core: tee_mmu: fix use after free bug in vm_unmap()

vm_unmap() uses r->va and r->size after it is freed and can cause the
end VA address calculation to be wrong and the while loop keep going
till it

core: tee_mmu: fix use after free bug in vm_unmap()

vm_unmap() uses r->va and r->size after it is freed and can cause the
end VA address calculation to be wrong and the while loop keep going
till it unmaps the rest of the regions. This bug can cause TA to
crash with a translation fault since vm_unmap() unmapped text and data

Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: aslr: suppress R_AARCH64_ABS64 and R_ARM_ABS32 relocations

The following errors were observed when building with GCC 6.2.1:

- 64 bits:
GEN out/arm/core/tee.bin
Unexpected relocation t

core: aslr: suppress R_AARCH64_ABS64 and R_ARM_ABS32 relocations

The following errors were observed when building with GCC 6.2.1:

- 64 bits:
GEN out/arm/core/tee.bin
Unexpected relocation type 0x101

- 32 bits:
GEN out/arm/core/tee.bin
Unexpected relocation type 0x2

Relocation type 0x101 is R_AARCH64_ABS64 and 0x2 is R_ARM_ABS32. The
errors are output by scripts/gen_tee_bin.py which expects only relative
relocations (the ones that are necessary for ASLR).

This patch adds the -Bsymbolic linker option to avoid these
relocations. More information can be found in Linux commit [1].

Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=08cc55b2afd97a654f71b3bebf8bb0ec89fdc498
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

libutils: confine_array_index: arm64: replace csdb by hint #20

Older compilers such as GCC 6.2 do not support the csdb mnemonic [1].
For better compatibility, replace it by its equivalent: hint #20.

libutils: confine_array_index: arm64: replace csdb by hint #20

Older compilers such as GCC 6.2 do not support the csdb mnemonic [1].
For better compatibility, replace it by its equivalent: hint #20.

CC out/arm/ldelf/ta_elf_rel.o
{standard input}: Assembler messages:
{standard input}:274: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:371: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:667: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:776: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:1010: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:1084: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:1413: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:1495: Error: unknown mnemonic `csdb' -- `csdb'
{standard input}:1671: Error: unknown mnemonic `csdb' -- `csdb'
make[1]: *** [mk/compile.mk:157: out/arm/ldelf/ta_elf_rel.o] Error 1

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

plat-imx: psci: support Arm SMCCC_VERSION function ID

As per Arm SMCCC v1.1 specification [1], PSCI PSCI_FEATURES function ID
should report Arm Architecture Call SMCCC_VERSION as supported when
the

plat-imx: psci: support Arm SMCCC_VERSION function ID

As per Arm SMCCC v1.1 specification [1], PSCI PSCI_FEATURES function ID
should report Arm Architecture Call SMCCC_VERSION as supported when
the secure firmware supports both PSCI PSCI_FEATURES function ID and
Arm SMCCC_VERSION function ID.

Link: [1] https://developer.arm.com/docs/den0028/latest
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Cedric Neveux <cedric.neveux@nxp.com>

show more ...

core: make core_is_buffer_*() paddr_t compatible

The core_is_buffer_*() helpers are sometimes used with physical
addresses (type paddr_t). This can cause problem on platforms where
sizeof(paddr_t) >

core: make core_is_buffer_*() paddr_t compatible

The core_is_buffer_*() helpers are sometimes used with physical
addresses (type paddr_t). This can cause problem on platforms where
sizeof(paddr_t) > sizeof(vaddr_t), that is on ARM32 systems with
CFG_CORE_LARGE_PHYS_ADDR=y. The FVP platform compiled for AArch32 is one
such system which as a consequence fails with:
E/TC:0 0 check_phys_mem_is_outside:335 Non-sec mem (0x880000000:0x180000000) ove
rlaps map (type 12 0xff000000:0x1000000)
E/TC:0 0 Panic at core/arch/arm/mm/core_mmu.c:336 <check_phys_mem_is_outside>

This patch fixes this problem by taking input addresses as paddr_t and
sizes as paddr_ssize_t instead. The wrapper macros which did some
automatic casting removed. The requires updates at some of the places
where these functions are called.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: simple typo fixes in comments in ta/pkcs11 tree

* changed "a input" to "an input" in pcks11_ta.h
* changed "the the" to "if the" in handle.c

Signed-off-by: Markus S. Wamser <github-dev@mail2013

ta: simple typo fixes in comments in ta/pkcs11 tree

* changed "a input" to "an input" in pcks11_ta.h
* changed "the the" to "if the" in handle.c

Signed-off-by: Markus S. Wamser <github-dev@mail2013.wamser.eu>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: simple typo fixes in comments in core/include tree

* changed "the the" to "the" in crypto.h
* changed "the the" to "if the" in handle.h

Signed-off-by: Markus S. Wamser <github-dev@mail2013.wa

core: simple typo fixes in comments in core/include tree

* changed "the the" to "the" in crypto.h
* changed "the the" to "if the" in handle.h

