core: dt: fix inline description for _fdt_get_status()

Fix _fdt_get_status() inline desciption comment as the function
never returns a negative value reporting some kind of error case.

Signed-off-b

core: dt: fix inline description for _fdt_get_status()

Fix _fdt_get_status() inline desciption comment as the function
never returns a negative value reporting some kind of error case.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: lpae: allocate one more translation table for ASLR

Depending on the ASLR seed, the MMU code may run out of translation
tables and panic. For instance with seed = 0x71dfb000 in init_mem_map()
t

core: lpae: allocate one more translation table for ASLR

Depending on the ASLR seed, the MMU code may run out of translation
tables and panic. For instance with seed = 0x71dfb000 in init_mem_map()
the following crash is reproducible:

D/TC:0 core_mmu_entry_to_finer_grained:761 xlat tables used 7 / 7
...
D/TC:0 tee_entry_exchange_capabilities:102 Dynamic shared memory is enabled
E/TC:0 0 Panic 'Failed to spread pgdir on small tables' at core/arch/arm/mm/core_mmu.c:1739 <core_mmu_map_pages>
E/TC:0 0 TEE load address @ 0x7fefb000
E/TC:0 0 Call stack:
E/TC:0 0 0x000000007ff06688 print_kernel_stack at optee_os/core/arch/arm/kernel/unwind_arm64.c:79
E/TC:0 0 0x000000007ff13d24 __do_panic at optee_os/core/kernel/panic.c:24
E/TC:0 0 0x000000007ff083d8 core_mmu_map_pages at optee_os/core/arch/arm/mm/core_mmu.c:1719
E/TC:0 0 0x000000007ff0cf8c mobj_reg_shm_inc_map at optee_os/core/arch/arm/mm/mobj_dyn_shm.c:200
E/TC:0 0 0x000000007ff0d5a0 mobj_inc_map at optee_os/core/arch/arm/include/mm/mobj.h:92
E/TC:0 0 0x000000007ff03960 map_cmd_buffer at optee_os/core/arch/arm/kernel/thread_optee_smc.c:128

Fix the issue by allocating one more translation table when CFG_ASLR=y.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Bad assert in fat_entry_dir_update()

Fix an assert in fat_entry_dir_update() that always fires when updating
fat entries other than the first element in the cache.

Signed-off-by: Neil Shipp <

core: Bad assert in fat_entry_dir_update()

Fix an assert in fat_entry_dir_update() that always fires when updating
fat entries other than the first element in the cache.

Signed-off-by: Neil Shipp <neilsh@microsoft.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

Makefile: sort in-tree TAs in lexical order

The Makefile function $(wildcard ...) may return matching files in any
order. Therefore the "make" command is not guaranteed to always produce
the same se

Makefile: sort in-tree TAs in lexical order

The Makefile function $(wildcard ...) may return matching files in any
order. Therefore the "make" command is not guaranteed to always produce
the same sequence of commands when building the in-tree TAs. This could
be inconvenient when troubleshooting build errors in different
environments for instance.
In order to produce predictable builds, sort the in-tree TA makefiles in
lexical order.

Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: include parity in DES/DES3 key sizes

Update from GP 1.0 the parity bits are now included in the DES and DES3
key sizes. This is an incompatible change where 56, 112 and 168 key sizes
are repla

core: include parity in DES/DES3 key sizes

Update from GP 1.0 the parity bits are now included in the DES and DES3
key sizes. This is an incompatible change where 56, 112 and 168 key sizes
are replaced with 64, 128 and 192 respectively.

This changes the ABI in a way that it's not enough even to recompile the
TA. In order to maintain backwards compatibility the configuration flag
CFG_COMPAT_GP10_DES is introduced (default y). The presence of the
parity bits is autodetected and this update is transparent to a TA which
hasn't been updated.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_asymm_verify(): accurate DSA parameter check

A comment in syscall_asymm_verify() reads:
"Depending on the DSA algorithm (NIST), the digital signature output
size may be truncated to th

core: syscall_asymm_verify(): accurate DSA parameter check

A comment in syscall_asymm_verify() reads:
"Depending on the DSA algorithm (NIST), the digital signature output
size may be truncated to the size of a key pair (Q prime size). Q prime
size must be less or equal than the hash output length of the hash
algorithm involved."

Instead of just assuming that Q size is small when data length is
smaller than the hash, check that it's the case also. Don't allow data
length smaller than both hash size and Q size.

Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Provide TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC

Provides TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC which are defined
already in GP v1.0 [1] and also expected in GP v1.1 [2]. The old
TEE_ATTR

Provide TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC

Provides TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC which are defined
already in GP v1.0 [1] and also expected in GP v1.1 [2]. The old
TEE_ATTR_BIT_VALUE and TEE_ATTR_BIT_PROTECTED are kept for backwards
compatibility for now.

[1]: GlobalPlatform TEE Internal API Specification v1.0
[2]: GlobalPlatform TEE Internal Core API Specification v1.1

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use C locale when generating the build date

The build date included in the version string depends on the current
locale (language), which is not very good. Force LANG=C so that english
abbrevi

core: use C locale when generating the build date

The build date included in the version string depends on the current
locale (language), which is not very good. Force LANG=C so that english
abbreviations are used for the day and month.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

libutils: do not redefine ARRAY_SIZE

Do not redefine ARRAY_SIZE if it is already defined

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@lina

libutils: do not redefine ARRAY_SIZE

Do not redefine ARRAY_SIZE if it is already defined

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

drivers: imx_i2c: early_init

When i2c SE elements (crypto providers) are enabled, the driver
requires early initialization. This should be made the default
scenario for drivers with this use case

S

drivers: imx_i2c: early_init

When i2c SE elements (crypto providers) are enabled, the driver
requires early initialization. This should be made the default
scenario for drivers with this use case

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: configuration switches to tune stack sizes

Enabling certain configuration options might increase the TMP and
THREAD stack requirements.

This commit defines CFG_ options so that the sizes of t

core: configuration switches to tune stack sizes

Enabling certain configuration options might increase the TMP and
THREAD stack requirements.

This commit defines CFG_ options so that the sizes of those two stacks
can be fine tuned at build time.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

libutee: fix TEE_GetOperationInfoMultiple()

The size parameter passed to TEE_GetOperationInfoMultiple() tells the
size of the op_info buffer. The maximum number of keys which can be
contained in the

libutee: fix TEE_GetOperationInfoMultiple()

The size parameter passed to TEE_GetOperationInfoMultiple() tells the
size of the op_info buffer. The maximum number of keys which can be
contained in the struct can be calculated from this size parameter.

Prior to this patch is was assumed that the caller by this specified the
exact number of keys to report. This is not correct as the size
parameter is only the upper limit. Fix this by instead figuring out how
many keys (one or two) needs to be returned and after that check if the
buffer is large enough.

Fixes: 05304565f188 ("GP11 : TEE_GetOperationInfoMultiple")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix TEE_SetOperationKey() and TEE_SetOperationKey2()

Supplying TEE_HANDLE_NULL instead of a valid key handle is supposed to
clear an eventual already present key from the operation handle a

libutee: fix TEE_SetOperationKey() and TEE_SetOperationKey2()

Supplying TEE_HANDLE_NULL instead of a valid key handle is supposed to
clear an eventual already present key from the operation handle and
return TEE_SUCCESS. Prior to this patch the key(s) where halfway cleared
and then functions panicked with TEE_ERROR_BAD_PARAMETERS. So fix this.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_GetOperationInfo() v1.1 update

In the v1.1 specification [1] TEE_GetOperationInfo() is required to set
keySize and requiredKeyUsage to 0 if TEE_HANDLE_FLAG_EXPECT_TWO_KEYS is
set in han

libutee: TEE_GetOperationInfo() v1.1 update

In the v1.1 specification [1] TEE_GetOperationInfo() is required to set
keySize and requiredKeyUsage to 0 if TEE_HANDLE_FLAG_EXPECT_TWO_KEYS is
set in handleState.

This is a clarification compared to the v1.0 [2] specification where
nothing special was noted for those fields when
TEE_HANDLE_FLAG_EXPECT_TWO_KEYS is set.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
[2]: GlobalPlatform TEE Internal API Specification v1.0
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check that certain object attributes are consistent with max key size

When populating a crypto object check that certain attributes are
consistent with maximum key size. For example the attrib

core: check that certain object attributes are consistent with max key size

When populating a crypto object check that certain attributes are
consistent with maximum key size. For example the attribute
TEE_ATTR_DSA_PRIME must not have more significant bits than max key
size. All these attributes are flagged with TEE_TYPE_ATTR_BIGNUM_MAXBITS
and tee_svc_cryp_obj_populate_type() is updated as needed.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check that object attributes for current usage are relevant

When populating or generating a key the relevant attributes can differ.
Some attributes are parameters for the key generation.

