core: provide struct user_ta_store_ops in public .h file

Moves struct user_ta_store_ops definition into the new
<kernel/user_ta_store.h> file.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro

core: provide struct user_ta_store_ops in public .h file

Moves struct user_ta_store_ops definition into the new
<kernel/user_ta_store.h> file.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Move reg_pair_*() to util.h

Moves the two functions reg_pair_to_64() and reg_pair_from_64() from the
core only .h file <kernel/misc.h> to the libutils .h file util.h to make
the functions available

Move reg_pair_*() to util.h

Moves the two functions reg_pair_to_64() and reg_pair_from_64() from the
core only .h file <kernel/misc.h> to the libutils .h file util.h to make
the functions available from TAs.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: check utc->areas before assigning tables

In tee_pager_assign_uta_tables() check that utc->areas are allocated
before assigning tables. If utc->areas are not allocated, skip the
operatio

core: pager: check utc->areas before assigning tables

In tee_pager_assign_uta_tables() check that utc->areas are allocated
before assigning tables. If utc->areas are not allocated, skip the
operation.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: vm_set_prot(): skip prot bits already set

In vm_set_prot() skip a region which already has the requested
protection bits set as requested.

Acked-by: Etienne Carriere <etienne.carriere@linaro.

core: vm_set_prot(): skip prot bits already set

In vm_set_prot() skip a region which already has the requested
protection bits set as requested.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: Add in calls to set CAAM job-ring permissions

This patch adds a call to set CAAM job-ring permissions for i.MX6 and i.MX7
processors. Since the iMX6ULL does not have a CAAM it will be ski

core: imx: Add in calls to set CAAM job-ring permissions

This patch adds a call to set CAAM job-ring permissions for i.MX6 and i.MX7
processors. Since the iMX6ULL does not have a CAAM it will be skipped but,
all other i.MX6 and i.MX7 SoCs will have their default CAAM job-ring
permissions set to normal-world.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

show more ...

core: imx: Add simple CAAM permissions set routine

When we transition to secure-world certain parts of the CAAM become opaque
to normal world. This patch adds a simple routine to set CAAM job-ring
p

core: imx: Add simple CAAM permissions set routine

When we transition to secure-world certain parts of the CAAM become opaque
to normal world. This patch adds a simple routine to set CAAM job-ring
permissions to normal-world by default.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

show more ...

pta: fix spelling error in comment

Fix a spelling error in validate_in_param().

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

plat-imx: conf: add ccimx6ulsbcpro

The Digi CCIMX6UL SBC Pro board support 256MB of RAM and the default
UART is UART5.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Pe

plat-imx: conf: add ccimx6ulsbcpro

The Digi CCIMX6UL SBC Pro board support 256MB of RAM and the default
UART is UART5.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

show more ...

virt: kern.ld.S: remove PROVIDE() keyword

The linker script for the TEE core exports two symbols using the
PROVIDE() keyword. This keyword is not needed; it makes no difference
because when CFG_VIRT

virt: kern.ld.S: remove PROVIDE() keyword

The linker script for the TEE core exports two symbols using the
PROVIDE() keyword. This keyword is not needed; it makes no difference
because when CFG_VIRTUALIZATION=y the symbols are *not* defined
elsewhere, and they *are* used by a C file, so that a normal symbol will
do the same [1]. Therefore, remove the keyword.

[1]: https://sourceware.org/binutils/docs/ld/PROVIDE.html#PROVIDE
"The PROVIDE keyword may be used to define a symbol [...] only if it is
referenced but not defined."

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: fix stm32_get_gpio_bank_base()

Correct missing return in function stm32_get_gpio_bank_base(). Prior
this change, platform may fail to boot with debug trace:

E/TC:0 0 assertion 'bank <= GP

stm32mp1: fix stm32_get_gpio_bank_base()

Correct missing return in function stm32_get_gpio_bank_base(). Prior
this change, platform may fail to boot with debug trace:

E/TC:0 0 assertion 'bank <= GPIO_BANK_K' failed at core/arch/arm/plat-stm32mp1/main.c:311 <stm32_get_gpio_bank_base>

Fixes: 68c4a16b37c7 ("stm32mp1: use phys_to_virt_io_secure() where expected")

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

stm32mp1: power management for GPIOz

Ensure secure hardening of GPIOz bank pins is restored when resuming
from a low power state where configuration might be lost.

