core: Fix value of OPTEE_SMC_SEC_CAP_VIRTUALIZATION

Update the value of OPTEE_SEC_CAP_VIRTUALIZATION as it currently conflicts
with OPTEE_SEC_CAP_DYNAMIC_SHM

Signed-off-by: Michalis Pappas <mpp@ope

core: Fix value of OPTEE_SMC_SEC_CAP_VIRTUALIZATION

Update the value of OPTEE_SEC_CAP_VIRTUALIZATION as it currently conflicts
with OPTEE_SEC_CAP_DYNAMIC_SHM

Signed-off-by: Michalis Pappas <mpp@opensynergy.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

show more ...

ldelf: link.mk: add generated ldelf.map to $(cleanfiles)

Commit 7509ff7ce5e5 ("Add user mode ELF loader") omitted to add the
generated file $(O)/ldelf/ldelf.map to $(cleanfiles) and therefore
'make

ldelf: link.mk: add generated ldelf.map to $(cleanfiles)

Commit 7509ff7ce5e5 ("Add user mode ELF loader") omitted to add the
generated file $(O)/ldelf/ldelf.map to $(cleanfiles) and therefore
'make clean' leaves it intact. Fix that.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: core.mk: add generated conf.cmake file to $(cleanfiles)

Commit b924c494920f ("Generate conf.cmake for TA dev kit") omitted to
add the generated file $(O)/conf.cmake to $(cleanfiles) and theref

core: core.mk: add generated conf.cmake file to $(cleanfiles)

Commit b924c494920f ("Generate conf.cmake for TA dev kit") omitted to
add the generated file $(O)/conf.cmake to $(cleanfiles) and therefore
'make clean' leaves it intact. Fix that.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mk: gensrc: add generated file to $(cleanfiles) automatically

The gensrc mechanism should not require the user to update the
cleanfiles variable since it can do it by itself. This commit updates
the

mk: gensrc: add generated file to $(cleanfiles) automatically

The gensrc mechanism should not require the user to update the
cleanfiles variable since it can do it by itself. This commit updates
the implementation and simplifies the call sites.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

MAINTAINERS: Add myself as reviewer for Developerbox

Update MAINTAINERS with myself as reviewer for Developerbox platform
(plat-synquacer).

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewe

MAINTAINERS: Add myself as reviewer for Developerbox

Update MAINTAINERS with myself as reviewer for Developerbox platform
(plat-synquacer).

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

MAINTAINERS: Add entry for ftrace support

Update MAINTAINERS file with entry for ftrace support and myself as
reviewer.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Joakim Bech <j

MAINTAINERS: Add entry for ftrace support

Update MAINTAINERS file with entry for ftrace support and myself as
reviewer.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ci: shippable: Enable build with ftrace config options

Enable ci build with ftrace config options enabled for both arm and
arm64 platforms.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-b

ci: shippable: Enable build with ftrace config options

Enable ci build with ftrace config options enabled for both arm and
arm64 platforms.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ftrace: Add support for syscall function tracer

This patch adds support for syscall tracing in TEE core. It complements
existing ftrace support for user TAs via adding trace for syscalls that
are in

ftrace: Add support for syscall function tracer

This patch adds support for syscall tracing in TEE core. It complements
existing ftrace support for user TAs via adding trace for syscalls that
are invoked by user TAs into the TEE core.

And after this patch ftrace will cover both TA and TEE core code. So lets
rename config option from CFG_TA_FTRACE_SUPPORT to CFG_FTRACE_SUPPORT.

It is optional to enable syscall trace via CFG_SYSCALL_FTRACE=y config
option in addition to CFG_FTRACE_SUPPORT=y config option.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ftrace: core: prepare support for syscall ftrace

Enable compilation of ftrace library code for TEE core.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@fori

ftrace: core: prepare support for syscall ftrace

Enable compilation of ftrace library code for TEE core.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ftrace: move ftrace code from libutee to libutils

Since TEE core and TA can share most of ftrace library code, so move
ftrace code from libutee to libutils library which is shared among TEE
core and

ftrace: move ftrace code from libutee to libutils

Since TEE core and TA can share most of ftrace library code, so move
ftrace code from libutee to libutils library which is shared among TEE
core and TA.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: Add support for multi-threaded MPIDR values

If the MT bit is set the affinities are shifted in the MPIDR register
so the get_core_pos_mpidr function needs to be modified accordingly.
This is n

core: Add support for multi-threaded MPIDR values

If the MT bit is set the affinities are shifted in the MPIDR register
so the get_core_pos_mpidr function needs to be modified accordingly.
This is necessary to make OP-TEE to be able to run on multi-threaded
systems. The number of threads/core can be modified by the
CFG_CORE_THREAD_SHIFT makefile parameter. The default value is the
existing single threaded mode.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Update CHANGELOG for 3.7.0

