core: ltc: SM2 PKE: fix bignum conversions

All integers used in the SM2 algorithms are encoded as 32 byte buffers
in big endian format. The current code does not properly pad the buffer
with zeros w

core: ltc: SM2 PKE: fix bignum conversions

All integers used in the SM2 algorithms are encoded as 32 byte buffers
in big endian format. The current code does not properly pad the buffer
with zeros when a value does not need the whole 32 bytes and has a few
other related issues. Fix that.

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: acipher_helpers.h: add macro mp_to_unsigned_bin2()

Writing a bignum to a fixed size integer buffer in big endian order is
slightly cumbersome, because one has to take into account the act

core: ltc: acipher_helpers.h: add macro mp_to_unsigned_bin2()

Writing a bignum to a fixed size integer buffer in big endian order is
slightly cumbersome, because one has to take into account the actual
size of the bignum in order to have the zero padding on the left.
Let's say I am working with 256-bit numbers:

unsigned char buf[32] = { };
void *n = compute_some_bignum(...);

mp_to_unsigned_bin(n, buf + sizeof(buf) - mp_unsigned_bin_size(n));

This commit introduces mp_to_unsigned_bin2() which can be used like so:

unsigned char buf[32] = { };
void *n = compute_some_bignum(...);

mp_to_unsigned_bin2(n, buf, sizeof(buf));

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: generic_entry_a{32,64}.S: use correct cached_mem_end

Stores the correct register at cached_mem_end at boot. This avoids usage
of stale dcache content.

Fixes: 5dd1570ac5b0 ("core: add embedded

core: generic_entry_a{32,64}.S: use correct cached_mem_end

Stores the correct register at cached_mem_end at boot. This avoids usage
of stale dcache content.

Fixes: 5dd1570ac5b0 ("core: add embedded data region")
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: generic_entry_a64.S: use CIVAC over IVAC to clean cache data

After moving some initial sections around in memory we clean out the new
data and invalidate the cache so it can be seen by other c

core: generic_entry_a64.S: use CIVAC over IVAC to clean cache data

After moving some initial sections around in memory we clean out the new
data and invalidate the cache so it can be seen by other cores when they
enable caches. The instruction used was invalidate; on most systems this
will behave the same as clean/invalidate, but on some with L3 caches this
can cause the just written data to be invalidated. Use the
clean+invalidate to prevent this on such systems.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: introduce CFG_CORE_ARM64_PA_BITS

Introduces CFG_CORE_ARM64_PA_BITS which replaces the max_pa global
variable which was used to configure TCR_EL1.IPS.

Prior to 520860f ("core: generic_e

core: arm64: introduce CFG_CORE_ARM64_PA_BITS

Introduces CFG_CORE_ARM64_PA_BITS which replaces the max_pa global
variable which was used to configure TCR_EL1.IPS.

Prior to 520860f ("core: generic_entry: add enable_mmu()") TCR_EL1.IPS
was calculated and even updated later in the boot flow to automatically
cover the needed physical address space. But now it's calculated before
MMU is enabled and once MMU it's kept in read only memory.

With CFG_CORE_ARM64_PA_BITS TCR_EL1.IPS can be determined early and
later it is enough to check that physical addresses to be mapped are
covered by CFG_CORE_ARM64_PA_BITS.

Fixes: 520860f658be ("core: generic_entry: add enable_mmu()")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make SMALL_PAGE_MASK and friends of type paddr_t

Makes SMALL_PAGE_MASK, CORE_MMU_PGDIR_MASK, CORE_MMU_USER_CODE_MASK and
CORE_MMU_USER_PARAM_MASK of type paddr_t to allow correct masking of
si

core: make SMALL_PAGE_MASK and friends of type paddr_t

Makes SMALL_PAGE_MASK, CORE_MMU_PGDIR_MASK, CORE_MMU_USER_CODE_MASK and
CORE_MMU_USER_PARAM_MASK of type paddr_t to allow correct masking of
significant bits.

Example:
extern paddr_t addr;
paddr_t page_addr = addr & ~SMALL_PAGE_MASK

If paddr_t is a 64-bit type SMALL_PAGE_MASK must also be 64-bit wide or
the ~ operation will not set all the higher bits.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: support shared irq

With some platforms would have multiplexed interrupts
and software implement difference interrupt handler.
Currently the interrupt mechanism only handle the first
matched ha

core: support shared irq

With some platforms would have multiplexed interrupts
and software implement difference interrupt handler.
Currently the interrupt mechanism only handle the first
matched handler, and can not support shared irq.

