ta: Compile TA with "-fno-stack-protector" if TA stack protector is off

Depends on compiler version and OS distributions, the stack protector
may be enabled by default. This means TA is always compi

ta: Compile TA with "-fno-stack-protector" if TA stack protector is off

Depends on compiler version and OS distributions, the stack protector
may be enabled by default. This means TA is always compiled with
"-fstack-protector", even if _CFG_TA_STACK_PROTECTOR is not 'y'.

To solve this issue, we explicitly provide "-fno-stack-protector"
compile option when _CFG_TA_STACK_PROTECTOR is not 'y'. Thus, the TA
stack protector is definitely disabled.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ta: Export _CFG_TA_STACK_PROTECTOR

_CFG_TA_STACK_PROTECTOR is config variable referenced in __ta_entry() to
generate random stack canary. Thus, it needs to be exported to TA
makefile.

Signed-off-by

ta: Export _CFG_TA_STACK_PROTECTOR

_CFG_TA_STACK_PROTECTOR is config variable referenced in __ta_entry() to
generate random stack canary. Thus, it needs to be exported to TA
makefile.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ta: enable ubsan support for TAs

Introduce CFG_TA_SANITIZE_UNDEFINED config to sanitize trusted
applications. If CFG_TA_SANITIZE_UNDEFINED is set sanitize flags are
propagated to internal TAs (avb,

ta: enable ubsan support for TAs

Introduce CFG_TA_SANITIZE_UNDEFINED config to sanitize trusted
applications. If CFG_TA_SANITIZE_UNDEFINED is set sanitize flags are
propagated to internal TAs (avb, pkcs11, remoteproc, trusted_keys) and
external TAs, which are built with the devkit.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

Deprecate libgcc for TAs

By default keep linking with libgcc for TAs, but add CFG_TA_LIBGCC to
easily turn off linking with libgcc in configurations where it isn't
needed.

Signed-off-by: Jens Wikla

Deprecate libgcc for TAs

By default keep linking with libgcc for TAs, but add CFG_TA_LIBGCC to
easily turn off linking with libgcc in configurations where it isn't
needed.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutils: refactor the MDBG malloc functions

Replace the MDBG malloc functions and macros with a new function
__mdbg_alloc() handling all the memory allocations similar to
mem_alloc(). The old MDBG

libutils: refactor the MDBG malloc functions

Replace the MDBG malloc functions and macros with a new function
__mdbg_alloc() handling all the memory allocations similar to
mem_alloc(). The old MDBG macros are replace by new macros calling
__mdbg_alloc().

mem_alloc(), mem_alloc_unlocked(), and mem_free() are updated to handle
configuration with and without MDBG, removing the all the ENABLE_MDBG
ifdefs in the C file.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

TA dev kit: Export ftrace_format.py

Commit 5c2c0fb31efb ("ftrace: change implementation to use binary circular
buffer") added script ftrace_format.py which is required to analyze ftrace
logs. So exp

TA dev kit: Export ftrace_format.py

Commit 5c2c0fb31efb ("ftrace: change implementation to use binary circular
buffer") added script ftrace_format.py which is required to analyze ftrace
logs. So export it as part of TA dev kit as well.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

Move mv-if-changed() into mk/macros.mk

Moves the make macro mv-if-changed() into mk/macros.mk to allow use of
it in the TA devkit.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed

Move mv-if-changed() into mk/macros.mk

Moves the make macro mv-if-changed() into mk/macros.mk to allow use of
it in the TA devkit.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: export remoteproc signature script and default key

The remoteproc firmware signature script and its associated
default key must be exported in the dev kit in order to be
able to sign the remotep

ta: export remoteproc signature script and default key

The remoteproc firmware signature script and its associated
default key must be exported in the dev kit in order to be
able to sign the remoteproc firmware.

Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ffa: remove ffa.h and smccc.h from host export list

commit 5489e94f0566 ("core: ffa: add boot info structs and defines")
causes the compiler error below in host applications.

ffa.h:196:41: error: i

ffa: remove ffa.h and smccc.h from host export list

commit 5489e94f0566 ("core: ffa: add boot info structs and defines")
causes the compiler error below in host applications.

ffa.h:196:41: error: implicit declaration of function ‘U’ [-Werror=implicit-function-declaration]
196 | #define FFA_BOOT_INFO_NAME_LEN U(16)
| ^
ffa.h:319:19: note: in expansion of macro ‘FFA_BOOT_INFO_NAME_LEN’
319 | char name[FFA_BOOT_INFO_NAME_LEN];
| ^~~~~~~~~~~~~~~~~~~~~~
ffa.h:319:14: error: variably modified ‘name’ at file scope
319 | char name[FFA_BOOT_INFO_NAME_LEN];
| ^~~~

ffa.h uses the U macro which is only part of OP-TEE's libc and not a
standard macro. This causes a compiler error when compiling a host
application and the libc is provided by the compiler. This makes ffa.h
not suitable for host export.

