core: arm: remove $(libgcccore) usage

Remove all remaining $(libgcccore) usage now that
lib/libutils/compiler-rt provides the needed bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: arm: remove $(libgcccore) usage

Remove all remaining $(libgcccore) usage now that
lib/libutils/compiler-rt provides the needed bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: kernel: dt_driver: variable may be unused

Fix the following warning with Clang 18.6.1:

core/kernel/dt_driver.c:456:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-vari

core: kernel: dt_driver: variable may be unused

Fix the following warning with Clang 18.6.1:

core/kernel/dt_driver.c:456:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
456 | unsigned int count = 0;
| ^

Indeed, when CFG_TEE_CORE_LOG_LEVEL <= 2, the value of count is never
read.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the loa

core: ffa: reserve physical memory for manifest

With CFG_CORE_SEL2_SPMC=y (Hafnium as SPMC at S-EL2), the FF-A manifest
passed to OP-TEE resides in the memory reserved for OP-TEE just before
the load address. The physical memory pool is initialized with the entire
range of secure memory, with holes carved out for already used memory.

Temporarily allocate the physical memory used by the manifest until it's
not needed any longer and released by release_manifest_dt().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fs_htree: Fix AAD length when CFG_REE_FS_HTREE_HASH_SIZE_COMPAT=y

Correct the hash size declared in AAD length declared in REE FS hash
tree authentication sequence when CFG_REE_FS_HTREE_HASH_S

core: fs_htree: Fix AAD length when CFG_REE_FS_HTREE_HASH_SIZE_COMPAT=y

Correct the hash size declared in AAD length declared in REE FS hash
tree authentication sequence when CFG_REE_FS_HTREE_HASH_SIZE_COMPAT is
enabled in which case the hash is truncated to the size of the
FEK key (TEE_FS_HTREE_FEK_SIZE).

The issue has currently no impact since REE FS hash tree authentication
is based on AES-GCM but it would be of importance if, for example, one
moves to an AES-CCM scheme while still enabling
CFG_REE_FS_HTREE_HASH_SIZE_COMPAT (even if unlikely to happen).
To prevent such issue in the future, let's declare the effectively
used hash size.

Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Link: https://github.com/OP-TEE/optee_os/pull/7340/commits/087325faec7c057a638cca80f0549e9abe49f190#r2024716984
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-k3: drivers: add platform flavors for 62A and 62P devices

Even though the SA2UL integration on the AM62Ax and AM62Px platforms are
functionally identical to the AM62x platforms many, when build

plat-k3: drivers: add platform flavors for 62A and 62P devices

Even though the SA2UL integration on the AM62Ax and AM62Px platforms are
functionally identical to the AM62x platforms many, when building
OP-TEE manually, are using the platform name they are building for and
not 'am62x' which leaves SA2UL_BASE undefined and to failed builds:

In file included from core/include/mm/core_memprot.h:9,
from core/include/kernel/interrupt.h:10,
from core/arch/arm/plat-k3/drivers/sa2ul_rng.c:12:
core/arch/arm/plat-k3/./platform_config.h:91:34: error: ‘SA2UL_BASE’ undeclared here (not in a function); did you mean ‘SCU_BASE’?
91 | #define RNG_BASE (SA2UL_BASE + 0x10000)
| ^~~~~~~~~~

For now let's just define the AM62Ax and AM62Px platform flavors
identical to how AM62x is defined and include an #else statement to
catch when a undefined platform flavor tries to build the SA2UL driver

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Bryan Brattlof <bb@ti.com>

show more ...

crypto: stm32: fix stm32_saes CTR mode on small input buffers

Fix missing cast when saving pre-computed masks in STM32 SAES driver
CTR implementation when several small input data is provided to
the

crypto: stm32: fix stm32_saes CTR mode on small input buffers

Fix missing cast when saving pre-computed masks in STM32 SAES driver
CTR implementation when several small input data is provided to
the update handler.

The issue is revealed by xtest regression_4017 when run with at least
level 12, e.g. "xtest -l 15 regression_4017".

Fixes: 4320f5cf30c5 ("crypto: stm32: SAES cipher support")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: stm32: fix stm32_cryp CTR mode on small input buffers

Fix missing cast when saving pre-computed masks in STM32 CRYP driver
CTR implementation when several small input data is provided to
the

crypto: stm32: fix stm32_cryp CTR mode on small input buffers

Fix missing cast when saving pre-computed masks in STM32 CRYP driver
CTR implementation when several small input data is provided to
the update handler.

The issue could be found, for example, by assigning STM32 CRYP to OP-TEE
in stm32mp1-157C_DK2 board DTS file (patch below) and running xtest
regression_4017 with level 15 ("xtest -l 15 regression_4017").

