99627206 | 09-Nov-2024 | Vincent Mailhol <mailhol.vincent@wanadoo.fr>
compiler.h: only use __no_stack_protector if supported by the compiler
The __attribute__((no_stack_protector)) was introduced in GCC 11. Building a TA with a version of GCC older than that would trigger a -Wattributes warning on the ta/user_ta_header.c file.
Use __has_attribute() to check support of the no_stack_protector attribute before using it. If not supported, define the __no_stack_protector alias as a NOP.
Fixes: e3fb2bd005f0 ("compiler.h: add __no_stack_protector")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

e3fb2bd0 | 20-Sep-2024 | Jerome Forissier <jerome.forissier@linaro.org>
compiler.h: add __no_stack_protector
Add the __no_stack_protector macro as an alias for __attribute__((no_stack_protector)), which prevents the generation by the compiler of the stack protection code.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Khoa Hoang <admin@khoahoang.com>

2a8dfb45 | 23-Aug-2023 | Jerome Forissier <jerome.forissier@linaro.org>
compiler.h: add __inhibit_loop_to_libcall
Introduce __inhibit_loop_to_libcall, which allows disabling a specific compiler optimization that detects and replaces some open-coded loops with standard library calls (typically: memcpy() and memset()).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

750c544c | 17-May-2023 | Yuegui He <yuegui.he@amlogic.com>
libutils: Disable stack protector for __aeabi_uidivmod/__aeabi_idivmod
Some toolchains build optee_os with "-fstack-protector-strong", but the generated code adds "check stack" operations after the "ret_idivmod_values", which overwrite the r1 value.
So __aeabi_uidivmod/__aeabi_idivmod will get an error value.
Link: https://github.com/OP-TEE/optee_os/issues/6007
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Yuegui He <yuegui.he@amlogic.com>

b76b2296 | 03-Feb-2023 | Jerome Forissier <jerome.forissier@linaro.org>
virt: rename CFG_VIRTUALIZATION to CFG_NS_VIRTUALIZATION
With the advent of virtualization support at S-EL2 in the Armv8.4-A architecture, CFG_VIRTUALIZATION has become ambiguous. Let's rename it to CFG_NS_VIRTUALIZATION to indicate more clearly that it is about supporting virtualization on the non-secure side.
This commit is the result of the following command:
  $ for f in $(git grep -l -w CFG_VIRTUALIZATION); do \
      sed -i -e 's/CFG_VIRTUALIZATION/CFG_NS_VIRTUALIZATION/g' $f; \
    done
...plus the compatibility line in mk/config.mk:
  CFG_NS_VIRTUALIZATION ?= $(CFG_VIRTUALIZATION)
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

4afd9f03 | 01-Sep-2022 | Jorge Ramirez-Ortiz <jorge@foundries.io>
libutils: compiler.h: introduce __alias(x)
Improve readability with an __alias definition. Supports the __weak __alias("g") use case
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

487f8cd2 | 01-Feb-2022 | Jerome Forissier <jerome@forissier.org>
core: compiler.h: introduce __relrodata_unpaged(x)
Introduce macro __relrodata_unpaged(x) to mark data that need to be unpaged and are essentially read-only but may contain relocations when ASLR is enabled, hence "relocatable read-only". When ASLR is turned off, the macro is identical to __rodata_unpaged(x). When ASLR is on however, the data is emitted in section .data.rel.ro.__unpaged.x which is later gathered by the linker file into the output section .data.rel.ro which is mapped read only at runtime (after relocations are processed) and is also unpaged (when pager is enabled).
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

4516e38d | 14-Feb-2022 | Jens Wiklander <jens.wiklander@linaro.org>
assert.h: add static_assert
Adds the static_assert macro from C11.
Acked-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

7124d497 | 28-Dec-2021 | Marouene Boubakri <marouene.boubakri@nxp.com>
lib: libutils: compiler.h: set trailing comment according to target
In GNU assembler the comment character is target specific. GNU AS for risc-v complains about '/' not recognized as character, therefore, replace it with '#' to avoid errors.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

e2c577ca | 12-May-2021 | Jens Wiklander <jens.wiklander@linaro.org>
compiler.h: add __rodata_dummy macro
Adds the macro __rodata_dummy which places a symbol in the section ".rodata.dummy". This macro is intended to be used in the core/arch/arm/kernel/link_dummies_*.c files.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

27c64925 | 12-May-2021 | Jens Wiklander <jens.wiklander@linaro.org>
core: use separate sections for each __rodata_unpaged variable
Adds a mandatory argument to the macro __rodata_unpaged() to take the name of the variable to put in the unpaged rodata section. This will result in separate sections for each such variable and make it easier to debug the pruning of the dependency tree for unpaged sections.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

