| #
4bdddf20 |
| 31-May-2023 |
Jens Wiklander <jens.wiklander@linaro.org> |
ta: relax location of ta_head
TAs were required to have the ta_head at the load address of the TA prior to this patch. This makes the linker script slightly more complicated and also confuses GDB so that an offset must be applied to the load address of the TA when using GDB for debugging. So allow that ta_head symbol to reside anywhere in the ELF binary and also add ta_head to the .dynsym section to make sure that tools and ldelf can find the symbol.
This change requires prior updates to tools and ldelf.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
7a6682fc |
| 13-Dec-2021 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
Move section .note.gnu.property after .text in lds files
It is observed that clang compiler sometimes places the .note.gnu.property at offset 0. For TAs, the loader expects the user_ta_header at that location while for ldelf, _ldelf_start() is expected at this point. To avoid such conflicts place this section after the text section.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
9784c655 |
| 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
ta: ta.ld.S: add .eh_frame_hdr and .eh_frame sections
Preparing for C++ support in TAs.
Adds .eh_frame_hdr and .eh_frame sections to the TA linker script. Those may be generated by the C++ compiler. The fragment is copied from GCC's internal linker script (shown by -Wl,-verbose).
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
be3db617 |
| 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
ta: ta.ld.S: add .gcc_except_table section
Preparing for C++ support in TAs.
Adds a .gcc_except_table section merging the multiple entries that may be generated by the C++ compiler. The fragment is copied from GCC's internal linker script (shown by -Wl,-verbose).
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b011a82a |
| 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
ta: ta.ld.S: add .tdata and .tbss sections
Preparing for C++ support in TAs.
TA object file generated by a thread-enabled toolchain (such as g++ built without --disable-threads) may contain .tdata* and .tbss* sections even if the application is single threaded. Those are similar to .data and .bss except that they are templates to be used by the runtime code to set up Thread Local Storage data blocks.
This commit adds those two sections as well as related relocation sections (.rel.tdata, .rel.tbss, .rela.tdata, .rela.tbss). The fragments are copied from GCC's internal linker script (shown by -Wl,-verbose). They are inserted next to .dynamic and .got because they may all be part of a RELRO segment if the linker chooses to create one. In practice there can be only one RELRO segment [1] so sections have to be contiguous. Note that ldelf currently ignores RELRO.
[1] https://reviews.llvm.org/D40029
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
4566d1f3 |
| 21-Jul-2020 |
Jerome Forissier <jerome@forissier.org> |
ta: ta.ld.S: add __exidx_start and __exidx_end
Preparing for C++ support in TAs.
__exidx_start and __exidx_end are referenced by libgcc_eh.a.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
4a3d7558 |
| 27-Feb-2020 |
Jerome Forissier <jerome@forissier.org> |
ta: ta.ld.S: merge .ARM.extab* sections
Contrary to .ARM.exidx, we have no .ARM.extab entry in the TA linker script. As a result, the multiple .ARM.extab* sections gathered from the object files will remain in the TA. While this is perfectly valid and does not cause any functional issue, it uselessly pollutes the readelf/symbolize.py/etc. dumps.
This commit merges all the .ARM.extab* into a unique .ARM.extab.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
f2edd829 |
| 18-Feb-2020 |
Jerome Forissier <jerome@forissier.org> |
Revert "ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk"
This reverts commit 59e8ef0dcb3773964fd133d0a9360989cb86108f.
The default value for CFG_FTRACE_BUF_SIZE needs to be in the TA link script ta.ld.S, because this file is *not* pre-processed before being added to the TA dev kit. Replacement of CFG_* values only happens when the TA is built, at which point mk/config.mk is irrelevant. It makes sense of course, since it allows to change TA settings and re-build only the TA.
Fixes the following TA link error:
$ make CFLAGS_ta_arm32=-pg
[...]
bin/arm-linux-gnueabihf-ld.bfd:out/ta.lds:57: undefined symbol `CFG_FTRACE_BUF_SIZE' referenced in expression
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
|
| #
59e8ef0d |
| 11-Feb-2020 |
Jerome Forissier <jerome@forissier.org> |
ftrace: define CFG_FTRACE_BUF_SIZE in mk/config.mk
The main configuration file is a better place to define the size of the ftrace buffer than the TA linker script.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
8800b01d |
| 08-Nov-2019 |
Jerome Forissier <jerome@forissier.org> |
gprof: fix TEE core crash by allocating sample buffer dynamically
The gprof sample buffer is in user space memory but is also accessed by the TEE core. Currently, space is reserved by the TA linker script. The address and size of the buffer is passed to the TEE core via a call to the gprof PTA. After this call, the TEE core accesses the buffer periodically, such as when the TA is interrupted by a timer interrupt.
