crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias.vondaeniken@bluewin.ch>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

|

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

| QEMUv8 | HiKey960 (A73 cores only)
-----+----------------+--------------------------
-O0 | 2m 54s, 2m 49s | 42.28s, 42.07s
-Os | 2m 03s, 2m 03s | 25.57s, 25.60s
-O2 | 1m 36s, 1m 35s | 24.01s, 23.93s

This commit introduces CFG_CC_OPT_LEVEL (default: s) which may be set to
0, s, 2 or any value accepted by the compiler. This gives better
flexibility to chose the best level depending on the use case.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
afte

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
after exceptions unmask.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. All

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. Allow the
calling functions to specify the required alignment as a parameter
to vm_map_pad().

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually e

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually exclusive, we can't run StMM from EDK2 and OP-TEE.
An advantage of doing so is that different firmware implementations
can leverage EDK2's StandAloneMM and in cooperation with OP-TEE RPMB
APIs can store UEFI variables in a secure storage.
This makes the variable storage quite generic in any device with an RPMB
partition.

Using a well debugged application is preferable over rewriting the whole
application as a TA. Another advantage is that this inherits the Fault
Tolerant Writes (FTW) functionality built-in on StMM to protect
variables against corruptions during writing. Considering the FFA
changes of the future Arm architectures using an SP that includes
everything seems like a better choice at the moment.
The 'SPM emulation' currently added into OP-TEE only supports
a single SP to be launched. This means that the StMM embedded
application has the RPMB driver built in at the moment. In the future we
can add code (evolving FFA) to launch multiple SPs. So the StMM variable
handling can be decoupled from the RPMB driver, which will reside in a
different SP.

So let's add a user mode secure partition context and support loading
"Standalone MM" of EDK2 into it. A separate syscall handling is added to
serve as different kind of ABI and syscall IDs. The secure partition has
a TA like interface towards normal world, but requests are routed into
the StMM partition instead.

CFG_STMM_PATH is assigned the path of BL32_AP_MM.fd, for instance:
CFG_STMM_PATH=...Build/QemuVirtMmStandalone/DEBUG_GCC5/FV/BL32_AP_MM.fd

Since this is quite tricky to compile and test you can use this [1].
Just clone the repo and run ./build.sh. The script will pick up edk2,
edk2-platforms, op-tee, atf and U-boot and compile all the necessary
binaries for QEMU. A patch (awful hack) has been added to U-boot to
allow RPMB emulation through it's supplicant, since QEMU RPMB emulation
is not yet available.
After compiling and launching QEMU the usual U-boot commands for EFI
variable management will store the variables on an RPMB device.

[1] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Co-developed-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Co-developed-by: Miklos Balint <Miklos.Balint@arm.com>
Signed-off-by: Miklos Balint <Miklos.Balint@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attribu

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attributes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wi

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUN

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUNC, let's fold these statements into the
FUNC macros.

The .fnstart/.fnend directives mark the start and end of a function
with an unwind table entry (.ARM.exidx) and therefore a function
without them has no entry and cannot be unwound. This means that a
stack dump (on abort or panic) would stop when reaching such a
function.

As a result of this patch, a small number of functions now have an
entry in the unwind table when they had none before (the functions
which were using FUNC or LOCAL_FUNC but had no .fnstart/.fnend). It was
almost always a bug and this pacth only increases the size of the
.ARM.exidx section by a few bytes (tested on QEMU).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <asm.S>, remove a couple of duplicates in
assembler files, and drop the useless includes.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() w

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() which was only called from this function.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether a

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether and calling print_kernel_stack() instead. Since only the
TRACE_ERROR is used, the 'level' argument to print_kernel_stack(),
print_stack_arm32() and print_stack_arm64() is removed too.

