Fixes #507 in LTC - vulnerability in der_decode_utf8_string()

Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507

Patch manually picked

Fixes #507 in LTC - vulnerability in der_decode_utf8_string()

Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507

Patch manually picked from:
https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94

Signed-off-by: Luigi Coniglio <werew@ret2libc.com>
[Joakim Bech: Extended commit message]
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7)
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: early_ta: fix tag hash calculation

Previously correct output due to the order of execution (tag is
calculated before any reads) and crypto_hash_final taking the minimum
of digest length and bu

core: early_ta: fix tag hash calculation

Previously correct output due to the order of execution (tag is
calculated before any reads) and crypto_hash_final taking the minimum
of digest length and buffer length, but this will be more reliable.

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

cryp: prevent direct calls to update and final functions

With inconsistent or malformed data it has been possible to call
"update" and "final" crypto functions directly. Using a fuzzer tool [1]
we h

cryp: prevent direct calls to update and final functions

With inconsistent or malformed data it has been possible to call
"update" and "final" crypto functions directly. Using a fuzzer tool [1]
we have seen that this results in asserts, i.e., a crash that
potentially could leak sensitive information.

By setting the state (initialized) in the crypto context (i.e., the
tee_cryp_state) at the end of all syscall_*_init functions and then add
a check of the state at the beginning of all update and final functions,
we prevent direct entrance to the "update" and "final" functions.

[1] https://github.com/MartijnB/optee_fuzzer

Fixes: OP-TEE-2019-0021

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

cryp: ensure that mode is cipher in syscall_cipher_init

When calling syscall_cipher_init there is no check being done that the
state coming from the TA has been initialized to a valid cipher state.

cryp: ensure that mode is cipher in syscall_cipher_init

When calling syscall_cipher_init there is no check being done that the
state coming from the TA has been initialized to a valid cipher state.
By checking the class we prevent an assert in cipher_ops.

Fixes: OP-TEE-2019-0020

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

cryp: ensure that mode is AE in syscall_authenc_ functions

When doing calls to syscall_authenc_xyz functions (all of them except
syscall_authenc_init) there is no check being done that the state com

cryp: ensure that mode is AE in syscall_authenc_ functions

When doing calls to syscall_authenc_xyz functions (all of them except
syscall_authenc_init) there is no check being done that the state coming
from the TA has been initialized to a valid authenticated encryption
state. As a consequence of that it's possible to redirect execution to
other functions. Doing like that will make TEE core end up with a data
abort.

Fixes: OP-TEE-2019-0019

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey, hikey960: set CFG_TEE_RAM_VA_SIZE to 2 MiB

Commit 8fd4d26f6e22 ("plat-hikey: support generic RAM layout") has
inadvertently removed the platform-specific definition of
TEE_RAM_VA_SIZE for HiK

hikey, hikey960: set CFG_TEE_RAM_VA_SIZE to 2 MiB

Commit 8fd4d26f6e22 ("plat-hikey: support generic RAM layout") has
inadvertently removed the platform-specific definition of
TEE_RAM_VA_SIZE for HiKey platforms. It was 2 MiB before, and became
1 MiB (the default). This commit restores the proper value.

Fixes the following panic on boot (HiKey960, 32-bit TEE core with pager
enabled):

I/TC: Pager is enabled. Hashes: 1824 bytes
I/TC: Pager pool size: 252kB
I/TC: OP-TEE version: 3.6.0-182-g2d7a8964df-dev (gcc version 6.2.1 20161016 (Linaro GCC 6.2-2016.11)) #5 Mon 07 Oct 2019 08:22:21 AM UTC arm
E/TC:0 0 Panic at core/lib/libtomcrypt/mpi_desc.c:39 <get_mp_scratch_memory_pool>
E/TC:0 0 Call stack:
E/TC:0 0 0x3f003a4d

Fixes: 8fd4d26f6e22 ("plat-hikey: support generic RAM layout")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

driver: implement CAAM driver

Add the NXP CAAM drivers:
- Random generator (instantiation and random generation)
- Hash

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Ca

driver: implement CAAM driver

Add the NXP CAAM drivers:
- Random generator (instantiation and random generation)
- Hash

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: imx: add imx7ulp CRM registers

Add imx7ulp CRM registers in a header file.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

core: tadb.c: get rid of atomic reference counting

This commit changes the way the tadb_db global variable is protected
against concurrent access on creation and deletion. Instead of using an
atomic

core: tadb.c: get rid of atomic reference counting

This commit changes the way the tadb_db global variable is protected
against concurrent access on creation and deletion. Instead of using an
atomic reference counter (struct refcount) and a mutex, only the mutex
is used and taken unconditionally. The reference count becomes a global
integer protected by the same mutex.