New change to keep find another matched handler if the
previous handler return none.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: davidwang <davidwang@realtek.com>

show more ...

core: ltc: SM2 DSA: fix bignum memory leaks

crypto_acipher_sm2_dsa_sign() and crypto_acipher_sm2_dsa_verify() leak
some bignum memory due to missing calls to ecc_free().
This is all the more problem

core: ltc: SM2 DSA: fix bignum memory leaks

crypto_acipher_sm2_dsa_sign() and crypto_acipher_sm2_dsa_verify() leak
some bignum memory due to missing calls to ecc_free().
This is all the more problematic that bignum allocations use a special
memory pool [1] that can easily cause deadlocks when misused.

This commit adds the missing calls.

[1] Commit a2eb5b55d169 ("libutils: add mempool API")

Fixes: 76c7ba4b9ff7 ("core: ltc: add support for SM2 DSA")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 PKE: fix bignum memory leaks

crypto_acipher_sm2_pke_encrypt() and crypto_acipher_sm2_pke_decrypt()
leak some bignum memory due to missing calls to ecc_free() and also due
to the fact

core: ltc: SM2 PKE: fix bignum memory leaks

crypto_acipher_sm2_pke_encrypt() and crypto_acipher_sm2_pke_decrypt()
leak some bignum memory due to missing calls to ecc_free() and also due
to the fact that the x and y fields of an ecc_point are overwritten.
This is all the more problematic that bignum allocations use a special
memory pool [1] that can easily cause deadlocks when misused.

This commit fixes these problems.

[1] Commit a2eb5b55d169 ("libutils: add mempool API")

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 PKE: add missing return status check

The status of function ltc_ecc_is_point_at_infinity() is not checked in
crypto_acipher_sm2_pke_encrypt(). Fix that.

Fixes: f9a78287dd12 ("core: l

core: ltc: SM2 PKE: add missing return status check

The status of function ltc_ecc_is_point_at_infinity() is not checked in
crypto_acipher_sm2_pke_encrypt(). Fix that.

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto add support for SM2 DSA

Adds SM2 Digital Signature Algorithm [1] using LibTomCrypt. The TA
interface complies with the GlobalPlatform TEE Internal Core API
version 1.2.

SM2 DSA is enab

core: crypto add support for SM2 DSA

Adds SM2 Digital Signature Algorithm [1] using LibTomCrypt. The TA
interface complies with the GlobalPlatform TEE Internal Core API
version 1.2.

SM2 DSA is enabled with CFG_CRYPTO_SM2_DSA=y (default y) which currently
requires that CFG_CRYPTOLIB_NAME=tomcrypt. An Mbed TLS implementation
could be added later if needed.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add support for SM2 DSA

Adds support for the SM2 Digital Signature Algorithm [1] for use by
OP-TEE core based on LibTomCrypt.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724

core: ltc: add support for SM2 DSA

Adds support for the SM2 Digital Signature Algorithm [1] for use by
OP-TEE core based on LibTomCrypt.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add support for SM2 PKE

Adds SM2 Public Key Encryption [1] using LibTomCrypt. The TA interface
complies with the GlobalPlatform TEE Internal Core API version 1.2.

SM2 is enabled with

core: crypto: add support for SM2 PKE

Adds SM2 Public Key Encryption [1] using LibTomCrypt. The TA interface
complies with the GlobalPlatform TEE Internal Core API version 1.2.

SM2 is enabled with CFG_CRYPTO_SM2_PKE=y (default y) which currently
requires that CFG_CRYPTOLIB_NAME=tomcrypt. An Mbed TLS implementation
could be added later if needed.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add support for SM2 PKE

SM2 is a set of public key cryptographic algorithms based on elliptic
curves published by the Chinese Commercial Cryptography Administration
Office [1]. The standa

core: ltc: add support for SM2 PKE

SM2 is a set of public key cryptographic algorithms based on elliptic
curves published by the Chinese Commercial Cryptography Administration
Office [1]. The standard has three main parts which define:

- A Digital Signature Algorithm (part 2)
- A Key Exchange Protocol (part 3)
- A Public Key Encryption method (part 4)

This commit implements the PKE LibTomcrypt for use by the OP-TEE core.
It uses the LibTomCrypt ECC and arithmetic helper functions as well as
the OP-TEE hash interface for the SM3 algorithm.

As far as the ECC point encoding goes, only the uncompressed form is
supported, as permitted by the standard. In practice, it means that the
cipher text always starts with the byte value 0x04. Other forms cannot
be decrypted by this implementation.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: export ECC key helper functions

The static functions ecc_populate_ltc_private_key() and
ecc_populate_ltc_public_key() will be useful for other ECC algorithms
than the ones currently handl

core: ltc: export ECC key helper functions

The static functions ecc_populate_ltc_private_key() and
ecc_populate_ltc_public_key() will be useful for other ECC algorithms
than the ones currently handled by core/lib/libtomcrypt/ecc.c, namely:
the SM2 family of algorithms. Therefore, export these functions in
"acipher_helpers.h".

