core: add fault mitigation tests

Adds some simple test for the fault mitigation routines.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@lina

core: add fault mitigation tests

Adds some simple test for the fault mitigation routines.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sp: Append fdt manifest to SP image

Sp use a manifest file that define information about the SP. A device
tree (fdt) will be used as a manifest file. This is in line with the
Hafnium SPMC mani

core: sp: Append fdt manifest to SP image

Sp use a manifest file that define information about the SP. A device
tree (fdt) will be used as a manifest file. This is in line with the
Hafnium SPMC manifest format.

The fdt will be appended to the SP image by adding a --manifest flag to
the scripts/ts_bin_to_c.py script.

Link: https://trustedfirmware-a.readthedocs.io/en/latest/components/ffa-manifest-binding.html
Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

mk: core: ta: make early TA compress optional

Define CFG_EARLY_TA_COMPRESS configuration switch to
allow platform to disable early TAs compression at build time.
Disabling the compression drasticall

mk: core: ta: make early TA compress optional

Define CFG_EARLY_TA_COMPRESS configuration switch to
allow platform to disable early TAs compression at build time.
Disabling the compression drastically reduces the amount of the
core heap required in the embedded part.

Enable the configuration by default for backward compatibility.

Suggested-by: Arnaud Pouliquen <arnaud.pouliquen@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: Add support to import external TA signing public key

Build process requires that private key is present when signing TAs.

In order to support external HSM based re-signing of the TAs, add sup

core: Add support to import external TA signing public key

Build process requires that private key is present when signing TAs.

In order to support external HSM based re-signing of the TAs, add support
to import different TA signing public key into TEE OS binary by
introducing TA_PUBLIC_KEY.

By default TA_PUBLIC_KEY gets the value of TA_SIGN_KEY.

Re-signing of the TA's works by first signing TA during the build with
private key readily available during the build process (TA_SIGN_KEY).
Private key can in example be bundled key in keys/default_ta.pem.

Build will generate TA binary with signature embedded matching provided
private key.

This TA binary will be sent for HSM re-signing process where digest will
be calculated from the binary to get digest which will be signed with
private key protected by HSM. New signature will replaced the old
signature in the TA binary.

This re-signed TA will need to be deployed into the device for execution.

In order for OP-TEE OS to load the TA it needs to have the matching public
key from the HSM. Public key needs to be available during the build
process (TA_PUBLIC_KEY).

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

core: add secure partitions store

SPs need to be started as part of the initialisation process of the
OP-TEE kernel. The secure partition store uses the embedded_ts store to
load SPs

Signed-off-by:

core: add secure partitions store

SPs need to be started as part of the initialisation process of the
OP-TEE kernel. The secure partition store uses the embedded_ts store to
load SPs

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually e

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually exclusive, we can't run StMM from EDK2 and OP-TEE.
An advantage of doing so is that different firmware implementations
can leverage EDK2's StandAloneMM and in cooperation with OP-TEE RPMB
APIs can store UEFI variables in a secure storage.
This makes the variable storage quite generic in any device with an RPMB
partition.

Using a well debugged application is preferable over rewriting the whole
application as a TA. Another advantage is that this inherits the Fault
Tolerant Writes (FTW) functionality built-in on StMM to protect
variables against corruptions during writing. Considering the FFA
changes of the future Arm architectures using an SP that includes
everything seems like a better choice at the moment.
The 'SPM emulation' currently added into OP-TEE only supports
a single SP to be launched. This means that the StMM embedded
application has the RPMB driver built in at the moment. In the future we
can add code (evolving FFA) to launch multiple SPs. So the StMM variable
handling can be decoupled from the RPMB driver, which will reside in a
different SP.

So let's add a user mode secure partition context and support loading
"Standalone MM" of EDK2 into it. A separate syscall handling is added to
serve as different kind of ABI and syscall IDs. The secure partition has
a TA like interface towards normal world, but requests are routed into
the StMM partition instead.

