arm32: sm: Apply FIQ workaround if configured

On systems with Non-maskable FIQ (NMFI) support in OP-TEE's atomic
contexts when trying to mask FIQ it cannot be set leaving it non-masked.

This state

arm32: sm: Apply FIQ workaround if configured

On systems with Non-maskable FIQ (NMFI) support in OP-TEE's atomic
contexts when trying to mask FIQ it cannot be set leaving it non-masked.

This state is then carried back into sm_ctx structure thus causing next
call to SMC entry having incorrect FIQ masking configured.

This can represent itself as:

E/TC:0 assertion 'thread_get_exceptions() == THREAD_EXCP_ALL' failed at core/arch/arm/kernel/thread_optee_smc.c:50 <thread_handle_fast_smc>

As a workaround force FIQ to be masked before entering SMC entry handler.

Note: on systems having the issue -- FIQ is considered un-usable and
causes panic in OP-TEE if received.

Note2: If you have system without SCTLR.NMFI enabled and you do get that
assertion do not enable the workaround! Eg. fix the real problem.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: kernel: Add check whether core needs NMFI workaround

During the boot additional check is performed to verify if the core is
affected and if the CFG_CORE_WORKAROUND_ARM_NMFI has been configure

arm32: kernel: Add check whether core needs NMFI workaround

During the boot additional check is performed to verify if the core is
affected and if the CFG_CORE_WORKAROUND_ARM_NMFI has been configured
properly.

Affected system is greeted with:

I/TC: WARNING: This ARM core has NMFI enabled, please apply workaround!

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: kernel: Add common itr_core_handler() for NMFI workaround

Should we receive FIQ interrupt treat it always as panic to indicate to
platform developer that FIQ interrupts must be disabled in sy

arm32: kernel: Add common itr_core_handler() for NMFI workaround

Should we receive FIQ interrupt treat it always as panic to indicate to
platform developer that FIQ interrupts must be disabled in system level.

Function itr_core_handler() is defined without __weak to make sure that
there are no other function trying to handle the FIQ.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exce

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exception entry and once unmasked by software it cannot anymore be masked.

Side effects of this is that critical sections within the code cannot
re-enable FIQ mask.

FIQ is recommended to be masked during secure monitor execution.

ARMv8 architecture is not affected as the Non-maskable FIQ support is not
available in there.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: correct bit define for SCTLR.NMFI setting

In SCTLR register definition NMFI bit is 27th bit. Correct the define.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by:

arm32: correct bit define for SCTLR.NMFI setting

In SCTLR register definition NMFI bit is 27th bit. Correct the define.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mm: fix error flushing unused pgt's

With commit b1df82f10633 ("core: use set_um_region() to update
translation tables") a "populated" value is used for each pgt
(translation table) to tell if

core: mm: fix error flushing unused pgt's

With commit b1df82f10633 ("core: use set_um_region() to update
translation tables") a "populated" value is used for each pgt
(translation table) to tell if it's up to date or if
core_mmu_populate_user_map() should initialize it.

When a pgt becomes unused it must be marked as unused. Prior to this
patch an error in the logic prevented pgt's to be marked as unused
properly. This can prevent core_mmu_populate_user_map() from
initializing a pgt. This can cause some new mappings to not be
established properly.

So fix this by giving the correct arguments for pgt_flush_range() in
rem_um_region() and core_is_buffer_inside() in pgt_entry_matches().

Fixes: b1df82f10633 ("core: use set_um_region() to update translation tables")
Acked-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: se050: SCP03 enabled only session.

The SE050F FIPS 140-2 certified device makes SCP03 mandatory from
boot.

To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its
functionality is d

crypto: se050: SCP03 enabled only session.

The SE050F FIPS 140-2 certified device makes SCP03 mandatory from
boot.

To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its
functionality is described in crypto.mk.

