drivers: stm32_rng: implement plat_rng_init()

Moves plat_rng_init() definition from platform source file rng_seed.c
to core driver source stm32_rng.c. There is no platform magic needed
in this funct

drivers: stm32_rng: implement plat_rng_init()

Moves plat_rng_init() definition from platform source file rng_seed.c
to core driver source stm32_rng.c. There is no platform magic needed
in this function. As a result, seed_rng.c source file is removed.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_rng: register as hwrng source

Implements RNG as hardware entropy source when CFG_STM32_RNG
is enable and CFG_WITH_SOFTWARE_PRNG is disable.

This is realised by implementing crypto_rn

drivers: stm32_rng: register as hwrng source

Implements RNG as hardware entropy source when CFG_STM32_RNG
is enable and CFG_WITH_SOFTWARE_PRNG is disable.

This is realised by implementing crypto_rng_read() and
hw_get_random_byte() in driver.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_rng: helper trace in rng path

Adds helper flow level trace messages in random sample generation
sequence.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne

drivers: stm32_rng: helper trace in rng path

Adds helper flow level trace messages in random sample generation
sequence.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_rng: remove millisecond timeout with interrupts masked

Removes the 10ms timeout monitored waiting loop in stm32_rng_read_raw()
that was called with interrupts masked. stm32_rng_read_r

drivers: stm32_rng: remove millisecond timeout with interrupts masked

Removes the 10ms timeout monitored waiting loop in stm32_rng_read_raw()
that was called with interrupts masked. stm32_rng_read_raw() is
renamed read_available() and does not pool a hardware status: it
either returns or reads samples according to RNG state.

Changes stm32_rng_read() to monitor RNG burst generation with a 100ms
timeout. This timeout threshold targets that at least few REE ticks
(dozen of ms) allow RNG to conceal and synchronize upon bad conditions.

As change rewrites function stm32_rng_read(), it also removes a zeroing
of the buffer on sample generation error. The wiping is removed since
pointless.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_rng: don't export stm32_rng_read_raw()

No need to export stm32_rng function stm32_rng_read_raw(). It is only
called from stm32_rng_read(). Also removes re-enabling of RNG in
stm32_rng

drivers: stm32_rng: don't export stm32_rng_read_raw()

No need to export stm32_rng function stm32_rng_read_raw(). It is only
called from stm32_rng_read(). Also removes re-enabling of RNG in
stm32_rng_read_raw() since already handled by caller function.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-stm32mp1: seed PRNG with initialized rng device

Simplifies platform rng_seed.c implementation. Since a previous change
initializes stm32_rng driver before plat_rng_init() is called, it is now
p

plat-stm32mp1: seed PRNG with initialized rng device

Simplifies platform rng_seed.c implementation. Since a previous change
initializes stm32_rng driver before plat_rng_init() is called, it is now
possible to use stm32_rng_read() to get PRNG seed. The sequence is
simplified as stm32_rng_read() takes care of device resource dependencies.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_rng: init rng before service initcall level

Initializes stm32_rng driver before service initcall level so that
device driver is ready when plat_rng_init() is called.

At this stage, r

drivers: stm32_rng: init rng before service initcall level

Initializes stm32_rng driver before service initcall level so that
device driver is ready when plat_rng_init() is called.

At this stage, resource firewall may not be initialized therefore
choose to always map RNG IOMEM with secure attribute which conforms
to firewall configuration. When RNG is assigned to non-secure, RNG
resources are released once boot completes.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_rng: remove thread exceptions masking under spinlock

Fixes stm32_rng.c to not mask thread exceptions in function
stm32_rng_read_raw() that is called with a spinlock held and
interrupt

drivers: stm32_rng: remove thread exceptions masking under spinlock

Fixes stm32_rng.c to not mask thread exceptions in function
stm32_rng_read_raw() that is called with a spinlock held and
interrupts already masked.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

imx_ocotp: correct ocotp fuse address computation

Not all the imx platforms have the same bank spacing. In particular
the imx6 and imx7ulp both have bank sizes that are twice as large
as the imx8m.

imx_ocotp: correct ocotp fuse address computation

Not all the imx platforms have the same bank spacing. In particular
the imx6 and imx7ulp both have bank sizes that are twice as large
as the imx8m.

The ocotp_get_die_id_mx7ulp() function was written with the
old computation, so bank 2, work 6 would be 0x4e0 offset.
Using the new calc, bank 1, word 6 would be 0x4e0 offset.

So all the bank values should move to bank 1.

