core: arm32: initialize secure monitor late

Initialize the secure monitor as late as possible before exiting to the
normal world. This is needed in later patches where the stacks aren't
statically a

core: arm32: initialize secure monitor late

Initialize the secure monitor as late as possible before exiting to the
normal world. This is needed in later patches where the stacks aren't
statically allocated.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: thread: initialize stack canaries from recorded end-va

Continue where "core: thread: get stacks from recorded end-va" left and
initialize the stack canaries based on the recorded end-va. This

core: thread: initialize stack canaries from recorded end-va

Continue where "core: thread: get stacks from recorded end-va" left and
initialize the stack canaries based on the recorded end-va. This is
needed in later patches where the stacks aren't statically allocated.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: thread: get stacks from recorded end-va

Each stack has its end-va or top recorded in either thread_core_local[]
or threads[] as tmp_stack_va_end, abt_stack_va_end, or stack_va_end.
This addres

core: thread: get stacks from recorded end-va

Each stack has its end-va or top recorded in either thread_core_local[]
or threads[] as tmp_stack_va_end, abt_stack_va_end, or stack_va_end.
This address together with the known size of the stack is enough to
calculate all the other needed stack related addresses:
- start and end canaries,
- top and bottom of the stacks.

Add and use new internal functions to calculate these addresses and
remove the now unused macros. This is needed in later patches where the
stacks aren't statically allocated.

INIT_CANARY(), GET_START_CANARY(), and GET_END_CANARY() are kept for now
to see that the addresses for the canaries are calculated correctly in
the new functions.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: refactor boot

Introduce CFG_BOOT_INIT_THREAD_CORE_LOCAL0 to indicate that
thread_core_local[0] is initialized before the boot_init_* functions are
called.

thread_init_core_local_stacks()

core: arm: refactor boot

Introduce CFG_BOOT_INIT_THREAD_CORE_LOCAL0 to indicate that
thread_core_local[0] is initialized before the boot_init_* functions are
called.

thread_init_core_local_stacks() and thread_init_thread_core_local() are
replaced by a new version of thread_init_thread_core_local() for
CFG_BOOT_INIT_THREAD_CORE_LOCAL0=y.

Move initialization of thread_core_local[] from very early to
boot_init_primary_late() where various DTBs containing run-time
configuration are available. This will be needed in later patches when
the number of configured cores can be read from DT or some other
run-time configuration.

Move the "OP-TEE version" print and following code from
boot_init_primary_late() to boot_init_primary_final()

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: entry_a32.S: use ldr over adr

Load address of reset_vect_table using ldr r0, =reset_vect_table,
instead of adr r0 reset_vect_table to allow longer addressing range.

Signed-off-by: Jens W

core: arm: entry_a32.S: use ldr over adr

Load address of reset_vect_table using ldr r0, =reset_vect_table,
instead of adr r0 reset_vect_table to allow longer addressing range.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: plat-virt: Let CFG_RISCV_PLIC be build time configurable

RISC-V has several standard interrupt controllers supported by QEMU
virtual platform. Thus, we allow CFG_RISCV_PLIC to be overridden a

riscv: plat-virt: Let CFG_RISCV_PLIC be build time configurable

RISC-V has several standard interrupt controllers supported by QEMU
virtual platform. Thus, we allow CFG_RISCV_PLIC to be overridden at
build time while keeping the default value enabled.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: mmu: Add dynamic VA regions' mapping to page table

When optee boots, the initial mapping for MEM_AREA_RES_VASPACE and
MEM_AREA_SHM_VASPACE should be added into page tables and replicated to
al

core: mmu: Add dynamic VA regions' mapping to page table

When optee boots, the initial mapping for MEM_AREA_RES_VASPACE and
MEM_AREA_SHM_VASPACE should be added into page tables and replicated to
all CPU cores too. This fixes an issue when the VA of
MEM_AREA_RES_VASPACE or MEM_AREA_SHM_VASPACE is not in a same 1GB region
with other memory regions.

Link: https://github.com/OP-TEE/optee_os/issues/7275
Signed-off-by: Mark Zhang <markz@nvidia.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mm: fix carve_out_phys_mem()

carve_out_phys_mem() is prior to this patch not handling cases where the
memory to be carved out isn't covered entirely by the physical memory.
So fix carve_out_ph

core: mm: fix carve_out_phys_mem()

carve_out_phys_mem() is prior to this patch not handling cases where the
memory to be carved out isn't covered entirely by the physical memory.
So fix carve_out_phys_mem() to handle carving out memory that may only
overlap partially with the physical memory.

