| 6b8d35a5 | 09-Apr-2026 |
Martin Domig <martin.domig@wolfvision.net> |
core: pta: fix lockdown_device OTP write and verify
lockdown_device() contained two bugs that caused PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE to fail with TEE_ERROR_GENERIC (0xffff0000) even on hardware with a valid hash already burned into OTP.
First, the status variable was overwritten with only ROCKCHIP_OTP_SECURE_BOOT_STATUS_ENABLE before being passed to rockchip_otp_write_secure(). If write_key_size() had previously set ROCKCHIP_OTP_SECURE_BOOT_STATUS_RSA4096 in the same OTP word, those bits would be present in the hardware but absent in the value passed to the write function. rockchip_otp_write_secure() treats any bit set in hardware but not in the new value as a conflict and returns TEE_ERROR_GENERIC, since OTP bits cannot be cleared.
Second, the post-write readback check was inverted: it called EMSG() and returned TEE_ERROR_GENERIC when test_bit_mask() returned true, i.e. when the enable bit was successfully set. This meant every successful lockdown was reported as a failure.
Signed-off-by: Martin Domig <martin.domig@wolfvision.net> Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
|
| fb7bd0d5 | 08-Apr-2026 |
Martin Domig <martin.domig@wolfvision.net> |
core: pta: fix Rockchip burn_hash OTP protection check
Since a blank device has an all-zero OTP hash and new_hash is the signing-key hash, the condition is always true, and the function returns TEE_SUCCESS without ever calling write_hash() or write_key_size().
Signed-off-by: Martin Domig <martin.domig@wolfvision.net> Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
|
| d6d1731b | 15-Nov-2025 |
Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de> |
libutils: move ASan runtime and tests from core to libutils
This patch relocates the ASan runtime and its self-tests from the core to libutils/ext. While ASan is still only enabled for the TEE core, this refactoring removes core-specific placement and makes the code available to other components.
The main benefit is that ASan support and the test helpers can now be potentially reused by ldelf and TAs in the future, instead of being tied to the core build. The existing ASan core behaviour is unchanged.
Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 65249dd6 | 20-Mar-2026 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pta: system: check zero-length in system_map_zi()
Add a check against allocating and mapping 0 bytes zero initialized memory.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
|
| e339d8f5 | 24-Sep-2025 |
Gatien Chevallier <gatien.chevallier@foss.st.com> |
pta: stm32mp: add debug access PTA
Add the debug access PTA that is responsible for validating whether a given debug profile is configured or not. This basically means that the debug configuration should allow (at least!) access to the debug peripherals requiring the debug profile being checked.
For now, as it is specific to BSEC, only embed the PTA if the BSEC support is embedded as well.
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com> Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
|
| 2949576e | 06-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
core: pta: add Rockchip secure boot PTA
The S_OTP area for the Rockchip secure boot RSA hash and status register is accessible only from the secure world. Thus, secure boot must be enabled from the secure world on these boards.
The PTA implements 3 functions:
1. Ask the TA from the non-secure world about the current status and hash of the hardware. This allows to inspect the current status of secure boot on a specific device.
2. Write an RSA hash into the OTP fuses. It's the responsibility of the user to calculate the hash and ensure that it matches the key, which will be used to sign the images.
3. Actually lockdown the device by enabling secure boot. This is a separate step to allow the user to verify the setup before potentially bricking a device.
With these functions, a user may use a client running in the normal world (for example in a boot loader or operating system) to enable secure boot on a Rockchip device.
Implementing secure boot setup as an OP-TEE PTA has the advantage that secure boot can be enabled at any time during the device setup instead of during early boot. This allows a developer/user or additional scripts to interact with the secure boot setup process.
The hash of the root key is accepted and reported as calculated by sha256sum and internally converted to the correct byte order that needs to be burned into the fuses.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| b89bfe57 | 20-Oct-2025 |
Jan Kiszka <jan.kiszka@siemens.com> |
core: Relax StMM dependency to TEE_STORAGE_PRIVATE
This allows to run StMM without the userspace supplicant if the in-kernel RPMB service is available.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
|
| 39d1e320 | 06-May-2025 |
Patrick Delaunay <patrick.delaunay@foss.st.com> |
drivers: gpio: add configure functions
Align the OP-TEE GPIO driver with GPIO lib (devm_gpiod_get_index with enum gpiod_flags) and add a way to select the GPIO configuration directly during request with the new function, gpio_dt_cfg_by_index().
