| f1badf16 | 17-Nov-2022 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: include: cache_helpers.h: allow reusing architecture-dependent code
To allow reuse of architecture-dependent code, divide the original cache_helpers.h into two separate header files: core/$arch/include/kernel/cache_helpers_arch.h and core/include/kernel/cache_helpers.h.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
[jf: set author to be same as Signed-off-by:]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 4e9ed1a9 | 17-Nov-2022 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: include: misc.h: divide into misc.h and misc_arch.h
get_core_pos() is an architecture-independent function and could be reused by an arch implementation; therefore, move it to a separate header file core/include/kernel/misc.h, and keep architecture-dependent code in core/$arch/include/kernel/misc_arch.h.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: set author to be same as Signed-off-by:]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 7e75ca54 | 01-Apr-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
Basic fault mitigation routines
Adds basic fault mitigation routines designed to help protect from fault injection attacks on the hardware. This is by no means bulletproof, but it should at least improve the situation.
These routines focus on verifying that a function has been called and that the returned value matches the result from the function. This is done by having a handshake between the caller and the callee where the return value is also transmitted in a separate channel.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| fc5444d8 | 16-Nov-2022 |
Ding Tao <miyatsu@qq.com> |
core: include: Fix simple typo in drivers/stm32_gpio.h
Replace "Configuratioh" with "Configuration".
Signed-off-by: Ding Tao <miyatsu@qq.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| cb94c145 | 21-Oct-2022 |
Weizhao Jiang <weizhaoj@amazon.com> |
core: implement a method to dump user TA runtime status
This patch is to dump user TA runtime status for debug purposes. The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA.
2. Add tee_ta_dump_stats() to scan all ongoing TA instances and sessions and snapshot their status.
3. Add new function: entry_dump_memstats() to __utee_entry() to get TA heap statistics.
4. Add new compile option (CFG_TA_STATS, default n) to enable this feature.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Weizhao Jiang <weizhaoj@amazon.com>
Signed-off-by: Weizhao Jiang <weizhaoj@amazon.com>
[jf: edit commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| c34d0d91 | 05-Sep-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: support loading TAs signed with a subkey
Adds support to load TAs signed with a subkey or a chain of subkeys. This allows delegation of TA signing without distributing the root key. TAs signed with a subkey are confined to the UUID-V5 namespace of the subkey to avoid TA UUID clashes with different subkeys.
SHDR_SUBKEY is a type of header which enables chains of public keys. The public root key is used to verify the first public subkey, which then is used to verify the next public subkey and so on.
The TA is finally verified using the last subkey. All these headers are added in front of the TA binary so everything needed to verify the TA is available when it's loaded into memory.
For example:
    Subkey
      struct shdr
        magic:           0x4f545348
        img_type:        3 (SHDR_SUBKEY)
        img_size:        320 bytes
        algo:            0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
        hash_size:       32 bytes
        sig_size:        256 bytes
        hash:            f573f329fe77be686ce71647909c4ea35b5e1cd7de86369bd7d9fca31f6a4d65
      struct shdr_subkey
        uuid:            f04fa996-148a-453c-b037-1dcfbad120a6
        name_size:       64
        subkey_version:  1
        max_depth:       4
        algo:            0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
        attr_count:      2
        next name:       "mid_level_subkey"
      Next header at offset: 692 (0x2b4)
    Subkey
      struct shdr
        magic:           0x4f545348
        img_type:        3 (SHDR_SUBKEY)
        img_size:        320 bytes
        algo:            0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
        hash_size:       32 bytes
        sig_size:        256 bytes
        hash:            233a6dcf1a2cf69e50cde8e20c4129157da707c76fa86ce12ee31037edef02d7
      struct shdr_subkey
        uuid:            1a5948c5-1aa0-518c-86f4-be6f6a057b16
        name_size:       64
        subkey_version:  1
        max_depth:       3
        algo:            0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
        attr_count:      2
        next name:       "subkey1_ta"
      Next header at offset: 1384 (0x568)
    Bootstrap TA
      struct shdr
        magic:           0x4f545348
        img_type:        1 (SHDR_BOOTSTRAP_TA)
        img_size:        84576 bytes
        algo:            0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
        hash_size:       32 bytes
        sig_size:        256 bytes
        hash:            ea31ac7dc2cc06a9dc2853cd791dd00f784b5edc062ecfa274deeb66589b4ca5
      struct shdr_bootstrap_ta
        uuid:            5c206987-16a3-59cc-ab0f-64b9cfc9e758
        ta_version:      0
      TA offset:         1712 (0x6b0) bytes
      TA size:           84576 (0x14a60) bytes
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ec1aa4fa | 05-Sep-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add offset argument to shdr_alloc_and_copy()
Adds an offset argument to shdr_alloc_and_copy() to make it easier to copy a signed header located further into a non-secure buffer.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 5a5586ec | 28-Oct-2022 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
core: Add new helper get_secure_dt()
Add a new helper to query the device tree considered secure for device driver usage.