In addition to simplifying the code, these changes will allow the
consolidation of the stack unwinding code between core and ldelf.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: mm: fix region lookup in param_mem_to_user_va()

The test whether a memory parameter is located in a region may fail
because of a typo in the comparison. The region size must be
added to the st

core: mm: fix region lookup in param_mem_to_user_va()

The test whether a memory parameter is located in a region may fail
because of a typo in the comparison. The region size must be
added to the start address, not subtracted.

Fixes: 2667e1359e51 ("core: fix offset calculation in param_mem_to_user_va()")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Wolfgang Ocker <weo@reccoware.de>

show more ...

Add support for Renesas RZ/N1 platform

Add support for RZ/N1 platform from Renasas (PLATFORM=rzn1):
- Cortex-A7 based dual core processor.

This platform supports TrustZone based IO register access

Add support for Renesas RZ/N1 platform

Add support for RZ/N1 platform from Renasas (PLATFORM=rzn1):
- Cortex-A7 based dual core processor.

This platform supports TrustZone based IO register access control, so
add corresponding OEM service based implementation.

Link: https://www.renesas.com/us/en/products/microcontrollers-microprocessors/rz/rzn/rzn1d.html
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: ns16550: Allow customizable serial IO config

Add io_width and reg_shift configurable parameters to struct ns16550_data
in order to support 32 bit register read/write.

Signed-off-by: Sumit

drivers: ns16550: Allow customizable serial IO config

Add io_width and reg_shift configurable parameters to struct ns16550_data
in order to support 32 bit register read/write.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Allow non-secure context restore in thumb mode

Allow initial exit from secure monitor mode to non-secure context
in thumb mode in case next stage boot-loader is expected to execute
in thumb mo

core: Allow non-secure context restore in thumb mode

Allow initial exit from secure monitor mode to non-secure context
in thumb mode in case next stage boot-loader is expected to execute
in thumb mode.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

vexpress-qemu_v8a: set CFG_ARM64_core to 'y' by default

Enables CFG_ARM64_core by default for PLATFORM=vexpress-qemu_v8a. This
platform is mostly used in full 64-bit mode, especially since until now

vexpress-qemu_v8a: set CFG_ARM64_core to 'y' by default

Enables CFG_ARM64_core by default for PLATFORM=vexpress-qemu_v8a. This
platform is mostly used in full 64-bit mode, especially since until now
the build.git Makefiles do not support anything else [1].

Link: [1] https://github.com/OP-TEE/build/blob/3.10.0/qemu_v8.mk#L9
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: do not trace syscall_log()

Tracing the log syscall is of very little value since it will generate
some output to the console anyways. Worse, it pollutes the TA output in
case of a panic or an

core: do not trace syscall_log()

Tracing the log syscall is of very little value since it will generate
some output to the console anyways. Worse, it pollutes the TA output in
case of a panic or an abort. For example:

o regression_4005.1 AE case 0 algo 0x40000710 line 2819
F/TC:?? 0 trace_syscall:132 syscall #27 (syscall_cryp_obj_alloc)
F/TC:?? 0 trace_syscall:132 syscall #15 (syscall_cryp_state_alloc)
F/TC:?? 0 trace_syscall:132 syscall #27 (syscall_cryp_obj_alloc)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #30 (syscall_cryp_obj_populate)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #29 (syscall_cryp_obj_reset)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #31 (syscall_cryp_obj_copy)
F/TC:?? 0 trace_syscall:132 syscall #24 (syscall_cryp_obj_get_info)
F/TC:?? 0 trace_syscall:132 syscall #28 (syscall_cryp_obj_close)
F/TC:?? 0 trace_syscall:132 syscall #34 (syscall_authenc_init)
F/TC:?? 0 trace_syscall:132 syscall #2 (syscall_panic)
E/TC:?? 0
E/TC:?? 0 TA panicked with code 0xffff0006
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: Status of TA cb3e5ba0-adf1-11e0-998b-0002a5d5c51b
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: arch: aarch64
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: region 0: va 0x40004000 pa 0x100062d000 size 0x002000 flags rw-s (ldelf)
F/TC:?? 0 trace_syscall:132 syscall #1 (syscall_log)
E/LD: region 1: va 0x40006000 pa 0x100062f000 size 0x00d000 flags r-xs (ldelf)
...

