plat-stm32mp1: add stm32mp1_ram_intersect_pager_ram()

Add stm32mp1_ram_intersect_pager_ram() helper function to ease checking
when a memory range falls into OP-TEE pager pool. This will be needed
la

plat-stm32mp1: add stm32mp1_ram_intersect_pager_ram()

Add stm32mp1_ram_intersect_pager_ram() helper function to ease checking
when a memory range falls into OP-TEE pager pool. This will be needed
later to ensure memory used by OP-TEE pager is not re-assigned to
another purpose. This change only consider STM32MP15 variant where
OP-TEE pager can be used in internal RAMs.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

plat-stm32mp1: add stm32mp1_pa_or_sram_alias_pa()

Add stm32mp1_pa_or_sram_alias_pa() helper function to ease handling
SRAMx physical addresses that have aliases on STM32MP15 SoC.

Signed-off-by: Eti

plat-stm32mp1: add stm32mp1_pa_or_sram_alias_pa()

Add stm32mp1_pa_or_sram_alias_pa() helper function to ease handling
SRAMx physical addresses that have aliases on STM32MP15 SoC.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: firewall: stm32_etzpc: fix DECPROT values

Correct sanitize_decprot_config() implementation: label values to
enumerated type etzpc_decprot_attributes are prefixed ETZPC_.

Fixes: 9c22da4b29d

drivers: firewall: stm32_etzpc: fix DECPROT values

Correct sanitize_decprot_config() implementation: label values to
enumerated type etzpc_decprot_attributes are prefixed ETZPC_.

Fixes: 9c22da4b29de ("firewall: stm32_etzpc: check consistency of RCC vs DECPROT secure config")
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: firewall: stm32_etzpc: print DECPROT values as strings

Print ETZPC attribute strings instead of numerical value in trace
messages.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st

drivers: firewall: stm32_etzpc: print DECPROT values as strings

Print ETZPC attribute strings instead of numerical value in trace
messages.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: firewall: stm32_etzpc: explicit index in DECPROT string names

Explicit the indices assigned to DECPROT helper string names.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
R

drivers: firewall: stm32_etzpc: explicit index in DECPROT string names

Explicit the indices assigned to DECPROT helper string names.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: caam: check only format bit in operation

operation variable has been updated after entering the function
so we cannot check against full RSA operations.
Updated to check only format bit in

drivers: caam: check only format bit in operation

operation variable has been updated after entering the function
so we cannot check against full RSA operations.
Updated to check only format bit in operation

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: fix CFG_CORE_BIGNUM_MAX_BITS

CFG_CORE_BIGNUM_MAX_BITS should be 4576
4096 (RSA Max key size) +
8 * 60 (Header serialization and Black blob overhead in bytes)

Signed-off-by: Sahil Mal

drivers: caam: fix CFG_CORE_BIGNUM_MAX_BITS

CFG_CORE_BIGNUM_MAX_BITS should be 4576
4096 (RSA Max key size) +
8 * 60 (Header serialization and Black blob overhead in bytes)

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: change get_core_pos_mpidr() to support hypervisor

The secure hypervisor, such as Hafnium, is expected to manipulate
MPIDR_EL1 to indicate a VCPU ID.

This commit makes get_core_pos_mpidr() not

core: change get_core_pos_mpidr() to support hypervisor

The secure hypervisor, such as Hafnium, is expected to manipulate
MPIDR_EL1 to indicate a VCPU ID.

This commit makes get_core_pos_mpidr() not calculate a CPU ID
using the affinity bitfields of MPIDR_EL1 when there is a hypervisor
in SEL2.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Sungbae Yoo <sungbaey@nvidia.com>

show more ...

crypto: se05x: improve object deletion logs

For SE05x, only private keys are stored in the secure element: the
OP-TEE secure storage REE/RPMB retains the full public key but just a
handle to the pri

crypto: se05x: improve object deletion logs

For SE05x, only private keys are stored in the secure element: the
OP-TEE secure storage REE/RPMB retains the full public key but just a
handle to the private key.

If the secure element's persistent storage is erased, but OP-TEE's
secure storage remains, the public key can still be accessed while the
private key is inaccessible. However, in such cases, the 'key' will
still appear as present in the PKCS#11 database.

When CFG_CORE_SE05X_BLOCK_OBJ_DEL_ON_ERROR is enabled (not by default)
and the key pointed to by the handle is not present in the secure
element, OP-TEE PKCS#11 clients will encounter an error when attempting
to delete the private key information held in the OP-TEE secure
storage.

