core: pta/gprof.c: remove redundant access check

There is no need to call tee_mmu_check_access_rights() to check the
parameters of gprof_start_pc_sampling(), because they have been checked
already b

core: pta/gprof.c: remove redundant access check

There is no need to call tee_mmu_check_access_rights() to check the
parameters of gprof_start_pc_sampling(), because they have been checked
already by utee_param_to_param() in core/tee/tee_svc.c.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: REE FS TAs: add option to verify signature before processing

Adds configuration flag CFG_REE_FS_TA_BUFFERED, default enabled.

A new TA store is introduced which depends on the TEE FS TA store

core: REE FS TAs: add option to verify signature before processing

Adds configuration flag CFG_REE_FS_TA_BUFFERED, default enabled.

A new TA store is introduced which depends on the TEE FS TA store to
load the whole binary into a temporary buffer in secure DDR and
authenticate it before being processed further.

This reduces the attack surface of the TEE core in case of a
vulnerability in the ELF loader, at the expense of increased memory
usage at load time.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.6]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit remove

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit removes buf_compare_ct(). A compatibility wrapper is kept
in <string_ext.h> to avoid knowingly breaking the build of any TA that
may use it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: RPMB FS: check for potential overflows

This commit deals with a number of potential integer overflows in the
RPMB FS code.

rpmb_fs_init() requests device information from the REE. The RPMB si

core: RPMB FS: check for potential overflows

This commit deals with a number of potential integer overflows in the
RPMB FS code.

rpmb_fs_init() requests device information from the REE. The RPMB size
is returned in struct rpmb_dev_info (field rpmb_size_mult) and is used
in a multiplication that could overflow. Use MUL_OVERFLOW() to deal with
this case.

Some overflow checks are also added in the read and write paths.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.12]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: syscall_authenc_init(): check nonce accessibility

syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.

Signed-off-by: Jerome Forissier

core: syscall_authenc_init(): check nonce accessibility

syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.10]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: crypto: add overflow check when copying attributes

In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could
overflow if a very large attr_count is given. Use MUL_OVERFLOW() to
prop

core: crypto: add overflow check when copying attributes

In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could
overflow if a very large attr_count is given. Use MUL_OVERFLOW() to
properly deal with this case.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.9]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: get_elf_segments(): use memmove on overlapping memory

get_elf_segments() final stage aggregates ELF segments. In the while
loop, the logic to remove the current index is to use memcpy() to shi

core: get_elf_segments(): use memmove on overlapping memory

get_elf_segments() final stage aggregates ELF segments. In the while
loop, the logic to remove the current index is to use memcpy() to shift
down everything beyond that point. This is incorrect; memmove() should
be used instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.8]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: load_elf_from_store(): check stack size

Inside load_elf_from_store(), the ta_head structure is retrieved from
un-authenticated area, and contains the stack size. The stack size could
either al

core: load_elf_from_store(): check stack size

Inside load_elf_from_store(), the ta_head structure is retrieved from
un-authenticated area, and contains the stack size. The stack size could
either already be 0, or could be large enough so it becomes 0 when rounded
up to STACK_ALIGNMENT. This could result in vm_map() returning a virtual
address for a 0-size memory block or other issues.

Check the rounded-up stack_size value before using it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.7]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.foriss

core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.4]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would b

core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would be a small memory block, while num_pages would be large, which could
lead to a generous memcpy() when copying the pages in internal memory, the
outcome of this depends on memory mapping.

Note: no attack path are identified to exploit this overflow, however it
is error prone and could lead to a future vulnerability.

This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static
function that performs the same computation, but returns 0 in case of
integer overflow. The call site is updated to return an error status
should this situation happen.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: do not use virtual addresses as session identifier

Session context virtual address is returned to the REE in
entry_open_session(); it is then used back in entry_close_session() and
entry_invok

core: do not use virtual addresses as session identifier

Session context virtual address is returned to the REE in
entry_open_session(); it is then used back in entry_close_session() and
entry_invoke_command(). Sharing virtual addresses with the REE leads to
virtual memory addresses disclosure that could be leveraged to defeat
ASLR (if/when implemented) and/or mount an attack.

