plat-vexpress: relax CFG_TEE_CORE_NB_CORE configuration value

Fixes CFG_TEE_CORE_NB_CORE configuration value for all vexpress
platform flavors. Before this change CFG_TEE_CORE_NB_CORE variable
neede

plat-vexpress: relax CFG_TEE_CORE_NB_CORE configuration value

Fixes CFG_TEE_CORE_NB_CORE configuration value for all vexpress
platform flavors. Before this change CFG_TEE_CORE_NB_CORE variable
needed a specific scope to override the default value set by platform
conf.mk file.

Fixes: 24475b562b81 ("plat-vexpress: move CFG_TEE_CORE_NB_CORE to platform conf.mk")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

mk: config: clarify CFG_VIRTUALIZATION is deprecated

Ensures that CFG_VIRTUALIZATION and CFG_NS_VIRTUALIZATION configuration
settings do not conflict. If both are set, they shall have the same
value

mk: config: clarify CFG_VIRTUALIZATION is deprecated

Ensures that CFG_VIRTUALIZATION and CFG_NS_VIRTUALIZATION configuration
settings do not conflict. If both are set, they shall have the same
value.

Clarifies CFG_VIRTUALIZATION is deprecated in mk/config.mk inline
comments.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

mk: config.mk: Explicitly warn about CFG_REE_FS_ALLOW_RESET

CFG_REE_FS_ALLOW_RESET weakens rollback protection of REE FS secure
storage and in turns breaks use-cases like rollback protection of TAs

mk: config.mk: Explicitly warn about CFG_REE_FS_ALLOW_RESET

CFG_REE_FS_ALLOW_RESET weakens rollback protection of REE FS secure
storage and in turns breaks use-cases like rollback protection of TAs
etc. So make it explicit that CFG_REE_FS_ALLOW_RESET is intended for
test purposes only. Also, warn user about the additional threat vectors
if this option is enabled for release build.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

plat-stm32mp1: conf: fix order for CFG_REGULATOR_FIXED

Changes CFG_REGULATOR_FIXED config setting location to match alphabetical
order.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
S

plat-stm32mp1: conf: fix order for CFG_REGULATOR_FIXED

Changes CFG_REGULATOR_FIXED config setting location to match alphabetical
order.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: conf: enable support for GPIO regulators

Enables support for GPIO regulators on platform stm32mp1 when
CFG_STM32_GPIO is enabled.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.

plat-stm32mp1: conf: enable support for GPIO regulators

Enables support for GPIO regulators on platform stm32mp1 when
CFG_STM32_GPIO is enabled.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: regulator: GPIO controlled regulator

Implements a GPIO controlled regulators driver compliant with DT nodes
compatible with regulator-gpio. These regulators use GPIO pins to select
the volt

drivers: regulator: GPIO controlled regulator

Implements a GPIO controlled regulators driver compliant with DT nodes
compatible with regulator-gpio. These regulators use GPIO pins to select
the voltage level. The implementation supports only dual voltage level
selection using a single pin. The DT bindings allows more pins to
select between more voltages but no known platform currently requires
that so we preferred the simplified case.

Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: kernel: tee_ta_manager.c: add uuid in open session error trace

Adds the TA UUID in open session error trace to allow to identify
witch TA cause the issue when debug trace are not acitvated.

B

core: kernel: tee_ta_manager.c: add uuid in open session error trace

Adds the TA UUID in open session error trace to allow to identify
witch TA cause the issue when debug trace are not acitvated.

By the way, fix specifier for res argument that is a uint32_t.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: allow CFG_TZSRAM_START being defined when pager is disabled

Fixes case when a platform configuration defines CFG_TZSRAM_START but
does not use the pager. CFG_TZSRAM_START defines the base

core: arm: allow CFG_TZSRAM_START being defined when pager is disabled

Fixes case when a platform configuration defines CFG_TZSRAM_START but
does not use the pager. CFG_TZSRAM_START defines the based address
of the memory used for resident memory and page pool when CFG_WITH_PAGER
is enabled.