This patch resolves the issue by removing ffa.h from the host export
list to prevent external components to use it. TAs and client
applications have no use of this file.

Also remove smccc.h as it was only added to the list because it is a
dependency of ffa.h

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

keys: rename the default key to default.pem

The default key can have other uses than the TA signature.
Rename the file to have a generic name.

For compatibility with existing code, doc and CI, the

keys: rename the default key to default.pem

The default key can have other uses than the TA signature.
Rename the file to have a generic name.

For compatibility with existing code, doc and CI, the
default_ta.pem is kept but becomes a symbolic link.

If the default_ta.pem is selected, the default.pem file is
also copied in the build folder as default_ta.pem symlink
points to it.

Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: use TA_SIGN_KEY value for the key to copy for build

The default_ta.pem is copied whatever the key file used.
This leads to a build error if TA_SIGN_KEY is specified in the
build command.

Use th

ta: use TA_SIGN_KEY value for the key to copy for build

The default_ta.pem is copied whatever the key file used.
This leads to a build error if TA_SIGN_KEY is specified in the
build command.

Use the "TA_SIGN_KEY" value instead of hard-coding the key name.

Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

build: ta: add RISC-V linker script

Sort out the common code compiled by TA,
abstract RISCV and ARM compile the common part of TA.

Signed-off-by: liushiwei <liushiwei@eswincomputing.com>
Reviewed-b

build: ta: add RISC-V linker script

Sort out the common code compiled by TA,
abstract RISCV and ARM compile the common part of TA.

Signed-off-by: liushiwei <liushiwei@eswincomputing.com>
Reviewed-by: chenchaokai <chenchaokai@eswincomputing.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Update reported version to GP TEE Core Internal API v1.3.1

The UUID assigned to libutee when compiled as a shared library is update
to let old TAs use the ABI of the old libutee before it's upgraded

Update reported version to GP TEE Core Internal API v1.3.1

The UUID assigned to libutee when compiled as a shared library is update
to let old TAs use the ABI of the old libutee before it's upgraded to
support Internal API v1.3.1.

This commit is followed by a number of commits which finally brings
OP-TEE up to date with v1.3.1.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow p

Add support for compiler stack protector

This change add support for CFG_CORE_STACK_PROTECTOR{,_STRONG,_ALL}
and CFG_TA_STACK_PROTECTOR{,_STRONG,_ALL}. This flag enable the
compiler stack overflow protection feature -fstack-protector* and
also generate random stack canary value on kernel boot and TA entry.

Weak function plat_get_random_stack_canary() can be override by
platform to provide random stack canary value for the core kernel.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ffa: Export ffa.h to be used by host

The ffa.h file is needed by the OP-TEE test suite. Export it so it can
be used by it.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jerome Forissier

ffa: Export ffa.h to be used by host

The ffa.h file is needed by the OP-TEE test suite. Export it so it can
be used by it.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any o

core: add support for MTE

Adds support for the Armv8.5-A Memory Tagging Extension with
CFG_MEMTAG=y.

A memtag.h API is introduced to handle this extension. If CFG_MEMTAG=n
the API doesn't add any overhead and the behaviour is unchanged. With
CFG_MEMTAG=y a check is performed to see if the platform can support MTE
and the API is dynamically configured accordingly. This means that it's
safe to have CFG_MEMTAG=y even for platforms not supporting MTE. There
will be some minimal overhead then, but likely not noticeable.

An entry is also added in the TEE_PROPSET_TEE_IMPLEMENTATION for a u32
property "org.trustedfirmware.optee.cpu.feat_memtag_implemented". The
property is set to a non-zero value only if CFG_CORE_MEMTAG is
configured and the underlying CPU supports FEAT_MTE.

This commit still only uses the default tag with the value 0 resulting
in unchanged pointers when accessing memory. However, all plumbing is in
place allowing for instance tagging of the heap in a later commit.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: add remote attestation PTA

Add a PTA to perform remote attestation of user space TAs and TEE core
memory. Enabled with CFG_ATTESTATION_PTA=y. Four commands are defined:

- PTA_ATTESTATION

core: pta: add remote attestation PTA

Add a PTA to perform remote attestation of user space TAs and TEE core
memory. Enabled with CFG_ATTESTATION_PTA=y. Four commands are defined:

- PTA_ATTESTATION_GET_PUBKEY

Returns the public RSA key used to sign the measurements generated by
the other commands. The key pair is generated on first call (any
command) and saved to secure storage. It is therefore device-specific.

- PTA_ATTESTATION_GET_TA_SHDR_DIGEST

Returns the digest found in the secure header (struct shdr) of a TA
or trusted shared library given its UUID.

- PTA_ATTESTATION_HASH_TA_MEMORY

This command must be called by a user space TA (not a CA). It computes
a hash of the memory pages that belong to the caller and contain code
or read-only data. This hash is therefore a runtime measurement of the
TA execution environment, including shared libraries (if any). It can be
used to remotely attest that the device is running untampered TA code.

