core: support dynamic protected memory lending

With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.

A new internal struct mobj_ffa_rsm is added to handle dynamic protected
memory f

core: support dynamic protected memory lending

With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.

A new internal struct mobj_ffa_rsm is added to handle dynamic protected
memory for FF-A.

A new internal struct mobj_protmem is add to handle dynamic protected
memory without FF-A.

Lending non-secure memory to OP-TEE to use it as protected memory means
that it should to become inaccessible by the normal world as part of the
process. This part is currently not supported, since it must be done in
a platform specific way for platforms that support that. QEMU don't
support that.

Adding two platform specific functions, plat_get_protmem_config() and
plat_set_protmem_range() for dynamic protected memory. The functions has
__weak implementation to allow easier testing. However,
plat_set_protmem_range() requires CFG_INSECURE=y since it doesn't change
memory protection.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: refactor struct mobj_ffa

Moves the non-secure shared memory specific fields of struct mobj_ffa
into the new struct mobj_ffa_shm which in turn embeds struct mobj_ffa.

This prepares for an

core: arm: refactor struct mobj_ffa

Moves the non-secure shared memory specific fields of struct mobj_ffa
into the new struct mobj_ffa_shm which in turn embeds struct mobj_ffa.

This prepares for another derivate of struct mobj_ffa that deals with
another kind of memory.

No change in functionality.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

tree-wide: use ROUNDUP_DIV() where applicable

Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Je

tree-wide: use ROUNDUP_DIV() where applicable

Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rename tee_mm_shm to core_virt_shm_pool

Rename tee_mm_shm to core_virt_shm_pool to make it clear that it handles
virtual memory allocations for shared memory.

Signed-off-by: Jens Wiklander <j

core: rename tee_mm_shm to core_virt_shm_pool

Rename tee_mm_shm to core_virt_shm_pool to make it clear that it handles
virtual memory allocations for shared memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: store shm_bits in partition for SPMC at S-EL1

Store the bitmask keeping track of allocated shared memory handles in
the current partition when configured with CFG_NS_VIRTUALIZATION and
CF

core: ffa: store shm_bits in partition for SPMC at S-EL1

Store the bitmask keeping track of allocated shared memory handles in
the current partition when configured with CFG_NS_VIRTUALIZATION and
CFG_CORE_SEL1_SPMC.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: add SPMC_CORE_SEL1_MAX_SHM_COUNT

Add SPMC_CORE_SEL1_MAX_SHM_COUNT, telling how many shared memory object
are supported in a configuration with SPMC at S-EL1.

Signed-off-by: Jens Wiklande

core: ffa: add SPMC_CORE_SEL1_MAX_SHM_COUNT

Add SPMC_CORE_SEL1_MAX_SHM_COUNT, telling how many shared memory object
are supported in a configuration with SPMC at S-EL1.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: mobj_ffa.c: add reassuring comment in mobj_ffa_unregister_by_cookie()

Adds a reassuring comment in mobj_ffa_unregister_by_cookie() to explain
why it may fail if the cookie hasn't been used yet

core: mobj_ffa.c: add reassuring comment in mobj_ffa_unregister_by_cookie()

Adds a reassuring comment in mobj_ffa_unregister_by_cookie() to explain
why it may fail if the cookie hasn't been used yet. Updates the error
message to include inactive_refs.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: fix race in mobj_put() and ffa_inactivate()

Prior to this patch there was a race condition when mobj_put()
is calling ffa_inactivate().
D/TC:0 0 ffa_inactivate:525 cookie 0x100000000000
D

core: ffa: fix race in mobj_put() and ffa_inactivate()

Prior to this patch there was a race condition when mobj_put()
is calling ffa_inactivate().
D/TC:0 0 ffa_inactivate:525 cookie 0x100000000000
D/TC:0 1 mobj_ffa_get_by_cookie:401 cookie 0x100000000000 active: refc 1
D/TC:? 1 read_console:114 got 0xd
D/TC:0 1 ffa_inactivate:525 cookie 0x100000000000
D/TC:0 0 ffa_inactivate:525 cookie 0x100000000000
E/TC:0 0 Panic at core/arch/arm/mm/mobj_ffa.c:527 <ffa_inactivate>
E/TC:0 0 TEE load address @ 0xe100000
E/TC:0 0 Call stack:
E/TC:0 0 0x0e108c0c print_kernel_stack at ??:?
E/TC:0 0 0x0e115b8c __do_panic at core/kernel/panic.c:24
E/TC:0 0 0x0e10a238 ffa_inactivate at mobj_ffa.c:?
E/TC:0 0 0x0e107318 __thread_std_smc_entry at ??:?

As now explained in ffa_inactivate():
/*
* pop_from_list() can fail to find the mobj if we had just
* decreased the refcount to 0 in mobj_put() and was going to
* acquire the shm_lock but another thread found this mobj and
* reinitialized the refcount to 1. Then before we got cpu time the
* other thread called mobj_put() and deactivated the mobj again.
* ...
*/

If our thread is delayed even further we may even inactivate an
unrelated mobj that happened to reuse the same piece of memory.

