core: pta: fix lockdown_device OTP write and verify

lockdown_device() contained two bugs that caused
PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE to fail with
TEE_ERROR_GENERIC (0xffff0000) even on hardware w

core: pta: fix lockdown_device OTP write and verify

lockdown_device() contained two bugs that caused
PTA_RK_SECURE_BOOT_LOCKDOWN_DEVICE to fail with
TEE_ERROR_GENERIC (0xffff0000) even on hardware with a valid hash
already burned into OTP.

First, the status variable was overwritten with only
ROCKCHIP_OTP_SECURE_BOOT_STATUS_ENABLE before being passed to
rockchip_otp_write_secure(). If write_key_size() had previously set
ROCKCHIP_OTP_SECURE_BOOT_STATUS_RSA4096 in the same OTP word, those
bits would be present in the hardware but absent in the value passed
to the write function. rockchip_otp_write_secure() treats any bit set
in hardware but not in the new value as a conflict and returns
TEE_ERROR_GENERIC, since OTP bits cannot be cleared.

Second, the post-write readback check was inverted: it called EMSG()
and returned TEE_ERROR_GENERIC when test_bit_mask() returned true,
i.e. when the enable bit was successfully set. This meant every
successful lockdown was reported as a failure.

Signed-off-by: Martin Domig <martin.domig@wolfvision.net>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>

show more ...

core: pta: fix Rockchip burn_hash OTP protection check

Since a blank device has an all-zero OTP hash and new_hash is the
signing-key hash, the condition is always true, and the function
returns TEE_

core: pta: fix Rockchip burn_hash OTP protection check

Since a blank device has an all-zero OTP hash and new_hash is the
signing-key hash, the condition is always true, and the function
returns TEE_SUCCESS without ever calling write_hash() or
write_key_size().

Signed-off-by: Martin Domig <martin.domig@wolfvision.net>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>

show more ...

Update CHANGELOG for 4.10.0

Update CHANGELOG for 4.10.0 and collect Tested-by tags.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@arm.com>

Update CHANGELOG for 4.10.0

Update CHANGELOG for 4.10.0 and collect Tested-by tags.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@arm.com> (vexpress-qemu_virt)
Tested-by: Joakim Bech <joakim.bech@gmail.com> (Rpi3b v1.2)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx6dlsabresd)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx6sxsabresd)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx6ulevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx6ullevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx6ulzevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx7ulpevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8dxlevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8mmevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8mnevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8mqevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8mpevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8qmmek)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8qxpmek)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx8ulpevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx93evk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx91evk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx95evk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (imx-mx943evk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LX2160A-RDB)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1046A-RDB)
Tested-by: Jerome Forissier <jerome.forissier@arm.com> (RockPi 4B)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Hikey)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Hikey + RPMB kernel routing)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (imx-mx8mqevk)
Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> (qcom-kodiak)
Tested-by: Etienne Carriere <etienne.carriere@st.com> (stm32mp1-135F_DK)
Tested-by: Etienne Carriere <etienne.carriere@st.com> (stm32mp1-157C_EV1 with RPMB)
Tested-by: Etienne Carriere <etienne.carriere@st.com> (stm32mp1-157C_EV1_SCMI, with RPMB)
Tested-by: Etienne Carriere <etienne.carriere@st.com> (stm32mp1-157C_DK2)
Tested-by: Etienne Carriere <etienne.carriere@st.com> (stm32mp1-157C_DK2_SCMI)
Tested-by: Amey Raghatate <ameyavinash.raghatate@amd.com> (AMD Versal Gen 2)
Tested-by: Guiyong Hwang <gy.hwang@telechips.com> (telechips-tcc805x)

show more ...

crypto: asu: send hash address in request buffer for digest

Update driver to read digest from hash address sent to firmware
instead of response buffer

Fixes: 74ddb42edbe0 ("crypto: asu: Add crypto

crypto: asu: send hash address in request buffer for digest

Update driver to read digest from hash address sent to firmware
instead of response buffer

Fixes: 74ddb42edbe0 ("crypto: asu: Add crypto hash driver")
Signed-off-by: Harish Ediga <harish.ediga@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: asu: guard wfe() with IRQ-mask check and add response timeout

The wfe()-based response loop in asu_update_queue_buffer_n_send_ipi()
assumes THREAD_EXCP_NATIVE_INTR is clear at every call si

drivers: asu: guard wfe() with IRQ-mask check and add response timeout

The wfe()-based response loop in asu_update_queue_buffer_n_send_ipi()
assumes THREAD_EXCP_NATIVE_INTR is clear at every call site. This
does not hold during early boot: boot_init_primary_final() re-masks all
exceptions including THREAD_EXCP_NATIVE_INTR at boot.c:1103 before
calling thread_update_canaries() -> hw_get_random_bytes(). With
PSTATE.I=1 the GIC cannot deliver SPI 89 (ASU doorbell),
asu_resp_handler() never fires, sev() is never called, and wfe() blocks
indefinitely.

