drivers: stm32_bsec: support NVMEM cell description in device-tree

Support the nvmem cells description in device tree and
add the platform helper function stm32_bsec_find_otp_in_nvmem_layout()
that

drivers: stm32_bsec: support NVMEM cell description in device-tree

Support the nvmem cells description in device tree and
add the platform helper function stm32_bsec_find_otp_in_nvmem_layout()
that allows drivers to find an OTP location (BSEC word number and bit
size) from the OTP string identifier, name of the cell in device tree.

The bsec driver directly reads the nvmem cells sub node of bsec device.

This allow to remove the hardcoded OTP index in platform and is aligned
with linux kernel binding.

Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_bsec: move debug defines to include

Moves definition of DEBUG status macros from driver source file to
its header file to allow other drivers to control the debug level.
Introduces BS

drivers: stm32_bsec: move debug defines to include

Moves definition of DEBUG status macros from driver source file to
its header file to allow other drivers to control the debug level.
Introduces BSEC_DEBUG_ALL that is the default debug configuration.
Removes configuration masking as it has no use.

Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_bsec: rework and move BITS_PER_WORD

Transforms BITS_PER_WORD to BSEC_BITS_PER_WORD to specify it is
BSEC-related and move it to BSEC driver header file.

Adds BSEC_BYTES_PER_WORD for

drivers: stm32_bsec: rework and move BITS_PER_WORD

Transforms BITS_PER_WORD to BSEC_BITS_PER_WORD to specify it is
BSEC-related and move it to BSEC driver header file.

Adds BSEC_BYTES_PER_WORD for later use.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: implement lpc_uart driver

Support for lpc_uart that is a serial driver.

Signed-off-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
Reviewed-by: J

drivers: implement lpc_uart driver

Support for lpc_uart that is a serial driver.

Signed-off-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: struct serial_ops: make all functions optional except putc()

Many platforms only use the putc() function pointer in struct
serial_ops. Therefore, explicitly make the others optional (flush(

drivers: struct serial_ops: make all functions optional except putc()

Many platforms only use the putc() function pointer in struct
serial_ops. Therefore, explicitly make the others optional (flush(),
have_rx_data() and getchar()) by adding comments to the struct and
making sure the code checks the pointer before using them.

With this it should be clear that drivers do not need to provide
stub functions.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: drivers: nxp: Add LX series SFP driver

- Implement reading and writing to the NXP LX2160-series Security Fuse
Processor (SFP).
- Add the CFG_LS_SFP flag to enable building the SFP driver.
-

core: drivers: nxp: Add LX series SFP driver

- Implement reading and writing to the NXP LX2160-series Security Fuse
Processor (SFP).
- Add the CFG_LS_SFP flag to enable building the SFP driver.
- The SFP driver should be able to:
- Read the entire SFP.
- Read the debug level.
- Read the Intent to Secure (ITS) and Secure Boot (SB) flags.
- Read individual OEM Unique Scratch Pad Fuse (OUID) registers.
- Read individual Super Root Key Hash (SRKH) registers.
- Set the debug level.
- Set the device to permanently program the fuse block by
setting the ITS and SB flags.
- Set individual OUID registers.
- Get the status of the SFP driver itself.
- Update fsl-lx2160a device tree with sfp and gpio nodes.

Signed-off-by: Andrew Mustea <andrew.mustea@microsoft.com>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: crypto: implement SM4 XTS

In this patch, we add software computing support for sm4-xts.

Signed-off-by: Pingan Xie <xiepingan3@huawei.com>
Reviewed-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Acke

core: crypto: implement SM4 XTS

In this patch, we add software computing support for sm4-xts.

Signed-off-by: Pingan Xie <xiepingan3@huawei.com>
Reviewed-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: versal: SHA3-384 engine support

Enable the PLM controlled SHA3-384 cryptographic engine for TEE core
usage.

Since the engine does not have the concept of "context", it can't
provide the le

drivers: versal: SHA3-384 engine support

Enable the PLM controlled SHA3-384 cryptographic engine for TEE core
usage.

