core: add more overflow checks in ree_fs_ta_open()

Adds more overflow checks in ree_fs_ta_open() and also checks that the
encrypted header (struct shdr_encrypted_ta) also fits in the size of the
TA

core: add more overflow checks in ree_fs_ta_open()

Adds more overflow checks in ree_fs_ta_open() and also checks that the
encrypted header (struct shdr_encrypted_ta) also fits in the size of the
TA binary.

The latter check is needed to guard against fabricated values in struct
shdr_encrypted_ta for iv_size and/or tag_size which could trick OP-TEE
to read beyond the end of the buffer where the TA was loaded.

Reading beyond the end of the TA buffer would normally result in a crash
or if there's a valid mappings just after just a failure to load the TA.
No unchecked code will be executed, but it may result in a secure world
crash.

So this commit will check that the iv_size and tag_size values can point
to a valid buffer before attempting to read and thus prevent a crash.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Patrik Lantz <Patrik.Lantz@axis.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add overflow check in SHDR_ENC_GET_SIZE()

Prior to this patch could the additions in the macro SHDR_ENC_GET_SIZE()
cause an integer overflow. So fix this by using the ADD_OVERFLOW() macro
and

core: add overflow check in SHDR_ENC_GET_SIZE()

Prior to this patch could the additions in the macro SHDR_ENC_GET_SIZE()
cause an integer overflow. So fix this by using the ADD_OVERFLOW() macro
and a helper function. In case of overflow return 0 which never can be a
correct size.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Patrik Lantz <Patrik.Lantz@axis.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate sp_ops using a __weak attribute instead

Breaks the dependency chain for sp_ops using the standard method with a
__weak symbol and an overriding symbol in link_dummies_paged.c.

Review

core: separate sp_ops using a __weak attribute instead

Breaks the dependency chain for sp_ops using the standard method with a
__weak symbol and an overriding symbol in link_dummies_paged.c.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, pager, Clang 12)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate stmm_sp_ops using a __weak attribute instead

Breaks the dependency chain for stmm_sp_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.

core: separate stmm_sp_ops using a __weak attribute instead

Breaks the dependency chain for stmm_sp_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.c.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate user_ta_ops using a __weak attribute instead

Breaks the dependency chain for user_ta_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.

core: separate user_ta_ops using a __weak attribute instead

Breaks the dependency chain for user_ta_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.c.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make __wq_rpc() static again

With dependency chains properly broken for various ops structs we can
make __wq_rpc() static again and remove it from link_dummies_paged.c.

Acked-by: Jerome Foris

core: make __wq_rpc() static again

With dependency chains properly broken for various ops structs we can
make __wq_rpc() static again and remove it from link_dummies_paged.c.

Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make __rodata_unpaged() symbols __weak

Makes the __rodata_unpaged tagged symbols __weak and non-static in order
to be overridden in core/arch/arm/kernel/link_dummies_paged.c. This
makes sure t

core: make __rodata_unpaged() symbols __weak

Makes the __rodata_unpaged tagged symbols __weak and non-static in order
to be overridden in core/arch/arm/kernel/link_dummies_paged.c. This
makes sure that these symbols doesn't bring in further symbols in the
unpaged section.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use separate sections for each __rodata_unpaged variable

Adds a mandatory argument to the macro __rodata_unpaged() to take the
name of the variable to put in the unpaged rodata section. This w

core: use separate sections for each __rodata_unpaged variable

Adds a mandatory argument to the macro __rodata_unpaged() to take the
name of the variable to put in the unpaged rodata section. This will
result in separate sections for each such variable and make it easier to
debug the pruning of the dependency tree for unpaged sections.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: don't call free_region() from paged function

Call free_region() directly from tee_pager_rem_um_region() instead
of the unpaged helper function rem_region(). This reduces the unpaged
par

core: pager: don't call free_region() from paged function

Call free_region() directly from tee_pager_rem_um_region() instead
of the unpaged helper function rem_region(). This reduces the unpaged
part with a few bytes.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: imx_i2c: add support for MX8MQ

Add support for iMX8MQ.

