core: sm_a32.S: add missing .cantunwind

Adds missing .cantunwind directives to the two alternative exception
vectors sm_vect_table_a15 and sm_vect_table_bpiall.

Reviewed-by: Jerome Forissier <jerom

core: sm_a32.S: add missing .cantunwind

Adds missing .cantunwind directives to the two alternative exception
vectors sm_vect_table_a15 and sm_vect_table_bpiall.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: correct alignment for exception vectors

The FUNC and LOCAL_FUNC macros changes section so specifying alignment
before the function will be lost. This may break for instance usage of
sm_vect_ta

core: correct alignment for exception vectors

The FUNC and LOCAL_FUNC macros changes section so specifying alignment
before the function will be lost. This may break for instance usage of
sm_vect_table, depending on configuration. Fix this by passing required
alignment as a parameter to the macro.

Fixes: a31e8303cf2e ("Remove '.section .text.<name>' and use function macros instead")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUN

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUNC, let's fold these statements into the
FUNC macros.

The .fnstart/.fnend directives mark the start and end of a function
with an unwind table entry (.ARM.exidx) and therefore a function
without them has no entry and cannot be unwound. This means that a
stack dump (on abort or panic) would stop when reaching such a
function.

As a result of this patch, a small number of functions now have an
entry in the unwind table when they had none before (the functions
which were using FUNC or LOCAL_FUNC but had no .fnstart/.fnend). It was
almost always a bug and this pacth only increases the size of the
.ARM.exidx section by a few bytes (tested on QEMU).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <asm.S>, remove a couple of duplicates in
assembler files, and drop the useless includes.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: remove boot_get_handlers()

struct thread_handlers is used to pass the entry functions
for different power management events. In practice only .cpu_on is used
and with the default function at t

core: remove boot_get_handlers()

struct thread_handlers is used to pass the entry functions
for different power management events. In practice only .cpu_on is used
and with the default function at that. In the ARMv7 case where the
secure monitor replaces TF-A not even that function entry is used.

Remove struct thread_handlers and boot_get_handlers(). When configured
with TF-A initialize thread_*_handler_ptr with __weak default functions.

The __weak default PM functions
- thread_cpu_off_handler()
- thread_cpu_suspend_handler()
- thread_cpu_resume_handler()
- thread_system_off_handler()
- thread_system_reset_handler()
can be overridden by platforms when needed.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rename KEEP_INIT() and KEEP_PAGER()

The KEEP_INIT() and KEEP_PAGER() macros are quite often used in C files
immediately after the definition of a function or a structure without a
blank line i

core: rename KEEP_INIT() and KEEP_PAGER()

The KEEP_INIT() and KEEP_PAGER() macros are quite often used in C files
immediately after the definition of a function or a structure without a
blank line in between. This style mimics what the Linux kernel does for
a similar use cases: EXPORT_SYMBOL().

Unfortunately, the checkpatch.pl tool expects a blank line after
structure and function definitions, except for a few special cases such
as EXPORT_SYMBOL(). As a result we often get unwanted warnings when we
use KEEP_INIT() and KEEP_PAGER(). Among the exceptions are all words
starting with DECLARE_ or DEFINE_, so by renaming our macros we could
avoid the checkpatch warnings.

This commit renames KEEP_INIT() and KEEP_PAGER() to DECLARE_KEEP_INIT()
and DECLARE_KEEP_PAGER(), respectively. The assembler macros are also
renamed for consistency. No functional change is expected.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove '.section .text.<name>' and use function macros instead

Assembler functions are normally defined using the FUNC/LOCAL_FUNC
macros from <asm.S>. The macros takes care of several things, includ

Remove '.section .text.<name>' and use function macros instead

Assembler functions are normally defined using the FUNC/LOCAL_FUNC
macros from <asm.S>. The macros takes care of several things, including
putting the function in a specific section for later garbage collection
by the linker (--gc-sections).

A few files do not follow this convention, let's fix them. Two
functions in ghash-ce-core_a64.S (pmull_gcm_load_round_keys() and
pmull_gcm_aes_sub()) totally lack a .section directive, which I think
is a mistake. Fix them at the same time.

No functional change is expected.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ftrace: Add support for syscall function tracer

This patch adds support for syscall tracing in TEE core. It complements
existing ftrace support for user TAs via adding trace for syscalls that
are in

ftrace: Add support for syscall function tracer

This patch adds support for syscall tracing in TEE core. It complements
existing ftrace support for user TAs via adding trace for syscalls that
are invoked by user TAs into the TEE core.

And after this patch ftrace will cover both TA and TEE core code. So lets
rename config option from CFG_TA_FTRACE_SUPPORT to CFG_FTRACE_SUPPORT.