Since the engine does not have the concept of "context", it can't
provide the level support required by user-space (multiple parallel
contexts) hence why it is being provided just to the core.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Nathan Menhorn <nathan.menhorn@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow p

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow protection feature -fstack-protector* and
also generate random stack canary value on kernel boot and TA entry.

Weak function plat_get_random_stack_canary() can be override by
platform to provide random stack canary value for the core kernel.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ecc: support the crypto driver

Provide an interface that cryptographic IC drivers can use to fallback
to the software implementation of the algorithms.

This supports the use case where vulner

core: ecc: support the crypto driver

Provide an interface that cryptographic IC drivers can use to fallback
to the software implementation of the algorithms.

This supports the use case where vulnerabilities in the IC algorithms
can be addressed without a respin of the hardware.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an in

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an independent definition with struct utee_object_info in order to
preserve a stable ABI.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: include: cache_helpers.h: allow reusing architecture-dependent code

To allow reuse of architecture-dependent code, divide original
cache_helpers.h into two separate header files
core/$arch/inc

core: include: cache_helpers.h: allow reusing architecture-dependent code

To allow reuse of architecture-dependent code, divide original
cache_helpers.h into two separate header files
core/$arch/include/kernel/cache_helpers_arch.h and
core/include/kernel/cache_helpers.h

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
[jf: set author to be same as Signed-off-by:]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: include: misc.h: divide into misc.h and misc_arch.h

get_core_pos() is architecture-independent function and could be re-used
by an arch implementation, therefore, move it to a separate header

core: include: misc.h: divide into misc.h and misc_arch.h

get_core_pos() is architecture-independent function and could be re-used
by an arch implementation, therefore, move it to a separate header file
core/include/kernel/misc.h, and, keep architecture-dependent code
in core/$arch/include/kernel/misc_arch.h

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: set author to be same as Signed-off-by:]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at leas

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at least improve the situation.

These routines focus on verifying that a function has been called and
that the returned value matches the result from the function. This is
done by having a handshake between the caller and the callee where also
the return value is transmitted in a separate channel.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: include: Fix simple typo in drivers/stm32_gpio.h

Replace "Configuratioh" with "Configuration".

Signed-off-by: Ding Tao <miyatsu@qq.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.

core: include: Fix simple typo in drivers/stm32_gpio.h

Replace "Configuratioh" with "Configuration".

Signed-off-by: Ding Tao <miyatsu@qq.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: implement a method to dump user TA runtime status

This patch is to dump user TA runtime status for debug purposes.
The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA

core: implement a method to dump user TA runtime status

This patch is to dump user TA runtime status for debug purposes.
The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA.
2. Add tee_ta_dump_stats() to scan all ongoing TA instance and sessions
and snapshot their status.
3. Add new function: entry_dump_memstats() to __utee_entry() to get TA
heap statistics.
4. Add new compile option (CFG_TA_STATS, default n) to enable this
feature.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Weizhao Jiang <weizhaoj@amazon.com>
Signed-off-by: Weizhao Jiang <weizhaoj@amazon.com>
[jf: edit commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed w

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed with a subkey are confined to the UUID-V5 namespace of the subkey
to avoid TA UUID clashes with different subkeys.

SHDR_SUBKEY is a type of header which enables chains of public keys.
The public root key is used to verify the first public subkey, which
then is used to verify the next public subkey and so on.

The TA is finally verified using the last subkey. All these headers are
added in front of the TA binary so everything needed to verify the TA is
available when it's loaded into memory.