Update CHANGELOG for 3.7.0

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Akshay Bhat <akshay.bhat@timesys.com> (Atmel SAM)
Tested-by: Andrew F. Davis <af

Update CHANGELOG for 3.7.0

Update CHANGELOG for 3.7.0

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Akshay Bhat <akshay.bhat@timesys.com> (Atmel SAM)
Tested-by: Andrew F. Davis <afd@ti.com> (plat-k3, plat-ti)
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> WaRP7
Tested-by: Clement Faure <clement.faure@nxp.com> (mx6sllevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (mx6sxsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (mx6ulevk, mx6ullevk)
Tested-by: Clement Faure <clement.faure@nxp.com> (mx7dsabresd)
Tested-by: Clement Faure <clement.faure@nxp.com> (mx8mm, mx8mn, mx8mq)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1)
Tested-by: Igor Opaniuk <igor.opaniuk@gmail.com> (Poplar)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey960, GP)
Tested-by: Jerome Forissier <jerome@forissier.org> (HiKey, GP)
Tested-by: Jerome Forissier <jerome@forissier.org> (QEMUv8)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (FVP)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (Rpi3b)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (Rpi3b with NFS)
Tested-by: Michael Grand <michael.grand.mg@gmail.com> ZynqMP (zcu102, ultra96v1)
Tested-by: Rouven Czerwinski <r.czerwinski@pengutronix.de> (imx-imx8mqevk)
Tested-by: Sahil Malhotra <sahil.malhotra@nxp.com> (LS1046A-RDB)
Tested-by: Sumit Garg <sumit.garg@linaro.org> (Developerbox)
Tested-by: Victor Chong <victor.chong@linaro.org> (Hikey620 AOSP)

show more ...

scripts: add update_changelog.py

Add a simple helper script that makes the tedious and slightly error
prone update process easier and more stable.

Usage example:
$ ./scripts/update_changelog.py -

scripts: add update_changelog.py

Add a simple helper script that makes the tedious and slightly error
prone update process easier and more stable.

Usage example:
$ ./scripts/update_changelog.py --changelog-file CHANGELOG.md \
--release-version 3.7.0 --previous-release-version 3.6.0 \
--release-date 2019-10-18

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: fix null terminator in PTA dlsym

Correct misplaced null terminator character in PTA system when invoking
ldelf entry to look for a target symbol.

Fixes: ebef121c1f5c ("core, ldelf: add suppor

core: fix null terminator in PTA dlsym

Correct misplaced null terminator character in PTA system when invoking
ldelf entry to look for a target symbol.

Fixes: ebef121c1f5c ("core, ldelf: add support for runtime loading of shared libraries")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
[jf: edit subject line]
Signed-off-by: Jerome Forissier <jerome@forissier.org>

show more ...

ltc: check range in _rijndael_ecb_ functions

There is no check that the 'skey' structure has been properly
initialized. For example, the skey->rijndael.Nr is assumed to contain a
positive number cor

ltc: check range in _rijndael_ecb_ functions

There is no check that the 'skey' structure has been properly
initialized. For example, the skey->rijndael.Nr is assumed to contain a
positive number corresponding to the number of AES rounds to perform. In
_rijndael_ecb_encrypt the skey->rijndael.Nr is subtracted by two, which
can result in an integer underflow if the structure hasn't been
initialized correctly.

By clamping the value for skey->rijndael.Nr into the valid rounds for
AES we can return an error instead of ending up reading outside the
boundaries (of skey->rijndael.eK).

Patch manually picked from [1].

Link: [1] https://github.com/libtom/libtomcrypt/commit/7b4a5c1dcf2803e9c6cbcbc2458db9317e6fb8ca
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7)
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

Fixes #507 in LTC - vulnerability in der_decode_utf8_string()

Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507

Patch manually picked

Fixes #507 in LTC - vulnerability in der_decode_utf8_string()

Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507

Patch manually picked from:
https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94

Signed-off-by: Luigi Coniglio <werew@ret2libc.com>
[Joakim Bech: Extended commit message]
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7)
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: early_ta: fix tag hash calculation

Previously correct output due to the order of execution (tag is
calculated before any reads) and crypto_hash_final taking the minimum
of digest length and bu

core: early_ta: fix tag hash calculation

Previously correct output due to the order of execution (tag is
calculated before any reads) and crypto_hash_final taking the minimum
of digest length and buffer length, but this will be more reliable.

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

cryp: prevent direct calls to update and final functions

With inconsistent or malformed data it has been possible to call
"update" and "final" crypto functions directly. Using a fuzzer tool [1]
we h

cryp: prevent direct calls to update and final functions

With inconsistent or malformed data it has been possible to call
"update" and "final" crypto functions directly. Using a fuzzer tool [1]
we have seen that this results in asserts, i.e., a crash that
potentially could leak sensitive information.

