libutils: export PRIxVA_WIDTH and add PRIxPA_WIDTH

Export two macros that are useful to print virtual or physical addresses
with the full width required by the native type, that is, 0x + 8
character

libutils: export PRIxVA_WIDTH and add PRIxPA_WIDTH

Export two macros that are useful to print virtual or physical addresses
with the full width required by the native type, that is, 0x + 8
characters when the pointer size is 32 bits, and 0x + 16 characters when
it is 64 bits.

Example:

vaddr_t va = 0x1234;

DMSG("va=0x%0*" PRIxVA, PRIxVA_WIDTH, va);

The above code will print "va=0x00001234" if vaddr_t is 32 bits, and
"va=0x0000000000001234" if vaddr_t is 64 bits.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix off-by-one errors in base64_dec()

There is a possible buffer overflow in base64_dec(). Since the output
buffer size is *blen, the last byte of the buffer is buf[*blen - 1] and
therefore

libutee: fix off-by-one errors in base64_dec()

There is a possible buffer overflow in base64_dec(). Since the output
buffer size is *blen, the last byte of the buffer is buf[*blen - 1] and
therefore the buffer must not be written to when the current index m is
such that (m >= *blen), not (m > *blen).

Reported-by: Naveen Thenkani <tnaveenmca@gmail.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

libutee: lessen dependency on mbedtls internals

Until now tee_api_arith_mpi.c assumed that for instance
TEE_BigIntConvertFromOctetString() wouldn't do a
mbedtls_mpi_free(mpi);
mbedtls_mpi_init(mpi);

libutee: lessen dependency on mbedtls internals

Until now tee_api_arith_mpi.c assumed that for instance
TEE_BigIntConvertFromOctetString() wouldn't do a
mbedtls_mpi_free(mpi);
mbedtls_mpi_init(mpi);
sequence on the supplied mpi argument. Doing so replaces the special
allocation type MBEDTLS_MPI_ALLOC_TYPE_STATIC with
MBEDTLS_MPI_ALLOC_TYPE_MALLOC. This results in the value of the mpi
argument isn't propagated further to the dest argument of
TEE_BigIntConvertFromOctetString().

With this patch we're instead explicitly copying the value of
mbedtls_mpi to a TEE_BigInt when the value should be returned.

This patch is also needed when upgrading to mbedtls-2.16 or there will
be errors.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix deprecated TA_FLAG_REMAP_SUPPORT inline comment

Update inline comment and value for the deprecated TA flag
TA_FLAG_REMAP_SUPPORT.

Signed-off-by: Etienne Carriere <etienne.carriere@lina

libutee: fix deprecated TA_FLAG_REMAP_SUPPORT inline comment

Update inline comment and value for the deprecated TA flag
TA_FLAG_REMAP_SUPPORT.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutil: add UDIV_ROUND_NEAREST() macro

Default integer division rounds down. Here the interest is
to round to the nearest unsigned integer.

This is inspired from [1].

Link: [1] https://chromium.g

libutil: add UDIV_ROUND_NEAREST() macro

Default integer division rounds down. Here the interest is
to round to the nearest unsigned integer.

This is inspired from [1].

Link: [1] https://chromium.googlesource.com/chromiumos/platform/ec/+/master/include/util.h

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: ignore deprecated TA flags EXEC_DDR and USER_MODE

Commit 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and
USER_MODE") removes the requirement for user TAs to set the flags
TA_FLAG

core: ignore deprecated TA flags EXEC_DDR and USER_MODE

Commit 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and
USER_MODE") removes the requirement for user TAs to set the flags
TA_FLAG_EXEC_DDR (bit 0) and TA_FLAG_USER_MODE (bit 1), the rationale
being that they are meaningless in the current implementation.
The macros are re-defined to be zero to reflect the fact that they have
no use. But, instead of ignoring the previous values, the TEE core now
requires that bits 0 and 1 must *not* be set. This is a problem because
it needlessly breaks backward compatibility. A TA built against OP-TEE
3.0.0 will not work with 3.1.0 or later:

E/TC:? 0 tee_ta_init_user_ta_session:1040 Invalid TA flag(s) 0x3

This commit changes the acceptable flags mask (TA_FLAGS_MASK) to
include the previous EXEC_DDR and USER_MODE bits, thus restoring
backward compatibility.

Fixes: 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and USER_MODE")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: use PTA as acronym for pseudo TA

Make inline comments and trace messages more consistent by
using PTA as acronym for pseudo TA, rather than using pTA, PTA
and pta at various places.

