plat-d06: Add support for HIP08A

HIP08A is another form of the D06 development board and equipped by
Hisilicon.

Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Reviewed-by: Yuan Wang <wangyuan4

plat-d06: Add support for HIP08A

HIP08A is another form of the D06 development board and equipped by
Hisilicon.

Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Reviewed-by: Yuan Wang <wangyuan46@huawei.com>
Acked-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: imx: rngb: soft reset in case of errors

Soft reset the RNGB core before retrying, if errors are logged in the
ESR register.

The i.MX 6ULL Applications Processor Reference Manual states in

drivers: imx: rngb: soft reset in case of errors

Soft reset the RNGB core before retrying, if errors are logged in the
ESR register.

The i.MX 6ULL Applications Processor Reference Manual states in the
RNG_CR[MASKERR] field description about errors in ESR:

All errors are considered fatal, requiring the RNGB to be reset.
Until the reset occurs, the RNGB does not service any random data.

It was observed that issuing CMD[CE|CI] (Clear error / interrupt
command) did not clear the ESR[SATE] (Statistical test error) state
as expected. Issuing CMD[SR] (Software reset) instead, as suggested
by the reference manual, works.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

drivers: imx: rngb: split irq_mask() from irq_clear()

Introduce irq_mask() as a counterpart to irq_unmask(), split from
irq_clear(). This way function names match what they do, and we
can replace ir

drivers: imx: rngb: split irq_mask() from irq_clear()

Introduce irq_mask() as a counterpart to irq_unmask(), split from
irq_clear(). This way function names match what they do, and we
can replace irq_clear() with a soft_reset() in the error case next.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

drivers: imx: rngb: use explicit seed generation command

Follow the Linux and U-Boot drivers in using the explicit command
to trigger seed generation. Relying on auto-seeding didn't seem
to trigger

drivers: imx: rngb: use explicit seed generation command

Follow the Linux and U-Boot drivers in using the explicit command
to trigger seed generation. Relying on auto-seeding didn't seem
to trigger reseeding when the first try fails the statistics tests.

Only switch to continuous auto-reseeding after initialization
succeeded.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

core: stmm: Cleanup unused defines

commit aa6d7fc392b7 ("core: applies FF-A v1.2 features on StandaloneMm")
removed some MM code in favor of FF-A. However, some of the header
files were left untouch

core: stmm: Cleanup unused defines

commit aa6d7fc392b7 ("core: applies FF-A v1.2 features on StandaloneMm")
removed some MM code in favor of FF-A. However, some of the header
files were left untouched. Clean them up

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

show more ...

core: tee_ree_fs: fix possible mempool leak

In out_of_place_write() if copy_from_user() fails, the function returns
directly instead of using the common cleanup path. If this happens a
temporary blo

core: tee_ree_fs: fix possible mempool leak

In out_of_place_write() if copy_from_user() fails, the function returns
directly instead of using the common cleanup path. If this happens a
temporary block is leaked from the default memory pool. Fix this by
using the common exit path.

Fixes: b2284b11a961 ("core: update FS storage API with user space buffer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

libutils: asan: skip global unpoison for bget-backed globals

Track ASan user-region type at map time and mark bget pool backing ranges
as ASAN_REG_MEM_POOL.

Global registration currently unpoisons

libutils: asan: skip global unpoison for bget-backed globals

Track ASan user-region type at map time and mark bget pool backing ranges
as ASAN_REG_MEM_POOL.

Global registration currently unpoisons globals via asan_tag_access().
For globals used as bget pool backing storage, this overwrites the initial
pool shadow state (ASAN_HEAP_RED_ZONE, heap-free) and breaks expected
allocator poisoning semantics.

Skip global unpoison for globals that contain a memory-pool backing range,
while keeping normal redzone handling for those globals. Update ASan
mapping call sites to pass region type (STACK, ELF, MEM_POOL, NO_TYPE).

