util: add macros for arithmetics with overflow checking

Compiler builtin support for checking overflow of addition, subtraction
and multiplication is used if available. If unavailable a fallback
imp

util: add macros for arithmetics with overflow checking

Compiler builtin support for checking overflow of addition, subtraction
and multiplication is used if available. If unavailable a fallback
implementation using macros is used instead.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey 32/64)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: Rework i.MX6 source files

Add a CFG_MX6xxx variable for every i.MX6 SoC variants and get register
addresses and values based on these variables instead of relying on
board names.

Signed-

core: arm: Rework i.MX6 source files

Add a CFG_MX6xxx variable for every i.MX6 SoC variants and get register
addresses and values based on these variables instead of relying on
board names.

Signed-off-by: Mathieu Briand <mbriand@witekio.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: allow CFG_TEE_LOAD_ADDR to not be page aligned

Fixes: https://github.com/OP-TEE/optee_os/issues/1556
Fixes: 10d13b28c22a ("core: exclusive writable/executable attribute in core mapping")
Signe

core: allow CFG_TEE_LOAD_ADDR to not be page aligned

Fixes: https://github.com/OP-TEE/optee_os/issues/1556
Fixes: 10d13b28c22a ("core: exclusive writable/executable attribute in core mapping")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: show user TA architecture on abort

In the TA abort message that is sent to the console when a user-mode
TA crashes, there is currently no clear indication of whether the TA
was running in 32-b

core: show user TA architecture on abort

In the TA abort message that is sent to the console when a user-mode
TA crashes, there is currently no clear indication of whether the TA
was running in 32-bit or 64-bit mode. Add it since it will be useful to
develop parsing tools.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: cosmetic updates to the abort dumps for better consistency

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

core: dump call stack of user TAs on abort

Update the abort handling code in the TEE core to support unwinding
the user mode stack in addition to the kernel stack. unwind_arm32.c is
modified slightl

core: dump call stack of user TAs on abort

Update the abort handling code in the TEE core to support unwinding
the user mode stack in addition to the kernel stack. unwind_arm32.c is
modified slightly so that it can be built for AArch64. This allows a
64-bit TEE core to dump both 32- and 64-bit TAs.

Paged TAs (CFG_PAGED_USER_TA=y) cannot currently be unwound, because
the code is not ready to handle the page faults that might occur as
the unwinding tables are accessed.

CFG_CORE_UNWIND is renamed to CFG_UNWIND since it enables both the
kernel and user TA stack dumps. It is still set automatically when
CFG_TEE_CORE_DEBUG=y.

32-bit user TAs have to be compiled with `-funwind-tables`, otherwise
the call stack can't be unwound and the abort reports will not show a
call stack .The TA dev kit takes care of adding this flag automatically
when CFG_UNWIND=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: elf_load.c: do not require first segment to be PT_LOAD

There is no obvious reason for requiring the first program header in a
user TA to be of type PT_LOAD. It is usually the case, due to the

core: elf_load.c: do not require first segment to be PT_LOAD

There is no obvious reason for requiring the first program header in a
user TA to be of type PT_LOAD. It is usually the case, due to the way
our linker script is written (ta/arch/arm/ta.ld.S). Still, it may occur
that other segments are inserted first by the linker. For example, when
linking a 32-bit binary built with unwind tables (-funwind-tables), the
first PHDR is PT_ARM_EXIDX. Such a TA won't load unless this patch is
applied.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-ti: Remove start address offset from base of TEE_RAM start

We offset our start address from the start of TEE_RAM_START, this
was to allow in-place loading while keeping the OPTEE header inside

plat-ti: Remove start address offset from base of TEE_RAM start

We offset our start address from the start of TEE_RAM_START, this
was to allow in-place loading while keeping the OPTEE header inside
secure memory. This is not needed anymore as we relocate the image.

Signed-off-by: Andrew F. Davis <afd@ti.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate instructions from read-only data

CFG_CORE_RODATA_NOEXEC=y/n allows to map non-executable memory with
a not-executable attribute.

Added alignments that may waste secure memory:
- unpa

core: separate instructions from read-only data

CFG_CORE_RODATA_NOEXEC=y/n allows to map non-executable memory with
a not-executable attribute.

