core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration
parameter with CFG_DYN_CONFIG=y in later patches.

The array threads[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Tested-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: virt-aware FF-A thread_foreign_intr_exit()

thread_foreign_intr_exit() is called after the thread state has been
saved and the thread is suspended. With virtualization enabled
(CFG_NS_VIRT

core: arm: virt-aware FF-A thread_foreign_intr_exit()

thread_foreign_intr_exit() is called after the thread state has been
saved and the thread is suspended. With virtualization enabled
(CFG_NS_VIRTUALIZATION=y) the virt_unset_guest() is also called. After
this, the guests thread contexts aren't available any longer. For FF-A
thread_foreign_intr_exit() needs a few fields from the suspend threads
context so extract those before suspending the thread and pass them as
parameters for thread_foreign_intr_exit().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: support larger values for CFG_TEE_CORE_NB_CORE

With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the
marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes to large to
be us

core: support larger values for CFG_TEE_CORE_NB_CORE

With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the
marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes to large to
be used as an immediate value in add and sub assembly instructions. This
is handle by using the new add_imm and sub_imm macros where needed. But
the add_imm and sub_imm macros can't handle complex defines so
CORE_MMU_BASE_TABLE_OFFSET must be evaluated in asm-defines.c first.

This should fix errors like:
core/arch/arm/kernel/thread_a64.S: Assembler messages:
core/arch/arm/kernel/thread_a64.S:339: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:347: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:355: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:372: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:379: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:386: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:660: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:732: Error: immediate out of range
make: *** [mk/compile.mk:165: out/core/arch/arm/kernel/thread_a64.o] Error 1

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Gowthami <gthiagarajan@marvell.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: interrupt: rename itr_core_handler()

Renames itr_core_handler() to interrupt_main_handler() as a later
change will modify interrupt chip API functions using interrupt_
as prefix.

Reviewed-by:

core: interrupt: rename itr_core_handler()

Renames itr_core_handler() to interrupt_main_handler() as a later
change will modify interrupt chip API functions using interrupt_
as prefix.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add CFG_CORE_IRQ_IS_NATIVE_INTR

Adds CFG_CORE_IRQ_IS_NATIVE_INTR to configure how native and foreign are
signalled.
Selects if IRQ is used to signal native interrupt
if CFG_CORE_IRQ_IS_NATIVE_

core: add CFG_CORE_IRQ_IS_NATIVE_INTR

Adds CFG_CORE_IRQ_IS_NATIVE_INTR to configure how native and foreign are
signalled.
Selects if IRQ is used to signal native interrupt
if CFG_CORE_IRQ_IS_NATIVE_INTR == y:
IRQ signals a native interrupt pending
FIQ signals a foreign non-secure interrupt or a managed exit pending
else: (vice versa)
IRQ signals a foreign non-secure interrupt or a managed exit pending
FIQ signals a native interrupt pending

CFG_CORE_IRQ_IS_NATIVE_INTR replaces the places in the code where
CFG_ARM_GICV3 was used to configure how FIQ and IRQ was treated.

CFG_CORE_IRQ_IS_NATIVE_INTR is automatically configured according to
CFG_ARM_GICV3 if CFG_GIC == y. This prepares for other interrupt
controllers where it doesn't make sense to use CFG_ARM_GICV3.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: add thread_hvc()

Adds thread_hvc() which is the same as thread_smc() except that it uses
the HVC instruction instead of the SMC instruction. This is useful where
an SPMC at S-EL2 expects

core: arm: add thread_hvc()

Adds thread_hvc() which is the same as thread_smc() except that it uses
the HVC instruction instead of the SMC instruction. This is useful where
an SPMC at S-EL2 expects and HVC instead of SMC for certain functions.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce scall layer from svc parts

Introduces a scall layer by renaming various thread_svc* names and
_*handle_svc() functions and function pointers as a first step in doing
architecture neu

core: introduce scall layer from svc parts

Introduces a scall layer by renaming various thread_svc* names and
_*handle_svc() functions and function pointers as a first step in doing
architecture neutral syscall processing.

The name scall is used instead of syscall since the syscall_ prefix is
reserved for the functions implementing the actual syscall. While scall
is the infrastructure used to reach the syscall functions.

