Update revision for release tag 3.10.0-rc1

Signed-off-by: Jerome Forissier <jerome@forissier.org>

virt: clear current thread id during initialization

When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call
`thread_clr_boot_thread()` during boot because the threads are
allocated in "tee"

virt: clear current thread id during initialization

When OP-TEE is built with CFG_VIRTUALIZATION=y, it does not call
`thread_clr_boot_thread()` during boot because the threads are
allocated in "tee" memory area, which is not available when there is
no virtual guests.

So, in this case local core state is left in erroneous state, which
causes assertion violation in thread_alloc_and_run(), when guests
calls OP-TEE for the first time from boot core.

Fixes: b166fabf3e8c ("core: initialize thread_core_local::curr_thread to -1")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

mk/subdir.mk: handle C++ flags related variables

Adds proper handling of cxxflags-y, cxxflags-<file name>-y,
cxxflags-remove-y, cxxflags-remove-<file name>-y, cxxflags-lib-y in the
same way as for C

mk/subdir.mk: handle C++ flags related variables

Adds proper handling of cxxflags-y, cxxflags-<file name>-y,
cxxflags-remove-y, cxxflags-remove-<file name>-y, cxxflags-lib-y in the
same way as for C flags.

Fixes: be3bc461c686 ("ta: experimental C++ support")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: shippable: build with CFG_CORE_DEBUG_CHECK_STACKS=y

Updates the Shippable CI configuration so that the stack check code is
compile-tested.

Signed-off-by: Jerome Forissier <jerome@forissier.org>

ci: shippable: build with CFG_CORE_DEBUG_CHECK_STACKS=y

Updates the Shippable CI configuration so that the stack check code is
compile-tested.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler

core: add stack overflow detection

This commit introduces CFG_CORE_DEBUG_CHECK_STACKS to check the stack
limits using compiler instrumentation (-finstrument-functions). When
enabled, the C compiler will insert entry and exit hooks in all
functions in the TEE core. On entry, the stack pointer is checked and
if an overflow is detected, panic() is called.

How is this helpful since we have stack canaries already?
1. When a dead canary is found, the call stack will give no indication
of the root cause of the corruption which may have happened quite some
time before. Running the test case again with a debugger attached and a
watchpoint on the canary is not always an option.
2. The system may corrupt the stack and hang in an exception handler
before the first canary check, for instance, during boot when the
temporary stack is used. This code will likely catch such issues, too.

The downside is increased stack usage and a significant runtime overhead
which is why this feature should be enabled only for troubleshooting.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so t

core: simplify setting of THREAD_CLF_TMP

Simplifies the manipulation of THREAD_CLF_TMP in the per-core
structure thread_core_local:

- thread_clr_thread_core_local() sets the flag for all cores so that
init_secondary_helper() doesn't have to. It is renamed to
thread_init_thread_core_local().
- The flag remains set upon return to normal world, ready for the next
entry into secure world.
- The foreign_intr_handler macro sets the flag since it uses the
temporary stack.
- thread_core_local_set_tmp_stack_flag() is now unused and can be
removed.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add __noprof attribute to register accessors

Allowing instrumentation of register accessor functions does not really
make sense, since they are normally inlined by the compiler. On the
contrar

core: add __noprof attribute to register accessors

Allowing instrumentation of register accessor functions does not really
make sense, since they are normally inlined by the compiler. On the
contrary, allowing the compiler to instrument these functions (if for
some reason they are not inlined) can cause serious problems such as
infinite recursion (in case the instrumentation ends up calling a
register accessor again) or unexpected results (if the accessor is used
by early code before the instrumentation is initialized).

Note that the accessors used by user space already have __noprof (see
lib/libutee/include/arm64_user_sysreg.h and scripts/arm32_sysreg.py).

For these reasons, add __noprof to core/arch/arm/include/arm{32,64}.h.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: always increase mappings for pta memrefs

In copy_in_param() always call mobj_inc_map() before mobj_get_va() to
guarantee that the memref is mapped for the duration of the call into
the PTA.

R

core: always increase mappings for pta memrefs

In copy_in_param() always call mobj_inc_map() before mobj_get_va() to
guarantee that the memref is mapped for the duration of the call into
the PTA.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj: add {inc,dec}_map() to struct mobj_ops

Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map()
and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are
are

core: mobj: add {inc,dec}_map() to struct mobj_ops

Adds inc_map() and dec_map() to struct mobj_ops. The old mobj_inc_map()
and mobj_dec_map() implementations in mobj_dyn_shm.c and mobj_ffa.c are
are replaced with function pointers in mobj_reg_shm_ops and
mobj_ffa_ops. Inline versions of mobj_inc_map() and mobj_dec_map() are
added to call the correct function via struct mobj_ops instead. If
struct mobj_ops for a particular mobj doesn't have and implementation of
inc_map() or dec_map() TEE_SUCCESS is returned instead.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add optimization and debug flags to exported TA C++ flags

$(platform-cflags-optimization) and $(platform-cflags-debug-info) are
added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same

Add optimization and debug flags to exported TA C++ flags

$(platform-cflags-optimization) and $(platform-cflags-debug-info) are
added to the TA C flags via ta_arm{32,64}-platform-cflags. Do the same
for C++ flags thanks to ta_arm{32,64}-platform-cxxflags.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8)
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

core: arm: rpc i2c trampoline driver

Gives OP-TEE access to the i2c buses initialized and controlled by the
REE kernel. This is done by memory mapping a buffer from the thread's
cache where the inpu

core: arm: rpc i2c trampoline driver

Gives OP-TEE access to the i2c buses initialized and controlled by the
REE kernel. This is done by memory mapping a buffer from the thread's
cache where the input or output data is transferred.

