core: pass session ID to tee_ta_close_session()

tee_ta_close_session() previously took a session pointer. When called
from entry_close_session(), this pointer was acquired without bumping
the refere

core: pass session ID to tee_ta_close_session()

tee_ta_close_session() previously took a session pointer. When called
from entry_close_session(), this pointer was acquired without bumping
the reference count, creating a race condition where the session could
be freed by another thread before being used. This race is harmless
unless ASAN or memory tagging is enabled.

Refactor tee_ta_close_session() to take a session ID instead of a
pointer to avoid possible races.

Fixes: 096cbcddbe21 ("Align Session handle for generic ta interface entry")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

core: derive key: check provided out key size

syscall_cryp_derive_key() takes a derived_key parameter where the
derived key data is stored. The algorithms DH_DERIVE_SHARED_SECRET,
HKDF, CONCAT_KDF,

core: derive key: check provided out key size

syscall_cryp_derive_key() takes a derived_key parameter where the
derived key data is stored. The algorithms DH_DERIVE_SHARED_SECRET,
HKDF, CONCAT_KDF, and PBKDF2 doesn't check the output key size. Fix this
by adding or fixing the needed checks. Add an extra check to make sure
that the provided output key is a simple symmetric key.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

plat-d06: fix d06 platform bug

Delete unnecessary configuration information to prevent the failure of
correct value assignment.

Fixes: 4237855ad63e ("plat-d06: Add support for HIP08A")
Signed-off-b

plat-d06: fix d06 platform bug

Delete unnecessary configuration information to prevent the failure of
correct value assignment.

Fixes: 4237855ad63e ("plat-d06: Add support for HIP08A")
Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-qcom: Enable support for ARMv8 CE by default

Qcom platforms support ARMv8 Crypto Extensions (CE), so let's enable
it by default to optimize the crypto operations.

Reviewed-by: Jorge Ramirez-Or

plat-qcom: Enable support for ARMv8 CE by default

Qcom platforms support ARMv8 Crypto Extensions (CE), so let's enable
it by default to optimize the crypto operations.

Reviewed-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>

show more ...

libutils: fix ASAN longjmp guard in arm setjmp

Make ASAN_IS_ENABLED available to assembly so the setjmp assembly code
no longer evaluates it as 0, include the sanitizer header in the setjmp
assembly

libutils: fix ASAN longjmp guard in arm setjmp

Make ASAN_IS_ENABLED available to assembly so the setjmp assembly code
no longer evaluates it as 0, include the sanitizer header in the setjmp
assembly files, and simplify the longjmp guard condition.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: kernel: allow not masking interrupts on output traces

Add configuration switch CFG_CONSOLE_MASK_INTERRUPTS define whether
or not interrupts are masked when console trace messages are
emitted.

core: kernel: allow not masking interrupts on output traces

Add configuration switch CFG_CONSOLE_MASK_INTERRUPTS define whether
or not interrupts are masked when console trace messages are
emitted. The config switch is default enabled to reflect core legacy
behavior.

Disabling this configuration switch can be handy to still benefit from
OP-TEE threads output console trace support without adding extra
latency to native and foreign interrupts handling when trace messages
from interruptible thread context are emitted.

Enabling the configuration does not fully prevent collisions
of trace messages as described in mk/config.mk.

By the way, add an initial value to local variable p in trace_ext_puts().

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

plat-rockchip: increase FDT max size to 384KiB on all Aarch64 supported SoCs

Increase the maximum size of the FDT to 384KiB in sync with Trusted
Firmware-A since TF-A v2.13[1] (May 2025). This limit

plat-rockchip: increase FDT max size to 384KiB on all Aarch64 supported SoCs

Increase the maximum size of the FDT to 384KiB in sync with Trusted
Firmware-A since TF-A v2.13[1] (May 2025). This limit is applicable to
all Rockchip SoCs supported by TF-A.

Prior to that commit in TF-A, we had 0x20000 (double the default of the
current OP-TEE OS default) since v2.4[2] (Nov 2020).

