History log of /optee_os/core/ (Results 3476 – 3500 of 6495)
Revision Date Author Comments
a8fb1651 13-Nov-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: fix RPMB rollback vulnerability

Normal world is used to pass the RPMB request to the eMMC. If normal
world saves a write request and returns an error instead it can be used
at a later stage where OP-TEE doesn't expect a certain block to be
updated. For more details on possible attacks and mitigations see [1]
and [2].

The mitigation consists of two parts, while initializing and later how
each write request is handled.

While initializing the RPMB file system we don't have a spare dummy
block so the alternative method of reading a block and writing it again
is used instead.

For normal write request all errors after the request message has been
created will be retried 10 times. If a write request fails after 10
retries RPMB is disabled entirely until next boot. An eventual
requesting TA is with an unexpected error code since we can't tell if
the request has been committed to storage or not.

Link: [1] https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications
Link: [2] https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-replay-protected-memory-block-protocol-vulernabilities.pdf

Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

9f543cd3 17-Nov-2020 Jerome Forissier <jerome@forissier.org>

core: libtomcrypt: dh_make_key(): do not force bit 'xbits' to be 1

When xbits != 0, dh_make_key() generates a private key of size xbits as
specified by GP ("TEE_ATTR_DH_X_BITS: If present, constrains the private
value x to have [xbits] bits"). However, it also makes sure the top bit
of the private key is 1. Not only is it not required by the spec, it is
also a security vulnerability because it can drastically reduce the
acceptable range for the key: 2^(xbits-1) <= X <= P - 2.

Note: this brings the LTC implementation in line with the MBed TLS one,
see mbedtls_dhm_make_public().

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

652a36ef 17-Nov-2020 Jerome Forissier <jerome@forissier.org>

core: libtomcrypt: dh_make_key(): remove useless code

In dh_make_key(), random data is copied into key->x by
mp_read_unsigned_bin(), and immediately after key->x is overwritten
by mp_mod(). Remove the useless call.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

24d52e47 16-Nov-2020 Jerome Forissier <jerome@forissier.org>

core: print "TEE load address" message on abort

Commit 02d307b7db90 ("core: use libunw") has involuntarily removed the
"TEE load address @ ..." message when a TEE core abort occurs. This
information is essential to be able to resolve function addresses when
ASLR is enabled, and scripts/symbolize.py needs this line. Add it back.

Fixes: 02d307b7db90 ("core: use libunw")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

685d1524 02-Nov-2020 Cedric Neveux <cedric.neveux@nxp.com>

core: ltc: fix SM2 PKE memory leak

In function `sm2_ltc_pke_decrypt`, the ecc_point `S` was not deleted
if the following bignumber `h` initialization failed.

Fixes: f9a78287dd1 (core: ltc: add support for SM2 PKE)
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

d29cd2ef 08-Aug-2019 Cedric Neveux <cedric.neveux@nxp.com>

core: driver: generic resources for crypto device driver - ECC

Add a generic cryptographic ECC driver interface connecting
TEE Crypto generic APIs to HW driver interface

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

5328dfb1 02-Nov-2020 Cedric Neveux <cedric.neveux@nxp.com>

core: ltc: change SM2 PKE to use crypto_ecc_[public/keypair]_ops

Change the crypto_acipher_sm2_pke_encrypt and
crypto_acipher_sm2_pke_decrypt to use the crypto_ecc_public_ops and
crypto_ecc_keypair_ops methods.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

884fd190 02-Nov-2020 Cedric Neveux <cedric.neveux@nxp.com>

core: crypto: add encrypt/decrypt to crypto_ecc_[public/keypair]_ops

Add encrypt and decrypt methods to respectively the crypto_ecc_public_ops
and the crypto_ecc_keypair_ops structure.
Method used for the SM2 PKE algorithms.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

1fa655fc 07-Oct-2020 Cedric Neveux <cedric.neveux@nxp.com>

core: ltc: set SM2 ECC Keys operations

Change the SM2 DSA sign/verify to be called through the allocated ECC
keys operations like ECC sign/verify operations.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

08e47d6b 07-Oct-2020 Cedric Neveux <cedric.neveux@nxp.com>

core: crypto: unify ECC and SM2_DSA sign/verify

Remove the crypto_acipher_sm2_dsa_sign/crypto_acipher_sm2_dsa_verify
functions and call the crypto_acipher_ecc_sign/crypto_acipher_ecc_verify
functions that are calling the ecc key operations set.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

b56ad90e 06-Oct-2020 Cedric Neveux <cedric.neveux@nxp.com>

libs: ltc and mbedtls introduce crypto_ecc[public/keypair]_ops

Change ECC call functions name to be able to use an ECC HW driver.
At ECC public and keypair allocation, if success, set the key ops field
to call the cryptographic operations linked to the key allocator.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

df00cf59 06-Oct-2020 Cedric Neveux <cedric.neveux@nxp.com>

core: crypto: add struct crypto_ecc_[public/keypair]_ops

In order to enable one ECC HW driver and one ECC SW library at build and
runtime, introduces struct crypto_ecc_public_ops and
struct crypto_ecc_keypair_ops respectively to the struct ecc_public_key
and struct ecc_keypair.