If the setting is disabled, the PKCS#11 storage clears the
private key handle without errors.

This commit removes some ambiguity, so users do not see error messages
when operations complete successfully.

It also fails on sss_se05x_key_object_init errors unconditionally since
a failure on this function can only signify some form of stack
corruption.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: shared_resource stops checking clock dependencies

Remove management of STM32MP15 secure clock support from the
platform specific share_resource.c driver. It is not needed STM32
ETZPC

plat-stm32mp1: shared_resource stops checking clock dependencies

Remove management of STM32MP15 secure clock support from the
platform specific share_resource.c driver. It is not needed STM32
ETZPC and RCC platform drivers now checks these dependencies.

Therefore the change removes stm32mp_register_clock_parents_secure()
and its related and ensures stm32mp_register_[non_]secure_xxx()
(from shared_resource.c driver) is not used for a clock (here PLL3).

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

drivers: clk: stm32mp15: default disable mckprot hardening

Default disable RCC MCKPROT hardening configuration for STM32MP15
platforms since remoteproc driver enables it when required.

Remove disab

drivers: clk: stm32mp15: default disable mckprot hardening

Default disable RCC MCKPROT hardening configuration for STM32MP15
platforms since remoteproc driver enables it when required.

Remove disabling of RCC MCKPROT from STM32MP15 shared_resource driver
since this is now done from the STM32MP15 clock driver.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

drivers: remoteproc: stm32mp15: check Cortex-M isolation

Set Cortex-M RCC isolation (MCKPROT) configuration when STM32MP15
remote processor secure loading is embedded in the platform.

Signed-off-by

drivers: remoteproc: stm32mp15: check Cortex-M isolation

Set Cortex-M RCC isolation (MCKPROT) configuration when STM32MP15
remote processor secure loading is embedded in the platform.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

firewall: stm32_etzpc: check consistency of RCC vs DECPROT secure config

Ensures that when an ETZPC DECPROT configuration is secure (resp.
MCU isolated) that SoC RCC is also secure (resp. MCKPROT is

firewall: stm32_etzpc: check consistency of RCC vs DECPROT secure config

Ensures that when an ETZPC DECPROT configuration is secure (resp.
MCU isolated) that SoC RCC is also secure (resp. MCKPROT isolated).

This change helps to remove dependency on shared_resource.c driver
that is no longer needed since integration of the firewall framework.

By the way, fix include files order.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

plat-ls: use fdt_reg_info()

Use fdt_reg_info() instead of fdt_reg_base_address() and fdt_reg_size()
to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etienn

plat-ls: use fdt_reg_info()

Use fdt_reg_info() instead of fdt_reg_base_address() and fdt_reg_size()
to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: use fdt_reg_info()

Use fdt_reg_info() instead of fdt_reg_base_address() and fdt_reg_size()
to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etienn

drivers: use fdt_reg_info()

Use fdt_reg_info() instead of fdt_reg_base_address() and fdt_reg_size()
to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mm: use fdt_reg_info()

Use fdt_reg_info() instead of fdt_reg_base_address() and fdt_reg_size()
to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etien

core: mm: use fdt_reg_info()

Use fdt_reg_info() instead of fdt_reg_base_address() and fdt_reg_size()
to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: kernel: dt: add and use fdt_reg_info()

Implement fdt_reg_info() instead of fdt_reg_base_address() and
fdt_reg_size() to optimize look up in the DT due to finding parent node.

Signed-off-by: E

core: kernel: dt: add and use fdt_reg_info()

Implement fdt_reg_info() instead of fdt_reg_base_address() and
fdt_reg_size() to optimize look up in the DT due to finding parent node.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: dt: cache embedded DTB node information

Optimize OP-TEE boot time regarding parsing of the embedded DTB
content when using libfdt. The library functions fdt_parent_offset()
and fdt_node_offset

core: dt: cache embedded DTB node information

Optimize OP-TEE boot time regarding parsing of the embedded DTB
content when using libfdt. The library functions fdt_parent_offset()
and fdt_node_offset_by_phandle() are not very efficient since they
parse the DTB from root node to target node to look up for,
respectively, the node offset of a node parent and the node offset
related to a node phandle. Helper functions fdt_reg_base_address()
and fdt_reg_size() are also affected since they are based on
fdt_parent_offset() to find the #address-cells and #size-cells
properties of a node parent.

