user_ta: should go for other TA stores on any load error

There seems to be an issue that if RPMB_FS is enabled in
OPTEE and TA is present in REE (normal file system), if
priority for secure storage

user_ta: should go for other TA stores on any load error

There seems to be an issue that if RPMB_FS is enabled in
OPTEE and TA is present in REE (normal file system), if
priority for secure storage TA is higher and RPMB
initialization fails, the error is returned and the
OPTEE doesn't goes to find the TA from REE TA store.

The issue is fixed by adding a 'continue' statement after
printing the respective error.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Sourabh Das <sourabhdas143@gmail.com>

show more ...

core: unwind: correct function args for print_stack_arm32/64

When CFG_TEE_CORE_LOG_LEVEL=0 to make, met build failure:
"
core/arch/arm/kernel/abort.c: In function '__print_stack_unwind_arm32':
core/

core: unwind: correct function args for print_stack_arm32/64

When CFG_TEE_CORE_LOG_LEVEL=0 to make, met build failure:
"
core/arch/arm/kernel/abort.c: In function '__print_stack_unwind_arm32':
core/arch/arm/kernel/abort.c:113:2: error: too many arguments to function 'print_stack_arm32'
print_stack_arm32(TRACE_ERROR, &state, exidx, exidx_sz, kernel_stack,
^~~~~~~~~~~~~~~~~
"

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: define syscall_t as void (*)(void)

syscall_t is currently typedef'ed as TEE_Result (*)(void). It is used to
represent a pointer to any system call, in the syscall table for instance.
As such,

core: define syscall_t as void (*)(void)

syscall_t is currently typedef'ed as TEE_Result (*)(void). It is used to
represent a pointer to any system call, in the syscall table for instance.
As such, the exact type behind syscall_t cannot reflect all the syscalls
since they have different prototypes. The current declaration with a
TEE_Result return type was probably chosen because it was a common
characteristic of all syscalls to return a TEE_Result.

However, this type causes compilation warnings with GCC 8.1:

core/arch/arm/tee/arch_svc.c:43:36: warning: cast between incompatible function types from ‘void (*)(long unsigned int)’ to ‘TEE_Result (*)(void)’ {aka ‘unsigned int (*)(void)’} [-Wcast-function-type]
#define SYSCALL_ENTRY(_fn) { .fn = (syscall_t)_fn }
^
core/arch/arm/tee/arch_svc.c:50:2: note: in expansion of macro ‘SYSCALL_ENTRY’
SYSCALL_ENTRY(syscall_sys_return),
^~~~~~~~~~~~~

The solution is to use 'void (*)(void)' instead, as explained in the GCC
documentation:

-Wcast-function-type

Warn when a function pointer is cast to an incompatible function
pointer. [...] The function type void (*) (void) is special and matches
everything, which can be used to suppress this warning. [...]

Link: [1] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

thread: move stacks to separate sections

With this change it is possible to move tmp and abt stacks to kernel
memory area, while leaving thread stacks in tee memory.

Signed-off-by: Volodymyr Babchu

thread: move stacks to separate sections

With this change it is possible to move tmp and abt stacks to kernel
memory area, while leaving thread stacks in tee memory.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

link_dummy.ld: provide __data_start symbol

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

linker.h: declare __data_start as non-const

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

asid: move asid allocator from tee_mmu.c to core_mmu.c

ASIDs will be allocated for individual virtrual guests, so
allocator should reside in more generic place.

Also, comment for MMU_NUM_ASIDS was

asid: move asid allocator from tee_mmu.c to core_mmu.c

ASIDs will be allocated for individual virtrual guests, so
allocator should reside in more generic place.

Also, comment for MMU_NUM_ASIDS was updated.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mmu: align va of memory regions to pa modulo PGDIR_SIZE

If pa % PGDIR_SIZE == va % PGDIR_SIZE, then we can effectively map
large smallpage-aligned regions. Most of the region can be mapped
with supe

mmu: align va of memory regions to pa modulo PGDIR_SIZE

If pa % PGDIR_SIZE == va % PGDIR_SIZE, then we can effectively map
large smallpage-aligned regions. Most of the region can be mapped
with super blocks and only ends will be mapped using small pages.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

generic_ram_layout: align TA_RAM to SMALL_PAGE_SIZE

This enables more optimal memory usage, as there will be no unused
holes in memory mappings.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail

generic_ram_layout: align TA_RAM to SMALL_PAGE_SIZE

This enables more optimal memory usage, as there will be no unused
holes in memory mappings.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: sm: initialize PMCR.DP to 1 and save/restore PMCR

Introduce CFG_SM_NO_CYCLE_COUNTING to intitialize PMCR.DP to 1 and
save/restore PMCR on world switch. Similar to what is done in ARM TF
c

core: arm: sm: initialize PMCR.DP to 1 and save/restore PMCR

Introduce CFG_SM_NO_CYCLE_COUNTING to intitialize PMCR.DP to 1 and
save/restore PMCR on world switch. Similar to what is done in ARM TF
commit 3e61b2b54336 ("Init and save / restore of PMCR_EL0 / PMCR") [1].

