History log of /optee_os/ (Results 4301 – 4325 of 8578)
Revision Date Author Comments
b6ca7e5d 10-Feb-2021 Alexander Zakharov <uglym8@gmail.com>

core: libmbedtls: add 3DES CMAC implementation

Add 3DES CMAC (NIST SP800-38B).

Signed-off-by: Alexander Zakharov <uglym8@gmail.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
[jf: add commit description]
Signed-off-by: Jerome Forissier <jerome@forissier.org>

f44a7a58 04-Feb-2021 Etienne Carriere <etienne.carriere@linaro.org>

ta: pkcs11: fix TEE identity authentication token reference

Correct token reference passed to verify client credentials.

Fixes: 1a27b197 ("ta: pkcs11: Add TEE Identity based authentication support")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ruchika Gupta <ruchika.gupta@linaro.org>

df017b2b 10-Feb-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: forbid change of CKA_PRIVATE from true to false on object copy

In C_CopyObject(), forbid copying of an object with a template
which attempts to change the attribute CKA_PRIVATE from true to false.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

bc09507c 09-Feb-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add support for copying objects

Implement command PKCS11_CMD_COPY_OBJECT.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

2d25a9bc 09-Feb-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

ta: pkcs11: Add support for modifying objects

Implement command PKCS11_CMD_SET_ATTRIBUTE_VALUE.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

93e678ed 24-Sep-2020 Clement Faure <clement.faure@nxp.com>

drivers: dcp: add DCP support

The Data Co-Processor (DCP) provides hardware acceleration for
cryptographic algorithms. The features of DCP are:
- AES128 ECB and CBC
- SHA1, SHA256
- AES128-CMAC algorithm
- SRAM key storage
- HUK generation

This driver adds DCP support for the following platforms:
- imx6slevk
- imx6sllevk
- imx6ullevk
- imx6ulzevk

Signed-off-by: Remi Koman <remi.koman@nxp.com>
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

ce97b399 12-Jun-2020 Clement Faure <clement.faure@nxp.com>

drivers: csu: enable DCP protection

Enable DCP protection in the CSU for the following platforms:
- imx6slevk
- imx6sllevk
- imx6ullevk
- imx6ulzevk

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

ec64f5ab 16-Jul-2020 Clement Faure <clement.faure@nxp.com>

core: add dcache_get_line_size() function

Add dcache_get_line_size() function to get cache line size for ARM32 and
ARM64 platforms.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

d73a6eb3 09-Feb-2021 Jens Wiklander <jens.wiklander@linaro.org>

core: clarify tlbi_mva_range()

Clarifies tlbi_mva_range() with a full description of the interface at
the declaration of the function. The supplied VA range must be aligned
on the supplied granularity.

The implementation is updated to take full advantage of this restriction
together with an additional assert.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

0f04594c 05-Feb-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: crypto: se050: Global Platform SCP03 key provisioning

Remove the need to store the SCP03 keys by deriving them from the HUK
and the SE050 unique hardware identifier.

Works under the assumption that the HUK is unknown and never exposed
outside the TEE.

CFG_CORE_SE05X_SCP03_PROVISION
Needs to be configured to exec the feature.

CFG_CORE_SE05X_DISPLAY_SCP03_KEYS:
Outputs the current and the new SCP03 keys to the console during
provisioning.

Note that to provision new SCP03 keys, SCP03 must already be in
operation (i.e., have an encrypted communication channel between the
processor and the SE050).

Tested on imx8mm EVK.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

89739a90 09-Feb-2021 Jens Wiklander <jens.wiklander@linaro.org>

core: remove deprecated core_tlb_maintenance()

Removes the deprecated and unused function core_tlb_maintenance().

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

1c2924e5 04-Feb-2021 Sahil Malhotra <sahil.malhotra@nxp.com>

core: ls: lx2160aqds: get GIC base address from dtb

CFG_EMBED_DT option is enabled by default for LX2160A-QDS
GIC base address was hardcoded for LX2160A-QDS,
now will get the base address from dtb file.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

9b4c50be 04-Feb-2021 Sahil Malhotra <sahil.malhotra@nxp.com>

core: dts: add DTS files for LX2160A-RDB

Add dts file for LX2160A-QDS Platform.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

1a121401 03-Jun-2020 Manish Tomar <manish.tomar@nxp.com>

core: ls: add LX2160A-QDS platform

Add support for Layerscape® LX2160A-QDS from NXP.
Dynamic shared memory is also enabled.

