core: add fault mitigation tests

Adds some simple test for the fault mitigation routines.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@lina

core: add fault mitigation tests

Adds some simple test for the fault mitigation routines.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at leas

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at least improve the situation.

These routines focus on verifying that a function has been called and
that the returned value matches the result from the function. This is
done by having a handshake between the caller and the callee where also
the return value is transmitted in a separate channel.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: remove pager annotations

Configuration with pager and FF-A is currently not supported. Supporting
this would require extensions to the FF-A specification to be able to
load OP-TEE with pa

core: ffa: remove pager annotations

Configuration with pager and FF-A is currently not supported. Supporting
this would require extensions to the FF-A specification to be able to
load OP-TEE with paging enabled. So far we don't have any platforms with
FF-A which are memory constrained enough that paging can be motivated. If
this would change we'll have a good use case to test with when adding
pager support for FF-A.

Currently we have a few pager annotations (DECLARE_KEEP_PAGER() and
__*_unpaged) which are effectively unused. So save us from adding yet
more unused annotations by removing the few we have in the FF-A specific
code.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: stmm: use mempool to decompress stmm image

Changes StMM management to have zlib using default mempool to allocate
buffers for StMM image decompression. This is useful as the process
can r

core: arm: stmm: use mempool to decompress stmm image

Changes StMM management to have zlib using default mempool to allocate
buffers for StMM image decompression. This is useful as the process
can require buffer of several kilobytes.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm: stmm: preserve usr_lr register in stmm context

Adds management of CPU user mode LR register when executing StMM.

Generic function __thread_enter_user_mode() does not load that register
i

core: arm: stmm: preserve usr_lr register in stmm context

Adds management of CPU user mode LR register when executing StMM.

Generic function __thread_enter_user_mode() does not load that register
in the user mode context while StMM expects it is preserved between
exit and next entry. Therefore this change loads and saves that register
into StMM context from stmm_enter_user_mode() while in thread entry
atomic context.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm: thread: 32bit helpers thread_get_usr_lr()/thread_set_usr_lr()

Adds helper function thread_get_usr_lr() and thread_set_usr_lr() to
read and write CPU USR_LR banked register.

Reviewed-by:

core: arm: thread: 32bit helpers thread_get_usr_lr()/thread_set_usr_lr()

Adds helper function thread_get_usr_lr() and thread_set_usr_lr() to
read and write CPU USR_LR banked register.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: include: Fix simple typo in drivers/stm32_gpio.h

Replace "Configuratioh" with "Configuration".

Signed-off-by: Ding Tao <miyatsu@qq.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.

core: include: Fix simple typo in drivers/stm32_gpio.h

Replace "Configuratioh" with "Configuration".

Signed-off-by: Ding Tao <miyatsu@qq.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: Add support for FFA_MEM_PERM_GET/SET

Handle FFA_MEM_PERM_GET and FFA_MEM_PERM_SET interfaces for enabling
SPs to query and set the access rights of their memory regions. These
interfaces

core: ffa: Add support for FFA_MEM_PERM_GET/SET

Handle FFA_MEM_PERM_GET and FFA_MEM_PERM_SET interfaces for enabling
SPs to query and set the access rights of their memory regions. These
interfaces are only permitted in the initialization phase thus a new
state variable is being introduced in sp_session. SPs indicate the end
of their initialization phase through the FFA_MSG_WAIT interface.

Co-developed-by: Imre Kis <imre.kis@arm.com>
Signed-off-by: Imre Kis <imre.kis@arm.com>
Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: implement a method to dump user TA runtime status

This patch is to dump user TA runtime status for debug purposes.
The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA

core: implement a method to dump user TA runtime status

This patch is to dump user TA runtime status for debug purposes.
The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA.
2. Add tee_ta_dump_stats() to scan all ongoing TA instance and sessions
and snapshot their status.
3. Add new function: entry_dump_memstats() to __utee_entry() to get TA
heap statistics.
4. Add new compile option (CFG_TA_STATS, default n) to enable this
feature.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Weizhao Jiang <weizhaoj@amazon.com>
Signed-off-by: Weizhao Jiang <weizhaoj@amazon.com>
[jf: edit commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

crypto: versal: authentication driver

This driver uses the PLM xilsecure service to deliver authentication
functionality using AES-GCM.

