mm: split mobj_tee_ram onto rw/rx parts

Now mobj_tee_ram memory abstraction contains both TEE_RAM_RX and TEE_RAM_RW
regions joined together. This patch splits it to mobj_tee_ram_rx and
mobj_tee_ram_

mm: split mobj_tee_ram onto rw/rx parts

Now mobj_tee_ram memory abstraction contains both TEE_RAM_RX and TEE_RAM_RW
regions joined together. This patch splits it to mobj_tee_ram_rx and
mobj_tee_ram_rw to manage RX/RW memory objects separately.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Anton Rybakov <a.rybakov@omp.ru>

show more ...

ci: azure: run regression tests (make check) in QEMUv8

Adds a separate job to execute "make check" in the QEMUv8 environment.
The default configuration is tested as well as Normal World
virtualizati

ci: azure: run regression tests (make check) in QEMUv8

Adds a separate job to execute "make check" in the QEMUv8 environment.
The default configuration is tested as well as Normal World
virtualization (XEN_BOOT=y).

The Docker image used for this is jforissier/optee_os_ci:qemuv8_check
on Docker Hub [1]. The Dockerfile is available on Github [2].

Link: [1] https://hub.docker.com/repository/docker/jforissier/optee_os_ci/
Link: [2] https://github.com/jforissier/docker_optee_os_ci/blob/qemuv8_check/Dockerfile
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey, hikey960: disable CFG_SECURE_DATA_PATH by default

Since linaro-swg/linux.git branch optee [1] was rebased onto kernel
v5.12, Secure Data Path is broken in xtest [2] because the client side
is

hikey, hikey960: disable CFG_SECURE_DATA_PATH by default

Since linaro-swg/linux.git branch optee [1] was rebased onto kernel
v5.12, Secure Data Path is broken in xtest [2] because the client side
is based on the ION allocator, which was removed from the kernel.

Therefore, disable SDP support by default.

Link: [1] https://github.com/linaro-swg/linux/tree/optee-v5.12-20210628
Link: [2] https://github.com/OP-TEE/optee_test/blob/3.13.0/host/xtest/regression_1000.c#L1220-L1263
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: csu: RNGB TZ reservation on imx6ull/sl/sll

Reserve the RNGB to the TrustZone.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutron

drivers: csu: RNGB TZ reservation on imx6ull/sl/sll

Reserve the RNGB to the TrustZone.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: REE FS: report earlier unexpected REE FS reset

When REE FS dirf.db file is not found but RPMB stores a hash for
that file it means the REE FS was tampered. This change makes OP-TEE
core to rep

core: REE FS: report earlier unexpected REE FS reset

When REE FS dirf.db file is not found but RPMB stores a hash for
that file it means the REE FS was tampered. This change makes OP-TEE
core to report this status instead of creating the file and let a later
access fails due to empty content hash mismatch.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: REE FS: introduce CFG_REE_FS_ALLOW_RESET

New boolean configuration switch CFG_REE_FS_ALLOW_RESET that, when
enabled, will make OP-TEE OS to allow REE FS content to be reset in
the Linux filesy

core: REE FS: introduce CFG_REE_FS_ALLOW_RESET

New boolean configuration switch CFG_REE_FS_ALLOW_RESET that, when
enabled, will make OP-TEE OS to allow REE FS content to be reset in
the Linux filesystem even when RPMB FS is enabled and already stores a
REE FS rollback protection hash. This switch is intended to test purpose
where REE FS can be wiped because the device flash memory was programmed
with brand new build artifacts.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

drivers: caam: fix DMA object when only output reallocated

Use case:
- cipher block to encrypt/decrypt is more than 1 Kbytes (e.g. 1232
bytes)
- input data are accessible from CAAM (no reallocatio

drivers: caam: fix DMA object when only output reallocated

Use case:
- cipher block to encrypt/decrypt is more than 1 Kbytes (e.g. 1232
bytes)
- input data are accessible from CAAM (no reallocation)
- output data is not accessible from CAAM (reallocation of DMA buffer).

In case of cipher operation, the input and output CAAM SGT/Buffer
are built in same time through function caam_dmaobj_sgtbuf_inout_build()
to ensure that both SGT/Buffer do the same cipher block size.
Function caam_dmaobj_sgtbuf_inout_build() calls the function
caam_dmaobj_sgtbuf_build():
- first to build the input data SGT/Buffer. Length returned is
whole cipher buffer size (i.e. 1232 bytes).
- secondly to build the output data SGT/Buffer. Length return is
whole cipher buffer size (i.e. 1232 bytes) whereas it must be 1024 bytes
because output data must use the reallocation DMA buffer (max 1KBytes).

