core: support physically relocatable OP-TEE binary

With CFG_CORE_PHYS_RELOCATABLE=y enable support in OP-TEE to relocate
itself to allow it to run from physical address that differs from the
link ad

core: support physically relocatable OP-TEE binary

With CFG_CORE_PHYS_RELOCATABLE=y enable support in OP-TEE to relocate
itself to allow it to run from physical address that differs from the
link address.

This feature is currently only supported with CFG_CORE_SEL2_SPMC=y since
the TEE core has to know the range of available memory. With SPMC at EL2
this is accomplished via get_sec_mem_from_manifest(). An SPMC at S-EL2
may need to load OP-TEE at a different address depending on
configuration.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: parse boot info

With CFG_CORE_SEL2_SPMC=y OP-TEE is executed as an SP at S-EL1. The
manifest describing the OP-TEE SP is passed as a boot argument.

The manifest contains among other thin

core: ffa: parse boot info

With CFG_CORE_SEL2_SPMC=y OP-TEE is executed as an SP at S-EL1. The
manifest describing the OP-TEE SP is passed as a boot argument.

The manifest contains among other things the two properties
"load-address" and "mem-size". These cover the secure memory allocated
for OP-TEE to cover core and TA memory. The retrieved memory range is
saved with a call to core_mmu_set_secure_memory() to be used when
initializing MMU and other memory configuration.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_set_secure_memory()

Adds core_mmu_set_secure_memory() for use with CFG_CORE_PHYS_RELOCATABLE
where the secure physical memory range is determined at boot.

Reviewed-by: Etienne Ca

core: add core_mmu_set_secure_memory()

Adds core_mmu_set_secure_memory() for use with CFG_CORE_PHYS_RELOCATABLE
where the secure physical memory range is determined at boot.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add dt_getprop_as_number()

Adds dt_getprop_as_number() to read a property and parse it as a number
returned as a uint64_t. The size of the property determines if it's read
as an unsigned 32-bi

core: add dt_getprop_as_number()

Adds dt_getprop_as_number() to read a property and parse it as a number
returned as a uint64_t. The size of the property determines if it's read
as an unsigned 32-bit or 64-bit integer.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: add boot info structs and defines

Adds defines to interpret FF-A Boot Info header and descriptor using two
new structs and accompanying defines.

Acked-by: Etienne Carriere <etienne.carri

core: ffa: add boot info structs and defines

Adds defines to interpret FF-A Boot Info header and descriptor using two
new structs and accompanying defines.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: core_mmu.c: only try to add pager vaspace when enabled

Only call add_pager_vaspace() when compiled with pager enabled to avoid
redundant looping over the memory areas to map.

Reviewed-by: Eti

core: core_mmu.c: only try to add pager vaspace when enabled

Only call add_pager_vaspace() when compiled with pager enabled to avoid
redundant looping over the memory areas to map.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: generic_ram_layout.h: remove TA_RAM_*

Removes the TA_RAM_START and TA_RAM_SIZE defines since core_mmu.c can
calculate the values based registered secure_only memory.

Reviewed-by: Etienne

core: arm: generic_ram_layout.h: remove TA_RAM_*

Removes the TA_RAM_START and TA_RAM_SIZE defines since core_mmu.c can
calculate the values based registered secure_only memory.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: virt: use core_mmu_get_ta_range()

In get_ta_ram_size() use core_mmu_get_ta_range() instead of the define
TA_RAM_SIZE.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by

core: virt: use core_mmu_get_ta_range()

In get_ta_ram_size() use core_mmu_get_ta_range() instead of the define
TA_RAM_SIZE.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: core_mmu.c: use secure_only[] where possible

Avoid using TEE_RAM_START, TEE_RAM_PH_SIZE, TA_RAM_START, and
TA_RAM_SIZE where secure_only[] can be used instead to calculate the
same numbers.

R

core: core_mmu.c: use secure_only[] where possible

Avoid using TEE_RAM_START, TEE_RAM_PH_SIZE, TA_RAM_START, and
TA_RAM_SIZE where secure_only[] can be used instead to calculate the
same numbers.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_get_ta_range()

Adds core_mmu_get_ta_range() to return the range of physical memory
reserved for TAs.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Je

core: add core_mmu_get_ta_range()

Adds core_mmu_get_ta_range() to return the range of physical memory
reserved for TAs.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_tee_load_pa address

Adds core_mmu_tee_load_pa for a dynamic record of where OP-TEE is loaded
into memory.

