| df00cf59 | 06-Oct-2020 |
Cedric Neveux <cedric.neveux@nxp.com> |
core: crypto: add struct crypto_ecc_[public/keypair]_ops
In order to enable one ECC HW driver and one ECC SW library at build and runtime, introduces struct crypto_ecc_public_ops and struct crypto_ecc_keypair_ops respectively to the struct ecc_public_key and struct ecc_keypair.
At key (public/keypair) allocation, the HW driver is first called and if key type/size not supported, the SW library is then called. When key is allocated with success, the key->ops is set with the cryptographic functions pointer to call when using keys to:
- Generate keypair
- Sign with keypair
- Shared secret with keypair
- Verify with public key
- Free public key
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 521aacf1 | 10-Nov-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: fix secure partition TA context
Fix secure partition invocation in tee_ta_manager.c. The TA context instance is found in the secure partition context (as here *_stmm_ctx()), instead of the trusted service context as for regular TAs and PTAs.
This change moves to_ta_session() from header file to source file so that is_stmm_ctx() is visible and can be asserted.
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| b3d204fa | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
drivers: caam: use do_free_keypair() instead of open-coding
There is a function to free an RSA keypair, use it instead of duplicating the code.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 6eaf556a | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
drivers: caam: do_free_keypair(): add missing free for key->dq
The do_free_keypair() function lacks a call to crypto_bignum_free() for the dq member of the key. Add it.
Fixes: a1d5c81f8834 ("crypto: add function to free rsa keypair") Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 1ab1ebd8 | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
core: libmbedtls: use crypto_acipher_free_rsa_keypair() instead of open-coding
There is a function to free an RSA keypair, use it instead of duplicating the code.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 5118efbe | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
core: libmbedtls: crypto_acipher_free_rsa_keypair(): add missing free for s->dq
The crypto_acipher_free_rsa_keypair() function lacks a call to crypto_bignum_free() for the dq member of the key. Add it.
Fixes: a1d5c81f8834 ("crypto: add function to free rsa keypair") Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 92e38694 | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
core: ltc: use crypto_acipher_free_rsa_keypair() instead of open-coding
There is a function to free an RSA keypair, use it instead of duplicating the code.
Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 85f7c554 | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
core: ltc: crypto_acipher_free_rsa_keypair(): add missing free for s->dq
The crypto_acipher_free_rsa_keypair() function lacks a call to crypto_bignum_free() for the dq member of the key. Add it.
Fixes: a1d5c81f8834 ("crypto: add function to free rsa keypair") Signed-off-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 16c8ce9c | 12-Nov-2020 |
Jerome Forissier <jerome@forissier.org> |
hikey: increase CFG_CORE_HEAP_SIZE from 64 to 72 KB
HiKey 620 uses the default core heap size which is 64 KB. This seems to be a bit small now and the likely reason of some IBART failures [1]:
  2833: regression_6018.2 OK
  2834: o regression_6018.3 Storage id: 80000100
  [...]
  2846: E/TC:? 0 TA panicked with code 0xffff000c
Increase the size to 72 KB.
Link: [1] https://optee.mooo.com:5000/logs/OP-TEE/build/441/518642707/65112f06d1ffdd93762acdd1d8a8a06e9bebdd1d Signed-off-by: Jerome Forissier <jerome@forissier.org>
|
| e3603bde | 27-Oct-2020 |
Balint Dobszay <balint.dobszay@arm.com> |
core: move non TA specific fields from user_ta_ctx
Moves fields from user_ta_ctx to user_mode_ctx, which are not specific to user TAs. This is needed to prepare for handling Secure Partitions, user_mode_ctx will be the common ground for the fields used by both TAs and SPs.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
| 486d6e39 | 27-Oct-2020 |
Balint Dobszay <balint.dobszay@arm.com> |
core: extract ldelf related code from user_ta.c
Moves ldelf functionality from user_ta.c to a separate file. This is the first step for decoupling ldelf from user TAs.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
| b351c689 | 06-Nov-2020 |
Balint Dobszay <balint.dobszay@arm.com> |
core: pass user_mode_ctx to thread_user_clear_vfp()
Changes the parameter type of thread_user_clear_vfp() to struct user_mode_ctx. This makes using the function more convenient, now it doesn't have to be surrounded with conditional directives on each use.
