pta: stm32mp: add debug access PTA

Add the debug access PTA that is responsible of validating whether
a given debug profile is configured or not. This basically means that
the debug configuration sh

pta: stm32mp: add debug access PTA

Add the debug access PTA that is responsible of validating whether
a given debug profile is configured or not. This basically means that
the debug configuration should allow (at least!) access to the debug
peripherals requiring the debug profile being checked.

For now, as it is specific to BSEC, only embed the PTA if the BSEC support
is embedded as well.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>

show more ...

core: pta: add Rockchip secure boot PTA

The S_OTP area for the Rockchip secure boot RSA hash and status register
is accessible only from the secure world. Thus, secure boot must be
enabled from the

core: pta: add Rockchip secure boot PTA

The S_OTP area for the Rockchip secure boot RSA hash and status register
is accessible only from the secure world. Thus, secure boot must be
enabled from the secure world on these board.

The PTA implements 3 functions:

1. Ask the TA from the non-secure world about the current status and hash
of the hardware. This allows to inspect the current status of secure
boot on a specific device.

2. Write an RSA hash into the OTP fuses. It's the responsibility of the
user to calculate the hash and ensure that it matches the key, which
will be used to sign the images.

3. Actually lockdown the device by enabling secure boot. This is a
separate step to allow the user to verify the setup before
potentially bricking a device.

With these functions, a user may use a client running in the normal
world (for example in a boot loader or operating system) to enable
secure boot on a Rockchip device.

Implementing secure boot setup as an OP-TEE PTA has the advantage that
secure boot can be enabled at any time during the device setup instead
of during early boot. This allows a developer/user or additional scripts
to interact with the secure boot setup process.

The hash of the root key is accepted and reported as calculated by
sha256sum and internally converted to the correct byte order that needs
to be burned into the fuses.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ftrace: dump ftrace after every ta_entry

This patch implements the feature to dump ftrace buffer to
tee_supplicant after every entry to the ta.
To implement the feature, this patch does some modific

ftrace: dump ftrace after every ta_entry

This patch implements the feature to dump ftrace buffer to
tee_supplicant after every entry to the ta.
To implement the feature, this patch does some modification to the
ftrace dumping process and add a new config CFG_FTRACE_DUMP_EVERY_ENTRY
to control this behavior.
This can reduce the chance of losing the ftrace data due to not
enough ftrace buffer and make debugging long-lived TA possible.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

libutee: make TEE_SetOperationKey2() panic if operation is NULL or not in initial state

The Internal Core API specification v1.3.1 has the following panic
conditions for TEE_SetOperationKey2(), same

libutee: make TEE_SetOperationKey2() panic if operation is NULL or not in initial state

The Internal Core API specification v1.3.1 has the following panic
conditions for TEE_SetOperationKey2(), same as v1.1:

- If operation is not a valid opened operation handle.
- If operation is not in initial state.

Therefore, it should call __GP11_TEE_SetOperationKey2() not the internal
function set_operation_key2(). Then operation is guaranteed to be
non-NULL and the test may be replaced by an assertion.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: make TEE_SetOperationKey() panic if handle state is initialized

According to the TEE Internal Core API specification v1.3.1 section
6.2.6, TEE_SetOperationKey() should panic if the flag
TEE

libutee: make TEE_SetOperationKey() panic if handle state is initialized

According to the TEE Internal Core API specification v1.3.1 section
6.2.6, TEE_SetOperationKey() should panic if the flag
TEE_HANDLE_FLAG_INITIALIZED is set on the operation. Update
TEE_SetOperationKey() accordingly.

A NULL operation should cause a panic, too. Since this condition is
caught in both TEE_SetOperationKey() and __GP11_TEE_SetOperationKey(),
we can drop the NULL check in set_operation_key() and assert instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

compiler.h: detect builtin arithmetic overflow support with __has_builtin

Using the __has_builtin macro to check if the compiler has builtin
arithmetic overflow function. This makes OP-TEE use more

compiler.h: detect builtin arithmetic overflow support with __has_builtin

Using the __has_builtin macro to check if the compiler has builtin
arithmetic overflow function. This makes OP-TEE use more efficient
code when compiled with clang.

Tested with clang 21.0.0 on arm64 platform, the generated assembly
is using the CPU flags to check overflow.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutils: add integer overflow multiplication from LLVM compiler-rt

Add integer overflow multiplication function __mulodi4() needed for
__builtin_mul_overflow() to work on a few platforms.

