plat-k3: drivers: ti-sci: Add support for setting KEYREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_KEYREV. This
allows for incrementing the key revision counter.

Signed-off-by: Andrew

plat-k3: drivers: ti-sci: Add support for setting KEYREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_KEYREV. This
allows for incrementing the key revision counter.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Add support for setting SWREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_SWREV. This
allows for incrementing the software revision counter.

Signed-off-by: And

plat-k3: drivers: ti-sci: Add support for setting SWREV

Add support for the TI-SCI OTP message TI_SCI_MSG_WRITE_SWREV. This
allows for incrementing the software revision counter.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: drivers: ti-sci: Fix struct name in comments for OTP functions

A couple of the documented names for the OTP functions do not match
the struct names being documented. Fix this.

Signed-off-b

plat-k3: drivers: ti-sci: Fix struct name in comments for OTP functions

A couple of the documented names for the OTP functions do not match
the struct names being documented. Fix this.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

ci: disable QEMUv8 Xen FF-A job

Disable the "make check (QEMUv8, Xem FF-A)" job until an issue is fixed
in the OP-TEE and FF-A kernel drivers [1].

Link: https://github.com/OP-TEE/optee_os/issues/73

ci: disable QEMUv8 Xen FF-A job

Disable the "make check (QEMUv8, Xem FF-A)" job until an issue is fixed
in the OP-TEE and FF-A kernel drivers [1].

Link: https://github.com/OP-TEE/optee_os/issues/7394 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: stm32_iwdg: check for error on clk_enable during probe

Check for the error returned by clk_enable() during the driver's
probe.
While there, if watchdog is started but we cannot control it,

drivers: stm32_iwdg: check for error on clk_enable during probe

Check for the error returned by clk_enable() during the driver's
probe.
While there, if watchdog is started but we cannot control it,
trigger panic instead of return error. This also avoids adding
useless clk_disable() in the error exit path.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_iwdg: add get_timeleft watchdog handler

Implement .get_timeleft() watchdog operation handler for non-secure
world to query the watchdog device state. System time is logged at each
wat

drivers: stm32_iwdg: add get_timeleft watchdog handler

Implement .get_timeleft() watchdog operation handler for non-secure
world to query the watchdog device state. System time is logged at each
watchdog refresh to estimate time remaining before the watchdog elapses.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: wdt: add implementation of SMCWD_GET_TIMELEFT

Implement watchdog SMC service SMCWD_GET_TIMELEFT that is optional
and allows non-secure world to get information on watchdog state.
The servic

drivers: wdt: add implementation of SMCWD_GET_TIMELEFT

Implement watchdog SMC service SMCWD_GET_TIMELEFT that is optional
and allows non-secure world to get information on watchdog state.
The service is supported by new watchdog driver operation handler
get_timeleft.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_iwdg: remove OTP access in driver

Now we know if the watchdog is running by reading the hardware,
there is no need to read the OTP fuses related to the watchdog.
This allows removing

drivers: stm32_iwdg: remove OTP access in driver

Now we know if the watchdog is running by reading the hardware,
there is no need to read the OTP fuses related to the watchdog.
This allows removing platform function stm32_get_iwdg_otp_config()
and consequently stm32_iwdg.h header file.

Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

drivers: stm32_iwdg: probe if watchdog is running

Read from the hardware whether watchdog is already running when
core initializes. Relax timeout from 1 to 10ms to let the
watchdog warm-up when enab

drivers: stm32_iwdg: probe if watchdog is running

Read from the hardware whether watchdog is already running when
core initializes. Relax timeout from 1 to 10ms to let the
watchdog warm-up when enabled.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>

show more ...

ci: do not override QEMU version

The "make check (QEMUv8, BTI+MTE+PAC)" CI job currently checks out an
old version of QEMU. Not only is this workaround not necessary anymore,
but worse it makes the

ci: do not override QEMU version

The "make check (QEMUv8, BTI+MTE+PAC)" CI job currently checks out an
old version of QEMU. Not only is this workaround not necessary anymore,
but worse it makes the check fail with the following output (from
out/bin/serial0.log):

Starting kernel ...