CFG_STMM_PATH is assigned the path of BL32_AP_MM.fd, for instance:
CFG_STMM_PATH=...Build/QemuVirtMmStandalone/DEBUG_GCC5/FV/BL32_AP_MM.fd

Since this is quite tricky to compile and test you can use this [1].
Just clone the repo and run ./build.sh. The script will pick up edk2,
edk2-platforms, op-tee, atf and U-boot and compile all the necessary
binaries for QEMU. A patch (awful hack) has been added to U-boot to
allow RPMB emulation through it's supplicant, since QEMU RPMB emulation
is not yet available.
After compiling and launching QEMU the usual U-boot commands for EFI
variable management will store the variables on an RPMB device.

[1] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Co-developed-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Co-developed-by: Miklos Balint <Miklos.Balint@arm.com>
Signed-off-by: Miklos Balint <Miklos.Balint@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

mk: core: ta: Configurable Python interpreter

Build systems that manage multiple different python interpreters need
explicit control over which version of the interpreter to use.
This patch enables

mk: core: ta: Configurable Python interpreter

Build systems that manage multiple different python interpreters need
explicit control over which version of the interpreter to use.
This patch enables one to override the default interpreter with the path
to a specific one.

Signed-off-by: Dick Olsson <hi@senzilla.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

mk: gensrc: add generated file to $(cleanfiles) automatically

The gensrc mechanism should not require the user to update the
cleanfiles variable since it can do it by itself. This commit updates
the

mk: gensrc: add generated file to $(cleanfiles) automatically

The gensrc mechanism should not require the user to update the
cleanfiles variable since it can do it by itself. This commit updates
the implementation and simplifies the call sites.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add support for dumping build configuration info on boot

During development, we occasionally experience crashes within the TEE
core. When the tests are run locally, the developer has all the n

core: add support for dumping build configuration info on boot

During development, we occasionally experience crashes within the TEE
core. When the tests are run locally, the developer has all the needed
information to troubleshoot the issue. But when the crash occurs on a
remote host (CI for instance), it is sometimes inconvenient or even
impossible to retrieve files other than the console logs. As a result,
it is equally inconvenient or impossible to obtain a symbolized crash
dump (scripts/symbolize.py needs the dump message but also tee.elf).
If the exact build configuration is known, then it is possible to
reproduce the build locally (assuming the same toolchain is also used
which is not a problem in practice) and proceed with debugging.
Unfortunately the values of the CFG_ flags are not always shown in the
logs and omitting only one flag can significantly change the TEE
binary.

This commit introduces CFG_SHOW_CONF_ON_BOOT (default n). When enabled,
the contents of the build configuration file $O/conf.mk is printed
to the secure console during initialization with TRACE_INFO severity.
The file is compressed to reduce memory usage and space used in the
logs, and it is encoded into printable text.

To obtain the conf.mk file, one needs to copy and paste the encoded
text into 'base64 -d | xz -d'. These two commands are also required at
build time when CFG_SHOW_CONF_ON_BOOT is y.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: prepare to move PTAs under core/pta and core/pta/tests

Most pseudo-TAs are currently under core/arch/arm/pta. This is wrong
since none of those are architecture-dependent. This patch creates
c

core: prepare to move PTAs under core/pta and core/pta/tests

Most pseudo-TAs are currently under core/arch/arm/pta. This is wrong
since none of those are architecture-dependent. This patch creates
core/pta and core/pta/tests to prepare for the following scheme:
- PTAs that implement a GP TEE API (sockets, for example) should be in
core/tee
- PTAs that implement other system services should be in /core/pta
- Test PTAs should be in core/pta/tests
- Platform-specific PTAs belong in the platform's directory
- Architecture-specific (but not platform-specific) PTAs should go
in core/arch/$(ARCH)/pta (there are none currently)

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: embed ldelf into tee core

Embeds the ldelf binary into TEE Core using the new script
scripts/gen_ldelf_hex.py.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens

core: embed ldelf into tee core

Embeds the ldelf binary into TEE Core using the new script
scripts/gen_ldelf_hex.py.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add a file object interface

Adds a file object interface which is an abstraction of the storage part
in a struct tee_pager_area. This adds no new features, just moves some code
from tee_pager.

core: add a file object interface

Adds a file object interface which is an abstraction of the storage part
in a struct tee_pager_area. This adds no new features, just moves some code
from tee_pager.c into fobj.c.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix dependency in embedded DTB build

Correct the name of the script used to embed a DTB in the core
when added to the core dependency list.

