| #
45279642 |
| 19-Oct-2023 |
Vincent Mailhol <mailhol.vincent@wanadoo.fr> |
core: tee_svc.c: allow to pass non-NULL memref of size 0
Allow TAs to pass non-NULL memref of size zero to other TAs by changing the non-NULL pointer into a NULL one in such a case. GP TEE Internal Core API does not forbid such memref parameter [1] whereas the previous implementation generated a TEE_ERROR_BAD_PARAMETERS error code when converting such memref buffer pointer into a physical memory address.
This change is specifically needed to allow a TA to forward a REE client memref for which GP TEE Client API explicitly allows such non-NULL address zero sized memref [2]. It also makes the TA implementation more flexible when dealing with its own memref.
[1] TEE Internal Core API Specification – Public Release v1.3.1, §4.9.4 "Operation Parameters in the Internal Client API" Table 4-15: "Interpretation of params[i] on Entry to Internal Client API"
[2] TEE Client API Specification v1.0, §4.5.4 TEEC_RegisterSharedMemory, paragraph "Implementers' Notes"
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
1e9c1b80 |
| 05-May-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove temp memory allocation for TA invoke
Remove the temporary memory allocation used if a TA invokes another TA with a private memory buffer. This has not been in use with TAs compiled since commit ef305e54eac8 ("libutee: allocate temp secmem for invoke") or OP-TEE version 3.6.0.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
c6a1b33b |
| 06-Sep-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: simplify utee_param_to_param() with BB_MEMDUP_USER()
Simplifies utee_param_to_param() by using BB_MEMDUP_USER() instead of bb_alloc() followed by copy_from_user().
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
376448c2 |
| 21-Jun-2023 |
Seonghyun Park <seonghp@amazon.com> |
core: use user-access functions for passing params
Use user-access functions for parameter-passing between user TA and the core when calling another TA from a TA and when entering a user TA.
Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| #
c6b8eb2d |
| 05-Dec-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
GP131: Update gpd.tee.trustedStorage.antiRollback.protectionLevel
Updates used values for gpd.tee.trustedStorage.antiRollback.protectionLevel according to TEE Internal Core API version 1.3.1.
Note that protection level 0 is not valid any longer, so report level 100 when RPMB isn't in use. Only root can tamper with the REE FS storage due to the REE file system permissions.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
5c4bbf0f |
| 05-Dec-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
GP131: add TA property gpd.client.endian
Adds the new property "gpd.client.endian" to report the endianness used by a client.
At the moment there is no way for a client to report its endianness to OP-TEE so assume that all are little-endian.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
3241779b |
| 09-Nov-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: fix potential integer overflow in syscall_log()
Fixes a potential integer overflow in syscall_log(). Note that an eventual overflow would still be caught by copy_from_user(), but it's preferable to catch this earlier.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Suggested-by: Asaf Modelevsky <amodele@amazon.com>
Reported-by: Asaf Modelevsky <amodele@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
20750505 |
| 02-Aug-2022 |
Jerome Forissier <jerome.forissier@linaro.org> |
core: tee_svc.c: add missing comma
Add missing comma to fix the following error:
$ make -s PLATFORM=vexpress-qemu_armv8a CFG_TA_PAUTH=y CFG_MEMTAG=y
core/tee/tee_svc.c:371:9: error: expected ‘}’ before ‘{’ token
  371 |         {
      |         ^
core/tee/tee_svc.c:280:44: note: to match this ‘{’
  280 | const struct tee_props tee_propset_tee[] = {
      |                                            ^
Fixes: a0e8ffe9ba8f ("core: add support for MTE")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
ef142203 |
| 13-Apr-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: syscalls: strip tags from user space pointers
Strips the tags from user space pointers before using them. We're relying on TCR_EL1.TCMA0=1 to make the accesses unchecked.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a0e8ffe9 |
| 04-Apr-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add support for MTE
Adds support for the Armv8.5-A Memory Tagging Extension with CFG_MEMTAG=y.
A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n the API doesn't add any overhead and the behaviour is unchanged. With CFG_MEMTAG=y a check is performed to see if the platform can support MTE and the API is dynamically configured accordingly. This means that it's safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There will be some minimal overhead then, but likely not noticeable.
An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32 property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The property is set to a non-zero value only if CFG_CORE_MEMTAG is configured and the underlying CPU supports FEAT_MTE.
This commit still only uses the default tag with the value 0 resulting in unchanged pointers when accessing memory. However, all plumbing is in place allowing for instance tagging of the heap in a later commit.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
e8a5e425 |
| 19-Jan-2022 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
core: Add property to check feature PAUTH in TEE property set
Add an entry in TEE_PROPSET_TEE_IMPLEMENTATION for a boolean property org.trustedfirmware.optee.cpu.feat_pauth_implemented. The property is set true only if CFG_TA_PAUTH is configured and the underlying CPU supports FEAT_PAuth/FEAT_PAuth2.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
9c4aaf67 |
| 11-Jan-2022 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: make mobj_get_va() more secure
Adds a length parameter to allow mobj_get_va() to check that the entire va range requested is available.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
e20620bd |
| 02-Dec-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
core: Add property to check feature BTI in TEE property set
Add an entry in TEE_PROPSET_TEE_IMPLEMENTATION for a boolean property org.trustedfirmware.optee.cpu.feat_bti_implemented. The property is set true only if CFG_TA_BTI is configured and the underlying CPU supports FEAT_BTI.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
89c9728d |
| 19-Oct-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: replace tee_mmu prefix with vm
Replaces the tee_mmu prefix with vm. tee_mmu.h is renamed to vm.h and core/arch/arm/mm/tee_mmu.c is moved to core/mm/vm.c. Public functions belonging to these files are renamed with a vm prefix.
