core: arm64: update register accessor macros to support Clang

Clang complains about ASM operand width:

core/arch/arm/include/arm64.h:295:1: warning: value size does not match register size specifi

core: arm64: update register accessor macros to support Clang

Clang complains about ASM operand width:

core/arch/arm/include/arm64.h:295:1: warning: value size does not match register size specified by the constraint and modifier [-Wasm-operand-widths]
DEFINE_U32_REG_READWRITE_FUNCS(cpacr_el1)
^
core/arch/arm/include/arm64.h:278:3: note: expanded from macro 'DEFINE_U32_REG_READWRITE_FUNCS'
DEFINE_U32_REG_READ_FUNC(reg) \
^
core/arch/arm/include/arm64.h:272:3: note: expanded from macro 'DEFINE_U32_REG_READ_FUNC'
DEFINE_REG_READ_FUNC_(reg, uint32_t, reg)
^
core/arch/arm/include/arm64.h:261:42: note: expanded from macro 'DEFINE_REG_READ_FUNC_'
asm volatile("mrs %0, " #asmreg : "=r" (val)); \
^
core/arch/arm/include/arm64.h:295:1: note: use constraint modifier "w"
core/arch/arm/include/arm64.h:278:3: note: expanded from macro 'DEFINE_U32_REG_READWRITE_FUNCS'
DEFINE_U32_REG_READ_FUNC(reg) \
^
core/arch/arm/include/arm64.h:272:3: note: expanded from macro 'DEFINE_U32_REG_READ_FUNC'
DEFINE_REG_READ_FUNC_(reg, uint32_t, reg)
^
core/arch/arm/include/arm64.h:261:20: note: expanded from macro 'DEFINE_REG_READ_FUNC_'
asm volatile("mrs %0, " #asmreg : "=r" (val)); \
^

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Move .weak directive after the symbol definition

Clang ignores the .weak directive if it appears before the symbol is
defined. Fix the few places where it happens.

Signed-off-by: Jerome Forissier <

Move .weak directive after the symbol definition

Clang ignores the .weak directive if it appears before the symbol is
defined. Fix the few places where it happens.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove deprecated ldm/stm instructions

Some uses of SP, PC and LR in the register list of Load/Store Multiple
instructions is forbidden (Thumb) or deprecated (ARM) as per the ARM
ARM DDI 0406 C.d. F

Remove deprecated ldm/stm instructions

Some uses of SP, PC and LR in the register list of Load/Store Multiple
instructions is forbidden (Thumb) or deprecated (ARM) as per the ARM
ARM DDI 0406 C.d. For the LDM instructions, SP should not be in the
list, and the list should not contain both PC and LR. See sections:

[A8.8.58] LDM/LDMIA/LDMFD (Thumb)
[A8.8.59] LDM/LDMIA/LDMFD (ARM)
[A8.8.60] LDMDA/LDMFA
[A8.8.61] LDMDB/LDMEA
[A8.8.62] LDMIB/LDMED

For the STM instructions, neither SP nor PC should be in the list. See
sections:

[A8.8.200] STM (STMIA, STMEA)
[A8.8.201] STMDA (STMED)
[A8.8.202] STMDB (STMFD)
[A8.8.203] STMIB (STMFA)

Clang warns on the deprecated constructs. Use ldr/str instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core_mmu: fix "outside of array bounds" warning

Newest versions of GCC (v9.1.0 at least) are unhappy about subtraction
from array pointer:

core/arch/arm/mm/core_mmu.c: In function 'core_init_mmu_ma

core_mmu: fix "outside of array bounds" warning

Newest versions of GCC (v9.1.0 at least) are unhappy about subtraction
from array pointer:

core/arch/arm/mm/core_mmu.c: In function 'core_init_mmu_map':
core/arch/arm/mm/core_mmu.c:523:30: warning: array subscript -1 is outside array bounds of 'const struct core_mmu_phys_mem[]' [-Warray-bounds]
523 | for (mem = start; mem < end - 1; mem++) {
| ~~~~^~~
In file included from core/include/initcall.h:9,
from core/arch/arm/include/kernel/generic_boot.h:8,
from core/arch/arm/mm/core_mmu.c:11:
core/include/scattered_array.h:100:29: note: while referencing '__scattered_array_end'
100 | static const element_type __scattered_array_end[0] __unused \
| ^~~~~~~~~~~~~~~~~~~~~

This is valid warning, as such pointer arithmetic produces undefined
behavior according to paragraph 5.6.5.8 of C99 standard. On other hand
the standard allows pointers that point past the last element of
array, so expression "mem + 1" is valid.

Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core_self_tests.c: build with -fno-builtin

The memory tests in core_self_tests.c call the malloc()/calloc() API
without doing anything meaningful with the output. It turns out that a
clever compiler

core_self_tests.c: build with -fno-builtin

The memory tests in core_self_tests.c call the malloc()/calloc() API
without doing anything meaningful with the output. It turns out that a
clever compiler (read: Clang) will detect this and aggressively
optimize the code, to the point that a call to calloc() is removed
entirely. Here is a reduced test case for the record:

$ cat test.c
#include <stdlib.h>

int main(int argc, char *argv[])
{
return calloc(1000000, 1) ? 1 : 0;
}
$ clang --target=arm-linux-gnueabihf -Os -c test.c
$ llvm-objdump -d test.o

test.o: file format ELF32-arm-little

Disassembly of section .text:
0000000000000000 main:
0: 01 00 a0 e3 mov r0, #1
4: 1e ff 2f e1 bx lr

No call to calloc() in the generated code! As strange as it may seem,
this is reportedly a valid behavior for the compiler [1].

This optimization is obviously not wanted for the test that tries to
check that allocation of a very large buffer fails in OP-TEE.

This commit adds the -fno-builtins flag to the compiler command for that
particular source file, thus preventing the optimization and making the
test pass.

Link: [1] https://bugs.llvm.org/show_bug.cgi?id=37304
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: cast parameter to (void *) when using %p in EMSG()

Fixes the following Clang warning:

core/arch/arm/kernel/generic_boot.c:395:12: warning: format specifies type 'void *' but the argument

core: cast parameter to (void *) when using %p in EMSG()

Fixes the following Clang warning:

core/arch/arm/kernel/generic_boot.c:395:12: warning: format specifies type 'void *' but the argument
has type 'const uint8_t *' (aka 'const unsigned char *') [-Wformat-pedantic]
n, page, res);
^~~~

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: thread.c: increase stack_tmp size from 1.5 to to 2KiB

We get a dead canary error when booting QEMU with OP-TEE compiled with
Clang. Increase stack size a bit to fix the issue.

Signed-off

core: arm: thread.c: increase stack_tmp size from 1.5 to to 2KiB

We get a dead canary error when booting QEMU with OP-TEE compiled with
Clang. Increase stack size a bit to fix the issue.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: link.mk: generate empty tee-pageable.bin when pager is disabled

When CFG_WITH_PAGER != y, there is no need to call $(OBJCOPY) to
generate tee-pageable.bin, since we know it will be empty. Use

core: link.mk: generate empty tee-pageable.bin when pager is disabled

When CFG_WITH_PAGER != y, there is no need to call $(OBJCOPY) to
generate tee-pageable.bin, since we know it will be empty. Use 'touch'
instead.

This fixes an error with Clang, caused by the fact that llvm-objcopy
cannot generate an empty file:

llvm-objcopy: error: failed to open out/arm-plat-vexpress/core/tee-pageable.bin: Invalid argument.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: initialize struct with = { }

The proper way to initialize structures is with = { }. Fixes a Clang
warning:

core/arch/arm/kernel/unwind_arm32.c:497:38: warning: suggest braces around i

core: arm32: initialize struct with = { }

The proper way to initialize structures is with = { }. Fixes a Clang
warning:

core/arch/arm/kernel/unwind_arm32.c:497:38: warning: suggest braces around initialization of subobject [-Wmissing-braces]
struct unwind_state_arm32 state = { 0 };
^
{}

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread_a32.S: use assembler unified syntax (UAL)

The movnes instruction causes a compilation warning with Clang:

core/arch/arm/kernel/thread_a32.S:250:2: error: instruction 'movne' can not s

core: thread_a32.S: use assembler unified syntax (UAL)

The movnes instruction causes a compilation warning with Clang:

core/arch/arm/kernel/thread_a32.S:250:2: error: instruction 'movne' can not set flags, but 's' suffix specified
movnes pc, lr
^

This is because Clang supports only Unified Assembler Language syntax
(UAL). GCC also supports this syntax, and there are two ways to enable
it: either use the -masm-syntax-unified flag, or the ".syntax unified"
directive. Unfortunately, the first option does not work with GCC 8.2
[1]. Therefore, use the second option.

