plat-stm32mp1: enable dynamic shared memory

Register dynamic shared memory allowed by the platform that is
the DRAM address ranges below and above the secure DRAM (TZDRAM).

Signed-off-by: Etienne C

plat-stm32mp1: enable dynamic shared memory

Register dynamic shared memory allowed by the platform that is
the DRAM address ranges below and above the secure DRAM (TZDRAM).

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: aslr: fix cached_mem_end update

Fix update of cache_mem_end that corrupts CPU register R4 used to
store a boot argument in Aarch32.

Fixes: 487fd6828322 ("core: aslr: apply load offset to cach

core: aslr: fix cached_mem_end update

Fix update of cache_mem_end that corrupts CPU register R4 used to
store a boot argument in Aarch32.

Fixes: 487fd6828322 ("core: aslr: apply load offset to cached_mem_end")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: generic_entry: fix aarch32 lpae mmu configuration

Correct configuration of the MMU registers TTBR0/TTBR1 for
Aarch32/LPAE that omitted to load a zero value in the 32bit upper
part of the regis

core: generic_entry: fix aarch32 lpae mmu configuration

Correct configuration of the MMU registers TTBR0/TTBR1 for
Aarch32/LPAE that omitted to load a zero value in the 32bit upper
part of the registers.

Fixes: 520860f658be ("core: generic_entry: add enable_mmu()")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: CAAM: Fix caam_desc_pop() function for 64bit platforms

Fix caam_desc_pop() function for reading the output CAAM job ring
entry for 64-bit platforms.

Signed-off-by: Priyanka Singh <priyanka

drivers: CAAM: Fix caam_desc_pop() function for 64bit platforms

Fix caam_desc_pop() function for reading the output CAAM job ring
entry for 64-bit platforms.

Signed-off-by: Priyanka Singh <priyanka.singh@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Cedric Neveux <cedric.neveux@nxp.com>

show more ...

core: RPMB FS: Make N_ENTRIES a config variable

Allows to configure the number of FAT fs entries to be read from RPMB
storage in one chunk. Increasing this number makes functions that
traverse the F

core: RPMB FS: Make N_ENTRIES a config variable

Allows to configure the number of FAT fs entries to be read from RPMB
storage in one chunk. Increasing this number makes functions that
traverse the FAT fs read in more entries within a single RPMB read
operation. While this potentially improves RPMB I/O, it comes at the
cost of additional memory required to be allocated on the heap.
Determining an optimal size is platform- and use-case-dependent.

Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: aslr: set tee_svc_uref_base to VCORE_START_VA

tee_svc_uref_base was using hardcoded TEE_TEXT_VA_START define value.
This value isn't valid after TEE core relocation. Switch to use
VCORE_START_

core: aslr: set tee_svc_uref_base to VCORE_START_VA

tee_svc_uref_base was using hardcoded TEE_TEXT_VA_START define value.
This value isn't valid after TEE core relocation. Switch to use
VCORE_START_VA which is linker variable that should get update after
relocation code executed.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: aslr: apply load offset to cached_mem_end

cached_mem_end was calculated before relocation and use later for D$
flush. Add code to update cached_mem_end with ASLR load offset.

Signed-off-by: K

core: aslr: apply load offset to cached_mem_end

cached_mem_end was calculated before relocation and use later for D$
flush. Add code to update cached_mem_end with ASLR load offset.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Empty body for dump_fat() unless log level set to TRACE_FLOW

This patch improves RPMB performance. When called, dump_fat()
traverses the whole list of FAT entries and prints them out using
FMSG(). d

Empty body for dump_fat() unless log level set to TRACE_FLOW

This patch improves RPMB performance. When called, dump_fat()
traverses the whole list of FAT entries and prints them out using
FMSG(). dump_fat() is currently called by write_fat_entry() and
rpmb_fs_setup(). With this commit, dump_fat() is only active when
debugging/tracing, and empty for productive builds.

Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: imx: add imx6ulzevk platform flavor

Add imx6ulzevk platform flavor.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

drivers: tzc: set maximum region size for tzc_auto_configure()

According to the TZC380 documentation, the AXI address width controls
the upper limit value of the region size.
This fix makes sure tha

drivers: tzc: set maximum region size for tzc_auto_configure()

According to the TZC380 documentation, the AXI address width controls
the upper limit value of the region size.
This fix makes sure that tzc_auto_configure() function will not
allocated a region bigger that the AXI address width.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: imx: add default UART for sabreauto boards

Board imx6*sabreauto default UART is UART4 and not UART1.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@fo

core: imx: add default UART for sabreauto boards

Board imx6*sabreauto default UART is UART4 and not UART1.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: arm32: fix out-of-sync SPSR

On some platforms that use OP-TEE built as ARM32, asynchronous data
aborts are causing innocent TAs to be killed non-deterministically
upon invocations.

OP-TEE sho

core: arm32: fix out-of-sync SPSR

On some platforms that use OP-TEE built as ARM32, asynchronous data
aborts are causing innocent TAs to be killed non-deterministically
upon invocations.

OP-TEE should not be trapping asynchronous data aborts by default
(unless for bringups) because they usually indicate memory errors
outside the control of PE's MMU and thus better handled by the normal
world OS. Trapping async data aborts also force-unloads keep-alive TAs,
which defeats the feature.

This (masking async data aborts) turns out to be indeed the expected
behavior as `CPSR.A` is set upon SMC entry. The bit is however mistakenly
cleared upon transitioning from SVC mode (OP-TEE) to user mode (TA) due
to a typo introduced in the following commit:

commit a702f5e71e79 ("core: split thread_enter_user_mode")

where `get_spsr()` should be calling `read_cpsr()` instead of
`read_spsr()` in order to save important bits in CPSR to SPSR prior to
switching to user mode.

More general background at the risk of being pedantic:

Invoking a TA from the REE-OS triggers a series of exception level
transitions: NS.EL1-->[NS.EL2-->]EL3-->[S.EL2-->]S.EL1-->S.EL0.

During each transtion the SPSR of each level except EL0 should be kept
in sync with the level's PSTATE(ARM64) or CPSR(ARM32).

The PSTATE/CPSR is initialized by target level's software when
transitioning from a high level to a lower level. For example OP-TEE
initializes the PSTATE/CPSR upon SMC entry.

The PSTATE/CPSR is saved to the current level SPSR by software prior
to transitioning out to a lower level. The PSTATE/CPSR is restored
from SPSR automatically (without software intervention) upon
"returning" to a highlevel from a lower level.

Fixes: https://github.com/OP-TEE/optee_os/issues/3576

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Ali Zhang <alizhang@google.com>

show more ...

core: protect syscall table lookup from speculation

In user_ta_handle_svc() as part of handling a syscall there's a lookup
in the syscall table which can be subject to a speculation attack.
load_no_

core: protect syscall table lookup from speculation

In user_ta_handle_svc() as part of handling a syscall there's a lookup
in the syscall table which can be subject to a speculation attack.
load_no_speculate() is used to protect the sensitive lookup.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by the TEE core or pseudo-TAs. This situation is
reflected by two configuration variables allowing to choose between
libmbedtls and libmpa:

- CFG_TA_MBEDTLS_MPI (default y) configures libutee,
- CFG_CORE_MBEDTLS_MPI (default y) configures the TEE core/PTAs.

In addition there is CFG_TA_MBEDTLS (default y, mandatory when
CFG_TA_MBEDTLS_MPI is y) to build libmbedtls and install it into the
SDK for direct use by TAs (libmbedtls also has function to deal with
certificates for instance).

MBed TLS has been supported and used by default for just over a year;
and we have recently found an issue with the MPA implementation of the
integer multiplication with modulus (mpa_mulmod()) [1] [2]. Therefore,
now is a good time to remove libmpa and use libmbedtls instead.

