core: change the pattern used to generate asm-defines.h

This commit prepares support for the Clang compiler.

$O/core/include/generated/asm-defines.h is generated from
core/arch/arm/kernel/asm-defin

core: change the pattern used to generate asm-defines.h

This commit prepares support for the Clang compiler.

$O/core/include/generated/asm-defines.h is generated from
core/arch/arm/kernel/asm-defines.c by the C compiler with the -S flag
(generate assembler code), followed by some light post-processing with
sed.

The intermediate file ($O/core/include/generated/.asm-defines.s) is
actually not a valid assembler file. It contains illegal tokens, which
where chosen to make it easy to parse with sed. For example:

==>SM_CTX_SIZE #256 sizeof(struct sm_ctx) @

...is turned into:

#define SM_CTX_SIZE 256 /* sizeof(struct sm_ctx) */

While this works fine with GCC, the Clang compiler won't accept to
output invalid assembler. This commit slightly modifies the inline
assembler so that the needed information is contained within a .ascii
directive:

.ascii "==>SM_CTX_SIZE 248 sizeof(struct sm_ctx)" @

The 'c' constraint (%c0) is added to avoid the # prefix before an
immediate value, which is not accepted by Clang either.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm: remove -mthumb-interwork

The GCC compiler flag -mthumb-interwork is useful only for pre-v5 Arm
architectures and is not supported by Clang. Remove it.

Signed-off-by: Jerome Forissier <jerome.f

arm: remove -mthumb-interwork

The GCC compiler flag -mthumb-interwork is useful only for pre-v5 Arm
architectures and is not supported by Clang. Remove it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

build: print CC line when .am-defines.s is generated

$O/include/generated/.am-defines.s is generated using the C compiler,
so we should print a line when compiling, as follows:

CC out/arm-pl

build: print CC line when .am-defines.s is generated

$O/include/generated/.am-defines.s is generated using the C compiler,
so we should print a line when compiling, as follows:

CC out/arm-plat-vexpress/core/include/generated/.asm-defines.s

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add C compiler version to identification string

Adds the compiler version to the string that is printed to the secure
console when OP-TEE initializes. For example:

"(gcc version 6.2.1 201610

core: add C compiler version to identification string

Adds the compiler version to the string that is printed to the secure
console when OP-TEE initializes. For example:

"(gcc version 6.2.1 20161016 (Linaro GCC 6.2-2016.11))"
"(clang version 8.0.0 (tags/RELEASE_800/final))"

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Update CHANGELOG.md for 3.6.0

Update CHANGELOG for 3.6.0 and collect Tested-by tags.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.o

Update CHANGELOG.md for 3.6.0

Update CHANGELOG for 3.6.0 and collect Tested-by tags.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Sumit Garg <sumit.garg@linaro.org> (Developerbox)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960, GP)
Tested-by: Rouven Czerwinski <r.czerwinski@pengutronix.de> (mx6qsabresd)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2120, b2260, GP)
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (RCAR H3)
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (RCAR H3/virtualization)
Tested-by Rouven Czerwinski <r.czerwinski@pengutronix.de> (ccimx6ulsbcpro)
Tested-by: Akshay Bhat <akshay.bhat@timesys.com> (Atmel SAM)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (Rpi3b)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMUv8, GP)
Tested-by: Victor Chong <victor.chong@linaro.org> (HiKey620 AOSP, HiKey960 AOSP)
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org> (bpi0)
Tested-by: Igor Opaniuk <igor.opaniuk@gmail.com> (Poplar)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1, GP)

show more ...

core: kernel_generic_entry_a64.S: support CFG_DT_ADDR

Add CFG_DT_ADDR for a64 to override the DT address passing
through arg2.

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Reviewed-b

core: kernel_generic_entry_a64.S: support CFG_DT_ADDR

Add CFG_DT_ADDR for a64 to override the DT address passing
through arg2.

Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

show more ...

core: console: fix use after free when CFG_DT=y

Commit 770b2afacf33 ("core: more flexible console init from DT") has
split configure_console_from_dt() in two parts, the first one being
moved to a ne

core: console: fix use after free when CFG_DT=y

Commit 770b2afacf33 ("core: more flexible console init from DT") has
split configure_console_from_dt() in two parts, the first one being
moved to a new function: get_console_node_from_dt(). Unfortunately,
this function may return pointers to a freed buffer.

