arm32: enable ACTLR_CA8_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA8_ENABLE_INVALIDATE_BTB (ACTLR[6]) in generic boot if
compiled with CFG_CORE_WORKAROUND_SPECTRE_BP or
CFG_CORE_WORKAROUND_SPECTRE_BP_SEC

arm32: enable ACTLR_CA8_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA8_ENABLE_INVALIDATE_BTB (ACTLR[6]) in generic boot if
compiled with CFG_CORE_WORKAROUND_SPECTRE_BP or
CFG_CORE_WORKAROUND_SPECTRE_BP_SEC and the cpu is discovered to be
Cortex-A8.

Fixes CVE-2017-5715
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mmu: protect global asid field with a lock

Protects the global ASID bitfield (g_asid) with a spinlock.

Fixes: 99f969dd6c99 ("core: fine grained tee_ta_mutex locking")
Reviewed-by: Volodymyr B

core: mmu: protect global asid field with a lock

Protects the global ASID bitfield (g_asid) with a spinlock.

Fixes: 99f969dd6c99 ("core: fine grained tee_ta_mutex locking")
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Hikey)

show more ...

core: fix handling of NULL memory references by Internal Client API

GlobalPlatform TEE Internal Core API v1.1.2 section 4.9.4 states that
parameters of type *_MEMREF_* can have memref.buffer == NULL

core: fix handling of NULL memory references by Internal Client API

GlobalPlatform TEE Internal Core API v1.1.2 section 4.9.4 states that
parameters of type *_MEMREF_* can have memref.buffer == NULL, provided
that memref.size is zero.

The corresponding test in tee_svc_copy_param() is backwards, so reverse
it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Kevin Peng <kevinp@marvell.com>
Link: https://github.com/OP-TEE/optee_os/issues/2105
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Tested-by: Kevin Peng <kevinp@marvell.com>

show more ...

Revert "core: fine grained tee_ta_mutex locking"

Commit 99f969dd6c99 ("core: fine grained tee_ta_mutex locking") fixes a
deadlock that can occur if a TA is loaded while not enough page tables
are av

Revert "core: fine grained tee_ta_mutex locking"

Commit 99f969dd6c99 ("core: fine grained tee_ta_mutex locking") fixes a
deadlock that can occur if a TA is loaded while not enough page tables
are available in pgt_cache to map the context. But it also splits up a
big critical section and there's obviously a few hidden dependencies
towards tee_ta_mutex causing stability issues with the pager. Running
'while xtest 1013; do true; done' in AArch64 with at least three
threads running in parallel will ultimately fail.

Therefore, revert the fine grained locking commit until the race
conditions are sorted out.

Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

secstor: fix memory leak in install_ta()

If signature check failed, we need to close tadb session first.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Forissier <jer

secstor: fix memory leak in install_ta()

If signature check failed, we need to close tadb session first.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: prevent crash in tee_mmu_final() on TA loading error

If the creation of the TA execution context fails before the mapping
directives are initialized, tee_mmu_final() will be called with the TA

core: prevent crash in tee_mmu_final() on TA loading error

If the creation of the TA execution context fails before the mapping
directives are initialized, tee_mmu_final() will be called with the TA
context field mmu being NULL.

This change allows tee_mmu_final() to be called with uninitialized
mapping resources without crashing the core.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix reference counting in tee_tadb_open()

Fixes reference counting error in tee_tadb_open() that was exposed by
commit 99f969dd6c99 ("core: fine grained tee_ta_mutex locking")

Fixes: 5baee69a

core: fix reference counting in tee_tadb_open()

Fixes reference counting error in tee_tadb_open() that was exposed by
commit 99f969dd6c99 ("core: fine grained tee_ta_mutex locking")

Fixes: 5baee69a0140 ("core: add tadb")
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU v7)
Reported-by: Andrew Davis <andrew.davis@linaro.org>
Tested-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey: Enable cache APIs for hikey platform.

When decrypting into SDP buffers TA's like Playready
and Widevine need to be able to flush the cache.

Signed-off-by: Peter Griffin <peter.griffin@linaro

hikey: Enable cache APIs for hikey platform.

