core: ffa: guard sp_session field state with spinlock

Accesses to the state field in struct sp_session is often guarded with a
spinlock, but there are a few places with it's missing. So, add the
mis

core: ffa: guard sp_session field state with spinlock

Accesses to the state field in struct sp_session is often guarded with a
spinlock, but there are a few places with it's missing. So, add the
missing spinlocks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by:

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

spmc: fix FF-A manifest boot-order handling

According to the official manifest binding documentation [1], all
integer properties must be defined as 32-bit wide DTB properties.
However, the OP-TEE SP

spmc: fix FF-A manifest boot-order handling

According to the official manifest binding documentation [1], all
integer properties must be defined as 32-bit wide DTB properties.
However, the OP-TEE SPMC previously implemented the boot-order property
as a 16-bit value. This patch corrects that inconsistency by adding
support for the correct 32 bit representation while keeping backwards
compatibility.

Recent changes in TF-A’s build tooling have broken support for manifest
files using the "/bits/" width specifier. This update restores
compatibility by eliminating the need to use them.

[1] FF-A Manifest Binding
Link: https://trustedfirmware-a.readthedocs.io/en/v2.12.0/components/ffa-manifest-binding.html

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: ffa: add framework for Logical SPs

Add a framework to register Logical Secure Partitions in parallel with
OP-TEE at S-EL1. This is akin to Pseudo TAs, it provides an ABI but it's
part of

core: arm: ffa: add framework for Logical SPs

Add a framework to register Logical Secure Partitions in parallel with
OP-TEE at S-EL1. This is akin to Pseudo TAs, it provides an ABI but it's
part of the OP-TEE binary. A critical difference is that it's only
available for FF-A and can only use the non-threaded environment, that
is, no mutexes or RPC.

The logical OP-TEE core partition is registered in the framework. The
SPMC is also registered in the framework, but with a nil UUID so it's
not returned by FFA_PARTITION_INFO_GET.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: ffa: sp_partition_info_get() takes uuid_words[]

Replace the TEE_UUID *ffa_uuid parameter with uint32_t ffa_uuid_words[4]
to simplify how sp_partition_info_get() is called.

Signed-off-by: Jens

core: ffa: sp_partition_info_get() takes uuid_words[]

Replace the TEE_UUID *ffa_uuid parameter with uint32_t ffa_uuid_words[4]
to simplify how sp_partition_info_get() is called.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: ffa: add spmc_is_reserved_id()

Add spmc_is_reserved_id() and replace direct checks against spmd_id and
spmc_id. spmd_id and spmc_id are changed to static variables since they
don't need to be

core: ffa: add spmc_is_reserved_id()

Add spmc_is_reserved_id() and replace direct checks against spmd_id and
spmc_id. spmd_id and spmc_id are changed to static variables since they
don't need to be exported any longer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: arm: ffa: switch to FF-A version 1.2

Update FF-A minor version from 1 to 2. spmc_exchange_version() is
updated to take the new version into account when negotiating with a
caller.

Configurati

core: arm: ffa: switch to FF-A version 1.2

Update FF-A minor version from 1 to 2. spmc_exchange_version() is
updated to take the new version into account when negotiating with a
caller.

Configurations with SPMC at EL3 and S-EL2 supplies an SP manifest when
booting OP-TEE, read the FF-A version to use from the manifest instead
of using the hard coded version.

The configuration with SPMC at S-EL1, part of OP-TEE, keep the FF-A
version at version 1.1 when configured with CFG_NS_VIRTUALIZATION=y as
workaround to remain compatible with Xen. This workaround will not be
needed after the next Xen release and can be removed then.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: ffa: use SMC Calling Convention 1.2

Add struct thread_smc_1_2_regs as a replacement for struct
thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs
covers the registers

core: arm: ffa: use SMC Calling Convention 1.2

Add struct thread_smc_1_2_regs as a replacement for struct
thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs
covers the registers x0-x17 to support passing arguments and results
according to SMC Calling Convention (SMCCC) version 1.2.