Fix this by adding another guarding condition so that the mobj is
guaranteed to be valid until ffa_inactivate() has returned. By adding a
new member in struct mobj_ffa, inactive_refs, we keep track of
references even when the mobj have been moved to the inactive list.

Adds a comment describing the non-trivial life cycle of struct mobj_ffa.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: support virtualization with SPMC at S-EL1

Adds support for virtualization with OP-TEE as SPMC at S-EL1. This if
the FF-A counterpart of SMC based ABI with virtualization.

Reviewed-by: B

core: spmc: support virtualization with SPMC at S-EL1

Adds support for virtualization with OP-TEE as SPMC at S-EL1. This if
the FF-A counterpart of SMC based ABI with virtualization.

Reviewed-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj_ffa_add_pages_at() trust addresses from SPMC

mobj_ffa_add_pages_at() checks that a supplied physical address is
non-secure. This check is not needed with an SPMC at S-EL2 as we can
trust

core: mobj_ffa_add_pages_at() trust addresses from SPMC

mobj_ffa_add_pages_at() checks that a supplied physical address is
non-secure. This check is not needed with an SPMC at S-EL2 as we can
trust that to only provide verified addresses. So disable the check for
non-secure memory in that case, this has also the advantage that OP-TEE
no longer need to know the valid ranges of non-secure memory.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: remove pager annotations

Configuration with pager and FF-A is currently not supported. Supporting
this would require extensions to the FF-A specification to be able to
load OP-TEE with pa

core: ffa: remove pager annotations

Configuration with pager and FF-A is currently not supported. Supporting
this would require extensions to the FF-A specification to be able to
load OP-TEE with paging enabled. So far we don't have any platforms with
FF-A which are memory constrained enough that paging can be motivated. If
this would change we'll have a good use case to test with when adding
pager support for FF-A.

Currently we have a few pager annotations (DECLARE_KEEP_PAGER() and
__*_unpaged) which are effectively unused. So save us from adding yet
more unused annotations by removing the few we have in the FF-A specific
code.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mmu: Fix wrong input argument of tee_mm_init()

Since commit [1], tee_mm_init() take pool size instead of end address.
This change corrects the input arg of caller which still use old
definitio

core: mmu: Fix wrong input argument of tee_mm_init()

Since commit [1], tee_mm_init() take pool size instead of end address.
This change corrects the input arg of caller which still use old
definition.

Link: [1] 2380d70 ("core: mmu: fix overflow with high address in tee_mm_pool_t")
Signed-off-by: james.jiang <james.jiang@mediatek.com>
Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rename mobj_get_cattr() to mobj_get_mem_type()

Renames mobj_get_cattr() to mobj_get_mem_type(). The mobj operation
get_ctype() is also renamed to get_mem_type().

This commit is only about ren

core: rename mobj_get_cattr() to mobj_get_mem_type()

Renames mobj_get_cattr() to mobj_get_mem_type(). The mobj operation
get_ctype() is also renamed to get_mem_type().

This commit is only about renaming ctype to mem_type, no changes in
behaviour.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tag ops structures with __relrodata_unpaged

Global structures currently tagged with __rodata_unpaged need to use
__relrodata_unpaged instead because they contain pointers which are
subject to

core: tag ops structures with __relrodata_unpaged

Global structures currently tagged with __rodata_unpaged need to use
__relrodata_unpaged instead because they contain pointers which are
subject to relocation when CFG_CORE_ASLR=y. Doing so moves them out of
.rodata which will now stay unmodified even with ASLR turned on.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: change TEE_MATTR_CACHE_ to TEE_MATTR_MEM_TYPE_

Some extra memory types will be added. This patch renames all
TEE_MATTR_CACHE_ defines to TEE_MATTR_MEM_TYPE_. This will make the next
patches ea

core: change TEE_MATTR_CACHE_ to TEE_MATTR_MEM_TYPE_

Some extra memory types will be added. This patch renames all
TEE_MATTR_CACHE_ defines to TEE_MATTR_MEM_TYPE_. This will make the next
patches easier to understand.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add support for SPMC at EL3

Adds support for SPMC at EL3 with CFG_CORE_EL3_SPMC. This is from OP-TEE
point of view almost identical to CFG_CORE_SEL2_SPMC with SPMC at S-EL2.

The previously S-

core: add support for SPMC at EL3

Adds support for SPMC at EL3 with CFG_CORE_EL3_SPMC. This is from OP-TEE
point of view almost identical to CFG_CORE_SEL2_SPMC with SPMC at S-EL2.

