| #
59724f22 |
| 20-Mar-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: dynamic allocation of thread_core_local and its stacks
With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local and the two stacks, tmp_stack and abt_stack, recorded in it.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| #
ea991d74 |
| 21-Mar-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: remove THREAD_CORE_LOCAL_STACKCHECK_RECURSION
THREAD_CORE_LOCAL_STACKCHECK_RECURSION was introduced in the commit b5ec8152f3e5 ("core: arm: refactor boot"). However, clearing the stackcheck_recursion flag from assembly during boot isn't needed since the stack pointer is set up in synch with the recorded information in thread_core_local. So remove the unnecessary clearing and remove THREAD_CORE_LOCAL_STACKCHECK_RECURSION.
Reported-by: Alvin Chang <alvinga@andestech.com> Closes: https://github.com/OP-TEE/optee_os/commit/b5ec8152f3e5ad8cc111952f0483f5cf903aac7c#r154088026 Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
358cdcd2 |
| 22-Jan-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm32: initialize secure monitor late
Initialize the secure monitor as late as possible before exiting to the normal world. This is needed in later patches where the stacks aren't statically allocated.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
b5ec8152 |
| 22-Jan-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: refactor boot
Introduce CFG_BOOT_INIT_THREAD_CORE_LOCAL0 to indicate that thread_core_local[0] is initialized before the boot_init_* functions are called.
thread_init_core_local_stacks() and thread_init_thread_core_local() are replaced by a new version of thread_init_thread_core_local() for CFG_BOOT_INIT_THREAD_CORE_LOCAL0=y.
Move initialization of thread_core_local[] from very early to boot_init_primary_late() where various DTBs containing run-time configuration are available. This will be needed in later patches when the number of configured cores can be read from DT or some other run-time configuration.
Move the "OP-TEE version" print and following code from boot_init_primary_late() to boot_init_primary_final()
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
d17db2af |
| 03-Dec-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: ffa: use SMC Calling Convention 1.2
Add struct thread_smc_1_2_regs as a replacement for struct thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs covers the registers x0-x17 to support passing arguments and results according to SMC Calling Convention (SMCCC) version 1.2.
The difference is that before this change x8-x17 couldn't be used as argument nor result and the content was preserved. With this patch x8-x17 are returned as zeroes. New FF-A SMCs can take and return values in the full range x0-x17.
64-bit SMCCC version 1.1 and earlier specified x4-x17 as unpredictable or scratch registers. FF-A has specified x0-x7 as argument and result registers, regardless of SMCCC. This has changed with SMCCC version 1.2 where the two standards harmonize on this.
struct thread_smc_1_2_regs is added in a 32-bit version for compatibility, but it only covers r0-r7.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
06056296 |
| 05-Oct-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: fix style issues in asm-defines.c
Fixing a few cases of alignment that doesn't match open parenthesis.
Fixes: c02f9fb09df2 ("arm: add auto generated asm-defines.h") Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
1d184480 |
| 05-Oct-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: ffa: preserve 64bit smccc when possible
Prior to this patch when a FFA_MSG_SEND_DIRECT_REQ_64 was received the response was sent as FFA_MSG_SEND_DIRECT_RESP_32. While not breaking with the FF-A specification, it's still a bit unexpected and will cause an error in the FF-A framework driver. So fix this by keeping track of the SMCCC (SMC Calling Convention) used during the current FFA_MSG_SEND_DIRECT_REQ and respond with matching SMCCC.
This has no impact on AArch32 mode since only the 32-bit SMCCC is valid in that case. The greatest impact on AArch64 is that we must be able to find out the current SMCCC during RPC, this means storing it in struct thread_core_local to be able to access it in assembly low level routines.
Support for FFA_MSG_SEND_DIRECT_REQ_64 is also advertised in FFA_FEATURES.
Fixes: 15da69cff2ca ("core: ffa: Enable handling 64-bit direct messages") Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
f9f2a146 |
| 24-Aug-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: support larger values for CFG_TEE_CORE_NB_CORE
With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes too large to be used as an immediate value in add and sub assembly instructions. This is handled by using the new add_imm and sub_imm macros where needed. But the add_imm and sub_imm macros can't handle complex defines so CORE_MMU_BASE_TABLE_OFFSET must be evaluated in asm-defines.c first.