Commit ef305e54eac8 ("libutee: allocate temp secmem for invoke") modified the way that private TA memory is mapped in TA to TA invocations, so that memory is mapped only for the duration of the call. After this point, the memory is unmapped so the gprof sample buffer becomes inaccessible, resulting in a crash:
E/TC:0 0 Core data-abort at address 0x121356 (translation fault)
E/TC:0 0 fsr 0x00000007 ttbr0 0x0e19206a ttbr1 0x0e18806a cidr 0x2
E/TC:0 0 cpu #0 cpsr 0x800001f2
E/TC:0 0 r0 0x00000000 r4 0x00000000 r8 0x00000000 r12 0x0017bb4b
E/TC:0 0 r1 0x000021ab r5 0x00000000 r9 0x00000000 sp 0x0e1928f0
E/TC:0 0 r2 0x0011d000 r6 0x00000000 r10 0x00000000 lr 0x0e112763
E/TC:0 0 r3 0x00121356 r7 0x0e1928f0 r11 0x00000000 pc 0x0e12958e
E/TC:0 0 Core data-abort at address 0x121356 .debug_info+1184598 (translation fault)
E/TC:0 0 Call stack:
E/TC:0 0 0x0e12958e tee_ta_gprof_sample_pc at optee_os/core/kernel/tee_ta_manager.c:897
The solution is to allocate and map the sample buffer explicitly in user space when profiling is initialized, and at the same time get rid of the reserved area in the TA linker script. The TEE core also needs to check that the sample buffer is valid before writing to it, otherwise a malicious TA could crash the core by unmapping that memory.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
|
| #
f2a67cf8 |
| 15-May-2019 |
Jerome Forissier <jerome.forissier@linaro.org> |
ta: ta.ld.S: move .dynamic section next to .got
Changes the TA linker script so that the .dynamic section is adjacent to the .got section. This prepares for using the Clang compiler (more precisely: the LLVM linker, ld.lld).
Contrary to GCC, Clang enables the "RELRO" feature (RELocations Read-Only) by default. In a nutshell: RELRO causes the linker to emit an additional segment called RELRO, which tells the program loader that a part of the binary may be turned to read-only mode once the relocations are done. The goal is to increase protection against arbitrary code execution attacks. The sections that are concerned are .got and .dynamic, among others. Since there is only one RELRO segment, the sections that are supposed to be covered have to be contiguous. If they are not (which is currently the case in ta.ld.S), ld.lld shows an error:
ld.lld: error: section: .dynamic is not contiguous with other relro sections
Therefore, move .dynamic next to .got so that all the RELRO-eligible sections are contiguous.
Note: another option to fix this issue is to pass '-z norelro' to the linker, but that would obviously prevent future support of RELRO in the TA loader.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
b02ae382 |
| 22-May-2019 |
Sumit Garg <sumit.garg@linaro.org> |
libutee: arm64: Add support for function tracing of user TAs
Function tracing (ftrace) is a useful debugging technique to dump function call graph for in-depth analysis of program execution and also to get useful information in case of any program abort.
In case of TA, this function graph information is dumped in a buffer kept in .bss section of corresponding instrumented TA. So this buffer can be dumped to normal world in case TA session closes or in case of any abort. Also size of this ftrace buffer is configurable per TA via following config option during TA compilation:
CFG_FTRACE_BUF_SIZE=2048
Function tracing is completely optional debugging feature which could be enabled via command line config option CFG_TA_FTRACE_SUPPORT=y.
Along with this user needs to add cflag: "-pg" to the files for whom function graph is to be generated. Typically for the whole TA, it should be compiled with CFG_TA_MCOUNT=y.
And in case user wants to set "-pg" for particular file, following should go in corresponding sub.mk:
cflags-<file-name>-y+=-pg
Also, to generate function graph for user mode libraries enable CFG_ULIBS_MCOUNT=y which will set "-pg" for all library files.
Currently this patch adds support for function tracing of 64-bit TAs only.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
|
| #
43af052f |
| 07-Feb-2019 |
Jens Wiklander <jens.wiklander@linaro.org> |
ta: arm: ta.ld.S: move relocation segments
Move relocation segments into the read/write section to avoid modifications of the read only compared to what is in the ELF. This is needed for sharing of read only sections of TAs.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
e34f6cde |
| 12-Apr-2019 |
Sumit Garg <sumit.garg@linaro.org> |
gprof: define original mcount APIs inserted by compiler
Simplify gprof implementation via defining original mcount APIs: _mcount (for aarch64) and __gnu_mcount_nc (for arm) inserted by compiler instead of providing them via __utee_mcount API.
Also remove weak definitions of mcount API that were earlier mandated by linker script via PROVIDE().
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| #
bc8fc882 |
| 07-Mar-2018 |
Jerome Forissier <jerome.forissier@linaro.org> |
ta.ld.S: make .plt section of user TAs executable
This patch is preparatory work for the support of dynamically linked user mode TAs.
The Procedure Linkage Table (.plt) section should be executable, because it contains special code used to redirect function calls to the proper destination in external (shared) libraries. Therefore, move it into the executable segment.
A couple of blank lines are removed in the hope that it will make it easier to see which sections are grouped together in the same segment.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
|
| #
883c4be3 |
| 13-Oct-2016 |
Jerome Forissier <jerome.forissier@linaro.org> |
Add support for user TA profiling with gprof (-pg)
Adds the infrastructure to collect profiling information from Trusted Applications running in user mode and instrumented with -pg. Enable with: CFG_TA_GPROF_SUPPORT=y.
Profiling support in itself adds no significant performance overhead. Instrumented applications however may run 1.3x - 2x slower, and have a larger .bss section (+1.36 times .text size for 32-bit TAs, +1.77 times .text size for 64-bit ones).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (D02 64-bit)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU 32-bit)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
0dcfe3a7 |
| 18-Feb-2016 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: map TA with strict permissions
Maps user TA with strict permissions. Blocks with mixed permissions are mapped with the union of the permissions. In order to take full advantage of the strict permissions TAs should be mapped using small pages, that is, using the config option CFG_SMALL_PAGE_USER_TA = y.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU, Juno)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| #
bc33bbd9 |
| 11-Nov-2015 |
Jens Wiklander <jens.wiklander@linaro.org> |
Add support to generate multiple TA dev kits
Adds support to generate multiple TA dev kits, one for each word in the variable "ta-targets". ta/ta.mk is included once for each word in "ta-targets" with the word assigned to "ta-target". This word is then assigned to the variable "sm" to allow each "ta-target" to be built as a separate sub-module.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|