| ede83d72 | 02-May-2022 | Jerome Forissier <jerome.forissier@linaro.org> |
libutee: fix value of TEE_ECC_CURVE_SM2
The GlobalPlatform TEE Internal Core API specification v1.3 has the following text:
In TEE Internal Core API v1.2 and v1.2.1, TEE_ECC_CURVE_25519 and TEE_ECC_CURVE_SM2 were incorrectly assigned the same identifier.
Indeed, both were 0x00000300. In v1.3, TEE_ECC_CURVE_SM2 is now 0x00000400. Update the code accordingly.
This is an API and ABI change, but note that this value is used only in TEE_IsAlgorithmSupported(). Therefore, only TAs that dynamically check for algorithm support at runtime may be impacted.
This change was tested on QEMUv8 by running "old" TAs (built without this commit) with a "newer" OP-TEE OS (including this commit), that is:
- 'make run' and run 'xtest'
- apply this change
- 'make arm-tf && make run-only' and run 'xtest' again.
No errors.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| f21d4ead | 04-May-2022 | Jens Wiklander <jens.wiklander@linaro.org> |
libutils: fix MTE error in realloc()
With memory tagging, realloc() should only untag the old buffer if the allocation of a new buffer is successful.
The implementation of realloc() prior to this patch is based on bgetr(). This is not so convenient with MTE enabled since the old buffer must be untagged before calling bgetr(). If realloc() fails the memory tags must be restored, but this was not done.
Restoring the tags is made somewhat more complicated by the fact that the size reported by bget_buf_size() may actually be larger than the size of the tagged buffer. Memalign() is sometimes forced to allocate buffers larger than requested in order to honor the requested alignment.
So instead of using bgetr(), realloc() is implemented using bget(), memcpy(), memset() and brel() as needed. This is the same thing that bgetr() did, except that the old buffer is not untagged until a new buffer has been successfully allocated.
Fixes: 08a5c4f9ae42 ("libutils: add MTE support in malloc() and friends")
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a gp_20056)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| 08a5c4f9 | 12-Apr-2022 | Jens Wiklander <jens.wiklander@linaro.org> |
libutils: add MTE support in malloc() and friends
Adds support for memory tagging using the hardware-assisted Armv8.5-A Memory Tagging Extension in malloc() and friends.
When allocating memory, the acquired memory range is tagged and a special pointer with the tag coded in the top bits of the pointer is returned. Accessing this memory without the coded tag will result in a Tag Check Exception.
MTE is enabled for both OP-TEE core and TAs at the same time with CFG_MEMTAG=y.
When the memory is freed it's untagged again. All accesses to heap memory using old/stale pointers will be caught. This is an efficient method to catch use-after-free and buffer overruns on the heap. The buffer overruns are limited in granularity to blocks of 16 bytes. However, the heap itself is also managed in blocks of 16 bytes, so smaller buffer overruns will not damage the heap.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| a0e8ffe9 | 04-Apr-2022 | Jens Wiklander <jens.wiklander@linaro.org> |
core: add support for MTE
Adds support for the Armv8.5-A Memory Tagging Extension with CFG_MEMTAG=y.
A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n the API doesn't add any overhead and the behaviour is unchanged. With CFG_MEMTAG=y a check is performed to see if the platform can support MTE and the API is dynamically configured accordingly. This means that it's safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There will be some minimal overhead then, but likely not noticeable.
An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32 property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The property is set to a non-zero value only if CFG_CORE_MEMTAG is configured and the underlying CPU supports FEAT_MTE.
This commit still only uses the default tag with the value 0, resulting in unchanged pointers when accessing memory. However, all plumbing is in place allowing for instance tagging of the heap in a later commit.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| 5cc08985 | 29-Apr-2022 | Jens Wiklander <jens.wiklander@linaro.org> |
libutee: arm64: add read_dczid_el0()
Adds read_dczid_el0() to read the Data Cache Zero ID register.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| 466162e2 | 12-Apr-2022 | Jens Wiklander <jens.wiklander@linaro.org> |
libutils: refactor heap tagging
Refactors the heap tagging with CFG_CORE_SANITIZE_KADDRESS to use two new hooks, maybe_tag_buf() and maybe_untag_buf().
maybe_tag_buf() is called from raw_malloc_return_hook(), which is called after bget(). maybe_untag_buf() is called before brel() is called.
This removes some of the local modifications to bget.c.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| f0ef3bea | 26-Apr-2022 | Sumit Garg <sumit.garg@linaro.org> |
ftrace: Refactor ftrace buffer dump implementation
The current implementation does a lot of tricky bits with the ftrace buffer pointer. It also leads to false-positive -Warray-bounds warnings with the GCC 11.2 toolchain. So refactor it to use array indexes instead. Also, move hardcoded ftrace line sizes to macros for better understanding.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)
| d783b681 | 19-Nov-2021 | Etienne Carriere <etienne.carriere@linaro.org> |
core: dt_driver: drivers to test probe deferral
Implements driver providers for some emulated resources (clocks and reset controllers), consumer drivers and an embedded test DTSI file to test the DT_DRIVER probe sequence.