Some information regarding the SE050F device below [1]

[1] https://www.nxp.com/docs/en/application-note/AN12436.pdf

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

crypto: se050: add support for the SE050F

Add the SCP03 keys to support the NXP SE050F device

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@li

crypto: se050: add support for the SE050F

Add the SCP03 keys to support the NXP SE050F device

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

crypto: se050: fix SE050F2 identifier

Used the wrong identifier for the SE050F2 board. This would cause the
SCP03 symmetric keys to be rejected by the Secure Element and so the
secure session could

crypto: se050: fix SE050F2 identifier

Used the wrong identifier for the SE050F2 board. This would cause the
SCP03 symmetric keys to be rejected by the Secure Element and so the
secure session could not be started.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: crypto-api: rsa: pass algorithm to implementation

This is required for drivers that might only support some
of the algorithms and want to delegate the operation to
their software implementatio

core: crypto-api: rsa: pass algorithm to implementation

This is required for drivers that might only support some
of the algorithms and want to delegate the operation to
their software implementations

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: ltc: rsa: support the crypto driver

Allow the software implementations to coexist with the crypto driver
API.

This way drivers using the Crypto API can fallback to their software
based implem

core: ltc: rsa: support the crypto driver

Allow the software implementations to coexist with the crypto driver
API.

This way drivers using the Crypto API can fallback to their software
based implementations if they need to.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rsa: support the crypto driver

Provide an explicit interface to software cryptographic operations to
allow accessing them whenever the Crypto driver API is enabled.

Signed-off-by: Jorge Ramir

core: rsa: support the crypto driver

Provide an explicit interface to software cryptographic operations to
allow accessing them whenever the Crypto driver API is enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-k3: am62x: add SA2UL and TRNG support

Add SA2UL and TRNG support for TI SoC AM62X through OP-TEE.

Signed-off-by: Kamlesh Gurudasani <kamlesh@ti.com>
Acked-by: Jerome Forissier <jerome.forissie

plat-k3: am62x: add SA2UL and TRNG support

Add SA2UL and TRNG support for TI SoC AM62X through OP-TEE.

Signed-off-by: Kamlesh Gurudasani <kamlesh@ti.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: avoid TA panic when secure storage is corrupt

init_head_from_data() triggers a TA panic in case corrupt data is read
from the secure storage, for instance by request from the PKCS#11
trusted a

core: avoid TA panic when secure storage is corrupt

init_head_from_data() triggers a TA panic in case corrupt data is read
from the secure storage, for instance by request from the PKCS#11
trusted application.
"Every Trusted Storage implementation is expected to return
TEE_ERROR_CORRUPT_OBJECT if a Trusted Application attempts to open
an object and the TEE determines that its contents (or those of the
storage itself) have been tampered with or rolled back."
See TEE Internal Core API Specification v1.1.2, section 5.7.1.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Zengxx <zengxiaoxu@huawei.com>
Signed-off-by: Joakim Nordell <joakim.nordell@axis.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ts_manager: remove unneeded check

The function ts_get_current_session() can not return NULL as panic()
would abort the execution in that case.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundr

core: ts_manager: remove unneeded check

The function ts_get_current_session() can not return NULL as panic()
would abort the execution in that case.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: Process manifest endpoint_id

The manifest can specify the endpoint ID for a SP. Process it and make
sure that 2 SPs don't have the same endpoint ID.
The sp_init_uuid() has been split into

core: ffa: Process manifest endpoint_id

The manifest can specify the endpoint ID for a SP. Process it and make
sure that 2 SPs don't have the same endpoint ID.
The sp_init_uuid() has been split into 2 functions (sp_init_uuid() and
sp_first_run()), this is needed to make sure that the SPs has the
correct endpoint ID during it's first run.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: xiphera_trng: Allow interrupts while waiting for random

If for some reason getting new random values take a bit longer toggle
interrupt masks on/off while waiting.

This allows pending inte

drivers: xiphera_trng: Allow interrupts while waiting for random

If for some reason getting new random values take a bit longer toggle
interrupt masks on/off while waiting.

This allows pending interrupts to be served faster in REE side as getting
new random might not be that important. At the same time it gives more
time for random number generation to complete and not just performing
spinning and waiting.

It was originally recommended by TRNG vendor not to cache previous partial
results in memory. TRNG itself is rather fast so there should
be always fresh bytes available for consumption. Thus to simplify the code
remove the FIFO construct.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: drivers: stm32mp15 Hardware Unique Key driver

Generate a secret Hardware Unique Key from BSEC OTPs.

The algorithm used simplifies the device provisioning phase because
it does not require a u

core: drivers: stm32mp15 Hardware Unique Key driver

Generate a secret Hardware Unique Key from BSEC OTPs.

The algorithm used simplifies the device provisioning phase because
it does not require a unique per device secret to be fused: just a key
common to all devices.

