core: Fix the entry on the match table for TPM support.

TF-A Measured Boot driver expects a tpm_event_log node on the
DTB with the compatible field set to "arm,tpm_event_log", so
fix the match table

core: Fix the entry on the match table for TPM support.

TF-A Measured Boot driver expects a tpm_event_log node on the
DTB with the compatible field set to "arm,tpm_event_log", so
fix the match table entry for the TPM support to match the one
used by TF-A.

Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: mmu: arm64: fix get_va_width()

Fixes get_va_width() when CFG_LPAE_ADDR_SPACE_SIZE != (1ull << 32).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wik

core: mmu: arm64: fix get_va_width()

Fixes get_va_width() when CFG_LPAE_ADDR_SPACE_SIZE != (1ull << 32).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: rpc i2c: fix, REE processed bytes

Fix number of bytes processed by the REE that is returned in p[3] as
defined in the API, not in p[2].

Fixes: 30c53a724263 ("core: arm: rpc i2c trampolin

core: arm: rpc i2c: fix, REE processed bytes

Fix number of bytes processed by the REE that is returned in p[3] as
defined in the API, not in p[2].

Fixes: 30c53a724263 ("core: arm: rpc i2c trampoline driver")
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add user parameter thread_rpc_shm_cache_alloc()

Adds a user parameter to thread_rpc_shm_cache_alloc() to make sure that
different callers of thread_rpc_shm_cache_alloc() doesn't interfere with

core: add user parameter thread_rpc_shm_cache_alloc()

Adds a user parameter to thread_rpc_shm_cache_alloc() to make sure that
different callers of thread_rpc_shm_cache_alloc() doesn't interfere with
each other. The FS allocation could perhaps be intertwined with I2C
allocations if crypto operations are done over I2C.

Fixes: 9bee8f2a5af7 ("core: add generic rpc shared memory buffer caching")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: embed AEABI personality routines upon CFG_UNWIND

Fix a TA build issue found when CFG_UNWIND=n. This issue produces a
build error trace like the below:

.../toolchains/aarch32/bin/arm-linux

libutils: embed AEABI personality routines upon CFG_UNWIND

Fix a TA build issue found when CFG_UNWIND=n. This issue produces a
build error trace like the below:

.../toolchains/aarch32/bin/arm-linux-gnueabihf-ld.bfd: .../toolchains/aarch32/bin/../lib/gcc/arm-linux-gnueabihf/8.3.0/libgcc_eh.a(unwind-arm.o): in function `__aeabi_unwind_cpp_pr0':
/tmp/dgboter/bbs/rhev-vm8--rhe6x86_64/buildbot/rhe6x86_64--arm-linux-gnueabihf/build/src/gcc/libgcc/config/arm/unwind-arm.c:494: multiple definition of `__aeabi_unwind_cpp_pr0'; .../optee_os/out/arm/export-ta_arm32/lib/libutils.a(aeabi_unwind.o): .../optee_os/lib/libutils/ext/arch/arm/aeabi_unwind.c:9: first defined here
.../optee_os/out/arm/export-ta_arm32/mk/link.mk:109: recipe for target 'out/5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.elf' failed

I don't understand why toolchain support for __aeabi_unwind_cpp_pr0()
conflicts with the libutils implementation only when CFG_UNWIND=n. Yet
the current change works around the issue.

Fixes: https://github.com/OP-TEE/optee_test/issues/440
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Update revision for release tag 3.10.0-rc1

Signed-off-by: Jerome Forissier <jerome@forissier.org>

virt: clear current thread id during initialization

When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call
`thread_clr_boot_thread()` during boot because the threads are
allocated in "tee"

virt: clear current thread id during initialization

When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call
`thread_clr_boot_thread()` during boot because the threads are
allocated in "tee" memory area, which is not available when there is
no virtual guests.

So, in this case local core state is left in erroneous state, which
causes assertion violation in thread_alloc_and_run(), when guests
calls OP-TEE for the first time from boot core.

Fixes: b166fabf3e8c ("core: initialize thread_core_local::curr_thread to -1")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

mk/subdir.mk: handle C++ flags related variables

Adds proper handling of cxxflags-y, cxxflags-<file name>-y,
cxxflags-remove-y, cxxflags-remove-<file name>-y, cxxflags-lib-y in the
same way as for C

mk/subdir.mk: handle C++ flags related variables

Adds proper handling of cxxflags-y, cxxflags-<file name>-y,
cxxflags-remove-y, cxxflags-remove-<file name>-y, cxxflags-lib-y in the
same way as for C flags.

Fixes: be3bc461c686 ("ta: experimental C++ support")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: shippable: build with CFG_CORE_DEBUG_CHECK_STACKS=y

Updates the Shippable CI configuration so that the stack check code is
compile-tested.