No files are renamed and removed at this stage. This patch doesn't
change any behaviour.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add pointer authentication support

Previously pointer authentication was only supported for TAs. With this
patch add a configuration option CFG_CORE_PAUTH to enable support for
core. Each priv

core: add pointer authentication support

Previously pointer authentication was only supported for TAs. With this
patch add a configuration option CFG_CORE_PAUTH to enable support for
core. Each privileged thread has its own APIA key. There are also a
separate APIA key for each physical core used when handling an abort or
when using the tmp stack.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add missing pauth key saving in foreign interrupt handler

When a foreign interrupt (non-secure) is trapped in OP-TEE the state of
the current thread is saved similarly to when an RPC is perfor

core: add missing pauth key saving in foreign interrupt handler

When a foreign interrupt (non-secure) is trapped in OP-TEE the state of
the current thread is saved similarly to when an RPC is performed.

With pointer authentication enabled two more registers which are part of
the current context, APIAKEYHI-EL1 and APIAKEYLO-EL1, are added. These
registers contains a key needed for pointer authentication. This key is
unique per context so it must always be saved and restored when
switching context.

Prior to this patch the step where this key is saved in the foreign
interrupt handler was missing, so fix this by adding the missing step.

Fixes: 2b06f9dede33 ("Add basic pointer authentication support for TA's")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: spectre-bhb software workaround

Expands the config option CFG_CORE_WORKAROUND_SPECTRE_BP_SEC to cover
CVE-2022-23960 (aka Spectre-BHB) too since both have much in common.

Spectre-BHB is

core: arm: spectre-bhb software workaround

Expands the config option CFG_CORE_WORKAROUND_SPECTRE_BP_SEC to cover
CVE-2022-23960 (aka Spectre-BHB) too since both have much in common.

Spectre-BHB is another speculation attack on branch prediction. Further
details can be found at [1].

The software workaround added for CPUs vulnerable to Spectre-V2 covers
Spectre-BHB too. New software workaround is only needed for CPUs immune to
Spectre-V2, but not so to Spectre-BHB.

The Spectre-V2 workaround is to invalidate the entire branch predictor
table. Most new CPU immune to Spectre-V2 but vulnerable to Spectre-BHB
can avoid invalidating the entire branch predictor table, instead is
this invalidation replaced by a loop designed to exhaust the branch
predictor in a way that the exploit isn't possible any longer.

Link: [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb

Fixes: CVE-2022-23960
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: refactor spectre-v2 workarounds

Refactors the Spectre-V2 workarounds to make room for further workarounds.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wikl

core: refactor spectre-v2 workarounds

Refactors the Spectre-V2 workarounds to make room for further workarounds.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: suppress text relocations caused by restore_mapping macro

Suppress the text relocations caused by 'ldr x0, =1f' in macro
restore_mapping when CFG_CORE_UNMAP_CORE_AT_EL0=y. Since this oc

core: arm64: suppress text relocations caused by restore_mapping macro

Suppress the text relocations caused by 'ldr x0, =1f' in macro
restore_mapping when CFG_CORE_UNMAP_CORE_AT_EL0=y. Since this occurs
when switching from the reduced kernel mapping to the full mapping, the
code offset needs to be loaded from somewhere readily accessible at that
point, that is the stack.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: suppress text relocations in icache_inv_user_range()

When CFG_CORE_UNMAP_CORE_AT_EL0=y (default), icache_inv_user_range() uses
addresses from the literal pool (ldr xN, =label) to jump t

core: arm64: suppress text relocations in icache_inv_user_range()

When CFG_CORE_UNMAP_CORE_AT_EL0=y (default), icache_inv_user_range() uses
addresses from the literal pool (ldr xN, =label) to jump to/from the
reduced mapping. Use adr and apply the code offset instead to eliminate
the relocations when ASLR is turned on.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: suppress some text relocations in thread_a64.S

A couple of locations in thread_a64.S use 'ldr xN, =symbol' to load
the address of 'symbol'. Doing so creates an entry in the literal pool

core: arm64: suppress some text relocations in thread_a64.S

A couple of locations in thread_a64.S use 'ldr xN, =symbol' to load
the address of 'symbol'. Doing so creates an entry in the literal pool
which is subject to relocaton. In these cases, it is unnecessary because
the code is already running in the relocated VA space, so the PC-relative
macro 'adr_l xN, symbol' would load the proper address. Use this syntax
instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move thread_defs.h into thread.h

Moves the defines in core/arch/arm/include/kernel/thread_defs.h into
core/include/kernel/thread.h.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-

core: move thread_defs.h into thread.h

Moves the defines in core/arch/arm/include/kernel/thread_defs.h into
core/include/kernel/thread.h.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move thread_private.h to an include directory

Moves core/arch/arm/kernel/thread_private.h to a include directory to be
included as <kernel/thread_private.h>.

