| 3e7622ab | 19-Feb-2015 |
Jens Wiklander <jens.wiklander@linaro.org> |
thread: move stack allocation from platform specific
Moves static stack allocation from platform specific code to the thread subsystem.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU) Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
|
| 60699957 | 09-Mar-2015 |
Pascal Brand <pascal.brand@st.com> |
Check of the identity of the TA invoking a TA operation
On the following operations (invoke command, close, cancel), the one that is at the origin of the operations is checked. It could be a TA or the core. In case of a TA, it is checked that it is the same as the one that opened the session.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (QEMU) Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| 7018ae01 | 04-Mar-2015 |
SY Chiu <sy.chiu@linaro.org> |
Added Abstract Layer for PRNG
- Extended crypto_ops with a new prng_ops which handles prng operations.
- Replace calls to get_rng_array() with crypto_ops.prng.read(); this enforces that PRNG operations go through the PRNG HAL, instead of invoking the platform-dependent PRNG implementation directly.
- Create a new mpa_set_random_generator() interface for mpa users to register a callback to generate random numbers, instead of expecting the user to provide a get_rng_array(). This enables libmpa to use crypto_ops.prng.read().
- Added a new configuration CFG_WITH_PRNG_SOFTWARE to toggle SW/HW-dependent PRNG implementation.
- The SW PRNG implementation is supplied by the backend crypto library (libtomcrypt).
- Added a new SW PRNG 'Fortuna' to libtomcrypt.
- Added a new SW PRNG 'RC4' to libtomcrypt; when Fortuna is not available due to AES and SHA256 not being available, fall back to RC4.
- Get rid of the badly implemented SW PRNG in plat_vexpress (rng_support.c).
- If CFG_WITH_PRNG_SOFTWARE is not enabled, the platform needs to supply hw_get_random_byte().
Signed-off-by: SY Chiu <sy.chiu@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform) Tested-by: SY Chiu <sy.chiu@linaro.org> (QEMU)
|
| 1fd927eb | 11-Mar-2015 |
James Kung <james.kung@linaro.org> |
TEE Core File Operation Abstraction Layer
Tested-by: James Kung <james.kung@linaro.org> (QEMU platform) Signed-off-by: James Kung <james.kung@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| dde0e235 | 26-Feb-2015 |
etienne carriere <etienne.carriere@st.com> |
load/generate TEE Core build configuration file
At build time, conf.in file is generated at output root core directory.
At build entry, if CFG_OPTEE_CONFIG is defined, it specifies the path of the target TEE Core build configuration to use.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Etienne CARRIERE <etienne.carriere@st.com> Reviewed-by: Pascal BRAND <pascal.brand@st.com> Reviewed-by: Etienne CARRIERE <etienne.carriere@st.com>
|
| 7c876f12 | 02-Mar-2015 |
Pascal Brand <pascal.brand@st.com> |
CFG_TEE_CORE_TA_TRACE to disable TA traces
In order to disable TA traces, whatever the compilation options of the TAs, CFG_TEE_CORE_TA_TRACE can be defined to n
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform) Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| ca1e64d6 | 27-Feb-2015 |
Pascal Brand <pascal.brand@st.com> |
Libtomcrypt: use buf_compare_ct instead of mem_neq
This is a size-optimization, as the current optee_os code already contains a function dedicated to constant-time memory compare: buf_compare_ct()
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (QEMU) Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| 7eaee2d7 | 02-Feb-2015 |
Jens Wiklander <jens.wiklander@linaro.org> |
arm32: move some inline assembly into arm32.h
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
|
| ca50fe04 | 04-Feb-2015 |
Jens Wiklander <jens.wiklander@linaro.org> |
struct tee_ta_ctx: remove rw_data*
Removes rw_data and tw_data_usage elements in struct tee_ta_ctx as they are not used any longer.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
|
| 0eff3e9b | 02-Jan-2015 |
Jens Wiklander <jens.wiklander@linaro.org> |
arm32: Adds LPAE support
Enables use of Large Physical Address Extension (LPAE) with CFG_WITH_LPAE=y
To facilitate both the old V7 and the new LPAE translation tables an abstraction layer has been added to avoid direct manipulations of the translation tables.
Both V7 and LPAE implementations use TEX remapping (SCTLR.TRE = 1) and enable access flags (SCTLR.AFE = 1). This is a change in the V7 code base as those bits were 0 before. There are two reasons for this change:
1. "From the introduction of the Large Physical Address Extension, ARM deprecates any use of the AP[2:0] scheme for defining MMU access permissions. This deprecation applies to software for all ARMv7-A implementations, regardless of whether they include the Large Physical Address Extension."
