core: mm: factor out virtual address range validation to arch code

Move virtual address range validation into architecture-specific
code since different architectures have different constraints on
v

core: mm: factor out virtual address range validation to arch code

Move virtual address range validation into architecture-specific
code since different architectures have different constraints on
valid VA ranges:

- For ARM, addresses must be within the VA width supported by the MMU
- For RISC-V, additional checks are needed on RV64 to ensure addresses
are canonically valid

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

riscv: mm: fix map_offset data type

Fix the data type of map_offset to allow storing 64-bit
offset on RV64.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alving

riscv: mm: fix map_offset data type

Fix the data type of map_offset to allow storing 64-bit
offset on RV64.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mm: refactor ASLR mapping for architecture support

To allow adding RISC-V ASLR support, add arch_aslr_base_addr()
which will be used to apply architecture specific ASLR base
calculation.

Sign

core: mm: refactor ASLR mapping for architecture support

To allow adding RISC-V ASLR support, add arch_aslr_base_addr()
which will be used to apply architecture specific ASLR base
calculation.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

spmc: fix FF-A manifest boot-order handling

According to the official manifest binding documentation [1], all
integer properties must be defined as 32-bit wide DTB properties.
However, the OP-TEE SP

spmc: fix FF-A manifest boot-order handling

According to the official manifest binding documentation [1], all
integer properties must be defined as 32-bit wide DTB properties.
However, the OP-TEE SPMC previously implemented the boot-order property
as a 16-bit value. This patch corrects that inconsistency by adding
support for the correct 32 bit representation while keeping backwards
compatibility.

Recent changes in TF-A’s build tooling have broken support for manifest
files using the "/bits/" width specifier. This update restores
compatibility by eliminating the need to use them.

[1] FF-A Manifest Binding
Link: https://trustedfirmware-a.readthedocs.io/en/v2.12.0/components/ffa-manifest-binding.html

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: stm32_rifsc: fix RIMU configuration parsing

The RIF configuration of the first RIMU was incorrectly parsed over and
over again for each RIMU. Fix this by using the index that represents
the

drivers: stm32_rifsc: fix RIMU configuration parsing

The RIF configuration of the first RIMU was incorrectly parsed over and
over again for each RIMU. Fix this by using the index that represents
the RIMU ID.

Fixes: cd187630b280 ("drivers: add stm32 RIFSC support")
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_rifsc: remove redundant and incorrect parsing of RIMU conf

In case we're not TDCID, we cannot configure RIMUs. Plus, the call was
redundant with the lines above.

Fixes: 471cec144fa3

drivers: stm32_rifsc: remove redundant and incorrect parsing of RIMU conf

In case we're not TDCID, we cannot configure RIMUs. Plus, the call was
redundant with the lines above.

Fixes: 471cec144fa3 ("drivers: stm32_rifsc: update RIFSC as a firewall controller")
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_hpdma: implement transient CID0 on AHB errata for HPDMAs

On stm32mp2x SoCs, when an AHB busy signal is inserted during a
transaction, a ghost CID0 is generated on the bus. If the comp

drivers: stm32_hpdma: implement transient CID0 on AHB errata for HPDMAs

On stm32mp2x SoCs, when an AHB busy signal is inserted during a
transaction, a ghost CID0 is generated on the bus. If the compartment
filtering is enabled on RISAB3/4/5, this transient CID0 is interpreted
as a fault access by RISAB3/4/5 which aborts current access and returns
an IAC. Described in section 2.3.21 of errata sheet available here: [1].
Therefore, when CID filtering is enabled on RISAB, we must ban CID0 as
a possible CID value configured for any initiator on the bus.
This avoids a conflict between an initiator holding CID0 and the
transient CID0.

When "st,errata-ahbrisab" is set in the device tree, HPDMA channels cannot
hold the CID0 value on the bus.

Link: https://www.st.com/resource/en/errata_sheet/es0598-stm32mp23xx25xx-device-errata-stmicroelectronics.pdf [1]
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_rifsc: implement transient CID0 on AHB errata for RIMUs

On stm32mp2x SoCs, when an AHB busy signal is inserted during a
transaction, a ghost CID0 is generated on the bus. If the compa

drivers: stm32_rifsc: implement transient CID0 on AHB errata for RIMUs

On stm32mp2x SoCs, when an AHB busy signal is inserted during a
transaction, a ghost CID0 is generated on the bus. If the compartment
filtering is enabled on RISAB3/4/5, this transient CID0 is interpreted
as a fault access by RISAB3/4/5 which aborts current access and returns
an IAC. Described in section 2.3.21 of errata sheet available here: [1].
Therefore, when CID filtering is enabled on RISAB, we must ban CID0 as
a possible CID value configured for any initiator on the bus.
This avoids a conflict between an initiator holding CID0 and the
transient CID0.

