core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attribu

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attributes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wi

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUN

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUNC, let's fold these statements into the
FUNC macros.

The .fnstart/.fnend directives mark the start and end of a function
with an unwind table entry (.ARM.exidx) and therefore a function
without them has no entry and cannot be unwound. This means that a
stack dump (on abort or panic) would stop when reaching such a
function.

As a result of this patch, a small number of functions now have an
entry in the unwind table when they had none before (the functions
which were using FUNC or LOCAL_FUNC but had no .fnstart/.fnend). It was
almost always a bug and this pacth only increases the size of the
.ARM.exidx section by a few bytes (tested on QEMU).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <asm.S>, remove a couple of duplicates in
assembler files, and drop the useless includes.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() w

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() which was only called from this function.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether a

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether and calling print_kernel_stack() instead. Since only the
TRACE_ERROR is used, the 'level' argument to print_kernel_stack(),
print_stack_arm32() and print_stack_arm64() is removed too.

In addition to simplifying the code, these changes will allow the
consolidation of the stack unwinding code between core and ldelf.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: mm: fix region lookup in param_mem_to_user_va()

The test whether a memory parameter is located in a region may fail
because of a typo in the comparison. The region size must be
added to the st

core: mm: fix region lookup in param_mem_to_user_va()

The test whether a memory parameter is located in a region may fail
because of a typo in the comparison. The region size must be
added to the start address, not subtracted.

Fixes: 2667e1359e51 ("core: fix offset calculation in param_mem_to_user_va()")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Wolfgang Ocker <weo@reccoware.de>

show more ...

Add support for Renesas RZ/N1 platform

Add support for RZ/N1 platform from Renasas (PLATFORM=rzn1):
- Cortex-A7 based dual core processor.

This platform supports TrustZone based IO register access

Add support for Renesas RZ/N1 platform

Add support for RZ/N1 platform from Renasas (PLATFORM=rzn1):
- Cortex-A7 based dual core processor.

This platform supports TrustZone based IO register access control, so
add corresponding OEM service based implementation.

Link: https://www.renesas.com/us/en/products/microcontrollers-microprocessors/rz/rzn/rzn1d.html
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: ns16550: Allow customizable serial IO config

Add io_width and reg_shift configurable parameters to struct ns16550_data
in order to support 32 bit register read/write.

Signed-off-by: Sumit

drivers: ns16550: Allow customizable serial IO config

Add io_width and reg_shift configurable parameters to struct ns16550_data
in order to support 32 bit register read/write.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Allow non-secure context restore in thumb mode

Allow initial exit from secure monitor mode to non-secure context
in thumb mode in case next stage boot-loader is expected to execute
in thumb mo

core: Allow non-secure context restore in thumb mode

Allow initial exit from secure monitor mode to non-secure context
in thumb mode in case next stage boot-loader is expected to execute
in thumb mode.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

vexpress-qemu_v8a: set CFG_ARM64_core to 'y' by default

Enables CFG_ARM64_core by default for PLATFORM=vexpress-qemu_v8a. This
platform is mostly used in full 64-bit mode, especially since until now

vexpress-qemu_v8a: set CFG_ARM64_core to 'y' by default

Enables CFG_ARM64_core by default for PLATFORM=vexpress-qemu_v8a. This
platform is mostly used in full 64-bit mode, especially since until now
the build.git Makefiles do not support anything else [1].

Link: [1] https://github.com/OP-TEE/build/blob/3.10.0/qemu_v8.mk#L9
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: do not trace syscall_log()

Tracing the log syscall is of very little value since it will generate
some output to the console anyways. Worse, it pollutes the TA output in
case of a panic or an

core: do not trace syscall_log()

