core: FFA_SHARE: Process Normal World share

Process a FFA_SHARE command coming from the Normal World. When
receiving a FFA_SHARE message from the Normal World, we check the
first receiver endpoint i

core: FFA_SHARE: Process Normal World share

Process a FFA_SHARE command coming from the Normal World. When
receiving a FFA_SHARE message from the Normal World, we check the
first receiver endpoint id. If the endpoint id is that off the OP_TEE
endpoint, we let the thread_spmc handler handle the share. If it is not,
we process it inside the spmc_sp_handler.
The mobj_ffa_() functions are used to create a new mobj for each new
share and to keep track of them.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: FFA_SHARE: Process secure share

Process a FFA_SHARE command coming from a SP. When receiving a
FFA_SHARE message from a SP, we don't create any new mobj's. Instead we
retrieve the mobj's from

core: FFA_SHARE: Process secure share

Process a FFA_SHARE command coming from a SP. When receiving a
FFA_SHARE message from a SP, we don't create any new mobj's. Instead we
retrieve the mobj's from the SP list off already mapped mobj's via
vm_get_mobj(). For each FFA_SHARE we check that the memory regions are
mapped and not shared with any other endpoints.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: FFA_SHARE: Process receiver data

Process the receiver specific data of a FFA_SHARE command.
Store the receiver and link it to the endpoints (SPs).

Signed-off-by: Jelle Sels <jelle.sels@arm.co

core: FFA_SHARE: Process receiver data

Process the receiver specific data of a FFA_SHARE command.
Store the receiver and link it to the endpoints (SPs).

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: FFA_SHARE: Process FFA_MEM_SHARE message

Process a FF-A FFA_MEM_SHARE message coming from a SP or being sent
from the Normal world with one or more SPs receivers.
FFA_MEM_SHARE is used to shar

core: FFA_SHARE: Process FFA_MEM_SHARE message

Process a FF-A FFA_MEM_SHARE message coming from a SP or being sent
from the Normal world with one or more SPs receivers.
FFA_MEM_SHARE is used to share a memory region from an endpoint (SP or
normal world) with one or more endpoints in secure world(SPs).

A simplified version of the share memory transaction descriptor looks
like the following:

|-------------------|
|ffa_mem_transaction| Contains general data for the whole share
|-------------------|
|mem_access_array[0]| Contains information specific for each receiver SP
|-------------------|
|mem_access_array[1]|
|-------------------|
|mem_access_array[n]|
|-------------------|
|ffa_mem_region | Contains the memory which is shared
|-------------------|

Add sp_mem as a new memory object. Sp_mem is used to store all
information needed for a FF-A share. For each new FF-A share a sp_mem
object is created. Each share is stored inside the mem_shares list
inside sp_mem.c

The ffa_mem_transaction data is stored inside the sp_mem object.
The receivers list inside sp_mem is used to store all the
ffa_mem_region related data.
The regions list is used to store all data related to the
mem_access_array. A mobj reference is will be used to map the region
into the SPs endpoint.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

FF-A: Add macro for FF-A memory cookie bit

When creating a new cookie of the mobj_ffa a BIT64(44) was used inline.
Create a macro for it.

Signed-off-by: Jelle <jelle.sels@arm.com>
Reviewed-by: Jens

FF-A: Add macro for FF-A memory cookie bit

When creating a new cookie of the mobj_ffa a BIT64(44) was used inline.
Create a macro for it.

Signed-off-by: Jelle <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Add vm_get_mobj

Return the mobj of a va.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@li

core: Add vm_get_mobj

Return the mobj of a va.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-sam: set QSPI memories as non secure

When left unconfigured, the QSPI memories are assigned to the secure
world. However, the controller is assigned to normal world and Linux
expects to use QPS

plat-sam: set QSPI memories as non secure

When left unconfigured, the QSPI memories are assigned to the secure
world. However, the controller is assigned to normal world and Linux
expects to use QPSI memories with it which will fail because they are
not accessible. Configure them to be accessible by the normal world in
order to let Linux handle the QSPI controller properly.

Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Clément Léger <clement.leger@bootlin.com>

show more ...

drivers: caam: add CAAM registers for imx8q platforms

Add CAAM register definitions for the following platforms:
* imx8qm
* imx8qxp

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by:

drivers: caam: add CAAM registers for imx8q platforms

Add CAAM register definitions for the following platforms:
* imx8qm
* imx8qxp

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

drivers: caam: hal: add the support for imx8q

Add the CAAM HAL for the following platforms:
- imx8qm
- imx8qxp

These platforms feature a separate security controller that handles
the following re

drivers: caam: hal: add the support for imx8q

Add the CAAM HAL for the following platforms:
- imx8qm
- imx8qxp

These platforms feature a separate security controller that handles
the following resources/peripherals:
- RNG
- Peripheral owernership
- Clocks

