core: use user-access functions for passing params

Use user-access functions for parameter-passing between user TA and
the core when calling another TA from a TA and when entering a user
TA.

Signed

core: use user-access functions for passing params

Use user-access functions for parameter-passing between user TA and
the core when calling another TA from a TA and when entering a user
TA.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: use user-access functions in ldelf interaction

When interacting with LDELF, replace implicit user space accesses from
privileged mode using proper user-access functions.

Co-developed-by: Seon

core: use user-access functions in ldelf interaction

When interacting with LDELF, replace implicit user space accesses from
privileged mode using proper user-access functions.

Co-developed-by: Seonghyun Park <seonghp@amazon.com>
Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add bb_strndup_user()

Adds bb_strndup_user() to copy a user space string into a bounce buffer
large enough to hold the string.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Review

core: add bb_strndup_user()

Adds bb_strndup_user() to copy a user space string into a bounce buffer
large enough to hold the string.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add more user access functions

Add more user access functions: clear_user(), strnlen_user() and
bb_memdup_user(), which can be used to manipulate, check or duplicate
given user space buffers.

core: add more user access functions

Add more user access functions: clear_user(), strnlen_user() and
bb_memdup_user(), which can be used to manipulate, check or duplicate
given user space buffers.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add bounce buffer to user mode context

Adds a bounce buffer for user space buffer to be used during syscall
processing to avoid unchecked privileged access into user space memory.

bb_alloc(),

core: add bounce buffer to user mode context

Adds a bounce buffer for user space buffer to be used during syscall
processing to avoid unchecked privileged access into user space memory.

bb_alloc(), bb_free(), and bb_reset() are added to manage memory
allocation from the bounce buffer.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

arm64: Introduce permissive PAN implementation

Privileged Access Never (PAN) is a part of ARMv8.1 extension that
restricts accesses to unprivileged memory from privileged mode
in order to prevent un

arm64: Introduce permissive PAN implementation

Privileged Access Never (PAN) is a part of ARMv8.1 extension that
restricts accesses to unprivileged memory from privileged mode
in order to prevent unintended accesses to potentially malicious
memory.

This introduces configuration of PAN and helper functions
enter_user_access() and exit_user_access() that toggles PSTATE.PAN
that controls the behavior of PAN.

Current OP-TEE impelmentation is not ready to apply strict PAN policy
due to missing user-access function uses, etc.

Hence, this patch takes a very permissive approach (yet better
than nothing), where PAN is deactivated in the entire lifetime of
thread_svc_handler (i.e., system call).

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

Update CHANGELOG for 3.22.0

Update CHANGELOG for 3.22.0 and collect Tested-by tags.

Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6dlsabresd)
Tested-by: Clement Faure <clement.faure@nxp.c

Update CHANGELOG for 3.22.0

Update CHANGELOG for 3.22.0 and collect Tested-by tags.

Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6dlsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6qsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sllevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6sxsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ullevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx6ulzevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7dsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx7ulpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mmevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mnevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8mqevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qmmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8qxpmek)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx8ulpevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (imx-mx93evk)
Tested-by: Etienne Carriere <etienne.carriere@foss.st.com> (stm32mp1-135F_DK)
Tested-by: Etienne Carriere <etienne.carriere@foss.st.com> (stm32mp1-157C_DK2)
Tested-by: Etienne Carriere <etienne.carriere@foss.st.com> (stm32mp1-157C_EV1)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (imx-mx8mqevk)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (rockchip-rk3399) (RockPi4B)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_virt)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (Rpi3B)
Tested-by: Jorge Ramirez-Ortiz <jorge@foundries.io> (versal)
Tested-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> (rcar-salvator_m3_2x4g / virt)
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

plat-stm32mp1: stub stm32mp13 regulators

Implements stubs for SCMI regulators that are to be exposed by STM32MP13
SCMI server but are not implemented yet in OP-TEE core. The drivers for
these regula

plat-stm32mp1: stub stm32mp13 regulators

Implements stubs for SCMI regulators that are to be exposed by STM32MP13
SCMI server but are not implemented yet in OP-TEE core. The drivers for
these regulators (IOD SDMMC1/2 and VREFBUF) will be implemented once
there is a regulator framework in OP-TEE. In the meantime, stubbing those
allows to use the platform.

Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: crypto_bignum_free(): add indirection and set pointer to NULL

To prevent human mistake, crypto_bignum_free() sets the location of the
bignum pointer to NULL after freeing it.

Signed-off-by: J

core: crypto_bignum_free(): add indirection and set pointer to NULL

To prevent human mistake, crypto_bignum_free() sets the location of the
bignum pointer to NULL after freeing it.

Signed-off-by: Jihwan Park <jihwp@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: change log level in SCMI server

The SCMI server prints debug messages when handling some SCMI services.
At runtime this leads to a lot of traces and debug log level is too
verbose. Th

plat-stm32mp1: change log level in SCMI server

The SCMI server prints debug messages when handling some SCMI services.
At runtime this leads to a lot of traces and debug log level is too
verbose. Therefore change all debug traces to flow level for that
source file.

Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>

show more ...

core: tee_svc_cryp: report RSAES_PKCS1_OAEP_MGF1 bad hash ID

Fixes syscall_asymm_operate() to report inconsistent hash algorithm
specified as attribute for TEE_ALG_RSAES_PKCS1_OAEP_MGF1_* operations

core: tee_svc_cryp: report RSAES_PKCS1_OAEP_MGF1 bad hash ID

Fixes syscall_asymm_operate() to report inconsistent hash algorithm
specified as attribute for TEE_ALG_RSAES_PKCS1_OAEP_MGF1_* operations
as OP-TEE only supports the hash predefined for the request algorithm
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_xxx.

Link: https://github.com/OP-TEE/optee_os/issues/6143
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

qemu_armv8a: fix build with CFG_USER_TA_TARGETS=ta_arm32

The proper way to build in-tree TAs in 64-bit mode by default is to set
supported-ta-targets to "ta_arm64 ta_arm32". Indeed, the default targ

qemu_armv8a: fix build with CFG_USER_TA_TARGETS=ta_arm32

The proper way to build in-tree TAs in 64-bit mode by default is to set
supported-ta-targets to "ta_arm64 ta_arm32". Indeed, the default target
is always defined as the first entry in supported-ta-targets, as
documented in mk/config.mk.

Fixes the following build error:

$ make CFG_USER_TA_TARGETS=ta_arm32 PLATFORM=vexpress-qemu_armv8a
bash: -W: invalid option
...

default-user-ta-target is not to be used by the platform configuration
files. It is meant to be set by the main Makefile. For this reason,
replace the conditional assignment (?=) with $(call force, ...) in order
to catch inconsistencies in a more friendly way.

Fixes: 07031b23de23 ("qemu_armv8a: set default-user-ta-target ?= ta_arm64")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ftrace: change implementation to use binary circular buffer

The current implementation of function tracing (CFG_FTRACE_SUPPORT)
produces human-readable text into the output buffer that is passed to

ftrace: change implementation to use binary circular buffer

The current implementation of function tracing (CFG_FTRACE_SUPPORT)
produces human-readable text into the output buffer that is passed to
tee-supplicant and ultimately saved to the Linux filesystem. Two main
issues with that:

1. The string formatting code is somewhat complex. It introduces
significant overhead in the execution time of the instrumented
functions.
2. The various policies about how to handle a buffer full condition
(CFG_FTRACE_BUF_WHEN_FULL) are not very convenient. In particular,
"shift" is typically the most desirable option because it always
keeps the most recent entries, but it is very inefficient to the
point of not being usable in practice.

This commit addresses the above concerns by making the ftrace buffer
circular one, each entry being 64-bit value. The formatting code is
offloaded to a new Python script: scripts/ftrace_format.py. The
output is unchanged except for an added field showing the current
depth in the call stack.

