core: dt: add overlay support to dt_enable_secure_status

Add support to write the "secure-status" property to overlays in
addition to the inline DTB changes if the user enabled the overlay
support.

core: dt: add overlay support to dt_enable_secure_status

Add support to write the "secure-status" property to overlays in
addition to the inline DTB changes if the user enabled the overlay
support.

Most BL33 firmwares don't reuse the DTB provided to OP-TEE. Therefore
add an overlay for the requested node to not lose the changes done by
OP-TEE. The overlay can be used by the BL33 firmware to apply the
changes.

Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: dt: add add_dt_node_overlay_fragment helper

Add a helper to add overlays to an external-dt for a caller provided
node. The overlay can be used by the caller to overwrite node
properties. The s

core: dt: add add_dt_node_overlay_fragment helper

Add a helper to add overlays to an external-dt for a caller provided
node. The overlay can be used by the caller to overwrite node
properties. The subsequent BL33 can use the overlay to apply the changes
to the BL33 DTB and kernel DTB.

Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: dt: add support to pass target-path to add_dt_overlay_fragment

Exentend the API to be able to specify the DTB overlay "target-path".

Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Si

core: dt: add support to pass target-path to add_dt_overlay_fragment

Exentend the API to be able to specify the DTB overlay "target-path".

Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: dt: fix add_res_mem_dt_node for _CFG_USE_DTB_OVERLAY use-cases

Currently add_res_mem_dt_node() doesn't add a overlay fragment if
CFG_EXTERNAL_DTB_OVERLAY=y and the provided DTB already contain

core: dt: fix add_res_mem_dt_node for _CFG_USE_DTB_OVERLAY use-cases

Currently add_res_mem_dt_node() doesn't add a overlay fragment if
CFG_EXTERNAL_DTB_OVERLAY=y and the provided DTB already contains a
"/reserved-memory" e.g. due to some co-processor reserved-memory
descriptions.

To fix this add_res_mem_dt_node() must always add a "/reserved-memory"
DTB overlay fragment if a DTB overlay shall be created
(_CFG_USE_DTB_OVERLAY=y).

Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: atomic ftrace buffer map update

When switching sessions, that is, calling ts_push_current_session() or
ts_pop_current_session(), a foreign interrupt may save the current
thread. When this happ

core: atomic ftrace buffer map update

When switching sessions, that is, calling ts_push_current_session() or
ts_pop_current_session(), a foreign interrupt may save the current
thread. When this happens, the ftrace buffer mapping must be consistent
with the current session, or bad things, like OP-TEE core crashing or
corrupting TA memory, might occur. Fix this by masking foreign
interrupts while updating the linked list, and disable the ftrace buffer
while setting new TA mappings.

All mappings of a TA are removed if the TA crashes, even if user
mappings might still be active. Add checks in the functions accessing
the ftrace buffer that the buffer is accessible before accessing it to
avoid eventual OP-TEE core crashes.

Fixes: 17513217b24c ("ftrace: dump ftrace after every ta_entry")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Acked-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

core: user_ta: fix cleared userspace PAUTH keys

Restore pointer authentication keys that were cleared when commit
referenced below was integrated since vm_info_init(), called after
the keys are gene

core: user_ta: fix cleared userspace PAUTH keys

Restore pointer authentication keys that were cleared when commit
referenced below was integrated since vm_info_init(), called after
the keys are generated, resets the user context structure.

Closes: https://github.com/OP-TEE/optee_os/issues/7659
Fixes: 614b28146e96 ("core: user_ta: PAUTH key initialization may fail")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: only dump ftrace buffer with TA mapped

The ftrace buffer is mapped in secure user space. The dump_ftrace()
callback must only be called if the buffer is mapped. During TA panic
the dump_ftrace

core: only dump ftrace buffer with TA mapped

The ftrace buffer is mapped in secure user space. The dump_ftrace()
callback must only be called if the buffer is mapped. During TA panic
the dump_ftrace() might get called as part of the TA context cleanup and
cause a crash. So fix this by skipping the dump_ftrace() callback during
those occasions.

Fixes: 17513217b24c ("ftrace: dump ftrace after every ta_entry")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>

show more ...

ftrace: dump ftrace after every ta_entry

This patch implements the feature to dump ftrace buffer to
tee_supplicant after every entry to the ta.
To implement the feature, this patch does some modific

ftrace: dump ftrace after every ta_entry

This patch implements the feature to dump ftrace buffer to
tee_supplicant after every entry to the ta.
To implement the feature, this patch does some modification to the
ftrace dumping process and add a new config CFG_FTRACE_DUMP_EVERY_ENTRY
to control this behavior.
This can reduce the chance of losing the ftrace data due to not
enough ftrace buffer and make debugging long-lived TA possible.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: user_mode_ctx: fix unused warning when disable log