With CFG_CORE_PHYS_RELOCATABLE=y core_mmu_tee_base_pa may need to be
upd

core: add core_mmu_tee_load_pa address

Adds core_mmu_tee_load_pa for a dynamic record of where OP-TEE is loaded
into memory.

With CFG_CORE_PHYS_RELOCATABLE=y core_mmu_tee_base_pa may need to be
updated during early boot since the physical address to use isn't
determined until then.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: kernel: Fix stack pointer initialization for each hart

The RISC-V privileged specification defines that at least one hart must
have a hart ID of zero. Since at least one stack_tmp_strid

core: riscv: kernel: Fix stack pointer initialization for each hart

The RISC-V privileged specification defines that at least one hart must
have a hart ID of zero. Since at least one stack_tmp_stride is required
for calculating the initial SP value for each hart, the formula should
be address of stack_tmp plus (hartid+1) multiplied by stack_tmp_stride.

This commit fixes the formula for initializing SP of each hart,
otherwise the stack underflow happens to hart 0.

Fixes: 93e54a63925f ("riscv: kernel: entry.S: provide entry script")
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: notif: fix input comment typo

Fixes inline comment typo in OP-TEE standard SMCs description and
CFG_CORE_ASYNC_NOTIF switch description.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org

core: notif: fix input comment typo

Fixes inline comment typo in OP-TEE standard SMCs description and
CFG_CORE_ASYNC_NOTIF switch description.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: riscv: Refactor macros for inline assembly of CSR operations

Current CSR macros with inline assembly will lead to compilation error,
because they use pre-processor stringizing not value substi

core: riscv: Refactor macros for inline assembly of CSR operations

Current CSR macros with inline assembly will lead to compilation error,
because they use pre-processor stringizing not value substitution. The
definitions such as CSR_XSTATUS are not sustituted to CSR encoding in
CSR macros and compiler generates: Error: unknown CSR `CSR_XSTATUS'.

This patch fixes it by making the given CSR to be an assembly input
operand with constraint "i", which is used to indicate the operand is
an immediate integer operand. Thus, the CSR encoding can be correctly
compiled.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

driver: tpm2: remove TPM2 driver

Remove TPM2 driver from OP-TEE core. OP-TEE will instead rely on a
remote REE TPM2 driver allowing REE OS to embed TPM2 software stack
and leverage TPM2 features.

A

driver: tpm2: remove TPM2 driver

Remove TPM2 driver from OP-TEE core. OP-TEE will instead rely on a
remote REE TPM2 driver allowing REE OS to embed TPM2 software stack
and leverage TPM2 features.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-vexpress: remove TPM2 MMIO driver

Disable TPM2 MMIO driver and remove its integration from platform
vexpress. OP-TEE will instead rely on a remote REE TPM2 driver
allowing REE OS to embed TPM2

plat-vexpress: remove TPM2 MMIO driver

Disable TPM2 MMIO driver and remove its integration from platform
vexpress. OP-TEE will instead rely on a remote REE TPM2 driver
allowing REE OS to embed TPM2 software stack and leverage TPM2 features.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ftrace: mark thread_get_tsd() and thread_get_id() as __noprof

When CFG_FTRACE_SUPPORT=y CFG_SYSCALL_FTRACE=y, the following call stack
happens (QEMUv8):

_mcount()
ftrace_enter()
get_fbu

core: ftrace: mark thread_get_tsd() and thread_get_id() as __noprof

When CFG_FTRACE_SUPPORT=y CFG_SYSCALL_FTRACE=y, the following call stack
happens (QEMUv8):

_mcount()
ftrace_enter()
get_fbuf()
thread_get_tsd()
thread_get_id()

Therefore thread_get_tsd() and thread_get_id() must be tagged with
__noprof, otherwise a recursive call to _mcount() is triggered leading
to infinite recursion, stack overflow and a lockup of the TEE core.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

core: mark thread_init_core_local_stacks() as __nostackcheck

As its name implies, thread_init_core_local_stacks() performs stack
initializations therefore it should not invoke the stack-checking hoo

core: mark thread_init_core_local_stacks() as __nostackcheck

As its name implies, thread_init_core_local_stacks() performs stack
initializations therefore it should not invoke the stack-checking hooks
which are enabled when CFG_CORE_DEBUG_CHECK_STACKS=y. This is done by
adding the __nostackcheck qualifier to the function. Without it, the
boot hangs early and nothing is printed on the secure console.