To allocate and initialize the CAAM, the driver relies on the
MU driver and a secure controller API to communicate with the
security controller.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

drivers: caam: hal: make common initialization functions overideable

Define the following functions as weak:
* caam_hal_rng_instantiated()
* caam_hal_cfg_setup_nsjobring()

Add CAAM CAAM_NOT_INIT

drivers: caam: hal: make common initialization functions overideable

Define the following functions as weak:
* caam_hal_rng_instantiated()
* caam_hal_cfg_setup_nsjobring()

Add CAAM CAAM_NOT_INIT code for CAAM RNG initialization status.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

scripts/sign_encrypt.py: add flags for the encryption key type

Allow encryption key type to be overridden from command-line. Defaults
to SHDR_ENC_KEY_DEV_SPECIFIC.

Reviewed-by: Jerome Forissier <je

scripts/sign_encrypt.py: add flags for the encryption key type

Allow encryption key type to be overridden from command-line. Defaults
to SHDR_ENC_KEY_DEV_SPECIFIC.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Donald Chan <hoiho@amazon.com>

show more ...

plat-imx: add Advantech RSB-3720 board support

Support for Advantech RSB-3720 board (imx8mp).
(PLATFORM=imx-mx8mp_rsb3720_6g)

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Acked-by: J

plat-imx: add Advantech RSB-3720 board support

Support for Advantech RSB-3720 board (imx8mp).
(PLATFORM=imx-mx8mp_rsb3720_6g)

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

libutils: mempool based raw malloc functions

Instead of the old stack like internal memory allocator, use the raw
malloc functions instead for more efficient memory usage.

CFG_WITH_STATS is enabled

libutils: mempool based raw malloc functions

Instead of the old stack like internal memory allocator, use the raw
malloc functions instead for more efficient memory usage.

CFG_WITH_STATS is enabled automatically if
CFG_MEMPOOL_REPORT_LAST_OFFSET is enabled to secure a new dependency in
the code.

Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: export raw malloc functions

Exports raw_{memalign,malloc,free,calloc,realloc}() and also adds
raw_malloc_get_ctx_size(), raw_malloc_init_ctx(),
raw_malloc_add_pool() and raw_malloc_get_sta

libutils: export raw malloc functions

Exports raw_{memalign,malloc,free,calloc,realloc}() and also adds
raw_malloc_get_ctx_size(), raw_malloc_init_ctx(),
raw_malloc_add_pool() and raw_malloc_get_stats().

This allows using the malloc functions to allocate with a independent
memory pool.

Acked-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

qemu: enable testing of notifications using the console

When asynchronous notifications are enabled the console driver in qemu
is configured as a top half and bottom half driver allowing basic
testi

qemu: enable testing of notifications using the console

When asynchronous notifications are enabled the console driver in qemu
is configured as a top half and bottom half driver allowing basic
testing of the notification framework.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add asynchronous notifications

Adds support for asynchronous notifications from secure world to normal
world. This allows a design with a top half and bottom half type of
driver where the top

core: add asynchronous notifications

Adds support for asynchronous notifications from secure world to normal
world. This allows a design with a top half and bottom half type of
driver where the top half runs in secure interrupt context and a
notifications tells normal world to schedule a yielding call to do the
bottom half processing.

The protocol is defined in optee_msg.h optee_rpc_cmd.h and optee_smc.h.

A notification consists of a 32-bit value which normal world can
retrieve using a fastcall into secure world. OP-TEE is currently only
supporting the value 0-63 where 0 has a special meaning. When 0 is sent
it means that normal world is supposed to make a yielding call
OPTEE_MSG_CMD_DO_BOTTOM_HALF.

The notification framework in OP-TEE defines an interface where drivers
can register a callback which is called on each yielding bottom half
call.

Notification capability is negotiated with the normal world while it
initializes its driver. If both sides supports these notifications then
they are enabled.

CFG_CORE_ASYNC_NOTIF_GIC_INTID is added to define the hardware interrupt
used to notify normal world. This is added to the DTB in case OP-TEE can
is configured with CFG_DT=y. Other cases requires the normal world DTB
to be kept in sync with this.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add new interface for synchronous notifications

Adds a new interface for synchronous notifications. The old RPC
interface based on OPTEE_RPC_CMD_WAIT_QUEUE is renamed to
OPTEE_RPC_CMD_NOTIFICA

core: add new interface for synchronous notifications

Adds a new interface for synchronous notifications. The old RPC
interface based on OPTEE_RPC_CMD_WAIT_QUEUE is renamed to
OPTEE_RPC_CMD_NOTIFICATION in order to match the new interface.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: drivers: gic.h: define PPI and SPI bases

Adds the two defines GIC_PPI_BASE and GIC_SPI_BASE to tell the base of
the ranges for PPIs and SPIs respectively.