Example of a patch on stm32mp157c-dk2.dts file to use CRYP driver for
AES operations:
+&cryp1 { status = "okay"; };
+
&etzpc {
st,decprot =
(...)
- <DECPROT(STM32MP1_ETZPC_CRYP1_ID, DECPROT_NS_RW, DECPROT_UNLOCK)>,
+ <DECPROT(STM32MP1_ETZPC_CRYP1_ID, DECPROT_S_RW, DECPROT_UNLOCK)>,
(...)
}

Fixes: 5e64ae6796b7 ("crypto: stm32: use CRYP IP for CIPHER algorithms")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution.

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution. This can lead to an inconsistent state if a
native interrupt occur while ftrace_enter() or ftrace_return() is
recording data in the ftrace buffer. So fix this by using
thread_is_in_normal_mode() to exclude ftrace during interrupt
processing.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7216
Fixes: 099918f6744c ("ftrace: Add support for syscall function tracer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

drivers: sam: fix getting interrupts from DT

The issue is found on sama5d2 platform.
Get interrupt fails due to the change of function parameter (from
count by bytes to count by words), fixed by mak

drivers: sam: fix getting interrupts from DT

The issue is found on sama5d2 platform.
Get interrupt fails due to the change of function parameter (from
count by bytes to count by words), fixed by making corresponding
changes to the function called later.

Fixes: 63873401cb04 ("core: interrupt: fix property count in dt_get_irq_type_prio()")
Signed-off-by: Tony Han <tony.han@microchip.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fs_htree: Fix wrong AAD length in authenc_init()

In authenc_init(), AAD length field passed to
crypto_authenc_init() does not match with the total
AAd data passed via crypto_authenc_update_aad

core: fs_htree: Fix wrong AAD length in authenc_init()

In authenc_init(), AAD length field passed to
crypto_authenc_init() does not match with the total
AAd data passed via crypto_authenc_update_aad() for
lower layer crypto computation.

To fix this issue and to support the legacy without
breaking existing REE file system content, introduce
a config CFG_REE_FS_HTREE_HASH_SIZE_COMPAT.

By default this config is enabled to support the legacy
REE FS hash tree that uses truncated hash implementation.

Link: https://github.com/OP-TEE/optee_os/issues/7331
Signed-off-by: Anil Kumar Reddy <areddy3@marvell.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: update recorded SP first after MMU is enabled

With CFG_CORE_ASLR=y, stored addresses must be updated after MMU has
been enabled to match the map offset. In particular the recorded stack
p

core: arm: update recorded SP first after MMU is enabled

With CFG_CORE_ASLR=y, stored addresses must be updated after MMU has
been enabled to match the map offset. In particular the recorded stack
pointers in thread_core_local[] must be updated to match the new offset
before any calls can be done into C code or check_stack_limits() with
CFG_CORE_DEBUG_CHECK_STACKS=y might catch an inconsistent stack pointer.

Currently, boot_mem_relocate() is called before the recorded stack
pointers have been updated and causes a crash with CFG_CORE_ASLR=y and
CFG_CORE_DEBUG_CHECK_STACKS=y. So fix this by calling delaying the call
to boot_mem_relocate() to after the stack pointers in
thread_core_local[] has been updated.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7363
Fixes: ea991d7459f6 ("core: arm: remove THREAD_CORE_LOCAL_STACKCHECK_RECURSION")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: riscv: allow enabling CFG_WITH_STACK_CANARIES

Remove force disablement of randomized stack canary for OP-TEE core.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin

core: riscv: allow enabling CFG_WITH_STACK_CANARIES

Remove force disablement of randomized stack canary for OP-TEE core.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: riscv: support random stack canaries for stack protector

Call plat_get_random_stack_canaries() and update the value of
__stack_chk_guard during early initialization, so that the
random stack c

core: riscv: support random stack canaries for stack protector

Call plat_get_random_stack_canaries() and update the value of
__stack_chk_guard during early initialization, so that the
random stack canaries can be used to detect stack overflow
and buffer overflow.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Co-developed-by: Alvin Chang <alvinga@andestech.com>
Signed-off-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: move plat_get_random_stack_canaries() to common part

Other architectures (e.g. RISC-V) may want to call
plat_get_random_stack_canaries() for random stack
canaries. Move it from ARM architectur

core: move plat_get_random_stack_canaries() to common part

Other architectures (e.g. RISC-V) may want to call
plat_get_random_stack_canaries() for random stack
canaries. Move it from ARM architecture directory
to common part.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Co-developed-by: Alvin Chang <alvinga@andestech.com>
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix configuration to disable stack protector

Fix the configuration to explicitly disable the compile
option of core stack protector.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
R

core: fix configuration to disable stack protector

Fix the configuration to explicitly disable the compile
option of core stack protector.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

core: fix discovered ns-mem check

When discovering or assigning available non-secure physical memory it's
checked against overlaps with other memory types. Memory types reserving
virtual memory spac

core: fix discovered ns-mem check

When discovering or assigning available non-secure physical memory it's
checked against overlaps with other memory types. Memory types reserving
virtual memory space should be excluded including the two recently added
types MEM_AREA_NEX_DYN_VASPACE and MEM_AREA_TEE_DYN_VASPACE. This was
missed when the memory types where added so add the check to exclude
them now.

