core: dt_driver: add dt_driver_provider_priv_data()

Implements dt_driver_provider_priv_data() to get the private data
registered with a provider. Regulator framework will use this
function to return

core: dt_driver: add dt_driver_provider_priv_data()

Implements dt_driver_provider_priv_data() to get the private data
registered with a provider. Regulator framework will use this
function to return the regulator handle associated to a regulator
provider driver.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: dt_driver: define DT_DRIVER_REGULATOR

Adds DT_DRIVER_REGULATOR for a regulator consumer to retrieve its
regulator device(s) from device tree information.

Acked-by: Gatien Chevallier <gatien.c

core: dt_driver: define DT_DRIVER_REGULATOR

Adds DT_DRIVER_REGULATOR for a regulator consumer to retrieve its
regulator device(s) from device tree information.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add non-volatile monotonic counter interface

Adds a stubbed non-volatile monotonic counter interface with a REE FS
counter. Platforms or drivers overrides the weak functions
nv_counter_get_ree

core: add non-volatile monotonic counter interface

Adds a stubbed non-volatile monotonic counter interface with a REE FS
counter. Platforms or drivers overrides the weak functions
nv_counter_get_ree_fs() and nv_counter_incr_ree_fs_to() to provide a
non-stubbed implementation of the counter.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: tpm: don't write to SPMC manifest

If "CFG_CORE_SEL1_SPMC=y" the TPM event log info is read from the SPMC
manifest instead of the external DT. The TPM event log handler code is
setting the even

core: tpm: don't write to SPMC manifest

If "CFG_CORE_SEL1_SPMC=y" the TPM event log info is read from the SPMC
manifest instead of the external DT. The TPM event log handler code is
setting the event log's address to zero in the DT, which fails since the
SPMC manifest is mapped as read-only. Remove this zeroing for the S-EL1
SPMC use case, it has no added security benefits since the SPMC manifest
DT itself is always in secure memory anyways.

Fixes: 722c618f0dfa ("core: map manifest using MEM_AREA_MANIFEST_DT")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: allow zero length for bounce buffer input

Allows zero length for bb_memdup_user(), bb_memdup_user_private(), and
bb_strndup_user().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
R

core: allow zero length for bounce buffer input

Allows zero length for bb_memdup_user(), bb_memdup_user_private(), and
bb_strndup_user().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add bb_free_wipe()

Adds bb_free_wipe() the bounce buffer counter-part of free_wipe().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere

core: add bb_free_wipe()

Adds bb_free_wipe() the bounce buffer counter-part of free_wipe().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: dt_driver: fix error handling in probe_dt_drivers()

When the dt_driver_probe_list is empty but the dt_driver_failed_list
is not empty, meaning a probe has failed, and that there's no more prob

core: dt_driver: fix error handling in probe_dt_drivers()

When the dt_driver_probe_list is empty but the dt_driver_failed_list
is not empty, meaning a probe has failed, and that there's no more probe
to defer, the probe_dt_drivers() does not panic().

Fix and simplify the error handling to panic if a probe has failed.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fix race in handling TA panic

A TA context (struct tee_ta_ctx), can only be accessed and manipulated
if either locked or set to busy by the current thread, or if it has no
no other references.

core: fix race in handling TA panic

A TA context (struct tee_ta_ctx), can only be accessed and manipulated
if either locked or set to busy by the current thread, or if it has no
no other references.

Prior to this patch this wasn't followed by tee_ta_open_session(),
tee_ta_invoke_command(), and dump_ta_memstats(). Accesses were made to
the "panicked" field of struct tee_ta_ctx.
destroy_ta_ctx_from_session() was also manipulating sessions possibly
being used by other threads.

So fix this by only accessing the internals of the TA context while
holding the needed lock. destroy_ta_ctx_from_session() is removed, the
new ts_ops callback release_state() is used instead to free what can be
freed from a panicked TA context. The last session referencing the TA
context will free it.

