History log of /optee_os/ (Results 1201 – 1225 of 8385)
Revision Date Author Comments
19ad526c 13-Mar-2024 Balint Dobszay <balint.dobszay@arm.com>

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception level as the SPMC. This means that the SPMC and the SP
should have separate FF-A IDs, i.e. the SPMC ID and a normal endpoint ID
for the SP. The SPMC ID is described in the SPMC manifest which gets
parsed by the SPMD, so this ID should be queried from the SPMD. OP-TEE's
endpoint ID is assigned by the SPMC.

Currently OP-TEE's FF-A endpoint ID and the SPMC ID are mixed together
and hardcoded, this patch implements the correct ID handling mechanism
as described above.

Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

4c4387dc 26-Feb-2024 Alvin Chang <alvinga@andestech.com>

core: riscv: Prepare SATP for each hart

To support multiple harts environment, we have allocated root page table
for each hart. Furthermore, we need to prepare value of CSR SATP, which
holds the physical page number (PPN) of the root page table, for each
hart.

This commit enlarges the "struct core_mmu_config" for RISC-V
architecture to hold the value of CSR SATP for all the harts. In early
boot stage, each hart should initialize its CSR SATP from "struct
core_mmu_config".

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

fe9a2682 26-Feb-2024 Alvin Chang <alvinga@andestech.com>

core: riscv: Allocate root page table for each hart

To support multiple hart environment, each hart must have its dedicated
root page table. This commit enlarges the root page table. Also, when
the primary hart initializes the page table, we also copy the contents
of its root page table to the secondary harts' root page tables.
Therefore, all the harts have initial page tables at the boot time.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

6d7d9de3 12-Mar-2024 Jerome Forissier <jerome.forissier@linaro.org>

ci: qemuv8: add test case with CFG_WITH_PAGER=y

Add a "make check" test with pager enabled on QEMUv8.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

23f867d3 19-Mar-2024 Jerome Forissier <jerome.forissier@linaro.org>

core: arm64: increase STACK_ABT_SIZE from 1024 to 3072 when log level is 0

When adding "make check CFG_WITH_PAGER=y CFG_TEE_CORE_LOG_LEVEL=0" to
the QEMUv8 CI job, I noticed that OP-TEE fails to boot and hangs with no
message printed on the console. The root cause is memory corruption of
the translation tables triggered by a stack overflow. Indeed, the pager
uses the abort stack to handle unmapped pages, and therefore it requires
quite a bit of stack space. The log level is not very relevant.
Therefore, fix the issue by removing the particular case for log level 0.

More debugging info:

build$ make -j$(nproc) CFG_WITH_PAGER=y CFG_TEE_CORE_LOG_LEVEL=0 \
CFG_CORE_ASLR=n
build$ aarch64-linux-gnu-nm -n ../optee_os/out/arm/core/tee.elf
...
000000000e115000 B __nozi_start
000000000e115000 b thread_user_kdata_page
000000000e116000 b xlat_tables_ul1
000000000e118000 b xlat_tables
000000000e11d000 b base_xlation_table
000000000e11d100 B __nozi_end
000000000e11d100 B __nozi_stack_start
000000000e11d100 b stack_abt
000000000e11e200 B stack_tmp
...
build$ make run-only
optee_qemuv8$ gdb-multiarch
(gdb) symbol-file optee_os/out/arm/core/tee.elf
(gdb) target remote localhost:1234
(gdb) p sizeof(base_xlation_table)
$1 = 256
(gdb) watch *(char [256]*)base_xlation_table
(gdb) c # 5 times
Thread 1 hit Hardware watchpoint 1: *(char [256]*)base_xlation_table
(gdb) bt

At this point the call stack is:

hash_sha256_check()
fobj_load_page()
pager_deploy_page()
pager_get_page()
tee_pager_handle_fault()
abort_handler()
el1_sync_abort()

This code is indeed not supposed to touch base_xlation_table, it does
so due to the overflow of stack_abt.

Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

1cf7e98d 14-Mar-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: replace REGISTER_TIME_SOURCE()

Remove REGISTER_TIME_SOURCE() and implement tee_time_get_sys_time() and
tee_time_get_sys_time_protection_level() directly in the file where
REGISTER_TIME_SOURCE() was used previously.

