History log of /optee_os/core/include/tee/tee_fs_key_manager.h (Results 1 – 14 of 14)
Revision Date Author Comments
# fbe66cf8 16-Oct-2023 Etienne Carriere <etienne.carriere@foss.st.com>

core: fix header file guard names

Fixes header file guards macro name prefix (mostly missing occurrences)
that should reflect the file base directory sub-path where applicable.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>



# b4bfc9a9 30-Apr-2021 Jens Wiklander <jens.wiklander@linaro.org>

core/include/*/*.h: use U() for unsigned constants

Updates with the U() macro as described in the recently updated coding
guidelines.

Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>



# b1d7375c 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Remove 'All rights reserved' from Linaro files

The text 'All rights reserved' is useless [1]. The Free Software
Foundation's REUSE Initiative best practices document [2] does not
contain these words. Therefore, we can safely remove the text from the
files that are owned by Linaro.

Generated by:
spdxify.py --linaro-only --strip-arr optee_os/

Link: [1] https://en.wikipedia.org/wiki/All_rights_reserved
Link: [2] https://reuse.software/practices/
Link: [3] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>



# 78b7c7c7 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Remove license notice from Linaro files

Now that we have added SPDX identifiers, we can safely remove the
verbose license text from the files that are owned by Linaro.

Generated by [1]:
spdxify.py --linaro-only --strip-license-text optee_os/

Link: [1] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>



# 1bb92983 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Add SPDX license identifiers

Adds one SPDX-License-Identifier line [1] to each source file that
contains license text.

Generated by [2]:
spdxify.py --add-spdx optee_os/

The scancode tool [3] was used to double check the license matching
code in the Python script. All the licenses detected by scancode are
either detected by spdxify.py, or have no SPDX identifier, or are false
matches.

Link: [1] https://spdx.org/licenses/
Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Link: [3] https://github.com/nexB/scancode-toolkit
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>



# 0c4e1284 13-Apr-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: FS: key manager takes supplied UUID

The FS key manager takes a supplied UUID instead of extracting it from
the current session in order to be more flexible.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>



# 7b3758b4 15-Feb-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: remove unused FS key manager features

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 366f8a64 15-Feb-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: provide tee_fs_fek_crypt()

FS key manager provides tee_fs_fek_crypt().

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# ac3be63f 05-Dec-2016 Guanchao Liang <liang.guanchao@linaro.org>

secure storage: change struct tee_fs_file_info member type

In struct tee_fs_file_info, the member length's original type is size_t.
When the NS user is 64 bits and the secure kernel is 32 bits, the type size_t
will have different widths, which will cause the xtest 20022 case to fail.
This commit changes the member length's type from size_t to uint64_t,
which keeps a fixed width.

Signed-off-by: Guanchao Liang <liang.guanchao@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)



# 361fb3e3 06-Oct-2016 Jens Wiklander <jens.wiklander@linaro.org>

core: REE FS: use a single file per object

Prior to this commit each persistent object was represented by a
directory with several files. With this commit each persistent object is
represented by a single file instead to simplify the implementation.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>



# fde4a756 02-Aug-2016 Jerome Forissier <jerome.forissier@linaro.org>

storage: encrypt the FEK with a TA-specific key

The File Encryption Key is now encrypted with a Trusted application
Storage Key (TSK) rather than directly with the Secure Storage Key.
The TSK is derived from the SSK and the TA UUID. This improves
isolation between TAs, and makes it impossible to read the data of a
TA from another TA after manually moving files in the REE filesystem
for instance.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>



# 9e84c17e 21-Jan-2016 Jerome Forissier <jerome.forissier@linaro.org>

RPMB: add file encryption

Adds support for CFG_ENC_FS=y when CFG_RPMB_FS=y.

The files stored on an RPMB partition are encrypted with AES in Cipher
Block Chaining (CBC) mode with Encrypted Salt/Sector Initialization
Vector (ESSIV).
Each file has its own 128-bit File Encryption Key (FEK), randomly chosen
when the file is created. The FEK is added to the FAT entry for the
file; it is always decrypted with the Secure Storage Key (SSK) before
use. The file path is reduced accordingly, so that a FAT entry is still
256 bytes.
Each 256-byte block in the file is encrypted as follows:

k = 128 bits of SHA256(FEK);
IV = AES_Encrypt(k, block number);
encrypted_block = AES_CBC(IV, FEK, block_data);

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>



# 9470783f 09-Sep-2015 SY Chiu <sy.chiu@linaro.org>

Secure Storage: export TEE file header structure for xtest

Export 'struct meta_header' and 'struct block_header' to
$TA_DEV_KIT_DIR/host_include; those structures can be used
by xtest. This prevents hard-coding the structure in xtest.

Signed-off-by: SY Chiu <sy.chiu@linaro.org>
Tested-by: SY Chiu <sy.chiu@linaro.org> (QEMU)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>



# c7856574 05-Jun-2015 James Kung <james.kung@linaro.org>

Secure Storage: Implement block-based encrypted file system

- Meta file encryption/decryption is enforced
- Block file encryption/decryption is optional

Signed-off-by: James Kung <james.kung@linaro.org>
Signed-off-by: SY Chiu <sy.chiu@linaro.org>
Tested-by: James Kung <james.kung@linaro.org> (QEMU, MT8173 EVB)
Tested-by: SY Chiu <sy.chiu@linaro.org> (QEMU)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