When "st,errata-ahbrisab" is set in the device tree, RIMUs cannot hold
the CID0 value on the bus.

Link: https://www.st.com/resource/en/errata_sheet/es0598-stm32mp23xx25xx-device-errata-stmicroelectronics.pdf [1]
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_risab: implement transient CID0 on AHB errata for RISAB

On stm32mp2x SoCs, when an AHB busy signal is inserted during a
transaction, a ghost CID0 is generated on the bus. If the compa

drivers: stm32_risab: implement transient CID0 on AHB errata for RISAB

On stm32mp2x SoCs, when an AHB busy signal is inserted during a
transaction, a ghost CID0 is generated on the bus. If the compartment
filtering is enabled on RISAB3/4/5, this transient CID0 is interpreted
as a fault access by RISAB3/4/5 which aborts current access and returns
an IAC. Described in section 2.3.21 of errata sheet available here: [1].
Therefore, when CID filtering is enabled on RISAB, we must ban CID0 as
a possible CID value configured for any initiator on the bus.
This avoids a conflict between an initiator holding CID0 and the
transient CID0.

Force authorize CID0 access on RISAB so that it can always access
memories protected by RISABs when the "st,errata-ahbrisab" property is
set in the device tree.

Link: https://www.st.com/resource/en/errata_sheet/es0598-stm32mp23xx25xx-device-errata-stmicroelectronics.pdf [1]
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

caam: fix compilation when CFG_NXP_CAAM_AE_* are disabled

Similarly to other CAAM modules, define empty function if CAAM AE is
not used, to avoid undefined reference to caam_ae_init().

Signed-off-b

caam: fix compilation when CFG_NXP_CAAM_AE_* are disabled

Similarly to other CAAM modules, define empty function if CAAM AE is
not used, to avoid undefined reference to caam_ae_init().

Signed-off-by: Pavel Löbl <pavel@loebl.cz>
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Add support for setting KEYREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_KEYREV. This
allows for incrementing the key revision counter.

Signed-off-by: Andrew

plat-k3: drivers: ti-sci: Add support for setting KEYREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_KEYREV. This
allows for incrementing the key revision counter.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Add support for setting SWREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_SWREV. This
allows for incrementing the software revision counter.

Signed-off-by: And

plat-k3: drivers: ti-sci: Add support for setting SWREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_SWREV. This
allows for incrementing the software revision counter.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Fix struct name in comments for OTP functions

A couple of the documented names for the OTP functions do not match
the struct names being documented. Fix this.

Signed-off-b

plat-k3: drivers: ti-sci: Fix struct name in comments for OTP functions

A couple of the documented names for the OTP functions do not match
the struct names being documented. Fix this.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_iwdg: check for error on clk_enable during probe

Check for the error returned by clk_enable() during the driver's
probe.
While there, if watchdog is started but we cannot control it,

drivers: stm32_iwdg: check for error on clk_enable during probe

Check for the error returned by clk_enable() during the driver's
probe.
While there, if watchdog is started but we cannot control it,
trigger panic instead of return error. This also avoids adding
useless clk_disable() in the error exit path.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_iwdg: add get_timeleft watchdog handler

Implement .get_timeleft() watchdog operation handler for non-secure
world to query the watchdog device state. System time is logged at each
wat

drivers: stm32_iwdg: add get_timeleft watchdog handler

Implement .get_timeleft() watchdog operation handler for non-secure
world to query the watchdog device state. System time is logged at each
watchdog refresh to estimate time remaining before the watchdog elapses.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: wdt: add implementation of SMCWD_GET_TIMELEFT

Implement watchdog SMC service SMCWD_GET_TIMELEFT that is optional
and allows non-secure world to get information on watchdog state.
The servic

drivers: wdt: add implementation of SMCWD_GET_TIMELEFT

Implement watchdog SMC service SMCWD_GET_TIMELEFT that is optional
and allows non-secure world to get information on watchdog state.
The service is supported by new watchdog driver operation handler
get_timeleft.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_iwdg: remove OTP access in driver

Now we know if the watchdog is running by reading the hardware,
there is no need to read the OTP fuses related to the watchdog.
This allows removing

drivers: stm32_iwdg: remove OTP access in driver

Now we know if the watchdog is running by reading the hardware,
there is no need to read the OTP fuses related to the watchdog.
This allows removing platform function stm32_get_iwdg_otp_config()
and consequently stm32_iwdg.h header file.

Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_iwdg: probe if watchdog is running

Read from the hardware whether watchdog is already running when
core initializes. Relax timeout from 1 to 10ms to let the
watchdog warm-up when enab

drivers: stm32_iwdg: probe if watchdog is running

Read from the hardware whether watchdog is already running when
core initializes. Relax timeout from 1 to 10ms to let the
watchdog warm-up when enabled.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

plat-rockchip: rk3399: remove GIC configuration

From commit 773c05f417fa ("irqchip/gic-v3: Work around insecure GIC
integrations") in the Linux kernel it appears that the hardware
integration of the

plat-rockchip: rk3399: remove GIC configuration

From commit 773c05f417fa ("irqchip/gic-v3: Work around insecure GIC
integrations") in the Linux kernel it appears that the hardware
integration of the GIC500 isn't correct. For v6.13 kernels which
includes that commit this has the effect of OP-TEE printing and endless
stream of:
D/TC:0 0 gic_native_itr_handler:971 Special interrupt 1023

Fix this by removing GIC configuration for RK3399 so the device can be
used with v6.13 kernels and later.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: riscv: Call page_alloc_init()

Call page_alloc_init() from init_primary() after unused boot memory has
been released.

This commit is to synchronize the boot stages with ARM architecture,
intro

core: riscv: Call page_alloc_init()

Call page_alloc_init() from init_primary() after unused boot memory has
been released.

This commit is to synchronize the boot stages with ARM architecture,
introduced in commit 0e12fb0c2d75 ("core: arm: boot: call
page_alloc_init()") and commit 3e7d042b5d1e ("core: arm: boot: fix
calling page_alloc_init()").

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: kernel: Remove CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL

Now both ARM and RISC-V architectures support initialize
thread_core_local[current_core_pos] before calling C code. Thus, we can
deprecat

core: kernel: Remove CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL

Now both ARM and RISC-V architectures support initialize
thread_core_local[current_core_pos] before calling C code. Thus, we can
deprecate CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL and corresponding
code.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: riscv: Refactor boot

Move initialization of thread_core_local[] from very early to
boot_init_primary_late() and introduce boot_init_primary_runtime().

This commit is to synchronize the boot s

core: riscv: Refactor boot

Move initialization of thread_core_local[] from very early to
boot_init_primary_late() and introduce boot_init_primary_runtime().

This commit is to synchronize the boot stages with ARM architecture,
introduced in commit b5ec8152f3e5 ("core: arm: refactor boot") and
commit b0da0d592ac4 ("core: boot: add boot_init_primary_runtime()").

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: riscv: Remove init_sec_mon()

In RISC-V architecture, the secure monitor is always initialized before
jumping into OP-TEE. Thus, init_sec_mon() can be deprecated.

Signed-off-by: Alvin Chang <a

core: riscv: Remove init_sec_mon()

In RISC-V architecture, the secure monitor is always initialized before
jumping into OP-TEE. Thus, init_sec_mon() can be deprecated.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

shdr: add check for weak key sizes

Add a function is_weak_key_size(...), which checks whether a given key
size (in bits) complies with current security standards. If the key size
is lower than 2048,

shdr: add check for weak key sizes

Add a function is_weak_key_size(...), which checks whether a given key
size (in bits) complies with current security standards. If the key size
is lower than 2048, then it's considered deprecated and will make
signature verification fail. Note that this only affects verifying TA
and subkey signatures.

This change aligns with GlobalPlatform's decision, influenced by
feedback from ANSSI, BSI, SOGIS, and NIST. For further details on the
GlobalPlatform's cryptographic algorithm recommendations, see [1].

Link: https://globalplatform.org/specs-library/globalplatform-technology-cryptographic-algorithm-recommendations/ [1]
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

shdr: add SHA-224 to the deprecated algorithms

GlobalPlatform have based on feedback from different national body
organizations, such as ANSSI, BSI, SOGIS and NIST deprecated SHA-224.
Add TEE_ALG_SH

shdr: add SHA-224 to the deprecated algorithms

GlobalPlatform have based on feedback from different national body
organizations, such as ANSSI, BSI, SOGIS and NIST deprecated SHA-224.
Add TEE_ALG_SHA224 to the list of weak signature algorithms.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...