spmc: fix FF-A manifest boot-order handling

According to the official manifest binding documentation [1], all
integer properties must be defined as 32-bit wide DTB properties.
However, the OP-TEE SP

spmc: fix FF-A manifest boot-order handling

According to the official manifest binding documentation [1], all
integer properties must be defined as 32-bit wide DTB properties.
However, the OP-TEE SPMC previously implemented the boot-order property
as a 16-bit value. This patch corrects that inconsistency by adding
support for the correct 32 bit representation while keeping backwards
compatibility.

Recent changes in TF-A’s build tooling have broken support for manifest
files using the "/bits/" width specifier. This update restores
compatibility by eliminating the need to use them.

[1] FF-A Manifest Binding
Link: https://trustedfirmware-a.readthedocs.io/en/v2.12.0/components/ffa-manifest-binding.html

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-k3: drivers: ti-sci: Add support for setting KEYREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_KEYREV. This
allows for incrementing the key revision counter.

Signed-off-by: Andrew

plat-k3: drivers: ti-sci: Add support for setting KEYREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_KEYREV. This
allows for incrementing the key revision counter.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Add support for setting SWREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_SWREV. This
allows for incrementing the software revision counter.

Signed-off-by: And

plat-k3: drivers: ti-sci: Add support for setting SWREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_SWREV. This
allows for incrementing the software revision counter.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Fix struct name in comments for OTP functions

A couple of the documented names for the OTP functions do not match
the struct names being documented. Fix this.

Signed-off-b

plat-k3: drivers: ti-sci: Fix struct name in comments for OTP functions

A couple of the documented names for the OTP functions do not match
the struct names being documented. Fix this.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_iwdg: remove OTP access in driver

Now we know if the watchdog is running by reading the hardware,
there is no need to read the OTP fuses related to the watchdog.
This allows removing

drivers: stm32_iwdg: remove OTP access in driver

Now we know if the watchdog is running by reading the hardware,
there is no need to read the OTP fuses related to the watchdog.
This allows removing platform function stm32_get_iwdg_otp_config()
and consequently stm32_iwdg.h header file.

Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

plat-rockchip: rk3399: remove GIC configuration

From commit 773c05f417fa ("irqchip/gic-v3: Work around insecure GIC
integrations") in the Linux kernel it appears that the hardware
integration of the

plat-rockchip: rk3399: remove GIC configuration

From commit 773c05f417fa ("irqchip/gic-v3: Work around insecure GIC
integrations") in the Linux kernel it appears that the hardware
integration of the GIC500 isn't correct. For v6.13 kernels which
includes that commit this has the effect of OP-TEE printing and endless
stream of:
D/TC:0 0 gic_native_itr_handler:971 Special interrupt 1023

Fix this by removing GIC configuration for RK3399 so the device can be
used with v6.13 kernels and later.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration
parameter with CFG_DYN_CONFIG=y in later patches.

The array threads[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Tested-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: mm: shared xlat tables for NEX_DYN_VASPACE

Mappings in MEM_AREA_NEX_DYN_VASPACE belong to the nexus and are must to
be the same for all partitions. Since these mappings must be updated in
the

core: mm: shared xlat tables for NEX_DYN_VASPACE

Mappings in MEM_AREA_NEX_DYN_VASPACE belong to the nexus and are must to
be the same for all partitions. Since these mappings must be updated in
the partitions after the MMU has been enabled. Partitions share
translation tables for this mappings, so we only need to update in one
translation table when adding or removing mappings.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: dynamic allocation of thread_core_local and its stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local
and the two stacks, tmp_stack and abt_stack, recorded in it.

Si

core: dynamic allocation of thread_core_local and its stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local
and the two stacks, tmp_stack and abt_stack, recorded in it.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add core_count to thread_init_thread_core_local()

Add a core_count parameter to thread_init_thread_core_local() to enable
dynamic configuration of the number of supported cores when configured

core: add core_count to thread_init_thread_core_local()

Add a core_count parameter to thread_init_thread_core_local() to enable
dynamic configuration of the number of supported cores when configured
with CFG_DYN_STACK_CONFIG=y, or it must be equal to
CFG_TEE_CORE_NB_CORE. This is needed in later patches where the number
of cores is configured dynamically.