The purpose of this is to (hopefully) make attacks such as CLKSCREW [2]
harder to mount, although it is likely that timing information could be
obtained via other means.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Link: [1] https://github.com/ARM-software/arm-trusted-firmware/commit/3e61b2b54336
Link: [2] https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm: sm: rename struct sm_mode_regs to sm_unbanked_regs

struct sm_mode_regs will soon be used to store one non-banked register
other then the mode registers (PMCR). Rename it to sm_unbanked_re

core: arm: sm: rename struct sm_mode_regs to sm_unbanked_regs

struct sm_mode_regs will soon be used to store one non-banked register
other then the mode registers (PMCR). Rename it to sm_unbanked_regs.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: make stack trace robust

Makes stack trace robust by checking addresses before copying data.
Kernel stack traces are a bit more relaxed as we have crashed already.

Reviewed-by: Jerome Forissie

core: make stack trace robust

Makes stack trace robust by checking addresses before copying data.
Kernel stack traces are a bit more relaxed as we have crashed already.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960 AArch32, Aarch64)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno, QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix offset in assign_mobj_to_param_mem()

Prior to this patch assign_mobj_to_param_mem() stored the offset
supplied with a non-contiguous buffer in mem->offs. Since that offset
already is store

core: fix offset in assign_mobj_to_param_mem()

Prior to this patch assign_mobj_to_param_mem() stored the offset
supplied with a non-contiguous buffer in mem->offs. Since that offset
already is stored inside the resulting MOBJ that offset is added twice.
This patch fixes this by initializing mem->offs to 0 instead.

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: update max pa after discovered nsec ddr

Once non-secure DDR is discovered either via FDT or via register_ddr()
maximum output address is updated.

Note that is only has an effect in AAr

core: arm64: update max pa after discovered nsec ddr

Once non-secure DDR is discovered either via FDT or via register_ddr()
maximum output address is updated.

Note that is only has an effect in AArch64.

Fixes: https://github.com/OP-TEE/optee_os/issues/2402
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Jean-Paul Etienne <jean-paul.etienne@arm.com>
Reported-by: Rouven Czerwinski <rouven@czerwinskis.de>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno, FVP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64.h: add TCR_EL1_IPS_MASK

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

plat-stm: fix MIN/MAX macro issue in platform_config.h

Use MIN_UNSAFE/MAX_UNSAFE macros as MAX/MIN macros fail to build
from in current platform_config.h imaplement with the error trace
below:

In f

plat-stm: fix MIN/MAX macro issue in platform_config.h

Use MIN_UNSAFE/MAX_UNSAFE macros as MAX/MIN macros fail to build
from in current platform_config.h imaplement with the error trace
below:

In file included from core/arch/arm/include/arm.h:8:0,
from core/arch/arm/include/kernel/thread.h:11,
from core/arch/arm/kernel/asm-defines.c:7:
lib/libutils/ext/include/util.h:24:16: error: missing binary operator before token "("
(__extension__({ __typeof__(a) _a = (a); \
^
core/arch/arm/plat-stm/./platform_config.h:190:25: note: in expansion of macro ‘MAX’
#define STM_SECDDR_END MAX(TZSRAM_BASE + TZSRAM_SIZE, \
^~~
core/arch/arm/plat-stm/./platform_config.h:204:6: note: in expansion of macro ‘STM_SECDDR_END’
#if (STM_SECDDR_END < 0x80000000ULL)
^~~~~~~~~~~~~~
make: *** [out/core/include/generated/.asm-defines.s] Error 1

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

benchmark: change the way of timestamp buffer allocation.

In case if timestamp buffer is allocated in userspace and new register
user memory API is used for its registering in OP-TEE (introduced in

benchmark: change the way of timestamp buffer allocation.