This allows us to pass and parse the FDT within OP-TEE as the default
64KiB really isn't enough nowadays (especially if one takes into account
FDT with symbols enabled for FDTO support), otherwise OP-TEE OS panics
at:
E/TC:0 init_external_dt:827 Invalid Device Tree at 0x8a2690: error -3

We currently only allocate 2MiB for TZDRAM on rk322x (as opposed to
32MiB on other Rockchip SoCs; see CFG_TZDRAM_SIZE), so increasing the
FDT buffer size from 64KiB to 384KiB may not be the best idea,
especially considering I couldn't find someone with a device based on
rk322x to test this commit. Additionally, the sizes of the two FDTs for
RK322x boards in the upstream Linux kernel built with symbols enabled
(DTC_FLAGS=-@) only is almost 33KiB. In U-Boot, the FDT for the only
supported board compiles to less than 28KiB for U-Boot proper's and a
tiny bit above 2KiB for SPL's. Thus, there is no hurry to increase the
FDT buffer size on rk322x, especially without being able to test, so
leave rk322x FDT buffer at 64KiB for now.

This fixes OP-TEE OS panics on PX30 and RK3399.

Link: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/ab99dce4b7c8473d5bcb8c833bd410ab87b1e801%5E%21/ [1]
Link: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/8109f738ffa79a63735cba29da26e7c2859977b5%5E%21/ [2]

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>

show more ...

plat-d06: Add support for HIP08A

HIP08A is another form of the D06 development board and equipped by
Hisilicon.

Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Reviewed-by: Yuan Wang <wangyuan4

plat-d06: Add support for HIP08A

HIP08A is another form of the D06 development board and equipped by
Hisilicon.

Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Reviewed-by: Yuan Wang <wangyuan46@huawei.com>
Acked-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: imx: rngb: soft reset in case of errors

Soft reset the RNGB core before retrying, if errors are logged in the
ESR register.

The i.MX 6ULL Applications Processor Reference Manual states in

drivers: imx: rngb: soft reset in case of errors

Soft reset the RNGB core before retrying, if errors are logged in the
ESR register.

The i.MX 6ULL Applications Processor Reference Manual states in the
RNG_CR[MASKERR] field description about errors in ESR:

All errors are considered fatal, requiring the RNGB to be reset.
Until the reset occurs, the RNGB does not service any random data.

It was observed that issuing CMD[CE|CI] (Clear error / interrupt
command) did not clear the ESR[SATE] (Statistical test error) state
as expected. Issuing CMD[SR] (Software reset) instead, as suggested
by the reference manual, works.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

drivers: imx: rngb: split irq_mask() from irq_clear()

Introduce irq_mask() as a counterpart to irq_unmask(), split from
irq_clear(). This way function names match what they do, and we
can replace ir

drivers: imx: rngb: split irq_mask() from irq_clear()

Introduce irq_mask() as a counterpart to irq_unmask(), split from
irq_clear(). This way function names match what they do, and we
can replace irq_clear() with a soft_reset() in the error case next.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

drivers: imx: rngb: use explicit seed generation command

Follow the Linux and U-Boot drivers in using the explicit command
to trigger seed generation. Relying on auto-seeding didn't seem
to trigger

drivers: imx: rngb: use explicit seed generation command

Follow the Linux and U-Boot drivers in using the explicit command
to trigger seed generation. Relying on auto-seeding didn't seem
to trigger reseeding when the first try fails the statistics tests.

Only switch to continuous auto-reseeding after initialization
succeeded.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>

show more ...

core: stmm: Cleanup unused defines

commit aa6d7fc392b7 ("core: applies FF-A v1.2 features on StandaloneMm")
removed some MM code in favor of FF-A. However, some of the header
files were left untouch

core: stmm: Cleanup unused defines

commit aa6d7fc392b7 ("core: applies FF-A v1.2 features on StandaloneMm")
removed some MM code in favor of FF-A. However, some of the header
files were left untouched. Clean them up

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

show more ...

libmbedtls: Fix missing ctx_clone_func in xts_aes_info

OP-TEE added a ctx_clone_func function pointer based on upstream
libmbedtls. However, the xts_aes_info is forgot to add this field,
making the

libmbedtls: Fix missing ctx_clone_func in xts_aes_info

OP-TEE added a ctx_clone_func function pointer based on upstream
libmbedtls. However, the xts_aes_info is forgot to add this field,
making the free function be wrongly placed into the clone field.

