drivers: crypto: drop useless & before function names

There is no need to use & on a function name to obtain the function
address. Drop the useless & characters.

Signed-off-by: Jerome Forissier <je

drivers: crypto: drop useless & before function names

There is no need to use & on a function name to obtain the function
address. Drop the useless & characters.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: drop useless & before function names

There is no need to use & on a function name to obtain the function
address. Drop the useless & characters.

Signed-off-by: Jerome Forissier <jero

drivers: caam: drop useless & before function names

There is no need to use & on a function name to obtain the function
address. Drop the useless & characters.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add a new API to interact with plugins from TA

This patch adds a new API to libutee to interact
with tee-supplicant plugins from TEE userspace.

Every user TA can use 'tee_invoke_supp_plugi

libutee: add a new API to interact with plugins from TA

This patch adds a new API to libutee to interact
with tee-supplicant plugins from TEE userspace.

Every user TA can use 'tee_invoke_supp_plugin()' to send any commands
to a plugin. The commands are predefined by the plugin developer.

See the https://github.com/linaro-swg/optee_examples
repo for an example of using plugins.

Signed-off-by: Aleksandr Anisimov <a.anisimov@omprussia.ru>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add a new RPC as an interface to tee-supplicant plugins

Any external TEE services can be designed as a tee-supplicant plugin.
The plugins will be loaded by the supplicant during startup proces

core: add a new RPC as an interface to tee-supplicant plugins

Any external TEE services can be designed as a tee-supplicant plugin.
The plugins will be loaded by the supplicant during startup process
using libdl.
It makes it easy to:
- add new features in the supplicant that aren't needed in upstream,
e.g. Rich OS specific services;
- sync upstream version with own fork;

This patch adds a new RPC - 'OPTEE_RPC_CMD_SUPP_PLUGIN' as an unified
interface between OP-TEE and any plugins. Kernel code can use it
to call for execution of some command in plugins.

Every plugin has own name based on UUID.
OP-TEE has access to plugins by it.

See definition of protocol for the plugin RPC command
in 'core/include/optee_rpc_cmd.h' file.

Signed-off-by: Aleksandr Anisimov <a.anisimov@omprussia.ru>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix shared memory buffer rpc allocation

When dynamic shared memory has been configured, contiguous shared
memory regions outside reserved SHM need to be included in the
allocation pool.

To ke

core: fix shared memory buffer rpc allocation

When dynamic shared memory has been configured, contiguous shared
memory regions outside reserved SHM need to be included in the
allocation pool.

To keep the implementation simple, we will restrict the size of these
allocations to a single page; we can then leverage the mechanism used
for the allocation of arguments.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

link: make section size definitions relocation-proof

Value of define VCORE_UNPG_RW_SZ is determined by linker script and
provided to C code as a symbol value (__vcore_unpg_rw_size). This is a
standa

link: make section size definitions relocation-proof

Value of define VCORE_UNPG_RW_SZ is determined by linker script and
provided to C code as a symbol value (__vcore_unpg_rw_size). This is a
standard way of sharing linker variables with C code, which is described in
ld manual.

Problem is that linker sometimes makes those symbols relocatable and ASLR
code then moves them to random places with rest of the OP-TEE image.

For example, on build for RCAR platform I am getting those entries in
relocation section:

[...]
000000004415b120 R_AARCH64_RELATIVE *ABS*+0x0000000044100180
000000004415af60 R_AARCH64_RELATIVE *ABS*+0x000000004415fc48
000000004415afb0 R_AARCH64_RELATIVE *ABS*+0x00000000000a4000 <======
000000004415aef8 R_AARCH64_RELATIVE *ABS*+0x000000004415c000
[...]

From programmer's point of view this looks like "constant" VCORE_UNPG_RW_SZ
has random value every boot.

Obvious approach is to provide section end address and then calculate size
on C side:

#define VCORE_UNPG_RW_SZ ((size_t)(__vcore_unpg_rx_end -
__vcore_unpg_rx_start))

But with this approach compiler can't initialize constant values in
definitions like

register_phys_mem_ul(MEM_AREA_TEE_RAM_RW, VCORE_UNPG_RW_PA,
VCORE_UNPG_RW_SZ);

from core_mmu.c.

Basically, this leads to following constraints:

1. If we calculate section size in linker script, then compiler can use
it as a constant expression, but this value may be mangled by ASLR
at run-time.

2. We can't calculate section size in C code, because this value can't be
used as a constant expression.

This patch provides a workaround around this issue by providing two sets of
definitions: old _SZ definition is renamed to _SZ_UNSAFE and it should be
used only in places where a constant expression is required and provided it
is referenced only before dynamic relocations have been applied, while the
new _SZ definition can be used in all other situations.

Value of _new SZ is obtained by deducting section start address from end
address. Additional linker symbols are introduced to provide section end
addresses.

