core: arm: add feat_pan_implemented()

Adds the helper function feat_pan_implemented() to extract the
implemented PAN version. No version is 0 so this function can be used
tested as a boolean too.

S

core: arm: add feat_pan_implemented()

Adds the helper function feat_pan_implemented() to extract the
implemented PAN version. No version is 0 so this function can be used
tested as a boolean too.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

arm64: add read_pan() and SPSR_64_PAN

Adds the wrapper function read_pan() to read PSTATE.PAN, also adds a
SPSR_64_PAN define.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by:

arm64: add read_pan() and SPSR_64_PAN

Adds the wrapper function read_pan() to read PSTATE.PAN, also adds a
SPSR_64_PAN define.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buf

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buffer. Core buffers are normal secure memory while user space
buffers should only be accessed using the user_access.h functions.

The different FS storage implementations are updated accordingly.

Note that the RPMB FS storage implementation resorts to using
enter_user_access() and exit_user_access() due to internal complexities.

Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: Rename primary_init_intc() to boot_primary_init_intc()

Since interrupt controllers are usually initialized in boot stage,
rename primary_init_intc() to boot_primary_init_intc().

Signed-o

core: arm: Rename primary_init_intc() to boot_primary_init_intc()

Since interrupt controllers are usually initialized in boot stage,
rename primary_init_intc() to boot_primary_init_intc().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: Rename main_secondary_init_intc() to boot_secondary_init_intc()

main_secondary_*() is an ambiguous name since it conveys no meaning
relative to the purpose of the function. Fix it by rena

core: arm: Rename main_secondary_init_intc() to boot_secondary_init_intc()

main_secondary_*() is an ambiguous name since it conveys no meaning
relative to the purpose of the function. Fix it by renameing to
boot_secondary_init_intc(), since interrupt controllers are always
initialized in boot stage.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: stm32_i2c: remove cases when CFG_DRIVERS_PINCTRL is disabled

Removes implementation when CFG_DRIVERS_PINCTRL is disables as stm32mp1
platform configuration enforces the switch is enabled.

drivers: stm32_i2c: remove cases when CFG_DRIVERS_PINCTRL is disabled

Removes implementation when CFG_DRIVERS_PINCTRL is disables as stm32mp1
platform configuration enforces the switch is enabled.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: conf: enable CFG_DRIVERS_PINCTRL

Changes platform stm32mp1 configuration to always enable
CFG_DRIVERS_PINCTRL. The platform requires pinctrl_apply_state() to
be unpaged has it can be

plat-stm32mp1: conf: enable CFG_DRIVERS_PINCTRL

Changes platform stm32mp1 configuration to always enable
CFG_DRIVERS_PINCTRL. The platform requires pinctrl_apply_state() to
be unpaged has it can be used during PM suspend and resume sequences.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_i2c: support CFG_DRIVERS_PINCTRL

Updates stm32_i2c driver for when CFG_DRIVERS_PINCTRL is enabled making
I2C driver to get pin control configuration using the generic pin
control fram

drivers: stm32_i2c: support CFG_DRIVERS_PINCTRL

Updates stm32_i2c driver for when CFG_DRIVERS_PINCTRL is enabled making
I2C driver to get pin control configuration using the generic pin
control framework. When enabled, stm32_i2c driver get the active and
sleep pin control configuration from the device tree. Sleep pinctrl
configuration is optional.

SE050 and STM32MP1 PMIC drivers that use the stm32_i2c bus are both
updated accordingly.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: shared_resources: support CFG_DRIVERS_PINCTRL

Adds shared resources helper functions stm32mp_register_secure_pinctrl()
and stm32mp_register_non_secure_pinctrl() for when a platform dr

plat-stm32mp1: shared_resources: support CFG_DRIVERS_PINCTRL

Adds shared resources helper functions stm32mp_register_secure_pinctrl()
and stm32mp_register_non_secure_pinctrl() for when a platform driver
registers pins from a pin control state with secure or non-secure
attribute. These function are required when CFG_DRIVERS_PINCTRL is
enabled.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: rename interrupt controller functions

This commit renames interrupt controller function names
to be more generic:
- Rename main_init_gic() to primary_init_intc()
- Rename secondary_init_gic()

core: rename interrupt controller functions

This commit renames interrupt controller function names
to be more generic:
- Rename main_init_gic() to primary_init_intc()
- Rename secondary_init_gic() to secondary_init_intc()

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm64: add dsb_osh()

Implement the use of osh data barrier to ensure that all data
access and modifications have been completed before executing
subsequent instructions.

