core: pta: imx: disable access control for MP PTA

Allow opening the PTA without a calling session.

Enabling CFG_NXP_CAAM_MP_NO_ACCESS_CTRL permits users to use the OP-TEE
client interface to retrie

core: pta: imx: disable access control for MP PTA

Allow opening the PTA without a calling session.

Enabling CFG_NXP_CAAM_MP_NO_ACCESS_CTRL permits users to use the OP-TEE
client interface to retrieve the public key as well as to generate
signatures.

See https://github.com/OP-TEE/optee_client/pull/352

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: ltc: rsa_verify_hash: fix panic on hash mismatch

When running a test with CFG_FAULT_MITIGATION=y and with a corrupted
message, hash verification fails and panic TEE core:

F/TC:? 0 trace_sysca

core: ltc: rsa_verify_hash: fix panic on hash mismatch

When running a test with CFG_FAULT_MITIGATION=y and with a corrupted
message, hash verification fails and panic TEE core:

F/TC:? 0 trace_syscall:149 syscall #40 (syscall_asymm_verify)
E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check>
E/TC:2 0 TEE load address @ 0x43200000
E/TC:2 0 Call stack:
E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91
E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32)
E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87
E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349
E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669
E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420
E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140
E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115
E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850

When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp()
is used on the verification of RSA hash. ftmn.check.res is set with the
return value of the hash comparison. Since memcmp() is used, this can
be 0, when hash matches, or any non-zero number when hash does not match.

However, the value stored on ftmn.check.res is later compared with the
result of the signature comparison (!*stat), which can assume only two
values, 1==valid or 0==invalid.

With that, when ftmn_set_check_res_memcmp() returns any non-zero number,
force ftmn.check.res to 1 so that it matches the check with later
FTMN_CALLEE_DONE_CHECK().

Signed-off-by: Felix Freimann <felix.freimann@mediatek.com>
Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

arm: aspeed: Update secure memory layout

Update the TZDRAM region based on the 1GB DRAM space of
Aspeed AST2600/AST2700 EVBs.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Acked-by: Je

arm: aspeed: Update secure memory layout

Update the TZDRAM region based on the 1GB DRAM space of
Aspeed AST2600/AST2700 EVBs.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: plic: Refine interrupt targets from hartid to context

The PLIC specification says the interrupt targets are usually hart
contexts, where a hart context is a given privilege mode on a given

drivers: plic: Refine interrupt targets from hartid to context

The PLIC specification says the interrupt targets are usually hart
contexts, where a hart context is a given privilege mode on a given
hart. Therefore, PLIC driver should not only consider the HART ID, but
also current privilege mode. Refine it by introducing the function
called plic_get_context(), which translates the current HART ID into the
PLIC context ID. We assume that each hart has M-mode and S-mode,
therefore M-mode occupies even-numbered context ID, while S-mode
occupies odd-numbered context ID. The translation can be extended by
parsing device tree, submitted in future commits.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

riscv: plat-virt: Rename to latest interrupt controller functions

Rename main_init_plic() to boot_primary_init_intc(). Rename
main_secondary_init_plic() to boot_secondary_init_intc(). Also the
inclu

riscv: plat-virt: Rename to latest interrupt controller functions

Rename main_init_plic() to boot_primary_init_intc(). Rename
main_secondary_init_plic() to boot_secondary_init_intc(). Also the
include path of RISC-V PLIC driver header is fixed.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Load register TP from thread_user_mode_rec in trap handler

RISC-V kernel uses TP register to store thread_core_local structure.
When the thread enters user mode, the value of TP is used

core: riscv: Load register TP from thread_user_mode_rec in trap handler

RISC-V kernel uses TP register to store thread_core_local structure.
When the thread enters user mode, the value of TP is used by user mode.
Therefore, when CPU enters trap handler, it needs to restore TP to get
thread_core_local structure. In previous implementation, the value of TP
is saved under kernel SP before entering user mode, and the trap handler
restores TP from that stack location. However, the value of TP has
already been saved into the thread_user_mode_rec structure, which is
also upon kernel SP, before entering user mode. So the value of TP can
be restored just from thread_user_mode_rec, instead of saving into
another location which is under the kernel SP.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Support Privileged Access Never by CSR status.SUM bit

The SUM (Supervisor User Memory access) bit modifies the privilege with
which S-mode loads and stores the user virtual memory. When

core: riscv: Support Privileged Access Never by CSR status.SUM bit

The SUM (Supervisor User Memory access) bit modifies the privilege with
which S-mode loads and stores the user virtual memory. When SUM bit is
0, S-mode accesses to pages whose U bit of corresponding PTE is set will
fault. When SUM bit is 1, these accesses are permitted.