Signed-off-by: David Griego <david.griego@foundries.io>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklande

drivers: imx_i2c: add support for MX8MQ

Add support for iMX8MQ.

Signed-off-by: David Griego <david.griego@foundries.io>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat: rcar: fix second DDR bank address for m3_2x4g flavor

Due to mistake, NSEC_DDR_1_BASE was set to incorrect value. In fact, second
DDR bank begins at 0x480000000.

Signed-off-by: Volodymyr Babch

plat: rcar: fix second DDR bank address for m3_2x4g flavor

Due to mistake, NSEC_DDR_1_BASE was set to incorrect value. In fact, second
DDR bank begins at 0x480000000.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: fix split_region() to maintain order

Fixes split_region() to maintain the order of paged regions when a
region is split into two.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_page

core: pager: fix split_region() to maintain order

Fixes split_region() to maintain the order of paged regions when a
region is split into two.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1 w/ gp, stmm)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager fix alloc_merged_pgt_array()

Fix the logic for how a shared pgt is detected in
alloc_merged_pgt_array(). Without this there's a buffer overrun in the
pgt_array plus of course not quite

core: pager fix alloc_merged_pgt_array()

Fix the logic for how a shared pgt is detected in
alloc_merged_pgt_array(). Without this there's a buffer overrun in the
pgt_array plus of course not quite right pgt pointers in that array.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: fix split_region() pgt assignment

Fixes an error in how pgt_array is copied from the original paged region
into the new split off region.

Fixes: 4a3f6ad054d4 ("core: pager: let struct

core: pager: fix split_region() pgt assignment

Fixes an error in how pgt_array is copied from the original paged region
into the new split off region.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: fix increment calculation in tee_pager_set_um_region_attr()

With the introduction of the commit referred below may a paged region
span multiple translation tables, but tee_pager_set_um_

core: pager: fix increment calculation in tee_pager_set_um_region_attr()

With the introduction of the commit referred below may a paged region
span multiple translation tables, but tee_pager_set_um_region_attr()
wasn't updated to handle this. So fix this by accurately calculate
the increment in the main loop of that function.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-zynq7k: fix wrong argument ordering in NS world unlocking

A defect was introduced in 3.5.0 where the register value and address
in io_write32 are displaced, which eventually led to failure swit

plat-zynq7k: fix wrong argument ordering in NS world unlocking

A defect was introduced in 3.5.0 where the register value and address
in io_write32 are displaced, which eventually led to failure switching
to NS world.

Fixes: af4c7f4b3ad2 ("zynq7k: upgrade from write32() to io_write32() and friends")
Signed-off-by: Yan Yan <yan.yan@windriver.com>
Tested-by: Yan Yan <yan.yan@windriver.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-imx: add compulab iot-gate-imx8 board support

Support for Compulab IoT Gateway (imx8mm) platform.
(PLATFORM=imx-mx8mm_cl_iot_gate)

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
A

plat-imx: add compulab iot-gate-imx8 board support

Support for Compulab IoT Gateway (imx8mm) platform.
(PLATFORM=imx-mx8mm_cl_iot_gate)

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

libtomcrypt: fix rsa key generation public exponent

Fix libtomcrypt crypto_acipher_gen_rsa_key() to call rsa_make_key_bn_e()
API to generate a RSA key with a public exponent up to 256 bits.

RSA sta

libtomcrypt: fix rsa key generation public exponent

Fix libtomcrypt crypto_acipher_gen_rsa_key() to call rsa_make_key_bn_e()
API to generate a RSA key with a public exponent up to 256 bits.

RSA standard specify that public exponent e can be between 65537 (included)
and 2^256 (excluded).

