core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions which checks that the user
mode buffer resides in TA private memory and not non-secure shared
memory for instance.

Rev

core: add copy_{to,from}_private()

Adds the copy_{to,from}_private() functions which checks that the user
mode buffer resides in TA private memory and not non-secure shared
memory for instance.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome

core: separate copy_from_user() and friends

Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and
friends into <kernel/user_access.h> and core/kernel/user/access.c

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: fix build warning

Compiler warns about comparison of integer expressions of different
signedness. This causes build failures when error on warning is enabled.

Signed-off-by: Jorge Ra

drivers: caam: fix build warning

Compiler warns about comparison of integer expressions of different
signedness. This causes build failures when error on warning is enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

scripts/sign_encrypt.py: add flags for the signing algorithm

+ Update the sign_encrypt.py so that it can choose the signing algorithm
between PSS and PKCS#1.5.
+ Convert the if/else into a try/exc

scripts/sign_encrypt.py: add flags for the signing algorithm

+ Update the sign_encrypt.py so that it can choose the signing algorithm
between PSS and PKCS#1.5.
+ Convert the if/else into a try/except for the signature check

Signed-off-by: Mingyuan Xiang <mingyuan@oxhainan.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias.vondaeniken@bluewin.ch>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: fix memset(), memcpy(), memmove() with -O3

When libutils is built with optimization -O3 (make CFG_CC_OPT_LEVEL=3),
memset() may cause infinite recursion. This bug was observed with GCC
8.3

libutils: fix memset(), memcpy(), memmove() with -O3

When libutils is built with optimization -O3 (make CFG_CC_OPT_LEVEL=3),
memset() may cause infinite recursion. This bug was observed with GCC
8.3 with QEMUv8. The reason is, at this optimization level the compiler
may decide to replace loops with calls to memset(), which is obviously
not valid when the loop is in the memset function itself. This behavior
can be turned off with -fno-tree-loop-distribute-patterns.

Therefore, add the appropriate build flag to memset.c. Note that a
similar fix was introduced in upstream newlib [1] but since it depends
on the newlib build script to detect compiler support, the patch is not
directly applicable. Instead $(call cc-option,...) is used here.

Although I have not observed any issue with memcpy() and memmove(),
upstream did apply the compiler flag to these functions too [1], [2],
which seems quite reasonable so do the same here.

Link: [1] https://github.com/bminor/newlib/commit/10e4d79a191f07999bc94b21535fba5d7c04f419
Link: [2] https://github.com/bminor/newlib/commit/82dfae9ab0734b9946321590162dc6021057fec1
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: memset(): add -O2 only if optimization is -Os

Commit 5b2aaa117eee ("libutee: optimize memcpy() for speed") added -O2
to memset.c to exclude the slower implementation which would be selecte

libutils: memset(): add -O2 only if optimization is -Os

Commit 5b2aaa117eee ("libutee: optimize memcpy() for speed") added -O2
to memset.c to exclude the slower implementation which would be selected
when level is -Os (in which case __OPTIMIZE_SIZE__ is defined).

Since the optimization level can now be selected globally with
CFG_CC_OPT_LEVEL, -O2 should not be forced unconditionally or it could
actually reduce the desired level (when CFG_CC_OPT_LEVEL=3).

Therefore, add -O2 only if the global optimization is -Os.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

|

Introduce CFG_CC_OPT_LEVEL and deprecate CFG_CC_OPTIMIZE_FOR_SIZE

The influence on the performance of the C optimization flag (-O) can be
significant as shown by the output of "time xtest":

| QEMUv8 | HiKey960 (A73 cores only)
-----+----------------+--------------------------
-O0 | 2m 54s, 2m 49s | 42.28s, 42.07s
-Os | 2m 03s, 2m 03s | 25.57s, 25.60s
-O2 | 1m 36s, 1m 35s | 24.01s, 23.93s

This commit introduces CFG_CC_OPT_LEVEL (default: s) which may be set to
0, s, 2 or any value accepted by the compiler. This gives better
flexibility to chose the best level depending on the use case.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: Fix fputs() when CFG_TEE_TA_LOG_LEVEL=0

When Optee OS is compiled with CFG_TEE_TA_LOG_LEVEL=0, Optee
test fails to compile properly:

arm-none-linux-gnueabihf-ld.bfd: libutils.a(fputs.o):

libutils: Fix fputs() when CFG_TEE_TA_LOG_LEVEL=0

When Optee OS is compiled with CFG_TEE_TA_LOG_LEVEL=0, Optee
test fails to compile properly:

arm-none-linux-gnueabihf-ld.bfd: libutils.a(fputs.o): in function `fputs':
fputs.c:15: undefined reference to `trace_ext_puts'
link.mk:109: recipe for target '5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.elf'
failed

fputs is referenced by libstdc++.a which is used by the os_test
TA for the C++ tests.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
afte

core: thread: add compiler barrier to thread_set_exceptions()

With compiler optimizer enable (-O2) compiler generate invalid code
for thread_get_id_may_fail(). The curr_thread read got re-order
after exceptions unmask.

