ta: pkcs11: Enforce that helpers are up to date

During each build enforce that src/pkcs11-helpers.c is up to date.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etie

ta: pkcs11: Enforce that helpers are up to date

During each build enforce that src/pkcs11-helpers.c is up to date.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: Add missing PKCS11_CKR_ helpers

Adds used but missing PKCS11_CKR_ helpers:
- PKCS11_CKR_KEY_TYPE_INCONSISTENT
- PKCS11_CKR_KEY_NOT_WRAPPABLE
- PKCS11_CKR_KEY_UNEXTRACTABLE

Signed-off-by

ta: pkcs11: Add missing PKCS11_CKR_ helpers

Adds used but missing PKCS11_CKR_ helpers:
- PKCS11_CKR_KEY_TYPE_INCONSISTENT
- PKCS11_CKR_KEY_NOT_WRAPPABLE
- PKCS11_CKR_KEY_UNEXTRACTABLE

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: Sort PKCS11_CKR_ helper lines

Sort PKCS11_CKR_ helper lines to match their order in pkcs11_ta.h.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Ca

ta: pkcs11: Sort PKCS11_CKR_ helper lines

Sort PKCS11_CKR_ helper lines to match their order in pkcs11_ta.h.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: Add script to verify that helpers are present

Extracts list of symbols from include/pkcs11_ta.h and verifies that they
are present in src/pkcs11_helpers.c or are not used.

Signed-off-by

ta: pkcs11: Add script to verify that helpers are present

Extracts list of symbols from include/pkcs11_ta.h and verifies that they
are present in src/pkcs11_helpers.c or are not used.

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

MAINTAINERS: add PKCS#11 TA

Add a new entry for the PCKS#11 Trusted Application with the main
contributors as reviewers.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Vesa Jää

MAINTAINERS: add PKCS#11 TA

Add a new entry for the PCKS#11 Trusted Application with the main
contributors as reviewers.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Fix RSA public key import

Different requirements are in place when importing RSA public key vs.
generaing a new RSA key pair.

Specified in:
PKCS #11 Cryptographic Token Interface Curren

ta: pkcs11: Fix RSA public key import

Different requirements are in place when importing RSA public key vs.
generaing a new RSA key pair.

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.2 RSA public key objects
and
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Correct return value for decryption with invalid ciphertext

When invalid input data is provided for TEE_AsymmetricDecrypt() it will
fail with TEE_ERROR_BAD_PARAMETERS.

PCSK#11 operation

ta: pkcs11: Correct return value for decryption with invalid ciphertext

When invalid input data is provided for TEE_AsymmetricDecrypt() it will
fail with TEE_ERROR_BAD_PARAMETERS.

PCSK#11 operation for C_Decrypt()/C_DecryptFinal() should return in this
case CKR_ENCRYPTED_DATA_INVALID or CKR_ENCRYPTED_DATA_LEN_RANGE.

As it is hard to determine which case it is return matching error similar
to encryption case.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification
Version 2.40 Plus Errata 01
5.9 Decryption functions
C_Decrypt/C_DecryptFinal

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Correct return value for encryption with invalid input

When invalid input data is provided for TEE_AsymmetricEncrypt() it will
fail with TEE_ERROR_BAD_PARAMETERS.

PCSK#11 operation for

ta: pkcs11: Correct return value for encryption with invalid input

When invalid input data is provided for TEE_AsymmetricEncrypt() it will
fail with TEE_ERROR_BAD_PARAMETERS.

PCSK#11 operation for C_Encrypt()/C_EncryptFinal() should return in this
case CKR_DATA_LEN_RANGE.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification
Version 2.40 Plus Errata 01
5.8 Encryption functions
C_Encrypt/C_EncryptFinal

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SH

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SHA-384
- MGF1 SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.8 PKCS #1 RSA OAEP

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
-

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.10 PKCS #1 RSA PSS

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi st

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1 RSA

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generatio

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add elliptic curve mecha bits to bytes conversions

Even thou not currently used by the code add support for EC bits to bytes
conversions to mechanism_supported_key_sizes_bytes() as more

ta: pkcs11: Add elliptic curve mecha bits to bytes conversions

Even thou not currently used by the code add support for EC bits to bytes
conversions to mechanism_supported_key_sizes_bytes() as more will be added
for RSA.

