core: ree_fs: initialize ta_ver.db when its size is zero

Creating and writing db_hdr involves several RPC commands. If a
power loss occurs during the creation flow, it may result in a
db file with a

core: ree_fs: initialize ta_ver.db when its size is zero

Creating and writing db_hdr involves several RPC commands. If a
power loss occurs during the creation flow, it may result in a
db file with an empty db_hdr. Attempting to read this file
subsequently leads to a TEE_ERROR_BAD_STATE error.

Instead of returning TEE_ERROR_BAD_STATE, continue the db_hdr
initialization flow to support subsequent functionality.

Link: https://github.com/OP-TEE/optee_os/issues/7513
Fixes: 183398139c9c ("core: enable rollback protection for REE-FS TAs")

Signed-off-by: Ox Yeh <ox.yeh@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: console: Allow setting logging verbosity during runtime

The default console can be disabled at runtime for power management. Any
prints after boot from OP-TEE could cause a bus data abort if t

core: console: Allow setting logging verbosity during runtime

The default console can be disabled at runtime for power management. Any
prints after boot from OP-TEE could cause a bus data abort if the UART has
been disabled. Add an option to change the log level after boot has
completed which can be used to disable the console log.

Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: align the address of transfer entry

Fix two issues in transfer_list_add() and transfer_list_add_with_align(),
which cause incompliance with the Firmware Handoff spec v1.0 [1].

1. Avoi

core: kernel: align the address of transfer entry

Fix two issues in transfer_list_add() and transfer_list_add_with_align(),
which cause incompliance with the Firmware Handoff spec v1.0 [1].

1. Avoid adding entries at an unaligned address.
2. Remove the implicit padding at the end of a transfer entry which is
included by 'tl->size'.

[1] https://github.com/FirmwareHandoff/firmware_handoff/releases/tag/v1.0

Fixes: a12225022bd5 ("core: add transfer list API")
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: discover non-secure memory from manifest

If an FF-A manifest is available, try to discover non-secure memory from
the manifest.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: ffa: discover non-secure memory from manifest

If an FF-A manifest is available, try to discover non-secure memory from
the manifest.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: tpm: fix TPM log address parsing to use full 64-bit address

Remove ARM32-specific address parsing that only used the lower 32 bits
of the TPM event log address. ARM32 systems can have 64-bit p

core: tpm: fix TPM log address parsing to use full 64-bit address

Remove ARM32-specific address parsing that only used the lower 32 bits
of the TPM event log address. ARM32 systems can have 64-bit physical
addresses, so the full 64-bit address from the device tree property
should be parsed regardless of architecture.

The fix ensures both ARM32 and ARM64 architectures use the same
64-bit address construction: (property[0] << 32) | property[1],
preventing potential address truncation issues on ARM32 systems
with 64-bit physical address spaces.

Signed-off-by: Joseph Lo <josephl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tpm: fix TPM log area zeroing condition to avoid manifest DT write fault

Change the condition for zeroing TPM event log address in device tree
from CFG_CORE_SEL1_SPMC to CFG_CORE_FFA. When CFG

core: tpm: fix TPM log area zeroing condition to avoid manifest DT write fault

Change the condition for zeroing TPM event log address in device tree
from CFG_CORE_SEL1_SPMC to CFG_CORE_FFA. When CFG_CORE_FFA is enabled,
the device tree comes from the manifest DT which is mapped as read-only,
not from the external device tree. Attempting to zero the
tpm_event_log_addr property in the manifest DT would cause a write
permission fault exception.

The fix prevents this fault by ensuring the zeroing operation only occurs
when using the external device tree (CFG_CORE_FFA=n), where write access
is permitted.

