core: Parse all memory DT nodes

The current code for parsing /memory* DT nodes does not work at all
on systems with multiple memory nodes. The code cannot handle e.g.

/ {
memory@480000000 {
r

core: Parse all memory DT nodes

The current code for parsing /memory* DT nodes does not work at all
on systems with multiple memory nodes. The code cannot handle e.g.

/ {
memory@480000000 {
reg = <0x00000000 0x48000000 0x00000000 0x78000000>;
device_type = "memory";
};
memory@600000000 {
reg = <0x00000006 0x00000000 0x00000000 0x80000000>;
device_type = "memory";
};
};

This patch fixes the code such that it iterates over all enabled
memory nodes instead of reading out the first /memory node only.
The code iterates over the DT twice, which is faster than constant
calls to realloc() to allocate more entries in core_mmu_phys_mem().

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: dt: Repair type in _fdt_reg_size()

The function returns ssize_t , while DT_INFO_INVALID_REG is paddr_t,
fix the type.

Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-of

core: dt: Repair type in _fdt_reg_size()

The function returns ssize_t , while DT_INFO_INVALID_REG is paddr_t,
fix the type.

Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

GP 1.1: Check parameters annotated in the specification

Checks that all the function parameters which are annotated in the
specification [1] are compliant with regards to memory access and memory
lo

GP 1.1: Check parameters annotated in the specification

Checks that all the function parameters which are annotated in the
specification [1] are compliant with regards to memory access and memory
location. In case the check fails the TA panics to help debugging. The
more precise and expensive checks can be disabled with
CFG_TA_STRICT_ANNOTATION_CHECKS=n.

TEE_Realloc(), TEE_MemMove(), TEE_MemCompare(), TEE_MemFill() are
skipped for performance reasons. The TA will instead die with a fatal
exception if buffers supplied to these functions do not follow the
annotation rules.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the
description of API functions to among other things describe which kind

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the
description of API functions to among other things describe which kind
of memory a buffer is required to reside in. It could be readable,
writeable, in shared memory in TA private memory.

The following syscalls are updated with slightly stricter checks with
regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV

In order for tee_mmu_check_access_rights() to be able to identify ldelf
mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This
is ne

core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV

In order for tee_mmu_check_access_rights() to be able to identify ldelf
mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This
is needed for the more strict check of the memory location of ret_orig
in syscall_open_ta_session() and syscall_invoke_ta_command().

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions which checks that the user
mode buffer resides in TA private memory and not non-secure shared
memory for instance.

Rev

core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions which checks that the user
mode buffer resides in TA private memory and not non-secure shared
memory for instance.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: fix build warning

Compiler warns about comparison of integer expressions of different
signedness. This causes build failures when error on warning is enabled.

Signed-off-by: Jorge Ra

drivers: caam: fix build warning

Compiler warns about comparison of integer expressions of different
signedness. This causes build failures when error on warning is enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

scripts/sign_encrypt.py: add flags for the signing algorithm

+ Update the sign_encrypt.py so that it can choose the signing algorithm
between PSS and PKCS#1.5.
+ Convert the if/else into a try/exc

scripts/sign_encrypt.py: add flags for the signing algorithm

+ Update the sign_encrypt.py so that it can choose the signing algorithm
between PSS and PKCS#1.5.
+ Convert the if/else into a try/except for the signature check

Signed-off-by: Mingyuan Xiang <mingyuan@oxhainan.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias.vondaeniken@bluewin.ch>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: fix memset(), memcpy(), memmove() with -O3

When libutils is built with optimization -O3 (make CFG_CC_OPT_LEVEL=3),
memset() may cause infinite recursion. This bug was observed with GCC
8.3

libutils: fix memset(), memcpy(), memmove() with -O3

When libutils is built with optimization -O3 (make CFG_CC_OPT_LEVEL=3),
memset() may cause infinite recursion. This bug was observed with GCC
8.3 with QEMUv8. The reason is, at this optimization level the compiler
may decide to replace loops with calls to memset(), which is obviously
not valid when the loop is in the memset function itself. This behavior
can be turned off with -fno-tree-loop-distribute-patterns.

Therefore, add the appropriate build flag to memset.c. Note that a
similar fix was introduced in upstream newlib [1] but since it depends
on the newlib build script to detect compiler support, the patch is not
directly applicable. Instead $(call cc-option,...) is used here.

Although I have not observed any issue with memcpy() and memmove(),
upstream did apply the compiler flag to these functions too [1], [2],
which seems quite reasonable so do the same here.

Link: [1] https://github.com/bminor/newlib/commit/10e4d79a191f07999bc94b21535fba5d7c04f419
Link: [2] https://github.com/bminor/newlib/commit/82dfae9ab0734b9946321590162dc6021057fec1
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: memset(): add -O2 only if optimization is -Os

Commit 5b2aaa117eee ("libutee: optimize memcpy() for speed") added -O2
to memset.c to exclude the slower implementation which would be selecte

libutils: memset(): add -O2 only if optimization is -Os

Commit 5b2aaa117eee ("libutee: optimize memcpy() for speed") added -O2
to memset.c to exclude the slower implementation which would be selected
when level is -Os (in which case __OPTIMIZE_SIZE__ is defined).

Since the optimization level can now be selected globally with
CFG_CC_OPT_LEVEL, -O2 should not be forced unconditionally or it could
actually reduce the desired level (when CFG_CC_OPT_LEVEL=3).

