storage: rpmb: call tee_fs_generate_fek() to generate FEK

The File Encryption Key is generated randomly but not encrypted by the
key manager before being written to the RPMB FAT. In other words, we

storage: rpmb: call tee_fs_generate_fek() to generate FEK

The File Encryption Key is generated randomly but not encrypted by the
key manager before being written to the RPMB FAT. In other words, we
consider that the RNG outputs an already encrypted key.
For consistency, call tee_fs_generate_fek() instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>

show more ...

storage: encrypt the FEK with a TA-specific key

The File Encryption Key is now encrypted with a Trusted application
Storage Key (TSK) rather than directly with the Secure Storage Key.
The TSK is der

storage: encrypt the FEK with a TA-specific key

The File Encryption Key is now encrypted with a Trusted application
Storage Key (TSK) rather than directly with the Secure Storage Key.
The TSK is derived from the SSK and the TA UUID. This improves
isolation between TAs, and makes it impossible to read the data of a
TA from another TA after manually moving files in the REE filesystem
for instance.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>

show more ...

Allow `_end` to be more than 1MB away from code

The PC relative load (`adr`) requires the destination label to be
within 1MB of the instruction itself. If for example, the HEAP_SIZE
is increased to

Allow `_end` to be more than 1MB away from code

The PC relative load (`adr`) requires the destination label to be
within 1MB of the instruction itself. If for example, the HEAP_SIZE
is increased too much, this can push the `_end` pass this limit.

Replace the single `adr` instruction with a pair (`adrp`, `add`) to
allow the symbol to load from any address.

Note that the increasing the heap size too much causes other failures.

Fixes #942.

Signed-off-by: David Brown <david.brown@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)

show more ...

gpio/pl061: add get/set interrupt and mode control functions

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Reviewed-by: Jerome Forissier <je

gpio/pl061: add get/set interrupt and mode control functions

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

gpio: support multiple instances

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

storage: return TEE_ERROR_ITEM_NOT_FOUND when storage ID is unknown

As per the GP specification for functions TEE_OpenPersistentObject(),
TEE_CreatePersistentObject() and TEE_StartPersitetntObjectEn

storage: return TEE_ERROR_ITEM_NOT_FOUND when storage ID is unknown

As per the GP specification for functions TEE_OpenPersistentObject(),
TEE_CreatePersistentObject() and TEE_StartPersitetntObjectEnumerator(),
return TEE_ERROR_ITEM_NOT_FOUND when the storage ID is invalid instead
of TEE_ERROR_STORAGE_NOT_AVAILABLE.

Note:
The code modified in this commit cannot currently be reached because
libutee rejects invalid storage IDs with TEE_ERROR_ITEM_NOT_FOUND
already. But a patch is on the way [1] that will remove this user-mode
test, so fix the bug before it can happen.

[1] https://github.com/OP-TEE/optee_os/pull/938

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: add spi framework and pl022 driver

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklan

drivers: add spi framework and pl022 driver

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: rpc alloc check memory is valid

thread_rpc_alloc_arg() and thread_rpc_alloc_payload() only succeeds if
the allocated shared memory is valid shared memory.

Reviewed-by: etienne carriere <etien

core: rpc alloc check memory is valid

thread_rpc_alloc_arg() and thread_rpc_alloc_payload() only succeeds if
the allocated shared memory is valid shared memory.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Support CFG_TEE_CORE_NB_CORE > 8

Remove the stack_tmp_top[] array. Instead, compute the stack top for
each CPU in the assembly code:

sp = stack_tmp + (cpu_id + 1) * stack_tmp_stride

stack_tmp an

Support CFG_TEE_CORE_NB_CORE > 8

Remove the stack_tmp_top[] array. Instead, compute the stack top for
each CPU in the assembly code:

sp = stack_tmp + (cpu_id + 1) * stack_tmp_stride

stack_tmp and stack_tmp_stride are exported by thread.c.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: initialize tee_pager_tbl_info early

Initialize tee_pager_tbl_info early to support early address lookups in
MEM_AREA_TEE_RAM.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Teste

core: initialize tee_pager_tbl_info early

Initialize tee_pager_tbl_info early to support early address lookups in
MEM_AREA_TEE_RAM.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: use helper for tee_pager_tbl_info

Adds local helper variable for tee_pager_tbl_info to make the code
tidier.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Signed-off-by:

core: pager: use helper for tee_pager_tbl_info

Adds local helper variable for tee_pager_tbl_info to make the code
tidier.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_linear_map_end

Adds core_mmu_linear_map_end to short circuit some
phys_to_virt/virt_to_phys lookups.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Signed-off-by: Je

core: add core_mmu_linear_map_end

Adds core_mmu_linear_map_end to short circuit some
phys_to_virt/virt_to_phys lookups.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager replace TEE_PAGER_AREA_* with TEE_MATTR_*

Replaces TEE_PAGER_AREA_* attributes with corresponding
TEE_MATTR_* attributes.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Sig

core: pager replace TEE_PAGER_AREA_* with TEE_MATTR_*

Replaces TEE_PAGER_AREA_* attributes with corresponding
TEE_MATTR_* attributes.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_pager_handle_fault() returns true if OK

Change tee_pager_handle_fault() to return true if a fault has been
dealt with successfully or false if execution has to be aborted.

