sign_encrypt.py: rename to hash_size and sig_size

Renames digest_len to hash_size and sig_len to sig_size in order to
match the names used in the corresponding C code.

Reviewed-by: Jerome Forissier

sign_encrypt.py: rename to hash_size and sig_size

Renames digest_len to hash_size and sig_len to sig_size in order to
match the names used in the corresponding C code.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

sign_encrypt.py: add subkey support

Adds support to sign TAs using a subkey. Two new commands are added to
help with this:
- sign-subkey: signs a new subkey using either the root key or the keys
fro

sign_encrypt.py: add subkey support

Adds support to sign TAs using a subkey. Two new commands are added to
help with this:
- sign-subkey: signs a new subkey using either the root key or the keys
from another subkey
- subkey-uuid: calculate the UUID of next TA or subkey

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

sign_encrypt.py: add display command

Adds a display command to sign_encrypt.py doing what dump_ta_header.py
used to do. Removes the now redundant script dump_ta_header.py.

Reviewed-by: Jerome Foris

sign_encrypt.py: add display command

Adds a display command to sign_encrypt.py doing what dump_ta_header.py
used to do. Removes the now redundant script dump_ta_header.py.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

sign_encrypt.py: add command func in argument parsing

While parsing the argument assign the function to handle the command for
easier dispatching of the command.

Reviewed-by: Jerome Forissier <jero

sign_encrypt.py: add command func in argument parsing

While parsing the argument assign the function to handle the command for
easier dispatching of the command.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

sign_encrypt.py: refactor with BinaryImage class

Moves manipulations of the TA binary into a BinaryImage class for some
abstraction and better structure of the code for the different
sub-commands.

sign_encrypt.py: refactor with BinaryImage class

Moves manipulations of the TA binary into a BinaryImage class for some
abstraction and better structure of the code for the different
sub-commands.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

sign_encrypt.py: refactor argument parsing

Uses the add_subparsers() method from argparse.ArgumentParser to add
the command instead of adding command and options at the same level.
With this we have

sign_encrypt.py: refactor argument parsing

Uses the add_subparsers() method from argparse.ArgumentParser to add
the command instead of adding command and options at the same level.
With this we have one parser for each command to allow the argparse
module to handle checks for optional and mandatory options. This makes
the argument parsing a bit more modular and easier to extend.

Behavior of the script is supposed to be unchanged with the exception of
printed help and errors since that now relies more on the argparse
module.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

sign_encrypt.py: make logger global

Makes the logger variable global to avoid passing it to all functions
that needs to log something.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Ac

sign_encrypt.py: make logger global

Makes the logger variable global to avoid passing it to all functions
that needs to log something.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: clk_dt: Switch to use get_secure_dt()

This adds support for both embedded and external secure device trees so
that clock driver and system configuration information can be fetched from
ther

drivers: clk_dt: Switch to use get_secure_dt()

This adds support for both embedded and external secure device trees so
that clock driver and system configuration information can be fetched from
there.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: dt_driver: Add driver probing to use secure device tree

When secure external device tree is configured for use OP-TEE's drivers
should be loaded based on its definitions. Add support to probe

core: dt_driver: Add driver probing to use secure device tree

When secure external device tree is configured for use OP-TEE's drivers
should be loaded based on its definitions. Add support to probe drivers
also with secure external device tree.

This allows common system device tree to be used to define devices for
bootloaders and OP-TEE.

In any case if embedded device tree is defined this will take precedense.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configu

core: Add new helper get_secure_dt()

Add new helper to query device tree considered secure for device driver
usage.

First priority is given to embedded device tree if present.

If system is configured with secure external device tree location then
external device tree is returned.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

MAINTAINERS: support Versal ACAP eFuse/BBRAM driver

Add myself as maintainer of the versal_nvm driver.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wikland

MAINTAINERS: support Versal ACAP eFuse/BBRAM driver

Add myself as maintainer of the versal_nvm driver.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: versal: non volatile memory (eFuse and BBRAM)

Provide an interface to access the xilnvm service executing in the PLM
firmware running on the Microblaze processor.

Signed-off-by: Jorge Rami

drivers: versal: non volatile memory (eFuse and BBRAM)

Provide an interface to access the xilnvm service executing in the PLM
firmware running on the Microblaze processor.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-imx, plat-ls: replace crypto_conf.mk by common drivers/crypto/caam/crypto.mk

move platform specific conf file to crypto drivers one.
CFG_CRYPTO_DRIVER should be define in driver conf file
inste

plat-imx, plat-ls: replace crypto_conf.mk by common drivers/crypto/caam/crypto.mk

move platform specific conf file to crypto drivers one.
CFG_CRYPTO_DRIVER should be define in driver conf file
instead of platform configuration file.

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: pta: bcm: add option to disable SOTP PTA after first session

- If the config flag CFG_BCM_SOTP_SINGLE_SESSION is enabled, the BCM
SOTP driver should prevent any further connections after the

core: pta: bcm: add option to disable SOTP PTA after first session

- If the config flag CFG_BCM_SOTP_SINGLE_SESSION is enabled, the BCM
SOTP driver should prevent any further connections after the first PTA
SOTP session disconnects.
- When enabling this flag, it will be possible to restrict any SOTP
access after firmware bootup is complete.

Signed-off-by: Andrew Mustea <andrew.mustea@microsoft.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

MAINTAINERS: add Versal ACAP TRNG maintainer

Add Versal ACAP TRNG maintainer

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

drivers: versal: true random number generator

Configure the TRNG driver to operate in Hybrid mode with derivative
function.