Reviewed-by: Jerome Forissier <je

core: move thread_private.h to an include directory

Moves core/arch/arm/kernel/thread_private.h to a include directory to be
included as <kernel/thread_private.h>.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add basic pointer authentication support for TA's

APIAKey is used for usespace TA's where these keys are generated
for every TA at load time. The TEE core maintains the key value
for each TA is resp

Add basic pointer authentication support for TA's

APIAKey is used for usespace TA's where these keys are generated
for every TA at load time. The TEE core maintains the key value
for each TA is responsible for storing/restorign them during
switch to EL0 and back.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Generate ELF Note for BTI in all arm64 asm files

Add program property note section in the assembly files to
ensure that when linking them, program property note section
is generated in the final ELF

Generate ELF Note for BTI in all arm64 asm files

Add program property note section in the assembly files to
ensure that when linking them, program property note section
is generated in the final ELF.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add BTI launch pads in aarch64 assembly files

Compiler adds BTI launchpads only in C source files. For
assembly files, BTI launchpad is also required at locations
where "br" is used and at the start

Add BTI launch pads in aarch64 assembly files

Compiler adds BTI launchpads only in C source files. For
assembly files, BTI launchpad is also required at locations
where "br" is used and at the start of the functions. This
needs to be added manually.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: asm.S : Introduce parameter _bti in FUNC's

There are few places where the original macros FUNC and LOCAL_FUNC
are used to define vector tables or exception vector tables.
To take care of s

libutils: asm.S : Introduce parameter _bti in FUNC's

There are few places where the original macros FUNC and LOCAL_FUNC
are used to define vector tables or exception vector tables.
To take care of such assembly code where BTI is not needed,
introduce new parameter _bti. If the _bti passed to the
function is not default, don't add BTI launchpad to the function.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: lpae: use "base table" naming instead of "l1 table"

This is a preparation for supporting base table
which is not level 1 (i.e. support level 0).
Tries not to change anything functional, but
ra

core: lpae: use "base table" naming instead of "l1 table"

This is a preparation for supporting base table
which is not level 1 (i.e. support level 0).
Tries not to change anything functional, but
rather just a renaming.
"base table" terminology is referenced from TF-A
Renamed CORE_MMU_L1_TBL_OFFSET -> CORE_MMU_BASE_TABLE_OFFSET
Added CORE_MMU_BASE_TABLE_LEVEL instead of hard-coded "1"
Added CORE_MMU_BASE_TABLE_SHIFT instead of hard-coded "30"
Few new defines were copied from TF-A xlat_tables_def.h,
like the existing XLAT related defines.

Signed-off-by: Izik Dubnov <izik@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add thread_smccc()

Adds the assembly function thread_smccc() which loads the first 8
registers with the argument and executes an SMC or HVC instruction as
appropriate. The result in the first

core: add thread_smccc()

Adds the assembly function thread_smccc() which loads the first 8
registers with the argument and executes an SMC or HVC instruction as
appropriate. The result in the first 8 registers is then saved in
the argument struct.

With the new flag CFG_CORE_SEL2_SPMC configures OP-TEE to work with a
SPMC at S-EL2 instead of the dispatcher at EL3. The SMC instruction
should not be used when working with a SPMC, OP-TEE should instead use
the HVC instruction in such a configuration.

Without a SPMC at S-EL2 OP-TEE works with the dispatcher at EL3 with no
changes.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: replace assembly directive .align with .balign

The assembly directive .align is replaced by .balign to harmonize with
the recently added align parameter of FUNC() and LOCAL_FUNC().

On the arm

core: replace assembly directive .align with .balign

The assembly directive .align is replaced by .balign to harmonize with
the recently added align parameter of FUNC() and LOCAL_FUNC().

On the arm architecture .align is number of low-order bits location
counter must have after advancement. While .balign always is advancement
to the next multiple of this number.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: correct alignment for exception vectors

The FUNC and LOCAL_FUNC macros changes section so specifying alignment
before the function will be lost. This may break for instance usage of
sm_vect_ta

core: correct alignment for exception vectors

The FUNC and LOCAL_FUNC macros changes section so specifying alignment
before the function will be lost. This may break for instance usage of
sm_vect_table, depending on configuration. Fix this by passing required
alignment as a parameter to the macro.

Fixes: a31e8303cf2e ("Remove '.section .text.<name>' and use function macros instead")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so t

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so that
init_secondary_helper() doesn't have to. It is renamed to
thread_init_thread_core_local().
- The flag remains set upon return to normal world, ready for the next
entry into secure world.
- The foreign_intr_handler macro sets the flag since it uses the
temporary stack.
- thread_core_local_set_tmp_stack_flag() is now unused and can be
removed.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...