core: riscv: mm: fix arch_va2pa_helper() on superpage translation

Any level of PTE may be a leaf PTE in RISC-V page table, if the
page is not 4KiB, the page offset should be extended to VPN fields
o

core: riscv: mm: fix arch_va2pa_helper() on superpage translation

Any level of PTE may be a leaf PTE in RISC-V page table, if the
page is not 4KiB, the page offset should be extended to VPN fields
of virtual address.

e.g. on Sv39, if there is a leaf PTE on level-1 (2MiB megapage),
it maps to physical page with (va[20:12] | va[11:0]) as the page
offset.

Sv39 Virtual address:
|<--- superpage offset --->|
38_______30_29______21|20______12_11____________0|
| VPN[2] | VPN[1] | VPN[0] | page offset |
‾‾‾‾9‾‾‾‾‾‾‾‾‾‾9‾‾‾‾‾|‾‾‾‾9‾‾‾‾‾‾‾‾‾‾‾‾12‾‾‾‾‾‾‾|
| |
Physical address: | |
| |
55___________30_29______21|20______12_11____________0|
| PPN[2] | PPN[1] | PPN[0] | page offset |
‾‾‾‾‾‾26‾‾‾‾‾‾‾‾‾‾‾9‾‾‾‾‾'‾‾‾‾9‾‾‾‾‾‾‾‾‾‾‾‾12‾‾‾‾‾‾‾'

Signed-off-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add CFG_RPMB_ANNOUNCE_PROBE_CAP

Add CFG_RPMB_ANNOUNCE_PROBE_CAP to control whether RPMB probe capability
should be announced to the kernel. For the kernel driver to enable
in-kernel RPMB routi

core: add CFG_RPMB_ANNOUNCE_PROBE_CAP

Add CFG_RPMB_ANNOUNCE_PROBE_CAP to control whether RPMB probe capability
should be announced to the kernel. For the kernel driver to enable
in-kernel RPMB routing it must know in advance that OP-TEE supports it.
By masking the capability the kernel will route all RPMB commands to
tee-supplicant.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTE

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTEE_RPC_CMD_RPMB_FRAMES.

OPTEE_RPC_CMD_RPMB_PROBE_RESET resets probing to a well known state and
returns the shared memory type needed when allocating shared memory for
communication with later RPMB functions.

OPTEE_RPC_CMD_RPMB_PROBE_NEXT selects the next RPMB device and returns
its device information. Later calls to OPTEE_RPC_CMD_RPMB will use this
selected device.

OPTEE_RPC_CMD_RPMB_FRAMES sends the raw RPMB frames to normal world for
further routing to the RPMB device.

tee_rpmb_reinit() is added to allow re-initializing the RPMB FS if a
boot stage has used RPMB.

Backwards compatibility is maintained by falling back to the old type of
initialization if OPTEE_RPC_CMD_RPMB_PROBE_RESET returns
TEE_ERROR_NOT_SUPPORTED.

Whether RPMB devices are probed by the kernel or tee-supplicant is
decided by the kernel driver where the shared memory type returned by
OPTEE_RPC_CMD_RPMB_PROBE_RESET plays a vital role.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: riscv: Let platform choose native and foreign interrupts

Platform may want to choose different types of native and foreign
interrupts. This commit adds two definitions for the platforms:
1. PL

core: riscv: Let platform choose native and foreign interrupts

Platform may want to choose different types of native and foreign
interrupts. This commit adds two definitions for the platforms:
1. PLAT_THREAD_EXCP_FOREIGN_INTR: to define platform specific foreign
interrupts
2. PLAT_THREAD_EXCP_NATIVE_INTR: to define platform specific native
interrupts.

For RISC-V virt machine, we define all external/mtimer/software
interrupts as foreign interrupts. For RISC-V spike platform, we define
external interrupts as foreign interrupts, and mtimer/software
interrupts as native interrupts.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: Update thread core local flags for native interrupts

Record the type of stack and the type of interrupt into thread core
local flags before handling the native interrupts. Once we finis

core: riscv: Update thread core local flags for native interrupts

Record the type of stack and the type of interrupt into thread core
local flags before handling the native interrupts. Once we finish the
handling of the native interrupts, we clear the previous flags.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: Determine foreign interrupts during interrupt handling

The foreign interrupts are defined in THREAD_EXCP_FOREIGN_INTR, whose
bit fields are corresponding to RISC-V MIP/SIP CSR. Thus, we

core: riscv: Determine foreign interrupts during interrupt handling

The foreign interrupts are defined in THREAD_EXCP_FOREIGN_INTR, whose
bit fields are corresponding to RISC-V MIP/SIP CSR. Thus, we can
determine whether the coming interrupt is foreign interrupt or not by
THREAD_EXCP_FOREIGN_INTR.