Signed-off-by: Joseph Lo <josephl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: mark redzones as inaccessible for globals

For read-only globals (e.g. in .rodata), ASan marks the entire region as
accessible. This could hide buffer overflows, if redzones are not used.

core: asan: mark redzones as inaccessible for globals

For read-only globals (e.g. in .rodata), ASan marks the entire region as
accessible. This could hide buffer overflows, if redzones are not used.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: maintain the panicked TAs with instanceKeepCrashed property

TA context lists should retain panicked TAs (those with the
TA_FLAG_SINGLE_INSTANCE, TA_FLAG_INSTANCE_KEEP_ALIVE, and
TA_FLAG_INSTAN

core: maintain the panicked TAs with instanceKeepCrashed property

TA context lists should retain panicked TAs (those with the
TA_FLAG_SINGLE_INSTANCE, TA_FLAG_INSTANCE_KEEP_ALIVE, and
TA_FLAG_INSTANCE_KEEP_CRASHED flags) to maintain their panicked state and
prevent respawning.

Fixes: 941a58d78c99 ("Add optee.ta.instanceKeepCrashed property")
Signed-off-by: Joseph Lo <josephl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: panic: allow core halting on SGI in other cases than panic()

There may be cases where we want to halt several cores outside of a
panic() sequence.

Therefore, add CFG_MULTI_CORE_HALTING switch

core: panic: allow core halting on SGI in other cases than panic()

There may be cases where we want to halt several cores outside of a
panic() sequence.

Therefore, add CFG_MULTI_CORE_HALTING switch that allows to register
an interrupt handler for the CFG_HALT_CORES_SGI that is dedicated to
halt other cores.

This reduces the scope of CFG_HALT_CORES_ON_PANIC that is now used only
for halting other cores in a panic() sequence.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: asan: fix check_access()

The previous implementation of check_access() was not fully
correct and could fail to detect out-of-bounds accesses near
the end of an allocated buffer.

For example,

core: asan: fix check_access()

The previous implementation of check_access() was not fully
correct and could fail to detect out-of-bounds accesses near
the end of an allocated buffer.

For example, given a buffer of size 7 allocated at address A.
check_access(addr = A + 7, size = 1) would not trigger a panic,
because the check relied on va_is_well_aligned(end), which skips
validation when end is aligned.

The new check_access() implementation is based on the version from
FreeBSD's subr_asan.c and performs precise shadow memory validation.

In addition, asan_tag_access() behaviour was changed. The shadow byte
should encode the number of accessible bytes. (1 <= k <= 7) means that
the first k bytes are addressible.
This behaviour is in accordance with:

a) the stack instrumentation emitted by compiler
b) the original ASan paper, see [1] section 3.1 Shadow Memory
c) other kasan implementations from freebsd/linux-kernel

[1] https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core, libutils: unpoison stack on longjmp for ASan

Adds support for unpoisoning the stack when performing longjmp,
to ensure correct ASan behavior.

When a longjmp unwinds the stack, parts of the st

core, libutils: unpoison stack on longjmp for ASan

Adds support for unpoisoning the stack when performing longjmp,
to ensure correct ASan behavior.

When a longjmp unwinds the stack, parts of the stack that were
poisoned during deeper calls may remain marked as inaccessible.
This can lead to false ASan reports after longjmp, as the new
frame reuses that memory.

To avoid this, a call to asan_handle_longjmp() is added to
setjmp_a64.S, which unpoisons the stack range between the current
SP and the old SP (saved during setjmp).

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: add support for custom panic callback

Add asan_set_panic_cb() to register a custom panic callback.

The ability to set a panic callback will be used in ASan tests to
capture and validate

core: asan: add support for custom panic callback

Add asan_set_panic_cb() to register a custom panic callback.

The ability to set a panic callback will be used in ASan tests to
capture and validate expected violations without triggering a full
system panic, which is important for automated testing.

Introduce asan_report() to provide more detailed reporting of
access violations, including nearby shadow memory dump.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add optee.ta.instanceKeepCrashed property

Add the optee.ta.instanceKeepCrashed property to prevent a TA with
gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected
resetting of the

Add optee.ta.instanceKeepCrashed property

Add the optee.ta.instanceKeepCrashed property to prevent a TA with
gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected
resetting of the state of the TA.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Alex Lewontin <alex.lewontin@canonical.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: user_ta: PAUTH key initialization may fail

Test crypto_rng_read() return value when initializing user TA pointer
authentication. For sake of simplicity get random bytes before user TA
context

core: user_ta: PAUTH key initialization may fail

Test crypto_rng_read() return value when initializing user TA pointer
authentication. For sake of simplicity get random bytes before user TA
context starts to be initialized.