Reviewed-by: Jerome Forissier <jerom

core: drivers: gic.h: define PPI and SPI bases

Adds the two defines GIC_PPI_BASE and GIC_SPI_BASE to tell the base of
the ranges for PPIs and SPIs respectively.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: optee_smc.h: clarify calls with struct optee_msg_arg

Clarifies the responsibilities of the caller when calling with struct
optee_msg_arg as argument.

Reviewed-by: Jerome Forissier <jerome@for

core: optee_smc.h: clarify calls with struct optee_msg_arg

Clarifies the responsibilities of the caller when calling with struct
optee_msg_arg as argument.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GitHub actions: fix incorrect version

v4.0.1 was incorrectly added to the commit below, instead it should have
been v4.1.0.

Fixes: 1195d0dd14ba ("GitHub actions: General updates")

Signed-off-by: J

GitHub actions: fix incorrect version

v4.0.1 was incorrectly added to the commit below, instead it should have
been v4.1.0.

Fixes: 1195d0dd14ba ("GitHub actions: General updates")

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: provide __sprintf_chk implementation

While building optee_test CXX test-cases natively on aarch64, OP-TEE
build relies on toolchain provided by buildroot. The buildroot toolchain
is built

libutils: provide __sprintf_chk implementation

While building optee_test CXX test-cases natively on aarch64, OP-TEE
build relies on toolchain provided by buildroot. The buildroot toolchain
is built with flag: -fstack-protector-strong which requires
__sprintf_chk symbol provided by standard glibc. For OP-TEE we use a
customized libc which leads to below error:

...
CC out/init.o
CC out/os_test.o
CC out/ta_entry.o
CXX out/cxx_tests.o
CC out/user_ta_header.o
CPP out/ta.lds
LD out/5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.elf
/home/sumit/optee_br/build/../toolchains/aarch64/bin/aarch64-linux-ld.bfd: /home/sumit/optee_br/toolchains/aarch64/bin/../lib/gcc/aarch64-buildroot-linux-gnu/10.3.0/../../../../aarch64-buildroot-linux-gnu/lib/../lib64/libstdc++.a(cp-demangle.o): in function d_append_num': cp-demangle.c:(.text+0x830): undefined reference to __sprintf_chk'
...

Fix this issue by providing __sprintf_chk implementation.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

config: Add config options to enable BTI for TEE core and TA's

Branch Target Identification (part of the ARMv8.5 Extensions)
provides a mechanism to limit the set of locations to which
computed bran

config: Add config options to enable BTI for TEE core and TA's

Branch Target Identification (part of the ARMv8.5 Extensions)
provides a mechanism to limit the set of locations to which
computed branch instructions such as BR or BLR can jump.
To make use of BTI in TEE cores and ldelf on CPU's that
support it, enable the option CFG_CORE_BTI. The option is only
supported for ARM64 cores.

To enable BTI support for TA's and user mode libraries,
enable the option CFG_TA_BTI.

The BTI support is currently not compatible with options
CFG_VIRTUALIZATION and CFG_WITH_PAGER.

To use the option CFG_CORE_BTI, GCC toolchain built with
--enable-standard-branch-protection is needed.

To test with QEMU, use option -cpu max,sve=off.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (vexpress-qemu_armv8a)

show more ...

arm64: bti: fail link phase if some objects do not support BTI

Adds the proper linker options (-z force-bti --fatal-warnings) to fail
the link if some object files lack the BTI feature bit when BTI

arm64: bti: fail link phase if some objects do not support BTI

Adds the proper linker options (-z force-bti --fatal-warnings) to fail
the link if some object files lack the BTI feature bit when BTI is
requested (CFG_CORE_BTI=Y, CFG_TA_BTI=y). The options are added for
tee.elf, ldelf.elf, in-tree TAs, in-tree user space shared libraries
(CFG_ULIBS_SHARED=y) as well as for external TAs and shared libraries
built with the dev kit.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

lib: libutils: Use ret for longjmp with Clang and BTI

longjmp uses br instead of ret to jump to the target. Thus the target
location should have the right BTI launchpad to handle this.
clang has a b

lib: libutils: Use ret for longjmp with Clang and BTI

longjmp uses br instead of ret to jump to the target. Thus the target
location should have the right BTI launchpad to handle this.
clang has a bug [1] and doesn't add the BTI after setjmp causing
exception when BTI is enabled. This works well with gcc [2]
and can be tested when compiling xtests with WITH_CXX_TESTS=n.
To avoid the exception, use ret instead of br with clang and BTI.

[1] - https://bugs.llvm.org/show_bug.cgi?id=49544
[2] - https://gcc.gnu.org/legacy-ml/gcc-patches/2018-11/msg02472.html

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: Export CFG_TA_BTI

Export CFG_TA_BTI for availability when compiling xtest

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by:

ta: Export CFG_TA_BTI

Export CFG_TA_BTI for availability when compiling xtest

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...