virt: add nexus memory area

This patch is the first in series of patches that split OP-TEE RW memory
into two regions: nexus memory and TEE memory. Nexus memory will
be always mapped and it will be

virt: add nexus memory area

This patch is the first in series of patches that split OP-TEE RW memory
into two regions: nexus memory and TEE memory. Nexus memory will
be always mapped and it will be used to store all data that is
vital for OP-TEE core and is not bound to virtual guests.

TEE memory is a memory that holds data specific for certain guest.
There will be TEE memory bank for every guest and it will be mapped
into OP-TEE address space only during call from that guest.

This patch adds nexus memory and moves stacks into it. Also
it provides __nex_bss and __nex_data macros, so one can easily set right
section for a variable.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pta_stats: add support for nex_malloc stats

Add statistic for OP-TEE nexus memory allocator.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@li

pta_stats: add support for nex_malloc stats

Add statistic for OP-TEE nexus memory allocator.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core_self_tests.c: add tests for nex_malloc

Now, when we have separate allocator for nexus
part of OP-TEE, it is good to add tests for it.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>

core_self_tests.c: add tests for nex_malloc

Now, when we have separate allocator for nexus
part of OP-TEE, it is good to add tests for it.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: Use generic memory layout

plat-rcar have quite standard memory layout, so there is no sense
to maintain separate configuration if it possible to use generic
one.

Signed-off-by: Volodymyr

plat-rcar: Use generic memory layout

plat-rcar have quite standard memory layout, so there is no sense
to maintain separate configuration if it possible to use generic
one.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta_stats: add memleak function

Adds a memleak function to the status PTA which calls mdbg_check(1)
to dump all allocations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed

core: pta_stats: add memleak function

Adds a memleak function to the status PTA which calls mdbg_check(1)
to dump all allocations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ltc: fix the CBC_MAC error

When there is some data already pending in the cbc->block and the input
data size is not large enough to do cbc_encrypt(), the pending data is
going to be overwritten. For

ltc: fix the CBC_MAC error

When there is some data already pending in the cbc->block and the input
data size is not large enough to do cbc_encrypt(), the pending data is
going to be overwritten. For example, a serial input with size like 3,3...
uncovers this bug.

Signed-off-by: Oliver Chiang <rockerfeynman@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)

show more ...

core: fix get_elf_segments() segs initialization

get_elf_segments() doesn't initialize the returned segs array properly,
some fields are left uninitialized. Fix this by doing a compound
assignment w

core: fix get_elf_segments() segs initialization

get_elf_segments() doesn't initialize the returned segs array properly,
some fields are left uninitialized. Fix this by doing a compound
assignment when initializing new elements in the array.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check the value of tee_otp_get_die_id()

Just like the get_prop_tee_dev_id() in tee_svc.c, it returns
TEE_ERROR_BAD_STATE, when tee_otp_get_die_id() reports someting bad.
Put the same check in

core: check the value of tee_otp_get_die_id()

Just like the get_prop_tee_dev_id() in tee_svc.c, it returns
TEE_ERROR_BAD_STATE, when tee_otp_get_die_id() reports someting bad.
Put the same check in tee_fs_init_key_manager() as well.

Fixes: https://github.com/OP-TEE/optee_os/issues/2762
Signed-off-by: Oliver Chiang <rockerfeynman@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: use URL in Fixes: tag]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ta_open(): free allocated memory on error

In error condition on checking "ta_size", was returning
error from function without cleaning allocated memory.

Signed-off-by: Sahil Malhotra <sahil.m

core: ta_open(): free allocated memory on error

In error condition on checking "ta_size", was returning
error from function without cleaning allocated memory.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Fixes: https://github.com/OP-TEE/optee_os/pull/2776
[jf: minor edits to commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

scripts: re-indent Python scripts

Fixes the following warnings:

$ pycodestyle --version
2.5.0

$ pycodestyle scripts/*.py
scripts/bin_to_c.py:15:9: E117 over-indented
scripts/bin_to_c.py:34:9:

scripts: re-indent Python scripts

Fixes the following warnings:

$ pycodestyle --version
2.5.0

$ pycodestyle scripts/*.py
scripts/bin_to_c.py:15:9: E117 over-indented
scripts/bin_to_c.py:34:9: E117 over-indented
scripts/bin_to_c.py:37:17: E117 over-indented
scripts/bin_to_c.py:49:17: E117 over-indented
scripts/bin_to_c.py:50:25: E117 over-indented
scripts/bin_to_c.py:54:25: E117 over-indented
scripts/bin_to_c.py:56:25: E117 over-indented
scripts/bin_to_c.py:62:9: E117 over-indented

$ cd core/arch/arm/plat-stm32mp1/scripts; \
pycodestyle stm32image.py
stm32image.py:21:9: E117 over-indented
stm32image.py:27:9: E117 over-indented
stm32image.py:29:17: E117 over-indented
stm32image.py:39:9: E117 over-indented
stm32image.py:77:9: E117 over-indented
stm32image.py:84:17: E117 over-indented
stm32image.py:96:9: E117 over-indented
stm32image.py:100:9: E117 over-indented
stm32image.py:125:9: E117 over-indented
stm32image.py:140:9: E117 over-indented

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoS with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-o

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoS with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Reviewed-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
Reviewed-by: Scott Branden <scott.branden@broadcom.com>
Reviewed-by: Pramod Kumar <pramod.kumar@broadcom.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("Support ARM GICv3 mode")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_storage_obj_create(): fix a memory leak

Free the o->attr in the error handling part.

