commit 93b037ac | 01-Apr-2025 | Jens Wiklander <jens.wiklander@linaro.org>
libutee: TEE_Realloc(): avoid realloc()

TEE_Realloc() and realloc() have slightly different behaviour. TEE_Realloc() must zero initialize newly allocated memory while realloc() isn't expected to do that. So use malloc_flags() and raw_malloc_flags() with the MAF_ZERO_INIT flag to make sure that newly allocated memory is zero initialized.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

commit 76d6685e | 17-Dec-2024 | Etienne Carriere <etienne.carriere@foss.st.com>
tree-wide: use power-of-2 rounding macros where applicable

Use ROUNDUP2(), ROUNDUP2_OVERFLOW(), ROUNDUP2_DIV() and ROUNDDOWN2() at places where the rounding argument is a variable value and we want to leverage the implementation of these routines optimized for a power-of-2 rounding argument.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

commit da603884 | 20-Nov-2024 | Vincent Mailhol <mailhol.vincent@wanadoo.fr>
libutee: fix TEE_MemMove()'s return type

In all the published versions of the TEE Internal API Specification, the return type of TEE_MemMove() has always been void, not void *.

Fixes: b01047730e77 ("Open-source the TEE Core")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 09a77c98 | 24-Jul-2023 | Clement Faure <clement.faure@nxp.com>
lib: libutee: fix use after free

Make sure to call addr_is_in_no_share_heap() before freeing the buffer. This is a false positive as only the pointer value is used and not the memory freed.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

commit e64b7b2e | 09-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: add support for TEE_MALLOC_NO_SHARE

Adds support for the TEE_MALLOC_NO_SHARE hint to TEE_Malloc(). With this there is a check in TEE_OpenTASession() and TEE_InvokeTACommand() to see that buffers allocated with this flag are passed on to other TAs.

A second memory pool is added to be used for memory allocations using this flag. This means a new configuration variable, TA_NO_SHARE_DATA_SIZE, for user_ta_header.h. It's set to 0 by default, so by default nothing can be allocated using the TEE_MALLOC_NO_SHARE hint.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 30e5e0be | 09-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: check permissions on buffer passed to other TAs

In TEE Internal Core API Specification version 1.2 there is a passage in "4.9.4 Operation Parameters in the Internal Client API" that says that:

Where all or part of the referenced memory buffer was passed to the TA from the REE or from another TA, the implementation SHALL NOT result in downgrade of the security characteristics of the buffer.

That is, read-only memref buffers should not be passed on to other TAs as read/write. Fix this by adding the needed check in TEE_OpenTASession() and TEE_InvokeTACommand().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit c8bf6a25 | 08-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: Update TEE_CheckMemoryAccessRights()

Updates TEE_CheckMemoryAccessRights() to be more strict by taking passed memory parameters (memrefs) and heap allocations into account.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 1d0ed95a | 01-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: Update TEE_MemMove(), TEE_MemCompare() and TEE_MemFill()

Update TEE_MemMove(), TEE_MemCompare() and TEE_MemFill() according to TEE Internal Core API version 1.3.1. The size parameter is changed to use size_t instead of uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 11285ebc | 01-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: Update TEE_Malloc() and TEE_Realloc()

Update TEE_Malloc() and TEE_Realloc() according to TEE Internal Core API version 1.3.1. The size parameter is changed to use size_t instead of uint32_t. The hint parameter has two new values, TEE_MALLOC_NO_FILL and TEE_MALLOC_NO_SHARE.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit cd3a8cae | 01-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: Update TEE_CheckMemoryAccessRights()

Update TEE_CheckMemoryAccessRights() according to TEE Internal Core API version 1.3.1. The size parameter is changed to use size_t instead of uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 7509620b | 30-Nov-2022 | Jens Wiklander <jens.wiklander@linaro.org>
GP131: Update TEE_Param

Updates TEE_Param according to TEE Internal Core API version 1.3.1.

A compatibility type with a __GP11_ prefix is added for compatibility with version 1.1. The two API functions TEE_InvokeTACommand() and TEE_OpenTASession() are updated in a similar manner.

For the two TA entry functions TA_InvokeCommandEntryPoint() and TA_OpenSessionEntryPoint() we are implementing those directly in user_ta_header.c since it's compiled with the TA and can use conditionals based on __OPTEE_CORE_API_COMPAT_1_1.

These TA entry points call __ta_open_sess() and __ta_invoke_cmd() to convert TEE_Param to the compatibility __GP11_TEE_Param and then call the compatibility entry points __GP11_TA_OpenSessionEntryPoint() and __GP11_TA_InvokeCommandEntryPoint().

Supplying __GP11_TA_OpenSessionEntryPoint() and __GP11_TA_InvokeCommandEntryPoint() as function pointers ensures that libutee doesn't try to look up the compatibility entry points when not needed.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 32c75600 | 01-Dec-2022 | Jens Wiklander <jens.wiklander@linaro.org>
libutee: fix TEE_MemFill() return type

TEE_MemFill() has until this patch returned a void *, but the standard says it should return void. So fix this.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit a83ee50a | 07-Sep-2021 | Sadiq Hussain <sadiq.muchumarri@intel.com>
libutee: Handle zero sized buffer allocations

The GlobalPlatform TEE internal API specification mentions the following about zero sized buffer allocations: "The value returned is undefined but guaranteed to be different from NULL. The Trusted Application SHALL NOT access the returned pointer. The Trusted Application SHOULD panic if the memory pointed to by such a pointer is accessed for either read or write"

But, we would never observe a TA panic because a zero size is internally translated to 1 and finally to (2 * sizeof(long)) in the bget() function.

This patch handles this aspect so as to return a known non-NULL invalid pointer when the requested size is zero.

Signed-off-by: Sadiq Hussain <sadiq.muchumarri@intel.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

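The two allocation rules discussed in this history, the zero-fill requirement of TEE_Realloc() (commit 93b037ac at the top of the page) and the non-NULL invalid pointer for zero-sized requests (commit a83ee50a above), can be honoured on top of a plain C allocator. The following is an added illustration, not OP-TEE's libutee code: libutee uses malloc_flags()/raw_malloc_flags() with MAF_ZERO_INIT inside its own allocator, whereas this example keeps the live size in a header and builds the grown block from a freshly zeroed allocation. The header layout, the function names and the TA_ZERO_SIZE_PTR value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sentinel for zero-sized requests: non-NULL and never dereferenceable. */
#define TA_ZERO_SIZE_PTR ((void *)(uintptr_t)0x10)

/* Size header kept in front of every block so reallocation knows how much of the
 * old block is live data; max_align_t keeps the payload suitably aligned. */
typedef union { size_t size; max_align_t align; } ta_hdr_t;

void *ta_malloc_zeroed(size_t size)
{
    ta_hdr_t *h;
    if (size == 0)
        return TA_ZERO_SIZE_PTR;
    if (size > SIZE_MAX - sizeof(*h))
        return NULL;
    h = calloc(1, sizeof(*h) + size); /* calloc() zero-fills the whole block */
    if (!h)
        return NULL;
    h->size = size;
    return h + 1;
}

void ta_free(void *p)
{
    if (p && p != TA_ZERO_SIZE_PTR)
        free((ta_hdr_t *)p - 1);
}

/* TEE_Realloc()-style growth: bytes beyond the old size are guaranteed zero,
 * where a plain realloc() would expose whatever the allocator left there. */
void *ta_realloc_zeroed(void *p, size_t new_size)
{
    size_t old_size = (p && p != TA_ZERO_SIZE_PTR) ? ((ta_hdr_t *)p - 1)->size : 0;
    void *np;
    if (new_size == 0) {
        ta_free(p);
        return TA_ZERO_SIZE_PTR;
    }
    np = ta_malloc_zeroed(new_size);
    if (!np)
        return NULL; /* the old block stays valid and untouched on failure */
    if (old_size)
        memcpy(np, p, old_size < new_size ? old_size : new_size);
    ta_free(p);
    return np;
}

/* Scenario: 8 live bytes of 0xAA grown to 64; 1 if old data survived and the tail is zero. */
int grow_keeps_data_and_zeroes_tail(void)
{
    uint8_t *p = ta_malloc_zeroed(8), *np;
    int ok = 1;
    if (!p) return 0;
    memset(p, 0xAA, 8);
    np = ta_realloc_zeroed(p, 64);
    if (!np) { ta_free(p); return 0; }
    for (size_t i = 0; i < 64; i++)
        ok &= np[i] == (i < 8 ? 0xAA : 0x00);
    ta_free(np);
    return ok;
}
```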
commit 6915bbbb | 18-Jun-2020 | Jens Wiklander <jens.wiklander@linaro.org>
GP 1.1: Check parameters annotated in the specification

Checks that all the function parameters which are annotated in the specification [1] are compliant with regards to memory access and memory location. In case the check fails the TA panics to help debugging. The more precise and expensive checks can be disabled with CFG_TA_STRICT_ANNOTATION_CHECKS=n.

TEE_Realloc(), TEE_MemMove(), TEE_MemCompare(), TEE_MemFill() are skipped for performance reasons. The TA will instead die with a fatal exception if buffers supplied to these functions do not follow the annotation rules.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 2c028fde | 23-Jun-2020 | Jerome Forissier <jerome@forissier.org>
libutee, ldelf: add leading underscore to syscall wrappers

libutee defines assembler wrapper functions for each OP-TEE system call. These wrappers have a utee_ prefix. This commit adds a leading underscore so that the names cannot clash with user-defined symbols. Doing so is common practice for "system" libraries, as defined by the C standard in a set of requirements that can be summarized as follows (excerpt from the GNU libc documentation [1]):

[R]eserved names include all external identifiers (global functions and variables) that begin with an underscore (‘_’) and all identifiers regardless of use that begin with either two underscores or an underscore followed by a capital letter are reserved names. This is so that the library and header files can define functions, variables, and macros for internal purposes without risk of conflict with names in user programs.

The utee_*() wrappers are internal to OP-TEE and are not supposed to be called directly by TAs so this should not have any user-visible impact.

Link: [1] https://www.gnu.org/software/libc/manual/html_node/Reserved-Names.html
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

commit ef305e54 | 23-May-2019 | Jens Wiklander <jens.wiklander@linaro.org>
libutee: allocate temp secmem for invoke

Allocates temporary secure memory for buffers in TA private memory passed to invoke_command/open_session. This offloads the logic in TEE core which until now has allocated temporary secure memory as needed during TA to TA calls.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 65551e69 | 06-Feb-2019 | Jerome Forissier <jerome.forissier@linaro.org>
libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a difference is found in the compared buffers. The fact that the comparison is not constant time for a given buffer size can reveal information on the buffer content and lead to side-channel attacks. Although the GlobalPlatform TEE Internal Core API specification says nothing about this timing aspect, it is unsafe not to propose a constant time implementation to TAs. A member of the GP specification working group confirmed this in an informal discussion.

Therefore, replace memcmp() with consttime_memcmp() for constant time comparison. If a TA needs the fastest possible buffer comparison it can call the C library function memcmp() (from <string.h>), which we provide in libutils.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

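To make the leak this commit describes concrete, here is an added example (not OP-TEE's consttime_memcmp() or TEE_MemCompare() code): an early-exit comparison with memcmp()'s shape next to a branch-free one, each reporting how many byte positions it examined when a constructed 16-byte secret is compared against a guess that is wrong at a single position. The function names and the sample secret are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Early-exit comparison with the stop-at-first-difference shape of memcmp().
 * *steps receives how many byte positions were examined: it grows with the
 * length of the matching prefix, which is the timing leak the commit removes. */
int early_exit_compare(const void *b1, const void *b2, size_t n, size_t *steps)
{
    const uint8_t *c1 = b1, *c2 = b2;
    for (size_t i = 0; i < n; i++) {
        if (c1[i] != c2[i]) {
            *steps = i + 1;
            return c1[i] < c2[i] ? -1 : 1;
        }
    }
    *steps = n;
    return 0;
}

/* Branch-free lexicographic comparison: every byte is visited and the work per
 * byte does not depend on the data. Returns <0, 0 or >0 like TEE_MemCompare().
 * Illustrative only; not OP-TEE's consttime_memcmp(). */
int constant_time_compare(const void *b1, const void *b2, size_t n, size_t *steps)
{
    const uint8_t *c1 = b1, *c2 = b2;
    uint32_t lt_seen = 0, gt_seen = 0, done = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t a = c1[i], b = c2[i], x = a ^ b;
        uint32_t differ = (x | (0u - x)) >> 31; /* 1 iff a != b */
        uint32_t first = differ & (done ^ 1u);  /* 1 only at the first difference */
        uint32_t lt = (a - b) >> 31;            /* 1 iff a < b (unsigned wrap) */
        lt_seen |= first & lt;
        gt_seen |= first & (lt ^ 1u);
        done |= differ;
    }
    *steps = n;
    return (int)gt_seen - (int)lt_seen;
}

/* Wrapper with the TEE_MemCompare() shape. */
int ct_cmp(const void *b1, const void *b2, size_t n)
{
    size_t steps;
    return constant_time_compare(b1, b2, n, &steps);
}

/* Constructed 16-byte "secret" compared against a guess that differs only at
 * diff_pos. Returns how many byte positions the chosen routine examined. */
size_t steps_for_guess(int use_constant_time, size_t diff_pos)
{
    static const char secret[16] = "opteekey-sample";
    uint8_t guess[16];
    size_t steps = 0;
    memcpy(guess, secret, sizeof(guess));
    guess[diff_pos % sizeof(guess)] ^= 0x01;
    if (use_constant_time)
        constant_time_compare(secret, guess, sizeof(guess), &steps);
    else
        early_exit_compare(secret, guess, sizeof(guess), &steps);
    return steps;
}
```

With the early-exit routine the step count reveals the position of the first wrong byte, so an attacker measuring time can confirm one byte at a time; the branch-free routine always reports 16.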
commit dc0f4ec2 | 16-May-2018 | Etienne Carriere <etienne.carriere@st.com>
Remove license notice from STMicroelectronics files

For a while now, the source files' license info has been defined by SPDX identifiers. We can safely remove the verbose license text from the files that are owned by either only STMicroelectronics or only both Linaro and STMicroelectronics.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 96c1d8c5 | 24-Apr-2018 | Jens Wiklander <jens.wiklander@linaro.org>
ta: TEE_Malloc() and friend: skips layers

Prior to this patch TEE_Malloc(), TEE_Realloc() and TEE_Free() were using two extra layers implemented on top of the well known malloc(), realloc(), calloc() and free() functions. With this patch the extra layers are skipped.

When compiled for user TAs realloc() clears all memory that otherwise would be uninitialized memory since it's required by the spec [1] if TEE_Malloc() is called with the hint TEE_MALLOC_FILL_ZERO. Since that's the only recognized hint in the spec realloc() assumes that it's always needed.

[1] GP TEE Internal Core API Specification v1.1

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit c0ce02ed | 24-Apr-2018 | Jens Wiklander <jens.wiklander@linaro.org>
TEE_Realloc(): fix invalid declaration

Prior to this, TEE_Realloc() was declared as:

    void *TEE_Realloc(const void *buffer, uint32_t newSize);

This does not make sense as the argument buffer can and will be changed as a result of calling this function. Instead fix the declaration to be:

    void *TEE_Realloc(void *buffer, uint32_t newSize);

This is also more in line with realloc().

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 1bb92983 | 15-Dec-2017 | Jerome Forissier <jerome.forissier@linaro.org>
Add SPDX license identifiers

Adds one SPDX-License-Identifier line [1] to each source file that contains license text.

Generated by [2]: spdxify.py --add-spdx optee_os/

The scancode tool [3] was used to double check the license matching code in the Python script. All the licenses detected by scancode are either detected by spdxify.py, or have no SPDX identifier, or are false matches.

Link: [1] https://spdx.org/licenses/
Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py
Link: [3] https://github.com/nexB/scancode-toolkit
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

commit 8f07fe6f | 30-Jan-2017 | Jerome Forissier <jerome.forissier@linaro.org>
libutee: API: add 'const' qualifiers

As per the GlobalPlatform Internal Core API Specification v1.1, section 3.4 Parameter Annotations: "[...] the [in], [inbuf], [instring], [instringopt], and [ctx] annotations can make use of the const C keyword [...] the C header file of a compliant Implementation SHOULD use the const keyword when these annotations appear."

Note that the TA entry points: TA_OpenSessionEntryPoint(), TA_CloseSessionEntryPoint() and TA_InvokeCommandEntryPoint() are unchanged to avoid breaking existing code (not worth it).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

commit b36311ad | 30-Jan-2017 | Jerome Forissier <jerome.forissier@linaro.org>
libutee: preserve error code when calling TEE_Panic()

On many occasions, libutee calls TEE_Panic(0) to kill a TA. When an error status from a lower layer is available, it is much more helpful to pass it instead of zero, because the code is shown in the debug traces.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

commit 68540524 | 02-Nov-2016 | Igor Opaniuk <igor.opaniuk@linaro.org>
core/libutee: perform cleanup for magic "4"

Perform cleanup for the magic "4" constant that represents the number of TEE params.

Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

commit e86f1266 | 05-Nov-2015 | Jens Wiklander <jens.wiklander@linaro.org>
Make TEE Core TA interaction 64-bit compatible

* Updates TA entry
* Update ta_head
* Updates the syscall interface
* Adds functions to make a short pointer (32-bit uref) from a kernel pointer and vice versa

Note that this change is not backwards compatible, TAs need to be recompiled.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>