| 058cf712 | 10-Nov-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Do not restrict primary hart to hart ID 0 only
The ID of primary hart should not be restricted to zero. Thus, determining primary hart and secondary harts by zero hart ID is not feasible.
We refer to RISC-V linux kernel [1] to fix this issue, by adding a "hart_lottery" variable. The first hart who enters OP-TEE will win the lottery, atomically increment this variable, and be the primary hart. Other harts that enter OP-TEE later won't win the lottery, so they execute the secondary boot sequence.
[1]: https://github.com/torvalds/linux/blob/v6.7/arch/riscv/kernel/head.S#L244
Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| 1706a284 | 23-Jan-2024 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Change the condition of communication with untrusted domain
Use CFG_RISCV_WITH_M_MODE_SM to determine if OP-TEE uses M-mode secure monitor based solution to communicate with the untrusted domain.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| 83abc784 | 23-Jan-2024 |
Alvin Chang <alvinga@andestech.com> |
riscv: plat-virt: Set CFG_RISCV_WITH_M_MODE_SM as 'y'
In RISC-V QEMU virtual platform, OP-TEE OS uses M-mode secure monitor based solution to communicate with the untrusted domain. Therefore, set CFG_RISCV_WITH_M_MODE_SM to 'y' in its configuration file.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| a30b4486 | 23-Jan-2024 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Add CFG_RISCV_WITH_M_MODE_SM and dependency checking
OP-TEE may communicate with the untrusted domain by different solutions, such as M-mode secure monitor based solution, or direct messaging based solution. This commit adds CFG_RISCV_WITH_M_MODE_SM to indicate that OP-TEE uses M-mode secure monitor based solution for the communication.
The CFG_RISCV_WITH_M_MODE_SM should depend on CFG_RISCV_S_MODE and CFG_RISCV_SBI, since we are using "ecall" to trap into M-mode secure monitor.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| ea11f512 | 23-Oct-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Apply mask/unmask exceptions when operating page table
Add missing thread_{mask/unmask}_exceptions() when we operate the page table. This is referenced from ARM architecture.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| d1d1ca23 | 23-Oct-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Apply STATUS helper for RPC resume
Since RPC resume is a kind of exception return, we invoke xstatus_for_xret() to prepare the CSR STATUS for exception return. But the actual value of STATUS when calling thread_rpc() is still saved in stack. This is to unify the behavior between RPC suspend and resume.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| de45f2fb | 23-Oct-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Apply exception return to handle_user_mode_panic()
Now thread_exit_user_mode() executes exception return to kernel mode. Invoke xstatus_for_xret() helper function to prepare CSR STATUS for exception return.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| 4fe3a3f7 | 23-Oct-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Refine thread trap handler
In order to support SMP, we made change on CSR SCRATCH from kernel stack pointer to be kernel TP(thread_core_local). So that we can get TP from SCRATCH easily in trap handler when the thread is in user mode. We also save/restore CSR IE, kernel GP and SP so that we can handle task migration to another hart.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| b5bb30b3 | 23-Oct-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Refine thread enter/exit user mode
Now when thread is in user mode, the kernel TP is saved into CSR SCRATCH instead of into kernel stack. The IE is also considered since it contains masks of different exceptions.
Apply exception return to thread_exit_user_mode() to let hart correctly back to kernel mode from exception.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| 09653bca | 23-Oct-2023 |
Alvin Chang <alvinga@andestech.com> |
core: riscv: Apply exception return to resume thread
In current implementation, the thread is resumed by function return. It is not suitable for all scenarios, especially when the thread should be resumed to user mode. The kernel mode can not return to user mode by pure function return.
This commit applies exception return to resume the thread. The EPC and IE are added into thread context. The xstatus_for_xret() helper function is added to prepare the value of CSR STATUS for exception return. Currently we only consider PIE(previous interrupt-enable) and PP(previous privilege mode) for exception return.
We clear thread context when the context is reinitialized, enable native interrupt, and setup kernel GP/TP. The thread_resume() now takes care of restoring CSR EPC, STATUS, IE, SCRATCH and all general-purpose registers. Finally it executes exception return to target privilege mode encoded in CSR STATUS. The registers GP and TP are also restored since user mode may use them.
This commit also modifies the usage of CSR SCRATCH. In current implementation the SCRATCH is used to save kernel stack pointer when the thread is in user mode. The value of TP, which stores thread_core_local structure, is saved into kernel stack before entering user mode. The trap handler can then get TP(thread_core_local) from kernel stack. This is not suitable for SMP system, since the thread might be resumed to another core, and that core gets wrong TP from kernel stack. Fix it by directly storing TP into CSR SCRATCH.
Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com> Tested-by: Marouene Boubakri <marouene.boubakri@nxp.com>
|
| b2f99d20 | 01-Feb-2024 |
Olivier Deprez <olivier.deprez@arm.com> |
core: boot: fix memtag init sequence
Based on following observations on FVP: With boot_init_memtag called before MMU enable, DC GZA hits an alignment fault. This is because all accesses are of device type when MMU is off. Arm ARM states for DC GZA: "If the memory region being modified is any type of Device memory, this instruction can give an alignment fault." Moving boot_init_memtag after MMU enable, DC GZA hits a permission fault, this is because the range returned by core_mmu_get_secure_memory consists of pages mapped RO (text sections) and then RW (data sections) consecutively. DC GZA is a write instruction executed towards an RO page leading to a fault.