When decrypting into SDP buffers TA's like Playready
and Widevine need to be able to flush the cache.

Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ltc: ctr: update pt and ct after acceleration

Problem occurs in the condition of the following case:

1st decryption:
Decrypt a ciphertext whose length is a multiple of the block size (16B)
(len = n

ltc: ctr: update pt and ct after acceleration

Problem occurs in the condition of the following case:

1st decryption:
Decrypt a ciphertext whose length is a multiple of the block size (16B)
(len = n * block_size)
2nd decryption:
Decrypt the continuing ciphertext whose length is not a multiple of the
block size
(len = m * block_size + l)

In this case accel_ctr_encrypt() is firstly used at the 2nd decryption.
If pt and ct are not updated, the top (l = len % block_size) bytes of
decryption result are sometimes destroyed.

Signed-off-by: Tetsuya Yoshizaki <yoshizaki.tetsuya@socionext.com>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Link: https://github.com/libtom/libtomcrypt/commit/d1d3ae2d1e70

show more ...

core: fine grained tee_ta_mutex locking

Changes TA loading and session initialization to use fine grained locking
based on the tee_ta_mutex.

This avoids a potential dead lock with PGT cache where w

core: fine grained tee_ta_mutex locking

Changes TA loading and session initialization to use fine grained locking
based on the tee_ta_mutex.

This avoids a potential dead lock with PGT cache where we're waiting for
new page tables with tee_ta_mutex locked, which prevents
tee_ta_close_session() to indirectly return any page tables.

This change also removes the last really big critical section. With this
TAs can be loaded in parallel.

Reported-by: Zhizhou Zhang <zhizhouzhang@asrmicro.com>
Tested-by: Zhizhou Zhang <zhizhouzhang@asrmicro.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_svc.c: stop using tee_ta_mutex

A MOBJ handles serialization internally so there's no need to acquire
tee_ta_mutex before freeing or allocating a MOBJ.

Acked-by: Jerome Forissier <jerome.f

core: tee_svc.c: stop using tee_ta_mutex

A MOBJ handles serialization internally so there's no need to acquire
tee_ta_mutex before freeing or allocating a MOBJ.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Fix compiler warning with register_sdp_mem()

Fixes the following warning/error when CFG_SECURE_DATA_PATH is disabled:

$ make PLATFORM=hikey CFG_SECURE_DATA_PATH=n
...
core/arch/arm/mm/core_mmu.c

Fix compiler warning with register_sdp_mem()

Fixes the following warning/error when CFG_SECURE_DATA_PATH is disabled:

$ make PLATFORM=hikey CFG_SECURE_DATA_PATH=n
...
core/arch/arm/mm/core_mmu.c:90:61: error: ISO C does not allow extra ';' outside of a function [-Werror=pedantic]
register_sdp_mem(CFG_TEE_SDP_MEM_BASE, CFG_TEE_SDP_MEM_SIZE);
^
cc1: all warnings being treated as errors

Fixes: 2d9ed57b6bd8 ("Define register_sdp_mem() only when CFG_SECURE_DATA_PATH is defined")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove support for Allwinner A80 platform (plat-sunxi)

It has been almost three years since we have heard about plat-sunxi
(no new contributions, no patch ack'ed or tested, no feedback at
release ti

Remove support for Allwinner A80 platform (plat-sunxi)

It has been almost three years since we have heard about plat-sunxi
(no new contributions, no patch ack'ed or tested, no feedback at
release time). Therefore, remove support for this platform.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
CC: Sun Yangbang <sunny@allwinnertech.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: sm: init CNTVOFF

There is an property "arm,cpu-registers-not-fw-configured" in Linux side,
that could workaround the issue that firmare initialize CNTVOFF.

But if use that property, virtuali

arm32: sm: init CNTVOFF

There is an property "arm,cpu-registers-not-fw-configured" in Linux side,
that could workaround the issue that firmare initialize CNTVOFF.

But if use that property, virtualization support will be break in linux.

Also without CNTVOFF or that property no defined, kernel could not
boot up on i.MX7D with two cores.

