Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow p

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow protection feature -fstack-protector* and
also generate random stack canary value on kernel boot and TA entry.

Weak function plat_get_random_stack_canary() can be override by
platform to provide random stack canary value for the core kernel.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at leas

Basic fault mitigation routines

Adds basic fault mitigation routines designed to help protecting from
fault injection attacks on the hardware. This is by no means bullet
proof, but it should at least improve the situation.

These routines focus on verifying that a function has been called and
that the returned value matches the result from the function. This is
done by having a handshake between the caller and the callee where also
the return value is transmitted in a separate channel.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: implement a method to dump user TA runtime status

This patch is to dump user TA runtime status for debug purposes.
The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA

core: implement a method to dump user TA runtime status

This patch is to dump user TA runtime status for debug purposes.
The change includes:
1. Add new command (STATS_CMD_TA_STATS) in the stats PTA.
2. Add tee_ta_dump_stats() to scan all ongoing TA instance and sessions
and snapshot their status.
3. Add new function: entry_dump_memstats() to __utee_entry() to get TA
heap statistics.
4. Add new compile option (CFG_TA_STATS, default n) to enable this
feature.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Weizhao Jiang <weizhaoj@amazon.com>
Signed-off-by: Weizhao Jiang <weizhaoj@amazon.com>
[jf: edit commit message]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed w

core: support loading TAs signed with a subkey

Adds support to load TAs signed with subkey or a chain of subkeys. This
allows delegation of TA signing without distributing the root key. TAs
signed with a subkey are confined to the UUID-V5 namespace of the subkey
to avoid TA UUID clashes with different subkeys.

SHDR_SUBKEY is a type of header which enables chains of public keys.
The public root key is used to verify the first public subkey, which
then is used to verify the next public subkey and so on.

The TA is finally verified using the last subkey. All these headers are
added in front of the TA binary so everything needed to verify the TA is
available when it's loaded into memory.

For example:
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: f573f329fe77be686ce71647909c4ea35b5e1cd7de86369bd7d9fca31f6a4d65
struct shdr_subkey
uuid: f04fa996-148a-453c-b037-1dcfbad120a6
name_size: 64
subkey_version: 1
max_depth: 4
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "mid_level_subkey"
Next header at offset: 692 (0x2b4)
Subkey
struct shdr
magic: 0x4f545348
img_type: 3 (SHDR_SUBKEY)
img_size: 320 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: 233a6dcf1a2cf69e50cde8e20c4129157da707c76fa86ce12ee31037edef02d7
struct shdr_subkey
uuid: 1a5948c5-1aa0-518c-86f4-be6f6a057b16
name_size: 64
subkey_version: 1
max_depth: 3
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
attr_count: 2
next name: "subkey1_ta"
Next header at offset: 1384 (0x568)
Bootstrap TA
struct shdr
magic: 0x4f545348
img_type: 1 (SHDR_BOOTSTRAP_TA)
img_size: 84576 bytes
algo: 0x70414930 (TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256)
hash_size: 32 bytes
sig_size: 256 bytes
hash: ea31ac7dc2cc06a9dc2853cd791dd00f784b5edc062ecfa274deeb66589b4ca5
struct shdr_bootstrap_ta
uuid: 5c206987-16a3-59cc-ab0f-64b9cfc9e758
ta_version: 0
TA offset: 1712 (0x6b0) bytes
TA size: 84576 (0x14a60) bytes

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Update CHANGELOG for 3.19.0

Update CHANGELOG for 3.19.0 and collect Tested-by tags.

Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6dlsabresd)
Tested-by: Clement Faure <clement.faure@nxp.c

Update CHANGELOG for 3.19.0

Update CHANGELOG for 3.19.0 and collect Tested-by tags.

Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6dlsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6qsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sllevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sxsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ullevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulzevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7dsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7ulpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mmevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mnevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mqevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qmmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qxpmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8dxlevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8ulpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx93evk)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a, GP, PKCS#11)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt, GP, PKCS#11)
Tested-by: Manorit Chawdhry <m-chawdhry@ti.com> (k3-j721e)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1012A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1028A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1088A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS2088A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1046A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1043A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LX2160A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LX2160A-QDS)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (hikey-hikey, GP, PKCS#11)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (imx-mx8mqevk)
Tested-by: Igor Opaniuk <igor.opaniuk@foundries.io> (Poplar)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Tested-by: Balint Dobszay <balint.dobszay@arm.com> (fvp-ts)
Tested-by: Ricardo Salveti <ricardo@foundries.io> (imx-mx8mmevk, plug-and-trust v0.4.0)
Tested-by: Ricardo Salveti <ricardo@foundries.io> (ZynqMP, GP, PKCS#11)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1-157C_DK2, gp, pkcs11)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1-157C_EV1, gp, pkcs11)
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: boot: do not force implement the external device-tree ABI

Do not implement external device tree ABI if CFG_EXTERNAL_DT=n. Some
ecosystem implementation do not require OP-TEE to modify or use t

core: boot: do not force implement the external device-tree ABI

Do not implement external device tree ABI if CFG_EXTERNAL_DT=n. Some
ecosystem implementation do not require OP-TEE to modify or use this
external device tree. This change is useful on 32bits systems where
OP-TEE only needs to pass BL33 DTB base address provided by earlier
boot stage: TF-A BL2.

CFG_EXTERNAL_DT default value is defined by CFG_DT for backward
compatibility of OP-TEE default configuration.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pgt: support preallocated translation tables for S-EL0

With CFG_CORE_PREALLOC_EL0_TBLS=y translation tables are allocated for a
user space context at the time when the mapping is added a struc

core: pgt: support preallocated translation tables for S-EL0

With CFG_CORE_PREALLOC_EL0_TBLS=y translation tables are allocated for a
user space context at the time when the mapping is added a struct
vm_region. The translation tables will be kept available for the S-EL0
context as long at the mappings are unchanged.

Secure Partitions (SPs) can depend on translation tables always being
available and avoid having to wait for translation tables.

Memory for the translation tables is allocated from the same memory as
used for TAs and SPs. The number of available translation tables are
limited by the amount of TA/SP memory available.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add pointer authentication support

Previously pointer authentication was only supported for TAs. With this
patch add a configuration option CFG_CORE_PAUTH to enable support for
core. Each priv

core: add pointer authentication support

Previously pointer authentication was only supported for TAs. With this
patch add a configuration option CFG_CORE_PAUTH to enable support for
core. Each privileged thread has its own APIA key. There are also a
separate APIA key for each physical core used when handling an abort or
when using the tmp stack.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ffa: Export ffa.h to be used by host

The ffa.h file is needed by the OP-TEE test suite. Export it so it can
be used by it.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jerome Forissier

ffa: Export ffa.h to be used by host

The ffa.h file is needed by the OP-TEE test suite. Export it so it can
be used by it.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add CFG_REE_FS_INTEGRITY_RPMB for roll-back protection of REE

If we enable CFG_RPMB_FS and CFG_REE_FS at the same time in optee-os,
with tee-supplicant only supports REE, calls from xtest to

core: add CFG_REE_FS_INTEGRITY_RPMB for roll-back protection of REE

If we enable CFG_RPMB_FS and CFG_REE_FS at the same time in optee-os,
with tee-supplicant only supports REE, calls from xtest to
ree_fs_open() will attempt to access RPMB for roll-back protection,
which will fail because tee-supplicant can't access RPMB.