This commit adds the missing xts_aes_ctx_clone() implementation
and fixes the function pointer in the xts_aes_info.

Signed-off-by: Leo Chen <shf.chen@mediatek.com>
Reviewed-by: ming-jen.chang <ming-jen.chang@mediatek.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_ree_fs: fix possible mempool leak

In out_of_place_write() if copy_from_user() fails, the function returns
directly instead of using the common cleanup path. If this happens a
temporary blo

core: tee_ree_fs: fix possible mempool leak

In out_of_place_write() if copy_from_user() fails, the function returns
directly instead of using the common cleanup path. If this happens a
temporary block is leaked from the default memory pool. Fix this by
using the common exit path.

Fixes: b2284b11a961 ("core: update FS storage API with user space buffer")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <rouven.czerwinski@linaro.org>

show more ...

ldelf: fix relocation bounds check

When relocating both ELFs only the start address of the relocation
destination is considered when checking that the relocation offset is
within bounds. Fix this by

ldelf: fix relocation bounds check

When relocating both ELFs only the start address of the relocation
destination is considered when checking that the relocation offset is
within bounds. Fix this by added a check for the entire write size.

Fixes: 447354c6e527 ("ldelf: strict checks during relocation")
Fixes: 7509ff7ce5e5 ("Add user mode ELF loader")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>

show more ...

libutils: asan: skip global unpoison for bget-backed globals

Track ASan user-region type at map time and mark bget pool backing ranges
as ASAN_REG_MEM_POOL.

Global registration currently unpoisons

libutils: asan: skip global unpoison for bget-backed globals

Track ASan user-region type at map time and mark bget pool backing ranges
as ASAN_REG_MEM_POOL.

Global registration currently unpoisons globals via asan_tag_access().
For globals used as bget pool backing storage, this overwrites the initial
pool shadow state (ASAN_HEAP_RED_ZONE, heap-free) and breaks expected
allocator poisoning semantics.

Skip global unpoison for globals that contain a memory-pool backing range,
while keeping normal redzone handling for those globals. Update ASan
mapping call sites to pass region type (STACK, ELF, MEM_POOL, NO_TYPE).

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: asan: improve report output

Add optional shadow dump in TRACE_DEBUG builds for better ASan diagnostics.
Also expand the shadow bytes printed around the faulting address.

Signed-off-by: Al

libutils: asan: improve report output

Add optional shadow dump in TRACE_DEBUG builds for better ASan diagnostics.
Also expand the shadow bytes printed around the faulting address.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

asan: support trusted applications

Add CFG_TA_SANITIZE_KADDRESS and enable -fsanitize=kernel-address for TAs.
Extend ASan to map shadow regions in user space. Shadow memory for trusted
applications

asan: support trusted applications

Add CFG_TA_SANITIZE_KADDRESS and enable -fsanitize=kernel-address for TAs.
Extend ASan to map shadow regions in user space. Shadow memory for trusted
applications is now mapped during ldelf loading. CFG_TA_SANITIZE_KADDRESS
acts as a global flag and propagates to all internal and external TAs.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

asan: add ldelf support and user shadow mapping infrastructure

This commit enables ASan support in ldelf and introduces infrastructure
for mapping ASan shadow regions in user space. With these chang

asan: add ldelf support and user shadow mapping infrastructure

This commit enables ASan support in ldelf and introduces infrastructure
for mapping ASan shadow regions in user space. With these changes,
ASan built with CFG_CORE_SANITIZE_KADDRESS is no longer limited to
the core and can also operate in ldelf.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: asan: support multiple shadow regions

Replace the single shadow range with a list of shadowed virtual regions.
Access validation is performed per-region: an access is considered inside
sha

libutils: asan: support multiple shadow regions

Replace the single shadow range with a list of shadowed virtual regions.
Access validation is performed per-region: an access is considered inside
shadow memory only if it is fully contained within a single registered
region. The access is considered out of shadow memory if it does not
intersect any registered shadow region.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: move ASan runtime and tests from core to libutils

This patch relocates the ASan runtime and its self-tests from the core
to libutils/ext. While ASan is still only enabled for the TEE core,

libutils: move ASan runtime and tests from core to libutils

This patch relocates the ASan runtime and its self-tests from the core
to libutils/ext. While ASan is still only enabled for the TEE core, this
refactoring removes core-specific placement and makes the code
available to other components.