Using this mechanism, OP-TEE clients do not have to worry about REE
RUNTIME_PM features switching off clocks from the controllers or
collisions with other bus masters.

This driver assumes that the I2C chip is on a REE statically assigned
bus which value is known to OP-TEE (it will not query/probe the REE).

The slave address can be either seven or ten bits. When using a ten
bit address, the corresponding flag needs to be set in the command and
the REE adapter must support the requested addressing mode.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: juno: update 808870 Unconditional VLDM workaround

With the commit be3bc461c686 ("ta: experimental C++ support") we have
some C++ tests in the regression tests which depends on libraries in the

core: juno: update 808870 Unconditional VLDM workaround

With the commit be3bc461c686 ("ta: experimental C++ support") we have
some C++ tests in the regression tests which depends on libraries in the
toolchain with hard float enabled. To be able to compile the regression
tests hard float cannot be disabled. Disabling hard float was our
original workaround for this erratum. Another way to avoid the erratum
is to disable strict alignment checks. So unless
CFG_SCTLR_ALIGNMENT_CHECK isn't explicitly set to 'y' force it to 'n'
instead.

Fixes: be3bc461c686 ("ta: experimental C++ support")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: init_secondary_helper(): fix spelling mistake

Fix spelling mistake in the info message displayed on the console when
secondary CPUs are initialized.

Signed-off-by: Jerome Forissier <jerome@fo

core: init_secondary_helper(): fix spelling mistake

Fix spelling mistake in the info message displayed on the console when
secondary CPUs are initialized.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm: add hard-float detection for cxxflags

Otherwise the compiler will complain that hard-float object files
generated from C code can not be linked with soft-float files generated
from cxx files.

arm: add hard-float detection for cxxflags

Otherwise the compiler will complain that hard-float object files
generated from C code can not be linked with soft-float files generated
from cxx files.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: add cxxflags for CPU support

Otherwise the compiler is not able to determine the FPU setting from the
CPU architecture for cxx files.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutroni

core: add cxxflags for CPU support

Otherwise the compiler is not able to determine the FPU setting from the
CPU architecture for cxx files.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

stm32_bsec: always embed shadow OTPs write function

Change the scope of configuration switch CFG_STM32_BSEC_WRITE to
not cover shadow OTP write support. CFG_STM32_BSEC_WRITE is used
to embed or not

stm32_bsec: always embed shadow OTPs write function

Change the scope of configuration switch CFG_STM32_BSEC_WRITE to
not cover shadow OTP write support. CFG_STM32_BSEC_WRITE is used
to embed or not OTP programming support but writing shadow OTPs
is a normal executing an OTP read operation hence this change
embeds stm32_bsec_write_otp() driver API function even when
CFG_STM32_BSEC_WRITE is disabled.

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
[etienne: rephrase commit log]
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-stm32mp1: SiP SMC service for BSEC access

Correct the SiP SMC identifier, alignment with TF-A
and U-Boot.

Fixes: 206b29e850e9 ("plat-stm32mp1: SiP SMC service for BSEC access")
Signed-off-by:

plat-stm32mp1: SiP SMC service for BSEC access

Correct the SiP SMC identifier, alignment with TF-A
and U-Boot.

Fixes: 206b29e850e9 ("plat-stm32mp1: SiP SMC service for BSEC access")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
[etienne: fix commit log]
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: experimental C++ support

Update the TA makefiles to support C++ (file extension: .cpp).

This allows the use of C++ in TA and libraries, with limitations (see
below). I consider this work experi

ta: experimental C++ support

Update the TA makefiles to support C++ (file extension: .cpp).

This allows the use of C++ in TA and libraries, with limitations (see
below). I consider this work experimental because it was only tested
with simple cases in xtest, introducing the required changes and
addressing issues one after another. Therefore, some features may be
missing for more complex use cases (additional relocation types or
runtime support...).

Tested with the arm-linux-gnueabihf- and aarch64-linux-gnu- toolchains
(GCC 8.3).

Limitations:

- Clang is not supported at the moment
- Exception handling: shared libraries cannot throw, catch or propagate
exceptions. Doing so would require linking the libraries and the main
program with the shared libgcc [1] which is not straightforward due
to the many dependencies on the GNU libc. Exceptions *can* be used in
the main program however, as well as in static libraries directly
linked with the main program.
- ldelf stack unwinding does not support C++ frames so crash/panic
dumps will likely be truncated when they involve C++ code.