In some platforms, we only want optee-os to support
RPMB key provision checking by invoking any RPMB read/writes, but
don't care about whether contents could be read/written.
The tee-supplicant in these platform is limited to REE only, because
there's an existing issue in Linux OS causing kernel drivers failed to
support RPMB. So we need an option to prevent applications like xtest
to access RPMB when calling ree_fs_open(), but keep the ability to
call RPMB fs related apis. When we check the key thru RPMB read.
If key is provisioned, tee-supplicant will return
TEEC_ERROR_ITEM_NOT_FOUND. If not, optee-os will return
TEE_ERROR_STORAGE_NOT_AVAILABLE.

How-tested: execute `xtest -t regression` with optee-os CFG_REE_FS=y
and CFG_RPMB_FS=y. optee-client RPMB_EMU=n
Many testcases will fail. (ex: case 1004)

Signed-off-by: Judy Wang <wangjudy@microsoft.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: Add hw_get_random_bytes()

Currently there are two options for supporting hardware RNG, implementing
hw_get_random_byte() or overriding crypto_rng_read().

crypto_rng_read() is provided by eith

core: Add hw_get_random_bytes()

Currently there are two options for supporting hardware RNG, implementing
hw_get_random_byte() or overriding crypto_rng_read().

crypto_rng_read() is provided by either a software PRNG or by a hardware
RNG through a weak function in rng_hw.c. This weak function repeatedly
calls hw_get_random_byte(). This can be an unneeded slowdown for
platforms that fetch more than one byte of randomness per call to their
HW RNG (all of them). The usual pattern is to store these extra bytes
in a FIFO and feed them out one at a time. But since the only two callers
of hw_get_random_byte() are themselves users of more than one byte this
indirection is unnecessary. To get around this some platforms have also
started overriding crypto_rng_read() which makes the API flow a bit less
intuitive than it could be.

Plan here is that platforms only need to implement hw_get_random_bytes().
This can be called with length = 1 if we only need a single byte. But in
the more common case we get a performance boost and simplify the RNG call
flow.

To start we keep hw_get_random_byte() and have the new
hw_get_random_bytes() use it to get platform HW RNG byte at a time.
When we finish moving all plats over to hw_get_random_bytes() then
hw_get_random_byte() can be removed.

Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Update CHANGELOG for 3.18.0

Update CHANGELOG for 3.18.0 and collect Tested-by tags.

Tested-by: Igor Opaniuk <igor.opaniuk@foundries.io> (Poplar)
Tested-by: Jerome Forissier <jerome.forissier@linaro

Update CHANGELOG for 3.18.0

Update CHANGELOG for 3.18.0 and collect Tested-by tags.

Tested-by: Igor Opaniuk <igor.opaniuk@foundries.io> (Poplar)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt, GP, PKCS#11)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP Base RevC)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP Foundation model)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (imx-mx8mqevk)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a, GP, PKCS#11)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (hikey-hikey960, GP, PKCS#11)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (hikey-hikey, GP, PKCS#11)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6dlsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6qsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sllevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sxsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ullevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulzevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7dsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7ulpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mmevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mnevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mqevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qmmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qxpmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8dxlevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8ulpevk)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1, gp, pkcs11, stmm)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1012A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1028A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1088A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS2088A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1046A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1043A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LX2160A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LX2160A-QDS)
Tested-by: Ricardo Salveti <ricardo@foundries.io> (ZynqMP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sp: handle memory regions w/o base address

The FF-A spec states that in the SP manifest a base address is not
mandatory for memory regions. If the field is not present, the specified
memory re

core: sp: handle memory regions w/o base address

The FF-A spec states that in the SP manifest a base address is not
mandatory for memory regions. If the field is not present, the specified
memory region must be allocated by the SPMC and mapped to the SP's
context.

A copy of the SP manifest fdt is used for passing the memory region
virtual addresses to the SP. Additional space is allocated when copying
the fdt so the originally not present base address fields can be added
later.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
[jf: edit description to avoid checkpatch spelling warning]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: scmi-msg: add SCMI MSG message protocol

Implements MSG header protocol to handle SCMI messages. MSG header
protocol was introduced in Linux kernel v5.15 [1]. It relies on normal
cached shar

drivers: scmi-msg: add SCMI MSG message protocol

Implements MSG header protocol to handle SCMI messages. MSG header
protocol was introduced in Linux kernel v5.15 [1]. It relies on normal
cached shared memory buffer using a 32bit header followed by the SCMI
message payload.