To fix this, split boot_init_memtag into two halves:
- Setup memtag operations before MMU is enabled such that MAIR_EL1 is properly configured for normal tagged memory.
- Clear core TEE RW sections after MMU is enabled.
Closes: https://github.com/OP-TEE/optee_os/issues/6649 Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> [jw rewrote boot_clear_memtag()] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 5d2d37cd | 09-Feb-2024 |
Etienne Carriere <etienne.carriere@foss.st.com> |
ta: pkcs11: Clarify context reference in step_symm_operation()
Function step_symm_operation() defines a local variable to reference the session processing context but uses both session reference and this local variable which can be confusing when reading the code. Change the implementation to only use the local variable for consistency. No functional changes.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 3844bc98 | 14-Mar-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce CFG_NOTIF_TEST_WD
Add CFG_NOTIF_TEST_WD to control if the notification based test watchdog should be enabled.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 82631bd4 | 13-Mar-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add CFG_CALLOUT
Add CFG_CALLOUT with a default value assigned from CFG_CORE_ASYNC_NOTIF to control if the callout service should be enabled.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| fc59f3d8 | 13-Mar-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: notif: assert callback is unpaged
Add an assert that the atomic_cb() pointer in notif_register_driver() points to an unpaged address since the callback function will be called from an interrupt handler and must not be paged.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| c5b5aca0 | 13-Mar-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: callout: assert callback is unpaged
Add an assert that the callback parameter passed to callout_add() points to an unpaged address since the callback function will be called from an interrupt handler and must not be paged.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| fd3f2d69 | 13-Mar-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add missing DECLARE_KEEP_PAGER()
Adds missing DECLARE_KEEP_PAGER() for timer_desc, timer_itr_cb(), arm_cntpct_time_source, wd_ndrv_atomic_cb(), and periodic_callback(). All possibly accessed from an interrupt handler and must not be paged.
Fixes: cf707bd0d695 ("core: add callout service") Fixes: 5b7afacfba96 ("core: arm64: implement timer_init_callout_service()") Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a) Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 7c9a7b0c | 02-Mar-2024 |
Etienne Carriere <etienne.carriere@foss.st.com> |
plat-synquacer: use cpu_spin_lock_xsave() and friend
Change RNG PTA implementation for synquacer platform to use helper functions cpu_spin_lock_xsave() and cpu_spin_unlock_xrestore() instead of calling thread_mask_exceptions()/cpu_spin_lock() pair and thread_set_exceptions()/cpu_spin_unlock() pair. This makes the implementation more consistent.
No functional change.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 21773c96 | 02-Mar-2024 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: arm: mm: use thread_unmask_exceptions() where applicable
Change cache_op_outer() to use thread_unmask_exceptions() instead of thread_set_exceptions() as the function unmasks interruptions it previously masked with thread_set_exceptions(). This change makes the implementation more consistent.
No functional change.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 54df46b5 | 12-Jul-2023 |
Etienne Carriere <etienne.carriere@foss.st.com> |
core: arm: use cpu_spin_lock_xsave() in generic timer implementation
Change generic timer driver for Arm 64bit architecture to use helper functions cpu_spin_lock_xsave() and cpu_spin_unlock_xrestore() instead of calling thread_mask_exceptions()/cpu_spin_lock() pair and thread_set_exceptions()/cpu_spin_unlock() pair. This makes the implementation more consistent with the rest of the source tree.
No functional change.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| ad50321f | 08-Mar-2024 |
Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> |
ta: remoteproc: allow remoteproc_load_fw re-entrance
Instead of returning an error if the TA_RPROC_CMD_LOAD_FW is called several times, just return TEE_SUCCESS if the firmware is already loaded.
This commit is the result of a discussion on Linux Kernel mailing list: https://lore.kernel.org/lkml/ZeCujRgH%2FodzU9og@p14s/
Fixes: fcf382e2440c ("ta: remoteproc: add remote processor Trusted Application")
Suggested-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 47bcc886 | 07-Mar-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: notif_send_async(): remove debug print
Remove the debug print D/TC:0 notif_send_async:93 0x0 from notif_send_async().
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| 1c3c4a5f | 06-Feb-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: tests: add a notification test watchdog
Add test watchdog for asynchronous notifications where a timer interrupt triggers an asynchronous notification in the normal world kernel driver. The normal world kernel driver responds by doing an OPTEE_MSG_CMD_DO_BOTTOM_HALF call for bottom half processing. The watchdog checks that there has been a response for each timer interrupt but doesn't take any measures if a response is missing.
The purpose of the test is to exercise asynchronous notifications. Feedback is limited to debug prints on the UART so eventual regressions will not get caught by xtest unless there is a crash.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| d378a547 | 06-Feb-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
plat-vexpress: qemu_armv8: define IT_SEC_PHY_TIMER
Define the interrupt ID of the secure physical timer.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|
| b008cf00 | 01-Feb-2024 |
Jens Wiklander <jens.wiklander@linaro.org> |
plat-vexpress: initialize callout service
If physical timer interrupt is defined, IT_SEC_PHY_TIMER, and OP-TEE isn't virtualized, CFG_CORE_SEL2_SPMC isn't defined, initialize the callout service using that interrupt ID.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
|