History log of /optee_os/ (Results 3951 – 3975 of 8578)
Revision Date Author Comments
9cf1afce 09-Jan-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Fix RSA public key import

Different requirements are in place when importing RSA public key vs.
generating a new RSA key pair.

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.2 RSA public key objects
and
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

f27310a5 06-Aug-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Correct return value for decryption with invalid ciphertext

When invalid input data is provided for TEE_AsymmetricDecrypt() it will
fail with TEE_ERROR_BAD_PARAMETERS.

PKCS#11 operation for C_Decrypt()/C_DecryptFinal() should return in this
case CKR_ENCRYPTED_DATA_INVALID or CKR_ENCRYPTED_DATA_LEN_RANGE.

As it is hard to determine which case it is, return matching error similar
to encryption case.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification
Version 2.40 Plus Errata 01
5.9 Decryption functions
C_Decrypt/C_DecryptFinal

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

6a6299fb 06-Aug-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Correct return value for encryption with invalid input

When invalid input data is provided for TEE_AsymmetricEncrypt() it will
fail with TEE_ERROR_BAD_PARAMETERS.

PKCS#11 operation for C_Encrypt()/C_EncryptFinal() should return in this
case CKR_DATA_LEN_RANGE.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification
Version 2.40 Plus Errata 01
5.8 Encryption functions
C_Encrypt/C_EncryptFinal

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

dc8c77fc 06-Aug-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add support for RSA OAEP encryption & decryption

Add support for performing PKCS #1 RSA OAEP encryption & decryption
operations for:

- MGF1 SHA-1
- MGF1 SHA-224
- MGF1 SHA-256
- MGF1 SHA-384
- MGF1 SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.8 PKCS #1 RSA OAEP

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

d9af50bc 14-Jul-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add support for RSA PSS signing & verification

Add support for performing RSA PSS signing & verification operations for:

- PKCS #1 RSA PSS with supplied hash value
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.10 PKCS #1 RSA PSS

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

0442c956 04-Jan-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add support for RSA signing & verification

Add support for performing RSA signing & verification operations for:

- PKCS #1 v1.5 RSA with supplied hash value
- Multi stage MD5
- Multi stage SHA-1
- Multi stage SHA-224
- Multi stage SHA-256
- Multi stage SHA-384
- Multi stage SHA-512

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1 RSA

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

86922832 04-Jan-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add RSA key pair generation support

Specified in:
PKCS #11 Cryptographic Token Interface Current Mechanisms Specification
Version 2.40 Plus Errata 01
2.1.4 PKCS #1 RSA key pair generation

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

db28c542 14-Jul-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Add elliptic curve mecha bits to bytes conversions

Even though not currently used by the code, add support for EC bits to bytes
conversions to mechanism_supported_key_sizes_bytes() as more will be added
for RSA.

This is to help to keep it in sync with
pkcs11_mechanism_supported_key_sizes().

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

05ee04a8 05-Aug-2021 Jelle Sels <jelle.sels@arm.com>

Build: Fix CFG_EMBEDDED_TS dependency

Set CFG_EMBEDDED_TS when CFG_EARLY_TA or CFG_SECURE_PARTITION
is set even when no early_ta's or SPs are added to the system.

Fixes the following error:

$ make -s CFG_EARLY_TA=y
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o: in function `early_ta_open':
/home/.../optee_os/core/kernel/early_ta.c:32: undefined reference to `emb_ts_open'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0x8): undefined reference to `emb_ts_get_size'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0xc): undefined reference to `emb_ts_get_tag'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0x10): undefined reference to `emb_ts_read'
arm-linux-gnueabihf-ld.bfd: out/arm-plat-vexpress/core/kernel/early_ta.o:(.scattered_array_ta_stores_1_2+0x14): undefined reference to `emb_ts_close'
make: *** [core/arch/arm/kernel/link.mk:45: out/arm-plat-vexpress/core/all_objs.o] Error 1

Github issue:
https://github.com/OP-TEE/optee_os/issues/4729#issuecomment-893308216

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

e4f34e78 20-Apr-2021 Usama Arif <usama.arif@arm.com>

plat-totalcompute: Introduce TC1 platform

The different platform parameters, such as GIC, UART, etc.
are similar between TC0 and TC1. tc0_spmc_pm.c is also renamed to
tc_spmc_pm.c as it's common to both platforms.