Tracing the log syscall is of very little value since it will generate
some output to the console anyways. Worse, it pollutes the TA output in
case of a panic or an abort. For example:

o regression_4005.1 AE case 0 algo 0x40000710 line 2819
F/TC:?? 0 trace_syscall:132 syscall #27 (syscall_cryp_obj_alloc)
F/TC:?? 0 trace_syscall:132 syscall #15 (syscall_cryp_state_alloc)
F/TC:?? 0 trace_syscall:132 syscall #27 (syscall_cryp_obj_alloc)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #30 (syscall_cryp_obj_populate)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #29 (syscall_cryp_obj_reset)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #31 (syscall_cryp_obj_copy)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #28 (syscall_cryp_obj_close)
F/TC:?? 0 trace_syscall:132 syscall #34 (syscall_authenc_init)
F/TC:?? 0 trace_syscall:132 syscall #2 (syscall_panic)
E/TC:?? 0
E/TC:?? 0 TA panicked with code 0xffff0006
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: Status of TA cb3e5ba0-adf1-11e0-998b-0002a5d5c51b
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: arch: aarch64
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: region 0: va 0x40004000 pa 0x100062d000 size 0x002000 flags rw-s (ldelf)
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: region 1: va 0x40006000 pa 0x100062f000 size 0x00d000 flags r-xs (ldelf)
...

Therefore, skip the trace if the syscall number it TEE_SCN_LOG.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix offset calculation in param_mem_to_user_va()

In param_mem_to_user_va() the offset of a memory parameter is used to
check if a particular struct vm_region will cover that parameter.
struct

core: fix offset calculation in param_mem_to_user_va()

In param_mem_to_user_va() the offset of a memory parameter is used to
check if a particular struct vm_region will cover that parameter.
struct vm_region always uses offsets from the beginning of the first
physical page while a memory parameter contains only the offset from the
beginning of a MOBJ. Consequently the two offset cannot be compared
directly.

Until this patch the two offset where compared directly so fix it by
adding the phys_offs of the MOBJ to the offset of the memory parameter.

Note that this doesn't change the computed virtual address, it only
fails to find a matching struct vm_region under certain circumstances.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mmu: arm64: fix get_va_width()

Fixes get_va_width() when CFG_LPAE_ADDR_SPACE_SIZE != (1ull << 32).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wik

core: mmu: arm64: fix get_va_width()

Fixes get_va_width() when CFG_LPAE_ADDR_SPACE_SIZE != (1ull << 32).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: rpc i2c: fix, REE processed bytes

Fix number of bytes processed by the REE that is returned in p[3] as
defined in the API, not in p[2].

Fixes: 30c53a724263 ("core: arm: rpc i2c trampolin

core: arm: rpc i2c: fix, REE processed bytes

Fix number of bytes processed by the REE that is returned in p[3] as
defined in the API, not in p[2].

Fixes: 30c53a724263 ("core: arm: rpc i2c trampoline driver")
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add user parameter thread_rpc_shm_cache_alloc()

Adds a user parameter to thread_rpc_shm_cache_alloc() to make sure that
different callers of thread_rpc_shm_cache_alloc() doesn't interfere with

core: add user parameter thread_rpc_shm_cache_alloc()

Adds a user parameter to thread_rpc_shm_cache_alloc() to make sure that
different callers of thread_rpc_shm_cache_alloc() doesn't interfere with
each other. The FS allocation could perhaps be intertwined with I2C
allocations if crypto operations are done over I2C.

Fixes: 9bee8f2a5af7 ("core: add generic rpc shared memory buffer caching")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

virt: clear current thread id during initialization

When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call
`thread_clr_boot_thread()` during boot because the threads are
allocated in "tee"

virt: clear current thread id during initialization

When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call
`thread_clr_boot_thread()` during boot because the threads are
allocated in "tee" memory area, which is not available when there is
no virtual guests.

So, in this case local core state is left in erroneous state, which
causes assertion violation in thread_alloc_and_run(), when guests
calls OP-TEE for the first time from boot core.

Fixes: b166fabf3e8c ("core: initialize thread_core_local::curr_thread to -1")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler will insert entry and exit hooks in all
functions in the TEE core. On entry, the stack pointer is checked and
if an overflow is detected, panic() is called.

How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication
of the root cause of the corruption which may have happened quite some
time before. Running the test case again with a debugger attached and a
watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler
before the first canary check, for instance, during boot when the
temporary stack is used. This code will likely catch such issues, too.