By avoiding indirect calls the linker can optimize the dependency tree
properly and we can remove the DECLARE_KEEP_PAGER() directive needed for
arm_cntpct_time_source.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

63bfec5e 02-Mar-2024 Alvin Chang <alvinga@andestech.com>

core: riscv: Apply SM-based boot flow for secondary harts

When the system adopts M-mode secure monitor based solution, the
secondary harts need to hand over the control back to the secure
monitor after the initial boot sequence. Add related code for this
purpose.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

058cf712 10-Nov-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Do not restrict primary hart to hart ID 0 only

The ID of primary hart should not be restricted to zero. Thus,
determining primary hart and secondary harts by zero hart ID is not
feasible.

We refer to RISC-V linux kernel [1] to fix this issue, by adding a
"hart_lottery" variable. The first hart who enters OP-TEE will win the
lottery, atomically increment this variable, and be the primary hart.
Other harts that enter OP-TEE later won't win the lottery, so they execute
the secondary boot sequence.

[1]:
https://github.com/torvalds/linux/blob/v6.7/arch/riscv/kernel/head.S#L244

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

1706a284 23-Jan-2024 Alvin Chang <alvinga@andestech.com>

core: riscv: Change the condition of communication with untrusted domain

Use CFG_RISCV_WITH_M_MODE_SM to determine if OP-TEE uses M-mode secure
monitor based solution to communicate with the untrusted domain.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

83abc784 23-Jan-2024 Alvin Chang <alvinga@andestech.com>

riscv: plat-virt: Set CFG_RISCV_WITH_M_MODE_SM as 'y'

In RISC-V QEMU virtual platform, OP-TEE OS uses M-mode secure monitor
based solution to communicate with the untrusted domain. Therefore, set
CFG_RISCV_WITH_M_MODE_SM to 'y' in its configuration file.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

a30b4486 23-Jan-2024 Alvin Chang <alvinga@andestech.com>

core: riscv: Add CFG_RISCV_WITH_M_MODE_SM and dependency checking

OP-TEE may communicate with the untrusted domain by different solutions,
such as M-mode secure monitor based solution, or direct messaging based
solution. This commit adds CFG_RISCV_WITH_M_MODE_SM to indicate that
OP-TEE uses M-mode secure monitor based solution for the communication.

The CFG_RISCV_WITH_M_MODE_SM should depend on CFG_RISCV_S_MODE and
CFG_RISCV_SBI, since we are using "ecall" to trap into M-mode secure
monitor.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

ea11f512 23-Oct-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Apply mask/unmask exceptions when operating page table

Add missing thread_{mask/unmask}_exceptions() when we operate the page
table. This is referenced from ARM architecture.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

d1d1ca23 23-Oct-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Apply STATUS helper for RPC resume

Since RPC resume is a kind of exception return, we invoke
xstatus_for_xret() to prepare the CSR STATUS for exception return. But
the actual value of STATUS when calling thread_rpc() is still saved in
stack. This is to unify the behavior between RPC suspend and resume.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

de45f2fb 23-Oct-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Apply exception return to handle_user_mode_panic()

Now thread_exit_user_mode() executes exception return to kernel mode.
Invoke xstatus_for_xret() helper function to prepare CSR STATUS for
exception return.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

4fe3a3f7 23-Oct-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Refine thread trap handler

In order to support SMP, we made change on CSR SCRATCH from kernel stack
pointer to be kernel TP(thread_core_local). So that we can get TP from
SCRATCH easily in trap handler when the thread is in user mode. We also
save/restore CSR IE, kernel GP and SP so that we can handle task
migration to another hart.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

b5bb30b3 23-Oct-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Refine thread enter/exit user mode

Now when thread is in user mode, the kernel TP is saved into CSR SCRATCH
instead of into kernel stack. The IE is also considered since it
contains masks of different exceptions.

Apply exception return to thread_exit_user_mode() to let the hart correctly
return to kernel mode from exception.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

09653bca 23-Oct-2023 Alvin Chang <alvinga@andestech.com>

core: riscv: Apply exception return to resume thread

In current implementation, the thread is resumed by function return. It
is not suitable for all scenarios, especially when the thread should be
resumed to user mode. The kernel mode can not return to user mode by
pure function return.