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. All

core: Add a parameter to vm_map_pad() to specify alignment requirement

There are cases where the virtual address returned for a requested
mapping needs to satisfy certain alignment requirements. Allow the
calling functions to specify the required alignment as a parameter
to vm_map_pad().

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

shippable: build secure partition code

A previous commit adds support for secure partition loading, acting
similarly to SPM in order to launch StandAloneMM.
Let's add this to shippable and make sure

shippable: build secure partition code

A previous commit adds support for secure partition loading, acting
similarly to SPM in order to launch StandAloneMM.
Let's add this to shippable and make sure the new code at least compiles
properly.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually e

core: load stmm via secure partition

Secure variable storage for EFI variables is critical for enabling and
protecting UEFI Secure Boot. Unfortunately due to the fact that SPD and
SPM are mutually exclusive, we can't run StMM from EDK2 and OP-TEE.
An advantage of doing so is that different firmware implementations
can leverage EDK2's StandAloneMM and in cooperation with OP-TEE RPMB
APIs can store UEFI variables in a secure storage.
This makes the variable storage quite generic in any device with an RPMB
partition.

Using a well debugged application is preferable over rewriting the whole
application as a TA. Another advantage is that this inherits the Fault
Tolerant Writes (FTW) functionality built-in on StMM to protect
variables against corruptions during writing. Considering the FFA
changes of the future Arm architectures using an SP that includes
everything seems like a better choice at the moment.
The 'SPM emulation' currently added into OP-TEE only supports
a single SP to be launched. This means that the StMM embedded
application has the RPMB driver built in at the moment. In the future we
can add code (evolving FFA) to launch multiple SPs. So the StMM variable
handling can be decoupled from the RPMB driver, which will reside in a
different SP.

So let's add a user mode secure partition context and support loading
"Standalone MM" of EDK2 into it. A separate syscall handling is added to
serve as different kind of ABI and syscall IDs. The secure partition has
a TA like interface towards normal world, but requests are routed into
the StMM partition instead.

CFG_STMM_PATH is assigned the path of BL32_AP_MM.fd, for instance:
CFG_STMM_PATH=...Build/QemuVirtMmStandalone/DEBUG_GCC5/FV/BL32_AP_MM.fd

Since this is quite tricky to compile and test you can use this [1].
Just clone the repo and run ./build.sh. The script will pick up edk2,
edk2-platforms, op-tee, atf and U-boot and compile all the necessary
binaries for QEMU. A patch (awful hack) has been added to U-boot to
allow RPMB emulation through it's supplicant, since QEMU RPMB emulation
is not yet available.
After compiling and launching QEMU the usual U-boot commands for EFI
variable management will store the variables on an RPMB device.

[1] https://git.linaro.org/people/ilias.apalodimas/efi_optee_variables.git/

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Co-developed-by: Pipat Methavanitpong <pipat1010@gmail.com>
Signed-off-by: Pipat Methavanitpong <pipat1010@gmail.com>
Co-developed-by: Miklos Balint <Miklos.Balint@arm.com>
Signed-off-by: Miklos Balint <Miklos.Balint@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attribu

core: add vm_get_prot()

A following commit, related to the StMM functionality needs to read
the current page attributes before modifying them.
So let's add a function to retrieve the current attributes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wi

core: use libunw

Reduce core/arch/arm/kernel/unwind_arm{32,64}.c and use common code from
libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ldelf: use libunw

Drop ldelf/unwind_arm32,64}.c and use common code from libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.or

ldelf: use libunw

Drop ldelf/unwind_arm32,64}.c and use common code from libunw instead.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Add unwind library (libunw)

Adds libunw to consolidate the stack unwinding code found in
ldelf/unwind_arm{32,64}.c and core/arch/arm/kernel/unwind_arm{32,64}.c.

The library is called "libunw" rathe

Add unwind library (libunw)

Adds libunw to consolidate the stack unwinding code found in
ldelf/unwind_arm{32,64}.c and core/arch/arm/kernel/unwind_arm{32,64}.c.

