| b3770446 | 14-Aug-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
core: arm: rpc i2c: fix, REE processed bytes
Fix number of bytes processed by the REE that is returned in p[3] as defined in the API, not in p[2].
Fixes: 30c53a724263 ("core: arm: rpc i2c trampoline driver")
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 1a7d8eae | 17-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add user parameter thread_rpc_shm_cache_alloc()
Adds a user parameter to thread_rpc_shm_cache_alloc() to make sure that different callers of thread_rpc_shm_cache_alloc() don't interfere with each other. The FS allocation could perhaps be intertwined with I2C allocations if crypto operations are done over I2C.
Fixes: 9bee8f2a5af7 ("core: add generic rpc shared memory buffer caching")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| c8e11ce5 | 14-Aug-2020 |
Volodymyr Babchuk <volodymyr_babchuk@epam.com> |
virt: clear current thread id during initialization
When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call `thread_clr_boot_thread()` during boot because the threads are allocated in "tee" memory area, which is not available when there are no virtual guests.
So, in this case the local core state is left in an erroneous state, which causes an assertion violation in thread_alloc_and_run() when guests call OP-TEE for the first time from the boot core.
Fixes: b166fabf3e8c ("core: initialize thread_core_local::curr_thread to -1")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
| e2f03e07 | 04-Jun-2020 |
Jerome Forissier <jerome@forissier.org> |
core: add stack overflow detection
This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack limits using compiler instrumentation (-finstrument-functions). When enabled, the C compiler will insert entry and exit hooks in all functions in the TEE core. On entry, the stack pointer is checked and if an overflow is detected, panic() is called.
How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication of the root cause of the corruption which may have happened quite some time before. Running the test case again with a debugger attached and a watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler before the first canary check, for instance, during boot when the temporary stack is used. This code will likely catch such issues, too.
The downside is increased stack usage and a significant runtime overhead which is why this feature should be enabled only for troubleshooting.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 0733f3d1 | 04-Aug-2020 |
Jerome Forissier <jerome@forissier.org> |
core: simplify setting of THREAD_CLF_TMP
Simplifies the manipulation of THREAD_CLF_TMP in the per-core structure thread_core_local:
- thread_clr_thread_core_local() sets the flag for all cores so that init_secondary_helper() doesn't have to. It is renamed to thread_init_thread_core_local().
- The flag remains set upon return to normal world, ready for the next entry into secure world.
- The foreign_intr_handler macro sets the flag since it uses the temporary stack.
- thread_core_local_set_tmp_stack_flag() is now unused and can be removed.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| faa22a1f | 04-Jun-2020 |
Jerome Forissier <jerome@forissier.org> |
core: add __noprof attribute to register accessors
Allowing instrumentation of register accessor functions does not really make sense, since they are normally inlined by the compiler. On the contrary, allowing the compiler to instrument these functions (if for some reason they are not inlined) can cause serious problems such as infinite recursion (in case the instrumentation ends up calling a register accessor again) or unexpected results (if the accessor is used by early code before the instrumentation is initialized).
Note that the accessors used by user space already have __noprof (see lib/libutee/include/arm64_user_sysreg.h and scripts/arm32_sysreg.py).
For these reasons, add __noprof to core/arch/arm/include/arm{32,64}.h.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| f225dfa6 | 11-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: always increase mappings for pta memrefs
In copy_in_param() always call mobj_inc_map() before mobj_get_va() to guarantee that the memref is mapped for the duration of the call into the PTA.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| af5e7dc7 | 11-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: mobj: add {inc,dec}_map() to struct mobj_ops
Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map() and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are replaced with function pointers in mobj_reg_shm_ops and mobj_ffa_ops. Inline versions of mobj_inc_map() and mobj_dec_map() are added to call the correct function via struct mobj_ops instead. If struct mobj_ops for a particular mobj doesn't have an implementation of inc_map() or dec_map() TEE_SUCCESS is returned instead.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 9cd83e7c | 12-Aug-2020 |
Jerome Forissier <jerome@forissier.org> |
Add optimization and debug flags to exported TA C++ flags
$(platform-cflags-optimization) and $(platform-cflags-debug-info) are added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same for C++ flags thanks to ta_arm{32,64}-platform-cxxflags.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8)
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
| 30c53a72 | 15-Jun-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
core: arm: rpc i2c trampoline driver
Gives OP-TEE access to the i2c buses initialized and controlled by the REE kernel. This is done by memory mapping a buffer from the thread's cache where the input or output data is transferred.