To support this message interface, the SCMI PTA defines a new capability
and a new command. Capability PTA_SCMI_CAPS_MSG_HEADER allows client and
service to negotiate the desired transport configuration. Command
PTA_SCMI_CMD_PROCESS_MSG_CHANNEL allows client to request processing
of a message sent based on that message exchange protocol.

Platforms shall enable configuration switch CFG_SCMI_MSG_SHM_MSG to have
their SCMI service supporting that communication protocol.

Link: [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f301bba0ca7392d16a6ea4f1d264a91f1fadea1a
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

mk: config.mk: fix dependency on CFG_SCMI_MSG_SHM_MSG

Fixes inaccurate test on CFG_SC MI_MSG_SHM_MSG config switch that is
not yet defined. Before this fix was CFG_SCMI_MSG_SMT_THREAD_ENTRY
always f

mk: config.mk: fix dependency on CFG_SCMI_MSG_SHM_MSG

Fixes inaccurate test on CFG_SC MI_MSG_SHM_MSG config switch that is
not yet defined. Before this fix was CFG_SCMI_MSG_SMT_THREAD_ENTRY
always forced to n.

Fixes: 28e51326a5c9 ("mk: config.mk: describe and initialize CFG_SCMI_MSG_*_ENTRY switches")
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

mk: config.mk: describe and initialize CFG_SCMI_MSG_*_ENTRY switches

Describe and set a default value to existing CFG_SCMI_MSG_*_ENTRY
configuration switches that allow to optimize memory which is d

mk: config.mk: describe and initialize CFG_SCMI_MSG_*_ENTRY switches

Describe and set a default value to existing CFG_SCMI_MSG_*_ENTRY
configuration switches that allow to optimize memory which is desired
when enabling pager and interrupt or fastcall SMC entry for SCMI
channels.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

build: introduce CFG_OPTEE_REVISION_EXTRA

Adds CFG_OPTEE_REVISION_EXTRA (default: empty) which can be used to
append a custom string to the revision string shown in the boot banner.
A typical use ca

build: introduce CFG_OPTEE_REVISION_EXTRA

Adds CFG_OPTEE_REVISION_EXTRA (default: empty) which can be used to
append a custom string to the revision string shown in the boot banner.
A typical use case is build environments such as Yocto/OpenEmbedded
which check out a particular version of the optee_os repository and may
add patches on top. In this case the revision string is something like:

3.17.0-dev (gcc version ...

which doesn't give any information on what modifications are added and
therefore makes it difficult to know for sure if a deployed binary is
indeed the expected one (even more so when the build date is fixed via
SOURCE_DATE_EPOCH for reproducible builds).
CFG_OPTEE_REVISION_EXTRA allows to append a specific build identifier.
For example:

$ make CFG_OPTEE_REVISION_EXTRA=-mybuild_1234

would give:

3.17.0-dev-mybuild_1234

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

tpm2: Add TPM2 as PCR provider to TCG eventlog parsing framework

TCG eventlog parsing framework parses the eventlog and extends the
PCR's. For this, it needs a provider for PCR's. Register TPM2 as
a

tpm2: Add TPM2 as PCR provider to TCG eventlog parsing framework

TCG eventlog parsing framework parses the eventlog and extends the
PCR's. For this, it needs a provider for PCR's. Register TPM2 as
a provider to this framework.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any o

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any overhead and the behaviour is unchanged. With
CFG_MEMTAG=y a check is performed to see if the platform can support MTE
and the API is dynamically configured accordingly. This means that it's
safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There
will be some minimal overhead then, but likely not noticeable.