This commit applies exception return to resume the thread. The EPC and
IE are added into thread context. The xstatus_for_xret() helper function
is added to prepare the value of CSR STATUS for exception return.
Currently we only consider PIE(previous interrupt-enable) and
PP(previous privilege mode) for exception return.

We clear thread context when the context is reinitialized, enable native
interrupt, and setup kernel GP/TP. The thread_resume() now takes care of
restoring CSR EPC, STATUS, IE, SCRATCH and all general-purpose
registers. Finally it executes exception return to target privilege mode
encoded in CSR STATUS. The registers GP and TP are also restored since
user mode may use them.

This commit also modifies the usage of CSR SCRATCH. In current
implementation the SCRATCH is used to save kernel stack pointer when the
thread is in user mode. The value of TP, which stores thread_core_local
structure, is saved into kernel stack before entering user mode. The
trap handler can then get TP(thread_core_local) from kernel stack. This
is not suitable for SMP system, since the thread might be resumed to
another core, and that core gets wrong TP from kernel stack. Fix it by
directly storing TP into CSR SCRATCH.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>

b2f99d20 01-Feb-2024 Olivier Deprez <olivier.deprez@arm.com>

core: boot: fix memtag init sequence

Based on following observations on FVP:
With boot_init_memtag called before MMU enable, DC GZA hits an alignment
fault. This is because all accesses are of device type when MMU is off.
Arm ARM states for DC GZA: "If the memory region being modified is any
type of Device memory, this instruction can give an alignment fault."
Moving boot_init_memtag after MMU enable, DC GZA hits a permission
fault, this is because the range returned by core_mmu_get_secure_memory
consists of pages mapped RO (text sections) and then RW (data sections)
consecutively. DC GZA is a write instruction executed towards an RO page
leading to a fault.

To fix this, split boot_init_memtag into two halves:
- Setup memtag operations before MMU is enabled such that MAIR_EL1 is
properly configured for normal tagged memory.
- Clear core TEE RW sections after MMU is enabled.

Closes: https://github.com/OP-TEE/optee_os/issues/6649
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
[jw rewrote boot_clear_memtag()]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

5d2d37cd 09-Feb-2024 Etienne Carriere <etienne.carriere@foss.st.com>

ta: pkcs11: Clarify context reference in step_symm_operation()

Function step_symm_operation() defines a local variable to reference
the session processing context but uses both session reference and
this local variable which can be confusing when reading the code. Change
the implementation to only use the local variable for consistency. No
functional changes.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

3844bc98 14-Mar-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: introduce CFG_NOTIF_TEST_WD

Add CFG_NOTIF_TEST_WD to control if the notification based test watchdog
should be enabled.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

82631bd4 13-Mar-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: add CFG_CALLOUT

Add CFG_CALLOUT with a default value assigned from CFG_CORE_ASYNC_NOTIF
to control if the callout service should be enabled.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

fc59f3d8 13-Mar-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: notif: assert callback is unpaged

Add an assert that the atomic_cb() pointer in notif_register_driver()
points to an unpaged address since the callback function will be called
from an interrupt handler and must not be paged.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

c5b5aca0 13-Mar-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: callout: assert callback is unpaged

Add an assert that the callback parameter passed to callout_add() points
to an unpaged address since the callback function will be called from an
interrupt handler and must not be paged.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

fd3f2d69 13-Mar-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: add missing DECLARE_KEEP_PAGER()

Adds missing DECLARE_KEEP_PAGER() for timer_desc, timer_itr_cb(),
arm_cntpct_time_source, wd_ndrv_atomic_cb(), and periodic_callback().
All possibly accessed from an interrupt handler and must not be paged.

Fixes: cf707bd0d695 ("core: add callout service")
Fixes: 5b7afacfba96 ("core: arm64: implement timer_init_callout_service()")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

7c9a7b0c 02-Mar-2024 Etienne Carriere <etienne.carriere@foss.st.com>

plat-synquacer: use cpu_spin_lock_xsave() and friend

Change RNG PTA implementation for synquacer platform to use helper
functions cpu_spin_lock_xsave() and cpu_spin_unlock_xrestore() instead
of calling thread_mask_exceptions()/cpu_spin_lock() pair and
thread_set_exceptions()/cpu_spin_unlock() pair. This makes the
implementation more consistent.

No functional change.

Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
