stm32mp1: use phys_to_virt_io_secure() where expected

This change updates platforms and drivers to use io_pa_or_va_secure()
when expecting a secure mapped address.

PWR, RCC, GIC, TAMP, BSEC, ETZPC,

stm32mp1: use phys_to_virt_io_secure() where expected

This change updates platforms and drivers to use io_pa_or_va_secure()
when expecting a secure mapped address.

PWR, RCC, GIC, TAMP, BSEC, ETZPC, I2C are always secure (when embedded).

RNG uses a secure or non-secure mapping according to its registration in
platform shared_resource driver.

GPIOs IO memory is always access though non-secure mapped virtual
addresses.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce io_pa_or_va_{secure|nsec}()

io_pa_or_va_secure() returns the secure mapped virtual address
if MMU is enable while io_pa_or_va_nsec() would return the non-secure
mapped virtual addres

core: introduce io_pa_or_va_{secure|nsec}()

io_pa_or_va_secure() returns the secure mapped virtual address
if MMU is enable while io_pa_or_va_nsec() would return the non-secure
mapped virtual address.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: RPMB FS: fix panic when RPMB partition size is 16 MiB

The overflow check used when computing the number of the last block in
the RPMB parition is incorrect. It causes an overflow when
rpmb_siz

core: RPMB FS: fix panic when RPMB partition size is 16 MiB

The overflow check used when computing the number of the last block in
the RPMB parition is incorrect. It causes an overflow when
rpmb_size_mult is 128, that is, when the partition size is 16 MiB.
Indeed, max_blk_idx is a uint16_t and we are trying to store 65536
(= 128 * (128 * 1024) / 256).

Fix this by using a 32-bit temporary variable to hold the result of the
multiplication (the number of blocks), then subtract 1 to get the last
block number using SUB_OVERFLOW().

Fixes: ea81076f7896 ("core: RPMB FS: check for potential overflows")
Fixes: https://github.com/OP-TEE/optee_os/issues/3012
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Pengguang Zhu <zpghao@163.com>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_etzpc: core driver level for pm operations

Change power transition ordering level for the ETZPC driver. The
driver does not depend and clock configuration and the access
filtering configuratio

stm32_etzpc: core driver level for pm operations

Change power transition ordering level for the ETZPC driver. The
driver does not depend and clock configuration and the access
filtering configuration shall be restored prior device drivers
resumes sequence to reflect expected platform state.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pm: helper register_pm_core_service_cb()

Introduce inline helper function register_pm_core_service_cb() to
simplifies registration of core service PM callbacks:

help:
register_pm_core_servi

core: pm: helper register_pm_core_service_cb()

Introduce inline helper function register_pm_core_service_cb() to
simplifies registration of core service PM callbacks:

help:
register_pm_core_service_cb(my_callback, my_handle);
instead of generic:
register_pm_cb(&PM_CALLBACK_HANDLE_INITIALIZER(
my_callback, my_handle,
PM_CB_ORDER_CORE_SERVICE));

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: kern.ld.S: discard .interp section

tee.elf currently has an INTERP segment that contains
"/usr/lib/ld.so.1". This is totally meaningless, so remove it by
discarding the .interp section in

core: arm: kern.ld.S: discard .interp section

tee.elf currently has an INTERP segment that contains
"/usr/lib/ld.so.1". This is totally meaningless, so remove it by
discarding the .interp section in the linker script.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: bugfix mutex_destroy()

Prior to this patch mutex_destroy() was incorrectly testing the lock state.
With this patch the test is corrected to avoid panic() on unlocked mutexes.

Reviewed-by: Jer

core: bugfix mutex_destroy()

Prior to this patch mutex_destroy() was incorrectly testing the lock state.
With this patch the test is corrected to avoid panic() on unlocked mutexes.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ree_fs_ta.c: fix compile error

Fixes compile error with CFG_REE_FS_TA_BUFFERED=n:
core/arch/arm/kernel/ree_fs_ta.c:284:13: error: ‘ta_get_tag’ undeclared here (not in a function); did you mean

core: ree_fs_ta.c: fix compile error

Fixes compile error with CFG_REE_FS_TA_BUFFERED=n:
core/arch/arm/kernel/ree_fs_ta.c:284:13: error: ‘ta_get_tag’ undeclared here (not in a function); did you mean ‘ta_head’?
.get_tag = ta_get_tag,
^~~~~~~~~~
ta_head
core/arch/arm/kernel/ree_fs_ta.c:201:19: error: ‘ree_fs_ta_get_tag’ defined but not used [-Werror=unused-function]
static TEE_Result ree_fs_ta_get_tag(const struct user_ta_store_handle *h,
^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
mk/compile.mk:147: recipe for target '../out-os-qemu/core/arch/arm/kernel/ree_fs_ta.o' failed