Signed-of

core: use PTA as acronym for pseudo TA

Make inline comments and trace messages more consistent by
using PTA as acronym for pseudo TA, rather than using pTA, PTA
and pta at various places.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit remove

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit removes buf_compare_ct(). A compatibility wrapper is kept
in <string_ext.h> to avoid knowingly breaking the build of any TA that
may use it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison

libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison is not constant time for a given buffer size can reveal
information on the buffer content and lead to side-channel attacks.
Although the GlobalPlatform TEE Internal Core API specification says
nothing about this timing aspect, it is unsafe not to propose a constant
time implementation to TAs. A member of the GP specification working
group confirmed in an informal discussion.

Therefore, replace memcmp() with consttime_memcmp() for constant time
comparison. If a TA needs the fastest possible buffer comparison it can
call the C library function memcmp() (from <string.h>), which we provide
in libutils.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() fun

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() function,
which has only two possible outcomes (zero or non-zero), the new function
is a direct replacement for memcmp() because it returns three possible
states (< 0, 0, > 0).

Link: [1] http://bk.ntp.org/ntp-stable/lib/isc/tsmemcmp.c
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: isoc: implement more ctypes functions

Implement missing functions from ctypes.h.

Signed-off-by: Yunjong Jeong <yunjong@kaist.ac.kr>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

libutee: fix TEE_OpenPersistentObject() error behavior

The TEE spec says about TEE_OpenPersistentObject():
"If this function fails for any reason, the value pointed to by
object is set to TEE_HANDLE

libutee: fix TEE_OpenPersistentObject() error behavior

The TEE spec says about TEE_OpenPersistentObject():
"If this function fails for any reason, the value pointed to by
object is set to TEE_HANDLE_NULL."

Signed-off-by: Daniel Glöckner <dg@emlix.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

bget: fix nex_ pool building with disabled stats

gen_malloc_reset_stats() and gen_malloc_get_stats()
are only available when BufStats is defined.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmai

bget: fix nex_ pool building with disabled stats

gen_malloc_reset_stats() and gen_malloc_get_stats()
are only available when BufStats is defined.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove memalign()

Removes the unused memalign() function. Usage of this function will
cause severe fragmentation of the heap.

Another problem is with the implementation which is added on top of bge

Remove memalign()

Removes the unused memalign() function. Usage of this function will
cause severe fragmentation of the heap.

Another problem is with the implementation which is added on top of bget
while still depending heavily on internals of bget. The implementation was
somewhat buggy since it can sometimes can cause:
E/TC:0 0 assertion 'bn->prevfree == 0' failed at lib/libutils/isoc/bget_malloc.c
:423 <create_free_block>
E/TC:0 0 Panic at core/kernel/assert.c:28 <_assert_break>

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Fix alignment of data for mempool_alloc_pool()

Prior to this patch was _TEE_MathAPI_Init() in
lib/libutee/tee_api_arith_mpi.c supplying a data buffer which was only 4
byte aligned while mempool_allo

Fix alignment of data for mempool_alloc_pool()

Prior to this patch was _TEE_MathAPI_Init() in
lib/libutee/tee_api_arith_mpi.c supplying a data buffer which was only 4
byte aligned while mempool_alloc_pool() requires the alignment of long.
This will work in 32-bit mode, but could lead to alignment problem in
64-bit mode. The same problem can happen with
lib/libutee/tee_api_arith_mpa.c, but so far it has remained hidden.

Incorrect alignment can result in errors like:
E/TA: assertion '!((vaddr_t)data & (POOL_ALIGN - 1))' failed at lib/libutils/ext/mempool.c:134 in mempool_alloc_pool()

This fix introduces MEMPOOL_ALIGN which specifies required alignment of
data supplied to mempool_alloc_pool().

Fixes: 062e3d01c039 ("ta: switch to to mbedtls for bignum")
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v8)
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: add nex_strdup() function

This is the same as strdup() but it uses nex_malloc(), so
it can be used in nexus part of OP-TEE.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Revie

libutils: add nex_strdup() function

This is the same as strdup() but it uses nex_malloc(), so
it can be used in nexus part of OP-TEE.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

virt: tag variables with __nex_data and __nex_bss

Variables that are needed by OP-TEE nexus will be moved
to nexus memory.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens W

virt: tag variables with __nex_data and __nex_bss

Variables that are needed by OP-TEE nexus will be moved
to nexus memory.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

virt: add nexus memory area

This patch is the first in series of patches that split OP-TEE RW memory
into two regions: nexus memory and TEE memory. Nexus memory will
be always mapped and it will be

virt: add nexus memory area

This patch is the first in series of patches that split OP-TEE RW memory
into two regions: nexus memory and TEE memory. Nexus memory will
be always mapped and it will be used to store all data that is
vital for OP-TEE core and is not bound to virtual guests.