Signed-off-by: Manish Tomar <manish.tomar@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

a10b1b23 03-Feb-2021 Sahil Malhotra <sahil.malhotra@nxp.com>

core: ls: lx2160ardb: get GIC base address from dtb

CFG_EMBED_DT option is enabled by default for LX2160A-RDB
GIC base address was hardcoded for LX2160A-RDB,
now will get the base address from dtb file.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

04f3ad1b 22-May-2020 Ruchika Gupta <ruchika.gupta@nxp.com>

core: ls: Remove GIC initialization for ARM-TF based platforms

On ARMv8, GIC configuration is initialized in ARM-TF

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

49687a34 08-May-2020 Sahil Malhotra <sahil.malhotra@nxp.com>

core: dts: add DTS files for LX2160A-RDB

LX2160A-RDB will be compiled with Embedded DTB support.
Add dts file for LX2160A-RDB Platform.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

a8a14b78 24-Apr-2020 Ruchika Gupta <ruchika.gupta@nxp.com>

core: ls: lx2160ardb: Add regions for dynamic shared memory

To enable use of dynamic shared memory, DDR regions
need to be added in the platform MMU map.

Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

e989a6c4 01-Feb-2021 Sahil Malhotra <sahil.malhotra@nxp.com>

console: lx2160A: fix uart clock and baud rate

Currently there are garbled messages from OP-TEE due to
assumption that platform clock is always 700MHz. This is
not correct as LX2 supports variable platform frequency.
It could be one of the 600, 650, 700, 750 MHz based on
the RCW configuration.

Ideally OPTEE should read RCW registers from Global Utilities
Register block and derive the uart clock based on platform pll
frequency. But there is no need for this as Baud Rate is already
configured in PL011 by the previous boot stages in TF-A.
This fix calls pl011_init() with zero for baud rate => It won't be
reinitialized in OP-TEE.

Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

df580f57 04-Feb-2021 Jens Wiklander <jens.wiklander@linaro.org>

core: fix icache_inv_user_range()

Prior to this patch with CFG_WITH_PAGER=y, CFG_WITH_LPAE=y and
CFG_CORE_UNMAP_CORE_AT_EL0=n icache_inv_user_range() crashes with a
prefetch abort due to TTBR0 being configured with an invalid value.
This happens due to an error in the ifdef logic using an uninitialized
register.

Fix this by using the correct register.

Fixes: c4a57390edef ("core: pager: use icache_inv_user_range()")
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

c84eee63 27-Jan-2021 Jerome Forissier <jerome@forissier.org>

core: add support for SM2 using MBed TLS

The SM2 algorithms (PKE, KEP and DSA) are currently implemented using
LibTomCrypt. They are automatically disabled when MBed TLS is selected
as the core crypto library (that is, when CFG_CRYPTOLIB_NAME=mbedtls
CFG_CRYPTOLIB_DIR=lib/libmbedtls).

This commit removes this restriction by porting the relevant files
(core/lib/libtomcrypt/sm2-{dsa,kep,pke}.c) over to the MBed TLS API in
lib/libmbedtls/core.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

7e35937a 25-Jan-2021 Jerome Forissier <jerome@forissier.org>

core: crypto: sm2: do not panic core if key allocation fails

During SM2 key derivation via syscall_cryp_derive_key(), if
crypto_acipher_alloc_ecc_public_key() fails for whatever reason in
get_sm2_kep_params(), peer_key and/or peer_eph_key are left in an invalid
state and it is incorrect to call crypto_acipher_free_ecc_public_key()
in this case. Doing so causes a core panic:

E/TC:? 0 assertion 'key->ops && key->ops->free' failed at core/crypto/crypto.c:702 <crypto_acipher_free_ecc_public_key>
E/TC:1 0 Panic at core/kernel/assert.c:28 <_assert_break>

Fix the get_sm2_kep_params() cleanup code to avoid this situation.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

9fc2442c 22-Jan-2021 Jerome Forissier <jerome@forissier.org>

libmbedtls: add SM2 curve

When MBEDTLS_ECP_DP_SM2_ENABLED is set, adds support for the ECC curve
defined for the Chinese SM2 algorithm (G/MT 0003 Part 5, [1]).

Link: [1] http://www.gmbz.org.cn/upload/2018-07-24/1532401863206085511.pdf
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

1e149c24 21-Jan-2021 Jerome Forissier <jerome@forissier.org>

core: ltc: move sm2_kdf() to common core/crypto/sm2-kdf.c

The key derivation function sm2_kdf() is a helper function used by SM2
KEP (Key Exchange Protocol) and PKE (Private Key Encryption). It is
currently implemented in core/lib/libtomcrypt/sm2_kdf.c, next to the SM2
source code based on LibTomCrypt.

In order to provide an MBed TLS implementation of SM2, the helper
function shall be outside the LibTomCrypt directory. Move it to
core/crypto/sm2-kdf.c.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

a1d0f5d2 02-Feb-2021 Jerome Forissier <jerome@forissier.org>

libutee: sockets: drop useless & before function names

There is no need to use & on a function name to obtain the function
address. Drop the useless & characters.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