Using a struct refcount was apparently an optimization to avoid taking
the lock unless actual creation or deletion of the tadb_db was needed.
Unfortunately this implementation was causing occasional crashes of the
TEE core (easily reproducible on HiKey running 'xtest 1013' in a loop).
The new implementation is simpler and appears to be rock solid with no
measurable difference in performance.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add support for dumping build configuration info on boot

During development, we occasionally experience crashes within the TEE
core. When the tests are run locally, the developer has all the n

core: add support for dumping build configuration info on boot

During development, we occasionally experience crashes within the TEE
core. When the tests are run locally, the developer has all the needed
information to troubleshoot the issue. But when the crash occurs on a
remote host (CI for instance), it is sometimes inconvenient or even
impossible to retrieve files other than the console logs. As a result,
it is equally inconvenient or impossible to obtain a symbolized crash
dump (scripts/symbolize.py needs the dump message but also tee.elf).
If the exact build configuration is known, then it is possible to
reproduce the build locally (assuming the same toolchain is also used
which is not a problem in practice) and proceed with debugging.
Unfortunately the values of the CFG_ flags are not always shown in the
logs and omitting only one flag can significantly change the TEE
binary.

This commit introduces CFG_SHOW_CONF_ON_BOOT (default n). When enabled,
the contents of the build configuration file $O/conf.mk is printed
to the secure console during initialization with TRACE_INFO severity.
The file is compressed to reduce memory usage and space used in the
logs, and it is encoded into printable text.

To obtain the conf.mk file, one needs to copy and paste the encoded
text into 'base64 -d | xz -d'. These two commands are also required at
build time when CFG_SHOW_CONF_ON_BOOT is y.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

TA dev kit: Clang support

Updates ta/mk/ta_dev_kit.mk and other makefiles so that the COMPILER
variable can be used when building TAs: make COMPILER=clang ...

Signed-off-by: Jerome Forissier <jerom

TA dev kit: Clang support

Updates ta/mk/ta_dev_kit.mk and other makefiles so that the COMPILER
variable can be used when building TAs: make COMPILER=clang ...

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Experimental Clang support

Allows building with Clang with "make COMPILER=clang [other flags...]".
The clang command has to be in the $PATH, as well as the associated
tools (clang-cpp, ld.lld, llvm-

Experimental Clang support

Allows building with Clang with "make COMPILER=clang [other flags...]".
The clang command has to be in the $PATH, as well as the associated
tools (clang-cpp, ld.lld, llvm-ar, llvm-nm, llvm-objcopy and
llvm-readelf).

Tested with Clang built from the master branch of [1] (development
version for 9.0):

mkdir build; cd build
cmake -G Ninja -DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=~/llvm-install \
-DLLVM_ENABLE_PROJECTS="clang;lld" \
-DLLVM_TARGETS_TO_BUILD="AArch64;ARM" \
~/llvm-project/llvm
ninja && ninja install

Limitations:

- CFG_CORE_SANITIZE_KADDRESS=y is not supported.
- CFG_WITH_PAGER is supported, but requires that the TEE core be
linked with the GNU linker. The reason is documented in
mk/clang.mk.

Bug:

- ldelf assertion failure in xtest 1019 when CFG_ULIBS_SHARED=y (QEMU)
E/LD: assertion 'maps[map_idx].sz == sz' failed at ldelf/ta_elf.c:1114 in ta_elf_print_mappings()
Prevents ldelf from displaying the TA mappings on abort or panic, but
does not seem to cause any other problem.

Link: [1] https://github.com/llvm/llvm-project/commits/8351c327647
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU pager/no pager)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8, pager/no pager)
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960, 32/64, GP)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat/rcar: fix core numbering for M3 flavor

R-car Gen3 SoCs have consistent core numbering across all
variations: CA57 cluster have core numbers 0-3 and CA53 have
numbers 4-7.

M3 flavor have 6 core

plat/rcar: fix core numbering for M3 flavor

R-car Gen3 SoCs have consistent core numbering across all
variations: CA57 cluster have core numbers 0-3 and CA53 have
numbers 4-7.