Signed-off-by: Usama Arif <usama.arif@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

b715a420 09-Jul-2021 Anton Rybakov <a.rybakov@omp.ru>

mm: fix mobj split by adding core_mmu_find_mapping_exclusive() helper

Fixes: ff01e2452169 ("mm: split mobj_tee_ram onto rw/rx parts")

This fixes mobj splitting onto RX/RW parts. Now split can be done
incorrectly if RX and RW regions aren't mapped contiguously. Added helper
core_mmu_find_mapping_exclusive() allows to find unique mapping for
specified type and length independently of their order, so then RX/RW
regions for mobjects should be determined correctly.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Anton Rybakov <a.rybakov@omp.ru>

ff902aaf 27-Jul-2021 Jens Wiklander <jens.wiklander@linaro.org>

core: add new init and nexus memory types

Adds the new memory types MEM_AREA_INIT_RAM_RO, MEM_AREA_INIT_RAM_RX and
MEM_AREA_NEX_RAM_RO to make sure that the memory types
MEM_AREA_TEE_RAM_RX, MEM_AREA_TEE_RAM_RO and MEM_AREA_TEE_RAM_RW are
used only once. This is needed to uniquely identify those memory
areas in mobj_init() and mobj_phys_init().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Anton Rybakov <a.rybakov@omp.ru>

66594cdb 29-Jul-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Remove dual crypto operations from token capability

We don't support dual cryptographic operations in current
implementation. So remove it from token capability.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

8abbc8f7 17-Jul-2021 Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

ta: pkcs11: Fix calling twice of C_EncryptInit()/C_DecryptInit()

If C_EncryptInit()/C_DecryptInit() is called twice first starts the
operation and should inform caller that operation is already in progress
and keep the operation active until it is terminated with C_Encrypt()/
C_Decrypt() or by C_EncryptFinal()/C_DecryptFinal().

Specified in:

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.8 Encryption functions
C_EncryptInit
and
5.9 Decryption functions
C_DecryptInit

Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>

237dacb9 28-Jul-2021 Jerome Forissier <jerome@forissier.org>

arm64: format call stack addresses on 8 characters by default

print_stack_arm64() currently shows the full 64 bit addresses in
hexadecimal with leading zeros (0x0000000000000000). This is a bit hard
to read and is not necessary since virtual addresses are typically 32
or 36 bits (defined by CFG_LPAE_ADDR_SPACE_BITS), and in any case
nowhere near 64 bits.
Therefore, use a 32-bit format by default (0x00000000) and expand the
width as necessary. The new format is already used in ldelf to print
the region addresses so this change brings consistency.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

0d5c5128 14-Jul-2021 Anil Kumar Reddy <areddy3@marvell.com>

plat-marvell: Add HUK support for OcteonTX2 Platforms

Added support for fetching Hardware Unique Key (HUK)
from the OcteonTX2 platform.

Signed-off-by: Anil Kumar Reddy <areddy3@marvell.com>
Reviewed-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
Reviewed-by: Bharat Bhushan <bbhushan2@marvell.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

47555022 27-Jul-2021 Jerome Forissier <jerome@forissier.org>

ci: azure: remove hack previously required for virt-make-fs

Since commit [1] in build.git, no need to touch a file in /boot.