This is to help to keep it in sync with
pkcs11_mechanism_supported_key_sizes().

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Build: Fix CFG_EMBEDDED_TS dependency

Set CFG_EMBEDDED_TS when CFG_EARLY_TA or CFG_SECURE_PARTITION
is set even when no early_ta's or SPs are added to the system.

Fixes the following error:

$ mak

Build: Fix CFG_EMBEDDED_TS dependency

Set CFG_EMBEDDED_TS when CFG_EARLY_TA or CFG_SECURE_PARTITION
is set even when no early_ta's or SPs are added to the system.

Fixes the following error:

$ make -s CFG_EARLY_TA=y
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o: in function `early_ta_open':
/home/.../optee_os/core/kernel/early_ta.c:32: undefined reference to `emb_ts_open'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0x8): undefined reference to `emb_ts_get_size'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0xc): undefined reference to `emb_ts_get_tag'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0x10): undefined reference to `emb_ts_read'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0x14): undefined reference to `emb_ts_close'
make: *** [core/arch/arm/kernel/link.mk:45: out/arm-plat-vexpress/core/all_objs.o] Error 1

Github issue:
https://github.com/OP-TEE/optee_os/issues/4729#issuecomment-893308216

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

plat-totalcompute: Introduce TC1 platform

The different platform parameters, such as GIC, UART, etc
are similar between TC0 and TC1. tc0_spmc_pm.c is also renamed to
tc_spmc_pm.c as its common to bo

plat-totalcompute: Introduce TC1 platform

The different platform parameters, such as GIC, UART, etc
are similar between TC0 and TC1. tc0_spmc_pm.c is also renamed to
tc_spmc_pm.c as its common to both platforms.

Signed-off-by: Usama Arif <usama.arif@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

mm: fix mobj split by adding core_mmu_find_mapping_exclusive() helper

Fixes: ff01e2452169 ("mm: split mobj_tee_ram onto rw/rx parts")

This fixes mobj splitting onto RX/RW parts. Now split can be do

mm: fix mobj split by adding core_mmu_find_mapping_exclusive() helper

Fixes: ff01e2452169 ("mm: split mobj_tee_ram onto rw/rx parts")

This fixes mobj splitting onto RX/RW parts. Now split can be done
incorrectly if RX and RW regions doesn`t mapped contiguosly. Added helper
core_mmu_find_mapping_exclusive() allows to find unique mapping for
specified type and length independently of their order, so then RX/RW
regions for mobjects should be determined correctly.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Anton Rybakov <a.rybakov@omp.ru>

show more ...

core: add new init and nexus memory types

Adds the new memory types MEM_AREA_INIT_RAM_RO, MEM_AREA_INIT_RAM_RX and
MEM_AREA_NEX_RAM_RO to make sure that the memory types
MEM_AREA_TEE_RAM_RX, MEM_ARE

core: add new init and nexus memory types

Adds the new memory types MEM_AREA_INIT_RAM_RO, MEM_AREA_INIT_RAM_RX and
MEM_AREA_NEX_RAM_RO to make sure that the memory types
MEM_AREA_TEE_RAM_RX, MEM_AREA_TEE_RAM_RO and MEM_AREA_TEE_RAM_RW are
used only once. This is needed when to uniquely identify those memory
areas in mobj_init() and mobj_phys_init().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Anton Rybakov <a.rybakov@omp.ru>

show more ...

ta: pkcs11: Remove dual crypto operations from token capability

We don't support dual cryptographic operations in current
implemenetation. So remove it from token capability.

