core: reset cancellation mask on TA exit

Before this patch, the TA cancellation mask was only reset when the
session was created, but the GP spec requires the cancellation mask to
be reset each time

core: reset cancellation mask on TA exit

Before this patch, the TA cancellation mask was only reset when the
session was created, but the GP spec requires the cancellation mask to
be reset each time a TA is entered via one of its entry points. So fix
this by resetting the cancellation mask each time a TA returns.

Link: https://github.com/OP-TEE/optee_test/issues/731
Fixes: b01047730e77 ("Open-source the TEE Core")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ci: add QEMUv7 job

Add a job to build and run tests with QEMU for Arm v7 (32-bit). The
build flags are imported from the IBART job definition [1] since
IBART is being deprecated. CFG_ENABLE_EMBEDDED

ci: add QEMUv7 job

Add a job to build and run tests with QEMU for Arm v7 (32-bit). The
build flags are imported from the IBART job definition [1] since
IBART is being deprecated. CFG_ENABLE_EMBEDDED_TESTS=n is dropped
however.

The job uses a new container image from the Docker Hub:
jforissier/optee_os_ci:qemu_check [2]. The source code (Dockerfile)
is at [3]. It is almost the same as the one used for QEMUv8
(jforissier/optee_os_ci:qemuv8_check2) except that
it contains a more generic "get_optee.sh [<platform>] [<destination>]"
script (which can clone any patform) and also includes two missing
packages that are required for QEMUv7 build (libgmp-dev and libmpc-dev).
The QEMUv8 jobs will be updated to switch to the newer image in a
subsequent commit.

Link: https://github.com/jbech-linaro/ibart/blob/b585163626341864790398df6489c9556e0b20f1/jobdefs/examples/optee_qemu.yaml#L40C26-L40C176 [1]
Link: https://hub.docker.com/r/jforissier/optee_os_ci/tags?page=1&name=qemu_check [2]
Link: https://github.com/jforissier/docker_optee_os_ci/tree/qemu_check [3]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

vexpress-qemu_armv8a: increase CFG_CORE_HEAP_SIZE to 131072

Set the default core heap size for QEMUv8 to 128K because 64K is not
enough to complete the "make check" test with CFG_RPMB_FS=y
CFG_RPMB_

vexpress-qemu_armv8a: increase CFG_CORE_HEAP_SIZE to 131072

Set the default core heap size for QEMUv8 to 128K because 64K is not
enough to complete the "make check" test with CFG_RPMB_FS=y
CFG_RPMB_WRITE_KEY=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: stm32_i2c: protect bus access with a mutex

Protect concurrent accesses to an STM32 I2C bus with a PM aware mutex.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by:

drivers: stm32_i2c: protect bus access with a mutex

Protect concurrent accesses to an STM32 I2C bus with a PM aware mutex.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: firewall: stm32_rifsc: remove use of CFG_PM

Remove use of CFG_PM from STM32 RIFSC driver since this configuration
switch is not defined in OP-TEE OS.

Reviewed-by: Gatien Chevallier <gatien

drivers: firewall: stm32_rifsc: remove use of CFG_PM

Remove use of CFG_PM from STM32 RIFSC driver since this configuration
switch is not defined in OP-TEE OS.

Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_rng: remove use of CFG_PM

Remove use of CFG_PM from STM32 RNG driver since this configuration
switch is not defined in OP-TEE OS.

Reviewed-by: Gatien Chevallier <gatien.chevallier@fo

drivers: stm32_rng: remove use of CFG_PM

Remove use of CFG_PM from STM32 RNG driver since this configuration
switch is not defined in OP-TEE OS.

Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: crypto: stm32_cryp: add pm to CRYP driver

Add power management support to the CRYP driver through suspend/resume
callbacks.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Sig

drivers: crypto: stm32_cryp: add pm to CRYP driver

Add power management support to the CRYP driver through suspend/resume
callbacks.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: crypto: stm32_cryp: add delay when resetting CRYP peripheral.

Add 2 us of delay between reset assert and reset deassert to ensure the
peripheral is properly reset.

Signed-off-by: Thomas Bo

drivers: crypto: stm32_cryp: add delay when resetting CRYP peripheral.

Add 2 us of delay between reset assert and reset deassert to ensure the
peripheral is properly reset.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: crypto: stm32_cryp: remove reset binding requirements

Remove panic during probe when "resets" property is not found because
it's optional in most cases.

Signed-off-by: Thomas Bourgoin <tho

drivers: crypto: stm32_cryp: remove reset binding requirements

Remove panic during probe when "resets" property is not found because
it's optional in most cases.

Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci.yml: add a make command to build HPRE code

Add a make command of CFG_HISILICON_ACC_V3=y

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

ci.yml: add a make command to build HPRE code

Add a make command of CFG_HISILICON_ACC_V3=y

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: hisilicon: init HPRE hardware block

The HiSilicon HPRE is a High Performance RSA Engine.
This module implement the hardware initialization of
the HPRE.

Signed-off-by: loubaihui <lo

drivers: crypto: hisilicon: init HPRE hardware block

The HiSilicon HPRE is a High Performance RSA Engine.
This module implement the hardware initialization of
the HPRE.

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: remame WD to OPTEE_OS_TO_TEST

WD is not a very good variable name, it stands for "working directory"
but does not express what this directory contains. Use OPTEE_OS_TO_TEST
instead, since it is

ci: remame WD to OPTEE_OS_TO_TEST

WD is not a very good variable name, it stands for "working directory"
but does not express what this directory contains. Use OPTEE_OS_TO_TEST
instead, since it is actually the optee_os directory checked out by CI
(i.e., the current branch or PR to test).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

ci: update QEMUv8 jobs to use newer Docker image

Update the QEMUv8 jobs to use the newer Docker image:
jforissier/optee_os_ci:qemu_check, which has a more generic script to
clone the OP-TEE environm

ci: update QEMUv8 jobs to use newer Docker image

Update the QEMUv8 jobs to use the newer Docker image:
jforissier/optee_os_ci:qemu_check, which has a more generic script to
clone the OP-TEE environment [1].

Link: https://github.com/jforissier/docker_optee_os_ci/blob/qemu_check/get_optee.sh [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: kernel: Fix typo in __do_panic()

Must be "preemption" instead of "prehemption".

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

drivers: regulator: use mutex_pm_aware

Use newly introduced struct mutex_pm_aware semaphore to protect
regulator accesses.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Eti

drivers: regulator: use mutex_pm_aware

Use newly introduced struct mutex_pm_aware semaphore to protect
regulator accesses.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: clk: replace clock main spinlock with a mutex

Change clock framework lock from an interrupts masked spinning lock
to a mutex. This allows the clock framework to better handle slow
stabilizi

drivers: clk: replace clock main spinlock with a mutex

Change clock framework lock from an interrupts masked spinning lock
to a mutex. This allows the clock framework to better handle slow
stabilizing clocks as PLLs without masking the system interrupt
which can have side effects on the REE or even the TEE.

To support clock accesses during low power state transition sequences
while non-secure world is no operating, the lock is not taken when
the execution is not in the scope of a TEE thread.

This change is not expected to impact supported platforms that currently
only access clock operation from thread contexts or atomic PM sequences.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: mutex compliant with PM sequences

Add mutex_pm_aware_*() functions for mutex used on resources accessed
at runtime using a conventional mutex and also during low power
sequences that e

core: kernel: mutex compliant with PM sequences

Add mutex_pm_aware_*() functions for mutex used on resources accessed
at runtime using a conventional mutex and also during low power
sequences that execute in a non-thread context.

This change defines MUTEX_PM_AWARE_INITIALIZER macro from a new
header file (mutex_pm_aware.h) instead of existing mutex.h to prevent
a circular dependency between spinlock.h (requires thread.h), thread.h
(indirectly includes mutex.h) and mutex.h (that would depend on
spinlock.h for definition of the SPINLOCK_UNLOCK macro ).

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: thread spin locking

Add thread_spin_lock() and thread_spin_unlock() for active spinning
locks in situation where we need an exclusive lock in a thread and
interruptible context even at

core: kernel: thread spin locking

Add thread_spin_lock() and thread_spin_unlock() for active spinning
locks in situation where we need an exclusive lock in a thread and
interruptible context even at the cost of a high CPU usage.

These function are intended to be used in thread context hence
they assert being executed in such a context. This is to prevent
on mistakenly spin in an atomic context which potentially leads
to a deadlock situation.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception level as the SPMC. This means that the SPMC and the SP
should have separate FF-A IDs, i.e. the SPMC ID and a normal endpoint ID
for the SP. The SPMC ID is described in the SPMC manifest which gets
parsed by the SPMD, so this ID should be queried from the SPMD. OP-TEE's
endpoint ID is assigned by the SPMC.

Currently OP-TEE's FF-A endpoint ID and the SPMC ID are mixed together
and hardcoded, this patch implements the correct ID handling mechanism
as described above.

Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: riscv: Prepare SATP for each hart

To support multiple harts environment, we have allocated root page table
for each hart. Further more, we need to prepare value of CSR SATP, which
holds the ph

core: riscv: Prepare SATP for each hart

To support multiple harts environment, we have allocated root page table
for each hart. Further more, we need to prepare value of CSR SATP, which
holds the physical page number (PPN) of the root page table, for each
hart.

This commit enlarges the "struct core_mmu_config" for RISC-V
architecture to hold the value of CSR SATP for all the harts. In early
boot stage, each hart should initialize its CSR SATP from "struct
core_mmu_config".

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: riscv: Allocate root page table for each hart

To support multiple hart environment, each hart must have its dedicated
root page table. This commit enlarges the root page table. Also, when
the

core: riscv: Allocate root page table for each hart

To support multiple hart environment, each hart must have its dedicated
root page table. This commit enlarges the root page table. Also, when
the primary hart initializes the page table, we also copy the contents
of its root page table to the secondary harts' root page tables.
Therefore, all the harts have initial page tables at the boot time.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci: qemuv8: add test case with CFG_WITH_PAGER=y

Add a "make check" test with pager enabled on QEMUv8.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.

ci: qemuv8: add test case with CFG_WITH_PAGER=y

Add a "make check" test with pager enabled on QEMUv8.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: arm64: increase STACK_ABT_SIZE from 1024 to 3072 when log level is 0

When adding "make check CFG_WITH_PAGER=y CFG_TEE_CORE_LOG_LEVEL=0" to
the QEMUv8 CI job, I noticed that OP-TEE fails to boo

core: arm64: increase STACK_ABT_SIZE from 1024 to 3072 when log level is 0

When adding "make check CFG_WITH_PAGER=y CFG_TEE_CORE_LOG_LEVEL=0" to
the QEMUv8 CI job, I noticed that OP-TEE fails to boot and hangs with no
message printed on the console. The root cause is memory corruption of
the translation tables triggered by a stack overflow. Indeed, the pager
uses the abort stack to handle unmapped pages, and therefore it requires
quite a bit of stack space. The log level is not very relevant.
Therefore, fix the issue by removing the particular case for log level 0.

More debugging info:

build$ make -j$(nproc) CFG_WITH_PAGER=y CFG_TEE_CORE_LOG_LEVEL=0 \
CFG_CORE_ASLR=n
build$ aarch64-linux-gnu-nm -n ../optee_os/out/arm/core/tee.elf
...
000000000e115000 B __nozi_start
000000000e115000 b thread_user_kdata_page
000000000e116000 b xlat_tables_ul1
000000000e118000 b xlat_tables
000000000e11d000 b base_xlation_table
000000000e11d100 B __nozi_end
000000000e11d100 B __nozi_stack_start
000000000e11d100 b stack_abt
000000000e11e200 B stack_tmp
...
build$ make run-only
optee_qemuv8$ gdb-multiarch
(gdb) symbol-file optee_os/out/arm/core/tee.elf
(gdb) target remote localhost:1234
(gdb) p sizeof(base_xlation_table)
$1 = 256
(gdb) watch *(char [256]*)base_xlation_table
(gdb) c # 5 times
Thread 1 hit Hardware watchpoint 1: *(char [256]*)base_xlation_table
(gdb) bt

At this point the call stack is:

hash_sha256_check()
fobj_load_page()
pager_deploy_page()
pager_get_page()
tee_pager_handle_fault()
abort_handler()
el1_sync_abort()

This code is indeed not supposed to touch base_xlation_table, it does
so due to the overflow of stack_abt.

Suggested-by: Jens Wikander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: replace REGISTER_TIME_SOURCE()

Remove REGISTER_TIME_SOURCE() and implement tee_time_get_sys_time() and
tee_time_get_sys_time_protection_level() directly in the file where
REGISTER_TIME_SOURCE(

core: replace REGISTER_TIME_SOURCE()

Remove REGISTER_TIME_SOURCE() and implement tee_time_get_sys_time() and
tee_time_get_sys_time_protection_level() directly in the file where
REGISTER_TIME_SOURCE() was used previously.

By avoiding indirect calls the linker can optimize the dependency tree
properly and we can remove the DECLARE_KEEP_PAGER() directive needed for
arm_cntpct_time_source.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: riscv: Apply SM-based boot flow for secondary harts

When the system adopts M-mode secure monitor based solution, the
secondary harts need to hand over the control back to the secure
monitor af

core: riscv: Apply SM-based boot flow for secondary harts

When the system adopts M-mode secure monitor based solution, the
secondary harts need to hand over the control back to the secure
monitor after the initial boot sequence. Add related code for this
purpose.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...