| #
93dc6b29 |
| 23-Sep-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add pointer authentication support
Previously pointer authentication was only supported for TAs. With this patch add a configuration option CFG_CORE_PAUTH to enable support for core. Each privileged thread has its own APIA key. There is also a separate APIA key for each physical core used when handling an abort or when using the tmp stack.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
adb7766e |
| 31-Mar-2021 |
Moritz Lummerzheim <moritz.lummerzheim@campus.tu-berlin.de> |
core: fix compilation problem with trace level 0
- if CFG_TEE_CORE_LOG_LEVEL in build/common.mk set to zero, optee_os doesn't compile
- error is:
  core/arch/arm/kernel/unwind_arm64.c:77:6: Error: redefinition of 'print_kernel_stack'
     77 | void print_kernel_stack(void)
        |      ^~~~~~~~~~~~~~~~~~
  in file, included from core/arch/arm/kernel/unwind_arm64.c:35:
  core/include/kernel/unwind.h:15:20: Warning: previous definition of 'print_kernel_stack' was here
     15 | static inline void print_kernel_stack(void)
        |                    ^~~~~~~~~~~~~~~~~~
To avoid this error we assure the function is not redefined.
Signed-off-by: Moritz Lummerzheim <moritz.lummerzheim@campus.tu-berlin.de>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| #
02d307b7 |
| 03-Sep-2020 |
Jerome Forissier <jerome@forissier.org> |
core: use libunw
Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from libunw instead.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
e6f01334 |
| 03-Sep-2020 |
Jerome Forissier <jerome@forissier.org> |
core: remove stack dump macros and multiple log levels
Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only EPRINT_STACK() is used. Let's simplify the code by removing the macros altogether and calling print_kernel_stack() instead. Since only the TRACE_ERROR is used, the 'level' argument to print_kernel_stack(), print_stack_arm32() and print_stack_arm64() is removed too.
In addition to simplifying the code, these changes will allow the consolidation of the stack unwinding code between core and ldelf.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
e2f03e07 |
| 04-Jun-2020 |
Jerome Forissier <jerome@forissier.org> |
core: add stack overflow detection
This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack limits using compiler instrumentation (-finstrument-functions). When enabled, the C compiler will insert entry and exit hooks in all functions in the TEE core. On entry, the stack pointer is checked and if an overflow is detected, panic() is called.
How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication of the root cause of the corruption which may have happened quite some time before. Running the test case again with a debugger attached and a watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler before the first canary check, for instance, during boot when the temporary stack is used. This code will likely catch such issues, too.
The downside is increased stack usage and a significant runtime overhead which is why this feature should be enabled only for troubleshooting.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
26f0468a |
| 08-Jun-2020 |
Jerome Forissier <jerome@forissier.org> |
core: fix print_kernel_stack() outside normal thread context
print_kernel_stack() depends on thread_stack_start() and thread_stack_size() to get information about the current stack and stop unwinding outside of the expected range. These functions can only be used in a thread context; they don't work during the early boot when a temporary stack is used. Therefore, we often get truncated stack dumps when an abort or panic() occurs during boot.
This commit introduces a new function: get_stack_limits(), which will correctly identify cases when the temporary stack is used. Tested on QEMU (32/64 bits) by calling panic() at various stages of the boot. A complete call stack was printed on the console every time (note: with optimization set to -O0 via CFG_CC_OPTIMIZE_FOR_SIZE=n).
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
d77929ec |
| 27-Nov-2019 |
Sumit Garg <sumit.garg@linaro.org> |
core: ftrace: dump core load address to support ASLR
Additionally dump core address in ftrace buffer to support syscall tracing in case TEE core ASLR is enabled.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
[jf: s/Load address @/TEE load address @/]
Signed-off-by: Jerome Forissier <jerome@forissier.org>
|
| #
170e9084 |
| 15-Oct-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add support for CFG_CORE_ASLR
Adds support for CFG_CORE_ASLR to load TEE Core at a random address. ASLR makes the exploitation of memory corruption vulnerabilities more difficult.
Paging is currently not supported with CFG_CORE_ASLR=y.
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
099918f6 |
| 05-Sep-2019 |
Sumit Garg <sumit.garg@linaro.org> |
ftrace: Add support for syscall function tracer
This patch adds support for syscall tracing in TEE core. It complements existing ftrace support for user TAs via adding trace for syscalls that are invoked by user TAs into the TEE core.
And after this patch ftrace will cover both TA and TEE core code. So let's rename config option from CFG_TA_FTRACE_SUPPORT to CFG_FTRACE_SUPPORT.
It is optional to enable syscall trace via CFG_SYSCALL_FTRACE=y config option in addition to CFG_FTRACE_SUPPORT=y config option.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| #
c9826bf5 |
| 18-Jun-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: clean kernel stack unwinding
Simplify kernel stack unwinding now that user mode unwinding is handled by ldelf.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
153479ac |
| 18-Jun-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: dump ftrace data with ldelf
Uses ldelf to dump ftrace data from a TA.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
d35a00c7 |
| 16-May-2019 |
Sumit Garg <sumit.garg@linaro.org> |
core: prepare support for TA function tracing
To support TA function tracing OP-TEE core role being:
- To initialize and register ftrace buffer per TA session.
