| ef780a33 | 09-Jan-2026 |
Neal Frager <neal.frager@amd.com> |
zynqmp: add flavors for kria starter kits
Add PLATFORM_FLAVOR for kd240, kr260 and kv260 kria starter kits.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Acked-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Ricardo Salveti <ricardo@foundries.io>
|
| 5aba4fa1 | 05-Jan-2026 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: only dump ftrace buffer with TA mapped
The ftrace buffer is mapped in secure user space. The dump_ftrace() callback must only be called if the buffer is mapped. During TA panic the dump_ftrace() might get called as part of the TA context cleanup and cause a crash. So fix this by skipping the dump_ftrace() callback during those occasions.
Fixes: 17513217b24c ("ftrace: dump ftrace after every ta_entry")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
|
| 981a9bd5 | 08-Jan-2026 |
Jens Wiklander <jens.wiklander@linaro.org> |
MAINTAINERS: update Etienne's e-mail address
Update Etienne's e-mail address.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 0821d22f | 29-Dec-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
MAINTAINERS: update Ahmed's e-mail address
Update Ahmed's e-mail address.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 0ad742b8 | 29-Dec-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
MAINTAINERS: remove Amit (AllWinner sun50i A64)
Amit's email bounces, therefore remove him from MAINTAINERS. Since there's no one left for AllWinner sun50i A64, change its status from Maintained to Orphan.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| f868b029 | 29-Dec-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
MAINTAINERS: update Joakim's details
Update Joakim's email address and GitHub handle.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| fde0cbdd | 29-Dec-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
MAINTAINERS: update Jerome's e-mail address
Update Jerome's e-mail address.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Joakim Bech <joakim.bech@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 2ac77846 | 04-Jan-2026 |
Yu-Chien Peter Lin <peter.lin@sifive.com> |
core: riscv: kernel: simplify hartid query API
The thread_get_hartid_by_hartindex() function is removed as there is no need to query remote hartids. Additionally, using this API before secondary hart initialization would return incorrect values.
Replace with the simpler thread_get_hartid() which returns the current hart's ID reliably.
Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| 9ce47d06 | 19-May-2025 |
Yu-Chien Peter Lin <peter.lin@sifive.com> |
core: riscv: kernel: add hart index sanity check
Add debug-only bounds checking in __get_core_pos() to prevent out-of-bounds array access into per-core data structures.
Signed-off-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Reviewed-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| 19dc9e1b | 18-Dec-2025 |
Martin Nyhus <martin@nyhus.dev> |
drivers: caam: improve empty aad updates
In caam_ae_update_aad an update without data was already handled as long as the data pointer was NULL. This change updates the logic to also account for the case where the pointer is non-null but the length is zero. When that was the case caam_cpy_buf would exit early without allocating, leaving aad->data as NULL, making caam_cpy_block_src fail.
This was found through the Android Keymint tests because Rust represents empty buffers (Rust slices) with a non-null pointer and length 0.
Fixes: faaf0c5975d2 ("drivers: caam: Add AES GCM")
Signed-off-by: Martin Nyhus <martin@nyhus.dev>
Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
|
| 2949576e | 06-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
core: pta: add Rockchip secure boot PTA
The S_OTP area for the Rockchip secure boot RSA hash and status register is accessible only from the secure world. Thus, secure boot must be enabled from the secure world on these boards.
The PTA implements 3 functions:
1. Ask the TA from the non-secure world about the current status and hash of the hardware. This allows to inspect the current status of secure boot on a specific device.
2. Write an RSA hash into the OTP fuses. It's the responsibility of the user to calculate the hash and ensure that it matches the key, which will be used to sign the images.
3. Actually lockdown the device by enabling secure boot. This is a separate step to allow the user to verify the setup before potentially bricking a device.
With these functions, a user may use a client running in the normal world (for example in a boot loader or operating system) to enable secure boot on a Rockchip device.
Implementing secure boot setup as an OP-TEE PTA has the advantage that secure boot can be enabled at any time during the device setup instead of during early boot. This allows a developer/user or additional scripts to interact with the secure boot setup process.
The hash of the root key is accepted and reported as calculated by sha256sum and internally converted to the correct byte order that needs to be burned into the fuses.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| fabad06f | 07-Aug-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: define more OTP indexes
The OTP area contains other values in addition to the HW_UNIQUE_KEY. For example, the SECURE_BOOT_STATUS and the RSA_HASH, which are used by the ROM code to verify booted images, are located there as well.