Signed-off-by: Markus S. Wamser <github-dev@mail2013.wamser.eu>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: simple typo fix in comments in core/drivers tree

* changed "a input" to "an input"

Signed-off-by: Markus S. Wamser <github-dev@mail2013.wamser.eu>
Reviewed-by: Etienne Carriere <etienne.carri

core: simple typo fix in comments in core/drivers tree

* changed "a input" to "an input"

Signed-off-by: Markus S. Wamser <github-dev@mail2013.wamser.eu>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: simple typo fixes in comments in core/arch tree

* changed "the the" to "the" in thread.h
* changed "the the" to "to the" in wait_queue.c
* changed "Optinally" to "Optionally" in generic_entry_

core: simple typo fixes in comments in core/arch tree

* changed "the the" to "the" in thread.h
* changed "the the" to "to the" in wait_queue.c
* changed "Optinally" to "Optionally" in generic_entry_a32.S

Signed-off-by: Markus S. Wamser <github-dev@mail2013.wamser.eu>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: ack SCMI SiP SMC entry with 0 return code

Load STM32_SIP_SVC_OK in output argument a0 on return from
SCMI message notification from SiP SMC function IDs. It simplifies
non-secure worl

plat-stm32mp1: ack SCMI SiP SMC entry with 0 return code

Load STM32_SIP_SVC_OK in output argument a0 on return from
SCMI message notification from SiP SMC function IDs. It simplifies
non-secure world to consider any non-zero values,
including standard unknown function error code (-1), as
reporting a failure.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: device pta: add flag to indicate dependency on tee-supplicant

Some TAs require tee-supplicant to be run. For example fTPM requires
storage services provided by tee-supplicant. When scanning an

core: device pta: add flag to indicate dependency on tee-supplicant

Some TAs require tee-supplicant to be run. For example fTPM requires
storage services provided by tee-supplicant. When scanning and
probe() devices on tee bus we can initialize early drivers which
do not require tee-supplicant and after mount fs and tee-supplicant
run do probe() drivers witch require tee-supplicant.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Suggested-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

checkpatch: add codespell support

Add codespell check. If codespell dictionary is missing
then checkpatch.pl will generate warning but it will not
fail patch check.

Signed-off-by: Maxim Uvarov <max

checkpatch: add codespell support

Add codespell check. If codespell dictionary is missing
then checkpatch.pl will generate warning but it will not
fail patch check.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

checkpatch: move options to config file

move checkpatch command line options to config file setting.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Acked-by: Jerome Forissier <jerome@forissi

checkpatch: move options to config file

move checkpatch command line options to config file setting.

Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-imx: generate tee-raw.bin

We have observed that existing ARM-TF for iMX8QM treats OP-TEE binary
as headerless image. So, to create proper boot image we need raw
OP-TEE binary image.

Signed-off

plat-imx: generate tee-raw.bin

We have observed that existing ARM-TF for iMX8QM treats OP-TEE binary
as headerless image. So, to create proper boot image we need raw
OP-TEE binary image.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Peng Fan <peng.fan@nxp.com>

show more ...

plat-imx: describe non-secure DDR in i.MX8Q* platforms

Add NSEC_DDR definition for for i.MX8QM and i.MX8QX SoCs.
This was tested on i.MX8QM platform.

Signed-off-by: Volodymyr Babchuk <volodymyr_bab

plat-imx: describe non-secure DDR in i.MX8Q* platforms

Add NSEC_DDR definition for for i.MX8QM and i.MX8QX SoCs.
This was tested on i.MX8QM platform.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Peng Fan <peng.fan@nxp.com>

show more ...

plat-imx: describe non-secure DDR memory

To enable dynamic SHM on iMX platform we need to describe
which memory regions belong to non-secure memory areas.

Signed-off-by: Volodymyr Babchuk <volodymy

plat-imx: describe non-secure DDR memory

To enable dynamic SHM on iMX platform we need to describe
which memory regions belong to non-secure memory areas.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Peng Fan <peng.fan@nxp.com>

show more ...

plat-imx: move platform-specific data to nexus memory

This is needed to enable virtualization support iMX platforms.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Clement

plat-imx: move platform-specific data to nexus memory

This is needed to enable virtualization support iMX platforms.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Peng Fan <peng.fan@nxp.com>

show more ...

core: move static IRQC data to nexus memory

itr_chip and handlers list should reside in nexus memory
to ensure that irq controller is working.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@ep

core: move static IRQC data to nexus memory

itr_chip and handlers list should reside in nexus memory
to ensure that irq controller is working.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mk/subdir.mk: avoid trailing slash in $(sub-dir-out)

As a general rule, paths to directories should not end with a slash
[1]. In some cases, $(sub-dir-out) does not meet this requirement. For
exampl

mk/subdir.mk: avoid trailing slash in $(sub-dir-out)

As a general rule, paths to directories should not end with a slash
[1]. In some cases, $(sub-dir-out) does not meet this requirement. For
example when building the 'crypt' TA in the optee_test project:

GEN /tmp/optee/optee_test/out/ta/crypt//ca_crt.c
CC /tmp/optee/optee_test/out/ta/crypt//ca_crt.o
GEN /tmp/optee/optee_test/out/ta/crypt//mid_crt.c
CC /tmp/optee/optee_test/out/ta/crypt//mid_crt.o
GEN /tmp/optee/optee_test/out/ta/crypt//mid_key.c
CC /tmp/optee/optee_test/out/ta/crypt//mid_key.o

In this example, $(sub-dir-out) is /tmp/optee/optee_test/out/ta/crypt/.