This should fix errors like:
core/arch/arm/kernel/thread_a64.S: Assembler messages:
core/arch/arm/kernel/thread_a64.S:339: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:347: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:355: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:372: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:379: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:386: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:660: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:732: Error: immediate out of range
make: *** [mk/compile.mk:165: out/core/arch/arm/kernel/thread_a64.o] Error 1
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Gowthami <gthiagarajan@marvell.com> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
4d028847 |
| 18-Apr-2023 |
Imre Kis <imre.kis@arm.com> |
core: spmc: handle non-secure interrupts
Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure interrupts and for resuming to the secure world. If a secure partition is preempted by a non-secure interrupt OP-TEE saves the SP's state and sends an FFA_INTERRUPT to the normal world. After handling the interrupt the normal world should send an FFA_RUN to OP-TEE so it can continue running the SP. If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the non-secure interrupts are signaled by the existing OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of FFA_INTERRUPT.
Signed-off-by: Imre Kis <imre.kis@arm.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
c79fb6d4 |
| 11-Apr-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: rename load_offset in struct core_mmu_config
Renames the field load_offset in struct core_mmu_config to the more accurate name map_offset.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| #
ab5363c6 |
| 19-Dec-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce scall layer from svc parts
Introduces a scall layer by renaming various thread_svc* names and _*handle_svc() functions and function pointers as a first step in doing architecture neutral syscall processing.
The name scall is used instead of syscall since the syscall_ prefix is reserved for the functions implementing the actual syscall, while scall is the infrastructure used to reach the syscall functions.
No files are renamed and removed at this stage. This patch doesn't change any behaviour.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
93dc6b29 |
| 23-Sep-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add pointer authentication support
Previously pointer authentication was only supported for TAs. With this patch add a configuration option CFG_CORE_PAUTH to enable support for core. Each privileged thread has its own APIA key. There is also a separate APIA key for each physical core used when handling an abort or when using the tmp stack.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
ce08459a |
| 24-Mar-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: spectre-bhb software workaround
Expands the config option CFG_CORE_WORKAROUND_SPECTRE_BP_SEC to cover CVE-2022-23960 (aka Spectre-BHB) too since both have much in common.
Spectre-BHB is another speculation attack on branch prediction. Further details can be found at [1].
The software workaround added for CPUs vulnerable to Spectre-V2 covers Spectre-BHB too. A new software workaround is only needed for CPUs immune to Spectre-V2, but not so to Spectre-BHB.
The Spectre-V2 workaround is to invalidate the entire branch predictor table. Most new CPUs immune to Spectre-V2 but vulnerable to Spectre-BHB can avoid invalidating the entire branch predictor table; instead this invalidation is replaced by a loop designed to exhaust the branch predictor in a way that the exploit isn't possible any longer.
Link: [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
Fixes: CVE-2022-23960 Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
28f6da21 |
| 11-Jan-2022 |
Jerome Forissier <jerome@forissier.org> |
core: arm64: suppress text relocations caused by restore_mapping macro
Suppress the text relocations caused by 'ldr x0, =1f' in macro restore_mapping when CFG_CORE_UNMAP_CORE_AT_EL0=y. Since this occurs when switching from the reduced kernel mapping to the full mapping, the code offset needs to be loaded from somewhere readily accessible at that point, that is the stack.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Suggested-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Sumit Garg <sumit.garg@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
528dabb2 |
| 08-Mar-2022 |
Jerome Forissier <jerome@forissier.org> |
core: suppress text relocation on stack_tmp_export
stack_tmp_export is a pointer so it is associated with a dynamic relocation when position-independent code is generated (ASLR). Moreover, this symbol is in the .identity_map section, which is part of .text after the final link. To get rid of this TEXTREL, remove stack_tmp_export and compute the corresponding value in assembly instead from stack_tmp and constants defined in core/arch/arm/kernel/asm-defines.c.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
7e399f9b |
| 01-Feb-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: move thread_private.h to an include directory
Moves core/arch/arm/kernel/thread_private.h to an include directory to be included as <kernel/thread_private.h>.