2. With SCTLR.TRE = 1 and SCTLR.AFE = 1, V7 and LPAE implementations use the same way of specifying access permissions and memory attributes.
Currently only supported on plat-vexpress.
Bugfix v7 config: sets NOS bit in TTBRx registers
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU, FVP Base model) Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
|
| 94122a35 | 02-Dec-2014 |
etienne carriere <etienne.carriere@st.com> |
[plat-stm] fix/disable cache FullZeroLineWrite support
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform) Reviewed-by: Etienne CARRIERE <etienne.carriere@st.com> Tested-by: Pascal BRAND <pascal.brand@st.com> Reviewed-by: Pascal BRAND <pascal.brand@st.com> Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| abd4a750 | 12-Feb-2015 |
Pascal Brand <pascal.brand@st.com> |
Persistent Object Sharing Rules adjust with respect to GP v1.1
This patch implements this part of the GlobalPlatform Internal Core API v1.1
Multiple handles may be opened on the same object simultaneously using the functions TEE_OpenPersistentObject or TEE_CreatePersistentObject, but sharing MUST be explicitly allowed. More precisely, at any one time the following constraints apply: If more than one handle is opened on the same object, and if any of these object handles was opened with the flag TEE_DATA_FLAG_ACCESS_READ, then all the object handles MUST have been opened with the flag TEE_DATA_FLAG_SHARE_READ. There is a corresponding constraint with the flags TEE_DATA_FLAG_ACCESS_WRITE and TEE_DATA_FLAG_SHARE_WRITE. Accessing an object with write-meta rights is exclusive and can never be shared.
When one of the functions TEE_OpenPersistentObject or TEE_CreatePersistentObject is called and if opening the object would violate these constraints, then the function returns the return code TEE_ERROR_ACCESS_CONFLICT.
Fix #174
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Suggested-by: xlyu <jpmhesheit@gmail.com> Tested-by: Pascal Brand <pascal.brand@linaro.org> (QEMU) Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| c2e1a053 | 19-Dec-2014 |
Jerome Forissier <jerome.forissier@linaro.org> |
crypto API: make sure TEE_Attribute parameters are readable
Fixes https://github.com/OP-TEE/optee_os/issues/161.
Services that take a TEE_Attribute array for input must check that the memory is readable before using it. This is accomplished by check_attr_read_access(), which is either called directly by the system service or by tee_svc_cryp_check_attr(). Buffers pointed to by 'reference' attributes are also validated. Then, it is no longer necessary to check accessibility in other functions such as tee_svc_cryp_obj_store_attr_raw().
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
|
| fa530828 | 03-Feb-2015 |
Pascal Brand <pascal.brand@st.com> |
Internal API extension on Cache Operations
Following extensions are introduced:
- TEE_CacheClean()
- TEE_CacheFlush()
- TEE_CacheInvalidate()
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform) Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| db5f4ae4 | 21-Jan-2015 |
Joakim Bech <joakim.bech@linaro.org> |
Fix information leakage in key generator
When generating keys we are using the RNG available for the particular platform in use. For some reason we always or'ed a bit in the last byte, which means that we leak information. Leaking information like this is considered as a security flaw and therefore we have removed the line setting this bit.
Fix #178
Signed-off-by: Joakim Bech <joakim.bech@linaro.org> Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU) Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
|
| c84d070c | 27-Jan-2015 |
Pascal Brand <pascal.brand@st.com> |
RSA decode in constant time
This is a cherry-pick of the libtomcrypt pull-request https://github.com/libtom/libtomcrypt/pull/57
As pointed out by Herve Sibert, verification has been kept non-constant time in this patch.
Excerpt from original libtomcrypt pull-request: as proposed in RFC 3447 only one error return code is used when there are errors while decoding the pkcs#1 format. also, all steps are executed and only the "output" is skipped if something went wrong.
Sorry this could break backwards compatibility, since there's no more BUFFER_OVERFLOW messaging. Former error-handling code could also be affected because now there's only OK as return code in cases where "res" is also set to '1'.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform) Tested-by: Pascal Brand <pascal.brand@linaro.org> (QEMU) Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| 0e91d797 | 30-Jan-2015 |
Jean-Michel Delorme <jean-michel.delorme@st.com> |
Fix user TA trace issue
Definition of the global "trace_level" variable has been moved from the libutil to a TA file (user_ta_header.c). This allows to initialize it with the correct value/level CFG_TEE_TA_LOG_LEVEL when the TA code is compiled. Same trace level is now applied at all TA code and associated libraries: libutee/libutils/libmpa.