This will set the correct computation.

Signed-off-by: Tim Anderson <tim.anderson@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Clement Faure <clement.faure@nxp.com>

show more ...

plat-zynqmp: Added __nex_bss symbol for virtualization support

Without the __nex_bss symbol added to gic_data and console_data
the zynqmp platform results in a deadlock when attempting
to write to t

plat-zynqmp: Added __nex_bss symbol for virtualization support

Without the __nex_bss symbol added to gic_data and console_data
the zynqmp platform results in a deadlock when attempting
to write to the serial device on the platform. This fix resolves
the deadlock issue. More details can be found in the referred link.

Link: https://github.com/OP-TEE/optee_os/issues/5384
Signed-off-by: Michael Doran <michael.doran@dornerworks.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: mte: strip tag before calling vm_check_access_rights()

op_attr_bignum_to_user() lacks a call to memtag_strip_tag() before it
calls vm_check_access_rights(). This results in the memory

core: crypto: mte: strip tag before calling vm_check_access_rights()

op_attr_bignum_to_user() lacks a call to memtag_strip_tag() before it
calls vm_check_access_rights(). This results in the memory buffer not
being found and the function returning TEE_ERROR_ACCESS_DENIED.

Test case: xtest pkcs11_1019 on QEMUv8, build command:

make CFG_PKCS11_TA=y CFG_USER_TA_TARGET_pkcs11=ta_arm64 MEMTAG=y run

Fixes: ef142203a36b ("core: syscalls: strip tags from user space pointers")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: Enable handling 64-bit direct messages

Enable using the 64-bit version of the FF-A direct request and response
calls.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Et

core: ffa: Enable handling 64-bit direct messages

Enable using the 64-bit version of the FF-A direct request and response
calls.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jelle Sels <jelle.sels@arm.com>

show more ...

plat-synquacer: rename rng_pta.h to synquacer_rng_pta.h

Renames plat-synquacer rng_pta.h to synquacer_rng_pta.h to prevent
confusion with generic RNG PTA header file pta_rng.h.

Acked-by: Jerome For

plat-synquacer: rename rng_pta.h to synquacer_rng_pta.h

Renames plat-synquacer rng_pta.h to synquacer_rng_pta.h to prevent
confusion with generic RNG PTA header file pta_rng.h.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

pta: rng: rename rng_pta_client.h to pta_rng.h

Renames RNG PTA exported header file from rng_pta_client.h to pta_rng.h
as the later follows PTAs header file name convention in optee_os
that is pta_x

pta: rng: rename rng_pta_client.h to pta_rng.h

Renames RNG PTA exported header file from rng_pta_client.h to pta_rng.h
as the later follows PTAs header file name convention in optee_os
that is pta_xxx.h.

Preserve rng_pta_client.h for backward compatibility. That header file
only includes pta_rng.h.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: imx: dcp: disable the use of UNIQUE KEY after HUK generation

Disable the use of DCP unique key (0xfe in the DCP key selection) after
the HUK generation.
The DCP unique key is used to genera

drivers: imx: dcp: disable the use of UNIQUE KEY after HUK generation

Disable the use of DCP unique key (0xfe in the DCP key selection) after
the HUK generation.
The DCP unique key is used to generate the HUK at boot time. Disabling
the use of the unique key prevents the non-secure world from
re-generating the HUK.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Ricardo Salveti <ricardo@foundries.io> (imx-mx6ullevk)

show more ...

drivers: imx: dcp: clear OTP_KEY bit for unique key selection

The use of the unique key for the HUK generation requires the OTP_KEY
bit to be cleared in the DCP control0 bit field.

Signed-off-by: C

drivers: imx: dcp: clear OTP_KEY bit for unique key selection

The use of the unique key for the HUK generation requires the OTP_KEY
bit to be cleared in the DCP control0 bit field.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Ricardo Salveti <ricardo@foundries.io> (imx-mx6ullevk)

show more ...

drivers: imx: dcp: workaround DCP errata 051292

The internal boot ROM should reset the DCP controller prior jumping to
bootloader execution. The current boot ROM implementation does not
assert a DCP

drivers: imx: dcp: workaround DCP errata 051292

The internal boot ROM should reset the DCP controller prior jumping to
bootloader execution. The current boot ROM implementation does not
assert a DCP reset.

