drivers: imx: rngb: soft reset in case of errors

Soft reset the RNGB core before retrying, if errors are logged in the
ESR register.

The i.MX 6ULL Applications Processor Reference Manual states in

drivers: imx: rngb: soft reset in case of errors

Soft reset the RNGB core before retrying, if errors are logged in the
ESR register.

The i.MX 6ULL Applications Processor Reference Manual states in the
RNG_CR[MASKERR] field description about errors in ESR:

All errors are considered fatal, requiring the RNGB to be reset.
Until the reset occurs, the RNGB does not service any random data.

It was observed that issuing CMD[CE|CI] (Clear error / interrupt
command) did not clear the ESR[SATE] (Statistical test error) state
as expected. Issuing CMD[SR] (Software reset) instead, as suggested
by the reference manual, works.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

drivers: imx: rngb: split irq_mask() from irq_clear()

Introduce irq_mask() as a counterpart to irq_unmask(), split from
irq_clear(). This way function names match what they do, and we
can replace ir

drivers: imx: rngb: split irq_mask() from irq_clear()

Introduce irq_mask() as a counterpart to irq_unmask(), split from
irq_clear(). This way function names match what they do, and we
can replace irq_clear() with a soft_reset() in the error case next.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

drivers: imx: rngb: use explicit seed generation command

Follow the Linux and U-Boot drivers in using the explicit command
to trigger seed generation. Relying on auto-seeding didn't seem
to trigger

drivers: imx: rngb: use explicit seed generation command

Follow the Linux and U-Boot drivers in using the explicit command
to trigger seed generation. Relying on auto-seeding didn't seem
to trigger reseeding when the first try fails the statistics tests.

Only switch to continuous auto-reseeding after initialization
succeeded.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

core: stmm: Cleanup unused defines

commit aa6d7fc392b7 ("core: applies FF-A v1.2 features on StandaloneMm")
removed some MM code in favor of FF-A. However, some of the header
files were left untouch

core: stmm: Cleanup unused defines

commit aa6d7fc392b7 ("core: applies FF-A v1.2 features on StandaloneMm")
removed some MM code in favor of FF-A. However, some of the header
files were left untouched. Clean them up

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

show more ...

libmbedtls: Fix missing ctx_clone_func in xts_aes_info

OP-TEE added a ctx_clone_func function pointer based on upstream
libmbedtls. However, the xts_aes_info is forgot to add this field,
making the

libmbedtls: Fix missing ctx_clone_func in xts_aes_info

OP-TEE added a ctx_clone_func function pointer based on upstream
libmbedtls. However, the xts_aes_info is forgot to add this field,
making the free function be wrongly placed into the clone field.

This commit adds the missing xts_aes_ctx_clone() implementation
and fixes the function pointer in the xts_aes_info.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: ming-jen.chang <ming-jen.chang@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_ree_fs: fix possible mempool leak

In out_of_place_write() if copy_from_user() fails, the function returns
directly instead of using the common cleanup path. If this happens a
temporary blo

core: tee_ree_fs: fix possible mempool leak

In out_of_place_write() if copy_from_user() fails, the function returns
directly instead of using the common cleanup path. If this happens a
temporary block is leaked from the default memory pool. Fix this by
using the common exit path.

Fixes: b2284b11a961 ("core: update FS storage API with user space buffer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

ldelf: fix relocation bounds check

When relocating both ELFs only the start address of the relocation
destination is considered when checking that the relocation offset is
within bounds. Fix this by

ldelf: fix relocation bounds check

When relocating both ELFs only the start address of the relocation
destination is considered when checking that the relocation offset is
within bounds. Fix this by added a check for the entire write size.

Fixes: 447354c6e527 ("ldelf: strict checks during relocation")
Fixes: 7509ff7ce5e5 ("Add user mode ELF loader")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

libutils: asan: skip global unpoison for bget-backed globals

Track ASan user-region type at map time and mark bget pool backing ranges
as ASAN_REG_MEM_POOL.

Global registration currently unpoisons

libutils: asan: skip global unpoison for bget-backed globals

Track ASan user-region type at map time and mark bget pool backing ranges
as ASAN_REG_MEM_POOL.

Global registration currently unpoisons globals via asan_tag_access().
For globals used as bget pool backing storage, this overwrites the initial
pool shadow state (ASAN_HEAP_RED_ZONE, heap-free) and breaks expected
allocator poisoning semantics.

Skip global unpoison for globals that contain a memory-pool backing range,
while keeping normal redzone handling for those globals. Update ASan
mapping call sites to pass region type (STACK, ELF, MEM_POOL, NO_TYPE).

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: asan: improve report output

Add optional shadow dump in TRACE_DEBUG builds for better ASan diagnostics.
Also expand the shadow bytes printed around the faulting address.