This patch removes the assumption on GPIO direction (GPIO input was assumed in the GPIO driver) or output level when the GPIO is requested by a consumer. With this patch it must be requested explicitly with:
- GPIO_IN: configure the input GPIO
- GPIO_ASIS: direction is managed by caller later with gpio_set_value() call.
- GPIO_OUT_LOW / GPIO_OUT_HIGH: output GPIO at expected level, the sequence for GPIO has the correct order to avoid glitch by using the gpio function at the correct order.
This patch is a preliminary step for the introduction of ops configure. The API gpio_dt_get_by_index() is kept for backward compatibility but should be used with gpio_configure() or replaced by gpio_dt_cfg_by_index().
Now gpio_configure() is only used in the 2 drivers, regulator_fixed and regulator_gpio, because in these drivers the flags gpio->dt_flags are modified after call of gpio_dt_get_by_index().
For get_voltage_level_gpio(), GPIO_OUT_HIGH is used by default as it is done in Linux function of_get_gpio_regulator_config().
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com> Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 46be7ac1 | 11-Jul-2025 |
Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de> |
core: add ASan test for read-only global overflow
Adds a test case that triggers an out-of-bounds read on a read-only global buffer to verify that ASan properly detects overflows on .rodata.
Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 8e31dd58 | 02-Sep-2024 |
Clément Le Goffic <clement.legoffic@foss.st.com> |
core: pta: add alarm-related operations to RTC PTA
Add `set_alarm()`, `read_alarm()`, `enable_alarm()`, `wait_alarm()`, `cancel_wait()` and `set_wake_alarm_status()` operations. Also update RTC features to include alarm and wakeup alarm capabilities.
Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com> Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
|
| 1dc9a126 | 27-Jun-2025 |
Clément Le Goffic <clement.legoffic@foss.st.com> |
core: pta: check struct alignment in RTC PTA API
Check buffer alignment against its pretended type before assignation.
Fixes: cea1eb0bc90e ("pta: add PTA for RTC") Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
|
| 999dcb5c | 08-Jun-2025 |
Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de> |
core: add ASan runtime tests to core self-tests
Adds a set of AddressSanitizer (ASan) runtime tests. Covers stack overflow, global buffer overflow, heap overflow, use-after-free, invalid memcpy/memset cases.
These tests are important to ensure that ASan works correctly when enabled. Implementation of functions such as memset() and memcpy() may change in the future, or ASan support may silently break when switching to a new compiler version. Having explicit tests provides confidence that ASan instrumentation remains functional and correctly detects memory errors.
Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 7332b18f | 20-Mar-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pta: update virt_to_phys() self tests
Update pointer in the virt_to_phys() test for a TEE_RAM to make sure it's a pointer in the TEE_RAM area since stack pointers may be mapped differently with CFG_DYN_CONFIG=y.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 76d920d3 | 25-Mar-2025 |
Raymond Mao <raymond.mao@linaro.org> |
core: pta: add self tests for transfer list
Add self tests for transfer list. Adapt CFG_TRANSFER_LIST with its dependencies and add CFG_TRANSFER_LIST_TEST.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 289ab1b4 | 26-Mar-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pta: fix virt_to_phys() self tests
Only test on VCORE_FREE_* addresses if CFG_DYN_CONFIG=y since those addresses otherwise are unmapped or even unassigned.
Fixes: a05b3a459a3b ("core: pta: add self tests for virt_to_phys()") Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 1190255b | 28-Jan-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pta: add more self tests for virt_to_phys()
Add positive and negative virt_to_phys() and phys_to_virt() tests in the self test PTA.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| a05b3a45 | 27-Jan-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pta: add self tests for virt_to_phys()
Add virt_to_phys() and phys_to_virt() tests in the self test PTA. The tests are performed on the recently added VCORE_FREE memory range.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 8261ca4b | 16-Jan-2025 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: pta: stats: Explicit Public DDR stats are deprecated
Explicitly mention in Public DDR allocation stats info that these statistics are deprecated. With this change, the information displayed by `xtest --stats --alloc` better shows why the printed values are all 0s for this pool.
