History log of /optee_os/core/kernel/user_access.c (Results 1 – 17 of 17)
Revision Date Author Comments
# df46e553 08-Jul-2024 Abhishek Revadekar <abhishek.rvdkr@yahoo.com>

core: fix undefined behavior nonnull_args in user_access.c

Add null pointer checks on 'kaddr' and 'uaddr' before memcpy
to avoid ubsan 'nonnull_args' panic.

xtest error log - 4013
---
$ xtest 4013

E/TC:? 0 Undefined behavior nonnull_arg at core/kernel/user_access.c:56 col 3
E/TC:1 0 Panic at core/kernel/ubsan.c:241 <__ubsan_handle_nonnull_arg>
E/TC:1 0 TEE load address @ 0x8e100000
E/TC:1 0 Call stack:
E/TC:1 0 0x8e10d6c0 print_kernel_stack at optee_os/core/arch/arm/kernel/unwind_arm64.c:89
E/TC:1 0 0x8e130c7c __do_panic at optee_os/core/kernel/panic.c:73
E/TC:1 0 0x8e134eac __ubsan_handle_nonnull_arg at optee_os/core/kernel/ubsan.c:241
E/TC:1 0 0x8e135a48 copy_from_user at optee_os/core/kernel/user_access.c:56
E/TC:1 0 0x8e157198 system_derive_ta_unique_key at optee_os/core/pta/system.c:111
E/TC:1 0 0x8e141258 pseudo_ta_enter_invoke_cmd at optee_os/core/kernel/pseudo_ta.c:209
E/TC:1 0 0x8e13401c tee_ta_invoke_command at optee_os/core/kernel/tee_ta_manager.c:765
E/TC:1 0 0x8e162dac syscall_invoke_ta_command at optee_os/core/tee/tee_svc.c:871
E/TC:1 0 0x8e108110 scall_do_call at optee_os/core/arch/arm/kernel/arch_scall_a64.S:140
E/TC:1 0 0x8e107544 thread_scall_handler at optee_os/core/arch/arm/kernel/thread.c:1138
E/TC:1 0 0x8e1048b4 el0_svc at optee_os/core/arch/arm/kernel/thread_a64.S:850
---

Signed-off-by: Abhishek Revadekar <abhishek.rvdkr@yahoo.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 963eb457 10-Jan-2024 Clement Faure <clement.faure@nxp.com>

core: fix unintended sign extension

core: fix unintended sign extension

Suspicious implicit sign extension: memtag_get_tag(kaddr) with type
uint8_t (8 bits, unsigned) is promoted in
memtag_get_tag(kaddr) << uref_tag_shift to type int (32 bits, signed),
then sign-extended to type unsigned long (64 bits, unsigned).

If memtag_get_tag(kaddr) << uref_tag_shift is greater than 0x7FFFFFFF,
the upper bits of the result will all be 1.

Cast memtag_get_tag(kaddr) to vaddr_t to avoid implicit sign extension.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# 0bba39eb 06-Sep-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: allow zero length for bounce buffer input

core: allow zero length for bounce buffer input

Allows zero length for bb_memdup_user(), bb_memdup_user_private(), and
bb_strndup_user().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# b39fcd95 06-Sep-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: add bb_free_wipe()

core: add bb_free_wipe()

Adds bb_free_wipe(), the bounce buffer counterpart of free_wipe().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# e980c685 28-Aug-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: assign memory tags to bounce buffers

core: assign memory tags to bounce buffers

Just as the heap uses memory tags (CFG_MEMTAG=y), use memory tags for the
temporary bounce buffers. This should catch problems with out of bounds
accesses, or use of already freed or reset bounce buffers.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# e59bc1db 18-Jul-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: add check_user_access() helper function

core: add check_user_access() helper function

Adds check_user_access() to simplify checking if a user mode memory
buffer may be accessed as expected.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# 4e154320 29-May-2023 Seonghyun Park <seonghp@amazon.com>

core: Apply finer-grained PAN

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions, we can now enable finer-grained
PAN, where unprivileged access is only allowed inside a handful of
special user-access functions.