Upda

core: check that object attributes for current usage are relevant

When populating or generating a key the relevant attributes can differ.
Some attributes are parameters for the key generation.

Updates tee_svc_cryp_check_attr() and object type descriptions to be
accurate.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check max key size when populating object

Checks that attributes are within the bounds defined by the max key size
which was supplied when the object was allocated.

Acked-by: Etienne Carriere

core: check max key size when populating object

Checks that attributes are within the bounds defined by the max key size
which was supplied when the object was allocated.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix calculation of DES key size

Prior to this patch was the parity bits included when calculating the
key size for DES keys. Fix this by subtracting the parity bits.

Acked-by: Etienne Carrier

core: fix calculation of DES key size

Prior to this patch was the parity bits included when calculating the
key size for DES keys. Fix this by subtracting the parity bits.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_obj_get() return TEE_ERROR_BAD_STATE

Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object
reference can't be found. This will allow the GP TA API to panic the
caller as requi

core: tee_obj_get() return TEE_ERROR_BAD_STATE

Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object
reference can't be found. This will allow the GP TA API to panic the
caller as required in the GP spec [1].

[1] GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_obj_generate_key() check public rsa exponent

The v1.1 spec [1] requires that the NIST SP800-56B [2] rules to be
followed when generating an RSA key.

Adds a check when generating a RSA

core: syscall_obj_generate_key() check public rsa exponent

The v1.1 spec [1] requires that the NIST SP800-56B [2] rules to be
followed when generating an RSA key.

Adds a check when generating a RSA key that the supplied exponent confirms
with the requirements in NIST SP800-56B, thas is, the key must be odd and
in the range 65537 <= e < 2^256.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Link [2]: https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects

GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So
update syscall_cryp_obj_alloc() accordingly.

[1]: G

core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects

GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So
update syscall_cryp_obj_alloc() accordingly.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_AllocateOperation(): digest operations must have 0 max key size

Make sure that the "maxKeySize" parameter supplied to
TEE_AllocateOperation() is 0 for digest operations since they don't

libutee: TEE_AllocateOperation(): digest operations must have 0 max key size

Make sure that the "maxKeySize" parameter supplied to
TEE_AllocateOperation() is 0 for digest operations since they don't
accept any keys.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix TEE_CloseAndDeletePersistentObject1() with TEE_HANDLE_NULL

Fixing TEE_CloseAndDeletePersistentObject1() to return TEE_SUCCESS if
called with TEE_HANDLE_NULL as required in the v1.1 spec

libutee: fix TEE_CloseAndDeletePersistentObject1() with TEE_HANDLE_NULL

Fixing TEE_CloseAndDeletePersistentObject1() to return TEE_SUCCESS if
called with TEE_HANDLE_NULL as required in the v1.1 specification [1]
where the function was introduced.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: dt: discover_nsec_memory(): consider only non-secure memory

QEMU has a /secram@e000000 DT node with secure-status = "okay" and
status = "disabled", in other words: some secure-only memory is
d

core: dt: discover_nsec_memory(): consider only non-secure memory

QEMU has a /secram@e000000 DT node with secure-status = "okay" and
status = "disabled", in other words: some secure-only memory is
described in the DT. Memory that is not accessible from non-secure
world should not be added to the nsec map. Unfortunately, the commit
referenced below inadvertently added such memory, resulting in a panic
on boot:

I/TC: Non-secure external DT found
E/TC:0 0 check_phys_mem_is_outside:332 Non-sec mem (0xe000000:0x100000) overlaps map (type 14 0xe000000:0x100000)
E/TC:0 0 Panic at core/arch/arm/mm/core_mmu.c:336 <check_phys_mem_is_outside>

Change the DT status test to consider only memory accessible from non-
secure and secure world. Also, rename a couple of functions to make their
purpose clear.

Fixes: 721619e8890e ("core: Parse all memory DT nodes")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat: rcar: Enable parsing DT from TFA

Enable support for reading and processing DT passed in by TFA,
this is useful to read out the DRAM configuration and layout.

Signed-off-by: Marek Vasut <marek

plat: rcar: Enable parsing DT from TFA

Enable support for reading and processing DT passed in by TFA,
this is useful to read out the DRAM configuration and layout.

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...