History log of /optee_os/core/arch/arm/kernel/unwind_arm32.c (Results 1 – 25 of 27)
Revision Date Author Comments
# 02d307b7 03-Sep-2020 Jerome Forissier <jerome@forissier.org>

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

# 41676ec9 03-Sep-2020 Jerome Forissier <jerome@forissier.org>

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() which was only called from this function.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

# e6f01334 03-Sep-2020 Jerome Forissier <jerome@forissier.org>

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether and calling print_kernel_stack() instead. Since only
TRACE_ERROR is used, the 'level' argument to print_kernel_stack(),
print_stack_arm32() and print_stack_arm64() is removed too.

In addition to simplifying the code, these changes will allow the
consolidation of the stack unwinding code between core and ldelf.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

# e2f03e07 04-Jun-2020 Jerome Forissier <jerome@forissier.org>

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler will insert entry and exit hooks in all
functions in the TEE core. On entry, the stack pointer is checked and
if an overflow is detected, panic() is called.

How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication
of the root cause of the corruption which may have happened quite some
time before. Running the test case again with a debugger attached and a
watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler
before the first canary check, for instance, during boot when the
temporary stack is used. This code will likely catch such issues, too.

The downside is increased stack usage and a significant runtime overhead
which is why this feature should be enabled only for troubleshooting.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

# 19b3fe6c 23-Jul-2020 Angelina Zhao <xuemingzhao@asrmicro.com>

core: arm: fix the unwind stack failure with __no_return function

The unwind operation uses LR instead of PC to locate unwind data. In some
cases, the compiler removes all the extra instructions after a branch to a
__no_return function, and then LR saves the address of the next function,
rather than the caller of the __no_return function, leading to unwind
failure.

The fix manually adjusts the LR value to match the search algorithm so
as to locate the correct caller in unwind stack operation.

Signed-off-by: Angelina Zhao <xuemingzhao@asrmicro.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: reformat the commit description]
Signed-off-by: Jerome Forissier <jerome@forissier.org>

# 26f0468a 08-Jun-2020 Jerome Forissier <jerome@forissier.org>

core: fix print_kernel_stack() outside normal thread context

print_kernel_stack() depends on thread_stack_start() and
thread_stack_size() to get information about the current stack and stop
unwinding outside of the expected range. These functions can only be
used in a thread context; they don't work during the early boot when a
temporary stack is used. Therefore, we often get truncated stack dumps
when an abort or panic() occurs during boot.

This commit introduces a new function: get_stack_limits(), which will
correctly identify cases when the temporary stack is used. Tested on
QEMU (32/64 bits) by calling panic() at various stages of the boot. A
complete call stack was printed on the console every time (note: with
optimization set to -O0 via CFG_CC_OPTIMIZE_FOR_SIZE=n).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# d77929ec 27-Nov-2019 Sumit Garg <sumit.garg@linaro.org>

core: ftrace: dump core load address to support ASLR

Additionally dump core address in ftrace buffer to support syscall
tracing in case TEE core ASLR is enabled.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
[jf: s/Load address @/TEE load address @/]
Signed-off-by: Jerome Forissier <jerome@forissier.org>

# 170e9084 15-Oct-2019 Jens Wiklander <jens.wiklander@linaro.org>

core: add support for CFG_CORE_ASLR

Adds support for CFG_CORE_ASLR to load TEE Core at a random address.
ASLR makes the exploitation of memory corruption vulnerabilities more
difficult.

Paging is currently not supported with CFG_CORE_ASLR=y.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# b5ca5ba1 26-Mar-2019 Jerome Forissier <jerome.forissier@linaro.org>

core: arm32: initialize struct with = { }

The proper way to initialize structures is with = { }. Fixes a Clang
warning:

core/arch/arm/kernel/unwind_arm32.c:497:38: warning: suggest braces around initialization of subobject [-Wmissing-braces]
struct unwind_state_arm32 state = { 0 };
^
{}

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# c9826bf5 18-Jun-2019 Jens Wiklander <jens.wiklander@linaro.org>

core: clean kernel stack unwinding

Simplify kernel stack unwinding now that user mode unwinding is handled
by ldelf.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# 65fe41db 01-Mar-2019 Etienne Carriere <etienne.carriere@linaro.org>

core: cleanup generic traces

Remove useless newline character in a few generic debug traces.

Remove argument __func__ from a FMSG trace since it is already
output by macro FMSG().

Remove error trace from syscall_storage_obj_read() that, prior to
this change, output the failing error code from the storage read()
handler. This is useless and not done for other storage handlers'
return codes.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

# 2683339f 06-Nov-2018 Jerome Forissier <jerome.forissier@linaro.org>

unwind: remove useless #if defined(CFG_UNWIND)

unwind_arm32.c and unwind_arm64.c are only compiled when CFG_UNWIND=y so
there is no need to check that flag again.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

# 447633de 16-Oct-2018 Jerome Forissier <jerome.forissier@linaro.org>

unwind: remove debug messages

The debug messages "vsp out of bounds" (arm32) or "FP out of bounds"
(arm64) are shown quite often when call stacks are captured (observed when
running the lockdep algorithm on mutexes for instance). The call stacks
look fine nonetheless. So, remove these traces.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

# a367dcbb 20-Sep-2018 Jerome Forissier <jerome.forissier@linaro.org>

core: add unw_get_kernel_stack()

Adds a function to obtain the current kernel call stack as an array.
This is useful for debugging code which may need to record the call stack
at various points of the kernel execution.

Depends on CFG_UNWIND=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

# af8149de 27-Jun-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: make stack trace robust

Makes stack trace robust by checking addresses before copying data.
Kernel stack traces are a bit more relaxed as we have crashed already.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960 AArch32, Aarch64)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno, QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# b072193e 25-Apr-2018 Jerome Forissier <jerome.forissier@linaro.org>

arm32: stack unwinding for dynamically linked TAs

Update the ELF loader so that TAs that contain multiple ELF binaries
have a valid exception index table (EXIDX). This table is the entry
point for the call stack unwinding code. When a TA uses shared
libraries, we create a new EXIDX table by joining all the tables found
in each ELF and patching them to account for the new table address.
Information about the ARM unwind tables can be found in [1].

Link: [1] https://wiki.linaro.org/KenWerner/Sandbox/libunwind?action=AttachFile&do=get&target=libunwind-LDS.pdf
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

# 1bb92983 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Add SPDX license identifiers

Adds one SPDX-License-Identifier line [1] to each source file that
contains license text.

Generated by [2]:
spdxify.py --add-spdx optee_os/

The scancode tool [3] was used to double check the license matching
code in the Python script. All the licenses detected by scancode are
either detected by spdxify.py, or have no SPDX identifier, or are false
matches.

Link: [1] https://spdx.org/licenses/
Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Link: [3] https://github.com/nexB/scancode-toolkit
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

# 7dbdef48 09-Sep-2017 Jerome Forissier <jerome.forissier@linaro.org>

core: arm32: remove extra 'x' in core stack dump

Commit 6693786dda1a ("core: make panic call stack consistent with abort
call stack") has mistakenly introduced an extra 'x' in the TEE core
stack dumps. Remove it.

Fixes: 6693786dda1a ("core: make panic call stack consistent with abort call stack")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

# 6693786d 04-Sep-2017 Jerome Forissier <jerome.forissier@linaro.org>

core: make panic call stack consistent with abort call stack

The call stack is formatted differently when the TEE code panics vs.
when it receives an abort exception. The unfortunate consequence is,
the symbolize.py helper script cannot be used to troubleshoot panics.

Fix the issue by introducing common functions to format the call stack:
print_call_stack_arm32() and print_call_stack_arm64(), and by using
them in the panic and abort paths.

Suggested-by: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# e4c86a07 05-Jul-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: fix print_kernel_stack()

Previously, print_kernel_stack() was supplying zeroes instead of real
values for the start and size of the exidx tables needed for unwinding.
With this patch, correct values for exidx and exidx_sz are supplied.

Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2260)
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Fixes: 31a2964 ("core: dump call stack of user TAs on abort")
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# a04aa50f 19-Jun-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: bugfix undefined behavior in expand_prel31()

Fixes undefined behavior in expand_prel31() detected with
CFG_CORE_SANITIZE_UNDEFINED=y

ERROR: [0x0] TEE-CORE: Undefined behavior shift_out_of_bounds at core/arch/arm/kernel/unwind_arm32.c:102 col 42
ERROR: [0x0] TEE-CORE: Panic at core/kernel/ubsan.c:189 <__ubsan_handle_shift_out_of_bounds>

Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
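Both the __no_return LR adjustment (commit 19b3fe6c above) and the prel31 fix in this commit come down to how the unwinder finds a function's .ARM.exidx entry. The block below is an added illustration, not OP-TEE's or libunw's code: a minimal EHABI exidx lookup over a constructed table, with a sign extension that avoids the signed left shift; the names (expand_prel31 aside), the fake layout and the "search one byte below LR" rendering of the fix are assumptions, not the commit's exact code.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the .ARM.exidx lookup an ARM EHABI unwinder performs. Each entry's
 * first word is a prel31: a 31-bit signed offset from that word's own address. */
struct exidx_entry {
	uint32_t fn_prel31;	/* prel31 offset to the function this entry covers */
	uint32_t insn;		/* inline unwind insns, extab ref or CANTUNWIND */
};

/* Sign-extend a 31-bit value without the signed left shift that UBSan flags. */
static int32_t expand_prel31(uint32_t prel31)
{
	prel31 &= 0x7fffffffu;
	if (prel31 & 0x40000000u)	/* bit 30 set: the value is negative */
		return -(int32_t)((0x80000000u - prel31) & 0x7fffffffu);
	return (int32_t)prel31;
}

/* Function start = address of the prel31 word + offset (unsigned wrap is fine). */
static uintptr_t entry_fn_start(const struct exidx_entry *e)
{
	return (uintptr_t)&e->fn_prel31 +
	       (uintptr_t)(intptr_t)expand_prel31(e->fn_prel31);
}

/* The table is sorted by function start: return the last entry with start <= pc. */
static const struct exidx_entry *exidx_lookup(const struct exidx_entry *tab,
					      size_t n, uintptr_t pc)
{
	size_t lo = 0, hi = n;	/* invariant: entries [0, lo) have start <= pc */
	while (lo < hi) {
		size_t mid = lo + (hi - lo) / 2;
		if (entry_fn_start(&tab[mid]) <= pc)
			lo = mid + 1;
		else
			hi = mid;
	}
	return lo ? &tab[lo - 1] : NULL;
}

/* Constructed layout: three fake functions below the table (negative offsets,
 * as .text precedes .ARM.exidx). FN_A's last insn is a BL to __noreturn FN_C. */
enum { FN_A, FN_B, FN_C, NFN };
static struct exidx_entry tab[NFN];
static const uintptr_t fn_off[NFN] = { 0x300, 0x2c0, 0x200 };
static const struct exidx_entry *table(void)
{
	for (int i = 0; i < NFN; i++) {
		uintptr_t start = (uintptr_t)tab - fn_off[i];
		tab[i].fn_prel31 = (uint32_t)(start - (uintptr_t)&tab[i]) & 0x7fffffffu;
		tab[i].insn = 0x80b0b0b0u;	/* "finish": nothing to restore */
	}
	return tab;
}

/* Owner of the frame whose PC came from FN_A's LR, which equals FN_B's start.
 * The fix searches a byte inside the call insn (Thumb bit stripped, minus 1). */
static int frame_owner(int adjust_lr)
{
	const struct exidx_entry *t = table();
	uintptr_t lr = ((uintptr_t)t - fn_off[FN_B]) | 1;	/* Thumb return address */
	uintptr_t pc = (lr & ~(uintptr_t)1) - (adjust_lr ? 1 : 0);
	return (int)(exidx_lookup(t, NFN, pc) - t);
}
```

frame_owner(0) attributes the frame to FN_B (the wrong function), frame_owner(1) to FN_A, the real caller.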

# 31a29642 11-May-2017 Jerome Forissier <jerome.forissier@linaro.org>

core: dump call stack of user TAs on abort

Update the abort handling code in the TEE core to support unwinding
the user mode stack in addition to the kernel stack. unwind_arm32.c is
modified slightly so that it can be built for AArch64. This allows a
64-bit TEE core to dump both 32- and 64-bit TAs.

Paged TAs (CFG_PAGED_USER_TA=y) cannot currently be unwound, because
the code is not ready to handle the page faults that might occur as
the unwinding tables are accessed.

CFG_CORE_UNWIND is renamed to CFG_UNWIND since it enables both the
kernel and user TA stack dumps. It is still set automatically when
CFG_TEE_CORE_DEBUG=y.

32-bit user TAs have to be compiled with `-funwind-tables`, otherwise
the call stack can't be unwound and the abort reports will not show a
call stack. The TA dev kit takes care of adding this flag automatically
when CFG_UNWIND=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# 18e8c533 10-Oct-2016 Jerome Forissier <jerome.forissier@linaro.org>

arm32: unwind: print_stack(): fix unwind_state

print_stack() must save r7 and r11 in the unwind_state structure. Not
doing so will likely result in a crash during unwind.
Register r7 is typically used as a frame pointer by GCC in Thumb2 mode,
while r11 (a.k.a. fp) is the frame pointer in ARM mode.

Also, set PC to the beginning of print_stack() since there's no point
in going further inside the function.

Fixes: https://github.com/OP-TEE/optee_os/issues/1069
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# 9c5e2f87 10-Oct-2016 Jerome Forissier <jerome.forissier@linaro.org>

arm32: unwind: convert int to bool

The return status of unwind_tab() is used as a boolean, so change its
type.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# 7cd43342 10-Oct-2016 Jerome Forissier <jerome.forissier@linaro.org>

arm32: unwind: fix incorrect return status

After the unwind code was imported from FreeBSD sources, it was slightly
modified to invert some logic. One return slipped through.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