Add debug prints in core_mmu_set_discovered_nsec_ddr() to list the
non-secure RAM areas.

Fixes: 941dec3a7f6f ("core: adjust nsec ddr memory size correctly")
Fixes: 490c50dfdb33 ("core: assign non-sec DDR configuration from DT")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: mm: fix panic with TEE_SDP_TEST_MEM

The commit 2f2f69df5afe ("core: mm: replace MEM_AREA_TA_RAM") uses
MEM_AREA_SEC_RAM_OVERALL to map practically all secure memory. This
conflicts with TEE_SD

core: mm: fix panic with TEE_SDP_TEST_MEM

The commit 2f2f69df5afe ("core: mm: replace MEM_AREA_TA_RAM") uses
MEM_AREA_SEC_RAM_OVERALL to map practically all secure memory. This
conflicts with TEE_SDP_TEST_MEM where MEM_AREA_SEC_RAM_OVERALL covers
TEE_SDP_TEST_MEM and triggers a panic in verify_special_mem_areas().

The commit 1c1f8b65b5c6 ("core: mm: unify secure core and TA memory")
changed to use vaddr_to_phys() to find the physical address for
TEE_SDP_TEST_MEM_BASE. This isn't right since it refers to physical
memory only.

So fix these problems.

Fixes: 2f2f69df5afe ("core: mm: replace MEM_AREA_TA_RAM")
Fixes: 1c1f8b65b5c6 ("core: mm: unify secure core and TA memory")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-versal2: disable ARM CE v8.2

Disable the ARM CE v8.2 configuration since it is not available on the SoC.
Allow the ARM CE configuration to be overridden at build time while keeping
the default

plat-versal2: disable ARM CE v8.2

Disable the ARM CE v8.2 configuration since it is not available on the SoC.
Allow the ARM CE configuration to be overridden at build time while keeping
the default value enabled.

Signed-off-by: Amey Avinash Raghatate <AmeyAvinash.Raghatate@amd.com>
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
Acked-by: Michal Simek <michal.simek@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: stm32_risab: add .set_memory_conf ops

Add the .set_memory_conf ops to be able to reconfigure memory regions
protected by RISABs dynamically.

Factorize the RIF configuration application.

S

drivers: stm32_risab: add .set_memory_conf ops

Add the .set_memory_conf ops to be able to reconfigure memory regions
protected by RISABs dynamically.

Factorize the RIF configuration application.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_risab: rework regs_access_granted()

Rework regs_access_granted() to always authorize access to RISAB1/2
that can only be accessed by the Cortex-A35.

Also fix the sequence by isolatin

drivers: stm32_risab: rework regs_access_granted()

Rework regs_access_granted() to always authorize access to RISAB1/2
that can only be accessed by the Cortex-A35.

Also fix the sequence by isolating the case where the CID filtering is
not enabled.

Fixes: c413678c6ca6 ("drivers: stm32_risab: add RISAB internal memory firewall driver")
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: firewall: stm32_etzpc: remove header file

Remove stm32_etzpc.h header file that is not required since the
declared and defined resources are used internally in stm32_etzpc.c

By the way, al

drivers: firewall: stm32_etzpc: remove header file

Remove stm32_etzpc.h header file that is not required since the
declared and defined resources are used internally in stm32_etzpc.c

By the way, also remove inclusion of stm32mp15-etzpc.h DT bindings
header file from stm32_rng.c where it is not needed.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

core: arm: virt-aware FF-A thread_foreign_intr_exit()

thread_foreign_intr_exit() is called after the thread state has been
saved and the thread is suspended. With virtualization enabled
(CFG_NS_VIRT

core: arm: virt-aware FF-A thread_foreign_intr_exit()

thread_foreign_intr_exit() is called after the thread state has been
saved and the thread is suspended. With virtualization enabled
(CFG_NS_VIRTUALIZATION=y) the virt_unset_guest() is also called. After
this, the guests thread contexts aren't available any longer. For FF-A
thread_foreign_intr_exit() needs a few fields from the suspend threads
context so extract those before suspending the thread and pass them as
parameters for thread_foreign_intr_exit().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: __nex-annotate nexus rxtx buffer

Add __nex_bss and __nex_data annotations for the rxtx buffers used in a
configuration with SPMC at S-EL2 or EL3.

