| 27e8d08d | 27-Dec-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
Introduce CFG_TA_BGET_TEST
Introduces CFG_TA_BGET_TEST which compiles the integrated bget test suite together with the rest of bget. When enabled, the test entry point is bget_main_test() in libutils.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 313aa2a4 | 29-Dec-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: introduce CFG_ENABLE_EMBEDDED_TESTS
Introduces CFG_ENABLE_EMBEDDED_TESTS disabled by default. This flag is used to control the default value of all other embedded tests.
This changes the default value of CFG_TEE_CORE_EMBED_INTERNAL_TESTS to 'n' since CFG_ENABLE_EMBEDDED_TESTS defaults to 'n'.
A Shippable target is updated with CFG_ENABLE_EMBEDDED_TESTS=y to have these tests compiled in some configuration.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 9bbdacba | 04-Jan-2021 |
Jens Wiklander <jens.wiklander@linaro.org> |
qemu_v8: configure secure interrupts
Configures GIC and enables reception of interrupts from the secure uart. This enables testing of secure interrupts on the QEMU v8 platform by typing in the secure log.
Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 4c69b1f1 | 15-Dec-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: build: elliptic curve
Makefile changes to compile-in and enable elliptic curve support.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 9b5917c9 | 15-Dec-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: core: elliptic curve implementation
Elliptic curve driver.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| d419b2b2 | 15-Dec-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: adaptors: elliptic curve
APDU and utility functions required to support elliptic curve cryptography.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| fab91492 | 29-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add more checks before destroying object in a session
Few checks were missing in the implementation of C_DestroyObject() as per PKCS#11 Specification. These have been added now. These checks are
- only session objects can be destroyed during a read only session
- only public objects can be destroyed unless the normal user is logged in
- Certain objects may not be destroyed. Calling C_DestroyObject on such objects will result in the CKR_ACTION_PROHIBITED error code. An application can consult the object's CKA_DESTROYABLE attribute to determine if an object may be destroyed or not.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 08774c86 | 31-Dec-2020 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
ta: pkcs11: Fix return value when trying to open parallel session
It is mandatory to have CKF_SERIAL_SESSION set when invoking C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must be returned.
Specified in: PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Plus Errata 01 5.6 Session management functions C_OpenSession
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 8563cdc5 | 13-Dec-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: crypto: se050: limitations to RSA crypto
The supported algorithms for encryption/decryption are: PKCS1_OAEP, PKCS1_V1_5
When using PKCS1_PSS_MGF1 the se050 also has some restrictions on the hash algorithms that can be used depending on the RSA key size.
Source: Plug And Trust MW documentation, Release v02,14,00 (Apr 03, 2020)
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| b68aca61 | 24-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Check for CKA_PRIVATE when creating objects
PKCS#11 Specification[1] states that Private session/token objects cannot be created in Public sessions. So, add a check for access type when creating objects.
[1] PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40 (Table 3 - ACCESS TO DIFFERENT TYPES OBJECTS BY DIFFERENT TYPES OF SESSIONS)
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 12f1ba86 | 24-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix error returned
When trying to access an object of type CKA_PRIVATE without logging in, the error returned should be PKCS11_CKR_USER_NOT_LOGGED_IN.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 6754fa79 | 27-Dec-2020 |
Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> |
mk/compile.mk: Fix handling of '+' in path for generated include guards
When building with bitbake with gitpkgv class git revision details have '+' as delimiter.
Version details appear in path and this causes the following warnings during the OP-TEE OS build:
In file included from core/arch/arm/kernel/entry_a64.S:11:
/build/.../optee-os/devel+gitrAUTOINC+e97c83bd6f-r0/build.zcu102/core/include/generated/asm-defines.h:1:123: warning: extra tokens at end of #ifndef directive
1 | #ifndef _build_..._optee_os_devel+gitrAUTOINC+e97c83bd6f_r0_build_zcu102_core_include_generated_asm_defines_h
| ^
/build/.../optee-os/devel+gitrAUTOINC+e97c83bd6f-r0/build.zcu102/core/include/generated/asm-defines.h:2:9: warning: missing whitespace after the macro name
2 | #define _build_..._optee_os_devel+gitrAUTOINC+e97c83bd6f_r0_build_zcu102_core_include_generated_asm_defines_h
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reviewed-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 90c47fe2 | 22-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Use get_attribute_ptr() instead of get_attribute()
When just trying to determine if an attribute is present in the list or not without requiring the actual value of the attribute, using get_attribute_ptr() is better as it is more light-weight than its counterpart get_attribute().