Link: [1] https://github.com/OP-TEE/optee_os/pull/3541#issuecomment-577592381
Link: [2] https://github.com/OP-TEE/optee_test/pull/389
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: vm_unmap(): remove length alignment requirement

Removes the requirement that length of memory area to unmap must be page
aligned. The supplied length is instead rounded up to the nearest page.

core: vm_unmap(): remove length alignment requirement

Removes the requirement that length of memory area to unmap must be page
aligned. The supplied length is instead rounded up to the nearest page.

This fixes a regression with CFG_FTRACE_SUPPORT=y:
E/TC:? 0 assertion '!res' failed at core/arch/arm/kernel/user_ta.c:571 <user_ta_dump_ftrace>

Fixes: cffe74d2446b ("core: fix assigned size of struct mobj_reg_shm")
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: set SCTLR_SPAN

Initializes SCTLR.SPAN to 1. SCTLR.SPAN was introduced with v8.1-PAN and
was prior to that defined as RES1.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off

core: arm: set SCTLR_SPAN

Initializes SCTLR.SPAN to 1. SCTLR.SPAN was introduced with v8.1-PAN and
was prior to that defined as RES1.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: add SCTLR_SPAN define

Adds define for setting SCTLR.SPAN which is available with the
architecture feature ARMv8.1-PAN in both AArch32 and AArch64.

Reviewed-by: Jerome Forissier <jerome@f

core: arm: add SCTLR_SPAN define

Adds define for setting SCTLR.SPAN which is available with the
architecture feature ARMv8.1-PAN in both AArch32 and AArch64.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey960: fix support for 4G & 6G boards

Since commit 4518cdc1ff64 ("core: arm64: introduce CFG_CORE_ARM64_PA_BITS")
platforms are required to define CFG_CORE_ARM64_PA_BITS if their physical
address

hikey960: fix support for 4G & 6G boards

Since commit 4518cdc1ff64 ("core: arm64: introduce CFG_CORE_ARM64_PA_BITS")
platforms are required to define CFG_CORE_ARM64_PA_BITS if their physical
address space extends beyond 4G. This was missing for HiKey960 4G & 6G
versions, which indeed have addresses beyond 4G.

Signed-off-by: Henrik Uhrenfeldt <henrik.uhrenfeldt@huawei.com>

show more ...

core: driver: Fix CAAM Hash - User Buffers

Fix the CAAM Hash driver when input/output buffers are User buffers
allocated on multiple Small Pages.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com

core: driver: Fix CAAM Hash - User Buffers

Fix the CAAM Hash driver when input/output buffers are User buffers
allocated on multiple Small Pages.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: CAAM driver User Buffer SGT create

CAAM Driver can operate directly with the User Buffer and in this
case, the buffer can be on non-contiguous physical page.

CAAM is using a DMA to load/st

drivers: CAAM driver User Buffer SGT create

CAAM Driver can operate directly with the User Buffer and in this
case, the buffer can be on non-contiguous physical page.

CAAM is using a DMA to load/store data from memory. The DMA is working
with physical address. In case of the User Buffer, if the buffer is
crossing multiple Small Page, a CAAM Scatter Gather Table needs to
be created to rebuild the physical memory chunks used by the User virtual
buffer.

Add a function to check if a buffer is a User buffer crossing mutliple
small page.
Add a function to create a SGT Table of the User buffer.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-amlogic: Add initial support for Amlogic platforms

This is the initial support for the Amlogic platforms.

Tested 64-bin mode on A113D (AXG) board using upstream TF-A BL31.

* xtest results (-l

plat-amlogic: Add initial support for Amlogic platforms

This is the initial support for the Amlogic platforms.

Tested 64-bin mode on A113D (AXG) board using upstream TF-A BL31.