Selected

libutils: add integer overflow multiplication from LLVM compiler-rt

Add integer overflow multiplication function __mulodi4() needed for
__builtin_mul_overflow() to work on a few platforms.

Selected files are imported from the compiler-rt directory in LLVM
version 20.1.3, tag llvmorg-20.1, to lib/libutils/compiler-rt with no
local changes except for the sub.mk file.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Squashed commit upgrading to mbedtls-3.6.4

Squash merging branch import/mbedtls-3.6.4

commit 43e97a8f0625 ("Import mbedtls-3.6.4")
commit 8ac83749d343 ("mbedtls: remove default include/mbedtls/conf

Squashed commit upgrading to mbedtls-3.6.4

Squash merging branch import/mbedtls-3.6.4

commit 43e97a8f0625 ("Import mbedtls-3.6.4")
commit 8ac83749d343 ("mbedtls: remove default include/mbedtls/config.h")
commit 89c0fc652535 ("mbedtls: configure mbedtls to reach for config")
commit 59c9730a19a8 ("libmbedtls: make mbedtls_mpi_mont*() available")
commit 20d408b354b4 ("libmbedtls: add mbedtls_mpi_init_mempool()")
commit ae519b65d8e1 ("libmedtls: mpi_miller_rabin: increase count limit")
commit eec216feead8 ("libmbedtls: add interfaces in mbedtls for context memory operation")
commit 436c9dec3733 ("libmbedtls: fix no CRT issue")
commit eb7fd40aa0c1 ("libmbedtls: add SM2 curve")
commit 6ca24312de58 ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
commit a7a355ebd993 ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
commit 45083a9c2d7f ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
commit a345e1bb1572 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
commit 015ba93f356d ("libmbedtls: allow inclusion of arm_neon.h")
commit 3c7a228496a7 ("libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MBEDTLS_UNSAFE_MODEXP")
commit c88a506a0f55 ("libmbedtls: use mempool_calloc() for temporary memory")
commit b22584209222 ("libmbedtls: fix build warning related to deprecated DTLS connect ID")
commit 4afc1eba8114 ("libmbedtls: sync with DTLS connect ID build fix")
commit 85329760d40b ("libmbedtls: fix compilation warning with GCC14")

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

libutee: Fix handling of failed TA_CreateEntryPoint() in keep-alive TAs

Do not mark init as done if init fails. This is necessary to avoid
running a TA uninitialized. Also, add a new marker indicati

libutee: Fix handling of failed TA_CreateEntryPoint() in keep-alive TAs

Do not mark init as done if init fails. This is necessary to avoid
running a TA uninitialized. Also, add a new marker indicating if the
malloc pool and other runtime setup has been performed - this part
of the init must not be repeated.

This issue could cause a NULL pointer dereference in PKCS#11 TA if
the TA's init failed. F.ex., if `tee-supplicant` was unavailable, the
PKCS#11 TA's `TA_CreateEntryPoint()` would fail to init its tokens,
and an error value would be returned. This in itself is fine, but the
problem is that the init would be marked as done. Hence, for the next
session, the TA's `TA_CreateEntryPoint()` would be omitted during init.

Link: https://github.com/OP-TEE/optee_os/pull/7443
Signed-off-by: Johan Korsnes <johan.korsnes@remarkable.no>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: disable word-at-a-time for str* functions with ASan

The optimized versions of str* functions perform word-aligned reads
that may go slightly past the actual string boundary. The out-of-bou

libutils: disable word-at-a-time for str* functions with ASan

The optimized versions of str* functions perform word-aligned reads
that may go slightly past the actual string boundary. The out-of-bound
read accesses doesn't look dangerous, because in this case buffer start
address is always word-size aligned.

Disable the optimized versions when CFG_CORE_SANITIZE_KADDRESS is enabled
to avoid ASan errors.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: add alarm-related operations to RTC PTA

Add `set_alarm()`, `read_alarm()`, `enable_alarm()`, `wait_alarm()`,
`cancel_wait()` and `set_wake_alarm_status()` operations.
Also update RTC feat

core: pta: add alarm-related operations to RTC PTA

Add `set_alarm()`, `read_alarm()`, `enable_alarm()`, `wait_alarm()`,
`cancel_wait()` and `set_wake_alarm_status()` operations.
Also update RTC features to include alarm and wakeup alarm capabilities.

Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

libutils: drop redundant IS_ENABLED checks

The functions asan_tag_access() and asan_tag_heap_free() are
always defined. When CFG_CORE_SANITIZE_KADDRESS is disabled, they
are compiled as no-ops. Thus

libutils: drop redundant IS_ENABLED checks

The functions asan_tag_access() and asan_tag_heap_free() are
always defined. When CFG_CORE_SANITIZE_KADDRESS is disabled, they
are compiled as no-ops. Thus, the surrounding IS_ENABLED() checks
are unnecessary and removed.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: tag only actual allocated size in ASan heap tagging

Tag exactly the requested allocation size (hdr_size + requested_size)
instead of the rounded-up buffer size. This ensures that ASan does

libutils: tag only actual allocated size in ASan heap tagging

Tag exactly the requested allocation size (hdr_size + requested_size)
instead of the rounded-up buffer size. This ensures that ASan does not
mark extra padding as valid memory.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core, libutils: unpoison stack on longjmp for ASan

Adds support for unpoisoning the stack when performing longjmp,
to ensure correct ASan behavior.

When a longjmp unwinds the stack, parts of the st

core, libutils: unpoison stack on longjmp for ASan

Adds support for unpoisoning the stack when performing longjmp,
to ensure correct ASan behavior.

When a longjmp unwinds the stack, parts of the stack that were
poisoned during deeper calls may remain marked as inaccessible.
This can lead to false ASan reports after longjmp, as the new
frame reuses that memory.

To avoid this, a call to asan_handle_longjmp() is added to
setjmp_a64.S, which unpoisons the stack range between the current
SP and the old SP (saved during setjmp).

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add optee.ta.instanceKeepCrashed property

Add the optee.ta.instanceKeepCrashed property to prevent a TA with
gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected
resetting of the

Add optee.ta.instanceKeepCrashed property

Add the optee.ta.instanceKeepCrashed property to prevent a TA with
gpd.ta.instanceKeepAlive=true to be restarted. This prevents unexpected
resetting of the state of the TA.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Alex Lewontin <alex.lewontin@canonical.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

libmbedtls: fix compilation warning with GCC14 (2)

Cherry-picking commit 7505c3588f44 ("libmbedtls: fix compilation warning
with GCC14") which was lost in commit c3deb3d6f3b1 ("Squashed commit
upgra

libmbedtls: fix compilation warning with GCC14 (2)

Cherry-picking commit 7505c3588f44 ("libmbedtls: fix compilation warning
with GCC14") which was lost in commit c3deb3d6f3b1 ("Squashed commit
upgrading to mbedtls-3.6.3"). It should have been pushed onto the
import/mbedtls-3.6.2 branch when it was accepted in master but that
didn't happen and therefore it was unfortunately left aside when
upgrading. This time it has been applied to import/mbedtls-3.6.3 [1] so
it will hopefully not be forgotten in the next upgrade.

Link: https://github.com/OP-TEE/optee_os/commit/b526c146f87 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: pta: add self tests for transfer list

Add self tests for transfer list.
Adapt CFG_TRANSFER_LIST with its dependencies and add
CFG_TRANSFER_LIST_TEST.

Signed-off-by: Raymond Mao <raymond.mao@l

core: pta: add self tests for transfer list

Add self tests for transfer list.
Adapt CFG_TRANSFER_LIST with its dependencies and add
CFG_TRANSFER_LIST_TEST.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: config: re-enable long long divisions

This reverts commit d3ec4328a070 ("libmbedtls: config: disable long long
divisions") to address performance regressions introduced by that
commit. T

libmbedtls: config: re-enable long long divisions

This reverts commit d3ec4328a070 ("libmbedtls: config: disable long long
divisions") to address performance regressions introduced by that
commit. The commit can be reverted now that __udivti3() needed by the
unsigned long long divisions is available again.

Link: https://github.com/OP-TEE/optee_os/pull/7359
Link: https://github.com/OP-TEE/optee_os/issues/7374
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutils: add division routines from LLVM compiler-rt

Add division routines needed to provide __udivti3() needed for long long
divisions in mbedtls.

Selected files are imported from the compiler-rt

libutils: add division routines from LLVM compiler-rt

Add division routines needed to provide __udivti3() needed for long long
divisions in mbedtls.