M3 flavor have 6 cores: two CA57s and four CA53s. Taking
into account consistent numbering, M3 will have the following
core ids: 0, 1, 3, 5, 6, 7. To fix this, we need to set
CFG_CORE_CLUSTER_SHIFT to 1.

This somewhat abuses implementation of get_core_pos_mpidr(),
but it is not expected, that it will change in the future.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

build: make cfg-one-enabled return 'n' instead of an empty string

Modify cfg-one-enabled in the same way the parent commit modified
cfg-all-enabled.

Signed-off-by: Jerome Forissier <jerome@forissie

build: make cfg-one-enabled return 'n' instead of an empty string

Modify cfg-one-enabled in the same way the parent commit modified
cfg-all-enabled.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Revert "hikey: increase core heap size to 192 kB"

This reverts commit 28c75dbebc49 ("hikey: increase core heap size to
192 kB") which increased the core heap size in order to pass the AOSP
VTS. Unfo

Revert "hikey: increase core heap size to 192 kB"

This reverts commit 28c75dbebc49 ("hikey: increase core heap size to
192 kB") which increased the core heap size in order to pass the AOSP
VTS. Unfortunately, this bigger value does not work well when the pager
is enabled: it causes lots of page faults and a massive slowdown (for
instance, 'xtest 1013' on HiKey620 completes in ~ 1.7 s with the
default heap size of 64 kB but takes ~ 53 s with 192 kB).

Therefore, revert to the previous configuration. A bigger value can
always be set on the command line or by other means when building for
AOSP.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix configuration check for CFG_PAGED_USER_TA

The cfg-depends-all function from mk/checkconf.mk has to be enclosed
in a $(eval ...) statement. Fix core/core.mk accordingly.

Signed-off-by: Jer

core: fix configuration check for CFG_PAGED_USER_TA

The cfg-depends-all function from mk/checkconf.mk has to be enclosed
in a $(eval ...) statement. Fix core/core.mk accordingly.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey: increase core heap size to 192 kB

To pass VTS in AOSP builds.

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

core: move sockets PTA to core/tee

The sockets pseudo-TA is architecture-independent. Move it to
core/tee and drop the pta_ prefix which is not really useful.

Signed-off-by: Jerome Forissier <jerom

core: move sockets PTA to core/tee

The sockets pseudo-TA is architecture-independent. Move it to
core/tee and drop the pta_ prefix which is not really useful.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move PTAs from core/arch/arm/pta to core/pta

All pseudo-TAs in core/arch/arm/pta are not architecture-
specific so move them out of the arch directory.

sdp_pta.c is renamed sdp.c since _pta i

core: move PTAs from core/arch/arm/pta to core/pta

All pseudo-TAs in core/arch/arm/pta are not architecture-
specific so move them out of the arch directory.

sdp_pta.c is renamed sdp.c since _pta is redundant.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move test PTAs to core/pta/tests

Moves the test PTAs out of the arch-dependent tree into core/pta/tests.
File names are shortened a bit since the full paths make the purpose
clear.

Signed-off

core: move test PTAs to core/pta/tests

Moves the test PTAs out of the arch-dependent tree into core/pta/tests.
File names are shortened a bit since the full paths make the purpose
clear.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: prepare to move PTAs under core/pta and core/pta/tests

Most pseudo-TAs are currently under core/arch/arm/pta. This is wrong
since none of those are architecture-dependent. This patch creates
c

core: prepare to move PTAs under core/pta and core/pta/tests

Most pseudo-TAs are currently under core/arch/arm/pta. This is wrong
since none of those are architecture-dependent. This patch creates
core/pta and core/pta/tests to prepare for the following scheme:
- PTAs that implement a GP TEE API (sockets, for example) should be in
core/tee
- PTAs that implement other system services should be in /core/pta
- Test PTAs should be in core/pta/tests
- Platform-specific PTAs belong in the platform's directory
- Architecture-specific (but not platform-specific) PTAs should go
in core/arch/$(ARCH)/pta (there are none currently)

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta/gprof.c: remove <arm.h> include

The gprof pseudo-TA does not need <arm.h> so remove it.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@

core: pta/gprof.c: remove <arm.h> include

The gprof pseudo-TA does not need <arm.h> so remove it.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20180819

