core: arm64: fix .section directive

Clang built from the llvm-project master branch (git describe:
llvmorg-11-init-12683-g54b3f91d205) causes the following build error:

AS out/arm/core/arch

core: arm64: fix .section directive

Clang built from the llvm-project master branch (git describe:
llvmorg-11-init-12683-g54b3f91d205) causes the following build error:

AS out/arm/core/arch/arm/kernel/generic_entry_a64.o
core/arch/arm/kernel/generic_entry_a64.S:426:2: error: changed section flags for .identity_map, expected: 0x6
.section .identity_map
^

Some information about this error can be found in the description for
LLVM commit [1] ("[MC][ELF] Error for sh_type, sh_flags or sh_entsize
change").

The ".section .identity_map" directive does not mention any flags so
since the section name is not a well-known one (.text etc.), the flags
default to none [2]. However, at this point in the source file we
already have emitted code into .text* which has flags "ax" (and type
%progbits), so the line does indeed change the flags, hence the compile
error.

This commit adds the missing flags and type.

Link: [2] https://sourceware.org/binutils/docs/as/Section.html "ELF Version"
Link: [1] https://github.com/llvm/llvm-project/commit/75af9da75572
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: clang: add --apply-dynamic-relocs linker flag

Core ASLR relies on the executable being ready to run from its
preferred load address, because some symbols are used before the MMU is
enabled and

core: clang: add --apply-dynamic-relocs linker flag

Core ASLR relies on the executable being ready to run from its
preferred load address, because some symbols are used before the MMU is
enabled and relocations are applied. Clang (ld.lld) on Aarch64 needs a
special flag for this: --apply-dynamic-relocs. Without the flag the
R_AARCH64_RELATIVE places are initially filled with zeros.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: libtomcrypt: fix return code in convert_ltc_verify_status()

Calling TEE_AsymmetricVerifyDigest() with invalid RSA signature
length cause TA to panic. By GP TEE Internal Core specs,
TEE_Asymmet

core: libtomcrypt: fix return code in convert_ltc_verify_status()

Calling TEE_AsymmetricVerifyDigest() with invalid RSA signature
length cause TA to panic. By GP TEE Internal Core specs,
TEE_AsymmetricVerifyDigest() shouldn't cause panic when call
with invalid signature length.

Fixes: a3f5668a0cae ("core: ltc: RSA signature verification: fix return code")
Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

plat-stm32mp1: remove static ETZPC configuration

Remove static ETZPC configuration and rely on shared_resources
driver to dynamically configure secure aware resources.

Signed-off-by: Etienne Carrie

plat-stm32mp1: remove static ETZPC configuration

Remove static ETZPC configuration and rely on shared_resources
driver to dynamically configure secure aware resources.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: BSEC data access do not depend on non-closed device

BSEC driver does not need to check if device is closed_device or not
to tell which BSEC data non-secure world is allowed to access. Th

stm32_bsec: BSEC data access do not depend on non-closed device

BSEC driver does not need to check if device is closed_device or not
to tell which BSEC data non-secure world is allowed to access. This
change removes this support as it simplifies BSEC initialization
structure.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: introduce configuration switch for write support

Introduce configuration switch CFG_STM32_BSEC_WRITE to not embed
write operation support in BSEC.

Signed-off-by: Etienne Carriere <etien

stm32_bsec: introduce configuration switch for write support

Introduce configuration switch CFG_STM32_BSEC_WRITE to not embed
write operation support in BSEC.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: correct error detection in driver

Change stm32_bsec_read_otp() and stm32_bsec_write_otp() as accessing
BSEC shadow memory cannot report error.

Change check_no_error() to verify or not B

stm32_bsec: correct error detection in driver

Change stm32_bsec_read_otp() and stm32_bsec_write_otp() as accessing
BSEC shadow memory cannot report error.

Change check_no_error() to verify or not BSEC internal disturbance
error as only shadowing or writing OTPs can report BSEC disturbance
issues.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: simplify lock support functions

Change stm32_bsec_otp_lock() to only lock fuses as hardware safely does
not allow unlocking a locked BSEC word.

