| #
c34c183a |
| 29-Mar-2021 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: kernel: move ree_fs_ta.c to core/tee
ree_fs_ta.c is not architecture-specific code, therefore move it to core/tee.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1bfc1082 |
| 29-Mar-2021 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: kernel: move early_ta.c to core/tee
early_ta.c is not architecture-specific code, therefore move it to core/tee. Moves early_ta.h to core/include/kernel as well.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a54f2bb7 |
| 29-Mar-2021 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: kernel: move pseudo_ta.c to core/tee
pseudo_ta.c is not architecture-specific code, therefore move it to core/tee. pseudo_ta.h is already located under core/include/kernel
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
d3977ed1 |
| 29-Mar-2021 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: kernel: move user_ta.c to core/tee
user_ta.c is not architecture-specific code, therefore move it to core/tee. user_ta.h is already located under core/include/kernel.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
22ac5767 |
| 03-Mar-2021 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: kernel: sub.mk: don't build user_access.c when CFG_WITH_USER_TA=n
The user_access.c functions are used by tee_svc* which are not built when CFG_WITH_USER_TA=n, therefore, make it depend on CFG_WITH_USER_TA flag.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
|
| #
51f49692 |
| 01-Mar-2021 |
Marouene Boubakri <marouene.boubakri@nxp.com> |
core: mutex: mutex is abstract pull it from arch folder
This commit moves mutex* and wait_queue* from arch folder to core/kernel to make it architecture-independent.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
cbe7e1b8 |
| 11-Dec-2020 |
Balint Dobszay <balint.dobszay@arm.com> |
core: extract ldelf related code from system PTA
Various functions in the system PTA are only used in conjunction with ldelf. They either implement a system service needed only by ldelf (system_open_ta_binary(), etc.) or they provide an interface for TAs to invoke services implemented in user space by ldelf (call_ldelf_dlopen(), call_ldelf_dlsym()). Extract these to a separate file as a first step towards converting the PTA system_*() calls into proper ldelf-specific syscalls.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
| #
00b3b9a2 |
| 31-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add generic struct ts_session
As a step in making room for Secure Partitions (SPs) running at S-EL0, add a Trusted Service (TS) abstraction. Both TAs and SPs are TSs.
Adds the generic struct ts_session. All future session structs (currently only struct tee_ta_session exists) should add this struct to allow generic session operations.
With this struct come new functions replacing previous struct tee_ta_session oriented functions. The following functions are replaced as:
tee_ta_get_current_session() -> ts_get_current_session()
tee_ta_push_current_session() -> ts_push_current_session()
tee_ta_pop_current_session() -> ts_pop_current_session()
tee_ta_get_calling_session() -> ts_get_calling_session()
ts_get_current_session() is changed compared to its predecessor to panic() in case of failure to return a valid pointer.
A new function ts_get_current_session_may_fail() is added to handle an eventual case where a returned NULL session may be handled.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
c40a6505 |
| 21-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: separate copy_from_user() and friends
Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and friends into <kernel/user_access.h> and core/kernel/user/access.c
Reviewed-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1b302ac0 |
| 02-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: enable FF-A with SPM Core at S-EL1
Adds support for using FF-A as transport instead of using the proprietary SMCs defined in optee_smc.h.
The configuration supports the case where SPM Core is implemented at S-EL1, that is, inside OP-TEE. This configuration is also known as "S-EL1 SPMC" in the FF-A 1.0 specification [1].
Compile with CFG_CORE_SEL1_SPMC=y
Note that this is an experimental feature, ABIs etc may have incompatible changes
Link: [1] https://static.docs.arm.com/den0077/a/DEN0077A_PSA_Firmware_Framework_Arm_v8-A_1.0_EAC.pdf
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
c5c56024 |
| 05-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: call call_initcalls() directly
Now that init_teecore() is only a wrapper around call_initcalls(), drop that function and call call_initcalls() directly from init_tee_runtime().
Also move the file to core/kernel/initcall.c since that's what it does.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
dd333f03 |
| 20-Jan-2020 |
Javier Almansa Sobrino <javier.almansasobrino@arm.com> |
core: Add support to access a TPM event log in secure memory.
Support for OPTEE to be able to receive a TPM event log through a DTB so it can forward it to a TA (such as a TPM service) in order to extend the measurements.
CFG_CORE_TPM_EVENT_LOG enables this feature. CFG_TPM_LOG_BASE_ADDR hardcodes the phys address of the event log in case CFG_DT is not set. CFG_TPM_MAX_LOG_SIZE hardcodes the size of the event log in case CFG_DT is not set.
When this feature is enabled, the PTA_SYSTEM_GET_TPM_EVENT_LOG command is available to any TA.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com> Reviewed-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
5343f09f |
| 07-Oct-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add common user_mode_ctx_print_mappings()
Adds a common user_mode_ctx_print_mappings() which prints the current user mode mappings.
Acked-by: Pipat Methavanitpong <pipat.methavanitpong@linaro.org> Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a2087649 |
| 18-Sep-2019 |
Jerome Forissier <jerome@forissier.org> |
core: add support for dumping build configuration info on boot
During development, we occasionally experience crashes within the TEE core. When the tests are run locally, the developer has all the needed information to troubleshoot the issue. But when the crash occurs on a remote host (CI for instance), it is sometimes inconvenient or even impossible to retrieve files other than the console logs. As a result, it is equally inconvenient or impossible to obtain a symbolized crash dump (scripts/symbolize.py needs the dump message but also tee.elf). If the exact build configuration is known, then it is possible to reproduce the build locally (assuming the same toolchain is also used which is not a problem in practice) and proceed with debugging. Unfortunately the values of the CFG_ flags are not always shown in the logs and omitting only one flag can significantly change the TEE binary.