Since below mentioned commit, TZSRAM_BASE being defined makes core_mmu.c
to assume there are 2 secure memories for OP-TEE core internal use. This
change ensures that when CFG_WITH_PAGER is disabled, TZSRAM is not
defined even if the platform configuration sets CFG_TZSRAM_START.

An example of such issues is when testing an STM32MP15 variant of
platform stm32mp1 with pager being disabled. Before this change,
OP-TEE boot sequence fails with a error trace message like:
E/TC:0 0 Panic 'Unexpected TZC configuration on secure region' at core/arch/arm/plat-stm32mp1/plat_tzc400.c:102 <init_stm32mp1_tzc>

Indeed debug trace messages can show that an invalid physical memory
area has been registered by core as TEE_RAM_RO, as shown below. Note that
for that platform, internal secure SYSRAM range is [0x2ffc000 0x30000000]:
D/TC:0 add_phys_mem:667 ram_start type TEE_RAM_RO 0x2ffc0000 size 0xae040000

Fixes: e09739a8a6a1 ("core: core_mmu.c: use secure_only[] where possible")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: scmi_server: report invalid regulator state request

Changes the SCMI return code from SCMI_GENERIC_ERROR to
SCMI_INVALID_PARAMETERS when the requested state is not one of
the 2 suppor

plat-stm32mp1: scmi_server: report invalid regulator state request

Changes the SCMI return code from SCMI_GENERIC_ERROR to
SCMI_INVALID_PARAMETERS when the requested state is not one of
the 2 supported SCMI voltage domain states
(SCMI_VOLTAGE_DOMAIN_CONFIG_ARCH_ON or
SCMI_VOLTAGE_DOMAIN_CONFIG_ARCH_OFF).

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32mp15: USBPHY regulator is always-on on ST boards

Sets property regulator-always-on on USB-PHY regulator supply for
ST boards DK1/DK2/ED1/EV1.

This fixes an issue in the commit that integr

dts: stm32mp15: USBPHY regulator is always-on on ST boards

Sets property regulator-always-on on USB-PHY regulator supply for
ST boards DK1/DK2/ED1/EV1.

This fixes an issue in the commit that integrated the regulator
framework in stm32mp1 scmi_server. On the mentioned boards, the
PWR USB3.3V regulator, exposed through SCMI to Linux/U-Boot, is
supplied by a PMIC regulator (named vdd_usb). The PMIC is connected
on an I2C bus currently assigned to non-secure world as used by mainline
Linux kernel and U-Boot for these boards. Therefore, OP-TEE can
access the PMIC at boot time to enable that PMIC regulator but not
at runtime as it could conflict with Linux kernel/U-Boot accesses on
that bus. Setting that PMIC regulator always-on on OP-TEE side
prevents OP-TEE from accessing the I2C bus to disable PMIC vdd_usb
regulator at runtime when Linux or U-Boot disable the PWR USB-3.3V
regulator using PWR regulator service exposed through SMCI.

On these boards, Linux and U-Boot are not expected to disable this
PMIC regulator. If so, the effect would be that SCMI requests to
enable to enable PWR USB-3.3V would simply return a failure code
and Linux/U-Boot USB stack to not be functional. OP-TEE core itself
does not use any USB resources on these platforms.

A ideal solution would be to assign that I2C bus to OP-TEE
(harden its secure configuration) but mainline Linux and U-Boot
packages are not yet ready for this due to legacy configuration
of these components for the devices connected on these boards. This
will come once mainline Linux kernel and U-Boot are ready.

Fixes: 23e200628dad ("plat-stm32mp1: scmi_server: use registered regulators")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: scmi_server: fix regulator framework integration

Fixes the return value when an SCMI regulator is already in
the expected state. Prior this change the implementation returned
SCMI_GEN

plat-stm32mp1: scmi_server: fix regulator framework integration

Fixes the return value when an SCMI regulator is already in
the expected state. Prior this change the implementation returned
SCMI_GENERIC_ERROR instead of SCMI_SUCCESS.