Using this mechanism, OP-TEE clients do not have to worry about REE RUNTIME_PM features switching off clocks from the controllers or collisions with other bus masters.
This driver assumes that the I2C chip is on a REE statically assigned bus whose value is known to OP-TEE (it will not query/probe the REE).
The slave address can be either seven or ten bits. When using a ten bit address, the corresponding flag needs to be set in the command and the REE adapter must support the requested addressing mode.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 6ee9f666 | 11-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: juno: update 808870 Unconditional VLDM workaround
With the commit be3bc461c686 ("ta: experimental C++ support") we have some C++ tests in the regression tests which depend on libraries in the toolchain with hard float enabled. To be able to compile the regression tests hard float cannot be disabled. Disabling hard float was our original workaround for this erratum. Another way to avoid the erratum is to disable strict alignment checks. So unless CFG_SCTLR_ALIGNMENT_CHECK isn't explicitly set to 'y' force it to 'n' instead.
Fixes: be3bc461c686 ("ta: experimental C++ support")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 1ee48fd2 | 11-Aug-2020 |
Jerome Forissier <jerome@forissier.org> |
core: init_secondary_helper(): fix spelling mistake
Fix spelling mistake in the info message displayed on the console when secondary CPUs are initialized.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| bc587ec0 | 07-Aug-2020 |
Rouven Czerwinski <r.czerwinski@pengutronix.de> |
arm: add hard-float detection for cxxflags
Otherwise the compiler will complain that hard-float object files generated from C code can not be linked with soft-float files generated from cxx files.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 72980901 | 07-Aug-2020 |
Rouven Czerwinski <r.czerwinski@pengutronix.de> |
core: add cxxflags for CPU support
Otherwise the compiler is not able to determine the FPU setting from the CPU architecture for cxx files.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 0c30f9ea | 17-Jul-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
stm32_bsec: always embed shadow OTPs write function
Change the scope of configuration switch CFG_STM32_BSEC_WRITE to not cover shadow OTP write support. CFG_STM32_BSEC_WRITE is used to embed or not OTP programming support but writing shadow OTPs is a normal executing an OTP read operation hence this change embeds stm32_bsec_write_otp() driver API function even when CFG_STM32_BSEC_WRITE is disabled.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
[etienne: rephrase commit log]
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 3688e132 | 17-Jul-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
plat-stm32mp1: SiP SMC service for BSEC access
Correct the SiP SMC identifier, alignment with TF-A and U-Boot.
Fixes: 206b29e850e9 ("plat-stm32mp1: SiP SMC service for BSEC access")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
[etienne: fix commit log]
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| be3bc461 | 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
ta: experimental C++ support
Update the TA makefiles to support C++ (file extension: .cpp).
This allows the use of C++ in TA and libraries, with limitations (see below). I consider this work experimental because it was only tested with simple cases in xtest, introducing the required changes and addressing issues one after another. Therefore, some features may be missing for more complex use cases (additional relocation types or runtime support...).
Tested with the arm-linux-gnueabihf- and aarch64-linux-gnu- toolchains (GCC 8.3).
Limitations:
- Clang is not supported at the moment
- Exception handling: shared libraries cannot throw, catch or propagate exceptions. Doing so would require linking the libraries and the main program with the shared libgcc [1] which is not straightforward due to the many dependencies on the GNU libc. Exceptions *can* be used in the main program however, as well as in static libraries directly linked with the main program.
- ldelf stack unwinding does not support C++ frames so crash/panic dumps will likely be truncated when they involve C++ code.
Link: [1] https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html see "-shared-libgcc"
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8, HiKey960)
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 04752110 | 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
core: arm64: preserve user space TPIDR_EL0
Preparing for C++ support in TAs.
