core: replace TAF with TA invocation in inline comments

TAF stands for Trusted Application Function. It is deprecated
since a while. This change replaces the few remaining occurrences
with TA invoca

core: replace TAF with TA invocation in inline comments

TAF stands for Trusted Application Function. It is deprecated
since a while. This change replaces the few remaining occurrences
with TA invocation.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use PTA as acronym for pseudo TA

Make inline comments and trace messages more consistent by
using PTA as acronym for pseudo TA, rather than using pTA, PTA
and pta at various places.

Signed-of

core: use PTA as acronym for pseudo TA

Make inline comments and trace messages more consistent by
using PTA as acronym for pseudo TA, rather than using pTA, PTA
and pta at various places.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add inline description of TEE session field user_ctx

Replace inline comment ??? with an appropriate description of
the user_ctx field which points the the caller user TA context
in case a pseu

core: add inline description of TEE session field user_ctx

Replace inline comment ??? with an appropriate description of
the user_ctx field which points the the caller user TA context
in case a pseudo TA is invoked from the user TA client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: do not use virtual addresses as session identifier

Session context virtual address is returned to the REE in
entry_open_session(); it is then used back in entry_close_session() and
entry_invok

core: do not use virtual addresses as session identifier

Session context virtual address is returned to the REE in
entry_open_session(); it is then used back in entry_close_session() and
entry_invoke_command(). Sharing virtual addresses with the REE leads to
virtual memory addresses disclosure that could be leveraged to defeat
ASLR (if/when implemented) and/or mount an attack.

Similarly, syscall_open_ta_session() returns a session ID directly
derived from the session virtual address to the caller TA.

This commit introduces a 32-bit identifier field in struct tee_ta_session.
The ID is generated when the session is created, starting from the id of
the last session in the queue, and counting up until a number that is not
used in the session queue is found.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.1]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

stm32_bsec: OTP driver for stm32mp platforms

BSEC is a one time programmable (OTP) memory interface for stm32mp
SoCs. OTPs are grouped into 32bit words identified by a incremental ID
starting from 0

stm32_bsec: OTP driver for stm32mp platforms

BSEC is a one time programmable (OTP) memory interface for stm32mp
SoCs. OTPs are grouped into 32bit words identified by a incremental ID
starting from 0. Shadowed OTPs are loaded in a volatile memory yet
used as OTP values by the software.

The platform shall implement stm32mp_get_bsec_static_cfg() to
provide BSEC driver some information as the BSEC memory size and
its lower/upper threshold ID that split non-secure from secure OTPs.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Christophe Montaud <christophe.montaud@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: deprecate read32(), write32() and friends

read8(), read16(), read32() write8(), write16() and write32()
are deprecated since the equivalent, prefixed with io_ were
introduced are aligns functi

core: deprecate read32(), write32() and friends

read8(), read16(), read32() write8(), write16() and write32()
are deprecated since the equivalent, prefixed with io_ were
introduced are aligns functions API with other memory cell
accesses util functions as io_mask32() or pub_be32().

This change fully removes support for the deprecated functions.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutil: io_clrsetbitsX() firends for 8bit and 16bit accesses

Introduce io_setbits8(), io_clrbits8(), io_clrsetbits8() and
io_setbits16(), io_clrbits16(), io_clrsetbits16() for bit clear/set
util ov

libutil: io_clrsetbitsX() firends for 8bit and 16bit accesses

Introduce io_setbits8(), io_clrbits8(), io_clrsetbits8() and
io_setbits16(), io_clrbits16(), io_clrsetbits16() for bit clear/set
util over 8bit and 16bit memory cells on the model of existing
io_clrsetbits32() and friends.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutil: replace write*() util functions with io_write*()

write8(), write16() and write32() expect the target written address
as 1st argument and the written value as 2nd argument. This is
confusing

libutil: replace write*() util functions with io_write*()

write8(), write16() and write32() expect the target written address
as 1st argument and the written value as 2nd argument. This is
confusing as put_be32(), put_be64(), io_mask32(), and the io_*bits32()
functions expect the opposite: 1st argument is the address and 2nd
argument is the written value(s).

This change introduces functions io_write8(), io_write16() and
io_write32() with io_mask32() like APIs. This change introduces
io_read*() for consistency: all prefixed with io_.

This change preserve the write8/write16/write32 functions for
compatibility. These will be deprecated in the next OP-TEE release
to lower confusion around these.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: change io_{clr|set|clrset}bits32() address argument type

Change API for io_clrbits32(), io_setbits32() and io_clrsetbits32() to
have a vaddr_t type address argument, rather than uintptr_t as
p

core: change io_{clr|set|clrset}bits32() address argument type

Change API for io_clrbits32(), io_setbits32() and io_clrsetbits32() to
have a vaddr_t type address argument, rather than uintptr_t as
previously.

