core: check max key size when populating object

Checks that attributes are within the bounds defined by the max key size
which was supplied when the object was allocated.

Acked-by: Etienne Carriere

core: check max key size when populating object

Checks that attributes are within the bounds defined by the max key size
which was supplied when the object was allocated.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix calculation of DES key size

Prior to this patch was the parity bits included when calculating the
key size for DES keys. Fix this by subtracting the parity bits.

Acked-by: Etienne Carrier

core: fix calculation of DES key size

Prior to this patch was the parity bits included when calculating the
key size for DES keys. Fix this by subtracting the parity bits.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_obj_get() return TEE_ERROR_BAD_STATE

Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object
reference can't be found. This will allow the GP TA API to panic the
caller as requi

core: tee_obj_get() return TEE_ERROR_BAD_STATE

Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object
reference can't be found. This will allow the GP TA API to panic the
caller as required in the GP spec [1].

[1] GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_obj_generate_key() check public rsa exponent

The v1.1 spec [1] requires that the NIST SP800-56B [2] rules to be
followed when generating an RSA key.

Adds a check when generating a RSA

core: syscall_obj_generate_key() check public rsa exponent

The v1.1 spec [1] requires that the NIST SP800-56B [2] rules to be
followed when generating an RSA key.

Adds a check when generating a RSA key that the supplied exponent confirms
with the requirements in NIST SP800-56B, thas is, the key must be odd and
in the range 65537 <= e < 2^256.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Link [2]: https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects

GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So
update syscall_cryp_obj_alloc() accordingly.

[1]: G

core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects

GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So
update syscall_cryp_obj_alloc() accordingly.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: dt: discover_nsec_memory(): consider only non-secure memory

QEMU has a /secram@e000000 DT node with secure-status = "okay" and
status = "disabled", in other words: some secure-only memory is
d

core: dt: discover_nsec_memory(): consider only non-secure memory

QEMU has a /secram@e000000 DT node with secure-status = "okay" and
status = "disabled", in other words: some secure-only memory is
described in the DT. Memory that is not accessible from non-secure
world should not be added to the nsec map. Unfortunately, the commit
referenced below inadvertently added such memory, resulting in a panic
on boot:

I/TC: Non-secure external DT found
E/TC:0 0 check_phys_mem_is_outside:332 Non-sec mem (0xe000000:0x100000) overlaps map (type 14 0xe000000:0x100000)
E/TC:0 0 Panic at core/arch/arm/mm/core_mmu.c:336 <check_phys_mem_is_outside>

Change the DT status test to consider only memory accessible from non-
secure and secure world. Also, rename a couple of functions to make their
purpose clear.

Fixes: 721619e8890e ("core: Parse all memory DT nodes")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat: rcar: Enable parsing DT from TFA

Enable support for reading and processing DT passed in by TFA,
this is useful to read out the DRAM configuration and layout.

Signed-off-by: Marek Vasut <marek

plat: rcar: Enable parsing DT from TFA

Enable support for reading and processing DT passed in by TFA,
this is useful to read out the DRAM configuration and layout.

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: Parse all memory DT nodes

The current code for parsing /memory* DT nodes does not work at all
on systems with multiple memory nodes. The code cannot handle e.g.

/ {
memory@480000000 {
r

core: Parse all memory DT nodes

The current code for parsing /memory* DT nodes does not work at all
on systems with multiple memory nodes. The code cannot handle e.g.

/ {
memory@480000000 {
reg = <0x00000000 0x48000000 0x00000000 0x78000000>;
device_type = "memory";
};
memory@600000000 {
reg = <0x00000006 0x00000000 0x00000000 0x80000000>;
device_type = "memory";
};
};

This patch fixes the code such that it iterates over all enabled
memory nodes instead of reading out the first /memory node only.
The code iterates over the DT twice, which is faster than constant
calls to realloc() to allocate more entries in core_mmu_phys_mem().

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: dt: Repair type in _fdt_reg_size()

The function returns ssize_t , while DT_INFO_INVALID_REG is paddr_t,
fix the type.

Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-of

core: dt: Repair type in _fdt_reg_size()

The function returns ssize_t , while DT_INFO_INVALID_REG is paddr_t,
fix the type.

Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the
description of API functions to among other things describe which kind

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the
description of API functions to among other things describe which kind
of memory a buffer is required to reside in. It could be readable,
writeable, in shared memory in TA private memory.