However, the trap information is encoded in XCAUSE CSR. Thus, we must
translate the value of XCAUSE to XIP first, and then compare the XIP
with THREAD_EXCP_FOREIGN_INTR. For example, if the coming interrupt is
supervisor timer interrupt, the value of SCAUSE will be
0x8000000000000005 on RV64 system. We need to translate it to be
sip.STIP, which is 0x20. Then, we can further compare 0x20 with
THREAD_EXCP_FOREIGN_INTR. If 0x20 is subset of THREAD_EXCP_FOREIGN_INTR,
it is determined as a foreign interrupt. Finally, we call
thread_foreign_interrupt_handler() to further handle it.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: Implement foreign interrupt handler

In SMP based OP-TEE system, the foreign interrupts, which are handled
outside OP-TEE, might be injected during the execution of OP-TEE. When
OP-TEE r

core: riscv: Implement foreign interrupt handler

In SMP based OP-TEE system, the foreign interrupts, which are handled
outside OP-TEE, might be injected during the execution of OP-TEE. When
OP-TEE receives such foreign interrupts, it should suspend current
thread and yield the execution to the foreign domains to handle those
foreign interrupts.

This commit implements thread_foreign_interrupt_handler(), which is
expected to be called during trap handling. The job of this function are
suspending the current thread, and returning to the other domain to let
them handle the foreign interrupts.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: Rename and re-order parameters of the interrupt handlers

Rename thread_interrupt_handler() to thread_native_interrupt_handler(),
since we are going to support the foreign interrupt hand

core: riscv: Rename and re-order parameters of the interrupt handlers

Rename thread_interrupt_handler() to thread_native_interrupt_handler(),
since we are going to support the foreign interrupt handler.

The native interrupts are handled in OP-TEE side, while the foreign
interrupts are handled outside OP-TEE.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: Remove duplicated sp assignment for ARM64 in set_ctx_regs()

There are two lines of code to assign value of sp for ARM64. Remove one
of them.

Signed-off-by: Alvin Chang <alvinga@andestech

core: arm: Remove duplicated sp assignment for ARM64 in set_ctx_regs()

There are two lines of code to assign value of sp for ARM64. Remove one
of them.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rename to core_mmu_init_phys_mem()

Rename core_mmu_init_ta_ram() to core_mmu_init_phys_mem() for a more
accurate name of the function.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org

core: rename to core_mmu_init_phys_mem()

Rename core_mmu_init_ta_ram() to core_mmu_init_phys_mem() for a more
accurate name of the function.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: replace tee_mm_sec_ddr with phys_mem functions

Replace the tee_mm_sec_ddr mm pool with the phys_mem functions. This
doesn't change the behaviour.

Signed-off-by: Jens Wiklander <jens.wiklander

core: replace tee_mm_sec_ddr with phys_mem functions

Replace the tee_mm_sec_ddr mm pool with the phys_mem functions. This
doesn't change the behaviour.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: riscv: Simplify SP setup in setup_unwind_user_mode()

The parameter "regs" is the stack pointer which is allocated to store
system call registers when calling thread_scall_handler(). Thus, we c

core: riscv: Simplify SP setup in setup_unwind_user_mode()

The parameter "regs" is the stack pointer which is allocated to store
system call registers when calling thread_scall_handler(). Thus, we can
simply get the original stack pointer by "regs + 1" equation, and use it
to exit user mode.

The code is referenced from ARM's setup_unwind_user_mode().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>

show more ...

core: open-code thread_init_stack()

The implementations of thread_init_stack() are identical and trivial for
both arm and riscv. So simplify code further and open-code it where it's
called from in c

core: open-code thread_init_stack()

The implementations of thread_init_stack() are identical and trivial for
both arm and riscv. So simplify code further and open-code it where it's
called from in core/kernel/thread.c.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: virt: initialize heap from virt_guest_created()

Replace the preinit_early() guest heap initialization with function call
in virt_guest_created().

Signed-off-by: Jens Wiklander <jens.wiklander

core: virt: initialize heap from virt_guest_created()

Replace the preinit_early() guest heap initialization with function call
in virt_guest_created().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: kern.ld.S: assert enough RAM for paging

Update the assert for enough ram for paging to take hash data and
relocation information into account.

Signed-off-by: Jens Wiklander <jens.wikland

core: arm: kern.ld.S: assert enough RAM for paging

Update the assert for enough ram for paging to take hash data and
relocation information into account.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

vexpress-qemu_armv8a: increase CFG_CORE_TZSRAM_EMUL_SIZE to 512 kB

Set the default emulated SRAM to 512 kB since the default 448 kB isn't
enough to build with CFG_CORE_ASLR=y with a margin.