Fixes: https://github.com/OP-TEE/optee_os/issues/2738
Signed-off-by: Oliver Chiang <rockerfeynman@

core: syscall_storage_obj_create(): fix a memory leak

Free the o->attr in the error handling part.

Fixes: https://github.com/OP-TEE/optee_os/issues/2738
Signed-off-by: Oliver Chiang <rockerfeynman@gmail.com>
[jf: do not set o->attr = 0; move tee_obj_free(o) under if (o) { ... }]
[jf: add spaces to subject; use URL in Fixes: tag]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)

show more ...

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <j

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: svc_cryp: fix truncated buffer length

Fixes truncated buffer length in multiple crypto syscalls. The buffer
length is truncated on 32-bit systems because a size_t can't hold a
uint64_t which i

core: svc_cryp: fix truncated buffer length

Fixes truncated buffer length in multiple crypto syscalls. The buffer
length is truncated on 32-bit systems because a size_t can't hold a
uint64_t which is use to carry the buffer length.

Fixes: "Truncated buffer length in crypto system calls (x4)" as reported
by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: svc: always check ta parameters

Always check TA parameters from a user TA. This prevents a user TA from
passing invalid pointers to a pseudo TA.

Fixes: OP-TEE-2018-0007: "Buffer checks missin

core: svc: always check ta parameters

Always check TA parameters from a user TA. This prevents a user TA from
passing invalid pointers to a pseudo TA.

Fixes: OP-TEE-2018-0007: "Buffer checks missing when calling pseudo
TAs".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Mac

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for check

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range i

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range is unaligned the last page in the range is sometimes not checked.
With this patch the first address of each page in the range is checked
to simplify the logic of checking each page and the range and also to
cover the last page under all circumstances.

Fixes: OP-TEE-2018-0005: "tee_mmu_check_access_rights does not check
final page of TA buffer"

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: Initialize tmp_va_buf to prevent a TOCTOU attack

tmp_va_buf will be used if caller parameters points to private TA
memory. However, after doing the syscall to invoke the command it could
be tha

svc: Initialize tmp_va_buf to prevent a TOCTOU attack

tmp_va_buf will be used if caller parameters points to private TA
memory. However, after doing the syscall to invoke the command it could
be that REE has changed caller parameters to point to regular shared
memory and that could potentially open for tmp_va_buf leaking old
information on the stack.

Mitigate this by simplify tee_svc_update_out_param() by only taking
tmp_buf_va[n] into account to tell if a temporary buffer is used or not.

Note that tee_svc_copy_to_user() will make sure that only data writeable
by the user TA can be updated.

Fixes: "Double fetch can be used to copy from uninitialized pointer" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range t

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range to be used of the MOBJ was not checked here and relied on
later checks further down the chain. Those checks seems to be enough
for user TAs, but not for pseudo TAs where the size isn't checked.

This patch adds a check for offset and size to see that they remain
inside the memory covered by the MOBJ.

Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from
REE".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: fix NULL pointer dereference during storage enumeration

In syscall_storage_next_enum(..) when 'tee_obj o' isn't successfully
initialized, then 'o->pobj->fops' is a NULL pointer and therefore we

svc: fix NULL pointer dereference during storage enumeration

In syscall_storage_next_enum(..) when 'tee_obj o' isn't successfully
initialized, then 'o->pobj->fops' is a NULL pointer and therefore we
need to check for that before trying to dereference it in the clean-up
part of the function.

Fixes: "Null pointer dereference in storage system call" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: check for overflow when allocating a BigNum buffer

To avoid overflow errors and copy more data than being allocated we must
check for overflow when allocating a buffer for the bignum-buffer whi

svc: check for overflow when allocating a BigNum buffer

To avoid overflow errors and copy more data than being allocated we must
check for overflow when allocating a buffer for the bignum-buffer which
is 8 times larger than the binary buffer.

Fixes: "Integer overflow in crypto system call" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

svc: avoid TOCTOU issue in syscall_hash_final

When checking that the supplied buffer is big enough to fit the computed
digest one should use the local copy 'hlen' instead of 'hash_len' to
prevent th

svc: avoid TOCTOU issue in syscall_hash_final

When checking that the supplied buffer is big enough to fit the computed
digest one should use the local copy 'hlen' instead of 'hash_len' to
prevent that a malicious attacker in REE have changed the size of
'hash_len' after it has been copied to the local buffer.

(TOCTOU: Time Of Check To Time of Use)

Fixes: "Double-fetch of length in syscall_hash_final (x2)" as reported
by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...