The algorithm uses a 128 bit symmetric key stored as four 32 bit words
read from OTP fuses.

The HUK is calculated by AES-GCM encrypting the device UID (96 bits).

Since the UID is persistent - and so should be the key - the NONCE can
be reused and hold any value.

The OTP values must be secrets but don't need to be unique per-device.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: libtomcrypt: fix Ed25519 signature

Fixes signature size value not properly set from caller argument
in crypto_acipher_ed25519_sign() and crypto_acipher_ed25519ctx_sign().

Prior this patch cou

core: libtomcrypt: fix Ed25519 signature

Fixes signature size value not properly set from caller argument
in crypto_acipher_ed25519_sign() and crypto_acipher_ed25519ctx_sign().

Prior this patch could execution fail or not fail and possibly overflow
caller passed buffer, depending on content previously loaded in siglen
stack memory cell.

Fixes: a116848b51a2 ("core: libtomcrypt: add Ed25519 support")
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-stm32mp1: add support for i2c5 bus

This allows stm32_i2c driver to properly initialize and use
i2c5 bus on stm32mp15 SoC.

Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Igor O

plat-stm32mp1: add support for i2c5 bus

This allows stm32_i2c driver to properly initialize and use
i2c5 bus on stm32mp15 SoC.

Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-stm32mp1: fallthrough macro instead of comment

Use fallthrough macro instead of /* Fall Through */ comments.
This addresses this checkpatch warning:
WARNING: Prefer 'fallthrough;' over fallthro

plat-stm32mp1: fallthrough macro instead of comment

Use fallthrough macro instead of /* Fall Through */ comments.
This addresses this checkpatch warning:
WARNING: Prefer 'fallthrough;' over fallthrough comment

Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-stm32mp1: conf: default enable CFG_EXTERNAL_DT for mp15

Changes stm32mp1 MP15 variant default configuration for
CFG_EXTERNAL_DT that is now default enabled. This is needed as
mainline U-Boot an

plat-stm32mp1: conf: default enable CFG_EXTERNAL_DT for mp15

Changes stm32mp1 MP15 variant default configuration for
CFG_EXTERNAL_DT that is now default enabled. This is needed as
mainline U-Boot and Linux may not yet define the necessary
optee nodes in their DT. Therefore prefer external DT be
accessed by default and let external OP-TEE configuration
disable the switch if desired.

This change does not modify MP13 variant default configuration
where CFG_EXTERNAL_DT is default disabled.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: entry_a64.S: add missing isb in init_pauth_per_cpu()

After updating sctlr_el1 to enable pointer authentication, the isb
instruction is needed to ensure that the subsequent code execution
is co

core: entry_a64.S: add missing isb in init_pauth_per_cpu()

After updating sctlr_el1 to enable pointer authentication, the isb
instruction is needed to ensure that the subsequent code execution
is correct.

Fixes: 93dc6b2960b9 ("core: add pointer authentication support")
Signed-off-by: Jason Li <jasl@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: add () in commit subject]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: versal: PM service

Calls the TF-A exported SiP services or PLM PM APIs.

The programming of the FPGA bitstream is being phased out from the TF-A
so it is no longer supported as such: the re

drivers: versal: PM service

Calls the TF-A exported SiP services or PLM PM APIs.

The programming of the FPGA bitstream is being phased out from the TF-A
so it is no longer supported as such: the recommended interface uses
the MBOX driver to the PLM.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: se050: updates to the crypto object deletion interface

Keys created on the Secure Element NVM via the PKCS#11 TA are removed
by scanning the data buffer holding the reference to the key duri

crypto: se050: updates to the crypto object deletion interface

Keys created on the Secure Element NVM via the PKCS#11 TA are removed
by scanning the data buffer holding the reference to the key during
the release of the object.

The storage allocated to hold those keys (ECC/RSA) is always below the
page size length which seems like a reasonable figure to use for future
extensions.

- This commit avoids scanning objects larger than that length.

This commit also updates the interface to delegate the actual handling
of the object to the crypto driver instead of passing just the raw data
contained in the object.

The cryptographic layer is also being allowed to block the deletion of
the object. This is to cover the scenario where the I2C device is not
accessible while a reference to the key is being removed from the secure
storage in the filesystem.

Incidentally also fixes regression 6018: this test releases an object
of size 0xA0000 which can't be scanned due to this part of the code
hitting an Out of Memory condition.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...