core: ree_fs: refactor check_update_version()

Refactors check_update_version() to support more than one version
database.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etien

core: ree_fs: refactor check_update_version()

Refactors check_update_version() to support more than one version
database.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add offset argument to shdr_alloc_and_copy()

Adds an offset argument to shdr_alloc_and_copy() to make it easier to
copy a signed header located further into a non-secure buffer.

Reviewed-by:

core: add offset argument to shdr_alloc_and_copy()

Adds an offset argument to shdr_alloc_and_copy() to make it easier to
copy a signed header located further into a non-secure buffer.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: clk_dt: Switch to use get_secure_dt()

This adds support for both embedded and external secure device trees so
that clock driver and system configuration information can be fetched from
ther

drivers: clk_dt: Switch to use get_secure_dt()

This adds support for both embedded and external secure device trees so
that clock driver and system configuration information can be fetched from
there.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: dt_driver: Add driver probing to use secure device tree

When secure external device tree is configured for use OP-TEE's drivers
should be loaded based on its definitions. Add support to probe

core: dt_driver: Add driver probing to use secure device tree

When secure external device tree is configured for use OP-TEE's drivers
should be loaded based on its definitions. Add support to probe drivers
also with secure external device tree.

This allows common system device tree to be used to define devices for
bootloaders and OP-TEE.

In any case if embedded device tree is defined this will take precedense.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configu

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configured with secure external device tree location then
external device tree is returned.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: versal: non volatile memory (eFuse and BBRAM)

Provide an interface to access the xilnvm service executing in the PLM
firmware running on the Microblaze processor.

Signed-off-by: Jorge Rami

drivers: versal: non volatile memory (eFuse and BBRAM)

Provide an interface to access the xilnvm service executing in the PLM
firmware running on the Microblaze processor.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-imx, plat-ls: replace crypto_conf.mk by common drivers/crypto/caam/crypto.mk

move platform specific conf file to crypto drivers one.
CFG_CRYPTO_DRIVER should be define in driver conf file
inste

plat-imx, plat-ls: replace crypto_conf.mk by common drivers/crypto/caam/crypto.mk

move platform specific conf file to crypto drivers one.
CFG_CRYPTO_DRIVER should be define in driver conf file
instead of platform configuration file.

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: pta: bcm: add option to disable SOTP PTA after first session

- If the config flag CFG_BCM_SOTP_SINGLE_SESSION is enabled, the BCM
SOTP driver should prevent any further connections after the

core: pta: bcm: add option to disable SOTP PTA after first session

- If the config flag CFG_BCM_SOTP_SINGLE_SESSION is enabled, the BCM
SOTP driver should prevent any further connections after the first PTA
SOTP session disconnects.
- When enabling this flag, it will be possible to restrict any SOTP
access after firmware bootup is complete.

Signed-off-by: Andrew Mustea <andrew.mustea@microsoft.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: versal: true random number generator

Configure the TRNG driver to operate in Hybrid mode with derivative
function.

This driver was ported from its original FSBL implementation [1].

[1] ht

drivers: versal: true random number generator

Configure the TRNG driver to operate in Hybrid mode with derivative
function.

This driver was ported from its original FSBL implementation [1].

[1] https://github.com/Xilinx/embeddedsw

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: dt: Make it possible to alter device mapping

In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device

core: dt: Make it possible to alter device mapping

In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device.

When selected registers in IP core are only accessible by TrustZone device
needs to be mapped with MEM_AREA_IO_SEC to cause actual AXI memory access
be made with AWPROT[1] and ARPROT[1] bits configured properly.

This adds new argument for dt_map_dev() to enable forcing mapping to be
secure or non-secure.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-zynq7k: Configure platform needing NMFI workaround

Unfortunately Xilinx Zynq-7000's ARM Cortext-A9 core has been configured
with NMFI support. This causes problems for OP-TEE's atomic context
p

plat-zynq7k: Configure platform needing NMFI workaround

Unfortunately Xilinx Zynq-7000's ARM Cortext-A9 core has been configured
with NMFI support. This causes problems for OP-TEE's atomic context
protections rendering FIQ interrupt un-usable in the system designs.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: sm: Apply FIQ workaround if configured

On systems with Non-maskable FIQ (NMFI) support in OP-TEE's atomic
contexts when trying to mask FIQ it cannot be set leaving it non-masked.

This state

arm32: sm: Apply FIQ workaround if configured

On systems with Non-maskable FIQ (NMFI) support in OP-TEE's atomic
contexts when trying to mask FIQ it cannot be set leaving it non-masked.

This state is then carried back into sm_ctx structure thus causing next
call to SMC entry having incorrect FIQ masking configured.

This can represent itself as:

E/TC:0 assertion 'thread_get_exceptions() == THREAD_EXCP_ALL' failed at core/arch/arm/kernel/thread_optee_smc.c:50 <thread_handle_fast_smc>

As a workaround force FIQ to be masked before entering SMC entry handler.

Note: on systems having the issue -- FIQ is considered un-usable and
causes panic in OP-TEE if received.

Note2: If you have system without SCTLR.NMFI enabled and you do get that
assertion do not enable the workaround! Eg. fix the real problem.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: kernel: Add check whether core needs NMFI workaround

During the boot additional check is performed to verify if the core is
affected and if the CFG_CORE_WORKAROUND_ARM_NMFI has been configure

arm32: kernel: Add check whether core needs NMFI workaround

During the boot additional check is performed to verify if the core is
affected and if the CFG_CORE_WORKAROUND_ARM_NMFI has been configured
properly.