**
ERROR:../target/arm/internals.h:742:regime_is_user: code should not be reached
Bail out! ERROR:../target/arm/internals.h:742:regime_is_user: code should not be reached
Aborted (core dumped)
send: spawn id exp9 not open
while executing
"send -- "root\r\r""
(file "/root/optee/build/../build/qemu-check.exp" line 129

Therefore, let the QEMU version from the manifest be used.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-rockchip: rk3399: remove GIC configuration

From commit 773c05f417fa ("irqchip/gic-v3: Work around insecure GIC
integrations") in the Linux kernel it appears that the hardware
integration of the

plat-rockchip: rk3399: remove GIC configuration

From commit 773c05f417fa ("irqchip/gic-v3: Work around insecure GIC
integrations") in the Linux kernel it appears that the hardware
integration of the GIC500 isn't correct. For v6.13 kernels which
includes that commit this has the effect of OP-TEE printing and endless
stream of:
D/TC:0 0 gic_native_itr_handler:971 Special interrupt 1023

Fix this by removing GIC configuration for RK3399 so the device can be
used with v6.13 kernels and later.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: riscv: Call page_alloc_init()

Call page_alloc_init() from init_primary() after unused boot memory has
been released.

This commit is to synchronize the boot stages with ARM architecture,
intro

core: riscv: Call page_alloc_init()

Call page_alloc_init() from init_primary() after unused boot memory has
been released.

This commit is to synchronize the boot stages with ARM architecture,
introduced in commit 0e12fb0c2d75 ("core: arm: boot: call
page_alloc_init()") and commit 3e7d042b5d1e ("core: arm: boot: fix
calling page_alloc_init()").

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: kernel: Remove CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL

Now both ARM and RISC-V architectures support initialize
thread_core_local[current_core_pos] before calling C code. Thus, we can
deprecat

core: kernel: Remove CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL

Now both ARM and RISC-V architectures support initialize
thread_core_local[current_core_pos] before calling C code. Thus, we can
deprecate CFG_BOOT_INIT_CURRENT_THREAD_CORE_LOCAL and corresponding
code.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: riscv: Refactor boot

Move initialization of thread_core_local[] from very early to
boot_init_primary_late() and introduce boot_init_primary_runtime().

This commit is to synchronize the boot s

core: riscv: Refactor boot

Move initialization of thread_core_local[] from very early to
boot_init_primary_late() and introduce boot_init_primary_runtime().

This commit is to synchronize the boot stages with ARM architecture,
introduced in commit b5ec8152f3e5 ("core: arm: refactor boot") and
commit b0da0d592ac4 ("core: boot: add boot_init_primary_runtime()").

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

core: riscv: Remove init_sec_mon()

In RISC-V architecture, the secure monitor is always initialized before
jumping into OP-TEE. Thus, init_sec_mon() can be deprecated.

Signed-off-by: Alvin Chang <a

core: riscv: Remove init_sec_mon()

In RISC-V architecture, the secure monitor is always initialized before
jumping into OP-TEE. Thus, init_sec_mon() can be deprecated.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>

show more ...

shdr: add check for weak key sizes

Add a function is_weak_key_size(...), which checks whether a given key
size (in bits) complies with current security standards. If the key size
is lower than 2048,

shdr: add check for weak key sizes

Add a function is_weak_key_size(...), which checks whether a given key
size (in bits) complies with current security standards. If the key size
is lower than 2048, then it's considered deprecated and will make
signature verification fail. Note that this only affects verifying TA
and subkey signatures.

This change aligns with GlobalPlatform's decision, influenced by
feedback from ANSSI, BSI, SOGIS, and NIST. For further details on the
GlobalPlatform's cryptographic algorithm recommendations, see [1].

Link: https://globalplatform.org/specs-library/globalplatform-technology-cryptographic-algorithm-recommendations/ [1]
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

keys: increase default RSA key size to 4096 bits

Change the key size in your default key located at default.pem to 4096
bits.

New key has been created using this command:
openssl genrsa -out keys

keys: increase default RSA key size to 4096 bits

Change the key size in your default key located at default.pem to 4096
bits.

