core: make boot_arg_nsec_entry globally accessible

Required on TI platforms that need access to access the boot
arguments in an `early_init()` call.
Need the boot args to memory-map and initialise t

core: make boot_arg_nsec_entry globally accessible

Required on TI platforms that need access to access the boot
arguments in an `early_init()` call.
Need the boot args to memory-map and initialise the HUK before
it is used in the `tee_fs_init_key_manager` service init.

Signed-off-by: Alistair Higgins <Alistair_Higgins@trimble.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: boot_mem: enable asan support

Add boot_mem_init_asan() to tag all allocated memory with
asan_tag_access().

Allocations with boot_mem_alloc() and boot_mem_alloc_tmp() are tagged
with asan_tag_

core: boot_mem: enable asan support

Add boot_mem_init_asan() to tag all allocated memory with
asan_tag_access().

Allocations with boot_mem_alloc() and boot_mem_alloc_tmp() are tagged
with asan_tag_access().

boot_mem_foreach_padding() temporarily allow access to paddings for the
callback and restores no-access if the callback returns false to tell
that the padding wasn't consumed.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: kernel: support booting non-contiguous non-zero-based hart IDs

Currently, OP-TEE assumes 0 <= hartid < CFG_TEE_CORE_NB_CORE,
and must be contiguous, which fails to accommodate different
CPU t

riscv: kernel: support booting non-contiguous non-zero-based hart IDs

Currently, OP-TEE assumes 0 <= hartid < CFG_TEE_CORE_NB_CORE,
and must be contiguous, which fails to accommodate different
CPU topologies. For example, some RISC-V platforms, such as
the HiFive Unmatched board, do not run Linux and OP-TEE on
hart0, as it is a monitor core without supervisor mode support.

To address this, introduce hart_index, which is used to index
per-hart structures, such as thread_core_local and root_pgt.
The hart_index will range from 0 to (CFG_TEE_CORE_NB_CORE - 1),
and the primary hart will have an index of 0.

Additionally, a new function, boot_primary_init_core_ids(),
is added to initialize secondary hart IDs for booting via
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: boot: add boot_init_primary_runtime()

Split the early parts of boot_init_primary_final() into
boot_init_primary_runtime(). boot_init_primary_runtime() initializes the
runtime, part of that is

core: boot: add boot_init_primary_runtime()

Split the early parts of boot_init_primary_final() into
boot_init_primary_runtime(). boot_init_primary_runtime() initializes the
runtime, part of that is to generate the PAUTH keys. The PAUTH keys are
loaded in assembly before boot_init_primary_final() is called.

This fixes an error when SPs are initialized by entering and exiting
S-EL0 from boot_init_primary_final() but the PAUTH registers hasn't been
initialized with the right values.
E/TC:0 0 Core undef-abort at address 0xe106be4
E/TC:0 0 esr 0x72000000 ttbr0 0x200000e27d000 ttbr1 0x00000000 cidr 0x0
E/TC:0 0 cpu #0 cpsr 0x60000144
E/TC:0 0 x0 0000000000000000 x1 0000000000000000
E/TC:0 0 x2 0000000000000000 x3 0000000000000000
E/TC:0 0 x4 000000000e27a060 x5 000000000e27a05c
E/TC:0 0 x6 000000000000009f x7 0000000000000083
E/TC:0 0 x8 0000000000000000 x9 0000000000004367
E/TC:0 0 x10 000000000000009f x11 0000000000000000
E/TC:0 0 x12 0000000000000000 x13 0000000040006f80
E/TC:0 0 x14 0000000000000000 x15 0000000000000000
E/TC:0 0 x16 000000000e107460 x17 0000000000000000
E/TC:0 0 x18 0000000000000000 x19 000000000e002000
E/TC:0 0 x20 000000000e300000 x21 0000000040000000
E/TC:0 0 x22 0000000000000000 x23 000000000e272830
E/TC:0 0 x24 000000000e22c250 x25 0000000000000000
E/TC:0 0 x26 0000000000000000 x27 0000000000000000
E/TC:0 0 x28 0000000000000000 x29 000000000e27a020
E/TC:0 0 x30 0a2ed3b10e1314e8 elr 000000000e106be4
E/TC:0 0 sp_el0 000000000e27a010
E/TC:0 0 TEE load address @ 0xe100000
E/TC:0 0 Core undef-abort at address 0xe106be4 .debug_info+27620
E/TC:0 0 Call stack:
E/TC:0 0 0x0e106be4 thread_enter_user_mode at core/arch/arm/kernel/thread.c:1049
E/TC:0 0 0x0e110628 sp_open_session at core/arch/arm/kernel/secure_partition.c:635
E/TC:0 0 0x0e112508 sp_init_uuid at core/arch/arm/kernel/secure_partition.c:1583
E/TC:0 0 0x0e1135f8 sp_init_all at core/arch/arm/kernel/secure_partition.c:2018
E/TC:0 0 0x0e137950 do_init_calls at core/kernel/initcall.c:20
E/TC:0 0 0x0e137b0c call_finalcalls at core/kernel/initcall.c:73