When compiled with clang 22.0 and set CFG_TEE_CORE_LOG_LEVEL to 0,
the variable n becomes unused and the compiler generates a warning,
which

core: user_mode_ctx: fix unused warning when disable log

When compiled with clang 22.0 and set CFG_TEE_CORE_LOG_LEVEL to 0,
the variable n becomes unused and the compiler generates a warning,
which can fail the build process if -Werror is enabled.

core/kernel/user_mode_ctx.c:14:9: warning: variable 'n' set but not used [-Wunused-but-set-variable]
14 | size_t n = 0;
| ^
1 warning generated.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ree_fs: initialize ta_ver.db when its size is zero

Creating and writing db_hdr involves several RPC commands. If a
power loss occurs during the creation flow, it may result in a
db file with a

core: ree_fs: initialize ta_ver.db when its size is zero

Creating and writing db_hdr involves several RPC commands. If a
power loss occurs during the creation flow, it may result in a
db file with an empty db_hdr. Attempting to read this file
subsequently leads to a TEE_ERROR_BAD_STATE error.

Instead of returning TEE_ERROR_BAD_STATE, continue the db_hdr
initialization flow to support subsequent functionality.

Link: https://github.com/OP-TEE/optee_os/issues/7513
Fixes: 183398139c9c ("core: enable rollback protection for REE-FS TAs")

Signed-off-by: Ox Yeh <ox.yeh@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: console: Allow setting logging verbosity during runtime

The default console can be disabled at runtime for power management. Any
prints after boot from OP-TEE could cause a bus data abort if t

core: console: Allow setting logging verbosity during runtime

The default console can be disabled at runtime for power management. Any
prints after boot from OP-TEE could cause a bus data abort if the UART has
been disabled. Add an option to change the log level after boot has
completed which can be used to disable the console log.

Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: align the address of transfer entry

Fix two issues in transfer_list_add() and transfer_list_add_with_align(),
which cause incompliance with the Firmware Handoff spec v1.0 [1].

1. Avoi

core: kernel: align the address of transfer entry

Fix two issues in transfer_list_add() and transfer_list_add_with_align(),
which cause incompliance with the Firmware Handoff spec v1.0 [1].

1. Avoid adding entries at an unaligned address.
2. Remove the implicit padding at the end of a transfer entry which is
included by 'tl->size'.

[1] https://github.com/FirmwareHandoff/firmware_handoff/releases/tag/v1.0

Fixes: a12225022bd5 ("core: add transfer list API")
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: discover non-secure memory from manifest

If an FF-A manifest is available, try to discover non-secure memory from
the manifest.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: ffa: discover non-secure memory from manifest

If an FF-A manifest is available, try to discover non-secure memory from
the manifest.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: tpm: fix TPM log address parsing to use full 64-bit address

Remove ARM32-specific address parsing that only used the lower 32 bits
of the TPM event log address. ARM32 systems can have 64-bit p

core: tpm: fix TPM log address parsing to use full 64-bit address

Remove ARM32-specific address parsing that only used the lower 32 bits
of the TPM event log address. ARM32 systems can have 64-bit physical
addresses, so the full 64-bit address from the device tree property
should be parsed regardless of architecture.

The fix ensures both ARM32 and ARM64 architectures use the same
64-bit address construction: (property[0] << 32) | property[1],
preventing potential address truncation issues on ARM32 systems
with 64-bit physical address spaces.

Signed-off-by: Joseph Lo <josephl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tpm: fix TPM log area zeroing condition to avoid manifest DT write fault

Change the condition for zeroing TPM event log address in device tree
from CFG_CORE_SEL1_SPMC to CFG_CORE_FFA. When CFG

core: tpm: fix TPM log area zeroing condition to avoid manifest DT write fault

Change the condition for zeroing TPM event log address in device tree
from CFG_CORE_SEL1_SPMC to CFG_CORE_FFA. When CFG_CORE_FFA is enabled,
the device tree comes from the manifest DT which is mapped as read-only,
not from the external device tree. Attempting to zero the
tpm_event_log_addr property in the manifest DT would cause a write
permission fault exception.

The fix prevents this fault by ensuring the zeroing operation only occurs
when using the external device tree (CFG_CORE_FFA=n), where write access
is permitted.

Signed-off-by: Joseph Lo <josephl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: mark redzones as inaccessible for globals

For read-only globals (e.g. in .rodata), ASan marks the entire region as
accessible. This could hide buffer overflows, if redzones are not used.

core: asan: mark redzones as inaccessible for globals

For read-only globals (e.g. in .rodata), ASan marks the entire region as
accessible. This could hide buffer overflows, if redzones are not used.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: maintain the panicked TAs with instanceKeepCrashed property

TA context lists should retain panicked TAs (those with the
TA_FLAG_SINGLE_INSTANCE, TA_FLAG_INSTANCE_KEEP_ALIVE, and
TA_FLAG_INSTAN

core: maintain the panicked TAs with instanceKeepCrashed property

TA context lists should retain panicked TAs (those with the
TA_FLAG_SINGLE_INSTANCE, TA_FLAG_INSTANCE_KEEP_ALIVE, and
TA_FLAG_INSTANCE_KEEP_CRASHED flags) to maintain their panicked state and
prevent respawning.