So we init CNTVOFF in OP-TEE to make kernel work well.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

tzc380: export more api

Introduce tzc_security_inversion_en tzc_enable_region tzc_fail_dump and
tzc_int_clear.

When we want to block secure access to region configured TZC_ATTR_SP_NS_RW,
need to us

tzc380: export more api

Introduce tzc_security_inversion_en tzc_enable_region tzc_fail_dump and
tzc_int_clear.

When we want to block secure access to region configured TZC_ATTR_SP_NS_RW,
need to use tzc_security_inversion_en.

Sometimes we need to configure the regions first, then enable the
region.

tzasc380 interrupt could be enabled to catch some illegal access
with tzc_fail_dump and tzc_int_clear.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

tzc380: do not write reserved bits

For region0, only SP is configurable, so should not configure
region low/high.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander

tzc380: do not write reserved bits

For region0, only SP is configurable, so should not configure
region low/high.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add pseudo-TA for retrieve sdp physical address

Add a pseudo-TA to convert a Secure Data Path virtual address to
physical address. May only be called by a TA that has
TA_FLAG_SECURE_DATA_PATH.

core: add pseudo-TA for retrieve sdp physical address

Add a pseudo-TA to convert a Secure Data Path virtual address to
physical address. May only be called by a TA that has
TA_FLAG_SECURE_DATA_PATH.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Edison Ai <edison.ai@arm.com> (Juno)
Signed-off-by: Edison Ai <edison.ai@arm.com>

show more ...

Define register_sdp_mem() only when CFG_SECURE_DATA_PATH is defined

Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-o

Define register_sdp_mem() only when CFG_SECURE_DATA_PATH is defined

Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm32: sm_a32.S: fix assembly errors

Fixes assembly error:
AS out/arm/core/arch/arm/sm/sm_a32.o
core/arch/arm/sm/sm_a32.S: Assembler messages:
core/arch/arm/sm/sm_a32.S:354: Error: invalid con

core: arm32: sm_a32.S: fix assembly errors

Fixes assembly error:
AS out/arm/core/arch/arm/sm/sm_a32.o
core/arch/arm/sm/sm_a32.S: Assembler messages:
core/arch/arm/sm/sm_a32.S:354: Error: invalid constant (c08) after fixup
core/arch/arm/sm/sm_a32.S:356: Error: invalid constant (c09) after fixup
core/arch/arm/sm/sm_a32.S:358: Error: invalid constant (c0e) after fixup
core/arch/arm/sm/sm_a32.S:363: Error: invalid constant (c0f) after fixup
mk/compile.mk:146: recipe for target 'out/arm/core/arch/arm/sm/sm_a32.o' failed

Fixes: 2ac6322d1ab1 ("core: arm32: sm: runtime selection of spectre workaround")
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (QEMU v7)
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64.S: spectre workaround

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions originating in secure EL0
(secure user space).

Fixes

core: arm64.S: spectre workaround

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions originating in secure EL0
(secure user space).

Fixes CVE-2017-5715

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: thread: update vector relative to vbar

With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use
the minimal kernel mapping during user space execution. With this patch
v

core: arm64: thread: update vector relative to vbar

With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use
the minimal kernel mapping during user space execution. With this patch
vbar is updated relative to previous value in vbar to allow different
exception vectors for different cpu types.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: pad vector with illegal instruction

Pads exception vector with an illegal instruction to improve robustness.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by:

core: arm64: pad vector with illegal instruction

Pads exception vector with an illegal instruction to improve robustness.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread_a64.S: cleanup vector entries

Renames the labels in the exception vector to use consistent lower case
names.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by:

core: thread_a64.S: cleanup vector entries

Renames the labels in the exception vector to use consistent lower case
names.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm.h: move midr definitions

Moves MIDR definitions from arm32.h to arm.h

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: arm32: thread: invalidate branch predictor

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions.

Fixes CVE-2017-5715

Tested-by: Jerom

core: arm32: thread: invalidate branch predictor

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions.

Fixes CVE-2017-5715

Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...