Selected files are imported from the compiler-rt directory in LLVM
version 20.1.3, tag llvmorg-20.1, to lib/libutils/compiler-rt with no
local changes except for the added sub.mk files.

Link: https://github.com/OP-TEE/optee_os/pull/7359
Link: https://github.com/OP-TEE/optee_os/issues/7374
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution.

core: fix crash during syscall ftrace

Syscall ftrace collects data during a syscall. get_fbuf() checks if
thread_get_id_may_fail() != -1 to see if a function is called under
normal thread execution. This can lead to an inconsistent state if a
native interrupt occur while ftrace_enter() or ftrace_return() is
recording data in the ftrace buffer. So fix this by using
thread_is_in_normal_mode() to exclude ftrace during interrupt
processing.

Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Closes: https://github.com/OP-TEE/optee_os/issues/7216
Fixes: 099918f6744c ("ftrace: Add support for syscall function tracer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

Squashed commit upgrading to mbedtls-3.6.3

Squash merging branch import/mbedtls-3.6.3.

83dd409f0591 ("Import mbedtls-3.6.3")
aa3df5be08de ("mbedtls: remove default include/mbedtls/config.h")
10d3d4

Squashed commit upgrading to mbedtls-3.6.3

Squash merging branch import/mbedtls-3.6.3.

83dd409f0591 ("Import mbedtls-3.6.3")
aa3df5be08de ("mbedtls: remove default include/mbedtls/config.h")
10d3d445f46f ("mbedtls: configure mbedtls to reach for config")
03fd7670bc8e ("libmbedtls: make mbedtls_mpi_mont*() available")
134b0c7c7577 ("libmbedtls: add mbedtls_mpi_init_mempool()")
84a14c2a9e2a ("libmedtls: mpi_miller_rabin: increase count limit")
5e39a372b06e ("libmbedtls: add interfaces in mbedtls for context memory operation")
d5f89f104e2f ("libmbedtls: fix no CRT issue")
7efbd8164a57 ("libmbedtls: add SM2 curve")
ef671e650a67 ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
dd7fe0899a74 ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
2ff56f350a3e ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
63b52087554b ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
1a615e16f58a ("libmbedtls: allow inclusion of arm_neon.h")
3de987540e82 ("libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MBEDTLS_UNSAFE_MODEXP")
878995ea5dee ("libmbedtls: use mempool_calloc() for temporary memory")
0a7b758bcd12 ("libmbedtls: fix build warning related to deprecated DTLS connect ID")
e7332889098e ("libmbedtls: libmbedtls: sync with DTLS connect ID build fix")

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

pta: stats: add field for fragmentation metric

Add the field free2sum to struct pta_stats_alloc to enable xtest to
calculate fragmenation metric for the heap.

Signed-off-by: Jens Wiklander <jens.wi

pta: stats: add field for fragmentation metric

Add the field free2sum to struct pta_stats_alloc to enable xtest to
calculate fragmenation metric for the heap.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

libutils: bget: add free2_sum to struct bpoolset

Add the field free2_sum to struct bpoolset to be used to calculate a
metric for heap fragmentation. The value is calculated and kept up to
date when

libutils: bget: add free2_sum to struct bpoolset

Add the field free2_sum to struct bpoolset to be used to calculate a
metric for heap fragmentation. The value is calculated and kept up to
date when compiled with statistics (CFG_WITH_STATS=y) enabled. See
xtest and [1] for how to use the new field.

Link: https://asawicki.info/news_1757_a_metric_for_memory_fragmentation [1]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutils: avoid unneeded zero init in realloc()

In raw_malloc_flags(), remove the special case for user space where
memory is always zero initialized regardless of MAF_ZERO_INIT. This
removes a case

libutils: avoid unneeded zero init in realloc()

In raw_malloc_flags(), remove the special case for user space where
memory is always zero initialized regardless of MAF_ZERO_INIT. This
removes a case of unneeded zero init for realloc().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

libutee: fix __utee_tcb_init()

Replace realloc() calls with calls to malloc_flags() to make sure that
newly allocated memory is zero initialized.

Fixes: 9d224046e710 ("ldelf, libutee: add minimal T

libutee: fix __utee_tcb_init()

Replace realloc() calls with calls to malloc_flags() to make sure that
newly allocated memory is zero initialized.

Fixes: 9d224046e710 ("ldelf, libutee: add minimal Thread Local Storage support")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...