0887ca5f | 06-Oct-2020 | Jerome Forissier <jerome@forissier.org>
libutils: compiler.h: introduce fallthrough pseudo-keyword
Adds the fallthrough pseudo-keyword to be used in switch/case statements. Tested with GCC 6.2.1, 7.2.1, 8.2.1, 8.3.0, 9.2.1 and Clang 9.0.1 and 10.0.0.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

0bdc8233 | 04-Sep-2020 | Khoa Hoang <admin@khoahoang.com>
core: thread: add compiler barrier to thread_set_exceptions()
With the compiler optimizer enabled (-O2), the compiler generates invalid code for thread_get_id_may_fail(). The curr_thread read got reordered after the exceptions unmask.
Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

e2f03e07 | 04-Jun-2020 | Jerome Forissier <jerome@forissier.org>
core: add stack overflow detection
This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack limits using compiler instrumentation (-finstrument-functions). When enabled, the C compiler will insert entry and exit hooks in all functions in the TEE core. On entry, the stack pointer is checked and if an overflow is detected, panic() is called.
How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication of the root cause of the corruption which may have happened quite some time before. Running the test case again with a debugger attached and a watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler before the first canary check, for instance, during boot when the temporary stack is used. This code will likely catch such issues, too.
The downside is increased stack usage and a significant runtime overhead which is why this feature should be enabled only for troubleshooting.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

6ccd56ca | 16-Oct-2019 | Jens Wiklander <jens.wiklander@linaro.org>
Fix warning in fallback SUB_OVERFLOW() macro
Fixes two warnings for 'comparison of integers of different signs' in the __INTOF_SUB() helper macro used by the fallback SUB_OVERFLOW() macro.
Fixes: ecdedc94e720 ("util: update fallback SUB_OVERFLOW() macro")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

98d863a5 | 05-Jul-2019 | Jerome Forissier <jerome@forissier.org>
Experimental Clang support
Allows building with Clang with "make COMPILER=clang [other flags...]". The clang command has to be in the $PATH, as well as the associated tools (clang-cpp, ld.lld, llvm-ar, llvm-nm, llvm-objcopy and llvm-readelf).
Tested with Clang built from the master branch of [1] (development version for 9.0):
  mkdir build; cd build
  cmake -G Ninja -DCMAKE_BUILD_TYPE=Release \
    -DCMAKE_INSTALL_PREFIX=~/llvm-install \
    -DLLVM_ENABLE_PROJECTS="clang;lld" \
    -DLLVM_TARGETS_TO_BUILD="AArch64;ARM" \
    ~/llvm-project/llvm
  ninja && ninja install
Limitations:
- CFG_CORE_SANITIZE_KADDRESS=y is not supported.
- CFG_WITH_PAGER is supported, but requires that the TEE core be linked with the GNU linker. The reason is documented in mk/clang.mk.
Bug:
- ldelf assertion failure in xtest 1019 when CFG_ULIBS_SHARED=y (QEMU)
    E/LD: assertion 'maps[map_idx].sz == sz' failed at ldelf/ta_elf.c:1114 in ta_elf_print_mappings()
  Prevents ldelf from displaying the TA mappings on abort or panic, but does not seem to cause any other problem.
Link: [1] https://github.com/llvm/llvm-project/commits/8351c327647
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU pager/no pager)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8, pager/no pager)
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960, 32/64, GP)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

909c706c | 18-Sep-2019 | Etienne Carriere <etienne.carriere@linaro.org>
libutils: relax noreturn label
Replaces attribute label identifier noreturn with __noreturn__ to prevent conflicts when importing code which defines label noreturn itself as a macro. This change applies suggestion from the GCC documentation [1], applicable even prior to GCC 4.x.x, cited below.
> You may optionally specify attribute names with ‘__’ preceding
> and following the name. This allows you to use them in header
> files without being concerned about a possible macro of the same
> name. For example, you may use the attribute name __noreturn__
> instead of noreturn.
Link: [1] https://gcc.gnu.org/onlinedocs/gcc-8.3.0/gcc/Attribute-Syntax.html#Attribute-Syntax
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

e29072bd | 11-Sep-2019 | Jerome Forissier <jerome@forissier.org>
Revert "compiler.h: introduce GCC version check"
This reverts commit fc78b3ffc59ef03e599ae952b4345f03f466f11c and updates the comment in <compiler.h>.
It turns out not only GCC 8.x needs the workaround. I tried 4.9, 6.2, 8.2, and 8.3 from various sources (Linaro or Ubuntu). If __SECTION_FLAGS_RODATA is empty, this warning is always present:
  CC out/arm-plat-vexpress/core/mm/fobj.o
  {standard input}: Assembler messages:
  {standard input}:402: Warning: setting incorrect section attributes for .rodata.__unpaged
The generated assembler file contains the "aw" flags:
  $ grep '\.section.*\.rodata\.__unpaged' out/arm-plat-vexpress/core/mm/fobj.s
  .section .rodata.__unpaged,"aw",%progbits
By reverting the above commit, we have:
  $ grep '\.section.*\.rodata\.__unpaged' out/arm-plat-vexpress/core/mm/fobj.s
  .section .rodata.__unpaged,"a",%progbits //,"aw",%progbits
...and the assembler does not warn anymore.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

