core: ffa: add spmc_is_reserved_id()

Add spmc_is_reserved_id() and replace direct checks against spmd_id and
spmc_id. spmd_id and spmc_id are changed to static variables since they
don't need to be

core: ffa: add spmc_is_reserved_id()

Add spmc_is_reserved_id() and replace direct checks against spmd_id and
spmc_id. spmd_id and spmc_id are changed to static variables since they
don't need to be exported any longer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: applies FF-A v1.2 features on StandaloneMm

edk2's StandaloneMm will be applied with FF-A v1.2.
while applying, StandaloneMm doesn't create anymore PHIT hob by itself
but it should be passed fr

core: applies FF-A v1.2 features on StandaloneMm

edk2's StandaloneMm will be applied with FF-A v1.2.
while applying, StandaloneMm doesn't create anymore PHIT hob by itself
but it should be passed from other software stack.

To make StandaloneMm runs properly, create Hob information and
deliver it using FF-A Boot protocol according to FF-A specification [1].

Also, apply FF-A management protocol to change it [2] to
get/set memory permission instead of using DIRECT_REQ_MSG.

Also, implements some FF-A ABIs to communication StandaloneMm properly.

Link: https://developer.arm.com/documentation/den0077/latest [1]
Link: https://developer.arm.com/documentation/den0140/latest [2]

Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>

show more ...

riscv: mm: Fix core_mmu_entry_is_branch()

We must also check V bit to determine non-leaf PTE.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.co

riscv: mm: Fix core_mmu_entry_is_branch()

We must also check V bit to determine non-leaf PTE.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

riscv: mm: support Sv48 and Sv57 address translation for core and TA

Add the macros for Sv57 address translation mode. Add CFG_RISCV_MMU_MODE
into riscv.mk and set it as 39 by default to enable Sv39

riscv: mm: support Sv48 and Sv57 address translation for core and TA

Add the macros for Sv57 address translation mode. Add CFG_RISCV_MMU_MODE
into riscv.mk and set it as 39 by default to enable Sv39 virtual address
translation scheme.

Currently, TA virtual memory occupies 1GB space, and TAs page table
should be an entry inside a level 2 (VPN[2]) page table, which is
decided by user_va_idx variable. For Sv39 translation scheme, it starts
from VPN[2], so nothing to do. For Sv48 translation scheme, we need to
allocate entry 0 of level 3 (VPN[3]) page table, and let it point to the
level 2 page table used by TA. For Sv57 translation scheme, we need to
further allocate entry 0 of level 4 (VPN[4]) page table, and let it
point to the level 3 page table.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

riscv: mm: Explicitly set user VA range inside L2(RV64) and L1(RV32) VPN

Add macros for level and bit shift of virtual page number (VPN) encoded
in RISC-V virtual address. Explicitly set range of us

riscv: mm: Explicitly set user VA range inside L2(RV64) and L1(RV32) VPN

Add macros for level and bit shift of virtual page number (VPN) encoded
in RISC-V virtual address. Explicitly set range of user virtual address
inside level 2 VPN by giving CORE_MMU_VPN2_SHIFT since the
CORE_MMU_BASE_TABLE_SHIFT is not always based on level 2 VPN if the MMU
scheme is not Sv39.

For RV32, there is only two-level VPN. The user VA range would be inside
level 1 VPN.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

riscv: mm: clean up macro definitions

Rename RISCV_SATP_ASID_SIZE to RISCV_SATP_ASID_WIDTH since it is used to
represent width of bits. Also remove redundant RISCV_MMU_ASID_WIDTH
since we already ha

riscv: mm: clean up macro definitions

Rename RISCV_SATP_ASID_SIZE to RISCV_SATP_ASID_WIDTH since it is used to
represent width of bits. Also remove redundant RISCV_MMU_ASID_WIDTH
since we already have RISCV_SATP_ASID_WIDTH. Fix a minor compiler
warning due to inconsistent data types on variable comparison.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: remove $(libgcccore) usage

Remove all remaining $(libgcccore) usage now that
lib/libutils/compiler-rt provides the needed bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: arm: remove $(libgcccore) usage

Remove all remaining $(libgcccore) usage now that
lib/libutils/compiler-rt provides the needed bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the loa

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the load address. The physical memory pool is initialized with the entire
range of secure memory, with holes carved out for already used memory.