Signed-off-by: Jens Wiklander <jens.wikl

core: ffa: __nex-annotate nexus rxtx buffer

Add __nex_bss and __nex_data annotations for the rxtx buffers used in a
configuration with SPMC at S-EL2 or EL3.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: initcall.h: make boot_final() last final call

Make the boot_final() call last among the final call, that is, after the
xen_*_init*() calls. spmc_init() accesses the manifest_fd so it must be
c

core: initcall.h: make boot_final() last final call

Make the boot_final() call last among the final call, that is, after the
xen_*_init*() calls. spmc_init() accesses the manifest_fd so it must be
called before release_manifest_dt() removes it.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: virt-aware spmc_init() for SPMC at S-EL2/EL3

Call virt_add_guest_spec_data() for the struct notif_vm_bitmap to make
it accessible from notif_send_async().

Signed-off-by: Jens Wiklander <

core: ffa: virt-aware spmc_init() for SPMC at S-EL2/EL3

Call virt_add_guest_spec_data() for the struct notif_vm_bitmap to make
it accessible from notif_send_async().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: boot: enable native interrupts before initcalls

Enable native interrupts on Arm architectures when executing
initcalls (early,service,driver,final). This change allows drivers
to leverage

core: arm: boot: enable native interrupts before initcalls

Enable native interrupts on Arm architectures when executing
initcalls (early,service,driver,final). This change allows drivers
to leverage interrupts during OP-TEE core initialization, as for example
detecting a firewall access violation when it occurs. Before this change,
OP-TEE needed to complete its initialization and return the secure
monitor for secure interrupts to be handled.

Note that when CFG_NS_VIRTUALIZATION is enabled, initcalls called from
virt_on_stdcall() is not changed here since they are executing from a
standard call entry hence with native and foreign interrupts already
default unmasked.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-k3: Add initial support for AM62Lx SoC

AM62Lx newest among on the K3 class of SoCs designed to be low footprint
system where DDR can be as small as 128M. Hence, move the DDR location
to the beg

plat-k3: Add initial support for AM62Lx SoC

AM62Lx newest among on the K3 class of SoCs designed to be low footprint
system where DDR can be as small as 128M. Hence, move the DDR location
to the beginning of DDR right after TF-A.

Disable TI SCI, secure boot info and HW unique ID support for now, they
will be incrementally at later point in time as the underlying
communication layer is different than AM62x.

Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Dhruva Gole <d-gole@ti.com>

show more ...

core: fail build when CFG_INSECURE=n used with unsafe RNG seed

A production build needs a proper RNG seed. Fail the build when
CFG_INSECURE=n is used in conjunction with the default weak stub
implem

core: fail build when CFG_INSECURE=n used with unsafe RNG seed

A production build needs a proper RNG seed. Fail the build when
CFG_INSECURE=n is used in conjunction with the default weak stub
implementation of plat_rng_init().

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fail build when CFG_INSECURE=n used with zero HUK

CFG_INSECURE=n indicates the build may be used for production. In this
environment using the zero HUK in inappropriate, so fail the build
in t

core: fail build when CFG_INSECURE=n used with zero HUK

CFG_INSECURE=n indicates the build may be used for production. In this
environment using the zero HUK in inappropriate, so fail the build
in this case.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: gic: minor coding style fixes

Fix minor issues coding style issue for uninitialized local variable
and trace message formatting. No functional change.

Signed-off-by: Etienne Carriere <etie

drivers: gic: minor coding style fixes

Fix minor issues coding style issue for uninitialized local variable
and trace message formatting. No functional change.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt: explicit dt_get_irq handler expects big endian data

Explicit that struct itr_chip::dt_get_irq handler expects a reference
to an array of big-endian properties. This was implicitly t

core: interrupt: explicit dt_get_irq handler expects big endian data

Explicit that struct itr_chip::dt_get_irq handler expects a reference
to an array of big-endian properties. This was implicitly told before
since DTB format is big-endian.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt: fix interrupt_create_handler() description

Correct inline description comment of interrupt_create_handler()
that referred deprecated API function labels dt_get_interrupt_by_*()
and

core: interrupt: fix interrupt_create_handler() description

Correct inline description comment of interrupt_create_handler()
that referred deprecated API function labels dt_get_interrupt_by_*()
and mention argument itr_desc that was reaplce with the 2 arguments
itr_chip and itr_num.

By the way, indent functions argument description for consistency
with the other function inline description comments in this header file.

Fixes: e9376d025eb5 ("core: interrupt: add interrupt_create_handler()")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt: enhance registered controller chips validity

Enhance assertion of interrupt chip validity using itr_chip_is_valid()
helper function instead of only testing the chip handle is not nu

core: interrupt: enhance registered controller chips validity

Enhance assertion of interrupt chip validity using itr_chip_is_valid()
helper function instead of only testing the chip handle is not null.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...