Signed-off-by: Al

libutils: asan: improve report output

Add optional shadow dump in TRACE_DEBUG builds for better ASan diagnostics.
Also expand the shadow bytes printed around the faulting address.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

asan: support trusted applications

Add CFG_TA_SANITIZE_KADDRESS and enable -fsanitize=kernel-address for TAs.
Extend ASan to map shadow regions in user space. Shadow memory for trusted
applications

asan: support trusted applications

Add CFG_TA_SANITIZE_KADDRESS and enable -fsanitize=kernel-address for TAs.
Extend ASan to map shadow regions in user space. Shadow memory for trusted
applications is now mapped during ldelf loading. CFG_TA_SANITIZE_KADDRESS
acts as a global flag and propagates to all internal and external TAs.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

asan: add ldelf support and user shadow mapping infrastructure

This commit enables ASan support in ldelf and introduces infrastructure
for mapping ASan shadow regions in user space. With these chang

asan: add ldelf support and user shadow mapping infrastructure

This commit enables ASan support in ldelf and introduces infrastructure
for mapping ASan shadow regions in user space. With these changes,
ASan built with CFG_CORE_SANITIZE_KADDRESS is no longer limited to
the core and can also operate in ldelf.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: asan: support multiple shadow regions

Replace the single shadow range with a list of shadowed virtual regions.
Access validation is performed per-region: an access is considered inside
sha

libutils: asan: support multiple shadow regions

Replace the single shadow range with a list of shadowed virtual regions.
Access validation is performed per-region: an access is considered inside
shadow memory only if it is fully contained within a single registered
region. The access is considered out of shadow memory if it does not
intersect any registered shadow region.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: move ASan runtime and tests from core to libutils

This patch relocates the ASan runtime and its self-tests from the core
to libutils/ext. While ASan is still only enabled for the TEE core,

libutils: move ASan runtime and tests from core to libutils

This patch relocates the ASan runtime and its self-tests from the core
to libutils/ext. While ASan is still only enabled for the TEE core, this
refactoring removes core-specific placement and makes the code
available to other components.

The main benefit is that ASan support and the test helpers can now be
potentially reused by ldelf and TAs in the future, instead of being
tied to the core build. The existing ASan core behaviour is unchanged.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add tee_map_zi_va()

Introduce tee_map_zi_va(), a variant of tee_map_zi() that allows
mapping zero-initialized memory at a hinted virtual address.

The new prototype is:

void *tee_map_z

libutee: add tee_map_zi_va()

Introduce tee_map_zi_va(), a variant of tee_map_zi() that allows
mapping zero-initialized memory at a hinted virtual address.

The new prototype is:

void *tee_map_zi_va(vaddr_t va, size_t len, uint32_t flags);

The address hint is passed to the system PTA in param[1].value.{a,b} and
may be overridden later by the PTA.

This change only forwards the virtual address hint from the user
interface to the existing system PTA implementation. All address
selection and validation logic remains in the system PTA, and no new
capabilities are exposed to user space.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

compiler.h: define __no_asan

Define __no_asan as no_sanitize_address

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

Squashed commit upgrading to mbedtls-3.6.5

Squash merging branch import/mbedtls-3.6.5

commit c40cea47ad7c ("Import mbedtls-3.6.5")
commit 2826136f4b61 ("mbedtls: remove default include/mbedtls/conf

Squashed commit upgrading to mbedtls-3.6.5

Squash merging branch import/mbedtls-3.6.5

commit c40cea47ad7c ("Import mbedtls-3.6.5")
commit 2826136f4b61 ("mbedtls: remove default include/mbedtls/config.h")
commit e4f52f042adc ("mbedtls: configure mbedtls to reach for config")
commit 41c7e16c1099 ("libmbedtls: make mbedtls_mpi_mont*() available")
commit 196c68f26b35 ("libmbedtls: add mbedtls_mpi_init_mempool()")
commit 17a529137cf0 ("libmedtls: mpi_miller_rabin: increase count limit")
commit e984be59a8ad ("libmbedtls: add interfaces in mbedtls for context memory operation")
commit f5a824199020 ("libmbedtls: fix no CRT issue")
commit 77aed40de4f6 ("libmbedtls: add SM2 curve")
commit 383ec6f79d6e ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
commit 8ad6f859f90b ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
commit 1ff4c0c4fd5d ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
commit 369fcd552af0 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
commit c418523d36ef ("libmbedtls: allow inclusion of arm_neon.h")
commit 459bf515c5b2 ("libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MBEDTLS_UNSAFE_MODEXP")
commit 37734ceb58aa ("libmbedtls: use mempool_calloc() for temporary memory")
commit 3cb6bf44787f ("libmbedtls: fix build warning related to deprecated DTLS connect ID")
commit 92c283910cbb ("libmbedtls: fix compilation warning with GCC14")
commit 834f027107e1 ("libmbedtls: fix warning redundant-decls in mbedtls 3.6.5")

Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: hisilicon: fix qp memory leak

Fix the null pointer access issue for hisilicon QM driver.