In case if timestamp buffer is allocated in userspace and new register
user memory API is used for its registering in OP-TEE (introduced in
optee_client commit 27888d73d156 ("tee_client_api: register user memory")),
there is no possibility to keep this mapping permanent among different
TEEC_InvokeCommand invocations, as all SHM are automatically unmapped from
OP-TEE VA space after TEEC_InvokeCommand is handled by OP-TEE.

Timestamp buffer is now allocated with thread_rpc_alloc_global_payload().

Fixes: https://github.com/OP-TEE/optee_os/issues/1979
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>

show more ...

core: support for global shared buffers

Add support of allocating SHM shared with non-secure kernel
and exported to a non-secure userspace application.

Reviewed-by: Jens Wiklander <jens.wiklander@l

core: support for global shared buffers

Add support of allocating SHM shared with non-secure kernel
and exported to a non-secure userspace application.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>

show more ...

plat-stm32mp1: reformat OP-TEE images to stm32 format

OP-TEE core images are reformatted into a STM32 compliant format
expected by the platform flashing tools.

Signed-off-by: Etienne Carriere <etie

plat-stm32mp1: reformat OP-TEE images to stm32 format

OP-TEE core images are reformatted into a STM32 compliant format
expected by the platform flashing tools.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: add initial support

Introduce platform stm32mp1 with board stm32mp1-stm32mp157c-ev1 based
on stm32mp1 SoC family integrating Arm Cortex-A7 technology. In its
default configuration, st

plat-stm32mp1: add initial support

Introduce platform stm32mp1 with board stm32mp1-stm32mp157c-ev1 based
on stm32mp1 SoC family integrating Arm Cortex-A7 technology. In its
default configuration, stm32mp1 OP-TEE core operates in a 256kB secure
RAM with pager support enabled.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add new RNG implementation

Adds a new cryptographically secure pseudo random number generator known
as Fortuna. The implementation is based on the description in [0]. This
implementation repla

core: add new RNG implementation

Adds a new cryptographically secure pseudo random number generator known
as Fortuna. The implementation is based on the description in [0]. This
implementation replaces the implementation in LTC which was used until
now.

Gathering of entropy has been refined with crypto_rng_add_event() to
better match how entropy is added to Fortuna. A enum crypto_rng_src
identifies the source of the event. The source also controls how the
event is added. There are two options available, queue it in a circular
buffer for later processing or adding it directly to a pool. The former
option is suitable when being called from an interrupt handler or some
other place where RPC to normal world is forbidden.

plat_prng_add_jitter_entropy_norpc() is removed and
plat_prng_add_jitter_entropy() is updated to use this new entropy source
scheme.

The configuration of LTC is simplified by this, now PRNG is always drawn
via prng_mpa_desc.

plat_rng_init() takes care of initializing the PRNG in order to allow
platforms to override or enhance the Fortuna integration.

[0] Link:https://www.schneier.com/academic/paperfiles/fortuna.pdf

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: split tee_pager_init()

Splits tee_pager_init() into tee_pager_set_alias_area() and
tee_pager_generate_authenc_key(). The former function is called where
tee_pager_init() used to be called and

core: split tee_pager_init()

Splits tee_pager_init() into tee_pager_set_alias_area() and
tee_pager_generate_authenc_key(). The former function is called where
tee_pager_init() used to be called and the latter function is called
after the crypto API and RNG has been initialized.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: don't divide by sizeof(*mem) for ddr nsec memory

Since the two addresses are already of type struct core_mmu_phys_mem, do
not divide by sizeof(struct core_mmu_phys_mem). This broke dynamic sha

core: don't divide by sizeof(*mem) for ddr nsec memory

Since the two addresses are already of type struct core_mmu_phys_mem, do
not divide by sizeof(struct core_mmu_phys_mem). This broke dynamic shared
memory on Juno r0, since nelem would be zero for two slots.

Tested on Juno r0.

Fixes: 2f82082fada3 ("core: add ddr overall register")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Rouven Czerwinski <rouven@czerwinskis.de>

show more ...

plat-sunxi: Add plat-sunxi

Initial version support for Allwinner H2+ platform. Specific to Banana Pi
M2 zero board currently.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Je

plat-sunxi: Add plat-sunxi

Initial version support for Allwinner H2+ platform. Specific to Banana Pi
M2 zero board currently.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>

show more ...

core: add mdelay() function

checkpatch will check if udelay value is too large. Use udelay() to
implement mdelay() when we want to delay more than 10000 us.

Reviewed-by: Jens Wiklander <jens.wiklan

core: add mdelay() function

checkpatch will check if udelay value is too large. Use udelay() to
implement mdelay() when we want to delay more than 10000 us.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>

show more ...