core: msg_param: remove unused functions

Removes the unused functions msg_param_init_memparam() and
msg_param_get_buf_size().

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jero

core: msg_param: remove unused functions

Removes the unused functions msg_param_init_memparam() and
msg_param_get_buf_size().

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use struct thread_param for RPC

Use struct thread_param as an abstraction of the parameters used for
RPC.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <

core: use struct thread_param for RPC

Use struct thread_param as an abstraction of the parameters used for
RPC.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

LTC: drop LTC_NO_ASM and configure

Drops LTC_NO_ASM and configures endian and word size accordingly, that
is, little endian and 32-bit or 64-bit depending on arm architecture.

Defines ulong32 and u

LTC: drop LTC_NO_ASM and configure

Drops LTC_NO_ASM and configures endian and word size accordingly, that
is, little endian and 32-bit or 64-bit depending on arm architecture.

Defines ulong32 and ulong64 based on uint32_t and uint64_t to make
sure that the types are always defined correctly.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: switch to mbedtls for bignum

Adds a mpi_desc.c wrapper to LTC in order to enable usage of bignum
(mpi) routines from mbedtls.

CFG_MBEDTLS_MPI=y (default y) builds the bignum routines for mbed

core: switch to mbedtls for bignum

Adds a mpi_desc.c wrapper to LTC in order to enable usage of bignum
(mpi) routines from mbedtls.

CFG_MBEDTLS_MPI=y (default y) builds the bignum routines for mbedtls and
also enables their usage in LTC and by that replaces libmpa for
privileged mode usage.

User mode TAs still use libmpa.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Move __early_ta from <compiler.h> to <kernel/early_ta.h>

The __early_ta macro is used only in C files generated by
scripts/ta_bin_to_c.py. There is no reason to have it defined in a widely
used head

Move __early_ta from <compiler.h> to <kernel/early_ta.h>

The __early_ta macro is used only in C files generated by
scripts/ta_bin_to_c.py. There is no reason to have it defined in a widely
used header like <compiler.h>.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: force read-only flag on .rodata.* sections

This commit fixes a warning with GCC 8.2 that did not occur with GCC 6.2:

$ make out/arm-plat-vexpress/core/arch/arm/kernel/user_ta.o
CHK ou

core: force read-only flag on .rodata.* sections

This commit fixes a warning with GCC 8.2 that did not occur with GCC 6.2:

$ make out/arm-plat-vexpress/core/arch/arm/kernel/user_ta.o
CHK out/arm-plat-vexpress/conf.mk
CHK out/arm-plat-vexpress/include/generated/conf.h
CHK out/arm-plat-vexpress/core/include/generated/asm-defines.h
CC out/arm-plat-vexpress/core/arch/arm/kernel/user_ta.o
{standard input}: Assembler messages:
{standard input}:4087: Warning: setting incorrect section attributes for .rodata.__unpaged

The message is printed as the assembler processes this code fragment,
generated by the C compiler:

.section .rodata.__unpaged,"aw"

The older compiler (GCC 6.2) would generate instead:

.section .rodata.__unpaged,"a",%progbits

The problem with .rodata.__unpaged,"aw" is that the "w" (writeable) flag
is not consistent with the section name (.rodata.*), which by convention
is supposed to be read-only.

- The section name (".rodata.__unpaged") is given by our macro:
__rodata_unpaged.
- The "w" flag is added by GCC, not sure why exactly. One reason [1] is
when a relocatable binary is being generated and the structure contains
relocatable data. But, we are not explicitly asking for a relocatable
binary, so this might as well be a bug or counter-intuitive feature of
the compiler.

Anyway, to avoid the warning, we need to fix the section flags. The
section type (%progbits) is optional, it is deduced from the section name
by default. %progbits indicates that the section contains data (i.e., is
not empty).

Link: [1] https://gcc.gnu.org/ml/gcc/2004-05/msg01016.html
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

libfdt: Move to version v1.4.6-9

This import adds FDT overlay plus brings in the latest bugfixes upstream.

As noted in the below url, there is a performance problem with 1.4.7 so we
target version

libfdt: Move to version v1.4.6-9

This import adds FDT overlay plus brings in the latest bugfixes upstream.