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

asan: support trusted applications

Add CFG_TA_SANITIZE_KADDRESS and enable -fsanitize=kernel-address for TAs.
Extend ASan to map shadow regions in user space. Shadow memory for trusted
applications

asan: support trusted applications

Add CFG_TA_SANITIZE_KADDRESS and enable -fsanitize=kernel-address for TAs.
Extend ASan to map shadow regions in user space. Shadow memory for trusted
applications is now mapped during ldelf loading. CFG_TA_SANITIZE_KADDRESS
acts as a global flag and propagates to all internal and external TAs.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

asan: add ldelf support and user shadow mapping infrastructure

This commit enables ASan support in ldelf and introduces infrastructure
for mapping ASan shadow regions in user space. With these chang

asan: add ldelf support and user shadow mapping infrastructure

This commit enables ASan support in ldelf and introduces infrastructure
for mapping ASan shadow regions in user space. With these changes,
ASan built with CFG_CORE_SANITIZE_KADDRESS is no longer limited to
the core and can also operate in ldelf.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: asan: support multiple shadow regions

Replace the single shadow range with a list of shadowed virtual regions.
Access validation is performed per-region: an access is considered inside
sha

libutils: asan: support multiple shadow regions

Replace the single shadow range with a list of shadowed virtual regions.
Access validation is performed per-region: an access is considered inside
shadow memory only if it is fully contained within a single registered
region. The access is considered out of shadow memory if it does not
intersect any registered shadow region.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: move ASan runtime and tests from core to libutils

This patch relocates the ASan runtime and its self-tests from the core
to libutils/ext. While ASan is still only enabled for the TEE core,

libutils: move ASan runtime and tests from core to libutils

This patch relocates the ASan runtime and its self-tests from the core
to libutils/ext. While ASan is still only enabled for the TEE core, this
refactoring removes core-specific placement and makes the code
available to other components.

The main benefit is that ASan support and the test helpers can now be
potentially reused by ldelf and TAs in the future, instead of being
tied to the core build. The existing ASan core behaviour is unchanged.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: hisilicon: fix qp memory leak

Fix the null pointer access issue for hisilicon QM driver.

Fixes: c7f9abcee87f ("drivers: implement HiSilicon Queue Management (QM) module")
Signed-of

drivers: crypto: hisilicon: fix qp memory leak

Fix the null pointer access issue for hisilicon QM driver.

Fixes: c7f9abcee87f ("drivers: implement HiSilicon Queue Management (QM) module")
Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Acked-by: Zexi Yu <yuzexi@hisilicon.com>

show more ...

core: pta: system: check zero-length in system_map_zi()

Add a check against allocating and mapping 0 bytes zero initialized
memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewe

core: pta: system: check zero-length in system_map_zi()

Add a check against allocating and mapping 0 bytes zero initialized
memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

core: kernel: bump transfer list to spec version 2.0

Update the transfer list library to implement specification version 2.0,
as versions 1.0 and 0.9 have been withdrawn [1]. The primary change is
s

core: kernel: bump transfer list to spec version 2.0

Update the transfer list library to implement specification version 2.0,
as versions 1.0 and 0.9 have been withdrawn [1]. The primary change is
switching the checksum calculation from an XOR sum to a byte-wise sum.
This aligns the implementation with the updated specification and with
behavior already used in existing deployments.

1. https://github.com/FirmwareHandoff/firmware_handoff/pull/80

Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: fix mx8mpevk optee memory layout

Mostly all i.MX OP-TEE platforms place OP-TEE at the end of the
available memory. Since the i.MX8MP-EVK has 6GiB RAM we need to set
CFG_LPAE_ADDR_SPACE_BI

core: imx: fix mx8mpevk optee memory layout

Mostly all i.MX OP-TEE platforms place OP-TEE at the end of the
available memory. Since the i.MX8MP-EVK has 6GiB RAM we need to set
CFG_LPAE_ADDR_SPACE_BITS accordingly else OP-TEE uses 32-bit and can't
access the memory above.

The fix uses the same amount of bits as used for CFG_CORE_ARM64_PA_BITS.

Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: fix protmem overlap in check_reg_shm_conflict()

Prior to this patch, check_reg_shm_conflict() would miss checking the
last page of a registered shared memory if it had a non-zero page_offset
o

core: fix protmem overlap in check_reg_shm_conflict()

Prior to this patch, check_reg_shm_conflict() would miss checking the
last page of a registered shared memory if it had a non-zero page_offset
or a page-unaligned mobj.size. So fix it and ensure the final page is
included in the conflict check by accounting for the page_offset and any
remaining unaligned bytes in the size.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

core: fs: report key manager initialization failure

Some platforms may fail at deriving the Hardware Unique Key (HUK).