When CFG_PAN is disabled in RISC-V architecture, the status.SUM bit is
initialized as 1 by default. Therefore all accesses to user pages will
succeed. When CFG_PAN is enabled, the status.SUM bit is initialized as
0, and only set to 1 when kernel needs to access user pages.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Fix thread_rpc() wrong stack usage and CSR value

Since there are four registers to be stored onto stack, we should
preserve up to 32 bytes space on the stack instead of only 16 bytes,
o

core: riscv: Fix thread_rpc() wrong stack usage and CSR value

Since there are four registers to be stored onto stack, we should
preserve up to 32 bytes space on the stack instead of only 16 bytes,
otherwise the stack overflow occurs. The s0 is regarded as frame
pointer. The value of CSR status is also restored before returning from
thread_rpc().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Fix width of status CSR

Since we also support RV64 with 64-bit register width, fix the width of
status CSR by declaring it as "unsigned long" and encoding it by general
bit-wise operati

core: riscv: Fix width of status CSR

Since we also support RV64 with 64-bit register width, fix the width of
status CSR by declaring it as "unsigned long" and encoding it by general
bit-wise operations instead of invoking fixed-width API.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

plat-marvell: Add support for CN10K SoCs

Add support for CN10K SoCs from Marvell.

Only tested 64-bit mode with default configurations:

1. Build command
make PLATFORM=marvell-cn10ka
2. Pass

plat-marvell: Add support for CN10K SoCs

Add support for CN10K SoCs from Marvell.

Only tested 64-bit mode with default configurations:

1. Build command
make PLATFORM=marvell-cn10ka
2. Passed xtest

Signed-off-by: Gowthami <gthiagarajan@marvell.com>
Reviewed-by: Anil Kumar Reddy <areddy3@marvell.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: support larger values for CFG_TEE_CORE_NB_CORE

With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the
marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes to large to
be us

core: support larger values for CFG_TEE_CORE_NB_CORE

With larger values of CFG_TEE_CORE_NB_CORE (for example, 18 on the
marvell-cnf10ka platform) CORE_MMU_BASE_TABLE_OFFSET becomes to large to
be used as an immediate value in add and sub assembly instructions. This
is handle by using the new add_imm and sub_imm macros where needed. But
the add_imm and sub_imm macros can't handle complex defines so
CORE_MMU_BASE_TABLE_OFFSET must be evaluated in asm-defines.c first.

This should fix errors like:
core/arch/arm/kernel/thread_a64.S: Assembler messages:
core/arch/arm/kernel/thread_a64.S:339: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:347: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:355: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:372: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:379: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:386: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:660: Error: immediate out of range
core/arch/arm/kernel/thread_a64.S:732: Error: immediate out of range
make: *** [mk/compile.mk:165: out/core/arch/arm/kernel/thread_a64.o] Error 1

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Gowthami <gthiagarajan@marvell.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm64: add add_imm and sub_imm assembly macros

Adds the add_imm and sub_imm assembly macros capable of adding or
subtracting a 24-bit immediate value to or from a general purpose
register.

Si

core: arm64: add add_imm and sub_imm assembly macros

Adds the add_imm and sub_imm assembly macros capable of adding or
subtracting a 24-bit immediate value to or from a general purpose
register.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: assign memory tags to bounce buffers

Just as the heap uses memory tags (CFG_MEMTAG=y) use memory tags for the
temporary bounce buffers. This should catch problems with out of bounds
accesses,

core: assign memory tags to bounce buffers

Just as the heap uses memory tags (CFG_MEMTAG=y) use memory tags for the
temporary bounce buffers. This should catch problems with out of bounds
accesses, using already freed, reset bounce buffers.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: riscv: riscv.mk: define CFG_WITH_LPAE

Set CFG_WITH_LPAE according to CFG_CORE_LARGE_PHYS_ADDR.
Memory manager makes use of CFG_WITH_LPAE, therefore, we set it
according to the platform specifi

core: riscv: riscv.mk: define CFG_WITH_LPAE

Set CFG_WITH_LPAE according to CFG_CORE_LARGE_PHYS_ADDR.
Memory manager makes use of CFG_WITH_LPAE, therefore, we set it
according to the platform specifications.