Therefore, add -O2 only if the global optimization is -Os.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

|

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

| QEMUv8 | HiKey960 (A73 cores only)
-----+----------------+--------------------------
-O0 | 2m 54s, 2m 49s | 42.28s, 42.07s
-Os | 2m 03s, 2m 03s | 25.57s, 25.60s
-O2 | 1m 36s, 1m 35s | 24.01s, 23.93s

This commit introduces CFG_CC_OPT_LEVEL (default: s) which may be set to
0, s, 2 or any value accepted by the compiler. This gives better
flexibility to chose the best level depending on the use case.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: Fix fputs() when CFG_TEE_TA_LOG_LEVEL=0

When Optee OS is compiled with CFG_TEE_TA_LOG_LEVEL=0, Optee
test fails to compile properly:

arm-none-linux-gnueabihf-ld.bfd: libutils.a(fputs.o):

libutils: Fix fputs() when CFG_TEE_TA_LOG_LEVEL=0

When Optee OS is compiled with CFG_TEE_TA_LOG_LEVEL=0, Optee
test fails to compile properly:

arm-none-linux-gnueabihf-ld.bfd: libutils.a(fputs.o): in function `fputs':
fputs.c:15: undefined reference to `trace_ext_puts'
link.mk:109: recipe for target '5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.elf'
failed

fputs is referenced by libstdc++.a which is used by the os_test
TA for the C++ tests.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
afte

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
after exceptions unmask.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. All

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. Allow the
calling functions to specify the required alignment as a parameter
to vm_map_pad().

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

shippable: build secure partition code

A previous commit adds support for secure partition loading, acting
similarly to SPM in order to launch StandAloneMM.
Let's add this to shippable and make sure

shippable: build secure partition code

A previous commit adds support for secure partition loading, acting
similarly to SPM in order to launch StandAloneMM.
Let's add this to shippable and make sure the new code at least compiles
properly.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually e

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually exclusive, we can't run StMM from EDK2 and OP-TEE.
An advantage of doing so is that different firmware implementations
can leverage EDK2's StandAloneMM and in cooperation with OP-TEE RPMB
APIs can store UEFI variables in a secure storage.
This makes the variable storage quite generic in any device with an RPMB
partition.

Using a well debugged application is preferable over rewriting the whole
application as a TA. Another advantage is that this inherits the Fault
Tolerant Writes (FTW) functionality built-in on StMM to protect
variables against corruptions during writing. Considering the FFA
changes of the future Arm architectures using an SP that includes
everything seems like a better choice at the moment.
The 'SPM emulation' currently added into OP-TEE only supports
a single SP to be launched. This means that the StMM embedded
application has the RPMB driver built in at the moment. In the future we
can add code (evolving FFA) to launch multiple SPs. So the StMM variable
handling can be decoupled from the RPMB driver, which will reside in a
different SP.

So let's add a user mode secure partition context and support loading
"Standalone MM" of EDK2 into it. A separate syscall handling is added to
serve as different kind of ABI and syscall IDs. The secure partition has
a TA like interface towards normal world, but requests are routed into
the StMM partition instead.

CFG_STMM_PATH is assigned the path of BL32_AP_MM.fd, for instance:
CFG_STMM_PATH=...Build/QemuVirtMmStandalone/DEBUG_GCC5/FV/BL32_AP_MM.fd

Since this is quite tricky to compile and test you can use this [1].
Just clone the repo and run ./build.sh. The script will pick up edk2,
edk2-platforms, op-tee, atf and U-boot and compile all the necessary
binaries for QEMU. A patch (awful hack) has been added to U-boot to
allow RPMB emulation through it's supplicant, since QEMU RPMB emulation
is not yet available.
After compiling and launching QEMU the usual U-boot commands for EFI
variable management will store the variables on an RPMB device.

[1] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Co-developed-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Co-developed-by: Miklos Balint <Miklos.Balint@arm.com>
Signed-off-by: Miklos Balint <Miklos.Balint@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attribu

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attributes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wi

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ldelf: use libunw

Drop ldelf/unwind_arm32,64}.c and use common code from libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.or

ldelf: use libunw

Drop ldelf/unwind_arm32,64}.c and use common code from libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Add unwind library (libunw)

Adds libunw to consolidate the stack unwinding code found in
ldelf/unwind_arm{32,64}.c and core/arch/arm/kernel/unwind_arm{32,64}.c.

The library is called "libunw" rathe

Add unwind library (libunw)

Adds libunw to consolidate the stack unwinding code found in
ldelf/unwind_arm{32,64}.c and core/arch/arm/kernel/unwind_arm{32,64}.c.

The library is called "libunw" rather than "libunwind" to avoid
confusion with the GNU libunwind [1]. The header file is <unw/unwind.h>
to avoid a conflict with GCC's <unwind.h>.

Link: [1] https://www.nongnu.org/libunwind
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUN

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUNC, let's fold these statements into the
FUNC macros.

The .fnstart/.fnend directives mark the start and end of a function
with an unwind table entry (.ARM.exidx) and therefore a function
without them has no entry and cannot be unwound. This means that a
stack dump (on abort or panic) would stop when reaching such a
function.

As a result of this patch, a small number of functions now have an
entry in the unwind table when they had none before (the functions
which were using FUNC or LOCAL_FUNC but had no .fnstart/.fnend). It was
almost always a bug and this pacth only increases the size of the
.ARM.exidx section by a few bytes (tested on QEMU).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <asm.S>, remove a couple of duplicates in
assembler files, and drop the useless includes.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() w

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() which was only called from this function.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...