Added alignments that may waste secure memory:
- unpaged text/rodata bound
- init text/rodata bound

To prevent wasting at least one page, the sections text_paged and
rodata_paged are swapped in the memory layout.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_virt)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_armv8)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2260)

show more ...

core: exclusive writable/executable attribute in core mapping

Make executable memory non-writable and writable memory no-executable.
Effective upon CFG_CORE_RWDATA_NOEXEC=y. Default configuration en

core: exclusive writable/executable attribute in core mapping

Make executable memory non-writable and writable memory no-executable.
Effective upon CFG_CORE_RWDATA_NOEXEC=y. Default configuration enables
this directive.

If CFG_CORE_RWDATA_NOEXEC is enabled, the read-only sections are
mapped read-only/executable while the read/write memories are mapped
read/write/not-executable. Potential 4KB of secure RAM wasted since the
page alignment between unpaged text/rodata and unpaged read/write data.

If CFG_CORE_RWDATA_NOEXEC not disabled, all text/rodata/data/... sections
of the core are mapped read/write/executable.

Both code and rodata and mapped together without alignment constraint.
Hence define all "ro" are inside the "rx" relate area:
__vcore_init_ro_size = 0 or init "ro" effective size.

As init sections are mapped read-only, core won't be able to fill
trailing content of the init last page. Hence __init_end and __init_size
are page aligned.

Core must premap all physical memory as readable to allow move of
has tables to the allocated buffer during core inits.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_virt)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_armv8)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2260)

show more ...

core: label the bounds of core flat mapped memory

Define labels to identify the core memory layout. These labels will
be later use to define the mapping bounds between executable and
writable memori

core: label the bounds of core flat mapped memory

Define labels to identify the core memory layout. These labels will
be later use to define the mapping bounds between executable and
writable memories.

Update plat-sunxi/kernel.ld.S to match support of generic_boot.c.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: clean linker script file

Use __init_start and __init_end to refer to "init" bounds.
Removed unused __text_init_start/_end, __rodata_init_start/_end, ...

Define SMALL_PAGE_SIZE locally to link

core: clean linker script file

Use __init_start and __init_end to refer to "init" bounds.
Removed unused __text_init_start/_end, __rodata_init_start/_end, ...

Define SMALL_PAGE_SIZE locally to linker file kernel.ld.S.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: MEM_AREA_TEE_RAM_RW_DATA identifies core read/write data memory

This change prepares split of executable and writable from rw memory.
Upon configuration the core private memory "TEE RAM" (heap

core: MEM_AREA_TEE_RAM_RW_DATA identifies core read/write data memory

This change prepares split of executable and writable from rw memory.
Upon configuration the core private memory "TEE RAM" (heap, stack, ...)
will either be in TEE_RAM or TEE_RAM_RW. This MEM_AREA_TEE_RAM_RW_DATA
abstracts the memory used for core data.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce TEE_RAM_RX/_RO/_RW memory areas

Define new memory type IDs for the core private memory:
- MEM_AREA_TEE_RAM_RX defines read-only/executable memory.
- MEM_AREA_TEE_RAM_RO defines read-

core: introduce TEE_RAM_RX/_RO/_RW memory areas

Define new memory type IDs for the core private memory:
- MEM_AREA_TEE_RAM_RX defines read-only/executable memory.
- MEM_AREA_TEE_RAM_RO defines read-only/non-executable memory.
- MEM_AREA_TEE_RAM_RW defines read/write/non-executable memory.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: non-LPAE reuse xlat table when possible at static map init

When a level2 translation table is already used for a virtual mapping
range, allow core to reuse it to extend mapping in the same vir

core: non-LPAE reuse xlat table when possible at static map init

When a level2 translation table is already used for a virtual mapping
range, allow core to reuse it to extend mapping in the same virtual
region. map_memarea() now maps a single given "memory map area" based
on MMU root table knowledge. Each non-LPAE level2 table is reset to zero
when allocated since the code now map_page_memarea() only the fills the
mapped virtual range in the target MMU table.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix non-LPAE static mapping against secure/non-secure bounds

Before this patch, core static mapping did not insure level2 tables
do not mix secure and non-secure virtual memory mappings.

Sign

core: fix non-LPAE static mapping against secure/non-secure bounds

Before this patch, core static mapping did not insure level2 tables
do not mix secure and non-secure virtual memory mappings.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: core static mapping should not mandate a default mapped SHM

Default SHM is a physically contiguous memory area that is default
mapped inside the core.

Before this change, current core mapping

core: core static mapping should not mandate a default mapped SHM

Default SHM is a physically contiguous memory area that is default
mapped inside the core.

Before this change, current core mapping mandated the registration of
a NSEC_SHM area. Other core layers maybe mandate such a memory but
there should not be any constraint in the static mapping initialisation
of the core. Other layer already check that this area is defined
when they require it.