This change updates accordingly the callers of these functions
that cover only stm32mp1 related resources.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_gpio: driver for GPIO and pin control

Driver is embedded upon CFG_STM32_GPIO=y.

STM32 GPIO driver API main functions:
- stm32_gpio_set_output_level() sets target output GPIO level,
- stm32_gp

stm32_gpio: driver for GPIO and pin control

Driver is embedded upon CFG_STM32_GPIO=y.

STM32 GPIO driver API main functions:
- stm32_gpio_set_output_level() sets target output GPIO level,
- stm32_gpio_get_input_level() returns target input GPIO level,
- stm32_pinctrl_load_active_cfg() loads interface pin mux active state,
- stm32_pinctrl_load_standby_cfg() loads interface pin mux standby state,
- stm32_pinctrl_fdt_get_pinctrl() save pin configuration from DT content,
- stm32_gpio_set_secure_cfg() sets secure state for target GPIO/pin mux.

GPIO driver does not register to PM framework. It is the GPIO/pin owner
responsibility to call stm32_pinctrl_load_{active|standby}_cfg() on
peripherals power state transitions.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_etzpc: STM32 Extended TrustZone Protection Controller

ETZPC is a hardware instance that control access permissions to
some stm32mp SoC peripheral interfaces and internal memories.

This change

stm32_etzpc: STM32 Extended TrustZone Protection Controller

ETZPC is a hardware instance that control access permissions to
some stm32mp SoC peripheral interfaces and internal memories.

This change introduce the stm32_etzpc driver. It is embedded upon
build directive CFG_STM32_ETZPC=y.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Mathieu BELOU <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

virt: add virtualization subsystem

This patch adds virtualization framework to OP-TEE.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

tee_mm: add TEE_MM_POOL_NEX_MALLOC flag

This flag tells tee_mm to use nex_malloc pool instead of default malloc

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander

tee_mm: add TEE_MM_POOL_NEX_MALLOC flag

This flag tells tee_mm to use nex_malloc pool instead of default malloc

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for check

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

stm32_uart: API to init console bus from a DTB

Introduce stm32_uart_init_from_dt_node() that initializes an UART
device from the given DT node. The function returns the reference
to the created UART

stm32_uart: API to init console bus from a DTB

Introduce stm32_uart_init_from_dt_node() that initializes an UART
device from the given DT node. The function returns the reference
to the created UART instance.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

Thi

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

This change adds a secure flag to the UART device instance for
used to get the appropriate virtual address when required.
An UART bus could be used by the secure world in secure mode or
in non-secure mode. A bus to a secure element likely mandates
secure hardening of the UART. A debug console over a non-secure
UART link may require the UART resources to be assigned to the
non-secure world.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: dt: introduce _fdt_fill_device_info()

_fdt_fill_device_info() gets some generic properties from a given
node in a single always successful sequence.

Retrieved device information from the DT:

core: dt: introduce _fdt_fill_device_info()

_fdt_fill_device_info() gets some generic properties from a given
node in a single always successful sequence.

Retrieved device information from the DT:
- The status/secure-status state as per DT_STATUS_*,
- The first register base address found or DT_INFO_INVALID_REG (zero).
If there are several register base addresses others are ignored.
- The first clock identifier found or DT_INFO_INVALID_CLOCK (negative).
- This first reset identifier found or DT_INFO_INVALID_RESET (negative).

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: more flexible console init from DT

Introduce get_console_node_from_dt() that collects the references
to the console configuration in the DTB.

Existing configure_console_from_dt() relies on it

core: more flexible console init from DT

Introduce get_console_node_from_dt() that collects the references
to the console configuration in the DTB.

Existing configure_console_from_dt() relies on it when initiating
the console from the early core inits based on registered matching
device tables.

get_console_node_from_dt() allows a driver probed from the driver
initialization sequence (i.e registered from driver_init()) to
get the console DT directive.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: move io_pa_va support out of serial drivers

io_pa_or_va() is generic enough to be useful for non serial driver
matters. Move it to core_mem_prot.h.

Signed-off-by: Etienne Carriere <etienne.ca

core: move io_pa_va support out of serial drivers

io_pa_or_va() is generic enough to be useful for non serial driver
matters. Move it to core_mem_prot.h.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libtomcrypt: Import SHA512/256 approved hash algorithm

SHA-512/256 is an approved hash algorithm and a vetted conditioner as
per NIST.SP.800-90B spec. We have used it to condition raw thermal
sensor

libtomcrypt: Import SHA512/256 approved hash algorithm

SHA-512/256 is an approved hash algorithm and a vetted conditioner as
per NIST.SP.800-90B spec. We have used it to condition raw thermal
sensor noise on Developerbox to condense entropy.