As noted in the below url, there is a performance problem with 1.4.7 so we
target version 1.4.6-9 instead.

https://github.com/ARM-software/arm-trusted-firmware/pull/1657

Upstream commit aadd0b65c987 ("checks: centralize printing of property
names in failure messages")

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Suggested-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: GICv3: Handle group 1 secure interrupts

As per GICv3 architecture specification (Section 4.6 Interrupt grouping),
secure EL1 (Trusted OS) handles secure group 1 physical interrupts and
EL3

drivers: GICv3: Handle group 1 secure interrupts

As per GICv3 architecture specification (Section 4.6 Interrupt grouping),
secure EL1 (Trusted OS) handles secure group 1 physical interrupts and
EL3 handles group 0 physical interrupts which are considered as FIQs
(foreign interrupt) for Trusted OS.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (FVP)
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

synquacer: Set default number of threads to 8

Synquacer is 24 core system but 24 threads seems to be overkill in
terms of memory usage. So kept it to 8 threads for now.

Acked-by: Jerome Forissier <

synquacer: Set default number of threads to 8

Synquacer is 24 core system but 24 threads seems to be overkill in
terms of memory usage. So kept it to 8 threads for now.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

tee_time_arm_cntpct.c: remove mpa.h dependency

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: move initialization of common mobjs

Moves initialization of mobj_sec_ddr and mobj_tee_ram to mobj.c.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <je

core: move initialization of common mobjs

Moves initialization of mobj_sec_ddr and mobj_tee_ram to mobj.c.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ltc: move all bignum functions to mpa_desc.c

Moves all crypto_bignum*() functions from tee_ltc_provider.c to
mpa_desc.c in order to contain libmpa dependencies.

Reviewed-by: Jerome Forissier <jerom

ltc: move all bignum functions to mpa_desc.c

Moves all crypto_bignum*() functions from tee_ltc_provider.c to
mpa_desc.c in order to contain libmpa dependencies.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ltc: rename tomcrypt_mpa.h to tomcrypt_mp.h

Renames tomcrypt_mpa.h to tomcrypt_mp.h in order to make it
implementation neutral.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-of

ltc: rename tomcrypt_mpa.h to tomcrypt_mp.h

Renames tomcrypt_mpa.h to tomcrypt_mp.h in order to make it
implementation neutral.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ltc: move external_mem_pool to mpa_desc.c

Moves all initialization of external_mem_pool to mpa_desc.c and also
makes external_mem_pool static as there's no external references.

Reviewed-by: Jerome

ltc: move external_mem_pool to mpa_desc.c

Moves all initialization of external_mem_pool to mpa_desc.c and also
makes external_mem_pool static as there's no external references.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove thread_{add,rem}_mutex()

With the recently merged lockdep patches thread_add_mutex() and
thread_rem_mutex() are obsolete. Remove them to save memory and
overhead.

Acked-by: Jerome Fori

core: remove thread_{add,rem}_mutex()

With the recently merged lockdep patches thread_add_mutex() and
thread_rem_mutex() are obsolete. Remove them to save memory and
overhead.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix compile error with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=n

Fixes compile error:
CC ../out-os-qemu/core/arch/arm/mm/tee_mm.o
core/arch/arm/kernel/thread.c:984:16: error: ‘select_vector’

core: fix compile error with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=n

Fixes compile error:
CC ../out-os-qemu/core/arch/arm/mm/tee_mm.o
core/arch/arm/kernel/thread.c:984:16: error: ‘select_vector’ defined but not used [-Werror=unused-function]
static vaddr_t select_vector(vaddr_t a)
^~~~~~~~~~~~~
cc1: all warnings being treated as errors

when compiled with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=n

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

unwind: remove useless #if defined(CFG_UNWIND)

unwind_arm32.c and unwind_arm64.c are only compiled when CFG_UNWIND=y so
there is no need to check that flag again.

Signed-off-by: Jerome Forissier <j

unwind: remove useless #if defined(CFG_UNWIND)

unwind_arm32.c and unwind_arm64.c are only compiled when CFG_UNWIND=y so
there is no need to check that flag again.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: instrument mutexes with lockdep

Implements lockdep hooks for mutexes. CFG_LOCKDEP is disabled by default,
because it causes a noticeable slowdown (plain xtest runs 2-4x slower).

Tested-by: Je

core: instrument mutexes with lockdep

Implements lockdep hooks for mutexes. CFG_LOCKDEP is disabled by default,
because it causes a noticeable slowdown (plain xtest runs 2-4x slower).

Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, HiKey960)
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

unwind: remove debug messages

The debug messages "vsp out of bounds" (arm32) or "FP out of bounds"
(arm64) are shown quite often when call stacks are captured (observed when
running the lockdep algo

unwind: remove debug messages

The debug messages "vsp out of bounds" (arm32) or "FP out of bounds"
(arm64) are shown quite often when call stacks are captured (observed when
running the lockdep algorithm on mutexes for instance). The call stacks
look fine nonetheless. So, remove these traces.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce lockdep algorithm

This commit introduces an algorithm that may be used to detect improper
usage of locks at runtime. It can detect two kinds errors:

1. A thread tries to release a

core: introduce lockdep algorithm

This commit introduces an algorithm that may be used to detect improper
usage of locks at runtime. It can detect two kinds errors:

1. A thread tries to release a lock it does not own,
2. A thread tries to aquire a lock and the operation could *potentially*
result in a deadlock.

The potential deadlock detection assumes that the code adheres to a strict
locking hierarchy, in other word, that there is a partial ordering on the
locks so that there can be no situation where circular waits can occur. To
put things simply, any two locks should be acquired in the same order in
the same thread. This addresses the following case:

[Thread #1] [Thread #2]

lock(A)
lock(B)
lock(B)
lock(A) <-- deadlock!
...

The algorithm builds the lock hierarchy dynamically and reports as soon as
a violation is detected.

The interface is made of two functions: lockdep_lock_acquire() and
lockdep_lock_release(), which are meant to be introduced in the
implementation of the actual lock objects. The "acquire" hook tells the
algorithm that a particular lock is about to be requested by a particular
thread, while the "release" hook is meant to be called before the lock is
actually released. If an error is detected, debugging information is sent
to the console, and panic() is called. The debugging information includes
the lock cycle that was detected (in the above example, {A, B}), as well
as the call stacks at the points where the locks were acquired.

The good thing with such an instrumentation of the locking code is that
there is no need to wait for an actual deadlock to occur in order to
detect potential problems. For instance, the timing of execution in the
above example could be different but the problem would still be detected:

[Thread #1] [Thread #2]

lock(A)
lock(B)
unlock(B)
unlock(A)
lock(B)
lock(A) <-- error!

A pseudo-TA is added for testing (pta/core_lockdep_tests.c).

This code is based on two sources:
- A presentation called "Dl-Check: dynamic potential deadlock detection
tool for Java programs" [1], although the somewhat complex MNR algorithm
for topological ordering of a DAG was not used;
- A depth-first search algorithm [2] was used instead.

Link: [1] https://www.slideshare.net/IosifItkin/tmpa2017-dlcheck-dynamic-potential-deadlock-detection-tool-for-java-programs
Link: [2] https://en.wikipedia.org/wiki/Topological_sorting#Depth-first_search
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add unw_get_kernel_stack()

Adds a function to obtain the current kernel call stack as an array.
This is useful for debugging code which may need to record the call stack
at various point of th

core: add unw_get_kernel_stack()

Adds a function to obtain the current kernel call stack as an array.
This is useful for debugging code which may need to record the call stack
at various point of the kernel execution.

Depends on CFG_UNWIND=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: group self tests together

Avoid repeating $(CFG_TEE_CORE_EMBED_INTERNAL_TESTS) for each core
self-test source file by using a ifeq block. In addition to making things
shorter, it is now e

core: pta: group self tests together

Avoid repeating $(CFG_TEE_CORE_EMBED_INTERNAL_TESTS) for each core
self-test source file by using a ifeq block. In addition to making things
shorter, it is now easier to introduce conditional tests which would
otherwise need one ifeq per feature to be tested: we can simply use
src-$(CFG_FOO) += core_foo_tests.c.

No functional change.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj.c: sort #includes

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

drivers: imx_uart: avoid hang if UART is disabled

Avoid indefinite hangs by not writing to the UART if it's disabled.
If the UART is disabled, the write and flush routines will hang
indefinitely whi

drivers: imx_uart: avoid hang if UART is disabled

Avoid indefinite hangs by not writing to the UART if it's disabled.
If the UART is disabled, the write and flush routines will hang
indefinitely which can be difficult to debug.

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

show more ...

drivers: imx_uart: ensure space in TX UART before writing

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>