core:mmu: fix userland va2pa conversion

This change takes care that the offset in granule of the target
address to be converted is not added twice when computing the
address physical page based on t

core:mmu: fix userland va2pa conversion

This change takes care that the offset in granule of the target
address to be converted is not added twice when computing the
address physical page based on the memory object reference.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core:unwind: check user context on stack print of panicked TAs

This change checks that the userland context pointer is valid before
reading its content.

Note that this change only lowers the chance

core:unwind: check user context on stack print of panicked TAs

This change checks that the userland context pointer is valid before
reading its content.

Note that this change only lowers the chance of malformed TA being
able to crash core or access core memory using crafted context
reference. The stack unwind process being executed from kernel land,
a real fix could require each stack unwind step to verify the memory
references before going further in the execution history.

Therefore this change does not fix the vulnerability of current
TA stack unwind process against core/TA isolation.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: map PTA registered shared memory late

Normal registered dynamic shared memory objects are not mapped into
OP-TEE OS memory space as that memory normally only is used in normal
(user) TAs.

If

core: map PTA registered shared memory late

Normal registered dynamic shared memory objects are not mapped into
OP-TEE OS memory space as that memory normally only is used in normal
(user) TAs.

If a Pseudo TA is invoked from a user TA it will use the mapping already
activated for the user TA and can easily access everything the user TA
can access, including buffers passed in parameters for the user TA.

However, if a Pseudo TA is invoked directly from a non-secure client
there is no user TA mapping to share, instead memory buffer passed
in parameters has to be mapped directly.

With this patch registered shared memory buffer passed from a non-secure
client are mapped if needed before invoking the Pseudo TA.

Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_virt/armv8, b2260)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: reimplement mobj_mapped_shm_alloc()

Now that normal registered shared memory (created with
mobj_reg_shm_alloc()) can be mapped the MOBJ type struct mobj_mapped_shm
is redundant.

With this pat

core: reimplement mobj_mapped_shm_alloc()

Now that normal registered shared memory (created with
mobj_reg_shm_alloc()) can be mapped the MOBJ type struct mobj_mapped_shm
is redundant.

With this patch mobj_mapped_shm_alloc() is reimplemented using
mobj_reg_shm_alloc() and mobj_reg_shm_map().

struct mobj_mapped_shm and all associated functions and variables are
removed.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add mobj_reg_shm_{,un}map()

Adds mobj_reg_shm_map() and mobj_reg_shm_unmap() operating on MOBJs
created with mobj_reg_shm_alloc(), also know as registered shared
memory.

mobj_reg_shm_alloc()

core: add mobj_reg_shm_{,un}map()

Adds mobj_reg_shm_map() and mobj_reg_shm_unmap() operating on MOBJs
created with mobj_reg_shm_alloc(), also know as registered shared
memory.

mobj_reg_shm_alloc() maps the described shared memory into OP-TEE OS
memory space, mobj_reg_shm_unmap() unmaps the same memory again.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj: remove double physical offset

Removes the double bookkeeping of physical offset into first physical
page of a MOBJ. Now all the different offsets are needed to calculate
the final offset

core: mobj: remove double physical offset

Removes the double bookkeeping of physical offset into first physical
page of a MOBJ. Now all the different offsets are needed to calculate
the final offset.

Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj: add mobj_get_phys_offs()

Adds mobj_get_phys_offs() which returns the physical offset into the
first physical page/section of a MOBJ.

Reviewed-by: Etienne Carriere <etienne.carriere@lina

core: mobj: add mobj_get_phys_offs()

Adds mobj_get_phys_offs() which returns the physical offset into the
first physical page/section of a MOBJ.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add Marvell platform with initial support for ARMADA A7K & A8K

Only tested 64-bit mode with default configurations:

1. build command
make PLATFORM=marvell-armada7080 CFG_ARM64_core=y
2. Passed

Add Marvell platform with initial support for ARMADA A7K & A8K

Only tested 64-bit mode with default configurations:

1. build command
make PLATFORM=marvell-armada7080 CFG_ARM64_core=y
2. Passed xtest

Signed-off-by: Kevin Peng <kevinp@marvell.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-stm: support registered shm buffers

CFG_DDR_SECURE_BASE/_SIZE can be used to define the DDR range reserved
to secure side. This can be larger than the TEETZ reserved memory.
If CFG_DDR_SECURE_B

plat-stm: support registered shm buffers

CFG_DDR_SECURE_BASE/_SIZE can be used to define the DDR range reserved
to secure side. This can be larger than the TEETZ reserved memory.
If CFG_DDR_SECURE_BASE/_SIZE is defined, plat-stm registers the
non-secure external memory to support dynamic shm registering.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core:sdp: fix SDP test pseudo-TA against dynamic shm

Physical memory typed CORE_MEM_NSEC_SHM belong to the default
contiguous shm memory. Since dynamic SHM, now non secure memory
reference can be ou

core:sdp: fix SDP test pseudo-TA against dynamic shm

Physical memory typed CORE_MEM_NSEC_SHM belong to the default
contiguous shm memory. Since dynamic SHM, now non secure memory
reference can be outside the default NSEC_SHM, hence check
non secure reference using CORE_MEM_NON_SEC type instead of
CORE_MEM_NSEC_SHM.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: add non-secure DDR configuration

This patch adds non-secure DDR ranges for salvator-h3 and
salvator-m3 boards.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wi

plat-rcar: add non-secure DDR configuration

This patch adds non-secure DDR ranges for salvator-h3 and
salvator-m3 boards.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: add initial support for salvator-m3 board

Prior to this patch OP-TEE was able to run only at salvator-h3 board
(but it worked on salvator-m3 too, only by coincidence).