Preserves the value of TPIDR_EL0 set by user space by saving and restoring the register in case of syscall or foreign interrupt.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ce9a20c1 | 30-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
rmpb: fix infinite recursion in dump_fat() when CFG_TEE_CORE_LOG_LEVEL=4
When CFG_TEE_CORE_LOG_LEVEL=4 and CFG_RPMB_FS=y, the TEE core crashes with a dead stack canary message:
  E/TC:0 0 Dead canary at end of 'stack_abt[3]'
  E/TC:0 0 Panic at core/arch/arm/kernel/thread.c:192 <thread_check_canaries>
  E/TC:0 0 TEE load address @ 0x1bd0f000
  E/TC:0 0 Call stack:
  E/TC:0 0  0x1bd17b3d print_kernel_stack at optee_os/core/arch/arm/kernel/unwind_arm32.c:452
  E/TC:0 0  0x1bd23a07 __do_panic at optee_os/core/kernel/panic.c:32 (discriminator 1)
  E/TC:0 0  0x1bd120cb thread_check_canaries at optee_os/core/arch/arm/kernel/thread.c:188 (discriminator 2)
  E/TC:0 0  0x1bd12c1f thread_state_suspend at optee_os/core/arch/arm/kernel/thread.c:754
  E/TC:0 0  0x1bd14610 thread_rpc at optee_os/core/arch/arm/kernel/thread_optee_smc_a32.S:227
The issue happens to be with the debug function dump_fat() which causes infinite recursion. Fix it by doing nothing until after RPMB initialization has completed.
Fixes: 5f68d7848fe8 ("core: RPMB FS: Caching for FAT FS entries")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 19b3fe6c | 23-Jul-2020 |
Angelina Zhao <xuemingzhao@asrmicro.com> |
core: arm: fix the unwind stack failure with __no_return function
The unwind operation uses LR instead of PC to locate unwind data. In some cases, the compiler removes all the extra instructions after a branch to a __no_return function, and then LR saves the address of the next function, rather than the caller of the __no_return function, leading to unwind failure.
The fix manually adjusts the LR value to match the search algorithm so as to locate the correct caller in the unwind stack operation.
Signed-off-by: Angelina Zhao <xuemingzhao@asrmicro.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: reformat the commit description]
Signed-off-by: Jerome Forissier <jerome@forissier.org>
|
| f3721740 | 23-Jul-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove the unused PM stubs
Removes the PM stubs and all references to CFG_PM_STUBS.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ab42a6af | 23-Jul-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove thread_*_handler_ptr
The thread_*_handler_ptr function pointers only hold the same constant value. Instead of loading the function pointer from the entry functions, call the handler functions directly and remove these thread_*_handler_ptr function pointers.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 651d7537 | 07-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove boot_get_handlers()
struct thread_handlers is used to pass the entry functions for different power management events. In practice only .cpu_on is used and with the default function at that. In the ARMv7 case where the secure monitor replaces TF-A not even that function entry is used.
Remove struct thread_handlers and boot_get_handlers(). When configured with TF-A initialize thread_*_handler_ptr with __weak default functions.
The __weak default PM functions
- thread_cpu_off_handler()
- thread_cpu_suspend_handler()
- thread_cpu_resume_handler()
- thread_system_off_handler()
- thread_system_reset_handler()
can be overridden by platforms when needed.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 7446af61 | 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
core: log message when secure storage corruption is detected
When CFG_REE_FS and CFG_RPMB_FS are both 'y', the data stored by OP-TEE in the REE filesystem (typically, under /data/tee) are protected by hashes stored in the RPMB. Any modifications to the REE files via external means are therefore detected and TEE_ERROR_SECURITY is returned. However, no error or debug message is printed to the secure console which makes troubleshooting more difficult than needed. This commit adds a debug message.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| b4faf480 | 22-Jul-2020 |
Dick Olsson <hi@senzilla.io> |
mk: core: ta: Configurable Python interpreter
Build systems that manage multiple different python interpreters need explicit control over which version of the interpreter to use. This patch enables one to override the default interpreter with the path to a specific one.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|