Link: [1] https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html see "-shared-libgcc"
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMU, QEMUv8, HiKey960)
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf: increase heap size from 12 to 16 KiB

Preparing for C++ support in TAs.

The current ldelf heap is barely sufficient to run some tests such as
xtest 1022 (dlopen()) when CFG_ULIBS_SHARED=y. If

ldelf: increase heap size from 12 to 16 KiB

Preparing for C++ support in TAs.

The current ldelf heap is barely sufficient to run some tests such as
xtest 1022 (dlopen()) when CFG_ULIBS_SHARED=y. If slightly larger
section headers are present (such as when introducing Thread Local
Storage tests, needed for C++), the heap becomes too small and the TA
fails to load.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf, libutee: rework support of DT_INIT_ARRAY/DT_FINI_ARRAY

Now that we have the standard function dl_iterate_phdr() in libutee, we
can use it to process the initialization and finalization arrays

ldelf, libutee: rework support of DT_INIT_ARRAY/DT_FINI_ARRAY

Now that we have the standard function dl_iterate_phdr() in libutee, we
can use it to process the initialization and finalization arrays in the
ELF files and deprecate the ad-hoc structure __init_fini_info
introduced in commit dd655cb9906c ("ldelf, ta: add support for
DT_INIT_ARRAY and DT_FINI_ARRAY") [1].
Unfortunately, removing __init_fini_info is not an option if we want to
ensure backward compatibility. This concerns only TAs which use ELF
initialization and/or finalization functions.

[1] Released in version 3.9.0.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf, libutee: add minimal Thread Local Storage support

Preparing for C++ support in TAs.

Adds enough runtime Thread Local Storage (TLS) support for the GNU C++
compilers (arm-linux-gnueabihf-g++,

ldelf, libutee: add minimal Thread Local Storage support

Preparing for C++ support in TAs.

Adds enough runtime Thread Local Storage (TLS) support for the GNU C++
compilers (arm-linux-gnueabihf-g++, aarch64-linux-gnu-g++) to work with
OP-TEE. That is:

- A Thread Control Block,
- The __tls_get_addr() and dl_iterate_phdr() functions.

Note that __tls_get_addr() is an ABI helper so it has no prototype in a
user-accessible header file. dl_iterate_phdr() however is defined in
<link.h> and may be used in a TA. The file lib/libutee/include/link.h is
borrowed from Android's Bionic [1] with minor changes (added the
required #include statement and named the function parameters). A
similar <link.h> header is provided by other C libraries such as GNU
libc, musl and FreeBSD/NetBSD/OpenBSD.

Link: [1] https://android.googlesource.com/platform/bionic/+/master/libc/include/link.h
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add <elf.h>

Preparing for C++ support in TAs.

Adds header file <elf.h> in addition to <elf32.h> and <elf64.h>. This
file defines the various Elf types depending on the current
architecture

libutee: add <elf.h>

Preparing for C++ support in TAs.

Adds header file <elf.h> in addition to <elf32.h> and <elf64.h>. This
file defines the various Elf types depending on the current
architecture. In other words: when building for Aarch32 Elf_* is defined
as Elf32_*, but when building for Aarch64 it is defined as Elf64_*. This
will be useful for programs which need to examine their own structure
via dl_iterate_phdr() (which will come in a later commit).

Note: <elf.h> serves the same purpose as FreeBSD's <sys/elf.h> but does
it differently; the file is not imported from FreeBSD.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Move ELF headers from ldelf/ to lib/libutee/

Preparing for C++ support in TAs.

Moves the ELF headers (elf32.h, elf64.h, elf_common.h) from
ldelf/include to lib/libutee/include so that they may be u

Move ELF headers from ldelf/ to lib/libutee/

Preparing for C++ support in TAs.

Moves the ELF headers (elf32.h, elf64.h, elf_common.h) from
ldelf/include to lib/libutee/include so that they may be used
by libutee to implement the dl_iterate_phdr() function. This will be
done in a later commit.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: arm64: add read_tpidr_el0() and write_tpidr_el0() macros

Preparing for C++ support in TAs.

Adds macros to <arm64_user_sysreg.h> to access TPIDR_EL0, the EL0 Read/
Write Software Thread ID

libutee: arm64: add read_tpidr_el0() and write_tpidr_el0() macros

Preparing for C++ support in TAs.

Adds macros to <arm64_user_sysreg.h> to access TPIDR_EL0, the EL0 Read/
Write Software Thread ID Register.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: preserve user space TPIDR_EL0

Preparing for C++ support in TAs.

Preserves the value of TPIDR_EL0 set by user space by saving and
restoring the register in case of syscall or foreign in

core: arm64: preserve user space TPIDR_EL0

Preparing for C++ support in TAs.

Preserves the value of TPIDR_EL0 set by user space by saving and
restoring the register in case of syscall or foreign interrupt.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...