Fixes: b5ec8152f3e5 ("core: arm: refactor boot")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: Implicitly enable CFG_BOOT_MEM

Now both ARM and RISC-V architectures support and enable CFG_BOOT_MEM by
default. It's unnecessary to define CFG_BOOT_MEM. This commit removes
CFG_BOOT_MEM and r

core: Implicitly enable CFG_BOOT_MEM

Now both ARM and RISC-V architectures support and enable CFG_BOOT_MEM by
default. It's unnecessary to define CFG_BOOT_MEM. This commit removes
CFG_BOOT_MEM and relevant dead code.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: boot_mem: keep track of padding

When boot_mem_alloc() allocates memory up to alignment - 1 number of
bytes may have be skipped to satisfy the required alignment of the
returned pointer. If the

core: boot_mem: keep track of padding

When boot_mem_alloc() allocates memory up to alignment - 1 number of
bytes may have be skipped to satisfy the required alignment of the
returned pointer. If the skipped bytes, or padding, is large enough,
it's recorded in a list of padding. The list of paddings can be
processed and consumed with boot_mem_foreach_padding(). This allows
sufficiently large paddings to be added to for instance the heap instead
of being wasted.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add CFG_BOOT_MEM and boot_mem_*() functions

Adds CFG_BOOT_MEM to support stack-like memory allocations during boot
before a heap has been configured.

Signed-off-by: Jens Wiklander <jens.wikl

core: add CFG_BOOT_MEM and boot_mem_*() functions

Adds CFG_BOOT_MEM to support stack-like memory allocations during boot
before a heap has been configured.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: introduce boot_init_primary_final()

Introduce boot_init_primary_final() and move the call to
call_finalcalls() into that function.

This is needed in later patches to enabled PAUTH before

core: arm: introduce boot_init_primary_final()

Introduce boot_init_primary_final() and move the call to
call_finalcalls() into that function.

This is needed in later patches to enabled PAUTH before
boot_init_primary_final() is called.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: move manifest DT functions to dt.c

This moves functions to handle manifest DT, used as a SP (secure partition)
manifest via FF-A interface, to core/kernel/dt.c and their definitions
to

core: kernel: move manifest DT functions to dt.c

This moves functions to handle manifest DT, used as a SP (secure partition)
manifest via FF-A interface, to core/kernel/dt.c and their definitions
to dt.h.
manifest DT is dependent with CORE_FFA that depends on CFG_DT, as the same
as dt.c.

