| 8e64b181 | 23-May-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove tee_ta_dump_current()
tee_ta_dump_current() is only called from abort_print_current_ta(), move the trivial implementation into abort_print_current_ta() and remove tee_ta_dump_current().
core: remove tee_ta_dump_current()
tee_ta_dump_current() is only called from abort_print_current_ta(), move the trivial implementation into abort_print_current_ta() and remove tee_ta_dump_current().
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 02fbb41a | 27-Jun-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: lockdep: support non-blocking acquire
Adds support for non-blocking lock semantics such as mutex_trylock(). A new function is introduced to instrument this operation: lockdep_tryacquire(). It
core: lockdep: support non-blocking acquire
Adds support for non-blocking lock semantics such as mutex_trylock(). A new function is introduced to instrument this operation: lockdep_tryacquire(). It should be called when it is known that ownership of the underlying object has been granted to the caller. It behaves similarly to lockdep_acquire() in that it does record the call stack and records that the lock is owned. But it does not create any dependencies to the locks that are currently owned by the caller. See "Dynamic Lock Dependency Analysis of Concurrent Systems" [1] section 5.3.
Link: [1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87.132&rep=rep1&type=pdf Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| ccbc05e1 | 03-Jun-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: lockdep: support lock destroy
With lockdep enabled (CFG_LOCKDEP=y), additional cleanup is needed when a mutex is destroyed. This patch adds mutex_destroy_check() which is called when a mutex i
core: lockdep: support lock destroy
With lockdep enabled (CFG_LOCKDEP=y), additional cleanup is needed when a mutex is destroyed. This patch adds mutex_destroy_check() which is called when a mutex is destroyed with mutex_destroy(). From mutex_destroy_check() the corresponding lockdep node and all edges referring to it are removed.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| d35a00c7 | 16-May-2019 |
Sumit Garg <sumit.garg@linaro.org> |
core: prepare support for TA function tracing
To support TA function tracing OP-TEE core role being: - To initialize and register ftrace buffer per TA session. - To dump TA ftrace buffer to normal w
core: prepare support for TA function tracing
To support TA function tracing OP-TEE core role being: - To initialize and register ftrace buffer per TA session. - To dump TA ftrace buffer to normal world via RPC call in case TA session closes or in case of TA abort.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
show more ...
|
| 286c31d4 | 29-Apr-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: move embedded DTB out of init sections
This change makes generic boot to discover non-secure memory and console configuration from the external DTB only, no more from the embedded DTB as prior
core: move embedded DTB out of init sections
This change makes generic boot to discover non-secure memory and console configuration from the external DTB only, no more from the embedded DTB as prior this change. When generic boot attempts to access embedded DTB, the embedded DTB gets located in init read-only data section become unnecessary too big. With this change, embedded DTB now lies in the standard pageable read-only data section, relaxing memory footprint constraint.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 52ae1039 | 23-May-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: handle_db: add ptr_destructor argument
Adds ptr_destructor argument to handle_db_destroy() which is called for each registered pointer.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.
core: handle_db: add ptr_destructor argument
Adds ptr_destructor argument to handle_db_destroy() which is called for each registered pointer.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 49d06bff | 13-May-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: fix session closure when open panicked
Change tee_ta_close_session() function to support panicked TA contexts. Prior this change, the function did not expect referenced context had previously
core: fix session closure when open panicked
Change tee_ta_close_session() function to support panicked TA contexts. Prior this change, the function did not expect referenced context had previously panicked. Since recent changes for reloadable keep alive TAs, referenced below, Panic on open session does completely release context which session closure is expected to proceed to.
Fixes: https://github.com/OP-TEE/optee_os/issues/3003 Fixes: fd10f62b8210 ("core: keep alive TA context can be created after TA has panicked") Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
show more ...
|
| 3ca4a1ca | 25-Feb-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: FS: wipe sensitive data after use
The secure storage code makes use of various cryptographic data (keys and IVs). Make sure the buffers are wiped after use to minimize the risks that sensitive
core: FS: wipe sensitive data after use
The secure storage code makes use of various cryptographic data (keys and IVs). Make sure the buffers are wiped after use to minimize the risks that sensitive data may be leaked to an attacker who would have gained some access to the secure memory.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
show more ...
|
| e1509d6e | 29-Jan-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: check for overflow in msg_param_mobj_from_noncontig()
msg_param_mobj_from_noncontig() does not check that buf_ptr + size does not overflow. As a result, num_pages could be computed small, whil
core: check for overflow in msg_param_mobj_from_noncontig()
msg_param_mobj_from_noncontig() does not check that buf_ptr + size does not overflow. As a result, num_pages could be computed small, while size could be big. Only num_pages will be mapped/registered in the returned mobj. If the caller does not compare mobj->size with required size, it can end up manipulating memory out of the intended region.
