core: kernel: dt_driver: variable may be unused

Fix the following warning with Clang 18.6.1:

core/kernel/dt_driver.c:456:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-vari

core: kernel: dt_driver: variable may be unused

Fix the following warning with Clang 18.6.1:

core/kernel/dt_driver.c:456:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
456 | unsigned int count = 0;
| ^

Indeed, when CFG_TEE_CORE_LOG_LEVEL <= 2, the value of count is never
read.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the loa

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the load address. The physical memory pool is initialized with the entire
range of secure memory, with holes carved out for already used memory.

Temporarily allocate the physical memory used by the manifest until it's
not needed any longer and released by release_manifest_dt().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution.

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution. This can lead to an inconsistent state if a
native interrupt occur while ftrace_enter() or ftrace_return() is
recording data in the ftrace buffer. So fix this by using
thread_is_in_normal_mode() to exclude ftrace during interrupt
processing.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7216
Fixes: 099918f6744c ("ftrace: Add support for syscall function tracer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: move plat_get_random_stack_canaries() to common part

Other architectures (e.g. RISC-V) may want to call
plat_get_random_stack_canaries() for random stack
canaries. Move it from ARM architectur

core: move plat_get_random_stack_canaries() to common part

Other architectures (e.g. RISC-V) may want to call
plat_get_random_stack_canaries() for random stack
canaries. Move it from ARM architecture directory
to common part.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Co-developed-by: Alvin Chang <alvinga@andestech.com>
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf: enable ubsan support

Ubsan support was previously limited to core code. This commit moves the
ubsan runtime implementation to libutils, making it available for ldelf
and trusted applications.

ldelf: enable ubsan support

Ubsan support was previously limited to core code. This commit moves the
ubsan runtime implementation to libutils, making it available for ldelf
and trusted applications.

As a result, ldelf will now be built with ubsan support when
CFG_CORE_SANITIZE_UNDEFINED is enabled.

Additionally, to avoid potential infinite recursion, ubsan
instrumentation is explicitly disabled for ubsan.c.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fix CFG_BOOT_INIT_THREAD_CORE_LOCAL0

CFG_BOOT_INIT_THREAD_CORE_LOCAL0 is misleading since it's concerning the
core id of the boot CPU. So rename the configuration flag to
CFG_BOOT_INIT_CURRENT

core: fix CFG_BOOT_INIT_THREAD_CORE_LOCAL0

CFG_BOOT_INIT_THREAD_CORE_LOCAL0 is misleading since it's concerning the
core id of the boot CPU. So rename the configuration flag to
CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL and update the code as needed.
Only thread_init_thread_core_local() has a change of behaviour where the
boot CPU now can have any core id.

Fixes: b5ec8152f3e5 ("core: arm: refactor boot")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: Remove unused call_initcalls()

Remove call_initcalls() since there is no architecture calls it.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wi

core: kernel: Remove unused call_initcalls()

Remove call_initcalls() since there is no architecture calls it.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: interrupt: clarify inline comment in interrupt_create_handler()

Clarify inline comment in interrupt_create_handler() to explicit that
this function request add_configure_handler() to not confi

core: interrupt: clarify inline comment in interrupt_create_handler()

Clarify inline comment in interrupt_create_handler() to explicit that
this function request add_configure_handler() to not configure the
interrupt (since it's already configured from interrupt_dt_get_by_*()
API functions).

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt: itr_chip may not require configure handler

The configure handler in struct itr_ops is not required for interrupt
providers which consumers only use the DT to get and configure their

core: interrupt: itr_chip may not require configure handler

The configure handler in struct itr_ops is not required for interrupt
providers which consumers only use the DT to get and configure their
interrupts (with interrupt_dt_get_by_*() and interrupt_create_handler()).
Therefore change itr_chip_is_valid() to not enforce its support
but add back that constraint for the interrupt main controller.