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 6e2e1d60 | 16-Jan-2025 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: pta: stats: Explicit when nexus heap stats is not applicable
Explicitly mention in the nexus heap statistics info when the nexus heap is disabled. With this change, the information displayed by `xtest --stats --alloc` better shows why the printed values are all 0s for this pool.
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 76306f73 | 16-Jan-2025 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: pta: stats: get RPMB secure storage allocation stats
Retrieve RPMB secure storage space allocation statistics from PTA stats STATS_CMD_ALLOC_STATS command.
STATS_NB_POOLS is intentionally not incremented since it is expected to give the number of pools which IDs start from 1 (ALLOC_ID_HEAP), not from 0 (ALLOC_ID_ALL) that is a magic ID.
Ensure the stats are all 0 for when RPMB_FS is not supported or we failed to get the stats info. For this, let's zero initialize the shared buffer so that these default stats also apply on other stats that may not be reachable (deprecate public DDR pool, Nexus heap).
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 0ed372c6 | 15-Jan-2025 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: pta: device: fix enumeration for PTA_CMD_GET_DEVICES_SUPP
TAs which depend on TEE_STORAGE_PRIVATE do need the TEE supplicant if REE FS is disabled (in which case secure storage can only be RPMB) and RPMB is not routed via the kernel.
Fixes: a96033ca7bee ("core: add flag to enumerate TAs when secure storage is ready") Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| c6c7967f | 13-Dec-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: pta: secstore: decrease TA buffer
install_ta() uses a buffer allocated from the heap while hashing a TA while installing it. The buffer size is 8kB which is a bit large to reliably allocate from the heap, so decrease it to 1kB.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 900bf7c6 | 07-Nov-2024 |
Yuichi Sugiyama <yuichis@ricsec.co.jp> |
pta: veraison_attestation: integrate Veraison remote attestation PTA
Copy remote attestation PTA functionality from the repository: https://github.com/iisec-suzaki/optee-ra (commit: 80ca8ef), and make the following adjustments for integration:
- Add build configuration for remote attestation PTA by introducing the CFG_VERAISON_ATTESTATION_PTA option to align with the new naming convention.
- Replace the custom base64 implementation with the base64 library added in PR OP-TEE#7007.
- Update QCBOR integration by removing custom QCBOR files and using the standard library, adjusting paths as necessary.
- Apply region validation improvements introduced in PR OP-TEE#6195.
- Update API calls in sign.c to align with libmbedtls changes from PR OP-TEE#6151.
- Calculate the required buffer size at runtime to minimize memory allocation.
- Refactor code to improve readability and maintainability.
- Add SPDX license identifier (BSD-2-Clause) and copyright notice.
Signed-off-by: Yuichi Sugiyama <yuichis@ricsec.co.jp> Reviewed-by: Thomas Fossati <thomas.fossati@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| a96033ca | 07-May-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add flag to enumerate TAs when secure storage is ready
Add TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE with similar usage as TA_FLAG_DEVICE_ENUM_SUPP except that it is used to add an enumeration point when secure storage is ready.
The new TA function PTA_CMD_GET_DEVICES_RPMB is added to the device PTA to report TAs depending on RPMB.
PTA_CMD_GET_DEVICES_RPMB will if CFG_REE_FS!=y and CFG_RPMB_FS=y first try to initialize RPMB and only if successful will it return eventual TAs with the TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE flag set.
PTA_CMD_GET_DEVICES_SUPP will if CFG_REE_FS=y include TAs with the TA_FLAG_DEVICE_ENUM_TEE_STORAGE_PRIVATE flag set in the list of TAs to return.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| de19cacb | 08-May-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: replace tee_mm_sec_ddr with phys_mem functions
Replace the tee_mm_sec_ddr mm pool with the phys_mem functions. This doesn't change the behaviour.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|