Temporarily allocate the physical memory used by the manifest until it's
not needed any longer and released by release_manifest_dt().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

plat-k3: drivers: add platform flavors for 62A and 62P devices

Even though the SA2UL integration on the AM62Ax and AM62Px platforms are
functionally identical to the AM62x platforms many, when build

plat-k3: drivers: add platform flavors for 62A and 62P devices

Even though the SA2UL integration on the AM62Ax and AM62Px platforms are
functionally identical to the AM62x platforms many, when building
OP-TEE manually, are using the platform name they are building for and
not 'am62x' which leaves SA2UL_BASE undefined and to failed builds:

In file included from core/include/mm/core_memprot.h:9,
from core/include/kernel/interrupt.h:10,
from core/arch/arm/plat-k3/drivers/sa2ul_rng.c:12:
core/arch/arm/plat-k3/./platform_config.h:91:34: error: ‘SA2UL_BASE’ undeclared here (not in a function); did you mean ‘SCU_BASE’?
91 | #define RNG_BASE (SA2UL_BASE + 0x10000)
| ^~~~~~~~~~

For now let's just define the AM62Ax and AM62Px platform flavors
identical to how AM62x is defined and include an #else statement to
catch when a undefined platform flavor tries to build the SA2UL driver

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Bryan Brattlof <bb@ti.com>

show more ...

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution.

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution. This can lead to an inconsistent state if a
native interrupt occur while ftrace_enter() or ftrace_return() is
recording data in the ftrace buffer. So fix this by using
thread_is_in_normal_mode() to exclude ftrace during interrupt
processing.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7216
Fixes: 099918f6744c ("ftrace: Add support for syscall function tracer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: arm: update recorded SP first after MMU is enabled

With CFG_CORE_ASLR=y, stored addresses must be updated after MMU has
been enabled to match the map offset. In particular the recorded stack
p

core: arm: update recorded SP first after MMU is enabled

With CFG_CORE_ASLR=y, stored addresses must be updated after MMU has
been enabled to match the map offset. In particular the recorded stack
pointers in thread_core_local[] must be updated to match the new offset
before any calls can be done into C code or check_stack_limits() with
CFG_CORE_DEBUG_CHECK_STACKS=y might catch an inconsistent stack pointer.

Currently, boot_mem_relocate() is called before the recorded stack
pointers have been updated and causes a crash with CFG_CORE_ASLR=y and
CFG_CORE_DEBUG_CHECK_STACKS=y. So fix this by calling delaying the call
to boot_mem_relocate() to after the stack pointers in
thread_core_local[] has been updated.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7363
Fixes: ea991d7459f6 ("core: arm: remove THREAD_CORE_LOCAL_STACKCHECK_RECURSION")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: riscv: allow enabling CFG_WITH_STACK_CANARIES

Remove force disablement of randomized stack canary for OP-TEE core.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin

core: riscv: allow enabling CFG_WITH_STACK_CANARIES

Remove force disablement of randomized stack canary for OP-TEE core.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: riscv: support random stack canaries for stack protector

Call plat_get_random_stack_canaries() and update the value of
__stack_chk_guard during early initialization, so that the
random stack c

core: riscv: support random stack canaries for stack protector

Call plat_get_random_stack_canaries() and update the value of
__stack_chk_guard during early initialization, so that the
random stack canaries can be used to detect stack overflow
and buffer overflow.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Co-developed-by: Alvin Chang <alvinga@andestech.com>
Signed-off-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: move plat_get_random_stack_canaries() to common part

Other architectures (e.g. RISC-V) may want to call
plat_get_random_stack_canaries() for random stack
canaries. Move it from ARM architectur

core: move plat_get_random_stack_canaries() to common part

Other architectures (e.g. RISC-V) may want to call
plat_get_random_stack_canaries() for random stack
canaries. Move it from ARM architecture directory
to common part.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Co-developed-by: Alvin Chang <alvinga@andestech.com>
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: disable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID with se05x

Commit fc80dabbd5a7 ("core: imx: enable
CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID by default") created a
regression when se05x

core: imx: disable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID with se05x

Commit fc80dabbd5a7 ("core: imx: enable
CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID by default") created a
regression when se05x is used on iMX platforms, as its own
implementation of tee_otp_get_die_id cannot be called so early in the
boot process, since the stack itself is not properly initialized at that
time.

Forcely disable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID when se05x is
used to restore back to the previous working behavior.

Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>

show more ...

tree wide: fix header files dependencies in linker files

When linking with a generated linker script like kern.ld.S, dependencies
with header file are not regenerated.
Same issue as
commit acdc32afe

tree wide: fix header files dependencies in linker files

When linking with a generated linker script like kern.ld.S, dependencies
with header file are not regenerated.
Same issue as
commit acdc32afe18f ("mk/compile.mk: fix header dependency in .d file")

Add option -MP used to fix error generated when removing header files.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: ffa: enable FF-A version 1.2 for virtualization

With Xen version 4.20 released we can announce version 1.2 for OP-TEE
when negotiating the version to use. So remove the special check for

core: arm: ffa: enable FF-A version 1.2 for virtualization

With Xen version 4.20 released we can announce version 1.2 for OP-TEE
when negotiating the version to use. So remove the special check for
CFG_NS_VIRTUALIZATION=y when exchanging versions.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: riscv: add SiFive Unleashed and Unmatched board support

Add SiFive Unleashed and Unmatched board support.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland

core: riscv: add SiFive Unleashed and Unmatched board support

Add SiFive Unleashed and Unmatched board support.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Acked-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: kernel: support booting non-contiguous non-zero-based hart IDs

Currently, OP-TEE assumes 0 <= hartid < CFG_TEE_CORE_NB_CORE,
and must be contiguous, which fails to accommodate different
CPU t

riscv: kernel: support booting non-contiguous non-zero-based hart IDs

Currently, OP-TEE assumes 0 <= hartid < CFG_TEE_CORE_NB_CORE,
and must be contiguous, which fails to accommodate different
CPU topologies. For example, some RISC-V platforms, such as
the HiFive Unmatched board, do not run Linux and OP-TEE on
hart0, as it is a monitor core without supervisor mode support.

To address this, introduce hart_index, which is used to index
per-hart structures, such as thread_core_local and root_pgt.
The hart_index will range from 0 to (CFG_TEE_CORE_NB_CORE - 1),
and the primary hart will have an index of 0.

Additionally, a new function, boot_primary_init_core_ids(),
is added to initialize secondary hart IDs for booting via
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

riscv: kernel: sbi: introduce sbi_hsm_hart_get_status() function

Introduce sbi_hsm_hart_get_status() function and add comment for
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@

riscv: kernel: sbi: introduce sbi_hsm_hart_get_status() function

Introduce sbi_hsm_hart_get_status() function and add comment for
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: plat-virt: move stack alignment definition

The 16-byte stack alignment is a RISC-V ABI requirement
that applies to all RISC-V platforms. Move this definition
from the virt platform configurat

riscv: plat-virt: move stack alignment definition

The 16-byte stack alignment is a RISC-V ABI requirement
that applies to all RISC-V platforms. Move this definition
from the virt platform configuration to riscv.h.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: kernel: entry.S: remove unused boot_args array

The boot_args array is unused anywhere and its contents
are cleared during the zeroing of the .bss section, so it
serves no purpose. Removing it

riscv: kernel: entry.S: remove unused boot_args array

The boot_args array is unused anywhere and its contents
are cleared during the zeroing of the .bss section, so it
serves no purpose. Removing it simplifies the code.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: imx: disable ELE on i.MX8ULP by default

On i.MX8ULP, there is only one MU to communicate with ELE,
which cannot be dedicated on OP-TEE side all the time.
There may be ELE services running on L

core: imx: disable ELE on i.MX8ULP by default

On i.MX8ULP, there is only one MU to communicate with ELE,
which cannot be dedicated on OP-TEE side all the time.
There may be ELE services running on Linux side, which can
cause conflict with OP-TEE, So disabling ELE by default.
Moreover i.MX8ULP also has CAAM, so HUK and Random number
are coming from CAAM.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rockchip: rk3588: add OTP_S support and HUK

Add OTP_S support for Rockchip rk3588
Add tee_otp_get_hw_unique_key()

Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Etienne Carriere <etienn

plat-rockchip: rk3588: add OTP_S support and HUK

Add OTP_S support for Rockchip rk3588
Add tee_otp_get_hw_unique_key()

Signed-off-by: Ed Tubbs <ectubbs@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: enable ubsan support for TAs

Introduce CFG_TA_SANITIZE_UNDEFINED config to sanitize trusted
applications. If CFG_TA_SANITIZE_UNDEFINED is set sanitize flags are
propagated to internal TAs (avb,

ta: enable ubsan support for TAs

Introduce CFG_TA_SANITIZE_UNDEFINED config to sanitize trusted
applications. If CFG_TA_SANITIZE_UNDEFINED is set sanitize flags are
propagated to internal TAs (avb, pkcs11, remoteproc, trusted_keys) and
external TAs, which are built with the devkit.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...