core: arm: ffa: add test logical SP

Add a test LSP with UUID 54b5440e-a3d2-48d1-872a-7b6cbfc34855 to see
that LSPs can be found and reached from the normal world.

Signed-off-by: Jens Wiklander <jen

core: arm: ffa: add test logical SP

Add a test LSP with UUID 54b5440e-a3d2-48d1-872a-7b6cbfc34855 to see
that LSPs can be found and reached from the normal world.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: add nex_dyn_vaspace and tee_dyn_vaspace areas

Add MEM_AREA_NEX_DYN_VASPACE and MEM_AREA_TEE_DYN_VASPACE areas for
dynamic Nexus and TEE memory mapping. This will be used to map
additional heap

core: add nex_dyn_vaspace and tee_dyn_vaspace areas

Add MEM_AREA_NEX_DYN_VASPACE and MEM_AREA_TEE_DYN_VASPACE areas for
dynamic Nexus and TEE memory mapping. This will be used to map
additional heap and the stacks in later patches.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm32: force CFG_LPAE_ADDR_SPACE_BITS=32

AArch32/Arm7 can only use 32 bits for virtual addresses so force that
configuration to avoid inconsistencies.

Signed-off-by: Jens Wiklander <jens.wikl

core: arm32: force CFG_LPAE_ADDR_SPACE_BITS=32

AArch32/Arm7 can only use 32 bits for virtual addresses so force that
configuration to avoid inconsistencies.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: fix inline comment on async notif interrupt

Fixes the inline comment that describes allowed values for
CFG_CORE_ASYNC_NOTIF_GIC_INTID that can be a SPI or a secure PPI.

Fixes: 9439728550

core: arm: fix inline comment on async notif interrupt

Fixes the inline comment that describes allowed values for
CFG_CORE_ASYNC_NOTIF_GIC_INTID that can be a SPI or a secure PPI.

Fixes: 943972855082 ("core: notif: allow GIC_PPI usage for async notif")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: remove AArch32 support

The FF-A and AArch32 configuration was prior to this patch not compile
tested and not used upstream. So remove the AArch32 support for FF-A
configurations so save m

core: ffa: remove AArch32 support

The FF-A and AArch32 configuration was prior to this patch not compile
tested and not used upstream. So remove the AArch32 support for FF-A
configurations so save maintenance effort.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: unconditionally support manifest DT with FF-A

When configured for FF-A (CFG_CORE_FFA=y) unconditionally support
receiving at manifest device tree. This also makes CFG_DT=y mandatory
with FF-A.

core: unconditionally support manifest DT with FF-A

When configured for FF-A (CFG_CORE_FFA=y) unconditionally support
receiving at manifest device tree. This also makes CFG_DT=y mandatory
with FF-A.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Leisen <leisen1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: always save manifest DT with CFG_CORE_SEL2_SPMC=y

With CFG_CORE_SEL2_SPMC=y the manifest device tree is passed via boot
info from the SPMC at S-EL2. This manifest can contain configuration
nee

core: always save manifest DT with CFG_CORE_SEL2_SPMC=y

With CFG_CORE_SEL2_SPMC=y the manifest device tree is passed via boot
info from the SPMC at S-EL2. This manifest can contain configuration
needed later during boot, so save it always regardless of
CFG_CORE_PHYS_RELOCATABLE.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Leisen <leisen1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: support physically relocatable OP-TEE binary

With CFG_CORE_PHYS_RELOCATABLE=y enable support in OP-TEE to relocate
itself to allow it to run from physical address that differs from the
link ad

core: support physically relocatable OP-TEE binary

With CFG_CORE_PHYS_RELOCATABLE=y enable support in OP-TEE to relocate
itself to allow it to run from physical address that differs from the
link address.

This feature is currently only supported with CFG_CORE_SEL2_SPMC=y since
the TEE core has to know the range of available memory. With SPMC at EL2
this is accomplished via get_sec_mem_from_manifest(). An SPMC at S-EL2
may need to load OP-TEE at a different address depending on
configuration.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add driver for hafnium interrupt controller

Adds a driver for the paravirtualized interrupt controller provided by
Hafnium at S-EL2. The driver is enabled with CFG_CORE_HAFNIUM_INTC=y.

The in

core: add driver for hafnium interrupt controller

Adds a driver for the paravirtualized interrupt controller provided by
Hafnium at S-EL2. The driver is enabled with CFG_CORE_HAFNIUM_INTC=y.