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core_mmu: fix implicit behavior of core_mmu_add_mapping()

In core_mmu_add_mapping() requested physical address
rounded up/down to granule size (0x100000), which leads
to establishing of virtual mapp

core_mmu: fix implicit behavior of core_mmu_add_mapping()

In core_mmu_add_mapping() requested physical address
rounded up/down to granule size (0x100000), which leads
to establishing of virtual mappings with overlapped
physical counterparts. If two virtual mappings overlaps
due to such roundings, then following phys_to_virt() can
implicitly return result of virtual address from
unexpected mapping. This patch fix such behavior by
returning virtual address of newly established mapping.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Anton Rybakov <a.rybakov@omp.ru>

show more ...

rsa: add rsa key generate with public exponent upto 256 bits

Function rsa_make_key() limits the RSA key generates to a public
exponent of type long (32 bits or 64 bits).
RSA standard specify that pu

rsa: add rsa key generate with public exponent upto 256 bits

Function rsa_make_key() limits the RSA key generates to a public
exponent of type long (32 bits or 64 bits).
RSA standard specify that public exponent e can be between 65537 (included)
and 2^256 (excluded).

Add function rsa_make_key_ubin_e to use a hexadecimal public exponent.
Add function rsa_make_key_bn_e to use a bignumber public exponent
(op-tee).

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
[jf: cherry-pick commit 49556a8e606cfa37375324a6051833f3db916640 upstream]
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix populate_files() coverity warning

In populate_files() db->files is checked to be not NULL leading but at
another place db->nbits is checked instead before accessing db->files.
Both checks

core: fix populate_files() coverity warning

In populate_files() db->files is checked to be not NULL leading but at
another place db->nbits is checked instead before accessing db->files.
Both checks are OK since db->files mustn't be NULL if db->nbits is
larger than 0.

This confuses coverity to emit a warning, so change the function to
check db->nbits instead.

This fixes coverity scan:
CID 1501793 (#1 of 1): Dereference after null check (FORWARD_NULL)

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix tee_fs_dirfile_get_tmp() coverity warning

In tee_fs_dirfile_get_tmp() dirh->files is checked to be not NULL
leading but at another place dirh->nbits is checked instead before
accessing dir

core: fix tee_fs_dirfile_get_tmp() coverity warning

In tee_fs_dirfile_get_tmp() dirh->files is checked to be not NULL
leading but at another place dirh->nbits is checked instead before
accessing dirh->files. Both checks are OK since dirh->files mustn't be
NULL if dirh->nbits is larger than 0.

This confuses coverity to emit a warning, so change the function to
check dirh->nbits instead.

This fixes coverity scan:
CID 1501821 (#1 of 1): Dereference after null check (FORWARD_NULL)

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: update thread_smc() for SMCCC v1.2

SMC Calling Convention v1.2 allows returning result in r4-r7 in addition
to the already used r0-r3. In thread_smc() we're not using r4-r7 to
return a

core: arm32: update thread_smc() for SMCCC v1.2

SMC Calling Convention v1.2 allows returning result in r4-r7 in addition
to the already used r0-r3. In thread_smc() we're not using r4-r7 to
return a result, but the normal function calling convention requires
r4-r7 to be preserved so save and restore them.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FF-A: add missing break statements to spmc_sp_msg_handler()

Some break statements are missing in spmc_sp_msg_handler(). Add them.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jero

core: FF-A: add missing break statements to spmc_sp_msg_handler()

Some break statements are missing in spmc_sp_msg_handler(). Add them.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

plat: rcar: enable hardware RNG pseudo TA

Enable access of hardware entropy through HWRNG PTA.

Signed-off-by: Sergiy Kibrik <Sergiy_Kibrik@epam.com>
Reviewed-by: Jerome Forissier <jerome@forissier.

plat: rcar: enable hardware RNG pseudo TA

Enable access of hardware entropy through HWRNG PTA.

Signed-off-by: Sergiy Kibrik <Sergiy_Kibrik@epam.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...