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove unused tee_customer_part.h

Removes the unused <tee_customer_part.h>

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

stm32mp1: common SoC registers protections

Helper functions for stm32mp1 platform to access a SoC interface
register that can be accessed from several drivers and services.
They all use a common spi

stm32mp1: common SoC registers protections

Helper functions for stm32mp1 platform to access a SoC interface
register that can be accessed from several drivers and services.
They all use a common spinlock to ensure atomic update of the
register content.

Helpers: io_mask32_stm32shregs(), io_setbits32_stm32shregs(),
io_clrbits32_stm32shregs() and io_clrsetbits32_stm32shregs().

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: simplify stm32mp_periph_is_*()

As per design shared resources explicitly registered as secure are
assigned to the secure world while other are defacto assigned to the
non-secure world.

Th

stm32mp1: simplify stm32mp_periph_is_*()

As per design shared resources explicitly registered as secure are
assigned to the secure world while other are defacto assigned to the
non-secure world.

This change remove functions stm32mp_periph_is_unregistered() and
stm32mp_periph_is_non_secure() and keeps only stm32mp_periph_is_secure()
which return value reflects whether the resource is assigned to the
secure or non-secure world.

Suggested-by: Jérôme Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: remove info traces on shared resource registering

Change verbosity of shared resource registration traces from info
to debug log level.

Signed-off-by: Etienne Carriere <etienne.carriere@l

stm32mp1: remove info traces on shared resource registering

Change verbosity of shared resource registration traces from info
to debug log level.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core:tee: remove redundant tee_obj_attr_to_binary() calls

A couple of tee_obj_attr_to_binary() calls are useless,
remove them.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Fixes: https://

core:tee: remove redundant tee_obj_attr_to_binary() calls

A couple of tee_obj_attr_to_binary() calls are useless,
remove them.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Fixes: https://github.com/OP-TEE/optee_os/issues/3004
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)

show more ...

core: fix session closure when open panicked

Change tee_ta_close_session() function to support panicked TA contexts.
Prior this change, the function did not expect referenced context
had previously

core: fix session closure when open panicked

Change tee_ta_close_session() function to support panicked TA contexts.
Prior this change, the function did not expect referenced context
had previously panicked. Since recent changes for reloadable keep alive
TAs, referenced below, Panic on open session does completely release
context which session closure is expected to proceed to.

Fixes: https://github.com/OP-TEE/optee_os/issues/3003
Fixes: fd10f62b8210 ("core: keep alive TA context can be created after TA has panicked")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)

show more ...

core: storage: add some overflow checks

Adds overflow checks to the secure storage code.

Signed-off-by: Bastien Simondi <bsimondi@netflix.com>
[jf: Fix test in syscall_storage_obj_seek() case TEE_D

core: storage: add some overflow checks

Adds overflow checks to the secure storage code.

Signed-off-by: Bastien Simondi <bsimondi@netflix.com>
[jf: Fix test in syscall_storage_obj_seek() case TEE_DATA_SEEK_END]
[jf: Get rid of { } block, initialize new local variables]
[jf: Do not fail on (data && !len) in syscall_storage_obj_create()]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: check allocated size of temporary secure memory

When servicing syscall_invoke_ta_command(), the invoked TA could modify
the .size field. Make sure the allocated buffer is not overwritten on
re

core: check allocated size of temporary secure memory

When servicing syscall_invoke_ta_command(), the invoked TA could modify
the .size field. Make sure the allocated buffer is not overwritten on
return.

Signed-off-by: Bastien Simondi <bsimondi@netflix.com>
[jf: fix multi-line comment, replace '= { 0 };' with '= { };']
[jf: add commit description]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: crypto: libtomcrypt: enable LTC_CLEAN_STACK

Enables LTC_CLEAN_STACK so that LibTomCrypt will wipe key material and
other sensitive data once no longer used.