An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32
property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The
property is set to a non-zero value only if CFG_CORE_MEMTAG is
configured and the underlying CPU supports FEAT_MTE.

This commit still only uses the default tag with the value 0 resulting
in unchanged pointers when accessing memory. However, all plumbing is in
place allowing for instance tagging of the heap in a later commit.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: set CFG_TEE_CORE_LOG_LEVEL to 2 (info) by default

The default log level of the TEE core is 1 (error), which means it is
normally silent. Set it to 2 (info) so that the boot sequence can be
see

core: set CFG_TEE_CORE_LOG_LEVEL to 2 (info) by default

The default log level of the TEE core is 1 (error), which means it is
normally silent. Set it to 2 (info) so that the boot sequence can be
seen (OP-TEE version banner, CPUs detected etc.).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Update CHANGELOG for 3.17.0

Update CHANGELOG for 3.17.0 and collect Tested-by tags.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (RP

Update CHANGELOG for 3.17.0

Update CHANGELOG for 3.17.0 and collect Tested-by tags.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (RPi3B)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (RPi3B-NFS)
Tested-by: Neal Liu <neal_liu@aspeedtech.com> (ast2600)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6dlsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6qsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sllevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sxsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ullevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulzevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7dsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7ulpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mmevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mnevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mqevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qmmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qxpmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8dxlevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8ulpevk)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (hikey-hikey)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (imx-mx8mqevk)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Tested-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> (rcar-salvator_m3_2x4g / virt)
Tested-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> (rcar-salvator_m3_2x4g)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1012A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1028A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1088A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS2088A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1046A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1043A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS2160A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS2160A-QDS)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1, gp pkcs11)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (vexpress-qemu_virt, gp pkcs11 pager)

show more ...

core: FF-A: Map TPM event log for FF-A SPs

Enable passing the TPM event log to FF-A SPs if their manifest has an
"arm,tpm_event_log" compatible node. The event log is mapped to the
SP's address spac

core: FF-A: Map TPM event log for FF-A SPs

Enable passing the TPM event log to FF-A SPs if their manifest has an
"arm,tpm_event_log" compatible node. The event log is mapped to the
SP's address space and the address and size fields are updated in the
SP manifest.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Imre Kis <imre.kis@arm.com>

show more ...

core: Enable mapping DT from secure memory

Add CFG_MAP_EXT_DT_SECURE option to enable mapping the device tree from
the secure memory. As the device tree in the secure memory would only
have the even

core: Enable mapping DT from secure memory

Add CFG_MAP_EXT_DT_SECURE option to enable mapping the device tree from
the secure memory. As the device tree in the secure memory would only
have the event log address in the secure memory the property name is
changed from tpm_event_log_sm_addr to the standard tpm_event_log_addr
when CFG_MAP_EXT_DT_SECURE is enabled.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Imre Kis <imre.kis@arm.com>

show more ...

drivers/tpm2: Add TPM2 MMIO driver

Add support for platforms that interface with TPM2 via
MMIO using FIFO protocol.

Co-developed-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Victor Cho

drivers/tpm2: Add TPM2 MMIO driver

Add support for platforms that interface with TPM2 via
MMIO using FIFO protocol.

Co-developed-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers/tpm2: Add basic TPM2 support in OP-TEE

TPM2 driver introduced in this commit is based on TPM TCG
specification [1] & [2].

The APIs exposed allows to send commands and receive response
from

drivers/tpm2: Add basic TPM2 support in OP-TEE

TPM2 driver introduced in this commit is based on TPM TCG
specification [1] & [2].

The APIs exposed allows to send commands and receive response
from a TPM2 chip.

[1] TCG PC Client Platform TPM Profile Specification for TPM 2.0
Vesrion 1.0.5 Revision 14
[2] TCG PC Client Device Driver Design Principles for TPM 2.0
Version 1.1 Revision 0.04

Co-developed-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...