Link: [1] https://github.com/OP-TEE/build/commit/fc2747c213bab7994317fe7a0d4a5fdaba92119a
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

2d603acd 26-Jul-2021 Jerome Forissier <jerome@forissier.org>

ci: run code style check in .azure-pipelines.yml

The Travis CI script .travis.yml is not run anymore. A banner at
https://travis-ci.org/ says "Since June 15th, 2021, the building on
travis-ci.org is ceased. Please use travis-ci.com from now on."

For simplicity let's move the code style checks to the Azure Pipelines
script. We already have two jobs there, a third one is easy to do.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

49dbb9ef 07-Jul-2021 Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>

plat-totalcompute: Add support for S-EL2 SPMC

This patch adds CFG_CORE_SEL2_SPMC support. Defines CFG_TZDRAM_START
address with memory region reserved for SPMC. Adds secondary cpu boot
request handler. Disables configuring GIC if SEL2 SPMC is enabled.

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

f5f79333 07-Jul-2021 Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>

plat-totalcompute: Add OP-TEE SP manifest file

Add Secure Partition manifest file. This file is used when OP-TEE is built
with CFG_CORE_SEL2_SPMC support when creating the SP binary image.

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

b50e1d8e 07-Jul-2021 Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>

plat-totalcompute: define tzdram start address for S-EL1 SPMC config

Define TZDRAM_START for CFG_CORE_SEL1_SPMC config

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

37e9518e 07-Jul-2021 Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>

core: arm: Total Compute platform support

Initial support for Total Compute platform[1]
- defines tc0 platform configuration
- enables CFG_ARM64_core by default
- defines TZCDRAM_BASE

Link: [1] https://community.arm.com/developer/tools-software/oss-platforms/w/docs/606/total-compute

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

fbbf8944 13-Jul-2021 ZheTing <ztliu2652.cs@gmail.com>

core: mm: remove redundant mobj_put() in vm_map_pad()

When mobj_get_cattr() fails vm_map_pad() doesn't need to
call mobj_put() which is expected to balance mobj_get() called
only after mobj_get_cattr() succeeds. The issue was introduced
in release 3.8.0 with struct mobj reference counting.

Signed-off-by: Gavin Liu <Gavin.Liu@mediatek.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

16a1c178 09-Jul-2021 Jerome Forissier <jerome@forissier.org>

crypto: optimize speed of AES CBC MAC

The current AES CBC MAC implementation invokes the AES CBC algorithm via
crypto_cipher_update() for each 16-byte block of the input data. This
can be inefficient especially with hardware accelerated implementations
which may have a significant overhead (I am thinking of proprietary
implementations of MBed TLS for example).

This commit introduces a new config option:
CFG_CRYPTO_CBC_MAC_BUNDLE_BLOCKS (default 64) which allows to bundle
several 16-byte blocks of input data when calling the AES CBC function.
Therefore with the default value, data are processed 1 KB at a time
(assuming the caller provides enough data of course). There is a small
memory overhead (malloc) of the same size at most.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

bd944eed 19-Jul-2021 Jerome Forissier <jerome@forissier.org>

ci: azure: run 'git pull' to update repo tool before 'repo sync'

Update the repo tool to the latest commit on the 'stable' branch before
running 'repo sync' (the 'default' local branch tracks 'stable').
Fixes the following error [1]:

sudo -E bash -c "cd /root/optee_repo_qemu_v8 && repo sync -j 10"
project .repo/manifests/
Updating 7b69f4f..30fb9a8
Fast-forward

info: A new version of repo is available
warning: repo is not tracking a remote branch, so it will not receive updates
repo: Updating release signing keys to keyset ver 2.3
repo reset: error: Entry 'docs/manifest-format.md' not uptodate. Cannot merge.
fatal: Could not reset index file to revision 'v2.16.2^0'.

Link: [1] https://dev.azure.com/OPTEE/optee_os/_build/results?buildId=855&view=logs&j=705748f3-7146-5e86-79af-1c0266d20a8c&t=d3458a7d-1a81-5639-8e63-8927d807e53a&l=23
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
