Remove deprecated ldm/stm instructions

Some uses of SP, PC and LR in the register list of Load/Store Multiple
instructions is forbidden (Thumb) or deprecated (ARM) as per the ARM
ARM DDI 0406 C.d. F

Remove deprecated ldm/stm instructions

Some uses of SP, PC and LR in the register list of Load/Store Multiple
instructions is forbidden (Thumb) or deprecated (ARM) as per the ARM
ARM DDI 0406 C.d. For the LDM instructions, SP should not be in the
list, and the list should not contain both PC and LR. See sections:

[A8.8.58] LDM/LDMIA/LDMFD (Thumb)
[A8.8.59] LDM/LDMIA/LDMFD (ARM)
[A8.8.60] LDMDA/LDMFA
[A8.8.61] LDMDB/LDMEA
[A8.8.62] LDMIB/LDMED

For the STM instructions, neither SP nor PC should be in the list. See
sections:

[A8.8.200] STM (STMIA, STMEA)
[A8.8.201] STMDA (STMED)
[A8.8.202] STMDB (STMFD)
[A8.8.203] STMIB (STMFA)

Clang warns on the deprecated constructs. Use ldr/str instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core_mmu: fix "outside of array bounds" warning

Newest versions of GCC (v9.1.0 at least) are unhappy about subtraction
from array pointer:

core/arch/arm/mm/core_mmu.c: In function 'core_init_mmu_ma

core_mmu: fix "outside of array bounds" warning

Newest versions of GCC (v9.1.0 at least) are unhappy about subtraction
from array pointer:

core/arch/arm/mm/core_mmu.c: In function 'core_init_mmu_map':
core/arch/arm/mm/core_mmu.c:523:30: warning: array subscript -1 is outside array bounds of 'const struct core_mmu_phys_mem[]' [-Warray-bounds]
523 | for (mem = start; mem < end - 1; mem++) {
| ~~~~^~~
In file included from core/include/initcall.h:9,
from core/arch/arm/include/kernel/generic_boot.h:8,
from core/arch/arm/mm/core_mmu.c:11:
core/include/scattered_array.h:100:29: note: while referencing '__scattered_array_end'
100 | static const element_type __scattered_array_end[0] __unused \
| ^~~~~~~~~~~~~~~~~~~~~

This is valid warning, as such pointer arithmetic produces undefined
behavior according to paragraph 5.6.5.8 of C99 standard. On other hand
the standard allows pointers that point past the last element of
array, so expression "mem + 1" is valid.

Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core_self_tests.c: build with -fno-builtin

The memory tests in core_self_tests.c call the malloc()/calloc() API
without doing anything meaningful with the output. It turns out that a
clever compiler

core_self_tests.c: build with -fno-builtin

The memory tests in core_self_tests.c call the malloc()/calloc() API
without doing anything meaningful with the output. It turns out that a
clever compiler (read: Clang) will detect this and aggressively
optimize the code, to the point that a call to calloc() is removed
entirely. Here is a reduced test case for the record:

$ cat test.c
#include <stdlib.h>

int main(int argc, char *argv[])
{
return calloc(1000000, 1) ? 1 : 0;
}
$ clang --target=arm-linux-gnueabihf -Os -c test.c
$ llvm-objdump -d test.o

test.o: file format ELF32-arm-little

Disassembly of section .text:
0000000000000000 main:
0: 01 00 a0 e3 mov r0, #1
4: 1e ff 2f e1 bx lr

No call to calloc() in the generated code! As strange as it may seem,
this is reportedly a valid behavior for the compiler [1].

This optimization is obviously not wanted for the test that tries to
check that allocation of a very large buffer fails in OP-TEE.

This commit adds the -fno-builtins flag to the compiler command for that
particular source file, thus preventing the optimization and making the
test pass.

Link: [1] https://bugs.llvm.org/show_bug.cgi?id=37304
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: cast parameter to (void *) when using %p in EMSG()

Fixes the following Clang warning:

core/arch/arm/kernel/generic_boot.c:395:12: warning: format specifies type 'void *' but the argument

core: cast parameter to (void *) when using %p in EMSG()

Fixes the following Clang warning:

core/arch/arm/kernel/generic_boot.c:395:12: warning: format specifies type 'void *' but the argument
has type 'const uint8_t *' (aka 'const unsigned char *') [-Wformat-pedantic]
n, page, res);
^~~~

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: thread.c: increase stack_tmp size from 1.5 to to 2KiB

We get a dead canary error when booting QEMU with OP-TEE compiled with
Clang. Increase stack size a bit to fix the issue.

