core: syscall_asymm_verify(): accurate DSA parameter check

A comment in syscall_asymm_verify() reads:
"Depending on the DSA algorithm (NIST), the digital signature output
size may be truncated to th

core: syscall_asymm_verify(): accurate DSA parameter check

A comment in syscall_asymm_verify() reads:
"Depending on the DSA algorithm (NIST), the digital signature output
size may be truncated to the size of a key pair (Q prime size). Q prime
size must be less or equal than the hash output length of the hash
algorithm involved."

Instead of just assuming that Q size is small when data length is
smaller than the hash, check that it's the case also. Don't allow data
length smaller than both hash size and Q size.

Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Provide TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC

Provides TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC which are defined
already in GP v1.0 [1] and also expected in GP v1.1 [2]. The old
TEE_ATTR

Provide TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC

Provides TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC which are defined
already in GP v1.0 [1] and also expected in GP v1.1 [2]. The old
TEE_ATTR_BIT_VALUE and TEE_ATTR_BIT_PROTECTED are kept for backwards
compatibility for now.

[1]: GlobalPlatform TEE Internal API Specification v1.0
[2]: GlobalPlatform TEE Internal Core API Specification v1.1

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use C locale when generating the build date

The build date included in the version string depends on the current
locale (language), which is not very good. Force LANG=C so that english
abbrevi

core: use C locale when generating the build date

The build date included in the version string depends on the current
locale (language), which is not very good. Force LANG=C so that english
abbreviations are used for the day and month.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

libutils: do not redefine ARRAY_SIZE

Do not redefine ARRAY_SIZE if it is already defined

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@lina

libutils: do not redefine ARRAY_SIZE

Do not redefine ARRAY_SIZE if it is already defined

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

drivers: imx_i2c: early_init

When i2c SE elements (crypto providers) are enabled, the driver
requires early initialization. This should be made the default
scenario for drivers with this use case

S

drivers: imx_i2c: early_init

When i2c SE elements (crypto providers) are enabled, the driver
requires early initialization. This should be made the default
scenario for drivers with this use case

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: configuration switches to tune stack sizes

Enabling certain configuration options might increase the TMP and
THREAD stack requirements.

This commit defines CFG_ options so that the sizes of t

core: configuration switches to tune stack sizes

Enabling certain configuration options might increase the TMP and
THREAD stack requirements.

This commit defines CFG_ options so that the sizes of those two stacks
can be fine tuned at build time.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

libutee: fix TEE_GetOperationInfoMultiple()

The size parameter passed to TEE_GetOperationInfoMultiple() tells the
size of the op_info buffer. The maximum number of keys which can be
contained in the

libutee: fix TEE_GetOperationInfoMultiple()

The size parameter passed to TEE_GetOperationInfoMultiple() tells the
size of the op_info buffer. The maximum number of keys which can be
contained in the struct can be calculated from this size parameter.

Prior to this patch is was assumed that the caller by this specified the
exact number of keys to report. This is not correct as the size
parameter is only the upper limit. Fix this by instead figuring out how
many keys (one or two) needs to be returned and after that check if the
buffer is large enough.

Fixes: 05304565f188 ("GP11 : TEE_GetOperationInfoMultiple")
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix TEE_SetOperationKey() and TEE_SetOperationKey2()

Supplying TEE_HANDLE_NULL instead of a valid key handle is supposed to
clear an eventual already present key from the operation handle a

libutee: fix TEE_SetOperationKey() and TEE_SetOperationKey2()

Supplying TEE_HANDLE_NULL instead of a valid key handle is supposed to
clear an eventual already present key from the operation handle and
return TEE_SUCCESS. Prior to this patch the key(s) where halfway cleared
and then functions panicked with TEE_ERROR_BAD_PARAMETERS. So fix this.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_GetOperationInfo() v1.1 update

In the v1.1 specification [1] TEE_GetOperationInfo() is required to set
keySize and requiredKeyUsage to 0 if TEE_HANDLE_FLAG_EXPECT_TWO_KEYS is
set in han

libutee: TEE_GetOperationInfo() v1.1 update

In the v1.1 specification [1] TEE_GetOperationInfo() is required to set
keySize and requiredKeyUsage to 0 if TEE_HANDLE_FLAG_EXPECT_TWO_KEYS is
set in handleState.