Fixes: fd10f62b8210 ("core: keep alive TA context can be created after TA has panicked")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Tested-by: Wentao Sun <wentao.sun@amlogic.com>

show more ...

core: add release_state to struct ts_ops

Adds the optional function pointer release_state() to struct ts_ops.
This callback will be called when a TA has panicked and as many
resources as possible ne

core: add release_state to struct ts_ops

Adds the optional function pointer release_state() to struct ts_ops.
This callback will be called when a TA has panicked and as many
resources as possible need to be released early. release_state() is a
subset of the destroy() callback. When the destroy() is called
eventually it will free the entire state of the TA regardless if
release_state() has been called before or not. This allows freeing
resources while there are still open sessions to the TA.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: use BB_MEMDUP_USER() where needed

Uses BB_MEMDUP_USER() instead of bb_memdup_user() where the destination
buffer isn't a void * in order to avoid using a extra void * variable to
handle the ou

core: use BB_MEMDUP_USER() where needed

Uses BB_MEMDUP_USER() instead of bb_memdup_user() where the destination
buffer isn't a void * in order to avoid using a extra void * variable to
handle the output pointer from bb_memdup_user().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ldelf: apply finer-grained PAN

Prior to this commit, PAN was disabled when executing ldelf syscalls.
With the new user buffer aware ts_store API we can now enable
finer-grained PAN in ldelf sy

core: ldelf: apply finer-grained PAN

Prior to this commit, PAN was disabled when executing ldelf syscalls.
With the new user buffer aware ts_store API we can now enable
finer-grained PAN in ldelf syscalls.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: update ts_store API with user space buffer

Updates the read() function pointer in struct ts_store_ops to take an
user space buffer in addition to the previous core buffer. Core buffers
are nor

core: update ts_store API with user space buffer

Updates the read() function pointer in struct ts_store_ops to take an
user space buffer in addition to the previous core buffer. Core buffers
are normal secure memory while user space buffers should only be accessed
using the user_access.h functions.

The different TA storage implementations are updated accordingly.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: assign memory tags to bounce buffers

Just as the heap uses memory tags (CFG_MEMTAG=y) use memory tags for the
temporary bounce buffers. This should catch problems with out of bounds
accesses,

core: assign memory tags to bounce buffers

Just as the heap uses memory tags (CFG_MEMTAG=y) use memory tags for the
temporary bounce buffers. This should catch problems with out of bounds
accesses, using already freed, reset bounce buffers.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: asan: prevent nefarious optimization in unchecked memcpy() and memset()

Add __inhibit_loop_to_libcall qualifier to asan_memcpy_unchecked() and
asan_memset_unchecked() so that the compiler does

core: asan: prevent nefarious optimization in unchecked memcpy() and memset()

Add __inhibit_loop_to_libcall qualifier to asan_memcpy_unchecked() and
asan_memset_unchecked() so that the compiler does not invoke the real
(checked) memcpy() and memset().

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: allow redefinition of function huk_subkey_derive()

Set the function huk_subkey_derive() as weak to allow platform custom
implementation.
We add __huk_subkey_derive() with the implementation of

core: allow redefinition of function huk_subkey_derive()

Set the function huk_subkey_derive() as weak to allow platform custom
implementation.
We add __huk_subkey_derive() with the implementation of
HUK derivation so the default implementation is still accessible
when huk_subkey_derive() is overridden.
This is useful if the key derivation is implemented using hardware
discovered during intilization.
If the substem used to derive a key is disabled, the function
__huk_subkey_derive() can be used as a fallback.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: pta: add helper functions to support calls from TA when CFG_PAN=y

Introduce helper function to make it easier to use bounce buffers in a
PTA entry point to support calls with memrefs from user

core: pta: add helper functions to support calls from TA when CFG_PAN=y

Introduce helper function to make it easier to use bounce buffers in a
PTA entry point to support calls with memrefs from user space TAs when
PAN is enabled.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buf

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buffer. Core buffers are normal secure memory while user space
buffers should only be accessed using the user_access.h functions.

The different FS storage implementations are updated accordingly.