Reviewed-by: Jerome Forissier <jerome@forissier.org> Acked-by: Marouene Boubakri <marouene.boubakri@nxp.com> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
2b06f9de |
| 10-Jan-2022 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
Add basic pointer authentication support for TA's
APIAKey is used for userspace TA's where these keys are generated for every TA at load time. The TEE core maintains the key value for each TA and is responsible for storing/restoring them during switch to EL0 and back.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b8ed3f09 |
| 27-Aug-2021 |
Jerome Forissier <jerome@forissier.org> |
core: arm64: remove duplicate definition of THREAD_CTX_SIZE
Following commit 1b302ac09816 ("core: enable FF-A with SPM Core at S-EL1"), the THREAD_CTX_SIZE macro is now defined twice on arm64 (in $(out-dir)/core/include/generated/asm-defines.h).
Kill the definition in the #ifdef ARM64 block and keep the common one.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
59ac3801 |
| 21-Dec-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: split boot_init_primary()
Splits boot_init_primary() into boot_init_primary_early() and boot_init_primary_late(). The thread#0 stack pointer is assigned as stack pointer before boot_init_primary_late() is called. This allows functions registered to be called by call_finalcalls() to depend on the full thread stack being available.
Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
04752110 |
| 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
core: arm64: preserve user space TPIDR_EL0
Preparing for C++ support in TAs.
Preserves the value of TPIDR_EL0 set by user space by saving and restoring the register in case of syscall or foreign interrupt.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
651d7537 |
| 07-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove boot_get_handlers()
struct thread_handlers is used to pass the entry functions for different power management events. In practice only .cpu_on is used and with the default function at that. In the ARMv7 case where the secure monitor replaces TF-A not even that function entry is used.
Remove struct thread_handlers and boot_get_handlers(). When configured with TF-A initialize thread_*_handler_ptr with __weak default functions.
The __weak default PM functions
- thread_cpu_off_handler()
- thread_cpu_suspend_handler()
- thread_cpu_resume_handler()
- thread_system_off_handler()
- thread_system_reset_handler()
can be overridden by platforms when needed.
Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1b302ac0 |
| 02-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: enable FF-A with SPM Core at S-EL1
Adds support for using FF-A as transport instead of using the proprietary SMCs defined in optee_smc.h.
The configuration supports the case where SPM Core is implemented at S-EL1, that is, inside OP-TEE. This configuration is also known as "S-EL1 SPMC" in the FF-A 1.0 specification [1].
Compile with CFG_CORE_SEL1_SPMC=y
Note that this is an experimental feature, ABIs etc may have incompatible changes
Link: [1] https://static.docs.arm.com/den0077/a/DEN0077A_PSA_Firmware_Framework_Arm_v8-A_1.0_EAC.pdf
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
65401337 |
| 07-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove generic_ from generic_boot
Now that the CFG_GENERIC_BOOT configuration flag has been removed also remove "generic_" prefix from and in the related files.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
e94702a4 |
| 18-Sep-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: thread_enter_user_mode(): avoid leaking register content
Prior to this patch not all registers passed to user mode were assigned a new value. This allows user mode to see the value of some registers used by Core. With this patch all general purpose registers available in user mode are either cleared or assigned a value.
Acked-by: Pipat Methavanitpong <pipat.methavanitpong@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
5966660c |
| 21-Oct-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: move relocation to embedded data region
The relocation sections are placed last in the linker script to be kept out of the way for the other sections. The relocation sections are interpreted by gen_tee_bin.py and converted into a more compact data structure which is stored in the embedded data region.
For each relocation, only one 32-bit offset is kept. Compared to the standard ELF format, the size of the relocation table is either halved (Rel32 type: two 32-bit words per entry) or divided by 6 (Rel64 type: three 64-bit words per entry).
Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|