The difference is that before this change x8-x17 couldn't be used as
argument nor result and the content was preserved. With this patch are
x8-x17 returned as zeroes. New FF-A SMCs can take and return values in
the full range x0-x17.

64-bit SMCCC version 1.1 and earlier specified x4-x17 as unpredictable
or scratch registers. FF-A has specified x0-x7 as argument and result
registers, regardless of SMCCC. This has changed with SMCCC version 1.2
where the two standards harmonize on this.

struct thread_smc_1_2_regs is added in a 32-bit version for
compatibility, but it only covers r0-r7.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: mm: replace MEM_AREA_TA_RAM

Replace MEM_AREA_TA_RAM with MEM_AREA_SEC_RAM_OVERALL.

All read/write secure memory is covered by MEM_AREA_SEC_RAM_OVERALL,
sometimes using an aliased map. But sec

core: mm: replace MEM_AREA_TA_RAM

Replace MEM_AREA_TA_RAM with MEM_AREA_SEC_RAM_OVERALL.

All read/write secure memory is covered by MEM_AREA_SEC_RAM_OVERALL,
sometimes using an aliased map. But secure read-only or execute core
memory is not covered as that would defeat the purpose of
CFG_CORE_RWDATA_NOEXEC.

Since the partition TA memory isn't accessed via MEM_AREA_TA_RAM any
longer, don't map it using the partition specific map.

This is needed later where unification of OP-TEE core and physical TA
memory is possible.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: replace tee_mm_sec_ddr with phys_mem functions

Replace the tee_mm_sec_ddr mm pool with the phys_mem functions. This
doesn't change the behaviour.

Signed-off-by: Jens Wiklander <jens.wiklander

core: replace tee_mm_sec_ddr with phys_mem functions

Replace the tee_mm_sec_ddr mm pool with the phys_mem functions. This
doesn't change the behaviour.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: handle BTI/PAUTH info in SP manifest

Provide information to the SP whether BTI and PAUTH are enabled in
OP-TEE by updating the relevant DT node in the SP manifest.
This way the SP can de

core: spmc: handle BTI/PAUTH info in SP manifest

Provide information to the SP whether BTI and PAUTH are enabled in
OP-TEE by updating the relevant DT node in the SP manifest.
This way the SP can detect if the required protection is not available.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: Enable pointer authentication for SPs

Add support to pauth keys for SPs if pointer authentication is enabled.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etien

core: Enable pointer authentication for SPs

Add support to pauth keys for SPs if pointer authentication is enabled.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: Enable BTI for binary SPs

Enable BTI (Branch Target Identification) if the
GP attribute is set and the region is executable.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Et

core: spmc: Enable BTI for binary SPs

Enable BTI (Branch Target Identification) if the
GP attribute is set and the region is executable.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: handle VM availability messages for SPs

The VM availability messages sent by the hypervisor to an SP should be
forwarded to the SP, if the SP has subscribed for these based on the SP
mani

core: ffa: handle VM availability messages for SPs

The VM availability messages sent by the hypervisor to an SP should be
forwarded to the SP, if the SP has subscribed for these based on the SP
manifest.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: ffa: read S-EL0 SP properties from manifest

So far the properties of S-EL0 SPs have been hardcoded when queried by
FFA_PARTITION_INFO_GET. This was supposed to be a temporary workaround,
so re

core: ffa: read S-EL0 SP properties from manifest

So far the properties of S-EL0 SPs have been hardcoded when queried by
FFA_PARTITION_INFO_GET. This was supposed to be a temporary workaround,
so replace this with reading the properties from the SP's manifest which
is the proper solution.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception level as the SPMC. This means that the SPMC and the SP
should have separate FF-A IDs, i.e. the SPMC ID and a normal endpoint ID
for the SP. The SPMC ID is described in the SPMC manifest which gets
parsed by the SPMD, so this ID should be queried from the SPMD. OP-TEE's
endpoint ID is assigned by the SPMC.

Currently OP-TEE's FF-A endpoint ID and the SPMC ID are mixed together
and hardcoded, this patch implements the correct ID handling mechanism
as described above.

Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: pta: drop benchmark

Drop Benchmark PTA as current implementation is non-function
and obsolete, and it's not supported anymore.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: E

core: pta: drop benchmark

Drop Benchmark PTA as current implementation is non-function
and obsolete, and it's not supported anymore.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>

show more ...

core: ffa: Read FF-A version from the SP manifest

Read the SP's FF-A version from the ffa-version property of the SP
manifest. This property is mandatory according to the FF-A
specification.
SPs are

core: ffa: Read FF-A version from the SP manifest

Read the SP's FF-A version from the ffa-version property of the SP
manifest. This property is mandatory according to the FF-A
specification.
SPs are still able to do runtime version negotiation via the FFA_VERSION
interface.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: implement boot-order support

Add support for boot-order property specified in the
SP manifest.

Signed-off-by: Gabor Ambrus <gabor.ambrus@arm.com>
Signed-off-by: Gabor Toth <gabor.toth2@

core: spmc: implement boot-order support

Add support for boot-order property specified in the
SP manifest.

Signed-off-by: Gabor Ambrus <gabor.ambrus@arm.com>
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sp: fix raw binary format SP loader

Loading a compressed raw binary format SP fails when read_compressed()
in embedded_ts.c is trying to allocate memory using bb_alloc(), since
the bounce buff

core: sp: fix raw binary format SP loader

Loading a compressed raw binary format SP fails when read_compressed()
in embedded_ts.c is trying to allocate memory using bb_alloc(), since
the bounce buffer in this user_mode_ctx is uninitialized. For ELF format
SPs ldelf is taking care of this, let's add the necessary initialization
to the raw binary format loader too.

Fixes: ef44161f847b ("core: update ts_store API with user space buffer")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: rename tos_fw_config_dt to manifest_dt

Renames tos_fw_config_dt to manifest_dt as a preparation for coming
patches to let it represent all device tree manifests provided in an
FF-A configurati

core: rename tos_fw_config_dt to manifest_dt

Renames tos_fw_config_dt to manifest_dt as a preparation for coming
patches to let it represent all device tree manifests provided in an
FF-A configuration.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Leisen <leisen1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: Set initial SP state to busy

Set initial SP state to busy in order to prevent sending messages to
uninitialized SPs.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander

core: spmc: Set initial SP state to busy

Set initial SP state to busy in order to prevent sending messages to
uninitialized SPs.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: update ts_store API with user space buffer

Updates the read() function pointer in struct ts_store_ops to take an
user space buffer in addition to the previous core buffer. Core buffers
are nor

core: update ts_store API with user space buffer

Updates the read() function pointer in struct ts_store_ops to take an
user space buffer in addition to the previous core buffer. Core buffers
are normal secure memory while user space buffers should only be accessed
using the user_access.h functions.

The different TA storage implementations are updated accordingly.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: sp: implement FF-A v1.1 boot protocol

Implement passing the boot info to Secure Partitions in the new format
defined by FF-A v1.1. The change is backwards compatible by keeping the
already exi

core: sp: implement FF-A v1.1 boot protocol

Implement passing the boot info to Secure Partitions in the new format
defined by FF-A v1.1. The change is backwards compatible by keeping the
already existing FF-A v1.0 format too. Which format to use is decided
based on the "ffa-version" field in the SP's manifest. The register to
use for passing the boot info blob's address is based on the
"gp-register-num" field.

Link: https://trustedfirmware-a.readthedocs.io/en/latest/components/ffa-manifest-binding.html#partition-properties
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: sp: fix session handling in sp_first_run

Currently the error handling after sp_enter() calls vm_unmap() without
activating the correct session with ts_push_current_session(), fix this.
Also fi

core: sp: fix session handling in sp_first_run

Currently the error handling after sp_enter() calls vm_unmap() without
activating the correct session with ts_push_current_session(), fix this.
Also fix the returned error code to use TEE_* instead of FFA_*.

Fixes: 6d618ba1d612 ("core: sp: map device regions from SP manifest")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...