Fixes: 23e200628dad ("plat-stm32mp1: scmi_server: use registered regulators")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: fix inline comment on async notif interrupt

Fixes the inline comment that describes allowed values for
CFG_CORE_ASYNC_NOTIF_GIC_INTID that can be a SPI or a secure PPI.

Fixes: 9439728550

core: arm: fix inline comment on async notif interrupt

Fixes the inline comment that describes allowed values for
CFG_CORE_ASYNC_NOTIF_GIC_INTID that can be a SPI or a secure PPI.

Fixes: 943972855082 ("core: notif: allow GIC_PPI usage for async notif")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: CFG_INSECURE=y allows insecure RCC configuration

Changes STM32MP1 shared resources to allow insecure RCC protection
with peripherals assigned to secure world when CFG_INSECURE is
enab

plat-stm32mp1: CFG_INSECURE=y allows insecure RCC configuration

Changes STM32MP1 shared resources to allow insecure RCC protection
with peripherals assigned to secure world when CFG_INSECURE is
enabled. This means for example that some SoC resources can be assigned
to OP-TEE without their clock and reset controllers being effectively
protected from non-secure accesses. Such configuration can be useful
for development and test purposes.

This change does not affect devices provisioned with secret that are
in so-called SEC_CLOSED state (BSEC fuses). Indeed this device state
currently requires RCC protection to be enabled as already implemented
in function check_rcc_secure_configuration().

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

tree wide: CFG_INSECURE deprecates CFG_WARN_INSECURE

Replaces configuration switch CFG_WARN_INSECURE with CFG_INSECURE
The new name is better because the switch not only warns but also
change the OP

tree wide: CFG_INSECURE deprecates CFG_WARN_INSECURE

Replaces configuration switch CFG_WARN_INSECURE with CFG_INSECURE
The new name is better because the switch not only warns but also
change the OP-TEE core behavior as, for example, allowing absence
of secure storage rollback protection.

Suggested-by: Jérôme Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: fix mem reclaim error reporting

Until now handle_mem_reclaim() was incorrectly returning the error value
in a1 instead of a2 as mandated by the specification. Successful returns
are not a

core: ffa: fix mem reclaim error reporting

Until now handle_mem_reclaim() was incorrectly returning the error value
in a1 instead of a2 as mandated by the specification. Successful returns
are not affected by this since they use the FFA_SUCCESS_32 FID. So fix this
by supplying the error value in the right register.

Fixes: 1b302ac09816 ("core: enable FF-A with SPM Core at S-EL1")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: check for NULL mobj before thread_rpc_free()

In the SMC and FF-A ABIs check that a mobj representing a shared memory
object isn't NULL before doing an RPC to free it in the normal world
t

core: arm: check for NULL mobj before thread_rpc_free()

In the SMC and FF-A ABIs check that a mobj representing a shared memory
object isn't NULL before doing an RPC to free it in the normal world
too. For the FF-A ABI it's harmless without this check, but the SMC ABI
may cause an NULL pointer dereference in the OP-TEE kernel driver.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-vexpress: activate CFG_CORE_HALT_CORES_ON_PANIC

Default halt the other cores when panicking on fvp, juno, qemu_virt and
qemu_armv8a platforms.

Signed-off-by: Gatien Chevallier <gatien.chevalli

plat-vexpress: activate CFG_CORE_HALT_CORES_ON_PANIC

Default halt the other cores when panicking on fvp, juno, qemu_virt and
qemu_armv8a platforms.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)
Tested-by: Gatien Chevallier <gatien.chevallier@foss.st.com> (vexpress-qemu_armv8a)
Tested-by: Gatien Chevallier <gatien.chevallier@foss.st.com> (vexpress-qemu_virt)

show more ...

plat-stm32mp2: activate CFG_CORE_HALT_CORES_ON_PANIC

Default halt other cores when panicking on STM32MP25x platforms. SGI15
is used for this purpose.

