core: rpmb: get RPMB storage space allocation stats

Add rpmb_mem_stats() to get the RPMB secure storage space allocation
statistics.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
A

core: rpmb: get RPMB storage space allocation stats

Add rpmb_mem_stats() to get the RPMB secure storage space allocation
statistics.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTE

core: rpmb: probe for kernel RPMB driver

Three RPC functions are added to support RPMB probing and properly align
RPMB frames, OPTEE_RPC_CMD_RPMB_PROBE_RESET,
OPTEE_RPC_CMD_RPMB_PROBE_NEXT, and OPTEE_RPC_CMD_RPMB_FRAMES.

OPTEE_RPC_CMD_RPMB_PROBE_RESET resets probing to a well known state and
returns the shared memory type needed when allocating shared memory for
communication with later RPMB functions.

OPTEE_RPC_CMD_RPMB_PROBE_NEXT selects the next RPMB device and returns
its device information. Later calls to OPTEE_RPC_CMD_RPMB will use this
selected device.

OPTEE_RPC_CMD_RPMB_FRAMES sends the raw RPMB frames to normal world for
further routing to the RPMB device.

tee_rpmb_reinit() is added to allow re-initializing the RPMB FS if a
boot stage has used RPMB.

Backwards compatibility is maintained by falling back to the old type of
initialization if OPTEE_RPC_CMD_RPMB_PROBE_RESET returns
TEE_ERROR_NOT_SUPPORTED.

Whether RPMB devices are probed by the kernel or tee-supplicant is
decided by the kernel driver where the shared memory type returned by
OPTEE_RPC_CMD_RPMB_PROBE_RESET plays a vital role.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fix header file guard names

Fixes header file guards macro name prefix (mostly missing occurrences)
that should reflect the file base directory sub-path where applicable.

Reviewed-by: Jens Wi

core: fix header file guard names

Fixes header file guards macro name prefix (mostly missing occurrences)
that should reflect the file base directory sub-path where applicable.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buf

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buffer. Core buffers are normal secure memory while user space
buffers should only be accessed using the user_access.h functions.

The different FS storage implementations are updated accordingly.

Note that the RPMB FS storage implementation resorts to using
enter_user_access() and exit_user_access() due to internal complexities.

Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: allow configuration without any secure storage

Support a configuration with no secure storage (CFG_REE_FS=n and
CFG_RPMB_FS=n). In such a case, user TAs will get error code
TEEC_ERROR_ITEM_NOT

core: allow configuration without any secure storage

Support a configuration with no secure storage (CFG_REE_FS=n and
CFG_RPMB_FS=n). In such a case, user TAs will get error code
TEEC_ERROR_ITEM_NOT_FOUND when trying to access persistent objects.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core/include/*/*.h: use U() for unsigned constants

Updates with the U() macro as described in the recently updated coding
guidelines.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Je

core/include/*/*.h: use U() for unsigned constants

Updates with the U() macro as described in the recently updated coding
guidelines.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

rpmb: function to block rpmb write per platform

Often the RPMB should only be written if the platform is in the correct
state where the Hardware Unique Key (HUK) for the platform works
correctly. As

rpmb: function to block rpmb write per platform

Often the RPMB should only be written if the platform is in the correct
state where the Hardware Unique Key (HUK) for the platform works
correctly. As an example on imx platforms with HUK derivation from the
OTPMK, the OTPMK is only accessible from the secure or trusted state.
Add a function and weak implementation for platforms to indicate that
the device is in the correct state to allow RPMB key writes.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Cedric Neveux <cedric.neveux@nxp.com>

show more ...

Remove license notice from STMicroelectronics files

Since a while the source files license info are defined by SPDX
identifiers. We can safely remove the verbose license text from the
files that are

Remove license notice from STMicroelectronics files

Since a while the source files license info are defined by SPDX
identifiers. We can safely remove the verbose license text from the
files that are owned by either only STMicroelectronics or only both
Linaro and STMicroelectronics.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add SPDX license identifiers

Adds one SPDX-License-Identifier line [1] to each source files that
contains license text.

Generated by [2]:
spdxify.py --add-spdx optee_os/

The scancode tool [3] wa

Add SPDX license identifiers

Adds one SPDX-License-Identifier line [1] to each source files that
contains license text.

Generated by [2]:
spdxify.py --add-spdx optee_os/

The scancode tool [3] was used to double check the license matching
code in the Python script. All the licenses detected by scancode are
either detected by spdxify.py, or have no SPDX identifier, or are false
matches.

Link: [1] https://spdx.org/licenses/
Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Link: [3] https://github.com/nexB/scancode-toolkit
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: RPMB FS: provide tee_rpmb_fs_raw_open()

Provides tee_rpmb_fs_raw_open() use by OP-TEE OS.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Volodymyr Babchuk <vlad.babchuk@gm

core: RPMB FS: provide tee_rpmb_fs_raw_open()

Provides tee_rpmb_fs_raw_open() use by OP-TEE OS.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove SQL-FS

With recent developments in REE-FS SQL-FS has become redundant. This
patch removes SQL-FS.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissi

Remove SQL-FS

With recent developments in REE-FS SQL-FS has become redundant. This
patch removes SQL-FS.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: remove redundant fields from struct tee_svc_storage_head

Removes the unused/redundant fields magic, head_size, ds_size from
struct tee_svc_storage_head. meta_size is renamed to attr_size t

core: FS: remove redundant fields from struct tee_svc_storage_head

Removes the unused/redundant fields magic, head_size, ds_size from
struct tee_svc_storage_head. meta_size is renamed to attr_size to better
reflect the usage.