The array thread_core_local[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: virt: share TA memory with core

With CFG_NS_VIRTUALIZATION=y it is assumed that all physical OP-TEE
memory, core and TA, is equally secure. When a guest is created,
register the allocated

core: arm: virt: share TA memory with core

With CFG_NS_VIRTUALIZATION=y it is assumed that all physical OP-TEE
memory, core and TA, is equally secure. When a guest is created,
register the allocated physical TA memory in the physical core memory
pool instead of physical TA memory pool. This lets the partition to
allocate from a single pool reserved for the partition instead of trying
to guess how much core memory it might need.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: mm: fix core_mmu_xlat_table_alloc() for nexus

core_mmu_xlat_table_alloc() allocates new translation tables from
boot_mem until during early boot and after the MMU has been enabled with
ne

core: arm: mm: fix core_mmu_xlat_table_alloc() for nexus

core_mmu_xlat_table_alloc() allocates new translation tables from
boot_mem until during early boot and after the MMU has been enabled with
nex_phys_mem_core_alloc() or phys_mem_core_alloc(). However, the logic
selecting which function to call doesn't take the default partition into
account. The default partition has only a nexus physical memory pool so
nex_phys_mem_core_alloc() must be called if that partition is active. So
fix the problem with an extra check for default_partition.

Fixes: a28e4a0fe48d ("core: arm: mm: dynamic allocation of LPAE translation tables")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-ti: replace stack_tmp_stride usage

The function resume_springboard() needs to restore the tmp_stack before
the rest of the resume process can be started. Since the commit
05994c760d5d ("core: t

plat-ti: replace stack_tmp_stride usage

The function resume_springboard() needs to restore the tmp_stack before
the rest of the resume process can be started. Since the commit
05994c760d5d ("core: thread: get stacks from recorded end-va") we can
now read the address of the tmp_stack from thread_core_local. So update
resume_springboard() as needed.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm64: increase tmp stack size for debug

Increase STACK_TMP_SIZE when CFG_CORE_DEBUG_CHECK_STACKS=y.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jero

core: arm64: increase tmp stack size for debug

Increase STACK_TMP_SIZE when CFG_CORE_DEBUG_CHECK_STACKS=y.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: ffa: add test logical SP

Add a test LSP with UUID 54b5440e-a3d2-48d1-872a-7b6cbfc34855 to see
that LSPs can be found and reached from the normal world.

Signed-off-by: Jens Wiklander <jen

core: arm: ffa: add test logical SP

Add a test LSP with UUID 54b5440e-a3d2-48d1-872a-7b6cbfc34855 to see
that LSPs can be found and reached from the normal world.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: arm: ffa: add framework for Logical SPs

Add a framework to register Logical Secure Partitions in parallel with
OP-TEE at S-EL1. This is akin to Pseudo TAs, it provides an ABI but it's
part of

core: arm: ffa: add framework for Logical SPs

Add a framework to register Logical Secure Partitions in parallel with
OP-TEE at S-EL1. This is akin to Pseudo TAs, it provides an ABI but it's
part of the OP-TEE binary. A critical difference is that it's only
available for FF-A and can only use the non-threaded environment, that
is, no mutexes or RPC.

The logical OP-TEE core partition is registered in the framework. The
SPMC is also registered in the framework, but with a nil UUID so it's
not returned by FFA_PARTITION_INFO_GET.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: ffa: only accept FFA_RUN for S-EL0 SPs

OP-TEE core is never preemted with FFA_INTERRUPT so it must never be
resumed with FFA_RUN. However, S-EL0 SPs are preempted with
FFA_INTERRUPT so those a

core: ffa: only accept FFA_RUN for S-EL0 SPs

OP-TEE core is never preemted with FFA_INTERRUPT so it must never be
resumed with FFA_RUN. However, S-EL0 SPs are preempted with
FFA_INTERRUPT so those are still resumed using FFA_RUN.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: ffa: sp_partition_info_get() takes uuid_words[]

Replace the TEE_UUID *ffa_uuid parameter with uint32_t ffa_uuid_words[4]
to simplify how sp_partition_info_get() is called.

