_memcmp() was not
executed a

core: ltc: rsa_verify_hash: fix panic on hash length difference

Fixing coupled conditions in rsa_verify_hash_ex():
inc1 was set to 1 in situations when ftmn_set_check_res_memcmp() was not
executed and leading to a panic in FTMN_CALLEE_DONE_CHECK()

Signed-off-by: Vladislavas Putys <vputys@witekio.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: guard sp_session field state with spinlock

Accesses to the state field in struct sp_session is often guarded with a
spinlock, but there are a few places with it's missing. So, add the
mis

core: ffa: guard sp_session field state with spinlock

Accesses to the state field in struct sp_session is often guarded with a
spinlock, but there are a few places with it's missing. So, add the
missing spinlocks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by:

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: fix direct request error code for S-EL0 SP

Direct requests to S-EL0 SPs are delivered using a thread. If no thread
is available return FFA_BUSY, to let the caller know that it should try

core: ffa: fix direct request error code for S-EL0 SP

Direct requests to S-EL0 SPs are delivered using a thread. If no thread
is available return FFA_BUSY, to let the caller know that it should try
again. This should normally never happen, but let's do our best for a
corner case.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: support dynamic protected memory lending

With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.

A new internal struct mobj_ffa_rsm is added to handle dynamic protected
memory f

core: support dynamic protected memory lending

With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.

A new internal struct mobj_ffa_rsm is added to handle dynamic protected
memory for FF-A.

A new internal struct mobj_protmem is add to handle dynamic protected
memory without FF-A.

Lending non-secure memory to OP-TEE to use it as protected memory means
that it should to become inaccessible by the normal world as part of the
process. This part is currently not supported, since it must be done in
a platform specific way for platforms that support that. QEMU don't
support that.

Adding two platform specific functions, plat_get_protmem_config() and
plat_set_protmem_range() for dynamic protected memory. The functions has
__weak implementation to allow easier testing. However,
plat_set_protmem_range() requires CFG_INSECURE=y since it doesn't change
memory protection.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: refactor struct mobj_ffa

Moves the non-secure shared memory specific fields of struct mobj_ffa
into the new struct mobj_ffa_shm which in turn embeds struct mobj_ffa.

This prepares for an

core: arm: refactor struct mobj_ffa

Moves the non-secure shared memory specific fields of struct mobj_ffa
into the new struct mobj_ffa_shm which in turn embeds struct mobj_ffa.

This prepares for another derivate of struct mobj_ffa that deals with
another kind of memory.

No change in functionality.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ABI description for dynamic protected memory

Extend the SMC and FF-A ABI to handle dynamic protected memory lending.
The capability bits OPTEE_SMC_SEC_CAP_DYNAMIC_PROTMEM and
OPTEE_FFA_SEC_CAP

core: ABI description for dynamic protected memory

Extend the SMC and FF-A ABI to handle dynamic protected memory lending.
The capability bits OPTEE_SMC_SEC_CAP_DYNAMIC_PROTMEM and
OPTEE_FFA_SEC_CAP_PROTMEM respectively tells its availability.

OPTEE_MSG_CMD_GET_PROTMEM_CONFIG tells the minimal size and required
alignment of protected memory to lend.

For the SMC ABI, OPTEE_MSG_CMD_LEND_PROTMEM lends protected memory
and OPTEE_MSG_CMD_RECLAIM_PROTMEM returns the memory to normal world use.

For the FF-A ABI, FFA_LEND framework request followed by
OPTEE_MSG_CMD_ASSIGN_PROTMEM lends protected memory and
OPTEE_FFA_RELEASE_PROTMEM followed by the FFA_RECLAIM framework
request returns the memory to normal world use.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: SMC ABI to return protected memory configuration

Extend the SMC ABI to return the protect memory configuration.

A capability bit, OPTEE_SMC_SEC_CAP_PROTMEM, is added to announce that
the

core: arm: SMC ABI to return protected memory configuration

Extend the SMC ABI to return the protect memory configuration.

A capability bit, OPTEE_SMC_SEC_CAP_PROTMEM, is added to announce that
the new SMC fast call OPTEE_SMC_GET_PROTMEM_CONFIG is available.
OPTEE_SMC_GET_PROTMEM_CONFIG returns the physical memory range of
reserved protected memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: sync ABI description files

Syncs the ABI description files optee_ffa.h and optee_msg.h with their
counterpart in the Linux kernel driver. Small changes in comments and
introduction of uint8_t

core: sync ABI description files

Syncs the ABI description files optee_ffa.h and optee_msg.h with their
counterpart in the Linux kernel driver. Small changes in comments and
introduction of uint8_t octets[24] as an alternative to struct
optee_msg_param_value value.

No ABI changes or extensions.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

plat: rpi5: add basic Raspberry Pi 5 support

RPi5 is based on new BCM2712 SoC which is based on quad Cortex-A76.

BCM2712 still does not provide secure memory so we are free to locate
OP-TEE anythin

plat: rpi5: add basic Raspberry Pi 5 support

RPi5 is based on new BCM2712 SoC which is based on quad Cortex-A76.

BCM2712 still does not provide secure memory so we are free to locate
OP-TEE anything we want. It would be most beneficial to locate OP-TEE
right after TF-A, at address 0x80000, but RPi5 loader places kernel
there and it's location can't be changed.

According to PCB silkscreen, RPi5 boards can have 1GB, 2GB, 4GB or 8GB
of memory. To be compatible with any variant, OP-TEE is placed close
to the end of the first gigabyte.

BCM2712 uses PL011 as debug UART so we enable its driver.

According to specification, BCM2712 includes cryptography extensions,
but this basic port does not enable them.

As there is no way to load OP-TEE image into memory during boot
process, TF-A with OPTEE_ALLOW_SMC_LOAD=1 option should be used. In
this case OP-TEE can be loaded via Linux kernel or U-Boot.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Co-developed-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

mmu: ignore VA spaces in core_mmu_get_type_by_pa

VA spaces have no valid PA addresses stored in memory map, so they are
not valid return values for core_mmu_get_type_by_pa() function.

This issues w

mmu: ignore VA spaces in core_mmu_get_type_by_pa

VA spaces have no valid PA addresses stored in memory map, so they are
not valid return values for core_mmu_get_type_by_pa() function.

This issues was discovered when OP-TEE tried to access a device tree
that was stored at the very beginning of physical address space. In
may case it had PA address 0x112C0, which was "covered" by
RES_VASPACE:

D/TC:0 0 dump_mmap_table:838 type RES_VASPACE va 0x1d800000..0x1e1fffff pa 0x00000000..0x009fffff size 0x00a00000 (pgdir)

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: ele: remove sab_init() initialization

ELE firmware has been divided into 2 firmwares for i.MX8ULP and i.MX95:
Primary and secondary firmware.
SAB init command is in Secondary firmware, whic

drivers: ele: remove sab_init() initialization

ELE firmware has been divided into 2 firmwares for i.MX8ULP and i.MX95:
Primary and secondary firmware.
SAB init command is in Secondary firmware, which will be loaded when
rootfs comes up, so this command is not available when OP-TEE is
initializing.
Moreover, we are not using any ELE command which is available in
secondary firmware, So removing sab_init() function.
Will add it when it will be used in driver.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: ele: update struct get_info_rsp{} fields

There has been an addition of PQC related fields in
Get Info Command response for i.MX95.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Ac

drivers: ele: update struct get_info_rsp{} fields

There has been an addition of PQC related fields in
Get Info Command response for i.MX95.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...