Fixes: 170e9084a84f ("core: add support for CFG_CORE_ASLR")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: drop SDP PTA

Drop SDP PTA as it is not used anywhere and looks like isn't
maintained. When is CFG_SDP_PTA=y the build fails with
compile errors:

error: implicit declaration of function ‘

core: pta: drop SDP PTA

Drop SDP PTA as it is not used anywhere and looks like isn't
maintained. When is CFG_SDP_PTA=y the build fails with
compile errors:

error: implicit declaration of function ‘tee_ta_get_calling_session’;
did you mean ‘ts_get_calling_session’?
[-Werror=implicit-function-declaration]
...
error: ‘struct tee_ta_session’ has no member named ‘ctx’

Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: split boot_init_primary()

Splits boot_init_primary() into boot_init_primary_early() and
boot_init_primary_late(). The thread#0 stack pointer is assigned as
stack pointer before boot_init_prima

core: split boot_init_primary()

Splits boot_init_primary() into boot_init_primary_early() and
boot_init_primary_late(). The thread#0 stack pointer is assigned as
stack pointer before boot_init_primary_late() is called. This allows
functions registered to be called by call_finalcalls() to depend on the
full thread stack being available.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: optee_rpc_cmd.h: shorten some I2C defines

Make the I2C defines consistent with the rest of the defines in
optee_rpc_cmd.h.

Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Acked-by: Etie

core: optee_rpc_cmd.h: shorten some I2C defines

Make the I2C defines consistent with the rest of the defines in
optee_rpc_cmd.h.

Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: remove security check for i.MX6DQ

Recent commit cfff3778dae0 ("core: imx: remove security check for
i.MX6SDL") fixed an issue where i.MX6SDL SoC does not expose the
security configuration

core: imx: remove security check for i.MX6DQ

Recent commit cfff3778dae0 ("core: imx: remove security check for
i.MX6SDL") fixed an issue where i.MX6SDL SoC does not expose the
security configuration in the HPSR registers correctly.

This issue also affects i.MX6DQ. Let's add a check for this SoC
family in the same place.

Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Michael Scott <mike@foundries.io>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>

show more ...

driver: imx_wdog: search node by compatible

Instead of searching the node by hard-coded paths, search the node by
the compatible, which should be more robust against upstream device tree
changes. Up

driver: imx_wdog: search node by compatible

Instead of searching the node by hard-coded paths, search the node by
the compatible, which should be more robust against upstream device tree
changes. Upstream recently changed the naming of "aips-bus" to "bus",
breaking the OP-TEE i.MX Watchdog driver in the process, since the path
can no longer be found within the tree.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Tested-by: Ricardo Salveti <ricardo@foundries.io> (imx6ull evk, imx6q apalis-imx6, imx8mm evk, imx8mq evk)
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

drivers: imx_wdog: default initialize variables

Set all function variables to sensible defaults.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

core: fix bad memset() in update_write_helper()

update_write_helper() is clearing uninitialized parts of blk_buf.
There's an error in the logic calculating how much should be cleared
resulting in a

core: fix bad memset() in update_write_helper()

update_write_helper() is clearing uninitialized parts of blk_buf.
There's an error in the logic calculating how much should be cleared
resulting in a negative size being supplied to memset(). Fix this by
always clearing blk_buf before usage.

Fixes: cd799689cd3d ("core: rpmb: fix initialization of new rpmb data")
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix file handle leakage in syscall_storage_next_enum()

Prior to this patch was syscall_storage_next_enum() opening a file
handle with tee_svc_storage_read_head() but never freeing the handle.

core: fix file handle leakage in syscall_storage_next_enum()

Prior to this patch was syscall_storage_next_enum() opening a file
handle with tee_svc_storage_read_head() but never freeing the handle.
Fix this by closing the file handle as part of cleaning up before
returning.

Fixes: 928efd065222 ("core: syscall_storage_next_enum() use live pobj")
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ftrace: fix regression causing panic in ftrace_update_times()

Commit 00b3b9a25e76 ("core: add generic struct ts_session") has
introduced a regression in the ftrace code by introducing a call to
ts_g

ftrace: fix regression causing panic in ftrace_update_times()

Commit 00b3b9a25e76 ("core: add generic struct ts_session") has
introduced a regression in the ftrace code by introducing a call to
ts_get_current_session() in ftrace_update_times() in replacement of
tee_ta_get_current_session(). At this point it can happen that no
current session exists, in which case the function should simply return.
Unfortunately ts_get_current_session() will call panic() is such a
situation. The proper function is ts_get_current_session_may_fail().

Fixes: 00b3b9a25e76 ("core: add generic struct ts_session")
Fixes: https://github.com/OP-TEE/optee_os/issues/4313
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: rpmb: fix initialization of new rpmb data

Add memset() calls to ensure added object is extended with byte value 0
as specified in GPD TEE specification.

Fixes: 64c6d2917d12 ("core: rpmb fs us

core: rpmb: fix initialization of new rpmb data

Add memset() calls to ensure added object is extended with byte value 0
as specified in GPD TEE specification.