Fixes: c7f9abcee87f ("drivers: implement HiSilicon Queue Management (QM) module")
Signed-of

drivers: crypto: hisilicon: fix qp memory leak

Fix the null pointer access issue for hisilicon QM driver.

Fixes: c7f9abcee87f ("drivers: implement HiSilicon Queue Management (QM) module")
Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Acked-by: Zexi Yu <yuzexi@hisilicon.com>

show more ...

core: pta: system: check zero-length in system_map_zi()

Add a check against allocating and mapping 0 bytes zero initialized
memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewe

core: pta: system: check zero-length in system_map_zi()

Add a check against allocating and mapping 0 bytes zero initialized
memory.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

core: kernel: bump transfer list to spec version 2.0

Update the transfer list library to implement specification version 2.0,
as versions 1.0 and 0.9 have been withdrawn [1]. The primary change is
s

core: kernel: bump transfer list to spec version 2.0

Update the transfer list library to implement specification version 2.0,
as versions 1.0 and 0.9 have been withdrawn [1]. The primary change is
switching the checksum calculation from an XOR sum to a byte-wise sum.
This aligns the implementation with the updated specification and with
behavior already used in existing deployments.

1. https://github.com/FirmwareHandoff/firmware_handoff/pull/80

Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: fix mx8mpevk optee memory layout

Mostly all i.MX OP-TEE platforms place OP-TEE at the end of the
available memory. Since the i.MX8MP-EVK has 6GiB RAM we need to set
CFG_LPAE_ADDR_SPACE_BI

core: imx: fix mx8mpevk optee memory layout

Mostly all i.MX OP-TEE platforms place OP-TEE at the end of the
available memory. Since the i.MX8MP-EVK has 6GiB RAM we need to set
CFG_LPAE_ADDR_SPACE_BITS accordingly else OP-TEE uses 32-bit and can't
access the memory above.

The fix uses the same amount of bits as used for CFG_CORE_ARM64_PA_BITS.

Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

core: fix protmem overlap in check_reg_shm_conflict()

Prior to this patch, check_reg_shm_conflict() would miss checking the
last page of a registered shared memory if it had a non-zero page_offset
o

core: fix protmem overlap in check_reg_shm_conflict()

Prior to this patch, check_reg_shm_conflict() would miss checking the
last page of a registered shared memory if it had a non-zero page_offset
or a page-unaligned mobj.size. So fix it and ensure the final page is
included in the conflict check by accounting for the page_offset and any
remaining unaligned bytes in the size.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

core: fs: report key manager initialization failure

Some platforms may fail at deriving the Hardware Unique Key (HUK).

When the HUK cannot be retrieved, the secure storage subsystem cannot
derive t

core: fs: report key manager initialization failure

Some platforms may fail at deriving the Hardware Unique Key (HUK).

When the HUK cannot be retrieved, the secure storage subsystem cannot
derive the Secure Storage Key (SSK). In this case secure storage is not
usable and the key manager initialization fails.

Emit an explicit error message when SSK derivation fails so that the
reason for secure storage being unavailable is visible in the logs.

This is particularly useful on platforms such as Versal where fuse
access depends on external firmware components.

Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: imx: relax CFG_DDR_SIZE decision

The overall NS DRAM size can be passed via DT if CFG_EXTERNAL_DT is
enabled. So don't throw an error in case no size was specified.

Reviewed-by: Sahil Malhotr

core: imx: relax CFG_DDR_SIZE decision

The overall NS DRAM size can be passed via DT if CFG_EXTERNAL_DT is
enabled. So don't throw an error in case no size was specified.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: document reconfiguration requirements

Document why the reconfiguration is required.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@

drivers: imx: tzc380: document reconfiguration requirements

Document why the reconfiguration is required.

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...

drivers: imx: tzc380: add support to discover nsec_dram dynamically

Convert the driver to use the new core_mmu_for_each_nsec_ddr() to allow
dynamic configurations of the NS DRAM region(s). The DRAM

drivers: imx: tzc380: add support to discover nsec_dram dynamically

Convert the driver to use the new core_mmu_for_each_nsec_ddr() to allow
dynamic configurations of the NS DRAM region(s). The DRAM configuration
parsed by the OP-TEE core is either based on:
- manifest-dt
- external-dt
- internal/embedded-dt
- builtin compile-time defines

This logic allows the imx-tzc380 driver to use the runtime information
provided by an external DT. The compile-time builtin defines are used if
no external DT is found or the external DT doesn't contain any memory
information.

For plat-imx this mapps to register_ddr(CFG_DRAM_BASE, CFG_DDR_SIZE),
which is equivalent to
imx_tzc_auto_configure(CFG_DRAM_BASE, CFG_DDR_SIZE, TZC_ATTR_SP_NS_RW).

Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>

show more ...