Fix the issue by using overflow checking macros.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.2] Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
show more ...
|
| fd10f62b | 28-Jan-2019 |
Ovidiu Mihalachi <ovidiu_mihalachi@mentor.com> |
core: keep alive TA context can be created after TA has panicked
When a keep alive TA instance panics, it continues to exist and blocks all further use of the TA until the next reboot of the system.
core: keep alive TA context can be created after TA has panicked
When a keep alive TA instance panics, it continues to exist and blocks all further use of the TA until the next reboot of the system. Moreover, when a new session is trying to be created for the panicked TA (while another session to that TA is still opened), the system hangs.
This change releases panicked TA context and clears all references to the released context when the TA panics regardless the TA properties. This allows keep alive TA instances to be created back after they have panicked without needing to reboot OP-TEE core.
Sessions on panicked TAs have to be closed by the client by calling the proper API when session client is scheduled back.
Signed-off-by: Ovidiu Mihalachi <ovidiu_mihalachi@mentor.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 6e59bb1e | 07-May-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: handle user TA context released from session
Change is_user_ta_ctx() to support NULL context reference. For such references the function now returns boolean value false. This allows caller to
core: handle user TA context released from session
Change is_user_ta_ctx() to support NULL context reference. For such references the function now returns boolean value false. This allows caller to nicely abort their sequence when the context reference is already released from the session instance. Note that caller shall not assume a context refer to a PTA when is_user_ta_ctx() return false, it shall call is_pseudo_ta_ctx().
A side effect is that few test on reference and function return value can be simplified.
This change also ensures TA dump_state() function does not crash when called provides a null context reference.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
show more ...
|
| 37a6b717 | 18-Apr-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce CFG_CORE_DYN_SHM
Introduces CFG_CORE_DYN_SHM which if set to y enables dynamic shared memory, else disables support for dynamic shared memory. In contrast with CFG_DYN_SHM_CAP it act
core: introduce CFG_CORE_DYN_SHM
Introduces CFG_CORE_DYN_SHM which if set to y enables dynamic shared memory, else disables support for dynamic shared memory. In contrast with CFG_DYN_SHM_CAP it actually removes the support instead of just omit reporting it.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 17888736 | 25-Apr-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce CFG_CORE_HUK_SUBKEY_COMPAT
Adds CFG_CORE_HUK_SUBKEY_COMPAT which if set to 'y' makes huk_subkey_derive() produce RPMB and SSK keys identical to the legacy code.
Reviewed-by: Joakim
core: introduce CFG_CORE_HUK_SUBKEY_COMPAT
Adds CFG_CORE_HUK_SUBKEY_COMPAT which if set to 'y' makes huk_subkey_derive() produce RPMB and SSK keys identical to the legacy code.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| fa0525fa | 25-Apr-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce huk_subkey_derive()
The hardware unique key should preferably only be used to generate other keys. This is encouraged with huk_subkey_derive() which is used to derive a subkey from
core: introduce huk_subkey_derive()
The hardware unique key should preferably only be used to generate other keys. This is encouraged with huk_subkey_derive() which is used to derive a subkey from the hardware unique key.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 65fe41db | 01-Mar-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: cleanup generic traces
Remove useless newline character in few generic debug traces.
Remove argument __func__ from a FMSG trace since already output by macro FMSG().
Remove error trace from
core: cleanup generic traces
Remove useless newline character in few generic debug traces.
Remove argument __func__ from a FMSG trace since already output by macro FMSG().
Remove error trace from syscall_storage_obj_read() that, prior this change, output failing error code from storage read() handler. This is useless and not done for other storage handlers return code.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
show more ...
|
| 99164a05 | 04-Feb-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: do not use virtual addresses as session identifier
Session context virtual address is returned to the REE in entry_open_session(); it is then used back in entry_close_session() and entry_invok
core: do not use virtual addresses as session identifier
Session context virtual address is returned to the REE in entry_open_session(); it is then used back in entry_close_session() and entry_invoke_command(). Sharing virtual addresses with the REE leads to virtual memory addresses disclosure that could be leveraged to defeat ASLR (if/when implemented) and/or mount an attack.
Similarly, syscall_open_ta_session() returns a session ID directly derived from the session virtual address to the caller TA.