It is imported from libtomcrypt:
Git url: https://github.com/libtom/libtomcrypt.git, release tag: v1.18.0.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: io_{set|clr|clrset}bits32() helpers

Introduce new iomem util functions to set, clear or set and clear
bit masks in peripheral interfaces.

io_setbits32(addr, mask) sets the bits enabled in mas

core: io_{set|clr|clrset}bits32() helpers

Introduce new iomem util functions to set, clear or set and clear
bit masks in peripheral interfaces.

io_setbits32(addr, mask) sets the bits enabled in mask at address.
io_clrbits32(addr, mask) clears the bits enabled in mask.
io_clrsetbits32(addr, clear_mask, set_mask) clears the bits enabled in
clear_mask and sets the bits enabled in set_mask.

These functions are more friendly in instruction blocks to sets and
clears bitmasks in peripheral registers. They provide a more readable
implementation than playing with io_mask32() for the equivalent
sequence, for example, extracted from a DDR controller driver:

(...)
/* IOs powering down (PUBL registers) */

io_setbits32(ddrphy_base + DDRPHYC_ACIOCR, DDRPHYC_ACIOCR_ACPDD);
io_setbits_32(ddrphy_base + DDRPHYC_ACIOCR, DDRPHYC_ACIOCR_ACPDR);

io_clrsetbits32(ddrphy_base + DDRPHYC_ACIOCR,
DDRPHYC_ACIOCR_CKPDD_MASK, DDRPHYC_ACIOCR_CKPDD_0);

io_clrsetbits32(ddrphy_base + DDRPHYC_ACIOCR,
DDRPHYC_ACIOCR_CKPDR_MASK, DDRPHYC_ACIOCR_CKPDR_0);

io_clrsetbits32(ddrphy_base + DDRPHYC_ACIOCR,
DDRPHYC_ACIOCR_CSPDD_MASK, DDRPHYC_ACIOCR_CSPDD_0);
(...)

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: framework to register PM callbacks

Introduce a framework for power management callback registering.

Drivers and services can register a callback function for the platform
suspend and resume s

core: framework to register PM callbacks

Introduce a framework for power management callback registering.

Drivers and services can register a callback function for the platform
suspend and resume sequences. A private address handle can be registered
with the callback and retrieved from the callback. Callback can be
registered with a specific call order as defined per PM_CB_ORDER_*.

Callback shall return an error if failing to complete target transition.
This information may be used by the platform to resume a platform on
non-fatal failure to suspend.

Callbacks are related to a callback level. It defines the callbacks
call ordering, allowing core low level drivers (as clocks or the GIC)
to be suspended after all drivers and resume before these.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Cedric Neveux <cedric.neveux@nxp.com>

show more ...

Remove Secure Element API support

There is probably no-one using the Secure Element API. We have never heard
anyone asking questions about it, have no way to test it and we believe
it is not even wo

Remove Secure Element API support

There is probably no-one using the Secure Element API. We have never heard
anyone asking questions about it, have no way to test it and we believe
it is not even working right now. Therefore, remove it.

- The reserved syscalls are still present, but return
TEE_ERROR_NOT_SUPPORTED
- The TEE_SE* functions (GlobalPlatform TEE Secure Element API,
GPD_SPE_024) are removed from libutee.a and the header file
tee_internal_se_api.h is removed as well

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

stm32mp1: device tree platform description

This change introduces the device tree source files describing boards
EV1 and ED1 and the related bindings.

The stm32mp1 DTS files and bindings header fil

stm32mp1: device tree platform description

This change introduces the device tree source files describing boards
EV1 and ED1 and the related bindings.

The stm32mp1 DTS files and bindings header files are dumped from
latest Linux kernel (v4.19). Bindings documentation is not stored in
OP-TEE OS source tree, one shall refer to the bindings documentation
from latest Linux kernel source tree.

Note that license terms where changed for binding header file gpio.h
to release them under dual 2-Clause DSB/GPLv2.0 instead of GPLv2.0 as
release in the Linux kernel.

Platform relies on DT source file (CFG_EMBED_DTB_SOURCE_FILE) to
distinguish between the platform flavors for the few configuration
directive that are static and cannot be provided only through FDT.

Default configuration locates the secure DDR area (TZDRAM) from
the base address of the last 32MBytes of the DDR over 30Mbyte.
The last 2MBytes of the DDR are the OP-TEE static shared memory.

Many contributors not listed below.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: initcall.h use scattered array

Initcalls uses generic scattered array instead of special
implementation.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier

core: initcall.h use scattered array

Initcalls uses generic scattered array instead of special
implementation.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...