Define the index (in 32 bit words) and length (in 32 bit words) of these values, too, to allow applications to read and write these locations.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 17513217 | 01-Sep-2025 |
Leo Chen <shf.chen@mediatek.com> |
ftrace: dump ftrace after every ta_entry
This patch implements the feature to dump ftrace buffer to tee_supplicant after every entry to the ta. To implement the feature, this patch does some modification to the ftrace dumping process and adds a new config CFG_FTRACE_DUMP_EVERY_ENTRY to control this behavior. This can reduce the chance of losing the ftrace data due to not enough ftrace buffer and make debugging long-lived TA possible.
Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
|
| 8cf1b253 | 01-Dec-2025 |
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com> |
MAINTAINERS: extend the Qualcomm entry
Add myself as platform/driver co-maintainer
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Reviewed-by: Tony Hamilton <tonyh@qti.qualcomm.com>
|
| 18744052 | 08-Dec-2025 |
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com> |
plat: qcom: add platform banner
Display a basic platform banner.
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Reviewed-by: Tony Hamilton <tonyh@qti.qualcomm.com>
|
| ff114e13 | 16-Dec-2025 |
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com> |
drivers: qcom: prng: add PRNG driver
The Qualcomm PRNG hardware generates cryptographic keys and random numbers.
The PRNG is configured by the first-stage bootloader. This includes the reseed frequency.
This driver only consumes the generated output.
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Reviewed-by: Tony Hamilton <tonyh@qti.qualcomm.com>
|
| c037ba51 | 28-Nov-2025 |
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com> |
drivers: qcom: ramblur: configure pIMEM access
Configure memory access to enable execution of Trusted Applications.
OP-TEE and its Trusted Applications execute from pIMEM, a region protected by the RAMBLUR IP block.
RAMBLUR provides anti-rollback protection as well as confidentiality and integrity guarantees for the memory region under its control.
Any agent accessing the pIMEM-protected region performs normal reads or writes to the pIMEM address range in the SNoC. The SNoC routes these transactions to the pIMEM slave port, and pIMEM remasters them to DDR.
For write transactions, pIMEM applies the required cryptographic operations before committing data to DDR.
For read transactions, pIMEM applies the corresponding cryptographic operations before returning the data from DDR to the requesting master.
The reserved DDR region used by pIMEM to store cryptographically processed data and associated cryptographic state is referred to as the pIMEM vault.
With the current U-Boot (tag 2026.01-rc3), the pIMEM Vault DDR reservation is derived from the TZ node in U-Boot’s built-in device tree (specifically the trusted_apps_mem reserved-memory node).
U-Boot uses this node to construct the EFI memory map that is later passed to the kernel.
A future update will remove this dependency on the built-in device tree. Instead, U-Boot will obtain the memory configuration directly from SMEM. Because of this transition, the current version of the driver does not generate a DT overlay for U-Boot to consume.
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Reviewed-by: Tony Hamilton <tonyh@qti.qualcomm.com>
|
| 2ff02bfa | 17-Dec-2025 |
Jerome Forissier <jerome.forissier@linaro.org> |
libutee: make TEE_SetOperationKey2() panic if operation is NULL or not in initial state
The Internal Core API specification v1.3.1 has the following panic conditions for TEE_SetOperationKey2(), same as v1.1:
- If operation is not a valid opened operation handle.
- If operation is not in initial state.
Therefore, it should call __GP11_TEE_SetOperationKey2() not the internal function set_operation_key2(). Then operation is guaranteed to be non-NULL and the test may be replaced by an assertion.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 854ea122 | 16-Dec-2025 |
Jerome Forissier <jerome.forissier@linaro.org> |
libutee: make TEE_SetOperationKey() panic if handle state is initialized
According to the TEE Internal Core API specification v1.3.1 section 6.2.6, TEE_SetOperationKey() should panic if the flag TEE_HANDLE_FLAG_INITIALIZED is set on the operation. Update TEE_SetOperationKey() accordingly.
A NULL operation should cause a panic, too. Since this condition is caught in both TEE_SetOperationKey() and __GP11_TEE_SetOperationKey(), we can drop the NULL check in set_operation_key() and assert instead.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 6cb05ea9 | 07-Oct-2025 |
Michael Tretter <m.tretter@pengutronix.de> |
plat-rockchip: rk3588: assert buffer is size of HUK
The size of the buffer that is used to persist the HUK in the OTP and the size of the buffer that is used to read the HUK from the OTP must have the same size as the HUK key data.