The driver consumer runs a few tests and logs results locally. The result participates in the core self-test result reported by the PTA test interface.
One can test with vexpress platform flavors qemu_virt and qemu_v8 using, for example, the build instruction below:
  make PLATFORM=vexpress-qemu_virt \
       CFG_DT_DRIVER_EMBEDDED_TEST=y \
       CFG_EMBED_DTB_SOURCE_FILE=embedded_dtb_test.dts
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| 613122b1 | 09-Mar-2022 | Jerome Forissier <jerome@forissier.org> |
core: mbedtls: sm2: fix SM2 key generation
ecc_get_keysize() lacks a case for TEE_ECC_CURVE_SM2, which prevents the generation of an SM2 key pair. Fix this.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
| 5e5dcaf2 | 09-Mar-2022 | Jerome Forissier <jerome@forissier.org> |
core: mbedtls: add curve type to domain parameter group ID conversion
The MbedTLS functions mbedtls_ecp_group_load() and mbedtls_ecdsa_genkey() take a group ID parameter of type mbedtls_ecp_group_id, which is an enum (MBEDTLS_ECP_DP_SECP192R1, etc.). The code in lib/libmbedtls/core/ecc.c incorrectly passes a uint32_t TEE curve ID instead (TEE_ECC_CURVE_NIST_P192, etc.). By chance the values happen to be the same for all the NIST curves, but not for SM2. Fix that by introducing a conversion function.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
| e231582f | 09-Mar-2022 | Jerome Forissier <jerome@forissier.org> |
core: mbedtls: sm2: set curve by default when key type is SM2
crypto_asym_alloc_ecc_keypair() and crypto_asym_alloc_ecc_public_key() should set the curve field of the ecc_key structure to TEE_ECC_CURVE_SM2 when the key type is one of TEE_TYPE_SM2_{DSA,KEP,PKE}_KEYPAIR, because the user is not supposed to provide any TEE_ATTR_ECC_CURVE attribute, contrary to other ECC algorithms.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
| 7e05ec25 | 27-Oct-2021 | Jerome Forissier <jerome@forissier.org> |
core: pta: add remote attestation PTA
Add a PTA to perform remote attestation of user space TAs and TEE core memory. Enabled with CFG_ATTESTATION_PTA=y. Four commands are defined:
- PTA_ATTESTATION_GET_PUBKEY
Returns the public RSA key used to sign the measurements generated by the other commands. The key pair is generated on first call (any command) and saved to secure storage. It is therefore device-specific.
- PTA_ATTESTATION_GET_TA_SHDR_DIGEST
Returns the digest found in the secure header (struct shdr) of a TA or trusted shared library given its UUID.
- PTA_ATTESTATION_HASH_TA_MEMORY
This command must be called by a user space TA (not a CA). It computes a hash of the memory pages that belong to the caller and contain code or read-only data. This hash is therefore a runtime measurement of the TA execution environment, including shared libraries (if any). It can be used to remotely attest that the device is running untampered TA code.
- PTA_ATTESTATION_HASH_TEE_MEMORY
Returns a hash of the TEE OS core (.text and .rodata sections, less the small part of .text that may be modified at boot). Similar to PTA_ATTESTATION_HASH_TA_MEMORY, the hash is computed each time the command is called, so that the result reflects the actual memory content.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| 487f8cd2 | 01-Feb-2022 | Jerome Forissier <jerome@forissier.org> |
core: compiler.h: introduce __relrodata_unpaged(x)
Introduce the macro __relrodata_unpaged(x) to mark data that need to be unpaged and are essentially read-only but may contain relocations when ASLR is enabled, hence "relocatable read-only". When ASLR is turned off, the macro is identical to __rodata_unpaged(x). When ASLR is on, however, the data is emitted in section .data.rel.ro.__unpaged.x, which is later gathered by the linker file into the output section .data.rel.ro, which is mapped read-only at runtime (after relocations are processed) and is also unpaged (when the pager is enabled).
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| cea1eb0b | 09-Feb-2022 | Clément Léger <clement.leger@bootlin.com> |
pta: add PTA for RTC
On some systems, when the RTC is secured, there is no way for the normal world to access it. This PTA uses the RTC API to allow a Linux OP-TEE-based RTC driver to communicate with the RTC that is secured.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
| 9da55c8d | 23-Feb-2022 | Jerome Forissier <jerome@forissier.org> |
libutee: TEE_{Create,Open}PersistentObject() should accept NULL object ID
Passing a NULL objectId to TEE_CreatePersistentObject() or TEE_OpenPersistentObject() should be allowed as long as objectIdLen is zero. Indeed, a zero-size object identifier is valid as per the description of TEE_RenamePersistentObject(). In addition, "a Trusted Application SHALL NOT pass the NULL pointer in an [in] parameter, except perhaps if the buffer size is zero". Thus (NULL, 0) is valid.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| 4516e38d | 14-Feb-2022 | Jens Wiklander <jens.wiklander@linaro.org> |
assert.h: add static_assert
Adds the static_assert macro from C11.