Signed-off-by: Etienne Carriere <etienne.carriere@l

core: fix dependency in embedded DTB build

Correct the name of the script used to embed a DTB in the core
when added to the core dependency list.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: embedded secure device tree

This change introduces configurations CFG_EMDED_DTB and
CFG_EMBED_DTB_SOURCE_FILE. When CFG_EMDED_DTB=y a device
tree blob (DTB) is embedded in a read-only section

core: embedded secure device tree

This change introduces configurations CFG_EMDED_DTB and
CFG_EMBED_DTB_SOURCE_FILE. When CFG_EMDED_DTB=y a device
tree blob (DTB) is embedded in a read-only section of the
core based on an in-tree device tree source (DTS) file.

CFG_EMBED_DTS_SOURCE_FILE defines the relative path of
the target device in core/arch/$(ARCH)/dts.

Non empty CFG_EMBED_DTS_SOURCE_FILE content implies CFG_EMBED_DTB=y.
CFG_EMBED_DTB=y mandates CFG_EMBED_DTS_SOURCE_FILE definition.
CFG_EMDED_DTB=y mandates CFG_DT=y.

Since the embedded DTB is read-only, core do not attempt to
modify it adding information such as OP-TEE resources nodes and
properties. Core still get generic information such as system
memory address range and debug console configuration
from the embedded DTB.

Documentation includes a DT section in the OP-TEE design
description.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add CFG_IN_TREE_EARLY_TAS

Adds CFG_IN_TREE_EARLY_TAS which is used to embed in-tree TAs as early
TAs in the OP-TEE binary.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by:

Add CFG_IN_TREE_EARLY_TAS

Adds CFG_IN_TREE_EARLY_TAS which is used to embed in-tree TAs as early
TAs in the OP-TEE binary.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add struct shdr helper functions

Adds struct shdr helper functions to allocate and verify a struct shdr.

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Fo

core: crypto: add struct shdr helper functions

Adds struct shdr helper functions to allocate and verify a struct shdr.

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Replace struct hash_ops with function interface

Adds crypto_hash_get_ctx_size(), crypto_hash_init(),
crypto_hash_update() and crypto_hash_final() replacing struct hash_ops
in crypto_ops.

Acked-by:

Replace struct hash_ops with function interface

Adds crypto_hash_get_ctx_size(), crypto_hash_init(),
crypto_hash_update() and crypto_hash_final() replacing struct hash_ops
in crypto_ops.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add support for compressed early TAs

Add decompression code to the early TA loader and update the Python
script accordingly. The compression algorithm is "deflate", which is
used by zlib and gzip in

Add support for compressed early TAs

Add decompression code to the early TA loader and update the Python
script accordingly. The compression algorithm is "deflate", which is
used by zlib and gzip in particular. It allows for compression ratios
comprised between 3 (for bigger TAs) and 4.7 (for smaller ones). Those
numbers were observed with 32-bit TAs (QEMU).

On QEMU (armv7), the code size overhead when CFG_EARLY_TA=y, including
the decompressor, is 12K when DEBUG=0 or 20K when DEBUG=1. The
decompressor allocates about 39K of heap.

Another library compatible with zlib was tried for comparison [1].
The code size overhead with miniz was 8K (DEBUG=0) or 16K (DEBUG=1).
On the other hand, the dynamic allocation was about 43K, so the total
memory required was about same. Speed was not compared. In the end,
zlib was preferred for licensing reasons and because it is widely used.

