| #
ed89aa36 |
| 19-Aug-2025 |
Yeoreum Yun <yeoreum.yun@arm.com> |
core: arm: stmm_sp: return FFA_NOT_SUPPORTED for undefined FFA functions
edk2's patch ("ArmFfaLib: Add Rx/Tx support for Stmm secure partition") [0] added Rx/Tx buffer mapping support to ArmFfaStandaloneMm(Core)Lib.
However, stmm_sp does not require Rx/Tx buffer mapping and its SVC handler is lightweight. Therefore, when it receives an undefined FFA function, it is sufficient to return FFA_NOT_SUPPORTED to StandaloneMm instead of panicking.
This also aligns with the FF-A specification, which requires returning FFA_NOT_SUPPORTED when an unimplemented function ID is received.
If StandaloneMm fails to initialize, it will return FFA_ERROR. In this case, there is no way to keep the stmm_sp TA alive, so panic is called. Otherwise, StandaloneMm will return with DIRECT_MSG_RESP.
Link: https://github.com/tianocore/edk2/pull/11080/commits/75ca159e57dbe081b89373046280f34d67571852 [0]
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Mikko Rapeli <mikko.rapeli@linaro.org>
|
| #
aa6d7fc3 |
| 11-Sep-2024 |
Levi Yun <yeoreum.yun@arm.com> |
core: applies FF-A v1.2 features on StandaloneMm
edk2's StandaloneMm will be applied with FF-A v1.2. While applying, StandaloneMm doesn't create the PHIT hob by itself anymore, but it should be passed from another software stack.
To make StandaloneMm run properly, create Hob information and deliver it using FF-A Boot protocol according to FF-A specification [1].
Also, apply FF-A management protocol to change it [2] to get/set memory permission instead of using DIRECT_REQ_MSG.
Also, implement some FF-A ABIs to communicate with StandaloneMm properly.
Link: https://developer.arm.com/documentation/den0077/latest [1]
Link: https://developer.arm.com/documentation/den0140/latest [2]
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
|
| #
bef959c8 |
| 02-Dec-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: ffa: switch to FF-A version 1.2
Update FF-A minor version from 1 to 2. spmc_exchange_version() is updated to take the new version into account when negotiating with a caller.
Configurations with SPMC at EL3 and S-EL2 supply an SP manifest when booting OP-TEE; read the FF-A version to use from the manifest instead of using the hard coded version.
The configuration with SPMC at S-EL1, part of OP-TEE, keeps the FF-A version at version 1.1 when configured with CFG_NS_VIRTUALIZATION=y as a workaround to remain compatible with Xen. This workaround will not be needed after the next Xen release and can be removed then.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
04e46975 |
| 16-Dec-2024 |
Etienne Carriere <etienne.carriere@foss.st.com> |
tree-wide: use ROUNDUP_DIV() where applicable
Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
956c2d50 |
| 12-Jun-2024 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: fix race condition on TA/PTA/StMM context loading
Fix race condition on creation of a context for single instance TAs, PTAs or StMM application. Such race condition could occur and lead to duplicated contexts if connected close enough that they are created after tee_ta_init_session() calls tee_ta_init_session_with_context() and before the contexts are added in the centralized context list.
This is realized by keeping tee_ta_mutex held while tee_ctxes list is looked up for matching a context or a new context is added into that list with its .is_initializing field activated. For that purpose user TA and StMM application initialization functions are split in 2 functions, the 2nd one used to finalize the context creation started in the 1st function.
By the way, add inline description comments and fix indentation issues in user_ta.h and remove the inline comment in pseudo_ta.c that refers to TA loading whereas the function relates to PTA contexts creation.
Closes: https://github.com/OP-TEE/optee_os/issues/6801
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
fee55718 |
| 14-May-2024 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: make is_initializing field a generic service context
Replace fields is_initializing from struct user_mode_ctx and struct stmm_ctx with a common new field is_initializing in generic struct tee_ta_ctx so that it can be used in generic context loading functions for contexts whose initialization is done with tee_ta_mutex released.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
d0989b48 |
| 08-Nov-2023 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: arm: stmm_sp: fix calls to tee_pobj_get()
Fixes calls to tee_pobj_get() that use boolean value false as argument where an enum tee_pobj_usage argument is expected.
Between OP-TEE release tags 2.4.0 and 3.11.0, tee_pobj_get() used to take a boolean @temporary argument. The function prototype changed in commit 6885abf2f7ef ("core: tee_pobj_get() takes an enum tee_pobj_usage") and was merged in release tag 3.11.0 but initial implementation of StMM support [1] and its related source file renaming [2] sadly used the old prototype, using false (0) instead of TEE_POBJ_USAGE_OPEN (0).
Fixes: 42471ecf25b7 ("core: load stmm via secure partition") [1]
Fixes: f9cd31c5310d ("core: rename secure_partition to stmm_sp") [2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
b2284b11 |
| 17-Jul-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: update FS storage API with user space buffer
Updates the create(), read(), and write() function pointers in struct ts_store_ops to take a user space buffer in addition to the previous core buffer. Core buffers are normal secure memory while user space buffers should only be accessed using the user_access.h functions.
The different FS storage implementations are updated accordingly.
Note that the RPMB FS storage implementation resorts to using enter_user_access() and exit_user_access() due to internal complexities.
Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| #
8f31ccb0 |
| 25-Jan-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add StMM to reported services
Adds StMM to the list of services reported by the device pseudo TA.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
ab5363c6 |
| 19-Dec-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce scall layer from svc parts
Introduces a scall layer by renaming various thread_svc* names and _*handle_svc() functions and function pointers as a first step in doing architecture neutral syscall processing.
The name scall is used instead of syscall since the syscall_ prefix is reserved for the functions implementing the actual syscall, while scall is the infrastructure used to reach the syscall functions.
No files are renamed and removed at this stage. This patch doesn't change any behaviour.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a951fe52 |
| 16-Nov-2022 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: arm: stmm: use mempool to decompress stmm image
Changes StMM management to have zlib using default mempool to allocate buffers for StMM image decompression. This is useful as the process can require buffers of several kilobytes.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
27c1358c |
| 18-Nov-2022 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: arm: stmm: preserve usr_lr register in stmm context
Adds management of CPU user mode LR register when executing StMM.
Generic function __thread_enter_user_mode() does not load that register in the user mode context while StMM expects it is preserved between exit and next entry. Therefore this change loads and saves that register into StMM context from stmm_enter_user_mode() while in thread entry atomic context.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
f5154eb3 |
| 08-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: call tee_pager_rem_um_regions() from vm_info_final()
Moves the call to tee_pager_rem_um_regions() into vm_info_final() from free_utc() and stmm_ctx_destroy().
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
60d3fc69 |
| 08-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: initialize struct user_mode_ctx with vm_info_init()
Broadens the scope of vm_info_init() to initialize the entire struct user_mode_ctx.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
6105aa86 |
| 12-Apr-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: map TA memory using TEE_MATTR_MEM_TYPE_TAGGED
Maps TA memory using the TEE_MATTR_MEM_TYPE_TAGGED which results in tagged cached memory if the system has it enabled.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
39e8c200 |
| 01-Feb-2022 |
Jerome Forissier <jerome@forissier.org> |
core: tag ops structures with __relrodata_unpaged
Global structures currently tagged with __rodata_unpaged need to use __relrodata_unpaged instead because they contain pointers which are subject to relocation when CFG_CORE_ASLR=y. Doing so moves them out of .rodata which will now stay unmodified even with ASLR turned on.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
7e399f9b |
| 01-Feb-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: move thread_private.h to an include directory
Moves core/arch/arm/kernel/thread_private.h to an include directory to be included as <kernel/thread_private.h>.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
9c4aaf67 |
| 11-Jan-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: make mobj_get_va() more secure
Adds a length parameter to allow mobj_get_va() to check that the entire va range requested is available.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
2452979f |
| 09-Dec-2021 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
core: stmm: Increase the shared number of pages
Currently we only allow single page sharing for the StandAloneMM non-secure world buffer. There are cases on EFI variables though for which this isn't enough. For example an EFI signature list (.esl) containing more than two keys would fail since the payload is larger than a single page. So let's bump the number to something more reasonable.
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
| #
7213740b |
| 12-May-2021 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: separate sp_ops using a __weak attribute instead
Breaks the dependency chain for sp_ops using the standard method with a __weak symbol and an overriding symbol in link_dummies_paged.c.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, pager, Clang 12)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
6abfa44e |
| 12-May-2021 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: separate stmm_sp_ops using a __weak attribute instead
Breaks the dependency chain for stmm_sp_ops using the standard method with a __weak symbol and an overriding symbol in link_dummies_paged.c.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
27c64925 |
| 12-May-2021 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: use separate sections for each __rodata_unpaged variable
Adds a mandatory argument to the macro __rodata_unpaged() to take the name of the variable to put in the unpaged rodata section. This will result in separate sections for each such variable and make it easier to debug the pruning of the dependency tree for unpaged sections.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
d5ad7ccf |
| 10-Jan-2021 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: rename struct tee_pager_area to vm_paged_region
Renames struct tee_pager_area to struct vm_paged_region and moves it next to the declaration of struct vm_region. Since areas are now called paged regions or regions also rename functions, variables and struct members accordingly.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
409c619b |
| 09-Apr-2021 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: stmm: Remove pager constraint on stmm_sp_ops
Fix a memory layout issue when CFG_WITH_STMM_SP=y and CFG_WITH_PAGER=y.
Before this change, all StMM operation function handlers and their related resources were linked into the pager unpaged sections even though they could be pageable. The reason is stmm_sp_ops is referenced in helper function is_stmm_ctx() which is referenced in unpaged helper function is_user_mode_ctx().
This change removes stmm_sp_ops reference pager constraint by using an indirect reference in is_stmm_ctx().
Declare stmm_dump_state() in pager unpaged section and preserve __rodata_unpaged attribute for stmm_sp_ops since ::dump_state operation is called from unpaged context by abort_print_current_ts().
Co-developed-by: Timothée Cercueil <timothee.cercueil@st.com>
Signed-off-by: Timothée Cercueil <timothee.cercueil@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
4e994fd8 |
| 19-Jan-2021 |
Jelle Sels <jelle.sels@arm.com> |
core: Rename abort_print_current_ta
Rename abort_print_current_ta to abort_print_current_ts as it is used by both SPs and TAs.
Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|