By setting the state (initialized) in the crypto context (i.e., the
tee_cryp_state) at the end of all syscall_*_init functions and then add
a check of the state at the beginning of all update and final functions,
we prevent direct entrance to the "update" and "final" functions.

[1] https://github.com/MartijnB/optee_fuzzer

Fixes: OP-TEE-2019-0021

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

cryp: ensure that mode is cipher in syscall_cipher_init

When calling syscall_cipher_init there is no check being done that the
state coming from the TA has been initialized to a valid cipher state.

cryp: ensure that mode is cipher in syscall_cipher_init

When calling syscall_cipher_init there is no check being done that the
state coming from the TA has been initialized to a valid cipher state.
By checking the class we prevent an assert in cipher_ops.

Fixes: OP-TEE-2019-0020

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

cryp: ensure that mode is AE in syscall_authenc_ functions

When doing calls to syscall_authenc_xyz functions (all of them except
syscall_authenc_init) there is no check being done that the state com

cryp: ensure that mode is AE in syscall_authenc_ functions

When doing calls to syscall_authenc_xyz functions (all of them except
syscall_authenc_init) there is no check being done that the state coming
from the TA has been initialized to a valid authenticated encryption
state. As a consequence of that it's possible to redirect execution to
other functions. Doing like that will make TEE core end up with a data
abort.

Fixes: OP-TEE-2019-0019

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ldelf: increase heap size from 8 to 12 KiB

The ldelf heap is not big enough to load some 64-bit TAs with several
shared libraries such as xtest 1006 when CFG_ULIBS_SHARED=y:

* regression_1006 Test

ldelf: increase heap size from 8 to 12 KiB

The ldelf heap is not big enough to load some 64-bit TAs with several
shared libraries such as xtest 1006 when CFG_ULIBS_SHARED=y:

* regression_1006 Test Basic OS features
E/LD: copy_section_headers:766 malloc
E/TC:? 0 init_with_ldelf:229 ldelf failed with res: 0xffff000c
E/TC:? 0 tee_ta_open_session:727 Failed. Return error 0xffff000c
regression_1006 FAILED

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey, hikey960: set CFG_TEE_RAM_VA_SIZE to 2 MiB

Commit 8fd4d26f6e22 ("plat-hikey: support generic RAM layout") has
inadvertently removed the platform-specific definition of
TEE_RAM_VA_SIZE for HiK

hikey, hikey960: set CFG_TEE_RAM_VA_SIZE to 2 MiB

Commit 8fd4d26f6e22 ("plat-hikey: support generic RAM layout") has
inadvertently removed the platform-specific definition of
TEE_RAM_VA_SIZE for HiKey platforms. It was 2 MiB before, and became
1 MiB (the default). This commit restores the proper value.

Fixes the following panic on boot (HiKey960, 32-bit TEE core with pager
enabled):

I/TC: Pager is enabled. Hashes: 1824 bytes
I/TC: Pager pool size: 252kB
I/TC: OP-TEE version: 3.6.0-182-g2d7a8964df-dev (gcc version 6.2.1 20161016 (Linaro GCC 6.2-2016.11)) #5 Mon 07 Oct 2019 08:22:21 AM UTC arm
E/TC:0 0 Panic at core/lib/libtomcrypt/mpi_desc.c:39 <get_mp_scratch_memory_pool>
E/TC:0 0 Call stack:
E/TC:0 0 0x3f003a4d

Fixes: 8fd4d26f6e22 ("plat-hikey: support generic RAM layout")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

driver: implement CAAM driver

Add the NXP CAAM drivers:
- Random generator (instantiation and random generation)
- Hash

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Ca

driver: implement CAAM driver

Add the NXP CAAM drivers:
- Random generator (instantiation and random generation)
- Hash

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: imx: add imx7ulp CRM registers

Add imx7ulp CRM registers in a header file.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

core: tadb.c: get rid of atomic reference counting

This commit changes the way the tadb_db global variable is protected
against concurrent access on creation and deletion. Instead of using an
atomic

core: tadb.c: get rid of atomic reference counting

This commit changes the way the tadb_db global variable is protected
against concurrent access on creation and deletion. Instead of using an
atomic reference counter (struct refcount) and a mutex, only the mutex
is used and taken unconditionally. The reference count becomes a global
integer protected by the same mutex.

Using a struct refcount was apparently an optimization to avoid taking
the lock unless actual creation or deletion of the tadb_db was needed.
Unfortunately this implementation was causing occasional crashes of the
TEE core (easily reproducible on HiKey running 'xtest 1013' in a loop).
The new implementation is simpler and appears to be rock solid with no
measurable difference in performance.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...