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add implementations for .addmod and .submod

Adds the addmod() and submod() functions which are missing from the
ltc_mp descriptor. It is a bug, because crypto functions never check the
fu

core: ltc: add implementations for .addmod and .submod

Adds the addmod() and submod() functions which are missing from the
ltc_mp descriptor. It is a bug, because crypto functions never check the
functions pointers before using them.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add SM2 curve parameters

Adds the recommended curve parameters for SM2 [1] [2].

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812
[2] https://tools.ietf.org/id/draft-ribo

core: ltc: add SM2 curve parameters

Adds the recommended curve parameters for SM2 [1] [2].

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812
[2] https://tools.ietf.org/id/draft-ribose-openpgp-oscca-00.html

Signed-off-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: enable rollback protection for REE-FS TAs

Add check for TA version while loading TA from REE-FS and compare
against secure storage based TA version database to prevent against
any TA version d

core: enable rollback protection for REE-FS TAs

Add check for TA version while loading TA from REE-FS and compare
against secure storage based TA version database to prevent against
any TA version downgrades.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: fix speculative execution past ERET vulnerability

Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
inst

core: arm64: fix speculative execution past ERET vulnerability

Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).

It was fixed by Linux [1], FreeBSD [2] and OpenBSD [3]. The misbehavior
is demonstrated in [4] and [5].

Link: [1] https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8
Link: [2] https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61
Link: [3] https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2
Link: [4] https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc
Link: [5] https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c

Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_map_contiguous_pages()

Adds core_mmu_map_contiguous_pages() which maps a range of physical
addresses.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wik

core: add core_mmu_map_contiguous_pages()

Adds core_mmu_map_contiguous_pages() which maps a range of physical
addresses.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rename to mobj_{inc,dec}_map()

Renames mobj_reg_shm_inc_map() and mobj_reg_shm_dec_map() to
mobj_inc_map() and mobj_dec_map() respectively. This makes room for
other implementations of registe

core: rename to mobj_{inc,dec}_map()

Renames mobj_reg_shm_inc_map() and mobj_reg_shm_dec_map() to
mobj_inc_map() and mobj_dec_map() respectively. This makes room for
other implementations of registered shared memory.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: sm3: remove unused header

Removed unused mbedtls/md.h header file to fix error:

core/crypto/sm3-hmac.c:12:10: fatal error: mbedtls/md.h: No such file or directory

when building with

core: crypto: sm3: remove unused header

Removed unused mbedtls/md.h header file to fix error:

core/crypto/sm3-hmac.c:12:10: fatal error: mbedtls/md.h: No such file or directory

when building with CFG_CORE_MBEDTLS_MPI=n. To prevent future similar
regression, also add a test case to Shippable.

Fixes: https://github.com/OP-TEE/optee_os/issues/3487
Fixes: 47645577c806 ("core: crypto: add support for SM3")
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: crypto: add support for SM3

Adds support for the SM3 cryptographic hash function [1] using the API
defined in the GlobalPlatform TEE Internal Core API v1.2, as well as the
HMAC based on this h

core: crypto: add support for SM3

Adds support for the SM3 cryptographic hash function [1] using the API
defined in the GlobalPlatform TEE Internal Core API v1.2, as well as the
HMAC based on this hash.

This implementation is based on code published on Gitlab [2]. See commit
ade6f848e084 ("core: crypto: add support for SM4") for details.

[1] https://tools.ietf.org/html/draft-sca-cfrg-sm3-02
[2] https://gitlab.com/otpfree/sm234

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: crypto: add support for SM4

Adds support for the SM4 cipher [1] using the API defined in the
GlobalPlatform TEE Internal Core API v1.2.

ECB, CBC and CTR modes are implemented. Other modes are

core: crypto: add support for SM4

Adds support for the SM4 cipher [1] using the API defined in the
GlobalPlatform TEE Internal Core API v1.2.

ECB, CBC and CTR modes are implemented. Other modes are valid but are
not included in the GP specification, so they are not considered here.

This implementation is based on code published on Gitlab [2]. The
project contains no licensing terms, so I contacted the author
(goldboar@163.com), asking for permission to re-use the code in OP-TEE
under a BSD-2-Clause license. I received the following reply:

"[...] If you like you can use it [...]"

I have reworked the source to better fit the OP-TEE coding style. I
have also added the CTR mode of operation.

I do not think we will need to merge any change from upstream in the
future.

[1] https://tools.ietf.org/html/draft-ribose-cfrg-sm4-10
[2] https://gitlab.com/otpfree/sm234

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-ti: Switch to using SMCCC compatible calls

Previously on our TI evil vendor Linux tree we would use a sentinel value
in r12 to signal if a call was meant for OP-TEE or the legacy ROM. A path
to

plat-ti: Switch to using SMCCC compatible calls

Previously on our TI evil vendor Linux tree we would use a sentinel value
in r12 to signal if a call was meant for OP-TEE or the legacy ROM. A path
to using SMCCC compatible calls from Linux is being implemented.
Switch the OP-TEE side over.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...