To mitigate the issue, users can implement a DCP reset by setting
SFTRST[31] and CTRL_CLKGATE[30] bits in the DCP_CTRL_SET registers.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Ricardo Salveti <ricardo@foundries.io> (imx-mx6ullevk)

show more ...

plat-stm32mp1: restore reserved shared memory

Restores OP-TEE reserved shared memory (the last MBytes of DRAM located
on top of the secure DDR) in STM32MP15 default configuration. This
default confi

plat-stm32mp1: restore reserved shared memory

Restores OP-TEE reserved shared memory (the last MBytes of DRAM located
on top of the secure DDR) in STM32MP15 default configuration. This
default configuration is needed to support mainline TF-A in conjunction
with mainline Linux kernel.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: imx_snvs: re-work security state for imx8m platforms

The current implementation of snvs_get_security_cfg() for
imx8m platforms includes the read of SYS_SECURE_BOOT bit.
This fourth bit show

drivers: imx_snvs: re-work security state for imx8m platforms

The current implementation of snvs_get_security_cfg() for
imx8m platforms includes the read of SYS_SECURE_BOOT bit.
This fourth bit shows if the board boots from internal
ROM. This bit will reset to 1 for a board in the field
and 0 for a test chip.

The read of this bit is out of scope of the snvs_get_security_cfg()
purpose which is to return the system security configuration.
The SYS_SECURE_BOOT bit (msb) can be discarded.

Fixes: 5cd93c5a75 (drivers: imx_snvs: fix SNVS security configuration values)
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-hikey: Add embedded DTB to define SDP

For Hikey, the Secure Data Path memory region definition is
done in an embedded dtb as defined in
Documentation/devicetree/bindings/reserved-memory/linaro,

plat-hikey: Add embedded DTB to define SDP

For Hikey, the Secure Data Path memory region definition is
done in an embedded dtb as defined in
Documentation/devicetree/bindings/reserved-memory/linaro,secure-heap.yaml

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: Define SDP in embedded DTB

Allow definition of the Secure Data Path memory region in an embedded DTB
There is no memory intersection checking for such SDP area as embedded DTB
is not available

core: Define SDP in embedded DTB

Allow definition of the Secure Data Path memory region in an embedded DTB
There is no memory intersection checking for such SDP area as embedded DTB
is not available during init of tee core memory mapping

Comply with reserved memory bindings
Linux documentation file:
Documentation/devicetree/bindings/reserved-memory/reserved-memory.yaml

Documented in:
Documentation/devicetree/bindings/reserved-memory/linaro,secure-heap.yaml

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fix TA crash if RPMB key is not provisioned

If optee-os is set with CFG_RPMB_WRITE_KEY=n, returning
TEE_ERROR_BAD_STATE will result in TA panic because of exit checks
in /lib/libutee/tee_api_o

core: fix TA crash if RPMB key is not provisioned

If optee-os is set with CFG_RPMB_WRITE_KEY=n, returning
TEE_ERROR_BAD_STATE will result in TA panic because of exit checks
in /lib/libutee/tee_api_objects.c APIs. Returning
TEE_ERROR_STORAGE_NOT_AVAILABLE to avoid TA panic and signal TA
RPMB is not ready for use, therefore TA could perform error handling.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Judy Wang <wangjudy@microsoft.com>

show more ...

plat-stm32mp1: introduce CFG_STM32MP1_SHARED_RESOURCES

It is now mandatory to enable CFG_STM32MP1_SHARED_RESOURCES to embed
shared_resources.c.

It is forced enabled for STM32MP15x boards and forced

plat-stm32mp1: introduce CFG_STM32MP1_SHARED_RESOURCES

It is now mandatory to enable CFG_STM32MP1_SHARED_RESOURCES to embed
shared_resources.c.

It is forced enabled for STM32MP15x boards and forced disabled for
STM32MP13x boards.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: stm32_shared_io: introduce shared io driver

This commit implements shared registers support, previously handled in
core/arch/arm/plat-stm32mp1/shared_resources.c, at platform level.

Defaul

drivers: stm32_shared_io: introduce shared io driver

This commit implements shared registers support, previously handled in
core/arch/arm/plat-stm32mp1/shared_resources.c, at platform level.

Default enable CFG_STM32_SHARED_IO.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: handle large holes in S-EL0 map

Prior to this patch it was assumed that the memory map of a user mode
context had no holes or very small holes. This leads to a higher pressure
on the translati

core: handle large holes in S-EL0 map

Prior to this patch it was assumed that the memory map of a user mode
context had no holes or very small holes. This leads to a higher pressure
on the translation tables than necessary.

So fix this by skipping to allocate translation tables for holes in the
memory map of a user mode context where possible.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...