Signed-off-by: Gatien Chevallier <gatien.cheval

plat-stm32mp2: activate CFG_CORE_HALT_CORES_ON_PANIC

Default halt other cores when panicking on STM32MP25x platforms. SGI15
is used for this purpose.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: activate CFG_CORE_HALT_CORES_ON_PANIC

Default halt the other core when panicking on STM32MP15x platforms.
SGI15 is used for this purpose.

Signed-off-by: Gatien Chevallier <gatien.che

plat-stm32mp1: activate CFG_CORE_HALT_CORES_ON_PANIC

Default halt the other core when panicking on STM32MP15x platforms.
SGI15 is used for this purpose.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Gatien Chevallier <gatien.chevallier@foss.st.com> (stm32mp1-157C_DK2)

show more ...

core: interrupt: halt other cores when one is panicking

When one core panics, send an SGI (CFG_CORE_HALT_CORES_ON_PANIC_SGI)
to halt other cores if CFG_CORE_HALT_CORES_ON_PANIC is enabled.

Signed-o

core: interrupt: halt other cores when one is panicking

When one core panics, send an SGI (CFG_CORE_HALT_CORES_ON_PANIC_SGI)
to halt other cores if CFG_CORE_HALT_CORES_ON_PANIC is enabled.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: interrupt_raise_sgi() updates

Adds ITR_CPU_MASK_TO_THIS_CPU and ITR_CPU_MASK_TO_OTHER_CPUS to simplify
targeting CPUs in some use cases. The cpu_mask parameter is changed to a
uint32_t to make

core: interrupt_raise_sgi() updates

Adds ITR_CPU_MASK_TO_THIS_CPU and ITR_CPU_MASK_TO_OTHER_CPUS to simplify
targeting CPUs in some use cases. The cpu_mask parameter is changed to a
uint32_t to make room for the two new flags.

The gic driver is updated to support this new flag.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: print current guest ID in logs

If CFG_NS_VIRTUALIZATION is enabled include the current guest ID on each
log line. A number is added before the core number identifying the
currently set guest I

core: print current guest ID in logs

If CFG_NS_VIRTUALIZATION is enabled include the current guest ID on each
log line. A number is added before the core number identifying the
currently set guest ID, for example:
D/TC:2 0 0 call_initcalls:40 level 1 teecore_init_pub_ram()

Where the "2" indicates that this is done with guest ID 2 active.

Update the symbolize.py script accordingly to recognize and ignore an
eventual guest ID in a log entry.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutee: remove leftover references to libmpa

Removes references to libmpa removed since OP-TEE release tag 3.9.0,
by commit 7fb525f1f8a6 ("Remove libmpa in favor of libmbedtls").

This change remov

libutee: remove leftover references to libmpa

Removes references to libmpa removed since OP-TEE release tag 3.9.0,
by commit 7fb525f1f8a6 ("Remove libmpa in favor of libmbedtls").

This change removes configuration switch CFG_TA_MBEDTLS_MPI
and CFG_TA_MBEDTLS that are no more used by OP-TEE component.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ta: pkcs11: Improve PIN counter handling robustness

Make sure PIN check attempt is saved persistently before continuing with
the actual PIN verification, improving counter and flags coherency in
cas

ta: pkcs11: Improve PIN counter handling robustness

Make sure PIN check attempt is saved persistently before continuing with
the actual PIN verification, improving counter and flags coherency in
case of subsequent failure with persistent saving.

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

TA dev kit: Export ftrace_format.py

Commit 5c2c0fb31efb ("ftrace: change implementation to use binary circular
buffer") added script ftrace_format.py which is required to analyze ftrace
logs. So exp

TA dev kit: Export ftrace_format.py

Commit 5c2c0fb31efb ("ftrace: change implementation to use binary circular
buffer") added script ftrace_format.py which is required to analyze ftrace
logs. So export it as part of TA dev kit as well.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>

show more ...