It is optional to enable syscall trace via CFG_SYSCALL_FTRACE=y config
option in addition to CFG_FTRACE_SUPPORT=y config option.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: ftrace: Enable user-space access to counter regs

To enable function execution time support in function tracing output,
user-space ftrace framework needs to access frequency register and
physic

core: ftrace: Enable user-space access to counter regs

To enable function execution time support in function tracing output,
user-space ftrace framework needs to access frequency register and
physical counter register. So enable user-space access.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME

Adds CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME which if 'y' enables
protection against a tool like Cachegrab
(https://github.com/nccgroup/cachegrab), whic

core: add CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME

Adds CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME which if 'y' enables
protection against a tool like Cachegrab
(https://github.com/nccgroup/cachegrab), which uses non-secure
interrupts to prime and later analyze the L1D, L1I and BTB caches to
gain information from secure world execution.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove useless .section directives

A few assembler files contain ".section .text.<something>" but these
sections do not appear to be used anywhere. In addition, the functions
defined in the fi

core: remove useless .section directives

A few assembler files contain ".section .text.<something>" but these
sections do not appear to be used anywhere. In addition, the functions
defined in the files are always put in their own section anyway,
(.text.<function_name>), because of the -ffunction-sections flag.
Therefore, let's remove the useless directives.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove deprecated ldm/stm instructions

Some uses of SP, PC and LR in the register list of Load/Store Multiple
instructions is forbidden (Thumb) or deprecated (ARM) as per the ARM
ARM DDI 0406 C.d. F

Remove deprecated ldm/stm instructions

Some uses of SP, PC and LR in the register list of Load/Store Multiple
instructions is forbidden (Thumb) or deprecated (ARM) as per the ARM
ARM DDI 0406 C.d. For the LDM instructions, SP should not be in the
list, and the list should not contain both PC and LR. See sections:

[A8.8.58] LDM/LDMIA/LDMFD (Thumb)
[A8.8.59] LDM/LDMIA/LDMFD (ARM)
[A8.8.60] LDMDA/LDMFA
[A8.8.61] LDMDB/LDMEA
[A8.8.62] LDMIB/LDMED

For the STM instructions, neither SP nor PC should be in the list. See
sections:

[A8.8.200] STM (STMIA, STMEA)
[A8.8.201] STMDA (STMED)
[A8.8.202] STMDB (STMFD)
[A8.8.203] STMIB (STMFA)

Clang warns on the deprecated constructs. Use ldr/str instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sm: explicit return value for sm_from_nsec()

Define macros to explicit return value for sm_from_nsec() used
in monitor assembly trampoline to invoke either secure or non-secure
world.

Signed-

core: sm: explicit return value for sm_from_nsec()

Define macros to explicit return value for sm_from_nsec() used
in monitor assembly trampoline to invoke either secure or non-secure
world.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu)

show more ...

core: rename read_idpfr1() to read_id_pfr1()

Renames the assembly macro read_idpfr1() to read_id_pfr1() to use the
real register name.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Si

core: rename read_idpfr1() to read_id_pfr1()

Renames the assembly macro read_idpfr1() to read_id_pfr1() to use the
real register name.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: sm: optimize padding in struct sm_ctx

Removes redundant padding in struct sm_ctx and sub-structs with regards
to CFG_SM_NO_CYCLE_COUNTING. Saves 4 bytes per core if
CFG_SM_NO_CYCLE_COUNT

core: arm: sm: optimize padding in struct sm_ctx

Removes redundant padding in struct sm_ctx and sub-structs with regards
to CFG_SM_NO_CYCLE_COUNTING. Saves 4 bytes per core if
CFG_SM_NO_CYCLE_COUNTING is defined.

Removes assumptions in monitor assembly code about where the padding in
struct sm_ctx is located.

Adds compile time asserts are added to check that struct sm_ctx is
properly aligned.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU virt)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: sm: fix FIQ from normal world

When compiled with "CFG_SM_NO_CYCLE_COUNTING=y" sm_save_unbanked_regs()
doesn't return with r0 pointing to ctx->nsec.r8 even if that's assumed
in sm_fiq_entr

core: arm: sm: fix FIQ from normal world

When compiled with "CFG_SM_NO_CYCLE_COUNTING=y" sm_save_unbanked_regs()
doesn't return with r0 pointing to ctx->nsec.r8 even if that's assumed
in sm_fiq_entry(). Fixes this by calculating the pointer based on sp
instead or relying on a certain value in r0.