Fix the response loop with two changes:

1. Arm a 2s safety timeout unconditionally before the loop so ASU
firmware failures surface as TEE_ERROR_TARGET_DEAD rather than a
silent hang.

2. Sample thread_get_exceptions() immediately before each wfe() call
with no intervening code between the check and the instruction.
This closes the TOCTOU window where the exception mask could change
between a snapshot taken before the loop and the actual wfe().
- THREAD_EXCP_NATIVE_INTR clear (IRQs unmasked): wfe() yields the
CPU; asu_resp_handler() fires sev() to wake it on response.
- THREAD_EXCP_NATIVE_INTR set (IRQs masked): udelay(10) throttles
the busy-poll, avoiding both a wfe() hang and uncontrolled bus
hammering.

asu_resp_handler() retains its sev() call to support the wfe() path.

Fixes: 7f2d4e10736f ("drivers: amd: Add ASU support")
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: asu: fix command header length and race condition

- Updated asu_create_header() to pass command length in words
(sizeof(*cp)/sizeof(uint32_t)) instead of zero, to align with
ASUFW requir

crypto: asu: fix command header length and race condition

- Updated asu_create_header() to pass command length in words
(sizeof(*cp)/sizeof(uint32_t)) instead of zero, to align with
ASUFW requirements for proper command parsing.
- Multiple crypto drivers can submit request to shared buffer.
Make sure all queue parameters are update in spin_lock.

Fixes: 7f2d4e10736f ("drivers: amd: Add ASU support")
Signed-off-by: Harish Ediga <harish.ediga@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: rpmb: fix file corruption when updating

The heap memory saving patch:
Fixes: 64c6d2917d12 ("core: rpmb fs uses mempool for temporary transfer buffers")
is introducing a file corruption when up

core: rpmb: fix file corruption when updating

The heap memory saving patch:
Fixes: 64c6d2917d12 ("core: rpmb fs uses mempool for temporary transfer buffers")
is introducing a file corruption when updating an existing file,
the data in the updated file after "pos + size" that must remain same
as before is getting zeroed.

This patch ensures that the temporary update buffer is always synced
with the existing file data before updating.

Fixes: 64c6d2917d12 ("core: rpmb fs uses mempool for temporary transfer buffers")
Signed-off-by: Aleksandar Gerasimovski <aleksandar.gerasimovski@belden.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>

show more ...

plat-altera: introduce SoCFPGA platform support

Add initial support for the SoCFPGA platform under plat/altera.

This commit introduces the basic platform skeleton, including build
configuration, pl

plat-altera: introduce SoCFPGA platform support

Add initial support for the SoCFPGA platform under plat/altera.

This commit introduces the basic platform skeleton, including build
configuration, platform initialization entry points, and configuration
headers required for bring-up.

Signed-off-by: Jit Loon Lim <jit.loon.lim@altera.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_ree_fs: reject dead htree handles after close-on-error

tee_fs_htree_*() may close fdp->ht on error, for example on the
REE FS OOM path, while the outer file handle remains alive.

Subseque

core: tee_ree_fs: reject dead htree handles after close-on-error

tee_fs_htree_*() may close fdp->ht on error, for example on the
REE FS OOM path, while the outer file handle remains alive.

Subsequent read/write/truncate operations could then dereference
fdp->ht through tee_fs_htree_get_meta() and crash the core.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: fix memory range tracking in mobj_ffa_add_pages_at()

In mobj_ffa_add_pages_at(), the PA check for protected memory checked
the wrong offset and idx was incremented by the wrong variable.

core: ffa: fix memory range tracking in mobj_ffa_add_pages_at()

In mobj_ffa_add_pages_at(), the PA check for protected memory checked
the wrong offset and idx was incremented by the wrong variable. Fix both
for correct validation.

Fixes: 003383344c26 ("core: support dynamic protected memory lending")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

core: ffa: fix double indexing in get_acc_perms()

With OP-TEE configured as SPMC with CFG_CORE_SEL1_SPMC=y,
get_acc_perms() is used to get the offset of a struct ffa_mem_region
descriptor.

The mem_

core: ffa: fix double indexing in get_acc_perms()

With OP-TEE configured as SPMC with CFG_CORE_SEL1_SPMC=y,
get_acc_perms() is used to get the offset of a struct ffa_mem_region
descriptor.