Signed-off-by: Jens

core: ffa: sp_partition_info_get() takes uuid_words[]

Replace the TEE_UUID *ffa_uuid parameter with uint32_t ffa_uuid_words[4]
to simplify how sp_partition_info_get() is called.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: ffa: add spmc_is_reserved_id()

Add spmc_is_reserved_id() and replace direct checks against spmd_id and
spmc_id. spmd_id and spmc_id are changed to static variables since they
don't need to be

core: ffa: add spmc_is_reserved_id()

Add spmc_is_reserved_id() and replace direct checks against spmd_id and
spmc_id. spmd_id and spmc_id are changed to static variables since they
don't need to be exported any longer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: applies FF-A v1.2 features on StandaloneMm

edk2's StandaloneMm will be applied with FF-A v1.2.
while applying, StandaloneMm doesn't create anymore PHIT hob by itself
but it should be passed fr

core: applies FF-A v1.2 features on StandaloneMm

edk2's StandaloneMm will be applied with FF-A v1.2.
while applying, StandaloneMm doesn't create anymore PHIT hob by itself
but it should be passed from other software stack.

To make StandaloneMm runs properly, create Hob information and
deliver it using FF-A Boot protocol according to FF-A specification [1].

Also, apply FF-A management protocol to change it [2] to
get/set memory permission instead of using DIRECT_REQ_MSG.

Also, implements some FF-A ABIs to communication StandaloneMm properly.

Link: https://developer.arm.com/documentation/den0077/latest [1]
Link: https://developer.arm.com/documentation/den0140/latest [2]

Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>

show more ...

core: arm: remove $(libgcccore) usage

Remove all remaining $(libgcccore) usage now that
lib/libutils/compiler-rt provides the needed bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: arm: remove $(libgcccore) usage

Remove all remaining $(libgcccore) usage now that
lib/libutils/compiler-rt provides the needed bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the loa

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the load address. The physical memory pool is initialized with the entire
range of secure memory, with holes carved out for already used memory.

Temporarily allocate the physical memory used by the manifest until it's
not needed any longer and released by release_manifest_dt().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

plat-k3: drivers: add platform flavors for 62A and 62P devices

Even though the SA2UL integration on the AM62Ax and AM62Px platforms are
functionally identical to the AM62x platforms many, when build

plat-k3: drivers: add platform flavors for 62A and 62P devices

Even though the SA2UL integration on the AM62Ax and AM62Px platforms are
functionally identical to the AM62x platforms many, when building
OP-TEE manually, are using the platform name they are building for and
not 'am62x' which leaves SA2UL_BASE undefined and to failed builds:

In file included from core/include/mm/core_memprot.h:9,
from core/include/kernel/interrupt.h:10,
from core/arch/arm/plat-k3/drivers/sa2ul_rng.c:12:
core/arch/arm/plat-k3/./platform_config.h:91:34: error: ‘SA2UL_BASE’ undeclared here (not in a function); did you mean ‘SCU_BASE’?
91 | #define RNG_BASE (SA2UL_BASE + 0x10000)
| ^~~~~~~~~~

For now let's just define the AM62Ax and AM62Px platform flavors
identical to how AM62x is defined and include an #else statement to
catch when a undefined platform flavor tries to build the SA2UL driver

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Bryan Brattlof <bb@ti.com>

show more ...

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution.

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution. This can lead to an inconsistent state if a
native interrupt occur while ftrace_enter() or ftrace_return() is
recording data in the ftrace buffer. So fix this by using
thread_is_in_normal_mode() to exclude ftrace during interrupt
processing.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7216
Fixes: 099918f6744c ("ftrace: Add support for syscall function tracer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: arm: update recorded SP first after MMU is enabled

With CFG_CORE_ASLR=y, stored addresses must be updated after MMU has
been enabled to match the map offset. In particular the recorded stack
p

core: arm: update recorded SP first after MMU is enabled

With CFG_CORE_ASLR=y, stored addresses must be updated after MMU has
been enabled to match the map offset. In particular the recorded stack
pointers in thread_core_local[] must be updated to match the new offset
before any calls can be done into C code or check_stack_limits() with
CFG_CORE_DEBUG_CHECK_STACKS=y might catch an inconsistent stack pointer.

Currently, boot_mem_relocate() is called before the recorded stack
pointers have been updated and causes a crash with CFG_CORE_ASLR=y and
CFG_CORE_DEBUG_CHECK_STACKS=y. So fix this by calling delaying the call
to boot_mem_relocate() to after the stack pointers in
thread_core_local[] has been updated.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7363
Fixes: ea991d7459f6 ("core: arm: remove THREAD_CORE_LOCAL_STACKCHECK_RECURSION")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...