The downside is increased stack usage and a significant runtime overhead
which is why this feature should be enabled only for troubleshooting.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so t

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so that
init_secondary_helper() doesn't have to. It is renamed to
thread_init_thread_core_local().
- The flag remains set upon return to normal world, ready for the next
entry into secure world.
- The foreign_intr_handler macro sets the flag since it uses the
temporary stack.
- thread_core_local_set_tmp_stack_flag() is now unused and can be
removed.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add __noprof attribute to register accessors

Allowing instrumentation of register accessor functions does not really
make sense, since they are normally inlined by the compiler. On the
contrar

core: add __noprof attribute to register accessors

Allowing instrumentation of register accessor functions does not really
make sense, since they are normally inlined by the compiler. On the
contrary, allowing the compiler to instrument these functions (if for
some reason they are not inlined) can cause serious problems such as
infinite recursion (in case the instrumentation ends up calling a
register accessor again) or unexpected results (if the accessor is used
by early code before the instrumentation is initialized).

Note that the accessors used by user space already have __noprof (see
lib/libutee/include/arm64_user_sysreg.h and scripts/arm32_sysreg.py).

For these reasons, add __noprof to core/arch/arm/include/arm{32,64}.h.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: always increase mappings for pta memrefs

In copy_in_param() always call mobj_inc_map() before mobj_get_va() to
guarantee that the memref is mapped for the duration of the call into
the PTA.

R

core: always increase mappings for pta memrefs

In copy_in_param() always call mobj_inc_map() before mobj_get_va() to
guarantee that the memref is mapped for the duration of the call into
the PTA.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj: add {inc,dec}_map() to struct mobj_ops

Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map()
and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are
are

core: mobj: add {inc,dec}_map() to struct mobj_ops

Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map()
and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are
are replaced with function pointers in mobj_reg_shm_ops and
mobj_ffa_ops. Inline versions of mobj_inc_map() and mobj_dec_map() are
added to call the correct function via struct mobj_ops instead. If
struct mobj_ops for a particular mobj doesn't have and implementation of
inc_map() or dec_map() TEE_SUCCESS is returned instead.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add optimization and debug flags to exported TA C++ flags

$(platform-cflags-optimization) and $(platform-cflags-debug-info) are
added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same

Add optimization and debug flags to exported TA C++ flags

$(platform-cflags-optimization) and $(platform-cflags-debug-info) are
added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same
for C++ flags thanks to ta_arm{32,64}-platform-cxxflags.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8)
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: arm: rpc i2c trampoline driver

Gives OP-TEE access to the i2c buses initialized and controlled by the
REE kernel. This is done by memory mapping a buffer from the thread's
cache where the inpu

core: arm: rpc i2c trampoline driver

Gives OP-TEE access to the i2c buses initialized and controlled by the
REE kernel. This is done by memory mapping a buffer from the thread's
cache where the input or output data is transferred.

Using this mechanism, OP-TEE clients do not have to worry about REE
RUNTIME_PM features switching off clocks from the controllers or
collisions with other bus masters.

This driver assumes that the I2C chip is on a REE statically assigned
bus which value is known to OP-TEE (it will not query/probe the REE).

The slave address can be either seven or ten bits. When using a ten
bit address, the corresponding flag needs to be set in the command and
the REE adapter must support the requested addressing mode.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: juno: update 808870 Unconditional VLDM workaround

With the commit be3bc461c686 ("ta: experimental C++ support") we have
some C++ tests in the regression tests which depends on libraries in the

core: juno: update 808870 Unconditional VLDM workaround

With the commit be3bc461c686 ("ta: experimental C++ support") we have
some C++ tests in the regression tests which depends on libraries in the
toolchain with hard float enabled. To be able to compile the regression
tests hard float cannot be disabled. Disabling hard float was our
original workaround for this erratum. Another way to avoid the erratum
is to disable strict alignment checks. So unless
CFG_SCTLR_ALIGNMENT_CHECK isn't explicitly set to 'y' force it to 'n'
instead.

Fixes: be3bc461c686 ("ta: experimental C++ support")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...