The size of the data stream is calculated from the total size of the
file minus attr_size. This makes the header static after it's
initialized.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: let FOP->create() initialize the new file

Moves the code from syscall_storage_obj_create() that does several calls
via the FOP interface into FOP->create() instead. With this all updates
c

core: FS: let FOP->create() initialize the new file

Moves the code from syscall_storage_obj_create() that does several calls
via the FOP interface into FOP->create() instead. With this all updates
can be performed while the mutex is held. This makes the create
operation easier to optimize as each call via the FOP interface is
atomic.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: replace file name with struct tee_pobj

Replaces the file name with a pointer to corresponding struct tee_pobj
instead in the file operation interface.

Reviewed-by: Jerome Forissier <jerom

core: FS: replace file name with struct tee_pobj

Replaces the file name with a pointer to corresponding struct tee_pobj
instead in the file operation interface.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey, GP)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2260, GP)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: remove fop->seek()

Simplifies file operations interface and implementation by removing the
file operation function pointer seek(). read() and write() takes and
additional position argument

core: FS: remove fop->seek()

Simplifies file operations interface and implementation by removing the
file operation function pointer seek(). read() and write() takes and
additional position argument to avoid keeping track of the position in
the FS layer. The file position was already maintained in parallel in
struct tee_obj.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: simplify FOP create

As the FOP create always is called with the overwrite flag it can be
simplified. This makes the implementation of create much easier.

Reviewed-by: Etienne Carriere <et

core: FS: simplify FOP create

As the FOP create always is called with the overwrite flag it can be
simplified. This makes the implementation of create much easier.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: remove FOP access

Removes all calls to FOP access and the FOP itself.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: FS: FOP rename checks for existing file

Simplify renaming of file by moving the check for existing files into the
rename FOP.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signe

core: FS: FOP rename checks for existing file

Simplify renaming of file by moving the check for existing files into the
rename FOP.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: remove rmdir and mkdir

Removes explicit rmdir and mkdir. It's not needed for SQL FS and RPMB
FS. REE FS does rmdir and mkdir when needed directly inside
tee-supplicant instead.

Reviewed-b

core: FS: remove rmdir and mkdir

Removes explicit rmdir and mkdir. It's not needed for SQL FS and RPMB
FS. REE FS does rmdir and mkdir when needed directly inside
tee-supplicant instead.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: change to new FOP interface

Changes the FOP interface to use TEE_Result as the primary return code to
harmonize better with the rest of the code.

Reviewed-by: Joakim Bech <joakim.bech@lin

core: FS: change to new FOP interface

Changes the FOP interface to use TEE_Result as the primary return code to
harmonize better with the rest of the code.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

secure storage: add SQL filesystem

This commit adds a new container type for trusted storage: SQL FS.
Data are stored in the non-secure world, just like the REE FS
(CFG_REE_FS). But, unlike REE FS w

secure storage: add SQL filesystem

This commit adds a new container type for trusted storage: SQL FS.
Data are stored in the non-secure world, just like the REE FS
(CFG_REE_FS). But, unlike REE FS which manipulates several files for
each secure object, this implementation needs only one container in a
SQLite database per secure object. We rely on the transaction-based
nature of the database to provide atomicity.

A storage identifier is added to the TA API: TEE_STORAGE_PRIVATE_SQL.
Trusted applications can use it to select this filesystem. The value
TEE_STORAGE_PRIVATE defined by GlobalPlatform will also select the
SQL FS if all other implementations are disabled.

This feature is enabled with CFG_SQL_FS=y. It depends on SQL support
in tee-supplicant [1].

[1] https://github.com/OP-TEE/optee_client/pull/50

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: secure storage: dual filesystems support

Adds support for multiple filesystems by keeping a pointer to
tee_file_operations in the tee_pobj and tee_storage_enum structures.

Two identifiers are

core: secure storage: dual filesystems support

Adds support for multiple filesystems by keeping a pointer to
tee_file_operations in the tee_pobj and tee_storage_enum structures.

Two identifiers are added to the API to be used as the storage_id
parameter, so that TAs may dynamically choose the filesystem:
- TEE_STORAGE_PRIVATE_REE (requires CFG_REE_FS=y)
- TEE_STORAGE_PRIVATE_RPMB (requires CFG_RPMB_FS=y)
The value TEE_STORAGE_PRIVATE will select the REE FS if available,
otherwise RPMB. At least one FS has to be enabled at build time. Only
the REE filesystem is enabled by default.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>

show more ...

Remove typedef tee_fs_dir, use 'struct tee_fs_dir'

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.b

Remove typedef tee_fs_dir, use 'struct tee_fs_dir'

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Clean tee_ree_fs.c

Make most functions static. Use a consistent naming scheme (ree_fs_*).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linar

Clean tee_ree_fs.c

Make most functions static. Use a consistent naming scheme (ree_fs_*).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Delete core/tee/tee_fs.c

tee_fs.c contains trivial wrappers, that will eventually go. Move them
temporarily into tee_rpmb_fs.c and tee_fs_common.c (which will later be
renamed tee_ree_fs.c).

Signed

Delete core/tee/tee_fs.c

tee_fs.c contains trivial wrappers, that will eventually go. Move them
temporarily into tee_rpmb_fs.c and tee_fs_common.c (which will later be
renamed tee_ree_fs.c).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...