Signed-off-by: Jerome Forissier <j

core: crypto: libtomcrypt: enable LTC_CLEAN_STACK

Enables LTC_CLEAN_STACK so that LibTomCrypt will wipe key material and
other sensitive data once no longer used.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Bastien Simondi <bsimondi@netflix.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: FS: wipe sensitive data after use

The secure storage code makes use of various cryptographic data (keys
and IVs). Make sure the buffers are wiped after use to minimize the
risks that sensitive

core: FS: wipe sensitive data after use

The secure storage code makes use of various cryptographic data (keys
and IVs). Make sure the buffers are wiped after use to minimize the
risks that sensitive data may be leaked to an attacker who would have
gained some access to the secure memory.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: thread: use READ_ONCE() when accessing data in shared memory

In some places we read a value from shared memory, then based on the
value we take some actions. When multiple tests are done, we s

core: thread: use READ_ONCE() when accessing data in shared memory

In some places we read a value from shared memory, then based on the
value we take some actions. When multiple tests are done, we should make
sure that the value is not read multiple times because there is no
guarantee that Normal World has not changed the value in the mean time,
which could break the logic. Consider for instance:

if (shared && shared->value)
do_something();

If "shared" resides in shared memory, it might change between
"if (shared)" and "if (shared->value)". If it happens to be set to NULL
for example, the code will crash.
To ensure consistency, a temporary variable has to be used to hold the
value, and the READ_ONCE() macro is required to prevent the compiler
from emitting multiple loads of the memory location.

Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: verify size of allocated shared memory

Makes sure that normal world cannot change the size of allocated shared
memory, resulting in a smaller buffer being allocated.

Suggested-by: Bastien Sim

core: verify size of allocated shared memory

Makes sure that normal world cannot change the size of allocated shared
memory, resulting in a smaller buffer being allocated.

Suggested-by: Bastien Simondi <bsimondi@netflix.com> [1.1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: scrub user-tainted memory returned by alloc_temp_sec_mem()

This is a security fix for TA-to-TA calls.

In syscall_open_ta_session() and syscall_invoke_ta_command(), caller TA
can reference som

core: scrub user-tainted memory returned by alloc_temp_sec_mem()

This is a security fix for TA-to-TA calls.

In syscall_open_ta_session() and syscall_invoke_ta_command(), caller TA
can reference some private memory, in which case the kernel makes a
temporary copy. Unfortunately, memory allocated through
alloc_temp_sec_mem() is not cleared when returned. One could leverage
this to copy arbitrary data into this secure memory pool or to snoop
former data from a previous call done by another TA (e.g., using
TEE_PARAM_TYPE_MEMREF_OUTPUT allows to map the data while not overwriting
it, hence accessing to what is already there).

This patch introduces mobj_free_wipe() to clear and free an mobj.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.5]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: scrub user-tainted kernel heap memory before freeing it

Some syscalls can be used to poison kernel heap memory. Data copied from
userland is not wiped when the syscall returns. For instance, w

core: scrub user-tainted kernel heap memory before freeing it

Some syscalls can be used to poison kernel heap memory. Data copied from
userland is not wiped when the syscall returns. For instance, when doing
syscall_log() one can copy arbitrary data of variable length onto kernel
memory. When free() is called, the block is returned to the memory pool,
tainted with that userland data. This might be used in combination with
some other vulnerability to produce an exploit.

This patch uses free_wipe() to clear the buffers that have been used to
store user-provided data before returning them to the heap.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.4]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: check for overflow in msg_param_mobj_from_noncontig()

msg_param_mobj_from_noncontig() does not check that buf_ptr + size does
not overflow. As a result, num_pages could be computed small, whil

core: check for overflow in msg_param_mobj_from_noncontig()

msg_param_mobj_from_noncontig() does not check that buf_ptr + size does
not overflow. As a result, num_pages could be computed small, while
size could be big. Only num_pages will be mapped/registered in the
returned mobj. If the caller does not compare mobj->size with required
size, it can end up manipulating memory out of the intended region.

Fix the issue by using overflow checking macros.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

stm32mp1: default embedded RNG driver

Default enable CFG_STM32_RNG in the platform configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech

stm32mp1: default embedded RNG driver

Default enable CFG_STM32_RNG in the platform configuration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

stm32mp1: fix missing RNG1 non-secure mapping

RNG1 may be assigned to the non-secure world while secure world do
use the resource. In such case, secure world is responsible for
accessing the periphe

stm32mp1: fix missing RNG1 non-secure mapping

RNG1 may be assigned to the non-secure world while secure world do
use the resource. In such case, secure world is responsible for
accessing the peripheral in a system state where non-secure world
cannot execute of interfere in RNG1 state. secure world will uses RNG1
even if non-secure, during OP-TEE initialization and some power states
transitions, when non-secure world is not executed.

This change corrects the missing mapping of RNG1 IO memory with
non-secure access attributes.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...