As a side effect, the change updates core_mmu_is_shm_cached() so that
it reflects the cache attribute defined for MEM_AREA_NSEC_SHM.

Mapped memory reference map_nsec_shm is now useless and can be removed.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove useless memory map references

map_tee_ram and map_ta_ram references are not really useful. Remove
them and use the static values defining the memory physical locations.

Test on mandato

core: remove useless memory map references

map_tee_ram and map_ta_ram references are not really useful. Remove
them and use the static values defining the memory physical locations.

Test on mandatory registration of a the related in the mapping can
be removed as it is quite useless. If core is not mapped, it won't
boot. If TA RAM is not mapped, core will complain from the core
sequence related to TA RAM management.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: REE_FS: refcount dirfile handle

Introduces a reference counter to keep a dirfile handle open as long as
a file or directory is open. This avoids the frequent open and close of
the dirfile for

core: REE_FS: refcount dirfile handle

Introduces a reference counter to keep a dirfile handle open as long as
a file or directory is open. This avoids the frequent open and close of
the dirfile for operations on an already open file.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU, FVP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FS: don't store uuid in dirfile interface

Skips storing pointer to uuid in struct tee_fs_dirfile_dirh.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <

core: FS: don't store uuid in dirfile interface

Skips storing pointer to uuid in struct tee_fs_dirfile_dirh.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: workaround KEEP_*() macro problem

Workaround the KEEP_*() macro problem that sometimes causes the Aarch64
linker to assert. Since the pager is not enabled for Aarch64 yet we can
stub these mac

core: workaround KEEP_*() macro problem

Workaround the KEEP_*() macro problem that sometimes causes the Aarch64
linker to assert. Since the pager is not enabled for Aarch64 yet we can
stub these macros in the definition.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix non-LPAE mapping

Fixes: c6c69797168c ("mm: add new VA region for dynamic shared buffers")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.w

core: fix non-LPAE mapping

Fixes: c6c69797168c ("mm: add new VA region for dynamic shared buffers")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Andrew F. Davis <afd@ti.com> (am43xx)

show more ...

plat-hikey: configure and enable Secure Data Path by default

Reserve 4 MiB (0x3E800000 - 0x3EC00000) from the lower part of the DRAM
area that is already reserved for OP-TEE by UEFI (0x3E000000 -
0x

plat-hikey: configure and enable Secure Data Path by default

Reserve 4 MiB (0x3E800000 - 0x3EC00000) from the lower part of the DRAM
area that is already reserved for OP-TEE by UEFI (0x3E000000 -
0x40000000) to serve as the Secure Data Path pool.

A 2 MiB space is left between the top of this area and the NW/SW shared
memory, because we need the SDP area to be 4 MiB-aligned in order to
be protected by the memory firewall (protection is handled by ARM
Trusted Firmware [4] and is not strictly required for SDP to work).

To use SDP with Linux on HiKey, you need a modified ION driver [1]
which is available in the Linaro repository [2], and the following
configuration [3]:

CONFIG_STAGING=y
CONFIG_ION=y
CONFIG_ION_DUMMY=y
CONFIG_ION_DUMMY_UNMAPPED_HEAP=y
CONFIG_ION_DUMMY_UNMAPPED_BASE=0x3e800000
CONFIG_ION_DUMMY_UNMAPPED_SIZE=0x00400000
CONFIG_ANDROID=y
CONFIG_ANDROID_TIMED_OUTPUT=n
CONFIG_ANDROID_LOW_MEMORY_KILLER=n

[1] https://github.com/linaro-swg/linux/compare/e31dd54997^...961993fde6
[2] https://github.com/linaro-swg/linux/tree/optee
[3] https://github.com/OP-TEE/build/pull/145
[4] https://github.com/96boards-hikey/arm-trusted-firmware/pull/13

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-hikey: update the memory layout description

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens

plat-hikey: update the memory layout description

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: update optee_msg.h from Linux v4.12-rc1

The current Linux kernel (v4.12-rc1) has introduced a few changes in
optee_msg.h. The most important one is replacing the macro
OPTEE_MSG_GET_PARAMS() w

core: update optee_msg.h from Linux v4.12-rc1

The current Linux kernel (v4.12-rc1) has introduced a few changes in
optee_msg.h. The most important one is replacing the macro
OPTEE_MSG_GET_PARAMS() with a c99 style struct optee_msg_param params[]
member in struct optee_msg_arg.

The changes in core/arch/arm/kernel/thread.c and
core/arch/arm/tee/entry_std.c deals with that change.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...