Signed-off-by: Jerome Forissier <jerome@forissier.org>

ci: shippable: build with CFG_CORE_DEBUG_CHECK_STACKS=y

Updates the Shippable CI configuration so that the stack check code is
compile-tested.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler will insert entry and exit hooks in all
functions in the TEE core. On entry, the stack pointer is checked and
if an overflow is detected, panic() is called.

How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication
of the root cause of the corruption which may have happened quite some
time before. Running the test case again with a debugger attached and a
watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler
before the first canary check, for instance, during boot when the
temporary stack is used. This code will likely catch such issues, too.

The downside is increased stack usage and a significant runtime overhead
which is why this feature should be enabled only for troubleshooting.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so t

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so that
init_secondary_helper() doesn't have to. It is renamed to
thread_init_thread_core_local().
- The flag remains set upon return to normal world, ready for the next
entry into secure world.
- The foreign_intr_handler macro sets the flag since it uses the
temporary stack.
- thread_core_local_set_tmp_stack_flag() is now unused and can be
removed.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add __noprof attribute to register accessors

Allowing instrumentation of register accessor functions does not really
make sense, since they are normally inlined by the compiler. On the
contrar

core: add __noprof attribute to register accessors

Allowing instrumentation of register accessor functions does not really
make sense, since they are normally inlined by the compiler. On the
contrary, allowing the compiler to instrument these functions (if for
some reason they are not inlined) can cause serious problems such as
infinite recursion (in case the instrumentation ends up calling a
register accessor again) or unexpected results (if the accessor is used
by early code before the instrumentation is initialized).

Note that the accessors used by user space already have __noprof (see
lib/libutee/include/arm64_user_sysreg.h and scripts/arm32_sysreg.py).

For these reasons, add __noprof to core/arch/arm/include/arm{32,64}.h.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: always increase mappings for pta memrefs

In copy_in_param() always call mobj_inc_map() before mobj_get_va() to
guarantee that the memref is mapped for the duration of the call into
the PTA.

R

core: always increase mappings for pta memrefs

In copy_in_param() always call mobj_inc_map() before mobj_get_va() to
guarantee that the memref is mapped for the duration of the call into
the PTA.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj: add {inc,dec}_map() to struct mobj_ops

Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map()
and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are
are

core: mobj: add {inc,dec}_map() to struct mobj_ops

Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map()
and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are
are replaced with function pointers in mobj_reg_shm_ops and
mobj_ffa_ops. Inline versions of mobj_inc_map() and mobj_dec_map() are
added to call the correct function via struct mobj_ops instead. If
struct mobj_ops for a particular mobj doesn't have and implementation of
inc_map() or dec_map() TEE_SUCCESS is returned instead.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add optimization and debug flags to exported TA C++ flags

$(platform-cflags-optimization) and $(platform-cflags-debug-info) are
added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same

Add optimization and debug flags to exported TA C++ flags

$(platform-cflags-optimization) and $(platform-cflags-debug-info) are
added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same
for C++ flags thanks to ta_arm{32,64}-platform-cxxflags.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8)
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: arm: rpc i2c trampoline driver

Gives OP-TEE access to the i2c buses initialized and controlled by the
REE kernel. This is done by memory mapping a buffer from the thread's
cache where the inpu

core: arm: rpc i2c trampoline driver

Gives OP-TEE access to the i2c buses initialized and controlled by the
REE kernel. This is done by memory mapping a buffer from the thread's
cache where the input or output data is transferred.

Using this mechanism, OP-TEE clients do not have to worry about REE
RUNTIME_PM features switching off clocks from the controllers or
collisions with other bus masters.

This driver assumes that the I2C chip is on a REE statically assigned
bus which value is known to OP-TEE (it will not query/probe the REE).

The slave address can be either seven or ten bits. When using a ten
bit address, the corresponding flag needs to be set in the command and
the REE adapter must support the requested addressing mode.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: juno: update 808870 Unconditional VLDM workaround

With the commit be3bc461c686 ("ta: experimental C++ support") we have
some C++ tests in the regression tests which depends on libraries in the

core: juno: update 808870 Unconditional VLDM workaround

With the commit be3bc461c686 ("ta: experimental C++ support") we have
some C++ tests in the regression tests which depends on libraries in the
toolchain with hard float enabled. To be able to compile the regression
tests hard float cannot be disabled. Disabling hard float was our
original workaround for this erratum. Another way to avoid the erratum
is to disable strict alignment checks. So unless
CFG_SCTLR_ALIGNMENT_CHECK isn't explicitly set to 'y' force it to 'n'
instead.