Signed-off-by: Xiaoxu

core: arm64: add dsb_osh()

Implement the use of osh data barrier to ensure that all data
access and modifications have been completed before executing
subsequent instructions.

Signed-off-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: stm32_bsec: add support for bits property in the DT

Adds the possibility to specify the number of managed bit in the NVMEM
cell device tree description, using the optional bits property
and

drivers: stm32_bsec: add support for bits property in the DT

Adds the possibility to specify the number of managed bit in the NVMEM
cell device tree description, using the optional bits property
and removes restriction on aligned NVMEM cell on 32-bit word by supporting
bit offset in stm32_bsec_find_otp_in_nvmem_layout().

Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>

show more ...

core: arm: Move some DT functions to common kernel

Some existed functions for device tree in ARM could be also used for
other architectures. This commit moves most of functions from ARM
architecture

core: arm: Move some DT functions to common kernel

Some existed functions for device tree in ARM could be also used for
other architectures. This commit moves most of functions from ARM
architecture into "core/kernel/dt.c", including external DT descriptor,
DT overlay, external DT initialization, API for adding DT child nodes
and reserved-memory nodes. Since "core/kernel/dt.c" is dependent with
CFG_DT, other functions which are independent with CFG_DT are put into
new file "core/kernel/boot.c".

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: simplify using {high,low}32_from_64()

Simplify spmc_sp_handle_mem_share() using high32_from_64() and
low32_from_64() instead of reg_pair_from_64().

Signed-off-by: Jens Wiklander <jens.w

core: spmc: simplify using {high,low}32_from_64()

Simplify spmc_sp_handle_mem_share() using high32_from_64() and
low32_from_64() instead of reg_pair_from_64().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time,
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions,

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time,
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions, we can now enable finer-
grained PAN, where the unprivileged access is only allowed inside
handful of special user-access functions.

There are some exceptions where we toggle PAN to allow the OP-TEE
core to access user memory, instead of using user-access functions
or bounce buffers. Those are crypto services and ldelf syscall
handlers. Those are chosen to avoid potential large bounce buffer
allocations.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: use GET_USER_SCALAR() to save TA panic regs

Use GET_USER_SCALAR() macro to retrieve register values from the
user stack upon TA panic.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Revie

core: use GET_USER_SCALAR() to save TA panic regs

Use GET_USER_SCALAR() macro to retrieve register values from the
user stack upon TA panic.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

arm64: Introduce permissive PAN implementation

Privileged Access Never (PAN) is a part of ARMv8.1 extension that
restricts accesses to unprivileged memory from privileged mode
in order to prevent un

arm64: Introduce permissive PAN implementation

Privileged Access Never (PAN) is a part of ARMv8.1 extension that
restricts accesses to unprivileged memory from privileged mode
in order to prevent unintended accesses to potentially malicious
memory.

This introduces configuration of PAN and helper functions
enter_user_access() and exit_user_access() that toggles PSTATE.PAN
that controls the behavior of PAN.

Current OP-TEE impelmentation is not ready to apply strict PAN policy
due to missing user-access function uses, etc.

Hence, this patch takes a very permissive approach (yet better
than nothing), where PAN is deactivated in the entire lifetime of
thread_svc_handler (i.e., system call).

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: stub stm32mp13 regulators

Implements stubs for SCMI regulators that are to be exposed by STM32MP13
SCMI server but are not implemented yet in OP-TEE core. The drivers for
these regula

plat-stm32mp1: stub stm32mp13 regulators

Implements stubs for SCMI regulators that are to be exposed by STM32MP13
SCMI server but are not implemented yet in OP-TEE core. The drivers for
these regulators (IOD SDMMC1/2 and VREFBUF) will be implemented once
there is a regulator framework in OP-TEE. In the meantime, stubbing those
allows to use the platform.

Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: change log level in SCMI server

The SCMI server prints debug messages when handling some SCMI services.
At runtime this leads to a lot of traces and debug log level is too
verbose. Th

plat-stm32mp1: change log level in SCMI server

The SCMI server prints debug messages when handling some SCMI services.
At runtime this leads to a lot of traces and debug log level is too
verbose. Therefore change all debug traces to flow level for that
source file.

Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>

show more ...

qemu_armv8a: fix build with CFG_USER_TA_TARGETS=ta_arm32

The proper way to build in-tree TAs in 64-bit mode by default is to set
supported-ta-targets to "ta_arm64 ta_arm32". Indeed, the default targ

qemu_armv8a: fix build with CFG_USER_TA_TARGETS=ta_arm32

The proper way to build in-tree TAs in 64-bit mode by default is to set
supported-ta-targets to "ta_arm64 ta_arm32". Indeed, the default target
is always defined as the first entry in supported-ta-targets, as
documented in mk/config.mk.

Fixes the following build error:

$ make CFG_USER_TA_TARGETS=ta_arm32 PLATFORM=vexpress-qemu_armv8a
bash: -W: invalid option
...

default-user-ta-target is not to be used by the platform configuration
files. It is meant to be set by the main Makefile. For this reason,
replace the conditional assignment (?=) with $(call force, ...) in order
to catch inconsistencies in a more friendly way.

Fixes: 07031b23de23 ("qemu_armv8a: set default-user-ta-target ?= ta_arm64")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix race in mobj_reg_shm_dec_map()

Fixes a race in mobj_reg_shm_dec_map() when r->mm is NULL. This is
similar to the race fixed by commit 06ea466f9c19 ("core: fix race in
mobj_reg_shm_inc_map(

core: fix race in mobj_reg_shm_dec_map()

Fixes a race in mobj_reg_shm_dec_map() when r->mm is NULL. This is
similar to the race fixed by commit 06ea466f9c19 ("core: fix race in
mobj_reg_shm_inc_map()"), but with one more possibility.

The problem goes like:
A. Thread 1 calls mobj_reg_shm_dec_map() at the same time as thread 2
calls mobj_reg_shm_inc_map().
B. Thread 1 decreases mapcount to zero and tries to take the spinlock,
but thread 1 is suspended before it has acquired the spinlock.
C. Thread 2 sees that mapcount is zero and takes the spinlock and maps
the memory.
D. Thread 2 calls mobj_reg_shm_dec_map(), mapcount reaches zero again
and the shared memory is unmapped and r->mm is set to NULL.
E. Thread 1 is finally resumed and acquires the spinlock, mapcount is still
zero but r->mm is also NULL.

To fix the problem at step E above check that r->mm is still non-NULL.

Note that the same fix isn't needed for ffa_dec_map() since
unmap_helper() checks that mf->mm is non-NULL first.

Fixes: 06ea466f9c19 ("core: fix race in mobj_reg_shm_inc_map()")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Olivier Masse <olivier.masse@nxp.com>

show more ...

core: spmc: handle missing FFA_MSG_SEND_VM_DESTROYED

Handles the previously missing FFA_MSG_SEND_VM_DESTROYED message used to
signal the destruction of a non-secure guest. This is the counter part
o

core: spmc: handle missing FFA_MSG_SEND_VM_DESTROYED

Handles the previously missing FFA_MSG_SEND_VM_DESTROYED message used to
signal the destruction of a non-secure guest. This is the counter part
of FFA_MSG_SEND_VM_CREATED that is used to signal the creation of a
non-secure guest.

Fixes: a65dd3a6b64d ("core: spmc: support virtualization with SPMC at S-EL1")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: main: Print the provisioned key information

During provisioning these values are fused using the signing
certificate.

The maximum value of Key Count is 2 (when BMPK is used).

Signed-off-b

plat-k3: main: Print the provisioned key information

During provisioning these values are fused using the signing
certificate.

The maximum value of Key Count is 2 (when BMPK is used).

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: add TISCI call to retrieve the Keycnt and Keyrev

Add TISCI call to retrieve the key count and key revision fused during
provisioning.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@fou

plat-k3: drivers: add TISCI call to retrieve the Keycnt and Keyrev

Add TISCI call to retrieve the key count and key revision fused during
provisioning.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: main: coding standard consistency

The coding standard requires a line between function definitions.

Add such a line to make it visually consistent with the recently added
secure_boot_infor

plat-k3: main: coding standard consistency

The coding standard requires a line between function definitions.

Add such a line to make it visually consistent with the recently added
secure_boot_information(void).

This commit also removes a duplicated include directive.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...