Fixes: 941a58d78c99 ("Add optee.ta.instanceKeepCrashed property")
Signed-off-by: Joseph Lo <josephl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: panic: allow core halting on SGI in other cases than panic()

There may be cases where we want to halt several cores outside of a
panic() sequence.

Therefore, add CFG_MULTI_CORE_HALTING switch

core: panic: allow core halting on SGI in other cases than panic()

There may be cases where we want to halt several cores outside of a
panic() sequence.

Therefore, add CFG_MULTI_CORE_HALTING switch that allows to register
an interrupt handler for the CFG_HALT_CORES_SGI that is dedicated to
halt other cores.

This reduces the scope of CFG_HALT_CORES_ON_PANIC that is now used only
for halting other cores in a panic() sequence.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: asan: fix check_access()

The previous implementation of check_access() was not fully
correct and could fail to detect out-of-bounds accesses near
the end of an allocated buffer.

For example,

core: asan: fix check_access()

The previous implementation of check_access() was not fully
correct and could fail to detect out-of-bounds accesses near
the end of an allocated buffer.

For example, given a buffer of size 7 allocated at address A.
check_access(addr = A + 7, size = 1) would not trigger a panic,
because the check relied on va_is_well_aligned(end), which skips
validation when end is aligned.

The new check_access() implementation is based on the version from
FreeBSD's subr_asan.c and performs precise shadow memory validation.

In addition, asan_tag_access() behaviour was changed. The shadow byte
should encode the number of accessible bytes. (1 <= k <= 7) means that
the first k bytes are addressible.
This behaviour is in accordance with:

a) the stack instrumentation emitted by compiler
b) the original ASan paper, see [1] section 3.1 Shadow Memory
c) other kasan implementations from freebsd/linux-kernel

[1] https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core, libutils: unpoison stack on longjmp for ASan

Adds support for unpoisoning the stack when performing longjmp,
to ensure correct ASan behavior.

When a longjmp unwinds the stack, parts of the st

core, libutils: unpoison stack on longjmp for ASan

Adds support for unpoisoning the stack when performing longjmp,
to ensure correct ASan behavior.

When a longjmp unwinds the stack, parts of the stack that were
poisoned during deeper calls may remain marked as inaccessible.
This can lead to false ASan reports after longjmp, as the new
frame reuses that memory.

To avoid this, a call to asan_handle_longjmp() is added to
setjmp_a64.S, which unpoisons the stack range between the current
SP and the old SP (saved during setjmp).

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: add support for custom panic callback

Add asan_set_panic_cb() to register a custom panic callback.

The ability to set a panic callback will be used in ASan tests to
capture and validate

core: asan: add support for custom panic callback

Add asan_set_panic_cb() to register a custom panic callback.

The ability to set a panic callback will be used in ASan tests to
capture and validate expected violations without triggering a full
system panic, which is important for automated testing.

Introduce asan_report() to provide more detailed reporting of
access violations, including nearby shadow memory dump.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add optee.ta.instanceKeepCrashed property

Add the optee.ta.instanceKeepCrashed property to prevent a TA with
gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected
resetting of the

Add optee.ta.instanceKeepCrashed property

Add the optee.ta.instanceKeepCrashed property to prevent a TA with
gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected
resetting of the state of the TA.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Alex Lewontin <alex.lewontin@canonical.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: user_ta: PAUTH key initialization may fail

Test crypto_rng_read() return value when initializing user TA pointer
authentication. For sake of simplicity get random bytes before user TA
context

core: user_ta: PAUTH key initialization may fail

Test crypto_rng_read() return value when initializing user TA pointer
authentication. For sake of simplicity get random bytes before user TA
context starts to be initialized.

Fixes: 2b06f9dede33 ("Add basic pointer authentication support for TA's")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs: initialize ta_ver.db in one operation

Combined the object creation and data writing operations into a single
step to enhance reliability. This change addresses the situation where,
if

core: ree_fs: initialize ta_ver.db in one operation

Combined the object creation and data writing operations into a single
step to enhance reliability. This change addresses the situation where,
if object creation occurs but the data writing fails, an empty object
would be left behind, leading to potential issues during the next boot.

Link: https://github.com/OP-TEE/optee_os/issues/7438
Fixes: 183398139c9c ("core: enable rollback protection for REE-FS TAs")
Signed-off-by: Gavin Liu <gavin.liu@mediatek.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: replace CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG

This commit replaces CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG since now
RISC-V also supports CFG_DYN_STACK_CONFIG.

Signed-off-by: Alvin Chang

core: replace CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG

This commit replaces CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG since now
RISC-V also supports CFG_DYN_STACK_CONFIG.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...