The library is called "libunw" rather than "libunwind" to avoid
confusion with the GNU libunwind [1]. The header file is <unw/unwind.h>
to avoid a conflict with GCC's <unwind.h>.

Link: [1] https://www.nongnu.org/libunwind
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUN

arm32: fold UNWIND(.fnstart/.fnend) into the FUNC macros

This change applies to arm32 assembler sources.

Instead of using UNWIND(.fnstart) after FUNC or LOCAL_FUNC and
UNWIND(.fnend) before END_FUNC, let's fold these statements into the
FUNC macros.

The .fnstart/.fnend directives mark the start and end of a function
with an unwind table entry (.ARM.exidx) and therefore a function
without them has no entry and cannot be unwound. This means that a
stack dump (on abort or panic) would stop when reaching such a
function.

As a result of this patch, a small number of functions now have an
entry in the unwind table when they had none before (the functions
which were using FUNC or LOCAL_FUNC but had no .fnstart/.fnend). It was
almost always a bug and this pacth only increases the size of the
.ARM.exidx section by a few bytes (tested on QEMU).

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <

arm32: move the UNWIND() macro to <asm.S>

All the users of the UNWIND() macro include <asm.S> already, which is
therefore a good place to define this macro. Let's move it from
<kernel/unwind.h> to <asm.S>, remove a couple of duplicates in
assembler files, and drop the useless includes.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() w

core: arm32: remove unused function relocate_exidx()

Since commit d1911a85142d ("core: load TAs using ldelf"), function
relocate_exidx() is not used any more. Remove it, as well as
offset_prel31() which was only called from this function.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether a

core: remove stack dump macros and multiple log levels

Of the various xPRINT_STACK() macros (x in {E,I,D,F}), only
EPRINT_STACK() is used. Let's simplify the code by removing the macros
altogether and calling print_kernel_stack() instead. Since only the
TRACE_ERROR is used, the 'level' argument to print_kernel_stack(),
print_stack_arm32() and print_stack_arm64() is removed too.

In addition to simplifying the code, these changes will allow the
consolidation of the stack unwinding code between core and ldelf.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ldelf: arm64: support R_AARCH64_NONE relocations

Add support for relocation type R_AARCH64_NONE indicating no
relocation is needed. No issue have been currently reported
on 64bit machines but the is

ldelf: arm64: support R_AARCH64_NONE relocations

Add support for relocation type R_AARCH64_NONE indicating no
relocation is needed. No issue have been currently reported
on 64bit machines but the issue was found with 32bit TAs that
were built with GCC 9 and were illegitimately refused to be loaded.

Linker that generates the TA executable usually does not add such
relocation type entries in the relocation table as it adds
no real value at run or debug time. This change ensures that if
such entries remain in a TA, it is still loadable.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ldelf: arm32: support R_ARM_NONE relocations

Fixes an issue when the toolchain used to build a TA creates
R_ARM_NONE entries in the relocation table. Such relocation
type means that no relocation is

ldelf: arm32: support R_ARM_NONE relocations

Fixes an issue when the toolchain used to build a TA creates
R_ARM_NONE entries in the relocation table. Such relocation
type means that no relocation is expected but the relocation
table parser did not handle this type prior this change and TAs
with such entries failed to be loaded with an error message like:

E/LD: e32_relocate:378 Unknown relocation type 0

It appears that GCC 9 (at least GCC-9.2 and GCC-9.3) creates such
entries while prior version of the GCC toolchain did not.

Linker that generates the TA executable usually does not add such
relocation type entries in the relocation table as it adds
no real value at run or debug time. This change ensures that if
such entries remain in a TA, it is still loadable.

Fixes: https://github.com/OP-TEE/optee_os/issues/4064
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1, qemu)
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: fix get_attribute_ptrs() against empty attributes

Fix get_attribute_ptrs() to output NULL attribute value references
when the target attribute value is empty, that is when the attribute

ta: pkcs11: fix get_attribute_ptrs() against empty attributes

Fix get_attribute_ptrs() to output NULL attribute value references
when the target attribute value is empty, that is when the attribute
value size is 0.

Fixes: 63f89caa9022 ("ta: pkcs11: attribute helper functions")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

ta: pkcs11: fix trace_attributes() to support empty attribute arrays

Fix trace_attributes() to not print meaningless data when an attribute
array is empty.

Also fix a local variable that is not ini

ta: pkcs11: fix trace_attributes() to support empty attribute arrays

Fix trace_attributes() to not print meaningless data when an attribute
array is empty.

Also fix a local variable that is not initialized in trace_attributes().

Fixes: 63f89caa9022 ("ta: pkcs11: attribute helper functions")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...