The interrupt controller is limited compared to the GIC and only works
with interrupt ids which are already added in the SP manifest or as
predefined reserved interrupt ids.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add CFG_CORE_IRQ_IS_NATIVE_INTR

Adds CFG_CORE_IRQ_IS_NATIVE_INTR to configure how native and foreign are
signalled.
Selects if IRQ is used to signal native interrupt
if CFG_CORE_IRQ_IS_NATIVE_

core: add CFG_CORE_IRQ_IS_NATIVE_INTR

Adds CFG_CORE_IRQ_IS_NATIVE_INTR to configure how native and foreign are
signalled.
Selects if IRQ is used to signal native interrupt
if CFG_CORE_IRQ_IS_NATIVE_INTR == y:
IRQ signals a native interrupt pending
FIQ signals a foreign non-secure interrupt or a managed exit pending
else: (vice versa)
IRQ signals a foreign non-secure interrupt or a managed exit pending
FIQ signals a native interrupt pending

CFG_CORE_IRQ_IS_NATIVE_INTR replaces the places in the code where
CFG_ARM_GICV3 was used to configure how FIQ and IRQ was treated.

CFG_CORE_IRQ_IS_NATIVE_INTR is automatically configured according to
CFG_ARM_GICV3 if CFG_GIC == y. This prepares for other interrupt
controllers where it doesn't make sense to use CFG_ARM_GICV3.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: remove pager annotations

Configuration with pager and FF-A is currently not supported. Supporting
this would require extensions to the FF-A specification to be able to
load OP-TEE with pa

core: ffa: remove pager annotations

Configuration with pager and FF-A is currently not supported. Supporting
this would require extensions to the FF-A specification to be able to
load OP-TEE with paging enabled. So far we don't have any platforms with
FF-A which are memory constrained enough that paging can be motivated. If
this would change we'll have a good use case to test with when adding
pager support for FF-A.

Currently we have a few pager annotations (DECLARE_KEEP_PAGER() and
__*_unpaged) which are effectively unused. So save us from adding yet
more unused annotations by removing the few we have in the FF-A specific
code.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exce

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exception entry and once unmasked by software it cannot anymore be masked.

Side effects of this is that critical sections within the code cannot
re-enable FIQ mask.

FIQ is recommended to be masked during secure monitor execution.

ARMv8 architecture is not affected as the Non-maskable FIQ support is not
available in there.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add pointer authentication support

Previously pointer authentication was only supported for TAs. With this
patch add a configuration option CFG_CORE_PAUTH to enable support for
core. Each priv

core: add pointer authentication support

Previously pointer authentication was only supported for TAs. With this
patch add a configuration option CFG_CORE_PAUTH to enable support for
core. Each privileged thread has its own APIA key. There are also a
separate APIA key for each physical core used when handling an abort or
when using the tmp stack.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm.mk: Added CFG_MAX_CACHE_LINE_SHIFT for maximum cache line size

When sharing memory between CPU and peripherals it is important that data
is accurate for all parties.

Today's CPU's has multiple

arm.mk: Added CFG_MAX_CACHE_LINE_SHIFT for maximum cache line size

When sharing memory between CPU and peripherals it is important that data
is accurate for all parties.

Today's CPU's has multiple levels for caches and their sizes are platform
specific. As there is no auto detectable way to determine cache line size
during runtime so it must be defined during compilation time.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm.mk: set CFG_ARM32_core=y when CFG_ARM34_core != y

Updates core/arch/arm/arm.mk to assume 32-bit mode when not 64-bit and
simplify the platforms conf.mk accordingly.

Signed-off-by: Jerome

core: arm.mk: set CFG_ARM32_core=y when CFG_ARM34_core != y

Updates core/arch/arm/arm.mk to assume 32-bit mode when not 64-bit and
simplify the platforms conf.mk accordingly.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm.mk: set CFG_WITH_LPAE=y when CFG_ARCH64_core=y

Since CFG_WITH_LPAE=y is mandatory when CFG_ARCH64_core=y, set it in the
common file core/arch/arm/arm.mk instead of leaving it to the platfo

core: arm.mk: set CFG_WITH_LPAE=y when CFG_ARCH64_core=y

Since CFG_WITH_LPAE=y is mandatory when CFG_ARCH64_core=y, set it in the
common file core/arch/arm/arm.mk instead of leaving it to the platforms.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any o

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any overhead and the behaviour is unchanged. With
CFG_MEMTAG=y a check is performed to see if the platform can support MTE
and the API is dynamically configured accordingly. This means that it's
safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There
will be some minimal overhead then, but likely not noticeable.

An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32
property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The
property is set to a non-zero value only if CFG_CORE_MEMTAG is
configured and the underlying CPU supports FEAT_MTE.

This commit still only uses the default tag with the value 0 resulting
in unchanged pointers when accessing memory. However, all plumbing is in
place allowing for instance tagging of the heap in a later commit.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: spectre-bhb software workaround

Expands the config option CFG_CORE_WORKAROUND_SPECTRE_BP_SEC to cover
CVE-2022-23960 (aka Spectre-BHB) too since both have much in common.

Spectre-BHB is

core: arm: spectre-bhb software workaround

Expands the config option CFG_CORE_WORKAROUND_SPECTRE_BP_SEC to cover
CVE-2022-23960 (aka Spectre-BHB) too since both have much in common.