Reviewed-by: et

core: tee_pager_handle_fault() returns true if OK

Change tee_pager_handle_fault() to return true if a fault has been
dealt with successfully or false if execution has to be aborted.

Reviewed-by: etienne carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

io.h: add io_mask{8,16,32} functions

When writing peripheral drivers, there's very often a need to read a
register value, set/clear some bits and then write the new value
back. Instead of having to

io.h: add io_mask{8,16,32} functions

When writing peripheral drivers, there's very often a need to read a
register value, set/clear some bits and then write the new value
back. Instead of having to 'manually' call read, do bit manipulations
and write every single time, add this helper function for convenience.

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: core_mmu_populate_user_map() arguments

Replaces the struct tee_mmu_info *mmu argument for
core_mmu_populate_user_map() with struct user_ta_ctx *utc instead. This
affects a few other mmu functi

core: core_mmu_populate_user_map() arguments

Replaces the struct tee_mmu_info *mmu argument for
core_mmu_populate_user_map() with struct user_ta_ctx *utc instead. This
affects a few other mmu functions too.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add core_mmu_{set,get}_entry_primitive()

Adds core_mmu_set_entry_primitive() and core_mmu_get_entry_primitive()
and moves core_mmu_set_entry() and core_mmu_get_entry() to generic
translation t

core: add core_mmu_{set,get}_entry_primitive()

Adds core_mmu_set_entry_primitive() and core_mmu_get_entry_primitive()
and moves core_mmu_set_entry() and core_mmu_get_entry() to generic
translation table code.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mask interrupts at assert or panic()

Masks interrupts at assert or panic() to keep the cpu pinned.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklan

core: mask interrupts at assert or panic()

Masks interrupts at assert or panic() to keep the cpu pinned.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32.h: add address translation functions

Adds more address translation functions that can be useful when
debugging.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wik

core: arm32.h: add address translation functions

Adds more address translation functions that can be useful when
debugging.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread: release locked unused stack pages

Before this patch when the pager is active the thread stacks uses demand
allocation to add required physical pages to the stacks, but those pages
are

core: thread: release locked unused stack pages

Before this patch when the pager is active the thread stacks uses demand
allocation to add required physical pages to the stacks, but those pages
are never returned to the pool of physical pages.

With this patch when pager is active the locked but currently unused
thread stack pages are released on thread free or RPC. This returns the
previously demand allocated physical pages to the pager.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: David Brown <david.brown@linaro.org>
Tested-by: David Brown <david.brown@linaro.org> (qemu-32, FVP-64)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: allocate memory pool unlocked

Allocate the LTC memory pool without the TEE_PAGER_AREA_LOCK to allow
paging out data and make more physical pages available for paging.

Reviewed-by: Jerome

core: ltc: allocate memory pool unlocked

Allocate the LTC memory pool without the TEE_PAGER_AREA_LOCK to allow
paging out data and make more physical pages available for paging.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: add support to page out r/w pages

Adds support in pager to page out read-write pages by encrypting them
with AES-GCM to avoid leaking sensitive information. With this patch there
are th

core: pager: add support to page out r/w pages

Adds support in pager to page out read-write pages by encrypting them
with AES-GCM to avoid leaking sensitive information. With this patch there
are three different ways of providing virtual memory:
- read only, where each page is protected with a SHA-256 hash
- read write locked, corresponding with previous zero initialized where
mapped pages are removed from the usual pool of physical pages and
only returned on explicit release
- read write, *new* dirty read write pages triggers update to the
storage using encryption (AES-GCM) before the page is reused.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pager: add debug prints

Add debug prints that are triggered every 1024th page fault or when the
number of pages available to the pager changes. Useful to find out why
certain tests seems to run slow

pager: add debug prints

Add debug prints that are triggered every 1024th page fault or when the
number of pages available to the pager changes. Useful to find out why
certain tests seems to run slowly when the pager is enabled.

Enabled by CFG_TEE_CORE_DEBUG=y.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pager: add pager_aes_gcm_{de,en}crypt()

Adds pager_aes_gcm_decrypt() and pager_aes_gcm_encrypt() providing a
pager optimized AES-GCM implementation to be used with read/write
paging.

Reviewed-by: J

pager: add pager_aes_gcm_{de,en}crypt()

Adds pager_aes_gcm_decrypt() and pager_aes_gcm_encrypt() providing a
pager optimized AES-GCM implementation to be used with read/write
paging.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ltc: provide rng_generate()

Adds rng_generate() to the tee_crypt_provider interface to be used by
pager and early initialization code where the complete crypto library
might not be available.

Revie

ltc: provide rng_generate()

Adds rng_generate() to the tee_crypt_provider interface to be used by
pager and early initialization code where the complete crypto library
might not be available.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: David Brown <david.brown@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...