At key (public/keypair) allocation, the HW driver is first called and
if key type/size not supported, the SW library is then called.
When key is allocated with success, the key->ops is set with the
cryptographic functions pointer to call when using keys to:
- Generate keypair
- Sign with keypair
- Shared secret with keypair
- Verify with public key
- Free public key

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

521aacf1 10-Nov-2020 Etienne Carriere <etienne.carriere@linaro.org>

core: fix secure partition TA context

Fix secure partition invocation in tee_ta_manager.c. The TA context
instance is found in the secure partition context (as here *_stmm_ctx()),
instead of the trusted service context as for regular TAs and PTAs.

This change moves to_ta_session() from header file to source file
so that is_stmm_ctx() is visible and can be asserted.

Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

b3d204fa 12-Nov-2020 Jerome Forissier <jerome@forissier.org>

drivers: caam: use do_free_keypair() instead of open-coding

There is a function to free an RSA keypair, use it instead of
duplicating the code.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

6eaf556a 12-Nov-2020 Jerome Forissier <jerome@forissier.org>

drivers: caam: do_free_keypair(): add missing free for key->dq

The do_free_keypair() function lacks a call to crypto_bignum_free() for
the dq member of the key. Add it.

Fixes: a1d5c81f8834 ("crypto: add function to free rsa keypair")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

92e38694 12-Nov-2020 Jerome Forissier <jerome@forissier.org>

core: ltc: use crypto_acipher_free_rsa_keypair() instead of open-coding

There is a function to free an RSA keypair, use it instead of
duplicating the code.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

85f7c554 12-Nov-2020 Jerome Forissier <jerome@forissier.org>

core: ltc: crypto_acipher_free_rsa_keypair(): add missing free for s->dq

The crypto_acipher_free_rsa_keypair() function lacks a call to
crypto_bignum_free() for the dq member of the key. Add it.

Fixes: a1d5c81f8834 ("crypto: add function to free rsa keypair")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

16c8ce9c 12-Nov-2020 Jerome Forissier <jerome@forissier.org>

hikey: increase CFG_CORE_HEAP_SIZE from 64 to 72 KB

HiKey 620 uses the default core heap size which is 64 KB. This seems to
be a bit small now and the likely reason of some IBART failures [1]:

2833: regression_6018.2 OK
2834: o regression_6018.3 Storage id: 80000100
[...]
2846: E/TC:? 0 TA panicked with code 0xffff000c

Increase the size to 72 KB.

Link: [1] https://optee.mooo.com:5000/logs/OP-TEE/build/441/518642707/65112f06d1ffdd93762acdd1d8a8a06e9bebdd1d
Signed-off-by: Jerome Forissier <jerome@forissier.org>

e3603bde 27-Oct-2020 Balint Dobszay <balint.dobszay@arm.com>

core: move non TA specific fields from user_ta_ctx

Moves fields from user_ta_ctx to user_mode_ctx, which are not specific
to user TAs. This is needed to prepare for handling Secure Partitions,
user_mode_ctx will be the common ground for the fields used by both TAs
and SPs.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

486d6e39 27-Oct-2020 Balint Dobszay <balint.dobszay@arm.com>

core: extract ldelf related code from user_ta.c

Moves ldelf functionality from user_ta.c to a separate file.
This is the first step for decoupling ldelf from user TAs.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

b351c689 06-Nov-2020 Balint Dobszay <balint.dobszay@arm.com>

core: pass user_mode_ctx to thread_user_clear_vfp()

Changes the parameter type of thread_user_clear_vfp() to struct
user_mode_ctx. This makes using the function more convenient, now it
doesn't have to be surrounded with conditional directives on each use.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

e2cf992d 27-Oct-2020 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: imx_i2c: move utility macros

Move I2C utility macros (driver specific) from SoC specific register
definition files to the driver.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

6923dd89 23-Oct-2020 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: imx_i2c: get base addresses from device tree

Enable device tree support.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

8e58c34a 23-Oct-2020 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: imx_i2c: enable the driver when not all three buses are ready

Allow the driver to operate even though not all three buses might have
been configured.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

d156989a 23-Oct-2020 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: imx_i2c: add support for imx6ull

Support native I2C access on imx6ull (this SoC has an additional
register - compared to the imx8mm - to configure the daisy chain in
the iomuxc).

A patch [1] has been sent to U-boot to address their current release
as of Oct 23, 2020 - where the peripheral clock is still set to 66MHz
instead of 24MHz.

Tested on imx6ull-evk 14x14 with the bus at 400Kbps.
[1] https://lists.denx.de/pipermail/u-boot/2020-October/430482.html

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