This is a clarification compared to the v1.0 [2] specification where
nothing special was noted for those fields when
TEE_HANDLE_FLAG_EXPECT_TWO_KEYS is set.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
[2]: GlobalPlatform TEE Internal API Specification v1.0
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check that certain object attributes are consistent with max key size

When populating a crypto object check that certain attributes are
consistent with maximum key size. For example the attrib

core: check that certain object attributes are consistent with max key size

When populating a crypto object check that certain attributes are
consistent with maximum key size. For example the attribute
TEE_ATTR_DSA_PRIME must not have more significant bits than max key
size. All these attributes are flagged with TEE_TYPE_ATTR_BIGNUM_MAXBITS
and tee_svc_cryp_obj_populate_type() is updated as needed.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check that object attributes for current usage are relevant

When populating or generating a key the relevant attributes can differ.
Some attributes are parameters for the key generation.

Upda

core: check that object attributes for current usage are relevant

When populating or generating a key the relevant attributes can differ.
Some attributes are parameters for the key generation.

Updates tee_svc_cryp_check_attr() and object type descriptions to be
accurate.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: check max key size when populating object

Checks that attributes are within the bounds defined by the max key size
which was supplied when the object was allocated.

Acked-by: Etienne Carriere

core: check max key size when populating object

Checks that attributes are within the bounds defined by the max key size
which was supplied when the object was allocated.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix calculation of DES key size

Prior to this patch was the parity bits included when calculating the
key size for DES keys. Fix this by subtracting the parity bits.

Acked-by: Etienne Carrier

core: fix calculation of DES key size

Prior to this patch was the parity bits included when calculating the
key size for DES keys. Fix this by subtracting the parity bits.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_obj_get() return TEE_ERROR_BAD_STATE

Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object
reference can't be found. This will allow the GP TA API to panic the
caller as requi

core: tee_obj_get() return TEE_ERROR_BAD_STATE

Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object
reference can't be found. This will allow the GP TA API to panic the
caller as required in the GP spec [1].

[1] GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_obj_generate_key() check public rsa exponent

The v1.1 spec [1] requires that the NIST SP800-56B [2] rules to be
followed when generating an RSA key.

Adds a check when generating a RSA

core: syscall_obj_generate_key() check public rsa exponent

The v1.1 spec [1] requires that the NIST SP800-56B [2] rules to be
followed when generating an RSA key.

Adds a check when generating a RSA key that the supplied exponent confirms
with the requirements in NIST SP800-56B, thas is, the key must be odd and
in the range 65537 <= e < 2^256.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Link [2]: https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects

GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So
update syscall_cryp_obj_alloc() accordingly.

[1]: G

core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects

GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So
update syscall_cryp_obj_alloc() accordingly.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_AllocateOperation(): digest operations must have 0 max key size

Make sure that the "maxKeySize" parameter supplied to
TEE_AllocateOperation() is 0 for digest operations since they don't

libutee: TEE_AllocateOperation(): digest operations must have 0 max key size

Make sure that the "maxKeySize" parameter supplied to
TEE_AllocateOperation() is 0 for digest operations since they don't
accept any keys.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix TEE_CloseAndDeletePersistentObject1() with TEE_HANDLE_NULL

Fixing TEE_CloseAndDeletePersistentObject1() to return TEE_SUCCESS if
called with TEE_HANDLE_NULL as required in the v1.1 spec

libutee: fix TEE_CloseAndDeletePersistentObject1() with TEE_HANDLE_NULL

Fixing TEE_CloseAndDeletePersistentObject1() to return TEE_SUCCESS if
called with TEE_HANDLE_NULL as required in the v1.1 specification [1]
where the function was introduced.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: dt: discover_nsec_memory(): consider only non-secure memory