Signed-off-by: Vol

plat-rcar: add initial support for salvator-m3 board

Prior to this patch OP-TEE was able to run only at salvator-h3 board
(but it worked on salvator-m3 too, only by coincidence).

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rcar: force CFG_CORE_LARGE_PHYS_ADDR

On RCAR3 platform most of the DRAM is mapped over 4GB, so it needs
LPE enabled with 32-bit builds.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com

plat-rcar: force CFG_CORE_LARGE_PHYS_ADDR

On RCAR3 platform most of the DRAM is mapped over 4GB, so it needs
LPE enabled with 32-bit builds.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pager: allow TA unwind when cause of unwind is not abort

It is perfectly safe to run the call stack unwinding code on a paged TA
as long as we're not processing an abort. Adjust __abort_print()
acco

pager: allow TA unwind when cause of unwind is not abort

It is perfectly safe to run the call stack unwinding code on a paged TA
as long as we're not processing an abort. Adjust __abort_print()
accordingly.
Prior to this patch, the call stack was missing from TA panics if pager
was enabled.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-vexpress: juno: add missing DRAM1

Defines missing DRAM1 base 0x880000000 size 0x180000000 for Juno.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wik

plat-vexpress: juno: add missing DRAM1

Defines missing DRAM1 base 0x880000000 size 0x180000000 for Juno.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-vexpress: fvp: add missing DRAM1

Defines missing DRAM1 base 0x880000000 size 0xa00000000 for FVP.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wi

plat-vexpress: fvp: add missing DRAM1

Defines missing DRAM1 base 0x880000000 size 0xa00000000 for FVP.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add register_phys_mem_ul()

Adds register_phys_mem_ul() which must be used (for compatibility with
CFG_CORE_LARGE_PHYS_ADDR=y) when input address and size is based on
symbols generated in the l

core: add register_phys_mem_ul()

Adds register_phys_mem_ul() which must be used (for compatibility with
CFG_CORE_LARGE_PHYS_ADDR=y) when input address and size is based on
symbols generated in the link script.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: trivial large paddr_t fixes

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

Add CFG_CORE_LARGE_PHYS_ADDR for 64bit paddr_t

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: fix gic_init() prototype

Prior to this patch gic_init() incorrectly had paddr_t as type for the
GIC base addresses while the implementation used vaddr_t. The correct
type is vaddr_t which we'r

core: fix gic_init() prototype

Prior to this patch gic_init() incorrectly had paddr_t as type for the
GIC base addresses while the implementation used vaddr_t. The correct
type is vaddr_t which we're changing to here.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: lpae: take nsec DDR ranges into account

Takes nsec DDR ranges into account when setting TCR.PS field.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander

core: lpae: take nsec DDR ranges into account

Takes nsec DDR ranges into account when setting TCR.PS field.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: core.mk: make platform specific link.mk optional

Most platform do not need any special linker targets and so most
just link back to the default. Lets just have core.mk use the default
when a p

core: core.mk: make platform specific link.mk optional

Most platform do not need any special linker targets and so most
just link back to the default. Lets just have core.mk use the default
when a platform does not have this file. Also remove this from the
porting guidelines as it is now optional and only needed for advanced
use.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: link.mk: make platform specific kern.ld.S optional

Most platform do not need any special linker scripting and so most
just link back to the default. Lets just have link.mk use the default
when

core: link.mk: make platform specific kern.ld.S optional

Most platform do not need any special linker scripting and so most
just link back to the default. Lets just have link.mk use the default
when a platform does not have this file. Also remove this from the
porting guidelines as it is now optional and only needed for advanced
use.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: pager: ltc: prng: add entropy to the AE key for paged TAs

This commit fixes a vulnerability (OP-TEE-2017-0001) that affects
platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that
pla

core: pager: ltc: prng: add entropy to the AE key for paged TAs

This commit fixes a vulnerability (OP-TEE-2017-0001) that affects
platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that
platforms that also set CFG_SECURE_TIME_SOURCE_REE=y are still
vulnerable, unless they provide an implementation of
plat_prng_add_jitter_entropy_norpc().

Adds some entropy to the PRNG used to generate the AE key for paged
user TAs.

Link: https://op-tee.org/security-advisories/
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: ltc: prng: make sure some entropy is used immediately

This commit fixes a vulnerability (OP-TEE-2017-0001) that affects
platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that
platfor

core: ltc: prng: make sure some entropy is used immediately

This commit fixes a vulnerability (OP-TEE-2017-0001) that affects
platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that
platforms that also set CFG_SECURE_TIME_SOURCE_REE=y are still
vulnerable, unless they provide an implementation of
plat_prng_add_jitter_entropy_norpc().

The LibTomCrypt API is not used properly in the current PRNG
initialization code (tee_ltc_prng_init()). We have:

prng->start();
prng->ready();
plat_prng_add_jitter_entropy_norpc();

...and at this point, the PRNG is assumed to be ready to provide random
data through rng->read().

That is broken, because there is no guarantee that the added entropy
will have an immediate effect on the output of rng->read(). In fact, it
usually will NOT. For instance, the default software PRNG used in
OP-TEE (Fortuna) re-seeds its PRNG generator from the entropy pools
only once every ten reads. So we're effectively using an un-seeded
generator for the first ten calls to prng->read(). Practically it means
that the same byte sequences are generated after each boot and, for the
Fortuna PRNG, until the 11th call to the PRNG read function. At the
Internal Core API level, this affects TEE_GenerateRandom() and
TEE_GenerateKey().

The fix is simple: prng->ready() seeds the generator from the pools, so
by moving plat_prng_add_jitter_entropy_norpc() before prng->ready(), we
can ensure that some amount of entropy is used immediately.

Fixes: https://github.com/OP-TEE/optee_os/issues/1730
Link: https://op-tee.org/security-advisories
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...