This commit introduces a 32-bit identifier field in struct tee_ta_session. The ID is generated when the session is created, starting from the id of the last session in the queue, and counting up until a number that is not used in the session queue is found.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.1] Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
show more ...
|
| 4a810b90 | 17-Dec-2018 |
Volodymyr Babchuk <vlad.babchuk@gmail.com> |
console: use nex_strdup() instead of strdup()
strdup() uses malloc() internally, which is not good for nexus part of OP-TEE.
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: J
console: use nex_strdup() instead of strdup()
strdup() uses malloc() internally, which is not good for nexus part of OP-TEE.
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| c211d0a4 | 06-Feb-2018 |
Volodymyr Babchuk <vlad.babchuk@gmail.com> |
virt: tag variables with __nex_data and __nex_bss
Variables that are needed by OP-TEE nexus will be moved to nexus memory.
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Acked-by: Jens W
virt: tag variables with __nex_data and __nex_bss
Variables that are needed by OP-TEE nexus will be moved to nexus memory.
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| 5ee85d76 | 18-Jan-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
lockdep: fix dup_call_stack()
dup_call_stack() does not properly deal with the sentinel. Fix it.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wikl
lockdep: fix dup_call_stack()
dup_call_stack() does not properly deal with the sentinel. Fix it.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|
| c0cfb36c | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: dt: introduce _fdt_fill_device_info()
_fdt_fill_device_info() gets some generic properties from a given node in a single always successful sequence.
Retrieved device information from the DT:
core: dt: introduce _fdt_fill_device_info()
_fdt_fill_device_info() gets some generic properties from a given node in a single always successful sequence.
Retrieved device information from the DT: - The status/secure-status state as per DT_STATUS_*, - The first register base address found or DT_INFO_INVALID_REG (zero). If there are several register base addresses others are ignored. - The first clock identifier found or DT_INFO_INVALID_CLOCK (negative). - This first reset identifier found or DT_INFO_INVALID_RESET (negative).
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
show more ...
|
| 770b2afa | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: more flexible console init from DT
Introduce get_console_node_from_dt() that collects the references to the console configuration in the DTB.
Existing configure_console_from_dt() relies on it
core: more flexible console init from DT
Introduce get_console_node_from_dt() that collects the references to the console configuration in the DTB.
Existing configure_console_from_dt() relies on it when initiating the console from the early core inits based on registered matching device tables.
get_console_node_from_dt() allows a driver probed from the driver initialization sequence (i.e registered from driver_init()) to get the console DT directive.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
show more ...
|
| b7c94e43 | 14-Dec-2018 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: framework to register PM callbacks
Introduce a framework for power management callback registering.
Drivers and services can register a callback function for the platform suspend and resume s
core: framework to register PM callbacks
Introduce a framework for power management callback registering.
Drivers and services can register a callback function for the platform suspend and resume sequences. A private address handle can be registered with the callback and retrieved from the callback. Callback can be registered with a specific call order as defined per PM_CB_ORDER_*.
Callback shall return an error if failing to complete target transition. This information may be used by the platform to resume a platform on non-fatal failure to suspend.
Callbacks are related to a callback level. It defines the callbacks call ordering, allowing core low level drivers (as clocks or the GIC) to be suspended after all drivers and resume before these.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Cedric Neveux <cedric.neveux@nxp.com>
show more ...
|
| 08baa8c9 | 30-Nov-2018 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: console: allow fallback to /chosen/stdout-path
Makes chosen console selection more flexible being probed from either secure-chosen node or chosen node and from either secure embedded DTB or no
core: console: allow fallback to /chosen/stdout-path
Makes chosen console selection more flexible being probed from either secure-chosen node or chosen node and from either secure embedded DTB or non-secure external DTB.
Secure-chosen node has precedence over chosen node. Chosen console from the secure DTB as precedence over chosen console defined by the non-secure device tree.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
show more ...
|
| 6179ebfa | 30-Nov-2018 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: rename get_dt_blob() into get_dt()
Rename get_dt_blob() into get_dt() to get some consistency in `dt`, `dtb`, `fdt` labelling in generic_boot.c
Signed-off-by: Etienne Carriere <etienne.carrie
core: rename get_dt_blob() into get_dt()
Rename get_dt_blob() into get_dt() to get some consistency in `dt`, `dtb`, `fdt` labelling in generic_boot.c
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
show more ...
|
| 5e4210e9 | 22-Nov-2018 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add scattered array
Adds a scattered array which allows defining arrays scattered over several source files. The implementation is based on some support by the linker.
This is a generic solut
core: add scattered array
Adds a scattered array which allows defining arrays scattered over several source files. The implementation is based on some support by the linker.
This is a generic solution to initcalls and other similar scattered initializations.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
show more ...
|