The previously S-EL2 specific functions mobj_ffa_sel2_spmc_new() and
mobj_ffa_sel2_spmc_delete() are renamed to mobj_ffa_spmc_new() and
mobj_ffa_spmc_delete() respectively since they are no longer reserved to
used only with SPMC at S-EL2.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix race in ffa_inc_map()

Fixes a race in ffa_inc_map() when mapcount is 0. The problem goes like:

Thread 1 and 2 calls ffa_inc_map() at the same time and mapcount is 0.
Thread 1 takes the lo

core: fix race in ffa_inc_map()

Fixes a race in ffa_inc_map() when mapcount is 0. The problem goes like:

Thread 1 and 2 calls ffa_inc_map() at the same time and mapcount is 0.
Thread 1 takes the lock first and initializes mapcount to 1 and map the
mobj etc.

When thread 2 has the lock it discovers that mapcount has been
initialize while it was waiting for the lock.

Prior to this patch we where exiting the function doing nothing more
since the mobj was mapped, but by doing so we'll miss to increase
mapcount.

Fix this by restarting the call to refcount_inc() using a loop.

Fixes: 73e1d3f398b0 ("core: add mobj_ffa")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make mobj_get_va() more secure

Adds a length parameter to allow mobj_get_va() to check that the entire
va range requested is available.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.

core: make mobj_get_va() more secure

Adds a length parameter to allow mobj_get_va() to check that the entire
va range requested is available.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

FF-A: Add macro for FF-A memory cookie bit

When creating a new cookie of the mobj_ffa a BIT64(44) was used inline.
Create a macro for it.

Signed-off-by: Jelle <jelle.sels@arm.com>
Reviewed-by: Jens

FF-A: Add macro for FF-A memory cookie bit

When creating a new cookie of the mobj_ffa a BIT64(44) was used inline.
Create a macro for it.

Signed-off-by: Jelle <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arch: kernel: move spmc functions from thread.h to thread_spmc.h

It is more relevant to declare thread_spmc_populate_mobj_from_rx() and
thread_spmc_relinquish() in thread_spmc.h instead of thr

core: arch: kernel: move spmc functions from thread.h to thread_spmc.h

It is more relevant to declare thread_spmc_populate_mobj_from_rx() and
thread_spmc_relinquish() in thread_spmc.h instead of thread.h
Source file mobj_ffa.c makes use of these two functions, hence include
kernel/thread_spmc.h header.

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: clarify internal_offset in mobj_ffa_get_by_cookie()

Adds a comment in mobj_ffa_get_by_cookie() clarifying how
internal_offset and the page_offset kept in a struct mobj_ffa relates.

Acked-by:

core: clarify internal_offset in mobj_ffa_get_by_cookie()

Adds a comment in mobj_ffa_get_by_cookie() clarifying how
internal_offset and the page_offset kept in a struct mobj_ffa relates.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: call mapped_shm_init() via preinit()

Calls mapped_shm_init() and mobj_mapped_shm_init() a bit earlier by
registering it with preinit().

Acked-by: Jerome Forissier <jerome@forissier.org>
Revie

core: call mapped_shm_init() via preinit()

Calls mapped_shm_init() and mobj_mapped_shm_init() a bit earlier by
registering it with preinit().

Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make __rodata_unpaged() symbols __weak

Makes the __rodata_unpaged tagged symbols __weak and non-static in order
to be overridden in core/arch/arm/kernel/link_dummies_paged.c. This
makes sure t

core: make __rodata_unpaged() symbols __weak

Makes the __rodata_unpaged tagged symbols __weak and non-static in order
to be overridden in core/arch/arm/kernel/link_dummies_paged.c. This
makes sure that these symbols doesn't bring in further symbols in the
unpaged section.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use separate sections for each __rodata_unpaged variable

Adds a mandatory argument to the macro __rodata_unpaged() to take the
name of the variable to put in the unpaged rodata section. This w

core: use separate sections for each __rodata_unpaged variable

Adds a mandatory argument to the macro __rodata_unpaged() to take the
name of the variable to put in the unpaged rodata section. This will
result in separate sections for each such variable and make it easier to
debug the pruning of the dependency tree for unpaged sections.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: enable FF-A with SPM Core at S-EL2

This enables support for FF-A with SPM Core at S-EL2 in a secure
hypervisor while OP-TEE is running at S-EL1 as a SP.
This configuration is also know as "S-E

core: enable FF-A with SPM Core at S-EL2

This enables support for FF-A with SPM Core at S-EL2 in a secure
hypervisor while OP-TEE is running at S-EL1 as a SP.
This configuration is also know as "S-EL2 SPMC" in the FFA specification.

Compile with CFG_CORE_SEL2_SPMC=y

Note that this is an experimental feature, ABIs etc may have
incompatible changes.

This depends on using the FF-A v4 patchset in the Linux kernel.

Reviewed-by: Jelle Sels <jelle.sels@arm.com>
Co-developed-by: Marc Bonnici <marc.bonnici@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...