Typical usage (captured on QEMUv8):

build$ mkdir -p ../tmp
build$ chmod a+w ../tmp
build$ make CFG_FTRACE_SUPPORT=y CFG_FTRACE_BUF_SIZE=15000 \
CFG_TA_MCOUNT=y CFG_ULIBS_MCOUNT=y CFG_SYSCALL_FTRACE=y \
QEMU_VIRTFS_AUTOMOUNT=y run
$ xtest regression_1004
...
$ cp /tmp/ftrace-cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.out /mnt/host/tmp
build$ cd ..
optee$ optee_os/scripts/ftrace_format.py \
tmp/ftrace-cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.out |
optee_os/scripts/symbolize.py \
-d optee_os/out/arm/core \
-d out-br/build/optee_test_ext-1.0/ta/*/out | less
TEE load address @ 0x5ab04000
Function graph for TA: cb3e5ba0-adf1-11e0-998b-0002a5d5c51b @ 80085000
| 1 | __ta_entry() {
| 2 | __utee_entry() {
43.840 us | 3 | ta_header_get_session()
7.216 us | 3 | tahead_get_trace_level()
14.480 us | 3 | trace_set_level()
| 3 | malloc_add_pool() {
| 4 | raw_malloc_add_pool() {
46.032 us | 5 | bpool()
| 5 | raw_realloc() {
166.256 us | 6 | bget()
23.056 us | 6 | raw_malloc_return_hook()
267.952 us | 5 | }
398.720 us | 4 | }
426.992 us | 3 | }
| 3 | TEE_GetPropertyAsU32() {
23.600 us | 4 | is_propset_pseudo_handle()
| 4 | __utee_check_instring_annotation() {
26.416 us | 5 | strlen()
| 5 | check_access() {
| 6 | TEE_CheckMemoryAccessRights() {
| 7 | _utee_check_access_rights() {
| 8 | syscall_check_access_rights() {
| 9 | ts_get_current_session() {
4.304 us | 10 | ts_get_current_session_may_fail()
10.976 us | 9 | }
| 9 | to_user_ta_ctx() {
2.496 us | 10 | is_user_ta_ctx()
8.096 us | 9 | }
| 9 | vm_check_access_rights() {
| 10 | vm_buf_is_inside_um_private() {
| 11 | core_is_buffer_inside() {
...

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: riscv: Add TLB operation related to virtual address and ASID

Add TLB invalidate function which is corresponding to virtual address
and ASID. The commit also adds missing declaration of tlbi_va

core: riscv: Add TLB operation related to virtual address and ASID

Add TLB invalidate function which is corresponding to virtual address
and ASID. The commit also adds missing declaration of tlbi_va_allasid().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix race in mobj_reg_shm_dec_map()

Fixes a race in mobj_reg_shm_dec_map() when r->mm is NULL. This is
similar to the race fixed by commit 06ea466f9c19 ("core: fix race in
mobj_reg_shm_inc_map(

core: fix race in mobj_reg_shm_dec_map()

Fixes a race in mobj_reg_shm_dec_map() when r->mm is NULL. This is
similar to the race fixed by commit 06ea466f9c19 ("core: fix race in
mobj_reg_shm_inc_map()"), but with one more possibility.

The problem goes like:
A. Thread 1 calls mobj_reg_shm_dec_map() at the same time as thread 2
calls mobj_reg_shm_inc_map().
B. Thread 1 decreases mapcount to zero and tries to take the spinlock,
but thread 1 is suspended before it has acquired the spinlock.
C. Thread 2 sees that mapcount is zero and takes the spinlock and maps
the memory.
D. Thread 2 calls mobj_reg_shm_dec_map(), mapcount reaches zero again
and the shared memory is unmapped and r->mm is set to NULL.
E. Thread 1 is finally resumed and acquires the spinlock, mapcount is still
zero but r->mm is also NULL.

To fix the problem at step E above check that r->mm is still non-NULL.

Note that the same fix isn't needed for ffa_dec_map() since
unmap_helper() checks that mf->mm is non-NULL first.

Fixes: 06ea466f9c19 ("core: fix race in mobj_reg_shm_inc_map()")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Olivier Masse <olivier.masse@nxp.com>

show more ...

core: riscv: Add cflags for excluding source files from ftrace

Some C source files may lead to incorrect behaviors in ftrace. Exclude
them when the system is compiled with ftrace support.