Fixes: be3bc461c686 ("ta: experimental C++ support")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: init_secondary_helper(): fix spelling mistake

Fix spelling mistake in the info message displayed on the console when
secondary CPUs are initialized.

Signed-off-by: Jerome Forissier <jerome@fo

core: init_secondary_helper(): fix spelling mistake

Fix spelling mistake in the info message displayed on the console when
secondary CPUs are initialized.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm: add hard-float detection for cxxflags

Otherwise the compiler will complain that hard-float object files
generated from C code can not be linked with soft-float files generated
from cxx files.

arm: add hard-float detection for cxxflags

Otherwise the compiler will complain that hard-float object files
generated from C code can not be linked with soft-float files generated
from cxx files.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: add cxxflags for CPU support

Otherwise the compiler is not able to determine the FPU setting from the
CPU architecture for cxx files.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutroni

core: add cxxflags for CPU support

Otherwise the compiler is not able to determine the FPU setting from the
CPU architecture for cxx files.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

stm32_bsec: always embed shadow OTPs write function

Change the scope of configuration switch CFG_STM32_BSEC_WRITE to
not cover shadow OTP write support. CFG_STM32_BSEC_WRITE is used
to embed or not

stm32_bsec: always embed shadow OTPs write function

Change the scope of configuration switch CFG_STM32_BSEC_WRITE to
not cover shadow OTP write support. CFG_STM32_BSEC_WRITE is used
to embed or not OTP programming support but writing shadow OTPs
is a normal executing an OTP read operation hence this change
embeds stm32_bsec_write_otp() driver API function even when
CFG_STM32_BSEC_WRITE is disabled.

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
[etienne: rephrase commit log]
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: SiP SMC service for BSEC access

Correct the SiP SMC identifier, alignment with TF-A
and U-Boot.

Fixes: 206b29e850e9 ("plat-stm32mp1: SiP SMC service for BSEC access")
Signed-off-by:

plat-stm32mp1: SiP SMC service for BSEC access

Correct the SiP SMC identifier, alignment with TF-A
and U-Boot.

Fixes: 206b29e850e9 ("plat-stm32mp1: SiP SMC service for BSEC access")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
[etienne: fix commit log]
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: experimental C++ support

Update the TA makefiles to support C++ (file extension: .cpp).

This allows the use of C++ in TA and libraries, with limitations (see
below). I consider this work experi

ta: experimental C++ support

Update the TA makefiles to support C++ (file extension: .cpp).

This allows the use of C++ in TA and libraries, with limitations (see
below). I consider this work experimental because it was only tested
with simple cases in xtest, introducing the required changes and
addressing issues one after another. Therefore, some features may be
missing for more complex use cases (additional relocation types or
runtime support...).

Tested with the arm-linux-gnueabihf- and aarch64-linux-gnu- toolchains
(GCC 8.3).

Limitations:

- Clang is not supported at the moment
- Exception handling: shared libraries cannot throw, catch or propagate
exceptions. Doing so would require linking the libraries and the main
program with the shared libgcc [1] which is not straightforward due
to the many dependencies on the GNU libc. Exceptions *can* be used in
the main program however, as well as in static libraries directly
linked with the main program.
- ldelf stack unwinding does not support C++ frames so crash/panic
dumps will likely be truncated when they involve C++ code.

Link: [1] https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html see "-shared-libgcc"
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8, HiKey960)
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf: increase heap size from 12 to 16 KiB

Preparing for C++ support in TAs.

The current ldelf heap is barely sufficient to run some tests such as
xtest 1022 (dlopen()) when CFG_ULIBS_SHARED=y. If

ldelf: increase heap size from 12 to 16 KiB

Preparing for C++ support in TAs.

The current ldelf heap is barely sufficient to run some tests such as
xtest 1022 (dlopen()) when CFG_ULIBS_SHARED=y. If slightly larger
section headers are present (such as when introducing Thread Local
Storage tests, needed for C++), the heap becomes too small and the TA
fails to load.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf, libutee: rework support of DT_INIT_ARRAY/DT_FINI_ARRAY

Now that we have the standard function dl_iterate_phdr() in libutee, we
can use it to process the initialization and finalization arrays

ldelf, libutee: rework support of DT_INIT_ARRAY/DT_FINI_ARRAY

Now that we have the standard function dl_iterate_phdr() in libutee, we
can use it to process the initialization and finalization arrays in the
ELF files and deprecate the ad-hoc structure __init_fini_info
introduced in commit dd655cb9906c ("ldelf, ta: add support for
DT_INIT_ARRAY and DT_FINI_ARRAY") [1].
Unfortunately, removing __init_fini_info is not an option if we want to
ensure backward compatibility. This concerns only TAs which use ELF
initialization and/or finalization functions.

[1] Released in version 3.9.0.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...