Fixes: 2b06f9dede33 ("Add basic pointer authentication support for TA's")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs: initialize ta_ver.db in one operation

Combined the object creation and data writing operations into a single
step to enhance reliability. This change addresses the situation where,
if

core: ree_fs: initialize ta_ver.db in one operation

Combined the object creation and data writing operations into a single
step to enhance reliability. This change addresses the situation where,
if object creation occurs but the data writing fails, an empty object
would be left behind, leading to potential issues during the next boot.

Link: https://github.com/OP-TEE/optee_os/issues/7438
Fixes: 183398139c9c ("core: enable rollback protection for REE-FS TAs")
Signed-off-by: Gavin Liu <gavin.liu@mediatek.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: replace CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG

This commit replaces CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG since now
RISC-V also supports CFG_DYN_STACK_CONFIG.

Signed-off-by: Alvin Chang

core: replace CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG

This commit replaces CFG_DYN_STACK_CONFIG with CFG_DYN_CONFIG since now
RISC-V also supports CFG_DYN_STACK_CONFIG.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: get DDR range from embedded DTB

Find main memory (DDR) physical range(s) from the secure embedded DTB
if not found from the external DT.

Signed-off-by: Etienne Carriere <etienne.carriere

core: arm: get DDR range from embedded DTB

Find main memory (DDR) physical range(s) from the secure embedded DTB
if not found from the external DT.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Valentin Caron <valentin.caron@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: kernel: Remove CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL

Now both ARM and RISC-V architectures support initialize
thread_core_local[current_core_pos] before calling C code. Thus, we can
deprecat

core: kernel: Remove CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL

Now both ARM and RISC-V architectures support initialize
thread_core_local[current_core_pos] before calling C code. Thus, we can
deprecate CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL and corresponding
code.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: dynamic allocation of threads and their stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of threads and their
stacks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Revie

core: dynamic allocation of threads and their stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of threads and their
stacks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration
parameter with CFG_DYN_CONFIG=y in later patches.

The array threads[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Tested-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: dynamic allocation of thread_core_local and its stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local
and the two stacks, tmp_stack and abt_stack, recorded in it.

Si

core: dynamic allocation of thread_core_local and its stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local
and the two stacks, tmp_stack and abt_stack, recorded in it.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add core_count to thread_init_thread_core_local()

Add a core_count parameter to thread_init_thread_core_local() to enable
dynamic configuration of the number of supported cores when configured

core: add core_count to thread_init_thread_core_local()

Add a core_count parameter to thread_init_thread_core_local() to enable
dynamic configuration of the number of supported cores when configured
with CFG_DYN_STACK_CONFIG=y, or it must be equal to
CFG_TEE_CORE_NB_CORE. This is needed in later patches where the number
of cores is configured dynamically.

The array thread_core_local[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: remove the last appended void transfer entry

transfer_list_set_data_size() appends a void entry for the following
entries to meet the alignment requirement even when it is the last
one

core: kernel: remove the last appended void transfer entry

transfer_list_set_data_size() appends a void entry for the following
entries to meet the alignment requirement even when it is the last
one, thus add a check before appending.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: kernel: fix bug in transfer_list_add()

Fix the missing cast on the target address when doing memmove.
Get the address of entry data via transfer_list_entry_data()
instead of adding offset.

Fi

core: kernel: fix bug in transfer_list_add()

Fix the missing cast on the target address when doing memmove.
Get the address of entry data via transfer_list_entry_data()
instead of adding offset.

Fixes: a12225022bd5 ("core: add transfer list API")
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: reserve physical nexus memory for manifest

In reinit_manifest_dt() when reserving physical memory for the manifest,
allocate from physical nexus memory instead to support ns-virtualizatio

core: ffa: reserve physical nexus memory for manifest

In reinit_manifest_dt() when reserving physical memory for the manifest,
allocate from physical nexus memory instead to support ns-virtualization.

Fixes: 414123ae8ca5 ("core: ffa: reserve physical memory for manifest")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...