Link: [1] https://github.com/richgel999/miniz
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMUv8, pager)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (D02 32/64 bits)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (D02 32/64 bits, pager)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Add support for early Trusted Applications

Early TAs are user-mode Trusted Applications that are embedded at link
time in the TEE binary. A special read-only data section is used to
store them (.rod

Add support for early Trusted Applications

Early TAs are user-mode Trusted Applications that are embedded at link
time in the TEE binary. A special read-only data section is used to
store them (.rodata.early_ta). A Python script takes care of converting
the TAs into a C source file with the proper linker section attribute.

The feature is disabled by default. To enable it, the paths to the TA
binaries have to be given in $(EARLY_TA_PATHS). They should be ELF
files. Typical build steps:
$ make ... CFG_EARLY_TA=y ta_dev_kit # (1)
$ # ... build the TAs ... # (2)
$ make ... EARLY_TA_PATHS=path/to/<uuid>.stripped.elf # (3)
Notes:
- Setting CFG_EARLY_TA=y during the first step (1) is not necessary,
but it will avoid rebuilding libraries during the third step (3)
- CFG_EARLY_TA is automatically enabled when EARLY_TA_PATHS is non-empty
in step (3)
- Several TAs may be given in $(EARLY_TA_PATHS) (3)

Early TAs are given a higher load priority than REE FS TAs, since they
should be available even before tee-supplicant is ready.

Suggested-by: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core/sub.mk: add missing dependency on the TA key processing script

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by:

core/sub.mk: add missing dependency on the TA key processing script

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add interface to load user TAs

Some use cases may require custom load and verification methods for
user-mode Trusted Applications. Introduce struct user_ta_store_ops with
open(), get_size(), r

core: add interface to load user TAs

Some use cases may require custom load and verification methods for
user-mode Trusted Applications. Introduce struct user_ta_store_ops with
open(), get_size(), read() and close() functions to abstract these
tasks from the ELF loader code. Do the communication with
tee-supplicant as well as the hashing and signature verification of the
TA binary in core/arch/arm/kernel/ree_fs_ta.c, which may be disabled
and replaced by a different implementation if need be.

CC: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey, QEMU)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Make sure "make clean" removes everything "make" has created under $(O)

"make clean" would leave behind some files and many directories. Fix
this by correctly tracking the files and directories crea

Make sure "make clean" removes everything "make" has created under $(O)

"make clean" would leave behind some files and many directories. Fix
this by correctly tracking the files and directories created under $(O)
during the build process:
- Fix incorrect file names in $(cleanfiles) and add a few missing
ones.
- Introduce a makefile macro: $(cleandirs-for-rmdir), defined in a new
file: mk/cleandirs.mk. It returns the list of directories that should
be removed, given a list of files.
The clean target removes the files, then all the directories in depth-
first order. $(O) is also removed, if found to be empty.

Note that a more straightforward approach was discussed in [1]: use
"rm -rf $(O)/some_dir" and get rid of the whole file and directory
tracking via $(cleanfiles) and $(cleandirs). Although it was agreed it
would be safe, doing so would necessarily break the backward
compatibility for build scripts relying on "make O=<some path>", due to
the additional level ($(O)/some_dir).

Finally, mk/cleandirs.mk is exported to the TA dev kit and the clean
rule for the TAs is updated.

[1] https://github.com/OP-TEE/optee_os/pull/1270

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Andy Green <andy@warmcat.com>

show more ...

core: generate ta_pub_key.c with new build facility

Generates ta_pub_key.c using the new build facility for generated
source files.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Je

core: generate ta_pub_key.c with new build facility

Generates ta_pub_key.c using the new build facility for generated
source files.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove useless core/mm directory

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Pascal Brand <pascal.brand@st.com>

Remove ECC self-test TA

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (QEMU)
Signed-off-by: Pascal Brand <pascal.brand@st.com>