Signed-off-by: Sungbae Yoo <sungbaey@nvidia.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: factor out shared memory boot-time helpers

The static and dynamic shared memory helpers used for boot-time
reservation/registration are non-architecture-specific. Moving
them into the

core: kernel: factor out shared memory boot-time helpers

The static and dynamic shared memory helpers used for boot-time
reservation/registration are non-architecture-specific. Moving
them into the generic boot.c file will help avoid duplicated code
and improve maintainability.

Signed-off-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: boot: fix memtag init sequence

Based on following observations on FVP:
With boot_init_memtag called before MMU enable, DC GZA hits an alignment
fault. This is because all accesses are of devic

core: boot: fix memtag init sequence

Based on following observations on FVP:
With boot_init_memtag called before MMU enable, DC GZA hits an alignment
fault. This is because all accesses are of device type when MMU is off.
Arm ARM states for DC GZA: "If the memory region being modified is any
type of Device memory, this instruction can give an alignment fault."
Moving boot_init_memtag after MMU enable, DC GZA hits a permission
fault, this is because the range returned by core_mmu_get_secure_memory
consists of pages mapped RO (text sections) and then RW (data sections)
consecutively. DC GZA is a write instruction executed towards an RO page
leading to a fault.

To fix this, split boot_init_memtag into two halves:
- Setup memtag operations before MMU is enabled such that MAIR_EL1 is
properly configured for normal tagged memory.
- Clear core TEE RW sections after MMU is enabled.

Closes: https://github.com/OP-TEE/optee_os/issues/6649
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
[jw rewrote boot_clear_memtag()]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: remove unused arguments from boot_init_primary_early()

Removes the now unused arguments from boot_init_primary_early().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by:

core: remove unused arguments from boot_init_primary_early()

Removes the now unused arguments from boot_init_primary_early().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Raymond Mao <raymond.mao@linaro.org>

show more ...

core: remove fdt argument from get_aslr_seed()

Removes the now ignored fdt argument from get_aslr_seed().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <et

core: remove fdt argument from get_aslr_seed()

Removes the now ignored fdt argument from get_aslr_seed().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Raymond Mao <raymond.mao@linaro.org>

show more ...

core: arm: refactor boot argument handling

Adds a C function, boot_save_args(), to as early as possible analyze and
save the needed parameters depending on the current configuration. The
parameters

core: arm: refactor boot argument handling

Adds a C function, boot_save_args(), to as early as possible analyze and
save the needed parameters depending on the current configuration. The
parameters are stored in global variables, which are then accessed by
the subsequently called functions, boot_init_primary_early(),
boot_init_primary_late(), and get_aslr_seed().

entry_a32.S now preserves {r0-r3,lr} and pass them to boot_save_args().

entry_a64.S now preserves {x0-x3} and pass them to boot_save_args() with
zero in a5.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Raymond Mao <raymond.mao@linaro.org>

show more ...

core: rename tos_fw_config_dt to manifest_dt

Renames tos_fw_config_dt to manifest_dt as a preparation for coming
patches to let it represent all device tree manifests provided in an
FF-A configurati

core: rename tos_fw_config_dt to manifest_dt

Renames tos_fw_config_dt to manifest_dt as a preparation for coming
patches to let it represent all device tree manifests provided in an
FF-A configuration.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Leisen <leisen1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: Rename primary_init_intc() to boot_primary_init_intc()

Since interrupt controllers are usually initialized in boot stage,
rename primary_init_intc() to boot_primary_init_intc().

Signed-o

core: arm: Rename primary_init_intc() to boot_primary_init_intc()

Since interrupt controllers are usually initialized in boot stage,
rename primary_init_intc() to boot_primary_init_intc().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: Rename main_secondary_init_intc() to boot_secondary_init_intc()

main_secondary_*() is an ambiguous name since it conveys no meaning
relative to the purpose of the function. Fix it by rena

core: arm: Rename main_secondary_init_intc() to boot_secondary_init_intc()

main_secondary_*() is an ambiguous name since it conveys no meaning
relative to the purpose of the function. Fix it by renameing to
boot_secondary_init_intc(), since interrupt controllers are always
initialized in boot stage.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: rename interrupt controller functions