This commit introduces CFG_SHOW_CONF_ON_BOOT (default n). When enabled, the contents of the build configuration file $O/conf.mk are printed to the secure console during initialization with TRACE_INFO severity. The file is compressed to reduce memory usage and space used in the logs, and it is encoded into printable text.
To obtain the conf.mk file, one needs to copy and paste the encoded text into 'base64 -d | xz -d'. These two commands are also required at build time when CFG_SHOW_CONF_ON_BOOT is y.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
37a6b717 |
| 18-Apr-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce CFG_CORE_DYN_SHM
Introduces CFG_CORE_DYN_SHM which if set to y enables dynamic shared memory, else disables support for dynamic shared memory. In contrast with CFG_DYN_SHM_CAP it actually removes the support instead of just omitting to report it.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
fa0525fa |
| 25-Apr-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce huk_subkey_derive()
The hardware unique key should preferably only be used to generate other keys. This is encouraged with huk_subkey_derive() which is used to derive a subkey from the hardware unique key.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b7c94e43 |
| 14-Dec-2018 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: framework to register PM callbacks
Introduce a framework for power management callback registering.
Drivers and services can register a callback function for the platform suspend and resume sequences. A private address handle can be registered with the callback and retrieved from the callback. Callback can be registered with a specific call order as defined per PM_CB_ORDER_*.
Callback shall return an error if failing to complete target transition. This information may be used by the platform to resume a platform on non-fatal failure to suspend.
Callbacks are related to a callback level. It defines the callbacks call ordering, allowing core low level drivers (as clocks or the GIC) to be suspended after all drivers and resumed before these.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Cedric Neveux <cedric.neveux@nxp.com>
|
| #
5e4210e9 |
| 22-Nov-2018 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add scattered array
Adds a scattered array which allows defining arrays scattered over several source files. The implementation is based on some support by the linker.
This is a generic solution to initcalls and other similar scattered initializations.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b3fd78c4 |
| 14-Sep-2018 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: introduce lockdep algorithm
This commit introduces an algorithm that may be used to detect improper usage of locks at runtime. It can detect two kinds of errors:
1. A thread tries to release a lock it does not own,
2. A thread tries to acquire a lock and the operation could *potentially* result in a deadlock.
The potential deadlock detection assumes that the code adheres to a strict locking hierarchy, in other words, that there is a partial ordering on the locks so that there can be no situation where circular waits can occur. To put things simply, any two locks should be acquired in the same order in the same thread. This addresses the following case:
  [Thread #1]   [Thread #2]
    lock(A)
                  lock(B)
    lock(B)
                  lock(A) <-- deadlock!
    ...
The algorithm builds the lock hierarchy dynamically and reports as soon as a violation is detected.
The interface is made of two functions: lockdep_lock_acquire() and lockdep_lock_release(), which are meant to be introduced in the implementation of the actual lock objects. The "acquire" hook tells the algorithm that a particular lock is about to be requested by a particular thread, while the "release" hook is meant to be called before the lock is actually released. If an error is detected, debugging information is sent to the console, and panic() is called. The debugging information includes the lock cycle that was detected (in the above example, {A, B}), as well as the call stacks at the points where the locks were acquired.
The good thing with such an instrumentation of the locking code is that there is no need to wait for an actual deadlock to occur in order to detect potential problems. For instance, the timing of execution in the above example could be different but the problem would still be detected:
  [Thread #1]   [Thread #2]
    lock(A)
    lock(B)
    unlock(B)
    unlock(A)
                  lock(B)
                  lock(A) <-- error!
A pseudo-TA is added for testing (pta/core_lockdep_tests.c).
This code is based on two sources:
- A presentation called "Dl-Check: dynamic potential deadlock detection tool for Java programs" [1], although the somewhat complex MNR algorithm for topological ordering of a DAG was not used;
- A depth-first search algorithm [2] was used instead.
Link: [1] https://www.slideshare.net/IosifItkin/tmpa2017-dlcheck-dynamic-potential-deadlock-detection-tool-for-java-programs
Link: [2] https://en.wikipedia.org/wiki/Topological_sorting#Depth-first_search
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b97e9666 |
| 28-Nov-2017 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add refcount routines
Adds refcount_inc() and refcount_dec()
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
50f24313 |
| 07-Mar-2017 |
Volodymyr Babchuk <vlad.babchuk@gmail.com> |
msg_param: add msg_param.c with helper functions
This patch adds various helper functions to manipulate parameters passed to/from normal world.
Also it introduces a new optee_param type which is used to pass long lists of parameters.
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Hikey)
|
| #
a4f139d7 |
| 04-Mar-2016 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: introduce struct dt_driver
When CFG_DT=y, a linker section is created (.rodata.dtdrv) to hold all the DT-compatible drivers. The table can later be queried at runtime. Some manipulation functions are exported in <kernel/dt.h>.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
756aea59 |
| 17-Feb-2017 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: add common implementation for console_putc() and console_flush()
Since most platforms now use the same console_putc() and console_flush(), move them to core/kernel/console.c. Make them __weak so that platforms may still provide their own. The common code expects the platforms to initialize whatever serial device from console_init() and call register_console().
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
acc10c43 |
| 08-Dec-2016 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove tee_dispatch_* functions
Prior to this patch the tee_dispatch_* functions were called when invoking TAs from normal world.
The tee_dispatch_* functions provided little value and have now been collapsed into the architecture specific entry_std.c reducing the stack usage.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1d171f95 |
| 30-Aug-2016 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add support for kernel address sanitizer
Adds support for kernel address sanitizer. Currently only for plat-vexpress-qemu_virt.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU v7) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|