This modification results in identical code being generated with GCC
for the whole thread_a32.o file. And Clang generates the same code as
GCC for the the 'movsne pc, lr' instruction.

Link: [1] https://github.com/gcc-mirror/gcc/commit/2fd2b9b8425f
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: change the pattern used to generate asm-defines.h

This commit prepares support for the Clang compiler.

$O/core/include/generated/asm-defines.h is generated from
core/arch/arm/kernel/asm-defin

core: change the pattern used to generate asm-defines.h

This commit prepares support for the Clang compiler.

$O/core/include/generated/asm-defines.h is generated from
core/arch/arm/kernel/asm-defines.c by the C compiler with the -S flag
(generate assembler code), followed by some light post-processing with
sed.

The intermediate file ($O/core/include/generated/.asm-defines.s) is
actually not a valid assembler file. It contains illegal tokens, which
where chosen to make it easy to parse with sed. For example:

==>SM_CTX_SIZE #256 sizeof(struct sm_ctx) @

...is turned into:

#define SM_CTX_SIZE 256 /* sizeof(struct sm_ctx) */

While this works fine with GCC, the Clang compiler won't accept to
output invalid assembler. This commit slightly modifies the inline
assembler so that the needed information is contained within a .ascii
directive:

.ascii "==>SM_CTX_SIZE 248 sizeof(struct sm_ctx)" @

The 'c' constraint (%c0) is added to avoid the # prefix before an
immediate value, which is not accepted by Clang either.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm: remove -mthumb-interwork

The GCC compiler flag -mthumb-interwork is useful only for pre-v5 Arm
architectures and is not supported by Clang. Remove it.

Signed-off-by: Jerome Forissier <jerome.f

arm: remove -mthumb-interwork

The GCC compiler flag -mthumb-interwork is useful only for pre-v5 Arm
architectures and is not supported by Clang. Remove it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add C compiler version to identification string

Adds the compiler version to the string that is printed to the secure
console when OP-TEE initializes. For example:

"(gcc version 6.2.1 201610

core: add C compiler version to identification string

Adds the compiler version to the string that is printed to the secure
console when OP-TEE initializes. For example:

"(gcc version 6.2.1 20161016 (Linaro GCC 6.2-2016.11))"
"(clang version 8.0.0 (tags/RELEASE_800/final))"

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: kernel_generic_entry_a64.S: support CFG_DT_ADDR

Add CFG_DT_ADDR for a64 to override the DT address passing
through arg2.

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Reviewed-b

core: kernel_generic_entry_a64.S: support CFG_DT_ADDR

Add CFG_DT_ADDR for a64 to override the DT address passing
through arg2.

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

show more ...

core: console: fix use after free when CFG_DT=y

Commit 770b2afacf33 ("core: more flexible console init from DT") has
split configure_console_from_dt() in two parts, the first one being
moved to a ne

core: console: fix use after free when CFG_DT=y

Commit 770b2afacf33 ("core: more flexible console init from DT") has
split configure_console_from_dt() in two parts, the first one being
moved to a new function: get_console_node_from_dt(). Unfortunately,
this function may return pointers to a freed buffer.

Fix the problem by allocating each output string on the heap and letting
the caller clean on return.

Fixes: 770b2afacf33 ("core: more flexible console init from DT")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinksi@pengutronix.de>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

dts: stm32mp1: default disable RCC secure hardening

This change disables security hardening of the RCC hardware interface
of ST boards. This allows one to use the upstream Linux kernel 5.2
in which

dts: stm32mp1: default disable RCC secure hardening

This change disables security hardening of the RCC hardware interface
of ST boards. This allows one to use the upstream Linux kernel 5.2
in which stm32mp1 platforms do not yet support hardened secure RCC.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: refuse to release enabled RCC hardening

With this change, platform panics when DT directives states RCC is
fully assigned to non-secure while SoC was configured by early
boot stage with RC

stm32mp1: refuse to release enabled RCC hardening

With this change, platform panics when DT directives states RCC is
fully assigned to non-secure while SoC was configured by early
boot stage with RCC TZ hardening enabled.