When the HUK cannot be retrieved, the secure storage subsystem cannot
derive t

core: fs: report key manager initialization failure

Some platforms may fail at deriving the Hardware Unique Key (HUK).

When the HUK cannot be retrieved, the secure storage subsystem cannot
derive the Secure Storage Key (SSK). In this case secure storage is not
usable and the key manager initialization fails.

Emit an explicit error message when SSK derivation fails so that the
reason for secure storage being unavailable is visible in the logs.

This is particularly useful on platforms such as Versal where fuse
access depends on external firmware components.

Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: relax CFG_DDR_SIZE decision

The overall NS DRAM size can be passed via DT if CFG_EXTERNAL_DT is
enabled. So don't throw an error in case no size was specified.

Reviewed-by: Sahil Malhotr

core: imx: relax CFG_DDR_SIZE decision

The overall NS DRAM size can be passed via DT if CFG_EXTERNAL_DT is
enabled. So don't throw an error in case no size was specified.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: document reconfiguration requirements

Document why the reconfiguration is required.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@

drivers: imx: tzc380: document reconfiguration requirements

Document why the reconfiguration is required.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: add support to discover nsec_dram dynamically

Convert the driver to use the new core_mmu_for_each_nsec_ddr() to allow
dynamic configurations of the NS DRAM region(s). The DRAM

drivers: imx: tzc380: add support to discover nsec_dram dynamically

Convert the driver to use the new core_mmu_for_each_nsec_ddr() to allow
dynamic configurations of the NS DRAM region(s). The DRAM configuration
parsed by the OP-TEE core is either based on:
- manifest-dt
- external-dt
- internal/embedded-dt
- builtin compile-time defines

This logic allows the imx-tzc380 driver to use the runtime information
provided by an external DT. The compile-time builtin defines are used if
no external DT is found or the external DT doesn't contain any memory
information.

For plat-imx this mapps to register_ddr(CFG_DRAM_BASE, CFG_DDR_SIZE),
which is equivalent to
imx_tzc_auto_configure(CFG_DRAM_BASE, CFG_DDR_SIZE, TZC_ATTR_SP_NS_RW).

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: mm: add core_mmu_for_each_nsec_ddr support

Currently all TZC drivers implement the nsec_ddr configuration via
compile time configuration switches. This fact is not ideal for
platforms which ha

core: mm: add core_mmu_for_each_nsec_ddr support

Currently all TZC drivers implement the nsec_ddr configuration via
compile time configuration switches. This fact is not ideal for
platforms which have various DRAM settings.

OP-TEE already supports discovering the nsec_ddr chunks during the early
boot process but doesn't expose this information. Therefore this foreach
helper is added which can be used by the TZC drivers to address the
above use-case.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: refactor region number handling

Move the region number handling into imx_tzc_auto_configure(), to make
it possible to call the helper without ext. required context.

This is re

drivers: imx: tzc380: refactor region number handling

Move the region number handling into imx_tzc_auto_configure(), to make
it possible to call the helper without ext. required context.

This is required for the upcoming dynamic ddr size configuration.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: add support to check TZASC enable state

If OP-TEE is used the TZASC should be enabled to validate the memory
access. This adds the initial support for the i.MX6 and i.MX8M to c

drivers: imx: tzc380: add support to check TZASC enable state

If OP-TEE is used the TZASC should be enabled to validate the memory
access. This adds the initial support for the i.MX6 and i.MX8M to check
if the TZASC is enabled and throw a panic if not.

Once all platforms are covered this CFG_TZASC_CHECK_ENABLED should be
removed and the check should be done by default to enforce that the
TZASC is running.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: add support to verify region0

There are platforms where memory aliasing can't be prevented, e.g. the
i.MX8M. If the previous running firmware configured region0, which
covers t

drivers: imx: tzc380: add support to verify region0

There are platforms where memory aliasing can't be prevented, e.g. the
i.MX8M. If the previous running firmware configured region0, which
covers the whole AXI address space, to be accessible from secure and
non-secure world the OP-TEE core memory would be accessible via memory
aliasing.

To prevent such attacks we need to ensure that region0 is accessible
from the secure world only.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: tzc380: add tzc_verify_region0_secure helper

Add a helper which verifies that region0 is only accessible by the
secure world.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Review

drivers: tzc380: add tzc_verify_region0_secure helper

Add a helper which verifies that region0 is only accessible by the
secure world.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...