Functions to read a lock return a TEE_Res

stm32_bsec: simplify lock support functions

Change stm32_bsec_otp_lock() to only lock fuses as hardware safely does
not allow unlocking a locked BSEC word.

Functions to read a lock return a TEE_Result status aside from the
effective lock value read.

Rename stm32_bsec_wr_lock() into stm32_bsec_read_permanent_lock()
as it is more explicit.

Change IMSG() into DMSG() as traces refer to debug info rather than
informative info.

Use flag character '#' to prefix printed hexadecimal values with "0x".

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: correct OTP locked programming bit position

Correct BSEC_LOCK_PROGRAM value in stm32_bsec driver.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jen

stm32_bsec: correct OTP locked programming bit position

Correct BSEC_LOCK_PROGRAM value in stm32_bsec driver.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: map GPIOZ bank registers as secure

Fix GPZIOZ registers memory mapping that shall be mapped secure
for secure world to safely access the secure hardening configuration
registers of th

plat-stm32mp1: map GPIOZ bank registers as secure

Fix GPZIOZ registers memory mapping that shall be mapped secure
for secure world to safely access the secure hardening configuration
registers of the bank.

Fixes: 68c4a16b37c7 ("stm32mp1: use phys_to_virt_io_secure() where expected")
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: device pta: enumerate early TAs

This is an extension of commit 0b611081804a ("core: pta: Add device
pseudo TA") to register not only pseudo-TAs but also user-space early
TAs that have the TA_F

core: device pta: enumerate early TAs

This is an extension of commit 0b611081804a ("core: pta: Add device
pseudo TA") to register not only pseudo-TAs but also user-space early
TAs that have the TA_FLAG_DEVICE_ENUM flag set.

This change makes enumerated early TAs visible on the optee bus in the
Linux kernel.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
[jf: minor edits to descritpion, swap #include lines, s/(*pos)/*pos/]
[jf: move local variable declaration up]
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Maxim Uvarov <maxim.uvarov@linaro.org> (QEMU, ftpm)
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move for_each_early_ta() macro to <kernel/early_ta.h>

Move the for_each_early_ta() macro out of early_ta.c so that it can be
used in other parts of the code (pseudo TAs for instance).

Signed-

core: move for_each_early_ta() macro to <kernel/early_ta.h>

Move the for_each_early_ta() macro out of early_ta.c so that it can be
used in other parts of the code (pseudo TAs for instance).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: early_ta: expose TA flags in struct early_ta

Store TA flags in early TA descriptions so that such TAs can later be
enumerated by the device PTA when TA_FLAG_DEVICE_ENUM is set.
Change ta_bin_t

core: early_ta: expose TA flags in struct early_ta

Store TA flags in early TA descriptions so that such TAs can later be
enumerated by the device PTA when TA_FLAG_DEVICE_ENUM is set.
Change ta_bin_to_c.py to read the TA flags from its ELF file and store
it in the early TA description.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
[jf: minor edits to commit message and one comment]
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs_ta.c: initialize structs with '= { };'

Initialize structs with '= { };' rather than '= {0};' because (1) it is
the recommended style and (2) it fixes the following warning with Clang
9:

core: ree_fs_ta.c: initialize structs with '= { };'

Initialize structs with '= { };' rather than '= {0};' because (1) it is
the recommended style and (2) it fixes the following warning with Clang
9:

CC out/arm/core/arch/arm/kernel/ree_fs_ta.o
core/arch/arm/kernel/ree_fs_ta.c:325:40: warning: suggest braces around initialization of subobject [-Wmissing-braces]
struct shdr_bootstrap_ta hdr_entry = {0};
^
{}

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: RPMB FS: Caching for FAT FS entries

This patch adds optional FAT FS entry caching functionality to the
RPMB FS. This functionality can be enabled by a non zero value for
CFG_RPMB_FS_CACHE_ENTR

core: RPMB FS: Caching for FAT FS entries

This patch adds optional FAT FS entry caching functionality to the
RPMB FS. This functionality can be enabled by a non zero value for
CFG_RPMB_FS_CACHE_ENTRIES. The caching functionality can improve RPMB
I/O at the cost of additional heap memory. The cache size is most
likely platform-specific and should be chosen according to available
secure world memory and expected FAT FS entries in RPMB. The cache
holds the first X FAT FS entry in RAM. Whenever the FAT FS is
traversed, we read from the cache instead of invoking RPMB I/O. The
cache is updated when cached FAT FS entries are written.

Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960, GP)

show more ...

core: crypto: ECC: make sure key_size is consistent with attributes

TEE_GenerateKey() takes a key_size argument and various attributes. If
the size derived from the attributes is not key_size, we sh

core: crypto: ECC: make sure key_size is consistent with attributes

TEE_GenerateKey() takes a key_size argument and various attributes. If
the size derived from the attributes is not key_size, we should return
TEE_ERROR_BAD_PARAMETERS as per the GP TEE Internal Core API
specification v1.2.1: "If an incorrect or inconsistent attribute is
detected. The checks that are performed depend on the implementation.".

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: DH: make sure key_size is consistent with attributes

TEE_GenerateKey() takes a key_size argument and various attributes. For
Diffie-Hellman, if the size of the prime number (TEE_ATTR_D

core: crypto: DH: make sure key_size is consistent with attributes

TEE_GenerateKey() takes a key_size argument and various attributes. For
Diffie-Hellman, if the size of the prime number (TEE_ATTR_DH_PRIME) is
not key_size, we should return TEE_ERROR_BAD_PARAMETERS as per the GP
TEE Internal Core API specification v1.2.1: "If an incorrect or
inconsistent attribute is detected. The checks that are performed
depend on the implementation.".

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: use supplied DSA parameters when creating key

When generating a DSA key, syscall_obj_generate_key() currently ignores
the supplied parameters: TEE_ATTR_DSA_PRIME, TEE_ATTR_DSA_SUBPRIME

core: crypto: use supplied DSA parameters when creating key

When generating a DSA key, syscall_obj_generate_key() currently ignores
the supplied parameters: TEE_ATTR_DSA_PRIME, TEE_ATTR_DSA_SUBPRIME and
TEE_ATTR_DSA_BASE. Instead a new set of parameters is generated each
time based on the specified key size. This does not comply with the
GlobalPlatform TEE Internal Core API specification which lists these
atrributes as mandatory input to the generation function (see v1.2.1
table 5-12 TEE_GenerateKey parameters).

Fix this issue by providing the supplied parameters to LibTomCrypt's
dsa_generate_key() instead of calling dsa_make_key().

Fixes: https://github.com/OP-TEE/optee_os/issues/3746
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Add initial UniPhier platform support

This introduces support for Socionext UniPhier SoCs. This support
includes LD11 and LD20 SoCs only. Tested with Akebi96 board[1].

[1] https://www.96boards.org/

Add initial UniPhier platform support

This introduces support for Socionext UniPhier SoCs. This support
includes LD11 and LD20 SoCs only. Tested with Akebi96 board[1].

[1] https://www.96boards.org/product/akebi96/

Signed-off-by: Tetsuya Yoshizaki <yoshizaki.tetsuya@socionext.com>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mmu: remove TEE/TA RAM from total RAM

On platforms where the DT is parsed from the device tree, devices can
pass in the complete available memory. This is in accordance with the
device tree sp

core: mmu: remove TEE/TA RAM from total RAM

On platforms where the DT is parsed from the device tree, devices can
pass in the complete available memory. This is in accordance with the
device tree specification which mandates that the total physical memory
should be passed in the memory nodes.
Remove the TA and TEE RAM from the passed in memory, reserved-memory
nodes are used to indicate that part of the RAM is not accessible to
Linux. Fixes the following warning on some i.MX platforms:

