ta: enable ubsan support for TAs

Introduce CFG_TA_SANITIZE_UNDEFINED config to sanitize trusted
applications. If CFG_TA_SANITIZE_UNDEFINED is set sanitize flags are
propagated to internal TAs (avb,

ta: enable ubsan support for TAs

Introduce CFG_TA_SANITIZE_UNDEFINED config to sanitize trusted
applications. If CFG_TA_SANITIZE_UNDEFINED is set sanitize flags are
propagated to internal TAs (avb, pkcs11, remoteproc, trusted_keys) and
external TAs, which are built with the devkit.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ldelf: enable ubsan support

Ubsan support was previously limited to core code. This commit moves the
ubsan runtime implementation to libutils, making it available for ldelf
and trusted applications.

ldelf: enable ubsan support

Ubsan support was previously limited to core code. This commit moves the
ubsan runtime implementation to libutils, making it available for ldelf
and trusted applications.

As a result, ldelf will now be built with ubsan support when
CFG_CORE_SANITIZE_UNDEFINED is enabled.

Additionally, to avoid potential infinite recursion, ubsan
instrumentation is explicitly disabled for ubsan.c.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

Move base64.{c,h} from libutee to libutils

Make the base64 routines publicly available by moving them from libutee
to libutils. The _ prefix is removed from the public functions since
they aren't in

Move base64.{c,h} from libutee to libutils

Make the base64 routines publicly available by moving them from libutee
to libutils. The _ prefix is removed from the public functions since
they aren't internal to libutee any longer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutils: add array helpers

Add helper function() to insert and remove an element from an array. The
helper functions shifts the elements in the array as needed to make room
or fill a room of an ele

libutils: add array helpers

Add helper function() to insert and remove an element from an array. The
helper functions shifts the elements in the array as needed to make room
or fill a room of an element at a certain position.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutils: qsort helper for standard types

Add qsort_int(), qsort_uint(), qsort_u32() and friends as qsort() helper
functions to sort standard typed arrays.

Signed-off-by: Etienne Carriere <etienne.

libutils: qsort helper for standard types

Add qsort_int(), qsort_uint(), qsort_u32() and friends as qsort() helper
functions to sort standard typed arrays.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: add stubs for pthread functions

When building with GCC 11.3.1 [1], the linker reports undefined symbols
in the C++ test TA:

$ make 2>&1 | grep -E "(in function|undefined reference)" | se

libutils: add stubs for pthread functions

When building with GCC 11.3.1 [1], the linker reports undefined symbols
in the C++ test TA:

$ make 2>&1 | grep -E "(in function|undefined reference)" | sed 's@.*/@@'
libstdc++.a(eh_alloc.o): in function `(anonymous namespace)::pool::free(void*) [clone .constprop.0]':
gthr-default.h:749: undefined reference to `pthread_mutex_lock'
gthr-default.h:779: undefined reference to `pthread_mutex_unlock'
libstdc++.a(eh_alloc.o): in function `(anonymous namespace)::pool::allocate(unsigned long) [clone .constprop.0]':
gthr-default.h:749: undefined reference to `pthread_mutex_lock'
gthr-default.h:779: undefined reference to `pthread_mutex_unlock'
libgcc_eh.a(unwind-dw2-fde-dip.o): in function `__gthread_mutex_lock':
gthr-default.h:749: undefined reference to `pthread_mutex_lock'
libgcc_eh.a(unwind-dw2-fde-dip.o): in function `__gthread_mutex_unlock':
gthr-default.h:779: undefined reference to `pthread_mutex_unlock'
[more of the same follow]

To fix that issue, introduce no-op stubs as weak symbols in libutils.
Doing so is valid because TAs are single threaded and non-reentrant.

Link: [1] https://developer.arm.com/-/media/Files/downloads/gnu/11.3.rel1/binrel/arm-gnu-toolchain-11.3.rel1-x86_64-aarch64-none-linux-gnu.tar.xz
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at leas

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at least improve the situation.

These routines focus on verifying that a function has been called and
that the returned value matches the result from the function. This is
done by having a handshake between the caller and the callee where also
the return value is transmitted in a separate channel.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

lib: libutils: ext/isoc: sub.mk: make sources path platform generic

The path to platform specific code is hard-coded. This commit
changes it to use defined variable. This is helpful in case
of porti

lib: libutils: ext/isoc: sub.mk: make sources path platform generic

The path to platform specific code is hard-coded. This commit
changes it to use defined variable. This is helpful in case
of porting OP-TEE OS to a new architecture such we make
maximum reuse of existing sources.

Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ftrace: move ftrace code from libutee to libutils

Since TEE core and TA can share most of ftrace library code, so move
ftrace code from libutee to libutils library which is shared among TEE
core and

ftrace: move ftrace code from libutee to libutils

Since TEE core and TA can share most of ftrace library code, so move
ftrace code from libutee to libutils library which is shared among TEE
core and TA.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

libutils: add memzero_explicit()

Adds a new function: memzero_explicit(s, count) which is equivalent to
memset(s, 0, count) except that it cannot be optimized away by the
compiler.

memset() being a

libutils: add memzero_explicit()

Adds a new function: memzero_explicit(s, count) which is equivalent to
memset(s, 0, count) except that it cannot be optimized away by the
compiler.

memset() being a built-in function, the compiler is free to perform
optimizations such as simply discarding a call when it considers that the
call cannot have any observable effect from the program's point of view.
A typical example is clearing local data before returning from a
function. memset() is likely to have no effect in this case while
memzero_explicit() will work as expected.

Calling memset() directly from memzero_explicit() would work as long as
link time optimization (LTO) is not applied. With LTO however, the
compiler could inline the call to memzero_explicit() and find out that
dead store optimization applies. In order to avoid that, we use a method
mentioned in [1] which consists in using a volatile function pointer.
This method is considered "effective in practice" with all the commonly
used compilers.

Link: [1] https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-yang.pdf
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit remove

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit removes buf_compare_ct(). A compatibility wrapper is kept
in <string_ext.h> to avoid knowingly breaking the build of any TA that
may use it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() fun

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() function,
which has only two possible outcomes (zero or non-zero), the new function
is a direct replacement for memcmp() because it returns three possible
states (< 0, 0, > 0).

Link: [1] http://bk.ntp.org/ntp-stable/lib/isc/tsmemcmp.c
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: add nex_strdup() function

This is the same as strdup() but it uses nex_malloc(), so
it can be used in nexus part of OP-TEE.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Revie

libutils: add nex_strdup() function

This is the same as strdup() but it uses nex_malloc(), so
it can be used in nexus part of OP-TEE.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: add mempool API

Adds mempool.h with an API suitable for allocating short-lived object.
Based on the internal counterpart in libmpa. This is needed to integrate
other bignum implementations

libutils: add mempool API

Adds mempool.h with an API suitable for allocating short-lived object.
Based on the internal counterpart in libmpa. This is needed to integrate
other bignum implementations.

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: add atomic_inc32() and atomic_dec32()

Adds atomic increment and decrement for uint32_t implemented without
privileged instructions.

Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tes

libutils: add atomic_inc32() and atomic_dec32()

Adds atomic increment and decrement for uint32_t implemented without
privileged instructions.

Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU, FVP, Juno)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: add %pUl format for UUIDs

The debug traces in tee_ta_manager.c do not show the last 8 bytes of
the TA UUIDs, which makes the output confusing sometimes.
This commit adds support for a new

libutils: add %pUl format for UUIDs

The debug traces in tee_ta_manager.c do not show the last 8 bytes of
the TA UUIDs, which makes the output confusing sometimes.
This commit adds support for a new printf format for little-endian
encoded UUIDs: %pUl, and uses it in tee_ta_manager.c. For example:

TEE_UUID uuid;
DMSG("UUID: %pUl", (void *)&uuid);

...will print something like:

[...] UUID: cb3e5ba0-adf1-11e0-998b0002a5d5c51b

The new format is available when using the trace macros or the new
functions: snprintk(), vsnprintk() declared in <printk.h>.
But, snprintf() and vsnprintf() are not modified in order not to break
standard compliance.

This format is taken from the Linux kernel [1].

[1] https://www.kernel.org/doc/Documentation/printk-formats.txt

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>

show more ...

Merge tee_{core,uta}_trace.h into libutil

Merges tee_core_trace.h and tee_uta_trace.h into a common trace.h
in libutil. Since the trace functions now resides libutil they have
to rely on core and li

Merge tee_{core,uta}_trace.h into libutil

Merges tee_core_trace.h and tee_uta_trace.h into a common trace.h
in libutil. Since the trace functions now resides libutil they have
to rely on core and libutee to provide functions to print to the
log device.

* Keeps compatible interface from tee_kta_trace.h
* Adds TAMSG() and TAMSG_RAW() to log TA related events
* Removes the TRACE_ALWAYS level

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU virt platform)
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Add constant time buf_compare_ct function

This patch adds a constant time memory compare function that mitigates
timing attacks. This patch also fixes three locations where this could
be a problem.

Add constant time buf_compare_ct function

This patch adds a constant time memory compare function that mitigates
timing attacks. This patch also fixes three locations where this could
be a problem.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

Open-source the TEE Core

Signed-off-by: Pascal Brand <pascal.brand@st.com>