TEE memory is a memory that holds data specific for certain guest.
There will be TEE memory bank for every guest and it will be mapped
into OP-TEE address space only during call from that guest.

This patch adds nexus memory and moves stacks into it. Also
it provides __nex_bss and __nex_data macros, so one can easily set right
section for a variable.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by

bget_malloc: add nex_malloc pool

If virtualization enabled, this pool will be used to allocate
memory for OP-TEE nexus needs.
Without virtualization, generic malloc pool will be used.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

bget_malloc: hold all malloc state in malloc_ctx structure

This patch moves all bget_malloc.c state into malloc_ctx structure.
malloc_lock.c is removed because spinlock now is also stored in
malloc_

bget_malloc: hold all malloc state in malloc_ctx structure

This patch moves all bget_malloc.c state into malloc_ctx structure.
malloc_lock.c is removed because spinlock now is also stored in
malloc_ctx.

Multiple malloc pools can be used now.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

bget: Check for size overflow

Check size overflow to avoid size <= 0 which may be caused by
calculation "size += sizeof(struct bhead)" and
"size = (size + (SizeQuant - 1)) & (~(SizeQuant - 1))".

Si

bget: Check for size overflow

Check size overflow to avoid size <= 0 which may be caused by
calculation "size += sizeof(struct bhead)" and
"size = (size + (SizeQuant - 1)) & (~(SizeQuant - 1))".

Signed-off-by: Peikan Tsai <mark1990301@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

trace: fix core id print if in non-atomic context

Make "?" print repetitive equivalent to number of digits needed to display
core id rather than extra spaces as it causes symbolize.py script parsing

trace: fix core id print if in non-atomic context

Make "?" print repetitive equivalent to number of digits needed to display
core id rather than extra spaces as it causes symbolize.py script parsing
failure for call stack addresses in case number of cores is greater than
10.

Also change symbolize.py to detect repetitive "?".

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mbedtls: TEE_BigIntMul(): use temporary

mbedtls_mpi_mul_mpi() checks the allocated size of the output number
before starting to multiply the numbers. It makes a conservative guess
by requiring the r

mbedtls: TEE_BigIntMul(): use temporary

mbedtls_mpi_mul_mpi() checks the allocated size of the output number
before starting to multiply the numbers. It makes a conservative guess
by requiring the result to be at least as large as the sum of the sizes
of the input numbers. For instance, if A fits in one "limb" and B fits
in two, then the result is expected to have nblimbs = 3 at least.
This is sometimes too restrictive. Consider A = 1 (can be represented
with nblimbs == 1 32-bit words) and B = 0x0FFFFFFFFFFFFFFF (fits in a
bignum with nblimbs == 2 32-bit words). A * B is equal to B and fits
in 2 limbs, but the current code requires 3.
This patch fixes the problem by allocating a big enough temporary
result.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mbedtls: fix memory leak in mpi_miller_rabin()

8ff963a60211 ("mbedtls: fix memory leak in mpi_miller_rabin()") from
branch import/mbedtls-2.6.1

Fixes memory leak in mpi_miller_rabin() that occurs w

mbedtls: fix memory leak in mpi_miller_rabin()

8ff963a60211 ("mbedtls: fix memory leak in mpi_miller_rabin()") from
branch import/mbedtls-2.6.1

Fixes memory leak in mpi_miller_rabin() that occurs when the function has
failed to obtain a usable random 'A' 300 turns in a row.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mempool: fix race in get_pool()

Fixes a race in get_pool() which could leave the pool with zero refences
but still owned by the last thread using the pool.

Some performance number on Hikey with def

mempool: fix race in get_pool()

Fixes a race in get_pool() which could leave the pool with zero refences
but still owned by the last thread using the pool.

Some performance number on Hikey with default configuration:
github/master (edbb89f, before this commit):

4006 real 1m 41.11s
4007 real 1m 14.51s
4008 real 0m 0.13s
4009 real 1m 5.68s

Revert "mempool: optimize reference counting", before this commit:
4006 real 3m 27.78s
4007 real 0m 50.03s
4008 real 0m 0.13s
4009 real 2m 24.07s

With this commit, two runs:
4006 real 1m 37.51s
4007 real 0m 56.67s
4008 real 0m 0.09s
4009 real 1m 3.18s

4006 real 1m 37.61s
4007 real 0m 35.32s
4008 real 0m 0.13s
4009 real 1m 3.15s

Numbers are gathered with this script:
for a in 4006 4007 4008 4009 ; do \
echo -n $a " " >> time.txt ;\
time -o time.txt.tmp xtest -l 15 $a || break ;\
grep real time.txt.tmp >> time.txt
done
cat time.txt

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...