Signed-off

core: arm: thread.c: increase stack_tmp size from 1.5 to to 2KiB

We get a dead canary error when booting QEMU with OP-TEE compiled with
Clang. Increase stack size a bit to fix the issue.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: link.mk: generate empty tee-pageable.bin when pager is disabled

When CFG_WITH_PAGER != y, there is no need to call $(OBJCOPY) to
generate tee-pageable.bin, since we know it will be empty. Use

core: link.mk: generate empty tee-pageable.bin when pager is disabled

When CFG_WITH_PAGER != y, there is no need to call $(OBJCOPY) to
generate tee-pageable.bin, since we know it will be empty. Use 'touch'
instead.

This fixes an error with Clang, caused by the fact that llvm-objcopy
cannot generate an empty file:

llvm-objcopy: error: failed to open out/arm-plat-vexpress/core/tee-pageable.bin: Invalid argument.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: initialize struct with = { }

The proper way to initialize structures is with = { }. Fixes a Clang
warning:

core/arch/arm/kernel/unwind_arm32.c:497:38: warning: suggest braces around i

core: arm32: initialize struct with = { }

The proper way to initialize structures is with = { }. Fixes a Clang
warning:

core/arch/arm/kernel/unwind_arm32.c:497:38: warning: suggest braces around initialization of subobject [-Wmissing-braces]
struct unwind_state_arm32 state = { 0 };
^
{}

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread_a32.S: use assembler unified syntax (UAL)

The movnes instruction causes a compilation warning with Clang:

core/arch/arm/kernel/thread_a32.S:250:2: error: instruction 'movne' can not s

core: thread_a32.S: use assembler unified syntax (UAL)

The movnes instruction causes a compilation warning with Clang:

core/arch/arm/kernel/thread_a32.S:250:2: error: instruction 'movne' can not set flags, but 's' suffix specified
movnes pc, lr
^

This is because Clang supports only Unified Assembler Language syntax
(UAL). GCC also supports this syntax, and there are two ways to enable
it: either use the -masm-syntax-unified flag, or the ".syntax unified"
directive. Unfortunately, the first option does not work with GCC 8.2
[1]. Therefore, use the second option.

This modification results in identical code being generated with GCC
for the whole thread_a32.o file. And Clang generates the same code as
GCC for the the 'movsne pc, lr' instruction.

Link: [1] https://github.com/gcc-mirror/gcc/commit/2fd2b9b8425f
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm: remove -mthumb-interwork

The GCC compiler flag -mthumb-interwork is useful only for pre-v5 Arm
architectures and is not supported by Clang. Remove it.

Signed-off-by: Jerome Forissier <jerome.f

arm: remove -mthumb-interwork

The GCC compiler flag -mthumb-interwork is useful only for pre-v5 Arm
architectures and is not supported by Clang. Remove it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add C compiler version to identification string

Adds the compiler version to the string that is printed to the secure
console when OP-TEE initializes. For example:

"(gcc version 6.2.1 201610

core: add C compiler version to identification string

Adds the compiler version to the string that is printed to the secure
console when OP-TEE initializes. For example:

"(gcc version 6.2.1 20161016 (Linaro GCC 6.2-2016.11))"
"(clang version 8.0.0 (tags/RELEASE_800/final))"

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: kernel_generic_entry_a64.S: support CFG_DT_ADDR

Add CFG_DT_ADDR for a64 to override the DT address passing
through arg2.

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Reviewed-b

core: kernel_generic_entry_a64.S: support CFG_DT_ADDR

Add CFG_DT_ADDR for a64 to override the DT address passing
through arg2.

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

show more ...

dts: stm32mp1: default disable RCC secure hardening

This change disables security hardening of the RCC hardware interface
of ST boards. This allows one to use the upstream Linux kernel 5.2
in which

dts: stm32mp1: default disable RCC secure hardening

This change disables security hardening of the RCC hardware interface
of ST boards. This allows one to use the upstream Linux kernel 5.2
in which stm32mp1 platforms do not yet support hardened secure RCC.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: refuse to release enabled RCC hardening

With this change, platform panics when DT directives states RCC is
fully assigned to non-secure while SoC was configured by early
boot stage with RC

stm32mp1: refuse to release enabled RCC hardening

With this change, platform panics when DT directives states RCC is
fully assigned to non-secure while SoC was configured by early
boot stage with RCC TZ hardening enabled.

When RCC TZ hardening is disabled, non-secure world could alter RCC
related configuration. Such a setup is allowed only if early boot
stage disabled RCC TZ hardening, OP-TEE DT states the same and
device is not in closed_device mode.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: introduce stm32_bsec_is_closed_device()

stm32_bsec_is_closed_device() states if the platform fuses state
a closed_device or not.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

stm32mp1: introduce stm32_bsec_is_closed_device()

stm32_bsec_is_closed_device() states if the platform fuses state
a closed_device or not.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fix icache_inv_user_range in AArch64

Prior to this patch in the AArch64 version of icache_inv_user_range()
ttbr0_el1 was overwritten with garbage if CFG_CORE_UNMAP_CORE_AT_EL0=n.
This patch fi

core: fix icache_inv_user_range in AArch64

Prior to this patch in the AArch64 version of icache_inv_user_range()
ttbr0_el1 was overwritten with garbage if CFG_CORE_UNMAP_CORE_AT_EL0=n.
This patch fixes this by instead modifying previously read value.

