| 00338334 | 31-Oct-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: support dynamic protected memory lending
With CFG_CORE_DYN_PROTMEM=y support dynamic protected memory lending.
A new internal struct mobj_ffa_rsm is added to handle dynamic protected memory for FF-A.
A new internal struct mobj_protmem is added to handle dynamic protected memory without FF-A.
Lending non-secure memory to OP-TEE to use it as protected memory means that it should become inaccessible to the normal world as part of the process. This part is currently not supported, since it must be done in a platform-specific way for platforms that support that. QEMU doesn't support that.
Adding two platform-specific functions, plat_get_protmem_config() and plat_set_protmem_range(), for dynamic protected memory. The functions have __weak implementations to allow easier testing. However, plat_set_protmem_range() requires CFG_INSECURE=y since it doesn't change memory protection.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 46195e2f | 14-Nov-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: refactor struct mobj_ffa
Moves the non-secure shared memory specific fields of struct mobj_ffa into the new struct mobj_ffa_shm which in turn embeds struct mobj_ffa.
This prepares for another derivative of struct mobj_ffa that deals with another kind of memory.
No change in functionality.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 3c2e09b3 | 31-Oct-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: ABI description for dynamic protected memory
Extend the SMC and FF-A ABI to handle dynamic protected memory lending. The capability bits OPTEE_SMC_SEC_CAP_DYNAMIC_PROTMEM and OPTEE_FFA_SEC_CAP_PROTMEM respectively tell their availability.
OPTEE_MSG_CMD_GET_PROTMEM_CONFIG tells the minimal size and required alignment of protected memory to lend.
For the SMC ABI, OPTEE_MSG_CMD_LEND_PROTMEM lends protected memory and OPTEE_MSG_CMD_RECLAIM_PROTMEM returns the memory to normal world use.
For the FF-A ABI, an FFA_LEND framework request followed by OPTEE_MSG_CMD_ASSIGN_PROTMEM lends protected memory, and OPTEE_FFA_RELEASE_PROTMEM followed by the FFA_RECLAIM framework request returns the memory to normal world use.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
| 89f492f5 | 01-Oct-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: arm: SMC ABI to return protected memory configuration
Extend the SMC ABI to return the protected memory configuration.
A capability bit, OPTEE_SMC_SEC_CAP_PROTMEM, is added to announce that the new SMC fast call OPTEE_SMC_GET_PROTMEM_CONFIG is available. OPTEE_SMC_GET_PROTMEM_CONFIG returns the physical memory range of reserved protected memory.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
| 0cbde272 | 26-Nov-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: sync ABI description files
Syncs the ABI description files optee_ffa.h and optee_msg.h with their counterpart in the Linux kernel driver. Small changes in comments and introduction of uint8_t octets[24] as an alternative to struct optee_msg_param_value value.
No ABI changes or extensions.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
| e1e6e2c6 | 22-May-2024 |
Volodymyr Babchuk <volodymyr_babchuk@epam.com> |
plat: rpi5: add basic Raspberry Pi 5 support
RPi5 is based on new BCM2712 SoC which is based on quad Cortex-A76.
BCM2712 still does not provide secure memory so we are free to locate OP-TEE anywhere we want. It would be most beneficial to locate OP-TEE right after TF-A, at address 0x80000, but the RPi5 loader places the kernel there and its location can't be changed.
According to the PCB silkscreen, RPi5 boards can have 1GB, 2GB, 4GB or 8GB of memory. To be compatible with any variant, OP-TEE is placed close to the end of the first gigabyte.
BCM2712 uses PL011 as the debug UART so we enable its driver.
According to the specification, BCM2712 includes cryptography extensions, but this basic port does not enable them.
As there is no way to load the OP-TEE image into memory during the boot process, TF-A with the OPTEE_ALLOW_SMC_LOAD=1 option should be used. In this case OP-TEE can be loaded via the Linux kernel or U-Boot.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Co-developed-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 2d65d514 | 04-Jul-2024 |
Sahil Malhotra <sahil.malhotra@nxp.com> |
core: imx: enable MU and ELE drivers for imx95
Enable both the MU and ELE drivers for imx95.
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| 358eab24 | 04-Jul-2024 |
Sahil Malhotra <sahil.malhotra@nxp.com> |
core: imx: add MU_BASE and MU_SIZE for imx95
Add the MU base address and MU size for imx95.
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| 1e219620 | 18-Sep-2025 |
Sumit Garg <sumit.garg@oss.qualcomm.com> |
plat: Add support for Qualcomm Kodiak platform
Introduce initial Qualcomm platform support for Kodiak, which is the SoC codename, also known upstream by the product names SC7280/QCM6490.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Casey Connolly <casey.connolly@linaro.org>
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
| fd6196d4 | 02-Oct-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: reject all zero HUK
If the generated HUK consists of all zeros, it cannot be distinguished from a missing HUK in the OTP. If such a HUK is burned into the OTP, the next read will return that no HUK was present and generate a new key. The previous all-zero HUK may already have been used, which violates the assumption that a HUK doesn't change.
Since a HUK that consists of all zeros is likely an error in the TRNG, reject the generated HUK, report an error and let upper layers handle the error.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 951488c0 | 27-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: cache HUK in memory
I observed timeout errors when OP-TEE reads the HUK from the OTP area while running the optee-xtests (tests 1006 and 4013) or using the pkcs#11 TA.
This issue is circumvented by reading the HUK once and caching it in memory for later use. As a side-effect, this reduces the accesses/reads from the OTP area.
Unfortunately, I don't know the root cause for the timeout while reading the fuses. I guess that there is a disabled clock which prevents the read, but I didn't look further, since caching works fine.
While the documentation recommends never processing the HUK in software, it is read and processed anyway if it can be read from the fuses. Thus, I don't think that caching has an effect on the security of the HUK. The caching is inspired by the HUK handling implemented in the nvmem driver.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 46b94a62 | 26-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: refactor reading of HUK
Split the function that reads, generates and persists the HUK into several helper functions to make the code more readable and simplify error handling.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| d2c909e8 | 07-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
drivers: rockchip: extract OTP driver from rk3588 platform
The OTP handling is useful outside the rk3588 platform implementation. For example, the fuses for secure boot are accessible via the OTP.
Extract the OTP write and read support to a separate driver to make it available for other modules.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
| faaa1735 | 02-Feb-2022 |
Nicolas Toromanoff <nicolas.toromanoff@foss.st.com> |
plat-stm32mp1: add new API to erase SRAM3
Add a new API, TEE_Result stm32mp_syscfg_erase_sram3(void);, to be able to erase SRAM3 by hardware request.
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| fd6434ee | 11-May-2023 |
Patrick Delaunay <patrick.delaunay@foss.st.com> |
plat-stm32mp1: syscfg: add dsb in syscfg driver
Add a dsb in the syscfg driver to guarantee that the requested operations are performed in the SYSCFG register when the external APIs are called and before returning to the caller:
- stm32mp1_iocomp() in the init sequence
- stm32mp_set_vddsd_comp_state() and stm32mp_set_hslv_state() called by the PWR driver
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
| 161f5876 | 13-Feb-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
plat-stm32mp1: syscfg: set SYSCFG_CMPCR_READY_TIMEOUT_US to 10ms
Change the timeout to 10 ms instead of 1 ms. On stm32mp13 we measure a 1.5 ms delay for CMPCR_READY to become 1. Use 10 ms to be aligned with the TF-A timeout.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 10298621 | 23-Sep-2025 |
Rayan Hu <rayan.hu@mediatek.com> |
core: crypto: fix AES-GCM in-place decryption order
Fix AES-GCM in-place decryption to ensure GHASH always uses the original ciphertext. Previously, plaintext could overwrite ciphertext before GHASH, causing authentication failures. Now GHASH is processed before decryption, so in-place and non in-place decryption both work correctly without extra buffering or conditional checks.
Tested with both in-place and non in-place decryption; all cases now produce correct authentication tags.
Fixes: 1fca7e269b13 ("core: crypto: add new AES-GCM implementation")
Signed-off-by: Rayan Hu <rayan.hu@mediatek.com>
Reviewed-by: Menson Chen <menson.chen@mediatek.com>
Reviewed-by: ChingMing Chen <chingming.chen@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
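The ordering problem described in the commit above, as a constructed model added here (not OP-TEE's AES-GCM code): a SHA-256 counter keystream stands in for AES-CTR and HMAC-SHA256 over the ciphertext stands in for GHASH, so only the shared-buffer handling is the real point. With separate buffers the old order still verifies, which is why the bug only showed up for in-place decryption.

```python
import hashlib
import hmac

# Constructed stand-ins (assumptions of this example, not OP-TEE's primitives):
# SHA-256 counter blocks replace AES-CTR, HMAC-SHA256 replaces GHASH.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream standing in for AES-CTR output."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_into(buf: bytearray, ks: bytes) -> None:
    """Encrypt or decrypt buf in place (CTR-style XOR with the keystream)."""
    for i in range(len(buf)):
        buf[i] ^= ks[i]


def tag_over(key: bytes, ct: bytes) -> bytes:
    """Stand-in for GHASH: the tag is defined over the CIPHERTEXT."""
    return hmac.new(key, ct, hashlib.sha256).digest()[:16]


def encrypt(key: bytes, nonce: bytes, pt: bytes) -> tuple[bytes, bytes]:
    buf = bytearray(pt)
    xor_into(buf, keystream(key, nonce, len(buf)))
    return bytes(buf), tag_over(key, bytes(buf))


def decrypt_inplace_buggy(key: bytes, nonce: bytes, buf: bytearray, tag: bytes) -> bool:
    """Old order: decrypt, then authenticate. buf now holds plaintext, so the
    tag is computed over the wrong data and a valid tag fails to verify."""
    xor_into(buf, keystream(key, nonce, len(buf)))
    return hmac.compare_digest(tag_over(key, bytes(buf)), tag)


def decrypt_inplace_fixed(key: bytes, nonce: bytes, buf: bytearray, tag: bytes) -> bool:
    """Fixed order: authenticate the ciphertext before overwriting it. As with
    streaming GCM, the caller must discard the plaintext if this returns False."""
    ok = hmac.compare_digest(tag_over(key, bytes(buf)), tag)
    xor_into(buf, keystream(key, nonce, len(buf)))
    return ok


def decrypt_separate_old_order(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bool:
    """Old order with distinct buffers: ct survives, so verification passes."""
    out = bytearray(ct)
    xor_into(out, keystream(key, nonce, len(out)))
    return hmac.compare_digest(tag_over(key, ct), tag)


def demo() -> tuple[bool, bool, bool, bool]:
    """Run every variant on the same constructed sample; see the test below."""
    key, nonce = b"k" * 16, b"n" * 12
    pt = b"constructed sample plaintext for the in-place test"
    ct, tag = encrypt(key, nonce, pt)
    buggy_ok = decrypt_inplace_buggy(key, nonce, bytearray(ct), tag)
    buf = bytearray(ct)
    fixed_ok = decrypt_inplace_fixed(key, nonce, buf, tag)
    return buggy_ok, fixed_ok, bytes(buf) == pt, decrypt_separate_old_order(key, nonce, ct, tag)
```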
| d4a3bf5d | 16-Sep-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
dts: stm32: move compatible of agent1 as the first line of the node
Move the compatible of agent1 to the first line of the node to be aligned with stm32mp23-st-scmi-cfg.dtsi.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 967e7220 | 11-Sep-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
plat-stm32mp2: conf: support STM32MP23x SoC family
Add support for the STM32MP23 SoC family and the stm32mp235f-dk board.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
| b080a5fa | 11-Sep-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
dts: stm32: add stm32mp235f-dk board support
Add STM32MP235F Discovery Kit board support. It embeds an STM32MP235FAK SoC, with 2GB of LPDDR4, 2*USB type A, 1*USB3 type C, 1*ETH, a wifi/BT combo, DSI HDMI, an LVDS connector ...
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 354d71ce | 11-Sep-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
dts: stm32: introduce stm32mp23 SoCs family
The STM32MP23 family is composed of 3 SoCs defined as follows:
-STM32MP231: common part composed of 1*Cortex-A35, common peripherals like SDMMC, UART, SPI, I2C, parallel display, 1*ETH ...
-STM32MP233: STM32MP231 + 1*Cortex-A35 (dual CPU), a second ETH, CAN-FD.
-STM32MP235: STM32MP233 + GPU/AI and video encode/decode, DSI and LVDS display.
A second diversity layer exists for security features / A35 frequency: STM32MP23xY, where "Y" gives the information:
-Y = A means A35@1.2GHz + no cryp IP and no secure boot.
-Y = C means A35@1.2GHz + cryp IP and secure boot.
-Y = D means A35@1.5GHz + no cryp IP and no secure boot.
-Y = F means A35@1.5GHz + cryp IP and secure boot.
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| b53175e9 | 08-Nov-2024 |
Christophe Kerello <christophe.kerello@foss.st.com> |
dts: stm32: fix memory ranges on fmc node for stm32mp251
Fix the memory ranges on the fmc node in stm32mp251.dtsi.
Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
Signed-off-by: Thomas BOURGOIN <thomas.bourgoin@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 31e114fa | 12-Sep-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
plat-stm32mp2: conf: default enable CFG_SCMI_SCPFW
For the STM32MP2x families the SCP firmware is the only SCMI server supported. Enable CFG_SCMI_SCPFW=y by default in conf.mk.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
| 799f2000 | 23-Jun-2023 |
Andrew Davis <afd@ti.com> |
core: console: Allow setting logging verbosity during runtime
The default console can be disabled at runtime for power management. Any prints after boot from OP-TEE could cause a bus data abort if the UART has been disabled. Add an option to change the log level after boot has completed which can be used to disable the console log.
Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
| 61d3d2dc | 10-Sep-2025 |
Thomas Bourgoin <thomas.bourgoin@foss.st.com> |
dts: stm32: enable IWDG1 on stm32mp257f-dk board
Enable the IWDG1 node and set a 32s timeout.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>