Optimize this by parsing the embedded DT once and caching node
information (parent node, phandle value, parent node #address-cells
and #size-cells values) in a array. Parse the array instead of the
DT for find these information.

We made few tests to use bisection or hash tables for look up the
information in the cache array. The gain was very small, likely due
to the number of DT node involved in the platform is relatively small
(only several hundreds or nodes).

This feature is enabled upon configuration switch CFG_DT_CACHED_NODE_INFO.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: move sanity of RCC secure state against BSEC state

Move implementation that verifies STM32MP1 device Secure Closed state
(read from BSEC OTP fuses) against RCC secure hardening config

plat-stm32mp1: move sanity of RCC secure state against BSEC state

Move implementation that verifies STM32MP1 device Secure Closed state
(read from BSEC OTP fuses) against RCC secure hardening configuration.
It is moved from shared_resource.c platform driver to platform main.c.
This change prepares the removal of shared_resource.c driver that is
no longer needed since integration of the firewall framework.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: imx_csu: add settings for i.MX6

Add the CSU SA settings for i.MX6(Q/D). This setting ensures that no
non-TrustZone aware master is able to read secure memory. Information on
the CSU SA regi

drivers: imx_csu: add settings for i.MX6

Add the CSU SA settings for i.MX6(Q/D). This setting ensures that no
non-TrustZone aware master is able to read secure memory. Information on
the CSU SA register values were taken from i.MX6 Security Reference
Manual rev 0.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>

show more ...

plat-stm32mp1: remove unused stm32mp_nsec_can_access_pmic_regu()

Remove unused platform function stm32mp_nsec_can_access_pmic_regu().

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

plat-stm32mp1: remove unused stm32mp_nsec_can_access_pmic_regu()

Remove unused platform function stm32mp_nsec_can_access_pmic_regu().

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

plat-stm32mp1: scmi_server: remove useless assertion on rstctrl

Remove useless assertion on reset controller handle value.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by

plat-stm32mp1: scmi_server: remove useless assertion on rstctrl

Remove useless assertion on reset controller handle value.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

plat-stm32mp1: scmi_server: permit MCU reset upon remoteproc security

Forbid SCMI accesses to MCU reset controllers when remote processor
is to be managed through OP-TEE remoteproc services.

Signed

plat-stm32mp1: scmi_server: permit MCU reset upon remoteproc security

Forbid SCMI accesses to MCU reset controllers when remote processor
is to be managed through OP-TEE remoteproc services.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

drivers: stm32_remote_proc: add stm32_rproc_is_secure()

Add stm32_remoteproc driver API function stm32_rproc_is_secure()
that return whether of not remote processor management shall be
handled throu

drivers: stm32_remote_proc: add stm32_rproc_is_secure()

Add stm32_remoteproc driver API function stm32_rproc_is_secure()
that return whether of not remote processor management shall be
handled through OP-TEE remoteproc secure services.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

show more ...

core: mm: fix mobj_tee_ram_rw initialization

Until this patch, for CFG_CORE_RWDATA_NOEXEC=n and CFG_CORE_ASLR=y
there's an error in mobj_init() when the length of the combined
TEE_RAM_RWX is calcula

core: mm: fix mobj_tee_ram_rw initialization

Until this patch, for CFG_CORE_RWDATA_NOEXEC=n and CFG_CORE_ASLR=y
there's an error in mobj_init() when the length of the combined
TEE_RAM_RWX is calculated.

The relocatable address VCORE_UNPG_RW_PA is mixed with the absolute
address TEE_RAM_START. Relocated addresses only changes with
CFG_CORE_ASLR=y so before ASLR this expression was correct.

The combined TEE_RAM_RWX is only used with CFG_CORE_RWDATA_NOEXEC=n so
that is also a prerequisite for the error. The calculated length field
is usually not more wrong than code depending on
mobj_tee_ram_rw/mobj_tee_ram_rx still works. So the error wasn't visible
until length checks for phys_to_virt() was introduced with the commit
c2e4eb43b7b7 ("core_mmu: fix phys_to_virt() to check length").

Fix this by using VCORE_START_VA instead of TEE_RAM_START since the
former is a relocated address.

Fixes: c2e4eb43b7b7 ("core_mmu: fix phys_to_virt() to check length")
Fixes: 170e9084a84f ("core: add support for CFG_CORE_ASLR")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...