pta_stats: add support for nex_malloc stats

Add statistic for OP-TEE nexus memory allocator.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@li

pta_stats: add support for nex_malloc stats

Add statistic for OP-TEE nexus memory allocator.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core_self_tests.c: add tests for nex_malloc

Now, when we have separate allocator for nexus
part of OP-TEE, it is good to add tests for it.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>

core_self_tests.c: add tests for nex_malloc

Now, when we have separate allocator for nexus
part of OP-TEE, it is good to add tests for it.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: Use generic memory layout

plat-rcar have quite standard memory layout, so there is no sense
to maintain separate configuration if it possible to use generic
one.

Signed-off-by: Volodymyr

plat-rcar: Use generic memory layout

plat-rcar have quite standard memory layout, so there is no sense
to maintain separate configuration if it possible to use generic
one.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta_stats: add memleak function

Adds a memleak function to the status PTA which calls mdbg_check(1)
to dump all allocations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed

core: pta_stats: add memleak function

Adds a memleak function to the status PTA which calls mdbg_check(1)
to dump all allocations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix get_elf_segments() segs initialization

get_elf_segments() doesn't initialize the returned segs array properly,
some fields are left uninitialized. Fix this by doing a compound
assignment w

core: fix get_elf_segments() segs initialization

get_elf_segments() doesn't initialize the returned segs array properly,
some fields are left uninitialized. Fix this by doing a compound
assignment when initializing new elements in the array.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ta_open(): free allocated memory on error

In error condition on checking "ta_size", was returning
error from function without cleaning allocated memory.

Signed-off-by: Sahil Malhotra <sahil.m

core: ta_open(): free allocated memory on error

In error condition on checking "ta_size", was returning
error from function without cleaning allocated memory.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Fixes: https://github.com/OP-TEE/optee_os/pull/2776
[jf: minor edits to commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

scripts: re-indent Python scripts

Fixes the following warnings:

$ pycodestyle --version
2.5.0

$ pycodestyle scripts/*.py
scripts/bin_to_c.py:15:9: E117 over-indented
scripts/bin_to_c.py:34:9:

scripts: re-indent Python scripts

Fixes the following warnings:

$ pycodestyle --version
2.5.0

$ pycodestyle scripts/*.py
scripts/bin_to_c.py:15:9: E117 over-indented
scripts/bin_to_c.py:34:9: E117 over-indented
scripts/bin_to_c.py:37:17: E117 over-indented
scripts/bin_to_c.py:49:17: E117 over-indented
scripts/bin_to_c.py:50:25: E117 over-indented
scripts/bin_to_c.py:54:25: E117 over-indented
scripts/bin_to_c.py:56:25: E117 over-indented
scripts/bin_to_c.py:62:9: E117 over-indented

$ cd core/arch/arm/plat-stm32mp1/scripts; \
pycodestyle stm32image.py
stm32image.py:21:9: E117 over-indented
stm32image.py:27:9: E117 over-indented
stm32image.py:29:17: E117 over-indented
stm32image.py:39:9: E117 over-indented
stm32image.py:77:9: E117 over-indented
stm32image.py:84:17: E117 over-indented
stm32image.py:96:9: E117 over-indented
stm32image.py:100:9: E117 over-indented
stm32image.py:125:9: E117 over-indented
stm32image.py:140:9: E117 over-indented

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoS with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-o

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoS with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Reviewed-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
Reviewed-by: Scott Branden <scott.branden@broadcom.com>
Reviewed-by: Pramod Kumar <pramod.kumar@broadcom.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("Support ARM GICv3 mode")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <j

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Mac

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range i

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range is unaligned the last page in the range is sometimes not checked.
With this patch the first address of each page in the range is checked
to simplify the logic of checking each page and the range and also to
cover the last page under all circumstances.

Fixes: OP-TEE-2018-0005: "tee_mmu_check_access_rights does not check
final page of TA buffer"

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range t

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range to be used of the MOBJ was not checked here and relied on
later checks further down the chain. Those checks seems to be enough
for user TAs, but not for pseudo TAs where the size isn't checked.

This patch adds a check for offset and size to see that they remain
inside the memory covered by the MOBJ.

Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from
REE".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the p

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the previous query. However, there is no guarantee that the REE
actually allocates the requested size. A compromised REE could for
example modify the RPC request. This means that even though an
allocation is successful, we still need to check that the size of the
allocated buffer has room to fit the entire TA we are about to load.

Fixes: "REE provided size not checked when loading TAs" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Load

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Loading from secure storage returns success with uninitialized
pointer" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally free up memory based on the

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally free up memory based on the values from saved_attr and
therefore saved_attr must be initialized with a proper value in case the
functions that are supposed to fill in correct attributes are failing.

Fixes: "Use of uninitialized variable in REE exposed function" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory poo

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory pool, meaning that we did not clear all memory
and because of that we could potentially leak code and data of a
previous loaded TA.

Fixes: OP-TEE-2018-0006: "Potential disclosure of previously loaded TA
code and data"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with Glo

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with GlobalPlatform tests).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissie

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: early console configuration

This change allows the OP-TEE configuration to select the UART
instance used as OP-TEE console. This change also prepares
a next step where the console is selec

stm32mp1: early console configuration

This change allows the OP-TEE configuration to select the UART
instance used as OP-TEE console. This change also prepares
a next step where the console is selected from device tree
directives.

Map all secure and non-secure UARTs, only the expected virtual
areas will be accessed at runtime.

Value 23 chosen for CFG_MMAP_REGIONS is more than required. As
later changes will introduce new drivers, this value is expected
affordable (memory footprint) and allow new drivers to land without
needed to increment a static value.

CFG_STM32_EARLY_CONSOLE_UART also to specify the hard coded UART
interface used for early trace console.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: minor base address cleanup

Add few comments in platform_config.h to macros split definition
by topics.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech

stm32mp1: minor base address cleanup

Add few comments in platform_config.h to macros split definition
by topics.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

Thi

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

This change adds a secure flag to the UART device instance for
used to get the appropriate virtual address when required.
An UART bus could be used by the secure world in secure mode or
in non-secure mode. A bus to a secure element likely mandates
secure hardening of the UART. A debug console over a non-secure
UART link may require the UART resources to be assigned to the
non-secure world.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

synquacer: Enable rng-pta as kernel device

Add TA_FLAG_DEVICE_ENUM flag to rng-pta header.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

synquacer: Enable rng-pta as kernel device

Add TA_FLAG_DEVICE_ENUM flag to rng-pta header.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: Add device pseudo TA

This pseudo TA enumerates OP-TEE pseudo TAs which can act as devices/
services for Linux TEE bus driver. For differentiation of such devices,
added TA_FLAG_DEVICE_ENU

core: pta: Add device pseudo TA

This pseudo TA enumerates OP-TEE pseudo TAs which can act as devices/
services for Linux TEE bus driver. For differentiation of such devices,
added TA_FLAG_DEVICE_ENUM optional flag in pseudo TA header.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...