This fixes an error like:
E/TC:0   check_phys_mem_is_outside:455 Non-sec mem (0:0x60000000) overlaps map (type 10 0:0x100000)
E/TC:0   Panic at core/mm/core_mmu.c:459 <check_phys_mem_is_outside>

Fixes: 96f43358c593 ("core: add nex_dyn_vaspace and tee_dyn_vaspace areas")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: imx: disable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID with se05x

Commit fc80dabbd5a7 ("core: imx: enable
CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID by default") created a
regression when se05x

core: imx: disable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID with se05x

Commit fc80dabbd5a7 ("core: imx: enable
CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID by default") created a
regression when se05x is used on iMX platforms, as its own
implementation of tee_otp_get_die_id cannot be called so early in the
boot process, since the stack itself is not properly initialized at that
time.

Forcely disable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID when se05x is
used to restore back to the previous working behavior.

Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Acked-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>

show more ...

drivers: stm32_rifsc: remove semaphore acquisition when applying the conf

Remove the semaphore acquisition when applying the configuration
so that they are taken, if necessary, during the firewall b

drivers: stm32_rifsc: remove semaphore acquisition when applying the conf

Remove the semaphore acquisition when applying the configuration
so that they are taken, if necessary, during the firewall bus probe.
This avoids semaphores from being taken by OP-TEE when the peripheral
isn't used.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

tree wide: fix header files dependencies in linker files

When linking with a generated linker script like kern.ld.S, dependencies
with header file are not regenerated.
Same issue as
commit acdc32afe

tree wide: fix header files dependencies in linker files

When linking with a generated linker script like kern.ld.S, dependencies
with header file are not regenerated.
Same issue as
commit acdc32afe18f ("mk/compile.mk: fix header dependency in .d file")

Add option -MP used to fix error generated when removing header files.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: ffa: enable FF-A version 1.2 for virtualization

With Xen version 4.20 released we can announce version 1.2 for OP-TEE
when negotiating the version to use. So remove the special check for

core: arm: ffa: enable FF-A version 1.2 for virtualization

With Xen version 4.20 released we can announce version 1.2 for OP-TEE
when negotiating the version to use. So remove the special check for
CFG_NS_VIRTUALIZATION=y when exchanging versions.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: imx_csu: add SA settings for i.MX6ULL

Add the CSU SA settings for i.MX6ULL. The i.MX6ULL implements the same
non-Trustzone aware masters as the i.MX6UL, so the same settings can be
used. Th

drivers: imx_csu: add SA settings for i.MX6ULL

Add the CSU SA settings for i.MX6ULL. The i.MX6ULL implements the same
non-Trustzone aware masters as the i.MX6UL, so the same settings can be
used. This setting ensures that no non-TrustZone aware master is able
to read secure memory. Information on the CSU SA register values were
taken from i.MX6ULL Security Reference Manual rev 0.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>

show more ...

core: riscv: add SiFive Unleashed and Unmatched board support

Add SiFive Unleashed and Unmatched board support.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland

core: riscv: add SiFive Unleashed and Unmatched board support

Add SiFive Unleashed and Unmatched board support.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Acked-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: drivers: support SiFive UART

Add sifive uart support.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zo

core: drivers: support SiFive UART

Add sifive uart support.

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Acked-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: kernel: support booting non-contiguous non-zero-based hart IDs

Currently, OP-TEE assumes 0 <= hartid < CFG_TEE_CORE_NB_CORE,
and must be contiguous, which fails to accommodate different
CPU t

riscv: kernel: support booting non-contiguous non-zero-based hart IDs

Currently, OP-TEE assumes 0 <= hartid < CFG_TEE_CORE_NB_CORE,
and must be contiguous, which fails to accommodate different
CPU topologies. For example, some RISC-V platforms, such as
the HiFive Unmatched board, do not run Linux and OP-TEE on
hart0, as it is a monitor core without supervisor mode support.

To address this, introduce hart_index, which is used to index
per-hart structures, such as thread_core_local and root_pgt.
The hart_index will range from 0 to (CFG_TEE_CORE_NB_CORE - 1),
and the primary hart will have an index of 0.

Additionally, a new function, boot_primary_init_core_ids(),
is added to initialize secondary hart IDs for booting via
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>

show more ...

riscv: kernel: sbi: introduce sbi_hsm_hart_get_status() function

Introduce sbi_hsm_hart_get_status() function and add comment for
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@

riscv: kernel: sbi: introduce sbi_hsm_hart_get_status() function

Introduce sbi_hsm_hart_get_status() function and add comment for
sbi_hsm_hart_start().

Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
Reviewed-by: Zong Li <zong.li@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...