Fixes: 8267e19bbcce ("core: arm: sm: initialize PMCR.DP to 1 and save/restore PMCR")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: sm: initialize PMCR.DP to 1 and save/restore PMCR

Introduce CFG_SM_NO_CYCLE_COUNTING to intitialize PMCR.DP to 1 and
save/restore PMCR on world switch. Similar to what is done in ARM TF
c

core: arm: sm: initialize PMCR.DP to 1 and save/restore PMCR

Introduce CFG_SM_NO_CYCLE_COUNTING to intitialize PMCR.DP to 1 and
save/restore PMCR on world switch. Similar to what is done in ARM TF
commit 3e61b2b54336 ("Init and save / restore of PMCR_EL0 / PMCR") [1].

The purpose of this is to (hopefully) make attacks such as CLKSCREW [2]
harder to mount, although it is likely that timing information could be
obtained via other means.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Link: [1] https://github.com/ARM-software/arm-trusted-firmware/commit/3e61b2b54336
Link: [2] https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm: sm: rename struct sm_mode_regs to sm_unbanked_regs

struct sm_mode_regs will soon be used to store one non-banked register
other then the mode registers (PMCR). Rename it to sm_unbanked_re

core: arm: sm: rename struct sm_mode_regs to sm_unbanked_regs

struct sm_mode_regs will soon be used to store one non-banked register
other then the mode registers (PMCR). Rename it to sm_unbanked_regs.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Remove license notice from STMicroelectronics files

Since a while the source files license info are defined by SPDX
identifiers. We can safely remove the verbose license text from the
files that are

Remove license notice from STMicroelectronics files

Since a while the source files license info are defined by SPDX
identifiers. We can safely remove the verbose license text from the
files that are owned by either only STMicroelectronics or only both
Linaro and STMicroelectronics.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

build: include <generated/asm-defines.h> instead of <asm-defines.h>

Make it clear that asm-defines.h is not to be found in the sources
since it is generated.

Signed-off-by: Jerome Forissier <jerome

build: include <generated/asm-defines.h> instead of <asm-defines.h>

Make it clear that asm-defines.h is not to be found in the sources
since it is generated.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: sm_a32: add missing isb after scr change

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <

core: sm_a32: add missing isb after scr change

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: enable ACTLR_CA8_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA8_ENABLE_INVALIDATE_BTB (ACTLR[6]) in generic boot if
compiled with CFG_CORE_WORKAROUND_SPECTRE_BP or
CFG_CORE_WORKAROUND_SPECTRE_BP_SEC

arm32: enable ACTLR_CA8_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA8_ENABLE_INVALIDATE_BTB (ACTLR[6]) in generic boot if
compiled with CFG_CORE_WORKAROUND_SPECTRE_BP or
CFG_CORE_WORKAROUND_SPECTRE_BP_SEC and the cpu is discovered to be
Cortex-A8.

Fixes CVE-2017-5715
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: sm: init CNTVOFF

There is an property "arm,cpu-registers-not-fw-configured" in Linux side,
that could workaround the issue that firmare initialize CNTVOFF.

But if use that property, virtuali

arm32: sm: init CNTVOFF

There is an property "arm,cpu-registers-not-fw-configured" in Linux side,
that could workaround the issue that firmare initialize CNTVOFF.

But if use that property, virtualization support will be break in linux.

Also without CNTVOFF or that property no defined, kernel could not
boot up on i.MX7D with two cores.

So we init CNTVOFF in OP-TEE to make kernel work well.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: sm_a32.S: fix assembly errors

Fixes assembly error:
AS out/arm/core/arch/arm/sm/sm_a32.o
core/arch/arm/sm/sm_a32.S: Assembler messages:
core/arch/arm/sm/sm_a32.S:354: Error: invalid con

core: arm32: sm_a32.S: fix assembly errors

Fixes assembly error:
AS out/arm/core/arch/arm/sm/sm_a32.o
core/arch/arm/sm/sm_a32.S: Assembler messages:
core/arch/arm/sm/sm_a32.S:354: Error: invalid constant (c08) after fixup
core/arch/arm/sm/sm_a32.S:356: Error: invalid constant (c09) after fixup
core/arch/arm/sm/sm_a32.S:358: Error: invalid constant (c0e) after fixup
core/arch/arm/sm/sm_a32.S:363: Error: invalid constant (c0f) after fixup
mk/compile.mk:146: recipe for target 'out/arm/core/arch/arm/sm/sm_a32.o' failed

Fixes: 2ac6322d1ab1 ("core: arm32: sm: runtime selection of spectre workaround")
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (QEMU v7)
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: sm: runtime selection of spectre workaround

Adds runtime selection of spectre workaround. Special treatment for
Cortex A-15 CPUs on which BPIALL isn't effective and requires a ICIALLU
i

core: arm32: sm: runtime selection of spectre workaround

Adds runtime selection of spectre workaround. Special treatment for
Cortex A-15 CPUs on which BPIALL isn't effective and requires a ICIALLU
instead.

Fixes CVE-2017-5715

Fixes: 3bc90f3d3ecd ("core: arm32: sm: invalidate branch predictor")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...