When RCC TZ hardening is disabled, non-secure world could alter RCC
related configuration. Such a setup is allowed only if early boot
stage disabled RCC TZ hardening, OP-TEE DT states the same and
device is not in closed_device mode.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: introduce stm32_bsec_is_closed_device()

stm32_bsec_is_closed_device() states if the platform fuses state
a closed_device or not.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

stm32mp1: introduce stm32_bsec_is_closed_device()

stm32_bsec_is_closed_device() states if the platform fuses state
a closed_device or not.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fix icache_inv_user_range in AArch64

Prior to this patch in the AArch64 version of icache_inv_user_range()
ttbr0_el1 was overwritten with garbage if CFG_CORE_UNMAP_CORE_AT_EL0=n.
This patch fi

core: fix icache_inv_user_range in AArch64

Prior to this patch in the AArch64 version of icache_inv_user_range()
ttbr0_el1 was overwritten with garbage if CFG_CORE_UNMAP_CORE_AT_EL0=n.
This patch fixes this by instead modifying previously read value.

Fixes: 79083642a114 ("core: add icache_inv_user_range()")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ecc_sign_hash blinding CVE-2018-12437

This originates from the LibTomCrypt upstream mitigation patch:
f0a51bbdbd ("ecc_sign_hash blinding CVE-2018-12437") [1]

but with modifications to fit into th

ecc_sign_hash blinding CVE-2018-12437

This originates from the LibTomCrypt upstream mitigation patch:
f0a51bbdbd ("ecc_sign_hash blinding CVE-2018-12437") [1]

but with modifications to fit into the current LibTomCrypt version used
by OP-TEE (use the old function name rand_bn_range(..) instead of the
new name rand_bn_upto(..)).

Link: [1] https://github.com/libtom/libtomcrypt/commit/f0a51bbdbd50e03a43914c9ee912c451b6ad82e5

Fixes: OP-TEE-2019-0018

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU-v7)
Reported-by: Santos Merino del Pozo <santos.research@gmail.com>
Suggested-by: Santos Merino del Pozo <santos.research@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ltc: allow usage of rand_bn functions for ECC builds

To be able to backport [1] we have to enable the "rand_bn" functions.

Link: [1] https://github.com/libtom/libtomcrypt/commit/f0a51bbdbd50e03a439

ltc: allow usage of rand_bn functions for ECC builds

To be able to backport [1] we have to enable the "rand_bn" functions.

Link: [1] https://github.com/libtom/libtomcrypt/commit/f0a51bbdbd50e03a43914c9ee912c451b6ad82e5

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ftrace: Enable support for 32 bit apps

By default 32 bit trusted applications are compiled in thumb mode but
thumb mode doesn't support function graph tracing due to missing frame
pointer support re

ftrace: Enable support for 32 bit apps

By default 32 bit trusted applications are compiled in thumb mode but
thumb mode doesn't support function graph tracing due to missing frame
pointer support required to trace function call chain. So rather compile
trusted applications in ARM mode in case function tracing is enabled.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug

LTC_CLEAN_STACK uses burn_stack() API that uses a recursive call which
leads to approx. double the size of stack cleaned than expected on ARM64,
be

core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug

LTC_CLEAN_STACK uses burn_stack() API that uses a recursive call which
leads to approx. double the size of stack cleaned than expected on ARM64,
because it consumes stack space in 32-byte chunks and assumes only buf
is pushed onto the stack while ignoring any other data such as lr, fp,
etc.. This causes stack overflow corrupting canaries in case we perform
a SHA512 hash operation which utilizes maximum stack as compared to other
libtomcrypt APIs. So get rid of this recursive call via using variable
length array to clean stack.

Also, convert zeromem() API as a wrapper to call memzero_explicit().

Fixes: ad565116a0d7 ("core: crypto: libtomcrypt: enable LTC_CLEAN_STACK")
Suggested-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: pager: use icache_inv_user_range()

Prior to this patch the entire icache was invalidated when icache
invalidations was needed, even if it only was for a single page. This
was needed to reach a

core: pager: use icache_inv_user_range()

Prior to this patch the entire icache was invalidated when icache
invalidations was needed, even if it only was for a single page. This
was needed to reach a stable state with regards to paging user TAs.

With this patch a new function, icache_inv_user_range(), is used to
invalidate pages used by user TAs and icache_inv_range() is used instead
to invalidate kernel mode pages.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: use tlbi_mva_asid() where applicable

Instead of invalidating a virtual address for all ASIDs only target the
relevant ones. For kernel mode mappings all ASIDs still needs to be
targeted

core: pager: use tlbi_mva_asid() where applicable

Instead of invalidating a virtual address for all ASIDs only target the
relevant ones. For kernel mode mappings all ASIDs still needs to be
targeted though.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...