There are some exceptions where we toggle PAN to allow the OP-TEE
core to access user memory, instead of using user-access functions
or bounce buffers. Those are crypto services and ldelf syscall
handlers. Those are chosen to avoid potential large bounce buffer
allocations.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 9c99bb1d 15-Jun-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: add bb_strndup_user()

core: add bb_strndup_user()

Adds bb_strndup_user() to copy a user space string into a bounce buffer
large enough to hold the string.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# e5aa0f8c 12-May-2023 Seonghyun Park <seonghp@amazon.com>

core: add more user access functions

core: add more user access functions

Add more user access functions: clear_user(), strnlen_user() and
bb_memdup_user(), which can be used to manipulate, check or duplicate
given user space buffers.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# c5a0db99 14-Jun-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: add bounce buffer to user mode context

core: add bounce buffer to user mode context

Adds a bounce buffer for user space buffer to be used during syscall
processing to avoid unchecked privileged access into user space memory.

bb_alloc(), bb_free(), and bb_reset() are added to manage memory
allocation from the bounce buffer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>


# ef142203 13-Apr-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: syscalls: strip tags from user space pointers

core: syscalls: strip tags from user space pointers

Strips the tags from user space pointers before using them.
We're relying on TCR_EL1.TCMA0=1 to make the accesses unchecked.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# a0e8ffe9 04-Apr-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: add support for MTE

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any overhead and the behaviour is unchanged. With
CFG_MEMTAG=y a check is performed to see if the platform can support MTE
and the API is dynamically configured accordingly. This means that it's
safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There
will be some minimal overhead then, but likely not noticeable.

An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32
property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The
property is set to a non-zero value only if CFG_CORE_MEMTAG is
configured and the underlying CPU supports FEAT_MTE.

This commit still only uses the default tag with the value 0 resulting
in unchanged pointers when accessing memory. However, all plumbing is in
place allowing for instance tagging of the heap in a later commit.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# c185655e 19-Jan-2021 Jelle Sels <jelle.sels@arm.com>

core: Initiate and load Secure Partitions

core: Initiate and load Secure Partitions

Secure Partitions (SPs) are S-EL0 execution services defined in the Arm
FF-A specification.
The Secure Partitions are loaded as the last part of the boot process.
A Secure Partition can be added to the image using the SP_PATHS build
option. The SPs are loaded using ldelf.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>


# 89c9728d 19-Oct-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: replace tee_mmu prefix with vm

core: replace tee_mmu prefix with vm

Replaces the tee_mmu prefix with vm. tee_mmu.h is renamed to vm.h and
core/arch/arm/mm/tee_mmu.c is moved to core/mm/vm.c. Public functions
belonging to these files are renamed with a vm prefix.

Introduces: vm_map_param(), vm_clean_param(),
vm_buf_is_inside_private(), vm_buf_intersects_private(),
vm_buf_to_mboj_offs(), vm_buf_is_inside_um_private(),
vm_buf_intersects_um_private(), vm_add_rwmem(), vm_rem_rwmem(),
vm_va2pa(), vm_pa2va(), vm_check_access_rights(), vm_set_ctx() replacing
their tee_mmu_*() counterpart.

Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 00b3b9a2 31-Aug-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: add generic struct ts_session

core: add generic struct ts_session

As a step in making room for Secure Partitions (SPs) running at S-EL0,
add a Trusted Service (TS) abstraction. Both TAs and SPs are TSs.

Adds the generic struct ts_session. All future sessions structs
(currently only struct tee_ta_session exists) should add this struct to
allow generic session operations.

With this struct comes new functions replacing previous struct
tee_ta_session oriented functions. The following functions are replaced
as:
tee_ta_get_current_session() -> ts_get_current_session()
tee_ta_push_current_session() -> ts_push_current_session()
tee_ta_pop_current_session() -> ts_pop_current_session()
tee_ta_get_calling_session() -> ts_get_calling_session()

ts_get_current_session() is changed compared to its predecessor to
panic() in case of failure to return a valid pointer.

A new function ts_get_current_session_may_fail() is added to handle an
eventual case where a returned NULL session may be handled.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 7e4100f3 22-Jun-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: add copy_{to,from}_private()

core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions, which check that the user
mode buffer resides in TA private memory and not, for instance, in
non-secure shared memory.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# c40a6505 21-Jun-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: separate copy_from_user() and friends

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