QEMU has a /secram@e000000 DT node with secure-status = "okay" and
status = "disabled", in other words: some secure-only memory is
d

core: dt: discover_nsec_memory(): consider only non-secure memory

QEMU has a /secram@e000000 DT node with secure-status = "okay" and
status = "disabled", in other words: some secure-only memory is
described in the DT. Memory that is not accessible from non-secure
world should not be added to the nsec map. Unfortunately, the commit
referenced below inadvertently added such memory, resulting in a panic
on boot:

I/TC: Non-secure external DT found
E/TC:0 0 check_phys_mem_is_outside:332 Non-sec mem (0xe000000:0x100000) overlaps map (type 14 0xe000000:0x100000)
E/TC:0 0 Panic at core/arch/arm/mm/core_mmu.c:336 <check_phys_mem_is_outside>

Change the DT status test to consider only memory accessible from non-
secure and secure world. Also, rename a couple of functions to make their
purpose clear.

Fixes: 721619e8890e ("core: Parse all memory DT nodes")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat: rcar: Enable parsing DT from TFA

Enable support for reading and processing DT passed in by TFA,
this is useful to read out the DRAM configuration and layout.

Signed-off-by: Marek Vasut <marek

plat: rcar: Enable parsing DT from TFA

Enable support for reading and processing DT passed in by TFA,
this is useful to read out the DRAM configuration and layout.

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: Parse all memory DT nodes

The current code for parsing /memory* DT nodes does not work at all
on systems with multiple memory nodes. The code cannot handle e.g.

/ {
memory@480000000 {
r

core: Parse all memory DT nodes

The current code for parsing /memory* DT nodes does not work at all
on systems with multiple memory nodes. The code cannot handle e.g.

/ {
memory@480000000 {
reg = <0x00000000 0x48000000 0x00000000 0x78000000>;
device_type = "memory";
};
memory@600000000 {
reg = <0x00000006 0x00000000 0x00000000 0x80000000>;
device_type = "memory";
};
};

This patch fixes the code such that it iterates over all enabled
memory nodes instead of reading out the first /memory node only.
The code iterates over the DT twice, which is faster than constant
calls to realloc() to allocate more entries in core_mmu_phys_mem().

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: dt: Repair type in _fdt_reg_size()

The function returns ssize_t , while DT_INFO_INVALID_REG is paddr_t,
fix the type.

Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-of

core: dt: Repair type in _fdt_reg_size()

The function returns ssize_t , while DT_INFO_INVALID_REG is paddr_t,
fix the type.

Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

GP 1.1: Check parameters annotated in the specification

Checks that all the function parameters which are annotated in the
specification [1] are compliant with regards to memory access and memory
lo

GP 1.1: Check parameters annotated in the specification

Checks that all the function parameters which are annotated in the
specification [1] are compliant with regards to memory access and memory
location. In case the check fails the TA panics to help debugging. The
more precise and expensive checks can be disabled with
CFG_TA_STRICT_ANNOTATION_CHECKS=n.

TEE_Realloc(), TEE_MemMove(), TEE_MemCompare(), TEE_MemFill() are
skipped for performance reasons. The TA will instead die with a fatal
exception if buffers supplied to these functions do not follow the
annotation rules.

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the
description of API functions to among other things describe which kind

core: strict buffer check in syscalls following GP 1.1

GP 1.1 [1] and also earlier specifications has certain annotation in the
description of API functions to among other things describe which kind
of memory a buffer is required to reside in. It could be readable,
writeable, in shared memory in TA private memory.

The following syscalls are updated with slightly stricter checks with
regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()

[1]: GlobalPlatform TEE Internal Core API Specification v1.1

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV

In order for tee_mmu_check_access_rights() to be able to identify ldelf
mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This
is ne

core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV

In order for tee_mmu_check_access_rights() to be able to identify ldelf
mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This
is needed for the more strict check of the memory location of ret_orig
in syscall_open_ta_session() and syscall_invoke_ta_command().

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...