Note that the RPMB FS storage implementation resorts to using
enter_user_access() and exit_user_access() due to internal complexities.

Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fix reading result in ldelf_dlopen()

The commit 52e7b1a67f8f ("core: use user-access functions in ldelf
interaction") start to use a bounce buffer to initialize the argument
for LDELF_DL_ENTRY

core: fix reading result in ldelf_dlopen()

The commit 52e7b1a67f8f ("core: use user-access functions in ldelf
interaction") start to use a bounce buffer to initialize the argument
for LDELF_DL_ENTRY_DLSYM. However, it also reads the result of
LDELF_DL_ENTRY_DLSYM from the bounce buffer. This is an error since the
result of LDELF_DL_ENTRY_DLSYM still remains on the stack used by ldelf.
So fix this by reading the result from the ldelf stack.

Fixes: 52e7b1a67f8f ("core: use user-access functions in ldelf interaction")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add check_user_access() helper function

Adds check_user_access() to simplify checking if a user mode memory
buffer may be accessed as expected.

Signed-off-by: Jens Wiklander <jens.wiklander@l

core: add check_user_access() helper function

Adds check_user_access() to simplify checking if a user mode memory
buffer may be accessed as expected.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: kernel: Refine variable declarations and return values in dt.c

Provide initialization values for local variables. The return values of
libfdt functions are returned instead of -1 since libfdt

core: kernel: Refine variable declarations and return values in dt.c

Provide initialization values for local variables. The return values of
libfdt functions are returned instead of -1 since libfdt has its own
error codes and they are useful for debug.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: Move some DT functions to common kernel

Some existed functions for device tree in ARM could be also used for
other architectures. This commit moves most of functions from ARM
architecture

core: arm: Move some DT functions to common kernel

Some existed functions for device tree in ARM could be also used for
other architectures. This commit moves most of functions from ARM
architecture into "core/kernel/dt.c", including external DT descriptor,
DT overlay, external DT initialization, API for adding DT child nodes
and reserved-memory nodes. Since "core/kernel/dt.c" is dependent with
CFG_DT, other functions which are independent with CFG_DT are put into
new file "core/kernel/boot.c".

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fix update from user parameters with CFG_PAN=y

When CFG_PAN is enabled, OP-TEE kernel can not directly access the user
memory, otherwise an exception occurs. To fix it, we apply user-access
fu

core: fix update from user parameters with CFG_PAN=y

When CFG_PAN is enabled, OP-TEE kernel can not directly access the user
memory, otherwise an exception occurs. To fix it, we apply user-access
functions when OP-TEE kernel updates the parameters from user stack. A
bounce buffer is allocated and the user stack contents are duplicated
into the bounce buffer before OP-TEE kernel accesses them.

Fixes: 376448c26af4 ("core: use user-access functions for passing params")
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix ldelf invalid access to user stack with CFG_PAN=y

When CFG_PAN is enabled, OP-TEE kernel can not directly access the user
memory, otherwise an exception occurs. To fix it, we apply user-ac

core: fix ldelf invalid access to user stack with CFG_PAN=y

When CFG_PAN is enabled, OP-TEE kernel can not directly access the user
memory, otherwise an exception occurs. To fix it, we apply user-access
functions when ldelf gets the parameters from the user stack "arg".

Fixes: 52e7b1a67f8f ("core: use user-access functions in ldelf interaction")
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time,
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions,

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time,
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions, we can now enable finer-
grained PAN, where the unprivileged access is only allowed inside
handful of special user-access functions.

There are some exceptions where we toggle PAN to allow the OP-TEE
core to access user memory, instead of using user-access functions
or bounce buffers. Those are crypto services and ldelf syscall
handlers. Those are chosen to avoid potential large bounce buffer
allocations.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: use user-access functions for passing params

Use user-access functions for parameter-passing between user TA and
the core when calling another TA from a TA and when entering a user
TA.

Signed

core: use user-access functions for passing params

Use user-access functions for parameter-passing between user TA and
the core when calling another TA from a TA and when entering a user
TA.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...