Add a static_assert to ensure that this is actually the case.
Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ce964642 | 16-Dec-2025 |
Jerome Forissier <jerome.forissier@linaro.org> |
ci: add Clang build with log level 0 and no debug
Clang sometimes warns about unused variables that GCC doesn't report. For example, see [1]. Therefore, add a "release" build of OP-TEE with Clang to the CI.
Link: https://github.com/OP-TEE/optee_os/pull/7654
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 3eb82efa | 16-Dec-2025 |
Leo Chen <shf.chen@mediatek.com> |
core: user_mode_ctx: fix unused warning when disable log
When compiled with clang 22.0 and set CFG_TEE_CORE_LOG_LEVEL to 0, the variable n becomes unused and the compiler generates a warning, which can fail the build process if -Werror is enabled.
core/kernel/user_mode_ctx.c:14:9: warning: variable 'n' set but not used [-Wunused-but-set-variable]
   14 |         size_t n = 0;
      |                ^
1 warning generated.
Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| e4a86928 | 12-Dec-2025 |
Jens Wiklander <jens.wiklander@linaro.org> |
ci: disable regression_1034 for SPMC_AT_EL=2
The regression test case 1034 loads a large TA that, depending on how fragmented the memory used by tee-supplicant is, can use more memory than usual to describe the physical pages involved. For Hafnium this can cause a panic since it expects that everything should fit in 4 kB.
Here's an error log with the Hafnium panic:
D/TC:3 0 mobj_ffa_get_by_cookie:684 Populating mobj from rx buffer, cookie 0x3
Panic: check failed (ffa_retrieved_memory_region_init( retrieve_request, to_locked.vm->ffa_version, HF_MAILBOX_SIZE, memory_region->sender, attributes, memory_region->flags, handle, permissions, receiver, 1, memory_access_desc_size, composite->page_count, composite->constituent_count, share_state->fragments[0], share_state->fragment_constituent_counts[0], &total_length, &fragment_length)) at ../../src/ffa_memory.c:3437
[ 102.392292] rcu: INFO: rcu_preempt detected stalls
The log above is from a build with Hafnium v2.12.0, but the error also exists in the latest version, v2.14.0. This is obviously a bug, but until it's resolved disable the troublesome test case.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| a4ca182f | 11-Nov-2025 |
Hugues KAMBA MPIANA <hugues.kambampiana@arm.com> |
plat-corstone1000: Add Cortex-A320 support
Convert arm64-platform-cpuarch from a hard-coded cortex-a35 into a “?=” (default) assignment so users can override it (for example to cortex-a320) via the make command line.
The Cortex-A320 core is not yet supported via -mcpu=cortex-a320. When arm64-platform-cpuarch is set to cortex-a320, switch to -march=armv9.2-a.
The new Corstone-1000 variant with Cortex-A320 replaces the original GIC-400 (v2) interrupt controller with a GIC-600, which is architecturally compliant with GICv3. Since OP-TEE already provides a generic GICv3 driver, only minimal platform changes are needed to expose the updated register map and initialize the GICv3 interface.
**Changes introduced**
* When `cortex-a320` is selected:
  * Force `CFG_ARM_GICV3=y`.
  * Map the Redistributor region (`GICR_BASE`).
  * Use `gic_init_v3(…)` instead of the v2 helper for Cortex-A320 builds.
* Add `GICR_BASE`, `GIC_REDIST_REG_SIZE`, and related offsets.
* Retain legacy `GICC_BASE` definitions under the GICv2 path so that the Cortex-A35 + GIC-400 variant continues to build unchanged.
Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 0ed15f88 | 28-Jul-2025 |
Aniket Sarkar <a-sarkar1@ti.com> |
plat-k3: drivers: Add support for TI mailbox driver
New devices like the AM62L use a mailbox to communicate with the security firmware. Add mailbox driver here to support the mailbox hardware.
Sign
plat-k3: drivers: Add support for TI mailbox driver
New devices like the AM62L use a mailbox to communicate with the security firmware. Add mailbox driver here to support the mailbox hardware.
Signed-off-by: Aniket Sarkar <a-sarkar1@ti.com> Signed-off-by: Suhaas Joshi <s-joshi@ti.com> Reviewed-by: Andrew Davis <afd@ti.com>
show more ...
|