Note that this also fixes similar symptoms with syscall profiling
(CFG_FTRACE_SUPPORT=y CFG_SYSCALL_FTRACE=y) because the _mcount()/
__gnu_mcount_nc() hooks need the stack. Both __nostackcheck and
__noprof expand to __attribute__((no_instrument_function)).

Fixes: ca8258906949 ("core: split core/arch/arm/kernel/thread.c")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

core: ftrace: mark thread_get_id_may_fail() as __noprof

With CFG_FTRACE_SUPPORT=y CFG_ULIBS_MCOUNT=y CFG_SYSCALL_FTRACE=y
(tested on QEMUv8), OP-TEE boot hangs due to infinite recursion:

ftrace_ent

core: ftrace: mark thread_get_id_may_fail() as __noprof

With CFG_FTRACE_SUPPORT=y CFG_ULIBS_MCOUNT=y CFG_SYSCALL_FTRACE=y
(tested on QEMUv8), OP-TEE boot hangs due to infinite recursion:

ftrace_enter()
get_fbuf()
thread_get_id_may_fail()
_mcount() [or __gnu_mcount_nc()]
ftrace_enter()
...

Break the cycle by tagging thread_get_id_may_fail() with __noprof so
that it doesn't call _mcount()/__gnu_mcount_nc().

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

crypto: se050: compare symmetric keys in constant time

Symmetric keys should be compared in constant time to protect against
side channel attacks.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundrie

crypto: se050: compare symmetric keys in constant time

Symmetric keys should be compared in constant time to protect against
side channel attacks.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: riscv: mm: Add missing return for TLB helpers

These functions should contain tailing ret instruction to return to
caller.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome F

core: riscv: mm: Add missing return for TLB helpers

These functions should contain tailing ret instruction to return to
caller.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: caam: rework the CAAM crypto makefile

Re-work the CAAM crypto makefile to make it more readable.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wikland

drivers: caam: rework the CAAM crypto makefile

Re-work the CAAM crypto makefile to make it more readable.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ls: remove CFG_WITH_SOFTWARE_PRNG default definition for LS platforms

Remove the enablement of CFG_WITH_SOFTWARE_PRNG flag when the CAAM is
disabled. CFG_WITH_SOFTWARE_PRNG is enabled by defau

core: ls: remove CFG_WITH_SOFTWARE_PRNG default definition for LS platforms

Remove the enablement of CFG_WITH_SOFTWARE_PRNG flag when the CAAM is
disabled. CFG_WITH_SOFTWARE_PRNG is enabled by default.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: remove CFG_WITH_SOFTWARE_PRNG default definition for i.MX platforms

Remove the enablement of CFG_WITH_SOFTWARE_PRNG ?= y since it's already
globally enabled.

Signed-off-by: Clement Faure

core: imx: remove CFG_WITH_SOFTWARE_PRNG default definition for i.MX platforms

Remove the enablement of CFG_WITH_SOFTWARE_PRNG ?= y since it's already
globally enabled.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move CFG_WITH_SOFTWARE_PRNG default definition

Move CFG_WITH_SOFTWARE_PRNG default definition to crypto.mk to make it
overide-able by the HW crypto implementation.
Without this fix, forcing CF

core: move CFG_WITH_SOFTWARE_PRNG default definition

Move CFG_WITH_SOFTWARE_PRNG default definition to crypto.mk to make it
overide-able by the HW crypto implementation.
Without this fix, forcing CFG_WITH_SOFTWARE_PRNG to n in a crypto driver
configuration file will trigger the following compilation issue:

core/drivers/crypto/<driver>/crypto.mk:140: *** CFG_WITH_SOFTWARE_PRNG is set to 'y' (from file) but its value must be 'n' [Mandated by xxx]. Stop.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...