First priority is given to the embedded device tree if present.
If the system is configured with a secure external device tree location, then the external device tree is returned.
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 55667e70 | 04-Jul-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: versal: non volatile memory (eFuse and BBRAM)
Provide an interface to access the xilnvm service executing in the PLM firmware running on the Microblaze processor.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| a5d5bbc8 | 25-Mar-2022 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
core: dt: Make it possible to alter device mapping
In the case where an IP core device is TrustZone aware and is used by both REE and TEE, dt_map_dev() would normally cause a non-secure mapping for the device.
When selected registers in the IP core are only accessible by TrustZone, the device needs to be mapped with MEM_AREA_IO_SEC to cause the actual AXI memory access to be made with the AWPROT[1] and ARPROT[1] bits configured properly.
This adds a new argument for dt_map_dev() to enable forcing the mapping to be secure or non-secure.
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| ecfcabc5 | 01-Sep-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
core: rsa: support the crypto driver
Provide an explicit interface to software cryptographic operations to allow accessing them whenever the Crypto driver API is enabled.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| a3009556 | 11-Aug-2022 |
Michael Scott <mike@foundries.io> |
plat-stm32mp1: add support for i2c5 bus
This allows stm32_i2c driver to properly initialize and use i2c5 bus on stm32mp15 SoC.
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 40e40cd2 | 04-Jul-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: versal: PM service
Calls the TF-A exported SiP services or PLM PM APIs.
The programming of the FPGA bitstream is being phased out from the TF-A so it is no longer supported as such: the recommended interface uses the MBOX driver to the PLM.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 6301ca1c | 24-Sep-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: updates to the crypto object deletion interface
Keys created on the Secure Element NVM via the PKCS#11 TA are removed by scanning the data buffer holding the reference to the key during the release of the object.
The storage allocated to hold those keys (ECC/RSA) is always below the page size length which seems like a reasonable figure to use for future extensions.
- This commit avoids scanning objects larger than that length.
This commit also updates the interface to delegate the actual handling of the object to the crypto driver instead of passing just the raw data contained in the object.
The cryptographic layer is also being allowed to block the deletion of the object. This is to cover the scenario where the I2C device is not accessible while a reference to the key is being removed from the secure storage in the filesystem.
Incidentally also fixes regression 6018: this test releases an object of size 0xA0000 which can't be scanned due to this part of the code hitting an Out of Memory condition.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 03e07432 | 28-Sep-2022 |
Valerii Chubar <valerii_chubar@epam.com> |
ta: pkcs11: Add Ed25519 support
Add functionality to generate, import keys, sign/verify for ED25519, ED25519ctx and ED25519ph.