The mem_acc pointer is already advanced to the correct element via
stride calculation. So remove the incorrect index to read region_offs
from the correct memory location.

Fixes: a1c53023cc80 ("core: spmc: support FF-A 1.1")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

core: imx: set CFG_INSECURE as y by default

The default value CFG_INSECURE ?= y is assigned in mk/config.mk.
But mk/config.mk is included after $(platform-dir)/conf.mk from
core/core.mk.
Since we ar

core: imx: set CFG_INSECURE as y by default

The default value CFG_INSECURE ?= y is assigned in mk/config.mk.
But mk/config.mk is included after $(platform-dir)/conf.mk from
core/core.mk.
Since we are making decision based on CFG_INSECURE in this file
so we need to set it early here also.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: remove TEE_BigIntFMMConvertToBigInt

TEE_BigIntFMMConvertToBigInt is not implemented, and any usage leads to
linkage errors. Remove its declaration from the header file.

Signed-off-by: Zehu

libutee: remove TEE_BigIntFMMConvertToBigInt

TEE_BigIntFMMConvertToBigInt is not implemented, and any usage leads to
linkage errors. Remove its declaration from the header file.

Signed-off-by: Zehui Chen <ivila@apache.org>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

core: vm_buf_intersects_um_private(): fix flag check

vm_buf_intersects_um_private() checks if a memory range intersects with
already registered memory ranges with the flag VM_FLAGS_NONPRIV set. Howe

core: vm_buf_intersects_um_private(): fix flag check

vm_buf_intersects_um_private() checks if a memory range intersects with
already registered memory ranges with the flag VM_FLAGS_NONPRIV set. However,
until now, the function was checking the flag against the attr field instead
of the correct flags field. In practise this results in the function always
returning false. Fix this by checking against the correct field.

Fixes: 89c9728d981f ("core: replace tee_mmu prefix with vm")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: fix session leak in tee_ta_open_session()

Add a missing call to close_session() in the error path where
check_params() fails, preventing a partially initialized session from
leaking.

Signed-o

core: fix session leak in tee_ta_open_session()

Add a missing call to close_session() in the error path where
check_params() fails, preventing a partially initialized session from
leaking.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: return session ID from tee_ta_open_session()

tee_ta_open_session() previously returned a session pointer after
dropping its reference via tee_ta_put_session(). Reading the session ID
from this

core: return session ID from tee_ta_open_session()

tee_ta_open_session() previously returned a session pointer after
dropping its reference via tee_ta_put_session(). Reading the session ID
from this unlocked pointer in the caller created a brief UAF window if
another thread closed the session concurrently.

Fix this by outputting the session ID directly instead of the pointer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: fix concurrency races during session initialization

Previously, new sessions were added to the open_sessions list without
the exclusive lock held. This created a race condition where another
t

core: fix concurrency races during session initialization

Previously, new sessions were added to the open_sessions list without
the exclusive lock held. This created a race condition where another
thread could discover and acquire a partially initialized session while
tee_ta_open_session() was still executing.

Furthermore, the error path briefly released the session reference count
between tee_ta_put_session() and tee_ta_close_session(), creating a
second window for another thread to hijack a failing session.

Fix these races by locking new sessions to the current thread upon
creation and using a new close_session() helper to safely destroy
failing sessions without ever dropping the exclusive lock.

Fixes: b666b6f2d139 ("core: arm: thread-safe sessions")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: pass session ID to tee_ta_close_session()

tee_ta_close_session() previously took a session pointer. When called
from entry_close_session(), this pointer was acquired without bumping
the refere

core: pass session ID to tee_ta_close_session()

tee_ta_close_session() previously took a session pointer. When called
from entry_close_session(), this pointer was acquired without bumping
the reference count, creating a race condition where the session could
be freed by another thread before being used. This race is harmless
unless ASAN or memory tagging is enabled.

Refactor tee_ta_close_session() to take a session ID instead of a
pointer to avoid possible races.

Fixes: 096cbcddbe21 ("Align Session handle for generic ta interface entry")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: derive key: check provided out key size

syscall_cryp_derive_key() takes a derived_key parameter where the
derived key data is stored. The algorithms DH_DERIVE_SHARED_SECRET,
HKDF, CONCAT_KDF,

core: derive key: check provided out key size

syscall_cryp_derive_key() takes a derived_key parameter where the
derived key data is stored. The algorithms DH_DERIVE_SHARED_SECRET,
HKDF, CONCAT_KDF, and PBKDF2 doesn't check the output key size. Fix this
by adding or fixing the needed checks. Add an extra check to make sure
that the provided output key is a simple symmetric key.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

plat-d06: fix d06 platform bug

Delete unnecessary configuration information to prevent the failure of
correct value assignment.