Similarly, syscall_open_ta_session() returns a session ID directly
derived from the session virtual address to the caller TA.

This commit introduces a 32-bit identifier field in struct tee_ta_session.
The ID is generated when the session is created, starting from the id of
the last session in the queue, and counting up until a number that is not
used in the session queue is found.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.1]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: ELF relocation: use ADD_OVERFLOW()

The ELF relocation functions e32_process_rel() and e64_process_rel()
can experience integer overflows which could result in invalid memory
access. Use ADD_OV

core: ELF relocation: use ADD_OVERFLOW()

The ELF relocation functions e32_process_rel() and e64_process_rel()
can experience integer overflows which could result in invalid memory
access. Use ADD_OVERFLOW() to prevent these.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.8]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers

At the end of elf_load_body(), section headers are copied in a system heap
memory block, associated to state->shdr. As the co

core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers

At the end of elf_load_body(), section headers are copied in a system heap
memory block, associated to state->shdr. As the computed size is the
result of an uncontrolled multiplication (ehdr.e_shnum * ehdr.e_shentsize),
it could have overflowed and result in allocating a small memory block.

Use an overflow checking macro to prevent this case.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.7]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: umap_add_region(): add overflow check

Use ADD_OVERFLOW() to be more resilient to very large values
potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier <jerome.forissier@l

core: umap_add_region(): add overflow check

Use ADD_OVERFLOW() to be more resilient to very large values
potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: entry_std.c: clean memory type inline comments

This change modifies inline comments.

Replace "non sec" and "nonsecure" with "non-secure".
Fixup "Rerefence" into "reference".
Clarify contiguou

core: entry_std.c: clean memory type inline comments

This change modifies inline comments.

Replace "non sec" and "nonsecure" with "non-secure".
Fixup "Rerefence" into "reference".
Clarify contiguous shared memory comment.
Minor rephrasing for consistency.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: minor edit to commit subject]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: embed BSEC driver

Embed BSEC driver in platform stm32mp1. The platform implements
stm32mp_get_bsec_static_cfg() to provide BSEC static configuration.

Add BSEC node in stm32mp157c.dtsi.
Ad

stm32mp1: embed BSEC driver

Embed BSEC driver in platform stm32mp1. The platform implements
stm32mp_get_bsec_static_cfg() to provide BSEC static configuration.

Add BSEC node in stm32mp157c.dtsi.
Add BSEC node with some BSEC word definition and assignment (non-secure
and/or secure) for board stm32mp157c-ed1 and stm32mp157c-ev1.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: OTP driver for stm32mp platforms

BSEC is a one time programmable (OTP) memory interface for stm32mp
SoCs. OTPs are grouped into 32bit words identified by a incremental ID
starting from 0

stm32_bsec: OTP driver for stm32mp platforms

BSEC is a one time programmable (OTP) memory interface for stm32mp
SoCs. OTPs are grouped into 32bit words identified by a incremental ID
starting from 0. Shadowed OTPs are loaded in a volatile memory yet
used as OTP values by the software.

The platform shall implement stm32mp_get_bsec_static_cfg() to
provide BSEC driver some information as the BSEC memory size and
its lower/upper threshold ID that split non-secure from secure OTPs.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Christophe Montaud <christophe.montaud@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-ls: updated conf.mk to set CFG_USER_TA_TARGETS

from R3.4.0 onwards, CFG_USER_TA_TARGETS = "ta_arm32 ta_arm64"
is set by default, if the CFG_USER_TA_TARGETS is not set.

Updating the conf.mk for

plat-ls: updated conf.mk to set CFG_USER_TA_TARGETS

from R3.4.0 onwards, CFG_USER_TA_TARGETS = "ta_arm32 ta_arm64"
is set by default, if the CFG_USER_TA_TARGETS is not set.

Updating the conf.mk for plat-ls devices to set the default
value to CFG_USER_TA_TARGETS as per platform.

Value to CFG_USER_TA_TARGETS can be overridden using the make cmd.

Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: GICv3: Configure native secure interrupt

OP-TEE dispatcher registers with TF-A to handle EL1S interrupts
by design. OP-TEE should own the G1S interrupts in GICv3.
-gic_it_add() should resul

drivers: GICv3: Configure native secure interrupt

OP-TEE dispatcher registers with TF-A to handle EL1S interrupts
by design. OP-TEE should own the G1S interrupts in GICv3.
-gic_it_add() should result in configuring a given interrupt to
G1S instead of G0 for GICv3.
-G1S interrupts to be enabled at distributor interface.
-system interface register ICC_IGRPEN1_EL1 to be used to enable
G1S interrupts.

Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Reviewed-by: Soby Mathew <soby.mathew@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add support for Hisilicon Hi3519AV100 DEMO board

Hi3519AV100 is a high-performance and low-power 4K
Smart IP Camera SoC designed for IP cameras, action cameras,
panoramic cameras, rear view mirrors,

Add support for Hisilicon Hi3519AV100 DEMO board

Hi3519AV100 is a high-performance and low-power 4K
Smart IP Camera SoC designed for IP cameras, action cameras,
panoramic cameras, rear view mirrors, and UAVs. Hi3519A
V100 introduces H.265/H.264 encoding and decoding, with
performance up to 4K x 2K@60 fps and 1080p@240 fps.
For more information:
http://www.hisilicon.com/en/Products/ProductList/Surveillance

This patch has been tested using the following step,
1. Patch the uboot and Linux kernel with OP-TEE support if required
2. build step:
(1) make CROSS_COMPILE=arm-himix200-linux- PLATFORM=hisilicon
PLATFORM_FLAVOR=hi3519av100_demo (OPTEE-OS build)

(2) make CROSS_COMPILE_HOST=arm-himix200-linux- (OPTEE_CLIENT build)

(3) cross_compile openssl and replace optee_test/host/libopenssl

(4) make CROSS_COMPILE_HOST=arm-himix200-linux-
CROSS_COMPILE_TA=arm-himix200-linux-
TA_DEV_KIT_DIR=../optee_os/out/arm-plat-hisilicon/export-ta_arm32
COMPILE_NS_USER=32 (OPTEE_TEST build)

3. mkimage -A arm -T kernel -O tee -C none -d tee.bin uTee.optee
4. Boot setting in uboot:
nand read 0x22007fc0 0x100000 0x400000; /* load kernel */
tftp 0x30000000 uTee.optee;bootm 0x30000000;
5. after Linux startup, run daemon tee-supplicant
6. run xtest

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>

show more ...

core: mm: simplify overlap check

Overlap region check could be simplified as below:
"(StartA <= EndB) and (StartB <= EndA)"

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Joakim Bech <joak

core: mm: simplify overlap check

Overlap region check could be simplified as below:
"(StartA <= EndB) and (StartB <= EndA)"

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

Revert "core_mmu: phys_to_virt_io(): warn if PA has both S and NS mappings"

This reverts commit 53c1131c3dee546d6d618a0f7f20586598ca032c. The
original change breaks platforms that map their console

Revert "core_mmu: phys_to_virt_io(): warn if PA has both S and NS mappings"

This reverts commit 53c1131c3dee546d6d618a0f7f20586598ca032c. The
original change breaks platforms that map their console UART in both
security domains [1]. In this case, the platform won't boot because the
error message causes infinite recursion.

Since add_phys_mem() warns about overlaps already, there is really no
need for more checks.

Link: [1] https://github.com/OP-TEE/optee_os/issues/2821
Reported-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: add support for H3 module with 8GB memory

Renesas calls this flavor "salvator-h3-4x2g", in OP-TEE flavor
will be named "salvator_h3_4x2g".

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@

plat-rcar: add support for H3 module with 8GB memory

Renesas calls this flavor "salvator-h3-4x2g", in OP-TEE flavor
will be named "salvator_h3_4x2g".

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

plat-rcar: virtualization port for RCAR platform

Put platform information into nexus sections, so they are
available at all times.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by

plat-rcar: virtualization port for RCAR platform

Put platform information into nexus sections, so they are
available at all times.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

mmu_lpae: flush TLBs when switching partitions

Missed TLB flush caused random page faults on Renesas HW.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome

mmu_lpae: flush TLBs when switching partitions

Missed TLB flush caused random page faults on Renesas HW.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...