Acked-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| 7124d497 | 28-Dec-2021 | Marouene Boubakri <marouene.boubakri@nxp.com> |
lib: libutils: compiler.h: set trailing comment according to target
In the GNU assembler the comment character is target specific. GNU AS for RISC-V complains that '/' is not recognized as a character; therefore, replace it with '#' to avoid errors.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
| ed227bc6 | 21-Dec-2021 | Marouene Boubakri <marouene.boubakri@nxp.com> |
lib: libutils: isoc: remove unused thread.h from bget_malloc.c
This commit removes thread.h from lib/libutils/isoc/bget_malloc.c since it is not used, but also to eliminate the dependency between generic library code and architecture-specific core functions.
Signed-off-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
| c6c416f1 | 10-Jan-2022 | Ruchika Gupta <ruchika.gupta@linaro.org> |
ldelf: strip PAC from TA addresses
When pointer authentication is enabled for TAs, the LR values saved on the stack will have a PAC, which must be stripped off when unwinding the stack.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| ad7aa2a5 | 06-Jan-2022 | Sadiq Hussain <sadiq.muchumarri@intel.com> |
libutee: Panic when IV is provided for ECB modes
Ideally, the ECB mode doesn't need an IV at all. The GlobalPlatform spec says "IV required: No" for the algorithms that use this mode (Table 6-6b).
So, in order to be aligned with the requirement of the spec, the implementation can panic when an IV is provided for ECB modes.
Signed-off-by: Sadiq Hussain <sadiq.muchumarri@intel.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
| a51d45b5 | 17-Dec-2021 | Jens Wiklander <jens.wiklander@linaro.org> |
libutils: mempool based raw malloc functions
Instead of the old stack-like internal memory allocator, use the raw malloc functions for more efficient memory usage.
CFG_WITH_STATS is enabled automatically if CFG_MEMPOOL_REPORT_LAST_OFFSET is enabled, to secure a new dependency in the code.
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| 680bc37c | 17-Dec-2021 | Jens Wiklander <jens.wiklander@linaro.org> |
libutils: export raw malloc functions
Exports raw_{memalign,malloc,free,calloc,realloc}() and also adds raw_malloc_get_ctx_size(), raw_malloc_init_ctx(), raw_malloc_add_pool() and raw_malloc_get_stats().
This allows using the malloc functions to allocate from an independent memory pool.
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
| b224894f | 21-Dec-2021 | Sumit Garg <sumit.garg@linaro.org> |
libutils: provide __sprintf_chk implementation
While building optee_test CXX test-cases natively on aarch64, the OP-TEE build relies on the toolchain provided by buildroot. The buildroot toolchain is built with the flag -fstack-protector-strong, which requires the __sprintf_chk symbol provided by standard glibc. For OP-TEE we use a customized libc, which leads to the error below:
  ...
  CC      out/init.o
  CC      out/os_test.o
  CC      out/ta_entry.o
  CXX     out/cxx_tests.o
  CC      out/user_ta_header.o
  CPP     out/ta.lds
  LD      out/5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.elf
  /home/sumit/optee_br/build/../toolchains/aarch64/bin/aarch64-linux-ld.bfd: /home/sumit/optee_br/toolchains/aarch64/bin/../lib/gcc/aarch64-buildroot-linux-gnu/10.3.0/../../../../aarch64-buildroot-linux-gnu/lib/../lib64/libstdc++.a(cp-demangle.o): in function `d_append_num':
  cp-demangle.c:(.text+0x830): undefined reference to `__sprintf_chk'
  ...
Fix this issue by providing a __sprintf_chk implementation.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
| 30e743f6 | 13-Dec-2021 | Ruchika Gupta <ruchika.gupta@linaro.org> |
lib: libutils: Use ret for longjmp with Clang and BTI
longjmp uses br instead of ret to jump to the target. Thus the target location should have the right BTI landing pad to handle this. clang has a bug [1] and doesn't add the BTI after setjmp, causing an exception when BTI is enabled. This works well with gcc [2] and can be tested when compiling xtests with WITH_CXX_TESTS=n. To avoid the exception, use ret instead of br with clang and BTI.
[1] - https://bugs.llvm.org/show_bug.cgi?id=49544
[2] - https://gcc.gnu.org/legacy-ml/gcc-patches/2018-11/msg02472.html
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
| 181f8492 | 06-Dec-2021 | Ruchika Gupta <ruchika.gupta@linaro.org> |
Generate ELF Note for BTI in all arm64 asm files
Add a program property note section in the assembly files to ensure that when linking them, the program property note section is generated in the final ELF.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>