This patch removes the trailing slash.

[1] commit 4334e8d79fa3 ("Makefile variables $(*-dir) should not have a
trailing slash")

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: enable IO compensation at boot time

Implement platform functions stm32mp_syscfg_enable_io_compensation()
and stm32mp_syscfg_disable_io_compensation() to enable/disable
STM23MP1 IO com

plat-stm32mp1: enable IO compensation at boot time

Implement platform functions stm32mp_syscfg_enable_io_compensation()
and stm32mp_syscfg_disable_io_compensation() to enable/disable
STM23MP1 IO compensation. Enable IO compensation when platform boots.

This change defines SYSCFG clock that is needed and moves definition
of the RCC compatible string DT_RCC_CLK_COMPAT to RCC header file so
that it can be shared with stm32mp1_syscfg.c.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: always build libfdt

libfdt is built only when CFG_DT=y. As a result, the libfdt header
files are only available when CFG_DT=y and any source file that makes
optional use of the library has to

core: always build libfdt

libfdt is built only when CFG_DT=y. As a result, the libfdt header
files are only available when CFG_DT=y and any source file that makes
optional use of the library has to guard the #include <libfdt.h> with
a #ifdef CFG_DT ... #endif block. This contrasts with other features
which don't require such guards.

This patch builds libfdt unconditionally and removes the include
guards. No change is expected in the binaries.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

rpmb: fix building when TRACE_LEVEL >= TRACE_FLOW

Building with CFG_RPMB_FS=y and CFG_TEE_CORE_LOG_LEVEL=4 yields a
compile-time error due to a typo.

Replacing TEE_RESULT with TEE_Result fixes the

rpmb: fix building when TRACE_LEVEL >= TRACE_FLOW

Building with CFG_RPMB_FS=y and CFG_TEE_CORE_LOG_LEVEL=4 yields a
compile-time error due to a typo.

Replacing TEE_RESULT with TEE_Result fixes the issue.

Signed-off-by: Gianguido Sorà <me@gsora.xyz>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

plat-hisilicon: psci: support Arm SMCCC_VERSION function ID

As per Arm SMCCC v1.1 specification [1], PSCI PSCI_FEATURES function ID
should report Arm Architecture Call SMCCC_VERSION as supported whe

plat-hisilicon: psci: support Arm SMCCC_VERSION function ID

As per Arm SMCCC v1.1 specification [1], PSCI PSCI_FEATURES function ID
should report Arm Architecture Call SMCCC_VERSION as supported when
the secure firmware supports both PSCI PSCI_FEATURES function ID and
Arm SMCCC_VERSION function ID.

Link: [1] https://developer.arm.com/docs/den0028/latest
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: add early TA to seal and unseal Linux trusted keys

This patch adds an early TA which acts as Linux TEE bus device to
provide a service of sealing/unsealing of trusted keys in case platform
doesn

ta: add early TA to seal and unseal Linux trusted keys

This patch adds an early TA which acts as Linux TEE bus device to
provide a service of sealing/unsealing of trusted keys in case platform
doesn't posses a TPM device or like.

To do sealing/unsealing we use system pseudo TA service to derive a
hardware unquie key to perform authenticated encryption/decryption
(using TEE_ALG_AES_GCM algo).

Also, this early TA only accepts login with a new private login method
specifically used by REE kernel (TEE_LOGIN_REE_KERNEL).

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

plat-stm32mp1: SiP SMC service for BSEC access

Implement a SiP SMC based interface fàr the non-secure world to access
BSEC words. The service is embedded upon CFG_STM32_BSEC_SIP=y. If not
embedded,

plat-stm32mp1: SiP SMC service for BSEC access

Implement a SiP SMC based interface fàr the non-secure world to access
BSEC words. The service is embedded upon CFG_STM32_BSEC_SIP=y. If not
embedded, the service simply reports a failure.

This service is used by U-boot package since its release v2019.07-rc1 [1]
to retrieve information such as the device MAC address [2].

Link: [1] https://github.com/u-boot/u-boot/blob/v2019.07-rc1/arch/arm/mach-stm32mp/include/mach/stm32mp1_smc.h
Link: [2] https://github.com/u-boot/u-boot/blob/v2019.07-rc1/arch/arm/mach-stm32mp/cpu.c#L475

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...