Signed-of

core: riscv: Add cflags for excluding source files from ftrace

Some C source files may lead to incorrect behaviors in ftrace. Exclude
them when the system is compiled with ftrace support.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

libutils: ftrace: Add definitions for separating architectural headers

Add definitions for separating architectural headers. In kernel mode,
risc-v may include riscv.h to have the timer related func

libutils: ftrace: Add definitions for separating architectural headers

Add definitions for separating architectural headers. In kernel mode,
risc-v may include riscv.h to have the timer related functions. In TA
libraries, risc-v may include riscv_user_sysreg.h to have those
functions.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

libutee: Implement RISC-V helper functions for TA libraries

To enable ftrace support in TA libraries, the timer related functions
should be implemented. Add riscv_user_sysreg.h which implements thes

libutee: Implement RISC-V helper functions for TA libraries

To enable ftrace support in TA libraries, the timer related functions
should be implemented. Add riscv_user_sysreg.h which implements these
functions for TA libraries. The code is referenced from core header and
the M-mode related code is removed.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

ta: riscv: Add MCOUNT_SYM definition

With the -pg option, the compiler inserts a call to _mcount into every
function prologue. Add definition for MCOUNT_SYM so that the linker
creates the additional

ta: riscv: Add MCOUNT_SYM definition

With the -pg option, the compiler inserts a call to _mcount into every
function prologue. Add definition for MCOUNT_SYM so that the linker
creates the additional space for ftrace buffer.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

libutils: riscv: Update setjmp() and longjmp() for ftrace support

Fix the registers saving/restoring conventions. The length of jump
buffer is increased with one more slot to restore ftrace return s

libutils: riscv: Update setjmp() and longjmp() for ftrace support

Fix the registers saving/restoring conventions. The length of jump
buffer is increased with one more slot to restore ftrace return stack.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Implement timer related functions for ftrace support

Implement barrier_read_counter_timer() to read the timer value after a
barrier. Implement read_cntfrq() to get the frequency of mach

core: riscv: Implement timer related functions for ftrace support

Implement barrier_read_counter_timer() to read the timer value after a
barrier. Implement read_cntfrq() to get the frequency of machine timer
counter. The read_time() is moved from header to C source file to reduce
the code size.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

libutils: riscv: Implement _mount() and __ftrace_return()

When the core and TA are compiled with the -pg option, the compiler
inserts a call to _mcount() into every function prologue. It can be used

libutils: riscv: Implement _mount() and __ftrace_return()

When the core and TA are compiled with the -pg option, the compiler
inserts a call to _mcount() into every function prologue. It can be used
to trace the function calls such as ftrace.

Implement the _mount() to prepare the necessary parameters for ftrace.
The __ftrace_return() is also implemented for returning from ftrace.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

libutils: Add riscv.S to make it available for core and TA libs

Some assembly macros are necessary for both OP-TEE core and TA
libraries. Therefore, we add riscv specific assembly file into libutils

libutils: Add riscv.S to make it available for core and TA libs

Some assembly macros are necessary for both OP-TEE core and TA
libraries. Therefore, we add riscv specific assembly file into libutils
and move some assembly related macros from riscv.h to riscv.S.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: spmc: handle missing FFA_MSG_SEND_VM_DESTROYED

Handles the previously missing FFA_MSG_SEND_VM_DESTROYED message used to
signal the destruction of a non-secure guest. This is the counter part
o

core: spmc: handle missing FFA_MSG_SEND_VM_DESTROYED

Handles the previously missing FFA_MSG_SEND_VM_DESTROYED message used to
signal the destruction of a non-secure guest. This is the counter part
of FFA_MSG_SEND_VM_CREATED that is used to signal the creation of a
non-secure guest.

Fixes: a65dd3a6b64d ("core: spmc: support virtualization with SPMC at S-EL1")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: main: Print the provisioned key information

During provisioning these values are fused using the signing
certificate.

The maximum value of Key Count is 2 (when BMPK is used).

Signed-off-b

plat-k3: main: Print the provisioned key information

During provisioning these values are fused using the signing
certificate.

The maximum value of Key Count is 2 (when BMPK is used).

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...