New key has been created using this command:
openssl genrsa -out keys/default.pem 4096

Background:
GlobalPlatform, based on feedback from various national bodies such as
ANSSI, BSI, SOGIS, and NIST, has decided to designate RSA keys smaller
than 2048 bits as deprecated (see [1]).

Note:
This key is intended for testing purposes only. Therefore, it's not a
problem to publicly publish this, but it's important to remember to
change this if/when used in real products.

Link: https://globalplatform.org/specs-library/globalplatform-technology-cryptographic-algorithm-recommendations/ [1]

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

shdr: add SHA-224 to the deprecated algorithms

GlobalPlatform have based on feedback from different national body
organizations, such as ANSSI, BSI, SOGIS and NIST deprecated SHA-224.
Add TEE_ALG_SH

shdr: add SHA-224 to the deprecated algorithms

GlobalPlatform have based on feedback from different national body
organizations, such as ANSSI, BSI, SOGIS and NIST deprecated SHA-224.
Add TEE_ALG_SHA224 to the list of weak signature algorithms.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: QEMUv8: check CFG_DYN_CONFIG=n

Add a check with CFG_DYN_CONFIG explicitly disabled since it's enabled
by default for non-pager Arm configurations.

Signed-off-by: Jens Wiklander <jens.wiklander@

ci: QEMUv8: check CFG_DYN_CONFIG=n

Add a check with CFG_DYN_CONFIG explicitly disabled since it's enabled
by default for non-pager Arm configurations.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: dynamic allocation of threads and their stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of threads and their
stacks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Revie

core: dynamic allocation of threads and their stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of threads and their
stacks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration

core: add thread_count to thread_init_threads()

Add a thread_count parameter to thread_init_threads(). This must currently
always be equal to CFG_NUM_THREADS, but may become a dynamic configuration
parameter with CFG_DYN_CONFIG=y in later patches.

The array threads[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Tested-by: Yu-Chien Peter Lin <peter.lin@sifive.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: mm: shared xlat tables for NEX_DYN_VASPACE

Mappings in MEM_AREA_NEX_DYN_VASPACE belong to the nexus and are must to
be the same for all partitions. Since these mappings must be updated in
the

core: mm: shared xlat tables for NEX_DYN_VASPACE

Mappings in MEM_AREA_NEX_DYN_VASPACE belong to the nexus and are must to
be the same for all partitions. Since these mappings must be updated in
the partitions after the MMU has been enabled. Partitions share
translation tables for this mappings, so we only need to update in one
translation table when adding or removing mappings.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: dynamic allocation of thread_core_local and its stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local
and the two stacks, tmp_stack and abt_stack, recorded in it.

Si

core: dynamic allocation of thread_core_local and its stacks

With CFG_DYN_CONFIG enabled, use dynamic allocation of thread_core_local
and the two stacks, tmp_stack and abt_stack, recorded in it.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: add core_count to thread_init_thread_core_local()

Add a core_count parameter to thread_init_thread_core_local() to enable
dynamic configuration of the number of supported cores when configured

core: add core_count to thread_init_thread_core_local()

Add a core_count parameter to thread_init_thread_core_local() to enable
dynamic configuration of the number of supported cores when configured
with CFG_DYN_STACK_CONFIG=y, or it must be equal to
CFG_TEE_CORE_NB_CORE. This is needed in later patches where the number
of cores is configured dynamically.

The array thread_core_local[] is changed into a pointer to allow dynamic
allocation in later patches. The assembly code is updated accordingly to
handle a pointer instead of an array.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Alvin Chang <alvinga@andestech.com>
Tested-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: virt: share TA memory with core

With CFG_NS_VIRTUALIZATION=y it is assumed that all physical OP-TEE
memory, core and TA, is equally secure. When a guest is created,
register the allocated

core: arm: virt: share TA memory with core

With CFG_NS_VIRTUALIZATION=y it is assumed that all physical OP-TEE
memory, core and TA, is equally secure. When a guest is created,
register the allocated physical TA memory in the physical core memory
pool instead of physical TA memory pool. This lets the partition to
allocate from a single pool reserved for the partition instead of trying
to guess how much core memory it might need.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...