Suggested-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 4cfce748 | 21-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add class_id in create_attributes_from_template()
Add a parameter to pass pkcs11_class_id. The parameter will be used when attributes need to be created for a template supporting public or private class key. It is unused for now.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| dcad3409 | 18-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add class and type hint in sanitize_client_object()
Specification allows one to pass templates while generating key/keypair where class and type may be omitted from the template. In such cases, pass class and type as hint in sanitize_client_object() so that they can be added in the attribute list being prepared.
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 70c78a55 | 17-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix for CKA_KEY_GEN_MECHANISM in create_attributes_from_template()
CKA_KEY_GEN_MECHANISM attribute is not added in the attribute list (attrs) from the template (temp) when a key object is created as it doesn't fall in mandatory/optional attribute. So, error checking for this attribute should be done on the original source template(temp) and not the attribute list(attrs) in create_attributes_from_template().
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| ff65c72a | 17-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix for CKA_LOCAL in create_attributes_from_template()
CKA_LOCAL attribute is not added in the attribute list (attrs) from the template (temp) when a key object is created as it doesn't fall in mandatory/optional attribute. So, error checking for this attribute should be done on the original source template(temp) and not the attribute list(attrs) in create_attributes_from_template().
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| fa247a2a | 10-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Add support for Key Generation
Adds support of mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN, PKCS11_CKM_AES_KEY_GEN for key generation API.
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| 4cbb7eac | 07-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Define TA mechanisms for Key Generation
Adds the mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN in enum pkcs11_mechanism_id.
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| d09e2463 | 07-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Define command for Key Generation
Add command PKCS11_CMD_GENERATE_KEY in enum pkcs11_ta_cmd.
Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org> Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
|
| d541c4fa | 18-Dec-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
shippable: imx8mm/imx6ull: add plug and trust support
Validates the different SE050 configuration options with the Plug And Trust library on arm64 and arm.
This will be useful to avoid regressions when multiple crypto drivers are enabled.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| d1d44372 | 11-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Fix the error code returned
While generating a key of type PKCS11_CKO_SECRET_KEY, if CKA_VALUE_LEN field is not specified in the attribute template, the error returned needs to be PKCS11_CKR_TEMPLATE_INCOMPLETE.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 5440719d | 11-Dec-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Temporary workaround in sanitize_indirect_attr()
Since the type of key to be generated is implicit in the key generation mechanism, the template does not need to supply a key type or class. (CKA_CLASS and CKA_KEY_TYPE attributes). sanitize_indirect_attr() expects these attributes to be available else gives an error.
The right way of handling this would be perhaps passing a hint of the class and key type to this function if key is being generated using key generated mechanisms. However, we don't have support for wrap/derive key which uses the indirect attributes at present in the code. So, we would not be able to test it. For now, just move the class checking after the attribute checking which helps avoid this error.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| 145ae446 | 02-Dec-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
Use barrier_read_cntpct() to read CNTPCT
Arm ARM quite clearly mentions [1] [2] that such reads must be preceded by an ISB to forbid re-ordering.
[1] https://developer.arm.com/documentation/ddi0487/fc/ page D13-2863 "Synchronization requirements for AArch64 System registers" and page G8-6146 "Ordering of reads of System registers". [2] https://developer.arm.com/documentation/ddi0406/cd/ page B3-1441 "Ordering of reads of system control registers"
Reviewed-by: Jerome Forissier <jerome@forissier.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reported-by: Olivier Deprez <Olivier.Deprez@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 739fd3ab | 15-Dec-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
libutee: add isb() and barrier_read_cntpct()
Adds isb() and barrier_read_cntpct() to arm_user_sysreg.h, the latter to be used as a helper when reading CNTPCT.
Reviewed-by: Jerome Forissier <jerome@forissier.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|