Add an itr_chip_dt_only_init() helper function for interrupt
controllers which consumers only use the DT to configure their
interrupt, that is such controllers do not need a configure handler.

itr_chip_is_valid() is not called outside interrupt.c where it is
used in itr_chip_init() and itr_chip_dt_only_init() so make it a local
function.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt: rename .add handler to .configure

Rename field add of struct itr_ops to configure for consistency
since that handler is used the configure the interrupt. Update
existing interrupt d

core: interrupt: rename .add handler to .configure

Rename field add of struct itr_ops to configure for consistency
since that handler is used the configure the interrupt. Update
existing interrupt drivers accordingly.

By the way fix inline comment spelling typo (s/contrainsts/constraints/).

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread: initialize stack canaries from recorded end-va

Continue where "core: thread: get stacks from recorded end-va" left and
initialize the stack canaries based on the recorded end-va. This

core: thread: initialize stack canaries from recorded end-va

Continue where "core: thread: get stacks from recorded end-va" left and
initialize the stack canaries based on the recorded end-va. This is
needed in later patches where the stacks aren't statically allocated.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: thread: get stacks from recorded end-va

Each stack has its end-va or top recorded in either thread_core_local[]
or threads[] as tmp_stack_va_end, abt_stack_va_end, or stack_va_end.
This addres

core: thread: get stacks from recorded end-va

Each stack has its end-va or top recorded in either thread_core_local[]
or threads[] as tmp_stack_va_end, abt_stack_va_end, or stack_va_end.
This address together with the known size of the stack is enough to
calculate all the other needed stack related addresses:
- start and end canaries,
- top and bottom of the stacks.

Add and use new internal functions to calculate these addresses and
remove the now unused macros. This is needed in later patches where the
stacks aren't statically allocated.

INIT_CANARY(), GET_START_CANARY(), and GET_END_CANARY() are kept for now
to see that the addresses for the canaries are calculated correctly in
the new functions.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: refactor boot

Introduce CFG_BOOT_INIT_THREAD_CORE_LOCAL0 to indicate that
thread_core_local[0] is initialized before the boot_init_* functions are
called.

thread_init_core_local_stacks()

core: arm: refactor boot

Introduce CFG_BOOT_INIT_THREAD_CORE_LOCAL0 to indicate that
thread_core_local[0] is initialized before the boot_init_* functions are
called.

thread_init_core_local_stacks() and thread_init_thread_core_local() are
replaced by a new version of thread_init_thread_core_local() for
CFG_BOOT_INIT_THREAD_CORE_LOCAL0=y.

Move initialization of thread_core_local[] from very early to
boot_init_primary_late() where various DTBs containing run-time
configuration are available. This will be needed in later patches when
the number of configured cores can be read from DT or some other
run-time configuration.

Move the "OP-TEE version" print and following code from
boot_init_primary_late() to boot_init_primary_final()

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fail build when CFG_INSECURE=n used with zero HUK

CFG_INSECURE=n indicates the build may be used for production. In this
environment using the zero HUK in inappropriate, so fail the build
in t

core: fail build when CFG_INSECURE=n used with zero HUK

CFG_INSECURE=n indicates the build may be used for production. In this
environment using the zero HUK in inappropriate, so fail the build
in this case.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: interrupt: enhance registered controller chips validity

Enhance assertion of interrupt chip validity using itr_chip_is_valid()
helper function instead of only testing the chip handle is not nu

core: interrupt: enhance registered controller chips validity

Enhance assertion of interrupt chip validity using itr_chip_is_valid()
helper function instead of only testing the chip handle is not null.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt: fix property count in dt_get_irq_type_prio()

Fix the number of properties passed by dt_get_irq_type_prio()
to dt_get_irq handler of the interrupt main chip. The fixed issue
was not

core: interrupt: fix property count in dt_get_irq_type_prio()

Fix the number of properties passed by dt_get_irq_type_prio()
to dt_get_irq handler of the interrupt main chip. The fixed issue
was not seen since existing registered dt_get_irq handlers (atmel_wdt.c,
gic.c and plic.c) do not really care when this count value is too high.

Fixes: 702fe5a74327 ("core: kernel: interrupt: add type and prio for interrupts")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: dt: cached data for fdt_get_reg_props_by_index()

Factorize fdt_get_reg_props_by_index() and fdt_reg_info() to
add DT cache info support to the former.