Spectre-BHB is another speculation attack on branch prediction. Further
details can be found at [1].

The software workaround added for CPUs vulnerable to Spectre-V2 covers
Spectre-BHB too. New software workaround is only needed for CPUs immune to
Spectre-V2, but not so to Spectre-BHB.

The Spectre-V2 workaround is to invalidate the entire branch predictor
table. Most new CPU immune to Spectre-V2 but vulnerable to Spectre-BHB
can avoid invalidating the entire branch predictor table, instead is
this invalidation replaced by a loop designed to exhaust the branch
predictor in a way that the exploit isn't possible any longer.

Link: [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb

Fixes: CVE-2022-23960
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add support for SPMC at EL3

Adds support for SPMC at EL3 with CFG_CORE_EL3_SPMC. This is from OP-TEE
point of view almost identical to CFG_CORE_SEL2_SPMC with SPMC at S-EL2.

The previously S-

core: add support for SPMC at EL3

Adds support for SPMC at EL3 with CFG_CORE_EL3_SPMC. This is from OP-TEE
point of view almost identical to CFG_CORE_SEL2_SPMC with SPMC at S-EL2.

The previously S-EL2 specific functions mobj_ffa_sel2_spmc_new() and
mobj_ffa_sel2_spmc_delete() are renamed to mobj_ffa_spmc_new() and
mobj_ffa_spmc_delete() respectively since they are no longer reserved to
used only with SPMC at S-EL2.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add basic pointer authentication support for TA's

APIAKey is used for usespace TA's where these keys are generated
for every TA at load time. The TEE core maintains the key value
for each TA is resp

Add basic pointer authentication support for TA's

APIAKey is used for usespace TA's where these keys are generated
for every TA at load time. The TEE core maintains the key value
for each TA is responsible for storing/restorign them during
switch to EL0 and back.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: the FF-A ABI is now a stable ABI

The OP-TEE FF-A driver in the Linux kernel has been merged, so the
changes in the ABI towards the Linux kernel from now on have to be
backwards compatible.

Ac

core: the FF-A ABI is now a stable ABI

The OP-TEE FF-A driver in the Linux kernel has been merged, so the
changes in the ABI towards the Linux kernel from now on have to be
backwards compatible.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add asynchronous notifications

Adds support for asynchronous notifications from secure world to normal
world. This allows a design with a top half and bottom half type of
driver where the top

core: add asynchronous notifications

Adds support for asynchronous notifications from secure world to normal
world. This allows a design with a top half and bottom half type of
driver where the top half runs in secure interrupt context and a
notifications tells normal world to schedule a yielding call to do the
bottom half processing.

The protocol is defined in optee_msg.h optee_rpc_cmd.h and optee_smc.h.

A notification consists of a 32-bit value which normal world can
retrieve using a fastcall into secure world. OP-TEE is currently only
supporting the value 0-63 where 0 has a special meaning. When 0 is sent
it means that normal world is supposed to make a yielding call
OPTEE_MSG_CMD_DO_BOTTOM_HALF.

The notification framework in OP-TEE defines an interface where drivers
can register a callback which is called on each yielding bottom half
call.

Notification capability is negotiated with the normal world while it
initializes its driver. If both sides supports these notifications then
they are enabled.

CFG_CORE_ASYNC_NOTIF_GIC_INTID is added to define the hardware interrupt
used to notify normal world. This is added to the DTB in case OP-TEE can
is configured with CFG_DT=y. Other cases requires the normal world DTB
to be kept in sync with this.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm64: bti: Support building user mode libraries with BTI

When running with BTI enabled we need to ask the compiler to enable
generation of BTI landing pads. With this option enabled, all C
source f

arm64: bti: Support building user mode libraries with BTI

When running with BTI enabled we need to ask the compiler to enable
generation of BTI landing pads. With this option enabled, all C
source files compiled for user mode libraries or Trusted Application
will be compiled with BTI.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm64: bti: Support building TEE core C files with BTI

When running with BTI enabled we need to ask the compiler to enable
generation of BTI landing pads. With this option enabled, all C
source file

arm64: bti: Support building TEE core C files with BTI

When running with BTI enabled we need to ask the compiler to enable
generation of BTI landing pads. With this option enabled, all C
source files compiled for TEE Core including the kernel versions
of libraries such as libutils.a will be compiled with BTI. This
also includes ldelf loader C files.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move debug info and CC optimization level to config.mk

Move configuration switches CFG_DEBUG_INFO and CFG_CC_OPT_LEVEL
default values from arm.mk to config.mk and add a short description.

Sig

core: move debug info and CC optimization level to config.mk

Move configuration switches CFG_DEBUG_INFO and CFG_CC_OPT_LEVEL
default values from arm.mk to config.mk and add a short description.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...