fc78b3ff | 10-Sep-2019 | Jerome Forissier <jerome@forissier.org>
compiler.h: introduce GCC version check
The macro __SECTION_FLAGS_RODATA introduced by commit fd1187725939 ("core: force read-only flag on .rodata.* sections") is needed for GCC >= 8, so it should depend on __GCC_VERSION. This prepares for Clang.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

53b7629f | 03-Sep-2019 | Volodymyr Babchuk <volodymyr_babchuk@epam.com>
core: don't use __bss and __data attributes
Manual placement in .data or .bss section breaks GCC Address Sanitizer, because it refuses to track variables that are stored in user sections, even if those sections are actually not user-defined, but generic .bss and .data.
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960, ASAN)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, GP, ASAN)

15216d4d | 06-Feb-2018 | Volodymyr Babchuk <vlad.babchuk@gmail.com>
virt: add nexus memory area
This patch is the first in a series of patches that split OP-TEE RW memory into two regions: nexus memory and TEE memory. Nexus memory will always be mapped and it will be used to store all data that is vital for OP-TEE core and is not bound to virtual guests.
TEE memory is memory that holds data specific to a certain guest. There will be a TEE memory bank for every guest and it will be mapped into OP-TEE address space only during a call from that guest.
This patch adds nexus memory and moves stacks into it. Also it provides __nex_bss and __nex_data macros, so one can easily set the right section for a variable.
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

7445d9ac | 13-Nov-2018 | Jerome Forissier <jerome.forissier@linaro.org>
Move __early_ta from <compiler.h> to <kernel/early_ta.h>
The __early_ta macro is used only in C files generated by scripts/ta_bin_to_c.py. There is no reason to have it defined in a widely used header like <compiler.h>.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

fd118772 | 12-Nov-2018 | Jerome Forissier <jerome.forissier@linaro.org>
core: force read-only flag on .rodata.* sections
This commit fixes a warning with GCC 8.2 that did not occur with GCC 6.2:
  $ make out/arm-plat-vexpress/core/arch/arm/kernel/user_ta.o
  CHK out/arm-plat-vexpress/conf.mk
  CHK out/arm-plat-vexpress/include/generated/conf.h
  CHK out/arm-plat-vexpress/core/include/generated/asm-defines.h
  CC out/arm-plat-vexpress/core/arch/arm/kernel/user_ta.o
  {standard input}: Assembler messages:
  {standard input}:4087: Warning: setting incorrect section attributes for .rodata.__unpaged
The message is printed as the assembler processes this code fragment, generated by the C compiler:
.section .rodata.__unpaged,"aw"
The older compiler (GCC 6.2) would generate instead:
.section .rodata.__unpaged,"a",%progbits
The problem with .rodata.__unpaged,"aw" is that the "w" (writeable) flag is not consistent with the section name (.rodata.*), which by convention is supposed to be read-only.
- The section name (".rodata.__unpaged") is given by our macro: __rodata_unpaged.
- The "w" flag is added by GCC, not sure why exactly. One reason [1] is when a relocatable binary is being generated and the structure contains relocatable data. But, we are not explicitly asking for a relocatable binary, so this might as well be a bug or counter-intuitive feature of the compiler.
Anyway, to avoid the warning, we need to fix the section flags. The section type (%progbits) is optional, it is deduced from the section name by default. %progbits indicates that the section contains data (i.e., is not empty).
Link: [1] https://gcc.gnu.org/ml/gcc/2004-05/msg01016.html
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

dc0f4ec2 | 16-May-2018 | Etienne Carriere <etienne.carriere@st.com>
Remove license notice from STMicroelectronics files
For a while now, the source files' license info has been defined by SPDX identifiers. We can safely remove the verbose license text from the files that are owned by either only STMicroelectronics or only both Linaro and STMicroelectronics.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

a94eb7ef | 15-May-2018 | Jerome Forissier <jerome.forissier@linaro.org>
util: remove unused macros
After commit 9a8117de1263 ("util: update fallback ADD_OVERFLOW() macro") and commit ecdedc94e720 ("util: update fallback SUB_OVERFLOW() macro"), the following macros are not used anymore. Remove them.
  __INTOF_HALF_MAX_SIGNED(type)
  __INTOF_MAX_SIGNED(type)
  __INTOF_MIN_SIGNED(type)
  __INTOF_MIN(type)
  __INTOF_MAX(type)
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>