Fixes: 79083642a114 ("core: add icache_inv_user_range()")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ftrace: Enable support for 32 bit apps

By default 32 bit trusted applications are compiled in thumb mode but
thumb mode doesn't support function graph tracing due to missing frame
pointer support re

ftrace: Enable support for 32 bit apps

By default 32 bit trusted applications are compiled in thumb mode but
thumb mode doesn't support function graph tracing due to missing frame
pointer support required to trace function call chain. So rather compile
trusted applications in ARM mode in case function tracing is enabled.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: pager: use icache_inv_user_range()

Prior to this patch the entire icache was invalidated when icache
invalidations was needed, even if it only was for a single page. This
was needed to reach a

core: pager: use icache_inv_user_range()

Prior to this patch the entire icache was invalidated when icache
invalidations was needed, even if it only was for a single page. This
was needed to reach a stable state with regards to paging user TAs.

With this patch a new function, icache_inv_user_range(), is used to
invalidate pages used by user TAs and icache_inv_range() is used instead
to invalidate kernel mode pages.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: use tlbi_mva_asid() where applicable

Instead of invalidating a virtual address for all ASIDs only target the
relevant ones. For kernel mode mappings all ASIDs still needs to be
targeted

core: pager: use tlbi_mva_asid() where applicable

Instead of invalidating a virtual address for all ASIDs only target the
relevant ones. For kernel mode mappings all ASIDs still needs to be
targeted though.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add tlbi_mva_asid()

Adds tlbi_mva_asid() to invalidate one TLB entry, typically page sized,
selected by virtual address and address identifier. The function targets
both the kernel mode and us

core: add tlbi_mva_asid()

Adds tlbi_mva_asid() to invalidate one TLB entry, typically page sized,
selected by virtual address and address identifier. The function targets
both the kernel mode and user mode address identifiers at the same time.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64.h: add tlbi_vale1is()

Adds tlbi_vale1is() which is a wrapper around inline assembly code to
execute "tlbi vale1is". The operation is described as "TLB Invalidate
by VA, Last level, EL1,

core: arm64.h: add tlbi_vale1is()

Adds tlbi_vale1is() which is a wrapper around inline assembly code to
execute "tlbi vale1is". The operation is described as "TLB Invalidate
by VA, Last level, EL1, Inner Shareable" in the ARM ARM.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32.h: add TLBI_{MVA_SHIFT,ASID_MASK}

Adds TLBI macros to help formatting source register for TLB
invalidations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: J

core: arm32.h: add TLBI_{MVA_SHIFT,ASID_MASK}

Adds TLBI macros to help formatting source register for TLB
invalidations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: use dcache_clean_range_pou()

Pager uses dcache_clean_range_pou() when cleaning pages before
invalidating icache for that page. Prior to this patch
dcache_clean_range() was used indirect

core: pager: use dcache_clean_range_pou()

Pager uses dcache_clean_range_pou() when cleaning pages before
invalidating icache for that page. Prior to this patch
dcache_clean_range() was used indirectly which cleans the range to point
of coherency instead of point of unification.

With this patch we're likely to save one data cache level by only
cleaning level 1 instead of level 1 and 2. This assumes separate data
and instructions caches level 1 and a unified data cache at level 2

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add dcache_clean_range_pou()

Adds dcache_clean_range_pou() which cleans the data cache to the point
of unification. This is exactly what's needed when later invalidating
the icache due to upda

core: add dcache_clean_range_pou()

Adds dcache_clean_range_pou() which cleans the data cache to the point
of unification. This is exactly what's needed when later invalidating
the icache due to updates in a page.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: cache_helpers_a{32,64}.S: remove section assignments

Since the FUNC and LOCAL_FUNC assembly macros now assign a section to
each assembly function the explicitly assigned sections in
cache_help

core: cache_helpers_a{32,64}.S: remove section assignments

Since the FUNC and LOCAL_FUNC assembly macros now assign a section to
each assembly function the explicitly assigned sections in
cache_helpers_a{32,64}.S are ignored. So remove the ignored section
assignments.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add icache_inv_user_range()

Adds icache_inv_user_range() which is used when invalidating currently
mapped user space memory. This is needed since a different ASID is
usually in use while in ke

core: add icache_inv_user_range()

Adds icache_inv_user_range() which is used when invalidating currently
mapped user space memory. This is needed since a different ASID is
usually in use while in kernel mode. So using icache_inv_range() would
normally not have any effect on user mode mappings.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...