Introduces: vm_map_param(), vm_clean_param(), vm_buf_is_inside_private(), vm_buf_intersects_private(), vm_buf_to_mboj_offs(), vm_buf_is_inside_um_private(), vm_buf_intersects_um_private(), vm_add_rwmem(), vm_rem_rwmem(), vm_va2pa(), vm_pa2va(), vm_check_access_rights(), vm_set_ctx() replacing their tee_mmu_*() counterpart.
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1f648d54 |
| 09-Oct-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove struct tee_ta_ctx from struct user_mode_ctx
Removes struct tee_ta_ctx from struct user_mode_ctx allowing a user mode entity to be independent of the TA concept, that is, making room for SPs in user mode.
A pointer to a struct user_mode_ctx is passed to many memory management functions where a pointer to a struct ts_ctx is needed too. Prior to this patch it was possible to calculate the address of the corresponding struct ts_ctx with the help of the container_of() macro; that is no longer possible. Instead, a struct ts_ctx *ts_ctx field is added to struct user_mode_ctx in order to allow such lookups.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
3560d990 |
| 01-Sep-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add generic struct ts_ctx
Adds the generic struct ts_ctx to be used instead of struct tee_ta_ctx where generic context operations are performed.
struct tee_ta_ctx adds a field with struct ts_ctx for conversion to struct ts_ctx where needed.
The struct ts_session is updated to keep a pointer to a struct ts_ctx instead of the previous struct tee_ta_ctx.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
00b3b9a2 |
| 31-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add generic struct ts_session
As a step in making room for Secure Partitions (SPs) running at S-EL0, add a Trusted Service (TS) abstraction. Both TAs and SPs are TSs.
Adds the generic struct ts_session. All future session structs (currently only struct tee_ta_session exists) should add this struct to allow generic session operations.
With this struct come new functions replacing previous struct tee_ta_session oriented functions. The following functions are replaced as:
tee_ta_get_current_session() -> ts_get_current_session()
tee_ta_push_current_session() -> ts_push_current_session()
tee_ta_pop_current_session() -> ts_pop_current_session()
tee_ta_get_calling_session() -> ts_get_calling_session()
ts_get_current_session() is changed compared to its predecessor to panic() in case of failure to return a valid pointer.
A new function ts_get_current_session_may_fail() is added to handle an eventual case where a returned NULL session may be handled.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
919a5a68 |
| 06-Oct-2020 |
Jerome Forissier <jerome@forissier.org> |
Use fallthrough pseudo-keyword in switch/case statements
Use fallthrough; in switch/case statements. Imported libraries (libtomcrypt, libmbedtls) are not modified to minimize differences with upstream.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
e12c9f67 |
| 11-Sep-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: strict buffer check in syscalls following GP 1.1
GP 1.1 [1] and also earlier specifications have certain annotations in the description of API functions to, among other things, describe which kind of memory a buffer is required to reside in. It could be readable, writeable, in shared memory or in TA private memory.
The following syscalls are updated with slightly stricter checks with regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()
[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
c40a6505 |
| 21-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: separate copy_from_user() and friends
Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and friends into <kernel/user_access.h> and core/kernel/user/access.c
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
ee3e1c54 |
| 07-Apr-2020 |
Cedric Neveux <cedric.neveux@nxp.com> |
core: utee_param_to_param(): set mobj to NULL when NULL memrefs of size 0
Set the tee_ta_param mobj to NULL if the user parameter is a NULL memref of size 0. When the mobj pointer is NULL, it also identifies the last parameter of the list.
Fixes: 9d2e798360b5 ("core: TEE capability for null sized memrefs support")
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| #
85daf48c |
| 25-Mar-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: check writeable in tee_svc_copy_param()
Check that the callee_params are writeable too in tee_svc_copy_param() as they will be updated in tee_svc_update_out_param() in case one of the parameters is an "out" parameter. To keep it simple always require callee_params to be writeable.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
1936dfc7 |
| 07-Oct-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add struct user_mode_ctx
Adds struct user_mode_ctx which replaces user mode specific fields used for memory mapping.
Acked-by: Pipat Methavanitpong <pipat.methavanitpong@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b9651492 |
| 11-Nov-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: reference count struct mobj
The mobj interface is changed to use reference counting of mobjs, the direct mobj_free() call is replaced by mobj_put(). As expected a mobj_get() is also added to handle multiple references to the same mobj.
This also changes already present reference counting in struct mobj_reg_shm to use the reference counting mechanism now available in struct mobj.
The VM_FLAG_EXCLUSIVE_MOBJ flag is removed since the referenced mobj is put instead when a struct vm_region is removed.
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
a401bcfb |
| 12-Mar-2019 |
Bastien Simondi <bsimondi@netflix.com> |
core: check allocated size of temporary secure memory
When servicing syscall_invoke_ta_command(), the invoked TA could modify the .size field. Make sure the allocated buffer is not overwritten on return.
Signed-off-by: Bastien Simondi <bsimondi@netflix.com>
[jf: fix multi-line comment, replace '= { 0 };' with '= { };']
[jf: add commit description]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|