The following syscalls are updated with slightly stricter checks with
regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV

In order for tee_mmu_check_access_rights() to be able to identify ldelf
mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This
is ne

core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV

In order for tee_mmu_check_access_rights() to be able to identify ldelf
mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This
is needed for the more strict check of the memory location of ret_orig
in syscall_open_ta_session() and syscall_invoke_ta_command().

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions which checks that the user
mode buffer resides in TA private memory and not non-secure shared
memory for instance.

Rev

core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions which checks that the user
mode buffer resides in TA private memory and not non-secure shared
memory for instance.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: fix build warning

Compiler warns about comparison of integer expressions of different
signedness. This causes build failures when error on warning is enabled.

Signed-off-by: Jorge Ra

drivers: caam: fix build warning

Compiler warns about comparison of integer expressions of different
signedness. This causes build failures when error on warning is enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias.vondaeniken@bluewin.ch>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

|

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

| QEMUv8 | HiKey960 (A73 cores only)
-----+----------------+--------------------------
-O0 | 2m 54s, 2m 49s | 42.28s, 42.07s
-Os | 2m 03s, 2m 03s | 25.57s, 25.60s
-O2 | 1m 36s, 1m 35s | 24.01s, 23.93s

This commit introduces CFG_CC_OPT_LEVEL (default: s) which may be set to
0, s, 2 or any value accepted by the compiler. This gives better
flexibility to chose the best level depending on the use case.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
afte

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
after exceptions unmask.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. All

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. Allow the
calling functions to specify the required alignment as a parameter
to vm_map_pad().

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually e

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually exclusive, we can't run StMM from EDK2 and OP-TEE.
An advantage of doing so is that different firmware implementations
can leverage EDK2's StandAloneMM and in cooperation with OP-TEE RPMB
APIs can store UEFI variables in a secure storage.
This makes the variable storage quite generic in any device with an RPMB
partition.

Using a well debugged application is preferable over rewriting the whole
application as a TA. Another advantage is that this inherits the Fault
Tolerant Writes (FTW) functionality built-in on StMM to protect
variables against corruptions during writing. Considering the FFA
changes of the future Arm architectures using an SP that includes
everything seems like a better choice at the moment.
The 'SPM emulation' currently added into OP-TEE only supports
a single SP to be launched. This means that the StMM embedded
application has the RPMB driver built in at the moment. In the future we
can add code (evolving FFA) to launch multiple SPs. So the StMM variable
handling can be decoupled from the RPMB driver, which will reside in a
different SP.

So let's add a user mode secure partition context and support loading
"Standalone MM" of EDK2 into it. A separate syscall handling is added to
serve as different kind of ABI and syscall IDs. The secure partition has
a TA like interface towards normal world, but requests are routed into
the StMM partition instead.

CFG_STMM_PATH is assigned the path of BL32_AP_MM.fd, for instance:
CFG_STMM_PATH=...Build/QemuVirtMmStandalone/DEBUG_GCC5/FV/BL32_AP_MM.fd

Since this is quite tricky to compile and test you can use this [1].
Just clone the repo and run ./build.sh. The script will pick up edk2,
edk2-platforms, op-tee, atf and U-boot and compile all the necessary
binaries for QEMU. A patch (awful hack) has been added to U-boot to
allow RPMB emulation through it's supplicant, since QEMU RPMB emulation
is not yet available.
After compiling and launching QEMU the usual U-boot commands for EFI
variable management will store the variables on an RPMB device.

[1] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Co-developed-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Co-developed-by: Miklos Balint <Miklos.Balint@arm.com>
Signed-off-by: Miklos Balint <Miklos.Balint@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attribu

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attributes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wi

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUN

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUNC, let's fold these statements into the
FUNC macros.

The .fnstart/.fnend directives mark the start and end of a function
with an unwind table entry (.ARM.exidx) and therefore a function
without them has no entry and cannot be unwound. This means that a
stack dump (on abort or panic) would stop when reaching such a
function.

As a result of this patch, a small number of functions now have an
entry in the unwind table when they had none before (the functions
which were using FUNC or LOCAL_FUNC but had no .fnstart/.fnend). It was
almost always a bug and this pacth only increases the size of the
.ARM.exidx section by a few bytes (tested on QEMU).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <asm.S>, remove a couple of duplicates in
assembler files, and drop the useless includes.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() w

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() which was only called from this function.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether a

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether and calling print_kernel_stack() instead. Since only the
TRACE_ERROR is used, the 'level' argument to print_kernel_stack(),
print_stack_arm32() and print_stack_arm64() is removed too.

In addition to simplifying the code, these changes will allow the
consolidation of the stack unwinding code between core and ldelf.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...