Signed-off-by: Ruchika

ta: pkcs11: Remove dual crypto operations from token capability

We don't support dual cryptographic operations in current
implemenetation. So remove it from token capability.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix calling twice of C_EncryptInit()/C_DecryptInit()

If C_EncryptInit()/C_DecryptInit() is called twice first starts the
operation and should inform caller that operation is already in p

ta: pkcs11: Fix calling twice of C_EncryptInit()/C_DecryptInit()

If C_EncryptInit()/C_DecryptInit() is called twice first starts the
operation and should inform caller that operation is already in progress
and keep the operation active until it is terminated with C_Encrypt()/
C_Decrypt() or by C_EncryptFinal()/C_DecryptFinal().

Specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.8 Encryption functions
C_EncryptInit
and
5.9 Decryption functions
C_DecryptInit

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

arm64: format call stack addresses on 8 characters by default

print_stack_arm64() currently shows the full 64 bit addresses in
hexadecimal with leading zeros (0x0000000000000000). This is a bit hard

arm64: format call stack addresses on 8 characters by default

print_stack_arm64() currently shows the full 64 bit addresses in
hexadecimal with leading zeros (0x0000000000000000). This is a bit hard
to read and is not necessary since virtual addresses are typically 32
or 36 bits (defined by CFG_LPAE_ADDR_SPACE_BITS), and in any case
nowhere near 64 bits.
Therefore, use a 32-bit format by default (0x00000000) and expand the
width as necessary. The new format is already used in ldelf to print
the region addresses so this changes brings consistency.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-marvell: Add HUK support for OcteonTX2 Platforms

Added support for fetching Hardware Unique Key(HUK)
from the OcteonTX2 platform.

Signed-off-by: Anil Kumar Reddy <areddy3@marvell.com>
Reviewed

plat-marvell: Add HUK support for OcteonTX2 Platforms

Added support for fetching Hardware Unique Key(HUK)
from the OcteonTX2 platform.

Signed-off-by: Anil Kumar Reddy <areddy3@marvell.com>
Reviewed-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
Reviewed-by: Bharat Bhushan <bbhushan2@marvell.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ci: azure: remove hack previously required for virt-make-fs

Since commit [1] in build.git, no need to touch a file in /boot.

Link: [1] https://github.com/OP-TEE/build/commit/fc2747c213bab7994317fe7

ci: azure: remove hack previously required for virt-make-fs

Since commit [1] in build.git, no need to touch a file in /boot.

Link: [1] https://github.com/OP-TEE/build/commit/fc2747c213bab7994317fe7a0d4a5fdaba92119a
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: run code style check in .azure-pipelines.yml

The Travis CI script .travis.yml is not run anymore. A banner at
https://travis-ci.org/ says "Since June 15th, 2021, the building on
travis-ci.org is

ci: run code style check in .azure-pipelines.yml

The Travis CI script .travis.yml is not run anymore. A banner at
https://travis-ci.org/ says "Since June 15th, 2021, the building on
travis-ci.org is ceased. Please use travis-ci.com from now on."

For simplicity let's move the code style checks to the Azure Pipelines
script. We already have two jobs there, a third one is easy to do.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-totalcompute: Add support for S-EL2 SPMC

This patch adds CFG_CORE_SEL2_SPMC support. Defines CFG_TZDRAM_START
address with memory region reserved for SPMC. Adds secondary cpu boot
request handl

plat-totalcompute: Add support for S-EL2 SPMC

This patch adds CFG_CORE_SEL2_SPMC support. Defines CFG_TZDRAM_START
address with memory region reserved for SPMC. Adds secondary cpu boot
request handler. Disables configuring GIC if SEL2 SPMC is enabled.

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-totalcompute: Add OP-TEE SP manifest file

Add Secure Partition manifest file. This file is used when OP-TEE is build
with CFG_CORE_SEL2_SPMC support when creating the SP binary image.

Signed-o

plat-totalcompute: Add OP-TEE SP manifest file

Add Secure Partition manifest file. This file is used when OP-TEE is build
with CFG_CORE_SEL2_SPMC support when creating the SP binary image.

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...