Squash merging branch import/libtomcrypt-1.18.2-develop-20180819

5ecac6e9227c ("core: ltc: adapt to new version of LibTomCrypt")
54d

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20180819

Squash merging branch import/libtomcrypt-1.18.2-develop-20180819

5ecac6e9227c ("core: ltc: adapt to new version of LibTomCrypt")
54d7f2f10c33 ("core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector")
68b1adf4c3db ("core: ltc: aes_modes_armv8a_ce_a64.S: fix incorrect assembly syntax")
b73cfbef058f ("core: ltc: make key in accel_ecb_encrypt() and accel_ecb_decrypt() const")
7160452f6698 ("core: ltc: fix 'switch case misses default'")
05313fd03df1 ("core: ltc: move AES CE files under aes/")
00ed54001f7d ("core: ltc: add custom DH key generation function dh_make_key()")
279e09ee4c7c ("core: ltc: tomcrypt_custom.h: OP-TEE thread support")
e61adb1a2203 ("core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug")
5c75c2d02f13 ("core: LTC use only _CFG_CORE_LTC_ variables")
5decfe20864a ("core: crypto: arm64 ce: update AES CBC routines")
c54b6344cc4e ("core: crypto: cleanup and fix CE accelerated AES CTR")
3f4d78d04eef ("core: crypto: arm32: add counter increment in ce_aes_ctr_encrypt()")
a85a4f88e39d ("Remove 'All rights reserved' from Linaro files")
14ec45d62762 ("Remove license notice from Linaro files")
084691667db2 ("Add SPDX license identifiers")
48de810896b8 ("LTC: add GHASH acceleration")
9f4ecf2ea898 ("arm32: AES using ARMv8-A cryptographic extensions")
a360627e4130 ("arm64: libtomcrypt: rename AES CE files")
48dab9f6464b ("arm64: libtomcrypt: move inline assembly to .S file")
7479ed2a4be9 ("ltc: bugfix find_prng()")
271db0fe9309 ("ltc: make cipher_descriptor a pointer to descriptors")
cbf6e51b6086 ("ltc: make hash_descriptor a pointer to descriptors")
6982b2b65910 ("ltc: make prng_descriptor a pointer to descriptors")
034ed64a6bb2 ("arm: Fix SHA-1 with cryptographic extensions")
468fcca20d8b ("arm64: SHA-224/SHA-256 using ARMv8-A cryptographic extensions")
a55567f8611c ("arm: update SHA-256 32-bit CE implementation to process multiple blocks")
ee62ece8ecf4 ("arm: update SHA-1 32-bit CE implementation to process multiple blocks")
4287faa43c7c ("arm64: SHA-1 using ARMv8-A cryptographic extensions")
0c6c51d33f05 ("ECC: optimize the pool of temporary variables")
f79f07210b95 ("arm64: AES XTS using ARMv8-A cryptographic extensions")
dc3e64eee4af ("arm64: AES using ARMv8-A cryptographic extensions")
fcad408195d8 ("SHA-1 ARMv8 crypto extension implementation")
e9fa8daa66ed ("SHA-256 ARMv8 crypto extension implementation")
36c11ddb0f2f ("Import LibTomCrypt v1.18.2 branch "develop" (Aug 19, 2019)")
01c7a0fe164c ("Remove LibTomCrypt")

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: force alignment of A32 assembler functions to 4 bytes

The Clang assembler will not align all the functions containing A32
code (as opposed to thumb) on 4-byte boundaries, contrary to GCC.

core: ltc: force alignment of A32 assembler functions to 4 bytes

The Clang assembler will not align all the functions containing A32
code (as opposed to thumb) on 4-byte boundaries, contrary to GCC.
This can cause a runtime exception (undef-abort).

Add a ".balign 4" to the ENTRY macro to fix that.

See also commit ff7c2da6d14b ("Force alignment of assembler functions
(FUNC and LOCAL_FUNC) to 4 bytes") [1].

Link: [1] https://github.com/OP-TEE/optee_os/commit/ff7c2da6d14b
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector

Cherry pick of Linux kernel commit ed6ed11830a9 ("crypto:
arm64/aes-modes - get rid of literal load of addend vector").

core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector

Cherry pick of Linux kernel commit ed6ed11830a9 ("crypto:
arm64/aes-modes - get rid of literal load of addend vector"). Original
commit message:

"
Replace the literal load of the addend vector with a sequence that
performs each add individually. This sequence is only 2 instructions
longer than the original, and 2% faster on Cortex-A53.

This is an improvement by itself, but also works around a Clang issue,
whose integrated assembler does not implement the GNU ARM asm syntax
completely, and does not support the =literal notation for FP registers
(more info at https://bugs.llvm.org/show_bug.cgi?id=38642)
"

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

show more ...