The driver currently does not handle unaligned data and lengt

crypto: versal: authentication driver

This driver uses the PLM xilsecure service to deliver authentication
functionality using AES-GCM.

The driver currently does not handle unaligned data and lengths; due
to this the corresponding xtest regression test will not pass
(xtest -t regression 4005 will fail).

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: versal: interprocessor communication

Interface to the PLM xilsecure service.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

crypto: versal: interprocessor communication

Interface to the PLM xilsecure service.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: shdr: check that hash algorithm is strong enough

Until now shdr_verify_signature() accepted any hash GP algorithm known
to OP-TEE. A few of those (MD5 and SHA-1) are known to be weak. So add
a

core: shdr: check that hash algorithm is strong enough

Until now shdr_verify_signature() accepted any hash GP algorithm known
to OP-TEE. A few of those (MD5 and SHA-1) are known to be weak. So add
an extra check to only allow algorithms strong enough.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Suggested-by: Asaf Modelevsky <amodele@amazon.com>
Reported-by: Asaf Modelevsky <amodele@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs: copy in encrypted TA header only once

In ree_fs_ta_open() when an encrypted TA is loaded there is an encrypted
TA sub-header. Prior to this patch it was copied in from non-secure
share

core: ree_fs: copy in encrypted TA header only once

In ree_fs_ta_open() when an encrypted TA is loaded there is an encrypted
TA sub-header. Prior to this patch it was copied in from non-secure
shared memory twice, first one time to read the total size of the
header, and then a second time to copy in the entire header. Fix this
by only copying in what wasn't copied the first time.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs: check ta size before use

Check that the total loaded size of a TA matches what is in the sign
header. This prevents an eventual attacker from providing arbitrary
values in the img_size

core: ree_fs: check ta size before use

Check that the total loaded size of a TA matches what is in the sign
header. This prevents an eventual attacker from providing arbitrary
values in the img_size field of the signed header.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Suggested-by: Asaf Modelevsky <amodele@amazon.com>
Reported-by: Asaf Modelevsky <amodele@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: se050: provision SCP03 keys on SCP03 enablement.

Rotate the SCP03 keys as soon as the SCP03 communication channel
is established.

This can happen during boot or at a later time via normal w

crypto: se050: provision SCP03 keys on SCP03 enablement.

Rotate the SCP03 keys as soon as the SCP03 communication channel
is established.

This can happen during boot or at a later time via normal world
request [1].

The rotation configuration that can be built-in in the driver allows
the algorithm to rotate to a HUK based secret key or back to the
factory based keys.

[1] https://u-boot.readthedocs.io/en/latest/usage/cmd/scp03.html

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: se050: reword configuration options

Reword and add caution clauses to some of the critical configuration
options in the driver.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked

crypto: se050: reword configuration options

Reword and add caution clauses to some of the critical configuration
options in the driver.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-zynqmp: add ZCU104 and ZCU106 flavour support

Adding support for the ZCU104 and ZCU106 boards
since they possess the same core as the ZCU102.
This is to avoid having the "flavour not supported

plat-zynqmp: add ZCU104 and ZCU106 flavour support

Adding support for the ZCU104 and ZCU106 boards
since they possess the same core as the ZCU102.
This is to avoid having the "flavour not supported error"
when compiling for the ZCU104 and ZCU106.

Tested successfully on the ZCU106

Tested-by: Nasreddine Ouldei Tebina <tebina1@live.fr>
Signed-off-by: Nasreddine Ouldei Tebina <tebina1@live.fr>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

core: fix potential integer overflow in syscall_log()

Fixes a potential integer overflow in syscall_log(). Note that an
eventual overflow would still be caught by copy_from_user(), but it's
preferab

core: fix potential integer overflow in syscall_log()

Fixes a potential integer overflow in syscall_log(). Note that an
eventual overflow would still be caught by copy_from_user(), but it's
preferable to catch this earlier.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Suggested-by: Asaf Modelevsky <amodele@amazon.com>
Reported-by: Asaf Modelevsky <amodele@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: helper config CFG_STM32MP15_HUK_OTP_BASE