Signed-off-by: Etienne Carriere <

stm32mp1: power management for GPIOz

Ensure secure hardening of GPIOz bank pins is restored when resuming
from a low power state where configuration might be lost.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: counting GPIOZ bank pins

Get the GPIOZ bank pin count from the device tree. The shared
resources driver uses this information to validate GPIO pin numbers.

Signed-off-by: Etienne Carriere

stm32mp1: counting GPIOZ bank pins

Get the GPIOZ bank pin count from the device tree. The shared
resources driver uses this information to validate GPIO pin numbers.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: print TA stack dump from thread context

Instead of printing TA stack dump in abort mode, save the required
information and print it from user_ta_enter() in thread context. This
allows dumping

core: print TA stack dump from thread context

Instead of printing TA stack dump in abort mode, save the required
information and print it from user_ta_enter() in thread context. This
allows dumping the stack also for paged TAs.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: kern.ld.S: ignore .init section

The ELF .init section is meant to be used by program loaders to run
special initialization code before the main entry point is called. This
does not apply

core: arm: kern.ld.S: ignore .init section

The ELF .init section is meant to be used by program loaders to run
special initialization code before the main entry point is called. This
does not apply to the TEE core, and the compiler does not generate such
a section. Therefore, mentioning it in the linker script is useless.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: use phys_to_virt_io_secure() where expected

This change updates platforms and drivers to use io_pa_or_va_secure()
when expecting a secure mapped address.

PWR, RCC, GIC, TAMP, BSEC, ETZPC,

stm32mp1: use phys_to_virt_io_secure() where expected

This change updates platforms and drivers to use io_pa_or_va_secure()
when expecting a secure mapped address.

PWR, RCC, GIC, TAMP, BSEC, ETZPC, I2C are always secure (when embedded).

RNG uses a secure or non-secure mapping according to its registration in
platform shared_resource driver.

GPIOs IO memory is always access though non-secure mapped virtual
addresses.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce io_pa_or_va_{secure|nsec}()

io_pa_or_va_secure() returns the secure mapped virtual address
if MMU is enable while io_pa_or_va_nsec() would return the non-secure
mapped virtual addres

core: introduce io_pa_or_va_{secure|nsec}()

io_pa_or_va_secure() returns the secure mapped virtual address
if MMU is enable while io_pa_or_va_nsec() would return the non-secure
mapped virtual address.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: kern.ld.S: discard .interp section

tee.elf currently has an INTERP segment that contains
"/usr/lib/ld.so.1". This is totally meaningless, so remove it by
discarding the .interp section in

core: arm: kern.ld.S: discard .interp section

tee.elf currently has an INTERP segment that contains
"/usr/lib/ld.so.1". This is totally meaningless, so remove it by
discarding the .interp section in the linker script.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: bugfix mutex_destroy()

Prior to this patch mutex_destroy() was incorrectly testing the lock state.
With this patch the test is corrected to avoid panic() on unlocked mutexes.

Reviewed-by: Jer

core: bugfix mutex_destroy()

Prior to this patch mutex_destroy() was incorrectly testing the lock state.
With this patch the test is corrected to avoid panic() on unlocked mutexes.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs_ta.c: fix compile error