* xtest results (-l 15):
| 44074 subtests of which 0 failed
| 96 test cases of which 0 failed
| 0 test cases were skipped
| TEE test application done!

* Compiled with:
| make PLATFORM=amlogic

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Carlo Caione <ccaione@baylibre.com>

show more ...

core_mmu: fix warnings when CFG_CORE_DYN_SHM=n && CFG_SECURE_DATA_PATH=n

Static function pbuf_is_special_mem() is used only when dynamic shared
memory or secure data path are enabled. Add the proper

core_mmu: fix warnings when CFG_CORE_DYN_SHM=n && CFG_SECURE_DATA_PATH=n

Static function pbuf_is_special_mem() is used only when dynamic shared
memory or secure data path are enabled. Add the proper #ifdefs to fix
the following warning:

$ make -s CFG_CORE_DYN_SHM=n CFG_SECURE_DATA_PATH=n
core/arch/arm/mm/core_mmu.c:260:13: warning: ‘pbuf_is_special_mem’ defined but not used [-Wunused-function]
260 | static bool pbuf_is_special_mem(paddr_t pbuf, size_t len,
| ^~~~~~~~~~~~~~~~~~~

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: entry_fast.c: fix warning when CFG_CORE_DYN_SHM=n

When CFG_CORE_DYN_SHM=n and CFG_TEE_CORE_LOG_LEVEL<3 we have:

$ make -s CFG_CORE_DYN_SHM=n CFG_TEE_CORE_LOG_LEVEL=2
core/arch/arm/tee/entry

core: entry_fast.c: fix warning when CFG_CORE_DYN_SHM=n

When CFG_CORE_DYN_SHM=n and CFG_TEE_CORE_LOG_LEVEL<3 we have:

$ make -s CFG_CORE_DYN_SHM=n CFG_TEE_CORE_LOG_LEVEL=2
core/arch/arm/tee/entry_fast.c: In function ‘tee_entry_exchange_capabilities’:
core/arch/arm/tee/entry_fast.c:65:7: warning: unused variable ‘dyn_shm_en’ [-Wunused-variable]
65 | bool dyn_shm_en = false;
| ^~~~~~~~~~

Add __maybe_unused to get rid of the warning.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libfdt: move to version v1.5.1

Imports upstream libfdt version v1.5.1 [1]. Things worthy of note:

- SPDX license identifiers were added upstream in commit 94f87cd5b7c5
("libfdt: Add dual GPL/BSD

libfdt: move to version v1.5.1

Imports upstream libfdt version v1.5.1 [1]. Things worthy of note:

- SPDX license identifiers were added upstream in commit 94f87cd5b7c5
("libfdt: Add dual GPL/BSD SPDX tags to files missing license text").
They conflict with those we have added locally in commit 1bb929836182
("Add SPDX license identifiers"). We added "BSD-2-Clause" while
upstream added "GPL-2.0-or-later OR BSD-2-Clause". This commit keeps
the upstream tags.

- At this stage we carry no local modification except for two minor
things enabling C99 compliance:
1. Zero sized arrays at the end of structs fdt_node_header and
fdt_property are changed from "[0]" to "[]",
2. An extra semicolon is removed after the static function
overlay_fixup_one_phandle().
These changes were in the initial import already, commit b908c67504cd
("Import libfdt v1.4.1").

Link: [1] https://github.com/dgibson/dtc/tree/v1.5.1/libfdt
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-imx: Add SA settings for i.MX6UL

The Secure Access register configures the access mode for non-TrustZone
aware DMA masters. To ensure that no DMA master can read the secure
memory for OP-TEE, w

plat-imx: Add SA settings for i.MX6UL

The Secure Access register configures the access mode for non-TrustZone
aware DMA masters. To ensure that no DMA master can read the secure
memory for OP-TEE, we set access for all masters except the
processor (Cortex-A7) to non-secure only and lock the settings
afterwards.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Clement Faure <clement.faure@nxp.com>

show more ...