core_mmu: introduce mmu partitions

For virtualization support we need to have multiple mmu partitions.
One partition per virtual machine. Partition holds information about
page tables, ASID, etc. Wh

core_mmu: introduce mmu partitions

For virtualization support we need to have multiple mmu partitions.
One partition per virtual machine. Partition holds information about
page tables, ASID, etc. When OP-TEE switches to another partition,
it effectivelly changes how it sees memory. In this way it is possible
to have multiple memory layouts with different shared buffers and TAs
mapped, even with different .bss and .data sections.

If virtualization is disabled, then only one, default partition exists
and it is impossible to allocate more.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core_mmu: add MEM_AREA_SEC_RAM_OVERALL memory type

This memory type describes mapping that covers all secure memory
as a flat mapping, so it is possible to access any portion of
secure memory at any

core_mmu: add MEM_AREA_SEC_RAM_OVERALL memory type

This memory type describes mapping that covers all secure memory
as a flat mapping, so it is possible to access any portion of
secure memory at any time.

It will be used with virtualization extensions.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

tee_mm: add TEE_MM_POOL_NEX_MALLOC flag

This flag tells tee_mm to use nex_malloc pool instead of default malloc

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander

tee_mm: add TEE_MM_POOL_NEX_MALLOC flag

This flag tells tee_mm to use nex_malloc pool instead of default malloc

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

virt: tag variables with __nex_data and __nex_bss

Variables that are needed by OP-TEE nexus will be moved
to nexus memory.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens W

virt: tag variables with __nex_data and __nex_bss

Variables that are needed by OP-TEE nexus will be moved
to nexus memory.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

virt: add nexus memory area

This patch is the first in series of patches that split OP-TEE RW memory
into two regions: nexus memory and TEE memory. Nexus memory will
be always mapped and it will be

virt: add nexus memory area

This patch is the first in series of patches that split OP-TEE RW memory
into two regions: nexus memory and TEE memory. Nexus memory will
be always mapped and it will be used to store all data that is
vital for OP-TEE core and is not bound to virtual guests.

TEE memory is a memory that holds data specific for certain guest.
There will be TEE memory bank for every guest and it will be mapped
into OP-TEE address space only during call from that guest.

This patch adds nexus memory and moves stacks into it. Also
it provides __nex_bss and __nex_data macros, so one can easily set right
section for a variable.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pta_stats: add support for nex_malloc stats

Add statistic for OP-TEE nexus memory allocator.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@li

pta_stats: add support for nex_malloc stats

Add statistic for OP-TEE nexus memory allocator.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core_self_tests.c: add tests for nex_malloc

Now, when we have separate allocator for nexus
part of OP-TEE, it is good to add tests for it.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>

core_self_tests.c: add tests for nex_malloc

Now, when we have separate allocator for nexus
part of OP-TEE, it is good to add tests for it.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: Use generic memory layout

plat-rcar have quite standard memory layout, so there is no sense
to maintain separate configuration if it possible to use generic
one.

Signed-off-by: Volodymyr

plat-rcar: Use generic memory layout

plat-rcar have quite standard memory layout, so there is no sense
to maintain separate configuration if it possible to use generic
one.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta_stats: add memleak function

Adds a memleak function to the status PTA which calls mdbg_check(1)
to dump all allocations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed

core: pta_stats: add memleak function

Adds a memleak function to the status PTA which calls mdbg_check(1)
to dump all allocations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix get_elf_segments() segs initialization

get_elf_segments() doesn't initialize the returned segs array properly,
some fields are left uninitialized. Fix this by doing a compound
assignment w

core: fix get_elf_segments() segs initialization

get_elf_segments() doesn't initialize the returned segs array properly,
some fields are left uninitialized. Fix this by doing a compound
assignment when initializing new elements in the array.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ta_open(): free allocated memory on error

In error condition on checking "ta_size", was returning
error from function without cleaning allocated memory.

Signed-off-by: Sahil Malhotra <sahil.m

core: ta_open(): free allocated memory on error

In error condition on checking "ta_size", was returning
error from function without cleaning allocated memory.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Fixes: https://github.com/OP-TEE/optee_os/pull/2776
[jf: minor edits to commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

scripts: re-indent Python scripts

Fixes the following warnings:

$ pycodestyle --version
2.5.0

$ pycodestyle scripts/*.py
scripts/bin_to_c.py:15:9: E117 over-indented
scripts/bin_to_c.py:34:9:

scripts: re-indent Python scripts

Fixes the following warnings:

$ pycodestyle --version
2.5.0

$ pycodestyle scripts/*.py
scripts/bin_to_c.py:15:9: E117 over-indented
scripts/bin_to_c.py:34:9: E117 over-indented
scripts/bin_to_c.py:37:17: E117 over-indented
scripts/bin_to_c.py:49:17: E117 over-indented
scripts/bin_to_c.py:50:25: E117 over-indented
scripts/bin_to_c.py:54:25: E117 over-indented
scripts/bin_to_c.py:56:25: E117 over-indented
scripts/bin_to_c.py:62:9: E117 over-indented

$ cd core/arch/arm/plat-stm32mp1/scripts; \
pycodestyle stm32image.py
stm32image.py:21:9: E117 over-indented
stm32image.py:27:9: E117 over-indented
stm32image.py:29:17: E117 over-indented
stm32image.py:39:9: E117 over-indented
stm32image.py:77:9: E117 over-indented
stm32image.py:84:17: E117 over-indented
stm32image.py:96:9: E117 over-indented
stm32image.py:100:9: E117 over-indented
stm32image.py:125:9: E117 over-indented
stm32image.py:140:9: E117 over-indented

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoS with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-o

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoS with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Reviewed-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
Reviewed-by: Scott Branden <scott.branden@broadcom.com>
Reviewed-by: Pramod Kumar <pramod.kumar@broadcom.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("Support ARM GICv3 mode")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <j

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Mac

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range i

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range is unaligned the last page in the range is sometimes not checked.
With this patch the first address of each page in the range is checked
to simplify the logic of checking each page and the range and also to
cover the last page under all circumstances.

Fixes: OP-TEE-2018-0005: "tee_mmu_check_access_rights does not check
final page of TA buffer"

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range t

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range to be used of the MOBJ was not checked here and relied on
later checks further down the chain. Those checks seems to be enough
for user TAs, but not for pseudo TAs where the size isn't checked.

This patch adds a check for offset and size to see that they remain
inside the memory covered by the MOBJ.

Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from
REE".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the p

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the previous query. However, there is no guarantee that the REE
actually allocates the requested size. A compromised REE could for
example modify the RPC request. This means that even though an
allocation is successful, we still need to check that the size of the
allocated buffer has room to fit the entire TA we are about to load.

Fixes: "REE provided size not checked when loading TAs" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Load

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Loading from secure storage returns success with uninitialized
pointer" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally free up memory based on the

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally free up memory based on the values from saved_attr and
therefore saved_attr must be initialized with a proper value in case the
functions that are supposed to fill in correct attributes are failing.

Fixes: "Use of uninitialized variable in REE exposed function" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory poo

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory pool, meaning that we did not clear all memory
and because of that we could potentially leak code and data of a
previous loaded TA.

Fixes: OP-TEE-2018-0006: "Potential disclosure of previously loaded TA
code and data"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with Glo

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with GlobalPlatform tests).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissie

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...