The values for the object identifiers originate from: https://www.rfc-editor.org/rfc/rfc8420.html A.1. ASN.1 Object for Ed25519
The PKCS#11 Specification: https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/pkcs11-spec-v3.1-cs01.pdf
Signed-off-by: Valerii Chubar <valerii_chubar@epam.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 83ad3cdb | 27-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: simplify pgt interface provided by pgt_cache.h
Many of the functions in the pgt interface take more than one pointer to struct pgt_cache, struct vm_info or struct ts_ctx. All these pointers are available in struct user_mode_ctx so pass a pointer to that struct instead. This saves a few function arguments and also makes it a bit more clear how a function can be used.
pgt_clear_ctx_range(), pgt_flush_ctx_range() and pgt_flush_ctx() are renamed to drop the "_ctx" part in their names since it's not relevant any longer.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| bfdeae23 | 23-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pgt: support preallocated translation tables for S-EL0
With CFG_CORE_PREALLOC_EL0_TBLS=y translation tables are allocated for a user space context at the time when the mapping is added a struct vm_region. The translation tables will be kept available for the S-EL0 context as long as the mappings are unchanged.
Secure Partitions (SPs) can depend on translation tables always being available and avoid having to wait for translation tables.
Memory for the translation tables is allocated from the same memory as used for TAs and SPs. The number of available translation tables is limited by the amount of TA/SP memory available.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| d6e33310 | 22-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pgt: rename to pgt_put_all() and pgt_get_all()
The two functions pgt_free() and pgt_alloc() have names which don't match well what they do, so rename them.
pgt_free() to pgt_put_all(): This matches better how page tables are managed since pgt_put_all() doesn't free the tables, they are just put in a cache list from which they later can be freed or re-allocated.
pgt_alloc() to pgt_get_all(): pgt_get_all() may actually not allocate a new table, not if it can be found in the cache list.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 7aa2bec8 | 08-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pgt: use pgt_cache_list without pager too
Prior to this patch, unused pgts were only cached when paging was enabled. Take this one step further and cache unused pgts when paging is disabled too. The purpose of this is to allow core_mmu_populate_user_map() to skip already initialized translation tables.
Add two helper functions pgt_pop_from_cache_list() and pgt_push_to_cache_list() to be used when updating the translation tables currently in the cache list.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 08f6547e | 08-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: tee_pager.h: provide stubbed tee_pager_pgt_save_and_release_entries()
Provides a stubbed static inline tee_pager_pgt_save_and_release_entries() when CFG_PAGED_USER_TA isn't defined.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| e17e7a56 | 07-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: move pgt_cache to struct user_mode_ctx
Moves pgt_cache from struct thread_specific_data to struct user_mode_ctx.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 60d3fc69 | 08-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: initialize struct user_mode_ctx with vm_info_init()
Broadens the scope of vm_info_init() to initialize the entire struct user_mode_ctx.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 237029d3 | 06-Jun-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove save_ctx parameter from pgt_free()
Prior to this patch, pgt_free() took a save_ctx parameter which was only used if paging of TAs was enabled. If on the other hand paging of TAs was enabled this parameter was always true. So simplify the logic by removing this parameter and where used internally always do as if save_ctx was true. This means that pgts used for paging will always first be pushed to the cache list to later be reclaimed by other means.
This patch does not change the de facto behaviour.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 93dc6b29 | 23-Sep-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add pointer authentication support
Previously pointer authentication was only supported for TAs. With this patch add a configuration option CFG_CORE_PAUTH to enable support for core. Each privileged thread has its own APIA key. There is also a separate APIA key for each physical core used when handling an abort or when using the tmp stack.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| a116848b | 12-Aug-2022 |
Valerii Chubar <valerii_chubar@epam.com> |
core: libtomcrypt: add Ed25519 support
Enable Ed25519 implementation of libtomcrypt and add the OP-TEE wrappers.
Signed-off-by: Valerii Chubar <valerii_chubar@epam.com>
Signed-off-by: Sergiy Kibrik <Sergiy_Kibrik@epam.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|