I/TC: Non-secure external DT found
E/TC:0 0 check_phys_mem_is_outside:330 Non-sec mem (0x10000000:0x40000000) overlaps map (type 2 0x4e000000:0x5d000)
E/TC:0 0 Panic at core/arch/arm/mm/core_mmu.c:334 <check_phys_mem_is_outside>
E/TC:0 0 TEE load address @ 0x4e000000
E/TC:0 0 Call stack:
E/TC:0 0 0x4e006fd1

Fixes https://github.com/OP-TEE/optee_os/issues/3567
Fixes https://github.com/OP-TEE/optee_os/issues/3710

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: Allow platforms to configure num of JR entries

Currently JR entries is fixed to 10 in common file. Allow
this to be over-ridden by platform's conf.mk

Signed-off-by: Ruchika Gupta <r

drivers: caam: Allow platforms to configure num of JR entries

Currently JR entries is fixed to 10 in common file. Allow
this to be over-ridden by platform's conf.mk

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

drivers: caam: Fix bug in caam_hal_jr_flush()

After requesting the CAAM block for flushing the JR,
the function should wait till the halt is complete
(i.e HALT_ONGOING). The code currently erroneous

drivers: caam: Fix bug in caam_hal_jr_flush()

After requesting the CAAM block for flushing the JR,
the function should wait till the halt is complete
(i.e HALT_ONGOING). The code currently erroneously
checks this on HALT_COMPLETE which can result in
infinite loops on platforms where the halt gets
completed before this check exceutes for first time.

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

drivers: caam: Modify access of 64 bit registers

The Address of Input/output Job ring and scatter gather table are
handled differently depending on platform

1. All BE CAAM platforms (LS1043, LS1012

drivers: caam: Modify access of 64 bit registers

The Address of Input/output Job ring and scatter gather table are
handled differently depending on platform

1. All BE CAAM platforms (LS1043, LS1012, LS1046)
and i.MX platforms (LE CAAM):
base + 0x0000 : most-significant 32 bits
base + 0x0004 : least-significant 32 bits

The 32-bit version of this core therefore has to write to base + 0x0004
to set the 32-bit wide DMA address.

2. All other LE CAAM platforms (LS2088, LS1088, LX2160 etc.)
base + 0x0000 : least-significant 32 bits
base + 0x0004 : most-significant 32 bits

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: arm: mm: fix VA overflow issue in assign_mem_va()

Fix assign_mem_va() that is missing VA limit check on 64bit machines.
This change catches the overflow at address assignation preventing TEE
t

core: arm: mm: fix VA overflow issue in assign_mem_va()

Fix assign_mem_va() that is missing VA limit check on 64bit machines.
This change catches the overflow at address assignation preventing TEE
to panic in a not obvious way when the out of bound address is accessed.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: use pointers to out/inring_entry for CAAM

Use pointers to outring_entry and inring_entry as input for
caam_desc_pop(), caam_desc_push() and caam_desc_jobstatus() functions.

This quic

drivers: caam: use pointers to out/inring_entry for CAAM

Use pointers to outring_entry and inring_entry as input for
caam_desc_pop(), caam_desc_push() and caam_desc_jobstatus() functions.

This quick re-work originaly comes from the initiative to get rid of a
GGC 9.2 warning -Waddress-of-packed-member

core/drivers/crypto/caam/caam_jr.c: In function ‘do_jr_dequeue’:
core/drivers/crypto/caam/caam_jr.c:262:22: warning: taking address of packed member of ‘struct outring_entry’ may result in an unaligned pointer value [-Waddress-of-packed-member]
262 | if (caam_desc_pop(&jr_out->desc) == caller->pdesc) {
| ^~~~~~~~~~~~~
core/drivers/crypto/caam/caam_jr.c:265:26: warning: taking address of packed member of ‘struct outring_entry’ may result in an unaligned pointer value [-Waddress-of-packed-member]
265 | caam_read_jobstatus(&jr_out->status);
| ^~~~~~~~~~~~~~~

By doing this, we let the function safely extracting the field.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...