History log of /optee_os/core/tee/tee_ree_fs.c (Results 1 – 25 of 70)
Revision Date Author Comments
# 04e46975 16-Dec-2024 Etienne Carriere <etienne.carriere@foss.st.com>

tree-wide: use ROUNDUP_DIV() where applicable

Use ROUNDUP_DIV() instead of ROUNDUP(..., size) / size where applicable.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 7ae15736 18-Jun-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: ree_fs: fix dirfile handle refcount

The counter ree_fs_dirh_refcount is used to determine when ree_fs_dirh
should be free, not as a guarantee that ree_fs_dirh is still valid. This
wasn't the assumption in ree_fs_readdir_rpc(), ree_fs_closedir_rpc(),
and ree_fs_opendir_rpc(). So fix that by using get_dirh() in
ree_fs_readdir_rpc as needed.

Reported-by: Gavin Liu <gavin.liu@mediatek.com>
Closes: https://github.com/OP-TEE/optee_os/issues/6895
Fixes: ace6039fd434 ("core: REE_FS: refcount dirfile handle")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# 5ca2c365 10-Jan-2024 Clement Faure <clement.faure@nxp.com>

core: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 9ea709a7 14-Nov-2023 Etienne Carriere <etienne.carriere@foss.st.com>

tree wide: CFG_INSECURE deprecates CFG_WARN_INSECURE

Replaces configuration switch CFG_WARN_INSECURE with CFG_INSECURE.
The new name is better because the switch not only warns but also
changes the OP-TEE core behavior as, for example, allowing absence
of secure storage rollback protection.

Suggested-by: Jérôme Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 623b9bd4 23-Aug-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: use monotonic counter for secure storage without RPMB

If OP-TEE is configured without RPMB (CFG_REE_FS_INTEGRITY_RPMB=n), use
the non-volatile monotonic counter interface instead to protect against
rollback of the REE FS base secure storage.

If configured without CFG_WARN_INSECURE=y, accept
TEE_ERROR_NOT_IMPLEMENTED error from nv_counter_get_ree_fs() and
nv_counter_incr_ree_fs_to() and warn once to make clear that the
configuration isn't secure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Tested-by: Etienne Carriere <etienne.carriere@foss.st.com>


# b2284b11 17-Jul-2023 Jens Wiklander <jens.wiklander@linaro.org>

core: update FS storage API with user space buffer

Updates the create(), read(), and write() function pointers in struct
ts_store_ops to take a user space buffer in addition to the previous
core buffer. Core buffers are normal secure memory while user space
buffers should only be accessed using the user_access.h functions.

The different FS storage implementations are updated accordingly.

Note that the RPMB FS storage implementation resorts to using
enter_user_access() and exit_user_access() due to internal complexities.

Fixes: 4e154320e47c ("core: Apply finer-grained PAN")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# f5411aaf 17-Aug-2022 Judy Wang <wangjudy@microsoft.com>

core: add CFG_REE_FS_INTEGRITY_RPMB for roll-back protection of REE

If we enable CFG_RPMB_FS and CFG_REE_FS at the same time in optee-os,
with tee-supplicant only supports REE, calls from xtest to
ree_fs_open() will attempt to access RPMB for roll-back protection,
which will fail because tee-supplicant can't access RPMB.

In some platforms, we only want optee-os to support
RPMB key provision checking by invoking any RPMB read/writes, but
don't care about whether contents could be read/written.
The tee-supplicant on these platforms is limited to REE only, because
there's an existing issue in Linux OS causing kernel drivers to fail to
support RPMB. So we need an option to prevent applications like xtest
from accessing RPMB when calling ree_fs_open(), but keep the ability to
call RPMB fs related APIs. When we check the key thru RPMB read.
If key is provisioned, tee-supplicant will return
TEEC_ERROR_ITEM_NOT_FOUND. If not, optee-os will return
TEE_ERROR_STORAGE_NOT_AVAILABLE.