For example:
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: f573f329fe77be686ce71647909c4ea35b5e1cd7de86369bd7d9fca31f6a4d65
struct shdr_subkey
uuid: f04fa996-148a-453c-b037-1dcfbad120a6
name_size: 64
subkey_version: 1
max_depth: 4
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "mid_level_subkey"
Next header at offset: 692 (0x2b4)
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: 233a6dcf1a2cf69e50cde8e20c4129157da707c76fa86ce12ee31037edef02d7
struct shdr_subkey
uuid: 1a5948c5-1aa0-518c-86f4-be6f6a057b16
name_size: 64
subkey_version: 1
max_depth: 3
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "subkey1_ta"
Next header at offset: 1384 (0x568)
Bootstrap TA
struct shdr
magic: 0x4f545348
img_type: 1 (SHDR_BOOTSTRAP_TA)
img_size: 84576 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: ea31ac7dc2cc06a9dc2853cd791dd00f784b5edc062ecfa274deeb66589b4ca5
struct shdr_bootstrap_ta
uuid: 5c206987-16a3-59cc-ab0f-64b9cfc9e758
ta_version: 0
TA offset: 1712 (0x6b0) bytes
TA size: 84576 (0x14a60) bytes

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add offset argument to shdr_alloc_and_copy()

Adds an offset argument to shdr_alloc_and_copy() to make it easier to
copy a signed header located further into a non-secure buffer.

Reviewed-by:

core: add offset argument to shdr_alloc_and_copy()

Adds an offset argument to shdr_alloc_and_copy() to make it easier to
copy a signed header located further into a non-secure buffer.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configu

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configured with secure external device tree location then
external device tree is returned.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: versal: non volatile memory (eFuse and BBRAM)

Provide an interface to access the xilnvm service executing in the PLM
firmware running on the Microblaze processor.

Signed-off-by: Jorge Rami

drivers: versal: non volatile memory (eFuse and BBRAM)

Provide an interface to access the xilnvm service executing in the PLM
firmware running on the Microblaze processor.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: dt: Make it possible to alter device mapping

In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device

core: dt: Make it possible to alter device mapping

In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device.

When selected registers in IP core are only accessible by TrustZone device
needs to be mapped with MEM_AREA_IO_SEC to cause actual AXI memory access
be made with AWPROT[1] and ARPROT[1] bits configured properly.

This adds new argument for dt_map_dev() to enable forcing mapping to be
secure or non-secure.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: rsa: support the crypto driver

Provide an explicit interface to software cryptographic operations to
allow accessing them whenever the Crypto driver API is enabled.

Signed-off-by: Jorge Ramir

core: rsa: support the crypto driver

Provide an explicit interface to software cryptographic operations to
allow accessing them whenever the Crypto driver API is enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: add support for i2c5 bus

This allows stm32_i2c driver to properly initialize and use
i2c5 bus on stm32mp15 SoC.

Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Igor O

plat-stm32mp1: add support for i2c5 bus

This allows stm32_i2c driver to properly initialize and use
i2c5 bus on stm32mp15 SoC.

Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: versal: PM service

Calls the TF-A exported SiP services or PLM PM APIs.

The programming of the FPGA bitstream is being phased out from the TF-A
so it is no longer supported as such: the re

drivers: versal: PM service

Calls the TF-A exported SiP services or PLM PM APIs.

The programming of the FPGA bitstream is being phased out from the TF-A
so it is no longer supported as such: the recommended interface uses
the MBOX driver to the PLM.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: se050: updates to the crypto object deletion interface

Keys created on the Secure Element NVM via the PKCS#11 TA are removed
by scanning the data buffer holding the reference to the key duri

crypto: se050: updates to the crypto object deletion interface

Keys created on the Secure Element NVM via the PKCS#11 TA are removed
by scanning the data buffer holding the reference to the key during
the release of the object.

The storage allocated to hold those keys (ECC/RSA) is always below the
page size length which seems like a reasonable figure to use for future
extensions.

- This commit avoids scanning objects larger than that length.

This commit also updates the interface to delegate the actual handling
of the object to the crypto driver instead of passing just the raw data
contained in the object.

The cryptographic layer is also being allowed to block the deletion of
the object. This is to cover the scenario where the I2C device is not
accessible while a reference to the key is being removed from the secure
storage in the filesystem.

Incidentally also fixes regression 6018: this test releases an object
of size 0xA0000 which can't be scanned due to this part of the code
hitting an Out of Memory condition.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...