Signed-

vexpress-qemu_armv8a: increase CFG_CORE_TZSRAM_EMUL_SIZE to 512 kB

Set the default emulated SRAM to 512 kB since the default 448 kB isn't
enough to build with CFG_CORE_ASLR=y with a margin.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: plat-virt: Set CFG_BOOT_SYNC_CPU=n

On RISC-V QEMU virt platform, OP-TEE OS runs as S-mode. There is a
secure monitor runs as M-mode and controls the hart state of the
secondary CPUs in SMP sy

riscv: plat-virt: Set CFG_BOOT_SYNC_CPU=n

On RISC-V QEMU virt platform, OP-TEE OS runs as S-mode. There is a
secure monitor runs as M-mode and controls the hart state of the
secondary CPUs in SMP system (e.g., by SBI HSM extension) during OP-TEE
OS secondary CPUs booting.

Thus, RISC-V virt platform does not need CFG_BOOT_SYNC_CPU.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add CFG_CORE_ASLR_SEED

Add CFG_CORE_ASLR_SEED to override the used seed if CFG_CORE_ASLR=y.
CFG_CORE_ASLR_SEED is intended to help debugging ASLR related issues
by using the same address layou

core: add CFG_CORE_ASLR_SEED

Add CFG_CORE_ASLR_SEED to override the used seed if CFG_CORE_ASLR=y.
CFG_CORE_ASLR_SEED is intended to help debugging ASLR related issues
by using the same address layout each time.

CFG_CORE_ASLR_SEED requires CFG_INSECURE=y.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: drivers: riscv_zkr_rng: limit seed reading time

If the attempts to read SEED exceed 1 second for 16-bit
randomness, we consider it a failure.

Also, move seed CSR field encodings to the header

core: drivers: riscv_zkr_rng: limit seed reading time

If the attempts to read SEED exceed 1 second for 16-bit
randomness, we consider it a failure.

Also, move seed CSR field encodings to the header file.

Signed-off-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

core: spmc: handle BTI/PAUTH info in SP manifest

Provide information to the SP whether BTI and PAUTH are enabled in
OP-TEE by updating the relevant DT node in the SP manifest.
This way the SP can de

core: spmc: handle BTI/PAUTH info in SP manifest

Provide information to the SP whether BTI and PAUTH are enabled in
OP-TEE by updating the relevant DT node in the SP manifest.
This way the SP can detect if the required protection is not available.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: Enable pointer authentication for SPs

Add support to pauth keys for SPs if pointer authentication is enabled.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etien

core: Enable pointer authentication for SPs

Add support to pauth keys for SPs if pointer authentication is enabled.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: Enable BTI for binary SPs

Enable BTI (Branch Target Identification) if the
GP attribute is set and the region is executable.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Et

core: spmc: Enable BTI for binary SPs

Enable BTI (Branch Target Identification) if the
GP attribute is set and the region is executable.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: riscv: core_mmu_arch: fix next level page-table translation

If arch_va2pa_helper() and core_mmu_find_table() are called when
the MMU is disabled, we don't need to convert the next level page
b

core: riscv: core_mmu_arch: fix next level page-table translation

If arch_va2pa_helper() and core_mmu_find_table() are called when
the MMU is disabled, we don't need to convert the next level page
base address with phys_to_virt(). Add core_mmu_xlat_table_entry_pa2va()
to handle this address translation.

Signed-off-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: core_mmu_arch: remove address translation when initializing SATP

Fix the handling of the page table base address (pgt) by removing
the unnecessary virt_to_phys(). The pgt is already a p

core: riscv: core_mmu_arch: remove address translation when initializing SATP

Fix the handling of the page table base address (pgt) by removing
the unnecessary virt_to_phys(). The pgt is already a physical address,
and thus does not require translation.

Additionally, since the ASID always set to 0, replaced the redundant
assertions with a explicit check to ensure the MMU is disabled in the
context.

Signed-off-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: Increase size of stacks and extra check space

To support CFG_CORE_DEBUG_CHECK_STACKS=y for RISC-V, we set
STACK_CHECK_EXTRA as 1536 like what ARM does.

To avoid stack overruns when CFG

core: riscv: Increase size of stacks and extra check space

To support CFG_CORE_DEBUG_CHECK_STACKS=y for RISC-V, we set
STACK_CHECK_EXTRA as 1536 like what ARM does.

To avoid stack overruns when CFG_CORE_DEBUG_CHECK_STACKS=y, we increase
the size of abort stack to 4096 bytes and size of thread stack to 10240
bytes.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peterlin@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...