- PTA_ATTESTATION_HASH_TEE_MEMORY

Returns a hash of the TEE OS core (.text and .rodata sections, less the
small part of .text that may be modified at boot). Similar to
PTA_ATTESTATION_HASH_TA_MEMORY, the hash is computed each time the
command is called, so that the result reflects the actual memory
content.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: Export CFG_TA_PAUTH

Export CFG_TA_PAUTH for availability when compiling xtest

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Re

ta: Export CFG_TA_PAUTH

Export CFG_TA_PAUTH for availability when compiling xtest

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: Export CFG_TA_BTI

Export CFG_TA_BTI for availability when compiling xtest

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by:

ta: Export CFG_TA_BTI

Export CFG_TA_BTI for availability when compiling xtest

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: remove deprecated CFG_TA_DYNLINK

Fully remove configuration switch CFG_TA_DYNLINK that is deprecated
since 3.6.0, see commit d1911a85142d ("core: load TAs using ldelf").

Signed-off-by: Etienne

ta: remove deprecated CFG_TA_DYNLINK

Fully remove configuration switch CFG_TA_DYNLINK that is deprecated
since 3.6.0, see commit d1911a85142d ("core: load TAs using ldelf").

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

Introduce CFG_TA_BGET_TEST

Introduces CFG_TA_BGET_TEST which compiles the integrated bget test
suite together with the rest of bget. When enabled, the test entry point
is bget_main_test() in libutil

Introduce CFG_TA_BGET_TEST

Introduces CFG_TA_BGET_TEST which compiles the integrated bget test
suite together with the rest of bget. When enabled, the test entry point
is bget_main_test() in libutils.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: export CFG_TEE_TA_LOG_LEVEL with ?= not :=

The value of CFG_TEE_TA_LOG_LEVEL used at optee_os build time is
exported to the TA dev kit ($O/export_ta_arm{32,64}/mk/conf.mk). The
purpose is to pro

ta: export CFG_TEE_TA_LOG_LEVEL with ?= not :=

The value of CFG_TEE_TA_LOG_LEVEL used at optee_os build time is
exported to the TA dev kit ($O/export_ta_arm{32,64}/mk/conf.mk). The
purpose is to provide a default value to the TA build environment,
which can easily be changed from the command line ("make
CFG_TEE_TA_LOG_LEVEL=3" for example).

However the following TA Makefile won't behave as expected:

BINARY := <somme uuid>
CFG_TEE_TA_LOG_LEVEL := 3 # Ignored!
include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk

This commit changes := to ?= so that ta_dev_kit.mk won't override any
value that may have been set previously in the TA Makefile or the
environment.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

build: fix race when generating conf.mk

This patch fixes the following error triggered by a heavily parallel build:

echo sm := ta_arm64 > .../export-ta_arm64/mk/conf.mk.tmp
/bin/bash: .../export-

build: fix race when generating conf.mk

This patch fixes the following error triggered by a heavily parallel build:

echo sm := ta_arm64 > .../export-ta_arm64/mk/conf.mk.tmp
/bin/bash: .../export-ta_arm64/mk/conf.mk.tmp: No such file or directory

Fixes: https://github.com/OP-TEE/optee_os/issues/3999
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Ross Burton <ross.burton@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mk: core: ta: Configurable Python interpreter

Build systems that manage multiple different python interpreters need
explicit control over which version of the interpreter to use.
This patch enables

mk: core: ta: Configurable Python interpreter

Build systems that manage multiple different python interpreters need
explicit control over which version of the interpreter to use.
This patch enables one to override the default interpreter with the path
to a specific one.

Signed-off-by: Dick Olsson <hi@senzilla.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

Allow use of cc-option in core/arch/arm/arm.mk

It can be useful to call the cc-option macro when setting flags in
core/arch/arm/arm.mk. Unfortunately cc-option is defined in
mk/compile.mk which is t

Allow use of cc-option in core/arch/arm/arm.mk

It can be useful to call the cc-option macro when setting flags in
core/arch/arm/arm.mk. Unfortunately cc-option is defined in
mk/compile.mk which is too late to be useful (core/arch/arm/arm.mk is
included by core/core.mk before mk/compile.mk).

This commit addresses the issue by moving the definition of cc-option
to its own file, mk/cc-option.mk, which is then included by
core/arch/arm/arm.mk. There is a dependency on the compiler definitions
(mk/gcc.mk or mk/clang.mk) and on $(arch-bit-$(sm)) so
core/arch/arm/arm.mk is modified accordingly.

Moving cc-option out of mk/compile.mk means that all non-core
submodules would lose the definition unless they include
mk/cc-option.mk; the TA dev kit is modified so that TAs can call
cc-option from within their sub.mk files. As for other submodules, they
are internal and do not use cc-options as of now so they are not
modified.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...