Fixes: 4237855ad63e ("plat-d06: Add support for HIP08A")
Signed-off-b

plat-d06: fix d06 platform bug

Delete unnecessary configuration information to prevent the failure of
correct value assignment.

Fixes: 4237855ad63e ("plat-d06: Add support for HIP08A")
Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-qcom: Enable support for ARMv8 CE by default

Qcom platforms support ARMv8 Crypto Extensions (CE), so let's enable
it by default to optimize the crypto operations.

Reviewed-by: Jorge Ramirez-Or

plat-qcom: Enable support for ARMv8 CE by default

Qcom platforms support ARMv8 Crypto Extensions (CE), so let's enable
it by default to optimize the crypto operations.

Reviewed-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

libutils: fix ASAN longjmp guard in arm setjmp

Make ASAN_IS_ENABLED available to assembly so the setjmp assembly code
no longer evaluates it as 0, include the sanitizer header in the setjmp
assembly

libutils: fix ASAN longjmp guard in arm setjmp

Make ASAN_IS_ENABLED available to assembly so the setjmp assembly code
no longer evaluates it as 0, include the sanitizer header in the setjmp
assembly files, and simplify the longjmp guard condition.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: kernel: allow not masking interrupts on output traces

Add configuration switch CFG_CONSOLE_MASK_INTERRUPTS define whether
or not interrupts are masked when console trace messages are
emitted.

core: kernel: allow not masking interrupts on output traces

Add configuration switch CFG_CONSOLE_MASK_INTERRUPTS define whether
or not interrupts are masked when console trace messages are
emitted. The config switch is default enabled to reflect core legacy
behavior.

Disabling this configuration switch can be handy to still benefit from
OP-TEE threads output console trace support without adding extra
latency to native and foreign interrupts handling when trace messages
from interruptible thread context are emitted.

Enabling the configuration does not fully prevent collisions
of trace messages as described in mk/config.mk.

By the way, add an initial value to local variable p in trace_ext_puts().

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

plat-rockchip: increase FDT max size to 384KiB on all Aarch64 supported SoCs

Increase the maximum size of the FDT to 384KiB in sync with Trusted
Firmware-A since TF-A v2.13[1] (May 2025). This limit

plat-rockchip: increase FDT max size to 384KiB on all Aarch64 supported SoCs

Increase the maximum size of the FDT to 384KiB in sync with Trusted
Firmware-A since TF-A v2.13[1] (May 2025). This limit is applicable to
all Rockchip SoCs supported by TF-A.

Prior to that commit in TF-A, we had 0x20000 (double the default of the
current OP-TEE OS default) since v2.4[2] (Nov 2020).

This allows us to pass and parse the FDT within OP-TEE as the default
64KiB really isn't enough nowadays (especially if one takes into account
FDT with symbols enabled for FDTO support), otherwise OP-TEE OS panics
at:
E/TC:0 init_external_dt:827 Invalid Device Tree at 0x8a2690: error -3

We currently only allocate 2MiB for TZDRAM on rk322x (as opposed to
32MiB on other Rockchip SoCs; see CFG_TZDRAM_SIZE), so increasing the
FDT buffer size from 64KiB to 384KiB may not be the best idea,
especially considering I couldn't find someone with a device based on
rk322x to test this commit. Additionally, the sizes of the two FDTs for
RK322x boards in the upstream Linux kernel built with symbols enabled
(DTC_FLAGS=-@) only is almost 33KiB. In U-Boot, the FDT for the only
supported board compiles to less than 28KiB for U-Boot proper's and a
tiny bit above 2KiB for SPL's. Thus, there is no hurry to increase the
FDT buffer size on rk322x, especially without being able to test, so
leave rk322x FDT buffer at 64KiB for now.

This fixes OP-TEE OS panics on PX30 and RK3399.

Link: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/ab99dce4b7c8473d5bcb8c833bd410ab87b1e801%5E%21/ [1]
Link: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/8109f738ffa79a63735cba29da26e7c2859977b5%5E%21/ [2]

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>

show more ...

plat-d06: Add support for HIP08A

HIP08A is another form of the D06 development board and equipped by
Hisilicon.

Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Reviewed-by: Yuan Wang <wangyuan4

plat-d06: Add support for HIP08A

HIP08A is another form of the D06 development board and equipped by
Hisilicon.

Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Reviewed-by: Yuan Wang <wangyuan46@huawei.com>
Acked-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...