Change-Id: Id6bda7f0611f78fe7ad3ee6b61193f4b80aba94d Signed-off-by: Jean-Michel Delorme <jean-michel.delorme@st.com> Reviewed-on: https://gerrit.st.com/22472 Reviewed-by: Emmanuel MICHEL <emmanuel.michel@st.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
|
| edc80e34 | 08-Dec-2014 |
Jens Wiklander <jens.wiklander@linaro.org> |
arm32 pager: remove unused functions
Removes unused tee_pager_unhide_all_pages() and tee_pager_unmap()
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
|
| a9985f3d | 02-Dec-2014 |
etienne carriere <etienne.carriere@st.com> |
core/arm32: support PL310 lockdown at TEE boot
Add routine arm_cl2_lockgit allways() that enable lock on all d/i ways.
Add config switch CFG_PL310_LOCKED. If set, at TEE boot, PL310 L2 cache is fully locked and invalidated. Once TZ has booted, NSec inherits from a pre-configured L2 cache, pre-enabled, but bypassed as all ways are locked. If NSec wants to benefit from L2 cache, it shall unlock all d/i ways. Default setup: CFG_PL310_LOCKED is not defined. Linux may not integrate the outercache unlock sequence at l2x0 inits.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
Reviewed-on: https://gerrit.st.com/17088 Reviewed-by: Etienne CARRIERE <etienne.carriere@st.com> Tested-by: Pascal BRAND <pascal.brand@st.com> Reviewed-by: Pascal BRAND <pascal.brand@st.com> Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| c643dd49 | 30-Jan-2015 |
Pascal Brand <pascal.brand@st.com> |
[plat-stm] cache_maintenance_l2() performed on given area
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| 089f125c | 20-Nov-2014 |
Pascal Brand <pascal.brand@st.com> |
Refactored version of cache_maintenance_l2() functions
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Pascal Brand <pascal.brand@st.com>
|
| 090e2074 | 14-Jan-2015 |
SY Chiu <sy.chiu@linaro.org> |
Disable TEX Remap before enable MMU
- Add write_ats1cpw() and read_par() for page description debug
- Clear TEX bit before enable MMU
Signed-off-by: SY Chiu <sy.chiu@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: SY Chiu <sy.chiu@linaro.org> (QEMU) Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
|
| 3161614e | 23-Jan-2015 |
Jerome Forissier <jerome.forissier@linaro.org> |
sunxi: fix parallel build errors
Fixes https://github.com/OP-TEE/optee_os/issues/181.
plat-sunxi/link.mk uses CPP to generate its core linker script. Commit a3911433960a ("core: get value of CFG_ variables directly from generated/conf.h") has modified the core CPP flags to include conf.h automatically, so one must make sure that this file exists when the linker script is generated. This is done by adding a dependency on $(conf-file).
The vexpress platforms also lack the dependency, but the bug won't show because of other dependencies which cause conf.h to be generated anyways.
PLATFORM=stm is fine because it does not use CPP.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Pascal Brand <pascal.brand@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| d9428c3c | 20-Jan-2015 |
SY Chiu <sy.chiu@linaro.org> |
SE API: Change configuration to be prefixed with CFG_*
Signed-off-by: SY Chiu <sy.chiu@linaro.org> Tested-by: SY Chiu <sy.chiu@linaro.org> (Modified QEMU + jcardsim)
|
| e4d3a4a6 | 16-Dec-2014 |
SY Chiu <sy.chiu@linaro.org> |
SE API: hide private interfaces
- Split each header into module.h and module_priv.h, move the methods that are only used internally by the SE implementation to module_priv.h, and export module_priv.h to the rest of TEE Core
- Added new include path to se_api_self_tests.c, which needs to include private headers
- Split aid.c and apdu.c from iso7816.c. Originally they had to be written in the same file since they share some private data structures. Now, the private data structures can be shared via private headers.
- Split reader.c from manager.c for the same reason above.
Signed-off-by: SY Chiu <sy.chiu@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Tested-by: SY Chiu <sy.chiu@linaro.org> (Modified QEMU + jcardsim)
|