Fixes compile error with CFG_REE_FS_TA_BUFFERED=n:
core/arch/arm/kernel/ree_fs_ta.c:284:13: error: ‘ta_get_tag’ undeclared here (not in a function); did you mean

core: ree_fs_ta.c: fix compile error

Fixes compile error with CFG_REE_FS_TA_BUFFERED=n:
core/arch/arm/kernel/ree_fs_ta.c:284:13: error: ‘ta_get_tag’ undeclared here (not in a function); did you mean ‘ta_head’?
.get_tag = ta_get_tag,
^~~~~~~~~~
ta_head
core/arch/arm/kernel/ree_fs_ta.c:201:19: error: ‘ree_fs_ta_get_tag’ defined but not used [-Werror=unused-function]
static TEE_Result ree_fs_ta_get_tag(const struct user_ta_store_handle *h,
^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
mk/compile.mk:147: recipe for target '../out-os-qemu/core/arch/arm/kernel/ree_fs_ta.o' failed

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: common SoC registers protections

Helper functions for stm32mp1 platform to access a SoC interface
register that can be accessed from several drivers and services.
They all use a common spi

stm32mp1: common SoC registers protections

Helper functions for stm32mp1 platform to access a SoC interface
register that can be accessed from several drivers and services.
They all use a common spinlock to ensure atomic update of the
register content.

Helpers: io_mask32_stm32shregs(), io_setbits32_stm32shregs(),
io_clrbits32_stm32shregs() and io_clrsetbits32_stm32shregs().

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: simplify stm32mp_periph_is_*()

As per design shared resources explicitly registered as secure are
assigned to the secure world while other are defacto assigned to the
non-secure world.

Th

stm32mp1: simplify stm32mp_periph_is_*()

As per design shared resources explicitly registered as secure are
assigned to the secure world while other are defacto assigned to the
non-secure world.

This change remove functions stm32mp_periph_is_unregistered() and
stm32mp_periph_is_non_secure() and keeps only stm32mp_periph_is_secure()
which return value reflects whether the resource is assigned to the
secure or non-secure world.

Suggested-by: Jérôme Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: remove info traces on shared resource registering

Change verbosity of shared resource registration traces from info
to debug log level.

Signed-off-by: Etienne Carriere <etienne.carriere@l

stm32mp1: remove info traces on shared resource registering

Change verbosity of shared resource registration traces from info
to debug log level.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: thread: use READ_ONCE() when accessing data in shared memory

In some places we read a value from shared memory, then based on the
value we take some actions. When multiple tests are done, we s

core: thread: use READ_ONCE() when accessing data in shared memory

In some places we read a value from shared memory, then based on the
value we take some actions. When multiple tests are done, we should make
sure that the value is not read multiple times because there is no
guarantee that Normal World has not changed the value in the mean time,
which could break the logic. Consider for instance:

if (shared && shared->value)
do_something();

If "shared" resides in shared memory, it might change between
"if (shared)" and "if (shared->value)". If it happens to be set to NULL
for example, the code will crash.
To ensure consistency, a temporary variable has to be used to hold the
value, and the READ_ONCE() macro is required to prevent the compiler
from emitting multiple loads of the memory location.

Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: verify size of allocated shared memory

Makes sure that normal world cannot change the size of allocated shared
memory, resulting in a smaller buffer being allocated.

Suggested-by: Bastien Sim

core: verify size of allocated shared memory

Makes sure that normal world cannot change the size of allocated shared
memory, resulting in a smaller buffer being allocated.

Suggested-by: Bastien Simondi <bsimondi@netflix.com> [1.1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: scrub user-tainted memory returned by alloc_temp_sec_mem()

This is a security fix for TA-to-TA calls.

In syscall_open_ta_session() and syscall_invoke_ta_command(), caller TA
can reference som

core: scrub user-tainted memory returned by alloc_temp_sec_mem()

This is a security fix for TA-to-TA calls.

In syscall_open_ta_session() and syscall_invoke_ta_command(), caller TA
can reference some private memory, in which case the kernel makes a
temporary copy. Unfortunately, memory allocated through
alloc_temp_sec_mem() is not cleared when returned. One could leverage
this to copy arbitrary data into this secure memory pool or to snoop
former data from a previous call done by another TA (e.g., using
TEE_PARAM_TYPE_MEMREF_OUTPUT allows to map the data while not overwriting
it, hence accessing to what is already there).

This patch introduces mobj_free_wipe() to clear and free an mobj.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.5]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...