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: mm: move pgt_cache.c to core/mm

This commit moves core/arch/arm/mm/pgt_cache.c to core/mm/pgt_cache.c
The implementation can be used by other architectures.
The commit does not rename CFG_CORE

core: mm: move pgt_cache.c to core/mm

This commit moves core/arch/arm/mm/pgt_cache.c to core/mm/pgt_cache.c
The implementation can be used by other architectures.
The commit does not rename CFG_CORE_PREALLOC_EL0_TBLS flag and other
depending flags (CFG_WITH_PAGER, CFG_WITH_LPAE). Therefore, an
architecture implementation may set or not these flags.

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: linker.h: replace __arm__ with ARM32

We use ARM32 and ARM64 throughout the core code, not __arm__ and
__aarch64__, so replace the occurrence of __arm__ that is in linker.h.

Signed-off-by: Jer

core: linker.h: replace __arm__ with ARM32

We use ARM32 and ARM64 throughout the core code, not __arm__ and
__aarch64__, so replace the occurrence of __arm__ that is in linker.h.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: arm64: increase stack sizes for ASAN

Increase STACK_TMP_SIZE and STACK_THREAD_SIZE when
CFG_CORE_SANITIZE_KADDRESS=y. With that, xtest passes on
PLATFORM=vexpress-qemu_armv8a.

Signed-of

core: asan: arm64: increase stack sizes for ASAN

Increase STACK_TMP_SIZE and STACK_THREAD_SIZE when
CFG_CORE_SANITIZE_KADDRESS=y. With that, xtest passes on
PLATFORM=vexpress-qemu_armv8a.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: prevent nefarious optimization in unchecked memcpy() and memset()

Add __inhibit_loop_to_libcall qualifier to asan_memcpy_unchecked() and
asan_memset_unchecked() so that the compiler does

core: asan: prevent nefarious optimization in unchecked memcpy() and memset()

Add __inhibit_loop_to_libcall qualifier to asan_memcpy_unchecked() and
asan_memset_unchecked() so that the compiler does not invoke the real
(checked) memcpy() and memset().

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: asan: initialize __exidx and __extab only for __arm__

__exidx_start/__exidx_end and __extab_start/__extab_end are defined
only for 32-bit Arm, so guard their ASAN initialization with __arm__.

core: asan: initialize __exidx and __extab only for __arm__

__exidx_start/__exidx_end and __extab_start/__extab_end are defined
only for 32-bit Arm, so guard their ASAN initialization with __arm__.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

qemu_armv8a: define CFG_ASAN_SHADOW_OFFSET

Sets the proper value for CFG_ASAN_SHADOW_OFFSET in order to enable
CFG_CORE_SANITIZE_KADDRESS=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro

qemu_armv8a: define CFG_ASAN_SHADOW_OFFSET

Sets the proper value for CFG_ASAN_SHADOW_OFFSET in order to enable
CFG_CORE_SANITIZE_KADDRESS=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee: initialize variables in entry_open_session()

Initialize local variables at declaration as specified by the coding
guidelines.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewe

core: tee: initialize variables in entry_open_session()

Initialize local variables at declaration as specified by the coding
guidelines.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: attestation: check return value of crypto_bignum_bin2bn()

Check the return value of crypto_bignum_bin2bn().

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Foris

core: pta: attestation: check return value of crypto_bignum_bin2bn()

Check the return value of crypto_bignum_bin2bn().

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: tee: initialize dirfile_entry objects

Coverity reports many errors where dirfile_entry{} is used
un-initialized.
Resolve these errors by setting these objects to zero on declaration.

Signed-o

core: tee: initialize dirfile_entry objects

Coverity reports many errors where dirfile_entry{} is used
un-initialized.
Resolve these errors by setting these objects to zero on declaration.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee: entry_open_session(): initialize tee_ta_param object

Initialize tee_ta_param{} to zero in entry_open_session() so it can be used
initialized in cleanup_shm_refs() without Coverity error.

core: tee: entry_open_session(): initialize tee_ta_param object

Initialize tee_ta_param{} to zero in entry_open_session() so it can be used
initialized in cleanup_shm_refs() without Coverity error.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: remove dead code

Remove value check as it cannot be true and appears to be dead code.
Use array index syntax instead of pointer arithmetic for better
readability.

Signed-off-by: Clem

drivers: caam: remove dead code

Remove value check as it cannot be true and appears to be dead code.
Use array index syntax instead of pointer arithmetic for better
readability.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...