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
|
| e2cf992d | 27-Oct-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: imx_i2c: move utility macros
Move I2C utility macros (driver specific) from SoC specific register definition files to the driver.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 6923dd89 | 23-Oct-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: imx_i2c: get base addresses from device tree
Enable device tree support.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 8e58c34a | 23-Oct-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: imx_i2c: enable the driver when not all three buses are ready
Allow the driver to operate even though not all three buses might have been configured.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| d156989a | 23-Oct-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: imx_i2c: add support for imx6ull
Support native I2C access on imx6ull (this SoC has an additional register - compared to the imx8mm - to configure the daisy chain in the iomuxc).
A patch [1] has been sent to U-boot to address their current release as of Oct 23, 2020 - where the peripheral clock is still set to 66MHz instead of 24MHz.
Tested on imx6ull-evk 14x14 with the bus at 400Kbps.
[1] https://lists.denx.de/pipermail/u-boot/2020-October/430482.html
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 14371509 | 01-Nov-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: imx_i2c: prepare for imx6ull support
Improve code readability before adding support for more platforms.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 6a760c9e | 03-Nov-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
ta: pkcs11: fix error handling when reading ALLOWED_MECHANISMS list
If parent_key_complies_allowed_processings() cannot return a clear status on the mechanism IDs allowed by a key object, then something is broken. This cannot happen hence panic.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 27024524 | 03-Nov-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
ta: sks: stringify error core KEY_SIZE_RANGE
Add string converter for PKCS11_CKR_KEY_SIZE_RANGE that can be returned by check_created_attrs().
Actually check_created_attrs() is currently never called. It is however intended to key/object wrapping, derivation and generation.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 17ee31f8 | 03-Nov-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
ta: pkcs11: CKA_SIGN and CKA_VERIFY default to empty
Change CKA_SIGN and CKA_VERIFY attributes default value to false as other keys cryptography processing support boolean attributes. No reason only sign and verify support default to true.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 39fc24fa | 03-Nov-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
ta: pkcs11: fix for spec WRAP_WITH_TRUSTED/ALWAYS_AUTHENTICATE defaults
Set PKCS11_CKA_WRAP_WITH_TRUSTED and PKCS11_CKA_ALWAYS_AUTHENTICATE default values in the static values list of the specification. No functional change.
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 4eb88651 | 29-Oct-2020 |
Ruchika Gupta <ruchika.gupta@linaro.org> |
ta: pkcs11: Handle optional attributes without default values
In the current implementation all optional attributes of an object if not specified in the template while creating object, are assigned empty value by default. This works fine for the attributes where specification mentions that default value is empty or the attribute is modifiable later.
However for attributes like CKA_ALLOWED_MECHANISM, adding an empty default value results in a failure later in crypto operations when attribute of the object are checked against the mechanism.
To avoid such errors, the optional attributes array are split in 2 parts, one with the default empty value and ones which don't require a default value. All attributes in the specification which either should have default empty value or are allowed to be modified later by call to C_SetAttributes() or C_CopyObjects() would fall in the former category and be initialized with empty/NULL value.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
|
| dea46be3 | 06-Oct-2020 |
Jelle Sels <jelle.sels@arm.com> |
core: add secure partitions store
SPs need to be started as part of the initialisation process of the OP-TEE kernel. The secure partition store uses the embedded_ts store to load SPs
Signed-off-by: Jelle Sels <jelle.sels@arm.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| b43095e4 | 21-Oct-2020 |
Jelle Sels <jelle.sels@arm.com> |
core: move early_ta implementation to embedded_ts
Early_ta's are similar to embedded SPs. Move all shared logic to the embedded_ts.
Signed-off-by: Jelle Sels <jelle.sels@arm.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 880d8d8e | 06-Oct-2020 |
Jelle Sels <jelle.sels@arm.com> |
core: create embedded_ts
Create an embedded ts struct which will encapsulate both early_ta's and embedded SPs.
Signed-off-by: Jelle Sels <jelle.sels@arm.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jerome Forissier <jerome@forissier.org>
|