This commit renames interrupt controller function names
to be more generic:
- Rename main_init_gic() to primary_init_intc()
- Rename secondary_init_gic()

core: rename interrupt controller functions

This commit renames interrupt controller function names
to be more generic:
- Rename main_init_gic() to primary_init_intc()
- Rename secondary_init_gic() to secondary_init_intc()

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm: Move some DT functions to common kernel

Some existed functions for device tree in ARM could be also used for
other architectures. This commit moves most of functions from ARM
architecture

core: arm: Move some DT functions to common kernel

Some existed functions for device tree in ARM could be also used for
other architectures. This commit moves most of functions from ARM
architecture into "core/kernel/dt.c", including external DT descriptor,
DT overlay, external DT initialization, API for adding DT child nodes
and reserved-memory nodes. Since "core/kernel/dt.c" is dependent with
CFG_DT, other functions which are independent with CFG_DT are put into
new file "core/kernel/boot.c".

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: thread: Add support for canary value randomization

Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded cana

core: thread: Add support for canary value randomization

Currently hardcoded magic number is used as thread stack canary,
an attacker with full control over the overflow can embed the
hardcoded canary value on the right location to bypass the overflow
detection.

To add extra layer of security, redefine the canary value as variable,
such that the canary can be initialized during runtime.

The canaries are initialized with static values from thread_init_canaries()
during the early boot stage. The plat_get_random_stack_canaries() is
refactored to support arbitrary-length random numbers, and a new function
called thread_update_canaries() is created to fetch the random values and
update the thread canaries. For CFG_NS_VIRTUALIZATION=y, the updated
function is disabled.

Signed-off-by: Vincent Chuang <Vincent.Chuang@mediatek.com>
Signed-off-by: Randy Hsu <Randy-CY.Hsu@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: parse boot info

With CFG_CORE_SEL2_SPMC=y OP-TEE is executed as an SP at S-EL1. The
manifest describing the OP-TEE SP is passed as a boot argument.

The manifest contains among other thin

core: ffa: parse boot info

With CFG_CORE_SEL2_SPMC=y OP-TEE is executed as an SP at S-EL1. The
manifest describing the OP-TEE SP is passed as a boot argument.

The manifest contains among other things the two properties
"load-address" and "mem-size". These cover the secure memory allocated
for OP-TEE to cover core and TA memory. The retrieved memory range is
saved with a call to core_mmu_set_secure_memory() to be used when
initializing MMU and other memory configuration.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: add TOS_FW_CONFIG handling

At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but
currently only the HW_CONFIG address is saved, the other one is dropped.
This commit add

core: ffa: add TOS_FW_CONFIG handling

At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but
currently only the HW_CONFIG address is saved, the other one is dropped.
This commit adds functionality to save the TOS_FW_CONFIG too, so we can
retrieve it later. This is necessary for the CFG_CORE_SEL1_SPMC use
case, because the SPMC manifest is passed in this DT.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow p

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow protection feature -fstack-protector* and
also generate random stack canary value on kernel boot and TA entry.

Weak function plat_get_random_stack_canary() can be override by
platform to provide random stack canary value for the core kernel.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configu

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configured with secure external device tree location then
external device tree is returned.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any o

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any overhead and the behaviour is unchanged. With
CFG_MEMTAG=y a check is performed to see if the platform can support MTE
and the API is dynamically configured accordingly. This means that it's
safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There
will be some minimal overhead then, but likely not noticeable.

An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32
property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The
property is set to a non-zero value only if CFG_CORE_MEMTAG is
configured and the underlying CPU supports FEAT_MTE.

This commit still only uses the default tag with the value 0 resulting
in unchanged pointers when accessing memory. However, all plumbing is in
place allowing for instance tagging of the heap in a later commit.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...