How-tested: execute `xtest -t regression` with optee-os CFG_REE_FS=y
and CFG_RPMB_FS=y. optee-client RPMB_EMU=n
Many testcases will fail. (ex: case 1004)

Signed-off-by: Judy Wang <wangjudy@microsoft.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# b1deb157 24-Jan-2022 Jens Wiklander <jens.wiklander@linaro.org>

core: ree_fs_open(): close dirfile on error

Updates ree_fs_open() to close the dirfile on error. This should take
care of the rare case where the internal file handle in the dirfile has
been closed due to an error.

Fixes an error like:
E/TC:1 1 Core data-abort at address 0xc0 (translation fault)
E/TC:1 1 esr 0x96000006 ttbr0 0x600000e19a020 ttbr1 0x00000000 cidr 0x0
E/TC:1 1 cpu #1 cpsr 0x00000004
E/TC:1 1 TEE load address @ 0xe100000
E/TC:1 1 Call stack:
E/TC:1 1 0x0e128260 ree_fs_read_primitive at core/tee/tee_ree_fs.c:311
E/TC:1 1 0x0e129324 read_dent at core/tee/fs_dirfile.c:89
E/TC:1 1 0x0e129770 tee_fs_dirfile_find at core/tee/fs_dirfile.c:213
E/TC:1 1 0x0e128f1c set_name at core/tee/tee_ree_fs.c:664
E/TC:1 1 0x0e125954 tee_svc_storage_init_file at core/tee/tee_svc_storage.c:297
E/TC:1 1 0x0e10d514 tee_svc_do_call at core/arch/arm/tee/arch_svc_a64.S:140
E/TC:1 1 0x0e1062ec thread_svc_handler at core/arch/arm/kernel/thread.c:1585 (discriminator 4)
E/TC:1 1 0x0e103618 el0_svc at core/arch/arm/kernel/thread_a64.S:651

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# e76fe068 10-Jun-2021 Etienne Carriere <etienne.carriere@linaro.org>

core: REE FS: report earlier unexpected REE FS reset

When the REE FS dirf.db file is not found but RPMB stores a hash for
that file, it means the REE FS was tampered with. This change makes OP-TEE
core report this status instead of creating the file and letting a later
access fail due to an empty content hash mismatch.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>


# 300faa62 30-Apr-2021 Etienne Carriere <etienne.carriere@linaro.org>

core: REE FS: introduce CFG_REE_FS_ALLOW_RESET

New boolean configuration switch CFG_REE_FS_ALLOW_RESET that, when
enabled, will make OP-TEE OS allow REE FS content to be reset in
the Linux filesystem even when RPMB FS is enabled and already stores a
REE FS rollback protection hash. This switch is intended for test purposes
where REE FS can be wiped because the device flash memory was programmed
with brand new build artifacts.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>


# 7446af61 21-Jul-2020 Jerome Forissier <jerome@forissier.org>

core: log message when secure storage corruption is detected

When CFG_REE_FS and CFG_RPMB_FS are both 'y', the data stored by OP-TEE
in the REE filesystem (typically, under /data/tee) are protected by
hashes stored in the RPMB. Any modifications to the REE files via
external means are therefore detected and TEE_ERROR_SECURITY is
returned. However, no error or debug message is printed to the secure
console which makes troubleshooting more difficult than needed. This
commit adds a debug message.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 667b10f6 24-Jul-2019 Fangsuo Wu <fangsuowu@asrmicro.com>

tee_ree_fs: create dirfile only when it's not found

Currently there's no check of return value of tee_fs_dirfile_open,
it's reasonable to do this when dir file truly doesn't exist.
However, if tee_fs_dirfile_open fails with other reason, calling
tee_fs_dirfile_open(true..) will overlap the old dir file, thus
file access in the future will fail.

Signed-off-by: Fangsuo Wu <fangsuowu@asrmicro.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 02d869c9 15-May-2019 Jens Wiklander <jens.wiklander@linaro.org>

core: REE FS: use mempool_default for temp alloc

Uses mempool_default for temporary block allocation.