- To dump TA ftrace buffer to normal world via RPC call in case TA session closes or in case of TA abort.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
|
| #
2683339f |
| 06-Nov-2018 |
Jerome Forissier <jerome.forissier@linaro.org> |
unwind: remove useless #if defined(CFG_UNWIND)
unwind_arm32.c and unwind_arm64.c are only compiled when CFG_UNWIND=y so there is no need to check that flag again.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
447633de |
| 16-Oct-2018 |
Jerome Forissier <jerome.forissier@linaro.org> |
unwind: remove debug messages
The debug messages "vsp out of bounds" (arm32) or "FP out of bounds" (arm64) are shown quite often when call stacks are captured (observed when running the lockdep algorithm on mutexes for instance). The call stacks look fine nonetheless. So, remove these traces.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a367dcbb |
| 20-Sep-2018 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: add unw_get_kernel_stack()
Adds a function to obtain the current kernel call stack as an array. This is useful for debugging code which may need to record the call stack at various points of the kernel execution.
Depends on CFG_UNWIND=y.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
af8149de |
| 27-Jun-2018 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: make stack trace robust
Makes stack trace robust by checking addresses before copying data. Kernel stack traces are a bit more relaxed as we have crashed already.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960 AArch32, Aarch64)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno, QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1bb92983 |
| 15-Dec-2017 |
Jerome Forissier <jerome.forissier@linaro.org> |
Add SPDX license identifiers
Adds one SPDX-License-Identifier line [1] to each source file that contains license text.
Generated by [2]: spdxify.py --add-spdx optee_os/
The scancode tool [3] was used to double check the license matching code in the Python script. All the licenses detected by scancode are either detected by spdxify.py, or have no SPDX identifier, or are false matches.
Link: [1] https://spdx.org/licenses/
Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Link: [3] https://github.com/nexB/scancode-toolkit
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
|
| #
6693786d |
| 04-Sep-2017 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: make panic call stack consistent with abort call stack
The call stack is formatted differently when the TEE code panics vs. when it receives an abort exception. The unfortunate consequence is, the symbolize.py helper script cannot be used to troubleshoot panics.
Fix the issue by introducing common functions to format the call stack: print_call_stack_arm32() and print_call_stack_arm64(), and by using them in the panic and abort paths.
Suggested-by: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
eff52d1f |
| 04-Sep-2017 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: arm64: fix print_kernel_stack()
print_kernel_stack() can only print the upmost address in the call stack, because the unwind_stack_arm64() function is passed 0 for stack and stack_size.
Use the correct values, so that we can get complete stack dumps (when panic() is called for instance).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
31a29642 |
| 11-May-2017 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: dump call stack of user TAs on abort
Update the abort handling code in the TEE core to support unwinding the user mode stack in addition to the kernel stack. unwind_arm32.c is modified slightl
core: dump call stack of user TAs on abort
Update the abort handling code in the TEE core to support unwinding the user mode stack in addition to the kernel stack. unwind_arm32.c is modified slightly so that it can be built for AArch64. This allows a 64-bit TEE core to dump both 32- and 64-bit TAs.
Paged TAs (CFG_PAGED_USER_TA=y) cannot currently be unwound, because the code is not ready to handle the page faults that might occur as the unwinding tables are accessed.
CFG_CORE_UNWIND is renamed to CFG_UNWIND since it enables both the kernel and user TA stack dumps. It is still set automatically when CFG_TEE_CORE_DEBUG=y.
32-bit user TAs have to be compiled with `-funwind-tables`, otherwise the call stack can't be unwound and the abort reports will not show a call stack. The TA dev kit takes care of adding this flag automatically when CFG_UNWIND=y.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a681faba |
| 02-Sep-2016 |
Jerome Forissier <jerome.forissier@linaro.org> |
trace.h: add macros to unwind and print the call stack (kernel only)
Adds [EIDF]PRINT_STACK() for debugging purposes. Depends on CFG_CORE_UNWIND=y. As a side-effect, also adds a few things that may be useful on their own: __always_inline, read_pc(), read_fp(), read_lr().
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
923c1f34 |
| 06-Dec-2015 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: stack unwinding
Adds support for stack unwinding, currently only done for fatal aborts from kernel mode if CFG_CORE_UNWIND = y
The ARMv7/Aarch32 implementation uses -funwind-tables to generate frame unwinding information which is quite large. Enabling stack unwinding currently consumes ~8 KiB. The code to parse the frame unwind information is imported from FreeBSD.
The Aarch64 implementation takes advantage of the frame pointer and has minimal overhead. The core code to unwind the stack is imported from FreeBSD.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey 32/64)
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU, FVP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|