Affected system is greeted with:

I/TC: WARNING: This ARM core has NMFI enabled, please apply workaround!

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: kernel: Add common itr_core_handler() for NMFI workaround

Should we receive FIQ interrupt treat it always as panic to indicate to
platform developer that FIQ interrupts must be disabled in sy

arm32: kernel: Add common itr_core_handler() for NMFI workaround

Should we receive FIQ interrupt treat it always as panic to indicate to
platform developer that FIQ interrupts must be disabled in system level.

Function itr_core_handler() is defined without __weak to make sure that
there are no other function trying to handle the FIQ.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exce

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exception entry and once unmasked by software it cannot anymore be masked.

Side effects of this is that critical sections within the code cannot
re-enable FIQ mask.

FIQ is recommended to be masked during secure monitor execution.

ARMv8 architecture is not affected as the Non-maskable FIQ support is not
available in there.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: correct bit define for SCTLR.NMFI setting

In SCTLR register definition NMFI bit is 27th bit. Correct the define.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by:

arm32: correct bit define for SCTLR.NMFI setting

In SCTLR register definition NMFI bit is 27th bit. Correct the define.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mm: fix error flushing unused pgt's

With commit b1df82f10633 ("core: use set_um_region() to update
translation tables") a "populated" value is used for each pgt
(translation table) to tell if

core: mm: fix error flushing unused pgt's

With commit b1df82f10633 ("core: use set_um_region() to update
translation tables") a "populated" value is used for each pgt
(translation table) to tell if it's up to date or if
core_mmu_populate_user_map() should initialize it.

When a pgt becomes unused it must be marked as unused. Prior to this
patch an error in the logic prevented pgt's to be marked as unused
properly. This can prevent core_mmu_populate_user_map() from
initializing a pgt. This can cause some new mappings to not be
established properly.

So fix this by giving the correct arguments for pgt_flush_range() in
rem_um_region() and core_is_buffer_inside() in pgt_entry_matches().

Fixes: b1df82f10633 ("core: use set_um_region() to update translation tables")
Acked-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: se050: SCP03 enabled only session.

The SE050F FIPS 140-2 certified device makes SCP03 mandatory from
boot.

To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its
functionality is d

crypto: se050: SCP03 enabled only session.

The SE050F FIPS 140-2 certified device makes SCP03 mandatory from
boot.

To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its
functionality is described in crypto.mk.

Some information regarding the SE050F device below [1]

[1] https://www.nxp.com/docs/en/application-note/AN12436.pdf

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

crypto: se050: add support for the SE050F

Add the SCP03 keys to support the NXP SE050F device

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@li

crypto: se050: add support for the SE050F

Add the SCP03 keys to support the NXP SE050F device

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

crypto: se050: fix SE050F2 identifier

Used the wrong identifier for the SE050F2 board. This would cause the
SCP03 symmetric keys to be rejected by the Secure Element and so the
secure session could

crypto: se050: fix SE050F2 identifier

Used the wrong identifier for the SE050F2 board. This would cause the
SCP03 symmetric keys to be rejected by the Secure Element and so the
secure session could not be started.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: crypto-api: rsa: pass algorithm to implementation

This is required for drivers that might only support some
of the algorithms and want to delegate the operation to
their software implementatio

core: crypto-api: rsa: pass algorithm to implementation

This is required for drivers that might only support some
of the algorithms and want to delegate the operation to
their software implementations

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: ltc: rsa: support the crypto driver

Allow the software implementations to coexist with the crypto driver
API.

This way drivers using the Crypto API can fallback to their software
based implem

core: ltc: rsa: support the crypto driver

Allow the software implementations to coexist with the crypto driver
API.

This way drivers using the Crypto API can fallback to their software
based implementations if they need to.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rsa: support the crypto driver

Provide an explicit interface to software cryptographic operations to
allow accessing them whenever the Crypto driver API is enabled.

Signed-off-by: Jorge Ramir

core: rsa: support the crypto driver

Provide an explicit interface to software cryptographic operations to
allow accessing them whenever the Crypto driver API is enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-k3: am62x: add SA2UL and TRNG support

Add SA2UL and TRNG support for TI SoC AM62X through OP-TEE.

Signed-off-by: Kamlesh Gurudasani <kamlesh@ti.com>
Acked-by: Jerome Forissier <jerome.forissie

plat-k3: am62x: add SA2UL and TRNG support

Add SA2UL and TRNG support for TI SoC AM62X through OP-TEE.

Signed-off-by: Kamlesh Gurudasani <kamlesh@ti.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: avoid TA panic when secure storage is corrupt

init_head_from_data() triggers a TA panic in case corrupt data is read
from the secure storage, for instance by request from the PKCS#11
trusted a

core: avoid TA panic when secure storage is corrupt

init_head_from_data() triggers a TA panic in case corrupt data is read
from the secure storage, for instance by request from the PKCS#11
trusted application.
"Every Trusted Storage implementation is expected to return
TEE_ERROR_CORRUPT_OBJECT if a Trusted Application attempts to open
an object and the TEE determines that its contents (or those of the
storage itself) have been tampered with or rolled back."
See TEE Internal Core API Specification v1.1.2, section 5.7.1.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Zengxx <zengxiaoxu@huawei.com>
Signed-off-by: Joakim Nordell <joakim.nordell@axis.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...