This fixes one out of memory error when loading multiple TAs in
parallel.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 7513149e 07-Feb-2019 Jens Wiklander <jens.wiklander@linaro.org>

core: remove flags argument from tee_pager_alloc()

Removes the flags argument from tee_pager_alloc() since it's only used
with TEE_MATTR_LOCKED. The exception is the bignum pool, but since it
still releases all locked pages each time the pool becomes unused it's
efficient usage of memory.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 8f58cdbe 10-Sep-2018 Jens Wiklander <jens.wiklander@linaro.org>

fs: prevent out of place write when no data

Fixes: "Uninitialized return value returned if len equals 0" as reported
by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>


# 6009538c 24-Oct-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: introduce generic optee_rpc_cmd.h

Replaces the OPTEE_MSG RPC command protocol descriptions in optee_msg.h
and optee_msg_supplicant with a generic optee_rpc_cmd.h. Defined names
are also refactored to mirror the new structure.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# 45e286b0 18-May-2018 Volodymyr Babchuk <vlad.babchuk@gmail.com>

tee_ree_fs: avoid race condition between fh usage/closing

It is possible that one core will call ree_fs_close_primitive()
while another is calling ree_fs_read_primitive(). This patch
prevents this by putting ree_fs_close_primitive under mutex.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# 0e3f6d6b 09-Mar-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: REE FS: temporary block allocation

Large memory allocations with malloc() can fail due to a fragmented
heap. This is especially a problem when configured with pager as the
heap is kept as small as possible in that configuration for obvious
reasons.

This patch allocates the temporary block needed for reading and writing
in REE FS with tee_pager_alloc() instead when the pager is enabled.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>


# bf071c7a 31-Jan-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: REE FS: ree_fs_truncate() commit dirh writes

To commit the changes done by ree_fs_truncate() in the dirfile, call
commit_dirh_writes() before closing the dirh.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>


# 33e4def6 25-Jan-2018 Jerome Forissier <jerome.forissier@linaro.org>

core: REE FS: make sure dirty flag is set when object is truncated

When an object is truncated but the number of blocks is unchanged, only
the metadata's length field is modified. The hash tree layer has to be
notified so that it knows it has to flush the data before closing the
object, otherwise the truncation is lost.
Add a function for that purpose: tee_fs_htree_meta_set_dirty(), and
call it whenever meta->length is updated.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# e1c98967 25-Jan-2018 Jerome Forissier <jerome.forissier@linaro.org>

core: REE FS: ree_fs_truncate(): fix reversed error checks

Reported-by: Kevin Peng <kevinp@marvell.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


# b1d7375c 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Remove 'All rights reserved' from Linaro files

The text 'All rights reserved' is useless [1]. The Free Software
Foundation's REUSE Initiative best practices document [2] does not
contain these words. Therefore, we can safely remove the text from the
files that are owned by Linaro.

Generated by:
spdxify.py --linaro-only --strip-arr optee_os/

Link: [1] https://en.wikipedia.org/wiki/All_rights_reserved
Link: [2] https://reuse.software/practices/
Link: [3] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>


# 78b7c7c7 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Remove license notice from Linaro files

Now that we have added SPDX identifiers, we can safely remove the
verbose license text from the files that are owned by Linaro.

Generated by [1]:
spdxify.py --linaro-only --strip-license-text optee_os/

Link: [1] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>


# 1bb92983 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Add SPDX license identifiers

Adds one SPDX-License-Identifier line [1] to each source file that
contains license text.

Generated by [2]:
spdxify.py --add-spdx optee_os/

The scancode tool [3] was used to double check the license matching
code in the Python script. All the licenses detected by scancode are
either detected by spdxify.py, or have no SPDX identifier, or are false
matches.

Link: [1] https://spdx.org/licenses/
Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Link: [3] https://github.com/nexB/scancode-toolkit
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>


# e1770e71 13-Nov-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: rename to <crypto/crypto.h>

Renames core/include/tee/tee_cryp_provider.h to
core/include/crypto/crypto.h

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