Fix the problem by allocating each output string on the heap and letting
the caller clean on return.

Fixes: 770b2afacf33 ("core: more flexible console init from DT")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinksi@pengutronix.de>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

dts: stm32mp1: default disable RCC secure hardening

This change disables security hardening of the RCC hardware interface
of ST boards. This allows one to use the upstream Linux kernel 5.2
in which

dts: stm32mp1: default disable RCC secure hardening

This change disables security hardening of the RCC hardware interface
of ST boards. This allows one to use the upstream Linux kernel 5.2
in which stm32mp1 platforms do not yet support hardened secure RCC.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: refuse to release enabled RCC hardening

With this change, platform panics when DT directives states RCC is
fully assigned to non-secure while SoC was configured by early
boot stage with RC

stm32mp1: refuse to release enabled RCC hardening

With this change, platform panics when DT directives states RCC is
fully assigned to non-secure while SoC was configured by early
boot stage with RCC TZ hardening enabled.

When RCC TZ hardening is disabled, non-secure world could alter RCC
related configuration. Such a setup is allowed only if early boot
stage disabled RCC TZ hardening, OP-TEE DT states the same and
device is not in closed_device mode.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: introduce stm32_bsec_is_closed_device()

stm32_bsec_is_closed_device() states if the platform fuses state
a closed_device or not.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

stm32mp1: introduce stm32_bsec_is_closed_device()

stm32_bsec_is_closed_device() states if the platform fuses state
a closed_device or not.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

scripts: port gen_ldelf_hex to python3

Simple port for gen_ldelf_hex to python3.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

core: fix icache_inv_user_range in AArch64

Prior to this patch in the AArch64 version of icache_inv_user_range()
ttbr0_el1 was overwritten with garbage if CFG_CORE_UNMAP_CORE_AT_EL0=n.
This patch fi

core: fix icache_inv_user_range in AArch64

Prior to this patch in the AArch64 version of icache_inv_user_range()
ttbr0_el1 was overwritten with garbage if CFG_CORE_UNMAP_CORE_AT_EL0=n.
This patch fixes this by instead modifying previously read value.

Fixes: 79083642a114 ("core: add icache_inv_user_range()")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>

show more ...

Update revision for release tag 3.6.0-rc1

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

ecc_sign_hash blinding CVE-2018-12437

This originates from the LibTomCrypt upstream mitigation patch:
f0a51bbdbd ("ecc_sign_hash blinding CVE-2018-12437") [1]

but with modifications to fit into th

ecc_sign_hash blinding CVE-2018-12437

This originates from the LibTomCrypt upstream mitigation patch:
f0a51bbdbd ("ecc_sign_hash blinding CVE-2018-12437") [1]

but with modifications to fit into the current LibTomCrypt version used
by OP-TEE (use the old function name rand_bn_range(..) instead of the
new name rand_bn_upto(..)).

Link: [1] https://github.com/libtom/libtomcrypt/commit/f0a51bbdbd50e03a43914c9ee912c451b6ad82e5

Fixes: OP-TEE-2019-0018

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU-v7)
Reported-by: Santos Merino del Pozo <santos.research@gmail.com>
Suggested-by: Santos Merino del Pozo <santos.research@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ltc: allow usage of rand_bn functions for ECC builds

To be able to backport [1] we have to enable the "rand_bn" functions.

Link: [1] https://github.com/libtom/libtomcrypt/commit/f0a51bbdbd50e03a439

ltc: allow usage of rand_bn functions for ECC builds

To be able to backport [1] we have to enable the "rand_bn" functions.

Link: [1] https://github.com/libtom/libtomcrypt/commit/f0a51bbdbd50e03a43914c9ee912c451b6ad82e5

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ftrace: Enable support for 32 bit apps

By default 32 bit trusted applications are compiled in thumb mode but
thumb mode doesn't support function graph tracing due to missing frame
pointer support re

ftrace: Enable support for 32 bit apps

By default 32 bit trusted applications are compiled in thumb mode but
thumb mode doesn't support function graph tracing due to missing frame
pointer support required to trace function call chain. So rather compile
trusted applications in ARM mode in case function tracing is enabled.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug

LTC_CLEAN_STACK uses burn_stack() API that uses a recursive call which
leads to approx. double the size of stack cleaned than expected on ARM64,
be

core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug

LTC_CLEAN_STACK uses burn_stack() API that uses a recursive call which
leads to approx. double the size of stack cleaned than expected on ARM64,
because it consumes stack space in 32-byte chunks and assumes only buf
is pushed onto the stack while ignoring any other data such as lr, fp,
etc.. This causes stack overflow corrupting canaries in case we perform
a SHA512 hash operation which utilizes maximum stack as compared to other
libtomcrypt APIs. So get rid of this recursive call via using variable
length array to clean stack.

