| 70697bf3 | 27-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
svc: check for allocation overflow in crypto calls part 2
Without checking for overflow there is a risk of allocating a buffer with a size smaller than anticipated and as a consequence of that it might lead to a heap-based overflow with attacker-controlled data written outside the boundaries of the buffer.
Fixes: OP-TEE-2018-0011: "Integer overflow in crypto system calls (x2)"
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| a6372432 | 27-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
svc: check for allocation overflow in crypto calls
Without checking for overflow there is a risk of allocating a buffer with a size smaller than anticipated and as a consequence of that it might lead to a heap-based overflow with attacker-controlled data written outside the boundaries of the buffer.
Fixes: OP-TEE-2018-0010: "Integer overflow in crypto system calls (x2)"
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| b60e1cee | 27-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
svc: check for allocation overflow in syscall_cryp_obj_populate
Without checking for overflow there is a risk of allocating a buffer with a size smaller than anticipated and as a consequence of that it might lead to a heap-based overflow with attacker-controlled data written outside the boundaries of the buffer.
Fixes: OP-TEE-2018-0009: "Integer overflow in crypto system calls"
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
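The three crypto-syscall fixes above share one root cause: a TA-supplied element count is multiplied by an element size, and the product wraps before it reaches the allocator, so the allocation succeeds with a buffer far smaller than the count implies and the subsequent copy loop runs off its end. The C program below is an added illustration of that pattern and its fix; it is not OP-TEE's code. The struct attr_entry type and its 32-byte size are assumptions chosen for the example, and the check calls the GCC/Clang __builtin_mul_overflow builtin directly so that the file builds stand-alone (OP-TEE provides a MUL_OVERFLOW() helper macro with the same semantics).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical attribute record, 32 bytes; stands in for whatever the
 * crypto syscalls allocate per caller-supplied element. Not OP-TEE's type. */
struct attr_entry {
	uint32_t id;
	uint32_t len;
	uint8_t value[24];
};

/* Size the unchecked code hands to the allocator: count * sizeof() with no
 * overflow check, so a large count silently wraps to a small number. */
size_t unchecked_alloc_size(size_t count)
{
	return count * sizeof(struct attr_entry);
}

/* Vulnerable pattern: a hostile count makes the allocation "succeed" with a
 * buffer that cannot hold `count` elements. Returns 1 if the allocator
 * handed back a buffer, i.e. the wrapped size was never rejected. */
int unchecked_alloc_succeeds(size_t count)
{
	struct attr_entry *e = malloc(unchecked_alloc_size(count));
	int ok = e != NULL;

	free(e);
	return ok;
}

/* Hardened size computation: __builtin_mul_overflow (GCC >= 5, Clang)
 * stores the product in the third argument and returns true if it did
 * not fit in that type. */
bool checked_alloc_size(size_t count, size_t *out)
{
	size_t sz;

	if (__builtin_mul_overflow(count, sizeof(struct attr_entry), &sz))
		return false;
	if (sz == 0)
		return false;	/* no zero-length allocations either */
	*out = sz;
	return true;
}

/* Hardened allocation: refuse wrapped or zero sizes before calling the
 * allocator, and zero-fill so nothing from a previous occupant leaks. */
struct attr_entry *checked_alloc(size_t count)
{
	size_t sz;

	if (!checked_alloc_size(count, &sz))
		return NULL;
	return calloc(1, sz);
}

/* Returns 1 if the hardened path refuses this count, 0 if it allocates. */
int checked_alloc_rejects(size_t count)
{
	struct attr_entry *e = checked_alloc(count);
	int rejected = e == NULL;

	free(e);
	return rejected;
}

int main(void)
{
	/* Constructed hostile count: the product wraps to one element's size. */
	size_t hostile = SIZE_MAX / sizeof(struct attr_entry) + 2;

	printf("hostile count %zu -> unchecked size %zu, allocation %s\n",
	       hostile, unchecked_alloc_size(hostile),
	       unchecked_alloc_succeeds(hostile) ? "succeeds" : "fails");
	printf("checked path rejects it: %s\n",
	       checked_alloc_rejects(hostile) ? "yes" : "no");
	return 0;
}
```

The hostile count is the same on 32-bit and 64-bit targets: SIZE_MAX / 32 + 2 multiplied by 32 wraps to exactly 32, so the unchecked path allocates room for one element while the caller believes it has room for billions.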
| 8f58cdbe | 10-Sep-2018 |
Jens Wiklander <jens.wiklander@linaro.org> |
fs: prevent out of place write when no data
Fixes: "Uninitialized return value returned if len equals 0" as reported by Riscure.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| 4ca9e426 | 10-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
core: add missing return(s) in shdr_alloc_and_copy
Fixes: "Incorrect error handling in shdr_alloc_and_copy (x2)" as reported by Riscure.
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| cfc61406 | 10-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
rpc: ensure that TA fits in allocated memory
When the TEE is about to load a TA it first asks the REE for the size of the TA in question. Next it allocates memory for this based on the size in the previous query. However, there is no guarantee that the REE actually allocates the requested size. A compromised REE could for example modify the RPC request. This means that even though an allocation is successful, we still need to check that the size of the allocated buffer has room to fit the entire TA we are about to load.
Fixes: "REE provided size not checked when loading TAs" as reported by Riscure.
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| 4ca89f5f | 07-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
tadb: set error condition on TA size mismatch
If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we must set an error code manually if the size check right after fails.
Fixes: "Loading from secure storage returns success with uninitialized pointer" as reported by Riscure.
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| d8e3005e | 07-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
core: initialize saved_attr
The saved_attr variable is used in the cleanup condition in the entry_open_session(..) function. The function cleanup_params(..) conditionally frees up memory based on the values from saved_attr, and therefore saved_attr must be initialized with a proper value in case the functions that are supposed to fill in correct attributes fail.
Fixes: "Use of uninitialized variable in REE exposed function" as reported by Riscure.
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| 9607c419 | 07-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
rpmb: check return value from essiv call
An error in the function essiv, for example a memory allocation failure, could result in an uninitialized IV, which means that the IV used for en/decryption would consist of data previously stored at this memory location. This could eventually corrupt the filesystem.
Fixes: "Return value of cryptographic function is unchecked" by Riscure.
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| 7e768f8a | 07-Sep-2018 |
Joakim Bech <joakim.bech@linaro.org> |
core: clear the entire TA area
Previously we cleared (memset to zero) the size corresponding to the code and data segments. However, the allocation for the TA is made at the granularity of the memory pool, meaning that we did not clear all memory, and because of that we could potentially leak code and data of a previously loaded TA.
Fixes: OP-TEE-2018-0006: "Potential disclosure of previously loaded TA code and data"
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
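Two of the TA-loading fixes above ("rpc: ensure that TA fits in allocated memory" and "core: clear the entire TA area") concern the same loader path: the REE may hand back a buffer smaller than the size it was asked for while the RPC still reports success, and the core pool hands out memory in whole granules, so clearing only the code and data segments leaves the rest of the granule holding the previous TA's bytes. The C program below is an added illustration of both checks in one simulated loader; it is not OP-TEE's code. The 4096-byte granule, the arena-backed pool, the ree_alloc_ta_buf() stand-in for the RPC, the 0xAA fill pattern and the 0x11 TA contents are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_GRANULE 4096		/* assumed pool granularity */
#define ARENA_SIZE   (4 * POOL_GRANULE)

/* Simulated core pool: one arena, pre-filled with 0xAA to stand in for the
 * code and data of a TA that was loaded into it earlier. */
static uint8_t arena[ARENA_SIZE];

static void pool_reset(void) { memset(arena, 0xAA, sizeof(arena)); }

/* The pool rounds every request up to a whole granule; the caller owns all
 * of it, not just the bytes it asked for. */
static uint8_t *pool_alloc(size_t n, size_t *granted)
{
	if (n > SIZE_MAX - (POOL_GRANULE - 1))
		return NULL;	/* rounding up would wrap */
	*granted = (n + POOL_GRANULE - 1) & ~(size_t)(POOL_GRANULE - 1);
	return *granted <= ARENA_SIZE ? arena : NULL;
}

/* Simulated RPC: the core asks the REE for `requested` bytes to hold the TA
 * image. A compromised REE can answer with less while reporting success. */
struct ree_buf { uint8_t *data; size_t size; };

static struct ree_buf ree_alloc_ta_buf(size_t requested, bool ree_lies)
{
	struct ree_buf b;

	b.size = ree_lies ? requested / 2 : requested;
	b.data = calloc(b.size ? b.size : 1, 1);
	return b;
}

enum load_status { LOAD_OK = 0, LOAD_ERR_REE_BUF_TOO_SMALL, LOAD_ERR_NO_MEMORY };

/* Load a constructed TA image of `ta_size` bytes into the pool. On success
 * *granted is the pool allocation size and *stale counts the bytes in that
 * allocation that still carry the previous occupant's 0xAA pattern. */
enum load_status load_ta(size_t ta_size, bool ree_lies, bool clear_whole,
			 size_t *granted, size_t *stale)
{
	struct ree_buf src = ree_alloc_ta_buf(ta_size, ree_lies);
	enum load_status st = LOAD_OK;
	uint8_t *dst;
	size_t i;

	if (!src.data) { st = LOAD_ERR_NO_MEMORY; goto out; }
	/* Check 1: a successful RPC allocation says nothing about its size;
	 * compare the REE-reported size with the TA size before using it. */
	if (src.size < ta_size) { st = LOAD_ERR_REE_BUF_TOO_SMALL; goto out; }

	pool_reset();
	dst = pool_alloc(ta_size, granted);
	if (!dst) { st = LOAD_ERR_NO_MEMORY; goto out; }

	/* Check 2: clear the whole granted region, not only the bytes the
	 * TA's segments occupy, or the tail keeps the old TA's bytes. */
	memset(dst, 0, clear_whole ? *granted : ta_size);

	memset(src.data, 0x11, ta_size);	/* constructed TA contents */
	memcpy(dst, src.data, ta_size);

	*stale = 0;
	for (i = 0; i < *granted; i++)
		if (dst[i] == 0xAA)
			(*stale)++;
out:
	free(src.data);
	return st;
}

/* 1 if a REE buffer half the requested size is refused, else 0. */
int short_ree_buffer_is_rejected(size_t ta_size)
{
	size_t granted, stale;
	return load_ta(ta_size, true, true, &granted, &stale) ==
	       LOAD_ERR_REE_BUF_TOO_SMALL;
}

/* Bytes of the previous TA still readable after loading ta_size bytes. */
size_t stale_bytes_after_load(size_t ta_size, bool clear_whole)
{
	size_t granted, stale = 0;
	if (load_ta(ta_size, false, clear_whole, &granted, &stale) != LOAD_OK)
		return (size_t)-1;
	return stale;
}

int main(void)
{
	printf("short REE buffer rejected: %d\n", short_ree_buffer_is_rejected(100));
	printf("stale bytes, segments only cleared: %zu\n", stale_bytes_after_load(100, false));
	printf("stale bytes, whole allocation cleared: %zu\n", stale_bytes_after_load(100, true));
	return 0;
}
```

With a 100-byte TA and a 4096-byte granule, clearing only the segment size leaves 3996 bytes of the previous occupant readable from the new TA's mapping; clearing the granted size leaves none. The same pattern applies to the tadb path in the "set error condition on TA size mismatch" commit: a size check that fails after a successful read must set an error status itself, as load_ta() does, rather than falling through with the status of the earlier call.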
| 5ee85d76 | 18-Jan-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
lockdep: fix dup_call_stack()
dup_call_stack() does not properly deal with the sentinel. Fix it.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| 4525508a | 16-Jan-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
hikey960: set CFG_CORE_BGET_BESTFIT=y
Enables the "best fit" algorithm for core memory allocation on HiKey960. This avoids occasional out-of-memory errors when running the full xtest suite (with GlobalPlatform tests).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| 7d887fc5 | 11-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
stm32mp1: init console from DTB
Get console configuration from embedded DTB when available.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 87fdf271 | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
stm32_uart: API to init console bus from a DTB
Introduce stm32_uart_init_from_dt_node() that initializes a UART device from the given DT node. The function returns the reference to the created UART instance.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| ce2d526a | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
stm32mp1: early console configuration
This change allows the OP-TEE configuration to select the UART instance used as OP-TEE console. This change also prepares a next step where the console is selected from device tree directives.
Map all secure and non-secure UARTs, only the expected virtual areas will be accessed at runtime.
The value 23 chosen for CFG_MMAP_REGIONS is more than required. As later changes will introduce new drivers, this value is expected to be affordable (memory footprint) and allows new drivers to land without needing to increment a static value.
CFG_STM32_EARLY_CONSOLE_UART also specifies the hard-coded UART interface used for the early trace console.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 28fd6edd | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
stm32mp1: minor base address cleanup
Add a few comments in platform_config.h to split the macro definitions by topic.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 107d5ec2 | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
stm32_uart: rename exported structure and add secure flag
Rename structure console_pdata into stm32_uart_pdata as it will be exported over the platform and should not use such a generic naming.
This change adds a secure flag to the UART device instance, used to get the appropriate virtual address when required. A UART bus could be used by the secure world in secure mode or in non-secure mode. A bus to a secure element likely mandates secure hardening of the UART. A debug console over a non-secure UART link may require the UART resources to be assigned to the non-secure world.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| c0cfb36c | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: dt: introduce _fdt_fill_device_info()
_fdt_fill_device_info() gets some generic properties from a given node in a single, always-successful sequence.
Retrieved device information from the DT:
- The status/secure-status state as per DT_STATUS_*,
- The first register base address found or DT_INFO_INVALID_REG (zero). If there are several register base addresses, the others are ignored.
- The first clock identifier found or DT_INFO_INVALID_CLOCK (negative).
- The first reset identifier found or DT_INFO_INVALID_RESET (negative).
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| 770b2afa | 08-Jan-2019 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: more flexible console init from DT
Introduce get_console_node_from_dt() that collects the references to the console configuration in the DTB.
Existing configure_console_from_dt() relies on it when initiating the console from the early core inits based on registered matching device tables.
get_console_node_from_dt() allows a driver probed from the driver initialization sequence (i.e. registered from driver_init()) to get the console DT directive.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
| bbdbec2e | 07-Jan-2019 |
Sumit Garg <sumit.garg@linaro.org> |
synquacer: Enable rng-pta as kernel device
Add TA_FLAG_DEVICE_ENUM flag to rng-pta header.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| 0b611081 | 07-Jan-2019 |
Sumit Garg <sumit.garg@linaro.org> |
core: pta: Add device pseudo TA
This pseudo TA enumerates OP-TEE pseudo TAs which can act as devices/services for the Linux TEE bus driver. For differentiation of such devices, an optional TA_FLAG_DEVICE_ENUM flag is added to the pseudo TA header.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| e7d24070 | 08-Jan-2019 |
Sumit Garg <sumit.garg@linaro.org> |
core: pseudo_ta: Pass null memref as valid param
The GlobalPlatform spec allows null memory reference parameters as valid, so update copy_in_params for pseudo_ta accordingly.
Also add a check for the mobj ptr being NULL before dereferencing it, as it causes a data abort in case the REE has passed a NULL buffer ptr with size > 0 as a memref param.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| a8948228 | 08-Jan-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: fix thread_excp_vect_end and literal pool
The two symbols thread_excp_vect and thread_excp_vect_end are used to mark the part of the privileged code that still has to be mapped in order to transition between user mode and privileged mode when compiled with CFG_CORE_UNMAP_CORE_AT_EL0=y.
Prior to this patch it was assumed that thread_excp_vect_end would mark the end of the thread_excp_vect() assembly function, including literals emitted by the assembler. This assumption was wrong, and an extra .pool directive is added before thread_excp_vect_end to guarantee that all literals are included in the section starting with thread_excp_vect and ending with thread_excp_vect_end.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| f01e990c | 26-Dec-2018 |
Jun Nie <jun.nie@linaro.org> |
arm: imx: add iMX7D PICO MBL board definition
This patch adds an OP-TEE port for the i.MX7D PICO for the MBED Linux OS boot flow.
BootROM -> ATF/BL2
ATF -> FIP {u-boot, OPTEE}
OPTEE -> {populates DTB overlay}
u-boot -> FIT {DTB, Kernel, initramfs}
          Merges DTB and OPTEE DTB-overlay
Linux
CFG_NS_ENTRY_ADDR = 0x87800000 is the entry point of u-boot
CFG_DT_OVERLAY = y adds DTB overlay fragments to the passed DTB
make PLATFORM=mx7dpico_mbl
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
| 100a01d5 | 28-Dec-2018 |
Lin Huang-Sen <r94922102@gmail.com> |
probe_max_it overwrites the value of GICD_ISENABLER
probe_max_it saves the original value of GICD_ISENABLER and writes 0xffffffff into GICD_ISENABLER to probe the largest interrupt number.
Instead of writing the original GICD_ISENABLER value into GICD_ISENABLER, probe_max_it writes the value into GICD_ICENABLER and causes the original GICD_ISENABLER value to be bit-flipped.
Signed-off-by: Lin Huang-Sen <r94922102@gmail.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
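The bug in the probe_max_it commit is a write-1-to-set versus write-1-to-clear mix-up: GICD_ISENABLERn and GICD_ICENABLERn read back the same enable state, but a 1 bit written to the first enables that interrupt and a 1 bit written to the second disables it. After the probe has set every bit in a register, writing the saved value into GICD_ICENABLER clears exactly the interrupts that were enabled before and leaves all the others on, which is the bit flip the commit describes. The C program below is an added reproduction of that on a simulated distributor; it is not OP-TEE's GIC driver. The register model, the 128-interrupt fixture and its enable pattern are constructed for the example, and the fixed restore shown (write the complement of the saved value to GICD_ICENABLER) is one valid way to undo the probe, not necessarily the exact line the project committed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_INTS_PER_REG 32
#define NUM_REGS         32	/* enable registers covering IDs 0..1023 */

/* Simulated distributor enable state. GICD_ISENABLERn and GICD_ICENABLERn
 * both read back the current enable bits; a 1 written to ISENABLER sets a
 * bit, a 1 written to ICENABLER clears it, and 0 bits are ignored by both.
 * Bits for unimplemented interrupts read as zero. */
struct gicd_sim {
	uint32_t enabled[NUM_REGS];
	uint32_t implemented[NUM_REGS];
};

static uint32_t rd_isenabler(const struct gicd_sim *g, size_t i) { return g->enabled[i]; }
static void wr_isenabler(struct gicd_sim *g, size_t i, uint32_t v) { g->enabled[i] |= v & g->implemented[i]; }
static void wr_icenabler(struct gicd_sim *g, size_t i, uint32_t v) { g->enabled[i] &= ~v; }

/* Find the largest implemented interrupt ID by trying to enable every
 * interrupt, reading back which bits stuck, and undoing the change.
 * buggy_restore reproduces the commit's bug: the saved value is written to
 * ICENABLER, which disables exactly the interrupts that were enabled and
 * leaves every other implemented one enabled. The fixed path clears the
 * complement of the saved value, which brings the register back as it was. */
size_t probe_max_it(struct gicd_sim *g, bool buggy_restore)
{
	int i, b;

	for (i = NUM_REGS - 1; i >= 0; i--) {
		uint32_t saved = rd_isenabler(g, i);
		uint32_t reg;

		wr_isenabler(g, i, 0xffffffff);
		reg = rd_isenabler(g, i);
		if (buggy_restore)
			wr_icenabler(g, i, saved);
		else
			wr_icenabler(g, i, ~saved);
		for (b = NUM_INTS_PER_REG - 1; b >= 0; b--)
			if (reg & (UINT32_C(1) << b))
				return (size_t)i * NUM_INTS_PER_REG + b;
	}
	return 0;
}

/* Constructed fixture: 128 implemented interrupts, a few enabled, including
 * ID 127 in the topmost implemented register (the one the probe touches). */
static void setup(struct gicd_sim *g)
{
	memset(g, 0, sizeof(*g));
	g->implemented[0] = g->implemented[1] = 0xffffffff;
	g->implemented[2] = g->implemented[3] = 0xffffffff;
	g->enabled[0] = 0x0000ffff;	/* SGIs 0-15 */
	g->enabled[1] = 0x0000f00f;	/* SPIs 32-35 and 44-47 */
	g->enabled[3] = 0x80000000;	/* SPI 127 */
}

size_t probe_result(bool buggy_restore)
{
	struct gicd_sim g;
	setup(&g);
	return probe_max_it(&g, buggy_restore);
}

/* GICD_ISENABLER3 after the probe; the fixture had only bit 31 set. */
uint32_t reg3_after_probe(bool buggy_restore)
{
	struct gicd_sim g;
	setup(&g);
	probe_max_it(&g, buggy_restore);
	return g.enabled[3];
}

/* 1 if no enable register was changed by the probe, else 0. */
int probe_preserves_state(bool buggy_restore)
{
	struct gicd_sim g, before;
	setup(&g);
	before = g;
	probe_max_it(&g, buggy_restore);
	return memcmp(g.enabled, before.enabled, sizeof(g.enabled)) == 0;
}

int main(void)
{
	printf("max IT: %zu\n", probe_result(false));
	printf("ISENABLER3 after buggy restore: 0x%08x\n", (unsigned)reg3_after_probe(true));
	printf("ISENABLER3 after fixed restore: 0x%08x\n", (unsigned)reg3_after_probe(false));
	return 0;
}
```

Both restores find the same maximum (127), which is why the bug is easy to miss: the probe's return value is correct, and only the enable state it leaves behind is wrong. With the buggy restore the topmost register ends up as 0x7fffffff, so interrupt 127 is disabled and interrupts 96 to 126 are enabled; the fixed restore leaves it at 0x80000000.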