Fix consist in returning the SGT/Buffer length effectively mapped and
not the maximum length that is the input data SGT/Buffer length.

Consequence of this fix, AES CMAC update loop has to be fixed.

Fixes: 38923d487567 ("drivers: caam: implement CAAM DMA Object")

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: azure: use Docker image jforissier/optee_os_ci

Since commit 6538ef550502 ("Add Clang 12.0.0 toolchain") [1], the Clang
toolchain is integrated into the docker image jforissier/optee_os_ci so
the

ci: azure: use Docker image jforissier/optee_os_ci

Since commit 6538ef550502 ("Add Clang 12.0.0 toolchain") [1], the Clang
toolchain is integrated into the docker image jforissier/optee_os_ci so
there is no need to use jforissier/optee_os_ci_clangbuilt which is now
obsolete.

Link: [1] https://github.com/jforissier/docker_optee_os_ci/commit/6538ef55050235065f53e141d76a3f8d260c6726
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: azure: remove references to Shippable

Reflect the fact that we have switched from Shippable CI to Microsoft
Azure by removing references to Shippable:
- the DNS name of the cache server is chang

ci: azure: remove references to Shippable

Reflect the fact that we have switched from Shippable CI to Microsoft
Azure by removing references to Shippable:
- the DNS name of the cache server is changed from 'shippable-cache' to
'cache'.
- a new user account 'optee_os_ci' is used instead of 'shippable'.

No functional change expected.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add more overflow checks in ree_fs_ta_open()

Adds more overflow checks in ree_fs_ta_open() and also checks that the
encrypted header (struct shdr_encrypted_ta) also fits in the size of the
TA

core: add more overflow checks in ree_fs_ta_open()

Adds more overflow checks in ree_fs_ta_open() and also checks that the
encrypted header (struct shdr_encrypted_ta) also fits in the size of the
TA binary.

The latter check is needed to guard against fabricated values in struct
shdr_encrypted_ta for iv_size and/or tag_size which could trick OP-TEE
to read beyond the end of the buffer where the TA was loaded.

Reading beyond the end of the TA buffer would normally result in a crash
or if there's a valid mappings just after just a failure to load the TA.
No unchecked code will be executed, but it may result in a secure world
crash.

So this commit will check that the iv_size and tag_size values can point
to a valid buffer before attempting to read and thus prevent a crash.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Patrik Lantz <Patrik.Lantz@axis.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add overflow check in SHDR_ENC_GET_SIZE()

Prior to this patch could the additions in the macro SHDR_ENC_GET_SIZE()
cause an integer overflow. So fix this by using the ADD_OVERFLOW() macro
and

core: add overflow check in SHDR_ENC_GET_SIZE()

Prior to this patch could the additions in the macro SHDR_ENC_GET_SIZE()
cause an integer overflow. So fix this by using the ADD_OVERFLOW() macro
and a helper function. In case of overflow return 0 which never can be a
correct size.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Patrik Lantz <Patrik.Lantz@axis.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate sp_ops using a __weak attribute instead

Breaks the dependency chain for sp_ops using the standard method with a
__weak symbol and an overriding symbol in link_dummies_paged.c.

Review

core: separate sp_ops using a __weak attribute instead

Breaks the dependency chain for sp_ops using the standard method with a
__weak symbol and an overriding symbol in link_dummies_paged.c.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, pager, Clang 12)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate stmm_sp_ops using a __weak attribute instead

Breaks the dependency chain for stmm_sp_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.

core: separate stmm_sp_ops using a __weak attribute instead

Breaks the dependency chain for stmm_sp_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.c.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate user_ta_ops using a __weak attribute instead

Breaks the dependency chain for user_ta_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.

core: separate user_ta_ops using a __weak attribute instead

Breaks the dependency chain for user_ta_ops using the standard method
with a __weak symbol and an overriding symbol in link_dummies_paged.c.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make __wq_rpc() static again

With dependency chains properly broken for various ops structs we can
make __wq_rpc() static again and remove it from link_dummies_paged.c.

Acked-by: Jerome Foris

core: make __wq_rpc() static again

With dependency chains properly broken for various ops structs we can
make __wq_rpc() static again and remove it from link_dummies_paged.c.

Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make __rodata_unpaged() symbols __weak

Makes the __rodata_unpaged tagged symbols __weak and non-static in order
to be overridden in core/arch/arm/kernel/link_dummies_paged.c. This
makes sure t

core: make __rodata_unpaged() symbols __weak

Makes the __rodata_unpaged tagged symbols __weak and non-static in order
to be overridden in core/arch/arm/kernel/link_dummies_paged.c. This
makes sure that these symbols doesn't bring in further symbols in the
unpaged section.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

compiler.h: add __rodata_dummy macro

Adds the macro __rodata_dummy which places a symbol in the section
".rodata.dummy". This macro is intended to be used in the
core/arch/arm/kernel/link_dummies_*.

compiler.h: add __rodata_dummy macro

Adds the macro __rodata_dummy which places a symbol in the section
".rodata.dummy". This macro is intended to be used in the
core/arch/arm/kernel/link_dummies_*.c files.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use separate sections for each __rodata_unpaged variable

Adds a mandatory argument to the macro __rodata_unpaged() to take the
name of the variable to put in the unpaged rodata section. This w

core: use separate sections for each __rodata_unpaged variable

Adds a mandatory argument to the macro __rodata_unpaged() to take the
name of the variable to put in the unpaged rodata section. This will
result in separate sections for each such variable and make it easier to
debug the pruning of the dependency tree for unpaged sections.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: don't call free_region() from paged function

Call free_region() directly from tee_pager_rem_um_region() instead
of the unpaged helper function rem_region(). This reduces the unpaged
par

core: pager: don't call free_region() from paged function

Call free_region() directly from tee_pager_rem_um_region() instead
of the unpaged helper function rem_region(). This reduces the unpaged
part with a few bytes.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: imx_i2c: add support for MX8MQ

Add support for iMX8MQ.

Signed-off-by: David Griego <david.griego@foundries.io>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklande

drivers: imx_i2c: add support for MX8MQ

Add support for iMX8MQ.

Signed-off-by: David Griego <david.griego@foundries.io>
Reviewed-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

lib: mbedtls: return TEE_ERROR_BAD_PARAMETERS on input data error

This change fixes Keymaster VTS if cryptolib uses libmedtls
EncryptionOperationsTest, RsaPkcs1Success and
EncryptionOperationsTest,

lib: mbedtls: return TEE_ERROR_BAD_PARAMETERS on input data error

This change fixes Keymaster VTS if cryptolib uses libmedtls
EncryptionOperationsTest, RsaPkcs1Success and
EncryptionOperationsTest, RsaOaepSuccess probabilistic failure.
We should change error code from libmedtls to TEE_AsymmetricDecrypt.
In the same scenario, the tomcrypt return value is eventually
Converted to TEE_ERROR_BAD_PARAMETERS,and then pass the test.
But mbedtls converted to TEE_ERROR_BAD_STATE,
This causes TEE_AsymmetricDecrypt() to panic.

Signed-off-by: Liu Shiwei <liushiwei@eswin.com>
Tested-by: Liu Shiwei <liushiwei@eswin.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat: rcar: fix second DDR bank address for m3_2x4g flavor

Due to mistake, NSEC_DDR_1_BASE was set to incorrect value. In fact, second
DDR bank begins at 0x480000000.

Signed-off-by: Volodymyr Babch

plat: rcar: fix second DDR bank address for m3_2x4g flavor

Due to mistake, NSEC_DDR_1_BASE was set to incorrect value. In fact, second
DDR bank begins at 0x480000000.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: fix split_region() to maintain order

Fixes split_region() to maintain the order of paged regions when a
region is split into two.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_page

core: pager: fix split_region() to maintain order

Fixes split_region() to maintain the order of paged regions when a
region is split into two.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1 w/ gp, stmm)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager fix alloc_merged_pgt_array()

Fix the logic for how a shared pgt is detected in
alloc_merged_pgt_array(). Without this there's a buffer overrun in the
pgt_array plus of course not quite

core: pager fix alloc_merged_pgt_array()

Fix the logic for how a shared pgt is detected in
alloc_merged_pgt_array(). Without this there's a buffer overrun in the
pgt_array plus of course not quite right pgt pointers in that array.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: fix split_region() pgt assignment

Fixes an error in how pgt_array is copied from the original paged region
into the new split off region.

Fixes: 4a3f6ad054d4 ("core: pager: let struct

core: pager: fix split_region() pgt assignment

Fixes an error in how pgt_array is copied from the original paged region
into the new split off region.

Fixes: 4a3f6ad054d4 ("core: pager: let struct tee_pager_area span multiple translation tables")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...