Also, convert zeromem() API as a wrapper to call memzero_explicit().

Fixes: ad565116a0d7 ("core: crypto: libtomcrypt: enable LTC_CLEAN_STACK")
Suggested-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: pager: use icache_inv_user_range()

Prior to this patch the entire icache was invalidated when icache
invalidations was needed, even if it only was for a single page. This
was needed to reach a

core: pager: use icache_inv_user_range()

Prior to this patch the entire icache was invalidated when icache
invalidations was needed, even if it only was for a single page. This
was needed to reach a stable state with regards to paging user TAs.

With this patch a new function, icache_inv_user_range(), is used to
invalidate pages used by user TAs and icache_inv_range() is used instead
to invalidate kernel mode pages.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: use tlbi_mva_asid() where applicable

Instead of invalidating a virtual address for all ASIDs only target the
relevant ones. For kernel mode mappings all ASIDs still needs to be
targeted

core: pager: use tlbi_mva_asid() where applicable

Instead of invalidating a virtual address for all ASIDs only target the
relevant ones. For kernel mode mappings all ASIDs still needs to be
targeted though.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add tlbi_mva_asid()

Adds tlbi_mva_asid() to invalidate one TLB entry, typically page sized,
selected by virtual address and address identifier. The function targets
both the kernel mode and us

core: add tlbi_mva_asid()

Adds tlbi_mva_asid() to invalidate one TLB entry, typically page sized,
selected by virtual address and address identifier. The function targets
both the kernel mode and user mode address identifiers at the same time.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64.h: add tlbi_vale1is()

Adds tlbi_vale1is() which is a wrapper around inline assembly code to
execute "tlbi vale1is". The operation is described as "TLB Invalidate
by VA, Last level, EL1,

core: arm64.h: add tlbi_vale1is()

Adds tlbi_vale1is() which is a wrapper around inline assembly code to
execute "tlbi vale1is". The operation is described as "TLB Invalidate
by VA, Last level, EL1, Inner Shareable" in the ARM ARM.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32.h: add TLBI_{MVA_SHIFT,ASID_MASK}

Adds TLBI macros to help formatting source register for TLB
invalidations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: J

core: arm32.h: add TLBI_{MVA_SHIFT,ASID_MASK}

Adds TLBI macros to help formatting source register for TLB
invalidations.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: use dcache_clean_range_pou()

Pager uses dcache_clean_range_pou() when cleaning pages before
invalidating icache for that page. Prior to this patch
dcache_clean_range() was used indirect

core: pager: use dcache_clean_range_pou()

Pager uses dcache_clean_range_pou() when cleaning pages before
invalidating icache for that page. Prior to this patch
dcache_clean_range() was used indirectly which cleans the range to point
of coherency instead of point of unification.

With this patch we're likely to save one data cache level by only
cleaning level 1 instead of level 1 and 2. This assumes separate data
and instructions caches level 1 and a unified data cache at level 2

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add dcache_clean_range_pou()

Adds dcache_clean_range_pou() which cleans the data cache to the point
of unification. This is exactly what's needed when later invalidating
the icache due to upda

core: add dcache_clean_range_pou()

Adds dcache_clean_range_pou() which cleans the data cache to the point
of unification. This is exactly what's needed when later invalidating
the icache due to updates in a page.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: cache_helpers_a{32,64}.S: remove section assignments

Since the FUNC and LOCAL_FUNC assembly macros now assign a section to
each assembly function the explicitly assigned sections in
cache_help

core: cache_helpers_a{32,64}.S: remove section assignments

Since the FUNC and LOCAL_FUNC assembly macros now assign a section to
each assembly function the explicitly assigned sections in
cache_helpers_a{32,64}.S are ignored. So remove the ignored section
assignments.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...