Therefore, skip the trace if the syscall number it TEE_SCN_LOG.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add tee_pobj_create_final()

Adds tee_pobj_create_final() which finalized a create operation. Until
tee_pobj_create_final() has been called the struct pobj cannot be shared
with any other objec

core: add tee_pobj_create_final()

Adds tee_pobj_create_final() which finalized a create operation. Until
tee_pobj_create_final() has been called the struct pobj cannot be shared
with any other object.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_storage_next_enum() use live pobj

Instead of using a fake pobj in syscall_storage_next_enum() retrieve the
shared pobj instead in order to get the flags of an already opened
object.

T

core: syscall_storage_next_enum() use live pobj

Instead of using a fake pobj in syscall_storage_next_enum() retrieve the
shared pobj instead in order to get the flags of an already opened
object.

TEE_POBJ_USAGE_ENUM is supplied to tee_pobj_get() to avoid checking for
conflicts with how the pobj is already used.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_pobj_get() takes an enum tee_pobj_usage

Changes tee_pobj_get() to take an enum tee_pobj_usage usage instead of a
bool temporary.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signe

core: tee_pobj_get() takes an enum tee_pobj_usage

Changes tee_pobj_get() to take an enum tee_pobj_usage usage instead of a
bool temporary.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove struct tee_obj::flags

struct tee_obj keeps a TEE_ObjectInfo which has a flags field with the
same meaning as the flags field in struct tee_obj. To avoid the two
fields getting out of sy

core: remove struct tee_obj::flags

struct tee_obj keeps a TEE_ObjectInfo which has a flags field with the
same meaning as the flags field in struct tee_obj. To avoid the two
fields getting out of sync remove struct tee_obj::flags and only use
TEE_ObjectInfo::handleFlags.

Additional checks are added in syscall_storage_obj_open() and
syscall_storage_obj_create() to make sure that no undefined flags are
added to TEE_ObjectInfo::handleFlags.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_storage_obj_create(): check that the attributes object is initialized

Adds a check in syscall_storage_obj_create() to see that the attributes
object is initialized.

Reviewed-by: Jerom

core: syscall_storage_obj_create(): check that the attributes object is initialized

Adds a check in syscall_storage_obj_create() to see that the attributes
object is initialized.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix offset calculation in param_mem_to_user_va()

In param_mem_to_user_va() the offset of a memory parameter is used to
check if a particular struct vm_region will cover that parameter.
struct

core: fix offset calculation in param_mem_to_user_va()

In param_mem_to_user_va() the offset of a memory parameter is used to
check if a particular struct vm_region will cover that parameter.
struct vm_region always uses offsets from the beginning of the first
physical page while a memory parameter contains only the offset from the
beginning of a MOBJ. Consequently the two offset cannot be compared
directly.

Until this patch the two offset where compared directly so fix it by
adding the phys_offs of the MOBJ to the offset of the memory parameter.

Note that this doesn't change the computed virtual address, it only
fails to find a matching struct vm_region under certain circumstances.

Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Fix the entry on the match table for TPM support.

TF-A Measured Boot driver expects a tpm_event_log node on the
DTB with the compatible field set to "arm,tpm_event_log", so
fix the match table

core: Fix the entry on the match table for TPM support.

TF-A Measured Boot driver expects a tpm_event_log node on the
DTB with the compatible field set to "arm,tpm_event_log", so
fix the match table entry for the TPM support to match the one
used by TF-A.

Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: mmu: arm64: fix get_va_width()

Fixes get_va_width() when CFG_LPAE_ADDR_SPACE_SIZE != (1ull << 32).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wik

core: mmu: arm64: fix get_va_width()

Fixes get_va_width() when CFG_LPAE_ADDR_SPACE_SIZE != (1ull << 32).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...