Adds helper configuration switch CFG_STM32MP15_HUK_OTP_BASE to
define the OTP base index where HUK storage that occupies
the 4 32bit contiguou

plat-stm32mp1: helper config CFG_STM32MP15_HUK_OTP_BASE

Adds helper configuration switch CFG_STM32MP15_HUK_OTP_BASE to
define the OTP base index where HUK storage that occupies
the 4 32bit contiguous BSEC words.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32mp15_huk: default to fuse key without derivation

Introduces 2 configuration switches for defining how stm32mp15 HUK
is generated from fuses. Both are exclusive. One of them must be set

drivers: stm32mp15_huk: default to fuse key without derivation

Introduces 2 configuration switches for defining how stm32mp15 HUK
is generated from fuses. Both are exclusive. One of them must be set
when CFG_STM32MP15_HUK is enable.

When CFG_STM32MP15_HUK_BSEC_KEY is enabled, HUK is HUK fuses raw content.
When CFG_STM32MP15_HUK_BSEC_DERIVE_UID is enabled, HUK is the derivation
of HUK fuses content derived with device UID fuses content.

The platform default enables CFG_STM32MP15_HUK_BSEC_KEY when
CFG_STM32MP15_HUK is enable.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: se050: provision SCP03 keys back factory keys

This commit allows a user who might have rotated the device's SCP03
keys to reset them back to their factory settings (public).

Signed-off-by:

crypto: se050: provision SCP03 keys back factory keys

This commit allows a user who might have rotated the device's SCP03
keys to reset them back to their factory settings (public).

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: se050: output the SCP03 security level to the console

The SCP03 keys used in the secure channel have different levels of
security that can change at runtime.

Output the name of the one bein

crypto: se050: output the SCP03 security level to the console

The SCP03 keys used in the secure channel have different levels of
security that can change at runtime.

Output the name of the one being used to the console for
informational purposes.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: dt: allow null value in reg property

This change allows reg property to have value 0. The reg property can
be used to describe an element that is not a physical address and
for which 0 is a va

core: dt: allow null value in reg property

This change allows reg property to have value 0. The reg property can
be used to describe an element that is not a physical address and
for which 0 is a valid value.

Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: Add support for Hisilicon D06 (PLATFORM=d06)

D06 is a server-class development board equipped with a Hisilicon
Phosphor processor.

Signed-off-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Acked-by:

core: Add support for Hisilicon D06 (PLATFORM=d06)

D06 is a server-class development board equipped with a Hisilicon
Phosphor processor.

Signed-off-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed w

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed with a subkey are confined to the UUID-V5 namespace of the subkey
to avoid TA UUID clashes with different subkeys.

SHDR_SUBKEY is a type of header which enables chains of public keys.
The public root key is used to verify the first public subkey, which
then is used to verify the next public subkey and so on.

The TA is finally verified using the last subkey. All these headers are
added in front of the TA binary so everything needed to verify the TA is
available when it's loaded into memory.

For example:
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: f573f329fe77be686ce71647909c4ea35b5e1cd7de86369bd7d9fca31f6a4d65
struct shdr_subkey
uuid: f04fa996-148a-453c-b037-1dcfbad120a6
name_size: 64
subkey_version: 1
max_depth: 4
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "mid_level_subkey"
Next header at offset: 692 (0x2b4)
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: 233a6dcf1a2cf69e50cde8e20c4129157da707c76fa86ce12ee31037edef02d7
struct shdr_subkey
uuid: 1a5948c5-1aa0-518c-86f4-be6f6a057b16
name_size: 64
subkey_version: 1
max_depth: 3
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "subkey1_ta"
Next header at offset: 1384 (0x568)
Bootstrap TA
struct shdr
magic: 0x4f545348
img_type: 1 (SHDR_BOOTSTRAP_TA)
img_size: 84576 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: ea31ac7dc2cc06a9dc2853cd791dd00f784b5edc062ecfa274deeb66589b4ca5
struct shdr_bootstrap_ta
uuid: 5c206987-16a3-59cc-ab0f-64b9cfc9e758
ta_version: 0
TA offset: 1712 (0x6b0) bytes
TA size: 84576 (0x14a60) bytes

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...