Fixes: 64c6d2917d12 ("core: rpmb fs uses mempool for temporary transfer buffers")
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: tee_rpmb_fs: Return error when block decryption fails

When decrypt_block fails (although unlikely) it shouldn't be silently
ignored. In such case the data in the buffer pointed to by *out is
u

core: tee_rpmb_fs: Return error when block decryption fails

When decrypt_block fails (although unlikely) it shouldn't be silently
ignored. In such case the data in the buffer pointed to by *out is
unmodified or bogus while the return code is TEE_SUCCESS.

Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: remove temporary external DT mapping

During boot the external DT is mapped while processing the DT. Once
OP-TEE is done with the DT it should be unmapped to avoid stale mappings
that might cau

core: remove temporary external DT mapping

During boot the external DT is mapped while processing the DT. Once
OP-TEE is done with the DT it should be unmapped to avoid stale mappings
that might cause problems later. Fix this by calling
core_mmu_rem_mapping() from release_external_dt() just before jumping to
normal world.

Fixes: https://github.com/OP-TEE/optee_os/issues/4278
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ifdef frag_id member in struct dt_descriptor

The frag_id member in struct dt_descriptor is only used if
CFG_EXTERNAL_DTB_OVERLAY is defined, so make it conditional.

Acked-by: Etienne Carriere

core: ifdef frag_id member in struct dt_descriptor

The frag_id member in struct dt_descriptor is only used if
CFG_EXTERNAL_DTB_OVERLAY is defined, so make it conditional.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_remove_mapping()

Adds core_mmu_remove_mapping() which removes mappings earlier added with
core_mmu_add_mapping().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acke

core: add core_mmu_remove_mapping()

Adds core_mmu_remove_mapping() which removes mappings earlier added with
core_mmu_add_mapping().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: remove security check for i.MX6SDL

The i.MX6SDL SoCs do not expose the security configuration in the HPSR
registers correctly, they always return SNVS_SECURITY_CFG_FAB (000),
however the

core: imx: remove security check for i.MX6SDL

The i.MX6SDL SoCs do not expose the security configuration in the HPSR
registers correctly, they always return SNVS_SECURITY_CFG_FAB (000),
however the SSM information is still exposed correctly.
Remove the check for the security configuration, since the bits all read
zero on these SoCs, even if they are securely booted.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

plat-imx, plat-rzn1: remove redundant recipes to generate tee-raw.bin

Since commit 5ae0290f7f3b ("core: kernel: link.mk: Move rules to generate
tee-raw.bin and tee.srec from rcar platform"), the rec

plat-imx, plat-rzn1: remove redundant recipes to generate tee-raw.bin

Since commit 5ae0290f7f3b ("core: kernel: link.mk: Move rules to generate
tee-raw.bin and tee.srec from rcar platform"), the recipe to produce
tee-raw.bin is in the common makefile core/arch/arm/kernel/link.mk.
Therefore the recipes in core/arch/arm/plat-imx/link.mk and
core/arch/arm/plat-rzn1/link.mk are redundant and need to be removed.
Fixes the following build warning:

$ make -s PLATFORM=imx-mx6ullevk
core/arch/arm/plat-imx/link.mk:7: warning: overriding recipe for target 'out/arm-plat-imx/core/tee-raw.bin'
core/arch/arm/kernel/link.mk:230: warning: ignoring old recipe for target 'out/arm-plat-imx/core/tee-raw.bin'

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

core: rpmb fs uses mempool for temporary transfer buffers

RPMB FS driver may allocates a temporary buffer of size the one provided
by userland caller. These may be big buffer of dozens of kbytes and

core: rpmb fs uses mempool for temporary transfer buffers

RPMB FS driver may allocates a temporary buffer of size the one provided
by userland caller. These may be big buffer of dozens of kbytes and may
exhaust the heap capacities. Change the implementation to use a 4kByte
temporary buffer to update RPMB data instead of an allocated buffer of
the object target size. RPMB FAT entry data is updated by chunks of the
temporary buffer size, and RPMB FAT meta data is updated afterwards as
prior this change.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-imx: do not enable CFG_CRYPTO_DRIVER with CFG_NXP_CAAM

Some IMX users might choose a different crypto driver (like the SE050)
but still require CAAM to provide the hardware unique key and perha

plat-imx: do not enable CFG_CRYPTO_DRIVER with CFG_NXP_CAAM

Some IMX users might choose a different crypto driver (like the SE050)
but still require CAAM to provide the hardware unique key and perhaps
the RNG - since reading the RNG over I2C can impact performance on
some platforms.

This commit allows for such configuration.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: ldelf: implement separate syscalls for ldelf

Implements a separate syscall handler for ldelf to decouple it from user
TAs and enable using it for all TSs. The calling convention is the same
as

core: ldelf: implement separate syscalls for ldelf

Implements a separate syscall handler for ldelf to decouple it from user
TAs and enable using it for all TSs. The calling convention is the same
as for utee_* syscalls. To distinguish between the different SVCs, the
syscall handler pointer is updated before entering ldelf and restored
after returning. The step of opening a system PTA session and invoking
the commands there is eliminated, the necessary functionality is
implemented in the ldelf syscall functions.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...