This driver was ported from its original FSBL implementation [1].

[1] ht

drivers: versal: true random number generator

Configure the TRNG driver to operate in Hybrid mode with derivative
function.

This driver was ported from its original FSBL implementation [1].

[1] https://github.com/Xilinx/embeddedsw

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: dt: Make it possible to alter device mapping

In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device

core: dt: Make it possible to alter device mapping

In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device.

When selected registers in IP core are only accessible by TrustZone device
needs to be mapped with MEM_AREA_IO_SEC to cause actual AXI memory access
be made with AWPROT[1] and ARPROT[1] bits configured properly.

This adds new argument for dt_map_dev() to enable forcing mapping to be
secure or non-secure.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-zynq7k: Configure platform needing NMFI workaround

Unfortunately Xilinx Zynq-7000's ARM Cortext-A9 core has been configured
with NMFI support. This causes problems for OP-TEE's atomic context
p

plat-zynq7k: Configure platform needing NMFI workaround

Unfortunately Xilinx Zynq-7000's ARM Cortext-A9 core has been configured
with NMFI support. This causes problems for OP-TEE's atomic context
protections rendering FIQ interrupt un-usable in the system designs.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: sm: Apply FIQ workaround if configured

On systems with Non-maskable FIQ (NMFI) support in OP-TEE's atomic
contexts when trying to mask FIQ it cannot be set leaving it non-masked.

This state

arm32: sm: Apply FIQ workaround if configured

On systems with Non-maskable FIQ (NMFI) support in OP-TEE's atomic
contexts when trying to mask FIQ it cannot be set leaving it non-masked.

This state is then carried back into sm_ctx structure thus causing next
call to SMC entry having incorrect FIQ masking configured.

This can represent itself as:

E/TC:0 assertion 'thread_get_exceptions() == THREAD_EXCP_ALL' failed at core/arch/arm/kernel/thread_optee_smc.c:50 <thread_handle_fast_smc>

As a workaround force FIQ to be masked before entering SMC entry handler.

Note: on systems having the issue -- FIQ is considered un-usable and
causes panic in OP-TEE if received.

Note2: If you have system without SCTLR.NMFI enabled and you do get that
assertion do not enable the workaround! Eg. fix the real problem.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: kernel: Add check whether core needs NMFI workaround

During the boot additional check is performed to verify if the core is
affected and if the CFG_CORE_WORKAROUND_ARM_NMFI has been configure

arm32: kernel: Add check whether core needs NMFI workaround

During the boot additional check is performed to verify if the core is
affected and if the CFG_CORE_WORKAROUND_ARM_NMFI has been configured
properly.

Affected system is greeted with:

I/TC: WARNING: This ARM core has NMFI enabled, please apply workaround!

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: kernel: Add common itr_core_handler() for NMFI workaround

Should we receive FIQ interrupt treat it always as panic to indicate to
platform developer that FIQ interrupts must be disabled in sy

arm32: kernel: Add common itr_core_handler() for NMFI workaround

Should we receive FIQ interrupt treat it always as panic to indicate to
platform developer that FIQ interrupts must be disabled in system level.

Function itr_core_handler() is defined without __weak to make sure that
there are no other function trying to handle the FIQ.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exce

arm.mk: Add CFG_CORE_WORKAROUND_ARM_NMFI for NMFI problem

If the ARMv7 Cortex-A core is configured with Non-maskable FIQ (NMFI)
support there are side effects that FIQ can only be masked during
exception entry and once unmasked by software it cannot anymore be masked.

Side effects of this is that critical sections within the code cannot
re-enable FIQ mask.

FIQ is recommended to be masked during secure monitor execution.

ARMv8 architecture is not affected as the Non-maskable FIQ support is not
available in there.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: correct bit define for SCTLR.NMFI setting

In SCTLR register definition NMFI bit is 27th bit. Correct the define.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by:

arm32: correct bit define for SCTLR.NMFI setting

In SCTLR register definition NMFI bit is 27th bit. Correct the define.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mm: fix error flushing unused pgt's

With commit b1df82f10633 ("core: use set_um_region() to update
translation tables") a "populated" value is used for each pgt
(translation table) to tell if

core: mm: fix error flushing unused pgt's

With commit b1df82f10633 ("core: use set_um_region() to update
translation tables") a "populated" value is used for each pgt
(translation table) to tell if it's up to date or if
core_mmu_populate_user_map() should initialize it.

When a pgt becomes unused it must be marked as unused. Prior to this
patch an error in the logic prevented pgt's to be marked as unused
properly. This can prevent core_mmu_populate_user_map() from
initializing a pgt. This can cause some new mappings to not be
established properly.

So fix this by giving the correct arguments for pgt_flush_range() in
rem_um_region() and core_is_buffer_inside() in pgt_entry_matches().

Fixes: b1df82f10633 ("core: use set_um_region() to update translation tables")
Acked-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: se050: SCP03 enabled only session.

The SE050F FIPS 140-2 certified device makes SCP03 mandatory from
boot.

To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its
functionality is d

crypto: se050: SCP03 enabled only session.

The SE050F FIPS 140-2 certified device makes SCP03 mandatory from
boot.

To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its
functionality is described in crypto.mk.

Some information regarding the SE050F device below [1]

[1] https://www.nxp.com/docs/en/application-note/AN12436.pdf

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...