Signed-off-by: Etienne Carriere <etienne

core: dt: cached data for fdt_get_reg_props_by_index()

Factorize fdt_get_reg_props_by_index() and fdt_reg_info() to
add DT cache info support to the former.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix potential crash when setting transfer entry size

Fix a potential crash when the rounded up end-of-entry exceeds the
boundary of the old end-of-transfer-list when setting the size of
a tran

core: fix potential crash when setting transfer entry size

Fix a potential crash when the rounded up end-of-entry exceeds the
boundary of the old end-of-transfer-list when setting the size of
a transfer entry.

The crash happens when the specified entry is the last one in the
transfer list and its rounded up end 'old_ev' exceeds the
'tl_old_ev' which is not rounded up, leading to a negative value
with (tl_old_ev - old_ev).

Logically, 'tl_old_ev > old_ev' is the only case that indicates
there are subsequent entries to be moved.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: notif_default: support ns-virtualization

Add support for CFG_NS_VIRTUALIZATION=y in the default notification
implementation used with the SMC ABI.

virt_add_guest_spec_data() is used to add st

core: notif_default: support ns-virtualization

Add support for CFG_NS_VIRTUALIZATION=y in the default notification
implementation used with the SMC ABI.

virt_add_guest_spec_data() is used to add struct notif_vm_bitmap for
bookkeeping per guest, similarly to the implementation for the FF-A ABI.

This takes care of and removes the assert for "!guest" in
notif_send_async().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Yuvraj Sakshith <ysakshith@gmail.com>
Tested-by: Yuvraj Sakshith <ysakshith@gmail.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: refactor ubsan panic code

Move panic invocation to common function. That makes entire code a
little bit more compact and removes duplications. Also remove
volatile modifier from ubsan_panic va

core: refactor ubsan panic code

Move panic invocation to common function. That makes entire code a
little bit more compact and removes duplications. Also remove
volatile modifier from ubsan_panic variable to make checkpatch
happy.

Signed-off-by: Aleksandr Iashchenko <alexhoppus111@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix error in ubsan_builtin_unreachable naming

There is only __ubsan_handle_builtin_unreachable interface in gcc.
It was there starting from version 4.9.0.

Signed-off-by: Aleksandr Iashchenko

core: fix error in ubsan_builtin_unreachable naming

There is only __ubsan_handle_builtin_unreachable interface in gcc.
It was there starting from version 4.9.0.

Signed-off-by: Aleksandr Iashchenko <alexhoppus111@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix gcc warnings in ubsan

Latest gcc versions utilize void * as argument type for most of the
ubsan related handlers prototypes. Reproduced with gcc 11.2 .

Signed-off-by: Aleksandr Iashchenko

core: fix gcc warnings in ubsan

Latest gcc versions utilize void * as argument type for most of the
ubsan related handlers prototypes. Reproduced with gcc 11.2 .

Signed-off-by: Aleksandr Iashchenko <alexhoppus111@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix undefined reference to ubsan function

Add UBSan handler __ubsan_handle_invalid_builtin, which support
__builtin* functions validation. In some cases when __builtin functions
are used, und

core: fix undefined reference to ubsan function

Add UBSan handler __ubsan_handle_invalid_builtin, which support
__builtin* functions validation. In some cases when __builtin functions
are used, undefined behaviour might be triggered by invalid arguments.
E.g. passing 0 as the argument to __builtin_ctz or __builtin_clz
invokes undefined behavior and is diagnosed by UBSan.

Signed-off-by: Aleksandr Iashchenko <alexhoppus111@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

tree-wide: use ROUNDUP_DIV() where applicable

Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Je

tree-wide: use ROUNDUP_DIV() where applicable

Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

tree-wide: use power-of-2 rounding macros where applicable

Use ROUNDUP2(), ROUNDUP2_OVERFLOW(), ROUNDUP2_DIV() and ROUNDDOWN2() at
places where the rounding argument is a variable value and we want

tree-wide: use power-of-2 rounding macros where applicable

Use ROUNDUP2(), ROUNDUP2_OVERFLOW(), ROUNDUP2_DIV() and ROUNDDOWN2() at
places where the rounding argument is a variable value and we want to
leverage the implementation of these routines optimized for a
power-of-2 rounding argument.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...