The main benefit is that ASan support and the test helpers can now be
potentially reused by ldelf and TAs in the future, instead of being
tied to the core build. The existing ASan core behaviour is unchanged.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add tee_map_zi_va()

Introduce tee_map_zi_va(), a variant of tee_map_zi() that allows
mapping zero-initialized memory at a hinted virtual address.

The new prototype is:

void *tee_map_z

libutee: add tee_map_zi_va()

Introduce tee_map_zi_va(), a variant of tee_map_zi() that allows
mapping zero-initialized memory at a hinted virtual address.

The new prototype is:

void *tee_map_zi_va(vaddr_t va, size_t len, uint32_t flags);

The address hint is passed to the system PTA in param[1].value.{a,b} and
may be overridden later by the PTA.

This change only forwards the virtual address hint from the user
interface to the existing system PTA implementation. All address
selection and validation logic remains in the system PTA, and no new
capabilities are exposed to user space.

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

compiler.h: define __no_asan

Define __no_asan as no_sanitize_address

Signed-off-by: Aleksandr Iashchenko <aleksandr.iashchenko@linutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

Squashed commit upgrading to mbedtls-3.6.5

Squash merging branch import/mbedtls-3.6.5

commit c40cea47ad7c ("Import mbedtls-3.6.5")
commit 2826136f4b61 ("mbedtls: remove default include/mbedtls/conf

Squashed commit upgrading to mbedtls-3.6.5

Squash merging branch import/mbedtls-3.6.5

commit c40cea47ad7c ("Import mbedtls-3.6.5")
commit 2826136f4b61 ("mbedtls: remove default include/mbedtls/config.h")
commit e4f52f042adc ("mbedtls: configure mbedtls to reach for config")
commit 41c7e16c1099 ("libmbedtls: make mbedtls_mpi_mont*() available")
commit 196c68f26b35 ("libmbedtls: add mbedtls_mpi_init_mempool()")
commit 17a529137cf0 ("libmedtls: mpi_miller_rabin: increase count limit")
commit e984be59a8ad ("libmbedtls: add interfaces in mbedtls for context memory operation")
commit f5a824199020 ("libmbedtls: fix no CRT issue")
commit 77aed40de4f6 ("libmbedtls: add SM2 curve")
commit 383ec6f79d6e ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
commit 8ad6f859f90b ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
commit 1ff4c0c4fd5d ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
commit 369fcd552af0 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
commit c418523d36ef ("libmbedtls: allow inclusion of arm_neon.h")
commit 459bf515c5b2 ("libmbedtls: add CFG_CORE_UNSAFE_MODEXP and CFG_TA_MBEDTLS_UNSAFE_MODEXP")
commit 37734ceb58aa ("libmbedtls: use mempool_calloc() for temporary memory")
commit 3cb6bf44787f ("libmbedtls: fix build warning related to deprecated DTLS connect ID")
commit 92c283910cbb ("libmbedtls: fix compilation warning with GCC14")
commit 834f027107e1 ("libmbedtls: fix warning redundant-decls in mbedtls 3.6.5")

Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: hisilicon: fix qp memory leak

Fix the null pointer access issue for hisilicon QM driver.

Fixes: c7f9abcee87f ("drivers: implement HiSilicon Queue Management (QM) module")
Signed-of

drivers: crypto: hisilicon: fix qp memory leak

Fix the null pointer access issue for hisilicon QM driver.

Fixes: c7f9abcee87f ("drivers: implement HiSilicon Queue Management (QM) module")
Signed-off-by: zhaozheng7 <zhaozheng96@outlook.com>
Acked-by: Zexi Yu <yuzexi@hisilicon.com>

show more ...